[Gmod-tripal-devel] Tripal BLAST Security Release


[Gmod-tripal-devel] Tripal BLAST Security Release

Kucheran, Lacey Sanderson
Hi Everyone,

If you are using Tripal BLAST UI, be advised that a security release was made available today. Please update your Tripal sites ASAP!

This can be done using drush:
drush pm-update tripal_blast

Security Release:
    
       * Advisory ID: DRUPAL-SA-CONTRIB-2016-054
       * Project: Tripal BLAST UI [1]     (third-party module)
       * Version: 7.x
       * Date: 2016-October-26
       * Security risk: 20/25 (Highly Critical)
         AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
       * Vulnerability: Remote code execution
    
    ———— DESCRIPTION ———— 
    
    This module enables you to run NCBI BLAST jobs on the host system.
    
    The module doesn't sufficiently validate advanced options available to users
    submitting BLAST jobs, thereby exposing the ability to enter a short snippet
    of shell code that will be executed when the BLAST job is run.
    
    This vulnerability only requires the attacker to have minimal permissions on
    the site (for example, "View published content") and therefore can be
    exploited by untrusted or unauthenticated users in most cases.

~Lacey

------------------------------------------------------
Lacey-Anne Sanderson
Bioinformaticist
Pulse Crop Breeding and Genetics
Phone: (306) 966-3208
Room 2C33 Agriculture
Department of Plant Sciences
University of Saskatchewan

_______________________________________________
Gmod-tripal-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/gmod-tripal-devel
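The advisory above says the module passed user-supplied "advanced options" to the BLAST job without sufficient validation, so a shell snippet in an option value ran on the host. The example below is an added, constructed illustration of the fix pattern (not the Tripal BLAST UI's own code, which is PHP): every advanced option is looked up in an allowlist, each value is checked against a strict pattern or enumeration, and the command is assembled as an argv list executed without a shell. The option names (`-evalue`, `-task`, `-word_size`, etc.) are real blastn flags; the field names, ranges and sample submissions are assumptions made for the example.

```python
"""Allowlist validation of BLAST 'advanced options' before they reach the host.

Constructed example: the option table, ranges and sample inputs are assumptions,
not the Tripal BLAST UI module's own configuration.
"""
import re
import subprocess
from typing import Callable, Dict, List

Check = Callable[[str], str]  # accepts raw form input, returns canonical value or raises


def _number_in_range(lo: float, hi: float) -> Check:
    """Accept only a plain decimal/scientific literal (no shell metacharacters can match)."""
    def check(raw: str) -> str:
        s = raw.strip()
        if not re.fullmatch(r"[0-9]+(\.[0-9]+)?([eE]-?[0-9]+)?", s):
            raise ValueError(f"not a number: {raw!r}")
        if not lo <= float(s) <= hi:
            raise ValueError(f"out of range: {s}")
        return s
    return check


def _int_in_range(lo: int, hi: int) -> Check:
    def check(raw: str) -> str:
        s = raw.strip()
        if not re.fullmatch(r"[0-9]+", s) or not lo <= int(s) <= hi:
            raise ValueError(f"bad integer: {raw!r}")
        return s
    return check


def _one_of(*allowed: str) -> Check:
    """Enumerated values are compared exactly; anything else is rejected."""
    def check(raw: str) -> str:
        s = raw.strip()
        if s not in allowed:
            raise ValueError(f"not one of {allowed}: {raw!r}")
        return s
    return check


# Form field -> (blastn flag, validator).  Unknown fields are refused outright.
ADVANCED_OPTIONS: Dict[str, tuple] = {
    "evalue":          ("-evalue",          _number_in_range(0.0, 1000.0)),
    "max_target_seqs": ("-max_target_seqs", _int_in_range(1, 5000)),
    "word_size":       ("-word_size",       _int_in_range(4, 64)),
    "task":            ("-task", _one_of("blastn", "megablast", "dc-megablast", "blastn-short")),
    "dust":            ("-dust", _one_of("yes", "no")),
}

# The program itself is chosen from a fixed set, never taken from free text.
_program_check = _one_of("blastn", "blastp", "blastx", "tblastn", "tblastx")


def validate_advanced_options(submitted: Dict[str, str]) -> Dict[str, str]:
    """Return {flag: value} for recognised, well-formed options; raise on anything else."""
    clean: Dict[str, str] = {}
    for field, raw in submitted.items():
        if field not in ADVANCED_OPTIONS:
            raise ValueError(f"unknown advanced option: {field!r}")
        flag, check = ADVANCED_OPTIONS[field]
        clean[flag] = check(raw)
    return clean


def options_accepted(submitted: Dict[str, str]) -> bool:
    """Convenience predicate: True if the submission passes validation."""
    try:
        validate_advanced_options(submitted)
        return True
    except ValueError:
        return False


def build_blast_argv(program: str, query_path: str, db_path: str,
                     submitted: Dict[str, str]) -> List[str]:
    """Assemble the command as a list; no string is ever interpreted by a shell."""
    argv = [_program_check(program), "-query", query_path, "-db", db_path, "-outfmt", "5"]
    for flag, value in validate_advanced_options(submitted).items():
        argv += [flag, value]
    return argv


def run_blast(argv: List[str]) -> str:
    # shell=False is the default, stated explicitly: argv goes straight to execve().
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed submissions: one well-formed, one carrying a shell metacharacter.
    print(build_blast_argv("blastn", "/tmp/query.fa", "/tmp/db/nt",
                           {"evalue": "1e-5", "task": "megablast"}))
    print("injection-shaped value accepted?",
          options_accepted({"evalue": "1e-5; echo injected"}))  # False
```

Two layers do the work: the allowlist plus per-option validators reject any value that is not a number or an enumerated token, and the argv-list execution means that even a value that slipped through would be handed to the BLAST binary as a single argument rather than parsed by `/bin/sh`. In PHP, the equivalent of the second layer is building the command from an allowlist and wrapping each value in `escapeshellarg()`, but the first layer (refuse unknown options and malformed values) is what prevents the "short snippet of shell code" the advisory describes from ever being accepted.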

Re: [Gmod-tripal-devel] Tripal BLAST Security Release

Kucheran, Lacey Sanderson
Quick Clarification:
You only need to update Tripal Blast, NOT all of Tripal. The update will not cause any interruptions on your site and all previously submitted jobs will be run normally.

Update by running
drush pm-update tripal_blast
on the command-line and then check [yoursite]/admin/reports/updates to ensure that Tripal BLAST is at version 7.x-1.2

~Lacey

------------------------------------------------------
Lacey-Anne Sanderson
Bioinformaticist
Pulse Crop Breeding and Genetics
Phone: (306) 966-3208
Room 2C33 Agriculture
Department of Plant Sciences
University of Saskatchewan

On October 26, 2016 at 1:46:08 PM, Kucheran, Lacey Sanderson ([hidden email]) wrote: