[hxr@hx42.org: [SECURITY] 2017-08 security patch. Update now!]

classic Classic list List threaded Threaded
1 message Options
| Threaded
Open this post in threaded view
|

[hxr@hx42.org: [SECURITY] 2017-08 security patch. Update now!]

E. Rasche
Two high priority security vulnerabilities were recently discovered by
Eric Rasche and Manabu Ishii respectively. These vulnerabilities  were
to cross site scripting and session fixation attacks. Detailed
descriptions
of these categories of vulnerabilities can be found at:

- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://www.owasp.org/index.php/Session_fixation

Per our new security policies
(https://github.com/galaxyproject/galaxy/blob/dev/SECURITY_POLICY.md),
we have created patches for versions of Galaxy including 16.10, 17.01,
and 17.05.

**With Git**

If you have cloned Galaxy from the official GitHub repository and are on
a supported release_branch, you can simply `git pull` to pull in the
security patch which has been applied to those branches.

**Manual Patching**

The 16.10 patch can apply cleanly to 17.01 as well and can be fetched
using:

wget https://gist.githubusercontent.com/jmchilton/760bf8ba6055b9a47a48529fcc49a493/raw/01bc98e5a8067a435f38d7cf4fda4e304c4425a2/2017augsecurity_1610.patch

The 17.05 patch can be fetched using:

wget https://gist.githubusercontent.com/jmchilton/2623e37a2ccb1820770278e348dfefe5/raw/20e225df42e0d4d867f71590536e710af0d7cd08/2017augsecurity_1705.patch

Once the patch has been downloaded and copied to the root of your Galaxy
directory, it can be applied using the following patch command:

  % patch -p1  < 2017augsecurity_1610.patch

  -or-

    % patch -p1  < 2017augsecurity_1705.patch

If you are having trouble applying the patch feel free to email
[hidden email] and we will try to help.

-Eric (on behalf of the Galaxy Committers)

Post script: this mail was intended to go out on Thursday the 24th of
August, however I failed to send it then. My apologies to the community,
it will be more timely in the future.
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/