From c4c936f2f766e83263a519be924d48009bfd6cd3 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Sun, 8 Mar 2020 07:16:53 +1000
Subject: [PATCH] rkt: add CVEs https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/
---
 pkgs/applications/virtualization/rkt/default.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkgs/applications/virtualization/rkt/default.nix b/pkgs/applications/virtualization/rkt/default.nix
index fd0bd92faa6..bacd175197d 100644
--- a/pkgs/applications/virtualization/rkt/default.nix
+++ b/pkgs/applications/virtualization/rkt/default.nix
@@ -69,5 +69,10 @@ in stdenv.mkDerivation rec {
 license = licenses.asl20;
 maintainers = with maintainers; [ ragge steveej ];
 platforms = [ "x86_64-linux" ];
+ knownVulnerabilities = [
+ "CVE-2019-10144: processes run with `rkt enter` are given all capabilities during stage 2"
+ "CVE-2019-10145: processes run with `rkt enter` do not have seccomp filtering during stage 2"
+ "CVE-2019-10147: processes run with `rkt enter` are not limited by cgroups during stage 2"
+ ];
 };
 }
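Review bot: The three `knownVulnerabilities` strings describe the missing isolation but say nothing about whether a fixed release exists, so a user whose evaluation is refused cannot tell from the message whether bumping the version would help; since the hunk changes no version, state the remediation status in the entries, e.g. append ` (no upstream fix at time of writing)` to each string if that is confirmed against the linked advisory. It would also help to cite the advisory URL from the commit message inside the file, e.g. a comment line `# https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/` above the list, so the source of the entries survives outside git history. The `meta` attribute set these lines belong to begins outside the hunk.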