From 72619a86c9166d7b4bea5762070ee14fb72dc6e7 Mon Sep 17 00:00:00 2001
From: Renaud
Date: Thu, 9 Mar 2017 21:02:16 +0100
Subject: [PATCH] JBoss AS: list known vulnerability CVE-2015-7501 Warning in JBoss module
---
 nixos/modules/services/web-servers/jboss/default.nix | 2 +-
 pkgs/servers/http/jboss/default.nix | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/web-servers/jboss/default.nix b/nixos/modules/services/web-servers/jboss/default.nix
index 583fe56eb5e2..d28724281a83 100644
--- a/nixos/modules/services/web-servers/jboss/default.nix
+++ b/nixos/modules/services/web-servers/jboss/default.nix
@@ -25,7 +25,7 @@ in
 enable = mkOption {
 default = false;
- description = "Whether to enable jboss";
+ description = "Whether to enable JBoss. WARNING : this package is outdated and is known to have vulnerabilities.";
 };
 tempDir = mkOption {
diff --git a/pkgs/servers/http/jboss/default.nix b/pkgs/servers/http/jboss/default.nix
index 2dd9d544a03b..068053d71f09 100644
--- a/pkgs/servers/http/jboss/default.nix
+++ b/pkgs/servers/http/jboss/default.nix
@@ -22,5 +22,8 @@ stdenv.mkDerivation {
 license = licenses.lgpl21;
 maintainers = [ maintainers.sander ];
 platforms = platforms.unix;
+ knownVulnerabilities = [
+ "CVE-2015-7501: remote code execution in apache-commons-collections: InvokerTransformer during deserialisation"
+ ];
 };
 }
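Review bot: The new `description` on `enable` warns only in general terms: it neither names the issue nor tells the user what happens when the option is turned on. Because the same commit sets `knownVulnerabilities` on the package, enabling the service will presumably make evaluation refuse the package until it is listed in `nixpkgs.config.permittedInsecurePackages`; the module's reference to the package is outside this hunk, so confirm that. Suggested wording, which also drops the stray space in `WARNING :`: `description = "Whether to enable JBoss. Warning: the packaged version is outdated and affected by CVE-2015-7501 (see meta.knownVulnerabilities); it must be explicitly permitted as an insecure package.";`. The surrounding options block starts and ends outside the hunk.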
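Review bot: `knownVulnerabilities` carries a single entry, while the module text added in this commit calls the package outdated and speaks of vulnerabilities in the plural, so a reader cannot tell whether the list is meant to be complete. A comment above the list would settle that, for example `# Not exhaustive: the packaged release is outdated; entries are the issues confirmed so far.`. The entry is also what a user sees when evaluation refuses the package, so it could end with the practical consequence, such as `; do not expose this server to untrusted clients`. The `meta` attribute set begins outside the hunk, so the package version and any existing comments are not visible here.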