From 5ca180fa084e45665ecb0ec8d74461a0a8e43f29 Mon Sep 17 00:00:00 2001
From: Graham Christensen <graham@grahamc.com>
Date: Wed, 28 Dec 2016 19:02:49 -0500
Subject: [PATCH 1/5] apacheHttpd: 2.4.23 -> 2.4.25 for CVE-2016-8743,
 CVE-2016-2161, CVE-2016-0736

---
 pkgs/servers/http/apache-httpd/2.4.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/servers/http/apache-httpd/2.4.nix b/pkgs/servers/http/apache-httpd/2.4.nix
index 5e87164c1b1..e9c1ec8b724 100644
--- a/pkgs/servers/http/apache-httpd/2.4.nix
+++ b/pkgs/servers/http/apache-httpd/2.4.nix
@@ -16,12 +16,12 @@ assert ldapSupport -> aprutil.ldapSupport && openldap != null;
 assert http2Support -> nghttp2 != null;
 
 stdenv.mkDerivation rec {
-  version = "2.4.23";
+  version = "2.4.25";
   name = "apache-httpd-${version}";
 
   src = fetchurl {
     url = "mirror://apache/httpd/httpd-${version}.tar.bz2";
-    sha256 = "0n2yx3gjlpr4kgqx845fj6amnmg25r2l6a7rzab5hxnpmar985hc";
+    sha256 = "1cl0bkqg6srb1sypga0cn8dcmdyxldavij73zmmkxvlz3kgw4zpq";
   };
 
   # FIXME: -dev depends on -doc

From a5dd31120873ece433de07683fc48646568f877e Mon Sep 17 00:00:00 2001
From: Antoine Eiche <lewo@abesis.fr>
Date: Wed, 28 Dec 2016 23:36:49 +0100
Subject: [PATCH 2/5] qemu: fix CVE-2016-9911

---
 pkgs/applications/virtualization/qemu/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index a99b37f0d17..21a859a7181 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -137,6 +137,12 @@ stdenv.mkDerivation rec {
 
     # from http://git.qemu.org/?p=qemu.git;a=patch;h=ff55e94d23ae94c8628b0115320157c763eb3e06
     ./CVE-2016-9102.patch
+
+    (fetchpatch {
+      name = "qemu-CVE-2016-9911.patch";
+      url = "http://git.qemu.org/?p=qemu.git;a=patch;h=791f97758e223de3290592d169f8e6339c281714";
+      sha256 = "0952mpc81h42k5kqsw42prnw5vw86r3j88wk5z4sr1xd1sg428d6";
+    })
   ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;
   hardeningDisable = [ "stackprotector" ];
 

From bc63738c6f5fa0e8da611a1035cea251f99c13fc Mon Sep 17 00:00:00 2001
From: Antoine Eiche <lewo@abesis.fr>
Date: Thu, 29 Dec 2016 00:47:38 +0100
Subject: [PATCH 3/5] qemu: fix CVE-2016-9921 and CVE-2016-9922

---
 pkgs/applications/virtualization/qemu/default.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index 21a859a7181..eb167210126 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -143,6 +143,11 @@ stdenv.mkDerivation rec {
       url = "http://git.qemu.org/?p=qemu.git;a=patch;h=791f97758e223de3290592d169f8e6339c281714";
       sha256 = "0952mpc81h42k5kqsw42prnw5vw86r3j88wk5z4sr1xd1sg428d6";
     })
+    (fetchpatch {
+      name = "qemu-CVE-2016-9921_9922.patch";
+      url = "http://git.qemu.org/?p=qemu.git;a=commit;h=4299b90e9ba9ce5ca9024572804ba751aa1a7e70";
+      sha256 = "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73";
+    })
   ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;
   hardeningDisable = [ "stackprotector" ];
 

From d6254e0bbd87f025cd13f684664a642021a531e4 Mon Sep 17 00:00:00 2001
From: Dhananjay Balan <dhananjay@cliqz.com>
Date: Wed, 28 Dec 2016 16:41:29 +0100
Subject: [PATCH 4/5] shellinabox: 2.19 -> 2.20

should fix shellinabox vulnarabilities from https://github.com/NixOS/nixpkgs/issues/21457
---
 pkgs/servers/shellinabox/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/servers/shellinabox/default.nix b/pkgs/servers/shellinabox/default.nix
index c9f4e2d253f..cad349c4b51 100644
--- a/pkgs/servers/shellinabox/default.nix
+++ b/pkgs/servers/shellinabox/default.nix
@@ -1,14 +1,14 @@
 { stdenv, fetchFromGitHub, autoreconfHook, pam, openssl, openssh, shadow, makeWrapper }:
 
 stdenv.mkDerivation rec {
-  version = "2.19";
+  version = "2.20";
   name = "shellinabox-${version}";
 
   src = fetchFromGitHub {
     owner = "shellinabox";
     repo = "shellinabox";
-    rev = "1a8010f2c94a62e7398c4fa130dfe9e099dc55cd";
-    sha256 = "16cr7gbnh6vzsxlhg9j9avqrxbhbkqhsbvh197b0ccdwbb04ysan";
+    rev = "v${version}";
+    sha256 = "1hmfayh21cks2lyj572944ll0mmgsxbnj981b3hq3nhdg8ywzjfr";
   };
 
   patches = [ ./shellinabox-minus.patch ];

From 8f4098f0873c3ee4368fddb56d88fb95d39b5b14 Mon Sep 17 00:00:00 2001
From: Graham Christensen <graham@grahamc.com>
Date: Wed, 28 Dec 2016 20:56:47 -0500
Subject: [PATCH 5/5] cryptopp: 5.6.4 -> 5.6.5

for CVE-2016-7420: CVE-2016-7420
---
 pkgs/development/libraries/crypto++/default.nix | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/pkgs/development/libraries/crypto++/default.nix b/pkgs/development/libraries/crypto++/default.nix
index d1476df2b60..c1bf789c59b 100644
--- a/pkgs/development/libraries/crypto++/default.nix
+++ b/pkgs/development/libraries/crypto++/default.nix
@@ -1,22 +1,21 @@
-{ fetchurl, stdenv, unzip }:
+{ fetchurl, fetchFromGitHub, stdenv }:
 
 stdenv.mkDerivation rec {
   name = "crypto++-${version}";
   majorVersion = "5.6";
-  version = "${majorVersion}.4";
+  version = "${majorVersion}.5";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/cryptopp/cryptopp564.zip";
-    sha256 = "1msar24a38rxzq0xgmjf09hzaw2lv6s48vnbbhfrf5awn1vh6hxy";
+  src = fetchFromGitHub {
+    owner = "weidai11";
+    repo = "cryptopp";
+    rev = "CRYPTOPP_5_6_5";
+    sha256 = "1yk7jyf4va9425cg05llskpls2jm7n3jwy2hj5jm74zkr4mwpvl7";
   };
 
   patches = with stdenv;
     lib.optional (system != "i686-cygwin") ./dll.patch
     ++ lib.optional isDarwin ./GNUmakefile-darwin.patch;
 
-  buildInputs = [ unzip ];
-
-  sourceRoot = ".";
 
   configurePhase = let
     marchflags =