41 files changed, 963 insertions, 179 deletions

diff --git a/documentation/migration-guides/migration-5.3.rst b/documentation/migration-guides/migration-5.3.rst
index 985712cb22..e59bc8c638 100644
--- a/documentation/migration-guides/migration-5.3.rst
+++ b/documentation/migration-guides/migration-5.3.rst
@@ -134,10 +134,20 @@ To set back the "mac" policy in systemd (version 257.8 at the time of writing
 this note), you should set the ``NamePolicy`` and ``AlternativeNamesPolicy`` as
 detailed in :manpage:`systemd.link(5)`.
 
+Removal of unlicensed Linux kernel firmware
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+By default, the ``linux-firmware`` recipe now excludes firmware that do not
+provide any license information. The recipe holds an internal list of firmware
+to exclude via a variable named ``REMOVE_UNLICENSED``, this variable may be
+overridden if unlicensed firmware is needed. See :oe_git:`the recipe
+</openembedded-core/tree/meta/recipes-kernel/linux-firmware>` for a complete
+overview of the removed firmware.
+
 Supported kernel versions
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
-The :term:`OLDEST_KERNEL` setting is XXX in this release, meaning that
+The :term:`OLDEST_KERNEL` setting is 5.15 in this release, meaning that
 out the box, older kernels are not supported. See :ref:`4.3 migration notes
 <migration-4.3-supported-kernel-versions>` for details.
 
@@ -147,7 +157,9 @@ Supported distributions
 Compared to the previous releases, running BitBake is supported on new
 GNU/Linux distributions:
 
--  XXX
+-  Debian 13 (Trixie)
+-  Fedora 42
+-  Ubuntu 25.04
 
 On the other hand, some earlier distributions are no longer supported:
 
@@ -174,6 +186,10 @@ The following variables have been removed:
    :term:`BitBake` invocation and replace it with information about what was
    built during the build. This was partly broken and hard to maintain.
 
+-  ``GPE_MIRROR``: this variable used to contain the
+   "http://gpe.linuxtogo.org/download/source" URL, but was not used by any
+   recipe in OE-Core.
+
 Removed recipes
 ~~~~~~~~~~~~~~~
 
@@ -195,6 +211,11 @@ The following recipes have been removed in this release:
 -  ``xf86-input-vmmouse``: It has a runtime dependency on ``xf86-input-mouse``,
    which stopped supporting Linux.
 
+-  ``babeltrace``: Removed in favour of ``babeltrace2``.
+
+-  ``cwautomacros``: A long-obsolete set of custom :ref:`ref-classes-autotools`
+   macros, not used by any other recipe.
+
 Removed :term:`PACKAGECONFIG` entries
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -206,6 +227,8 @@ Removed :term:`PACKAGECONFIG` entries
 
 -  ``mesa``: ``kmsro``, ``osmesa``, ``xa``
 
+-  ``systemd``: ``dbus``
+
 Removed classes
 ~~~~~~~~~~~~~~~
 
@@ -269,4 +292,22 @@ Miscellaneous changes
 -  ``xserver-xorg``: remove sub-package ``${PN}-xwayland``, as ``xwayland`` is
    now its own recipe.
 
--  The Wic-specific option ``--extra-space`` has been renamed to ``--extra-filesystem-space``.
\ No newline at end of file
+-  ``gdk-pixbuf``: drop the ``GDK_PIXBUF_LOADERS`` variable, which was part of
+   the recipe's :term:`PACKAGECONFIG`. Instead the :term:`PACKAGECONFIG` can be
+   modified directly to achieve the same result.
+
+-  Remove the ``meta/conf/distro/include/distro_alias.inc`` include file,
+   which associated a recipe name to one or more Distribution package name.
+   This file is not used and maintained anymore.
+
+-  Remove the ``nghttp2-proxy`` package from the ``nghttp2`` recipe as the
+   ``nghttp2-proxy`` package became empty after an upgrade that makes it a
+   library recipe only (due to
+   :term:`EXTRA_OEMAKE` containing ``-DENABLE_APP=OFF`` by default in the
+   recipe).
+
+-  Remove the ``util-linux-fcntl-lock`` package (in the ``util-linux`` recipe) as
+   ``util-linux`` now supports the ``--fcntl`` flag for the ``flock`` command.
+
+   Recipes currently using the ``fcntl-lock`` command should replace these by
+   ``flock --fcntl``.
diff --git a/documentation/migration-guides/release-notes-5.3.rst b/documentation/migration-guides/release-notes-5.3.rst
index 66c88fcb48..5cd875e9b5 100644
--- a/documentation/migration-guides/release-notes-5.3.rst
+++ b/documentation/migration-guides/release-notes-5.3.rst
@@ -11,10 +11,21 @@ Release notes for |yocto-ver| (|yocto-codename|)
 New Features / Enhancements in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
--  Linux kernel XXX, gcc 15, glibc XXX, LLVM XXX, and over XXX other
+-  Linux kernel 6.16, gcc 15, glibc 2.42, LLVM 21.1.1, and over 300 other
    recipe upgrades.
 
--  Minimum Python version required on the host: XXX.
+-  Minimum Python version required on the host: 3.9.
+
+-  Host requirements changes:
+
+   -  The minimum disk space requirement is now 140Gbytes (previously 90Gbytes).
+
+   -  The minimum RAM requirement is now 32Gbytes (previously 8Gbytes).
+
+   -  These changes are mainly due to recent additions of the LLVM and other
+      resource heavy recipes. For guidance on how to limit the resources used by
+      the :term:`OpenEmbedded Build System`, see the
+      :doc:`/dev-manual/limiting-resources` guide.
 
 -  BitBake changes:
 
@@ -36,10 +47,18 @@ New Features / Enhancements in |yocto-ver|
       -  ``az``: Add sanity check to check that :term:`AZ_SAS` starts with ``?``
          to mark the start of the query parameters.
 
-      -  ``git``: Add the tag to shallow clone tarball name.
+      -  ``git``:
+
+         -  Add the tag to shallow clone tarball name.
+         -  Verify if local clones contains a tag, when the ``tag=`` parameter
+            is used in :term:`SRC_URI`.
+
+   -  ``knotty``:
+
+      -  Pass failed task logs through the log infrastructure (use
+         ``bb.plain()`` instead of ``print()``).
 
-   -  ``knotty``: pass failed task logs through the log infrastructure (use
-      ``bb.plain()`` instead of ``print()``)
+      -  Improve refresh rate of the footer progress bar.
 
    -  Add support for automatically promoting class inherits to deferred
       inherits by listing them in the :term:`BB_DEFER_BBCLASSES` variable.
@@ -92,6 +111,17 @@ New Features / Enhancements in |yocto-ver|
       :term:`BitBake` to specify what to profile. Can be "main", "idle" or
       "parsing". Split the reports in separate files.
 
+   -  A "filtering" functionality was added and allows modifying the value of a
+      variable before its value is returned by :term:`BitBake`. The
+      ``setVarFilter`` API can be used for applying the filters, but it is
+      **not** recommended for general use. It was added for internal use in
+      the :term:`OpenEmbedded Build System` in the :ref:`ref-classes-native`
+      class. The list of filters that are allowed are derived from a select
+      list of functions that must be added using a ``filter_proc`` decorator.
+
+   -  ``tests/parse``: Add tests for ``include``, ``require`` and
+      ``include_all``.
+
 -  Toolchain changes:
 
    -  The Clang/LLVM toolchain can now be used as part of the build.
@@ -106,6 +136,12 @@ New Features / Enhancements in |yocto-ver|
       The toolchain is also customizable on a per-recipe basis, using the
       :term:`TOOLCHAIN` and :term:`TOOLCHAIN_NATIVE` variables.
 
+      .. warning::
+
+         The :term:`TOOLCHAIN` should **not** be set globally. For overriding
+         the toolchain globally, use :term:`PREFERRED_TOOLCHAIN_TARGET`,
+         :term:`PREFERRED_TOOLCHAIN_NATIVE` and :term:`PREFERRED_TOOLCHAIN_SDK`.
+
    -  Multiple recipes were pinned to use the GCC/Binutils toolchain as they do
       not support being built with Clang/LLVM yet. In these recipes the
       :term:`TOOLCHAIN` variable is set to "gcc".
@@ -119,14 +155,42 @@ New Features / Enhancements in |yocto-ver|
    -  ``bitbake.conf``: Drop ``lz4`` from :term:`HOSTTOOLS`, as it is not
       required anymore, and the ``lz4-native`` package is used instead.
 
-   -  ``conf/fragments``: add a fragment for the CDN :ref:`sstate-cache
-      <overview-manual/concepts:shared state cache>` mirror.
+   -  :term:`Configuration Fragments <Configuration Fragment>`:
+
+      -  Add a fragment for the `CDN` :ref:`sstate-cache
+         <overview-manual/concepts:shared state cache>` mirror.
+
+      -  Add a ``show-fragments`` sub-command to the
+         :oe_git:`bitbake-config-build </bitbake/tree/bin/bitbake-config-build>`
+         utility, to show the content of fragments from command-line.
 
    -  ``default-distrovars``: set an empty default for :term:`LICENSE_PATH`.
 
    -  The default definition of :term:`UNPACKDIR` is no longer
       ``sources-unpack`` but ``sources``.
 
+   -  The default value for :term:`IMAGE_FSTYPES` (defined in
+      :oe_git:`bitbake.conf </openembedded-core/tree/meta/conf/bitbake.conf>`)
+      is now ``tar.zst`` (previously ``tar.gz``).
+
+   -  Remove the ``meta/conf/distro/include/distro_alias.inc`` include file,
+      which associated a recipe name to one or more Distribution package name.
+      This file is not used and maintained anymore.
+
+   -  A new configuration file :ref:`structure-build-conf-toolcfg.conf` is now
+      used by :oe_git:`bitbake-config-build </bitbake/tree/bin/bitbake-config-build>`
+      to manage :term:`Configuration Fragments <Configuration Fragment>`.
+
+   -  ``bitbake.conf``: add :term:`TMPDIR` to the ``GIT_CEILING_DIRECTORIES``
+      Git variable. This avoids Git trying to find a repository higher than
+      :term:`TMPDIR` in recipes that use the :ref:`structure-build-work-shared`
+      directory for storing their sources. This fixes reproducibility issues.
+
+   -  Changes to the ``genericarm64`` machine configuration:
+
+      -  Increase the :term:`Initramfs` maximum size.
+      -  Install extra Linux firmware packages to fix Linux kernel warnings.
+
 -  New variables:
 
    -  The ``VIRTUAL-RUNTIME_dbus`` variable, to allow changing the runtime
@@ -159,6 +223,11 @@ New Features / Enhancements in |yocto-ver|
       deployed filenames. Users can now override :term:`UBOOT_VERSION` to
       changes the output filenames.
 
+   -  The :term:`UBOOT_MAKE_OPTS` variable specifies extra options passed to
+      ``make`` when building U-boot. Extra options can also be passed as the
+      fourth argument of the :term:`UBOOT_CONFIG` variable. See the
+      documentation of :ref:`ref-classes-uboot-config` class for more details.
+
 -  Kernel-related changes:
 
    -  ``linux/generate-cve-exclusions``: use data from CVEProject instead of
@@ -186,6 +255,8 @@ New Features / Enhancements in |yocto-ver|
    -  ``linux-yocto``: when built for RISC-V, enable features in
       :term:`KERNEL_FEATURES` based on features listed in :term:`TUNE_FEATURES`.
 
+   -  ``perf``: Enable ``coresight`` if enabled in :term:`MACHINE_FEATURES`.
+
 -  New core recipes:
 
    -  ``python3-pdm``, ``python3-pdm-backend`` and ``python3-pdm-build-locked``,
@@ -210,6 +281,13 @@ New Features / Enhancements in |yocto-ver|
       to code blocks in Sphinx. It is part of ``buildtools-docs-tarball`` for later
       use in the Yocto Project documentation.
 
+   -  ``python3-coherent-licensed``: License management tooling for `Coherent
+      System` and skeleton projects. It became a new dependency of
+      ``python3-zipp``.
+
+   -  ``gn``: a commonly used build tool to generate `ninja
+      <https://ninja-build.org/>`__ files.
+
    -  LLVM/Clang related recipes:
 
       -  ``clang``: LLVM based C/C++ compiler.
@@ -225,11 +303,15 @@ New Features / Enhancements in |yocto-ver|
       -  ``llvm-tblgen-native``: LLVM TableGen binaries for the build host,
          often used to build LLVM projects.
 
+      -  ``lld``: the LLVM Linker.
+
       -  ``lldb``: LLDB debugger for LLVM projects.
 
       -  ``llvm-project-source``: canonical git mirror of the LLVM subversion
          repository.
 
+      -  ``llvm``: The LLVM Compiler Infrastructure.
+
       -  ``openmp``: LLVM OpenMP compiler Runtime.
 
   -  ``kernel-signing-keys-native``: this recipe is used in the
@@ -242,6 +324,9 @@ New Features / Enhancements in |yocto-ver|
    -  ``glvnd``, which enables OpenGL Vendor Neutral Dispatch Library
       support when using recipes such as ``mesa``.
 
+   -  ``opencl``: support for the :wikipedia:`OpenCL (Open Computing Language)
+      <OpenCL>` framework.
+
 -  New core classes:
 
    -  The new :ref:`ref-classes-kernel-fit-image` class replaces the previous
@@ -255,6 +340,10 @@ New Features / Enhancements in |yocto-ver|
       maintain Go recipes that use a ``BPN-go-mods.inc`` and
       ``BPN-licenses.inc`` and update these files automatically.
 
+   -  The new :ref:`ref-classes-python_pdm` class supports building Python
+      recipes with the `PDM <https://pdm-project.org/>`__ package and dependency
+      manager.
+
 -  Architecture-specific changes:
 
    -  Rework the RISC-V :term:`TUNE_FEATURES` to make them based of the RISC-V
@@ -299,6 +388,16 @@ New Features / Enhancements in |yocto-ver|
       </openembedded-core/tree/meta/conf/machine/include/riscv/README>` for more
       information.
 
+   -  Add support for new Arm64 instruction sets, which are represented as files
+      to be included in :term:`MACHINE` configuration in :term:`OpenEmbedded-Core
+      (OE-Core)`. The new configuration files are:
+
+      -  :oe_git:`conf/machine/include/arm/arch-armv8-7a.inc </openembedded-core/tree/meta/conf/machine/include/arm/arch-armv8-7a.inc>`
+      -  :oe_git:`conf/machine/include/arm/arch-armv8-8a.inc </openembedded-core/tree/meta/conf/machine/include/arm/arch-armv8-8a.inc>`
+      -  :oe_git:`conf/machine/include/arm/arch-armv9-1a.inc </openembedded-core/tree/meta/conf/machine/include/arm/arch-armv9-1a.inc>`
+      -  :oe_git:`conf/machine/include/arm/arch-armv9-2a.inc </openembedded-core/tree/meta/conf/machine/include/arm/arch-armv9-2a.inc>`
+      -  :oe_git:`conf/machine/include/arm/arch-armv9-3a.inc </openembedded-core/tree/meta/conf/machine/include/arm/arch-armv9-3a.inc>`
+
    -  ``arch-mips.inc``: Use ``-EB``/``-EL`` for denoting Endianness.
 
    -  Enable ``riscv32`` as supported arch for ``musl`` systems.
@@ -306,6 +405,15 @@ New Features / Enhancements in |yocto-ver|
    -  Powerpc: Use ``-maltivec`` in compiler flags if ``altivec`` is in
       :term:`TUNE_FEATURES`.
 
+   -  ``arm``: add a ``nocrypto`` feature to :term:`TUNE_FEATURES` to complement
+      the ``crypto`` feature to explicitly disable cryptographic extensions via
+      `GCC` flags.
+
+      This lead to the creation of two new tunes:
+
+      -  ``tune-cortexa72-nocrypto``
+      -  ``tune-cortexa53-nocrypto``
+
 -  QEMU / ``runqemu`` changes:
 
    -  Refactor :ref:`ref-classes-qemu` functions into library functions (in
@@ -330,19 +438,40 @@ New Features / Enhancements in |yocto-ver|
       machine's CPU must also be recent enough to support these instructions
       natively.
 
-   -  ``runqemu`` can now run compressed images with snapshot mode. For example,
-      with ``IMAGE_FSTYPES = "... ext4.zst ..."``, you can run::
+   -  ``runqemu``:
+
+      -  The script can now run compressed images with snapshot mode. For
+         example, with :term:`IMAGE_FSTYPES` containing ``ext4.zst``, you can run::
+
+            runqemu snapshot ext4.zst <image-recipe>
 
-         runqemu snapshot ext4.zst <image-recipe>
+      -  Add support for the ``erofs`` filesystem.
+
+      -  The :term:`BitBake` environment is now a requirement, and the script
+         cannot run without a successful call to ``bitbake -e``.
+
+         The script will also raise an error with the ``bitbake`` command is not
+         found.
 
 -  Documentation changes:
 
+   -  Add documentation on :term:`Configuration Fragments <Configuration
+      Fragment>`:
+
+      -  :doc:`/ref-manual/fragments`
+      -  :doc:`/dev-manual/creating-fragments`
+
    -  Part of :term:`BitBake` internals are now documented at
       :yocto_docs:`/bitbake/bitbake-user-manual/bitbake-user-manual-library-functions.html`.
 
    -  A new :doc:`/dev-manual/limiting-resources` guide was created to help
-      users limit the host resources used by the :term:`OpenEmbedded Build
-      System`.
+      users limit the resources used by the :term:`OpenEmbedded Build System`.
+
+   -  A new :doc:`/dev-manual/hashequivserver` guide was created to help users
+      setting up a :ref:`overview-manual/concepts:Hash Equivalence` server.
+
+   -  The QA checks defined in the :term:`OpenEmbedded Build System` were
+      gathered in :doc:`/ref-manual/qa-checks`.
 
 -  Core library changes:
 
@@ -352,6 +481,9 @@ New Features / Enhancements in |yocto-ver|
 
 -  Go changes:
 
+   -  :ref:`ref-classes-go-mod-update-modules`: Update license finding to use
+      the new ``find_licenses_up`` library function.
+
 -  Rust changes:
 
    -  ``rust-llvm``:
@@ -362,6 +494,9 @@ New Features / Enhancements in |yocto-ver|
       -  Disable the following feature through configuration
          (:ref:`ref-tasks-configure`): libedit, benchmarks.
 
+   -  Add the ``has-thread-local`` option to the
+      :ref:`ref-classes-rust-target-config` class.
+
 -  Wic Image Creator changes:
 
    -  After a Python upgrade, WIC plugins containing dashes (``-``) for their
@@ -387,17 +522,36 @@ New Features / Enhancements in |yocto-ver|
          :term:`BitBake` variables. This directory is usually found in
          :term:`STAGING_DIR`.
 
-   - Add the Wic-specific option ``--extra-partiton-space`` to add extra empty
-     space after the space filled by the filesystem in the partition.
+   -  Add the Wic-specific option ``--extra-partition-space`` to add extra empty
+      space after the space filled by the filesystem in the partition.
+
+   -  The Wic-specific option ``--extra-space`` has a new alias
+      ``--extra-filesystem-space``.
+
+   -  ``bootimg_pcbios``: move Syslinux install into separate functions, to make
+      it easier to add new bootloaders.
+
+      The Grub bootloader can now be installed with this Wic plugin.
 
    -  Add the Wic plugin ``extra_partition`` to install files from the
-      :term:`DEPLOY_DIR_IMAGE` directory into an extra non-rootfs partition.
+      :term:`DEPLOY_DIR_IMAGE` directory into an extra non-rootfs partition. See the
+      :term:`IMAGE_EXTRA_PARTITION_FILES` variable for more information.
 
 -  SDK-related changes:
 
    -  Include additional information about Meson setting in the SDK environment
       setup script (host system, CPU family, etc.).
 
+   -  Add Go to :term:`SDK_TOOLCHAIN_LANGS`, except for the following
+      architecture on which this is not supported:
+
+      -  RISC-V 32 bits (``rv32``)
+      -  PowerPC
+
+   -  Image-based SDKs can now include `Zsh` completions by adding the
+      ``zsh-completion-pkgs`` feature to the :term:`IMAGE_FEATURES` variable in
+      the image recipe.
+
 -  Testing-related changes:
 
    -  ``bitbake/tests/fetch``: Add tests for ``gitsm`` with git-lfs.
@@ -405,6 +559,9 @@ New Features / Enhancements in |yocto-ver|
    -  ``bitbake/lib/bb/tests/fetch``: add a test case to ensure Git shallow
       fetch works for tag containing slashes.
 
+   -  :ref:`ref-classes-testexport`: capture all tests and data from all layers
+      (instead of the :term:`OpenEmbedded-Core (OE-Core)` layer only).
+
    -  OEQA:
 
       -  SDK:
@@ -455,8 +612,16 @@ New Features / Enhancements in |yocto-ver|
 
       - ``runqemu``: add new test for booting compressed images.
 
-   -  :ref:`ref-classes-testexport`: capture all tests and data from all layers
-      (instead of the :term:`OpenEmbedded-Core (OE-Core)` layer only).
+      -  General improvements of the parallelization of tests, namely fixing
+         some tests that could spawn an unlimited number of threads leading to
+         OOM kills.
+
+      -  A new SDK test is now running for Go after ``go`` was added to
+         :term:`SDK_TOOLCHAIN_LANGS`.
+
+      -  Commands sent over SSH (using the ``OESSHTarget`` class) will now error
+         when an SSH failure occurs. It is possible to ignore these errors by
+         passing ``ignore_ssh_fails`` when executing a command.
 
 -  Utility script changes:
 
@@ -468,6 +633,8 @@ New Features / Enhancements in |yocto-ver|
          patch files *must* include an ``Upstream-Status`` to pass with this
          script.
 
+      -  Show the :term:`DISTRO` used when running the script.
+
       -  :ref:`ref-classes-yocto-check-layer` class:
 
          -  Refactor to be extended easily.
@@ -490,7 +657,11 @@ New Features / Enhancements in |yocto-ver|
 
    -  ``buildstats-diff``: find last two Buildstats files if none are specified.
 
-   -  ``pybootchartgui``: visualize ``/proc/net/dev`` network stats in graphs.
+   -  ``pybootchartgui``:
+
+      -  visualize ``/proc/net/dev`` network stats in graphs.
+
+      -  account for network statistics when calculating extents.
 
 -  Packaging changes:
 
@@ -499,6 +670,19 @@ New Features / Enhancements in |yocto-ver|
       detailed information on the files used during the compilation and improve
       SPDX accuracy.
 
+   -  When using the ``ipk`` and ``rpm`` package managers, give out more possible
+      reasons about unmatched packages.
+
+      For example::
+
+         E: Package 'catch2' has no installation candidate
+         catch2 is a recipe. Its generated packages are: ['catch2-src', 'catch2-dbg', 'catch2-staticdev', 'catch2-dev', 'catch2-doc']
+         Either specify a generated package or set ALLOW_EMPTY:${PN} = "1" in catch2 recipe
+
+   -  ``package.py``: replace all files unconditionally when copying debug
+      sources (passing ``-u`` to the ``cpio`` command in
+      ``copydebugsources()``). This improves reproducibility.
+
 -  LLVM related changes:
 
    -  Like ``gcc-source``, the LLVM project sources are part of ``work-shared``
@@ -535,14 +719,26 @@ New Features / Enhancements in |yocto-ver|
 
    -  Handle workspaces for multiconfig.
 
+   -  Fix upgrade for recipes with Git submodules.
+
 -  Patchtest-related changes:
 
+   -  Multiple improvements to the tool's :oe_git:`README
+      </openembedded-core/tree/scripts/patchtest.README>`.
+
+   -  Don't match :term:`BitBake` Python expansions as GitHub usernames
+      (``${@...}`` syntax).
+
 -  Security changes:
 
    -  ``openssl``: add FIPS support. This can be enabled through the ``fips``
       :term:`PACKAGECONFIG`.
 
--  :ref:`ref-classes-cve-check` changes:
+-  :ref:`ref-classes-cve-check` class changes:
+
+
+   -  ``cve-update-db-native``: FKIE: use Secondary metric if there is no
+      Primary metric.
 
 -  New :term:`PACKAGECONFIG` options for individual recipes:
 
@@ -554,13 +750,34 @@ New Features / Enhancements in |yocto-ver|
    -  ``openssl``: ``fips``
    -  ``qemu``: ``sdl-image``, ``pixman``
    -  ``wget``: ``pcre2``
-   -  ``mesa``: ``asahi``, ``amd``, ``svga``, ``teflon``, ``nouveau``
+   -  ``mesa``: ``asahi``, ``amd``, ``svga``, ``teflon``, ``nouveau``,
+      ``xmlconfig``
+   -  ``dbus``: ``traditional-activation``, ``message-bus``
+   -  ``cmake``: ``debugger``
+   -  ``libcxx``: ``unwind-cross``
+   -  ``tiff``: ``lerc``
+   -  ``freetype``: ``brotli``
+   -  ``gawk``: ``pma-if-64bit``
+   -  ``x264``: ``ffmpeg``, ``opencl``
 
 -  Systemd related changes:
 
    -  Enable getty generator by default by adding ``serial-getty-generator`` to
       :term:`PACKAGECONFIG`.
 
+   -  Now uses the :term:`USE_NLS` variable to enable or disable building
+      translations.
+
+   -  Fix deduplicated templates and instance lines in preset files when listing
+      both template and instances in :term:`SYSTEMD_SERVICE`.
+
+   -  Stop enabling non-standard MAC policy when using the 'pni-names' feature
+      (part of :term:`DISTRO_FEATURES`). Instead, follow what is provided by
+      upstream systemd.
+
+   -  Install ``systemd-sysv-install`` when using the
+      ``systemd-systemctl-native`` recipe.
+
 -  :ref:`ref-classes-sanity` class changes:
 
    -  :ref:`ref-classes-insane`: Move test for invalid :term:`PACKAGECONFIG` to
@@ -576,6 +793,9 @@ New Features / Enhancements in |yocto-ver|
       install ``libstdc++-14-dev`` instead of ``libgcc-14-dev`` to avoid build
       issues when building :ref:`ref-classes-native` with Clang.
 
+   -  Drop the ``var-undefined`` QA check as it was not relevant for the
+      variables it was checking, as those are mandatory by default.
+
 -  U-boot related changes:
 
    -  :ref:`ref-classes-uboot-sign`: Add support for setting firmware property
@@ -589,6 +809,11 @@ New Features / Enhancements in |yocto-ver|
       variable to automatically set U-boot configuration options (for example
       ``CONFIG_RISCV_ISA_F``).
 
+   -  Improve the way build directories are split when having multiple
+      configurations listed in :term:`UBOOT_CONFIG`. This fixes an issue where
+      two or more of these configurations were using the same directory for
+      building (because these were using the same defconfig file).
+
 -  Miscellaneous changes:
 
    -  ``dropbear``: The ``dropbearkey.service`` can now take extra arguments for
@@ -648,12 +873,78 @@ New Features / Enhancements in |yocto-ver|
    -  :ref:`ref-classes-externalsrc`: Always ask Git for location of ``.git``
       directory (may be different from the default ``${S}/.git``).
 
-   -  :ref:`ref-classes-features_check`: Add support for required
-      :term:`TUNE_FEATURES`.
+   -  :ref:`ref-classes-features_check`: Add support for :term:`REQUIRED_TUNE_FEATURES`.
 
    -  ``openssh``: limit read access to ``sshd_config`` file (set its filemode
       to ``0600``).
 
+   -  ``barebox-tools`` now installs the ``rk-usb-loader`` utility.
+
+   -  The :ref:`ref-classes-setuptools3_legacy` class now supports the
+      :ref:`qa-check-pep517-backend` QA check.
+
+   -  The :ref:`ref-classes-ccache` class now supports using `Ccache` for native
+      recipes when the local build configuration contains::
+
+         ASSUME_PROVIDED += "ccache-native"
+         HOSTTOOLS += "ccache"
+
+   -  :ref:`ref-classes-python_pep517`: use ``pyproject-build`` instead of
+      calling the module with ``nativepython3``.
+
+   -  ``dbus-glib``: include the binding tools separately into the
+      ``${PN}-tools`` package.
+
+   -  ``dbus``: use the :ref:`ref-classes-systemd` class to handle the unit
+      files of D-Bus.
+
+   -  ``dpkg``: add :ref:`ptest <test-manual/ptest:testing packages with ptest>`
+      support.
+
+   -  ``shared-mime-info``: Now uses the :term:`USE_NLS` variable to enable
+      building translations.
+
+   -  ``p11-kit``: Now uses the :term:`USE_NLS` variable to enable building
+      translations.
+
+   -  ``babeltrace2``: Enable Python plugins
+
+   -  ``initramfs-framework``: mount a temporary filesystem on ``/run`` and move
+      it to the root filesystem directory before calling ``switch_root``.
+
+   -  ``python3``: Pass ``PLATFORM_TRIPLET`` explicitly when cross compiling to
+      make the build deterministic instead of letting Python detect the platform
+      triplet (``${HOST_ARCH}-${HOST_OS}``).
+
+   -  ``pulseaudio``: Add the ``audio`` group explicitly if
+      ``pulseaudio-server`` is used.
+
+   -  ``oe/license_finder``: Add ``find_licenses_up`` function to find licenses
+      upwards until reaching a predefined top directory (as an argument).
+
+   -  ``mesa``:
+
+      -  Build Mesa's Asahi tools when ``asahi`` is part of the recipe's
+         :term:`PACKAGECONFIG` variable.
+
+      -  The ``mesa`` recipe now declares two new :term:`PROVIDES` for Vulkan
+         and OpenCL ICD. These virtual provider are respectively named
+         ``virtual-opencl-icd`` and ``virtual-vulkan-icd``.
+
+   -  ``mesa-demos``: split info tools to a separate package ``mesa-demos-info``.
+
+   -  ``vte``: skip :ref:`ref-classes-gobject-introspection` with Clang on Arm,
+      as it caused build failures.
+
+   -  ``shadow``: Increase the maximum group name length from 24 to 32 (default
+      value provided by upstream recipe, was previously hardcoded to 24).
+
+   -  ``udev-extraconf``: Speed up the ``mount.sh`` script by passing the block
+      device of interest to ``blkid`` when getting partition label names.
+
+   -  ``piglit``: enable OpenCL support if ``opencl`` is part of the
+      :term:`DISTRO` features.
+
 Known Issues in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/meta/classes-recipe/barebox.bbclass b/meta/classes-recipe/barebox.bbclass
index ece8fb6485..73615999aa 100644
--- a/meta/classes-recipe/barebox.bbclass
+++ b/meta/classes-recipe/barebox.bbclass
@@ -16,6 +16,8 @@ DEPENDS += "bison-native flex-native lz4-native"
 
 S = "${UNPACKDIR}/barebox-${PV}"
 B = "${WORKDIR}/build"
+KBUILD_OUTPUT = "${B}"
+OE_TERMINAL_EXPORTS += "KBUILD_OUTPUT"
 
 require conf/image-uefi.conf
 
diff --git a/meta/classes-recipe/kernel-fit-image.bbclass b/meta/classes-recipe/kernel-fit-image.bbclass
index 16b6ab7b2f..fd0d21ceee 100644
--- a/meta/classes-recipe/kernel-fit-image.bbclass
+++ b/meta/classes-recipe/kernel-fit-image.bbclass
@@ -63,14 +63,12 @@ python do_compile() {
     )
 
     # Prepare a kernel image section.
-    linux_bin = d.getVar('FIT_LINUX_BIN')
-    if linux_bin:
-        shutil.copyfile(os.path.join(kernel_deploydir, "linux.bin"), "linux.bin")
-        with open(os.path.join(kernel_deploydir, "linux_comp")) as linux_comp_f:
-            linux_comp = linux_comp_f.read()
-        root_node.fitimage_emit_section_kernel("kernel-1", "linux.bin", linux_comp,
-            d.getVar('UBOOT_LOADADDRESS'), d.getVar('UBOOT_ENTRYPOINT'),
-            d.getVar('UBOOT_MKIMAGE_KERNEL_TYPE'), d.getVar("UBOOT_ENTRYSYMBOL"))
+    shutil.copyfile(os.path.join(kernel_deploydir, "linux.bin"), "linux.bin")
+    with open(os.path.join(kernel_deploydir, "linux_comp")) as linux_comp_f:
+        linux_comp = linux_comp_f.read()
+    root_node.fitimage_emit_section_kernel("kernel-1", "linux.bin", linux_comp,
+        d.getVar('UBOOT_LOADADDRESS'), d.getVar('UBOOT_ENTRYPOINT'),
+        d.getVar('UBOOT_MKIMAGE_KERNEL_TYPE'), d.getVar("UBOOT_ENTRYSYMBOL"))
 
     # Prepare a DTB image section
     kernel_devicetree = d.getVar('KERNEL_DEVICETREE')
diff --git a/meta/classes-recipe/rust-target-config.bbclass b/meta/classes-recipe/rust-target-config.bbclass
index 0c7e3c0090..9ce57843cf 100644
--- a/meta/classes-recipe/rust-target-config.bbclass
+++ b/meta/classes-recipe/rust-target-config.bbclass
@@ -405,7 +405,7 @@ def rust_gen_target(d, thing, wd, arch):
         tspec['llvm-abiname'] = "lp64d"
     if "powerpc64le" in tspec['llvm-target']:
         tspec['llvm-abiname'] = "elfv2"
-    if "powerpc64" in tspec['llvm-target']:
+    elif "powerpc64" in tspec['llvm-target']:
         tspec['llvm-abiname'] = "elfv1"
     tspec['vendor'] = "unknown"
     tspec['target-family'] = "unix"
diff --git a/meta/classes-recipe/uboot-config.bbclass b/meta/classes-recipe/uboot-config.bbclass
index eb82dd3583..fd6c045142 100644
--- a/meta/classes-recipe/uboot-config.bbclass
+++ b/meta/classes-recipe/uboot-config.bbclass
@@ -85,7 +85,7 @@ SPL_MKIMAGE_DTCOPTS ??= ""
 UBOOT_MKIMAGE ?= "uboot-mkimage"
 UBOOT_MKIMAGE_SIGN ?= "${UBOOT_MKIMAGE}"
 
-# Signature activation - this requires KERNEL_IMAGETYPE = "fitImage"
+# Signature activation
 UBOOT_SIGN_ENABLE ?= "0"
 
 # Arguments passed to mkimage for signing
diff --git a/meta/classes/toolchain/clang.bbclass b/meta/classes/toolchain/clang.bbclass
index b4a1c180f6..9a3cd0e584 100644
--- a/meta/classes/toolchain/clang.bbclass
+++ b/meta/classes/toolchain/clang.bbclass
@@ -32,6 +32,7 @@ TUNE_CCARGS += "${@bb.utils.contains("DISTRO_FEATURES", "usrmerge", " --dyld-pre
 
 LDFLAGS:append:class-nativesdk:x86-64 = " -Wl,-dynamic-linker,${base_libdir}/ld-linux-x86-64.so.2"
 LDFLAGS:append:class-nativesdk:aarch64 = " -Wl,-dynamic-linker,${base_libdir}/ld-linux-aarch64.so.1"
+LDFLAGS:append:class-cross-canadian = " -Wl,-dynamic-linker,${base_libdir}/placeholder/to/be/rewritten/by/sdk/installer"
 
 # do_populate_sysroot needs STRIP, do_package_qa needs OBJDUMP
 POPULATESYSROOTDEPS:append:class-target = " llvm-native:do_populate_sysroot"
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index c4142e2b72..6902bc0c44 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -886,6 +886,7 @@ RECIPE_MAINTAINER:pn-wic-tools = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-wireless-regdb = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-wpa-supplicant = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-wpebackend-fdo = "Unassigned <unassigned@yoctoproject.org>"
+RECIPE_MAINTAINER:pn-x11-volatiles = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-x11perf = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-x264 = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-xauth = "Unassigned <unassigned@yoctoproject.org>"
diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
index 9c2e10dd2b..8df5e92a34 100644
--- a/meta/lib/oeqa/selftest/cases/fitimage.py
+++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -9,7 +9,6 @@ import re
 import shlex
 import logging
 import pprint
-import tempfile
 
 import oe.fitimage
 
@@ -47,10 +46,11 @@ class FitImageTestCase(OESelftestTestCase):
         # Check if the its file contains the expected paths and attributes.
         # The _get_req_* functions are implemented by more specific chield classes.
         self._check_its_file()
-            req_its_paths = self._get_req_its_paths()
+            req_its_paths, not_req_its_paths = self._get_req_its_paths()
             req_sigvalues_config = self._get_req_sigvalues_config()
             req_sigvalues_image = self._get_req_sigvalues_image()
-            # Compare the its file against req_its_paths, req_sigvalues_config, req_sigvalues_image
+            # Compare the its file against req_its_paths, not_req_its_paths,
+            #                              req_sigvalues_config, req_sigvalues_image
 
         # Call the dumpimage utiliy and check that it prints all the expected paths and attributes
         # The _get_req_* functions are implemented by more specific chield classes.
@@ -198,7 +198,7 @@ class FitImageTestCase(OESelftestTestCase):
         # Support only the test recipe which provides 1 devicetree and 1 devicetree overlay
         pref_prov_dtb = bb_vars.get('PREFERRED_PROVIDER_virtual/dtb')
         if pref_prov_dtb == "bbb-dtbs-as-ext":
-            all_dtbs += ["am335x-bonegreen-ext.dtb", "BBORG_RELAY-00A2.dtbo"]
+            all_dtbs += ["BBORG_RELAY-00A2.dtbo", "am335x-bonegreen-ext.dtb"]
             dtb_symlinks.append("am335x-bonegreen-ext-alias.dtb")
         return (all_dtbs, dtb_symlinks)
 
@@ -234,8 +234,9 @@ class FitImageTestCase(OESelftestTestCase):
                 self.logger.debug("its file: %s" % its_file.read())
 
         # Generate a list of expected paths in the its file
-        req_its_paths = self._get_req_its_paths(bb_vars)
+        req_its_paths, not_req_its_paths = self._get_req_its_paths(bb_vars)
         self.logger.debug("req_its_paths:\n%s\n" % pprint.pformat(req_its_paths, indent=4))
+        self.logger.debug("not_req_its_paths:\n%s\n" % pprint.pformat(not_req_its_paths, indent=4))
 
         # Generate a dict of expected configuration signature nodes
         req_sigvalues_config = self._get_req_sigvalues_config(bb_vars)
@@ -275,6 +276,11 @@ class FitImageTestCase(OESelftestTestCase):
             if not req_path in its_paths:
                 self.fail('Missing path in its file: %s (%s)' % (req_path, its_file_path))
 
+        # check if all not expected paths are absent in the its file
+        for not_req_path in not_req_its_paths:
+            if not_req_path in its_paths:
+                self.fail('Unexpected path found in its file: %s (%s)' % (not_req_path, its_file_path))
+
         # Check if all the expected singnature nodes (images and configurations) are found
         self.logger.debug("sigs:\n%s\n" % pprint.pformat(sigs, indent=4))
         if req_sigvalues_config or req_sigvalues_image:
@@ -353,7 +359,7 @@ class FitImageTestCase(OESelftestTestCase):
 
     def _get_req_its_paths(self, bb_vars):
         self.logger.error("This function needs to be implemented")
-        return []
+        return ([], [])
 
     def _get_req_its_fields(self, bb_vars):
         self.logger.error("This function needs to be implemented")
@@ -499,7 +505,7 @@ class KernelFitImageBase(FitImageTestCase):
         return (fitimage_its_path, fitimage_path)
 
     def _get_req_its_paths(self, bb_vars):
-        """Generate a list of expected paths in the its file
+        """Generate a list of expected and a list of not expected paths in the its file
 
         Example:
             [
@@ -515,15 +521,26 @@ class KernelFitImageBase(FitImageTestCase):
         uboot_sign_enable = bb_vars.get('UBOOT_SIGN_ENABLE')
 
         # image nodes
-        images = [ 'kernel-1' ]
+        images = ['kernel-1']
+        not_images = []
+
         if dtb_files:
             images += [ 'fdt-' + dtb for dtb in dtb_files ]
+
         if fit_uboot_env:
             images.append('bootscr-' + fit_uboot_env)
+        else:
+            not_images.append('bootscr-boot.cmd')
+
         if bb_vars['MACHINE'] == "qemux86-64": # Not really the right if
             images.append('setup-1')
+        else:
+            not_images.append('setup-1')
+
         if initramfs_image and initramfs_image_bundle != "1":
             images.append('ramdisk-1')
+        else:
+            not_images.append('ramdisk-1')
 
         # configuration nodes (one per DTB and also one per symlink)
         if dtb_files:
@@ -541,7 +558,12 @@ class KernelFitImageBase(FitImageTestCase):
             req_its_paths.append(['/', 'configurations', configuration, 'hash-1'])
             if uboot_sign_enable == "1":
                 req_its_paths.append(['/', 'configurations', configuration, 'signature-1'])
-        return req_its_paths
+
+        not_req_its_paths = []
+        for image in not_images:
+            not_req_its_paths.append(['/', 'images', image])
+
+        return (req_its_paths, not_req_its_paths)
 
     def _get_req_its_fields(self, bb_vars):
         initramfs_image = bb_vars['INITRAMFS_IMAGE']
@@ -572,10 +594,23 @@ class KernelFitImageBase(FitImageTestCase):
             fit_conf_prefix = bb_vars.get('FIT_CONF_PREFIX', "conf-")
             its_field_check.append('default = "' + fit_conf_prefix + fit_conf_default_dtb + '";')
 
-        its_field_check.append('kernel = "kernel-1";')
+        # configuration nodes (one per DTB and also one per symlink)
+        dtb_files, dtb_symlinks = FitImageTestCase._get_dtb_files(bb_vars)
+        if dtb_files:
+            for dtb in dtb_files:
+                its_field_check.append('kernel = "kernel-1";')
+                its_field_check.append('fdt = "fdt-%s";' % dtb)
+            for dtb in dtb_symlinks:
+                its_field_check.append('kernel = "kernel-1";')
+                # Works only for tests were the symlink is with -alias suffix
+                its_field_check.append('fdt = "fdt-%s";' % dtb.replace('-alias', ''))
 
-        if initramfs_image and initramfs_image_bundle != "1":
-            its_field_check.append('ramdisk = "ramdisk-1";')
+            if initramfs_image and initramfs_image_bundle != "1":
+                its_field_check.append('ramdisk = "ramdisk-1";')
+        else:
+            its_field_check.append('kernel = "kernel-1";')
+            if initramfs_image and initramfs_image_bundle != "1":
+                its_field_check.append('ramdisk = "ramdisk-1";')
 
         return its_field_check
 
@@ -1032,20 +1067,21 @@ class FitImagePyTests(KernelFitImageBase):
         # Provide variables without calling bitbake
         bb_vars = {
             # image-fitimage.conf
+            'FIT_ADDRESS_CELLS': "1",
+            'FIT_CONF_DEFAULT_DTB': "",
+            'FIT_CONF_PREFIX': "conf-",
             'FIT_DESC': "Kernel fitImage for a dummy distro",
-            'FIT_HASH_ALG': "sha256",
-            'FIT_SIGN_ALG': "rsa2048",
-            'FIT_PAD_ALG': "pkcs-1.5",
             'FIT_GENERATE_KEYS': "0",
-            'FIT_SIGN_NUMBITS': "2048",
+            'FIT_HASH_ALG': "sha256",
             'FIT_KEY_GENRSA_ARGS': "-F4",
             'FIT_KEY_REQ_ARGS': "-batch -new",
             'FIT_KEY_SIGN_PKCS': "-x509",
+            'FIT_LINUX_BIN': "linux.bin",
+            'FIT_PAD_ALG': "pkcs-1.5",
+            'FIT_SIGN_ALG': "rsa2048",
             'FIT_SIGN_INDIVIDUAL': "0",
-            'FIT_CONF_PREFIX': "conf-",
+            'FIT_SIGN_NUMBITS': "2048",
             'FIT_SUPPORTED_INITRAMFS_FSTYPES': "cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.zst cpio.gz ext2.gz cpio",
-            'FIT_CONF_DEFAULT_DTB': "",
-            'FIT_ADDRESS_CELLS': "1",
             'FIT_UBOOT_ENV': "",
             # kernel.bbclass
             'UBOOT_ENTRYPOINT': "0x20008000",
@@ -1072,6 +1108,9 @@ class FitImagePyTests(KernelFitImageBase):
         }
         if bb_vars_overrides:
             bb_vars.update(bb_vars_overrides)
+            if logging.DEBUG >= self.logger.level:
+                debug_output = "\n".join([f"{key} = {value}" for key, value in bb_vars_overrides.items()])
+                self.logger.debug("bb_vars overrides:\n%s" % debug_output)
 
         root_node = oe.fitimage.ItsNodeRootKernel(
             bb_vars["FIT_DESC"], bb_vars["FIT_ADDRESS_CELLS"],
@@ -1204,7 +1243,7 @@ class UBootFitImageTests(FitImageTestCase):
                 req_its_paths.append(['/', 'images', image, 'signature'])
         for configuration in configurations:
             req_its_paths.append(['/', 'configurations', configuration])
-        return req_its_paths
+        return (req_its_paths, [])
 
     def _get_req_its_fields(self, bb_vars):
         loadables = ["uboot"]
@@ -1730,4 +1769,3 @@ UBOOT_FIT_GENERATE_KEYS = "1"
         self.write_config(config)
         bb_vars = self._fit_get_bb_vars()
         self._test_fitimage(bb_vars)
-
diff --git a/meta/lib/oeqa/selftest/cases/rust.py b/meta/lib/oeqa/selftest/cases/rust.py
index 06acf53e9a..31222e2456 100644
--- a/meta/lib/oeqa/selftest/cases/rust.py
+++ b/meta/lib/oeqa/selftest/cases/rust.py
@@ -122,6 +122,9 @@ class RustSelfTestSystemEmulated(OESelftestTestCase, OEPTestResultTestCase):
             cmd = "export TARGET_VENDOR=\"-poky\";"
             cmd = cmd + " export PATH=%s/recipe-sysroot-native/usr/bin/python3-native:%s/recipe-sysroot-native/usr/bin:%s/recipe-sysroot-native/usr/bin/%s:%s/hosttools:$PATH;" % (rustlibpath, rustlibpath, rustlibpath, tcpath, tmpdir)
             cmd = cmd + " export RUST_TARGET_PATH=%s/rust-targets;" % rustlibpath
+            # Strip debug symbols from test binaries to reduce size (300+ MB -> ~140 MB)
+            # PowerPC mac99 QEMU has 768MB RAM limit, so we need to minimize test binary sizes
+            cmd = cmd + " export RUSTFLAGS='-C strip=debuginfo';"
             # Trigger testing.
             cmd = cmd + " export TEST_DEVICE_ADDR=\"%s:12345\";" % qemu.ip
             cmd = cmd + " cd %s; python3 src/bootstrap/bootstrap.py test %s --target %s" % (builddir, testargs, targetsys)
diff --git a/meta/lib/oeqa/selftest/cases/wic.py b/meta/lib/oeqa/selftest/cases/wic.py
index bb4ac23ebf..d7a9b14658 100644
--- a/meta/lib/oeqa/selftest/cases/wic.py
+++ b/meta/lib/oeqa/selftest/cases/wic.py
@@ -1905,6 +1905,42 @@ INITRAMFS_IMAGE = "core-image-initramfs-boot"
             self.assertIn("Source parameter 'fill' only works with the '--fixed-size' option, exiting.", result.output)
             self.assertNotEqual(0, result.status)
 
+    def test_diskid_on_msdos_partition(self):
+        """Test diksid on msdos partions"""
+        img = 'core-image-minimal'
+        diskid = "0xdeadbbef"
+        with NamedTemporaryFile("w", suffix=".wks") as wks:
+            wks.writelines(['bootloader --ptable msdos --diskid %s\n' % diskid,
+                            'part /boot --size=100M --active --fstype=ext4 --label boot\n'
+                            'part /     --source rootfs      --fstype=ext4 --label root\n'])
+            wks.flush()
+            cmd = "wic create %s -e %s -o %s" % (wks.name, img, self.resultdir)
+            runCmd(cmd)
+            wksname = os.path.splitext(os.path.basename(wks.name))[0]
+            out = glob(os.path.join(self.resultdir, "%s-*direct" % wksname))
+            self.assertEqual(1, len(out))
+            sysroot = get_bb_var('RECIPE_SYSROOT_NATIVE', 'wic-tools')
+            result = runCmd("%s/usr/sbin/sfdisk -l %s | grep 'Disk identifier:'" % (sysroot, out[0]))
+            self.assertEqual("Disk identifier: %s" % diskid.lower(), result.output)
+
+    def test_diskid_on_gpt_partition(self):
+        """Test diksid on gpt partions"""
+        img = 'core-image-minimal'
+        diskid = "deadbeef-cafe-babe-f00d-cec2ea4eface"
+        with NamedTemporaryFile("w", suffix=".wks") as wks:
+            wks.writelines(['bootloader --ptable gpt --diskid %s\n' % diskid,
+                            'part /boot --size=100M --active --fstype=ext4 --label boot\n'
+                            'part /     --source rootfs      --fstype=ext4 --label root\n'])
+            wks.flush()
+            cmd = "wic create %s -e %s -o %s" % (wks.name, img, self.resultdir)
+            runCmd(cmd)
+            wksname = os.path.splitext(os.path.basename(wks.name))[0]
+            out = glob(os.path.join(self.resultdir, "%s-*direct" % wksname))
+            self.assertEqual(1, len(out))
+            sysroot = get_bb_var('RECIPE_SYSROOT_NATIVE', 'wic-tools')
+            result = runCmd("%s/usr/sbin/sfdisk -l %s | grep 'Disk identifier:'" % (sysroot, out[0]))
+            self.assertEqual("Disk identifier: %s" % diskid.upper(), result.output)
+
 class ModifyTests(WicTestCase):
     def test_wic_ls(self):
         """Test listing image content using 'wic ls'"""
diff --git a/meta/recipes-bsp/barebox/barebox-common.inc b/meta/recipes-bsp/barebox/barebox-common.inc
index 864c6010c9..e41d0858fd 100644
--- a/meta/recipes-bsp/barebox/barebox-common.inc
+++ b/meta/recipes-bsp/barebox/barebox-common.inc
@@ -3,6 +3,6 @@ SECTION = "bootloaders"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=f5125d13e000b9ca1f0d3364286c4192"
 
-PV = "2025.08.0"
+PV = "2025.09.0"
 SRC_URI = "https://barebox.org/download/barebox-${PV}.tar.bz2"
-SRC_URI[sha256sum] = "b32f141ee708e87cb0cc01d626adafc07bd6eb52d62ca969287d7d27462eab32"
+SRC_URI[sha256sum] = "7df1aa47bb7bf1763a729137ac773e69a4052812af094475d739fc63a9295f0d"
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 220160a7e1..4fe8ba4d28 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -35,6 +35,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
            file://CVE-2023-38471-2.patch \
            file://CVE-2023-38472.patch \
            file://CVE-2023-38473.patch \
+           file://CVE-2024-52616.patch \
+           file://CVE-2024-52615.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch b/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch
new file mode 100644
index 0000000000..9737f52837
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch
@@ -0,0 +1,228 @@
+From 4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 27 Nov 2024 18:07:32 +0100
+Subject: [PATCH] core/wide-area: fix for CVE-2024-52615
+
+CVE: CVE-2024-52615
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ avahi-core/wide-area.c | 128 ++++++++++++++++++++++-------------------
+ 1 file changed, 69 insertions(+), 59 deletions(-)
+
+diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c
+index 00a15056e..06df7afc6 100644
+--- a/avahi-core/wide-area.c
++++ b/avahi-core/wide-area.c
+@@ -81,6 +81,10 @@ struct AvahiWideAreaLookup {
+ 
+     AvahiAddress dns_server_used;
+ 
++    int fd;
++    AvahiWatch *watch;
++    AvahiProtocol proto;
++
+     AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, lookups);
+     AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, by_key);
+ };
+@@ -88,9 +92,6 @@ struct AvahiWideAreaLookup {
+ struct AvahiWideAreaLookupEngine {
+     AvahiServer *server;
+ 
+-    int fd_ipv4, fd_ipv6;
+-    AvahiWatch *watch_ipv4, *watch_ipv6;
+-
+     /* Cache */
+     AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache);
+     AvahiHashmap *cache_by_key;
+@@ -125,35 +126,67 @@ static AvahiWideAreaLookup* find_lookup(AvahiWideAreaLookupEngine *e, uint16_t i
+     return l;
+ }
+ 
++static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata);
++
+ static int send_to_dns_server(AvahiWideAreaLookup *l, AvahiDnsPacket *p) {
++    AvahiWideAreaLookupEngine *e;
+     AvahiAddress *a;
++    AvahiServer *s;
++    AvahiWatch *w;
++    int r;
+ 
+     assert(l);
+     assert(p);
+ 
+-    if (l->engine->n_dns_servers <= 0)
++    e = l->engine;
++    assert(e);
++
++    s = e->server;
++    assert(s);
++
++    if (e->n_dns_servers <= 0)
+         return -1;
+ 
+-    assert(l->engine->current_dns_server < l->engine->n_dns_servers);
++    assert(e->current_dns_server < e->n_dns_servers);
+ 
+-    a = &l->engine->dns_servers[l->engine->current_dns_server];
++    a = &e->dns_servers[e->current_dns_server];
+     l->dns_server_used = *a;
+ 
+-    if (a->proto == AVAHI_PROTO_INET) {
++    if (l->fd >= 0) {
++        /* We are reusing lookup object and sending packet to another server so let's cleanup before we establish connection to new server. */
++        s->poll_api->watch_free(l->watch);
++        l->watch = NULL;
+ 
+-        if (l->engine->fd_ipv4 < 0)
+-            return -1;
++        close(l->fd);
++        l->fd = -EBADF;
++    }
+ 
+-        return avahi_send_dns_packet_ipv4(l->engine->fd_ipv4, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv4, AVAHI_DNS_PORT);
++    assert(a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6);
+ 
+-    } else {
+-        assert(a->proto == AVAHI_PROTO_INET6);
++    if (a->proto == AVAHI_PROTO_INET)
++        r = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1;
++    else
++        r = s->config.use_ipv6 ? avahi_open_unicast_socket_ipv6() : -1;
+ 
+-        if (l->engine->fd_ipv6 < 0)
+-            return -1;
++    if (r < 0) {
++        avahi_log_error(__FILE__ ": Failed to create socket for wide area lookup");
++        return -1;
++    }
+ 
+-        return avahi_send_dns_packet_ipv6(l->engine->fd_ipv6, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv6, AVAHI_DNS_PORT);
++    w = s->poll_api->watch_new(s->poll_api, r, AVAHI_WATCH_IN, socket_event, l);
++    if (!w) {
++        close(r);
++        avahi_log_error(__FILE__ ": Failed to create socket watch for wide area lookup");
++        return -1;
+     }
++
++    l->fd = r;
++    l->watch = w;
++    l->proto = a->proto;
++
++    return a->proto == AVAHI_PROTO_INET ?
++                avahi_send_dns_packet_ipv4(l->fd, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv4, AVAHI_DNS_PORT):
++                avahi_send_dns_packet_ipv6(l->fd, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv6, AVAHI_DNS_PORT);
+ }
+ 
+ static void next_dns_server(AvahiWideAreaLookupEngine *e) {
+@@ -246,6 +279,9 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+     l->dead = 0;
+     l->key = avahi_key_ref(key);
+     l->cname_key = avahi_key_new_cname(l->key);
++    l->fd = -EBADF;
++    l->watch = NULL;
++    l->proto = AVAHI_PROTO_UNSPEC;
+     l->callback = callback;
+     l->userdata = userdata;
+ 
+@@ -314,6 +350,12 @@ static void lookup_destroy(AvahiWideAreaLookup *l) {
+     if (l->cname_key)
+         avahi_key_unref(l->cname_key);
+ 
++    if (l->watch)
++            l->engine->server->poll_api->watch_free(l->watch);
++
++    if (l->fd >= 0)
++        close(l->fd);
++
+     avahi_free(l);
+ }
+ 
+@@ -572,14 +614,20 @@ static void handle_packet(AvahiWideAreaLookupEngine *e, AvahiDnsPacket *p) {
+ }
+ 
+ static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata) {
+-    AvahiWideAreaLookupEngine *e = userdata;
++    AvahiWideAreaLookup *l = userdata;
++    AvahiWideAreaLookupEngine *e = l->engine;
+     AvahiDnsPacket *p = NULL;
+ 
+-    if (fd == e->fd_ipv4)
+-        p = avahi_recv_dns_packet_ipv4(e->fd_ipv4, NULL, NULL, NULL, NULL, NULL);
++    assert(l);
++    assert(e);
++    assert(l->fd == fd);
++
++    if (l->proto == AVAHI_PROTO_INET)
++        p = avahi_recv_dns_packet_ipv4(l->fd, NULL, NULL, NULL, NULL, NULL);
+     else {
+-        assert(fd == e->fd_ipv6);
+-        p = avahi_recv_dns_packet_ipv6(e->fd_ipv6, NULL, NULL, NULL, NULL, NULL);
++        assert(l->proto == AVAHI_PROTO_INET6);
++
++        p = avahi_recv_dns_packet_ipv6(l->fd, NULL, NULL, NULL, NULL, NULL);
+     }
+ 
+     if (p) {
+@@ -598,32 +646,6 @@ AvahiWideAreaLookupEngine *avahi_wide_area_engine_new(AvahiServer *s) {
+     e->server = s;
+     e->cleanup_dead = 0;
+ 
+-    /* Create sockets */
+-    e->fd_ipv4 = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1;
+-    e->fd_ipv6 = s->config.use_ipv6 ? avahi_open_unicast_socket_ipv6() : -1;
+-
+-    if (e->fd_ipv4 < 0 && e->fd_ipv6 < 0) {
+-        avahi_log_error(__FILE__": Failed to create wide area sockets: %s", strerror(errno));
+-
+-        if (e->fd_ipv6 >= 0)
+-            close(e->fd_ipv6);
+-
+-        if (e->fd_ipv4 >= 0)
+-            close(e->fd_ipv4);
+-
+-        avahi_free(e);
+-        return NULL;
+-    }
+-
+-    /* Create watches */
+-
+-    e->watch_ipv4 = e->watch_ipv6 = NULL;
+-
+-    if (e->fd_ipv4 >= 0)
+-        e->watch_ipv4 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv4, AVAHI_WATCH_IN, socket_event, e);
+-    if (e->fd_ipv6 >= 0)
+-        e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e);
+-
+     e->n_dns_servers = e->current_dns_server = 0;
+ 
+     /* Initialize cache */
+@@ -651,18 +673,6 @@ void avahi_wide_area_engine_free(AvahiWideAreaLookupEngine *e) {
+     avahi_hashmap_free(e->lookups_by_id);
+     avahi_hashmap_free(e->lookups_by_key);
+ 
+-    if (e->watch_ipv4)
+-        e->server->poll_api->watch_free(e->watch_ipv4);
+-
+-    if (e->watch_ipv6)
+-        e->server->poll_api->watch_free(e->watch_ipv6);
+-
+-    if (e->fd_ipv6 >= 0)
+-        close(e->fd_ipv6);
+-
+-    if (e->fd_ipv4 >= 0)
+-        close(e->fd_ipv4);
+-
+     avahi_free(e);
+ }
+ 
+@@ -680,7 +690,7 @@ void avahi_wide_area_set_servers(AvahiWideAreaLookupEngine *e, const AvahiAddres
+ 
+     if (a) {
+         for (e->n_dns_servers = 0; n > 0 && e->n_dns_servers < AVAHI_WIDE_AREA_SERVERS_MAX; a++, n--)
+-            if ((a->proto == AVAHI_PROTO_INET && e->fd_ipv4 >= 0) || (a->proto == AVAHI_PROTO_INET6 && e->fd_ipv6 >= 0))
++            if (a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6)
+                 e->dns_servers[e->n_dns_servers++] = *a;
+     } else {
+         assert(n == 0);
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch b/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch
new file mode 100644
index 0000000000..a156f98728
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2024-52616.patch
@@ -0,0 +1,104 @@
+From f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 11 Nov 2024 00:56:09 +0100
+Subject: [PATCH] Properly randomize query id of DNS packets
+
+CVE: CVE-2024-52616
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/f8710bdc8b29ee1176fe3bfaeabebbda1b7a79f7]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ avahi-core/wide-area.c | 36 ++++++++++++++++++++++++++++--------
+ configure.ac           |  3 ++-
+ 2 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c
+index 971f5e714..00a15056e 100644
+--- a/avahi-core/wide-area.c
++++ b/avahi-core/wide-area.c
+@@ -40,6 +40,13 @@
+ #include "addr-util.h"
+ #include "rr-util.h"
+ 
++#ifdef HAVE_SYS_RANDOM_H
++#include <sys/random.h>
++#endif
++#ifndef HAVE_GETRANDOM
++#  define getrandom(d, len, flags) (-1)
++#endif
++
+ #define CACHE_ENTRIES_MAX 500
+ 
+ typedef struct AvahiWideAreaCacheEntry AvahiWideAreaCacheEntry;
+@@ -84,8 +91,6 @@ struct AvahiWideAreaLookupEngine {
+     int fd_ipv4, fd_ipv6;
+     AvahiWatch *watch_ipv4, *watch_ipv6;
+ 
+-    uint16_t next_id;
+-
+     /* Cache */
+     AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache);
+     AvahiHashmap *cache_by_key;
+@@ -201,6 +206,26 @@ static void sender_timeout_callback(AvahiTimeEvent *e, void *userdata) {
+     avahi_time_event_update(e, avahi_elapse_time(&tv, 1000, 0));
+ }
+ 
++static uint16_t get_random_uint16(void) {
++    uint16_t next_id;
++
++    if (getrandom(&next_id, sizeof(next_id), 0) == -1)
++        next_id = (uint16_t) rand();
++    return next_id;
++}
++
++static uint16_t avahi_wide_area_next_id(AvahiWideAreaLookupEngine *e) {
++    uint16_t next_id;
++
++    next_id = get_random_uint16();
++    while (find_lookup(e, next_id)) {
++        /* This ID is already used, get new. */
++        next_id = get_random_uint16();
++    }
++    return next_id;
++}
++
++
+ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+     AvahiWideAreaLookupEngine *e,
+     AvahiKey *key,
+@@ -227,11 +252,7 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+     /* If more than 65K wide area quries are issued simultaneously,
+      * this will break. This should be limited by some higher level */
+ 
+-    for (;; e->next_id++)
+-        if (!find_lookup(e, e->next_id))
+-            break; /* This ID is not yet used. */
+-
+-    l->id = e->next_id++;
++    l->id = avahi_wide_area_next_id(e);
+ 
+     /* We keep the packet around in case we need to repeat our query */
+     l->packet = avahi_dns_packet_new(0);
+@@ -604,7 +625,6 @@ AvahiWideAreaLookupEngine *avahi_wide_area_engine_new(AvahiServer *s) {
+         e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e);
+ 
+     e->n_dns_servers = e->current_dns_server = 0;
+-    e->next_id = (uint16_t) rand();
+ 
+     /* Initialize cache */
+     AVAHI_LLIST_HEAD_INIT(AvahiWideAreaCacheEntry, e->cache);
+diff --git a/configure.ac b/configure.ac
+index a3211b80e..31bce3d76 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -367,7 +367,8 @@ AC_FUNC_SELECT_ARGTYPES
+ # whether libc's malloc does too. (Same for realloc.)
+ #AC_FUNC_MALLOC
+ #AC_FUNC_REALLOC
+-AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname])
++AC_CHECK_FUNCS([gethostname memchr memmove memset mkdir select socket strchr strcspn strdup strerror strrchr strspn strstr uname setresuid setreuid setresgid setregid strcasecmp gettimeofday putenv strncasecmp strlcpy gethostbyname seteuid setegid setproctitle getprogname getrandom])
++AC_CHECK_HEADERS([sys/random.h])
+ 
+ AC_FUNC_CHOWN
+ AC_FUNC_STAT
+
diff --git a/meta/recipes-connectivity/bind/bind_9.20.13.bb b/meta/recipes-connectivity/bind/bind_9.20.15.bb
index de39924c3d..1195b5bdc3 100644
--- a/meta/recipes-connectivity/bind/bind_9.20.13.bb
+++ b/meta/recipes-connectivity/bind/bind_9.20.15.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "151f9376ead317e646a5d0c9f01c060386d891118d7437a7f829bb9727c7b34c"
+SRC_URI[sha256sum] = "d62b38fae48ba83fca6181112d0c71018d8b0f2ce285dc79dc6a0367722ccabb"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2
diff --git a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb b/meta/recipes-connectivity/openssh/openssh_10.1p1.bb
index 2f446b5540..83b6183858 100644
--- a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_10.1p1.bb
@@ -26,7 +26,7 @@ SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.ta
            file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
            file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
            "
-SRC_URI[sha256sum] = "021a2e709a0edf4250b1256bd5a9e500411a90dddabea830ed59cef90eb9d85c"
+SRC_URI[sha256sum] = "b9fc7a2b82579467a6f2f43e4a81c8e1dfda614ddb4f9b255aafd7020bbf0758"
 
 CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
diff --git a/meta/recipes-devtools/binutils/binutils-cross-canadian.inc b/meta/recipes-devtools/binutils/binutils-cross-canadian.inc
index 7d7ffe92ce..d28dcaf402 100644
--- a/meta/recipes-devtools/binutils/binutils-cross-canadian.inc
+++ b/meta/recipes-devtools/binutils/binutils-cross-canadian.inc
@@ -21,9 +21,10 @@ LDFLAGS:append:toolchain-clang = " -fuse-ld=bfd"
 do_install () {
         autotools_do_install
 
-        # We're not interested in the libs or headers, these would come from the 
+        # We're not interested in the plugins, libs, or headers, these would come from the
         # nativesdk or target version of the binutils recipe
         rm -rf ${D}${prefix}/${TARGET_SYS}
+        rm -rf ${D}${libdir}/bfd-plugins
         rm -f ${D}${libdir}/libbfd*
         rm -f ${D}${libdir}/libiberty*
         rm -f ${D}${libdir}/libopcodes*
diff --git a/meta/recipes-devtools/fmt/fmt/run-ptest b/meta/recipes-devtools/fmt/fmt/run-ptest
index a069e4543c..ba1e9fc51f 100644
--- a/meta/recipes-devtools/fmt/fmt/run-ptest
+++ b/meta/recipes-devtools/fmt/fmt/run-ptest
@@ -1,5 +1,5 @@
 #!/bin/sh
 
-for t in `ls ./*-test`; do
+for t in *-test; do
         ./$t && echo PASS: $t || echo FAIL: $t
 done
diff --git a/meta/recipes-devtools/fmt/fmt_11.2.0.bb b/meta/recipes-devtools/fmt/fmt_11.2.0.bb
index 06ba523ada..133e1ae77d 100644
--- a/meta/recipes-devtools/fmt/fmt_11.2.0.bb
+++ b/meta/recipes-devtools/fmt/fmt_11.2.0.bb
@@ -17,7 +17,7 @@ EXTRA_OECMAKE += "-DBUILD_SHARED_LIBS=ON"
 EXTRA_OECMAKE += "${@bb.utils.contains('PTEST_ENABLED', '1', '-DFMT_TEST=ON', '', d)}"
 
 do_install_ptest(){
-        for t in `ls ${B}/bin/*-test`; do
+        for t in ${B}/bin/*-test; do
                 install $t ${D}${PTEST_PATH}/
         done
 }
diff --git a/meta/recipes-devtools/python/python3-hypothesis_6.139.2.bb b/meta/recipes-devtools/python/python3-hypothesis_6.142.2.bb
index b03cc22fac..5ba7c66577 100644
--- a/meta/recipes-devtools/python/python3-hypothesis_6.139.2.bb
+++ b/meta/recipes-devtools/python/python3-hypothesis_6.142.2.bb
@@ -13,7 +13,7 @@ SRC_URI += " \
     file://test_rle.py \
     "
 
-SRC_URI[sha256sum] = "2dc2ff36ea977a9cb7fb68f24a5dbf5d673b88a2e502212676eafe09b699f511"
+SRC_URI[sha256sum] = "c4204a2ce327e45fbaf83a2b58142a285135698dc1d08e368ae9901f06b49e64"
 
 RDEPENDS:${PN} += " \
     python3-attrs \
diff --git a/meta/recipes-devtools/python/python3-referencing_0.36.2.bb b/meta/recipes-devtools/python/python3-referencing_0.37.0.bb
index 388c1887fb..a75f5f80d4 100644
--- a/meta/recipes-devtools/python/python3-referencing_0.36.2.bb
+++ b/meta/recipes-devtools/python/python3-referencing_0.37.0.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/python-jsonschema/referencing"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=93eb9740964b59e9ba30281255b044e2"
 
-SRC_URI[sha256sum] = "df2e89862cd09deabbdba16944cc3f10feb6b3e6f18e902f7cc25609a34775aa"
+SRC_URI[sha256sum] = "44aefc3142c5b842538163acb373e24cce6632bd54bdb01b21ad5863489f50d8"
 
 inherit pypi python_hatchling
 
diff --git a/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb b/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb
index a4f3995730..62fdf8e345 100644
--- a/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb
+++ b/meta/recipes-devtools/python/python3-urllib3_2.5.0.bb
@@ -7,18 +7,23 @@ SRC_URI[sha256sum] = "3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbf
 
 inherit pypi python_hatchling
 
-DEPENDS += " \
-    python3-hatch-vcs-native \
-"
+DEPENDS += "python3-hatch-vcs-native"
+
+PACKAGECONFIG ??= ""
+# This is not recommended for use upstream, and has large dependencies
+PACKAGECONFIG[openssl] = ",,,python3-cryptography python3-pyopenssl"
+
+do_install:append() {
+    if ! ${@bb.utils.contains("PACKAGECONFIG", "openssl", "true", "false", d)}; then
+        rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/urllib3/contrib/pyopenssl.py
+    fi
+}
 
 RDEPENDS:${PN} += "\
-    python3-certifi \
-    python3-cryptography \
-    python3-email \
     python3-idna \
+    python3-email \
     python3-json \
     python3-netclient \
-    python3-pyopenssl \
     python3-threading \
     python3-logging \
 "
diff --git a/meta/recipes-devtools/qemu/qemu-native_10.0.2.bb b/meta/recipes-devtools/qemu/qemu-native_10.0.6.bb
index 26fa84c180..26fa84c180 100644
--- a/meta/recipes-devtools/qemu/qemu-native_10.0.2.bb
+++ b/meta/recipes-devtools/qemu/qemu-native_10.0.6.bb
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_10.0.2.bb b/meta/recipes-devtools/qemu/qemu-system-native_10.0.6.bb
index 22462e2499..22462e2499 100644
--- a/meta/recipes-devtools/qemu/qemu-system-native_10.0.2.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_10.0.6.bb
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 2ee76e9a7c..3ed5dcc671 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -31,7 +31,6 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0008-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch \
            file://0010-configure-lookup-meson-exutable-from-PATH.patch \
            file://0011-qemu-Ensure-pip-and-the-python-venv-aren-t-used-for-.patch \
-           file://0012-Remove-deprecated-get_event_loop-calls.patch \
            file://qemu-guest-agent.init \
            file://qemu-guest-agent.udev \
            "
@@ -39,7 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 UPSTREAM_CHECK_URI = "https://www.qemu.org"
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
-SRC_URI[sha256sum] = "ef786f2398cb5184600f69aef4d5d691efd44576a3cff4126d38d4c6fec87759"
+SRC_URI[sha256sum] = "c7c40c4b166871e775804e97fce4da65665d1cc93a5c6c9e2ede9d9ee992e7a0"
 
 CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
 
@@ -51,6 +50,7 @@ CVE_STATUS[CVE-2023-2680] = "not-applicable-platform: RHEL specific issue."
 
 # NVD DB has this CVE as version-less (with "-")
 CVE_STATUS[CVE-2024-6505] = "fixed-version: this CVE is fixed since 9.1.0"
+CVE_STATUS[CVE-2024-8354] = "fixed-version: this CVE is fixed since 10.0.5"
 
 CVE_STATUS[CVE-2023-1386] = "disputed: not an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=2223985"
 
diff --git a/meta/recipes-devtools/qemu/qemu/0012-Remove-deprecated-get_event_loop-calls.patch b/meta/recipes-devtools/qemu/qemu/0012-Remove-deprecated-get_event_loop-calls.patch
deleted file mode 100644
index 64816fe7d9..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0012-Remove-deprecated-get_event_loop-calls.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 5240406747fd43886618ae8194153e6fc957a82a Mon Sep 17 00:00:00 2001
-From: John Snow <jsnow@redhat.com>
-Date: Tue, 13 Aug 2024 09:35:30 -0400
-Subject: [PATCH] Remove deprecated get_event_loop calls
-
-This method was deprecated in 3.12 because it ordinarily should not be
-used from coroutines; if there is not a currently running event loop,
-this automatically creates a new event loop - which is usually not what
-you want from code that would ever run in the bottom half.
-
-In our case, we do want this behavior in two places:
-
-(1) The synchronous shim, for convenience: this allows fully sync
-programs to use QEMUMonitorProtocol() without needing to set up an event
-loop beforehand. This is intentional to fully box in the async
-complexities into the legacy sync shim.
-
-(2) The qmp_tui shell; instead of relying on asyncio.run to create and
-run an asyncio program, we need to be able to pass the current asyncio
-loop to urwid setup functions. For convenience, again, we create one if
-one is not present to simplify the creation of the TUI appliance.
-
-The remaining user of get_event_loop() was in fact one of the erroneous
-users that should not have been using this function: if there's no
-running event loop inside of a coroutine, you're in big trouble :)
-
-Upstream-Status: Backport [https://gitlab.com/qemu-project/python-qemu-qmp/-/merge_requests/33]
-Signed-off-by: John Snow <jsnow@redhat.com>
----
- python/qemu/qmp/legacy.py  | 9 ++++++++-
- python/qemu/qmp/qmp_tui.py | 7 ++++++-
- python/tests/protocol.py   | 2 +-
- 3 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/python/qemu/qmp/legacy.py b/python/qemu/qmp/legacy.py
-index 22a2b56..ea9b803 100644
---- a/python/qemu/qmp/legacy.py
-+++ b/python/qemu/qmp/legacy.py
-@@ -86,7 +86,14 @@ def __init__(self,
-                 "server argument should be False when passing a socket")
- 
-         self._qmp = QMPClient(nickname)
--        self._aloop = asyncio.get_event_loop()
-+
-+        try:
-+            self._aloop = asyncio.get_running_loop()
-+        except RuntimeError:
-+            # No running loop; since this is a sync shim likely to be
-+            # used in fully sync programs, create one if neccessary.
-+            self._aloop = asyncio.get_event_loop_policy().get_event_loop()
-+
-         self._address = address
-         self._timeout: Optional[float] = None
- 
-diff --git a/python/qemu/qmp/qmp_tui.py b/python/qemu/qmp/qmp_tui.py
-index 2d9ebbd..d11b9fc 100644
---- a/python/qemu/qmp/qmp_tui.py
-+++ b/python/qemu/qmp/qmp_tui.py
-@@ -377,7 +377,12 @@ def run(self, debug: bool = False) -> None:
-         screen = urwid.raw_display.Screen()
-         screen.set_terminal_properties(256)
- 
--        self.aloop = asyncio.get_event_loop()
-+        try:
-+            self.aloop = asyncio.get_running_loop()
-+        except RuntimeError:
-+            # No running asyncio event loop. Create one if necessary.
-+            self.aloop = asyncio.get_event_loop_policy().get_event_loop()
-+
-         self.aloop.set_debug(debug)
- 
-         # Gracefully handle SIGTERM and SIGINT signals
-diff --git a/python/tests/protocol.py b/python/tests/protocol.py
-index 56c4d44..8dcef57 100644
---- a/python/tests/protocol.py
-+++ b/python/tests/protocol.py
-@@ -228,7 +228,7 @@ def async_test(async_test_method):
-         Decorator; adds SetUp and TearDown to async tests.
-         """
-         async def _wrapper(self, *args, **kwargs):
--            loop = asyncio.get_event_loop()
-+            loop = asyncio.get_running_loop()
-             loop.set_debug(True)
- 
-             await self._asyncSetUp()
diff --git a/meta/recipes-devtools/qemu/qemu_10.0.2.bb b/meta/recipes-devtools/qemu/qemu_10.0.6.bb
index 5d544d8d13..5d544d8d13 100644
--- a/meta/recipes-devtools/qemu/qemu_10.0.2.bb
+++ b/meta/recipes-devtools/qemu/qemu_10.0.6.bb
diff --git a/meta/recipes-extended/tar/tar_1.35.bb b/meta/recipes-extended/tar/tar_1.35.bb
index ea0993a909..d463eff97d 100644
--- a/meta/recipes-extended/tar/tar_1.35.bb
+++ b/meta/recipes-extended/tar/tar_1.35.bb
@@ -94,3 +94,7 @@ BBCLASSEXTEND = "native nativesdk"
 # Avoid false positives from CVEs in node-tar package
 # For example CVE-2021-{32803,32804,37701,37712,37713}
 CVE_PRODUCT = "gnu:tar"
+
+# A test uses cmp to compare two 8GB files. Busybox's cmp does the job usually, but it is much slower than
+# diffutils' cmp, and the test times out when there is a high load on the host machine.
+RDEPENDS:${PN}-ptest += "diffutils"
diff --git a/meta/recipes-graphics/images/core-image-weston.bb b/meta/recipes-graphics/images/core-image-weston.bb
index 62305cc1ce..96d9c34bfa 100644
--- a/meta/recipes-graphics/images/core-image-weston.bb
+++ b/meta/recipes-graphics/images/core-image-weston.bb
@@ -4,9 +4,11 @@ IMAGE_FEATURES += "splash package-management ssh-server-dropbear hwcodecs weston
 
 LICENSE = "MIT"
 
-inherit core-image
+inherit core-image features_check
 
 CORE_IMAGE_BASE_INSTALL += "gtk+3-demo"
 CORE_IMAGE_BASE_INSTALL += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'weston-xwayland matchbox-terminal', '', d)}"
 
 QB_MEM = "-m 512"
+
+REQUIRED_DISTRO_FEATURES = "wayland"
diff --git a/meta/recipes-graphics/x11-common/x11-volatiles.bb b/meta/recipes-graphics/x11-common/x11-volatiles.bb
new file mode 100644
index 0000000000..23bd6e1661
--- /dev/null
+++ b/meta/recipes-graphics/x11-common/x11-volatiles.bb
@@ -0,0 +1,20 @@
+SUMMARY = "Xserver Volatile Directories"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
+SECTION = "x11"
+
+SRC_URI = "file://02_x11"
+
+S = "${UNPACKDIR}"
+
+inherit bin_package features_check
+
+REQUIRED_DISTRO_FEATURES = "x11"
+CONFLICT_DISTRO_FEATURES = "systemd"
+
+do_install() {
+        install -d ${D}${sysconfdir}/default/volatiles
+        install -m 0644 ${UNPACKDIR}/02_x11 ${D}${sysconfdir}/default/volatiles
+}
+
+FILES:${PN} += "${sysconfdir}/default/volatiles"
diff --git a/meta/recipes-graphics/x11-common/x11-volatiles/02_x11 b/meta/recipes-graphics/x11-common/x11-volatiles/02_x11
new file mode 100644
index 0000000000..35c3698479
--- /dev/null
+++ b/meta/recipes-graphics/x11-common/x11-volatiles/02_x11
@@ -0,0 +1,6 @@
+# Volatile entries to match systemd
+# https://github.com/systemd/systemd/blob/main/tmpfiles.d/x11.conf
+d root root 1777 /tmp/.X11-unix none
+d root root 1777 /tmp/.ICE-unix none
+d root root 1777 /tmp/.XIM-unix none
+d root root 1777 /tmp/.font-unix none
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb
index 14c45be432..3c8cb0173f 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.18.bb
@@ -26,3 +26,5 @@ RCONFLICTS:${PN} = "${PN}-extension-dri \
                     ${PN}-extension-extmod \
                     ${PN}-extension-dbe \
                    "
+
+RDEPENDS:${PN} += "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "", "x11-volatiles", d)}"
diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_24.1.8.bb
index 900da524b3..a621af1a7f 100644
--- a/meta/recipes-graphics/xwayland/xwayland_24.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_24.1.8.bb
@@ -47,4 +47,4 @@ do_install:append() {
 
 FILES:${PN} += "${libdir}/xorg/protocol.txt"
 
-RDEPENDS:${PN} += "xkbcomp"
+RDEPENDS:${PN} += "xkbcomp ${@bb.utils.contains("DISTRO_FEATURES", "systemd", "", "x11-volatiles", d)}"
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20251021.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20251021.bb
index 70fd983b0c..66d3be90e7 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20251021.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20251021.bb
@@ -643,7 +643,6 @@ PACKAGES =+ "${PN}-amphion-vpu-license ${PN}-amphion-vpu \
              ${PN}-qca-wcn6750 \
              ${PN}-qca-qca2066 \
              ${PN}-qca-wcn7850 \
-             ${PN}-qca-misc \
              \
              ${PN}-imx-sdma-license ${PN}-imx-sdma-imx6q ${PN}-imx-sdma-imx7d \
              \
@@ -934,7 +933,6 @@ LICENSE:${PN}-qca-wcn399x = "Firmware-qualcommAthos_ath10k"
 LICENSE:${PN}-qca-wcn6750 = "Firmware-qualcommAthos_ath10k"
 LICENSE:${PN}-qca-qca2066 = "Firmware-qualcommAthos_ath10k"
 LICENSE:${PN}-qca-wcn7850 = "Firmware-qcom"
-LICENSE:${PN}-qca-misc = "Firmware-qualcommAthos_ath10k & Firmware-qcom"
 
 FILES:${PN}-ar3k-license = "${nonarch_base_libdir}/firmware/LICENSE.QualcommAtheros_ar3k"
 FILES:${PN}-ar3k = " \
@@ -1061,12 +1059,7 @@ FILES:${PN}-qca-wcn7850 = " \
   ${nonarch_base_libdir}/firmware/qca/hmtnv20.b112* \
   ${nonarch_base_libdir}/firmware/qca/hmtnv20.bin* \
 "
-FILES:${PN}-qca-misc = "${nonarch_base_libdir}/firmware/qca/*"
-# -qca is a virtual package that depends upon all qca packages.
 ALLOW_EMPTY:${PN}-qca = "1"
-# -qca-misc is a catch all package that includes all the qca
-# firmwares that are not already included in other -qca- packages.
-ALLOW_EMPTY:${PN}-qca-misc = "1"
 
 RDEPENDS:${PN}-ar3k += "${PN}-ar3k-license ${PN}-atheros-license"
 RDEPENDS:${PN}-ath10k += "${PN}-ath10k-license"
@@ -1103,7 +1096,6 @@ RDEPENDS:${PN}-qca-wcn399x += "${PN}-ath10k-license"
 RDEPENDS:${PN}-qca-wcn6750 += "${PN}-ath10k-license"
 RDEPENDS:${PN}-qca-qca2066 += "${PN}-ath10k-license"
 RDEPENDS:${PN}-qca-wcn7850 += "${PN}-qcom-license"
-RDEPENDS:${PN}-qca-misc += "${PN}-ath10k-license ${PN}-qcom-license"
 # For ralink
 LICENSE:${PN}-ralink = "Firmware-ralink-firmware"
 LICENSE:${PN}-ralink-license = "Firmware-ralink-firmware"
diff --git a/meta/recipes-kernel/linux-libc-headers/linux-libc-headers_6.16.bb b/meta/recipes-kernel/linux-libc-headers/linux-libc-headers_6.17.bb
index c3c77f8719..b4bf1126ab 100644
--- a/meta/recipes-kernel/linux-libc-headers/linux-libc-headers_6.16.bb
+++ b/meta/recipes-kernel/linux-libc-headers/linux-libc-headers_6.17.bb
@@ -8,5 +8,5 @@ SRC_URI:append:libc-musl = "\
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 
-SRC_URI[sha256sum] = "1a4be2fe6b5246aa4ac8987a8a4af34c42a8dd7d08b46ab48516bcc1befbcd83"
+SRC_URI[sha256sum] = "9b607166a1c999d8326098121222feb080a20a3253975fcdfa2de96ba7f757a7"
 
diff --git a/meta/recipes-kernel/linux/kernel-devsrc.bb b/meta/recipes-kernel/linux/kernel-devsrc.bb
index 04dd683dde..411c99ba30 100644
--- a/meta/recipes-kernel/linux/kernel-devsrc.bb
+++ b/meta/recipes-kernel/linux/kernel-devsrc.bb
@@ -400,7 +400,7 @@ do_install() {
     for ss in $(find $kerneldir/build/scripts -type f -name '*'); do
         sed -i 's,/usr/bin/python2,/usr/bin/env python3,' "$ss"
         sed -i 's,/usr/bin/env python2,/usr/bin/env python3,' "$ss"
-        sed -i 's,/usr/bin/python,/usr/bin/env python3,' "$ss"
+        sed -i 's,/usr/bin/python$,/usr/bin/env python3,' "$ss"
     done
 
     chown -R root:root ${D}
diff --git a/meta/recipes-support/lz4/lz4/CVE-2025-62813.patch b/meta/recipes-support/lz4/lz4/CVE-2025-62813.patch
new file mode 100644
index 0000000000..4fa0373ff7
--- /dev/null
+++ b/meta/recipes-support/lz4/lz4/CVE-2025-62813.patch
@@ -0,0 +1,69 @@
+From f64efec011c058bd70348576438abac222fe6c82 Mon Sep 17 00:00:00 2001
+From: louislafosse <louis.lafosse@epitech.eu>
+Date: Mon, 31 Mar 2025 20:48:52 +0200
+Subject: [PATCH] fix(null) : improve error handlings when passing a null
+ pointer to some functions from lz4frame
+
+CVE: CVE-2025-62813
+Upstream-Status: Backport [https://github.com/lz4/lz4/commit/f64efec011c058bd70348576438abac222fe6c82]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/lz4frame.c    | 15 +++++++++++++--
+ tests/frametest.c |  9 ++++++---
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/lib/lz4frame.c b/lib/lz4frame.c
+index 85daca7b..c9e4a3cf 100644
+--- a/lib/lz4frame.c
++++ b/lib/lz4frame.c
+@@ -539,9 +539,16 @@ LZ4F_CDict*
+ LZ4F_createCDict_advanced(LZ4F_CustomMem cmem, const void* dictBuffer, size_t dictSize)
+ {
+     const char* dictStart = (const char*)dictBuffer;
+-    LZ4F_CDict* const cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++    LZ4F_CDict* cdict = NULL;
++
+     DEBUGLOG(4, "LZ4F_createCDict_advanced");
+-    if (!cdict) return NULL;
++
++    if (!dictStart)
++        return NULL;
++    cdict = (LZ4F_CDict*)LZ4F_malloc(sizeof(*cdict), cmem);
++    if (!cdict)
++        return NULL;
++
+     cdict->cmem = cmem;
+     if (dictSize > 64 KB) {
+         dictStart += dictSize - 64 KB;
+@@ -1486,6 +1493,10 @@ LZ4F_errorCode_t LZ4F_getFrameInfo(LZ4F_dctx* dctx,
+                                    LZ4F_frameInfo_t* frameInfoPtr,
+                              const void* srcBuffer, size_t* srcSizePtr)
+ {
++    assert(dctx != NULL);
++    RETURN_ERROR_IF(frameInfoPtr == NULL, parameter_null);
++    RETURN_ERROR_IF(srcSizePtr == NULL, parameter_null);
++
+     LZ4F_STATIC_ASSERT(dstage_getFrameHeader < dstage_storeFrameHeader);
+     if (dctx->dStage > dstage_storeFrameHeader) {
+         /* frameInfo already decoded */
+diff --git a/tests/frametest.c b/tests/frametest.c
+index de0fe643..90247547 100644
+--- a/tests/frametest.c
++++ b/tests/frametest.c
+@@ -714,10 +714,13 @@ static int unitTests(U32 seed, double compressibility)
+         size_t const srcSize = 65 KB; /* must be > 64 KB to avoid short-size optimizations */
+         size_t const dstCapacity = LZ4F_compressFrameBound(srcSize, NULL);
+         size_t cSizeNoDict, cSizeWithDict;
+-        LZ4F_CDict* const cdict = LZ4F_createCDict(CNBuffer, dictSize);
+-        if (cdict == NULL) goto _output_error;
+-        CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++        LZ4F_CDict* cdict = NULL;
+ 
++        CHECK( LZ4F_createCompressionContext(&cctx, LZ4F_VERSION) );
++        cdict = LZ4F_createCDict(CNBuffer, dictSize);
++        if (cdict == NULL)
++            goto _output_error;
++        
+         DISPLAYLEVEL(3, "Testing LZ4F_createCDict_advanced : ");
+         {   LZ4F_CDict* const cda = LZ4F_createCDict_advanced(lz4f_cmem_test, CNBuffer, dictSize);
+             if (cda == NULL) goto _output_error;
diff --git a/meta/recipes-support/lz4/lz4_1.10.0.bb b/meta/recipes-support/lz4/lz4_1.10.0.bb
index 9bd3cfc27b..f2a86036b5 100644
--- a/meta/recipes-support/lz4/lz4_1.10.0.bb
+++ b/meta/recipes-support/lz4/lz4_1.10.0.bb
@@ -14,7 +14,9 @@ SRCREV = "ebb370ca83af193212df4dcbadcc5d87bc0de2f0"
 
 SRC_URI = "git://github.com/lz4/lz4.git;branch=release;protocol=https \
            file://reproducibility.patch \
-           file://run-ptest"
+           file://run-ptest \
+           file://CVE-2025-62813.patch \
+"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
 
 inherit ptest
diff --git a/scripts/lib/wic/ksparser.py b/scripts/lib/wic/ksparser.py
index 48b5b09ddd..4ccd70dc55 100644
--- a/scripts/lib/wic/ksparser.py
+++ b/scripts/lib/wic/ksparser.py
@@ -16,6 +16,7 @@ import os
 import shlex
 import logging
 import re
+import uuid
 
 from argparse import ArgumentParser, ArgumentError, ArgumentTypeError
 
@@ -196,7 +197,7 @@ class KickStart():
         bootloader.add_argument('--configfile')
         bootloader.add_argument('--ptable', choices=('msdos', 'gpt', 'gpt-hybrid'),
                                 default='msdos')
-        bootloader.add_argument('--diskid', type=lambda x: int(x, 0))
+        bootloader.add_argument('--diskid')
         bootloader.add_argument('--timeout', type=int)
         bootloader.add_argument('--source')
 
@@ -297,6 +298,24 @@ class KickStart():
                             if append_var:
                                 self.bootloader.append = ' '.join(filter(None, \
                                                          (self.bootloader.append, append_var)))
+                            if parsed.diskid:
+                                if parsed.ptable == "msdos":
+                                    try:
+                                        self.bootloader.diskid = int(parsed.diskid, 0)
+                                    except ValueError:
+                                        err = "with --ptbale msdos only 32bit integers " \
+                                              "are allowed for --diskid. %s could not " \
+                                              "be parsed" % self.ptable
+                                        raise KickStartError(err)
+                                else:
+                                    try:
+                                        self.bootloader.diskid = uuid.UUID(parsed.diskid)
+                                    except ValueError:
+                                        err = "with --ptable %s only valid uuids are " \
+                                              "allowed for --diskid. %s could not be " \
+                                              "parsed" % (parsed.ptable, parsed.diskid)
+                                        raise KickStartError(err)
+
                         else:
                             err = "%s:%d: more than one bootloader specified" \
                                       % (confpath, lineno)
diff --git a/scripts/lib/wic/plugins/imager/direct.py b/scripts/lib/wic/plugins/imager/direct.py
index f40f033a3d..ad922cfbf1 100644
--- a/scripts/lib/wic/plugins/imager/direct.py
+++ b/scripts/lib/wic/plugins/imager/direct.py
@@ -315,7 +315,14 @@ class PartitionedImage():
                           # all partitions (in bytes)
         self.ptable_format = ptable_format  # Partition table format
         # Disk system identifier
-        if disk_id:
+        if disk_id and ptable_format in ('gpt', 'gpt-hybrid'):
+            self.disk_guid = disk_id
+        elif os.getenv('SOURCE_DATE_EPOCH'):
+            self.disk_guid = uuid.UUID(int=int(os.getenv('SOURCE_DATE_EPOCH')))
+        else:
+            self.disk_guid = uuid.uuid4()
+
+        if disk_id and ptable_format == 'msdos':
             self.identifier = disk_id
         elif os.getenv('SOURCE_DATE_EPOCH'):
             self.identifier = random.Random(int(os.getenv('SOURCE_DATE_EPOCH'))).randint(1, 0xffffffff)
@@ -545,11 +552,6 @@ class PartitionedImage():
 
     def _write_disk_guid(self):
         if self.ptable_format in ('gpt', 'gpt-hybrid'):
-            if os.getenv('SOURCE_DATE_EPOCH'):
-                self.disk_guid = uuid.UUID(int=int(os.getenv('SOURCE_DATE_EPOCH')))
-            else:
-                self.disk_guid = uuid.uuid4()
-
             logger.debug("Set disk guid %s", self.disk_guid)
             sfdisk_cmd = "sfdisk --sector-size %s --disk-id %s %s" % \
                         (self.sector_size, self.path, self.disk_guid)