This SecureDrop Client release updates a Rust dependency, bytes, for which a security advisory about potential undefined behavior has been published. We are not aware of any exploits for this issue, but are releasing an update as a precaution.
Users need to run the standard SecureDrop Workstation Updater to apply these updates; no further action is necessary.
Changelog
Acknowledgments
This release incorporates Freedom of the Press Foundation (FPF) contributions by Martin C; Nathan Dyer; Micah Lee; Kunal Mehta, release manager; Cory Francis Myers; Vicki Niu; Kevin O’Gorman; Francisco Rocha; John Skinner, communications manager; and Rowen S.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via Signal, if you are a member of an existing support group (membership is available to SecureDrop administrators on request)
- Via securedrop@freedom.press (PGP encrypted) for sensitive security issues (please use judiciously), or submit a report via Bugcrowd
We also encourage you to file nonsensitive issues via our GitHub repository.
Thank you for using SecureDrop!