This SecureDrop Client release closes a potential path traversal attack that could result in a denial of service. As the client is being rewritten and no further releases to the current codebase are planned, we are issuing a small point release to include this fix. We do not consider the issue a security concern, as it would require a compromised SecureDrop server and could only produce an empty 0-byte file.
Regardless, we’d like to thank AbhijitDas-Sukuna0007Abhi for responsibly reporting this issue to us.
Changelog
- Guard against path traversals in the gzip content's original filename (commit)
- Update dependencies:
  - Update Rust toolchain from 1.87.0 to 1.90.0 (commit)
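As an added illustration of the bug class fixed above (example code, not SecureDrop's own): the FNAME field in a gzip header is chosen by whoever produced the archive, so a client must never let it select where the decompressed output lands. The functions `gzip_original_filename`, `safe_output_path` and `build_gzip`, and the sample filename, are all constructed for this demo.

```python
import re
import struct
import zlib
from pathlib import Path
from typing import Optional

FEXTRA, FNAME = 0x04, 0x08  # gzip FLG bits (RFC 1952)


def gzip_original_filename(data: bytes) -> Optional[str]:
    """Return the FNAME field of a gzip member header, or None if it is absent."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip member")
    flg, pos = data[3], 10
    if flg & FEXTRA:  # skip the optional extra field, which precedes FNAME
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flg & FNAME:
        return None
    return data[pos:data.index(b"\x00", pos)].decode("latin-1")


def safe_output_path(out_dir: Path, original: Optional[str], fallback: str) -> Path:
    """Choose a destination inside out_dir; the sender-supplied name is only a hint."""
    name = original or ""
    # Any separator, NUL byte or dot-only component means it is not a plain leaf name.
    if not name or "\x00" in name or re.search(r"[\\/]", name) or name in (".", ".."):
        name = fallback
    target = (out_dir / name).resolve()
    if target.parent != out_dir.resolve():  # final check: must remain inside out_dir
        raise ValueError(f"refusing to write outside {out_dir}: {original!r}")
    return target


def build_gzip(payload: bytes, original_name: bytes) -> bytes:
    """Constructed gzip member carrying an arbitrary FNAME, used only for the demo."""
    header = b"\x1f\x8b\x08\x08" + struct.pack("<I", 0) + b"\x00\xff" + original_name + b"\x00"
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as gzip bodies are
    body = comp.compress(payload) + comp.flush()
    return header + body + struct.pack("<II", zlib.crc32(payload), len(payload))


if __name__ == "__main__":
    blob = build_gzip(b"hello", b"../../escape.txt")  # constructed hostile header
    hint = gzip_original_filename(blob)
    print("FNAME in header:", hint)
    print("written to:", safe_output_path(Path("/tmp/securedrop-demo"), hint, "submission.bin"))
```

The second check in `safe_output_path` is deliberately redundant with the first: even if the name filter is later loosened, nothing outside `out_dir` can be chosen.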
Acknowledgments
This release incorporates Freedom of the Press Foundation (FPF) contributions by Martin C; Nathan Dyer, communications manager; Micah Lee; Kunal Mehta, release manager; Cory Francis Myers; Vicki Niu; Kevin O’Gorman; Francisco Rocha, deputy release manager; John Skinner; and Rowen S.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via Signal, if you are a member of an existing support group (membership is available to SecureDrop administrators on request)
- Via securedrop@freedom.press (PGP encrypted) for sensitive security issues (please use judiciously), or submit a report via Bugcrowd
We also encourage you to file nonsensitive issues via our GitHub repository.
Thank you for using SecureDrop!