Merge branch 'glibc-2.22' into staging

I'm running whole my working notebook on 2.22 without any problems. I don't expect any significant issues.
2016-02-25 08:42:59 +01:00 · 2016-02-25 08:42:59 +01:00 · 30b7bd8d01
commit 30b7bd8d01
parent ef86e9506d 59617de6d7
44 changed files with 199 additions and 1123 deletions
--- a/lib/types.nix
+++ b/lib/types.nix
@ -93,7 +93,7 @@ rec {
    # derivation is a reserved keyword.
    package = mkOptionType {
-      name = "derivation";
+      name = "package";
      check = x: isDerivation x || isStorePath x;
      merge = loc: defs:
        let res = mergeOneOption loc defs;
--- a/nixos/modules/services/computing/slurm/slurm.nix
+++ b/nixos/modules/services/computing/slurm/slurm.nix
@ -37,6 +37,7 @@ in
      package = mkOption {
        type = types.package;
        default = pkgs.slurm-llnl;
        defaultText = "pkgs.slurm-llnl";
        example = literalExample "pkgs.slurm-llnl-full";
        description = ''
          The packge to use for slurm binaries.
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@ -61,6 +61,7 @@ in {
      package = mkOption {
        type = types.package;
        default = pkgs.matrix-synapse;
        defaultText = "pkgs.matrix-synapse";
        description = ''
          Overridable attribute of the matrix synapse server package to use.
        '';
--- a/nixos/modules/services/misc/plex.nix
+++ b/nixos/modules/services/misc/plex.nix
@ -58,6 +58,7 @@ in
      package = mkOption {
        type = types.package;
        default = pkgs.plex;
        defaultText = "pkgs.plex";
        description = ''
          The Plex package to use. Plex subscribers may wish to use their own
          package here, pointing to subscriber-only server versions.
--- a/nixos/modules/services/monitoring/collectd.nix
+++ b/nixos/modules/services/monitoring/collectd.nix
@ -34,6 +34,15 @@ in {
      type = bool;
    };
    package = mkOption {
      default = pkgs.collectd;
      defaultText = "pkgs.collectd";
      description = ''
        Which collectd package to use.
      '';
      type = package;
    };
    user = mkOption {
      default = "collectd";
      description = ''
--- a/nixos/modules/services/networking/consul.nix
+++ b/nixos/modules/services/networking/consul.nix
@ -33,6 +33,7 @@ in
      package = mkOption {
        type = types.package;
        default = pkgs.consul;
        defaultText = "pkgs.consul";
        description = ''
          The package used for the Consul agent and CLI.
        '';
--- a/nixos/modules/services/networking/ejabberd.nix
+++ b/nixos/modules/services/networking/ejabberd.nix
@ -32,6 +32,7 @@ in {
      package = mkOption {
        type = types.package;
        default = pkgs.ejabberd;
        defaultText = "pkgs.ejabberd";
        description = "ejabberd server package to use";
      };
--- a/nixos/modules/services/networking/tlsdated.nix
+++ b/nixos/modules/services/networking/tlsdated.nix
@ -26,6 +26,7 @@ in
      extraOptions = mkOption {
        type = types.string;
        default = "";
        description = ''
          Additional command line arguments to pass to tlsdated.
        '';
--- a/nixos/modules/services/security/haka.nix
+++ b/nixos/modules/services/security/haka.nix
@ -59,6 +59,7 @@ in
      package = mkOption {
        default = pkgs.haka;
        defaultText = "pkgs.haka";
        type = types.package;
        description = "
          Which Haka derivation to use.
--- a/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
@ -370,6 +370,7 @@ rec {
    package = mkOption {
      type = types.package;
      default = pkgs.owncloud70;
      defaultText = "pkgs.owncloud70";
      example = literalExample "pkgs.owncloud70";
      description = ''
          PostgreSQL package to use.
--- a/pkgs/applications/graphics/inkscape/default.nix
+++ b/pkgs/applications/graphics/inkscape/default.nix
@ -1,7 +1,7 @@
 { stdenv, fetchurl, pkgconfig, perl, perlXMLParser, gtk, libXft
 , libpng, zlib, popt, boehmgc, libxml2, libxslt, glib, gtkmm
 , glibmm, libsigcxx, lcms, boost, gettext, makeWrapper, intltool
-, gsl, python, pyxml, lxml, poppler, imagemagick, libwpg, librevenge
+, gsl, python, numpy, pyxml, lxml, poppler, imagemagick, libwpg, librevenge
 , libvisio, libcdr, libexif, unzip
 , boxMakerPlugin ? false # boxmaker plugin
 }:
@ -37,7 +37,7 @@ stdenv.mkDerivation rec {
  propagatedBuildInputs = [
    # Python is used at run-time to execute scripts, e.g., those from
    # the "Effects" menu.
-    python pyxml lxml
+    python pyxml numpy lxml
  ];
  buildInputs = [
@ -66,7 +66,7 @@ stdenv.mkDerivation rec {
    for i in "$out/bin/"*
    do
      wrapProgram "$i" --prefix PYTHONPATH :      \
-       "$(toPythonPath ${pyxml}):$(toPythonPath ${lxml})"  \
+       "$(toPythonPath ${pyxml}):$(toPythonPath ${lxml}):$(toPythonPath ${numpy})"  \
       --prefix PATH : ${python}/bin ||  \
        exit 2
    done
--- a/pkgs/applications/networking/cluster/spark/default.nix
+++ b/pkgs/applications/networking/cluster/spark/default.nix
@ -6,11 +6,11 @@ with stdenv.lib;
 stdenv.mkDerivation rec {
  name    = "spark-${version}";
-  version = "1.5.2";
+  version = "1.6.0";
  src = fetchzip {
    url    = "mirror://apache/spark/${name}/${name}-bin-cdh4.tgz";
-    sha256 = "0bgpz3bqj24flrbajzhbkz38fjsd53qmji1kls9izji8vprcjr5v";
+    sha256 = "0waq8xx4bjj1yvfbadv1gdvz8s4kh5zasicv2n5623ld6lj7zgad";
  };
  buildInputs = [ makeWrapper jre pythonPackages.python pythonPackages.numpy ]
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@ -267,7 +267,9 @@ EOF
    let
-      baseJson = writeText "${name}-config.json" (builtins.toJSON {
+      baseName = baseNameOf name;
      baseJson = writeText "${baseName}-config.json" (builtins.toJSON {
          created = "1970-01-01T00:00:01Z";
          architecture = "amd64";
          os = "linux";
@ -277,11 +279,11 @@ EOF
      layer = (if runAsRoot == null
               then mkPureLayer { inherit baseJson contents extraCommands; }
               else mkRootLayer { inherit baseJson fromImage fromImageName fromImageTag contents runAsRoot diskSize extraCommands; });
-      depsTarball = mkTarball { name = "${name}-deps";
+      depsTarball = mkTarball { name = "${baseName}-deps";
                                drv = layer;
                                onlyDeps = true; };
-      result = runCommand "${name}.tar.gz" {
+      result = runCommand "${baseName}.tar.gz" {
        buildInputs = [ jshon ];
        imageName = name;
--- a/pkgs/development/libraries/aws-sdk-cpp/default.nix
+++ b/pkgs/development/libraries/aws-sdk-cpp/default.nix
@ -1,4 +1,9 @@
-{ lib, stdenv, fetchFromGitHub, cmake, curl }:
+{ lib, stdenv, fetchFromGitHub, cmake, curl
 , # Allow building a limited set of APIs, e.g. ["s3" "ec2"].
  apis ? ["*"]
 , # Whether to enable AWS' custom memory management.
  customMemoryManagement ? true
 }:
 stdenv.mkDerivation rec {
  name = "aws-sdk-cpp-${version}";
@ -13,9 +18,10 @@ stdenv.mkDerivation rec {
  buildInputs = [ cmake curl ];
-  # FIXME: provide flags to build only part of the SDK, or put them in
+  cmakeFlags =
-  # different outputs.
+    lib.optional (!customMemoryManagement) "-DCUSTOM_MEMORY_MANAGEMENT=0"
-  # cmakeFlags = "-DBUILD_ONLY=aws-cpp-sdk-s3";
+    ++ lib.optional (apis != ["*"])
      "-DBUILD_ONLY=${lib.concatMapStringsSep ";" (api: "aws-cpp-sdk-" + api) apis}";
  enableParallelBuilding = true;
--- a/pkgs/development/libraries/glibc/builder.sh
+++ b/pkgs/development/libraries/glibc/builder.sh
@ -22,22 +22,11 @@ postInstall() {
    test -f $out/etc/ld.so.cache && rm $out/etc/ld.so.cache
-    # FIXME: Use `test -n $linuxHeaders' when `kernelHeaders' has been
+    if test -n "$linuxHeaders"; then
    # renamed.
    if test -z "$hurdHeaders"; then
        # Include the Linux kernel headers in Glibc, except the `scsi'
        # subdirectory, which Glibc provides itself.
        (cd $out/include && \
-         ln -sv $(ls -d $kernelHeaders/include/* | grep -v 'scsi$') .)
+         ln -sv $(ls -d $linuxHeaders/include/* | grep -v 'scsi$') .)
    fi
    if test -f "$out/lib/libhurduser.so"; then
        # libc.so, libhurduser.so, and libmachuser.so depend on each
        # other, so add them to libc.so (a RUNPATH on libc.so.0.3
        # would be ignored by the cross-linker.)
        echo "adding \`libhurduser.so' and \`libmachuser.so' to the \`libc.so' linker script..."
        sed -i "$out/lib/libc.so" \
            -e"s|\(libc\.so\.[^ ]\+\>\)|\1 $out/lib/libhurduser.so $out/lib/libmachuser.so|g"
    fi
    # Fix for NIXOS-54 (ldd not working on x86_64).  Make a symlink
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@ -3,27 +3,22 @@
 cross:
-{ name, fetchurl, fetchgit ? null, stdenv, installLocales ? false
+{ name, fetchurl, lib, stdenv, installLocales ? false
-, gccCross ? null, kernelHeaders ? null
+, gccCross ? null, linuxHeaders ? null
 , machHeaders ? null, hurdHeaders ? null, libpthreadHeaders ? null
 , mig ? null
 , profilingLibraries ? false, meta
 , withGd ? false, gd ? null, libpng ? null
 , preConfigure ? "", ... }@args:
 let
-  version = "2.21";
+  version = "2.23";
-
+  sha256 = "1lk9a8jv5kyx8hp0wmfzjyk047q95ybyjqbyw5idl7414jxqml1b";
 in
 assert cross != null -> gccCross != null;
 assert mig != null -> machHeaders != null;
 assert machHeaders != null -> hurdHeaders != null;
 assert hurdHeaders != null -> libpthreadHeaders != null;
 stdenv.mkDerivation ({
-  inherit kernelHeaders installLocales;
+  inherit linuxHeaders installLocales;
  # The host/target system.
  crossConfig = if cross != null then cross.config else null;
@ -32,9 +27,7 @@ stdenv.mkDerivation ({
  enableParallelBuilding = true;
-  /* Don't try to apply these patches to the Hurd's snapshot, which is
+  patches =
     older.  */
  patches = stdenv.lib.optionals (hurdHeaders == null)
    [ /* Have rpcgen(1) look for cpp(1) in $PATH.  */
      ./rpcgen-path.patch
@ -56,14 +49,6 @@ stdenv.mkDerivation ({
         "/bin:/usr/bin", which is inappropriate on NixOS machines. This
         patch extends the search path by "/run/current-system/sw/bin". */
      ./fix_path_attribute_in_getconf.patch
      ./security-4a28f4d5.patch
      ./security-bdf1ff05.patch
      ./cve-2014-8121.patch
      ./cve-2015-1781.patch
      ./cve-2015-7547.patch
      ./glibc-locale-incompatibility.patch
    ];
  postPatch =
@ -100,36 +85,35 @@ stdenv.mkDerivation ({
      "--sysconfdir=/etc"
      "--localedir=/var/run/current-system/sw/lib/locale"
      "libc_cv_ssp=no"
-      (if kernelHeaders != null
+      (if linuxHeaders != null
-       then "--with-headers=${kernelHeaders}/include"
+       then "--with-headers=${linuxHeaders}/include"
       else "--without-headers")
      (if profilingLibraries
       then "--enable-profile"
       else "--disable-profile")
-    ] ++ stdenv.lib.optionals (cross == null && kernelHeaders != null) [
+    ] ++ lib.optionals (cross == null && linuxHeaders != null) [
      "--enable-kernel=2.6.32"
-    ] ++ stdenv.lib.optionals (cross != null) [
+    ] ++ lib.optionals (cross != null) [
      (if cross.withTLS then "--with-tls" else "--without-tls")
      (if cross.float == "soft" then "--without-fp" else "--with-fp")
-    ] ++ stdenv.lib.optionals (cross != null
+    ] ++ lib.optionals (cross != null
          && cross.platform ? kernelMajor
          && cross.platform.kernelMajor == "2.6") [
      "--enable-kernel=2.6.0"
      "--with-__thread"
-    ] ++ stdenv.lib.optionals (cross == null && stdenv.isArm) [
+    ] ++ lib.optionals (cross == null && stdenv.isArm) [
      "--host=arm-linux-gnueabi"
      "--build=arm-linux-gnueabi"
      # To avoid linking with -lgcc_s (dynamic link)
      # so the glibc does not depend on its compiler store path
      "libc_cv_as_needed=no"
-    ] ++ stdenv.lib.optional withGd "--with-gd";
+    ] ++ lib.optional withGd "--with-gd";
  installFlags = [ "sysconfdir=$(out)/etc" ];
-  buildInputs = stdenv.lib.optionals (cross != null) [ gccCross ]
+  buildInputs = lib.optionals (cross != null) [ gccCross ]
-    ++ stdenv.lib.optional (mig != null) mig
+    ++ lib.optionals withGd [ gd libpng ];
    ++ stdenv.lib.optionals withGd [ gd libpng ];
  # Needed to install share/zoneinfo/zone.tab.  Set to impure /bin/sh to
  # prevent a retained dependency on the bootstrap tools in the stdenv-linux
@ -141,32 +125,22 @@ stdenv.mkDerivation ({
  # I.e. when gcc is compiled with --with-arch=i686, then the
  # preprocessor symbol `__i686' will be defined to `1'.  This causes
  # the symbol __i686.get_pc_thunk.dx to be mangled.
-  NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (stdenv.system == "i686-linux") "-U__i686"
+  NIX_CFLAGS_COMPILE = lib.optionalString (stdenv.system == "i686-linux") "-U__i686"
    + " -Wno-error=strict-prototypes";
 }
 # Remove the `gccCross' attribute so that the *native* glibc store path
 # doesn't depend on whether `gccCross' is null or not.
-// (removeAttrs args [ "gccCross" "fetchurl" "fetchgit" "withGd" "gd" "libpng" ]) //
+// (removeAttrs args [ "lib" "gccCross" "fetchurl" "withGd" "gd" "libpng" ]) //
 {
  name = name + "-${version}" +
-    stdenv.lib.optionalString (cross != null) "-${cross.config}";
+    lib.optionalString (cross != null) "-${cross.config}";
-  src =
+  src = fetchurl {
-    if hurdHeaders != null
+    url = "mirror://gnu/glibc/glibc-${version}.tar.gz";
-    then fetchgit {
+    inherit sha256;
-      # Shamefully the "official" glibc won't build on GNU, so use the one
+  };
      # maintained by the Hurd folks, `tschwinge/Roger_Whittaker' branch.
      # See <http://www.gnu.org/software/hurd/source_repositories/glibc.html>.
      url = "git://git.sv.gnu.org/hurd/glibc.git";
      sha256 = "cecec9dd5a2bafc875c56b058b6d7628a22b250b53747513dec304f31ffdb82d";
      rev = "d3cdecf18e6550b0984a42b43ed48c5fb26501e1";
    }
    else fetchurl {
      url = "mirror://gnu/glibc/glibc-${version}.tar.gz";
      sha256 = "0f4prv4c0fcpi85wv4028wqxn075197gwxhgf0vp571fiw2pi3wd";
    };
  # Remove absolute paths from `configure' & co.; build out-of-tree.
  preConfigure = ''
@ -182,17 +156,18 @@ stdenv.mkDerivation ({
    configureScript="`pwd`/../$sourceRoot/configure"
-    ${stdenv.lib.optionalString (stdenv.cc.libc != null)
+    ${lib.optionalString (stdenv.cc.libc != null)
      ''makeFlags="$makeFlags BUILD_LDFLAGS=-Wl,-rpath,${stdenv.cc.libc}/lib"''
    }
    ${preConfigure}
  '';
  preBuild = lib.optionalString withGd "unset NIX_DONT_SET_RPATH";
  meta = {
    homepage = http://www.gnu.org/software/libc/;
-    description = "The GNU C Library"
+    description = "The GNU C Library";
      + stdenv.lib.optionalString (hurdHeaders != null) ", for GNU/Hurd";
    longDescription =
      '' Any Unix-like operating system needs a C library: the library which
@ -203,24 +178,9 @@ stdenv.mkDerivation ({
         most systems with the Linux kernel.
      '';
-    license = stdenv.lib.licenses.lgpl2Plus;
+    license = lib.licenses.lgpl2Plus;
-    maintainers = [ ];
+    maintainers = [ lib.maintainers.eelco ];
-    #platforms = stdenv.lib.platforms.linux;
+    #platforms = lib.platforms.linux;
  } // meta;
 }
 // stdenv.lib.optionalAttrs withGd {
  preBuild = "unset NIX_DONT_SET_RPATH";
 }
 // stdenv.lib.optionalAttrs (hurdHeaders != null) {
  # Work around the fact that the configure snippet that looks for
  # <hurd/version.h> does not honor `--with-headers=$sysheaders' and that
  # glibc expects Mach, Hurd, and pthread headers to be in the same place.
  CPATH = "${hurdHeaders}/include:${machHeaders}/include:${libpthreadHeaders}/include";
  # Install NSS stuff in the right place.
  # XXX: This will be needed for all new glibcs and isn't Hurd-specific.
  makeFlags = ''vardbdir="$out/var/db"'';
 })
--- a/pkgs/development/libraries/glibc/cve-2014-8121.patch
+++ b/pkgs/development/libraries/glibc/cve-2014-8121.patch
@ -1,230 +0,0 @@
 From 03d2730b44cc2236318fd978afa2651753666c55 Mon Sep 17 00:00:00 2001
 From: Florian Weimer <fweimer@redhat.com>
 Date: Wed, 29 Apr 2015 14:41:25 +0200
 Subject: [PATCH] CVE-2014-8121: Do not close NSS files database during
 iteration [BZ #18007]
 MIME-Version: 1.0
 Content-Type: text/plain; charset=utf8
 Content-Transfer-Encoding: 8bit
 Robin Hack discovered Samba would enter an infinite loop processing
 certain quota-related requests.  We eventually tracked this down to a
 glibc issue.
 Running a (simplified) test case under strace shows that /etc/passwd
 is continuously opened and closed:
 â¦
 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
 lseek(3, 0, SEEK_CUR)                   = 0
 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
 lseek(3, 2717, SEEK_SET)                = 2717
 close(3)                                = 0
 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
 lseek(3, 0, SEEK_CUR)                   = 0
 lseek(3, 0, SEEK_SET)                   = 0
 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
 lseek(3, 2717, SEEK_SET)                = 2717
 close(3)                                = 0
 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
 lseek(3, 0, SEEK_CUR)                   = 0
 â¦
 The lookup function implementation in
 nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
 supposed skip closing the input file if it was already open.
  /* Reset file pointer to beginning or open file.  */			      \
  status = internal_setent (keep_stream);				      \
 									      \
  if (status == NSS_STATUS_SUCCESS)					      \
    {									      \
      /* Tell getent function that we have repositioned the file pointer.  */ \
      last_use = getby;							      \
 									      \
      while ((status = internal_getent (result, buffer, buflen, errnop	      \
 					H_ERRNO_ARG EXTRA_ARGS_VALUE))	      \
 	     == NSS_STATUS_SUCCESS)					      \
 	{ break_if_match }						      \
 									      \
      if (! keep_stream)						      \
 	internal_endent ();						      \
    }									      \
 keep_stream is initialized from the stayopen flag in internal_setent.
 internal_setent is called from the set*ent implementation as:
  status = internal_setent (stayopen);
 However, for non-host database, this flag is always 0, per the
 STAYOPEN magic in nss/getXXent_r.c.
 Thus, the fix is this:
 -  status = internal_setent (stayopen);
 +  status = internal_setent (1);
 This is not a behavioral change even for the hosts database (where the
 application can specify the stayopen flag) because with a call to
 sethostent(0), the file handle is still not closed in the
 implementation of gethostent.
 ---
 ChangeLog                 |   8 ++++
 NEWS                      |  12 +++--
 nss/Makefile              |   2 +-
 nss/nss_files/files-XXX.c |   2 +-
 nss/tst-nss-getpwent.c    | 118 ++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 136 insertions(+), 6 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c
 diff --git a/nss/Makefile b/nss/Makefile
 index d75dad2..65ab7b5 100644
 --- a/nss/Makefile
 +++ b/nss/Makefile
@@ -47,7 +47,7 @@ install-bin             := getent makedb
 makedb-modules = xmalloc hash-string
 extra-objs		+= $(makedb-modules:=.o)
 -tests			= test-netdb tst-nss-test1 test-digits-dots
 +tests			= test-netdb tst-nss-test1 test-digits-dots tst-nss-getpwent
 xtests			= bug-erange
 # Specify rules for the nss_* modules.  We have some services.
 diff --git a/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c
 index a7a45e5..a7ce5ea 100644
 --- a/nss/nss_files/files-XXX.c
 +++ b/nss/nss_files/files-XXX.c
@@ -134,7 +134,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
   __libc_lock_lock (lock);
 -  status = internal_setent (stayopen);
 +  status = internal_setent (1);
   if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
     {
 diff --git a/nss/tst-nss-getpwent.c b/nss/tst-nss-getpwent.c
 new file mode 100644
 index 0000000..f2e8abc
 --- /dev/null
 +++ b/nss/tst-nss-getpwent.c
@@ -0,0 +1,118 @@
 +/* Copyright (C) 2015 Free Software Foundation, Inc.
 +   This file is part of the GNU C Library.
 +
 +   The GNU C Library is free software; you can redistribute it and/or
 +   modify it under the terms of the GNU Lesser General Public
 +   License as published by the Free Software Foundation; either
 +   version 2.1 of the License, or (at your option) any later version.
 +
 +   The GNU C Library is distributed in the hope that it will be useful,
 +   but WITHOUT ANY WARRANTY; without even the implied warranty of
 +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +   Lesser General Public License for more details.
 +
 +   You should have received a copy of the GNU Lesser General Public
 +   License along with the GNU C Library; if not, see
 +   <http://www.gnu.org/licenses/>.  */
 +
 +#include <pwd.h>
 +#include <stdbool.h>
 +#include <stdio.h>
 +#include <stdlib.h>
 +#include <string.h>
 +
 +int
 +do_test (void)
 +{
 +  /* Count the number of entries in the password database, and fetch
 +     data from the first and last entries.  */
 +  size_t count = 0;
 +  struct passwd * pw;
 +  char *first_name = NULL;
 +  uid_t first_uid = 0;
 +  char *last_name = NULL;
 +  uid_t last_uid = 0;
 +  setpwent ();
 +  while ((pw  = getpwent ()) != NULL)
 +    {
 +      if (first_name == NULL)
 +	{
 +	  first_name = strdup (pw->pw_name);
 +	  if (first_name == NULL)
 +	    {
 +	      printf ("strdup: %m\n");
 +	      return 1;
 +	    }
 +	  first_uid = pw->pw_uid;
 +	}
 +
 +      free (last_name);
 +      last_name = strdup (pw->pw_name);
 +      if (last_name == NULL)
 +	{
 +	  printf ("strdup: %m\n");
 +	  return 1;
 +	}
 +      last_uid = pw->pw_uid;
 +      ++count;
 +    }
 +  endpwent ();
 +
 +  if (count == 0)
 +    {
 +      printf ("No entries in the password database.\n");
 +      return 0;
 +    }
 +
 +  /* Try again, this time interleaving with name-based and UID-based
 +     lookup operations.  The counts do not match if the interleaved
 +     lookups affected the enumeration.  */
 +  size_t new_count = 0;
 +  setpwent ();
 +  while ((pw  = getpwent ()) != NULL)
 +    {
 +      if (new_count == count)
 +	{
 +	  printf ("Additional entry in the password database.\n");
 +	  return 1;
 +	}
 +      ++new_count;
 +      struct passwd *pw2 = getpwnam (first_name);
 +      if (pw2 == NULL)
 +	{
 +	  printf ("getpwnam (%s) failed: %m\n", first_name);
 +	  return 1;
 +	}
 +      pw2 = getpwnam (last_name);
 +      if (pw2 == NULL)
 +	{
 +	  printf ("getpwnam (%s) failed: %m\n", last_name);
 +	  return 1;
 +	}
 +      pw2 = getpwuid (first_uid);
 +      if (pw2 == NULL)
 +	{
 +	  printf ("getpwuid (%llu) failed: %m\n",
 +		  (unsigned long long) first_uid);
 +	  return 1;
 +	}
 +      pw2 = getpwuid (last_uid);
 +      if (pw2 == NULL)
 +	{
 +	  printf ("getpwuid (%llu) failed: %m\n",
 +		  (unsigned long long) last_uid);
 +	  return 1;
 +	}
 +    }
 +  endpwent ();
 +  if (new_count < count)
 +    {
 +      printf ("Missing entry in the password database.\n");
 +      return 1;
 +    }
 +
 +  return 0;
 +}
 +
 +#define TEST_FUNCTION do_test ()
 +#include "../test-skeleton.c"
--- a/pkgs/development/libraries/glibc/cve-2015-1781.patch
+++ b/pkgs/development/libraries/glibc/cve-2015-1781.patch
@ -1,27 +0,0 @@
 From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001
 From: Arjun Shankar <arjun.is@lostca.se>
 Date: Tue, 21 Apr 2015 14:06:31 +0200
 Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow
 [BZ#18287]
 ---
 ChangeLog                 | 6 ++++++
 NEWS                      | 9 ++++++++-
 resolv/nss_dns/dns-host.c | 3 ++-
 3 files changed, 16 insertions(+), 2 deletions(-)
 diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
 index b16b0dd..d8c5579 100644
 --- a/resolv/nss_dns/dns-host.c
 +++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
   int have_to_map = 0;
   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
   buffer += pad;
 -  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
 +  buflen = buflen > pad ? buflen - pad : 0;
 +  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
     {
       /* The buffer is too small.  */
     too_small:
--- a/pkgs/development/libraries/glibc/cve-2015-7547.patch
+++ b/pkgs/development/libraries/glibc/cve-2015-7547.patch
@ -1,573 +0,0 @@
 CVE-2015-7547
 2016-02-15  Carlos O'Donell  <carlos@redhat.com>
 	[BZ #18665]
 	* resolv/nss_dns/dns-host.c (gaih_getanswer_slice): Always set
 	*herrno_p.
 	(gaih_getanswer): Document functional behviour. Return tryagain
 	if any result is tryagain.
 	* resolv/res_query.c (__libc_res_nsearch): Set buffer size to zero
 	when freed.
 	* resolv/res_send.c: Add copyright text.
 	(__libc_res_nsend): Document that MAXPACKET is expected.
 	(send_vc): Document. Remove buffer reuse.
 	(send_dg): Document. Remove buffer reuse. Set *thisanssizp to set the
 	size of the buffer. Add Dprint for truncated UDP buffer.
 diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
 index a255d5e..47cfe27 100644
 --- a/resolv/nss_dns/dns-host.c
 +++ b/resolv/nss_dns/dns-host.c
@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
   int h_namelen = 0;
   if (ancount == 0)
 -    return NSS_STATUS_NOTFOUND;
 +    {
 +      *h_errnop = HOST_NOT_FOUND;
 +      return NSS_STATUS_NOTFOUND;
 +    }
   while (ancount-- > 0 && cp < end_of_message && had_error == 0)
     {
@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
   /* Special case here: if the resolver sent a result but it only
      contains a CNAME while we are looking for a T_A or T_AAAA record,
      we fail with NOTFOUND instead of TRYAGAIN.  */
 -  return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
 +  if (canon != NULL)
 +    {
 +      *h_errnop = HOST_NOT_FOUND;
 +      return NSS_STATUS_NOTFOUND;
 +    }
 +
 +  *h_errnop = NETDB_INTERNAL;
 +  return NSS_STATUS_TRYAGAIN;
 }
@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2,
   enum nss_status status = NSS_STATUS_NOTFOUND;
 +  /* Combining the NSS status of two distinct queries requires some
 +     compromise and attention to symmetry (A or AAAA queries can be
 +     returned in any order).  What follows is a breakdown of how this
 +     code is expected to work and why. We discuss only SUCCESS,
 +     TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns
 +     that apply (though RETURN and MERGE exist).  We make a distinction
 +     between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable).
 +     A recoverable TRYAGAIN is almost always due to buffer size issues
 +     and returns ERANGE in errno and the caller is expected to retry
 +     with a larger buffer.
 +
 +     Lastly, you may be tempted to make significant changes to the
 +     conditions in this code to bring about symmetry between responses.
 +     Please don't change anything without due consideration for
 +     expected application behaviour.  Some of the synthesized responses
 +     aren't very well thought out and sometimes appear to imply that
 +     IPv4 responses are always answer 1, and IPv6 responses are always
 +     answer 2, but that's not true (see the implemetnation of send_dg
 +     and send_vc to see response can arrive in any order, particlarly
 +     for UDP). However, we expect it holds roughly enough of the time
 +     that this code works, but certainly needs to be fixed to make this
 +     a more robust implementation.
 +
 +     ----------------------------------------------
 +     | Answer 1 Status /   | Synthesized | Reason |
 +     | Answer 2 Status     | Status      |        |
 +     |--------------------------------------------|
 +     | SUCCESS/SUCCESS     | SUCCESS     | [1]    |
 +     | SUCCESS/TRYAGAIN    | TRYAGAIN    | [5]    |
 +     | SUCCESS/TRYAGAIN'   | SUCCESS     | [1]    |
 +     | SUCCESS/NOTFOUND    | SUCCESS     | [1]    |
 +     | SUCCESS/UNAVAIL     | SUCCESS     | [1]    |
 +     | TRYAGAIN/SUCCESS    | TRYAGAIN    | [2]    |
 +     | TRYAGAIN/TRYAGAIN   | TRYAGAIN    | [2]    |
 +     | TRYAGAIN/TRYAGAIN'  | TRYAGAIN    | [2]    |
 +     | TRYAGAIN/NOTFOUND   | TRYAGAIN    | [2]    |
 +     | TRYAGAIN/UNAVAIL    | TRYAGAIN    | [2]    |
 +     | TRYAGAIN'/SUCCESS   | SUCCESS     | [3]    |
 +     | TRYAGAIN'/TRYAGAIN  | TRYAGAIN    | [3]    |
 +     | TRYAGAIN'/TRYAGAIN' | TRYAGAIN'   | [3]    |
 +     | TRYAGAIN'/NOTFOUND  | TRYAGAIN'   | [3]    |
 +     | TRYAGAIN'/UNAVAIL   | UNAVAIL     | [3]    |
 +     | NOTFOUND/SUCCESS    | SUCCESS     | [3]    |
 +     | NOTFOUND/TRYAGAIN   | TRYAGAIN    | [3]    |
 +     | NOTFOUND/TRYAGAIN'  | TRYAGAIN'   | [3]    |
 +     | NOTFOUND/NOTFOUND   | NOTFOUND    | [3]    |
 +     | NOTFOUND/UNAVAIL    | UNAVAIL     | [3]    |
 +     | UNAVAIL/SUCCESS     | UNAVAIL     | [4]    |
 +     | UNAVAIL/TRYAGAIN    | UNAVAIL     | [4]    |
 +     | UNAVAIL/TRYAGAIN'   | UNAVAIL     | [4]    |
 +     | UNAVAIL/NOTFOUND    | UNAVAIL     | [4]    |
 +     | UNAVAIL/UNAVAIL     | UNAVAIL     | [4]    |
 +     ----------------------------------------------
 +
 +     [1] If the first response is a success we return success.
 +         This ignores the state of the second answer and in fact
 +         incorrectly sets errno and h_errno to that of the second
 +	 answer.  However because the response is a success we ignore
 +	 *errnop and *h_errnop (though that means you touched errno on
 +         success).  We are being conservative here and returning the
 +         likely IPv4 response in the first answer as a success.
 +
 +     [2] If the first response is a recoverable TRYAGAIN we return
 +	 that instead of looking at the second response.  The
 +	 expectation here is that we have failed to get an IPv4 response
 +	 and should retry both queries.
 +
 +     [3] If the first response was not a SUCCESS and the second
 +	 response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN,
 +	 or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the
 +	 result from the second response, otherwise the first responses
 +	 status is used.  Again we have some odd side-effects when the
 +	 second response is NOTFOUND because we overwrite *errnop and
 +	 *h_errnop that means that a first answer of NOTFOUND might see
 +	 its *errnop and *h_errnop values altered.  Whether it matters
 +	 in practice that a first response NOTFOUND has the wrong
 +	 *errnop and *h_errnop is undecided.
 +
 +     [4] If the first response is UNAVAIL we return that instead of
 +	 looking at the second response.  The expectation here is that
 +	 it will have failed similarly e.g. configuration failure.
 +
 +     [5] Testing this code is complicated by the fact that truncated
 +	 second response buffers might be returned as SUCCESS if the
 +	 first answer is a SUCCESS.  To fix this we add symmetry to
 +	 TRYAGAIN with the second response.  If the second response
 +	 is a recoverable error we now return TRYAGIN even if the first
 +	 response was SUCCESS.  */
 +
   if (anslen1 > 0)
     status = gaih_getanswer_slice(answer1, anslen1, qname,
 				  &pat, &buffer, &buflen,
 				  errnop, h_errnop, ttlp,
 				  &first);
 +
   if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
        || (status == NSS_STATUS_TRYAGAIN
 	   /* We want to look at the second answer in case of an
@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2,
 						     &pat, &buffer, &buflen,
 						     errnop, h_errnop, ttlp,
 						     &first);
 +      /* Use the second response status in some cases.  */
       if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
 	status = status2;
 +      /* Do not return a truncated second response (unless it was
 +         unavoidable e.g. unrecoverable TRYAGAIN).  */
 +      if (status == NSS_STATUS_SUCCESS
 +	  && (status2 == NSS_STATUS_TRYAGAIN
 +	      && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
 +	status = NSS_STATUS_TRYAGAIN;
     }
   return status;
 diff --git a/resolv/res_query.c b/resolv/res_query.c
 index 4a9b3b3..95470a9 100644
 --- a/resolv/res_query.c
 +++ b/resolv/res_query.c
@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
 		  {
 		    free (*answerp2);
 		    *answerp2 = NULL;
 +		    *nanswerp2 = 0;
 		    *answerp2_malloced = 0;
 		  }
 	}
@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
 			  {
 			    free (*answerp2);
 			    *answerp2 = NULL;
 +			    *nanswerp2 = 0;
 			    *answerp2_malloced = 0;
 			  }
@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
 	  {
 	    free (*answerp2);
 	    *answerp2 = NULL;
 +	    *nanswerp2 = 0;
 	    *answerp2_malloced = 0;
 	  }
 	if (saved_herrno != -1)
 diff --git a/resolv/res_send.c b/resolv/res_send.c
 index a968b95..21843f1 100644
 --- a/resolv/res_send.c
 +++ b/resolv/res_send.c
@@ -1,3 +1,20 @@
 +/* Copyright (C) 2016 Free Software Foundation, Inc.
 +   This file is part of the GNU C Library.
 +
 +   The GNU C Library is free software; you can redistribute it and/or
 +   modify it under the terms of the GNU Lesser General Public
 +   License as published by the Free Software Foundation; either
 +   version 2.1 of the License, or (at your option) any later version.
 +
 +   The GNU C Library is distributed in the hope that it will be useful,
 +   but WITHOUT ANY WARRANTY; without even the implied warranty of
 +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +   Lesser General Public License for more details.
 +
 +   You should have received a copy of the GNU Lesser General Public
 +   License along with the GNU C Library; if not, see
 +   <http://www.gnu.org/licenses/>.  */
 +
 /*
  * Copyright (c) 1985, 1989, 1993
  *    The Regents of the University of California.  All rights reserved.
@@ -355,6 +372,8 @@ __libc_res_nsend(res_state statp, const u_char *buf, int buflen,
 #ifdef USE_HOOKS
 	if (__glibc_unlikely (statp->qhook || statp->rhook))       {
 		if (anssiz < MAXPACKET && ansp) {
 +			/* Always allocate MAXPACKET, callers expect
 +			   this specific size.  */
 			u_char *buf = malloc (MAXPACKET);
 			if (buf == NULL)
 				return (-1);
@@ -630,6 +649,77 @@ get_nsaddr (res_state statp, int n)
     return (struct sockaddr *) (void *) &statp->nsaddr_list[n];
 }
 +/* The send_vc function is responsible for sending a DNS query over TCP
 +   to the nameserver numbered NS from the res_state STATP i.e.
 +   EXT(statp).nssocks[ns].  The function supports sending both IPv4 and
 +   IPv6 queries at the same serially on the same socket.
 +
 +   Please note that for TCP there is no way to disable sending both
 +   queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP
 +   and sends the queries serially and waits for the result after each
 +   sent query.  This implemetnation should be corrected to honour these
 +   options.
 +
 +   Please also note that for TCP we send both queries over the same
 +   socket one after another.  This technically violates best practice
 +   since the server is allowed to read the first query, respond, and
 +   then close the socket (to service another client).  If the server
 +   does this, then the remaining second query in the socket data buffer
 +   will cause the server to send the client an RST which will arrive
 +   asynchronously and the client's OS will likely tear down the socket
 +   receive buffer resulting in a potentially short read and lost
 +   response data.  This will force the client to retry the query again,
 +   and this process may repeat until all servers and connection resets
 +   are exhausted and then the query will fail.  It's not known if this
 +   happens with any frequency in real DNS server implementations.  This
 +   implementation should be corrected to use two sockets by default for
 +   parallel queries.
 +
 +   The query stored in BUF of BUFLEN length is sent first followed by
 +   the query stored in BUF2 of BUFLEN2 length.  Queries are sent
 +   serially on the same socket.
 +
 +   Answers to the query are stored firstly in *ANSP up to a max of
 +   *ANSSIZP bytes.  If more than *ANSSIZP bytes are needed and ANSCP
 +   is non-NULL (to indicate that modifying the answer buffer is allowed)
 +   then malloc is used to allocate a new response buffer and ANSCP and
 +   ANSP will both point to the new buffer.  If more than *ANSSIZP bytes
 +   are needed but ANSCP is NULL, then as much of the response as
 +   possible is read into the buffer, but the results will be truncated.
 +   When truncation happens because of a small answer buffer the DNS
 +   packets header feild TC will bet set to 1, indicating a truncated
 +   message and the rest of the socket data will be read and discarded.
 +
 +   Answers to the query are stored secondly in *ANSP2 up to a max of
 +   *ANSSIZP2 bytes, with the actual response length stored in
 +   *RESPLEN2.  If more than *ANSSIZP bytes are needed and ANSP2
 +   is non-NULL (required for a second query) then malloc is used to
 +   allocate a new response buffer, *ANSSIZP2 is set to the new buffer
 +   size and *ANSP2_MALLOCED is set to 1.
 +
 +   The ANSP2_MALLOCED argument will eventually be removed as the
 +   change in buffer pointer can be used to detect the buffer has
 +   changed and that the caller should use free on the new buffer.
 +
 +   Note that the answers may arrive in any order from the server and
 +   therefore the first and second answer buffers may not correspond to
 +   the first and second queries.
 +
 +   It is not supported to call this function with a non-NULL ANSP2
 +   but a NULL ANSCP.  Put another way, you can call send_vc with a
 +   single unmodifiable buffer or two modifiable buffers, but no other
 +   combination is supported.
 +
 +   It is the caller's responsibility to free the malloc allocated
 +   buffers by detecting that the pointers have changed from their
 +   original values i.e. *ANSCP or *ANSP2 has changed.
 +
 +   If errors are encountered then *TERRNO is set to an appropriate
 +   errno value and a zero result is returned for a recoverable error,
 +   and a less-than zero result is returned for a non-recoverable error.
 +
 +   If no errors are encountered then *TERRNO is left unmodified and
 +   a the length of the first response in bytes is returned.  */
 static int
 send_vc(res_state statp,
 	const u_char *buf, int buflen, const u_char *buf2, int buflen2,
@@ -639,11 +729,7 @@ send_vc(res_state statp,
 {
 	const HEADER *hp = (HEADER *) buf;
 	const HEADER *hp2 = (HEADER *) buf2;
 -	u_char *ans = *ansp;
 -	int orig_anssizp = *anssizp;
 -	// XXX REMOVE
 -	// int anssiz = *anssizp;
 -	HEADER *anhp = (HEADER *) ans;
 +	HEADER *anhp = (HEADER *) *ansp;
 	struct sockaddr_in6 *nsap = EXT(statp).nsaddrs[ns];
 	int truncating, connreset, n;
 	/* On some architectures compiler might emit a warning indicating
@@ -731,6 +817,8 @@ send_vc(res_state statp,
 	 * Receive length & response
 	 */
 	int recvresp1 = 0;
 +	/* Skip the second response if there is no second query.
 +           To do that we mark the second response as received.  */
 	int recvresp2 = buf2 == NULL;
 	uint16_t rlen16;
  read_len:
@@ -767,40 +855,14 @@ send_vc(res_state statp,
 	u_char **thisansp;
 	int *thisresplenp;
 	if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
 +		/* We have not received any responses
 +		   yet or we only have one response to
 +		   receive.  */
 		thisanssizp = anssizp;
 		thisansp = anscp ?: ansp;
 		assert (anscp != NULL || ansp2 == NULL);
 		thisresplenp = &resplen;
 	} else {
 -		if (*anssizp != MAXPACKET) {
 -			/* No buffer allocated for the first
 -			   reply.  We can try to use the rest
 -			   of the user-provided buffer.  */
 -#if __GNUC_PREREQ (4, 7)
 -			DIAG_PUSH_NEEDS_COMMENT;
 -			DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
 -#endif
 -#if _STRING_ARCH_unaligned
 -			*anssizp2 = orig_anssizp - resplen;
 -			*ansp2 = *ansp + resplen;
 -#else
 -			int aligned_resplen
 -			  = ((resplen + __alignof__ (HEADER) - 1)
 -			     & ~(__alignof__ (HEADER) - 1));
 -			*anssizp2 = orig_anssizp - aligned_resplen;
 -			*ansp2 = *ansp + aligned_resplen;
 -#endif
 -#if __GNUC_PREREQ (4, 7)
 -			DIAG_POP_NEEDS_COMMENT;
 -#endif
 -		} else {
 -			/* The first reply did not fit into the
 -			   user-provided buffer.  Maybe the second
 -			   answer will.  */
 -			*anssizp2 = orig_anssizp;
 -			*ansp2 = *ansp;
 -		}
 -
 		thisanssizp = anssizp2;
 		thisansp = ansp2;
 		thisresplenp = resplen2;
@@ -804,10 +870,14 @@ send_vc(res_state statp,
 	anhp = (HEADER *) *thisansp;
 	*thisresplenp = rlen;
 -	if (rlen > *thisanssizp) {
 -		/* Yes, we test ANSCP here.  If we have two buffers
 -		   both will be allocatable.  */
 -		if (__glibc_likely (anscp != NULL))       {
 +	/* Is the answer buffer too small?  */
 +	if (*thisanssizp < rlen) {
 +		/* If the current buffer is not the the static
 +		   user-supplied buffer then we can reallocate
 +		   it.  */
 +		if (thisansp != NULL && thisansp != ansp) {
 +			/* Always allocate MAXPACKET, callers expect
 +			   this specific size.  */
 			u_char *newp = malloc (MAXPACKET);
 			if (newp == NULL) {
 				*terrno = ENOMEM;
@@ -819,6 +889,9 @@ send_vc(res_state statp,
 			if (thisansp == ansp2)
 			  *ansp2_malloced = 1;
 			anhp = (HEADER *) newp;
 +			/* A uint16_t can't be larger than MAXPACKET
 +			   thus it's safe to allocate MAXPACKET but
 +			   read RLEN bytes instead.  */
 			len = rlen;
 		} else {
 			Dprint(statp->options & RES_DEBUG,
@@ -948,6 +1021,66 @@ reopen (res_state statp, int *terrno, int ns)
 	return 1;
 }
 +/* The send_dg function is responsible for sending a DNS query over UDP
 +   to the nameserver numbered NS from the res_state STATP i.e.
 +   EXT(statp).nssocks[ns].  The function supports IPv4 and IPv6 queries
 +   along with the ability to send the query in parallel for both stacks
 +   (default) or serially (RES_SINGLKUP).  It also supports serial lookup
 +   with a close and reopen of the socket used to talk to the server
 +   (RES_SNGLKUPREOP) to work around broken name servers.
 +
 +   The query stored in BUF of BUFLEN length is sent first followed by
 +   the query stored in BUF2 of BUFLEN2 length.  Queries are sent
 +   in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP).
 +
 +   Answers to the query are stored firstly in *ANSP up to a max of
 +   *ANSSIZP bytes.  If more than *ANSSIZP bytes are needed and ANSCP
 +   is non-NULL (to indicate that modifying the answer buffer is allowed)
 +   then malloc is used to allocate a new response buffer and ANSCP and
 +   ANSP will both point to the new buffer.  If more than *ANSSIZP bytes
 +   are needed but ANSCP is NULL, then as much of the response as
 +   possible is read into the buffer, but the results will be truncated.
 +   When truncation happens because of a small answer buffer the DNS
 +   packets header feild TC will bet set to 1, indicating a truncated
 +   message, while the rest of the UDP packet is discarded.
 +
 +   Answers to the query are stored secondly in *ANSP2 up to a max of
 +   *ANSSIZP2 bytes, with the actual response length stored in
 +   *RESPLEN2.  If more than *ANSSIZP bytes are needed and ANSP2
 +   is non-NULL (required for a second query) then malloc is used to
 +   allocate a new response buffer, *ANSSIZP2 is set to the new buffer
 +   size and *ANSP2_MALLOCED is set to 1.
 +
 +   The ANSP2_MALLOCED argument will eventually be removed as the
 +   change in buffer pointer can be used to detect the buffer has
 +   changed and that the caller should use free on the new buffer.
 +
 +   Note that the answers may arrive in any order from the server and
 +   therefore the first and second answer buffers may not correspond to
 +   the first and second queries.
 +
 +   It is not supported to call this function with a non-NULL ANSP2
 +   but a NULL ANSCP.  Put another way, you can call send_vc with a
 +   single unmodifiable buffer or two modifiable buffers, but no other
 +   combination is supported.
 +
 +   It is the caller's responsibility to free the malloc allocated
 +   buffers by detecting that the pointers have changed from their
 +   original values i.e. *ANSCP or *ANSP2 has changed.
 +
 +   If an answer is truncated because of UDP datagram DNS limits then
 +   *V_CIRCUIT is set to 1 and the return value non-zero to indicate to
 +   the caller to retry with TCP.  The value *GOTSOMEWHERE is set to 1
 +   if any progress was made reading a response from the nameserver and
 +   is used by the caller to distinguish between ECONNREFUSED and
 +   ETIMEDOUT (the latter if *GOTSOMEWHERE is 1).
 +
 +   If errors are encountered then *TERRNO is set to an appropriate
 +   errno value and a zero result is returned for a recoverable error,
 +   and a less-than zero result is returned for a non-recoverable error.
 +
 +   If no errors are encountered then *TERRNO is left unmodified and
 +   a the length of the first response in bytes is returned.  */
 static int
 send_dg(res_state statp,
 	const u_char *buf, int buflen, const u_char *buf2, int buflen2,
@@ -957,8 +1090,6 @@ send_dg(res_state statp,
 {
 	const HEADER *hp = (HEADER *) buf;
 	const HEADER *hp2 = (HEADER *) buf2;
 -	u_char *ans = *ansp;
 -	int orig_anssizp = *anssizp;
 	struct timespec now, timeout, finish;
 	struct pollfd pfd[1];
 	int ptimeout;
@@ -991,6 +1122,8 @@ send_dg(res_state statp,
 	int need_recompute = 0;
 	int nwritten = 0;
 	int recvresp1 = 0;
 +	/* Skip the second response if there is no second query.
 +           To do that we mark the second response as received.  */
 	int recvresp2 = buf2 == NULL;
 	pfd[0].fd = EXT(statp).nssocks[ns];
 	pfd[0].events = POLLOUT;
@@ -1154,55 +1287,56 @@ send_dg(res_state statp,
 		int *thisresplenp;
 		if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
 +			/* We have not received any responses
 +			   yet or we only have one response to
 +			   receive.  */
 			thisanssizp = anssizp;
 			thisansp = anscp ?: ansp;
 			assert (anscp != NULL || ansp2 == NULL);
 			thisresplenp = &resplen;
 		} else {
 -			if (*anssizp != MAXPACKET) {
 -				/* No buffer allocated for the first
 -				   reply.  We can try to use the rest
 -				   of the user-provided buffer.  */
 -#if _STRING_ARCH_unaligned
 -				*anssizp2 = orig_anssizp - resplen;
 -				*ansp2 = *ansp + resplen;
 -#else
 -				int aligned_resplen
 -				  = ((resplen + __alignof__ (HEADER) - 1)
 -				     & ~(__alignof__ (HEADER) - 1));
 -				*anssizp2 = orig_anssizp - aligned_resplen;
 -				*ansp2 = *ansp + aligned_resplen;
 -#endif
 -			} else {
 -				/* The first reply did not fit into the
 -				   user-provided buffer.  Maybe the second
 -				   answer will.  */
 -				*anssizp2 = orig_anssizp;
 -				*ansp2 = *ansp;
 -			}
 -
 			thisanssizp = anssizp2;
 			thisansp = ansp2;
 			thisresplenp = resplen2;
 		}
 		if (*thisanssizp < MAXPACKET
 -		    /* Yes, we test ANSCP here.  If we have two buffers
 -		       both will be allocatable.  */
 -		    && anscp
 +		    /* If the current buffer is not the the static
 +		       user-supplied buffer then we can reallocate
 +		       it.  */
 +		    && (thisansp != NULL && thisansp != ansp)
 #ifdef FIONREAD
 +		    /* Is the size too small?  */
 		    && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0
 			|| *thisanssizp < *thisresplenp)
 #endif
                     ) {
 +			/* Always allocate MAXPACKET, callers expect
 +			   this specific size.  */
 			u_char *newp = malloc (MAXPACKET);
 			if (newp != NULL) {
 -				*anssizp = MAXPACKET;
 -				*thisansp = ans = newp;
 +				*thisanssizp = MAXPACKET;
 +				*thisansp = newp;
 				if (thisansp == ansp2)
 				  *ansp2_malloced = 1;
 			}
 		}
 +		/* We could end up with truncation if anscp was NULL
 +		   (not allowed to change caller's buffer) and the
 +		   response buffer size is too small.  This isn't a
 +		   reliable way to detect truncation because the ioctl
 +		   may be an inaccurate report of the UDP message size.
 +		   Therefore we use this only to issue debug output.
 +		   To do truncation accurately with UDP we need
 +		   MSG_TRUNC which is only available on Linux.  We
 +		   can abstract out the Linux-specific feature in the
 +		   future to detect truncation.  */
 +		if (__glibc_unlikely (*thisanssizp < *thisresplenp)) {
 +			Dprint(statp->options & RES_DEBUG,
 +			       (stdout, ";; response may be truncated (UDP)\n")
 +			);
 +		}
 +
 		HEADER *anhp = (HEADER *) *thisansp;
 		socklen_t fromlen = sizeof(struct sockaddr_in6);
 		assert (sizeof(from) <= fromlen);
--- a/pkgs/development/libraries/glibc/default.nix
+++ b/pkgs/development/libraries/glibc/default.nix
@ -1,6 +1,4 @@
-{ stdenv, fetchurl, fetchgit ? null, kernelHeaders
+{ lib, stdenv, fetchurl, linuxHeaders
 , machHeaders ? null, hurdHeaders ? null, libpthreadHeaders ? null
 , mig ? null
 , installLocales ? true
 , profilingLibraries ? false
 , gccCross ? null
@ -16,11 +14,10 @@ let
 in
  build cross ({
    name = "glibc"
-      + stdenv.lib.optionalString (hurdHeaders != null) "-hurd"
+      + lib.optionalString debugSymbols "-debug"
-      + stdenv.lib.optionalString debugSymbols "-debug"
+      + lib.optionalString withGd "-gd";
      + stdenv.lib.optionalString withGd "-gd";
-    inherit fetchurl fetchgit stdenv kernelHeaders installLocales
+    inherit lib stdenv fetchurl linuxHeaders installLocales
      profilingLibraries gccCross withGd gd libpng;
    builder = ./builder.sh;
@ -58,23 +55,6 @@ in
  //
  (if hurdHeaders != null
   then rec {
     inherit machHeaders hurdHeaders libpthreadHeaders mig fetchgit;
     propagatedBuildInputs = [ machHeaders hurdHeaders libpthreadHeaders ];
     passthru = {
       # When building GCC itself `propagatedBuildInputs' above is not
       # honored, so we pass it here so that the GCC builder can do the right
       # thing.
       inherit propagatedBuildInputs;
     };
   }
   else { })
  //
  (if cross != null
   then {
      preConfigure = ''
--- a/pkgs/development/libraries/glibc/glibc-locale-incompatibility.patch
+++ b/pkgs/development/libraries/glibc/glibc-locale-incompatibility.patch
@ -1,25 +0,0 @@
 http://git.savannah.gnu.org/cgit/guix.git/plain/gnu/packages/patches/glibc-locale-incompatibility.patch
 This patch avoids an assertion failure when incompatible locale data
 is encountered:
  https://sourceware.org/ml/libc-alpha/2015-09/msg00575.html
 --- glibc-2.22/locale/loadlocale.c	2015-09-22 17:16:02.321981548 +0200
 +++ glibc-2.22/locale/loadlocale.c	2015-09-22 17:17:34.814659064 +0200
@@ -120,10 +120,11 @@
 	 _nl_value_type_LC_XYZ array.  There are all pointers.  */
       switch (category)
 	{
 -#define CATTEST(cat) \
 -	case LC_##cat:							      \
 -	  assert (cnt < (sizeof (_nl_value_type_LC_##cat)		      \
 -			 / sizeof (_nl_value_type_LC_##cat[0])));	      \
 +#define CATTEST(cat)						\
 +	case LC_##cat:						\
 +	  if (cnt >= (sizeof (_nl_value_type_LC_##cat)		\
 +		      / sizeof (_nl_value_type_LC_##cat[0])))	\
 +	    goto puntdata;					\
 	  break
 	  CATTEST (NUMERIC);
 	  CATTEST (TIME);
--- a/pkgs/development/libraries/glibc/info.nix
+++ b/pkgs/development/libraries/glibc/info.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchurl, texinfo, perl }:
+{ lib, stdenv, fetchurl, texinfo, perl }:
 let build = import ./common.nix; in
@ -6,7 +6,7 @@ let build = import ./common.nix; in
 build null {
  name = "glibc-info";
-  inherit fetchurl stdenv;
+  inherit fetchurl stdenv lib;
  configureFlags = [ "--enable-add-ons" ];
--- a/pkgs/development/libraries/glibc/locales.nix
+++ b/pkgs/development/libraries/glibc/locales.nix
@ -6,14 +6,14 @@
   http://sourceware.org/cgi-bin/cvsweb.cgi/libc/localedata/SUPPORTED?cvsroot=glibc
 */
-{ stdenv, fetchurl, writeText, allLocales ? true, locales ? ["en_US.UTF-8/UTF-8"] }:
+{ lib, stdenv, fetchurl, writeText, allLocales ? true, locales ? ["en_US.UTF-8/UTF-8"] }:
 let build = import ./common.nix; in
 build null {
  name = "glibc-locales";
-  inherit fetchurl stdenv;
+  inherit fetchurl stdenv lib;
  installLocales = true;
  builder = ./locales-builder.sh;
--- a/pkgs/development/libraries/glibc/security-4a28f4d5.patch
+++ b/pkgs/development/libraries/glibc/security-4a28f4d5.patch
@ -1,53 +0,0 @@
 From 4a28f4d55a6cc33474c0792fe93b5942d81bf185 Mon Sep 17 00:00:00 2001
 From: Andreas Schwab <schwab@suse.de>
 Date: Thu, 26 Feb 2015 14:55:24 +0100
 Subject: [PATCH] Fix read past end of pattern in fnmatch (bug 18032)
 ---
 ChangeLog            | 7 +++++++
 NEWS                 | 2 +-
 posix/fnmatch_loop.c | 5 ++---
 posix/tst-fnmatch3.c | 8 +++++---
 4 files changed, 15 insertions(+), 7 deletions(-)
 diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
 index c0cb2fc..72c5d8f 100644
 --- a/posix/fnmatch_loop.c
 +++ b/posix/fnmatch_loop.c
@@ -945,14 +945,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
 		  }
 		else if (c == L('[') && *p == L('.'))
 		  {
 -		    ++p;
 		    while (1)
 		      {
 			c = *++p;
 -			if (c == '\0')
 +			if (c == L('\0'))
 			  return FNM_NOMATCH;
 -			if (*p == L('.') && p[1] == L(']'))
 +			if (c == L('.') && p[1] == L(']'))
 			  break;
 		      }
 		    p += 2;
 diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
 index d27a557..75bc00a 100644
 --- a/posix/tst-fnmatch3.c
 +++ b/posix/tst-fnmatch3.c
@@ -21,9 +21,11 @@
 int
 do_test (void)
 {
 -  const char *pattern = "[[:alpha:]'[:alpha:]\0]";
 -
 -  return fnmatch (pattern, "a", 0) != FNM_NOMATCH;
 +  if (fnmatch ("[[:alpha:]'[:alpha:]\0]", "a", 0) != FNM_NOMATCH)
 +    return 1;
 +  if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
 +    return 1;
 +  return 0;
 }
 #define TEST_FUNCTION do_test ()
--- a/pkgs/development/libraries/glibc/security-bdf1ff05.patch
+++ b/pkgs/development/libraries/glibc/security-bdf1ff05.patch
@ -1,39 +0,0 @@
 From bdf1ff052a8e23d637f2c838fa5642d78fcedc33 Mon Sep 17 00:00:00 2001
 From: Paul Pluzhnikov <ppluzhnikov@google.com>
 Date: Sun, 22 Feb 2015 12:01:47 -0800
 Subject: [PATCH] Fix BZ #17269 -- _IO_wstr_overflow integer overflow
 ---
 ChangeLog       | 6 ++++++
 NEWS            | 6 +++---
 libio/wstrops.c | 8 +++++++-
 3 files changed, 16 insertions(+), 4 deletions(-)
 diff --git a/libio/wstrops.c b/libio/wstrops.c
 index 43d847d..3993579 100644
 --- a/libio/wstrops.c
 +++ b/libio/wstrops.c
@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
 	  wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
 	  size_t old_wblen = _IO_wblen (fp);
 	  _IO_size_t new_size = 2 * old_wblen + 100;
 -	  if (new_size < old_wblen)
 +
 +	  if (__glibc_unlikely (new_size < old_wblen)
 +	      || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
 	    return EOF;
 +
 	  new_buf
 	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
 									* sizeof (wchar_t));
@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
     return 1;
   _IO_size_t newsize = offset + 100;
 +  if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
 +    return 1;
 +
   wchar_t *oldbuf = wd->_IO_buf_base;
   wchar_t *newbuf
     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
--- a/pkgs/development/libraries/qt-5/5.5/qtbase/default.nix
+++ b/pkgs/development/libraries/qt-5/5.5/qtbase/default.nix
@ -26,6 +26,12 @@
 let
  inherit (srcs.qt5) version;
  system-x86_64 = lib.elem stdenv.system lib.platforms.x86_64;
  dontInvalidateBacking = fetchurl {
    url = "https://codereview.qt-project.org/gitweb?p=qt/qtbase.git;a=patch;h=0f68f8920573cdce1729a285a92ac8582df32841;hp=24c50f8dcf7fa61ac3c3d4d6295c259a104a2b8c";
    name = "qtbug-48321-dont-invalidate-backing-store.patch";
    sha256 = "07vnndmvri73psz0nrs2hg0zw2i4b1k1igy2al6kwjbp7d5xpglr";
  };
 in
 stdenv.mkDerivation {
@ -49,6 +55,10 @@ stdenv.mkDerivation {
  postPatch =
    ''
      cd qtbase
      patch -p1 <${dontInvalidateBacking}
      cd ..
      substituteInPlace configure --replace /bin/pwd pwd
      substituteInPlace qtbase/configure --replace /bin/pwd pwd
      substituteInPlace qtbase/src/corelib/global/global.pri --replace /bin/ls ${coreutils}/bin/ls
--- a/pkgs/development/python-modules/matplotlib/default.nix
+++ b/pkgs/development/python-modules/matplotlib/default.nix
@ -12,11 +12,11 @@ assert enableGtk2 -> pygtk != null;
 buildPythonPackage rec {
  name = "matplotlib-${version}";
-  version = "1.5.0";
+  version = "1.5.1";
  src = fetchurl {
    url = "https://pypi.python.org/packages/source/m/matplotlib/${name}.tar.gz";
-    sha256 = "67b08b1650a00a6317d94b76a30a47320087e5244920604c5462188cba0c2646";
+    sha256 = "3ab8d968eac602145642d0db63dd8d67c85e9a5444ce0e2ecb2a8fedc7224d40";
  };
  NIX_CFLAGS_COMPILE = stdenv.lib.optionalString stdenv.isDarwin "-I${libcxx}/include/c++/v1";
@ -37,6 +37,14 @@ buildPythonPackage rec {
  patches = stdenv.lib.optionals stdenv.isDarwin [ ./darwin-stdenv.patch ];
  checkPhase = ''
    ${python.interpreter} tests.py
  '';
  # The entry point for running tests, tests.py, is not included in the release.
  # https://github.com/matplotlib/matplotlib/issues/6017
  doCheck = false;
  prePatch = ''
    # Failing test: ERROR: matplotlib.tests.test_style.test_use_url
    sed -i 's/test_use_url/fails/' lib/matplotlib/tests/test_style.py
@ -52,4 +60,5 @@ buildPythonPackage rec {
    maintainers = with maintainers; [ lovek323 ];
    platforms   = platforms.unix;
  };
 }
--- a/pkgs/development/tools/build-managers/apache-ant/default.nix
+++ b/pkgs/development/tools/build-managers/apache-ant/default.nix
@ -23,9 +23,14 @@ stdenv.mkDerivation {
      mv * $out/lib/ant/
      # Get rid of the manual (35 MiB).  Maybe we should put this in a
-      # separate output.  Also get rid of the Ant scripts since we
+      # separate output.  Keep the antRun script since it's vanilla sh
-      # provide our own.
+      # and needed for the <exec/> task (but since we set ANT_HOME to
      # a weird value, we have to move antRun to a weird location).
      # Get rid of the other Ant scripts since we provide our own.
      mv $out/lib/ant/bin/antRun $out/bin/
      rm -rf $out/lib/ant/{manual,bin,WHATSNEW}
      mkdir $out/lib/ant/bin
      mv $out/bin/antRun $out/lib/ant/bin/
      # Install ant-contrib.
      unpackFile $contrib
--- a/pkgs/development/tools/continuous-integration/jenkins/default.nix
+++ b/pkgs/development/tools/continuous-integration/jenkins/default.nix
@ -2,11 +2,11 @@
 stdenv.mkDerivation rec {
  name = "jenkins-${version}";
-  version = "1.643";
+  version = "1.647";
  src = fetchurl {
    url = "http://mirrors.jenkins-ci.org/war/${version}/jenkins.war";
-    sha256 = "b8c6387e56d04a0a4a7ec8d9dacd379fbd5d4001d01fdfcd443f9864809f9293";
+    sha256 = "03r0wic5y8yhpa353s5px7l6m63p7jkb56sh6k4k5dacsc4qcxsj";
  };
  meta = with stdenv.lib; {
    description = "An extendable open source continuous integration server";
--- a/pkgs/development/tools/misc/gdb/default.nix
+++ b/pkgs/development/tools/misc/gdb/default.nix
@ -3,6 +3,8 @@
 , python ? null
 , guile ? null
 , target ? null
 # Support all known targets in one gdb binary.
 , multitarget ? false
 # Additional dependencies for GNU/Hurd.
 , mig ? null, hurd ? null
@ -47,6 +49,7 @@ stdenv.mkDerivation rec {
      "--with-separate-debug-dir=/run/current-system/sw/lib/debug"
    ]
    ++ optional (target != null) "--target=${target.config}"
    ++ optional multitarget "--enable-targets=all"
    ++ optional (elem stdenv.system platforms.cygwin) "--without-python";
  crossAttrs = {
@ -54,7 +57,9 @@ stdenv.mkDerivation rec {
    configureFlags = with stdenv.lib;
      [ "--with-gmp=${gmp.crossDrv}" "--with-mpfr=${mpfr.crossDrv}" "--with-system-readline"
        "--with-system-zlib" "--with-expat" "--with-libexpat-prefix=${expat.crossDrv}" "--without-python"
-      ] ++ optional (target != null) "--target=${target.config}";
+      ]
      ++ optional (target != null) "--target=${target.config}"
      ++ optional multitarget "--enable-targets=all";
  };
  postInstall =
--- a/pkgs/development/tools/misc/msitools/default.nix
+++ b/pkgs/development/tools/misc/msitools/default.nix
@ -0,0 +1,21 @@
 {stdenv, fetchurl, intltool, glib, pkgconfig, libgsf, libuuid, gcab, bzip2}:
 stdenv.mkDerivation rec {
  version = "0.94";
  name = "msitools-${version}";
  src = fetchurl {
    url = "http://ftp.gnome.org/pub/GNOME/sources/msitools/0.94/${name}.tar.xz";
    sha256 = "0bndnm3mgcqkw5dhwy5l1zri4lqvjbhbn5rxz651fkxlkhab8bhm";
  };
  buildInputs = [intltool glib pkgconfig libgsf libuuid gcab bzip2];
  meta = with stdenv.lib; {
    description = "Set of programs to inspect and build Windows Installer (.MSI) files";
    homepage = https://wiki.gnome.org/msitools;
    license = [licenses.gpl2 licenses.lgpl21];
    maintainer = [maintainers.vcunat];
    platforms = platforms.unix;
  };
 }
--- a/pkgs/os-specific/linux/alsa-tools/default.nix
+++ b/pkgs/os-specific/linux/alsa-tools/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
      "ftp://ftp.alsa-project.org/pub/tools/${name}.tar.bz2"
      "http://alsa.cybermirror.org/tools/${name}.tar.bz2"
    ];
-    sha256 = "3b1c3135b76e14532d3dd23fb15759ddd7daf9ffbc183f7a9a0a3a86374748f1";
+    sha256 = "0ldbaz3qr7z0639xg37ba7cmrb512rrjavap6r5jjl0ab665ad3x";
  };
  buildInputs = [ alsaLib pkgconfig gtk gtk3 fltk13 ];
--- a/pkgs/os-specific/linux/cpufrequtils/default.nix
+++ b/pkgs/os-specific/linux/cpufrequtils/default.nix
@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
      -i Makefile
  '';
-  buildInputs = [ stdenv.cc.libc.kernelHeaders libtool gettext ];
+  buildInputs = [ stdenv.cc.libc.linuxHeaders libtool gettext ];
  meta = {
    description = "Tools to display or change the CPU governor settings";
--- a/pkgs/os-specific/linux/dietlibc/default.nix
+++ b/pkgs/os-specific/linux/dietlibc/default.nix
@ -11,7 +11,7 @@ stdenv.mkDerivation {
  builder = ./builder.sh;
  inherit glibc;
-  kernelHeaders = glibc.kernelHeaders;
+  kernelHeaders = glibc.linuxHeaders;
  patches = [
--- a/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
+++ b/pkgs/os-specific/linux/firmware/firmware-linux-nonfree/default.nix
@ -2,7 +2,7 @@
 stdenv.mkDerivation rec {
  name = "firmware-linux-nonfree-${version}";
-  version = "2015-12-04";
+  version = "2016-01-26";
  # This repo is built by merging the latest versions of
  # http://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/
@ -14,8 +14,8 @@ stdenv.mkDerivation rec {
  src = fetchFromGitHub {
    owner = "wkennington";
    repo = "linux-firmware";
-    rev = "bbe4917c054eb0a73e250c6363341e3bf6725839";
+    rev = "0922e78fc8431c2cc6585eb66e5b75f566644ac8";
-    sha256 = "1p9c74p8j8zmddljaan5i29h8wsbz8911dv2sykpnahg9r939ykd";
+    sha256 = "07hv4kgbsxndhm1va6k6scy083886aap3naq1l4jdz7dnph4ir02";
  };
  preInstall = ''
--- a/pkgs/os-specific/linux/kernel/linux-3.18.nix
+++ b/pkgs/os-specific/linux/kernel/linux-3.18.nix
@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 import ./generic.nix (args // rec {
-  version = "3.18.26";
+  version = "3.18.27";
  extraMeta.branch = "3.18";
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v3.x/linux-${version}.tar.xz";
-    sha256 = "0bhf8x1h5crc9kimprjs7q74p86gsqsdr8nz54nv33c6zmryqsic";
+    sha256 = "01lz0c3ns0yp5vnjch1pn10h43g6fr4xw7w3b6kb477083cjr7dc";
  };
  kernelPatches = args.kernelPatches;
--- a/pkgs/os-specific/linux/kernel/linux-4.1.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.1.nix
@ -1,12 +1,12 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 import ./generic.nix (args // rec {
-  version = "4.1.17";
+  version = "4.1.18";
  extraMeta.branch = "4.1";
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "084ij19vgm27ljrjabqqmlqn27p168nsm9grhr6rajid4n79h6ab";
+    sha256 = "1n838dg058knmx4n5mfqxh2ai9d3x6w9zs1apkwzm89rpisc1ijb";
  };
  kernelPatches = args.kernelPatches;
--- a/pkgs/os-specific/linux/kernel/linux-4.3.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.3.nix
@ -1,13 +1,13 @@
 { stdenv, fetchurl, perl, buildLinux, ... } @ args:
 import ./generic.nix (args // rec {
-  version = "4.3.4";
+  version = "4.3.5";
  extraMeta.branch = "4.3";
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0vcsvnpxkpxiidlbw3cy1kl02hfml2jy3cbrvwj2nc4a9y5fb3hj";
+    sha256 = "0g656q51nzb61n0kb2k8br9shvz51yh8kyrsblbjmhi4dbcpizr8";
  };
  features.iwlwifi = true;
--- a/pkgs/servers/mail/rmilter/default.nix
+++ b/pkgs/servers/mail/rmilter/default.nix
@ -2,21 +2,25 @@
 stdenv.mkDerivation rec {
  name = "rmilter-${version}";
-  version = "1.6.7";
+  version = "1.7.3";
  src = fetchFromGitHub {
    owner = "vstakhov";
    repo = "rmilter";
    rev = version;
-    sha256 = "1syviydlv4m1isl0r52sk4s0a75fyk788j1z3yvfzzf1hga333gn";
+    sha256 = "04xalaxq5xgg5ls0f4ayp8yhzdfq5gqjb8qwfyha3mrx4dqrgh7s";
  };
  nativeBuildInputs = [ bison cmake flex ];
-  buildInputs = [ libmilter openssl pcre opendkim];
+  buildInputs = [ libmilter openssl pcre opendkim ];
  meta = with stdenv.lib; {
    homepage = "https://github.com/vstakhov/rmilter";
-    license = licenses.bsd2; 
+    license = licenses.bsd2;
-    description = "server, used to integrate rspamd and milter compatible MTA, for example postfix or sendmail";
+    description = ''
-    maintainers = maintainers.avnik;
+      Daemon to integrate rspamd and milter compatible MTA, for example
      postfix or sendmail
    '';
    maintainers = with maintainers; [ avnik fpletz ];
  };
 }
--- a/pkgs/servers/mail/rspamd/default.nix
+++ b/pkgs/servers/mail/rspamd/default.nix
@ -1,17 +1,18 @@
 { stdenv, fetchFromGitHub, cmake, perl
- ,file , glib, gmime, libevent, luajit, openssl, pcre, pkgconfig, sqlite }:
+, file, glib, gmime, libevent, luajit, openssl, pcre, pkgconfig, sqlite }:
 let libmagic = file;  # libmagic provided buy file package ATM
 in
 stdenv.mkDerivation rec {
  name = "rspamd-${version}";
-  version = "git-2016-01-16";
+  version = "1.1.3";
  src = fetchFromGitHub {
    owner = "vstakhov";
    repo = "rspamd";
-    rev = "04bfc92c1357c0f908ce9371ab303f8bf57657df";
+    rev = version;
-    sha256 = "1zip1msjjy5q7jcsn4l0yyg92c3wdsf1v5jv1acglrih8dbfl7zj";
+    sha256 = "0mvh812a91yqynmcpv159dmkipx72fwg7rgscq7virzphchkbzvj";
  };
  nativeBuildInputs = [ cmake pkgconfig perl ];
@ -31,8 +32,8 @@ stdenv.mkDerivation rec {
  meta = with stdenv.lib; {
    homepage = "https://github.com/vstakhov/rspamd";
-    license = licenses.bsd2; 
+    license = licenses.bsd2;
    description = "advanced spam filtering system";
-    maintainers = maintainers.avnik;
+    maintainers = with maintainers; [ avnik fpletz ];
  };
 }
--- a/pkgs/servers/nosql/redis/default.nix
+++ b/pkgs/servers/nosql/redis/default.nix
@ -1,12 +1,12 @@
 { stdenv, fetchurl }:
 stdenv.mkDerivation rec {
-  version = "3.0.6";
+  version = "3.0.7";
  name = "redis-${version}";
  src = fetchurl {
    url = "http://download.redis.io/releases/${name}.tar.gz";
-    sha256 = "092nnxjyaf7h9mnwac5rwjl0ikyyqa44vn426w64hn2534iia7kg";
+    sha256 = "08vzfdr67gp3lvk770qpax2c5g2sx8hn6p64jn3jddrvxb2939xj";
  };
  makeFlags = "PREFIX=$(out)";
--- a/pkgs/tools/networking/nbd/default.nix
+++ b/pkgs/tools/networking/nbd/default.nix
@ -8,7 +8,9 @@ stdenv.mkDerivation rec {
    sha256 = "1pkkid657zgjymwxv3fm32cxnq9llfz29rl15vp6mn42vnzbj1di";
  };
-  buildInputs = [ pkgconfig glib ] ++ stdenv.lib.optional (stdenv ? glibc) stdenv.glibc.kernelHeaders;
+  buildInputs =
    [ pkgconfig glib ]
    ++ stdenv.lib.optional (stdenv ? glibc) stdenv.glibc.linuxHeaders;
  postInstall = ''
    mkdir -p "$out/share/doc/${name}"
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -5988,6 +5988,8 @@ let
  mk = callPackage ../development/tools/build-managers/mk { };
  msitools = callPackage ../development/tools/misc/msitools { };
  multi-ghc-travis = callPackage ../development/tools/haskell/multi-ghc-travis { };
  neoload = callPackage ../development/tools/neoload {
@ -6699,22 +6701,18 @@ let
  glfw3 = callPackage ../development/libraries/glfw/3.x.nix { };
  glibc = callPackage ../development/libraries/glibc {
    kernelHeaders = linuxHeaders;
    installLocales = config.glibc.locales or false;
    machHeaders = null;
    hurdHeaders = null;
    gccCross = null;
  };
  glibc_memusage = callPackage ../development/libraries/glibc {
    kernelHeaders = linuxHeaders;
    installLocales = false;
    withGd = true;
  };
  glibcCross = forceNativeDrv (glibc.override {
    gccCross = gccCrossStageStatic;
-    kernelHeaders = linuxHeadersCross;
+    linuxHeaders = linuxHeadersCross;
  });
  # We can choose:
@ -12427,7 +12425,7 @@ let
  inferno = callPackage_i686 ../applications/inferno { };
  inkscape = callPackage ../applications/graphics/inkscape {
-    inherit (pythonPackages) lxml;
+    inherit (pythonPackages) python pyxml lxml numpy;
    lcms = lcms2;
  };
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@ -1804,15 +1804,24 @@ in modules // {
  cycler = buildPythonPackage rec {
    name = "cycler-${version}";
-    version = "0.9.0";
+    version = "0.10.0";
    src = pkgs.fetchurl {
      url = "https://pypi.python.org/packages/source/C/Cycler/${name}.tar.gz";
-      sha256 = "96dc4ddf27ef62c09990c6196ac1167685e89168042ec0ae4db586de023355bc";
+      sha256 = "cd7b2d1018258d7247a71425e9f26463dfb444d411c39569972f4ce586b0c9d8";
    };
    buildInputs = with self; [ coverage nose ];
    propagatedBuildInputs = with self; [ six ];
    checkPhase = ''
      ${python.interpreter} run_tests.py
    '';
    # Tests were not included in release.
    # https://github.com/matplotlib/cycler/issues/31
    doCheck = false;
    meta = {
      description = "Composable style cycles";
      homepage = http://github.com/matplotlib/cycler;
@ -8960,10 +8969,11 @@ in modules // {
      ${python.interpreter} -m unittest discover
    '';
-    # Judging from SyntaxError
+    # Because 2to3 is used the tests in $out need to be run.
-    disabled = isPy3k;
+    # Both when using unittest and pytest this resulted in many errors,
-
+    # some Python byte/str errors, and others specific to resources tested.
-    # Lots of errors. Likely due to being in a chroot
+    # Failing tests due to the latter is to be expected with this type of package.
    # Tests are therefore disabled.
    doCheck = false;
    meta = {
@ -10433,15 +10443,19 @@ in modules // {
  keyring = buildPythonPackage rec {
-    name = "keyring-3.3";
+    name = "keyring-8.4.1";
    src = pkgs.fetchurl {
-      url = "https://pypi.python.org/packages/source/k/keyring/${name}.zip";
+      url = "https://pypi.python.org/packages/source/k/keyring/${name}.tar.gz";
-      md5 = "81291e0c7337affb71442e6c7671e77f";
+      sha256 = "1286sh5g53168qxbl4g5bmns9ci0ld0jl3h44b7h8is5nw1421ar";
    };
    buildInputs = with self;
-      [ fs gdata python_keyczar mock pyasn1 pycrypto pytest six ];
+      [ fs gdata python_keyczar mock pyasn1 pycrypto pytest_28 six setuptools_scm pytestrunner ];
    checkPhase = ''
      py.test $out
    '';
    meta = {
      description = "Store and access your passwords safely";
@ -12528,16 +12542,16 @@ in modules // {
  };
  numexpr = buildPythonPackage rec {
-    version = "2.4.6";
+    version = "2.5";
    name = "numexpr-${version}";
    src = pkgs.fetchurl {
      url = "https://pypi.python.org/packages/source/n/numexpr/${name}.tar.gz";
-      sha256 = "052397670dc56d7845ff894cd7d858e4f115491ecd93bcc0eda5cb83990c5da3";
+      sha256 = "319cdf4e402177a1c8ed4972cffd09f523446f186d347b7c1974787cdabf0294";
    };
    # Tests fail with python 3. https://github.com/pydata/numexpr/issues/177
-    doCheck = !isPy3k;
+    # doCheck = !isPy3k;
    propagatedBuildInputs = with self; [ numpy ];