summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk9
-rw-r--r--gnu/packages/admin.scm14
-rw-r--r--gnu/packages/base.scm6
-rw-r--r--gnu/packages/certs.scm4
-rw-r--r--gnu/packages/curl.scm63
-rw-r--r--gnu/packages/databases.scm89
-rw-r--r--gnu/packages/elf.scm17
-rw-r--r--gnu/packages/fontutils.scm73
-rw-r--r--gnu/packages/freedesktop.scm4
-rw-r--r--gnu/packages/gdb.scm36
-rw-r--r--gnu/packages/ghostscript.scm4
-rw-r--r--gnu/packages/gl.scm10
-rw-r--r--gnu/packages/glib.scm40
-rw-r--r--gnu/packages/gnome.scm43
-rw-r--r--gnu/packages/gnuzilla.scm4
-rw-r--r--gnu/packages/gstreamer.scm45
-rw-r--r--gnu/packages/gtk.scm17
-rw-r--r--gnu/packages/image.scm21
-rw-r--r--gnu/packages/imagemagick.scm18
-rw-r--r--gnu/packages/kde-frameworks.scm23
-rw-r--r--gnu/packages/kde.scm1
-rw-r--r--gnu/packages/libffi.scm4
-rw-r--r--gnu/packages/linux.scm26
-rw-r--r--gnu/packages/node.scm22
-rw-r--r--gnu/packages/nss.scm6
-rw-r--r--gnu/packages/openldap.scm49
-rw-r--r--gnu/packages/package-management.scm2
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2020-15900.patch36
-rw-r--r--gnu/packages/patches/ghostscript-freetype-compat.patch35
-rw-r--r--gnu/packages/patches/gst-plugins-good-fix-test.patch94
-rw-r--r--gnu/packages/patches/libssh2-CVE-2019-17498.patch126
-rw-r--r--gnu/packages/patches/mesa-skip-disk-cache-test.patch19
-rw-r--r--gnu/packages/patches/mesa-skip-tests.patch49
-rw-r--r--gnu/packages/patches/python-CVE-2020-26116.patch47
-rw-r--r--gnu/packages/patches/qtbase-fix-krita-deadlock.patch110
-rw-r--r--gnu/packages/patches/sbc-fix-build-non-x86.patch17
-rw-r--r--gnu/packages/pulseaudio.scm6
-rw-r--r--gnu/packages/python-crypto.scm23
-rw-r--r--gnu/packages/python-web.scm8
-rw-r--r--gnu/packages/python-xyz.scm16
-rw-r--r--gnu/packages/python.scm1
-rw-r--r--gnu/packages/qt.scm211
-rw-r--r--gnu/packages/rust.scm66
-rw-r--r--gnu/packages/sphinx.scm4
-rw-r--r--gnu/packages/ssh.scm14
-rw-r--r--gnu/packages/time.scm13
-rw-r--r--gnu/packages/tls.scm76
-rw-r--r--gnu/packages/video.scm15
-rw-r--r--gnu/packages/vpn.scm4
-rw-r--r--gnu/packages/vulkan.scm26
-rw-r--r--gnu/packages/web.scm32
-rw-r--r--gnu/packages/xdisorg.scm8
-rw-r--r--gnu/packages/xml.scm3
-rw-r--r--gnu/packages/xorg.scm83
-rw-r--r--gnu/tests/monitoring.scm2
55 files changed, 987 insertions, 807 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index e93425f394..d53ed440f9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1064,6 +1064,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghc-monad-par-fix-tests.patch		\
   %D%/packages/patches/ghc-pandoc-fix-html-tests.patch		\
   %D%/packages/patches/ghc-pandoc-fix-latex-test.patch		\
+  %D%/packages/patches/ghostscript-CVE-2020-15900.patch		\
+  %D%/packages/patches/ghostscript-freetype-compat.patch	\
   %D%/packages/patches/ghostscript-no-header-id.patch		\
   %D%/packages/patches/ghostscript-no-header-uuid.patch		\
   %D%/packages/patches/ghostscript-no-header-creationdate.patch \
@@ -1127,6 +1129,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/grub-setup-root.patch			\
   %D%/packages/patches/grub-verifiers-Blocklist-fallout-cleanup.patch \
   %D%/packages/patches/gspell-dash-test.patch			\
+  %D%/packages/patches/gst-plugins-good-fix-test.patch		\
   %D%/packages/patches/guile-1.8-cpp-4.5.patch			\
   %D%/packages/patches/guile-2.2-skip-oom-test.patch            \
   %D%/packages/patches/guile-2.2-skip-so-test.patch             \
@@ -1292,6 +1295,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libmygpo-qt-missing-qt5-modules.patch	\
   %D%/packages/patches/libqalculate-3.8.0-libcurl-ssl-fix.patch	\
   %D%/packages/patches/libquicktime-ffmpeg.patch 		\
+  %D%/packages/patches/libssh2-CVE-2019-17498.patch 		\
   %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
   %D%/packages/patches/libtgvoip-disable-sse2.patch 		\
   %D%/packages/patches/libtgvoip-disable-webrtc.patch 		\
@@ -1351,7 +1355,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libmemcached-build-with-gcc7.patch	\
   %D%/packages/patches/libmhash-hmac-fix-uaf.patch		\
   %D%/packages/patches/mediastreamer2-srtp2.patch		\
-  %D%/packages/patches/mesa-skip-disk-cache-test.patch		\
+  %D%/packages/patches/mesa-skip-tests.patch			\
   %D%/packages/patches/mescc-tools-boot.patch			\
   %D%/packages/patches/meson-for-build-rpath.patch		\
   %D%/packages/patches/metabat-fix-compilation.patch		\
@@ -1525,6 +1529,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-3.8-fix-tests.patch		\
   %D%/packages/patches/python-3.9-fix-tests.patch		\
   %D%/packages/patches/python-CVE-2018-14647.patch		\
+  %D%/packages/patches/python-CVE-2020-26116.patch		\
   %D%/packages/patches/python-aionotify-0.2.0-py3.8.patch	\
   %D%/packages/patches/python-argcomplete-1.11.1-fish31.patch	\
   %D%/packages/patches/python-axolotl-AES-fix.patch		\
@@ -1561,7 +1566,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/qrcodegen-cpp-make-install.patch		\
   %D%/packages/patches/qt4-ldflags.patch			\
   %D%/packages/patches/qtbase-absolute-runpath.patch		\
-  %D%/packages/patches/qtbase-fix-krita-deadlock.patch		\
   %D%/packages/patches/qtbase-moc-ignore-gcc-macro.patch	\
   %D%/packages/patches/qtbase-use-TZDIR.patch			\
   %D%/packages/patches/qtscript-disable-tests.patch		\
@@ -1609,6 +1613,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/rust-reproducible-builds.patch		 \
   %D%/packages/patches/rust-openssl-sys-no-vendor.patch	\
   %D%/packages/patches/rxvt-unicode-escape-sequences.patch	\
+  %D%/packages/patches/sbc-fix-build-non-x86.patch		\
   %D%/packages/patches/sbcl-clml-fix-types.patch		\
   %D%/packages/patches/scalapack-blacs-mpi-deprecations.patch	\
   %D%/packages/patches/scheme48-tests.patch			\
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 1ddbea7a02..b24d5601cf 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -676,7 +676,10 @@ hostname.")
      `(;; Assume System V `setpgrp (void)', which is the default on GNU
        ;; variants (`AC_FUNC_SETPGRP' is not cross-compilation capable.)
        #:configure-flags
-       '("--with-libpam" "ac_cv_func_setpgrp_void=yes")
+       '(,@(if (hurd-target?)
+             '()
+             '("--with-libpam"))
+          "ac_cv_func_setpgrp_void=yes")
 
        #:phases
        (modify-phases %standard-phases
@@ -701,7 +704,10 @@ hostname.")
                (for-each delete-file (find-files man "^groups\\."))
                #t))))))
 
-    (inputs `(("linux-pam" ,linux-pam)))
+    (inputs
+     `(,@(if (hurd-target?)
+           '()
+           `(("linux-pam" ,linux-pam)))))
     (home-page "https://github.com/shadow-maint/shadow")
     (synopsis "Authentication-related tools such as passwd, su, and login")
     (description
@@ -1496,7 +1502,9 @@ system administrator.")
          `(("groff" ,groff))))
     (inputs
      `(("coreutils" ,coreutils)
-       ("linux-pam" ,linux-pam)
+       ,@(if (hurd-target?)
+           '()
+           `(("linux-pam" ,linux-pam)))
        ("zlib" ,zlib)))
     (home-page "https://www.sudo.ws/")
     (synopsis "Run commands as root")
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index b8301828cc..9aa69cfe77 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -1244,7 +1244,7 @@ command.")
 (define-public tzdata
   (package
     (name "tzdata")
-    (version "2020d")
+    (version "2020f")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -1252,7 +1252,7 @@ command.")
                    version ".tar.gz"))
              (sha256
               (base32
-               "1wxskk9mh1x2073n99qna2mq58mgi648mbq5dxlqfcrnvrbkk0cd"))))
+               "10b8cr55x6ji14n3kqkn3avj1s9b79b8gszh81fxrrisij8k248j"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? #f
@@ -1312,7 +1312,7 @@ command.")
                                 version ".tar.gz"))
                           (sha256
                            (base32
-                            "1mgsckixmmk9qxzsflfxnp3999qi3ls72bgksclk01g852x51w3c"))))))
+                            "1i998crd9fxdfhv4jd241j1arx0ng7j7cvczpmj4y5j5fwmfmvng"))))))
     (home-page "https://www.iana.org/time-zones")
     (synopsis "Database of current and historical time zones")
     (description "The Time Zone Database (often called tz or zoneinfo)
diff --git a/gnu/packages/certs.scm b/gnu/packages/certs.scm
index 0cb20467ab..b72d927c0d 100644
--- a/gnu/packages/certs.scm
+++ b/gnu/packages/certs.scm
@@ -76,7 +76,7 @@
 (define-public nss-certs
   (package
     (name "nss-certs")
-    (version "3.57")
+    (version "3.59")
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
@@ -87,7 +87,7 @@
                       "nss-" version ".tar.gz")))
               (sha256
                (base32
-                "10n3pncg6k81ikjz12la147rppwqn57bkrdl9gb820w6pq0nra2m"))))
+                "096fs3z21r171q24ca3rq53p1389xmvqz1f2rpm7nlm8r9s82ag6"))))
     (build-system gnu-build-system)
     (outputs '("out"))
     (native-inputs
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 3ceae4718a..52c2be2f80 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2013, 2014, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Tomáš Čech <sleep_walker@suse.cz>
-;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016, 2017, 2019 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017, 2019, 2020 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
@@ -53,16 +53,15 @@
 (define-public curl
   (package
    (name "curl")
-   (version "7.69.1")
-   (replacement curl-7.74.0)
+   (version "7.74.0")
    (source (origin
-            (method url-fetch)
-            (uri (string-append "https://curl.haxx.se/download/curl-"
-                                version ".tar.xz"))
-            (sha256
-             (base32
-              "0kwxh76iq9fblk7iyv4f75bmcmasarp2bcm1mm07wyvzd7kdbiq3"))
-            (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+             (method url-fetch)
+             (uri (string-append "https://curl.haxx.se/download/curl-"
+                                 version ".tar.xz"))
+             (sha256
+              (base32
+               "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
+             (patches (search-patches "curl-use-ssl-cert-env.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -126,25 +125,6 @@
            (substitute* "tests/runtests.pl"
              (("/bin/sh") (which "sh")))
 
-           ;; XXX FIXME: Test #1510 seems to work on some machines and not
-           ;; others, possibly based on the kernel version.  It works on Guix System
-           ;; on x86_64 with linux-libre-4.1, but fails on Hydra for both i686
-           ;; and x86_64 with the following error:
-           ;;
-           ;; test 1510...[HTTP GET connection cache limit (CURLOPT_MAXCONNECTS)]
-           ;;
-           ;;  1510: output (log/stderr1510) FAILED:
-           ;; --- log/check-expected    2015-06-27 07:45:53.166720834 +0000
-           ;; +++ log/check-generated   2015-06-27 07:45:53.166720834 +0000
-           ;; @@ -1,5 +1,5 @@
-           ;;  * Connection #0 to host server1.example.com left intact[LF]
-           ;;  * Connection #1 to host server2.example.com left intact[LF]
-           ;;  * Connection #2 to host server3.example.com left intact[LF]
-           ;; -* Closing connection 0[LF]
-           ;; +* Closing connection 1[LF]
-           ;;  * Connection #3 to host server4.example.com left intact[LF]
-           (delete-file "tests/data/test1510")
-
            ;; The top-level "make check" does "make -C tests quiet-test", which
            ;; is too quiet.  Use the "test" target instead, which is more
            ;; verbose.
@@ -171,31 +151,6 @@ tunneling, and so on.")
     (name "curl-minimal")
     (inputs (alist-delete "openldap" (package-inputs curl))))))
 
-;; Replacement package to fix multiple security vulnerabilities.
-(define curl-7.74.0
-  (package
-    (inherit curl)
-    (version "7.74.0")
-    (source (origin
-              (inherit (package-source curl))
-              (uri (string-append "https://curl.haxx.se/download/curl-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))))
-    (arguments
-     (substitute-keyword-arguments (package-arguments curl)
-       ((#:phases phases)
-        `(modify-phases ,phases
-           (replace 'check
-             (lambda _
-               ;; Test 1510 is now disabled upstream, and the test runner
-               ;; complains that it can not disable a non-existing test.
-               ;; Thus, override the phase to not delete the test.
-               (substitute* "tests/runtests.pl"
-                 (("/bin/sh") (which "sh")))
-               (invoke "make" "-C" "tests" "test")))))))))
-
 (define-public kurly
   (package
     (name "kurly")
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index ee883c10f5..e24eb20608 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -902,7 +902,7 @@ Language.")
 (define-public mariadb
   (package
     (name "mariadb")
-    (version "10.5.6")
+    (version "10.5.8")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://downloads.mariadb.com/MariaDB"
@@ -910,7 +910,7 @@ Language.")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1i257h0zdypdfj5wkg6ck9pxlkph0jvjs92k22pjr6gnx5lxs1gz"))
+                "1s3vfm73911cddjhgpcbkya6nz7ag2zygg56qqzwscn5ybv28j7b"))
               (modules '((guix build utils)))
               (snippet
                '(begin
@@ -960,6 +960,10 @@ Language.")
          "-DDEFAULT_COLLATION=utf8_general_ci"
          "-DMYSQL_DATADIR=/var/lib/mysql"
          "-DMYSQL_UNIX_ADDR=/run/mysqld/mysqld.sock"
+
+         ;; Do not install the benchmark suite.
+         "-DINSTALL_SQLBENCHDIR=false"
+
          (string-append "-DCMAKE_INSTALL_PREFIX=" (assoc-ref %outputs "lib"))
          (string-append "-DCMAKE_INSTALL_RPATH=" (assoc-ref %outputs "lib")
                         "/lib")
@@ -989,14 +993,26 @@ Language.")
              ;; to other variables such as $INSTALL_INCLUDEDIR, which does
              ;; not work when the latter uses an absolute file name.
              (substitute* "libmariadb/mariadb_config/mariadb_config.c.in"
-               (("@CMAKE_INSTALL_PREFIX@/@INSTALL_INCLUDEDIR@")
-                "@INSTALL_INCLUDEDIR@"))
+               (("%s/@INSTALL_INCLUDEDIR@")
+                (string-append "@INSTALL_INCLUDEDIR@"))
+               ;; As of 10.5.8, the mariadb_config program tries to be
+               ;; clever and computes the installation directory relative
+               ;; to /proc/self/exe when running on Linux.  Make it fall
+               ;; back to the old behaviour.
+               (("defined\\(__linux__\\)")
+                "0"))
              (substitute* "libmariadb/mariadb_config/libmariadb.pc.in"
                (("\\$\\{prefix\\}/@INSTALL_INCLUDEDIR@")
                 "@INSTALL_INCLUDEDIR@"))
+             (substitute* "support-files/mariadb.pc.in"
+               (("^(include|bin|script|doc|man)dir=\\$\\{prefix\\}/" _ dir)
+                (string-append dir "dir=")))
              (substitute* "include/CMakeLists.txt"
                (("\\\\\\$\\{CMAKE_INSTALL_PREFIX\\}/\\$\\{INSTALL_INCLUDEDIR\\}")
                 "${INSTALL_INCLUDEDIR}"))
+             (substitute* "cmake/mariadb_connector_c.cmake"
+               (("\\\\\\$\\{CMAKE_INSTALL_PREFIX\\}/\\$\\{INSTALL_BINDIR\\}")
+                "${INSTALL_BINDIR}"))
              #t))
          (add-after 'unpack 'adjust-tests
            (lambda _
@@ -1009,8 +1025,21 @@ Language.")
                       "main.explain_non_select"
                       "main.stat_tables"
                       "main.stat_tables_innodb"
+                      "main.upgrade_MDEV-19650"
                       "roles.acl_statistics"
 
+                      ;; FIXME: This test checks various table encodings and
+                      ;; fails because Guix defaults to UTF8 instead of the
+                      ;; upstream default latin1_swedish_ci.  It's not easily
+                      ;; substitutable because several encodings are tested.
+                      "main.sp2"
+
+                      ;; XXX: This test occasionally fails on i686-linux:
+                      ;; <https://jira.mariadb.org/browse/MDEV-24458>
+                      ,@(if (string-prefix? "i686" (%current-system))
+                            '("main.myisampack")
+                            '())
+
                       ;; This file contains a time bomb which makes it fail after
                       ;; 2030-12-31.  See <https://bugs.gnu.org/34351> for details.
                       "main.mysqldump"))
@@ -1081,12 +1110,12 @@ Language.")
                 (("\\$basedir/share/mysql")
                  (string-append lib "/share/mysql")))
 
-              ;; Remove unneeded files for testing.
               (with-directory-excursion lib
-                (for-each delete-file-recursively
-                          '("mysql-test" "sql-bench"))
-                ;; And static libraries.
+                ;; Remove tests.
+                (delete-file-recursively "mysql-test")
+                ;; Remove static libraries.
                 (for-each delete-file (find-files "lib" "\\.a$")))
+
               (with-directory-excursion out
                 (delete-file "share/man/man1/mysql-test-run.pl.1")
                 ;; Delete huge and unnecessary executables.
@@ -1162,21 +1191,26 @@ developed in C/C++ to MariaDB and MySQL databases.")
     (license license:lgpl2.1+)))
 
 ;; Don't forget to update the other postgresql packages when upgrading this one.
-(define-public postgresql
+(define-public postgresql-13
   (package
     (name "postgresql")
-    (version "10.13")
+    (version "13.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://ftp.postgresql.org/pub/source/v"
                                   version "/postgresql-" version ".tar.bz2"))
               (sha256
                (base32
-                "1qal0yp7a90yzya7hl56gsmw5fvacplrdhpn7h9gnbyr1i2iyw2d"))
+                "07z6zwr58dckaa97yl9ml240z83d1lhgaxw9aq49i8lsp21mqd0j"))
               (patches (search-patches "postgresql-disable-resolve_symlinks.patch"))))
     (build-system gnu-build-system)
     (arguments
-     `(#:configure-flags '("--with-uuid=e2fs" "--with-openssl")
+     `(#:configure-flags '("--with-uuid=e2fs" "--with-openssl"
+                           ;; PostgreSQL installs its own Makefile (should it?).
+                           ;; Prevent it from retaining needless references to
+                           ;; the build tools in order to save size.
+                           "MKDIR_P=mkdir -p" "INSTALL_BIN=install -c"
+                           "LD=ld" "TAR=tar")
        #:phases
        (modify-phases %standard-phases
          (add-before 'configure 'patch-/bin/sh
@@ -1208,46 +1242,45 @@ TIMESTAMP.  It also supports storage of binary large objects, including
 pictures, sounds, or video.")
     (license (license:x11-style "file://COPYRIGHT"))))
 
-(define-public postgresql-10 postgresql)
-
-(define-public postgresql-13
+(define-public postgresql-11
   (package
-    (inherit postgresql)
-    (version "13.1")
+    (inherit postgresql-13)
+    (name "postgresql")
+    (version "11.6")
     (source (origin
-              (inherit (package-source postgresql))
+              (inherit (package-source postgresql-13))
               (uri (string-append "https://ftp.postgresql.org/pub/source/v"
                                   version "/postgresql-" version ".tar.bz2"))
               (sha256
                (base32
-                "07z6zwr58dckaa97yl9ml240z83d1lhgaxw9aq49i8lsp21mqd0j"))))))
+                "0w1iq488kpzfgfnlw4k32lz5by695mpnkq461jrgsr99z5zlz4j9"))))))
 
-(define-public postgresql-11
+(define-public postgresql-10
   (package
-    (inherit postgresql)
-    (name "postgresql")
-    (version "11.6")
+    (inherit postgresql-11)
+    (version "10.13")
     (source (origin
-              (method url-fetch)
+              (inherit (package-source postgresql-11))
               (uri (string-append "https://ftp.postgresql.org/pub/source/v"
                                   version "/postgresql-" version ".tar.bz2"))
               (sha256
                (base32
-                "0w1iq488kpzfgfnlw4k32lz5by695mpnkq461jrgsr99z5zlz4j9"))))))
+                "1qal0yp7a90yzya7hl56gsmw5fvacplrdhpn7h9gnbyr1i2iyw2d"))))))
 
 (define-public postgresql-9.6
   (package
-    (inherit postgresql)
-    (name "postgresql")
+    (inherit postgresql-10)
     (version "9.6.16")
     (source (origin
-              (method url-fetch)
+              (inherit (package-source postgresql-10))
               (uri (string-append "https://ftp.postgresql.org/pub/source/v"
                                   version "/postgresql-" version ".tar.bz2"))
               (sha256
                (base32
                 "1rr2dgv4ams8r2lp13w85c77rkmzpb88fjlc28mvlw6zq2fblv2w"))))))
 
+(define-public postgresql postgresql-13)
+
 (define-public pgloader
   (package
     (name "pgloader")
diff --git a/gnu/packages/elf.scm b/gnu/packages/elf.scm
index 544598684e..2e21cab48d 100644
--- a/gnu/packages/elf.scm
+++ b/gnu/packages/elf.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2017, 2018, 2019, 2020 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2018, 2020 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2020 Mark Wielaard <mark@klomp.org>
 ;;; Copyright © 2020 Michael Rohleder <mike@rohleder.de>
 ;;;
@@ -46,14 +46,14 @@
 (define-public elfutils
   (package
     (name "elfutils")
-    (version "0.176")
+    (version "0.182")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://sourceware.org/elfutils/ftp/"
                                   version "/elfutils-" version ".tar.bz2"))
               (sha256
                (base32
-                "08qhrl4g6qqr4ga46jhh78y56a47p3msa5b2x1qhzbxhf71lfmzb"))
+                "0n48dcadjy0wiilddzav2zaxdi30qkkfp160gw5mycyz9s8hdi7c"))
               (patches (search-patches "elfutils-tests-ptrace.patch"))))
     (build-system gnu-build-system)
 
@@ -68,7 +68,16 @@
      ;; know where to find each other.
      `(#:configure-flags (list (string-append "LDFLAGS=-Wl,-rpath="
                                               (assoc-ref %outputs "out")
-                                              "/lib"))
+                                              "/lib")
+                               ;; TODO: Enable the debuginfo server.  It
+                               ;; increases the closure size significantly
+                               ;; and presents bootstrapping problems, so
+                               ;; we disable it for now.  See
+                               ;; https://issues.guix.gnu.org/38803 and
+                               ;; https://sourceware.org/bugzilla/show_bug.cgi?id=25509
+                               ;; for more information.
+                               "--disable-libdebuginfod"
+                               "--disable-debuginfod")
 
        ;; Disable tests on MIPS and PowerPC (without changing
        ;; the arguments list on other systems).
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index ea4b0f094e..cacda2ed04 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -8,7 +8,7 @@
 ;;; Copyright © 2017 Nikita <nikita@n0.is>
 ;;; Copyright © 2017, 2018, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2018, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2019, 2020 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2020 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2020 Nicolas Goaziou <mail@nicolasgoaziou.fr>
@@ -73,14 +73,14 @@
 (define-public freetype
   (package
    (name "freetype")
-   (version "2.10.1")
-   (replacement freetype/fixed)
-   (source (origin
-            (method url-fetch)
-            (uri (string-append "mirror://savannah/freetype/freetype-"
-                                version ".tar.xz"))
-            (sha256 (base32
-                     "0vx2dg1jh5kq34dd6ifpjywkpapp8a7p1bvyq9yq5zi1i94gmnqn"))))
+   (version "2.10.4")
+   (source
+    (origin
+      (method url-fetch)
+      (uri (string-append "mirror://savannah/freetype/freetype-"
+                          version ".tar.xz"))
+      (sha256
+       (base32 "112pyy215chg7f7fmp2l9374chhhpihbh8wgpj5nj6avj3c59a46"))))
    (build-system gnu-build-system)
    (arguments
     ;; The use of "freetype-config" is deprecated, but other packages still
@@ -103,19 +103,6 @@ anti-aliased glyph bitmap generation with 256 gray levels.")
    (license license:freetype)           ; some files have other licenses
    (home-page "https://www.freetype.org/")))
 
-(define freetype/fixed
-  ;; Security fix for CVE-2020-15999.
-  (package
-    (inherit freetype)
-    (version "2.10.4")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append "mirror://savannah/freetype/freetype-"
-                           version ".tar.xz"))
-       (sha256
-        (base32 "112pyy215chg7f7fmp2l9374chhhpihbh8wgpj5nj6avj3c59a46"))))))
-
 (define-public ttfautohint
   (package
     (name "ttfautohint")
@@ -331,12 +318,6 @@ Font Format (WOFF).")
 (define-public fontconfig
   (package
    (name "fontconfig")
-
-   ;; This replacement is not security-related, but works around the fact
-   ;; that gs-fonts are not recognized by newer versions of Pango, causing
-   ;; many applications to fail to find fonts otherwise.
-   (replacement fontconfig/font-dejavu)
-
    (version "2.13.1")
    (source (origin
             (method url-fetch)
@@ -351,16 +332,19 @@ Font Format (WOFF).")
    (propagated-inputs `(("expat" ,expat)
                         ("freetype" ,freetype)
                         ("libuuid" ,util-linux "lib")))
-   (inputs `(("gs-fonts" ,gs-fonts)))
+   (inputs
+    ;; We use to use 'gs-fonts' but they are not recognized by newer versions
+    ;; of Pango, causing many applications to fail to find fonts otherwise.
+    `(("font-dejavu" ,font-dejavu)))
    (native-inputs
     `(("gperf" ,gperf)
       ("pkg-config" ,pkg-config)))
    (arguments
     `(#:configure-flags
       (list "--with-cache-dir=/var/cache/fontconfig"
-            ;; register gs-fonts as default fonts
+            ;; register the default fonts
             (string-append "--with-default-fonts="
-                           (assoc-ref %build-inputs "gs-fonts")
+                           (assoc-ref %build-inputs "font-dejavu")
                            "/share/fonts")
 
             ;; Register fonts from user and system profiles.
@@ -393,13 +377,6 @@ high quality, anti-aliased and subpixel rendered text on a display.")
                        "See COPYING in the distribution."))
    (home-page "https://www.freedesktop.org/wiki/Software/fontconfig")))
 
-(define fontconfig/font-dejavu
-  (package
-    (inherit fontconfig)
-    (inputs
-     ;; XXX: Reuse the name to avoid having to override the configure flags.
-     `(("gs-fonts" ,font-dejavu)))))
-
 (define-public t1lib
   (package
    (name "t1lib")
@@ -575,16 +552,15 @@ using the above tables.")
 (define-public libspiro
   (package
     (name "libspiro")
-    (version "20190731")
-    (replacement libspiro-20200505)
+    (version "20200505")
     (source
      (origin
       (method url-fetch)
       (uri (string-append "https://github.com/fontforge/libspiro/releases"
-                          "/download/" version "/libspiro-" version ".tar.gz"))
+                          "/download/" version "/libspiro-dist-" version ".tar.gz"))
       (sha256
        (base32
-        "0m63x97b7aciviijprvy85gm03p2jsgslxn323zl9zn7qz6d3ir4"))))
+        "0j8fmyj4wz6mqk17dqs6f8jx0i52n68gv5px17qbrjnbilg9mih6"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--disable-static")))
@@ -595,19 +571,6 @@ smooth contours with constant curvature at the spline joins.")
     (license license:gpl2+)
     (home-page "http://libspiro.sourceforge.net/")))
 
-(define libspiro-20200505
-  (package
-    (inherit libspiro)
-    (version "20200505")
-    (source
-     (origin
-      (method url-fetch)
-      (uri (string-append "https://github.com/fontforge/libspiro/releases"
-                          "/download/" version "/libspiro-dist-" version ".tar.gz"))
-      (sha256
-       (base32
-        "0j8fmyj4wz6mqk17dqs6f8jx0i52n68gv5px17qbrjnbilg9mih6"))))))
-
 (define-public libuninameslist
   (package
     (name "libuninameslist")
diff --git a/gnu/packages/freedesktop.scm b/gnu/packages/freedesktop.scm
index 09db6de783..56e53a73e2 100644
--- a/gnu/packages/freedesktop.scm
+++ b/gnu/packages/freedesktop.scm
@@ -373,14 +373,14 @@ freedesktop.org project.")
   ;; Updating this will rebuild over 700 packages through libinput-minimal.
   (package
     (name "libinput")
-    (version "1.16.2")
+    (version "1.16.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://freedesktop.org/software/libinput/"
                                   "libinput-" version ".tar.xz"))
               (sha256
                (base32
-                "1ab0q4iya07kvjd2g1vzamj9h57qldi15h3b8324vg3szr88qggw"))))
+                "0acywdjppj5i591l879bnqa9cs4vgdwnhilwk550x5x8sl33m4k5"))))
     (build-system meson-build-system)
     (arguments
      `(#:configure-flags '("-Ddocumentation=false")
diff --git a/gnu/packages/gdb.scm b/gnu/packages/gdb.scm
index 79fc49f5ff..51b800d0d1 100644
--- a/gnu/packages/gdb.scm
+++ b/gnu/packages/gdb.scm
@@ -38,20 +38,20 @@
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix build-system gnu)
+  #:use-module ((guix build utils) #:select (alist-replace))
   #:use-module (srfi srfi-1))
 
-(define-public gdb-9.2
+(define-public gdb-10
   (package
     (name "gdb")
-    (version "9.2")
+    (version "10.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnu/gdb/gdb-"
                                  version ".tar.xz"))
-             (patches (search-patches "gdb-hurd.patch"))
              (sha256
               (base32
-               "0mf5fn8v937qwnal4ykn3ji1y2sxk0fa1yfqi679hxmpg6pdf31n"))))
+               "1h32dckz1y8fnyxh22iyw8h3hnhxr79v1ng85px3ljn1xv71wbzq"))))
 
     (build-system gnu-build-system)
     (arguments
@@ -97,7 +97,7 @@
        ("gmp" ,gmp)
        ("readline" ,readline)
        ("ncurses" ,ncurses)
-       ("guile" ,guile-2.0)
+       ("guile" ,guile-3.0)
        ("python-wrapper" ,python-wrapper)
        ("source-highlight" ,source-highlight)
 
@@ -132,7 +132,7 @@ written in C, C++, Ada, Objective-C, Pascal and more.")
 ;; <https://bugs.gnu.org/37810>.
 (define-public gdb-8.2
   (package
-    (inherit gdb-9.2)
+    (inherit gdb-10)
     (version "8.2.1")
     (source (origin
               (method url-fetch)
@@ -140,31 +140,19 @@ written in C, C++, Ada, Objective-C, Pascal and more.")
                                   version ".tar.xz"))
               (sha256
                (base32
-                "00i27xqawjv282a07i73lp1l02n0a3ywzhykma75qg500wll6sha"))))))
+                "00i27xqawjv282a07i73lp1l02n0a3ywzhykma75qg500wll6sha"))))
+    (inputs
+     (alist-replace "guile" (list guile-2.0)
+                    (package-inputs gdb-10)))))
 
 (define-public gdb
   ;; This is the fixed version that packages depend on.  Update it rarely
   ;; enough to avoid massive rebuilds.
-  gdb-9.2)
-
-(define-public gdb-10
-  (package
-    (inherit gdb)
-    (version "10.1")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/gdb/gdb-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "1h32dckz1y8fnyxh22iyw8h3hnhxr79v1ng85px3ljn1xv71wbzq"))))
-    (inputs
-     `(("guile" ,guile-3.0)
-       ,@(alist-delete "guile" (package-inputs gdb))))))
+  gdb-10)
 
 (define-public gdb-minimal
   (package/inherit
-   gdb-10
+   gdb
    (name "gdb-minimal")
    (inputs (fold alist-delete (package-inputs gdb)
                  '("libxml2" "ncurses" "python-wrapper" "source-highlight")))))
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 4d56f05cf2..03a516dc52 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -170,7 +170,9 @@ printing, and psresize, for adjusting page sizes.")
         (sha256
          (base32
           "0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p"))
-        (patches (search-patches "ghostscript-no-header-creationdate.patch"
+        (patches (search-patches "ghostscript-freetype-compat.patch"
+                                 "ghostscript-CVE-2020-15900.patch"
+                                 "ghostscript-no-header-creationdate.patch"
                                  "ghostscript-no-header-id.patch"
                                  "ghostscript-no-header-uuid.patch"))
         (modules '((guix build utils)))
diff --git a/gnu/packages/gl.scm b/gnu/packages/gl.scm
index 1d44ef8ee1..e378474147 100644
--- a/gnu/packages/gl.scm
+++ b/gnu/packages/gl.scm
@@ -235,7 +235,7 @@ also known as DXTn or DXTC) for Mesa.")
 (define-public mesa
   (package
     (name "mesa")
-    (version "20.1.9")
+    (version "20.2.4")
     (source
       (origin
         (method url-fetch)
@@ -247,9 +247,9 @@ also known as DXTn or DXTC) for Mesa.")
                                   version "/mesa-" version ".tar.xz")))
         (sha256
          (base32
-          "10kk8a8k7f4ip8yaiqdyrx162nbw8pw4h3b4hs4ha8mpd43wlldj"))
+          "14m09bk7akj0k02lg8fhvvzbdsashlbdsgl2cw7wbqfj2mhdqwh5"))
         (patches
-         (search-patches "mesa-skip-disk-cache-test.patch"))))
+         (search-patches "mesa-skip-tests.patch"))))
     (build-system meson-build-system)
     (propagated-inputs
       `(;; The following are in the Requires.private field of gl.pc.
@@ -272,7 +272,7 @@ also known as DXTn or DXTC) for Mesa.")
         ,@(match (%current-system)
             ((or "x86_64-linux" "i686-linux")
              ;; Note: update the 'clang' input of mesa-opencl when bumping this.
-             `(("llvm" ,llvm-10)))
+             `(("llvm" ,llvm-11)))
             (_
              `()))
         ("wayland" ,wayland)
@@ -452,7 +452,7 @@ from software emulation to complete hardware acceleration for modern GPUs.")
      `(("libclc" ,libclc)
        ,@(package-inputs mesa)))
     (native-inputs
-     `(("clang" ,clang-10)
+     `(("clang" ,clang-11)
        ,@(package-native-inputs mesa)))))
 
 (define-public mesa-opencl-icd
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 431111f811..9cc2b1b69e 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
@@ -91,7 +91,6 @@
   (package
     (name "dbus")
     (version "1.12.16")
-    (replacement dbus/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -100,7 +99,8 @@
               (sha256
                (base32
                 "107ckxaff1cv4q6kmfdi2fb1nlsv03312a7kf6lb4biglhpjv8jl"))
-              (patches (search-patches "dbus-helper-search-path.patch"))))
+              (patches (search-patches "dbus-CVE-2020-12049.patch"
+                                       "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -168,20 +168,10 @@ or through unencrypted TCP/IP suitable for use behind a firewall with
 shared NFS home directories.")
     (license license:gpl2+)))                     ; or Academic Free License 2.1
 
-;; Replacement package to fix CVE-2020-12049.
-(define dbus/fixed
-  (package
-    (inherit dbus)
-    (source (origin
-              (inherit (package-source dbus))
-              (patches (append (search-patches "dbus-CVE-2020-12049.patch")
-                               (origin-patches (package-source dbus))))))))
-
 (define glib
   (package
    (name "glib")
    (version "2.62.6")
-   (replacement glib-with-gio-patch)
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/"
@@ -190,7 +180,8 @@ shared NFS home directories.")
             (sha256
              (base32
               "174bsmbmcvaw69ff9g60q5sx0fn23rkhqcwqz17h5s7sprps4kqh"))
-            (patches (search-patches "glib-tests-timer.patch"))
+            (patches (search-patches "glib-appinfo-watch.patch"
+                                     "glib-tests-timer.patch"))
             (modules '((guix build utils)))
             (snippet
              '(begin
@@ -236,6 +227,17 @@ shared NFS home directories.")
                (("gio-launch-desktop")
                 (string-append out "/libexec/gio-launch-desktop")))
               #t)))
+        ;; TODO: Remove the conditional in the next core-updates cycle.
+        ;; Needed to build glib on slower ARM nodes.
+        ,@(if (string-prefix? "arm" (%current-system))
+              `((add-after 'unpack 'increase-test-timeout
+                  (lambda _
+                    (substitute* "meson.build"
+                      (("test_timeout = 60")
+                       "test_timeout = 90")
+                      (("test_timeout_slow = 120")
+                       "test_timeout_slow = 180")))))
+              '())
         (add-before 'build 'pre-build
           (lambda* (#:key inputs outputs #:allow-other-keys)
             ;; For tests/gdatetime.c.
@@ -388,16 +390,6 @@ dynamic loading, and an object system.")
    (home-page "https://developer.gnome.org/glib/")
    (license license:lgpl2.1+)))
 
-(define glib-with-gio-patch
-  ;; GLib with a fix for <https://bugs.gnu.org/35594>.
-  ;; TODO: Fold into 'glib' above in the next rebuild cycle.
-  (package
-    (inherit glib)
-    (source (origin
-              (inherit (package-source glib))
-              (patches (cons (search-patch "glib-appinfo-watch.patch")
-                             (origin-patches (package-source glib))))))))
-
 (define-public glib-with-documentation
   ;; glib's doc must be built in a separate package since it requires gtk-doc,
   ;; which in turn depends on glib.
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index c72ad9a506..18ceb6def4 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -2956,19 +2956,31 @@ configuring CUPS.")
 (define-public libnotify
   (package
     (name "libnotify")
-    (version "0.7.7")
+    (version "0.7.9")
     (source
      (origin
-      (method url-fetch)
-      (uri (string-append "mirror://gnome/sources/" name "/"
-                          (version-major+minor version)  "/"
-                          name "-" version ".tar.xz"))
-      (sha256
-       (base32
-        "017wgq9n00hx39n0hm784zn18hl721hbaijda868cm96bcqwxd4w"))))
-    (build-system gnu-build-system)
+       (method url-fetch)
+       (uri (string-append "mirror://gnome/sources/" name "/"
+                           (version-major+minor version)  "/"
+                           name "-" version ".tar.xz"))
+       (sha256
+        (base32
+         "0qa7cx6ra5hwqnxw95b9svgjg5q6ynm8y843iqjszxvds5z53h36"))))
+    (build-system meson-build-system)
     (arguments
-     `(#:configure-flags '("--disable-static")))
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'fix-docbook
+           (lambda* (#:key inputs #:allow-other-keys)
+             ;; Don't attempt to download XSL schema.
+             (substitute* "meson.build"
+               (("http://docbook.sourceforge.net/release/xsl-ns/current\
+/manpages/docbook.xsl")
+                (string-append (assoc-ref inputs "docbook-xsl")
+                               "/xml/xsl/docbook-xsl-"
+                               ,(package-version docbook-xsl)
+                               "/manpages/docbook.xsl")))
+             #t)))))
     (propagated-inputs
      `(;; In Requires of libnotify.pc.
        ("gdk-pixbuf" ,gdk-pixbuf)
@@ -2977,9 +2989,14 @@ configuring CUPS.")
      `(("gtk+" ,gtk+)
        ("libpng" ,libpng)))
     (native-inputs
-      `(("pkg-config" ,pkg-config)
-        ("glib" ,glib "bin")
-        ("gobject-introspection" ,gobject-introspection)))
+     `(("pkg-config" ,pkg-config)
+       ("glib" ,glib "bin")
+       ("gobject-introspection" ,gobject-introspection)
+
+       ;; For the documentation.
+       ("gtk-doc" ,gtk-doc)
+       ("xsltproc" ,libxslt)
+       ("docbook-xsl" ,docbook-xsl)))
     (home-page "https://developer-next.gnome.org/libnotify/")
     (synopsis
      "GNOME desktop notification library")
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 93e3690bb0..84ec0a7fb3 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -935,7 +935,7 @@ from forcing GEXP-PROMISE."
        ("llvm" ,llvm)
        ("clang" ,clang)
        ("perl" ,perl)
-       ("node" ,node-10.22)
+       ("node" ,node)
        ("python" ,python)
        ("python-2" ,python-2)
        ("python2-pysqlite" ,python2-pysqlite)
@@ -1604,7 +1604,7 @@ standards of the IceCat project.")
        ("clang" ,clang)
        ("llvm" ,llvm)
        ("nasm" ,nasm)
-       ("node" ,node-10.22)
+       ("node" ,node)
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
        ("python" ,python)
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 944eba03d9..b582585d75 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -398,7 +398,7 @@ arrays of data.")
 (define-public gstreamer-docs
   (package
     (name "gstreamer-docs")
-    (version "1.18.1")
+    (version "1.18.2")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -406,7 +406,7 @@ arrays of data.")
                     "/gstreamer-docs-" version ".tar.xz"))
               (sha256
                (base32
-                "0npnsr1z4x951nw8bfcna1xlgi1p0b4qb291jj3pywlib2lscnnv"))))
+                "07hrgn11ll16yahyyh5684k8ms1j9npsyb8lj0skwbapin4czshm"))))
     (build-system trivial-build-system)
     (arguments
      `(#:modules ((guix build utils))
@@ -461,7 +461,7 @@ the GStreamer multimedia framework.")
 (define-public gstreamer
   (package
     (name "gstreamer")
-    (version "1.18.1")
+    (version "1.18.2")
     (source
      (origin
       (method url-fetch)
@@ -470,7 +470,7 @@ the GStreamer multimedia framework.")
             version ".tar.xz"))
       (sha256
        (base32
-        "1fpcpsw740svvdxvvwn0hly5i72miizm4s0mbid10ji83zi8vpvr"))))
+        "0ijlmvr660m8zn09xlmnq1ajrziqsivp2hig5a9mabhcjx7ypkb6"))))
     (build-system meson-build-system)
     (arguments
      `(#:phases
@@ -521,7 +521,7 @@ This package provides the core library and elements.")
 (define-public gst-plugins-base
   (package
     (name "gst-plugins-base")
-    (version "1.18.1")
+    (version "1.18.2")
     (source
      (origin
       (method url-fetch)
@@ -529,7 +529,7 @@ This package provides the core library and elements.")
                           name "-" version ".tar.xz"))
       (sha256
        (base32
-        "0hf66sh8d4x2ksfnvaq2rqrrfq0vi0pv6wbh9i5jixrhvvbm99hv"))))
+        "1b05kg46azrxxvq42c71071lfsnc34pw4vynnkczdqi6g0gzn16x"))))
     (build-system meson-build-system)
     (propagated-inputs
      `(("glib" ,glib)              ;required by gstreamer-sdp-1.0.pc
@@ -583,7 +583,7 @@ for the GStreamer multimedia library.")
 (define-public gst-plugins-good
   (package
     (name "gst-plugins-good")
-    (version "1.18.1")
+    (version "1.18.2")
     (source
      (origin
        (method url-fetch)
@@ -591,22 +591,15 @@ for the GStreamer multimedia library.")
         (string-append
          "https://gstreamer.freedesktop.org/src/" name "/"
          name "-" version ".tar.xz"))
+       (patches (search-patches "gst-plugins-good-fix-test.patch"))
        (sha256
-        (base32 "0v329xi4qhlfh9aksfyviryqk9lclm4wj1lxrjnbdv4haldfj472"))))
+        (base32 "1929nhjsvbl4bw37nfagnfsnxz737cm2x3ayz9ayrn9lwkfm45zp"))))
     (build-system meson-build-system)
     (arguments
      `(#:glib-or-gtk? #t     ; To wrap binaries and/or compile schemas
        #:phases
        (modify-phases %standard-phases
          ,@%common-gstreamer-phases
-         (add-after 'unpack 'fix-broken-test
-           (lambda _
-             ;; Fix test failure on 32-bit.  Remove for > 1.18.1.
-             ;; https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/803
-             (substitute* "tests/check/elements/qtdemux.c"
-               (("10000000")
-                "G_GUINT64_CONSTANT (10000000)"))
-             #t))
          (add-before 'check 'pre-check
            (lambda _
              ;; Tests require a running X server.
@@ -681,14 +674,14 @@ model to base your own plug-in on, here it is.")
 (define-public gst-plugins-bad
   (package
     (name "gst-plugins-bad")
-    (version "1.18.1")
+    (version "1.18.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://gstreamer.freedesktop.org/src/"
                                   name "/" name "-" version ".tar.xz"))
               (sha256
                (base32
-                "1cn18cbqyysrxnrk5bpxdzd5xcws9g2kmm5rbv00cx6rhn69g5f1"))))
+                "06ildd4rl6cynirv3p00d2ddf5is9svj4i7mkahldzhq24pq5mca"))))
     (build-system meson-build-system)
     (arguments
      `(#:phases
@@ -789,7 +782,7 @@ par compared to the rest.")
 (define-public gst-plugins-ugly
   (package
     (name "gst-plugins-ugly")
-    (version "1.18.1")
+    (version "1.18.2")
     (source
      (origin
        (method url-fetch)
@@ -797,7 +790,7 @@ par compared to the rest.")
         (string-append "https://gstreamer.freedesktop.org/src/"
                        name "/" name "-" version ".tar.xz"))
        (sha256
-        (base32 "09gpbykjchw3lb51ipxj53fy238gr9mg9jybcg5135pb56w6rk8q"))))
+        (base32 "1nwbcv5yaib3d8icvyja3zf6lyjf5zf1hndbijrhj8j7xlia0dx3"))))
     (build-system meson-build-system)
     (arguments
      `(#:glib-or-gtk? #t     ; To wrap binaries and/or compile schemas
@@ -848,7 +841,7 @@ think twice about shipping them.")
 (define-public gst-libav
   (package
     (name "gst-libav")
-    (version "1.18.1")
+    (version "1.18.2")
     (source
      (origin
        (method url-fetch)
@@ -857,7 +850,7 @@ think twice about shipping them.")
          "https://gstreamer.freedesktop.org/src/" name "/"
          name "-" version ".tar.xz"))
        (sha256
-        (base32 "1n1fkkbxxsndblnbm0c2ziqp967hrz5gag6z36xbpvqk4sy1g9rr"))))
+        (base32 "0jbzams9ggk3sq9ywv4gsl9rghyn203l2582m6l5c1sz9ka9m5in"))))
     (build-system meson-build-system)
     (native-inputs
      `(("perl" ,perl)
@@ -878,7 +871,7 @@ decoders, muxers, and demuxers provided by FFmpeg.")
 (define-public gst-editing-services
   (package
     (name "gst-editing-services")
-    (version "1.18.1")
+    (version "1.18.2")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -886,7 +879,7 @@ decoders, muxers, and demuxers provided by FFmpeg.")
                     "gst-editing-services-" version ".tar.xz"))
               (sha256
                (base32
-                "09rr5a198p1r9wcbsjl01xg6idkfkgj5h9x7xxywarb5i7qv6g79"))))
+                "0pv2k8zlpn3vv2sdlspi3m63ixcwzi90pjly2ypbkg59ab97rb15"))))
     (build-system meson-build-system)
     (arguments
      ;; FIXME: 16/22 failing tests.
@@ -944,7 +937,7 @@ given, also pass them to the build system instead of the ones used by PKG."
 (define-public python-gst
   (package
     (name "python-gst")
-    (version "1.18.1")
+    (version "1.18.2")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -952,7 +945,7 @@ given, also pass them to the build system instead of the ones used by PKG."
                     "gst-python-" version ".tar.xz"))
               (sha256
                (base32
-                "1xpncj9xdn6ycnmrqnk6iaqaia658licyj08cxbjgcvs5x18kcj2"))))
+                "171qxzndii7ynn9ag3a12h9vyydxzwy1j4ip3cb8hgim1dv0z7g1"))))
     (build-system meson-build-system)
     (arguments
      `(#:modules ((guix build meson-build-system)
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 89efcd61c4..cd6f9bd7ce 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -357,7 +357,18 @@ used throughout the world.")
               (base32
                "17bwb7dgbncrfsmchlib03k9n3xaalirb39g3yb43gg8cg6p8aqx"))))
    (build-system gnu-build-system)
-   (arguments '())))
+   (arguments
+    '(#:phases (modify-phases %standard-phases
+                 (add-after 'configure 'disable-layout-test
+                   (lambda _
+                     ;; This test requires that fontconfig uses bitmap fonts
+                     ;; such as "gs-fonts"; however providing such a package
+                     ;; alone is not enough, as the requirement comes from
+                     ;; deeper in the font stack.  Since this version of Pango
+                     ;; is only used for librsvg, simply disable the test.
+                     (substitute* "tests/Makefile"
+                       (("test-layout\\$\\(EXEEXT\\)") ""))
+                     #t)))))))
 
 (define-public pangox-compat
   (package
@@ -830,7 +841,7 @@ application suites.")
 (define-public gtk+
   (package (inherit gtk+-2)
    (name "gtk+")
-   (version "3.24.23")
+   (version "3.24.24")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/" name "/"
@@ -838,7 +849,7 @@ application suites.")
                                 name "-" version ".tar.xz"))
             (sha256
              (base32
-              "1cg2vbwbcp7bc84ky0b69ipgdr9djhspnf5k8lajb8jphcj4v1jx"))
+              "12ipk1d376bai9v820qzhxba93kkh5abi6mhyqr4hwjvqmkl77fc"))
             (patches (search-patches "gtk3-respect-GUIX_GTK3_PATH.patch"
                                      "gtk3-respect-GUIX_GTK3_IM_MODULE_FILE.patch"))))
    (propagated-inputs
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 935333dee2..339bd7dcf2 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -981,7 +981,7 @@ Metafile}, and @acronym{EMF+, Enhanced Metafile Plus} files.")
 (define-public imlib2
   (package
     (name "imlib2")
-    (version "1.7.0")
+    (version "1.7.1")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -989,7 +989,7 @@ Metafile}, and @acronym{EMF+, Enhanced Metafile Plus} files.")
                     "/imlib2-" version ".tar.bz2"))
               (sha256
                (base32
-                "0zdk4afdrrr1539f2q15zja19j4wwfmpswzws2ffgflcnhywlxhr"))))
+                "01y45cdml2dr9cqgybrgxr86sd77d1qfa1gzclzy1j6bkminlfh3"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags (list "--disable-static")))
@@ -1617,15 +1617,14 @@ is hereby granted."))))
 (define-public libjpeg-turbo
   (package
     (name "libjpeg-turbo")
-    (version "2.0.4")
-    (replacement libjpeg-turbo/fixed)
+    (version "2.0.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
                                   version "/libjpeg-turbo-" version ".tar.gz"))
               (sha256
                (base32
-                "01ill8bgjyk582wipx7sh7gj2nidylpbzvwhx0wkcm6mxx3qbp9k"))))
+                "0pbv6pc97kbj7ib31qcwi7lnmm9xg5y3b11aasmkhfjvf7rgdy0n"))))
     (build-system cmake-build-system)
     (native-inputs
      `(("nasm" ,nasm)))
@@ -1675,18 +1674,6 @@ and decompress to 32-bit and big-endian pixel buffers (RGBX, XBGR, etc.).")
                    license:ijg          ;the libjpeg library and associated tools
                    license:zlib))))     ;the libjpeg-turbo SIMD extensions
 
-(define libjpeg-turbo/fixed
-  (package
-    (inherit libjpeg-turbo)
-    (version "2.0.5")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
-                                  version "/libjpeg-turbo-" version ".tar.gz"))
-              (sha256
-               (base32
-                "0pbv6pc97kbj7ib31qcwi7lnmm9xg5y3b11aasmkhfjvf7rgdy0n"))))))
-
 (define-deprecated libjpeg libjpeg-turbo)
 (export libjpeg)
 
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 1f80abd012..02a627f17e 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -50,14 +50,14 @@
     ;; The 7 release series has an incompatible API, while the 6 series is still
     ;; maintained. Don't update to 7 until we've made sure that the ImageMagick
     ;; users are ready for the 7-series API.
-    (version "6.9.11-34")
+    (version "6.9.11-48")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://imagemagick/ImageMagick-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "0acdjkkgjgpfcwj9h9zncywjjrrgb9sh0cvfn3jamjxh5byf638s"))))
+               "0m8nkmywkqwyrr01q7aiakj6mi4rb2psjgzv8n0x82x3s1rpfyql"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--with-frozenpaths" "--without-gcc-arch"
@@ -126,20 +126,6 @@ transform images, adjust image colors, apply various special effects, or draw
 text, lines, polygons, ellipses and Bézier curves.")
     (license (license:fsf-free "http://www.imagemagick.org/script/license.php"))))
 
-;; XXX: 'transcode' fails to detect the above ImageMagick, so we provide
-;; this newer version.
-(define-public imagemagick-next
-  (package
-    (inherit imagemagick)
-    (version "6.9.11-37")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "mirror://imagemagick/ImageMagick-"
-                                 version ".tar.xz"))
-             (sha256
-              (base32
-               "19r6fyhr1bycx0p6jz034mil1zh2k7hfr02is40h4g3wf9b9sdni"))))))
-
 (define-public perl-image-magick
   (package
     (name "perl-image-magick")
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index 9ecbf75d34..5482400f02 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2016, 2019 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2019, 2020 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016-2019 Hartmut Goebel <h.goebel@crazy-compilers.com>
 ;;; Copyright © 2016 David Craven <david@craven.ch>
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
@@ -1088,15 +1088,11 @@ represented by a QPoint or a QSize.")
     (arguments
      `(#:phases
        (modify-phases %standard-phases
-         (add-before 'check 'start-xorg-server
-           (lambda* (#:key inputs #:allow-other-keys)
-             ;; The test suite requires a running X server.
-             ;; Xvfb doesn't have proper glx support and needs a pixeldepth
-             ;; of 24 bit to avoid "libGL error: failed to load driver: swrast"
-             ;;                    "Could not initialize GLX"
-             (system (string-append (assoc-ref inputs "xorg-server")
-                                    "/bin/Xvfb :1 -screen 0 640x480x24 &"))
-             (setenv "DISPLAY" ":1")
+         (add-after 'unpack 'adjust-tests
+           (lambda _
+             ;; It is unclear why this test suddenly started failing.
+             (substitute* "autotests/kcolumnresizertest.cpp"
+               ((".*QCOMPARE.*") ""))
              #t)))))
     (home-page "https://community.kde.org/Frameworks")
     (synopsis "Large set of desktop widgets")
@@ -3480,6 +3476,13 @@ script engines.")
        ("qtdeclarative" ,qtdeclarative)))
     (arguments
      `(#:tests? #f  ;; seem to require network; don't find QTQuick components
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'dont-use-qt515-logic
+           (lambda _
+             (substitute* "src/externalprocess/purposeprocess_main.cpp"
+               ((" 15") " 16"))
+             #t)))
        #:configure-flags '("-DBUILD_TESTING=OFF"))) ; not run anyway
     (home-page "https://community.kde.org/Frameworks")
     (synopsis "Offers available actions for a specific purpose")
diff --git a/gnu/packages/kde.scm b/gnu/packages/kde.scm
index 73be8af9b0..9173aea80f 100644
--- a/gnu/packages/kde.scm
+++ b/gnu/packages/kde.scm
@@ -126,6 +126,7 @@ This package contains GUI widgets for baloo.")
         (base32 "0gabc5cb0sf00s7m5v2jnq55qsrdbrq6nqd15y1i15p788zifsjx"))
        (patches (search-patches "grantlee-merge-theme-dirs.patch"))))
     (build-system qt-build-system)
+    (arguments `(#:tests? #f))  ; unexpected error in the test suite.
     (native-inputs
      `(("extra-cmake-modules" ,extra-cmake-modules)
        ("libxml2" ,libxml2))) ;; xmllint required for tests
diff --git a/gnu/packages/libffi.scm b/gnu/packages/libffi.scm
index 5b8f277009..6c434bbe90 100644
--- a/gnu/packages/libffi.scm
+++ b/gnu/packages/libffi.scm
@@ -111,13 +111,13 @@ conversions for values passed between the two languages.")
 (define-public python-cffi
   (package
     (name "python-cffi")
-    (version "1.14.0")
+    (version "1.14.4")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "cffi" version))
       (sha256
-       (base32 "1dn279gw5ql8i5n3s5v4rnv96rhhjjfn7xq729qbl5bs2954yf1d"))))
+       (base32 "0v080s7vlrjz9z823x2yh36yc8drwpvvir6w8wfkkzd7k2z5qihs"))))
     (build-system python-build-system)
     (inputs
      `(("libffi" ,libffi)))
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 1d68229281..9e31dfc5db 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -1316,7 +1316,7 @@ application by hooking GStreamer into the loopback device.")
 (define-public linux-pam
   (package
     (name "linux-pam")
-    (version "1.4.0")
+    (version "1.5.1")
     (source
      (origin
        (method url-fetch)
@@ -1325,7 +1325,7 @@ application by hooking GStreamer into the loopback device.")
              version "/Linux-PAM-" version ".tar.xz"))
        (sha256
         (base32
-         "0d6hvz6lpkac08hw5wnlhfdm0fhqd0n6jf6v7fz3jhg6a6694vfd"))
+         "1z4jayf69qyyxln1gl6ch4qxfd66ib1g42garnrv2d8i1drl0790"))
        (patches (search-patches "linux-pam-no-setfsuid.patch"))))
 
     (build-system gnu-build-system)
@@ -2068,7 +2068,7 @@ intercept and print the system calls executed by the program.")
 (define-public alsa-lib
   (package
     (name "alsa-lib")
-    (version "1.2.3.2")
+    (version "1.2.4")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -2076,7 +2076,7 @@ intercept and print the system calls executed by the program.")
                    version ".tar.bz2"))
              (sha256
               (base32
-               "05dyk856ppvqymazyk1cmpln53g88cq1wjpnsygqrvnamyvwa7z8"))))
+               "1xq8d48wfy59qw4x7383j32n8j5njndw5hcgnmlg9pvclphlnmgp"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags (list (string-append "LDFLAGS=-Wl,-rpath="
@@ -2092,14 +2092,14 @@ MIDI functionality to the Linux-based operating system.")
 (define-public alsa-utils
   (package
     (name "alsa-utils")
-    (version "1.2.3")
+    (version "1.2.4")
     (source (origin
              (method url-fetch)
              (uri (string-append "ftp://ftp.alsa-project.org/pub/utils/"
                                  name "-" version ".tar.bz2"))
              (sha256
               (base32
-               "1ai1z4kf91b1m3qrpwqkc1af5vm2fkdkknqv95xdwf19q94aw6gz"))))
+               "09m4dnn4kplawprd2bl15nwa0b4r1brab3x44ga7f1fyk7aw5zwq"))))
     (build-system gnu-build-system)
     (arguments
      ;; XXX: Disable man page creation until we have DocBook.
@@ -2162,6 +2162,11 @@ MIDI functionality to the Linux-based operating system.")
     ;; ALSA applications on OSS however we do not offer OSS and OSS is
     ;; obsolete.
     (outputs '("out" "pulseaudio" "jack"))
+    (native-search-paths
+      (list (search-path-specification
+              (variable "ALSA_PLUGIN_DIR")
+              (files '("lib/alsa-lib"))
+              (separator #f))))
     (arguments
      `(#:configure-flags '(;; Do not install a "local" configuration targeted
                            ;; for /etc/alsa.  On Guix System plugins are loaded from
@@ -2534,7 +2539,7 @@ Linux-based operating systems.")
 (define-public libcap
   (package
     (inherit libcap-2.31)
-    (version "2.44")
+    (version "2.45")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -2542,7 +2547,7 @@ Linux-based operating systems.")
                     "libcap2/libcap-" version ".tar.xz"))
               (sha256
                (base32
-                "1qf80lifygbnxwvqjf8jz5j24n6fqqx4ixnkbf76xs2vrmcq664j"))))
+                "11ijmi7jik9iw6pdszc6bylhggghr8cza03bcrbhbqf0cpvkjrnn"))))
     (arguments
      (substitute-keyword-arguments (package-arguments libcap-2.31)
        ((#:phases phases)
@@ -4715,14 +4720,15 @@ event traces from the kernel (via the relaying through the debug file system).")
 (define-public sbc
   (package
     (name "sbc")
-    (version "1.4")
+    (version "1.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/bluetooth/sbc-"
                                   version ".tar.xz"))
+              (patches (search-patches "sbc-fix-build-non-x86.patch"))
               (sha256
                (base32
-                "1jal98pnrjkzxlkiqy0ykh4qmgnydz9bmsp1jn581p5kddpg92si"))))
+                "1liig5856crb331dps18mp0s13zbkv7yh007zqhq97m94fcddfhc"))))
     (build-system gnu-build-system)
     (inputs
      `(("libsndfile" ,libsndfile)))
diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm
index a495f6d763..77c47ec71f 100644
--- a/gnu/packages/node.scm
+++ b/gnu/packages/node.scm
@@ -50,14 +50,14 @@
 (define-public node
   (package
     (name "node")
-    (version "10.20.0")
+    (version "10.22.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://nodejs.org/dist/v" version
                                   "/node-v" version ".tar.xz"))
               (sha256
                (base32
-                "0cvjwnl0wkcsyw3kannbdv01s235wrnp11n2s6swzjx95gpichfi"))
+                "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl"))
               (modules '((guix build utils)))
               (snippet
                `(begin
@@ -211,24 +211,6 @@ devices.")
     (properties '((max-silent-time . 7200)     ;2h, needed on ARM
                   (timeout . 21600)))))        ;6h
 
-;; TODO: Make this the default node on core-updates.  This cannot be done on
-;; master since this version of node requires a newer nghttp2 library at link
-;; time.
-(define-public node-10.22
-  (package
-    (inherit node)
-    (version "10.22.1")
-    (source (origin
-              (inherit (package-source node))
-              (uri (string-append "https://nodejs.org/dist/v" version
-                                  "/node-v" version ".tar.xz"))
-              (sha256
-               (base32
-                "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl"))))
-    (inputs
-     (alist-replace "nghttp2" (list nghttp2-1.41 "lib")
-                    (package-inputs node)))))
-
 (define-public libnode
   (package
     (inherit node)
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index 6e2ca883e0..0444b47071 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -73,7 +73,7 @@ in the Mozilla clients.")
 (define-public nss
   (package
     (name "nss")
-    (version "3.57")
+    (version "3.59")
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
@@ -84,7 +84,7 @@ in the Mozilla clients.")
                       "nss-" version ".tar.gz")))
               (sha256
                (base32
-                "10n3pncg6k81ikjz12la147rppwqn57bkrdl9gb820w6pq0nra2m"))
+                "096fs3z21r171q24ca3rq53p1389xmvqz1f2rpm7nlm8r9s82ag6"))
               ;; Create nss.pc and nss-config.
               (patches (search-patches "nss-3.56-pkgconfig.patch"
                                        "nss-increase-test-timeout.patch"))
@@ -139,7 +139,7 @@ in the Mozilla clients.")
              ;; leading to test failures:
              ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
              ;; work around that, set the time to roughly the release date.
-             (invoke "faketime" "2020-10-01" "./nss/tests/all.sh")))
+             (invoke "faketime" "2020-11-01" "./nss/tests/all.sh")))
          (replace 'install
            (lambda* (#:key outputs #:allow-other-keys)
              (let* ((out (assoc-ref outputs "out"))
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index 6e863388d8..fb917882e7 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017, 2018, 2019 Ricardo Wurmus <rekado@elephly.net>
@@ -61,25 +61,23 @@
 (define-public openldap
   (package
    (name "openldap")
-   (replacement openldap-2.4.50)
-   (version "2.4.49")
+   (version "2.4.50")
    (source (origin
-            (method url-fetch)
-
-            ;; See <http://www.openldap.org/software/download/> for a list of
-            ;; mirrors.
-            (uri (list (string-append
-                        "ftp://mirror.switch.ch/mirror/OpenLDAP/"
-                        "openldap-release/openldap-" version ".tgz")
-                       (string-append
-                        "https://www.openldap.org/software/download/OpenLDAP/"
-                        "openldap-release/openldap-" version ".tgz")
-                       (string-append
-                        "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"
-                        "openldap-release/openldap-" version ".tgz")))
-            (sha256
-             (base32
-              "0vp524rsngdcykf6ki7vprsyg7gj8z7hszg8xwxz50219fa1gcg3"))))
+             (method url-fetch)
+             ;; See <http://www.openldap.org/software/download/> for a list of
+             ;; mirrors.
+             (uri (list (string-append
+                         "ftp://mirror.switch.ch/mirror/OpenLDAP/"
+                         "openldap-release/openldap-" version ".tgz")
+                        (string-append
+                         "https://www.openldap.org/software/download/OpenLDAP/"
+                         "openldap-release/openldap-" version ".tgz")
+                        (string-append
+                         "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"
+                         "openldap-release/openldap-" version ".tgz")))
+             (sha256
+              (base32
+               "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw"))))
    (build-system gnu-build-system)
    (inputs `(("bdb" ,bdb-5.3)
              ("cyrus-sasl" ,cyrus-sasl)
@@ -127,19 +125,6 @@
    (license openldap2.8)
    (home-page "https://www.openldap.org/")))
 
-(define openldap-2.4.50
-  (package
-    (inherit openldap)
-    (version "2.4.50")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://www.openldap.org/software/download/"
-                                  "OpenLDAP/openldap-release/openldap-" version
-                                  ".tgz"))
-              (sha256
-               (base32
-                "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw"))))))
-
 (define-public nss-pam-ldapd
   (package
     (name "nss-pam-ldapd")
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 98af2187fa..669f69e755 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -408,7 +408,7 @@ $(prefix)/etc/init.d\n")))
 
          ("glibc-utf8-locales" ,glibc-utf8-locales)))
       (propagated-inputs
-       `(("gnutls" ,(if (%current-target-system) gnutls/fixed gnutls))
+       `(("gnutls" ,gnutls)
          ;; Avahi requires "glib" which doesn't cross-compile yet.
          ,@(if (%current-target-system)
                '()
diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
new file mode 100644
index 0000000000..b6658d7c7f
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
@@ -0,0 +1,36 @@
+Fix CVE-2020-15900.
+
+https://cve.circl.lu/cve/CVE-2020-15900
+https://artifex.com/security-advisories/CVE-2020-15900
+
+Taken from upstream:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
+
+diff --git a/psi/zstring.c b/psi/zstring.c
+--- a/psi/zstring.c
++++ b/psi/zstring.c
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
+     return 0;
+ found:
+     op->tas.type_attrs = op1->tas.type_attrs;
+-    op->value.bytes = ptr;
+-    r_set_size(op, size);
++    op->value.bytes = ptr;				/* match */
++    op->tas.rsize = size;				/* match */
+     push(2);
+-    op[-1] = *op1;
+-    r_set_size(op - 1, ptr - op[-1].value.bytes);
+-    op1->value.bytes = ptr + size;
+-    r_set_size(op1, count + (!forward ? (size - 1) : 0));
++    op[-1] = *op1;					/* pre */
++    op[-3].value.bytes = ptr + size;			/* post */
++    if (forward) {
++        op[-1].tas.rsize = ptr - op[-1].value.bytes;	/* pre */
++        op[-3].tas.rsize = count;			/* post */
++    } else {
++        op[-1].tas.rsize = count;			/* pre */
++        op[-3].tas.rsize -= count + size;		/* post */
++    }
+     make_true(op);
+     return 0;
+ }
diff --git a/gnu/packages/patches/ghostscript-freetype-compat.patch b/gnu/packages/patches/ghostscript-freetype-compat.patch
new file mode 100644
index 0000000000..cc225b5ad6
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-freetype-compat.patch
@@ -0,0 +1,35 @@
+Fix build with FreeType 2.10.3 and newer.
+
+Taken from upstream:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b9db7115fbe9623f989bfb47bbade
+
+diff --git a/base/fapi_ft.c b/base/fapi_ft.c
+--- a/base/fapi_ft.c
++++ b/base/fapi_ft.c
+@@ -125,7 +125,7 @@ static void
+ delete_inc_int_info(gs_fapi_server * a_server,
+                     FT_IncrementalRec * a_inc_int_info);
+ 
+-FT_CALLBACK_DEF(void *)
++static void *
+ FF_alloc(FT_Memory memory, long size)
+ {
+     gs_memory_t *mem = (gs_memory_t *) memory->user;
+@@ -133,7 +133,7 @@ FF_alloc(FT_Memory memory, long size)
+     return (gs_malloc(mem, size, 1, "FF_alloc"));
+ }
+ 
+-FT_CALLBACK_DEF(void *)
++static void *
+     FF_realloc(FT_Memory memory, long cur_size, long new_size, void *block)
+ {
+     gs_memory_t *mem = (gs_memory_t *) memory->user;
+@@ -153,7 +153,7 @@ FT_CALLBACK_DEF(void *)
+     return (tmp);
+ }
+ 
+-FT_CALLBACK_DEF(void)
++static void
+     FF_free(FT_Memory memory, void *block)
+ {
+     gs_memory_t *mem = (gs_memory_t *) memory->user;
diff --git a/gnu/packages/patches/gst-plugins-good-fix-test.patch b/gnu/packages/patches/gst-plugins-good-fix-test.patch
new file mode 100644
index 0000000000..38ec0ba802
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-good-fix-test.patch
@@ -0,0 +1,94 @@
+Fix a broken test:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/803
+
+Patches copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/2ce5909f3a0b0da3abb7b794215d6b8b72a3b7fa
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/f5310ce346180a717f091f2f09bcbb3ddfb15436
+
+From 2ce5909f3a0b0da3abb7b794215d6b8b72a3b7fa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
+Date: Thu, 12 Nov 2020 23:38:21 +0000
+Subject: [PATCH 1/2] tests: qtdemux: fix crash on 32-bit architectures
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/issues/803
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/815>
+---
+ tests/check/elements/qtdemux.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/tests/check/elements/qtdemux.c b/tests/check/elements/qtdemux.c
+index 5271c6576..0c748278b 100644
+--- a/tests/check/elements/qtdemux.c
++++ b/tests/check/elements/qtdemux.c
+@@ -797,9 +797,10 @@ GST_START_TEST (test_qtdemux_pad_names)
+       "protection-system", G_TYPE_STRING,
+       "9a04f079-9840-4286-ab92-e65be0885f95", NULL);
+   caps =
+-      gst_caps_new_simple ("video/quicktime", "variant", G_TYPE_STRING,
+-      "mss-fragmented", "timesacle", G_TYPE_UINT64, 10000000, "media-caps",
+-      GST_TYPE_CAPS, mediacaps, NULL);
++      gst_caps_new_simple ("video/quicktime",
++      "variant", G_TYPE_STRING, "mss-fragmented",
++      "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
++      "media-caps", GST_TYPE_CAPS, mediacaps, NULL);
+ 
+   /* Send segment event* */
+   event = gst_event_new_caps (caps);
+@@ -852,9 +853,10 @@ GST_START_TEST (test_qtdemux_pad_names)
+       "protection-system", G_TYPE_STRING,
+       "9a04f079-9840-4286-ab92-e65be0885f95", NULL);
+   caps =
+-      gst_caps_new_simple ("video/quicktime", "variant", G_TYPE_STRING,
+-      "mss-fragmented", "timesacle", G_TYPE_UINT64, 10000000, "media-caps",
+-      GST_TYPE_CAPS, mediacaps, NULL);
++      gst_caps_new_simple ("video/quicktime",
++      "variant", G_TYPE_STRING, "mss-fragmented",
++      "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
++      "media-caps", GST_TYPE_CAPS, mediacaps, NULL);
+ 
+   /* Send segment event* */
+   event = gst_event_new_caps (caps);
+-- 
+2.30.0
+
+
+From f5310ce346180a717f091f2f09bcbb3ddfb15436 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
+Date: Thu, 12 Nov 2020 23:39:21 +0000
+Subject: [PATCH 2/2] tests: qtdemux: fix typo in caps field
+
+timesacle -> timescale
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/merge_requests/815>
+---
+ tests/check/elements/qtdemux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/check/elements/qtdemux.c b/tests/check/elements/qtdemux.c
+index 0c748278b..4a14c45c0 100644
+--- a/tests/check/elements/qtdemux.c
++++ b/tests/check/elements/qtdemux.c
+@@ -799,7 +799,7 @@ GST_START_TEST (test_qtdemux_pad_names)
+   caps =
+       gst_caps_new_simple ("video/quicktime",
+       "variant", G_TYPE_STRING, "mss-fragmented",
+-      "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
++      "timescale", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
+       "media-caps", GST_TYPE_CAPS, mediacaps, NULL);
+ 
+   /* Send segment event* */
+@@ -855,7 +855,7 @@ GST_START_TEST (test_qtdemux_pad_names)
+   caps =
+       gst_caps_new_simple ("video/quicktime",
+       "variant", G_TYPE_STRING, "mss-fragmented",
+-      "timesacle", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
++      "timescale", G_TYPE_UINT64, G_GUINT64_CONSTANT (10000000),
+       "media-caps", GST_TYPE_CAPS, mediacaps, NULL);
+ 
+   /* Send segment event* */
+-- 
+2.30.0
+
diff --git a/gnu/packages/patches/libssh2-CVE-2019-17498.patch b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
new file mode 100644
index 0000000000..6f69e562e2
--- /dev/null
+++ b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
@@ -0,0 +1,126 @@
+https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c.patch
+
+From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+
+* packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+---
+ src/packet.c | 68 ++++++++++++++++++++++------------------------------
+ 1 file changed, 29 insertions(+), 39 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 38ab62944..2e01bfc5d 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                     size_t datalen, int macstate)
+ {
+     int rc = 0;
+-    char *message = NULL;
+-    char *language = NULL;
++    unsigned char *message = NULL;
++    unsigned char *language = NULL;
+     size_t message_len = 0;
+     size_t language_len = 0;
+     LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+         case SSH_MSG_DISCONNECT:
+             if(datalen >= 5) {
+-                size_t reason = _libssh2_ntohu32(data + 1);
++                uint32_t reason = 0;
++                struct string_buf buf;
++                buf.data = (unsigned char *)data;
++                buf.dataptr = buf.data;
++                buf.len = datalen;
++                buf.dataptr++; /* advance past type */
+ 
+-                if(datalen >= 9) {
+-                    message_len = _libssh2_ntohu32(data + 5);
++                _libssh2_get_u32(&buf, &reason);
++                _libssh2_get_string(&buf, &message, &message_len);
++                _libssh2_get_string(&buf, &language, &language_len);
+ 
+-                    if(message_len < datalen-13) {
+-                        /* 9 = packet_type(1) + reason(4) + message_len(4) */
+-                        message = (char *) data + 9;
+-
+-                        language_len =
+-                            _libssh2_ntohu32(data + 9 + message_len);
+-                        language = (char *) data + 9 + message_len + 4;
+-
+-                        if(language_len > (datalen-13-message_len)) {
+-                            /* bad input, clear info */
+-                            language = message = NULL;
+-                            language_len = message_len = 0;
+-                        }
+-                    }
+-                    else
+-                        /* bad size, clear it */
+-                        message_len = 0;
+-                }
+                 if(session->ssh_msg_disconnect) {
+-                    LIBSSH2_DISCONNECT(session, reason, message,
+-                                       message_len, language, language_len);
++                    LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++                                       message_len, (const char *)language,
++                                       language_len);
+                 }
++
+                 _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+                                "Disconnect(%d): %s(%s)", reason,
+                                message, language);
+@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 int always_display = data[1];
+ 
+                 if(datalen >= 6) {
+-                    message_len = _libssh2_ntohu32(data + 2);
+-
+-                    if(message_len <= (datalen - 10)) {
+-                        /* 6 = packet_type(1) + display(1) + message_len(4) */
+-                        message = (char *) data + 6;
+-                        language_len = _libssh2_ntohu32(data + 6 +
+-                                                        message_len);
+-
+-                        if(language_len <= (datalen - 10 - message_len))
+-                            language = (char *) data + 10 + message_len;
+-                    }
++                    struct string_buf buf;
++                    buf.data = (unsigned char *)data;
++                    buf.dataptr = buf.data;
++                    buf.len = datalen;
++                    buf.dataptr += 2; /* advance past type & always display */
++
++                    _libssh2_get_string(&buf, &message, &message_len);
++                    _libssh2_get_string(&buf, &language, &language_len);
+                 }
+ 
+                 if(session->ssh_msg_debug) {
+-                    LIBSSH2_DEBUG(session, always_display, message,
+-                                  message_len, language, language_len);
++                    LIBSSH2_DEBUG(session, always_display,
++                                  (const char *)message,
++                                  message_len, (const char *)language,
++                                  language_len);
+                 }
+             }
++
+             /*
+              * _libssh2_debug will actually truncate this for us so
+              * that it's not an inordinate about of data
+@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if(datalen >= (6 + len)) {
++                if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
diff --git a/gnu/packages/patches/mesa-skip-disk-cache-test.patch b/gnu/packages/patches/mesa-skip-disk-cache-test.patch
deleted file mode 100644
index 190f6b6ee1..0000000000
--- a/gnu/packages/patches/mesa-skip-disk-cache-test.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-disk_cache_create() here looks up the users home directory from <pwd.h>
-which resolves to "/" in the build environment. I could not find an easy
-way to set the home directory to something else, so we disable this test
-for now.
-
---- a/src/compiler/glsl/tests/cache_test.c
-+++ b/src/compiler/glsl/tests/cache_test.c
-@@ -170,11 +170,6 @@
-    unsetenv("MESA_GLSL_CACHE_DIR");
-    unsetenv("XDG_CACHE_HOME");
- 
--   cache = disk_cache_create("test", "make_check", 0);
--   expect_non_null(cache, "disk_cache_create with no environment variables");
--
--   disk_cache_destroy(cache);
--
-    /* Test with XDG_CACHE_HOME set */
-    setenv("XDG_CACHE_HOME", CACHE_TEST_TMP "/xdg-cache-home", 1);
-    cache = disk_cache_create("test", "make_check", 0);
diff --git a/gnu/packages/patches/mesa-skip-tests.patch b/gnu/packages/patches/mesa-skip-tests.patch
new file mode 100644
index 0000000000..2622d5d312
--- /dev/null
+++ b/gnu/packages/patches/mesa-skip-tests.patch
@@ -0,0 +1,49 @@
+disk_cache_create() here looks up the users home directory from <pwd.h>
+which resolves to "/" in the build environment. I could not find an easy
+way to set the home directory to something else, so we disable this test
+for now.
+
+--- a/src/compiler/glsl/tests/cache_test.c
++++ b/src/compiler/glsl/tests/cache_test.c
+@@ -170,11 +170,6 @@
+    unsetenv("MESA_GLSL_CACHE_DIR");
+    unsetenv("XDG_CACHE_HOME");
+ 
+-   cache = disk_cache_create("test", "make_check", 0);
+-   expect_non_null(cache, "disk_cache_create with no environment variables");
+-
+-   disk_cache_destroy(cache);
+-
+    /* Test with XDG_CACHE_HOME set */
+    setenv("XDG_CACHE_HOME", CACHE_TEST_TMP "/xdg-cache-home", 1);
+    cache = disk_cache_create("test", "make_check", 0);
+
+This test fails on i686-linux. I couldn't come up with a regex that
+could be used to disable it just on i686-linux, so we disable it
+completely with this patch:
+
+https://gitlab.freedesktop.org/mesa/mesa/-/issues/4091
+
+diff --git a/src/util/meson.build b/src/util/meson.build
+index 0893f64..909b3e0 100644
+--- a/src/util/meson.build
++++ b/src/util/meson.build
+@@ -289,18 +289,6 @@ if with_tests
+      suite : ['util'],
+   )   
+ 
+-  test(
+-    'u_debug_stack',
+-    executable(
+-      'u_debug_stack_test',
+-      files('u_debug_stack_test.cpp'),
+-      include_directories : [inc_include, inc_src, inc_mapi, inc_mesa, inc_gallium, inc_gallium_aux],
+-      dependencies : [idep_mesautil, idep_gtest],
+-      c_args : [c_msvc_compat_args],
+-    ),
+-     suite : ['util'],
+-  )
+-
+   process_test_exe = executable(
+     'process_test',
+     files('process_test.c'),
diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch
new file mode 100644
index 0000000000..dc0571e964
--- /dev/null
+++ b/gnu/packages/patches/python-CVE-2020-26116.patch
@@ -0,0 +1,47 @@
+Fix CVE-2020-26116:
+
+https://cve.circl.lu/cve/CVE-2020-26116
+https://bugs.python.org/issue39603
+
+Taken from upstream (sans test and NEWS update):
+https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -147,6 +147,10 @@
+ #  _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+ # We are more lenient for assumed real world compatibility purposes.
+ 
++# These characters are not allowed within HTTP method names
++# to prevent http header injection.
++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,
+         else:
+             raise CannotSendRequest(self.__state)
+ 
++        self._validate_method(method)
++
+         # Save the method for use later in the response phase
+         self._method = method
+ 
+@@ -1177,6 +1183,15 @@ def _encode_request(self, request):
+         # ASCII also helps prevent CVE-2019-9740.
+         return request.encode('ascii')
+ 
++    def _validate_method(self, method):
++        """Validate a method name for putrequest."""
++        # prevent http header injection
++        match = _contains_disallowed_method_pchar_re.search(method)
++        if match:
++            raise ValueError(
++                    f"method can't contain control characters. {method!r} "
++                    f"(found at least {match.group()!r})")
++
+     def _validate_path(self, url):
+         """Validate a url for putrequest."""
+         # Prevent CVE-2019-9740.
diff --git a/gnu/packages/patches/qtbase-fix-krita-deadlock.patch b/gnu/packages/patches/qtbase-fix-krita-deadlock.patch
deleted file mode 100644
index d3554be3c9..0000000000
--- a/gnu/packages/patches/qtbase-fix-krita-deadlock.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-Fix a deadlock in Krita:
-
-https://bugreports.qt.io/browse/QTBUG-83207
-
-Patch copied from Qt bug tracker:
-
-https://codereview.qt-project.org/c/qt/qtbase/+/296034
-
-From 276fa8383a7535765be7182883ef4aade17ce013 Mon Sep 17 00:00:00 2001
-From: Thiago Macieira <thiago.macieira@intel.com>
-Date: Thu, 02 Apr 2020 12:08:41 -0300
-Subject: [PATCH] QLibrary: fix deadlock caused by fix to QTBUG-39642
-
-Commit ae6f73e8566fa76470937aca737141183929a5ec inserted a mutex around
-the entire load_sys(). We had reasoed that deadlocks would only occur if
-the object creation in instance() recursed into its own instance(),
-which was already a bug. But we had forgotten that dlopen()/
-LoadLibrary() executes initialization code from the module being loaded,
-which could cause a recursion back into the same QPluginLoader or
-QLibrary object. This recursion is benign because the module *is* loaded
-and dlopen()/LoadLibrary() returns the same handle.
-
-[ChangeLog][QtCore][QLibrary and QPluginLoader] Fixed a deadlock that
-would happen if the plugin or library being loaded has load-time
-initialization code (C++ global variables) that recursed back into the
-same QLibrary or QPluginLoader object.
-
-PS: QLibraryPrivate::loadPlugin() updates pluginState outside a mutex
-lock, so pluginState should be made an atomic variable. Once that is
-done, we'll only need locking the mutex to update errorString (no
-locking before loading).
-
-Fixes: QTBUG-83207
-Task-number: QTBUG-39642
-Change-Id: Ibdc95e9af7bd456a94ecfffd160209304e5ab2eb
-Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
-Reviewed-by: David Faure <david.faure@kdab.com>
----
-
-diff --git a/src/corelib/plugin/qlibrary.cpp b/src/corelib/plugin/qlibrary.cpp
-index ddb053c..be9d92b 100644
---- a/src/corelib/plugin/qlibrary.cpp
-+++ b/src/corelib/plugin/qlibrary.cpp
-@@ -576,9 +576,7 @@
- 
-     Q_TRACE(QLibraryPrivate_load_entry, fileName);
- 
--    mutex.lock();
-     bool ret = load_sys();
--    mutex.unlock();
-     if (qt_debug_component()) {
-         if (ret) {
-             qDebug() << "loaded library" << fileName;
-diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
-index 017aa97..a5c72f8 100644
---- a/src/corelib/plugin/qlibrary_unix.cpp
-+++ b/src/corelib/plugin/qlibrary_unix.cpp
-@@ -123,6 +123,7 @@
- 
- bool QLibraryPrivate::load_sys()
- {
-+    QMutexLocker locker(&mutex);
-     QString attempt;
-     QFileSystemEntry fsEntry(fileName);
- 
-@@ -213,6 +214,7 @@
-     }
- #endif
- 
-+    locker.unlock();
-     bool retry = true;
-     Handle hnd = nullptr;
-     for (int prefix = 0; retry && !hnd && prefix < prefixes.size(); prefix++) {
-@@ -273,6 +275,8 @@
-         }
-     }
- #endif
-+
-+    locker.relock();
-     if (!hnd) {
-         errorString = QLibrary::tr("Cannot load library %1: %2").arg(fileName, qdlerror());
-     }
-diff --git a/src/corelib/plugin/qlibrary_win.cpp b/src/corelib/plugin/qlibrary_win.cpp
-index 000bf76..ef58724 100644
---- a/src/corelib/plugin/qlibrary_win.cpp
-+++ b/src/corelib/plugin/qlibrary_win.cpp
-@@ -78,6 +78,7 @@
-     //     fileName
-     //
-     // NB If it's a plugin we do not ever try the ".dll" extension
-+    QMutexLocker locker(&mutex);
-     QStringList attempts;
- 
-     if (pluginState != IsAPlugin)
-@@ -95,6 +96,7 @@
-         attempts.prepend(QDir::rootPath() + fileName);
- #endif
- 
-+    locker.unlock();
-     Handle hnd = nullptr;
-     for (const QString &attempt : qAsConst(attempts)) {
- #ifndef Q_OS_WINRT
-@@ -115,6 +117,7 @@
- #ifndef Q_OS_WINRT
-     SetErrorMode(oldmode);
- #endif
-+    locker.relock();
-     if (!hnd) {
-         errorString = QLibrary::tr("Cannot load library %1: %2").arg(
-                     QDir::toNativeSeparators(fileName), qt_error_string());
diff --git a/gnu/packages/patches/sbc-fix-build-non-x86.patch b/gnu/packages/patches/sbc-fix-build-non-x86.patch
new file mode 100644
index 0000000000..56ea916d42
--- /dev/null
+++ b/gnu/packages/patches/sbc-fix-build-non-x86.patch
@@ -0,0 +1,17 @@
+Don't refer to x86-specific function on other architectures to avoid linker error.
+
+Submitted upstream at <https://marc.info/?l=linux-bluetooth&m=160857625608440&w=2>
+
+diff --git a/sbc/sbc_primitives.c b/sbc/sbc_primitives.c
+--- a/sbc/sbc_primitives.c
++++ b/sbc/sbc_primitives.c
+@@ -593,7 +593,9 @@ static int sbc_calc_scalefactors_j(
+ 
+ static void sbc_init_primitives_x86(struct sbc_encoder_state *state)
+ {
++#if defined(__x86_64__) || defined(__i386__)
+ 	__builtin_cpu_init();
++#endif
+ 
+ #ifdef SBC_BUILD_WITH_MMX_SUPPORT
+ 	if (__builtin_cpu_supports("mmx"))
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index af74c0ac5c..ea61dd807c 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -180,7 +180,7 @@ rates.")
 (define-public pulseaudio
   (package
     (name "pulseaudio")
-    (version "13.0")
+    (version "14.0")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -188,7 +188,7 @@ rates.")
                    name "-" version ".tar.xz"))
              (sha256
               (base32
-               "0mw0ybrqj7hvf8lqs5gjzip464hfnixw453lr0mqzlng3b5266wn"))
+               "0qf20rgg0ysrnvg3359j56ndls07qmfn5rsy9r85bc42jdfpfd58"))
              (modules '((guix build utils)))
              (snippet
               ;; Disable console-kit support by default since it's deprecated
@@ -241,7 +241,7 @@ rates.")
 
        ("eudev" ,eudev)))         ;for the detection of hardware audio devices
     (native-inputs
-     `(("check" ,check-0.14)
+     `(("check" ,check)
        ("gettext" ,gettext-minimal)
        ("glib:bin" ,glib "bin")
        ("m4" ,m4)
diff --git a/gnu/packages/python-crypto.scm b/gnu/packages/python-crypto.scm
index c3ed58c424..1f491cc972 100644
--- a/gnu/packages/python-crypto.scm
+++ b/gnu/packages/python-crypto.scm
@@ -477,13 +477,13 @@ risk.")
 (define-public python-certifi
   (package
     (name "python-certifi")
-    (version "2020.11.8")
+    (version "2020.12.5")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri "certifi" version))
               (sha256
                (base32
-                "1x4w18gm71dbwys5g2mbcnbw27b3dvphj5d56icg5ys45h4yypgh"))))
+                "177mdbw0livdjvp17sz6wsfrc32838m9y59v871gpgv2888raj8s"))))
     (build-system python-build-system)
     (arguments '(#:tests? #f))          ;no tests
     (home-page "https://certifi.io/")
@@ -499,14 +499,14 @@ is used by the Requests library to verify HTTPS requests.")
 (define-public python-cryptography-vectors
   (package
     (name "python-cryptography-vectors")
-    (version "3.1.1")
+    (version "3.3.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "cryptography_vectors" version))
        (sha256
         (base32
-         "1xp2j79c1y8qj4b97ygx451gzp8l4cp830hnvg3zw8j134bcaaam"))))
+         "192wix3sr678x21brav5hgc6j93l7ab1kh69p2scr3fsblq9qy03"))))
     (build-system python-build-system)
     (home-page "https://github.com/pyca/cryptography")
     (synopsis "Test vectors for the cryptography package")
@@ -521,14 +521,14 @@ is used by the Requests library to verify HTTPS requests.")
 (define-public python-cryptography
   (package
     (name "python-cryptography")
-    (version "3.1.1")
+    (version "3.3.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "cryptography" version))
        (sha256
         (base32
-         "0z81q4d1nangw3r0v5f41mfl4d9r04qnbayl5ll5v5jpcfhwd7wx"))))
+         "1ribd1vxq9wwz564mg60dzcy699gng54admihjjkgs9dx95pw5vy"))))
     (build-system python-build-system)
     (inputs
      `(("openssl" ,openssl)))
@@ -570,14 +570,14 @@ message digests and key derivation functions.")
 (define-public python-pyopenssl
   (package
     (name "python-pyopenssl")
-    (version "19.1.0")
+    (version "20.0.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "pyOpenSSL" version))
        (sha256
         (base32
-         "01wmsq6w0frzbr3zps4ga9kmqjidp2h317jwpq1g9ah24r5lj94s"))))
+         "1i8ab5zn9i9iq2ksizp3rd42v157kacddzz88kviqw3kpp68xw4j"))))
     (build-system python-build-system)
     (arguments
      '(#:phases
@@ -589,7 +589,7 @@ message digests and key derivation functions.")
              ;; PyOpenSSL runs tests against a certificate with a fixed
              ;; expiry time.  To ensure successful builds in the future,
              ;; set the time to roughly the release date.
-             (invoke "faketime" "2019-01-01" "py.test" "-v" "-k"
+             (invoke "faketime" "2020-12-01" "py.test" "-v" "-k"
                      (string-append
                       ;; This test tries to look up certificates from
                       ;; the compiled-in default path in OpenSSL, which
@@ -597,7 +597,10 @@ message digests and key derivation functions.")
                       "not test_fallback_default_verify_paths "
                       ;; This test attempts to make a connection to
                       ;; an external web service.
-                      "and not test_set_default_verify_paths")))))))
+                      "and not test_set_default_verify_paths "
+                      ;; Fails on i686-linux and possibly other 32-bit platforms
+                      ;; https://github.com/pyca/pyopenssl/issues/974
+                      "and not test_verify_with_time")))))))
     (propagated-inputs
      `(("python-cryptography" ,python-cryptography)
        ("python-six" ,python-six)))
diff --git a/gnu/packages/python-web.scm b/gnu/packages/python-web.scm
index b25f567449..ab3769b360 100644
--- a/gnu/packages/python-web.scm
+++ b/gnu/packages/python-web.scm
@@ -2421,13 +2421,13 @@ APIs.")
 (define-public python-requests
   (package
     (name "python-requests")
-    (version "2.24.0")
+    (version "2.25.0")
     (source (origin
              (method url-fetch)
              (uri (pypi-uri "requests" version))
              (sha256
               (base32
-               "06r3017hz0hzxv42gpg73l8xvdjbzw7q904ljvp36b5p3l9rlmdk"))))
+               "1y6mb8c0ipd64d5axq2p368yxndp3f966hmabjka2q2a5y9hn6kz"))))
     (build-system python-build-system)
     (propagated-inputs
      `(("python-certifi" ,python-certifi)
@@ -2650,14 +2650,14 @@ authenticated session objects providing things like keep-alive.")
 (define-public python-urllib3
   (package
     (name "python-urllib3")
-    (version "1.25.9")
+    (version "1.26.2")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "urllib3" version))
         (sha256
          (base32
-          "09rmjqm5syhhc8fx3v06h3yv6cqy0b1081jg8wm5grpwpr72j61h"))))
+          "024yldjwjavps39yb77sc422z8fa9bn20wcqrcncjwrqjab8y60r"))))
     (build-system python-build-system)
     (arguments `(#:tests? #f))
     (propagated-inputs
diff --git a/gnu/packages/python-xyz.scm b/gnu/packages/python-xyz.scm
index c63774ce13..5199ac4d11 100644
--- a/gnu/packages/python-xyz.scm
+++ b/gnu/packages/python-xyz.scm
@@ -686,14 +686,14 @@ by @code{binstar}, @code{binstar-build}, and @code{chalmers}.")
 (define-public python-babel
   (package
     (name "python-babel")
-    (version "2.8.0")
+    (version "2.9.0")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "Babel" version))
       (sha256
        (base32
-        "0f0f2vvs1mpdpz2c0mg1mnc3sih8bizmc1h9m67kdsnqs3i2mb0s"))))
+        "018yg7g2pa6vjixx1nx41cfispgfi0azzp0a1chlycbj8jsil0ys"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-freezegun" ,python-freezegun)
@@ -704,13 +704,7 @@ by @code{binstar}, @code{binstar-build}, and @code{chalmers}.")
      `(#:phases (modify-phases %standard-phases
                   (replace 'check
                     (lambda _
-                      (invoke "pytest" "-vv" "-k"
-                              (string-append
-                               ;; XXX: These tests fail when using Pytest 4.x and
-                               ;; Babel 2.6.0.  Try removing this for later versions.
-                               "not test_no_inherit_metazone_marker_never_in_output"
-                               " and not test_smoke_dates"
-                               " and not test_smoke_numbers")))))))
+                      (invoke "pytest" "-vv"))))))
     (home-page "http://babel.pocoo.org/")
     (synopsis
      "Tools for internationalizing Python applications")
@@ -3557,14 +3551,14 @@ text styles of documentation.")
 (define-public python-pygments
   (package
     (name "python-pygments")
-    (version "2.6.1")
+    (version "2.7.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Pygments" version))
        (sha256
         (base32
-         "0i4gnd4q0mgkq0dp5wymn7ca8zjd8fgp63139svs6jf2c6h48wv4"))))
+         "05mps9r966r3dpqw6zrs1nlwjdf5y4960hl9m7abwb3qyfnarwyc"))))
     (build-system python-build-system)
     (arguments
      ;; FIXME: Tests require sphinx, which depends on this.
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index fa9bf10e07..27e9b70432 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -370,6 +370,7 @@ data types.")
               (uri (string-append "https://www.python.org/ftp/python/"
                                   version "/Python-" version ".tar.xz"))
               (patches (search-patches
+                        "python-CVE-2020-26116.patch"
                         "python-3-fix-tests.patch"
                         "python-3.8-fix-tests.patch"
                         "python-3-deterministic-build-info.patch"
diff --git a/gnu/packages/qt.scm b/gnu/packages/qt.scm
index cef9c6802f..4fbb157600 100644
--- a/gnu/packages/qt.scm
+++ b/gnu/packages/qt.scm
@@ -451,18 +451,17 @@ developers using C++ or QML, a CSS & JavaScript like language.")
 (define-public qtbase
   (package
     (name "qtbase")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "12mjsahlma9rw3vz9a6b5h2s6ylg8b34hxc2vnlna5ll429fgfa8"))
+               "1y70libf2x52lpbqvhz10lpk7nyl1ajjwzjxly9pjdpfj4jsv7wh"))
              ;; Use TZDIR to avoid depending on package "tzdata".
              (patches (search-patches "qtbase-use-TZDIR.patch"
                                       "qtbase-moc-ignore-gcc-macro.patch"
-                                      "qtbase-absolute-runpath.patch"
-                                      "qtbase-fix-krita-deadlock.patch"))
+                                      "qtbase-absolute-runpath.patch"))
              (modules '((guix build utils)))
              (snippet
                ;; corelib uses bundled harfbuzz, md4, md5, sha3
@@ -710,13 +709,13 @@ developers using C++ or QML, a CSS & JavaScript like language.")
 (define-public qtsvg
   (package (inherit qtbase)
     (name "qtsvg")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "18dmfc8s428fzbk7k5vl3212b25455ayrz7s716nwyiy3ahgmmy7"))))
+               "0pjqrdmd1991x9h4rl8sf81pkd89hfd5h1a2gp3fjw96pk0w5hwb"))))
     (propagated-inputs `())
     (native-inputs `(("perl" ,perl)))
     (inputs
@@ -782,13 +781,13 @@ HostData=lib/qt5
 (define-public qtimageformats
   (package (inherit qtsvg)
     (name "qtimageformats")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "132g4rlm61pdcpcrclr1rwpbrxn7va4wjfb021mh8pn1cl0wlgkk"))
+               "1msk8a0z8rr16hkp2fnv668vf6wayiydqgc2mcklaa04rv3qb0mz"))
              (modules '((guix build utils)))
              (snippet
               '(begin
@@ -820,13 +819,13 @@ support for MNG, TGA, TIFF and WBMP image formats.")))
 (define-public qtx11extras
   (package (inherit qtsvg)
     (name "qtx11extras")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "0njlh6d327nll7d8qaqrwr5x15m9yzgyar2j45qigs1f7ah896my"))))
+               "0gkfzj195v9flwljnqpdz3a532618yn4h2577nlsai56x4p7053h"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:tests? _ #f) #f))) ; TODO: Enable the tests
@@ -841,13 +840,13 @@ from within Qt 5.")))
 (define-public qtxmlpatterns
   (package (inherit qtsvg)
     (name "qtxmlpatterns")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "1dyg1z4349k04yyzn8xbp4f5qjgm60gz6wgzp80khpilcmk8g6i1"))))
+               "1ypj5jpa31rlx8yfw3y9jia212lfnxvnqkvygs6ihjf3lxi23skn"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:tests? _ #f) #f) ; TODO: Enable the tests
@@ -869,13 +868,13 @@ xmlpatternsvalidator.")))
 (define-public qtdeclarative
   (package (inherit qtsvg)
     (name "qtdeclarative")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "0l0nhc2si6dl9r4s1bs45z90qqigs8jnrsyjjdy38q4pvix63i53"))))
+               "0lancdn7y0lrlmyn5cbdm0izd5yprvd5n77nhkb7a3wl2sbx0066"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:tests? _ #f) #f)             ;TODO: Enable the tests
@@ -910,13 +909,13 @@ with JavaScript and C++.")))
 (define-public qtconnectivity
   (package (inherit qtsvg)
     (name "qtconnectivity")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "0a5wzin635b926b8prdwfazgy1vhyf8m6an64wp2lpkp78z7prmb"))))
+               "185zci61ip1wpjrygcw2m6v55lvninc0b8y2p3jh6qgpf5w35003"))))
     (native-inputs
      `(("perl" ,perl)
        ("pkg-config" ,pkg-config)
@@ -931,13 +930,13 @@ with Bluetooth and NFC.")))
 (define-public qtwebsockets
   (package (inherit qtsvg)
     (name "qtwebsockets")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "116amx4mnv50k0fpswgpr5x8wjny8nbffrjmld01pzhkhfqn4vph"))))
+               "0gr399fn5n8j3m9d3vv01vcbr1cb7pw043j04cnnxzrlvn2jvd50"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:tests? _ #f) #f))) ; TODO: Enable the tests
@@ -955,13 +954,13 @@ consume data received from the server, or both.")))
 (define-public qtsensors
   (package (inherit qtsvg)
     (name "qtsensors")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "0qccpgbhyg9k4x5nni7xm0pyvaqia3zrcd42cn7ksf5h21lwmkxw"))))
+               "0fa81r7bn1mf9ynwsx524a55dx1q0jb4vda6j48ssb4lx7wi201z"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:parallel-tests? _ #f) #f) ; can lead to race condition
@@ -985,13 +984,13 @@ recognition API for devices.")))
 (define-public qtmultimedia
   (package (inherit qtsvg)
     (name "qtmultimedia")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "1sczzcvk3c5gczz53yvp8ma6gp8aixk5pcq7wh344c9md3g8xkbs"))
+               "1xbd6kc7i0iablqdkvfrajpi32cbq7j6ajbfyyyalcai1s0mhdqc"))
              (modules '((guix build utils)))
              (snippet
               '(begin
@@ -1033,19 +1032,13 @@ set of plugins for interacting with pulseaudio and GStreamer.")))
 (define-public qtwayland
   (package (inherit qtsvg)
     (name "qtwayland")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "0al3yypy3fin62n8d1859jh0mn0fbpa161l7f37hgd4gf75365nk"))
-             (modules '((guix build utils)))
-             (snippet
-               ;; The examples try to build and cause the build to fail
-              '(begin
-                 (delete-file-recursively "examples")
-                 #t))))
+               "1ddfx4nak16xx0zh1kl836zxvpbixmmjyplsmfmg65pqkwi34dqr"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:phases phases)
@@ -1082,6 +1075,7 @@ set of plugins for interacting with pulseaudio and GStreamer.")))
        ("mesa" ,mesa)
        ("mtdev" ,mtdev)
        ("qtbase" ,qtbase)
+       ("vulkan-headers" ,vulkan-headers)
        ("wayland" ,wayland)))
     (synopsis "Qt Wayland module")
     (description "The Qt Wayland module provides the QtWayland client and
@@ -1090,13 +1084,13 @@ compositor libraries.")))
 (define-public qtserialport
   (package (inherit qtsvg)
     (name "qtserialport")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "08ga9a1lwj83872nxablk602z1dq0la6jqsiicvd7m1sfbfpgnd6"))))
+               "17gp5qzg4wdg8qlxk2p3mh8x1vk33rf33wic3fy0cws193bmkiar"))))
     (native-inputs `(("perl" ,perl)))
     (inputs
      `(("qtbase" ,qtbase)
@@ -1121,13 +1115,13 @@ interacting with serial ports from within Qt.")))
 (define-public qtserialbus
   (package (inherit qtsvg)
     (name "qtserialbus")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "14bahg82jciciqkl74q9hvf3a8kp3pk5v731vp2416k4b8bn4xqb"))))
+               "125x6756fjpldqy6wbw6cg7ngjh2016aiq92bchh719z1mf7xsxf"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:phases phases '%standard-phases)
@@ -1153,13 +1147,13 @@ and others.")))
 (define-public qtwebchannel
   (package (inherit qtsvg)
     (name "qtwebchannel")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "0x7q66994pw6cd0f505bmirw1sssqs740zaw8lyqqqr32m2ch7bx"))))
+               "1h9y634phvvk557mhmf9z4lmxr41rl8x9mqy2lzp31mk8ffffzqj"))))
     (native-inputs
      `(("perl" ,perl)
        ("qtdeclarative" ,qtdeclarative)
@@ -1174,13 +1168,13 @@ popular web engines, Qt WebKit 2 and Qt WebEngine.")))
 (define-public qtwebglplugin
   (package (inherit qtsvg)
     (name "qtwebglplugin")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "05rl657848fsprsnabdqb5z363c6drjc32k59223vl351f8ihhgb"))))
+               "0ihlnhv8ldkqz82v3j7j22lrhk17b6ghra8sx85y2agd2ysq5rw1"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:phases phases)
@@ -1207,13 +1201,13 @@ OpenGL ES 2.0 and can be used in HTML5 canvas elements")))
 (define-public qtwebview
   (package (inherit qtsvg)
     (name "qtwebview")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "0jzzcm7z5njkddzfhmyjz4dbbzq8h93980cci4479zc4xq9r47y6"))))
+               "1rw1wibmbxlj6xc86qs3y8h42al1vczqiksyxzaylxs9gqb4d7xy"))))
     (native-inputs
      `(("perl" ,perl)))
     (inputs
@@ -1227,7 +1221,7 @@ native APIs where it makes sense.")))
 (define-public qtlocation
   (package (inherit qtsvg)
     (name "qtlocation")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://download.qt.io/official_releases/qt/"
@@ -1236,7 +1230,7 @@ native APIs where it makes sense.")))
                                  version ".tar.xz"))
              (sha256
               (base32
-               "1k3m8zhbv04yrqvj7jlnh8f9xczdsmla59j9gcwsqvbg76y0hxy3"))))
+               "184jychnlfhplpwc5cdcsapwljgwvzk5qpf3val4kpq8w44wnkwq"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:tests? _ #f) #f))) ; TODO: Enable the tests
@@ -1257,13 +1251,13 @@ positioning and geolocation plugins.")))
 (define-public qttools
   (package (inherit qtsvg)
     (name "qttools")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "1iakl3hlyg51ri1czmis8mmb257b0y1zk2a2knybd3mq69wczc2v"))))
+               "1k618f7v6jaj0ygy8d7jvgb8zjr47sn55kiskbdkkizp3z7d12f1"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:tests? _ #f) #f))) ; TODO: Enable the tests
@@ -1282,13 +1276,13 @@ that helps in Qt development.")))
 (define-public qtscript
   (package (inherit qtsvg)
     (name "qtscript")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "1zlvg3hc6h70d789g3kv6dxbwswzkskkm00bdgl01grwrdy4izg9"))
+               "0gk74hk488k9ldacxbxcranr3arf8ifqg8kz9nm1rgdgd59p36d2"))
              (patches (search-patches "qtscript-disable-tests.patch"))))
     (native-inputs
      `(("perl" ,perl)
@@ -1303,13 +1297,13 @@ ECMAScript and Qt.")))
 (define-public qtquickcontrols
   (package (inherit qtsvg)
     (name "qtquickcontrols")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "0qa4dlhn3iv9yvaic8hw86v6h8rn9sgq8xjfdaym04pfshfyypfm"))))
+               "1dczakl868mg0lnwpf082jjc5976ycn879li1vqlgw5ihirzp4y3"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:tests? _ #f) #f))) ; TODO: Enable the tests
@@ -1324,13 +1318,13 @@ can be used to build complete interfaces in Qt Quick.")))
 (define-public qtquickcontrols2
   (package (inherit qtsvg)
     (name "qtquickcontrols2")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "0q0mk2mjlf9ll0gdrdzxy8096s6g9draaqiwrlvdpa7lv14x7xzs"))))
+               "06c9vrwvbjmzapmfa25y34lgjkzg57xxbm92nr6wkv5qykjnq6v7"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:tests? _ #f) #f))) ; TODO: Enable the tests
@@ -1346,13 +1340,13 @@ not available.")))
 (define-public qtgraphicaleffects
   (package (inherit qtsvg)
     (name "qtgraphicaleffects")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "03xmwhapv0b2qj661iaqqrvhxc7qiid0acrp6rj85824ha2pyyj8"))))
+               "1r6zfc0qga2ax155js7c8y5rx6vgayf582s921j09mb797v6g3gc"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:tests? _ #f) #f))) ; TODO: Enable the tests
@@ -1370,13 +1364,13 @@ coloring, and many more.")))
 (define-public qtgamepad
   (package (inherit qtsvg)
     (name "qtgamepad")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "00wd3h465waxdghg2vdhs5pkj0xikwjn88l12477dksm8zdslzgp"))))
+               "0p07bg93fdfn4gr2kv38qgnws5znhswajrxdfs8xc9l3i7vi2xn7"))))
     (native-inputs
      `(("perl" ,perl)
        ("pkg-config" ,pkg-config)))
@@ -1397,13 +1391,13 @@ and mobile applications targeting TV-like form factors.")))
 (define-public qtscxml
   (package (inherit qtsvg)
     (name "qtscxml")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "141pfschv6zmcvvn3pi7f5vb4nf96zpngy80f9bly1sn58syl303"))
+               "1p5771b9hnpchfcdgy0zkhwg09a6xq88934aggp0rij1k85mkfb0"))
              (modules '((guix build utils)))
              (snippet
               '(begin
@@ -1425,13 +1419,13 @@ also contains functionality to support data models and executable content.")))
 (define-public qtpurchasing
   (package (inherit qtsvg)
     (name "qtpurchasing")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "0lg8x7g7dkf95xwxq8b4yw4ypdz68igkscya96xwbklg3q08gc39"))))
+               "09rjx53519dfk4qj2gbn3vlxyriasyb747wpg1p11y7jkwqhs4l7"))))
     (inputs
      `(("qtbase" ,qtbase)
        ("qtdeclarative" ,qtdeclarative)))
@@ -1442,13 +1436,13 @@ purchasing goods and services.")))
 (define-public qtcharts
   (package (inherit qtsvg)
     (name "qtcharts")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "1drvm15i6n10b6a1acgarig120ppvqh3r6fqqdn8i3blx81m5cmd"))))
+               "049x7z8zcp9jixmdv2fjscy2ggpd6za9hkdbb2bqp2mxjm0hwxg0"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:tests? _ #f) #f))) ; TODO: Enable the tests
@@ -1466,13 +1460,13 @@ selecting one of the charts themes.")
 (define-public qtdatavis3d
   (package (inherit qtsvg)
     (name "qtdatavis3d")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "080fkpxg70m3c697wfnkjhca58b7r1xsqd559jzb21985pdh6g3j"))))
+               "1zdn3vm0nfy9ny7c783aabp3mhlnqhi9fw2rljn7ibbksmsnasi2"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:tests? _ #f) #f))) ; TODO: Enable the tests
@@ -1490,13 +1484,13 @@ customized by using themes or by adding custom items and labels to them.")
 (define-public qtnetworkauth
   (package (inherit qtsvg)
     (name "qtnetworkauth")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "0pi6p7bq54kzij2p69cgib7n55k69jsq0yqq09yli645s4ym202g"))))
+               "11fdgacv4syr8bff2vdw7rb0dg1gcqpdf37hm3pn31d6z91frhpw"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:phases phases)
@@ -1516,13 +1510,13 @@ implementation of OAuth and OAuth2 authenticathon methods for Qt.")))
 (define-public qtremoteobjects
   (package (inherit qtsvg)
     (name "qtremoteobjects")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "1mhlws5w0igf5hw0l90p6dz6k7w16dqfbnk2li0zxdmayk2039m6"))))
+               "1hngbp0vkr35rpsrac7b9vx6f360v8v2g0fffzm590l8j2ybd0b7"))))
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:phases phases)
@@ -1550,13 +1544,13 @@ processes or computers.")))
 (define-public qtspeech
   (package (inherit qtsvg)
     (name "qtspeech")
-    (version "5.14.2")
+    (version "5.15.2")
     (source (origin
              (method url-fetch)
              (uri (qt5-urls name version))
              (sha256
               (base32
-               "1nn6kspbp8hfkz1jhzc1qx1m9z7r1bgkdqgi9n4vl1q25yk8x7jy"))))
+               "1xc3x3ghnhgchsg1kgj156yg69wn4rwjx8r28i1jd05hxjggn468"))))
 
     (arguments
      (substitute-keyword-arguments (package-arguments qtsvg)
@@ -1618,7 +1612,7 @@ using the Enchant spell-checking library.")
        (uri (qt5-urls name version))
        (sha256
         (base32
-         "0iy9lsl6zxlkca6x2p1506hbj3wmhnaipg23z027wfccbnkxcsg1"))
+         "1q4idxdm81sx102xc12ixj0xpfx52d6vwvs3jpapnkyq8c7cmby8"))
        (modules '((ice-9 ftw)
                   (ice-9 match)
                   (srfi srfi-1)
@@ -1627,8 +1621,9 @@ using the Enchant spell-checking library.")
        (snippet
         '(begin
            (let ((preserved-third-party-files
-                  '("base/third_party/cityhash"
-                    "base/third_party/dmg_fp"
+                  '("base/third_party/double_conversion"
+                    "base/third_party/cityhash"
+                    "base/third_party/cityhash_v103"
                     "base/third_party/dynamic_annotations"
                     "base/third_party/icu"
                     "base/third_party/libevent"
@@ -1651,19 +1646,26 @@ using the Enchant spell-checking library.")
                     "third_party/blink"
                     "third_party/boringssl"
                     "third_party/boringssl/src/third_party/fiat"
-                    "third_party/boringssl/src/third_party/sike"
-                    "third_party/boringssl/linux-x86_64/crypto/third_party/sike"
-                    "third_party/boringssl/linux-aarch64/crypto/third_party/sike"
                     "third_party/breakpad"
                     "third_party/brotli"
                     "third_party/ced"
                     "third_party/cld_3"
+                    "third_party/closure_compiler"
+                    "third_party/crashpad"
+                    "third_party/crashpad/crashpad/third_party/lss"
+                    "third_party/crashpad/crashpad/third_party/zlib"
                     "third_party/crc32c"
                     "third_party/dav1d"
                     "third_party/dawn"
+                    "third_party/devtools-frontend"
+                    "third_party/devtools-frontend/src/front_end/third_party/fabricjs"
+                    "third_party/devtools-frontend/src/front_end/third_party/lighthouse"
+                    "third_party/devtools-frontend/src/front_end/third_party/wasmparser"
+                    "third_party/devtools-frontend/src/third_party/axe-core"
                     "third_party/emoji-segmenter"
                     "third_party/ffmpeg"
                     "third_party/googletest"
+                    "third_party/harfbuzz-ng/utils"
                     "third_party/hunspell"
                     "third_party/iccjpeg"
                     "third_party/icu"
@@ -1674,8 +1676,9 @@ using the Enchant spell-checking library.")
                     "third_party/khronos"
                     "third_party/leveldatabase"
                     "third_party/libaddressinput"
+                    "third_party/libgifcodec"
                     "third_party/libjingle_xmpp"
-                    "third_party/libjpeg"
+                    "third_party/libjpeg_turbo"
                     "third_party/libpng"
                     "third_party/libsrtp"
                     "third_party/libsync"
@@ -1687,6 +1690,7 @@ using the Enchant spell-checking library.")
                     "third_party/libxslt"
                     "third_party/libyuv"
                     "third_party/lss"
+                    "third_party/mako"
                     "third_party/markupsafe"
                     "third_party/mesa_headers"
                     "third_party/metrics_proto"
@@ -1695,18 +1699,25 @@ using the Enchant spell-checking library.")
                     "third_party/one_euro_filter"
                     "third_party/opus"
                     "third_party/ots"
+                    "third_party/pdfium"
+                    "third_party/pdfium/third_party/agg23"
+                    "third_party/pdfium/third_party/base"
+                    "third_party/pdfium/third_party/freetype"
+                    "third_party/pdfium/third_party/lcms"
+                    "third_party/pdfium/third_party/libopenjpeg20"
+                    "third_party/pdfium/third_party/skia_shared"
                     "third_party/perfetto"
                     "third_party/pffft"
                     "third_party/ply"
                     "third_party/polymer"
                     "third_party/protobuf"
+                    "third_party/protobuf/third_party/six"
                     "third_party/pyjson5"
                     "third_party/re2"
                     "third_party/rnnoise"
                     "third_party/skia"
                     "third_party/skia/include/third_party/skcms/skcms.h"
                     "third_party/skia/include/third_party/vulkan"
-                    "third_party/skia/third_party/gif"
                     "third_party/skia/third_party/skcms"
                     "third_party/skia/third_party/vulkanmemoryallocator"
                     "third_party/smhasher"
@@ -1807,7 +1818,7 @@ using the Enchant spell-checking library.")
                    (("third_party/curl") "curl"))
                  (substitute*
                      '("components/viz/common/gpu/vulkan_context_provider.h"
-                       "components/viz/common/resources/resource_format_utils.h"
+                       "components/viz/common/resources/resource_format_utils_vulkan.h"
                        "gpu/config/gpu_util.cc")
                    (("third_party/vulkan/include/")
                     ""))
@@ -1833,6 +1844,7 @@ using the Enchant spell-checking library.")
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
        ("python-2" ,python-2)
+       ("python-six" ,python2-six)
        ("ruby" ,ruby)))
     (inputs
      `(("alsa-lib" ,alsa-lib)
@@ -1887,23 +1899,6 @@ using the Enchant spell-checking library.")
      (substitute-keyword-arguments (package-arguments qtsvg)
        ((#:phases phases)
         `(modify-phases ,phases
-           (add-after 'unpack 'fix-build-with-newer-re2
-             (lambda _
-               ;; Adjust for API change in re2, taken from
-               ;; https://chromium-review.googlesource.com/c/chromium/src/+/2145261
-               (substitute* "src/3rdparty/chromium/components/autofill/core\
-/browser/address_rewriter.cc"
-               (("options\\.set_utf8\\(true\\)")
-                "options.set_encoding(RE2::Options::EncodingUTF8)"))
-               #t))
-           (add-after 'unpack 'patch-ninja-version-check
-             (lambda _
-               ;; The build system assumes the system Ninja is too old because
-               ;; it only checks for versions 1.7 through 1.9.  We have 1.10.
-               (substitute* "configure.pri"
-                 (("1\\.\\[7-9\\]\\.\\*")
-                  "1.([7-9]|1[0-9]).*"))
-               #t))
            (add-before 'configure 'substitute-source
              (lambda* (#:key inputs outputs #:allow-other-keys)
                (let ((out (assoc-ref outputs "out"))
@@ -1965,15 +1960,17 @@ and binaries removed, and adds modular support for using system libraries.")
 (define-public python-sip
   (package
     (name "python-sip")
-    (version "4.19.22")
+    (version "4.19.24")
     (source
       (origin
         (method url-fetch)
-        (uri (string-append "https://www.riverbankcomputing.com/static/"
-                            "Downloads/sip/" version "/sip-" version ".tar.gz"))
+        (uri (list (pypi-uri "sip" version)
+                   (string-append "https://www.riverbankcomputing.com/static/"
+                                  "Downloads/sip/" version
+                                  "/sip-" version ".tar.gz")))
         (sha256
          (base32
-          "0idywc326l8v1m3maprg1aq2gph67mmnnsskvlwfx8n19s16idz1"))))
+          "1ra15vb5i9gkg2vdvh16cq9x2mmzw1yi3xphxs8q34q1pf83gkgd"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("python" ,python-wrapper)))
@@ -2023,7 +2020,7 @@ module provides support functions to the automatically generated code.")
 (define-public python-pyqt
   (package
     (name "python-pyqt")
-    (version "5.14.2")
+    (version "5.15.2")
     (source
       (origin
         (method url-fetch)
@@ -2036,7 +2033,7 @@ module provides support functions to the automatically generated code.")
         (file-name (string-append "PyQt5-"version ".tar.gz"))
         (sha256
          (base32
-          "1c4y4qi1l540gd125ikj0al00k5pg65kmqaixcfbzslrsrphq8xx"))
+          "1z74295i69cha52llsqffzhb5zz7qnbjc64h8qg21l91jgf0harp"))
        (patches (search-patches "pyqt-configure.patch"
                                 "pyqt-public-sip.patch"))))
     (build-system gnu-build-system)
@@ -2115,7 +2112,7 @@ contain over 620 classes.")
 (define-public python-pyqtwebengine
   (package
     (name "python-pyqtwebengine")
-    (version "5.14.0")
+    (version "5.15.2")
     (source
      (origin
        (method url-fetch)
@@ -2127,7 +2124,7 @@ contain over 620 classes.")
                                  "/PyQtWebEngine-" version ".tar.gz")))
        (sha256
         (base32
-         "14hw49akb35n9pgiw564x8ykmsifihn9p2ax2x4zmywb3w2ra5g1"))))
+         "0d56ak71r14w4f9r96vaj34qcn2rbln3s6ildvvyc707fjkzwwjd"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("python" ,python)
@@ -2313,15 +2310,15 @@ itself.")
 (define-public qscintilla
   (package
     (name "qscintilla")
-    (version "2.10.8")
+    (version "2.11.6")
     (source (origin
               (method url-fetch)
-              (uri (string-append "mirror://sourceforge/pyqt/QScintilla2/"
-                                  "QScintilla-" version "/QScintilla_gpl-"
-                                  version ".tar.gz"))
+              (uri (string-append "https://www.riverbankcomputing.com/static"
+                                  "/Downloads/QScintilla/" version
+                                  "/QScintilla-" version ".tar.gz"))
               (sha256
                (base32
-                "1swjr786w04r514pry9pn32ivza4il1cg35s60qy39cwc175pka6"))))
+                "19r0vpqb4m9bqwxmjp9w6x0hgahkrg7zryk78hwgplj7vdbn0d77"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/rust.scm b/gnu/packages/rust.scm
index 58a9092ac4..e646cd0091 100644
--- a/gnu/packages/rust.scm
+++ b/gnu/packages/rust.scm
@@ -1317,8 +1317,70 @@ move around."
                  #t)))))))))
 
 (define-public rust-1.46
-  (rust-bootstrapped-package rust-1.45 "1.46.0"
-    "0a17jby2pd050s24cy4dfc0gzvgcl585v3vvyfilniyvjrqknsid"))
+  (let ((base-rust
+         (rust-bootstrapped-package rust-1.45 "1.46.0"
+           "0a17jby2pd050s24cy4dfc0gzvgcl585v3vvyfilniyvjrqknsid")))
+    (package
+      (inherit base-rust)
+      (outputs (cons "rustfmt" (package-outputs base-rust)))
+      (arguments
+       (substitute-keyword-arguments (package-arguments base-rust)
+         ((#:phases phases)
+          `(modify-phases ,phases
+             (replace 'build
+               (lambda* _
+                 (invoke "./x.py" "build")
+                 (invoke "./x.py" "build" "src/tools/cargo")
+                 (invoke "./x.py" "build" "src/tools/rustfmt")))
+             (replace 'check
+               (lambda* _
+                 ;; Test rustfmt.
+                 (let ((parallel-job-spec
+                        (string-append "-j" (number->string
+                                             (min 4
+                                                  (parallel-job-count))))))
+                   (invoke "./x.py" parallel-job-spec "test" "-vv")
+                   (invoke "./x.py" parallel-job-spec "test"
+                           "src/tools/cargo")
+                   (invoke "./x.py" parallel-job-spec "test"
+                           "src/tools/rustfmt"))))
+             (replace 'install
+               (lambda* (#:key outputs #:allow-other-keys)
+                 (invoke "./x.py" "install")
+                 (substitute* "config.toml"
+                   ;; replace prefix to specific output
+                   (("prefix = \"[^\"]*\"")
+                    (string-append "prefix = \"" (assoc-ref outputs "cargo") "\"")))
+                 (invoke "./x.py" "install" "cargo")
+                 (substitute* "config.toml"
+                   ;; replace prefix to specific output
+                   (("prefix = \"[^\"]*\"")
+                    (string-append "prefix = \"" (assoc-ref outputs "rustfmt") "\"")))
+                 (invoke "./x.py" "install" "rustfmt")))
+             (replace 'delete-install-logs
+               (lambda* (#:key outputs #:allow-other-keys)
+                 (define (delete-manifest-file out-path file)
+                   (delete-file (string-append out-path "/lib/rustlib/" file)))
+
+                 (let ((out (assoc-ref outputs "out"))
+                       (cargo-out (assoc-ref outputs "cargo"))
+                       (rustfmt-out (assoc-ref outputs "rustfmt")))
+                   (for-each
+                     (lambda (file) (delete-manifest-file out file))
+                     '("install.log"
+                       "manifest-rust-docs"
+                       ,(string-append "manifest-rust-std-"
+                                       (nix-system->gnu-triplet-for-rust))
+                       "manifest-rustc"))
+                   (for-each
+                     (lambda (file) (delete-manifest-file cargo-out file))
+                     '("install.log"
+                       "manifest-cargo"))
+                   (for-each
+                     (lambda (file) (delete-manifest-file rustfmt-out file))
+                     '("install.log"
+                       "manifest-rustfmt-preview"))
+                   #t))))))))))
 
 (define-public rust-1.47
   (let ((base-rust
diff --git a/gnu/packages/sphinx.scm b/gnu/packages/sphinx.scm
index e666456e4a..7da42d958c 100644
--- a/gnu/packages/sphinx.scm
+++ b/gnu/packages/sphinx.scm
@@ -50,14 +50,14 @@
 (define-public python-sphinx
   (package
     (name "python-sphinx")
-    (version "3.2.1")
+    (version "3.3.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "Sphinx" version))
        (sha256
         (base32
-         "1s70hxhddzf656kmj01lws4cbywgsinbg8750r9ilf7s2sdns79j"))))
+         "0023vc2i29pjxmvdqbz1wdbi7gbj56y1br1b2z8h8wa44li5k38y"))))
     (build-system python-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 90f32c135d..04c8c6ceaa 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2015, 2016, 2018, 2019 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016, 2018, 2019, 2020, 2021 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016, 2019 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016, 2021 Nicolas Goaziou <mail@nicolasgoaziou.fr>
 ;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org>
@@ -44,6 +44,7 @@
   #:use-module (gnu packages gperf)
   #:use-module (gnu packages groff)
   #:use-module (gnu packages guile)
+  #:use-module (gnu packages hurd)
   #:use-module (gnu packages libedit)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages logging)
@@ -165,7 +166,8 @@ applications.")
                    version ".tar.gz"))
             (sha256
              (base32
-              "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym"))))
+              "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym"))
+            (patches (search-patches "libssh2-CVE-2019-17498.patch"))))
    (build-system gnu-build-system)
    ;; The installed libssh2.pc file does not include paths to libgcrypt and
    ;; zlib libraries, so we need to propagate the inputs.
@@ -199,7 +201,9 @@ a server that supports the SSH-2 protocol.")
                     ("pkg-config" ,pkg-config)))
    (inputs `(("libedit" ,libedit)
              ("openssl" ,openssl)
-             ("pam" ,linux-pam)
+             ,@(if (hurd-target?)
+                 '()
+                 `(("pam" ,linux-pam)))
              ("mit-krb5" ,mit-krb5)
              ("zlib" ,zlib)
              ("xauth" ,xauth)))        ; for 'ssh -X' and 'ssh -Y'
@@ -222,7 +226,9 @@ a server that supports the SSH-2 protocol.")
                           "--with-libedit"
 
                           ;; Enable PAM support in sshd.
-                          "--with-pam"
+                          ,,@(if (hurd-target?)
+                               '()
+                               '("--with-pam"))
 
                           ;; "make install" runs "install -s" by default,
                           ;; which doesn't work for cross-compiled binaries
diff --git a/gnu/packages/time.scm b/gnu/packages/time.scm
index c1c46a5f2d..9b006a5438 100644
--- a/gnu/packages/time.scm
+++ b/gnu/packages/time.scm
@@ -118,14 +118,14 @@ expressions.")
 (define-public python-pytz
   (package
     (name "python-pytz")
-    (version "2019.1")
+    (version "2020.4")
     (source
      (origin
       (method url-fetch)
       (uri (pypi-uri "pytz" version))
       (sha256
        (base32
-        "0hg1r2c41gnmljdsdmdgy6kb1zkfmxsf49imd96g8znp4cyxsiyp"))))
+        "0s72lz9q7rm2xgl2in0nvhn5cp0cyrxa257fpj2919g0s797ssry"))))
     (build-system python-build-system)
     (home-page "http://pythonhosted.org/pytz")
     (synopsis "Python timezone library")
@@ -328,15 +328,20 @@ ISO 8601 dates, time and duration.")
 (define-public python-iso8601
   (package
     (name "python-iso8601")
-    (version "0.1.12")
+    (version "0.1.13")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "iso8601" version))
        (sha256
         (base32
-         "10nyvvnrhw2w3p09v1ica4lgj6f4g9j3kkfx17qmraiq3w7b5i29"))))
+         "1cgfj91khil4ii5gb8s6nxwm73vx7hqc2k79dd9d8990ylmc5ppp"))))
     (build-system python-build-system)
+    (arguments
+     '(#:phases (modify-phases %standard-phases
+                  (replace 'check
+                    (lambda _
+                      (invoke "pytest" "-vv" "iso8601"))))))
     (native-inputs
      `(("python-pytest" ,python-pytest)))
     (home-page "https://bitbucket.org/micktwomey/pyiso8601")
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 8e438e3a54..775e915534 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -164,21 +164,19 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
-    ;; XXX Unversion openconnect's "gnutls" input when ungrafting.
-    (replacement gnutls/fixed)
-    (version "3.6.12")
+    (version "3.6.15")
     (source (origin
-             (method url-fetch)
-             (uri
+              (method url-fetch)
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
-              (string-append "mirror://gnupg/gnutls/v"
-                             (version-major+minor version)
-                             "/gnutls-" version ".tar.xz"))
-             (patches (search-patches "gnutls-skip-trust-store-test.patch"))
-             (sha256
-              (base32
-               "0jvca1qahn9lrwv6f5kfs95icirc15b2a8x9fzczyj996ipg3b5z"))))
+              (uri (string-append "mirror://gnupg/gnutls/v"
+                                  (version-major+minor version)
+                                  "/gnutls-" version ".tar.xz"))
+              (patches (search-patches "gnutls-skip-trust-store-test.patch"
+                                       "gnutls-cross.patch"))
+              (sha256
+               (base32
+                "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? ,(not (or (%current-target-system)
@@ -228,7 +226,11 @@ living in the same process.")
                "debug"
                "doc"))                            ;4.1 MiB of man pages
     (native-inputs
-     `(,@(if (hurd-target?) '()
+     `(,@(if (%current-target-system)             ;for cross-build
+             `(("guile" ,guile-3.0))              ;to create .go files
+             '())
+       ,@(if (hurd-target?)
+             '()
              `(("net-tools" ,net-tools)))
        ("pkg-config" ,pkg-config)
        ("which" ,which)
@@ -254,27 +256,6 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-;; Replacement package to fix multiple security vulnerabilities.
-(define-public gnutls/fixed
-  (package
-    (inherit gnutls)
-    (version "3.6.15")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnupg/gnutls/v"
-                                  (version-major+minor version)
-                                  "/gnutls-" version ".tar.xz"))
-              (patches (search-patches "gnutls-skip-trust-store-test.patch"
-                                       "gnutls-cross.patch"))
-              (sha256
-               (base32
-                "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
-    (native-inputs
-     `(,@(if (%current-target-system)             ;for cross-build
-             `(("guile" ,guile-3.0))              ;to create .go files
-             '())
-       ,@(package-native-inputs gnutls)))))
-
 (define-public gnutls/guile-2.0
   ;; GnuTLS for Guile 2.0.
   (package/inherit gnutls
@@ -287,7 +268,7 @@ required structures.")
   ;; Authentication of Named Entities.  This is required for GNS functionality
   ;; by GNUnet and gnURL.  This is done in an extra package definition
   ;; to have the choice between GnuTLS with Dane and without Dane.
-  (package/inherit gnutls/fixed
+  (package/inherit gnutls
     (name "gnutls-dane")
     (inputs `(("unbound" ,unbound)
               ,@(package-inputs gnutls)))))
@@ -306,8 +287,7 @@ required structures.")
 (define-public openssl
   (package
    (name "openssl")
-   (version "1.1.1f")
-   (replacement openssl-1.1.1i)
+   (version "1.1.1i")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
@@ -317,10 +297,10 @@ required structures.")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
+             (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
-               "0d9zv9srjqivs8nn099fpbjv1wyhfcb8lzy491dpmfngdvz6nv0q"))
-             (patches (search-patches "openssl-1.1-c-rehash-in.patch"))))
+               "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"         ;6.8 MiB of man3 pages and full HTML documentation
@@ -439,24 +419,6 @@ required structures.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
 
-(define openssl-1.1.1i
-  (package
-   (inherit openssl)
-   (version "1.1.1i")
-   (source (origin
-             (method url-fetch)
-             (uri (list (string-append "https://www.openssl.org/source/openssl-"
-                                       version ".tar.gz")
-                        (string-append "ftp://ftp.openssl.org/source/"
-                                       "openssl-" version ".tar.gz")
-                        (string-append "ftp://ftp.openssl.org/source/old/"
-                                       (string-trim-right version char-set:letter)
-                                       "/openssl-" version ".tar.gz")))
-             (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
-             (sha256
-              (base32
-               "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8"))))))
-
 (define-public openssl-1.0
   (package
     (inherit openssl)
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 97cb7d6837..cd049fb375 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -247,7 +247,7 @@
        ("faac" ,faac)
        ("ffmpeg" ,ffmpeg)
        ("freetype" ,freetype)
-       ("imagemagick" ,imagemagick-next)
+       ("imagemagick" ,imagemagick)
        ("lame" ,lame)
        ("liba52" ,liba52)
        ("libdv" ,libdv)
@@ -1330,19 +1330,14 @@ libebml is a C++ library to read and write EBML files.")
 (define-public libva
   (package
     (name "libva")
-    (version "2.9.0")
+    (version "2.10.0")
     (source
      (origin
        (method url-fetch)
-       (uri (list
-             ;; Newer releases are only available on GitHub.
-             (string-append "https://github.com/01org/libva/releases/download/"
-                            version "/libva-" version ".tar.bz2")
-             ;; Keep the old URL around for compatibility.
-             (string-append "https://www.freedesktop.org/software/vaapi/releases/"
-                            "libva/libva-" version "/libva-" version ".tar.bz2")))
+       (uri (string-append "https://github.com/intel/libva/releases/download/"
+                           version "/libva-" version ".tar.bz2"))
        (sha256
-        (base32 "0jsq6ia3fzyzvq7lxsrn4a8kn2kx4z3v777xkxn6k4ny5lww2i73"))))
+        (base32 "0dh2zjn6wi74ga75r6pbrrj8hjm213zyxvn9bv78z0fra1dy70gs"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
diff --git a/gnu/packages/vpn.scm b/gnu/packages/vpn.scm
index 37555d9b45..ba19f4aebc 100644
--- a/gnu/packages/vpn.scm
+++ b/gnu/packages/vpn.scm
@@ -264,9 +264,7 @@ the user specifically asks to proxy, so the @dfn{VPN} interface no longer
    (build-system gnu-build-system)
    (propagated-inputs
     `(("libxml2" ,libxml2)
-      ;; XXX ‘DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.’
-      ;; See <https://gitlab.com/gnutls/gnutls/-/issues/960>.
-      ("gnutls" ,gnutls/fixed)
+      ("gnutls" ,gnutls)
       ("zlib" ,zlib)))
    (inputs
     `(("lz4" ,lz4)
diff --git a/gnu/packages/vulkan.scm b/gnu/packages/vulkan.scm
index 86b0e55f34..1a0d0d7d63 100644
--- a/gnu/packages/vulkan.scm
+++ b/gnu/packages/vulkan.scm
@@ -150,7 +150,7 @@ SPIR-V, aiming to emit GLSL or MSL that looks like human-written code.")
 (define-public glslang
   (package
     (name "glslang")
-    (version "8.13.3743")
+    (version "10-11.0.0")
     (source
      (origin
        (method git-fetch)
@@ -159,7 +159,7 @@ SPIR-V, aiming to emit GLSL or MSL that looks like human-written code.")
              (commit version)))
        (sha256
         (base32
-         "0d20wfpp2fmbnz1hnsjr9xc62lxpj86ik2qyviqbni0pqj212cry"))
+         "14mn2awswl022ls75mfpsnpsl0ai0jgfbqj3sxcsqawyj5f432py"))
        (file-name (string-append name "-" version "-checkout"))))
     (build-system cmake-build-system)
     (arguments
@@ -183,7 +183,7 @@ interpretation of the specifications for these languages.")
 (define-public vulkan-headers
   (package
     (name "vulkan-headers")
-    (version "1.2.148")
+    (version "1.2.164")
     (source
      (origin
        (method git-fetch)
@@ -193,7 +193,7 @@ interpretation of the specifications for these languages.")
        (file-name (git-file-name name version))
        (sha256
         (base32
-         "1c877npvmkv2qxac308m3x0ij3il7hy5xk3fwsfi7s9dcsaxi63j"))))
+         "11wzxvwim4jna1yssbmprl211dhmz8vmrd498zww3bghzlj7bljv"))))
     (build-system cmake-build-system)
     (arguments
      `(#:tests? #f))                    ; No tests.
@@ -207,7 +207,7 @@ interpretation of the specifications for these languages.")
 (define-public vulkan-loader
   (package
     (name "vulkan-loader")
-    (version "1.2.148")
+    (version "1.2.162")
     (source
      (origin
        (method git-fetch)
@@ -217,7 +217,7 @@ interpretation of the specifications for these languages.")
        (file-name (git-file-name name version))
        (sha256
         (base32
-         "0rxh4q09k0pdl3xlvxdv5qkak4d7az25gijxr5w170fjnd8yfrhk"))))
+         "15gx9ab6w1sjq9hkpbas7z2f8f47j6mlln6p3w26qmydjj8gfjjv"))))
     (build-system cmake-build-system)
     (arguments
      `(#:phases (modify-phases %standard-phases
@@ -261,7 +261,7 @@ and the ICD.")
 (define-public vulkan-tools
   (package
     (name "vulkan-tools")
-    (version "1.2.148")
+    (version "1.2.162")
     (source
      (origin
        (method git-fetch)
@@ -271,7 +271,7 @@ and the ICD.")
        (file-name (git-file-name name version))
        (sha256
         (base32
-         "1908fw4rvg5iaim8ph0c0bzhac6jplg8dhfs6dpxd1dapzwqllkf"))))
+         "129wzk7xj3vn3c8b4p7fzkd0npl58118s2i1d88gsfnlix54nagq"))))
     (build-system cmake-build-system)
     (inputs
      `(("glslang" ,glslang)
@@ -298,7 +298,7 @@ API.")
 (define-public shaderc
   (package
     (name "shaderc")
-    (version "2020.0")
+    (version "2020.4")
     (source
      (origin
        (method git-fetch)
@@ -308,12 +308,16 @@ API.")
        (file-name (git-file-name name version))
        (sha256
         (base32
-         "1kqqvsvib01bsmfbdy3fbwwpvkcdlfb6k71kjvzb3crql7w0rxff"))))
+         "07h78nd964h2bdm4drzws8i1gvyal8a3wlhbcm5qxqk6vknv8hrk"))))
     (build-system cmake-build-system)
     (arguments
      `(;; FIXME: Skip most of the tests, because enabling system gtest breaks
        ;; the build: <https://github.com/google/shaderc/issues/470>.
-       #:configure-flags '("-DSHADERC_SKIP_TESTS=ON")
+       #:configure-flags
+       (list "-DSHADERC_SKIP_TESTS=ON"
+             ;; Note: despite the name, this just specifies the headers.
+             (string-append "-Dglslang_SOURCE_DIR="
+                            (assoc-ref %build-inputs "glslang") "/include/glslang"))
        #:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'do-not-look-for-bundled-sources
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 9f4b533fd2..8cbcfd011e 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -902,7 +902,6 @@ data.")
 
 (define-public json-c
   (package
-    (replacement json-c/fixed)
     (name "json-c")
     (version "0.14")
     (source (origin
@@ -912,7 +911,8 @@ data.")
                    version ".tar.gz"))
              (sha256
               (base32
-               "0w381krr99q5a2rypx4g437fa7gzgl82i64sgnrs6g5jr44dwxxk"))))
+               "0w381krr99q5a2rypx4g437fa7gzgl82i64sgnrs6g5jr44dwxxk"))
+              (patches (search-patches "json-c-CVE-2020-12762.patch"))))
     (build-system cmake-build-system)
     (home-page "https://github.com/json-c/json-c/wiki")
     (synopsis "JSON implementation in C")
@@ -923,15 +923,6 @@ parse JSON-formatted strings back into the C representation of JSON objects.
 It aims to conform to RFC 7159.")
     (license license:x11)))
 
-(define json-c/fixed
-  (package
-    (inherit json-c)
-    (name "json-c")
-    (version "0.14")
-    (source (origin
-              (inherit (package-source json-c))
-              (patches (search-patches "json-c-CVE-2020-12762.patch"))))))
-
 ;; TODO: Remove these old versions when all dependents have been updated.
 (define-public json-c-0.13
   (package
@@ -7449,8 +7440,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
 (define-public nghttp2
   (package
     (name "nghttp2")
-    (version "1.40.0")
-    (replacement nghttp2-1.41)
+    (version "1.41.0")
     (source
      (origin
        (method url-fetch)
@@ -7459,7 +7449,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
                            "nghttp2-" version ".tar.xz"))
        (sha256
         (base32
-         "0wwhwv7cvi1vxpdjwvg0kpa4jzhszclpnwrwfcw728zz53a47z09"))))
+         "1hk77vngjmvvzb5y1gi1aqwf6qywrc7yak08zvzb7x81qs6mphmb"))))
     (build-system gnu-build-system)
     (outputs (list "out"
                    "lib"))              ; only libnghttp2
@@ -7533,20 +7523,6 @@ compressed JSON header blocks.
 @end itemize\n")
     (license license:expat)))
 
-(define-public nghttp2-1.41                       ;fixes CVE-2020-11080
-  (package
-    (inherit nghttp2)
-    (version "1.41.0")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append "https://github.com/nghttp2/nghttp2/"
-                           "releases/download/v" version "/"
-                           "nghttp2-" version ".tar.xz"))
-       (sha256
-        (base32
-         "1hk77vngjmvvzb5y1gi1aqwf6qywrc7yak08zvzb7x81qs6mphmb"))))))
-
 (define-public hpcguix-web
   (let ((commit "9de63562b06b4aef3a3afe5ecb18d3c91e57ee74")
         (revision "5"))
diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm
index 26660b8bfa..79ba61b344 100644
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@@ -358,14 +358,14 @@ avoiding password prompts when X11 forwarding has already been setup.")
 (define-public libxkbcommon
   (package
     (name "libxkbcommon")
-    (version "1.0.1")
+    (version "1.0.3")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://xkbcommon.org/download/libxkbcommon-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "13bcdf2xpjxwbghas0cr448z89qqki2ssgfgswc257y9859v4s5b"))))
+               "0lmwglj16anhpaq0h830xsl1ivknv75i4lir9bk88aq73s2jy852"))))
     (build-system meson-build-system)
     (inputs
      `(("libx11" ,libx11)
@@ -539,7 +539,7 @@ rasterisation.")
 (define-public libdrm
   (package
     (name "libdrm")
-    (version "2.4.102")
+    (version "2.4.103")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -547,7 +547,7 @@ rasterisation.")
                     version ".tar.xz"))
               (sha256
                (base32
-                "0nx0bd9dhymdsd99v4ifib77yjirkvkxf5hzdkbr7qr8dhrzkjwb"))))
+                "08h2nnf4w96b4ql7485mvjgbbsb8rwc0qa93fdm1cq34pbyszq1z"))))
     (build-system meson-build-system)
     (arguments
      `(#:configure-flags
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 930cd795f5..472dfedbb8 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -1203,6 +1203,9 @@ Libxml2).")
     (inputs
      `(("nss" ,nss)
        ("libltdl" ,libltdl)))
+    (arguments
+     ;; NSS no longer supports MD5 since 3.59, don't attempt to use it.
+     '(#:configure-flags '("--disable-md5")))
     (synopsis "XML Security Library (using NSS instead of GnuTLS)")))
 
 (define-public minixml
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 900f6c925d..ed98d1acd3 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015, 2017, 2018, 2020 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2015 Eric Bavier <bavier@member.fsf.org>
-;;; Copyright © 2015, 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Eric Dvorsak <eric@dvorsak.fr>
 ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
 ;;; Copyright © 2015 Cyrill Schenkel <cyrill.schenkel@gmail.com>
@@ -3905,27 +3905,25 @@ alternative implementations like XRandR or TwinView.")
     (license license:x11)))
 
 
-(define xkbcomp-intermediate ; used as input for xkeyboard-config
+(define xkbcomp-intermediate            ;used as input for xkeyboard-config
   (package
     (name "xkbcomp-intermediate")
-    (version "1.4.3")
+    (version "1.4.4")
     (source
-      (origin
-        (method url-fetch)
-        (uri (string-append
-               "mirror://xorg/individual/app/xkbcomp-"
-               version
-               ".tar.bz2"))
-        (sha256
-         (base32
-          "0dflr250nlj6rrnv658f6dm8qx37sj0xfimc3ihay761kwb2q906"))))
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://xorg/individual/app/xkbcomp-"
+                           version ".tar.bz2"))
+       (sha256
+        (base32
+         "0zpjkbap9160pdd6jpgb5f0yg5281w0rkkx1l0i7g887lq1ydk2r"))))
     (build-system gnu-build-system)
     (inputs
-      `(("xorgproto" ,xorgproto)
-        ("libxkbfile" ,libxkbfile)
-        ("libx11" ,libx11)))
+     `(("xorgproto" ,xorgproto)
+       ("libxkbfile" ,libxkbfile)
+       ("libx11" ,libx11)))
     (native-inputs
-        `(("pkg-config" ,pkg-config)))
+     `(("pkg-config" ,pkg-config)))
     (home-page "https://www.x.org/wiki/")
     (synopsis "Compile XKB keyboard description")
     (description
@@ -4324,23 +4322,21 @@ it for output on various types of printers.")
 (define-public xprop
   (package
     (name "xprop")
-    (version "1.2.4")
+    (version "1.2.5")
     (source
-      (origin
-        (method url-fetch)
-        (uri (string-append
-               "mirror://xorg/individual/app/xprop-"
-               version
-               ".tar.bz2"))
-        (sha256
-          (base32
-            "0lzp7kyhpwd5hm83j2zm6j3w3z1z5i4ykgg2nwr01ij6dq4znxwc"))))
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://xorg/individual/app/xprop-"
+                           version ".tar.bz2"))
+       (sha256
+        (base32
+         "18ckr8g1z50zkc01hprkpm1npwbq32yqib4b3l98c95z2q1yv4lv"))))
     (build-system gnu-build-system)
     (inputs
-      `(("xorgproto" ,xorgproto)
-        ("libx11" ,libx11)))
+     `(("libx11" ,libx11)
+       ("xorgproto" ,xorgproto)))
     (native-inputs
-      `(("pkg-config" ,pkg-config)))
+     `(("pkg-config" ,pkg-config)))
     (home-page "https://www.x.org/wiki/")
     (synopsis "Display X server properties")
     (description
@@ -5436,19 +5432,10 @@ draggable titlebars and borders.")
 ;; This package is intended to be used when building GTK+.
 ;; Note: It's currently marked as "hidden" to avoid having two non-eq?
 ;; packages with the same name and version.
-;; TODO: Inherit source from xorg-server in a future rebuild cycle.
 (define-public xorg-server-for-tests
   (hidden-package
    (package
-     (inherit xorg-server)
-     (version "1.20.9")
-     (source (origin
-               (inherit (package-source xorg-server))
-               (uri (string-append "mirror://xorg/individual/xserver/"
-                                   "xorg-server-" version ".tar.bz2"))
-               (sha256
-                (base32
-                 "0w9mrnffvjgmwi50kln15i8rpdskxv97r78l75wlcmg4vzhg46g2")))))))
+     (inherit xorg-server))))
 
 (define-public xorg-server-xwayland
   (package/inherit xorg-server
@@ -5473,8 +5460,7 @@ draggable titlebars and borders.")
 (define-public libx11
   (package
     (name "libx11")
-    (version "1.6.9")
-    (replacement libx11/fixed)
+    (version "1.6.10")
     (source
       (origin
         (method url-fetch)
@@ -5484,7 +5470,7 @@ draggable titlebars and borders.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1ldyn9c6pyx54sxzaw120n3q42rqi7b503aqmyjky6fn038fiiww"))))
+            "09k2pqmqbn2m1bpgl7jfxyqxaaxsnzbnp2bp8ycmqldqi5ln4j5g"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"))                            ;8 MiB of man pages + XML
@@ -5512,19 +5498,6 @@ draggable titlebars and borders.")
     (description "Xorg Core X11 protocol client library.")
     (license license:x11)))
 
-(define libx11/fixed  ; Fixes CVE-2020-14344
-  (package
-    (inherit libx11)
-    (version "1.6.A")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append
-               "mirror://xorg/individual/lib/libX11-1.6.10.tar.bz2"))
-        (sha256
-          (base32
-            "09k2pqmqbn2m1bpgl7jfxyqxaaxsnzbnp2bp8ycmqldqi5ln4j5g"))))))
-
 ;; packages of height 5 in the propagated-inputs tree
 
 (define-public libxcursor
diff --git a/gnu/tests/monitoring.scm b/gnu/tests/monitoring.scm
index c21bb1e63d..be69e1c259 100644
--- a/gnu/tests/monitoring.scm
+++ b/gnu/tests/monitoring.scm
@@ -309,7 +309,7 @@ zabbix||{}
           (service dhcp-client-service-type)
           (service postgresql-service-type
                    (postgresql-configuration
-                    (postgresql postgresql-10)
+                    (postgresql postgresql)
                    ;; XXX: Remove when postgresql default socket directory is
                     ;; changed to /var/run/postgresql.
                     (config-file