1 files changed, 14 insertions, 4 deletions

diff --git a/nixpkgs/pkgs/applications/networking/mailreaders/claws-mail/default.nix b/nixpkgs/pkgs/applications/networking/mailreaders/claws-mail/default.nix
index 5f5e66597ac..08acda3adb7 100644
--- a/nixpkgs/pkgs/applications/networking/mailreaders/claws-mail/default.nix
+++ b/nixpkgs/pkgs/applications/networking/mailreaders/claws-mail/default.nix
@@ -1,4 +1,4 @@
-{ config, fetchurl, stdenv, wrapGAppsHook, autoreconfHook
+{ config, fetchurl, fetchpatch, stdenv, wrapGAppsHook, autoreconfHook
 , curl, dbus, dbus-glib, enchant, gtk2, gnutls, gnupg, gpgme
 , libarchive, libcanberra-gtk2, libetpan, libnotify, libsoup, libxml2, networkmanager
 , openldap, perl, pkgconfig, poppler, python, shared-mime-info
@@ -30,16 +30,26 @@ with stdenv.lib;
 
 stdenv.mkDerivation rec {
   pname = "claws-mail";
-  version = "3.17.5";
+  version = "3.17.6";
 
   src = fetchurl {
     url = "http://www.claws-mail.org/download.php?file=releases/claws-mail-${version}.tar.xz";
-    sha256 = "1gjrmdmhc7zzilrlss9yl86ybv9sra8v0qi7mkwv7d9azidx5kns";
+    sha256 = "1s05qw0r0gqwvvkxvrrwbjkbi61dvilixiwrpgcq21qc9csc9r0m";
   };
 
   outputs = [ "out" "dev" ];
 
-  patches = [ ./mime.patch ];
+  patches = [
+    ./mime.patch
+
+    # Backports a mitigation to the "mailto vulnerability". This patch is
+    # included in the next release and must therefore be removed.
+    (fetchpatch {
+      name = "fix-4373-4374.patch";
+      url = "https://git.claws-mail.org/?p=claws.git;a=patch;h=4c9d15b4b37cdc57edfa16df550a0a881a156153";
+      sha256 = "0sp0vxr6pk2fv5ydpcakb50rmn2w2nma98apgfsgcgan82qmwk7n";
+    })
+  ];
 
   preConfigure = ''
     # autotools check tries to dlopen libpython as a requirement for the python plugin