[galaxy-dev] [hxr at hx42.org: [SECURITY] 2017-08 security patch. Update now!]

E. Rasche hxr at hx42.org
Tue Aug 29 11:08:02 EDT 2017

Two high priority security vulnerabilities were recently discovered by
Eric Rasche and Manabu Ishii respectively. These vulnerabilities were
related to cross site scripting and session fixation attacks. Detailed
descriptions of these categories of vulnerabilities can be found at:

- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://www.owasp.org/index.php/Session_fixation

Per our new security policies 
we have created patches for versions of Galaxy including 16.10, 17.01, 
and 17.05.

**With Git**

If you have cloned Galaxy from the official GitHub repository and are on 
a supported release_branch, you can simply `git pull` to pull in the 
security patch which has been applied to those branches.

**Manual Patching**

The 16.10 patch can apply cleanly to 17.01 as well and can be fetched using:

wget https://gist.githubusercontent.com/jmchilton/760bf8ba6055b9a47a48529fcc49a493/raw/01bc98e5a8067a435f38d7cf4fda4e304c4425a2/2017augsecurity_1610.patch

The 17.05 patch can be fetched using:

wget https://gist.githubusercontent.com/jmchilton/2623e37a2ccb1820770278e348dfefe5/raw/20e225df42e0d4d867f71590536e710af0d7cd08/2017augsecurity_1705.patch

Once the patch has been downloaded and copied to the root of your Galaxy 
directory, it can be applied using the following patch command:

    % patch -p1 < 2017augsecurity_1610.patch

    % patch -p1 < 2017augsecurity_1705.patch

If you are having trouble applying the patch feel free to email
galaxy-committers at lists.galaxyproject.org and we will try to help.

-Eric (on behalf of the Galaxy Committers)

Post script: this mail was intended to go out on Thursday the 24th of 
August, however I failed to send it then. My apologies to the community, 
it will be more timely in the future.
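
The manual patching steps above can be wrapped in a dry-run check so that a patch which does not match the tree changes nothing. This is an added example, not part of the original mail or the Galaxy project's tooling; it assumes GNU patch, and the function name and return codes are hypothetical conventions of this example.

```shell
# Added example: assumes GNU patch. Return codes are this example's own convention:
#   0 = applied now, 3 = already applied, 1 = does not apply cleanly, 2 = bad arguments.
# Usage (placeholder path): apply_security_patch /path/to/galaxy 2017augsecurity_1705.patch
apply_security_patch() {
    root=$1        # Galaxy root directory
    patch_file=$2  # downloaded patch file
    [ -d "$root" ] && [ -f "$patch_file" ] || return 2
    # Make the patch path absolute because we change directory below.
    case $patch_file in
        /*) ;;
        *) patch_file=$PWD/$patch_file ;;
    esac
    (
        cd "$root" || exit 2
        # Forward dry run: succeeds only if every hunk applies; writes nothing.
        if patch -p1 --dry-run --forward --batch < "$patch_file" >/dev/null 2>&1; then
            patch -p1 --forward --batch < "$patch_file" >/dev/null 2>&1 || exit 1
            exit 0
        fi
        # Reverse dry run: succeeds only if the tree already contains every hunk.
        if patch -p1 --dry-run --reverse --force < "$patch_file" >/dev/null 2>&1; then
            exit 3
        fi
        # Neither direction matches: wrong release branch or local modifications.
        exit 1
    )
}
```

A return code of 1 means the tree was left untouched, which is the case to raise with the committers list rather than forcing the patch.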
