JBoss AS: list known vulnerability

CVE-2015-7501

Warning in JBoss module

nixos/modules/services/web-servers/jboss/default.nix

@@ -25,7 +25,7 @@ in
 
       enable = mkOption {
         default = false;
-        description = "Whether to enable jboss";
+        description = "Whether to enable JBoss. WARNING : this package is outdated and is known to have vulnerabilities.";
       };
 
       tempDir = mkOption {

pkgs/servers/http/jboss/default.nix

@@ -22,5 +22,8 @@ stdenv.mkDerivation {
     license = licenses.lgpl21;
     maintainers = [ maintainers.sander ];
     platforms = platforms.unix;
+    knownVulnerabilities = [
+      "CVE-2015-7501: remote code execution in apache-commons-collections: InvokerTransformer during deserialisation"
+    ];
   };
 }