authorVladimír Čunát <v@cunat.cz>2019-04-02 20:56:53 +0200
committerVladimír Čunát <v@cunat.cz>2019-04-02 20:56:53 +0200
commit2771375d6e62d2ffdf4ee469a8a96f245afe321e (patch)
treea1488d45be0e5ce7591cee874a75341230bfa80c /pkgs/tools/security
parentba18b47c2a89f3bf5a5b34a4c514b0bf2f598a39 (diff)
parentef5fd41a1183a7bb23fdfac82203277e5d85ea8f (diff)
Merge branch 'master' into staging-next
Hydra nixpkgs: ?compare=1512490
Diffstat (limited to 'pkgs/tools/security')
-rw-r--r--pkgs/tools/security/afl/libdislocator.nix34
-rw-r--r--pkgs/tools/security/browserpass/2.nix43
-rw-r--r--pkgs/tools/security/browserpass/2deps.nix39
-rw-r--r--pkgs/tools/security/browserpass/default.nix80
-rw-r--r--pkgs/tools/security/browserpass/deps.nix84
-rw-r--r--pkgs/tools/security/bundler-audit/Gemfile2
-rw-r--r--pkgs/tools/security/bundler-audit/Gemfile.lock16
-rw-r--r--pkgs/tools/security/bundler-audit/default.nix26
-rw-r--r--pkgs/tools/security/bundler-audit/gemset.nix19
-rw-r--r--pkgs/tools/security/clamav/default.nix4
-rw-r--r--pkgs/tools/security/default.nix28
-rw-r--r--pkgs/tools/security/gnupg/22.nix16
-rw-r--r--pkgs/tools/security/lastpass-cli/default.nix18
-rw-r--r--pkgs/tools/security/lynis/default.nix4
-rw-r--r--pkgs/tools/security/modsecurity/default.nix4
-rw-r--r--pkgs/tools/security/pass/default.nix3
-rw-r--r--pkgs/tools/security/sslscan/default.nix4
-rw-r--r--pkgs/tools/security/zzuf/default.nix25
18 files changed, 384 insertions, 65 deletions
diff --git a/pkgs/tools/security/afl/libdislocator.nix b/pkgs/tools/security/afl/libdislocator.nix
new file mode 100644
index 000000000000..c5844702ef38
--- /dev/null
+++ b/pkgs/tools/security/afl/libdislocator.nix
@@ -0,0 +1,34 @@
+{ stdenv, afl}:
+
+stdenv.mkDerivation rec {
+  version = (builtins.parseDrvName afl.name).version;
+  name = "libdislocator-${version}";
+
+  src = afl.src;
+  sourceRoot = "${afl.name}/libdislocator";
+
+  makeFlags = [ "PREFIX=$(out)" ];
+
+  preInstall = ''
+    mkdir -p $out/lib/afl
+  '';
+  postInstall = ''
+    mkdir $out/bin
+    cat > $out/bin/get-libdislocator-so <<END
+    #!${stdenv.shell}
+    echo $out/lib/afl/libdislocator.so
+    END
+    chmod +x $out/bin/get-libdislocator-so
+  '';
+
+  meta = with stdenv.lib; {
+    homepage = "http://lcamtuf.coredump.cx/afl/";
+    description = ''
+      Drop-in replacement for the libc allocator which improves
+      the odds of bumping into heap-related security bugs in
+      several ways.
+    '';
+    license = stdenv.lib.licenses.asl20;
+    maintainers = with maintainers; [ ris ];
+  };
+}
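Review bot: The `meta` block uses a three-line sentence with a trailing period as `description`, and spells the license as `stdenv.lib.licenses.asl20` although `with stdenv.lib;` is already in scope. A one-line summary such as `description = "Drop-in replacement for the libc allocator which improves the odds of bumping into heap-related security bugs";` with the rest moved to `longDescription`, plus `license = licenses.asl20;`, would read more consistently with the other expressions in this diff. `sourceRoot = "${afl.name}/libdislocator"` also assumes the afl tarball unpacks into a directory named exactly like `afl.name`; a short comment stating that coupling would help whoever next bumps afl.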
diff --git a/pkgs/tools/security/browserpass/2.nix b/pkgs/tools/security/browserpass/2.nix
new file mode 100644
index 000000000000..fdbd757449a6
--- /dev/null
+++ b/pkgs/tools/security/browserpass/2.nix
@@ -0,0 +1,43 @@
+# This file was generated by https://github.com/kamilchm/go2nix v1.2.1
+{ stdenv, buildGoPackage, fetchFromGitHub, gnupg }:
+
+buildGoPackage rec {
+  name = "browserpass-${version}";
+  version = "2.0.22";
+
+  goPackagePath = "github.com/dannyvankooten/browserpass";
+
+  goDeps = ./2deps.nix;
+
+  src = fetchFromGitHub {
+    repo = "browserpass";
+    owner = "dannyvankooten";
+    rev = version;
+    sha256 = "05cacrx08k99c5zra7ksdik9xxn3vih3x6in7536zs5gm55mkbfx";
+  };
+
+  postPatch = ''
+    substituteInPlace browserpass.go                                           \
+      --replace /usr/local/bin/gpg ${gnupg}/bin/gpg
+  '';
+
+  postInstall = ''
+      host_file="$bin/bin/browserpass"
+      mkdir -p "$bin/etc"
+
+      sed -e "s!%%replace%%!$host_file!" go/src/${goPackagePath}/chrome/host.json > chrome-host.json
+      sed -e "s!%%replace%%!$host_file!" go/src/${goPackagePath}/firefox/host.json > firefox-host.json
+
+      install chrome-host.json $bin/etc/
+      install -D firefox-host.json $bin/lib/mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json
+      install go/src/${goPackagePath}/chrome/policy.json $bin/etc/chrome-policy.json
+  '';
+
+  meta = with stdenv.lib; {
+    description = "A Chrome & Firefox extension for zx2c4's pass";
+    homepage = https://github.com/dannyvankooten/browserpass;
+    license = licenses.mit;
+    platforms = with platforms; linux ++ darwin ++ openbsd;
+    maintainers = with maintainers; [ rvolosatovs ];
+  };
+}
diff --git a/pkgs/tools/security/browserpass/2deps.nix b/pkgs/tools/security/browserpass/2deps.nix
new file mode 100644
index 000000000000..631463a69d11
--- /dev/null
+++ b/pkgs/tools/security/browserpass/2deps.nix
@@ -0,0 +1,39 @@
+# This file was generated by https://github.com/kamilchm/go2nix v1.2.1
+[
+  {
+    goPackagePath = "github.com/gokyle/twofactor";
+    fetch = {
+      type = "git";
+      url = "https://github.com/gokyle/twofactor";
+      rev = "eaad1884d40f9cabff98a57a524c17afd00c9fe7";
+      sha256 = "07kvga6f2b56kpy52a3xk16garvlqz950s350dax97x7cayba95g";
+    };
+  }
+  {
+    goPackagePath = "github.com/mattn/go-zglob";
+    fetch = {
+      type = "git";
+      url = "https://github.com/mattn/go-zglob";
+      rev = "4959821b481786922ac53e7ef25c61ae19fb7c36";
+      sha256 = "0rwkdw143kphpmingsrw1zp030zf3p08f64h347jpdm4lz8z5449";
+    };
+  }
+  {
+    goPackagePath = "github.com/sahilm/fuzzy";
+    fetch = {
+      type = "git";
+      url = "https://github.com/sahilm/fuzzy";
+      rev = "a154b19bb758dcdd6ede58dc11ea53c2950527b2";
+      sha256 = "0jkw6474d5ik2fq2zznqxj4y3p42z47r7mbg856ln5wyara2sg0l";
+    };
+  }
+  {
+    goPackagePath = "rsc.io/qr";
+    fetch = {
+      type = "git";
+      url = "https://github.com/rsc/qr";
+      rev = "48b2ede4844e13f1a2b7ce4d2529c9af7e359fc5";
+      sha256 = "1npxy32glnkvsp0871972jzjzgkwaqmbv6jsj9wgqsa1s2jr004p";
+    };
+  }
+]
diff --git a/pkgs/tools/security/browserpass/default.nix b/pkgs/tools/security/browserpass/default.nix
index dd797fb9348f..c1c9e679f22c 100644
--- a/pkgs/tools/security/browserpass/default.nix
+++ b/pkgs/tools/security/browserpass/default.nix
@@ -1,43 +1,65 @@
-# This file was generated by https://github.com/kamilchm/go2nix v1.2.1
-{ stdenv, buildGoPackage, fetchFromGitHub, gnupg }:
-
-buildGoPackage rec {
-  name = "browserpass-${version}";
-  version = "2.0.22";
-
-  goPackagePath = "github.com/dannyvankooten/browserpass";
-
-  goDeps = ./deps.nix;
+{ lib, callPackage, buildGoPackage, fetchFromGitHub, makeWrapper, gnupg }:
+let
+  # For backwards compatibility with v2 of the browser extension, we embed v2
+  # of the native host in v3. Because the extension will auto-update when it
+  # is released, this code can be removed from that point on.
+  # Don't forget to remove v2 references down below and the v2 files in this
+  # folder
+  v2 = callPackage ./2.nix {};
+in buildGoPackage rec {
+  pname = "browserpass";
+  version = "3.0.1";
 
   src = fetchFromGitHub {
-    repo = "browserpass";
-    owner = "dannyvankooten";
+    owner = "browserpass";
+    repo = "browserpass-native";
     rev = version;
-    sha256 = "05cacrx08k99c5zra7ksdik9xxn3vih3x6in7536zs5gm55mkbfx";
+    sha256 = "1i3xxysiiapz9y2v0gp13inx7j0d7n0khpmcsy9k95pzn53526dx";
   };
 
+  nativeBuildInputs = [ makeWrapper ];
+
+  goPackagePath = "github.com/browserpass/browserpass-native";
+  goDeps = ./deps.nix;
+
   postPatch = ''
-    substituteInPlace browserpass.go                                           \
-      --replace /usr/local/bin/gpg ${gnupg}/bin/gpg
+    # Because this Makefile will be installed to be used by the user, patch
+    # variables to be valid by default
+    substituteInPlace Makefile \
+      --replace "PREFIX ?= /usr" ""
   '';
 
-  postInstall = ''
-      host_file="$bin/bin/browserpass"
-      mkdir -p "$bin/etc"
+  DESTDIR = placeholder "bin";
+
+  postConfigure = ''
+    cd "go/src/$goPackagePath"
+    make configure
+  '';
+
+  buildPhase = ''
+    make
+  '';
+
+  installPhase = ''
+    make install
+
+    wrapProgram $bin/bin/browserpass \
+      --suffix PATH : ${lib.makeBinPath [ gnupg ]}
 
-      sed -e "s!%%replace%%!$host_file!" go/src/${goPackagePath}/chrome/host.json > chrome-host.json
-      sed -e "s!%%replace%%!$host_file!" go/src/${goPackagePath}/firefox/host.json > firefox-host.json
+    # This path is used by our firefox wrapper for finding native messaging hosts
+    mkdir -p $bin/lib/mozilla/native-messaging-hosts
+    ln -s $bin/lib/browserpass/hosts/firefox/*.json $bin/lib/mozilla/native-messaging-hosts
 
-      install chrome-host.json $bin/etc/
-      install -D firefox-host.json $bin/lib/mozilla/native-messaging-hosts/com.dannyvankooten.browserpass.json
-      install go/src/${goPackagePath}/chrome/policy.json $bin/etc/chrome-policy.json
+    # These can be removed too, see comment up top
+    ln -s ${lib.getBin v2}/etc $bin/etc
+    ln -s ${lib.getBin v2}/lib/mozilla/native-messaging-hosts/* $bin/lib/mozilla/native-messaging-hosts
   '';
 
-  meta = with stdenv.lib; {
-    description = "A Chrome & Firefox extension for zx2c4's pass";
-    homepage = https://github.com/dannyvankooten/browserpass;
-    license = licenses.mit;
-    platforms = with platforms; linux ++ darwin ++ openbsd;
-    maintainers = with maintainers; [ rvolosatovs ];
+  meta = with lib; {
+    description = "Browserpass native client app";
+    homepage = https://github.com/browserpass/browserpass-native;
+    license = licenses.isc;
+    platforms = platforms.all;
+    maintainers = with maintainers; [ rvolosatovs infinisil ];
   };
 }
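Review bot: `wrapProgram` adds gnupg with `--suffix PATH`, so a `gpg` already on the PATH that the browser passes to the native host is found first and the packaged `${gnupg}` is only a fallback, whereas the removed v2 code substituted the absolute `${gnupg}/bin/gpg`. This assumes the v3 host resolves gpg through PATH, which the hunk does not show. If that precedence is intended, a comment such as `# --suffix on purpose: a gpg from the caller's PATH wins, the packaged one is a fallback` would record it; if the packaged binary should always be the one that runs, `--prefix PATH : ${lib.makeBinPath [ gnupg ]}` does that. Since this program decrypts password-store entries, which gpg it executes is worth making explicit.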
diff --git a/pkgs/tools/security/browserpass/deps.nix b/pkgs/tools/security/browserpass/deps.nix
index 631463a69d11..334a189ad404 100644
--- a/pkgs/tools/security/browserpass/deps.nix
+++ b/pkgs/tools/security/browserpass/deps.nix
@@ -1,12 +1,21 @@
-# This file was generated by https://github.com/kamilchm/go2nix v1.2.1
+# file generated from go.mod using vgo2nix (https://github.com/adisbladis/vgo2nix)
 [
   {
-    goPackagePath = "github.com/gokyle/twofactor";
+    goPackagePath = "github.com/davecgh/go-spew";
     fetch = {
       type = "git";
-      url = "https://github.com/gokyle/twofactor";
-      rev = "eaad1884d40f9cabff98a57a524c17afd00c9fe7";
-      sha256 = "07kvga6f2b56kpy52a3xk16garvlqz950s350dax97x7cayba95g";
+      url = "https://github.com/davecgh/go-spew";
+      rev = "v1.1.1";
+      sha256 = "0hka6hmyvp701adzag2g26cxdj47g21x6jz4sc6jjz1mn59d474y";
+    };
+  }
+  {
+    goPackagePath = "github.com/konsorten/go-windows-terminal-sequences";
+    fetch = {
+      type = "git";
+      url = "https://github.com/konsorten/go-windows-terminal-sequences";
+      rev = "v1.0.2";
+      sha256 = "09mn209ika7ciy87xf2x31dq5fnqw39jidgaljvmqxwk7ff1hnx7";
     };
   }
   {
@@ -14,26 +23,71 @@
     fetch = {
       type = "git";
       url = "https://github.com/mattn/go-zglob";
-      rev = "4959821b481786922ac53e7ef25c61ae19fb7c36";
-      sha256 = "0rwkdw143kphpmingsrw1zp030zf3p08f64h347jpdm4lz8z5449";
+      rev = "v0.0.1";
+      sha256 = "1sncdyq5fbd42al4amyy91h7vlzm3wm6c9vl8za2pjgfgsd581fz";
+    };
+  }
+  {
+    goPackagePath = "github.com/pmezard/go-difflib";
+    fetch = {
+      type = "git";
+      url = "https://github.com/pmezard/go-difflib";
+      rev = "v1.0.0";
+      sha256 = "0c1cn55m4rypmscgf0rrb88pn58j3ysvc2d0432dp3c6fqg6cnzw";
+    };
+  }
+  {
+    goPackagePath = "github.com/rifflock/lfshook";
+    fetch = {
+      type = "git";
+      url = "https://github.com/rifflock/lfshook";
+      rev = "b9218ef580f5";
+      sha256 = "0wxqjcjfg8c0klmdgmbw3ckagby3wg9rkga9ihd4fsf05x5scxrc";
+    };
+  }
+  {
+    goPackagePath = "github.com/sirupsen/logrus";
+    fetch = {
+      type = "git";
+      url = "https://github.com/sirupsen/logrus";
+      rev = "v1.4.0";
+      sha256 = "1y1qjcg19z7q9sy32rhc148kdql2aw7xkcm9d6r1blrl0mdgpx0w";
+    };
+  }
+  {
+    goPackagePath = "github.com/stretchr/objx";
+    fetch = {
+      type = "git";
+      url = "https://github.com/stretchr/objx";
+      rev = "v0.1.1";
+      sha256 = "0iph0qmpyqg4kwv8jsx6a56a7hhqq8swrazv40ycxk9rzr0s8yls";
+    };
+  }
+  {
+    goPackagePath = "github.com/stretchr/testify";
+    fetch = {
+      type = "git";
+      url = "https://github.com/stretchr/testify";
+      rev = "v1.3.0";
+      sha256 = "0wjchp2c8xbgcbbq32w3kvblk6q6yn533g78nxl6iskq6y95lxsy";
     };
   }
   {
-    goPackagePath = "github.com/sahilm/fuzzy";
+    goPackagePath = "golang.org/x/crypto";
     fetch = {
       type = "git";
-      url = "https://github.com/sahilm/fuzzy";
-      rev = "a154b19bb758dcdd6ede58dc11ea53c2950527b2";
-      sha256 = "0jkw6474d5ik2fq2zznqxj4y3p42z47r7mbg856ln5wyara2sg0l";
+      url = "https://go.googlesource.com/crypto";
+      rev = "c2843e01d9a2";
+      sha256 = "01xgxbj5r79nmisdvpq48zfy8pzaaj90bn6ngd4nf33j9ar1dp8r";
     };
   }
   {
-    goPackagePath = "rsc.io/qr";
+    goPackagePath = "golang.org/x/sys";
     fetch = {
       type = "git";
-      url = "https://github.com/rsc/qr";
-      rev = "48b2ede4844e13f1a2b7ce4d2529c9af7e359fc5";
-      sha256 = "1npxy32glnkvsp0871972jzjzgkwaqmbv6jsj9wgqsa1s2jr004p";
+      url = "https://go.googlesource.com/sys";
+      rev = "fead79001313";
+      sha256 = "12vwl6sv6w7q0dyvynjhbp67242rhh77d6nlsb22ajr8rf17c63i";
     };
   }
 ]
diff --git a/pkgs/tools/security/bundler-audit/Gemfile b/pkgs/tools/security/bundler-audit/Gemfile
new file mode 100644
index 000000000000..f9fb0e329bd4
--- /dev/null
+++ b/pkgs/tools/security/bundler-audit/Gemfile
@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gem 'bundler-audit'
diff --git a/pkgs/tools/security/bundler-audit/Gemfile.lock b/pkgs/tools/security/bundler-audit/Gemfile.lock
new file mode 100644
index 000000000000..28cbcf5a9a66
--- /dev/null
+++ b/pkgs/tools/security/bundler-audit/Gemfile.lock
@@ -0,0 +1,16 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    bundler-audit (0.6.1)
+      bundler (>= 1.2.0, < 3)
+      thor (~> 0.18)
+    thor (0.20.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler-audit
+
+BUNDLED WITH
+   1.14.6
diff --git a/pkgs/tools/security/bundler-audit/default.nix b/pkgs/tools/security/bundler-audit/default.nix
new file mode 100644
index 000000000000..8b19b6103d4a
--- /dev/null
+++ b/pkgs/tools/security/bundler-audit/default.nix
@@ -0,0 +1,26 @@
+{ bundlerEnv, ruby, lib }:
+
+bundlerEnv rec {
+  name = "${pname}-${version}";
+  pname = "bundler-audit";
+  version = (import ./gemset.nix).bundler-audit.version;
+
+  inherit ruby;
+  gemdir = ./.;
+
+  meta = with lib; {
+    description = "Patch-level verification for Bundler";
+    longDescription = ''
+      Features:
+      - Checks for vulnerable versions of gems in Gemfile.lock.
+      - Checks for insecure gem sources (http://).
+      - Allows ignoring certain advisories that have been manually worked around.
+      - Prints advisory information.
+      - Does not require a network connection.
+    '';
+    homepage    = https://github.com/rubysec/bundler-audit;
+    license     = licenses.gpl3Plus;
+    maintainers = with maintainers; [ primeos ];
+    platforms   = platforms.unix;
+  };
+}
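Review bot: The `longDescription` bullet "Does not require a network connection" gives no hint about how current the advisory data is. The offline mode presumably works from advisory data shipped with the gem (0.6.1 per `gemset.nix`), so a user relying on this package alone may be checking against a database frozen at that release. Consider adding a line to `longDescription` such as `- The bundled advisory database is a snapshot; refresh it before relying on the results.` so that the offline claim is not read as "always up to date".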
diff --git a/pkgs/tools/security/bundler-audit/gemset.nix b/pkgs/tools/security/bundler-audit/gemset.nix
new file mode 100644
index 000000000000..56d78b3e8f16
--- /dev/null
+++ b/pkgs/tools/security/bundler-audit/gemset.nix
@@ -0,0 +1,19 @@
+{
+  bundler-audit = {
+    dependencies = ["thor"];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "0pm22xpn3xyymsainixnrk8v3l3xi9bzwkjkspx00cfzp84xvxbq";
+      type = "gem";
+    };
+    version = "0.6.1";
+  };
+  thor = {
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "1yhrnp9x8qcy5vc7g438amd5j9sw83ih7c30dr6g6slgw9zj3g29";
+      type = "gem";
+    };
+    version = "0.20.3";
+  };
+}
\ No newline at end of file
diff --git a/pkgs/tools/security/clamav/default.nix b/pkgs/tools/security/clamav/default.nix
index 8e641ba4a0ed..4d9beb654ece 100644
--- a/pkgs/tools/security/clamav/default.nix
+++ b/pkgs/tools/security/clamav/default.nix
@@ -5,11 +5,11 @@
 
 stdenv.mkDerivation rec {
   name = "clamav-${version}";
-  version = "0.101.1";
+  version = "0.101.2";
 
   src = fetchurl {
     url = "https://www.clamav.net/downloads/production/${name}.tar.gz";
-    sha256 = "01mq3z04fjbq5iq8wfwfim72iv3dn04d3ishc5lkhxpmnalqydps";
+    sha256 = "0d3n4y8i5q594h4cjglmvpk4jd73r9ajpp1bvq5lr9zpdzgyn4ha";
   };
 
   # don't install sample config files into the absolute sysconfdir folder
diff --git a/pkgs/tools/security/default.nix b/pkgs/tools/security/default.nix
new file mode 100644
index 000000000000..c5987d37889c
--- /dev/null
+++ b/pkgs/tools/security/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, pkgs }:
+
+stdenv.mkDerivation rec {
+  version = "0.0.1";
+  name = "ecdsatool-${version}";
+
+  src = pkgs.fetchFromGitHub {
+    owner = "kaniini";
+    repo = "ecdsatool";
+    rev = "7c0b2c51e2e64d1986ab1dc2c57c2d895cc00ed1";
+    sha256 = "08z9309znkhrjpwqd4ygvm7cd1ha1qbrnlzw64fr8704jrmx762k";
+  };
+
+  configurePhase = ''
+    ./autogen.sh
+    ./configure --prefix=$out
+  '';
+
+  nativeBuildInputs = with pkgs; [openssl autoconf automake];
+  buildInputs = with pkgs; [libuecc];
+
+  meta = with stdenv.lib; {
+    description = "Create and manipulate ECC NISTP256 keypairs.";
+    homepage = https://github.com/kaniini/ecdsatool/;
+    license = with licenses; [free];
+    platforms = platforms.unix;
+  };
+}
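Review bot: This new file defines `ecdsatool` but is added as `pkgs/tools/security/default.nix`, directly in the category directory, while every other package in this diff lives in its own subdirectory; it looks misplaced and would more naturally be `pkgs/tools/security/ecdsatool/default.nix`. The expression also takes the whole `pkgs` set instead of naming its inputs, and lists `openssl` under `nativeBuildInputs`; if ecdsatool links against OpenSSL, that belongs with the host libraries, e.g. `buildInputs = [ openssl libuecc ];` with `nativeBuildInputs = [ autoconf automake ];`. For a key-handling tool, `license = with licenses; [free];` and the absent `maintainers` leave nobody named to track upstream fixes.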
diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
index 9fb5e45a8edb..fbb370027d7e 100644
--- a/pkgs/tools/security/gnupg/22.nix
+++ b/pkgs/tools/security/gnupg/22.nix
@@ -1,5 +1,6 @@
-{ fetchurl, stdenv, pkgconfig, libgcrypt, libassuan, libksba
+{ fetchurl, stdenv, pkgconfig, libgcrypt, libassuan, libksba, libgpgerror
 , libiconv, npth, gettext, texinfo, pcsclite, sqlite
+, buildPackages
 
 # Each of the dependencies below are optional.
 # Gnupg can be built without them at the cost of reduced functionality.
@@ -15,13 +16,14 @@ assert guiSupport -> pinentry != null;
 stdenv.mkDerivation rec {
   name = "gnupg-${version}";
 
-  version = "2.2.14";
+  version = "2.2.15";
 
   src = fetchurl {
     url = "mirror://gnupg/gnupg/${name}.tar.bz2";
-    sha256 = "0yzqrg24j9fc4f8ss5pclyvg70a9z53sv89vl77xii8yvi3fvy8v";
+    sha256 = "0m6lyphbb20i84isdxzfhcbzyc682hdrdv4aqkzmhrdksycf536b";
   };
 
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
   nativeBuildInputs = [ pkgconfig ];
   buildInputs = [
     libgcrypt libassuan libksba libiconv npth gettext texinfo
@@ -36,7 +38,13 @@ stdenv.mkDerivation rec {
   ''; #" fix Emacs syntax highlighting :-(
 
   pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry";
-  configureFlags = optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}";
+  configureFlags = [
+    "--with-libgpg-error-prefix=${libgpgerror.dev}"
+    "--with-libgcrypt-prefix=${libgcrypt.dev}"
+    "--with-libassuan-prefix=${libassuan.dev}"
+    "--with-ksba-prefix=${libksba.dev}"
+    "--with-npth-prefix=${npth}"
+  ] ++ optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}";
 
   postInstall = ''
     mkdir -p $out/lib/systemd/user
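Review bot: The new `configureFlags` list passes `.dev` outputs for libgpg-error, libgcrypt, libassuan and ksba but the plain `${npth}` for `--with-npth-prefix`, and nothing explains the difference or why the prefixes are spelled out at all. Together with the `depsBuildBuild` addition in the previous hunk this is presumably a cross-compilation fix, so a comment such as `# pass library prefixes explicitly; configure cannot rely on the *-config scripts when cross-compiling (npth has no separate dev output)` would help, once the npth part is confirmed. `libgpgerror` is added to the argument list in the first hunk, but the `buildInputs` list continues outside the visible lines, so it is worth checking that it is listed there too.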
diff --git a/pkgs/tools/security/lastpass-cli/default.nix b/pkgs/tools/security/lastpass-cli/default.nix
index 4db350684bef..0415b10b25d8 100644
--- a/pkgs/tools/security/lastpass-cli/default.nix
+++ b/pkgs/tools/security/lastpass-cli/default.nix
@@ -2,15 +2,14 @@
 , bash-completion, openssl, curl, libxml2, libxslt }:
 
 stdenv.mkDerivation rec {
-  name = "lastpass-cli-${version}";
-
-  version = "1.3.1";
+  pname = "lastpass-cli";
+  version = "1.3.2";
 
   src = fetchFromGitHub {
     owner = "lastpass";
-    repo = "lastpass-cli";
+    repo = pname;
     rev = "v${version}";
-    sha256 = "11drzmfdvb8ydw1dxaz9zz8rk0jjqmfv076vydz05qqvgx59s38h";
+    sha256 = "12qjqvqzi3pq7hrdpq59bcxqy6yj1mhx145g9rky1jm2ipzpfayq";
   };
 
   nativeBuildInputs = [ asciidoc cmake docbook_xsl pkgconfig ];
@@ -21,11 +20,12 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  cmakeFlags = [
-    "-DBASH_COMPLETION_COMPLETIONSDIR=./share/bash-completion/completions"
-  ];
+  installTargets = [ "install" "install-doc" ];
 
-  installTargets = "install install-doc";
+  postInstall = ''
+    install -Dm644 -T ../contrib/lpass_zsh_completion $out/share/zsh/site-functions/_lpass
+    install -Dm644 -T ../contrib/completions-lpass.fish $out/share/fish/vendor_completions.d/lpass.fish
+  '';
 
   meta = with lib; {
     description = "Stores, retrieves, generates, and synchronizes passwords securely";
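Review bot: The two `install` lines in `postInstall` reach the sources through `../contrib/`, which only resolves when the phase runs from a build directory one level below the source root; that is presumably the cmake hook's layout, but nothing here says so. A comment such as `# cwd is the cmake build dir, the source tree is one level up` would make the assumption visible. The hunk also drops `-DBASH_COMPLETION_COMPLETIONSDIR=./share/bash-completion/completions` without a replacement in the visible lines, so it is worth confirming that the bash completion still ends up under `$out` after this change.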
diff --git a/pkgs/tools/security/lynis/default.nix b/pkgs/tools/security/lynis/default.nix
index c72f75e24e27..ceff23911c7e 100644
--- a/pkgs/tools/security/lynis/default.nix
+++ b/pkgs/tools/security/lynis/default.nix
@@ -2,14 +2,14 @@
 
 stdenv.mkDerivation rec {
   pname = "lynis";
-  version = "2.7.1";
+  version = "2.7.2";
   name = "${pname}-${version}";
 
   src = fetchFromGitHub {
     owner = "CISOfy";
     repo = "${pname}";
     rev = "${version}";
-    sha256 = "1nv2dqd2k2n8mcdr6xl5g713xxkgvja6487by1wn4k0b416jij9i";
+    sha256 = "0dbbfk47dpxx7zpb98n4w3ls3z5di57qnr2nsgxjvp49gk9j3f6k";
   };
 
   nativeBuildInputs = [ makeWrapper ];
diff --git a/pkgs/tools/security/modsecurity/default.nix b/pkgs/tools/security/modsecurity/default.nix
index 09f8c63973c7..6ec90cd15a85 100644
--- a/pkgs/tools/security/modsecurity/default.nix
+++ b/pkgs/tools/security/modsecurity/default.nix
@@ -11,11 +11,11 @@ in
 
 stdenv.mkDerivation rec {
   name = "modsecurity-${version}";
-  version = "2.9.2";
+  version = "2.9.3";
 
   src = fetchurl {
     url = "https://www.modsecurity.org/tarball/${version}/${name}.tar.gz";
-    sha256 = "41a8f73476ec891f3a9e8736b98b64ea5c2105f1ce15ea57a1f05b4bf2ffaeb5";
+    sha256 = "0611nskd2y6yagrciqafxdn4rxbdk2v4swf45kc1sgwx2sfh34j1";
   };
 
   nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/tools/security/pass/default.nix b/pkgs/tools/security/pass/default.nix
index 007ffdf3e3fa..8ddbd60a38d1 100644
--- a/pkgs/tools/security/pass/default.nix
+++ b/pkgs/tools/security/pass/default.nix
@@ -73,6 +73,9 @@ let
       # Link extensions env
       rmdir $out/lib/password-store/extensions
       ln -s ${extensionsEnv}/lib/password-store/extensions $out/lib/password-store/.
+      for f in ${extensionsEnv}/share/man/man1/*.1.gz; do
+          ln -s $f $out/share/man/man1/
+      done
 
       # Fix program name in --help
       substituteInPlace $out/bin/pass \
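Review bot: The added `for f in ${extensionsEnv}/share/man/man1/*.1.gz` loop behaves correctly with no extension man pages only if the builder shell has `nullglob` set; otherwise the unmatched pattern is passed to `ln -s` literally and leaves a dangling `*.1.gz` link. The hunk does not show which applies, so either note the dependency in a comment or guard the body with `[ -e "$f" ] || continue`. Quoting the variable, `ln -s "$f" $out/share/man/man1/`, costs nothing either. The surrounding install script starts and ends outside this hunk.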
diff --git a/pkgs/tools/security/sslscan/default.nix b/pkgs/tools/security/sslscan/default.nix
index 0484e8e069ab..d3a8f35d9148 100644
--- a/pkgs/tools/security/sslscan/default.nix
+++ b/pkgs/tools/security/sslscan/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "sslscan-${version}";
-  version = "1.11.12";
+  version = "1.11.13";
 
   src = fetchFromGitHub {
     owner = "rbsec";
     repo = "sslscan";
     rev = "${version}-rbsec";
-    sha256 = "0wa0z6my6aqjp8si6x522ivk0yy55izbs3ch298gxjw5r15f4jb1";
+    sha256 = "0sa8iw91wi3515lw761j84wagab1x9rxr0mn8m08qj300z2044yk";
   };
 
   buildInputs = [ openssl ];
diff --git a/pkgs/tools/security/zzuf/default.nix b/pkgs/tools/security/zzuf/default.nix
new file mode 100644
index 000000000000..dc2cfe81746a
--- /dev/null
+++ b/pkgs/tools/security/zzuf/default.nix
@@ -0,0 +1,25 @@
+{ stdenv, fetchFromGitHub, autoconf, automake, libtool, pkgconfig }:
+
+stdenv.mkDerivation rec {
+  pname = "zzuf";
+  version = "0.15";
+
+  src = fetchFromGitHub {
+    owner = "samhocevar";
+    repo = "zzuf";
+    rev = "v${version}";
+    sha256 = "0li1s11xf32dafxq1jbnc8c63313hy9ry09dja2rymk9mza4x2n9";
+  };
+
+  buildInputs = [ autoconf automake libtool pkgconfig ];
+
+  preConfigure = "./bootstrap";
+
+  meta = with stdenv.lib; {
+    description = "Transparent application input fuzzer.";
+    homepage = http://caca.zoy.org/wiki/zzuf;
+    license = licenses.wtfpl;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ lihop ];
+  };
+}
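Review bot: `autoconf`, `automake`, `libtool` and `pkgconfig` are build-time tools but are listed under `buildInputs`; they should be `nativeBuildInputs = [ autoconf automake libtool pkgconfig ];` so they are taken from the build platform. In `meta`, the `description` ends with a period, unlike most of the other expressions in this diff, and the `homepage` is a plain `http://` URL; use the https form if the site serves it.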