From 3e1b8935c07ae44455af893e93f28b4ccc46dbf0 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sat, 27 Feb 2016 14:16:17 -0600 Subject: [PATCH 1/8] mbedtls: 1.3.14 -> 1.3.16 for CVE-2015-8036 --- pkgs/development/libraries/mbedtls/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/mbedtls/default.nix b/pkgs/development/libraries/mbedtls/default.nix index 7c7b82d9eef..ef0caed69d7 100644 --- a/pkgs/development/libraries/mbedtls/default.nix +++ b/pkgs/development/libraries/mbedtls/default.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, perl }: stdenv.mkDerivation rec { - name = "mbedtls-1.3.14"; + name = "mbedtls-1.3.16"; src = fetchurl { url = "https://polarssl.org/download/${name}-gpl.tgz"; - sha256 = "1y3gr3kfai3d13j08r4pv42sh47nbfm4nqi9jq8c9d06qidr2xmy"; + sha256 = "f413146c177c52d4ad8f48015e2fb21dd3a029ca30a2ea000cbc4f9bd092c933"; }; nativeBuildInputs = [ perl ]; From a1b69275afca5ec06e930c4605d55778ee6de4b8 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sat, 27 Feb 2016 14:32:56 -0600 Subject: [PATCH 2/8] libbsd: 0.7.0 -> 0.8.2 for CVE-2016-2090 --- pkgs/development/libraries/libbsd/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/libbsd/default.nix b/pkgs/development/libraries/libbsd/default.nix index bc88d8dc12c..541f70cabb8 100644 --- a/pkgs/development/libraries/libbsd/default.nix +++ b/pkgs/development/libraries/libbsd/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl }: -let name = "libbsd-0.7.0"; +let name = "libbsd-0.8.2"; in stdenv.mkDerivation { inherit name; src = fetchurl { url = "http://libbsd.freedesktop.org/releases/${name}.tar.xz"; - sha256 = "1fqhbi0vd6xjxazf633x388cc8qyn58l78704s0h6k63wlbhwfqg"; + sha256 = "02i5brb2007sxq3mn862mr7yxxm0g6nj172417hjyvjax7549xmj"; }; patchPhase = '' 
@@ -15,7 +15,7 @@ in stdenv.mkDerivation { --replace "{exec_prefix}" "{prefix}" ''; - meta = { + meta = { description = "Common functions found on BSD systems"; homepage = http://libbsd.freedesktop.org/; license = stdenv.lib.licenses.bsd3; From 77134ea4a536226e1d4d6495705b6a3777f8bf15 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sat, 27 Feb 2016 14:48:29 -0600 Subject: [PATCH 3/8] jasper: patch for CVE-2016-1867 --- pkgs/development/libraries/jasper/default.nix | 3 ++- .../libraries/jasper/jasper-CVE-2016-1867.diff | 11 +++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 pkgs/development/libraries/jasper/jasper-CVE-2016-1867.diff diff --git a/pkgs/development/libraries/jasper/default.nix b/pkgs/development/libraries/jasper/default.nix index 2fa9cf7dbf9..40d54ed400a 100644 --- a/pkgs/development/libraries/jasper/default.nix +++ b/pkgs/development/libraries/jasper/default.nix @@ -9,6 +9,7 @@ stdenv.mkDerivation rec { }; patches = [ + ./jasper-CVE-2016-1867.diff ./jasper-CVE-2014-8137-variant2.diff ./jasper-CVE-2014-8137-noabort.diff ./jasper-CVE-2014-8138.diff @@ -21,7 +22,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ libjpeg ]; configureFlags = "--enable-shared"; - + meta = { homepage = https://www.ece.uvic.ca/~frodo/jasper/; description = "JPEG2000 Library"; diff --git a/pkgs/development/libraries/jasper/jasper-CVE-2016-1867.diff b/pkgs/development/libraries/jasper/jasper-CVE-2016-1867.diff new file mode 100644 index 00000000000..b2dce8d8e70 --- /dev/null +++ b/pkgs/development/libraries/jasper/jasper-CVE-2016-1867.diff 
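Review bot: The new `./jasper-CVE-2016-1867.diff` entry in `patches` carries no record of where the patch came from, so a later maintainer cannot tell whether it matches an upstream or distribution fix, or when it can be dropped. A comment above the entry would cover it, for example `# CVE-2016-1867: bound compno by numcomps in jpc_t2cod.c; origin: <URL of the patch source>`. The older CVE patches in the list appear here only as context and would benefit from the same annotation. The `patches` list and the enclosing `mkDerivation` continue outside the hunk.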
@@ -0,0 +1,11 @@ +--- jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c 2007-01-19 22:43:07.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jpc/jpc_t2cod.c 2016-01-14 14:22:24.569056412 +0100 +@@ -429,7 +429,7 @@ + } + + for (pi->compno = pchg->compnostart, pi->picomp = +- &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend); ++pi->compno, ++ &pi->picomps[pi->compno]; pi->compno < JAS_CAST(int, pchg->compnoend) && pi->compno < pi->numcomps; ++pi->compno, + ++pi->picomp) { + pirlvl = pi->picomp->pirlvls; + pi->xstep = pi->picomp->hsamp * (1 << (pirlvl->prcwidthexpn + \ No newline at end of file From 0a2c3ec971fd47267b0f6411fdabeb163c105f91 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sat, 27 Feb 2016 15:31:52 -0600 Subject: [PATCH 4/8] mysql: 5.5.45 -> 5.5.48 for multiple CVEs: CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4879 CVE-2015-4913 --- pkgs/servers/sql/mysql/5.5.x.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/sql/mysql/5.5.x.nix b/pkgs/servers/sql/mysql/5.5.x.nix index dbbb9223ee4..8c288e54cd4 100644 --- a/pkgs/servers/sql/mysql/5.5.x.nix +++ b/pkgs/servers/sql/mysql/5.5.x.nix @@ -4,11 +4,11 @@ stdenv.mkDerivation rec { name = "mysql-${version}"; - version = "5.5.45"; + version = "5.5.48"; src = fetchurl { url = "mirror://mysql/MySQL-5.5/${name}.tar.gz"; - sha256 = "0clkr3r44j8nsgmjzv6r09pb0vjangn5hpyjxgg5ynr674ygskkl"; + sha256 = "10fpzvf6hxvqgaq8paiz8fvhcbbs4qnzqw0svq40bvlyhx2qfgyc"; }; patches = if stdenv.isCygwin then [ From 73f64108511fc8978599fca14df053c49889e2f5 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sat, 27 Feb 2016 15:35:19 -0600 Subject: [PATCH 5/8] cgit: 0.11.2 -> 0.12 for CVE-2016-1899 CVE-2016-1900 CVE-2016-1901 --- .../version-management/git-and-tools/cgit/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
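Review bot: The added `pi->compno < pi->numcomps` test guards only this one component loop at line 429 of jpc_t2cod.c. Any other loop in that file that walks `pi->picomps` up to `pchg->compnoend` would presumably need the same bound, which cannot be checked from this hunk. The value being bounded, `pchg->compnoend`, still reaches the iterator unvalidated, so rejecting a progression change whose `compnoend` exceeds `numcomps` at the point where it is read would be the more durable fix if upstream provides one. The vendored file also ends with `\ No newline at end of file`, which is harmless to `patch` but worth normalising. The enclosing function starts and ends outside the hunk.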
diff --git a/pkgs/applications/version-management/git-and-tools/cgit/default.nix b/pkgs/applications/version-management/git-and-tools/cgit/default.nix index 6cde64b3090..49e1734fe02 100644 --- a/pkgs/applications/version-management/git-and-tools/cgit/default.nix +++ b/pkgs/applications/version-management/git-and-tools/cgit/default.nix @@ -5,11 +5,11 @@ stdenv.mkDerivation rec { name = "cgit-${version}"; - version = "0.11.2"; + version = "0.12"; src = fetchurl { url = "http://git.zx2c4.com/cgit/snapshot/${name}.tar.xz"; - sha256 = "0fryh56kyah7v9a8zzhbhwlyy2j116w87sxmgrn2kmwk0rvnw4if"; + sha256 = "1dx54hgfyabmg9nm5qp6d01f54nlbqbbdwhwl0llb9imjf237qif"; }; # cgit is tightly coupled with git and needs a git source tree to build. @@ -18,8 +18,8 @@ stdenv.mkDerivation rec { # NOTE: as of 0.10.1, the git version is compatible from 1.9.0 to # 1.9.2 (see the repository history) gitSrc = fetchurl { - url = "mirror://kernel/software/scm/git/git-2.3.2.tar.xz"; - sha256 = "09gqijsjfnxlbsxbxzlvllg37bfs9f4jwa2plqsanmba09i89sqq"; + url = "mirror://kernel/software/scm/git/git-2.7.0.tar.xz"; + sha256 = "03bvb8s5j8i54qbi3yayl42bv0wf2fpgnh1a2lkhbj79zi7b77zs"; }; buildInputs = [ From 4a54794d18683db41d2a4203f14c5debf628883c Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sat, 27 Feb 2016 16:13:47 -0600 Subject: [PATCH 6/8] xara: broken due to patch-tracker.debian.org being missing. --- pkgs/applications/graphics/xara/default.nix | 4 +++- .../networking/mailreaders/thunderbird/default.nix | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/xara/default.nix b/pkgs/applications/graphics/xara/default.nix index cd3a09887d0..cc456465ba6 100644 --- a/pkgs/applications/graphics/xara/default.nix +++ b/pkgs/applications/graphics/xara/default.nix 
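Review bot: The comment kept as context above `gitSrc` still says `as of 0.10.1, the git version is compatible from 1.9.0 to 1.9.2`, which no longer matches the bump to `git-2.7.0.tar.xz` in the second hunk. cgit is built against this git tree, so the pinned git version is part of cgit's security posture and should be recorded accurately, for example `# NOTE: cgit 0.12 builds against git 2.7.0; keep gitSrc in step with the version cgit's Makefile pins`. That 2.7.0 is the version cgit 0.12 expects is an assumption to confirm against the release. The cgit tarball itself is fetched over plain `http://`, so the `sha256` is the only integrity check on it and should be compared with a hash obtained independently of that download.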
@@ -8,7 +8,7 @@ stdenv.mkDerivation { url = http://downloads2.xara.com/opensource/XaraLX-0.7r1785.tar.bz2; sha256 = "05xbzq1i1vw2mdsv7zjqfpxfv3g1j0g5kks0gq6sh373xd6y8lyh"; }; - + nativeBuildInputs = [ automake pkgconfig gettext perl zip ]; buildInputs = [ wxGTK gtk libxml2 freetype pango ]; @@ -17,4 +17,6 @@ stdenv.mkDerivation { patches = map fetchurl (import ./debian-patches.nix); prePatch = "patchShebangs Scripts"; + + meta.broken = true; } diff --git a/pkgs/applications/networking/mailreaders/thunderbird/default.nix b/pkgs/applications/networking/mailreaders/thunderbird/default.nix index 32f77cfa2c2..093e7a22b92 100644 --- a/pkgs/applications/networking/mailreaders/thunderbird/default.nix +++ b/pkgs/applications/networking/mailreaders/thunderbird/default.nix @@ -13,7 +13,7 @@ enableOfficialBranding ? false }: -let version = "38.3.0"; in +let version = "38.6.0"; in let verName = "${version}"; in stdenv.mkDerivation rec { From 1aed3948d7584ff594daf35dd8200e1a74f62213 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sat, 27 Feb 2016 16:50:13 -0600 Subject: [PATCH 7/8] pythonmagick: 0.9.11 -> 0.9.12 --- pkgs/applications/graphics/PythonMagick/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/graphics/PythonMagick/default.nix b/pkgs/applications/graphics/PythonMagick/default.nix index 17bf7d54670..5ab7d4d8a69 100644 --- a/pkgs/applications/graphics/PythonMagick/default.nix +++ b/pkgs/applications/graphics/PythonMagick/default.nix @@ -2,7 +2,7 @@ let - version = "0.9.11"; + version = "0.9.12"; in 
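Review bot: `meta.broken = true;` is added to xara with no reason given in the file; the explanation exists only in the commit subject. A short comment would keep it with the code, for example `# broken: the patches listed in debian-patches.nix can no longer be fetched (patch-tracker.debian.org is gone)`. That the URLs in `debian-patches.nix` point at that host is inferred from the commit subject, since the file is not part of this diff.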
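Review bot: `version` moves to `"38.6.0"` in thunderbird/default.nix, but the diffstat for that file is one insertion and one deletion, so the source hash was not updated with it. Assuming `src` is a fixed-output fetch whose URL is derived from `version` (it lies outside the hunk), the build will either fail on a hash mismatch or, if the fetch's store name does not change, keep using the old tarball under the new version label. The hash belongs in the same change, as in `sha256 = "<hash of the 38.6.0 source tarball>";`. The bump is also unrelated to the xara subject of this commit and would be easier to audit as its own `thunderbird: 38.3.0 -> 38.6.0` commit.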
@@ -10,8 +10,8 @@ stdenv.mkDerivation rec { name = "pythonmagick-${version}"; src = fetchurl { - url = "http://www.imagemagick.org/download/python/releases/PythonMagick-${version}.tar.gz"; - sha256 = "01z01mlqkk0lvrh2jsmf84qjw29sq4rpj0653x7nqy7mrszwwp2v"; + url = "http://www.imagemagick.org/download/python/releases/PythonMagick-${version}.tar.xz"; + sha256 = "1l1kr3d7l40fkxgs6mrlxj65alv2jizm9hhgg9i9g90a8qj8642b"; }; buildInputs = [python boost pkgconfig imagemagick]; From 7df907b27278abc3c3b716473c188cbff5996f84 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Sat, 27 Feb 2016 16:54:04 -0600 Subject: [PATCH 8/8] moodle: 2.8.5 -> 2.8.10 for CVE-2016-0724 CVE-2016-0725 --- .../services/web-servers/apache-httpd/moodle.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/web-servers/apache-httpd/moodle.nix b/nixos/modules/services/web-servers/apache-httpd/moodle.nix index 84c8281ecd8..87b1fba5aa1 100644 --- a/nixos/modules/services/web-servers/apache-httpd/moodle.nix +++ b/nixos/modules/services/web-servers/apache-httpd/moodle.nix @@ -46,16 +46,16 @@ let ''; # Unpack Moodle and put the config file in its root directory. moodleRoot = pkgs.stdenv.mkDerivation rec { - name= "moodle-2.8.5"; + name= "moodle-2.8.10"; src = pkgs.fetchurl { url = "https://download.moodle.org/stable28/${name}.tgz"; - sha256 = "1a159a193010cddedce10ee009184502e6f732e4d7c85167d8597fe5dff9e190"; + sha256 = "0c3r5081ipcwc9s6shakllnrkd589y2ln5z5m1q09l4h6a7cy4z2"; }; buildPhase = '' - ''; + ''; installPhase = '' @@ -132,7 +132,7 @@ in cleartext in the Nix store! ''; }; - + dbPrefix = mkOption { default = "mdl_"; example = "my_other_mdl_"; @@ -158,7 +158,7 @@ in type = types.path; }; - + extraConfig = mkOption { default = ""; example =