Motivation for this change

https://nvd.nist.gov/vuln/detail/CVE-2020-11080

I clearly haven't tried a full rebuild, but I've rebuilt some key packages with this on linux & macos 10.14.

Justification for including patch in-tree:

fetchpatch has a cyclical dependency with nghttp2 via curl, so it won't work without some heavy hackery.

Why not just use fetchurl then?

The patches in full modify Makefile.am and CMakeLists.txt, which triggers the build process to want to re-run automake. automake itself has cyclical dependencies via curl, so we can't provide it here. These sections are non-vital as they're only used to build api documentation.

Why not use fetchpatch to strip out the unwanted hunks?

fetchpatch has a cyclical dependency with nghttp2 via curl, so it won't work without some heavy hackery.

Jokes about recursion aren't funny. Are there any mitigating circumstances?

This is only for a dead-end stable branch and adding this doesn't mean we're going to be carrying this patch around forever.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.