The release of the next version of SecureDrop, 0.13.0, is scheduled for May 29, 2019. We will send out another notification through this blog, Twitter, and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

What’s coming in SecureDrop 0.13.0?

For sources

• Bugfix: If the same source is creating more than one source account at a time (e.g., by logging in through two separate tabs), this will no longer result in a broken session state in which every subsequent page request fails with a server error. (Issue, Pull Request)
• UI fix: When a source that was “flagged for reply” logs in again, the message shown to the source will no longer incorrectly state that “we put a hold on sending all documents from that day through to our journalists”. (Issue, Pull Request)

For administrators

• Compatibility: This release will remove all remaining support for Ubuntu 14.04, which reached end-of-life on April 30. Installations still running on Ubuntu 14.04 servers will not receive this update, but their administrators are urged to re-install as soon as possible (see below). (Issue, Pull Requests: 1 2 3 4 5)
• Dependency update: The pyca/cryptography library will be updated from version 2.0.3 to version 2.6.1 as a precaution. The update was previously held back due to issues with Ubuntu 14.04 compatibility. (Issue, Pull Request)
• Dependency removal: The jQuery JavaScript library will no longer be used on the Source or Journalist Interface. (Issue, Pull Request)
• Web server configuration update: The web server configuration for the Journalist Interface will be updated to permit use of the DELETE HTTP method, which is used by some Journalist Interface API methods. (Issue, Pull Request)

For developers

• Journalist Interface API changes:

• New feature: A new /logout endpoint will allow for authorization token revocation. (Issue, Pull Request, Documentation)
• New feature: The /source and /sources endpoints will now provide fingerprints of sources’ public keys, along with the keys themselves. (Issue, Pull Request, Documentation)
• Bugfix: Endpoints that return submission or reply files will now provide the SHA-256 checksum of the file as an ETag header, instead of providing the same checksum for every request. (Issue, Pull Request)

What administrators will need to do

SecureDrop Application and Monitor Server code will be updated to SecureDrop 0.13.0 automatically. As with previous releases, you should be able to update your workstations using the graphical updater; we will include instructions for performing the workstation update manually in case of issues.

If you are still running Ubuntu 14.04 on your servers, they will not receive this update, and we urge you to take them offline and prepare to reinstall SecureDrop. Ubuntu 14.04 has reached end-of-life for security updates on April 30, 2019. While the Source Interface on installations on Ubuntu 14.04 will no longer accept submissions, keeping your servers running on this version still carries significant security risks. Please see our previous advisory.

Questions and comments

If you have questions or comments regarding this release, please don't hesitate to reach out:

• Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
• Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
• Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!