The release of the next version of SecureDrop, 0.6, is scheduled for March 13, 2018. We will send out another notification through this blog, Twitter, and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
What’s coming in SecureDrop 0.6?
- Bugfix: Layout problems at some screen resolutions have been fixed. (Issue, Pull Request 1, Pull Request 2)
- New feature / behavior change: Once you have updated the workstations using the old method (see below), it will be much easier to keep journalist and admin workstations up-to-date. From that point forward, you will be able to run (from within the ~/Persistent/securedrop directory on a workstation) the securedrop-admin check_for_updates command to check for updates, and the securedrop-admin update command to apply them. (Issue, Pull Request)
- New feature / behavior change: You should no longer manually edit the site-specific file to update the server configuration, or run the securedrop-admin sdconfig --force command. Instead, you can simply use the command securedrop-admin sdconfig to modify the configuration. (Issue, Pull Request)
- Bugfix: You can now configure a blank SASL domain for OSSEC email alerts without triggering a validation error. (Issue, Commit)
- Bugfix: You will no longer receive OSSEC alerts regarding Apache2’s ability to execute /usr/bin/file. These command invocations are a normal part of the web server’s operations, and the AppArmor profile has been updated to permit them. (Issue, Pull Request)
- Bugfix: If you attempt to reset a user’s two-factor token, you will be shown a confirmation prompt before the action is completed. This confirmation prompt is not new, but it was broken in a previous release. (Issue, Pull Request)
Major kernel upgrade
SecureDrop 0.6 will introduce substantial improvements to server kernels. Your SecureDrop application and monitoring servers will be automatically upgraded to kernel version 4.4.115.
Until now, the SecureDrop Project has been using Linux 3.14 kernels, which have reached end-of-life and are no longer receiving security updates. The SecureDrop kernels have been extensively hardened, and we are not aware of any vulnerabilities that can be exploited by an attacker without first obtaining code execution capabilities on a SecureDrop server.
The new Linux kernels will be supported until 2022. This upgrade is an important precaution and will ensure the timely application of future kernel security updates.
While these kernels have undergone extensive internal testing and we have not observed any errors, there may be some instances where there is hardware incompatibility, especially for SecureDrop instances using hardware not explicitly recommended in our documentation (see next section).
What administrators need to do
The update will be automatic on the Application and Monitor Servers. If you expect to run the new kernels against hardware other than our official hardware recommendations, we strongly recommend that you get in touch with us before the update, so we can help you anticipate and resolve any hardware compatibility issues. If you skip this step, there is significant outage risk associated with this update.
In order to discover any potential issues with the upgrade on your system, we would like to request that you run the below commands from the Admin Workstation Tails USB device. Doing so will enable our engineers to determine if the networking hardware installed on your servers is supported by the new kernel image we intend to ship.
    cd ~/Persistent/securedrop/
    source .venv/bin/activate
    cd install_files/ansible-base
    ansible all -b -m setup > server-facts.log
You can share the generated server-facts.log with us as follows:
- If you are a member of our Support Portal, please create a new issue and attach the file to it.
- Alternatively, email us at email@example.com (GPG encrypted) with the subject “SecureDrop kernel facts” and the file attached.
We will then verify that your hardware will work with the new kernels, and provide assistance if there are compatibility issues.
For the journalist and administrator Tails workstations, you will need to perform an update using the following manual method, which will make available the new securedrop-admin update command for future updates:
    cd ~/Persistent/securedrop
    git checkout 0.6
    gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
    git tag -v 0.6 # Output should include "Good signature"
    ./securedrop-admin setup
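A "Good signature" line only shows that some key in the local keyring signed the tag, so the following added example (not SecureDrop project code) also checks that the signer's fingerprint is the release key named in the gpg --recv-key command above. The function names are hypothetical; it assumes a git version that supports `git verify-tag --raw`.

```shell
#!/bin/sh
# Added example, not part of the SecureDrop tooling.
# Release key fingerprint, copied from the gpg --recv-key command on this page.
EXPECTED_FPR="2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"

# Strip spaces and upper-case hex digits so fingerprints compare exactly.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read GnuPG status lines on stdin. Succeed only if a VALIDSIG line names the
# expected key, either as the signing key (field 3) or as its primary key
# (last field, present when a subkey made the signature). A signature made by
# a revoked key (REVKEYSIG) is treated as a failure.
status_signed_by() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "REVKEYSIG" { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit !(ok && !bad) }'
}

# Verify a tag in the current repository against EXPECTED_FPR.
verify_release_tag() {
    tag=$1
    # --raw makes git print gpg's machine-readable status lines on stderr;
    # a non-zero exit from git means the signature did not verify at all.
    status=$(git verify-tag --raw "$tag" 2>&1 >/dev/null) || return 1
    printf '%s\n' "$status" | status_signed_by "$EXPECTED_FPR"
}

# Usage, from within ~/Persistent/securedrop:
#   verify_release_tag 0.6 && echo "tag 0.6 is signed by the expected key"
```
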
Questions and Comments
If you have questions or comments regarding this release, you can reach us in the following ways:
- Via our Support Portal, if you are a member (membership is approved on a case-by-case basis);
- Via firstname.lastname@example.org (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!