summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk4
-rw-r--r--gnu/packages/curl.scm63
-rw-r--r--gnu/packages/fontutils.scm73
-rw-r--r--gnu/packages/ghostscript.scm4
-rw-r--r--gnu/packages/glib.scm40
-rw-r--r--gnu/packages/gnuzilla.scm4
-rw-r--r--gnu/packages/gtk.scm13
-rw-r--r--gnu/packages/image.scm17
-rw-r--r--gnu/packages/node.scm22
-rw-r--r--gnu/packages/openldap.scm49
-rw-r--r--gnu/packages/package-management.scm2
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2020-15900.patch36
-rw-r--r--gnu/packages/patches/ghostscript-freetype-compat.patch35
-rw-r--r--gnu/packages/patches/libssh2-CVE-2019-17498.patch126
-rw-r--r--gnu/packages/patches/python-CVE-2020-26116.patch47
-rw-r--r--gnu/packages/python.scm1
-rw-r--r--gnu/packages/ssh.scm5
-rw-r--r--gnu/packages/tls.scm76
-rw-r--r--gnu/packages/vpn.scm4
-rw-r--r--gnu/packages/web.scm32
-rw-r--r--gnu/packages/xorg.scm20
21 files changed, 361 insertions, 312 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index e649594017..5d14cbc7d3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1059,6 +1059,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghc-monad-par-fix-tests.patch		\
   %D%/packages/patches/ghc-pandoc-fix-html-tests.patch		\
   %D%/packages/patches/ghc-pandoc-fix-latex-test.patch		\
+  %D%/packages/patches/ghostscript-CVE-2020-15900.patch		\
+  %D%/packages/patches/ghostscript-freetype-compat.patch	\
   %D%/packages/patches/ghostscript-no-header-id.patch		\
   %D%/packages/patches/ghostscript-no-header-uuid.patch		\
   %D%/packages/patches/ghostscript-no-header-creationdate.patch \
@@ -1285,6 +1287,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libmygpo-qt-missing-qt5-modules.patch	\
   %D%/packages/patches/libqalculate-3.8.0-libcurl-ssl-fix.patch	\
   %D%/packages/patches/libquicktime-ffmpeg.patch 		\
+  %D%/packages/patches/libssh2-CVE-2019-17498.patch 		\
   %D%/packages/patches/libtar-CVE-2013-4420.patch 		\
   %D%/packages/patches/libtgvoip-disable-sse2.patch 		\
   %D%/packages/patches/libtgvoip-disable-webrtc.patch 		\
@@ -1518,6 +1521,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-3.8-fix-tests.patch		\
   %D%/packages/patches/python-3.9-fix-tests.patch		\
   %D%/packages/patches/python-CVE-2018-14647.patch		\
+  %D%/packages/patches/python-CVE-2020-26116.patch		\
   %D%/packages/patches/python-aionotify-0.2.0-py3.8.patch	\
   %D%/packages/patches/python-argcomplete-1.11.1-fish31.patch	\
   %D%/packages/patches/python-axolotl-AES-fix.patch		\
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 33a2188d70..a09210bf04 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2013, 2014, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Tomáš Čech <sleep_walker@suse.cz>
-;;; Copyright © 2015 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016, 2017, 2019 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017, 2019, 2020 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
@@ -53,16 +53,15 @@
 (define-public curl
   (package
    (name "curl")
-   (version "7.69.1")
-   (replacement curl-7.74.0)
+   (version "7.74.0")
    (source (origin
-            (method url-fetch)
-            (uri (string-append "https://curl.haxx.se/download/curl-"
-                                version ".tar.xz"))
-            (sha256
-             (base32
-              "0kwxh76iq9fblk7iyv4f75bmcmasarp2bcm1mm07wyvzd7kdbiq3"))
-            (patches (search-patches "curl-use-ssl-cert-env.patch"))))
+             (method url-fetch)
+             (uri (string-append "https://curl.haxx.se/download/curl-"
+                                 version ".tar.xz"))
+             (sha256
+              (base32
+               "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))
+             (patches (search-patches "curl-use-ssl-cert-env.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -126,25 +125,6 @@
            (substitute* "tests/runtests.pl"
              (("/bin/sh") (which "sh")))
 
-           ;; XXX FIXME: Test #1510 seems to work on some machines and not
-           ;; others, possibly based on the kernel version.  It works on Guix System
-           ;; on x86_64 with linux-libre-4.1, but fails on Hydra for both i686
-           ;; and x86_64 with the following error:
-           ;;
-           ;; test 1510...[HTTP GET connection cache limit (CURLOPT_MAXCONNECTS)]
-           ;;
-           ;;  1510: output (log/stderr1510) FAILED:
-           ;; --- log/check-expected    2015-06-27 07:45:53.166720834 +0000
-           ;; +++ log/check-generated   2015-06-27 07:45:53.166720834 +0000
-           ;; @@ -1,5 +1,5 @@
-           ;;  * Connection #0 to host server1.example.com left intact[LF]
-           ;;  * Connection #1 to host server2.example.com left intact[LF]
-           ;;  * Connection #2 to host server3.example.com left intact[LF]
-           ;; -* Closing connection 0[LF]
-           ;; +* Closing connection 1[LF]
-           ;;  * Connection #3 to host server4.example.com left intact[LF]
-           (delete-file "tests/data/test1510")
-
            ;; The top-level "make check" does "make -C tests quiet-test", which
            ;; is too quiet.  Use the "test" target instead, which is more
            ;; verbose.
@@ -171,31 +151,6 @@ tunneling, and so on.")
     (name "curl-minimal")
     (inputs (alist-delete "openldap" (package-inputs curl))))))
 
-;; Replacement package to fix multiple security vulnerabilities.
-(define curl-7.74.0
-  (package
-    (inherit curl)
-    (version "7.74.0")
-    (source (origin
-              (inherit (package-source curl))
-              (uri (string-append "https://curl.haxx.se/download/curl-"
-                                  version ".tar.xz"))
-              (sha256
-               (base32
-                "12w7gskrglg6qrmp822j37fmbr0icrcxv7rib1fy5xiw80n5z7cr"))))
-    (arguments
-     (substitute-keyword-arguments (package-arguments curl)
-       ((#:phases phases)
-        `(modify-phases ,phases
-           (replace 'check
-             (lambda _
-               ;; Test 1510 is now disabled upstream, and the test runner
-               ;; complains that it can not disable a non-existing test.
-               ;; Thus, override the phase to not delete the test.
-               (substitute* "tests/runtests.pl"
-                 (("/bin/sh") (which "sh")))
-               (invoke "make" "-C" "tests" "test")))))))))
-
 (define-public kurly
   (package
     (name "kurly")
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index ed2e960938..0181536c37 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -8,7 +8,7 @@
 ;;; Copyright © 2017 Nikita <nikita@n0.is>
 ;;; Copyright © 2017, 2018, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
-;;; Copyright © 2018, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2019, 2020 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2020 Roel Janssen <roel@gnu.org>
 ;;; Copyright © 2020 Nicolas Goaziou <mail@nicolasgoaziou.fr>
@@ -73,14 +73,14 @@
 (define-public freetype
   (package
    (name "freetype")
-   (version "2.10.1")
-   (replacement freetype/fixed)
-   (source (origin
-            (method url-fetch)
-            (uri (string-append "mirror://savannah/freetype/freetype-"
-                                version ".tar.xz"))
-            (sha256 (base32
-                     "0vx2dg1jh5kq34dd6ifpjywkpapp8a7p1bvyq9yq5zi1i94gmnqn"))))
+   (version "2.10.4")
+   (source
+    (origin
+      (method url-fetch)
+      (uri (string-append "mirror://savannah/freetype/freetype-"
+                          version ".tar.xz"))
+      (sha256
+       (base32 "112pyy215chg7f7fmp2l9374chhhpihbh8wgpj5nj6avj3c59a46"))))
    (build-system gnu-build-system)
    (arguments
     ;; The use of "freetype-config" is deprecated, but other packages still
@@ -103,19 +103,6 @@ anti-aliased glyph bitmap generation with 256 gray levels.")
    (license license:freetype)           ; some files have other licenses
    (home-page "https://www.freetype.org/")))
 
-(define freetype/fixed
-  ;; Security fix for CVE-2020-15999.
-  (package
-    (inherit freetype)
-    (version "2.10.4")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append "mirror://savannah/freetype/freetype-"
-                           version ".tar.xz"))
-       (sha256
-        (base32 "112pyy215chg7f7fmp2l9374chhhpihbh8wgpj5nj6avj3c59a46"))))))
-
 (define-public ttfautohint
   (package
     (name "ttfautohint")
@@ -331,12 +318,6 @@ Font Format (WOFF).")
 (define-public fontconfig
   (package
    (name "fontconfig")
-
-   ;; This replacement is not security-related, but works around the fact
-   ;; that gs-fonts are not recognized by newer versions of Pango, causing
-   ;; many applications to fail to find fonts otherwise.
-   (replacement fontconfig/font-dejavu)
-
    (version "2.13.1")
    (source (origin
             (method url-fetch)
@@ -351,16 +332,19 @@ Font Format (WOFF).")
    (propagated-inputs `(("expat" ,expat)
                         ("freetype" ,freetype)
                         ("libuuid" ,util-linux "lib")))
-   (inputs `(("gs-fonts" ,gs-fonts)))
+   (inputs
+    ;; We use to use 'gs-fonts' but they are not recognized by newer versions
+    ;; of Pango, causing many applications to fail to find fonts otherwise.
+    `(("font-dejavu" ,font-dejavu)))
    (native-inputs
     `(("gperf" ,gperf)
       ("pkg-config" ,pkg-config)))
    (arguments
     `(#:configure-flags
       (list "--with-cache-dir=/var/cache/fontconfig"
-            ;; register gs-fonts as default fonts
+            ;; register the default fonts
             (string-append "--with-default-fonts="
-                           (assoc-ref %build-inputs "gs-fonts")
+                           (assoc-ref %build-inputs "font-dejavu")
                            "/share/fonts")
 
             ;; Register fonts from user and system profiles.
@@ -393,13 +377,6 @@ high quality, anti-aliased and subpixel rendered text on a display.")
                        "See COPYING in the distribution."))
    (home-page "https://www.freedesktop.org/wiki/Software/fontconfig")))
 
-(define fontconfig/font-dejavu
-  (package
-    (inherit fontconfig)
-    (inputs
-     ;; XXX: Reuse the name to avoid having to override the configure flags.
-     `(("gs-fonts" ,font-dejavu)))))
-
 (define-public t1lib
   (package
    (name "t1lib")
@@ -575,16 +552,15 @@ using the above tables.")
 (define-public libspiro
   (package
     (name "libspiro")
-    (version "20190731")
-    (replacement libspiro-20200505)
+    (version "20200505")
     (source
      (origin
       (method url-fetch)
       (uri (string-append "https://github.com/fontforge/libspiro/releases"
-                          "/download/" version "/libspiro-" version ".tar.gz"))
+                          "/download/" version "/libspiro-dist-" version ".tar.gz"))
       (sha256
        (base32
-        "0m63x97b7aciviijprvy85gm03p2jsgslxn323zl9zn7qz6d3ir4"))))
+        "0j8fmyj4wz6mqk17dqs6f8jx0i52n68gv5px17qbrjnbilg9mih6"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--disable-static")))
@@ -595,19 +571,6 @@ smooth contours with constant curvature at the spline joins.")
     (license license:gpl2+)
     (home-page "http://libspiro.sourceforge.net/")))
 
-(define libspiro-20200505
-  (package
-    (inherit libspiro)
-    (version "20200505")
-    (source
-     (origin
-      (method url-fetch)
-      (uri (string-append "https://github.com/fontforge/libspiro/releases"
-                          "/download/" version "/libspiro-dist-" version ".tar.gz"))
-      (sha256
-       (base32
-        "0j8fmyj4wz6mqk17dqs6f8jx0i52n68gv5px17qbrjnbilg9mih6"))))))
-
 (define-public libuninameslist
   (package
     (name "libuninameslist")
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 4d56f05cf2..03a516dc52 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -170,7 +170,9 @@ printing, and psresize, for adjusting page sizes.")
         (sha256
          (base32
           "0z1w42y2jmcpl2m1l3z0sfii6zmvzcwcgzn6bydklia6ig7jli2p"))
-        (patches (search-patches "ghostscript-no-header-creationdate.patch"
+        (patches (search-patches "ghostscript-freetype-compat.patch"
+                                 "ghostscript-CVE-2020-15900.patch"
+                                 "ghostscript-no-header-creationdate.patch"
                                  "ghostscript-no-header-id.patch"
                                  "ghostscript-no-header-uuid.patch"))
         (modules '((guix build utils)))
diff --git a/gnu/packages/glib.scm b/gnu/packages/glib.scm
index 431111f811..9cc2b1b69e 100644
--- a/gnu/packages/glib.scm
+++ b/gnu/packages/glib.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014, 2015, 2016, 2017, 2018 Mark H Weaver <mhw@netris.org>
@@ -91,7 +91,6 @@
   (package
     (name "dbus")
     (version "1.12.16")
-    (replacement dbus/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -100,7 +99,8 @@
               (sha256
                (base32
                 "107ckxaff1cv4q6kmfdi2fb1nlsv03312a7kf6lb4biglhpjv8jl"))
-              (patches (search-patches "dbus-helper-search-path.patch"))))
+              (patches (search-patches "dbus-CVE-2020-12049.patch"
+                                       "dbus-helper-search-path.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -168,20 +168,10 @@ or through unencrypted TCP/IP suitable for use behind a firewall with
 shared NFS home directories.")
     (license license:gpl2+)))                     ; or Academic Free License 2.1
 
-;; Replacement package to fix CVE-2020-12049.
-(define dbus/fixed
-  (package
-    (inherit dbus)
-    (source (origin
-              (inherit (package-source dbus))
-              (patches (append (search-patches "dbus-CVE-2020-12049.patch")
-                               (origin-patches (package-source dbus))))))))
-
 (define glib
   (package
    (name "glib")
    (version "2.62.6")
-   (replacement glib-with-gio-patch)
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnome/sources/"
@@ -190,7 +180,8 @@ shared NFS home directories.")
             (sha256
              (base32
               "174bsmbmcvaw69ff9g60q5sx0fn23rkhqcwqz17h5s7sprps4kqh"))
-            (patches (search-patches "glib-tests-timer.patch"))
+            (patches (search-patches "glib-appinfo-watch.patch"
+                                     "glib-tests-timer.patch"))
             (modules '((guix build utils)))
             (snippet
              '(begin
@@ -236,6 +227,17 @@ shared NFS home directories.")
                (("gio-launch-desktop")
                 (string-append out "/libexec/gio-launch-desktop")))
               #t)))
+        ;; TODO: Remove the conditional in the next core-updates cycle.
+        ;; Needed to build glib on slower ARM nodes.
+        ,@(if (string-prefix? "arm" (%current-system))
+              `((add-after 'unpack 'increase-test-timeout
+                  (lambda _
+                    (substitute* "meson.build"
+                      (("test_timeout = 60")
+                       "test_timeout = 90")
+                      (("test_timeout_slow = 120")
+                       "test_timeout_slow = 180")))))
+              '())
         (add-before 'build 'pre-build
           (lambda* (#:key inputs outputs #:allow-other-keys)
             ;; For tests/gdatetime.c.
@@ -388,16 +390,6 @@ dynamic loading, and an object system.")
    (home-page "https://developer.gnome.org/glib/")
    (license license:lgpl2.1+)))
 
-(define glib-with-gio-patch
-  ;; GLib with a fix for <https://bugs.gnu.org/35594>.
-  ;; TODO: Fold into 'glib' above in the next rebuild cycle.
-  (package
-    (inherit glib)
-    (source (origin
-              (inherit (package-source glib))
-              (patches (cons (search-patch "glib-appinfo-watch.patch")
-                             (origin-patches (package-source glib))))))))
-
 (define-public glib-with-documentation
   ;; glib's doc must be built in a separate package since it requires gtk-doc,
   ;; which in turn depends on glib.
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 0c432f5dc1..98b77a9515 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -935,7 +935,7 @@ from forcing GEXP-PROMISE."
        ("llvm" ,llvm)
        ("clang" ,clang)
        ("perl" ,perl)
-       ("node" ,node-10.22)
+       ("node" ,node)
        ("python" ,python)
        ("python-2" ,python-2)
        ("python2-pysqlite" ,python2-pysqlite)
@@ -1604,7 +1604,7 @@ standards of the IceCat project.")
        ("clang" ,clang)
        ("llvm" ,llvm)
        ("nasm" ,nasm)
-       ("node" ,node-10.22)
+       ("node" ,node)
        ("perl" ,perl)
        ("pkg-config" ,pkg-config)
        ("python" ,python)
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 3c930722b5..b4472a5e98 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -357,7 +357,18 @@ used throughout the world.")
               (base32
                "17bwb7dgbncrfsmchlib03k9n3xaalirb39g3yb43gg8cg6p8aqx"))))
    (build-system gnu-build-system)
-   (arguments '())))
+   (arguments
+    '(#:phases (modify-phases %standard-phases
+                 (add-after 'configure 'disable-layout-test
+                   (lambda _
+                     ;; This test requires that fontconfig uses bitmap fonts
+                     ;; such as "gs-fonts"; however providing such a package
+                     ;; alone is not enough, as the requirement comes from
+                     ;; deeper in the font stack.  Since this version of Pango
+                     ;; is only used for librsvg, simply disable the test.
+                     (substitute* "tests/Makefile"
+                       (("test-layout\\$\\(EXEEXT\\)") ""))
+                     #t)))))))
 
 (define-public pangox-compat
   (package
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 979b069415..dac1d654f6 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -1613,15 +1613,14 @@ is hereby granted."))))
 (define-public libjpeg-turbo
   (package
     (name "libjpeg-turbo")
-    (version "2.0.4")
-    (replacement libjpeg-turbo/fixed)
+    (version "2.0.5")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
                                   version "/libjpeg-turbo-" version ".tar.gz"))
               (sha256
                (base32
-                "01ill8bgjyk582wipx7sh7gj2nidylpbzvwhx0wkcm6mxx3qbp9k"))))
+                "0pbv6pc97kbj7ib31qcwi7lnmm9xg5y3b11aasmkhfjvf7rgdy0n"))))
     (build-system cmake-build-system)
     (native-inputs
      `(("nasm" ,nasm)))
@@ -1671,18 +1670,6 @@ and decompress to 32-bit and big-endian pixel buffers (RGBX, XBGR, etc.).")
                    license:ijg          ;the libjpeg library and associated tools
                    license:zlib))))     ;the libjpeg-turbo SIMD extensions
 
-(define libjpeg-turbo/fixed
-  (package
-    (inherit libjpeg-turbo)
-    (version "2.0.5")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
-                                  version "/libjpeg-turbo-" version ".tar.gz"))
-              (sha256
-               (base32
-                "0pbv6pc97kbj7ib31qcwi7lnmm9xg5y3b11aasmkhfjvf7rgdy0n"))))))
-
 (define-deprecated libjpeg libjpeg-turbo)
 (export libjpeg)
 
diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm
index f04e39bbd5..66ef4f0905 100644
--- a/gnu/packages/node.scm
+++ b/gnu/packages/node.scm
@@ -48,14 +48,14 @@
 (define-public node
   (package
     (name "node")
-    (version "10.20.0")
+    (version "10.22.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://nodejs.org/dist/v" version
                                   "/node-v" version ".tar.xz"))
               (sha256
                (base32
-                "0cvjwnl0wkcsyw3kannbdv01s235wrnp11n2s6swzjx95gpichfi"))
+                "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl"))
               (modules '((guix build utils)))
               (snippet
                `(begin
@@ -201,24 +201,6 @@ devices.")
     (properties '((max-silent-time . 7200)     ;2h, needed on ARM
                   (timeout . 21600)))))        ;6h
 
-;; TODO: Make this the default node on core-updates.  This cannot be done on
-;; master since this version of node requires a newer nghttp2 library at link
-;; time.
-(define-public node-10.22
-  (package
-    (inherit node)
-    (version "10.22.1")
-    (source (origin
-              (inherit (package-source node))
-              (uri (string-append "https://nodejs.org/dist/v" version
-                                  "/node-v" version ".tar.xz"))
-              (sha256
-               (base32
-                "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl"))))
-    (inputs
-     (alist-replace "nghttp2" (list nghttp2-1.41 "lib")
-                    (package-inputs node)))))
-
 (define-public libnode
   (package
     (inherit node)
diff --git a/gnu/packages/openldap.scm b/gnu/packages/openldap.scm
index 6e863388d8..fb917882e7 100644
--- a/gnu/packages/openldap.scm
+++ b/gnu/packages/openldap.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017, 2018, 2019 Ricardo Wurmus <rekado@elephly.net>
@@ -61,25 +61,23 @@
 (define-public openldap
   (package
    (name "openldap")
-   (replacement openldap-2.4.50)
-   (version "2.4.49")
+   (version "2.4.50")
    (source (origin
-            (method url-fetch)
-
-            ;; See <http://www.openldap.org/software/download/> for a list of
-            ;; mirrors.
-            (uri (list (string-append
-                        "ftp://mirror.switch.ch/mirror/OpenLDAP/"
-                        "openldap-release/openldap-" version ".tgz")
-                       (string-append
-                        "https://www.openldap.org/software/download/OpenLDAP/"
-                        "openldap-release/openldap-" version ".tgz")
-                       (string-append
-                        "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"
-                        "openldap-release/openldap-" version ".tgz")))
-            (sha256
-             (base32
-              "0vp524rsngdcykf6ki7vprsyg7gj8z7hszg8xwxz50219fa1gcg3"))))
+             (method url-fetch)
+             ;; See <http://www.openldap.org/software/download/> for a list of
+             ;; mirrors.
+             (uri (list (string-append
+                         "ftp://mirror.switch.ch/mirror/OpenLDAP/"
+                         "openldap-release/openldap-" version ".tgz")
+                        (string-append
+                         "https://www.openldap.org/software/download/OpenLDAP/"
+                         "openldap-release/openldap-" version ".tgz")
+                        (string-append
+                         "ftp://ftp.dti.ad.jp/pub/net/OpenLDAP/"
+                         "openldap-release/openldap-" version ".tgz")))
+             (sha256
+              (base32
+               "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw"))))
    (build-system gnu-build-system)
    (inputs `(("bdb" ,bdb-5.3)
              ("cyrus-sasl" ,cyrus-sasl)
@@ -127,19 +125,6 @@
    (license openldap2.8)
    (home-page "https://www.openldap.org/")))
 
-(define openldap-2.4.50
-  (package
-    (inherit openldap)
-    (version "2.4.50")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "https://www.openldap.org/software/download/"
-                                  "OpenLDAP/openldap-release/openldap-" version
-                                  ".tgz"))
-              (sha256
-               (base32
-                "1f46nlfwmys110j36sifm7ah8m8f3s10c3vaiikmmigmifapvdaw"))))))
-
 (define-public nss-pam-ldapd
   (package
     (name "nss-pam-ldapd")
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index df217c801f..801d74627b 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -405,7 +405,7 @@ $(prefix)/etc/init.d\n")))
 
          ("glibc-utf8-locales" ,glibc-utf8-locales)))
       (propagated-inputs
-       `(("gnutls" ,(if (%current-target-system) gnutls/fixed gnutls))
+       `(("gnutls" ,gnutls)
          ;; Avahi requires "glib" which doesn't cross-compile yet.
          ,@(if (%current-target-system)
                '()
diff --git a/gnu/packages/patches/ghostscript-CVE-2020-15900.patch b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
new file mode 100644
index 0000000000..b6658d7c7f
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2020-15900.patch
@@ -0,0 +1,36 @@
+Fix CVE-2020-15900.
+
+https://cve.circl.lu/cve/CVE-2020-15900
+https://artifex.com/security-advisories/CVE-2020-15900
+
+Taken from upstream:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
+
+diff --git a/psi/zstring.c b/psi/zstring.c
+--- a/psi/zstring.c
++++ b/psi/zstring.c
+@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward)
+     return 0;
+ found:
+     op->tas.type_attrs = op1->tas.type_attrs;
+-    op->value.bytes = ptr;
+-    r_set_size(op, size);
++    op->value.bytes = ptr;				/* match */
++    op->tas.rsize = size;				/* match */
+     push(2);
+-    op[-1] = *op1;
+-    r_set_size(op - 1, ptr - op[-1].value.bytes);
+-    op1->value.bytes = ptr + size;
+-    r_set_size(op1, count + (!forward ? (size - 1) : 0));
++    op[-1] = *op1;					/* pre */
++    op[-3].value.bytes = ptr + size;			/* post */
++    if (forward) {
++        op[-1].tas.rsize = ptr - op[-1].value.bytes;	/* pre */
++        op[-3].tas.rsize = count;			/* post */
++    } else {
++        op[-1].tas.rsize = count;			/* pre */
++        op[-3].tas.rsize -= count + size;		/* post */
++    }
+     make_true(op);
+     return 0;
+ }
diff --git a/gnu/packages/patches/ghostscript-freetype-compat.patch b/gnu/packages/patches/ghostscript-freetype-compat.patch
new file mode 100644
index 0000000000..cc225b5ad6
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-freetype-compat.patch
@@ -0,0 +1,35 @@
+Fix build with FreeType 2.10.3 and newer.
+
+Taken from upstream:
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=41ef9a0bc36b9db7115fbe9623f989bfb47bbade
+
+diff --git a/base/fapi_ft.c b/base/fapi_ft.c
+--- a/base/fapi_ft.c
++++ b/base/fapi_ft.c
+@@ -125,7 +125,7 @@ static void
+ delete_inc_int_info(gs_fapi_server * a_server,
+                     FT_IncrementalRec * a_inc_int_info);
+ 
+-FT_CALLBACK_DEF(void *)
++static void *
+ FF_alloc(FT_Memory memory, long size)
+ {
+     gs_memory_t *mem = (gs_memory_t *) memory->user;
+@@ -133,7 +133,7 @@ FF_alloc(FT_Memory memory, long size)
+     return (gs_malloc(mem, size, 1, "FF_alloc"));
+ }
+ 
+-FT_CALLBACK_DEF(void *)
++static void *
+     FF_realloc(FT_Memory memory, long cur_size, long new_size, void *block)
+ {
+     gs_memory_t *mem = (gs_memory_t *) memory->user;
+@@ -153,7 +153,7 @@ FT_CALLBACK_DEF(void *)
+     return (tmp);
+ }
+ 
+-FT_CALLBACK_DEF(void)
++static void
+     FF_free(FT_Memory memory, void *block)
+ {
+     gs_memory_t *mem = (gs_memory_t *) memory->user;
diff --git a/gnu/packages/patches/libssh2-CVE-2019-17498.patch b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
new file mode 100644
index 0000000000..6f69e562e2
--- /dev/null
+++ b/gnu/packages/patches/libssh2-CVE-2019-17498.patch
@@ -0,0 +1,126 @@
+https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c.patch
+
+From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+
+* packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+---
+ src/packet.c | 68 ++++++++++++++++++++++------------------------------
+ 1 file changed, 29 insertions(+), 39 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 38ab62944..2e01bfc5d 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                     size_t datalen, int macstate)
+ {
+     int rc = 0;
+-    char *message = NULL;
+-    char *language = NULL;
++    unsigned char *message = NULL;
++    unsigned char *language = NULL;
+     size_t message_len = 0;
+     size_t language_len = 0;
+     LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+         case SSH_MSG_DISCONNECT:
+             if(datalen >= 5) {
+-                size_t reason = _libssh2_ntohu32(data + 1);
++                uint32_t reason = 0;
++                struct string_buf buf;
++                buf.data = (unsigned char *)data;
++                buf.dataptr = buf.data;
++                buf.len = datalen;
++                buf.dataptr++; /* advance past type */
+ 
+-                if(datalen >= 9) {
+-                    message_len = _libssh2_ntohu32(data + 5);
++                _libssh2_get_u32(&buf, &reason);
++                _libssh2_get_string(&buf, &message, &message_len);
++                _libssh2_get_string(&buf, &language, &language_len);
+ 
+-                    if(message_len < datalen-13) {
+-                        /* 9 = packet_type(1) + reason(4) + message_len(4) */
+-                        message = (char *) data + 9;
+-
+-                        language_len =
+-                            _libssh2_ntohu32(data + 9 + message_len);
+-                        language = (char *) data + 9 + message_len + 4;
+-
+-                        if(language_len > (datalen-13-message_len)) {
+-                            /* bad input, clear info */
+-                            language = message = NULL;
+-                            language_len = message_len = 0;
+-                        }
+-                    }
+-                    else
+-                        /* bad size, clear it */
+-                        message_len = 0;
+-                }
+                 if(session->ssh_msg_disconnect) {
+-                    LIBSSH2_DISCONNECT(session, reason, message,
+-                                       message_len, language, language_len);
++                    LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++                                       message_len, (const char *)language,
++                                       language_len);
+                 }
++
+                 _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+                                "Disconnect(%d): %s(%s)", reason,
+                                message, language);
+@@ -539,24 +529,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 int always_display = data[1];
+ 
+                 if(datalen >= 6) {
+-                    message_len = _libssh2_ntohu32(data + 2);
+-
+-                    if(message_len <= (datalen - 10)) {
+-                        /* 6 = packet_type(1) + display(1) + message_len(4) */
+-                        message = (char *) data + 6;
+-                        language_len = _libssh2_ntohu32(data + 6 +
+-                                                        message_len);
+-
+-                        if(language_len <= (datalen - 10 - message_len))
+-                            language = (char *) data + 10 + message_len;
+-                    }
++                    struct string_buf buf;
++                    buf.data = (unsigned char *)data;
++                    buf.dataptr = buf.data;
++                    buf.len = datalen;
++                    buf.dataptr += 2; /* advance past type & always display */
++
++                    _libssh2_get_string(&buf, &message, &message_len);
++                    _libssh2_get_string(&buf, &language, &language_len);
+                 }
+ 
+                 if(session->ssh_msg_debug) {
+-                    LIBSSH2_DEBUG(session, always_display, message,
+-                                  message_len, language, language_len);
++                    LIBSSH2_DEBUG(session, always_display,
++                                  (const char *)message,
++                                  message_len, (const char *)language,
++                                  language_len);
+                 }
+             }
++
+             /*
+              * _libssh2_debug will actually truncate this for us so
+              * that it's not an inordinate about of data
+@@ -579,7 +569,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if(datalen >= (6 + len)) {
++                if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
diff --git a/gnu/packages/patches/python-CVE-2020-26116.patch b/gnu/packages/patches/python-CVE-2020-26116.patch
new file mode 100644
index 0000000000..dc0571e964
--- /dev/null
+++ b/gnu/packages/patches/python-CVE-2020-26116.patch
@@ -0,0 +1,47 @@
+Fix CVE-2020-26116:
+
+https://cve.circl.lu/cve/CVE-2020-26116
+https://bugs.python.org/issue39603
+
+Taken from upstream (sans test and NEWS update):
+https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -147,6 +147,10 @@
+ #  _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+ # We are more lenient for assumed real world compatibility purposes.
+ 
++# These characters are not allowed within HTTP method names
++# to prevent http header injection.
++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,
+         else:
+             raise CannotSendRequest(self.__state)
+ 
++        self._validate_method(method)
++
+         # Save the method for use later in the response phase
+         self._method = method
+ 
+@@ -1177,6 +1183,15 @@ def _encode_request(self, request):
+         # ASCII also helps prevent CVE-2019-9740.
+         return request.encode('ascii')
+ 
++    def _validate_method(self, method):
++        """Validate a method name for putrequest."""
++        # prevent http header injection
++        match = _contains_disallowed_method_pchar_re.search(method)
++        if match:
++            raise ValueError(
++                    f"method can't contain control characters. {method!r} "
++                    f"(found at least {match.group()!r})")
++
+     def _validate_path(self, url):
+         """Validate a url for putrequest."""
+         # Prevent CVE-2019-9740.
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index fa9bf10e07..27e9b70432 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -370,6 +370,7 @@ data types.")
               (uri (string-append "https://www.python.org/ftp/python/"
                                   version "/Python-" version ".tar.xz"))
               (patches (search-patches
+                        "python-CVE-2020-26116.patch"
                         "python-3-fix-tests.patch"
                         "python-3.8-fix-tests.patch"
                         "python-3-deterministic-build-info.patch"
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 146177f7f3..0f2434d7c5 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
-;;; Copyright © 2015, 2016, 2018, 2019 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016, 2018, 2019, 2020 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016, 2019 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 Nicolas Goaziou <mail@nicolasgoaziou.fr>
 ;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org>
@@ -165,7 +165,8 @@ applications.")
                    version ".tar.gz"))
             (sha256
              (base32
-              "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym"))))
+              "1zfsz9nldakfz61d2j70pk29zlmj7w2vv46s9l3x2prhcgaqpyym"))
+            (patches (search-patches "libssh2-CVE-2019-17498.patch"))))
    (build-system gnu-build-system)
    ;; The installed libssh2.pc file does not include paths to libgcrypt and
    ;; zlib libraries, so we need to propagate the inputs.
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index ab2a1f8628..0724d4d5be 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -164,21 +164,19 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
-    ;; XXX Unversion openconnect's "gnutls" input when ungrafting.
-    (replacement gnutls/fixed)
-    (version "3.6.12")
+    (version "3.6.15")
     (source (origin
-             (method url-fetch)
-             (uri
+              (method url-fetch)
               ;; Note: Releases are no longer on ftp.gnu.org since the
               ;; schism (after version 3.1.5).
-              (string-append "mirror://gnupg/gnutls/v"
-                             (version-major+minor version)
-                             "/gnutls-" version ".tar.xz"))
-             (patches (search-patches "gnutls-skip-trust-store-test.patch"))
-             (sha256
-              (base32
-               "0jvca1qahn9lrwv6f5kfs95icirc15b2a8x9fzczyj996ipg3b5z"))))
+              (uri (string-append "mirror://gnupg/gnutls/v"
+                                  (version-major+minor version)
+                                  "/gnutls-" version ".tar.xz"))
+              (patches (search-patches "gnutls-skip-trust-store-test.patch"
+                                       "gnutls-cross.patch"))
+              (sha256
+               (base32
+                "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? ,(not (or (%current-target-system)
@@ -228,7 +226,11 @@ living in the same process.")
                "debug"
                "doc"))                            ;4.1 MiB of man pages
     (native-inputs
-     `(,@(if (hurd-target?) '()
+     `(,@(if (%current-target-system)             ;for cross-build
+             `(("guile" ,guile-3.0))              ;to create .go files
+             '())
+       ,@(if (hurd-target?)
+             '()
              `(("net-tools" ,net-tools)))
        ("pkg-config" ,pkg-config)
        ("which" ,which)
@@ -254,27 +256,6 @@ required structures.")
     (properties '((ftp-server . "ftp.gnutls.org")
                   (ftp-directory . "/gcrypt/gnutls")))))
 
-;; Replacement package to fix multiple security vulnerabilities.
-(define-public gnutls/fixed
-  (package
-    (inherit gnutls)
-    (version "3.6.15")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnupg/gnutls/v"
-                                  (version-major+minor version)
-                                  "/gnutls-" version ".tar.xz"))
-              (patches (search-patches "gnutls-skip-trust-store-test.patch"
-                                       "gnutls-cross.patch"))
-              (sha256
-               (base32
-                "0n0m93ymzd0q9hbknxc2ycanz49sqlkyyf73g9fk7n787llc7a0f"))))
-    (native-inputs
-     `(,@(if (%current-target-system)             ;for cross-build
-             `(("guile" ,guile-3.0))              ;to create .go files
-             '())
-       ,@(package-native-inputs gnutls)))))
-
 (define-public gnutls/guile-2.0
   ;; GnuTLS for Guile 2.0.
   (package/inherit gnutls
@@ -287,7 +268,7 @@ required structures.")
   ;; Authentication of Named Entities.  This is required for GNS functionality
   ;; by GNUnet and gnURL.  This is done in an extra package definition
   ;; to have the choice between GnuTLS with Dane and without Dane.
-  (package/inherit gnutls/fixed
+  (package/inherit gnutls
     (name "gnutls-dane")
     (inputs `(("unbound" ,unbound)
               ,@(package-inputs gnutls)))))
@@ -306,8 +287,7 @@ required structures.")
 (define-public openssl
   (package
    (name "openssl")
-   (version "1.1.1f")
-   (replacement openssl-1.1.1i)
+   (version "1.1.1i")
    (source (origin
              (method url-fetch)
              (uri (list (string-append "https://www.openssl.org/source/openssl-"
@@ -317,10 +297,10 @@ required structures.")
                         (string-append "ftp://ftp.openssl.org/source/old/"
                                        (string-trim-right version char-set:letter)
                                        "/openssl-" version ".tar.gz")))
+             (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
              (sha256
               (base32
-               "0d9zv9srjqivs8nn099fpbjv1wyhfcb8lzy491dpmfngdvz6nv0q"))
-             (patches (search-patches "openssl-1.1-c-rehash-in.patch"))))
+               "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"         ;6.8 MiB of man3 pages and full HTML documentation
@@ -439,24 +419,6 @@ required structures.")
    (license license:openssl)
    (home-page "https://www.openssl.org/")))
 
-(define openssl-1.1.1i
-  (package
-   (inherit openssl)
-   (version "1.1.1i")
-   (source (origin
-             (method url-fetch)
-             (uri (list (string-append "https://www.openssl.org/source/openssl-"
-                                       version ".tar.gz")
-                        (string-append "ftp://ftp.openssl.org/source/"
-                                       "openssl-" version ".tar.gz")
-                        (string-append "ftp://ftp.openssl.org/source/old/"
-                                       (string-trim-right version char-set:letter)
-                                       "/openssl-" version ".tar.gz")))
-             (patches (search-patches "openssl-1.1-c-rehash-in.patch"))
-             (sha256
-              (base32
-               "0hjj1phcwkz69lx1lrvr9grhpl4y529mwqycqc1hdla1zqsnmgp8"))))))
-
 (define-public openssl-1.0
   (package
     (inherit openssl)
diff --git a/gnu/packages/vpn.scm b/gnu/packages/vpn.scm
index c1f0b65e84..525d1ddb3f 100644
--- a/gnu/packages/vpn.scm
+++ b/gnu/packages/vpn.scm
@@ -264,9 +264,7 @@ the user specifically asks to proxy, so the @dfn{VPN} interface no longer
    (build-system gnu-build-system)
    (propagated-inputs
     `(("libxml2" ,libxml2)
-      ;; XXX ‘DTLS is insecure in GnuTLS v3.6.3 through v3.6.12.’
-      ;; See <https://gitlab.com/gnutls/gnutls/-/issues/960>.
-      ("gnutls" ,gnutls/fixed)
+      ("gnutls" ,gnutls)
       ("zlib" ,zlib)))
    (inputs
     `(("lz4" ,lz4)
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index bd1e7eccaa..5851251c6d 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -900,7 +900,6 @@ data.")
 
 (define-public json-c
   (package
-    (replacement json-c/fixed)
     (name "json-c")
     (version "0.14")
     (source (origin
@@ -910,7 +909,8 @@ data.")
                    version ".tar.gz"))
              (sha256
               (base32
-               "0w381krr99q5a2rypx4g437fa7gzgl82i64sgnrs6g5jr44dwxxk"))))
+               "0w381krr99q5a2rypx4g437fa7gzgl82i64sgnrs6g5jr44dwxxk"))
+              (patches (search-patches "json-c-CVE-2020-12762.patch"))))
     (build-system cmake-build-system)
     (home-page "https://github.com/json-c/json-c/wiki")
     (synopsis "JSON implementation in C")
@@ -921,15 +921,6 @@ parse JSON-formatted strings back into the C representation of JSON objects.
 It aims to conform to RFC 7159.")
     (license license:x11)))
 
-(define json-c/fixed
-  (package
-    (inherit json-c)
-    (name "json-c")
-    (version "0.14")
-    (source (origin
-              (inherit (package-source json-c))
-              (patches (search-patches "json-c-CVE-2020-12762.patch"))))))
-
 ;; TODO: Remove these old versions when all dependents have been updated.
 (define-public json-c-0.13
   (package
@@ -7447,8 +7438,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
 (define-public nghttp2
   (package
     (name "nghttp2")
-    (version "1.40.0")
-    (replacement nghttp2-1.41)
+    (version "1.41.0")
     (source
      (origin
        (method url-fetch)
@@ -7457,7 +7447,7 @@ derivation by David Revoy from the original MonsterID by Andreas Gohr.")
                            "nghttp2-" version ".tar.xz"))
        (sha256
         (base32
-         "0wwhwv7cvi1vxpdjwvg0kpa4jzhszclpnwrwfcw728zz53a47z09"))))
+         "1hk77vngjmvvzb5y1gi1aqwf6qywrc7yak08zvzb7x81qs6mphmb"))))
     (build-system gnu-build-system)
     (outputs (list "out"
                    "lib"))              ; only libnghttp2
@@ -7531,20 +7521,6 @@ compressed JSON header blocks.
 @end itemize\n")
     (license license:expat)))
 
-(define-public nghttp2-1.41                       ;fixes CVE-2020-11080
-  (package
-    (inherit nghttp2)
-    (version "1.41.0")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append "https://github.com/nghttp2/nghttp2/"
-                           "releases/download/v" version "/"
-                           "nghttp2-" version ".tar.xz"))
-       (sha256
-        (base32
-         "1hk77vngjmvvzb5y1gi1aqwf6qywrc7yak08zvzb7x81qs6mphmb"))))))
-
 (define-public hpcguix-web
   (let ((commit "9de63562b06b4aef3a3afe5ecb18d3c91e57ee74")
         (revision "5"))
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 3a26acc802..cd3a7d3765 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015, 2017, 2018, 2020 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2015 Eric Bavier <bavier@member.fsf.org>
-;;; Copyright © 2015, 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Eric Dvorsak <eric@dvorsak.fr>
 ;;; Copyright © 2016 Mathieu Lirzin <mthl@gnu.org>
 ;;; Copyright © 2015 Cyrill Schenkel <cyrill.schenkel@gmail.com>
@@ -5473,8 +5473,7 @@ draggable titlebars and borders.")
 (define-public libx11
   (package
     (name "libx11")
-    (version "1.6.9")
-    (replacement libx11/fixed)
+    (version "1.6.10")
     (source
       (origin
         (method url-fetch)
@@ -5484,7 +5483,7 @@ draggable titlebars and borders.")
                ".tar.bz2"))
         (sha256
           (base32
-            "1ldyn9c6pyx54sxzaw120n3q42rqi7b503aqmyjky6fn038fiiww"))))
+            "09k2pqmqbn2m1bpgl7jfxyqxaaxsnzbnp2bp8ycmqldqi5ln4j5g"))))
     (build-system gnu-build-system)
     (outputs '("out"
                "doc"))                            ;8 MiB of man pages + XML
@@ -5512,19 +5511,6 @@ draggable titlebars and borders.")
     (description "Xorg Core X11 protocol client library.")
     (license license:x11)))
 
-(define libx11/fixed  ; Fixes CVE-2020-14344
-  (package
-    (inherit libx11)
-    (version "1.6.A")
-    (source
-      (origin
-        (method url-fetch)
-        (uri (string-append
-               "mirror://xorg/individual/lib/libX11-1.6.10.tar.bz2"))
-        (sha256
-          (base32
-            "09k2pqmqbn2m1bpgl7jfxyqxaaxsnzbnp2bp8ycmqldqi5ln4j5g"))))))
-
 ;; packages of height 5 in the propagated-inputs tree
 
 (define-public libxcursor