From 71e89cccae6202c50113a34ab08add0928c4e1e5 Mon Sep 17 00:00:00 2001 From: mickael e Date: Wed, 6 Mar 2019 09:08:50 -0500 Subject: [PATCH 1/3] Ubuntu 16.04.6 iso has updated apt version (cherry picked from commit b7aa2eadfd172e93afc77efbcc9a1259be6b90a8) --- docs/servers.rst | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/servers.rst b/docs/servers.rst index fa9722614a..aac6137605 100644 --- a/docs/servers.rst +++ b/docs/servers.rst @@ -5,11 +5,10 @@ Set Up the Servers Install Ubuntu -------------- -.. caution:: As of this writing (2019-02-26), Ubuntu ISO images ship a version of - the `apt` package that is vulnerable to CVE-2019-3462. The SecureDrop installer - has mitigations in place to ensure the package is safely upgraded. We - recommend you perform the initial Ubuntu install on servers that do not have - Internet connectivity. +.. caution:: Please ensure you are using Ubuntu Xenial ISO images 16.04.6 or greater. + Ubuntu Xenial ISO images 16.04.5 and lower ship with a version of the `apt` package + vulnerable to CVE-2019-3462. If you are using 16.04.5 or lower, the initial base OS + must be installed without Internet connectivity. .. note:: Installing Ubuntu is simple and may even be something you are very familiar with, but we **strongly** encourage you to read and follow this documentation From 18e880456dcc2ef109a853304b95320a43a9e3db Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Wed, 6 Mar 2019 08:11:52 -0800 Subject: [PATCH 2/3] updated Xenial version references to 16.04.6 as per #4324 (cherry picked from commit a0358c1ecfd26d2a8b71921a8d8f620bd234e6c8) --- docs/servers.rst | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/servers.rst b/docs/servers.rst index aac6137605..4d29ec8333 100644 --- a/docs/servers.rst +++ b/docs/servers.rst 
@@ -15,7 +15,7 @@ Install Ubuntu exactly as there are some "gotchas" that may cause your SecureDrop set up to break. The SecureDrop *Application Server* and *Monitor Server* run **Ubuntu Server -16.04.5 LTS (Xenial Xerus)**. To install Ubuntu on the servers, you must first +16.04.6 LTS (Xenial Xerus)**. To install Ubuntu on the servers, you must first download and verify the Ubuntu installation media. You should use the *Admin Workstation* to download and verify the Ubuntu installation media. @@ -27,7 +27,7 @@ Download the Ubuntu Installation Media The installation media and the files required to verify it are available on the `Ubuntu Releases page`_. You will need to download the following files: -* `ubuntu-16.04.5-server-amd64.iso`_ +* `ubuntu-16.04.6-server-amd64.iso`_ * `SHA256SUMS`_ * `SHA256SUMS.gpg`_ @@ -43,16 +43,16 @@ Alternatively, you can use the command line: .. code:: sh cd ~/Persistent - torify curl -OOO http://releases.ubuntu.com/16.04.5/{ubuntu-16.04.5-server-amd64.iso,SHA256SUMS{,.gpg}} + torify curl -OOO http://releases.ubuntu.com/16.04.6/{ubuntu-16.04.6-server-amd64.iso,SHA256SUMS{,.gpg}} .. note:: Downloading Ubuntu on the *Admin Workstation* can take a while because Tails does everything over Tor, and Tor is typically slow relative to the speed of your upstream Internet connection. .. _Ubuntu Releases page: http://releases.ubuntu.com/ -.. _ubuntu-16.04.5-server-amd64.iso: http://releases.ubuntu.com/16.04.5/ubuntu-16.04.5-server-amd64.iso -.. _SHA256SUMS: http://releases.ubuntu.com/16.04.5/SHA256SUMS -.. _SHA256SUMS.gpg: http://releases.ubuntu.com/16.04.5/SHA256SUMS.gpg +.. _ubuntu-16.04.6-server-amd64.iso: http://releases.ubuntu.com/16.04.6/ubuntu-16.04.6-server-amd64.iso +.. _SHA256SUMS: http://releases.ubuntu.com/16.04.6/SHA256SUMS +.. _SHA256SUMS.gpg: http://releases.ubuntu.com/16.04.6/SHA256SUMS.gpg Verify the Ubuntu Installation Media ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
@@ -86,13 +86,13 @@ Verify the ``SHA256SUMS`` file and move on to the next step if you see The next and final step is to verify the Ubuntu image. :: - sha256sum -c <(grep ubuntu-16.04.5-server-amd64.iso SHA256SUMS) + sha256sum -c <(grep ubuntu-16.04.6-server-amd64.iso SHA256SUMS) If the final verification step is successful, you should see the following output in your terminal. :: - ubuntu-16.04.5-server-amd64.iso: OK + ubuntu-16.04.6-server-amd64.iso: OK .. caution:: If you do not see the line above it is not safe to proceed with the installation. If this happens, please contact us at @@ -120,7 +120,7 @@ Ubuntu installer. If your USB is mapped to /dev/sdX and you are currently in the directory that contains the Ubuntu ISO, you would use dd like so: :: - sudo dd conv=fdatasync if=ubuntu-16.04.5-server-amd64.iso of=/dev/sdX + sudo dd conv=fdatasync if=ubuntu-16.04.6-server-amd64.iso of=/dev/sdX .. _install_ubuntu: From 2cbdfe109a35c0366fe5a1fe0a3253f68c58ae68 Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Thu, 7 Mar 2019 18:08:59 -0800 Subject: [PATCH 3/3] [docs] Make it clearer that key generation must be done on the SVS Resolves #4076 (cherry picked from commit 96a0ca610043ebb5cbad53ab7b4d0252a1628db4) --- docs/generate_securedrop_application_key.rst | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/generate_securedrop_application_key.rst b/docs/generate_securedrop_application_key.rst index 66f832dde9..960a4bfe02 100644 --- a/docs/generate_securedrop_application_key.rst +++ b/docs/generate_securedrop_application_key.rst 
@@ -7,7 +7,16 @@ of this key is only stored on the *Secure Viewing Station* which is never connected to the Internet. SecureDrop submissions can only be decrypted and read on the *Secure Viewing Station*. -We will now generate the *SecureDrop Submission Key*. +We will now generate the *SecureDrop Submission Key*. If you aren't still +logged into your *Secure Viewing Station* from the previous step, boot it using +its Tails USB stick, with persistence enabled. + +.. important:: Do not follow these steps before you have fully configured the + *Secure Viewing Station* according to the :doc:`instructions `. + The private key you will generate in the following steps is one of the most + important secrets associated with your SecureDrop installation. This procedure + is intended to ensure that the private key is protected by the air-gap + throughout its lifetime. Create the Key --------------
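Review bot: The rewritten caution in `docs/servers.rst` (patch 1/3, hunk `@@ -5,11 +5,10 @@`) drops the sentence that the SecureDrop installer has mitigations to safely upgrade the vulnerable `apt`, so a reader who only has a 16.04.5 or older image is told to install offline but no longer told how or when the package gets upgraded afterwards. Consider keeping one sentence on that, for example retaining "The SecureDrop installer has mitigations in place to ensure the package is safely upgraded." after "...must be installed without Internet connectivity."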
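Review bot: The download command and the three link targets in patch 2/3, hunk `@@ -43,16 +43,16 @@`, still point at plain `http://releases.ubuntu.com/16.04.6/...`; since only the version string is being touched, this is a good moment to switch them to `https://` if the release mirror serves it. The signature check on `SHA256SUMS.gpg` and the later `sha256sum -c` step are what actually protect integrity, but fetching the image and checksum files over plain HTTP is an avoidable exposure for both the `torify curl` call and the hyperlink targets readers may click in a browser.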
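Review bot: Style point in patch 2/3, hunk `@@ -86,13 +86,13 @@`: `sha256sum -c <(grep ubuntu-16.04.6-server-amd64.iso SHA256SUMS)` relies on bash process substitution, yet it sits in a bare `::` literal block while the download command earlier in the same file uses `.. code:: sh`; using the same directive here (or `.. code:: bash`) keeps the file consistent and signals that a POSIX `sh` will not run this line. The unanchored `grep` pattern works in practice because the ISO filename is unique within `SHA256SUMS`, but `grep -F` would make the literal-match intent explicit, since the dots in the filename are otherwise regex metacharacters.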
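Review bot: In the added `.. important::` admonition of patch 3/3 (hunk `@@ -7,7 +7,16 @@`), the cross-reference reads ``:doc:`instructions ``` with only the link text and a trailing space, so there is no `<target>` for Sphinx to resolve; fill in the path of the *Secure Viewing Station* setup document so the link renders. Also, the admonition telling the reader "Do not follow these steps before you have fully configured the *Secure Viewing Station*" is placed after the paragraph that already instructs them to boot the SVS from its Tails USB stick; moving it above "We will now generate the *SecureDrop Submission Key*." states the precondition before the instruction that depends on it.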