We are pleased to announce the release of SecureDrop 1.4.0. Changes that sources, journalists, and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
What’s new in SecureDrop 1.4.0?
- Bugfix: Deleting a large number of sources at the same time through the Journalist Interface now works more reliably, instead of sometimes timing out. (Issue, Pull Request)
- Security: Previous versions of SecureDrop did not support specifying multiple nameservers during the configuration stage. If the administrator proceeded to do so anyway, the iptables (software firewall) rules for the Application and Monitor Server could end up being misconfigured, depending on the input.
SecureDrop requires the use of a hardware firewall; the iptables rules provide important defense in depth. We have therefore implemented the following mitigations for this issue:
- The Monitor Server now performs an automatic daily configuration check, and will issue a level 12 OSSEC alert if it detects that the iptables rules are misconfigured. We recommend that you check your OSSEC alerts to determine whether your servers are correctly configured; see below for details. (Pull Request)
- The configuration tool (
./securedrop-admin sdconfig) on the Admin Workstation now explicitly supports specifying multiple nameservers, and performs more validation of user input. (Pull Request)
- SecureDrop Release Key update: The expiration date of the SecureDrop Release Key has been updated to June 30, 2021. The fingerprint of the key has not changed. (Issue, Pull Request)
- Dependency updates: The following dependencies on the SecureDrop servers have been updated:
What administrators need to do
SecureDrop Application and Monitor Servers will be updated to SecureDrop 1.4.0 automatically within 24 hours of the release.
As with previous releases, we recommend that you update your Tails workstations to the latest version of Tails and the latest version of SecureDrop. Please see our upgrade guide for instructions.
This release of SecureDrop adds a new level 12 OSSEC alert to let you know about any misconfiguration of iptables rules on your Application and Monitor Server. We recommend that you carefully review the OSSEC alerts you receive in the days following the release. If you see this alert, our documentation includes steps you can take to apply the default configuration.
This release incorporates Freedom of the Press Foundation contributions by Conor Schaefer (Release Manager), Allie Crevier (Deputy RM), Jen Helsby, Kushal Das, Kevin O’Gorman, Mickael E., John Hensley, Nina Alter, and Erik Moeller.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
- Via firstname.lastname@example.org (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!