authorPatrick Williams <patrick@stwcx.xyz>2024-12-14 02:56:42 +0300
committerPatrick Williams <patrick@stwcx.xyz>2024-12-14 04:38:25 +0300
commite73366c8bab752f44899222f9df7ce7ed080f2e9 (patch)
tree57ae1423728ade061bb318ab6413a18e1afb9c20 /meta-security
parent1d19bb6db66dd40f999dbfcd25be489aa4ecd0b3 (diff)
downloadopenbmc-styhead.tar.xz
subtree updatesstyhead
poky: subtree update:5d88faa0f3..ecd195a3ef Aditya Tayade (1): e2fsprogs: removed 'sed -u' option Adrian Freihofer (12): oe-selftest: fitimage refactor u-boot-tools-native oe-selftest: fitimage drop test-mkimage-wrapper oe-selftest: fitimage cleanup asserts oe-selftest: fitimage fix test_initramfs_bundle kernel-fitimage: fix handling of empty default dtb pybootchartgui.py: python 3.12+ regexes kernel-fitimage: fix intentation kernel-fitimage: fix external dtb check uboot-config: fix devtool modify with kernel-fitimage devtool: modify kernel adds append twice devtool: remove obsolete SRCTREECOVEREDTASKS handling cml1: add do_savedefconfig Alban Bedel (2): bind: Fix build with the `httpstats` package config enabled util-linux: Add `findmnt` to the bash completion RDEPENDS Alejandro Hernandez Samaniego (1): tclibc-picolibc: Adds a new TCLIBC variant to build with picolibc as C library Aleksandar Nikolic (2): cve-check: Introduce CVE_CHECK_MANIFEST_JSON_SUFFIX scripts/install-buildtools: Update to 5.1 Alessandro Pecugi (1): runqemu: add sd card device Alexander Kanavin (100): perf: drop newt from tui build requirements libnewt: move to meta-oe python3: submit deterministic_imports.patch upstream as a ticket glib-networking: submit eagain.patch upstream psmisc: merge .inc into .bb psmisc: drop duplicate entries psmisc: remove 0001-Use-UINTPTR_MAX-instead-of-__WORDSIZE.patch openssh: drop add-test-support-for-busybox.patch libfm-extra: drop unneeded 0001-nls.m4-Take-it-from-gettext-0.15.patch glslang: mark 0001-generate-glslang-pkg-config.patch as Inappropriate tcp-wrappers: mark all patches as inactive-upstream automake: mark new_rt_path_for_test-driver.patch as Inappropriate settings-daemon: submit addsoundkeys.patch upstream and update to a revision that has it dpkg: mark patches adding custom non-debian architectures as inappropriate for upstream libacpi: mark patches as inactive-upstream python3: drop deterministic_imports.patch lib/oe/recipeutils: return a dict in 
get_recipe_upgrade_status() instead of a tuple lib/recipeutils: add a function to determine recipes with shared include files recipeutils/get_recipe_upgrade_status: group recipes when they need to be upgraded together devtool/upgrade: use PN instead of BPN for naming newly created upgraded recipes devtool/upgrade: rename RECIPE_UPDATE_EXTRA_TASKS -> RECIPE_UPGRADE_EXTRA_TASKS python3-jinja2: fix upstream version check ca-certificates: get sources from debian tarballs pulseaudio, desktop-file-utils: correct freedesktop.org -> www.freedesktop.org SRC_URI xf86-video-intel: correct SRC_URI as freedesktop anongit is down python3-cython: correct upstream version check python3-babel: drop custom PYPI settings python3-cython: fix upstream check again sysvinit: take release tarballs from github bash: upgrade 5.2.21 -> 5.2.32 boost: upgrade 1.85.0 -> 1.86.0 ccache: upgrade 4.10.1 -> 4.10.2 cmake: upgrade 3.30.1 -> 3.30.2 dpkg: upgrade 1.22.10 -> 1.22.11 e2fsprogs: upgrade 1.47.0 -> 1.47.1 epiphany: upgrade 46.0 -> 46.3 gstreamer1.0: upgrade 1.24.5 -> 1.24.6 kmod: upgrade 32 -> 33 kmscube: upgrade to latest revision libadwaita: upgrade 1.5.2 -> 1.5.3 libedit: upgrade 20240517-3.1 -> 20240808-3.1 libnl: upgrade 3.9.0 -> 3.10.0 librepo: upgrade 1.17.0 -> 1.18.1 libva: upgrade 2.20.0 -> 2.22.0 linux-firmware: upgrade 20240513 -> 20240811 lua: upgrade 5.4.6 -> 5.4.7 mpg123: upgrade 1.32.6 -> 1.32.7 mtools: upgrade 4.0.43 -> 4.0.44 nghttp2: upgrade 1.62.0 -> 1.62.1 puzzles: upgrade to latest revision python3-dtschema: upgrade 2024.4 -> 2024.5 python3-uritools: upgrade 4.0.2 -> 4.0.3 python3-webcolors: upgrade 1.13 -> 24.8.0 sqlite3: upgrade 3.45.3 -> 3.46.1 stress-ng: upgrade 0.17.08 -> 0.18.02 webkitgtk: upgrade 2.44.1 -> 2.44.3 weston: upgrade 13.0.1 -> 13.0.3 xkeyboard-config: upgrade 2.41 -> 2.42 xz: upgrade 5.4.6 -> 5.6.2 mesa: set PV from the .inc file and not via filenames meta/lib/oe/sstatesig.py: do not error out if sstate files fail on os.stat() piglit: add a patch to 
address host contamination for wayland-scanner selftest: always tweak ERROR_QA/WARN_QA per package selftest: use INIT_MANAGER to enable systemd instead of custom settings xmlto: check upstream version tags, not new commits glib-2.0: update 2.80.2 -> 2.80.4 lttng-modules: update 2.13.13 -> 2.13.14 automake: update 1.16.5 -> 1.17 fmt: update 10.2.1 -> 11.0.2 git: 2.45.2 -> 2.46.0 perlcross: update 1.5.2 -> 1.6 perl: update 5.38.2 -> 5.40.0 gnu-config: update to latest revision python3-license-expression: update 30.3.0 -> 30.3.1 python3-pip: 24.0 -> 24.2 python3-pyopenssl: update 24.1.0 -> 24.2.1 python3-pyyaml: update 6.0.1 -> 6.0.2 python3-scons: update 4.7.0 -> 4.8.0 cargo-c-native: update 0.9.30 -> 0.10.3 go-helloworld: update to latest revision vulkan-samples: update to latest revision ffmpeg: update 6.1.1 -> 7.0.2 libksba: update 1.6.6 -> 1.6.7 p11-kit: update 0.25.3 -> 0.25.5 iproute2: upgrade 6.9.0 -> 6.10.0 ifupdown: upgrade 0.8.41 -> 0.8.43 libdnf: upgrade 0.73.2 -> 0.73.3 mmc-utils: upgrade to latest revision adwaita-icon-theme: upgrade 46.0 -> 46.2 hicolor-icon-theme: upgrade 0.17 -> 0.18 waffle: upgrade 1.8.0 -> 1.8.1 libtraceevent: upgrade 1.8.2 -> 1.8.3 alsa-utils: upgrade 1.2.11 -> 1.2.12 lz4: upgrade 1.9.4 -> 1.10.0 vte: upgrade 0.74.2 -> 0.76.3 cracklib: update 2.9.11 -> 2.10.2 selftest/sstatetests: run CDN mirror check only once package_rpm: use zstd's default compression level package_rpm: restrict rpm to 4 threads ref-manual: merge two separate descriptions of RECIPE_UPGRADE_EXTRA_TASKS Alexander Sverdlin (1): linux-firmware: Move Silabs wfx firmware to a separate package Alexandre Belloni (1): oeqa/selftest/oescripts: pinentry update to 1.3.1 Alexis Lothoré (4): oeqa/ssh: allow to retrieve raw, unformatted ouput oeqa/utils/postactions: transfer whole archive over ssh instead of doing individual copies oeqa/postactions: fix exception handling oeqa/postactions: do not uncompress retrieved archive on host Andrew Oppelt (1): testexport: support for 
executing tests over serial Andrey Zhizhikin (1): devicetree.bbclass: switch away from S = WORKDIR Antonin Godard (38): ref-manual: add missing CVE_CHECK manifest variables ref-manual: add new vex class ref-manual: add new retain class and variables ref-manual: add missing nospdx class ref-manual: add new RECIPE_UPGRADE_EXTRA_TASKS variable ref-manual: drop siteconfig class ref-manual: add missing TESTIMAGE_FAILED_QA_ARTIFACTS ref-manual: add missing image manifest variables ref-manual: add missing EXTERNAL_KERNEL_DEVICETREE variable ref-manual: drop TCLIBCAPPEND variable ref-manual: add missing OPKGBUILDCMD variable ref-manual: add missing variable PRSERV_UPSTREAM ref-manual: merge patch-status-* to patch-status ref-manual: add mission pep517-backend sanity check release-notes-5.1: update release note for styhead release-notes-5.1: fix spdx bullet point ref-manual: fix ordering of insane checks list release-notes-5.1: add beaglebone-yocto parselogs test oeqa failure ref-manual: structure.rst: document missing tmp/ dirs overview-manual: concepts: add details on package splitting ref-manual: faq: add q&a on class appends ref-manual: release-process: update releases.svg ref-manual: release-process: refresh the current LTS releases ref-manual: release-process: update releases.svg with month after "Current" ref-manual: release-process: add a reference to the doc's release ref-manual: devtool-reference: refresh example outputs ref-manual: devtool-reference: document missing commands conf.py: rename :cve: role to :cve_nist: doc: Makefile: remove inkscape, replace by rsvg-convert doc: Makefile: add support for xelatex doc: add a download page for epub and pdf sphinx-static/switchers.js.in: do not refer to URL_ROOT anymore migration-guides: 5.1: fix titles conf.py: add a bitbake_git extlink dev-manual: document how to provide confs from layer.conf dev-manual: bblock: use warning block instead of attention standards.md: add a section on admonitions ref-manual: classes: fix 
bin_package description Benjamin Szőke (1): mc: fix source URL Bruce Ashfield (40): linux-yocto/6.6: update to v6.6.34 linux-yocto/6.6: update to v6.6.35 linux-yocto/6.6: fix AMD boot trace linux-yocto/6.6: update to v6.6.36 linux-yocto/6.6: update to v6.6.38 linux-yocto/6.6: update to v6.6.40 linux-yocto/6.6: update to v6.6.43 linux-libc-headers: update to v6.10 kernel-devsrc: remove 64 bit vdso cmd files linux-yocto: introduce 6.10 reference kernel linux-yocto/6.10: update to v6.10 linux-yocto/6.10: update to v6.10.2 linux-yocto/6.10: update to v6.10.3 oeqa/runtime/parselogs: update pci BAR ignore for kernel 6.10 oeqa/runtime/parselogs: mips: skip sysctl warning yocto-bsp: set temporary preferred version for genericarm64 lttng-modules: backport patches for kernel v6.11 linux-yocto-dev: bump to v6.11 linux-yocto-rt/6.10: update to -rt14 linux-yocto/6.10: cfg: disable nfsd legacy client tracking linux-yocto/6.6: update to v6.6.44 poky/poky-tiny: bump preferred version to 6.10 linux-yocto/6.6: update to v6.6.45 linux-yocto/6.6: fix genericarm64 config warning linux-yocto/6.6: update to v6.6.47 linux-yocto/6.10: fix CONFIG_PWM_SYSFS config warning linux-yocto/6.10: update to v6.10.7 linux-yocto/6.10: update to v6.10.8 linux-yocto/6.6: update to v6.6.49 linux-yocto/6.6: update to v6.6.50 linux-yocto/6.10: cfg: arm64 configuration updates linux-yocto/6.6: update to v6.6.52 linux-yocto/6.6: update to v6.6.54 linux-yocto/6.10: update to v6.10.11 linux-yocto/6.10: update to v6.10.12 linux-yocto/6.10: update to v6.10.13 linux-yocto/6.10: update to v6.10.14 linux-yocto/6.10: genericarm64.cfg: enable CONFIG_DMA_CMA linux-yocto/6.10: cfg: gpio: allow to re-enable the deprecated GPIO sysfs interface linux-yocto/6.10: bsp/genericarm64: disable ARM64_SME Carlos Alberto Lopez Perez (1): icu: Backport patch to fix build issues with long paths (>512 chars) Changhyeok Bae (1): ethtool: upgrade 6.7 -> 6.9 Changqing Li (11): pixman: fix do_compile error vulkan-samples: fix do_compile 
error when -Og enabled multilib.conf: remove appending to PKG_CONFIG_PATH pixman: update patch for fixing inline failure with -Og rt-tests: rt_bmark.py: fix TypeError libcap-ng: update SRC_URI apt-native: don't let dpkg overwrite files by default webkitgtk: fix do_configure error on beaglebone-yocto bitbake.conf: drop VOLATILE_LOG_DIR, use FILESYSTEM_PERMS_TABLES instead bitbake.conf: drop VOLATILE_TMP_DIR, use FILESYSTEM_PERMS_TABLES instead rxvt-unicode.inc: disable the terminfo installation by setting TIC to : Chen Qi (13): pciutils: remove textrel INSANE_SKIP systemd: upgrade from 255.6 to 256 systemd-boot: upgrade from 255.6 to 256 util-linux/util-linux-libuuid: upgrade from 2.39.3 to 2.40.1 libssh2: remove util-linux-col from ptest dependencies kexec-tools: avoid kernel warning json-c: use upstream texts for SUMMARY and DESCRIPTION util-linux/util-linux-libuuid: upgrade from 2.40.1 to 2.40.2 shadow: upgrade from 4.15.1 to 4.16.0 json-c: avoid ptest failure caused by valgrind toolchain-shar-extract.sh: exit when post-relocate-setup.sh fails libgfortran: fix buildpath QA issue shadow: use update-alternatives to handle groups.1 Chris Laplante (4): bitbake: ui/knotty: print log paths for failed tasks in summary bitbake: ui/knotty: respect NO_COLOR & check for tty; rename print_hyperlink => format_hyperlink bitbake: persist_data: close connection in SQLTable __exit__ bitbake: fetch2: use persist_data context managers Chris Spencer (1): cargo_common.bbclass: Support git repos with submodules Christian Lindeberg (3): bitbake: fetch2: Add gomod fetcher bitbake: fetch2: Add gomodgit fetcher bitbake: tests/fetch: Update GoModTest and GoModGitTest Christian Taedcke (1): iptables: fix memory corruption when parsing nft rules Clara Kowalsky (1): resulttool: Add support to create test report in JUnit XML format Claus Stovgaard (1): lib/oe/package-manager: skip processing installed-pkgs with empty globs Clayton Casciato (1): uboot-sign: fix concat_dtb arguments Clément 
Péron (1): openssl: Remove patch already upstreamed Colin McAllister (2): udev-extraconf: Add collect flag to mount busybox: Fix cut with "-s" flag Corentin Lévy (1): python3-libarchive-c: add ptest Dan McGregor (1): bitbake: prserv: increment 9 to 10 correctly Daniel McGregor (1): libpam: use libdir in conditional Daniel Semkowicz (1): os-release: Fix VERSION_CODENAME in case it is empty Daniil Batalov (1): spdx30_tasks.py: fix typo in call of is_file method Deepesh Varatharajan (1): rust: Rust Oe-Selftest Reduce the testcases in exclude list Deepthi Hemraj (5): llvm: Fix CVE-2024-0151 glibc: stable 2.39 branch updates. binutils: stable 2.42 branch updates glibc: stable 2.40 branch updates glibc: stable 2.40 branch updates. Denys Dmytriyenko (3): llvm: extend llvm-config reproducibility fix to nativesdk class nativesdk-libtool: sanitize the script, remove buildpaths gcc: unify cleanup of include-fixed, apply to cross-canadian Divya Chellam (1): python3: Upgrade 3.12.5 -> 3.12.6 Dmitry Baryshkov (12): mesa: fix QA warnings caused by freedreno tools xserver-xorg: fix CVE-2023-5574 status lib/spdx30_tasks: improve error message linux-firmware: make qcom-sc8280xp-lenovo-x13s-audio install Linaro licence linux-firmware: add packages with SM8550 and SM8650 audio topology files linux-firmware: move -qcom-qcm2290-wifi before -ath10k linux-firmware: use wildcards to grab all qcom-qcm2290/qrb4210 wifi files linux-firmware: package qcom-vpu firmware linux-firmware: restore qcom/vpu-1.0/venus.mdt compatibility symlink piglit: add missing dependency on wayland linux-firmware: add packages for Qualcomm XElite GPU firmware linux-firmware: split ath10k package Enguerrand de Ribaucourt (6): bitbake: fetch2/npmsw: fix fetching git revisions not on master bitbake: fetch2/npmsw: allow packages not declaring a registry version npm: accept unspecified versions in package.json recipetool: create_npm: resolve licenses defined in package.json recipetool: create: split guess_license 
function recipetool: create_npm: reuse license utils Enrico Jörns (2): bitbake: bitbake-diffsigs: fix handling when finding only a single sigfile archiver.bbclass: fix BB_GENERATE_MIRROR_TARBALLS checking Esben Haabendal (1): mesa: Fix build with etnaviv gallium driver Etienne Cordonnier (3): oeqa/runtime: fix race-condition in minidebuginfo test bitbake: gcp.py: remove slow calls to gsutil stat systemd: make home directory readable by systemd-coredump Fabio Estevam (1): u-boot: upgrade 2024.04 -> 2024.07 Florian Amstutz (1): u-boot: Fix potential index error issues in do_deploy with multiple u-boot configurations Gassner, Tobias.ext (1): rootfs: Ensure run-postinsts is not uninstalled for read-only-rootfs-delayed-postinsts Gauthier HADERER (1): populate_sdk_ext.bclass: make sure OECORE_NATIVE_SYSROOT is exported. Guðni Már Gilbert (7): python3-setuptools: drop python3-2to3 from RDEPENDS bluez5: drop modifications to Python shebangs bluez5: cleanup redundant backslashes python3-attrs: drop python3-ctypes from RDEPENDS gobject-introspection: split tools and giscanner into a separate package bluez5: upgrade 5.77 -> 5.78 bluez5: remove redundant patch for MAX_INPUT Harish Sadineni (4): gcc-runtime: enabling "network" task specific flag oeqa/selftest/gcc: Fix host key verfication failure oeqa/selftest/gcc: Fix kex exchange identification error binutils: Add missing perl modules to RDEPENDS for nativsdk variant Het Patel (1): zlib: Add CVE_PRODUCT to exclude false positives Hiago De Franco (1): weston: backport patch to allow neatvnc < v0.9.0 Hongxu Jia (1): gcc-source: Fix racing on building gcc-source-14.2.0 and lib32-gcc-source-14.2.0 Intaek Hwang (6): alsa-plugins: set CVE_PRODUCT mpfr: set CVE_PRODUCT libatomic-ops: set CVE_PRODUCT gstreamer1.0-plugins-bad: set CVE_PRODUCT python3-lxml: set CVE_PRODUCT python3-psutil: set CVE_PRODUCT Jaeyoon Jung (2): makedevs: Fix issue when rootdir of / is given makedevs: Fix matching uid/gid Jagadeesh Krishnanjanappa (1): 
tune-cortexa32: set tune feature as armv8a Jan Vermaete (2): python3-websockets: added python3-zipp as RDEPENDS ref-manual: added wic.zst to the IMAGE_TYPES Jinfeng Wang (2): glib-2.0: fix glib-2.0 ptest failure when upgrading tzdata2024b tzdata/tzcode-native: upgrade 2024a -> 2024b Johannes Schneider (3): systemd: add PACKAGECONFIG for bpf-framework systemd: bpf-framework: 'propagate' the '--sysroot=' for crosscompilation systemd: bpf-framework: pass 'recipe-sysroot' to BPF compiler John Ripple (1): packagegroup-core-tools-profile.bb: Enable aarch64 valgrind Jon Mason (6): oeqa/runtime/ssh: add retry logic and sleeps to allow for slower systems oeqa/runtime/ssh: check for all errors at the end docs: modify reference from python2.py to python.py kernel.bbclass: remove unused CMDLINE_CONSOLE oeqa/runtime/ssh: increase the number of attempts wpa-supplicant: add patch to check for kernel header version when compiling macsec Jonas Gorski (1): rootfs-postcommands.bbclass: make opkg status reproducible Jonas Munsin (1): bzip2: set CVE_PRODUCT Jonathan GUILLOT (1): cronie: add inotify PACKAGECONFIG option Jose Quaresma (14): go: upgrade 1.22.3 -> 1.22.4 go: drop the old 1.4 bootstrap C version openssh: fix CVE-2024-6387 go: upgrade 1.22.4 -> 1.22.5 openssh: drop rejected patch fixed in 8.6p1 release openssh: systemd sd-notify patch was rejected upstream oeqa/runtime/scp: requires openssh-sftp-server libssh2: fix ptest regression with openssh 9.8p1 openssh: systemd notification was implemented upstream openssh: upgrade 9.7p1 -> 9.8p1 libssh2: disable-DSA-by-default go: upgrade 1.22.5 -> 1.22.6 bitbake: bitbake: doc/user-manual: Update the BB_HASHSERVE_UPSTREAM oeqa/selftest: Update the BB_HASHSERVE_UPSTREAM Joshua Watt (22): binutils-cross-testsuite: Rename to binutils-testsuite classes/spdx-common: Move SPDX_SUPPLIER scripts/pull-spdx-licenses.py: Add script licenses: Update to SPDX license version 3.24.0 classes/create-spdx-2.2: Handle SemVer License List Versions 
classes-recipe/image: Add image file manifest classes-global/staging: Exclude do_create_spdx from automatic sysroot extension classes-recipe/image_types: Add SPDX_IMAGE_PURPOSE to images classes-recipe: nospdx: Add class classes-recipe/baremetal-image: Add image file manifest selftest: sstatetests: Exclude all SPDX tasks classes/create-spdx-2.2: Handle empty packages classes/create-spdx-3.0: Add classes selftest: spdx: Add SPDX 3.0 test cases classes/spdx-common: Move to library classes/create-spdx-3.0: Move tasks to library Switch default spdx version to 3.0 classes-recipe/multilib_script: Expand before splitting classes/create-spdx-image-3.0: Fix SSTATE_SKIP_CREATION lib/spdx30_tasks: Report all missing providers lib/oe/sbom30.py: Fix build parameters bitbake: Remove custom exception backtrace formatting Julien Stephan (5): README: add instruction to run Vale on a subset documentation: Makefile: add SPHINXLINTDOCS to specify subset to sphinx-lint styles: vocabularies: Yocto: add sstate ref-manual: variables: add SIGGEN_LOCKEDSIGS* variables dev-manual: add bblock documentation Jörg Sommer (7): classes/kernel: No symlink in postinst without KERNEL_IMAGETYPE_SYMLINK ref-manual: add DEFAULT_TIMEZONE variable ptest-runner: Update 2.4.4 -> 2.4.5 runqemu: Fix detection of -serial parameter buildcfg.py: add dirty status to get_metadata_git_describe doc/features: remove duplicate word in distribution feature ext2 doc/features: describe distribution feature pni-name Kai Kang (3): glibc: fix fortran header file conflict for arm systemd: fix VERSION_TAG related build error kexec-tools: update COMPATIBLE_HOST because of makedumpfile Katawann (1): cve-check: add field "modified" to JSON report Khem Raj (38): llvm: Update to 18.1.8 utils.bbclass: Use objdump instead of readelf to compute SONAME mesa: Including missing LLVM header mesa: Add packageconfig knob to control tegra gallium driver gdb: Upgrade to 15.1 release busybox: Fix tc applet build when using kernel 6.8+ 
busybox: CVE-2023-42364 and CVE-2023-42365 fixes busybox: Add fix for CVE-2023-42366 gcc-14: Mark CVE-2023-4039 as fixed in GCC14+ systemd: Replace deprecate udevadm command glibc: Upgrade to 2.40 glibc: Remove redundant configure option --disable-werror libyaml: Update status of CVE-2024-35328 libyaml: Change CVE status to wontfix binutils: Upgrade to 2.43 release binutils: Fix comment about major version gcc: Upgrade to GCC 14.2 gnupg: Document CVE-2022-3219 and mark wontfix systemd: Refresh patch to remove patch-fuzz quota: Apply a backport to fix basename API with musl bluez5: Fix build with musl musl: Update to 1.2.5 release musl: Upgrade to latest tip of trunk gdb: Fix build with latest clang fmt: Get rid of std::copy aspell: Backport a fix to build with gcc-15/clang-19 openssh: Mark CVE-2023-51767 as wont-fix python: Backport fixes for CVE-2024-7592 ffmpeg: Fix build on musl linux systems kea: Replace Name::NameString with vector of uint8_t webkitgtk: Fix build issues with clang-19 glibc: Fix the arm/arm64 worsize.h uniificationb patch gcc: Fix spurious '/' in GLIBC_DYNAMIC_LINKER on microblaze libpcre2: Update base uri PhilipHazel -> PCRE2Project linux-yocto: Enable l2tp drivers when ptest featuee is on bluez: Fix mesh builds on musl qemu: Fix build on musl/riscv64 ffmpeg: Disable asm optimizations on x86 Konrad Weihmann (6): testimage: fallback for empty IMAGE_LINK_NAME python3-docutils: fix interpreter lines testexport: fallback for empty IMAGE_LINK_NAME python_flit_core: remove python3 dependency runqemu: keep generating tap devices runqemu: remove unused uid variable Lee Chee Yang (10): migration-guides: add release notes for 4.0.19 migration-guides: add release notes for 5.0.2 migration-guide: add release notes for 4.0.20 migration-guides: add release notes for 5.0.3 migration-guide: add release notes for 4.0.21 release-notes-5.1: update for several section migration-guide: add release notes for 4.0.22 migration-guides: add release notes for 5.0.4 
migration-guides: add release notes for 5.0.5 migration-guides: add release notes for 4.0.23 Leon Anavi (1): u-boot.inc: WORKDIR -> UNPACKDIR transition Leonard Göhrs (1): bitbake: fetch2/npm: allow the '@' character in package names Louis Rannou (1): image_qa: fix error handling Marc Ferland (2): appstream: refresh patch appstream: add qt6 PACKAGECONFIG option Marcus Folkesson (1): bootimg-partition: break out code to a common library. Mark Hatle (7): create-sdpx-2.2.bbclass: Switch from exists to isfile checking debugsrc package.py: Fix static debuginfo split package.py: Fix static library processing selftest-hardlink: Add additional test cases spdx30_tasks.py: switch from exists to isfile checking debugsrc create-spdx-*: Support multilibs via SPDX_MULTILIB_SSTATE_ARCHS oeqa sdk cases: Skip SDK test cases when TCLIBC is newlib Markus Volk (4): libinput: update 1.25.0 -> 1.26.1 systemd: dont set polkit permissions manually gtk4: update 4.14.4 -> 4.14.5 gcc: add a backport patch to fix an issue with tzdata 2024b Marta Rybczynska (9): classes/kernel.bbclass: update CVE_PRODUCT cve-check: encode affected product/vendor in CVE_STATUS cve-extra-inclusions: encode CPEs of affected packages cve-check: annotate CVEs during analysis vex.bbclass: add a new class cve-check-map: add new statuses selftest: add test_product_match cve-json-to-text: add script cve-check: remove the TEXT format support Martin Hundebøll (1): ofono: upgrade 2.7 -> 2.8 Martin Jansa (10): libgfortran.inc: fix nativesdk-libgfortran dependencies hdparm: drop NO_GENERIC_LICENSE[hdparm] gstreamer1.0-plugins-bad: add PACKAGECONFIG for gtk3 kernel.bbclass: add original package name to RPROVIDES for -image and -base meta-world-pkgdata: Inherit nopackages populate_sdk_base: inherit nopackages mc: set ac_cv_path_ZIP to avoid buildpaths QA issues bitbake.conf: DEBUG_PREFIX_MAP: add -fmacro-prefix-map for STAGING_DIR_NATIVE bitbake: Revert "fetch2/gitsm: use configparser to parse .gitmodules" ffmpeg: fix
packaging examples Mathieu Dubois-Briand (1): oeqa/postactions: Fix archive retrieval from target Matthew Bullock (1): openssh: allow configuration of hostkey type Matthias Pritschet (1): ref-manual: fix typo and move SYSROOT_DIRS example Michael Halstead (1): yocto-uninative: Update to 4.6 for glibc 2.40 Michael Opdenacker (1): doc: Makefile: publish pdf and epub versions too Michal Sieron (1): insane: remove obsolete QA errors Mikko Rapeli (2): systemd: update from 256 to 256.4 ovmf-native: remove .pyc files from install Mingli Yu (1): llvm: Enable libllvm for native build Niko Mauno (17): dnf/mesa: Fix missing leading whitespace with ':append' systemd: Mitigate /var/log type mismatch issue systemd: Mitigate /var/tmp type mismatch issue libyaml: Amend CVE status as 'upstream-wontfix' image_types.bbclass: Use --force also with lz4,lzop util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error iw: Fix LICENSE dejagnu: Fix LICENSE unzip: Fix LICENSE zip: Fix LICENSE tiff: Fix LICENSE gcr: Fix LICENSE python3-maturin: Fix cross compilation issue for armv7l, mips64, ppc bitbake.conf: Mark VOLATILE_LOG_DIR as obsolete bitbake.conf: Mark VOLATILE_TMP_DIR as obsolete docs: Replace VOLATILE_LOG_DIR with FILESYSTEM_PERMS_TABLES docs: Replace VOLATILE_TMP_DIR with FILESYSTEM_PERMS_TABLES Ola x Nilsson (4): scons.bbclass: Add scons class prefix to do_configure insane: Remove redundant returns ffmpeg: Package example files in ffmpeg-examples glibc: Fix missing randomness in __gen_tempname Oleksandr Hnatiuk (2): icu: remove host references in nativesdk to fix reproducibility gcc: remove paths to sysroot from configargs.h and checksum-options for gcc-cross-canadian Otavio Salvador (1): u-boot: Ensure we use BFD as linker even if using GCC for it Patrick Wicki (1): gpgme: move gpgme-tool to own sub-package Paul Barker (1): meta-ide-support: Mark recipe as MACHINE-specific Paul Eggleton (1): classes: add new retain class for retaining build results Paul Gerber (1): 
uboot-sign: fix counters in do_uboot_assemble_fitimage Pavel Zhukov (1): package_rpm: Check if file exists before open() Pedro Ferreira (2): buildhistory: Fix intermittent package file list creation buildhistory: Restoring files from preserve list Peter Kjellerstedt (9): systemd: Correct the indentation in do_install() systemd: Move the MIME file to a separate package license_image.bbclass: Rename license-incompatible to license-exception test-manual: Add a missing dot systemd.bbclass: Clean up empty parent directories oeqa/selftest/bbclasses: Add tests for systemd and update-rc.d interaction systemd: Remove a leftover reference to ${datadir}/mime bitbake: fetch2/gomod: Support URIs with only a hostname image.bbclass: Drop support for ImageQAFailed exceptions in image_qa Peter Marko (17): cargo: remove True option to getVar calls poky-sanity: remove True option to getVar calls flac: fix buildpaths warnings bitbake: fetch/clearcase: remove True option to getVar calls in clearcase module busybox: Patch CVE-2021-42380 busybox: Patch CVE-2023-42363 libstd-rs,rust-cross-canadian: set CVE_PRODUCT to rust glibc: cleanup old cve status libmnl: explicitly disable doxygen libyaml: ignore CVE-2024-35326 libyaml: Ignore CVE-2024-35325 wpa-supplicant: Ignore CVE-2024-5290 cve-check: add support for cvss v4.0 go: upgrade 1.22.6 -> 1.22.7 go: upgrade 1.22.7 -> 1.22.8 cve-check: do not skip cve status description after : cve-check: fix malformed cve status description with : characters Philip Lorenz (1): curl: Reenable auth support for native and nativesdk Primoz Fiser (2): pulseaudio: Add PACKAGECONFIG for optional OSS support pulseaudio: Remove from time64.inc exception list Purushottam Choudhary (2): kmscube: Upgrade to latest revision virglrenderer: Add patch to fix -int-conversion build issue Quentin Schulz (4): bitbake: doc: releases: mark mickledore as outdated bitbake: doc: releases: add nanbield to the outdated manuals bitbake: doc: releases: add scarthgap weston-init: 
fix weston not starting when xwayland is enabled Rasmus Villemoes (3): iptables: remove /etc/ethertypes openssh: factor out sshd hostkey setup to separate function systemd: include sysvinit in default PACKAGECONFIG only if in DISTRO_FEATURES Regis Dargent (1): udev-extraconf: fix network.sh script did not configure hotplugged interfaces Ricardo Simoes (2): volatile-binds: Do not create workdir if OverlayFS is disabled volatile-binds: Remove workdir if OverlayFS fails Richard Purdie (116): maintainers: Drop go-native as recipe removed oeqa/runtime/parselogs: Add some kernel log trigger keywords bitbake: codeparser/data: Ensure module function contents changing is accounted for bitbake: codeparser: Skip non-local functions for module dependencies native/nativesdk: Stop overriding unprefixed *FLAGS variables qemu: Upgrade 9.0.0 -> 9.0.1 oeqa/runtime/ssh: In case of failure, show exit code and handle -15 (SIGTERM) oeqa/selftest/reproducibile: Explicitly list virtual targets abi_version/package: Bump hashequiv version and package class version testimage/postactions: Allow artifact collection to be skipped python3: Drop generating a static libpython bitbake.conf: Drop obsolete debug compiler options bitbake.conf: Further cleanup compiler optimization flags oeqa/selftest/incompatible_lic: Ensure tests work with ERROR_QA changes oeqa/selftest/locale: Ensure tests work with ERROR_QA changes meson: Fix native meson config busybox: reconfigure wget https support by default for security poky-tiny: Update FULL_OPTIMIZATION to match core changes icu/perf: Drop SPDX_S variable insane: Promote long standing warnings to errors selftest/fortran-helloworld: Fix buildpaths error build-appliance-image: Update to master head revision distro/include: Add yocto-space-optimize, disabling debugging for large components testimage: Fix TESTIMAGE_FAILED_QA_ARTIFACTS setting oeqa/postactions: Separate artefact collection from test result collection qemu: Drop mips workaround poky: Enable 
yocto-space-optimize.inc time64.inc: Add warnings exclusion for known toolchain problems for now pseudo: Fix to work with glibc 2.40 pseudo: Update to include open symlink handling bugfix create-spdx-3.0/populate_sdk_base: Add SDK_CLASSES inherit mechanism to fix tarball SPDX manifests libtool: Upgrade 2.5.0 -> 2.5.1 qemu: Upgrade 9.0.1 -> 9.0.2 populate_sdk_base: Ensure nativesdk targets have do_package_qa run cve_check: Use a local copy of the database during builds pixman: Backport fix for recent binutils musl: Show error when used with multilibs sdpx: Avoid loading of SPDX_LICENSE_DATA into global config perf: Drop perl buildpaths skip m4: Drop ptest INSANE_SKIPs gettext: Drop ptest INSANE_SKIPs glibc-y2038-tests: Fix debug split and drop INSANE_SKIPs glibc-y2038-tests: Don't force distro policy glib-initial: Inherit nopackages vim: Drop vim-tools INSANE_SKIP as not needed coreutils: Fix intermittent ptest issue coreutils: Update merged patch to backport status bitbake.conf: Add truncate to HOSTTOOLS bitbake.conf: Include cve-check-map earlier, before distro bitbake: BBHandler: Handle comments in addtask/deltask bitbake: cache: Drop unused function bitbake: cookerdata: Separate out data_hash and hook to tinfoil bitbake: BBHandler/ast: Improve addtask handling bitbake: build: Ensure addtask before/after tasknames have prefix applied bitbake: codeparser: Allow code visitor expressions to be declared in metadata lib/oe: Use new visitorcode functionality for qa.handle_error() insane: Optimise ERROR_QA/WARN_QA references in do_populate_sysroot insane: Drop oe.qa.add_message usage insane: Add missing vardepsexclude insane: Further simplify code insane: Allow ERROR_QA to use 'contains' hash optimisations for do_package_qa selftest/sstatetests: Extend to cover ERROR_QA/WARN_QA common issues lz4: Fix static library reproducibility issue lz4: Disable static libraries again abi-version/ssate: Bump to avoid systemd hash corruption issue buildhistory: Simplify intercept 
call sites and drop SSTATEPOSTINSTFUNC usage sstate: Drop SSTATEPOSTINSTFUNC support lttng-tools: 2.13.13 -> 2.13.14 libtool: 2.5.1 -> 2.5.2 gettext: Drop obsolete ptest conditional in do_install elfutils: Drop obsolete ptest conditional in do_install expat: 2.6.2 -> 2.6.3 license: Fix directory layout issues sstate: Make do_recipe_qa and do_populate_lic non-arch specific bitbake: siggen: Fix rare file-checksum hash issue insane: Remove dependency on TCLIBC from QA test conf/defaultsetup.conf: Drop TCLIBCAPPEND poky.conf: Drop TCLIBCAPPEND layer.conf: Drop scarthgap namespace from LAYERSERIES layer.conf: Update to styhead Revert "python3-setuptools: upgrade 72.1.0 -> 72.2.0" ruby: Make docs generation deterministic libedit: Make docs generation deterministic poky-tiny: Drop TCLIBCAPPEND libsdl2: Fix non-deterministic configure option for libsamplerate bitbake: toaster: Update fixtures for styhead scripts/install-buildtools: Update to 5.0.3 build-appliance-image: Update to master head revision poky.conf: Bump version for 5.1 styhead release build-appliance-image: Update to master head revision bitbake: fetch2/git: Use quote from shlex, not pipes efi-bootdisk.wks: Increase overhead-factor to avoid test failures binutils: Fix binutils mingw packaging bitbake: tests/fetch: Use our own mirror of sysprof to decouple from gnome gitlab bitbake: tests/fetch: Use our own mirror of mobile-broadband-provider to decouple from gnome gitlab pseudo: Fix envp bug and add posix_spawn wrapper oeqa/runtime/ssh: Rework ssh timeout oeqa/runtime/ssh: Fix incorrect timeout fix qemurunner: Clean up serial_lock handling bitbake: fetch/wget: Increase timeout to 100s from 30s openssl: Fix SDK environment script to avoid unbound variable bitbake: runqueue: Fix performance of multiconfigs with large overlap bitbake: runqueue: Optimise setscene loop processing bitbake: runqueue: Fix scenetask processing performance issue do_package/sstate/sstatesig: Change timestamp clamping to hash output only 
selftest/reproducible: Drop rawlogs selftest/reproducible: Clean up pathnames resulttool: Allow store to filter to specific revisions resulttool: Use single space indentation in json output oeqa/utils/gitarchive: Return tag name and improve exclude handling resulttool: Fix passthrough of --all files in store mode resulttool: Add --logfile-archive option to store mode resulttool: Handle ltp rawlogs as well as ptest resulttool: Clean up repoducible build logs resulttool: Trim the precision of duration information resulttool: Improve repo layout for oeselftest results Robert Joslyn (1): curl: Update to 8.9.1 Robert Yang (8): bitbake: cache: Remove invalid symlink for bb_cache.dat bitbake: fetch2/git: Use git shallow fetch to implement clone_shallow_local() bitbake: bitbake: tests/fetch: Update GitShallowTest for clone_shallow_local() bitbake: data_smart: Improve performance for VariableHistory release-notes-5.0.rst: NO_OUTPUT -> NO_COLOR bitbake: gitsm: Add call_process_submodules() to remove duplicated code bitbake: gitsm: Remove downloads/tmpdir when failed cml1.bbclass: do_diffconfig: Don't override .config with .config.orig Rohini Sangam (1): vim: Upgrade 9.1.0698 -> 9.1.0764 Ross Burton (92): expect: fix configure with GCC 14 expect: update code for Tcl channel implementation libxcrypt: correct the check for a working libucontext.h bash: fix configure checks that fail with GCC 14.1 gstreamer1.0: disable flaky baseparser tests librsvg: don't try to run target code at build time librsvg: upgrade to 2.57.3 linux-libc-headers: remove redundant install_headers patch glibc: add task to list exported symbols oeqa/sdk: add out-of-tree kernel module building test openssl: disable tests unless ptest is enabled openssl: strip the test suite openssl: rewrite ptest installation ell: upgrade 0.66 -> 0.67 ofono: upgrade 2.8 -> 2.9 ruby: upgrade 3.3.0 -> 3.3.4 gtk+3: upgrade 3.24.42 -> 3.24.43 pango: upgrade 1.52.2 -> 1.54.0 Revert "python3: drop deterministic_imports.patch" 
python3: add dependency on -compression to -core python3-jsonschema: rename nongpl PACKAGECONFIG python3-setuptools: RDEPEND on python3-unixadmin python3-poetry-core: remove python3-pathlib2 dependency pytest-runner: remove python3-py dependency python3-chardet: remove pytest-runner DEPENDS python3-websockets: remove unused imports python3-beartype: add missing RDEPENDS python3-jsonschema: remove obsolete RDEPENDS python3-pluggy: clean up RDEPENDS python3-scons: remove obsolete RDEPENDS gi-docgen: remove obsolete python3-toml dependency python3-jinja2: remove obsolete python3-toml dependency python3-setuptools-rust: remove obsolete python3-toml dependency python3-setuptools-scm: remove obsolete python3-tomli dependency python3-zipp: remove obsolete dependencies python3-importlib-metadata: remove obsolete dependencies python3-pathspec: use python_flit_core python3-pyasn1: merge bb/inc python3-pyasn1: use python_setuptools_build_meta build class python3-beartype: use python_setuptools_build_meta build class python3-cffi: use python_setuptools_build_meta build class python3-psutil: use python_setuptools_build_meta build class python3-pycryptodome(x): use python_setuptools_build_meta build class python3-pyelftools: use python_setuptools_build_meta build class python3-ruemel-yaml: use python_setuptools_build_meta build class python3-scons: use python_setuptools_build_meta build class python3-websockets: use python_setuptools_build_meta build class python3-setuptools-scm: remove python3-tomli dependency python3-spdx-tools: use python_setuptools_build_meta build class python3-subunit: use python_setuptools_build_meta build class python3-uritools: use python_setuptools_build_meta build class python3-yamllint: use python_setuptools_build_meta build class python3-mako: add dependency on python3-misc for timeit python3-uritools: enable ptest gi-docgen: upgrade to 2024.1 python3-pytest: clean up RDEPENDS libcap-ng: clean up recipe glib-networking: upgrade 2.78.1 -> 2.80.0 
python3-unittest-automake-output: add dependency on unittest python3-idna: generalise RDEPENDS python3-jsonpointer: upgrade 2.4 -> 3.0.0 ptest-packagelists: sort entries python3-cffi: generalise RDEPENDS python3-cffi: enable ptest python3-packaging: enable ptest python3-idna: enable ptest setuptools3: check for a PEP517 build system selection insane: add pep517-backend to WARN_QA python3-numpy: ignore pep517-backend warnings bmaptool: temporarily silence the pep517-backend warning meson: upgrade 1.4.0 -> 1.5.1 python3-pathlib2: remove recipe (moved to meta-python) python3-rfc3986-validator: remove recipe (moved to meta-python) python3-py: remove recipe (moved to meta-python) pytest-runner: remove recipe (moved to meta-python) python3-importlib-metadata: remove recipe (moved to meta-python) python3-toml: remove recipe (moved to meta-python) python3-tomli: remove recipe (moved to meta-python) bblayers/machines: add bitbake-layers command to list machines ffmpeg: fix build with binutils 2.43 on arm with commerical codecs vulkan-samples: limit to aarch64/x86-64 bitbake: fetch2/gitsm: use configparser to parse .gitmodules systemd: add missing dependency on libkmod to udev sanity: check for working user namespaces bitbake.conf: mark TCLIBCAPPEND as deprecated bitbake: fetch2: don't try to preserve all attributes when unpacking files icu: update patch Upstream-Status ffmpeg: nasm is x86 only, so only DEPEND if x86 ffmpeg: no need for textrel INSANE_SKIP strace: download release tarballs from GitHub tcl: skip io-13.6 test case groff: fix rare build race in hdtbl Ryan Eatmon (3): u-boot.inc: Refactor do_* steps into functions that can be overridden oe-setup-build: Fix typo oe-setup-build: Change how we get the SHELL value Sabeeh Khan (1): linux-firmware: add new package for cc33xx firmware Sakib Sajal (1): blktrace: ask for python3 specifically Samantha Jalabert (1): cve_check: Update selftest with new status detail Sergei Zhmylev (1): lsb-release: fix Distro Codename shell 
escaping Shunsuke Tokumoto (1): python3-setuptools: Add "python:setuptools" to CVE_PRODUCT Siddharth Doshi (5): libxml2: Upgrade 2.12.7 -> 2.12.8 Tiff: Security fix for CVE-2024-7006 vim: Upgrade 9.1.0114 -> 9.1.0682 wpa-supplicant: Upgrade 2.10 -> 2.11 vim: Upgrade 9.1.0682 -> 9.1.0698 Simone Weiß (2): gnutls: upgrade 3.8.5 -> 3.8.6 curl: Ignore CVE-2024-32928 Sreejith Ravi (1): package.py: Add Requires.private field in process_pkgconfig Stefan Mueller-Klieser (1): icu: fix make-icudata package config Steve Sakoman (3): release-notes-4.0: update BB_HASHSERVE_UPSTREAM for new infrastructure poky.conf: bump version for 5.1.1 build-appliance-image: Update to styhead head revision Sundeep KOKKONDA (3): binutils: stable 2.42 branch updates oeqa/selftest/reproducibile: rename of reproducible directories rust: rustdoc reproducibility issue fix Talel BELHAJSALEM (1): contributor-guide: Remove duplicated words Teresa Remmet (1): recipes-bsp: usbutils: Fix usb-devices command using busybox Theodore A. 
Roth (2): ca-certificates: update 20211016 -> 20240203 ca-certificates: Add comment for provenance of SRCREV Thomas Perrot (2): opensbi: bump to 1.5 opensbi: bump to 1.5.1 Tim Orling (8): python3-rpds-py: upgrade 0.18.1 -> 0.20.0 python3-alabaster: upgrade 0.7.16 -> 1.0.0 python3-cffi: upgrade 1.16.0 -> 1.17.0 python3-more-itertools: upgrade 10.3.0 -> 10.4.0 python3-wheel: upgrade 0.43.0 -> 0.44.0 python3-zipp: upgrade 3.19.2 -> 3.20.0 python3-attrs: upgrade 23.2.0 -> 24.2.0 python3-setuptools-rust: upgrade 1.9.0 -> 1.10.1 Tom Hochstein (2): time64.inc: Simplify GLIBC_64BIT_TIME_FLAGS usage weston: Add missing runtime dependency on freerdp Trevor Gamblin (37): dhcpcd: upgrade 10.0.6 -> 10.0.8 python3-hypothesis: upgrade 6.103.0 -> 6.103.2 python3-psutil: upgrade 5.9.8 -> 6.0.0 python3-testtools: upgrade 2.7.1 -> 2.7.2 python3-urllib3: upgrade 2.2.1 -> 2.2.2 maintainers.inc: add self for unassigned python recipes MAINTAINERS.md: fix patchtest entry python3-pytest-subtests: upgrade 0.12.1 -> 0.13.0 python3-hypothesis: upgrade 6.103.2 -> 6.105.1 python3-setuptools: upgrade 69.5.1 -> 70.3.0 bind: upgrade 9.18.27 -> 9.20.0 cmake: upgrade 3.29.3 -> 3.30.1 dpkg: upgrade 1.22.6 -> 1.22.10 nettle: upgrade 3.9.1 -> 3.10 patchtest/patch.py: remove cruft scripts/patchtest.README: cleanup, add selftest notes kea: upgrade 2.4.1 -> 2.6.1 python3-sphinx: upgrade 7.4.7 -> 8.0.2 python3-hypothesis: upgrade 6.108.4 -> 6.108.10 python3-pytest: upgrade 8.3.1 -> 8.3.2 python3-sphinxcontrib-applehelp: upgrade 1.0.8 -> 2.0.0 python3-sphinxcontrib-devhelp: upgrade 1.0.6 -> 2.0.0 python3-sphinxcontrib-htmlhelp: upgrade 2.0.6 -> 2.1.0 python3-sphinxcontrib-qthelp: upgrade 1.0.8 -> 2.0.0 python3-sphinxcontrib-serializinghtml: upgrade 1.1.10 -> 2.0.0 libassuan: upgrade 2.5.7 -> 3.0.1 python3-setuptools: upgrade 71.1.0 -> 72.1.0 python3-hypothesis: upgrade 6.108.10 -> 6.110.1 python3-cython: upgrade 3.0.10 -> 3.0.11 python3: upgrade 3.12.4 -> 3.12.5 python3: skip readline limited history tests 
piglit: upgrade 22eaf6a91c -> c11c9374c1 python3-hypothesis: upgrade 6.111.1 -> 6.111.2 python3-pyparsing: upgrade 3.1.2 -> 3.1.4 patchtest: test_mbox: remove duplicate regex definition patchtest: test_shortlog_length: omit shortlog prefixes patchtest: test_non_auh_upgrade: improve parse logic Troels Dalsgaard Hoffmeyer (1): bitbake: build/exec_task: Log str() instead of repr() for exceptions in build Tronje Krabbe (1): rust-target-config: Update data layouts for 32-bit arm targets Ulrich Ölmann (2): initramfs-framework: fix typos buildhistory: fix typos Vijay Anusuri (4): wget: Fix for CVE-2024-38428 apr: upgrade 1.7.4 -> 1.7.5 xserver-xorg: upgrade 21.1.13 -> 21.1.14 xwayland: upgrade 24.1.3 -> 24.1.4 Vivek Puar (1): linux-firmware: upgrade 20240811 -> 20240909 Wadim Egorov (1): watchdog: Set watchdog_module in default config Wang Mingyu (125): alsa-lib: upgrade 1.2.11 -> 1.2.12 alsa-plugins: upgrade 1.2.7.1 -> 1.2.12 alsa-ucm-conf: upgrade 1.2.11 -> 1.2.12 git: upgrade 2.45.1 -> 2.45.2 createrepo-c: upgrade 1.1.1 -> 1.1.2 diffoscope: upgrade 267 -> 271 enchant2: upgrade 2.7.3 -> 2.8.1 fribidi: upgrade 1.0.14 -> 1.0.15 gstreamer: upgrade 1.24.3 -> 1.24.4 libevdev: upgrade 1.13.1 -> 1.13.2 libjitterentropy: upgrade 3.4.1 -> 3.5.0 libpcre2: upgrade 10.43 -> 10.44 pciutils: upgrade 3.12.0 -> 3.13.0 rng-tools: upgrade 6.16 -> 6.17 ttyrun: upgrade 2.32.0 -> 2.33.1 btrfs-tools: handle rename of inode_includes() from e2fsprogs 1.47.1 rt-tests: upgrade 2.6 -> 2.7 base-passwd: upgrade 3.6.3 -> 3.6.4 btrfs-tools: upgrade 6.8.1 -> 6.9.2 ccache: upgrade 4.10 -> 4.10.1 createrepo-c: upgrade 1.1.2 -> 1.1.3 cups: upgrade 2.4.9 -> 2.4.10 debianutils: upgrade 5.19 -> 5.20 diffoscope: upgrade 271 -> 272 dnf: upgrade 4.20.0 -> 4.21.0 gdbm: upgrade 1.23 -> 1.24 gstreamer: upgrade 1.24.4 -> 1.24.5 harfbuzz: upgrade 8.5.0 -> 9.0.0 libadwaita: upgrade 1.5.1 -> 1.5.2 libdnf: upgrade 0.73.1 -> 0.73.2 libdrm: upgrade 2.4.120 -> 2.4.122 libproxy: upgrade 0.5.6 -> 0.5.7 librsvg: upgrade 
2.57.3 -> 2.58.1 libsdl2: upgrade 2.30.4 -> 2.30.5 opkg: upgrade 0.6.3 -> 0.7.0 opkg-utils: upgrade 0.6.3 -> 0.7.0 pinentry: upgrade 1.3.0 -> 1.3.1 python3-certifi: upgrade 2024.6.2 -> 2024.7.4 python3-hatchling: upgrade 1.24.2 -> 1.25.0 python3-importlib-metadata: upgrade 7.1.0 -> 8.0.0 python3-maturin: upgrade 1.6.0 -> 1.7.0 python3-pycairo: upgrade 1.26.0 -> 1.26.1 python3-trove-classifiers: upgrade 2024.5.22 -> 2024.7.2 repo: upgrade 2.45 -> 2.46 sysstat: upgrade 12.7.5 -> 12.7.6 wireless-regdb: upgrade 2024.05.08 -> 2024.07.04 cryptodev: upgrade 1.13 -> 1.14 asciidoc: upgrade 10.2.0 -> 10.2.1 glslang: upgrade 1.3.283.0 -> 1.3.290.0 gsettings-desktop-schemas: upgrade 46.0 -> 46.1 kexec-tools: upgrade 2.0.28 -> 2.0.29 libproxy: upgrade 0.5.7 -> 0.5.8 librsvg: upgrade 2.58.1 -> 2.58.2 libsolv: upgrade 0.7.29 -> 0.7.30 libtirpc: upgrade 1.3.4 -> 1.3.5 orc: upgrade 0.4.38 -> 0.4.39 python3-bcrypt: upgrade 4.1.3 -> 4.2.0 python3-dbusmock: upgrade 0.31.1 -> 0.32.1 python3-hypothesis: upgrade 6.105.1 -> 6.108.4 python3-importlib-metadata: upgrade 8.0.0 -> 8.2.0 python3-jsonschema: upgrade 4.22.0 -> 4.23.0 python3-pytest-subtests: upgrade 0.13.0 -> 0.13.1 python3-pytest: upgrade 8.2.2 -> 8.3.1 python3-setuptools: upgrade 70.3.0 -> 71.1.0 python3-sphinx: upgrade 7.3.7 -> 7.4.7 python3-sphinxcontrib-htmlhelp: upgrade 2.0.5 -> 2.0.6 python3-sphinxcontrib-qthelp: upgrade 1.0.7 -> 1.0.8 spirv-headers: upgrade 1.3.283.0 -> 1.3.290.0 spirv-tools: upgrade 1.3.283.0 -> 1.3.290.0 strace: upgrade 6.9 -> 6.10 sysklogd: upgrade 2.5.2 -> 2.6.0 vulkan-headers: upgrade 1.3.283.0 -> 1.3.290.0 vulkan-loader: upgrade 1.3.283.0 -> 1.3.290.0 vulkan-tools: upgrade 1.3.283.0 -> 1.3.290.0 vulkan-utility-libraries: upgrade 1.3.283.0 -> 1.3.290.0 vulkan-validation-layers: upgrade 1.3.283.0 -> 1.3.290.0 vulkan-volk: upgrade 1.3.283.0 -> 1.3.290.0 xwayland: upgrade 24.1.0 -> 24.1.1 binutils: upgrade 2.43 -> 2.43.1 btrfs-tools: upgrade 6.9.2 -> 6.10.1 createrepo-c: upgrade 1.1.3 -> 1.1.4 
diffoscope: upgrade 272 -> 276 dnf: upgrade 4.21.0 -> 4.21.1 enchant2: upgrade 2.8.1 -> 2.8.2 erofs-utils: upgrade 1.7.1 -> 1.8.1 ethtool: upgrade 6.9 -> 6.10 freetype: upgrade 2.13.2 -> 2.13.3 libx11: upgrade 1.8.9 -> 1.8.10 libxfont2: upgrade 2.0.6 -> 2.0.7 libxtst: upgrade 1.2.4 -> 1.2.5 pkgconf: upgrade 2.2.0 -> 2.3.0 python3-babel: upgrade 2.15.0 -> 2.16.0 python3-hypothesis: upgrade 6.110.1 -> 6.111.1 python3-lxml: upgrade 5.2.2 -> 5.3.0 python3-setuptools: upgrade 72.1.0 -> 72.2.0 rpcbind: upgrade 1.2.6 -> 1.2.7 sysklogd: upgrade 2.6.0 -> 2.6.1 ttyrun: upgrade 2.33.1 -> 2.34.0 xwayland: upgrade 24.1.1 -> 24.1.2 systemd: upgrade 256.4 -> 256.5 acpica: upgrade 20240322 -> 20240827 cairo: upgrade 1.18.0 -> 1.18.2 dhcpcd: upgrade 10.0.8 -> 10.0.10 diffoscope: upgrade 276 -> 277 ell: upgrade 0.67 -> 0.68 libdrm: upgrade 2.4.122 -> 2.4.123 libsoup: upgrade 3.4.4 -> 3.6.0 liburcu: upgrade 0.14.0 -> 0.14.1 mc: upgrade 4.8.31 -> 4.8.32 nghttp2: upgrade 1.62.1 -> 1.63.0 ofono: upgrade 2.9 -> 2.10 python3-certifi: upgrade 2024.7.4 -> 2024.8.30 python3-idna: upgrade 3.7 -> 3.8 python3-maturin: upgrade 1.7.0 -> 1.7.1 python3-pbr: upgrade 6.0.0 -> 6.1.0 python3-websockets: upgrade 12.0 -> 13.0.1 python3-zipp: upgrade 3.20.0 -> 3.20.1 taglib: upgrade 2.0.1 -> 2.0.2 wayland-protocols: upgrade 1.36 -> 1.37 wayland: upgrade 1.23.0 -> 1.23.1 git: upgrade 2.46.0 -> 2.46.1 libevdev: upgrade 1.13.2 -> 1.13.3 orc: upgrade 0.4.39 -> 0.4.40 wireless-regdb: upgrade 2024.07.04 -> 2024.10.07 xwayland: upgrade 24.1.2 -> 24.1.3 Weisser, Pascal.ext (1): qemuboot: Trigger write_qemuboot_conf task on changes of kernel image realpath Yash Shinde (12): rust: Oe-selftest fixes for rust v1.76 rust: Upgrade 1.75.0->1.76.0 rust: reproducibility issue fix with v1.76 rust: Oe-selftest changes for rust v1.77 rust: Upgrade 1.76.0->1.77.0 rust: Upgrade 1.77.0->1.77.1 rust: Upgrade 1.77.1->1.77.2 rust: Oe-selftest changes for rust v1.78 rust: Upgrade 1.77.2->1.78.0 zlib: Enable PIE for native builds 
rust: Oe-selftest changes for rust v1.79 rust: Upgrade 1.78.0->1.79.0 Yi Zhao (9): libsdl2: upgrade 2.30.3 -> 2.30.4 less: upgrade 643 -> 661 util-linux: install lastlog2 volatile file rpm: fix expansion of %_libdir in macros libsdl2: upgrade 2.30.5 -> 2.30.6 bind: upgrade 9.20.0 -> 9.20.1 libpcap: upgrade 1.10.4 -> 1.10.5 libsdl2: upgrade 2.30.6 -> 2.30.7 systemd: fix broken links for sysvinit-compatible commands Yoann Congal (10): Revert "insane: skip unimplemented-ptest on S=WORKDIR recipes" insane: skip unimplemented-ptest checks if disabled spirv-tools: Fix git-describe related reproducibility spirv-tools: Update merged patch to backport status oeqa/selftest: Only rewrite envvars paths that absolutely point to builddir migration/release-notes-5.1: document oeqa/selftest envvars change release-notes-5.1: document added python3-libarchive-c ptest release-notes-5.1: document fixed _test_devtool_add_git_url test release-notes-5.1: document spirv-tools reproducibility python3-maturin: sort external libs in wheel files Yuri D'Elia (1): bitbake: fetch2/git: Enforce default remote name to "origin" Zoltan Boszormenyi (1): rpcbind: Fix boot time start failure aszh07 (2): xz: Update LICENSE variable for xz packages ffmpeg: Add "libswresample libavcodec" to CVE_PRODUCT gudnimg (1): bluez5: upgrade 5.72 -> 5.77 hongxu (7): libgpg-error: 1.49 -> 1.50 man-pages: 6.8 -> 6.9.1 libxml2: 2.12.8 -> 2.13.3 readline: 8.2 -> 8.2.13 libxslt: 1.1.39 -> 1.1.42 xmlto: 0.0.28 -> 0.0.29 gnupg: 2.4.5 -> 2.5.0 simit.ghane (2): libgcrypt: Fix building error with '-O2' in sysroot path libgcrypt: upgrade 1.10.3 -> 1.11.0 y75zhang (1): bitbake: fetch/wget: checkstatus: drop shared connecton when catch Timeout error meta-openembedded: 487a2d5695..5d54a52fbe: Adrian Freihofer (1): networkmanager: remove modemmanager rdepends Akash Hadke (1): python3-flatbuffers: provide nativesdk support Alba Herrerías (1): yelp: fix unterminated string Alexander Kanavin (1): libnewt: add from oe-core Alexander 
Stein (1): luajit: Fix host development package Alexandre Truong (99): ace: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status acpitool: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status anthy: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status atop: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status bitwise: Include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status cfengine-masterfiles: Include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status ckermit: Include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status cloc: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status cups-filters: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status cxxtest: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status czmq: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status daemontools: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status doxygen: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status duktape: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status fftw: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status fltk: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status fltk-native: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status fwupd: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status gmime: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status gnome-themes-extra: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status gradm: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status graphviz: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status gtkperf: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status hplip: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status icewm: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status irssi: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status jansson: modify existing UPSTREAM_CHECK_REGEX lcov: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status leptonica: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status libcdio-paranoia: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN 
status libdbus-c++: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libftdi: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status libgnt: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libiodbc: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libjs-jquery: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status liblinebreak: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libmng: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libmtp: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libnice: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libopusenc: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libpaper: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libpcsc-perl: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libsdl-gfx: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status libsigc++-2.0: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libsigc++-3: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libsmi: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libspiro: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libstatgrab: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status libwmf: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status libx86-1: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status libxml++-5.0: include UPSTREAM_CHECK_REGEX to fix UNKNOWN_BROKEN status logwarn: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status lprng: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status mcpp: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status mozjs-115: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status mscgen: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status msgpack-cpp: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status msktutil: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status nmon: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status nss: modify UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status obexftp: include UPSTREAM_CHECK_* to fix 
UNKNOWN_BROKEN status onig: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status openbox: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status openct: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status openobex: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status p7zip: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status pngcheck: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status rsyslog: modify existing UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status sblim-cmpi-devel: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status sblim-sfc-common: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status ttf-ubuntu-font-family: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status ttf-wqy-zenhei: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status uml-utilities: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status xrdp: include UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status xscreensaver: include UPSTREAM_CHECK_URI to fix UNKNOWN_BROKEN status can-isotp: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status con2fbmap: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status cpufrequtils: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status dbus-daemon-proxy: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status devmem2: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status edid-decode: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status fb-test: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status firmwared: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status funyahoo-plusplus: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status hunspell-dictionaries: switch branch from master to main hunspell-dictionaries: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status icyque: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status iksemel: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status kconfig-frontends: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status libbacktrace: include 
UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status libc-bench: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status libubox: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status linux-serial-test: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status musl-rpmatch: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status pam-plugin-ccreds: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status pcimem: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status pim435: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status properties-cpp: include UPSTREAM_CHECK_COMMITS to fix UNKNOWN_BROKEN status pegtl: add ptest support Alexandre Videgrain (1): openbox: fix crash on alt+tab with fullscreen app Anuj Mittal (1): tbb: pass TBB_STRICT=OFF to disable -Werror Archana Polampalli (1): apache2: Upgrade 2.4.60 -> 2.4.61 Armin Kuster (2): meta-openemnedded: Add myself as styhead maintainer audit: fix build when systemd is enabled. BINDU (1): flatbuffers: adapt for cross-compilation environments Barry Grussling (1): postgresql: Break perl RDEPENDS Bartosz Golaszewski (4): python3-gpiod: update to v2.2.0 python3-virtualenv: add missing run-time dependencies libgpiod: update v2.1.2 -> v2.1.3 python3-gpiod: update v2.2.0 -> v2.2.1 Benjamin Szőke (1): tree: fix broken links Carlos Alberto Lopez Perez (1): sysprof: upgrade 3.44.0 -> 3.48.0 Changqing Li (4): python3-h5py: remove unneeded CFLAGS pavucontrol: update SRC_URI libatasmart: Update SRC_URI libdbi-perl: upgrade 1.643 -> 1.644 Chen Qi (2): python3-protobuf: remove useless and problematic .pth file jansson: add JSON_INTEGER_IS_LONG_LONG for cmake Christian Eggers (2): lvgl: fix version in shared library file name lvgl: update upstream-status of all patches Christophe Vu-Brugier (2): nvme-cli: upgrade 2.9.1 -> 2.10.2 exfatprogs: upgrade 1.2.4 -> 1.2.5 Dimitri Bouras (1): python3-geomet: Switch to setuptools_build_meta build backend Dmitry Baryshkov (6): android-tools: make PN-adbd as a systemd 
package deqp-runner: improved version of parallel-deqp-runner packagegroup-meta-oe: include deqp-runner into packagegroup-meta-oe-graphics README.md: discourage use of GitHub pull request system android-tools: create flag flag file for adbd at a proper location gpsd: apply patch to fix gpsd building on Musl Einar Gunnarsson (2): yavta: Update to kernel 6.8 v4l-utils: Install media ctrl pkgconfig files Enrico Jörns (6): libconfuse: move to meta-oe libconfuse: provide native and nativesdk support libconfuse: replace DESCRIPTION by SUMMARY libconfuse: switch to release tar archive libconfuse: add backported patch to fix search path logic genimage: add new recipe Esben Haabendal (1): netplan: add missing runtime dependencies Etienne Cordonnier (3): uutils-coreutils: upgrade 0.0.26 -> 0.0.27 uutils-coreutils: disable buildpaths error perfetto: upgrade 31.0 -> 47.0 Fabio Estevam (1): imx-cst: Add recipe Faiz HAMMOUCHE (6): uim: update UPSTREAM_CHECK_* variables to fix devtool upgrades unixodbc: update UPSTREAM_CHECK_* variables to fix devtool upgrades xdotool: update UPSTREAM_CHECK_* variables to fix devtool upgrades xf86-input-tslib: update UPSTREAM_CHECK_* variables to fix devtool upgrades wvstrams: Unmaintained upstream, add UPSTREAM_VERSION_UNKNOWN wvdial: Unmaintained upstream, add UPSTREAM_VERSION_UNKNOWN Fathi Boudra (2): python3-django: upgrade 4.2.11 -> 4.2.16 python3-django: upgrade 5.0.6 -> 5.0.9 Frank de Brabander (1): python3-pydantic-core: fix incompatible version Fredrik Hugosson (1): lvm2: Remove the lvm2-udevrules package Ghislain Mangé (1): wireshark: fix typo in PACKAGECONFIG[zstd] Gianfranco Costamagna (1): vbxguestdrivers: upgrade 7.0.18 -> 7.0.20 Guocai He (1): mariadb: File conflicts for multilib Guðni Már Gilbert (5): python3-incremental: improve packaging python3-twisted: upgrade 24.3.0 -> 24.7.0 python3-incremental: drop python3-twisted-core from RDEPENDS python3-twisted: add python3-attrs to RDEPENDS python3-automat: upgrade 22.10.0 -> 24.8.1 
Harish Sadineni (1): bpftool: Add support for riscv64 Hauke Lampe (1): postgresql: Use packageconfig flag for readline dependency Hitendra Prajapati (1): tcpdump: fix CVE-2024-2397 Hongxu Jia (1): nodejs: support cross compile without qemu user conditionally Hubert Wiśniewski (1): libcamera: Use multiple of sizeof as malloc size J. S. (8): znc: Fix buildpaths QA errors webmin: upgrade 2.111 -> 2.202 nodejs: upgrade 20.16.0 -> 20.17.0 syslog-ng: upgrade 4.6.0 -> 4.7.0 xfce4-panel: upgrade 4.18.3 -> 4.18.4 nodejs: upgrade 20.17.0 -> 20.18.0 xfce4-panel: upgrade 4.18.4 -> 4.18.5 nodejs: cleanup Jamin Lin (1): drgn: add new recipe Jan Luebbe (2): python3-grpcio-reflection: new recipe python3-grpcio-channelz: new recipe Jan Vermaete (3): python3-protobuf: added python3-ctypes as RDEPENDS protobuf: version bump 4.25.3 -> 4.25.4 netdata: version bump 1.47.0 -> 1.47.1 Jason Schonberg (1): nodejs: upgrade 20.13.0 -> 20.16.0 Jeremy A. Puhlman (1): net-snmp: Set ps flag value since it checks the host Jeroen Knoops (1): nng: Rename default branch of github.com:nanomsg/nng.git Jiaying Song (3): nftables: change ptest output format wireguard-tools: fix do_fetch error vlock: fix do_fetch error Jose Quaresma (6): composefs: the srcrev hash was the release tag ostree: Upgrade 2024.6 -> 2024.7 composefs: upgrade 1.0.4 -> 1.0.5 gpsd: make the meta-python dependency conditionally Revert "gpsd: make the meta-python dependency conditionally" gpsd: condition the runtime dependence of pyserial on the pygps Justin Bronder (1): python3-xmodem: replace hardcoded /usr with ${prefix} Jörg Sommer (5): dnsmasq: Install conf example from upstream instead of our version dnsmasq: set config dhcp6, broken-rtc by FEATURES gpsd: upgrade 3.24 -> 3.25; new gpsd-snmp bluealsa: upgrade 4.0.0+git -> 4.3.0 zsh: update 5.8 -> 5.9 Kai Kang (1): libosinfo: add runtime dependency osinfo-db Katariina Lounento (1): libtar: patch CVEs Keith McRae (1): ntp: Fix status call reporting incorrect value Khem Raj (142): 
python3-tornado: Switch to python_setuptools_build_meta rdma-core: Fix recvfrom override errors with glibc 2.40 and clang tipcutils: Replace WORKDIR with UNPACKDIR rdma-core: Do not use overloadable attribute with musl python3-pint: Upgrade to 24.1 flite: Fix buld with clang fortify enabled distros python3-inflate64: Fix build with clang fortified glibc headers renderdoc: Upgrade to 1.33 renderdoc: Fix build with clang fortify and glibc 2.40 overlayfs-tools: Fix build with musl webmin: Upgrade to 2.111 release opencv: Check GTK3DISTROFEATURES for enabling gtk support opencv: Add missing trailing slash sysprof: Fix build with llvm libunwind log4cpp: Fix buildpaths QA error ldns: Upgrade to 1.8.4 libwmf: Fix buildpaths QA Errors in libwmf-config Revert "libftdi: Fix missing ftdi_eeprom" vsomeip: Fix build with GCC-14 turbostat: Add band-aid to build from 6.10+ kernel python3-daemon: Fix build with PEP-575 build backend zfs: Upgrade to 2.2.5 release e2tools: Fix buildpaths QA warning in config.status in ptest glibmm: Upgrade to 2.66.7 release transmission: Upgrade to 4.0.6 release wolfssl: Add packageconfig for reproducible build lprng: Specify target paths for needed utilities sharutils: Let POSIX_SHELL be overridable from environment freediameter: Fix buildpaths QA error libforms: Remove buildpaths from fd2ps and fdesign scripts blueman: Fix buildpathe issue with cython generated code fvwm: Fix buildpaths QA Errors proftpd: Upgrade to 1.3.8b botan: Make it reproducible ndisc: Remove buildpaths from binaries python3-kivy: Remove buildpaths from comments in generated C sources keepalived: Make build reproducible fwknop: Upgrade to 2.6.11 fwknop: Specify target locations of gpg and wget ippool: Fix buildpaths QA error ot-br-posix: Define config files explicitly libyui: Upgrade to 4.6.2 fluentbit: Make it deprecated python3-pyproj: Fix buildpaths QA Error python3-pyproj: Remove absolute paths from cython generated .c files libyui-ncurses: Fix buildpaths QA Error ftgl: 
Upgrade to 2.4.0 ftgl: Switch to maintained fork frr: Upgrade to 10.1 release python3-pandas: Downgrade version check for numpy to 1.x python3-pycocotools: Use build pep517-backend python3-pycocotools: Downgrade numpy version needed to 1.x python3-pycocotools: Remove absolute paths from comments raptor2: Do not use curl-config to detect curl libgsf: Fix build with libxml2 2.13+ libspatialite: Upgrade to 5.1 libblockdev: Fix build with latest e2fsprogs bluealsa: Fix build on musl bluealsa: Update cython patch to latest upstream patch mariadb: Upgrade to 10.11.9 release gerbera: Upgrade to 2.2.0 e2tools: Fix build with automake 1.17 minidlna: Upgrade to 1.3.3 release vlc: Upgrade to 3.0.21 libplacebo: Add recipe mpv: Upgrade to 0.38.0 release libmpdclient,mpc: Upgrade to 2.22 and 0.35 respectively vlc: Disable recipe mpd: Upgrade to 0.23.15+git xdg-desktop-portal-wlr: Update to latest on master branch ltrace: Switch to gitlab SRC_URI webkitgtk3: Fix build with latest clang python3-grpcio: Upgrade to 1.66.1 release grpc: Upgrade to 1.66.1 release mozjs-115: fix build with clang and libc++ 19 nmap: Upgrade to 7.95 etcd-cpp-apiv3: Fix build with gprc 2.66+ paho-mqtt-cpp: Upgrade to 1.4.1 release poppler: Upgrade to 24.09.0 release nodejs: Fix build with libc++ 19 poco: Drop RISCV patch paho-mqtt-cpp: Move to tip of 1.4.x branch netdata: Upgrade to 1.47.0 freeipmi: Add recipe opentelemetry-cpp: Fix build with clang-19 opengl-es-cts,vulkan-cts: Upgrade recipes to 3.2.11.0 and 1.3.9.2 libcereal: Fix build with clang-19 libjxl: Upgrade to 0.10.3 release python3-serpent: Add missing rdeps for ptests to run python3-parse-type: Add missing rdep on six for ptests paho-mqtt-cpp: Use system paho-mqtt-c python3-serpent: Fix typo attr -> attrs python3-tzdata: Add missing attrs modules rdep for ptests python3-trustme: Add missing ptest rdeps on attrs and six modules python3-service-identity: Fix ptest rdeps python3-fsspec: Add recipe ptest-packagelists-meta-python: Add 
python3-fsspec to fast test list python3-pyyaml-include: Add missing dependencies for ptests python3-py-cpuinfo: Fix ptest runtime deps python3-flask: Add missing ptest deps yavta: Upgrade SRCREV to include 64bit time_t print format errors libjxl: Do not use -mrelax-all on RISCV with clang python3-wrapt: Add missing rdep on misc modules for ptests python3-pillow: Add missing rdep on py3-compile for ptests python-ujson: Use python_setuptools_build_meta python3-pylint: Add missing ptest rdep on python3-misc python3-fastjsonschema: Add missing rdeps for ptests python3-pytest-mock: Upgrade to 3.14.0 protobuf-c: Link with libatomic on riscv32 highway: Disable RVV on RISCV-32 dav1d: Disable asm code on rv32 mosh: Use libatomic on rv32 for atomics dlm: Disable fcf-protection on riscv32 usbguard: Link with libatomic on rv32 transmission: Link with libatomic on riscv32 ot-br-posix: Link with libatomic on rv32 opentelemetry-cpp: Link with libatomic on rv32 mozjs-115: Fix build on riscv32 netdata: Add checks for 64-bit atomic builtins liburing: Upgrade to 2.7 and fix build on riscv32 highway: Fix cmake to detect riscv32 libjxl: Disable sizeless-vectors on riscv32 kernel-selftest: Fix build on 32bit arches with 64bit time_t reptyr: Do not build for riscv32 python3-typer: Disable test_rich_markup_mode tests python3-pydbus: Add missing rdep on xml module for ptests python3-pdm: Upgrade to 2.19.1 python3-pdm-backend: Upgrade to 2.4.1 release python3-ujson: Add python misc modules to ptest rdeps python3-gunicorn: Add missing rdeps for ptests python3-eth-hash: Add packageconfigs and switch to pep517-backend python3-validators: Add missing rdeps for ptests python3-pint: Upgrade to 0.24.3 python3-pytest-mock: Fix ptests python3-sqlparse: Add missing rdep on mypy module for ptests libhugetlbfs: Use linker wrapper during build webkitgtk3: Always use -g1 for debug flags webkitgtk3: Fix build break with latest gir ndisc6: Fix reproducible build rsyslog: Enable 64bit atomics check 
xmlsec1: Switch SRC_URI to use github release python3-pdm-build-locked: Add recipe Kieran Bingham (1): libcamera: Add support for pycamera Leon Anavi (39): python3-eth-utils: Upgrade 3.0.0 -> 4.1.1 python3-requests-file: Upgrade 1.5.1 -> 2.1.0 python3-filelock: Upgrade 3.14.0 -> 3.15.3 python3-hexbytes: Upgrade 1.2.0 -> 1.2.1 python3-moteus: Upgrade 0.3.70 -> 0.3.71 python3-tornado: Upgrade 6.4 -> 6.4.1 python3-paho-mqtt: Upgrade 2.0.0 -> 2.1.0 python3-pyperclip: Upgrade 1.8.2 -> 1.9.0 python3-whitenoise: Upgrade 6.6.0 -> 6.7.0 python3-pycocotools: Upgrade 2.0.7 -> 2.0.8 python3-cbor2: Upgrade 5.6.3 -> 5.6.4 python3-gunicorn: Upgrade 21.2.0 -> 22.0.0 python3-aiohttp: Upgrade 3.9.5 -> 3.10.0 python3-aiosignal: switch to PEP-517 build backend python3-pycares: switch to PEP-517 build backend python3-multidict: switch to PEP-517 build backend python3-cachetools: Upgrade 5.3.3 -> 5.4.0 python3-coverage: switch to PEP-517 build backend coverage: Upgrade 7.6.0 -> 7.6.1 python3-aiohttp: Upgrade 3.10.0 -> 3.10.1 python3-hatch-requirements-txt: Add recipe python3-pymongo: Upgrade 4.7.3 -> 4.8.0 python3-itsdangerous: Upgrade 2.1.2 -> 2.2.0 python3-sniffio: witch to PEP-517 build backend python3-sniffio: Upgrade 1.3.0 -> 1.3.1 python3-qface: Upgrade 2.0.10 -> 2.0.11 python3-argcomplete: switch to PEP-517 build backend python3-argcomplete: Upgrade 3.4.0 -> 3.5.0 python3-prettytable: Upgrade 3.10.2 -> 3.11.0 python3-transitions: Upgrade 0.9.1 -> 0.9.2 python3-apispec: Upgrade 6.4.0 -> 6.6.1 python3-imageio: Upgrade 2.34.2 -> 2.35.0 python3-aiohttp: Upgrade 3.10.1 -> 3.10.3 python3-watchdog: Upgrade 4.0.1 -> 4.0.2 python3-soupsieve: Upgrade 2.5 -> 2.6 python3-fastjsonschema: Upgrade 2.18.0 -> 2.20.0 python3-dirty-equals: Upgrade 0.7.1 -> 0.8.0 python3-path: Upgrade 16.14.0 -> 17.0.0 python3-astroid: Upgrade 3.2.4 -> 3.3.2 Libo Chen (1): thin-provisioning-tools: install missed thin_shrink and era_repair Liyin Zhang (1): sound-theme-freedesktop: Update SRC_URI Luca Boccassi (4): 
dbus-broker: upgrade 32 -> 36 polkit: stop overriding DAC on /usr/share/polkit-1/rules.d polkit: update 124 -> 125 polkit: install group rules in /usr/share/ instead of /etc/ Marc Ferland (3): polkit: update SRC_URI polikt: add elogind packageconfig option polkit: add libs-only PACKAGECONFIG option Markus Volk (28): exiv2: update 0.28.0 -> 0.28.2 wireplumber: update 0.5.3 -> 0.5.5 pipewire: update 1.0.7 -> 1.2.0 flatpak: add PACKAGECONFIG for dconf lvm2: install all systemd service files nss: update 3.101 > 3.102 geary: update 44.1 -> 46.0 dav1d: update 1.4.2 -> 1.4.3 pipewire: update 1.2.0 -> 1.2.1 flatpak: update 1.15.8 -> 1.15.9 blueman: update 2.3.5 -> 2.4.3 pipewire: update 1.2.1 -> 1.2.2 webkitgtk3: update 2.44.2 -> 2.44.3 iwd: update 2.18 -> 2.19 bubblewrap: update 0.9.0 -> 0.10.0 flatpak: update 1.15.9 -> 1.15.10 pipewire: update 1.2.2 -> 1.2.3 cleanup after polkit fix libspelling: add recipe wireplumber: update 0.5.5. -> 0.5.6 gnome-disk-utility: update 46.0 -> 46.1 rygel: update 0.42.5 -> 0.44.0 colord: add configuration to fix runtime iwd: update 2.19 -> 2.20 iwd: use internal ell gnome-shell: add gnome-control-center dependency gnome-desktop: update 44.0 -> 44.1 cryptsetup: fix udev PACKAGECONFIG Martin Jansa (15): lvgl: install lv_conf.h in ${includedir}/${BPN} giflib: fix build with gold and avoid imagemagick-native dependency recipes: ignore various issues fatal with gcc-14 (for 32bit MACHINEs) recipes: ignore various issues fatal with gcc-14 bolt: package systemd_system_unitdir correctly pkcs11-provider: backport a fix for build with gcc-14 blueman: fix installation paths polkit-group-rule: package polkit rules vdpauinfo: require x11 in DISTRO_FEATURES gpm: fix buildpaths QA issue xerces-c: fix buildpaths QA issue gcab: keep buildpaths QA issue as a warning gcab: fix buildpaths QA issue nmap: depend on libpcre2 not libpcre xmlrpc-c: update SRCREV Maxin John (1): nginx: add PACKAGECONFIG knobs for fastcgi, scgi and uwsgi Michael Trimarchi (1): 
cpuset: Add recipe for cpuset tool 1.6.2 Mikko Rapeli (3): fwupd: skip buildpaths errors gcab: ignore buildpaths error from sources libjcat: skip buildpaths check Neel Gandhi (1): v4l-utils: Install media ctrl header and library files Nikhil R (1): rocksdb: Add an option to set static library Niko Mauno (27): pkcs11-provider: Upgrade 0.3 -> 0.5 opensc: Amend FILES:${PN} declaration opensc: Add 'readline' PACKAGECONFIG option opensc: Drop virtual/libiconv from DEPENDS opensc: Fix LICENSE declaration opensc: Cosmetic fixes python3-xlsxwriter: Fix LICENSE python3-ansi2html: Fix HOMEPAGE and LICENSE python3-cbor2: Fix LICENSE and LIC_FILES_CHKSUM python3-cbor2: Sanitize recipe content python3-crc32c: Amend LICENSE declaration python3-email-validator: Fix LICENSE python3-lru-dict: Fix LICENSE and change SUMMARY to DESCRIPTION python3-mock: Fix LICENSE python3-parse-type: Fix LICENSE python3-parse-type: Cosmetic fixes python3-pillow: Fix LICENSE and change SUMMARY to DESCRIPTION python3-platformdirs: Fix LICENSE python3-colorama: Fix LICENSE python3-fann2: Fix LICENSE python3-nmap: Fix LICENSE and LIC_FILES_CHKSUM python3-pycurl: Fix LICENSE python3-googleapis-common-protos: Fix LIC_FILES_CHKSUM python3-haversine: Fix LIC_FILES_CHKSUM python3-libevdev: Fix LIC_FILES_CHKSUM python3-smbus2: Fix LIC_FILES_CHKSUM python3-xmodem: Fix LIC_FILES_CHKSUM Ninette Adhikari (15): imagemagick: Update status for CVE mercurial: Update CVE status for CVE-2022-43410 influxdb: Update CVE status for CVE-2019-10329 links: CVE status update for CVE-2008-3319 usrsctp: CVE status update for CVE-2019-20503 libraw: CVE status update for CVE-2020-22628 and CVE-2023-1729 xsp: CVE status update for CVE-2006-2658 apache2:apache2-native: CVE status update gimp: CVE status update php-native: CVE status update for CVE-2022-4900 xterm: CVE status update CVE-1999-0965 redis: Update status for CVE-2022-3734 monkey: Update status for CVE-2013-2183 apache2: Update CVE status imagemagick: Update status for 
CVE Peter Kjellerstedt (2): libdevmapper: Inherit nopackages poppler: Correct the configuration options Peter Marko (4): cjson: fix buildpath warnings squid: Upgrade to 6.10 nginx: Upgrade stable 1.26.0 -> 1.26.2 nginx: Upgrade mainline 1.25.3 -> 1.27.1 Poonam Jadhav (1): tcpreplay: Fix CVE-2023-4256 Przemyslaw Zegan (1): libftdi: Fix missing ftdi_eeprom Quentin Schulz (1): nftables: fix pep517-backend warning Randolph Sapp (2): vulkan-cts: add workaround for createMeshShaderMiscTestsEXT opencl-clhpp: add native and nativesdk Randy MacLeod (2): libee: remove recipe since libee is obsolete liblinebreak: remove obsolete library Ricardo Simoes (8): magic-enum: add recipe magic-enum: Disable unused-value warning in tests memtool: Add recipe directfb: Order PACKAGECONFIG alphabetically directfb: Add freetype PACKAGECONFIG directfb: Add zlib PACKAGECONFIG directfb: Fix C++17 build warning magic-enum: Upgrade v0.9.5 -> v0.9.6 Richard Tollerton (1): tmux: Upgrade to 3.4 Robert Middleton (1): Upgrade dbus-cxx to 2.5.2 Ross Burton (9): libabigail: add recipe for the ABI Generic Analysis and Instrumentation Library libabigail: refresh musl/fts patch python3-importlib-metadata: add from openembedded-core python3-pathlib2: add from openembedded-core python3-py: add from openembedded-core python3-pytest-runner: add from openembedded-core python3-rfc3986-validator: add from openembedded-core python3-toml: add from openembedded-core python3-tomli: add from openembedded-core Rouven Czerwinski (1): softhsm: add destroyed global access prevention patch Ryan Eatmon (2): mpv: Fix typo in x11 option kernel-selftest: Update to allow for turning on all tests Shinji Matsunaga (1): audit: Fix CVE_PRODUCT Siddharth Doshi (1): apache2: Upgrade 2.4.59 -> 2.4.60 Soumya Sambu (4): php: Upgrade to 8.2.20 python3-werkzeug: upgrade 3.0.1 -> 3.0.3 gtk+: Fix CVE-2024-6655 python3-flask-cors: Fix CVE-2024-6221 Thomas Perrot (1): vdpauinfo: add recipe Tim Orling (7): python3-configobj: switch to 
PEP-517 build backend python3-tzdata: add recipe for v2024.1 python3-tzdata: enable ptest python3-pydantic-core: upgrade 2.18.4 -> 2.21.0 python3-pydantic: upgrade 2.7.3 -> 2.8.2 python3-pydantic-core: backport patch python3-psycopg: add v3.2.1 Tom Geelen (4): python3-sqlparse 0.4.4 -> 0.5.0 python3-bleak 0.21.1 -> 0.22.2 python3-aiohue: 4.7.1 -> 4.7.2 python3-pyjwt 2.8.0 -> 2.9.0 Trevor Gamblin (1): python3-pandas: upgrade 2.0.3 -> 2.2.2 Trevor Woerner (2): apache2: use update-alternatives for httpd python3-matplotlib-inline: update 0.1.6 → 0.1.7 plus fixes Tymoteusz Burak (1): dediprog-flasher: Add recipe Valeria Petrov (1): apache2: do not depend on zlib header and libs from host Vijay Anusuri (3): tipcutils: Add systemd support krb5: upgrade 1.21.2 -> 1.21.3 wireshark: upgrade 4.2.6 -> 4.2.7 Vyacheslav Yurkov (1): overlayfs: Use explicit version Wang Mingyu (306): cryptsetup: upgrade 2.7.2 -> 2.7.3 ctags: upgrade 6.1.20240602.0 -> 6.1.20240623.0 dialog: upgrade 1.3-20240307 -> 1.3-20240619 editorconfig-core-c: upgrade 0.12.7 -> 0.12.9 exiftool: upgrade 12.85 -> 12.87 frr: upgrade 10.0 -> 10.0.1 gensio: upgrade 2.8.4 -> 2.8.5 gtkwave: upgrade 3.3.119 -> 3.3.120 iniparser: upgrade 4.2.2 -> 4.2.4 libbpf: upgrade 1.4.2 -> 1.4.3 libcgi-perl: upgrade 4.64 -> 4.66 libcrypt-openssl-random-perl: upgrade 0.16 -> 0.17 libdaq: upgrade 3.0.14 -> 3.0.15 libextutils-helpers-perl: upgrade 0.026 -> 0.027 libfido2: upgrade 1.14.0 -> 1.15.0 libimobiledevice-glue: upgrade 1.2.0 -> 1.3.0 mcelog: upgrade 199 -> 200 msgraph: upgrade 0.2.2 -> 0.2.3 networkmanager-openvpn: upgrade 1.11.0 -> 1.12.0 opentelemetry-cpp: upgrade 1.15.0 -> 1.16.0 openvpn: upgrade 2.6.10 -> 2.6.11 python3-ansi2html: upgrade 1.9.1 -> 1.9.2 python3-argcomplete: upgrade 3.3.0 -> 3.4.0 python3-bandit: upgrade 1.7.8 -> 1.7.9 python3-coverage: upgrade 7.5.3 -> 7.5.4 python3-djangorestframework: upgrade 3.15.1 -> 3.15.2 python3-email-validator: upgrade 2.1.1 -> 2.2.0 python3-filelock: upgrade 3.15.3 -> 3.15.4 
python3-flexparser: upgrade 0.3 -> 0.3.1 python3-google-api-python-client: upgrade 2.131.0 -> 2.134.0 python3-google-auth: upgrade 2.29.0 -> 2.30.0 python3-googleapis-common-protos: upgrade 1.63.0 -> 1.63.1 python3-huey: upgrade 2.5.0 -> 2.5.1 python3-langtable: upgrade 0.0.66 -> 0.0.67 python3-marshmallow: upgrade 3.21.2 -> 3.21.3 python3-meh: upgrade 0.51 -> 0.52 python3-openpyxl: upgrade 3.1.3 -> 3.1.4 python3-parse: upgrade 1.20.1 -> 1.20.2 python3-pdm-backend: upgrade 2.3.0 -> 2.3.1 python3-pint: upgrade 0.23 -> 0.24 python3-portalocker: upgrade 2.8.2 -> 2.10.0 python3-prompt-toolkit: upgrade 3.0.45 -> 3.0.47 python3-pycodestyle: upgrade 2.11.1 -> 2.12.0 python3-pymisp: upgrade 2.4.190 -> 2.4.194 python3-pymongo: upgrade 4.7.2 -> 4.7.3 python3-pyproject-api: upgrade 1.6.1 -> 1.7.1 python3-redis: upgrade 5.0.4 -> 5.0.6 python3-responses: upgrade 0.25.0 -> 0.25.3 python3-robotframework: upgrade 7.0 -> 7.0.1 python3-scikit-build: upgrade 0.17.6 -> 0.18.0 python3-sqlalchemy: upgrade 2.0.30 -> 2.0.31 python3-tox: upgrade 4.15.0 -> 4.15.1 python3-types-psutil: upgrade 5.9.5.20240516 -> 6.0.0.20240621 python3-virtualenv: upgrade 20.26.2 -> 20.26.3 qpdf: upgrade 11.9.0 -> 11.9.1 tesseract: upgrade 5.3.4 -> 5.4.1 thingsboard-gateway: upgrade 3.5 -> 3.5.1 openldap: upgrade 2.6.7 -> 2.6.8 openldap: fix lib32-openldap build failure with gcc-14 sblim-sfcc: fix build failure with gcc-14 openct: fix build failure with gcc-14 libcurses-perl: upgrade 1.41 -> 1.45 ctags: upgrade 6.1.20240623.0 -> 6.1.20240630.0 feh: upgrade 3.10.2 -> 3.10.3 gexiv2: upgrade 0.14.2 -> 0.14.3 isomd5sum: upgrade 1.2.4 -> 1.2.5 libndp: upgrade 1.8 -> 1.9 networkmanager: upgrade 1.48.0 -> 1.48.2 python3-a2wsgi: upgrade 1.10.4 -> 1.10.6 python3-aiofiles: upgrade 23.2.1 -> 24.1.0 python3-alembic: upgrade 1.13.1 -> 1.13.2 python3-awesomeversion: upgrade 24.2.0 -> 24.6.0 python3-dbus-fast: upgrade 2.21.3 -> 2.22.1 python3-gast: upgrade 0.5.4 -> 0.6.0 python3-google-api-core: upgrade 2.19.0 -> 2.19.1 
python3-google-api-python-client: upgrade 2.134.0 -> 2.135.0 python3-googleapis-common-protos: upgrade 1.63.1 -> 1.63.2 python3-imageio: upgrade 2.34.1 -> 2.34.2 python3-ipython: upgrade 8.25.0 -> 8.26.0 python3-openpyxl: upgrade 3.1.4 -> 3.1.5 python3-pdm: upgrade 2.15.4 -> 2.16.1 python3-pymodbus: upgrade 3.6.8 -> 3.6.9 python3-rapidjson: upgrade 1.17 -> 1.18 python3-redis: upgrade 5.0.6 -> 5.0.7 python3-twine: upgrade 5.1.0 -> 5.1.1 python3-types-setuptools: upgrade 70.0.0.20240524 -> 70.1.0.20240627 python3-web3: upgrade 6.19.0 -> 6.20.0 fetchmail: disable rpath to fix buildpaths warning. procmail: fix build failure with gcc-14 botan: upgrade 3.4.0 -> 3.5.0 ctags: upgrade 6.1.20240630.0 -> 6.1.20240714.0 exiftool: upgrade 12.87 -> 12.89 gnome-keyring: upgrade 46.1 -> 46.2 hwdata: upgrade 0.383 -> 0.384 imlib2: upgrade 1.12.2 -> 1.12.3 ipset: upgrade 7.21 -> 7.22 libass: upgrade 0.17.2 -> 0.17.3 libbpf: upgrade 1.4.3 -> 1.4.5 lvm2: upgrade 2.03.24 -> 2.03.25 libio-socket-ssl-perl: upgrade 2.085 -> 2.088 mpich: upgrade 4.2.1 -> 4.2.2 nano: upgrade 8.0 -> 8.1 networkmanager: upgrade 1.48.2 -> 1.48.4 poke: upgrade 4.1 -> 4.2 python3-argh: upgrade 0.31.2 -> 0.31.3 python3-astroid: upgrade 3.2.2 -> 3.2.3 python3-coverage: upgrade 7.5.4 -> 7.6.0 python3-humanize: upgrade 4.9.0 -> 4.10.0 python3-moteus: upgrade 0.3.71 -> 0.3.72 python3-oletools: upgrade 0.60.1 -> 0.60.2 python3-pdm-backend: upgrade 2.3.1 -> 2.3.2 python3-pillow: upgrade 10.3.0 -> 10.4.0 python3-portalocker: upgrade 2.10.0 -> 2.10.1 python3-prettytable: upgrade 3.10.0 -> 3.10.2 python3-py7zr: upgrade 0.21.0 -> 0.21.1 python3-sympy: upgrade 1.12.1 -> 1.13.0 python3-tomlkit: upgrade 0.12.5 -> 0.13.0 python3-types-setuptools: upgrade 70.1.0.20240627 -> 70.3.0.20240710 python3-validators: upgrade 0.28.3 -> 0.32.0 qcbor: upgrade 1.3 -> 1.4 sngrep: upgrade 1.8.1 -> 1.8.2 thin-provisioning-tools: upgrade 1.0.12 -> 1.0.13 tree: upgrade 2.1.1 -> 2.1.3 wireshark: upgrade 4.2.5 -> 4.2.6 wolfssl: upgrade 5.7.0 -> 
5.7.2 xterm: upgrade 392 -> 393 zenity: upgrade 4.0.1 -> 4.0.2 apache2: upgrade 2.4.61 -> 2.4.62 cfengine-masterfiles: upgrade 3.21.0 -> 3.21.5 cmark: upgrade 0.31.0 -> 0.31.1 cryptsetup: upgrade 2.7.3 -> 2.7.4 ctags: upgrade 6.1.20240714.0 -> 6.1.20240804.0 eog: upgrade 45.3 -> 45.4 fwupd: upgrade 1.9.18 -> 1.9.22 gmime: upgrade 3.2.13 -> 3.2.15 gnome-bluetooth: upgrade 46.0 -> 46.1 googletest: upgrade 1.14.0 -> 1.15.2 icewm: upgrade 3.4.5 -> 3.6.0 leptonica: upgrade 1.82.0 -> 1.84.1 libiodbc: upgrade 3.52.15 -> 3.52.16 liblinebreak: upgrade 1.2 -> 2.1 libnvme: upgrade 1.9 -> 1.10 libpaper: upgrade 2.1.2 -> 2.2.5 libpcsc-perl: upgrade 1.4.14 -> 1.4.15 libsdl-gfx: upgrade 2.0.25 -> 2.0.27 libtdb: upgrade 1.4.10 -> 1.4.11 libtracefs: upgrade 1.8.0 -> 1.8.1 logwarn: upgrade 1.0.14 -> 1.0.17 logwatch: upgrade 7.10 -> 7.11 msgpack-cpp: upgrade 6.1.0 -> 6.1.1 neatvnc: upgrade 0.8.0 -> 0.8.1 networkmanager: upgrade 1.48.4 -> 1.48.6 nss: upgrade 3.102 -> 3.103 openipmi: upgrade 2.0.35 -> 2.0.36 opentelemetry-cpp: upgrade 1.16.0 -> 1.16.1 openvpn: upgrade 2.6.11 -> 2.6.12 python3-a2wsgi: upgrade 1.10.6 -> 1.10.7 python3-aiohappyeyeballs: upgrade 2.3.2 -> 2.3.4 python3-astroid: upgrade 3.2.3 -> 3.2.4 python3-autobahn: upgrade 23.6.2 -> 24.4.2 python3-croniter: upgrade 2.0.5 -> 3.0.3 python3-langtable: upgrade 0.0.67 -> 0.0.68 python3-pdm-backend: upgrade 2.3.2 -> 2.3.3 python3-pure-eval: upgrade 0.2.2 -> 0.2.3 python3-pyfanotify: upgrade 0.2.2 -> 0.3.0 python3-pymisp: upgrade 2.4.194 -> 2.4.195 python3-pymodbus: upgrade 3.6.9 -> 3.7.0 python3-pytest-lazy-fixtures: upgrade 1.0.7 -> 1.1.1 python3-qface: upgrade 2.0.8 -> 2.0.10 python3-rapidjson: upgrade 1.18 -> 1.19 python3-redis: upgrade 5.0.7 -> 5.0.8 python3-regex: upgrade 2024.5.15 -> 2024.7.24 python3-sqlparse: upgrade 0.5.0 -> 0.5.1 python3-sympy: upgrade 1.13.0 -> 1.13.1 python3-tqdm: upgrade 4.66.4 -> 4.66.5 python3-types-setuptools: upgrade 70.3.0.20240710 -> 71.1.0.20240726 python3-validators: upgrade 0.32.0 -> 
0.33.0 python3-web3: upgrade 6.20.0 -> 6.20.1 python3-xmlschema: upgrade 3.3.1 -> 3.3.2 qcbor: upgrade 1.4 -> 1.4.1 rsyslog: upgrade 8.2404.0 -> 8.2406.0 ttf-abyssinica: upgrade 2.100 -> 2.201 wavemon: upgrade 0.9.5 -> 0.9.6 xmlsec1: upgrade 1.3.4 -> 1.3.5 picocom: upgrade 2023-04 -> 2024 hostapd: upgrade 2.10 -> 2.11 python3-incremental: upgrade 22.10.0 -> 24.7.2 colord-gtk: upgrade 0.3.0 -> 0.3.1 ctags: upgrade 6.1.20240804.0 -> 6.1.20240825.0 fwupd: upgrade 1.9.22 -> 1.9.24 hwdata: upgrade 0.384 -> 0.385 lastlog2: upgrade 1.2.0 -> 1.3.1 libbytesize: upgrade 2.10 -> 2.11 libei: upgrade 1.2.1 -> 1.3.0 libnet-dns-perl: upgrade 1.45 -> 1.46 libtdb: upgrade 1.4.11 -> 1.4.12 libtest-harness-perl: upgrade 3.48 -> 3.50 xdg-dbus-proxy: upgrade 0.1.5 -> 0.1.6 mdns: upgrade 2200.120.24 -> 2200.140.11 mutter: upgrade 46.2 -> 46.4 networkmanager: upgrade 1.48.6 -> 1.48.10 pamela: upgrade 1.1.0 -> 1.2.0 pcsc-tools: upgrade 1.7.1 -> 1.7.2 postgresql: upgrade 16.3 -> 16.4 python3-aiohappyeyeballs: upgrade 2.3.4 -> 2.4.0 python3-aiohttp: upgrade 3.10.3 -> 3.10.5 python3-aiohue: upgrade 4.7.2 -> 4.7.3 python3-cachetools: upgrade 5.4.0 -> 5.5.0 python3-dbus-fast: upgrade 2.22.1 -> 2.24.0 python3-eth-utils: upgrade 4.1.1 -> 5.0.0 python3-gunicorn: upgrade 22.0.0 -> 23.0.0 python3-imageio: upgrade 2.35.0 -> 2.35.1 python3-importlib-metadata: upgrade 8.2.0 -> 8.4.0 python3-marshmallow: upgrade 3.21.3 -> 3.22.0 python3-nocasedict: upgrade 2.0.3 -> 2.0.4 python3-nocaselist: upgrade 2.0.2 -> 2.0.3 python3-paramiko: upgrade 3.4.0 -> 3.4.1 python3-py7zr: upgrade 0.21.1 -> 0.22.0 python3-pycodestyle: upgrade 2.12.0 -> 2.12.1 python3-pymisp: upgrade 2.4.195 -> 2.4.196 python3-pyzstd: upgrade 0.16.0 -> 0.16.1 python3-simplejson: upgrade 3.19.2 -> 3.19.3 python3-sqlalchemy: upgrade 2.0.31 -> 2.0.32 python3-sympy: upgrade 1.13.1 -> 1.13.2 python3-tomlkit: upgrade 0.13.0 -> 0.13.2 python3-typer: upgrade 0.12.3 -> 0.12.5 python3-types-python-dateutil: upgrade 2.9.0.20240316 -> 2.9.0.20240821 
python3-types-setuptools: upgrade 71.1.0.20240726 -> 73.0.0.20240822 python3-xxhash: upgrade 3.4.1 -> 3.5.0 rsyslog: upgrade 8.2406.0 -> 8.2408.0 samba: upgrade 4.19.7 -> 4.19.8 sanlock: upgrade 3.9.3 -> 3.9.4 unbound: upgrade 1.20.0 -> 1.21.0 lastlog2: remove recipe since it has been merged into util-linux ctags: upgrade 6.1.20240825.0 -> 6.1.20240908.0 eog: upgrade 45.4 -> 47.0 flatpak-xdg-utils: upgrade 1.0.5 -> 1.0.6 gensio: upgrade 2.8.5 -> 2.8.7 gnome-autoar: upgrade 0.4.4 -> 0.4.5 hwdata: upgrade 0.385 -> 0.387 libbpf: upgrade 1.4.5 -> 1.4.6 libcompress-raw-bzip2-perl: upgrade 2.212 -> 2.213 libcompress-raw-lzma-perl: upgrade 2.212 -> 2.213 libcompress-raw-zlib-perl: upgrade 2.212 -> 2.213 libextutils-helpers-perl: upgrade 0.027 -> 0.028 libio-compress-lzma-perl: upgrade 2.212 -> 2.213 libio-compress-perl: upgrade 2.212 -> 2.213 libio-socket-ssl-perl: upgrade 2.088 -> 2.089 libspiro: upgrade 20221101 -> 20240903 nano: upgrade 8.1 -> 8.2 python3-dbus-fast: upgrade 2.24.0 -> 2.24.2 python3-executing: upgrade 2.0.1 -> 2.1.0 python3-filelock: upgrade 3.15.4 -> 3.16.0 python3-httpx: upgrade 0.27.0 -> 0.27.2 python3-ipython: upgrade 8.26.0 -> 8.27.0 python3-kiwisolver: upgrade 1.4.5 -> 1.4.7 python3-parse-type: upgrade 0.6.2 -> 0.6.3 python3-pefile: upgrade 2023.2.7 -> 2024.8.26 python3-platformdirs: upgrade 4.2.2 -> 4.3.1 python3-pulsectl: upgrade 24.4.0 -> 24.8.0 python3-pymetno: upgrade 0.12.0 -> 0.13.0 python3-pymisp: upgrade 2.4.196 -> 2.4.197 python3-pymodbus: upgrade 3.7.0 -> 3.7.2 python3-rich: upgrade 13.7.1 -> 13.8.0 python3-scikit-build: upgrade 0.18.0 -> 0.18.1 python3-types-psutil: upgrade 6.0.0.20240621 -> 6.0.0.20240901 python3-types-python-dateutil: upgrade 2.9.0.20240821 -> 2.9.0.20240906 python3-validators: upgrade 0.33.0 -> 0.34.0 python3-virtualenv: upgrade 20.26.3 -> 20.26.4 python3-watchdog: upgrade 4.0.2 -> 5.0.2 python3-yarl: upgrade 1.9.4 -> 1.10.0 python3-zeroconf: upgrade 0.132.2 -> 0.134.0 uhubctl: upgrade 2.5.0 -> 2.6.0 valijson: 
upgrade 1.0.2 -> 1.0.3 xfsdump: upgrade 3.1.12 -> 3.2.0 xterm: upgrade 393 -> 394 bdwgc: upgrade 8.2.6 -> 8.2.8 ctags: upgrade 6.1.20240908.0 -> 6.1.20240915.0 gnome-backgrounds: upgrade 46.0 -> 47.0 gnome-chess: upgrade 46.0 -> 47.0 gnome-font-viewer: upgrade 46.0 -> 47.0 libmanette: upgrade 0.2.7 -> 0.2.9 pegtl: upgrade 3.2.7 -> 3.2.8 python3-elementpath: upgrade 4.4.0 -> 4.5.0 python3-eventlet: upgrade 0.36.1 -> 0.37.0 python3-filelock: upgrade 3.16.0 -> 3.16.1 python3-greenlet: upgrade 3.0.3 -> 3.1.0 python3-nmap: upgrade 1.6.0 -> 1.9.1 python3-paramiko: upgrade 3.4.1 -> 3.5.0 python3-platformdirs: upgrade 4.3.1 -> 4.3.6 python3-psycopg: upgrade 3.2.1 -> 3.2.2 python3-pyasn1-modules: upgrade 0.4.0 -> 0.4.1 python3-pymisp: upgrade 2.4.197 -> 2.4.198 python3-pyproject-api: upgrade 1.7.1 -> 1.7.2 python3-pyunormalize: upgrade 15.1.0 -> 16.0.0 python3-regex: upgrade 2024.7.24 -> 2024.9.11 python3-rich: upgrade 13.8.0 -> 13.8.1 python3-robotframework: upgrade 7.0.1 -> 7.1 python3-virtualenv: upgrade 20.26.4 -> 20.26.5 python3-xmlschema: upgrade 3.3.2 -> 3.4.1 python3-yarl: upgrade 1.10.0 -> 1.11.1 stunnel: upgrade 5.72 -> 5.73 tecla: upgrade 46.0 -> 47.0 traceroute: upgrade 2.1.5 -> 2.1.6 nmap: Fix off-by-one overflow in the IP protocol table. 
python3-alembic: upgrade 1.13.2 -> 1.13.3 Yi Zhao (48): libldb: upgrade 2.8.0 -> 2.8.1 samba: upgrade 4.19.6 -> 4.19.7 devecot: set dovecot.conf file mode with chmod packagegroup-xfce-extended: fix typo of gobject-introspection-data feature lastlog2: specify correct pamlibdir wtmpdb: specify correct pamlibdir libnftnl: upgrade 1.2.6 -> 1.2.7 nftables: upgrade 1.0.9 -> 1.1.0 netplan: upgrade 1.0 -> 1.0.1 snort3: upgrade 3.1.84.0 -> 3.3.1.0 snort3: upgrade 3.3.1.0 -> 3.3.2.0 tcpreplay: upgrade 4.4.4 -> 4.5.1 libdaq: upgrade 3.0.15 -> 3.0.16 audit: upgrade 4.0.1 -> 4.0.2 snort3: upgrade 3.3.2.0 -> 3.3.3.0 snort3: upgrade 3.3.3.0 -> 3.3.4.0 tcpdump: upgrade 4.99.4 -> 4.99.5 cryptsetup: upgrade 2.7.4 -> 2.7.5 dracut: upgrade 102 -> 103 freeradius: upgrade 3.2.3 -> 3.2.5 autofs: upgrade 5.1.8 -> 5.1.9 mbedtls: upgrade 3.6.0 -> 3.6.1 mbedtls: upgrade 2.28.8 -> 2.28.9 drbd-utils: upgrade 9.27.0 -> 9.28.0 mm-common: upgrade 1.0.4 -> 1.0.6 lvm2: upgrade 2.03.25 -> 2.03.26 geoclue: upgrade 2.7.1 -> 2.7.2 s-nail: upgrade 14.9.24 -> 14.9.25 crash: upgrade 8.0.4 -> 8.0.5 mce-inject: upgrade to latest git rev mce-test: update to latest git rev fltk: upgrade 1.3.8 -> 1.3.9 openjpeg: upgrade 2.5.0 -> 2.5.2 netplan: upgrade 1.0.1 -> 1.1 libssh: upgrade 0.10.6 -> 0.11.1 jsoncpp: upgrade 1.9.5 -> 1.9.6 debootstrap: upgrade 1.0.132 -> 1.0.137 frr: upgrade 10.1 -> 10.1.1 open-vm-tools: upgrade 12.3.5 -> 12.4.5 v4l-utils: upgrade 1.26.1 -> 1.28.1 catch2: upgrade 3.6.0 -> 3.7.0 tbb: upgrade 2021.11.0 -> 2021.13.0 abseil-cpp: upgrade 20240116.2 -> 20240722.0 protobuf: add abseil-cpp to RDEPENDS protobuf: upgrade 4.25.4 -> 4.25.5 lksctp-tools: upgrade 1.0.19 -> 1.0.20 tcpslice: upgrade 1.7 -> 1.8 libhugetlbfs: upgrade 2.23 -> 2.24 Yoann Congal (39): python3-redis: add an archive prefix to avoid clashing with redis pidgin: Upgrade to 2.14.13 daq: fix SRC_URI to point to the real 2.0.7 release pidgin: Update Upstream-Status for gcc-14 compatibility patch pidgin: Remove gcc-14 compatibility 
workaround dbus-broker: update UPSTREAM_CHECK_* variables to fix devtool upgrades mariadb: update UPSTREAM_CHECK_* variables to fix devtool upgrades mbuffer: update UPSTREAM_CHECK_* variables to fix devtool upgrades microcom: update UPSTREAM_CHECK_* variables to fix devtool upgrades openbox-xdgmenu: update UPSTREAM_CHECK_* variables to fix devtool upgrades proxy-libintl: update UPSTREAM_CHECK_* variables to fix devtool upgrades pugixml: update UPSTREAM_CHECK_* variables to fix devtool upgrades pv: update UPSTREAM_CHECK_* variables to fix devtool upgrades sblim-sfcc: update UPSTREAM_CHECK_* variables to fix devtool upgrades source-code-pro-fonts: update UPSTREAM_CHECK_* variables to fix devtool upgrades stalonetray: update UPSTREAM_CHECK_* variables to fix devtool upgrades testfloat: update UPSTREAM_CHECK_* variables to fix devtool upgrades tk: update UPSTREAM_CHECK_* variables to fix devtool upgrades tmux: update UPSTREAM_CHECK_* variables to fix devtool upgrades ttf-abyssinica: update UPSTREAM_CHECK_* variables to fix devtool upgrades zeromq: update UPSTREAM_CHECK_* variables to fix devtool upgrades qad: Add UPSTREAM_CHECK_COMMITS reboot-mode: Add UPSTREAM_CHECK_COMMITS s-suite: Add UPSTREAM_CHECK_COMMITS syzkaller: Add UPSTREAM_CHECK_COMMITS yavta: Add UPSTREAM_CHECK_COMMITS zsync-curl: Add UPSTREAM_CHECK_COMMITS klibc: fix debug pkgs reproducibility polkit: Switch PAM files to common-* polkit: fix build on sysvinit grilo: fix buildpaths QA error non-repro-meta-python: exclude packages that failed previously README.md: Hint at "git request-pull" non-repro-meta-networking: exclude packages that failed previously non-repro-meta-filesystems: update known reproducible packages non-repro-meta-networking: update known non-reproducible list polkit: Update Upstream-Status of a merged patch wtmpdb: fix installed-vs-shipped build error minidlna: fix reproducibility Yogesh Tyagi (1): python3-pybind11 : upgrade 2.11.1 -> 2.12.0 Yogita Urade (3): hdf5: upgrade to 1.14.4 
poppler: CVE-2024-6239 krb5: fix CVE-2024-26458 and CVE-2024-26461 Zhang Peng (1): hiredis: remove ANSI color from ptest result alba@thehoodiefirm.com (1): apache2:apache2-native: sort CVE status alperak (61): recipes: set S to fix the QA warning pcp: Fix contains reference to TMPDIR [buildpaths] warnings boinc-client: Fix contains reference to TMPDIR [buildpaths] warning rdist: Fix contains reference to TMPDIR [buildpaths] warning gphoto2: Fix contains reference to TMPDIR [buildpaths] warning hplip: Fix contains reference to TMPDIR [buildpaths] warning jsonrpc: Fix contains reference to TMPDIR [buildpaths] warning exiv2: Upgrade 0.28.2 to 0.28.3 for CVE fix tayga: Fix contains reference to TMPDIR [buildpaths] warning etcd-cpp-apiv3: Fix contains reference to TMPDIR [buildpaths] warning python3-lazy: switch to PEP-517 build backend python3-classes: switch to PEP-517 build backend python3-eventlet: switch to PEP-517 build backend python3-bitstruct: switch to PEP-517 build backend python3-dbus-fast: switch to PEP-517 build backend python3-brotli: switch to PEP-517 build backend python3-pymongo: switch to PEP-517 build backend python3-can: switch to PEP-517 build backend python3-pyaudio: switch to PEP-517 build backend python3-term: switch to PEP-517 build backend python3-screeninfo: switch to PEP-517 build backend python3-pykickstart: switch to PEP-517 build backend python3-click-repl: switch to PEP-517 build backend python3-evdev: switch to PEP-517 build backend python3-qrcode: switch to PEP-517 build backend python3-pyproj: switch to PEP-517 build backend python3-file-magic: switch to PEP-517 build backend python3-joblib: switch to PEP-517 build backend python3-dill: switch to PEP-517 build backend python3-luma-oled: switch to PEP-517 build backend python3-pyudev: switch to PEP-517 build backend python3-xmlschema: switch to PEP-517 build backend python3-lru-dict: switch to PEP-517 build backend python3-ipython: switch to PEP-517 build backend python3-portion: 
switch to PEP-517 build backend python3-lazy-object-proxy: switch to PEP-517 build backend python3-aioserial: switch to PEP-517 build backend perfetto: Fix contains reference to TMPDIR [buildpaths] warning python3-reedsolo: upgrade 2.0.13 -> 2.1.0b1 blueman: Fix do_package QA issue python3-service-identity: switch to PEP-517 build backend python3-parse-type: switch to PEP-517 build backend python3-regex: switch to PEP-517 build backend python3-pytest-timeout: switch to PEP-517 build backend python3-pytest-metadata: switch to PEP-517 build backend python3-pyroute: switch to PEP-517 build backend python3-pyjwt: switch to PEP-517 build backend python3-pyasn1-modules: switch to PEP-517 build backend python3-py-cpuinfo: switch to PEP-517 build backend python3-django: switch to PEP-517 build backend python3-greenlet: switch to PEP-517 build backend python3-gevent: switch to PEP-517 build backend python3-msgpack: upgrade 1.0.8 -> 1.1.0 python3-sqlalchemy: Upgrade 2.0.32 -> 2.0.35 and switch to PEP-517 build backend python3-alembic: switch to PEP-517 build backend python3-inflate64: switch to PEP-517 build backend python3-spidev: switch to PEP-517 build backend python3-pastedeploy: switch to PEP-517 build backend python3-reedsolo: switch to PEP-517 build backend curlpp: Fix build issue libhugetlbfs: Fix contains reference to TMPDIR [buildpaths] error ptak (1): opencv: upgrade 4.9.0 -> 4.10.0 quic-raghuvar (2): android-tools-adbd.service: Change /var to /etc in ConditionPathExists android-toold-adbd: Fix inconsistency between selinux configurations rajmohan r (1): unbound: Add ptest for unbound s-tokumoto (2): capnproto: Add "capnp" to CVE_PRODUCT fuse: Add "fuse:fuse" to CVE_PRODUCT meta-security: b4a8bc606f..e2c44c8b5d: Anusmita Dutta Mazumder (1): Add styhead LAYERSERIES_COMPAT Armin Kuster (18): recipes-*: convert WORKDIR->UNPACKDIR apparmor: fix QA Warnings python3-fail2ban: convert WORKDIR->UNPACKDIR krill: Fix QA warnings suricata: fix QA warnings isic: Fix config 
error arpwatch: Fix compile error chipsec: Fix QA Warnings tpm-tools: fix QA and compile errors. ima-policy: Fix S=UNPACKDIR harden/initscripts: UNPACKDIR fix harden-image-minima: Fix usermod aide: update to latest stable. python3-privacyidea: switch to PEP-517 build backend switch to PEP-517 build backend python3-tpm2-pyts: switch to PEP-517 build backend gitlab-ci: minor tweaks to try layer.conf: Update to styhead release name series Chen Qi (1): libgssglue: switch to use git source Hitendra Prajapati (2): sssd: Fix CVE-2023-3758 libhtp: fix CVE-2024-45797 Martin Jansa (4): {tcp,udp}-smack-test: fix few more implicit-function-declaration issues fatal with gcc-14 README.md: fix sendemail.to value suricata: run whole autotools_do_configure not just oe_runconf layer.conf: Update to styhead release name series Mikko Rapeli (9): python3-tpm2-pytss: update from 2.1.0 to 2.3.0 parsec-service: UNPACKDIR fixes bastille: UNPACKDIR fixes initramfs-framework-ima: UNPACKDIR fix ima-policy-appraise-all: UNPACKDIR fix ima-policy-simple: UNPACKDIR fix ima-policy-hashed: set S ima-policy-appraise-all: set S ima-policy-simple: set S Rasmus Villemoes (1): fail2ban: update to 1.1.0+ Ricardo Salveti (1): tpm2-tss: drop libgcrypt Siddharth Doshi (1): Suricata: Security Fix for CVE-2024-37151, CVE-2024-38534, CVE-2024-38535, CVE-2024-38536 Stefan Berger (3): meta-integrity: Remove stale variables and documentation meta-integrity: Add IMA_EVM_PRIVKEY_KEY_OPT to pass options to evmctl meta-integrity: Enable passing private key password Vijay Anusuri (1): tpm2-tools: Upgrade 5.5 -> 5.7 Wang Mingyu (3): ima-policy-hashed: Start WORKDIR -> UNPACKDIR transition suricata: Start WORKDIR -> UNPACKDIR transition trousers: Start WORKDIR -> UNPACKDIR transition Yi Zhao (3): openscap: fix PACKAGECONFIG[remediate_service] openscap: upgrade 1.3.10 -> 1.4.0 scap-security-guide: upgrade 0.1.73 -> 0.1.74 meta-raspberrypi: eb8ffc4e63..97d7a6b5ec: Andrew Lalaev (1): rpi-base.inc: add the disable-wifi-pi5 
overlay Bastian Wanner (1): udev-rules-rpi.bb: Fix psplash systemd connection Garrett Brown (1): linux: Enable CONFIG_I2C_BRCMSTB for proper HDMI I2C support Jaeyoon Jung (1): linux-raspberrypi: Drop deprecated configs from android-driver.cfg Jan Vermaete (5): kas: updated the refspec syntax of the kas file README.md: pi3-disable-bt is renamed to disable-bt in kas example rpi-base.inc: added the disable-bt-pi5 device tree overlay raspi-utils: added new recipe extra-build-config.md: added a white line Khem Raj (6): linux-raspberrypi: Upgrade kernel to 6.6.36 weston-init.bbappend: Delete layer.conf: Update to walnascar (5.2) layer/release series linux-raspberrypi-6.6: Upgrade to 6.6.63 rpi-base: Remove bcm2712-rpi-5-b.dtb from RPI_KERNEL_DEVICETREE target SECURITY.md: Add instructions for reporting security issues Leon Anavi (2): rpi-u-boot-scr: WORKDIR -> UNPACKDIR transition conf/layer.conf: Remove meta-lts-mixins Luca Carlon (1): picamera-libs: removed unused libraries from python3-picamera Martin Jansa (1): mesa: rename bbappend to match new recipe name from oe-core Matthias Klein (1): linux-firmware-rpidistro: Upgrade to bookworm/20230625-2+rpt3 Pierrick Curt (1): rpi-base: build uart dts overlays by default Robert Yang (1): conf/layer.conf: Remove duplicated BBFILES Victor Löfgren (1): README.md: Update link to compatible layers Vincent Davis Jr (2): rpi-default-providers: remove vlc,ffmpeg PREFFERED_PROVIDER docs: include PREFERRED_PROVIDER_ffmpeg,vlc change meta-arm: 981425c54e..18bc3f9389: Ali Can Ozaslan (2): arm-bsp/trusted-firmware-m: corstone1000: Increase PS size arm-bsp/optee: corstone1000: Update upstream status Amr Mohamed (5): arm-systemready/README.md: add ARM_FVP_EULA_ACCEPT arm-systemready/linux-distros: new inc file for unattended installation arm-systemready/linux-distros: Add kickstart file for Fedora unattended arm-systemready/oeqa: Add new test for Fedora unattended installation kas: Add new yml file for Distros unattended installation Ben 
(3): arm-systemready/linux-distros: Implement unattended openSUSE arm-systemready/oeqa: Add unattended installation testcase kas: Include unattended openSUSE test Bence Balogh (18): arm-bsp/optee:corstone1000: Update optee to v4.2 arm-bsp/optee: Remove OP-TEE OS v4.1 recipe arm-bsp/trusted-firmware-a: Upgrade Corstone1000 to TF-A v2.11 arm-bsp/u-boot: corstone1000: use mdata v2 arm-bsp/trusted-firmware-a: corstone1000: update upstream statuses arm-bsp/trusted-firmware-m: corstone1000: upgrade to TF-M v2.1.x arm-bsp/trusted-services: corstone1000: align PSA crypto structs with TF-M arm-bsp/trusted-firmware-m: Remove TF-M v2.0 recipe arm-bsp/trusted-firmware-m: corstone1000: fix bank offset arm-bsp/trusted-firmware-m: corstone1000: add Secure Debug arm-bsp/documentation: corstone1000: add Secure Debug test CI: Add secure debug build for Corstone-1000 arm-bsp/linux-yocto: corstone1000: bump to v6.10 arm-bsp/documentation: corstone1000: remove TEE driver load arm-bsp/trusted-firmware-m: corstone1000: Fix MPU configuration arm-bsp/trusted-firmware-m: corstone1000: Update metadata handling arm-bsp/trusted-firmware-m: corstone1000: Update patches arm-bsp/trusted-firmware-m: corstone1000: Fix Secure Debug connection due to token version mismatch Delane Brandy (1): arm-bsp/corstone1000: Update Corstone-1000 user guide Emekcan Aras (1): arm-bsp/trusted-firmware-m: corstone1000: Switch to metadata v2 Harsimran Singh Tungal (7): arm-bsp/u-boot: corstone1000: fix U-Boot patch arm-bsp/trusted-services: corstone1000: fix compilation issues arm-bsp/trusted-services: fix compilation issues for ts-newlib arm-bsp/trusted-firmware-a: corstone1000: fix compilation issue for FVP multicore arm-bsp,kas: corstone1000: enable External System based on new yml file arm-bsp,documentation: corstone1000: update user documentation arm-bsp/trusted-services: corstone1000: Update Trusted-Services patches Hugues KAMBA MPIANA (4): arm-bsp/documentation: corstone1000: Mention PMOD module as 
prerequisite arm-bsp/documentation: corstone1000: Amend documentation for CORSTONE1000-2024.11 release kas: corstone-1000: Update the SHA of the Yocto layer dependencies for the CORSTONE1000-2024.11 release. kas: corstone-1000: Pin Yocto layer dependencies for CORSTONE1000-2024.11 release Hugues Kamba-Mpiana (2): arm-bsp/documentation: corstone1000: Deprecation of Sphinx context injection arm-bsp/documentation: corstone1000: Install Sphinx theme as recommended Javier Tia (3): arm/optee: Add optee udev rules arm: Enable Secure Boot in all required recipes arm/qemuarm64-secureboot: Enable UEFI Secure Boot Jon Mason (31): arm-bsp/fvp-base: update version to 11.26.11 arm/qemuarm64-secureboot: fix qemu parameter arm-toolchain: fix for WORKDIR changes arm-systemready: WORKDIR to UNPACKDIR changes CI: remove ts-smm-gateway for qemuarm64-secureboot-ts arm-toolchain: update to 13.3 CI: remove unnecessary clang settings CI: add poky-altcfg arm/opencsd: update to 1.5.3 arm/boot-wrapper-aarch64: update with latest patch arm/gn: update to the latest commit CI: remove xorg test removal from edk2 arm-bsp/fvp-base: add edk2 testimage support arm-bsp/fvp-base: u-boot patch clean-up arm: use devtool to clean-up patches arm-bsp: remove unreferenced patches and configs arm/trusted-firmware-a: remove workaround patch for qemuarm64-secureboot arm/qemu-efi-disk: add rootwait to bootargs arm/arm-tstee: pin kernel to 6.6 to workaround issue arm/trusted-firmware-a: update LICENSE entry arm/musl: work around trusted services error arm/libts: Patch to fix 6.10 kernel builds breaks arm-bsp/documentation: corstone1000: Improve user guide arm-toolchain: remove libmount-mountfd-support when using binary toolchain arm-bsp/fvp-base: support poky-altcfg arm-bsp/fvp-base: Get 6.10 kernel working arm-bsp/fvp: Re-enable parselogs arm/optee-os: Backport the clang fixes arm-bsp/fvp-base: use trusted-firmware-a v2.11 CI: Rework qemuarm64-secureboot matrix CI: remove branch name Luca Fancellu (2): 
arm/oeqa: Introduce retry mechanism for fvp_devices run_cmd arm/lib: Handle timeout for spawn object on stop() Mariam Elshakfy (1): arm/trusted-services: Move ts-newlib compilation fix to meta-arm Martin Jansa (1): layer.conf: Update to styhead release name series Mikko Rapeli (8): optee-os: asm debug prefix fixes optee-os: remove absolute paths optee-os-tadevkit: remove buildpaths INSANE_SKIP optee-os: remove buildpaths INSANE_SKIP optee-os: fix buildpaths QA failure on corstone1000 ts-newlib: setup git with check_git_config arm/optee-client: fix systemd service dependencies trusted-firmware-a: fix panic on kv260/zynqmp Peter Hoyes (1): arm/fvpboot: Revert "Disable timing annotation by default" Quentin Schulz (2): add basic b4 config file arm/trusted-firmware-a: add recipe for more-recent-but-not-yet-released source code Ross Burton (9): CI: update to Kas 4.4 image arm-systemready: explicitly disable SPDX in the fake image classes arm/edk2-firmware: set CVE_PRODUCT to the correct CPE arm-bsp/linux-yocto: update for linux 6.10 CI: switch to building against styhead branches where possible CI: add KAS_BUILD_DIR variable CI: remove duplicate arm-systemready-ir-acs CI: transform testimage reports into JUnit XML reports arm-base/linux-yocto: revert interim 6.10 patch for fvp-base Ziad Elhanafy (2): arm/oeqa: Enable pexpect profiling for testcase debugging arm-systemready/linux-distros: Follow WORKDIR -> UNPACKDIR transition Change-Id: I8c03dc8ed1822e0356c1d3dcf86b5c408aff3f78 Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Diffstat (limited to 'meta-security')
-rw-r--r--meta-security/.gitlab-ci.yml7
-rw-r--r--meta-security/README.md2
-rw-r--r--meta-security/conf/layer.conf2
-rw-r--r--meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb12
-rw-r--r--meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb6
-rw-r--r--meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb6
-rw-r--r--meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb22
-rw-r--r--meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb6
-rw-r--r--meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb6
-rw-r--r--meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb6
-rw-r--r--meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb (renamed from meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb)20
-rw-r--r--meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb6
-rw-r--r--meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb6
-rw-r--r--meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch219
-rw-r--r--meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb1
-rw-r--r--meta-security/meta-hardening/conf/layer.conf2
-rw-r--r--meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb4
-rw-r--r--meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend2
-rw-r--r--meta-security/meta-integrity/README.md9
-rw-r--r--meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass20
-rw-r--r--meta-security/meta-integrity/conf/layer.conf2
-rw-r--r--meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb2
-rw-r--r--meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb4
-rw-r--r--meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb4
-rw-r--r--meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb4
-rw-r--r--meta-security/meta-parsec/conf/layer.conf2
-rw-r--r--meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb4
-rw-r--r--meta-security/meta-tpm/conf/layer.conf2
-rw-r--r--meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb6
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.3.0.bb (renamed from meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb)16
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb (renamed from meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb)2
-rw-r--r--meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.1.2.bb4
-rw-r--r--meta-security/recipes-compliance/lynis/lynis_3.1.1.bb2
-rw-r--r--meta-security/recipes-compliance/openscap/files/0001-CMakeLists.txt-fix-installation-directory-for-system.patch29
-rw-r--r--meta-security/recipes-compliance/openscap/openscap_1.4.0.bb (renamed from meta-security/recipes-compliance/openscap/openscap_1.3.10.bb)22
-rw-r--r--meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.74.bb (renamed from meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.73.bb)6
-rw-r--r--meta-security/recipes-ids/aide/aide/m4_allow.patch40
-rw-r--r--meta-security/recipes-ids/aide/aide_0.18.8.bb (renamed from meta-security/recipes-ids/aide/aide_0.17.4.bb)16
-rw-r--r--meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb2
-rw-r--r--meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb2
-rw-r--r--meta-security/recipes-ids/samhain/samhain.inc4
-rw-r--r--meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch53
-rw-r--r--meta-security/recipes-ids/suricata/files/CVE-2024-38534.patch44
-rw-r--r--meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch57
-rw-r--r--meta-security/recipes-ids/suricata/files/CVE-2024-38535_pre.patch292
-rw-r--r--meta-security/recipes-ids/suricata/files/CVE-2024-38536.patch40
-rw-r--r--meta-security/recipes-ids/suricata/files/CVE-2024-45797.patch148
-rw-r--r--meta-security/recipes-ids/suricata/libhtp_0.5.45.bb8
-rw-r--r--meta-security/recipes-ids/suricata/suricata_7.0.0.bb20
-rw-r--r--meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb14
-rw-r--r--meta-security/recipes-kernel/lkrg/lkrg-module_0.9.7.bb2
-rw-r--r--meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb7
-rw-r--r--meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb2
-rw-r--r--meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c2
-rw-r--r--meta-security/recipes-mac/smack/udp-smack-test/udp_client.c2
-rw-r--r--meta-security/recipes-mac/smack/udp-smack-test/udp_server.c3
-rw-r--r--meta-security/recipes-perl/perl/lib-perl_0.63.bb2
-rw-r--r--meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb2
-rw-r--r--meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb10
-rw-r--r--meta-security/recipes-scanners/buck-security/buck-security_0.7.bb2
-rw-r--r--meta-security/recipes-scanners/checksec/checksec_2.6.0.bb2
-rw-r--r--meta-security/recipes-scanners/clamav/clamav_0.104.4.bb10
-rw-r--r--meta-security/recipes-security/Firejail/firejail_0.9.72.bb2
-rw-r--r--meta-security/recipes-security/chipsec/chipsec_1.9.1.bb6
-rw-r--r--meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb4
-rw-r--r--meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb2
-rw-r--r--meta-security/recipes-security/glome/glome_git.bb2
-rw-r--r--meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb2
-rw-r--r--meta-security/recipes-security/isic/isic_0.07.bb6
-rw-r--r--meta-security/recipes-security/krill/krill_0.12.3.bb4
-rw-r--r--meta-security/recipes-security/libest/libest_3.2.0.bb2
-rw-r--r--meta-security/recipes-security/libgssglue/libgssglue_0.8.bb5
-rw-r--r--meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb2
-rw-r--r--meta-security/recipes-security/libmspack/libmspack_1.11.bb2
-rw-r--r--meta-security/recipes-security/ncrack/ncrack_0.7.bb2
75 files changed, 1148 insertions, 154 deletions
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index 1e82a874ec..db6a5e5eab 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -77,7 +77,7 @@ qemux86-test:
qemux86-64:
extends: .base
script:
- - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm-image security-tpm2-image integrity-image-minimal"
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k core-image-minimal security-build-image security-tpm-image security-tpm2-image integrity-image-minimal"
- kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml
- kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml
@@ -116,11 +116,6 @@ qemuarm64-parsec:
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
-qemumips64:
- extends: .base
- script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
-
qemuriscv64:
extends: .base
script:
diff --git a/meta-security/README.md b/meta-security/README.md
index 3e092a9dfa..6c24c2efe4 100644
--- a/meta-security/README.md
+++ b/meta-security/README.md
@@ -76,7 +76,7 @@ When sending single patches, please using something like:
These values can be set as defaults for this repository:
-$ git config sendemail.to yocto@lists.yoctoproject.org
+$ git config sendemail.to yocto-patches@lists.yoctoproject.org
$ git config format.subjectPrefix meta-security][PATCH
Now you can just do 'git send-email origin/master' to send all local patches.
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 471674cd8b..c57c8b9c77 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "security"
BBFILE_PATTERN_security = "^${LAYERDIR}/"
BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "nanbield scarthgap"
+LAYERSERIES_COMPAT_security = "styhead"
LAYERDEPENDS_security = "core openembedded-layer"
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
index f2ef335b13..7074f68152 100644
--- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
+++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
@@ -83,11 +83,11 @@ do_install () {
install -m 0644 Bastille/AccountSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Apache.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/API.pm ${D}${libdir}/Bastille
- install -m 0644 ${WORKDIR}/AccountPermission.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/FileContent.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/HPSpecific.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/ServiceAdmin.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/Miscellaneous.pm ${D}${libdir}/Bastille/API
+ install -m 0644 ${UNPACKDIR}/AccountPermission.pm ${D}${libdir}/Bastille/API
+ install -m 0644 ${UNPACKDIR}/FileContent.pm ${D}${libdir}/Bastille/API
+ install -m 0644 ${UNPACKDIR}/HPSpecific.pm ${D}${libdir}/Bastille/API
+ install -m 0644 ${UNPACKDIR}/ServiceAdmin.pm ${D}${libdir}/Bastille/API
+ install -m 0644 ${UNPACKDIR}/Miscellaneous.pm ${D}${libdir}/Bastille/API
install -m 0644 Bastille/BootSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/ConfigureMiscPAM.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/DisableUserTools.pm ${D}${libdir}/Bastille
@@ -138,7 +138,7 @@ do_install () {
install -m 0644 OSMap/OSX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/OSX.system ${D}${datadir}/Bastille/OSMap
- install -m 0644 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config
+ install -m 0644 ${UNPACKDIR}/config ${D}${sysconfdir}/Bastille/config
for file in `cat Modules.txt` ; do
install -m 0644 Questions/$file.txt ${D}${datadir}/Bastille/Questions
diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb
index ba0f974c33..46cdc8e3c9 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb
@@ -7,7 +7,11 @@ SRC_URI[sha256sum] = "6425963d91054cfcc185807141c7314a9c5ad46325911bd24dcb489bd0
PYPI_PACKAGE = "Flask-Script"
-inherit pypi setuptools3
+inherit pypi python_setuptools_build_meta
+
+DEPENDS += " \
+ python3-setuptools-scm-native \
+"
RDEPENDS:${PN} += "\
python3-flask \
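Review bot: The `DEPENDS += "python3-setuptools-scm-native"` block added after the new `inherit` line is not justified by anything visible in this recipe, and the same block is repeated unchanged in the json2html, pyinotify, segno, xmldiff, yamlpath and privacyidea hunks. setuptools-scm is only needed when a package's own build configuration requests it, so where it is not requested the line just adds one more native tool to the build's input set. I would drop it where it is unused, or state the reason next to it, e.g. `# upstream build requires setuptools_scm`. Whether each package needs it cannot be determined from these hunks.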
diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb
index 638c56fc27..3d7e8975c0 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb
@@ -6,4 +6,8 @@ SRC_URI[sha256sum] = "8951a53662ae9cfd812685facdba693fc950ffc1c1fd1a8a2d3cf4c346
PYPI_PACKAGE = "json2html"
-inherit pypi setuptools3
+inherit pypi python_setuptools_build_meta
+
+DEPENDS += " \
+ python3-setuptools-scm-native \
+"
diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb
index ff1b611bf5..9aaa7c990c 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb
@@ -2,6 +2,19 @@ DESCRIPTION = "Python pyinotify: Linux filesystem events monitoring"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=ab173cade7965b411528464589a08382"
+SRC_URI[md5sum] = "8e580fa1ff3971f94a6f81672b76c406"
+SRC_URI[sha256sum] = "9c998a5d7606ca835065cdabc013ae6c66eb9ea76a00a1e3bc6e0cfe2b4f71f4"
+
+SRC_URI += " \
+ file://0001-Make-asyncore-support-optional-for-Python-3.patch \
+"
+
+inherit pypi python_setuptools_build_meta
+
+DEPENDS += " \
+ python3-setuptools-scm-native \
+"
+
RDEPENDS:${PN} += "\
python3-ctypes \
python3-fcntl \
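Review bot: `SRC_URI[md5sum]` is carried along when the checksum block is moved to the top of the recipe, although `SRC_URI[sha256sum]` sits directly below it. MD5 adds no integrity guarantee beyond what the SHA-256 value already gives, and keeping it means two values to update on every upgrade. Since the block is being touched anyway, I would keep only the `SRC_URI[sha256sum] = "…"` line and delete the md5sum line. The RDEPENDS list continues outside this hunk.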
@@ -11,12 +24,3 @@ RDEPENDS:${PN} += "\
python3-shell \
python3-threading \
"
-
-SRC_URI[md5sum] = "8e580fa1ff3971f94a6f81672b76c406"
-SRC_URI[sha256sum] = "9c998a5d7606ca835065cdabc013ae6c66eb9ea76a00a1e3bc6e0cfe2b4f71f4"
-
-SRC_URI += " \
- file://0001-Make-asyncore-support-optional-for-Python-3.patch \
-"
-
-inherit pypi setuptools3
diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb
index f8a6552ad4..e24f3222f7 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb
@@ -4,6 +4,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8e8db3765a57bcb968140e0a353c1a35"
SRC_URI[sha256sum] = "983424b296e62189d70fc73460cd946cf56dcbe82b9bda18c066fc1b24371cdc"
-#PYPI_PACKAGE = "Flask-Script"
+inherit pypi python_setuptools_build_meta
-inherit pypi setuptools3
+DEPENDS += " \
+ python3-setuptools-scm-native \
+"
diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb
index 517ed87f3a..811cf36756 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb
@@ -6,4 +6,8 @@ SRC_URI[sha256sum] = "19b030b3fa37d1f0b5c5ad9ada9059884c3bf2c751c5dd8f1eb4ed49cf
PYPI_PACKAGE = "xmldiff"
-inherit pypi setuptools3
+inherit pypi python_setuptools_build_meta
+
+DEPENDS += " \
+ python3-setuptools-scm-native \
+"
diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb
index 5d88951658..8d5f33ec42 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb
@@ -6,4 +6,8 @@ SRC_URI[sha256sum] = "81d5b8baba60c255b519ccd31a691f9bc064223ff196709d41119bde81
PYPI_PACKAGE = "yamlpath"
-inherit pypi setuptools3
+inherit pypi python_setuptools_build_meta
+
+DEPENDS += " \
+ python3-setuptools-scm-native \
+"
diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb
index bf5f87d367..52d35f85c9 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb
@@ -11,12 +11,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
DEPENDS = "python3-native"
-SRCREV = "e1d3006b0330e9777705a7baafe3989d442ed120"
+SRCREV = "ac62658c10f492911f8a0037a0bcf97c8521cd78"
SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \
file://initd \
file://run-ptest \
"
+PV = "1.1.0+git"
+
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"
inherit update-rc.d ptest setuptools3_legacy
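Review bot: `PV = "1.1.0+git"` is now set by hand while `SRCREV` points at a bare commit on `master`, and nothing in the recipe records how that commit relates to the 1.1.0 release. Version-based CVE matching works from PV, so a snapshot that is behind or well ahead of the release would be assessed against the wrong version. A comment above `SRCREV` such as `# <upstream tag or describe output for this commit>` would make the pin auditable at review time. The recipe continues outside the hunk.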
@@ -24,23 +26,13 @@ inherit systemd
SYSTEMD_SERVICE:${PN} = "fail2ban.service"
-S = "${WORKDIR}/git"
-
-do_compile () {
- cd ${S}
-
- #remove symlink to python3
- # otherwise 2to3 is run against it
- rm -f bin/fail2ban-python
-
- ./fail2ban-2to3
-}
+S = "${UNPACKDIR}/git"
do_install:append () {
rm -f ${D}/${bindir}/fail2ban-python
install -d ${D}/${sysconfdir}/fail2ban
install -d ${D}/${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
+ install -m 0755 ${UNPACKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${systemd_system_unitdir}
@@ -66,7 +58,7 @@ INITSCRIPT_PARAMS = "defaults 25"
INSANE_SKIP:${PN}:append = "already-stripped"
-RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables python3-core python3-pyinotify"
+RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} nftables python3-core python3-pyinotify"
RDEPENDS:${PN} += "python3-sqlite3"
RDEPENDS:${PN} += " python3-logging python3-fcntl python3-json"
RDEPENDS:${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
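Review bot: The `RDEPENDS:${PN}` line now installs `nftables` instead of `iptables`, but nothing in this recipe diff switches fail2ban's ban action to match. Upstream's stock `jail.conf` defaults to an iptables-based `banaction`, so unless an override is installed elsewhere (not visible here) a jail would still detect offenders and then fail to insert the block rule because the `iptables` binary is absent. I would ship a `jail.d` drop-in with `banaction = nftables` and `banaction_allports = nftables[type=allports]`, or keep `iptables` in the runtime dependencies until the default is changed. A ptest that checks a ban really installs a rule would catch this kind of silent loss of protection.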
diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb
index 8268345f7e..36e50e4841 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb
@@ -8,7 +8,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55"
PYPI_PACKAGE = "privacyIDEA"
SRC_URI[sha256sum] = "7c70feb44980a3fd7501457777a1ec30e73541e54d3b31f2b9b5ab6cd73cff4f"
-inherit pypi setuptools3
+inherit pypi python_setuptools_build_meta
+
+DEPENDS += " \
+ python3-setuptools-scm-native \
+"
do_install:append () {
rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests
diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb b/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb
index 3a074614a5..62157e0859 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb
@@ -6,6 +6,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=038e1390e94fe637991fa5569daa62bc"
PYPI_PACKAGE = "oauth2client"
SRC_URI[sha256sum] = "d486741e451287f69568a4d26d70d9acd73a2bbfa275746c535b4209891cccc6"
-inherit pypi setuptools3
+inherit pypi python_setuptools_build_meta
+
+DEPENDS += " \
+ python3-setuptools-scm-native \
+"
RDEPENDS:${PN} = "python3-six python3-rsa python3-httplib2 python3-pyasn1 python3-pyasn1-modules"
diff --git a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch
new file mode 100644
index 0000000000..1e9fca5425
--- /dev/null
+++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch
@@ -0,0 +1,219 @@
+From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 8 Nov 2023 14:50:24 +0100
+Subject: [PATCH] ad-gpo: use hash to store intermediate results
+
+Currently after the evaluation of a single GPO file the intermediate
+results are stored in the cache and this cache entry is updated until
+all applicable GPO files are evaluated. Finally the data in the cache is
+used to make the decision of access is granted or rejected.
+
+If there are two or more access-control request running in parallel one
+request might overwrite the cache object with intermediate data while
+another request reads the cached data for the access decision and as a
+result will do this decision based on intermediate data.
+
+To avoid this the intermediate results are not stored in the cache
+anymore but in hash tables which are specific to the request. Only the
+final result is written to the cache to have it available for offline
+authentication.
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
+
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726]
+CVE: CVE-2023-3758
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+---
+ src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
+ 1 file changed, 102 insertions(+), 14 deletions(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index 44e9cbb..cec0cb4 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -1317,6 +1317,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
+ return ret;
+ }
+
++static errno_t
++add_result_to_hash(hash_table_t *hash, const char *key, char *value)
++{
++ int hret;
++ hash_key_t k;
++ hash_value_t v;
++
++ if (hash == NULL || key == NULL || value == NULL) {
++ return EINVAL;
++ }
++
++ k.type = HASH_KEY_CONST_STRING;
++ k.c_str = key;
++
++ v.type = HASH_VALUE_PTR;
++ v.ptr = value;
++
++ hret = hash_enter(hash, &k, &v);
++ if (hret != HASH_SUCCESS) {
++ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
++ key, value, hash_error_string(hret));
++ return EIO;
++ }
++
++ return EOK;
++}
++
+ /*
+ * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
+ * and stores the allow_key and deny_key of all of the gpo_map_types present
+@@ -1324,6 +1351,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
+ */
+ static errno_t
+ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
++ hash_table_t *allow_maps, hash_table_t *deny_maps,
+ const char *filename)
+ {
+ struct ini_cfgfile *file_ctx = NULL;
+@@ -1457,14 +1485,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+ goto done;
+ } else if (ret != ENOENT) {
+ const char *value = allow_value ? allow_value : empty_val;
+- ret = sysdb_gpo_store_gpo_result_setting(domain,
+- allow_key,
+- value);
++ ret = add_result_to_hash(allow_maps, allow_key,
++ talloc_strdup(allow_maps, value));
+ if (ret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "sysdb_gpo_store_gpo_result_setting failed for key:"
+- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
+- ret, sss_strerror(ret));
++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
++ "value: [%s] to allow maps "
++ "[%d][%s].\n",
++ allow_key, value, ret,
++ sss_strerror(ret));
+ goto done;
+ }
+ }
+@@ -1484,14 +1512,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+ goto done;
+ } else if (ret != ENOENT) {
+ const char *value = deny_value ? deny_value : empty_val;
+- ret = sysdb_gpo_store_gpo_result_setting(domain,
+- deny_key,
+- value);
++ ret = add_result_to_hash(deny_maps, deny_key,
++ talloc_strdup(deny_maps, value));
+ if (ret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "sysdb_gpo_store_gpo_result_setting failed for key:"
+- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
+- ret, sss_strerror(ret));
++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
++ "value: [%s] to deny maps "
++ "[%d][%s].\n",
++ deny_key, value, ret,
++ sss_strerror(ret));
+ goto done;
+ }
+ }
+@@ -1784,6 +1812,8 @@ struct ad_gpo_access_state {
+ int num_cse_filtered_gpos;
+ int cse_gpo_index;
+ const char *ad_domain;
++ hash_table_t *allow_maps;
++ hash_table_t *deny_maps;
+ };
+
+ static void ad_gpo_connect_done(struct tevent_req *subreq);
+@@ -1906,6 +1936,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
+ goto immediately;
+ }
+
++ ret = sss_hash_create(state, 0, &state->allow_maps);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
++ "hash table [%d]: %s\n", ret, sss_strerror(ret));
++ goto immediately;
++ }
++
++ ret = sss_hash_create(state, 0, &state->deny_maps);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
++ "hash table [%d]: %s\n", ret, sss_strerror(ret));
++ goto immediately;
++ }
+
+ subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+ if (subreq == NULL) {
+@@ -2725,6 +2768,43 @@ ad_gpo_cse_step(struct tevent_req *req)
+ return EAGAIN;
+ }
+
++static errno_t
++store_hash_maps_in_cache(struct sss_domain_info *domain,
++ hash_table_t *allow_maps, hash_table_t *deny_maps)
++{
++ int ret;
++ struct hash_iter_context_t *iter;
++ hash_entry_t *entry;
++ size_t c;
++ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
++
++
++ for (c = 0; hash_list[c] != NULL; c++) {
++ iter = new_hash_iter_context(hash_list[c]);
++ if (iter == NULL) {
++ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
++ return EINVAL;
++ }
++
++ while ((entry = iter->next(iter)) != NULL) {
++ ret = sysdb_gpo_store_gpo_result_setting(domain,
++ entry->key.c_str,
++ entry->value.ptr);
++ if (ret != EOK) {
++ free(iter);
++ DEBUG(SSSDBG_OP_FAILURE,
++ "sysdb_gpo_store_gpo_result_setting failed for key:"
++ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
++ (char *) entry->value.ptr, ret, sss_strerror(ret));
++ return ret;
++ }
++ }
++ talloc_free(iter);
++ }
++
++ return EOK;
++}
++
+ /*
+ * This cse-specific function (GP_EXT_GUID_SECURITY) increments the
+ * cse_gpo_index until the policy settings for all applicable GPOs have been
+@@ -2766,6 +2846,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
+ * (as part of the GPO Result object in the sysdb cache).
+ */
+ ret = ad_gpo_store_policy_settings(state->host_domain,
++ state->allow_maps, state->deny_maps,
+ cse_filtered_gpo->policy_filename);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+@@ -2779,6 +2860,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
+
+ if (ret == EOK) {
+ /* ret is EOK only after all GPO policy files have been downloaded */
++ ret = store_hash_maps_in_cache(state->host_domain,
++ state->allow_maps, state->deny_maps);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
++ "[%d][%s].\n", ret, sss_strerror(ret));
++ goto done;
++ }
+ ret = ad_gpo_perform_hbac_processing(state,
+ state->gpo_mode,
+ state->gpo_map_type,
+--
+2.25.1
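Review bot: In `store_hash_maps_in_cache` the error path releases the iterator with `free(iter)` while the success path uses `talloc_free(iter)`, and only one of the two can match how `new_hash_iter_context` allocated it. The tables are created with `sss_hash_create(state, ...)`, which presumably routes the hash library's allocations through talloc; if so, the libc `free()` on a talloc chunk corrupts the heap exactly when the cache write fails. The error branch should read `talloc_free(iter);`. Separately, `talloc_strdup(allow_maps, value)` is passed straight into `add_result_to_hash`, so an allocation failure comes back as `EINVAL` rather than `ENOMEM`. The file is marked as a backport, so both points are better reported to the SSSD project than fixed only in this copy.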
diff --git a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
index 0c75d8f45f..f973ee158d 100644
--- a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
+++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \
file://fix-ldblibdir.patch \
file://musl_fixup.patch \
file://0001-sssctl-add-error-analyzer.patch \
+ file://CVE-2023-3758.patch \
"
SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba"
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
index 8da050be18..f5db75119f 100644
--- a/meta-security/meta-hardening/conf/layer.conf
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "harden-layer"
BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_harden-layer = "6"
-LAYERSERIES_COMPAT_harden-layer = "nanbield scarthgap"
+LAYERSERIES_COMPAT_harden-layer = "styhead"
LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb
index 38771cdfb9..4366961eac 100644
--- a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb
+++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb
@@ -18,9 +18,9 @@ DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
DEFAULT_ADMIN_GROUP ?= "wheel"
DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
-EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
+EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -p '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
EXTRA_USERS_PARAMS:append = " useradd ${DEFAULT_ADMIN_ACCOUNT};"
EXTRA_USERS_PARAMS:append = " groupadd ${DEFAULT_ADMIN_GROUP};"
-EXTRA_USERS_PARAMS:append = " usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
+EXTRA_USERS_PARAMS:append = " usermod -p '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
EXTRA_USERS_PARAMS:append = " usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"
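Review bot: The two `usermod -p` lines pass a cleartext value where the option expects an already-hashed crypt(3) string: `DEFAULT_ADMIN_ACCOUNT_PASSWORD` is the literal `1SimplePw!`, and `ROOT_DEFAULT_PASSWORD` (defined outside this hunk) was presumably cleartext too, since it used to be given to `-P`. As written, the cleartext is copied verbatim into the shadow password field, so the accounts cannot log in with that password and the plaintext sits in the image's shadow file. The variables should hold a hash generated offline, for example with `openssl passwd -6`, with every `$` written as `\$` in the recipe, and a comment above them should say that a hash is required. A well-known default password in a hardening image is also worth replacing with a value the integrator is forced to set.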
diff --git a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
index 92e364caf7..8af6979fa4 100644
--- a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
+++ b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -4,5 +4,5 @@ SRC_URI:append:harden = " file://mountall.sh"
do_install:append:harden() {
install -d ${D}${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
+ install -m 0755 ${UNPACKDIR}/mountall.sh ${D}${sysconfdir}/init.d
}
diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md
index c333a9f120..6845c21baa 100644
--- a/meta-security/meta-integrity/README.md
+++ b/meta-security/meta-integrity/README.md
@@ -95,6 +95,8 @@ the image, enable image signing in the local.conf like this:
IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys"
IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+ IMA_EVM_EVMCTL_KEY_PASSWORD = "<optional private key password>"
+ IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>"
IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der"
IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
@@ -153,12 +155,7 @@ ima-evm-rootfs.bbclass:
IMA_EVM_KEY_DIR = "<full path>"
IMA_EVM_PRIVKEY = "<some other path/privkey_ima.pem>"
-By default, the entire file system gets signed. When using a policy which
-does not require that, the set of files to be labelled can be chosen
-by overriding the default "find" expression, for example like this:
-
- IMA_EVM_ROOTFS_FILES = "usr sbin bin lib -type f"
-
+By default, the entire file system gets signed.
2. Usage
========
diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
index 7b7337379c..7ec27519fa 100644
--- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
+++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass
@@ -8,6 +8,13 @@ IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET"
# using the example key directory.
IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem"
+# Additional option when signing. Allows to for example provide
+# --keyid <id> or --keyid-from-cert <filename>.
+IMA_EVM_PRIVKEY_KEYID_OPT ?= ""
+
+# Password for the private key
+IMA_EVM_EVMCTL_KEY_PASSWORD ?= ""
+
# Public part of certificates (used for both IMA and EVM).
# The default is okay when using the example key directory.
IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
@@ -19,11 +26,6 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der"
# ima-local-ca.x509 is what ima-gen-local-ca.sh creates.
IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem"
-# Sign all regular files by default.
-IMA_EVM_ROOTFS_SIGNED ?= ". -type f"
-# Hash nothing by default.
-IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false"
-
# Mount these file systems (identified via their mount point) with
# the iversion flags (needed by IMA when allowing writing).
IMA_EVM_ROOTFS_IVERSION ?= ""
@@ -73,8 +75,11 @@ ima_evm_sign_rootfs () {
exit 1
fi
+ export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}
+
bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}"
- evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
+ --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}"
# check signing key and signature verification key
evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1
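Review bot: The added `export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}` is unquoted, so a passphrase containing spaces or shell metacharacters is split or interpreted by the shell; `export EVMCTL_KEY_PASSWORD='${IMA_EVM_EVMCTL_KEY_PASSWORD}'` avoids that for everything except a literal single quote. Because BitBake substitutes the variable before the shell runs, the passphrase is presumably written in clear into the generated task script and shows up in `bitbake -e` output. The comment on the variable should therefore warn against setting it in shared configuration and say that the build directory and logs then hold the secret. Exporting it only when it is non-empty would also keep the environment unchanged for unencrypted keys. `ima_evm_sign_rootfs` begins and ends outside this hunk.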
@@ -87,7 +92,8 @@ ima_evm_sign_rootfs () {
install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy
bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}"
- evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy"
+ evmctl sign --imasig ${evmctl_param} --portable -a sha256 \
+ --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} "${IMAGE_ROOTFS}/etc/ima/ima-policy"
fi
# Optionally write the file names and ima and evm signatures into files
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index aab9652250..292ba21b02 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -20,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
# interactive shell is enough.
OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "nanbield scarthgap"
+LAYERSERIES_COMPAT_integrity = "styhead"
# ima-evm-utils depends on keyutils from meta-oe
LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
index 58cbe6e958..fed4609773 100644
--- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
+++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb
@@ -25,7 +25,7 @@ REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
install -d ${D}/init.d
- install ${WORKDIR}/ima ${D}/init.d/20-ima
+ install ${UNPACKDIR}/ima ${D}/init.d/20-ima
sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima
}
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
index 5f2244edc3..b9aa35242f 100644
--- a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb
@@ -4,12 +4,14 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
SRC_URI = " file://ima_policy_appraise_all"
+S = "${UNPACKDIR}"
+
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy
+ install ${UNPACKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy
}
FILES:${PN} = "${sysconfdir}/ima"
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
index 57c06400be..8f0df9bd06 100644
--- a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb
@@ -6,12 +6,14 @@ SRC_URI = " \
file://ima_policy_hashed \
"
+S = "${UNPACKDIR}"
+
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy
+ install ${UNPACKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy
}
FILES:${PN} = "${sysconfdir}/ima"
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
index 8fed410063..440ce892ed 100644
--- a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
+++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb
@@ -4,12 +4,14 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
SRC_URI = " file://ima_policy_simple"
+S = "${UNPACKDIR}"
+
inherit features_check
REQUIRED_DISTRO_FEATURES = "ima"
do_install () {
install -d ${D}/${sysconfdir}/ima
- install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy
+ install ${UNPACKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy
}
FILES:${PN} = "${sysconfdir}/ima"
diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf
index e9d02306c2..e59b60c832 100644
--- a/meta-security/meta-parsec/conf/layer.conf
+++ b/meta-security/meta-parsec/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "parsec-layer"
BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_parsec-layer = "5"
-LAYERSERIES_COMPAT_parsec-layer = "nanbield scarthgap"
+LAYERSERIES_COMPAT_parsec-layer = "styhead nanbield scarthgap"
LAYERDEPENDS_parsec-layer = "core clang-layer"
BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb
index 2d55c2460f..3aa0b0a592 100644
--- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb
+++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb
@@ -61,12 +61,12 @@ do_install () {
install -m 644 ${S}/systemd-daemon/parsec.service ${D}${systemd_unitdir}/system
install -d ${D}${libdir}/tmpfiles.d
- install -m 644 ${WORKDIR}/parsec-tmpfiles.conf ${D}${libdir}/tmpfiles.d
+ install -m 644 ${UNPACKDIR}/parsec-tmpfiles.conf ${D}${libdir}/tmpfiles.d
fi
if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/init.d
- install -m 755 ${WORKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec
+ install -m 755 ${UNPACKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec
# Data dir
install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec"
fi
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 58b61d4d2b..b8df817b7b 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_tpm-layer = "6"
-LAYERSERIES_COMPAT_tpm-layer = "nanbield scarthgap"
+LAYERSERIES_COMPAT_tpm-layer = "styhead"
LAYERDEPENDS_tpm-layer = " \
core \
diff --git a/meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb
index b47d53a689..816f382f5c 100644
--- a/meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb
@@ -22,7 +22,11 @@ SRC_URI = " \
inherit autotools-brokensep gettext
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
+
+# Compile failing with gcc-14
+CFLAGS += " -Wno-incompatible-pointer-types -Wno-stringop-truncation -Wno-error=implicit-function-declaration"
+BUILD_CFLAGS += " -Wno-incompatible-pointer-types -Wno-stringop-truncation -Wno-error=implicit-function-declaration"
do_configure:prepend () {
mkdir -p po
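Review bot: The new `CFLAGS` and `BUILD_CFLAGS` lines switch the `incompatible-pointer-types` and `stringop-truncation` diagnostics off entirely, rather than only demoting them from errors as the neighbouring `-Wno-error=implicit-function-declaration` does. These diagnostics tend to point at real defects (pointers passed through mismatched or undeclared prototypes, unterminated `strncpy` results), which matters in a tool that handles TPM keys and secrets. I would use `-Wno-error=incompatible-pointer-types` so the warnings stay visible in the compile log, and drop `-Wno-stringop-truncation` unless the build really uses `-Werror`. The comment should also name the failing files or an upstream issue, so the flags can be removed once the source is fixed.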
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.3.0.bb
index c98d4abf7f..57e284bd7f 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.3.0.bb
@@ -3,13 +3,19 @@ HOMEPAGE = "https://github.com/tpm2-software/tpm2-pytss"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
-SRC_URI[sha256sum] = "5b5b4b1456fdc1aeef3d2c3970beaa078c8f7f2648c97a69bcf60c5a2f95c897"
-
PYPI_PACKAGE = "tpm2-pytss"
-DEPENDS = "python3-pkgconfig-native python3-pycparser-native python3-asn1crypto-native"
-DEPENDS:append = " python3-cryptography-native tpm2-tss"
+SRC_URI[sha256sum] = "20071129379656f5f3c3bc16d364612672b147d81191fb4eb9f9ff9fbee48410"
+
+inherit autotools pkgconfig pypi python_setuptools_build_meta
-inherit autotools pkgconfig pypi setuptools3_legacy
+DEPENDS = " \
+ python3-setuptools-scm-native \
+ python3-asn1crypto-native \
+ python3-cryptography-native \
+ python3-pkgconfig-native \
+ python3-pycparser-native \
+ tpm2-tss \
+"
RDEPENDS:${PN} = "libtss2"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb
index 9bad758c24..bb422cf1dc 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb
@@ -8,7 +8,7 @@ DEPENDS = "tpm2-tss openssl curl"
SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz"
-SRC_URI[sha256sum] = "1fdb49c730537bfdaed088884881a61e3bfd121e957ec0bdceeec0261236c123"
+SRC_URI[sha256sum] = "3810d36b5079256f4f2f7ce552e22213d43b1031c131538df8a2dbc3c570983a"
UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases"
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.1.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.1.2.bb
index 9a57308b03..a27accac6d 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.1.2.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.1.2.bb
@@ -4,7 +4,7 @@ LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
SECTION = "tpm"
-DEPENDS = "autoconf-archive-native libgcrypt openssl"
+DEPENDS = "autoconf-archive-native openssl"
SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \
file://fixup_hosttools.patch \
@@ -92,6 +92,4 @@ FILES:${PN} = "\
${sysconfdir}/tpm2-tss \
${sysconfdir}/sysusers.d"
-RDEPENDS:libtss2 = "libgcrypt"
-
BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-security/recipes-compliance/lynis/lynis_3.1.1.bb b/meta-security/recipes-compliance/lynis/lynis_3.1.1.bb
index b69f4dfd6d..f6fddd0b20 100644
--- a/meta-security/recipes-compliance/lynis/lynis_3.1.1.bb
+++ b/meta-security/recipes-compliance/lynis/lynis_3.1.1.bb
@@ -12,7 +12,7 @@ SRC_URI[sha256sum] = "d72f4ee7325816bb8dbfcf31eb104207b9fe58a2493c2a875373746a71
#UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
-S = "${WORKDIR}/${BPN}"
+S = "${UNPACKDIR}/${BPN}"
inherit autotools-brokensep
diff --git a/meta-security/recipes-compliance/openscap/files/0001-CMakeLists.txt-fix-installation-directory-for-system.patch b/meta-security/recipes-compliance/openscap/files/0001-CMakeLists.txt-fix-installation-directory-for-system.patch
new file mode 100644
index 0000000000..87dd00be8c
--- /dev/null
+++ b/meta-security/recipes-compliance/openscap/files/0001-CMakeLists.txt-fix-installation-directory-for-system.patch
@@ -0,0 +1,29 @@
+From 887bd1b60720f02e937c57568d7ef4d3df4b00e8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 24 Jun 2024 11:27:30 +0800
+Subject: [PATCH] CMakeLists.txt: fix installation directory for systemd unit
+ file
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index fdeda6eb4..77645ecd4 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -637,7 +637,7 @@ if(NOT WIN32)
+ configure_file("oscap-remediate.service.in" "oscap-remediate.service" @ONLY)
+ install(FILES
+ ${CMAKE_CURRENT_BINARY_DIR}/oscap-remediate.service
+- DESTINATION ${CMAKE_INSTALL_PREFIX}/${SYSTEMD_UNITDIR}
++ DESTINATION ${SYSTEMD_UNITDIR}
+ )
+ endif()
+ endif()
+--
+2.25.1
+
diff --git a/meta-security/recipes-compliance/openscap/openscap_1.3.10.bb b/meta-security/recipes-compliance/openscap/openscap_1.4.0.bb
index d3e44a890f..de56e9dc6e 100644
--- a/meta-security/recipes-compliance/openscap/openscap_1.3.10.bb
+++ b/meta-security/recipes-compliance/openscap/openscap_1.4.0.bb
@@ -9,11 +9,13 @@ LICENSE = "LGPL-2.1-only"
DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig libpcre xmlsec1"
DEPENDS:class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native libpcre-native xmlsec1-native"
-#March 18th, 2024
-SRCREV = "6d008616978306ce5e68997dce554a1683064f8f"
-SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https "
+SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=main;protocol=https \
+ file://0001-CMakeLists.txt-fix-installation-directory-for-system.patch \
+ "
-S = "${WORKDIR}/git"
+SRCREV = "a01b5d6927c7bccf41d9c623fee0c5f7105db835"
+
+S = "${UNPACKDIR}/git"
inherit cmake pkgconfig python3native python3targetconfig perlnative systemd
@@ -24,7 +26,7 @@ PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm"
PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt"
PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss"
PACKAGECONFIG[selinux] = ", ,libselinux"
-PACKAGECONFIG[remdediate_service] = "-DENABLE_OSCAP_REMEDIATE_SERVICE=ON,-DENABLE_OSCAP_REMEDIATE_SERVICE=NO,"
+PACKAGECONFIG[remediate_service] = "-DENABLE_OSCAP_REMEDIATE_SERVICE=ON,-DENABLE_OSCAP_REMEDIATE_SERVICE=OFF,"
EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \
-DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \
@@ -47,14 +49,6 @@ do_configure:append:class-native () {
sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h
}
-do_install:append () {
- if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
- if ${@bb.utils.contains('PACKAGECONFIG','remdediate_service','true','false',d)}; then
- install -D -m 0644 ${B}/oscap-remediate.service ${D}${systemd_system_unitdir}/oscap-remediate.service
- fi
- fi
-}
-
do_install:class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
do_install:append:class-native () {
oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
@@ -64,7 +58,7 @@ do_install:append:class-native () {
SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE:${PN} = "${@bb.utils.contains('PACKAGECONFIG','remdediate_service', 'oscap-remediate.service', '',d)}"
+SYSTEMD_SERVICE:${PN} = "${@bb.utils.contains('PACKAGECONFIG','remediate_service', 'oscap-remediate.service', '',d)}"
SYSTEMD_AUTO_ENABLE = "disable"
diff --git a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.73.bb b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.74.bb
index 539b6cf745..23b18250fe 100644
--- a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.73.bb
+++ b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.74.bb
@@ -6,7 +6,7 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
LICENSE = "BSD-3-Clause"
-SRCREV = "2bf9d43840d3ed36a25262d4f45a4015f9b77d8d"
+SRCREV = "1bf21b05fa9581e8ca44e104e741e13fad3551ef"
SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=stable;protocol=https \
file://run_eval.sh \
file://run-ptest \
@@ -15,7 +15,7 @@ SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=stable;protocol=
DEPENDS = "openscap-native python3-pyyaml-native python3-jinja2-native libxml2-native expat-native coreutils-native"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
B = "${S}/build"
inherit cmake pkgconfig python3native python3targetconfig ptest
@@ -54,7 +54,7 @@ do_install_ptest() {
do
sed -e 's#${HOSTTOOLS_DIR}/##g' \
-e 's#${RECIPE_SYSROOT_NATIVE}##g' \
- -e 's#${WORKDIR}#${PTEST_PATH}#g' \
+ -e 's#${UNPACKDIR}#${PTEST_PATH}#g' \
-e 's#/.*/xmllint#/usr/bin/xmllint#g' \
-e 's#/.*/oscap#/usr/bin/oscap#g' \
-e 's#/python3-native##g' \
diff --git a/meta-security/recipes-ids/aide/aide/m4_allow.patch b/meta-security/recipes-ids/aide/aide/m4_allow.patch
new file mode 100644
index 0000000000..6f0b97bfdc
--- /dev/null
+++ b/meta-security/recipes-ids/aide/aide/m4_allow.patch
@@ -0,0 +1,40 @@
+Fixes build issues
+
+Upstream-Status: Inappropriate [next version has many changes to configure.ac]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: aide-0.18.8/configure.ac
+===================================================================
+--- aide-0.18.8.orig/configure.ac
++++ aide-0.18.8/configure.ac
+@@ -14,6 +14,7 @@ dnl The name of the configure h-file.
+ AC_CONFIG_HEADERS(include/config.h)
+
+ dnl Checks for programs.
++m4_pattern_allow([AC_MSG_ERROR])
+ AC_PROG_CC
+ if test "x$ac_cv_prog_cc_c99" = xno; then
+ AC_MSG_ERROR([AIDE needs a C99 compatible compiler])
+@@ -246,6 +247,7 @@ if test "$aide_static_choice" != "yes";
+ fi
+
+ dnl This macro is new in autoconf-2.13
++m4_pattern_allow([AC_DEFINE])
+ AC_SEARCH_LIBS(syslog, bsd socket inet, [AC_DEFINE(HAVE_SYSLOG,1,[syslog available?])])
+ AC_CHECK_FUNCS(vsyslog)
+
+@@ -320,14 +322,10 @@ fi
+ AC_CHECK_HEADERS(syslog.h inttypes.h fcntl.h ctype.h)
+
+ AIDE_PKG_CHECK_MANDATORY(pcre2, PCRE2, libpcre2-8)
+-
+ AC_MSG_CHECKING(for pthread for multithreading)
+ AC_ARG_WITH([pthread], AS_HELP_STRING([--with-pthread], [use pthread for multithreading (default: yes)]), [with_pthread=$withval], [with_pthread=yes])
+ AC_MSG_RESULT([$with_pthread])
+ compoptionstring="${compoptionstring}use pthread: $with_pthread\\n"
+-AS_IF([test x"$with_pthread" = xyes], [
+- AX_PTHREAD([AC_DEFINE(WITH_PTHREAD,1,[use pthread])], [AC_MSG_ERROR([AIDE requires pthread])])
+-])
+
+ AIDE_PKG_CHECK(zlib, zlib compression, yes, ZLIB, zlib)
+
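Review bot: The last inner hunk deletes the `AX_PTHREAD([AC_DEFINE(WITH_PTHREAD,1,[use pthread])], ...)` call, so nothing visible in configure.ac defines `WITH_PTHREAD` any more, while `compoptionstring` still records `use pthread: $with_pthread` and the recipe passes `--with-pthread`. If the AIDE sources key their worker threads on `WITH_PTHREAD`, the integrity checker would be built without them while reporting the opposite; keeping `AS_IF([test x"$with_pthread" = xyes], [AC_DEFINE(WITH_PTHREAD,1,[use pthread])])` would preserve the define without the macro that fails to expand. The two `m4_pattern_allow` lines only silence autoconf's complaint about an unexpanded macro name, which usually points at a missing macro file rather than a real fix, and they may be unnecessary once `AX_PTHREAD` is gone. The header text `Fixes build issues` should name the actual error so the patch can be dropped safely on the next upgrade.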
diff --git a/meta-security/recipes-ids/aide/aide_0.17.4.bb b/meta-security/recipes-ids/aide/aide_0.18.8.bb
index 52ddc43ff8..e2014a1ea6 100644
--- a/meta-security/recipes-ids/aide/aide_0.17.4.bb
+++ b/meta-security/recipes-ids/aide/aide_0.18.8.bb
@@ -3,18 +3,20 @@ HOMEPAGE = "https://aide.github.io"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
LICENSE = "GPL-2.0-only"
-DEPENDS = "bison-native libpcre"
+DEPENDS = "bison-native libpcre2"
SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
- file://aide.conf"
+ file://aide.conf \
+ file://m4_allow.patch \
+ "
-SRC_URI[sha256sum] = "c81505246f3ffc2e76036d43a77212ae82895b5881d9b9e25c1361b1a9b7a846"
+SRC_URI[sha256sum] = "16662dc632d17e2c5630b801752f97912a8e22697c065ebde175f1cc37b83a60"
UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
inherit autotools pkgconfig aide-base
-PACKAGECONFIG ??=" mhash zlib e2fsattrs posix capabilities curl \
+PACKAGECONFIG ??=" gcrypt zlib e2fsattrs posix capabilities curl pthread \
${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \
"
@@ -28,14 +30,14 @@ PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash"
PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs"
PACKAGECONFIG[capabilities] = "--with-capabilities, --without-capabilities, libcap, libcap"
PACKAGECONFIG[posix] = "--with-posix-acl, --without-posix-acl, acl, acl"
-
+PACKAGECONFIG[pthread] = "--with-pthread,"
do_install[nostamp] = "1"
do_install:append () {
install -d ${D}${libdir}/${PN}/logs
install -d ${D}${sysconfdir}
- install ${WORKDIR}/aide.conf ${D}${sysconfdir}/
+ install ${UNPACKDIR}/aide.conf ${D}${sysconfdir}/
for dir in ${AIDE_INCLUDE_DIRS}; do
echo "${dir} NORMAL" >> ${D}${sysconfdir}/aide.conf
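Review bot: `PACKAGECONFIG[pthread] = "--with-pthread,"` leaves the disable argument empty, so removing `pthread` from PACKAGECONFIG passes nothing to configure, and the `AC_ARG_WITH` shown in m4_allow.patch defaults `with_pthread` to yes. The option therefore cannot be turned off from the recipe. Use `PACKAGECONFIG[pthread] = "--with-pthread,--without-pthread"` so the switch works in both directions. The do_install:append body continues past the end of this hunk.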
@@ -50,7 +52,7 @@ do_install:class-native () {
install -d ${STAGING_AIDE_DIR}/lib/logs
install ${B}/aide ${STAGING_AIDE_DIR}/bin
- install ${WORKDIR}/aide.conf ${STAGING_AIDE_DIR}/
+ install ${UNPACKDIR}/aide.conf ${STAGING_AIDE_DIR}/
sed -i -s "s:\@\@define DBDIR.*:\@\@define DBDIR ${STAGING_AIDE_DIR}/lib:" ${STAGING_AIDE_DIR}/aide.conf
sed -i -e "s:\@\@define LOGDIR.*:\@\@define LOGDIR ${STAGING_AIDE_DIR}/lib/logs:" ${STAGING_AIDE_DIR}/aide.conf
diff --git a/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb b/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb
index 81f2b8fe84..deccecfef7 100644
--- a/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb
+++ b/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb
@@ -12,7 +12,7 @@ GO_IMPORT = "import"
inherit go
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
do_compile() {
export GOARCH="${TARGET_GOARCH}"
diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb
index 829715bc29..fbd1294792 100644
--- a/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb
+++ b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb
@@ -15,7 +15,7 @@ UPSTREAM_CHECK_COMMITS = "1"
inherit autotools-brokensep useradd
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
OSSEC_DIR="/var/ossec"
diff --git a/meta-security/recipes-ids/samhain/samhain.inc b/meta-security/recipes-ids/samhain/samhain.inc
index 61ec0da24c..65e6734b89 100644
--- a/meta-security/recipes-ids/samhain/samhain.inc
+++ b/meta-security/recipes-ids/samhain/samhain.inc
@@ -26,7 +26,7 @@ SRC_URI[sha256sum] = "ae6ee8eff3cb111b7fc14a57bcc258443dd0bcf1bfacfdf229935ed053
UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
-S = "${WORKDIR}/samhain-${PV}"
+S = "${UNPACKDIR}/samhain-${PV}"
inherit autotools-brokensep update-rc.d pkgconfig systemd
@@ -65,7 +65,7 @@ EXTRA_OEMAKE:append:mips64 = " CPPFLAGS+=-DCONFIG_ARCH_MIPS64=1"
do_unpack_samhain() {
cd ${UNPACKDIR}
- tar -xzvf samhain-${PV}.tar.gz -C ${WORKDIR}
+ tar -xzvf samhain-${PV}.tar.gz -C ${UNPACKDIR}
}
python do_unpack:append() {
diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch
new file mode 100644
index 0000000000..7e5d8e2708
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch
@@ -0,0 +1,53 @@
+From a6052dca1e27f3c8f96ec7be0fe7514c56a0d56f Mon Sep 17 00:00:00 2001
+From: Victor Julien <vjulien@oisf.net>
+Date: Tue, 4 Jun 2024 14:43:22 +0200
+Subject: [PATCH 1/4] defrag: don't use completed tracker
+
+When a Tracker is set up for a IPID, frags come in for it and it's
+reassembled and complete, the `DefragTracker::remove` flag is set. This
+is mean to tell the hash cleanup code to recyle the tracker and to let
+the lookup code skip the tracker during lookup.
+
+A logic error lead to the following scenario:
+
+1. there are sufficient frag trackers to make sure the hash table is
+ filled with trackers
+2. frags for a Packet with IPID X are processed correctly (X1)
+3. frags for a new Packet that also has IPID X come in quickly after the
+ first (X2).
+4. during the lookup, the frag for X2 hashes to a hash row that holds
+ more than one tracker
+5. as the trackers in hash row are evaluated, it finds the tracker for
+ X1, but since the `remove` bit is not checked, it is returned as the
+ tracker for X2.
+6. reassembly fails, as the tracker is already complete
+
+The logic error is that only for the first tracker in a row the `remove`
+bit was checked, leading to reuse to a closed tracker if there were more
+trackers in the hash row.
+
+Ticket: #7042.
+
+Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b]
+CVE: CVE-2024-37151
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/defrag-hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/defrag-hash.c b/src/defrag-hash.c
+index 2f19ce2..87d40f9 100644
+--- a/src/defrag-hash.c
++++ b/src/defrag-hash.c
+@@ -591,7 +591,7 @@ DefragTracker *DefragGetTrackerFromHash (Packet *p)
+ return dt;
+ }
+
+- if (DefragTrackerCompare(dt, p) != 0) {
++ if (!dt->remove && DefragTrackerCompare(dt, p) != 0) {
+ /* we found our tracker, lets put it on top of the
+ * hash list -- this rewards active trackers */
+ if (dt->hnext) {
+--
+2.44.0
+
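Review bot: The added `!dt->remove` test has no comment at the point of use, and the existing comment below it (`we found our tracker`) does not say why a tracker that compares equal can still be skipped. Suggest placing `/* a tracker flagged for removal is already reassembled; never hand it out again */` above the `if`. The loop and the rest of DefragGetTrackerFromHash lie outside the inner hunk, so whether `remove` is read under the same lock that protects its writer cannot be confirmed from this patch.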
diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-38534.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-38534.patch
new file mode 100644
index 0000000000..14a958cb11
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/files/CVE-2024-38534.patch
@@ -0,0 +1,44 @@
+From f1645ea911d4e90b1be8ee5863e8e1a665079cce Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Thu, 25 Apr 2024 21:24:33 +0200
+Subject: [PATCH 2/4] modbus: abort flow parsing on flood
+
+Ticket: 6987
+
+Let's not spend more resources for a flow which is trying to
+make us do it...
+
+(cherry picked from commit 37509e8e0ed097f8e0174df754835ac60584fc72)
+
+Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/a753cdbe84caee3b66d0bf49b2712d29a50d67ae]
+CVE: CVE-2024-38534
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ rust/src/modbus/modbus.rs | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/rust/src/modbus/modbus.rs b/rust/src/modbus/modbus.rs
+index 246e9ca..d2f7c6b 100644
+--- a/rust/src/modbus/modbus.rs
++++ b/rust/src/modbus/modbus.rs
+@@ -189,7 +189,7 @@ impl ModbusState {
+ None => {
+ let mut tx = match self.new_tx() {
+ Some(tx) => tx,
+- None => return AppLayerResult::ok(),
++ None => return AppLayerResult::err(),
+ };
+ tx.set_events_from_flags(&msg.error_flags);
+ tx.request = Some(msg);
+@@ -215,7 +215,7 @@ impl ModbusState {
+ None => {
+ let mut tx = match self.new_tx() {
+ Some(tx) => tx,
+- None => return AppLayerResult::ok(),
++ None => return AppLayerResult::err(),
+ };
+ if msg
+ .access_type
+--
+2.44.0
+
diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch
new file mode 100644
index 0000000000..7ac72c8b19
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch
@@ -0,0 +1,57 @@
+From 6b00dc36d7527f051c2346f03d20f8d9e5a60138 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Mon, 17 Jun 2024 16:30:49 +0200
+Subject: [PATCH 3/4] http2: do not expand duplicate headers
+
+Ticket: 7104
+
+As this can cause a big mamory allocation due to the quadratic
+nature of the HPACK compression.
+
+(cherry picked from commit 5bd17934df321b88f502d48afdd6cc8bad4787a7)
+
+Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/c82fa5ca0d1ce0bd8f936e0b860707a6571373b2]
+CVE: CVE-2024-38535
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ rust/src/http2/detect.rs | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/rust/src/http2/detect.rs b/rust/src/http2/detect.rs
+index 99261ad..9c2f8ab 100644
+--- a/rust/src/http2/detect.rs
++++ b/rust/src/http2/detect.rs
+@@ -432,11 +432,11 @@ pub fn http2_frames_get_header_value_vec(
+ if found == 0 {
+ vec.extend_from_slice(&block.value);
+ found = 1;
+- } else if found == 1 {
++ } else if found == 1 && Rc::strong_count(&block.name) <= 2 {
+ vec.extend_from_slice(&[b',', b' ']);
+ vec.extend_from_slice(&block.value);
+ found = 2;
+- } else {
++ } else if Rc::strong_count(&block.name) <= 2 {
+ vec.extend_from_slice(&[b',', b' ']);
+ vec.extend_from_slice(&block.value);
+ }
+@@ -469,14 +469,14 @@ fn http2_frames_get_header_value<'a>(
+ if found == 0 {
+ single = Ok(&block.value);
+ found = 1;
+- } else if found == 1 {
++ } else if found == 1 && Rc::strong_count(&block.name) <= 2 {
+ if let Ok(s) = single {
+ vec.extend_from_slice(s);
+ }
+ vec.extend_from_slice(&[b',', b' ']);
+ vec.extend_from_slice(&block.value);
+ found = 2;
+- } else {
++ } else if Rc::strong_count(&block.name) <= 2 {
+ vec.extend_from_slice(&[b',', b' ']);
+ vec.extend_from_slice(&block.value);
+ }
+--
+2.44.0
+
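Review bot: The cut-off in `Rc::strong_count(&block.name) <= 2` is unexplained in both functions it is added to (`http2_frames_get_header_value_vec` and `http2_frames_get_header_value`), so a maintainer cannot tell why 2 is the right bound or what holds the two references. Add a comment at each site stating what the counter tracks, for example `// more than two owners means this indexed header was repeated; do not copy it again`, worded to match the real ownership model. Values that fail the test are dropped from the joined buffer without any event being raised, so a rule matching on the combined header value no longer sees them; if that is the intended trade-off it should be stated in the same comment. Both function bodies extend beyond the inner hunks.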
diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-38535_pre.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-38535_pre.patch
new file mode 100644
index 0000000000..2aa42c465a
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/files/CVE-2024-38535_pre.patch
@@ -0,0 +1,292 @@
+From 390f09692eb99809c679d3f350c7cc185d163e1a Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Wed, 27 Mar 2024 14:33:54 +0100
+Subject: [PATCH] http2: use a reference counter for headers
+
+Ticket: 6892
+
+As HTTP hpack header compression allows one single byte to
+express a previously seen arbitrary-size header block (name+value)
+we should avoid to copy the vectors data, but just point
+to the same data, while reamining memory safe, even in the case
+of later headers eviction from the dybnamic table.
+
+Rust std solution is Rc, and the use of clone, so long as the
+data is accessed by only one thread.
+
+Note: This patch is needed to patch CVE-2024-38535 as it defines Rc.
+Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/390f09692eb99809c679d3f350c7cc185d163e1a]
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ rust/src/http2/detect.rs | 19 +++++++------
+ rust/src/http2/http2.rs | 2 +-
+ rust/src/http2/parser.rs | 61 +++++++++++++++++++++-------------------
+ 3 files changed, 43 insertions(+), 39 deletions(-)
+
+diff --git a/rust/src/http2/detect.rs b/rust/src/http2/detect.rs
+index 9c2f8ab..e068a17 100644
+--- a/rust/src/http2/detect.rs
++++ b/rust/src/http2/detect.rs
+@@ -23,6 +23,7 @@ use crate::core::Direction;
+ use crate::detect::uint::{detect_match_uint, DetectUintData};
+ use std::ffi::CStr;
+ use std::str::FromStr;
++use std::rc::Rc;
+
+ fn http2_tx_has_frametype(
+ tx: &mut HTTP2Transaction, direction: Direction, value: u8,
+@@ -404,7 +405,7 @@ fn http2_frames_get_header_firstvalue<'a>(
+ for frame in frames {
+ if let Some(blocks) = http2_header_blocks(frame) {
+ for block in blocks.iter() {
+- if block.name == name.as_bytes() {
++ if block.name.as_ref() == name.as_bytes() {
+ return Ok(&block.value);
+ }
+ }
+@@ -428,7 +429,7 @@ pub fn http2_frames_get_header_value_vec(
+ for frame in frames {
+ if let Some(blocks) = http2_header_blocks(frame) {
+ for block in blocks.iter() {
+- if block.name == name.as_bytes() {
++ if block.name.as_ref() == name.as_bytes() {
+ if found == 0 {
+ vec.extend_from_slice(&block.value);
+ found = 1;
+@@ -465,7 +466,7 @@ fn http2_frames_get_header_value<'a>(
+ for frame in frames {
+ if let Some(blocks) = http2_header_blocks(frame) {
+ for block in blocks.iter() {
+- if block.name == name.as_bytes() {
++ if block.name.as_ref() == name.as_bytes() {
+ if found == 0 {
+ single = Ok(&block.value);
+ found = 1;
+@@ -905,8 +906,8 @@ fn http2_tx_set_header(state: &mut HTTP2State, name: &[u8], input: &[u8]) {
+ };
+ let mut blocks = Vec::new();
+ let b = parser::HTTP2FrameHeaderBlock {
+- name: name.to_vec(),
+- value: input.to_vec(),
++ name: Rc::new(name.to_vec()),
++ value: Rc::new(input.to_vec()),
+ error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess,
+ sizeupdate: 0,
+ };
+@@ -1061,15 +1062,15 @@ mod tests {
+ };
+ let mut blocks = Vec::new();
+ let b = parser::HTTP2FrameHeaderBlock {
+- name: "Host".as_bytes().to_vec(),
+- value: "abc.com".as_bytes().to_vec(),
++ name: "Host".as_bytes().to_vec().into(),
++ value: "abc.com".as_bytes().to_vec().into(),
+ error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess,
+ sizeupdate: 0,
+ };
+ blocks.push(b);
+ let b2 = parser::HTTP2FrameHeaderBlock {
+- name: "Host".as_bytes().to_vec(),
+- value: "efg.net".as_bytes().to_vec(),
++ name: "Host".as_bytes().to_vec().into(),
++ value: "efg.net".as_bytes().to_vec().into(),
+ error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess,
+ sizeupdate: 0,
+ };
+diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs
+index 326030f..d14ca06 100644
+--- a/rust/src/http2/http2.rs
++++ b/rust/src/http2/http2.rs
+@@ -204,7 +204,7 @@ impl HTTP2Transaction {
+
+ fn handle_headers(&mut self, blocks: &[parser::HTTP2FrameHeaderBlock], dir: Direction) {
+ for block in blocks {
+- if block.name == b"content-encoding" {
++ if block.name.as_ref() == b"content-encoding" {
+ self.decoder.http2_encoding_fromvec(&block.value, dir);
+ }
+ }
+diff --git a/rust/src/http2/parser.rs b/rust/src/http2/parser.rs
+index adabeb2..1a46437 100644
+--- a/rust/src/http2/parser.rs
++++ b/rust/src/http2/parser.rs
+@@ -30,6 +30,7 @@ use nom7::sequence::tuple;
+ use nom7::{Err, IResult};
+ use std::fmt;
+ use std::str::FromStr;
++use std::rc::Rc;
+
+ #[repr(u8)]
+ #[derive(Clone, Copy, PartialEq, Eq, FromPrimitive, Debug)]
+@@ -295,8 +296,8 @@ fn http2_frame_header_static(n: u64, dyn_headers: &HTTP2DynTable) -> Option<HTTP
+ };
+ if !name.is_empty() {
+ return Some(HTTP2FrameHeaderBlock {
+- name: name.as_bytes().to_vec(),
+- value: value.as_bytes().to_vec(),
++ name: Rc::new(name.as_bytes().to_vec()),
++ value: Rc::new(value.as_bytes().to_vec()),
+ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess,
+ sizeupdate: 0,
+ });
+@@ -304,23 +305,23 @@ fn http2_frame_header_static(n: u64, dyn_headers: &HTTP2DynTable) -> Option<HTTP
+ //use dynamic table
+ if n == 0 {
+ return Some(HTTP2FrameHeaderBlock {
+- name: Vec::new(),
+- value: Vec::new(),
++ name: Rc::new(Vec::new()),
++ value: Rc::new(Vec::new()),
+ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIndex0,
+ sizeupdate: 0,
+ });
+ } else if dyn_headers.table.len() + HTTP2_STATIC_HEADERS_NUMBER < n as usize {
+ return Some(HTTP2FrameHeaderBlock {
+- name: Vec::new(),
+- value: Vec::new(),
++ name: Rc::new(Vec::new()),
++ value: Rc::new(Vec::new()),
+ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeNotIndexed,
+ sizeupdate: 0,
+ });
+ } else {
+ let indyn = dyn_headers.table.len() - (n as usize - HTTP2_STATIC_HEADERS_NUMBER);
+ let headcopy = HTTP2FrameHeaderBlock {
+- name: dyn_headers.table[indyn].name.to_vec(),
+- value: dyn_headers.table[indyn].value.to_vec(),
++ name: dyn_headers.table[indyn].name.clone(),
++ value: dyn_headers.table[indyn].value.clone(),
+ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess,
+ sizeupdate: 0,
+ };
+@@ -348,8 +349,10 @@ impl fmt::Display for HTTP2HeaderDecodeStatus {
+
+ #[derive(Clone, Debug)]
+ pub struct HTTP2FrameHeaderBlock {
+- pub name: Vec<u8>,
+- pub value: Vec<u8>,
++ // Use Rc reference counted so that indexed headers do not get copied.
++ // Otherwise, this leads to quadratic complexity in memory occupation.
++ pub name: Rc<Vec<u8>>,
++ pub value: Rc<Vec<u8>>,
+ pub error: HTTP2HeaderDecodeStatus,
+ pub sizeupdate: u64,
+ }
+@@ -391,7 +394,7 @@ fn http2_parse_headers_block_literal_common<'a>(
+ ) -> IResult<&'a [u8], HTTP2FrameHeaderBlock> {
+ let (i3, name, error) = if index == 0 {
+ match http2_parse_headers_block_string(input) {
+- Ok((r, n)) => Ok((r, n, HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)),
++ Ok((r, n)) => Ok((r, Rc::new(n), HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)),
+ Err(e) => Err(e),
+ }
+ } else {
+@@ -403,7 +406,7 @@ fn http2_parse_headers_block_literal_common<'a>(
+ )),
+ None => Ok((
+ input,
+- Vec::new(),
++ Rc::new(Vec::new()),
+ HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeNotIndexed,
+ )),
+ }
+@@ -413,7 +416,7 @@ fn http2_parse_headers_block_literal_common<'a>(
+ i4,
+ HTTP2FrameHeaderBlock {
+ name,
+- value,
++ value: Rc::new(value),
+ error,
+ sizeupdate: 0,
+ },
+@@ -435,8 +438,8 @@ fn http2_parse_headers_block_literal_incindex<'a>(
+ match r {
+ Ok((r, head)) => {
+ let headcopy = HTTP2FrameHeaderBlock {
+- name: head.name.to_vec(),
+- value: head.value.to_vec(),
++ name: head.name.clone(),
++ value: head.value.clone(),
+ error: head.error,
+ sizeupdate: 0,
+ };
+@@ -556,8 +559,8 @@ fn http2_parse_headers_block_dynamic_size<'a>(
+ return Ok((
+ i3,
+ HTTP2FrameHeaderBlock {
+- name: Vec::new(),
+- value: Vec::new(),
++ name: Rc::new(Vec::new()),
++ value: Rc::new(Vec::new()),
+ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSizeUpdate,
+ sizeupdate: maxsize2,
+ },
+@@ -614,8 +617,8 @@ fn http2_parse_headers_blocks<'a>(
+ // if we error from http2_parse_var_uint, we keep the first parsed headers
+ if err.code == ErrorKind::LengthValue {
+ blocks.push(HTTP2FrameHeaderBlock {
+- name: Vec::new(),
+- value: Vec::new(),
++ name: Rc::new(Vec::new()),
++ value: Rc::new(Vec::new()),
+ error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIntegerOverflow,
+ sizeupdate: 0,
+ });
+@@ -765,8 +768,8 @@ mod tests {
+ match r0 {
+ Ok((remainder, hd)) => {
+ // Check the first message.
+- assert_eq!(hd.name, ":method".as_bytes().to_vec());
+- assert_eq!(hd.value, "GET".as_bytes().to_vec());
++ assert_eq!(hd.name, ":method".as_bytes().to_vec().into());
++ assert_eq!(hd.value, "GET".as_bytes().to_vec().into());
+ // And we should have no bytes left.
+ assert_eq!(remainder.len(), 0);
+ }
+@@ -782,8 +785,8 @@ mod tests {
+ match r1 {
+ Ok((remainder, hd)) => {
+ // Check the first message.
+- assert_eq!(hd.name, "accept".as_bytes().to_vec());
+- assert_eq!(hd.value, "*/*".as_bytes().to_vec());
++ assert_eq!(hd.name, "accept".as_bytes().to_vec().into());
++ assert_eq!(hd.value, "*/*".as_bytes().to_vec().into());
+ // And we should have no bytes left.
+ assert_eq!(remainder.len(), 0);
+ assert_eq!(dynh.table.len(), 1);
+@@ -802,8 +805,8 @@ mod tests {
+ match result {
+ Ok((remainder, hd)) => {
+ // Check the first message.
+- assert_eq!(hd.name, ":authority".as_bytes().to_vec());
+- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec());
++ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into());
++ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into());
+ // And we should have no bytes left.
+ assert_eq!(remainder.len(), 0);
+ assert_eq!(dynh.table.len(), 2);
+@@ -820,8 +823,8 @@ mod tests {
+ match r3 {
+ Ok((remainder, hd)) => {
+ // same as before
+- assert_eq!(hd.name, ":authority".as_bytes().to_vec());
+- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec());
++ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into());
++ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into());
+ // And we should have no bytes left.
+ assert_eq!(remainder.len(), 0);
+ assert_eq!(dynh.table.len(), 2);
+@@ -856,8 +859,8 @@ mod tests {
+ match r2 {
+ Ok((remainder, hd)) => {
+ // Check the first message.
+- assert_eq!(hd.name, ":path".as_bytes().to_vec());
+- assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec());
++ assert_eq!(hd.name, ":path".as_bytes().to_vec().into());
++ assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec().into());
+ // And we should have no bytes left.
+ assert_eq!(remainder.len(), 0);
+ assert_eq!(dynh.table.len(), 2);
+--
+2.44.0
+
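Review bot: The `index 9c2f8ab..e068a17` line for rust/src/http2/detect.rs uses as its base the blob that CVE-2024-38535.patch produces (`index 99261ad..9c2f8ab`), so this prerequisite appears to have been generated on top of the fix although the recipe lists it first in SRC_URI. The context lines shown do not overlap the lines the fix changes, so it probably applies with offsets only. Regenerating the two patches as one series in apply order would keep index lines and offsets consistent and make a later rebase less likely to mis-apply silently.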
diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-38536.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-38536.patch
new file mode 100644
index 0000000000..2d4b3d78cf
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/files/CVE-2024-38536.patch
@@ -0,0 +1,40 @@
+From 4026bca7f04c419dd3f3ba17a1af17bbcbcf18bc Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Fri, 17 May 2024 09:39:52 +0200
+Subject: [PATCH 4/4] http: fix nul deref on memcap reached
+
+HttpRangeOpenFileAux may return NULL in different cases, including
+when memcap is reached.
+But is only caller did not check it before calling HttpRangeAppendData
+which would dereference the NULL value.
+
+Ticket: 7029
+(cherry picked from commit fd262df457f67f2174752dd6505ba2ed5911fd96)
+
+Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/2bd3bd0e318f19008e9fe068ab17277c530ffb92]
+CVE: CVE-2024-38536
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/app-layer-htp-range.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/app-layer-htp-range.c b/src/app-layer-htp-range.c
+index 3cdde35..f0d75a9 100644
+--- a/src/app-layer-htp-range.c
++++ b/src/app-layer-htp-range.c
+@@ -351,8 +351,10 @@ static HttpRangeContainerBlock *HttpRangeOpenFile(HttpRangeContainerFile *c, uin
+ {
+ HttpRangeContainerBlock *r =
+ HttpRangeOpenFileAux(c, start, end, total, sbcfg, name, name_len, flags);
+- if (HttpRangeAppendData(sbcfg, r, data, len) < 0) {
+- SCLogDebug("Failed to append data while opening");
++ if (r) {
++ if (HttpRangeAppendData(sbcfg, r, data, len) < 0) {
++ SCLogDebug("Failed to append data while opening");
++ }
+ }
+ return r;
+ }
+--
+2.44.0
+
diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-45797.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-45797.patch
new file mode 100644
index 0000000000..3db4625224
--- /dev/null
+++ b/meta-security/recipes-ids/suricata/files/CVE-2024-45797.patch
@@ -0,0 +1,148 @@
+From 0d550de551b91d5e57ba23e2b1e2c6430fad6818 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <contact@catenacyber.fr>
+Date: Mon, 12 Aug 2024 14:06:40 +0200
+Subject: [PATCH] headers: put a configurable limit on their numbers
+
+So as to avoid quadratic complexity
+
+Ticket: 7191
+
+Upstream-Status: Backport [https://github.com/OISF/libhtp/commit/0d550de551b91d5e57ba23e2b1e2c6430fad6818]
+CVE: CVE-2024-45797
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ htp/htp_config.c | 8 ++++++++
+ htp/htp_config.h | 8 ++++++++
+ htp/htp_config_private.h | 6 ++++++
+ htp/htp_core.h | 1 +
+ htp/htp_request_generic.c | 11 +++++++++++
+ htp/htp_response_generic.c | 10 ++++++++++
+ 6 files changed, 44 insertions(+)
+
+diff --git a/htp/htp_config.c b/htp/htp_config.c
+index 767458f..9e0eee3 100644
+--- a/htp/htp_config.c
++++ b/htp/htp_config.c
+@@ -145,6 +145,8 @@ static unsigned char bestfit_1252[] = {
+ 0xff, 0x5d, 0x7d, 0xff, 0x5e, 0x7e, 0x00, 0x00, 0x00
+ };
+
++#define HTP_HEADERS_LIMIT 1024
++
+ htp_cfg_t *htp_config_create(void) {
+ htp_cfg_t *cfg = calloc(1, sizeof (htp_cfg_t));
+ if (cfg == NULL) return NULL;
+@@ -163,6 +165,7 @@ htp_cfg_t *htp_config_create(void) {
+ cfg->response_lzma_layer_limit = 1; // default is only one layer
+ cfg->compression_bomb_limit = HTP_COMPRESSION_BOMB_LIMIT;
+ cfg->compression_time_limit = HTP_COMPRESSION_TIME_LIMIT_USEC;
++ cfg->number_headers_limit = HTP_HEADERS_LIMIT;
+ cfg->allow_space_uri = 0;
+
+ // Default settings for URL-encoded data.
+@@ -542,6 +545,11 @@ void htp_config_set_compression_time_limit(htp_cfg_t *cfg, size_t useclimit) {
+ }
+ }
+
++void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit) {
++ if (cfg == NULL) return;
++ cfg->number_headers_limit = limit;
++}
++
+ void htp_config_set_log_level(htp_cfg_t *cfg, enum htp_log_level_t log_level) {
+ if (cfg == NULL) return;
+ cfg->log_level = log_level;
+diff --git a/htp/htp_config.h b/htp/htp_config.h
+index d1365dc..ed0eaeb 100644
+--- a/htp/htp_config.h
++++ b/htp/htp_config.h
+@@ -466,6 +466,14 @@ void htp_config_set_compression_time_limit(htp_cfg_t *cfg, size_t useclimit);
+ */
+ void htp_config_set_log_level(htp_cfg_t *cfg, enum htp_log_level_t log_level);
+
++/**
++ * Configures the maximum number of headers LibHTP will accept per request or response.
++ *
++ * @param[in] cfg
++ * @param[in] limit
++ */
++void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit);
++
+ /**
+ * Configures how the server reacts to encoded NUL bytes. Some servers will stop at
+ * at NUL, while some will respond with 400 or 404. When the termination option is not
+diff --git a/htp/htp_config_private.h b/htp/htp_config_private.h
+index 5f1d60d..ecc8717 100644
+--- a/htp/htp_config_private.h
++++ b/htp/htp_config_private.h
+@@ -360,6 +360,12 @@ struct htp_cfg_t {
+
+ /** Whether to decompress compressed request bodies. */
+ int request_decompression_enabled;
++
++ /** Maximum number of transactions. */
++ uint32_t max_tx;
++
++ /** Maximum number of headers. */
++ uint32_t number_headers_limit;
+ };
+
+ #ifdef __cplusplus
+diff --git a/htp/htp_core.h b/htp/htp_core.h
+index e4c933e..7c23212 100644
+--- a/htp/htp_core.h
++++ b/htp/htp_core.h
+@@ -235,6 +235,7 @@ enum htp_file_source_t {
+ #define HTP_REQUEST_INVALID 0x100000000ULL
+ #define HTP_REQUEST_INVALID_C_L 0x200000000ULL
+ #define HTP_AUTH_INVALID 0x400000000ULL
++#define HTP_HEADERS_TOO_MANY 0x800000000ULL
+
+ #define HTP_MAX_HEADERS_REPETITIONS 64
+
+diff --git a/htp/htp_request_generic.c b/htp/htp_request_generic.c
+index 435cf0a..1350e57 100644
+--- a/htp/htp_request_generic.c
++++ b/htp/htp_request_generic.c
+@@ -120,6 +120,17 @@ htp_status_t htp_process_request_header_generic(htp_connp_t *connp, unsigned cha
+ bstr_free(h->value);
+ free(h);
+ } else {
++ if (htp_table_size(connp->in_tx->request_headers) > connp->cfg->number_headers_limit) {
++ if (!(connp->in_tx->flags & HTP_HEADERS_TOO_MANY)) {
++ connp->in_tx->flags |= HTP_HEADERS_TOO_MANY;
++ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many request headers");
++ }
++ bstr_free(h->name);
++ bstr_free(h->value);
++ free(h);
++ // give up on what comes next
++ return HTP_ERROR;
++ }
+ // Add as a new header.
+ if (htp_table_add(connp->in_tx->request_headers, h->name, h) != HTP_OK) {
+ bstr_free(h->name);
+diff --git a/htp/htp_response_generic.c b/htp/htp_response_generic.c
+index f5fa59e..69da625 100644
+--- a/htp/htp_response_generic.c
++++ b/htp/htp_response_generic.c
+@@ -321,6 +321,16 @@ htp_status_t htp_process_response_header_generic(htp_connp_t *connp, unsigned ch
+ bstr_free(h->value);
+ free(h);
+ } else {
++ if (htp_table_size(connp->out_tx->response_headers) > connp->cfg->number_headers_limit) {
++ if (!(connp->out_tx->flags & HTP_HEADERS_TOO_MANY)) {
++ connp->out_tx->flags |= HTP_HEADERS_TOO_MANY;
++ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many response headers");
++ }
++ bstr_free(h->name);
++ bstr_free(h->value);
++ free(h);
++ return HTP_ERROR;
++ }
+ // Add as a new header.
+ if (htp_table_add(connp->out_tx->response_headers, h->name, h) != HTP_OK) {
+ bstr_free(h->name);
+--
+2.25.1
+
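Review bot: Both new guards compare with `>` (in htp_process_request_header_generic and htp_process_response_header_generic), so a table already holding exactly `number_headers_limit` entries still accepts one more, while the htp_config.h comment documents the value as the maximum accepted. Using `>=` makes the code match the documented contract: `if (htp_table_size(connp->in_tx->request_headers) >= connp->cfg->number_headers_limit) {` and the same for `out_tx->response_headers`. The htp_config_private.h hunk also adds `uint32_t max_tx;`, which nothing in this patch reads or sets, so it stays 0 from `calloc`; it looks carried over from a different upstream change and should be dropped or explained. Nothing visible in this commit calls `htp_config_set_number_headers_limit`, so the effective bound appears to be the built-in `HTP_HEADERS_LIMIT` of 1024.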
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.45.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.45.bb
index cc8285ccbe..74a53df471 100644
--- a/meta-security/recipes-ids/suricata/libhtp_0.5.45.bb
+++ b/meta-security/recipes-ids/suricata/libhtp_0.5.45.bb
@@ -4,7 +4,9 @@ require suricata.inc
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
-SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
+SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x \
+ file://CVE-2024-45797.patch \
+ "
SRCREV = "8bdfe7b9d04e5e948c8fbaa7472e14d884cc00af"
DEPENDS = "zlib"
@@ -13,9 +15,9 @@ inherit autotools-brokensep pkgconfig
CFLAGS += "-D_DEFAULT_SOURCE"
-#S = "${WORKDIR}/suricata-${VER}/${BPN}"
+#S = "${UNPACKDIR}/suricata-${VER}/${BPN}"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
do_configure () {
cd ${S}
diff --git a/meta-security/recipes-ids/suricata/suricata_7.0.0.bb b/meta-security/recipes-ids/suricata/suricata_7.0.0.bb
index a01b3d937e..6e6c426041 100644
--- a/meta-security/recipes-ids/suricata/suricata_7.0.0.bb
+++ b/meta-security/recipes-ids/suricata/suricata_7.0.0.bb
@@ -16,6 +16,11 @@ SRC_URI += " \
file://suricata.service \
file://run-ptest \
file://fixup.patch \
+ file://CVE-2024-37151.patch \
+ file://CVE-2024-38534.patch \
+ file://CVE-2024-38535_pre.patch \
+ file://CVE-2024-38535.patch \
+ file://CVE-2024-38536.patch \
"
inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates
@@ -63,9 +68,11 @@ do_configure:prepend () {
# use host for RUST_SURICATA_LIB_XC_DIR
sed -i -e 's,\${host_alias},${RUST_HOST_SYS},' ${S}/configure.ac
sed -i -e 's,libsuricata_rust.a,libsuricata.a,' ${S}/configure.ac
- oe_runconf
+ autotools_do_configure
}
+CFLAGS += "-Wno-error=incompatible-pointer-types"
+
do_compile () {
# we do this to bypass the make provided by this pkg
# patches Makefile to skip the subdir
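Review bot: `CFLAGS += "-Wno-error=incompatible-pointer-types"` demotes a pointer-type mismatch diagnostic for every C file of a network-facing parser, and the recipe records neither the reason nor the source file that needs it. Mismatched pointer types can hide real memory-safety defects, so the preferred fix is a patch for the offending code with the flag removed. Failing that, add a comment that names the failing file and the toolchain version, for example `# needed for <file> with <compiler version>; drop when fixed upstream`, with the placeholders filled in. The do_compile body that follows continues outside this hunk.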
@@ -82,14 +89,14 @@ do_install () {
oe_runmake install DESTDIR=${D}
install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata
+ install -m 0644 ${UNPACKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata
install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/tmpfiles.d
- install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
+ install -m 0644 ${UNPACKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
install -d ${D}${systemd_unitdir}/system
sed -e s:/etc:${sysconfdir}:g \
@@ -98,7 +105,7 @@ do_install () {
-e s:/usr/bin:${bindir}:g \
-e s:/bin/kill:${base_bindir}/kill:g \
-e s:/usr/lib:${libdir}:g \
- ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
+ ${UNPACKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
fi
# Remove /var/run as it is created on startup
@@ -107,6 +114,10 @@ do_install () {
sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${bindir}/suricatasc
sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${bindir}/suricatactl
sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${libdir}/suricata/python/suricata/sc/suricatasc.py
+ # The build process dumps config logs into the binary, remove them.
+ sed -i -e 's#${RECIPE_SYSROOT}##g' ${D}${bindir}/suricata
+ sed -i -e 's#${RECIPE_SYSROOT_NATIVE}##g' ${D}${bindir}/suricata
+ sed -i -e 's#CFLAGS.*##g' ${D}${bindir}/suricata
}
pkg_postinst_ontarget:${PN} () {
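Review bot: The three added `sed -i` lines edit the installed ELF `${D}${bindir}/suricata` in place, and every substitution removes bytes, so the data after each match shifts. `s#CFLAGS.*##g` goes further and deletes up to the next newline byte, which in a binary is an arbitrary distance away. Offsets recorded in the ELF headers are not adjusted, so the result may be a damaged binary, and the `INSANE_SKIP:${PN} = "already-stripped"` added in the last hunk of this file may be hiding a symptom of that rather than a genuinely pre-stripped upstream build (not verifiable from the diff). Scrubbing the sysroot paths from the generated build-information text before do_compile would avoid touching the linked binary. The same pattern is added in the chipsec hunk (sed on `chipsec.ko`) and the krill hunk (sed over `${D}${bindir}/krill*`); do_install starts outside this hunk.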
@@ -124,3 +135,4 @@ FILES:${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
FILES:${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
CONFFILES:${PN} = "${sysconfdir}/suricata/suricata.yaml"
+INSANE_SKIP:${PN} = "already-stripped"
diff --git a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
index 9149e89232..e67d3c7d86 100644
--- a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
+++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -19,7 +19,7 @@ SRC_URI = "\
file://run-ptest \
"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
inherit autotools-brokensep update-rc.d ptest
@@ -43,11 +43,11 @@ do_install () {
install -m 0755 ${S}/bin/* ${D}${sbindir}
install -m 0644 ${S}/lib/* ${D}${base_libdir}
install -m 0644 ${S}/lib/* ${D}${localstatedir}/lib/${PN}
- install -m 0755 ${WORKDIR}/tripwire.cron ${D}${sysconfdir}
- install -m 0755 ${WORKDIR}/tripwire.sh ${D}${sysconfdir}/init.d/tripwire
- install -m 0755 ${WORKDIR}/twinstall.sh ${D}${sysconfdir}/${PN}
- install -m 0644 ${WORKDIR}/twpol-yocto.txt ${D}${sysconfdir}/${PN}/twpol.txt
- install -m 0644 ${WORKDIR}/twcfg.txt ${D}${sysconfdir}/${PN}
+ install -m 0755 ${UNPACKDIR}/tripwire.cron ${D}${sysconfdir}
+ install -m 0755 ${UNPACKDIR}/tripwire.sh ${D}${sysconfdir}/init.d/tripwire
+ install -m 0755 ${UNPACKDIR}/twinstall.sh ${D}${sysconfdir}/${PN}
+ install -m 0644 ${UNPACKDIR}/twpol-yocto.txt ${D}${sysconfdir}/${PN}/twpol.txt
+ install -m 0644 ${UNPACKDIR}/twcfg.txt ${D}${sysconfdir}/${PN}
install -m 0644 ${S}/man/man4/* ${D}${mandir}/man4
install -m 0644 ${S}/man/man5/* ${D}${mandir}/man5
@@ -57,7 +57,7 @@ do_install () {
install -m 0644 ${S}/policy/*txt ${D}${docdir}/${BPN}
install -m 0644 ${S}/COPYING ${D}${docdir}/${BPN}
install -m 0644 ${S}/TRADEMARK ${D}${docdir}/${BPN}
- install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN}
+ install -m 0644 ${UNPACKDIR}/tripwire.txt ${D}${docdir}/${BPN}
}
do_install_ptest:append () {
diff --git a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.7.bb b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.7.bb
index 020c3a1df3..751c04572d 100644
--- a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.7.bb
+++ b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.7.bb
@@ -13,7 +13,7 @@ SRC_URI = "git://github.com/lkrg-org/lkrg.git;protocol=https;branch=main"
SRCREV = "5dc5cfea1f4dc8febdd5274d99e277c17df06acc"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
inherit module kernel-module-split
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb
index fd649e400e..49ab7a7064 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb
@@ -22,7 +22,7 @@ SRC_URI = " \
"
SRCREV = "e69cb5047946818e6a9df326851483bb075a5cfe"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
PARALLEL_MAKE = ""
@@ -74,6 +74,8 @@ do_compile () {
}
do_install () {
+ sed -i -e 's#${RECIPE_SYSROOT}##g' ${B}/libraries/libapparmor/swig/perl/libapparmor_wrap.c
+
oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
oe_runmake -C ${B}/binutils DESTDIR="${D}" install
oe_runmake -C ${B}/utils DESTDIR="${D}" install
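Review bot: The added `sed -i -e 's#${RECIPE_SYSROOT}##g'` rewrites the generated SWIG wrapper `libapparmor_wrap.c` at the start of do_install, and no comment says which QA check it is meant to satisfy. If the wrapper was already compiled in do_compile, the edit either does not reach the shipped object or makes `make install` rebuild it because the source is now newer; neither can be confirmed from this hunk. I would move the line to the point where the wrapper has been generated but not yet compiled, with a comment such as `# SWIG embeds the sysroot path in the generated wrapper; strip it before compiling`.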
@@ -102,6 +104,9 @@ do_install () {
fi
chown root:root -R ${D}/${sysconfdir}/apparmor.d
chown root:root -R ${D}/${datadir}/apparmor
+
+ find ${D}${libdir}/perl5/ -type f -name ".packlist" -delete
+ find ${D}${PYTHON_SITEPACKAGES_DIR}/LibAppArmor/ -type f -name "_LibAppArmor*.so" -delete
}
#Building ptest on arm fails.
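Review bot: The second added `find … -name "_LibAppArmor*.so" -delete` removes what appears to be the native extension behind the Python LibAppArmor binding, and nothing explains why. If the Python-based AppArmor utilities are still packaged, they would presumably fail to import it on the target, so the line needs a comment stating the reason and whether the binding is meant to be unusable. Both `find` calls also exit non-zero when their start directory is missing, which would fail do_install if either binding is disabled elsewhere in the recipe (not visible here). Wrapping each in `if [ -d <dir> ]; then … fi` would avoid that. do_install starts outside this hunk.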
diff --git a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
index 8185e51047..a746c56ad5 100644
--- a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
+++ b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
@@ -12,7 +12,7 @@ SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz"
SRC_URI[sha256sum] = "7900126cf2dd8706c42c2c1ef7a37fd8b50f1505abd7d9c3d653dc390fb4d620"
-S = "${WORKDIR}/${BPN}"
+S = "${UNPACKDIR}/${BPN}"
inherit features_check
diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c
index 3c8921f131..248a5f6074 100644
--- a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c
+++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c
@@ -18,8 +18,10 @@
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.
#include <stdio.h>
+#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
+#include <sys/xattr.h>
#include <errno.h>
#include <netinet/in.h>
#include <unistd.h>
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c
index 976cbdc2fa..00bb548356 100644
--- a/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c
+++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c
@@ -18,8 +18,10 @@
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.
#include <sys/socket.h>
+#include <sys/xattr.h>
#include <stdlib.h>
#include <stdio.h>
+#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c
index 7d2fcf5258..32b544252a 100644
--- a/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c
+++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c
@@ -18,10 +18,13 @@
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.
#include <sys/socket.h>
+#include <sys/xattr.h>
#include <stdio.h>
+#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
+#include <unistd.h>
int main(int argc, char* argv[])
{
diff --git a/meta-security/recipes-perl/perl/lib-perl_0.63.bb b/meta-security/recipes-perl/perl/lib-perl_0.63.bb
index 25d0890d48..6fc44e4430 100644
--- a/meta-security/recipes-perl/perl/lib-perl_0.63.bb
+++ b/meta-security/recipes-perl/perl/lib-perl_0.63.bb
@@ -16,7 +16,7 @@ SRC_URI = "http://www.cpan.org/authors/id/S/SM/SMUELLER/lib-${PV}.tar.gz"
SRC_URI[md5sum] = "8607ac4e0d9d43585ec28312f52df67c"
SRC_URI[sha256sum] = "72f63db9220098e834d7a38231626bd0c9b802c1ec54a628e2df35f3818e5a00"
-S = "${WORKDIR}/lib-${PV}"
+S = "${UNPACKDIR}/lib-${PV}"
EXTRA_CPANFLAGS = "EXPATLIBPATH=${STAGING_LIBDIR} EXPATINCPATH=${STAGING_INCDIR}"
diff --git a/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb b/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
index c58d883554..2c32bfcf0b 100644
--- a/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
+++ b/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
@@ -11,7 +11,7 @@ SRC_URI = "http://sourceforge.net/projects/whisker/files/libwhisker/${PV}/libwhi
SRC_URI[md5sum] = "7cc1718dddde8f9a439d5622ae2f37eb"
SRC_URI[sha256sum] = "f45a1cf2ad2637b29dd1b13d7221ea12e3923ea09d107ced446400f19070a42f"
-S = "${WORKDIR}/libwhisker2-2.5"
+S = "${UNPACKDIR}/libwhisker2-2.5"
inherit cpan-base
diff --git a/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
index e547938b20..84f93da800 100644
--- a/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
+++ b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
@@ -21,6 +21,10 @@ ARPWATCH_GID ?= "arpwatch"
APRWATCH_FROM ?= "root "
ARPWATH_REPLY ?= "${ARPWATCH_UID}"
+# many configure tests are failing with gcc-14
+CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration"
+BUILD_CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration"
+
PACKAGECONFIG ??= ""
PACKAGECONFIG[email] = "-with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}, , postfix, postfix postfix-cfg"
@@ -60,9 +64,9 @@ do_install () {
install -d ${D}/var/lib/arpwatch
oe_runmake install DESTDIR=${D}
- install -m 644 ${WORKDIR}/arpwatch.conf ${D}${sysconfdir}
- install -m 655 ${WORKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch
- install -m 644 ${WORKDIR}/arpwatch.default ${D}${sysconfdir}/default
+ install -m 644 ${UNPACKDIR}/arpwatch.conf ${D}${sysconfdir}
+ install -m 655 ${UNPACKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch
+ install -m 644 ${UNPACKDIR}/arpwatch.default ${D}${sysconfdir}/default
}
INITSCRIPT_NAME = "arpwatch"
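Review bot: The rewritten init-script line keeps `install -m 655`, which gives the owner `rw-` but group and others `r-x`; that looks like a typo for 0755 rather than an intended mode. Since this line is being touched anyway, I would change it to `install -m 0755 ${UNPACKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch`. The two neighbouring `-m 644` lines could take a leading zero for consistency with the other recipes in this commit. do_install starts outside this hunk.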
diff --git a/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb b/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb
index 85884a770c..5d4de1065b 100644
--- a/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb
+++ b/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb
@@ -10,7 +10,7 @@ SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buc
SRC_URI[md5sum] = "611a3e9bb7ed8a8270aa15216c321c53"
SRC_URI[sha256sum] = "c533c6631ec3554dd8d39d2d1c3ed44badbbf50810ebb75469c74639fa294b01"
-S = "${WORKDIR}/${BPN}_${PV}"
+S = "${UNPACKDIR}/${BPN}_${PV}"
do_configure[noexec] = "1"
do_compile[noexec] = "1"
diff --git a/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb b/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb
index 1ba3721432..3712e683c9 100644
--- a/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb
+++ b/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=879b2147c754bc040c29e9c3b84da836"
SRCREV = "2753ebb89fcdc96433ae8a4c4e5a49214a845be2"
SRC_URI = "git://github.com/slimm609/checksec.sh;branch=main;protocol=https"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
do_install() {
install -d ${D}${bindir}
diff --git a/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb b/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb
index 102f26790a..48cc75cac8 100644
--- a/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb
+++ b/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb
@@ -21,7 +21,7 @@ SRC_URI = "git://github.com/Cisco-Talos/clamav;branch=rel/0.104;protocol=https \
file://headers_fixup.patch \
file://oe_cmake_fixup.patch \
"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
LEAD_SONAME = "libclamav.so"
SO_VER = "9.6.0"
@@ -58,9 +58,9 @@ do_install:append () {
install -d -o ${PN} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav
install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
- install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir}
- install -m 644 ${WORKDIR}/freshclam.conf ${D}/${prefix}/${sysconfdir}
- install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/03_clamav
+ install -m 644 ${UNPACKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir}
+ install -m 644 ${UNPACKDIR}/freshclam.conf ${D}/${prefix}/${sysconfdir}
+ install -m 0644 ${UNPACKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/03_clamav
sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc
rm ${D}/${libdir}/libclamav.so
if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then
@@ -71,7 +71,7 @@ do_install:append () {
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
install -d ${D}${sysconfdir}/tmpfiles.d
- install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf
+ install -m 0644 ${UNPACKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf
fi
oe_multilib_header clamav-types.h
}
diff --git a/meta-security/recipes-security/Firejail/firejail_0.9.72.bb b/meta-security/recipes-security/Firejail/firejail_0.9.72.bb
index 5713f466b4..10023c162a 100644
--- a/meta-security/recipes-security/Firejail/firejail_0.9.72.bb
+++ b/meta-security/recipes-security/Firejail/firejail_0.9.72.bb
@@ -16,7 +16,7 @@ SRC_URI = "git://github.com/netblue30/firejail.git;protocol=https;branch=master
DEPENDS = "libseccomp"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
inherit autotools-brokensep pkgconfig bash-completion features_check
diff --git a/meta-security/recipes-security/chipsec/chipsec_1.9.1.bb b/meta-security/recipes-security/chipsec/chipsec_1.9.1.bb
index 9fbdaa7a7c..213b047a97 100644
--- a/meta-security/recipes-security/chipsec/chipsec_1.9.1.bb
+++ b/meta-security/recipes-security/chipsec/chipsec_1.9.1.bb
@@ -12,7 +12,7 @@ DEPENDS = "virtual/kernel nasm-native"
SRC_URI = "git://github.com/chipsec/chipsec.git;branch=main;protocol=https"
SRCREV = "d8c2a606bf440c32196c6289a7a458f3ae3107cc"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
inherit module setuptools3
@@ -24,6 +24,9 @@ do_compile:append() {
}
do_install:append() {
+ sed -i -e 's#${S}##g' ${S}/drivers/linux/chipsec.ko
+ sed -i -e 's#${STAGING_KERNEL_BUILDDIR}##g' ${S}/drivers/linux/chipsec.ko
+ sed -i -e 's#${STAGING_KERNEL_DIR}##g' ${S}/drivers/linux/chipsec.ko
install -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux
}
@@ -32,3 +35,4 @@ COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
FILES:${PN} += "${exec_prefix}"
RDEPENDS:${PN} = "python3 python3-modules"
+INSANE_SKIP:${PN} = "already-stripped"
diff --git a/meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb b/meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb
index ea9593ba6c..c620c6e30f 100644
--- a/meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb
+++ b/meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb
@@ -20,12 +20,12 @@ inherit go goarch features_check
REQUIRED_DISTRO_FEATURES = "pam"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
do_compile() {
export GOARCH=${TARGET_GOARCH}
export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go"
- export GOPATH="${WORKDIR}/git"
+ export GOPATH="${UNPACKDIR}/git"
# Pass the needed cflags/ldflags so that cgo
# can find the needed headers files and libraries
diff --git a/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb b/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
index 3de2bfac86..cf03a1807d 100644
--- a/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
+++ b/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"
SRC_URI = "git://github.com/google/fscryptctl.git;branch=master;protocol=https"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
do_compile:prepend() {
sed -i 's/fscryptctl\.1//g' ${S}/Makefile
diff --git a/meta-security/recipes-security/glome/glome_git.bb b/meta-security/recipes-security/glome/glome_git.bb
index 8787ddc359..b99239ee22 100644
--- a/meta-security/recipes-security/glome/glome_git.bb
+++ b/meta-security/recipes-security/glome/glome_git.bb
@@ -10,7 +10,7 @@ inherit meson pkgconfig
DEPENDS += "openssl"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
SRC_URI = "git://github.com/google/glome.git;branch=master;protocol=https"
SRCREV = "48d28f82bd51ae4bccc84fbbee93c375b026596b"
diff --git a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
index 8a0b1ee8d9..ba0531c139 100644
--- a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
+++ b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
@@ -8,7 +8,7 @@ SRCREV = "962f353aac6cfc7b804547319db40f8b804f0b6c"
DEPENDS = "libpam"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
inherit autotools features_check
diff --git a/meta-security/recipes-security/isic/isic_0.07.bb b/meta-security/recipes-security/isic/isic_0.07.bb
index 28153e3b4e..d39184ef8d 100644
--- a/meta-security/recipes-security/isic/isic_0.07.bb
+++ b/meta-security/recipes-security/isic/isic_0.07.bb
@@ -17,12 +17,16 @@ SRC_URI = "http://prdownloads.sourceforge.net/isic/${BPN}-${PV}.tgz \
SRC_URI[md5sum] = "29f70c9bde9aa9128b8f7e66a315f9a4"
SRC_URI[sha256sum] = "e033c53e03e26a4c72b723e2a5a1c433ee70eb4d23a1ba0d7d7e14ee1a80429d"
-S="${WORKDIR}/${BPN}-${PV}"
+S="${UNPACKDIR}/${BPN}-${PV}"
inherit autotools-brokensep
EXTRA_OECONF += "--with-libnet-dir=${STAGING_DIR_HOST}${libdir} "
+# many configure tests are failing with gcc-14
+CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration"
+BUILD_CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration"
+
do_configure () {
oe_runconf
}
diff --git a/meta-security/recipes-security/krill/krill_0.12.3.bb b/meta-security/recipes-security/krill/krill_0.12.3.bb
index ee959c2e47..d5917a153b 100644
--- a/meta-security/recipes-security/krill/krill_0.12.3.bb
+++ b/meta-security/recipes-security/krill/krill_0.12.3.bb
@@ -15,7 +15,7 @@ include krill-crates.inc
UPSTREAM_CHECK_URI = "https://github.com/NLnetLabs/${BPN}/releases"
UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
CARGO_SRC_DIR = ""
inherit pkgconfig useradd systemd cargo cargo-update-recipe-crates
@@ -26,6 +26,7 @@ do_install:append () {
install -m 664 ${S}/defaults/krill.conf ${D}${sysconfdir}/.
install ${S}/defaults/* ${D}${datadir}/krill/.
+ find ${D}${bindir}/ -name "krill*" -exec sed -i -e 's#${CARGO_HOME}/bitbake##g' {} +
}
KRILL_UID ?= "krill"
@@ -38,5 +39,6 @@ USERADD_PARAM:${PN} = "--system -g ${KRILL_GID} --home-dir \
--shell /sbin/nologin ${BPN}"
FILES:${PN} += "{sysconfdir}/defaults ${datadir}"
+INSANE_SKIP:${PN} = "already-stripped"
COMPATIBLE_HOST = "(i.86|x86_64|aarch64).*-linux"
diff --git a/meta-security/recipes-security/libest/libest_3.2.0.bb b/meta-security/recipes-security/libest/libest_3.2.0.bb
index b4c61654f1..04bfcee82d 100644
--- a/meta-security/recipes-security/libest/libest_3.2.0.bb
+++ b/meta-security/recipes-security/libest/libest_3.2.0.bb
@@ -20,7 +20,7 @@ EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}"
CFLAGS += "-fcommon"
LDFLAGS:append:libc-musl = " -lexecinfo"
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
PACKAGES = "${PN} ${PN}-dbg ${PN}-dev"
diff --git a/meta-security/recipes-security/libgssglue/libgssglue_0.8.bb b/meta-security/recipes-security/libgssglue/libgssglue_0.8.bb
index 9d019648e7..e534615974 100644
--- a/meta-security/recipes-security/libgssglue/libgssglue_0.8.bb
+++ b/meta-security/recipes-security/libgssglue/libgssglue_0.8.bb
@@ -21,11 +21,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=56871e72a5c475289c0d5e4ba3f2ee3a \
file://src/oid_ops.c;beginline=378;endline=398;md5=72457a5cdc0354cb5c25c8b150326364\
"
-SRC_URI = "${DEBIAN_MIRROR}/main/libg/${BPN}/${BPN}_${PV}.orig.tar.gz \
+SRC_URI = "git://gitlab.com/gsasl/libgssglue.git;protocol=https;branch=master \
file://libgssglue-canon-name.patch \
"
+SRCREV = "c8b4b2936b854a7d4f7ef12e30d6f519b30dec87"
-SRC_URI[sha256sum] = "a2bb183e946f6e30562a2a856950a2916c9b6d42c34d67a8400e4efc28917746"
+S = "${WORKDIR}/git"
inherit autotools-brokensep
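Review bot: The newly added `S = "${WORKDIR}/git"` is the only source directory in this commit that still points at WORKDIR; every other recipe here was moved to `${UNPACKDIR}/git`, so this one will likely not match where the fetcher unpacks. It should read `S = "${UNPACKDIR}/git"`. The switch from a checksummed Debian tarball to a git fetch pinned by SRCREV keeps the source integrity-pinned, but nothing visible ties that commit to the 0.8 in the recipe name. A short comment naming the tag or release the SRCREV corresponds to would help reviewers of later bumps.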
diff --git a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
index f725a26bc2..f5518d2cef 100644
--- a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
+++ b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
@@ -10,7 +10,7 @@ HOMEPAGE = "http://mhash.sourceforge.net/"
LICENSE = "LGPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7"
-S = "${WORKDIR}/mhash-${PV}"
+S = "${UNPACKDIR}/mhash-${PV}"
SECTION = "libs"
diff --git a/meta-security/recipes-security/libmspack/libmspack_1.11.bb b/meta-security/recipes-security/libmspack/libmspack_1.11.bb
index 59df84b73e..338701efca 100644
--- a/meta-security/recipes-security/libmspack/libmspack_1.11.bb
+++ b/meta-security/recipes-security/libmspack/libmspack_1.11.bb
@@ -11,6 +11,6 @@ SRC_URI = "git://github.com/kyz/libmspack.git;branch=master;protocol=https"
inherit autotools
-S = "${WORKDIR}/git/${BPN}"
+S = "${UNPACKDIR}/git/${BPN}"
inherit autotools
diff --git a/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/meta-security/recipes-security/ncrack/ncrack_0.7.bb
index 8e6b444a2f..881ee38c85 100644
--- a/meta-security/recipes-security/ncrack/ncrack_0.7.bb
+++ b/meta-security/recipes-security/ncrack/ncrack_0.7.bb
@@ -13,6 +13,6 @@ DEPENDS = "openssl zlib"
inherit autotools-brokensep
-S = "${WORKDIR}/git"
+S = "${UNPACKDIR}/git"
INSANE_SKIP:${PN} = "already-stripped"