Two high priority security vulnerabilities were recently discovered by
Eric Rasche and Manabu Ishii respectively. These vulnerabilities were
to cross site scripting and session fixation attacks. Detailed
of these categories of vulnerabilities can be found at:
Per our new security policies
we have created patches for versions of Galaxy including 16.10, 17.01,
If you have cloned Galaxy from the official GitHub repository and are on
a supported release_branch, you can simply `git pull` to pull in the
security patch which has been applied to those branches.
The 16.10 patch can apply cleanly to 17.01 as well and can be fetched
The 17.05 patch can be fetched using:
Once the patch has been downloaded and copied to the root of your Galaxy
directory, it can be applied using the following patch command:
% patch -p1 < 2017augsecurity_1610.patch
% patch -p1 < 2017augsecurity_1705.patch
If you are having trouble applying the patch feel free to email
galaxy-committers(a)lists.galaxyproject.org and we will try to help.
-Eric (on behalf of the Galaxy Committers)
Post script: this mail was intended to go out on Thursday the 24th of
August, however I failed to send it then. My apologies to the community,
it will be more timely in the future.