summary refs log tree commit diff
path: root/gnu/packages
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages')
-rw-r--r--gnu/packages/admin.scm9
-rw-r--r--gnu/packages/autotools.scm37
-rw-r--r--gnu/packages/backup.scm9
-rw-r--r--gnu/packages/base.scm59
-rw-r--r--gnu/packages/bash.scm10
-rw-r--r--gnu/packages/bdw-gc.scm36
-rw-r--r--gnu/packages/bootstrap.scm1
-rw-r--r--gnu/packages/commencement.scm27
-rw-r--r--gnu/packages/cross-base.scm2
-rw-r--r--gnu/packages/cyrus-sasl.scm9
-rw-r--r--gnu/packages/databases.scm45
-rw-r--r--gnu/packages/flex.scm61
-rw-r--r--gnu/packages/fontutils.scm6
-rw-r--r--gnu/packages/gcc.scm24
-rw-r--r--gnu/packages/gnupg.scm8
-rw-r--r--gnu/packages/guile.scm19
-rw-r--r--gnu/packages/icu4c.scm25
-rw-r--r--gnu/packages/kde-frameworks.scm12
-rw-r--r--gnu/packages/libunistring.scm11
-rw-r--r--gnu/packages/linux.scm26
-rw-r--r--gnu/packages/m4.scm6
-rw-r--r--gnu/packages/make-bootstrap.scm5
-rw-r--r--gnu/packages/mit-krb5.scm4
-rw-r--r--gnu/packages/multiprecision.scm8
-rw-r--r--gnu/packages/ncurses.scm23
-rw-r--r--gnu/packages/nettle.scm6
-rw-r--r--gnu/packages/patches/flex-CVE-2016-6354.patch30
-rw-r--r--gnu/packages/patches/gcc-libiberty-printf-decl.patch28
-rw-r--r--gnu/packages/patches/libarchive-7zip-heap-overflow.patch77
-rw-r--r--gnu/packages/patches/libarchive-fix-filesystem-attacks.patch445
-rw-r--r--gnu/packages/patches/libarchive-fix-symlink-check.patch60
-rw-r--r--gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch44
-rw-r--r--gnu/packages/patches/sed-hurd-path-max.patch34
-rw-r--r--gnu/packages/patches/tar-CVE-2016-6321.patch51
-rw-r--r--gnu/packages/php.scm2
-rw-r--r--gnu/packages/ssh.scm4
-rw-r--r--gnu/packages/tls.scm5
-rw-r--r--gnu/packages/xorg.scm8
38 files changed, 329 insertions, 947 deletions
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 8a7dc6af89..9e912a9543 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -112,20 +112,23 @@ usual file attributes can be checked for inconsistencies.")
 (define-public progress
   (package
     (name "progress")
-    (version "0.13")
+    (version "0.13.1")
     (source (origin
       (method url-fetch)
       (uri (string-append "https://github.com/Xfennec/"
                           name "/archive/v" version ".tar.gz"))
       (sha256
-       (base32 "133iar4vq5vlklydb4cyazjy6slmpbndrws474mg738bd8avc30n"))
+       (base32 "199rk6608q9m6l0fbjm0xl2w1c5krf8245dqnksdp4rqp7l9ak06"))
       (file-name (string-append name "-" version ".tar.gz"))))
     (build-system gnu-build-system)
+    (native-inputs
+     `(("pkg-config" ,pkg-config)
+       ("which" ,which)))
     (inputs
      `(("ncurses" ,ncurses)))
     (arguments
      `(#:tests? #f ; There is no test suite.
-       #:make-flags (list "CC=gcc" "LDFLAGS+=-lncurses"
+       #:make-flags (list "CC=gcc"
                           (string-append "PREFIX=" (assoc-ref %outputs "out")))
        #:phases
        (modify-phases %standard-phases
diff --git a/gnu/packages/autotools.scm b/gnu/packages/autotools.scm
index 72492e70eb..442c87c1f1 100644
--- a/gnu/packages/autotools.scm
+++ b/gnu/packages/autotools.scm
@@ -5,6 +5,7 @@
 ;;; Copyright © 2014 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016 David Thompson <davet@gnu.org>
+;;; Copyright © 2017 ng0 <ng0@libertad.pw>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,6 +27,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages perl)
   #:use-module (gnu packages m4)
+  #:use-module (gnu packages man)
   #:use-module (gnu packages bash)
   #:use-module (guix utils)
   #:use-module (guix packages)
@@ -300,6 +302,7 @@ Makefile, simplifying the entire process for the developer.")
     (propagated-inputs `(("m4" ,m4)))
     (native-inputs `(("m4" ,m4)
                      ("perl" ,perl)
+                     ("help2man" ,help2man) ;because we modify ltmain.sh
                      ("automake" ,automake)      ;some tests rely on 'aclocal'
                      ("autoconf" ,(autoconf-wrapper)))) ;others on 'autom4te'
 
@@ -313,21 +316,27 @@ Makefile, simplifying the entire process for the developer.")
                                       (or (%current-target-system)
                                           (%current-system))))
 
-       #:phases (alist-cons-before
-                 'check 'pre-check
-                 (lambda* (#:key inputs #:allow-other-keys)
-                   ;; Run the test suite in parallel, if possible.
-                   (setenv "TESTSUITEFLAGS"
-                           (string-append
-                            "-j"
-                            (number->string (parallel-job-count))))
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'check 'pre-check
+           (lambda* (#:key inputs #:allow-other-keys)
+             ;; Run the test suite in parallel, if possible.
+             (setenv "TESTSUITEFLAGS"
+                     (string-append
+                      "-j"
+                      (number->string (parallel-job-count))))
+           ;; Patch references to /bin/sh.
+           (let ((bash (assoc-ref inputs "bash")))
+             (substitute* "tests/testsuite"
+               (("/bin/sh")
+                (string-append bash "/bin/sh")))
+             #t)))
+         (add-after 'patch-source-shebangs 'restore-ltmain-shebang
+           (lambda* (#:key inputs #:allow-other-keys)
+             (substitute* "build-aux/ltmain.in"
+               (("^#!.*/bin/sh$") "#!/bin/sh"))
+             #t)))))
 
-                   ;; Path references to /bin/sh.
-                   (let ((bash (assoc-ref inputs "bash")))
-                     (substitute* "tests/testsuite"
-                       (("/bin/sh")
-                        (string-append bash "/bin/bash")))))
-                 %standard-phases)))
     (synopsis "Generic shared library support tools")
     (description
      "GNU Libtool helps in the creation and use of shared libraries, by
diff --git a/gnu/packages/backup.scm b/gnu/packages/backup.scm
index 8cfe470ec6..8308616a1f 100644
--- a/gnu/packages/backup.scm
+++ b/gnu/packages/backup.scm
@@ -173,20 +173,15 @@ backups (called chunks) to allow easy burning to CD/DVD.")
 (define-public libarchive
   (package
     (name "libarchive")
-    (version "3.2.1")
+    (version "3.2.2")
     (source
      (origin
        (method url-fetch)
        (uri (string-append "http://libarchive.org/downloads/libarchive-"
                            version ".tar.gz"))
-       (patches (search-patches
-                  "libarchive-7zip-heap-overflow.patch"
-                  "libarchive-fix-symlink-check.patch"
-                  "libarchive-fix-filesystem-attacks.patch"
-                  "libarchive-safe_fprintf-buffer-overflow.patch"))
        (sha256
         (base32
-         "1lngng84k1kkljl74q0cdqc3s82vn2kimfm02dgm4d6m7x71mvkj"))))
+         "03q6y428rg723c9fj1vidzjw46w1vf8z0h95lkvz1l9jw571j739"))))
     (build-system gnu-build-system)
     ;; TODO: Add -L/path/to/nettle in libarchive.pc.
     (inputs
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index c75e038289..93b598f808 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -78,14 +78,14 @@ command-line arguments, multiple languages, and so on.")
 (define-public grep
   (package
    (name "grep")
-   (version "2.25")
+   (version "2.27")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/grep/grep-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0c38b67cnwchwzv4wq2gpz6smkhdxrac2hhssv8f0l04qnx867p2"))
+              "1syadppgpxpfhpwhhqcsibrn131azypzps5aicx1qjh74d6w8k5d"))
             (patches (search-patches "grep-timing-sensitive-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))             ;some of the tests require it
@@ -118,30 +118,32 @@ including, for example, recursive directory searching.")
 (define-public sed
   (package
    (name "sed")
-   (version "4.2.2")
+   (version "4.3")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/sed/sed-" version
-                                ".tar.bz2"))
+                                ".tar.xz"))
             (sha256
              (base32
-              "1myvrmh99jsvk7v3d7crm0gcrq51hmmm1r2kjyyci152in1x2j7h"))
-            (patches (search-patches "sed-hurd-path-max.patch"))))
+              "1anhdgah8h423hlmn9hwzxzr7hjbqjm6hxq3z1p7p7nf8640vhj7"))))
    (build-system gnu-build-system)
    (synopsis "Stream editor")
    (arguments
     (if (%current-target-system)
         '()
-        `(#:phases (alist-cons-before
-                    'patch-source-shebangs 'patch-test-suite
-                    (lambda* (#:key inputs #:allow-other-keys)
-                      (let ((bash (assoc-ref inputs "bash")))
-                        (patch-makefile-SHELL "testsuite/Makefile.tests")
-                        (substitute* '("testsuite/bsd.sh"
-                                       "testsuite/bug-regex9.c")
-                          (("/bin/sh")
-                           (string-append bash "/bin/bash")))))
-                    %standard-phases))))
+        `(#:phases
+          (modify-phases %standard-phases
+            (add-before 'patch-source-shebangs 'patch-test-suite
+              (lambda* (#:key inputs #:allow-other-keys)
+                (let ((bash (assoc-ref inputs "bash")))
+                  (patch-makefile-SHELL "testsuite/Makefile.tests")
+                  (substitute* '("testsuite/bsd.sh"
+                                 "testsuite/bug-regex9.c")
+                    (("/bin/sh")
+                     (string-append bash "/bin/sh")))
+                  #t)))))))
+   (native-inputs
+    `(("perl" ,perl))) ; for build-aux/help2man
    (description
     "Sed is a non-interactive, text stream editor.  It receives a text
 input from a file or from standard input and it then applies a series of text
@@ -149,7 +151,7 @@ editing commands to the stream and prints its output to standard output.  It
 is often used for substituting text patterns in a stream.  The GNU
 implementation offers several extensions over the standard utility.")
    (license gpl3+)
-   (home-page "http://www.gnu.org/software/sed/")))
+   (home-page "https://www.gnu.org/software/sed/")))
 
 (define-public tar
   (package
@@ -162,7 +164,8 @@ implementation offers several extensions over the standard utility.")
             (sha256
              (base32
               "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"))
-            (patches (search-patches "tar-skip-unreliable-tests.patch"))))
+            (patches (search-patches "tar-CVE-2016-6321.patch"
+                                     "tar-skip-unreliable-tests.patch"))))
    (build-system gnu-build-system)
    ;; Note: test suite requires ~1GiB of disk space.
    (arguments
@@ -277,14 +280,14 @@ used to apply commands with arbitrarily long arguments.")
 (define-public coreutils
   (package
    (name "coreutils")
-   (version "8.25")
+   (version "8.26")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/coreutils/coreutils-"
                                 version ".tar.xz"))
             (sha256
              (base32
-              "11yfrnb94xzmvi4lhclkcmkqsbhww64wf234ya1aacjvg82prrii"))))
+              "13lspazc7xkviy93qz7ks9jv4sldvgmwpq36ghrbrqpq93br8phm"))))
    (build-system gnu-build-system)
    (inputs `(("acl"  ,acl)                        ; TODO: add SELinux
              ("gmp"  ,gmp)                        ;bignums in 'expr', yay!
@@ -715,7 +718,21 @@ with the Linux kernel.")
              ;; Use the right 'pwd'.
              (substitute* "configure"
                (("/bin/pwd") "pwd")))
-          ,original-phases)))
+           (alist-replace
+            'build
+            (lambda _
+              ;; Force mach/hurd/libpthread subdirs to build first in order to avoid
+              ;; linking errors.
+              ;; See <https://lists.gnu.org/archive/html/bug-hurd/2016-11/msg00045.html>
+              (let ((-j (list "-j" (number->string (parallel-job-count)))))
+                (let-syntax ((make (syntax-rules ()
+                                     ((_ target)
+                                      (zero? (apply system* "make" target -j))))))
+                  (and (make "mach/subdir_lib")
+                       (make "hurd/subdir_lib")
+                       (make "libpthread/subdir_lib")
+                       (zero? (apply system* "make" -j))))))
+            ,original-phases))))
         ((#:configure-flags original-configure-flags)
         `(append (list "--host=i586-pc-gnu"
 
diff --git a/gnu/packages/bash.scm b/gnu/packages/bash.scm
index d328d711d1..90b6c3f17e 100644
--- a/gnu/packages/bash.scm
+++ b/gnu/packages/bash.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2012, 2013, 2014, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016 Efraim Flashenr <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -38,7 +39,7 @@
 
 (define (patch-url seqno)
   "Return the URL of Bash patch number SEQNO."
-  (format #f "mirror://gnu/bash/bash-4.3-patches/bash43-~3,'0d" seqno))
+  (format #f "mirror://gnu/bash/bash-4.4-patches/bash44-~3,'0d" seqno))
 
 (define (bash-patch seqno sha256)
   "Return the origin of Bash patch SEQNO, with expected hash SHA256"
@@ -54,7 +55,12 @@
 (define %patch-series-4.4
   ;; This is the current patches series for 4.4, generated using
   ;; 'download-patches' below.
-  (patch-series))
+  (patch-series
+   (1 "03vzy7qwjdd5qvl3ydg99naazas2qmyd0yhnrflgjbbm64axja1y")
+   (2 "0lrwq6vyqism3yqv9s7kzaf3dsl4q5w9r5svcqz279qp7qca083h")
+   (3 "1chqww2rj6g42b8s60q5zlzy0jzp684jkpsbrbfy1vzxja8mmpsi")
+   (4 "1cy8abf96hkrjhw921ndr0shlcnc52bg45rn6xri4v5clhq0l25d")
+   (5 "0a8515kyk4zsgmvlqvlganjfr7pq0j6kzpr4d6xx02kpbdr4n7i2")))
 
 (define (download-patches store count)
   "Download COUNT Bash patches into store.  Return a list of
diff --git a/gnu/packages/bdw-gc.scm b/gnu/packages/bdw-gc.scm
index 992a11bac0..b9732374d7 100644
--- a/gnu/packages/bdw-gc.scm
+++ b/gnu/packages/bdw-gc.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014, 2016 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -24,24 +25,23 @@
   #:use-module (guix build-system gnu)
   #:use-module (gnu packages pkg-config))
 
-(define-public libgc-7.2
+(define-public libgc
   (package
    (name "libgc")
-   (version "7.2f")
+   (version "7.6.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://www.hboehm.info/gc/gc_source/gc-"
                                 version ".tar.gz"))
             (sha256
              (base32
-              "119x7p1cqw40mpwj80xfq879l9m1dkc7vbc1f3bz3kvkf8bf6p16"))))
+              "143x7g0d0k6250ai6m2x3l4y352mzizi4wbgrmahxscv2aqjhjm1"))))
    (build-system gnu-build-system)
    (arguments
-    ;; Make it so that we don't rely on /proc.  This is especially useful in
-    ;; an initrd run before /proc is mounted.
-    '(#:configure-flags '("CPPFLAGS=-DUSE_LIBC_PRIVATES"
-                          ;; Install gc_cpp.h et al.
+    '(#:configure-flags '(;; Install gc_cpp.h et al.
                           "--enable-cplusplus")))
+   (native-inputs `(("pkg-config" ,pkg-config)))
+   (inputs `(("libatomic-ops" ,libatomic-ops)))
    (outputs '("out" "debug"))
    (synopsis "The Boehm-Demers-Weiser conservative garbage collector
 for C and C++")
@@ -67,7 +67,7 @@ C or C++ programs, though that is not its primary goal.")
 (define-public libatomic-ops
   (package
     (name "libatomic-ops")
-    (version "7.4.2")
+    (version "7.4.4")
     (source (origin
               (method url-fetch)
               (uri (string-append
@@ -75,7 +75,7 @@ C or C++ programs, though that is not its primary goal.")
                     version ".tar.gz"))
               (sha256
                (base32
-                "1pdm0h1y7bgkczr8byg20r6bq15m5072cqm5pny4f9crc9gn3yh4"))))
+                "13vg5fqwil17zpf4hj4h8rh3blzmym693lkdjgvwpgni1mh0l8dz"))))
     (build-system gnu-build-system)
     (outputs '("out" "debug"))
     (synopsis "Accessing hardware atomic memory update operations")
@@ -88,21 +88,3 @@ lock-free code, experiment with thread programming paradigms, etc.")
 
     ;; Some source files are X11-style, others are GPLv2+.
     (license gpl2+)))
-
-(define-public libgc
-  (package (inherit libgc-7.2)
-    (version "7.4.2")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "http://www.hboehm.info/gc/gc_source/gc-"
-                                  version ".tar.gz"))
-              (sha256
-               (base32
-                "18mg28rr6kwr5clc65k4l4hkyy4kd16amx831sjf8q2lqkbhlck3"))))
-
-    ;; New dependencies.
-    (native-inputs `(("pkg-config" ,pkg-config)))
-    (inputs `(("libatomic-ops" ,libatomic-ops)))
-
-    ;; 'USE_LIBC_PRIVATES' is now the default.
-    (arguments '(#:configure-flags '("--enable-cplusplus")))))
diff --git a/gnu/packages/bootstrap.scm b/gnu/packages/bootstrap.scm
index dd922c3ae4..c4a3fc3e7c 100644
--- a/gnu/packages/bootstrap.scm
+++ b/gnu/packages/bootstrap.scm
@@ -168,6 +168,7 @@ successful, or false to signal an error."
         ((string=? system "i586-gnu") "/lib/ld.so.1")
         ((string=? system "i686-gnu") "/lib/ld.so.1")
         ((string=? system "aarch64-linux") "/lib/ld-linux-aarch64.so.1")
+        ((string=? system "powerpc-linux") "/lib/ld.so.1")
 
         ;; XXX: This one is used bare-bones, without a libc, so add a case
         ;; here just so we can keep going.
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 7df1d3fca9..273e3ca808 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -172,6 +172,26 @@
                     ,cf)))))
      (inputs %boot0-inputs))))
 
+(define libstdc++-boot0
+  ;; GCC's libcc1 is always built as a shared library (the top-level
+  ;; 'Makefile.def' forcefully adds --enable-shared) and thus needs to refer
+  ;; to libstdc++.so.  We cannot build libstdc++-5.3 because it relies on
+  ;; C++14 features missing in our bootstrap compiler.
+  (let ((lib (package-with-bootstrap-guile (make-libstdc++ gcc-4.9))))
+    (package
+      (inherit lib)
+      (name "libstdc++-boot0")
+      (arguments
+       `(#:guile ,%bootstrap-guile
+         #:implicit-inputs? #f
+
+         ;; XXX: libstdc++.so NEEDs ld.so for some reason.
+         #:validate-runpath? #f
+
+         ,@(package-arguments lib)))
+      (inputs %boot0-inputs)
+      (native-inputs '()))))
+
 (define gcc-boot0
   (package-with-bootstrap-guile
    (package (inherit gcc)
@@ -257,6 +277,9 @@
                ("mpc-source" ,(package-source mpc))
                ("binutils-cross" ,binutils-boot0)
 
+               ;; The libstdc++ that libcc1 links against.
+               ("libstdc++" ,libstdc++-boot0)
+
                ;; Call it differently so that the builder can check whether
                ;; the "libc" input is #f.
                ("libc-native" ,@(assoc-ref %boot0-inputs "libc"))
@@ -987,10 +1010,10 @@ and binaries, plus debugging symbols in the 'debug' output), and Binutils.")
   (gcc-toolchain gcc-4.8))
 
 (define-public gcc-toolchain-4.9
-  (gcc-toolchain gcc-final))
+  (gcc-toolchain gcc-4.9))
 
 (define-public gcc-toolchain-5
-  (gcc-toolchain gcc-5))
+  (gcc-toolchain gcc-final))
 
 (define-public gcc-toolchain-6
   (gcc-toolchain gcc-6))
diff --git a/gnu/packages/cross-base.scm b/gnu/packages/cross-base.scm
index a3dfb8f477..47e0958193 100644
--- a/gnu/packages/cross-base.scm
+++ b/gnu/packages/cross-base.scm
@@ -281,7 +281,7 @@ GCC that does not target a libc; otherwise, target that libc."
               (setenv "ARCH" ,(system->linux-architecture target))
               (format #t "`ARCH' set to `~a' (cross compiling)~%" (getenv "ARCH"))
 
-              (and (zero? (system* "make" "defconfig"))
+              (and (zero? (system* "make" ,(system->defconfig target)))
                    (zero? (system* "make" "mrproper" "headers_check"))))
             ,phases))))
       (native-inputs `(("cross-gcc" ,xgcc)
diff --git a/gnu/packages/cyrus-sasl.scm b/gnu/packages/cyrus-sasl.scm
index 89a4a49797..3c6a87828a 100644
--- a/gnu/packages/cyrus-sasl.scm
+++ b/gnu/packages/cyrus-sasl.scm
@@ -31,7 +31,6 @@
 (define-public cyrus-sasl
   (package
    (name "cyrus-sasl")
-   (replacement cyrus-sasl/fixed)
    (version "2.1.26")
    (source (origin
             (method url-fetch)
@@ -41,6 +40,7 @@
                        (string-append
                         "ftp://ftp.cyrusimap.org/cyrus-sasl/cyrus-sasl-"
                         version ".tar.gz")))
+            (patches (search-patches "cyrus-sasl-CVE-2013-4122.patch"))
             (sha256 (base32
                      "1hvvbcsg21nlncbgs0cgn3iwlnb3vannzwsp6rwvnn9ba4v53g4g"))))
    (build-system gnu-build-system)
@@ -66,10 +66,3 @@ server writers.")
    (license (license:non-copyleft "file://COPYING"
                                   "See COPYING in the distribution."))
    (home-page "http://cyrusimap.web.cmu.edu")))
-
-(define cyrus-sasl/fixed
-  (package
-    (inherit cyrus-sasl)
-    (source (origin
-              (inherit (package-source cyrus-sasl))
-              (patches (search-patches "cyrus-sasl-CVE-2013-4122.patch"))))))
diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index e05a337e47..c5e8599028 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -507,12 +507,9 @@ for example from a shell script.")
 (define-public sqlite
   (package
    (name "sqlite")
-   (version "3.14.1")
+   (version "3.15.2")
    (source (origin
             (method url-fetch)
-            ;; TODO: Download from sqlite.org once this bug :
-            ;; http://lists.gnu.org/archive/html/bug-guile/2013-01/msg00027.html
-            ;; has been fixed.
             (uri (let ((numeric-version
                         (match (string-split version #\.)
                           ((first-digit other-digits ...)
@@ -522,23 +519,11 @@ for example from a shell script.")
                                             (map (cut string-pad <> 2 #\0)
                                                  other-digits))
                                            6 #\0))))))
-                   (list
-                    (string-append
-                     "https://fossies.org/linux/misc/sqlite-autoconf-"
-                     numeric-version ".tar.gz")
-                    (string-append
-                     "http://distfiles.gentoo.org/distfiles/"
-                     "/sqlite-autoconf-" numeric-version ".tar.gz"))
-
-                   ;; XXX: As of 2015-09-08, SourceForge is squatting the URL
-                   ;; below, returning 200 and showing an advertising page.
-                   ;; (string-append
-                   ;;  "mirror://sourceforge/sqlite.mirror/SQLite%20" version
-                   ;;  "/sqlite-autoconf-" numeric-version ".tar.gz")
-                   ))
+                   (string-append "https://sqlite.org/2016/sqlite-autoconf-"
+                                  numeric-version ".tar.gz")))
             (sha256
              (base32
-              "19j73j44akqgc6m82wm98yvnmm3mfzmfqr8mp3n7n080d53q4wdw"))))
+              "0j9i1zrwxc7dfd6xr3xagal3incrlalsrk96havnas1qp5im1cq7"))))
    (build-system gnu-build-system)
    (inputs `(("readline" ,readline)))
    (arguments
@@ -549,7 +534,7 @@ for example from a shell script.")
       (list (string-append "CFLAGS=-O2 -DSQLITE_SECURE_DELETE "
                            "-DSQLITE_ENABLE_UNLOCK_NOTIFY "
                            "-DSQLITE_ENABLE_DBSTAT_VTAB"))))
-   (home-page "http://www.sqlite.org/")
+   (home-page "https://www.sqlite.org/")
    (synopsis "The SQLite database management system")
    (description
     "SQLite is a software library that implements a self-contained, serverless,
@@ -558,26 +543,6 @@ widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license public-domain)))
 
-(define-public sqlite-3.15.1
-  (package (inherit sqlite)
-           (version "3.15.1")
-           (source (origin
-                     (method url-fetch)
-                     (uri (let ((numeric-version
-                                 (match (string-split version #\.)
-                                   ((first-digit other-digits ...)
-                                    (string-append first-digit
-                                                   (string-pad-right
-                                                    (string-concatenate
-                                                     (map (cut string-pad <> 2 #\0)
-                                                          other-digits))
-                                                    6 #\0))))))
-                            (string-append "https://sqlite.org/2016/sqlite-autoconf-"
-                                           numeric-version ".tar.gz")))
-                     (sha256
-                      (base32
-                       "1ig2d9jzzixiifmgqsl6kjcvy17jwxby3s24gfnc5qvyd6vqkyjx"))))))
-
 (define-public tdb
   (package
     (name "tdb")
diff --git a/gnu/packages/flex.scm b/gnu/packages/flex.scm
index c1f74d65ad..d9abbfa4e2 100644
--- a/gnu/packages/flex.scm
+++ b/gnu/packages/flex.scm
@@ -24,6 +24,7 @@
   #:use-module (guix build-system gnu)
   #:use-module (gnu packages)
   #:use-module (gnu packages m4)
+  #:use-module (gnu packages man)
   #:use-module (gnu packages bison)
   #:use-module (gnu packages indent)
   #:use-module (srfi srfi-1))
@@ -31,29 +32,32 @@
 (define-public flex
   (package
     (name "flex")
-    (version "2.6.0")
+    (version "2.6.2")
     (source (origin
-             (method url-fetch)
-             (uri (string-append "mirror://sourceforge/flex/flex-"
-                                 version ".tar.bz2"))
-             (patches (search-patches "flex-CVE-2016-6354.patch"))
-             (sha256
-              (base32
-               "1sdqx63yadindzafrq1w31ajblf9gl1c301g068s20s7bbpi3ri4"))))
+              (method url-fetch)
+              (uri (string-append
+                    "https://github.com/westes/flex"
+                    "/releases/download/v" version "/"
+                    "flex-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1jdjghh1qjq3z7snphshcak6p07gch2n4215vjvrkism25x460cs"))))
     (build-system gnu-build-system)
     (inputs
      (let ((bison-for-tests
             ;; Work around an incompatibility with Bison 3.0:
             ;; <http://lists.gnu.org/archive/html/bug-bison/2013-09/msg00014.html>.
-            (package (inherit bison)
+            (package
+              (inherit bison)
               (version "2.7.1")
               (source (origin
-                       (method url-fetch)
-                       (uri (string-append "mirror://gnu/bison/bison-"
-                                           version ".tar.xz"))
-                       (sha256
-                        (base32
-                         "1yx7isx67sdmyijvihgyra1f59fwdz7sqriginvavfj5yb5ss2dl"))))
+                        (method url-fetch)
+                        (uri (string-append
+                              "mirror://gnu/bison/"
+                              "bison-" version ".tar.xz"))
+                        (sha256
+                         (base32
+                          "1yx7isx67sdmyijvihgyra1f59fwdz7sqriginvavfj5yb5ss2dl"))))
 
               ;; Unlike Bison 3.0, this version did not need Flex for its
               ;; tests, so it allows us to break the cycle.
@@ -61,9 +65,11 @@
        `(("bison" ,bison-for-tests)
          ("indent" ,indent))))
     ;; m4 is not present in PATH when cross-building
-    (native-inputs `(("m4" ,m4)))
+    (native-inputs
+     `(("help2man" ,help2man)
+       ("m4" ,m4)))
     (propagated-inputs `(("m4" ,m4)))
-    (home-page "http://flex.sourceforge.net/")
+    (home-page "https://github.com/westes/flex")
     (synopsis "Fast lexical analyser generator")
     (description
      "Flex is a tool for generating scanners.  A scanner, sometimes
@@ -78,23 +84,4 @@ is run, it analyzes its input for occurrences of text matching the
 regular expressions for each rule.  Whenever it finds a match, it
 executes the corresponding C code.")
     (license (non-copyleft "file://COPYING"
-                        "See COPYING in the distribution."))))
-
-(define-public flex-2.6.1
-  ;; The kservice and solid packages use flex.  extra-cmake-modules
-  ;; forces C89 for all C files for compatibility with windows.
-  ;; Flex 2.6.0 generates a lexer containing a single line comment.  Single
-  ;; line comments are part of the C99 standard, so the lexer won't compile
-  ;; if C89 is used.
-  (package
-    (inherit flex)
-    (version "2.6.1")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append
-                    "https://github.com/westes/flex"
-                    "/releases/download/v" version "/"
-                    "flex-" version ".tar.gz"))
-              (sha256
-               (base32
-                "0fy14c35yz2m1n1m4f02by3501fn0cca37zn7jp8lpp4b3kgjhrw"))))))
+                           "See COPYING in the distribution."))))
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index 60cff2e330..1ffb427529 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -46,13 +46,13 @@
 (define-public freetype
   (package
    (name "freetype")
-   (version "2.6.3")
+   (version "2.7")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://savannah/freetype/freetype-"
                                 version ".tar.bz2"))
             (sha256 (base32
-                     "18k3b026762lmyrxfil5xv8qwnvj7hc12gz9bjqzbb12lmx707ip"))))
+                     "0j3xgzn6pchgg1nm294vhx7cdicb7x3x8kwnlcm7v1alnzsm396n"))))
    (build-system gnu-build-system)
    (native-inputs
     `(("pkg-config" ,pkg-config)))
@@ -69,7 +69,7 @@ It supports both bitmap and scalable formats, including TrueType, OpenType,
 Type1, CID, CFF, Windows FON/FNT, X11 PCF, and others.  It supports high-speed
 anti-aliased glyph bitmap generation with 256 gray levels.")
    (license license:freetype)           ; some files have other licenses
-   (home-page "http://www.freetype.org/")))
+   (home-page "https://www.freetype.org/")))
 
 (define-public ttfautohint
   (package
diff --git a/gnu/packages/gcc.scm b/gnu/packages/gcc.scm
index cfd33f85ab..206c67ed99 100644
--- a/gnu/packages/gcc.scm
+++ b/gnu/packages/gcc.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2014, 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016 Carlos Sánchez de La Lama <csanchezdll@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -211,7 +212,7 @@ where the OS part is overloaded to denote a specific ABI---into GCC
 
                 ;; Fix the dynamic linker's file name.
                 (substitute* (find-files "gcc/config"
-                                         "^(linux|gnu)(64|-elf|-eabi)?\\.h$")
+                                         "^(linux|gnu|sysv4)(64|-elf|-eabi)?\\.h$")
                   (("#define GLIBC_DYNAMIC_LINKER([^ ]*).*$" _ suffix)
                    (format #f "#define GLIBC_DYNAMIC_LINKER~a \"~a\"~%"
                            suffix
@@ -240,7 +241,21 @@ where the OS part is overloaded to denote a specific ABI---into GCC
                    (format #f "#define STANDARD_STARTFILE_PREFIX_1 \"~a/lib\"
 #define STANDARD_STARTFILE_PREFIX_2 \"\"
 ~a"
-                           libc line))))
+                           libc line)))
+
+              ;; The rs6000 (a.k.a. powerpc) config in GCC does not use
+              ;; GNU_USER_* defines.  Do the above for this case.
+              (substitute*
+                  "gcc/config/rs6000/sysv4.h"
+                (("#define LIB_LINUX_SPEC (.*)$" _ suffix)
+                 (format #f "#define LIB_LINUX_SPEC \
+\"-L~a/lib %{!static:-rpath=~a/lib %{!static-libgcc:-rpath=~a/lib -lgcc_s}} \" ~a"
+                         libc libc libdir suffix))
+                (("#define	STARTFILE_LINUX_SPEC.*$" line)
+                 (format #f "#define STANDARD_STARTFILE_PREFIX_1 \"~a/lib\"
+#define STANDARD_STARTFILE_PREFIX_2 \"\"
+~a"
+                         libc line))))
 
               ;; Don't retain a dependency on the build-time sed.
               (substitute* "fixincludes/fixincl.x"
@@ -358,7 +373,8 @@ Go.  It also includes runtime support libraries for these languages.")
               (sha256
                (base32
                 "0fihlcy5hnksdxk0sn6bvgnyq8gfrgs8m794b1jxwd1dxinzg3b0"))
-              (patches (search-patches "gcc-strmov-store-file-names.patch"
+              (patches (search-patches "gcc-arm-bug-71399.patch"
+                                       "gcc-strmov-store-file-names.patch"
                                        "gcc-5.0-libvtv-runpath.patch"))))))
 
 (define-public gcc-6
@@ -377,7 +393,7 @@ Go.  It also includes runtime support libraries for these languages.")
 
 ;; Note: When changing the default gcc version, update
 ;;       the gcc-toolchain-* definitions accordingly.
-(define-public gcc gcc-4.9)
+(define-public gcc gcc-5)
 
 (define-public (make-libstdc++ gcc)
   "Return a libstdc++ package based on GCC.  The primary use case is when
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index 56fba45e3a..151952663b 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -58,7 +58,7 @@
 (define-public libgpg-error
   (package
     (name "libgpg-error")
-    (version "1.24")
+    (version "1.25")
     (source
      (origin
       (method url-fetch)
@@ -66,7 +66,7 @@
                           version ".tar.bz2"))
       (sha256
        (base32
-        "0h75sf1ngr750c3fjfn4583q7wz40qm63jhg8vjfdrbx936f2s4j"))))
+        "031jc5196fdcxn2g61i1pdabvdbxxcdi4j7jbaq3hfs38dcgfa7n"))))
     (build-system gnu-build-system)
     (home-page "https://gnupg.org")
     (synopsis "Library of error values for GnuPG components")
@@ -82,14 +82,14 @@ Daemon and possibly more in the future.")
 (define-public libgcrypt
   (package
     (name "libgcrypt")
-    (version "1.7.3")
+    (version "1.7.5")
     (source (origin
              (method url-fetch)
              (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0wbh6fq5zi9wg2xcfvfpwh7dv52jihivx1vm4h91c2kx0w8n3b6x"))))
+               "0078pbzm6nlgvnwlylshsg707ifcmfpnpbvhlhqbpwpfic9a9zni"))))
     (build-system gnu-build-system)
     (propagated-inputs
      `(("libgpg-error-host" ,libgpg-error)))
diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm
index 9458ab714f..a408f8f9aa 100644
--- a/gnu/packages/guile.scm
+++ b/gnu/packages/guile.scm
@@ -133,15 +133,15 @@ without requiring the source code to be rewritten.")
 (define-public guile-2.0
   (package
    (name "guile")
-   (version "2.0.12")
-   (replacement guile-2.0.13)                 ;CVE-2016-8606 and CVE-2016-8605
+   (version "2.0.13")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/guile/guile-" version
                                 ".tar.xz"))
             (sha256
              (base32
-              "1sdpjq0jf1h65w29q0zprj4x6kdp5jskkvbnlwphy9lvdxrqg0fy"))))
+              "12yqkr974y91ylgw6jnmci2v90i90s7h9vxa4zk0sai8vjnz4i1p"))
+            (patches (search-patches "guile-repl-server-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("pkgconfig" ,pkg-config)))
    (inputs `(("libffi" ,libffi)
@@ -214,19 +214,6 @@ without requiring the source code to be rewritten.")
     (properties '((hidden? . #t)))          ;people should install 'guile-2.0'
     (replacement #f)))
 
-(define guile-2.0.13
-  (package
-    (inherit guile-2.0)
-    (version "2.0.13")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "mirror://gnu/guile/guile-" version
-                                  ".tar.xz"))
-              (sha256
-               (base32
-                "12yqkr974y91ylgw6jnmci2v90i90s7h9vxa4zk0sai8vjnz4i1p"))
-              (patches (search-patches "guile-repl-server-test.patch"))))))
-
 (define-public guile-next
   (package (inherit guile-2.0)
     (name "guile-next")
diff --git a/gnu/packages/icu4c.scm b/gnu/packages/icu4c.scm
index 13723bf585..d842f03b4e 100644
--- a/gnu/packages/icu4c.scm
+++ b/gnu/packages/icu4c.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -28,20 +29,17 @@
 (define-public icu4c
   (package
    (name "icu4c")
-   (version "55.1")
+   (version "58.2")
    (source (origin
             (method url-fetch)
             (uri (string-append
-                  "mirror://sourceforge/icu/ICU4C/"
+                  "http://download.icu-project.org/files/icu4c/"
                   version
                   "/icu4c-"
                   (string-map (lambda (x) (if (char=? x #\.) #\_ x)) version)
                   "-src.tgz"))
             (sha256
-             (base32 "0ys5f5spizg45qlaa31j2lhgry0jka2gfha527n4ndfxxz5j4sz1"))
-            (patches (search-patches "icu4c-CVE-2014-6585.patch"
-                                     "icu4c-CVE-2015-1270.patch"
-                                     "icu4c-CVE-2015-4760.patch"))))
+             (base32 "036shcb3f8bm1lynhlsb4kpjm9s9c2vdiir01vg216rs2l8482ib"))))
    (build-system gnu-build-system)
    (inputs
     `(("perl" ,perl)))
@@ -55,18 +53,9 @@
               '("--with-data-packaging=archive")
               '()))
       #:phases
-      (alist-cons-after
-       'unpack 'chdir-to-source
-       (lambda _ (chdir "source"))
-       (alist-cons-before
-        'configure 'patch-configure
-        (lambda _
-          ;; patch out two occurrences of /bin/sh from configure script
-          ;; that might have disappeared in a release later than 54.1
-          (substitute* "configure"
-            (("`/bin/sh")
-             (string-append "`" (which "bash")))))
-        %standard-phases))))
+      (modify-phases %standard-phases
+        (add-after 'unpack 'chdir-to-source
+          (lambda _ (chdir "source") #t)))))
    (synopsis "International Components for Unicode")
    (description
     "ICU is a set of C/C++ and Java libraries providing Unicode and
diff --git a/gnu/packages/kde-frameworks.scm b/gnu/packages/kde-frameworks.scm
index 94145fb95d..a7f2cabbc4 100644
--- a/gnu/packages/kde-frameworks.scm
+++ b/gnu/packages/kde-frameworks.scm
@@ -1117,11 +1117,7 @@ which are used in DBus communication.")
     (native-inputs
      `(("bison" ,bison)
        ("extra-cmake-modules" ,extra-cmake-modules)
-       ;; extra-cmake-modules forces C89 for all C files for compatibility with
-       ;; Windows.  Flex 2.6.0 generates a lexer containing a single line
-       ;; comment.  Single line comments are part of the C99 standard, so the
-       ;; lexer won't compile if C89 is used.
-       ("flex" ,flex-2.6.1)
+       ("flex" ,flex)
        ("qttools" ,qttools)))
     (inputs
      `(("qtbase" ,qtbase)
@@ -2535,11 +2531,7 @@ typed.")
     (native-inputs
      `(("bison" ,bison)
        ("extra-cmake-modules" ,extra-cmake-modules)
-       ;; extra-cmake-modules forces C89 for all C files for compatibility with
-       ;; Windows.  Flex 2.6.0 generates a lexer containing a single line
-       ;; comment.  Single line comments are part of the C99 standard, so the
-       ;; lexer won't compile if C89 is used.
-       ("flex" ,flex-2.6.1)))
+       ("flex" ,flex)))
     (inputs
      `(("kcrash" ,kcrash)
        ("kdbusaddons" ,kdbusaddons)
diff --git a/gnu/packages/libunistring.scm b/gnu/packages/libunistring.scm
index a9779d4ffd..212bec4b49 100644
--- a/gnu/packages/libunistring.scm
+++ b/gnu/packages/libunistring.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2012, 2013, 2014 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -28,15 +29,15 @@
 (define-public libunistring
   (package
    (name "libunistring")
-   (version "0.9.6")
+   (version "0.9.7")
    (source (origin
             (method url-fetch)
             (uri (string-append
                   "mirror://gnu/libunistring/libunistring-"
-                  version ".tar.gz"))
+                  version ".tar.xz"))
             (sha256
              (base32
-              "0ixxmgpgh2v8ifm6hbwsjxl023myk3dfnj7wnvmqjivza31fw9cn"))))
+              "15z76qrmrvkc3c6hfq2lzzqysgd21s682f2smycfab5g598n8drf"))))
    (propagated-inputs (libiconv-if-needed))
    (build-system gnu-build-system)
    (arguments
@@ -49,5 +50,5 @@
     "GNU libunistring is a library providing functions to manipulate
 Unicode strings and for manipulating C strings according to the Unicode
 standard.")
-   (home-page "http://www.gnu.org/software/libunistring/")
-   (license lgpl3+)))
+   (home-page "https://www.gnu.org/software/libunistring/")
+   (license (list lgpl3+ gpl2))))
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 0c191629ce..5e450a72a7 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -17,6 +17,7 @@
 ;;; Copyright © 2016 John Darrington <jmd@gnu.org>
 ;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2016 Rene Saavedra <rennes@openmailbox.org>
+;;; Copyright © 2016 Carlos Sánchez de La Lama <csanchezdll@gmail.com>
 ;;; Copyright © 2016 ng0 <ng0@libertad.pw>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -101,6 +102,13 @@
           ((string-prefix? "aarch64" arch) "arm64")
           (else arch))))
 
+(define-public (system->defconfig system)
+  "Some systems (notably powerpc-linux) require a special target for kernel
+defconfig.  Return the appropiate make target if applicable, otherwise return
+\"defconfig\"."
+  (cond ((string-prefix? "powerpc-" system) "pmac32_defconfig")
+        (else "defconfig")))
+
 (define (linux-libre-urls version)
   "Return a list of URLs for Linux-Libre VERSION."
   (list (string-append
@@ -140,11 +148,13 @@
            (lambda _
              (let ((arch ,(system->linux-architecture
                           (or (%current-target-system)
-                              (%current-system)))))
+                              (%current-system))))
+                   (defconfig ,(system->defconfig
+                                (or (%current-target-system)
+                                    (%current-system)))))
                (setenv "ARCH" arch)
                (format #t "`ARCH' set to `~a'~%" (getenv "ARCH"))
-
-               (and (zero? (system* "make" "defconfig"))
+               (and (zero? (system* "make" defconfig))
                     (zero? (system* "make" "mrproper" "headers_check"))))))
          (replace 'install
            (lambda* (#:key outputs #:allow-other-keys)
@@ -453,7 +463,7 @@ providing the system administrator with some help in common tasks.")
 (define-public util-linux
   (package
     (name "util-linux")
-    (version "2.28.1")
+    (version "2.28.2")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://kernel.org/linux/utils/"
@@ -461,7 +471,7 @@ providing the system administrator with some help in common tasks.")
                                   name "-" version ".tar.xz"))
               (sha256
                (base32
-                "03xnaw3c7pavxvvh1vnimcr44hlhhf25whawiyv8dxsflfj4xkiy"))
+                "1kgh16j3ywzf5gdz4vq6v3dyc5qsi377p11clj9xxgi0dwa3g7dq"))
               (patches (search-patches "util-linux-tests.patch"))
               (modules '((guix build utils)))
               (snippet
@@ -477,7 +487,7 @@ providing the system administrator with some help in common tasks.")
                "static"))      ; >2 MiB of static .a libraries
     (arguments
      `(#:configure-flags (list "--disable-use-tty-group"
-
+                               "--enable-fs-paths-default=/run/current-system/profile/sbin"
                                ;; Install completions where our
                                ;; bash-completion package expects them.
                                (string-append "--with-bashcompletiondir="
@@ -1156,7 +1166,7 @@ advanced aspects of IP configuration (iptunnel, ipmaddr).")
 (define-public libcap
   (package
     (name "libcap")
-    (version "2.24")
+    (version "2.25")
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -1164,7 +1174,7 @@ advanced aspects of IP configuration (iptunnel, ipmaddr).")
                    "libcap2/libcap-" version ".tar.xz"))
              (sha256
               (base32
-               "0rbc9qbqs5bp9am9s9g83wxj5k4ixps2agy9dxr1v1fwg27mdr6f"))))
+               "0qjiqc5pknaal57453nxcbz3mn1r4hkyywam41wfcglq3v2qlg39"))))
     (build-system gnu-build-system)
     (arguments '(#:phases
                  (modify-phases %standard-phases
diff --git a/gnu/packages/m4.scm b/gnu/packages/m4.scm
index d1ba928768..6ad00f8a58 100644
--- a/gnu/packages/m4.scm
+++ b/gnu/packages/m4.scm
@@ -26,14 +26,14 @@
 (define-public m4
   (package
    (name "m4")
-   (version "1.4.17")
+   (version "1.4.18")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/m4/m4-"
-                                version ".tar.bz2"))
+                                version ".tar.xz"))
             (sha256
              (base32
-              "0w0da1chh12mczxa5lnwzjk9czi3dq6gnnndbpa6w4rj76b1yklf"))))
+              "01sfjd5a4waqw83bibvmn522g69qfqvwig9i2qlgy154l1nfihgj"))))
    (build-system gnu-build-system)
    (arguments
     `(;; Explicitly disable tests when cross-compiling, otherwise 'make check'
diff --git a/gnu/packages/make-bootstrap.scm b/gnu/packages/make-bootstrap.scm
index e5c614cee7..d2a559c084 100644
--- a/gnu/packages/make-bootstrap.scm
+++ b/gnu/packages/make-bootstrap.scm
@@ -416,8 +416,9 @@ for `sh' in $PATH, and without nscd, and with static NSS modules."
                  ;; the 'pre-configure phase of our main gcc package, because
                  ;; that shared library is not present in this static gcc.  See
                  ;; <https://lists.gnu.org/archive/html/guix-devel/2015-01/msg00008.html>.
-                 (substitute* (find-files "gcc/config"
-                                          "^gnu-user.*\\.h$")
+                 (substitute* (cons "gcc/config/rs6000/sysv4.h"
+                                    (find-files "gcc/config"
+                                                "^gnu-user.*\\.h$"))
                    ((" -lgcc_s}}") "}}")))
                ,phases)))))
      (native-inputs
diff --git a/gnu/packages/mit-krb5.scm b/gnu/packages/mit-krb5.scm
index 3299c7b5c4..87fe57dc4b 100644
--- a/gnu/packages/mit-krb5.scm
+++ b/gnu/packages/mit-krb5.scm
@@ -32,7 +32,7 @@
 (define-public mit-krb5
   (package
     (name "mit-krb5")
-    (version "1.14.3")
+    (version "1.14.4")
     (source (origin
               (method url-fetch)
               (uri (string-append "http://web.mit.edu/kerberos/dist/krb5/"
@@ -40,7 +40,7 @@
                                   "/krb5-" version ".tar.gz"))
               (sha256
                (base32
-                "1jgjiyh1sp72lkxvk437lz5hzcibvw99jc4ihzfz03fg43aj0ind"))))
+                "158bgq9xcg5ljgzia1880ak7m9g6vf2r009rzdqif5n9h111m9h3"))))
     (build-system gnu-build-system)
     (native-inputs
      `(("bison" ,bison)
diff --git a/gnu/packages/multiprecision.scm b/gnu/packages/multiprecision.scm
index 36e35ca00c..b6d2d7f4af 100644
--- a/gnu/packages/multiprecision.scm
+++ b/gnu/packages/multiprecision.scm
@@ -32,7 +32,7 @@
 (define-public gmp
   (package
    (name "gmp")
-   (version "6.1.1")
+   (version "6.1.2")
    (source (origin
             (method url-fetch)
             (uri
@@ -40,7 +40,7 @@
                             version ".tar.xz"))
             (sha256
              (base32
-              "0cg84n482gcvl0s4xq4wgwsk4r0x0m8dnzpizwqdd2j8vw2rqvnk"))
+              "04hrwahdxyqdik559604r7wrj9ffklwvipgfxgj4ys4skbl6bdc7"))
             (patches (search-patches "gmp-faulty-test.patch"))))
    (build-system gnu-build-system)
    (native-inputs `(("m4" ,m4)))
@@ -87,13 +87,13 @@ cryptography and computational algebra.")
 (define-public mpfr
   (package
    (name "mpfr")
-   (version "3.1.4")
+   (version "3.1.5")
    (source (origin
             (method url-fetch)
             (uri (string-append "mirror://gnu/mpfr/mpfr-" version
                                 ".tar.xz"))
             (sha256 (base32
-                     "1x8pcnpn1vxfzfsr0js07rwhwyq27fmdzcfjpzi5773ldnqi653n"))))
+                     "1g32l2fg8f62lcyzzh88y3fsh6rk539qc6ahhdgvx7wpnf1dwpq1"))))
    (build-system gnu-build-system)
    (outputs '("out" "debug"))
    (propagated-inputs `(("gmp" ,gmp)))            ; <mpfr.h> refers to <gmp.h>
diff --git a/gnu/packages/ncurses.scm b/gnu/packages/ncurses.scm
index 6949e1e03f..d725a71c0d 100644
--- a/gnu/packages/ncurses.scm
+++ b/gnu/packages/ncurses.scm
@@ -30,6 +30,7 @@
   #:use-module (guix build-system perl)
   #:use-module (gnu packages)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages swig)
   #:use-module (guix utils))
 
@@ -87,7 +88,7 @@
                (let ((out (assoc-ref outputs "out")))
                  ;; When building a wide-character (Unicode) build, create backward
                  ;; compatibility links from the the "normal" libraries to the
-                 ;; wide-character libraries (e.g. libncurses.so to libncursesw.so).
+                 ;; wide-character ones (e.g. libncurses.so to libncursesw.so).
                  ,@(if (target-mingw?)
                        '( ;; TODO: create .la files to link to the .dll?
                          (with-directory-excursion (string-append out "/bin")
@@ -116,7 +117,11 @@
                                        (define lib.so.x
                                          (string-append "lib" lib ".so.6"))
                                        (define lib.so
-                                         (string-append "lib" lib ".so")))
+                                         (string-append "lib" lib ".so"))
+                                       (define packagew.pc
+                                         (string-append lib "w.pc"))
+                                       (define package.pc
+                                         (string-append lib ".pc")))
                                      '())
 
                                (when (file-exists? libw.a)
@@ -127,7 +132,12 @@
                                          (false-if-exception (delete-file lib.so))
                                          (call-with-output-file lib.so
                                            (lambda (p)
-                                             (format p "INPUT (-l~aw)~%" lib))))
+                                             (format p "INPUT (-l~aw)~%" lib)))
+                                         (with-directory-excursion "pkgconfig"
+                                           (format #t "creating symlink for `~a'~%"
+                                                   package.pc)
+                                           (when (file-exists? packagew.pc)
+                                             (symlink packagew.pc package.pc))))
                                        '())))
                              '("curses" "ncurses" "form" "panel" "menu")))))))
        `(#:configure-flags
@@ -135,6 +145,11 @@
            'quasiquote
            `(("--with-shared" "--without-debug" "--enable-widec"
               
+              "--enable-pc-files"
+              ,(list 'unquote '(string-append "--with-pkg-config-libdir="
+                                              (assoc-ref %outputs "out")
+                                              "/lib/pkgconfig"))
+
               ;; By default headers land in an `ncursesw' subdir, which is not
               ;; what users expect.
               ,(list 'unquote '(string-append "--includedir=" (assoc-ref %outputs "out")
@@ -157,6 +172,8 @@
                     (add-after 'unpack 'remove-unneeded-shebang
                       ,remove-shebang-phase)))))
     (self-native-input? #t)           ; for `tic'
+     (native-inputs
+      `(("pkg-config" ,pkg-config)))
     (native-search-paths
      (list (search-path-specification
             (variable "TERMINFO_DIRS")
diff --git a/gnu/packages/nettle.scm b/gnu/packages/nettle.scm
index d1203dfe75..e4e0eedc05 100644
--- a/gnu/packages/nettle.scm
+++ b/gnu/packages/nettle.scm
@@ -47,7 +47,7 @@
     (outputs '("out" "debug"))
     (native-inputs `(("m4" ,m4)))
     (propagated-inputs `(("gmp" ,gmp)))
-    (home-page "http://www.lysator.liu.se/~nisse/nettle/")
+    (home-page "https://www.lysator.liu.se/~nisse/nettle/")
     (synopsis "C library for low-level cryptographic functionality")
     (description
      "GNU Nettle is a low-level cryptographic library.  It is designed to
@@ -60,14 +60,14 @@ themselves.")
   ;; This version is not API-compatible with version 2.  In particular, lsh
   ;; cannot use it yet.  So keep it separate.
   (package (inherit nettle-2)
-    (version "3.2")
+    (version "3.3")
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://gnu/nettle/nettle-"
                                   version ".tar.gz"))
               (sha256
                (base32
-                "15wxhk52yc62rx0pddmry66hqm6z5brrrkx4npd3wh9nybg86hpa"))))
+                "07mif3af077763vc35s1x8vzhzlgqcgxh67c1xr13jnhslkjd526"))))
     (arguments
      (substitute-keyword-arguments (package-arguments nettle-2)
        ((#:configure-flags flags)
diff --git a/gnu/packages/patches/flex-CVE-2016-6354.patch b/gnu/packages/patches/flex-CVE-2016-6354.patch
deleted file mode 100644
index 1f3cb028d4..0000000000
--- a/gnu/packages/patches/flex-CVE-2016-6354.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Fix CVE-2016-6354 (Buffer overflow in generated code (yy_get_next_buffer).
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6354
-https://security-tracker.debian.org/tracker/CVE-2016-6354
-
-Patch copied from upstream source repository:
-https://github.com/westes/flex/commit/a5cbe929ac3255d371e698f62dc256afe7006466
-
-From a5cbe929ac3255d371e698f62dc256afe7006466 Mon Sep 17 00:00:00 2001
-From: Will Estes <westes575@gmail.com>
-Date: Sat, 27 Feb 2016 11:56:05 -0500
-Subject: [PATCH] Fixed incorrect integer type
-
----
- src/flex.skl | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/flex.skl b/src/flex.skl
-index 36a526a..64f853d 100644
---- a/src/flex.skl
-+++ b/src/flex.skl
-@@ -1703,7 +1703,7 @@ int yyFlexLexer::yy_get_next_buffer()
- 
- 	else
- 		{
--			yy_size_t num_to_read =
-+			int num_to_read =
- 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
- 
- 		while ( num_to_read <= 0 )
diff --git a/gnu/packages/patches/gcc-libiberty-printf-decl.patch b/gnu/packages/patches/gcc-libiberty-printf-decl.patch
new file mode 100644
index 0000000000..a612c9e00e
--- /dev/null
+++ b/gnu/packages/patches/gcc-libiberty-printf-decl.patch
@@ -0,0 +1,28 @@
+This patch makes the exeception specifier of libiberty's 'asprintf'
+and 'vasprintf' declarations match those of glibc to work around the
+problem described at <https://gcc.gnu.org/ml/gcc-help/2016-04/msg00039.html>.
+
+The problem in part stems from the fact that libiberty is configured
+without _GNU_SOURCE (thus, it sets HAVE_DECL_ASPRINTF to 0), whereas libcc1
+is configured and built with _GNU_SOURCE, hence the conflicting declarations.
+
+--- gcc-5.3.0/include/libiberty.h	2016-04-23 22:45:46.262709079 +0200
++++ gcc-5.3.0/include/libiberty.h	2016-04-23 22:45:37.110635439 +0200
+@@ -625,7 +625,7 @@ extern int pwait (int, int *, int);
+ /* Like sprintf but provides a pointer to malloc'd storage, which must
+    be freed by the caller.  */
+ 
+-extern int asprintf (char **, const char *, ...) ATTRIBUTE_PRINTF_2;
++extern int asprintf (char **, const char *, ...) __THROWNL ATTRIBUTE_PRINTF_2;
+ #endif
+ 
+ /* Like asprintf but allocates memory without fail. This works like
+@@ -637,7 +637,7 @@ extern char *xasprintf (const char *, ..
+ /* Like vsprintf but provides a pointer to malloc'd storage, which
+    must be freed by the caller.  */
+ 
+-extern int vasprintf (char **, const char *, va_list) ATTRIBUTE_PRINTF(2,0);
++extern int vasprintf (char **, const char *, va_list) __THROWNL ATTRIBUTE_PRINTF(2,0);
+ #endif
+ 
+ /* Like vasprintf but allocates memory without fail. This works like
diff --git a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch b/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
deleted file mode 100644
index bef628f0a8..0000000000
--- a/gnu/packages/patches/libarchive-7zip-heap-overflow.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-Fix buffer overflow reading 7Zip files:
-
-https://github.com/libarchive/libarchive/issues/761
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126
-
-From 7f17c791dcfd8c0416e2cd2485b19410e47ef126 Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 18 Sep 2016 18:14:58 -0700
-Subject: [PATCH] Issue 761:  Heap overflow reading corrupted 7Zip files
-
-The sample file that demonstrated this had multiple 'EmptyStream'
-attributes.  The first one ended up being used to calculate
-certain statistics, then was overwritten by the second which
-was incompatible with those statistics.
-
-The fix here is to reject any header with multiple EmptyStream
-attributes.  While here, also reject headers with multiple
-EmptyFile, AntiFile, Name, or Attributes markers.
----
- libarchive/archive_read_support_format_7zip.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
-index 1dfe52b..c0a536c 100644
---- a/libarchive/archive_read_support_format_7zip.c
-+++ b/libarchive/archive_read_support_format_7zip.c
-@@ -2431,6 +2431,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 
- 		switch (type) {
- 		case kEmptyStream:
-+			if (h->emptyStreamBools != NULL)
-+				return (-1);
- 			h->emptyStreamBools = calloc((size_t)zip->numFiles,
- 			    sizeof(*h->emptyStreamBools));
- 			if (h->emptyStreamBools == NULL)
-@@ -2451,6 +2453,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 					return (-1);
- 				break;
- 			}
-+			if (h->emptyFileBools != NULL)
-+				return (-1);
- 			h->emptyFileBools = calloc(empty_streams,
- 			    sizeof(*h->emptyFileBools));
- 			if (h->emptyFileBools == NULL)
-@@ -2465,6 +2469,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 					return (-1);
- 				break;
- 			}
-+			if (h->antiBools != NULL)
-+				return (-1);
- 			h->antiBools = calloc(empty_streams,
- 			    sizeof(*h->antiBools));
- 			if (h->antiBools == NULL)
-@@ -2491,6 +2497,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 			if ((ll & 1) || ll < zip->numFiles * 4)
- 				return (-1);
- 
-+			if (zip->entry_names != NULL)
-+				return (-1);
- 			zip->entry_names = malloc(ll);
- 			if (zip->entry_names == NULL)
- 				return (-1);
-@@ -2543,6 +2551,8 @@ read_Header(struct archive_read *a, struct _7z_header_info *h,
- 			if ((p = header_bytes(a, 2)) == NULL)
- 				return (-1);
- 			allAreDefined = *p;
-+			if (h->attrBools != NULL)
-+				return (-1);
- 			h->attrBools = calloc((size_t)zip->numFiles,
- 			    sizeof(*h->attrBools));
- 			if (h->attrBools == NULL)
--- 
-2.10.0
-
diff --git a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch b/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
deleted file mode 100644
index bce63d5e4e..0000000000
--- a/gnu/packages/patches/libarchive-fix-filesystem-attacks.patch
+++ /dev/null
@@ -1,445 +0,0 @@
-This patch fixes two bugs that allow attackers to overwrite or change
-the permissions of arbitrary files:
-
-https://github.com/libarchive/libarchive/issues/745
-https://github.com/libarchive/libarchive/issues/746
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/dfd6b54ce33960e420fb206d8872fb759b577ad9
-
-From dfd6b54ce33960e420fb206d8872fb759b577ad9 Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 11 Sep 2016 13:21:57 -0700
-Subject: [PATCH] Fixes for Issue #745 and Issue #746 from Doran Moppert.
-
----
- libarchive/archive_write_disk_posix.c | 294 ++++++++++++++++++++++++++--------
- 1 file changed, 227 insertions(+), 67 deletions(-)
-
-diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
-index 8f0421e..abe1a86 100644
---- a/libarchive/archive_write_disk_posix.c
-+++ b/libarchive/archive_write_disk_posix.c
-@@ -326,12 +326,14 @@ struct archive_write_disk {
- 
- #define HFS_BLOCKS(s)	((s) >> 12)
- 
-+static int	check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
- static int	check_symlinks(struct archive_write_disk *);
- static int	create_filesystem_object(struct archive_write_disk *);
- static struct fixup_entry *current_fixup(struct archive_write_disk *, const char *pathname);
- #if defined(HAVE_FCHDIR) && defined(PATH_MAX)
- static void	edit_deep_directories(struct archive_write_disk *ad);
- #endif
-+static int	cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags);
- static int	cleanup_pathname(struct archive_write_disk *);
- static int	create_dir(struct archive_write_disk *, char *);
- static int	create_parent_dir(struct archive_write_disk *, char *);
-@@ -2014,6 +2016,10 @@ create_filesystem_object(struct archive_write_disk *a)
- 	const char *linkname;
- 	mode_t final_mode, mode;
- 	int r;
-+	/* these for check_symlinks_fsobj */
-+	char *linkname_copy;	/* non-const copy of linkname */
-+	struct archive_string error_string;
-+	int error_number;
- 
- 	/* We identify hard/symlinks according to the link names. */
- 	/* Since link(2) and symlink(2) don't handle modes, we're done here. */
-@@ -2022,6 +2028,27 @@ create_filesystem_object(struct archive_write_disk *a)
- #if !HAVE_LINK
- 		return (EPERM);
- #else
-+		archive_string_init(&error_string);
-+		linkname_copy = strdup(linkname);
-+		if (linkname_copy == NULL) {
-+		    return (EPERM);
-+		}
-+		/* TODO: consider using the cleaned-up path as the link target? */
-+		r = cleanup_pathname_fsobj(linkname_copy, &error_number, &error_string, a->flags);
-+		if (r != ARCHIVE_OK) {
-+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+			free(linkname_copy);
-+			/* EPERM is more appropriate than error_number for our callers */
-+			return (EPERM);
-+		}
-+		r = check_symlinks_fsobj(linkname_copy, &error_number, &error_string, a->flags);
-+		if (r != ARCHIVE_OK) {
-+			archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+			free(linkname_copy);
-+			/* EPERM is more appropriate than error_number for our callers */
-+			return (EPERM);
-+		}
-+		free(linkname_copy);
- 		r = link(linkname, a->name) ? errno : 0;
- 		/*
- 		 * New cpio and pax formats allow hardlink entries
-@@ -2362,115 +2389,228 @@ current_fixup(struct archive_write_disk *a, const char *pathname)
-  * recent paths.
-  */
- /* TODO: Extend this to support symlinks on Windows Vista and later. */
-+
-+/*
-+ * Checks the given path to see if any elements along it are symlinks.  Returns
-+ * ARCHIVE_OK if there are none, otherwise puts an error in errmsg.
-+ */
- static int
--check_symlinks(struct archive_write_disk *a)
-+check_symlinks_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
- {
- #if !defined(HAVE_LSTAT)
- 	/* Platform doesn't have lstat, so we can't look for symlinks. */
- 	(void)a; /* UNUSED */
-+	(void)path; /* UNUSED */
-+	(void)error_number; /* UNUSED */
-+	(void)error_string; /* UNUSED */
-+	(void)flags; /* UNUSED */
- 	return (ARCHIVE_OK);
- #else
--	char *pn;
-+	int res = ARCHIVE_OK;
-+	char *tail;
-+	char *head;
-+	int last;
- 	char c;
- 	int r;
- 	struct stat st;
-+	int restore_pwd;
-+
-+	/* Nothing to do here if name is empty */
-+	if(path[0] == '\0')
-+	    return (ARCHIVE_OK);
- 
- 	/*
- 	 * Guard against symlink tricks.  Reject any archive entry whose
- 	 * destination would be altered by a symlink.
-+	 *
-+	 * Walk the filename in chunks separated by '/'.  For each segment:
-+	 *  - if it doesn't exist, continue
-+	 *  - if it's symlink, abort or remove it
-+	 *  - if it's a directory and it's not the last chunk, cd into it
-+	 * As we go:
-+	 *  head points to the current (relative) path
-+	 *  tail points to the temporary \0 terminating the segment we're currently examining
-+	 *  c holds what used to be in *tail
-+	 *  last is 1 if this is the last tail
- 	 */
--	/* Whatever we checked last time doesn't need to be re-checked. */
--	pn = a->name;
--	if (archive_strlen(&(a->path_safe)) > 0) {
--		char *p = a->path_safe.s;
--		while ((*pn != '\0') && (*p == *pn))
--			++p, ++pn;
--	}
-+	restore_pwd = open(".", O_RDONLY | O_BINARY | O_CLOEXEC);
-+	__archive_ensure_cloexec_flag(restore_pwd);
-+	if (restore_pwd < 0)
-+		return (ARCHIVE_FATAL);
-+	head = path;
-+	tail = path;
-+	last = 0;
-+	/* TODO: reintroduce a safe cache here? */
- 	/* Skip the root directory if the path is absolute. */
--	if(pn == a->name && pn[0] == '/')
--		++pn;
--	c = pn[0];
--	/* Keep going until we've checked the entire name. */
--	while (pn[0] != '\0' && (pn[0] != '/' || pn[1] != '\0')) {
-+	if(tail == path && tail[0] == '/')
-+		++tail;
-+	/* Keep going until we've checked the entire name.
-+	 * head, tail, path all alias the same string, which is
-+	 * temporarily zeroed at tail, so be careful restoring the
-+	 * stashed (c=tail[0]) for error messages.
-+	 * Exiting the loop with break is okay; continue is not.
-+	 */
-+	while (!last) {
-+		/* Skip the separator we just consumed, plus any adjacent ones */
-+		while (*tail == '/')
-+		    ++tail;
- 		/* Skip the next path element. */
--		while (*pn != '\0' && *pn != '/')
--			++pn;
--		c = pn[0];
--		pn[0] = '\0';
-+		while (*tail != '\0' && *tail != '/')
-+			++tail;
-+		/* is this the last path component? */
-+		last = (tail[0] == '\0') || (tail[0] == '/' && tail[1] == '\0');
-+		/* temporarily truncate the string here */
-+		c = tail[0];
-+		tail[0] = '\0';
- 		/* Check that we haven't hit a symlink. */
--		r = lstat(a->name, &st);
-+		r = lstat(head, &st);
- 		if (r != 0) {
-+			tail[0] = c;
- 			/* We've hit a dir that doesn't exist; stop now. */
- 			if (errno == ENOENT) {
- 				break;
- 			} else {
--				/* Note: This effectively disables deep directory
-+				/* Treat any other error as fatal - best to be paranoid here
-+				 * Note: This effectively disables deep directory
- 				 * support when security checks are enabled.
- 				 * Otherwise, very long pathnames that trigger
- 				 * an error here could evade the sandbox.
- 				 * TODO: We could do better, but it would probably
- 				 * require merging the symlink checks with the
- 				 * deep-directory editing. */
--				return (ARCHIVE_FAILED);
-+				if (error_number) *error_number = errno;
-+				if (error_string)
-+					archive_string_sprintf(error_string,
-+							"Could not stat %s",
-+							path);
-+				res = ARCHIVE_FAILED;
-+				break;
-+			}
-+		} else if (S_ISDIR(st.st_mode)) {
-+			if (!last) {
-+				if (chdir(head) != 0) {
-+					tail[0] = c;
-+					if (error_number) *error_number = errno;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Could not chdir %s",
-+								path);
-+					res = (ARCHIVE_FATAL);
-+					break;
-+				}
-+				/* Our view is now from inside this dir: */
-+				head = tail + 1;
- 			}
- 		} else if (S_ISLNK(st.st_mode)) {
--			if (c == '\0') {
-+			if (last) {
- 				/*
- 				 * Last element is symlink; remove it
- 				 * so we can overwrite it with the
- 				 * item being extracted.
- 				 */
--				if (unlink(a->name)) {
--					archive_set_error(&a->archive, errno,
--					    "Could not remove symlink %s",
--					    a->name);
--					pn[0] = c;
--					return (ARCHIVE_FAILED);
-+				if (unlink(head)) {
-+					tail[0] = c;
-+					if (error_number) *error_number = errno;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Could not remove symlink %s",
-+								path);
-+					res = ARCHIVE_FAILED;
-+					break;
- 				}
--				a->pst = NULL;
- 				/*
- 				 * Even if we did remove it, a warning
- 				 * is in order.  The warning is silly,
- 				 * though, if we're just replacing one
- 				 * symlink with another symlink.
- 				 */
--				if (!S_ISLNK(a->mode)) {
--					archive_set_error(&a->archive, 0,
--					    "Removing symlink %s",
--					    a->name);
-+				tail[0] = c;
-+				/* FIXME:  not sure how important this is to restore
-+				if (!S_ISLNK(path)) {
-+					if (error_number) *error_number = 0;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Removing symlink %s",
-+								path);
- 				}
-+				*/
- 				/* Symlink gone.  No more problem! */
--				pn[0] = c;
--				return (0);
--			} else if (a->flags & ARCHIVE_EXTRACT_UNLINK) {
-+				res = ARCHIVE_OK;
-+				break;
-+			} else if (flags & ARCHIVE_EXTRACT_UNLINK) {
- 				/* User asked us to remove problems. */
--				if (unlink(a->name) != 0) {
--					archive_set_error(&a->archive, 0,
--					    "Cannot remove intervening symlink %s",
--					    a->name);
--					pn[0] = c;
--					return (ARCHIVE_FAILED);
-+				if (unlink(head) != 0) {
-+					tail[0] = c;
-+					if (error_number) *error_number = 0;
-+					if (error_string)
-+						archive_string_sprintf(error_string,
-+								"Cannot remove intervening symlink %s",
-+								path);
-+					res = ARCHIVE_FAILED;
-+					break;
- 				}
--				a->pst = NULL;
-+				tail[0] = c;
- 			} else {
--				archive_set_error(&a->archive, 0,
--				    "Cannot extract through symlink %s",
--				    a->name);
--				pn[0] = c;
--				return (ARCHIVE_FAILED);
-+				tail[0] = c;
-+				if (error_number) *error_number = 0;
-+				if (error_string)
-+					archive_string_sprintf(error_string,
-+							"Cannot extract through symlink %s",
-+							path);
-+				res = ARCHIVE_FAILED;
-+				break;
- 			}
- 		}
--		pn[0] = c;
--		if (pn[0] != '\0')
--			pn++; /* Advance to the next segment. */
-+		/* be sure to always maintain this */
-+		tail[0] = c;
-+		if (tail[0] != '\0')
-+			tail++; /* Advance to the next segment. */
- 	}
--	pn[0] = c;
--	/* We've checked and/or cleaned the whole path, so remember it. */
--	archive_strcpy(&a->path_safe, a->name);
--	return (ARCHIVE_OK);
-+	/* Catches loop exits via break */
-+	tail[0] = c;
-+#ifdef HAVE_FCHDIR
-+	/* If we changed directory above, restore it here. */
-+	if (restore_pwd >= 0) {
-+		r = fchdir(restore_pwd);
-+		if (r != 0) {
-+			if(error_number) *error_number = errno;
-+			if(error_string)
-+				archive_string_sprintf(error_string,
-+						"chdir() failure");
-+		}
-+		close(restore_pwd);
-+		restore_pwd = -1;
-+		if (r != 0) {
-+			res = (ARCHIVE_FATAL);
-+		}
-+	}
-+#endif
-+	/* TODO: reintroduce a safe cache here? */
-+	return res;
- #endif
- }
- 
-+/*
-+ * Check a->name for symlinks, returning ARCHIVE_OK if its clean, otherwise
-+ * calls archive_set_error and returns ARCHIVE_{FATAL,FAILED}
-+ */
-+static int
-+check_symlinks(struct archive_write_disk *a)
-+{
-+	struct archive_string error_string;
-+	int error_number;
-+	int rc;
-+	archive_string_init(&error_string);
-+	rc = check_symlinks_fsobj(a->name, &error_number, &error_string, a->flags);
-+	if (rc != ARCHIVE_OK) {
-+		archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+	}
-+	archive_string_free(&error_string);
-+	a->pst = NULL;	/* to be safe */
-+	return rc;
-+}
-+
-+
- #if defined(__CYGWIN__)
- /*
-  * 1. Convert a path separator from '\' to '/' .
-@@ -2544,15 +2684,17 @@ cleanup_pathname_win(struct archive_write_disk *a)
-  * is set) if the path is absolute.
-  */
- static int
--cleanup_pathname(struct archive_write_disk *a)
-+cleanup_pathname_fsobj(char *path, int *error_number, struct archive_string *error_string, int flags)
- {
- 	char *dest, *src;
- 	char separator = '\0';
- 
--	dest = src = a->name;
-+	dest = src = path;
- 	if (*src == '\0') {
--		archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
--		    "Invalid empty pathname");
-+		if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+		if (error_string)
-+		    archive_string_sprintf(error_string,
-+			    "Invalid empty pathname");
- 		return (ARCHIVE_FAILED);
- 	}
- 
-@@ -2561,9 +2703,11 @@ cleanup_pathname(struct archive_write_disk *a)
- #endif
- 	/* Skip leading '/'. */
- 	if (*src == '/') {
--		if (a->flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
--			archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
--			                  "Path is absolute");
-+		if (flags & ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS) {
-+			if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+			if (error_string)
-+			    archive_string_sprintf(error_string,
-+				    "Path is absolute");
- 			return (ARCHIVE_FAILED);
- 		}
- 
-@@ -2590,10 +2734,11 @@ cleanup_pathname(struct archive_write_disk *a)
- 			} else if (src[1] == '.') {
- 				if (src[2] == '/' || src[2] == '\0') {
- 					/* Conditionally warn about '..' */
--					if (a->flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
--						archive_set_error(&a->archive,
--						    ARCHIVE_ERRNO_MISC,
--						    "Path contains '..'");
-+					if (flags & ARCHIVE_EXTRACT_SECURE_NODOTDOT) {
-+						if (error_number) *error_number = ARCHIVE_ERRNO_MISC;
-+						if (error_string)
-+						    archive_string_sprintf(error_string,
-+							    "Path contains '..'");
- 						return (ARCHIVE_FAILED);
- 					}
- 				}
-@@ -2624,7 +2769,7 @@ cleanup_pathname(struct archive_write_disk *a)
- 	 * We've just copied zero or more path elements, not including the
- 	 * final '/'.
- 	 */
--	if (dest == a->name) {
-+	if (dest == path) {
- 		/*
- 		 * Nothing got copied.  The path must have been something
- 		 * like '.' or '/' or './' or '/././././/./'.
-@@ -2639,6 +2784,21 @@ cleanup_pathname(struct archive_write_disk *a)
- 	return (ARCHIVE_OK);
- }
- 
-+static int
-+cleanup_pathname(struct archive_write_disk *a)
-+{
-+	struct archive_string error_string;
-+	int error_number;
-+	int rc;
-+	archive_string_init(&error_string);
-+	rc = cleanup_pathname_fsobj(a->name, &error_number, &error_string, a->flags);
-+	if (rc != ARCHIVE_OK) {
-+		archive_set_error(&a->archive, error_number, "%s", error_string.s);
-+	}
-+	archive_string_free(&error_string);
-+	return rc;
-+}
-+
- /*
-  * Create the parent directory of the specified path, assuming path
-  * is already in mutable storage.
diff --git a/gnu/packages/patches/libarchive-fix-symlink-check.patch b/gnu/packages/patches/libarchive-fix-symlink-check.patch
deleted file mode 100644
index f042c31a84..0000000000
--- a/gnu/packages/patches/libarchive-fix-symlink-check.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Make sure to check for symlinks even if the pathname is very long:
-
-https://github.com/libarchive/libarchive/issues/744
-
-Patch copied from upstream repository:
-
-https://github.com/libarchive/libarchive/commit/1fa9c7bf90f0862036a99896b0501c381584451a
-
-From 1fa9c7bf90f0862036a99896b0501c381584451a Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 21 Aug 2016 17:11:45 -0700
-Subject: [PATCH] Issue #744 (part of Issue #743): Enforce sandbox with very
- long pathnames
-
-Because check_symlinks is handled separately from the deep-directory
-support, very long pathnames cause problems.  Previously, the code
-ignored most failures to lstat() a path component.  In particular,
-this led to check_symlinks always passing for very long paths, which
-in turn provides a way to evade the symlink checks in the sandboxing
-code.
-
-We now fail on unrecognized lstat() failures, which plugs this
-hole at the cost of disabling deep directory support when the
-user requests sandboxing.
-
-TODO:  This probably cannot be completely fixed without
-entirely reimplementing the deep directory support to
-integrate the symlink checks.  I want to reimplement the
-deep directory hanlding someday anyway; openat() and
-related system calls now provide a much cleaner way to
-handle deep directories than the chdir approach used by this
-code.
----
- libarchive/archive_write_disk_posix.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c
-index 39ee3b6..8f0421e 100644
---- a/libarchive/archive_write_disk_posix.c
-+++ b/libarchive/archive_write_disk_posix.c
-@@ -2401,8 +2401,18 @@ check_symlinks(struct archive_write_disk *a)
- 		r = lstat(a->name, &st);
- 		if (r != 0) {
- 			/* We've hit a dir that doesn't exist; stop now. */
--			if (errno == ENOENT)
-+			if (errno == ENOENT) {
- 				break;
-+			} else {
-+				/* Note: This effectively disables deep directory
-+				 * support when security checks are enabled.
-+				 * Otherwise, very long pathnames that trigger
-+				 * an error here could evade the sandbox.
-+				 * TODO: We could do better, but it would probably
-+				 * require merging the symlink checks with the
-+				 * deep-directory editing. */
-+				return (ARCHIVE_FAILED);
-+			}
- 		} else if (S_ISLNK(st.st_mode)) {
- 			if (c == '\0') {
- 				/*
diff --git a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch b/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
deleted file mode 100644
index 0e70ac90ce..0000000000
--- a/gnu/packages/patches/libarchive-safe_fprintf-buffer-overflow.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Fixes this buffer overflow:
-https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
-
-Patch copied from upstream source repository:
-https://github.com/libarchive/libarchive/commit/e37b620fe8f14535d737e89a4dcabaed4517bf1a
-
-From e37b620fe8f14535d737e89a4dcabaed4517bf1a Mon Sep 17 00:00:00 2001
-From: Tim Kientzle <kientzle@acm.org>
-Date: Sun, 21 Aug 2016 10:51:43 -0700
-Subject: [PATCH] Issue #767:  Buffer overflow printing a filename
-
-The safe_fprintf function attempts to ensure clean output for an
-arbitrary sequence of bytes by doing a trial conversion of the
-multibyte characters to wide characters -- if the resulting wide
-character is printable then we pass through the corresponding bytes
-unaltered, otherwise, we convert them to C-style ASCII escapes.
-
-The stack trace in Issue #767 suggest that the 20-byte buffer
-was getting overflowed trying to format a non-printable multibyte
-character.  This should only happen if there is a valid multibyte
-character of more than 5 bytes that was unprintable.  (Each byte
-would get expanded to a four-charcter octal-style escape of the form
-"\123" resulting in >20 characters for the >5 byte multibyte character.)
-
-I've not been able to reproduce this, but have expanded the conversion
-buffer to 128 bytes on the belief that no multibyte character set
-has a single character of more than 32 bytes.
----
- tar/util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tar/util.c b/tar/util.c
-index 9ff22f2..2b4aebe 100644
---- a/tar/util.c
-+++ b/tar/util.c
-@@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
- 		}
- 
- 		/* If our output buffer is full, dump it and keep going. */
--		if (i > (sizeof(outbuff) - 20)) {
-+		if (i > (sizeof(outbuff) - 128)) {
- 			outbuff[i] = '\0';
- 			fprintf(f, "%s", outbuff);
- 			i = 0;
diff --git a/gnu/packages/patches/sed-hurd-path-max.patch b/gnu/packages/patches/sed-hurd-path-max.patch
deleted file mode 100644
index 5226cba4cb..0000000000
--- a/gnu/packages/patches/sed-hurd-path-max.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-7bb8d35d0330161a5af5341471d0c183a067e8c2
-Author: Jose E. Marchesi <jemarch@gnu.org>
-Date:   Sun Oct 6 14:43:38 2013 +0200
-
-    Set PATH_MAX to some constant in case it is not defined in system
-    headers.
-    
-    2013-10-06  Jose E. Marchesi  <jemarch@gnu.org>
-    
-    	* basicdefs.h (PATH_MAX): Defined to some constant in case it is
-    	not defined by system headers.
-    	* sed/utils.c: Do not include pathmax.h anymore.
-    	* bootstrap.conf (gnulib_modules): Do not use the gnulib module
-    	pathmax.
-
-diff --git a/basicdefs.h b/basicdefs.h
-index 0d28a97..09f5beb 100644
---- a/basicdefs.h
-+++ b/basicdefs.h
-@@ -40,6 +41,13 @@ typedef unsigned long countT;
- #define obstack_chunk_alloc  ck_malloc
- #define obstack_chunk_free   free
- 
-+/* MAX_PATH is not defined in some platforms, most notably GNU/Hurd.
-+   In that case we define it here to some constant.  Note however that
-+   this relies in the fact that sed does reallocation if a buffer
-+   needs to be larger than PATH_MAX.  */
-+#ifndef PATH_MAX
-+# define PATH_MAX 200
-+#endif
- 
- /* handle misdesigned <ctype.h> macros (snarfed from lib/regex.c) */
- /* Jim Meyering writes:
- 
diff --git a/gnu/packages/patches/tar-CVE-2016-6321.patch b/gnu/packages/patches/tar-CVE-2016-6321.patch
new file mode 100644
index 0000000000..b79be9bc94
--- /dev/null
+++ b/gnu/packages/patches/tar-CVE-2016-6321.patch
@@ -0,0 +1,51 @@
+Fix CVE-2016-6321:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
+https://security-tracker.debian.org/tracker/CVE-2016-6321
+
+Patch adapted from upstream source repository (the changes to 'NEWS'
+don't apply to the Tar 1.29 release tarball).
+
+http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f67165d
+
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: [PATCH] When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+---
+ NEWS          | 8 +++++++-
+ src/extract.c | 8 ++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++		      && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++    ERROR ((0, 0, _("%s: Member name contains '..'"),
++	    quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++      || skip_dotdot_name
+       || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+     {
+-- 
+2.11.0
+
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
index a84ff43d77..16b098517a 100644
--- a/gnu/packages/php.scm
+++ b/gnu/packages/php.scm
@@ -309,7 +309,7 @@
        ("pcre" ,pcre)
        ("postgresql" ,postgresql)
        ("readline" ,readline)
-       ("sqlite" ,sqlite-3.15.1)
+       ("sqlite" ,sqlite)
        ("tidy" ,tidy)
        ("zip" ,zip)
        ("zlib" ,zlib)))
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 0fe6598bb2..5b6800346c 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -85,7 +85,7 @@ remote applications.")
 (define-public libssh2
   (package
    (name "libssh2")
-   (version "1.7.0")
+   (version "1.8.0")
    (source (origin
             (method url-fetch)
             (uri (string-append
@@ -93,7 +93,7 @@ remote applications.")
                    version ".tar.gz"))
             (sha256
              (base32
-              "116mh112w48vv9k3f15ggp5kxw5sj4b88dzb5j69llsh7ba1ymp4"))))
+              "1m3n8spv79qhjq4yi0wgly5s5rc8783jb1pyra9bkx1md0plxwrr"))))
    (build-system gnu-build-system)
    ;; The installed libssh2.pc file does not include paths to libgcrypt and
    ;; zlib libraries, so we need to propagate the inputs.
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index e577421fac..111942ab1f 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -138,7 +138,7 @@ living in the same process.")
 (define-public gnutls
   (package
     (name "gnutls")
-    (version "3.5.4")
+    (version "3.5.7")
     (source (origin
              (method url-fetch)
              (uri
@@ -149,7 +149,7 @@ living in the same process.")
                              "/gnutls-" version ".tar.xz"))
              (sha256
               (base32
-               "1sx8p7v452s9m854r2c5pvcd1k15a3caiv5h35fhrxz0691h2f2f"))))
+               "06l6sza1wk7cr910i70jbc68labklkd229kiiniwys32kq8zrjv0"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags
@@ -294,7 +294,6 @@ required structures.")
                    (lib    (string-append out "/lib"))
                    (static (assoc-ref outputs "static"))
                    (slib   (string-append static "/lib")))
-              (mkdir-p slib)
               (for-each (lambda (file)
                           (install-file file slib)
                           (delete-file file))
diff --git a/gnu/packages/xorg.scm b/gnu/packages/xorg.scm
index 3930d21617..1267d3106d 100644
--- a/gnu/packages/xorg.scm
+++ b/gnu/packages/xorg.scm
@@ -3830,7 +3830,7 @@ extension to the X11 protocol.  It includes:
 (define-public xkeyboard-config
   (package
     (name "xkeyboard-config")
-    (version "2.18")
+    (version "2.19")
     (source
       (origin
         (method url-fetch)
@@ -3840,7 +3840,7 @@ extension to the X11 protocol.  It includes:
               ".tar.bz2"))
         (sha256
           (base32
-            "1l6x2w357ja8vm94ns79s7yj9a5dlr01r9dxrjvzwncadiyr27f4"))))
+            "09sqyi430bbg13pp8j0j60p9p9xn2lpqx38xw1lyv77bp63d3pw3"))))
     (build-system gnu-build-system)
     (inputs
       `(("gettext" ,gettext-minimal)
@@ -4774,7 +4774,7 @@ script around the mkfontscale program.")
 (define-public xproto
   (package
     (name "xproto")
-    (version "7.0.29")
+    (version "7.0.31")
     (source
       (origin
         (method url-fetch)
@@ -4784,7 +4784,7 @@ script around the mkfontscale program.")
                ".tar.bz2"))
         (sha256
           (base32
-            "12lzpa9mrzkyrhrphzpi1014np3328qg7mdq08wj6wyaj9q4f6kc"))))
+            "0ivpxz0rx2a7nahkpkhfgymz7j0pwzaqvyqpdgw9afmxl1yp9yf6"))))
     (build-system gnu-build-system)
     (propagated-inputs
       `(("util-macros" ,util-macros))) ; to get util-macros in (almost?) all package inputs