We are pleased to announce the release of SecureDrop 0.13.0. Changes that sources, journalists, and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

Important: This release is only being issued to servers running Ubuntu 16.04 as their operating system. If you are still running Ubuntu 14.04, we urge you to reinstall SecureDrop as soon as possible.

What’s new in SecureDrop 0.13.0?

For sources

• Bugfix: If a user attempts to create more than one source account in a single session (e.g., by logging in through two separate tabs), this no longer results in a broken session state in which every subsequent page request fails with a server error. (Issue, Pull Request)
• UI fix: When a source that was “flagged for reply” logs in again, the message shown to the source no longer incorrectly states that “we put a hold on sending all documents from that day through to our journalists”. (Issue, Pull Request)

For administrators

• Compatibility: This release removes all remaining support for Ubuntu 14.04, which reached end-of-life on April 30. Installations still running on Ubuntu 14.04 servers will not receive this update, but their administrators are urged to re-install as soon as possible (see below). (Issue, Pull Requests: 1 2 3 4 5)
• Dependency update: The pyca/cryptography library has been updated from version 2.0.3 to version 2.6.1 as a precaution. The update was previously held back due to issues with Ubuntu 14.04 compatibility. (Issue, Pull Request)
• Dependency removal: The jQuery JavaScript library is no longer used on the Source or Journalist Interface. (Issue, Pull Request)
• Web server configuration update: The web server configuration for the Journalist Interface has been updated to permit use of the DELETE HTTP method, which is used by some Journalist Interface API methods. (Issue, Pull Request)

For developers

• Journalist Interface API changes:

• New feature: A new /logout endpoint allows for authorization token revocation. (Issue, Pull Request, Documentation)
• New feature: The /source and /sources endpoints now provide fingerprints of sources’ public keys, along with the keys themselves. (Issue, Pull Request, Documentation)
• Bugfix: Endpoints that return submission or reply files now provide the SHA-256 checksum of the file as an ETag header, instead of providing the same checksum for every request. (Issue, Pull Request)

What administrators need to do

SecureDrop Application and Monitor Server code will be updated to SecureDrop 0.13.0 automatically within 24 hours of the release. As with previous releases, we recommend that you update your Tails workstations to the latest version of Tails and the latest version of SecureDrop; please see our instructions for details.

If you are still running Ubuntu 14.04 on your servers, they will not receive this update, and we urge you to take them offline and prepare to reinstall SecureDrop. Ubuntu 14.04 has reached end-of-life for security updates on April 30, 2019. While the Source Interface on installations running Ubuntu 14.04 will no longer accept submissions, keeping your installation online with this version still carries significant security risks. Please see our previous advisory for details.

Acknowledgments

This release was made possible thanks to volunteer code and documentation contributions by Dalek-Sec, Darren Fix, Laura Beaufort, and Ying Wang.

The translations for all supported languages were updated thanks to the work of many volunteers:

• Arabic: Ahmad Gharbeia
• Chinese: Chi-Hsun Tsai
• Dutch: Thom, Yarno Ritzen
• French: AO
• German: Robin Schubert
• Greek: Dimitris Maroulidis, Adrian
• Hindi: Drashti
• Icelandic: Oktavia, Sveinn í Felli
• Italian: Claudio Arseni
• Norwegian: Øyvind Bye Skille, Allan Nordhøy
• Portuguese: communiaa
• Romanian: robbpa
• Russian: Maria Ovsyannikova, Bogdan Kulynych
• Spanish: Zuhualime Akoochimoya, Pablo Di Noto
• Swedish: Jonas Franzén, Allan Nordhøy
• Turkish: Maria Ovsyannikova, Bogdan Kulynych

Thanks to the Localization Lab for supporting this effort. Kushal Das acted as the Localization Manager for this release, and John Hensley was the Deputy Localization Manager.

Questions and comments

If you have questions or comments regarding this release, please don't hesitate to reach out:

• Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
• Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
• Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!