We are pleased to announce the release of SecureDrop 0.6. This release includes a major kernel upgrade. Please find background on this and other highlights from the release below, and see the complete list of changes for additional technical details.
What’s new in SecureDrop 0.6?
For journalists
- Bugfix: If you delete a collection or a document, you will now be asked to confirm the deletion even if JavaScript is disabled in the Tor web browser. Previously, the confirmation step was skipped if JavaScript was disabled. (Issue, Pull Request)
- Bugfix: Layout problems at some screen resolutions have been fixed. (Issue, Pull Request 1, Pull Request 2)
For administrators
- Upgrade: Tor has been upgraded to 0.3.2.10 on the Application and Monitor servers.
- Upgrade: The grsecurity-hardened Linux kernels have been upgraded to 4.4.115 on the Application and Monitor servers. This is a major upgrade; see below for details.
- New feature / behavior change: Once you have updated the workstations using the old method (see below), it will be much easier to keep Journalist Workstations and Admin Workstations up-to-date. From that point forward, you will be able to check for updates by running (from within the ~/Persistent/securedrop directory on a workstation) the securedrop-admin check_for_updates command to check for updates, and the securedrop-admin update command to apply them. (Issue, Pull Request)
- New feature / behavior change: You should no longer manually edit the site-specific file to update the server configuration, or run the securedrop-admin sdconfig --force command. Instead, you can simply use the command securedrop-admin sdconfig to modify the configuration. (Issue, Pull Request)
- Bugfix: This upgrade fixes a kernel misconfiguration that impacted some SecureDrop installs made between February 16, 2018 and March 13, 2018. The installed kernel was recent and fully patched, but not the preferred grsecurity kernel. See below for details.
- Bugfix: You can now configure a blank SASL domain for OSSEC email alerts without triggering a validation error. (Issue, Commit)
- Bugfix: You will no longer receive OSSEC alerts regarding Apache2’s ability to execute /usr/bin/file. These command invocations are a normal part of the web server’s operations, and the AppArmor profile has been updated to permit them. (Issue, Pull Request)
- Bugfix: If you attempt to reset a user’s two-factor token, you will be shown a confirmation prompt before the action is completed. This confirmation prompt is not new, but it was broken in a previous release. (Issue, Pull Request)
- Bugfix: To obtain a DigiCert Extended Validation Certificate for your .onion address, you need to prove ownership of that address by placing a file in a specific publicly accessible location. DigiCert altered that location, and our Apache configuration and Apache AppArmor profile have been updated to allow verification using the new location. (Issue, Pull Request)
Major kernel upgrade
SecureDrop 0.6 will introduce substantial improvements to server kernels. Your SecureDrop application and monitoring servers will be automatically upgraded to kernel version 4.4.115.
Until now, the SecureDrop Project has been using Linux 3.14 kernels which have reached end-of-life and are no longer receiving security updates. The SecureDrop kernels have been extensively hardened, and we are not aware of any vulnerabilities that can be exploited by an attacker without first obtaining code execution capabilities on a SecureDrop server.
The new Linux kernels will be supported until 2022. This upgrade is an important precaution and will ensure the timely application of future kernel security updates.
While these kernels have undergone extensive internal testing and we have not observed any errors, there may be some instances where there is hardware incompatibility, especially for SecureDrop instances using hardware not explicitly recommended in our documentation.
Automatic fix of misconfigured kernels
Through our testing process, we have uncovered a scenario where the Linux kernel may have been misconfigured for SecureDrop installs undertaken between February 16th and March 13th 2018.
For instances set up during this time window, SecureDrop may have booted into fully patched kernels (4.4.116) coming from the Ubuntu Trusty repository upon install, rather than the grsecurity-hardened 3.14.79 kernels prepared by the SecureDrop team.
The 4.4.116 kernels were backported to Ubuntu Trusty as part of Canonical's Spectre/Meltdown mitigation efforts, and were automatically installed due to the higher version number compared with SecureDrop's hardened grsecurity kernel.
As of this release, we automatically supercede kernels provided by Ubuntu’s repositories, which should address this misconfiguration for any and all running instances, whether or not they were installed during the 25 day window described above.
This is an automatic upgrade for all SecureDrop instances, and no user intervention is required. If you would like to confirm that your instance has booted in the correct kernels, ssh into the application and monitoring servers; the uname -r command should return 4.4.115-grsec.
What administrators need to do
Kernel upgrades
The update will be automatic on the Application and Monitor Servers within 24 hours of the release (13th of March at 22:00 UTC).
If you missed our prior communications about this and are experiencing issues with the new kernel (e.g., you cannot reach the source interface, you cannot SSH into the servers), please consult our troubleshooting guide.
Workstations
We strongly recommend upgrading all Tails drives to 3.6, also released today. You will need to manually upgrade the Admin Workstation, the Journalist Workstation and the Secure Viewing Station.
For the Admin and Journalist Workstations, you will also need to update SecureDrop code using the following manual method, which will make available the new securedrop-admin update command for future updates:
cd ~/Persistent/securedrop git fetch --tags git checkout 0.6 gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" git tag -v 0.6 # Output should include "Good signature" ./securedrop-admin setup
Questions and Comments
If you have questions or comments regarding this release, please don't hesitate to reach out:
- Via our Support Portal, if you are a member (membership is approved on a case-by-case basis);
- Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!
Acknowledgments
SecureDrop is an open source project, and we are deeply grateful for all contributions to this release. The translations for all supported languages were updated thanks to the work of many volunteers:
- Arabic: Ahmad Gharbeia, Ali Boshanab, ButterflyOfFire, Erin McConnell, Gabriele Kahlout, Jasmine Khalil, Jennifer Helsby, kwadronaut, Ouss, Ramy Raoof, Scharik Yousif, Thalia Rahme
- German: Anna Skaja, Eric H., Ettore Atalan, kwadronaut
- Spanish: Anatoli, Camille Fassett, Daniel Arauz, Freddy Martinez, Jose, Pablo Di Noto
- French: AO, David, Jean-Marc Manach, Loïc Dachary
- Italian: Beatrice Martini, Claudio Arseni, Manuel D'Orso
- Norwegian: Allan Nordhøy, Øyvind Bye Skille
- Dutch: Anne M, kwadronaut, Yarno Ritzen
- Portuguese: Bernardo Tonasse, CecÃlia do Lago, communiaa, Jonas B. R
- Turkish: T. E. Kalaycı, Volkan
- Chinese: Cheng-Chia Tseng, Chi-Hsun Tsai, H.-L. Lee, Jin Lin Wright, Shih-Chieh Ilya Li
Five new languages have been completed and are being reviewed for inclusion in the next release thanks to the work of:
- Swedish: Allan Nordhøy, Jenny Dybedahl, Jonas Franzén, Magdalena Stenius
- Romanian: Jobava
- Finnish: Magdalena Stenius, Max Sandholm, Thomas
- Hindi: Abhishek Jaiswal, Muhammad Usman, Subham Banga
- Russian: Andrey, Maria Ovsyannikova
Localization Lab provided invaluable support to the localization effort; read more in the postmortem.
Correction, March 14, 2018: Due to a bug, the workstation update to Tails 3.6 has to be performed manually. The instructions have been updated to reflect this fact.
Correction, March 15, 2018: A command was missing from the workstation update instructions. Thanks to Jonas Franzen for the bug report.