diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index a99b37f0d17..eb167210126 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -137,6 +137,17 @@ stdenv.mkDerivation rec {
 
     # from http://git.qemu.org/?p=qemu.git;a=patch;h=ff55e94d23ae94c8628b0115320157c763eb3e06
     ./CVE-2016-9102.patch
+
+    (fetchpatch {
+      name = "qemu-CVE-2016-9911.patch";
+      url = "http://git.qemu.org/?p=qemu.git;a=patch;h=791f97758e223de3290592d169f8e6339c281714";
+      sha256 = "0952mpc81h42k5kqsw42prnw5vw86r3j88wk5z4sr1xd1sg428d6";
+    })
+    (fetchpatch {
+      name = "qemu-CVE-2016-9921_9922.patch";
+      url = "http://git.qemu.org/?p=qemu.git;a=commit;h=4299b90e9ba9ce5ca9024572804ba751aa1a7e70";
+      sha256 = "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73";
+    })
   ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;
   hardeningDisable = [ "stackprotector" ];
 
diff --git a/pkgs/development/libraries/crypto++/default.nix b/pkgs/development/libraries/crypto++/default.nix
index d1476df2b60..c1bf789c59b 100644
--- a/pkgs/development/libraries/crypto++/default.nix
+++ b/pkgs/development/libraries/crypto++/default.nix
@@ -1,22 +1,21 @@
-{ fetchurl, stdenv, unzip }:
+{ fetchurl, fetchFromGitHub, stdenv }:
 
 stdenv.mkDerivation rec {
   name = "crypto++-${version}";
   majorVersion = "5.6";
-  version = "${majorVersion}.4";
+  version = "${majorVersion}.5";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/cryptopp/cryptopp564.zip";
-    sha256 = "1msar24a38rxzq0xgmjf09hzaw2lv6s48vnbbhfrf5awn1vh6hxy";
+  src = fetchFromGitHub {
+    owner = "weidai11";
+    repo = "cryptopp";
+    rev = "CRYPTOPP_5_6_5";
+    sha256 = "1yk7jyf4va9425cg05llskpls2jm7n3jwy2hj5jm74zkr4mwpvl7";
   };
 
   patches = with stdenv;
     lib.optional (system != "i686-cygwin") ./dll.patch
     ++ lib.optional isDarwin ./GNUmakefile-darwin.patch;
 
-  buildInputs = [ unzip ];
-
-  sourceRoot = ".";
 
   configurePhase = let
     marchflags =
diff --git a/pkgs/servers/http/apache-httpd/2.4.nix b/pkgs/servers/http/apache-httpd/2.4.nix
index 5e87164c1b1..e9c1ec8b724 100644
--- a/pkgs/servers/http/apache-httpd/2.4.nix
+++ b/pkgs/servers/http/apache-httpd/2.4.nix
@@ -16,12 +16,12 @@ assert ldapSupport -> aprutil.ldapSupport && openldap != null;
 assert http2Support -> nghttp2 != null;
 
 stdenv.mkDerivation rec {
-  version = "2.4.23";
+  version = "2.4.25";
   name = "apache-httpd-${version}";
 
   src = fetchurl {
     url = "mirror://apache/httpd/httpd-${version}.tar.bz2";
-    sha256 = "0n2yx3gjlpr4kgqx845fj6amnmg25r2l6a7rzab5hxnpmar985hc";
+    sha256 = "1cl0bkqg6srb1sypga0cn8dcmdyxldavij73zmmkxvlz3kgw4zpq";
   };
 
   # FIXME: -dev depends on -doc
diff --git a/pkgs/servers/shellinabox/default.nix b/pkgs/servers/shellinabox/default.nix
index c9f4e2d253f..cad349c4b51 100644
--- a/pkgs/servers/shellinabox/default.nix
+++ b/pkgs/servers/shellinabox/default.nix
@@ -1,14 +1,14 @@
 { stdenv, fetchFromGitHub, autoreconfHook, pam, openssl, openssh, shadow, makeWrapper }:
 
 stdenv.mkDerivation rec {
-  version = "2.19";
+  version = "2.20";
   name = "shellinabox-${version}";
 
   src = fetchFromGitHub {
     owner = "shellinabox";
     repo = "shellinabox";
-    rev = "1a8010f2c94a62e7398c4fa130dfe9e099dc55cd";
-    sha256 = "16cr7gbnh6vzsxlhg9j9avqrxbhbkqhsbvh197b0ccdwbb04ysan";
+    rev = "v${version}";
+    sha256 = "1hmfayh21cks2lyj572944ll0mmgsxbnj981b3hq3nhdg8ywzjfr";
   };
 
   patches = [ ./shellinabox-minus.patch ];