We’re pleased to announce that SecureDrop 2.2.0 has been released. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
What’s new in SecureDrop 2.2.0?
For all users
- Localization: Timestamps will now be displayed using the language’s “long” format (Issue, Pull Request).
- Security: The security-related defensive HTTP headers that prevent various types of attacks on the Source and Journalist Interfaces have been improved (Issue, Pull Request).
- Usability: The “Refresh codename” feature has been removed to avoid potential user confusion (Pull Request). A bug with the display of the “Forgot your codename?” hint has been fixed (Issue, Pull Request).
- Accessibility: The Journalist Interface now uses more standards-compliant semantic HTML and ARIA annotations to improve accessibility (Issue, Pull Request).
- Hardware support: The grsecurity-patched Linux Kernel has been upgraded from 5.4.136 to 5.15.18, adding support for newer hardware (Issue, Pull Request).
- Hardware deprecation: SecureDrop 2.2.x will be the last release series to support Mac Minis and Intel 5th-gen NUCs. If you are still using these, you must move to a supported hardware platform as soon as possible (Pull Request).
- Security: Newly set HOTP (Yubikey) two-factor secrets, either when creating a new journalist account or changing an existing one, are now 160 bits (40 hex characters) in length (Issue, Pull Request).
- Security: Journalist accounts have always been expected to have two-factor secrets that are at least 80 bits in length. Accounts with shorter, invalid secrets will now be unable to log in; in this case, an administrator will need to reset the account’s two-factor credentials. This applies to both 2FA apps like FreeOTP and Google Authenticator (TOTP) and Yubikeys (HOTP) (Pull Request).
- User account management: When deleting a journalist’s account, some information tied to that account, such as past replies and whether a message has been seen, will now be associated with an internal “deleted” account (Issue, Pull Request).
- Dependency updates: The following dependencies have been updated (Pull Requests: 1, 2):
  - click from 6.7 to 8.0.3
  - flask-babel from 0.11.2 to 2.0.0
  - flask-wtf from 0.14.2 to 1.0.0
  - Flask from 1.0.2 to 2.0.2
  - itsdangerous from 0.24 to 2.0.1
  - jinja2 from 2.11.3 to 3.0.2
  - markupsafe from 1.1.1 to 2.0.1
  - redis from 3.3.6 to 3.5.3
  - rq from 1.1.0 to 1.10.0
  - werkzeug from 0.16.0 to 2.0.2
  - wtforms from 2.1.0 to 3.0.0
What administrators need to do
SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.2.0 automatically within 24 hours of the release. As with previous releases, we recommend that you update your Tails workstations to the latest version of Tails and the latest version of SecureDrop. Please see our upgrade guide for instructions.
SecureDrop 2.2.x is the last release series to include official support for Apple Mac Minis and Intel NUC5 hardware. Newer NUC models will continue to be supported. If you are using Mac Minis or Intel NUC5s, we urge you to migrate to supported hardware at your earliest convenience.
The translations for all supported languages were updated thanks to the work of many volunteers:
- Catalan: Benet (BennyBeat) R. i Camps
- Chinese (Simplified): ff98sha
- Chinese (Traditional): Chi-Hsun Tsai
- Czech: michaela-bot
- Dutch: kwadronaut
- French: AO Localization Lab
- Greek: Adrian, Dimitris Maroulidis
- Icelandic: Sveinn í Felli, Oktavia
- Italian: lsd-cat
- Norwegian Bokmål: Øyvind Bye Skille
- Portuguese (Brazil): leilane
- Slovak: Katarina Kasalova
- Spanish: Zuhualime Akoochimoya
- Swedish: Jonas Waga
- Turkish: Kaya Zeren, tekrei
Thanks to Muna Hemoudi and the Localization Lab for supporting this effort.
This release incorporates Freedom of the Press Foundation contributions by: Allie Crevier, Kunal Mehta (co-communications manager and deputy localization manager), Erik Moeller (co-communications manager), Cory Myers (whose work was partially supported by Internews), Kevin O’Gorman (release manager), and Conor Schaefer (deputy release manager & localization manager).
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
- Via firstname.lastname@example.org (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!