We are pleased to announce the release of SecureDrop 0.12.0. Changes that sources, journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
Important: This release is the first to support Ubuntu 16.04 (Xenial). All existing SecureDrop installations must manually be upgraded from Ubuntu 14.04 (Trusty) to Ubuntu 16.04 before April 30; please see below for details.
What’s new in SecureDrop 0.12.0?
For sources
- Behavior change: This release instructs sources to disable the “cross-site request sanitization” feature in NoScript before uploading files. This NoScript feature, which is turned on by default, sometimes causes uploads to fail due to a bug in Firefox. We will remove these instructions once the Firefox bug is resolved. (Issue, Pull Request)
For journalists
- New feature: You can now tick a “show password” checkbox on the login screen to show your password while you are typing. (Issue, Pull Request)
For administrators
- Support for Ubuntu 16.04 (Xenial): SecureDrop 0.12.0 is the first version to support Ubuntu 16.04 (Xenial) as the base operating system for the Application Server and the Monitor Server. Because Ubuntu 14.04 (Trusty) will stop receiving security updates after April 30, it is of critical importance for the security of your SecureDrop instance to manually update the servers before then; see details below. (Tracking issue)
- New languages: SecureDrop is now available in Romanian and Icelandic. You can enable these or any other supported languages following our documentation.
- Security: As a precaution to reduce the amount of metadata stored about sources, GPG key pairs generated for new sources for replies no longer have an expiration date, and they always use the same creation date. This change has no visible user impact. (Issue, Pull Request)
- New feature: The
securedrop-admin logs
command now includes information about installed packages to aid with debugging. (Issue, Pull Request) - Kernel upgrade / security: The Linux kernel on SecureDrop servers has been upgraded from version 4.4.162 to version 4.4.167. For security reasons, wireless support has been completely removed (rather than blacklisted) in this kernel release. (Issue, Pull Request)
- Behavior change: The order of operations during nightly SecureDrop package updates has been changed to make the servers more resilient against package update failures. Note that if your SecureDrop instance failed to upgrade from 0.10.0 to 0.11.0, manual action is still required. (Issue, Pull Request)
- Upgrade: On servers running Ubuntu 16.04, Tor has been upgraded from version 0.3.4.9 to version 0.3.5.7 on Application and Monitor Servers. See the Tor changelog for details. (Issue)
For developers
Journalist Interface API changes:
- New feature: API consumers can now specify a reply UUID when posting a reply. (Issue, Pull Request)
- New feature: The API now returns the filenames of replies created through the API, to enable consumers to correctly order replies. (Issue, Pull Request)
- New feature: The API now returns the UUID of the signed in journalist together with an authorization token, to avoid the need for a a separate API request for user data. (Issue, Pull Request)
- Bugfix: The API no longer sets unnecessary session cookie headers. (Issue, Pull Request)
- Bugfix: The API now correctly returns the public key of the specified source, instead of sometimes returning the public keys of all sources. (Issue, Pull Request)
- Bugfix: The API now correctly responds with a 403 error when receiving malformed authorization tokens, instead of an internal server error due to an uncaught exception. (Issue, Pull Request)
Metadata endpoint update: The publicly accessible SecureDrop metadata endpoint at yoursourceinterfaceaddress.onion/metadata now includes an operating system version string, e.g., “14.04” or “16.04”. (Issue, Pull Request)
What administrators need to do
Please see the upgrade guide from SecureDrop 0.11.1 to SecureDrop 0.12.0 in our documentation. This also includes detailed instructions for upgrading your server base operating system from Ubuntu 14.04 to Ubuntu 16.04.
Acknowledgments
This release was made possible thanks to volunteer code and documentation contributions by Abhishek Nagekar, deeplow, Garrett Robinson, heartsucker, Loganaden Velvindron and nightwarrior-xxx.
The translations for all supported languages were updated thanks to the work of many volunteers:
- Arabic: Ahmed Essam, A. Nonymous, ButterflyOfFire, Ahmad Gharbeia
- Chinese: Chi-Hsun Tsai
- Dutch: kwadronaut
- French: AO
- German: Ettore Atalan, Robin Schubert
- Greek: Dimitris Maroulidis, boublis, A. Nonymous, pierwill, Adrian, Loic Dachary
- Hindi: Chandan Kumar
- Icelandic (new): Oktavia, Sveinn í Felli
- Norwegian: Øyvind Bye Skille, Allan Nordhøy
- Portuguese: communiaa, EBonsi
- Romanian (new): robbpa, Jobava, Loic Dachary
- Spanish: Zuhualime Akoochimoya
- Swedish: Jonas Franzén, Allan Nordhøy
- Turkish: Kaya Zeren, Volkan, tekrei
Kushal Das acted as the internationalization coordinator for this release. Thanks to Erin M. from Localization Lab for providing review and support for the localization of this release.
Questions and comments
If you have questions or comments regarding this release, please don't hesitate to reach out:
- Via our Support Portal, if you are a member (membership is approved on a case-by-case basis);
- Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!