Impact
An attacker can potentially replace the contents of public datasets resulting in data loss or tampering.
All supported versions of Galaxy are affected (i.e. 23.1, 23.2, 24.0, and 24.1). Unsupported versions are likely affected since prior to Galaxy moving to GitHub.
Patches
All supported branches of Galaxy (and more back to release_21.05) were amended with the below patch.
The same patch should work for all supported versions of Galaxy and out of support Galaxy versions back to Galaxy release 22.05. The patch can be found at: https://depot.galaxyproject.org/patch/GX-2024-0001/235f1d8b400708556732b9dda788c919ebf3bb80.patch.
The out of support Galaxy release 22.01 can be patched with https://depot.galaxyproject.org/patch/GX-2024-0001/15060a6cb222f2fcfc687d0f0260f1eb1b9c757b.patch and the 2 releases prior to that (namely 21.05 and 21.09) can be patched with https://depot.galaxyproject.org/patch/GX-2024-0001/022da344a02bafd604402ac8e253e0014f6e2e08.patch.
To apply the patch, navigate to the root of your Galaxy directory, then execute:
wget -O - "https://depot.galaxyproject.org/patch/GX-2024-0001/235f1d8b400708556732b9dda788c919ebf3bb80.patch" | patch -p1
or:
curl "https://depot.galaxyproject.org/patch/GX-2024-0001/235f1d8b400708556732b9dda788c919ebf3bb80.patch" | patch -p1
You can test application of the patch before applying it by adding the --dry-run flag to patch.
For the changes to take effect, you must restart all Galaxy server processes.
It is furthermore recommended to upgrade to the latest commit on the release_24.1 branch and apply the latest database migration. We recommend stopping all Galaxy processes and following https://docs.galaxyproject.org/en/master/admin/db_migration.html. The migration ensures that already affected datasets are protected from deletion.
Workarounds
You must apply the supplied patch or update to the release_21.05 branch or newer. There are no supported workarounds.
References
This vulnerability has been discovered and responsibly disclosed by @davelopez. The Galaxy Project is grateful for the help.
Impact
An attacker can potentially replace the contents of public datasets resulting in data loss or tampering.
All supported versions of Galaxy are affected (i.e. 23.1, 23.2, 24.0, and 24.1). Unsupported versions are likely affected since prior to Galaxy moving to GitHub.
Patches
All supported branches of Galaxy (and more back to release_21.05) were amended with the below patch.
The same patch should work for all supported versions of Galaxy and out of support Galaxy versions back to Galaxy release 22.05. The patch can be found at: https://depot.galaxyproject.org/patch/GX-2024-0001/235f1d8b400708556732b9dda788c919ebf3bb80.patch.
The out of support Galaxy release 22.01 can be patched with https://depot.galaxyproject.org/patch/GX-2024-0001/15060a6cb222f2fcfc687d0f0260f1eb1b9c757b.patch and the 2 releases prior to that (namely 21.05 and 21.09) can be patched with https://depot.galaxyproject.org/patch/GX-2024-0001/022da344a02bafd604402ac8e253e0014f6e2e08.patch.
To apply the patch, navigate to the root of your Galaxy directory, then execute:
or:
You can test application of the patch before applying it by adding the
--dry-runflag to patch.For the changes to take effect, you must restart all Galaxy server processes.
It is furthermore recommended to upgrade to the latest commit on the release_24.1 branch and apply the latest database migration. We recommend stopping all Galaxy processes and following https://docs.galaxyproject.org/en/master/admin/db_migration.html. The migration ensures that already affected datasets are protected from deletion.
Workarounds
You must apply the supplied patch or update to the release_21.05 branch or newer. There are no supported workarounds.
References
This vulnerability has been discovered and responsibly disclosed by @davelopez. The Galaxy Project is grateful for the help.