-rw-r--r--community/firefox-esr/APKBUILD1
-rw-r--r--community/imagemagick6/APKBUILD38
-rw-r--r--community/openjdk8/APKBUILD165
-rw-r--r--community/openjdk8/icedtea-hotspot-musl-ppc.patch194
-rw-r--r--community/openjdk8/icedtea-hotspot-musl.patch4
-rw-r--r--community/openjdk8/icedtea-jdk-getmntent-buffer.patch88
-rw-r--r--community/openjdk8/icedtea-jdk-includes.patch23
-rw-r--r--community/openjdk8/icedtea-jdk-musl.patch28
-rw-r--r--community/openjdk8/icedtea-jdk-tls-nist-curves.patch47
-rw-r--r--community/php5/APKBUILD2
-rw-r--r--community/php7/APKBUILD16
-rw-r--r--community/tor/APKBUILD2
-rw-r--r--community/wireshark/APKBUILD8
-rw-r--r--main/abuild/0001-abuild-chdir-to-builddir-if-it-exists.patch30
-rw-r--r--main/abuild/APKBUILD6
-rw-r--r--main/ansible/APKBUILD11
-rw-r--r--main/ansible/CVE-2019-10206.patch125
-rw-r--r--main/apache2/APKBUILD11
-rw-r--r--main/aspell/APKBUILD15
-rw-r--r--main/aspell/CVE-2019-17544.patch39
-rw-r--r--main/asterisk/APKBUILD20
-rw-r--r--main/asterisk/AST-2019-001-15.patch34
-rw-r--r--main/asterisk/AST-2019-002-15.patch40
-rw-r--r--main/asterisk/AST-2019-003-15.patch39
-rw-r--r--main/asterisk/AST-2019-004-15.patch171
-rw-r--r--main/avahi/APKBUILD14
-rw-r--r--main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch27
-rw-r--r--main/bind/APKBUILD1
-rw-r--r--main/binutils/APKBUILD33
-rw-r--r--main/binutils/CVE-2018-6543.patch28
-rw-r--r--main/binutils/CVE-2018-6759.patch86
-rw-r--r--main/binutils/CVE-2018-6872.patch15
-rw-r--r--main/binutils/CVE-2018-7208.patch16
-rw-r--r--main/binutils/CVE-2018-7568.patch41
-rw-r--r--main/binutils/CVE-2018-7569.patch78
-rw-r--r--main/binutils/CVE-2018-7642.patch21
-rw-r--r--main/binutils/CVE-2018-7643.patch28
-rw-r--r--main/binutils/CVE-2018-8945.patch52
-rw-r--r--main/coreutils/APKBUILD4
-rw-r--r--main/cups/APKBUILD8
-rw-r--r--main/curl/APKBUILD12
-rw-r--r--main/curl/CVE-2019-5481.patch40
-rw-r--r--main/curl/CVE-2019-5482.patch50
-rw-r--r--main/dovecot/APKBUILD6
-rw-r--r--main/e2fsprogs/APKBUILD16
-rw-r--r--main/e2fsprogs/CVE-2019-5094.patch190
-rw-r--r--main/expat/APKBUILD12
-rw-r--r--main/expat/CVE-2019-15903.patch80
-rw-r--r--main/faad2/APKBUILD42
-rw-r--r--main/faad2/automake.patch11
-rw-r--r--main/file/APKBUILD21
-rw-r--r--main/file/CVE-2019-18218.patch40
-rw-r--r--main/file/CVE-2019-8905-and-CVE-2019-8907.patch102
-rw-r--r--main/file/CVE-2019-8906.patch14
-rw-r--r--main/freeradius/APKBUILD8
-rw-r--r--main/freeradius/CVE-2019-10143.patch94
-rw-r--r--main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch436
-rw-r--r--main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch41
-rw-r--r--main/ghostscript/APKBUILD27
-rw-r--r--main/ghostscript/CVE-2019-10216.patch49
-rw-r--r--main/ghostscript/CVE-2019-14811-14812-14813.patch69
-rw-r--r--main/ghostscript/CVE-2019-14817.patch218
-rw-r--r--main/git/APKBUILD13
-rw-r--r--main/gvfs/APKBUILD22
-rw-r--r--main/gvfs/CVE-2019-12447.patch33
-rw-r--r--main/gvfs/CVE-2019-12448.patch128
-rw-r--r--main/gvfs/CVE-2019-12449.patch81
-rw-r--r--main/gvfs/CVE-2019-12795.patch93
-rw-r--r--main/hostapd/APKBUILD8
-rw-r--r--main/hostapd/CVE-2019-16275.patch73
-rw-r--r--main/lame/APKBUILD5
-rw-r--r--main/libarchive/APKBUILD17
-rw-r--r--main/libarchive/CVE-2017-14166.patch36
-rw-r--r--main/libcroco/APKBUILD24
-rw-r--r--main/libcroco/CVE-2017-7960.patch59
-rw-r--r--main/libcroco/CVE-2017-7961.patch43
-rw-r--r--main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch29
-rw-r--r--main/libebml/APKBUILD13
-rw-r--r--main/libebml/CVE-2019-13615.patch85
-rw-r--r--main/libgcrypt/APKBUILD19
-rw-r--r--main/libgcrypt/CVE-2019-12904.patch475
-rw-r--r--main/libgcrypt/CVE-2019-13627.patch103
-rw-r--r--main/libjpeg-turbo/APKBUILD8
-rw-r--r--main/libjpeg-turbo/CVE-2018-14498.patch110
-rw-r--r--main/libmad/APKBUILD15
-rw-r--r--main/libmad/length-check.patch817
-rw-r--r--main/libmad/md_size.patch58
-rw-r--r--main/libsndfile/APKBUILD17
-rw-r--r--main/libsndfile/CVE-2018-19758-and-CVE-2019-3832.patch16
-rw-r--r--main/libssh2/APKBUILD14
-rw-r--r--main/libssh2/CVE-2019-17498.patch72
-rw-r--r--main/libtasn1/APKBUILD10
-rw-r--r--main/libtasn1/CVE-2018-1000654.patch182
-rw-r--r--main/libvncserver/APKBUILD11
-rw-r--r--main/libvncserver/CVE-2019-15681.patch23
-rw-r--r--main/libxslt/APKBUILD12
-rw-r--r--main/libxslt/CVE-2019-18197.patch30
-rw-r--r--main/mariadb/APKBUILD9
-rw-r--r--main/mercurial/APKBUILD11
-rw-r--r--main/mercurial/CVE-2019-3902.patch60
-rw-r--r--main/mosquitto/APKBUILD18
-rw-r--r--main/mosquitto/mosquitto-1.4.x-cve-2018-12546.patch625
-rw-r--r--main/mosquitto/mosquitto-1.4.x-cve-2018-12550.patch28
-rw-r--r--main/mosquitto/mosquitto-1.4.x-cve-2018-12551.patch94
-rw-r--r--main/musl/APKBUILD6
-rw-r--r--main/musl/CVE-2019-14697.patch233
-rw-r--r--main/nfdump/APKBUILD25
-rw-r--r--main/nfdump/CVE-2019-1010057.patch64
-rw-r--r--main/nfdump/CVE-2019-14459.patch27
-rw-r--r--main/nghttp2/APKBUILD9
-rw-r--r--main/nmap/APKBUILD16
-rw-r--r--main/nmap/CVE-2017-18594.patch30
-rw-r--r--main/nmap/CVE-2018-15173.patch34
-rw-r--r--main/openldap/APKBUILD17
-rw-r--r--main/openldap/libressl.patch33
-rw-r--r--main/openssl/APKBUILD8
-rw-r--r--main/patch/0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch33
-rw-r--r--main/patch/0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch211
-rw-r--r--main/patch/APKBUILD53
-rw-r--r--main/patch/CVE-2018-6952.patch27
-rw-r--r--main/patch/CVE-2019-13636.patch109
-rw-r--r--main/patch/CVE-2019-13638.patch38
-rw-r--r--main/polkit/APKBUILD24
-rw-r--r--main/polkit/CVE-2019-6133.patch159
-rw-r--r--main/poppler/APKBUILD15
-rw-r--r--main/poppler/CVE-2019-9959.patch13
-rw-r--r--main/postgresql/APKBUILD40
-rw-r--r--main/py-django/APKBUILD11
-rw-r--r--main/python2/APKBUILD19
-rw-r--r--main/python2/CVE-2018-14647.patch82
-rw-r--r--main/python2/CVE-2019-16935.patch92
-rw-r--r--main/python2/CVE-2019-9636.patch (renamed from main/python3/CVE-2019-9636.patch)123
-rw-r--r--main/python2/CVE-2019-9948.patch50
-rw-r--r--main/python3/APKBUILD16
-rw-r--r--main/python3/CVE-2019-16056.patch89
-rw-r--r--main/python3/CVE-2019-16935.patch80
-rw-r--r--main/redis/APKBUILD7
-rw-r--r--main/rsyslog/APKBUILD14
-rw-r--r--main/ruby/APKBUILD10
-rw-r--r--main/sdl/0001-CVE-2019-7572.patch64
-rw-r--r--main/sdl/0001-CVE-2019-7573.patch83
-rw-r--r--main/sdl/0001-CVE-2019-7574.patch71
-rw-r--r--main/sdl/0001-CVE-2019-7575.patch84
-rw-r--r--main/sdl/0001-CVE-2019-7577.patch75
-rw-r--r--main/sdl/0001-CVE-2019-7578.patch67
-rw-r--r--main/sdl/0001-CVE-2019-7635.patch53
-rw-r--r--main/sdl/0001-CVE-2019-7636.patch29
-rw-r--r--main/sdl/0001-CVE-2019-7637.patch182
-rw-r--r--main/sdl/0002-CVE-2019-7572.patch59
-rw-r--r--main/sdl/0002-CVE-2019-7577.patch57
-rw-r--r--main/sdl/0002-CVE-2019-7635.patch21
-rw-r--r--main/sdl/0002-CVE-2019-7637.patch42
-rw-r--r--main/sdl/APKBUILD56
-rw-r--r--main/sdl2/APKBUILD22
-rw-r--r--main/sdl2/fix-directfb-include.patch11
-rw-r--r--main/sdl2_image/APKBUILD41
-rw-r--r--main/sdl2_image/CVE-2017-12122.patch51
-rw-r--r--main/sdl2_image/CVE-2017-14440.patch23
-rw-r--r--main/sdl2_image/CVE-2017-14441.patch26
-rw-r--r--main/sdl2_image/CVE-2017-14442.patch24
-rw-r--r--main/sdl2_image/CVE-2017-14448.patch59
-rw-r--r--main/sdl2_image/CVE-2017-14450.patch25
-rw-r--r--main/sdl2_image/CVE-2017-2887.patch25
-rw-r--r--main/sdl2_image/CVE-2018-3837.patch21
-rw-r--r--main/sdl2_image/CVE-2018-3838.patch40
-rw-r--r--main/sdl2_image/CVE-2018-3839.patch31
-rw-r--r--main/sdl2_image/CVE-2019-13616.patch24
-rw-r--r--main/sdl_image/APKBUILD13
-rw-r--r--main/sdl_image/CVE-2019-13616.patch16
-rw-r--r--main/sqlite/APKBUILD28
-rw-r--r--main/sqlite/CVE-2019-16168.patch24
-rw-r--r--main/sqlite/CVE-2019-8457.patch71
-rw-r--r--main/squid/APKBUILD7
-rw-r--r--main/subversion/APKBUILD7
-rw-r--r--main/tiff/APKBUILD12
-rw-r--r--main/tiff/CVE-2019-14973-rebased.patch424
-rw-r--r--main/tiff/CVE-2019-17546.patch105
-rw-r--r--main/tzdata/APKBUILD8
-rw-r--r--main/wavpack/APKBUILD17
-rw-r--r--main/wavpack/CVE-2019-1010315.patch36
-rw-r--r--main/wavpack/CVE-2019-1010317.patch40
-rw-r--r--main/wavpack/CVE-2019-1010319.patch23
-rw-r--r--main/wavpack/CVE-2019-11498.patch32
-rw-r--r--main/wpa_supplicant/APKBUILD6
-rw-r--r--main/wpa_supplicant/CVE-2019-16275.patch73
-rw-r--r--main/zeromq/APKBUILD8
-rw-r--r--main/zeromq/CVE-2019-13132.patch110
-rw-r--r--main/znc/APKBUILD16
-rw-r--r--main/znc/CVE-2019-12816.patch103
-rw-r--r--main/znc/CVE-2019-9917.patch122
190 files changed, 10209 insertions, 1061 deletions
diff --git a/community/firefox-esr/APKBUILD b/community/firefox-esr/APKBUILD
index f0b39db09cc..7bcde52443f 100644
--- a/community/firefox-esr/APKBUILD
+++ b/community/firefox-esr/APKBUILD
@@ -97,7 +97,6 @@ ldpath="$_mozappdir"
# - CVE-2018-5117
# 52.5.2-r0:
# - CVE-2017-7843
-# - CVE-2017-7843
prepare() {
local i
diff --git a/community/imagemagick6/APKBUILD b/community/imagemagick6/APKBUILD
index 43323633971..77657d81d3f 100644
--- a/community/imagemagick6/APKBUILD
+++ b/community/imagemagick6/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=imagemagick6
-_pkgname=ImageMagick
-pkgver=6.9.10.39
+_pkgname=ImageMagick6
+pkgver=6.9.10.68
_pkgver=${pkgver%.*}-${pkgver##*.}
_abiver=${pkgname#imagemagick}
pkgrel=0
@@ -18,10 +18,40 @@ makedepends="fontconfig-dev freetype-dev ghostscript-dev lcms2-dev
zlib-dev"
checkdepends="freetype fontconfig ghostscript ghostscript-fonts lcms2 graphviz"
subpackages="$pkgname-doc $pkgname-dev $pkgname-c++:_cxx $pkgname-libs"
-source="http://www.imagemagick.org/download/releases/$_pkgname-$_pkgver.tar.xz"
+source="https://github.com/ImageMagick/ImageMagick6/archive/$_pkgver/$_pkgname-$_pkgver.tar.gz"
builddir="$srcdir/$_pkgname-$_pkgver"
# secfixes:
+# 6.9.10.55-r0:
+# - CVE-2019-13454
+# 6.9.10.53-r0:
+# - CVE-2019-13391
+# - CVE-2019-13311
+# - CVE-2019-13310
+# - CVE-2019-13309
+# - CVE-2019-13308
+# - CVE-2019-13307
+# - CVE-2019-13306
+# - CVE-2019-13305
+# - CVE-2019-13304
+# - CVE-2019-13303
+# - CVE-2019-13302
+# - CVE-2019-13301
+# - CVE-2019-13300
+# - CVE-2019-13299
+# - CVE-2019-13298
+# - CVE-2019-13297
+# - CVE-2019-13296
+# - CVE-2019-13295
+# - CVE-2019-13137
+# - CVE-2019-13136
+# - CVE-2019-13135
+# - CVE-2019-13134
+# - CVE-2019-13133
+# 6.9.10.44-r0:
+# - CVE-2019-11598
+# - CVE-2019-11597
+# - CVE-2019-11472
# 6.9.10.39-r0:
# - CVE-2019-10649
# - CVE-2019-10650
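Review bot: The new `source=` URL in this hunk pulls a GitHub tag archive (`.../archive/$_pkgver/$_pkgname-$_pkgver.tar.gz`), so the only thing binding the build to specific bytes is the `sha512sums` entry updated at the end of the file. A tag can be moved, and the archive is produced on request rather than published as a fixed release artifact. The move from `http://` to `https://` is an improvement, but it would help to record how the checksum was established, e.g. a comment above `source=` such as `# GitHub tag archive: re-check sha512sums against a fresh checkout of the tag on every bump`.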
@@ -161,4 +191,4 @@ _cxx() {
mv "$pkgdir"/usr/lib/libMagick++*.so.* "$subpkgdir"/usr/lib/
}
-sha512sums="82a0aa990ce3a146e02b02a9674340209bf58ce8edd694b8884509423f3503925b085496e7f299ea4a66c177420dde3e347ac4ea21dd9611ede892faf2425e34 ImageMagick-6.9.10-39.tar.xz"
+sha512sums="867b6b7b88fafc6afbe65a0ef6f812a5a7eb0a0f24b8635dce6f923fc52954b3c96d925dffebb7e3cfc43dfa411c1aa3c03dc4393c40f25daa17e45689685647 ImageMagick6-6.9.10-68.tar.gz"
diff --git a/community/openjdk8/APKBUILD b/community/openjdk8/APKBUILD
index 86c8cd388e8..9e3f8de37b7 100644
--- a/community/openjdk8/APKBUILD
+++ b/community/openjdk8/APKBUILD
@@ -2,10 +2,10 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openjdk8
-_icedteaver=3.12.0
+_icedteaver=3.17.1
# pkgver is <JDK version>.<JDK update>.<JDK build>
# Check https://icedtea.classpath.org/wiki/Main_Page when updating!
-pkgver=8.212.04
+pkgver=8.275.01
pkgrel=0
pkgdesc="OpenJDK 8 provided by IcedTea"
url="https://icedtea.classpath.org/"
@@ -13,14 +13,47 @@ arch="all"
license="custom"
depends="$pkgname-jre java-cacerts nss"
options="sover-namecheck"
-makedepends="bash findutils tar zip file paxmark gawk util-linux libxslt
- autoconf automake linux-headers sed xz coreutils
- openjdk7 ca-certificates
- nss-dev nss-static cups-dev jpeg-dev giflib-dev libpng-dev libxt-dev
- lcms2-dev libxp-dev libxtst-dev libxinerama-dev zlib-dev
- libxrender-dev alsa-lib-dev freetype-dev fontconfig-dev
- gtk+2.0-dev krb5-dev attr-dev pcsc-lite-dev lksctp-tools-dev
- libxcomposite-dev"
+makedepends="
+ alsa-lib-dev
+ attr-dev
+ autoconf
+ automake
+ bash
+ ca-certificates
+ coreutils
+ cups-dev
+ file
+ findutils
+ fontconfig-dev
+ freetype-dev
+ gawk
+ giflib-dev
+ gtk+2.0-dev
+ jpeg-dev
+ krb5-dev
+ lcms2-dev
+ libpng-dev
+ libxcomposite-dev
+ libxinerama-dev
+ libxp-dev
+ libxrender-dev
+ libxslt
+ libxt-dev
+ libxtst-dev
+ linux-headers
+ lksctp-tools-dev
+ nss-dev
+ nss-static
+ openjdk7
+ paxmark
+ pcsc-lite-dev
+ sed
+ tar
+ util-linux
+ xz
+ zip
+ zlib-dev
+ "
case $CARCH in
x86) _jarch=i386;;
@@ -29,6 +62,12 @@ arm*) _jarch=aarch32;;
*) _jarch="$CARCH";;
esac
+case $CARCH in
+x86|x86_64|aarch64)
+ _configure_jfr="--enable-jfr";;
+*) _configure_jfr="--disable-jfr";;
+esac
+
_bootstrap_java_home="/usr/lib/jvm/java-1.7-openjdk"
_java_home="/usr/lib/jvm/java-1.8-openjdk"
_jrelib="$_java_home/jre/lib/$_jarch"
@@ -63,13 +102,74 @@ source="https://icedtea.classpath.org/download/source/icedtea-$_icedteaver.tar.x
icedtea-jdk-fix-libjvm-load.patch
icedtea-jdk-musl.patch
icedtea-jdk-includes.patch
- icedtea-jdk-getmntent-buffer.patch
icedtea-autoconf-config.patch
- icedtea-jdk-tls-nist-curves.patch
"
builddir="$srcdir/icedtea-$_icedteaver"
# secfixes:
+# 8.272.10-r0:
+# - CVE-2020-14556
+# - CVE-2020-14577
+# - CVE-2020-14578
+# - CVE-2020-14579
+# - CVE-2020-14581
+# - CVE-2020-14583
+# - CVE-2020-14593
+# - CVE-2020-14621
+# - CVE-2020-14779
+# - CVE-2020-14781
+# - CVE-2020-14782
+# - CVE-2020-14792
+# - CVE-2020-14796
+# - CVE-2020-14797
+# - CVE-2020-14798
+# - CVE-2020-14803
+# 8.252.09-r0:
+# - CVE-2020-2754
+# - CVE-2020-2755
+# - CVE-2020-2756
+# - CVE-2020-2757
+# - CVE-2020-2773
+# - CVE-2020-2781
+# - CVE-2020-2800
+# - CVE-2020-2803
+# - CVE-2020-2805
+# - CVE-2020-2830
+# 8.242.08-r0:
+# - CVE-2020-2583
+# - CVE-2020-2590
+# - CVE-2020-2593
+# - CVE-2020-2601
+# - CVE-2020-2604
+# - CVE-2020-2659
+# - CVE-2020-2654
+# 8.232.09-r0:
+# - CVE-2019-2933
+# - CVE-2019-2945
+# - CVE-2019-2949
+# - CVE-2019-2958
+# - CVE-2019-2964
+# - CVE-2019-2962
+# - CVE-2019-2973
+# - CVE-2019-2975
+# - CVE-2019-2978
+# - CVE-2019-2981
+# - CVE-2019-2983
+# - CVE-2019-2987
+# - CVE-2019-2988
+# - CVE-2019-2989
+# - CVE-2019-2992
+# - CVE-2019-2999
+# - CVE-2019-2894
+# 8.222.10-r0:
+# - CVE-2019-2745
+# - CVE-2019-2762
+# - CVE-2019-2766
+# - CVE-2019-2769
+# - CVE-2019-2786
+# - CVE-2019-2816
+# - CVE-2019-2842
+# - CVE-2019-7317
# 8.212.04-r0:
# - CVE-2019-2602
# - CVE-2019-2684
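Review bot: `icedtea-jdk-getmntent-buffer.patch` and `icedtea-jdk-tls-nist-curves.patch` are dropped from the source list here with no in-file record of why. The deleted getmntent patch replaced a fixed `char buf[1024]` passed to `getmntent_r` with a larger heap buffer, so if IcedTea 3.17.1 does not carry an equivalent change, the problem tracked in the Alpine issue linked from that patch returns. Presumably it does carry one, but that is not visible from this diff. A short comment next to the source list, for example `# getmntent buffer and NIST curve patches dropped: covered upstream as of icedtea 3.17.x (confirm)`, would make the removal auditable. The `source=` assignment begins above this hunk.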
@@ -102,7 +202,7 @@ unpack() {
fi
mkdir -p "$srcdir"
msg "Unpacking sources..."
- tar -C "$srcdir" -Jxf icedtea-$_icedteaver.tar.xz
+ unxz -c icedtea-$_icedteaver.tar.xz | tar -C "$srcdir" -x
}
prepare() {
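Review bot: The new `unxz -c icedtea-$_icedteaver.tar.xz | tar -C "$srcdir" -x` pipeline in `unpack()` reports only tar's exit status, so a decompression error from `unxz` goes unnoticed whenever tar still returns success on the bytes it received. The archive has normally passed the checksum step by this point, which limits the exposure, but a failed extraction should still stop the build. Either enable `set -o pipefail` where the build shell supports it, or decompress first and extract second, e.g. `unxz -c icedtea-$_icedteaver.tar.xz > "$srcdir"/icedtea.tar && tar -C "$srcdir" -xf "$srcdir"/icedtea.tar`. `unpack()` begins above this hunk.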
@@ -162,6 +262,7 @@ build() {
--disable-dependency-tracking \
--disable-downloading \
--disable-precompiled-headers \
+ --disable-docs \
--with-parallel-jobs=${JOBS:-2} \
--with-hotspot-build=default \
--with-openjdk-src-zip="$srcdir/openjdk-$_dropsver.tar.xz" \
@@ -174,10 +275,10 @@ build() {
--with-nashorn-src-zip="$srcdir/nashorn-$_dropsver.tar.xz" \
--with-pax=paxmark \
--with-jdk-home="$_bootstrap_java_home" \
- --with-pkgversion="Alpine ${pkgver}-r${pkgrel}" \
+ --with-pkgversion="Alpine $pkgver-r$pkgrel" \
+ --with-curves="nist+" \
--enable-nss \
- --enable-sunec \
- --enable-non-nss-curves
+ $_configure_jfr
make
}
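Review bot: `--with-curves="nist+"` replaces `--enable-sunec` and `--enable-non-nss-curves` in this configure call, and the same commit drops `icedtea-jdk-tls-nist-curves.patch`. The set of elliptic curves the JRE offers is therefore decided by this one option, with nothing in the APKBUILD saying what set is intended. I would add a comment above the configure call, e.g. `# --with-curves selects the EC curve set; replaces icedtea-jdk-tls-nist-curves.patch`. A `check()` step or manual test should also confirm that the EC provider is still built and that a TLS handshake negotiates the expected curves, since whether dropping `--enable-sunec` changes that is not visible here. `build()` starts outside this hunk.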
@@ -232,6 +333,7 @@ jrelib() {
jre() {
pkgdesc="OpenJDK 8 Java Runtime"
+ depends="ttf-dejavu"
local file dir
mkdir -p "$subpkgdir"
@@ -259,6 +361,7 @@ jrebase() {
mkdir -p "$subpkgdir"/$_java_home/bin \
"$subpkgdir"/$_java_home/lib/$_jarch
+ ln -s java-1.8-openjdk "$subpkgdir"/usr/lib/jvm/java-8-openjdk
mv "$pkgdir"/$_java_home/lib/$_jarch/jli \
"$subpkgdir"/$_java_home/lib/$_jarch/
@@ -291,24 +394,22 @@ demos() {
"$subpkgdir"/$_java_home/
}
-sha512sums="22582d65b9114749c7cfee0fc58fa2cb70e4cf77f3bc62e8097a6c601ead0bf86f530b942e6b0f32ef7bbc5bd17130da236714d83d6e9857c3c5b85c984f2efa icedtea-3.12.0.tar.xz
-999aa17c0e73ebc465a982c5492043487b860b84dd6e4dda3fa51e3099b4642f3f5e03eb30252f835be81f1ea60dc28cf5f0905cbe347758a1f903db430fcc35 openjdk-3.12.0.tar.xz
-d4ffe454a659db6c13b74c8e190beb3b427574d54fa44c80a3ba1dceb3af6f480ee99378d370ec2e9bfc6b5447a225eeb3e11821c83522479583fb21b0705bd7 corba-3.12.0.tar.xz
-a5b8ca9b90797c5f0bc03b763fca50334a308bfd6955f5f488b661da6698abd991dbe08a7ac1a128922c546eb0061853e12a18971adb16c27302e2d9d0f13872 jaxp-3.12.0.tar.xz
-f1deb09ccf6b1dff40d61f3bc54e55d430ebcbeb0cd53d6008cacf65b94824d486913b63034ee23a473298e0bee61ad1ea3e5520c2a3ab25e9e1e6d58d50d286 jaxws-3.12.0.tar.xz
-2e15cdb58c9ce65c99ad5b5506343fb29cda02a4ea8490cfbe79f708deecee2ef28ad0e5a384d2113e72678aa857d821729b588e5ef53208ae06d0d5278ec326 jdk-3.12.0.tar.xz
-838e3e458734d3fc8d2d968eb3bc7190838cd9a73bf3d61de662f9a992a9951a74021e25331d26545f0181b08c80f298de24e030dad4e076bd76368f3a14e960 langtools-3.12.0.tar.xz
-2a0c18fea7b67c5042b39746f2c7ef53e252d6665efbcd74ebf9b171b13e311821310537e8b14cd4f9798c483afdb1107b9af6bb047262b97a526bfbb481777a hotspot-3.12.0.tar.xz
-918489daf6d2816d0fac85ed89cccbb0e350dc068502857f1a7e518135c40e5fcca2709a60ae51bad392592bdc459675ea3543e684ba1ed0d8debc7a451af6d5 nashorn-3.12.0.tar.xz
+sha512sums="eaf66df177f08cf335fe795f816e4f6b70a25a402ff8db4c1a2c545dd129350e1135c45e131eab8820620de2a75fda1d56141583ec1a651218d0a02680eb1df7 icedtea-3.17.1.tar.xz
+82f2688b018b893cbf583ccc1cd328f6909ebeb4d30655ddb554691f1f0ee38debe57dc91bc8200d6676ad531047ffbf149ce7c1e49b65e67db3254c7d6205ed openjdk-3.17.1.tar.xz
+c33886bfa517087e3cf37064fd9dcf1c0b8a9c9ccc4147beac3eb9c07e66c2f8aa3053feb8ab6cbdd42054b073854ed5aaf4a2cfb2888e0a09b7efe3809447c8 corba-3.17.1.tar.xz
+e690a6c498e2418feaa22713517aefd051524aedd349fbab5c70fbdee3ca0f17a297089e02f1de2a27e318413e5ca6fe7dfd825b49c37e749ff48e9c8981307a jaxp-3.17.1.tar.xz
+99c32483c6f5469c256026be9ee5c2a5654768ceff9d10fa9aa10888640af60d618668ae47880062d1253668e546949fd6ffe94c27d6436088e0a8367e2602fd jaxws-3.17.1.tar.xz
+7f5321944cc6c7510db5d6ea6ef189bd15fdf7c904c8ec009576c33ce1e0288e18e51a5dc906e5c7c3beb4daebb161be0c08d1fe8f2ebde81b72a992da919142 jdk-3.17.1.tar.xz
+68ff7857d180b90a77858505523416bee6102e30af7a394d08ab1581ba65d28b78c30f48c1b5555c30bf8b43adc5497d5530372101dc2e4adbc99e5d9c988def langtools-3.17.1.tar.xz
+e377a2ad481727a1d5218f1bf629690ea5f1b7976307f593505efc07252cc5cd408f7eb0873032ec74ed44a31e5f2cd90747be3e6f709eba5ac9fd90857887ab hotspot-3.17.1.tar.xz
+088948d01fc6ea627610bbdcf6691a7bcdd34c5715be103297292db54d0e9080f82f395c3b4bb432058615bc04e05c2d4292fc8f31735e3005d4cf16ff1f9af1 nashorn-3.17.1.tar.xz
1f470432275d5beaa8b4e4352a2f24a4a00593546dc4f3bd857794c89e521e8e6d6abc540762bbd769be3e1e3da058e134dc5dc066d12b9b8a1f0656040a795c fix-paxmark.patch
-09104b19f647dce9ba0835163c05cc7e5e3ec9852b277f22b2d7a02bd483968853544125a09e384e96ba8811f2bbdc9546e05e378582ec6a554ede797ca5ad98 icedtea-hotspot-musl.patch
-e5cf4d70f96fc1e72ae8b97a887adb96092ff36584711cbb8de9d9fa9e859cb8731d638838de0d9591239fc44ffe5c74422d1842bd9f10a0c00dff1627bdeeef icedtea-hotspot-musl-ppc.patch
+28709285390a997adbd56ebda42ef718fbc08daf572b8568f484436d255514f9d25f033e3333dff8aa352fc9846057ac5bb42fa955d3e5e44eddc96dc273c07c icedtea-hotspot-musl.patch
+54ef36ea5a749b733cadaf4fb47a2766db204fe7c9d4dbc1c2d49dd1cec14a552d18da5c49da9ebe8718329c59bdee2c34f94f7882a23837cee2f18af6ffe95f icedtea-hotspot-musl-ppc.patch
19459dbb922f5a71cd15b53199481498626a783c24f91d2544d55b7dddd2cdb34a64bbf0226b99548612dd1743af01b3f9ff32c30abbbc90ce727ca2dbbbd1f9 icedtea-hotspot-noagent-musl.patch
f6365cfafafa008bd6c1bf0ccec01a63f8a39bd1a8bc87baa492a27234d47793ba02d455e5667a873ef50148df3baaf6a8421e2da0b15faac675867da714dd5f icedtea-jdk-execinfo.patch
48533f87fc2cf29d26b259be0df51087d2fe5b252e72d00c6ea2f4add7b0fb113141718c116279c5905e03f64a1118082e719393786811367cf4d472b5d36774 icedtea-jdk-fix-ipv6-init.patch
b135991c76b0db8fa7c363e0903624668e11eda7b54a943035c214aa4d7fc8c3e8110ed200edcec82792f3c9393150a9bd628625ddf7f3e55720ff163fbbb471 icedtea-jdk-fix-libjvm-load.patch
-1fbc32ddc528c7c0099dbc1e48f88d29dccf55e7b8997793aa1d3d8408003a1223d898cca4248e1a12d343d3feec5144f875e6cdac8460d763c73ab3ad7e49f9 icedtea-jdk-musl.patch
-e8d9f1b867bf4fc84aa00d1237b264bcf503b1ed5f34735e14b0b747a728953fe0051a5af69ed058d377fbf65d8be1ed9e38fe5fc6edb2d50b31f34bf3ba91dc icedtea-jdk-includes.patch
-7e6fa46b10c630517bfa46943858aea1d032c12d32ba3fcb7a2143ae1e896c34fa4cb8f925af80cb19f8e29149b835aa054adfd30ebb00539f6c78588d6f5211 icedtea-jdk-getmntent-buffer.patch
-662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch
-9ea7ac942baf29cc619bc2e1acd59201b9f6d38f39a517b495d7613aec746459200c81afb57c5fcdcb856f6bc8b33f7566c8593fed07e5c73f43e08f1072d458 icedtea-jdk-tls-nist-curves.patch"
+3b01de971f64f082d3e289cf337e635ef001381e8ca427a77baa9c52c7ba423889f57665779ca5b3c8bcefb8feacbea31dfaac580c969a4f061439069ee34aae icedtea-jdk-musl.patch
+974fb54532b7e7d738f4278187fc6bd9f9b2d99866b94f68a617ee4911c89a3b8cc41ecfdcaefecf9157492d006b1844b6b0b41ac4209d84f9e8d13c9e485dd3 icedtea-jdk-includes.patch
+662d662d0a7a84be2978e921317589f212f3ba3b7629527ba0f1140b5ac4c1024893e0ed176211688ed1a4505968c4befc841ed57ffcdbb9d355c2cb0571b167 icedtea-autoconf-config.patch"
diff --git a/community/openjdk8/icedtea-hotspot-musl-ppc.patch b/community/openjdk8/icedtea-hotspot-musl-ppc.patch
index eca684884c8..dfb3150f6b6 100644
--- a/community/openjdk8/icedtea-hotspot-musl-ppc.patch
+++ b/community/openjdk8/icedtea-hotspot-musl-ppc.patch
@@ -1,13 +1,94 @@
+Subject: Fix compilation with different ucontext_t on musl
+Upstream: No
+Author: Simon Frankenberger <simon-alpine@fraho.eu>
+
+The machine state registers have to be accessed differently when
+running on musl libc. This patch fix this by replacing
+"uc_mcontext.regs->grp" with "uc_mcontext.gp_regs"
+and accessing the named fields (like "->nip") by the array index constants.
+
+--- openjdk.orig/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.cpp
++++ openjdk/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.cpp
+@@ -1243,7 +1243,11 @@
+ // the safepoing polling page.
+ ucontext_t* uc = (ucontext_t*) ucontext;
+ // Set polling address.
++#if defined(__GLIBC__) || defined(__UCLIBC__)
+ address addr = (address)uc->uc_mcontext.regs->gpr[ra] + (ssize_t)ds;
++#else // Musl
++ address addr = (address)uc->uc_mcontext.gp_regs[ra] + (ssize_t)ds;
++#endif
+ if (polling_address_ptr != NULL) {
+ *polling_address_ptr = addr;
+ }
+@@ -1264,15 +1268,24 @@
+ int rb = inv_rb_field(instruction);
+
+ // look up content of ra and rb in ucontext
++#if defined(__GLIBC__) || defined(__UCLIBC__)
+ address ra_val=(address)uc->uc_mcontext.regs->gpr[ra];
+ long rb_val=(long)uc->uc_mcontext.regs->gpr[rb];
++#else // Musl
++ address ra_val=(address)uc->uc_mcontext.gp_regs[ra];
++ long rb_val=(long)uc->uc_mcontext.gp_regs[rb];
++#endif
+ return os::is_memory_serialize_page(thread, ra_val+rb_val);
+ } else if (is_stw(instruction) || is_stwu(instruction)) {
+ int ra = inv_ra_field(instruction);
+ int d1 = inv_d1_field(instruction);
+
+ // look up content of ra in ucontext
++#if defined(__GLIBC__) || defined(__UCLIBC__)
+ address ra_val=(address)uc->uc_mcontext.regs->gpr[ra];
++#else // Musl
++ address ra_val=(address)uc->uc_mcontext.gp_regs[ra];
++#endif
+ return os::is_memory_serialize_page(thread, ra_val+d1);
+ } else {
+ return false;
+@@ -1335,11 +1348,20 @@
+ || (is_stdu(instruction) && rs == 1)) {
+ int ds = inv_ds_field(instruction);
+ // return banged address
++#if defined(__GLIBC__) || defined(__UCLIBC__)
+ return ds+(address)uc->uc_mcontext.regs->gpr[ra];
++#else // Musl
++ return ds+(address)uc->uc_mcontext.gp_regs[ra];
++#endif
+ } else if (is_stdux(instruction) && rs == 1) {
+ int rb = inv_rb_field(instruction);
++#if defined(__GLIBC__) || defined(__UCLIBC__)
+ address sp = (address)uc->uc_mcontext.regs->gpr[1];
+ long rb_val = (long)uc->uc_mcontext.regs->gpr[rb];
++#else // Musl
++ address sp = (address)uc->uc_mcontext.gp_regs[1];
++ long rb_val = (long)uc->uc_mcontext.gp_regs[rb];
++#endif
+ return ra != 1 || rb_val >= 0 ? NULL // not a stack bang
+ : sp + rb_val; // banged address
+ }
--- openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
+++ openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
-@@ -110,11 +110,19 @@
+@@ -75,7 +75,11 @@
+ # include <poll.h>
+ # include <ucontext.h>
+
++#if ! (defined(__GLIBC__) || defined(__UCLIBC__))
++# include <asm/ptrace.h>
++#endif
+
++
+ address os::current_stack_pointer() {
+ intptr_t* csp;
+
+@@ -110,11 +114,19 @@
// it because the volatile registers are not needed to make setcontext() work.
// Hopefully it was zero'd out beforehand.
guarantee(uc->uc_mcontext.regs != NULL, "only use ucontext_get_pc in sigaction context");
+#if defined(__GLIBC__) || defined(__UCLIBC__)
return (address)uc->uc_mcontext.regs->nip;
+#else // Musl
-+ return (address)uc->uc_mcontext.gp_regs[32];
++ return (address)uc->uc_mcontext.gp_regs[PT_NIP];
+#endif
}
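Review bot: The pair `#if defined(__GLIBC__) || defined(__UCLIBC__)` / `#else // Musl` is repeated around every register access added for macroAssembler_ppc.cpp in this hunk, and again in the os_linux_ppc.cpp and thread_linux_ppc.cpp hunks below. These lines read and rewrite the saved register state inside signal handling, so two hand-maintained copies per site can drift apart unnoticed. One accessor defined once per libc would remove that risk, e.g. `#define UC_GPR(uc, i) ((uc)->uc_mcontext.gp_regs[(i)])` for the musl case and `#define UC_GPR(uc, i) ((uc)->uc_mcontext.regs->gpr[(i)])` otherwise (the macro name is only a suggestion). Note also that the `#else` branch treats every libc that is neither glibc nor uClibc as musl; an explicit `#error` for unknown libcs would make that assumption visible.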
@@ -20,55 +101,55 @@
}
intptr_t* os::Linux::ucontext_get_fp(ucontext_t * uc) {
-@@ -213,7 +221,11 @@
+@@ -213,7 +225,11 @@
if (uc) {
address const pc = os::Linux::ucontext_get_pc(uc);
if (pc && StubRoutines::is_safefetch_fault(pc)) {
+#if defined(__GLIBC__) || defined(__UCLIBC__)
uc->uc_mcontext.regs->nip = (unsigned long)StubRoutines::continuation_for_safefetch_fault(pc);
+#else // Musl
-+ uc->uc_mcontext.gp_regs[32] = (unsigned long)StubRoutines::continuation_for_safefetch_fault(pc);
++ uc->uc_mcontext.gp_regs[PT_NIP] = (unsigned long)StubRoutines::continuation_for_safefetch_fault(pc);
+#endif
return true;
}
}
-@@ -364,7 +376,11 @@
+@@ -364,7 +380,11 @@
// continue at the next instruction after the faulting read. Returning
// garbage from this read is ok.
thread->set_pending_unsafe_access_error();
+#if defined(__GLIBC__) || defined(__UCLIBC__)
uc->uc_mcontext.regs->nip = ((unsigned long)pc) + 4;
+#else // Musl
-+ uc->uc_mcontext.gp_regs[32] = ((unsigned long)pc) + 4;
++ uc->uc_mcontext.gp_regs[PT_NIP] = ((unsigned long)pc) + 4;
+#endif
return true;
}
}
-@@ -383,7 +399,11 @@
+@@ -383,7 +403,11 @@
// continue at the next instruction after the faulting read. Returning
// garbage from this read is ok.
thread->set_pending_unsafe_access_error();
+#if defined(__GLIBC__) || defined(__UCLIBC__)
uc->uc_mcontext.regs->nip = ((unsigned long)pc) + 4;
+#else // Musl
-+ uc->uc_mcontext.gp_regs[32] = ((unsigned long)pc) + 4;
++ uc->uc_mcontext.gp_regs[PT_NIP] = ((unsigned long)pc) + 4;
+#endif
return true;
}
}
-@@ -406,7 +426,11 @@
+@@ -406,7 +430,11 @@
if (stub != NULL) {
// Save all thread context in case we need to restore it.
if (thread != NULL) thread->set_saved_exception_pc(pc);
+#if defined(__GLIBC__) || defined(__UCLIBC__)
uc->uc_mcontext.regs->nip = (unsigned long)stub;
+#else
-+ uc->uc_mcontext.gp_regs[32] = (unsigned long)stub;
++ uc->uc_mcontext.gp_regs[PT_NIP] = (unsigned long)stub;
+#endif
return true;
}
-@@ -564,6 +588,7 @@
+@@ -564,6 +592,7 @@
ucontext_t* uc = (ucontext_t*)context;
st->print_cr("Registers:");
@@ -76,14 +157,14 @@
st->print("pc =" INTPTR_FORMAT " ", uc->uc_mcontext.regs->nip);
st->print("lr =" INTPTR_FORMAT " ", uc->uc_mcontext.regs->link);
st->print("ctr=" INTPTR_FORMAT " ", uc->uc_mcontext.regs->ctr);
-@@ -572,8 +597,18 @@
+@@ -572,8 +601,18 @@
st->print("r%-2d=" INTPTR_FORMAT " ", i, uc->uc_mcontext.regs->gpr[i]);
if (i % 3 == 2) st->cr();
}
+#else // Musl
-+ st->print("pc =" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[32]);
-+ st->print("lr =" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[36]);
-+ st->print("ctr=" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[35]);
++ st->print("pc =" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[PT_NIP]);
++ st->print("lr =" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[PT_LNK]);
++ st->print("ctr=" INTPTR_FORMAT " ", uc->uc_mcontext.gp_regs[PT_CTR]);
st->cr();
+ for (int i = 0; i < 32; i++) {
+ st->print("r%-2d=" INTPTR_FORMAT " ", i, uc->uc_mcontext.gp_regs[i]);
@@ -95,7 +176,7 @@
intptr_t *sp = (intptr_t *)os::Linux::ucontext_get_sp(uc);
st->print_cr("Top of Stack: (sp=" PTR_FORMAT ")", p2i(sp));
-@@ -600,7 +635,11 @@
+@@ -600,7 +639,11 @@
// this is only for the "general purpose" registers
for (int i = 0; i < 32; i++) {
st->print("r%-2d=", i);
@@ -107,63 +188,42 @@
}
st->cr();
}
---- openjdk.orig/hotspot.orig/src/cpu/ppc/vm/macroAssembler_ppc.cpp
-+++ openjdk/hotspot/src/cpu/ppc/vm/macroAssembler_ppc.cpp
-@@ -1242,7 +1242,11 @@
- // the safepoing polling page.
- ucontext_t* uc = (ucontext_t*) ucontext;
- // Set polling address.
-+#if defined(__GLIBC__) || defined(__UCLIBC__)
- address addr = (address)uc->uc_mcontext.regs->gpr[ra] + (ssize_t)ds;
-+#else // Musl
-+ address addr = (address)uc->uc_mcontext.gp_regs[ra] + (ssize_t)ds;
-+#endif
- if (polling_address_ptr != NULL) {
- *polling_address_ptr = addr;
- }
-@@ -1263,15 +1267,24 @@
- int rb = inv_rb_field(instruction);
+--- openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/thread_linux_ppc.cpp
++++ openjdk/hotspot/src/os_cpu/linux_ppc/vm/thread_linux_ppc.cpp
+@@ -27,6 +27,10 @@
+ #include "runtime/frame.inline.hpp"
+ #include "runtime/thread.hpp"
- // look up content of ra and rb in ucontext
-+#if defined(__GLIBC__) || defined(__UCLIBC__)
- address ra_val=(address)uc->uc_mcontext.regs->gpr[ra];
- long rb_val=(long)uc->uc_mcontext.regs->gpr[rb];
-+#else // Musl
-+ address ra_val=(address)uc->uc_mcontext.gp_regs[ra];
-+ long rb_val=(long)uc->uc_mcontext.gp_regs[rb];
++#if ! (defined(__GLIBC__) || defined(__UCLIBC__))
++#include <asm/ptrace.h>
+#endif
- return os::is_memory_serialize_page(thread, ra_val+rb_val);
- } else if (is_stw(instruction) || is_stwu(instruction)) {
- int ra = inv_ra_field(instruction);
- int d1 = inv_d1_field(instruction);
++
+ bool JavaThread::pd_get_top_frame_for_profiling(frame* fr_addr, void* ucontext, bool isInJava) {
+ assert(this->is_Java_thread(), "must be JavaThread");
- // look up content of ra in ucontext
+@@ -42,8 +46,13 @@
+ // if we were running Java code when SIGPROF came in.
+ if (isInJava) {
+ ucontext_t* uc = (ucontext_t*) ucontext;
+#if defined(__GLIBC__) || defined(__UCLIBC__)
- address ra_val=(address)uc->uc_mcontext.regs->gpr[ra];
+ frame ret_frame((intptr_t*)uc->uc_mcontext.regs->gpr[1/*REG_SP*/],
+ (address)uc->uc_mcontext.regs->nip);
+#else // Musl
-+ address ra_val=(address)uc->uc_mcontext.gp_regs[ra];
++ frame ret_frame((intptr_t*)uc->uc_mcontext.gp_regs[1/*REG_SP*/],
++ (address)uc->uc_mcontext.gp_regs[PT_NIP]);
+#endif
- return os::is_memory_serialize_page(thread, ra_val+d1);
- } else {
- return false;
-@@ -1334,11 +1347,20 @@
- || (is_stdu(instruction) && rs == 1)) {
- int ds = inv_ds_field(instruction);
- // return banged address
-+#if defined(__GLIBC__) || defined(__UCLIBC__)
- return ds+(address)uc->uc_mcontext.regs->gpr[ra];
-+#else // Musl
-+ return ds+(address)uc->uc_mcontext.gp_regs[ra];
-+#endif
- } else if (is_stdux(instruction) && rs == 1) {
- int rb = inv_rb_field(instruction);
+
+ if (ret_frame.pc() == NULL) {
+ // ucontext wasn't useful
+@@ -55,7 +64,11 @@
+ if (!((Method*)(istate->method))->is_metaspace_object()) {
+ return false;
+ }
+#if defined(__GLIBC__) || defined(__UCLIBC__)
- address sp = (address)uc->uc_mcontext.regs->gpr[1];
- long rb_val = (long)uc->uc_mcontext.regs->gpr[rb];
+ uint64_t reg_bcp = uc->uc_mcontext.regs->gpr[14/*R14_bcp*/];
+#else // Musl
-+ address sp = (address)uc->uc_mcontext.gp_regs[1];
-+ long rb_val = (long)uc->uc_mcontext.gp_regs[rb];
++ uint64_t reg_bcp = uc->uc_mcontext.gp_regs[14/*R14_bcp*/];
+#endif
- return ra != 1 || rb_val >= 0 ? NULL // not a stack bang
- : sp + rb_val; // banged address
- }
+ uint64_t istate_bcp = istate->bcp;
+ uint64_t code_start = (uint64_t)(((Method*)(istate->method))->code_base());
+ uint64_t code_end = (uint64_t)(((Method*)istate->method)->code_base() + ((Method*)istate->method)->code_size());
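Review bot: The musl branches added for thread_linux_ppc.cpp still index `gp_regs` with bare literals (`gp_regs[1/*REG_SP*/]`, `gp_regs[14/*R14_bcp*/]`) while the same patch now uses `PT_NIP` for the program counter. Since `<asm/ptrace.h>` is already included for the musl case, the named offsets from that header could be used here too, e.g. `uc->uc_mcontext.gp_regs[PT_R1]` and `uc->uc_mcontext.gp_regs[PT_R14]`, keeping the existing comments for the HotSpot register roles. This is a readability point only; the values are unchanged.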
diff --git a/community/openjdk8/icedtea-hotspot-musl.patch b/community/openjdk8/icedtea-hotspot-musl.patch
index cbbb5525f05..c18653b9b3b 100644
--- a/community/openjdk8/icedtea-hotspot-musl.patch
+++ b/community/openjdk8/icedtea-hotspot-musl.patch
@@ -82,8 +82,8 @@ index d2c10e0..20f657f 100644
-# include <fpu_control.h>
+# include <linux/types.h> /* provides __u64 */
- #ifdef BUILTIN_SIM
- #define REG_SP REG_RSP
+ #define REG_FP 29
+
diff --git openjdk/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp openjdk/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp
index 38388cb..2505ba8 100644
--- openjdk/hotspot/src/os_cpu/linux_x86/vm/os_linux_x86.cpp
diff --git a/community/openjdk8/icedtea-jdk-getmntent-buffer.patch b/community/openjdk8/icedtea-jdk-getmntent-buffer.patch
deleted file mode 100644
index 075a9d42385..00000000000
--- a/community/openjdk8/icedtea-jdk-getmntent-buffer.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-Give a much bigger buffer to getmntent_r.
-
-https://bugs.alpinelinux.org/issues/7093
-
-diff --git a/openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c b/openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c
-index c8500db..d0b85d6 100644
---- openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c
-+++ openjdk/jdk/src/solaris/native/sun/nio/fs/LinuxNativeDispatcher.c
-@@ -33,6 +33,7 @@
- #include <dlfcn.h>
- #include <errno.h>
- #include <mntent.h>
-+#include <limits.h>
-
- #include "sun_nio_fs_LinuxNativeDispatcher.h"
-
-@@ -173,8 +174,8 @@ Java_sun_nio_fs_LinuxNativeDispatcher_getmntent(JNIEnv* env, jclass this,
- jlong value, jobject entry)
- {
- struct mntent ent;
-- char buf[1024];
-- int buflen = sizeof(buf);
-+ char *buf = NULL;
-+ const size_t buflen = PATH_MAX * 4;
- struct mntent* m;
- FILE* fp = jlong_to_ptr(value);
- jsize len;
-@@ -183,10 +184,17 @@ Java_sun_nio_fs_LinuxNativeDispatcher_getmntent(JNIEnv* env, jclass this,
- char* dir;
- char* fstype;
- char* options;
-+ jint res = -1;
-
-- m = getmntent_r(fp, &ent, (char*)&buf, buflen);
-- if (m == NULL)
-+ buf = malloc(buflen);
-+ if (buf == NULL) {
-+ JNU_ThrowOutOfMemoryError(env, "native heap");
- return -1;
-+ }
-+ m = getmntent_r(fp, &ent, buf, buflen);
-+ if (m == NULL)
-+ goto out;
-+
- name = m->mnt_fsname;
- dir = m->mnt_dir;
- fstype = m->mnt_type;
-@@ -195,32 +203,35 @@ Java_sun_nio_fs_LinuxNativeDispatcher_getmntent(JNIEnv* env, jclass this,
- len = strlen(name);
- bytes = (*env)->NewByteArray(env, len);
- if (bytes == NULL)
-- return -1;
-+ goto out;
- (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)name);
- (*env)->SetObjectField(env, entry, entry_name, bytes);
-
- len = strlen(dir);
- bytes = (*env)->NewByteArray(env, len);
- if (bytes == NULL)
-- return -1;
-+ goto out;
- (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)dir);
- (*env)->SetObjectField(env, entry, entry_dir, bytes);
-
- len = strlen(fstype);
- bytes = (*env)->NewByteArray(env, len);
- if (bytes == NULL)
-- return -1;
-+ goto out;
- (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)fstype);
- (*env)->SetObjectField(env, entry, entry_fstype, bytes);
-
- len = strlen(options);
- bytes = (*env)->NewByteArray(env, len);
- if (bytes == NULL)
-- return -1;
-+ goto out;
- (*env)->SetByteArrayRegion(env, bytes, 0, len, (jbyte*)options);
- (*env)->SetObjectField(env, entry, entry_options, bytes);
-
-- return 0;
-+ res = 0;
-+out:
-+ free(buf);
-+ return res;
- }
-
- JNIEXPORT void JNICALL
diff --git a/community/openjdk8/icedtea-jdk-includes.patch b/community/openjdk8/icedtea-jdk-includes.patch
index 6443a1973d5..5acbb9efb86 100644
--- a/community/openjdk8/icedtea-jdk-includes.patch
+++ b/community/openjdk8/icedtea-jdk-includes.patch
@@ -53,17 +53,6 @@
/* O Flags */
---- openjdk.orig/jdk/src/solaris/native/java/net/PlainSocketImpl.c
-+++ openjdk/jdk/src/solaris/native/java/net/PlainSocketImpl.c
-@@ -28,7 +28,7 @@
- #include <sys/types.h>
- #include <sys/socket.h>
- #if defined(__linux__) && !defined(USE_SELECT)
--#include <sys/poll.h>
-+#include <poll.h>
- #endif
- #include <netinet/tcp.h> /* Defines TCP_NODELAY, needed for 2.6 */
- #include <netinet/in.h>
--- openjdk.orig/jdk/src/solaris/native/java/net/bsd_close.c
+++ openjdk/jdk/src/solaris/native/java/net/bsd_close.c
@@ -36,7 +36,7 @@
@@ -88,14 +77,14 @@
* Stack allocated by thread when doing blocking operation
--- openjdk.orig/jdk/src/solaris/native/java/net/net_util_md.h
+++ openjdk/jdk/src/solaris/native/java/net/net_util_md.h
-@@ -33,7 +33,7 @@
- #include <unistd.h>
-
- #ifndef USE_SELECT
+@@ -27,7 +27,7 @@
+ #define NET_UTILS_MD_H
+
+ #include <netdb.h>
-#include <sys/poll.h>
+#include <poll.h>
- #endif
-
+ #include <sys/socket.h>
+
int NET_Timeout(int s, long timeout);
--- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/DevPollArrayWrapper.c
+++ openjdk/jdk/src/solaris/native/sun/nio/ch/DevPollArrayWrapper.c
diff --git a/community/openjdk8/icedtea-jdk-musl.patch b/community/openjdk8/icedtea-jdk-musl.patch
index 97946ba424f..09f5c082e58 100644
--- a/community/openjdk8/icedtea-jdk-musl.patch
+++ b/community/openjdk8/icedtea-jdk-musl.patch
@@ -47,28 +47,6 @@ diff -ru openjdk.orig/jdk/src/solaris/native/java/net/Inet4AddressImpl.c openjdk
#define HAS_GLIBC_GETHOSTBY_R 1
#endif
-diff -ru openjdk.orig/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c openjdk/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c
---- openjdk.orig/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c 2017-01-25 04:22:03.000000000 +0000
-+++ openjdk/jdk/src/solaris/native/java/net/PlainDatagramSocketImpl.c 2017-02-06 11:23:47.047832009 +0000
-@@ -41,7 +41,6 @@
- #endif
- #ifdef __linux__
- #include <unistd.h>
--#include <sys/sysctl.h>
- #include <sys/utsname.h>
- #include <netinet/ip.h>
-
-diff -ru openjdk.orig/jdk/src/solaris/native/java/net/PlainSocketImpl.c openjdk/jdk/src/solaris/native/java/net/PlainSocketImpl.c
---- openjdk.orig/jdk/src/solaris/native/java/net/PlainSocketImpl.c 2017-01-25 04:22:03.000000000 +0000
-+++ openjdk/jdk/src/solaris/native/java/net/PlainSocketImpl.c 2017-02-06 11:23:47.047832009 +0000
-@@ -43,7 +43,6 @@
- #endif
- #ifdef __linux__
- #include <unistd.h>
--#include <sys/sysctl.h>
- #endif
-
- #include "jvm.h"
diff -ru openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c openjdk/jdk/src/solaris/native/java/net/linux_close.c
--- openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c 2017-01-25 04:22:03.000000000 +0000
+++ openjdk/jdk/src/solaris/native/java/net/linux_close.c 2017-02-06 11:23:47.047832009 +0000
@@ -80,7 +58,7 @@ diff -ru openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c openjdk/jdk/
+static int sigWakeup;
/*
- * The fd table and the number of file descriptors
+ * fdTable holds one entry per file descriptor, up to a certain
@@ -95,6 +95,9 @@
/*
* Setup the signal handler
@@ -92,8 +70,8 @@ diff -ru openjdk.orig/jdk/src/solaris/native/java/net/linux_close.c openjdk/jdk/
sa.sa_flags = 0;
sigemptyset(&sa.sa_mask);
diff -ru openjdk.orig/jdk/src/solaris/native/sun/nio/ch/NativeThread.c openjdk/jdk/src/solaris/native/sun/nio/ch/NativeThread.c
---- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-01-25 04:22:03.000000000 +0000
-+++ openjdk/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-02-06 11:23:47.051165409 +0000
+--- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-01-25 04:22:03.000000000 +0000
++++ openjdk/jdk/src/solaris/native/sun/nio/ch/NativeThread.c 2017-02-06 11:23:47.051165409 +0000
@@ -36,7 +36,7 @@
#include <pthread.h>
#include <sys/signal.h>
diff --git a/community/openjdk8/icedtea-jdk-tls-nist-curves.patch b/community/openjdk8/icedtea-jdk-tls-nist-curves.patch
deleted file mode 100644
index 75fb3af8cf0..00000000000
--- a/community/openjdk8/icedtea-jdk-tls-nist-curves.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Bug #7404 TLS negotiation error in OpenJDK 8 u131
-
-Fixes an OpenJDK 8 regression discovered in docker-library/openjdk#115
-on Alpine Linux 3.5 (u121) and 3.6 (u131) that causes TLS negotiation
-errors for some clients.
-
-Root cause appears to be OpenJDK announcing support for NIST curves the
-underlying NSS library does doesn't. This patch limits OpenJDK's
-announcement to elliptic curves 23 (secp256r1), 24 (secp384r1), and 25
-(secp521r1).
-
-Related issues:
-
-* https://github.com/docker-library/openjdk/issues/115
-* https://bugs.alpinelinux.org/issues/7404
-* https://access.redhat.com/discussions/2339811
-* https://bugzilla.redhat.com/show_bug.cgi?id=1022017
-* https://bugzilla.redhat.com/show_bug.cgi?id=1348525
-
---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-05-08 20:03:50.000000000 -0700
-+++ openjdk/jdk/src/share/classes/sun/security/ssl/EllipticCurvesExtension.java 2017-06-14 13:37:00.000000000 -0700
-@@ -168,21 +168,10 @@
- "contains no supported elliptic curves");
- }
- } else { // default curves
-- int[] ids;
-- if (requireFips) {
-- ids = new int[] {
-- // only NIST curves in FIPS mode
-- 23, 24, 25, 9, 10, 11, 12, 13, 14,
-- };
-- } else {
-- ids = new int[] {
-- // NIST curves first
-- 23, 24, 25, 9, 10, 11, 12, 13, 14,
-- // non-NIST curves
-- 22,
-- };
-- }
--
-+ int[] ids = new int[] {
-+ // NSS currently only supports these three NIST curves
-+ 23, 24, 25
-+ };
- idList = new ArrayList<>(ids.length);
- for (int curveId : ids) {
- if (isAvailableCurve(curveId)) {
diff --git a/community/php5/APKBUILD b/community/php5/APKBUILD
index 7e2fb19bc99..eb564943a7e 100644
--- a/community/php5/APKBUILD
+++ b/community/php5/APKBUILD
@@ -130,11 +130,11 @@ _peardir=/usr/share/pear
# - CVE-2018-14883
# 5.6.36-r0:
# - CVE-2018-5712
+# - CVE-2018-10547
# 5.6.34-r0:
# - CVE-2018-7584
# 5.6.33-r0:
# - CVE-2018-5711
-# - CVE-2018-5712
# 5.6.31-r0:
# - CVE-2017-9224
# - CVE-2017-9226
diff --git a/community/php7/APKBUILD b/community/php7/APKBUILD
index e7c20de6c6b..1477024edb3 100644
--- a/community/php7/APKBUILD
+++ b/community/php7/APKBUILD
@@ -25,7 +25,7 @@
pkgname=php7
_pkgreal=php
-pkgver=7.1.30
+pkgver=7.1.33
pkgrel=0
_apiver=20160303
_suffix=${pkgname#php}
@@ -181,6 +181,16 @@ ppc64le) options="$options !check";;
esac
# secfixes:
+# 7.1.33-r0:
+# - CVE-2019-11043
+# 7.1.32-r0:
+# - CVE-2019-13224
+# - CVE-2019-11042
+# - CVE-2019-11041
+# 7.1.30-r0:
+# - CVE-2019-11040
+# - CVE-2019-11039
+# - CVE-2019-11038
# 7.1.29-r0:
# - CVE-2019-11034
# - CVE-2019-11035
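Review bot: The new `secfixes` block keys three CVEs to `# 7.1.32-r0:`, but the first hunk of this file moves `pkgver` from 7.1.30 straight to 7.1.33, so this commit never builds a 7.1.32-r0 package. If the tooling that reads `secfixes` expects each key to be a release actually published on this branch, CVE-2019-13224, CVE-2019-11042 and CVE-2019-11041 would be better listed under `# 7.1.33-r0:` next to CVE-2019-11043. Whether a 7.1.32-r0 was ever published for this branch is not visible here, so treat this as something to confirm rather than a definite error.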
@@ -201,7 +211,6 @@ esac
# - CVE-2018-14884
# - CVE-2018-14883
# - CVE-2018-14851
-# - CVE-2018-7584
# - CVE-2018-5712
# - CVE-2016-10166
# 7.1.17-r0:
@@ -214,7 +223,6 @@ esac
# - CVE-2018-7584
# 7.1.13-r0:
# - CVE-2018-5711
-# - CVE-2018-5712
# 7.1.11-r0:
# - CVE-2016-1283
# 7.1.7-r0:
@@ -670,7 +678,7 @@ _mv() {
mv $@
}
-sha512sums="9b8ae29d149803768408261306ed409e6191f403e1dff9fa8d608608c19f112c4822b34b242da82034954223196958b6d74ddd709cf7fe97fbc70237e196c9d0 php-7.1.30.tar.bz2
+sha512sums="60ecf04a5fcb77ad839f5c5514f0d83e16aa9d3cc5250a428ff6cb43defc9d1626bdb5b5ea2671261cc273c51c18387d6267307e28c25d18ca98b212cec7cc99 php-7.1.33.tar.bz2
1c708de82d1086f272f484faf6cf6d087af7c31750cc2550b0b94ed723961b363f28a947b015b2dfc0765caea185a75f5d2c2f2b099c948b65c290924f606e4f php7-fpm.initd
cacce7bf789467ff40647b7319e3760c6c587218720538516e8d400baa75651f72165c4e28056cd0c1dc89efecb4d00d0d7823bed80b29136262c825ce816691 php7-fpm.logrotate
274bd7b0b2b7002fa84c779640af37b59258bb37b05cb7dd5c89452977d71807f628d91b523b5039608376d1f760f3425d165242ca75ee5129b2730e71c4e198 php7-module.conf
diff --git a/community/tor/APKBUILD b/community/tor/APKBUILD
index ae8eb19cc16..0ee183f6014 100644
--- a/community/tor/APKBUILD
+++ b/community/tor/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Christine Dodrill <me@christine.website>
pkgname=tor
pkgver=0.3.1.10
-pkgrel=0
+pkgrel=1
pkgdesc="Anonymous network connectivity"
url="https://www.torproject.org"
arch="all"
diff --git a/community/wireshark/APKBUILD b/community/wireshark/APKBUILD
index ed8e4c2bf95..62a3ec96eed 100644
--- a/community/wireshark/APKBUILD
+++ b/community/wireshark/APKBUILD
@@ -109,14 +109,6 @@ builddir="$srcdir"/$pkgname-$pkgver
# - CVE-2017-13765
# - CVE-2017-13766
# - CVE-2017-13767
-# 2.2.10-r0:
-# - CVE-2017-15191
-# - CVE-2017-15192
-# - CVE-2017-15193
-# 2.2.9-r0:
-# - CVE-2017-13765
-# - CVE-2017-13766
-# - CVE-2017-13767
# 2.2.8-r0:
# - CVE-2017-11406
# - CVE-2017-11407
diff --git a/main/abuild/0001-abuild-chdir-to-builddir-if-it-exists.patch b/main/abuild/0001-abuild-chdir-to-builddir-if-it-exists.patch
new file mode 100644
index 00000000000..d07b5a464e8
--- /dev/null
+++ b/main/abuild/0001-abuild-chdir-to-builddir-if-it-exists.patch
@@ -0,0 +1,30 @@
+From 2fe29d5829c0973ace1db350141b3c810ac888a7 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Wed, 3 Oct 2018 11:48:11 +0000
+Subject: [PATCH] abuild: chdir to $builddir if it exists
+
+chdir to $builddir before running prepare, build, package or check.
+---
+ abuild.in | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/abuild.in b/abuild.in
+index b1be8fc..8d69b4b 100644
+--- a/abuild.in
++++ b/abuild.in
+@@ -594,6 +594,12 @@ runpart() {
+ local part=$1
+ [ -n "$DEBUG" ] && msg "$part"
+ trap "die '$part failed'" EXIT
++ if [ -d "$builddir" ]; then
++ case "$part" in
++ prepare|build|package|check)
++ cd "$builddir";;
++ esac
++ fi
+ $part
+ trap - EXIT
+ }
+--
+2.18.1
+
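Review bot: The added `cd "$builddir";;` in `runpart()` has no failure handling of its own. If the script does not run under `set -e` (not visible in this hunk), a failed `cd` lets `$part` run in whatever directory was current. If it does, the `EXIT` trap set on the line above reports the misleading `'$part failed'`. An explicit `cd "$builddir" || die "cannot chdir to $builddir"` would make the failure unambiguous. APKBUILD functions that relied on starting in the previous working directory and used relative paths will also now run inside `$builddir`, so packages with an unusual `builddir` are worth a rebuild check.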
diff --git a/main/abuild/APKBUILD b/main/abuild/APKBUILD
index 08d954c9a36..97a246438f3 100644
--- a/main/abuild/APKBUILD
+++ b/main/abuild/APKBUILD
@@ -2,7 +2,7 @@
pkgname=abuild
pkgver=3.1.0
_ver=${pkgver%_git*}
-pkgrel=4
+pkgrel=5
pkgdesc="Script to build Alpine Packages"
url="https://git.alpinelinux.org/cgit/abuild/"
arch="all"
@@ -24,6 +24,7 @@ source="http://dev.alpinelinux.org/archive/abuild/abuild-$_ver.tar.xz
0001-abuild-add-env-option-to-require-tests.patch
0001-abuild-rootbld-run-testsuites-if-requested-also-hand.patch
0001-abuild-fix-race-when-stripping.patch
+ 0001-abuild-chdir-to-builddir-if-it-exists.patch
"
builddir="$srcdir/$pkgname-$_ver"
@@ -73,4 +74,5 @@ _rootbld() {
sha512sums="bb9093d67942e3a63e4e053692c0bca30940cae05955518206cd9f7029211a188b7f442456ae126e61cbdca224eddb31e967d5cf0637e16893163cc963871a52 abuild-3.1.0.tar.xz
e02cc44c8ad9dd61c9b80684b8cf5b64477a6fd6221cde9efea2a7594c6e7ce01a51f8bd4b80d72f82f7caf93217979fb0b354c420983891fa93f34c4252a035 0001-abuild-add-env-option-to-require-tests.patch
5d196f302715f5f12ca13b70baea59f49bf3180e35e7a15849e9f9bc24b42a13666ee96666eae02bd31d54f227bb7c1fd5ae2e06dcfe1d7eb41ecfd6b9b3d28e 0001-abuild-rootbld-run-testsuites-if-requested-also-hand.patch
-4399485506ce566b158f53b1e4cabf99994d34fa31ddd0c0a6e11d089420f09cf4f72599ae4540d7ad1d11b31a54be05e416e6e58ed4a8acf27e3b91c9df5e2e 0001-abuild-fix-race-when-stripping.patch"
+4399485506ce566b158f53b1e4cabf99994d34fa31ddd0c0a6e11d089420f09cf4f72599ae4540d7ad1d11b31a54be05e416e6e58ed4a8acf27e3b91c9df5e2e 0001-abuild-fix-race-when-stripping.patch
+4cdcd6c3076c1415c9fc2dfdae6634ecac18e43e33cde4fa978137baaf8927369c80e5e630085c68c4c82165234ab5962cf4373c04566c60de92fd62725508a8 0001-abuild-chdir-to-builddir-if-it-exists.patch"
diff --git a/main/ansible/APKBUILD b/main/ansible/APKBUILD
index 8413cbb1958..ab79ce646ff 100644
--- a/main/ansible/APKBUILD
+++ b/main/ansible/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=ansible
pkgver=2.4.6.0
-pkgrel=0
+pkgrel=1
pkgdesc="A configuration-management, deployment, task-execution, and multinode orchestration framework"
url="https://ansible.com"
arch="noarch"
@@ -13,10 +13,14 @@ _py=py2
depends="python2 $_py-yaml $_py-paramiko $_py-jinja2 $_py-markupsafe $_py-crypto"
makedepends="python2-dev py-setuptools"
subpackages="$pkgname-doc"
-source="$pkgname-$pkgver.tar.gz::https://releases.ansible.com/ansible/$pkgname-$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://releases.ansible.com/ansible/$pkgname-$pkgver.tar.gz
+ CVE-2019-10206.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 2.4.6.0-r1:
+# - CVE-2019-10206
# 2.4.6.0-r0:
# - CVE-2018-10855
@@ -39,4 +43,5 @@ package() {
install -m644 README.md "$pkgdir"/usr/share/doc/$pkgname
}
-sha512sums="3b4d4d8f3b1eb27861e7beac4557b608e3f9a77d4a24d33868c8d1be2b3fd9a57ef98e4685bbfd859d64a2f591487852fb5409ef00006036be4409eaf07d1b5b ansible-2.4.6.0.tar.gz"
+sha512sums="3b4d4d8f3b1eb27861e7beac4557b608e3f9a77d4a24d33868c8d1be2b3fd9a57ef98e4685bbfd859d64a2f591487852fb5409ef00006036be4409eaf07d1b5b ansible-2.4.6.0.tar.gz
+cdc065686625c1724e1f286f2a4986920195c8714fea640c90b663499aa9e8709c52e11590b7816dcd753c68c5c5787d964056bdd8252bc06ff6ca1731a38bc2 CVE-2019-10206.patch"
diff --git a/main/ansible/CVE-2019-10206.patch b/main/ansible/CVE-2019-10206.patch
new file mode 100644
index 00000000000..004035ce5b5
--- /dev/null
+++ b/main/ansible/CVE-2019-10206.patch
@@ -0,0 +1,125 @@
+From d0f7adc5c629475111cdf50bacdeccf247423cf2 Mon Sep 17 00:00:00 2001
+From: Brian Coca <bcoca@users.noreply.github.com>
+Date: Wed, 24 Jul 2019 16:00:20 -0400
+Subject: [PATCH 1/2] prevent templating of passwords from prompt (#59246)
+
+* prevent templating of passwords from prompt
+
+ fixes CVE-2019-10206
+
+(cherry picked from commit e9a37f8e3171105941892a86a1587de18126ec5b)
+---
+ .../fragments/dont_template_passwords_from_prompt.yml | 2 ++
+ lib/ansible/cli/__init__.py | 8 ++++++++
+ lib/ansible/utils/unsafe_proxy.py | 11 +++++++----
+ 3 files changed, 17 insertions(+), 4 deletions(-)
+ create mode 100644 changelogs/fragments/dont_template_passwords_from_prompt.yml
+
+diff --git a/changelogs/fragments/dont_template_passwords_from_prompt.yml b/changelogs/fragments/dont_template_passwords_from_prompt.yml
+new file mode 100644
+index 000000000000..86a0e6122f94
+--- /dev/null
++++ b/changelogs/fragments/dont_template_passwords_from_prompt.yml
+@@ -0,0 +1,2 @@
++bugfixes:
++ - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
+diff --git a/lib/ansible/cli/__init__.py b/lib/ansible/cli/__init__.py
+index 380ddc4e2a43..76d652f7c8f0 100644
+--- a/lib/ansible/cli/__init__.py
++++ b/lib/ansible/cli/__init__.py
+@@ -42,6 +42,7 @@
+ from ansible.release import __version__
+ from ansible.utils.path import unfrackpath
+ from ansible.utils.vars import load_extra_vars, load_options_vars
++from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
+ from ansible.vars.manager import VariableManager
+ from ansible.parsing.vault import PromptVaultSecret, get_file_vault_secret
+
+@@ -342,6 +343,13 @@ def ask_passwords(self):
+ except EOFError:
+ pass
+
++ # we 'wrap' the passwords to prevent templating as
++ # they can contain special chars and trigger it incorrectly
++ if sshpass:
++ sshpass = AnsibleUnsafeBytes(sshpass)
++ if becomepass:
++ becomepass = AnsibleUnsafeBytes(becomepass)
++
+ return (sshpass, becomepass)
+
+ def normalize_become_options(self):
+diff --git a/lib/ansible/utils/unsafe_proxy.py b/lib/ansible/utils/unsafe_proxy.py
+index 963798a08762..abefc1524914 100644
+--- a/lib/ansible/utils/unsafe_proxy.py
++++ b/lib/ansible/utils/unsafe_proxy.py
+@@ -55,7 +55,7 @@
+
+ from collections import Mapping, MutableSequence, Set
+
+-from ansible.module_utils.six import string_types, text_type
++from ansible.module_utils.six import string_types, text_type, binary_type
+ from ansible.module_utils._text import to_text
+
+
+@@ -70,15 +70,18 @@ class AnsibleUnsafeText(text_type, AnsibleUnsafe):
+ pass
+
+
++class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
++ pass
++
++
+ class UnsafeProxy(object):
+ def __new__(cls, obj, *args, **kwargs):
+ # In our usage we should only receive unicode strings.
+ # This conditional and conversion exists to sanity check the values
+ # we're given but we may want to take it out for testing and sanitize
+ # our input instead.
+- if isinstance(obj, string_types):
+- obj = to_text(obj, errors='surrogate_or_strict')
+- return AnsibleUnsafeText(obj)
++ if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
++ obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
+ return obj
+
+
+
+From 9f435f433ed5af11801a2b4c4da27ab413914b84 Mon Sep 17 00:00:00 2001
+From: Toshio Kuratomi <a.badger@gmail.com>
+Date: Wed, 7 Aug 2019 09:11:56 -0500
+Subject: [PATCH 2/2] Improve performane of UnsafeProxy __new__
+
+This adds an early return to the __new__ method of the UnsafeProxy object
+which avoids creating the unsafe object if the incoming object is already
+unsafe.
+
+(cherry picked from commit c1e23c22a9fedafaaa88c2119b26dc123ff1392e)
+(cherry picked from commit 490f17c7f959ce153765c1f033fdc30becf0faf7)
+---
+ lib/ansible/utils/unsafe_proxy.py | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ansible/utils/unsafe_proxy.py b/lib/ansible/utils/unsafe_proxy.py
+index abefc1524914..6221e7339390 100644
+--- a/lib/ansible/utils/unsafe_proxy.py
++++ b/lib/ansible/utils/unsafe_proxy.py
+@@ -76,11 +76,17 @@ class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
+
+ class UnsafeProxy(object):
+ def __new__(cls, obj, *args, **kwargs):
++ if isinstance(obj, AnsibleUnsafe):
++ # Already marked unsafe
++ return obj
++
+ # In our usage we should only receive unicode strings.
+ # This conditional and conversion exists to sanity check the values
+ # we're given but we may want to take it out for testing and sanitize
+ # our input instead.
+- if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
++ # Note that this does the wrong thing if we're *intentionall* passing a byte string to this
++ # function.
++ if isinstance(obj, string_types):
+ obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
+ return obj
+
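Review bot: `AnsibleUnsafeBytes(sshpass)` in `ask_passwords` protects the prompt passwords only while that exact wrapper object is passed along. Any later step that builds a new string from it (a decode, a concatenation, or a `to_text()` call like the one in `UnsafeProxy.__new__`) produces a value that is unmarked unless the caller wraps it again. The consumers of `sshpass`/`becomepass` lie outside these hunks, so that cannot be confirmed from the patch. Replacing the bare `pass` in `AnsibleUnsafeBytes` with a docstring such as `"""Byte string that must never be templated; re-wrap after any decode or conversion."""` would record the contract. A regression test asserting that a prompt password containing template delimiters comes back unrendered would pin the fix. The wrapper also assumes the value is already a byte string at this point, which depends on code earlier in `ask_passwords` that the hunk does not show.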
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index 1f96ed6af53..cedab541937 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=apache2
_pkgreal=httpd
-pkgver=2.4.39
+pkgver=2.4.41
pkgrel=0
pkgdesc="A high performance Unix-based HTTP server"
url="https://httpd.apache.org/"
@@ -52,6 +52,13 @@ options="suid"
builddir="$srcdir"/$_pkgreal-$pkgver
# secfixes:
+# 2.4.41-r0:
+# - CVE-2019-9517
+# - CVE-2019-10081
+# - CVE-2019-10082
+# - CVE-2019-10092
+# - CVE-2019-10097
+# - CVE-2019-10098
# 2.4.39-r0:
# - CVE-2019-0196
# - CVE-2019-0197
@@ -337,7 +344,7 @@ _lua() {
"$subpkgdir"/usr/lib/apache2/ || return 1
_load_mods
}
-sha512sums="9742202040b3dc6344b301540f54b2d3f8e36898410d24206a7f8dcecb1bea7d7230fabc7256752724558af249facf64bffe2cf678b8f7cccb64076737abfda7 httpd-2.4.39.tar.bz2
+sha512sums="350cc7dcd2c439e0590338fa6da3f44df44f9bb885c381e91f91b14c2f48597f6f0bbac0ea118a8a67eaa70ae7edbb769beace368643ed73f6daee44c307b335 httpd-2.4.41.tar.bz2
655f5a655fedd737fb881b5caa6f012f5a43a611c513cab6d03bb69be7cca7fd70b49cfca0a3f7a5e7c696ad7bc80495c44155ad82a411306be4964e67faae6e libressl-fix.patch
8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
diff --git a/main/aspell/APKBUILD b/main/aspell/APKBUILD
index e9ce10ab024..c17152a949c 100644
--- a/main/aspell/APKBUILD
+++ b/main/aspell/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
pkgname=aspell
pkgver=0.60.6.1
-pkgrel=12
+pkgrel=13
pkgdesc="A spell checker designed to eventually replace Ispell"
url="http://aspell.net/"
arch="all"
@@ -13,9 +13,15 @@ depends=
depends_dev="$pkgname-utils"
makedepends="ncurses-dev perl gettext-dev"
install=
-source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+ CVE-2019-17544.patch
+ "
builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 0.60.6.1-r13:
+# - CVE-2019-17544
+
prepare() {
cd "$builddir"
default_prepare
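Review bot: The rewritten `source=` line still fetches the tarball over plain `ftp://`, so the download is unauthenticated and the `sha512sums` entry at the end of the file is the only integrity control. Since the line is being edited anyway, consider `source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz`, which keeps the same archive and checksum. That also helps builders whose networks block outbound FTP.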
@@ -67,6 +73,5 @@ libs() {
rm -fr "$pkgdir"/usr/lib
}
-md5sums="e66a9c9af6a60dc46134fdacf6ce97d7 aspell-0.60.6.1.tar.gz"
-sha256sums="f52583a83a63633701c5f71db3dc40aab87b7f76b29723aeb27941eff42df6e1 aspell-0.60.6.1.tar.gz"
-sha512sums="f310c7590be98406589b5c26ca36a2ecfe4733f0b40fd6c176b96b7955ef2b5cd0ec9a3d770cf132146ae7a896042b4b698945112995ee1ae66adcfa5542247f aspell-0.60.6.1.tar.gz"
+sha512sums="f310c7590be98406589b5c26ca36a2ecfe4733f0b40fd6c176b96b7955ef2b5cd0ec9a3d770cf132146ae7a896042b4b698945112995ee1ae66adcfa5542247f aspell-0.60.6.1.tar.gz
+8df739702cc7591344359721eb7fff247b02404a60666cc94b1e8da063c711d87df5f97dcf22af05efdb54f4e2a38bbc0b6b2bb60386fc6e9c68e15fe2fa9535 CVE-2019-17544.patch"
diff --git a/main/aspell/CVE-2019-17544.patch b/main/aspell/CVE-2019-17544.patch
new file mode 100644
index 00000000000..5bdb4391514
--- /dev/null
+++ b/main/aspell/CVE-2019-17544.patch
@@ -0,0 +1,39 @@
+diff --git a/common/config.cpp b/common/config.cpp
+index b1e919b..51486a7 100644
+--- a/common/config.cpp
++++ b/common/config.cpp
+@@ -763,7 +763,7 @@ namespace acommon {
+ }
+ res.append(':');
+ }
+- if (res.back() == ':') res.pop_back();
++ if (!res.empty() && res.back() == ':') res.pop_back();
+ }
+
+ struct ListAddHelper : public AddableContainer
+diff --git a/common/file_util.cpp b/common/file_util.cpp
+index 8515832..56ea501 100644
+--- a/common/file_util.cpp
++++ b/common/file_util.cpp
+@@ -181,6 +181,7 @@ namespace acommon {
+ while ( (dir = els.next()) != 0 )
+ {
+ path = dir;
++ if (path.empty()) continue;
+ if (path.back() != '/') path += '/';
+ unsigned dir_len = path.size();
+ path += filename;
+diff --git a/common/getdata.cpp b/common/getdata.cpp
+index 7e822c9..1b04823 100644
+--- a/common/getdata.cpp
++++ b/common/getdata.cpp
+@@ -64,7 +64,7 @@ namespace acommon {
+ char * unescape(char * dest, const char * src)
+ {
+ while (*src) {
+- if (*src == '\\') {
++ if (*src == '\\' && src[1]) {
+ ++src;
+ switch (*src) {
+ case 'n': *dest = '\n'; break;
+
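Review bot: This patch file has no provenance header. It starts directly at `diff --git a/common/config.cpp`, whereas the ansible and asterisk patches added in the same commit carry `From`, `Date` and `Subject` lines, so a later reviewer cannot check the three hunks against the upstream fix for CVE-2019-17544. Adding a short preamble with the origin, for example `Upstream: <upstream-commit-url>` (placeholder, the page does not give it), plus one line on what each hunk guards would close that gap. Those are the `res.back()` and `path.back()` calls on an empty string and the `++src` past a trailing backslash in `unescape`. The functions touched by all three hunks start and end outside the visible context.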
diff --git a/main/asterisk/APKBUILD b/main/asterisk/APKBUILD
index 809627e66d1..e34f50cab08 100644
--- a/main/asterisk/APKBUILD
+++ b/main/asterisk/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Timo Teras <timo.teras@iki.fi>
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=asterisk
-pkgver=15.6.1
+pkgver=15.6.2
pkgrel=0
pkgdesc="Asterisk: A Module Open Source PBX System"
pkgusers="asterisk"
@@ -30,6 +30,10 @@ _download="http://downloads.asterisk.org/pub/telephony/asterisk/releases"
source="$_download/asterisk-$pkgver.tar.gz
http://dev.alpinelinux.org/~tteras/asterisk-addon-mp3-r201.patch.gz
musl-mutex-init.patch
+ AST-2019-001-15.patch
+ AST-2019-002-15.patch
+ AST-2019-003-15.patch
+ AST-2019-004-15.patch
asterisk.initd
asterisk.confd
@@ -37,6 +41,14 @@ source="$_download/asterisk-$pkgver.tar.gz
builddir="$srcdir/$pkgname-${pkgver/_/-}"
+# secfixes:
+# 15.6.2-r0:
+# - CVE-2018-19278
+# - CVE-2019-7251
+# - CVE-2019-12827
+# - CVE-2019-13161
+# - CVE-2019-15297
+
prepare() {
default_prepare
update_config_sub
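Review bot: The new `secfixes` entry lists five CVE ids under `15.6.2-r0`, while the `source=` hunk above adds four patches named after AST advisories, and nothing in the file ties one to the other. A reader auditing the package cannot tell which ids are covered by a local patch and which are expected to come from the upstream 15.6.2 tarball. Annotating each line in the form `# - <CVE id> (<AST-…-15.patch | upstream 15.6.2>)` (pattern only, mapping to be filled in by the maintainer) would show which patch can be dropped on the next version bump.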
@@ -222,9 +234,13 @@ sound_en() {
chown -R asterisk:asterisk "$subpkgdir"/var/*/asterisk
}
-sha512sums="b46db036ea1d885a5cf7ddee5a56efc7c02299cf1b8ea87f50d8f84e8a93437ce39671ee33256b5f8d524b1b4cc44fde6eacb86f0cc481f7d74fdd901be40d42 asterisk-15.6.1.tar.gz
+sha512sums="7dac70149769a3be4c6ebe63b4ee0028161c2a96237a4aeb3adac82af81dcad8faf9490f82603bbe6b150eb5f45456dbb10c9877d8bde05896a32b1449e4aa42 asterisk-15.6.2.tar.gz
aacef3f4796fb1abd33266998b53909cb4b36e7cc5ad2f7bac68bdc43e9a9072d9a4e2e7e681bddfa31f3d04575eb248afe6ea95da780c67e4829c1e22adfe1b asterisk-addon-mp3-r201.patch.gz
f72c2e04de80d3ed9ce841308101383a1655e6da7a3c888ad31fffe63d1280993e08aefcf8e638316d439c68b38ee05362c87503fca1f36343976a01af9d6eb1 musl-mutex-init.patch
+3528d29a667f4e27996d87797962100be21743d302eb94cc8828fa8985cf22b961c10b1f4a4e333fee92514a6809c9cf43c3a9a53466b1b8e798ac85f9f193d9 AST-2019-001-15.patch
+94f81acebe10455a5e13df961a41d8c51ddc1399316c6758ff107771c6b785de7aa22aa73573718539fda546d351964714583140e6ef529d7de984cdd1affe18 AST-2019-002-15.patch
+19cbcaf8ef8e525193631e2b1f47f3cf2d4075ca134e96b28df7bcad68530d216a9d7dcbcec8a444590d87e6d1894f6e7cd6ad0e2cb5852656a840164b8e1dc3 AST-2019-003-15.patch
+4c2da08e53ba1ffff8df3152aab2751dcbc3d075cd4863a00a16899fe48caf50119ce335a5e9b923ab894c5f2ea9bfad48110a4e49d337e6457f845bba789d92 AST-2019-004-15.patch
0044c5db468ec8f2385d18d476f89976f6d036448583a4ef8017ce7a6f8f72105337e6b20037ffe47f561d2877fc9c86720aef23ab037df89b36dc140a5924c4 asterisk.initd
ab6b6f08ff43268cbb1abb7ed7d678949991ba495682a644bbaeb017d6adbff0a43297905fd73ae8db1786a28d5b5904f1bc253209a0e388c8a27f26c6ce14ed asterisk.confd
7591d2faf539d05d9ee4e431c78a5e20686721fd79221ad94dffeeaff9282220b09cb9aec214bd7a8d12affaec0276c9c91e6e21af8b6712c0a9502b60b02f2b asterisk.logrotate"
diff --git a/main/asterisk/AST-2019-001-15.patch b/main/asterisk/AST-2019-001-15.patch
new file mode 100644
index 00000000000..f7a68be4c0d
--- /dev/null
+++ b/main/asterisk/AST-2019-001-15.patch
@@ -0,0 +1,34 @@
+From 476d60f850c75ca9142aaf783992db74efea6a49 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Wed, 30 Jan 2019 12:25:55 -0700
+Subject: [PATCH] res_pjsip_sdp_rtp: Fix return code from apply_negotiated_sdp_stream
+
+apply_negotiated_sdp_stream was returning a "1" when no joint
+capabilities were found on an outgoing call instead of a "-1".
+This indicated to res_pjsip_session that the handler DID handle
+the sdp when in fact it didn't. Without the appropriate setup,
+a subsequent media frame coming in would have an invalid stream_num
+and cause a seg fault when the stream was attempted to be retrieved.
+
+apply_negotiated_sdp_stream now returns the correct "-1" and any
+media is now discarded before it reaches the core stream processing.
+
+ASTERISK-28620
+Reported by: Sotiris Ganouris
+
+Change-Id: Ia095cb16b4862f2f6ad6d2d2a77453fa2542371f
+---
+
+diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c
+index e2067cc..7f5a859 100644
+--- a/res/res_pjsip_sdp_rtp.c
++++ b/res/res_pjsip_sdp_rtp.c
+@@ -1941,7 +1941,7 @@
+ }
+
+ if (set_caps(session, session_media, session_media_transport, remote_stream, 0, asterisk_stream)) {
+- return 1;
++ return -1;
+ }
+
+ /* Set the channel uniqueid on the RTP instance now that it is becoming active */
diff --git a/main/asterisk/AST-2019-002-15.patch b/main/asterisk/AST-2019-002-15.patch
new file mode 100644
index 00000000000..29f4299e3d1
--- /dev/null
+++ b/main/asterisk/AST-2019-002-15.patch
@@ -0,0 +1,40 @@
+From ed649e7f5ffcdc1a2dc4b6b2456311d5a1918e24 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Wed, 12 Jun 2019 12:03:04 -0600
+Subject: [PATCH] res_pjsip_messaging: Check for body in in-dialog message
+
+We now check that a body exists and it has a length > 0 before
+attempting to process it.
+
+ASTERISK-28447
+Reported-by: Gil Richard
+
+Change-Id: Ic469544b22ab848734636588d4c93426cc6f4b1f
+---
+ res/res_pjsip_messaging.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/res/res_pjsip_messaging.c b/res/res_pjsip_messaging.c
+index 224721e7f1..cf9d484ab5 100644
+--- a/res/res_pjsip_messaging.c
++++ b/res/res_pjsip_messaging.c
+@@ -91,10 +91,13 @@ static enum pjsip_status_code check_content_type_in_dialog(const pjsip_rx_data *
+ static const pj_str_t text = { "text", 4};
+ static const pj_str_t application = { "application", 11};
+
++ if (!(rdata->msg_info.msg->body && rdata->msg_info.msg->body->len > 0)) {
++ return res;
++ }
++
+ /* We'll accept any text/ or application/ content type */
+- if (rdata->msg_info.msg->body && rdata->msg_info.msg->body->len
+- && (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
+- || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0)) {
++ if (pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &text) == 0
++ || pj_stricmp(&rdata->msg_info.msg->body->content_type.type, &application) == 0) {
+ res = PJSIP_SC_OK;
+ } else if (rdata->msg_info.ctype
+ && (pj_stricmp(&rdata->msg_info.ctype->media.type, &text) == 0
+--
+2.21.0
+
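Review bot: The new guard returns `res` when the body is missing or empty, but `res` is initialised above the hunk. The status code sent for a body-less in-dialog MESSAGE therefore cannot be read from this patch. The early return also changes which requests reach the `else if (rdata->msg_info.ctype ...)` branch. Before, it was evaluated for body-less requests as well; now it runs only when a non-empty body exists. A comment on the guard, e.g. `/* No body to inspect: return the default status without consulting ctype */`, would make that intent explicit. `check_content_type_in_dialog` continues past the end of the hunk.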
diff --git a/main/asterisk/AST-2019-003-15.patch b/main/asterisk/AST-2019-003-15.patch
new file mode 100644
index 00000000000..0c8f89a7a16
--- /dev/null
+++ b/main/asterisk/AST-2019-003-15.patch
@@ -0,0 +1,39 @@
+From a8cc63a8b2b973d6d34251d74b8d4576d6796dce Mon Sep 17 00:00:00 2001
+From: Francesco Castellano <francesco.castellano@messagenet.it>
+Date: Fri, 28 Jun 2019 18:15:31 +0200
+Subject: [PATCH] chan_sip: Handle invalid SDP answer to T.38 re-invite
+
+The chan_sip module performs a T.38 re-invite using a single media
+stream of udptl, and expects the SDP answer to be the same.
+
+If an SDP answer is received instead that contains an additional
+media stream with no joint codec a crash will occur as the code
+assumes that at least one joint codec will exist in this
+scenario.
+
+This change removes this assumption.
+
+ASTERISK-28465
+
+Change-Id: I8b02845b53344c6babe867a3f0a5231045c7ac87
+---
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index fe2ae1e..6251878 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -10921,7 +10921,13 @@
+ ast_rtp_lookup_mime_multiple2(s3, NULL, newnoncodeccapability, 0, 0));
+ }
+
+- if (portno != -1 || vportno != -1 || tportno != -1) {
++ /* When UDPTL is negotiated it is expected that there are no compatible codecs as audio or
++ * video is not being transported, thus we continue in this function further up if that is
++ * the case. If we receive an SDP answer containing both a UDPTL stream and another media
++ * stream however we need to check again to ensure that there is at least one joint codec
++ * instead of assuming there is one.
++ */
++ if ((portno != -1 || vportno != -1 || tportno != -1) && ast_format_cap_count(newjointcapability)) {
+ /* We are now ready to change the sip session and RTP structures with the offered codecs, since
+ they are acceptable */
+ unsigned int framing;
diff --git a/main/asterisk/AST-2019-004-15.patch b/main/asterisk/AST-2019-004-15.patch
new file mode 100644
index 00000000000..561e3d4ed3f
--- /dev/null
+++ b/main/asterisk/AST-2019-004-15.patch
@@ -0,0 +1,171 @@
+From f361e65dc2c90aaee9472f97b54083e0a2d49303 Mon Sep 17 00:00:00 2001
+From: Kevin Harwell <kharwell@digium.com>
+Date: Tue, 20 Aug 2019 15:05:45 -0500
+Subject: [PATCH] AST-2019-004 - res_pjsip_t38.c: Add NULL checks before using session media
+
+After receiving a 200 OK with a declined stream in response to a T.38
+initiated re-invite Asterisk would crash when attempting to dereference
+a NULL session media object.
+
+This patch checks to make sure the session media object is not NULL before
+attempting to use it.
+
+ASTERISK-28495
+patches:
+ ast-2019-004.patch submitted by Alexei Gradinari (license 5691)
+
+Change-Id: I168f45f4da29cfe739acf87e597baa2aae7aa572
+---
+
+diff --git a/res/res_pjsip_t38.c b/res/res_pjsip_t38.c
+index fae6fbb..624139f 100644
+--- a/res/res_pjsip_t38.c
++++ b/res/res_pjsip_t38.c
+@@ -203,7 +203,6 @@
+ {
+ RAII_VAR(struct ast_sip_session *, session, obj, ao2_cleanup);
+ RAII_VAR(struct ast_datastore *, datastore, ast_sip_session_get_datastore(session, "t38"), ao2_cleanup);
+- struct ast_sip_session_media *session_media;
+
+ if (!datastore) {
+ return 0;
+@@ -212,8 +211,7 @@
+ ast_debug(2, "Automatically rejecting T.38 request on channel '%s'\n",
+ session->channel ? ast_channel_name(session->channel) : "<gone>");
+
+- session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(session, session_media, datastore->data, T38_REJECTED);
++ t38_change_state(session, NULL, datastore->data, T38_REJECTED);
+ ast_sip_session_resume_reinvite(session);
+
+ return 0;
+@@ -322,28 +320,37 @@
+ int index;
+
+ session_media = session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(session, session_media, state, T38_ENABLED);
++ if (!session_media) {
++ ast_log(LOG_WARNING, "Received %d response to T.38 re-invite on '%s' but no active session media\n",
++ status.code, session->channel ? ast_channel_name(session->channel) : "unknown channel");
++ } else {
++ t38_change_state(session, session_media, state, T38_ENABLED);
+
+- /* Stop all the streams in the stored away active state, they'll go back to being active once
+- * we reinvite back.
+- */
+- for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
+- struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
++ /* Stop all the streams in the stored away active state, they'll go back to being active once
++ * we reinvite back.
++ */
++ for (index = 0; index < AST_VECTOR_SIZE(&state->media_state->sessions); ++index) {
++ struct ast_sip_session_media *session_media = AST_VECTOR_GET(&state->media_state->sessions, index);
+
+- if (session_media && session_media->handler && session_media->handler->stream_stop) {
+- session_media->handler->stream_stop(session_media);
++ if (session_media && session_media->handler && session_media->handler->stream_stop) {
++ session_media->handler->stream_stop(session_media);
++ }
+ }
++
++ return 0;
+ }
+ } else {
+ session_media = session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(session, session_media, state, T38_REJECTED);
+-
+- /* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
+- ast_sip_session_media_state_free(state->media_state);
+- state->media_state = NULL;
+- ast_sip_session_media_state_reset(session->pending_media_state);
+ }
+
++ /* If no session_media then response contained a declined stream, so disable */
++ t38_change_state(session, NULL, state, session_media ? T38_REJECTED : T38_DISABLED);
++
++ /* Abort this attempt at switching to T.38 by resetting the pending state and freeing our stored away active state */
++ ast_sip_session_media_state_free(state->media_state);
++ state->media_state = NULL;
++ ast_sip_session_media_state_reset(session->pending_media_state);
++
+ return 0;
+ }
+
+@@ -426,12 +433,10 @@
+ /* Negotiation can not take place without a valid max_ifp value. */
+ if (!parameters->max_ifp) {
+ if (data->session->t38state == T38_PEER_REINVITE) {
+- session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(data->session, session_media, state, T38_REJECTED);
++ t38_change_state(data->session, NULL, state, T38_REJECTED);
+ ast_sip_session_resume_reinvite(data->session);
+ } else if (data->session->t38state == T38_ENABLED) {
+- session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(data->session, session_media, state, T38_DISABLED);
++ t38_change_state(data->session, NULL, state, T38_DISABLED);
+ ast_sip_session_refresh(data->session, NULL, NULL, NULL,
+ AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
+ state->media_state = NULL;
+@@ -454,6 +459,11 @@
+ state->our_parms.version = MIN(state->our_parms.version, state->their_parms.version);
+ state->our_parms.rate_management = state->their_parms.rate_management;
+ session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
++ if (!session_media) {
++ ast_log(LOG_ERROR, "Failed to negotiate parameters for reinvite on channel '%s' (No pending session media).\n",
++ data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
++ break;
++ }
+ ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
+ t38_change_state(data->session, session_media, state, T38_ENABLED);
+ ast_sip_session_resume_reinvite(data->session);
+@@ -468,8 +478,13 @@
+ }
+ state->our_parms = *parameters;
+ session_media = media_state->default_session[AST_MEDIA_TYPE_IMAGE];
++ if (!session_media) {
++ ast_log(LOG_ERROR, "Failed to negotiate parameters on channel '%s' (No default session media).\n",
++ data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
++ break;
++ }
+ ast_udptl_set_local_max_ifp(session_media->udptl, state->our_parms.max_ifp);
+- t38_change_state(data->session, session_media, state, T38_LOCAL_REINVITE);
++ t38_change_state(data->session, NULL, state, T38_LOCAL_REINVITE);
+ ast_sip_session_refresh(data->session, NULL, t38_reinvite_sdp_cb, t38_reinvite_response_cb,
+ AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, media_state);
+ }
+@@ -478,12 +493,10 @@
+ case AST_T38_REFUSED:
+ case AST_T38_REQUEST_TERMINATE: /* Shutdown T38 */
+ if (data->session->t38state == T38_PEER_REINVITE) {
+- session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(data->session, session_media, state, T38_REJECTED);
++ t38_change_state(data->session, NULL, state, T38_REJECTED);
+ ast_sip_session_resume_reinvite(data->session);
+ } else if (data->session->t38state == T38_ENABLED) {
+- session_media = data->session->active_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
+- t38_change_state(data->session, session_media, state, T38_DISABLED);
++ t38_change_state(data->session, NULL, state, T38_DISABLED);
+ ast_sip_session_refresh(data->session, NULL, NULL, NULL, AST_SIP_SESSION_REFRESH_METHOD_INVITE, 1, state->media_state);
+ state->media_state = NULL;
+ }
+@@ -493,6 +506,11 @@
+
+ if (data->session->t38state == T38_PEER_REINVITE) {
+ session_media = data->session->pending_media_state->default_session[AST_MEDIA_TYPE_IMAGE];
++ if (!session_media) {
++ ast_log(LOG_ERROR, "Failed to request parameters for reinvite on channel '%s' (No pending session media).\n",
++ data->session->channel ? ast_channel_name(data->session->channel) : "unknown channel");
++ break;
++ }
+ parameters.max_ifp = ast_udptl_get_far_max_ifp(session_media->udptl);
+ parameters.request_response = AST_T38_REQUEST_NEGOTIATE;
+ ast_queue_control_data(data->session->channel, AST_CONTROL_T38_PARAMETERS, &parameters, sizeof(parameters));
+@@ -788,7 +806,7 @@
+
+ if ((session->t38state == T38_REJECTED) || (session->t38state == T38_DISABLED)) {
+ ast_debug(3, "Declining; T.38 state is rejected or declined\n");
+- t38_change_state(session, session_media, state, T38_DISABLED);
++ t38_change_state(session, NULL, state, T38_DISABLED);
+ return 0;
+ }
+
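Review bot: In what appears to be the success branch of the T.38 re-invite response callback, the loop-local `struct ast_sip_session_media *session_media` shadows the outer `session_media`, whose value now selects the final state in `session_media ? T38_REJECTED : T38_DISABLED`. The code behaves correctly, but the shadowing makes that later test easy to misread; renaming the loop variable, e.g. `struct ast_sip_session_media *stream_media = AST_VECTOR_GET(&state->media_state->sessions, index);`, removes the ambiguity. The comment above the final t38_change_state call describes only the declined-stream case, while the same path is taken when the other branch finds no pending image session, so it could read `/* No session_media (declined stream or no pending image stream): disable instead of reject */`. The enclosing functions start and end outside the inner hunks.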
diff --git a/main/avahi/APKBUILD b/main/avahi/APKBUILD
index 4d76fbc2c84..df85dd28b31 100644
--- a/main/avahi/APKBUILD
+++ b/main/avahi/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=avahi
pkgver=0.6.32
-pkgrel=4
+pkgrel=5
pkgdesc="A multicast/unicast DNS-SD framework"
url="http://www.avahi.org/"
arch="all"
@@ -20,9 +20,16 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-tools $pkgname-glib
py-avahi:py"
source="https://github.com/lathiat/avahi/releases/download/v$pkgver/avahi-$pkgver.tar.gz
openrc-run.patch
+ CVE-2017-6519-and-CVE-2018-1000845.patch
"
builddir="$srcdir"/$pkgname-$pkgver
+
+# secfixes:
+# 0.6.32-r5:
+# - CVE-2017-6519
+# - CVE-2018-1000845
+
prepare() {
default_prepare
autoreconf -vif
@@ -115,7 +122,6 @@ py() {
mkdir -p "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/py* "$subpkgdir"/usr/lib/
}
-
-
sha512sums="6f8d0a64292439cbb989c531a4ba2f25a53ee9cf7ad9df04dedf73149489a92612f3b5955e10aa4b1c76496c34b90ad75590e8aa49468249508267c1c8b899ee avahi-0.6.32.tar.gz
-2754d11bf027676f30de6322eb9251ae83df5ef8f7b354793263224d432514a49e021d8f819f5525eeaeead04b544e15bfd2183ac8bc9f97e871d246e2b6a108 openrc-run.patch"
+2754d11bf027676f30de6322eb9251ae83df5ef8f7b354793263224d432514a49e021d8f819f5525eeaeead04b544e15bfd2183ac8bc9f97e871d246e2b6a108 openrc-run.patch
+dc5c9fde8d1244e70e3cf1c09bc274b094458d2fad982f5a79bcbf3cbddc43a0cf79e9ba106b3b0446a6f0b006fd3beeee48a03bd3d8a06cf8d9821f6945ffed CVE-2017-6519-and-CVE-2018-1000845.patch"
diff --git a/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch b/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch
new file mode 100644
index 00000000000..513489fa5b7
--- /dev/null
+++ b/main/avahi/CVE-2017-6519-and-CVE-2018-1000845.patch
@@ -0,0 +1,27 @@
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index a2cb19a..a2580e3 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+
+ if (avahi_dns_packet_is_query(p)) {
+ int legacy_unicast = 0;
++ char t[AVAHI_ADDRESS_STR_MAX];
+
+ /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the
+ * AR section completely here, so far. Until the day we add
+@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
+ legacy_unicast = 1;
+ }
+
++ if (!is_mdns_mcast_address(dst_address) &&
++ !avahi_interface_address_on_link(i, src_address)) {
++
++ avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol);
++ return;
++ }
++
+ if (legacy_unicast)
+ reflect_legacy_unicast_query_packet(s, p, i, src_address, port);
+
+
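Review bot: This patch file starts directly at the `diff --git` line, so nothing in it records where the change comes from, whereas the other security patches added in this commit carry a `From`/`Subject` header or an `X-Git-Url` line. A short header naming the source, for example `Origin: <upstream commit URL>`, would let a later maintainer verify the backport against upstream. In dispatch_packet the new drop of off-link unicast queries also has no comment; something like `/* Ignore unicast queries whose source is not on this interface's link */` would explain why the packet is discarded before the legacy-unicast reflection. dispatch_packet's body continues outside the hunk.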
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index 6406784634a..b23f4a683cd 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -52,7 +52,6 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz
# - CVE-2017-3143
# - CVE-2017-3141
# - CVE-2017-3140
-# - CVE-2017-3145
# 9.11.2_p1-r0:
# - CVE-2017-3145
# 9.11.0_p5-r0:
diff --git a/main/binutils/APKBUILD b/main/binutils/APKBUILD
index 10a410b7bd5..6ac5bda4808 100644
--- a/main/binutils/APKBUILD
+++ b/main/binutils/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=binutils
pkgver=2.30
-pkgrel=1
+pkgrel=2
pkgdesc="Tools necessary to build programs"
url="https://www.gnu.org/software/binutils/"
depends=""
@@ -15,6 +15,15 @@ source="http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.bz2
fix-powerpc64-out-ot-line-save-restore.patch
binutils-ld-fix-static-linking.patch
gold-mips.patch
+ CVE-2018-7208.patch
+ CVE-2018-6543.patch
+ CVE-2018-7643.patch
+ CVE-2018-6759.patch
+ CVE-2018-7642.patch
+ CVE-2018-7569.patch
+ CVE-2018-6872.patch
+ CVE-2018-7568.patch
+ CVE-2018-8945.patch
"
builddir="$srcdir/$pkgname-$pkgver"
@@ -27,6 +36,17 @@ fi
# secfixes:
# 2.28-r1:
# - CVE-2017-7614
+# 2.30-r2:
+# - CVE-2018-7208
+# - CVE-2018-6543
+# - CVE-2018-7643
+# - CVE-2018-6759
+# - CVE-2018-7642
+# - CVE-2018-7570
+# - CVE-2018-7569
+# - CVE-2018-6872
+# - CVE-2018-7568
+# - CVE-2018-8945
build() {
local _sysroot=/
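Review bot: The new `2.30-r2` secfixes block lists `CVE-2018-7570`, but the `source` list and `sha512sums` changed in this same file add no `CVE-2018-7570.patch`, and none of the nine added patch names covers it. Unless one of the other patches is known to fix that issue as well, the entry should be dropped or the missing patch added, because scanners that consume Alpine's secfixes data would treat 2.30-r2 as no longer affected. The block is also appended below `2.28-r1`, while the cups and curl APKBUILDs in this commit put the newest release first; moving `# 2.30-r2:` above `# 2.28-r1:` keeps the ordering consistent.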
@@ -111,4 +131,13 @@ gold() {
sha512sums="c3ce91aa20f058ec589bf18c722bf651331b394db6378900cc813cc0eea3a331a96584d5ae090630b627369510397dccc9edfcd43d4aeefc99579f277a05c72c binutils-2.30.tar.bz2
29791af5a09387d16fc4272dc7a10f71aed5a13187187af533bbe365506d6e6b581030d3f9bb4b7d8e300fb29b8b37b5f48027d86e33a8395b1a6d2dfb2d895a fix-powerpc64-out-ot-line-save-restore.patch
ecee33b0e435aa704af1c334e560f201638ff79e199aa11ed78a72f7c9b46f85fbb227af5748e735fd681d1965fcc42ac81b0c8824e540430ce0c706c81e8b49 binutils-ld-fix-static-linking.patch
-f55cf2e0bf82f97583a1abe10710e4013ecf7d64f1da2ef8659a44a06d0dd8beaf58dab98a183488ea137f03e32d62efc878d95f018f836f8cec870bc448556f gold-mips.patch"
+f55cf2e0bf82f97583a1abe10710e4013ecf7d64f1da2ef8659a44a06d0dd8beaf58dab98a183488ea137f03e32d62efc878d95f018f836f8cec870bc448556f gold-mips.patch
+13d68a99c63ba82c301c51e0747897cb0ee0e199606f1e285d02b5035a2309eabb057fd372fe3ff5bad48119a6ed7968385d0ce2ead776c72a77f4174d2ca777 CVE-2018-7208.patch
+6218beebc64299236073dc69acf6b1959b51abe55f3137b847c7bf66a76d030e5fa40fa2771cc8987559680c87f5c7e7eb5f8026cc62a6ea6f301a3b17e5fad4 CVE-2018-6543.patch
+da7efaea69795bec35324748929befd504edf11454bca5cdd4a408ae144cd8783e45088277d5a2460a7cbd0f19222270f4249fc71bcf5359d1d96ade7ce8f6b1 CVE-2018-7643.patch
+3a424369a49b5f970569748a9405c2927bfc5a300bced5ba1d2e9ce95757225d1727f8d05fbfb7771f7e88e67eaa895d9bece58a5004ef3ce2a83b43fc6f4452 CVE-2018-6759.patch
+a75552fc21209b34a62af9861f8ce25fe01f4dfec13a14918b2d77dfda77b49983abddc4cd0f1ae2901ef385731e56f98fe603911c9a757584b4dc7e45534efa CVE-2018-7642.patch
+9ecb0bcf73f2c6e6f41875557ad0ac77e968ee4e7de0fd69d3a989109b2d648fe2441da720befa5c975d25cc8241570914229897ccdc3b6e6ff05e424a01fe1c CVE-2018-7569.patch
+cef3d0a50eda9296359f60feec7feb91610b500c74d0c42517a7f10b5b8b228257dbb6af55cf480d17d6532acb5dca708db1928aa4c6bf2d5c57b7a180a3d08a CVE-2018-6872.patch
+b73a5fe747f6a967ba4bcfeca59286f1d7b1324841860d31dd914eb96ab61dd5241cb8b6a8491e29aa9ccd63d46bee92e8635f6d4c49b7da46593d43cdbc2e55 CVE-2018-7568.patch
+3578788a75e720aa17e92bf28074ee8bee764a7a6335ef6a1d766b83a67aae27bf806f1354cd919fc69bfb5e9c6579cd01449156c188ac45f1e16e33d10b986a CVE-2018-8945.patch"
diff --git a/main/binutils/CVE-2018-6543.patch b/main/binutils/CVE-2018-6543.patch
new file mode 100644
index 00000000000..266140517ea
--- /dev/null
+++ b/main/binutils/CVE-2018-6543.patch
@@ -0,0 +1,28 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=binutils%2Fobjdump.c;h=d8dca90f40c87c9bfd437c374f123ba5625a5b1d;hp=6c4d936b266a29a2cab7292978ec8f725b4cf1aa;hb=f2023ce7e8d70b0155cc6206c901e185260918f0;hpb=35f48e217ab6f909510bf9ca07325ec16122ae88
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 6c4d936..d8dca90 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -2466,6 +2466,7 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
+ struct dwarf_section *section = &debug_displays [debug].section;
+ bfd *abfd = (bfd *) file;
+ bfd_byte *contents;
++ bfd_size_type amt;
+
+ if (section->start != NULL)
+ {
+@@ -2480,9 +2481,11 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
+ section->num_relocs = 0;
+ section->address = bfd_get_section_vma (abfd, sec);
+ section->size = bfd_get_section_size (sec);
+- section->start = contents = malloc (section->size + 1);
++ amt = section->size + 1;
++ section->start = contents = malloc (amt);
+ section->user_data = sec;
+- if (section->start == NULL
++ if (amt == 0
++ || section->start == NULL
+ || !bfd_get_full_section_contents (abfd, sec, &contents))
+ {
+ free_debug_section (debug);
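Review bot: In load_specific_debug_section the wrap-around test `amt == 0` is evaluated only after `malloc (amt)` has already been called with that value, so a zero-byte request is still issued and the cleanup depends on how free_debug_section treats whatever malloc(0) returned. Deciding before the allocation reads more directly and needs no extra branch: `section->start = contents = amt ? malloc (amt) : NULL;`, after which the existing `section->start == NULL` test takes the error path. The function starts and ends outside the inner hunks.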
diff --git a/main/binutils/CVE-2018-6759.patch b/main/binutils/CVE-2018-6759.patch
new file mode 100644
index 00000000000..c3f098fee50
--- /dev/null
+++ b/main/binutils/CVE-2018-6759.patch
@@ -0,0 +1,86 @@
+From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 6 Feb 2018 15:48:29 +0000
+Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by
+ chacking the size of debuglink sections.
+
+ PR 22794
+ * opncls.c (bfd_get_debug_link_info_1): Check the size of the
+ section before attempting to read it in.
+ (bfd_get_alt_debug_link_info): Likewise.
+---
+diff --git a/bfd/opncls.c b/bfd/opncls.c
+index 458f06e..16b568c 100644
+--- a/bfd/opncls.c
++++ b/bfd/opncls.c
+@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)
+ bfd_byte *contents;
+ unsigned int crc_offset;
+ char *name;
++ bfd_size_type size;
+
+ BFD_ASSERT (abfd);
+ BFD_ASSERT (crc32_out);
+@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)
+ if (sect == NULL)
+ return NULL;
+
++ size = bfd_get_section_size (sect);
++
++ /* PR 22794: Make sure that the section has a reasonable size. */
++ if (size < 8 || size >= bfd_get_size (abfd))
++ return NULL;
++
+ if (!bfd_malloc_and_get_section (abfd, sect, &contents))
+ {
+ if (contents != NULL)
+@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, void *crc32_out)
+
+ /* CRC value is stored after the filename, aligned up to 4 bytes. */
+ name = (char *) contents;
+- /* PR 17597: avoid reading off the end of the buffer. */
+- crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
++ /* PR 17597: Avoid reading off the end of the buffer. */
++ crc_offset = strnlen (name, size) + 1;
+ crc_offset = (crc_offset + 3) & ~3;
+- if (crc_offset + 4 > bfd_get_section_size (sect))
++ if (crc_offset + 4 > size)
+ return NULL;
+
+ *crc32 = bfd_get_32 (abfd, contents + crc_offset);
+@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len,
+ bfd_byte *contents;
+ unsigned int buildid_offset;
+ char *name;
++ bfd_size_type size;
+
+ BFD_ASSERT (abfd);
+ BFD_ASSERT (buildid_len);
+@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len,
+ if (sect == NULL)
+ return NULL;
+
++ size = bfd_get_section_size (sect);
++ if (size < 8 || size >= bfd_get_size (abfd))
++ return NULL;
++
+ if (!bfd_malloc_and_get_section (abfd, sect, & contents))
+ {
+ if (contents != NULL)
+@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd, bfd_size_type *buildid_len,
+
+ /* BuildID value is stored after the filename. */
+ name = (char *) contents;
+- buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
++ buildid_offset = strnlen (name, size) + 1;
+ if (buildid_offset >= bfd_get_section_size (sect))
+ return NULL;
+
+- *buildid_len = bfd_get_section_size (sect) - buildid_offset;
++ *buildid_len = size - buildid_offset;
+ *buildid_out = bfd_malloc (*buildid_len);
+ memcpy (*buildid_out, contents + buildid_offset, *buildid_len);
+
+--
+2.9.3
+
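Review bot: In bfd_get_alt_debug_link_info the result of `bfd_malloc (*buildid_len)` is passed straight to `memcpy` without a NULL check, and the patch leaves that in place although it rewrites the line above. A guard such as `if (*buildid_out == NULL) return NULL;` closes it, with `contents` released the way the rest of the function does, which is outside the hunk. The comparison `if (buildid_offset >= bfd_get_section_size (sect))` could also use the new `size` variable like the other lines converted here. Both functions start and end outside the inner hunks.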
diff --git a/main/binutils/CVE-2018-6872.patch b/main/binutils/CVE-2018-6872.patch
new file mode 100644
index 00000000000..6b1e7e4e777
--- /dev/null
+++ b/main/binutils/CVE-2018-6872.patch
@@ -0,0 +1,15 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Felf.c;h=db1e076b554a83be5db6234c11e89d26805fb527;hp=dedf35feb3c468d020025b3528a2c6544107db04;hb=ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6;hpb=a9479dc051ab00f311c04cdd5b299a70739f67ed
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index dedf35f..db1e076 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -11012,6 +11012,8 @@ elf_parse_notes (bfd *abfd, char *buf, size_t size, file_ptr offset,
+ align is less than 4, we use 4 byte alignment. */
+ if (align < 4)
+ align = 4;
++ if (align != 4 && align != 8)
++ return FALSE;
+
+ p = buf;
+ while (p < buf + size)
diff --git a/main/binutils/CVE-2018-7208.patch b/main/binutils/CVE-2018-7208.patch
new file mode 100644
index 00000000000..0c7ee6b4fdd
--- /dev/null
+++ b/main/binutils/CVE-2018-7208.patch
@@ -0,0 +1,16 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Fcoffgen.c;h=4f90eaddd9cf6d5ae77848043493f305a96bb26d;hp=b2410873d0c9fc9ccd6d44870ec8204dcf3bfbc2;hb=eb77f6a4621795367a39cdd30957903af9dbb815;hpb=0d5e2f6abee322730eea6d7c175ae24631d3b089
+
+diff --git a/bfd/coffgen.c b/bfd/coffgen.c
+index b241087..4f90ead 100644
+--- a/bfd/coffgen.c
++++ b/bfd/coffgen.c
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+ }
+ /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+ generate one, so we must be careful to ignore it. */
+- if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
++ if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
++ < obj_raw_syment_count (abfd))
+ {
+ auxent->u.auxent.x_sym.x_tagndx.p =
+ table_base + auxent->u.auxent.x_sym.x_tagndx.l;
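Review bot: The comment above the changed test in coff_pointerize_aux still mentions only negative tagndx values, while the new condition also enforces an upper bound and relies on the `(unsigned long)` cast to turn negatives into out-of-range values. Updating it, e.g. `/* Reject tagndx values outside the raw symbol table; the unsigned cast also rejects the negative ones the SCO 3.2v4 cc can generate. */`, would keep the intent readable. Index 0 was skipped by the old `> 0` test and is accepted now; if that is intentional it deserves a word in the same comment. The function continues outside the hunk.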
diff --git a/main/binutils/CVE-2018-7568.patch b/main/binutils/CVE-2018-7568.patch
new file mode 100644
index 00000000000..d9571a4810d
--- /dev/null
+++ b/main/binutils/CVE-2018-7568.patch
@@ -0,0 +1,41 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Fdwarf1.c;h=f272ea831157dc16283774edb933492ca8d3cf48;hp=71bc57bfdf825092c3449ba8810b0efa7b54bb8b;hb=eef104664efb52965d85a28bc3fc7c77e52e48e2;hpb=0d329c0a83a23cebb86fbe0ebddd780dc0df2424
+
+diff --git a/bfd/dwarf1.c b/bfd/dwarf1.c
+index 71bc57b..f272ea8 100644
+--- a/bfd/dwarf1.c
++++ b/bfd/dwarf1.c
+@@ -213,6 +213,7 @@ parse_die (bfd * abfd,
+ /* Then the attributes. */
+ while (xptr + 2 <= aDiePtrEnd)
+ {
++ unsigned int block_len;
+ unsigned short attr;
+
+ /* Parse the attribute based on its form. This section
+@@ -255,12 +256,24 @@ parse_die (bfd * abfd,
+ break;
+ case FORM_BLOCK2:
+ if (xptr + 2 <= aDiePtrEnd)
+- xptr += bfd_get_16 (abfd, xptr);
++ {
++ block_len = bfd_get_16 (abfd, xptr);
++ if (xptr + block_len > aDiePtrEnd
++ || xptr + block_len < xptr)
++ return FALSE;
++ xptr += block_len;
++ }
+ xptr += 2;
+ break;
+ case FORM_BLOCK4:
+ if (xptr + 4 <= aDiePtrEnd)
+- xptr += bfd_get_32 (abfd, xptr);
++ {
++ block_len = bfd_get_32 (abfd, xptr);
++ if (xptr + block_len > aDiePtrEnd
++ || xptr + block_len < xptr)
++ return FALSE;
++ xptr += block_len;
++ }
+ xptr += 4;
+ break;
+ case FORM_STRING:
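Review bot: The bounds test `xptr + block_len > aDiePtrEnd || xptr + block_len < xptr` in the FORM_BLOCK2 and FORM_BLOCK4 cases forms the out-of-range pointer before checking it. The wrap-around comparison depends on pointer overflow, which C leaves undefined, so a compiler may optimise it away. Comparing lengths avoids that: `if (block_len > (size_t) (aDiePtrEnd - xptr)) return FALSE;`. The same pattern appears as `block_end > end || block_end < buf` in read_n_bytes in CVE-2018-7569.patch. parse_die's body continues outside the hunk.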
diff --git a/main/binutils/CVE-2018-7569.patch b/main/binutils/CVE-2018-7569.patch
new file mode 100644
index 00000000000..5b268b5a614
--- /dev/null
+++ b/main/binutils/CVE-2018-7569.patch
@@ -0,0 +1,78 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Fdwarf2.c;h=ca22db766c54a0ee8c35199b5110b03d9f7524d8;hp=2413542b84b20554f9f6e58edd03880b81cc6171;hb=12c963421d045a127c413a0722062b9932c50aa9;hpb=116acb2c268c89c89186673a7c92620d21825b25
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 2413542..ca22db7 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -623,14 +623,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf, bfd_byte *end)
+ }
+
+ static bfd_byte *
+-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
+- bfd_byte *buf,
+- bfd_byte *end,
+- unsigned int size ATTRIBUTE_UNUSED)
++read_n_bytes (bfd_byte * buf,
++ bfd_byte * end,
++ struct dwarf_block * block)
+ {
+- if (buf + size > end)
+- return NULL;
+- return buf;
++ unsigned int size = block->size;
++ bfd_byte * block_end = buf + size;
++
++ if (block_end > end || block_end < buf)
++ {
++ block->data = NULL;
++ block->size = 0;
++ return end;
++ }
++ else
++ {
++ block->data = buf;
++ return block_end;
++ }
+ }
+
+ /* Scans a NUL terminated string starting at BUF, returning a pointer to it.
+@@ -1128,8 +1138,7 @@ read_attribute_value (struct attribute * attr,
+ return NULL;
+ blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
+ info_ptr += 2;
+- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+- info_ptr += blk->size;
++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+ attr->u.blk = blk;
+ break;
+ case DW_FORM_block4:
+@@ -1139,8 +1148,7 @@ read_attribute_value (struct attribute * attr,
+ return NULL;
+ blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
+ info_ptr += 4;
+- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+- info_ptr += blk->size;
++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+ attr->u.blk = blk;
+ break;
+ case DW_FORM_data2:
+@@ -1180,8 +1188,7 @@ read_attribute_value (struct attribute * attr,
+ blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
+ FALSE, info_ptr_end);
+ info_ptr += bytes_read;
+- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+- info_ptr += blk->size;
++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+ attr->u.blk = blk;
+ break;
+ case DW_FORM_block1:
+@@ -1191,8 +1198,7 @@ read_attribute_value (struct attribute * attr,
+ return NULL;
+ blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
+ info_ptr += 1;
+- blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+- info_ptr += blk->size;
++ info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+ attr->u.blk = blk;
+ break;
+ case DW_FORM_data1:
diff --git a/main/binutils/CVE-2018-7642.patch b/main/binutils/CVE-2018-7642.patch
new file mode 100644
index 00000000000..5a3b5f115a7
--- /dev/null
+++ b/main/binutils/CVE-2018-7642.patch
@@ -0,0 +1,21 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=bfd%2Faoutx.h;h=525e5603ec90c296e086091327aa0c472cf06e41;hp=4cadbfbd2fad64e0417c37bb316e3b63f202b3ae;hb=116acb2c268c89c89186673a7c92620d21825b25;hpb=889be5dbd230ee47a90d4a83f682b13ed7e3faae
+
+diff --git a/bfd/aoutx.h b/bfd/aoutx.h
+index 4cadbfb..525e560 100644
+--- a/bfd/aoutx.h
++++ b/bfd/aoutx.h
+@@ -2289,10 +2289,12 @@ NAME (aout, swap_std_reloc_in) (bfd *abfd,
+ if (r_baserel)
+ r_extern = 1;
+
+- if (r_extern && r_index > symcount)
++ if (r_extern && r_index >= symcount)
+ {
+ /* We could arrange to return an error, but it might be useful
+- to see the file even if it is bad. */
++ to see the file even if it is bad. FIXME: Of course this
++ means that objdump -r *doesn't* see the actual reloc, and
++ objcopy silently writes a different reloc. */
+ r_extern = 0;
+ r_index = N_ABS;
+ }
diff --git a/main/binutils/CVE-2018-7643.patch b/main/binutils/CVE-2018-7643.patch
new file mode 100644
index 00000000000..b0400cd4ceb
--- /dev/null
+++ b/main/binutils/CVE-2018-7643.patch
@@ -0,0 +1,28 @@
+X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=blobdiff_plain;f=binutils%2Fdwarf.c;h=17896e61107eb53afac4b47820d2b18cf2398a9d;hp=6aca9b79942b5593b6ab445795d5b50b8f973bed;hb=d11ae95ea3403559f052903ab053f43ad7821e37;hpb=0cb7c7b0bb79be910e261f3d30c58ace6b0d06d1
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 6aca9b7..17896e6 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -6810,6 +6817,13 @@ display_debug_ranges (struct dwarf_section *section,
+ continue;
+ }
+
++ if (next < section_begin || next >= finish)
++ {
++ warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),
++ (unsigned long) offset, i);
++ continue;
++ }
++
+ if (dwarf_check != 0 && i > 0)
+ {
+ if (start < next)
+@@ -6825,6 +6839,7 @@ display_debug_ranges (struct dwarf_section *section,
+ (unsigned long) (next - section_begin), section->name);
+ }
+ }
++
+ start = next;
+ last_start = next;
+
diff --git a/main/binutils/CVE-2018-8945.patch b/main/binutils/CVE-2018-8945.patch
new file mode 100644
index 00000000000..290dd30b4d6
--- /dev/null
+++ b/main/binutils/CVE-2018-8945.patch
@@ -0,0 +1,52 @@
+From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 8 May 2018 12:51:06 +0100
+Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a
+ fuzzed input file with corrupt string and attribute sections.
+
+ PR 22809
+ * elf.c (bfd_elf_get_str_section): Check for an excessively large
+ string section.
+ * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
+ attribute section is larger than the size of the file.
+---
+ bfd/ChangeLog | 8 ++++++++
+ bfd/elf-attrs.c | 9 +++++++++
+ bfd/elf.c | 1 +
+ 3 files changed, 18 insertions(+)
+
+diff --git a/bfd/elf-attrs.c b/bfd/elf-attrs.c
+index dfdf1a5..b353309 100644
+--- a/bfd/elf-attrs.c
++++ b/bfd/elf-attrs.c
+@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, Elf_Internal_Shdr * hdr)
+ /* PR 17512: file: 2844a11d. */
+ if (hdr->sh_size == 0)
+ return;
++ if (hdr->sh_size > bfd_get_file_size (abfd))
++ {
++ /* xgettext:c-format */
++ _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
++ abfd, hdr->bfd_section, (long long) hdr->sh_size);
++ bfd_set_error (bfd_error_invalid_operation);
++ return;
++ }
++
+ contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
+ if (!contents)
+ return;
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 21bc4e7..3e8d510 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsigned int shindex)
+ /* Allocate and clear an extra byte at the end, to prevent crashes
+ in case the string table is not terminated. */
+ if (shstrtabsize + 1 <= 1
++ || shstrtabsize > bfd_get_file_size (abfd)
+ || bfd_seek (abfd, offset, SEEK_SET) != 0
+ || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
+ shstrtab = NULL;
+--
+2.9.3
+
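Review bot: The added `_bfd_error_handler` call in _bfd_elf_parse_attributes uses the `%pB` and `%pA` conversions, but this package builds binutils 2.30, and as far as I recall those spellings replaced `%B`/`%A` upstream only after that release. If so, the message on 2.30 would not print the file and section names as intended, and the backport should use `"%B: error: attribute section '%A' too big: %#llx"`. This is worth confirming against the 2.30 tree, together with `bfd_get_file_size` being available there. The diffstat still lists bfd/ChangeLog, which the patch no longer contains; that is harmless but could be trimmed.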
diff --git a/main/coreutils/APKBUILD b/main/coreutils/APKBUILD
index 22976d51599..fe51cc761ba 100644
--- a/main/coreutils/APKBUILD
+++ b/main/coreutils/APKBUILD
@@ -15,6 +15,10 @@ source="http://ftp.gnu.org/gnu/coreutils/$pkgname-$pkgver.tar.xz"
builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 8.28-r0:
+# - CVE-2017-18018
+
build() {
cd "$builddir"
LIBS="-lrt" ./configure \
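Review bot: The new secfixes entry records CVE-2017-18018 as fixed in `8.28-r0`, but this hunk adds no patch and changes no version, so nothing visible backs the claim. From what I recall, the advisory describes coreutils through 8.29 as affected, which would make this entry mark a still-affected version as fixed for anyone consuming secfixes data. Please confirm the fixed version, or drop `# - CVE-2017-18018` if the issue is not actually addressed in this package. build() continues outside the hunk.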
diff --git a/main/cups/APKBUILD b/main/cups/APKBUILD
index 4ae0a25f071..343ff25bd6a 100644
--- a/main/cups/APKBUILD
+++ b/main/cups/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=cups
-pkgver=2.2.10
+pkgver=2.2.12
pkgrel=0
pkgdesc="The CUPS Printing System"
url="https://www.cups.org/"
@@ -24,6 +24,9 @@ source="https://github.com/apple/cups/releases/download/v$pkgver/cups-$pkgver-so
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 2.2.12-r0:
+# - CVE-2019-8696
+# - CVE-2019-8675
# 2.2.10-r0:
# - CVE-2018-4700
@@ -124,8 +127,7 @@ _mv() {
mv "$pkgdir"/$i "$subpkgdir"/${i%/*}/
done
}
-
-sha512sums="1393987a263ebf20089dd3008ae4ed770a27a1f289032604eb9e18f2e863bd0e4215a70118f5a6d3940875625278b6798fbc9070e791ec559179c6cf7dc7b05f cups-2.2.10-source.tar.gz
+sha512sums="b8e7be512938ad388d469d093ad0c882ab42ea1408c27a91340f8424aa0e79e588df3d59795624973b89074a2af650fa9b5b6ed5224138b17e4c6dbbcbf0a2e6 cups-2.2.12-source.tar.gz
cf64211da59e79285f99d437c02fdd7db462855fb2920ec9563ba47bd8a9e5cbd10555094940ceedeb41ac805c4f0ddb9147481470112a11a76220d0298aef79 cups.logrotate
2c2683f755a220166b3a1653fdd1a6daa9718c8f0bbdff2e2d5e61d1133306260d63a83d3ff41619b5cf84c4913fae5822b79553e2822858f38fa3613f4c7082 cupsd.initd
7a8cd9ac33b0dd4627c72df4275db8ccd7cf8e201bce3833719b42f532f526bb347b842e3ea1ef0d61855b5c6e1088b5d20b68942f2c2c0acf504d8d9728efd3 cups-no-export-ssllibs.patch
diff --git a/main/curl/APKBUILD b/main/curl/APKBUILD
index 1cadc700486..33e0dd44c01 100644
--- a/main/curl/APKBUILD
+++ b/main/curl/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.61.1
-pkgrel=2
+pkgrel=3
pkgdesc="URL retrival utility and library"
url="https://curl.haxx.se"
arch="all"
@@ -21,10 +21,16 @@ source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
CVE-2018-16890.patch
CVE-2019-3822.patch
CVE-2019-3823.patch
+ CVE-2019-5481.patch
+ CVE-2019-5482.patch
"
+
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 7.61.1-r3:
+# - CVE-2019-5481
+# - CVE-2019-5482
# 7.61.1-r2:
# - CVE-2018-16890
# - CVE-2019-3822
@@ -127,4 +133,6 @@ c1a684f17267b08f77625064ac62e4f06989c552d6d501565f8bebf31d3a96a613f0683376ec7cc1
dcaca036eafaaae66eba99808d00ff6bed3c9e59c2c1239ca1ddcf54c9e1c53edabd543dc6925ded3cdf9efd39c0968353527ae5ed0b986cefba333fbc7fd1af CVE-2018-16842.patch
573b896bd78e404002398bdf38d952ec6247af551ef7d6e34d52acbf004f8f4de60299e3a8f83be75e22dfb8731e466aea0253efec7116282afab32dbb1f66e8 CVE-2018-16890.patch
959a55237752b254bc5f58308607f3cf0475e207a7400ff6be7942c48131787f1dec4c05be5b76865ae0adf81ebae77774085ad0c19dd342fb0307cfcfe24b6c CVE-2019-3822.patch
-73f0d06f9bbd6f0688e67310120d1e806752626c103b0a52bc4b4a1a77bbe248885778f39386fbfc38cb534cd12d18f205c091769558e6a04b50010cb9ba6a69 CVE-2019-3823.patch"
+73f0d06f9bbd6f0688e67310120d1e806752626c103b0a52bc4b4a1a77bbe248885778f39386fbfc38cb534cd12d18f205c091769558e6a04b50010cb9ba6a69 CVE-2019-3823.patch
+37161e4d94cdb1add2216b031f70d7ae84451229dffe48ca9856bb311e88678f0e11baab6bb4da0386ed31e8467aa51fabaf6122f876ef9bc0003638d07f22cf CVE-2019-5481.patch
+6a048e3794415792a4554651bc55b71c22735f58293db584e9c822af9faad22f27c730b5d649d4bf1fb8d2c251f8d6e2f67249929bb7b3a76495c1f36a898ce7 CVE-2019-5482.patch"
diff --git a/main/curl/CVE-2019-5481.patch b/main/curl/CVE-2019-5481.patch
new file mode 100644
index 00000000000..2aa4952cee4
--- /dev/null
+++ b/main/curl/CVE-2019-5481.patch
@@ -0,0 +1,40 @@
+From 9069838b30fb3b48af0123e39f664cea683254a5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 3 Sep 2019 22:59:32 +0200
+Subject: [PATCH] security:read_data fix bad realloc()
+
+... that could end up a double-free
+
+CVE-2019-5481
+Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
+---
+ lib/security.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 550ea2da8d..c5e4e135df 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
+ struct krb5buffer *buf)
+ {
+ int len;
+- void *tmp = NULL;
+ CURLcode result;
+
+ result = socket_read(fd, &len, sizeof(len));
+@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- tmp = Curl_saferealloc(buf->data, len);
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+- if(tmp == NULL)
++ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+
+- buf->data = tmp;
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
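Review bot: In read_data, `len` is an `int` taken from the peer and passed to `Curl_saferealloc` straight after `len = ntohl(len);` with no range check, so a negative or very large value is only rejected if the allocation happens to fail. An explicit bound before the realloc would reject such lengths directly, for example `if(len <= 0 || len > MAX_BLOCK_LEN /* placeholder limit */) return CURLE_WEIRD_SERVER_REPLY;`, or whichever error code the callers expect. The zero-length case also returns `CURLE_OUT_OF_MEMORY`, which reports a protocol error as an allocation failure. The rest of read_data lies outside the hunk.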
diff --git a/main/curl/CVE-2019-5482.patch b/main/curl/CVE-2019-5482.patch
new file mode 100644
index 00000000000..2cd32ef1798
--- /dev/null
+++ b/main/curl/CVE-2019-5482.patch
@@ -0,0 +1,50 @@
+From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index a7176cec80..346f293dc5 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -985,6 +985,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+ tftp_state_data_t *state;
+ int blksize;
++ int need_blksize;
+
+ blksize = TFTP_BLKSIZE_DEFAULT;
+
+@@ -999,15 +1000,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ return CURLE_TFTP_ILLEGAL;
+ }
+
++ need_blksize = blksize;
++ /* default size is the fallback when no OACK is received */
++ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++ need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+ if(!state->rpacket.data) {
+- state->rpacket.data = calloc(1, blksize + 2 + 2);
++ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->rpacket.data)
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+ if(!state->spacket.data) {
+- state->spacket.data = calloc(1, blksize + 2 + 2);
++ state->spacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->spacket.data)
+ return CURLE_OUT_OF_MEMORY;
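Review bot: The embedded patch's diffstat says `9 insertions(+), 3 deletions(-)` for lib/tftp.c, but the two hunks shown add eight lines and remove two, so one changed line appears to be missing from this copy. The visible hunks only enlarge the two `calloc` sizes to `need_blksize`; nothing here implements the subject's "use default unless OACK is received". The dropped line is likely the one that resets the in-use size, along the lines of `state->blksize = TFTP_BLKSIZE_DEFAULT;`. Compare the file with upstream commit facb0e4662415b5f28163e853dc6742ac5fafb3d and restore the missing hunk. tftp_connect continues outside the hunk.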
diff --git a/main/dovecot/APKBUILD b/main/dovecot/APKBUILD
index 413e0b02863..252b96fa69a 100644
--- a/main/dovecot/APKBUILD
+++ b/main/dovecot/APKBUILD
@@ -3,7 +3,7 @@
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dovecot
-pkgver=2.2.36.3
+pkgver=2.2.36.4
_pkgvermajor=2.2
pkgrel=0
_pigeonholever=0.4.21
@@ -40,6 +40,8 @@ _builddirpigeonhole="$srcdir/$pkgname-${_pkgvermajor}-pigeonhole-$_pigeonholever
_builddirpluginextdata="$srcdir/pigeonhole-${_pigeonholevermajor/./-}-sieve-extdata-$_pluginextdataver"
# secfixes:
+# 2.2.36.4-r0:
+# - CVE-2019-11500
# 2.2.36.3-r0:
# - CVE-2019-7524
# 2.2.36.1-r0:
@@ -234,7 +236,7 @@ _fts_lucene() {
depends="$pkgname"
_mv $(cd "$pkgdir" && find usr -name '*fts*lucene*')
}
-sha512sums="47611dbde7ee854ad323dcdb726757c7172376761fa774f28fce3f9d74ed590319d812f0555abed5f8178c326c3cb7661ac0b708ca5982914e255cec60f72e35 dovecot-2.2.36.3.tar.gz
+sha512sums="e33ab2f6c5f7b4ffca3d57580329f1df8e1655c755a1a6b575a4e49d57ea94d1ab67df2419033c9d68acf5959c6edfa596815dc2bc43798e9aef3d17d271cc4d dovecot-2.2.36.4.tar.gz
4751f449ede1b05173c706b414ebf9f7f670ff78589ce6f0b687c32c9abe6dae8b3064ed1b20e893d9ec0147b0139ce479e1d74ebe94747c33f2d8ca177912de dovecot-2.2-pigeonhole-0.4.21.tar.gz
832a80264fb9bd3021c4e192eb7594c203100783df547aff35acf4dc4d8de5eddfd676fcc5a07a0691d9bb6eb884c9497a692b72a2af5bf9e9bb7a2d3f38923e 39.tar.gz
09bae967d35b9e5d7d91c81337e1bf5e5aba3abb7b0ab06427f1a0d6f9bb5b2f2e39306cfe45d80488110fc0414e3e2515c0265286c1584d80f8af366d1568a9 skip-iconv-check.patch
diff --git a/main/e2fsprogs/APKBUILD b/main/e2fsprogs/APKBUILD
index db30601d494..7988763db8f 100644
--- a/main/e2fsprogs/APKBUILD
+++ b/main/e2fsprogs/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=e2fsprogs
pkgver=1.43.7
-pkgrel=0
+pkgrel=1
pkgdesc="Standard Ext2/3/4 filesystem utilities"
url="http://e2fsprogs.sourceforge.net"
arch="all"
@@ -12,9 +12,15 @@ depends_dev="util-linux-dev"
options="!check"
makedepends="$depends_dev linux-headers"
subpackages="$pkgname-dev $pkgname-doc libcom_err $pkgname-libs $pkgname-extra"
-source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz"
-
+source="https://www.kernel.org/pub/linux/kernel/people/tytso/$pkgname/v$pkgver/$pkgname-$pkgver.tar.xz
+ CVE-2019-5094.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
+
+# secfixes:
+# 1.43.7-r1:
+# - CVE-2019-5094
+
build () {
cd "$builddir"
./configure \
@@ -64,5 +70,5 @@ extra() {
rmdir "$pkgdir"/lib
mv "$pkgdir"/usr "$subpkgdir"/
}
-
-sha512sums="2ef270364d3cea620db3c3b9932849d0ff5b49d4a9a9b24f0d1ac36888199bd67432edc5f939d9f697ee0342b71a063e1ad4ce8119528a7adab7a777c1de57ba e2fsprogs-1.43.7.tar.xz"
+sha512sums="2ef270364d3cea620db3c3b9932849d0ff5b49d4a9a9b24f0d1ac36888199bd67432edc5f939d9f697ee0342b71a063e1ad4ce8119528a7adab7a777c1de57ba e2fsprogs-1.43.7.tar.xz
+72e7d8199ea071802fbe74fbb2153253e5460412b115e03750ecac46d298aeb73bd8e7610a2d5b8be83b7125080c7e9e23d9b71baee1c7a4f68026344106a922 CVE-2019-5094.patch"
diff --git a/main/e2fsprogs/CVE-2019-5094.patch b/main/e2fsprogs/CVE-2019-5094.patch
new file mode 100644
index 00000000000..d350b3f2943
--- /dev/null
+++ b/main/e2fsprogs/CVE-2019-5094.patch
@@ -0,0 +1,190 @@
+diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c
+index 0b9e766..ddb5312 100644
+--- a/lib/support/mkquota.c
++++ b/lib/support/mkquota.c
+@@ -671,6 +671,7 @@ errcode_t quota_compare_and_update(quota_ctx_t qctx, enum quota_type qtype,
+ err = qh.qh_ops->scan_dquots(&qh, scan_dquots_callback, &scan_data);
+ if (err) {
+ log_debug("Error scanning dquots");
++ *usage_inconsistent = 1;
+ goto out_close_qh;
+ }
+
+diff --git a/lib/support/quotaio_tree.c b/lib/support/quotaio_tree.c
+index a7c2028..6cc4fb5 100644
+--- a/lib/support/quotaio_tree.c
++++ b/lib/support/quotaio_tree.c
+@@ -540,6 +540,17 @@ struct dquot *qtree_read_dquot(struct quota_handle *h, qid_t id)
+ return dquot;
+ }
+
++static int check_reference(struct quota_handle *h, unsigned int blk)
++{
++ if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks) {
++ log_err("Illegal reference (%u >= %u) in %s quota file",
++ blk, h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
++ quota_type2name(h->qh_type));
++ return -1;
++ }
++ return 0;
++}
++
+ /*
+ * Scan all dquots in file and call callback on each
+ */
+@@ -558,7 +569,7 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap,
+ int entries, i;
+
+ if (!buf)
+- return 0;
++ return -1;
+
+ set_bit(bitmap, blk);
+ read_blk(dquot->dq_h, blk, buf);
+@@ -580,23 +591,12 @@ static int report_block(struct dquot *dquot, unsigned int blk, char *bitmap,
+ return entries;
+ }
+
+-static void check_reference(struct quota_handle *h, unsigned int blk)
+-{
+- if (blk >= h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks)
+- log_err("Illegal reference (%u >= %u) in %s quota file. "
+- "Quota file is probably corrupted.\n"
+- "Please run e2fsck (8) to fix it.",
+- blk,
+- h->qh_info.u.v2_mdqi.dqi_qtree.dqi_blocks,
+- quota_type2name(h->qh_type));
+-}
+-
+ static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
+ char *bitmap,
+ int (*process_dquot) (struct dquot *, void *),
+ void *data)
+ {
+- int entries = 0, i;
++ int entries = 0, ret, i;
+ dqbuf_t buf = getdqbuf();
+ __le32 *ref = (__le32 *) buf;
+
+@@ -607,22 +607,40 @@ static int report_tree(struct dquot *dquot, unsigned int blk, int depth,
+ if (depth == QT_TREEDEPTH - 1) {
+ for (i = 0; i < QT_BLKSIZE >> 2; i++) {
+ blk = ext2fs_le32_to_cpu(ref[i]);
+- check_reference(dquot->dq_h, blk);
+- if (blk && !get_bit(bitmap, blk))
+- entries += report_block(dquot, blk, bitmap,
+- process_dquot, data);
++ if (check_reference(dquot->dq_h, blk)) {
++ entries = -1;
++ goto errout;
++ }
++ if (blk && !get_bit(bitmap, blk)) {
++ ret = report_block(dquot, blk, bitmap,
++ process_dquot, data);
++ if (ret < 0) {
++ entries = ret;
++ goto errout;
++ }
++ entries += ret;
++ }
+ }
+ } else {
+ for (i = 0; i < QT_BLKSIZE >> 2; i++) {
+ blk = ext2fs_le32_to_cpu(ref[i]);
+ if (blk) {
+- check_reference(dquot->dq_h, blk);
+- entries += report_tree(dquot, blk, depth + 1,
+- bitmap, process_dquot,
+- data);
++ if (check_reference(dquot->dq_h, blk)) {
++ entries = -1;
++ goto errout;
++ }
++ ret = report_tree(dquot, blk, depth + 1,
++ bitmap, process_dquot,
++ data);
++ if (ret < 0) {
++ entries = ret;
++ goto errout;
++ }
++ entries += ret;
+ }
+ }
+ }
++errout:
+ freedqbuf(buf);
+ return entries;
+ }
+@@ -642,6 +660,7 @@ int qtree_scan_dquots(struct quota_handle *h,
+ int (*process_dquot) (struct dquot *, void *),
+ void *data)
+ {
++ int ret;
+ char *bitmap;
+ struct v2_mem_dqinfo *v2info = &h->qh_info.u.v2_mdqi;
+ struct qtree_mem_dqinfo *info = &v2info->dqi_qtree;
+@@ -655,10 +674,14 @@ int qtree_scan_dquots(struct quota_handle *h,
+ ext2fs_free_mem(&dquot);
+ return -1;
+ }
+- v2info->dqi_used_entries = report_tree(dquot, QT_TREEOFF, 0, bitmap,
+- process_dquot, data);
++ ret = report_tree(dquot, QT_TREEOFF, 0, bitmap, process_dquot, data);
++ if (ret < 0)
++ goto errout;
++ v2info->dqi_used_entries = ret;
+ v2info->dqi_data_blocks = find_set_bits(bitmap, info->dqi_blocks);
++ ret = 0;
++errout:
+ ext2fs_free_mem(&bitmap);
+ ext2fs_free_mem(&dquot);
+- return 0;
++ return ret;
+ }
+diff --git a/lib/support/quotaio_v2.c b/lib/support/quotaio_v2.c
+index 38be2a3..7390667 100644
+--- a/lib/support/quotaio_v2.c
++++ b/lib/support/quotaio_v2.c
+@@ -175,6 +175,8 @@ static int v2_check_file(struct quota_handle *h, int type, int fmt)
+ static int v2_init_io(struct quota_handle *h)
+ {
+ struct v2_disk_dqinfo ddqinfo;
++ struct v2_mem_dqinfo *info;
++ __u64 filesize;
+
+ h->qh_info.u.v2_mdqi.dqi_qtree.dqi_entry_size =
+ sizeof(struct v2r1_disk_dqblk);
+@@ -185,6 +187,32 @@ static int v2_init_io(struct quota_handle *h)
+ sizeof(ddqinfo)) != sizeof(ddqinfo))
+ return -1;
+ v2_disk2memdqinfo(&h->qh_info, &ddqinfo);
++
++ /* Check to make sure quota file info is sane */
++ info = &h->qh_info.u.v2_mdqi;
++ if (ext2fs_file_get_lsize(h->qh_qf.e2_file, &filesize))
++ return -1;
++ if ((filesize > (1U << 31)) ||
++ (info->dqi_qtree.dqi_blocks >
++ (filesize + QT_BLKSIZE - 1) >> QT_BLKSIZE_BITS)) {
++ log_err("Quota inode %u corrupted: file size %llu; "
++ "dqi_blocks %u", h->qh_qf.ino,
++ filesize, info->dqi_qtree.dqi_blocks);
++ return -1;
++ }
++ if (info->dqi_qtree.dqi_free_blk >= info->dqi_qtree.dqi_blocks) {
++ log_err("Quota inode %u corrupted: free_blk %u; dqi_blocks %u",
++ h->qh_qf.ino, info->dqi_qtree.dqi_free_blk,
++ info->dqi_qtree.dqi_blocks);
++ return -1;
++ }
++ if (info->dqi_qtree.dqi_free_entry >= info->dqi_qtree.dqi_blocks) {
++ log_err("Quota inode %u corrupted: free_entry %u; "
++ "dqi_blocks %u", h->qh_qf.ino,
++ info->dqi_qtree.dqi_free_entry,
++ info->dqi_qtree.dqi_blocks);
++ return -1;
++ }
+ return 0;
+ }
+
+
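Review bot: In v2_init_io the new `log_err("Quota inode %u corrupted: file size %llu; ...")` call passes `filesize`, declared as `__u64`, to `%llu` without a cast; where `__u64` is not `unsigned long long` that is a format/argument mismatch. Passing `(unsigned long long) filesize` makes the call portable. Separately, report_block now returns -1 when `getdqbuf()` fails, but report_tree's own check after `dqbuf_t buf = getdqbuf();` sits between the hunks and is not shown. If it still returns 0, an allocation failure there would be counted as zero entries rather than an error.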
diff --git a/main/expat/APKBUILD b/main/expat/APKBUILD
index 7b053971f75..5cf21bacaee 100644
--- a/main/expat/APKBUILD
+++ b/main/expat/APKBUILD
@@ -1,21 +1,23 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=expat
-pkgver=2.2.7
+pkgver=2.2.8
pkgrel=0
pkgdesc="An XML Parser library written in C"
url="http://www.libexpat.org/"
arch="all"
license='MIT'
checkdepends="bash"
-source="http://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2"
+source="https://downloads.sourceforge.net/project/expat/expat/$pkgver/expat-$pkgver.tar.bz2"
subpackages="$pkgname-dev $pkgname-doc"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 2.2.7-r1:
+# - CVE-2019-15903
# 2.2.7-r0:
-# - CVE-2018-20843
+# - CVE-2018-20843
# 2.2.0-r1:
-# - CVE-2017-9233
+# - CVE-2017-9233
build() {
cd "$builddir"
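Review bot: The new secfixes entry records CVE-2019-15903 under `2.2.7-r1`, while this hunk builds `pkgver=2.2.8` with `pkgrel=0`, so the key names a release this APKBUILD does not produce. If the fix arrives with the 2.2.8 tarball, the entry should read `# 2.2.8-r0:`. The commit also adds main/expat/CVE-2019-15903.patch, yet `source=` lists only the tarball and `sha512sums` has a single line. That patch file therefore appears never to be applied and could be dropped.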
@@ -37,4 +39,4 @@ package() {
make DESTDIR="$pkgdir/" install
}
-sha512sums="a078692317b44f14a9acdca4ddc04adac6a48d22ab321bba3e9e32c92131752aa397915d7121c4a95dc1b603d6a6128f7dce3741093d4322944787e0b49b4c00 expat-2.2.7.tar.bz2"
+sha512sums="b1c995320d3eb406fe98e87fad204cc1336a74fb70c3ce3876d16ab955507863c3ee406ab10f0e8b63ed51cda0f7da4df0039626990fc2710f41c589c04b4022 expat-2.2.8.tar.bz2"
diff --git a/main/expat/CVE-2019-15903.patch b/main/expat/CVE-2019-15903.patch
new file mode 100644
index 00000000000..bfba7a87b4f
--- /dev/null
+++ b/main/expat/CVE-2019-15903.patch
@@ -0,0 +1,80 @@
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 9c0987f..b8656ca 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -405,7 +405,7 @@ initializeEncoding(XML_Parser parser);
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
+ const char *end, int tok, const char *next, const char **nextPtr,
+- XML_Bool haveMore);
++ XML_Bool haveMore, XML_Bool allowClosingDoctype);
+ static enum XML_Error
+ processInternalEntity(XML_Parser parser, ENTITY *entity,
+ XML_Bool betweenDecl);
+@@ -4232,7 +4232,7 @@ externalParEntProcessor(XML_Parser parser,
+
+ parser->m_processor = prologProcessor;
+ return doProlog(parser, parser->m_encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error PTRCALL
+@@ -4282,7 +4282,7 @@ prologProcessor(XML_Parser parser,
+ const char *next = s;
+ int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next,
+- nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+
+ static enum XML_Error
+@@ -4293,7 +4293,7 @@ doProlog(XML_Parser parser,
+ int tok,
+ const char *next,
+ const char **nextPtr,
+- XML_Bool haveMore)
++ XML_Bool haveMore, XML_Bool allowClosingDoctype)
+ {
+ #ifdef XML_DTD
+ static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
+@@ -4472,6 +4472,11 @@ doProlog(XML_Parser parser,
+ }
+ break;
+ case XML_ROLE_DOCTYPE_CLOSE:
++ if (allowClosingDoctype != XML_TRUE) {
++ /* Must not close doctype from within expanded parameter entities */
++ return XML_ERROR_INVALID_TOKEN;
++ }
++
+ if (parser->m_doctypeName) {
+ parser->m_startDoctypeDeclHandler(parser->m_handlerArg, parser->m_doctypeName,
+ parser->m_doctypeSysid, parser->m_doctypePubid, 0);
+@@ -5409,7 +5414,7 @@ processInternalEntity(XML_Parser parser, ENTITY *entity,
+ if (entity->is_param) {
+ int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_FALSE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -5456,7 +5461,7 @@ internalEntityProcessor(XML_Parser parser,
+ if (entity->is_param) {
+ int tok = XmlPrologTok(parser->m_internalEncoding, textStart, textEnd, &next);
+ result = doProlog(parser, parser->m_internalEncoding, textStart, textEnd, tok,
+- next, &next, XML_FALSE);
++ next, &next, XML_FALSE, XML_FALSE);
+ }
+ else
+ #endif /* XML_DTD */
+@@ -5483,7 +5488,7 @@ internalEntityProcessor(XML_Parser parser,
+ parser->m_processor = prologProcessor;
+ tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+ return doProlog(parser, parser->m_encoding, s, end, tok, next, nextPtr,
+- (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++ (XML_Bool)!parser->m_parsingStatus.finalBuffer, XML_TRUE);
+ }
+ else
+ #endif /* XML_DTD */
+
diff --git a/main/faad2/APKBUILD b/main/faad2/APKBUILD
index ae578853f46..4cde4b96950 100644
--- a/main/faad2/APKBUILD
+++ b/main/faad2/APKBUILD
@@ -1,21 +1,21 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=faad2
-pkgver=2.7
-pkgrel=7
+pkgver=2.9.0
+_pkgver="${pkgver//./_}"
+pkgrel=0
pkgdesc="ISO AAC audio decoder"
-url="http://www.audiocoding.com/"
+url="https://github.com/knik0/faad2"
arch="all"
license="custom:GPL"
subpackages="$pkgname-dev $pkgname-doc"
depends=
makedepends="autoconf automake libtool"
-source="http://downloads.sourceforge.net/sourceforge/faac/$pkgname-$pkgver.tar.bz2
- automake.patch"
+source="$pkgname-$pkgver.tar.gz::https://github.com/knik0/faad2/archive/$_pkgver.tar.gz"
+builddir="$srcdir/$pkgname-$_pkgver"
-_builddir="$srcdir"/$pkgname-$pkgver
+_builddir="$srcdir"/$pkgname-$_pkgver
prepare() {
cd "$_builddir"
- update_config_sub || return 1
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
@@ -23,6 +23,26 @@ prepare() {
done
}
+# secfixes:
+# 2.9.0-r0:
+# - CVE-2019-6956
+# - CVE-2018-20196
+# - CVE-2018-20199
+# - CVE-2018-20360
+# - CVE-2018-20362
+# - CVE-2018-19504
+# - CVE-2018-20195
+# - CVE-2018-20198
+# - CVE-2018-20358
+# - CVE-2018-20194
+# - CVE-2018-19503
+# - CVE-2018-20197
+# - CVE-2018-20357
+# - CVE-2018-20359
+# - CVE-2018-20361
+# - CVE-2019-15296
+# - CVE-2018-19502
+
build() {
cd "$_builddir"
@@ -43,12 +63,6 @@ build() {
package() {
cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
- install -m644 common/mp4ff/mp4ff_int_types.h "$pkgdir"/usr/include/mp4ff_int_types.h || return 1
}
-md5sums="4c332fa23febc0e4648064685a3d4332 faad2-2.7.tar.bz2
-28b178eddf06bda888fe048abc65d57f automake.patch"
-sha256sums="14561b5d6bc457e825bfd3921ae50a6648f377a9396eaf16d4b057b39a3f63b5 faad2-2.7.tar.bz2
-e7b9c8231dfd9227b27ff8c1e8a9be678abf73ce4ce0d3ee9333cb19608fdcfd automake.patch"
-sha512sums="0934aa9b752b5d86879d94156dea02595e2428340d0cf44202ffea369895b21a9aadbb4833a39212c9a79429b409eb108706b1f523bfddd32809b53730d50947 faad2-2.7.tar.bz2
-0b66cfa240529a2139b47cb8dc87c4b43a451b906d66ef7d211fb509358b1493ceee13894516c2f552b33eae74640910e97957caa49dade2597ebd9777152a9e automake.patch"
+sha512sums="1756b2672f9e438a56b11160ddc77fc721d85860eaa325a3ff01b51a2524baf4c1c61068a97cbc4e99d47e7643f10e1d6afb997eede3295b44551fe4661fb5dc faad2-2.9.0.tar.gz"
diff --git a/main/faad2/automake.patch b/main/faad2/automake.patch
deleted file mode 100644
index 809031eb006..00000000000
--- a/main/faad2/automake.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- ./configure.in.orig 2012-12-31 10:42:26.394219312 +0000
-+++ ./configure.in 2012-12-31 10:42:43.294360781 +0000
-@@ -25,7 +25,7 @@
- AC_PROG_MAKE_SET
- AC_CHECK_PROGS(RPMBUILD, rpmbuild, rpm)
-
--AM_CONFIG_HEADER(config.h)
-+AC_CONFIG_HEADER(config.h)
-
- AC_ARG_WITH(xmms,[ --with-xmms compile XMMS-1 plugin],
- WITHXMMS=$withval, WITHXMMS=no)
diff --git a/main/file/APKBUILD b/main/file/APKBUILD
index 58477ab711d..fd9fbd1d604 100644
--- a/main/file/APKBUILD
+++ b/main/file/APKBUILD
@@ -2,15 +2,27 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=file
pkgver=5.32
-pkgrel=0
+pkgrel=2
pkgdesc="File type identification utility"
url="http://www.darwinsys.com/file/"
arch="all"
license="BSD"
subpackages="$pkgname-dev $pkgname-doc libmagic"
-source="ftp://ftp.astron.com/pub/$pkgname/$pkgname-$pkgver.tar.gz"
+source="ftp://ftp.astron.com/pub/$pkgname/$pkgname-$pkgver.tar.gz
+ CVE-2019-8906.patch
+ CVE-2019-8905-and-CVE-2019-8907.patch
+ CVE-2019-18218.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 5.32-r2:
+# - CVE-2019-18218
+# 5.32-r1:
+# - CVE-2019-8905
+# - CVE-2019-8906
+# - CVE-2019-8907
+
build() {
cd "$builddir"
./configure \
@@ -37,4 +49,7 @@ libmagic() {
mv "$pkgdir"/usr/lib "$pkgdir"/usr/share "$subpkgdir"/usr
}
-sha512sums="315343229fa196335389544ee8010e9e80995ef4721938492dedcfb0465dfc45e1feb96f26dfe53cab484fb5d9bac54d2d72917fbfd28a1d998c6ad8c8f9792f file-5.32.tar.gz"
+sha512sums="315343229fa196335389544ee8010e9e80995ef4721938492dedcfb0465dfc45e1feb96f26dfe53cab484fb5d9bac54d2d72917fbfd28a1d998c6ad8c8f9792f file-5.32.tar.gz
+f54a16dbca2b5a490405e323924fb2657cc67f73648ad5203b41c13da1dc98e5ca64fc6c94415386538d3c2124f487fc3bf86082ce1571a24d05f5a5e213da08 CVE-2019-8906.patch
+5b8058fd39d9f9d91c7d8377708068dc0161abdbbb7fdb3d1bd9358b297133e425252758b45cccec937a7c51226d4f6dd67f5a13ff935a4353a44f140f011a7e CVE-2019-8905-and-CVE-2019-8907.patch
+d70c5d298db7f70c45feaeebb077f076e6f1b5bcccb85926afeead64838436fd42681541d56f4fbe35b97dd76bfdbf3abf2665894c18999b37d2ca3fe2f2cf17 CVE-2019-18218.patch"
diff --git a/main/file/CVE-2019-18218.patch b/main/file/CVE-2019-18218.patch
new file mode 100644
index 00000000000..e7eba449222
--- /dev/null
+++ b/main/file/CVE-2019-18218.patch
@@ -0,0 +1,40 @@
+Source: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
+
+diff --git a/src/cdf.c b/src/cdf.c
+index 556a3ff..8bb0a6d 100644
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -1013,8 +1013,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ goto out;
+ }
+ nelements = CDF_GETUINT32(q, 1);
+- if (nelements == 0) {
+- DPRINTF(("CDF_VECTOR with nelements == 0\n"));
++ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
++ DPRINTF(("CDF_VECTOR with nelements == %"
++ SIZE_T_FORMAT "u\n", nelements));
+ goto out;
+ }
+ slen = 2;
+@@ -1056,8 +1057,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ goto out;
+ inp += nelem;
+ }
+- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+- nelements));
+ for (j = 0; j < nelements && i < sh.sh_properties;
+ j++, i++)
+ {
+diff --git a/src/cdf.h b/src/cdf.h
+index 2f7e554..0505666 100644
+--- a/src/cdf.h
++++ b/src/cdf.h
+@@ -48,6 +48,7 @@
+ typedef int32_t cdf_secid_t;
+
+ #define CDF_LOOP_LIMIT 10000
++#define CDF_ELEMENT_LIMIT 100000
+
+ #define CDF_SECID_NULL 0
+ #define CDF_SECID_FREE -1
+
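Review bot: `#define CDF_ELEMENT_LIMIT 100000` in cdf.h is introduced without a comment on what it bounds or why that value was chosen. A short comment such as `/* upper bound on nelements accepted for a CDF_VECTOR property */` would tie it to the check in cdf_read_property_info. The reused DPRINTF text `CDF_VECTOR with nelements == ...` is now printed for both the zero and the over-limit case, so the message no longer says which condition failed.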
diff --git a/main/file/CVE-2019-8905-and-CVE-2019-8907.patch b/main/file/CVE-2019-8905-and-CVE-2019-8907.patch
new file mode 100644
index 00000000000..d81c54636fb
--- /dev/null
+++ b/main/file/CVE-2019-8905-and-CVE-2019-8907.patch
@@ -0,0 +1,102 @@
+diff --git a/src/file.h b/src/file.h
+index eb9c054..6d9d204 100644
+--- a/src/file.h
++++ b/src/file.h
+@@ -491,7 +491,7 @@ protected int file_looks_utf8(const unsigned char *, size_t, unichar *,
+ size_t *);
+ protected size_t file_pstring_length_size(const struct magic *);
+ protected size_t file_pstring_get_length(const struct magic *, const char *);
+-protected char * file_printable(char *, size_t, const char *);
++protected char * file_printable(char *, size_t, const char *, size_t);
+ #ifdef __EMX__
+ protected int file_os2_apptype(struct magic_set *, const char *, const void *,
+ size_t);
+diff --git a/src/funcs.c b/src/funcs.c
+index d7a18f4..eb44261 100644
+--- a/src/funcs.c
++++ b/src/funcs.c
+@@ -581,12 +581,13 @@ file_pop_buffer(struct magic_set *ms, file_pushbuf_t *pb)
+ * convert string to ascii printable format.
+ */
+ protected char *
+-file_printable(char *buf, size_t bufsiz, const char *str)
++file_printable(char *buf, size_t bufsiz, const char *str, size_t slen)
+ {
+- char *ptr, *eptr;
++ char *ptr, *eptr = buf + bufsiz - 1;
+ const unsigned char *s = (const unsigned char *)str;
++ const unsigned char *es = s + slen;
+
+- for (ptr = buf, eptr = ptr + bufsiz - 1; ptr < eptr && *s; s++) {
++ for (ptr = buf; ptr < eptr && s < es && *s; s++) {
+ if (isprint(*s)) {
+ *ptr++ = *s;
+ continue;
+diff --git a/src/readelf.c b/src/readelf.c
+index 5f425c9..ee466fc 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -725,7 +725,7 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
+ if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+ "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
+ file_printable(sbuf, sizeof(sbuf),
+- CAST(char *, pi.cpi_name)),
++ CAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
+ elf_getu32(swap, pi.cpi_pid),
+ elf_getu32(swap, pi.cpi_euid),
+ elf_getu32(swap, pi.cpi_egid),
+@@ -1563,7 +1563,8 @@ dophn_exec(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
+ return -1;
+ if (interp[0])
+ if (file_printf(ms, ", interpreter %s",
+- file_printable(ibuf, sizeof(ibuf), interp)) == -1)
++ file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp)))
++ == -1)
+ return -1;
+ return 0;
+ }
+diff --git a/src/softmagic.c b/src/softmagic.c
+index b9e9753..fa82d58 100644
+--- a/src/softmagic.c
++++ b/src/softmagic.c
+@@ -544,8 +544,8 @@ mprint(struct magic_set *ms, struct magic *m)
+ case FILE_LESTRING16:
+ if (m->reln == '=' || m->reln == '!') {
+ if (file_printf(ms, F(ms, m, "%s"),
+- file_printable(sbuf, sizeof(sbuf), m->value.s))
+- == -1)
++ file_printable(sbuf, sizeof(sbuf), m->value.s,
++ sizeof(m->value.s))) == -1)
+ return -1;
+ t = ms->offset + m->vallen;
+ }
+@@ -572,7 +572,8 @@ mprint(struct magic_set *ms, struct magic *m)
+ }
+
+ if (file_printf(ms, F(ms, m, "%s"),
+- file_printable(sbuf, sizeof(sbuf), str)) == -1)
++ file_printable(sbuf, sizeof(sbuf), str,
++ sizeof(p->s) - (str - p->s))) == -1)
+ return -1;
+
+ if (m->type == FILE_PSTRING)
+@@ -678,7 +679,7 @@ mprint(struct magic_set *ms, struct magic *m)
+ return -1;
+ }
+ rval = file_printf(ms, F(ms, m, "%s"),
+- file_printable(sbuf, sizeof(sbuf), cp));
++ file_printable(sbuf, sizeof(sbuf), cp, ms->search.rm_len));
+ free(cp);
+
+ if (rval == -1)
+@@ -705,7 +706,8 @@ mprint(struct magic_set *ms, struct magic *m)
+ break;
+ case FILE_DER:
+ if (file_printf(ms, F(ms, m, "%s"),
+- file_printable(sbuf, sizeof(sbuf), ms->ms_value.s)) == -1)
++ file_printable(sbuf, sizeof(sbuf), ms->ms_value.s,
++ sizeof(ms->ms_value.s))) == -1)
+ return -1;
+ t = ms->offset;
+ break;
+
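Review bot: Several call sites pass `sizeof(...)` as the new `slen` argument: `sizeof(interp)` in dophn_exec, and `sizeof(m->value.s)` and `sizeof(ms->ms_value.s)` in mprint. That bounds the read correctly only when the operand is an array, and the declarations are outside these hunks. If any operand is a pointer, `sizeof` yields the pointer size and file_printable would silently truncate the output. A comment on file_printable such as `/* slen: number of readable bytes at str; str need not be NUL-terminated */` would document the contract callers must meet. In funcs.c, `eptr = buf + bufsiz - 1` still assumes `bufsiz` is at least 1.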
diff --git a/main/file/CVE-2019-8906.patch b/main/file/CVE-2019-8906.patch
new file mode 100644
index 00000000000..05ff2c73fdf
--- /dev/null
+++ b/main/file/CVE-2019-8906.patch
@@ -0,0 +1,14 @@
+diff --git a/src/readelf.c b/src/readelf.c
+index 5f425c9..50883fe 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -720,7 +720,7 @@ do_core_note(struct magic_set *ms, unsigned char *nbuf, uint32_t type,
+ char sbuf[512];
+ struct NetBSD_elfcore_procinfo pi;
+ memset(&pi, 0, sizeof(pi));
+- memcpy(&pi, nbuf + doff, descsz);
++ memcpy(&pi, nbuf + doff, MIN(descsz, sizeof(pi)));
+
+ if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+ "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
+
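Review bot: `memcpy(&pi, nbuf + doff, MIN(descsz, sizeof(pi)))` now caps the copy at the size of `pi`, but nothing in this hunk shows that `nbuf + doff` has that many bytes available, so the source side of the copy is unchecked as far as the visible lines go. If the caller does not already guarantee it, the length should also be limited by the bytes remaining in the note buffer, e.g. `MIN(MIN(descsz, sizeof(pi)), REMAINING /* placeholder: bytes left in nbuf after doff */)`. do_core_note starts and ends outside the hunk, so any existing checks on `doff` and `descsz` need confirming there.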
diff --git a/main/freeradius/APKBUILD b/main/freeradius/APKBUILD
index b0fc3b4494f..50456704b0e 100644
--- a/main/freeradius/APKBUILD
+++ b/main/freeradius/APKBUILD
@@ -5,7 +5,7 @@
pkgname=freeradius
_realname=freeradius
pkgver=3.0.15
-pkgrel=4
+pkgrel=5
pkgdesc="RADIUS (Remote Authentication Dial-In User Service) server"
url="http://freeradius.org/"
arch="all"
@@ -32,10 +32,13 @@ source="ftp://ftp.freeradius.org/pub/freeradius/old/$_realname-server-$pkgver.ta
fix-scopeid.patch
freeradius-313-default-config.patch
CVE-2019-11234-5.patch
+ CVE-2019-10143.patch
"
builddir="$srcdir"/$_realname-server-$pkgver
# secfixes:
+# 3.0.17-r5:
+# - CVE-2019-10143
# 3.0.15-r4:
# - CVE-2019-11234
# - CVE-2019-11235
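Review bot: The added secfixes key `# 3.0.17-r5:` does not match the package being built. The first hunk keeps `pkgver=3.0.15` and bumps `pkgrel` to 5, so the release that carries CVE-2019-10143.patch is 3.0.15-r5. Tools that read the secfixes block would record the fix against a version this APKBUILD does not produce. The line should be `# 3.0.15-r5:`.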
@@ -289,4 +292,5 @@ ba3c424d4eabb147c7aa3e31575a87ddb26b6a792d2a8714e73d8763e07854326a03a83991a74202
c49e5eec7497fccde5fd09dba1ea9b846e57bc88015bd81640aa531fb5c9b449f37136f42c85fe1d7940c5963aed664b85da28442b388c9fb8cc27873df03b2d musl-fix-headers.patch
41d478c0e40ff82fc36232964037c1ab8ffca9fdbb7dca02ed49319906e751c133b5d7bc7773c645cec6d9d39d1de69cba25e8d59afa8d6662563dd17f35f234 fix-scopeid.patch
666e15a3c3e5b98ff8c3168de85b341606af5e2790af379ddec46464e9d7de14a715876a34ba1eb7fa47ddead23f7134128d591db32309db0e4acbdb6f21ef5e freeradius-313-default-config.patch
-05b19e1b4d43eac3ddb2f1d62a31bedb2e3386bdafc0253506304d46e6ea41f1bf798c28d3b1207341c4c9d17de0775a9ca8aa2b9c27a90c92d21c0a73ee6477 CVE-2019-11234-5.patch"
+05b19e1b4d43eac3ddb2f1d62a31bedb2e3386bdafc0253506304d46e6ea41f1bf798c28d3b1207341c4c9d17de0775a9ca8aa2b9c27a90c92d21c0a73ee6477 CVE-2019-11234-5.patch
+5506cc095553c2024319f0818fd317c02c0aa52f306b506e44f661f2f600874426118decdc2313a2da8313bff3578d364262f947faa9198595a830764a336b57 CVE-2019-10143.patch"
diff --git a/main/freeradius/CVE-2019-10143.patch b/main/freeradius/CVE-2019-10143.patch
new file mode 100644
index 00000000000..528550aa822
--- /dev/null
+++ b/main/freeradius/CVE-2019-10143.patch
@@ -0,0 +1,94 @@
+From 1f233773962bf1a9c2d228a180eacddb9db2d574 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Tue, 7 May 2019 16:04:29 -0400
+Subject: [PATCH] su to radiusd user/group when rotating logs
+
+The su directive to logrotate ensures that log rotation happens under the
+owner of the logs. Otherwise, logrotate runs as root:root, potentially
+enabling privilege escalation if a RCE is discovered against the
+FreeRADIUS daemon.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ debian/freeradius.logrotate | 3 +++
+ redhat/freeradius-logrotate | 1 +
+ scripts/logrotate/freeradius | 3 +++
+ suse/radiusd-logrotate | 1 +
+ 4 files changed, 8 insertions(+)
+
+diff --git a/debian/freeradius.logrotate b/debian/freeradius.logrotate
+index 7d837d53bd..a8d29b7adf 100644
+--- a/debian/freeradius.logrotate
++++ b/debian/freeradius.logrotate
+@@ -9,6 +9,7 @@
+ notifempty
+
+ copytruncate
++ su freerad freerad
+ }
+
+ # (in order)
+@@ -26,6 +27,7 @@
+ notifempty
+
+ nocreate
++ su freerad freerad
+ }
+
+ # There are different detail-rotating strategies you can use. One is
+@@ -45,4 +47,5 @@
+ notifempty
+
+ nocreate
++ su freerad freerad
+ }
+diff --git a/redhat/freeradius-logrotate b/redhat/freeradius-logrotate
+index 360765ddc4..bb97ca5547 100644
+--- a/redhat/freeradius-logrotate
++++ b/redhat/freeradius-logrotate
+@@ -9,6 +9,7 @@ rotate 4
+ missingok
+ compress
+ delaycompress
++su radiusd radiusd
+
+ #
+ # The main server log
+diff --git a/scripts/logrotate/freeradius b/scripts/logrotate/freeradius
+index 3de435e76e..eecf63175a 100644
+--- a/scripts/logrotate/freeradius
++++ b/scripts/logrotate/freeradius
+@@ -17,6 +17,7 @@
+ notifempty
+
+ copytruncate
++ su radiusd radiusd
+ }
+
+ # (in order)
+@@ -34,6 +35,7 @@
+ notifempty
+
+ nocreate
++ su radiusd radiusd
+ }
+
+ # There are different detail-rotating strategies you can use. One is
+@@ -53,4 +55,5 @@
+ notifempty
+
+ nocreate
++ su radiusd radiusd
+ }
+diff --git a/suse/radiusd-logrotate b/suse/radiusd-logrotate
+index 24d56be1a9..be5a797684 100644
+--- a/suse/radiusd-logrotate
++++ b/suse/radiusd-logrotate
+@@ -11,6 +11,7 @@ missingok
+ compress
+ delaycompress
+ notifempty
++su radiusd radiusd
+
+ #
+ # The main server log
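Review bot: Nothing in this patch or in the APKBUILD hunks shown says whether the Alpine package installs any of the four logrotate files edited here, or whether an account named `radiusd` or `freerad` exists on Alpine. If the package ships its own logrotate file instead, that file needs its own `su <user> <group>` line naming the account the daemon runs as, otherwise rotation still happens as root:root and the secfixes entry for CVE-2019-10143 overstates what was fixed. If one of the patched files is installed, the user and group named in `su` should be checked against the account the package creates. A short comment above `source=` stating which logrotate file is shipped would settle the question for the next reviewer.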
diff --git a/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch b/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
new file mode 100644
index 00000000000..463ae601d76
--- /dev/null
+++ b/main/ghostscript/0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
@@ -0,0 +1,436 @@
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Thu, 31 Jan 2019 11:31:30 -0800
+Subject: Hide pdfdict and GS_PDF_ProcSet (internal stuff for the PDF interp).
+Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3839
+
+We now keep GS_PDF_ProcSet in pdfdict, and immediately bind pdfdict
+where needed so we can undef it after the last PDF interp file has
+run (pdf_sec.ps).
+---
+ Resource/Init/pdf_base.ps | 11 ++++-----
+ Resource/Init/pdf_draw.ps | 59 +++++++++++++++++++++++------------------------
+ Resource/Init/pdf_font.ps | 9 ++++----
+ Resource/Init/pdf_main.ps | 25 ++++++++++----------
+ Resource/Init/pdf_ops.ps | 11 +++++----
+ Resource/Init/pdf_sec.ps | 4 +++-
+ 6 files changed, 60 insertions(+), 59 deletions(-)
+
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index e35e0e3731d4..13dd51f46793 100644
+--- a/Resource/Init/pdf_base.ps
++++ b/Resource/Init/pdf_base.ps
+@@ -23,7 +23,6 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
+
+ % Define the name interpretation dictionary for reading values.
+@@ -133,11 +132,11 @@ currentdict /num-chars-dict .undef
+
+ /.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ?
+ PDFDEBUG {
+- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if
++ //pdfdict /PDFSTEPcount known not { //pdfdict /PDFSTEPcount 1 .forceput } executeonly if
+ PDFSTEP {
+- pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
++ //pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
+ PDFSTEPcount 1 gt {
+- pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
++ //pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
+ } executeonly
+ {
+ dup ==only
+@@ -145,10 +144,10 @@ currentdict /num-chars-dict .undef
+ ( ? ) print flush 1 //false .outputpage
+ (%stdin) (r) file 255 string readline {
+ token {
+- exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput
++ exch pop //pdfdict /PDFSTEPcount 3 -1 roll .forceput
+ } executeonly
+ {
+- pdfdict /PDFSTEPcount 1 .forceput
++ //pdfdict /PDFSTEPcount 1 .forceput
+ } executeonly ifelse % token
+ } {
+ pop /PDFSTEP //false def % EOF on stdin
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 36c41a9a30c2..2e39c87d207c 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -18,8 +18,7 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+-GS_PDF_ProcSet begin
++/GS_PDF_ProcSet load begin
+ pdfdict begin
+
+ % For simplicity, we use a single interpretation dictionary for all
+@@ -113,7 +112,7 @@ pdfdict begin
+
+ /resolvefunction { % <fndict> resolvefunction <function>
+ .resolvefn
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Function: ) print dup === flush } if } if
+ } bind executeonly def
+
+ /resolvefnproc { % <fndict> resolvefnproc <proc>
+@@ -1086,7 +1085,7 @@ currentdict end readonly def
+ %% finished running the PaintProc.
+
+ /.actual_pdfpaintproc { % <patdict> <resdict> .pdfpaintproc -
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Begin PaintProc) print dup === flush } if } if
+ PDFfile fileposition 3 1 roll
+ q
+ 1 index /PaintType oget 1 eq {
+@@ -1121,21 +1120,21 @@ currentdict end readonly def
+ Q
+ }{
+ (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -1144,21 +1143,21 @@ currentdict end readonly def
+ } loop
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -1169,7 +1168,7 @@ currentdict end readonly def
+ /pdfemptycount exch def
+
+ Q
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%End PaintProc) print dup === flush } if } if
+ PDFfile exch setfileposition
+ } bind executeonly odef
+
+@@ -1240,7 +1239,7 @@ currentdict end readonly def
+ ] cvx put
+ dup /BBox 2 copy knownoget { normrect FixPatternBBox put } { pop pop } ifelse
+ dup /.pattern_uses_transparency 1 index patternusestransparency put
+- PDFDEBUG { pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
++ PDFDEBUG { //pdfdict /PDFSTEPcount .knownget { 1 le } { //true } ifelse { (%Pattern: ) print dup === flush } if } if
+ } bind executeonly def
+
+ /ignore_color_op ( **** Error: Ignoring a color operation in a cached context.\n Output may be incorrect.\n) readonly def
+@@ -2361,16 +2360,16 @@ currentdict /last-ditch-bpc-csp undef
+ } bind executeonly def
+
+ /IncrementAppearanceNumber {
+- pdfdict /AppearanceNumber .knownget {
+- 1 add pdfdict /AppearanceNumber 3 -1 roll .forceput
++ //pdfdict /AppearanceNumber .knownget {
++ 1 add //pdfdict /AppearanceNumber 3 -1 roll .forceput
+ } executeonly
+ {
+- pdfdict /AppearanceNumber 0 .forceput
++ //pdfdict /AppearanceNumber 0 .forceput
+ } executeonly ifelse
+ }bind executeonly odef
+
+ /MakeAppearanceName {
+- pdfdict /AppearanceNumber get
++ //pdfdict /AppearanceNumber get
+ 10 string cvs
+ dup length 10 add string dup 0 (\{FormName) putinterval
+ dup 3 -1 roll
+@@ -2391,17 +2390,17 @@ currentdict /last-ditch-bpc-csp undef
+ gsave initclip
+ MakeNewAppearanceName
+ .pdfFormName
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
+- pdfdict /.PreservePDFForm true .forceput
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
++ //pdfdict /.PreservePDFForm true .forceput
+ DoForm
+- pdfdict /.PreservePDFForm 3 -1 roll .forceput
++ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
+ grestore
+ } bind executeonly odef
+
+ /DoForm {
+ %% save the current value, if its true we will set it to false later, in order
+ %% to prevent us preserving Forms which are used *from* an annotation /Appearance.
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get} {//false}ifelse exch
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get} {//false}ifelse exch
+
+ %% We may alter the Default* colour spaces, if the Resources
+ %% ColorSpace entry contains one of them. But we don't want that
+@@ -2516,13 +2515,13 @@ currentdict /last-ditch-bpc-csp undef
+ pdfemptycount countdictstack 3 -1 roll
+ /pdfemptycount count 4 sub store
+
+- pdfdict /.PreservePDFForm known {pdfdict /.PreservePDFForm get}{//false} ifelse
++ //pdfdict /.PreservePDFForm known {//pdfdict /.PreservePDFForm get}{//false} ifelse
+ {
+ %% We must *not* preserve any subsidiary forms (curently at least) as PDF
+ %% form preservation doesn't really work. This is used just for Annotation
+ %% Appearances currently, and if they should happen to use a form, we do not
+ %% want to preserve it.
+- pdfdict /.PreservePDFForm false .forceput
++ //pdfdict /.PreservePDFForm false .forceput
+ /q cvx /execform cvx 5 -2 roll
+ } executeonly
+ {
+@@ -2555,7 +2554,7 @@ currentdict /last-ditch-bpc-csp undef
+ saved_DCMYK /DefaultCMYK exch /ColorSpace defineresource pop
+ end
+ } if
+- pdfdict /.PreservePDFForm 3 -1 roll .forceput
++ //pdfdict /.PreservePDFForm 3 -1 roll .forceput
+ } bind executeonly odef
+
+ /_dops_save 1 array def
+@@ -2714,13 +2713,13 @@ drawopdict begin
+ % Start by getting the object number for a Form XObject
+ dup Page /XObject obj_get dup 0 eq not {
+ % Now get the recording dictionary and see if that object number has been seen
+- pdfdict /Recursive_XObject_D get 1 index known {
++ //pdfdict /Recursive_XObject_D get 1 index known {
+ ( **** Error: Recursive XObject detected, ignoring ") print 1 index 256 string cvs print (", object number ) print 256 string cvs print (\n) print
+ ( Output may be incorrect.\n) pdfformaterror
+ //false
+ }{
+ % We haven't seen it yet, so record it.
+- pdfdict /Recursive_XObject_D get 1 index null put
++ //pdfdict /Recursive_XObject_D get 1 index null put
+ 3 1 roll
+ //true
+ }ifelse
+@@ -2758,7 +2757,7 @@ drawopdict begin
+ ( Output may be incorrect.\n) pdfformaterror
+ } ifelse
+ PDFfile exch setfileposition
+- pdfdict /Recursive_XObject_D get exch undef
++ //pdfdict /Recursive_XObject_D get exch undef
+ }{
+ % Otherwise ignore it and tidy up the stacks
+ pop pop
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+index 7e35c02ac132..6b09be61f8f2 100644
+--- a/Resource/Init/pdf_font.ps
++++ b/Resource/Init/pdf_font.ps
+@@ -37,8 +37,7 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+-GS_PDF_ProcSet begin
++/GS_PDF_ProcSet load begin % from userdict at this point
+ pdfdict begin
+
+ % We cache the PostScript font in an additional element of the
+@@ -1227,11 +1226,11 @@ currentdict /eexec_pdf_param_dict .undef
+ .pdfruncontext
+ countdictstack BuildCharDictDepth sub
+ {
+- pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
++ //pdfdict /.Qqwarning_issued .knownget {not}{//true} ifelse
+ {
+ (\n **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+ pdfformatwarning
+- pdfdict /.Qqwarning_issued //true .forceput
++ //pdfdict /.Qqwarning_issued //true .forceput
+ } executeonly if
+ Q
+ } repeat
+@@ -2361,7 +2360,7 @@ currentdict /bndef undef
+ dup //null eq
+ {pop}
+ {
+- pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
++ //pdfdict /InputPDFFileName .knownget {.CRCHashFilenameAndObject} if
+ exch dup /.OrigUniqueIDXUID .knownget not
+ {
+ dup /XUID .knownget not
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+index 0a8929a2ac14..c1de1b0ef05c 100644
+--- a/Resource/Init/pdf_main.ps
++++ b/Resource/Init/pdf_main.ps
+@@ -18,8 +18,9 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
++/GS_PDF_ProcSet dup load def % keep in pdfdict to hide it
++userdict /GS_PDF_ProcSet undef
+
+ % Patch in an obsolete variable used by some third-party software.
+ /#? //false def
+@@ -304,8 +305,8 @@ currentdict /runpdfstring .undef
+ /Page //null def
+ /DSCPageCount 0 def
+ /PDFSave //null def
+- GS_PDF_ProcSet begin
+- pdfdict begin
++ //pdfdict /GS_PDF_ProcSet get begin
++ //pdfdict begin
+ pdfopen begin
+ /CumulativePageCount currentpagedevice /PageCount get def
+ } bind executeonly def
+@@ -624,7 +625,7 @@ currentdict /runpdfstring .undef
+ %% copied to a temporary file) and store it in pdfdict. We will use this for
+ %% hashing fonts to detect if fonts with the same name are from different files.
+ %%
+- dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch pdfdict 3 1 roll .forceput
++ dup currentglobal exch true setglobal .getfilename exch setglobal /InputPDFFileName exch //pdfdict 3 1 roll .forceput
+
+ //runpdfbegin exec
+ //pdf_collection_files exec
+@@ -1390,7 +1391,7 @@ currentdict /xref-char-dict undef
+ } bind executeonly def
+
+ /pdfopenfile { % <file> pdfopenfile <dict>
+- pdfdict readonly pop % can't do it any earlier than this
++ //pdfdict readonly pop % can't do it any earlier than this
+ 32 dict begin
+ /LocalResources 0 dict def
+ /DefaultQstate //null def % establish binding
+@@ -2717,21 +2718,21 @@ currentdict /PDF2PS_matrix_key undef
+ StreamRunAborted not {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+@@ -2743,8 +2744,8 @@ currentdict /PDF2PS_matrix_key undef
+ Repaired % pass Repaired state around the restore
+ RepairedAnError
+ PDFSave restore
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //false .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //false .forceput
+ .setglobal
+ /RepairedAnError exch def
+ /Repaired exch def
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+index 34e2fbd5861a..46de547f7a98 100644
+--- a/Resource/Init/pdf_ops.ps
++++ b/Resource/Init/pdf_ops.ps
+@@ -24,6 +24,7 @@
+ systemdict /pdfmark known not
+ { userdict /pdfmark { cleartomark } bind executeonly put } if
+
++systemdict /pdfdict where { pop } { /pdfdict 100 dict put } ifelse
+ userdict /GS_PDF_ProcSet 256 dict dup begin
+
+ % ---------------- Abbreviations ---------------- %
+@@ -174,21 +175,21 @@ currentdict /gput_always_allow .undef
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many Q's\)\n Output may be incorrect.\n)
+
+- pdfdict /.Qqwarning_issued .knownget
++ //pdfdict /.Qqwarning_issued .knownget
+ {
+ {
+ pop
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+ }
+ {
+- currentglobal pdfdict gcheck .setglobal
+- pdfdict /.Qqwarning_issued //true .forceput
++ currentglobal //pdfdict gcheck .setglobal
++ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+diff --git a/Resource/Init/pdf_sec.ps b/Resource/Init/pdf_sec.ps
+index d8cc94c86574..163dd687764e 100644
+--- a/Resource/Init/pdf_sec.ps
++++ b/Resource/Init/pdf_sec.ps
+@@ -39,7 +39,6 @@
+
+ /.setlanguagelevel where { pop 2 .setlanguagelevel } if
+ .currentglobal //true .setglobal
+-/pdfdict where { pop } { /pdfdict 100 dict def } ifelse
+ pdfdict begin
+
+ % Older ghostscript versions do not have .pdftoken, so we use 'token' instead.
+@@ -748,4 +747,7 @@ currentdict /PDFScanRules_null undef
+ } bind executeonly def
+
+ end % pdfdict
++
++systemdict /pdfdict .forceundef % hide pdfdict
++
+ .setglobal
+--
+2.11.0
+
diff --git a/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch b/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
new file mode 100644
index 00000000000..5da83ab565c
--- /dev/null
+++ b/main/ghostscript/0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
@@ -0,0 +1,41 @@
+From: Ray Johnston <ray.johnston@artifex.com>
+Date: Mon, 18 Feb 2019 12:11:45 -0800
+Subject: Bug 700599: Issue an error message if an ExtGstate is not found.
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=be86d2ff2f0f0ea0e365707f3be0fa0c9e7315ee
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=700599
+
+Previously, this was silently ignored. Only issue a single warning,
+and respect PDFSTOPONERROR to prevent continuing with potentially
+incorrect output.
+
+Note that tests_private/pdf/uploads/bug696410.pdf also now gets this
+error message (ExtGState" instead of ExtGState in object 10).
+---
+ Resource/Init/pdf_draw.ps | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 75b5eb622b52..c0201ad65da2 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -494,7 +494,16 @@ end
+ dup {
+ oforce exch gsparamdict exch .knownget { exec } { pop } ifelse
+ } forall pop
+- } if
++ } {
++ //pdfdict /.gs_warning_issued known not {
++ (\n **** Error 'gs' ignored -- ExtGState missing from Resources.\n)
++ pdfformaterror
++ ( Output may be incorrect.\n) pdfformaterror
++ //pdfdict /.gs_warning_issued //true .forceput
++ PDFSTOPONERROR { /gs /undefined signalerror } if
++ } if
++ }
++ ifelse
+ } bind executeonly def
+
+ % ------ Transparency support ------ %
+--
+2.20.1
+
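Review bot: The added else-branch calls `.forceput` from procedure bodies that carry no `executeonly` (the `} if` and the `}` before `ifelse`), unlike the other `.forceput` sites touched in this series. Within this commit that is closed only by CVE-2019-14817.patch, whose pdf_draw.ps hunk rewrites those two closers as `} executeonly if` and `} executeonly`. This patch therefore has to stay applied before that one and should not be shipped without it. The `source=` list in the APKBUILD has them in that order; a comment above it such as `# 0002-Bug-700599 is a prerequisite for CVE-2019-14817.patch, keep the order` would stop a later cleanup from dropping or reordering it.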
diff --git a/main/ghostscript/APKBUILD b/main/ghostscript/APKBUILD
index ac139d32cb0..ac04652d3fb 100644
--- a/main/ghostscript/APKBUILD
+++ b/main/ghostscript/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=ghostscript
pkgver=9.26
-pkgrel=2
+pkgrel=4
pkgdesc="An interpreter for the PostScript language and for PDF"
url="https://ghostscript.com/"
arch="all"
@@ -12,22 +12,31 @@ makedepends="autoconf automake libjpeg-turbo-dev libpng-dev jasper-dev expat-dev
cups-dev libtool jbig2dec-dev openjpeg-dev"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-gtk"
source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${pkgver/./}/ghostscript-$pkgver.tar.gz
- https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs926/0001-Bug700317-Address-.force-operators-exposure.tgz
CVE-2019-6116.patch
CVE-2019-3835.patch
CVE-2019-3838.patch
+ CVE-2019-10216.patch
ghostscript-system-zlib.patch
fix-sprintf.patch
+ CVE-2019-14811-14812-14813.patch
+ 0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
+ 0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
+ CVE-2019-14817.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 9.26-r4:
+# - CVE-2019-14811
+# - CVE-2019-14812
+# - CVE-2019-14813
+# - CVE-2019-14817
+# 9.26-r3:
+# - CVE-2019-10216
# 9.26-r2:
# - CVE-2019-3835
# - CVE-2019-3838
# - CVE-2019-6116
-# 9.26-r1:
-# - CVE-2019-6116
# 9.26-r0:
# - CVE-2018-19409
# - CVE-2018-19475
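Review bot: The `# 9.26-r4:` secfixes block omits CVE-2019-3839, although the header of the added 0001-Hide-pdfdict patch carries `Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-3839`. If that patch is meant to fix the issue on this branch, add `#   - CVE-2019-3839` under `# 9.26-r4:`. If it is pulled in only as a prerequisite for the later patches, a comment saying so would keep the CVE from being assumed covered. The same hunk removes `0001-Bug700317-Address-.force-operators-exposure.tgz` from `source=`; whether `prepare()` still refers to its contents is not visible here and is worth checking.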
@@ -134,9 +143,13 @@ gtk() {
}
sha512sums="670159c23618ffafa85c671642bf182a107a82c053a1fd8c3f45f73f203524077be1b212d2ddbabae7892c7713922877e03b020f78bd2aab1ae582c4fc7d820a ghostscript-9.26.tar.gz
-289d916a0b0da410e6f721e42bc44659c91c66ca0f7b96b1a6b010ae1c25e47788e282edc3578b4e4b120a2c684c7b1fd4cc574084bdc9cbbf6e431a01fbae0e 0001-Bug700317-Address-.force-operators-exposure.tgz
+78564c1dd878cb6a924663cb5d61901a413a867dedc8753e537e08a4da9cc0aaeb817bab266fd66e5d0e871d9ed6078af6e6f455b5426e0917875682d76638f5 CVE-2019-6116.patch
31769852e75be4e1cd0e7c3f43cc7b3457bf9ba505fc2a5acda53779cc5626854bf15fef3e225f3d922f4038dd18c598dbac30abb863159202e4d0fe02c02d3b CVE-2019-3835.patch
dc3bd1de86e4a968ed35a35a125f682cffeed51fe4dbf9b3939dd78b07ef0748fe6b34816e689bcfffb4f819e51bcb5022f3151a5610aa24fd2468cdcbc665ea CVE-2019-3838.patch
-78564c1dd878cb6a924663cb5d61901a413a867dedc8753e537e08a4da9cc0aaeb817bab266fd66e5d0e871d9ed6078af6e6f455b5426e0917875682d76638f5 CVE-2019-6116.patch
+f89744b17922b7d9c04c6de69ce35fa621732e4373eccc158b7ff6a9e56d2cf0bbea30c28119f4808864ca584e94342e5125d7bcc6195252455b5f223f379e3f CVE-2019-10216.patch
70721e3a335afa5e21d4e6cf919119010bd4544a03ab8f53f5325c173902221ad9b88c118b4bfeee80b3e1956bcdbaf4c53f64ae7fb81f5ba57dbc956750c482 ghostscript-system-zlib.patch
-beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch"
+beefcf395f7f828e1b81c088022c08a506e218f27535b9de01e0f0edf7979b435316c318fa676771630f6ad16ff1ab059cd68aa128ed97e5a9f2f3fa840200c4 fix-sprintf.patch
+b61a1c5d818c054463e606a9f85e4f4a308ac839f734d6200dfc3b74e3859ac64b23996ff1bf4c90a0ee95acf10dfa19d066fda0b6fb11689294d0dc4267689e CVE-2019-14811-14812-14813.patch
+8036fa8a7175546dc3aae8619c92fa38016a8be132bb2a3a01f16ba66b5d9c05581dba40c1f184380b43b4e0b079d3cace7e401f9ed5fd718f36fbe7038649bc 0001-Hide-pdfdict-and-GS_PDF_ProcSet-internal-stuff-for-t.patch
+26ad5e996d4724a1683083c1abfdd39ebf41f5e7478a061f5713e11f2ffaf3834fe52f29e03d585044c7536b1201a97626f3640324abdc3e90b6ecc2a2db399b 0002-Bug-700599-Issue-an-error-message-if-an-ExtGstate-is.patch
+63b7d1a30045e454eba0bcceba52fd402c5fd9313c0057100bb98d2e82c1d61cd404826f63c4b9d7e4fdf4935c71f09a9633d43edbcd0658fb5dc5e20afc6ca0 CVE-2019-14817.patch"
diff --git a/main/ghostscript/CVE-2019-10216.patch b/main/ghostscript/CVE-2019-10216.patch
new file mode 100644
index 00000000000..e8dfa05a941
--- /dev/null
+++ b/main/ghostscript/CVE-2019-10216.patch
@@ -0,0 +1,49 @@
+From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 2 Aug 2019 15:18:26 +0100
+Subject: [PATCH] Bug 701394: protect use of .forceput with executeonly
+
+---
+ Resource/Init/gs_type1.ps | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps
+index 6c7735b..a039cce 100644
+--- a/Resource/Init/gs_type1.ps
++++ b/Resource/Init/gs_type1.ps
+@@ -118,25 +118,25 @@
+ ( to be the same as glyph: ) print 1 index //== exec } if
+ 3 index exch 3 index .forceput
+ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+- }
++ }executeonly
+ {pop} ifelse
+- } forall
++ } executeonly forall
+ pop pop
+- }
++ } executeonly
+ {
+ pop pop pop
+ } ifelse
+- }
++ } executeonly
+ {
+ % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname
+ pop pop
+ } ifelse
+- } forall
++ } executeonly forall
+ 3 1 roll pop pop
+- } if
++ } executeonly if
+ pop
+ dup /.AGLprocessed~GS //true .forceput
+- } if
++ } executeonly if
+
+ %% We need to excute the C .buildfont1 in a stopped context so that, if there
+ %% are errors we can put the stack back sanely and exit. Otherwise callers won't
+--
+2.9.1
+
diff --git a/main/ghostscript/CVE-2019-14811-14812-14813.patch b/main/ghostscript/CVE-2019-14811-14812-14813.patch
new file mode 100644
index 00000000000..a3d6b76c846
--- /dev/null
+++ b/main/ghostscript/CVE-2019-14811-14812-14813.patch
@@ -0,0 +1,69 @@
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 20 Aug 2019 10:10:28 +0100
+Subject: make .forceput inaccessible
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701443
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14813
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701444
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14812
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701445
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14811
+
+Bug #701343, #701344, #701345
+
+More defensive programming. We don't want people to access .forecput
+even though it is no longer sufficient to bypass SAFER. The exploit
+in #701343 didn't work anyway because of earlier work to stop the error
+handler being used, but nevertheless, prevent access to .forceput from
+.setuserparams2.
+---
+ Resource/Init/gs_lev2.ps | 6 +++---
+ Resource/Init/gs_pdfwr.ps | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 4cc7f820f765..0fd4164650ab 100644
+--- a/Resource/Init/gs_lev2.ps
++++ b/Resource/Init/gs_lev2.ps
+@@ -158,7 +158,7 @@ end
+ {
+ pop pop
+ } ifelse
+- } forall
++ } executeonly forall
+ % A context switch might have occurred during the above loop,
+ % causing the interpreter-level parameters to be reset.
+ % Set them again to the new values. From here on, we are safe,
+@@ -229,9 +229,9 @@ end
+ { pop pop
+ }
+ ifelse
+- }
++ } executeonly
+ forall pop
+-} .bind odef
++} .bind executeonly odef
+
+ % Initialize the passwords.
+ % NOTE: the names StartJobPassword and SystemParamsPassword are known to
+diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
+index c158a8faf540..422e66e1a6ca 100644
+--- a/Resource/Init/gs_pdfwr.ps
++++ b/Resource/Init/gs_pdfwr.ps
+@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef
+ systemdict /.pdf_hooked_DSC_Creator //true .forceput
+ } executeonly if
+ pop
+- } if
++ } executeonly if
+ } {
+ pop
+ } ifelse
+- }
++ } executeonly
+ {
+ pop
+ } ifelse
+--
+2.23.0.rc1
+
diff --git a/main/ghostscript/CVE-2019-14817.patch b/main/ghostscript/CVE-2019-14817.patch
new file mode 100644
index 00000000000..80cdcecb8e2
--- /dev/null
+++ b/main/ghostscript/CVE-2019-14817.patch
@@ -0,0 +1,218 @@
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 21 Aug 2019 10:10:51 +0100
+Subject: PDF interpreter - review .forceput security
+Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19
+Bug: https://bugs.ghostscript.com/show_bug.cgi?id=701450
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14817
+
+Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken"
+
+By abusing the error handler it was possible to get the PDFDEBUG portion
+of .pdfexectoken, which uses .forceput left readable.
+
+Add an executeonly appropriately to make sure that clause isn't readable
+no mstter what.
+
+Review all the uses of .forceput searching for similar cases, add
+executeonly as required to secure those. All cases in the PostScript
+support files seem to be covered already.
+---
+ Resource/Init/pdf_base.ps | 2 +-
+ Resource/Init/pdf_draw.ps | 14 +++++++-------
+ Resource/Init/pdf_font.ps | 29 ++++++++++++++++-------------
+ Resource/Init/pdf_main.ps | 6 +++---
+ Resource/Init/pdf_ops.ps | 11 ++++++-----
+ 5 files changed, 33 insertions(+), 29 deletions(-)
+
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index 2e28cdd7181e..02503eef8bc4 100644
+--- a/Resource/Init/pdf_base.ps
++++ b/Resource/Init/pdf_base.ps
+@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef
+ {
+ dup ==only () = flush
+ } ifelse % PDFSTEP
+- } if % PDFDEBUG
++ } executeonly if % PDFDEBUG
+ 2 copy .knownget {
+ exch pop exch pop exch pop exec
+ } {
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 11eb485f2eb7..fe3fc56c4161 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -501,8 +501,8 @@ end
+ ( Output may be incorrect.\n) pdfformaterror
+ //pdfdict /.gs_warning_issued //true .forceput
+ PDFSTOPONERROR { /gs /undefined signalerror } if
+- } if
+- }
++ } executeonly if
++ } executeonly
+ ifelse
+ } bind executeonly def
+
+@@ -1152,7 +1152,7 @@ currentdict end readonly def
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+@@ -1160,8 +1160,8 @@ currentdict end readonly def
+ pdfformaterror
+ } executeonly ifelse
+ end
+- } ifelse
+- } loop
++ } executeonly ifelse
++ } executeonly loop
+ {
+ (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+ //pdfdict /.Qqwarning_issued .knownget
+@@ -1175,14 +1175,14 @@ currentdict end readonly def
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- } if
++ } executeonly if
+ pop
+
+ % restore pdfemptycount
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+index 8b8fef8..86b1870 100644
+--- a/Resource/Init/pdf_font.ps
++++ b/Resource/Init/pdf_font.ps
+@@ -677,7 +677,7 @@ currentdict end readonly def
+ currentglobal 2 index dup gcheck setglobal
+ /FontInfo 5 dict dup 5 1 roll .forceput
+ setglobal
+- } if
++ } executeonly if
+ dup /GlyphNames2Unicode .knownget not {
+ //true % No existing G2U, make one
+ } {
+@@ -701,9 +701,9 @@ currentdict end readonly def
+ } if
+ PDFDEBUG {
+ (.processToUnicode end) =
+- } if
+- } if
+- } stopped
++ } executeonly if
++ } executeonly if
++ } executeonly stopped
+ {
+ .dstackdepth 1 countdictstack 1 sub
+ {pop end} for
+@@ -1298,19 +1300,20 @@ currentdict /eexec_pdf_param_dict .undef
+ //pdfdict /.Qqwarning_issued //true .forceput
+ } executeonly if
+ Q
+- } repeat
++ } executeonly repeat
+ Q
+- } PDFfile fileposition 2 .execn % Keep pdfcount valid.
++ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid.
+ PDFfile exch setfileposition
+- } ifelse
+- } {
++ } executeonly ifelse
++ } executeonly
++ {
+ % PDF Type 3 fonts don't use .notdef
+ % d1 implementation adjusts the width as needed
+ 0 0 0 0 0 0
+ pdfopdict /d1 get exec
+ } ifelse
+ end end
+- } bdef
++ } executeonly bdef
+ dup currentdict Encoding .processToUnicode
+ currentdict end .completefont exch pop
+ } bind executeonly odef
+@@ -2124,9 +2127,9 @@ currentdict /CMap_read_dict undef
+ (Will continue, but content may be missing.) = flush
+ } ifelse
+ } if
+- } if
++ } executeonly if
+ /findresource cvx /undefined signalerror
+- } loop
++ } executeonly loop
+ } bind executeonly odef
+
+ /buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font>
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+index 00d7e3682fd8..7690bae0f920 100644
+--- a/Resource/Init/pdf_main.ps
++++ b/Resource/Init/pdf_main.ps
+@@ -2771,15 +2771,15 @@ currentdict /PDF2PS_matrix_key undef
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- } if
+- } if
++ } executeonly if
++ } executeonly if
+ pop
+ count PDFexecstackcount sub { pop } repeat
+ (after exec) VMDEBUG
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+index a15c8c6770f7..d594035c066a 100644
+--- a/Resource/Init/pdf_ops.ps
++++ b/Resource/Init/pdf_ops.ps
+@@ -192,14 +192,14 @@ currentdict /gput_always_allow .undef
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- }
++ } executeonly
+ {
+ currentglobal //pdfdict gcheck .setglobal
+ //pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+ } executeonly ifelse
+- } if
++ } executeonly if
+ } bind executeonly odef
+
+ % Save PDF gstate
+@@ -446,11 +446,12 @@ currentdict /gput_always_allow .undef
+ dup type /booleantype eq {
+ .currentSMask type /dicttype eq {
+ .currentSMask /Processed 2 index .forceput
++ } executeonly
++ {
++ .setSMask
++ }ifelse
+ } executeonly
+ {
+- .setSMask
+- }ifelse
+- }{
+ .setSMask
+ }ifelse
+
+--
+2.23.0.rc1
+
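Review bot: The pdf_font.ps section of this patch looks trimmed relative to the commit named in `Origin:`, and the header does not record that. The diffstat announces 29 changed lines for that file but the four hunks present change 23. The third hunk also starts at `-1298` / `+1300` although the two hunks before it add and remove equal numbers of lines, which is what a dropped hunk with a net gain of two lines would leave behind. Since the purpose of the change is that every `.forceput` site ends up inside an `executeonly` procedure, please confirm that the code the missing hunk touched is either absent in 9.26 or already covered by another patch in `source=`. The deviation belongs in the patch header, e.g. `[backport: one pdf_font.ps hunk dropped, <reason>]`.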
diff --git a/main/git/APKBUILD b/main/git/APKBUILD
index 3fb8c48ff0f..c224548dd34 100644
--- a/main/git/APKBUILD
+++ b/main/git/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=git
-pkgver=2.15.3
+pkgver=2.15.4
pkgrel=0
pkgdesc="A distributed version control system"
url="https://www.git-scm.com/"
@@ -11,6 +11,15 @@ depends=
replaces="git-perl"
# secfixes:
+# 2.15.4-r0:
+# - CVE-2019-1348
+# - CVE-2019-1349
+# - CVE-2019-1350
+# - CVE-2019-1351
+# - CVE-2019-1352
+# - CVE-2019-1353
+# - CVE-2019-1354
+# - CVE-2019-1387
# 2.15.r-r1:
# - CVE-2018-19486
# 2.15.3-r0:
@@ -248,7 +257,7 @@ _git_perl() {
}
-sha512sums="0de84aa3511f3b2bf3311efe4ed6991b1d41c292be72a884d477cb893d28e317ec5ee915c392805d866edae019da755c39f9b5e0259fcbf1973f65a112c7670b git-2.15.3.tar.xz
+sha512sums="b4a7754f0de47f8d260010185576b379da18a5c3978a151c6b0bea421dfabcc2569b40bca5f24ff4cd708837573bb4fbe4f5c886ec3e69fa8875bd43473378a2 git-2.15.4.tar.xz
85767b5e03137008d6a96199e769e3979f75d83603ac8cb13a3481a915005637409a4fd94e0720da2ec6cd1124f35eba7cf20109a94816c4b4898a81fbc46bd2 bb-tar.patch
98e4d87d492f2e65930b842e2de3f2043d737dcb1cbcb09e504a21a387ad5e5ce7fbe8f9eea2594eec302c45d0f8f069c6b6767deba1ed61b4636f43dfe2a7aa CVE-2018-19486.patch
89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a git-daemon.initd
diff --git a/main/gvfs/APKBUILD b/main/gvfs/APKBUILD
index 58c93dfeb47..06c058e5967 100644
--- a/main/gvfs/APKBUILD
+++ b/main/gvfs/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gvfs
pkgver=1.34.1
-pkgrel=0
+pkgrel=1
pkgdesc="Backends for the gio framework in GLib"
url="http://ftp.gnome.org/pub/gnome/sources/gvfs/${pkgver%.*}/"
arch="all"
@@ -25,7 +25,19 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang
$pkgname-smb
$pkgname-mtp
"
-source="https://download.gnome.org/sources/gvfs/${pkgver%.*}/gvfs-$pkgver.tar.xz"
+source="https://download.gnome.org/sources/gvfs/${pkgver%.*}/gvfs-$pkgver.tar.xz
+ CVE-2019-12448.patch
+ CVE-2019-12795.patch
+ CVE-2019-12449.patch
+ CVE-2019-12447.patch
+ "
+
+# secfixes:
+# 1.34.1-r1:
+# - CVE-2019-12447
+# - CVE-2019-12448
+# - CVE-2019-12795
+# - CVE-2019-12449
builddir="$srcdir/$pkgname-$pkgver"
build() {
@@ -145,4 +157,8 @@ dav() {
# pkgdesc="AFC support for gvfs"
#}
-sha512sums="383f20c3dad1ff833f1d14466f215c7183459c0ed18d842fd09a68061e09814f2a4e33d574a0bf62bc9b6f5023721d03461eaaed86e840513f7e115662af91b6 gvfs-1.34.1.tar.xz"
+sha512sums="383f20c3dad1ff833f1d14466f215c7183459c0ed18d842fd09a68061e09814f2a4e33d574a0bf62bc9b6f5023721d03461eaaed86e840513f7e115662af91b6 gvfs-1.34.1.tar.xz
+a4daaf8e7f6ece24fd0fdbe0ca4cfa5a5d36189249c36779a09f6ab9033b0fcd1db47d1aaa0b5dd4b14c444cc3763d9e25e0580fb2e2021aa42bc5e6d1eef1ec CVE-2019-12448.patch
+4d381da1e164c1205a4fea19b235163e22c8d1d65ea7ffb130df9c8c76395f20c4b5879111e4ba6d4f54cadbfb084b8c82434ab698e39e6ab2d1e5e0b5ab93ac CVE-2019-12795.patch
+15c7c46f74049b539ae5d76d03f22b7efda39f0424b13582afca1e82ca90a03bb372ef8c42afdd21f257a46aae8c6c709715bdd76cb5aa4fdf13e4c1f58fa012 CVE-2019-12449.patch
+02c4e94d8eef1f69b6d45ddbbbfa22ff9452238251c8bd3b8ae5cbbdc3a7c1fcde4612f96851dfff55f276bcf84f5b82561b06a18c1d9e20033457e72987013d CVE-2019-12447.patch"
diff --git a/main/gvfs/CVE-2019-12447.patch b/main/gvfs/CVE-2019-12447.patch
new file mode 100644
index 00000000000..4b37fc5070e
--- /dev/null
+++ b/main/gvfs/CVE-2019-12447.patch
@@ -0,0 +1,33 @@
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index d67353d..daa6df9 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -907,7 +907,8 @@ g_vfs_backend_admin_init (GVfsBackendAdmin *self)
+
+ #define REQUIRED_CAPS (CAP_TO_MASK(CAP_FOWNER) | \
+ CAP_TO_MASK(CAP_DAC_OVERRIDE) | \
+- CAP_TO_MASK(CAP_DAC_READ_SEARCH))
++ CAP_TO_MASK(CAP_DAC_READ_SEARCH) | \
++ CAP_TO_MASK(CAP_CHOWN))
+
+ static void
+ acquire_caps (uid_t uid)
+@@ -919,10 +920,15 @@ acquire_caps (uid_t uid)
+ if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
+ g_error ("prctl(PR_SET_KEEPCAPS) failed");
+
+- /* Drop root uid, but retain the required permitted caps */
+- if (setuid (uid) < 0)
++ /* Set euid to user to make dbus work */
++ if (seteuid (uid) < 0)
+ g_error ("unable to drop privs");
+
++ /* Set fsuid to still behave like root when working with files */
++ setfsuid (0);
++ if (setfsuid (-1) != 0)
++ g_error ("setfsuid failed");
++
+ memset (&hdr, 0, sizeof(hdr));
+ hdr.version = _LINUX_CAPABILITY_VERSION;
+
+
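Review bot: In acquire_caps, replacing `setuid (uid)` with `seteuid (uid)` changes only the effective uid, so the error text `unable to drop privs` and the new comment no longer describe what actually limits the process. A comment should name that limit, for example `/* Only euid changes; real/saved uid are untouched and fsuid is set back to 0, so the capability set applied below is the real privilege bound */`. The capset part of the function is outside the hunk, so confirm that it restricts the permitted set to REQUIRED_CAPS. The patch file also carries no upstream commit header, unlike the other gvfs patches added in this commit, so a commit id or URL comment at its top would make its origin checkable.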
diff --git a/main/gvfs/CVE-2019-12448.patch b/main/gvfs/CVE-2019-12448.patch
new file mode 100644
index 00000000000..53542a3a1b8
--- /dev/null
+++ b/main/gvfs/CVE-2019-12448.patch
@@ -0,0 +1,128 @@
+From 5cd76d627f4d1982b6e77a0e271ef9301732d09e Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:24:36 +0200
+Subject: [PATCH] admin: Add query_info_on_read/write functionality
+
+Admin backend doesn't implement query_info_on_read/write which might
+potentially lead to some race conditions which aren't really wanted
+especially in case of admin backend. Let's add this missing functionality.
+---
+ daemon/gvfsbackendadmin.c | 79 +++++++++++++++++++++++++++++++++------
+ 1 file changed, 67 insertions(+), 12 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index 65a979e7..23d16f16 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -42,6 +42,8 @@
+ #include "gvfsjobopenforwrite.h"
+ #include "gvfsjobqueryattributes.h"
+ #include "gvfsjobqueryinfo.h"
++#include "gvfsjobqueryinforead.h"
++#include "gvfsjobqueryinfowrite.h"
+ #include "gvfsjobread.h"
+ #include "gvfsjobseekread.h"
+ #include "gvfsjobseekwrite.h"
+@@ -155,6 +157,19 @@ complete_job (GVfsJob *job,
+ g_vfs_job_succeeded (job);
+ }
+
++static void
++fix_file_info (GFileInfo *info)
++{
++ /* Override read/write flags, since the above call will use access()
++ * to determine permissions, which does not honor our privileged
++ * capabilities.
++ */
++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
++}
++
+ static void
+ do_query_info (GVfsBackend *backend,
+ GVfsJobQueryInfo *query_info_job,
+@@ -180,19 +195,57 @@ do_query_info (GVfsBackend *backend,
+ if (error != NULL)
+ goto out;
+
+- /* Override read/write flags, since the above call will use access()
+- * to determine permissions, which does not honor our privileged
+- * capabilities.
+- */
+- g_file_info_set_attribute_boolean (real_info,
+- G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
+- g_file_info_set_attribute_boolean (real_info,
+- G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
+- g_file_info_set_attribute_boolean (real_info,
+- G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
+- g_file_info_set_attribute_boolean (real_info,
+- G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
++ fix_file_info (real_info);
++ g_file_info_copy_into (real_info, info);
++ g_object_unref (real_info);
++
++ out:
++ complete_job (job, error);
++}
++
++static void
++do_query_info_on_read (GVfsBackend *backend,
++ GVfsJobQueryInfoRead *query_info_job,
++ GVfsBackendHandle handle,
++ GFileInfo *info,
++ GFileAttributeMatcher *matcher)
++{
++ GVfsJob *job = G_VFS_JOB (query_info_job);
++ GFileInputStream *stream = handle;
++ GError *error = NULL;
++ GFileInfo *real_info;
++
++ real_info = g_file_input_stream_query_info (stream, query_info_job->attributes,
++ job->cancellable, &error);
++ if (error != NULL)
++ goto out;
++
++ fix_file_info (real_info);
++ g_file_info_copy_into (real_info, info);
++ g_object_unref (real_info);
++
++ out:
++ complete_job (job, error);
++}
++
++static void
++do_query_info_on_write (GVfsBackend *backend,
++ GVfsJobQueryInfoWrite *query_info_job,
++ GVfsBackendHandle handle,
++ GFileInfo *info,
++ GFileAttributeMatcher *matcher)
++{
++ GVfsJob *job = G_VFS_JOB (query_info_job);
++ GFileOutputStream *stream = handle;
++ GError *error = NULL;
++ GFileInfo *real_info;
++
++ real_info = g_file_output_stream_query_info (stream, query_info_job->attributes,
++ job->cancellable, &error);
++ if (error != NULL)
++ goto out;
+
++ fix_file_info (real_info);
+ g_file_info_copy_into (real_info, info);
+ g_object_unref (real_info);
+
+@@ -868,6 +921,8 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass)
+ backend_class->mount = do_mount;
+ backend_class->open_for_read = do_open_for_read;
+ backend_class->query_info = do_query_info;
++ backend_class->query_info_on_read = do_query_info_on_read;
++ backend_class->query_info_on_write = do_query_info_on_write;
+ backend_class->read = do_read;
+ backend_class->create = do_create;
+ backend_class->append_to = do_append_to;
+--
+2.21.0
+
+
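Review bot: The comment moved into fix_file_info still says `the above call will use access()`, but inside the helper there is no call above it, so the reason for forcing the flags is lost. Reword it to name the callers' query, e.g. `/* The query_info call made by our callers derives the access flags via access(), which does not honor our privileged capabilities; override them. */`. It would also help to state that all four flags are set to TRUE unconditionally and are therefore not an authorization result; where authorization is decided is not visible in this patch.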
diff --git a/main/gvfs/CVE-2019-12449.patch b/main/gvfs/CVE-2019-12449.patch
new file mode 100644
index 00000000000..7d58c5d3d8f
--- /dev/null
+++ b/main/gvfs/CVE-2019-12449.patch
@@ -0,0 +1,81 @@
+From d5dfd823c94045488aef8727c553f1e0f7666b90 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Fri, 24 May 2019 09:43:43 +0200
+Subject: [PATCH] admin: Ensure correct ownership when moving to file:// uri
+
+User and group is not restored properly when moving (or copying with
+G_FILE_COPY_ALL_METADATA) from admin:// to file://, because it is handled
+by GIO fallback code, which doesn't run with root permissions. Let's
+handle this case with pull method to ensure correct ownership.
+---
+ daemon/gvfsbackendadmin.c | 46 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index 32b51b1a..9a7e8295 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -807,6 +807,51 @@ do_move (GVfsBackend *backend,
+ complete_job (job, error);
+ }
+
++static void
++do_pull (GVfsBackend *backend,
++ GVfsJobPull *pull_job,
++ const char *source,
++ const char *local_path,
++ GFileCopyFlags flags,
++ gboolean remove_source,
++ GFileProgressCallback progress_callback,
++ gpointer progress_callback_data)
++{
++ GVfsBackendAdmin *self = G_VFS_BACKEND_ADMIN (backend);
++ GVfsJob *job = G_VFS_JOB (pull_job);
++ GError *error = NULL;
++ GFile *src_file, *dst_file;
++
++ /* Pull method is necessary when user/group needs to be restored, return
++ * G_IO_ERROR_NOT_SUPPORTED in other cases to proceed with the fallback code.
++ */
++ if (!(flags & G_FILE_COPY_ALL_METADATA))
++ {
++ g_vfs_job_failed_literal (G_VFS_JOB (job), G_IO_ERROR,
++ G_IO_ERROR_NOT_SUPPORTED,
++ _("Operation not supported"));
++ return;
++ }
++
++ if (!check_permission (self, job))
++ return;
++
++ src_file = g_file_new_for_path (source);
++ dst_file = g_file_new_for_path (local_path);
++
++ if (remove_source)
++ g_file_move (src_file, dst_file, flags, job->cancellable,
++ progress_callback, progress_callback_data, &error);
++ else
++ g_file_copy (src_file, dst_file, flags, job->cancellable,
++ progress_callback, progress_callback_data, &error);
++
++ g_object_unref (src_file);
++ g_object_unref (dst_file);
++
++ complete_job (job, error);
++}
++
+ static void
+ do_query_settable_attributes (GVfsBackend *backend,
+ GVfsJobQueryAttributes *query_job,
+@@ -927,6 +972,7 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass)
+ backend_class->set_attribute = do_set_attribute;
+ backend_class->delete = do_delete;
+ backend_class->move = do_move;
++ backend_class->pull = do_pull;
+ backend_class->query_settable_attributes = do_query_settable_attributes;
+ backend_class->query_writable_namespaces = do_query_writable_namespaces;
+ }
+--
+2.21.0
+
+
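Review bot: do_pull writes to `local_path`, a path supplied by the caller, through `g_file_move`/`g_file_copy` running with the backend's elevated capabilities, and nothing in the function documents what makes that safe. Add a comment before `g_file_new_for_path (local_path)` such as `/* local_path is client-chosen and written with our capabilities; check_permission() above is the only gate */`, and confirm how an existing symlink at the destination is treated. check_permission is defined outside the hunk, so its exact guarantee is assumed here. The cast in `G_VFS_JOB (job)` is redundant because `job` is already a `GVfsJob *`.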
diff --git a/main/gvfs/CVE-2019-12795.patch b/main/gvfs/CVE-2019-12795.patch
new file mode 100644
index 00000000000..8d22342424c
--- /dev/null
+++ b/main/gvfs/CVE-2019-12795.patch
@@ -0,0 +1,93 @@
+From e3808a1b4042761055b1d975333a8243d67b8bfe Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 5 Jun 2019 13:33:38 +0100
+Subject: [PATCH] gvfsdaemon: Check that the connecting client is the same user
+
+Otherwise, an attacker who learns the abstract socket address from
+netstat(8) or similar could connect to it and issue D-Bus method
+calls.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ daemon/gvfsdaemon.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index 406d4f8e..be148a7b 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -79,6 +79,7 @@ struct _GVfsDaemon
+
+ gint mount_counter;
+
++ GDBusAuthObserver *auth_observer;
+ GDBusConnection *conn;
+ GVfsDBusDaemon *daemon_skeleton;
+ GVfsDBusMountable *mountable_skeleton;
+@@ -171,6 +172,8 @@ g_vfs_daemon_finalize (GObject *object)
+ }
+ if (daemon->conn != NULL)
+ g_object_unref (daemon->conn);
++ if (daemon->auth_observer != NULL)
++ g_object_unref (daemon->auth_observer);
+
+ g_hash_table_destroy (daemon->registered_paths);
+ g_hash_table_destroy (daemon->client_connections);
+@@ -236,6 +239,35 @@ name_vanished_handler (GDBusConnection *connection,
+ daemon->lost_main_daemon = TRUE;
+ }
+
++/*
++ * Authentication observer signal handler that authorizes connections
++ * from the same uid as this process. This matches the behaviour of a
++ * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction
++ * has been set, but is not the default in GDBus.
++ */
++static gboolean
++authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++ G_GNUC_UNUSED GIOStream *stream,
++ GCredentials *credentials,
++ G_GNUC_UNUSED gpointer user_data)
++{
++ gboolean authorized = FALSE;
++
++ if (credentials != NULL)
++ {
++ GCredentials *own_credentials;
++
++ own_credentials = g_credentials_new ();
++
++ if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++ authorized = TRUE;
++
++ g_object_unref (own_credentials);
++ }
++
++ return authorized;
++}
++
+ static void
+ g_vfs_daemon_init (GVfsDaemon *daemon)
+ {
+@@ -265,6 +297,8 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+
+ daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+ g_assert (daemon->conn != NULL);
++ daemon->auth_observer = g_dbus_auth_observer_new ();
++ g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+
+ daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
+ g_signal_connect (daemon->daemon_skeleton, "handle-get-connection", G_CALLBACK (handle_get_connection), daemon);
+@@ -876,7 +910,7 @@ handle_get_connection (GVfsDBusDaemon *object,
+ server = g_dbus_server_new_sync (address1,
+ G_DBUS_SERVER_FLAGS_NONE,
+ guid,
+- NULL, /* GDBusAuthObserver */
++ daemon->auth_observer,
+ NULL, /* GCancellable */
+ &error);
+ g_free (guid);
+--
+2.21.0
+
+
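Review bot: authorize_authenticated_peer_cb rejects a peer without leaving any trace, and it passes NULL as the error argument of `g_credentials_is_same_user`. A connection attempt from another user and an internal comparison failure therefore look the same, and neither is logged. The deny-by-default result is right; add a log line on the reject path, e.g. `if (!authorized) g_warning ("Rejected D-Bus peer: missing credentials or different user");` before `return authorized;`. The header comment could also state that NULL credentials are refused.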
diff --git a/main/hostapd/APKBUILD b/main/hostapd/APKBUILD
index 1a510d26fb1..ac56f28c670 100644
--- a/main/hostapd/APKBUILD
+++ b/main/hostapd/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=hostapd
pkgver=2.6
-pkgrel=5
+pkgrel=6
pkgdesc="daemon for wireless software access points"
url="http://hostap.epitest.fi/hostapd/"
arch="all"
@@ -20,8 +20,9 @@ patches="CVE-2012-4445.patch
CVE-2019-9496.patch
0009-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
0010-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
+ CVE-2019-16275.patch
"
-source="http://hostap.epitest.fi/releases/$pkgname-$pkgver.tar.gz
+source="https://w1.fi/releases/$pkgname-$pkgver.tar.gz
$patches
$pkgname.initd
$pkgname.confd"
@@ -29,6 +30,8 @@ options="!check" #no testsuite
builddir="$srcdir"/$pkgname-$pkgver/hostapd
# secfixes:
+# 2.6-r6:
+# - CVE-2019-16275
# 2.6-r5:
# - CVE-2019-9496
# 2.6-r4:
@@ -115,5 +118,6 @@ fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed
90981a52d6cb2e91f67a9bc830d3db02da6fde4bea0cf512b22111da6c8ab151f5dd171a2f2e409d9ff75e388e72c2314dd023a98fdabf16248b11a950bde881 CVE-2019-9496.patch
7038044885871271ac724790663d5c0a428db83b41a691747be7a618ae893670a98f3ba52a297937249084296b0e9bcfd791edaa3928548efddb259e1a15f46c 0009-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
99c734fe395b4231aa6a097a08a00e5dab65ea9c37a7c83b1904a37c39307d9e7e95485734b0d483687126f4100c75f8a7b1420f0a2edcbfe07b454a14548822 0010-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
+63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch
b54b7c6aa17e5cb86a9b354a516eb2dbefb544df18471339c61d82776de447011a2ac290bea1e6c8beae4b6cebefafb8174683ea42fb773e9e8fe6c679f33ba3 hostapd.initd
0882263bbd7c0b05bf51f51d66e11a23a0b8ca7da2a3b8a30166d2c5f044c0c134e6bccb1d02c9e81819ca8fb0c0fb55c7121a08fe7233ccaa73ff8ab9a238fe hostapd.confd"
diff --git a/main/hostapd/CVE-2019-16275.patch b/main/hostapd/CVE-2019-16275.patch
new file mode 100644
index 00000000000..d764a9db016
--- /dev/null
+++ b/main/hostapd/CVE-2019-16275.patch
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+
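Review bot: The three-part source-address test (`is_multicast_ether_addr`, `is_zero_ether_addr`, comparison with `hapd->own_addr`) is written out twice, once in hostapd_notif_assoc and once in ieee802_11_mgmt, so a later tightening of the rule can easily reach only one of them. A shared predicate in a header both files already include would keep the two entry points in step; the name and placement below are only a suggestion. Both functions continue outside their hunks. hostapd_notif_assoc returns 0 on this path while its neighbouring no-address case returns -1, which deserves a word in the comment.

```c
/* Suggested helper; place it in a header that both drv_callbacks.c and ieee802_11.c include. */
static inline int hostapd_sa_is_invalid(const struct hostapd_data *hapd,
					const u8 *sa)
{
	return is_multicast_ether_addr(sa) || is_zero_ether_addr(sa) ||
		os_memcmp(sa, hapd->own_addr, ETH_ALEN) == 0;
}

/* in hostapd_notif_assoc(): */
	if (hostapd_sa_is_invalid(hapd, addr)) {
		/* … unchanged: comment, wpa_printf and return 0 … */

/* in ieee802_11_mgmt(): */
	if (hostapd_sa_is_invalid(hapd, mgmt->sa)) {
		/* … unchanged: comment, wpa_printf and return 0 … */
```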
diff --git a/main/lame/APKBUILD b/main/lame/APKBUILD
index 0e5638d788c..2bce7a5e74b 100644
--- a/main/lame/APKBUILD
+++ b/main/lame/APKBUILD
@@ -12,11 +12,6 @@ source="http://downloads.sourceforge.net/project/lame/lame/$pkgver/$pkgname-$pkg
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
-# 3.100-r0:
-# - CVE-2017-9410
-# - CVE-2017-9411
-# - CVE-2017-9412
-# - CVE-2015-9099
# 3.99.5-r6:
# - CVE-2015-9099
# - CVE-2015-9100
diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD
index a3ed3e8338f..cefa0105137 100644
--- a/main/libarchive/APKBUILD
+++ b/main/libarchive/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libarchive
-pkgver=3.3.2
-pkgrel=2
+pkgver=3.3.3
+pkgrel=1
pkgdesc="library that can create and read several streaming archive formats"
url="http://libarchive.org/"
arch="all"
@@ -10,10 +10,17 @@ license="BSD"
makedepends="zlib-dev bzip2-dev xz-dev lz4-dev acl-dev libressl-dev expat-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-tools"
source="http://www.libarchive.org/downloads/$pkgname-$pkgver.tar.gz
- CVE-2017-14166.patch"
+ CVE-2019-18408.patch::https://github.com/libarchive/libarchive/commit/b8592ecba2f9e451e1f5cb7ab6dcee8b8e7b3f60.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 3.3.3-r1:
+# - CVE-2019-18408
+# 3.3.3-r0:
+# - CVE-2017-14501
+# - CVE-2017-14502
+# - CVE-2017-14503
# 3.3.2-r1:
# - CVE-2017-14166
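Review bot: `CVE-2019-18408.patch` is fetched at build time from a GitHub `/commit/<sha>.patch` URL, and such generated patches are not guaranteed to stay byte-identical, so the pinned sha512 can start failing even though the upstream commit did not change. The other fixes visible in this commit ship their patches in the aport directory. Doing the same here, with `CVE-2019-18408.patch` as a plain `source` entry and the upstream commit id kept in a comment, keeps the reviewed bytes in the tree. The tarball on the line above is still fetched over `http://`, so its integrity rests entirely on `sha512sums`; `https://www.libarchive.org/downloads/$pkgname-$pkgver.tar.gz` would be preferable if the host serves it.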
@@ -39,5 +46,5 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="1e538cd7d492f54b11c16c56f12c1632ba14302a3737ec0db786272aec0c8020f1e27616a7654d57e26737e5ed9bfc9a62f1fdda61a95c39eb726aa7c2f673e4 libarchive-3.3.2.tar.gz
-7cc9dbafd970c07fb4421b7a72a075cc0a000db77df4432222539c58625c93c45f01a144838b551980bc0c6dc5b4c3ab852eb1433006c3174581ba0897010dbe CVE-2017-14166.patch"
+sha512sums="9d12b47d6976efa9f98e62c25d8b85fd745d4e9ca7b7e6d36bfe095dfe5c4db017d4e785d110f3758f5938dad6f1a1b009267fd7e82cb7212e93e1aea237bab7 libarchive-3.3.3.tar.gz
+4807e01dffb83ff4ef430c66339157e9f7a61db4fc5cec2812c3ee5ad130b4fc2d3c1cbeea87930c76cd8ec3e66272e20622a48edf0c66215b626c4e0db99cab CVE-2019-18408.patch"
diff --git a/main/libarchive/CVE-2017-14166.patch b/main/libarchive/CVE-2017-14166.patch
deleted file mode 100644
index b729ae41e0a..00000000000
--- a/main/libarchive/CVE-2017-14166.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001
-From: Joerg Sonnenberger <joerg@bec.de>
-Date: Tue, 5 Sep 2017 18:12:19 +0200
-Subject: [PATCH] Do something sensible for empty strings to make fuzzers
- happy.
-
----
- libarchive/archive_read_support_format_xar.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
-index 7a22beb9d..93eeacc5e 100644
---- a/libarchive/archive_read_support_format_xar.c
-+++ b/libarchive/archive_read_support_format_xar.c
-@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
- uint64_t l;
- int digit;
-
-+ if (char_cnt == 0)
-+ return (0);
-+
- l = 0;
- digit = *p - '0';
- while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
-@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
- {
- int64_t l;
- int digit;
--
-+
-+ if (char_cnt == 0)
-+ return (0);
-+
- l = 0;
- while (char_cnt-- > 0) {
- if (*p >= '0' && *p <= '7')
diff --git a/main/libcroco/APKBUILD b/main/libcroco/APKBUILD
index ef28628b1e4..fa44fa80660 100644
--- a/main/libcroco/APKBUILD
+++ b/main/libcroco/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libcroco
pkgver=0.6.12
-pkgrel=0
+pkgrel=1
pkgdesc="GNOME CSS2 parsing and manipulation toolkit"
url="http://www.gnome.org"
arch="all"
@@ -9,11 +9,20 @@ license="LGPL"
subpackages="$pkgname-dev"
depends=
makedepends="glib-dev libxml2-dev"
-source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz"
+source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz
+ CVE-2017-7960.patch
+ CVE-2017-7961.patch
+ CVE-2017-8871-and-CVE-2017-8834.patch
+ "
-depends_dev="glib-dev libxml2-dev pkgconfig"
+# secfixes:
+# 0.6.12-r1:
+# - CVE-2017-7960
+# - CVE-2017-7961
+# - CVE-2017-8871
+# - CVE-2017-8834
-builddir="$srcdir/$pkgname-$pkgver"
+depends_dev="glib-dev libxml2-dev pkgconfig"
build() {
cd "$builddir"
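Review bot: `builddir` is no longer set after this change, although build() and package() still start with `cd "$builddir"`; the removed assignment is replaced by the moved `depends_dev` line. Unless the abuild used for this branch supplies that default, `$builddir` is empty, so the three patches added to `source` may not be applied in the source tree and the build steps run from the wrong directory. Keep the line: `builddir="$srcdir/$pkgname-$pkgver"`.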
@@ -28,6 +37,9 @@ build() {
package() {
cd "$builddir"
- make DESTDIR="$pkgdir" install || return 1
+ make DESTDIR="$pkgdir" install
}
-sha512sums="af9a171d5ccded255b57f170576e67155f12fa0f61ab3e379e907975f77afc37e82e22772c6019b2897cffc15b2425faf3ccfda92b1a45b23eda2519debabeb6 libcroco-0.6.12.tar.xz"
+sha512sums="af9a171d5ccded255b57f170576e67155f12fa0f61ab3e379e907975f77afc37e82e22772c6019b2897cffc15b2425faf3ccfda92b1a45b23eda2519debabeb6 libcroco-0.6.12.tar.xz
+e6a799e5547c60a317602aa5b537b27ecbc47de84ceb9ef109586370406cd8151c7ab1e7c27f346becf3c10f0524bfc7ac98dcf3160089880c2ac189ee4e7176 CVE-2017-7960.patch
+a1820039d23793ac53ba3acb771f487fe7fed839b298734435e168fecb5cd8b2b20b2fd08b4f827d0ed7eb0b5e76c9290ba912533b95acbf1be7cda5fd604da6 CVE-2017-7961.patch
+568ad8205f5c2ab1eb949ef664671069fad5991e43992e35092738c1a741289303dba343c8002caec817d1c27fe5645dc2a861573fb4d91074aef59ff41f3d27 CVE-2017-8871-and-CVE-2017-8834.patch"
diff --git a/main/libcroco/CVE-2017-7960.patch b/main/libcroco/CVE-2017-7960.patch
new file mode 100644
index 00000000000..cd8dbaafa48
--- /dev/null
+++ b/main/libcroco/CVE-2017-7960.patch
@@ -0,0 +1,59 @@
+From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:13:43 +0200
+Subject: [PATCH] input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+---
+ src/cr-input.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1..3b63a88 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+ *we should free buf here because it's own by CRInput.
+ *(see the last parameter of cr_input_new_from_buf().
+ */
+- buf = NULL ;
++ buf = NULL;
+ }
+
+ cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++ gulong nb_bytes_left = 0;
++
+ g_return_val_if_fail (a_this && PRIVATE (a_this)
+ && a_byte, CR_BAD_PARAM_ERROR);
+
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ if (PRIVATE (a_this)->end_of_input == TRUE)
+ return CR_END_OF_INPUT_ERROR;
+
++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++ if (nb_bytes_left < 1) {
++ return CR_END_OF_INPUT_ERROR;
++ }
++
+ *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+
+ if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+ if (*a_char == '\n') {
+ PRIVATE (a_this)->end_of_line = TRUE;
+ }
+-
+ }
+
+ return status;
+--
+2.21.0
+
+
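Review bot: In cr_input_read_byte the result of `cr_input_get_nb_bytes_left` is stored in a `gulong`, so a negative failure value from that function would wrap to a large positive number and slip past the new `nb_bytes_left < 1` guard. Whether it can return a negative value is an assumption: its definition is outside the hunk and the hunk header shows no return type. Declaring the local as signed, `glong nb_bytes_left = 0;`, makes the check cover such an error return as well. The added braces around a single `return` also differ from the unbraced `if` directly above.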
diff --git a/main/libcroco/CVE-2017-7961.patch b/main/libcroco/CVE-2017-7961.patch
new file mode 100644
index 00000000000..bb0236e6a5a
--- /dev/null
+++ b/main/libcroco/CVE-2017-7961.patch
@@ -0,0 +1,43 @@
+From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:56:09 +0200
+Subject: [PATCH] tknzr: support only max long rgb values
+
+This fixes a possible out of bound when reading rgbs which
+are longer than the support MAXLONG
+---
+ src/cr-tknzr.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c
+index 1a7cfeb..1548c35 100644
+--- a/src/cr-tknzr.c
++++ b/src/cr-tknzr.c
+@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+ status = cr_tknzr_parse_num (a_this, &num);
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+
++ if (num->val > G_MAXLONG) {
++ status = CR_PARSING_ERROR;
++ goto error;
++ }
++
+ red = num->val;
+ cr_num_destroy (num);
+ num = NULL;
+@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+ status = cr_tknzr_parse_num (a_this, &num);
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+
++ if (num->val > G_MAXLONG) {
++ status = CR_PARSING_ERROR;
++ goto error;
++ }
++
+ PEEK_BYTE (a_this, 1, &next_bytes[0]);
+ if (next_bytes[0] == '%') {
+ SKIP_CHARS (a_this, 1);
+--
+2.21.0
+
+
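Review bot: The new range check in cr_tknzr_parse_rgb only rejects `num->val > G_MAXLONG`; a value below the representable minimum still reaches the assignment `red = num->val`. If `num->val` is a floating-point field (its declaration is outside the hunk), the guard should bound both sides, `if (num->val > G_MAXLONG || num->val < G_MINLONG)`, in both places where the patch adds it. The `error` label is outside the hunk, so whether `num` is freed on that path should be confirmed.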
diff --git a/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch
new file mode 100644
index 00000000000..f65c6a97481
--- /dev/null
+++ b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch
@@ -0,0 +1,29 @@
+From deda38539f5b25616aa294d8b19d33ebf8e175ff Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@alum.wpi.edu>
+Date: Thu, 2 May 2019 10:54:43 -0500
+Subject: [PATCH] cr_utils_read_char_from_utf8_buf: move past invalid UTF-8
+
+Otherwise, the offending character is never consumed, possibly leading
+to an infinite loop.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=782647
+---
+ src/cr-utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cr-utils.c b/src/cr-utils.c
+index 2420cec..6cf4849 100644
+--- a/src/cr-utils.c
++++ b/src/cr-utils.c
+@@ -505,6 +505,7 @@ cr_utils_read_char_from_utf8_buf (const guchar * a_in,
+
+ } else {
+ /*BAD ENCODING */
++ nb_bytes_2_decode = 1;
+ goto end;
+ }
+
+--
+2.20.1
+
+
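Review bot: The added `nb_bytes_2_decode = 1;` in the BAD ENCODING branch of cr_utils_read_char_from_utf8_buf has no comment, and without the commit message it reads like a stray assignment. A short why-comment would protect it from being removed later: `/* report one byte consumed so the caller advances past the invalid byte instead of looping */`. How `nb_bytes_2_decode` is handed back to the caller is outside the hunk.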
diff --git a/main/libebml/APKBUILD b/main/libebml/APKBUILD
index 686fdb0aa06..d5f64bc41f5 100644
--- a/main/libebml/APKBUILD
+++ b/main/libebml/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=libebml
pkgver=1.3.5
-pkgrel=0
+pkgrel=1
pkgdesc="a C++ library to parse Extensible Binary Meta-Language files"
url="https://www.matroska.org/"
arch="all"
@@ -12,9 +12,15 @@ depends_dev=""
makedepends="$depends_dev"
install=""
subpackages="$pkgname-dev"
-source="http://dl.matroska.org/downloads/$pkgname/$pkgname-$pkgver.tar.xz"
+source="http://dl.matroska.org/downloads/$pkgname/$pkgname-$pkgver.tar.xz
+ CVE-2019-13615.patch
+ "
options="!check"
+# secfixes:
+# 1.3.5-r1:
+# - CVE-2019-13615
+
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
local i
@@ -42,4 +48,5 @@ package() {
make install DESTDIR="$pkgdir"
}
-sha512sums="cdf05015724919b19281bf99c562bb7e0bdf16990da274010f664ff316b6ce95ecbeaa1e479f03505281a7f45d5796aee6e7750a9e1c0596b630911d220dca24 libebml-1.3.5.tar.xz"
+sha512sums="cdf05015724919b19281bf99c562bb7e0bdf16990da274010f664ff316b6ce95ecbeaa1e479f03505281a7f45d5796aee6e7750a9e1c0596b630911d220dca24 libebml-1.3.5.tar.xz
+9cdda162a58c77541065121edafe09643f6c37ffb7b94851903f80a2fb5bf2e4729c6d97b5a23d05257b65abada0f5bf10d9d245cc3b4fd07653bb5ad3c29f0a CVE-2019-13615.patch"
diff --git a/main/libebml/CVE-2019-13615.patch b/main/libebml/CVE-2019-13615.patch
new file mode 100644
index 00000000000..0c8e24c820d
--- /dev/null
+++ b/main/libebml/CVE-2019-13615.patch
@@ -0,0 +1,85 @@
+diff --git a/src/EbmlElement.cpp b/src/EbmlElement.cpp
+index 143f439..871247c 100644
+--- a/src/EbmlElement.cpp
++++ b/src/EbmlElement.cpp
+@@ -372,11 +372,12 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ int PossibleSizeLength;
+ uint64 SizeUnknown;
+ int ReadIndex = 0; // trick for the algo, start index at 0
+- uint32 ReadSize = 0;
++ uint32 ReadSize = 0, IdStart = 0;
+ uint64 SizeFound;
+ int SizeIdx;
+ bool bFound;
+ int UpperLevel_original = UpperLevel;
++ uint64 ParseStart = DataStream.getFilePointer();
+
+ do {
+ // read a potential ID
+@@ -402,14 +403,17 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // ID not found
+ // shift left the read octets
+ memmove(&PossibleIdNSize[0],&PossibleIdNSize[1], --ReadIndex);
++ IdStart++;
+ }
+
++ if (MaxDataSize <= ReadSize)
++ break;
+ if (DataStream.read(&PossibleIdNSize[ReadIndex++], 1) == 0) {
+ return NULL; // no more data ?
+ }
+ ReadSize++;
+
+- } while (!bFound && MaxDataSize > ReadSize);
++ } while (!bFound);
+
+ if (!bFound)
+ // we reached the maximum we could read without a proper ID
+@@ -432,6 +436,10 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ bFound = false;
+ break;
+ }
++ if (MaxDataSize <= ReadSize) {
++ bFound = false;
++ break;
++ }
+ if( DataStream.read( &PossibleIdNSize[SizeIdx++], 1 ) == 0 ) {
+ return NULL; // no more data ?
+ }
+@@ -454,16 +462,15 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // 0 : child
+ // 1 : same level
+ // + : further parent
+- if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 || MaxDataSize >= (PossibleID_Length + PossibleSizeLength + SizeFound))) {
+- if (SizeFound == SizeUnknown) {
+- Result->SetSizeInfinite();
++ if (Result->ValidateSize() && (SizeFound == SizeUnknown || UpperLevel > 0 || MaxDataSize == 0 ||
++ MaxDataSize >= (IdStart + PossibleID_Length + _SizeLength + SizeFound))) {
++ if (SizeFound != SizeUnknown || Result->SetSizeInfinite()) {
++ Result->ElementPosition = ParseStart + IdStart;
++ Result->SizePosition = Result->ElementPosition + PossibleID_Length;
++ // place the file at the beggining of the data
++ DataStream.setFilePointer(Result->SizePosition + _SizeLength);
++ return Result;
+ }
+-
+- Result->SizePosition = DataStream.getFilePointer() - SizeIdx + EBML_ID_LENGTH(PossibleID);
+- Result->ElementPosition = Result->SizePosition - EBML_ID_LENGTH(PossibleID);
+- // place the file at the beggining of the data
+- DataStream.setFilePointer(Result->SizePosition + _SizeLength);
+- return Result;
+ }
+ }
+ delete Result;
+@@ -473,8 +480,9 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & DataStream, const EbmlSe
+ // recover all the data in the buffer minus one byte
+ ReadIndex = SizeIdx - 1;
+ memmove(&PossibleIdNSize[0], &PossibleIdNSize[1], ReadIndex);
++ IdStart++;
+ UpperLevel = UpperLevel_original;
+- } while ( MaxDataSize > DataStream.getFilePointer() - SizeIdx + PossibleID_Length );
++ } while ( MaxDataSize >= ReadSize );
+
+ return NULL;
+ }
+
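Review bot: No origin header precedes the `diff --git` line of CVE-2019-13615.patch, so the backport cannot be compared with the upstream fix from the package tree alone. main/libgcrypt/CVE-2019-13627.patch and main/libjpeg-turbo/CVE-2018-14498.patch in this commit begin the same way, whereas CVE-2019-12904.patch lists its upstream commits. I would add the same kind of preamble to each, e.g. `Upstream commit: <upstream-commit-URL>` plus a line saying whether the diff was adapted for the packaged version. The inner hunks all cut through `EbmlElement::FindNextElement`, so the loop-bound changes cannot be checked in full from here.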
diff --git a/main/libgcrypt/APKBUILD b/main/libgcrypt/APKBUILD
index 9cc6bc1115f..1cac74a1f2e 100644
--- a/main/libgcrypt/APKBUILD
+++ b/main/libgcrypt/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libgcrypt
pkgver=1.8.3
-pkgrel=0
+pkgrel=2
pkgdesc="general purpose crypto library based on the code used in GnuPG"
url="http://www.gnupg.org"
arch="all"
@@ -11,15 +11,22 @@ depends_dev="libgpg-error-dev"
makedepends="$depends_dev texinfo"
subpackages="$pkgname-dev $pkgname-doc"
source="https://www.gnupg.org/ftp/gcrypt/libgcrypt/$pkgname-$pkgver.tar.bz2
- random-Fix-hang-of-_gcry_rndjent_get_version.patch"
+ random-Fix-hang-of-_gcry_rndjent_get_version.patch
+ CVE-2019-12904.patch
+ CVE-2019-13627.patch
+ "
builddir="$srcdir"/$pkgname-$pkgver
options="!checkroot"
# secfixes:
+# 1.8.3-r1:
+# - CVE-2019-13527
+# 1.8.3-r1:
+# - CVE-2019-12904
# 1.8.3-r0:
-# - CVE-2018-0495
+# - CVE-2018-0495
-build () {
+build() {
cd "$builddir"
local _arch_configure=
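Review bot: The new secfixes entry `# - CVE-2019-13527` does not match the patch this commit adds, which is `CVE-2019-13627.patch`, so the ID looks like a typo. Both new entries are also keyed `# 1.8.3-r1:` although the first hunk sets `pkgrel=2`, which leaves two identical keys and no entry for the release being built. Since the secfixes block is what downstream vulnerability tooling reads, CVE-2019-13627 would stay reported as unfixed in this package. Assuming the 13627 fix is the one landing in r2, the first pair should read `# 1.8.3-r2:` / `#   - CVE-2019-13627`.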
@@ -60,4 +67,6 @@ package() {
}
sha512sums="8c873204303f173dd3f49817a81035c1d504b2fc885965c9bc074a6e3fb108ceb6dca366d85e840a40712a6890fc325018ea9b8c1b7b8804c51c44b296cb96a0 libgcrypt-1.8.3.tar.bz2
-a717d40702c8ffdd40a7bffc563bf7aecf01640514a2d07c7eb5e40d742473ba297779fc0fea64576b254214011711a010de0cf306f88c5617fd06214a9fd30e random-Fix-hang-of-_gcry_rndjent_get_version.patch"
+a717d40702c8ffdd40a7bffc563bf7aecf01640514a2d07c7eb5e40d742473ba297779fc0fea64576b254214011711a010de0cf306f88c5617fd06214a9fd30e random-Fix-hang-of-_gcry_rndjent_get_version.patch
+36f5f7f99e2c4f28207f91a7a500c3bca81044027b6d37ed0399e395a36638b37c0dff3145854a6caa2e9383722862b37a82bde1af520f06a9f4b327df1ec0af CVE-2019-12904.patch
+3368e1b09d527f225dc800c26cda5448d592665baa726147784f7648ec0a9cd96309042988c7155b65ac2ddb7af4e5cb635eef561a95723b8f81c672bf773764 CVE-2019-13627.patch"
diff --git a/main/libgcrypt/CVE-2019-12904.patch b/main/libgcrypt/CVE-2019-12904.patch
new file mode 100644
index 00000000000..b596a665704
--- /dev/null
+++ b/main/libgcrypt/CVE-2019-12904.patch
@@ -0,0 +1,475 @@
+Adapted from OpenSUSE patches which are adapted from upstream for 1.8.4 and previous versions.
+
+Upstream commits:
+
+https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020
+https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762
+
+diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c
+index 6169d14..4be77d2 100644
+--- a/cipher/cipher-gcm.c
++++ b/cipher/cipher-gcm.c
+@@ -30,6 +30,14 @@
+ #include "./cipher-internal.h"
+
+
++/* Helper macro to force alignment to 16 or 64 bytes. */
++#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64)))
++#else
++# define ATTR_ALIGNED_64
++#endif
++
++
+ #ifdef GCM_USE_INTEL_PCLMUL
+ extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c);
+
+@@ -63,40 +71,94 @@ ghash_armv8_ce_pmull (gcry_cipher_hd_t c, byte *result, const byte *buf,
+
+
+ #ifdef GCM_USE_TABLES
+-static const u16 gcmR[256] = {
+- 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e,
+- 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e,
+- 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e,
+- 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e,
+- 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e,
+- 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e,
+- 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e,
+- 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e,
+- 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce,
+- 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde,
+- 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee,
+- 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe,
+- 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e,
+- 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e,
+- 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae,
+- 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe,
+- 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e,
+- 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e,
+- 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e,
+- 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e,
+- 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e,
+- 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e,
+- 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e,
+- 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e,
+- 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce,
+- 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade,
+- 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee,
+- 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe,
+- 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e,
+- 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e,
+- 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae,
+- 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
+-};
++static struct
++{
++ volatile u32 counter_head;
++ u32 cacheline_align[64 / 4 - 1];
++ u16 R[256];
++ volatile u32 counter_tail;
++} gcm_table ATTR_ALIGNED_64 =
++ {
++ 0,
++ { 0, },
++ {
++ 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e,
++ 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e,
++ 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e,
++ 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e,
++ 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e,
++ 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e,
++ 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e,
++ 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e,
++ 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce,
++ 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde,
++ 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee,
++ 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe,
++ 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e,
++ 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e,
++ 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae,
++ 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe,
++ 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e,
++ 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e,
++ 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e,
++ 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e,
++ 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e,
++ 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e,
++ 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e,
++ 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e,
++ 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce,
++ 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade,
++ 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee,
++ 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe,
++ 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e,
++ 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e,
++ 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae,
++ 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
++ },
++ 0
++ };
++
++#define gcmR gcm_table.R
++
++static inline
++void prefetch_table(const void *tab, size_t len)
++{
++ const volatile byte *vtab = tab;
++ size_t i;
++
++ for (i = 0; len - i >= 8 * 32; i += 8 * 32)
++ {
++ (void)vtab[i + 0 * 32];
++ (void)vtab[i + 1 * 32];
++ (void)vtab[i + 2 * 32];
++ (void)vtab[i + 3 * 32];
++ (void)vtab[i + 4 * 32];
++ (void)vtab[i + 5 * 32];
++ (void)vtab[i + 6 * 32];
++ (void)vtab[i + 7 * 32];
++ }
++ for (; i < len; i += 32)
++ {
++ (void)vtab[i];
++ }
++
++ (void)vtab[len - 1];
++}
++
++static inline void
++do_prefetch_tables (const void *gcmM, size_t gcmM_size)
++{
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ gcm_table.counter_head++;
++ gcm_table.counter_tail++;
++
++ /* Prefetch look-up tables to cache. */
++ prefetch_table(gcmM, gcmM_size);
++ prefetch_table(&gcm_table, sizeof(gcm_table));
++}
+
+ #ifdef GCM_TABLES_USE_U64
+ static void
+@@ -313,6 +375,8 @@ do_ghash (unsigned char *result, const unsigned char *buf, const u32 *gcmM)
+ #define fillM(c) \
+ do_fillM (c->u_mode.gcm.u_ghash_key.key, c->u_mode.gcm.gcm_table)
+ #define GHASH(c, result, buf) do_ghash (result, buf, c->u_mode.gcm.gcm_table)
++#define prefetch_tables(c) \
++ do_prefetch_tables(c->u_mode.gcm.gcm_table, sizeof(c->u_mode.gcm.gcm_table))
+
+ #else
+
+@@ -378,6 +442,7 @@ do_ghash (unsigned char *hsub, unsigned char *result, const unsigned char *buf)
+
+ #define fillM(c) do { } while (0)
+ #define GHASH(c, result, buf) do_ghash (c->u_mode.gcm.u_ghash_key.key, result, buf)
++#define prefetch_tables(c) do {} while (0)
+
+ #endif /* !GCM_USE_TABLES */
+
+@@ -389,6 +454,8 @@ ghash_internal (gcry_cipher_hd_t c, byte *result, const byte *buf,
+ const unsigned int blocksize = GCRY_GCM_BLOCK_LEN;
+ unsigned int burn = 0;
+
++ prefetch_tables (c);
++
+ while (nblocks)
+ {
+ burn = GHASH (c, result, buf);
+diff --git a/cipher/rijndael-internal.h b/cipher/rijndael-internal.h
+index 160fb8c..a62d4b7 100644
+--- a/cipher/rijndael-internal.h
++++ b/cipher/rijndael-internal.h
+@@ -29,11 +29,13 @@
+ #define BLOCKSIZE (128/8)
+
+
+-/* Helper macro to force alignment to 16 bytes. */
++/* Helper macro to force alignment to 16 or 64 bytes. */
+ #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
+ # define ATTR_ALIGNED_16 __attribute__ ((aligned (16)))
++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64)))
+ #else
+ # define ATTR_ALIGNED_16
++# define ATTR_ALIGNED_64
+ #endif
+
+
+diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h
+index 8359470..b54d959 100644
+--- a/cipher/rijndael-tables.h
++++ b/cipher/rijndael-tables.h
+@@ -21,80 +21,98 @@
+ /* To keep the actual implementation at a readable size we use this
+ include file to define the tables. */
+
+-static const u32 encT[256] =
++static struct
++{
++ volatile u32 counter_head;
++ u32 cacheline_align[64 / 4 - 1];
++ u32 T[256];
++ volatile u32 counter_tail;
++} enc_tables ATTR_ALIGNED_64 =
+ {
+- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
+- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
+- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
+- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
+- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
+- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
+- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
+- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
+- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
+- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
+- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
+- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
+- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
+- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
+- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
+- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
+- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
+- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
+- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
+- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
+- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
+- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
+- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
+- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
+- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
+- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
+- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
+- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
+- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
+- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
+- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
+- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
+- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
+- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
+- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
+- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
+- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
+- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
+- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
+- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
+- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
+- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
+- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
+- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
+- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
+- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
+- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
+- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
+- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
+- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
+- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
+- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
+- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
+- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
+- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
+- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
+- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
+- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
+- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
+- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
+- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
+- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
+- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
+- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c
++ 0,
++ { 0, },
++ {
++ 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
++ 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
++ 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
++ 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
++ 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
++ 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
++ 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
++ 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
++ 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
++ 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
++ 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
++ 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
++ 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
++ 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
++ 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
++ 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
++ 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
++ 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
++ 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
++ 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
++ 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
++ 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
++ 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
++ 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
++ 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
++ 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
++ 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
++ 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
++ 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
++ 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
++ 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
++ 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
++ 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
++ 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
++ 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
++ 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
++ 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
++ 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
++ 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
++ 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
++ 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
++ 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
++ 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
++ 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
++ 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
++ 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
++ 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
++ 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
++ 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
++ 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
++ 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
++ 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
++ 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
++ 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
++ 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
++ 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
++ 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
++ 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
++ 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
++ 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
++ 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
++ 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
++ 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
++ 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c
++ },
++ 0
+ };
+
+-static const struct
++#define encT enc_tables.T
++
++static struct
+ {
++ volatile u32 counter_head;
++ u32 cacheline_align[64 / 4 - 1];
+ u32 T[256];
+ byte inv_sbox[256];
+-} dec_tables =
++ volatile u32 counter_tail;
++} dec_tables ATTR_ALIGNED_64 =
+ {
++ 0,
++ { 0, },
+ {
+ 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a,
+ 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b,
+@@ -194,7 +212,8 @@ static const struct
+ 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61,
+ 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26,
+ 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d
+- }
++ },
++ 0
+ };
+
+ #define decT dec_tables.T
+diff --git a/cipher/rijndael.c b/cipher/rijndael.c
+index 8637195..d0edab2 100644
+--- a/cipher/rijndael.c
++++ b/cipher/rijndael.c
+@@ -227,11 +227,11 @@ static const char *selftest(void);
+
+
+ /* Prefetching for encryption/decryption tables. */
+-static void prefetch_table(const volatile byte *tab, size_t len)
++static inline void prefetch_table(const volatile byte *tab, size_t len)
+ {
+ size_t i;
+
+- for (i = 0; i < len; i += 8 * 32)
++ for (i = 0; len - i >= 8 * 32; i += 8 * 32)
+ {
+ (void)tab[i + 0 * 32];
+ (void)tab[i + 1 * 32];
+@@ -242,17 +242,37 @@ static void prefetch_table(const volatile byte *tab, size_t len)
+ (void)tab[i + 6 * 32];
+ (void)tab[i + 7 * 32];
+ }
++ for (; i < len; i += 32)
++ {
++ (void)tab[i];
++ }
+
+ (void)tab[len - 1];
+ }
+
+ static void prefetch_enc(void)
+ {
+- prefetch_table((const void *)encT, sizeof(encT));
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ enc_tables.counter_head++;
++ enc_tables.counter_tail++;
++
++ /* Prefetch look-up tables to cache. */
++ prefetch_table((const void *)&enc_tables, sizeof(enc_tables));
+ }
+
+ static void prefetch_dec(void)
+ {
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ dec_tables.counter_head++;
++ dec_tables.counter_tail++;
++
++ /* Prefetch look-up tables to cache. */
+ prefetch_table((const void *)&dec_tables, sizeof(dec_tables));
+ }
+
+@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx,
+ #ifdef USE_AMD64_ASM
+ # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
+ return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
+- encT);
++ enc_tables.T);
+ # else
+ /* Call SystemV ABI function without storing non-volatile XMM registers,
+ * as target function does not use vector instruction sets. */
+@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx,
+ return ret;
+ # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
+ #elif defined(USE_ARM_ASM)
+- return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT);
++ return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
++ enc_tables.T);
+ #else
+ return do_encrypt_fn (ctx, bx, ax);
+ #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/
+@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
+ #ifdef USE_AMD64_ASM
+ # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
+ return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
+- &dec_tables);
++ dec_tables.T);
+ # else
+ /* Call SystemV ABI function without storing non-volatile XMM registers,
+ * as target function does not use vector instruction sets. */
+@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
+ # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
+ #elif defined(USE_ARM_ASM)
+ return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
+- &dec_tables);
++ dec_tables.T);
+ #else
+ return do_decrypt_fn (ctx, bx, ax);
+ #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/
+
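Review bot: `prefetch_tables (c);` in `ghash_internal` runs once, ahead of the `while (nblocks)` loop, so on a long input the lines it warmed can be evicted again while GHASH is still doing key-dependent table lookups. The change narrows the cache-timing channel rather than closing it, and the code should say so at the call, e.g. `/* Prefetch once per call: reduces, does not remove, table-lookup timing leakage. */`. The look-up tables also lose `const` to make room for the counters, so they now sit in writable data; a short comment on `gcm_table`, `enc_tables` and `dec_tables` noting that only the counters are ever written would help. `ghash_internal` continues outside the inner hunk.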
diff --git a/main/libgcrypt/CVE-2019-13627.patch b/main/libgcrypt/CVE-2019-13627.patch
new file mode 100644
index 00000000000..4399507340b
--- /dev/null
+++ b/main/libgcrypt/CVE-2019-13627.patch
@@ -0,0 +1,103 @@
+diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c
+index 6f2c2f9..647639c 100644
+--- a/cipher/dsa-common.c
++++ b/cipher/dsa-common.c
+@@ -29,6 +29,30 @@
+ #include "pubkey-internal.h"
+
+
++/*
++ * Modify K, so that computation time difference can be small,
++ * by making K large enough.
++ *
++ * Originally, (EC)DSA computation requires k where 0 < k < q. Here,
++ * we add q (the order), to keep k in a range: q < k < 2*q (or,
++ * addming more q, to keep k in a range: 2*q < k < 3*q), so that
++ * timing difference of the EC multiply (or exponentiation) operation
++ * can be small. The result of (EC)DSA computation is same.
++ */
++void
++_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits)
++{
++ gcry_mpi_t k1 = mpi_new (qbits+2);
++
++ mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB);
++ k->nlimbs = k->alloced;
++ mpi_add (k, k, q);
++ mpi_add (k1, k, q);
++ mpi_set_cond (k, k1, !mpi_test_bit (k, qbits));
++
++ mpi_free (k1);
++}
++
+ /*
+ * Generate a random secret exponent K less than Q.
+ * Note that ECDSA uses this code also to generate D.
+diff --git a/cipher/dsa.c b/cipher/dsa.c
+index 22d8d78..24a5352 100644
+--- a/cipher/dsa.c
++++ b/cipher/dsa.c
+@@ -635,6 +635,8 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey,
+ k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM);
+ }
+
++ _gcry_dsa_modify_k (k, skey->q, qbits);
++
+ /* r = (a^k mod p) mod q */
+ mpi_powm( r, skey->g, k, skey->p );
+ mpi_fdiv_r( r, r, skey->q );
+diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
+index 140e8c0..97966c3 100644
+--- a/cipher/ecc-ecdsa.c
++++ b/cipher/ecc-ecdsa.c
+@@ -114,6 +114,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+ else
+ k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
+
++ _gcry_dsa_modify_k (k, skey->E.n, qbits);
++
+ _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
+ if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
+ {
+diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c
+index a34fa08..0362a6c 100644
+--- a/cipher/ecc-gost.c
++++ b/cipher/ecc-gost.c
+@@ -94,6 +94,8 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, ECC_secret_key *skey,
+ mpi_free (k);
+ k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
+
++ _gcry_dsa_modify_k (k, skey->E.n, qbits);
++
+ _gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
+ if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
+ {
+diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h
+index b8167c7..d31e26f 100644
+--- a/cipher/pubkey-internal.h
++++ b/cipher/pubkey-internal.h
+@@ -84,6 +84,7 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t encoded,
+
+
+ /*-- dsa-common.c --*/
++void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits);
+ gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level);
+ gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k,
+ gcry_mpi_t dsa_q, gcry_mpi_t dsa_x,
+diff --git a/mpi/ec.c b/mpi/ec.c
+index 89077cd..adb0260 100644
+--- a/mpi/ec.c
++++ b/mpi/ec.c
+@@ -1309,7 +1309,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
+ unsigned int nbits;
+ int j;
+
+- nbits = mpi_get_nbits (scalar);
++ if (mpi_cmp (scalar, ctx->p) >= 0)
++ nbits = mpi_get_nbits (scalar);
++ else
++ nbits = mpi_get_nbits (ctx->p);
++
+ if (ctx->model == MPI_EC_WEIERSTRASS)
+ {
+ mpi_set_ui (result->x, 1);
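Review bot: In `_gcry_dsa_modify_k` the line `k->nlimbs = k->alloced;` sets the MPI's limb count by hand and nothing explains why. It appears to rely on `mpi_resize` having zero-filled the added limbs so that the two additions run over a fixed width. A comment such as `/* use the full zero-padded width so mpi_add does not depend on k's length */` would record that. The header comment should also state the precondition the code assumes but does not check, 0 < k < q with qbits the bit length of q, and "addming" there should read "adding".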
diff --git a/main/libjpeg-turbo/APKBUILD b/main/libjpeg-turbo/APKBUILD
index e12587d21b7..2efe02530a4 100644
--- a/main/libjpeg-turbo/APKBUILD
+++ b/main/libjpeg-turbo/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libjpeg-turbo
pkgver=1.5.3
-pkgrel=2
+pkgrel=3
pkgdesc="accelerated baseline JPEG compression and decompression library"
url="http://libjpeg-turbo.virtualgl.org/"
arch="all"
@@ -15,9 +15,12 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-utils"
source="https://downloads.sourceforge.net/libjpeg-turbo/libjpeg-turbo-$pkgver.tar.gz
0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
CVE-2018-11813.patch
+ CVE-2018-14498.patch
"
# secfixes:
+# 1.5.3-r3:
+# - CVE-2018-14498
# 1.5.3-r2:
# - CVE-2018-11813
# 1.5.3-r1:
@@ -66,4 +69,5 @@ dev() {
sha512sums="b611b1cc3d1ddedddad871854b42449d053a5f910ed1bdfa45c98e0270f4ecc110fde3a10111d2b876d847a826fa634f09c0bb8c357056c9c3a91c9065eb5202 libjpeg-turbo-1.5.3.tar.gz
d6465d96427289d90c342e94316018565eb1711ea0028121ea0a962900b7c7599a7457e42201bcfd288da30019ae3b841ce319cfbe02705d49749d660ef04b74 0001-tjLoadImage-Fix-FPE-triggered-by-malformed-BMP.patch
-d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch"
+d32234df784ebe1cad6af114f74d14995637e494a502c171e154e1abc5aa335930d3a256fda234a85842d5c1658d2fac6474e0bc959fdf04413f69a35e3bf39a CVE-2018-11813.patch
+315aba552a2d66cdc8d83c5602a7e47c995f6709509afd07daf3ffacaf650404dc9f7a4beeb1373cabb5afc915a3d4c704b71dfdfcad3bc25ae5361ed16980d5 CVE-2018-14498.patch"
diff --git a/main/libjpeg-turbo/CVE-2018-14498.patch b/main/libjpeg-turbo/CVE-2018-14498.patch
new file mode 100644
index 00000000000..edf9365448f
--- /dev/null
+++ b/main/libjpeg-turbo/CVE-2018-14498.patch
@@ -0,0 +1,110 @@
+diff --git a/cderror.h b/cderror.h
+index 63de498..92dd2ed 100644
+--- a/cderror.h
++++ b/cderror.h
+@@ -49,6 +49,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale or RGB")
+ JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")
+ JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")
+ JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")
++JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file")
+ JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")
+ JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")
+ JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")
+@@ -77,6 +78,7 @@ JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB")
+ JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file")
+ JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file")
+ JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file")
++JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file")
+ JMESSAGE(JTRC_PGM, "%ux%u PGM image")
+ JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image")
+ JMESSAGE(JTRC_PPM, "%ux%u PPM image")
+diff --git a/rdbmp.c b/rdbmp.c
+index eaa7086..01fa2bc 100644
+--- a/rdbmp.c
++++ b/rdbmp.c
+@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct {
+ JDIMENSION row_width; /* Physical width of scanlines in file */
+
+ int bits_per_pixel; /* remembers 8- or 24-bit format */
++ int cmap_length; /* colormap length */
+ } bmp_source_struct;
+
+
+@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ {
+ bmp_source_ptr source = (bmp_source_ptr) sinfo;
+ register JSAMPARRAY colormap = source->colormap;
++ int cmaplen = source->cmap_length;
+ JSAMPARRAY image_ptr;
+ register int t;
+ register JSAMPROW inptr, outptr;
+@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ outptr = source->pub.buffer[0];
+ for (col = cinfo->image_width; col > 0; col--) {
+ t = GETJSAMPLE(*inptr++);
++ if (t >= cmaplen)
++ ERREXIT(cinfo, JERR_BMP_OUTOFRANGE);
+ *outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */
+ *outptr++ = colormap[1][t];
+ *outptr++ = colormap[2][t];
+@@ -401,6 +405,7 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ source->colormap = (*cinfo->mem->alloc_sarray)
+ ((j_common_ptr) cinfo, JPOOL_IMAGE,
+ (JDIMENSION) biClrUsed, (JDIMENSION) 3);
++ source->cmap_length = (int)biClrUsed;
+ /* and read it from the file */
+ read_colormap(source, (int) biClrUsed, mapentrysize);
+ /* account for size of colormap */
+diff --git a/rdppm.c b/rdppm.c
+index 33ff749..c0c0962 100644
+--- a/rdppm.c
++++ b/rdppm.c
+@@ -69,7 +69,7 @@ typedef struct {
+ JSAMPROW pixrow; /* compressor input buffer */
+ size_t buffer_width; /* width of I/O buffer */
+ JSAMPLE *rescale; /* => maxval-remapping array, or NULL */
+- int maxval;
++ unsigned int maxval;
+ } ppm_source_struct;
+
+ typedef ppm_source_struct *ppm_source_ptr;
+@@ -119,7 +119,7 @@ read_pbm_integer (j_compress_ptr cinfo, FILE *infile, unsigned int maxval)
+ }
+
+ if (val > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+
+ return val;
+ }
+@@ -255,7 +255,7 @@ get_word_gray_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ }
+ return 1;
+@@ -282,17 +282,17 @@ get_word_rgb_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ temp = UCH(*bufferptr++) << 8;
+ temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+- ERREXIT(cinfo, JERR_PPM_TOOLARGE);
++ ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);
+ *ptr++ = rescale[temp];
+ }
+ return 1;
+
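Review bot: The added patch file starts straight at `diff --git a/cderror.h` and carries no header naming where the fix came from, so a later reviewer cannot check this backport against its upstream change. A short preamble above the first `diff --git` line, for example `Upstream: <upstream commit URL>` and `Fixes: CVE-2018-14498`, would make that comparison possible; the libmad patches added in this same commit already carry From/Date/Subject lines. In the rdbmp.c part, `cmap_length` is assigned only beside the colormap allocation in start_input_bmp, and the embedded hunks do not show how the struct is initialised, so it is worth confirming that get_8bit_row can never run with the field unset.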
diff --git a/main/libmad/APKBUILD b/main/libmad/APKBUILD
index d542c5bc33c..08f0cb76630 100644
--- a/main/libmad/APKBUILD
+++ b/main/libmad/APKBUILD
@@ -2,21 +2,28 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libmad
pkgver=0.15.1b
-pkgrel=7
+pkgrel=8
pkgdesc="A high-quality MPEG audio decoder"
url="http://www.underbit.com/products/mad/"
arch="all"
-license="GPL"
+license="GPL-2.0-or-later"
subpackages="$pkgname-dev"
-depends=
makedepends="autoconf automake libtool"
source="http://downloads.sourceforge.net/sourceforge/mad/$pkgname-$pkgver.tar.gz
libmad-0.15.1b-cflags-O2.patch
libmad-0.15.1b-cflags.patch
automake.patch
+ length-check.patch
+ md_size.patch
mad.pc
"
+# secfixes:
+# 0.15.1b-r8:
+# - CVE-2017-8372
+# - CVE-2017-8373
+# - CVE-2017-8374
+
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
cd "$_builddir"
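Review bot: The new `# secfixes:` block lists CVE-2017-8372, CVE-2017-8373 and CVE-2017-8374, but the two added sources are named `length-check.patch` and `md_size.patch`, so nothing in the APKBUILD says which patch addresses which CVE. A comment beside the source entries would help anyone auditing the package or dropping a patch on a later upgrade, e.g. `# length-check.patch: <CVE ids fixed>` and `# md_size.patch: <CVE ids fixed>`. The mapping cannot be read off this page, so the ids have to be filled in by the author.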
@@ -51,4 +58,6 @@ sha512sums="2cad30347fb310dc605c46bacd9da117f447a5cabedd8fefdb24ab5de641429e5ec5
13a8bac30cea4861f903b4abc8673f9a35b6253aae6a02915f99b67e5e8c56460fc1fb059a0aa52143b665f888928baba098daf0ed022420e46317be4dbc6161 libmad-0.15.1b-cflags-O2.patch
01dc8421dba2b652aa8ca6d1f1a5c310645465b18190ebfdeaae516de881869957e8e7c0c373d0d09623da33719d01e028f2f6164790b54c43a71271f5b4dbba libmad-0.15.1b-cflags.patch
e73ec5ae3b14e8d45579b52bcc561a309b85e1e51d946e061e2f0a9252f515e48e2d818e8bdce1adf5a9801ec314be8c911914d0bb12f9113a7afc54cf385250 automake.patch
+dd412962246d4c9db8c07dbafcaba2f64fdc0c94cf6bcc3f4f0f88a92800f40e550cc56dc8a2324c0123d9c70a89055dc50cd714206d7886e2f6877d4cc26600 length-check.patch
+511fc4496044bc676e1957c5085aded89e33248c5ee4c965c76c609904086911dcc912a943be98244b2d7e5f140f432584722cc3b53fdb27265328322a727427 md_size.patch
ec0b14bd0c6236a216107b507b92c06e295352f1657ba5e45f37fff220a73e1454b262ac36fc715d698c4ffd210d348fca71cf0198e2c49d16fe0ec5ea839f08 mad.pc"
diff --git a/main/libmad/length-check.patch b/main/libmad/length-check.patch
new file mode 100644
index 00000000000..80e48469e65
--- /dev/null
+++ b/main/libmad/length-check.patch
@@ -0,0 +1,817 @@
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 28 Jan 2018 19:26:36 +0100
+Subject: Check the size before reading with mad_bit_read
+
+There are various cases where it attemps to read past the end of the buffer
+using mad_bit_read(). Most functions didn't even know the size of the buffer
+they were reading from.
+
+Index: libmad-0.15.1b/bit.c
+===================================================================
+--- libmad-0.15.1b.orig/bit.c
++++ libmad-0.15.1b/bit.c
+@@ -138,6 +138,9 @@ unsigned long mad_bit_read(struct mad_bi
+ {
+ register unsigned long value;
+
++ if (len == 0)
++ return 0;
++
+ if (bitptr->left == CHAR_BIT)
+ bitptr->cache = *bitptr->byte;
+
+Index: libmad-0.15.1b/frame.c
+===================================================================
+--- libmad-0.15.1b.orig/frame.c
++++ libmad-0.15.1b/frame.c
+@@ -120,11 +120,18 @@ static
+ int decode_header(struct mad_header *header, struct mad_stream *stream)
+ {
+ unsigned int index;
++ struct mad_bitptr bufend_ptr;
+
+ header->flags = 0;
+ header->private_bits = 0;
+
++ mad_bit_init(&bufend_ptr, stream->bufend);
++
+ /* header() */
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 32) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+
+ /* syncword */
+ mad_bit_skip(&stream->ptr, 11);
+@@ -225,8 +232,13 @@ int decode_header(struct mad_header *hea
+ /* error_check() */
+
+ /* crc_check */
+- if (header->flags & MAD_FLAG_PROTECTION)
++ if (header->flags & MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr) < 16) {
++ stream->error = MAD_ERROR_BUFLEN;
++ return -1;
++ }
+ header->crc_target = mad_bit_read(&stream->ptr, 16);
++ }
+
+ return 0;
+ }
+@@ -338,7 +350,7 @@ int mad_header_decode(struct mad_header
+ stream->error = MAD_ERROR_BUFLEN;
+ goto fail;
+ }
+- else if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ else if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ /* mark point where frame sync word was expected */
+ stream->this_frame = ptr;
+ stream->next_frame = ptr + 1;
+@@ -361,6 +373,8 @@ int mad_header_decode(struct mad_header
+ ptr = mad_bit_nextbyte(&stream->ptr);
+ }
+
++ stream->error = MAD_ERROR_NONE;
++
+ /* begin processing */
+ stream->this_frame = ptr;
+ stream->next_frame = ptr + 1; /* possibly bogus sync word */
+@@ -413,7 +427,7 @@ int mad_header_decode(struct mad_header
+ /* check that a valid frame header follows this frame */
+
+ ptr = stream->next_frame;
+- if (!(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
++ if ((end - ptr >= 2) && !(ptr[0] == 0xff && (ptr[1] & 0xe0) == 0xe0)) {
+ ptr = stream->next_frame = stream->this_frame + 1;
+ goto sync;
+ }
+Index: libmad-0.15.1b/layer12.c
+===================================================================
+--- libmad-0.15.1b.orig/layer12.c
++++ libmad-0.15.1b/layer12.c
+@@ -72,10 +72,18 @@ mad_fixed_t const linear_table[14] = {
+ * DESCRIPTION: decode one requantized Layer I sample from a bitstream
+ */
+ static
+-mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb)
++mad_fixed_t I_sample(struct mad_bitptr *ptr, unsigned int nb, struct mad_stream *stream)
+ {
+ mad_fixed_t sample;
++ struct mad_bitptr frameend_ptr;
+
++ mad_bit_init(&frameend_ptr, stream->next_frame);
++
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return 0;
++ }
+ sample = mad_bit_read(ptr, nb);
+
+ /* invert most significant bit, extend sign, then scale to fixed format */
+@@ -106,6 +114,10 @@ int mad_layer_I(struct mad_stream *strea
+ struct mad_header *header = &frame->header;
+ unsigned int nch, bound, ch, s, sb, nb;
+ unsigned char allocation[2][32], scalefactor[2][32];
++ struct mad_bitptr bufend_ptr, frameend_ptr;
++
++ mad_bit_init(&bufend_ptr, stream->bufend);
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -118,6 +130,11 @@ int mad_layer_I(struct mad_stream *strea
+ /* check CRC word */
+
+ if (header->flags & MAD_FLAG_PROTECTION) {
++ if (mad_bit_length(&stream->ptr, &bufend_ptr)
++ < 4 * (bound * nch + (32 - bound))) {
++ stream->error = MAD_ERROR_BADCRC;
++ return -1;
++ }
+ header->crc_check =
+ mad_bit_crc(stream->ptr, 4 * (bound * nch + (32 - bound)),
+ header->crc_check);
+@@ -133,6 +150,11 @@ int mad_layer_I(struct mad_stream *strea
+
+ for (sb = 0; sb < bound; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -145,6 +167,11 @@ int mad_layer_I(struct mad_stream *strea
+ }
+
+ for (sb = bound; sb < 32; ++sb) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 4) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ nb = mad_bit_read(&stream->ptr, 4);
+
+ if (nb == 15) {
+@@ -161,6 +188,11 @@ int mad_layer_I(struct mad_stream *strea
+ for (sb = 0; sb < 32; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+
+ # if defined(OPT_STRICT)
+@@ -185,8 +217,10 @@ int mad_layer_I(struct mad_stream *strea
+ for (ch = 0; ch < nch; ++ch) {
+ nb = allocation[ch][sb];
+ frame->sbsample[ch][s][sb] = nb ?
+- mad_f_mul(I_sample(&stream->ptr, nb),
++ mad_f_mul(I_sample(&stream->ptr, nb, stream),
+ sf_table[scalefactor[ch][sb]]) : 0;
++ if (stream->error != 0)
++ return -1;
+ }
+ }
+
+@@ -194,7 +228,14 @@ int mad_layer_I(struct mad_stream *strea
+ if ((nb = allocation[0][sb])) {
+ mad_fixed_t sample;
+
+- sample = I_sample(&stream->ptr, nb);
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
++ sample = I_sample(&stream->ptr, nb, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (ch = 0; ch < nch; ++ch) {
+ frame->sbsample[ch][s][sb] =
+@@ -280,13 +321,21 @@ struct quantclass {
+ static
+ void II_samples(struct mad_bitptr *ptr,
+ struct quantclass const *quantclass,
+- mad_fixed_t output[3])
++ mad_fixed_t output[3], struct mad_stream *stream)
+ {
+ unsigned int nb, s, sample[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ if ((nb = quantclass->group)) {
+ unsigned int c, nlevels;
+
++ if (mad_bit_length(ptr, &frameend_ptr) < quantclass->bits) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ /* degrouping */
+ c = mad_bit_read(ptr, quantclass->bits);
+ nlevels = quantclass->nlevels;
+@@ -299,8 +348,14 @@ void II_samples(struct mad_bitptr *ptr,
+ else {
+ nb = quantclass->bits;
+
+- for (s = 0; s < 3; ++s)
++ for (s = 0; s < 3; ++s) {
++ if (mad_bit_length(ptr, &frameend_ptr) < nb) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return;
++ }
+ sample[s] = mad_bit_read(ptr, nb);
++ }
+ }
+
+ for (s = 0; s < 3; ++s) {
+@@ -336,6 +391,9 @@ int mad_layer_II(struct mad_stream *stre
+ unsigned char const *offsets;
+ unsigned char allocation[2][32], scfsi[2][32], scalefactor[2][32][3];
+ mad_fixed_t samples[3];
++ struct mad_bitptr frameend_ptr;
++
++ mad_bit_init(&frameend_ptr, stream->next_frame);
+
+ nch = MAD_NCHANNELS(header);
+
+@@ -402,13 +460,24 @@ int mad_layer_II(struct mad_stream *stre
+ for (sb = 0; sb < bound; ++sb) {
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
+- for (ch = 0; ch < nch; ++ch)
++ for (ch = 0; ch < nch; ++ch) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
++ }
+ }
+
+ for (sb = bound; sb < sblimit; ++sb) {
+ nbal = bitalloc_table[offsets[sb]].nbal;
+
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < nbal) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ allocation[0][sb] =
+ allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
+ }
+@@ -417,8 +486,14 @@ int mad_layer_II(struct mad_stream *stre
+
+ for (sb = 0; sb < sblimit; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+- if (allocation[ch][sb])
++ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 2) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
++ }
+ }
+ }
+
+@@ -441,6 +516,11 @@ int mad_layer_II(struct mad_stream *stre
+ for (sb = 0; sb < sblimit; ++sb) {
+ for (ch = 0; ch < nch; ++ch) {
+ if (allocation[ch][sb]) {
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
+
+ switch (scfsi[ch][sb]) {
+@@ -451,11 +531,21 @@ int mad_layer_II(struct mad_stream *stre
+ break;
+
+ case 0:
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
+ /* fall through */
+
+ case 1:
+ case 3:
++ if (mad_bit_length(&stream->ptr, &frameend_ptr) < 6) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+ scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
+ }
+
+@@ -487,7 +577,9 @@ int mad_layer_II(struct mad_stream *stre
+ if ((index = allocation[ch][sb])) {
+ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+- II_samples(&stream->ptr, &qc_table[index], samples);
++ II_samples(&stream->ptr, &qc_table[index], samples, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (s = 0; s < 3; ++s) {
+ frame->sbsample[ch][3 * gr + s][sb] =
+@@ -505,7 +597,9 @@ int mad_layer_II(struct mad_stream *stre
+ if ((index = allocation[0][sb])) {
+ index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
+
+- II_samples(&stream->ptr, &qc_table[index], samples);
++ II_samples(&stream->ptr, &qc_table[index], samples, stream);
++ if (stream->error != 0)
++ return -1;
+
+ for (ch = 0; ch < nch; ++ch) {
+ for (s = 0; s < 3; ++s) {
+Index: libmad-0.15.1b/layer3.c
+===================================================================
+--- libmad-0.15.1b.orig/layer3.c
++++ libmad-0.15.1b/layer3.c
+@@ -598,7 +598,8 @@ enum mad_error III_sideinfo(struct mad_b
+ static
+ unsigned int III_scalefactors_lsf(struct mad_bitptr *ptr,
+ struct channel *channel,
+- struct channel *gr1ch, int mode_extension)
++ struct channel *gr1ch, int mode_extension,
++ unsigned int bits_left, unsigned int *part2_length)
+ {
+ struct mad_bitptr start;
+ unsigned int scalefac_compress, index, slen[4], part, n, i;
+@@ -644,8 +645,12 @@ unsigned int III_scalefactors_lsf(struct
+
+ n = 0;
+ for (part = 0; part < 4; ++part) {
+- for (i = 0; i < nsfb[part]; ++i)
++ for (i = 0; i < nsfb[part]; ++i) {
++ if (bits_left < slen[part])
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[n++] = mad_bit_read(ptr, slen[part]);
++ bits_left -= slen[part];
++ }
+ }
+
+ while (n < 39)
+@@ -690,7 +695,10 @@ unsigned int III_scalefactors_lsf(struct
+ max = (1 << slen[part]) - 1;
+
+ for (i = 0; i < nsfb[part]; ++i) {
++ if (bits_left < slen[part])
++ return MAD_ERROR_BADSCFSI;
+ is_pos = mad_bit_read(ptr, slen[part]);
++ bits_left -= slen[part];
+
+ channel->scalefac[n] = is_pos;
+ gr1ch->scalefac[n++] = (is_pos == max);
+@@ -703,7 +711,8 @@ unsigned int III_scalefactors_lsf(struct
+ }
+ }
+
+- return mad_bit_length(&start, ptr);
++ *part2_length = mad_bit_length(&start, ptr);
++ return MAD_ERROR_NONE;
+ }
+
+ /*
+@@ -712,7 +721,8 @@ unsigned int III_scalefactors_lsf(struct
+ */
+ static
+ unsigned int III_scalefactors(struct mad_bitptr *ptr, struct channel *channel,
+- struct channel const *gr0ch, unsigned int scfsi)
++ struct channel const *gr0ch, unsigned int scfsi,
++ unsigned int bits_left, unsigned int *part2_length)
+ {
+ struct mad_bitptr start;
+ unsigned int slen1, slen2, sfbi;
+@@ -728,12 +738,20 @@ unsigned int III_scalefactors(struct mad
+ sfbi = 0;
+
+ nsfb = (channel->flags & mixed_block_flag) ? 8 + 3 * 3 : 6 * 3;
+- while (nsfb--)
++ while (nsfb--) {
++ if (bits_left < slen1)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi++] = mad_bit_read(ptr, slen1);
++ bits_left -= slen1;
++ }
+
+ nsfb = 6 * 3;
+- while (nsfb--)
++ while (nsfb--) {
++ if (bits_left < slen2)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi++] = mad_bit_read(ptr, slen2);
++ bits_left -= slen2;
++ }
+
+ nsfb = 1 * 3;
+ while (nsfb--)
+@@ -745,8 +763,12 @@ unsigned int III_scalefactors(struct mad
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 0; sfbi < 6; ++sfbi)
++ for (sfbi = 0; sfbi < 6; ++sfbi) {
++ if (bits_left < slen1)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
++ bits_left -= slen1;
++ }
+ }
+
+ if (scfsi & 0x4) {
+@@ -754,8 +776,12 @@ unsigned int III_scalefactors(struct mad
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 6; sfbi < 11; ++sfbi)
++ for (sfbi = 6; sfbi < 11; ++sfbi) {
++ if (bits_left < slen1)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen1);
++ bits_left -= slen1;
++ }
+ }
+
+ if (scfsi & 0x2) {
+@@ -763,8 +789,12 @@ unsigned int III_scalefactors(struct mad
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 11; sfbi < 16; ++sfbi)
++ for (sfbi = 11; sfbi < 16; ++sfbi) {
++ if (bits_left < slen2)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
++ bits_left -= slen2;
++ }
+ }
+
+ if (scfsi & 0x1) {
+@@ -772,14 +802,19 @@ unsigned int III_scalefactors(struct mad
+ channel->scalefac[sfbi] = gr0ch->scalefac[sfbi];
+ }
+ else {
+- for (sfbi = 16; sfbi < 21; ++sfbi)
++ for (sfbi = 16; sfbi < 21; ++sfbi) {
++ if (bits_left < slen2)
++ return MAD_ERROR_BADSCFSI;
+ channel->scalefac[sfbi] = mad_bit_read(ptr, slen2);
++ bits_left -= slen2;
++ }
+ }
+
+ channel->scalefac[21] = 0;
+ }
+
+- return mad_bit_length(&start, ptr);
++ *part2_length = mad_bit_length(&start, ptr);
++ return MAD_ERROR_NONE;
+ }
+
+ /*
+@@ -933,19 +968,17 @@ static
+ enum mad_error III_huffdecode(struct mad_bitptr *ptr, mad_fixed_t xr[576],
+ struct channel *channel,
+ unsigned char const *sfbwidth,
+- unsigned int part2_length)
++ signed int part3_length)
+ {
+ signed int exponents[39], exp;
+ signed int const *expptr;
+ struct mad_bitptr peek;
+- signed int bits_left, cachesz;
++ signed int bits_left, cachesz, fakebits;
+ register mad_fixed_t *xrptr;
+ mad_fixed_t const *sfbound;
+ register unsigned long bitcache;
+
+- bits_left = (signed) channel->part2_3_length - (signed) part2_length;
+- if (bits_left < 0)
+- return MAD_ERROR_BADPART3LEN;
++ bits_left = part3_length;
+
+ III_exponents(channel, sfbwidth, exponents);
+
+@@ -956,8 +989,12 @@ enum mad_error III_huffdecode(struct mad
+ cachesz = mad_bit_bitsleft(&peek);
+ cachesz += ((32 - 1 - 24) + (24 - cachesz)) & ~7;
+
++ if (bits_left < cachesz) {
++ cachesz = bits_left;
++ }
+ bitcache = mad_bit_read(&peek, cachesz);
+ bits_left -= cachesz;
++ fakebits = 0;
+
+ xrptr = &xr[0];
+
+@@ -986,7 +1023,7 @@ enum mad_error III_huffdecode(struct mad
+
+ big_values = channel->big_values;
+
+- while (big_values-- && cachesz + bits_left > 0) {
++ while (big_values-- && cachesz + bits_left - fakebits > 0) {
+ union huffpair const *pair;
+ unsigned int clumpsz, value;
+ register mad_fixed_t requantized;
+@@ -1023,10 +1060,19 @@ enum mad_error III_huffdecode(struct mad
+ unsigned int bits;
+
+ bits = ((32 - 1 - 21) + (21 - cachesz)) & ~7;
++ if (bits_left < bits) {
++ bits = bits_left;
++ }
+ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
+ cachesz += bits;
+ bits_left -= bits;
+ }
++ if (cachesz < 21) {
++ unsigned int bits = 21 - cachesz;
++ bitcache <<= bits;
++ cachesz += bits;
++ fakebits += bits;
++ }
+
+ /* hcod (0..19) */
+
+@@ -1041,6 +1087,8 @@ enum mad_error III_huffdecode(struct mad
+ }
+
+ cachesz -= pair->value.hlen;
++ if (cachesz < fakebits)
++ return MAD_ERROR_BADHUFFDATA;
+
+ if (linbits) {
+ /* x (0..14) */
+@@ -1054,10 +1102,15 @@ enum mad_error III_huffdecode(struct mad
+
+ case 15:
+ if (cachesz < linbits + 2) {
+- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
+- cachesz += 16;
+- bits_left -= 16;
++ unsigned int bits = 16;
++ if (bits_left < 16)
++ bits = bits_left;
++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
++ cachesz += bits;
++ bits_left -= bits;
+ }
++ if (cachesz - fakebits < linbits)
++ return MAD_ERROR_BADHUFFDATA;
+
+ value += MASK(bitcache, cachesz, linbits);
+ cachesz -= linbits;
+@@ -1074,6 +1127,8 @@ enum mad_error III_huffdecode(struct mad
+ }
+
+ x_final:
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1089,10 +1144,15 @@ enum mad_error III_huffdecode(struct mad
+
+ case 15:
+ if (cachesz < linbits + 1) {
+- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
+- cachesz += 16;
+- bits_left -= 16;
++ unsigned int bits = 16;
++ if (bits_left < 16)
++ bits = bits_left;
++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
++ cachesz += bits;
++ bits_left -= bits;
+ }
++ if (cachesz - fakebits < linbits)
++ return MAD_ERROR_BADHUFFDATA;
+
+ value += MASK(bitcache, cachesz, linbits);
+ cachesz -= linbits;
+@@ -1109,6 +1169,8 @@ enum mad_error III_huffdecode(struct mad
+ }
+
+ y_final:
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1128,6 +1190,8 @@ enum mad_error III_huffdecode(struct mad
+ requantized = reqcache[value] = III_requantize(value, exp);
+ }
+
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[0] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1146,6 +1210,8 @@ enum mad_error III_huffdecode(struct mad
+ requantized = reqcache[value] = III_requantize(value, exp);
+ }
+
++ if (cachesz - fakebits < 1)
++ return MAD_ERROR_BADHUFFDATA;
+ xrptr[1] = MASK1BIT(bitcache, cachesz--) ?
+ -requantized : requantized;
+ }
+@@ -1155,9 +1221,6 @@ enum mad_error III_huffdecode(struct mad
+ }
+ }
+
+- if (cachesz + bits_left < 0)
+- return MAD_ERROR_BADHUFFDATA; /* big_values overrun */
+-
+ /* count1 */
+ {
+ union huffquad const *table;
+@@ -1167,15 +1230,24 @@ enum mad_error III_huffdecode(struct mad
+
+ requantized = III_requantize(1, exp);
+
+- while (cachesz + bits_left > 0 && xrptr <= &xr[572]) {
++ while (cachesz + bits_left - fakebits > 0 && xrptr <= &xr[572]) {
+ union huffquad const *quad;
+
+ /* hcod (1..6) */
+
+ if (cachesz < 10) {
+- bitcache = (bitcache << 16) | mad_bit_read(&peek, 16);
+- cachesz += 16;
+- bits_left -= 16;
++ unsigned int bits = 16;
++ if (bits_left < 16)
++ bits = bits_left;
++ bitcache = (bitcache << bits) | mad_bit_read(&peek, bits);
++ cachesz += bits;
++ bits_left -= bits;
++ }
++ if (cachesz < 10) {
++ unsigned int bits = 10 - cachesz;
++ bitcache <<= bits;
++ cachesz += bits;
++ fakebits += bits;
+ }
+
+ quad = &table[MASK(bitcache, cachesz, 4)];
+@@ -1188,6 +1260,11 @@ enum mad_error III_huffdecode(struct mad
+ MASK(bitcache, cachesz, quad->ptr.bits)];
+ }
+
++ if (cachesz - fakebits < quad->value.hlen + quad->value.v
++ + quad->value.w + quad->value.x + quad->value.y)
++ /* We don't have enough bits to read one more entry, consider them
++ * stuffing bits. */
++ break;
+ cachesz -= quad->value.hlen;
+
+ if (xrptr == sfbound) {
+@@ -1236,22 +1313,8 @@ enum mad_error III_huffdecode(struct mad
+
+ xrptr += 2;
+ }
+-
+- if (cachesz + bits_left < 0) {
+-# if 0 && defined(DEBUG)
+- fprintf(stderr, "huffman count1 overrun (%d bits)\n",
+- -(cachesz + bits_left));
+-# endif
+-
+- /* technically the bitstream is misformatted, but apparently
+- some encoders are just a bit sloppy with stuffing bits */
+-
+- xrptr -= 4;
+- }
+ }
+
+- assert(-bits_left <= MAD_BUFFER_GUARD * CHAR_BIT);
+-
+ # if 0 && defined(DEBUG)
+ if (bits_left < 0)
+ fprintf(stderr, "read %d bits too many\n", -bits_left);
+@@ -2348,10 +2411,11 @@ void III_freqinver(mad_fixed_t sample[18
+ */
+ static
+ enum mad_error III_decode(struct mad_bitptr *ptr, struct mad_frame *frame,
+- struct sideinfo *si, unsigned int nch)
++ struct sideinfo *si, unsigned int nch, unsigned int md_len)
+ {
+ struct mad_header *header = &frame->header;
+ unsigned int sfreqi, ngr, gr;
++ int bits_left = md_len * CHAR_BIT;
+
+ {
+ unsigned int sfreq;
+@@ -2383,6 +2447,7 @@ enum mad_error III_decode(struct mad_bit
+ for (ch = 0; ch < nch; ++ch) {
+ struct channel *channel = &granule->ch[ch];
+ unsigned int part2_length;
++ unsigned int part3_length;
+
+ sfbwidth[ch] = sfbwidth_table[sfreqi].l;
+ if (channel->block_type == 2) {
+@@ -2391,18 +2456,30 @@ enum mad_error III_decode(struct mad_bit
+ }
+
+ if (header->flags & MAD_FLAG_LSF_EXT) {
+- part2_length = III_scalefactors_lsf(ptr, channel,
++ error = III_scalefactors_lsf(ptr, channel,
+ ch == 0 ? 0 : &si->gr[1].ch[1],
+- header->mode_extension);
++ header->mode_extension, bits_left, &part2_length);
+ }
+ else {
+- part2_length = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
+- gr == 0 ? 0 : si->scfsi[ch]);
++ error = III_scalefactors(ptr, channel, &si->gr[0].ch[ch],
++ gr == 0 ? 0 : si->scfsi[ch], bits_left, &part2_length);
+ }
++ if (error)
++ return error;
++
++ bits_left -= part2_length;
+
+- error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part2_length);
++ if (part2_length > channel->part2_3_length)
++ return MAD_ERROR_BADPART3LEN;
++
++ part3_length = channel->part2_3_length - part2_length;
++ if (part3_length > bits_left)
++ return MAD_ERROR_BADPART3LEN;
++
++ error = III_huffdecode(ptr, xr[ch], channel, sfbwidth[ch], part3_length);
+ if (error)
+ return error;
++ bits_left -= part3_length;
+ }
+
+ /* joint stereo processing */
+@@ -2519,11 +2596,13 @@ int mad_layer_III(struct mad_stream *str
+ unsigned int nch, priv_bitlen, next_md_begin = 0;
+ unsigned int si_len, data_bitlen, md_len;
+ unsigned int frame_space, frame_used, frame_free;
+- struct mad_bitptr ptr;
++ struct mad_bitptr ptr, bufend_ptr;
+ struct sideinfo si;
+ enum mad_error error;
+ int result = 0;
+
++ mad_bit_init(&bufend_ptr, stream->bufend);
++
+ /* allocate Layer III dynamic structures */
+
+ if (stream->main_data == 0) {
+@@ -2587,14 +2666,15 @@ int mad_layer_III(struct mad_stream *str
+ unsigned long header;
+
+ mad_bit_init(&peek, stream->next_frame);
++ if (mad_bit_length(&peek, &bufend_ptr) >= 57) {
++ header = mad_bit_read(&peek, 32);
++ if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
++ if (!(header & 0x00010000L)) /* protection_bit */
++ mad_bit_skip(&peek, 16); /* crc_check */
+
+- header = mad_bit_read(&peek, 32);
+- if ((header & 0xffe60000L) /* syncword | layer */ == 0xffe20000L) {
+- if (!(header & 0x00010000L)) /* protection_bit */
+- mad_bit_skip(&peek, 16); /* crc_check */
+-
+- next_md_begin =
+- mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
++ next_md_begin =
++ mad_bit_read(&peek, (header & 0x00080000L) /* ID */ ? 9 : 8);
++ }
+ }
+
+ mad_bit_finish(&peek);
+@@ -2653,7 +2733,7 @@ int mad_layer_III(struct mad_stream *str
+ /* decode main_data */
+
+ if (result == 0) {
+- error = III_decode(&ptr, frame, &si, nch);
++ error = III_decode(&ptr, frame, &si, nch, md_len);
+ if (error) {
+ stream->error = error;
+ result = -1;
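Review bot: In III_huffdecode the new clamp `if (bits_left < bits)` in the big_values refill compares the `signed int bits_left` with the local `unsigned int bits`, so the comparison is done in unsigned arithmetic and the clamp would be skipped if `bits_left` were ever negative; III_decode's `if (part3_length > bits_left)` mixes signedness the same way. From the lines shown every decrement of `bits_left` is clamped first, so it appears to stay non-negative, but the guard relies on that invariant instead of enforcing it. Making the comparison explicit, `if (bits_left < (signed int) bits)`, or giving the bit counters one signedness throughout, removes the dependency. Both functions are only partly visible in the embedded hunks, so the types of other operands such as `linbits` should be checked against the full file.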
diff --git a/main/libmad/md_size.patch b/main/libmad/md_size.patch
new file mode 100644
index 00000000000..657b5ffdb97
--- /dev/null
+++ b/main/libmad/md_size.patch
@@ -0,0 +1,58 @@
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 28 Jan 2018 15:44:08 +0100
+Subject: Check the size of the main data
+
+The main data to decode a frame can come from the current frame and part of the
+previous frame, the so called bit reservoir. si.main_data_begin is the part of
+the previous frame we need for this frame. frame_space is the amount of main
+data that can be in this frame, and next_md_begin is the part of this frame that
+is going to be used for the next frame.
+
+The maximum amount of data from a previous frame that the format allows is 511
+bytes. The maximum frame size for the defined bitrates is at MPEG 2.5 layer 2
+at 320 kbit/s and 8 kHz sample rate which gives 72 * (320000 / 8000) + 1 = 2881.
+So those defines are not large enough:
+ # define MAD_BUFFER_GUARD 8
+ # define MAD_BUFFER_MDLEN (511 + 2048 + MAD_BUFFER_GUARD)
+
+There is also support for a "free" bitrate which allows you to create any frame
+size, which can be larger than the buffer.
+
+Changing the defines is not an option since it's part of the ABI, so we check
+that the main data fits in the bufer.
+
+The previous frame data is stored in *stream->main_data and contains
+stream->md_len bytes. If stream->md_len is larger than the data we
+need from the previous frame (si.main_data_begin) it still wouldn't fit
+in the buffer, so just keep the data that we need.
+
+Index: libmad-0.15.1b/layer3.c
+===================================================================
+--- libmad-0.15.1b.orig/layer3.c
++++ libmad-0.15.1b/layer3.c
+@@ -2608,6 +2608,11 @@ int mad_layer_III(struct mad_stream *str
+ next_md_begin = 0;
+
+ md_len = si.main_data_begin + frame_space - next_md_begin;
++ if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN) {
++ stream->error = MAD_ERROR_LOSTSYNC;
++ stream->sync = 0;
++ return -1;
++ }
+
+ frame_used = 0;
+
+@@ -2625,8 +2630,11 @@ int mad_layer_III(struct mad_stream *str
+ }
+ }
+ else {
+- mad_bit_init(&ptr,
+- *stream->main_data + stream->md_len - si.main_data_begin);
++ memmove(stream->main_data,
++ *stream->main_data + stream->md_len - si.main_data_begin,
++ si.main_data_begin);
++ stream->md_len = si.main_data_begin;
++ mad_bit_init(&ptr, *stream->main_data);
+
+ if (md_len > si.main_data_begin) {
+ assert(stream->md_len + md_len -
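Review bot: The new bound `if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN)` adds a constant to a length derived from the stream before comparing, which would wrap and pass if `md_len` were ever within MAD_BUFFER_GUARD of the unsigned maximum. The `next_md_begin = 0;` context line just above suggests the subtraction that produces `md_len` is already guarded against underflow, but that condition is outside the hunk. Comparing against the constant side, `if (md_len > MAD_BUFFER_MDLEN - MAD_BUFFER_GUARD)`, gives the same result for valid input and cannot wrap. mad_layer_III starts and ends outside the embedded hunks.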
diff --git a/main/libsndfile/APKBUILD b/main/libsndfile/APKBUILD
index b75ce398611..60725f26730 100644
--- a/main/libsndfile/APKBUILD
+++ b/main/libsndfile/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libsndfile
pkgver=1.0.28
-pkgrel=4
+pkgrel=5
pkgdesc="A C library for reading and writing files containing sampled sound"
url="http://www.mega-nerd.com/libsndfile"
arch="all"
@@ -17,9 +17,13 @@ source="http://www.mega-nerd.com/$pkgname/files/$pkgname-$pkgver.tar.gz
CVE-2017-12562.patch
CVE-2018-13139.patch
CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
+ CVE-2018-19758-and-CVE-2019-3832.patch
"
# secfixes:
+# 1.0.28-r5:
+# - CVE-2018-19758
+# - CVE-2019-3832
# 1.0.28-r4:
# - CVE-2017-17456
# - CVE-2017-17457
@@ -57,17 +61,10 @@ package() {
cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
}
-md5sums="646b5f98ce89ac60cdb060fcd398247c libsndfile-1.0.28.tar.gz
-cdd75dee754a3f97a2b9852193858e8b CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch
-883e150165932d7dc89aee64795a5e5e CVE-2017-8362.patch
-bcee757ad4ec56f92c0c2ad5c9c9bf96 CVE-2017-12562.patch"
-sha256sums="1ff33929f042fa333aed1e8923aa628c3ee9e1eb85512686c55092d1e5a9dfa9 libsndfile-1.0.28.tar.gz
-c2d2665744b32facab093540bd0b0c28e72496dd03f8fd51e0aef42fb76d9631 CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch
-3dc977a26f36a779874bda304685a221a9da08d3e6b8d239f19785a31e18dbf7 CVE-2017-8362.patch
-5e13e843a247c5cc3e33e926183281003512bd34dbb32acab6c9360e06e6e3c9 CVE-2017-12562.patch"
sha512sums="890731a6b8173f714155ce05eaf6d991b31632c8ab207fbae860968861a107552df26fcf85602df2e7f65502c7256c1b41735e1122485a3a07ddb580aa83b57f libsndfile-1.0.28.tar.gz
f98c40696fca3e7bca867df993de55bb4145c23428e65d1a669182eb2293046478ac727ae7f94bb77123ef0355c3c53be4f9d6a432665c90c74687d8d3afd9e3 CVE-2017-8361_CVE-2017-8363_CVE-2017-8365.patch
dfd4b5f1c7471fc416eed5c6040580a020543f145de9103751adaad6ce1c5c6a22abc1cf0ffd381aed3072644cd5ee03ba3598265aa7d202d63167da251cb595 CVE-2017-8362.patch
814139567d90fb07908014e858c341fe933e04dca69b88ad66078910888237bbeba94f85d9e1489883c424f35fca312eb98c21ae2b122d9289bb6418725cd02e CVE-2017-12562.patch
33817e7c85180635fa239e4ea38973b18312878522639f43071188a995f0e1a35dbca6d133555fb0875292b4b609950ae38e747a6b1949f8ae840db9dc3a2805 CVE-2018-13139.patch
-ba3e5321713dbc118f45dac6f86049a15e6ba54fc788776eb267b1b165a0853bec278d8b066c71372cd243c852faa6781bef6a71d108e7cdbc64fb77fa3afc0a CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch"
+ba3e5321713dbc118f45dac6f86049a15e6ba54fc788776eb267b1b165a0853bec278d8b066c71372cd243c852faa6781bef6a71d108e7cdbc64fb77fa3afc0a CVE-2017-17456_CVE-2017-17457_CVE-2018-19661_CVE-2018-19662.patch
+0cde1fba48e57a009a396fabb3332633e165409de64e7d098f944421e9ef7b5e5c0edb428ce2bca33fc6311f6454b3be30d1259a6cf2a84e1f78eae996f14135 CVE-2018-19758-and-CVE-2019-3832.patch"
diff --git a/main/libsndfile/CVE-2018-19758-and-CVE-2019-3832.patch b/main/libsndfile/CVE-2018-19758-and-CVE-2019-3832.patch
new file mode 100644
index 00000000000..3b08a642129
--- /dev/null
+++ b/main/libsndfile/CVE-2018-19758-and-CVE-2019-3832.patch
@@ -0,0 +1,16 @@
+diff --git a/src/wav.c b/src/wav.c
+index 4b943dc..6020f20 100644
+--- a/src/wav.c
++++ b/src/wav.c
+@@ -1094,6 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
+ psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
+ psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
+
++ /* Make sure we don't read past the loops array end. */
++ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
++ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
++
+ for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+ { int type ;
+
+
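Review bot: The clamp on `psf->instrument->loop_count` is applied only after the count has been emitted by `psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0)` on the line above it, so a header built from an oversized count would still advertise more loops than the following `for` loop writes. Moving the added `if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))` / `psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;` pair above the first write that uses the count would keep the header and the loop data consistent. The start of wav_write_header and any chunk-size computation based on the count are outside this hunk, so the exact insertion point needs checking there.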
diff --git a/main/libssh2/APKBUILD b/main/libssh2/APKBUILD
index 023e983eeea..fc7e47b538a 100644
--- a/main/libssh2/APKBUILD
+++ b/main/libssh2/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: William Pitcock <nenolod@dereferenced.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libssh2
-pkgver=1.8.2
-pkgrel=0
+pkgver=1.9.0
+pkgrel=1
pkgdesc="library for accessing ssh1/ssh2 protocol servers"
url="https://libssh2.org/"
arch="all"
@@ -10,10 +10,15 @@ license="BSD"
makedepends="libressl-dev zlib-dev"
options="!check"
subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc"
-source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz"
+source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz
+ CVE-2019-17498.patch"
builddir="$srcdir"/libssh2-$pkgver
# security fixes:
+# 1.9.0-r1:
+# - CVE-2019-17498
+# 1.9.0-r0:
+# - CVE-2019-13115
# 1.8.1-r0:
# - CVE-2019-3855
# - CVE-2019-3856
@@ -43,4 +48,5 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="390ab4ad93bb738415ec11a6eb92806c9b9e9e5d8ee7c442d841a58b4292c1c447a9bc99e153ba464e2e11f9c0d1913469303598c3046722d1ae821991e8cb93 libssh2-1.8.2.tar.gz"
+sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz
+fedd840ec8459409c80ef3984f3539e09c0730fb1a7ccc8034e3e03618590a5c0589b7dff132c813b148be9f5b784d3cd50830c502d419af77ce86e848297813 CVE-2019-17498.patch"
diff --git a/main/libssh2/CVE-2019-17498.patch b/main/libssh2/CVE-2019-17498.patch
new file mode 100644
index 00000000000..e858cca1862
--- /dev/null
+++ b/main/libssh2/CVE-2019-17498.patch
@@ -0,0 +1,72 @@
+From 1c6fa92b77e34d089493fe6d3e2c6c8775858b94 Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Thu, 29 Aug 2019 15:24:22 -0700
+Subject: [PATCH] fixed type issue, updated SSH_MSG_DISCONNECT
+
+SSH_MSG_DISCONNECT now also uses _libssh2_get API.
+---
+ src/packet.c | 40 +++++++++++++++-------------------------
+ 1 file changed, 15 insertions(+), 25 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 8908b2c5..97f0cdd4 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -419,8 +419,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ size_t datalen, int macstate)
+ {
+ int rc = 0;
+- char *message = NULL;
+- char *language = NULL;
++ unsigned char *message = NULL;
++ unsigned char *language = NULL;
+ size_t message_len = 0;
+ size_t language_len = 0;
+ LIBSSH2_CHANNEL *channelp = NULL;
+@@ -472,33 +472,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+
+ case SSH_MSG_DISCONNECT:
+ if(datalen >= 5) {
+- size_t reason = _libssh2_ntohu32(data + 1);
++ uint32_t reason = 0;
++ struct string_buf buf;
++ buf.data = (unsigned char *)data;
++ buf.dataptr = buf.data;
++ buf.len = datalen;
++ buf.dataptr++; /* advance past type */
+
+- if(datalen >= 9) {
+- message_len = _libssh2_ntohu32(data + 5);
++ _libssh2_get_u32(&buf, &reason);
++ _libssh2_get_string(&buf, &message, &message_len);
++ _libssh2_get_string(&buf, &language, &language_len);
+
+- if(message_len < datalen-13) {
+- /* 9 = packet_type(1) + reason(4) + message_len(4) */
+- message = (char *) data + 9;
+-
+- language_len =
+- _libssh2_ntohu32(data + 9 + message_len);
+- language = (char *) data + 9 + message_len + 4;
+-
+- if(language_len > (datalen-13-message_len)) {
+- /* bad input, clear info */
+- language = message = NULL;
+- language_len = message_len = 0;
+- }
+- }
+- else
+- /* bad size, clear it */
+- message_len = 0;
+- }
+ if(session->ssh_msg_disconnect) {
+- LIBSSH2_DISCONNECT(session, reason, message,
+- message_len, language, language_len);
++ LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++ message_len, (const char *)language,
++ language_len);
+ }
++
+ _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+ "Disconnect(%d): %s(%s)", reason,
+ message, language);
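Review bot: The results of `_libssh2_get_u32` and of both `_libssh2_get_string` calls in the SSH_MSG_DISCONNECT case are discarded, so a truncated packet is handled only by `message` and `language` keeping their initial NULL and zero lengths. The unchanged `_libssh2_debug` call that follows still formats both with `%s`, which then receives either a NULL pointer or a pointer into the packet buffer that is presumably not NUL-terminated. Checking the three return values and skipping the callback and trace on failure, and printing with explicit lengths (`%.*s` with `(int)message_len` and `(int)language_len`), would cover both cases. `reason` is now a `uint32_t` but is still printed with `%d`. The body of _libssh2_packet_add continues outside the hunk.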
diff --git a/main/libtasn1/APKBUILD b/main/libtasn1/APKBUILD
index f00bed5706f..fecfe0bae2d 100644
--- a/main/libtasn1/APKBUILD
+++ b/main/libtasn1/APKBUILD
@@ -2,20 +2,23 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libtasn1
pkgver=4.12
-pkgrel=3
+pkgrel=4
pkgdesc="The ASN.1 library used in GNUTLS"
url="https://www.gnu.org/software/gnutls/"
arch="all"
license="GPL3 LGPL"
makedepends="texinfo"
subpackages="$pkgname-dev $pkgname-doc"
-source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+source="http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
CVE-2017-10790.patch
CVE-2018-6003.patch
+ CVE-2018-1000654.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.12-r4:
+# - CVE-2018-1000654
# 4.12-r3:
# - CVE-2018-6003
# 4.12-r1:
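Review bot: The tarball URL in `source=` moves from `ftp://` to `http://`, which is still an unauthenticated transport, so the download is protected only by the `sha512sums` entry further down. Using `https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz` would add transport integrity as a second check, assuming the host serves the same path over HTTPS.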
@@ -44,4 +47,5 @@ package() {
}
sha512sums="6c551670949881193e39122f72948e4999ff1ba377f9ee5963d0a4ad1b84256e4fe42e9f6d6a2aa9f7d4ef7acc0e5174fb5cc3df5298524cdeda92f4b8c104f7 libtasn1-4.12.tar.gz
8e9dad0a1ee7cb7a8ed3d2a60c1c1bcb3e1ef689dbd2879992d4098f36edbae3bb962b9c87a0a9a77335e83abf10fd72bd78bde99989421c35f4434a9e1d08cc CVE-2017-10790.patch
-ab35a4aa314d02b1e7e93b1e5ae04138583274c6774447566e48dd03cf92db2c78760901da6a325b630b2525811c450e8ba180b4a4c188ae48cbaf94fc4c7d3d CVE-2018-6003.patch"
+ab35a4aa314d02b1e7e93b1e5ae04138583274c6774447566e48dd03cf92db2c78760901da6a325b630b2525811c450e8ba180b4a4c188ae48cbaf94fc4c7d3d CVE-2018-6003.patch
+c0bf6265c0318af0348d0ce24375977afd9abbce66683a1e7ddf06fea34d018aff6e0cbc670eb3097960bb9a6f9e1058eea457aabff3db74df3181e9a70c5b05 CVE-2018-1000654.patch"
diff --git a/main/libtasn1/CVE-2018-1000654.patch b/main/libtasn1/CVE-2018-1000654.patch
new file mode 100644
index 00000000000..9738995ffca
--- /dev/null
+++ b/main/libtasn1/CVE-2018-1000654.patch
@@ -0,0 +1,182 @@
+diff --git a/lib/ASN1.c b/lib/ASN1.c
+index 586dcca..47074f0 100644
+--- a/lib/ASN1.c
++++ b/lib/ASN1.c
+@@ -2811,7 +2811,12 @@ asn1_parser2tree (const char *file, asn1_node * definitions,
+ /* Convert into DER coding the value assign to INTEGER constants */
+ _asn1_change_integer_value (p_tree);
+ /* Expand the IDs of OBJECT IDENTIFIER constants */
+- _asn1_expand_object_id (p_tree);
++ result_parse = _asn1_expand_object_id (p_tree);
++ if (result_parse != ASN1_SUCCESS)
++ {
++ _asn1_delete_list_and_nodes ();
++ goto error;
++ }
+
+ *definitions = p_tree;
+ }
+@@ -2824,6 +2829,7 @@ asn1_parser2tree (const char *file, asn1_node * definitions,
+ _asn1_delete_list_and_nodes ();
+ }
+
++ error:
+ _asn1_create_errorDescription (result_parse, error_desc);
+
+ return result_parse;
+diff --git a/lib/ASN1.y b/lib/ASN1.y
+index 534a9f1..0b81b5b 100644
+--- a/lib/ASN1.y
++++ b/lib/ASN1.y
+@@ -701,7 +701,9 @@ asn1_parser2tree (const char *file, asn1_node * definitions,
+ /* Convert into DER coding the value assign to INTEGER constants */
+ _asn1_change_integer_value (p_tree);
+ /* Expand the IDs of OBJECT IDENTIFIER constants */
+- _asn1_expand_object_id (p_tree);
++ result_parse = _asn1_expand_object_id (p_tree);
++ if (result_parse != ASN1_SUCCESS)
++ goto error;
+
+ *definitions = p_tree;
+ }
+@@ -714,6 +716,7 @@ asn1_parser2tree (const char *file, asn1_node * definitions,
+ _asn1_delete_list_and_nodes ();
+ }
+
++ error:
+ _asn1_create_errorDescription (result_parse, error_desc);
+
+ return result_parse;
+diff --git a/lib/errors.c b/lib/errors.c
+index fef45ae..cee74da 100644
+--- a/lib/errors.c
++++ b/lib/errors.c
+@@ -53,6 +53,7 @@ static const libtasn1_error_entry error_algorithms[] = {
+ LIBTASN1_ERROR_ENTRY (ASN1_ARRAY_ERROR),
+ LIBTASN1_ERROR_ENTRY (ASN1_ELEMENT_NOT_EMPTY),
+ LIBTASN1_ERROR_ENTRY (ASN1_TIME_ENCODING_ERROR),
++ LIBTASN1_ERROR_ENTRY (ASN1_RECURSION),
+ {0, 0}
+ };
+
+diff --git a/lib/libtasn1.h b/lib/libtasn1.h
+index ea26b78..8c757d6 100644
+--- a/lib/libtasn1.h
++++ b/lib/libtasn1.h
+@@ -79,6 +79,7 @@ extern "C"
+ #define ASN1_ARRAY_ERROR 16
+ #define ASN1_ELEMENT_NOT_EMPTY 17
+ #define ASN1_TIME_ENCODING_ERROR 18
++#define ASN1_RECURSION 19
+
+ /*************************************/
+ /* Constants used in asn1_visit_tree */
+diff --git a/lib/parser_aux.c b/lib/parser_aux.c
+index 786ea64..0090157 100644
+--- a/lib/parser_aux.c
++++ b/lib/parser_aux.c
+@@ -516,6 +516,23 @@ _asn1_find_up (asn1_node node)
+ return p->left;
+ }
+
++/******************************************************************/
++/* Function : _asn1_delete_node_from_list */
++/* Description: deletes the list element given */
++/******************************************************************/
++static void
++_asn1_delete_node_from_list (asn1_node node)
++{
++ list_type *p = firstElement;
++
++ while (p)
++ {
++ if (p->node == node)
++ p->node = NULL;
++ p = p->next;
++ }
++}
++
+ /******************************************************************/
+ /* Function : _asn1_delete_list */
+ /* Description: deletes the list elements (not the elements */
+@@ -667,15 +684,15 @@ _asn1_change_integer_value (asn1_node node)
+ /* Parameters: */
+ /* node: root of an ASN1 element. */
+ /* Return: */
+-/* ASN1_ELEMENT_NOT_FOUND if NODE is NULL, */
+-/* otherwise ASN1_SUCCESS */
++/* ASN1_ELEMENT_NOT_FOUND if NODE is NULL, */
++/* otherwise ASN1_SUCCESS */
+ /******************************************************************/
+ int
+ _asn1_expand_object_id (asn1_node node)
+ {
+ asn1_node p, p2, p3, p4, p5;
+ char name_root[ASN1_MAX_NAME_SIZE], name2[2 * ASN1_MAX_NAME_SIZE + 1];
+- int move, tlen;
++ int move, tlen, tries;
+
+ if (node == NULL)
+ return ASN1_ELEMENT_NOT_FOUND;
+@@ -684,6 +701,7 @@ _asn1_expand_object_id (asn1_node node)
+
+ p = node;
+ move = DOWN;
++ tries = 0;
+
+ while (!((p == node) && (move == UP)))
+ {
+@@ -707,6 +725,7 @@ _asn1_expand_object_id (asn1_node node)
+ || !(p3->type & CONST_ASSIGN))
+ return ASN1_ELEMENT_NOT_FOUND;
+ _asn1_set_down (p, p2->right);
++ _asn1_delete_node_from_list(p2);
+ _asn1_remove_node (p2, 0);
+ p2 = p;
+ p4 = p3->down;
+@@ -738,6 +757,11 @@ _asn1_expand_object_id (asn1_node node)
+ p4 = p4->right;
+ }
+ move = DOWN;
++
++ tries++;
++ if (tries >= EXPAND_OBJECT_ID_MAX_RECURSION)
++ return ASN1_RECURSION;
++
+ continue;
+ }
+ }
+@@ -747,6 +771,7 @@ _asn1_expand_object_id (asn1_node node)
+ else
+ move = RIGHT;
+
++ tries = 0;
+ if (move == DOWN)
+ {
+ if (p->down)
+diff --git a/lib/parser_aux.h b/lib/parser_aux.h
+index 9f91833..bb05ae8 100644
+--- a/lib/parser_aux.h
++++ b/lib/parser_aux.h
+@@ -60,6 +60,7 @@ asn1_node _asn1_find_up (asn1_node node);
+
+ int _asn1_change_integer_value (asn1_node node);
+
++#define EXPAND_OBJECT_ID_MAX_RECURSION 16
+ int _asn1_expand_object_id (asn1_node node);
+
+ int _asn1_type_set_config (asn1_node node);
+diff --git a/lib/structure.c b/lib/structure.c
+index 01715b1..f6a93fa 100644
+--- a/lib/structure.c
++++ b/lib/structure.c
+@@ -245,7 +245,7 @@ asn1_array2tree (const asn1_static_node * array, asn1_node * definitions,
+ if (result == ASN1_SUCCESS)
+ {
+ _asn1_change_integer_value (*definitions);
+- _asn1_expand_object_id (*definitions);
++ result = _asn1_expand_object_id (*definitions);
+ }
+ }
+ else
+
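Review bot: The lib/ASN1.y hunk jumps to `error` on a failed `_asn1_expand_object_id` without the `_asn1_delete_list_and_nodes ();` call that the matching lib/ASN1.c hunk makes before its `goto error;`. Because the new `error:` label sits after the existing cleanup call, the grammar-source path appears to skip freeing the parsed list and nodes. Adding the same braces and `_asn1_delete_list_and_nodes ();` to the .y hunk would keep a regenerated ASN1.c in step with the shipped one. The header comment of `_asn1_expand_object_id` in lib/parser_aux.c also still lists only ASN1_ELEMENT_NOT_FOUND and ASN1_SUCCESS and should mention `ASN1_RECURSION`. The enclosing if/else of asn1_parser2tree is outside both hunks, so the cleanup ordering should be confirmed there.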
diff --git a/main/libvncserver/APKBUILD b/main/libvncserver/APKBUILD
index e1ba034da16..cb8b743b1d3 100644
--- a/main/libvncserver/APKBUILD
+++ b/main/libvncserver/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=libvncserver
pkgver=0.9.11
-pkgrel=2
+pkgrel=3
pkgdesc="Library to make writing a vnc server easy"
url="http://libvncserver.sourceforge.net/"
arch="all"
@@ -16,9 +16,13 @@ makedepends="$depends_dev autoconf automake libtool"
install=""
subpackages="$pkgname-dev"
source="https://github.com/LibVNC/libvncserver/archive/LibVNCServer-$pkgver.tar.gz
- CVE-2018-7225.patch"
+ CVE-2018-7225.patch
+ CVE-2019-15681.patch
+ "
# secfixes:
+# 0.9.11-r3:
+# - CVE-2019-15681
# 0.9.11-r2:
# - CVE-2018-7225
# 0.9.11-r0:
@@ -53,4 +57,5 @@ package() {
}
sha512sums="e473c081b68dd3cdd96a1756b4f4945ece79d3c8e4cef62140be1699671555fc16d3080e81d764197a14ea83203ffcd0e18c3cc182e012d036e3faae943003fb LibVNCServer-0.9.11.tar.gz
-1704254e74aa0adca48669c28ff475bf82a9468cf31edf43c3e0d10178307a7c8ecd8a8f11c061931318a6e529922d4adc188347da1e632dc2ade604a4388706 CVE-2018-7225.patch"
+1704254e74aa0adca48669c28ff475bf82a9468cf31edf43c3e0d10178307a7c8ecd8a8f11c061931318a6e529922d4adc188347da1e632dc2ade604a4388706 CVE-2018-7225.patch
+5ecb5a26813f3f07440ef6c54eebaca4e9b4f7c1cf2ba13375e3b23b950a9b818d068d4eef5532d7ea4d7ae084c4356af7257c45426101ff51afe2b7da338a1f CVE-2019-15681.patch"
diff --git a/main/libvncserver/CVE-2019-15681.patch b/main/libvncserver/CVE-2019-15681.patch
new file mode 100644
index 00000000000..e328d87920d
--- /dev/null
+++ b/main/libvncserver/CVE-2019-15681.patch
@@ -0,0 +1,23 @@
+From d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Mon, 19 Aug 2019 22:32:25 +0200
+Subject: [PATCH] rfbserver: don't leak stack memory to the remote
+
+Thanks go to Pavel Cheremushkin of Kaspersky for reporting.
+---
+ libvncserver/rfbserver.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
+index 3bacc891..310e5487 100644
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -3724,6 +3724,8 @@ rfbSendServerCutText(rfbScreenInfoPtr rfbScreen,char *str, int len)
+ rfbServerCutTextMsg sct;
+ rfbClientIteratorPtr iterator;
+
++ memset((char *)&sct, 0, sizeof(sct));
++
+ iterator = rfbGetClientIterator(rfbScreen);
+ while ((cl = rfbClientIteratorNext(iterator)) != NULL) {
+ sct.type = rfbServerCutText;
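Review bot: The added `memset` in rfbSendServerCutText has no comment explaining why a struct whose fields are assigned inside the loop needs zeroing first, which makes it easy to remove in a later cleanup. A one-line comment above it, such as `/* zero the whole message, padding included: it is presumably sent to clients as raw bytes */`, would record the intent given in the commit subject. The `(char *)` cast is not needed, and `memset(&sct, 0, sizeof(sct));` reads more cleanly. The function body continues outside the hunk, so the send call itself is not visible here.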
diff --git a/main/libxslt/APKBUILD b/main/libxslt/APKBUILD
index e8c16c027d6..c4d0ab1bd8b 100644
--- a/main/libxslt/APKBUILD
+++ b/main/libxslt/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
pkgname=libxslt
pkgver=1.1.31
-pkgrel=1
+pkgrel=2
pkgdesc="XML stylesheet transformation library"
url="http://xmlsoft.org/XSLT/"
arch="all"
@@ -11,14 +11,17 @@ makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python2-dev"
subpackages="$pkgname-dev $pkgname-doc py-$pkgname:py"
source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
CVE-2019-11068.patch
+ CVE-2019-18197.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 1.1.31-r2:
+# - CVE-2019-18197
# 1.1.31-r1:
-# - CVE-2019-11068
+# - CVE-2019-11068
# 1.1.29-r1:
-# - CVE-2017-5029
+# - CVE-2017-5029
build() {
cd "$builddir"
@@ -45,4 +48,5 @@ py() {
}
sha512sums="9012d643625d827b131c825a103f2e2a5f3cbd45d3cdf3318378e8f046da8d084db51c6b0078b5850a26adc81ba3bf357101d65ef510eff54c8b416a71efed92 libxslt-1.1.31.tar.gz
-9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch"
+9a97c5038809aaf64cb4eb7d67b95acc4b62236d7613a5f753e2a0f4c9e707c22cd07bda2e518d3f36a40b9ed5aa93496b743998c7adadb84ca147e045e35948 CVE-2019-11068.patch
+ec0a7cd35f9078a3939ef6c695f183d9a0da5dd837d0a7f586b89a07c0c0782384501e4c1532b4d9ee7e94e717c37179f470bae59923d0074b309f09b5bf18fa CVE-2019-18197.patch"
diff --git a/main/libxslt/CVE-2019-18197.patch b/main/libxslt/CVE-2019-18197.patch
new file mode 100644
index 00000000000..a8c7cf541d0
--- /dev/null
+++ b/main/libxslt/CVE-2019-18197.patch
@@ -0,0 +1,30 @@
+From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 17 Aug 2019 16:51:53 +0200
+Subject: [PATCH] Fix dangling pointer in xsltCopyText
+
+xsltCopyText didn't reset ctxt->lasttext in some cases which could
+lead to various memory errors in relation with CDATA sections in input
+documents.
+
+Found by OSS-Fuzz.
+---
+ libxslt/transform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 95ebd073..d7ab0b66 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ if ((copy->content = xmlStrdup(cur->content)) == NULL)
+ return NULL;
+ }
++
++ ctxt->lasttext = NULL;
+ } else {
+ /*
+ * normal processing. keep counters to extend the text node
+--
+2.22.0
+
diff --git a/main/mariadb/APKBUILD b/main/mariadb/APKBUILD
index 328ffb1cc93..73a53673b4b 100644
--- a/main/mariadb/APKBUILD
+++ b/main/mariadb/APKBUILD
@@ -4,7 +4,7 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mariadb
-pkgver=10.1.40
+pkgver=10.1.41
pkgrel=0
pkgdesc="A fast SQL database server"
url="https://www.mariadb.org/"
@@ -23,6 +23,11 @@ source="https://downloads.mariadb.org/interstitial/mariadb-$pkgver/source/mariad
"
# secfixes:
+# 10.1.41-r0:
+# - CVE-2019-2805
+# - CVE-2019-2740
+# - CVE-2019-2739
+# - CVE-2019-2737
# 10.1.40-r0:
# - CVE-2019-2614
# - CVE-2019-2627
@@ -249,6 +254,6 @@ mysql() { _compat mysql mariadb; }
_compat_client() { _compat mysql-client mariadb-client; }
_compat_bench() { _compat mysql-bench mariadb-client; }
-sha512sums="6b946189c69905f1a23a96d34720f1592353e0095455bf452bba31d53c90143d088f0fd997cac3da0a779840bb6ae6cc30b45144cba474463a8e3a6978a8a8f3 mariadb-10.1.40.tar.gz
+sha512sums="4a18b06fda49c5c3627b4e7cd32fb460e73762273a0c3d09098e34c71e63caa8fad03cdd92ae4a391cdfdb3719934688f0bdf312fa4af7ac3b9e5f5d90f404be mariadb-10.1.41.tar.gz
06751768cb00d2e433655635c38d267ef25084a5830ff40e719ac579223c7192dc34b43f919ab6faf480094632327511cbd22456064dde2d04dc15648b9e3b9f mariadb.initd
a352661d19becae717c16ac67a0e47ed93787653851a75d27e7764133b31dc02e18c38dbbce6d3138e4db08da616dfc75a0141865cd042cef669d6afe4463127 ppc-remove-glibc-dep.patch"
diff --git a/main/mercurial/APKBUILD b/main/mercurial/APKBUILD
index e382844ace0..1d2f427ae29 100644
--- a/main/mercurial/APKBUILD
+++ b/main/mercurial/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mercurial
pkgver=4.5.2
-pkgrel=0
+pkgrel=1
pkgdesc="A scalable distributed SCM tool"
url="https://www.mercurial-scm.org/"
arch="all"
@@ -14,10 +14,14 @@ subpackages="
$pkgname-vim:vim:noarch
$pkgname-zsh-completion:zshcomp:noarch
$pkgname-bash-completion:bashcomp:noarch"
-source="https://www.mercurial-scm.org/release/$pkgname-$pkgver.tar.gz"
+source="https://www.mercurial-scm.org/release/$pkgname-$pkgver.tar.gz
+ CVE-2019-3902.patch
+ "
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
+# 4.5.2-r1:
+# - CVE-2019-3902
# 4.5.2-r0:
# - CVE-2018-1000132
@@ -66,4 +70,5 @@ bashcomp() {
"$subpkgdir"/usr/share/bash-completion/completions/${pkgname}
}
-sha512sums="f70e40cba72b7955f0ecec9c1f53ffffac26f206188617cb182e22ce4f43dc8b970ce46d12c516ef88480c3fa076a59afcddd736dffb642d8e23befaf45b4941 mercurial-4.5.2.tar.gz"
+sha512sums="f70e40cba72b7955f0ecec9c1f53ffffac26f206188617cb182e22ce4f43dc8b970ce46d12c516ef88480c3fa076a59afcddd736dffb642d8e23befaf45b4941 mercurial-4.5.2.tar.gz
+f6a53411ba137661db283878ff1191ee13f879b171e6e97335ebc68e6276373ecff89a6ab16eec5eb572de9c909f5d4f81b726d15da56fa026a758482b5373f3 CVE-2019-3902.patch"
diff --git a/main/mercurial/CVE-2019-3902.patch b/main/mercurial/CVE-2019-3902.patch
new file mode 100644
index 00000000000..28d88c63e7f
--- /dev/null
+++ b/main/mercurial/CVE-2019-3902.patch
@@ -0,0 +1,60 @@
+
+# HG changeset patch
+# User Yuya Nishihara <yuya@tcha.org>
+# Date 1546953576 -32400
+# Node ID 83377b4b4ae0e9a6b8e579f7b0a693b8cf5c3b10
+# Parent 6c10eba6b9cddab020de49fd4fabcb2cadcd85d0
+subrepo: reject potentially unsafe subrepo paths (BC) (SEC)
+
+In addition to the previous patch, this prohibits '~', '$nonexistent', etc.
+for any subrepo types. I think this is safer, and real-world subrepos wouldn't
+use such (local) paths.
+
+diff -r 6c10eba6b9cd -r 83377b4b4ae0 mercurial/subrepo.py
+--- a/mercurial/subrepo.py Tue Jan 08 22:07:45 2019 +0900
++++ b/mercurial/subrepo.py Tue Jan 08 22:19:36 2019 +0900
+@@ -115,6 +115,10 @@
+ vfs.unlink(vfs.reljoin(dirname, f))
+
+ def _auditsubrepopath(repo, path):
++ # sanity check for potentially unsafe paths such as '~' and '$FOO'
++ if path.startswith('~') or '$' in path or util.expandpath(path) != path:
++ raise error.Abort(_('subrepo path contains illegal component: %s')
++ % path)
+ # auditor doesn't check if the path itself is a symlink
+ pathutil.pathauditor(repo.root)(path)
+ if repo.wvfs.islink(path):
+
+# HG changeset patch
+# User Yuya Nishihara <yuya@tcha.org>
+# Date 1546952865 -32400
+# Node ID 6c10eba6b9cddab020de49fd4fabcb2cadcd85d0
+# Parent 31286c9282dfa734e9da085649b7ae5a8ba290ad
+subrepo: prohibit variable expansion on creation of hg subrepo (SEC)
+
+It's probably wrong to expand path at localrepo.*repository() layer, but
+fixing the layering issue would require careful inspection of call paths.
+So, this patch adds add a validation to the subrepo constructor.
+
+os.path.realpath(util.expandpath(root)) is what vfsmod.vfs() would do.
+
+diff -r 31286c9282df -r 6c10eba6b9cd mercurial/subrepo.py
+--- a/mercurial/subrepo.py Tue Jan 08 21:51:54 2019 +0900
++++ b/mercurial/subrepo.py Tue Jan 08 22:07:45 2019 +0900
+@@ -403,7 +403,16 @@
+ r = ctx.repo()
+ root = r.wjoin(path)
+ create = allowcreate and not r.wvfs.exists('%s/.hg' % path)
++ # repository constructor does expand variables in path, which is
++ # unsafe since subrepo path might come from untrusted source.
++ if os.path.realpath(util.expandpath(root)) != root:
++ raise error.Abort(_('subrepo path contains illegal component: %s')
++ % path)
+ self._repo = hg.repository(r.baseui, root, create=create)
++ if self._repo.root != root:
++ raise error.ProgrammingError('failed to reject unsafe subrepo '
++ 'path: %s (expanded to %s)'
++ % (root, self._repo.root))
+
+ # Propagate the parent's --hidden option
+ if r is r.unfiltered():
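Review bot: The two changesets in this patch file are stored child-first: the first one (Node ID 83377b4b4ae0...) names 6c10eba6b9cd... as its Parent, and that parent changeset only appears further down. The hunks touch different regions of mercurial/subrepo.py, so the file probably still applies. But the first description's "In addition to the previous patch" then reads backwards, and anyone auditing the backport against upstream has to reorder it mentally. Storing the changesets parent-first would match upstream history. Both `_auditsubrepopath` and the subrepo constructor continue outside their hunks.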
diff --git a/main/mosquitto/APKBUILD b/main/mosquitto/APKBUILD
index 859a37a43d3..643420a97e3 100644
--- a/main/mosquitto/APKBUILD
+++ b/main/mosquitto/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=mosquitto
pkgver=1.4.15
-pkgrel=0
+pkgrel=2
pkgdesc="An Open Source MQTT v3.1 Broker"
url="http://mosquitto.org/"
arch="all"
@@ -17,10 +17,19 @@ replaces="mosquitto-utils"
source="http://mosquitto.org/files/source/$pkgname-$pkgver.tar.gz
libressl.patch
config.patch
- mosquitto.initd"
+ mosquitto-1.4.x-cve-2018-12550.patch
+ mosquitto-1.4.x-cve-2018-12551.patch
+ mosquitto-1.4.x-cve-2018-12546.patch
+
+ mosquitto.initd
+ "
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 1.4.15-r1:
+# - CVE-2018-12546
+# - CVE-2018-12550
+# - CVE-2018-12551
# 1.4.15-r0:
# - CVE-2017-7652
# - CVE-2017-7651
@@ -41,7 +50,7 @@ prepare() {
build() {
cd "$builddir"
# PSK not supported by libressl
- make \
+ make mosquitto \
WITH_MEMORY_TRACKING=no \
WITH_WEBSOCKETS=yes \
WITH_SRV=yes \
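Review bot: The build command in build() changes from `make` to `make mosquitto` with no explanation, and the change is not obviously tied to the three CVE patches listed in the secfixes block. If the intent is to avoid regenerating the man pages now that one of the patches touches man/mosquitto.conf.5.xml, a comment such as `# build only the 'mosquitto' target so the patched man XML is not regenerated` would say so. That reading is an inference and should be confirmed against the upstream Makefile. It is also worth checking that the installed man page still documents the new `check_retain_source` option. build() continues outside the hunk.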
@@ -82,4 +91,7 @@ clients() {
sha512sums="36b06547553cf28af3ca9b728c42fc27e849c4ae84d7964572d430233ab26e2b59eee2a215ac23ddf2d0bef419e7c70e64e2a22c397fadb3e0677314d03f1100 mosquitto-1.4.15.tar.gz
53859b628f965b77f6e47910c0ceba2f2737b815131ed800dc64a80419e434d25b5ba0938ae645882e9aa5d475d4940c7d35cc6d56f54bc4937a66b32d7db4ad libressl.patch
d5442373ae6ae8bc83eee59b425fbd76e80f905b9fd2bd2ed2a37a7e156fe95a9cf477c9c4dac0975c5fd90e70884de6fb8a16aefcd37b239199d5deae50b7d2 config.patch
+58cf7211781c07d25ad555e982b66aca716230698ad239b964de073bb41dc2566d2c6fde379ded18106f704aba864859e36cb39c4c85762d00b5ed4f2b5cef58 mosquitto-1.4.x-cve-2018-12550.patch
+b1ba9d61ede7b7f0232811d6e2381a2943ed12a3c8b83ea2c2e1d3fce153260565f48ca900d4e0590688031013e1f425dfa8b1d89e0f1194516438b42dc158e2 mosquitto-1.4.x-cve-2018-12551.patch
+e6544a171eb792ca80b3179e860474e6b19cfc99abe1d05173dac2bd310b2a8c6fcc9c6718812236ceb570f96a137f38eb621fe971cd63b8fe1178e0f2820207 mosquitto-1.4.x-cve-2018-12546.patch
16f96d8f7f3a8b06e2b2e04d42d7e0d89a931b52277fc017e4802f7a3bc85aff4dd290b1a0c40382ea8f5568d0ceb7319c031d9be916f346d805231a002b0433 mosquitto.initd"
diff --git a/main/mosquitto/mosquitto-1.4.x-cve-2018-12546.patch b/main/mosquitto/mosquitto-1.4.x-cve-2018-12546.patch
new file mode 100644
index 00000000000..6ae3457199a
--- /dev/null
+++ b/main/mosquitto/mosquitto-1.4.x-cve-2018-12546.patch
@@ -0,0 +1,625 @@
+diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
+index e27fb58..f429a6f 100644
+--- a/man/mosquitto.conf.5.xml
++++ b/man/mosquitto.conf.5.xml
+@@ -230,6 +230,24 @@
+ <para>Reloaded on reload signal.</para>
+ </listitem>
+ </varlistentry>
++ <varlistentry>
++ <term><option>check_retain_source</option> [ true | false ]</term>
++ <listitem>
++ <para>This option affects the scenario when a client
++ subscribes to a topic that has retained messages. It is
++ possible that the client that published the retained
++ message to the topic had access at the time they
++ published, but that access has been subsequently
++ removed. If <option>check_retain_source</option> is set
++ to true, the default, the source of a retained message
++ will be checked for access rights before it is
++ republished. When set to false, no check will be made
++ and the retained message will always be
++ published.</para>
++ <para>This option applies globally, regardless of the
++ <option>per_listener_settings</option> option.</para>
++ </listitem>
++ </varlistentry>
+ <varlistentry>
+ <term><option>clientid_prefixes</option> <replaceable>prefix</replaceable></term>
+ <listitem>
+diff --git a/mosquitto.conf b/mosquitto.conf
+index df1aa8b..70f1f80 100644
+--- a/mosquitto.conf
++++ b/mosquitto.conf
+@@ -122,6 +122,15 @@
+ # This is a non-standard option explicitly disallowed by the spec.
+ #upgrade_outgoing_qos false
+
++# This option affects the scenario when a client subscribes to a topic that has
++# retained messages. It is possible that the client that published the retained
++# message to the topic had access at the time they published, but that access
++# has been subsequently removed. If check_retain_source is set to true, the
++# default, the source of a retained message will be checked for access rights
++# before it is republished. When set to false, no check will be made and the
++# retained message will always be published. This affects all listeners.
++#check_retain_source true
++
+ # =================================================================
+ # Default listener
+ # =================================================================
+diff --git a/src/conf.c b/src/conf.c
+index 6edd705..a060827 100644
+--- a/src/conf.c
++++ b/src/conf.c
+@@ -971,6 +971,8 @@ int _config_read_file_core(struct mqtt3_config *config, bool reload, const char
+ #else
+ _mosquitto_log_printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available.");
+ #endif
++ }else if(!strcmp(token, "check_retain_source")){
++ if(_conf_parse_bool(&token, "check_retain_source", &config->check_retain_source, saveptr)) return MOSQ_ERR_INVAL;
+ }else if(!strcmp(token, "ciphers")){
+ #ifdef WITH_TLS
+ if(reload) continue; // Listeners not valid for reloading.
+diff --git a/src/database.c b/src/database.c
+index 6de68a9..a952337 100644
+--- a/src/database.c
++++ b/src/database.c
+@@ -161,6 +161,7 @@ void mosquitto__db_msg_store_remove(struct mosquitto_db *db, struct mosquitto_ms
+ db->msg_store_count--;
+
+ if(store->source_id) _mosquitto_free(store->source_id);
++ if(store->source_username) _mosquitto_free(store->source_username);
+ if(store->dest_ids){
+ for(i=0; i<store->dest_id_count; i++){
+ if(store->dest_ids[i]) _mosquitto_free(store->dest_ids[i]);
+@@ -518,24 +519,24 @@ int mqtt3_db_messages_easy_queue(struct mosquitto_db *db, struct mosquitto *cont
+ }else{
+ source_id = "";
+ }
+- if(mqtt3_db_message_store(db, source_id, 0, topic, qos, payloadlen, payload, retain, &stored, 0)) return 1;
++ if(mqtt3_db_message_store(db, context, 0, topic, qos, payloadlen, payload, retain, &stored, 0)) return 1;
+
+ return mqtt3_db_messages_queue(db, source_id, topic, qos, retain, &stored);
+ }
+
+-int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t source_mid, const char *topic, int qos, uint32_t payloadlen, const void *payload, int retain, struct mosquitto_msg_store **stored, dbid_t store_id)
++int mqtt3_db_message_store(struct mosquitto_db *db, const struct mosquitto *source, uint16_t source_mid, const char *topic, int qos, uint32_t payloadlen, const void *payload, int retain, struct mosquitto_msg_store **stored, dbid_t store_id)
+ {
+ struct mosquitto_msg_store *temp;
+
+ assert(db);
+ assert(stored);
+
+- temp = _mosquitto_malloc(sizeof(struct mosquitto_msg_store));
++ temp = _mosquitto_calloc(1, sizeof(struct mosquitto_msg_store));
+ if(!temp) return MOSQ_ERR_NOMEM;
+
+ temp->ref_count = 0;
+- if(source){
+- temp->source_id = _mosquitto_strdup(source);
++ if(source && source->id){
++ temp->source_id = _mosquitto_strdup(source->id);
+ }else{
+ temp->source_id = _mosquitto_strdup("");
+ }
+@@ -544,6 +545,18 @@ int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t
+ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
+ return MOSQ_ERR_NOMEM;
+ }
++
++ if(source && source->username){
++ temp->source_username = _mosquitto_strdup(source->username);
++ if(!temp->source_username){
++ _mosquitto_free(temp->source_id);
++ _mosquitto_free(temp);
++ return MOSQ_ERR_NOMEM;
++ }
++ }
++ if(source){
++ temp->source_listener = source->listener;
++ }
+ temp->source_mid = source_mid;
+ temp->mid = 0;
+ temp->qos = qos;
+@@ -552,6 +565,7 @@ int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t
+ temp->topic = _mosquitto_strdup(topic);
+ if(!temp->topic){
+ _mosquitto_free(temp->source_id);
++ _mosquitto_free(temp->source_username);
+ _mosquitto_free(temp);
+ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
+ return MOSQ_ERR_NOMEM;
+@@ -564,6 +578,7 @@ int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t
+ temp->payload = _mosquitto_malloc(sizeof(char)*payloadlen);
+ if(!temp->payload){
+ if(temp->source_id) _mosquitto_free(temp->source_id);
++ if(temp->source_username) _mosquitto_free(temp->source_username);
+ if(temp->topic) _mosquitto_free(temp->topic);
+ if(temp->payload) _mosquitto_free(temp->payload);
+ _mosquitto_free(temp);
+@@ -576,6 +591,7 @@ int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t
+
+ if(!temp->source_id || (payloadlen && !temp->payload)){
+ if(temp->source_id) _mosquitto_free(temp->source_id);
++ if(temp->source_username) _mosquitto_free(temp->source_username);
+ if(temp->topic) _mosquitto_free(temp->topic);
+ if(temp->payload) _mosquitto_free(temp->payload);
+ _mosquitto_free(temp);
+diff --git a/src/mosquitto_broker.h b/src/mosquitto_broker.h
+index 8d19790..7d535cf 100644
+--- a/src/mosquitto_broker.h
++++ b/src/mosquitto_broker.h
+@@ -109,6 +109,7 @@ struct mqtt3_config {
+ int auto_id_prefix_len;
+ int autosave_interval;
+ bool autosave_on_changes;
++ bool check_retain_source;
+ char *clientid_prefixes;
+ bool connection_messages;
+ bool daemon;
+@@ -176,6 +177,8 @@ struct mosquitto_msg_store{
+ struct mosquitto_msg_store *prev;
+ dbid_t db_id;
+ char *source_id;
++ char *source_username;
++ struct _mqtt3_listener *source_listener;
+ char **dest_ids;
+ int dest_id_count;
+ int ref_count;
+@@ -421,7 +424,7 @@ int mqtt3_db_message_write(struct mosquitto_db *db, struct mosquitto *context);
+ int mqtt3_db_messages_delete(struct mosquitto_db *db, struct mosquitto *context);
+ int mqtt3_db_messages_easy_queue(struct mosquitto_db *db, struct mosquitto *context, const char *topic, int qos, uint32_t payloadlen, const void *payload, int retain);
+ int mqtt3_db_messages_queue(struct mosquitto_db *db, const char *source_id, const char *topic, int qos, int retain, struct mosquitto_msg_store **stored);
+-int mqtt3_db_message_store(struct mosquitto_db *db, const char *source, uint16_t source_mid, const char *topic, int qos, uint32_t payloadlen, const void *payload, int retain, struct mosquitto_msg_store **stored, dbid_t store_id);
++int mqtt3_db_message_store(struct mosquitto_db *db, const struct mosquitto *source, uint16_t source_mid, const char *topic, int qos, uint32_t payloadlen, const void *payload, int retain, struct mosquitto_msg_store **stored, dbid_t store_id);
+ int mqtt3_db_message_store_find(struct mosquitto *context, uint16_t mid, struct mosquitto_msg_store **stored);
+ void mosquitto__db_msg_store_add(struct mosquitto_db *db, struct mosquitto_msg_store *store);
+ void mosquitto__db_msg_store_remove(struct mosquitto_db *db, struct mosquitto_msg_store *store);
+@@ -471,6 +474,7 @@ void mqtt3_bridge_packet_cleanup(struct mosquitto *context);
+ /* ============================================================
+ * Security related functions
+ * ============================================================ */
++int acl__find_acls(struct mosquitto_db *db, struct mosquitto *context);
+ int mosquitto_security_module_init(struct mosquitto_db *db);
+ int mosquitto_security_module_cleanup(struct mosquitto_db *db);
+
+diff --git a/src/persist.c b/src/persist.c
+index 7cf50b6..3f20b68 100644
+--- a/src/persist.c
++++ b/src/persist.c
+@@ -39,6 +39,8 @@ static uint32_t db_version;
+
+
+ static int _db_restore_sub(struct mosquitto_db *db, const char *client_id, const char *sub, int qos);
++static int persist__read_string(FILE *db_fptr, char **str);
++static int persist__write_string(FILE *db_fptr, const char *str, bool nullok);
+
+ static struct mosquitto *_db_find_or_add_context(struct mosquitto_db *db, const char *client_id, uint16_t last_mid)
+ {
+@@ -148,10 +151,19 @@ static int mqtt3_db_message_store_write(struct mosquitto_db *db, FILE *db_fptr)
+ }else{
+ tlen = 0;
+ }
+- length = htonl(sizeof(dbid_t) + 2+strlen(stored->source_id) +
++ length = sizeof(dbid_t) + 2+strlen(stored->source_id) +
+ sizeof(uint16_t) + sizeof(uint16_t) +
+ 2+tlen + sizeof(uint32_t) +
+- stored->payloadlen + sizeof(uint8_t) + sizeof(uint8_t));
++ stored->payloadlen + sizeof(uint8_t) + sizeof(uint8_t)
++ + 2*sizeof(uint16_t);
++
++ if(stored->source_id){
++ length += strlen(stored->source_id);
++ }
++ if(stored->source_username){
++ length += strlen(stored->source_username);
++ }
++ length = htonl(length);
+
+ i16temp = htons(DB_CHUNK_MSG_STORE);
+ write_e(db_fptr, &i16temp, sizeof(uint16_t));
+@@ -160,12 +172,15 @@ static int mqtt3_db_message_store_write(struct mosquitto_db *db, FILE *db_fptr)
+ i64temp = stored->db_id;
+ write_e(db_fptr, &i64temp, sizeof(dbid_t));
+
+- slen = strlen(stored->source_id);
+- i16temp = htons(slen);
+- write_e(db_fptr, &i16temp, sizeof(uint16_t));
+- if(slen){
+- write_e(db_fptr, stored->source_id, slen);
++ if(persist__write_string(db_fptr, stored->source_id, false)) return 1;
++ if(persist__write_string(db_fptr, stored->source_username, true)) return 1;
++ if(stored->source_listener){
++ i16temp = htons(stored->source_listener->port);
++ }else{
++ i16temp = 0;
+ }
++ write_e(db_fptr, &i16temp, sizeof(uint16_t));
++
+
+ i16temp = htons(stored->source_mid);
+ write_e(db_fptr, &i16temp, sizeof(uint16_t));
+@@ -243,6 +258,60 @@ error:
+ return 1;
+ }
+
++
++static int persist__read_string(FILE *db_fptr, char **str)
++{
++ uint16_t i16temp;
++ uint16_t slen;
++ char *s = NULL;
++
++ if(fread(&i16temp, 1, sizeof(uint16_t), db_fptr) != sizeof(uint16_t)){
++ return MOSQ_ERR_INVAL;
++ }
++
++ slen = ntohs(i16temp);
++ if(slen){
++ s = _mosquitto_malloc(slen+1);
++ if(!s){
++ fclose(db_fptr);
++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
++ return MOSQ_ERR_NOMEM;
++ }
++ if(fread(s, 1, slen, db_fptr) != slen){
++ _mosquitto_free(s);
++ return MOSQ_ERR_NOMEM;
++ }
++ s[slen] = '\0';
++ }
++
++ *str = s;
++ return MOSQ_ERR_SUCCESS;
++}
++
++
++static int persist__write_string(FILE *db_fptr, const char *str, bool nullok)
++{
++ uint16_t i16temp, slen;
++
++ if(str){
++ slen = strlen(str);
++ i16temp = htons(slen);
++ write_e(db_fptr, &i16temp, sizeof(uint16_t));
++ write_e(db_fptr, str, slen);
++ }else if(nullok){
++ i16temp = htons(0);
++ write_e(db_fptr, &i16temp, sizeof(uint16_t));
++ }else{
++ return 1;
++ }
++
++ return MOSQ_ERR_SUCCESS;
++error:
++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: %s.", strerror(errno));
++ return 1;
++}
++
++
+ static int _db_subs_retain_write(struct mosquitto_db *db, FILE *db_fptr, struct _mosquitto_subhier *node, const char *topic, int level)
+ {
+ struct _mosquitto_subhier *subhier;
+@@ -555,9 +624,9 @@ static int _db_msg_store_chunk_restore(struct mosquitto_db *db, FILE *db_fptr)
+ {
+ dbid_t i64temp, store_id;
+ uint32_t i32temp, payloadlen;
+- uint16_t i16temp, slen, source_mid;
++ uint16_t i16temp, source_mid, source_port = 0;
+ uint8_t qos, retain, *payload = NULL;
+- char *source_id = NULL;
++ struct mosquitto source;
+ char *topic = NULL;
+ int rc = 0;
+ struct mosquitto_msg_store *stored = NULL;
+@@ -574,41 +643,45 @@ static int _db_msg_store_chunk_restore(struct mosquitto_db *db, FILE *db_fptr)
+ read_e(db_fptr, &i64temp, sizeof(dbid_t));
+ store_id = i64temp;
+
+- read_e(db_fptr, &i16temp, sizeof(uint16_t));
+- slen = ntohs(i16temp);
+- if(slen){
+- source_id = _mosquitto_malloc(slen+1);
+- if(!source_id){
++ memset(&source, 0, sizeof(struct mosquitto));
++
++ rc = persist__read_string(db_fptr, &source.id);
++ if(rc){
++ _mosquitto_free(load);
++ return rc;
++ }
++ if(db_version == 4){
++ rc = persist__read_string(db_fptr, &source.username);
++ if(rc){
+ _mosquitto_free(load);
+- fclose(db_fptr);
+- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
+- return MOSQ_ERR_NOMEM;
++ return rc;
++ }
++ read_e(db_fptr, &i16temp, sizeof(uint16_t));
++ source_port = ntohs(i16temp);
++ if(source_port){
++ for(int i=0; i<db->config->listener_count; i++){
++ if(db->config->listeners[i].port == source_port){
++ source.listener = &db->config->listeners[i];
++ break;
++ }
++ }
+ }
+- read_e(db_fptr, source_id, slen);
+- source_id[slen] = '\0';
+ }
++
+ read_e(db_fptr, &i16temp, sizeof(uint16_t));
+ source_mid = ntohs(i16temp);
+
+ /* This is the mid - don't need it */
+ read_e(db_fptr, &i16temp, sizeof(uint16_t));
+
+- read_e(db_fptr, &i16temp, sizeof(uint16_t));
+- slen = ntohs(i16temp);
+- if(slen){
+- topic = _mosquitto_malloc(slen+1);
+- if(!topic){
+- _mosquitto_free(load);
+- fclose(db_fptr);
+- if(source_id) _mosquitto_free(source_id);
+- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
+- return MOSQ_ERR_NOMEM;
+- }
+- read_e(db_fptr, topic, slen);
+- topic[slen] = '\0';
+- }else{
+- topic = NULL;
++ rc = persist__read_string(db_fptr, &topic);
++ if(rc){
++ _mosquitto_free(load);
++ fclose(db_fptr);
++ _mosquitto_free(source.id);
++ return rc;
+ }
++
+ read_e(db_fptr, &qos, sizeof(uint8_t));
+ read_e(db_fptr, &retain, sizeof(uint8_t));
+
+@@ -624,7 +693,7 @@ static int _db_msg_store_chunk_restore(struct mosquitto_db *db, FILE *db_fptr)
+ if(!payload){
+ _mosquitto_free(load);
+ fclose(db_fptr);
+- if(source_id) _mosquitto_free(source_id);
++ if(source.id) _mosquitto_free(source.id);
+ _mosquitto_free(topic);
+ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
+ return MOSQ_ERR_NOMEM;
+@@ -632,14 +701,14 @@ static int _db_msg_store_chunk_restore(struct mosquitto_db *db, FILE *db_fptr)
+ read_e(db_fptr, payload, payloadlen);
+ }
+
+- rc = mqtt3_db_message_store(db, source_id, source_mid, topic, qos, payloadlen, payload, retain, &stored, store_id);
++ rc = mqtt3_db_message_store(db, &source, source_mid, topic, qos, payloadlen, payload, retain, &stored, store_id);
+
+ load->db_id = stored->db_id;
+ load->store = stored;
+
+ HASH_ADD(hh, db->msg_store_load, db_id, sizeof(dbid_t), load);
+
+- if(source_id) _mosquitto_free(source_id);
++ if(source.id) _mosquitto_free(source.id);
+ _mosquitto_free(topic);
+ _mosquitto_free(payload);
+
+@@ -648,7 +717,7 @@ error:
+ strerror_r(errno, err, 256);
+ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: %s.", err);
+ fclose(db_fptr);
+- if(source_id) _mosquitto_free(source_id);
++ if(source.id) _mosquitto_free(source.id);
+ if(topic) _mosquitto_free(topic);
+ if(payload) _mosquitto_free(payload);
+ return 1;
+@@ -679,35 +748,24 @@ static int _db_retain_chunk_restore(struct mosquitto_db *db, FILE *db_fptr)
+
+ static int _db_sub_chunk_restore(struct mosquitto_db *db, FILE *db_fptr)
+ {
+- uint16_t i16temp, slen;
+ uint8_t qos;
+ char *client_id;
+ char *topic;
+ int rc = 0;
+ char err[256];
+
+- read_e(db_fptr, &i16temp, sizeof(uint16_t));
+- slen = ntohs(i16temp);
+- client_id = _mosquitto_malloc(slen+1);
+- if(!client_id){
++ rc = persist__read_string(db_fptr, &client_id);
++ if(rc){
+ fclose(db_fptr);
+- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
+- return MOSQ_ERR_NOMEM;
++ return rc;
+ }
+- read_e(db_fptr, client_id, slen);
+- client_id[slen] = '\0';
+
+- read_e(db_fptr, &i16temp, sizeof(uint16_t));
+- slen = ntohs(i16temp);
+- topic = _mosquitto_malloc(slen+1);
+- if(!topic){
+- fclose(db_fptr);
+- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
++ rc = persist__read_string(db_fptr, &topic);
++ if(rc){
+ _mosquitto_free(client_id);
+- return MOSQ_ERR_NOMEM;
++ fclose(db_fptr);
++ return rc;
+ }
+- read_e(db_fptr, topic, slen);
+- topic[slen] = '\0';
+
+ read_e(db_fptr, &qos, sizeof(uint8_t));
+ if(_db_restore_sub(db, client_id, topic, qos)){
+@@ -756,7 +814,9 @@ int mqtt3_db_restore(struct mosquitto_db *db)
+ * Is your DB change still compatible with previous versions?
+ */
+ if(db_version > MOSQ_DB_VERSION && db_version != 0){
+- if(db_version == 2){
++ if(db_version == 3){
++ /* Addition of source_username and source_port to msg_store chunk in v4, v1.5.6 */
++ }else if(db_version == 2){
+ /* Addition of disconnect_t to client chunk in v3. */
+ }else{
+ fclose(fptr);
+diff --git a/src/persist.h b/src/persist.h
+index 808b05f..fb6f474 100644
+--- a/src/persist.h
++++ b/src/persist.h
+@@ -17,7 +17,7 @@ Contributors:
+ #ifndef PERSIST_H
+ #define PERSIST_H
+
+-#define MOSQ_DB_VERSION 3
++#define MOSQ_DB_VERSION 4
+
+ /* DB read/write */
+ const unsigned char magic[15] = {0x00, 0xB5, 0x00, 'm','o','s','q','u','i','t','t','o',' ','d','b'};
+diff --git a/src/read_handle.c b/src/read_handle.c
+index ddc16ce..51e88d4 100644
+--- a/src/read_handle.c
++++ b/src/read_handle.c
+@@ -220,7 +220,7 @@ int mqtt3_handle_publish(struct mosquitto_db *db, struct mosquitto *context)
+ }
+ if(!stored){
+ dup = 0;
+- if(mqtt3_db_message_store(db, context->id, mid, topic, qos, payloadlen, payload, retain, &stored, 0)){
++ if(mqtt3_db_message_store(db, context, mid, topic, qos, payloadlen, payload, retain, &stored, 0)){
+ _mosquitto_free(topic);
+ if(payload) _mosquitto_free(payload);
+ return 1;
+@@ -266,7 +266,7 @@ process_bad_message:
+ case 2:
+ mqtt3_db_message_store_find(context, mid, &stored);
+ if(!stored){
+- if(mqtt3_db_message_store(db, context->id, mid, NULL, qos, 0, NULL, false, &stored, 0)){
++ if(mqtt3_db_message_store(db, context, mid, NULL, qos, 0, NULL, false, &stored, 0)){
+ return 1;
+ }
+ res = mqtt3_db_message_insert(db, context, mid, mosq_md_in, qos, false, stored);
+diff --git a/src/read_handle_server.c b/src/read_handle_server.c
+index 2b9c8f5..c075344 100644
+--- a/src/read_handle_server.c
++++ b/src/read_handle_server.c
+@@ -89,7 +89,6 @@ int mqtt3_handle_connect(struct mosquitto_db *db, struct mosquitto *context)
+ uint8_t username_flag, password_flag;
+ char *username = NULL, *password = NULL;
+ int rc;
+- struct _mosquitto_acl_user *acl_tail;
+ struct mosquitto_client_msg *msg_tail, *msg_prev;
+ struct mosquitto *found_context;
+ int slen;
+@@ -475,26 +474,8 @@ int mqtt3_handle_connect(struct mosquitto_db *db, struct mosquitto *context)
+ do_disconnect(db, found_context);
+ }
+
+- /* Associate user with its ACL, assuming we have ACLs loaded. */
+- if(db->acl_list){
+- acl_tail = db->acl_list;
+- while(acl_tail){
+- if(context->username){
+- if(acl_tail->username && !strcmp(context->username, acl_tail->username)){
+- context->acl_list = acl_tail;
+- break;
+- }
+- }else{
+- if(acl_tail->username == NULL){
+- context->acl_list = acl_tail;
+- break;
+- }
+- }
+- acl_tail = acl_tail->next;
+- }
+- }else{
+- context->acl_list = NULL;
+- }
++ rc = acl__find_acls(db, context);
++ if(rc) return rc;
+
+ if(will_struct){
+ context->will = will_struct;
+diff --git a/src/security_default.c b/src/security_default.c
+index a1d3ec1..8a39995 100644
+--- a/src/security_default.c
++++ b/src/security_default.c
+@@ -482,6 +482,39 @@ static int _acl_cleanup(struct mosquitto_db *db, bool reload)
+ return MOSQ_ERR_SUCCESS;
+ }
+
++
++int acl__find_acls(struct mosquitto_db *db, struct mosquitto *context)
++{
++ struct _mosquitto_acl_user *acl_tail;
++
++ /* Associate user with its ACL, assuming we have ACLs loaded. */
++ if(db->acl_list){
++ acl_tail = db->acl_list;
++ while(acl_tail){
++ if(context->username){
++ if(acl_tail->username && !strcmp(context->username, acl_tail->username)){
++ context->acl_list = acl_tail;
++ break;
++ }
++ }else{
++ if(acl_tail->username == NULL){
++ context->acl_list = acl_tail;
++ break;
++ }
++ }
++ acl_tail = acl_tail->next;
++ }
++ if(context->username && context->acl_list == NULL){
++ return MOSQ_ERR_INVAL;
++ }
++ }else{
++ context->acl_list = NULL;
++ }
++
++ return MOSQ_ERR_SUCCESS;
++}
++
++
+ static int _pwfile_parse(const char *file, struct _mosquitto_unpwd **root)
+ {
+ FILE *pwfile;
+diff --git a/src/subs.c b/src/subs.c
+index 4f64b3e..7aed30f 100644
+--- a/src/subs.c
++++ b/src/subs.c
+@@ -681,6 +681,26 @@ static int _retain_process(struct mosquitto_db *db, struct mosquitto_msg_store *
+ return rc;
+ }
+
++ /* Check for original source access */
++ if(db->config->check_retain_source && retained->source_id){
++ struct mosquitto retain_ctxt;
++ memset(&retain_ctxt, 0, sizeof(struct mosquitto));
++
++ retain_ctxt.id = retained->source_id;
++ retain_ctxt.username = retained->source_username;
++ retain_ctxt.listener = retained->source_listener;
++
++ rc = acl__find_acls(db, &retain_ctxt);
++ if(rc) return rc;
++
++ rc = mosquitto_acl_check(db, &retain_ctxt, retained->topic, MOSQ_ACL_WRITE);
++ if(rc == MOSQ_ERR_ACL_DENIED){
++ return MOSQ_ERR_SUCCESS;
++ }else if(rc != MOSQ_ERR_SUCCESS){
++ return rc;
++ }
++ }
++
+ if (db->config->upgrade_outgoing_qos){
+ qos = sub_qos;
+ } else {
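Review bot: `acl__find_acls()` returns `MOSQ_ERR_INVAL` whenever a username has no per-user entry in `db->acl_list`, and both new callers propagate it: `mqtt3_handle_connect` returns the error from the CONNECT handler, and `_retain_process` returns an error rather than dropping the retained message when the original publisher has been removed from the ACL file, which is the case this fix targets. Dropping the `if(context->username && context->acl_list == NULL)` block and returning `MOSQ_ERR_SUCCESS` with `context->acl_list` left NULL would leave the decision to `mosquitto_acl_check()` (its body, like the rest of these functions, lies outside the inner hunks, so confirm that it denies a NULL list). In src/persist.c, `persist__read_string()` calls `fclose(db_fptr)` on allocation failure, while `_db_sub_chunk_restore` and the topic read in `_db_msg_store_chunk_restore` close the stream again on any non-zero return; remove the `fclose(db_fptr);` from the helper so only the caller owns the stream. `source.username` is read for version 4 files but never released on the success path, under `error:` or in the topic-failure branch, so add `_mosquitto_free(source.username);` beside each `_mosquitto_free(source.id)`. `mqtt3_db_message_store_write` also keeps `2+strlen(stored->source_id)` in the base `length` and then adds `strlen(stored->source_id)` a second time, so the chunk length written to disk is larger than the bytes that follow.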
diff --git a/main/mosquitto/mosquitto-1.4.x-cve-2018-12550.patch b/main/mosquitto/mosquitto-1.4.x-cve-2018-12550.patch
new file mode 100644
index 00000000000..c6a4d9406e4
--- /dev/null
+++ b/main/mosquitto/mosquitto-1.4.x-cve-2018-12550.patch
@@ -0,0 +1,28 @@
+Description: Fix for CVE-2018-12550
+Author: Roger Light <roger@atchoo.org>
+Forwarded: not-needed
+Origin: upstream, https://mosquitto.org/files/cve/2018-12550/mosquitto-1.4.x_cve-2018-12550.patch
+Index: mosquitto-1.4.10/src/security_default.c
+===================================================================
+--- mosquitto-1.4.10.orig/src/security_default.c
++++ mosquitto-1.4.10/src/security_default.c
+@@ -231,7 +231,7 @@ int mosquitto_acl_check_default(struct m
+ char *s;
+
+ if(!db || !context || !topic) return MOSQ_ERR_INVAL;
+- if(!db->acl_list && !db->acl_patterns) return MOSQ_ERR_SUCCESS;
++ if(!db->config->acl_file && !db->acl_list && !db->acl_patterns) return MOSQ_ERR_SUCCESS;
+ if(context->bridge) return MOSQ_ERR_SUCCESS;
+ if(!context->acl_list && !db->acl_patterns) return MOSQ_ERR_ACL_DENIED;
+
+@@ -442,6 +442,10 @@ static int _aclfile_parse(struct mosquit
+ fclose(aclfile);
+ return 1;
+ }
++ }else{
++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid line in acl_file \"%s\": %s.", db->config->acl_file, buf);
++ fclose(aclfile);
++ return 1;
+ }
+ }
+ }
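Review bot: The new `!db->config->acl_file &&` term in `mosquitto_acl_check_default` is what makes a configured but empty ACL file fall through to the `MOSQ_ERR_ACL_DENIED` check instead of returning success, and nothing in the code says so. A comment above that line would keep a later cleanup from removing it, e.g. `/* acl_file set but no entries loaded: do not short-circuit to success, let the checks below deny */`. In the `_aclfile_parse` hunk the rejected line is logged through `buf`; if the tokenizer has already written NUL bytes into `buf` by then (the parsing code is outside this hunk), the message will show only the first token of the offending line.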
diff --git a/main/mosquitto/mosquitto-1.4.x-cve-2018-12551.patch b/main/mosquitto/mosquitto-1.4.x-cve-2018-12551.patch
new file mode 100644
index 00000000000..fee254dea86
--- /dev/null
+++ b/main/mosquitto/mosquitto-1.4.x-cve-2018-12551.patch
@@ -0,0 +1,94 @@
+Description: Fix for CVE-2018-12551
+Author: Roger Light <roger@atchoo.org>
+Forwarded: not-needed
+Origin: upstream, https://mosquitto.org/files/cve/2018-12551/mosquitto-1.4.x_cve-2018-12551.patch
+Index: mosquitto-1.4.10/src/security_default.c
+===================================================================
+--- mosquitto-1.4.10.orig/src/security_default.c
++++ mosquitto-1.4.10/src/security_default.c
+@@ -556,6 +556,9 @@ static int _pwfile_parse(const char *fil
+
+ while(!feof(pwfile)){
+ if(fgets(buf, 256, pwfile)){
++ if(buf[0] == '#') continue;
++ if(!strchr(buf, ':')) continue;
++
+ username = strtok_r(buf, ":", &saveptr);
+ if(username){
+ unpwd = _mosquitto_calloc(1, sizeof(struct _mosquitto_unpwd));
+@@ -588,8 +591,13 @@ static int _pwfile_parse(const char *fil
+ unpwd->password[len-1] = '\0';
+ len = strlen(unpwd->password);
+ }
++
++ HASH_ADD_KEYPTR(hh, *root, unpwd->username, strlen(unpwd->username), unpwd);
++ }else{
++ _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "Warning: Invalid line in password file '%s': %s", file, buf);
++ _mosquitto_free(unpwd->username);
++ _mosquitto_free(unpwd);
+ }
+- HASH_ADD_KEYPTR(hh, *root, unpwd->username, strlen(unpwd->username), unpwd);
+ }
+ }
+ }
+@@ -626,34 +634,39 @@ static int _unpwd_file_parse(struct mosq
+ token = strtok(NULL, "$");
+ if(token){
+ rc = _base64_decode(token, &salt, &salt_len);
+- if(rc){
+- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password salt for user %s.", u->username);
+- return MOSQ_ERR_INVAL;
+- }
+- u->salt = salt;
+- u->salt_len = salt_len;
+- token = strtok(NULL, "$");
+- if(token){
+- rc = _base64_decode(token, &password, &password_len);
+- if(rc){
+- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password for user %s.", u->username);
+- return MOSQ_ERR_INVAL;
++ if(rc == MOSQ_ERR_SUCCESS && salt_len == 12){
++ u->salt = salt;
++ u->salt_len = salt_len;
++ token = strtok(NULL, "$");
++ if(token){
++ rc = _base64_decode(token, &password, &password_len);
++ if(rc == MOSQ_ERR_SUCCESS && password_len == 64){
++ _mosquitto_free(u->password);
++ u->password = (char *)password;
++ u->password_len = password_len;
++ }else{
++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password for user %s, removing entry.", u->username);
++ HASH_DEL(db->unpwd, u);
++ }
++ }else{
++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
++ HASH_DEL(db->unpwd, u);
+ }
+- _mosquitto_free(u->password);
+- u->password = (char *)password;
+- u->password_len = password_len;
+ }else{
+- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
+- return MOSQ_ERR_INVAL;
++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password salt for user %s, removing entry.", u->username);
++ HASH_DEL(db->unpwd, u);
+ }
+ }else{
+- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
+- return MOSQ_ERR_INVAL;
++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
++ HASH_DEL(db->unpwd, u);
+ }
+ }else{
+- _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
+- return MOSQ_ERR_INVAL;
++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
++ HASH_DEL(db->unpwd, u);
+ }
++ }else{
++ _mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Missing password hash for user %s, removing entry.", u->username);
++ HASH_DEL(db->unpwd, u);
+ }
+ }
+ #endif
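Review bot: Each of the six new `HASH_DEL(db->unpwd, u);` calls in `_unpwd_file_parse` unlinks the entry without freeing `u`, `u->username`, `u->password` or an already assigned `u->salt`, so every rejected password-file entry leaks on load and again on each reload. The branches taken when decoding succeeds but `salt_len != 12` or `password_len != 64` also drop the freshly decoded `salt` or `password` buffer, which `u` does not own at that point and which should be freed there. A small helper that unlinks and frees, called at each site, keeps the cleanup in one place. It assumes the enclosing loop, which is outside this hunk, tolerates deletion during iteration (for example `HASH_ITER`) and that these fields are heap-owned.

```c
/* Proposed helper: unlink a rejected entry from db->unpwd and release everything it owns. */
static void _unpwd_discard(struct mosquitto_db *db, struct _mosquitto_unpwd *u)
{
	HASH_DEL(db->unpwd, u);
	_mosquitto_free(u->username);
	_mosquitto_free(u->password);
	_mosquitto_free(u->salt);
	_mosquitto_free(u);
}

/* … unchanged: token parsing and base64 decoding in _unpwd_file_parse … */
	_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Missing password hash for user %s, removing entry.", u->username);
	_unpwd_discard(db, u);
```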
diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD
index a6ce6887d0c..bd8c74c0753 100644
--- a/main/musl/APKBUILD
+++ b/main/musl/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Timo Teräs <timo.teras@iki.fi>
pkgname=musl
pkgver=1.1.18
-pkgrel=3
+pkgrel=4
pkgdesc="the musl c library (libc) implementation"
url="http://www.musl-libc.org/"
arch="all"
@@ -17,6 +17,7 @@ nolibc) ;;
*) subpackages="$subpackages $pkgname-utils";;
esac
source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz
+ CVE-2019-14697.patch
0001-fix-sysconf-for-infinite-rlimits.patch
0001-use-the-name-UTC-instead-of-GMT-for-UTC-timezone.patch
1000-implement-strftime-GNU-extension-padding-specifiers-.patch
@@ -31,6 +32,8 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz
"
# secfixes:
+# 1.1.18-r4:
+# - CVE-2019-14697
# 1.1.15-r4:
# - CVE-2016-8859
@@ -145,6 +148,7 @@ compat() {
}
sha512sums="4d55c92efe41dfdd9fff6aca5dda76a632a3be60d10e5a7f66a4731d8f7040fb0a20b998965ba4d069b4f8a3527fcd7388e646cb66afc649c4d0cc6c3d358c9c musl-1.1.18.tar.gz
+37ab61c96b940848e4114de105d87754c7039f52eb2fc19d8bf59c27f484bffbac8b4740e9478207eae03bd7416f7036e04197d0efe30ee5293b17d6d5c1cc15 CVE-2019-14697.patch
7b44cc006d37672a67bc261de33e64d11f6426fd1ab3ff80f9f980aefc8e0b099ab61f95d110eeb59f75c2fe772fe13bc5546c194c3f90ca9ec4c812dfff6b1b 0001-fix-sysconf-for-infinite-rlimits.patch
c28abac671f531d200bd1ebc934fc57b1c04404e49237dd6cfde4fe72e4fd8b855df0e75f76d62ec930c56daa00a12a6a3b3bb1c86576c7504fdf9628ad58975 0001-use-the-name-UTC-instead-of-GMT-for-UTC-timezone.patch
7e4c703e57a3564cd3ee1d5334b806cbe654355179ba55d4d25361dfc555eb4a7d081d80d64fdaff8476949afd04558d278b124d1fb108080beaa5ba2f8ce2b9 1000-implement-strftime-GNU-extension-padding-specifiers-.patch
diff --git a/main/musl/CVE-2019-14697.patch b/main/musl/CVE-2019-14697.patch
new file mode 100644
index 00000000000..eae91a00f9c
--- /dev/null
+++ b/main/musl/CVE-2019-14697.patch
@@ -0,0 +1,233 @@
+From f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Mon, 5 Aug 2019 18:41:47 -0400
+Subject: fix x87 stack imbalance in corner cases of i386 math asm
+
+commit 31c5fb80b9eae86f801be4f46025bc6532a554c5 introduced underflow
+code paths for the i386 math asm, along with checks on the fpu status
+word to skip the underflow-generation instructions if the underflow
+flag was already raised. unfortunately, at least one such path, in
+log1p, returned with 2 items on the x87 stack rather than just 1 item
+for the return value. this is a violation of the ABI's calling
+convention, and could cause subsequent floating point code to produce
+NANs due to x87 stack overflow. if floating point results are used in
+flow control, this can lead to runaway wrong code execution.
+
+rather than reviewing each "underflow already raised" code path for
+correctness, remove them all. they're likely slower than just
+performing the underflow code unconditionally, and significantly more
+complex.
+
+all of this code should be ripped out and replaced by C source files
+with inline asm. doing so would preclude this kind of error by having
+the compiler perform all x87 stack register allocation and stack
+manipulation, and would produce comparable or better code. however
+such a change is a much larger project.
+---
+ src/math/i386/asin.s | 10 ++--------
+ src/math/i386/atan.s | 7 ++-----
+ src/math/i386/atan2.s | 5 +----
+ src/math/i386/atan2f.s | 5 +----
+ src/math/i386/atanf.s | 7 ++-----
+ src/math/i386/exp.s | 10 ++--------
+ src/math/i386/log1p.s | 7 ++-----
+ src/math/i386/log1pf.s | 7 ++-----
+ 8 files changed, 14 insertions(+), 44 deletions(-)
+
+diff --git a/src/math/i386/asin.s b/src/math/i386/asin.s
+index a9f691bf..920d967a 100644
+--- a/src/math/i386/asin.s
++++ b/src/math/i386/asin.s
+@@ -7,13 +7,10 @@ asinf:
+ cmp $0x01000000,%eax
+ jae 1f
+ # subnormal x, return x with underflow
+- fnstsw %ax
+- and $16,%ax
+- jnz 2f
+ fld %st(0)
+ fmul %st(1)
+ fstps 4(%esp)
+-2: ret
++ ret
+
+ .global asinl
+ .type asinl,@function
+@@ -30,11 +27,8 @@ asin:
+ cmp $0x00200000,%eax
+ jae 1f
+ # subnormal x, return x with underflow
+- fnstsw %ax
+- and $16,%ax
+- jnz 2f
+ fsts 4(%esp)
+-2: ret
++ ret
+ 1: fld %st(0)
+ fld1
+ fsub %st(0),%st(1)
+diff --git a/src/math/i386/atan.s b/src/math/i386/atan.s
+index d73137b2..a26feae1 100644
+--- a/src/math/i386/atan.s
++++ b/src/math/i386/atan.s
+@@ -10,8 +10,5 @@ atan:
+ fpatan
+ ret
+ # subnormal x, return x with underflow
+-1: fnstsw %ax
+- and $16,%ax
+- jnz 2f
+- fsts 4(%esp)
+-2: ret
++1: fsts 4(%esp)
++ ret
+diff --git a/src/math/i386/atan2.s b/src/math/i386/atan2.s
+index a7d2979b..1fa0524d 100644
+--- a/src/math/i386/atan2.s
++++ b/src/math/i386/atan2.s
+@@ -10,8 +10,5 @@ atan2:
+ cmp $0x00200000,%eax
+ jae 1f
+ # subnormal x, return x with underflow
+- fnstsw %ax
+- and $16,%ax
+- jnz 1f
+ fsts 4(%esp)
+-1: ret
++ ret
+diff --git a/src/math/i386/atan2f.s b/src/math/i386/atan2f.s
+index 14b88ce5..0b264726 100644
+--- a/src/math/i386/atan2f.s
++++ b/src/math/i386/atan2f.s
+@@ -10,10 +10,7 @@ atan2f:
+ cmp $0x01000000,%eax
+ jae 1f
+ # subnormal x, return x with underflow
+- fnstsw %ax
+- and $16,%ax
+- jnz 1f
+ fld %st(0)
+ fmul %st(1)
+ fstps 4(%esp)
+-1: ret
++ ret
+diff --git a/src/math/i386/atanf.s b/src/math/i386/atanf.s
+index 8caddefa..893beac5 100644
+--- a/src/math/i386/atanf.s
++++ b/src/math/i386/atanf.s
+@@ -10,10 +10,7 @@ atanf:
+ fpatan
+ ret
+ # subnormal x, return x with underflow
+-1: fnstsw %ax
+- and $16,%ax
+- jnz 2f
+- fld %st(0)
++1: fld %st(0)
+ fmul %st(1)
+ fstps 4(%esp)
+-2: ret
++ ret
+diff --git a/src/math/i386/exp.s b/src/math/i386/exp.s
+index c7aa5b6e..df87c497 100644
+--- a/src/math/i386/exp.s
++++ b/src/math/i386/exp.s
+@@ -7,13 +7,10 @@ expm1f:
+ cmp $0x01000000,%eax
+ jae 1f
+ # subnormal x, return x with underflow
+- fnstsw %ax
+- and $16,%ax
+- jnz 2f
+ fld %st(0)
+ fmul %st(1)
+ fstps 4(%esp)
+-2: ret
++ ret
+
+ .global expm1l
+ .type expm1l,@function
+@@ -30,11 +27,8 @@ expm1:
+ cmp $0x00200000,%eax
+ jae 1f
+ # subnormal x, return x with underflow
+- fnstsw %ax
+- and $16,%ax
+- jnz 2f
+ fsts 4(%esp)
+-2: ret
++ ret
+ 1: fldl2e
+ fmulp
+ mov $0xc2820000,%eax
+diff --git a/src/math/i386/log1p.s b/src/math/i386/log1p.s
+index 6b6929c7..354f391a 100644
+--- a/src/math/i386/log1p.s
++++ b/src/math/i386/log1p.s
+@@ -16,9 +16,6 @@ log1p:
+ fyl2x
+ ret
+ # subnormal x, return x with underflow
+-2: fnstsw %ax
+- and $16,%ax
+- jnz 1f
+- fsts 4(%esp)
++2: fsts 4(%esp)
+ fstp %st(1)
+-1: ret
++ ret
+diff --git a/src/math/i386/log1pf.s b/src/math/i386/log1pf.s
+index c0bcd30f..4d3484cd 100644
+--- a/src/math/i386/log1pf.s
++++ b/src/math/i386/log1pf.s
+@@ -16,10 +16,7 @@ log1pf:
+ fyl2x
+ ret
+ # subnormal x, return x with underflow
+-2: fnstsw %ax
+- and $16,%ax
+- jnz 1f
+- fxch
++2: fxch
+ fmul %st(1)
+ fstps 4(%esp)
+-1: ret
++ ret
+--
+cgit v1.2.1
+
+From 6818c31c9bc4bbad5357f1de14bedf781e5b349e Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Mon, 5 Aug 2019 19:57:07 -0400
+Subject: fix build regression in i386 asm for atan2, atan2f
+
+commit f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 inadvertently removed
+labels that were still needed.
+---
+ src/math/i386/atan2.s | 2 +-
+ src/math/i386/atan2f.s | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/math/i386/atan2.s b/src/math/i386/atan2.s
+index 1fa0524d..76b95f31 100644
+--- a/src/math/i386/atan2.s
++++ b/src/math/i386/atan2.s
+@@ -11,4 +11,4 @@ atan2:
+ jae 1f
+ # subnormal x, return x with underflow
+ fsts 4(%esp)
+- ret
++1: ret
+diff --git a/src/math/i386/atan2f.s b/src/math/i386/atan2f.s
+index 0b264726..c9408a90 100644
+--- a/src/math/i386/atan2f.s
++++ b/src/math/i386/atan2f.s
+@@ -13,4 +13,4 @@ atan2f:
+ fld %st(0)
+ fmul %st(1)
+ fstps 4(%esp)
+- ret
++1: ret
+--
+cgit v1.2.1
+
diff --git a/main/nfdump/APKBUILD b/main/nfdump/APKBUILD
index cf588cf6445..5974b470b36 100644
--- a/main/nfdump/APKBUILD
+++ b/main/nfdump/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=nfdump
pkgver=1.6.15
-pkgrel=0
+pkgrel=1
pkgdesc="The nfdump tools collect and process netflow data on the command line."
url="http://nfdump.sourceforge.net/"
arch="all"
@@ -18,8 +18,15 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/phaag/nfdump/archive/v$pkgve
nfcapd.initd
sfcapd.confd
sfcapd.initd
+ CVE-2019-1010057.patch
+ CVE-2019-14459.patch
"
+# secfixes:
+# 1.6.15-r1:
+# - CVE-2019-1010057
+# - CVE-2019-14459
+
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
local i
@@ -73,21 +80,11 @@ sfcapd() {
"$subpkgdir"/etc/init.d/sfcapd
}
-md5sums="6f52c01099a2a74e451ebfb17bf92da8 nfdump-1.6.15.tar.gz
-e7f9467142159da5ebbb4aa858aae142 fix-64bit-fts-compat.patch
-541c45b9ac0e85ac955dd58919972b18 nfcapd.confd
-a82001153dbdfa6c4125064fcc7cd090 nfcapd.initd
-443ef11c9b458c12d0efea627742732c sfcapd.confd
-1ac7c20be80b87fc725310747125e081 sfcapd.initd"
-sha256sums="9505c0511d273b9aa3f87a5e664425689a3c7370c6ae3bbc05ff4bdb41bfd457 nfdump-1.6.15.tar.gz
-8ffd9160bb5cb639cec08ac68be5cbd33ef918e41630d02c18a75e03881cb5a9 fix-64bit-fts-compat.patch
-7cb26698b26f5cd6c9c6cb2b49bb7be3cc0faffe851c5ac5c78e0a41984a276f nfcapd.confd
-33c3b5c42655410661f1019e3b8bccb8b875400861a945a7dd784f80520f8a97 nfcapd.initd
-4559669b23534a7bec9cc9d342e7abd55316393ccb4dc57e9b335ac27bdf920c sfcapd.confd
-4fd63dee5323ce4116fffffa7573bb6a0f781d36867204e7d3670c182a078c56 sfcapd.initd"
sha512sums="a6bb4f2293ad85d8f16025e7272b889d3814cea2e9255dbd315ee92754675e4ee925c3ebe4e1350f2d5452d69d1d3c13ddeb656324a409c4744da1d4927fe1f2 nfdump-1.6.15.tar.gz
71a838d493658a3a8479bc9eca70a857fd8629937d4954d21c1d5453d6cc122c089f72e3e109425c902439ee8cfaa273b4089ac347d1fe926473ce6062b7c49a fix-64bit-fts-compat.patch
fcb467f819f2b73ac0e13de6de4d6c94cafd3866a7a56685d5d4a048fa975135299655e896ff8370c8c5061d03ab38644623f8be455c08dfe5f630f152820148 nfcapd.confd
97e432e884dd1cc8f27c2d7398bb0320164d46dea06c64ad72fa385d190998b3d62356634962f42652daf6e31f237baa2f3f3efad47c3fc38cc6bea799db61cc nfcapd.initd
abe594a95a9320bec1d6ee6af6b75cd4d176526d4b10d07aa7ed79fc292b51c341339ba8e1e468df9ec2aae138b1dd66e3a291921938217835ac33819da9d153 sfcapd.confd
-7a65c80186a8708a27e90a7239d1b44ee919c3bbf8cd1ca07ef5d35a623d0dce5eac516b65ba7a98c5fcfab5bad6c15e1f03af38a06eb6280afd1c1f0f52cee4 sfcapd.initd"
+7a65c80186a8708a27e90a7239d1b44ee919c3bbf8cd1ca07ef5d35a623d0dce5eac516b65ba7a98c5fcfab5bad6c15e1f03af38a06eb6280afd1c1f0f52cee4 sfcapd.initd
+c57441c5ec04c9b57ae65816731f0960459ab317ca579f2fcc85d5f0f76009e9f01462191e2ca6d3c79adbdf0c6e57633ae67c9f9eb65ef3063385e992ccfba6 CVE-2019-1010057.patch
+6964077020f2273cdb80a6ed72f001c3f5e7241c412681f59e0dd0a2d629d5d549e52e474401e7c7906cff3176440c5d5c419b87c36fa87107f70f45944dc105 CVE-2019-14459.patch"
diff --git a/main/nfdump/CVE-2019-1010057.patch b/main/nfdump/CVE-2019-1010057.patch
new file mode 100644
index 00000000000..3a7ae479108
--- /dev/null
+++ b/main/nfdump/CVE-2019-1010057.patch
@@ -0,0 +1,64 @@
+diff --git a/bin/nfdump.c b/bin/nfdump.c
+index ba8d92f..9f653f8 100644
+--- a/bin/nfdump.c
++++ b/bin/nfdump.c
+@@ -559,7 +559,10 @@ int v1_map_done = 0;
+ exit(255);
+ }
+ }
+- ConvertCommonV0((void *)record_ptr, (common_record_t *)ConvertBuffer);
++ if ( !ConvertCommonV0((void *)record_ptr, (common_record_t *)ConvertBuffer) ) {
++ LogError("Corrupt data file. Unable to decode at %s line %d\n", __FILE__, __LINE__);
++ exit(255);
++ }
+ flow_record = (common_record_t *)ConvertBuffer;
+ dbg_printf("Converted type %u to %u record\n", CommonRecordV0Type, CommonRecordType);
+ case CommonRecordType: {
+diff --git a/bin/nffile_inline.c b/bin/nffile_inline.c
+index 58225aa..4a9ca25 100755
+--- a/bin/nffile_inline.c
++++ b/bin/nffile_inline.c
+@@ -49,7 +49,7 @@ static inline void AppendToBuffer(nffile_t *nffile, void *record, size_t require
+
+ static inline void CopyV6IP(uint32_t *dst, uint32_t *src);
+
+-static inline void ConvertCommonV0(void *record, common_record_t *flow_record);
++static inline int ConvertCommonV0(void *record, common_record_t *flow_record);
+
+ static inline void ExpandRecord_v2(common_record_t *input_record, extension_info_t *extension_info, exporter_info_record_t *exporter_info, master_record_t *output_record );
+
+@@ -88,11 +88,13 @@ static inline void CopyV6IP(uint32_t *dst, uint32_t *src) {
+ dst[3] = src[3];
+ } // End of CopyV6IP
+
+-static inline void ConvertCommonV0(void *record, common_record_t *flow_record) {
++static inline int ConvertCommonV0(void *record, common_record_t *flow_record) {
+ common_record_v0_t *flow_record_v0 = (common_record_v0_t *)record;
+
+ // copy v0 common record
+ memcpy((void *)flow_record, record, COMMON_RECORDV0_DATA_SIZE);
++ if ( flow_record_v0->size <= COMMON_RECORDV0_DATA_SIZE )
++ return 0;
+ memcpy((void *)flow_record->data, (void *)flow_record_v0->data, flow_record_v0->size - COMMON_RECORDV0_DATA_SIZE);
+
+ // fix record differences
+@@ -102,6 +104,7 @@ common_record_v0_t *flow_record_v0 = (common_record_v0_t *)record;
+ flow_record->exporter_sysid = flow_record_v0->exporter_sysid;
+ flow_record->reserved = 0;
+
++ return 1;
+ } // End of ConvertCommonV0
+
+ /*
+diff --git a/bin/nfx.c b/bin/nfx.c
+index fa84afe..ceea74e 100755
+--- a/bin/nfx.c
++++ b/bin/nfx.c
+@@ -542,6 +542,7 @@ int i, extension_size, max_elements;
+ int id = map->ex_id[i];
+ if ( id > Max_num_extensions ) {
+ printf("PANIC! - Verify map id %i: ERROR: element id %i out of range [%i]!\n", map->map_id, id, Max_num_extensions);
++ exit(255);
+ }
+ extension_size += extension_descriptor[id].size;
+ i++;
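Review bot: ConvertCommonV0 in bin/nffile_inline.c now rejects a `size` at or below COMMON_RECORDV0_DATA_SIZE, which stops the length of the second memcpy from wrapping, but nothing in the patch caps `size` from above, so the copy into `flow_record->data` is still bounded only by a field read from the data file. Whether the caller in bin/nfdump.c sizes ConvertBuffer from the record beforehand is not visible here (the `exit(255)` context just above the call may belong to such a check); if it does not, an upper bound belongs next to the new test. In bin/nfx.c the range test stays `id > Max_num_extensions`, so `id == Max_num_extensions` still reaches `extension_descriptor[id]`; if that table holds exactly Max_num_extensions entries the test should be `>=`. All of the touched functions start or end outside the patch context.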
diff --git a/main/nfdump/CVE-2019-14459.patch b/main/nfdump/CVE-2019-14459.patch
new file mode 100644
index 00000000000..6e10f0dcbe1
--- /dev/null
+++ b/main/nfdump/CVE-2019-14459.patch
@@ -0,0 +1,27 @@
+diff --git a/bin/ipfix.c b/bin/ipfix.c
+index f998b72..604fe25 100644
+--- a/bin/ipfix.c
++++ b/bin/ipfix.c
+@@ -1067,6 +1067,13 @@ ipfix_template_record_t *ipfix_template_record;
+ while ( size_left ) {
+ uint32_t id, count;
+
++ if ( size_left < 4 ) {
++ LogError("Process_ipfix [%u] Template withdraw size error at %s line %u" ,
++ exporter->info.id, __FILE__, __LINE__, strerror (errno));
++ size_left = 0;
++ continue;
++ }
++
+ // map next record.
+ ipfix_template_record = (ipfix_template_record_t *)DataPtr;
+ size_left -= 4;
+@@ -1146,7 +1153,7 @@ uint16_t offset_std_sampler_interval, offset_std_sampler_algorithm, found_std_sa
+ uint16_t id, length;
+ int Enterprise;
+
+- if ( size_left && size_left < 4 ) {
++ if ( size_left < 4 ) {
+ LogError("Process_ipfix [%u] Template size error at %s line %u" ,
+ exporter->info.id, __FILE__, __LINE__, strerror (errno));
+ return;
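Review bot: The added LogError call passes four arguments to a format string with three conversions: `strerror (errno)` has no matching `%s`, and nothing on this path sets errno, so the argument is dead and misleading. Dropping it gives `LogError("Process_ipfix [%u] Template withdraw size error at %s line %u", exporter->info.id, __FILE__, __LINE__);`; the existing call in the second inner hunk has the same shape. That second hunk also changes the guard to `size_left < 4`, which now treats `size_left == 0` as an error and returns; the enclosing loop is outside the context, so confirm this line is not reached on a normal end of data.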
diff --git a/main/nghttp2/APKBUILD b/main/nghttp2/APKBUILD
index 1c52b1ca62d..a6d58eaaf87 100644
--- a/main/nghttp2/APKBUILD
+++ b/main/nghttp2/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=nghttp2
-pkgver=1.28.0
+pkgver=1.39.2
pkgrel=0
pkgdesc="Experimental HTTP/2 client, server and proxy"
url="https://nghttp2.org/"
@@ -12,6 +12,11 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-libs"
source="https://github.com/tatsuhiro-t/$pkgname/releases/download/v$pkgver/nghttp2-$pkgver.tar.xz"
builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 1.39.2-r0:
+# - CVE-2019-9511
+# - CVE-2019-9513
+
check() {
cd "$builddir"
make check
@@ -42,4 +47,4 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="c49d4e02ec8e894e01aff0b3573e5ce6a33e37ddbd777f6363a2890681a2d09d9e29794c7a6aaf20dd094b4b6da4b535f3e81ac58ef4164b1f8cca9e0da26ee9 nghttp2-1.28.0.tar.xz"
+sha512sums="d8c971543e3e87736dfafebca55e9ecd0644e304c9731edaccba34170205824476595861a439077289b438ad489dd6008dedf2c6b2c111920300329be1b1bf34 nghttp2-1.39.2.tar.xz"
diff --git a/main/nmap/APKBUILD b/main/nmap/APKBUILD
index 5254d983ed4..3bf70046291 100644
--- a/main/nmap/APKBUILD
+++ b/main/nmap/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Leonardo Arena <rnalrd@alpinelinux.org>
pkgname=nmap
pkgver=7.60
-pkgrel=2
+pkgrel=3
pkgdesc="A network exploration tool and security/port scanner"
url="http://nmap.org"
arch="all"
@@ -16,9 +16,17 @@ subpackages="
$pkgname-nping
$pkgname-ncat"
source="http://nmap.org/dist/$pkgname-$pkgver.tar.bz2
- fortify-source.patch"
+ fortify-source.patch
+ CVE-2017-18594.patch
+ CVE-2018-15173.patch
+ "
builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 7.60-r3:
+# - CVE-2017-18594
+# - CVE-2018-15173
+
prepare() {
default_prepare
update_config_sub
@@ -83,4 +91,6 @@ nping() {
}
sha512sums="74ba8f6de026ade9ee6bb2252bee18a57210f8207977df7f1c04556629dcdc1e6127f33febc8a52ef88a1dac876116d590564dee4f1c23798c3ac37529991aa4 nmap-7.60.tar.bz2
-2d1f6e290723ac643f456a0e1ac95c4c966106cf2ab743839d25c835bf0141dc2d6bfee19285c3518d4c5f553b0505dabe5a496b769ba47b7adb03e791f05b8d fortify-source.patch"
+2d1f6e290723ac643f456a0e1ac95c4c966106cf2ab743839d25c835bf0141dc2d6bfee19285c3518d4c5f553b0505dabe5a496b769ba47b7adb03e791f05b8d fortify-source.patch
+a3edb3dc75d4dfa20ebed17b97044f1024b1a9d58145bfc31f3e8bd9d299f047aae47c146866fdfa62fab18383f60dd1ae41091adda0ff7db4a017756886d97d CVE-2017-18594.patch
+9e439f09e9499a5664aa376273c84cdfc12f9c6854ed218e63c1a48fb76e5a63a8410bc946c4f2dbcb47784161bb75b0c7f45706b83845ec6f612790382bb4e2 CVE-2018-15173.patch"
diff --git a/main/nmap/CVE-2017-18594.patch b/main/nmap/CVE-2017-18594.patch
new file mode 100644
index 00000000000..d6cbce77e7c
--- /dev/null
+++ b/main/nmap/CVE-2017-18594.patch
@@ -0,0 +1,30 @@
+diff --git a/nse_libssh2.cc b/nse_libssh2.cc
+index bf721b6..22f5bbf 100644
+--- a/nse_libssh2.cc
++++ b/nse_libssh2.cc
+@@ -13,7 +13,6 @@ extern "C" {
+ #include "libssh2.h"
+ }
+
+-#include "nse_debug.h"
+ #include "nse_nsock.h"
+ #include "nse_utility.h"
+
+@@ -296,6 +295,7 @@ static int do_session_handshake (lua_State *L, int status, lua_KContext ctx) {
+
+ if (rc) {
+ libssh2_session_free(sshu->session);
++ sshu->session = NULL;
+ return luaL_error(L, "Unable to complete libssh2 handshake.");
+ }
+
+@@ -479,7 +479,7 @@ static int userauth_list (lua_State *L, int status, lua_KContext ctx) {
+ }
+
+ /*
+-* Returns list of supported authenication methods
++* Returns list of supported authentication methods
+ */
+ static int l_userauth_list (lua_State *L) {
+ return userauth_list(L, 0, 0);
+
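Review bot: The one-line fix in do_session_handshake should carry a comment saying why the pointer is cleared, because the code that would otherwise touch the freed session is not part of this patch. Something like `/* session was freed above; clear it so later cleanup of sshu does not free or use it again */` above `sshu->session = NULL;` would do. Presumably a close or gc handler tests this field, which is worth confirming against the full file. The removal of `#include "nse_debug.h"` and the comment spelling fix are unrelated to the CVE and make the backport harder to compare with the advisory.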
diff --git a/main/nmap/CVE-2018-15173.patch b/main/nmap/CVE-2018-15173.patch
new file mode 100644
index 00000000000..4b066dbd97c
--- /dev/null
+++ b/main/nmap/CVE-2018-15173.patch
@@ -0,0 +1,34 @@
+diff --git a/service_scan.cc b/service_scan.cc
+index 1273513..0a431d6 100644
+--- a/service_scan.cc
++++ b/service_scan.cc
+@@ -489,6 +489,15 @@ void ServiceProbeMatch::InitMatch(const char *matchtext, int lineno) {
+ if (pcre_errptr != NULL)
+ fatal("%s: failed to pcre_study regexp on line %d of nmap-service-probes: %s\n", __func__, lineno, pcre_errptr);
+
++ // Set some limits to avoid evil match cases.
++ // These are flexible; if they cause problems, increase them.
++#ifdef PCRE_ERROR_MATCHLIMIT
++ regex_extra->match_limit = 100000; // 100K
++#endif
++#ifdef PCRE_ERROR_RECURSIONLIMIT
++ regex_extra->match_limit_recursion = 10000; // 10K
++#endif
++
+ free(modestr);
+ free(flags);
+
+@@ -568,6 +577,12 @@ const struct MatchDetails *ServiceProbeMatch::testMatch(const u8 *buf, int bufle
+ if (o.debugging || o.verbose > 1)
+ error("Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service %s with the regex '%s'", servicename, matchstr);
+ } else
++#endif // PCRE_ERROR_MATCHLIMIT
++#ifdef PCRE_ERROR_RECURSIONLIMIT
++ if (rc == PCRE_ERROR_RECURSIONLIMIT) {
++ if (o.debugging || o.verbose > 1)
++ error("Warning: Hit PCRE_ERROR_RECURSIONLIMIT when probing for service %s with the regex '%s'", servicename, matchstr);
++ } else
+ #endif // PCRE_ERROR_MATCHLIMIT
+ if (rc != PCRE_ERROR_NOMATCH) {
+ fatal("Unexpected PCRE error (%d) when probing for service %s with the regex '%s'", rc, servicename, matchstr);
+
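Review bot: The limits assigned in InitMatch may never take effect, because PCRE honours `match_limit` and `match_limit_recursion` in a `pcre_extra` block only when the matching bits are set in its `flags` field, and the patch sets neither. Adding `regex_extra->flags |= PCRE_EXTRA_MATCH_LIMIT;` and `regex_extra->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION;` inside the respective `#ifdef` blocks would cover it, unless the flags are set in code outside the context. pcre_study() can also return NULL without reporting an error, so the new dereference needs a NULL guard if none exists above the hunk. In testMatch the last `#endif // PCRE_ERROR_MATCHLIMIT` now closes the RECURSIONLIMIT block and should be relabelled.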
diff --git a/main/openldap/APKBUILD b/main/openldap/APKBUILD
index 3b3caa86282..e511fc9b1f9 100644
--- a/main/openldap/APKBUILD
+++ b/main/openldap/APKBUILD
@@ -2,12 +2,18 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 2.4.48-r0:
+# - CVE-2019-13565
+# - CVE-2019-13057
+# 2.4.46-r0:
+# - CVE-2017-14159
+# - CVE-2017-17740
# 2.4.44-r5:
# - CVE-2017-9287
#
pkgname=openldap
-pkgver=2.4.45
-pkgrel=3
+pkgver=2.4.48
+pkgrel=0
pkgdesc="LDAP Server"
url="http://www.openldap.org/"
arch="all"
@@ -23,7 +29,8 @@ subpackages="$pkgname-dev $pkgname-doc libldap
$pkgname-backend-all:_backend_all:noarch
$pkgname-overlay-all:_overlay_all:noarch"
install="$pkgname.pre-install $pkgname.post-install $pkgname.post-upgrade"
-source="ftp://ftp.$pkgname.org/pub/OpenLDAP/$pkgname-release/$pkgname-$pkgver.tgz
+source="
+ https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-$pkgver.tgz
openldap-2.4-ppolicy.patch
openldap-2.4.11-libldap_r.patch
openldap-mqtt-overlay.patch
@@ -212,11 +219,11 @@ _submv() {
done
}
-sha512sums="1c9fc84efed8998f107ce6e1c6be3f5466388241afdca0cb3847720c9def0bc263a2dbc15bf0f9112d1b4c391fd01e8531a4fb08c5532c30fb86924c08daedab openldap-2.4.45.tgz
+sha512sums="cf694a415be0bd55cc7f606099da2ed461748efd276561944cd29d7f5a8252a9be799d8778fac2d4fa9f382731eb4ca48c6b85630cb58a3b8249843561ae8feb openldap-2.4.48.tgz
5d34d49eabe7cb66cf8284cc3bd9730fa23df4932df68549e242d250ee50d40c434ae074ebc720d5fbcd9d16587c9333c5598d30a5f1177caa61461ab7771f38 openldap-2.4-ppolicy.patch
44d97efb25d4f39ab10cd5571db43f3bfa7c617a5bb087085ae16c0298aca899b55c8742a502121ba743a73e6d77cd2056bc96cee63d6d0862dabc8fb5574357 openldap-2.4.11-libldap_r.patch
9c7f41279e91ed995c91e9a8c543c797d9294a93cf260afdc03ab5777e45ed045a4d6a4d4d0180b5dc387dc04babca01d818fbfa8168309df44f4500d2a430a4 openldap-mqtt-overlay.patch
-cbfd573139e6b0c51d0f1f1337d74d5c07813509754758df240b09bc2ba559127f656580eef88f1db1c1322d7cb05042b1926e046e24c19889759647aee7aec6 libressl.patch
+ec4604e4ec55ab2109d59deb54e0b6291f43ec91da9bb42a784add67de3200bed22cfd64b1426d3b8f2f0bdee8d97440adc7c21be43db0646d7508cdee2fdac2 libressl.patch
8c4244d316a05870dd1147b2ab7ddbcfd7626b5dce2f5a0e72f066dc635c2edb4f1ea3be88c6fec2d5ab016001be16bedef70f2ce0695c3cd96f69e1614ff177 fix-manpages.patch
0d2e570ddcb7ace1221abad9fc1d3dd0d00d6948340df69879b449959a68feee6a0ad8e17ef9971b35986293e16fc9d8e88de81815fedd5ea6a952eb085406ca configs.patch
0c3606e4dad1b32f1c4b62f2bc1990a4c9f7ccd10c7b50e623309ba9df98064e68fc42a7242450f32fb6e5fa2203609d3d069871b5ae994cd4b227a078c93532 slapd.initd
diff --git a/main/openldap/libressl.patch b/main/openldap/libressl.patch
index ac01064186d..919816c2dc0 100644
--- a/main/openldap/libressl.patch
+++ b/main/openldap/libressl.patch
@@ -1,4 +1,6 @@
---- a/libraries/libldap/tls_o.c.orig 2017-06-04 16:31:28 UTC
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 92c708b..77910bb 100644
+--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -47,7 +47,7 @@
#include <ssl.h>
@@ -9,7 +11,16 @@
#define ASN1_STRING_data(x) ASN1_STRING_get0_data(x)
#endif
-@@ -157,7 +157,7 @@ tlso_init( void )
+@@ -116,7 +116,7 @@ static void tlso_thr_init( void ) {}
+ #endif
+ #endif /* OpenSSL 1.1 */
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
++#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
+ /*
+ * OpenSSL 1.1 API and later makes the BIO method concrete types internal.
+ */
+@@ -197,7 +197,7 @@ tlso_init( void )
(void) tlso_seed_PRNG( lo->ldo_tls_randfile );
#endif
@@ -18,7 +29,7 @@
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_digests();
-@@ -205,7 +205,7 @@ static void
+@@ -249,7 +249,7 @@ static void
tlso_ctx_ref( tls_ctx *ctx )
{
tlso_ctx *c = (tlso_ctx *)ctx;
@@ -27,7 +38,7 @@
#define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1, CRYPTO_LOCK_SSL_CTX )
#endif
SSL_CTX_up_ref( c );
-@@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *
+@@ -508,7 +508,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *der_dn )
if (!x) return LDAP_INVALID_CREDENTIALS;
xn = X509_get_subject_name(x);
@@ -36,7 +47,7 @@
der_dn->bv_len = i2d_X509_NAME( xn, NULL );
der_dn->bv_val = xn->bytes->data;
#else
-@@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval
+@@ -544,7 +544,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
return LDAP_INVALID_CREDENTIALS;
xn = X509_get_subject_name(x);
@@ -45,7 +56,7 @@
der_dn->bv_len = i2d_X509_NAME( xn, NULL );
der_dn->bv_val = xn->bytes->data;
#else
-@@ -721,7 +721,7 @@ struct tls_data {
+@@ -765,7 +765,7 @@ struct tls_data {
Sockbuf_IO_Desc *sbiod;
};
@@ -54,12 +65,4 @@
#define BIO_set_init(b, x) b->init = x
#define BIO_set_data(b, x) b->ptr = x
#define BIO_clear_flags(b, x) b->flags &= ~(x)
-@@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str )
- return tlso_bio_write( b, str, strlen( str ) );
- }
-
--#if OPENSSL_VERSION_NUMBER >= 0x10100000
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
- struct bio_method_st {
- int type;
- const char *name;
+
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index cfab6962b7a..eaf1f4edfdf 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
-pkgver=1.0.2r
+pkgver=1.0.2t
pkgrel=0
pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
url="https://openssl.org"
@@ -29,6 +29,9 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
"
# secfixes:
+# 1.0.2t-r0:
+# - CVE-2019-1547
+# - CVE-2019-1563
# 1.0.2h-r0:
# - CVE-2016-2107
# - CVE-2016-2105
@@ -58,7 +61,6 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
# - CVE-2017-3737
# - CVE-2017-3738
# 1.0.2o-r0:
-# - CVE-2017-3738
# - CVE-2018-0733
# - CVE-2018-0739
# 1.0.2o-r1:
@@ -140,7 +142,7 @@ libssl() {
done
}
-sha512sums="6eb2211f3ad56d7573ac26f388338592c37e5faaf5e2d44c0fa9062c12186e56a324f135d1c956a89b55fcce047e6428bec2756658d103e7275e08b46f741235 openssl-1.0.2r.tar.gz
+sha512sums="0b88868933f42fab87e8b22449435a1091cc6e75f986aad6c173e01ad123161fcae8c226759073701bc65c9f2f0b6ce6a63a61203008ed873cfb6e484f32bc71 openssl-1.0.2t.tar.gz
2244f46cb18e6b98f075051dd2446c47f7590abccd108fbab707f168a20cad8d32220d704635973f09e3b2879f523be5160f1ffbc12ab3900f8a8891dc855c5c 0002-busybox-basename.patch
58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4 0003-use-termios.patch
c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae 0004-fix-default-ca-path-for-apps.patch
diff --git a/main/patch/0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch b/main/patch/0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch
new file mode 100644
index 00000000000..b26651ab05e
--- /dev/null
+++ b/main/patch/0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch
@@ -0,0 +1,33 @@
+From b5a91a01e5d0897facdd0f49d64b76b0f02b43e1 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 11:34:51 +0200
+Subject: [PATCH] Allow input files to be missing for ed-style patches
+
+* src/pch.c (do_ed_script): Allow input files to be missing so that new
+files will be created as with non-ed-style patches.
+---
+ src/pch.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index bc6278c..0c5cc26 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2394,9 +2394,11 @@ do_ed_script (char const *inname, char const *outname,
+
+ if (! dry_run && ! skip_rest_of_patch) {
+ int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+- assert (! inerrno);
+- *outname_needs_removal = true;
+- copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++ if (inerrno != ENOENT)
++ {
++ *outname_needs_removal = true;
++ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++ }
+ sprintf (buf, "%s %s%s", editor_program,
+ verbosity == VERBOSE ? "" : "- ",
+ outname);
+--
+2.22.0
+
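Review bot: Replacing `assert (! inerrno)` with `if (inerrno != ENOENT)` lets every other non-zero `inerrno` (a permission or I/O error, for example) fall into `copy_file` with `instat.st_mode`, which is probably not valid when the stat of the input failed. The missing-file case is the only one the commit message wants to allow, so the remaining errors should stop here, for instance with `if (inerrno && inerrno != ENOENT) fatal ("Can't read file %s", quotearg (inname));` ahead of the copy. do_ed_script starts and ends outside the patch context, so any earlier handling of `inerrno` is not visible.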
diff --git a/main/patch/0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch b/main/patch/0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
new file mode 100644
index 00000000000..6b65e2dd486
--- /dev/null
+++ b/main/patch/0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
@@ -0,0 +1,211 @@
+From 123eaff0d5d1aebe128295959435b9ca5909c26d Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 12:14:49 +0200
+Subject: [PATCH] Fix arbitrary command execution in ed-style patches
+ (CVE-2018-1000156)
+
+* src/pch.c (do_ed_script): Write ed script to a temporary file instead
+of piping it to ed: this will cause ed to abort on invalid commands
+instead of rejecting them and carrying on.
+* tests/ed-style: New test case.
+* tests/Makefile.am (TESTS): Add test case.
+---
+ src/pch.c | 91 ++++++++++++++++++++++++++++++++++-------------
+ tests/Makefile.am | 1 +
+ tests/ed-style | 41 +++++++++++++++++++++
+ 3 files changed, 108 insertions(+), 25 deletions(-)
+ create mode 100644 tests/ed-style
+
+diff --git a/src/pch.c b/src/pch.c
+index 0c5cc26..4fd5a05 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -33,6 +33,7 @@
+ # include <io.h>
+ #endif
+ #include <safe.h>
++#include <sys/wait.h>
+
+ #define INITHUNKMAX 125 /* initial dynamic allocation size */
+
+@@ -2389,24 +2390,28 @@ do_ed_script (char const *inname, char const *outname,
+ static char const editor_program[] = EDITOR_PROGRAM;
+
+ file_offset beginning_of_this_line;
+- FILE *pipefp = 0;
+ size_t chars_read;
++ FILE *tmpfp = 0;
++ char const *tmpname;
++ int tmpfd;
++ pid_t pid;
++
++ if (! dry_run && ! skip_rest_of_patch)
++ {
++ /* Write ed script to a temporary file. This causes ed to abort on
++ invalid commands such as when line numbers or ranges exceed the
++ number of available lines. When ed reads from a pipe, it rejects
++ invalid commands and treats the next line as a new command, which
++ can lead to arbitrary command execution. */
++
++ tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++ if (tmpfd == -1)
++ pfatal ("Can't create temporary file %s", quotearg (tmpname));
++ tmpfp = fdopen (tmpfd, "w+b");
++ if (! tmpfp)
++ pfatal ("Can't open stream for file %s", quotearg (tmpname));
++ }
+
+- if (! dry_run && ! skip_rest_of_patch) {
+- int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+- if (inerrno != ENOENT)
+- {
+- *outname_needs_removal = true;
+- copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+- }
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+- fflush (stdout);
+- pipefp = popen(buf, binary_transput ? "wb" : "w");
+- if (!pipefp)
+- pfatal ("Can't open pipe to %s", quotearg (buf));
+- }
+ for (;;) {
+ char ed_command_letter;
+ beginning_of_this_line = file_tell (pfp);
+@@ -2417,14 +2422,14 @@ do_ed_script (char const *inname, char const *outname,
+ }
+ ed_command_letter = get_ed_command_letter (buf);
+ if (ed_command_letter) {
+- if (pipefp)
+- if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++ if (tmpfp)
++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ write_fatal ();
+ if (ed_command_letter != 'd' && ed_command_letter != 's') {
+ p_pass_comments_through = true;
+ while ((chars_read = get_line ()) != 0) {
+- if (pipefp)
+- if (! fwrite (buf, sizeof *buf, chars_read, pipefp))
++ if (tmpfp)
++ if (! fwrite (buf, sizeof *buf, chars_read, tmpfp))
+ write_fatal ();
+ if (chars_read == 2 && strEQ (buf, ".\n"))
+ break;
+@@ -2437,13 +2442,49 @@ do_ed_script (char const *inname, char const *outname,
+ break;
+ }
+ }
+- if (!pipefp)
++ if (!tmpfp)
+ return;
+- if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, pipefp) == 0
+- || fflush (pipefp) != 0)
++ if (fwrite ("w\nq\n", sizeof (char), (size_t) 4, tmpfp) == 0
++ || fflush (tmpfp) != 0)
+ write_fatal ();
+- if (pclose (pipefp) != 0)
+- fatal ("%s FAILED", editor_program);
++
++ if (lseek (tmpfd, 0, SEEK_SET) == -1)
++ pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
++
++ if (! dry_run && ! skip_rest_of_patch) {
++ int exclusive = *outname_needs_removal ? 0 : O_EXCL;
++ *outname_needs_removal = true;
++ if (inerrno != ENOENT)
++ {
++ *outname_needs_removal = true;
++ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
++ }
++ sprintf (buf, "%s %s%s", editor_program,
++ verbosity == VERBOSE ? "" : "- ",
++ outname);
++ fflush (stdout);
++
++ pid = fork();
++ if (pid == -1)
++ pfatal ("Can't fork");
++ else if (pid == 0)
++ {
++ dup2 (tmpfd, 0);
++ execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ _exit (2);
++ }
++ else
++ {
++ int wstatus;
++ if (waitpid (pid, &wstatus, 0) == -1
++ || ! WIFEXITED (wstatus)
++ || WEXITSTATUS (wstatus) != 0)
++ fatal ("%s FAILED", editor_program);
++ }
++ }
++
++ fclose (tmpfp);
++ safe_unlink (tmpname);
+
+ if (ofp)
+ {
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 6b6df63..16f8693 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -32,6 +32,7 @@ TESTS = \
+ crlf-handling \
+ dash-o-append \
+ deep-directories \
++ ed-style \
+ empty-files \
+ false-match \
+ fifo \
+diff --git a/tests/ed-style b/tests/ed-style
+new file mode 100644
+index 0000000..d8c0689
+--- /dev/null
++++ b/tests/ed-style
+@@ -0,0 +1,41 @@
++# Copyright (C) 2018 Free Software Foundation, Inc.
++#
++# Copying and distribution of this file, with or without modification,
++# in any medium, are permitted without royalty provided the copyright
++# notice and this notice are preserved.
++
++. $srcdir/test-lib.sh
++
++require cat
++use_local_patch
++use_tmpdir
++
++# ==============================================================
++
++cat > ed1.diff <<EOF
++0a
++foo
++.
++EOF
++
++check 'patch -e foo -i ed1.diff' <<EOF
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
++
++cat > ed2.diff <<EOF
++1337a
++r !echo bar
++,p
++EOF
++
++check 'patch -e foo -i ed2.diff 2> /dev/null || echo "Status: $?"' <<EOF
++?
++Status: 2
++EOF
++
++check 'cat foo' <<EOF
++foo
++EOF
+--
+2.22.0
+
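Review bot: In the child branch of do_ed_script the result of `dup2 (tmpfd, 0)` is ignored, so if it fails the editor runs on patch's own standard input, which is the situation the temporary file is meant to avoid. `if (dup2 (tmpfd, 0) == -1) _exit (2);` makes that failure closed. The `fatal` and `pfatal` exits taken after the temporary file exists also skip `safe_unlink (tmpname)`, unless those helpers remove temporaries themselves, which the patch does not show. `*outname_needs_removal = true;` is assigned twice in the new block; the copy inside the `inerrno != ENOENT` branch can go. do_ed_script begins and ends outside the patch context.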
diff --git a/main/patch/APKBUILD b/main/patch/APKBUILD
index 3a1cf46ddb2..aae46046b5e 100644
--- a/main/patch/APKBUILD
+++ b/main/patch/APKBUILD
@@ -1,29 +1,45 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=patch
-pkgver=2.7.5
-pkgrel=2
+pkgver=2.7.6
+pkgrel=0
pkgdesc="Utility to apply diffs to files"
url="https://www.gnu.org/software/patch/patch.html"
arch="all"
-license="GPL"
+license="GPL-3.0-or-later"
depends=""
-depends_dev=""
-makedepends=""
-install=""
+makedepends="autoconf automake"
+# testsuite needs coreutils due to bug in busybox `cat -ve`
+# http://lists.busybox.net/pipermail/busybox/2018-April/086401.html
+checkdepends="coreutils bash ed"
subpackages="$pkgname-doc"
source="ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
CVE-2018-6951.patch
+ CVE-2018-6952.patch
+ 0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch
+ 0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
+ CVE-2019-13636.patch
+ CVE-2019-13638.patch
"
-_builddir="$srcdir"/$pkgname-$pkgver
-
# secfixes:
+# 2.7.6-r0:
+# - CVE-2018-6952
+# - CVE-2018-1000156
+# - CVE-2019-13638
+# 2.7.5-r3:
+# - CVE-2019-13636
# 2.7.5-r2:
# - CVE-2018-6951
+prepare() {
+ default_prepare
+ aclocal && autoheader && autoconf && automake --add-missing
+}
+
build() {
- cd "$_builddir"
+ gl_cv_func_gettimeofday_clobber=no \
+ gl_cv_func_tzset_clobber=no \
./configure \
--build=$CBUILD \
--host=$CHOST \
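Review bot: The secfixes block records CVE-2019-13636 under 2.7.5-r3, but this hunk moves the package from pkgver 2.7.5 / pkgrel 2 straight to 2.7.6-r0 and adds CVE-2019-13636.patch to `source` in the same change. Unless a 2.7.5-r3 was published on another branch, that heading names a release that never carried the fix here. Listing it as `# - CVE-2019-13636` under `# 2.7.6-r0:` would match what this build ships. Version-comparing consumers of secfixes will probably reach the same verdict either way, but this comment is the record people audit against.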
@@ -31,19 +47,28 @@ build() {
--sysconfdir=/etc \
--mandir=/usr/share/man \
--localstatedir=/var \
- --disable-nls \
|| return 1
make || return 1
}
+check() {
+ cd "$builddir"
+ make SHELL=bash check
+}
+
package() {
+ cd "$builddir"
make prefix="$pkgdir"/usr \
mandir="$pkgdir"/usr/share/man \
- -C "$_builddir" install || return 1
+ -C "$builddir" install || return 1
rm -f "$pkgdir"/usr/lib/charset.alias
rmdir -p "$pkgdir"/usr/lib 2>/dev/null || true
}
-
-sha512sums="6620ac8101f60c0b456ce339fa5e371f40be0b391e2e9728f34f3625f9907e516de61dac2f91bc76e6fd28a9bd1224efc3ba827cfaa606d857730c1af4195a0f patch-2.7.5.tar.xz
-db51d0b791d38dd4f1b373621ee18620ae339b172f58a79420fdaa4a4b1b1d9df239cf61bbddc4e6a4896b28b8cffc7c99161eb5e2facaec8df86a1bf7755bc0 CVE-2018-6951.patch"
+sha512sums="fcca87bdb67a88685a8a25597f9e015f5e60197b9a269fa350ae35a7991ed8da553939b4bbc7f7d3cfd863c67142af403b04165633acbce4339056a905e87fbd patch-2.7.6.tar.xz
+db51d0b791d38dd4f1b373621ee18620ae339b172f58a79420fdaa4a4b1b1d9df239cf61bbddc4e6a4896b28b8cffc7c99161eb5e2facaec8df86a1bf7755bc0 CVE-2018-6951.patch
+5d2eaef629bae92e5b4e5e57d140c24a73e2811306d5f2854858f846646b034d2da315071f478bcf6f8d856a065b9bb073f76322e8e3a42616bc212281ce6945 CVE-2018-6952.patch
+33e8a82f5ee6b896fd434e7de1ca9e16e8d317941a021bea8c53afd5bf210774e8727df22f8d8f63f255de10de5a26428047bc710b033423d1e7a459cbbaf83a 0001-Allow-input-files-to-be-missing-for-ed-style-patches.patch
+d0d46e28c5fdcd5fe16826cbcf39d5a74fdf2593375d5206aa7bad759f16dbebeca3bf259239f99c13344579044a3de1000d705065cc19e917266bca6e5c0630 0002-Fix-arbitrary-command-execution-in-ed-style-patches-.patch
+029b92bb899d0b1165cfe7f55b5a4c2d7090852f52e5c85a6bb1cf5913c914a5c68c6c34517e84f0a020a56d21814f8c18b934c8ebe059ba4eddece78a3a258c CVE-2019-13636.patch
+d60f8c2364fca9b73aa73b5914cfd6571d11528d13fa7703ccfa93730cbdf8a6e4c9ca04cb7d02a40d33c38075890790b490052d5217e728b0948991da937980 CVE-2019-13638.patch"
diff --git a/main/patch/CVE-2018-6952.patch b/main/patch/CVE-2018-6952.patch
new file mode 100644
index 00000000000..5f1511c7b16
--- /dev/null
+++ b/main/patch/CVE-2018-6952.patch
@@ -0,0 +1,27 @@
+From 9c986353e420ead6e706262bf204d6e03322c300 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 17 Aug 2018 13:35:40 +0200
+Subject: [PATCH] Fix swapping fake lines in pch_swap
+
+* src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a
+blank line in the middle of a context-diff hunk: that empty line stays
+in the middle of the hunk and isn't swapped.
+
+Fixes: https://savannah.gnu.org/bugs/index.php?53133
+---
+ src/pch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index e92bc64..a500ad9 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2122,7 +2122,7 @@ pch_swap (void)
+ }
+ if (p_efake >= 0) { /* fix non-freeable ptr range */
+ if (p_efake <= i)
+- n = p_end - i + 1;
++ n = p_end - p_ptrn_lines;
+ else
+ n = -i;
+ p_efake += n;
diff --git a/main/patch/CVE-2019-13636.patch b/main/patch/CVE-2019-13636.patch
new file mode 100644
index 00000000000..ea4a98d3307
--- /dev/null
+++ b/main/patch/CVE-2019-13636.patch
@@ -0,0 +1,109 @@
+From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 16:21:48 +0200
+Subject: Don't follow symlinks unless --follow-symlinks is given
+
+* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,
+append_to_file): Unless the --follow-symlinks option is given, open files with
+the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing
+that consistently for input files.
+* src/util.c (create_backup): When creating empty backup files, (re)create them
+with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
+---
+ src/inp.c | 12 ++++++++++--
+ src/util.c | 14 +++++++++++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/inp.c b/src/inp.c
+index 32d0919..22d7473 100644
+--- a/src/inp.c
++++ b/src/inp.c
+@@ -238,8 +238,13 @@ plan_a (char const *filename)
+ {
+ if (S_ISREG (instat.st_mode))
+ {
+- int ifd = safe_open (filename, O_RDONLY|binary_transput, 0);
++ int flags = O_RDONLY | binary_transput;
+ size_t buffered = 0, n;
++ int ifd;
++
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ ifd = safe_open (filename, flags, 0);
+ if (ifd < 0)
+ pfatal ("can't open file %s", quotearg (filename));
+
+@@ -340,6 +345,7 @@ plan_a (char const *filename)
+ static void
+ plan_b (char const *filename)
+ {
++ int flags = O_RDONLY | binary_transput;
+ int ifd;
+ FILE *ifp;
+ int c;
+@@ -353,7 +359,9 @@ plan_b (char const *filename)
+
+ if (instat.st_size == 0)
+ filename = NULL_DEVICE;
+- if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ if ((ifd = safe_open (filename, flags, 0)) < 0
+ || ! (ifp = fdopen (ifd, binary_transput ? "rb" : "r")))
+ pfatal ("Can't open file %s", quotearg (filename));
+ if (TMPINNAME_needs_removal)
+diff --git a/src/util.c b/src/util.c
+index 1cc08ba..fb38307 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original)
+
+ try_makedirs_errno = ENOENT;
+ safe_unlink (bakname);
+- while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0)
++ while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0)
+ {
+ if (errno != try_makedirs_errno)
+ pfatal ("Can't create file %s", quotearg (bakname));
+@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode,
+ static void
+ copy_to_fd (const char *from, int tofd)
+ {
++ int from_flags = O_RDONLY | O_BINARY;
+ int fromfd;
+ ssize_t i;
+
+- if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0)
++ if (! follow_symlinks)
++ from_flags |= O_NOFOLLOW;
++ if ((fromfd = safe_open (from, from_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (from));
+ while ((i = read (fromfd, buf, bufsize)) != 0)
+ {
+@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ else
+ {
+ assert (S_ISREG (mode));
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
+ tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode,
+ to_dir_known_to_exist);
+ copy_to_fd (from, tofd);
+@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ void
+ append_to_file (char const *from, char const *to)
+ {
++ int to_flags = O_WRONLY | O_APPEND | O_BINARY;
+ int tofd;
+
+- if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0)
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
++ if ((tofd = safe_open (to, to_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (to));
+ copy_to_fd (from, tofd);
+ if (close (tofd) != 0)
+--
+cgit v1.0-41-gc330
+
+
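Review bot: In plan_b the added `flags |= O_NOFOLLOW` runs after `filename` may already have been replaced by NULL_DEVICE for an empty input, so the null device is opened with O_NOFOLLOW too. On a system where that path is itself a symlink the open would fail and patch would stop in pfatal; whether any supported target is set up that way is not visible here. If it matters, restrict the flag to the real input, e.g. `if (! follow_symlinks && instat.st_size != 0) flags |= O_NOFOLLOW;`. Separately, O_NOFOLLOW only covers the final path component, so protection of parent directories depends on safe_open, which lies outside these hunks.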
diff --git a/main/patch/CVE-2019-13638.patch b/main/patch/CVE-2019-13638.patch
new file mode 100644
index 00000000000..38caff628aa
--- /dev/null
+++ b/main/patch/CVE-2019-13638.patch
@@ -0,0 +1,38 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: Invoke ed directly instead of using the shell
+
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+---
+ src/pch.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+ *outname_needs_removal = true;
+ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ }
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+ fflush (stdout);
+
+ pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+ else if (pid == 0)
+ {
+ dup2 (tmpfd, 0);
+- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ assert (outname[0] != '!' && outname[0] != '-');
++ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
+ _exit (2);
+ }
+ else
+--
+cgit v1.0-41-gc330
+
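Review bot: The only guard against an output name beginning with `!` or `-` in do_ed_script is an `assert`, which is compiled out when the build defines NDEBUG, leaving `execlp` to hand such a name to the editor unchecked. Since this test is the security boundary for the argument passed to ed, it should be unconditional: `if (outname[0] == '!' || outname[0] == '-') _exit (2);` placed before the `execlp` call. The parent branch shown in the earlier patch treats any non-zero child status as fatal, so this fails closed. Whether the Alpine build sets NDEBUG is not visible from this hunk, and do_ed_script starts and ends outside it.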
diff --git a/main/polkit/APKBUILD b/main/polkit/APKBUILD
index 5cf5e8fa56c..c2c4b3d6f69 100644
--- a/main/polkit/APKBUILD
+++ b/main/polkit/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=polkit
pkgver=0.105
-pkgrel=8
+pkgrel=10
pkgdesc="Application development toolkit for controlling system-wide privileges"
url="http://www.freedesktop.org/wiki/Software/polkit/"
arch="all"
@@ -21,6 +21,7 @@ source="http://www.freedesktop.org/software/polkit/releases/polkit-$pkgver.tar.g
CVE-2015-3255.patch
CVE-2015-4625.patch
CVE-2018-19788.patch
+ CVE-2019-6133.patch
automake.patch
fix-parallel-make.patch
fix-consolekit-db-stat.patch
@@ -28,6 +29,8 @@ source="http://www.freedesktop.org/software/polkit/releases/polkit-$pkgver.tar.g
_builddir="$srcdir"/polkit-$pkgver
# secfixes:
+# 0.105-r10:
+# - CVE-2019-6133
# 0.105-r8:
# - CVE-2018-19788
@@ -71,24 +74,6 @@ package() {
make DESTDIR="$pkgdir" install || return 1
}
-md5sums="9c29e1b6c214f0bd6f1d4ee303dfaed9 polkit-0.105.tar.gz
-bb4e7bffa5bad89bf3033b3d866a4087 0001-Bug-50145-make-netgroup-support-optional.patch
-2f2b7a0a5e79516582ce12a80c5677a2 CVE-2013-4288.patch
-a3d38d5b0bd35c066806b61cedc175d6 CVE-2015-3218.patch
-ff484f4397db117a6924fe6a65eb552e CVE-2015-3255.patch
-d18b03f6a0efe134e3c201a2c2410d33 CVE-2015-4625.patch
-38dfb2ffefa4f84d64e4cd93fda145f2 automake.patch
-cca56781a0ac23c0c56b5390fc8f8238 fix-parallel-make.patch
-3d049fef3f78c78b9bd0a6d9e7731692 fix-consolekit-db-stat.patch"
-sha256sums="8fdc7cc8ba4750fcce1a4db9daa759c12afebc7901237e1c993c38f08985e1df polkit-0.105.tar.gz
-80bf119937c5b75887bf6405e69e364a31e6e2edcac7957816ed7d8ea6b2a5a3 0001-Bug-50145-make-netgroup-support-optional.patch
-394be8089e90ed662af0b2043fa6abdda0c062d89970ce5f5a25df8633123d5e CVE-2013-4288.patch
-b15b54e86195a5c87efe058cc970db69f1dddbfebd97399689fccc77794f678a CVE-2015-3218.patch
-90b2a03cabe3a6ea5a5bab13cfb4236b8b7c6820f7a6d27786c601b0331a70e0 CVE-2015-3255.patch
-f34f46d445391234f75b0f92b63af70a5b9597555981dcc34bec78fd46229a98 CVE-2015-4625.patch
-de9e99ec691e45fc204eba576e301299952c0eb13ecedcb7399ba1b6aab94200 automake.patch
-fb0352d687b4b23acace3d211d9f48635d2eae43f5a478cbdda0f1e42784f735 fix-parallel-make.patch
-f0de45566d1ac79c0d9256e5c36244dfc74936dbc45f2af63ce9c6893dedea52 fix-consolekit-db-stat.patch"
sha512sums="7c0f84b9639814b4690e42b570285ff2018a5ea4cfd7216d9abf44c84ece6592c530f2d6211511c1346963daf4f135e9fa79d1b2f592b454115950991b5e4bc3 polkit-0.105.tar.gz
09ca9c14044c0a281e9069919efbb6d14918f23f58a282b5ce25c8a6640966396904373822869fe994c711f40c33d5c34cf3b77f85a59e239ba3d0c22a31ca8e 0001-Bug-50145-make-netgroup-support-optional.patch
d6de3beb063243c11906f525ef2eb65aeca823c25b1f44dde4a16f4fc2c5ce587b129e0bfb25a4a4b88ac2bf5713c47e57700c139323d961c9f9b6ba4c03fffb CVE-2013-4288.patch
@@ -96,6 +81,7 @@ d6de3beb063243c11906f525ef2eb65aeca823c25b1f44dde4a16f4fc2c5ce587b129e0bfb25a4a4
0b26b819da0b34f10ff8a768850560b3207a6e10a7141bd1aa4769c1cb2829eb110164974b99d993d4e3a62145ace0fc5375489f84d2b56fe08e3430e3232aa8 CVE-2015-3255.patch
32ecc38db938fc1e3d14ffd9c492d12a42a91750e0eb1f66f8346d0cefd6e18fd0dffac8bffc65578cfb56c9598d3b336721477e8496de2619d6d69f1a6b309e CVE-2015-4625.patch
9bde734555526c77cac43b0aa90545ede4718d837bb2cb4b9fe5833cdaee0cc91215df4c7103fd675add434c1344385ce4b03c4fdeb3024245e4721cd0703f6a CVE-2018-19788.patch
+be30f6319ffbc729802f316140b2b45c5a3d3059a818fc13814113e46816e1aafb9d594ff7208d8322db9b2e74c2ea5292b9d51aaeb0987f0183320e48e1ef0b CVE-2019-6133.patch
25465a23332247d0873e24cb5f011a267413615526755a8295a6367d64fc5eb8c2aa3c9c1fdcfa183b39e3ece14f33b25f15a339d966a31f3feb861b3f17adbf automake.patch
6b0d9262ba8b3c000acdcc8c86bd6fc043e5750a0155730638d4e3a92e63f43cb476d63b11856c041d60d8f38f7eb5ada0eb0eced9100bdac3bc2c7dd5108ddd fix-parallel-make.patch
95493ef842b46ce9e724933a5d86083589075fb452435057b8f629643cac7c7eff67a24fd188087987e98057f0130757fad546d0c090767da3d71ebaf8485a24 fix-consolekit-db-stat.patch"
diff --git a/main/polkit/CVE-2019-6133.patch b/main/polkit/CVE-2019-6133.patch
new file mode 100644
index 00000000000..9cdf220624c
--- /dev/null
+++ b/main/polkit/CVE-2019-6133.patch
@@ -0,0 +1,159 @@
+diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c
+index d2c4c20..3d86022 100644
+--- a/src/polkit/polkitsubject.c
++++ b/src/polkit/polkitsubject.c
+@@ -97,6 +97,8 @@ polkit_subject_hash (PolkitSubject *subject)
+ * @b: A #PolkitSubject.
+ *
+ * Checks if @a and @b are equal, ie. represent the same subject.
++ * However, avoid calling polkit_subject_equal() to compare two processes;
++ * for more information see the `PolkitUnixProcess` documentation.
+ *
+ * This function can be used in e.g. g_hash_table_new().
+ *
+diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
+index 913be3a..ceaf145 100644
+--- a/src/polkit/polkitunixprocess.c
++++ b/src/polkit/polkitunixprocess.c
+@@ -44,13 +44,82 @@
+ * @title: PolkitUnixProcess
+ * @short_description: Unix processs
+ *
+- * An object for representing a UNIX process.
++ * An object for representing a UNIX process. NOTE: This object as
++ * designed is now known broken; a mechanism to exploit a delay in
++ * start time in the Linux kernel was identified. Avoid
++ * calling polkit_subject_equal() to compare two processes.
+ *
+ * To uniquely identify processes, both the process id and the start
+ * time of the process (a monotonic increasing value representing the
+ * time since the kernel was started) is used.
+ */
+
++/* See https://gitlab.freedesktop.org/polkit/polkit/issues/75
++
++ But quoting the original email in full here to ensure it's preserved:
++
++ From: Jann Horn <jannh@google.com>
++ Subject: [SECURITY] polkit: temporary auth hijacking via PID reuse and non-atomic fork
++ Date: Wednesday, October 10, 2018 5:34 PM
++
++When a (non-root) user attempts to e.g. control systemd units in the system
++instance from an active session over DBus, the access is gated by a polkit
++policy that requires "auth_admin_keep" auth. This results in an auth prompt
++being shown to the user, asking the user to confirm the action by entering the
++password of an administrator account.
++
++After the action has been confirmed, the auth decision for "auth_admin_keep" is
++cached for up to five minutes. Subject to some restrictions, similar actions can
++then be performed in this timespan without requiring re-auth:
++
++ - The PID of the DBus client requesting the new action must match the PID of
++ the DBus client requesting the old action (based on SO_PEERCRED information
++ forwarded by the DBus daemon).
++ - The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22)
++ must not have changed. The granularity of this timestamp is in the
++ millisecond range.
++ - polkit polls every two seconds whether a process with the expected start time
++ still exists. If not, the temporary auth entry is purged.
++
++Without the start time check, this would obviously be buggy because an attacker
++could simply wait for the legitimate client to disappear, then create a new
++client with the same PID.
++
++Unfortunately, the start time check is bypassable because fork() is not atomic.
++Looking at the source code of copy_process() in the kernel:
++
++ p->start_time = ktime_get_ns();
++ p->real_start_time = ktime_get_boot_ns();
++ [...]
++ retval = copy_thread_tls(clone_flags, stack_start, stack_size, p, tls);
++ if (retval)
++ goto bad_fork_cleanup_io;
++
++ if (pid != &init_struct_pid) {
++ pid = alloc_pid(p->nsproxy->pid_ns_for_children);
++ if (IS_ERR(pid)) {
++ retval = PTR_ERR(pid);
++ goto bad_fork_cleanup_thread;
++ }
++ }
++
++The ktime_get_boot_ns() call is where the "start time" of the process is
++recorded. The alloc_pid() call is where a free PID is allocated. In between
++these, some time passes; and because the copy_thread_tls() call between them can
++access userspace memory when sys_clone() is invoked through the 32-bit syscall
++entry point, an attacker can even stall the kernel arbitrarily long at this
++point (by supplying a pointer into userspace memory that is associated with a
++userfaultfd or is backed by a custom FUSE filesystem).
++
++This means that an attacker can immediately call sys_clone() when the victim
++process is created, often resulting in a process that has the exact same start
++time reported in procfs; and then the attacker can delay the alloc_pid() call
++until after the victim process has died and the PID assignment has cycled
++around. This results in an attacker process that polkit can't distinguish from
++the victim process.
++*/
++
++
+ /**
+ * PolkitUnixProcess:
+ *
+diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
+index b237e9d..e2200ef 100644
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -2755,6 +2755,43 @@ temporary_authorization_store_free (TemporaryAuthorizationStore *store)
+ g_free (store);
+ }
+
++/* See the comment at the top of polkitunixprocess.c */
++static gboolean
++subject_equal_for_authz (PolkitSubject *a,
++ PolkitSubject *b)
++{
++ if (!polkit_subject_equal (a, b))
++ return FALSE;
++
++ /* Now special case unix processes, as we want to protect against
++ * pid reuse by including the UID.
++ */
++ if (POLKIT_IS_UNIX_PROCESS (a) && POLKIT_IS_UNIX_PROCESS (b)) {
++ PolkitUnixProcess *ap = (PolkitUnixProcess*)a;
++ int uid_a = polkit_unix_process_get_uid ((PolkitUnixProcess*)a);
++ PolkitUnixProcess *bp = (PolkitUnixProcess*)b;
++ int uid_b = polkit_unix_process_get_uid ((PolkitUnixProcess*)b);
++
++ if (uid_a != -1 && uid_b != -1)
++ {
++ if (uid_a == uid_b)
++ {
++ return TRUE;
++ }
++ else
++ {
++ g_printerr ("denying slowfork; pid %d uid %d != %d!\n",
++ polkit_unix_process_get_pid (ap),
++ uid_a, uid_b);
++ return FALSE;
++ }
++ }
++ /* Fall through; one of the uids is unset so we can't reliably compare */
++ }
++
++ return TRUE;
++}
++
+ static gboolean
+ temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *store,
+ PolkitSubject *subject,
+@@ -2797,7 +2834,7 @@ temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *st
+ TemporaryAuthorization *authorization = l->data;
+
+ if (strcmp (action_id, authorization->action_id) == 0 &&
+- polkit_subject_equal (subject_to_use, authorization->subject))
++ subject_equal_for_authz (subject_to_use, authorization->subject))
+ {
+ ret = TRUE;
+ if (out_tmp_authz_id != NULL)
+
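Review bot: subject_equal_for_authz falls through to `return TRUE` when either polkit_unix_process_get_uid() call yields -1, so for those subjects the temporary authorization is still matched on pid and start time alone, which is the comparison the quoted report describes as bypassable. Whether a subject with an unset uid can reach temporary_authorization_store_has_authorization is not visible in this hunk. If it can, returning FALSE there (forcing re-authentication) is the safer default, or at minimum a g_printerr line would make the case observable. As a smaller point, the local `bp` is assigned but never read and `ap` is used only in the log line; the two uid lookups could take `ap` and `bp` instead of repeating the cast.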
diff --git a/main/poppler/APKBUILD b/main/poppler/APKBUILD
index c224a6571c3..6fced481681 100644
--- a/main/poppler/APKBUILD
+++ b/main/poppler/APKBUILD
@@ -5,7 +5,7 @@
# So we build qt support in separate package poppler-qt4
pkgname=poppler
pkgver=0.56.0
-pkgrel=0
+pkgrel=1
pkgdesc="PDF rendering library based on xpdf 3.0"
url="https://poppler.freedesktop.org/"
arch="all"
@@ -17,10 +17,15 @@ makedepends="$depends_dev libjpeg-turbo-dev cairo-dev libxml2-dev
openjpeg-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-utils $pkgname-glib
"
-source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz"
-
+source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz
+ CVE-2019-9959.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 0.56.0-r1:
+# - CVE-2019-9959
+
prepare() {
local _linked_pkg=poppler-qt4
local _linked_apkbuild="$startdir"/../$_linked_pkg/APKBUILD
@@ -32,6 +37,7 @@ prepare() {
return 1
fi
fi
+ default_prepare
}
build() {
@@ -80,4 +86,5 @@ _cpp() {
"$subpkgdir"/usr/lib/ || return 1
}
-sha512sums="74d2ca63afcb7e155c153b4ddc71621b7f4f2c60d4fcafd873176d5ac59fafedc35b200a22c7af2013d7f75e670a1cc23d6ba878167a02209917f8d30002d528 poppler-0.56.0.tar.xz"
+sha512sums="74d2ca63afcb7e155c153b4ddc71621b7f4f2c60d4fcafd873176d5ac59fafedc35b200a22c7af2013d7f75e670a1cc23d6ba878167a02209917f8d30002d528 poppler-0.56.0.tar.xz
+c647bf98ee1ec86270d942d256d9ae4264537f9bbfe2b2adc1f31c9cf27604682ba780943cbc6059451dc67228cf923fb1626e24da2635c7728fe1da2613a929 CVE-2019-9959.patch"
diff --git a/main/poppler/CVE-2019-9959.patch b/main/poppler/CVE-2019-9959.patch
new file mode 100644
index 00000000000..d417a698b2b
--- /dev/null
+++ b/main/poppler/CVE-2019-9959.patch
@@ -0,0 +1,13 @@
+diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc
+index 7daa23d..714d814 100644
+--- a/poppler/JPEG2000Stream.cc
++++ b/poppler/JPEG2000Stream.cc
+@@ -368,7 +368,7 @@ void JPXStream::init()
+ if (getDict()) getDict()->lookup("SMaskInData", &smaskInData);
+
+ int bufSize = BUFFER_INITIAL_SIZE;
+- if (oLen.isInt()) bufSize = oLen.getInt();
++ if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();
+ oLen.free();
+
+ if (cspace.isArray() && cspace.arrayGetLength() > 0) {
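Review bot: The new condition in JPXStream::init rejects zero and negative Length values but still accepts any positive integer from the document as `bufSize`, so the initial buffer size remains controlled by the file. How `bufSize` is used lies below this hunk, so it is not possible to tell from here whether a very large value only leads to a failed allocation or to something worse; an upper bound next to the `> 0` test would settle that. Reading the value once, `const int len = oLen.isInt() ? oLen.getInt() : 0;` followed by `if (len > 0) bufSize = len;`, also avoids the second getInt() call.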
diff --git a/main/postgresql/APKBUILD b/main/postgresql/APKBUILD
index 7eda6c2186a..b926f0bb01b 100644
--- a/main/postgresql/APKBUILD
+++ b/main/postgresql/APKBUILD
@@ -2,7 +2,7 @@
# Contributor: G.J.R. Timmer <gjr.timmer@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
pkgname=postgresql
-pkgver=10.9
+pkgver=10.10
pkgrel=0
pkgdesc="A sophisticated object-relational DBMS"
url="https://www.postgresql.org/"
@@ -36,32 +36,34 @@ builddir="$srcdir/$pkgname-$pkgver"
options="!checkroot"
# secfixes:
+# 10.10-r0:
+# - CVE-2019-10208
# 10.9-r0:
-# - CVE-2019-10164
+# - CVE-2019-10164
# 10.8-r0:
-# - CVE-2019-10129
-# - CVE-2019-10130
+# - CVE-2019-10129
+# - CVE-2019-10130
# 10.5-r0:
-# - CVE-2018-10915
-# - CVE-2018-10925
+# - CVE-2018-10915
+# - CVE-2018-10925
# 10.4-r0:
-# - CVE-2018-1115
+# - CVE-2018-1115
# 10.3-r0:
-# - CVE-2018-1058
+# - CVE-2018-1058
# 10.2-r0:
-# - CVE-2018-1052
-# - CVE-2018-1053
+# - CVE-2018-1052
+# - CVE-2018-1053
# 10.1-r0:
-# - CVE-2017-15098
-# - CVE-2017-15099
+# - CVE-2017-15098
+# - CVE-2017-15099
# 9.6.4-r0:
-# - CVE-2017-7546
-# - CVE-2017-7547
-# - CVE-2017-7548
+# - CVE-2017-7546
+# - CVE-2017-7547
+# - CVE-2017-7548
# 9.6.3-r0:
-# - CVE-2017-7484
-# - CVE-2017-7485
-# - CVE-2017-7486
+# - CVE-2017-7484
+# - CVE-2017-7485
+# - CVE-2017-7486
prepare() {
default_prepare
@@ -303,7 +305,7 @@ _submv() {
done
}
-sha512sums="4e2f30a0fd262f2e3ce5fc836425be635326600cd6cd4e117c57f59ea7ab2e9ea463a8d357fe7adb8c0dd0094e43d08efc2a137f8f9975715a5908e35920f98e postgresql-10.9.tar.bz2
+sha512sums="60cafe4b27a194949aff482dcce4fa096a9916f37205868437a32afb8964df71934b619a0b891fe85eb7c7f9b11775cffbbedca589e78feb6c4184eb224b48bc postgresql-10.10.tar.bz2
1f8e7dc58f5b0a12427cf2fd904ffa898a34f23f3332c8382b94e0d991c007289e7913a69e04498f3d93fc5701855796c207b4b1cc4a0b366f586050124d7fcc initdb.patch
5f9d8bb4957194069d01af8ab3abc6d4d83a7e7f8bd7ebe1caae5361d621a3e58f91b14b952958138a794e0a80bc154fbb7e3e78d211e2a95b9b7901335de854 perl-rpath.patch
8439a6fdfdea0a4867daeb8bc23d6c825f30c00d91d4c39f48653f5ee77341f23282ce03a77aad94b5369700f11d2cb28d5aee360e59138352a9ab331a9f9d0f conf-unix_socket_directories.patch
diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD
index 1524c6d952c..c856c7bc7e5 100644
--- a/main/py-django/APKBUILD
+++ b/main/py-django/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=py-django
_pkgname=Django
-pkgver=1.11.21
+pkgver=1.11.23
pkgrel=0
pkgdesc="A high-level Python Web framework"
url="http://djangoproject.com/"
@@ -17,6 +17,13 @@ source="https://files.pythonhosted.org/packages/source/${_pkgname:0:1}/$_pkgname
builddir="$srcdir"/$_pkgname-$pkgver
# secfixes:
+# 1.11.23-r0:
+# - CVE-2019-14232
+# - CVE-2019-14233
+# - CVE-2019-14234
+# - CVE-2019-14235
+# 1.11.22-r0:
+# - CVE-2019-12781
# 1.8.16-r0:
# - CVE-2016-9013
# - CVE-2016-9014
@@ -78,4 +85,4 @@ _py() {
done
}
-sha512sums="c91a1189b6b8fbbb1470f870b09c1c553e860d3b8c0977240399524a830d5403929f14b4e4b689354080748aab1c70587ad56e265f4ac0b3bdc2714d01adbbc4 Django-1.11.21.tar.gz"
+sha512sums="c4c5d82e4ecf1a100637ac32eafd3fb0d7690ba5c0cb884846f31c434c0cb1282d94149e031c577d676570f3b331c2a320d58f34f40ac02deae089c4b61c65ea Django-1.11.23.tar.gz"
diff --git a/main/python2/APKBUILD b/main/python2/APKBUILD
index 79bbe4fe34e..e66422fb7c1 100644
--- a/main/python2/APKBUILD
+++ b/main/python2/APKBUILD
@@ -4,7 +4,7 @@ pkgname=python2
# the python2-tkinter's pkgver needs to be synchronized with this.
pkgver=2.7.15
_verbase=${pkgver%.*}
-pkgrel=2
+pkgrel=3
pkgdesc="A high-level scripting language"
url="http://www.python.org"
arch="all"
@@ -17,10 +17,19 @@ makedepends="expat-dev libressl-dev zlib-dev ncurses-dev bzip2-dev
gdbm-dev sqlite-dev libffi-dev readline-dev linux-headers paxmark"
source="http://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
musl-find_library.patch
- unchecked-ioctl.patch"
+ unchecked-ioctl.patch
+ CVE-2018-14647.patch
+ CVE-2019-9636.patch
+ CVE-2019-9948.patch
+ CVE-2019-16935.patch
+ "
builddir="$srcdir/Python-$pkgver"
# secfixes:
+# 2.7.15-r2:
+# - CVE-2019-9636
+# - CVE-2019-9948
+# - CVE-2018-14647
# 2.7.15-r0:
# - CVE-2018-1060
# - CVE-2018-1061
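Review bot: The secfixes heading added here is 2.7.15-r2, while the previous hunk bumps pkgrel from 2 to 3 and the listed patches are only added to `source` in this change, so the fixes first ship in 2.7.15-r3. CVE-2019-16935.patch is added to `source` as well but has no secfixes line at all. Renaming the heading to `# 2.7.15-r3:` and adding `# - CVE-2019-16935` under it would make the record match the build. As written, a tool reading secfixes would presumably report the unpatched r2 as fixed for the first three CVEs and would not credit any release with the fourth.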
@@ -126,4 +135,8 @@ gdbm() {
sha512sums="27ea43eb45fc68f3d2469d5f07636e10801dee11635a430ec8ec922ed790bb426b072da94df885e4dfa1ea8b7a24f2f56dd92f9b0f51e162330f161216bd6de6 Python-2.7.15.tar.xz
ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
-5a8e013a4132d71c4360771f130d27b37275ae59330cf9a75378dc8a11236017f540eb224f2a148984e82ca3fb6b29129375b1080ba05b81044faa717520ab82 unchecked-ioctl.patch"
+5a8e013a4132d71c4360771f130d27b37275ae59330cf9a75378dc8a11236017f540eb224f2a148984e82ca3fb6b29129375b1080ba05b81044faa717520ab82 unchecked-ioctl.patch
+6ea4cde4483250bd3ecbf46214935c80ecd79958d09d7fab4f5ba0b80d73ff0a1433f7b6fbd9a5c42d4f2a3dda877cde6a3264a5c832c1e8f4ee3eb2405a624e CVE-2018-14647.patch
+54086e7b4d3597969b945b1460fe578ff3a13289703d58d79b8f00f644eccc4acc11fc6128b7b114f022a6f6cedc91e02eead6373bac0d36e22eb580a1becb53 CVE-2019-9636.patch
+2f9523bd3e39c4831110821d93aef1562ca80708f1b553428eb5c228cdf2192feb13d7aef41097a5df4b4243da8b8f7247f691c0ab73967b0bf2bf6a1a0d487f CVE-2019-9948.patch
+758a897f01665149a23cbc3898fe060c043647d6fe6d22d8ca9038554b4ef1c7b2ac638d37eaed265167cd50f9329be2518f07464dccb7a7ab34ec9be4710095 CVE-2019-16935.patch"
diff --git a/main/python2/CVE-2018-14647.patch b/main/python2/CVE-2018-14647.patch
new file mode 100644
index 00000000000..ff27dba7456
--- /dev/null
+++ b/main/python2/CVE-2018-14647.patch
@@ -0,0 +1,82 @@
+From 18b20bad75b4ff0486940fba4ec680e96e70f3a2 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Tue, 18 Sep 2018 15:13:09 +0200
+Subject: [PATCH] [2.7] bpo-34623: Use XML_SetHashSalt in _elementtree
+ (GH-9146) (GH-9394)
+
+The C accelerated _elementtree module now initializes hash randomization
+salt from _Py_HashSecret instead of libexpat's default CPRNG.
+
+Signed-off-by: Christian Heimes <christian@python.org>
+
+https://bugs.python.org/issue34623.
+(cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b)
+
+Co-authored-by: Christian Heimes <christian@python.org>
+
+
+
+https://bugs.python.org/issue34623
+---
+ Include/pyexpat.h | 4 +++-
+ .../next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | 2 ++
+ Modules/_elementtree.c | 5 +++++
+ Modules/pyexpat.c | 5 +++++
+ 4 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
+
+diff --git a/Include/pyexpat.h b/Include/pyexpat.h
+index 5340ef5fa386..3fc5fa54da63 100644
+--- a/Include/pyexpat.h
++++ b/Include/pyexpat.h
+@@ -3,7 +3,7 @@
+
+ /* note: you must import expat.h before importing this module! */
+
+-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0"
++#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1"
+ #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
+
+ struct PyExpat_CAPI
+@@ -43,6 +43,8 @@ struct PyExpat_CAPI
+ XML_Parser parser, XML_UnknownEncodingHandler handler,
+ void *encodingHandlerData);
+ void (*SetUserData)(XML_Parser parser, void *userData);
++ /* might be none for expat < 2.1.0 */
++ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
+ /* always add new stuff to the end! */
+ };
+
+diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
+index f7f992dd3a95..b38e0ab329c7 100644
+--- a/Modules/_elementtree.c
++++ b/Modules/_elementtree.c
+@@ -2574,6 +2574,11 @@ xmlparser(PyObject* self_, PyObject* args, PyObject* kw)
+ PyErr_NoMemory();
+ return NULL;
+ }
++ /* expat < 2.1.0 has no XML_SetHashSalt() */
++ if (EXPAT(SetHashSalt) != NULL) {
++ EXPAT(SetHashSalt)(self->parser,
++ (unsigned long)_Py_HashSecret.prefix);
++ }
+
+ ALLOC(sizeof(XMLParserObject), "create expatparser");
+
+diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
+index 2b4d31293c64..1f8c0d70a559 100644
+--- a/Modules/pyexpat.c
++++ b/Modules/pyexpat.c
+@@ -2042,6 +2042,11 @@ MODULE_INITFUNC(void)
+ capi.SetProcessingInstructionHandler = XML_SetProcessingInstructionHandler;
+ capi.SetUnknownEncodingHandler = XML_SetUnknownEncodingHandler;
+ capi.SetUserData = XML_SetUserData;
++#if XML_COMBINED_VERSION >= 20100
++ capi.SetHashSalt = XML_SetHashSalt;
++#else
++ capi.SetHashSalt = NULL;
++#endif
+
+ /* export using capsule */
+ capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
+
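Review bot: The call added in xmlparser() passes `_Py_HashSecret.prefix` as the salt without saying what happens when that value is zero, which I believe is the case in 2.7 whenever hash randomization is not enabled. As far as I know expat treats a zero salt as "not set" and generates its own, so the outcome should be safe, but that is worth stating beside the call: `/* a zero prefix (hash randomization off) leaves expat to pick its own salt */`. In pyexpat.h the new field comment says "might be none"; for a C function pointer `/* NULL for expat < 2.1.0 */` is clearer. Both xmlparser() and the module init function extend beyond these hunks.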
diff --git a/main/python2/CVE-2019-16935.patch b/main/python2/CVE-2019-16935.patch
new file mode 100644
index 00000000000..632a3e77b37
--- /dev/null
+++ b/main/python2/CVE-2019-16935.patch
@@ -0,0 +1,92 @@
+From 8eb64155ff26823542ccf0225b3d57b6ae36ea89 Mon Sep 17 00:00:00 2001
+From: Dong-hee Na <donghee.na92@gmail.com>
+Date: Tue, 1 Oct 2019 19:58:01 +0900
+Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer
+ (GH-16447)
+
+Escape the server title of DocXMLRPCServer.DocXMLRPCServer
+when rendering the document page as HTML.
+---
+ Lib/DocXMLRPCServer.py | 13 +++++++++++-
+ Lib/test/test_docxmlrpc.py | 20 +++++++++++++++++++
+ .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+
+diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
+index 4064ec2e48d4d..90b037dd35d6b 100644
+--- a/Lib/DocXMLRPCServer.py
++++ b/Lib/DocXMLRPCServer.py
+@@ -20,6 +20,16 @@
+ CGIXMLRPCRequestHandler,
+ resolve_dotted_attribute)
+
++
++def _html_escape_quote(s):
++ s = s.replace("&", "&amp;") # Must be done first!
++ s = s.replace("<", "&lt;")
++ s = s.replace(">", "&gt;")
++ s = s.replace('"', "&quot;")
++ s = s.replace('\'', "&#x27;")
++ return s
++
++
+ class ServerHTMLDoc(pydoc.HTMLDoc):
+ """Class used to generate pydoc HTML document for a server"""
+
+@@ -210,7 +220,8 @@ def generate_html_documentation(self):
+ methods
+ )
+
+- return documenter.page(self.server_title, documentation)
++ title = _html_escape_quote(self.server_title)
++ return documenter.page(title, documentation)
+
+ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
+ """XML-RPC and documentation request handler class.
+diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
+index 4dff4159e2466..c45b892b8b3e7 100644
+--- a/Lib/test/test_docxmlrpc.py
++++ b/Lib/test/test_docxmlrpc.py
+@@ -1,5 +1,6 @@
+ from DocXMLRPCServer import DocXMLRPCServer
+ import httplib
++import re
+ import sys
+ from test import test_support
+ threading = test_support.import_module('threading')
+@@ -176,6 +177,25 @@ def test_autolink_dotted_methods(self):
+ self.assertIn("""Try&nbsp;self.<strong>add</strong>,&nbsp;too.""",
+ response.read())
+
++ def test_server_title_escape(self):
++ """Test that the server title and documentation
++ are escaped for HTML.
++ """
++ self.serv.set_server_title('test_title<script>')
++ self.serv.set_server_documentation('test_documentation<script>')
++ self.assertEqual('test_title<script>', self.serv.server_title)
++ self.assertEqual('test_documentation<script>',
++ self.serv.server_documentation)
++
++ generated = self.serv.generate_html_documentation()
++ title = re.search(r'<title>(.+?)</title>', generated).group()
++ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
++ self.assertEqual('<title>Python: test_title&lt;script&gt;</title>',
++ title)
++ self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>',
++ documentation)
++
++
+ def test_main():
+ test_support.run_unittest(DocXMLRPCHTTPGETServer)
+
+diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+new file mode 100644
+index 0000000000000..8f02baed9ebe5
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+@@ -0,0 +1,3 @@
++Escape the server title of :class:`DocXMLRPCServer.DocXMLRPCServer`
++when rendering the document page as HTML.
++(Contributed by Dong-hee Na in :issue:`38243`.)
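Review bot: `test_server_title_escape` only pushes `<script>` through the page, so the `&`, `"` and `'` branches of the new `_html_escape_quote` helper are never exercised. A second title containing those three characters (constructed sample: `a&b"c'd`, expected `a&amp;b&quot;c&#x27;d` inside `<title>`) would pin the ordering that the "Must be done first!" comment depends on. The helper also has no docstring; `"""Escape &, <, > and both quote characters so the value is safe in HTML text and attribute values."""` would say what it guarantees. The same single-input test is added in main/python3/CVE-2019-16935.patch, where `html.escape` does the escaping.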
diff --git a/main/python3/CVE-2019-9636.patch b/main/python2/CVE-2019-9636.patch
index 45a2c8e976e..17a98a4196c 100644
--- a/main/python3/CVE-2019-9636.patch
+++ b/main/python2/CVE-2019-9636.patch
@@ -1,58 +1,60 @@
-From 23fc0416454c4ad5b9b23d520fbe6d89be3efc24 Mon Sep 17 00:00:00 2001
+From e37ef41289b77e0f0bb9a6aedb0360664c55bdd5 Mon Sep 17 00:00:00 2001
From: Steve Dower <steve.dower@microsoft.com>
-Date: Mon, 11 Mar 2019 21:34:03 -0700
-Subject: [PATCH] [3.6] bpo-36216: Add check for characters in netloc that
- normalize to separators (GH-12201) (GH-12215)
+Date: Thu, 7 Mar 2019 09:08:45 -0800
+Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
+ to separators (GH-12201)
---
- Doc/library/urllib.parse.rst | 18 +++++++++++++++
- Lib/test/test_urlparse.py | 23 +++++++++++++++++++
- Lib/urllib/parse.py | 17 ++++++++++++++
+ Doc/library/urlparse.rst | 20 ++++++++++++++++
+ Lib/test/test_urlparse.py | 24 +++++++++++++++++++
+ Lib/urlparse.py | 17 +++++++++++++
.../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++
- 4 files changed, 61 insertions(+)
+ 4 files changed, 64 insertions(+)
create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
-diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
-index d991254d5ca1..647af613a315 100644
---- a/Doc/library/urllib.parse.rst
-+++ b/Doc/library/urllib.parse.rst
-@@ -121,6 +121,11 @@ or on combining URL components into a URL string.
- Unmatched square brackets in the :attr:`netloc` attribute will raise a
- :exc:`ValueError`.
+diff --git a/Doc/library/urlparse.rst b/Doc/library/urlparse.rst
+index 22249da54fbb..0989c88c3022 100644
+--- a/Doc/library/urlparse.rst
++++ b/Doc/library/urlparse.rst
+@@ -119,12 +119,22 @@ The :mod:`urlparse` module defines the following functions:
+ See section :ref:`urlparse-result-object` for more information on the result
+ object.
+ Characters in the :attr:`netloc` attribute that decompose under NFKC
+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
-+ decomposed before parsing, no error will be raised.
++ decomposed before parsing, or is not a Unicode string, no error will be
++ raised.
+
- .. versionchanged:: 3.2
- Added IPv6 URL parsing capabilities.
+ .. versionchanged:: 2.5
+ Added attributes to return value.
-@@ -133,6 +138,10 @@ or on combining URL components into a URL string.
- Out-of-range port numbers now raise :exc:`ValueError`, instead of
- returning :const:`None`.
+ .. versionchanged:: 2.7
+ Added IPv6 URL parsing capabilities.
-+ .. versionchanged:: 3.6.9
++ .. versionchanged:: 2.7.17
+ Characters that affect netloc parsing under NFKC normalization will
+ now raise :exc:`ValueError`.
+
- .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None)
+ .. function:: parse_qs(qs[, keep_blank_values[, strict_parsing[, max_num_fields]]])
-@@ -256,10 +265,19 @@ or on combining URL components into a URL string.
- Unmatched square brackets in the :attr:`netloc` attribute will raise a
- :exc:`ValueError`.
+@@ -232,11 +242,21 @@ The :mod:`urlparse` module defines the following functions:
+ See section :ref:`urlparse-result-object` for more information on the result
+ object.
+ Characters in the :attr:`netloc` attribute that decompose under NFKC
+ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
+ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
-+ decomposed before parsing, no error will be raised.
++ decomposed before parsing, or is not a Unicode string, no error will be
++ raised.
+
- .. versionchanged:: 3.6
- Out-of-range port numbers now raise :exc:`ValueError`, instead of
- returning :const:`None`.
+ .. versionadded:: 2.2
-+ .. versionchanged:: 3.6.9
+ .. versionchanged:: 2.5
+ Added attributes to return value.
+
++ .. versionchanged:: 2.7.17
+ Characters that affect netloc parsing under NFKC normalization will
+ now raise :exc:`ValueError`.
+
@@ -60,53 +62,55 @@ index d991254d5ca1..647af613a315 100644
.. function:: urlunsplit(parts)
diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
-index be50b47603aa..e6638aee2244 100644
+index 4e1ded73c266..73b0228ea8e3 100644
--- a/Lib/test/test_urlparse.py
+++ b/Lib/test/test_urlparse.py
-@@ -1,3 +1,5 @@
+@@ -1,4 +1,6 @@
+ from test import test_support
+import sys
+import unicodedata
import unittest
- import urllib.parse
+ import urlparse
-@@ -984,6 +986,27 @@ def test_all(self):
- expected.append(name)
- self.assertCountEqual(urllib.parse.__all__, expected)
+@@ -624,6 +626,28 @@ def test_portseparator(self):
+ self.assertEqual(urlparse.urlparse("http://www.python.org:80"),
+ ('http','www.python.org:80','','','',''))
+ def test_urlsplit_normalization(self):
+ # Certain characters should never occur in the netloc,
+ # including under normalization.
+ # Ensure that ALL of them are detected and cause an error
-+ illegal_chars = '/:#?@'
++ illegal_chars = u'/:#?@'
+ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
+ denorm_chars = [
-+ c for c in map(chr, range(128, sys.maxunicode))
++ c for c in map(unichr, range(128, sys.maxunicode))
+ if (hex_chars & set(unicodedata.decomposition(c).split()))
+ and c not in illegal_chars
+ ]
+ # Sanity check that we found at least one such character
-+ self.assertIn('\u2100', denorm_chars)
-+ self.assertIn('\uFF03', denorm_chars)
++ self.assertIn(u'\u2100', denorm_chars)
++ self.assertIn(u'\uFF03', denorm_chars)
+
-+ for scheme in ["http", "https", "ftp"]:
++ for scheme in [u"http", u"https", u"ftp"]:
+ for c in denorm_chars:
-+ url = "{}://netloc{}false.netloc/path".format(scheme, c)
-+ with self.subTest(url=url, char='{:04X}'.format(ord(c))):
-+ with self.assertRaises(ValueError):
-+ urllib.parse.urlsplit(url)
++ url = u"{}://netloc{}false.netloc/path".format(scheme, c)
++ print "Checking %r" % url
++ with self.assertRaises(ValueError):
++ urlparse.urlsplit(url)
++
+ def test_main():
+ test_support.run_unittest(UrlParseTestCase)
- class Utility_Tests(unittest.TestCase):
- """Testcase to test the various utility functions in the urllib."""
-diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
-index 85e68c8b42c7..7b06f4d71d67 100644
---- a/Lib/urllib/parse.py
-+++ b/Lib/urllib/parse.py
-@@ -391,6 +391,21 @@ def _splitnetloc(url, start=0):
+diff --git a/Lib/urlparse.py b/Lib/urlparse.py
+index f7c2b032b097..54eda08651ab 100644
+--- a/Lib/urlparse.py
++++ b/Lib/urlparse.py
+@@ -165,6 +165,21 @@ def _splitnetloc(url, start=0):
delim = min(delim, wdelim) # use earliest delim position
return url[start:delim], url[delim:] # return (domain, rest)
+def _checknetloc(netloc):
-+ if not netloc or not any(ord(c) > 127 for c in netloc):
++ if not netloc or not isinstance(netloc, unicode):
+ return
+ # looking for characters like \u2100 that expand to 'a/c'
+ # IDNA uses NFKC equivalence, so normalize for this check
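Review bot: The Python 2 variant of `_checknetloc` returns early on `not isinstance(netloc, unicode)`, so a URL passed as a byte `str` is never checked, even if the caller later decodes the host and normalizes it. The reworded urlparse.rst text in this patch documents that, but the guard itself deserves a comment such as `# byte strings are not checked; callers that decode the netloc afterwards must validate it themselves`. Separately, the backported test keeps `print "Checking %r" % url` inside the loop, which emits one line per character and scheme on every run and could be dropped. The remainder of `_checknetloc` lies between this hunk and the next.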
@@ -123,28 +127,29 @@ index 85e68c8b42c7..7b06f4d71d67 100644
def urlsplit(url, scheme='', allow_fragments=True):
"""Parse a URL into 5 components:
<scheme>://<netloc>/<path>?<query>#<fragment>
-@@ -420,6 +435,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+@@ -193,6 +208,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
url, fragment = url.split('#', 1)
if '?' in url:
url, query = url.split('?', 1)
+ _checknetloc(netloc)
v = SplitResult(scheme, netloc, url, query, fragment)
_parse_cache[key] = v
- return _coerce_result(v)
-@@ -443,6 +459,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ return v
+@@ -216,6 +232,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
url, fragment = url.split('#', 1)
if '?' in url:
url, query = url.split('?', 1)
+ _checknetloc(netloc)
v = SplitResult(scheme, netloc, url, query, fragment)
_parse_cache[key] = v
- return _coerce_result(v)
+ return v
diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
new file mode 100644
-index 000000000000..5546394157f9
+index 000000000000..1e1ad92c6feb
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
@@ -0,0 +1,3 @@
+Changes urlsplit() to raise ValueError when the URL contains characters that
+decompose under IDNA encoding (NFKC-normalization) into characters that
+affect how the URL is parsed.
+\ No newline at end of file
diff --git a/main/python2/CVE-2019-9948.patch b/main/python2/CVE-2019-9948.patch
new file mode 100644
index 00000000000..e5d38bd0aca
--- /dev/null
+++ b/main/python2/CVE-2019-9948.patch
@@ -0,0 +1,50 @@
+From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
+From: push0ebp <push0ebp@shl-MacBook-Pro.local>
+Date: Thu, 14 Feb 2019 02:05:46 +0900
+Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary
+ URL scheme in urllib
+
+---
+ Lib/test/test_urllib.py | 12 ++++++++++++
+ Lib/urllib.py | 5 ++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 1ce9201c0693..e5f210e62a18 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -1023,6 +1023,18 @@ def open_spam(self, url):
+ "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
+ "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+
++ def test_local_file_open(self):
++ class DummyURLopener(urllib.URLopener):
++ def open_local_file(self, url):
++ return url
++ self.assertEqual(DummyURLopener().open(
++ 'local-file://example'), '//example')
++ self.assertEqual(DummyURLopener().open(
++ 'local_file://example'), '//example')
++ self.assertRaises(IOError, urllib.urlopen,
++ 'local-file://example')
++ self.assertRaises(IOError, urllib.urlopen,
++ 'local_file://example')
+
+ # Just commented them out.
+ # Can't really tell why keep failing in windows and sparc.
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+index d85504a5cb7e..a24e9a5c68fb 100644
+--- a/Lib/urllib.py
++++ b/Lib/urllib.py
+@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
+ name = 'open_' + urltype
+ self.type = urltype
+ name = name.replace('-', '_')
+- if not hasattr(self, name):
++
++ # bpo-35907: # disallow the file reading with the type not allowed
++ if not hasattr(self, name) or \
++ (self == _urlopener and name == 'open_local_file'):
+ if proxy:
+ return self.open_unknown_proxy(proxy, fullurl, data)
+ else:
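Review bot: The new guard `(self == _urlopener and name == 'open_local_file')` only rejects the `local_file:` / `local-file:` scheme for the module-level opener behind `urllib.urlopen`; as `test_local_file_open` itself shows with its subclass, another `URLopener` instance still dispatches such a URL to `open_local_file`. Code that builds its own opener and hands it untrusted URLs therefore still needs a scheme allow-list, and the comment should say so: `# bpo-35907: only the default opener is guarded; other URLopener instances still reach open_local_file`. An identity test states the intent more precisely, `(self is _urlopener and name == 'open_local_file')`, and the existing comment has a stray second `#`. `open` starts and ends outside the hunk.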
diff --git a/main/python3/APKBUILD b/main/python3/APKBUILD
index a4926f1bd2a..c5d300ce1e9 100644
--- a/main/python3/APKBUILD
+++ b/main/python3/APKBUILD
@@ -3,9 +3,9 @@
pkgname=python3
# the python2-tkinter's pkgver needs to be synchronized with this.
-pkgver=3.6.8
+pkgver=3.6.9
_basever="${pkgver%.*}"
-pkgrel=0
+pkgrel=1
pkgdesc="A high-level scripting language"
url="http://www.python.org"
arch="all"
@@ -18,11 +18,16 @@ makedepends="expat-dev libressl-dev zlib-dev ncurses-dev bzip2-dev xz-dev
source="http://www.python.org/ftp/python/$pkgver/Python-$pkgver.tar.xz
musl-find_library.patch
fix-xattrs-glibc.patch
- CVE-2019-9636.patch
+ CVE-2019-16056.patch
+ CVE-2019-16935.patch
"
builddir="$srcdir/Python-$pkgver"
# secfixes:
+# 3.6.9-r1:
+# - CVE-2019-16935
+# 3.6.8-r1:
+# - CVE-2019-16056
# 3.6.8-r0:
# - CVE-2018-14647
# - CVE-2018-20406
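Review bot: The secfixes block attributes CVE-2019-16056 to `3.6.8-r1`, but in this diff `CVE-2019-16056.patch` enters `source=` together with the move to `pkgver=3.6.9` and `pkgrel=1`. Unless a 3.6.8-r1 build carrying that patch was actually published, the entry names a release that did not contain the fix. These comments are what tells consumers which versions are fixed, so the entry should name the first release that shipped the patch, e.g. `# 3.6.9-r1:` followed by `# - CVE-2019-16056`. `CVE-2019-9636.patch` is dropped in the same hunk, presumably because 3.6.9 carries it upstream; it is worth confirming that the part of the secfixes list outside this hunk still records that CVE.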
@@ -151,7 +156,8 @@ wininst() {
"$subpkgdir"/usr/lib/python$_basever/distutils/command
}
-sha512sums="b17867e451ebe662f50df83ed112d3656c089e7d750651ea640052b01b713b58e66aac9e082f71fd16f5b5510bc9b797f5ccd30f5399581e9aa406197f02938a Python-3.6.8.tar.xz
+sha512sums="05de9c6f44d96a52bfce10ede4312de892573edaf8bece65926d19973a3a800d65eed7a857af945f69efcfb25efa3788e7a54016b03d80b611eb51c3ea074819 Python-3.6.9.tar.xz
ab8eaa2858d5109049b1f9f553198d40e0ef8d78211ad6455f7b491af525bffb16738fed60fc84e960c4889568d25753b9e4a1494834fea48291b33f07000ec2 musl-find_library.patch
37b6ee5d0d5de43799316aa111423ba5a666c17dc7f81b04c330f59c1d1565540eac4c585abe2199bbed52ebe7426001edb1c53bd0a17486a2a8e052d0f494ad fix-xattrs-glibc.patch
-bf2ec0bdba63b714f99aa9783a31ab935b234cabe4dc482769462a55bd572c74e03f192fbc5e8a7e2b9a887a5eef7dc0c3819fb464b656f73b500d1b65b591ad CVE-2019-9636.patch"
+e8708c4fef1b591dd7251b36a785f9bc6472f2a25fba11bc4116814e93e770230ebd0016285c28d9065c49c5bf2be10f72182e23fb2767e1875ef20c94b5c97c CVE-2019-16056.patch
+7f94d887c81f79d90afd4a9621547c13cbdd0232250f62a686b26a63160a4d286a6db9b342d06b9b63af64f994835b489c37bab499a2093c3c2585dc7a04d8a1 CVE-2019-16935.patch"
diff --git a/main/python3/CVE-2019-16056.patch b/main/python3/CVE-2019-16056.patch
new file mode 100644
index 00000000000..b6b4d90385a
--- /dev/null
+++ b/main/python3/CVE-2019-16056.patch
@@ -0,0 +1,89 @@
+diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
+index 1fb8cb4..9815e4e 100644
+--- a/Lib/email/_header_value_parser.py
++++ b/Lib/email/_header_value_parser.py
+@@ -1561,6 +1561,8 @@ def get_domain(value):
+ token, value = get_dot_atom(value)
+ except errors.HeaderParseError:
+ token, value = get_atom(value)
++ if value and value[0] == '@':
++ raise errors.HeaderParseError('Invalid Domain')
+ if leader is not None:
+ token[:0] = [leader]
+ domain.append(token)
+diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
+index cdfa372..41ff6f8 100644
+--- a/Lib/email/_parseaddr.py
++++ b/Lib/email/_parseaddr.py
+@@ -379,7 +379,12 @@ class AddrlistClass:
+ aslist.append('@')
+ self.pos += 1
+ self.gotonext()
+- return EMPTYSTRING.join(aslist) + self.getdomain()
++ domain = self.getdomain()
++ if not domain:
++ # Invalid domain, return an empty address instead of returning a
++ # local part to denote failed parsing.
++ return EMPTYSTRING
++ return EMPTYSTRING.join(aslist) + domain
+
+ def getdomain(self):
+ """Get the complete domain name from an address."""
+@@ -394,6 +399,10 @@ class AddrlistClass:
+ elif self.field[self.pos] == '.':
+ self.pos += 1
+ sdlist.append('.')
++ elif self.field[self.pos] == '@':
++ # bpo-34155: Don't parse domains with two `@` like
++ # `a@malicious.org@important.com`.
++ return EMPTYSTRING
+ elif self.field[self.pos] in self.atomends:
+ break
+ else:
+diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py
+index 676732b..577dc43 100644
+--- a/Lib/test/test_email/test__header_value_parser.py
++++ b/Lib/test/test_email/test__header_value_parser.py
+@@ -1418,6 +1418,16 @@ class TestParser(TestParserMixin, TestEmailBase):
+ self.assertEqual(addr_spec.domain, 'example.com')
+ self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com')
+
++ def test_get_addr_spec_multiple_domains(self):
++ with self.assertRaises(errors.HeaderParseError):
++ parser.get_addr_spec('star@a.star@example.com')
++
++ with self.assertRaises(errors.HeaderParseError):
++ parser.get_addr_spec('star@a@example.com')
++
++ with self.assertRaises(errors.HeaderParseError):
++ parser.get_addr_spec('star@172.17.0.1@example.com')
++
+ # get_obs_route
+
+ def test_get_obs_route_simple(self):
+diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
+index f97ccc6..68d0522 100644
+--- a/Lib/test/test_email/test_email.py
++++ b/Lib/test/test_email/test_email.py
+@@ -3035,6 +3035,20 @@ class TestMiscellaneous(TestEmailBase):
+ self.assertEqual(utils.parseaddr('<>'), ('', ''))
+ self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '')
+
++ def test_parseaddr_multiple_domains(self):
++ self.assertEqual(
++ utils.parseaddr('a@b@c'),
++ ('', '')
++ )
++ self.assertEqual(
++ utils.parseaddr('a@b.c@c'),
++ ('', '')
++ )
++ self.assertEqual(
++ utils.parseaddr('a@172.17.0.1@c'),
++ ('', '')
++ )
++
+ def test_noquote_dump(self):
+ self.assertEqual(
+ utils.formataddr(('A Silly Person', 'person@dom.ain')),
+
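Review bot: Unlike the other CVE patches added in this commit, this file starts directly at `diff --git` with no `From`/`Subject` header, so nothing records which upstream commit it was taken from; the only reference is the `bpo-34155` comment inside `getdomain`. A short header above the first `diff --git` line would make the backport auditable, e.g. `Subject: bpo-34155: reject addresses with more than one @` and `Upstream: <upstream-commit-url>`. Note also that, as the new `test_parseaddr_multiple_domains` asserts, `utils.parseaddr` reports a rejected address by returning `('', '')` rather than raising, so callers have to test for the empty result.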
diff --git a/main/python3/CVE-2019-16935.patch b/main/python3/CVE-2019-16935.patch
new file mode 100644
index 00000000000..567eb90fca3
--- /dev/null
+++ b/main/python3/CVE-2019-16935.patch
@@ -0,0 +1,80 @@
+From 1698cacfb924d1df452e78d11a4bf81ae7777389 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@redhat.com>
+Date: Sat, 28 Sep 2019 09:33:00 +0200
+Subject: [PATCH] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
+ (GH-16441)
+
+Escape the server title of xmlrpc.server.DocXMLRPCServer
+when rendering the document page as HTML.
+
+(cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)
+---
+ Lib/test/test_docxmlrpc.py | 16 ++++++++++++++++
+ Lib/xmlrpc/server.py | 3 ++-
+ .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst | 3 +++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+
+diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
+index 00903337c07c2..d2adb21af0fb3 100644
+--- a/Lib/test/test_docxmlrpc.py
++++ b/Lib/test/test_docxmlrpc.py
+@@ -1,5 +1,6 @@
+ from xmlrpc.server import DocXMLRPCServer
+ import http.client
++import re
+ import sys
+ from test import support
+ threading = support.import_module('threading')
+@@ -193,6 +194,21 @@ def test_annotations(self):
+ b'method_annotation</strong></a>(x: bytes)</dt></dl>'),
+ response.read())
+
++ def test_server_title_escape(self):
++ # bpo-38243: Ensure that the server title and documentation
++ # are escaped for HTML.
++ self.serv.set_server_title('test_title<script>')
++ self.serv.set_server_documentation('test_documentation<script>')
++ self.assertEqual('test_title<script>', self.serv.server_title)
++ self.assertEqual('test_documentation<script>',
++ self.serv.server_documentation)
++
++ generated = self.serv.generate_html_documentation()
++ title = re.search(r'<title>(.+?)</title>', generated).group()
++ documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
++ self.assertEqual('<title>Python: test_title&lt;script&gt;</title>', title)
++ self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>', documentation)
++
+
+ if __name__ == '__main__':
+ unittest.main()
+diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
+index 3e0dca027f068..efe593748968c 100644
+--- a/Lib/xmlrpc/server.py
++++ b/Lib/xmlrpc/server.py
+@@ -106,6 +106,7 @@ def export_add(self, x, y):
+
+ from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode
+ from http.server import BaseHTTPRequestHandler
++import html
+ import http.server
+ import socketserver
+ import sys
+@@ -904,7 +905,7 @@ def generate_html_documentation(self):
+ methods
+ )
+
+- return documenter.page(self.server_title, documentation)
++ return documenter.page(html.escape(self.server_title), documentation)
+
+ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
+ """XML-RPC and documentation request handler class.
+diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+new file mode 100644
+index 0000000000000..98d7be129573a
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+@@ -0,0 +1,3 @@
++Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer`
++when rendering the document page as HTML.
++(Contributed by Dong-hee Na in :issue:`38243`.)
diff --git a/main/redis/APKBUILD b/main/redis/APKBUILD
index ea415ec2ee2..e5a74fa1a73 100644
--- a/main/redis/APKBUILD
+++ b/main/redis/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: V.Krishn <vkrishn4@gmail.com>
# Maintainer: TBK <alpine@jjtc.eu>
pkgname=redis
-pkgver=4.0.11
+pkgver=4.0.14
pkgrel=0
pkgdesc="Advanced key-value store"
url="https://redis.io/"
@@ -21,6 +21,9 @@ source="http://download.redis.io/releases/$pkgname-$pkgver.tar.gz
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.0.14-r0:
+# - CVE-2019-10192
+# - CVE-2019-10193
# 4.0.10-r0:
# - CVE-2018-11218
# - CVE-2018-11219
@@ -80,7 +83,7 @@ package() {
install
}
-sha512sums="f0054af9ca2143731a397b2b21285387707b7f40d9326ba15225feb1a2ff470fab5194308342f63bbe1081f84c7e9ef19543c5a8e3eae49e17bfc515c64201f0 redis-4.0.11.tar.gz
+sha512sums="7730a4083962046f8fee674a8ce95e1d3e8c8dcc2d64a65491dc3b851413b2d745942be7a94ee77074aa530da5f3d458c4e7388d7950a8495d8ee9f4862b7e06 redis-4.0.14.tar.gz
91b663f802aea9a473195940d3bf2ce3ca2af4e5b6e61a2d28ebbfe502ef2c764b574b7e87c49e60345d1a5d6b73d12920924c93b26be110c2ce824023347b6f redis.initd
6d17d169b40a7e23a0a2894eff0f3e2fe8e4461b36f2a9d45468f0abd84ea1035d679b4c0a34029bce093147f9c7bb697e843c113c17769d38c934d4a78a5848 redis.logrotate
d87aad6185300c99cc9b6a478c83bf62c450fb2c225592d74cc43a3adb93e19d8d2a42cc279907b385aa73a7b9c77b66828dbfb001009edc16a604abb2087e99 redis.confd"
diff --git a/main/rsyslog/APKBUILD b/main/rsyslog/APKBUILD
index ee76846336b..b930f05b2a5 100644
--- a/main/rsyslog/APKBUILD
+++ b/main/rsyslog/APKBUILD
@@ -5,7 +5,7 @@
# Maintainer: Cameron Banta <cbanta@gmail.com>
pkgname=rsyslog
pkgver=8.31.0
-pkgrel=0
+pkgrel=1
pkgdesc="Enhanced multi-threaded syslogd with database support and more."
url="http://www.rsyslog.com/"
arch="all"
@@ -23,9 +23,16 @@ source="http://www.rsyslog.com/files/download/$pkgname/$pkgname-$pkgver.tar.gz
$pkgname.conf
musl-fix.patch
queue.patch
+ CVE-2019-17041.patch::https://github.com/rsyslog/rsyslog/commit/10549ba915556c557b22b3dac7e4cb73ad22d3d8.patch
+ CVE-2019-17042.patch::https://github.com/rsyslog/rsyslog/commit/abc0960a7561e18944a0e08d48f4eb570ea7435a.patch
"
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 8.31.0-r1:
+# - CVE-2019-17041
+# - CVE-2019-17042
+
build() {
cd "$builddir"
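Review bot: The two new CVE patches are downloaded at build time from GitHub's generated `/commit/<sha>.patch` endpoint instead of being stored next to the APKBUILD like the CVE patches of the other packages in this commit. The `sha512sums` entries added further down do stop a modified download from being applied, but the generated patch text is not guaranteed to stay byte-identical over time. If it changes, the build fails on a checksum mismatch with no local copy to compare against. Committing the two files to main/rsyslog/ and listing them as plain `CVE-2019-17041.patch` and `CVE-2019-17042.patch` would keep the fix reviewable and the build reproducible.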
@@ -103,11 +110,12 @@ snmp() {
mv "$pkgdir"/usr/lib/rsyslog/omsnmp.so \
"$subpkgdir"/usr/lib/rsyslog/
}
-
sha512sums="aab888dda8df3ad7ff404767a58539cdc0bb92d0e537b703cf5833555688dd6d8223889b8d70bf8c594339a51831b57df7a65b397d8b40cded608dfb007befe7 rsyslog-8.31.0.tar.gz
9a4b184076a82e0899da79ab3749e1c67eac03f36c4460d34ed0385f4a3ffad53681a1cc25dd514e835c9399a9abd01c235743535ad549d5be7f66d9e127b9dc rsyslog.initd
a4d969671800227129be870b0318961b79d16365663754111a136734bbf7005abd4da24853dfdc07b3b6691ab5a7b215f0ac6c19022b4c5c8dab06165a42431b rsyslog.confd
d54377ddf39197656811a84272568ea761f984e19dd04fc54f372dd04a9244e66d02b26ab33073d0344d054f031660ec611f3c7a18c266e7b68cef5e2c47f06f rsyslog.logrotate
3bcd58b222eb7f4d8a42a0643cacb6ab44790f90c9bd550678e002bc19863d5d6a7341e5e5ba0b9292f85c6c04cd5cc42d174acdc63e8ba22022620db10f2b9b rsyslog.conf
bd469f3126d9db65cbe6b48a0e6da3ae1a6ef0194b7132799b4fdfcfc50de750691f44de21905fe40c047b7281d3db64b74a473383dd07077c81170daaf3ec6b musl-fix.patch
-7be105f9a30d23b48ee46e19d31ba37ec30477935a9f7ba3929666a9abe175313dbb7caf55fbb1c6579dd5d25fe037eea84cae9065fe3f765f23569344bce5d7 queue.patch"
+7be105f9a30d23b48ee46e19d31ba37ec30477935a9f7ba3929666a9abe175313dbb7caf55fbb1c6579dd5d25fe037eea84cae9065fe3f765f23569344bce5d7 queue.patch
+e9f75ce261dcefb4bd8f1f70707e1ee4221743f562882eb0e77bee0df468b4dd6aea0513a025909a8abb82d026ab010d8fc74a868c6cd8d5e244d5335d3fcf59 CVE-2019-17041.patch
+2edf53a861d8bf20c2b7434cc13f0cf8d077dfa4d9a924742e521ff17088c5a1e6386af03ac1c1d5fd900fd0ce819f19011e4eb86d6844cb888d5d86bc268168 CVE-2019-17042.patch"
diff --git a/main/ruby/APKBUILD b/main/ruby/APKBUILD
index 6564ca9f72c..1300efb2411 100644
--- a/main/ruby/APKBUILD
+++ b/main/ruby/APKBUILD
@@ -3,6 +3,12 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
#
# secfixes:
+# 2.4.10-r0:
+# - CVE-2019-16255
+# - CVE-2019-16254
+# - CVE-2019-15845
+# - CVE-2019-16201
+# - CVE-2020-10663
# 2.4.6-r0:
# - CVE-2019-8320
# - CVE-2019-8321
@@ -33,7 +39,7 @@
# - CVE-2017-17405
#
pkgname=ruby
-pkgver=2.4.6
+pkgver=2.4.10
_abiver="${pkgver%.*}.0"
pkgrel=0
pkgdesc="An object-oriented language for quick and easy programming"
@@ -260,5 +266,5 @@ _mvgem() {
done
}
-sha512sums="7eb7720961e98e22e4335c38eeead9db96d049ef3ac1da437769b98fee7a10feb092643ce75822a2fe3bd5fd94938417ab5c2de7c6056afe0abf6e4cf03ca282 ruby-2.4.6.tar.gz
+sha512sums="dfbe2a28b1a2d458dfc8d4287fbe7caec70890dfecf1e12ac62cddd323d8921ca14a0479453e3691641e3d49366de2e4eb239029c46685234b8f29ac84e1da11 ruby-2.4.10.tar.gz
cfdc5ea3b2e2ea69c51f38e8e2180cb1dc27008ca55cc6301f142ebafdbab31c3379b3b6bba9ff543153876dd98ed2ad194df3255b7ea77a62e931c935f80538 rubygems-avoid-platform-specific-gems.patch"
diff --git a/main/sdl/0001-CVE-2019-7572.patch b/main/sdl/0001-CVE-2019-7572.patch
new file mode 100644
index 00000000000..2c17831dfcb
--- /dev/null
+++ b/main/sdl/0001-CVE-2019-7572.patch
@@ -0,0 +1,64 @@
+From 6086741bda4d43cc227500bc7645a829380e6326 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 15 Feb 2019 09:21:45 +0100
+Subject: [PATCH] CVE-2019-7572: Fix a buffer overwrite in IMA_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If data chunk was longer than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to write past the output
+buffer. This patch fixes it.
+
+Based on patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4496>.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 69d62dc..91e89e8 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -336,7 +336,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *encoded_end, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+@@ -363,6 +363,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+@@ -382,6 +383,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ }
+
+ /* Store the initial sample we start with */
++ if (decoded + 2 > decoded_end) goto invalid_size;
+ decoded[0] = (Uint8)(state[c].sample&0xFF);
+ decoded[1] = (Uint8)(state[c].sample>>8);
+ decoded += 2;
+@@ -392,6 +394,8 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ while ( samplesleft > 0 ) {
+ for ( c=0; c<channels; ++c ) {
+ if (encoded + 4 > encoded_end) goto invalid_size;
++ if (decoded + 4 * 4 * channels > decoded_end)
++ goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
+--
+2.20.1
+
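Review bot: Both added bounds checks form a pointer beyond the buffer before comparing it, `decoded + 2 > decoded_end` and `decoded + 4 * 4 * channels > decoded_end`. Computing a pointer more than one past the end of an object is undefined in C, and if `channels` is not bounded earlier in the function the sum can wrap so that the test passes when it should fail. Comparing the remaining space avoids both: `if ((size_t)(decoded_end - decoded) < (size_t)4 * 4 * channels) goto invalid_size;`, and likewise `< 2` for the first check. `decoded_end` is also only as reliable as `*audio_len`, which is computed outside these hunks from fields read from the file, so an overflow check on that multiplication would be a sensible companion. IMA_ADPCM_decode starts and ends outside the hunks shown.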
diff --git a/main/sdl/0001-CVE-2019-7573.patch b/main/sdl/0001-CVE-2019-7573.patch
new file mode 100644
index 00000000000..767a3b20740
--- /dev/null
+++ b/main/sdl/0001-CVE-2019-7573.patch
@@ -0,0 +1,83 @@
+From 3e2c89e516701f3586dfeadec13932f665371d2a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 15 Feb 2019 10:36:13 +0100
+Subject: [PATCH] CVE-2019-7573, CVE-2019-7576: Fix buffer overreads in
+ InitMS_ADPCM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If MS ADPCM format chunk was too short, InitMS_ADPCM() parsing it
+could read past the end of chunk data. This patch fixes it.
+
+CVE-2019-7573
+https://bugzilla.libsdl.org/show_bug.cgi?id=4491
+CVE-2019-7576
+https://bugzilla.libsdl.org/show_bug.cgi?id=4490
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 91e89e8..1d446ed 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -44,12 +44,13 @@ static struct MS_ADPCM_decoder {
+ struct MS_ADPCM_decodestate state[2];
+ } MS_ADPCM_state;
+
+-static int InitMS_ADPCM(WaveFMT *format)
++static int InitMS_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+ int i;
+
+ /* Set the rogue pointer to the MS_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ MS_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ MS_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ MS_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -58,9 +59,11 @@ static int InitMS_ADPCM(WaveFMT *format)
+ MS_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.wNumCoef = ((rogue_feel[1]<<8)|rogue_feel[0]);
+@@ -70,12 +73,16 @@ static int InitMS_ADPCM(WaveFMT *format)
+ return(-1);
+ }
+ for ( i=0; i<MS_ADPCM_state.wNumCoef; ++i ) {
++ if (rogue_feel + 4 > rogue_feel_end) goto too_short;
+ MS_ADPCM_state.aCoeff[i][0] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ MS_ADPCM_state.aCoeff[i][1] = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ rogue_feel += sizeof(Uint16);
+ }
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with a MS ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+@@ -485,7 +492,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+ break;
+ case MS_ADPCM_CODE:
+ /* Try to understand this */
+- if ( InitMS_ADPCM(format) < 0 ) {
++ if ( InitMS_ADPCM(format, lenread) < 0 ) {
+ was_error = 1;
+ goto done;
+ }
+--
+2.20.1
+
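Review bot: `if (length < sizeof(*format)) goto too_short;` compares the new `int length` parameter with a `size_t`, so a negative `length` is converted to a very large unsigned value and passes this first check. It is then caught only by the later comparisons against `rogue_feel_end`, which by then points before `format`. Rejecting negatives explicitly keeps the guard self-contained: `if (length < 0 || (size_t)length < sizeof(*format)) goto too_short;`. Whether `lenread` can be negative at the call site in SDL_LoadWAV_RW is not visible here. The `rogue_feel + 4 > rogue_feel_end` checks would also be safer as comparisons of the remaining byte count, `rogue_feel_end - rogue_feel < 4`.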
diff --git a/main/sdl/0001-CVE-2019-7574.patch b/main/sdl/0001-CVE-2019-7574.patch
new file mode 100644
index 00000000000..0bae80ff875
--- /dev/null
+++ b/main/sdl/0001-CVE-2019-7574.patch
@@ -0,0 +1,71 @@
+From 9b2eee24768889378032077423cb6a3221a8ad18 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 14 Feb 2019 15:41:47 +0100
+Subject: [PATCH] CVE-2019-7574: Fix a buffer overread in IMA_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If data chunk was shorter than expected based on a WAV format
+definition, IMA_ADPCM_decode() tried to read past the data chunk
+buffer. This patch fixes it.
+
+CVE-2019-7574
+https://bugzilla.libsdl.org/show_bug.cgi?id=4496
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index b6c49de..2968b3d 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -334,7 +334,7 @@ static void Fill_IMA_ADPCM_block(Uint8 *decoded, Uint8 *encoded,
+ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct IMA_ADPCM_decodestate *state;
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Sint32 encoded_len, samplesleft;
+ unsigned int c, channels;
+
+@@ -350,6 +350,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/IMA_ADPCM_state.wavefmt.blockalign) *
+ IMA_ADPCM_state.wSamplesPerBlock*
+@@ -365,6 +366,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ while ( encoded_len >= IMA_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
+ /* Fill the state information for this block */
+ state[c].sample = ((encoded[1]<<8)|encoded[0]);
+ encoded += 2;
+@@ -387,6 +389,7 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ samplesleft = (IMA_ADPCM_state.wSamplesPerBlock-1)*channels;
+ while ( samplesleft > 0 ) {
+ for ( c=0; c<channels; ++c ) {
++ if (encoded + 4 > encoded_end) goto invalid_size;
+ Fill_IMA_ADPCM_block(decoded, encoded,
+ c, channels, &state[c]);
+ encoded += 4;
+@@ -398,6 +401,10 @@ static int IMA_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ }
+ SDL_free(freeable);
+ return(0);
++invalid_size:
++ SDL_SetError("Unexpected chunk length for an IMA ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+--
+2.20.1
+
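Review bot: Both added checks in IMA_ADPCM_decode, `if (encoded + 4 > encoded_end) goto invalid_size;`, form `encoded + 4` before comparing. When fewer than four bytes remain, that pointer lies more than one element past the end of the buffer, which C leaves undefined and an optimiser may assume cannot happen. Comparing the remaining length avoids the out-of-range pointer: `if (encoded_end - encoded < 4) goto invalid_size;`. The same form is used by the `encoded`/`decoded` checks in 0001-CVE-2019-7575.patch and 0001-CVE-2019-7577.patch and by `rogue_feel + 2 > rogue_feel_end` in 0001-CVE-2019-7578.patch. The function body extends beyond the inner hunks shown here.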
diff --git a/main/sdl/0001-CVE-2019-7575.patch b/main/sdl/0001-CVE-2019-7575.patch
new file mode 100644
index 00000000000..53965aa2f23
--- /dev/null
+++ b/main/sdl/0001-CVE-2019-7575.patch
@@ -0,0 +1,84 @@
+From e1f80cadb079e35103e6eebf160a818815c823df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 14 Feb 2019 14:51:52 +0100
+Subject: [PATCH] CVE-2019-7575: Fix a buffer overwrite in MS_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a WAV format defines shorter audio stream and decoded MS ADPCM data chunk
+is longer, decoding continued past the output audio buffer.
+
+This fix is based on a patch from
+<https://bugzilla.libsdl.org/show_bug.cgi?id=4492>.
+
+https://bugzilla.libsdl.org/show_bug.cgi?id=4493
+CVE-2019-7575
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index e42d01c..b6c49de 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct MS_ADPCM_decodestate *state[2];
+- Uint8 *freeable, *encoded, *encoded_end, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded, *decoded_end;
+ Sint32 encoded_len, samplesleft;
+ Sint8 nybble, stereo;
+ Sint16 *coeff[2];
+@@ -135,6 +135,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ return(-1);
+ }
+ decoded = *audio_buf;
++ decoded_end = decoded + *audio_len;
+
+ /* Get ready... Go! */
+ stereo = (MS_ADPCM_state.wavefmt.channels == 2);
+@@ -142,7 +143,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ state[1] = &MS_ADPCM_state.state[stereo];
+ while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
+- if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto invalid_size;
+ state[0]->hPredictor = *encoded++;
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+@@ -169,6 +170,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ coeff[1] = MS_ADPCM_state.aCoeff[state[1]->hPredictor];
+
+ /* Store the two initial samples we start with */
++ if (decoded + 4 + (stereo ? 4 : 0) > decoded_end) goto invalid_size;
+ decoded[0] = state[0]->iSamp2&0xFF;
+ decoded[1] = state[0]->iSamp2>>8;
+ decoded += 2;
+@@ -190,7 +192,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ MS_ADPCM_state.wavefmt.channels;
+ while ( samplesleft > 0 ) {
+- if (encoded + 1 > encoded_end) goto too_short;
++ if (encoded + 1 > encoded_end) goto invalid_size;
++ if (decoded + 4 > decoded_end) goto invalid_size;
+
+ nybble = (*encoded)>>4;
+ new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+@@ -213,8 +216,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ }
+ SDL_free(freeable);
+ return(0);
+-too_short:
+- SDL_SetError("Too short chunk for a MS ADPCM decoder");
++invalid_size:
++ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
+ }
+--
+2.20.1
+
diff --git a/main/sdl/0001-CVE-2019-7577.patch b/main/sdl/0001-CVE-2019-7577.patch
new file mode 100644
index 00000000000..23cbf98192b
--- /dev/null
+++ b/main/sdl/0001-CVE-2019-7577.patch
@@ -0,0 +1,75 @@
+From ac3d0d365b1f01a6782565feda0c7432a5795671 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 14 Feb 2019 14:12:22 +0100
+Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If RIFF/WAV data chunk length is shorter then expected for an audio
+format defined in preceeding RIFF/WAV format headers, a buffer
+overread can happen.
+
+This patch fixes it by checking a MS ADPCM data to be decoded are not
+past the initialized buffer.
+
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index b4ad6c7..e42d01c 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -115,7 +115,7 @@ static Sint32 MS_ADPCM_nibble(struct MS_ADPCM_decodestate *state,
+ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ {
+ struct MS_ADPCM_decodestate *state[2];
+- Uint8 *freeable, *encoded, *decoded;
++ Uint8 *freeable, *encoded, *encoded_end, *decoded;
+ Sint32 encoded_len, samplesleft;
+ Sint8 nybble, stereo;
+ Sint16 *coeff[2];
+@@ -124,6 +124,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ /* Allocate the proper sized output buffer */
+ encoded_len = *audio_len;
+ encoded = *audio_buf;
++ encoded_end = encoded + encoded_len;
+ freeable = *audio_buf;
+ *audio_len = (encoded_len/MS_ADPCM_state.wavefmt.blockalign) *
+ MS_ADPCM_state.wSamplesPerBlock*
+@@ -141,6 +142,7 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ state[1] = &MS_ADPCM_state.state[stereo];
+ while ( encoded_len >= MS_ADPCM_state.wavefmt.blockalign ) {
+ /* Grab the initial information for this block */
++ if (encoded + 7 + (stereo ? 7 : 0) > encoded_end) goto too_short;
+ state[0]->hPredictor = *encoded++;
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+@@ -188,6 +190,8 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ samplesleft = (MS_ADPCM_state.wSamplesPerBlock-2)*
+ MS_ADPCM_state.wavefmt.channels;
+ while ( samplesleft > 0 ) {
++ if (encoded + 1 > encoded_end) goto too_short;
++
+ nybble = (*encoded)>>4;
+ new_sample = MS_ADPCM_nibble(state[0],nybble,coeff[0]);
+ decoded[0] = new_sample&0xFF;
+@@ -209,6 +213,10 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ }
+ SDL_free(freeable);
+ return(0);
++too_short:
++ SDL_SetError("Too short chunk for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ struct IMA_ADPCM_decodestate {
+--
+2.20.1
+
diff --git a/main/sdl/0001-CVE-2019-7578.patch b/main/sdl/0001-CVE-2019-7578.patch
new file mode 100644
index 00000000000..b0a89de20df
--- /dev/null
+++ b/main/sdl/0001-CVE-2019-7578.patch
@@ -0,0 +1,67 @@
+From 0eb76f6cabcffa2104e34c26e0f41e6de95356ff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 15 Feb 2019 10:56:59 +0100
+Subject: [PATCH] CVE-2019-7578: Fix a buffer overread in InitIMA_ADPCM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If IMA ADPCM format chunk was too short, InitIMA_ADPCM() parsing it
+could read past the end of chunk data. This patch fixes it.
+
+CVE-2019-7578
+https://bugzilla.libsdl.org/show_bug.cgi?id=4494
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 1d446ed..08f65cb 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -240,11 +240,12 @@ static struct IMA_ADPCM_decoder {
+ struct IMA_ADPCM_decodestate state[2];
+ } IMA_ADPCM_state;
+
+-static int InitIMA_ADPCM(WaveFMT *format)
++static int InitIMA_ADPCM(WaveFMT *format, int length)
+ {
+- Uint8 *rogue_feel;
++ Uint8 *rogue_feel, *rogue_feel_end;
+
+ /* Set the rogue pointer to the IMA_ADPCM specific data */
++ if (length < sizeof(*format)) goto too_short;
+ IMA_ADPCM_state.wavefmt.encoding = SDL_SwapLE16(format->encoding);
+ IMA_ADPCM_state.wavefmt.channels = SDL_SwapLE16(format->channels);
+ IMA_ADPCM_state.wavefmt.frequency = SDL_SwapLE32(format->frequency);
+@@ -253,11 +254,16 @@ static int InitIMA_ADPCM(WaveFMT *format)
+ IMA_ADPCM_state.wavefmt.bitspersample =
+ SDL_SwapLE16(format->bitspersample);
+ rogue_feel = (Uint8 *)format+sizeof(*format);
++ rogue_feel_end = (Uint8 *)format + length;
+ if ( sizeof(*format) == 16 ) {
+ rogue_feel += sizeof(Uint16);
+ }
++ if (rogue_feel + 2 > rogue_feel_end) goto too_short;
+ IMA_ADPCM_state.wSamplesPerBlock = ((rogue_feel[1]<<8)|rogue_feel[0]);
+ return(0);
++too_short:
++ SDL_SetError("Unexpected length of a chunk with an IMA ADPCM format");
++ return(-1);
+ }
+
+ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+@@ -500,7 +506,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
+ break;
+ case IMA_ADPCM_CODE:
+ /* Try to understand this */
+- if ( InitIMA_ADPCM(format) < 0 ) {
++ if ( InitIMA_ADPCM(format, lenread) < 0 ) {
+ was_error = 1;
+ goto done;
+ }
+--
+2.20.1
+
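Review bot: The first guard in InitIMA_ADPCM, `if (length < sizeof(*format)) goto too_short;`, compares a signed `int length` with a `size_t`, so a negative length is converted to a large unsigned value and passes. The only remaining protection is then the later `rogue_feel + 2 > rogue_feel_end` test, evaluated against an end pointer computed from that negative length. The call site passes `lenread`, whose declared type is not visible in this patch; if it is an unsigned 32-bit value, either give the parameter that type or reject negatives explicitly with `if (length < 0 || (size_t)length < sizeof(*format)) goto too_short;`. The InitMS_ADPCM patch earlier in this commit uses the same first check.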
diff --git a/main/sdl/0001-CVE-2019-7635.patch b/main/sdl/0001-CVE-2019-7635.patch
new file mode 100644
index 00000000000..ebf8b91e7fd
--- /dev/null
+++ b/main/sdl/0001-CVE-2019-7635.patch
@@ -0,0 +1,53 @@
+CVE-2019-7635: Reject BMP images with pixel colors out the palette
+If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors
+than the palette offers an SDL_Surface with a palette of the indicated
+number of used colors is created. If some of the image's pixel
+refer to a color number higher then the maximal used colors, a subsequent
+bliting operation on the surface will look up a color past a blit map
+(that is based on the palette) memory. I.e. passing such SDL_Surface
+to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
+a blit function.
+
+This patch fixes it by validing each pixel's color to be less than the
+maximal color number in the palette. A validation failure raises an
+error from a SDL_LoadBMP_RW() function.
+
+CVE-2019-7635
+https://bugzilla.libsdl.org/show_bug.cgi?id=4498
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+diff -r a936f9bd3e38 -r f1f5878be5db src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c Mon Jun 10 09:25:05 2019 -0700
++++ b/src/video/SDL_bmp.c Tue Jun 11 06:28:12 2019 -0700
+@@ -308,6 +308,12 @@
+ }
+ *(bits+i) = (pixel>>shift);
+ pixel <<= ExpandBMP;
++ if ( bits[i] >= biClrUsed ) {
++ SDL_SetError(
++ "A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ } }
+ break;
+
+@@ -318,6 +324,16 @@
+ was_error = SDL_TRUE;
+ goto done;
+ }
++ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
++ for ( i=0; i<surface->w; ++i ) {
++ if ( bits[i] >= biClrUsed ) {
++ SDL_SetError(
++ "A BMP image contains a pixel with a color out of the palette");
++ was_error = SDL_TRUE;
++ goto done;
++ }
++ }
++ }
+ #if SDL_BYTEORDER == SDL_BIG_ENDIAN
+ /* Byte-swap the pixels if needed. Note that the 24bpp
+ case has already been taken care of above. */
+
diff --git a/main/sdl/0001-CVE-2019-7636.patch b/main/sdl/0001-CVE-2019-7636.patch
new file mode 100644
index 00000000000..51e40ef1cec
--- /dev/null
+++ b/main/sdl/0001-CVE-2019-7636.patch
@@ -0,0 +1,29 @@
+Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c
+
+Petr Pisar
+
+The reproducer has these data in BITMAPINFOHEADER:
+
+biSize = 40
+biBitCount = 8
+biClrUsed = 131075
+
+SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount.
+
+Also fixes CVE-2019-7638
+
+diff -r 8586f153eede -r 19d8c3b9c251 src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c Sun Jan 13 15:27:50 2019 +0100
++++ b/src/video/SDL_bmp.c Mon Feb 18 07:48:23 2019 -0800
+@@ -233,6 +233,10 @@
+ if ( palette ) {
+ if ( biClrUsed == 0 ) {
+ biClrUsed = 1 << biBitCount;
++ } else if ( biClrUsed > (1 << biBitCount) ) {
++ SDL_SetError("BMP file has an invalid number of colors");
++ was_error = SDL_TRUE;
++ goto done;
+ }
+ if ( biSize == 12 ) {
+ for ( i = 0; i < (int)biClrUsed; ++i ) {
+
diff --git a/main/sdl/0001-CVE-2019-7637.patch b/main/sdl/0001-CVE-2019-7637.patch
new file mode 100644
index 00000000000..90a734f8ae8
--- /dev/null
+++ b/main/sdl/0001-CVE-2019-7637.patch
@@ -0,0 +1,182 @@
+CVE-2019-7637: Fix in integer overflow in SDL_CalculatePitch
+If a too large width is passed to SDL_SetVideoMode() the width travels
+to SDL_CalculatePitch() where the width (e.g. 65535) is multiplied by
+BytesPerPixel (e.g. 4) and the result is stored into Uint16 pitch
+variable. During this arithmetics an integer overflow can happen (e.g.
+the value is clamped as 65532). As a result SDL_Surface with a pitch
+smaller than width * BytesPerPixel is created, too small pixel buffer
+is allocated and when the SDL_Surface is processed in SDL_FillRect()
+a buffer overflow occurs.
+
+This can be reproduced with "./graywin -width 21312312313123213213213"
+command.
+
+This patch fixes is by using a very careful arithmetics in
+SDL_CalculatePitch(). If an overflow is detected, an error is reported
+back as a special 0 value. We assume that 0-width surfaces do not
+occur in the wild. Since SDL_CalculatePitch() is a private function,
+we can change the semantics.
+
+CVE-2019-7637
+https://bugzilla.libsdl.org/show_bug.cgi?id=4497
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/SDL_pixels.c
+--- a/src/video/SDL_pixels.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/SDL_pixels.c Sat Mar 16 19:16:24 2019 -0700
+@@ -286,26 +286,53 @@
+ }
+ }
+ /*
+- * Calculate the pad-aligned scanline width of a surface
++ * Calculate the pad-aligned scanline width of a surface. Return 0 in case of
++ * an error.
+ */
+ Uint16 SDL_CalculatePitch(SDL_Surface *surface)
+ {
+- Uint16 pitch;
++ unsigned int pitch = 0;
+
+ /* Surface should be 4-byte aligned for speed */
+- pitch = surface->w*surface->format->BytesPerPixel;
++ /* The code tries to prevent from an Uint16 overflow. */;
++ for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--) {
++ pitch += (unsigned int)surface->w;
++ if (pitch < surface->w) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ }
+ switch (surface->format->BitsPerPixel) {
+ case 1:
+- pitch = (pitch+7)/8;
++ if (pitch % 8) {
++ pitch = pitch / 8 + 1;
++ } else {
++ pitch = pitch / 8;
++ }
+ break;
+ case 4:
+- pitch = (pitch+1)/2;
++ if (pitch % 2) {
++ pitch = pitch / 2 + 1;
++ } else {
++ pitch = pitch / 2;
++ }
+ break;
+ default:
+ break;
+ }
+- pitch = (pitch + 3) & ~3; /* 4-byte aligning */
+- return(pitch);
++ /* 4-byte aligning */
++ if (pitch & 3) {
++ if (pitch + 3 < pitch) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ pitch = (pitch + 3) & ~3;
++ }
++ if (pitch > 0xFFFF) {
++ SDL_SetError("A scanline is too wide");
++ return(0);
++ }
++ return((Uint16)pitch);
+ }
+ /*
+ * Match an RGB value to a particular palette index
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/gapi/SDL_gapivideo.c
+--- a/src/video/gapi/SDL_gapivideo.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/gapi/SDL_gapivideo.c Sat Mar 16 19:16:24 2019 -0700
+@@ -733,6 +733,9 @@
+ video->w = gapi->w = width;
+ video->h = gapi->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Small fix for WinCE/Win32 - when activating window
+ SDL_VideoSurface is equal to zero, so activating code
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/nanox/SDL_nxvideo.c
+--- a/src/video/nanox/SDL_nxvideo.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/nanox/SDL_nxvideo.c Sat Mar 16 19:16:24 2019 -0700
+@@ -378,6 +378,10 @@
+ current -> w = width ;
+ current -> h = height ;
+ current -> pitch = SDL_CalculatePitch (current) ;
++ if (!current->pitch) {
++ current = NULL;
++ goto done;
++ }
+ NX_ResizeImage (this, current, flags) ;
+ }
+
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps2gs/SDL_gsvideo.c
+--- a/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/ps2gs/SDL_gsvideo.c Sat Mar 16 19:16:24 2019 -0700
+@@ -479,6 +479,9 @@
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Memory map the DMA area for block memory transfer */
+ if ( ! mapped_mem ) {
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/ps3/SDL_ps3video.c
+--- a/src/video/ps3/SDL_ps3video.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/ps3/SDL_ps3video.c Sat Mar 16 19:16:24 2019 -0700
+@@ -339,6 +339,9 @@
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Alloc aligned mem for current->pixels */
+ s_pixels = memalign(16, current->h * current->pitch);
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/windib/SDL_dibvideo.c
+--- a/src/video/windib/SDL_dibvideo.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/windib/SDL_dibvideo.c Sat Mar 16 19:16:24 2019 -0700
+@@ -675,6 +675,9 @@
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ /* Small fix for WinCE/Win32 - when activating window
+ SDL_VideoSurface is equal to zero, so activating code
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/windx5/SDL_dx5video.c
+--- a/src/video/windx5/SDL_dx5video.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/windx5/SDL_dx5video.c Sat Mar 16 19:16:24 2019 -0700
+@@ -1127,6 +1127,9 @@
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
++ if (!current->pitch) {
++ return(NULL);
++ }
+
+ #ifndef NO_CHANGEDISPLAYSETTINGS
+ /* Set fullscreen mode if appropriate.
+diff -r 4646533663ae -r 9b0e5c555c0f src/video/x11/SDL_x11video.c
+--- a/src/video/x11/SDL_x11video.c Sat Mar 16 18:35:33 2019 -0700
++++ b/src/video/x11/SDL_x11video.c Sat Mar 16 19:16:24 2019 -0700
+@@ -1225,6 +1225,10 @@
+ current->w = width;
+ current->h = height;
+ current->pitch = SDL_CalculatePitch(current);
++ if (!current->pitch) {
++ current = NULL;
++ goto done;
++ }
+ if (X11_ResizeImage(this, current, flags) < 0) {
+ current = NULL;
+ goto done;
+
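Review bot: SDL_CalculatePitch now signals failure by returning 0, which protects only the callers that test for it. This patch adds the test to seven video drivers (gapi, nanox, ps2gs, ps3, windib, windx5, x11); any other caller, none of which is visible here, would carry on with a zero pitch. It is worth searching the tree for remaining callers of SDL_CalculatePitch and confirming that each one either checks for 0 or cannot receive an oversized width. Separately, `for (Uint8 byte = surface->format->BytesPerPixel; byte; byte--)` declares the counter inside the for statement, which needs C99; if this tree is still built in a pre-C99 mode, declare `Uint8 byte;` at the top of the function instead. The comment line ending in `*/;` also leaves a stray empty statement.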
diff --git a/main/sdl/0002-CVE-2019-7572.patch b/main/sdl/0002-CVE-2019-7572.patch
new file mode 100644
index 00000000000..0f242be4e40
--- /dev/null
+++ b/main/sdl/0002-CVE-2019-7572.patch
@@ -0,0 +1,59 @@
+From bb11ffcff5ae2f25bead921c2a299e7e63d8a759 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Thu, 14 Feb 2019 16:51:54 +0100
+Subject: [PATCH] CVE-2019-7572: Fix a buffer overread in IMA_ADPCM_nibble
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If an IMA ADPCM block contained an initial index out of step table
+range (loaded in IMA_ADPCM_decode()), IMA_ADPCM_nibble() blindly used
+this bogus value and that lead to a buffer overread.
+
+This patch fixes it by moving clamping the index value at the
+beginning of IMA_ADPCM_nibble() function instead of the end after
+an update.
+
+CVE-2019-7572
+https://bugzilla.libsdl.org/show_bug.cgi?id=4495
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 2968b3d..69d62dc 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -275,6 +275,14 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+ };
+ Sint32 delta, step;
+
++ /* Clamp index value. The inital value can be invalid. */
++ if ( state->index > 88 ) {
++ state->index = 88;
++ } else
++ if ( state->index < 0 ) {
++ state->index = 0;
++ }
++
+ /* Compute difference and new sample value */
+ step = step_table[state->index];
+ delta = step >> 3;
+@@ -286,12 +294,6 @@ static Sint32 IMA_ADPCM_nibble(struct IMA_ADPCM_decodestate *state,Uint8 nybble)
+
+ /* Update index value */
+ state->index += index_table[nybble];
+- if ( state->index > 88 ) {
+- state->index = 88;
+- } else
+- if ( state->index < 0 ) {
+- state->index = 0;
+- }
+
+ /* Clamp output sample */
+ if ( state->sample > max_audioval ) {
+--
+2.20.1
+
diff --git a/main/sdl/0002-CVE-2019-7577.patch b/main/sdl/0002-CVE-2019-7577.patch
new file mode 100644
index 00000000000..06b429cb6dd
--- /dev/null
+++ b/main/sdl/0002-CVE-2019-7577.patch
@@ -0,0 +1,57 @@
+From 69cd6157644cb0a5c9edd7b5920232c2ca31c151 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Tue, 12 Mar 2019 16:21:41 +0100
+Subject: [PATCH] CVE-2019-7577: Fix a buffer overread in MS_ADPCM_nibble and
+ MS_ADPCM_decode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If a chunk of RIFF/WAV file with MS ADPCM encoding contains an invalid
+predictor (a valid predictor's value is between 0 and 6 inclusive),
+a buffer overread can happen when the predictor is used as an index
+into an array of MS ADPCM coefficients.
+
+The overead happens when indexing MS_ADPCM_state.aCoeff[] array in
+MS_ADPCM_decode() and later when dereferencing a coef pointer in
+MS_ADPCM_nibble().
+
+This patch fixes it by checking the MS ADPCM predictor values fit
+into the valid range.
+
+CVE-2019-7577
+Reproducer: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/audio/SDL_wave.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
+index 08f65cb..5f93651 100644
+--- a/src/audio/SDL_wave.c
++++ b/src/audio/SDL_wave.c
+@@ -155,6 +155,9 @@ static int MS_ADPCM_decode(Uint8 **audio_buf, Uint32 *audio_len)
+ if ( stereo ) {
+ state[1]->hPredictor = *encoded++;
+ }
++ if (state[0]->hPredictor >= 7 || state[1]->hPredictor >= 7) {
++ goto invalid_predictor;
++ }
+ state[0]->iDelta = ((encoded[1]<<8)|encoded[0]);
+ encoded += sizeof(Sint16);
+ if ( stereo ) {
+@@ -227,6 +230,10 @@ invalid_size:
+ SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");
+ SDL_free(freeable);
+ return(-1);
++invalid_predictor:
++ SDL_SetError("Invalid predictor value for a MS ADPCM decoder");
++ SDL_free(freeable);
++ return(-1);
+ }
+
+ struct IMA_ADPCM_decodestate {
+--
+2.20.1
+
diff --git a/main/sdl/0002-CVE-2019-7635.patch b/main/sdl/0002-CVE-2019-7635.patch
new file mode 100644
index 00000000000..01a111ccc4f
--- /dev/null
+++ b/main/sdl/0002-CVE-2019-7635.patch
@@ -0,0 +1,21 @@
+diff -r 19d8c3b9c251 -r 08f3b4992538 src/video/SDL_bmp.c
+--- a/src/video/SDL_bmp.c Mon Feb 18 07:48:23 2019 -0800
++++ b/src/video/SDL_bmp.c Sat Mar 16 18:35:11 2019 -0700
+@@ -163,6 +163,14 @@
+ ExpandBMP = biBitCount;
+ biBitCount = 8;
+ break;
++ case 2:
++ case 3:
++ case 5:
++ case 6:
++ case 7:
++ SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
++ was_error = SDL_TRUE;
++ goto done;
+ default:
+ ExpandBMP = 0;
+ break;
+
+
+
diff --git a/main/sdl/0002-CVE-2019-7637.patch b/main/sdl/0002-CVE-2019-7637.patch
new file mode 100644
index 00000000000..bf28310d5eb
--- /dev/null
+++ b/main/sdl/0002-CVE-2019-7637.patch
@@ -0,0 +1,42 @@
+fix copy+paste mistakes in commit 9b0e5c555c0f (CVE-2019-7637 fix):
+
+http://hg.libsdl.org/SDL/rev/9b0e5c555c0f made copy+paste mistakes which
+resulted in windows versions failing to set video mode.
+
+diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/gapi/SDL_gapivideo.c
+--- a/src/video/gapi/SDL_gapivideo.c Wed Jul 31 23:50:10 2019 +0300
++++ b/src/video/gapi/SDL_gapivideo.c Fri Aug 02 00:35:05 2019 +0300
+@@ -733,7 +733,7 @@
+ video->w = gapi->w = width;
+ video->h = gapi->h = height;
+ video->pitch = SDL_CalculatePitch(video);
+- if (!current->pitch) {
++ if (!video->pitch) {
+ return(NULL);
+ }
+
+diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windib/SDL_dibvideo.c
+--- a/src/video/windib/SDL_dibvideo.c Wed Jul 31 23:50:10 2019 +0300
++++ b/src/video/windib/SDL_dibvideo.c Fri Aug 02 00:35:05 2019 +0300
+@@ -675,7 +675,7 @@
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
+- if (!current->pitch) {
++ if (!video->pitch) {
+ return(NULL);
+ }
+
+diff -r 37d0eba8fa17 -r 32075e9e2135 src/video/windx5/SDL_dx5video.c
+--- a/src/video/windx5/SDL_dx5video.c Wed Jul 31 23:50:10 2019 +0300
++++ b/src/video/windx5/SDL_dx5video.c Fri Aug 02 00:35:05 2019 +0300
+@@ -1127,7 +1127,7 @@
+ video->w = width;
+ video->h = height;
+ video->pitch = SDL_CalculatePitch(video);
+- if (!current->pitch) {
++ if (!video->pitch) {
+ return(NULL);
+ }
+
+
diff --git a/main/sdl/APKBUILD b/main/sdl/APKBUILD
index 69d81747b47..d18b8ce4a3f 100644
--- a/main/sdl/APKBUILD
+++ b/main/sdl/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=sdl
pkgver=1.2.15
-pkgrel=7
+pkgrel=9
pkgdesc="A library for portable low-level access to a video framebuffer, audio output, mouse, and keyboard"
url="http://www.libsdl.org"
arch="all"
@@ -12,11 +12,42 @@ depends_dev="libx11-dev"
makedepends="$depends_dev libxext-dev libxrender-dev libx11-dev libice-dev
libsm-dev libxrandr-dev mesa-dev alsa-lib-dev glu-dev"
source="http://www.libsdl.org/release/SDL-$pkgver.tar.gz
+ 0001-CVE-2019-7574.patch
+ 0001-CVE-2019-7572.patch
+ 0002-CVE-2019-7572.patch
+ 0001-CVE-2019-7573.patch
+ 0001-CVE-2019-7577.patch
+ 0002-CVE-2019-7577.patch
+ 0001-CVE-2019-7575.patch
+ 0001-CVE-2019-7578.patch
+ 0001-CVE-2019-7635.patch
+ 0002-CVE-2019-7635.patch
+ 0001-CVE-2019-7636.patch
+ 0001-CVE-2019-7637.patch
+ 0002-CVE-2019-7637.patch
SDL-1.2.10-GrabNotViewable.patch
SDL-1.2.15-const_XData32.patch
+ CVE-2019-13616.patch::https://hg.libsdl.org/SDL/raw-diff/ad1bbfbca760/src/video/SDL_bmp.c
"
+
_builddir="$srcdir"/SDL-$pkgver
+# secfixes:
+# 1.2.15-r9:
+# - CVE-2019-13616
+# 1.2.15-r8:
+# - CVE-2019-7572
+# - CVE-2019-7573
+# - CVE-2019-7574
+# - CVE-2019-7575
+# - CVE-2019-7576
+# - CVE-2019-7577
+# - CVE-2019-7578
+# - CVE-2019-7635
+# - CVE-2019-7636
+# - CVE-2019-7637
+# - CVE-2019-7638
+
prepare() {
cd "$_builddir"
update_config_sub || return 1
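Review bot: The new `source` entries are not listed in the order the upstream patches were generated, going by the `index` lines in the patch files. 0001-CVE-2019-7577 (b4ad6c7..e42d01c) comes before 0001-CVE-2019-7575 (e42d01c..b6c49de), which comes before 0001-CVE-2019-7574 (b6c49de..2968b3d), and 0002-CVE-2019-7577 (08f65cb..5f93651) comes after 0001-CVE-2019-7578 (1d446ed..08f65cb). In particular, 0002-CVE-2019-7577.patch has the context line `SDL_SetError("Unexpected chunk length for a MS ADPCM decoder");`, which exists only once 0001-CVE-2019-7575.patch has been applied, yet it is listed ahead of that patch. If the patches are applied in listed order (the apply step is outside this hunk), they can go in only with fuzz or offsets, which makes it harder to be sure each security fix landed where upstream intended. Listing them in upstream order, with `0001-CVE-2019-7575.patch` and `0001-CVE-2019-7578.patch` ahead of `0002-CVE-2019-7577.patch`, removes that dependency.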
@@ -50,13 +81,20 @@ package() {
cd "$srcdir"/SDL-$pkgver
make DESTDIR="$pkgdir" install
}
-
-md5sums="9d96df8417572a2afb781a7c4c811a85 SDL-1.2.15.tar.gz
-37ad001a4d2ff924a5fab356b49f8a78 SDL-1.2.10-GrabNotViewable.patch
-d9ad0c726f7d3f3e3c8bbf83368cd38d SDL-1.2.15-const_XData32.patch"
-sha256sums="d6d316a793e5e348155f0dd93b979798933fb98aa1edebcc108829d6474aad00 SDL-1.2.15.tar.gz
-ea2042b8a45a083b1447d5c56e52b23b79f2ddb0d717ec7b287b34ef71bd2d1a SDL-1.2.10-GrabNotViewable.patch
-465c611d4a9db44a6d7f0a8f6ef9583ec4b85383b17a2b706b3a811294220173 SDL-1.2.15-const_XData32.patch"
sha512sums="ac392d916e6953b0925a7cbb0f232affea33339ef69b47a0a7898492afb9784b93138986df53d6da6d3e2ad79af1e9482df565ecca30f89428be0ae6851b1adc SDL-1.2.15.tar.gz
+8c287d6ffcc159f19d934d560e073a716325b6a62d9dea974b92b2d4a417defc4f8441769b4761c5a2600b10a45ff401b0afbab6823880e3d54eab09e22f9859 0001-CVE-2019-7574.patch
+e713d0f3d24d73831d9f116d4e15e965c5f09e19b15634e8cbf92714612b0172f24a5c542b3fde09732d17b03d7dac3aaac0d8f4e359a45c1c538970413d6e7c 0001-CVE-2019-7572.patch
+3274f91e41b72cd98b6d7962013dd45289952b7af78cc7bc5fe99d4f143434243c8ef0743117d3ec6b090784dfcba8dd460679cc5b49f298ebd8b5afab78a108 0002-CVE-2019-7572.patch
+3bf62a71988feff2329e298cee8ce48c636c65100959385b73953c95eea21cb069a7ed096165c252e5ef1db133330da5d095cf5ad145d9875b1197d3b5517b81 0001-CVE-2019-7573.patch
+f364161069ceb5d05d329ff04f6e72d2c52baff68d0d3f2203f8a7ee3ace1efe8fc63676ea7d097ccc8eb696dcc20c6b141319ddf0c2bb6efc4fd92cb1dba038 0001-CVE-2019-7577.patch
+d2f0664cc0388908ec621c84e7f889ef5abda31dc4e4d23e6e379e26475ed73863ad47b2f13d282c96ba269bdbc77e7effaf5f01032d0683ad991b506063ef19 0002-CVE-2019-7577.patch
+abe54d9f29b5e6c1a91cba2bb44e0988b7ceb5a94c3f63569f436f49f282b80280cecd79ee48b9926fff458efbdf0fff019b0fdbf6530692a11a68dbec73e7ca 0001-CVE-2019-7575.patch
+a31d5c685fafbca72fdc5336343b74b90b1bfd5af4b6f632b4d8271bb1a218ec6419a7994290f65e7a5fc36d921c2d3c1a25ddf0cdf29bffb7229229415eaa9f 0001-CVE-2019-7578.patch
+47729b56a7d323fecd4e4cccddce06061c4f53b723cb08108e1800897da54bae0bede862a09d219dce515696d9e270d062c7aa0af1ba445cc3160cdac8e3d3f7 0001-CVE-2019-7635.patch
+8e2c04d8a8167c479f56aa2b363bd3b5ee302c473642717445385210871e0c7b6bfb3020c553c4b0ca849b8a290602b20e7e398d396fdbf47980c38b0969f230 0002-CVE-2019-7635.patch
+8e9fa28015e64f08d7d8124398ee5b268546105b73313490cfffdd547e67e729455535407177827e485c4132badfc48a73cce18c0ff7ff8a1c8706613acf180c 0001-CVE-2019-7636.patch
+0ad1e445a067afb726df48eac55d593075c945199bd718b4116af84c15df6f5c095f541a5c8a008aef4474dda874e68517236f2f37e1539e0e5684240b058231 0001-CVE-2019-7637.patch
+105378cf7609872198c83b8824a1c36463b01f5696cda6c184252b728cdd1054cdc2e68a338f5d728facd182628d2a8b29b961664e89d7f9022abc0268c9afc1 0002-CVE-2019-7637.patch
20049408d4c00d895c39a7901d889d1874ebcd382e93b2e8df38bd3726e2236f4e9a980720724cf176a35d05fb0db5dbcabd42089423adeb404f2dba16d52b7b SDL-1.2.10-GrabNotViewable.patch
-ae7cdb61930199a7989e1690be37133eddeb8d446fef3fb5bbe0008d5e3b30abb28f4cc8ffea5d7a186ec242f158ed06dbd2b9ea98ca3e3caeed5ab12bac6875 SDL-1.2.15-const_XData32.patch"
+ae7cdb61930199a7989e1690be37133eddeb8d446fef3fb5bbe0008d5e3b30abb28f4cc8ffea5d7a186ec242f158ed06dbd2b9ea98ca3e3caeed5ab12bac6875 SDL-1.2.15-const_XData32.patch
+1b97970d0bcb7c49a3edfab2dd8c622a591ee64543ebe9e03b1de29a5cfb87820100444ff5ba0ce319911d1020ad94f6a8678c31aa13e370d1c9aeed6e3fd669 CVE-2019-13616.patch"
diff --git a/main/sdl2/APKBUILD b/main/sdl2/APKBUILD
index 679614c4b50..e66d186d830 100644
--- a/main/sdl2/APKBUILD
+++ b/main/sdl2/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: August Klein <amatcoder@gmail.com>
# Maintainer: August Klein <amatcoder@gmail.com>
pkgname=sdl2
-pkgver=2.0.7
-pkgrel=3
+pkgver=2.0.10
+pkgrel=0
pkgdesc="A development library designed to provide low level access to audio, keyboard, mouse, joystick and graphics"
url="http://www.libsdl.org"
arch="all"
@@ -16,6 +16,19 @@ source="https://www.libsdl.org/release/SDL2-$pkgver.tar.gz
fix-directfb-include.patch"
builddir="$srcdir/SDL2-$pkgver"
+# secfixes:
+# 2.0.10-r0:
+# - CVE-2019-7572
+# - CVE-2019-7573
+# - CVE-2019-7574
+# - CVE-2019-7575
+# - CVE-2019-7576
+# - CVE-2019-7578
+# - CVE-2019-7635
+# - CVE-2019-7636
+# - CVE-2019-7637
+# - CVE-2019-7638
+
build() {
cd "$builddir"
# NOTE: Please do not remove the --enable-video-directfb flag.
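Review bot: The new `# secfixes:` block for 2.0.10-r0 runs from CVE-2019-7572 to CVE-2019-7578 but skips CVE-2019-7577, while the sdl APKBUILD changed in this same commit carries a `0002-CVE-2019-7577.patch`. If that issue also applies to the SDL2 line and is resolved by the 2.0.10 tarball, add `#   - CVE-2019-7577` so tooling that reads this block does not report the package as still affected. If it was left out on purpose, a one-line comment saying so would save the next maintainer the lookup.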
@@ -43,6 +56,5 @@ package() {
cd "$builddir"
make DESTDIR="$pkgdir" install
}
-
-sha512sums="eed5477843086a0e66552eb197a5c4929134522bc366d873732361ea0df5fb841ef7e2b1913e21d1bae69e6fd3152ee630492e615c58cbe903e7d6e47b587410 SDL2-2.0.7.tar.gz
-f57a7a7b89f11934835b5693d104354be1107ddd31d34f6cfc07cf480b0811d775c95685f6b6b20c6154f03744ed976c8092973ddb6e87773969b8394e852c24 fix-directfb-include.patch"
+sha512sums="f49b869362699b3282f6e82920e59c7fac581bcbf955f18a81cc126293c08093a90df7fcb39517cc8bc32708d2213fe645a42b655d6d811c1386efebb3d3c798 SDL2-2.0.10.tar.gz
+126fe6f072e7f45c0d8db710904ffc2a3382fa1403d34a4f9c656e1deca633147b1e5273ce9dfd148af2694cd472ab045129ff50e9ebbb0a888125253710a805 fix-directfb-include.patch"
diff --git a/main/sdl2/fix-directfb-include.patch b/main/sdl2/fix-directfb-include.patch
index 0f7cf360161..5ddf7b198ae 100644
--- a/main/sdl2/fix-directfb-include.patch
+++ b/main/sdl2/fix-directfb-include.patch
@@ -14,14 +14,3 @@ index 2d18afb..6416e2f 100644
/* Set up for C function definitions, even when using C++ */
#ifdef __cplusplus
extern "C" {
-@@ -79,10 +84,6 @@ struct SDL_SysWMinfo;
-
- #endif /* defined(SDL_VIDEO_DRIVER_X11) */
-
--#if defined(SDL_VIDEO_DRIVER_DIRECTFB)
--#include <directfb.h>
--#endif
--
- #if defined(SDL_VIDEO_DRIVER_COCOA)
- #ifdef __OBJC__
- @class NSWindow;
diff --git a/main/sdl2_image/APKBUILD b/main/sdl2_image/APKBUILD
index 64c70f91169..6023ff887b2 100644
--- a/main/sdl2_image/APKBUILD
+++ b/main/sdl2_image/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Francesco Colista <fcolista@alpinelinux.org>
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=sdl2_image
-pkgver=2.0.2
-pkgrel=1
+pkgver=2.0.5
+pkgrel=0
_pkgname=SDL2_image
pkgdesc="A simple library to load images of various formats as SDL surfaces"
url="http://www.libsdl.org/projects/SDL_image/"
@@ -11,22 +11,22 @@ license="zlib"
makedepends="sdl2-dev libpng-dev libjpeg-turbo-dev
libwebp-dev tiff-dev zlib-dev"
subpackages="$pkgname-dev"
-source="http://www.libsdl.org/projects/SDL_image/release/$_pkgname-$pkgver.tar.gz
- CVE-2017-12122.patch
- CVE-2017-14440.patch
- CVE-2017-14441.patch
- CVE-2017-14442.patch
- CVE-2017-14448.patch
- CVE-2017-14450.patch
- CVE-2018-3837.patch
- CVE-2018-3838.patch
- CVE-2018-3839.patch
-"
-
+source="http://www.libsdl.org/projects/SDL_image/release/$_pkgname-$pkgver.tar.gz"
builddir="$srcdir/$_pkgname-$pkgver"
# secfixes:
-#
+# 2.0.5-r0:
+# - CVE-2019-5060 TALOS-2019-0844
+# - CVE-2019-5059 TALOS-2019-0843
+# - CVE-2019-5058 TALOS-2019-0842
+# - CVE-2019-5057 TALOS-2019-0841
+# - CVE-2019-5052 TALOS-2019-0821
+# - CVE-2019-5051 TALOS-2019-0820
+# - CVE-2019-12222
+# - CVE-2019-12221
+# - CVE-2019-12219
+# - CVE-2019-12218
+# - CVE-2019-12217
# 2.0.2-r1:
# - CVE-2017-12122 TALOS-2017-0488
# - CVE-2017-14440 TALOS-2017-0489
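Review bot: `source=` is reduced to the tarball alone here, yet this commit also adds `main/sdl2_image/CVE-2019-13616.patch`, which is then neither fetched, checksummed nor applied by this APKBUILD. The new 2.0.5-r0 secfixes entry does not name CVE-2019-13616 either. If the 2.0.5 release already contains that change, drop the unused patch file and add `#   - CVE-2019-13616` to the list; if it does not, the patch needs to go back into `source=` and `sha512sums`. Which case holds cannot be determined from this diff.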
@@ -63,13 +63,4 @@ package() {
make DESTDIR="$pkgdir" install
}
-sha512sums="468f1a5aaee0b6920adb80df21aaaa41bfc5c642b4a00ac60244a90c5e9f27b092b73bcdd2c5520aa1de2759e8b174686b186a51f2d07e7e188ce2cd10519724 SDL2_image-2.0.2.tar.gz
-1c3c713af1b3d1996a226741fa0e053e76aee4355c5dfeb9d727b0af016c73760c63907547a11de2d3bb1f23fcbfe5265317d20d54baf10ec8e0cdd25e2370ec CVE-2017-12122.patch
-0527bcb0113d09a935f694192f864457f3d86c2d69ef7bc89036544756ab23c32e5b30e526190b1642f8d0a531c9dd52eaeca9605320578168932d98bb4badea CVE-2017-14440.patch
-6455c44fa0727b91fef53bca887b86fc8ae4652ef13ffcb305d86405fba7d2527941530eba2e87af382a05333694bfa69ea3e2c692422a0eb33ef58538ac74b1 CVE-2017-14441.patch
-ac7be687db2fcea5daa0b8f8685f3b7a106bd748ba8277986515d1129b969fbdc9adb3a4836141f81f3cb51c93539339fad40c9bf132582bc977bc0e0103de83 CVE-2017-14442.patch
-e483cfb17333c2f1f3513549891d6378161f70ad70876fb4a4f44e32c4b85e76503eefbb7294c2ad77ab0cb812e646466169aa2f15637ac8337aa623b328d9b9 CVE-2017-14448.patch
-eec58e6fbe0a96f63a01241bb9a3b26b6dbacdd5a5fcbbae5a62a3f577d8b8ef9cf9ec60f70cec854990a16f53086f510c2adc40d345b15ce8a6412910da1a86 CVE-2017-14450.patch
-59c8d73eb65d896c6ea168ac97a817f482507ae9f694c90359096160d9f0c0f584143762d848cf1d021af4a6d16d33c69ad7382b5a2bc10ee22621304420bc36 CVE-2018-3837.patch
-f0a74538c70e47264f892d6b8f3280c8e45db0e0aa05fb145e4398f5c6b16636da12c66de90835015541a236c065287f715351042a79139cbd1b337b4ed0715c CVE-2018-3838.patch
-09da40655972e32ee9f6498aff12d235e2137dd28e1f3e0fa858d22ee7b228602400b9ce1b40cbf8ec447bf0a07c3c2bd9cf4bcecea0d8360aa5c606d63c53dd CVE-2018-3839.patch"
+sha512sums="77e743d3f32707e015b290c1379ae3c7d7a3fe265995713267f0d0ec6517de4808f0de9890b5ab28445941af5bc9fbff346620629e0d7d7e9f365262cab05ee7 SDL2_image-2.0.5.tar.gz"
diff --git a/main/sdl2_image/CVE-2017-12122.patch b/main/sdl2_image/CVE-2017-12122.patch
deleted file mode 100644
index 9c2f33b1707..00000000000
--- a/main/sdl2_image/CVE-2017-12122.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-diff -r 3e1ebbbaba54 -r 16772bbb1b09 IMG_lbm.c
---- a/IMG_lbm.c Wed Jan 24 01:43:46 2018 -0500
-+++ b/IMG_lbm.c Wed Jan 24 01:44:36 2018 -0500
-@@ -245,7 +245,7 @@
- goto done;
- }
-
-- if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (bmhd.planes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )
-+ if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (nbplanes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )
- goto done;
-
- if ( bmhd.mask & 2 ) /* There is a transparent color */
-@@ -272,7 +272,7 @@
- /* The 32 last colors are the same but divided by 2 */
- /* Some Amiga pictures save 64 colors with 32 last wrong colors, */
- /* they shouldn't !, and here we overwrite these 32 bad colors. */
-- if ( (nbcolors==32 || flagEHB ) && (1<<bmhd.planes)==64 )
-+ if ( (nbcolors==32 || flagEHB ) && (1<<nbplanes)==64 )
- {
- nbcolors = 64;
- ptr = &colormap[0];
-@@ -286,8 +286,8 @@
-
- /* If nbcolors < 2^nbplanes, repeat the colormap */
- /* This happens when pictures have a stencil mask */
-- if ( nbrcolorsfinal > (1<<bmhd.planes) ) {
-- nbrcolorsfinal = (1<<bmhd.planes);
-+ if ( nbrcolorsfinal > (1<<nbplanes) ) {
-+ nbrcolorsfinal = (1<<nbplanes);
- }
- for ( i=nbcolors; i < (Uint32)nbrcolorsfinal; i++ )
- {
-
-
-diff -r 16772bbb1b09 -r 97f7f01e0665 IMG_lbm.c
---- a/IMG_lbm.c Wed Jan 24 01:44:36 2018 -0500
-+++ b/IMG_lbm.c Wed Jan 24 01:45:04 2018 -0500
-@@ -233,6 +233,12 @@
- nbplanes = 1;
- }
-
-+ if ((nbplanes != 1) && (nbplanes != 4) && (nbplanes != 8) && (nbplanes != 24))
-+ {
-+ error="unsupported number of color planes";
-+ goto done;
-+ }
-+
- stencil = (bmhd.mask & 1); /* There is a mask ( 'stencil' ) */
-
- /* Allocate memory for a temporary buffer ( used for
-
diff --git a/main/sdl2_image/CVE-2017-14440.patch b/main/sdl2_image/CVE-2017-14440.patch
deleted file mode 100644
index 49ab2b03235..00000000000
--- a/main/sdl2_image/CVE-2017-14440.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-# HG changeset patch
-# User Ryan C. Gordon <icculus@icculus.org>
-# Date 1516813224 18000
-# Node ID bfa08dc02b3c7b265ead6019f901f17f925570c3
-# Parent 97f7f01e0665b7555a0e5e9465799e80c8f59528
-lbm: Don't overflow static colormap buffer.
-
-diff -r 97f7f01e0665 -r bfa08dc02b3c IMG_lbm.c
---- a/IMG_lbm.c Wed Jan 24 01:45:04 2018 -0500
-+++ b/IMG_lbm.c Wed Jan 24 12:00:24 2018 -0500
-@@ -183,6 +183,11 @@
-
- if ( !SDL_memcmp( id, "CMAP", 4 ) ) /* palette ( Color Map ) */
- {
-+ if (size > sizeof (colormap)) {
-+ error="colormap size is too large";
-+ goto done;
-+ }
-+
- if ( !SDL_RWread( src, &colormap, size, 1 ) )
- {
- error="error reading CMAP chunk";
-
diff --git a/main/sdl2_image/CVE-2017-14441.patch b/main/sdl2_image/CVE-2017-14441.patch
deleted file mode 100644
index 19c30bbf995..00000000000
--- a/main/sdl2_image/CVE-2017-14441.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-# HG changeset patch
-# User Ryan C. Gordon <icculus@icculus.org>
-# Date 1516816924 18000
-# Node ID a1e9b624ca1033f893e93691802682bf36400f7a
-# Parent bfa08dc02b3c7b265ead6019f901f17f925570c3
-ico: reject obviously incorrect image sizes.
-
-diff -r bfa08dc02b3c -r a1e9b624ca10 IMG_bmp.c
---- a/IMG_bmp.c Wed Jan 24 12:00:24 2018 -0500
-+++ b/IMG_bmp.c Wed Jan 24 13:02:04 2018 -0500
-@@ -735,6 +735,14 @@
- goto done;
- }
-
-+ /* sanity check image size, so we don't overflow integers, etc. */
-+ if ((biWidth < 0) || (biWidth > 0xFFFFFF) ||
-+ (biHeight < 0) || (biHeight > 0xFFFFFF)) {
-+ IMG_SetError("Unsupported or invalid ICO dimensions");
-+ was_error = SDL_TRUE;
-+ goto done;
-+ }
-+
- /* Create a RGBA surface */
- biHeight = biHeight >> 1;
- //printf("%d x %d\n", biWidth, biHeight);
-
diff --git a/main/sdl2_image/CVE-2017-14442.patch b/main/sdl2_image/CVE-2017-14442.patch
deleted file mode 100644
index 6fa4524b400..00000000000
--- a/main/sdl2_image/CVE-2017-14442.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-
-# HG changeset patch
-# User Ryan C. Gordon <icculus@icculus.org>
-# Date 1516817527 18000
-# Node ID 37445f6180a8ca7a218ab9f9eaaeaf088b4f6c3a
-# Parent a1e9b624ca1033f893e93691802682bf36400f7a
-bmp: don't overflow palette buffer with bogus biClrUsed values.
-
-diff -r a1e9b624ca10 -r 37445f6180a8 IMG_bmp.c
---- a/IMG_bmp.c Wed Jan 24 13:02:04 2018 -0500
-+++ b/IMG_bmp.c Wed Jan 24 13:12:07 2018 -0500
-@@ -760,6 +760,11 @@
- if (biClrUsed == 0) {
- biClrUsed = 1 << biBitCount;
- }
-+ if (biClrUsed > SDL_arraysize(palette)) {
-+ IMG_SetError("Unsupported or incorrect biClrUsed field");
-+ was_error = SDL_TRUE;
-+ goto done;
-+ }
- for (i = 0; i < (int) biClrUsed; ++i) {
- SDL_RWread(src, &palette[i], 4, 1);
- }
-
diff --git a/main/sdl2_image/CVE-2017-14448.patch b/main/sdl2_image/CVE-2017-14448.patch
deleted file mode 100644
index 6b02f743165..00000000000
--- a/main/sdl2_image/CVE-2017-14448.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-
-# HG changeset patch
-# User Ryan C. Gordon <icculus@icculus.org>
-# Date 1517092075 18000
-# Node ID 7df1580f1695d327c1c4580dccbf7ca6da5aed9e
-# Parent 37445f6180a8ca7a218ab9f9eaaeaf088b4f6c3a
-xcf: deal with bogus data in rle tile decoding.
-
-diff -r 37445f6180a8 -r 7df1580f1695 IMG_xcf.c
---- a/IMG_xcf.c Wed Jan 24 13:12:07 2018 -0500
-+++ b/IMG_xcf.c Sat Jan 27 17:27:55 2018 -0500
-@@ -486,7 +486,7 @@
- t = load = (unsigned char *) SDL_malloc (len);
- reallen = SDL_RWread (src, t, 1, len);
-
-- data = (unsigned char *) SDL_malloc (x*y*bpp);
-+ data = (unsigned char *) SDL_calloc (1, x*y*bpp);
- for (i = 0; i < bpp; i++) {
- d = data + i;
- size = x*y;
-@@ -503,6 +503,12 @@
- t += 2;
- }
-
-+ if (((size_t) (t - load) + length) >= len) {
-+ break; /* bogus data */
-+ } else if (length > size) {
-+ break; /* bogus data */
-+ }
-+
- count += length;
- size -= length;
-
-@@ -518,6 +524,12 @@
- t += 2;
- }
-
-+ if (((size_t) (t - load)) >= len) {
-+ break; /* bogus data */
-+ } else if (length > size) {
-+ break; /* bogus data */
-+ }
-+
- count += length;
- size -= length;
-
-@@ -529,6 +541,11 @@
- }
- }
- }
-+
-+ if (size > 0) {
-+ break; /* just drop out, untouched data initialized to zero. */
-+ }
-+
- }
-
- SDL_free (load);
-
diff --git a/main/sdl2_image/CVE-2017-14450.patch b/main/sdl2_image/CVE-2017-14450.patch
deleted file mode 100644
index c7feeb7f8c5..00000000000
--- a/main/sdl2_image/CVE-2017-14450.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-
-# HG changeset patch
-# User Ryan C. Gordon <icculus@icculus.org>
-# Date 1517113689 18000
-# Node ID 45e750f92c843dccea0820d86726e9cf1d524392
-# Parent d0142861559ccd4fde994fbd33c34fbdee25f84c
-gif: report error on bogus LWZ data, instead of overflowing a buffer.
-
-diff -r d0142861559c -r 45e750f92c84 IMG_gif.c
---- a/IMG_gif.c Sat Jan 27 22:50:18 2018 -0500
-+++ b/IMG_gif.c Sat Jan 27 23:28:09 2018 -0500
-@@ -497,8 +497,10 @@
- return -3;
- }
- *sp++ = table[1][code];
-- if (code == table[0][code])
-- RWSetMsg("circular table entry BIG ERROR");
-+ if (code == table[0][code]) {
-+ RWSetMsg("circular table entry BIG ERROR");
-+ return -3;
-+ }
- code = table[0][code];
- }
-
-
diff --git a/main/sdl2_image/CVE-2017-2887.patch b/main/sdl2_image/CVE-2017-2887.patch
deleted file mode 100644
index 8b4d0c571c8..00000000000
--- a/main/sdl2_image/CVE-2017-2887.patch
+++ /dev/null
@@ -1,25 +0,0 @@
---- a/IMG_xcf.c Mon Sep 18 16:10:17 2017 -0700
-+++ b/IMG_xcf.c Fri Oct 06 15:40:19 2017 -0700
-@@ -251,6 +251,7 @@
- }
-
- static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {
-+ Uint32 len;
- prop->id = SDL_ReadBE32 (src);
- prop->length = SDL_ReadBE32 (src);
-
-@@ -274,7 +275,12 @@
- break;
- case PROP_COMPRESSION:
- case PROP_COLOR:
-- SDL_RWread (src, &prop->data, prop->length, 1);
-+ if (prop->length > sizeof(prop->data)) {
-+ len = sizeof(prop->data);
-+ } else {
-+ len = prop->length;
-+ }
-+ SDL_RWread(src, &prop->data, len, 1);
- break;
- case PROP_VISIBLE:
- prop->data.visible = SDL_ReadBE32 (src);
-
diff --git a/main/sdl2_image/CVE-2018-3837.patch b/main/sdl2_image/CVE-2018-3837.patch
deleted file mode 100644
index 823a2b9cbce..00000000000
--- a/main/sdl2_image/CVE-2018-3837.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-
-# HG changeset patch
-# User Ryan C. Gordon <icculus@icculus.org>
-# Date 1518036231 18000
-# Node ID 2938fc80591abeae74b971cbdf966eff3213297e
-# Parent f50c9c46ba52f5a594313774a938844e5cf82b4d
-pcx: don't overflow buffer if bytes-per-line is less than image width.
-
-diff -r f50c9c46ba52 -r 2938fc80591a IMG_pcx.c
---- a/IMG_pcx.c Sun Jan 28 22:10:40 2018 -0800
-+++ b/IMG_pcx.c Wed Feb 07 15:43:51 2018 -0500
-@@ -147,7 +147,7 @@
- if (bpl > surface->pitch) {
- error = "bytes per line is too large (corrupt?)";
- }
-- buf = (Uint8 *)SDL_malloc(bpl);
-+ buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
- row = (Uint8 *)surface->pixels;
- for ( y=0; y<surface->h; ++y ) {
- /* decode a scan line to a temporary buffer first */
-
diff --git a/main/sdl2_image/CVE-2018-3838.patch b/main/sdl2_image/CVE-2018-3838.patch
deleted file mode 100644
index b0e89b804b5..00000000000
--- a/main/sdl2_image/CVE-2018-3838.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-
-# HG changeset patch
-# User Ryan C. Gordon <icculus@icculus.org>
-# Date 1518038334 18000
-# Node ID c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d
-# Parent 2938fc80591abeae74b971cbdf966eff3213297e
-xcf: Prevent infinite loop and/or buffer overflow on bogus data.
-
-diff -r 2938fc80591a -r c5f9cbb5d2bb IMG_xcf.c
---- a/IMG_xcf.c Wed Feb 07 15:43:51 2018 -0500
-+++ b/IMG_xcf.c Wed Feb 07 16:18:54 2018 -0500
-@@ -483,6 +483,10 @@
- int i, size, count, j, length;
- unsigned char val;
-
-+ if (len == 0) { /* probably bogus data. */
-+ return NULL;
-+ }
-+
- t = load = (unsigned char *) SDL_malloc (len);
- reallen = SDL_RWread (src, t, 1, len);
-
-@@ -608,6 +612,16 @@
- tile = load_tile(src, ox * oy * 6, hierarchy->bpp, ox, oy);
- }
-
-+ if (!tile) {
-+ if (hierarchy) {
-+ free_xcf_hierarchy(hierarchy);
-+ }
-+ if (level) {
-+ free_xcf_level(level);
-+ }
-+ return 1;
-+ }
-+
- p8 = tile;
- p16 = (Uint16 *) p8;
- p = (Uint32 *) p8;
-
diff --git a/main/sdl2_image/CVE-2018-3839.patch b/main/sdl2_image/CVE-2018-3839.patch
deleted file mode 100644
index 86370cbc4ce..00000000000
--- a/main/sdl2_image/CVE-2018-3839.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-
-# HG changeset patch
-# User Ryan C. Gordon <icculus@icculus.org>
-# Date 1518038991 18000
-# Node ID fb643e371806910f1973abfdfe7f981e8dba60f5
-# Parent c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d
-xcf: check for some potential integer overflows.
-
-diff -r c5f9cbb5d2bb -r fb643e371806 IMG_xcf.c
---- a/IMG_xcf.c Wed Feb 07 16:18:54 2018 -0500
-+++ b/IMG_xcf.c Wed Feb 07 16:29:51 2018 -0500
-@@ -595,6 +595,18 @@
- SDL_RWseek(src, layer->hierarchy_file_offset, RW_SEEK_SET);
- hierarchy = read_xcf_hierarchy(src);
-
-+ if (hierarchy->bpp > 4) { /* unsupported. */
-+ SDL_Log("Unknown Gimp image bpp (%u)\n", (unsigned int) hierarchy->bpp);
-+ free_xcf_hierarchy(hierarchy);
-+ return 1;
-+ }
-+
-+ if ((hierarchy->width > 20000) || (hierarchy->height > 20000)) { /* arbitrary limit to avoid integer overflow. */
-+ SDL_Log("Gimp image too large (%ux%u)\n", (unsigned int) hierarchy->width, (unsigned int) hierarchy->height);
-+ free_xcf_hierarchy(hierarchy);
-+ return 1;
-+ }
-+
- level = NULL;
- for (i = 0; hierarchy->level_file_offsets[i]; i++) {
- SDL_RWseek(src, hierarchy->level_file_offsets[i], RW_SEEK_SET);
-
diff --git a/main/sdl2_image/CVE-2019-13616.patch b/main/sdl2_image/CVE-2019-13616.patch
new file mode 100644
index 00000000000..cb0fe87a389
--- /dev/null
+++ b/main/sdl2_image/CVE-2019-13616.patch
@@ -0,0 +1,24 @@
+
+# HG changeset patch
+# User Sam Lantinga <slouken@libsdl.org>
+# Date 1564509612 25200
+# Node ID ba45f00879ba0b957780e1fd28304c41503c1737
+# Parent f1baffa48926c4c76f482f21a240667e9159d1d5
+Fixed bug 4538 - validate image size when loading BMP files
+
+diff -r f1baffa48926 -r ba45f00879ba IMG_bmp.c
+--- a/IMG_bmp.c Tue Jul 30 10:16:02 2019 -0700
++++ b/IMG_bmp.c Tue Jul 30 11:00:12 2019 -0700
+@@ -351,6 +351,11 @@
+ SDL_RWseek(src, (biSize - headerSize), RW_SEEK_CUR);
+ }
+ }
++ if (biWidth <= 0 || biHeight == 0) {
++ IMG_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
+
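Review bot: The added guard rejects `biWidth <= 0` and `biHeight == 0` but lets the most negative height through to `biHeight = -biHeight;`, which overflows if the field is a signed 32-bit value (its declaration is outside the hunk). It also sets no upper bound, unlike the ICO check in the removed CVE-2017-14441.patch, which capped both dimensions at `0xFFFFFF`. Consider extending the condition, for example `if (biWidth <= 0 || biHeight == 0 || biHeight == INT_MIN) {`, and confirming that later size arithmetic on width and height cannot wrap. The same applies to the identical hunk in `main/sdl_image/CVE-2019-13616.patch`; the enclosing loader function continues beyond both hunks.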
diff --git a/main/sdl_image/APKBUILD b/main/sdl_image/APKBUILD
index 65e0c8b104d..d5f0411fe54 100644
--- a/main/sdl_image/APKBUILD
+++ b/main/sdl_image/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=sdl_image
pkgver=1.2.12
-pkgrel=3
+pkgrel=4
pkgdesc="A simple library to load images of various formats as SDL surfaces"
url="http://www.libsdl.org/projects/SDL_image/"
arch="all"
@@ -11,7 +11,13 @@ depends=""
makedepends="sdl-dev libpng-dev libjpeg-turbo-dev tiff-dev zlib-dev"
install=""
subpackages="$pkgname-dev"
-source="http://www.libsdl.org/projects/SDL_image/release/SDL_image-${pkgver}.tar.gz"
+source="http://www.libsdl.org/projects/SDL_image/release/SDL_image-${pkgver}.tar.gz
+ CVE-2019-13616.patch
+ "
+
+# secfixes:
+# 1.2.12-r4:
+# - CVE-2019-13616
_builddir="$srcdir"/SDL_image-$pkgver
prepare() {
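Review bot: Listing `CVE-2019-13616.patch` in `source=` only fetches and checksums the file; whether it is applied depends on the custom `prepare()`, whose body starts on the last line of this hunk and is not shown. This APKBUILD sets `_builddir` rather than `builddir`, so the stock patch-applying step may not be in play. Please confirm `prepare()` runs `patch` over the `*.patch` entries in `$source`, or switch to `builddir=` plus `default_prepare`. A build log line showing the patch being applied would be enough evidence. Otherwise the `1.2.12-r4` secfixes entry would claim a fix that is not in the binary.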
@@ -42,4 +48,5 @@ package() {
make DESTDIR="$pkgdir" install || return 1
}
-sha512sums="0e71b280abc2a7f15755e4480a3c1b52d41f9f8b0c9216a6f5bd9fc0e939456fb5d6c10419e1d1904785783f9a1891ead278c03e88b0466fecc6871c3ca40136 SDL_image-1.2.12.tar.gz"
+sha512sums="0e71b280abc2a7f15755e4480a3c1b52d41f9f8b0c9216a6f5bd9fc0e939456fb5d6c10419e1d1904785783f9a1891ead278c03e88b0466fecc6871c3ca40136 SDL_image-1.2.12.tar.gz
+0ae144202435ad35e5ff6ae6b73592cd8ef68dba2704e09ba22f2b9e9d98f547f2ead28327be0594897f2165d2bf5c26f07e8ef72760527e8d9e4e593e8e5f60 CVE-2019-13616.patch"
diff --git a/main/sdl_image/CVE-2019-13616.patch b/main/sdl_image/CVE-2019-13616.patch
new file mode 100644
index 00000000000..f2ed7c6aa07
--- /dev/null
+++ b/main/sdl_image/CVE-2019-13616.patch
@@ -0,0 +1,16 @@
+diff --git a/IMG_bmp.c b/IMG_bmp.c
+index b3c7580..bfadd45 100644
+--- a/IMG_bmp.c
++++ b/IMG_bmp.c
+@@ -272,6 +272,11 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc)
+ biClrUsed = SDL_ReadLE32(src);
+ biClrImportant = SDL_ReadLE32(src);
+ }
++ if (biWidth <= 0 || biHeight == 0) {
++ IMG_SetError("BMP file with bad dimensions (%dx%d)", biWidth, biHeight);
++ was_error = SDL_TRUE;
++ goto done;
++ }
+ if (biHeight < 0) {
+ topDown = SDL_TRUE;
+ biHeight = -biHeight;
diff --git a/main/sqlite/APKBUILD b/main/sqlite/APKBUILD
index ee26f82e4cd..2864c8107f3 100644
--- a/main/sqlite/APKBUILD
+++ b/main/sqlite/APKBUILD
@@ -2,8 +2,12 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
#
# secfixes:
+# 3.25.3-r1:
+# - CVE-2019-8457
+# 3.25.3-r0:
+# - CVE-2018-20346
# 3.21.0-r1:
-# - CVE-2018-8740
+# - CVE-2018-8740
#
pkgname=sqlite
pkgver=3.25.3
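Review bot: After this change the file carries two `# secfixes:` blocks that disagree, and neither records CVE-2019-16168 even though `CVE-2019-16168.patch` is added to `source=` in the `@@ -30,9 +34,13 @@` hunk. The block here stops at 3.25.3-r1, and the second block in the `@@ -46,11 +54,13 @@` hunk maps `3.25.3-r2` to CVE-2018-20346, which it also lists under r0. That r2 entry looks like it was meant to read `#   - CVE-2019-16168`. Keeping a single block with that entry corrected would stop scanners that parse secfixes from reporting the package as unfixed.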
@@ -22,7 +26,7 @@ esac
[ $_d -lt 10 ] && _d=0$_d
_ver=${_a}${_b}${_c}${_d}
-pkgrel=0
+pkgrel=2
pkgdesc="A C library that implements an SQL database engine"
url="http://www.sqlite.org/"
arch="all"
@@ -30,9 +34,13 @@ options="!check"
license="custom"
depends=""
makedepends="readline-dev"
-source="http://www.sqlite.org/2018/$pkgname-autoconf-$_ver.tar.gz
- license.txt"
subpackages="$pkgname-doc $pkgname-dev $pkgname-libs"
+source="http://www.sqlite.org/2018/$pkgname-autoconf-$_ver.tar.gz
+ license.txt
+ CVE-2019-8457.patch
+ CVE-2019-16168.patch
+ "
+builddir="$srcdir/$pkgname-autoconf-$_ver"
_amalgamation="-DSQLITE_ENABLE_FTS4 \
-DSQLITE_ENABLE_FTS3_PARENTHESIS \
@@ -46,11 +54,13 @@ _amalgamation="-DSQLITE_ENABLE_FTS4 \
-DSQLITE_MAX_VARIABLE_NUMBER=250000 \
-DSQLITE_ENABLE_JSON1"
-builddir="$srcdir/$pkgname-autoconf-$_ver"
-
# secfixes:
+# 3.25.3-r2:
+# - CVE-2018-20346
+# 3.25.3-r1:
+# - CVE-2019-8457
# 3.25.3-r0:
-# - CVE-2018-20346
+# - CVE-2018-20346
build() {
cd "$builddir"
@@ -88,4 +98,6 @@ libs() {
}
sha512sums="5bc501d15367e097f4070185974b0c3a8246c06b205fb2258ed18870ff3fbf120ac5e0ba031a6744af89f7659206e28e7de2f0367bdb190b8412e453b43de4ba sqlite-autoconf-3250300.tar.gz
-5bde14bec5bf18cc686b8b90a8b2324c8c6600bca1ae56431a795bb34b8b5ae85527143f3b5f0c845c776bce60eaa537624104cefc3a47b3820d43083f40c6e9 license.txt"
+5bde14bec5bf18cc686b8b90a8b2324c8c6600bca1ae56431a795bb34b8b5ae85527143f3b5f0c845c776bce60eaa537624104cefc3a47b3820d43083f40c6e9 license.txt
+ab795b18d5426ff9ccad20f413de4f46fce7b532ebbf72dfbafc7db2d2e46453541abe992535c7aea598ec69c8557b477008e58299e3426afd2e8ab458c859e4 CVE-2019-8457.patch
+19eb036e0d03543127a9ed67155522952cb7f3ce9da81ee49fba14a1c0bfc2cd0c86acab1b47b794043cac033959d861dce7ec97fca2293cb146a7ee1b83b8fa CVE-2019-16168.patch"
diff --git a/main/sqlite/CVE-2019-16168.patch b/main/sqlite/CVE-2019-16168.patch
new file mode 100644
index 00000000000..d1be258aecd
--- /dev/null
+++ b/main/sqlite/CVE-2019-16168.patch
@@ -0,0 +1,24 @@
+diff --git a/sqlite3.c b/sqlite3.c
+index c607252..7c01bbf 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -104242,7 +104242,9 @@ static void decodeIntArray(
+ if( sqlite3_strglob("unordered*", z)==0 ){
+ pIndex->bUnordered = 1;
+ }else if( sqlite3_strglob("sz=[0-9]*", z)==0 ){
+- pIndex->szIdxRow = sqlite3LogEst(sqlite3Atoi(z+3));
++ int sz = sqlite3Atoi(z+3);
++ if( sz<2 ) sz = 2;
++ pIndex->szIdxRow = sqlite3LogEst(sz);
+ }else if( sqlite3_strglob("noskipscan*", z)==0 ){
+ pIndex->noSkipScan = 1;
+ }
+@@ -141020,6 +141022,7 @@ static int whereLoopAddBtreeIndex(
+ ** it to pNew->rRun, which is currently set to the cost of the index
+ ** seek only. Then, if this is a non-covering index, add the cost of
+ ** visiting the rows in the main table. */
++ assert( pSrc->pTab->szTabRow>0 );
+ rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
+ pNew->rRun = sqlite3LogEstAdd(rLogSize, rCostIdx);
+ if( (pNew->wsFlags & (WHERE_IDX_ONLY|WHERE_IPK))==0 ){
+
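Review bot: The added `assert( pSrc->pTab->szTabRow>0 );` gives no runtime protection in a build where asserts are compiled out, so the division on the next line is only as safe as the code that sets `szTabRow`. The first inner hunk clamps `sz` before it is stored in `pIndex->szIdxRow`, but the path by which `pTab->szTabRow` gets its value is outside both hunks. Please confirm every writer of `szTabRow` goes through the same `sz<2` clamp. If so, a comment such as `/* szTabRow>0: see the sz<2 clamp in decodeIntArray() */` next to the assert would record why the divide is safe.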
diff --git a/main/sqlite/CVE-2019-8457.patch b/main/sqlite/CVE-2019-8457.patch
new file mode 100644
index 00000000000..de1e30a2c50
--- /dev/null
+++ b/main/sqlite/CVE-2019-8457.patch
@@ -0,0 +1,71 @@
+diff --git a/sqlite3.c b/sqlite3.c
+index c607252..2c133c5 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -181825,49 +181825,46 @@ rtreeInit_fail:
+ ** <num-dimension>*2 coordinates.
+ */
+ static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){
+- char *zText = 0;
+ RtreeNode node;
+ Rtree tree;
+ int ii;
++ int nData;
++ int errCode;
++ sqlite3_str *pOut;
+
+ UNUSED_PARAMETER(nArg);
+ memset(&node, 0, sizeof(RtreeNode));
+ memset(&tree, 0, sizeof(Rtree));
+ tree.nDim = (u8)sqlite3_value_int(apArg[0]);
++ if( tree.nDim<1 || tree.nDim>5 ) return;
+ tree.nDim2 = tree.nDim*2;
+ tree.nBytesPerCell = 8 + 8 * tree.nDim;
+ node.zData = (u8 *)sqlite3_value_blob(apArg[1]);
++ nData = sqlite3_value_bytes(apArg[1]);
++ if( nData<4 ) return;
++ if( nData<NCELL(&node)*tree.nBytesPerCell ) return;
+
++ pOut = sqlite3_str_new(0);
+ for(ii=0; ii<NCELL(&node); ii++){
+- char zCell[512];
+- int nCell = 0;
+ RtreeCell cell;
+ int jj;
+
+ nodeGetCell(&tree, &node, ii, &cell);
+- sqlite3_snprintf(512-nCell,&zCell[nCell],"%lld", cell.iRowid);
+- nCell = (int)strlen(zCell);
++ if( ii>0 ) sqlite3_str_append(pOut, " ", 1);
++ sqlite3_str_appendf(pOut, "{%lld", cell.iRowid);
+ for(jj=0; jj<tree.nDim2; jj++){
+ #ifndef SQLITE_RTREE_INT_ONLY
+- sqlite3_snprintf(512-nCell,&zCell[nCell], " %g",
+- (double)cell.aCoord[jj].f);
++ sqlite3_str_appendf(pOut, " %g", (double)cell.aCoord[jj].f);
+ #else
+- sqlite3_snprintf(512-nCell,&zCell[nCell], " %d",
+- cell.aCoord[jj].i);
++ sqlite3_str_appendf(pOut, " %d", cell.aCoord[jj].i);
+ #endif
+- nCell = (int)strlen(zCell);
+- }
+-
+- if( zText ){
+- char *zTextNew = sqlite3_mprintf("%s {%s}", zText, zCell);
+- sqlite3_free(zText);
+- zText = zTextNew;
+- }else{
+- zText = sqlite3_mprintf("{%s}", zCell);
+ }
++ sqlite3_str_append(pOut, "}", 1);
+ }
+
+- sqlite3_result_text(ctx, zText, -1, sqlite3_free);
++ errCode = sqlite3_str_errcode(pOut);
++ sqlite3_result_text(ctx, sqlite3_str_finish(pOut), -1, sqlite3_free);
++ sqlite3_result_error_code(ctx, errCode);
+ }
+
+ /* This routine implements an SQL function that returns the "depth" parameter
+
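Review bot: The new length check `if( nData<NCELL(&node)*tree.nBytesPerCell ) return;` does not appear to include the node header. The preceding `if( nData<4 ) return;` suggests cells start after a 4-byte header, but `nodeGetCell()` is defined outside this hunk, so the offset it reads from needs confirming. If cells do begin at byte 4, a blob of exactly `NCELL*nBytesPerCell` bytes passes the check while the last cell extends past the end of the buffer. `if( nData<4+NCELL(&node)*tree.nBytesPerCell ) return;` would cover that. The early returns also leave the SQL result as NULL without an error, which is worth a short comment so callers know malformed input is silently ignored.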
diff --git a/main/squid/APKBUILD b/main/squid/APKBUILD
index d6055dcd223..ebc43a73eaf 100644
--- a/main/squid/APKBUILD
+++ b/main/squid/APKBUILD
@@ -117,15 +117,8 @@ squid_kerb_auth() {
mv "$pkgdir"/usr/lib/squid/squid_kerb_auth "$subpkgdir"/usr/lib/squid/
}
sha512sums="4172a053c3b7ffe7a12dfb3febac96942d0fbbe7e98e3f797f22cd75b0a3a89cbbfe7260b5daad099e79d5e9303bb5dfbfee7499cb30a90590aa1bd242ff4817 squid-3.5.27.tar.xz
-<<<<<<< HEAD
a403573bf3d3d600f7a1ff8639f0f48ac45963b028c7aa09e00f95173b7a9d46c42c21a609d987a18869d850a4be0537c3dc0d0f10398b67509b2a43ccf81776 bug-3679.patch
-=======
-d08d87d4cf97e794735e29ed2a273e27757a9ef95059cf6a2e2855a0c56e92d9e665b85115c9f3b699974447a7b9cccadb0a8ce606beedb41d27df8361241f8b SQUID-2018_1.patch
-392442527ead5cbb045f6eded522c9aff6ce395034ca028e7298394eccb6ed5b06c814f966ddc6cb264b9a37bf7ae2751e3ed87853566b1d7b757d99280fe60c SQUID-2018_2.patch
-20a036b34f7a595d83e707180d831c4adc9b7432f09be5341cfe7b3b00cbe3e5c0de07376a67834b94e08c849703822371eb71938a024307cb52cf8ef52138e8 SQUID-2018_3.patch
-d44d0688a416ce993e186afe77051f764c7b01f452cfe27474a7876bc7f58e36c15c06978eedb189b98e276f512aa3bd58992a08668e89a5ef9cd843c22af72a bug-3679.patch
9ca3f86fbce36f109a35c35cdb0a9ed21a6fe5cbe7bbb4b92f4527fedd57c19599d338087b099e048084db0374b2ea28bdcbe1798fa37aea8a13d54f6cc0d6a4 CVE-2019-13345.patch
->>>>>>> 61747ef724... main/squid: fix CVE-2019-13345
15d95f7d787be8c2e6619ef1661fd8aae8d2c1ede706748764644c7dc3d7c34515ef6e8b7543295fddc4e767bbd74a7cf8c42e77cf60b3d574ff11b3f6e336c9 squid.initd
7292661de344e8a87d855c83afce49511685d2680effab3afab110e45144c0117935f3bf73ab893c9e6d43f7fb5ba013635e24f6da6daf0eeb895ef2e9b5baa9 squid.confd
89a703fa4f21b6c7c26e64a46fd52407e20f00c34146ade0bea0c4b63d050117c0f8e218f2256a1fbf6abb84f4ec9b0472c9a4092ff6e78f07c4f5a25d0892a5 squid.logrotate"
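Review bot: This hunk removes committed merge-conflict markers from `sha512sums`, and in doing so drops the three `SQUID-2018_*.patch` checksums and keeps the HEAD-side hash for `bug-3679.patch`, while `source=` is not touched by this commit. Please check that `source=` no longer lists the `SQUID-2018_*` patches and does list `CVE-2019-13345.patch`, and that the retained `bug-3679.patch` hash matches the file in the tree. If the SQUID-2018 fixes were meant to stay on this branch, their patches and checksums need restoring rather than deleting. Running `abuild checksum` and a clean build after resolving would confirm the two lists agree.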
diff --git a/main/subversion/APKBUILD b/main/subversion/APKBUILD
index 554d0543cbe..1cd95f6a9c4 100644
--- a/main/subversion/APKBUILD
+++ b/main/subversion/APKBUILD
@@ -1,7 +1,7 @@
# Contributor: Łukasz Jendrysik <scadu@yandex.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=subversion
-pkgver=1.9.7
+pkgver=1.9.12
pkgrel=0
pkgdesc="Replacement for CVS, another versioning system (svn)"
url="http://subversion.apache.org/"
@@ -24,6 +24,9 @@ source="http://archive.apache.org/dist/$pkgname/$pkgname-$pkgver.tar.bz2
_builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
+# 1.9.12-r0:
+# - CVE-2018-11782
+# - CVE-2019-0203
# 1.9.7-r0:
# - CVE-2017-9800
@@ -95,7 +98,7 @@ py() {
mv "${pkgdir}"/usr/lib/*py* "${subpkgdir}${pypath}"
}
-sha512sums="a55efd3edaddbc099450d849fcc6fe5a8d20b85ece966d8ac2fd73ee9cb4255a0349bbcfceb4e9fca6daf054ce7c648eff8d273c6873f5dade6e62dcea7eeb2b subversion-1.9.7.tar.bz2
+sha512sums="08a5c6c0233cc1dbd992180d2077eb1c67725682c457d3f67ebb6d22db0f6b64002a699ab828d435b708340ce6fb07bb1f03d11daefb887053c427ed75ad2de7 subversion-1.9.12.tar.bz2
fb219c45b80602d919176cc191394df09f90d0f5c7d24e6a36b166bd92777ecae67eeac1e49c0ffbb0e724396b3d2094dbb0bef17d01dc87d418b1cd554bd7c4 subversion-1.7.0-deplibs.patch
fd6e5f45cff4d3cf0d885a34c822b32141b13b199d99ad8e1b04d641c9c1ee27e73f5c556a4ad54a900b6d39cc14afad17b6738d8af44c76758f1a27b4d49f9a subversion-perl-deplibs.patch
7fe993443d4d3ef5e1e75f60e85036ee0b2bb2636c2c830210e64f525f95ae4c10ca1dc4504fc36915ec9391815becbe7cbf5f589c28609386d8d079ed02c630 svnserve.confd
diff --git a/main/tiff/APKBUILD b/main/tiff/APKBUILD
index 7e055fe1c94..e2a620c3c7a 100644
--- a/main/tiff/APKBUILD
+++ b/main/tiff/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Michael Mason <ms13sp@gmail.com>
pkgname=tiff
pkgver=4.0.10
-pkgrel=0
+pkgrel=2
pkgdesc="Provides support for the Tag Image File Format or TIFF"
url="http://www.libtiff.org/"
arch="all"
@@ -15,9 +15,15 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-tools"
builddir="$srcdir/$pkgname-$pkgver"
source="http://download.osgeo.org/libtiff/$pkgname-$pkgver.tar.gz
CVE-2018-12900.patch
+ CVE-2019-14973-rebased.patch
+ CVE-2019-17546.patch
"
# secfixes:
+# 4.0.10-r2:
+# - CVE-2019-10927
+# 4.0.10-r1:
+# - CVE-2019-14973
# 4.0.10-r0:
# - CVE-2018-12900
# - CVE-2018-18557
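Review bot: The secfixes entry added for `4.0.10-r2` names CVE-2019-10927, but the patch added to `source=` in this same hunk is `CVE-2019-17546.patch`, and CVE-2019-17546 appears nowhere in the list. Unless the mismatch is intentional, the entry should read `#   - CVE-2019-17546` so the recorded fix matches the patch actually shipped. It is worth confirming the id against the patch header before merging, since scanners match on this comment rather than on the filename.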
@@ -87,4 +93,6 @@ tools() {
}
sha512sums="d213e5db09fd56b8977b187c5a756f60d6e3e998be172550c2892dbdb4b2a8e8c750202bc863fe27d0d1c577ab9de1710d15e9f6ed665aadbfd857525a81eea8 tiff-4.0.10.tar.gz
-c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch"
+c321f1d4e5d334cdb3b0800299e8165055c040c0c030220769ccfdadcc7fd35a0f3231115f44dc86fe5e34f32eafe1074aa85495a744717f8fc10c0cab2ab085 CVE-2018-12900.patch
+4567184ea17028dbf90753dbebce221881ec26632d88f02d4f6b56556fc19bb9134523f16487707fdd908f21c7bc4660103d0a95f3ccf0890ad4f0d93e81c503 CVE-2019-14973-rebased.patch
+140a6f435a682c5fd2a56e364e0d7448e56b8bf20c8db45db8b15ffd711fa6449f6cdaecab417d7fa96fc832d8eebd40423658153c05dd4f25f769b4b346d5f1 CVE-2019-17546.patch"
diff --git a/main/tiff/CVE-2019-14973-rebased.patch b/main/tiff/CVE-2019-14973-rebased.patch
new file mode 100644
index 00000000000..9bd5c846aee
--- /dev/null
+++ b/main/tiff/CVE-2019-14973-rebased.patch
@@ -0,0 +1,424 @@
+From 1b5e3b6a23827c33acf19ad50ce5ce78f12b3773 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 10 Aug 2019 18:25:03 +0200
+Subject: [PATCH] Fix integer overflow in _TIFFCheckMalloc() and other
+ implementation-defined behaviour (CVE-2019-14973)
+
+_TIFFCheckMalloc()/_TIFFCheckRealloc() used a unsafe way to detect overflow
+in the multiplication of nmemb and elem_size (which are of type tmsize_t, thus
+signed), which was especially easily triggered on 32-bit builds (with recent
+enough compilers that assume that signed multiplication cannot overflow, since
+this is undefined behaviour by the C standard). The original issue which lead to
+this fix was trigged from tif_fax3.c
+
+There were also unsafe (implementation defied), and broken in practice on 64bit
+builds, ways of checking that a uint64 fits of a (signed) tmsize_t by doing
+(uint64)(tmsize_t)uint64_var != uint64_var comparisons. Those have no known
+at that time exploits, but are better to fix in a more bullet-proof way.
+Or similarly use of (int64)uint64_var <= 0.
+---
+ libtiff/tif_aux.c | 49 +++++++++++++++++++++++++++++++++++++-----
+ libtiff/tif_getimage.c | 6 ++----
+ libtiff/tif_luv.c | 8 +------
+ libtiff/tif_pixarlog.c | 7 +-----
+ libtiff/tif_read.c | 38 +++++++++-----------------------
+ libtiff/tif_strip.c | 35 ++++--------------------------
+ libtiff/tif_tile.c | 27 +++--------------------
+ libtiff/tiffiop.h | 7 +++++-
+ 8 files changed, 71 insertions(+), 106 deletions(-)
+
+diff --git a/libtiff/tif_aux.c b/libtiff/tif_aux.c
+index 4ece162..33fb8a4 100644
+--- a/libtiff/tif_aux.c
++++ b/libtiff/tif_aux.c
+@@ -57,18 +57,57 @@ _TIFFMultiply64(TIFF* tif, uint64 first, uint64 second, const char* where)
+ return bytes;
+ }
+
++tmsize_t
++_TIFFMultiplySSize(TIFF* tif, tmsize_t first, tmsize_t second, const char* where)
++{
++ if( first <= 0 || second <= 0 )
++ {
++ if( tif != NULL && where != NULL )
++ {
++ TIFFErrorExt(tif->tif_clientdata, where,
++ "Invalid argument to _TIFFMultiplySSize() in %s", where);
++ }
++ return 0;
++ }
++
++ if( first > TIFF_TMSIZE_T_MAX / second )
++ {
++ if( tif != NULL && where != NULL )
++ {
++ TIFFErrorExt(tif->tif_clientdata, where,
++ "Integer overflow in %s", where);
++ }
++ return 0;
++ }
++ return first * second;
++}
++
++tmsize_t _TIFFCastUInt64ToSSize(TIFF* tif, uint64 val, const char* module)
++{
++ if( val > (uint64)TIFF_TMSIZE_T_MAX )
++ {
++ if( tif != NULL && module != NULL )
++ {
++ TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
++ }
++ return 0;
++ }
++ return (tmsize_t)val;
++}
++
+ void*
+ _TIFFCheckRealloc(TIFF* tif, void* buffer,
+ tmsize_t nmemb, tmsize_t elem_size, const char* what)
+ {
+ void* cp = NULL;
+- tmsize_t bytes = nmemb * elem_size;
+-
++ tmsize_t count = _TIFFMultiplySSize(tif, nmemb, elem_size, NULL);
+ /*
+- * XXX: Check for integer overflow.
++ * Check for integer overflow.
+ */
+- if (nmemb && elem_size && bytes / elem_size == nmemb)
+- cp = _TIFFrealloc(buffer, bytes);
++ if (count != 0)
++ {
++ cp = _TIFFrealloc(buffer, count);
++ }
+
+ if (cp == NULL) {
+ TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index 6a9d5a7..2106ca2 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -755,9 +755,8 @@ gtTileSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ uint32 leftmost_tw;
+
+ tilesize = TIFFTileSize(tif);
+- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,tilesize);
++ bufsize = _TIFFMultiplySSize(tif, alpha?4:3,tilesize, "gtTileSeparate");
+ if (bufsize == 0) {
+- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate");
+ return (0);
+ }
+
+@@ -1019,9 +1018,8 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ uint16 colorchannels;
+
+ stripsize = TIFFStripSize(tif);
+- bufsize = TIFFSafeMultiply(tmsize_t,alpha?4:3,stripsize);
++ bufsize = _TIFFMultiplySSize(tif,alpha?4:3,stripsize, "gtStripSeparate");
+ if (bufsize == 0) {
+- TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate");
+ return (0);
+ }
+
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index aa35ea0..46d2dff 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -1264,16 +1264,10 @@ LogL16GuessDataFmt(TIFFDirectory *td)
+ return (SGILOGDATAFMT_UNKNOWN);
+ }
+
+-
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+- return 0;
+- return m1 * m2;
++ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
+ }
+
+ static int
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index 7438d69..5c9a6bf 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -634,15 +634,10 @@ PixarLogGuessDataFmt(TIFFDirectory *td)
+ return guess;
+ }
+
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ static tmsize_t
+ multiply_ms(tmsize_t m1, tmsize_t m2)
+ {
+- if( m1 == 0 || m2 > TIFF_TMSIZE_T_MAX / m1 )
+- return 0;
+- return m1 * m2;
++ return _TIFFMultiplySSize(NULL, m1, m2, NULL);
+ }
+
+ static tmsize_t
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index e63810c..9a82baa 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -29,9 +29,6 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+
+-#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
+-#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
+-
+ int TIFFFillStrip(TIFF* tif, uint32 strip);
+ int TIFFFillTile(TIFF* tif, uint32 tile);
+ static int TIFFStartStrip(TIFF* tif, uint32 strip);
+@@ -49,6 +46,8 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
+ #define THRESHOLD_MULTIPLIER 10
+ #define MAX_THRESHOLD (THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * THRESHOLD_MULTIPLIER * INITIAL_THRESHOLD)
+
++#define TIFF_INT64_MAX ((((int64)0x7FFFFFFF) << 32) | 0xFFFFFFFF)
++
+ /* Read 'size' bytes in tif_rawdata buffer starting at offset 'rawdata_offset'
+ * Returns 1 in case of success, 0 otherwise. */
+ static int TIFFReadAndRealloc( TIFF* tif, tmsize_t size,
+@@ -734,23 +733,8 @@ TIFFReadRawStrip(TIFF* tif, uint32 strip, void* buf, tmsize_t size)
+ return ((tmsize_t)(-1));
+ }
+ bytecount = td->td_stripbytecount[strip];
+- if ((int64)bytecount <= 0) {
+-#if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+- TIFFErrorExt(tif->tif_clientdata, module,
+- "%I64u: Invalid strip byte count, strip %lu",
+- (unsigned __int64) bytecount,
+- (unsigned long) strip);
+-#else
+- TIFFErrorExt(tif->tif_clientdata, module,
+- "%llu: Invalid strip byte count, strip %lu",
+- (unsigned long long) bytecount,
+- (unsigned long) strip);
+-#endif
+- return ((tmsize_t)(-1));
+- }
+- bytecountm = (tmsize_t)bytecount;
+- if ((uint64)bytecountm!=bytecount) {
+- TIFFErrorExt(tif->tif_clientdata, module, "Integer overflow");
++ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount, module);
++ if (bytecountm == 0) {
+ return ((tmsize_t)(-1));
+ }
+ if (size != (tmsize_t)(-1) && size < bytecountm)
+@@ -774,7 +758,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ {
+ uint64 bytecount = td->td_stripbytecount[strip];
+- if ((int64)bytecount <= 0) {
++ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "Invalid strip byte count %I64u, strip %lu",
+@@ -801,7 +785,7 @@ TIFFFillStrip(TIFF* tif, uint32 strip)
+ (bytecount - 4096) / 10 > (uint64)stripsize )
+ {
+ uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+- if( (int64)newbytecount >= 0 )
++ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
+ {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFWarningExt(tif->tif_clientdata, module,
+@@ -1196,10 +1180,8 @@ TIFFReadRawTile(TIFF* tif, uint32 tile, void* buf, tmsize_t size)
+ bytecount64 = td->td_stripbytecount[tile];
+ if (size != (tmsize_t)(-1) && (uint64)size < bytecount64)
+ bytecount64 = (uint64)size;
+- bytecountm = (tmsize_t)bytecount64;
+- if ((uint64)bytecountm!=bytecount64)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
++ bytecountm = _TIFFCastUInt64ToSSize(tif, bytecount64, module);
++ if( bytecountm == 0 ) {
+ return ((tmsize_t)(-1));
+ }
+ return (TIFFReadRawTile1(tif, tile, buf, bytecountm, module));
+@@ -1221,7 +1203,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+ if ((tif->tif_flags&TIFF_NOREADRAW)==0)
+ {
+ uint64 bytecount = td->td_stripbytecount[tile];
+- if ((int64)bytecount <= 0) {
++ if( bytecount == 0 || bytecount > (uint64)TIFF_INT64_MAX ) {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "%I64u: Invalid tile byte count, tile %lu",
+@@ -1248,7 +1230,7 @@ TIFFFillTile(TIFF* tif, uint32 tile)
+ (bytecount - 4096) / 10 > (uint64)stripsize )
+ {
+ uint64 newbytecount = (uint64)stripsize * 10 + 4096;
+- if( (int64)newbytecount >= 0 )
++ if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )
+ {
+ #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__))
+ TIFFWarningExt(tif->tif_clientdata, module,
+diff --git a/libtiff/tif_strip.c b/libtiff/tif_strip.c
+index 5b76fba..2366acf 100644
+--- a/libtiff/tif_strip.c
++++ b/libtiff/tif_strip.c
+@@ -129,15 +129,8 @@ TIFFVStripSize(TIFF* tif, uint32 nrows)
+ {
+ static const char module[] = "TIFFVStripSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFVStripSize64(tif,nrows);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+@@ -211,15 +204,8 @@ TIFFStripSize(TIFF* tif)
+ {
+ static const char module[] = "TIFFStripSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFStripSize64(tif);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+@@ -330,14 +316,8 @@ TIFFScanlineSize(TIFF* tif)
+ {
+ static const char module[] = "TIFFScanlineSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFScanlineSize64(tif);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m) {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+@@ -366,15 +346,8 @@ TIFFRasterScanlineSize(TIFF* tif)
+ {
+ static const char module[] = "TIFFRasterScanlineSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFRasterScanlineSize64(tif);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer arithmetic overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+diff --git a/libtiff/tif_tile.c b/libtiff/tif_tile.c
+index 58fe935..661cc77 100644
+--- a/libtiff/tif_tile.c
++++ b/libtiff/tif_tile.c
+@@ -181,15 +181,8 @@ TIFFTileRowSize(TIFF* tif)
+ {
+ static const char module[] = "TIFFTileRowSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFTileRowSize64(tif);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+@@ -248,15 +241,8 @@ TIFFVTileSize(TIFF* tif, uint32 nrows)
+ {
+ static const char module[] = "TIFFVTileSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFVTileSize64(tif,nrows);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+@@ -272,15 +258,8 @@ TIFFTileSize(TIFF* tif)
+ {
+ static const char module[] = "TIFFTileSize";
+ uint64 m;
+- tmsize_t n;
+ m=TIFFTileSize64(tif);
+- n=(tmsize_t)m;
+- if ((uint64)n!=m)
+- {
+- TIFFErrorExt(tif->tif_clientdata,module,"Integer overflow");
+- n=0;
+- }
+- return(n);
++ return _TIFFCastUInt64ToSSize(tif, m, module);
+ }
+
+ /*
+diff --git a/libtiff/tiffiop.h b/libtiff/tiffiop.h
+index 186c291..558484f 100644
+--- a/libtiff/tiffiop.h
++++ b/libtiff/tiffiop.h
+@@ -77,6 +77,9 @@ extern int snprintf(char* str, size_t size, const char* format, ...);
+ #define FALSE 0
+ #endif
+
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ typedef struct client_info {
+ struct client_info *next;
+ void *data;
+@@ -258,7 +261,7 @@ struct tiff {
+ #define TIFFhowmany8_64(x) (((x)&0x07)?((uint64)(x)>>3)+1:(uint64)(x)>>3)
+ #define TIFFroundup_64(x, y) (TIFFhowmany_64(x,y)*(y))
+
+-/* Safe multiply which returns zero if there is an integer overflow */
++/* Safe multiply which returns zero if there is an *unsigned* integer overflow. This macro is not safe for *signed* integer types */
+ #define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0)
+
+ #define TIFFmax(A,B) ((A)>(B)?(A):(B))
+@@ -368,6 +371,8 @@ extern TIFFErrorHandlerExt _TIFFerrorHandlerExt;
+
+ extern uint32 _TIFFMultiply32(TIFF*, uint32, uint32, const char*);
+ extern uint64 _TIFFMultiply64(TIFF*, uint64, uint64, const char*);
++extern tmsize_t _TIFFMultiplySSize(TIFF*, tmsize_t, tmsize_t, const char*);
++extern tmsize_t _TIFFCastUInt64ToSSize(TIFF*, uint64, const char*);
+ extern void* _TIFFCheckMalloc(TIFF*, tmsize_t, tmsize_t, const char*);
+ extern void* _TIFFCheckRealloc(TIFF*, void*, tmsize_t, tmsize_t, const char*);
+
+--
+2.23.0
+
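Review bot: In the tif_read.c part of this patch, the rewritten guard in TIFFFillStrip, `if( newbytecount == 0 || newbytecount > (uint64)TIFF_INT64_MAX )`, has the opposite sense of the line it replaces, `if( (int64)newbytecount >= 0 )`, and the same rewrite is repeated in TIFFFillTile. The old test entered the block when the recomputed count fitted in a signed 64-bit value; the new one enters only when it is zero or does not fit. The block body continues outside the inner hunks, but it opens with a TIFFWarningExt call and sits under the `(bytecount - 4096) / 10 > (uint64)stripsize` test, so it appears to be the path that limits an oversized byte count taken from the file. If so, that limit is now skipped for ordinary values, and the guard should be `if( newbytecount <= (uint64)TIFF_INT64_MAX )` in both places.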
diff --git a/main/tiff/CVE-2019-17546.patch b/main/tiff/CVE-2019-17546.patch
new file mode 100644
index 00000000000..c04f0a34281
--- /dev/null
+++ b/main/tiff/CVE-2019-17546.patch
@@ -0,0 +1,105 @@
+From 4bb584a35f87af42d6cf09d15e9ce8909a839145 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Thu, 15 Aug 2019 15:05:28 +0200
+Subject: [PATCH] RGBA interface: fix integer overflow potentially causing
+ write heap buffer overflow, especially on 32 bit builds. Fixes
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443. Credit to OSS
+ Fuzz
+
+---
+ libtiff/tif_getimage.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
+index c88b5fa6..4da785d3 100644
+--- a/libtiff/tif_getimage.c
++++ b/libtiff/tif_getimage.c
+@@ -949,16 +949,23 @@ gtStripContig(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ fromskew = (w < imagewidth ? imagewidth - w : 0);
+ for (row = 0; row < h; row += nrow)
+ {
++ uint32 temp;
+ rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
+ nrow = (row + rowstoread > h ? h - row : rowstoread);
+ nrowsub = nrow;
+ if ((nrowsub%subsamplingver)!=0)
+ nrowsub+=subsamplingver-nrowsub%subsamplingver;
++ temp = (row + img->row_offset)%rowsperstrip + nrowsub;
++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripContig");
++ return 0;
++ }
+ if (_TIFFReadEncodedStripAndAllocBuffer(tif,
+ TIFFComputeStrip(tif,row+img->row_offset, 0),
+ (void**)(&buf),
+ maxstripsize,
+- ((row + img->row_offset)%rowsperstrip + nrowsub) * scanline)==(tmsize_t)(-1)
++ temp * scanline)==(tmsize_t)(-1)
+ && (buf == NULL || img->stoponerr))
+ {
+ ret = 0;
+@@ -1051,15 +1058,22 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ fromskew = (w < imagewidth ? imagewidth - w : 0);
+ for (row = 0; row < h; row += nrow)
+ {
++ uint32 temp;
+ rowstoread = rowsperstrip - (row + img->row_offset) % rowsperstrip;
+ nrow = (row + rowstoread > h ? h - row : rowstoread);
+ offset_row = row + img->row_offset;
++ temp = (row + img->row_offset)%rowsperstrip + nrow;
++ if( scanline > 0 && temp > (size_t)(TIFF_TMSIZE_T_MAX / scanline) )
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in gtStripSeparate");
++ return 0;
++ }
+ if( buf == NULL )
+ {
+ if (_TIFFReadEncodedStripAndAllocBuffer(
+ tif, TIFFComputeStrip(tif, offset_row, 0),
+ (void**) &buf, bufsize,
+- ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++ temp * scanline)==(tmsize_t)(-1)
+ && (buf == NULL || img->stoponerr))
+ {
+ ret = 0;
+@@ -1079,7 +1093,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+ }
+ else if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 0),
+- p0, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++ p0, temp * scanline)==(tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 0;
+@@ -1087,7 +1101,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+ if (colorchannels > 1
+ && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 1),
+- p1, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
++ p1, temp * scanline) == (tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 0;
+@@ -1095,7 +1109,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ }
+ if (colorchannels > 1
+ && TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, 2),
+- p2, ((row + img->row_offset)%rowsperstrip + nrow) * scanline) == (tmsize_t)(-1)
++ p2, temp * scanline) == (tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 0;
+@@ -1104,7 +1118,7 @@ gtStripSeparate(TIFFRGBAImage* img, uint32* raster, uint32 w, uint32 h)
+ if (alpha)
+ {
+ if (TIFFReadEncodedStrip(tif, TIFFComputeStrip(tif, offset_row, colorchannels),
+- pa, ((row + img->row_offset)%rowsperstrip + nrow) * scanline)==(tmsize_t)(-1)
++ pa, temp * scanline)==(tmsize_t)(-1)
+ && img->stoponerr)
+ {
+ ret = 0;
+--
+2.22.0
+
+
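Review bot: The new overflow checks in gtStripContig and gtStripSeparate leave the strip loop with `return 0;`, whereas the read-failure paths next to them set `ret = 0;` and, presumably, break out of the loop. `buf` is filled in through `_TIFFReadEncodedStripAndAllocBuffer` on an earlier pass, so if the functions free it after the loop (that code is outside the hunks), a check that fires on a later pass would skip the cleanup and leak the buffer. Replacing the early return with `ret = 0; break;` in both checks would keep a single exit path. The checks also rely on `TIFF_TMSIZE_T_MAX` being visible in tif_getimage.c, which in this package comes from the tiffiop.h change in CVE-2019-14973-rebased.patch, so the order of the two patches in `source` matters and deserves a comment in the APKBUILD.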
diff --git a/main/tzdata/APKBUILD b/main/tzdata/APKBUILD
index 869dec1c23a..906ab128cd8 100644
--- a/main/tzdata/APKBUILD
+++ b/main/tzdata/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=tzdata
-pkgver=2019a
-_tzcodever=2019a
+pkgver=2019c
+_tzcodever=2019c
_ptzver=0.5
pkgrel=0
pkgdesc="Timezone data"
@@ -57,8 +57,8 @@ package() {
"$pkgdir"/usr/bin/posixtz
}
-sha512sums="7cc76ce6be4a67c3e1b2222cb632d2de9dabb76899793a938f87a1d4bb20e462cabdae9e3b986aaabaa400795370510095d236dbad5aff4c192d0887f0ecedf5 tzcode2019a.tar.gz
-d8eb5b2b68abee08bd2b0d2134bce85b5c0aee85168e9697a607604ed5be7d1539ac60fda9b37e0c9c793ef6251978bc250563a0af59497fde775499964bb5aa tzdata2019a.tar.gz
+sha512sums="61ef36385f501c338c263081486de0d1fccd454b86f8777b0dbad4ea3f21bbde059d0a91c23e207b167ed013127d3db8b7528f0188814a8b44d1f946b19d9b8b tzcode2019c.tar.gz
+2921cbb2fd44a6b8f7f2ed42c13fbae28195aa5c2eeefa70396bc97cdbaad679c6cc3c143da82cca5b0279065c02389e9af536904288c12886bf345baa8c6565 tzdata2019c.tar.gz
68dbaab9f4aef166ac2f2d40b49366527b840bebe17a47599fe38345835e4adb8a767910745ece9c384b57af815a871243c3e261a29f41d71f8054df3061b3fd posixtz-0.5.tar.xz
0f2a10ee2bb4007f57b59123d1a0b8ef6accf99e568f21537f0bb19f290fff46e24050f55f12569d7787be600e1b62aa790ea85a333153f3ea081a812c81b1b5 0001-posixtz-ensure-the-file-offset-we-pass-to-lseek-is-o.patch
fb322ab7867517ba39265d56d3576cbcea107c205d524e87015c1819bbb7361f7322232ee3b86ea9b8df2886e7e06a6424e3ac83b2006be290a33856c7d40ac4 0002-fix-implicit-declaration-warnings-by-including-strin.patch"
diff --git a/main/wavpack/APKBUILD b/main/wavpack/APKBUILD
index 12b44ba3cb7..f5b1af74a55 100644
--- a/main/wavpack/APKBUILD
+++ b/main/wavpack/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=wavpack
pkgver=5.1.0
-pkgrel=3
+pkgrel=4
pkgdesc="Audio compression format with lossless, lossy, and hybrid compression modes"
url="http://www.wavpack.com/"
arch="all"
@@ -18,10 +18,19 @@ source="http://www.wavpack.com/${pkgname}-${pkgver}.tar.bz2
CVE-2018-10538_10539_10540.patch
CVE-2018-19840.patch
CVE-2018-19841.patch
+ CVE-2019-1010315.patch
+ CVE-2019-11498.patch
+ CVE-2019-1010317.patch
+ CVE-2019-1010319.patch
"
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
+# 5.1.0-r4:
+# - CVE-2019-1010319
+# - CVE-2019-1010317
+# - CVE-2019-1010315
+# - CVE-2019-11498
# 5.1.0-r3:
# - CVE-2018-19840
# - CVE-2018-19841
@@ -79,4 +88,8 @@ sha512sums="4c31616ae63c3a875afa20f26ce935f7a8f9921e2892b4b8388eca3ccd83b2d686f4
fd7ff58c53f9b4cec335e36017c5b1709c5526a2d44a54dfbeb050ea303997418d1fa312ebe39f521a35a6f2151b8a0f5845ee9bf6bbda22bef036e9fc0166a5 CVE-2018-10536_10537.patch
a59eff2a8f47d4383f33667e7737f5e2e639778b367340169f1c5d6335c8948cfd8e1a7554e8b6c05a59d80a04048cf137c0f4fdfd88d2d88757404d3dac31ee CVE-2018-10538_10539_10540.patch
67d02dd744c638d126cf5a894d1ff2c39726bd4d3771ef7410ea782e5c9a0f9341909432bd4bea9b8959891c38699601c1aac2da6e0eaddaa5a4d679e7f58dd2 CVE-2018-19840.patch
-dba007fa8cb2537b6f6c8ee559a98e501e948260ce7e7af7d3fdc8c9145bbbbf85c8fed8030de354459c4b08d3015a0ea769a948636bdfd66e567c0a2d2493c6 CVE-2018-19841.patch"
+dba007fa8cb2537b6f6c8ee559a98e501e948260ce7e7af7d3fdc8c9145bbbbf85c8fed8030de354459c4b08d3015a0ea769a948636bdfd66e567c0a2d2493c6 CVE-2018-19841.patch
+46d0fb4483e5ea824b1bce67f2ea76894e16b3f86cd28f234c1e393ea1d859ac304f44f22a7e32cdfbd83ff83d99fc147e0f9de932ee674c4f565cc92e279c28 CVE-2019-1010315.patch
+30ad915f481eef07737cb95e44c1988441b72d0fc6731c4e48b391deb44168ad7536e0e7c3c9363e18f27814cade4c784e9a61e6a46e103aa88db0b42cef57e3 CVE-2019-11498.patch
+91b0fdefdfe2a3f135f3fdf947b43a7bc347e4cd21804d0e4997066997a32bc9bb218cc2ef6b1733c011d83c22035efd22cf993b7af5d0fa540441a3e9685c3c CVE-2019-1010317.patch
+a180c662d41e96913b946782ae4679b944029d0d62161a7fc204c0b2ff898409a375a33d2376885fe425c449128de61f161867d1c264120682c0708aeea2d21e CVE-2019-1010319.patch"
diff --git a/main/wavpack/CVE-2019-1010315.patch b/main/wavpack/CVE-2019-1010315.patch
new file mode 100644
index 00000000000..b52d8884a00
--- /dev/null
+++ b/main/wavpack/CVE-2019-1010315.patch
@@ -0,0 +1,36 @@
+From 4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Sat, 2 Mar 2019 18:37:14 -0800
+Subject: [PATCH] issue #65: make sure DSDIFF files have a valid channel count
+
+---
+ cli/dsdiff.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index 0ac4321..f357181 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -180,7 +180,7 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+
+ if (!strncmp (prop_chunk, "SND ", 4)) {
+ char *cptr = prop_chunk + 4, *eptr = prop_chunk + dff_chunk_header.ckDataSize;
+- uint16_t numChannels, chansSpecified, chanMask = 0;
++ uint16_t numChannels = 0, chansSpecified, chanMask = 0;
+ uint32_t sampleRate;
+
+ while (eptr - cptr >= sizeof (dff_chunk_header)) {
+@@ -279,6 +279,12 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ free (prop_chunk);
+ }
+ else if (!strncmp (dff_chunk_header.ckID, "DSD ", 4)) {
++
++ if (!config->num_channels) {
++ error_line ("%s is not a valid .DFF file!", infilename);
++ return WAVPACK_SOFT_ERROR;
++ }
++
+ total_samples = dff_chunk_header.ckDataSize / config->num_channels;
+ break;
+ }
+
diff --git a/main/wavpack/CVE-2019-1010317.patch b/main/wavpack/CVE-2019-1010317.patch
new file mode 100644
index 00000000000..94f90275b82
--- /dev/null
+++ b/main/wavpack/CVE-2019-1010317.patch
@@ -0,0 +1,40 @@
+From f68a9555b548306c5b1ee45199ccdc4a16a6101b Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Mon, 4 Mar 2019 21:09:41 -0800
+Subject: [PATCH] issue #66: make sure CAF files have a "desc" chunk
+
+---
+ cli/caff.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/cli/caff.c b/cli/caff.c
+index 2a5e2d9..a35da74 100644
+--- a/cli/caff.c
++++ b/cli/caff.c
+@@ -152,7 +152,7 @@ static struct {
+
+ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, WavpackContext *wpc, WavpackConfig *config)
+ {
+- uint32_t chan_chunk = 0, channel_layout = 0, bcount;
++ uint32_t chan_chunk = 0, desc_chunk = 0, channel_layout = 0, bcount;
+ unsigned char *channel_identities = NULL;
+ unsigned char *channel_reorder = NULL;
+ int64_t total_samples = 0, infilesize;
+@@ -218,6 +218,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ }
+
+ WavpackBigEndianToNative (&caf_audio_format, CAFAudioFormatFormat);
++ desc_chunk = 1;
+
+ if (debug_logging_mode) {
+ char formatstr [5];
+@@ -458,7 +459,7 @@ int ParseCaffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpack
+ else if (!strncmp (caf_chunk_header.mChunkType, "data", 4)) { // on the data chunk, get size and exit loop
+ uint32_t mEditCount;
+
+- if (!DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) ||
++ if (!desc_chunk || !DoReadFile (infile, &mEditCount, sizeof (mEditCount), &bcount) ||
+ bcount != sizeof (mEditCount)) {
+ error_line ("%s is not a valid .CAF file!", infilename);
+ return WAVPACK_SOFT_ERROR;
+
diff --git a/main/wavpack/CVE-2019-1010319.patch b/main/wavpack/CVE-2019-1010319.patch
new file mode 100644
index 00000000000..6a53ef8fbbc
--- /dev/null
+++ b/main/wavpack/CVE-2019-1010319.patch
@@ -0,0 +1,23 @@
+From 33a0025d1d63ccd05d9dbaa6923d52b1446a62fe Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Tue, 5 Mar 2019 21:21:48 -0800
+Subject: [PATCH] issue #68: clear WaveHeader at start to prevent uninitialized
+ read
+
+---
+ cli/wave64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cli/wave64.c b/cli/wave64.c
+index 7beffe6..59548b1 100644
+--- a/cli/wave64.c
++++ b/cli/wave64.c
+@@ -56,6 +56,7 @@ int ParseWave64HeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ int format_chunk = 0;
+ uint32_t bcount;
+
++ CLEAR (WaveHeader);
+ infilesize = DoGetFileSize (infile);
+ memcpy (&filehdr, fourcc, 4);
+
+
diff --git a/main/wavpack/CVE-2019-11498.patch b/main/wavpack/CVE-2019-11498.patch
new file mode 100644
index 00000000000..c94aee14665
--- /dev/null
+++ b/main/wavpack/CVE-2019-11498.patch
@@ -0,0 +1,32 @@
+From bc6cba3f552c44565f7f1e66dc1580189addb2b4 Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Tue, 5 Mar 2019 21:32:27 -0800
+Subject: [PATCH] issue #67: make sure sample rate is specified and non-zero in
+ DFF files
+
+---
+ cli/dsdiff.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index f357181..193adee 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -181,7 +181,7 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ if (!strncmp (prop_chunk, "SND ", 4)) {
+ char *cptr = prop_chunk + 4, *eptr = prop_chunk + dff_chunk_header.ckDataSize;
+ uint16_t numChannels = 0, chansSpecified, chanMask = 0;
+- uint32_t sampleRate;
++ uint32_t sampleRate = 0;
+
+ while (eptr - cptr >= sizeof (dff_chunk_header)) {
+ memcpy (&dff_chunk_header, cptr, sizeof (dff_chunk_header));
+@@ -280,7 +280,7 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+ }
+ else if (!strncmp (dff_chunk_header.ckID, "DSD ", 4)) {
+
+- if (!config->num_channels) {
++ if (!config->num_channels || !config->sample_rate) {
+ error_line ("%s is not a valid .DFF file!", infilename);
+ return WAVPACK_SOFT_ERROR;
+ }
diff --git a/main/wpa_supplicant/APKBUILD b/main/wpa_supplicant/APKBUILD
index 3378a74fe1b..55524416e8b 100644
--- a/main/wpa_supplicant/APKBUILD
+++ b/main/wpa_supplicant/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=wpa_supplicant
pkgver=2.6
-pkgrel=10
+pkgrel=11
pkgdesc="A utility providing key negotiation for WPA wireless networks"
url="https://w1.fi/wpa_supplicant/"
arch="all"
@@ -21,6 +21,7 @@ source="http://w1.fi/releases/$pkgname-$pkgver.tar.gz
rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
0014-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
0015-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
+ CVE-2019-16275.patch
wpa_supplicant.initd
wpa_supplicant.confd
@@ -31,6 +32,8 @@ source="http://w1.fi/releases/$pkgname-$pkgver.tar.gz
wpa_cli.sh"
# secfixes:
+# 2.6-r16:
+# - CVE-2019-16275
# 2.6-r10:
# - CVE-2019-11555
# 2.6-r9:
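Review bot: The secfixes entry added here is keyed `2.6-r16`, but the first hunk of this file bumps `pkgrel` from 10 to 11, so the release that carries CVE-2019-16275.patch is 2.6-r11. A scanner that compares the installed version with the secfixes key would keep reporting 2.6-r11 as affected, because it sorts before r16. The key should match the release being built: `# 2.6-r11:`.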
@@ -103,6 +106,7 @@ fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed
c275cb1a41901d3e5389ca301809baa16a73b40afdcd3a24b63b294e1b9e5eaead148b30742273deecbdd03c6b387a6b3da74de2ae6c49a499b5dd326ff4da9f rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
7038044885871271ac724790663d5c0a428db83b41a691747be7a618ae893670a98f3ba52a297937249084296b0e9bcfd791edaa3928548efddb259e1a15f46c 0014-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
99c734fe395b4231aa6a097a08a00e5dab65ea9c37a7c83b1904a37c39307d9e7e95485734b0d483687126f4100c75f8a7b1420f0a2edcbfe07b454a14548822 0015-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
+63710cfb0992f2c346a9807d8c97cbeaed032fa376a0e93a2e56f7742ce515e9c4dfadbdb1af03ba272281f639aab832f0178f67634c222a5d99e1d462aa9e38 CVE-2019-16275.patch
11eed22f6e793f40c788d586c715deecae03c421d11761b7b4a376660bce812c54cc6f353c7d4d5da9c455aeffd778baefb9e76d380027a729574a756e54ddcc wpa_supplicant.initd
29103161ec2b9631fca9e8d9a97fafd60ffac3fe78cf613b834395ddcaf8be1e253c22e060d7d9f9b974b2d7ce794caa932a2125e29f6494b75bce475f7b30e1 wpa_supplicant.confd
e98edc1ecec91335d515c50cac8816e3f6eef139aba574bcf0c6c20c131ef0de40aa657a33d07af09ab28245471a09cb6b3e29b306e48f46d335a0c47a0a56c4 libressl.patch
diff --git a/main/wpa_supplicant/CVE-2019-16275.patch b/main/wpa_supplicant/CVE-2019-16275.patch
new file mode 100644
index 00000000000..d764a9db016
--- /dev/null
+++ b/main/wpa_supplicant/CVE-2019-16275.patch
@@ -0,0 +1,73 @@
+From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Thu, 29 Aug 2019 11:52:04 +0300
+Subject: [PATCH] AP: Silently ignore management frame from unexpected source
+ address
+
+Do not process any received Management frames with unexpected/invalid SA
+so that we do not add any state for unexpected STA addresses or end up
+sending out frames to unexpected destination. This prevents unexpected
+sequences where an unprotected frame might end up causing the AP to send
+out a response to another device and that other device processing the
+unexpected response.
+
+In particular, this prevents some potential denial of service cases
+where the unexpected response frame from the AP might result in a
+connected station dropping its association.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/drv_callbacks.c | 13 +++++++++++++
+ src/ap/ieee802_11.c | 12 ++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
+index 31587685fe3b..34ca379edc3d 100644
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
+ "hostapd_notif_assoc: Skip event with no address");
+ return -1;
+ }
++
++ if (is_multicast_ether_addr(addr) ||
++ is_zero_ether_addr(addr) ||
++ os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
++ " in received indication - ignore this indication silently",
++ __func__, MAC2STR(addr));
++ return 0;
++ }
++
+ random_add_randomness(addr, ETH_ALEN);
+
+ hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index c85a28db44b7..e7065372e158 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
+ fc = le_to_host16(mgmt->frame_control);
+ stype = WLAN_FC_GET_STYPE(fc);
+
++ if (is_multicast_ether_addr(mgmt->sa) ||
++ is_zero_ether_addr(mgmt->sa) ||
++ os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
++ /* Do not process any frames with unexpected/invalid SA so that
++ * we do not add any state for unexpected STA addresses or end
++ * up sending out frames to unexpected destination. */
++ wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
++ " in received frame - ignore this frame silently",
++ MAC2STR(mgmt->sa));
++ return 0;
++ }
++
+ if (stype == WLAN_FC_STYPE_BEACON) {
+ handle_beacon(hapd, mgmt, len, fi);
+ return 1;
+--
+2.20.1
+
diff --git a/main/zeromq/APKBUILD b/main/zeromq/APKBUILD
index 3cfe83e1df1..3edd05f8669 100644
--- a/main/zeromq/APKBUILD
+++ b/main/zeromq/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=zeromq
pkgver=4.2.5
-pkgrel=0
+pkgrel=1
pkgdesc="The ZeroMQ messaging library and tools"
url="http://www.zeromq.org/"
arch="all"
@@ -14,10 +14,13 @@ subpackages="$pkgname-dev $pkgname-doc libzmq:libs"
source="https://github.com/zeromq/libzmq/releases/download/v$pkgver/$pkgname-$pkgver.tar.gz
test-driver.patch
CVE-2019-6250.patch
+ CVE-2019-13132.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.2.5-r1:
+# - CVE-2019-13132
# 4.2.5-r0:
# - CVE-2019-6250
@@ -47,4 +50,5 @@ package() {
sha512sums="4556cb50d05a6d133015a0ba804d6d951a47479a33fa29561eaeecb93d48b7bb6477365d0986c38b779f500cadaf08522c4a7aa13f5510303bd923f794d37036 zeromq-4.2.5.tar.gz
64e4ae2c89469359480743beeb4f1e08976a4c52dbfd2dd33020463df78e927993319e456299682901001e0832ebed85291eea0decc1d27a58de78a6c891e660 test-driver.patch
-ee0c71814c93378106593afafd9bb96c15038c2455dcd57ac71a6c3474ebd4eee3f4cf9933ddc737bbe0fe25f8d7cb141517c933fec591c00b7d5563bf33894d CVE-2019-6250.patch"
+ee0c71814c93378106593afafd9bb96c15038c2455dcd57ac71a6c3474ebd4eee3f4cf9933ddc737bbe0fe25f8d7cb141517c933fec591c00b7d5563bf33894d CVE-2019-6250.patch
+e70db052cced7110ff0066c495a1230459710e31bb1f6afd6f01194ac024c625cf365413d81fccf1c4e1670f9ec6e5ed340fddf9e06a0b726ed79009db92c587 CVE-2019-13132.patch"
diff --git a/main/zeromq/CVE-2019-13132.patch b/main/zeromq/CVE-2019-13132.patch
new file mode 100644
index 00000000000..39c80d7996e
--- /dev/null
+++ b/main/zeromq/CVE-2019-13132.patch
@@ -0,0 +1,110 @@
+From 4287cd2274ad48faa2b5346b6108f05b32ec20f2 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Tue, 2 Jul 2019 01:24:19 +0100
+Subject: [PATCH] Problem: application metadata not parsed correctly when using
+ CURVE
+
+Solution: create buffers large enough to contain arbitrary metadata
+---
+ src/curve_server.cpp | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/src/curve_server.cpp b/src/curve_server.cpp
+index 6938a637..d3a710db 100644
+--- a/src/curve_server.cpp
++++ b/src/curve_server.cpp
+@@ -327,8 +327,12 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ const size_t clen = (size - 113) + crypto_box_BOXZEROBYTES;
+
+ uint8_t initiate_nonce[crypto_box_NONCEBYTES];
+- uint8_t initiate_plaintext[crypto_box_ZEROBYTES + 128 + 256];
+- uint8_t initiate_box[crypto_box_BOXZEROBYTES + 144 + 256];
++ uint8_t *initiate_plaintext =
++ static_cast<uint8_t *> (malloc (crypto_box_ZEROBYTES + clen));
++ alloc_assert (initiate_plaintext);
++ uint8_t *initiate_box =
++ static_cast<uint8_t *> (malloc (crypto_box_BOXZEROBYTES + clen));
++ alloc_assert (initiate_box);
+
+ // Open Box [C + vouch + metadata](C'->S')
+ memset (initiate_box, 0, crypto_box_BOXZEROBYTES);
+@@ -339,6 +343,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ memcpy (initiate_nonce + 16, initiate + 105, 8);
+ cn_peer_nonce = get_uint64 (initiate + 105);
+
++ const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
++
+ rc = crypto_box_open (initiate_plaintext, initiate_box, clen,
+ initiate_nonce, cn_client, cn_secret);
+ if (rc != 0) {
+@@ -346,11 +352,10 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ session->get_socket ()->event_handshake_failed_protocol (
+ session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
+ errno = EPROTO;
+- return -1;
++ rc = -1;
++ goto exit;
+ }
+
+- const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
+-
+ uint8_t vouch_nonce[crypto_box_NONCEBYTES];
+ uint8_t vouch_plaintext[crypto_box_ZEROBYTES + 64];
+ uint8_t vouch_box[crypto_box_BOXZEROBYTES + 80];
+@@ -371,7 +376,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ session->get_socket ()->event_handshake_failed_protocol (
+ session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_CRYPTOGRAPHIC);
+ errno = EPROTO;
+- return -1;
++ rc = -1;
++ goto exit;
+ }
+
+ // What we decrypted must be the client's short-term public key
+@@ -383,7 +389,8 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ session->get_socket ()->event_handshake_failed_protocol (
+ session->get_endpoint (), ZMQ_PROTOCOL_ERROR_ZMTP_KEY_EXCHANGE);
+ errno = EPROTO;
+- return -1;
++ rc = -1;
++ goto exit;
+ }
+
+ // Precompute connection secret from client key
+@@ -405,7 +412,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ // is attempted)
+ rc = receive_and_process_zap_reply ();
+ if (rc == -1)
+- return -1;
++ goto exit;
+ } else if (!options.zap_enforce_domain) {
+ // This supports the Stonehouse pattern (encryption without
+ // authentication) in legacy mode (domain set but no handler).
+@@ -413,15 +420,21 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
+ } else {
+ session->get_socket ()->event_handshake_failed_no_detail (
+ session->get_endpoint (), EFAULT);
+- return -1;
++ rc = -1;
++ goto exit;
+ }
+ } else {
+ // This supports the Stonehouse pattern (encryption without authentication).
+ state = sending_ready;
+ }
+
+- return parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
+- clen - crypto_box_ZEROBYTES - 128);
++ rc = parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
++ clen - crypto_box_ZEROBYTES - 128);
++
++exit:
++ free (initiate_plaintext);
++ free (initiate_box);
++ return rc;
+ }
+
+ int zmq::curve_server_t::produce_ready (msg_t *msg_)
+--
+2.20.1
+
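Review bot: The two heap buffers in `process_initiate` are released only at the new `exit:` label, so every early return between the `malloc` calls and the label, including any added later, must be written as `goto exit` or it leaks both buffers. `client_key` was presumably moved above the first jump for the same reason, since a `goto` may not skip an initialised declaration. Owning the buffers with a container, e.g. `std::vector<uint8_t> initiate_plaintext (crypto_box_ZEROBYTES + clen);` and likewise for `initiate_box`, would free them on every path without the label. Separately, both sizes derive from `clen = (size - 113) + crypto_box_BOXZEROBYTES`, and the lower-bound check on `size` is not in the visible lines; confirm it runs before the allocations, because an undersized message would make the subtraction wrap. The function starts above the hunk.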
diff --git a/main/znc/APKBUILD b/main/znc/APKBUILD
index 98f02ad9228..eecf0435c8c 100644
--- a/main/znc/APKBUILD
+++ b/main/znc/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=znc
pkgver=1.7.1
-pkgrel=0
+pkgrel=1
pkgdesc="Advanced IRC bouncer"
url="http://znc.in"
arch="all"
@@ -14,12 +14,18 @@ pkggroups="$pkgusers"
install="$pkgname.pre-install"
subpackages="$pkgname-dev $pkgname-doc $pkgname-extra $pkgname-modtcl
$pkgname-modperl $pkgname-modpython"
-source="http://znc.in/releases/znc-$pkgver.tar.gz
+source="http://znc.in/releases/archive/znc-$pkgver.tar.gz
$pkgname.initd
- $pkgname.confd"
+ $pkgname.confd
+ CVE-2019-9917.patch
+ CVE-2019-12816.patch
+ "
builddir="$srcdir/znc-$pkgver"
# secfixes:
+# 1.7.1-r1:
+# - CVE-2019-9917
+# - CVE-2019-12816
# 1.7.1-r0:
# - CVE-2018-14055
# - CVE-2018-14056
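Review bot: The rewritten `source` URL still uses plain `http://`, so the release tarball is fetched over an unauthenticated channel. The `sha512sums` entry catches a modified download at build time, but whoever regenerates the checksums on the next version bump has no such anchor. If the host serves the archive over TLS, prefer `source="https://znc.in/releases/archive/znc-$pkgver.tar.gz`.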
@@ -111,4 +117,6 @@ _mv_to_sub() {
sha512sums="907068fb0828091026d440145b70ca76109302f13c18d94f772660192434287f209a06a52da1dd39726b9a38735b3cea9afbd062eb6def4cd428bb73c562a902 znc-1.7.1.tar.gz
47f9bd00f07861e195333d2cda5b1c7386e2324a1842b890837a7936a94b65b7a269f7fee656a522ec86b58a94bd451a2a3629bd6465578681b8d0733c2c77dc znc.initd
-00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29 znc.confd"
+00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29 znc.confd
+0c1bdb08ce5ca4b0ff8efedff9e711ffceba460594caf14aa1bfd04ca81ec2d3e2b10ed6e34960b8251f2d9d1e95ad1e9093db1aefd36beb35ff92c2e58e84f8 CVE-2019-9917.patch
+187dad0bbe90b354b746ca8dc13bcaf5781cdc86b8c94670ecfbbf2b6e99b3182b588873ec58a475ece06021265f6e7f60a73bae18b28e284387b550dc3ca65d CVE-2019-12816.patch"
diff --git a/main/znc/CVE-2019-12816.patch b/main/znc/CVE-2019-12816.patch
new file mode 100644
index 00000000000..6d4d8b199d7
--- /dev/null
+++ b/main/znc/CVE-2019-12816.patch
@@ -0,0 +1,103 @@
+From 8de9e376ce531fe7f3c8b0aa4876d15b479b7311 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Wed, 12 Jun 2019 08:57:29 +0100
+Subject: [PATCH] Fix remote code execution and privilege escalation
+ vulnerability.
+
+To trigger this, need to have a user already.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+
+CVE-2019-12816
+---
+ include/znc/Modules.h | 1 +
+ src/Modules.cpp | 38 +++++++++++++++++++++++++++++---------
+ 2 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/include/znc/Modules.h b/include/znc/Modules.h
+index 28fdd3a62..db8f87b81 100644
+--- a/include/znc/Modules.h
++++ b/include/znc/Modules.h
+@@ -1600,6 +1600,7 @@ class CModules : public std::vector<CModule*>, private CCoreTranslationMixin {
+ private:
+ static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
+ CModInfo& Info, CString& sRetMsg);
++ static bool ValidateModuleName(const CString& sModule, CString& sRetMsg);
+
+ protected:
+ CUser* m_pUser;
+diff --git a/src/Modules.cpp b/src/Modules.cpp
+index 5aec7805a..d41951a8d 100644
+--- a/src/Modules.cpp
++++ b/src/Modules.cpp
+@@ -1624,11 +1624,30 @@ CModule* CModules::FindModule(const CString& sModule) const {
+ return nullptr;
+ }
+
++bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) {
++ for (unsigned int a = 0; a < sModule.length(); a++) {
++ if (((sModule[a] < '0') || (sModule[a] > '9')) &&
++ ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
++ ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
++ sRetMsg =
++ t_f("Module names can only contain letters, numbers and "
++ "underscores, [{1}] is invalid")(sModule);
++ return false;
++ }
++ }
++
++ return true;
++}
++
+ bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
+ CModInfo::EModuleType eType, CUser* pUser,
+ CIRCNetwork* pNetwork, CString& sRetMsg) {
+ sRetMsg = "";
+
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ if (FindModule(sModule) != nullptr) {
+ sRetMsg = t_f("Module {1} already loaded.")(sModule);
+ return false;
+@@ -1781,6 +1800,10 @@ bool CModules::ReloadModule(const CString& sModule, const CString& sArgs,
+
+ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+ CString& sRetMsg) {
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ CString sModPath, sTmp;
+
+ bool bSuccess;
+@@ -1799,6 +1822,10 @@ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+
+ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
+ const CString& sModPath, CString& sRetMsg) {
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ ModInfo.SetName(sModule);
+ ModInfo.SetPath(sModPath);
+
+@@ -1911,15 +1938,8 @@ ModHandle CModules::OpenModule(const CString& sModule, const CString& sModPath,
+ // Some sane defaults in case anything errors out below
+ sRetMsg.clear();
+
+- for (unsigned int a = 0; a < sModule.length(); a++) {
+- if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+- ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+- ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+- sRetMsg =
+- t_f("Module names can only contain letters, numbers and "
+- "underscores, [{1}] is invalid")(sModule);
+- return nullptr;
+- }
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return nullptr;
+ }
+
+ // The second argument to dlopen() has a long history. It seems clear
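Review bot: `ValidateModuleName` returns true for an empty `sModule`, because the loop body never runs, so `LoadModule`, `GetModInfo`, `GetModPathInfo` and `OpenModule` all still accept an empty name and carry on to the lookup code. If an empty name is never valid, reject it before the loop with an `if (sModule.empty())` guard that sets `sRetMsg` and returns false. The declaration in `Modules.h` would also benefit from a comment stating the contract, e.g. `// Accepts only [A-Za-z0-9_]; call before the name is used to locate or open a module file.`, so later entry points that take a module name apply the same check. The bodies of the four callers continue outside the hunks shown.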
diff --git a/main/znc/CVE-2019-9917.patch b/main/znc/CVE-2019-9917.patch
new file mode 100644
index 00000000000..595d95f5537
--- /dev/null
+++ b/main/znc/CVE-2019-9917.patch
@@ -0,0 +1,122 @@
+From 64613bc8b6b4adf1e32231f9844d99cd512b8973 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Fri, 15 Mar 2019 20:34:10 +0000
+Subject: [PATCH] Don't crash if user specified invalid encoding.
+
+This is CVE-2019-9917
+---
+ modules/controlpanel.cpp | 2 +-
+ src/IRCNetwork.cpp | 4 ++--
+ src/User.cpp | 4 ++--
+ src/znc.cpp | 26 ++++++++++++++++++++++----
+ test/integration/tests/scripting.cpp | 7 +++++++
+ 5 files changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/modules/controlpanel.cpp b/modules/controlpanel.cpp
+index 139c2aefa..109f8c6b0 100644
+--- a/modules/controlpanel.cpp
++++ b/modules/controlpanel.cpp
+@@ -495,7 +495,7 @@ class CAdminMod : public CModule {
+ #ifdef HAVE_ICU
+ else if (sVar == "clientencoding") {
+ pUser->SetClientEncoding(sValue);
+- PutModule("ClientEncoding = " + sValue);
++ PutModule("ClientEncoding = " + pUser->GetClientEncoding());
+ }
+ #endif
+ else
+diff --git a/src/IRCNetwork.cpp b/src/IRCNetwork.cpp
+index 0284dc53e..0e1d6e2a3 100644
+--- a/src/IRCNetwork.cpp
++++ b/src/IRCNetwork.cpp
+@@ -1482,9 +1482,9 @@ void CIRCNetwork::SetBindHost(const CString& s) {
+ }
+
+ void CIRCNetwork::SetEncoding(const CString& s) {
+- m_sEncoding = s;
++ m_sEncoding = CZNC::Get().FixupEncoding(s);
+ if (GetIRCSock()) {
+- GetIRCSock()->SetEncoding(s);
++ GetIRCSock()->SetEncoding(m_sEncoding);
+ }
+ }
+
+diff --git a/src/User.cpp b/src/User.cpp
+index 3fd532a7c..c44cf6070 100644
+--- a/src/User.cpp
++++ b/src/User.cpp
+@@ -1253,9 +1253,9 @@ void CUser::SetAdmin(bool b) { m_bAdmin = b; }
+ void CUser::SetDenySetBindHost(bool b) { m_bDenySetBindHost = b; }
+ void CUser::SetDefaultChanModes(const CString& s) { m_sDefaultChanModes = s; }
+ void CUser::SetClientEncoding(const CString& s) {
+- m_sClientEncoding = s;
++ m_sClientEncoding = CZNC::Get().FixupEncoding(s);
+ for (CClient* pClient : GetAllClients()) {
+- pClient->SetEncoding(s);
++ pClient->SetEncoding(m_sClientEncoding);
+ }
+ }
+ void CUser::SetQuitMsg(const CString& s) { m_sQuitMsg = s; }
+diff --git a/src/znc.cpp b/src/znc.cpp
+index 4e7216ee1..3f4dd2e07 100644
+--- a/src/znc.cpp
++++ b/src/znc.cpp
+@@ -2092,18 +2092,36 @@ void CZNC::ForceEncoding() {
+ m_uiForceEncoding++;
+ #ifdef HAVE_ICU
+ for (Csock* pSock : GetManager()) {
+- if (pSock->GetEncoding().empty()) {
+- pSock->SetEncoding("UTF-8");
+- }
++ pSock->SetEncoding(FixupEncoding(pSock->GetEncoding()));
+ }
+ #endif
+ }
+ void CZNC::UnforceEncoding() { m_uiForceEncoding--; }
+ bool CZNC::IsForcingEncoding() const { return m_uiForceEncoding; }
+ CString CZNC::FixupEncoding(const CString& sEncoding) const {
+- if (sEncoding.empty() && m_uiForceEncoding) {
++ if (!m_uiForceEncoding) {
++ return sEncoding;
++ }
++ if (sEncoding.empty()) {
++ return "UTF-8";
++ }
++ const char* sRealEncoding = sEncoding.c_str();
++ if (sEncoding[0] == '*' || sEncoding[0] == '^') {
++ sRealEncoding++;
++ }
++ if (!*sRealEncoding) {
+ return "UTF-8";
+ }
++#ifdef HAVE_ICU
++ UErrorCode e = U_ZERO_ERROR;
++ UConverter* cnv = ucnv_open(sRealEncoding, &e);
++ if (cnv) {
++ ucnv_close(cnv);
++ }
++ if (U_FAILURE(e)) {
++ return "UTF-8";
++ }
++#endif
+ return sEncoding;
+ }
+
+diff --git a/test/integration/tests/scripting.cpp b/test/integration/tests/scripting.cpp
+index 9dd68d8fa..8f809f50c 100644
+--- a/test/integration/tests/scripting.cpp
++++ b/test/integration/tests/scripting.cpp
+@@ -55,6 +55,13 @@ TEST_F(ZNCTest, Modpython) {
+ ircd.Write(":n!u@h PRIVMSG nick :Hi\xF0, github issue #1229");
+ // "replacement character"
+ client.ReadUntil("Hi\xEF\xBF\xBD, github issue");
++
++ // Non-existing encoding
++ client.Write("PRIVMSG *controlpanel :Set ClientEncoding $me Western");
++ client.Write("JOIN #a\342");
++ client.ReadUntil(
++ ":*controlpanel!znc@znc.in PRIVMSG nick :ClientEncoding = UTF-8");
++ ircd.ReadUntil("JOIN #a\xEF\xBF\xBD");
+ }
+
+ TEST_F(ZNCTest, ModpythonSocket) {
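Review bot: `FixupEncoding` returns the caller's string untouched when `m_uiForceEncoding` is zero, so `CUser::SetClientEncoding` and `CIRCNetwork::SetEncoding` store and apply an unvalidated name whenever encoding is not being forced. In builds without `HAVE_ICU` the converter lookup is compiled out, so the name is never checked at all. If this is intended, say so at the early return, e.g. `// Names are validated only while encoding is forced; otherwise they pass through unchanged.` The loop in `ForceEncoding()` fixes up the sockets only, so it is worth confirming that values already stored in `m_sClientEncoding` and `m_sEncoding` before forcing starts cannot reach a socket created later without another fixup.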