Galaxy Security Notification

Nate Coraor (
A security vulnerability was recently discovered by Björn Grüning with Galaxy's "user impersonation" feature that can expose an administrator's active history to users whom they impersonate.  Only Galaxy instances with `allow_user_impersonation = True` set in their configurations are affected, and only if an administrator makes use of the impersonation feature.  By default, user impersonation is disabled.

A fix (id: 9d42f1e32efb) has been provided in the stable branch of Galaxy.  To apply the fix, ensure you are on the stable branch and upgrade to the latest changeset:

  % hg branch

  % hg pull -u

For Galaxy installations on relatively old versions that administrators are not yet ready to upgrade, there are three workarounds.  First, the patch can be downloaded and applied manually:

  % wget -O security.patch

and then:

  % hg patch security.patch

or:

  % patch -p1 < security.patch

Second, the impersonation feature can be disabled by setting the following option in Galaxy's configuration file:

  allow_user_impersonation = False

In all of the above cases, the Galaxy server process(es) must be restarted for the change to take effect.

Third, the feature can be left enabled and unpatched, and the vulnerability can be worked around by educating administrators who use the feature.  As long as a new history is created by the administrator prior to switching to the impersonated user, no data will be exposed to the impersonated user.
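As an added illustration (not Galaxy's code; the classes, function names and sample data below are constructed for this example), the following Python models the session-state flaw described above and each of the defences: the vulnerable switch that carries the administrator's current history across, the administrator-side workaround of creating a new history first, the fixed switch that starts a fresh history for the impersonated user, and the configuration switch that disables the feature.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class History:
    owner: str                                  # user who owns the history
    datasets: List[str] = field(default_factory=list)


@dataclass
class Session:
    user: str
    is_admin: bool
    current_history: Optional[History] = None   # the "active" history


def new_history(session: Session) -> History:
    """Start a fresh, empty history for whoever the session currently is."""
    session.current_history = History(owner=session.user)
    return session.current_history


def _switch_user(session: Session, target: str, allow_impersonation: bool) -> None:
    """Common gate: only an admin, and only when the feature is enabled."""
    if not allow_impersonation or not session.is_admin:
        raise PermissionError("impersonation not permitted")
    session.user, session.is_admin = target, False


def impersonate_vulnerable(session: Session, target: str, allow: bool = True) -> Session:
    """Flawed pattern: the user changes but the admin's history stays current."""
    _switch_user(session, target, allow)
    return session


def impersonate_fixed(session: Session, target: str, allow: bool = True) -> Session:
    """Hardened pattern: give the impersonated user a fresh history on switch."""
    _switch_user(session, target, allow)
    new_history(session)
    return session


def exposed_datasets(session: Session) -> List[str]:
    """Datasets visible in the current history that the session user does not own."""
    h = session.current_history
    return [] if h is None or h.owner == session.user else list(h.datasets)


def run_scenarios() -> Dict[str, object]:
    # Constructed sample: an admin with a private dataset in the active history.
    def admin_session() -> Session:
        return Session("admin", True, History("admin", ["private.txt"]))
    results: Dict[str, object] = {}
    results["vulnerable"] = exposed_datasets(impersonate_vulnerable(admin_session(), "alice"))
    s = admin_session(); new_history(s)        # third workaround: new history first
    results["workaround"] = exposed_datasets(impersonate_vulnerable(s, "alice"))
    results["fixed"] = exposed_datasets(impersonate_fixed(admin_session(), "alice"))
    try:                                       # second workaround: feature disabled
        impersonate_vulnerable(admin_session(), "alice", allow=False)
        results["disabled"] = "allowed"
    except PermissionError:
        results["disabled"] = "blocked"
    return results
```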

Galaxy Team