(cherry picked from commit 8eefb7c)

Add missing type information to manually specified enable options or replace them by mkEnableOption where appropriate.

Fixes: CVE-2020-1967

Segmentation fault in SSL_check_chain (CVE-2020-1967)
=====================================================

Severity: High

Server or client applications that call the SSL_check_chain() function during or
after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack.

OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue.  This
issue did not affect OpenSSL versions prior to 1.1.1d.

Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g

This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April
2020. It was found using the new static analysis pass being implemented in GCC,
- -fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin
Kaduk.

(cherry picked from commit bb4f468)

[20.03] openssl: 1.1.1f → 1.1.1g

backports the fix for vincenthz/hs-asn1#35

(cherry picked from commit cb0e38127c7a66c292e60d7e8c1ab4eeb26c44a4)

haskellPackages.asn1-types: backport 0.3.3 -> 0.3.4

This came in handy when I wanted to bump a patch version while avoiding
a new minor version.

(cherry picked from commit 4848eef)

The syntax is ${parameter:-word} (i.e. previously this used
"latestTag" instead of the actual value).
(Fixes a regression from #85278.)

Also: Even though getting the latest tag isn't really security critical
(as long as Git itself is secure against untrusted input), I'd prefer to
switch from the Git to the HTTPS protocol (for authentication of the
server and encryption + uses a standard port).

(cherry picked from commit 6660421)

See: https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.17.5.txt

(cherry picked from commit 43790ee)

[20.03] git: 2.25.3 -> 2.25.4 (security, CVE-2020-11008)

(cherry picked from commit e074301)

(cherry picked from commit 18c2b5a)

(cherry picked from commit 1e23dcb)

original commit bumped version
linux: 5.5.18 -> 5.5.19

While upgrading my Jabber server to 20.03 I noticed that the package was
marked broken but builds just fine.

[20.03] linux: version bumps

Change linux_latest to 5.6

(cherry picked from commit 7f56fdd)

As per stable release policy, all LTS + latest stable kernel are available

(cherry picked from commit 4fbd9e3)

(cherry picked from commit 7bd91fe)

(cherry picked from commit f6e64fe)

(cherry picked from commit 4307923)

(cherry picked from commit c9cf25b)

haskellPackages.hakyll: relax upper bound on warp

* add elementary theme
The program forces this theme to be used
* update description

(cherry picked from commit 19c3bbf)

(cherry picked from commit 6cecb19)

(cherry picked from commit 834a49e)

5.5 was removed in NixOS/nixpkgs@aa7c5b0,
but this attribute was missed, leading to an evaluation failure for the
nixos-20.03-small channel.

vncserver of tigervnc doesn't start because xauth is missing from $PATH

[20.03] linux: really remove 5.5

Build security updates on release branch so *-small channel is updated as soon as possible.

1d61efb accidentially changed the
restartTriggers of systemd-networkd.service` to point to the attribute
name (in this case, a location relative to `/etc`), instead of the
location of the network-related unit files in the nix store.

This caused systemd-networkd to not get restarted on activation of new
networking config, if the file name hasn't changed.

Fix this, by pointing this back to the location in the nix store.

(cherry picked from commit 14395cc)

Fixes #85800

1d61efb accidentially changed the
restartTriggers of `datadog-agent.service` to point to the attribute
name (in this case, a location relative to `/etc`), instead of the
location of the config files in the nix store.

This caused datadog to not get restarted on activation of new
config, if the file name hasn't changed.

Fix this, by pointing this back to the location in the nix store.

(cherry picked from commit f332109)

redmine: 4.1.0 -> 4.1.1 [20.03 backport]