JBoss AS: list known vulnerability

CVE-2015-7501 Warning in JBoss module (cherry picked from commit 72619a8)
NixOS · Mar 15, 2017 · 7e46b92 · 7e46b92
1 parent 893a539
commit 7e46b92
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/nixos/modules/services/web-servers/jboss/default.nix b/nixos/modules/services/web-servers/jboss/default.nix
@@ -25,7 +25,7 @@ in
 
       enable = mkOption {
         default = false;
-        description = "Whether to enable jboss";
+        description = "Whether to enable JBoss. WARNING : this package is outdated and is known to have vulnerabilities.";
       };
 
       tempDir = mkOption {

diff --git a/pkgs/servers/http/jboss/default.nix b/pkgs/servers/http/jboss/default.nix
@@ -22,5 +22,8 @@ stdenv.mkDerivation {
     license = licenses.lgpl21;
     maintainers = [ maintainers.sander ];
     platforms = platforms.unix;
+    knownVulnerabilities = [
+      "CVE-2015-7501: remote code execution in apache-commons-collections: InvokerTransformer during deserialisation"
+    ];
   };
 }