Release Announcement

SecureDrop 1.5.0 Released

July 28, 2020

We are pleased to announce that SecureDrop 1.5.0 has been released. Changes that all users should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

What’s new in SecureDrop 1.5.0?

For all users

  • Security: Due to security and anonymity improvements in v3 of the onion services protocol, support for v2 onion services will be removed from SecureDrop in February 2021. Instances that make use of v2 onion services will now see a deprecation warning in the Journalist Interface and in securedrop-admin commands.

    We encourage SecureDrop instances using v2 to migrate to v3 at the earliest opportunity. More information on the v2 to v3 onion services migration process can be found here. (Issues: 1, 2, Pull requests: 1, 2)

For journalists

  • Usability: Some words with potentially offensive or distracting meanings have been removed from the dictionary that is used to generate source names in the Journalist Interface. (Issue, Pull request)
  • Usability: An explanation of the effect of deleting sources has been added to the confirmation dialogue in the Journalist Interface. (Issue, Pull request)

For administrators

  • Kernel update: This release includes an update from version 4.14.175 to 4.14.188 of the grsecurity-patched kernel. (Issue, Pull request)
  • User management: On the Journalist Interface, the username “deleted” is disallowed, as this keyword is reserved by the software (Issues: 1, 2, Pull requests: 1, 2)
  • OSSEC improvement: Temporary files staged for secure deletion no longer trigger OSSEC syscheck alerts. (Pull request)
  • Dependency update: The following dependencies on the SecureDrop servers have been updated:

For developers

  • Journalist API:
    • The get_all_submissions API endpoint no longer returns submissions from sources who have been deleted from the database. (Issue, Pull request)
    • The get_all_replies API endpoint no longer returns replies if the corresponding source has been deleted from the database. (Issue, Pull request)

What administrators need to do

SecureDrop Application and Monitor Servers will be automatically updated to SecureDrop 1.5.0 within 24 hours.

As with previous releases, we recommend that you update your Tails workstations to the latest version of Tails and the latest version of SecureDrop. Please see our upgrade guide for instructions.

This release includes deprecation warnings for v2 onion services. Support for v2 onion services will be removed from SecureDrop in February 2021. If your instance is using v2 onion services, you will need to migrate to v3 onion services, which offer significant security and anonymity improvements, and publicize your new Source Interface onion URL. Please see our migration documentation or contact us for support.

This release also includes a kernel update. While we have tested the updated kernel extensively on supported hardware, it is possible that it will cause problems on your servers after the update. The upgrade guide has information on kernel troubleshooting.

Acknowledgments

This release was made possible thanks to volunteer code and documentation contributions by @pierwill, Gonzalo Bulnes Guilpain, Stiliyana Simeonova, Prateek Jain, and Daniel Pyon.

The translations for all supported languages were updated thanks to the work of many volunteers:

  • Arabic: Ahmed Essam
  • Catalan: Benet (BennyBeat) R. i Camps, Joan Montané
  • Chinese (Traditional): Chi-Hsun Tsai
  • Czech: Pavel Ruzicka, michaela-bot
  • Dutch: Yarno Ritzen
  • French: AO Localization Lab
  • German: Ettore Atalan, Robin Schubert
  • Greek: Adrian, Dimitris Maroulidis
  • Hindi: Drashti
  • Icelandic: Oktavia, Sveinn í Felli
  • Italian: Claudio Arseni
  • Norwegian Bokmål: Allan Nordhøy, Øyvind Bye Skille
  • Portuguese (Brazil): communiaa
  • Romanian: Jobava, robbpa
  • Russian: Adham Kurbanov
  • Slovak: 1000101, Katarina Kasalova
  • Spanish: Gonzalo Bulnes Guilpain, Zuhualime Akoochimoya
  • Swedish: Allan Nordhøy, Jonas Waga
  • Turkish: Volkan, tekrei

Thanks to Erin McConnell and the Localization Lab for supporting this effort.

This release incorporates Freedom of the Press Foundation contributions by Nina Alter, Allie Crevier, Kushal Das (localization manager), Mickael E. (deputy release manager), John Hensley (release manager), Kevin O’Gorman (deputy localization manager), Erik Moeller, and Conor Schaefer.

Questions and comments

If you have questions or comments regarding this release, please contact us:

  • Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
  • Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
  • Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!

Return to News