xen: mark EOL ≤ 4.15, add known CVEs in nixpkgs

Currently, Xen is very unmaintained, as this is a particularly complex piece of software that touts itself as secure, we are not doing a service to Xen by packaging unsecure piece of their software. Let's be brutally honest about the state of things in nixpkgs.
2025-02-20 19:16:11 +00:00 · 2023-04-26 13:37:31 +02:00 · 2023-04-26 13:37:31 +02:00 · e8d6be7a4b
commit e8d6be7a4b
parent 21c7a6c42a
1 changed files with 13 additions and 2 deletions
--- a/pkgs/applications/virtualization/xen/generic.nix
+++ b/pkgs/applications/virtualization/xen/generic.nix
@ -244,10 +244,21 @@ stdenv.mkDerivation (rec {
                    + "\nIncludes:\n"
                    + withXenfiles (name: x: "* ${name}: ${x.meta.description or "(No description)"}.");
    platforms = [ "x86_64-linux" ];
-    maintainers = with lib.maintainers; [ eelco oxij ];
+    maintainers = [ ];
    license = lib.licenses.gpl2;
+    knownVulnerabilities = [
+      # https://www.openwall.com/lists/oss-security/2023/03/21/1
+      # Affects 3.2 (at *least*) - 4.17
+      "CVE-2022-42332"
+      # https://www.openwall.com/lists/oss-security/2023/03/21/2
+      # Affects 4.11 - 4.17
+      "CVE-2022-42333"
+      "CVE-2022-42334"
+      # https://www.openwall.com/lists/oss-security/2023/03/21/3
+      # Affects 4.15 - 4.17
+      "CVE-2022-42331"
    # https://xenbits.xen.org/docs/unstable/support-matrix.html
-    knownVulnerabilities = lib.optionals (lib.versionOlder version "4.13") [
+    ] ++ lib.optionals (lib.versionOlder version "4.15") [
      "This version of Xen has reached its end of life. See https://xenbits.xen.org/docs/unstable/support-matrix.html"
    ];
  } // (config.meta or {});