From a9611a52f3f01f0366cb7c08fab45c09a64e19b7 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 08:23:42 -0500 Subject: [PATCH 01/15] mcabber: 1.0.3 -> 1.0.4 for 'roster push attack' --- .../networking/instant-messengers/mcabber/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/networking/instant-messengers/mcabber/default.nix b/pkgs/applications/networking/instant-messengers/mcabber/default.nix index 3ae3f7bb3dd1..ca752ccf8269 100644 --- a/pkgs/applications/networking/instant-messengers/mcabber/default.nix +++ b/pkgs/applications/networking/instant-messengers/mcabber/default.nix @@ -4,11 +4,11 @@ stdenv.mkDerivation rec { name = "mcabber-${version}"; - version = "1.0.3"; + version = "1.0.4"; src = fetchurl { url = "http://mcabber.com/files/mcabber-${version}.tar.bz2"; - sha256 = "16hkb7v1sqp1gqj94darwwrv23alqaiqdhqjq8gjd6f3l05bprj4"; + sha256 = "02nfn5r7cjpnacym95l6bvczii232v3x2gi79gfa9syc7w0brdk3"; }; buildInputs = [ openssl ncurses pkgconfig glib loudmouth libotr gpgme ]; @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-openssl=${openssl.dev} --enable-modules --enable-otr"; doCheck = true; - + meta = with stdenv.lib; { homepage = http://mcabber.com/; description = "Small Jabber console client"; From 0707962235faaf499c47c0d24e1fec53399c4f7b Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 08:29:44 -0500 Subject: [PATCH 02/15] mujs: 2016-09-21 -> 2016-11-30 for multiple CVEs - CVE-2016-7504 - CVE-2016-7505 - CVE-2016-7506 - CVE-2016-9017 - CVE-2016-9108 - CVE-2016-9109 - CVE-2016-9294 See more information: https://lwn.net/Vulnerabilities/707361/ --- pkgs/development/interpreters/mujs/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/interpreters/mujs/default.nix b/pkgs/development/interpreters/mujs/default.nix index b8359488725a..0a87d037454d 100644 
--- a/pkgs/development/interpreters/mujs/default.nix +++ b/pkgs/development/interpreters/mujs/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchgit, clang }: stdenv.mkDerivation rec { - name = "mujs-2016-09-21"; + name = "mujs-2016-11-30"; src = fetchgit { url = git://git.ghostscript.com/mujs.git; - rev = "5c337af4b3df80cf967e4f9f6a21522de84b392a"; - sha256 = "1x5g6nycggc83md2dbr2nahjbkkmmn64bg25a8hih7z72sw41dgw"; + rev = "a0ceaf5050faf419401fe1b83acfa950ec8a8a89"; + sha256 = "13abghhqrivaip4h0fav80i8hid220dj0ddc1xnhn6w9rbnrriyg"; }; buildInputs = [ clang ]; From 7d09138caec41f53fa34dce47c56436283dd9a40 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 08:37:48 -0500 Subject: [PATCH 03/15] perlPackages.DBDmysql: 4.033 -> 4.039 --- pkgs/development/perl-modules/DBD-mysql/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/perl-modules/DBD-mysql/default.nix b/pkgs/development/perl-modules/DBD-mysql/default.nix index 14ed14e34afd..0e1db7e234d3 100644 --- a/pkgs/development/perl-modules/DBD-mysql/default.nix +++ b/pkgs/development/perl-modules/DBD-mysql/default.nix @@ -1,11 +1,11 @@ { fetchurl, buildPerlPackage, DBI, mysql }: buildPerlPackage rec { - name = "DBD-mysql-4.033"; + name = "DBD-mysql-4.039"; src = fetchurl { url = "mirror://cpan/authors/id/C/CA/CAPTTOFU/${name}.tar.gz"; - sha256 = "0769xakykps0cx368g4vaips4w3bjk383rianiavq7sq6g6bp66c"; + sha256 = "0k4p3bjdbmxm2amb0qiiwmn8v83zrjkz5qp84xdjrg8k5v9aj0hn"; }; buildInputs = [ mysql.lib ] ; From 0cff959e790c5ee6612cbba44d709aa3e71f6c16 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 09:07:17 -0500 Subject: [PATCH 04/15] maatkit: update URL --- pkgs/development/perl-modules/maatkit/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/perl-modules/maatkit/default.nix b/pkgs/development/perl-modules/maatkit/default.nix index e301bd1009fb..fabb3824129c 100644 
--- a/pkgs/development/perl-modules/maatkit/default.nix +++ b/pkgs/development/perl-modules/maatkit/default.nix @@ -4,7 +4,7 @@ buildPerlPackage rec { name = "maatkit-7540"; src = fetchurl { - url = "http://maatkit.googlecode.com/files/${name}.tar.gz" ; + url = "https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/maatkit/${name}.tar.gz"; sha256 = "1a7rxrddkrsfxb2wj01ha91ld0vapfkqcy8j9p08l76zz2l8p2v1"; }; From eba91fa2bdc130da4ca35a2f60b9d30d90d284f9 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 18:20:21 -0500 Subject: [PATCH 05/15] tomcat6: 6.0.45 -> 6.0.48 For CVE-2016-8735, a remote code execution vulnerability. --- pkgs/servers/http/tomcat/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/http/tomcat/default.nix b/pkgs/servers/http/tomcat/default.nix index 00aaff899dc4..66613335166a 100644 --- a/pkgs/servers/http/tomcat/default.nix +++ b/pkgs/servers/http/tomcat/default.nix @@ -33,8 +33,8 @@ in { tomcat6 = common { versionMajor = "6"; - versionMinor = "0.45"; - sha256 = "0ba8h86padpk23xmscp7sg70g0v8ji2jbwwriz59hxqy5zhd76wg"; + versionMinor = "0.48"; + sha256 = "1w4jf28g8p25fmijixw6b02iqlagy2rvr57y3n90hvz341kb0bbc"; }; tomcat7 = common { From 3d0310daf383efb0357e483a082cafcf43d45ae1 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 18:21:01 -0500 Subject: [PATCH 06/15] tomcat7: 7.0.72 -> 7.0.73 For CVE-2016-8735, a remote code execution vulnerability. --- pkgs/servers/http/tomcat/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/http/tomcat/default.nix b/pkgs/servers/http/tomcat/default.nix index 66613335166a..5c22278cf62a 100644 --- a/pkgs/servers/http/tomcat/default.nix +++ b/pkgs/servers/http/tomcat/default.nix 
@@ -39,8 +39,8 @@ in { tomcat7 = common { versionMajor = "7"; - versionMinor = "0.72"; - sha256 = "1nx5pmz3bq3n20fdspqh8ljqy1nj67rwi1vsqjpkrvd996x7p73p"; + versionMinor = "0.73"; + sha256 = "11gaiy56q7pik06sdypr80sl3g6k41s171wqqwlhxffmsxm4v08f"; }; tomcat8 = common { From 80a475042c4be3bb564a4a2d609a9f66ae906574 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 18:21:16 -0500 Subject: [PATCH 07/15] tomcat8: 8.0.37 -> 8.0.39 For CVE-2016-8735, a remote code execution vulnerability. --- pkgs/servers/http/tomcat/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/http/tomcat/default.nix b/pkgs/servers/http/tomcat/default.nix index 5c22278cf62a..e22f27612316 100644 --- a/pkgs/servers/http/tomcat/default.nix +++ b/pkgs/servers/http/tomcat/default.nix @@ -45,8 +45,8 @@ in { tomcat8 = common { versionMajor = "8"; - versionMinor = "0.37"; - sha256 = "0f9d4yxjzwdrayj5l3jyiclnmpb5lffvmsnp54qpf6m3gm7cj5i6"; + versionMinor = "0.39"; + sha256 = "16hyypdawby66qa8y66sfprcf78wjy319a0gsi4jgfqfywcsm4s0"; }; tomcat85 = common { From 42f1ae1911421e5fa886432aae38a52a6b343490 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 18:21:27 -0500 Subject: [PATCH 08/15] tomcat85: 8.5.5 -> 8.5.8 For CVE-2016-8735, a remote code execution vulnerability. --- pkgs/servers/http/tomcat/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/http/tomcat/default.nix b/pkgs/servers/http/tomcat/default.nix index e22f27612316..7d972ba3486e 100644 --- a/pkgs/servers/http/tomcat/default.nix +++ b/pkgs/servers/http/tomcat/default.nix @@ -51,8 +51,8 @@ in { tomcat85 = common { versionMajor = "8"; - versionMinor = "5.5"; - sha256 = "0idfxjrw5q45f531gyjnv6xjkbj9nhy2v1w4z7558z96230a0fqj"; + versionMinor = "5.8"; + sha256 = "1rfws897m09pbnb1jc4684didpklfhqp86szv2jcqzdx0hlfxxs0"; }; tomcatUnstable = common { From 5f789809736002bd973f9e98685366249222de58 Mon Sep 17 00:00:00 2001 
From: Graham Christensen Date: Wed, 30 Nov 2016 18:21:39 -0500 Subject: [PATCH 09/15] tomcatUnstable: 9.0.0.M10 -> 9.0.0.M13 For CVE-2016-8735, a remote code execution vulnerability. --- pkgs/servers/http/tomcat/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/http/tomcat/default.nix b/pkgs/servers/http/tomcat/default.nix index 7d972ba3486e..edf1e59931ed 100644 --- a/pkgs/servers/http/tomcat/default.nix +++ b/pkgs/servers/http/tomcat/default.nix @@ -57,8 +57,8 @@ in { tomcatUnstable = common { versionMajor = "9"; - versionMinor = "0.0.M10"; - sha256 = "0p3pqwz9zjvr9w73divsyaa53mbazf0icxfs06wvgxsvkbgj5gq9"; + versionMinor = "0.0.M13"; + sha256 = "0im3w4iqpar7x50vg7c9zkxyqf9x53xs5jvcq79xqgrmcqb9lk91"; }; } From 9c71508c95482139f3fb1fef2cc5f3cb20600ad5 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 18:34:35 -0500 Subject: [PATCH 10/15] bzip2: patch for CVE-2016-3189 --- pkgs/tools/compression/bzip2/CVE-2016-3189.patch | 12 ++++++++++++ pkgs/tools/compression/bzip2/default.nix | 8 +++++++- 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 pkgs/tools/compression/bzip2/CVE-2016-3189.patch diff --git a/pkgs/tools/compression/bzip2/CVE-2016-3189.patch b/pkgs/tools/compression/bzip2/CVE-2016-3189.patch new file mode 100644 index 000000000000..eff324b32503 --- /dev/null +++ b/pkgs/tools/compression/bzip2/CVE-2016-3189.patch @@ -0,0 +1,12 @@ +diff --git a/bzip2recover.c b/bzip2recover.c +index f9de049..252c1b7 100644 +--- a/bzip2recover.c ++++ b/bzip2recover.c +@@ -457,6 +457,7 @@ Int32 main ( Int32 argc, Char** argv ) + bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); + bsPutUInt32 ( bsWr, blockCRC ); + bsClose ( bsWr ); ++ outFile = NULL; + } + if (wrBlock >= rbCtr) break; + wrBlock++; diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index cabd412fe65d..51f478110659 100644 --- a/pkgs/tools/compression/bzip2/default.nix 
+++ b/pkgs/tools/compression/bzip2/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl +{ stdenv, fetchurl, fetchpatch , linkStatic ? (stdenv.system == "i686-cygwin") }: @@ -20,10 +20,16 @@ stdenv.mkDerivation rec { sha256 = "0b5b5p8c7bslc6fslcr1nj9136412v3qcvbg6yxi9argq9g72v8c"; }; + patches = [ + ./CVE-2016-3189.patch + ]; + + postPatch = '' sed -i -e '//s|\\|/|' bzip2.c ''; + outputs = [ "bin" "dev" "out" "man" ]; configureFlags = From 892a9b1f0faf9553234784f5569a883c6f4f34ce Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 19:05:52 -0500 Subject: [PATCH 11/15] icu: patch for multiple CVEs - CVE-2014-6585 - CVE-2015-4760 - CVE-2016-0494 - CVE-2016-6293 - CVE-2016-7415 --- pkgs/development/libraries/icu/54.1.nix | 5 ++-- pkgs/development/libraries/icu/default.nix | 34 +++++++++++++++++++++- 2 files changed, 35 insertions(+), 4 deletions(-) diff --git a/pkgs/development/libraries/icu/54.1.nix b/pkgs/development/libraries/icu/54.1.nix index cd4398b3cc03..a2465ce930ff 100644 --- a/pkgs/development/libraries/icu/54.1.nix +++ b/pkgs/development/libraries/icu/54.1.nix @@ -1,7 +1,7 @@ -{ stdenv, fetchurl, fixDarwinDylibNames }: +{ stdenv, fetchurl, fetchpatch, fixDarwinDylibNames }: let - icu = import ./default.nix { inherit stdenv fetchurl fixDarwinDylibNames; }; + icu = import ./default.nix { inherit stdenv fetchurl fetchpatch fixDarwinDylibNames; }; in stdenv.lib.overrideDerivation icu (attrs: { src = fetchurl { @@ -9,4 +9,3 @@ in sha256 = "1cwapgjmvrcv1n2wjspj3vahidg596gjfp4jn1gcb4baralcjayl"; }; }) - diff --git a/pkgs/development/libraries/icu/default.nix b/pkgs/development/libraries/icu/default.nix index ba8fe038ffac..d4a4c2a500c1 100644 --- a/pkgs/development/libraries/icu/default.nix +++ b/pkgs/development/libraries/icu/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, fixDarwinDylibNames }: +{ stdenv, fetchurl, fetchpatch, fixDarwinDylibNames }: let pname = "icu4c"; 
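Review bot: In pkgs/tools/compression/bzip2/default.nix, the first hunk adds `fetchpatch` to the argument set, but nothing visible uses it. The second hunk applies the fix from the local file `./CVE-2016-3189.patch`, so the header can stay `{ stdenv, fetchurl`. An unused fetcher argument on a package this low in the dependency graph is worth avoiding, and it suggests to a reader that the patch is downloaded when it is in fact vendored. The second hunk also adds stray blank lines after the `patches` list and after `postPatch`, which can be dropped. A one-line comment above `patches` recording where the vendored patch came from would help whoever next updates bzip2.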
@@ -25,6 +25,38 @@ stdenv.mkDerivation ({ echo Source root reset to ''${sourceRoot} ''; + # This pre/postPatch shenanigans is to handle that the patches expect + # to be outside of `source`. + prePatch = '' + pushd .. + ''; + postPatch = '' + popd + ''; + + patches = [ + (fetchpatch { + url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2014-6585.patch"; + sha256 = "1s8kqax444pqf5chwxvgsx1n1dx7v74h34fqh08fyq57mcjnpj4d"; + }) + (fetchpatch { + url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2015-4760.patch"; + sha256 = "08gawyqbylk28i9pxv9vsw2drdpd6i97q0aml4nmv2xyb1ala0wp"; + }) + (fetchpatch { + url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2016-0494.patch"; + sha256 = "1741s8lpmnizjprzk3xb7zkm5fznzgk8hhlrs8a338c18nalvxay"; + }) + (fetchpatch { + url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2016-6293.patch"; + sha256 = "01h4xcss1vmsr60ijkv4lxsgvspwimyss61zp9nq4xd5i3kk1f4b"; + }) + (fetchpatch { + url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2016-7415.patch"; + sha256 = "01d070h8d7rkj55ac8isr64m999bv5znc8vnxa7aajglsfidzs2r"; + }) + ]; + preConfigure = '' sed -i -e "s|/bin/sh|${stdenv.shell}|" configure ''; From 6393ca650eb9ef5f045905600c4256a0d0bf20b7 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 19:06:43 -0500 Subject: [PATCH 12/15] Revert "bzip2: patch for CVE-2016-3189" This reverts commit 9c71508c95482139f3fb1fef2cc5f3cb20600ad5. --- pkgs/tools/compression/bzip2/CVE-2016-3189.patch | 12 ------------ pkgs/tools/compression/bzip2/default.nix | 8 +------- 2 files changed, 1 insertion(+), 19 deletions(-) delete mode 100644 pkgs/tools/compression/bzip2/CVE-2016-3189.patch diff --git a/pkgs/tools/compression/bzip2/CVE-2016-3189.patch b/pkgs/tools/compression/bzip2/CVE-2016-3189.patch deleted file mode 100644 index eff324b32503..000000000000 
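Review bot: The five `fetchpatch` entries added to `patches` in pkgs/development/libraries/icu/default.nix all come from Debian's icu 57.1-5 packaging, but 54.1.nix builds the same derivation through `overrideDerivation` and replaces only `src`. As far as this diff shows, the 54.1 build therefore inherits `patches`, `prePatch` and `postPatch`, and patches written against 57.1 may fail to apply to 54.1 sources or apply with fuzz. Confirm that both attributes build, and give the 54.1 override its own `patches` list of backports if they do not. The comment above `prePatch` could also say which path prefix the Debian patches carry, so the `pushd ..` is understandable without downloading them. The enclosing `mkDerivation` call starts and ends outside this hunk.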
--- a/pkgs/tools/compression/bzip2/CVE-2016-3189.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/bzip2recover.c b/bzip2recover.c -index f9de049..252c1b7 100644 ---- a/bzip2recover.c -+++ b/bzip2recover.c -@@ -457,6 +457,7 @@ Int32 main ( Int32 argc, Char** argv ) - bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); - bsPutUInt32 ( bsWr, blockCRC ); - bsClose ( bsWr ); -+ outFile = NULL; - } - if (wrBlock >= rbCtr) break; - wrBlock++; diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index 51f478110659..cabd412fe65d 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, fetchpatch +{ stdenv, fetchurl , linkStatic ? (stdenv.system == "i686-cygwin") }: @@ -20,16 +20,10 @@ stdenv.mkDerivation rec { sha256 = "0b5b5p8c7bslc6fslcr1nj9136412v3qcvbg6yxi9argq9g72v8c"; }; - patches = [ - ./CVE-2016-3189.patch - ]; - - postPatch = '' sed -i -e '//s|\\|/|' bzip2.c ''; - outputs = [ "bin" "dev" "out" "man" ]; configureFlags = From c97fda0bcf925426a6d57d300deca4da2feedaa2 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 19:10:06 -0500 Subject: [PATCH 13/15] Revert "icu: patch for multiple CVEs" This reverts commit 892a9b1f0faf9553234784f5569a883c6f4f34ce. --- pkgs/development/libraries/icu/54.1.nix | 5 ++-- pkgs/development/libraries/icu/default.nix | 34 +--------------------- 2 files changed, 4 insertions(+), 35 deletions(-) diff --git a/pkgs/development/libraries/icu/54.1.nix b/pkgs/development/libraries/icu/54.1.nix index a2465ce930ff..cd4398b3cc03 100644 --- a/pkgs/development/libraries/icu/54.1.nix +++ b/pkgs/development/libraries/icu/54.1.nix 
@@ -1,7 +1,7 @@ -{ stdenv, fetchurl, fetchpatch, fixDarwinDylibNames }: +{ stdenv, fetchurl, fixDarwinDylibNames }: let - icu = import ./default.nix { inherit stdenv fetchurl fetchpatch fixDarwinDylibNames; }; + icu = import ./default.nix { inherit stdenv fetchurl fixDarwinDylibNames; }; in stdenv.lib.overrideDerivation icu (attrs: { src = fetchurl { @@ -9,3 +9,4 @@ in sha256 = "1cwapgjmvrcv1n2wjspj3vahidg596gjfp4jn1gcb4baralcjayl"; }; }) + diff --git a/pkgs/development/libraries/icu/default.nix b/pkgs/development/libraries/icu/default.nix index d4a4c2a500c1..ba8fe038ffac 100644 --- a/pkgs/development/libraries/icu/default.nix +++ b/pkgs/development/libraries/icu/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, fetchpatch, fixDarwinDylibNames }: +{ stdenv, fetchurl, fixDarwinDylibNames }: let pname = "icu4c"; 
@@ -25,38 +25,6 @@ stdenv.mkDerivation ({ echo Source root reset to ''${sourceRoot} ''; - # This pre/postPatch shenanigans is to handle that the patches expect - # to be outside of `source`. - prePatch = '' - pushd .. - ''; - postPatch = '' - popd - ''; - - patches = [ - (fetchpatch { - url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2014-6585.patch"; - sha256 = "1s8kqax444pqf5chwxvgsx1n1dx7v74h34fqh08fyq57mcjnpj4d"; - }) - (fetchpatch { - url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2015-4760.patch"; - sha256 = "08gawyqbylk28i9pxv9vsw2drdpd6i97q0aml4nmv2xyb1ala0wp"; - }) - (fetchpatch { - url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2016-0494.patch"; - sha256 = "1741s8lpmnizjprzk3xb7zkm5fznzgk8hhlrs8a338c18nalvxay"; - }) - (fetchpatch { - url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2016-6293.patch"; - sha256 = "01h4xcss1vmsr60ijkv4lxsgvspwimyss61zp9nq4xd5i3kk1f4b"; - }) - (fetchpatch { - url = "https://sources.debian.net/data/main/i/icu/57.1-5/debian/patches/CVE-2016-7415.patch"; - sha256 = "01d070h8d7rkj55ac8isr64m999bv5znc8vnxa7aajglsfidzs2r"; - }) - ]; - preConfigure = '' sed -i -e "s|/bin/sh|${stdenv.shell}|" configure ''; From 7e40e89273df9ed15dc563401cd7c1343bcd0188 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 19:18:08 -0500 Subject: [PATCH 14/15] rpcbind: patch for CVE-2015-7236 --- pkgs/servers/rpcbind/default.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/rpcbind/default.nix b/pkgs/servers/rpcbind/default.nix index ba2e1447ffe5..744763c43f11 100644 --- a/pkgs/servers/rpcbind/default.nix +++ b/pkgs/servers/rpcbind/default.nix 
@@ -1,10 +1,10 @@ -{ fetchurl, stdenv, pkgconfig, libtirpc +{ fetchurl, fetchpatch, stdenv, pkgconfig, libtirpc , useSystemd ? true, systemd }: let version = "0.2.3"; in stdenv.mkDerivation rec { name = "rpcbind-${version}"; - + src = fetchurl { url = "mirror://sourceforge/rpcbind/${version}/${name}.tar.bz2"; sha256 = "0yyjzv4161rqxrgjcijkrawnk55rb96ha0pav48s03l2klx855wq"; @@ -13,6 +13,10 @@ in stdenv.mkDerivation rec { patches = [ ./sunrpc.patch ./0001-handle_reply-Don-t-use-the-xp_auth-pointer-directly.patch + (fetchpatch { + url = "https://sources.debian.net/data/main/r/rpcbind/0.2.3-0.5/debian/patches/CVE-2015-7236.patch"; + sha256 = "1wsv5j8f5djzxr11n4027x107cam1avmx9w34g6l5d9s61j763wq"; + }) ]; buildInputs = [ libtirpc ] From 16995fc57bbf0147b4b43d467f03dfeb4cb877a7 Mon Sep 17 00:00:00 2001 From: Graham Christensen Date: Wed, 30 Nov 2016 19:19:25 -0500 Subject: [PATCH 15/15] boehmgc: 7.2f -> 7.2g --- pkgs/development/libraries/boehm-gc/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/boehm-gc/default.nix b/pkgs/development/libraries/boehm-gc/default.nix index b0eec4e130b6..fb1f177d9695 100644 --- a/pkgs/development/libraries/boehm-gc/default.nix +++ b/pkgs/development/libraries/boehm-gc/default.nix @@ -1,11 +1,11 @@ { lib, stdenv, fetchurl, enableLargeConfig ? false }: stdenv.mkDerivation rec { - name = "boehm-gc-7.2f"; + name = "boehm-gc-7.2g"; src = fetchurl { - url = http://www.hboehm.info/gc/gc_source/gc-7.2f.tar.gz; - sha256 = "119x7p1cqw40mpwj80xfq879l9m1dkc7vbc1f3bz3kvkf8bf6p16"; + url = http://www.hboehm.info/gc/gc_source/gc-7.2g.tar.gz; + sha256 = "0bvw6cc555qg5b7dgcqy3ryiw0wir79dqy0glff3hjmyy7i2jkjq"; }; patches = if stdenv.isCygwin then [ ./cygwin.patch ] else null;
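Review bot: The `fetchpatch` entry added to `patches` in pkgs/servers/rpcbind/default.nix has no comment saying what it fixes or when it can be dropped. The package stays at `version = "0.2.3"`, so this list is the only place the CVE-2015-7236 fix is recorded. A line above the entry would do, such as `# CVE-2015-7236, from Debian 0.2.3-0.5; remove once rpcbind is updated to a release that contains the fix`. The new patch is applied after `./sunrpc.patch` and the `handle_reply` patch, so check that it applies cleanly on top of both. The whitespace-only change after `name` in the first hunk is unrelated to the fix.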