summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--doc/guix.texi4
-rw-r--r--gnu/local.mk10
-rw-r--r--gnu/packages/avr.scm2
-rw-r--r--gnu/packages/backup.scm3
-rw-r--r--gnu/packages/bioinformatics.scm37
-rw-r--r--gnu/packages/compression.scm12
-rw-r--r--gnu/packages/cran.scm80
-rw-r--r--gnu/packages/games.scm48
-rw-r--r--gnu/packages/gimp.scm4
-rw-r--r--gnu/packages/gnupg.scm31
-rw-r--r--gnu/packages/imagemagick.scm4
-rw-r--r--gnu/packages/irc.scm44
-rw-r--r--gnu/packages/linux.scm36
-rw-r--r--gnu/packages/mail.scm4
-rw-r--r--gnu/packages/maths.scm4
-rw-r--r--gnu/packages/messaging.scm14
-rw-r--r--gnu/packages/mpd.scm4
-rw-r--r--gnu/packages/package-management.scm4
-rw-r--r--gnu/packages/password-utils.scm4
-rw-r--r--gnu/packages/patches/libarchive-CVE-2017-14502.patch40
-rw-r--r--gnu/packages/patches/libexif-CVE-2017-7544.patch29
-rw-r--r--gnu/packages/patches/links-CVE-2017-11114.patch99
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-14685.patch34
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-14686.patch34
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-14687.patch130
-rw-r--r--gnu/packages/patches/mupdf-CVE-2017-15587.patch25
-rw-r--r--gnu/packages/patches/mupdf-build-with-latest-openjpeg.patch (renamed from gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch)8
-rw-r--r--gnu/packages/patches/xboing-CVE-2004-0149.patch134
-rw-r--r--gnu/packages/pdf.scm13
-rw-r--r--gnu/packages/perl-check.scm24
-rw-r--r--gnu/packages/photo.scm2
-rw-r--r--gnu/packages/python.scm27
-rw-r--r--gnu/packages/security-token.scm1
-rw-r--r--gnu/packages/statistics.scm65
-rw-r--r--gnu/packages/textutils.scm9
-rw-r--r--gnu/packages/tls.scm4
-rw-r--r--gnu/packages/web-browsers.scm1
-rw-r--r--gnu/packages/web.scm14
-rw-r--r--gnu/packages/webkit.scm4
-rw-r--r--gnu/packages/xfce.scm5
-rw-r--r--gnu/packages/xml.scm9
-rw-r--r--gnu/services/base.scm18
-rw-r--r--gnu/tests/web.scm2
-rw-r--r--guix/upstream.scm8
44 files changed, 716 insertions, 372 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 3bb29db960..6b6f8dedae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -10025,7 +10025,9 @@ well as in the @var{groups} field of the @var{operating-system} record.
 
 @deffn {Scheme Procedure} urandom-seed-service
 Save some entropy in @var{%random-seed-file} to seed @file{/dev/urandom}
-when rebooting.
+when rebooting.  It also tries to seed @file{/dev/urandom} from
+@file{/dev/hwrng} while booting, if @file{/dev/hwrng} exists and is
+readable.
 @end deffn
 
 @defvr {Scheme Variable} %random-seed-file
diff --git a/gnu/local.mk b/gnu/local.mk
index 84d6df771f..fbc5f52c9c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -782,6 +782,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/liba52-set-soname.patch			\
   %D%/packages/patches/liba52-use-mtune-not-mcpu.patch		\
   %D%/packages/patches/libarchive-CVE-2017-14166.patch		\
+  %D%/packages/patches/libarchive-CVE-2017-14502.patch		\
   %D%/packages/patches/libbase-fix-includes.patch		\
   %D%/packages/patches/libbase-use-own-logging.patch		\
   %D%/packages/patches/libbonobo-activation-test-race.patch	\
@@ -796,6 +797,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch	\
   %D%/packages/patches/libevent-2.1-dns-tests.patch		\
   %D%/packages/patches/libevent-2.1-skip-failing-test.patch	\
+  %D%/packages/patches/libexif-CVE-2017-7544.patch		\
   %D%/packages/patches/libgit2-0.25.1-mtime-0.patch		\
   %D%/packages/patches/libgdata-fix-tests.patch			\
   %D%/packages/patches/libgdata-glib-duplicate-tests.patch	\
@@ -832,6 +834,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/lierolibre-newer-libconfig.patch		\
   %D%/packages/patches/lierolibre-remove-arch-warning.patch	\
   %D%/packages/patches/lierolibre-try-building-other-arch.patch	\
+  %D%/packages/patches/links-CVE-2017-11114.patch		\
   %D%/packages/patches/linux-pam-no-setfsuid.patch		\
   %D%/packages/patches/lirc-localstatedir.patch			\
   %D%/packages/patches/llvm-3.5-fix-clang-build-with-gcc5.patch	\
@@ -873,11 +876,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/mozjs38-tracelogger.patch		\
   %D%/packages/patches/mozjs38-version-detection.patch		\
   %D%/packages/patches/mumps-build-parallelism.patch		\
-  %D%/packages/patches/mupdf-build-with-openjpeg-2.1.patch	\
-  %D%/packages/patches/mupdf-CVE-2017-14685.patch		\
-  %D%/packages/patches/mupdf-CVE-2017-14686.patch		\
-  %D%/packages/patches/mupdf-CVE-2017-14687.patch		\
-  %D%/packages/patches/mupdf-CVE-2017-15587.patch		\
+  %D%/packages/patches/mupdf-build-with-latest-openjpeg.patch	\
   %D%/packages/patches/mupen64plus-ui-console-notice.patch	\
   %D%/packages/patches/mutt-store-references.patch		\
   %D%/packages/patches/net-tools-bitrot.patch			\
@@ -1119,6 +1118,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/wpa-supplicant-fix-zeroed-keys.patch	\
   %D%/packages/patches/wpa-supplicant-fix-nonce-reuse.patch	\
   %D%/packages/patches/wpa-supplicant-krack-followups.patch	\
+  %D%/packages/patches/xboing-CVE-2004-0149.patch		\
   %D%/packages/patches/xcb-proto-python3-print.patch		\
   %D%/packages/patches/xcb-proto-python3-whitespace.patch	\
   %D%/packages/patches/xdotool-fix-makefile.patch               \
diff --git a/gnu/packages/avr.scm b/gnu/packages/avr.scm
index ecb7cd19a8..e9e93cbb9a 100644
--- a/gnu/packages/avr.scm
+++ b/gnu/packages/avr.scm
@@ -158,7 +158,7 @@ C++.")
     (native-inputs
      `(("unzip" ,unzip)
        ("xxd" ,xxd)))
-    (home-page "http://microscheme.org/")
+    (home-page "https://github.com/ryansuchocki/microscheme/")
     (synopsis "Scheme subset for Atmel microcontrollers")
     (description
      "Microscheme, or @code{(ms)} for short, is a functional programming
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 28d618381f..db1af031fb 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -195,7 +195,8 @@ backups (called chunks) to allow easy burning to CD/DVD.")
        (method url-fetch)
        (uri (string-append "http://libarchive.org/downloads/libarchive-"
                            version ".tar.gz"))
-       (patches (search-patches "libarchive-CVE-2017-14166.patch"))
+       (patches (search-patches "libarchive-CVE-2017-14166.patch"
+                                "libarchive-CVE-2017-14502.patch"))
        (sha256
         (base32
          "1km0mzfl6in7l5vz9kl09a88ajx562rw93ng9h2jqavrailvsbgd"))))
diff --git a/gnu/packages/bioinformatics.scm b/gnu/packages/bioinformatics.scm
index 479404b4a2..f956aef5af 100644
--- a/gnu/packages/bioinformatics.scm
+++ b/gnu/packages/bioinformatics.scm
@@ -5857,14 +5857,14 @@ information as possible.")
 (define-public r-vegan
   (package
     (name "r-vegan")
-    (version "2.4-4")
+    (version "2.4-5")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "vegan" version))
        (sha256
         (base32
-         "1n57dzv2aid6iqd9fkqik401sidqanhzsawyak94qbiyh6dbd1x9"))))
+         "0cyyvn3xsjn24w590jn6z4xajafv7yzvj6c51vqi9q6m8v5831ya"))))
     (build-system r-build-system)
     (native-inputs
      `(("gfortran" ,gfortran)))
@@ -6025,14 +6025,14 @@ distribution.")
 (define-public r-dexseq
   (package
     (name "r-dexseq")
-    (version "1.24.1")
+    (version "1.24.2")
     (source
      (origin
        (method url-fetch)
        (uri (bioconductor-uri "DEXSeq" version))
        (sha256
         (base32
-         "1hwckj4ijgpdchbakvh60nmcaz4fwd5yplhn0880z3dnlsrp8ik3"))))
+         "18nh8ynxirfwkmc4sawdxgl7w1sl9ny5zpv8zbhv9vi5vgb8pxmj"))))
     (properties `((upstream-name . "DEXSeq")))
     (build-system r-build-system)
     (propagated-inputs
@@ -6703,13 +6703,13 @@ authoring books and technical documents with R Markdown.")
 (define-public r-biocstyle
   (package
    (name "r-biocstyle")
-   (version "2.6.0")
+   (version "2.6.1")
     (source (origin
               (method url-fetch)
               (uri (bioconductor-uri "BiocStyle" version))
               (sha256
                (base32
-                "05f2j9fx8s5gh4f8qkl6wcz32ghz04wxhqb3xxcn1bj24qd7x1x8"))))
+                "03pp04pkcq99kdv2spzr995h2cxsza7l6w3d4gp4112m06prcybm"))))
     (properties
      `((upstream-name . "BiocStyle")))
     (build-system r-build-system)
@@ -6973,13 +6973,13 @@ names in their natural, rather than lexicographic, order.")
 (define-public r-edger
   (package
     (name "r-edger")
-    (version "3.20.1")
+    (version "3.20.2")
     (source (origin
               (method url-fetch)
               (uri (bioconductor-uri "edgeR" version))
               (sha256
                (base32
-                "01qnxwr9rmz8r5ga3hvjk632365ga2aygx71mxkk7jiad2pjznsp"))))
+                "0j5s3i33qmld9l7gs1rzpv601zxyqz711x8mq35hml088c8s99w9"))))
     (properties `((upstream-name . "edgeR")))
     (build-system r-build-system)
     (propagated-inputs
@@ -7039,13 +7039,13 @@ coding changes and predict coding outcomes.")
 (define-public r-limma
   (package
     (name "r-limma")
-    (version "3.34.2")
+    (version "3.34.4")
     (source (origin
               (method url-fetch)
               (uri (bioconductor-uri "limma" version))
               (sha256
                (base32
-                "1zyw01z9crm1jc86fva4pqxd9zxfsbsqwjq6ry39gag9pfb7pwcz"))))
+                "1vcxf9jg8xngxg5kb9bp8rw5sghpnkpj320iq309m2fp41ahsk3f"))))
     (build-system r-build-system)
     (home-page "http://bioinf.wehi.edu.au/limma")
     (synopsis "Package for linear models for microarray and RNA-seq data")
@@ -7172,18 +7172,19 @@ annotation data packages using SQLite data storage.")
 (define-public r-biomart
   (package
     (name "r-biomart")
-    (version "2.34.0")
+    (version "2.34.1")
     (source (origin
               (method url-fetch)
               (uri (bioconductor-uri "biomaRt" version))
               (sha256
                (base32
-                "1dn3ysf0vb3mmg2b3380g0j1ajf88x4rh7fddfp990h2xlnsy2cx"))))
+                "0jzv8b86vpvavwnzi5xf7y18xmn72zkabkn2kclg1mgl847cq13k"))))
     (properties
      `((upstream-name . "biomaRt")))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-annotationdbi" ,r-annotationdbi)
+       ("r-httr" ,r-httr)
        ("r-progress" ,r-progress)
        ("r-rcurl" ,r-rcurl)
        ("r-stringr" ,r-stringr)
@@ -7393,13 +7394,13 @@ alignments.")
 (define-public r-rtracklayer
   (package
     (name "r-rtracklayer")
-    (version "1.38.0")
+    (version "1.38.2")
     (source (origin
               (method url-fetch)
               (uri (bioconductor-uri "rtracklayer" version))
               (sha256
                (base32
-                "12al1ygzy9p4myxa1fd817m28x2fj6f863znk9bw3hp7knbi98dh"))))
+                "1sjn3976f1sqvrq6jq2hgc60ffxgfr3jlklaxfrk3xad5cv2kr2d"))))
     (build-system r-build-system)
     (arguments
      `(#:phases
@@ -10168,14 +10169,14 @@ defining LD blocks.")
 (define-public r-gqtlstats
   (package
     (name "r-gqtlstats")
-    (version "1.10.0")
+    (version "1.10.1")
     (source
      (origin
        (method url-fetch)
        (uri (bioconductor-uri "gQTLstats" version))
        (sha256
         (base32
-         "1cbdqawxzgna8rrgj3siph5sw4d2pb57qc0gn6ibfkhyk45f8gdv"))))
+         "0gvq1sf2zjbkk431x40z6wql3c1rpclnnwa2f1hvykb8mmw70kmq"))))
     (properties `((upstream-name . "gQTLstats")))
     (build-system r-build-system)
     (propagated-inputs
@@ -10222,14 +10223,14 @@ family of feature/genome hypotheses.")
 (define-public r-gviz
   (package
     (name "r-gviz")
-    (version "1.22.0")
+    (version "1.22.2")
     (source
      (origin
        (method url-fetch)
        (uri (bioconductor-uri "Gviz" version))
        (sha256
         (base32
-         "1lrw65a8426wpxw975wjcaiacpp6fqa00nif1yxigyankbfs23c8"))))
+         "173n99mc95sij2vb8n3xd016x7mxhjs961q3l29xkg1lrnnm2sva"))))
     (properties `((upstream-name . "Gviz")))
     (build-system r-build-system)
     (propagated-inputs
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index fc3aea31fe..37a934b5a2 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -1602,7 +1602,7 @@ or junctions, and always follows hard links.")
 (define-public zstd
   (package
     (name "zstd")
-    (version "1.3.2")
+    (version "1.3.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/facebook/zstd/archive/v"
@@ -1610,7 +1610,7 @@ or junctions, and always follows hard links.")
               (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "12krs9k5f408kyn0d7dwxqyc67177mgd14783ay10rafqsim8l5c"))))
+                "0yr91gwi380632w9y7p6idl72svq0mq0jajvdii05pp77qalfz57"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
@@ -1618,7 +1618,13 @@ or junctions, and always follows hard links.")
          (delete 'configure))           ; no configure script
        #:make-flags
        (list "CC=gcc"
-             (string-append "PREFIX=" (assoc-ref %outputs "out")))
+             (string-append "PREFIX=" (assoc-ref %outputs "out"))
+             ;; Skip auto-detection of, and creating a dependency on, the build
+             ;; environment's ‘xz’ for what amounts to a dubious feature anyway.
+             "HAVE_LZMA=0"
+             ;; Not currently detected, but be explicit & avoid surprises later.
+             "HAVE_LZ4=0"
+             "HAVE_ZLIB=0")
        #:test-target "test"))
     (home-page "http://zstd.net/")
     (synopsis "Zstandard real-time compression algorithm")
diff --git a/gnu/packages/cran.scm b/gnu/packages/cran.scm
index e7c9c6588a..9b80b68984 100644
--- a/gnu/packages/cran.scm
+++ b/gnu/packages/cran.scm
@@ -541,14 +541,14 @@ plot networks.")
 (define-public r-proxy
   (package
     (name "r-proxy")
-    (version "0.4-19")
+    (version "0.4-20")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "proxy" version))
        (sha256
         (base32
-         "0ladwgi70jw2a3adgg2xadw8hz3mm6llsw428c1fcrl305sy49vb"))))
+         "15g6dacdmlbkcnimblscghl23aj732cn6qwbs583r4im9v5nvbla"))))
     (build-system r-build-system)
     (home-page "http://cran.r-project.org/web/packages/proxy")
     (synopsis "Distance and similarity measures")
@@ -1444,22 +1444,66 @@ imputations.")
     ;; Any of these two versions.
     (license (list license:gpl2 license:gpl3))))
 
+(define-public r-truncnorm
+  (package
+    (name "r-truncnorm")
+    (version "1.0-7")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "truncnorm" version))
+       (sha256
+        (base32
+         "1qac05z50618y4bw1d7yznsli1bv82s0g8h37iacrjrdkv87bmy7"))))
+    (build-system r-build-system)
+    (home-page "http://cran.r-project.org/web/packages/truncnorm/")
+    (synopsis "Truncated normal distribution")
+    (description "This package provides functions for the truncated normal
+distribution with mean equal to @code{mean} and standard deviation equal to
+@code{sd}.  It includes density, distribution, quantile, and expected value
+functions, as well as a random generation function.")
+    (license license:gpl2)))
+
+(define-public r-rsolnp
+  (package
+    (name "r-rsolnp")
+    (version "1.16")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "Rsolnp" version))
+       (sha256
+        (base32
+         "0w7nkj6igr0gi7r7jg950lsx7dj6aipgxi6vbjsf5f5yc9h7fhii"))))
+    (properties `((upstream-name . "Rsolnp")))
+    (build-system r-build-system)
+    (propagated-inputs
+     `(("r-truncnorm" ,r-truncnorm)))
+    (home-page "http://cran.r-project.org/web/packages/Rsolnp/")
+    (synopsis "General non-linear optimization")
+    (description "The Rsolnp package implements a general non-linear augmented
+Lagrange multiplier method solver, a @dfn{sequential quadratic
+programming} (SQP) based solver).")
+    ;; Any version of the GPL.
+    (license license:gpl2+)))
+
 (define-public r-hardyweinberg
   (package
     (name "r-hardyweinberg")
-    (version "1.5.8")
+    (version "1.5.9")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "HardyWeinberg" version))
        (sha256
         (base32
-         "0xbcchmzii0jv0ygr91n72r39j1axraxd2i607b56v4yd5d8sy4k"))))
+         "0qk3lly5qczn61rj0q9xzscppspvk238yjgr4p71pkzkjhiv40jz"))))
     (properties `((upstream-name . "HardyWeinberg")))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-mice" ,r-mice)
-       ("r-rcpp" ,r-rcpp)))
+       ("r-rcpp" ,r-rcpp)
+       ("r-rsolnp" ,r-rsolnp)))
     (home-page "https://cran.r-project.org/package=HardyWeinberg")
     (synopsis "Statistical tests and graphics for Hardy-Weinberg equilibrium")
     (description
@@ -1620,14 +1664,14 @@ modeling for empirical income distributions.")
 (define-public r-vcd
   (package
     (name "r-vcd")
-    (version "1.4-3")
+    (version "1.4-4")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "vcd" version))
        (sha256
         (base32
-         "05azric2w8mrsdk7y0484cjygcgcmbp96q2v500wvn91fj98kkhp"))))
+         "1lp99h0wvsc61l1dgcqjxdrcgpgw88ak430cdsv43kmm43qssqd5"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-colorspace" ,r-colorspace)
@@ -1773,3 +1817,25 @@ plots in @code{ggplot2}.")
 distributions over time or space.  This package enables the creation of such
 plots in @code{ggplot2}.")
     (license license:gpl2)))
+
+(define-public r-cli
+  (package
+    (name "r-cli")
+    (version "1.0.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (cran-uri "cli" version))
+       (sha256
+        (base32
+         "07as3dr7vwx02p3qgzlmxz1dlrd3x3lysrzp222ip9jcjpydp8wg"))))
+    (build-system r-build-system)
+    (propagated-inputs
+     `(("r-assertthat" ,r-assertthat)
+       ("r-crayon" ,r-crayon)))
+    (home-page "https://github.com/r-lib/cli#readme")
+    (synopsis "Helpers for developing command line interfaces")
+    (description "This package provides a suite of tools designed to build
+attractive command line interfaces (CLIs).  It includes tools for drawing
+rules, boxes, trees, and Unicode symbols with ASCII alternatives.")
+    (license license:expat)))
diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm
index df9eed72e8..fb129d4393 100644
--- a/gnu/packages/games.scm
+++ b/gnu/packages/games.scm
@@ -1072,7 +1072,8 @@ Portable Game Notation.")
        (uri (string-append "http://www.techrescue.org/xboing/xboing"
                            version ".tar.gz"))
        (sha256
-        (base32 "16m2si8wmshxpifk861vhpqviqxgcg8bxj6wfw8hpnm4r2w9q0b7"))))
+        (base32 "16m2si8wmshxpifk861vhpqviqxgcg8bxj6wfw8hpnm4r2w9q0b7"))
+       (patches (search-patches "xboing-CVE-2004-0149.patch"))))
     (arguments
      `(#:tests? #f
        #:phases
@@ -2515,6 +2516,7 @@ emulation community.  It provides highly accurate emulation.")
                 (uri (git-reference
                       (url "https://github.com/Aloshi/EmulationStation.git")
                       (commit commit))) ; no version tag
+                (file-name (string-append name "-" version "-checkout"))
                 (sha256
                  (base32
                   "0cm0sq2wri2l9cvab1l0g02za59q7klj0h3p028vr96n6njj4w9v"))))
@@ -5136,3 +5138,47 @@ abilities and powers.  With a modern graphical and customisable interface,
 intuitive mouse control, streamlined mechanics and deep, challenging combat,
 Tales of Maj’Eyal offers engaging roguelike gameplay for the 21st century.")
     (license license:gpl3+)))
+
+(define-public quakespasm
+  (package
+    (name "quakespasm")
+    (version "0.93.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "mirror://sourceforge/quakespasm/Source/quakespasm-"
+                           version ".tgz"))
+       (sha256
+        (base32
+         "0b2nz7w4za32pc34r62ql270z692qcjs2pm0i3svkxkvfammhdfq"))))
+    (arguments
+     `(#:tests? #f
+       #:make-flags '("CC=gcc"
+                      "MP3LIB=mpg123"
+                      "USE_CODEC_FLAC=1"
+                      "USE_CODEC_MIKMOD=1"
+                      "USE_SDL2=1"
+                      "-CQuake")
+       #:phases (modify-phases %standard-phases
+                  (delete 'configure)
+                  (add-after 'unpack 'fix-makefile-paths
+                    (lambda* (#:key outputs #:allow-other-keys)
+                      (let ((out (assoc-ref outputs "out")))
+                        (mkdir-p (string-append out "/bin"))
+                        (substitute* "Quake/Makefile"
+                          (("/usr/local/games")
+                           (string-append out "/bin")))
+                        #t))))))
+    (build-system gnu-build-system)
+    (inputs `(("libmikmod" ,libmikmod)
+              ("libvorbis" ,libvorbis)
+              ("flac" ,flac)
+              ("mesa" ,mesa)
+              ("mpg123" ,mpg123)
+              ("sdl2" ,sdl2)))
+    (synopsis "First person shooter engine for Quake 1")
+    (description "Quakespasm is a modern engine for id software's Quake 1.
+It includes support for 64 bit CPUs, custom music playback, a new sound driver,
+some graphical niceities, and numerous bug-fixes and other improvements.")
+    (home-page "http://quakespasm.sourceforge.net/")
+    (license license:gpl2+)))
diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm
index c820818687..b0797453fa 100644
--- a/gnu/packages/gimp.scm
+++ b/gnu/packages/gimp.scm
@@ -43,7 +43,7 @@
 (define-public babl
   (package
     (name "babl")
-    (version "0.1.30")
+    (version "0.1.38")
     (source (origin
               (method url-fetch)
               (uri (list (string-append "https://download.gimp.org/pub/babl/"
@@ -54,7 +54,7 @@
                                         version ".tar.bz2")))
               (sha256
                (base32
-                "1k2k3phh9ybma2snw6hm8inx2dw1jq6cf7w2aqvi4rfr0rxjrha5"))))
+                "11pfbyzq20596p9sgwraxspg3djg1jzz6wvz4bapf0yyr97jiyd0"))))
     (build-system gnu-build-system)
     (home-page "http://gegl.org/babl/")
     (synopsis "Image pixel format conversion library")
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index c8d494c401..bb01aac978 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -127,7 +127,7 @@ generation.")
 (define-public libassuan
   (package
     (name "libassuan")
-    (version "2.4.4")
+    (version "2.5.1")
     (source
      (origin
       (method url-fetch)
@@ -135,10 +135,11 @@ generation.")
                           version ".tar.bz2"))
       (sha256
        (base32
-        "18bwffjkx9pn0lawbsn6zhd90i7xhjgpf9b0nl5xw9134w1a2scy"))))
+        "0jb4nb4nrjr949gd3lw8lh4v5d6qigxaq6xwy24w5apjnhvnrya7"))))
     (build-system gnu-build-system)
     (propagated-inputs
-     `(("libgpg-error" ,libgpg-error) ("pth" ,pth)))
+     `(("libgpg-error" ,libgpg-error)
+       ("pth" ,pth)))
     (home-page "https://gnupg.org")
     (synopsis
      "IPC library used by GnuPG and related software")
@@ -212,14 +213,14 @@ compatible to GNU Pth.")
 (define-public gnupg
   (package
     (name "gnupg")
-    (version "2.2.3")
+    (version "2.2.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnupg/gnupg/gnupg-" version
                                   ".tar.bz2"))
               (sha256
                (base32
-                "1d4482c4pbi0p1k8cc0f9c4q51k56v8navrbz5samxrrs42p3lyb"))))
+                "1v7j8v2ww1knknbrhw3svfrqkmf9ll58iq0dczbsdpqgg1j3w6j0"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("pkg-config" ,pkg-config)))
@@ -327,7 +328,8 @@ libskba (working with X.509 certificates and CMS data).")
                 ;; Keep the old name around to ease transition.
                 (symlink "gpgv" "gpgv2")
                 (symlink "gpg" "gpg2")
-                #t)))))))))
+                #t)))))))
+   (properties `((superseded . ,gnupg)))))
 
 (define-public gnupg-1
   (package (inherit gnupg)
@@ -371,10 +373,14 @@ libskba (working with X.509 certificates and CMS data).")
      ;; Needs to be propagated because gpgme.h includes gpg-error.h.
      `(("libgpg-error" ,libgpg-error)))
     (inputs
-     `(("gnupg" ,gnupg-2.0)
+     `(("gnupg" ,gnupg)
        ("libassuan" ,libassuan)))
     (arguments
-     `(#:phases
+     `(#:configure-flags
+       (list (string-append "--enable-fixed-path="
+                            (assoc-ref %build-inputs "gnupg")
+                            "/bin"))
+       #:phases
        (modify-phases %standard-phases
          (add-after 'configure 'patch-cmake-file
            (lambda _
@@ -478,9 +484,10 @@ distributed separately.")
            (lambda _
              (zero? (system* "make" "check")))))))
     (build-system python-build-system)
+    (native-inputs
+     `(("gnupg" ,gnupg-1)))
     (inputs
-     `(("gnupg" ,gnupg-2.0)
-       ("gpgme" ,gpgme)))
+     `(("gpgme" ,gpgme)))
     (home-page "https://launchpad.net/pygpgme")
     (synopsis "Python module for working with OpenPGP messages")
     (description
@@ -714,14 +721,14 @@ including tools for signing keys, keyring analysis, and party preparation.
 (define-public pinentry-tty
   (package
     (name "pinentry-tty")
-    (version "1.0.0")
+    (version "1.1.0")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnupg/pinentry/pinentry-"
                                   version ".tar.bz2"))
               (sha256
                (base32
-                "0ni7g4plq6x78p32al7m8h2zsakvg1rhfz0qbc3kdc7yq7nw4whn"))))
+                "0w35ypl960pczg5kp6km3dyr000m1hf0vpwwlh72jjkjza36c1v8"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--enable-pinentry-tty")))
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index ac9fca8600..29ce574197 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -46,14 +46,14 @@
     ;; The 7 release series has an incompatible API, while the 6 series is still
     ;; maintained. Don't update to 7 until we've made sure that the ImageMagick
     ;; users are ready for the 7-series API.
-    (version "6.9.9-23")
+    (version "6.9.9-27")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://imagemagick/ImageMagick-"
                                  version ".tar.xz"))
              (sha256
               (base32
-               "0cd6zcbcfvznf0i3q4xz1c4wm4cfplg4zc466lvlb1w8qbn25948"))))
+               "0z71az1bfar1r6mm3ijxbci0vb1ri66ypaals8wb17h1d85hkl17"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags '("--with-frozenpaths" "--without-gcc-arch")
diff --git a/gnu/packages/irc.scm b/gnu/packages/irc.scm
index fbcc0b6f1b..ec329ade7e 100644
--- a/gnu/packages/irc.scm
+++ b/gnu/packages/irc.scm
@@ -153,18 +153,21 @@ SILC and ICB protocols via plugins.")
 (define-public weechat
   (package
     (name "weechat")
-    (version "2.0")
+    (version "2.0.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://weechat.org/files/src/weechat-"
                                   version ".tar.xz"))
               (sha256
                (base32
-                "1ix2izrlr5jx5vl49kz9jbib7cq9mr6i7iyxkcz6xjfrryx2s5x9"))
+                "1l854dramvn9vfba7jpazkjwm4k4i5pshq58vjv6z2mxmcp5hhv9"))
               (patches (search-patches "weechat-python.patch"))))
     (build-system cmake-build-system)
-    (native-inputs `(("gettext" ,gettext-minimal)
-                     ("pkg-config" ,pkg-config)))
+    (native-inputs
+     `(("gettext" ,gettext-minimal)
+       ("pkg-config" ,pkg-config)
+       ;; For tests.
+       ("cpputest" ,cpputest)))
     (inputs `(("ncurses" ,ncurses)
               ("libgcrypt" ,libgcrypt "out")
               ("zlib" ,zlib)
@@ -177,15 +180,30 @@ SILC and ICB protocols via plugins.")
               ("perl" ,perl)
               ("tcl" ,tcl)))
     (arguments
-     `(#:tests? #f ; tests require cpputime
-       #:phases (modify-phases %standard-phases
-                  (add-after 'install 'wrap
-                    (lambda* (#:key inputs outputs #:allow-other-keys)
-                      (let ((out (assoc-ref outputs "out"))
-                            (py2 (assoc-ref inputs "python")))
-                        (wrap-program (string-append out "/bin/weechat")
-                          `("PATH" ":" prefix (,(string-append py2 "/bin"))))
-                        #t))))))
+     `(#:configure-flags
+       (list "-DENABLE_TESTS=ON")       ; ‘make test’ fails otherwise
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'disable-failing-tests
+           ;; For reasons best left to the imagination, CppUTest cannot skip
+           ;; more than one single test...  Resort to manual patching instead.
+           ;; See <https://cpputest.github.io/manual.html#command_line>.
+           (λ _
+             ;; Don't test plugin support for languages we don't enable.
+             (substitute* "tests/unit/test-plugins.cpp"
+               ((".*\\$\\{plugin.name\\} == (javascript|php|ruby)" all)
+                (string-append "// SKIP" all)))
+             (substitute* "tests/scripts/test-scripts.cpp"
+               ((".*\\{ \"(jvascript|php|ruby)\", " all) ; sic
+                (string-append "// SKIP" all)))
+             #t))
+         (add-after 'install 'wrap
+           (lambda* (#:key inputs outputs #:allow-other-keys)
+             (let ((out (assoc-ref outputs "out"))
+                   (py2 (assoc-ref inputs "python")))
+               (wrap-program (string-append out "/bin/weechat")
+                 `("PATH" ":" prefix (,(string-append py2 "/bin"))))
+               #t))))))
     (synopsis "Extensible chat client")
     (description "WeeChat (Wee Enhanced Environment for Chat) is an
 @dfn{Internet Relay Chat} (IRC) client, which is designed to be light and fast.
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index f2336093d9..a2e8dc287e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -370,8 +370,8 @@ It has been modified to remove all non-free binary blobs.")
 (define %intel-compatible-systems '("x86_64-linux" "i686-linux"))
 (define %linux-compatible-systems '("x86_64-linux" "i686-linux" "armhf-linux"))
 
-(define %linux-libre-version "4.14.6")
-(define %linux-libre-hash "0q6dl2shkj5dkf0wgzgfyaq0axk97w05j618xi619y9xqph4ql79")
+(define %linux-libre-version "4.14.8")
+(define %linux-libre-hash "0y8nggpdgfqfx6dy5k39vj552k5mxamwjn6mldwrhs2aqpsrbwr3")
 
 ;; linux-libre configuration for armhf-linux is derived from Debian armmp.  It
 ;; supports qemu "virt" machine and possibly a large number of ARM boards.
@@ -384,14 +384,14 @@ It has been modified to remove all non-free binary blobs.")
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.9
-  (make-linux-libre "4.9.69"
-                    "0xkqbh8fpx47appszjbxzljr6vr0wyk0fphlkynpcrmingk4b98j"
+  (make-linux-libre "4.9.71"
+                    "0z4m77zbndlqy43bgl1xhklpjilbvrhbfbcppc55z3f61qwjf0mc"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
 (define-public linux-libre-4.4
-  (make-linux-libre "4.4.105"
-                    "177qvci7wfrc23vi11bnyayfivxf6d8hankgrzv26jr3z6j0rall"
+  (make-linux-libre "4.4.107"
+                    "0pfzv15c1qj7a77n8cdmsi77yhlbzv35y7qa03j0b96ajwjsclsp"
                     %intel-compatible-systems
                     #:configuration-file kernel-config))
 
@@ -3397,16 +3397,30 @@ The following service daemons are also provided:
 (define-public rng-tools
   (package
     (name "rng-tools")
-    (version "5")
+    (version "6.1")
     (source (origin
               (method url-fetch)
-              (uri (string-append
-                "http://downloads.sourceforge.net/sourceforge/gkernel/"
-                "rng-tools-" version ".tar.gz"))
+              (uri (string-append "https://github.com/nhorman/rng-tools/"
+                                  "archive/v" version ".tar.gz"))
+              (file-name (string-append name "-" version ".tar.gz"))
               (sha256
                (base32
-                "13h7lc8wl9khhvkr0i3bl5j9bapf8anhqis1lcnwxg1vc2v058b0"))))
+                "00ywsknjpc9jd9kfmz2syk9l0xkiiwyx5qhl5zvhhc69v6682i31"))))
     (build-system gnu-build-system)
+    (arguments
+     `(;; Avoid using OpenSSL, curl, and libxml2, reducing the closure by 166 MiB.
+       #:configure-flags '("--without-nistbeacon")
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'bootstrap
+           (lambda _
+             (zero? (system* "sh" "autogen.sh")))))))
+    (native-inputs
+     `(("autoconf" ,autoconf)
+       ("automake" ,automake)
+       ("pkg-config" ,pkg-config)))
+    (inputs
+     `(("libsysfs" ,sysfsutils)))
     (synopsis "Random number generator daemon")
     (description
      "Monitor a hardware random number generator, and supply entropy
diff --git a/gnu/packages/mail.scm b/gnu/packages/mail.scm
index 0423dd7c56..6aedcf7c3a 100644
--- a/gnu/packages/mail.scm
+++ b/gnu/packages/mail.scm
@@ -1049,7 +1049,7 @@ delivery.")
 (define-public exim
   (package
     (name "exim")
-    (version "4.89.1")
+    (version "4.90")
     (source
      (origin
        (method url-fetch)
@@ -1059,7 +1059,7 @@ delivery.")
                                  version ".tar.bz2")))
        (sha256
         (base32
-         "133sjkcm9wlhpcxflr5v865varc1995bqa1y3vjs1w6zc34kp18w"))))
+         "1cmx2648zhpsc4pznky7qsqbjazd3wn4gpslbl30j56cv1m6rb3x"))))
     (build-system gnu-build-system)
     (inputs
      `(("bdb" ,bdb)
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index 22d11302a5..11213bea94 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -2482,7 +2482,7 @@ point numbers.")
 (define-public wxmaxima
   (package
     (name "wxmaxima")
-    (version "17.05.1")
+    (version "17.10.1")
     (source
      (origin
        (method url-fetch)
@@ -2491,7 +2491,7 @@ point numbers.")
        (file-name (string-append name "-" version ".tar.gz"))
        (sha256
         (base32
-         "0dv0cy0cf46v0cbw32izscpkdmpxg1qhwq1f4cz46kkqd8k4yfbj"))))
+         "0qlzc31cqkwpfgrb9cif9bcnkj3rq487plg4rns7jxv6pq4609v1"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("autoconf" ,autoconf)
diff --git a/gnu/packages/messaging.scm b/gnu/packages/messaging.scm
index 1780536d05..8b3bf5cf68 100644
--- a/gnu/packages/messaging.scm
+++ b/gnu/packages/messaging.scm
@@ -493,14 +493,14 @@ simultaneously and therefore appear under the same nickname on IRC.")
 (define-public python-nbxmpp
   (package
     (name "python-nbxmpp")
-    (version "0.5.5")
+    (version "0.6.1")
     (source
      (origin
        (method url-fetch)
        (uri (pypi-uri "nbxmpp" version))
        (sha256
         (base32
-         "1gnzrzrdl4nii1sc5x8p5iw2ya5sl70j3nn34abqsny51p2pzmv6"))))
+         "0qvkiscy42nhzhccszi049ws8cnhpxgc13g8naq1rsa5x9zy163c"))))
     (build-system python-build-system)
     (arguments
      `(#:tests? #f))                    ; no tests
@@ -518,7 +518,7 @@ was initially a fork of xmpppy, but uses non-blocking sockets.")
 (define-public gajim
   (package
     (name "gajim")
-    (version "0.16.8")
+    (version "0.16.9")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://gajim.org/downloads/"
@@ -526,7 +526,7 @@ was initially a fork of xmpppy, but uses non-blocking sockets.")
                                   "/gajim-" version ".tar.bz2"))
               (sha256
                (base32
-                "0ckakdjg30fsyjsgyy2573x9nmjivdg76y049l86wns5axw8im26"))))
+                "0v08zdvpqaig0wxpxn1l8rsj3wr3fqvnagn8cnvch17vfqv9gcr1"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
@@ -568,8 +568,8 @@ end-to-end encryption support; XML console.")
 (define-public dino
   ;; The only release tarball is for version 0.0, but it is very old and fails
   ;; to build.
-  (let ((commit "2a514d0969f5c25d5e2d14421125a47df6b14974")
-        (revision "2"))
+  (let ((commit "f25fadde2d6c9492b9cafe2cddbcc7b966942e47")
+        (revision "3"))
     (package
       (name "dino")
       (version (string-append "0.0-" revision "." (string-take commit 9)))
@@ -581,7 +581,7 @@ end-to-end encryption support; XML console.")
                 (file-name (string-append name "-" version "-checkout"))
                 (sha256
                  (base32
-                  "0v9fqikxvamdw7bxbwc4s01x0vf30vl77149y16krijaqnq6kzv0"))))
+                  "1nhzrw3pbpybn9qclckk6z427vbgnqd0y1l63zd1rfw4zw099mzs"))))
       (build-system cmake-build-system)
       (arguments
        `(#:tests? #f ; there are no tests
diff --git a/gnu/packages/mpd.scm b/gnu/packages/mpd.scm
index 74b53afce1..e6bc2b4e71 100644
--- a/gnu/packages/mpd.scm
+++ b/gnu/packages/mpd.scm
@@ -76,7 +76,7 @@ interfacing MPD in the C, C++ & Objective C languages.")
 (define-public mpd
   (package
     (name "mpd")
-    (version "0.20.12")
+    (version "0.20.13")
     (source (origin
               (method url-fetch)
               (uri
@@ -85,7 +85,7 @@ interfacing MPD in the C, C++ & Objective C languages.")
                               "/mpd-" version ".tar.xz"))
               (sha256
                (base32
-                "02gpfkki61c24hphaas9pb29wpvd0pbmwdqrpn8wi1gv103aqng1"))))
+                "0h7z90dnpwlyad4kfi1ja9v9vzqic0xg93iy4q0dwlhav0scbha6"))))
     (build-system gnu-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/package-management.scm b/gnu/packages/package-management.scm
index 7aeb4967bf..633708a6f5 100644
--- a/gnu/packages/package-management.scm
+++ b/gnu/packages/package-management.scm
@@ -757,14 +757,14 @@ written entirely in Python.")))
 (define-public gwl
   (package
     (name "gwl")
-    (version "0.1.0")
+    (version "0.1.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.guixwl.org/releases/gwl-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1x4swwp7kmhd57j3scii5c4h8swkcvab2r6mz7wxwwbx300wcqpy"))))
+                "06pm967mq1wyggx7l0nfapw5s0k5qc5r9lawk2v3db868br779a7"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("autoconf" ,autoconf)
diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index d83c2449e1..07197de0d5 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -88,7 +88,7 @@ human.")
 (define-public keepassxc
   (package
     (name "keepassxc")
-    (version "2.2.2")
+    (version "2.2.4")
     (source
      (origin
        (method url-fetch)
@@ -97,7 +97,7 @@ human.")
                            version "-src.tar.xz"))
        (sha256
         (base32
-         "0wrl8kxb16wzdgfjj057yv18cfg0b8z8lxp1fl2q8fkdgr7phm9g"))))
+         "1pfkq1m5vb90kx67vyw70s1hc4ivjsvq2535vm6wdwwsncna6bz5"))))
     (build-system cmake-build-system)
     (inputs
      `(("libgcrypt" ,libgcrypt)
diff --git a/gnu/packages/patches/libarchive-CVE-2017-14502.patch b/gnu/packages/patches/libarchive-CVE-2017-14502.patch
new file mode 100644
index 0000000000..8e0508afb5
--- /dev/null
+++ b/gnu/packages/patches/libarchive-CVE-2017-14502.patch
@@ -0,0 +1,40 @@
+Fix CVE-2017-14502:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14502
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573
+
+Patch copied from upstream source repository:
+
+https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6
+
+From 5562545b5562f6d12a4ef991fae158bf4ccf92b6 Mon Sep 17 00:00:00 2001
+From: Joerg Sonnenberger <joerg@bec.de>
+Date: Sat, 9 Sep 2017 17:47:32 +0200
+Subject: [PATCH] Avoid a read off-by-one error for UTF16 names in RAR
+ archives.
+
+Reported-By: OSS-Fuzz issue 573
+---
+ libarchive/archive_read_support_format_rar.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index cbb14c32..751de697 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -1496,7 +1496,11 @@ read_header(struct archive_read *a, struct archive_entry *entry,
+         return (ARCHIVE_FATAL);
+       }
+       filename[filename_size++] = '\0';
+-      filename[filename_size++] = '\0';
++      /*
++       * Do not increment filename_size here as the computations below
++       * add the space for the terminating NUL explicitly.
++       */
++      filename[filename_size] = '\0';
+ 
+       /* Decoded unicode form is UTF-16BE, so we have to update a string
+        * conversion object for it. */
+-- 
+2.15.1
+
diff --git a/gnu/packages/patches/libexif-CVE-2017-7544.patch b/gnu/packages/patches/libexif-CVE-2017-7544.patch
new file mode 100644
index 0000000000..c4ea373dc5
--- /dev/null
+++ b/gnu/packages/patches/libexif-CVE-2017-7544.patch
@@ -0,0 +1,29 @@
+Fix CVE-2017-7544:
+
+https://sourceforge.net/p/libexif/bugs/130/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7544
+
+Patch copied from upstream bug tracker:
+
+https://sourceforge.net/p/libexif/bugs/130/#489a
+
+Index: libexif/exif-data.c
+===================================================================
+RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v
+retrieving revision 1.131
+diff -u -r1.131 exif-data.c
+--- a/libexif/exif-data.c	12 Jul 2012 17:28:26 -0000	1.131
++++ b/libexif/exif-data.c	25 Jul 2017 21:34:06 -0000
+@@ -255,6 +255,12 @@
+ 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+ 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+ 			e->components = e->size;
++			if (exif_format_get_size (e->format) != 1) {
++				/* e->format is taken from input code,
++				 * but we need to make sure it is a 1 byte
++				 * entity due to the multiplication below. */
++				e->format = EXIF_FORMAT_UNDEFINED;
++			}
+ 		}
+ 	}
+ 
diff --git a/gnu/packages/patches/links-CVE-2017-11114.patch b/gnu/packages/patches/links-CVE-2017-11114.patch
new file mode 100644
index 0000000000..c5ac9884b5
--- /dev/null
+++ b/gnu/packages/patches/links-CVE-2017-11114.patch
@@ -0,0 +1,99 @@
+Fix CVE-2017-11114:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11114
+http://seclists.org/fulldisclosure/2017/Jul/76
+
+Patch copied from Debian:
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870299#12
+
+Origin: upstream, commit: fee5dca79a93a37024e494b985386a5fe60bc1b7
+Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870299#12
+Author: Mikulas Patocka <mikulas@twibright.com>
+Date:   Wed Aug 2 20:13:29 2017 +0200
+Subject: Fix read out of memory in case of corrupted UTF-8 data
+
+---
+ charsets.c |   37 +------------------------------------
+ links.h    |    9 ++++-----
+ 2 files changed, 5 insertions(+), 41 deletions(-)
+
+Index: links-2.14/charsets.c
+===================================================================
+--- links-2.14.orig/charsets.c
++++ links-2.14/charsets.c
+@@ -215,41 +215,6 @@ static struct conv_table *get_translatio
+ 	return utf_table;
+ }
+ 
+-unsigned short int utf8_2_uni_table[0x200] = {
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 128,	0, 0, 0, 192,	0,
+-	0, 0, 256,	0, 0, 0, 320,	0, 0, 0, 384,	0, 0, 0, 448,	0,
+-	0, 0, 512,	0, 0, 0, 576,	0, 0, 0, 640,	0, 0, 0, 704,	0,
+-	0, 0, 768,	0, 0, 0, 832,	0, 0, 0, 896,	0, 0, 0, 960,	0,
+-	0, 0, 1024,	0, 0, 0, 1088,	0, 0, 0, 1152,	0, 0, 0, 1216,	0,
+-	0, 0, 1280,	0, 0, 0, 1344,	0, 0, 0, 1408,	0, 0, 0, 1472,	0,
+-	0, 0, 1536,	0, 0, 0, 1600,	0, 0, 0, 1664,	0, 0, 0, 1728,	0,
+-	0, 0, 1792,	0, 0, 0, 1856,	0, 0, 0, 1920,	0, 0, 0, 1984,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-	0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0, 0, 0, 0,	0,
+-};
+-
+ unsigned char utf_8_1[256] = {
+ 	6, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
+ 	7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
+@@ -269,7 +234,7 @@ unsigned char utf_8_1[256] = {
+ 	3, 3, 3, 3, 3, 3, 3, 3, 2, 2, 2, 2, 1, 1, 6, 6,
+ };
+ 
+-static_const unsigned min_utf_8[9] = {
++static_const unsigned min_utf_8[8] = {
+ 	0, 0x4000000, 0x200000, 0x10000, 0x800, 0x80, 0x100, 0x1,
+ };
+ 
+Index: links-2.14/links.h
+===================================================================
+--- links-2.14.orig/links.h
++++ links-2.14/links.h
+@@ -3906,15 +3906,14 @@ unsigned char *cp_strchr(int charset, un
+ void init_charset(void);
+ 
+ unsigned get_utf_8(unsigned char **p);
+-extern unsigned short int utf8_2_uni_table[0x200];
+ #define GET_UTF_8(s, c)							\
+ do {									\
+ 	if ((unsigned char)(s)[0] < 0x80)				\
+ 		(c) = (s)++[0];						\
+-	else if (((c) = utf8_2_uni_table[((unsigned char)(s)[0] << 2) +	\
+-				((unsigned char)(s)[1] >> 6) - 0x200]))	\
+-		(c) += (unsigned char)(s)[1] & 0x3f, (s) += 2;		\
+-	else								\
++	else if ((unsigned char)(s)[0] >= 0xc2 && (unsigned char)(s)[0] < 0xe0 &&\
++	         ((unsigned char)(s)[1] & 0xc0) == 0x80) {		\
++		(c) = (unsigned char)(s)[0] * 0x40 + (unsigned char)(s)[1], (c) -= 0x3080, (s) += 2;\
++	} else								\
+ 		(c) = get_utf_8(&(s));					\
+ } while (0)
+ #define FWD_UTF_8(s)							\
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14685.patch b/gnu/packages/patches/mupdf-CVE-2017-14685.patch
deleted file mode 100644
index 3fcce5fedf..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2017-14685.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Fix CVE-2017-14685:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14685
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=mupdf.git;h=ab1a420613dec93c686acbee2c165274e922f82a
-
-From ab1a420613dec93c686acbee2c165274e922f82a Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Tue, 19 Sep 2017 15:23:04 +0200
-Subject: [PATCH] Fix 698539: Don't use xps font if it could not be loaded.
-
-xps_load_links_in_glyphs did not cope with font loading failures.
----
- source/xps/xps-link.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/source/xps/xps-link.c b/source/xps/xps-link.c
-index c07e0d7..c26a8d9 100644
---- a/source/xps/xps-link.c
-+++ b/source/xps/xps-link.c
-@@ -91,6 +91,8 @@ xps_load_links_in_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ct
- 			bidi_level = atoi(bidi_level_att);
- 
- 		font = xps_lookup_font(ctx, doc, base_uri, font_uri_att, style_att);
-+		if (!font)
-+			return;
- 		text = xps_parse_glyphs_imp(ctx, doc, &local_ctm, font, fz_atof(font_size_att),
- 				fz_atof(origin_x_att), fz_atof(origin_y_att),
- 				is_sideways, bidi_level, indices_att, unicode_att);
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14686.patch b/gnu/packages/patches/mupdf-CVE-2017-14686.patch
deleted file mode 100644
index e462a6ffeb..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2017-14686.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Fix CVE-2017-14686:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14686
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
-
-From 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Tue, 19 Sep 2017 16:33:38 +0200
-Subject: [PATCH] Fix 698540: Check name, comment and meta size field signs.
-
----
- source/fitz/unzip.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source/fitz/unzip.c b/source/fitz/unzip.c
-index f2d4f32..0bcce0f 100644
---- a/source/fitz/unzip.c
-+++ b/source/fitz/unzip.c
-@@ -141,6 +141,9 @@ static void read_zip_dir_imp(fz_context *ctx, fz_zip_archive *zip, int start_off
- 		(void) fz_read_int32_le(ctx, file); /* ext file atts */
- 		offset = fz_read_int32_le(ctx, file);
- 
-+		if (namesize < 0 || metasize < 0 || commentsize < 0)
-+			fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry");
-+
- 		name = fz_malloc(ctx, namesize + 1);
- 		n = fz_read(ctx, file, (unsigned char*)name, namesize);
- 		if (n < (size_t)namesize)
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/mupdf-CVE-2017-14687.patch b/gnu/packages/patches/mupdf-CVE-2017-14687.patch
deleted file mode 100644
index cdc41df813..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2017-14687.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-Fix CVE-2017-14687:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14687
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28
-
-From 2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Tue, 19 Sep 2017 17:17:12 +0200
-Subject: [PATCH] Fix 698558: Handle non-tags in tag name comparisons.
-
-Use fz_xml_is_tag instead of fz_xml_tag && !strcmp idiom.
----
- source/html/css-apply.c   | 2 +-
- source/svg/svg-run.c      | 2 +-
- source/xps/xps-common.c   | 6 +++---
- source/xps/xps-glyphs.c   | 2 +-
- source/xps/xps-path.c     | 4 ++--
- source/xps/xps-resource.c | 2 +-
- 6 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/source/html/css-apply.c b/source/html/css-apply.c
-index de55490..6a91df0 100644
---- a/source/html/css-apply.c
-+++ b/source/html/css-apply.c
-@@ -328,7 +328,7 @@ match_selector(fz_css_selector *sel, fz_xml *node)
- 
- 	if (sel->name)
- 	{
--		if (strcmp(sel->name, fz_xml_tag(node)))
-+		if (!fz_xml_is_tag(node, sel->name))
- 			return 0;
- 	}
- 
-diff --git a/source/svg/svg-run.c b/source/svg/svg-run.c
-index f974c67..5302c64 100644
---- a/source/svg/svg-run.c
-+++ b/source/svg/svg-run.c
-@@ -1044,7 +1044,7 @@ svg_run_use(fz_context *ctx, fz_device *dev, svg_document *doc, fz_xml *root, co
- 		fz_xml *linked = fz_tree_lookup(ctx, doc->idmap, xlink_href_att + 1);
- 		if (linked)
- 		{
--			if (!strcmp(fz_xml_tag(linked), "symbol"))
-+			if (fz_xml_is_tag(linked, "symbol"))
- 				svg_run_use_symbol(ctx, dev, doc, root, linked, &local_state);
- 			else
- 				svg_run_element(ctx, dev, doc, linked, &local_state);
-diff --git a/source/xps/xps-common.c b/source/xps/xps-common.c
-index cc7fed9..f2f9b93 100644
---- a/source/xps/xps-common.c
-+++ b/source/xps/xps-common.c
-@@ -47,7 +47,7 @@ xps_parse_brush(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, const
- 	else if (fz_xml_is_tag(node, "RadialGradientBrush"))
- 		xps_parse_radial_gradient_brush(ctx, doc, ctm, area, base_uri, dict, node);
- 	else
--		fz_warn(ctx, "unknown brush tag: %s", fz_xml_tag(node));
-+		fz_warn(ctx, "unknown brush tag");
- }
- 
- void
-@@ -85,7 +85,7 @@ xps_begin_opacity(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, cons
- 	if (opacity_att)
- 		opacity = fz_atof(opacity_att);
- 
--	if (opacity_mask_tag && !strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
-+	if (fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
- 	{
- 		char *scb_opacity_att = fz_xml_att(opacity_mask_tag, "Opacity");
- 		char *scb_color_att = fz_xml_att(opacity_mask_tag, "Color");
-@@ -129,7 +129,7 @@ xps_end_opacity(fz_context *ctx, xps_document *doc, char *base_uri, xps_resource
- 
- 	if (opacity_mask_tag)
- 	{
--		if (strcmp(fz_xml_tag(opacity_mask_tag), "SolidColorBrush"))
-+		if (!fz_xml_is_tag(opacity_mask_tag, "SolidColorBrush"))
- 			fz_pop_clip(ctx, dev);
- 	}
- }
-diff --git a/source/xps/xps-glyphs.c b/source/xps/xps-glyphs.c
-index 29dc5b3..5b26d78 100644
---- a/source/xps/xps-glyphs.c
-+++ b/source/xps/xps-glyphs.c
-@@ -592,7 +592,7 @@ xps_parse_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ctm,
- 
- 	/* If it's a solid color brush fill/stroke do a simple fill */
- 
--	if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
-+	if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
- 	{
- 		fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
- 		fill_att = fz_xml_att(fill_tag, "Color");
-diff --git a/source/xps/xps-path.c b/source/xps/xps-path.c
-index 6faeb0c..021d202 100644
---- a/source/xps/xps-path.c
-+++ b/source/xps/xps-path.c
-@@ -879,14 +879,14 @@ xps_parse_path(fz_context *ctx, xps_document *doc, const fz_matrix *ctm, char *b
- 	if (!data_att && !data_tag)
- 		return;
- 
--	if (fill_tag && !strcmp(fz_xml_tag(fill_tag), "SolidColorBrush"))
-+	if (fz_xml_is_tag(fill_tag, "SolidColorBrush"))
- 	{
- 		fill_opacity_att = fz_xml_att(fill_tag, "Opacity");
- 		fill_att = fz_xml_att(fill_tag, "Color");
- 		fill_tag = NULL;
- 	}
- 
--	if (stroke_tag && !strcmp(fz_xml_tag(stroke_tag), "SolidColorBrush"))
-+	if (fz_xml_is_tag(stroke_tag, "SolidColorBrush"))
- 	{
- 		stroke_opacity_att = fz_xml_att(stroke_tag, "Opacity");
- 		stroke_att = fz_xml_att(stroke_tag, "Color");
-diff --git a/source/xps/xps-resource.c b/source/xps/xps-resource.c
-index c2292e6..8e81ab8 100644
---- a/source/xps/xps-resource.c
-+++ b/source/xps/xps-resource.c
-@@ -84,7 +84,7 @@ xps_parse_remote_resource_dictionary(fz_context *ctx, xps_document *doc, char *b
- 	if (!xml)
- 		return NULL;
- 
--	if (strcmp(fz_xml_tag(xml), "ResourceDictionary"))
-+	if (!fz_xml_is_tag(xml, "ResourceDictionary"))
- 	{
- 		fz_drop_xml(ctx, xml);
- 		fz_throw(ctx, FZ_ERROR_GENERIC, "expected ResourceDictionary element");
--- 
-2.9.1
-
diff --git a/gnu/packages/patches/mupdf-CVE-2017-15587.patch b/gnu/packages/patches/mupdf-CVE-2017-15587.patch
deleted file mode 100644
index 7d24666756..0000000000
--- a/gnu/packages/patches/mupdf-CVE-2017-15587.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Fix CVE-2017-15587.
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15587
-https://nandynarwhals.org/CVE-2017-15587/
-
-This patch is these two upstream commits squashed together:
-<https://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8>
-<https://git.ghostscript.com/?p=mupdf.git;h=d18bc728e46c5a5708f14d27c2b6c44e1d0c3232>
-
-diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
-index 66bd0ed8..89499e61 100644
---- a/source/pdf/pdf-xref.c
-+++ b/source/pdf/pdf-xref.c
-@@ -924,7 +924,7 @@ pdf_read_new_xref_section(fz_context *ctx, pdf_document *doc, fz_stream *stm, fz
- 	pdf_xref_entry *table;
- 	int i, n;
- 
--	if (i0 < 0 || i1 < 0)
-+	if (i0 < 0 || i1 < 0 || i0 > INT_MAX - i1)
- 		fz_throw(ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
- 	//if (i0 + i1 > pdf_xref_len(ctx, doc))
- 	//	fz_throw(ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
--- 
-2.15.0
-
diff --git a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch b/gnu/packages/patches/mupdf-build-with-latest-openjpeg.patch
index 0b5b735ff3..d5c9c60242 100644
--- a/gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch
+++ b/gnu/packages/patches/mupdf-build-with-latest-openjpeg.patch
@@ -1,4 +1,4 @@
-Make it possible to build MuPDF with OpenJPEG 2.1, which is the latest
+Make it possible to build MuPDF with OpenJPEG 2.3, which is the latest
 release series and contains many important bug fixes.
 
 Patch adapted from Debian:
@@ -10,16 +10,16 @@ And related to this upstream commit:
 http://git.ghostscript.com/?p=mupdf.git;a=commit;h=f88bfe2e62dbadb96d4f52d7aa025f0a516078da
 
 diff --git a/source/fitz/load-jpx.c b/source/fitz/load-jpx.c
-index 6b92e5c..72dea50 100644
+index 65699ba..ea84778 100644
 --- a/source/fitz/load-jpx.c
 +++ b/source/fitz/load-jpx.c
-@@ -444,11 +444,6 @@
+@@ -445,11 +445,6 @@ fz_load_jpx_info(fz_context *ctx, const unsigned char *data, size_t size, int *w
  
  #else /* HAVE_LURATECH */
  
 -#define OPJ_STATIC
 -#define OPJ_HAVE_INTTYPES_H
--#if !defined(_WIN32) && !defined(_WIN64)
+-#if !defined(_MSC_VER) || _MSC_VER >= 1600
 -#define OPJ_HAVE_STDINT_H
 -#endif
  #define USE_JPIP
diff --git a/gnu/packages/patches/xboing-CVE-2004-0149.patch b/gnu/packages/patches/xboing-CVE-2004-0149.patch
new file mode 100644
index 0000000000..b40146b434
--- /dev/null
+++ b/gnu/packages/patches/xboing-CVE-2004-0149.patch
@@ -0,0 +1,134 @@
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0149
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174924
+---
+ demo.c      |  2 +-
+ editor.c    | 12 ++++++------
+ file.c      |  2 +-
+ highscore.c |  6 +++---
+ misc.c      |  2 +-
+ preview.c   |  2 +-
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/demo.c b/demo.c
+index 9084e70..f4fc2cd 100644
+--- a/demo.c
++++ b/demo.c
+@@ -154,7 +154,7 @@ static void DoBlocks(display, window)
+ 
+     /* Construct the demo level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/demo.data", str);
++        snprintf(levelPath, sizeof(levelPath),"%s/demo.data", str);
+     else
+         sprintf(levelPath, "%s/demo.data", LEVEL_INSTALL_DIR);
+ 
+diff --git a/editor.c b/editor.c
+index f2bb9ed..66d0679 100644
+--- a/editor.c
++++ b/editor.c
+@@ -213,7 +213,7 @@ static void DoLoadLevel(display, window)
+ 
+     /* Construct the Edit level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/editor.data", str);
++        snprintf(levelPath,sizeof(levelPath)-1, "%s/editor.data", str);
+     else
+         sprintf(levelPath, "%s/editor.data", LEVEL_INSTALL_DIR);
+ 
+@@ -958,8 +958,8 @@ static void LoadALevel(display)
+     if ((num > 0) && (num <= MAX_NUM_LEVELS))
+     {
+ 	    /* Construct the Edit level filename */
+-   	 	if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        	sprintf(levelPath, "%s/level%02ld.data", str2, (u_long) num);
++        if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
++            snprintf(levelPath, sizeof(levelPath)-1,"%s/level%02ld.data", str2, (u_long) num);
+     	else
+         	sprintf(levelPath, "%s/level%02ld.data", 
+ 				LEVEL_INSTALL_DIR, (u_long) num);
+@@ -1017,9 +1017,9 @@ static void SaveALevel(display)
+     num = atoi(str);
+     if ((num > 0) && (num <= MAX_NUM_LEVELS))
+     {
+-	    /* Construct the Edit level filename */
+-   	 	if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        	sprintf(levelPath, "%s/level%02ld.data", str2, (u_long) num);
++        /* Construct the Edit level filename */
++        if ((str2 = getenv("XBOING_LEVELS_DIR")) != NULL)
++            snprintf(levelPath, sizeof(levelPath)-1,"%s/level%02ld.data", str2, (u_long) num);
+     	else
+         	sprintf(levelPath, "%s/level%02ld.data", 
+ 				LEVEL_INSTALL_DIR, (u_long) num);
+diff --git a/file.c b/file.c
+index 4c043cd..99a0854 100644
+--- a/file.c
++++ b/file.c
+@@ -139,7 +139,7 @@ void SetupStage(display, window)
+ 
+     /* Construct the level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/level%02ld.data", str, newLevel);
++        snprintf(levelPath,sizeof(levelPath), "%s/level%02ld.data", str, newLevel);
+     else
+         sprintf(levelPath, "%s/level%02ld.data", LEVEL_INSTALL_DIR, newLevel);
+ 
+diff --git a/highscore.c b/highscore.c
+index f0db3e9..792273e 100644
+--- a/highscore.c
++++ b/highscore.c
+@@ -1023,7 +1023,7 @@ int ReadHighScoreTable(type)
+ 	{
+ 		/* Use the environment variable if it exists */
+ 		if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
+-			strcpy(filename, str);
++            strncpy(filename, str, sizeof(filename)-1);
+ 		else
+ 			strcpy(filename, HIGH_SCORE_FILE);
+ 	}
+@@ -1095,7 +1095,7 @@ int WriteHighScoreTable(type)
+ 	{
+ 		/* Use the environment variable if it exists */
+ 		if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
+-			strcpy(filename, str);
++            strncpy(filename, str, sizeof(filename)-1);
+ 		else
+ 			strcpy(filename, HIGH_SCORE_FILE);
+ 	}	
+@@ -1218,7 +1218,7 @@ static int LockUnlock(cmd)
+ 
+ 	/* Use the environment variable if it exists */
+ 	if ((str = getenv("XBOING_SCORE_FILE")) != NULL)
+-		strcpy(filename, str);
++        strncpy(filename, str, sizeof(filename)-1);
+ 	else
+ 		strcpy(filename, HIGH_SCORE_FILE);
+ 
+diff --git a/misc.c b/misc.c
+index f3ab37e..7f3ddce 100644
+--- a/misc.c
++++ b/misc.c
+@@ -427,7 +427,7 @@ char *GetHomeDir()
+      */
+ 
+     if ((ptr = getenv("HOME")) != NULL)
+-        (void) strcpy(dest, ptr);
++        (void) strncpy(dest, ptr,sizeof(dest)-1);
+     else
+     {
+         /* HOME variable is not present so get USER var */
+diff --git a/preview.c b/preview.c
+index 41c1187..687f566 100644
+--- a/preview.c
++++ b/preview.c
+@@ -139,7 +139,7 @@ static void DoLoadLevel(display, window)
+ 
+     /* Construct the Preview level filename */
+     if ((str = getenv("XBOING_LEVELS_DIR")) != NULL)
+-        sprintf(levelPath, "%s/level%02d.data", str, lnum);
++        snprintf(levelPath, sizeof(levelPath)-1, "%s/level%02d.data", str, lnum);
+     else
+         sprintf(levelPath, "%s/level%02d.data", LEVEL_INSTALL_DIR, lnum);
+ 
+-- 
+2.15.1
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 43c832c6dd..6f5df68ece 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -555,25 +555,22 @@ extracting content or merging files.")
 (define-public mupdf
   (package
     (name "mupdf")
-    (version "1.11")
+    (version "1.12.0")
     (source
       (origin
         (method url-fetch)
         (uri (string-append "https://mupdf.com/downloads/archive/"
-                            name "-" version "-source.tar.gz"))
+                            name "-" version "-source.tar.xz"))
+        (patches (search-patches "mupdf-build-with-latest-openjpeg.patch"))
         (sha256
          (base32
-          "02phamcchgsmvjnb3ir7r5sssvx9fcrscn297z73b82n1jl79510"))
-        (patches (search-patches "mupdf-build-with-openjpeg-2.1.patch"
-                                 "mupdf-CVE-2017-14685.patch"
-                                 "mupdf-CVE-2017-14686.patch"
-                                 "mupdf-CVE-2017-14687.patch"
-                                 "mupdf-CVE-2017-15587.patch"))
+          "0b9j0gqbc3jhmx87r6idcsh8lnb30840c3hyx6dk2gdjqqh3hysp"))
         (modules '((guix build utils)))
         (snippet '(delete-file-recursively "thirdparty"))))
     (build-system gnu-build-system)
     (inputs
       `(("curl" ,curl)
+        ("freeglut" ,freeglut)
         ("freetype" ,freetype)
         ("harfbuzz" ,harfbuzz)
         ("jbig2dec" ,jbig2dec)
diff --git a/gnu/packages/perl-check.scm b/gnu/packages/perl-check.scm
index b1d1f08150..5df2940bd6 100644
--- a/gnu/packages/perl-check.scm
+++ b/gnu/packages/perl-check.scm
@@ -869,6 +869,30 @@ checks for pod coverage of all appropriate files.")
 If this fails, then rather than failing tests this skips all tests.")
     (license perl-license)))
 
+(define-public perl-test-requiresinternet
+  (package
+    (name "perl-test-requiresinternet")
+    (version "0.05")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append
+             "mirror://cpan/authors/id/M/MA/MALLEN/Test-RequiresInternet-"
+             version
+             ".tar.gz"))
+       (sha256
+        (base32
+         "0gl33vpj9bb78pzyijp884b66sbw6jkh1ci0xki8rmf03hmb79xv"))))
+    (build-system perl-build-system)
+    (home-page "http://search.cpan.org/dist/Test-RequiresInternet/")
+    (synopsis "Easily test network connectivity when running tests")
+    (description
+     "This Perl module is intended to easily test network connectivity to
+non-local Internet resources before functional tests begin.  If the sockets
+cannot connect to the specified hosts and ports, the exception is caught and
+reported, and the tests skipped.")
+    (license perl-license)))
+
 (define-public perl-test-script
   (package
     (name "perl-test-script")
diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
index 94174cc392..8c3f34ea6b 100644
--- a/gnu/packages/photo.scm
+++ b/gnu/packages/photo.scm
@@ -28,6 +28,7 @@
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix utils)
+  #:use-module (gnu packages)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages base)
@@ -89,6 +90,7 @@ cameras (CRW/CR2, NEF, RAF, DNG, and others).")
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/libexif/libexif/"
                                   version "/libexif-" version ".tar.bz2"))
+              (patches (search-patches "libexif-CVE-2017-7544.patch"))
               (sha256
                (base32
                 "06nlsibr3ylfwp28w8f5466l6drgrnydgxrm4jmxzrmk5svaxk8n"))))
diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm
index 37aa43e2c4..b2a2d84d00 100644
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@@ -12045,3 +12045,30 @@ belong to tagged versions.")
      "BooleanOperations provides a Python library that enables
 boolean operations on paths.")
     (license license:expat)))
+
+(define-public python-tempdir
+  (package
+    (name "python-tempdir")
+    (version "0.7.1")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (pypi-uri "tempdir" version))
+       (sha256
+        (base32
+         "13msyyxqbicr111a294x7fsqbkl6a31fyrqflx3q7k547gnq15k8"))))
+    (build-system python-build-system)
+    (home-page "https://pypi.org/project/tempdir/")
+    (arguments
+     ;; the package has no tests
+     '(#:tests? #f))
+    (synopsis "Python library for managing temporary directories")
+    (description
+     "This library manages temporary directories that are automatically
+deleted with all their contents when they are no longer needed.  It is
+particularly convenient for use in tests.")
+    (license license:expat)))
+
+(define-public python2-tempdir
+  (package-with-python2 python-tempdir))
+
diff --git a/gnu/packages/security-token.scm b/gnu/packages/security-token.scm
index 7c6b957411..7ce531bb6d 100644
--- a/gnu/packages/security-token.scm
+++ b/gnu/packages/security-token.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
diff --git a/gnu/packages/statistics.scm b/gnu/packages/statistics.scm
index d4d9c0e786..7c6ca70314 100644
--- a/gnu/packages/statistics.scm
+++ b/gnu/packages/statistics.scm
@@ -703,13 +703,13 @@ effects of different types of color-blindness.")
 (define-public r-digest
   (package
     (name "r-digest")
-    (version "0.6.12")
+    (version "0.6.13")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "digest" version))
        (sha256
-        (base32 "1awy9phxdvqnadby7rvwy2hkbrj210bqf4xvi27asdq028zlcyd4"))))
+        (base32 "1bsgl07bvf4nk6bn7n3l2ilvk4qvn3nk7yxp22miil7x405xdks6"))))
     (build-system r-build-system)
     ;; Vignettes require r-knitr, which requires r-digest, so we have to
     ;; disable them and the tests.
@@ -988,13 +988,13 @@ the input of another.")
 (define-public r-reshape2
   (package
     (name "r-reshape2")
-    (version "1.4.2")
+    (version "1.4.3")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "reshape2" version))
        (sha256
-        (base32 "0swvjmc9f8cvkrsz463cp6snd8bncbv6q8yrfrb4rgkr0dhq6dvd"))))
+        (base32 "03ki5ka1dj208fc0dclbm0b4xp9d769pah2j9cs34l776p4r9zwa"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-plyr" ,r-plyr)
@@ -1328,13 +1328,13 @@ syntax that can be converted to XHTML or other formats.")
 (define-public r-yaml
   (package
     (name "r-yaml")
-    (version "2.1.14")
+    (version "2.1.16")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "yaml" version))
               (sha256
                (base32
-                "0x88xicrf7vwp77xgan27mnpdljhpkn0pz5kphnwqi3ddy25k9a1"))))
+                "1xlsmqal607w6c9rx86061y1fwpbyd5lqp9bad5n7cc9a0blpnkm"))))
     (build-system r-build-system)
     (home-page "https://cran.r-project.org/web/packages/yaml/")
     (synopsis "Methods to convert R data to YAML and back")
@@ -1502,20 +1502,23 @@ R packages that praise their users.")
 (define-public r-testthat
   (package
     (name "r-testthat")
-    (version "1.0.2")
+    (version "2.0.0")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "testthat" version))
               (sha256
                (base32
-                "0pj1r01x4ny4capr83dfa19hi5i2sjjxky99schzip8zrq5dzxqf"))))
+                "155l53kb69jga5d8c5nvdwqlvlgfmk4vzyyl4d0108j53jnlgh1v"))))
     (build-system r-build-system)
     (propagated-inputs
-     `(("r-digest" ,r-digest)
+     `(("r-cli" ,r-cli)
        ("r-crayon" ,r-crayon)
+       ("r-digest" ,r-digest)
        ("r-magrittr" ,r-magrittr)
        ("r-praise" ,r-praise)
-       ("r-r6" ,r-r6)))
+       ("r-r6" ,r-r6)
+       ("r-rlang" ,r-rlang)
+       ("r-withr" ,r-withr)))
     (home-page "https://github.com/hadley/testthat")
     (synopsis "Unit testing for R")
     (description
@@ -1898,15 +1901,17 @@ chain.")
 (define-public r-ade4
   (package
     (name "r-ade4")
-    (version "1.7-8")
+    (version "1.7-10")
     (source
       (origin
         (method url-fetch)
         (uri (cran-uri "ade4" version))
         (sha256
           (base32
-            "1a5p3wf8l9cp1bjp57b1pc5bqs39kw1v21i4waj9j18wawzlmpb6"))))
+            "0zk81x0yn30gbyc0jpzyw1nxd08ccihl6vyk0ijvj3aw3nr5flc6"))))
     (build-system r-build-system)
+    (propagated-inputs
+     `(("r-mass" ,r-mass)))
     (home-page "http://pbil.univ-lyon1.fr/ADE-4")
     (synopsis "Multivariate data analysis and graphical display")
     (description
@@ -2007,14 +2012,14 @@ limited to R.")
 (define-public r-backports
   (package
     (name "r-backports")
-    (version "1.1.1")
+    (version "1.1.2")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "backports" version))
        (sha256
         (base32
-         "15w8psmv203wzijrk4hvwaw3i4byh2m5s09yrkqwhfckhaj82kj9"))))
+         "0mml9h3xagi7144pyb3jj9zbh9qzns7izkhdg7df20v7bikr6nz8"))))
     (build-system r-build-system)
     (home-page "http://cran.r-project.org/web/packages/backports")
     (synopsis "Reimplementations of functions introduced since R 3.0.0")
@@ -2278,13 +2283,13 @@ functions make it easy to control additional request components.")
 (define-public r-git2r
   (package
     (name "r-git2r")
-    (version "0.19.0")
+    (version "0.20.0")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "git2r" version))
               (sha256
                (base32
-                "0ws6fbndmaafk2am4dwnz24qizxhld0yh54hgx0z6lzv3p1j209q"))))
+                "1pqggijvsalb5cc2pr5gwfj3s713s63f4xii1xrd0qagfgbgz846"))))
     (build-system r-build-system)
     ;; This R package contains modified sources of libgit2.  This modified
     ;; version of libgit2 is built as the package is built.  Hence libgit2 is
@@ -2415,13 +2420,13 @@ disk (or a connection).")
 (define-public r-plotrix
   (package
     (name "r-plotrix")
-    (version "3.6-6")
+    (version "3.7")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "plotrix" version))
               (sha256
                (base32
-                "07hywp3ym0gbpqdj3f4vhr0bhmynhby8vh6p1b9cm2hv26pzs9q4"))))
+                "0rw81n9p3d2i03b4pgcfj5blryc94f29bm9a4j9bnp5h8qjj6pry"))))
     (build-system r-build-system)
     (home-page "http://cran.r-project.org/web/packages/plotrix")
     (synopsis "Various plotting functions")
@@ -2474,13 +2479,13 @@ well as additional utilities such as panel and axis annotation functions.")
 (define-public r-rcpparmadillo
   (package
     (name "r-rcpparmadillo")
-    (version "0.8.100.1.0")
+    (version "0.8.300.1.0")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "RcppArmadillo" version))
               (sha256
                (base32
-                "19sghlkslz6llcrjk5pd8c6dsb338jsi4dnwrbbrjkfq6jdr5jlp"))))
+                "0p6cbnwxgzigf7n5qhqvxdr3nd3pq3c2qq6pskqz7avzf813fy83"))))
     (properties `((upstream-name . "RcppArmadillo")))
     (build-system r-build-system)
     (native-inputs
@@ -2545,14 +2550,14 @@ encoder/decoder, round-off-error-free sum and cumsum, etc.")
 (define-public r-rprojroot
   (package
     (name "r-rprojroot")
-    (version "1.2")
+    (version "1.3-1")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "rprojroot" version))
        (sha256
         (base32
-         "1fgyxv1zv04sllcclzz089xl6hpdzac7xk61l0l4acb7rqsx5d18"))))
+         "1jigr2jh3hzy35h94im52yq81lyikw7nfvmbxij84a1b9c32r332"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-backports" ,r-backports)))
@@ -2859,14 +2864,14 @@ statements.")
 (define-public r-segmented
   (package
     (name "r-segmented")
-    (version "0.5-2.2")
+    (version "0.5-3.0")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "segmented" version))
        (sha256
         (base32
-         "1wdjxkgqjqw5q2nywmgkf6y21lb0alhvaqg0m0dr2xyxf1ii79rs"))))
+         "0nrik5fyq59hwiwjcpbi4p5yfavgfjq6wyrynhkrbm4k6v1g1wlq"))))
     (build-system r-build-system)
     (home-page "http://cran.r-project.org/web/packages/segmented")
     (synopsis "Regression models with breakpoints estimation")
@@ -2923,14 +2928,14 @@ standard R subsetting and Kronecker products.")
 (define-public r-iterators
   (package
     (name "r-iterators")
-    (version "1.0.8")
+    (version "1.0.9")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "iterators" version))
        (sha256
         (base32
-         "1f057pabs7ss9h1n244can26qsi5n2k3salrdk0b0vkphlrs4kmf"))))
+         "16sycjq912ix52fjxjhcwiaqr0yj1v5iqmrvjljd3z857031w06y"))))
     (build-system r-build-system)
     (home-page "http://cran.r-project.org/web/packages/iterators")
     (synopsis "Iterator construct for R")
@@ -3144,14 +3149,14 @@ options and registries, vignette, unit test and bibtex related utilities.")
  (define-public r-registry
    (package
      (name "r-registry")
-     (version "0.3")
+     (version "0.5")
      (source
       (origin
         (method url-fetch)
         (uri (cran-uri "registry" version))
         (sha256
          (base32
-          "0c7lscfxncwwd8zp46h2xfw9gw14dypqv6m2kx85xjhjh0xw99aq"))))
+          "1yqfl1g6vsl28zn8brzc39659k8lqsmfms7900j7p64ilydyb2sx"))))
      (build-system r-build-system)
      (home-page "http://cran.r-project.org/web/packages/registry")
      (synopsis "Infrastructure for R package registries")
@@ -4394,14 +4399,14 @@ Farebrother's algorithm or Liu et al.'s algorithm.")
 (define-public r-cowplot
   (package
     (name "r-cowplot")
-    (version "0.9.1")
+    (version "0.9.2")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "cowplot" version))
        (sha256
         (base32
-         "0iq0wsi7467cj8hqml06whk3xsiv89x8dvm9ynwp411pzzbdjgwm"))))
+         "13yjw7yv7imyqiawqqp304hkp6x36iv6rf6gn03dwzwkj9zwx4lb"))))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-ggplot2" ,r-ggplot2)
diff --git a/gnu/packages/textutils.scm b/gnu/packages/textutils.scm
index 674a3507d0..2fb1d1495e 100644
--- a/gnu/packages/textutils.scm
+++ b/gnu/packages/textutils.scm
@@ -388,7 +388,14 @@ regular expression object can be specified.")
                             (assoc-ref %outputs "out") "/share/antiword"))
        #:phases
        (modify-phases %standard-phases
-         (delete 'configure)
+         (replace 'configure
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Ensure that mapping files can be found in the actual package
+             ;; data directory.
+             (substitute* "antiword.h"
+               (("/usr/share/antiword")
+                (string-append (assoc-ref outputs "out") "/share/antiword")))
+             #t))
          (replace 'install
            (lambda* (#:key make-flags #:allow-other-keys)
              (zero? (apply system* "make" `("global_install" ,@make-flags))))))))
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 64ee404417..09e65d9037 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -459,14 +459,14 @@ required structures.")
 (define-public libressl
   (package
     (name "libressl")
-    (version "2.6.3")
+    (version "2.6.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://openbsd/LibreSSL/"
                                   name "-" version ".tar.gz"))
               (sha256
                (base32
-                "162wgzmg4zzqj5cxrsrmkfv1623dc4g8h3fsf1lvjw9i4sc6bbdf"))))
+                "07yi37a2ghsgj2b4w30q1s4d2inqnix7ika1m21y57p9z71212k3"))))
     (build-system gnu-build-system)
     (arguments
      ;; Do as if 'getentropy' was missing since older Linux kernels lack it
diff --git a/gnu/packages/web-browsers.scm b/gnu/packages/web-browsers.scm
index 385147c379..95d2878835 100644
--- a/gnu/packages/web-browsers.scm
+++ b/gnu/packages/web-browsers.scm
@@ -83,6 +83,7 @@ older or slower computers and embedded systems.")
               (method url-fetch)
               (uri (string-append "http://links.twibright.com/download/"
                                   name "-" version ".tar.bz2"))
+              (patches (search-patches "links-CVE-2017-11114.patch"))
               (sha256
                (base32
                 "1f24y83wa1vzzjq5kp857gjqdpnmf8pb29yw7fam0m8wxxw0c3gp"))))
diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 8eb4b885bd..f752cffded 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -3876,22 +3876,26 @@ applications.")
 (define-public r-htmltable
   (package
     (name "r-htmltable")
-    (version "1.9")
+    (version "1.11.0")
     (source
      (origin
        (method url-fetch)
        (uri (cran-uri "htmlTable" version))
        (sha256
         (base32
-         "0ciic1f4iczq14j81fg7kxibn65sy8z1zxkvk1yxnxxg6dzplj2v"))))
+         "0x0qrzx6igg5z8jh901d2a8g2idpm5f4frwp1m02910scifcrxwf"))))
     (properties `((upstream-name . "htmlTable")))
     (build-system r-build-system)
     (propagated-inputs
      `(("r-checkmate" ,r-checkmate)
+       ("r-dplyr" ,r-dplyr)
+       ("r-htmltools" ,r-htmltools)
        ("r-htmlwidgets" ,r-htmlwidgets)
        ("r-knitr" ,r-knitr)
        ("r-magrittr" ,r-magrittr)
-       ("r-stringr" ,r-stringr)))
+       ("r-rstudioapi" ,r-rstudioapi)
+       ("r-stringr" ,r-stringr)
+       ("r-tidyr" ,r-tidyr)))
     (home-page "http://gforge.se/packages/")
     (synopsis "Advanced tables for Markdown/HTML")
     (description
@@ -3907,13 +3911,13 @@ LaTeX.")
 (define-public r-curl
   (package
     (name "r-curl")
-    (version "3.0")
+    (version "3.1")
     (source (origin
               (method url-fetch)
               (uri (cran-uri "curl" version))
               (sha256
                (base32
-                "01m52jz2q38yc32xbnmpm48hck2xj9fyhxq262p04y67gjpf7y3v"))))
+                "15fbjya2xrf2k9hhvg3frisrram4yk5wlfz67zj1z8ahpsb2a3r7"))))
     (build-system r-build-system)
     (arguments
      `(#:phases
diff --git a/gnu/packages/webkit.scm b/gnu/packages/webkit.scm
index 89fe9102ed..e2d753aa3d 100644
--- a/gnu/packages/webkit.scm
+++ b/gnu/packages/webkit.scm
@@ -54,14 +54,14 @@
 (define-public webkitgtk
   (package
     (name "webkitgtk")
-    (version "2.18.3")
+    (version "2.18.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://www.webkitgtk.org/releases/"
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "17lgn7qwrwqxl1lgmq5icvzmna6aymx4c7al47rp0vvac7hj0m71"))))
+                "1f1j0r996l20cgkvbwpizn7d4yp58cy334b1pvn4kfb5c2dbpdl7"))))
     (build-system cmake-build-system)
     (arguments
      '(#:tests? #f ; no tests
diff --git a/gnu/packages/xfce.scm b/gnu/packages/xfce.scm
index 7668a1d380..bbe6ab4545 100644
--- a/gnu/packages/xfce.scm
+++ b/gnu/packages/xfce.scm
@@ -492,7 +492,10 @@ your system in categories, so you can quickly find and launch them.")
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
-       (list (string-append "--with-xsession-prefix=" %output))))
+       (list (string-append "--with-xsession-prefix=" %output))
+       ;; Disable icon cache update.
+       #:make-flags
+       '("gtk_update_icon_cache=true")))
     (native-inputs
      `(("pkg-config" ,pkg-config)
        ("intltool" ,intltool)))
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index ca5e996d6a..6fce328565 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -179,6 +179,15 @@ project (but it is usable outside of the Gnome platform).")
 based on libxml for XML parsing, tree manipulation and XPath support.")
     (license license:x11)))
 
+(define libxslt/fixed
+  (package
+    (inherit libxslt)
+    (source (origin
+              (inherit (package-source libxslt))
+              (patches (search-patches "libxslt-CVE-2016-4738.patch"
+                                       "libxslt-CVE-2017-5029.patch"
+                                       "libxslt-generated-ids.patch"))))))
+
 (define-public perl-graph-readwrite
   (package
     (name "perl-graph-readwrite")
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 5e08927af3..a3654fd4d3 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -516,6 +516,24 @@ stopped before 'kill' is called."
                           (call-with-output-file "/dev/urandom"
                             (lambda (urandom)
                               (dump-port seed urandom))))))
+
+                    ;; Try writing from /dev/hwrng into /dev/urandom.
+                    ;; It seems that the file /dev/hwrng always exists, even
+                    ;; when there is no hardware random number generator
+                    ;; available. So, we handle a failed read or any other error
+                    ;; reported by the operating system.
+                    (let ((buf (catch 'system-error
+                                 (lambda ()
+                                   (call-with-input-file "/dev/hwrng"
+                                     (lambda (hwrng)
+                                       (get-bytevector-n hwrng 512))))
+                                 ;; Silence is golden...
+                                 (const #f))))
+                      (when buf
+                        (call-with-output-file "/dev/urandom"
+                          (lambda (urandom)
+                            (put-bytevector urandom buf)))))
+
                     ;; Immediately refresh the seed in case the system doesn't
                     ;; shut down cleanly.
                     (call-with-input-file "/dev/urandom"
diff --git a/gnu/tests/web.scm b/gnu/tests/web.scm
index f1214fb5fd..336f25b3c7 100644
--- a/gnu/tests/web.scm
+++ b/gnu/tests/web.scm
@@ -154,7 +154,7 @@ echo(\"Computed by php:\".((string)(2+3)));
          (root "/srv")
          (locations
           (list (nginx-php-location)))
-         (listen "8042")
+         (listen '("8042"))
          (ssl-certificate #f)
          (ssl-certificate-key #f))))
 
diff --git a/guix/upstream.scm b/guix/upstream.scm
index 0fe3308876..caaa0e44e4 100644
--- a/guix/upstream.scm
+++ b/guix/upstream.scm
@@ -278,7 +278,13 @@ and 'interactive' (default)."
                    ((archive-type)
                     (match (and=> (package-source package) origin-uri)
                       ((? string? uri)
-                       (file-extension (basename uri)))
+                       (let ((type (file-extension (basename uri))))
+                         ;; Sometimes we have URLs such as
+                         ;; "https://github.com/…/tarball/v0.1", in which case
+                         ;; we must not consider "1" as the extension.
+                         (and (or (string-contains type "z")
+                                  (string=? type "tar"))
+                              type)))
                       (_
                        "gz")))
                    ((url signature-url)