nixos/roundcube: add release notes for #77532

Symphorien Gibol 2020-02-05 12:00:00 +00:00
parent 7c558f7ac7
commit 4600fe67c5


@ -246,6 +246,23 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
upstream issue</link> for more information.
</para>
</listitem>
<listitem>
<para>
The <literal>roundcube</literal> module has been hardened.
<itemizedlist>
<listitem>
<para>
The password of the database is not written world readable in the store any more. If <literal>database.host</literal> is set to <literal>localhost</literal>, then a unix user of the same name as the database will be created and PostreSQL peer authentication will be used, removing the need for a password. Otherwise, a password is still needed and can be provided with the new option <literal>database.passwordFile</literal>, which should be set to the path of a file containing the password and readable by the user <literal>nginx</literal> only. The <literal>database.password</literal> option is insecure and deprecated. Usage of this option will print a warning.
</para>
</listitem>
<listitem>
<para>
A random <literal>des_key</literal> is set by default in the configuration of roundcube, instead of using the hardcoded and insecure default. To ensure a clean migration, all users will be logged out when you upgrade to this release.
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
The packages <literal>openobex</literal> and <literal>obexftp</literal>
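Review bot: In the first nested <listitem> of the roundcube entry, "PostreSQL peer authentication" is misspelled and should read "PostgreSQL peer authentication". The same paragraph says database.passwordFile should point to a file "readable by the user nginx only" but does not say that the file must live outside the Nix store. Since the stated goal is that the password is no longer world readable in the store, consider saying so explicitly, so that users do not reintroduce the problem by pointing the option at a store path. The des_key item says all users will be logged out on upgrade; it would help to add whether any other action is required from administrators.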