diff --git a/pkgs/desktops/pantheon/apps/elementary-files/default.nix b/pkgs/desktops/pantheon/apps/elementary-files/default.nix
index 7c736df2c53..3494474c49c 100644
--- a/pkgs/desktops/pantheon/apps/elementary-files/default.nix
+++ b/pkgs/desktops/pantheon/apps/elementary-files/default.nix
@@ -5,7 +5,7 @@
 
 stdenv.mkDerivation rec {
   pname = "files";
-  version = "4.1.4";
+  version = "4.1.5";
 
   name = "elementary-${pname}-${version}";
 
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
     owner = "elementary";
     repo = pname;
     rev = version;
-    sha256 = "0nlmg3izbi4yh2sd69hh8avg76pipxn11l9a39xgqm55lvidlqmn";
+    sha256 = "0z0pisg7py2k6i31v18z5fgpj8x64m1s5clfq4vbbjrcjwx6dcx5";
   };
 
   passthru = {
diff --git a/pkgs/desktops/pantheon/artwork/elementary-icon-theme/default.nix b/pkgs/desktops/pantheon/artwork/elementary-icon-theme/default.nix
index f70186585ec..23fb8445838 100644
--- a/pkgs/desktops/pantheon/artwork/elementary-icon-theme/default.nix
+++ b/pkgs/desktops/pantheon/artwork/elementary-icon-theme/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   pname = "icons";
-  version = "5.0.2";
+  version = "5.0.3";
 
   name = "elementary-icon-theme-${version}";
 
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
     owner = "elementary";
     repo = pname;
     rev = version;
-    sha256 = "12j582f0kggv2lp935r75xg7q26zpl0f05s11xcs4qxazhj1ly2r";
+    sha256 = "0wpv7yirf44bfqfmyshzfw9605j1idm7c9jqg68k3nmymmd6iqzf";
   };
 
   passthru = {
diff --git a/pkgs/desktops/pantheon/granite/02-datetime-clock-format-gsettings.patch b/pkgs/desktops/pantheon/granite/02-datetime-clock-format-gsettings.patch
deleted file mode 100644
index 7b7c9871133..00000000000
--- a/pkgs/desktops/pantheon/granite/02-datetime-clock-format-gsettings.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From 698e34dd6e8d98a1818ae00d3313b69a86340771 Mon Sep 17 00:00:00 2001
-From: Fabio Valentini <decathorpe@gmail.com>
-Date: Mon, 17 Dec 2018 14:58:14 +0100
-Subject: DateTime: include "clock-format" gsettings key here
-
----
- data/io.elementary.granite.gschema.xml | 15 +++++++++++++++
- data/meson.build                       |  4 ++++
- lib/DateTime.vala                      |  4 ++--
- meson.build                            | 11 +++++++++++
- meson/post_install.py                  |  5 +++++
- 5 files changed, 37 insertions(+), 2 deletions(-)
- create mode 100644 data/io.elementary.granite.gschema.xml
- create mode 100644 data/meson.build
-
-diff --git a/data/io.elementary.granite.gschema.xml b/data/io.elementary.granite.gschema.xml
-new file mode 100644
-index 0000000..1540fb0
---- /dev/null
-+++ b/data/io.elementary.granite.gschema.xml
-@@ -0,0 +1,15 @@
-+<?xml version="1.0" encoding="UTF-8"?>
-+<schemalist>
-+  <enum id="io.elementary.granite.clock-formats">
-+    <value nick="12h" value="0" />
-+    <value nick="24h" value="1" />
-+    <value nick="ISO8601" value="2" />
-+  </enum>
-+  <schema id="io.elementary.granite" path="/io/elementary/granite/">
-+    <key name="clock-format" enum="io.elementary.granite.clock-formats">
-+      <default>"12h"</default>
-+      <summary>Whether the clock displays in 12h or 24h format</summary>
-+      <description>Whether the clock displays in 12h or 24h format</description>
-+    </key>
-+  </schema>
-+</schemalist>
-diff --git a/data/meson.build b/data/meson.build
-new file mode 100644
-index 0000000..96cc3b1
---- /dev/null
-+++ b/data/meson.build
-@@ -0,0 +1,4 @@
-+install_data(
-+    rdnn + '.gschema.xml',
-+    install_dir: schema_dir
-+)
-diff --git a/lib/DateTime.vala b/lib/DateTime.vala
-index aea2ec6..3d81191 100644
---- a/lib/DateTime.vala
-+++ b/lib/DateTime.vala
-@@ -104,13 +104,13 @@ namespace Granite.DateTime {
-     }
- 
-     /**
--     * Gets the //clock-format// key from //org.gnome.desktop.interface// schema
-+     * Gets the //clock-format// key from //io.elementary.granite// schema
-      * and determines if the clock format is 12h based
-      *
-      * @return true if the clock format is 12h based, false otherwise.
-      */
-     private static bool is_clock_format_12h () {
--        var h24_settings = new Settings ("io.elementary.desktop.wingpanel.datetime");
-+        var h24_settings = new Settings ("io.elementary.granite");
-         var format = h24_settings.get_string ("clock-format");
-         return (format.contains ("12h"));
-     }
-diff --git a/meson.build b/meson.build
-index 8b98eeb..f0abcdf 100644
---- a/meson.build
-+++ b/meson.build
-@@ -4,6 +4,8 @@ project(
-     version: '5.2.2'
- )
- 
-+rdnn = 'io.elementary.' + meson.project_name()
-+
- if meson.get_compiler('vala').version().version_compare('<0.40.0')
-     error('vala compiler version 0.40.0 or newer is required.')
- endif
-@@ -52,10 +54,18 @@ icons_dir = join_paths(
-     'hicolor'
- )
- 
-+schema_dir = join_paths(
-+    get_option('prefix'),
-+    get_option('datadir'),
-+    'glib-2.0',
-+    'schemas'
-+)
-+
- pkgconfig = import('pkgconfig')
- i18n = import('i18n')
- 
- subdir('lib')
-+subdir('data')
- subdir('demo')
- subdir('icons')
- subdir('po')
-@@ -68,5 +78,6 @@ endif
- meson.add_install_script(
-     join_paths(meson.current_source_dir(), 'meson', 'post_install.py'),
-     '--iconsdir', icons_dir,
-+    '--schemadir', schema_dir,
- )
- 
-diff --git a/meson/post_install.py b/meson/post_install.py
-index 1864515..5313f96 100755
---- a/meson/post_install.py
-+++ b/meson/post_install.py
-@@ -6,11 +6,16 @@ import subprocess
- 
- parser = argparse.ArgumentParser()
- parser.add_argument("--iconsdir", action="store", required=True)
-+parser.add_argument("--schemadir", action="store", required=True)
- args = vars(parser.parse_args())
- 
- icons_dir = args["iconsdir"]
-+schema_dir = args["schemadir"]
- 
- if not os.environ.get('DESTDIR'):
-     print('Compiling icon cache ...')
-     subprocess.run(['gtk-update-icon-cache', icons_dir])
- 
-+    print('Compiling GSettings schemas ...')
-+    subprocess.run(['glib-compile-schemas', schema_dir])
-+
--- 
-2.20.1
-
diff --git a/pkgs/desktops/pantheon/granite/default.nix b/pkgs/desktops/pantheon/granite/default.nix
index fe0e880ccb2..66ba331ddcd 100644
--- a/pkgs/desktops/pantheon/granite/default.nix
+++ b/pkgs/desktops/pantheon/granite/default.nix
@@ -2,28 +2,22 @@
 
 stdenv.mkDerivation rec {
   pname = "granite";
-  version = "5.2.2";
+  version = "5.2.3";
 
   src = fetchFromGitHub {
     owner = "elementary";
     repo = pname;
     rev = version;
-    sha256 = "1zp0pp5v3j8k6ail724p7h5jj2zmznj0a2ybwfw5sspfdw5bfydh";
+    sha256 = "10ddq1s2w4jvpzq813cylmqhh8pggzaz890fy3kzg07275i98gah";
   };
 
   patches = [
-    # Add Meson support that hit after 5.2.2
-    (fetchpatch {
-      url = "https://github.com/elementary/granite/commit/2066b377226cf327cb2d5399b6b40a2d36d47b11.patch";
-      sha256 = "1bxjgq8wvl1sb79cwhmh9kwawnkkfn7c5q67cyz1fjxmamwyyi85";
-    })
-    (fetchpatch {
-      url = "https://github.com/elementary/granite/commit/f1b29f52e3aaf0f5d6bba44c42617da265f679c8.patch";
-      sha256 = "0cdp9ny6fj1lpcirab641p1qn1rbsvnsaa03hnr6zsdpim96jlvs";
-    })
     # Resolve the circular dependency between granite and the datetime wingpanel indicator
     # See: https://github.com/elementary/granite/pull/242
-    ./02-datetime-clock-format-gsettings.patch
+    (fetchpatch {
+      url = "https://src.fedoraproject.org/rpms/granite/raw/0550b44ed6400c9b1ff7e70871913747df2ff323/f/00-datetime-clock-format-gsettings.patch";
+      sha256 = "0i9yvdmn77x5fjdwd1raw6ym8js8yxa7w6ydc7syx7hcyls00dmq";
+    })
   ];
 
   passthru = {
diff --git a/pkgs/development/libraries/libpng/default.nix b/pkgs/development/libraries/libpng/default.nix
index 9fc7d771202..206472187b0 100644
--- a/pkgs/development/libraries/libpng/default.nix
+++ b/pkgs/development/libraries/libpng/default.nix
@@ -18,6 +18,17 @@ in stdenv.mkDerivation rec {
     url = "mirror://sourceforge/libpng/libpng-${version}.tar.xz";
     sha256 = "06d35a3xz2a0kph82r56hqm1fn8fbwrqs07xzmr93dx63x695szc";
   };
+  patches = if !stdenv.hostPlatform.isAarch64 then null # temporarily avoid rebuild
+  else [
+    (fetchurl { # https://github.com/glennrp/libpng/issues/266
+      url = "https://salsa.debian.org/debian/libpng1.6/raw/0e1348f3d/debian/patches/272.patch";
+      sha256 = "1d36khgryq2p27bdx10xrr4kcjr7cdfdj2zhdcjzznpnpns97s6n";
+    })
+    (fetchurl { # https://github.com/glennrp/libpng/issues/275
+      url = "https://salsa.debian.org/debian/libpng1.6/raw/853d1977/debian/patches/CVE-2019-7317.patch";
+      sha256 = "0c8qc176mqh08kcxlnx40rzdggchihkrlzqw6qg6lf0c9ygkf55k";
+    })
+  ];
   postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1";
 
   outputs = [ "out" "dev" "man" ];
diff --git a/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix b/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix
index 4a155a4c403..ebeb3ef0884 100644
--- a/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix
+++ b/pkgs/os-specific/darwin/apple-source-releases/architecture/default.nix
@@ -3,6 +3,12 @@
 appleDerivation {
   dontBuild = true;
 
+  postPatch = ''
+    substituteInPlace Makefile \
+        --replace '/bin/mkdir' 'mkdir' \
+        --replace '/usr/bin/install' 'install'
+  '';
+
   installFlags = [ "EXPORT_DSTDIR=/include/architecture" ];
 
   DSTROOT = "$(out)";
diff --git a/pkgs/tools/archivers/unzip/CVE-2018-18384.patch b/pkgs/tools/archivers/unzip/CVE-2018-18384.patch
new file mode 100644
index 00000000000..e9320e125cf
--- /dev/null
+++ b/pkgs/tools/archivers/unzip/CVE-2018-18384.patch
@@ -0,0 +1,35 @@
+--- unzip60/list.c	
++++ unzip60/list.c	
+@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type
+ {
+     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+-    char sgn, cfactorstr[10];
++    char sgn, cfactorstr[1+10+1+1];	/* <sgn><int>%NUL */
+     int longhdr=(uO.vflag>1);
+ #endif
+     int date_format;
+@@ -389,9 +389,9 @@ int list_files(__G)    /* return PK-type
+             }
+ #else /* !WINDLL */
+             if (cfactor == 100)
+-                sprintf(cfactorstr, LoadFarString(CompFactor100));
++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
+             else
+-                sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
+             if (longhdr)
+                 Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats),
+                   FmZofft(G.crec.ucsize, "8", "u"), methbuf,
+@@ -471,9 +471,9 @@ int list_files(__G)    /* return PK-type
+ 
+ #else /* !WINDLL */
+         if (cfactor == 100)
+-            sprintf(cfactorstr, LoadFarString(CompFactor100));
++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
+         else
+-            sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
+         if (longhdr) {
+             Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer),
+               FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"),
diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix
index 7c4bb988b62..cdf189e82df 100644
--- a/pkgs/tools/archivers/unzip/default.nix
+++ b/pkgs/tools/archivers/unzip/default.nix
@@ -24,6 +24,7 @@ stdenv.mkDerivation {
     ./CVE-2015-7697.diff
     ./CVE-2014-9913.patch
     ./CVE-2016-9844.patch
+    ./CVE-2018-18384.patch
     ./dont-hardcode-cc.patch
   ] ++ stdenv.lib.optional enableNLS
     (fetchurl {