diff --git a/pkgs/development/libraries/botan/2.0.nix b/pkgs/development/libraries/botan/2.0.nix
index a486ba49820..113c4a27b91 100644
--- a/pkgs/development/libraries/botan/2.0.nix
+++ b/pkgs/development/libraries/botan/2.0.nix
@@ -1,10 +1,19 @@
-{ callPackage, ... } @ args:
+{ callPackage, fetchpatch, ... } @ args:
 callPackage ./generic.nix (args // {
 baseVersion = "2.18";
- revision = "0";
- sha256 = "09z3fy31q1pvnvpy4fswrsl2aq8ksl94lbh5rl7b6nqc3qp8ar6c";
+ revision = "1";
+ sha256 = "0adf53drhk1hlpfih0175c9081bqpclw6p2afn51cmx849ib9izq";
 postPatch = ''
 sed -e 's@lang_flags "@&--std=c++11 @' -i src/build-data/cc/{gcc,clang}.txt
 '';
+ extraPatches = [
+ (fetchpatch {
+ name = "CVE-2021-40529.patch";
+ url = "https://github.com/randombit/botan/commit/9a23e4e3bc3966340531f2ff608fa9d33b5185a2.patch";
+ sha256 = "1ax1n2l9zh0hk35vkkywgkhzpdk76xb9apz2wm3h9kjvjs9acr3y";
+ # our source tarball doesn't include the tests
+ excludes = [ "src/tests/*" ];
+ })
+ ];
 })
diff --git a/pkgs/development/libraries/botan/default.nix b/pkgs/development/libraries/botan/default.nix
index c494fa25f77..d6ee9ff152f 100644
--- a/pkgs/development/libraries/botan/default.nix
+++ b/pkgs/development/libraries/botan/default.nix
@@ -10,6 +10,7 @@ callPackage ./generic.nix (args // {
 sed -e 's@lang_flags "@&--std=c++11 @' -i src/build-data/cc/{gcc,clang}.txt
 '';
 knownVulnerabilities = [
+ "CVE-2021-40529"
 # https://botan.randombit.net/security.html#id1
 "2020-03-24: Side channel during CBC padding"
 ];
diff --git a/pkgs/development/libraries/botan/generic.nix b/pkgs/development/libraries/botan/generic.nix
index 2fc5abc2928..58f329fc8af 100644
--- a/pkgs/development/libraries/botan/generic.nix
+++ b/pkgs/development/libraries/botan/generic.nix
@@ -3,6 +3,7 @@
 , baseVersion, revision, sha256
 , sourceExtension ? "tar.xz"
 , extraConfigureFlags ? ""
+, extraPatches ? [ ]
 , postPatch ? null
 , knownVulnerabilities ? [ ]
 , CoreServices
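Review bot: The `fetchpatch` entry added to `extraPatches` in botan/2.0.nix carries no note on when it can be dropped, so a later bump of `baseVersion`/`revision` may keep applying it to a release that already contains the fix. A comment above it such as `# upstream fix for CVE-2021-40529; remove once the packaged release includes commit 9a23e4e3` would tell the next updater what to check. Because `excludes = [ "src/tests/*" ]` strips the test part of the upstream commit, the build presumably never runs the regression test that came with the fix; the existing comment explains why the exclude is needed but not that consequence, and it is worth one more line there.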
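Review bot: The new `"CVE-2021-40529"` entry in `knownVulnerabilities` in botan/default.nix is a bare identifier, while the entry below it carries a date, a one-line description and a reference comment. nixpkgs shows these strings to the user when it refuses to evaluate an insecure package, so the entry should say what is affected, in the same shape as its neighbour: `"CVE-2021-40529: <one-line summary>"` with a `# <advisory URL>` comment above it. As far as this diff shows, only 2.0.nix passes `extraPatches`, so this attribute stays unpatched; a comment saying that it is flagged rather than fixed would stop a reader assuming the patch covers both.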
@@ -22,6 +23,7 @@ stdenv.mkDerivation rec {
 ];
 inherit sha256;
 };
+ patches = extraPatches;
 inherit postPatch;
 buildInputs = [ python3 bzip2 zlib gmp openssl boost ]
diff --git a/pkgs/tools/system/foreman/Gemfile.lock b/pkgs/tools/system/foreman/Gemfile.lock
index a2a7824f7aa..1bafc658cbc 100644
--- a/pkgs/tools/system/foreman/Gemfile.lock
+++ b/pkgs/tools/system/foreman/Gemfile.lock
@@ -1,15 +1,13 @@
 GEM
 remote: https://rubygems.org/
 specs:
- foreman (0.78.0)
- thor (~> 0.19.1)
- thor (0.19.1)
+ foreman (0.87.2)
 PLATFORMS
- ruby
+ x86_64-linux
 DEPENDENCIES
 foreman
 BUNDLED WITH
- 2.1.4
+ 2.2.20
diff --git a/pkgs/tools/system/foreman/gemset.nix b/pkgs/tools/system/foreman/gemset.nix
index f747a2b0634..d5b053daf4c 100644
--- a/pkgs/tools/system/foreman/gemset.nix
+++ b/pkgs/tools/system/foreman/gemset.nix
@@ -1,18 +1,12 @@
 {
- thor = {
- version = "0.19.1";
- source = {
- type = "gem";
- remotes = ["https://rubygems.org"];
- sha256 = "08p5gx18yrbnwc6xc0mxvsfaxzgy2y9i78xq7ds0qmdm67q39y4z";
- };
- };
 foreman = {
- version = "0.78.0";
+ groups = ["default"];
+ platforms = [];
 source = {
- type = "gem";
 remotes = ["https://rubygems.org"];
- sha256 = "1caz8mi7gq1hs4l1flcyyw1iw1bdvdbhppsvy12akr01k3s17xaq";
+ sha256 = "0szgxvnzwkzrfbq5dkwa98mig78aqglfy6irdsvq1gq045pbq9r7";
+ type = "gem";
 };
+ version = "0.87.2";
 };
 }