NixOS · Apr 22, 2020 · Apr 22, 2020 · Apr 22, 2020 · Apr 22, 2020 · Apr 22, 2020
diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix
@@ -182,7 +182,7 @@ let
         ${optionalString (cfg.smtp.passwordFile != null) ''password: "@smtpPassword@",''}
         domain: "${cfg.smtp.domain}",
         ${optionalString (cfg.smtp.authentication != null) "authentication: :${cfg.smtp.authentication},"}
-        enable_starttls_auto: ${toString cfg.smtp.enableStartTLSAuto},
+        enable_starttls_auto: ${boolToString cfg.smtp.enableStartTLSAuto},
         ca_file: "/etc/ssl/certs/ca-certificates.crt",
         openssl_verify_mode: '${cfg.smtp.opensslVerifyMode}'
       }

diff --git a/pkgs/applications/audio/dfasma/default.nix b/pkgs/applications/audio/dfasma/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, fftw, libsndfile, qtbase, qtmultimedia, qmake }:
+{ mkDerivation, stdenv, fetchFromGitHub, fftw, libsndfile, qtbase, qtmultimedia, qmake }:
 
 let
 
@@ -26,7 +26,7 @@ let
     };
   };
 
-in stdenv.mkDerivation rec {
+in mkDerivation rec {
   pname = "dfasma";
   version = "1.4.5";
 

diff --git a/pkgs/applications/audio/iannix/default.nix b/pkgs/applications/audio/iannix/default.nix
@@ -1,7 +1,7 @@
-{ stdenv, fetchFromGitHub, alsaLib, pkgconfig, qtbase, qtscript, qmake
+{ mkDerivation, stdenv, fetchFromGitHub, alsaLib, pkgconfig, qtbase, qtscript, qmake
 }:
 
-stdenv.mkDerivation {
+mkDerivation {
   pname = "iannix";
   version = "2016-01-31";
   src = fetchFromGitHub {

diff --git a/pkgs/applications/audio/traverso/default.nix b/pkgs/applications/audio/traverso/default.nix
@@ -1,8 +1,8 @@
-{ stdenv, fetchurl, cmake, pkgconfig
+{ mkDerivation, stdenv, fetchurl, cmake, pkgconfig
 , alsaLib, fftw, flac, lame, libjack2, libmad, libpulseaudio
 , libsamplerate, libsndfile, libvorbis, portaudio, qtbase, wavpack
 }:
-stdenv.mkDerivation {
+mkDerivation {
   pname = "traverso";
   version = "0.49.6";
 

diff --git a/pkgs/applications/editors/mindforger/default.nix b/pkgs/applications/editors/mindforger/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchurl, qmake, qtbase, qtwebkit }:
+{ mkDerivation, stdenv, fetchurl, qmake, qtbase, qtwebkit }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "mindforger";
   version = "1.48.2";
 

diff --git a/pkgs/applications/editors/okteta/default.nix b/pkgs/applications/editors/okteta/default.nix
@@ -1,8 +1,8 @@
-{ stdenv, fetchurl, extra-cmake-modules, kdoctools, qtscript, kconfig
+{ mkDerivation, stdenv, fetchurl, extra-cmake-modules, kdoctools, qtscript, kconfig
 , kinit, karchive, kcrash, kcmutils, kconfigwidgets, knewstuff, kparts
 , qca-qt5, shared-mime-info }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "okteta";
   version = "0.26.2";
 

diff --git a/pkgs/applications/graphics/awesomebump/default.nix b/pkgs/applications/graphics/awesomebump/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchgit, qtbase, qmake, makeWrapper, qtscript, flex, bison, qtdeclarative }:
+{ mkDerivation, lib, fetchgit, qtbase, qmake, qtscript, flex, bison, qtdeclarative }:
 
 
 let
@@ -11,7 +11,7 @@ let
     fetchSubmodules = true;
   };
 
-  qtnproperty = stdenv.mkDerivation {
+  qtnproperty = mkDerivation {
     name = "qtnproperty";
     inherit src;
     sourceRoot = "AwesomeBump/Sources/utils/QtnProperty";
@@ -22,20 +22,21 @@ let
       install -D bin-linux/QtnPEG $out/bin/QtnPEG
     '';
   };
-in stdenv.mkDerivation {
+in mkDerivation {
   pname = "awesomebump";
   inherit version;
 
   inherit src;
 
   buildInputs = [ qtbase qtscript qtdeclarative ];
 
-  nativeBuildInputs = [ qmake makeWrapper ];
+  nativeBuildInputs = [ qmake ];
 
   preBuild = ''
     ln -sf ${qtnproperty}/bin/QtnPEG Sources/utils/QtnProperty/bin-linux/QtnPEG
   '';
 
+  dontWrapQtApps = true;
   postInstall = ''
     d=$out/libexec/AwesomeBump
 
@@ -44,7 +45,7 @@ in stdenv.mkDerivation {
     cp -prd Bin/Configs Bin/Core $d/
 
     # AwesomeBump expects to find Core and Configs in its current directory.
-    makeWrapper $d/AwesomeBump $out/bin/AwesomeBump \
+    makeQtWrapper $d/AwesomeBump $out/bin/AwesomeBump \
         --run "cd $d"
   '';
 

diff --git a/pkgs/applications/graphics/phototonic/default.nix b/pkgs/applications/graphics/phototonic/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitHub, qtbase, qmake, exiv2 }:
+{ mkDerivation, stdenv, fetchFromGitHub, qtbase, qmake, exiv2 }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "phototonic";
   version = "2.1";
 

diff --git a/pkgs/applications/graphics/qcomicbook/default.nix b/pkgs/applications/graphics/qcomicbook/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitHub, pkgconfig, cmake, qtbase, qttools, qtx11extras, poppler }:
+{ mkDerivation, stdenv, fetchFromGitHub, pkgconfig, cmake, qtbase, qttools, qtx11extras, poppler }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "qcomicbook";
   version = "0.9.1";
 

diff --git a/pkgs/applications/misc/candle/default.nix b/pkgs/applications/misc/candle/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitHub, qtbase, qtserialport, qmake }:
+{ mkDerivation, stdenv, fetchFromGitHub, qtbase, qtserialport, qmake }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "candle";
   version = "1.1";
 

diff --git a/pkgs/applications/misc/openbrf/default.nix b/pkgs/applications/misc/openbrf/default.nix
@@ -1,7 +1,7 @@
-{ stdenv, fetchFromGitHub, qtbase, vcg, glew, qmake, libGLU_combined }:
+{ mkDerivation, stdenv, fetchFromGitHub, qtbase, vcg, glew, qmake, libGLU_combined }:
 
 
-stdenv.mkDerivation {
+mkDerivation {
   name = "openbrf-unstable-2016-01-09";
 
   src = fetchFromGitHub {

diff --git a/pkgs/applications/misc/qt-box-editor/default.nix b/pkgs/applications/misc/qt-box-editor/default.nix
@@ -1,4 +1,5 @@
-{ stdenv
+{ mkDerivation
+, stdenv
 , fetchFromGitHub
 , qtbase
 , qtsvg
@@ -7,7 +8,7 @@
 , tesseract
 }:
 
-stdenv.mkDerivation {
+mkDerivation {
   pname = "qt-box-editor";
   version = "unstable-2019-07-12";
 

diff --git a/pkgs/applications/misc/valentina/default.nix b/pkgs/applications/misc/valentina/default.nix
@@ -1,12 +1,12 @@
-{ stdenv, fetchhg
+{ mkDerivation, stdenv, fetchhg
 , qmake, qttools
 , qtbase, qtsvg, qtxmlpatterns
 , poppler_utils
 }:
 
 with stdenv.lib;
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "valentina";
   version = "0.6.1";
 

diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.nix b/pkgs/applications/networking/browsers/chromium/upstream-info.nix
@@ -1,18 +1,18 @@
 # This file is autogenerated from update.sh in the same directory.
 {
   beta = {
-    sha256 = "1s16wl101yabq0l7w0q50lxkr2gn090pcaj6l5sj6g5xvi9lhgbf";
-    sha256bin64 = "0k6fsqlpiwp9vds83hb3cg9xf74hqgbfdm3ijyad2rmwc5rqk0ax";
-    version = "83.0.4103.14";
+    sha256 = "1s3flhzp69g62285r9nwc5m9fa65ldx19inwdm4nq1m5bn63v6lj";
+    sha256bin64 = "0xbbj89xx98vvw1a4l4wj7hhwjasdmkxbbkgaad2cj4zqmbb8h52";
+    version = "83.0.4103.23";
   };
   dev = {
-    sha256 = "0djppzwzpfyyfjb1mhy5wws2379m3wpzyk2x3kw5nd0mdz35hbny";
-    sha256bin64 = "1wg55qhfvd5zvigjl6496za81mh9b2c5da53zy07bk8wj91ly8pf";
-    version = "84.0.4115.5";
+    sha256 = "1jgx55sb3azwb2rni89yxlz94j264iilwh0br29sngcailxamrbd";
+    sha256bin64 = "107yndkcdb78zxpswn9aja63n0q4q5q49183058z5jm4zlplkgad";
+    version = "84.0.4122.7";
   };
   stable = {
-    sha256 = "0ahqh3vmzbpai4xwn7qybgw9phc8ssjdvfc7384mxqk9swqgv7qg";
-    sha256bin64 = "0gpgim244594m35qwf625blwdqgjbp4qr846wq75a9a9zqwqs05w";
-    version = "81.0.4044.122";
+    sha256 = "1ls663s1f74p912x42qp3zcvm17kmjiv1ij6yy1c14gdhcpmjx7z";
+    sha256bin64 = "0nzds27x1j3298cq5xkgikjdddymbw88gcpnlm03492b6090257y";
+    version = "81.0.4044.129";
   };
 }
diff --git a/pkgs/applications/networking/browsers/firefox-bin/release_sources.nix b/pkgs/applications/networking/browsers/firefox-bin/release_sources.nix
diff --git a/pkgs/applications/networking/browsers/firefox/common.nix b/pkgs/applications/networking/browsers/firefox/common.nix
@@ -15,7 +15,7 @@
 , rust-cbindgen, nodejs, nasm, fetchpatch
 
 # backports of newer libraries for stable firefox >= 70
-, nss_3_51
+, nss_3_52
 , sqlite_3_31_1
 , nspr_4_25
 , rustc_1_41
@@ -124,7 +124,7 @@ let
   ]
   ++ patches;
 
-  nss_pkg = if lib.versionAtLeast ffversion "71" then nss_3_51 else nss;
+  nss_pkg = if lib.versionAtLeast ffversion "71" then nss_3_52 else nss;
   nspr_pkg = if lib.versionAtLeast ffversion "71" then nspr_4_25 else nspr;
   sqlite_pkg = if lib.versionAtLeast ffversion "70" then sqlite_3_31_1 else sqlite;
   rustc_pkg = if lib.versionAtLeast ffversion "73" then rustc_1_41 else rustc;

diff --git a/pkgs/applications/networking/browsers/firefox/no-buildconfig-ffx76.patch b/pkgs/applications/networking/browsers/firefox/no-buildconfig-ffx76.patch
@@ -0,0 +1,23 @@
+diff -ur firefox-65.0-orig/docshell/base/nsAboutRedirector.cpp firefox-65.0/docshell/base/nsAboutRedirector.cpp
+--- firefox-76.0.orig/docshell/base/nsAboutRedirector.cpp       2020-05-03 19:01:29.926544735 +0200
++++ firefox-76.0/docshell/base/nsAboutRedirector.cpp    2020-05-03 19:12:00.845035570 +0200
+@@ -62,8 +62,6 @@
+     {"about", "chrome://global/content/aboutAbout.html", 0},
+     {"addons", "chrome://mozapps/content/extensions/extensions.xhtml",
+      nsIAboutModule::ALLOW_SCRIPT},
+-    {"buildconfig", "chrome://global/content/buildconfig.html",
+-     nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT},
+     {"checkerboard", "chrome://global/content/aboutCheckerboard.html",
+      nsIAboutModule::URI_SAFE_FOR_UNTRUSTED_CONTENT |
+          nsIAboutModule::ALLOW_SCRIPT},
+diff -ur firefox-65.0-orig/toolkit/content/jar.mn firefox-65.0/toolkit/content/jar.mn
+--- firefox-65.0-orig/toolkit/content/jar.mn    2019-01-23 00:48:35.033372506 +0100
++++ firefox-65.0/toolkit/content/jar.mn 2019-01-23 00:50:45.126565924 +0100
+@@ -36,7 +36,6 @@
+    content/global/plugins.css
+    content/global/browser-child.js
+    content/global/browser-content.js
+-*   content/global/buildconfig.html
+    content/global/buildconfig.css
+    content/global/contentAreaUtils.js
+    content/global/datepicker.xhtml
diff --git a/pkgs/applications/networking/browsers/firefox/packages.nix b/pkgs/applications/networking/browsers/firefox/packages.nix
@@ -16,14 +16,14 @@ in
 rec {
   firefox = common rec {
     pname = "firefox";
-    ffversion = "75.0";
+    ffversion = "76.0";
     src = fetchurl {
       url = "mirror://mozilla/firefox/releases/${ffversion}/source/firefox-${ffversion}.source.tar.xz";
-      sha512 = "0m3ibm6dy9cpvsxkzkzwj7na5rm5qz7sm3bpx604ibay9pccvgv59jxapisvmswzmlz2nv02l6p2gxlz3b0lbcg7rd5zasia92y7j99";
+      sha512 = "3dq9h84w1qqidabbrl34jgyjr8bbmbf5wddjazpr7znfm49fn2xyg8fmm5lx9dakghk3wp8yhfi36gmk08fzlrm47v6h17dm9hkh0hz";
     };
 
     patches = [
-      ./no-buildconfig-ffx65.patch
+      ./no-buildconfig-ffx76.patch
     ];
 
     meta = {
@@ -99,10 +99,10 @@ rec {
 
   firefox-esr-68 = common rec {
     pname = "firefox-esr";
-    ffversion = "68.7.0esr";
+    ffversion = "68.8.0esr";
     src = fetchurl {
       url = "mirror://mozilla/firefox/releases/${ffversion}/source/firefox-${ffversion}.source.tar.xz";
-      sha512 = "29qbcc78hz1rsnz735a5miwfj0c3r1c5qm2043vyd9qz879vsh4ab82k7wncm3xa04kqdff26zh1rpbbjmdr7gwn4q8nmjzzs7wzpd3";
+      sha512 = "2rl5irkamxi8caa8krj0wng93lb82kk9mf09mgci87mj9hy6fxzcrlmiiffp14s03rv0raagrn4w54pbx1336mylq6saxmfhpf676hk";
     };
 
     patches = [

diff --git a/pkgs/applications/networking/instant-messengers/ricochet/default.nix b/pkgs/applications/networking/instant-messengers/ricochet/default.nix
@@ -1,9 +1,9 @@
-{ stdenv, fetchurl, pkgconfig, makeDesktopItem
+{ mkDerivation, stdenv, fetchurl, pkgconfig, makeDesktopItem
 , qtbase, qttools, qtmultimedia, qtquick1, qtquickcontrols
 , openssl, protobuf, qmake
 }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "ricochet";
   version = "1.1.4";
 

diff --git a/pkgs/applications/networking/instant-messengers/swift-im/default.nix b/pkgs/applications/networking/instant-messengers/swift-im/default.nix
@@ -1,9 +1,9 @@
-{ stdenv, fetchurl, pkgconfig, qttools, scons
+{ mkDerivation, stdenv, fetchurl, pkgconfig, qttools, scons
 , GConf, avahi, boost, hunspell, libXScrnSaver, libedit, libidn, libnatpmp, libxml2
 , lua, miniupnpc, openssl, qtbase, qtmultimedia, qtsvg, qtwebkit, qtx11extras, zlib
 }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "swift-im";
   version = "4.0.2";
 

diff --git a/pkgs/applications/networking/instant-messengers/tensor/default.nix b/pkgs/applications/networking/instant-messengers/tensor/default.nix
@@ -1,9 +1,9 @@
-{ stdenv, fetchgit, qtbase, qtquickcontrols, qmake, makeDesktopItem }:
+{ mkDerivation, stdenv, fetchgit, qtbase, qtquickcontrols, qmake, makeDesktopItem }:
 
 # we now have libqmatrixclient so a future version of tensor that supports it
 # should use that
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "tensor-git";
   version = "2017-02-21";
 

diff --git a/pkgs/applications/science/electronics/caneda/default.nix b/pkgs/applications/science/electronics/caneda/default.nix
@@ -1,6 +1,6 @@
-{stdenv, fetchFromGitHub, cmake, qtbase, qttools, qtsvg, qwt }:
+{ mkDerivation, stdenv, fetchFromGitHub, cmake, qtbase, qttools, qtsvg, qwt }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "caneda";
   version = "0.3.1";
 

diff --git a/pkgs/applications/version-management/gitlab/data.json b/pkgs/applications/version-management/gitlab/data.json
@@ -1,13 +1,13 @@
 {
-  "version": "12.8.8",
-  "repo_hash": "1y8flmssz8bp07v7x9gxazqn5889hvkxk0k6py773gdnna5fd5fb",
+  "version": "12.8.10",
+  "repo_hash": "1njkihj66d8fnk1l0r5pys38akf5srqlrgj2hzc68l5m8d51dk15",
   "owner": "gitlab-org",
   "repo": "gitlab",
-  "rev": "v12.8.8-ee",
+  "rev": "v12.8.10-ee",
   "passthru": {
-    "GITALY_SERVER_VERSION": "12.8.8",
+    "GITALY_SERVER_VERSION": "12.8.10",
     "GITLAB_PAGES_VERSION": "1.16.0",
     "GITLAB_SHELL_VERSION": "11.0.0",
-    "GITLAB_WORKHORSE_VERSION": "8.21.1"
+    "GITLAB_WORKHORSE_VERSION": "8.21.2"
   }
 }
diff --git a/pkgs/applications/version-management/gitlab/gitaly/Gemfile.lock b/pkgs/applications/version-management/gitlab/gitaly/Gemfile.lock
@@ -114,7 +114,7 @@ GEM
     minitest (5.14.0)
     msgpack (1.3.1)
     multipart-post (2.0.0)
-    nokogiri (1.10.7)
+    nokogiri (1.10.9)
       mini_portile2 (~> 2.4.0)
     nokogumbo (1.5.0)
       nokogiri
@@ -242,4 +242,4 @@ DEPENDENCIES
   webmock (~> 3.4.0)
 
 BUNDLED WITH
-   1.17.3
+   2.1.4
diff --git a/pkgs/applications/version-management/gitlab/gitaly/default.nix b/pkgs/applications/version-management/gitlab/gitaly/default.nix
@@ -19,14 +19,14 @@ let
       };
   };
 in buildGoPackage rec {
-  version = "12.8.8";
+  version = "12.8.10";
   pname = "gitaly";
 
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitaly";
     rev = "v${version}";
-    sha256 = "182jqglzbzq8jnlq6l634125jkvi67pfr1xck68n4k09gyzqllxv";
+    sha256 = "1vhnpyggh2ch93i75np11rjzvq8d6pwv2kzvwh7ak3fa02w9qdfs";
   };
 
   # Fix a check which assumes that hook files are writeable by their

diff --git a/pkgs/applications/version-management/gitlab/gitaly/gemset.nix b/pkgs/applications/version-management/gitlab/gitaly/gemset.nix
@@ -515,10 +515,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "0r0qpgf80h764k176yr63gqbs2z0xbsp8vlvs2a79d5r9vs83kln";
+      sha256 = "12j76d0bp608932xkzmfi638c7aqah57l437q8494znzbj610qnm";
       type = "gem";
     };
-    version = "1.10.7";
+    version = "1.10.9";
   };
   nokogumbo = {
     dependencies = ["nokogiri"];

diff --git a/pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix b/pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix
@@ -3,13 +3,13 @@
 buildGoPackage rec {
   pname = "gitlab-workhorse";
 
-  version = "8.21.1";
+  version = "8.21.2";
 
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitlab-workhorse";
     rev = "v${version}";
-    sha256 = "1d384xw7hfrph4i61z9z315sik7ja9hgrvmhljirwxrch1fyx3m4";
+    sha256 = "065yy8zfxahpybk3mbvc492by1lvssqcbqm8i4yp09m669rk239w";
   };
 
   goPackagePath = "gitlab.com/gitlab-org/gitlab-workhorse";

diff --git a/pkgs/applications/version-management/gitlab/rubyEnv/Gemfile b/pkgs/applications/version-management/gitlab/rubyEnv/Gemfile
@@ -163,7 +163,7 @@ gem 'diffy', '~> 3.1.0'
 gem 'diff_match_patch', '~> 0.1.0'
 
 # Application server
-gem 'rack', '~> 2.0.7'
+gem 'rack', '~> 2.0.9'
 
 group :unicorn do
   gem 'unicorn', '~> 5.4.1'

diff --git a/pkgs/applications/version-management/gitlab/rubyEnv/Gemfile.lock b/pkgs/applications/version-management/gitlab/rubyEnv/Gemfile.lock
@@ -173,7 +173,7 @@ GEM
     concord (0.1.5)
       adamantium (~> 0.2.0)
       equalizer (~> 0.0.9)
-    concurrent-ruby (1.1.5)
+    concurrent-ruby (1.1.6)
     connection_pool (2.2.2)
     contracts (0.11.0)
     cork (0.3.0)
@@ -783,7 +783,7 @@ GEM
     public_suffix (4.0.3)
     pyu-ruby-sasl (0.0.3.3)
     raabro (1.1.6)
-    rack (2.0.7)
+    rack (2.0.9)
     rack-accept (0.4.5)
       rack (>= 0.4)
     rack-attack (6.2.0)
@@ -854,17 +854,17 @@ GEM
       json
     recursive-open-struct (1.1.0)
     redis (4.1.3)
-    redis-actionpack (5.1.0)
-      actionpack (>= 4.0, < 7)
-      redis-rack (>= 1, < 3)
+    redis-actionpack (5.2.0)
+      actionpack (>= 5, < 7)
+      redis-rack (>= 2.1.0, < 3)
       redis-store (>= 1.1.0, < 2)
     redis-activesupport (5.2.0)
       activesupport (>= 3, < 7)
       redis-store (>= 1.3, < 2)
     redis-namespace (1.6.0)
       redis (>= 3.0.4)
-    redis-rack (2.0.6)
-      rack (>= 1.5, < 3)
+    redis-rack (2.1.2)
+      rack (>= 2.0.8, < 3)
       redis-store (>= 1.2, < 2)
     redis-rails (5.0.2)
       redis-actionpack (>= 5.0, < 6)
@@ -1325,7 +1325,7 @@ DEPENDENCIES
   prometheus-client-mmap (~> 0.10.0)
   pry-byebug (~> 3.5.1)
   pry-rails (~> 0.3.9)
-  rack (~> 2.0.7)
+  rack (~> 2.0.9)
   rack-attack (~> 6.2.0)
   rack-cors (~> 1.0.6)
   rack-oauth2 (~> 1.9.3)

diff --git a/pkgs/applications/version-management/gitlab/rubyEnv/gemset.nix b/pkgs/applications/version-management/gitlab/rubyEnv/gemset.nix
@@ -763,10 +763,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1x07r23s7836cpp5z9yrlbpljcxpax14yw4fy4bnp6crhr6x24an";
+      sha256 = "094387x4yasb797mv07cs3g6f08y56virc2rjcpb1k79rzaj3nhl";
       type = "gem";
     };
-    version = "1.1.5";
+    version = "1.1.6";
   };
   connection_pool = {
     groups = ["default"];
@@ -3501,10 +3501,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "0z90vflxbgjy2n84r7mbyax3i2vyvvrxxrf86ljzn5rw65jgnn2i";
+      sha256 = "1mxzk12xylrz6d4n9jj5jasfscbf1pbk4idrb0nlf327lx9rwfkk";
       type = "gem";
     };
-    version = "2.0.7";
+    version = "2.0.9";
   };
   rack-accept = {
     dependencies = ["rack"];
@@ -3803,10 +3803,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1hvai5ygkyii9wq8h98wim8shgrm7vkv0js62zpm85vdl1xzvphz";
+      sha256 = "0c2276zzc0044zh37a8frx1v7hnra7z7k126154ps7njbqngfdv3";
       type = "gem";
     };
-    version = "5.1.0";
+    version = "5.2.0";
   };
   redis-activesupport = {
     dependencies = ["activesupport" "redis-store"];
@@ -3836,10 +3836,10 @@
     platforms = [];
     source = {
       remotes = ["https://rubygems.org"];
-      sha256 = "1pa19ydbk0l6wilwbxcjn6knfs4ffgj0rhaaldrlhf76pjgkaiqb";
+      sha256 = "0ldw5sxyd80pv0gr89kvn6ziszlbs8lv1a573fkm6d0f11fps413";
       type = "gem";
     };
-    version = "2.0.6";
+    version = "2.1.2";
   };
   redis-rails = {
     dependencies = ["redis-actionpack" "redis-activesupport" "redis-store"];

diff --git a/pkgs/applications/version-management/gitlab/update.py b/pkgs/applications/version-management/gitlab/update.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#! nix-shell -i python3 -p bundix common-updater-scripts nix nix-prefetch-git python3 python3Packages.requests python3Packages.lxml python3Packages.click python3Packages.click-log vgo2nix yarn2nix-moretea.yarn2nix
+#! nix-shell -i python3 -p bundix bundler common-updater-scripts nix nix-prefetch-git python3 python3Packages.requests python3Packages.lxml python3Packages.click python3Packages.click-log vgo2nix yarn2nix-moretea.yarn2nix
 
 import click
 import click_log
@@ -100,7 +100,7 @@ def cli():
 
 
 @cli.command('update-data')
-@click.option('--rev', default='latest', help='The rev to use, \'latest\' points to the latest (stable) tag')
+@click.option('--rev', default='latest', help='The rev to use (vX.Y.Z-ee), or \'latest\'')
 def update_data(rev: str):
     """Update data.nix"""
     repo = GitLabRepo()
@@ -135,6 +135,7 @@ def update_rubyenv():
         with open(rubyenv_dir / fn, 'w') as f:
             f.write(repo.get_file(fn, rev))
 
+    subprocess.check_output(['bundle', 'lock'], cwd=rubyenv_dir)
     subprocess.check_output(['bundix'], cwd=rubyenv_dir)
 
 
@@ -174,6 +175,7 @@ def update_gitaly():
         with open(gitaly_dir / fn, 'w') as f:
             f.write(repo.get_file(fn, f"v{gitaly_server_version}"))
 
+    subprocess.check_output(['bundle', 'lock'], cwd=gitaly_dir)
     subprocess.check_output(['bundix'], cwd=gitaly_dir)
 
     os.environ['GOROOT'] = ""
@@ -227,10 +229,11 @@ def update_gitlab_workhorse():
         os.unlink(gitlab_workhorse_dir / fn)
 
 @cli.command('update-all')
+@click.option('--rev', default='latest', help='The rev to use (vX.Y.Z-ee), or \'latest\'')
 @click.pass_context
-def update_all(ctx):
+def update_all(ctx, rev: str):
     """Update all gitlab components to the latest stable release"""
-    ctx.invoke(update_data, rev='latest')
+    ctx.invoke(update_data, rev=rev)
     ctx.invoke(update_rubyenv)
     ctx.invoke(update_yarnpkgs)
     ctx.invoke(update_gitaly)

diff --git a/pkgs/applications/video/bomi/default.nix b/pkgs/applications/video/bomi/default.nix
@@ -1,7 +1,7 @@
-{ config, stdenv, fetchFromGitHub
+{ mkDerivation, config, stdenv, fetchFromGitHub
 , fetchpatch, pkgconfig, perl, python, which
 , libX11, libxcb, libGLU_combined
-, qtbase, qtdeclarative, qtquickcontrols, qttools, qtx11extras, qmake, makeWrapper
+, qtbase, qtdeclarative, qtquickcontrols, qttools, qtx11extras, qmake
 , libchardet
 , ffmpeg
 
@@ -29,7 +29,7 @@ assert pulseSupport -> libpulseaudio != null;
 assert cddaSupport -> libcdda != null;
 assert youtubeSupport -> youtube-dl != null;
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "bomi";
   version = "0.9.11";
 
@@ -90,8 +90,9 @@ stdenv.mkDerivation rec {
     patchShebangs build-mpv
   '';
 
+  dontWrapQtApps = true;
   postInstall = ''
-    wrapProgram $out/bin/bomi \
+    wrapQtApp $out/bin/bomi \
       ${optionalString youtubeSupport "--prefix PATH ':' '${youtube-dl}/bin'"}
   '';
 
@@ -105,7 +106,7 @@ stdenv.mkDerivation rec {
                    ++ optional cddaSupport "--enable-cdda"
                    ;
 
-  nativeBuildInputs = [ makeWrapper pkgconfig perl python which qttools qmake ];
+  nativeBuildInputs = [ pkgconfig perl python which qttools qmake ];
 
   meta = with stdenv.lib; {
     description = "Powerful and easy-to-use multimedia player";

diff --git a/pkgs/applications/video/qmediathekview/default.nix b/pkgs/applications/video/qmediathekview/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitHub, qtbase, qttools, xz, boost, qmake, pkgconfig }:
+{ mkDerivation, stdenv, fetchFromGitHub, qtbase, qttools, xz, boost, qmake, pkgconfig }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "QMediathekView";
   version = "2019-01-06";
 

diff --git a/pkgs/applications/video/qstopmotion/default.nix b/pkgs/applications/video/qstopmotion/default.nix
@@ -1,8 +1,8 @@
-{ stdenv, fetchurl, qt5, ffmpeg, guvcview, cmake, ninja, libxml2
+{ mkDerivation, stdenv, fetchurl, qt5, ffmpeg, guvcview, cmake, ninja, libxml2
 , gettext, pkgconfig, libgphoto2, gphoto2, v4l-utils, libv4l, pcre
 , qwt, extra-cmake-modules }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "qstopmotion";
   version = "2.4.1";
 

diff --git a/pkgs/applications/virtualization/aqemu/default.nix b/pkgs/applications/virtualization/aqemu/default.nix
@@ -1,7 +1,7 @@
-{ cmake, fetchFromGitHub, libvncserver, qemu, qtbase, stdenv
+{ mkDerivation, cmake, fetchFromGitHub, libvncserver, qemu, qtbase, stdenv
 }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "aqemu";
   version = "0.9.2";
 

diff --git a/pkgs/desktops/gnome-3/core/mutter/3.28.nix b/pkgs/desktops/gnome-3/core/mutter/3.28.nix
@@ -12,8 +12,8 @@ stdenv.mkDerivation rec {
     domain = "gitlab.gnome.org";
     owner = "GNOME";
     repo = pname;
-    rev = "74e3126b77eb5f27c0ae3f53b0aff2d2eebc15af"; # patches of tip from gnome-3-28 branch
-    sha256 = "0gw1n1w3i040w5mv30kkg7g8a59ymjlc5yaklip0ngg8xv76g0zi";
+    rev = "88e855bf0a5646fdd85a838bfb433451c42513d7"; # patches of tip from gnome-3-28 branch
+    sha256 = "19k99qkjhk3r8rwa1v6wl0frm1wd95iasqmrb9sadyri0mkwxvg4";
   };
 
   patches = [

diff --git a/pkgs/desktops/gnome-3/core/mutter/default.nix b/pkgs/desktops/gnome-3/core/mutter/default.nix
@@ -62,6 +62,17 @@ stdenv.mkDerivation rec {
       url = "https://gitlab.gnome.org/GNOME/mutter/commit/8307c0f7ab60760de53f764e6636893733543be8.diff";
       sha256 = "1hzfva71xdqvvnx5smjsrjlgyrmc7dj94mpylkak0gwda5si0h2n";
     })
+
+    # Fix backported for desktop freezing after ~50 days idle
+    # https://mail.gnome.org/archives/distributor-list/2020-April/msg00001.html
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/mutter/-/commit/002299fbef2fd99fb36e5b881ed7b4095ff481f6.patch";
+      sha256 = "0x3kk75rqmcsyzhmhxjnh8n8ng4zyrbmh0yzvc79zcphzmdckavb";
+    })
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/mutter/-/commit/c2e12b3434967e520dcda76bf1d562676e8961ff.patch";
+      sha256 = "0l3ckmskxmisbjdhpr30yc2hclyc4l2f0jsgzisnq5aiszy9q0i0";
+    })
   ];
 
   postPatch = ''

diff --git a/pkgs/development/libraries/nss/3_51.nix → pkgs/development/libraries/nss/3_52.nix b/pkgs/development/libraries/nss/3_51.nix → pkgs/development/libraries/nss/3_52.nix
@@ -5,7 +5,7 @@ let
     url = http://dev.gentoo.org/~polynomial-c/mozilla/nss-3.15.4-pem-support-20140109.patch.xz;
     sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw";
   };
-  version = "3.51";
+  version = "3.52";
   underscoreVersion = builtins.replaceStrings ["."] ["_"] version;
 
 in stdenv.mkDerivation rec {
@@ -14,7 +14,7 @@ in stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/${pname}-${version}.tar.gz";
-    sha256 = "1725d0idf5zzqafdqfdn9vprc7ys2ywhv23sqn328di968xqnd3m";
+    sha256 = "0q8m9jf6zgkbhx71myjb7y0gcl5ib3gj6qkl9yvdqpd6vl6fn2ha";
   };
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
@@ -27,8 +27,12 @@ in stdenv.mkDerivation rec {
   propagatedBuildInputs = [ nspr_4_25 ];
 
   prePatch = ''
-    # strip the trailing whitespace from the patch line…
-    xz -d < ${nssPEM} | sed -e '/^-DIRS = builtins $/ s/ $//' | patch -p1
+    # strip the trailing whitespace from the patch line and the renamed CKO_NETSCAPE_ enum to CKO_NSS_
+    xz -d < ${nssPEM} | sed \
+       -e '/^-DIRS = builtins $/ s/ $//' \
+       -e 's/CKO_NETSCAPE_/CKO_NSS_/g' \
+       -e 's/CKT_NETSCAPE_/CKT_NSS_/g' \
+       | patch -p1
   '';
 
   patches =

diff --git a/pkgs/development/libraries/openssl/1.1/cve-2020-1967-test.patch b/pkgs/development/libraries/openssl/1.1/cve-2020-1967-test.patch
@@ -0,0 +1,114 @@
+From: Benjamin Kaduk <kaduk@mit.edu>
+Date: Fri, 10 Apr 2020 12:27:28 -0700
+Subject: Add test for CVE-2020-1967
+
+Add to test_sslsigalgs a TLSProxy test that injects a
+"signature_algorithms_cert" extension that contains an unallocated
+codepoint.
+
+The test currently fails, since s_server segfaults instead of
+ignoring the unrecognized value.
+
+Since "signature_algorithms" and "signature_algorithms_cert" are very
+similar, also add the analogous test for "signature_algorithms".
+
+[bigeasy: + 2x "fixup! Add test for CVE-2020-1967"]
+---
+ test/recipes/70-test_sslsigalgs.t | 66 +++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 64 insertions(+), 2 deletions(-)
+
+diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
+index f805dcf221e8..9fadefdee62d 100644
+--- a/test/recipes/70-test_sslsigalgs.t
++++ b/test/recipes/70-test_sslsigalgs.t
+@@ -44,7 +44,9 @@ use constant {
+     COMPAT_SIGALGS => 6,
+     SIGALGS_CERT_ALL => 7,
+     SIGALGS_CERT_PKCS => 8,
+-    SIGALGS_CERT_INVALID => 9
++    SIGALGS_CERT_INVALID => 9,
++    UNRECOGNIZED_SIGALGS_CERT => 10,
++    UNRECOGNIZED_SIGALG => 11
+ };
+
+ #Note: Throughout this test we override the default ciphersuites where TLSv1.2
+@@ -53,7 +55,7 @@ use constant {
+
+ #Test 1: Default sig algs should succeed
+ $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
+-plan tests => 22;
++plan tests => 24;
+ ok(TLSProxy::Message->success, "Default sigalgs");
+ my $testtype;
+
+@@ -261,6 +263,39 @@ SKIP: {
+     ok(TLSProxy::Message->fail, "No matching certificate for sigalgs_cert");
+ }
+
++SKIP: {
++    skip "TLS 1.3 disabled", 2 if disabled("tls1_3");
++    #Test 23: Send an unrecognized signature_algorithms_cert
++    #        We should be able to skip over the unrecognized value and use a
++    #        valid one that appears later in the list.
++    $proxy->clear();
++    $proxy->filter(\&inject_unrecognized_sigalg);
++    $proxy->clientflags("-tls1_3");
++    # Use -xcert to get SSL_check_chain() to run in the cert_cb.  This is
++    # needed to trigger (e.g.) CVE-2020-1967
++    $proxy->serverflags("" .
++            " -xcert " . srctop_file("test", "certs", "servercert.pem") .
++            " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
++            " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
++    $testtype = UNRECOGNIZED_SIGALGS_CERT;
++    $proxy->start();
++    ok(TLSProxy::Message->success(), "Unrecognized sigalg_cert in ClientHello");
++
++    #Test 24: Send an unrecognized signature_algorithms
++    #        We should be able to skip over the unrecognized value and use a
++    #        valid one that appears later in the list.
++    $proxy->clear();
++    $proxy->filter(\&inject_unrecognized_sigalg);
++    $proxy->clientflags("-tls1_3");
++    $proxy->serverflags("" .
++            " -xcert " . srctop_file("test", "certs", "servercert.pem") .
++            " -xkey " . srctop_file("test", "certs", "serverkey.pem") .
++            " -xchain " . srctop_file("test", "certs", "rootcert.pem"));
++    $testtype = UNRECOGNIZED_SIGALG;
++    $proxy->start();
++    ok(TLSProxy::Message->success(), "Unrecognized sigalg in ClientHello");
++}
++
+
+
+ sub sigalgs_filter
+@@ -406,3 +441,30 @@ sub modify_cert_verify_sigalg
+         }
+     }
+ }
++
++sub inject_unrecognized_sigalg
++{
++    my $proxy = shift;
++    my $type;
++
++    # We're only interested in the initial ClientHello
++    if ($proxy->flight != 0) {
++        return;
++    }
++    if ($testtype == UNRECOGNIZED_SIGALGS_CERT) {
++        $type = TLSProxy::Message::EXT_SIG_ALGS_CERT;
++    } elsif ($testtype == UNRECOGNIZED_SIGALG) {
++        $type = TLSProxy::Message::EXT_SIG_ALGS;
++    } else {
++        return;
++    }
++
++    my $ext = pack "C8",
++        0x00, 0x06, #Extension length
++        0xfe, 0x18, #private use
++        0x04, 0x01, #rsa_pkcs1_sha256
++        0x08, 0x04; #rsa_pss_rsae_sha256;
++    my $message = ${$proxy->message_list}[0];
++    $message->set_extension($type, $ext);
++    $message->repack;
++}
diff --git a/pkgs/development/libraries/openssl/1.1/cve-2020-1967.patch b/pkgs/development/libraries/openssl/1.1/cve-2020-1967.patch
@@ -0,0 +1,42 @@
+From: Benjamin Kaduk <kaduk@mit.edu>
+Date: Fri, 10 Apr 2020 12:27:28 -0700
+Subject: Fix NULL dereference in SSL_check_chain() for TLS 1.3
+
+In the tls1_check_sig_alg() helper function, we loop through the list of
+"signature_algorithms_cert" values received from the client and attempt
+to look up each one in turn in our internal table that maps wire
+codepoint to string-form name, digest and/or signature NID, etc., in
+order to compare the signature scheme from the peer's list against what
+is used to sign the certificates in the certificate chain we're
+checking.  Unfortunately, when the peer sends a value that we don't
+support, the lookup returns NULL, but we unconditionally dereference the
+lookup result for the comparison, leading to an application crash
+triggerable by an unauthenticated client.
+
+Since we will not be able to say anything about algorithms we don't
+recognize, treat NULL return from lookup as "does not match".
+
+We currently only apply the "signature_algorithm_cert" checks on TLS 1.3
+connections, so previous TLS versions are unaffected.  SSL_check_chain()
+is not called directly from libssl, but may be used by the application
+inside a callback (e.g., client_hello or cert callback) to verify that a
+candidate certificate chain will be acceptable to the client.
+
+CVE-2020-1967
+---
+ ssl/t1_lib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index b482019c4c17..5287d10a2d0a 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -2099,7 +2099,7 @@ static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
+         sigalg = use_pc_sigalgs
+                  ? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
+                  : s->shared_sigalgs[i];
+-        if (sig_nid == sigalg->sigandhash)
++        if (sigalg != NULL && sig_nid == sigalg->sigandhash)
+             return 1;
+     }
+     return 0;
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
@@ -154,6 +154,10 @@ in {
 
       ./1.1/cve-2019-1551.patch
       ./1.1/cve-2019-1551-improve.patch
+
+      ./1.1/cve-2020-1967.patch
+      ./1.1/cve-2020-1967-test.patch
+
     ];
     withDocs = true;
   };

diff --git a/pkgs/development/tools/build-managers/ninja/default.nix b/pkgs/development/tools/build-managers/ninja/default.nix
@@ -21,10 +21,9 @@ stdenv.mkDerivation rec {
       sha256 = "0zsg46jflsh644jccrcgyfalr7fkzrv041kyi8644nyk923gcrl9";
     })
     # https://github.com/ninja-build/ninja/issues/1510 - fix w/musl, possibly BSDs?
-    # 
     (fetchpatch {
       name = "fix-issue-1510.patch";
-      url = https://github.com/makepost/ninja/commit/567815df38a2ff54ad7478a90bd75c91e434236a.patch;
+      url = "https://github.com/ninja-build/ninja/commit/567815df38a2ff54ad7478a90bd75c91e434236a.patch";
       sha256 = "0zd0xyi7h2066nw1dsk76c7yf71b0f7v4p5nljda7jxi01vpdh69";
     })
   ];

diff --git a/pkgs/games/enyo-doom/default.nix b/pkgs/games/enyo-doom/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitLab, cmake, qtbase }:
+{ mkDerivation, stdenv, fetchFromGitLab, cmake, qtbase }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "enyo-doom";
   version = "1.06.9";
 

diff --git a/pkgs/games/pro-office-calculator/default.nix b/pkgs/games/pro-office-calculator/default.nix
@@ -1,5 +1,5 @@
-{ stdenv, fetchFromGitHub, tinyxml-2, cmake, qtbase, qtmultimedia }:
-stdenv.mkDerivation rec {
+{ mkDerivation, stdenv, fetchFromGitHub, tinyxml-2, cmake, qtbase, qtmultimedia }:
+mkDerivation rec {
   version = "1.0.13";
   pname = "pro-office-calculator";
 

diff --git a/pkgs/misc/calaos/installer/default.nix b/pkgs/misc/calaos/installer/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitHub, qmake, qttools, qtbase }:
+{ mkDerivation, stdenv, fetchFromGitHub, qmake, qttools, qtbase }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   name = "calaos_installer-3.1";
   version = "3.1";
 

diff --git a/pkgs/misc/emulators/firebird-emu/default.nix b/pkgs/misc/emulators/firebird-emu/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitHub, qmake, qtbase, qtdeclarative }:
+{ mkDerivation, stdenv, fetchFromGitHub, qmake, qtbase, qtdeclarative }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "firebird-emu";
   version = "1.4";
 

diff --git a/pkgs/misc/emulators/yabause/default.nix b/pkgs/misc/emulators/yabause/default.nix
@@ -1,7 +1,7 @@
-{ stdenv, fetchurl, cmake, pkgconfig, qtbase, qt5, libGLU_combined
+{ mkDerivation, stdenv, fetchurl, cmake, pkgconfig, qtbase, qt5, libGLU_combined
 , freeglut ? null, openal ? null, SDL2 ? null }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "yabause";
   version = "0.9.15";
 

diff --git a/pkgs/os-specific/linux/hostapd/default.nix b/pkgs/os-specific/linux/hostapd/default.nix
@@ -17,7 +17,13 @@ stdenv.mkDerivation rec {
       # Note: fetchurl seems to be unhappy with openwrt git
       # server's URLs containing semicolons. Using the github mirror instead.
       url = "https://raw.githubusercontent.com/openwrt/openwrt/master/package/network/services/hostapd/patches/300-noscan.patch";
-      sha256 = "04wg4yjc19wmwk6gia067z99gzzk9jacnwxh5wyia7k5wg71yj5k";})
+      sha256 = "04wg4yjc19wmwk6gia067z99gzzk9jacnwxh5wyia7k5wg71yj5k";
+    })
+    (fetchurl {
+      name = "CVE-2019-16275.patch";
+      url = "https://w1.fi/security/2019-7/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch";
+      sha256 = "15xjyy7crb557wxpx898b5lnyblxghlij0xby5lmj9hpwwss34dz";
+    })
   ];
 
   outputs = [ "out" "man" ];

diff --git a/pkgs/servers/coturn/default.nix b/pkgs/servers/coturn/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, openssl, libevent }:
+{ stdenv, fetchFromGitHub, fetchpatch, openssl, libevent }:
 
 stdenv.mkDerivation rec {
   pname = "coturn";
@@ -13,7 +13,14 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ openssl libevent ];
 
-  patches = [ ./pure-configure.patch ];
+  patches = [
+    ./pure-configure.patch
+    (fetchpatch {
+      name = "CVE-2020-6061+6062.patch";
+      url = "https://sources.debian.org/data/main/c/coturn/4.5.1.1-1.2/debian/patches/CVE-2020-6061+6062.patch";
+      sha256 = "0fcy1wp91bb4hlhnp96sf9bs0d9hf3pwx5f7b1r9cfvr3l5c1bk2";
+    })
+  ];
 
   meta = with stdenv.lib; {
     homepage = https://coturn.net/;

diff --git a/pkgs/servers/roundcube/default.nix b/pkgs/servers/roundcube/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "roundcube";
-  version = "1.3.10";
+  version = "1.3.11";
 
   src = fetchurl {
     url = "https://github.com/roundcube/roundcubemail/releases/download/${version}/roundcubemail-${version}-complete.tar.gz";
-    sha256 = "1gx8dgrr3p6fksv3pm381a080i9r6snwcmfd1q112mqg19ai3zk9";
+    sha256 = "1bqqaq77m21p8j416hbmxhx1cwyxhvabv19svbw5yhi89f56xzx5";
   };
 
   patches = [ ./0001-Don-t-resolve-symlinks-when-trying-to-find-INSTALL_P.patch ];

diff --git a/pkgs/tools/admin/salt/default.nix b/pkgs/tools/admin/salt/default.nix
@@ -1,21 +1,40 @@
 {
-  stdenv, pythonPackages, openssl,
+  stdenv, python2, openssl,
 
   # Many Salt modules require various Python modules to be installed,
   # passing them in this array enables Salt to find them.
   extraInputs ? []
 }:
 
-pythonPackages.buildPythonApplication rec {
+let
+
+  py = python2.override {
+    packageOverrides = self: super: {
+      pyyaml = super.pyyaml.overridePythonAttrs (
+        oldAttrs: rec {
+          version = "3.13";
+          src = oldAttrs.src.override {
+            inherit version;
+            sha256 = "1gx603g484z46cb74j9rzr6sjlh2vndxayicvlyhxdz98lhhkwry";
+          };
+          postPatch = "rm ext/_yaml.c";
+          doCheck = false;
+        }
+      );
+    };
+  };
+
+in
+py.pkgs.buildPythonApplication rec {
   pname = "salt";
-  version = "2019.2.0";
+  version = "2019.2.4";
 
-  src = pythonPackages.fetchPypi {
+  src = py.pkgs.fetchPypi {
     inherit pname version;
-    sha256 = "1kgn3lway0zwwysyzpphv05j4xgxk92dk4rv1vybr2527wmvp5an";
+    sha256 = "0ir8gmir4jl21v252vxwgjaskj15wlkhp715jn7h1jb1vfairsxg";
   };
 
-  propagatedBuildInputs = with pythonPackages; [
+  propagatedBuildInputs = with py.pkgs; [
     jinja2
     markupsafe
     msgpack
@@ -24,8 +43,6 @@ pythonPackages.buildPythonApplication rec {
     pyzmq
     requests
     tornado_4
-  ] ++ stdenv.lib.optional (!pythonPackages.isPy3k) [
-    futures
   ] ++ extraInputs;
 
   patches = [ ./fix-libcrypto-loading.patch ];

diff --git a/pkgs/tools/backup/httrack/qt.nix b/pkgs/tools/backup/httrack/qt.nix
@@ -1,7 +1,7 @@
-{ stdenv, fetchurl, cmake, pkgconfig, makeWrapper
+{ mkDerivation, stdenv, fetchurl, cmake, pkgconfig, makeWrapper
 , httrack, qtbase, qtmultimedia }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "httraqt";
   version = "1.4.9";
 

diff --git a/pkgs/tools/graphics/rocket/default.nix b/pkgs/tools/graphics/rocket/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchFromGitHub, qmake, qtbase }:
+{ mkDerivation, stdenv, fetchFromGitHub, qmake, qtbase }:
 
-stdenv.mkDerivation {
+mkDerivation {
   pname = "rocket";
   version = "2018-06-09";
 

diff --git a/pkgs/tools/misc/colord-kde/default.nix b/pkgs/tools/misc/colord-kde/default.nix
@@ -1,11 +1,11 @@
-{ stdenv, lib, fetchurl
+{ mkDerivation, lib, fetchurl
 , extra-cmake-modules, ki18n
 , kconfig, kconfigwidgets, kcoreaddons, kdbusaddons, kiconthemes, kcmutils
 , kio, knotifications, plasma-framework, kwidgetsaddons, kwindowsystem
 , kitemviews, lcms2, libXrandr, qtx11extras
 }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   pname = "colord-kde";
   version = "0.5.0";
 

diff --git a/pkgs/tools/text/glogg/default.nix b/pkgs/tools/text/glogg/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, fetchurl, qmake, boost }:
+{ mkDerivation, stdenv, fetchurl, qmake, boost }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
 
   pname = "glogg";
   version = "1.1.4";

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
@@ -12836,7 +12836,7 @@ in
   nss = lowPrio (callPackage ../development/libraries/nss { });
 
   # newer NSS version for newer firefox stable releases
-  nss_3_51 = callPackage ../development/libraries/nss/3_51.nix { };
+  nss_3_52 = lowPrio (callPackage ../development/libraries/nss/3_52.nix { });
 
   nssTools = nss.tools;
 
@@ -19437,6 +19437,7 @@ in
 
   monotone = callPackage ../applications/version-management/monotone {
     lua = lua5;
+    botan = botan.override (x: { openssl = null; });
   };
 
   inherit (ocaml-ng.ocamlPackages_4_01_0) monotoneViz;