-rw-r--r--README5
-rw-r--r--gnu/local.mk8
-rw-r--r--gnu/packages/admin.scm14
-rw-r--r--gnu/packages/assembly.scm5
-rw-r--r--gnu/packages/bioinformatics.scm27
-rw-r--r--gnu/packages/compression.scm24
-rw-r--r--gnu/packages/crypto.scm9
-rw-r--r--gnu/packages/curl.scm31
-rw-r--r--gnu/packages/digest.scm55
-rw-r--r--gnu/packages/dns.scm6
-rw-r--r--gnu/packages/emacs.scm25
-rw-r--r--gnu/packages/games.scm10
-rw-r--r--gnu/packages/gimp.scm5
-rw-r--r--gnu/packages/golang.scm75
-rw-r--r--gnu/packages/kde-frameworks.scm4
-rw-r--r--gnu/packages/kde.scm24
-rw-r--r--gnu/packages/libreoffice.scm2
-rw-r--r--gnu/packages/moreutils.scm6
-rw-r--r--gnu/packages/package-management.scm5
-rw-r--r--gnu/packages/patches/fossil-CVE-2017-17459.patch57
-rw-r--r--gnu/packages/patches/gimp-CVE-2017-17784.patch41
-rw-r--r--gnu/packages/patches/gimp-CVE-2017-17785.patch171
-rw-r--r--gnu/packages/patches/gimp-CVE-2017-17786.patch94
-rw-r--r--gnu/packages/patches/gimp-CVE-2017-17787.patch42
-rw-r--r--gnu/packages/patches/gimp-CVE-2017-17789.patch48
-rw-r--r--gnu/packages/patches/httpd-CVE-2017-9798.patch22
-rw-r--r--gnu/packages/perl-check.scm37
-rw-r--r--gnu/packages/perl.scm49
-rw-r--r--gnu/packages/python.scm7
-rw-r--r--gnu/packages/regex.scm5
-rw-r--r--gnu/packages/shells.scm4
-rw-r--r--gnu/packages/version-control.scm2
-rw-r--r--gnu/packages/video.scm4
-rw-r--r--gnu/packages/web.scm5
-rw-r--r--gnu/packages/wine.scm115
-rw-r--r--guix/ui.scm4
-rw-r--r--nix/scripts/list-runtime-roots.in7
37 files changed, 923 insertions, 131 deletions
diff --git a/README b/README
index 18e685672d..4192eb4129 100644
--- a/README
+++ b/README
@@ -23,10 +23,9 @@ GNU Guix currently depends on the following packages:
   - [[https://gnu.org/software/guile/][GNU Guile 2.2.x or 2.0.x]], version 2.0.9 or later
   - [[https://gnupg.org/][GNU libgcrypt]]
   - [[https://www.gnu.org/software/make/][GNU Make]]
+  - [[https://www.gnutls.org][GnuTLS]] compiled with guile support enabled.
+  - [[https://gitlab.com/guile-git/guile-git][Guile-Git]]
   - optionally [[https://savannah.nongnu.org/projects/guile-json/][Guile-JSON]], for the 'guix import pypi' command
-  - optionally [[https://www.gnutls.org][GnuTLS]] compiled with guile support enabled, for HTTPS support
-    in the 'guix download' command.  Note that 'guix import pypi' requires
-    this functionality.
 
 Unless `--disable-daemon' was passed, the following packages are needed:
 
diff --git a/gnu/local.mk b/gnu/local.mk
index 7299372e8d..37a31299a5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -119,6 +119,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/packages/dejagnu.scm			\
   %D%/packages/dico.scm				\
   %D%/packages/dictionaries.scm			\
+  %D%/packages/digest.scm			\
   %D%/packages/direct-connect.scm		\
   %D%/packages/disk.scm				\
   %D%/packages/display-managers.scm		\
@@ -639,6 +640,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/foomatic-filters-CVE-2015-8327.patch	\
   %D%/packages/patches/foomatic-filters-CVE-2015-8560.patch	\
   %D%/packages/patches/fontconfig-remove-debug-printf.patch	\
+  %D%/packages/patches/fossil-CVE-2017-17459.patch		\
   %D%/packages/patches/freeimage-CVE-2015-0852.patch		\
   %D%/packages/patches/freeimage-CVE-2016-5684.patch		\
   %D%/packages/patches/freeimage-fix-build-with-gcc-5.patch	\
@@ -672,6 +674,11 @@ dist_patch_DATA =						\
   %D%/packages/patches/ghostscript-no-header-uuid.patch		\
   %D%/packages/patches/ghostscript-no-header-creationdate.patch \
   %D%/packages/patches/ghostscript-runpath.patch		\
+  %D%/packages/patches/gimp-CVE-2017-17784.patch		\
+  %D%/packages/patches/gimp-CVE-2017-17785.patch		\
+  %D%/packages/patches/gimp-CVE-2017-17786.patch		\
+  %D%/packages/patches/gimp-CVE-2017-17787.patch		\
+  %D%/packages/patches/gimp-CVE-2017-17789.patch		\
   %D%/packages/patches/glib-networking-ssl-cert-file.patch	\
   %D%/packages/patches/glib-respect-datadir.patch		\
   %D%/packages/patches/glib-tests-timer.patch			\
@@ -738,7 +745,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/heimdal-CVE-2017-11103.patch		\
   %D%/packages/patches/hmmer-remove-cpu-specificity.patch	\
   %D%/packages/patches/higan-remove-march-native-flag.patch	\
-  %D%/packages/patches/httpd-CVE-2017-9798.patch		\
   %D%/packages/patches/hubbub-sort-entities.patch		\
   %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch        \
   %D%/packages/patches/hydra-disable-darcs-test.patch		\
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index f8b0cc388e..d90bc7c050 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2016 Peter Feigl <peter.feigl@nexoid.at>
 ;;; Copyright © 2016 John J. Foerch <jjfoerch@earthlink.net>
 ;;; Copyright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
-;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2017 Ben Sturmfels <ben@sturm.com.au>
 ;;; Copyright © 2017 Ethan R. Jones <doubleplusgood23@gmail.com>
@@ -1387,14 +1387,14 @@ of supported upstream metrics systems simultaneously.")
 (define-public ansible
   (package
     (name "ansible")
-    (version "2.4.1.0")
+    (version "2.4.2.0")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "ansible" version))
        (sha256
         (base32
-         "0spv0kjaicwss4q52s727b6grdizcxpa0bbsfg26pgf5kjrayqfs"))
+         "0n3n9py4s3aykiii31xq8g4wmd6693jvby0424pjrg0bna01apri"))
        (patches (search-patches "ansible-wrap-program-hack.patch"))))
     (build-system python-build-system)
     (native-inputs
@@ -1413,12 +1413,12 @@ of supported upstream metrics systems simultaneously.")
        ("python2-paramiko" ,python2-paramiko)))
     (arguments
      `(#:python ,python-2)) ; incompatible with Python 3
-    (home-page "http://ansible.com/")
+    (home-page "https://www.ansible.com/")
     (synopsis "Radically simple IT automation")
     (description "Ansible is a radically simple IT automation system.  It
-handles configuration-management, application deployment, cloud provisioning,
-ad-hoc task-execution, and multinode orchestration - including trivializing
-things like zero downtime rolling updates with load balancers.")
+handles configuration management, application deployment, cloud provisioning,
+ad hoc task execution, and multinode orchestration---including trivializing
+things like zero-downtime rolling updates with load balancers.")
     (license license:gpl3+)))
 
 (define-public cpulimit
diff --git a/gnu/packages/assembly.scm b/gnu/packages/assembly.scm
index 769e5d2fca..22765b456a 100644
--- a/gnu/packages/assembly.scm
+++ b/gnu/packages/assembly.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2013, 2015 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -34,14 +35,14 @@
 (define-public nasm
   (package
     (name "nasm")
-    (version "2.13.01")
+    (version "2.13.02")
     (source (origin
               (method url-fetch)
               (uri (string-append "http://www.nasm.us/pub/nasm/releasebuilds/"
                                   version "/" name "-" version ".tar.xz"))
               (sha256
                (base32
-                "0plsvcwxc7q3llr3bz10prwq1gn4ll38aqmv0yzfqcq4iw0160ma"))))
+                "0mqp559rypkv4cz3wb8crkp0s3a3lhcprvypm3vqz0x695gj7hwa"))))
     (build-system gnu-build-system)
     (native-inputs `(("perl" ,perl)  ;for doc and test target
                      ("texinfo" ,texinfo)))
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index d3d9344322..0e9c20f1f1 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -7,7 +7,7 @@
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2016 Raoul Bonnal <ilpuccio.febo@gmail.com>
-;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Arun Isaac <arunisaac@systemreboot.net>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -493,6 +493,20 @@ BED, GFF/GTF, VCF.")
                (base32
                 "0ykjbps1y3z3085q94npw8i9x5gldc6shy8vlc08v76zljsm07hv"))))
     (build-system gnu-build-system)
+    (arguments
+     `(#:phases
+       (modify-phases %standard-phases
+         (add-after 'install 'wrap-executables
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let* ((out (assoc-ref outputs "out")))
+               (for-each
+                (lambda (script)
+                  (wrap-program (string-append out "/bin/" script)
+                    `("R_LIBS_SITE" ":" = (,(getenv "R_LIBS_SITE")))))
+                '("create_annotations_files.bash"
+                  "create_metaplots.bash"
+                  "Ribotaper_ORF_find.sh"
+                  "Ribotaper.sh"))))))))
     (inputs
      `(("bedtools" ,bedtools-2.18)
        ("samtools" ,samtools-0.1)
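Review bot: The `wrap-executables` phase sets `R_LIBS_SITE` with `=`, which replaces whatever value the user has at run time with the one captured at build time. If that isolation is intended, a one-line comment such as `;; Pin R libraries to the build inputs; ignore the caller's R_LIBS_SITE.` would say so. The lambda also ends on the `for-each` result rather than an explicit `#t`, unlike the other phases added in this commit, and its `inputs` key is unused. The package definition starts above the hunk.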
@@ -1439,7 +1453,7 @@ multiple sequence alignments.")
 (define-public python-pysam
   (package
     (name "python-pysam")
-    (version "0.11.2.2")
+    (version "0.13.0")
     (source (origin
               (method url-fetch)
               ;; Test data is missing on PyPi.
@@ -1449,7 +1463,7 @@ multiple sequence alignments.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "1cfqdxsqs3xhacns9n0271ck6wkc76px66ddjm91wfw2jxxfklvc"))
+                "0dzap2axin9cbbl0d825w294bpn00zagfm1sigamm4v2pm5bj9lp"))
               (modules '((guix build utils)))
               (snippet
                ;; Drop bundled htslib. TODO: Also remove samtools and bcftools.
@@ -3213,7 +3227,7 @@ VCF.")
 (define-public htslib
   (package
     (name "htslib")
-    (version "1.5")
+    (version "1.6")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -3221,7 +3235,7 @@ VCF.")
                     version "/htslib-" version ".tar.bz2"))
               (sha256
                (base32
-                "0bcjmnbwp2bib1z1bkrp95w9v2syzdwdfqww10mkb1hxlmg52ax0"))))
+                "1jsca3hg4rbr6iqq6imkj4lsvgl8g9768bcmny3hlff2w25vx24m"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
@@ -3242,7 +3256,8 @@ VCF.")
     (synopsis "C library for reading/writing high-throughput sequencing data")
     (description
      "HTSlib is a C library for reading/writing high-throughput sequencing
-data.  It also provides the bgzip, htsfile, and tabix utilities.")
+data.  It also provides the @command{bgzip}, @command{htsfile}, and
+@command{tabix} utilities.")
     ;; Files under cram/ are released under the modified BSD license;
     ;; the rest is released under the Expat license
     (license (list license:expat license:bsd-3))))
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 47241321fe..c92442042f 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -10,7 +10,7 @@
 ;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Ben Woodcroft <donttrustben@gmail.com>
 ;;; Copyright © 2016 Danny Milosavljevic <dannym@scratchpost.org>
-;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2016 David Craven <david@craven.ch>
 ;;; Copyright © 2016 Kei Kebreau <kkebreau@posteo.net>
 ;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
@@ -58,6 +58,7 @@
   #:use-module (gnu packages java)
   #:use-module (gnu packages maths)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages perl-check)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages tls)
@@ -1810,24 +1811,27 @@ recreates the stored directory structure by default.")
      "ZZipLib is a library based on zlib for accessing zip files.")
     (license license:lgpl2.0+)))
 
-(define-public perl-zip
+(define-public perl-archive-zip
   (package
-    (name "perl-zip")
-    (version "1.59")
+    (name "perl-archive-zip")
+    (version "1.60")
     (source
      (origin
        (method url-fetch)
        (uri (string-append
-             "mirror://cpan/authors/id/A/AD/ADAMK/Archive-Zip-"
+             "mirror://cpan/authors/id/P/PH/PHRED/Archive-Zip-"
              version ".tar.gz"))
        (sha256
         (base32
-         "0m31qlppg65vh32pwxkwjby02q70abx49d2yk6vfd4585fqb27cx"))))
+         "02y2ylq83hy9kgj57sc0239x65br9sm98c0chsm61s08yc2mpiza"))))
     (build-system perl-build-system)
-    (synopsis  "Provides an interface to ZIP archive files")
-    (description "The Archive::Zip module allows a Perl program to create,
-manipulate, read, and write Zip archive files.")
-    (home-page "http://search.cpan.org/~adamk/Archive-Zip-1.30/")
+    (native-inputs
+     ;; For tests.
+     `(("perl-test-mockmodule" ,perl-test-mockmodule)))
+    (synopsis  "Provides an interface to Zip archive files")
+    (description "The @code{Archive::Zip} module allows a Perl program to
+create, manipulate, read, and write Zip archive files.")
+    (home-page "http://search.cpan.org/dist/Archive-Zip/")
     (license license:perl-license)))
 
 (define-public libzip
diff --git a/gnu/packages/crypto.scm b/gnu/packages/crypto.scm
index 92da952999..1ac704ddb8 100644
--- a/gnu/packages/crypto.scm
+++ b/gnu/packages/crypto.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2015, 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 Lukas Gradl <lgradl@openmailbox>
-;;; Copyright © 2016 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2016, 2017 ng0 <ng0@infotropique.org>
 ;;; Copyright © 2016, 2017 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2017 Pierre Langlois <pierre.langlois@gmx.com>
@@ -595,6 +595,13 @@ data on your platform, so the seed itself will be as random as possible.
        (list (string-append "PREFIX=" (assoc-ref %outputs "out")))
        #:phases
        (modify-phases %standard-phases
+         (add-after 'unpack 'disable-native-optimisation
+           ;; This package installs more than just headers.  Ensure that the
+           ;; cryptest.exe binary & static library aren't CPU model specific.
+           (lambda _
+             (substitute* "GNUmakefile"
+               ((" -march=native") ""))
+             #t))
          (delete 'configure))))
     (native-inputs
      `(("unzip" ,unzip)))
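Review bot: `substitute*` does not fail when its pattern matches nothing, so if a later GNUmakefile spells the flag differently the `disable-native-optimisation` phase silently stops working. The installed library and `cryptest.exe` would then be tuned for the build machine's CPU again, with no build failure to flag it. The pattern also requires exactly one leading space and would not catch any other `=native` tuning flag, if the makefile has one (it is not shown here). I would extend the comment to say that the makefile must be re-checked on every version bump. The `arguments` form starts above the hunk.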
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 3df8acc2c7..302c696233 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -26,10 +26,13 @@
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix git-download)
   #:use-module (guix utils)
   #:use-module (guix build-system gnu)
+  #:use-module (guix build-system go)
   #:use-module (gnu packages)
   #:use-module (gnu packages compression)
+  #:use-module (gnu packages golang)
   #:use-module (gnu packages groff)
   #:use-module (gnu packages gsasl)
   #:use-module (gnu packages libidn)
@@ -131,3 +134,31 @@ tunneling, and so on.")
    (license (license:non-copyleft "file://COPYING"
                                   "See COPYING in the distribution."))
    (home-page "https://curl.haxx.se/")))
+
+(define-public kurly
+  (package
+    (name "kurly")
+    (version "1.1.0")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                     (url "https://github.com/davidjpeacock/kurly.git")
+                     (commit (string-append "v" version))))
+              (sha256
+               (base32
+                "1q192f457sjypgvwq7grrf8gq8w272p3zf1d5ppc20mriqm0mbc3"))))
+    (build-system go-build-system)
+    (arguments
+     '(#:import-path "github.com/davidjpeacock/kurly"))
+    (inputs
+     `(("go-github-com-alsm-ioprogress" ,go-github-com-alsm-ioprogress)
+       ("go-github-com-aki237-nscjar" ,go-github-com-aki237-nscjar)
+       ("go-github-com-davidjpeacock-cli" ,go-github-com-davidjpeacock-cli)))
+    (synopsis "Command-line HTTP client")
+    (description "kurly is an alternative to the @code{curl} program written in
+Go.  kurly is designed to operate in a similar manner to curl, with select
+features.  Notably, kurly is not aiming for feature parity, but common flags and
+mechanisms particularly within the HTTP(S) realm are to be expected.  kurly does
+not offer a replacement for libcurl.")
+    (home-page "https://github.com/davidjpeacock/kurly")
+    (license license:asl2.0)))
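Review bot: The `git-fetch` origin has no `file-name`, so the checkout's store name will not carry the package name or version; the three origins added in gnu/packages/golang.scm in this commit have the same gap. Adding `(file-name (string-append name "-" version "-checkout"))` keeps the store item identifiable. The `commit` here is the tag `v` plus the version, which upstream can move. The `sha256` turns a moved tag into a build failure rather than different code, and a short comment saying so would help whoever hits that hash mismatch.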
diff --git a/gnu/packages/digest.scm b/gnu/packages/digest.scm
new file mode 100644
index 0000000000..5f14ab913b
--- /dev/null
+++ b/gnu/packages/digest.scm
@@ -0,0 +1,55 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu packages digest)
+  #:use-module ((guix licenses) #:prefix license:)
+  #:use-module (guix packages)
+  #:use-module (guix download)
+  #:use-module (guix build-system gnu))
+
+(define-public xxhash
+  (package
+    (name "xxhash")
+    (version "0.6.4")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/Cyan4973/xxHash/archive/v"
+                           version ".tar.gz"))
+       (file-name (string-append name "-" version ".tar.gz"))
+       (sha256
+        (base32 "08nv9h3jzg6y85ysy2dj3qvvfsdz0rwkk497a2366syz278wqw25"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:make-flags
+       (list "CC=gcc"
+             "XXH_FORCE_MEMORY_ACCESS=1" ; improved performance with GCC
+             (string-append "prefix=" (assoc-ref %outputs "out")))
+       #:test-target "test"
+       #:phases
+       (modify-phases %standard-phases
+         (delete 'configure))))         ; no configure script
+    (home-page "https://cyan4973.github.io/xxHash/")
+    (synopsis "Extremely fast hash algorithm")
+    (description
+     "xxHash is an extremely fast non-cryptographic hash algorithm.  It works
+at speeds close to RAM limits, and comes in both 32- and 64-bit flavours.
+The code is highly portable, and hashes of the same length are identical on all
+platforms (both big and little endian).")
+    (license (list license:bsd-2        ; xxhash library (xxhash.[ch])
+                   license:gpl2+))))    ; xxhsum.c
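Review bot: `"XXH_FORCE_MEMORY_ACCESS=1"` in `#:make-flags` sets a make variable, not a preprocessor macro, so it changes the build only if the upstream Makefile forwards it to the compiler; that Makefile is not visible here. If it does not, the `; improved performance with GCC` comment describes something that is not happening, and `"CPPFLAGS=-DXXH_FORCE_MEMORY_ACCESS=1"` would make the intent explicit (assuming the Makefile honours CPPFLAGS). Because the macro selects how the library performs unaligned reads, it is worth confirming from the build log that the `test` target runs against a library built with it. Separately, the hard-coded `"CC=gcc"` will pick the wrong compiler in a cross build.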
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index e0197fca32..85b44fb6fb 100644
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -5,7 +5,7 @@
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2016 ng0 <ng0@we.make.ritual.n0.is>
-;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Vasile Dumitrascu <va511e@yahoo.com>
 ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net>
@@ -483,14 +483,14 @@ Extensions} (DNSSEC).")
 (define-public knot
   (package
     (name "knot")
-    (version "2.6.3")
+    (version "2.6.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://secure.nic.cz/files/knot-dns/"
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "143pk2124liiq1r4ja1s579nbv3hm2scbbfbfclc2pw60r07mcig"))
+                "0siqfm6iibx5yfshw40wa2dvmh99bibda6bmj96mbkby0jskf38x"))
               (modules '((guix build utils)))
               (snippet
                '(begin
diff --git a/gnu/packages/emacs.scm b/gnu/packages/emacs.scm
index c4d7e7bc60..b9280728c4 100644
--- a/gnu/packages/emacs.scm
+++ b/gnu/packages/emacs.scm
@@ -6575,3 +6575,28 @@ Feautures:
      "@code{evil-matchit} is a minor mode for jumping between matching tags in
 evil mode using @kbd{%}.  It is a port of @code{matchit} for Vim.")
     (license license:gpl3+)))
+
+(define-public emacs-evil-smartparens
+  (package
+    (name "emacs-evil-smartparens")
+    (version "0.4.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "https://github.com/expez/evil-smartparens/archive/"
+             version ".tar.gz"))
+       (file-name (string-append name "-" version ".tar.gz"))
+       (sha256
+        (base32
+         "1bwzdd3054d407d5j4m3njsbvmc9r8zzp33m32pj3b3irxrl68q0"))))
+    (build-system emacs-build-system)
+    (propagated-inputs
+     `(("emacs-evil" ,emacs-evil)
+       ("emacs-smartparens" ,emacs-smartparens)))
+    (home-page "https://github.com/expez/evil-smartparens")
+    (synopsis "Emacs Evil integration for Smartparens")
+    (description "@code{emacs-evil-smartparens} is an Emacs minor mode which
+makes Evil play nice with Smartparens.  Evil is an Emacs minor mode that
+emulates Vim features and provides Vim-like key bindings.")
+    (license license:gpl3+)))
diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm
index b879fbd5a8..8d0db5ee4f 100644
--- a/gnu/packages/games.scm
+++ b/gnu/packages/games.scm
@@ -4919,7 +4919,8 @@ fight against their plot and save his fellow rabbits from slavery.")
        ("python-2" ,python-2)))
     (build-system gnu-build-system)
     (arguments
-     `(#:phases
+     `(#:make-flags '("config=release" "verbose=1" "-C" "build/workspaces/gcc")
+       #:phases
        (modify-phases %standard-phases
          (add-after 'unpack 'delete-bundles
            (lambda _
@@ -4946,17 +4947,12 @@ fight against their plot and save his fellow rabbits from slavery.")
                  (zero? (system* "./update-workspaces.sh"
                                  (string-append "--libdir=" lib)
                                  (string-append "--datadir=" data)
-                                 "--minimal-flags"
                                  ;; TODO: "--with-system-nvtt"
                                  "--with-system-mozjs38"))))))
-         (add-before 'build 'chdir
-           (lambda _
-             (chdir "build/workspaces/gcc")
-             #t))
          (delete 'check)
          (replace 'install
            (lambda* (#:key inputs outputs #:allow-other-keys)
-             (chdir "../../../binaries")
+             (chdir "binaries")
              (let* ((out (assoc-ref outputs "out"))
                     (bin (string-append out "/bin"))
                     (lib (string-append out "/lib"))
diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index b0797453fa..fc2c8ff516 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -133,6 +133,11 @@ buffers.")
               (uri (string-append "http://download.gimp.org/pub/gimp/v"
                                   (version-major+minor version)
                                   "/gimp-" version ".tar.bz2"))
+              (patches (search-patches "gimp-CVE-2017-17784.patch"
+                                       "gimp-CVE-2017-17785.patch"
+                                       "gimp-CVE-2017-17786.patch"
+                                       "gimp-CVE-2017-17787.patch"
+                                       "gimp-CVE-2017-17789.patch"))
               (sha256
                (base32
                 "12k3lp938qdc9cqj29scg55f3bb8iav2fysd29w0s49bqmfa71wi"))))
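Review bot: The `patches` list goes from `gimp-CVE-2017-17787.patch` straight to `gimp-CVE-2017-17789.patch`, and nothing records why the identifier between them is absent. If that identifier also applies to this GIMP version, the package stays exposed there, and a later audit cannot tell an oversight from a deliberate decision. I would add a comment above the list, e.g. `;; <skipped CVE id>: <not applicable / no upstream fix yet>`, with the placeholders filled in. The patch files themselves are not shown here, so whether they match the upstream fixes could not be checked. The `origin` form starts above the hunk.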
diff --git a/gnu/packages/golang.scm b/gnu/packages/golang.scm
index b8f86ac5fd..e7c2d228cc 100644
--- a/gnu/packages/golang.scm
+++ b/gnu/packages/golang.scm
@@ -27,8 +27,10 @@
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix utils)
   #:use-module (guix download)
+  #:use-module (guix git-download)
   #:use-module (guix packages)
   #:use-module (guix build-system gnu)
+  #:use-module (guix build-system go)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages gcc)
   #:use-module (gnu packages base)
@@ -377,3 +379,76 @@ sequential processes (CSP) concurrent programming features added.")
     (supported-systems %supported-systems)))
 
 (define-public go go-1.9)
+
+(define-public go-github-com-alsm-ioprogress
+  (let ((commit "063c3725f436e7fba0c8f588547bee21ffec7ac5")
+        (revision "0"))
+    (package
+      (name "go-github-com-alsm-ioprogress")
+      (version (git-version "0.0.0" revision commit))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                       (url "https://github.com/alsm/ioprogress.git")
+                       (commit commit)))
+                (sha256
+                 (base32
+                  "10ym5qlq77nynmkxbk767f2hfwyxg2k7hrzph05hvgzv833dhivh"))))
+      (build-system go-build-system)
+      (arguments
+       '(#:import-path "github.com/alsm/ioprogress"))
+      (synopsis "Textual progress bars in Go")
+      (description "@code{ioprogress} is a Go library with implementations of
+@code{io.Reader} and @code{io.Writer} that draws progress bars.  The primary use
+case for these are for command-line applications but alternate progress bar
+writers can be supplied for alternate environments.")
+      (home-page "https://github.com/alsm/ioprogress")
+      (license license:expat))))
+
+(define-public go-github-com-aki237-nscjar
+  (let ((commit "e2df936ddd6050d30dd90c7214c02b5019c42f06")
+        (revision "0"))
+    (package
+      (name "go-github-com-aki237-nscjar")
+      (version (git-version "0.0.0" revision commit))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                       (url "https://github.com/aki237/nscjar.git")
+                       (commit commit)))
+                (sha256
+                 (base32
+                  "03y7zzq12qvhsq86lb06sgns8xrkblbn7i7wd886wk3zr5574b96"))))
+      (build-system go-build-system)
+      (arguments
+       '(#:import-path "github.com/aki237/nscjar"))
+      (synopsis "Handle Netscape / Mozilla cookies")
+      (description "@code{nscjar} is a Go library used to parse and output
+Netscape/Mozilla's old-style cookie files.  It also implements a simple cookie
+jar struct to manage the cookies added to the cookie jar.")
+      (home-page "https://github.com/aki237/nscjar")
+      (license license:expat))))
+
+(define-public go-github-com-davidjpeacock-cli
+  (let ((commit "8ba6f23b6e36d03666a14bd9421f5e3efcb59aca")
+        (revision "0"))
+    (package
+      (name "go-github-com-davidjpeacock-cli")
+      (version (git-version "1.19.1" revision commit))
+      (source (origin
+                (method git-fetch)
+                (uri (git-reference
+                       (url "https://github.com/davidjpeacock/cli.git")
+                       (commit commit)))
+                (sha256
+                 (base32
+                  "01s53ny3p0fdx64rnwcnmjj4xpc5adihnh6islsfq5z1ph2phhnj"))))
+      (build-system go-build-system)
+      (arguments
+       '(#:import-path "github.com/davidjpeacock/cli"))
+      (synopsis "Build command-line interfaces in Go")
+      (description "@code{cli} is a package for building command line
+interfaces in Go.  The goal is to enable developers to write fast and
+distributable command line applications in an expressive way.")
+      (home-page "https://github.com/davidjpeacock/cli")
+      (license license:expat))))
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index 72dff868cc..ef2a7cb07c 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -3359,6 +3359,10 @@ workspace.")
              (mkdir-p ".kde-unit-test/xdg/config")
              (with-output-to-file ".kde-unit-test/xdg/config/foorc"
                (lambda () #t))  ;; simply touch the file
+             ;; Blacklist a test-function (failing at build.kde.org, too).
+             (with-output-to-file "autotests/BLACKLIST"
+               (lambda _
+                 (display "[testSmb]\n*\n")))
              ;; kuniqueapptest hangs. TODO: Make this test pass.
              (zero? (system* "dbus-launch" "ctest" "."
                              "-E" "kstandarddirstest|kuniqueapptest")))))))
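Review bot: `with-output-to-file` truncates its target, so writing `autotests/BLACKLIST` this way discards any blacklist entries the source tarball already ships in that file; whether one exists is not visible in this hunk. If it does, tests that upstream has marked as known-bad would start counting again. Opening the file in append mode, or stating in the comment that upstream ships no BLACKLIST, would settle it. The comment could also name the test binary that `testSmb` belongs to. The phase body starts above the hunk.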
diff --git a/gnu/packages/kde.scm b/gnu/packages/kde.scm
index 89ad30ecd2..f0df44528e 100644
--- a/gnu/packages/kde.scm
+++ b/gnu/packages/kde.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016, 2017 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2017 Mark Meyer <mark@ofosos.org>
+;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -259,7 +260,22 @@ plugins, as well as code to create plugins, or complete applications.")
                             (assoc-ref %build-inputs "libtiff"))
              (string-append "-DCMAKE_CXX_FLAGS=-I"
                             (assoc-ref %build-inputs "ilmbase")
-                            "/include/OpenEXR"))))
+                            "/include/OpenEXR"))
+       #:phases
+       (modify-phases %standard-phases
+         ;; Ensure that icons are found at runtime.
+         ;; This works around <https://bugs.gnu.org/22138>.
+         (add-after 'install 'wrap-executable
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out"))
+                   (qt '("qtbase" "qtsvg")))
+               (wrap-program (string-append out "/bin/krita")
+                 `("QT_PLUGIN_PATH" ":" prefix
+                   ,(map (lambda (label)
+                           (string-append (assoc-ref inputs label)
+                                          "/lib/qt5/plugins/"))
+                         qt)))
+               #t))))))
     (native-inputs
      `(("curl" ,curl)
        ("eigen" ,eigen)
@@ -349,7 +365,7 @@ used in KDE development tools Kompare and KDevelop.")
 (define-public libksysguard
   (package
     (name "libksysguard")
-    (version "5.11.2")
+    (version "5.11.4")
     (source
      (origin
        (method url-fetch)
@@ -357,7 +373,7 @@ used in KDE development tools Kompare and KDevelop.")
                            "/libksysguard-" version ".tar.xz"))
        (sha256
         (base32
-         "12d0r4rilydbqdgkm256khvkb9m0hya3p27xqvv3hg77wgxzdl3f"))))
+         "1ry4478fv7blp80zyhz0xr3qragsddrkzjzmxkdarh01f4p987aq"))))
     (native-inputs
      `(("extra-cmake-modules" ,extra-cmake-modules)
        ("pkg-config" ,pkg-config)))
@@ -399,7 +415,7 @@ used in KDE development tools Kompare and KDevelop.")
            (lambda _
              ;; TODO: Fix this failing test-case
              (zero? (system* "ctest" "-E" "processtest")))))))
-    (home-page "https://www.kde.org/info/plasma-5.11.2.php")
+    (home-page "https://www.kde.org/info/plasma-5.11.4.php")
     (synopsis "Network enabled task and system monitoring")
     (description "KSysGuard can obtain information on system load and
 manage running processes.  It obtains this information by interacting
diff --git a/gnu/packages/libreoffice.scm b/gnu/packages/libreoffice.scm
index 6524e58400..799b062439 100644
--- a/gnu/packages/libreoffice.scm
+++ b/gnu/packages/libreoffice.scm
@@ -926,7 +926,7 @@ and to return information on pronunciations, meanings and synonyms.")
        ("openssl" ,openssl)
        ("orcus" ,orcus)
        ("perl" ,perl)
-       ("perl-zip" ,perl-zip)
+       ("perl-archive-zip" ,perl-archive-zip)
        ("poppler" ,poppler)
        ("postgresql" ,postgresql)
        ("python" ,python)
diff --git a/gnu/packages/moreutils.scm b/gnu/packages/moreutils.scm
index bb6228af7f..34bce23c30 100644
--- a/gnu/packages/moreutils.scm
+++ b/gnu/packages/moreutils.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2016, 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2016, 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -30,7 +30,7 @@
 (define-public moreutils
   (package
     (name "moreutils")
-    (version "0.61")
+    (version "0.62")
     (source
      (origin
        (method url-fetch)
@@ -43,7 +43,7 @@
               name "-" version ".tar.gz")))
        (sha256
         (base32
-         "12rhzy8hw8vljlf10b7ys9zky0p94fdvd6ihq8w8cnkia4rd6izb"))))
+         "1gc3rswr0jl0z42pbrmw2zc4gxsyp60hq8cnvrlsig1vk1s9vpwx"))))
     (build-system gnu-build-system)
     ;; For building the manual pages.
     (native-inputs
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 0c1bb4183c..3c53de63af 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2017 Muriithi Frederick Muriuki <fredmanglis@gmail.com>
 ;;; Copyright © 2017 Oleg Pykhalov <go.wigust@gmail.com>
 ;;; Copyright © 2017 Roel Janssen <roel@gnu.org>
+;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -500,13 +501,13 @@ transactions from C or Python.")
 (define-public diffoscope
   (package
     (name "diffoscope")
-    (version "88")
+    (version "90")
     (source (origin
               (method url-fetch)
               (uri (pypi-uri name version))
               (sha256
                (base32
-                "1zp6nb37igssxg4bqsi3cw5klx4prhcx50mzg4463l50mssn8mp2"))))
+                "0hhg26vi0z2q4gwklwq4k16hibc4kq16jvyzp6zhr4kspi07wl6i"))))
     (build-system python-build-system)
     (arguments
      `(#:phases (modify-phases %standard-phases
diff --git a/gnu/packages/patches/fossil-CVE-2017-17459.patch b/gnu/packages/patches/fossil-CVE-2017-17459.patch
new file mode 100644
index 0000000000..e566235b4e
--- /dev/null
+++ b/gnu/packages/patches/fossil-CVE-2017-17459.patch
@@ -0,0 +1,57 @@
+Fix CVE-2017-17459:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459
+
+Patch copied from upstream source repository:
+
+https://www.fossil-scm.org/xfer/info/1f63db591c77108c
+
+Index: src/http_transport.c
+==================================================================
+--- src/http_transport.c
++++ src/http_transport.c
+@@ -73,10 +73,23 @@
+   if( resetFlag ){
+     transport.nSent = 0;
+     transport.nRcvd = 0;
+   }
+ }
++
++/*
++** Remove leading "-" characters from the input string.
++**
++** This prevents attacks that try to trick a victim into using
++** a ssh:// URI with a carefully crafted hostname of other
++** parameter that ends up being interpreted as a command-line
++** option by "ssh".
++*/
++static const char *stripLeadingMinus(const char *z){
++  while( z[0]=='-' ) z++;
++  return z;
++}
+ 
+ /*
+ ** Default SSH command
+ */
+ #ifdef _WIN32
+@@ -116,17 +129,17 @@
+   }else{
+     zHost = mprintf("%s", pUrlData->name);
+   }
+   n = blob_size(&zCmd);
+   blob_append(&zCmd, " ", 1);
+-  shell_escape(&zCmd, zHost);
++  shell_escape(&zCmd, stripLeadingMinus(zHost));
+   blob_append(&zCmd, " ", 1);
+   shell_escape(&zCmd, mprintf("%s", pUrlData->fossil));
+   blob_append(&zCmd, " test-http", 10);
+   if( pUrlData->path && pUrlData->path[0] ){
+     blob_append(&zCmd, " ", 1);
+-    shell_escape(&zCmd, mprintf("%s", pUrlData->path));
++    shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->path)));
+   }
+   if( g.fSshTrace ){
+     fossil_print("%s\n", blob_str(&zCmd)+n);  /* Show tail of SSH command */
+   }
+   free(zHost);
+
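Review bot: `stripLeadingMinus()` silently rewrites the host and path instead of rejecting them, so a URL whose host begins with `-` ends up connecting to a different name than the one supplied, with no diagnostic. Failing with an error when `zHost` or `pUrlData->path` starts with `-` would make the rejected input visible to the user and in logs. Only the `else` branch that builds `zHost` from `pUrlData->name` is visible; the branch before `}else{` is outside the hunk, so confirm that whatever it puts at the start of `zHost` is also covered by the strip. The header comment has a typo worth reporting upstream: `hostname of other parameter` should read `hostname or other parameter`.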
diff --git a/gnu/packages/patches/gimp-CVE-2017-17784.patch b/gnu/packages/patches/gimp-CVE-2017-17784.patch
new file mode 100644
index 0000000000..c791772fb5
--- /dev/null
+++ b/gnu/packages/patches/gimp-CVE-2017-17784.patch
@@ -0,0 +1,41 @@
+Fix CVE-2017-17784:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17784
+https://bugzilla.gnome.org/show_bug.cgi?id=790784
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270
+
+From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Thu, 21 Dec 2017 12:25:32 +0100
+Subject: [PATCH] Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
+ load_image.
+
+We were assuming the input name was well formed, hence was
+nul-terminated. As any data coming from external input, this has to be
+thorougly checked.
+Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted
+to older gimp-2-8 code.
+---
+ plug-ins/common/file-gbr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
+index b028100bef..d3f01d9c56 100644
+--- a/plug-ins/common/file-gbr.c
++++ b/plug-ins/common/file-gbr.c
+@@ -443,7 +443,8 @@ load_image (const gchar  *filename,
+     {
+       gchar *temp = g_new (gchar, bn_size);
+ 
+-      if ((read (fd, temp, bn_size)) < bn_size)
++      if ((read (fd, temp, bn_size)) < bn_size ||
++          temp[bn_size - 1] != '\0')
+         {
+           g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+                        _("Error in GIMP brush file '%s'"),
+-- 
+2.15.1
+
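Review bot: The added test `temp[bn_size - 1] != '\0'` indexes before the buffer when `bn_size` is 0, and the guard that would exclude that value is not in the hunk; `load_image`'s body starts and ends outside it. If the enclosing condition does not already require `bn_size > 0`, the test should do so itself, e.g. `bn_size == 0 || temp[bn_size - 1] != '\0'`. The comparison `read (fd, temp, bn_size) < bn_size` also depends on the declared type of `bn_size`: if it is unsigned, a failed read returning -1 would be converted and not caught, so the declaration is worth checking.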
diff --git a/gnu/packages/patches/gimp-CVE-2017-17785.patch b/gnu/packages/patches/gimp-CVE-2017-17785.patch
new file mode 100644
index 0000000000..939b01f214
--- /dev/null
+++ b/gnu/packages/patches/gimp-CVE-2017-17785.patch
@@ -0,0 +1,171 @@
+Fix CVE-2017-17785:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17785
+https://bugzilla.gnome.org/show_bug.cgi?id=739133
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/gimp/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54
+
+From 1882bac996a20ab5c15c42b0c5e8f49033a1af54 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 29 Oct 2017 15:19:41 +0100
+Subject: [PATCH] Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI
+ files.
+
+It is possible to trigger a heap overflow while parsing FLI files. The
+RLE decoder is vulnerable to out of boundary writes due to lack of
+boundary checks.
+
+The variable "framebuf" points to a memory area which was allocated
+with fli_header->width * fli_header->height bytes. The RLE decoder
+therefore must never write beyond that limit.
+
+If an illegal frame is detected, the parser won't stop, which means
+that the next valid sequence is properly parsed again. This should
+allow GIMP to parse FLI files as good as possible even if they are
+broken by an attacker or by accident.
+
+While at it, I changed the variable xc to be of type size_t, because
+the multiplication of width and height could overflow a 16 bit type.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+(cherry picked from commit edb251a7ef1602d20a5afcbf23f24afb163de63b)
+---
+ plug-ins/file-fli/fli.c | 50 ++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 35 insertions(+), 15 deletions(-)
+
+diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c
+index 313efeb977..ffb651e2af 100644
+--- a/plug-ins/file-fli/fli.c
++++ b/plug-ins/file-fli/fli.c
+@@ -25,6 +25,8 @@
+ 
+ #include "config.h"
+ 
++#include <glib/gstdio.h>
++
+ #include <string.h>
+ #include <stdio.h>
+ 
+@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header *fli_header, unsigned char *framebuf)
+ 	unsigned short yc;
+ 	unsigned char *pos;
+ 	for (yc=0; yc < fli_header->height; yc++) {
+-		unsigned short xc, pc, pcnt;
++		unsigned short pc, pcnt;
++		size_t n, xc;
+ 		pc=fli_read_char(f);
+ 		xc=0;
+ 		pos=framebuf+(fli_header->width * yc);
++		n=(size_t)fli_header->width * (fli_header->height-yc);
+ 		for (pcnt=pc; pcnt>0; pcnt--) {
+ 			unsigned short ps;
+ 			ps=fli_read_char(f);
+ 			if (ps & 0x80) {
+ 				unsigned short len;
+-				for (len=-(signed char)ps; len>0; len--) {
++				for (len=-(signed char)ps; len>0 && xc<n; len--) {
+ 					pos[xc++]=fli_read_char(f);
+ 				}
+ 			} else {
+ 				unsigned char val;
++				size_t len;
++				len=MIN(n-xc,ps);
+ 				val=fli_read_char(f);
+-				memset(&(pos[xc]), val, ps);
+-				xc+=ps;
++				memset(&(pos[xc]), val, len);
++				xc+=len;
+ 			}
+ 		}
+ 	}
+@@ -564,25 +570,34 @@ void fli_read_lc(FILE *f, s_fli_header *fli_header, unsigned char *old_framebuf,
+ 	memcpy(framebuf, old_framebuf, fli_header->width * fli_header->height);
+ 	firstline = fli_read_short(f);
+ 	numline = fli_read_short(f);
++	if (numline > fli_header->height || fli_header->height-numline < firstline)
++		return;
++
+ 	for (yc=0; yc < numline; yc++) {
+-		unsigned short xc, pc, pcnt;
++		unsigned short pc, pcnt;
++		size_t n, xc;
+ 		pc=fli_read_char(f);
+ 		xc=0;
+ 		pos=framebuf+(fli_header->width * (firstline+yc));
++		n=(size_t)fli_header->width * (fli_header->height-firstline-yc);
+ 		for (pcnt=pc; pcnt>0; pcnt--) {
+ 			unsigned short ps,skip;
+ 			skip=fli_read_char(f);
+ 			ps=fli_read_char(f);
+-			xc+=skip;
++			xc+=MIN(n-xc,skip);
+ 			if (ps & 0x80) {
+ 				unsigned char val;
++				size_t len;
+ 				ps=-(signed char)ps;
+ 				val=fli_read_char(f);
+-				memset(&(pos[xc]), val, ps);
+-				xc+=ps;
++				len=MIN(n-xc,ps);
++				memset(&(pos[xc]), val, len);
++				xc+=len;
+ 			} else {
+-				fread(&(pos[xc]), ps, 1, f);
+-				xc+=ps;
++				size_t len;
++				len=MIN(n-xc,ps);
++				fread(&(pos[xc]), len, 1, f);
++				xc+=len;
+ 			}
+ 		}
+ 	}
+@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
+ 	yc=0;
+ 	numline = fli_read_short(f);
+ 	for (lc=0; lc < numline; lc++) {
+-		unsigned short xc, pc, pcnt, lpf, lpn;
++		unsigned short pc, pcnt, lpf, lpn;
++		size_t n, xc;
+ 		pc=fli_read_short(f);
+ 		lpf=0; lpn=0;
+ 		while (pc & 0x8000) {
+@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu
+ 			}
+ 			pc=fli_read_short(f);
+ 		}
++		yc=MIN(yc, fli_header->height);
+ 		xc=0;
+ 		pos=framebuf+(fli_header->width * yc);
++		n=(size_t)fli_header->width * (fli_header->height-yc);
+ 		for (pcnt=pc; pcnt>0; pcnt--) {
+ 			unsigned short ps,skip;
+ 			skip=fli_read_char(f);
+ 			ps=fli_read_char(f);
+-			xc+=skip;
++			xc+=MIN(n-xc,skip);
+ 			if (ps & 0x80) {
+ 				unsigned char v1,v2;
+ 				ps=-(signed char)ps;
+ 				v1=fli_read_char(f);
+ 				v2=fli_read_char(f);
+-				while (ps>0) {
++				while (ps>0 && xc+1<n) {
+ 					pos[xc++]=v1;
+ 					pos[xc++]=v2;
+ 					ps--;
+ 				}
+ 			} else {
+-				fread(&(pos[xc]), ps, 2, f);
+-				xc+=ps << 1;
++				size_t len;
++				len=MIN((n-xc)/2,ps);
++				fread(&(pos[xc]), len, 2, f);
++				xc+=len << 1;
+ 			}
+ 		}
+ 		if (lpf) pos[xc]=lpn;
+-- 
+2.15.1
+
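Review bot: The last context line of the `fli_read_lc_2` hunk, `if (lpf) pos[xc]=lpn;`, is still unchecked after this change: the new clamping lets `xc` reach `n`, and `pos[n]` is one byte past the `width * height` allocation described in the commit message. The same holds when `yc=MIN(yc, fli_header->height)` yields `yc == height`, where `n` is 0 and `pos` already points at the end of `framebuf`. Guarding the store, `if (lpf && xc < n) pos[xc]=lpn;`, would close it. Separately, the clamped `fread` calls in `fli_read_lc` and `fli_read_lc_2` consume fewer bytes than `ps` announces and ignore the return value, so the stream position drifts after a truncated packet; whether that matters depends on callers outside the hunks.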
diff --git a/gnu/packages/patches/gimp-CVE-2017-17786.patch b/gnu/packages/patches/gimp-CVE-2017-17786.patch
new file mode 100644
index 0000000000..851227ac1d
--- /dev/null
+++ b/gnu/packages/patches/gimp-CVE-2017-17786.patch
@@ -0,0 +1,94 @@
+Fix CVE-2017-17786:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17786
+https://bugzilla.gnome.org/show_bug.cgi?id=739134
+
+Both patches copied from upstream source repository:
+
+https://git.gnome.org/browse/gimp/commit/?id=ef9c821fff8b637a2178eab1c78cae6764c50e12
+https://git.gnome.org/browse/gimp/commit/?id=22e2571c25425f225abdb11a566cc281fca6f366
+
+From ef9c821fff8b637a2178eab1c78cae6764c50e12 Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Wed, 20 Dec 2017 13:02:38 +0100
+Subject: [PATCH] Bug 739134 - (CVE-2017-17786) Out of bounds read / heap
+ overflow in...
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+... TGA importer.
+
+Be more thorough on valid TGA RGB and RGBA images.
+In particular current TGA plug-in can import RGBA as 32 bits (8 bits per
+channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and
+RGB as 15 and 24 bits.
+Maybe there exist more variants, but if they do exist, we simply don't
+support them yet.
+
+Thanks to Hanno Böck for the report and a first patch attempt.
+
+(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b)
+---
+ plug-ins/common/file-tga.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
+index aef98702d4..426acc2925 100644
+--- a/plug-ins/common/file-tga.c
++++ b/plug-ins/common/file-tga.c
+@@ -564,12 +564,16 @@ load_image (const gchar  *filename,
+           }
+         break;
+       case TGA_TYPE_COLOR:
+-        if (info.bpp != 15 && info.bpp != 16 &&
+-            info.bpp != 24 && info.bpp != 32)
++        if ((info.bpp != 15 && info.bpp != 16 &&
++             info.bpp != 24 && info.bpp != 32)      ||
++            ((info.bpp == 15 || info.bpp == 24) &&
++             info.alphaBits != 0)                   ||
++            (info.bpp == 16 && info.alphaBits != 1) ||
++            (info.bpp == 32 && info.alphaBits != 8))
+           {
+-            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
++            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
+                        gimp_filename_to_utf8 (filename),
+-                       info.imageType, info.bpp);
++                       info.imageType, info.bpp, info.alphaBits);
+             return -1;
+           }
+         break;
+-- 
+2.15.1
+
+From 22e2571c25425f225abdb11a566cc281fca6f366 Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Wed, 20 Dec 2017 13:26:26 +0100
+Subject: [PATCH] plug-ins: TGA 16-bit RGB (without alpha bit) is also valid.
+
+According to some spec on the web, 16-bit RGB is also valid. In this
+case, the last bit is simply ignored (at least that's how it is
+implemented right now).
+
+(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077)
+---
+ plug-ins/common/file-tga.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
+index 426acc2925..eb14a1dadc 100644
+--- a/plug-ins/common/file-tga.c
++++ b/plug-ins/common/file-tga.c
+@@ -568,7 +568,8 @@ load_image (const gchar  *filename,
+              info.bpp != 24 && info.bpp != 32)      ||
+             ((info.bpp == 15 || info.bpp == 24) &&
+              info.alphaBits != 0)                   ||
+-            (info.bpp == 16 && info.alphaBits != 1) ||
++            (info.bpp == 16 && info.alphaBits != 1 &&
++             info.alphaBits != 0)                   ||
+             (info.bpp == 32 && info.alphaBits != 8))
+           {
+             g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
+-- 
+2.15.1
+
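Review bot: The `TGA_TYPE_COLOR` condition in `load_image` is now a four-way disjunction that is hard to audit, and after the second patch nothing in the code records which combinations are accepted. A comment above the `if` would help, e.g. `/* accepted bpp/alphaBits: 15/0, 16/0, 16/1, 24/0, 32/8 */`. Only the colour case is visible here; whether the other image-type cases validate `info.alphaBits` is outside the hunk and worth confirming.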
diff --git a/gnu/packages/patches/gimp-CVE-2017-17787.patch b/gnu/packages/patches/gimp-CVE-2017-17787.patch
new file mode 100644
index 0000000000..b5310d33d9
--- /dev/null
+++ b/gnu/packages/patches/gimp-CVE-2017-17787.patch
@@ -0,0 +1,42 @@
+Fix CVE-2017-17787:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17787
+https://bugzilla.gnome.org/show_bug.cgi?id=790853
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/gimp/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d
+
+From 87ba505fff85989af795f4ab6a047713f4d9381d Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Thu, 21 Dec 2017 12:49:41 +0100
+Subject: [PATCH] Bug 790853 - (CVE-2017-17787) heap overread in psp importer.
+
+As any external data, we have to check that strings being read at fixed
+length are properly nul-terminated.
+
+(cherry picked from commit eb2980683e6472aff35a3117587c4f814515c74d)
+---
+ plug-ins/common/file-psp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index 4cbafe37b1..e350e4d88d 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -890,6 +890,12 @@ read_creator_block (FILE     *f,
+               g_free (string);
+               return -1;
+             }
++          if (string[length - 1] != '\0')
++            {
++              g_message ("Creator keyword data not nul-terminated");
++              g_free (string);
++              return -1;
++            }
+           switch (keyword)
+             {
+             case PSP_CRTR_FLD_TITLE:
+-- 
+2.15.1
+
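Review bot: The new check `string[length - 1] != '\0'` reads one byte before the buffer if `length` is 0. The allocation and the read that fill `string` are above the hunk in `read_creator_block`, so it cannot be seen here whether a zero length is rejected earlier. If it is not, the test should be written as `if (length == 0 || string[length - 1] != '\0')`.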
diff --git a/gnu/packages/patches/gimp-CVE-2017-17789.patch b/gnu/packages/patches/gimp-CVE-2017-17789.patch
new file mode 100644
index 0000000000..6dfa435fd0
--- /dev/null
+++ b/gnu/packages/patches/gimp-CVE-2017-17789.patch
@@ -0,0 +1,48 @@
+Fix CVE-2017-17789:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789
+https://bugzilla.gnome.org/show_bug.cgi?id=790849
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f
+
+From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001
+From: Jehan <jehan@girinstud.io>
+Date: Wed, 20 Dec 2017 16:44:20 +0100
+Subject: [PATCH] Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer
+ overflow...
+
+... in PSP importer.
+Check if declared block length is valid (i.e. within the actual file)
+before going further.
+Consider the file as broken otherwise and fail loading it.
+
+(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
+---
+ plug-ins/common/file-psp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index ac0fff78f0..4cbafe37b1 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1771,6 +1771,15 @@ load_image (const gchar  *filename,
+     {
+       block_start = ftell (f);
+ 
++      if (block_start + block_total_len > st.st_size)
++        {
++          g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++                       _("Could not open '%s' for reading: %s"),
++                       gimp_filename_to_utf8 (filename),
++                       _("invalid block size"));
++          goto error;
++        }
++
+       if (id == PSP_IMAGE_BLOCK)
+         {
+           if (block_number != 0)
+-- 
+2.15.1
+
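Review bot: The bound `block_start + block_total_len > st.st_size` adds the declared block length to the current offset before comparing, so the sum can wrap where the operand type is 32 bits wide, and a failed `ftell` returning -1 is not handled. The declarations are outside the hunk, so this is hedged; a form that cannot wrap is `if (block_start < 0 || block_total_len > st.st_size - block_start)`. The error text reuses `Could not open '%s' for reading`, which is misleading for a file that opened fine but declares a bad block length.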
diff --git a/gnu/packages/patches/httpd-CVE-2017-9798.patch b/gnu/packages/patches/httpd-CVE-2017-9798.patch
deleted file mode 100644
index 8391a3db4a..0000000000
--- a/gnu/packages/patches/httpd-CVE-2017-9798.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Fixes "options bleed", aka. CVE-2017-9798:
-
-  https://nvd.nist.gov/vuln/detail/CVE-2017-9798
-  https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
-
-From <https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch>.
-
---- a/server/core.c	2017/08/16 16:50:29	1805223
-+++ b/server/core.c	2017/09/08 13:13:11	1807754
-@@ -2266,6 +2266,12 @@
-             /* method has not been registered yet, but resource restriction
-              * is always checked before method handling, so register it.
-              */
-+            if (cmd->pool == cmd->temp_pool) {
-+                /* In .htaccess, we can't globally register new methods. */
-+                return apr_psprintf(cmd->pool, "Could not register method '%s' "
-+                                   "for %s from .htaccess configuration",
-+                                    method, cmd->cmd->name);
-+            }
-             methnum = ap_method_register(cmd->pool,
-                                          apr_pstrdup(cmd->pool, method));
-         }
diff --git a/gnu/packages/perl-check.scm b/gnu/packages/perl-check.scm
index 5df2940bd6..121ebec414 100644
--- a/gnu/packages/perl-check.scm
+++ b/gnu/packages/perl-check.scm
@@ -10,7 +10,7 @@
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Christopher Baines <mail@cbaines.net>
 ;;; Copyright © 2017 Petter <petter@mykolab.ch>
-;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -35,6 +35,11 @@
   #:use-module (guix build-system perl)
   #:use-module (gnu packages perl))
 
+;;;
+;;; Please: Try to add new module packages in alphabetic order.
+;;;
+
+
 (define-public perl-test2-bundle-extended
   (package
     (name "perl-test2-bundle-extended")
@@ -606,6 +611,36 @@ memory_cycle_ok( $object );
 @end example")
     (license artistic2.0)))
 
+(define-public perl-test-mockmodule
+  (package
+    (name "perl-test-mockmodule")
+    (version "0.13")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://cpan/authors/id/G/GF/GFRANKS/"
+                           "Test-MockModule-" version ".tar.gz"))
+       (sha256
+        (base32 "0lwh6fvnc16r6d74vvh5h4b5a1spcslpjb3mcqbv23k01lm78wvl"))))
+    (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)
+       ;; For tests.
+       ("perl-test-pod" ,perl-test-pod)
+       ("perl-test-pod-coverage" ,perl-test-pod-coverage)))
+    (propagated-inputs
+     `(("perl-super" ,perl-super)))
+    (home-page "http://search.cpan.org/dist/Test-MockModule/")
+    (synopsis "Override subroutines in a module for unit testing")
+    (description
+     "@code{Test::MockModule} lets you temporarily redefine subroutines in other
+packages for the purposes of unit testing.  A @code{Test::MockModule} object is
+set up to mock subroutines for a given module.  The mocked object remembers the
+original subroutine so it can be easily restored.  This happens automatically
+when all @code{MockModule} objects for the given module go out of scope, or when
+you @code{unmock()} the subroutine.")
+    (license gpl3)))
+
 (define-public perl-test-mockobject
   (package
     (name "perl-test-mockobject")
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index 4dbe77c4e9..520395b5b5 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -15,7 +15,7 @@
 ;;; Copyright © 2017 Raoul J.P. Bonnal <ilpuccio.febo@gmail.com>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
-;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2017 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2017 Christopher Allan Webber <cwebber@dustycloud.org>
 ;;;
@@ -42,6 +42,7 @@
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system perl)
   #:use-module (gnu packages base)
+  #:use-module (gnu packages compression)
   #:use-module (gnu packages perl-check)
   #:use-module (gnu packages perl-web)
   #:use-module (gnu packages pkg-config))
@@ -261,26 +262,6 @@ variable ANY_MOOSE to be Moose or Mouse.")
 configuration files and parsing command line arguments.")
     (license (package-license perl))))
 
-(define-public perl-archive-zip
-  (package
-    (name "perl-archive-zip")
-    (version "1.30")
-    (source
-     (origin
-       (method url-fetch)
-       (uri (string-append
-             "mirror://cpan/authors/id/A/AD/ADAMK/Archive-Zip-"
-             version ".tar.gz"))
-       (sha256
-        (base32
-         "0633zah5z9njiqnvy3vh42fjymncmil1jdfb7d18w8xpfzzp5d7q"))))
-    (build-system perl-build-system)
-    (synopsis "Perl API to zip files")
-    (description "The Archive::Zip module allows a Perl program to create,
-manipulate, read, and write Zip archive files.")
-    (home-page "http://search.cpan.org/~phred/Archive-Zip-1.37/lib/Archive/Zip.pm")
-    (license (package-license perl))))
-
 (define-public perl-array-utils
   (package
     (name "perl-array-utils")
@@ -7106,6 +7087,32 @@ The idea is just to fool caller().  All the really naughty bits of Tcl's
 uplevel() are avoided.")
     (license (package-license perl))))
 
+(define-public perl-super
+  (package
+    (name "perl-super")
+    (version "1.20141117")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://cpan/authors/id/C/CH/CHROMATIC/"
+                           "SUPER-" version ".tar.gz"))
+       (sha256
+        (base32 "1cn05kacg0xfbm1zzksm2yx2pnrzqja4d9163cxv3sdfc1yhwqhs"))))
+    (build-system perl-build-system)
+    (native-inputs
+     `(("perl-module-build" ,perl-module-build)))
+    (propagated-inputs
+     `(("perl-sub-identify" ,perl-sub-identify)))
+    (home-page "http://search.cpan.org/dist/SUPER/")
+    (synopsis "Control superclass method dispatching")
+    (description
+     "When subclassing a class, you may occasionally want to dispatch control to
+the superclass---at least conditionally and temporarily.  This module provides
+nicer equivalents to the native Perl syntax for calling superclasses, along with
+a universal @code{super} method to determine a class' own superclass, and better
+support for run-time mix-ins and roles.")
+    (license perl-license)))
+
 (define-public perl-svg
   (package
     (name "perl-svg")
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 34f40f0c72..931b37eb6a 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
-;;; Copyright © 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013, 2014, 2015, 2016 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014, 2017 Eric Bavier <bavier@member.fsf.org>
@@ -5452,14 +5452,14 @@ plugins that intend to support Flake8 2.x and 3.x simultaneously.")
 (define-public python-mistune
   (package
     (name "python-mistune")
-    (version "0.7.3")
+    (version "0.8.3")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "mistune" version))
        (sha256
         (base32
-         "04xpk1zvslhq3xpnf01g3ag0dy9wfv4z28p093r8k49vvxlyil11"))))
+         "06b662p6kf46wh2jsabaqhaq4bz1srh2zxkrnx4yg96azlxw645w"))))
     (build-system python-build-system)
     (native-inputs
      `(("python-nose" ,python-nose)
@@ -6582,6 +6582,7 @@ Jupyter kernels such as IJulia and IRKernel.")
 (define python-jupyter-console-minimal
   (package
     (inherit python-jupyter-console)
+    (name "python-jupyter-console-minimal")
     (arguments
      (substitute-keyword-arguments
          (package-arguments python-jupyter-console)
diff --git a/gnu/packages/regex.scm b/gnu/packages/regex.scm
index 4648a4d004..20242322b1 100644
--- a/gnu/packages/regex.scm
+++ b/gnu/packages/regex.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2014 John Darrington
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,7 +29,7 @@
 (define-public re2
    (package
      (name "re2")
-     (version "2017-12-01")
+     (version "2018-01-01")
      (source (origin
                (method url-fetch)
                (uri
@@ -38,7 +39,7 @@
                (file-name (string-append name "-" version ".tar.gz"))
                (sha256
                 (base32
-                 "03gv50hv7yaspx3ls8g8l1yj8nszbc3mplhcf4cr95fcsxy7wyb2"))))
+                 "1hhp8gi0lzw1mvnksb112rc9kcz4j9kjic7v6gbgzyfgk43996mr"))))
      (build-system gnu-build-system)
      (arguments
       `(#:modules ((guix build gnu-build-system)
diff --git a/gnu/packages/shells.scm b/gnu/packages/shells.scm
index 590b2c741d..022287dbf5 100644
--- a/gnu/packages/shells.scm
+++ b/gnu/packages/shells.scm
@@ -381,14 +381,14 @@ ksh, and tcsh.")
 (define-public xonsh
   (package
     (name "xonsh")
-    (version "0.5.12")
+    (version "0.6.0")
     (source
       (origin
         (method url-fetch)
         (uri (pypi-uri "xonsh" version))
         (sha256
           (base32
-            "1yz595hx5bni524m73cx8a08vcr6vfksfci14nx2ylz53igzva2c"))
+            "1ikd1xg4iyjqp51y8g8n6c4y39bgx85xnb4bdd3zibkqac3lrahr"))
         (modules '((guix build utils)))
         (snippet
          `(begin
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index cbf5ce7d87..d400afd6ef 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -1503,6 +1503,8 @@ repository\" with git-annex.")
              (string-append
               "https://www.fossil-scm.org/index.html/uv/"
               "fossil-src-" version ".tar.gz")))
+       (patches (search-patches "fossil-CVE-2017-17459.patch"))
+       (patch-flags '("-p0"))
        (sha256
         (base32
          "0wfgacfg29dkl0c3l1rp5ji0kraa64gcbg5lh8p4m7mqdqcq53wv"))))
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 111ae9b7c8..a43934257d 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -1808,7 +1808,7 @@ be used for realtime video capture via Linux-specific APIs.")
 (define-public obs
   (package
     (name "obs")
-    (version "18.0.2")
+    (version "20.1.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/jp9000/obs-studio"
@@ -1816,7 +1816,7 @@ be used for realtime video capture via Linux-specific APIs.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "02pbiyvf5x0zh448h5rpmyn33qnsqk694xxlyns83mdi74savyqw"))))
+                "1g5z6z050v25whc7n3xvg6l238wmg5crp7ihvk73qngvzxr8bg28"))))
     (build-system cmake-build-system)
     (arguments
      `(#:tests? #f)) ; no tests
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 2cae88523c..aef54982db 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -109,15 +109,14 @@
 (define-public httpd
   (package
     (name "httpd")
-    (version "2.4.27")
+    (version "2.4.29")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://apache/httpd/httpd-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0fn1778mxhf78np2d8qlycg1c2ak18rxax41plahasca4clc3z3i"))
-             (patches (search-patches "httpd-CVE-2017-9798.patch"))))
+               "003z3yckkdihfv69rgqsik1w2jsnh14j3ci8fjia4s2mlajm6xvp"))))
     (build-system gnu-build-system)
     (native-inputs `(("pcre" ,pcre "bin")))       ;for 'pcre-config'
     (inputs `(("apr" ,apr)
diff --git a/gnu/packages/wine.scm b/gnu/packages/wine.scm
index b4a303df93..da7620cd3d 100644
--- a/gnu/packages/wine.scm
+++ b/gnu/packages/wine.scm
@@ -2,7 +2,7 @@
 ;;; Copyright © 2014, 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
-;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com>
+;;; Copyright © 2017, 2018 Rutger Helling <rhelling@mykolab.com>
 ;;; Copyright © 2017 Nicolas Goaziou <mail@nicolasgoaziou.fr>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -55,19 +55,20 @@
   #:use-module (gnu packages tls)
   #:use-module (gnu packages video)
   #:use-module (gnu packages xml)
-  #:use-module (gnu packages xorg))
+  #:use-module (gnu packages xorg)
+  #:use-module (ice-9 match))
 
 (define-public wine
   (package
     (name "wine")
-    (version "2.0.3")
+    (version "2.0.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://dl.winehq.org/wine/source/2.0"
                                   "/wine-" version ".tar.xz"))
               (sha256
                (base32
-                "0mmyc94r5drffir8zr8jx6iawhgfzjk96fj494aa18vhz1jcc4d8"))))
+                "0nlq6apyq7hq36l3g6gw76lhi8ijz11v3v8m4vxy8d6x1qsppq5m"))))
     (build-system gnu-build-system)
     (native-inputs `(("pkg-config" ,pkg-config)
                      ("gettext" ,gettext-minimal)
@@ -113,19 +114,24 @@
        ("v4l-utils" ,v4l-utils)
        ("zlib" ,zlib)))
     (arguments
-     `(;; Force a 32-bit build (under the assumption that this package is
-       ;; being used on an IA32-compatible architecture.)
-       #:system "i686-linux"
+     `(;; Force a 32-bit build targeting a similar architecture, i.e.:
+       ;; armhf for armhf/aarch64, i686 for i686/x86_64.
+       #:system ,@(match (%current-system)
+                    ((or "armhf-linux" "aarch64-linux")
+                     `("armhf-linux"))
+                    (_
+                     `("i686-linux")))
 
        ;; XXX: There's a test suite, but it's unclear whether it's supposed to
        ;; pass.
        #:tests? #f
 
        #:configure-flags
-       (list (string-append "LDFLAGS=-Wl,-rpath=" %output "/lib"))
+       (list (string-append "LDFLAGS=-Wl,-rpath=" %output "/lib/wine32"))
 
        #:make-flags
-       (list "SHELL=bash")
+       (list "SHELL=bash"
+             (string-append "libdir=" %output "/lib/wine32"))
 
        #:phases
        (modify-phases %standard-phases
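Review bot: The new `#:system` value is produced by splicing a one-element quasiquoted list out of `match`, which is harder to read than returning the string itself: `#:system ,(match (%current-system) ((or "armhf-linux" "aarch64-linux") "armhf-linux") (_ "i686-linux"))`. The `_` clause also means every system other than the two ARM ones is built as i686. Naming `"i686-linux"` and `"x86_64-linux"` in their own clause, and keeping `_` only as a commented fallback, would make the intended mapping explicit. The `arguments` form starts before this hunk and continues after it.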
@@ -141,7 +147,7 @@
                   (format #f "~a\"~a\"" defso (find-so soname))))
                #t))))))
     (home-page "https://www.winehq.org/")
-    (synopsis "Implementation of the Windows API")
+    (synopsis "Implementation of the Windows API (32-bit only)")
     (description
      "Wine (originally an acronym for \"Wine Is Not an Emulator\") is a
 compatibility layer capable of running Windows applications.  Instead of
@@ -153,22 +159,56 @@ integrate Windows applications into your desktop.")
 
     ;; It really only supports IA32, but building on x86_64 will have the same
     ;; effect as building on i686 anyway.
-    (supported-systems '("i686-linux" "x86_64-linux"))))
+    (supported-systems (delete "mips64el-linux" %supported-systems))))
 
 (define-public wine64
   (package
     (inherit wine)
     (name "wine64")
+    (inputs `(("wine" ,wine)
+              ,@(package-inputs wine)))
     (arguments
      `(#:make-flags
        (list "SHELL=bash"
-             (string-append "libdir=" %output "/lib"))
+             (string-append "libdir=" %output "/lib/wine64"))
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'install 'copy-wine32-binaries
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((wine32 (assoc-ref %build-inputs "wine"))
+                    (out (assoc-ref %outputs "out")))
+               ;; Copy the 32-bit binaries needed for WoW64.
+               (copy-file (string-append wine32 "/bin/wine")
+                          (string-append out "/bin/wine"))
+               (copy-file (string-append wine32 "/bin/wine-preloader")
+                          (string-append out "/bin/wine-preloader"))
+               #t)))
+         (add-after 'compress-documentation 'copy-wine32-manpage
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((wine32 (assoc-ref %build-inputs "wine"))
+                    (out (assoc-ref %outputs "out")))
+               ;; Copy the missing man file for the wine binary from wine.
+               (copy-file (string-append wine32 "/share/man/man1/wine.1.gz")
+                          (string-append out "/share/man/man1/wine.1.gz"))
+               #t)))
+         (add-after 'configure 'patch-dlopen-paths
+           ;; Hardcode dlopened sonames to absolute paths.
+           (lambda _
+             (let* ((library-path (search-path-as-string->list
+                                   (getenv "LIBRARY_PATH")))
+                    (find-so (lambda (soname)
+                               (search-path library-path soname))))
+               (substitute* "include/config.h"
+                 (("(#define SONAME_.* )\"(.*)\"" _ defso soname)
+                  (format #f "~a\"~a\"" defso (find-so soname))))
+               #t))))
        #:configure-flags
        (list "--enable-win64"
-             (string-append "LDFLAGS=-Wl,-rpath=" %output "/lib"))
-       ,@(strip-keyword-arguments '(#:configure-flags #:make-flags #:system)
+             (string-append "LDFLAGS=-Wl,-rpath=" %output "/lib/wine64"))
+       ,@(strip-keyword-arguments '(#:configure-flags #:make-flags #:phases
+                                    #:system)
                                   (package-arguments wine))))
-    (synopsis "Implementation of the Windows API (64-bit version)")
+    (synopsis "Implementation of the Windows API (WoW64 version)")
     (supported-systems '("x86_64-linux" "aarch64-linux"))))
 
 ;; TODO: This is wine development version, provided for historical reasons.
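Review bot: `copy-wine32-binaries` and `copy-wine32-manpage` declare `#:key outputs` but never use it, and read the globals `%build-inputs` and `%outputs` instead. Taking both values from the phase's keyword arguments keeps each phase self-contained: `(lambda* (#:key inputs outputs #:allow-other-keys)` with `(assoc-ref inputs "wine")` and `(assoc-ref outputs "out")`. The same applies to the two phases of the same names in the wine64-staging hunk further down. Separately, the context comment above `supported-systems` still says the package "really only supports IA32", which no longer matches the new value `(delete "mips64el-linux" %supported-systems)` and should mention the armhf build.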
@@ -202,7 +242,7 @@ integrate Windows applications into your desktop.")
     (inputs `(("gtk+", gtk+)
               ("libva", libva)
               ,@(package-inputs wine)))
-    (synopsis "Implementation of the Windows API (staging branch)")
+    (synopsis "Implementation of the Windows API (staging branch, 32-bit only)")
     (description "Wine-Staging is the testing area of Wine.  It
 contains bug fixes and features, which have not been integrated into
 the development branch yet.  The idea of Wine-Staging is to provide
@@ -221,15 +261,50 @@ integrated into the main branch.")
   (package
     (inherit wine-staging)
     (name "wine64-staging")
+    (inputs `(("wine-staging" ,wine-staging)
+              ,@(package-inputs wine-staging)))
     (arguments
      `(#:make-flags
        (list "SHELL=bash"
-             (string-append "libdir=" %output "/lib"))
+             (string-append "libdir=" %output "/lib/wine64"))
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'install 'copy-wine32-binaries
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((wine32 (assoc-ref %build-inputs "wine-staging"))
+                    (out (assoc-ref %outputs "out")))
+               ;; Copy the 32-bit binaries needed for WoW64.
+               (copy-file (string-append wine32 "/bin/wine")
+                          (string-append out "/bin/wine"))
+               (copy-file (string-append wine32 "/bin/wine-preloader")
+                          (string-append out "/bin/wine-preloader"))
+               #t)))
+         (add-after 'compress-documentation 'copy-wine32-manpage
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let* ((wine32 (assoc-ref %build-inputs "wine-staging"))
+                    (out (assoc-ref %outputs "out")))
+               ;; Copy the missing man file for the wine binary from
+               ;; wine-staging.
+               (copy-file (string-append wine32 "/share/man/man1/wine.1.gz")
+                          (string-append out "/share/man/man1/wine.1.gz"))
+               #t)))
+         (add-after 'configure 'patch-dlopen-paths
+           ;; Hardcode dlopened sonames to absolute paths.
+           (lambda _
+             (let* ((library-path (search-path-as-string->list
+                                   (getenv "LIBRARY_PATH")))
+                    (find-so (lambda (soname)
+                               (search-path library-path soname))))
+               (substitute* "include/config.h"
+                 (("(#define SONAME_.* )\"(.*)\"" _ defso soname)
+                  (format #f "~a\"~a\"" defso (find-so soname))))
+               #t))))
        #:configure-flags
        (list "--enable-win64"
-             (string-append "LDFLAGS=-Wl,-rpath=" %output "/lib"))
-       ,@(strip-keyword-arguments '(#:configure-flags #:make-flags #:system)
+             (string-append "LDFLAGS=-Wl,-rpath=" %output "/lib/wine64"))
+       ,@(strip-keyword-arguments '(#:configure-flags #:make-flags #:phases
+                                    #:system)
                                   (package-arguments wine-staging))))
-    (synopsis "Implementation of the Windows API (staging branch, 64-bit
+    (synopsis "Implementation of the Windows API (staging branch, WoW64
 version)")
     (supported-systems '("x86_64-linux" "aarch64-linux"))))
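Review bot: `patch-dlopen-paths` in this hunk is a verbatim copy of the phase added to wine64 above, and the other two phases differ from wine64's only in the input label, apparently because `#:phases` is now stripped from the inherited arguments. If the inherited phases are otherwise suitable, leaving `#:phases` out of the `strip-keyword-arguments` list and extending it through a `substitute-keyword-arguments` clause on `#:phases` would keep a single copy of the hardcoding logic. That matters for later fixes: `find-so` returns `#f` when `search-path` finds nothing, and `format` would then write the string `#f` into `include/config.h`, so a guard such as `(or (search-path library-path soname) soname)` would have to be added in every copy.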
diff --git a/guix/ui.scm b/guix/ui.scm
index 2b7cc3d41a..6e08a611cd 100644
--- a/guix/ui.scm
+++ b/guix/ui.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2013 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
 ;;; Copyright © 2014 Cyril Roelandt <tipecaml@gmail.com>
@@ -387,7 +387,7 @@ exiting.  ARGS is the list of arguments received by the 'throw' handler."
   "Display version information for COMMAND and `(exit 0)'."
   (simple-format #t "~a (~a) ~a~%"
                  command %guix-package-name %guix-version)
-  (format #t "Copyright ~a 2017 ~a"
+  (format #t "Copyright ~a 2018 ~a"
           ;; TRANSLATORS: Translate "(C)" to the copyright symbol
           ;; (C-in-a-circle), if this symbol is available in the user's
           ;; locale.  Otherwise, do not translate "(C)"; leave it as-is.  */
diff --git a/nix/scripts/list-runtime-roots.in b/nix/scripts/list-runtime-roots.in
index 48a07edf5f..5f2660fb5e 100644
--- a/nix/scripts/list-runtime-roots.in
+++ b/nix/scripts/list-runtime-roots.in
@@ -130,12 +130,13 @@ or the empty list."
                          (< (string->number a) (string->number b))))))
 
 (define canonicalize-store-item
-  (let ((prefix (+ 1 (string-length %store-directory))))
+  (let* ((store  (string-append %store-directory "/"))
+         (prefix (string-length store)))
     (lambda (file)
       "Return #f if FILE is not a store item; otherwise, return the store file
 name without any sub-directory components."
-      (and (string-prefix? %store-directory file)
-           (string-append %store-directory "/"
+      (and (string-prefix? store file)
+           (string-append store
                           (let ((base (string-drop file prefix)))
                             (match (string-index base #\/)
                               (#f    base)
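Review bot: A FILE equal to the store directory plus the trailing slash still passes the new `string-prefix?` test with an empty `base`, so the `(#f base)` arm returns the store directory itself where the docstring promises `#f` for anything that is not a store item. Adding `(> (string-length file) prefix)` as a second condition of the `and`, ahead of the `string-append`, would reject it. A short comment on the `let*`, for example `;; Match on the store directory plus "/" so that sibling directories sharing its name as a prefix are not taken for store items.`, would also record why the slash became part of the prefix. The `match` form continues past the end of this hunk.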