From 4b9b1fa9456b0858244fc5ba36cfbc71944cad75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 19 Jan 2017 14:48:00 +0100 Subject: [PATCH 01/19] util-linux: remove seccomp sandbox for CVE-2016-2279 the patch for CVE-2016-2779 was reverted by upstream and was not adopted by any other downstream distributions. Upstream waits for a better fix in the kernel: https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes --- pkgs/os-specific/linux/util-linux/default.nix | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index f6e26f51cc8..a97ce920533 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -1,4 +1,5 @@ -{ lib, stdenv, fetchurl, pkgconfig, zlib, libseccomp, fetchpatch, autoreconfHook, ncurses ? null, perl ? null, pam, systemd, minimal ? false }: +{ lib, stdenv, fetchurl, pkgconfig, zlib, fetchpatch +, ncurses ? null, perl ? null, pam, systemd, minimal ? false }: stdenv.mkDerivation rec { name = "util-linux-${version}"; @@ -12,13 +13,7 @@ stdenv.mkDerivation rec { sha256 = "1rzrmdrz51p9sy7vlw5qmj8pmqazm7hgcch5yq242mkvrikyln9c"; }; - patches = [ - ./rtcwake-search-PATH-for-shutdown.patch - (fetchpatch { - name = "CVE-2016-2779.diff"; - url = https://github.com/karelzak/util-linux/commit/8e4925016875c6a4f2ab4f833ba66f0fc57396a2.patch; - sha256 = "0kmigkq4s1b1ijrq8vcg2a5cw4qnm065m7cb1jn1q1f4x99ycy60"; - })]; + patches = [ ./rtcwake-search-PATH-for-shutdown.patch ]; outputs = [ "bin" "dev" "out" "man" ]; 
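Review bot: Dropping the `CVE-2016-2779.diff` entry from `patches` (second hunk) leaves the derivation with no in-tree record that this CVE is knowingly unmitigated; the rationale exists only in the commit message. I would keep a comment next to the list, e.g. `# CVE-2016-2779 is intentionally unpatched: upstream reverted the seccomp fix and waits for a kernel-side fix (see the v2.28 release notes)`, so that scanner findings and later audits can be answered from the file. In the first hunk `fetchpatch` stays in the argument set although its only visible use is removed; if nothing outside these hunks uses it, it can be dropped as well. The commit subject says CVE-2016-2279 while the body and the removed patch name say CVE-2016-2779, which will mislead anyone searching history by CVE id.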
@@ -54,11 +49,9 @@ stdenv.mkDerivation rec { makeFlags = "usrbin_execdir=$(bin)/bin usrsbin_execdir=$(bin)/sbin"; - # autoreconfHook is required for CVE-2016-2779 - nativeBuildInputs = [ pkgconfig autoreconfHook ]; - # libseccomp is required for CVE-2016-2779 + nativeBuildInputs = [ pkgconfig ]; buildInputs = - [ zlib pam libseccomp ] + [ zlib pam ] ++ lib.optional (ncurses != null) ncurses ++ lib.optional (systemd != null) systemd ++ lib.optional (perl != null) perl; From 104a37a9fbd101de63562b8560e27e843887fe9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 19 Jan 2017 15:11:23 +0100 Subject: [PATCH 02/19] util-linux: improve purity by using login from shadow replacing shutdown in postPatch phase is not necessary as rtcwake was already patched to use the search path (the only user of shutdown) --- pkgs/os-specific/linux/util-linux/default.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index a97ce920533..f7f60e8997f 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl, pkgconfig, zlib, fetchpatch +{ lib, stdenv, fetchurl, pkgconfig, zlib, fetchpatch, shadow , ncurses ? null, perl ? null, pam, systemd, minimal ? false }: stdenv.mkDerivation rec { @@ -17,12 +17,9 @@ stdenv.mkDerivation rec { outputs = [ "bin" "dev" "out" "man" ]; - #FIXME: make it also work on non-nixos? postPatch = '' - # Substituting store paths would create a circular dependency on systemd substituteInPlace include/pathnames.h \ - --replace "/bin/login" "/run/current-system/sw/bin/login" \ - --replace "/sbin/shutdown" "/run/current-system/sw/bin/shutdown" + --replace "/bin/login" "${shadow}/bin/login" ''; crossAttrs = { From a9c1d92695838faf5eb9e4e4b44ef58e0af3bc1a Mon Sep 17 00:00:00 2001 
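Review bot: The `postPatch` hunk of the `shadow` change (`@@ -17,12 +17,9 @@`) deletes both explanatory comments and leaves the `/bin/login` substitution undocumented, although it decides which login binary the programs built from this tree will execute. A short comment such as `# pin login to the shadow store path instead of the mutable /run/current-system profile; shutdown is found via PATH by the rtcwake patch` would record the intent. The path is now fixed at build time, so a security update to `shadow` reaches these programs only through a rebuild of util-linux, which Nix's dependency tracking should trigger. `shadow` also becomes an unconditional input; whether that is wanted for `minimal = true` builds cannot be told from the hunk.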
From: Franz Pletz Date: Sun, 22 Jan 2017 01:38:10 +0100 Subject: [PATCH 03/19] varnish: 4.0.3 -> 5.0.0 --- pkgs/servers/varnish/default.nix | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/pkgs/servers/varnish/default.nix b/pkgs/servers/varnish/default.nix index fb333176801..fc5a744ad46 100644 --- a/pkgs/servers/varnish/default.nix +++ b/pkgs/servers/varnish/default.nix @@ -1,25 +1,30 @@ -{ stdenv, fetchurl, pcre, libxslt, groff, ncurses, pkgconfig, readline, python -, pythonPackages }: +{ stdenv, fetchurl, pcre, libxslt, groff, ncurses, pkgconfig, readline, libedit +, python, pythonPackages }: stdenv.mkDerivation rec { - version = "4.0.3"; + version = "5.0.0"; name = "varnish-${version}"; src = fetchurl { url = "http://repo.varnish-cache.org/source/${name}.tar.gz"; - sha256 = "01l2iypajkdanxpbvzfxm6vs4jay4dgw7lmchqidnivz15sa3fcl"; + sha256 = "0jizha1mwqk42zmkrh80y07vfl78mg1d9pp5w83qla4xn9ras0ai"; }; - buildInputs = [ pcre libxslt groff ncurses pkgconfig readline python - pythonPackages.docutils]; + nativeBuildInputs = [ pkgconfig ]; + buildInputs = [ + pcre libxslt groff ncurses readline python libedit + pythonPackages.docutils + ]; buildFlags = "localstatedir=/var/spool"; - meta = { + outputs = [ "out" "dev" "man" ]; + + meta = with stdenv.lib; { description = "Web application accelerator also known as a caching HTTP reverse proxy"; homepage = "https://www.varnish-cache.org"; - license = stdenv.lib.licenses.bsd2; - maintainers = [ stdenv.lib.maintainers.garbas ]; - platforms = stdenv.lib.platforms.linux; + license = licenses.bsd2; + maintainers = with maintainers; [ garbas fpletz ]; + platforms = platforms.linux; }; } From 77c891f55c2ec01d9e77e80e6abb797f28e55cf2 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 01:38:29 +0100 Subject: [PATCH 04/19] rrdtool: 1.5.5 -> 1.5.6 --- pkgs/tools/misc/rrdtool/default.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/pkgs/tools/misc/rrdtool/default.nix b/pkgs/tools/misc/rrdtool/default.nix index 2db91549104..98bf6a9cfc2 100644 --- a/pkgs/tools/misc/rrdtool/default.nix +++ b/pkgs/tools/misc/rrdtool/default.nix @@ -2,14 +2,16 @@ , tcl-8_5 }: stdenv.mkDerivation rec { - name = "rrdtool-1.5.5"; + name = "rrdtool-1.5.6"; + src = fetchurl { url = "http://oss.oetiker.ch/rrdtool/pub/${name}.tar.gz"; - sha256 = "1xm6ikzx8iaa6r7v292k8s7srkzhnifamp1szkimgmh5ki26sa1s"; + sha256 = "1s2cci80g6kbp5p77mkxpfxwvjm1802fw0bjfsa8yjv8g5a7fclq"; }; + buildInputs = [ gettext perl pkgconfig libxml2 pango cairo groff ] ++ stdenv.lib.optional stdenv.isDarwin tcl-8_5; - + postInstall = '' # for munin and rrdtool support mkdir -p $out/lib/perl5/site_perl/ From 281a56af4aa2805c46fca819eba8943340503420 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 01:38:50 +0100 Subject: [PATCH 05/19] collectd: 5.6.0 -> 5.7.0 --- pkgs/tools/system/collectd/default.nix | 12 ++--- pkgs/tools/system/collectd/readdir-fix.patch | 55 -------------------- 2 files changed, 4 insertions(+), 63 deletions(-) delete mode 100644 pkgs/tools/system/collectd/readdir-fix.patch diff --git a/pkgs/tools/system/collectd/default.nix b/pkgs/tools/system/collectd/default.nix index fb2a66ecf37..7d649256f86 100644 --- a/pkgs/tools/system/collectd/default.nix +++ b/pkgs/tools/system/collectd/default.nix @@ -9,6 +9,7 @@ , libdbi ? null , libgcrypt ? null , libmemcached ? null, cyrus_sasl ? null +, libmicrohttpd ? null , libmodbus ? null , libnotify ? null, gdk_pixbuf ? null , liboping ? null 
@@ -34,24 +35,19 @@ , libmnl ? null }: stdenv.mkDerivation rec { - version = "5.6.0"; + version = "5.7.0"; name = "collectd-${version}"; src = fetchurl { url = "http://collectd.org/files/${name}.tar.bz2"; - sha256 = "08w6fjzczi2psk7va0xkjh9pigpar6sbjx2a6ayq4dmc3zcvpzzh"; + sha256 = "1cpjkv4d0iifngihxikzljavya0r2k3blarlahamgbdsqsymz815"; }; buildInputs = [ pkgconfig curl iptables libatasmart libcredis libdbi libgcrypt libmemcached cyrus_sasl libmodbus libnotify gdk_pixbuf liboping libpcap libsigrok libvirt lm_sensors libxml2 lvm2 libmysql postgresql protobufc rabbitmq-c rrdtool - varnish yajl jdk libtool python udev net_snmp hiredis libmnl - ]; - - patches = [ - # Replace deprecated readdir_r() with readdir() to avoid a fatal warning. - ./readdir-fix.patch + varnish yajl jdk libtool python udev net_snmp hiredis libmnl libmicrohttpd ]; # for some reason libsigrok isn't auto-detected diff --git a/pkgs/tools/system/collectd/readdir-fix.patch b/pkgs/tools/system/collectd/readdir-fix.patch deleted file mode 100644 index 171dfc689a4..00000000000 --- a/pkgs/tools/system/collectd/readdir-fix.patch +++ /dev/null 
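Review bot: `libmicrohttpd` is appended to `buildInputs` in this hunk (and declared in the previous one) without any comment on what it turns on, and the commit subject describes only a version bump. It presumably enables a collectd plugin that embeds an HTTP listener; since this widens the feature set of a daemon that commonly runs with elevated privileges, a comment such as `# libmicrohttpd: needed by <plugin name>, TODO confirm` next to the input would make that choice visible to reviewers.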
@@ -1,55 +0,0 @@ -diff -Naur collectd-5.6.0/src/vserver.c collectd-5.6.0/src/vserver.c ---- collectd-5.6.0/src/vserver.c 2016-09-11 01:10:25.279038699 -0700 -+++ collectd-5.6.0/src/vserver.c 2016-09-25 07:44:40.771177458 -0700 -@@ -132,15 +132,8 @@ - - static int vserver_read (void) - { --#if NAME_MAX < 1024 --# define DIRENT_BUFFER_SIZE (sizeof (struct dirent) + 1024 + 1) --#else --# define DIRENT_BUFFER_SIZE (sizeof (struct dirent) + NAME_MAX + 1) --#endif -- - DIR *proc; - struct dirent *dent; /* 42 */ -- char dirent_buffer[DIRENT_BUFFER_SIZE]; - - errno = 0; - proc = opendir (PROCDIR); -@@ -165,19 +158,23 @@ - - int status; - -- status = readdir_r (proc, (struct dirent *) dirent_buffer, &dent); -- if (status != 0) -- { -- char errbuf[4096]; -- ERROR ("vserver plugin: readdir_r failed: %s", -- sstrerror (errno, errbuf, sizeof (errbuf))); -- closedir (proc); -- return (-1); -- } -- else if (dent == NULL) -+ errno = 0; -+ dent = readdir (proc); -+ if (dent == NULL) - { -- /* end of directory */ -- break; -+ if (errno != 0) -+ { -+ char errbuf[4096]; -+ ERROR ("vserver plugin: readdir failed: %s", -+ sstrerror (errno, errbuf, sizeof (errbuf))); -+ closedir (proc); -+ return (-1); -+ } -+ else -+ { -+ /* end of directory */ -+ break; -+ } - } - - if (dent->d_name[0] == '.') From 608c167f951cdbafb110291e7d6daa513879a05e Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 01:39:07 +0100 Subject: [PATCH 06/19] libmicrohttpd: 0.9.50 -> 0.9.52 --- pkgs/development/libraries/libmicrohttpd/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/libmicrohttpd/default.nix b/pkgs/development/libraries/libmicrohttpd/default.nix index b53c8da3f54..c38d5c82570 100644 --- a/pkgs/development/libraries/libmicrohttpd/default.nix +++ b/pkgs/development/libraries/libmicrohttpd/default.nix 
@@ -1,11 +1,11 @@ { stdenv, fetchurl, libgcrypt, curl, gnutls, pkgconfig }: stdenv.mkDerivation rec { - name = "libmicrohttpd-0.9.50"; + name = "libmicrohttpd-0.9.52"; src = fetchurl { url = "mirror://gnu/libmicrohttpd/${name}.tar.gz"; - sha256 = "1mzbqr6sqisppz88mh73bbh5sw57g8l87qvhcjdx5pmbd183idni"; + sha256 = "1smgxw6jv81yybg86bzr4c2sn7a31apf8q4zz0kpch9xfrp7yyal"; }; outputs = [ "out" "dev" "devdoc" "info" ]; @@ -31,7 +31,7 @@ stdenv.mkDerivation rec { homepage = http://www.gnu.org/software/libmicrohttpd/; - maintainers = [ maintainers.eelco maintainers.vrthra ]; + maintainers = with maintainers; [ eelco vrthra fpletz ]; platforms = platforms.linux; }; } From f3f5045432bd5ebded5cffc5f9a42620eac2965a Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 01:43:07 +0100 Subject: [PATCH 07/19] libpcap: 1.7.4 -> 1.8.1 --- pkgs/development/libraries/libpcap/default.nix | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/pkgs/development/libraries/libpcap/default.nix b/pkgs/development/libraries/libpcap/default.nix index d23d123a99c..14567c0daf4 100644 --- a/pkgs/development/libraries/libpcap/default.nix +++ b/pkgs/development/libraries/libpcap/default.nix @@ -1,15 +1,15 @@ { stdenv, fetchurl, flex, bison }: stdenv.mkDerivation rec { - name = "libpcap-1.7.4"; - + name = "libpcap-1.8.1"; + src = fetchurl { url = "http://www.tcpdump.org/release/${name}.tar.gz"; - sha256 = "1c28ykkizd7jqgzrfkg7ivqjlqs9p6lygp26bsw2i0z8hwhi3lvs"; + sha256 = "07jlhc66z76dipj4j5v3dig8x6h3k6cb36kmnmpsixf3zmlvqgb7"; }; - + nativeBuildInputs = [ flex bison ]; - + # We need to force the autodetection because detection doesn't # work in pure build enviroments. configureFlags = 
@@ -22,16 +22,17 @@ stdenv.mkDerivation rec { ''; preInstall = ''mkdir -p $out/bin''; - + crossAttrs = { # Stripping hurts in static libraries dontStrip = true; configureFlags = configureFlags ++ [ "ac_cv_linux_vers=2" ]; }; - meta = { + meta = with stdenv.lib; { homepage = http://www.tcpdump.org; description = "Packet Capture Library"; - platforms = stdenv.lib.platforms.unix; + platforms = platforms.unix; + maintainers = with maintainers; [ fpletz ]; }; } From 9156d932b6383c0c213d069cd09916a0995db944 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 01:44:38 +0100 Subject: [PATCH 08/19] tcpdump: 4.7.4 -> 4.8.1 --- pkgs/tools/networking/tcpdump/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/networking/tcpdump/default.nix b/pkgs/tools/networking/tcpdump/default.nix index a50fad8b374..f51f345d1dd 100644 --- a/pkgs/tools/networking/tcpdump/default.nix +++ b/pkgs/tools/networking/tcpdump/default.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, libpcap, enableStatic ? false }: stdenv.mkDerivation rec { - name = "tcpdump-4.7.4"; + name = "tcpdump-4.8.1"; src = fetchurl { url = "http://www.tcpdump.org/release/${name}.tar.gz"; - sha256 = "1byr8w6grk08fsq0444jmcz9ar89lq9nf4mjq2cny0w9k8k21rbb"; + sha256 = "0743ipl0l7ymjss3ybvvc5cbk9kb7s8yl4p3ramp5kwgqhg39r10"; }; buildInputs = [ libpcap ]; From 57145c6251d6366caed87d3b24e1c858d7f1a516 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 02:16:46 +0100 Subject: [PATCH 09/19] libnetfilter_conntrack: 1.0.5 -> 1.0.6 --- pkgs/development/libraries/libnetfilter_conntrack/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libnetfilter_conntrack/default.nix b/pkgs/development/libraries/libnetfilter_conntrack/default.nix index 75cca9a028e..a94bf28cd97 100644 --- a/pkgs/development/libraries/libnetfilter_conntrack/default.nix +++ b/pkgs/development/libraries/libnetfilter_conntrack/default.nix 
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "libnetfilter_conntrack-${version}"; - version = "1.0.5"; + version = "1.0.6"; src = fetchurl { url = "http://netfilter.org/projects/libnetfilter_conntrack/files/${name}.tar.bz2"; - sha256 = "0fnpja3g8s38cp7ipija5pvhfgna1gybn0z2bl276nk08fppv7gw"; + sha256 = "1svzyf3rq9nbrcw1jsricgyhh7x1am8iqn6kjr6mzrw42810ik7g"; }; buildInputs = [ libmnl ]; From 8a7407e881829ec2ac3b365bc78c721c3ff79875 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 02:17:16 +0100 Subject: [PATCH 10/19] libnftnl: 1.0.6 -> 1.0.7 --- pkgs/development/libraries/libnftnl/default.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/pkgs/development/libraries/libnftnl/default.nix b/pkgs/development/libraries/libnftnl/default.nix index a043d36ff4d..074c1a9dfd2 100644 --- a/pkgs/development/libraries/libnftnl/default.nix +++ b/pkgs/development/libraries/libnftnl/default.nix @@ -1,20 +1,21 @@ { stdenv, fetchurl, pkgconfig, libmnl }: stdenv.mkDerivation rec { - name = "libnftnl-1.0.6"; + name = "libnftnl-1.0.7"; src = fetchurl { url = "http://netfilter.org/projects/libnftnl/files/${name}.tar.bz2"; - sha256 = "0zmh190c7212zvzjsn5lm6pf399r4arq7dliiqq6grd174m96fxd"; + sha256 = "10irjrylcfkbp11617yr19vpfhgl54w0kw02jhj0i1abqv5nxdlv"; }; - buildInputs = [ pkgconfig libmnl ]; + nativeBuildInputs = [ pkgconfig ]; + buildInputs = [ libmnl ]; meta = with stdenv.lib; { description = "A userspace library providing a low-level netlink API to the in-kernel nf_tables subsystem"; homepage = http://netfilter.org/projects/libnftnl; license = licenses.gpl2Plus; platforms = platforms.linux; - maintainers = with maintainers; [ wkennington ]; + maintainers = with maintainers; [ wkennington fpletz ]; }; } From 016a194ac832af15367a7167f36d869ebd420c1a Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Sun, 22 Jan 2017 02:17:35 +0100 Subject: [PATCH 11/19] conntrack_tools: 1.4.3 -> 1.4.4 --- pkgs/os-specific/linux/conntrack-tools/default.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/pkgs/os-specific/linux/conntrack-tools/default.nix b/pkgs/os-specific/linux/conntrack-tools/default.nix index f0988759bc4..ea09050fc60 100644 --- a/pkgs/os-specific/linux/conntrack-tools/default.nix +++ b/pkgs/os-specific/linux/conntrack-tools/default.nix @@ -1,18 +1,20 @@ { fetchurl, stdenv, flex, bison, pkgconfig, libmnl, libnfnetlink , libnetfilter_conntrack, libnetfilter_queue, libnetfilter_cttimeout -, libnetfilter_cthelper }: +, libnetfilter_cthelper, systemd }: stdenv.mkDerivation rec { name = "conntrack-tools-${version}"; - version = "1.4.3"; + version = "1.4.4"; src = fetchurl { url = "http://www.netfilter.org/projects/conntrack-tools/files/${name}.tar.bz2"; - sha256 = "0mrzrzp6y41pmxc6ixc4fkgz6layrpwsmzb522adzzkc6mhcqg5g"; + sha256 = "0v5spmlcw5n6va8z34f82vcpynadb0b54pnjazgpadf0qkyg9jmp"; }; - buildInputs = [ libmnl libnfnetlink libnetfilter_conntrack libnetfilter_queue - libnetfilter_cttimeout libnetfilter_cthelper ]; + buildInputs = [ + libmnl libnfnetlink libnetfilter_conntrack libnetfilter_queue + libnetfilter_cttimeout libnetfilter_cthelper systemd + ]; nativeBuildInputs = [ flex bison pkgconfig ]; meta = with stdenv.lib; { @@ -20,6 +22,6 @@ stdenv.mkDerivation rec { description = "Connection tracking userspace tools"; platforms = platforms.linux; license = licenses.gpl2Plus; - maintainers = with maintainers; [ nckx ]; + maintainers = with maintainers; [ nckx fpletz ]; }; } From 210f894c12ed975dba5c8e500237440c8c744326 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 02:20:00 +0100 Subject: [PATCH 12/19] iptables: split out dev output --- pkgs/os-specific/linux/iptables/default.nix | 14 +++++++++----- pkgs/top-level/all-packages.nix | 4 +++- 2 files changed, 12 insertions(+), 6 deletions(-) 
diff --git a/pkgs/os-specific/linux/iptables/default.nix b/pkgs/os-specific/linux/iptables/default.nix index 8c815029661..bbc63d31a13 100644 --- a/pkgs/os-specific/linux/iptables/default.nix +++ b/pkgs/os-specific/linux/iptables/default.nix @@ -1,4 +1,5 @@ -{stdenv, fetchurl, bison, flex, libnetfilter_conntrack, libnftnl, libmnl}: +{ stdenv, fetchurl, bison, flex +, libnetfilter_conntrack, libnftnl, libmnl }: stdenv.mkDerivation rec { name = "iptables-${version}"; @@ -9,9 +10,9 @@ stdenv.mkDerivation rec { sha256 = "0q0w1x4aijid8wj7dg1ny9fqwll483f1sqw7kvkskd8q1c52mdsb"; }; - nativeBuildInputs = [bison flex]; + nativeBuildInputs = [ bison flex ]; - buildInputs = [libnetfilter_conntrack libnftnl libmnl]; + buildInputs = [ libnetfilter_conntrack libnftnl libmnl ]; preConfigure = '' export NIX_LDFLAGS="$NIX_LDFLAGS -lmnl -lnftnl" @@ -22,10 +23,13 @@ stdenv.mkDerivation rec { --enable-shared ''; - meta = { + outputs = [ "out" "dev" ]; + + meta = with stdenv.lib; { description = "A program to configure the Linux IP packet filtering ruleset"; homepage = http://www.netfilter.org/projects/iptables/index.html; - platforms = stdenv.lib.platforms.linux; + platforms = platforms.linux; + maintainers = with maintainers; [ fpletz ]; downloadPage = "http://www.netfilter.org/projects/iptables/files/"; updateWalker = true; inherit version; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index fbf1abba565..0cf4923a3fe 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -11087,7 +11087,9 @@ in inherit (perlPackages) SGMLSpm; }; - iptables = callPackage ../os-specific/linux/iptables { }; + iptables = callPackage ../os-specific/linux/iptables { + flex = flex_2_5_35; + }; ipset = callPackage ../os-specific/linux/ipset { }; From f09c5c9c453e0c303f1d334fd6419688eaafdce8 Mon Sep 17 00:00:00 2001 
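Review bot: In the `all-packages.nix` hunk the new `flex = flex_2_5_35;` override pins iptables to an older flex without saying why, and the commit subject ("split out dev output") does not mention it. Add a comment on that line, e.g. `# <reason the default flex fails for iptables>; remove once fixed`, so the pin on a build-time code generator is not carried forward indefinitely without anyone knowing whether it is still needed.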
From: Franz Pletz Date: Sun, 22 Jan 2017 02:21:07 +0100 Subject: [PATCH 13/19] nftables: 0.6 -> 0.7, enable xtables support --- pkgs/os-specific/linux/nftables/default.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pkgs/os-specific/linux/nftables/default.nix b/pkgs/os-specific/linux/nftables/default.nix index 3557c1f05af..78b13b902c8 100644 --- a/pkgs/os-specific/linux/nftables/default.nix +++ b/pkgs/os-specific/linux/nftables/default.nix @@ -1,22 +1,24 @@ { stdenv, fetchurl, pkgconfig, docbook2x, docbook_xml_dtd_45 -, flex, bison, libmnl, libnftnl, gmp, readline }: +, flex, bison, libmnl, libnftnl, gmp, readline, iptables }: stdenv.mkDerivation rec { - name = "nftables-0.6"; + name = "nftables-0.7"; src = fetchurl { url = "http://netfilter.org/projects/nftables/files/${name}.tar.bz2"; - sha256 = "0bbcrn9nz75daic8bq7rspvcw3ck7l82vqcvkyyg4mhwbxjn5pny"; + sha256 = "0hzdqigdx4i6jbpxbdyq4zy4p4waqn8l6vvz7685ikh1v0wr4qzy"; }; configureFlags = [ "CONFIG_MAN=y" "DB2MAN=docbook2man" + "--with-xtables" ]; XML_CATALOG_FILES = "${docbook_xml_dtd_45}/xml/dtd/docbook/catalog.xml"; - buildInputs = [ pkgconfig docbook2x flex bison libmnl libnftnl gmp readline ]; + nativeBuildInputs = [ pkgconfig docbook2x flex bison ]; + buildInputs = [ libmnl libnftnl gmp readline iptables ]; meta = with stdenv.lib; { description = "The project that aims to replace the existing {ip,ip6,arp,eb}tables framework"; From 152f1131c447a95473294350f7dd11c7b5e4dd1d Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 02:28:28 +0100 Subject: [PATCH 14/19] liboping: 1.8.0 -> 1.9.0 --- pkgs/development/libraries/liboping/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/liboping/default.nix b/pkgs/development/libraries/liboping/default.nix index 83903002c97..435f593b597 100644 --- a/pkgs/development/libraries/liboping/default.nix +++ b/pkgs/development/libraries/liboping/default.nix 
@@ -1,11 +1,11 @@ { stdenv, fetchurl, ncurses ? null, perl ? null }: stdenv.mkDerivation rec { - name = "liboping-1.8.0"; + name = "liboping-1.9.0"; src = fetchurl { url = "http://verplant.org/liboping/files/${name}.tar.bz2"; - sha256 = "1nsvlsvapc64h0anip2hz5ydbgk3an94xqiaa9kivcw1r6193jqx"; + sha256 = "0c1mdx9ixqypayhm617jjv9kr6y60nh3mnryafjzv23bnn41vfs4"; }; buildInputs = [ ncurses perl ]; From a50ff980be5171db9382938e88ad178e482f5a30 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 10:31:26 +0100 Subject: [PATCH 15/19] libvirt: 2.5.0 -> 3.0.0 --- pkgs/development/libraries/libvirt/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libvirt/default.nix b/pkgs/development/libraries/libvirt/default.nix index 658a2e37883..5fcdd153c99 100644 --- a/pkgs/development/libraries/libvirt/default.nix +++ b/pkgs/development/libraries/libvirt/default.nix @@ -9,11 +9,11 @@ # if you update, also bump pythonPackages.libvirt or it will break stdenv.mkDerivation rec { name = "libvirt-${version}"; - version = "2.5.0"; + version = "3.0.0"; src = fetchurl { url = "http://libvirt.org/sources/${name}.tar.xz"; - sha256 = "07nbh6zhaxx5i1s1acnppf8rzkzb2ppgv35jw7grbbnnpzpzz7c1"; + sha256 = "0php6wxjcilpir0miwg06yd2ha25zi9fv2apvvgv5c8k1svjd7cx"; }; patches = [ ./build-on-bsd.patch ]; From 4d8dbb63d7c8015fdeb48fbec2c5db47202f0903 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 10:31:46 +0100 Subject: [PATCH 16/19] pythonPackages.libvirt: 2.5.0 -> 3.0.0 --- pkgs/top-level/python-packages.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 03977936121..ffb1aefdd33 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix 
@@ -28779,13 +28779,13 @@ EOF }; libvirt = let - version = "2.5.0"; + version = "3.0.0"; in assert version == pkgs.libvirt.version; pkgs.stdenv.mkDerivation rec { name = "libvirt-python-${version}"; src = pkgs.fetchurl { url = "http://libvirt.org/sources/python/${name}.tar.gz"; - sha256 = "1lanyrk4invs5j4jrd7yvy7g8kilihjbcrgs5arx8k3bs9x7izgl"; + sha256 = "1ha4bqf029si1lla1z7ca786w571fh3wfs4h7zaglfk4gb2w39wl"; }; buildInputs = with self; [ python pkgs.pkgconfig pkgs.libvirt lxml ]; From 268e57bcc57bea218789d72d05a1d724bdc77686 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 10:32:05 +0100 Subject: [PATCH 17/19] libvirt-glib: 0.2.3 -> 1.0.0 --- pkgs/development/libraries/libvirt-glib/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libvirt-glib/default.nix b/pkgs/development/libraries/libvirt-glib/default.nix index 6bd0ec52f27..0018e38a9f9 100644 --- a/pkgs/development/libraries/libvirt-glib/default.nix +++ b/pkgs/development/libraries/libvirt-glib/default.nix @@ -6,11 +6,11 @@ let inherit (pythonPackages) python pygobject2; in stdenv.mkDerivation rec { - name = "libvirt-glib-0.2.3"; + name = "libvirt-glib-1.0.0"; src = fetchurl { url = "http://libvirt.org/sources/glib/${name}.tar.gz"; - sha256 = "1pahj8qa7k2307sd57rwqwq1hijya02v0sxk91hl3cw48niimcf3"; + sha256 = "0iwa5sdbii52pjpdm5j37f67sdmf0kpcky4liwhy1nf43k85i4fa"; }; buildInputs = [ From dabedc40a9925b05426c34a2900aee343dc5a8cb Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 22 Jan 2017 14:09:50 +0100 Subject: [PATCH 18/19] ngrep: fix build due to new libpcap, use debian patches --- pkgs/tools/networking/ngrep/default.nix | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/networking/ngrep/default.nix b/pkgs/tools/networking/ngrep/default.nix index 3c0b0d9278a..dcc0e8596e9 100644 --- a/pkgs/tools/networking/ngrep/default.nix +++ b/pkgs/tools/networking/ngrep/default.nix 
@@ -1,4 +1,4 @@ -{ stdenv, fetchurl, libpcap, gnumake3 }: +{ stdenv, fetchurl, fetchpatch, libpcap, gnumake3, pcre }: stdenv.mkDerivation rec { name = "ngrep-1.45"; @@ -8,13 +8,32 @@ stdenv.mkDerivation rec { sha256 = "19rg8339z5wscw877mz0422wbsadds3mnfsvqx3ihy58glrxv9mf"; }; - buildInputs = [ gnumake3 libpcap ]; + patches = [ + (fetchpatch { + url = "https://anonscm.debian.org/cgit/users/rfrancoise/ngrep.git/plain/debian/patches/10_debian-build.diff?h=debian/1.45.ds2-14"; + sha256 = "1p359k54xjbh6r0d0lv1l679n250wxk6j8yyz23gn54kwdc29zfy"; + }) + (fetchpatch { + url = "https://anonscm.debian.org/cgit/users/rfrancoise/ngrep.git/plain/debian/patches/10_man-fixes.diff?h=debian/1.45.ds2-14"; + sha256 = "1b66zfbsrsvg60j988i6ga9iif1c34fsbq3dp1gi993xy4va8m5k"; + }) + (fetchpatch { + url = "https://anonscm.debian.org/cgit/users/rfrancoise/ngrep.git/plain/debian/patches/20_setlocale.diff?h=debian/1.45.ds2-14"; + sha256 = "16xbmnmvw5sjidz2qhay68k3xad05g74nrccflavxbi0jba52fdq"; + }) + (fetchpatch { + url = "https://anonscm.debian.org/cgit/users/rfrancoise/ngrep.git/plain/debian/patches/40_ipv6-offsets.diff?h=debian/1.45.ds2-14"; + sha256 = "0fjlk1sav5nnjapvsa8mvdwjkhgm3kgc6dw7r9h1qx6d3b8cgl76"; + }) + ]; + + buildInputs = [ gnumake3 libpcap pcre ]; preConfigure = '' # Fix broken test for BPF header file sed -i "s|BPF=.*|BPF=${libpcap}/include/pcap/bpf.h|" configure - configureFlags="$configureFlags --with-pcap-includes=${libpcap}/include" + configureFlags="$configureFlags --enable-ipv6 --enable-pcre --disable-pcap-restart --with-pcap-includes=${libpcap}/include" ''; meta = with stdenv.lib; { From df67f58fbfde8bfe5f1e6659c18b0953558cd534 Mon Sep 17 00:00:00 2001 
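Review bot: The four `fetchpatch` calls in the second hunk carry no `name`, and every URL ends in the same `?h=debian/1.45.ds2-14` query, so the store names are presumably derived from that suffix and come out identical and uninformative. Add one per patch, e.g. `name = "10_debian-build.diff";`, as the fetchpatch entry removed from util-linux in this series did. The `sha256` values are what keep the content fixed if the `h=` ref moves on the Debian side; pointing the URLs at a commit id instead of a ref name would also keep the fetch reproducible. The new `--enable-ipv6 --enable-pcre --disable-pcap-restart` flags deserve a one-line comment saying which of them is the libpcap build fix named in the subject, since ngrep parses untrusted traffic and the enabled feature set is part of its attack surface.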
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 22 Jan 2017 22:55:39 +0100 Subject: [PATCH 19/19] gtk3: move gtk-update-icon-cache to the main output This is basically what aa0fa193734a was for gtk2 and Xfce. Fixes #20874, though I haven't tested it directly. --- pkgs/desktops/gnome-3/3.22/default.nix | 2 +- pkgs/development/libraries/gtk+/3.x.nix | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/desktops/gnome-3/3.22/default.nix b/pkgs/desktops/gnome-3/3.22/default.nix index 3b76ac80fdb..b5e19e5a1b5 100644 --- a/pkgs/desktops/gnome-3/3.22/default.nix +++ b/pkgs/desktops/gnome-3/3.22/default.nix @@ -20,7 +20,7 @@ let pkgs.desktop_file_utils pkgs.ibus pkgs.shared_mime_info # for update-mime-database glib # for gsettings - gtk3 # for gtk-update-icon-cache + gtk3.out # for gtk-update-icon-cache glib_networking gvfs dconf gnome-backgrounds gnome_control_center gnome-menus gnome_settings_daemon gnome_shell gnome_themes_standard defaultIconTheme gnome-shell-extensions diff --git a/pkgs/development/libraries/gtk+/3.x.nix b/pkgs/development/libraries/gtk+/3.x.nix index 64f5a1e3bdd..45c21df4696 100644 --- a/pkgs/development/libraries/gtk+/3.x.nix +++ b/pkgs/development/libraries/gtk+/3.x.nix @@ -63,6 +63,8 @@ stdenv.mkDerivation rec { postInstall = optionalString (!stdenv.isDarwin) '' substituteInPlace "$out/lib/gtk-3.0/3.0.0/printbackends/libprintbackend-cups.la" \ --replace '-L${gmp.dev}/lib' '-L${gmp.out}/lib' + # The updater is needed for nixos env and it's tiny. + moveToOutput bin/gtk-update-icon-cache "$out" ''; meta = with stdenv.lib; {