The release of the next version of SecureDrop, 0.10.0, is scheduled for October 23, 2018. We will send out another notification through this blog, Twitter, and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
What’s coming in SecureDrop 0.10.0?
- User interface change: The width of the password input on the login screen will be increased to accommodate long passphrases. (Issue, Pull Request)
- Upgrade: OSSEC will be upgraded from version 2.8.2 to version 3.0.0 on your servers. This update includes a large number of bug fixes, including two security fixes. (Release Logs, Issue, Pull Request)
- Kernel configuration: If you have previously downgraded to an earlier version of the Linux kernel on your servers, this release will enforce selection of the most recent available version (4.4.144) as the default kernel. The 3.14.x series kernel, which has reached end-of-life, will be removed completely with SecureDrop 0.11.0, scheduled for December 11. (Issue, Pull Request)
- Security: As a precaution, this release will ship an updated version of the paramiko library, an implementation of the SSHv2 protocol used by securedrop-admin. The update addresses a vulnerability which does not affect SecureDrop’s use of the library. (Issue, Pull Request)
What administrators will need to do
SecureDrop Application and Monitor Server code will be updated automatically.
On a subsequent boot of your SecureDrop Journalist and Admin Workstations, the SecureDrop Workstation Updater will alert you to workstation updates. Choose "Update Now" on each of the workstations.
Please note that this only updates the SecureDrop code on the workstation. Tails upgrades must be performed separately.
If you have not yet updated to the graphical updater, you can update as follows:
cd ~/Persistent/securedrop
git fetch --tags
gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 0.10.0
The output should include the following two lines:
gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"
Please verify that each character of the fingerprint above matches what you see on the screen of your workstation. If it does, you can check out the new release:
git checkout 0.10.0
Important: Please verify that the output of this command does not contain the text "warning: refname '0.10.0' is ambiguous". If you do see this warning, we recommend that you contact us immediately at firstname.lastname@example.org (GPG encrypted).
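The two checks above (the fingerprint comparison and the ambiguous-refname warning) can be done mechanically rather than by eye. The script below is an added example, not SecureDrop project code: the function names are illustrative, the expected fingerprint is the release signing key quoted above, and the sample outputs are constructed to mimic the gpg and git lines quoted in this post.

```shell
#!/bin/sh
# Added example, not SecureDrop project code: mechanical checks for the
# manual update steps. Function names are illustrative; sample outputs are
# constructed to mimic the gpg/git lines quoted in the announcement.

EXPECTED_FPR="22245C81E3BAEB4138B36061310F561200F4AD77"   # release signing key fingerprint from the announcement
RELEASE_TAG="0.10.0"

# verify_tag_output TEXT: succeed only if `git tag -v` output names the
# expected key, reports a good signature from the release key, and has no
# BAD signature line. Fixed-string (-F) matching, so a partial fingerprint
# or a look-alike key id never passes.
verify_tag_output() {
    printf '%s\n' "$1" | grep -qF "gpg: using RSA key $EXPECTED_FPR" || return 1
    printf '%s\n' "$1" | grep -qF 'gpg: Good signature from "SecureDrop Release Signing Key"' || return 1
    if printf '%s\n' "$1" | grep -qF 'gpg: BAD signature'; then return 1; fi
    return 0
}

# checkout_is_ambiguous TEXT: succeed if `git checkout` warned that another
# ref shares the release name (the case the announcement asks you to report).
checkout_is_ambiguous() {
    printf '%s\n' "$1" | grep -qF "warning: refname '$RELEASE_TAG' is ambiguous"
}

# verify_release: run the real commands in the current checkout, refusing to
# proceed if the signature check fails and flagging an ambiguous refname.
# Requires git and gpg; not called by the demo below.
verify_release() {
    git fetch --tags || return 1
    verify_tag_output "$(git tag -v "$RELEASE_TAG" 2>&1)" || { echo "tag signature check failed"; return 1; }
    out="$(git checkout "$RELEASE_TAG" 2>&1)"
    if checkout_is_ambiguous "$out"; then echo "refname is ambiguous: report this"; return 1; fi
    return 0
}

# Constructed samples (not captured from a real workstation).
SAMPLE_GOOD='gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"'
SAMPLE_WRONG_KEY='gpg: using RSA key 0000000000000000000000000000000000000000
gpg: Good signature from "SecureDrop Release Signing Key"'
SAMPLE_AMBIGUOUS="warning: refname '0.10.0' is ambiguous.
Switched to branch '0.10.0'"

verify_tag_output "$SAMPLE_GOOD" && echo "good sample: signature accepted"
verify_tag_output "$SAMPLE_WRONG_KEY" || echo "wrong-key sample: rejected"
checkout_is_ambiguous "$SAMPLE_AMBIGUOUS" && echo "ambiguous sample: warning detected"
```

Note that gpg also prints a "This key is not certified with a trusted signature" warning when the release key is not in your web of trust; that warning is expected and does not affect the checks above.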
Finally, run the following command:
Action may be required for instances with downgraded kernels
If you have previously downgraded your kernel to version 3.14.x, this release will switch the default kernel on your Application and Monitor Servers to version 4.4.144. We have tested this kernel extensively on common hardware configurations. If you do experience issues with this kernel, please follow our kernel troubleshooting guide.
Important: The 3.14.x series kernel will be removed with release 0.11.0 (scheduled for December 11). Please report any compatibility issues to us immediately to avoid extended downtime.
Questions and comments
If you have questions or comments regarding this release, please don't hesitate to reach out:
- Via our Support Portal, if you are a member (membership is approved on a case-by-case basis);
- Via email@example.com (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!