SecureDrop 2.2.0: Pre-Release Announcement

February 10, 2022

The release of the next version of SecureDrop, 2.2.0, is scheduled for February 17, 2022. We will send out another notification through this blog, Twitter, Mastodon, and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

What’s coming in SecureDrop 2.2.0?

For all users

  • Localization: Timestamps will now be displayed using the language’s “long” format (Issue, Pull Request).
  • Security: The security-related defensive HTTP headers that prevent various types of attacks on the Source and Journalist Interfaces have been improved (Issue, Pull Request).

For sources

  • Usability: The “Refresh codename” feature has been removed to avoid potential user confusion (Pull Request). A bug with the display of the “Forgot your codename?” hint has been fixed (Issue, Pull Request).

For journalists

  • Accessibility: The Journalist Interface now uses more standards-compliant semantic HTML and ARIA annotations to improve accessibility (Issue, Pull Request).

For administrators

  • Hardware support: The grsecurity-patched Linux Kernel has been upgraded from 5.4.136 to 5.15.18, adding support for newer hardware (Issue, Pull Request).
  • Security: Newly set HOTP (Yubikey) two-factor secrets, either when creating a new journalist account or changing an existing one, are now 160 bits (40 hex characters) in length (Issue, Pull Request).
  • Security: Journalist accounts have always been expected to have two-factor secrets that are at least 80 bits in length. Accounts with shorter, invalid secrets will now be unable to log in; an administrator will need to reset the account’s two-factor credentials in this case. This applies to both 2FA apps like FreeOTP and Google Authenticator (TOTP) and Yubikeys (HOTP) (Pull Request).
  • User account management: When deleting a journalist’s account, some information associated with their account like past replies and whether a message has been seen will now be associated with an internal “deleted” account (Issue, Pull Request).
  • Dependency updates: The following dependencies have been updated: (Pull Requests: 1, 2)
    • click from 6.7 to 8.0.3
    • flask-babel from 0.11.2 to 2.0.0
    • flask-wtf from 0.14.2 to 1.0.0
    • Flask from 1.0.2 to 2.0.2
    • itsdangerous from 0.24 to 2.0.1
    • jinja2 from 2.11.3 to 3.0.2
    • markupsafe from 1.1.1 to 2.0.1
    • redis from 3.3.6 to 3.5.3
    • rq from 1.1.0 to 1.10.0
    • werkzeug from 0.16.0 to 2.0.2
    • wtforms from 2.1.0 to 3.0.0
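The two security items above describe a length check on two-factor secrets: newly set HOTP secrets are 160 bits (40 hex characters), and any account whose secret decodes to fewer than 80 bits can no longer log in until an administrator resets it. The following is an added illustration of that check written for this post; it is not SecureDrop's own code. It assumes HOTP secrets are entered as hex (as the 40-hex-character figure implies) and that TOTP secrets are the base32 strings authenticator apps consume; the function names and the sample secrets are constructed for the example.

```python
import base64
import binascii
import secrets

# Minimum the release notes say accounts have always been expected to meet.
MIN_SECRET_BITS = 80
# Length of HOTP secrets generated for new or reset accounts in 2.2.0.
NEW_HOTP_SECRET_BITS = 160


def secret_bit_length(secret: str, kind: str) -> int:
    """Decode a two-factor secret and return its length in bits.

    kind is "hotp" (hex-encoded, as programmed into a YubiKey) or
    "totp" (base32, as shown to an authenticator app). Assumption of
    this example: these are the encodings in use. Raises ValueError
    when the secret cannot be decoded at all.
    """
    cleaned = secret.replace(" ", "").strip()
    if kind == "hotp":
        try:
            raw = bytes.fromhex(cleaned)
        except ValueError as exc:
            raise ValueError("HOTP secret is not valid hex") from exc
    elif kind == "totp":
        # Authenticator apps usually show base32 without padding; restore it.
        padded = cleaned.upper() + "=" * (-len(cleaned) % 8)
        try:
            raw = base64.b32decode(padded, casefold=True)
        except binascii.Error as exc:
            raise ValueError("TOTP secret is not valid base32") from exc
    else:
        raise ValueError(f"unknown secret kind {kind!r}")
    return len(raw) * 8


def is_acceptable_secret(secret: str, kind: str) -> bool:
    """True only for a decodable secret of at least MIN_SECRET_BITS.

    An undecodable secret is treated like a too-short one: the account
    cannot authenticate and needs its 2FA credentials reset.
    """
    try:
        return secret_bit_length(secret, kind) >= MIN_SECRET_BITS
    except ValueError:
        return False


def new_hotp_secret() -> str:
    """Generate a fresh 160-bit HOTP secret as 40 hex characters."""
    return secrets.token_hex(NEW_HOTP_SECRET_BITS // 8)


if __name__ == "__main__":
    # Constructed sample secrets, not real credentials.
    samples = [
        ("0123456789abcdef0123456789abcdef01234567", "hotp"),  # 160 bits
        ("0123456789abcdef0123", "hotp"),                      # exactly 80 bits
        ("0123456789abcdef", "hotp"),                          # 64 bits: rejected
        ("JBSWY3DPEHPK3PXP", "totp"),                          # 80 bits
        ("JBSWY3DP", "totp"),                                  # 40 bits: rejected
    ]
    for value, kind in samples:
        print(kind, value, "ok" if is_acceptable_secret(value, kind) else "RESET REQUIRED")
    print("new HOTP secret:", new_hotp_secret())
```

The threshold is inclusive ("at least 80 bits"), so an exactly-80-bit secret passes; anything that fails to decode is reported the same way as a short secret, since in both cases the fix is an administrator resetting the account's two-factor credentials.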

What administrators will need to do

SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.2.0 automatically within 24 hours of the release. As with previous releases, we will provide instructions for performing the workstation updates at the time of the release.

Questions and comments

If you have questions or comments regarding this release, please contact us:

  • Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
  • Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
  • Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!