diff --git a/bzip2/.md5sum b/bzip2/.md5sum index 134efa59..dc8c7f33 100644 --- a/bzip2/.md5sum +++ b/bzip2/.md5sum @@ -1,2 +1,3 @@ +3b17081b71204ddfaa1cef6f5f9d8747 CVE-2016-3189.patch 00b516f4704d4a7cb50a1d97e6e8e15b bzip2-1.0.6.tar.gz ab2b0d7367fc6f14a3d943a3861ad2c1 bzip2.patch diff --git a/bzip2/.signature b/bzip2/.signature index ebf2ccb8..2e185d6a 100644 --- a/bzip2/.signature +++ b/bzip2/.signature @@ -1,6 +1,7 @@ untrusted comment: verify with /etc/ports/core.pub -RWRJc1FUaeVeqqfPftfIF0ivBJPCnvaKfb3TRTwhrHN2HwJzwZnalx90xUtEQ05eddc+wTr4TBkDpfdlnZ8wHaz4+pZOxRRSZQU= -SHA256 (Pkgfile) = b5093f1b2cdc92c7773a0eb48bd20aa058fa677b9fc053f2ba1b4c82afe83b2e +RWRJc1FUaeVeqm1TQVFfW0gKA8At/dPhtV6NvWErI7K10qCoVdy+G3YMe2g5Zlh1u5pYju9Ph8byE7Uxm6vIntJdAWeV8x219w0= +SHA256 (Pkgfile) = fa4a0928f6530d495d431e37ba880d2359cf96da3cd3b64d68dc5f49b0428ebd SHA256 (.footprint) = bd0f9e3ca456b7ff1fcc5440865dc233e263307cb4b59f5d3c5d7ccfdadfcd6d SHA256 (bzip2-1.0.6.tar.gz) = a2848f34fcd5d6cf47def00461fcb528a0484d8edef8208d6d2e2909dc61d9cd SHA256 (bzip2.patch) = b8aa64ff17bc5704cbaf2b7012086575acfa6557c89fafdcc6dcd847fb29b5cf +SHA256 (CVE-2016-3189.patch) = 5c1cce66d2d1dfa61a627734c1a00bf0441c5ab6be0458676e20787705a14a6b diff --git a/bzip2/CVE-2016-3189.patch b/bzip2/CVE-2016-3189.patch new file mode 100644 index 00000000..d947130e --- /dev/null +++ b/bzip2/CVE-2016-3189.patch @@ -0,0 +1,10 @@ +--- a/bzip2recover.c ++++ b/bzip2recover.c +@@ -457,6 +457,7 @@ Int32 main ( Int32 argc, Char** argv ) + bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); + bsPutUInt32 ( bsWr, blockCRC ); + bsClose ( bsWr ); ++ outFile = NULL; + } + if (wrBlock >= rbCtr) break; + wrBlock++; diff --git a/bzip2/Pkgfile b/bzip2/Pkgfile index 5c399f1a..8e44892a 100644 --- a/bzip2/Pkgfile +++ b/bzip2/Pkgfile 
@@ -4,14 +4,15 @@ name=bzip2 version=1.0.6 -release=2 +release=3 source=(http://www.bzip.org/$version/$name-$version.tar.gz \ - $name.patch) + $name.patch CVE-2016-3189.patch) build() { cd $name-$version patch -Np1 -i $SRC/$name.patch + patch -p1 -i $SRC/CVE-2016-3189.patch make make PREFIX=$PKG/usr install diff --git a/nasm/.md5sum b/nasm/.md5sum index 3e731671..5a22f733 100644 --- a/nasm/.md5sum +++ b/nasm/.md5sum @@ -1 +1 @@ -abb79a82fa30908217e30f76eca8a557 nasm-2.13.02.tar.xz +d5ca2ad7121ccbae69dd606b1038532c nasm-2.13.03.tar.xz diff --git a/nasm/.signature b/nasm/.signature index a7869ddb..d7736315 100644 --- a/nasm/.signature +++ b/nasm/.signature @@ -1,5 +1,5 @@ untrusted comment: verify with /etc/ports/core.pub -RWRJc1FUaeVeqltoBe21yTeUWABrILDhHgX24zQmJ9qJ2c3htKxRX5Vkv9OM+RlRuj0RB5XhxefK8VkrXH+7kX/226SLD51K5AQ= -SHA256 (Pkgfile) = f7f3d51432547757f0b0bd1808712cce7202fb27b6a2219f7e058d661d678e68 +RWRJc1FUaeVeqr/L+q8lUv9md0uFcmPKZwfnm3jHBnxzTo42yU/eOXvcxROHhkRwcDqH6upGYbbAoiWrdAxEStoXeTabK91ypgE= +SHA256 (Pkgfile) = ac2af7c313dcb8afc97bc0386e3db0c6b421aeaee712043a4bd9981a37c4ff43 SHA256 (.footprint) = 2f2595d48b1d9747afa0d6b676a290528c98d1151c567954c594803a07fa9255 -SHA256 (nasm-2.13.02.tar.xz) = 8ac3235f49a6838ff7a8d7ef7c19a4430d0deecc0c2d3e3e237b5e9f53291757 +SHA256 (nasm-2.13.03.tar.xz) = 812ecfb0dcbc5bd409aaa8f61c7de94c5b8752a7b00c632883d15b2ed6452573 diff --git a/nasm/Pkgfile b/nasm/Pkgfile index a9430de3..bd9546ed 100644 --- a/nasm/Pkgfile +++ b/nasm/Pkgfile @@ -3,7 +3,7 @@ # Maintainer: CRUX System Team, core-ports at crux dot nu name=nasm -version=2.13.02 +version=2.13.03 release=1 source=(http://www.nasm.us/pub/nasm/releasebuilds/$version/$name-$version.tar.xz) diff --git a/patch/.md5sum b/patch/.md5sum index 3c57068b..12801982 100644 --- a/patch/.md5sum +++ b/patch/.md5sum @@ -1 +1 @@ -e3da7940431633fb65a01b91d3b7a27a patch-2.7.5.tar.xz +78ad9937e4caadcba1526ef1853730d5 patch-2.7.6.tar.xz 
diff --git a/patch/.signature b/patch/.signature index 3b5e2fc6..efc5630e 100644 --- a/patch/.signature +++ b/patch/.signature @@ -1,5 +1,5 @@ untrusted comment: verify with /etc/ports/core.pub -RWRJc1FUaeVeqklL/bOUmqGJMNyF1s/s5t35tqgwzKj0MUz8ptFe7gj3S6xjGH2FxJWGIrZROei1N6KL+xge8HuxiUny2r/lZAs= -SHA256 (Pkgfile) = 4c6cadbce6706928987a484e4fe25f26953bba3ad88e13b6db1eaf580f2dac72 +RWRJc1FUaeVeqpQQ5plmVPS868AicvQmCGmvOE9RX3zo7FkrNV/O011ysEAFgsLxRKt4AKaJWNb0v/u+jifXIFr0LuqhQYmAEgg= +SHA256 (Pkgfile) = 2944383497a26508d2f78876773c3089c7ef7a9e975cc0095d123389c4b96a49 SHA256 (.footprint) = 7185313cfe8efa96d2ac73dd1a2d12bd07820c9f4982052d085c72abece80bac -SHA256 (patch-2.7.5.tar.xz) = fd95153655d6b95567e623843a0e77b81612d502ecf78a489a4aed7867caa299 +SHA256 (patch-2.7.6.tar.xz) = ac610bda97abe0d9f6b7c963255a11dcb196c25e337c61f94e4778d632f1d8fd diff --git a/patch/Pkgfile b/patch/Pkgfile index e800a47d..72cd7832 100644 --- a/patch/Pkgfile +++ b/patch/Pkgfile @@ -3,8 +3,8 @@ # Maintainer: CRUX System Team, core-ports at crux dot nu name=patch -version=2.7.5 -release=2 +version=2.7.6 +release=1 source=(http://ftpmirror.gnu.org/gnu/$name/$name-$version.tar.xz) build() {
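Review bot: the new file bzip2/CVE-2016-3189.patch begins directly at `--- a/bzip2recover.c` and carries no header saying where the fix was taken from or what it addresses. The single added line `outFile = NULL;` after `bsClose ( bsWr );` is not self-explanatory, so please add a short comment block at the top of the patch file naming its origin and stating why outFile has to be reset once the writer is closed.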
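Review bot: in the bzip2/Pkgfile hunk, the added `patch -p1 -i $SRC/CVE-2016-3189.patch` drops the -N flag that the existing line directly above it uses (`patch -Np1 -i $SRC/$name.patch`). Without -N, patch asks interactively when a hunk looks already applied or reversed, which is not what a non-interactive build() should do; use `patch -Np1 -i $SRC/CVE-2016-3189.patch` so both invocations behave the same.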
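Review bot: in the nasm/Pkgfile hunk the version is bumped while the context line `source=(http://www.nasm.us/pub/nasm/releasebuilds/$version/$name-$version.tar.xz)` still fetches over plain HTTP, and the same holds for `source=(http://ftpmirror.gnu.org/gnu/$name/$name-$version.tar.xz)` in patch/Pkgfile. Integrity of the new tarballs then rests entirely on the SHA256 lines in .signature; if these hosts serve the files over https, consider switching the URLs as part of the bump.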