Today we are announcing the release of SecureDrop 0.12.2. This point release adds hardware support for newer generation Intel NUCs via an updated kernel, improves the reliability of the backup script for large backups, and includes several other smaller fixes and updates. It will also disable Source Interface submissions on instances running Ubuntu 14.04 after April 30 (see our previous announcement).
Reminder: If you have not upgraded your SecureDrop servers to Ubuntu 16.04 yet, it is imperative for the security of your SecureDrop instance that you do so as soon as possible, and we strongly recommend doing it before April 30. Ubuntu 14.04 will not receive security updates after April 30, and no release after the 0.12 release series of SecureDrop will support Ubuntu 14.04.
What’s new in SecureDrop 0.12.2
- Behavior change: The warning about NoScript’s “cross-site request sanitization” feature has been removed from the submission screen of the Source Interface. As of Tor Browser 8.0.8, Tor includes a workaround for the underlying Firefox bug. The Firefox bug is now also fixed. (Issue, Pull Request)
- End-of-life for Ubuntu 14.04: After April 30, Ubuntu 14.04 reaches end-of-life for security updates. For security reasons, the Source Interface of SecureDrop instances running Ubuntu 14.04 will no longer accept submissions. Instead, it will show a simple maintenance notice: “We’re sorry, our SecureDrop is currently offline. Please try again later. Check our website for more information.” (Issue, Pull Request)
- Kernel update: SecureDrop kernels have been updated from version 4.4.167 to version 4.4.177 and now include network driver support for the chipset used by 7th generation Intel NUC models like the NUC7i5BNH. (Issue, Pull Request)
- Bugfix: Transferring large backup files from the SecureDrop servers to the Admin Workstation using the provided backup script should no longer fail with a “MemoryError”. (Pull Request)
- Bugfix: Sending an OSSEC test alert from the Journalist Interface now works again, and web application errors triggered by the Journalist Interface should generate OSSEC alerts as expected. (Issue, Pull Request)
- Bugfix: In previous releases, when more than one network interface was present on the Admin Workstation or the Journalist Workstation, multiple graphical updater windows would appear when a new release of SecureDrop was available. For SecureDrop updates after this one, only a single graphical updater window will appear. (Issue, Pull Request)
- Bugfix: On SecureDrop instances upgraded from Ubuntu 14.04 to Ubuntu 16.04, deleting a source in the Journalist Interface caused an AppArmor warning concerning access to /usr/bin/pinentry-gtk-2 to be reported as an OSSEC alert. This was due to an AppArmor policy issue. (Issue, Pull Request)
- Dependency updates / security: As a routine precaution for defense in depth, Ansible has been updated to version 2.6.14 (from 2.6.8), Jinja2 to version 2.10.1 (from 2.10), and SQLAlchemy to version 1.3.0 (from 1.2.0). (Pull Request)
What administrators need to do
Existing SecureDrop installations will be automatically updated to this point release. Your Admin and Journalist Workstations should alert you to the availability of workstation updates, which you can perform by clicking “Update Now”. If the graphical updater fails, please see our instructions.
Questions and comments
If you have any questions, please don’t hesitate to reach out: