From a505704e8f6c136ab015243c2807e39e012217d7 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sun, 13 Nov 2022 14:31:55 +0100
Subject: [PATCH] qtwebkit: Mark known vulnerable

The browser engine is based off an old Webkit version, receives no security backports, does no releases. The WebKitGTK people have counted over 500 CVEs they fixed since 2016. Adding known vulnerable to make people aware they're using a browser engine that is not up to todays standards and could very likely be easily compromised. Projects are recomended to migrate to qtwebengine instead. https://blogs.gnome.org/mcatanzaro/2017/02/08/an-update-on-webkit-security-updates/ https://github.com/qutebrowser/qutebrowser/issues/4039#issue-338246939 https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/
---
 pkgs/development/libraries/qt-5/modules/qtwebkit.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkgs/development/libraries/qt-5/modules/qtwebkit.nix b/pkgs/development/libraries/qt-5/modules/qtwebkit.nix
index bebfbdda8d8b..76f3481386f3 100644
--- a/pkgs/development/libraries/qt-5/modules/qtwebkit.nix
+++ b/pkgs/development/libraries/qt-5/modules/qtwebkit.nix
@@ -69,5 +69,8 @@ qtModule {
 meta = {
 maintainers = with lib.maintainers; [ abbradar periklis ];
+ knownVulnerabilities = [
+ "QtWebkit upstream is unmaintained and receives no security updates, see https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/"
+ ];
 };
 }
--
2.11.4.GIT
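Review bot: A non-empty `meta.knownVulnerabilities` makes nixpkgs' meta check refuse to evaluate the package, and therefore every package that depends on it, unless the user opts in (via `permittedInsecurePackages` or `NIXPKGS_ALLOW_INSECURE=1`, as far as I recall), so this hunk on its own breaks all reverse dependencies of `qtwebkit` without the commit saying whether that is intended or how dependents are expected to react. The message should state this explicitly, or the change should be paired with the dependents being switched to qtwebengine or otherwise handled, so users hitting the evaluation error are pointed at the migration rather than at the opt-in. The entry text itself could carry the justification the description gives, e.g. `"QtWebkit upstream is unmaintained and receives no security updates; WebKit has fixed over 500 CVEs since 2016 that are not backported, see https://blogs.gnome.org/mcatanzaro/2022/11/04/stop-using-qtwebkit/"`, so the warning is actionable on its own. The enclosing `qtModule { ... }` call starts outside the hunk.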