15:24 <andi-> https://dovecot.org/pipermail/dovecot-news/2019-August/000418.html (reminder to self to look into it)

16:28 <andi-> https://github.com/NixOS/nixpkgs/pull/67637 & https://github.com/NixOS/nixpkgs/pull/67639 looking for reviewers

16:28 <{^_^}> #67637 (by andir, 23 minutes ago, open): dovecot-pigeonhole: 0.5.7.1 -> 0.5.7.2 (CVE-2019-11500)

16:28 <{^_^}> #67639 (by andir, 4 minutes ago, open): [19.03] dovecot apply CVE-2019-11500 patches

21:09 <samueldr> https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/

21:09 <samueldr> >> RDoc documentations generated with previous versions have to be re-generated with newer RDoc

21:09 <samueldr> good thing this is a non-issue with nix :)

21:10 <andi-> how is that to be exploited?

21:10 <samueldr> (though this looks like it is a really low priority issue)

21:11 <andi-> Someone must host the static page and then others can pass in (search?) strings that get evaled?

21:11 <samueldr> not sure, it looks like they basically upgraded jQuery in RDoc because of the CVEs

21:11 <andi-> also from 2012 o.O

21:12 <samueldr> so it's possible it's not relevant to their use of jQuery

21:12 <andi-> but I guess that is what happens if you vendor dependencies once without tooling?

21:13 <samueldr> sounds like it

21:13 <samueldr> https://github.com/ruby/ruby/commits/master/lib/rdoc/generator/template/darkfish/js/jquery.js

21:13 <samueldr> looks like they removed it

21:13 <andi-> I had a chat with a nodejs maintainer about our nix expression for it... They really want us to use all the vendored dependencies for it. Still wanted to report the failing tests to him since we should be able to make all of them pass or report to upstream why they fail.

21:14 <andi-> they just removed it without removing references to it?

21:15 <samueldr> I know about as much as you do as of now