We are pleased to announce the release of SecureDrop 0.10.0. This release includes an update of the OSSEC monitoring software. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
What’s new in SecureDrop 0.10.0?
- User interface change: The width of the password input on the login screen has been increased to accommodate long passphrases. (Issue, Pull Request)
- Upgrade: OSSEC has been upgraded from version 2.8.2 to version 3.0.0 on your servers. This update includes a large number of bug fixes, including two security fixes. (Release Logs, Issue, Pull Request)
- Kernel configuration: If you have previously downgraded to an earlier version of the Linux kernel on your servers, this release enforces selection of the most recent available version (4.4.144) as the default kernel. The 3.14.x series kernel, which has reached end-of-life, will be removed completely in SecureDrop 0.11.0, scheduled for December 11. (Issue, Pull Request)
- Security: A source can no longer delete journalist replies to another source by correctly guessing the file name of that reply. File names incorporate the randomly generated journalist designation assigned to each source, so they are not practical to guess, and the issue does not affect the confidentiality of replies. We therefore assess the exploitability and impact of this vulnerability as low. Source submissions and messages are not affected by this bug. The fix is applied automatically as part of the 0.10.0 update. (Issue, Pull Request)
- Security: As a precaution, this release ships an updated version of the paramiko library, the SSHv2 implementation used by securedrop-admin. The update addresses a vulnerability in paramiko that does not affect SecureDrop's use of the library. (Issue, Pull Request)
What administrators need to do
SecureDrop Application and Monitor Server code will be updated automatically.
On a subsequent boot of your SecureDrop Journalist and Admin Workstations, the SecureDrop Workstation Updater will alert you to workstation updates. Choose "Update Now" on each of the workstations.
Please note that this only updates the SecureDrop code on the workstation. Tails upgrades must be performed separately.
If your workstations do not yet have the graphical updater, you can update manually as follows:
git fetch --tags
gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 0.10.0
The output should include the following two lines:
gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"
Please verify that each character of the fingerprint above matches what you see on the screen of your workstation. The key's name alone proves nothing, since anyone can create a key with the same name; only a full fingerprint match does. If it matches, you can check out the new release:
git checkout 0.10.0
Important: Please verify that the output of this command does not contain the text "warning: refname '0.10.0' is ambiguous". This warning means another ref (for example a branch) shares the tag's name, so the checkout may not be the signed tag. If you do see this warning, we recommend that you contact us immediately at firstname.lastname@example.org (GPG encrypted).
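The two checks in the steps above (a good signature made by the full release-key fingerprint, and no ambiguous refname on checkout) are easy to get subtly wrong by eye. The following POSIX sh script is an added example written for this post, not part of SecureDrop or securedrop-admin: it parses the combined output of `git tag -v` and `git checkout` and refuses anything short of a full fingerprint match. The sample gpg and git output it checks is constructed for the example; the fingerprint is the release signing key fingerprint quoted above.

```shell
# Added example for the manual update steps above (not SecureDrop's own tooling).
# Release signing key fingerprint as quoted in this post, in gpg's spaced form.
RELEASE_FPR="2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"

# Drop spaces and normalise case so the spaced form above compares equal to the
# compact 40-hex-digit form that gpg prints on its "using RSA key" line.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# check_tag_signature OUTPUT EXPECTED_FPR
# OUTPUT is the combined stdout+stderr of `git tag -v <tag>`. Returns 0 only if
# gpg reports a good signature AND the signing key is the full expected
# fingerprint. The user ID on the key ("SecureDrop Release Signing Key") is
# attacker-choosable, so it is checked but never trusted on its own, and a short
# key ID (8 or 16 hex digits, as older gpg versions print) is rejected because
# short key IDs are cheap to collide.
check_tag_signature() {
    output=$1
    want=$(normalize_fpr "$2")

    if printf '%s\n' "$output" | grep -q 'BAD signature'; then
        echo "refusing: gpg reported a BAD signature" >&2
        return 1
    fi
    if ! printf '%s\n' "$output" | grep -q 'Good signature from "SecureDrop Release Signing Key"'; then
        echo "refusing: no good signature from the release signing key" >&2
        return 1
    fi

    # Pull the hex after "using <algo> key" (or "key ID" on old gpg versions).
    got=$(printf '%s\n' "$output" \
        | sed -n 's/^gpg: .*using [A-Za-z0-9]* key \(ID \)*\([0-9A-Fa-f]*\).*$/\2/p' \
        | head -n 1)
    if [ "${#got}" -ne 40 ]; then
        echo "refusing: gpg reported key '$got', not a full 40-digit fingerprint" >&2
        return 1
    fi
    if [ "$(normalize_fpr "$got")" != "$want" ]; then
        echo "refusing: signing key $got is not the release key $want" >&2
        return 1
    fi
    return 0
}

# check_checkout_output OUTPUT
# OUTPUT is the combined stdout+stderr of `git checkout <tag>`. Git warns
# "refname '<tag>' is ambiguous" when another ref (typically a branch) shares
# the tag's name; `git checkout` then may have used the branch rather than the
# signed tag, so this is treated as a hard failure, not a caution.
check_checkout_output() {
    if printf '%s\n' "$1" | grep -q "refname '.*' is ambiguous"; then
        echo "refusing: ambiguous refname, the checkout may not be the signed tag" >&2
        return 1
    fi
    return 0
}

# verify_release TAG: the real workflow, run inside the securedrop checkout after
# `git fetch --tags` and the `gpg --recv-key` step. gpg writes to stderr, hence 2>&1.
verify_release() {
    tag=$1
    tag_out=$(git tag -v "$tag" 2>&1) || { printf '%s\n' "$tag_out" >&2; return 1; }
    check_tag_signature "$tag_out" "$RELEASE_FPR" || return 1
    co_out=$(git checkout "$tag" 2>&1) || { printf '%s\n' "$co_out" >&2; return 1; }
    check_checkout_output "$co_out"
}

# Constructed sample output, modelled on the lines quoted in this post. The
# "[unknown]" trust marker and the WARNING line are what gpg prints for a key
# you have not certified; the manual fingerprint comparison is what stands in
# for that certification.
SAMPLE_OK='gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!'

# Constructed: same user ID on a different (hypothetical, all-zero) key.
SAMPLE_WRONG_KEY='gpg: using RSA key 0000000000000000000000000000000000000000
gpg: Good signature from "SecureDrop Release Signing Key" [unknown]'

# Constructed: old-style gpg output that shows only a short key ID.
SAMPLE_SHORT_ID='gpg: Signature made using RSA key ID 00F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"'

# Constructed: the checkout warning this post tells you to watch for.
SAMPLE_AMBIGUOUS="warning: refname '0.10.0' is ambiguous.
Note: checking out '0.10.0'."
```

Call `verify_release 0.10.0` from the securedrop checkout. Note that the checker rejects the older gpg output format that reports only a short key ID, and that it fails on the ambiguity warning rather than merely printing it, in line with the advice above to stop and report the warning rather than proceed.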
Finally, run the following commands:
Action may be required for instances with downgraded kernels
If you have previously downgraded your kernel to version 3.14.x, this release will switch the default kernel on your Application and Monitor Servers to version 4.4.144. We have tested this kernel extensively on common hardware configurations. If you do experience issues with this kernel, please follow our kernel troubleshooting guide.
Important: The 3.14.x series kernel will be removed with release 0.11.0 (scheduled for December 11). Please report any compatibility issues to us immediately to avoid extended downtime.
The translations for all supported languages were updated thanks to the work of many volunteers:
- Dutch: kwadronaut
- German: kwadronaut
- Hindi: Drashti
- Norwegian: Allan Nordhøy
- Spanish: Pablo Di Noto
- Turkish: Erin McConnell
Kushal Das acted as the internationalization coordinator for this release.
Questions and comments
If you have questions or comments regarding this release, please don't hesitate to reach out:
- Via our Support Portal, if you are a member (membership is approved on a case-by-case basis);
- Via email@example.com (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!