152 files changed, 4446 insertions, 4664 deletions
diff --git a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb b/meta/recipes-connectivity/avahi/avahi-libnss-mdns_0.15.1.bb
index 5e4460045b..d45c06357d 100644
--- a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
+++ b/meta/recipes-connectivity/avahi/avahi-libnss-mdns_0.15.1.bb
@@ -1,28 +1,28 @@
 SUMMARY = "Name Service Switch module for Multicast DNS (zeroconf) name resolution"
 HOMEPAGE = "https://github.com/lathiat/nss-mdns"
+DESCRIPTION = "nss-mdns is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) providing host name resolution via Multicast DNS (aka Zeroconf, aka Apple Rendezvous, aka Apple Bonjour), effectively allowing name resolution by common Unix/Linux programs in the ad-hoc mDNS domain .local."
 SECTION = "libs"
-LICENSE = "LGPLv2.1+"
+LICENSE = "LGPL-2.1-or-later"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1"
 DEPENDS = "avahi"
-SRC_URI = "git://github.com/lathiat/nss-mdns \
+SRC_URI = "git://github.com/lathiat/nss-mdns;branch=master;protocol=https \
           "
-SRCREV = "41c9c5e78f287ed4b41ac438c1873fa71bfa70ae"
+SRCREV = "4b3cfe818bf72d99a02b8ca8b8813cb2d6b40633"
-S = "${WORKDIR}/git"
 inherit autotools pkgconfig
-COMPATIBLE_HOST_libc-musl = 'null'
+COMPATIBLE_HOST:libc-musl = 'null'
 EXTRA_OECONF = "--libdir=${base_libdir}"
-RDEPENDS_${PN} = "avahi-daemon"
+RDEPENDS:${PN} = "avahi-daemon"
+RPROVIDES:${PN} = "libnss-mdns"
-pkg_postinst_${PN} () {
+pkg_postinst:${PN} () {
        sed '
                /^hosts:/ !b
                /\<mdns\(4\|6\)\?\(_minimal\)\?\>/ b
@@ -30,7 +30,7 @@ pkg_postinst_${PN} () {
                ' -i $D${sysconfdir}/nsswitch.conf
 }
-pkg_prerm_${PN} () {
+pkg_prerm:${PN} () {
        sed '
                /^hosts:/ !b
                s/[[:blank:]]\+mdns\(4\|6\)\?\(_minimal\( \[NOTFOUND=return\]\)\?\)\?//g
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index c8a3f876aa..220160a7e1 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -5,35 +5,47 @@ with no specific configuration. This tool implements IPv4LL, "Dynamic Configurat
 IPv4 Link-Local Addresses" (IETF RFC3927), a protocol for automatic IP address \
 configuration from the link-local 169.254.0.0/16 range without the need for a central \
 server.'
-AUTHOR = "Lennart Poettering <lennart@poettering.net>"
 HOMEPAGE = "http://avahi.org"
-BUGTRACKER = "https://github.com/lathiat/avahi/issues"
+BUGTRACKER = "https://github.com/avahi/avahi/issues"
 SECTION = "network"
-# major part is under LGPLv2.1+, but several .dtd, .xsl, initscripts and
+# major part is under LGPL-2.1-or-later, but several .dtd, .xsl, initscripts and
-# python scripts are under GPLv2+
+# python scripts are under GPL-2.0-or-later
-LICENSE = "GPLv2+ & LGPLv2.1+"
+LICENSE = "GPL-2.0-or-later & LGPL-2.1-or-later"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://avahi-common/address.h;endline=25;md5=b1d1d2cda1c07eb848ea7d6215712d9d \
                    file://avahi-core/dns.h;endline=23;md5=6fe82590b81aa0ddea5095b548e2fdcb \
                    file://avahi-daemon/main.c;endline=21;md5=9ee77368c5407af77caaef1b07285969 \
                    file://avahi-client/client.h;endline=23;md5=f4ac741a25c4f434039ba3e18c8674cf"
-SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
+SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
           file://00avahi-autoipd \
           file://99avahi-autoipd \
           file://initscript.patch \
           file://0001-Fix-opening-etc-resolv.conf-error.patch \
+           file://handle-hup.patch \
+           file://local-ping.patch \
+           file://invalid-service.patch \
+           file://CVE-2023-1981.patch \
+           file://CVE-2023-38469-1.patch \
+           file://CVE-2023-38469-2.patch \
+           file://CVE-2023-38470-1.patch \
+           file://CVE-2023-38470-2.patch \
+           file://CVE-2023-38471-1.patch \
+           file://CVE-2023-38471-2.patch \
+           file://CVE-2023-38472.patch \
+           file://CVE-2023-38473.patch \
           "
-UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
+GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"
-SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
 SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
-DEPENDS = "expat libcap libdaemon glib-2.0 intltool-native"
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
+DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
 # For gtk related PACKAGECONFIGs: gtk, gtk3
-AVAHI_GTK ?= "gtk3"
+AVAHI_GTK ?= ""
 PACKAGECONFIG ??= "dbus ${@bb.utils.contains_any('DISTRO_FEATURES','x11 wayland','${AVAHI_GTK}','',d)}"
 PACKAGECONFIG[dbus] = "--enable-dbus,--disable-dbus,dbus"
@@ -43,7 +55,7 @@ PACKAGECONFIG[libdns_sd] = "--enable-compat-libdns_sd --enable-dbus,,dbus"
 PACKAGECONFIG[libevent] = "--enable-libevent,--disable-libevent,libevent"
 PACKAGECONFIG[qt5] = "--enable-qt5,--disable-qt5,qtbase"
-inherit autotools pkgconfig gettext gobject-introspection
+inherit autotools pkgconfig gettext gobject-introspection github-releases
 EXTRA_OECONF = "--with-avahi-priv-access-group=adm \
             --disable-stack-protector \
@@ -62,23 +74,22 @@ EXTRA_OECONF = "--with-avahi-priv-access-group=adm \
 # The distro choice determines what init scripts are installed
 EXTRA_OECONF_SYSVINIT = "${@bb.utils.contains('DISTRO_FEATURES','sysvinit','--with-distro=debian','--with-distro=none',d)}"
-EXTRA_OECONF_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES','systemd','--with-systemdsystemunitdir=${systemd_unitdir}/system/','--without-systemdsystemunitdir',d)}"
+EXTRA_OECONF_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES','systemd','--with-systemdsystemunitdir=${systemd_system_unitdir}/','--without-systemdsystemunitdir',d)}"
-do_configure_prepend() {
+do_configure:prepend() {
    # This m4 file will get in the way of our introspection.m4 with special cross-compilation fixes
    rm "${S}/common/introspection.m4" || true
 }
-do_compile_prepend() {
+do_compile:prepend() {
    export GIR_EXTRA_LIBS_PATH="${B}/avahi-gobject/.libs:${B}/avahi-common/.libs:${B}/avahi-client/.libs:${B}/avahi-glib/.libs"
 }
-RRECOMMENDS_${PN}_append_libc-glibc = " libnss-mdns"
+RRECOMMENDS:${PN}:append:libc-glibc = " avahi-libnss-mdns"
 do_install() {
        autotools_do_install
        rm -rf ${D}/run
-        rm -rf ${D}${datadir}/dbus-1/interfaces
        test -d ${D}${datadir}/dbus-1 && rmdir --ignore-fail-on-non-empty ${D}${datadir}/dbus-1
        rm -rf ${D}${libdir}/avahi
@@ -90,96 +101,96 @@ do_install() {
 PACKAGES =+ "${@bb.utils.contains("PACKAGECONFIG", "libdns_sd", "libavahi-compat-libdnssd", "", d)}"
-FILES_libavahi-compat-libdnssd = "${libdir}/libdns_sd.so.*"
+FILES:libavahi-compat-libdnssd = "${libdir}/libdns_sd.so.*"
-RPROVIDES_libavahi-compat-libdnssd = "libdns-sd"
+RPROVIDES:libavahi-compat-libdnssd = "libdns-sd"
 inherit update-rc.d systemd useradd
 PACKAGES =+ "libavahi-gobject avahi-daemon libavahi-common libavahi-core libavahi-client avahi-dnsconfd libavahi-glib avahi-autoipd avahi-utils avahi-discover avahi-ui"
-FILES_avahi-ui = "${libdir}/libavahi-ui*.so.*"
+FILES:avahi-ui = "${libdir}/libavahi-ui*.so.*"
-FILES_avahi-discover = "${datadir}/applications/avahi-discover.desktop \
+FILES:avahi-discover = "${datadir}/applications/avahi-discover.desktop \
                        ${datadir}/avahi/interfaces/avahi-discover.ui \
                        ${bindir}/avahi-discover-standalone \
                        "
-LICENSE_libavahi-gobject = "LGPLv2.1+"
+LICENSE:libavahi-gobject = "LGPL-2.1-or-later"
-LICENSE_avahi-daemon = "LGPLv2.1+"
+LICENSE:avahi-daemon = "LGPL-2.1-or-later"
-LICENSE_libavahi-common = "LGPLv2.1+"
+LICENSE:libavahi-common = "LGPL-2.1-or-later"
-LICENSE_libavahi-core = "LGPLv2.1+"
+LICENSE:libavahi-core = "LGPL-2.1-or-later"
-LICENSE_libavahi-client = "LGPLv2.1+"
+LICENSE:libavahi-client = "LGPL-2.1-or-later"
-LICENSE_avahi-dnsconfd = "LGPLv2.1+"
+LICENSE:avahi-dnsconfd = "LGPL-2.1-or-later"
-LICENSE_libavahi-glib = "LGPLv2.1+"
+LICENSE:libavahi-glib = "LGPL-2.1-or-later"
-LICENSE_avahi-autoipd = "LGPLv2.1+"
+LICENSE:avahi-autoipd = "LGPL-2.1-or-later"
-LICENSE_avahi-utils = "LGPLv2.1+"
+LICENSE:avahi-utils = "LGPL-2.1-or-later"
 # As avahi doesn't put any files into PN, clear the files list to avoid problems
 # if extra libraries appear.
-FILES_${PN} = ""
+FILES:${PN} = ""
-FILES_avahi-autoipd = "${sbindir}/avahi-autoipd \
+FILES:avahi-autoipd = "${sbindir}/avahi-autoipd \
                       ${sysconfdir}/avahi/avahi-autoipd.action \
                       ${sysconfdir}/dhcp/*/avahi-autoipd \
                       ${sysconfdir}/udhcpc.d/00avahi-autoipd \
                       ${sysconfdir}/udhcpc.d/99avahi-autoipd"
-FILES_libavahi-common = "${libdir}/libavahi-common.so.*"
+FILES:libavahi-common = "${libdir}/libavahi-common.so.*"
-FILES_libavahi-core = "${libdir}/libavahi-core.so.* ${libdir}/girepository-1.0/AvahiCore*.typelib"
+FILES:libavahi-core = "${libdir}/libavahi-core.so.* ${libdir}/girepository-1.0/AvahiCore*.typelib"
-FILES_avahi-daemon = "${sbindir}/avahi-daemon \
+FILES:avahi-daemon = "${sbindir}/avahi-daemon \
                      ${sysconfdir}/avahi/avahi-daemon.conf \
                      ${sysconfdir}/avahi/hosts \
                      ${sysconfdir}/avahi/services \
                      ${sysconfdir}/dbus-1 \
                      ${sysconfdir}/init.d/avahi-daemon \
-                      ${datadir}/avahi/introspection/*.introspect \
+                      ${datadir}/dbus-1/interfaces \
                      ${datadir}/avahi/avahi-service.dtd \
                      ${datadir}/avahi/service-types \
                      ${datadir}/dbus-1/system-services"
-FILES_libavahi-client = "${libdir}/libavahi-client.so.*"
+FILES:libavahi-client = "${libdir}/libavahi-client.so.*"
-FILES_avahi-dnsconfd = "${sbindir}/avahi-dnsconfd \
+FILES:avahi-dnsconfd = "${sbindir}/avahi-dnsconfd \
                        ${sysconfdir}/avahi/avahi-dnsconfd.action \
                        ${sysconfdir}/init.d/avahi-dnsconfd"
-FILES_libavahi-glib = "${libdir}/libavahi-glib.so.*"
+FILES:libavahi-glib = "${libdir}/libavahi-glib.so.*"
-FILES_libavahi-gobject = "${libdir}/libavahi-gobject.so.*  ${libdir}/girepository-1.0/Avahi*.typelib"
+FILES:libavahi-gobject = "${libdir}/libavahi-gobject.so.*  ${libdir}/girepository-1.0/Avahi*.typelib"
-FILES_avahi-utils = "${bindir}/avahi-* ${bindir}/b* ${datadir}/applications/b*"
+FILES:avahi-utils = "${bindir}/avahi-* ${bindir}/b* ${datadir}/applications/b*"
-RDEPENDS_${PN}-dev = "avahi-daemon (= ${EXTENDPKGV}) libavahi-core (= ${EXTENDPKGV})"
+DEV_PKG_DEPENDENCY = "avahi-daemon (= ${EXTENDPKGV}) libavahi-core (= ${EXTENDPKGV})"
-RDEPENDS_${PN}-dev += "${@["", " libavahi-client (= ${EXTENDPKGV})"][bb.utils.contains('PACKAGECONFIG', 'dbus', 1, 0, d)]}"
+DEV_PKG_DEPENDENCY += "${@["", " libavahi-client (= ${EXTENDPKGV})"][bb.utils.contains('PACKAGECONFIG', 'dbus', 1, 0, d)]}"
-RDEPENDS_${PN}-dnsconfd = "${PN}-daemon"
+RDEPENDS:${PN}-dnsconfd = "${PN}-daemon"
-RRECOMMENDS_avahi-daemon_append_libc-glibc = " libnss-mdns"
+RRECOMMENDS:avahi-daemon:append:libc-glibc = " avahi-libnss-mdns"
-CONFFILES_avahi-daemon = "${sysconfdir}/avahi/avahi-daemon.conf"
+CONFFILES:avahi-daemon = "${sysconfdir}/avahi/avahi-daemon.conf"
 USERADD_PACKAGES = "avahi-daemon avahi-autoipd"
-USERADD_PARAM_avahi-daemon = "--system --home /run/avahi-daemon \
+USERADD_PARAM:avahi-daemon = "--system --home /run/avahi-daemon \
                              --no-create-home --shell /bin/false \
                              --user-group avahi"
-USERADD_PARAM_avahi-autoipd = "--system --home /run/avahi-autoipd \
+USERADD_PARAM:avahi-autoipd = "--system --home /run/avahi-autoipd \
                              --no-create-home --shell /bin/false \
                              --user-group \
                              -c \"Avahi autoip daemon\" \
                              avahi-autoipd"
 INITSCRIPT_PACKAGES = "avahi-daemon avahi-dnsconfd"
-INITSCRIPT_NAME_avahi-daemon = "avahi-daemon"
+INITSCRIPT_NAME:avahi-daemon = "avahi-daemon"
-INITSCRIPT_PARAMS_avahi-daemon = "defaults 21 19"
+INITSCRIPT_PARAMS:avahi-daemon = "defaults 21 19"
-INITSCRIPT_NAME_avahi-dnsconfd = "avahi-dnsconfd"
+INITSCRIPT_NAME:avahi-dnsconfd = "avahi-dnsconfd"
-INITSCRIPT_PARAMS_avahi-dnsconfd = "defaults 22 19"
+INITSCRIPT_PARAMS:avahi-dnsconfd = "defaults 22 19"
 SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-dnsconfd"
-SYSTEMD_SERVICE_${PN}-daemon = "avahi-daemon.service"
+SYSTEMD_SERVICE:${PN}-daemon = "avahi-daemon.service"
-SYSTEMD_SERVICE_${PN}-dnsconfd = "avahi-dnsconfd.service"
+SYSTEMD_SERVICE:${PN}-dnsconfd = "avahi-dnsconfd.service"
-do_install_append() {
+do_install:append() {
        install -d ${D}${sysconfdir}/udhcpc.d
-        install ${WORKDIR}/00avahi-autoipd ${D}${sysconfdir}/udhcpc.d
+        install ${UNPACKDIR}/00avahi-autoipd ${D}${sysconfdir}/udhcpc.d
-        install ${WORKDIR}/99avahi-autoipd ${D}${sysconfdir}/udhcpc.d
+        install ${UNPACKDIR}/99avahi-autoipd ${D}${sysconfdir}/udhcpc.d
 }
 # At the time the postinst runs, dbus might not be setup so only restart if running 
 # Don't exit early, because update-rc.d needs to run subsequently.
-pkg_postinst_avahi-daemon () {
+pkg_postinst:avahi-daemon () {
 if [ -z "$D" ]; then
        killall -q -HUP dbus-daemon || true
 fi
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
new file mode 100644
index 0000000000..4d7924d13a
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,58 @@
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+Fixes #375
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
+index 70d7687bc..406d0b441 100644
+--- a/avahi-daemon/dbus-protocol.c
+++ b/avahi-daemon/dbus-protocol.c
+@@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM
+     }
+ 
+     t = avahi_alternative_host_name(n);
+-    avahi_dbus_respond_string(c, m, t);
+-    avahi_free(t);
+    if (t) {
+        avahi_dbus_respond_string(c, m, t);
+        avahi_free(t);
+ 
+-    return DBUS_HANDLER_RESULT_HANDLED;
+        return DBUS_HANDLER_RESULT_HANDLED;
+    } else {
+        return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
+    }
+ }
+ 
+ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) {
+@@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB
+     }
+ 
+     t = avahi_alternative_service_name(n);
+-    avahi_dbus_respond_string(c, m, t);
+-    avahi_free(t);
+    if (t) {
+        avahi_dbus_respond_string(c, m, t);
+        avahi_free(t);
+ 
+-    return DBUS_HANDLER_RESULT_HANDLED;
+        return DBUS_HANDLER_RESULT_HANDLED;
+    } else {
+        return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
+    }
+ }
+ 
+ static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) {
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
new file mode 100644
index 0000000000..a078f66102
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
@@ -0,0 +1,48 @@
+From 72842945085cc3adaccfdfa2853771b0e75ef991 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 23 Oct 2023 20:29:31 +0000
+Subject: [PATCH] avahi: core: reject overly long TXT resource records
+Closes https://github.com/lathiat/avahi/issues/455
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf]
+CVE: CVE-2023-38469
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-core/rr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/avahi-core/rr.c b/avahi-core/rr.c
+index 7fa0bee..b03a24c 100644
+--- a/avahi-core/rr.c
+++ b/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/defs.h>
+#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
+         case AVAHI_DNS_TYPE_TXT: {
+             AvahiStringList *strlst;
+            size_t used = 0;
+-            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
+            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+                 if (strlst->size > 255 || strlst->size <= 0)
+                     return 0;
+                used += 1+strlst->size;
+                if (used > AVAHI_DNS_RDATA_MAX)
+                    return 0;
+            }
+
+             return 1;
+         }
+     }
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
new file mode 100644
index 0000000000..f8f60ddca1
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
@@ -0,0 +1,65 @@
+From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 25 Oct 2023 18:15:42 +0000
+Subject: [PATCH] tests: pass overly long TXT resource records
+to make sure they don't crash avahi any more.
+It reproduces https://github.com/lathiat/avahi/issues/455
+Canonical notes:
+nickgalanis> removed first hunk since there is no .github dir in this release
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c       | 14 ++++++++++++++
+ 1 files changed, 14 insertions(+)
+Index: avahi-0.8/avahi-client/client-test.c
+===================================================================
+--- avahi-0.8.orig/avahi-client/client-test.c
+++ avahi-0.8/avahi-client/client-test.c
+@@ -22,6 +22,7 @@
+ #endif
+ 
+ #include <stdio.h>
+#include <string.h>
+ #include <assert.h>
+ 
+ #include <avahi-client/client.h>
+@@ -33,6 +34,8 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/timeval.h>
+ 
+#include <avahi-core/dns.h>
+
+ static const AvahiPoll *poll_api = NULL;
+ static AvahiSimplePoll *simple_poll = NULL;
+ 
+@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     uint32_t cookie;
+     struct timeval tv;
+     AvahiAddress a;
+    uint8_t rdata[AVAHI_DNS_RDATA_MAX+1];
+    AvahiStringList *txt = NULL;
+    int r;
+ 
+     simple_poll = avahi_simple_poll_new();
+     poll_api = avahi_simple_poll_get(simple_poll);
+@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+     printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+ 
+    memset(rdata, 1, sizeof(rdata));
+    r = avahi_string_list_parse(rdata, sizeof(rdata), &txt);
+    assert(r >= 0);
+    assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata));
+    error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt);
+    assert(error == AVAHI_ERR_INVALID_RECORD);
+    avahi_string_list_free(txt);
+
+     avahi_entry_group_commit (group);
+ 
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
new file mode 100644
index 0000000000..91f9e677ac
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
@@ -0,0 +1,59 @@
+From af7bfad67ca53a7c4042a4a2d85456b847e9f249 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 11 Apr 2023 15:29:59 +0200
+Subject: [PATCH] avahi: Ensure each label is at least one byte long
+The only allowed exception is single dot, where it should return empty
+string.
+Fixes #454.
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c]
+CVE: CVE-2023-38470
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-common/domain-test.c | 14 ++++++++++++++
+ avahi-common/domain.c      |  2 +-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
+index cf763ec..3acc1c1 100644
+--- a/avahi-common/domain-test.c
+++ b/avahi-common/domain-test.c
+@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
+     avahi_free(s);
+    printf("%s\n", s = avahi_normalize_name_strdup("."));
+    avahi_free(s);
+
+    s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
+                   "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
+                   ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
+                   "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
+                   "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
+                   "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
+                   "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
+                   "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
+                   "}.?.?.?.}.=.?.?.}");
+    assert(s == NULL);
+
+     printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
+     printf("%i\n", avahi_domain_equal("A", "a"));
+diff --git a/avahi-common/domain.c b/avahi-common/domain.c
+index 3b1ab68..e66d241 100644
+--- a/avahi-common/domain.c
+++ b/avahi-common/domain.c
+@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) {
+         }
+         if (!empty) {
+-            if (size < 1)
+            if (size < 2)
+                 return NULL;
+             *(r++) = '.';
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
new file mode 100644
index 0000000000..e0736bf210
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
@@ -0,0 +1,52 @@
+From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 19 Sep 2023 03:21:25 +0000
+Subject: [PATCH] [common] bail out when escaped labels can't fit into ret
+Fixes:
+```
+==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8
+READ of size 1110 at 0x7f9e76f14c16 thread T0
+    #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba)
+    #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12
+    #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12
+```
+and
+```
+fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed.
+==101571== ERROR: libFuzzer: deadly signal
+    #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #3 0x7f1581d7ebaf  (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9
+```
+It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-2.patch?h=ubuntu/jammy-security
+CVE: CVE-2023-38470 #Follow-up patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/domain.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+Index: avahi-0.8/avahi-common/domain.c
+===================================================================
+--- avahi-0.8.orig/avahi-common/domain.c
+++ avahi-0.8/avahi-common/domain.c
+@@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s
+         } else
+             empty = 0;
+ 
+-        avahi_escape_label(label, strlen(label), &r, &size);
+        if (!(avahi_escape_label(label, strlen(label), &r, &size)))
+            return NULL;
+     }
+ 
+     return ret_s;
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
new file mode 100644
index 0000000000..b3f716495d
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
@@ -0,0 +1,73 @@
+From 48d745db7fd554fc33e96ec86d3675ebd530bb8e Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] avahi: core: extract host name using avahi_unescape_label()
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+Fixes #453
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
+CVE: CVE-2023-38471
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-core/server.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index e507750..40f1d68 100644
+--- a/avahi-core/server.c
+++ b/avahi-core/server.c
+@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
+ }
+ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+-    char *hn = NULL;
+    char label_escaped[AVAHI_LABEL_MAX*4+1];
+    char label[AVAHI_LABEL_MAX];
+    char *hn = NULL, *h;
+    size_t len;
+
+     assert(s);
+     AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+-    hn[strcspn(hn, ".")] = 0;
+    h = hn;
+    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+        avahi_free(h);
+        return AVAHI_ERR_INVALID_HOST_NAME;
+    }
+
+    avahi_free(h);
+
+    h = label_escaped;
+    len = sizeof(label_escaped);
+    if (!avahi_escape_label(label, strlen(label), &h, &len))
+        return AVAHI_ERR_INVALID_HOST_NAME;
+-    if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+-        avahi_free(hn);
+    if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+-    }
+     withdraw_host_rrs(s);
+     avahi_free(s->host_name);
+-    s->host_name = hn;
+    s->host_name = avahi_strdup(label_escaped);
+    if (!s->host_name)
+        return AVAHI_ERR_NO_MEMORY;
+     update_fqdn(s);
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
new file mode 100644
index 0000000000..44737bfc2e
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
@@ -0,0 +1,52 @@
+From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 24 Oct 2023 22:04:51 +0000
+Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
+It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460]
+CVE: CVE-2023-38471 #Follow-up Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/server.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+Index: avahi-0.8/avahi-core/server.c
+===================================================================
+--- avahi-0.8.orig/avahi-core/server.c
+++ avahi-0.8/avahi-core/server.c
+@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServ
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+ 
+    if (!hn)
+        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+
+     h = hn;
+     if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+         avahi_free(h);
+-        return AVAHI_ERR_INVALID_HOST_NAME;
+        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+     }
+ 
+     avahi_free(h);
+@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServ
+     h = label_escaped;
+     len = sizeof(label_escaped);
+     if (!avahi_escape_label(label, strlen(label), &h, &len))
+-        return AVAHI_ERR_INVALID_HOST_NAME;
+        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+ 
+     if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServ
+     avahi_free(s->host_name);
+     s->host_name = avahi_strdup(label_escaped);
+     if (!s->host_name)
+-        return AVAHI_ERR_NO_MEMORY;
+        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+ 
+     update_fqdn(s);
+ 
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
new file mode 100644
index 0000000000..85dbded73b
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
@@ -0,0 +1,46 @@
+From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] core: make sure there is rdata to process before parsing it
+Fixes #452
+CVE-2023-38472
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
+CVE: CVE-2023-38472
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c      | 3 +++
+ avahi-daemon/dbus-entry-group.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+Index: avahi-0.8/avahi-client/client-test.c
+===================================================================
+--- avahi-0.8.orig/avahi-client/client-test.c
+++ avahi-0.8/avahi-client/client-test.c
+@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     assert(error == AVAHI_ERR_INVALID_RECORD);
+     avahi_string_list_free(txt);
+ 
+    error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
+    assert(error != AVAHI_OK);
+
+     avahi_entry_group_commit (group);
+ 
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+Index: avahi-0.8/avahi-daemon/dbus-entry-group.c
+===================================================================
+--- avahi-0.8.orig/avahi-daemon/dbus-entry-group.c
+++ avahi-0.8/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g
+         if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+ 
+-        if (avahi_rdata_parse (r, rdata, size) < 0) {
+        if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+             avahi_record_unref (r);
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+         }
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
new file mode 100644
index 0000000000..707acb60fe
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
@@ -0,0 +1,110 @@
+From 88cbbc48d5efff9726694557ca6c3f698f3affe4 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 11 Oct 2023 17:45:44 +0200
+Subject: [PATCH] avahi: common: derive alternative host name from its
+ unescaped version
+Normalization of input makes sure we don't have to deal with special
+cases like unescaped dot at the end of label.
+Fixes #451 #487
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
+CVE: CVE-2023-38473
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-common/alternative-test.c |  3 +++
+ avahi-common/alternative.c      | 27 +++++++++++++++++++--------
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
+index 9255435..681fc15 100644
+--- a/avahi-common/alternative-test.c
+++ b/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     const char* const test_strings[] = {
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
+        ").",
+        "\\.",
+        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+         "gurke",
+         "-",
+         " #",
+diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
+index b3d39f0..a094e6d 100644
+--- a/avahi-common/alternative.c
+++ b/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
+ }
+ char *avahi_alternative_host_name(const char *s) {
+    char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
+    char *alt, *r, *ret;
+     const char *e;
+-    char *r;
+    size_t len;
+     assert(s);
+     if (!avahi_is_valid_host_name(s))
+         return NULL;
+-    if ((e = strrchr(s, '-'))) {
+    if (!avahi_unescape_label(&s, label, sizeof(label)))
+        return NULL;
+
+    if ((e = strrchr(label, '-'))) {
+         const char *p;
+         e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
+     if (e) {
+         char *c, *m;
+-        size_t l;
+         int n;
+         n = atoi(e)+1;
+         if (!(m = avahi_strdup_printf("%i", n)))
+             return NULL;
+-        l = e-s-1;
+        len = e-label-1;
+-        if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+-            l = AVAHI_LABEL_MAX-1-strlen(m)-1;
+        if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+            len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+-        if (!(c = avahi_strndup(s, l))) {
+        if (!(c = avahi_strndup(label, len))) {
+             avahi_free(m);
+             return NULL;
+         }
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
+     } else {
+         char *c;
+-        if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
+        if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+             return NULL;
+         drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
+         avahi_free(c);
+     }
+    alt = alternative;
+    len = sizeof(alternative);
+    ret = avahi_escape_label(r, strlen(r), &alt, &len);
+
+    avahi_free(r);
+    r = avahi_strdup(ret);
+
+     assert(avahi_is_valid_host_name(r));
+     return r;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/handle-hup.patch b/meta/recipes-connectivity/avahi/files/handle-hup.patch
new file mode 100644
index 0000000000..26632e5443
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/handle-hup.patch
@@ -0,0 +1,41 @@
+CVE: CVE-2021-3468
+Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/330]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <sirmy15@gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
+++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+         }
+     }
+ 
+    if (events & AVAHI_WATCH_HUP) {
+        client_free(c);
+        return;
+    }
+
+     c->server->poll_api->watch_update(
+         watch,
+         (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
diff --git a/meta/recipes-connectivity/avahi/files/initscript.patch b/meta/recipes-connectivity/avahi/files/initscript.patch
index c856c3df04..e1176888df 100644
--- a/meta/recipes-connectivity/avahi/files/initscript.patch
+++ b/meta/recipes-connectivity/avahi/files/initscript.patch
@@ -1,4 +1,8 @@
-Upstream-Status: Pending
+Note: upcoming avahi 0.9 drops debian initscripts altogether,
+so any version update would probably have to copy the last
+upstream versions into oe-core, and install them from the recipe.
+Upstream-Status: Inappropriate [upstream removed the files]
 Index: avahi-0.7/initscript/debian/avahi-daemon.in
 ===================================================================
diff --git a/meta/recipes-connectivity/avahi/files/invalid-service.patch b/meta/recipes-connectivity/avahi/files/invalid-service.patch
new file mode 100644
index 0000000000..8f188aff2c
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/invalid-service.patch
@@ -0,0 +1,29 @@
+From 46490e95151d415cd22f02565e530eb5efcef680 Mon Sep 17 00:00:00 2001
+From: Asger Hautop Drewsen <asger@princh.com>
+Date: Mon, 9 Aug 2021 14:25:08 +0200
+Subject: [PATCH] Fix avahi-browse: Invalid service type
+Invalid service types will stop the browse from completing, or
+in simple terms "my washing machine stops me from printing".
+Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/472]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ avahi-core/browse-service.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
+index 63e0275a..ac3d2ecb 100644
+--- a/avahi-core/browse-service.c
+++ b/avahi-core/browse-service.c
+@@ -103,7 +103,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_prepare(
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(server, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_FLAGS_VALID(flags, AVAHI_LOOKUP_USE_WIDE_AREA|AVAHI_LOOKUP_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+-    AVAHI_CHECK_VALIDITY_RETURN_NULL(server, avahi_is_valid_service_type_generic(service_type), AVAHI_ERR_INVALID_SERVICE_TYPE);
+
+    if (!avahi_is_valid_service_type_generic(service_type))
+        service_type = "_invalid._tcp";
+ 
+     if (!domain)
+         domain = server->domain_name;
diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch
new file mode 100644
index 0000000000..29c192d296
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/local-ping.patch
@@ -0,0 +1,153 @@
+CVE: CVE-2021-36217
+CVE: CVE-2021-3502
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+From 9d31939e55280a733d930b15ac9e4dda4497680c Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Date: Mon, 8 Feb 2021 11:04:43 +0200
+Subject: [PATCH] Fix NULL pointer crashes from #175
+avahi-daemon is crashing when running "ping .local".
+The crash is due to failing assertion from NULL pointer.
+Add missing NULL pointer checks to fix it.
+Introduced in #175 - merge commit 8f75a045709a780c8cf92a6a21e9d35b593bdecd
+---
+ avahi-core/browse-dns-server.c   | 5 ++++-
+ avahi-core/browse-domain.c       | 5 ++++-
+ avahi-core/browse-service-type.c | 3 +++
+ avahi-core/browse-service.c      | 3 +++
+ avahi-core/browse.c              | 3 +++
+ avahi-core/resolve-address.c     | 5 ++++-
+ avahi-core/resolve-host-name.c   | 5 ++++-
+ avahi-core/resolve-service.c     | 5 ++++-
+ 8 files changed, 29 insertions(+), 5 deletions(-)
+diff --git a/avahi-core/browse-dns-server.c b/avahi-core/browse-dns-server.c
+index 049752e9..c2d914fa 100644
+--- a/avahi-core/browse-dns-server.c
+++ b/avahi-core/browse-dns-server.c
+@@ -343,7 +343,10 @@ AvahiSDNSServerBrowser *avahi_s_dns_server_browser_new(
+         AvahiSDNSServerBrowser* b;
+ 
+         b = avahi_s_dns_server_browser_prepare(server, interface, protocol, domain, type, aprotocol, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_dns_server_browser_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
+}
+diff --git a/avahi-core/browse-domain.c b/avahi-core/browse-domain.c
+index f145d56a..06fa70c0 100644
+--- a/avahi-core/browse-domain.c
+++ b/avahi-core/browse-domain.c
+@@ -253,7 +253,10 @@ AvahiSDomainBrowser *avahi_s_domain_browser_new(
+         AvahiSDomainBrowser *b;
+ 
+         b = avahi_s_domain_browser_prepare(server, interface, protocol, domain, type, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_domain_browser_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
+}
+diff --git a/avahi-core/browse-service-type.c b/avahi-core/browse-service-type.c
+index fdd22dcd..b1fc7af8 100644
+--- a/avahi-core/browse-service-type.c
+++ b/avahi-core/browse-service-type.c
+@@ -171,6 +171,9 @@ AvahiSServiceTypeBrowser *avahi_s_service_type_browser_new(
+         AvahiSServiceTypeBrowser *b;
+ 
+         b = avahi_s_service_type_browser_prepare(server, interface, protocol, domain, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_service_type_browser_start(b);
+ 
+         return b;
+diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
+index 5531360c..63e0275a 100644
+--- a/avahi-core/browse-service.c
+++ b/avahi-core/browse-service.c
+@@ -184,6 +184,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_new(
+         AvahiSServiceBrowser *b;
+ 
+         b = avahi_s_service_browser_prepare(server, interface, protocol, service_type, domain, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_service_browser_start(b);
+ 
+         return b;
+diff --git a/avahi-core/browse.c b/avahi-core/browse.c
+index 2941e579..e8a915e9 100644
+--- a/avahi-core/browse.c
+++ b/avahi-core/browse.c
+@@ -634,6 +634,9 @@ AvahiSRecordBrowser *avahi_s_record_browser_new(
+         AvahiSRecordBrowser *b;
+ 
+         b = avahi_s_record_browser_prepare(server, interface, protocol, key, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_record_browser_start_query(b);
+ 
+         return b;
+diff --git a/avahi-core/resolve-address.c b/avahi-core/resolve-address.c
+index ac0b29b1..e61dd242 100644
+--- a/avahi-core/resolve-address.c
+++ b/avahi-core/resolve-address.c
+@@ -286,7 +286,10 @@ AvahiSAddressResolver *avahi_s_address_resolver_new(
+         AvahiSAddressResolver *b;
+ 
+         b = avahi_s_address_resolver_prepare(server, interface, protocol, address, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_address_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
+}
+diff --git a/avahi-core/resolve-host-name.c b/avahi-core/resolve-host-name.c
+index 808b0e72..4e8e5973 100644
+--- a/avahi-core/resolve-host-name.c
+++ b/avahi-core/resolve-host-name.c
+@@ -318,7 +318,10 @@ AvahiSHostNameResolver *avahi_s_host_name_resolver_new(
+         AvahiSHostNameResolver *b;
+ 
+         b = avahi_s_host_name_resolver_prepare(server, interface, protocol, host_name, aprotocol, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_host_name_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
+}
+diff --git a/avahi-core/resolve-service.c b/avahi-core/resolve-service.c
+index 66bf3cae..43771763 100644
+--- a/avahi-core/resolve-service.c
+++ b/avahi-core/resolve-service.c
+@@ -519,7 +519,10 @@ AvahiSServiceResolver *avahi_s_service_resolver_new(
+         AvahiSServiceResolver *b;
+ 
+         b = avahi_s_service_resolver_prepare(server, interface, protocol, name, type, domain, aprotocol, flags, callback, userdata);
+        if (!b)
+            return NULL;
+
+         avahi_s_service_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
+}
diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind-9.16.7/0001-named-lwresd-V-and-start-log-hide-build-options.patch
deleted file mode 100644
index 5bcc16c9b2..0000000000
--- a/meta/recipes-connectivity/bind/bind-9.16.7/0001-named-lwresd-V-and-start-log-hide-build-options.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From a3af4a405baf5ff582e82aaba392dd9667d94bdc Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Mon, 27 Aug 2018 21:24:20 +0800
-Subject: [PATCH] `named/lwresd -V' and start log hide build options
-The build options expose build path directories, so hide them.
-[snip]
-$ named -V
-|built by make with *** (options are hidden)
-[snip]
-Upstream-Status: Inappropriate [oe-core specific]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
-Refreshed for 9.16.0
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- bin/named/include/named/globals.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-Index: bind-9.16.0/bin/named/include/named/globals.h
-===================================================================
--- bind-9.16.0.orig/bin/named/include/named/globals.h
-+++ bind-9.16.0/bin/named/include/named/globals.h
-@@ -69,7 +69,7 @@ EXTERN const char *named_g_version     I
- EXTERN const char *named_g_product     INIT(PRODUCT);
- EXTERN const char *named_g_description INIT(DESCRIPTION);
- EXTERN const char *named_g_srcid       INIT(SRCID);
-EXTERN const char *named_g_configargs  INIT(CONFIGARGS);
-+EXTERN const char *named_g_configargs  INIT("*** (options are hidden)");
- EXTERN const char *named_g_builder     INIT(BUILDER);
- EXTERN in_port_t named_g_port         INIT(0);
- EXTERN isc_dscp_t named_g_dscp        INIT(-1);
diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch
index 8db96ec049..78ab6b87fc 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.7/0001-avoid-start-failure-with-bind-user.patch
+++ b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch
@@ -1,4 +1,4 @@
-From 31dde3562f287429eea94b77250d184818b49063 Mon Sep 17 00:00:00 2001
+From c70f74164bea8a8c54c03becffb2f21103dd1f31 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 15 Oct 2018 16:55:09 +0800
 Subject: [PATCH] avoid start failure with bind user
@@ -11,17 +11,14 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 1 file changed, 1 insertion(+)
 diff --git a/init.d b/init.d
-index b2eec60..6e03936 100644
+index 95e8909..771d349 100644
 --- a/init.d
 +++ b/init.d
 @@ -57,6 +57,7 @@ case "$1" in
        modprobe capability >/dev/null 2>&1 || true
        if [ ! -f /etc/bind/rndc.key ]; then
-            /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
+            /usr/sbin/rndc-confgen -a -b 512
 +           chown root:bind /etc/bind/rndc.key >/dev/null 2>&1 || true
            chmod 0640 /etc/bind/rndc.key
        fi
        if [ -f /var/run/named/named.pid ]; then
-- 
-2.7.4
diff --git a/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch
new file mode 100644
index 0000000000..53e439721f
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch
@@ -0,0 +1,34 @@
+From 0dd67d85705cbcfa9a2759c46f3cdf3d0d6375de Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Mon, 27 Aug 2018 21:24:20 +0800
+Subject: [PATCH] `named/lwresd -V' and start log hide build options
+The build options expose build path directories, so hide them.
+[snip]
+$ named -V
+|built by make with *** (options are hidden)
+[snip]
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Refreshed for 9.16.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/configure.ac b/configure.ac
+index f9cf4a4..0ce3d26 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -35,7 +35,7 @@ AC_DEFINE([PACKAGE_VERSION_EXTRA], ["][bind_VERSION_EXTRA]["], [BIND 9 Extra par
+ AC_DEFINE([PACKAGE_DESCRIPTION], [m4_ifnblank(bind_DESCRIPTION, [" ]bind_DESCRIPTION["], [])], [An extra string to print after PACKAGE_STRING])
+ AC_DEFINE([PACKAGE_SRCID], ["][bind_SRCID]["], [A short hash from git])
+ 
+-bind_CONFIGARGS="${ac_configure_args:-default}"
+bind_CONFIGARGS="(removed for reproducibility)"
+ AC_DEFINE_UNQUOTED([PACKAGE_CONFIGARGS], ["$bind_CONFIGARGS"], [Either 'defaults' or used ./configure options])
+ 
+ AC_DEFINE([PACKAGE_BUILDER], ["make"], [make or Visual Studio])
diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
index f9cdc7ca4d..38d208fc1c 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.7/bind-ensure-searching-for-json-headers-searches-sysr.patch
+++ b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
@@ -1,4 +1,4 @@
-From edda20fb5a6e88548f85e39d34d6c074306e15bc Mon Sep 17 00:00:00 2001
+From 8c9c817933eef20328f10237bbd964580db0a3ad Mon Sep 17 00:00:00 2001
 From: Paul Gortmaker <paul.gortmaker@windriver.com>
 Date: Tue, 9 Jun 2015 11:22:00 -0400
 Subject: [PATCH] bind: ensure searching for json headers searches sysroot
@@ -27,21 +27,20 @@ to make use of the combination some day.
 Upstream-Status: Inappropriate [OE Specific]
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
 ---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
-Index: bind-9.16.4/configure.ac
+diff --git a/configure.ac b/configure.ac
-===================================================================
+index 334b551..f9cf4a4 100644
--- bind-9.16.4.orig/configure.ac
+--- a/configure.ac
-+++ bind-9.16.4/configure.ac
+++ b/configure.ac
-@@ -1232,7 +1232,7 @@ case "$use_lmdb" in
+@@ -863,7 +863,7 @@ AS_CASE([$with_lmdb],
-                LMDB_LIBS=""
+        [no],[],
-                ;;
+        [auto|yes], [PKG_CHECK_MODULES([LMDB], [lmdb],
-        auto|yes)
+                                       [ac_lib_lmdb_found=yes],
-               for d in /usr /usr/local /opt/local
+-                                      [for ac_lib_lmdb_path in /usr /usr/local /opt /opt/local; do
-+               for d in "${STAGING_INCDIR}"
+                                      [for ac_lib_lmdb_path in "${STAGING_INCDIR}"; do
-                do
+                                                AX_LIB_LMDB([$ac_lib_lmdb_path],
-                        if test -f "${d}/include/lmdb.h"
+                                                            [ac_lib_lmdb_found=yes
-                        then
+                                                             break])
diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/bind9 b/meta/recipes-connectivity/bind/bind/bind9
index 968679ff7f..968679ff7f 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.7/bind9
+++ b/meta/recipes-connectivity/bind/bind/bind9
diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/conf.patch b/meta/recipes-connectivity/bind/bind/conf.patch
index aad345f9fc..102fe46ffe 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.7/conf.patch
+++ b/meta/recipes-connectivity/bind/bind/conf.patch
@@ -1,12 +1,43 @@
+From 83a892af19bf1455ce7132350332ed6d7f1e2b94 Mon Sep 17 00:00:00 2001
+From: Qing He <qing.he@intel.com>
+Date: Tue, 30 Nov 2010 13:35:42 +0800
+Subject: [PATCH] bind: add new recipe
 Upstream-Status: Inappropriate [configuration]
 the patch is imported from openembedded project
 11/30/2010 - Qing He <qing.he@intel.com>
+---
+ conf/db.0               | 12 +++++++
+ conf/db.127             | 13 ++++++++
+ conf/db.255             | 12 +++++++
+ conf/db.empty           | 14 +++++++++
+ conf/db.local           | 13 ++++++++
+ conf/db.root            | 45 ++++++++++++++++++++++++++
+ conf/named.conf         | 49 +++++++++++++++++++++++++++++
+ conf/named.conf.local   |  8 +++++
+ conf/named.conf.options | 24 ++++++++++++++
+ conf/zones.rfc1918      | 20 ++++++++++++
+ init.d                  | 70 +++++++++++++++++++++++++++++++++++++++++
+ 11 files changed, 280 insertions(+)
+ create mode 100644 conf/db.0
+ create mode 100644 conf/db.127
+ create mode 100644 conf/db.255
+ create mode 100644 conf/db.empty
+ create mode 100644 conf/db.local
+ create mode 100644 conf/db.root
+ create mode 100644 conf/named.conf
+ create mode 100644 conf/named.conf.local
+ create mode 100644 conf/named.conf.options
+ create mode 100644 conf/zones.rfc1918
+ create mode 100644 init.d
-diff -urN bind-9.3.1.orig/conf/db.0 bind-9.3.1/conf/db.0
+diff --git a/conf/db.0 b/conf/db.0
--- bind-9.3.1.orig/conf/db.0   1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ bind-9.3.1/conf/db.0        2005-07-10 22:14:00.000000000 +0200
+index 0000000..e3aabdb
+--- /dev/null
+++ b/conf/db.0
 @@ -0,0 +1,12 @@
 +;
 +; BIND reverse data file for broadcast zone
@@ -20,9 +51,11 @@ diff -urN bind-9.3.1.orig/conf/db.0 bind-9.3.1/conf/db.0
 +                        604800 )       ; Negative Cache TTL
 +;
 +@      IN      NS      localhost.
-diff -urN bind-9.3.1.orig/conf/db.127 bind-9.3.1/conf/db.127
+diff --git a/conf/db.127 b/conf/db.127
--- bind-9.3.1.orig/conf/db.127 1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ bind-9.3.1/conf/db.127      2005-07-10 22:14:00.000000000 +0200
+index 0000000..cd05bef
+--- /dev/null
+++ b/conf/db.127
 @@ -0,0 +1,13 @@
 +;
 +; BIND reverse data file for local loopback interface
@@ -37,43 +70,49 @@ diff -urN bind-9.3.1.orig/conf/db.127 bind-9.3.1/conf/db.127
 +;
 +@      IN      NS      localhost.
 +1.0.0  IN      PTR     localhost.
-diff -urN bind-9.3.1.orig/conf/db.empty bind-9.3.1/conf/db.empty
+diff --git a/conf/db.255 b/conf/db.255
--- bind-9.3.1.orig/conf/db.empty       1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ bind-9.3.1/conf/db.empty    2005-07-10 22:14:00.000000000 +0200
+index 0000000..16cd819
-@@ -0,0 +1,14 @@
+--- /dev/null
-+; BIND reverse data file for empty rfc1918 zone
+++ b/conf/db.255
+@@ -0,0 +1,12 @@
 +;
-+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; BIND reserve data file for broadcast zone
-+; Instead, copy it, edit named.conf, and use that copy.
 +;
-+$TTL   86400
+$TTL   604800
 +@      IN      SOA     localhost. root.localhost. (
 +                             1         ; Serial
 +                        604800         ; Refresh
 +                         86400         ; Retry
 +                       2419200         ; Expire
-+                         86400 )       ; Negative Cache TTL
+                        604800 )       ; Negative Cache TTL
 +;
 +@      IN      NS      localhost.
-diff -urN bind-9.3.1.orig/conf/db.255 bind-9.3.1/conf/db.255
+diff --git a/conf/db.empty b/conf/db.empty
--- bind-9.3.1.orig/conf/db.255 1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ bind-9.3.1/conf/db.255      2005-07-10 22:14:00.000000000 +0200
+index 0000000..8a12858
-@@ -0,0 +1,12 @@
+--- /dev/null
+++ b/conf/db.empty
+@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
 +;
-+; BIND reserve data file for broadcast zone
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
 +;
-+$TTL   604800
+$TTL   86400
 +@      IN      SOA     localhost. root.localhost. (
 +                             1         ; Serial
 +                        604800         ; Refresh
 +                         86400         ; Retry
 +                       2419200         ; Expire
-+                        604800 )       ; Negative Cache TTL
+                         86400 )       ; Negative Cache TTL
 +;
 +@      IN      NS      localhost.
-diff -urN bind-9.3.1.orig/conf/db.local bind-9.3.1/conf/db.local
+diff --git a/conf/db.local b/conf/db.local
--- bind-9.3.1.orig/conf/db.local       1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ bind-9.3.1/conf/db.local    2005-07-10 22:14:00.000000000 +0200
+index 0000000..66b4892
+--- /dev/null
+++ b/conf/db.local
 @@ -0,0 +1,13 @@
 +;
 +; BIND data file for local loopback interface
@@ -88,9 +127,11 @@ diff -urN bind-9.3.1.orig/conf/db.local bind-9.3.1/conf/db.local
 +;
 +@      IN      NS      localhost.
 +@      IN      A       127.0.0.1
-diff -urN bind-9.3.1.orig/conf/db.root bind-9.3.1/conf/db.root
+diff --git a/conf/db.root b/conf/db.root
--- bind-9.3.1.orig/conf/db.root        1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ bind-9.3.1/conf/db.root     2005-07-10 22:14:00.000000000 +0200
+index 0000000..01c20f0
+--- /dev/null
+++ b/conf/db.root
 @@ -0,0 +1,45 @@
 +
 +; <<>> DiG 9.2.3 <<>> ns . @a.root-servers.net.
@@ -137,9 +178,11 @@ diff -urN bind-9.3.1.orig/conf/db.root bind-9.3.1/conf/db.root
 +;; WHEN: Sun Feb  1 11:27:14 2004
 +;; MSG SIZE  rcvd: 436
 +
-diff -urN bind-9.3.1.orig/conf/named.conf bind-9.3.1/conf/named.conf
+diff --git a/conf/named.conf b/conf/named.conf
--- bind-9.3.1.orig/conf/named.conf     1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ bind-9.3.1/conf/named.conf  2005-07-10 22:33:46.000000000 +0200
+index 0000000..95829cf
+--- /dev/null
+++ b/conf/named.conf
 @@ -0,0 +1,49 @@
 +// This is the primary configuration file for the BIND DNS server named.
 +//
@@ -190,9 +233,11 @@ diff -urN bind-9.3.1.orig/conf/named.conf bind-9.3.1/conf/named.conf
 +// root-delegation-only exclude { "DE"; "MUSEUM"; };
 +
 +include "/etc/bind/named.conf.local";
-diff -urN bind-9.3.1.orig/conf/named.conf.local bind-9.3.1/conf/named.conf.local
+diff --git a/conf/named.conf.local b/conf/named.conf.local
--- bind-9.3.1.orig/conf/named.conf.local       1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ bind-9.3.1/conf/named.conf.local    2005-07-10 22:14:06.000000000 +0200
+index 0000000..7a57b10
+--- /dev/null
+++ b/conf/named.conf.local
 @@ -0,0 +1,8 @@
 +//
 +// Do any local configuration here
@@ -202,9 +247,11 @@ diff -urN bind-9.3.1.orig/conf/named.conf.local bind-9.3.1/conf/named.conf.local
 +// organization
 +//include "/etc/bind/zones.rfc1918";
 +
-diff -urN bind-9.3.1.orig/conf/named.conf.options bind-9.3.1/conf/named.conf.options
+diff --git a/conf/named.conf.options b/conf/named.conf.options
--- bind-9.3.1.orig/conf/named.conf.options     1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ bind-9.3.1/conf/named.conf.options  2005-07-10 22:14:06.000000000 +0200
+index 0000000..813193d
+--- /dev/null
+++ b/conf/named.conf.options
 @@ -0,0 +1,24 @@
 +options {
 +       directory "/var/cache/bind";
@@ -230,9 +277,11 @@ diff -urN bind-9.3.1.orig/conf/named.conf.options bind-9.3.1/conf/named.conf.opt
 +
 +};
 +
-diff -urN bind-9.3.1.orig/conf/zones.rfc1918 bind-9.3.1/conf/zones.rfc1918
+diff --git a/conf/zones.rfc1918 b/conf/zones.rfc1918
--- bind-9.3.1.orig/conf/zones.rfc1918  1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ bind-9.3.1/conf/zones.rfc1918       2005-07-10 22:14:10.000000000 +0200
+index 0000000..03b5546
+--- /dev/null
+++ b/conf/zones.rfc1918
 @@ -0,0 +1,20 @@
 +zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
 + 
@@ -254,9 +303,11 @@ diff -urN bind-9.3.1.orig/conf/zones.rfc1918 bind-9.3.1/conf/zones.rfc1918
 +zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
 +
 +zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
-diff -urN bind-9.3.1.orig/init.d bind-9.3.1/init.d
+diff --git a/init.d b/init.d
--- bind-9.3.1.orig/init.d      1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ bind-9.3.1/init.d   2005-07-10 23:09:58.000000000 +0200
+index 0000000..2ef2277
+--- /dev/null
+++ b/init.d
 @@ -0,0 +1,70 @@
 +#!/bin/sh
 +
@@ -276,7 +327,7 @@ diff -urN bind-9.3.1.orig/init.d bind-9.3.1/init.d
 +
 +       modprobe capability >/dev/null 2>&1 || true
 +       if [ ! -f /etc/bind/rndc.key ]; then
-+           /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
+           /usr/sbin/rndc-confgen -a -b 512
 +           chmod 0640 /etc/bind/rndc.key
 +       fi
 +       if [ -f /var/run/named/named.pid ]; then
diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh
index 633e29c0e6..633e29c0e6 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.7/generate-rndc-key.sh
+++ b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh
diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch
index 11db95ede1..984d401c70 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.7/init.d-add-support-for-read-only-rootfs.patch
+++ b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch
@@ -1,14 +1,17 @@
-Subject: init.d: add support for read-only rootfs
+From 1393cbf6b0084128fdfc9b5afb3bcc307265d094 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Thu, 27 Mar 2014 02:34:41 +0000
+Subject: [PATCH] init.d: add support for read-only rootfs
 Upstream-Status: Inappropriate [oe specific]
 Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 ---
- init.d |   40 ++++++++++++++++++++++++++++++++++++++++
+ init.d | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 diff --git a/init.d b/init.d
-index 0111ed4..24677c8 100644
+index 2ef2277..95e8909 100644
 --- a/init.d
 +++ b/init.d
 @@ -6,8 +6,48 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
@@ -60,6 +63,3 @@ index 0111ed4..24677c8 100644
 test -x /usr/sbin/rndc || exit 0
 
 case "$1" in
-- 
-1.7.9.5
diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/make-etc-initd-bind-stop-work.patch b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
index 146f3e35db..74f2ef83a0 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.7/make-etc-initd-bind-stop-work.patch
+++ b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
@@ -1,4 +1,7 @@
-bind: make "/etc/init.d/bind stop" work
+From ce06506bb3fe661e03161af3a603bd228590a254 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Thu, 15 Nov 2012 02:27:54 +0000
+Subject: [PATCH] bind: make "/etc/init.d/bind stop" work
 Upstream-Status: Inappropriate [configuration]
@@ -7,13 +10,13 @@ the named daemon.
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
 ---
- conf/named.conf |    5 +++++
+ conf/named.conf | 5 +++++
- conf/rndc.conf  |    5 +++++
+ conf/rndc.conf  | 5 +++++
- 2 files changed, 10 insertions(+), 0 deletions(-)
+ 2 files changed, 10 insertions(+)
 create mode 100644 conf/rndc.conf
 diff --git a/conf/named.conf b/conf/named.conf
-index 95829cf..c8899e7 100644
+index 95829cf..021dbca 100644
 --- a/conf/named.conf
 +++ b/conf/named.conf
 @@ -47,3 +47,8 @@ zone "255.in-addr.arpa" {
@@ -27,7 +30,7 @@ index 95829cf..c8899e7 100644
 +};
 diff --git a/conf/rndc.conf b/conf/rndc.conf
 new file mode 100644
-index 0000000..a0b481d
+index 0000000..4b43a3d
 --- /dev/null
 +++ b/conf/rndc.conf
 @@ -0,0 +1,5 @@
@@ -36,7 +39,3 @@ index 0000000..a0b481d
 +       default-server  localhost;
 +       default-key     rndc-key;
 +};
-- 
-1.7.5.4
diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/named.service b/meta/recipes-connectivity/bind/bind/named.service
index cda56ef015..cda56ef015 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.7/named.service
+++ b/meta/recipes-connectivity/bind/bind/named.service
diff --git a/meta/recipes-connectivity/bind/bind_9.16.7.bb b/meta/recipes-connectivity/bind/bind_9.20.9.bb
index fbe3de63cb..93ff957fc5 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.7.bb
+++ b/meta/recipes-connectivity/bind/bind_9.20.9.bb
@@ -1,11 +1,12 @@
 SUMMARY = "ISC Internet Domain Name Server"
 HOMEPAGE = "https://www.isc.org/bind/"
+DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
 SECTION = "console/network"
 LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=188b8d0644bd6835df43b84e3f180be1"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c7a0b6d9a1b692a5da9af9d503671f43"
-DEPENDS = "openssl libcap zlib libuv"
+DEPENDS = "openssl libcap zlib libuv liburcu"
 SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
           file://conf.patch \
@@ -19,79 +20,71 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
           file://0001-avoid-start-failure-with-bind-user.patch \
           "
-SRC_URI[sha256sum] = "9f7d1812ebbd26a699f62b6fa8522d5dec57e4bf43af0042a0d60d39ed8314d1"
+SRC_URI[sha256sum] = "3d26900ed9c9a859073ffea9b97e292c1248dad18279b17b05fcb23c3091f86d"
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
-# stay at 9.16 follow the ESV versions divisible by 4
+# follow the ESV versions divisible by 2
-UPSTREAM_CHECK_REGEX = "(?P<pver>9.(16|20|24|28)(\.\d+)+(-P\d+)*)/"
+UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
+# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
+# so the issue doesn't affect us.
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
 # PACKAGECONFIGs readline and libedit should NOT be set at same time
 PACKAGECONFIG ?= "readline"
-PACKAGECONFIG[httpstats] = "--with-libxml2=${STAGING_DIR_HOST}${prefix},--without-libxml2,libxml2"
+PACKAGECONFIG[httpstats] = "--with-libxml2,--without-libxml2,libxml2"
-PACKAGECONFIG[readline] = "--with-readline=-lreadline,,readline"
+PACKAGECONFIG[readline] = "--with-readline=readline,,readline"
-PACKAGECONFIG[libedit] = "--with-readline=-ledit,,libedit"
+PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit"
-PACKAGECONFIG[python3] = "--with-python=yes --with-python-install-dir=${PYTHON_SITEPACKAGES_DIR} , --without-python, python3-ply-native,"
+PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2"
-EXTRA_OECONF = " --with-libtool --disable-devpoll --disable-auto-validation --enable-epoll \
+EXTRA_OECONF = " --disable-auto-validation \
                 --with-gssapi=no --with-lmdb=no --with-zlib \
                 --sysconfdir=${sysconfdir}/bind \
                 --with-openssl=${STAGING_DIR_HOST}${prefix} \
               "
-LDFLAGS_append = " -lz"
+LDFLAGS += "-lz"
-inherit ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native distutils3-base', '', d)}
 # dhcp needs .la so keep them
 REMOVE_LIBTOOL_LA = "0"
 USERADD_PACKAGES = "${PN}"
-USERADD_PARAM_${PN} = "--system --home ${localstatedir}/cache/bind --no-create-home \
+USERADD_PARAM:${PN} = "--system --home ${localstatedir}/cache/bind --no-create-home \
                       --user-group bind"
 INITSCRIPT_NAME = "bind"
 INITSCRIPT_PARAMS = "defaults"
-SYSTEMD_SERVICE_${PN} = "named.service"
+SYSTEMD_SERVICE:${PN} = "named.service"
-do_install_append() {
+do_install:append() {
-        rmdir "${D}${localstatedir}/run"
-        rmdir --ignore-fail-on-non-empty "${D}${localstatedir}"
        install -d -o bind "${D}${localstatedir}/cache/bind"
        install -d "${D}${sysconfdir}/bind"
        install -d "${D}${sysconfdir}/init.d"
        install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/"
        install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind"
-        if ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'true', 'false', d)}; then
-                sed -i -e '1s,#!.*python3,#! /usr/bin/python3,' \
-                ${D}${sbindir}/dnssec-coverage \
-                ${D}${sbindir}/dnssec-checkds \
-                ${D}${sbindir}/dnssec-keymgr
-        fi
        # Install systemd related files
        install -d ${D}${sbindir}
-        install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir}
+        install -m 755 ${UNPACKDIR}/generate-rndc-key.sh ${D}${sbindir}
-        install -d ${D}${systemd_unitdir}/system
+        install -d ${D}${systemd_system_unitdir}
-        install -m 0644 ${WORKDIR}/named.service ${D}${systemd_unitdir}/system
+        install -m 0644 ${UNPACKDIR}/named.service ${D}${systemd_system_unitdir}
        sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
               -e 's,@SBINDIR@,${sbindir},g' \
-               ${D}${systemd_unitdir}/system/named.service
+               ${D}${systemd_system_unitdir}/named.service
        install -d ${D}${sysconfdir}/default
-        install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default
+        install -m 0644 ${UNPACKDIR}/bind9 ${D}${sysconfdir}/default
        if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
                install -d ${D}${sysconfdir}/tmpfiles.d
                echo "d /run/named 0755 bind bind - -" > ${D}${sysconfdir}/tmpfiles.d/bind.conf
        fi
-    oe_multilib_header isc/platform.h
 }
-CONFFILES_${PN} = " \
+CONFFILES:${PN} = " \
        ${sysconfdir}/bind/named.conf \
        ${sysconfdir}/bind/named.conf.local \
        ${sysconfdir}/bind/named.conf.options \
@@ -102,22 +95,19 @@ CONFFILES_${PN} = " \
        ${sysconfdir}/bind/db.root \
        "
-ALTERNATIVE_${PN}-utils = "nslookup"
+ALTERNATIVE:${PN}-utils = "nslookup"
 ALTERNATIVE_LINK_NAME[nslookup] = "${bindir}/nslookup"
 ALTERNATIVE_PRIORITY = "100"
 PACKAGE_BEFORE_PN += "${PN}-utils"
-FILES_${PN}-utils = "${bindir}/host ${bindir}/dig ${bindir}/mdig ${bindir}/nslookup ${bindir}/nsupdate"
+FILES:${PN}-utils = "${bindir}/host ${bindir}/dig ${bindir}/mdig ${bindir}/nslookup ${bindir}/nsupdate"
-FILES_${PN}-dev += "${bindir}/isc-config.h"
+FILES:${PN}-dev += "${bindir}/isc-config.h"
-FILES_${PN} += "${sbindir}/generate-rndc-key.sh"
+FILES:${PN} += "${sbindir}/generate-rndc-key.sh"
 PACKAGE_BEFORE_PN += "${PN}-libs"
-FILES_${PN}-libs = "${libdir}/*.so* ${libdir}/named/*.so*"
+# special arrangement below due to
-FILES_${PN}-staticdev += "${libdir}/*.la"
+# https://github.com/isc-projects/bind9/commit/0e25af628cd776f98c04fc4cc59048f5448f6c88
+FILES_SOLIBSDEV = "${libdir}/*[!0-9].so ${libdir}/libbind9.so"
-PACKAGE_BEFORE_PN += "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3-bind', '', d)}"
+FILES:${PN}-libs = "${libdir}/named/*.so* ${libdir}/*-${PV}.so"
-FILES_python3-bind = "${sbindir}/dnssec-coverage ${sbindir}/dnssec-checkds \
-                ${sbindir}/dnssec-keymgr ${PYTHON_SITEPACKAGES_DIR}"
-RDEPENDS_${PN}-dev = ""
+DEV_PKG_DEPENDENCY = ""
-RDEPENDS_python3-bind = "python3-core python3-ply"
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 4c1156c67c..287ebf658e 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -2,21 +2,29 @@ SUMMARY = "Linux Bluetooth Stack Userland V5"
 DESCRIPTION = "Linux Bluetooth stack V5 userland components.  These include a system configurations, daemons, tools and system libraries."
 HOMEPAGE = "http://www.bluez.org"
 SECTION = "libs"
-LICENSE = "GPLv2+ & LGPLv2.1+"
+LICENSE = "GPL-2.0-or-later & LGPL-2.1-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
                    file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \
-                    file://src/main.c;beginline=1;endline=24;md5=9bc54b93cd7e17bf03f52513f39f926e"
+                    file://src/main.c;beginline=1;endline=24;md5=0ad83ca0dc37ab08af448777c581e7ac"
 DEPENDS = "dbus glib-2.0"
 PROVIDES += "bluez-hcidump"
-RPROVIDES_${PN} += "bluez-hcidump"
+RPROVIDES:${PN} += "bluez-hcidump"
-RCONFLICTS_${PN} = "bluez4"
+RCONFLICTS:${PN} = "bluez4"
 PACKAGECONFIG ??= "obex-profiles \
    readline \
    ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
    a2dp-profiles \
    avrcp-profiles \
+    bap-profiles \
+    bass-profiles \
+    mcp-profiles \
+    ccp-profiles \
+    vcp-profiles \
+    micp-profiles \
+    csip-profiles \
+    asha-profiles \
    network-profiles \
    hid-profiles \
    hog-profiles \
@@ -38,6 +46,14 @@ PACKAGECONFIG[network-profiles] = "--enable-network,--disable-network"
 PACKAGECONFIG[hid-profiles] = "--enable-hid,--disable-hid"
 PACKAGECONFIG[hog-profiles] = "--enable-hog,--disable-hog"
 PACKAGECONFIG[health-profiles] = "--enable-health,--disable-health"
+PACKAGECONFIG[bap-profiles] = "--enable-bap,--disable-bap"
+PACKAGECONFIG[bass-profiles] = "--enable-bass,--disable-bass"
+PACKAGECONFIG[mcp-profiles] = "--enable-mcp,--disable-mcp"
+PACKAGECONFIG[ccp-profiles] = "--enable-ccp,--disable-ccp"
+PACKAGECONFIG[vcp-profiles] = "--enable-vcp,--disable-vcp"
+PACKAGECONFIG[micp-profiles] = "--enable-micp,--disable-micp"
+PACKAGECONFIG[csip-profiles] = "--enable-csip,--disable-csip"
+PACKAGECONFIG[asha-profiles] = "--enable-asha,--disable-asha"
 PACKAGECONFIG[sixaxis] = "--enable-sixaxis,--disable-sixaxis"
 PACKAGECONFIG[tools] = "--enable-tools,--disable-tools"
 PACKAGECONFIG[threads] = "--enable-threads,--disable-threads"
@@ -45,15 +61,15 @@ PACKAGECONFIG[deprecated] = "--enable-deprecated,--disable-deprecated"
 PACKAGECONFIG[mesh] = "--enable-mesh --enable-external-ell,--disable-mesh, json-c ell"
 PACKAGECONFIG[btpclient] = "--enable-btpclient --enable-external-ell,--disable-btpclient, ell"
 PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,udev"
+PACKAGECONFIG[manpages] = "--enable-manpages,--disable-manpages,python3-docutils-native"
 SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
           file://init \
           file://run-ptest \
-           ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
           file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
-           file://0001-test-gatt-Fix-hung-issue.patch \
+           file://0001-bluez5-disable-aics-tests.patch \
           "
-S = "${WORKDIR}/bluez-${PV}"
+S = "${UNPACKDIR}/bluez-${PV}"
 CVE_PRODUCT = "bluez"
@@ -63,9 +79,12 @@ EXTRA_OECONF = "\
  --enable-test \
  --enable-datafiles \
  --enable-library \
+  --enable-pie  \
  --without-zsh-completion-dir \
 "
+CFLAGS += "-DFIRMWARE_DIR=\\"${nonarch_base_libdir}/firmware\\""
 # bluez5 builds a large number of useful utilities but does not
 # install them.  Specify which ones we want put into ${PN}-noinst-tools.
 NOINST_TOOLS_READLINE ??= ""
@@ -77,53 +96,41 @@ NOINST_TOOLS = " \
    ${@bb.utils.contains('PACKAGECONFIG', 'tools', '${NOINST_TOOLS_BT}', '', d)} \
 "
-do_install_append() {
+do_install:append() {
        install -d ${D}${INIT_D_DIR}
-        install -m 0755 ${WORKDIR}/init ${D}${INIT_D_DIR}/bluetooth
+        install -m 0755 ${UNPACKDIR}/init ${D}${INIT_D_DIR}/bluetooth
-        install -d ${D}${sysconfdir}/bluetooth/
+        if [ -f ${D}${sysconfdir}/init.d/bluetooth ]; then
-        if [ -f ${S}/profiles/network/network.conf ]; then
+                sed -i -e 's#@LIBEXECDIR@#${libexecdir}#g' ${D}${sysconfdir}/init.d/bluetooth
-                install -m 0644 ${S}/profiles/network/network.conf ${D}/${sysconfdir}/bluetooth/
-        fi
-        if [ -f ${S}/profiles/input/input.conf ]; then
-                install -m 0644 ${S}/profiles/input/input.conf ${D}/${sysconfdir}/bluetooth/
-        fi
-        if [ -f ${D}/${sysconfdir}/init.d/bluetooth ]; then
-                sed -i -e 's#@LIBEXECDIR@#${libexecdir}#g' ${D}/${sysconfdir}/init.d/bluetooth
        fi
        # Install desired tools that upstream leaves in build area
        for f in ${NOINST_TOOLS} ; do
-                install -m 755 ${B}/$f ${D}/${bindir}
+                install -m 755 ${B}/$f ${D}${bindir}
        done
-        # Patch python tools to use Python 3; they should be source compatible, but
-        # still refer to Python 2 in the shebang
-        sed -i -e '1s,#!.*python.*,#!${bindir}/python3,' ${D}${libdir}/bluez/test/*
 }
 PACKAGES =+ "${PN}-testtools ${PN}-obex ${PN}-noinst-tools"
-FILES_${PN} += " \
+FILES:${PN} += " \
    ${libdir}/bluetooth/plugins/*.so \
    ${systemd_unitdir}/ ${datadir}/dbus-1 \
    ${libdir}/cups \
 "
-FILES_${PN}-dev += " \
+FILES:${PN}-dev += " \
    ${libdir}/bluetooth/plugins/*.la \
 "
-FILES_${PN}-obex = "${libexecdir}/bluetooth/obexd \
+FILES:${PN}-obex = "${libexecdir}/bluetooth/obexd \
                    ${exec_prefix}/lib/systemd/user/obex.service \
                    ${systemd_system_unitdir}/obex.service \
                    ${sysconfdir}/systemd/system/multi-user.target.wants/obex.service \
                    ${datadir}/dbus-1/services/org.bluez.obex.service \
                    ${sysconfdir}/dbus-1/system.d/obexd.conf \
                   "
-SYSTEMD_SERVICE_${PN}-obex = "obex.service"
+SYSTEMD_SERVICE:${PN}-obex = "obex.service"
-FILES_${PN}-testtools = "${libdir}/bluez/test/*"
+FILES:${PN}-testtools = "${libdir}/bluez/test/*"
 def get_noinst_tools_paths (d, bb, tools):
    s = list()
@@ -133,14 +140,14 @@ def get_noinst_tools_paths (d, bb, tools):
        s.append("%s/%s" % (bindir, f))
    return "\n".join(s)
-FILES_${PN}-noinst-tools = "${@get_noinst_tools_paths(d, bb, d.getVar('NOINST_TOOLS'))}"
+FILES:${PN}-noinst-tools = "${@get_noinst_tools_paths(d, bb, d.getVar('NOINST_TOOLS'))}"
-RDEPENDS_${PN}-testtools += "python3-core python3-dbus"
+RDEPENDS:${PN}-testtools += "python3-core python3-dbus"
-RDEPENDS_${PN}-testtools += "${@bb.utils.contains('GI_DATA_ENABLED', 'True', 'python3-pygobject', '', d)}"
+RDEPENDS:${PN}-testtools += "${@bb.utils.contains('GI_DATA_ENABLED', 'True', 'python3-pygobject', '', d)}"
-SYSTEMD_SERVICE_${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'bluetooth.service', '', d)}"
+SYSTEMD_SERVICE:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'bluetooth.service', '', d)}"
 INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME_${PN} = "bluetooth"
+INITSCRIPT_NAME:${PN} = "bluetooth"
 do_compile_ptest() {
        oe_runmake buildtests
@@ -151,4 +158,4 @@ do_install_ptest() {
        rm -f ${D}${PTEST_PATH}/unit/*.o
 }
-RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-gconv-utf-16"
+RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-gconv-utf-16"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
deleted file mode 100644
index 618ed734a9..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From f74eb97c9fb3c0ee2895742e773ac6a3c41c999c Mon Sep 17 00:00:00 2001
-From: Giovanni Campagna <gcampagna-cNUdlRotFMnNLxjTenLetw@public.gmane.org>
-Date: Sat, 12 Oct 2013 17:45:25 +0200
-Subject: [PATCH] Allow using obexd without systemd in the user session
-Not all sessions run systemd --user (actually, the majority
-doesn't), so the dbus daemon must be able to spawn obexd
-directly, and to do so it needs the full path of the daemon.
-Upstream-Status: Denied
-Not accepted by upstream maintainer for being a distro specific
-configuration. See thread:
-http://thread.gmane.org/gmane.linux.bluez.kernel/38725/focus=38843
-Signed-off-by: Javier Viguera <javier.viguera@digi.com>
---
- Makefile.obexd                                                | 4 ++--
- .../src/{org.bluez.obex.service => org.bluez.obex.service.in} | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
- rename obexd/src/{org.bluez.obex.service => org.bluez.obex.service.in} (76%)
-diff --git a/Makefile.obexd b/Makefile.obexd
-index de59d29..73004a3 100644
--- a/Makefile.obexd
-+++ b/Makefile.obexd
-@@ -1,12 +1,12 @@
- if SYSTEMD
- systemduserunitdir = $(SYSTEMD_USERUNITDIR)
- systemduserunit_DATA = obexd/src/obex.service
-+endif
- 
- dbussessionbusdir = $(DBUS_SESSIONBUSDIR)
- dbussessionbus_DATA = obexd/src/org.bluez.obex.service
-endif
- 
-EXTRA_DIST += obexd/src/obex.service.in obexd/src/org.bluez.obex.service
-+EXTRA_DIST += obexd/src/obex.service.in obexd/src/org.bluez.obex.service.in
- 
- if OBEX
- 
-diff --git a/obexd/src/org.bluez.obex.service b/obexd/src/org.bluez.obex.service.in
-similarity index 76%
-rename from obexd/src/org.bluez.obex.service
-rename to obexd/src/org.bluez.obex.service.in
-index a538088..9c815f2 100644
--- a/obexd/src/org.bluez.obex.service
-+++ b/obexd/src/org.bluez.obex.service.in
-@@ -1,4 +1,4 @@
- [D-BUS Service]
- Name=org.bluez.obex
-Exec=/bin/false
-+Exec=@libexecdir@/obexd
- SystemdService=dbus-org.bluez.obex.service
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-bluez5-disable-aics-tests.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-bluez5-disable-aics-tests.patch
new file mode 100644
index 0000000000..3f01843ea3
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-bluez5-disable-aics-tests.patch
@@ -0,0 +1,40 @@
+From 182545f2504255d67d9ec2071fd5c82ab53c5a2e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Gu=C3=B0ni=20M=C3=A1r=20Gilbert?= <gudni.m.g@gmail.com>
+Date: Sun, 30 Mar 2025 02:20:24 +0000
+Subject: [PATCH] bluez5: disable aics tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Temporarily disable aics tests as they can fail
+depending on how the tests are executed. Sometimes they pass,
+sometimes they fail. The issue has been observed since BlueZ 5.72 to 5.80
+Starting with BlueZ 5.80, the tests began failing when using the
+ptest-runner script. This is not a new issue in BlueZ 5.80 which is
+why the test is disabled with this commit until a solution is found.
+See discussion on Github:
+https://github.com/bluez/bluez/issues/726
+https://github.com/bluez/bluez/issues/683
+Upstream-Status: Inappropriate [OE-Specific]
+Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
+---
+ unit/test-vcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/unit/test-vcp.c b/unit/test-vcp.c
+index 6a61ea2..04b92e4 100644
+--- a/unit/test-vcp.c
+++ b/unit/test-vcp.c
+@@ -2754,7 +2754,7 @@ int main(int argc, char *argv[])
+        tester_init(&argc, &argv);
+ 
+        test_vocs_unit_testcases();
+-       test_aics_unit_testcases();
+       //test_aics_unit_testcases();
+ 
+        return tester_run();
+ }
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch
deleted file mode 100644
index e90b6a546f..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 61e741654cc2eb167bca212a3bb2ba8f3ba280c1 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu@windriver.com>
-Date: Fri, 24 Aug 2018 12:04:03 +0800
-Subject: [PATCH] test-gatt: Fix hung issue
-The below test hangs infinitely
-$ unit/test-gatt -p  /robustness/unkown-request -d
-/robustness/unkown-request - init
-/robustness/unkown-request - setup
-/robustness/unkown-request - setup complete
-/robustness/unkown-request - run
-  GATT: < 02 17 00                                         ...
-  bt_gatt_server:MTU exchange complete, with MTU: 23
-  GATT: > 03 00 02                                         ...
-  PDU: = 03 00 02                                         ...
-  GATT: < bf 00
-Actually, the /robustness/unkown-request test does
-no action.
-Upstream-Status: Submitted [https://marc.info/?l=linux-bluetooth&m=153508881804635&w=2]
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
- unit/test-gatt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/unit/test-gatt.c b/unit/test-gatt.c
-index c7e28f8..b57373b 100644
--- a/unit/test-gatt.c
-+++ b/unit/test-gatt.c
-@@ -4463,7 +4463,7 @@ int main(int argc, char *argv[])
-                        test_server, service_db_1, NULL,
-                        raw_pdu(0x03, 0x00, 0x02),
-                        raw_pdu(0xbf, 0x00),
-                       raw_pdu(0x01, 0xbf, 0x00, 0x00, 0x06));
-+                       raw_pdu());
- 
-        define_test_server("/robustness/unkown-command",
-                        test_server, service_db_1, NULL,
-- 
-2.7.4
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
index 24ddae6b63..a9af56f141 100644
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
@@ -1,4 +1,4 @@
-From 4bdf0f96dcaa945fd29f26d56e5b36d8c23e4c8b Mon Sep 17 00:00:00 2001
+From fa5da30786837b437707cea921056e9c1c22ffba Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Fri, 1 Apr 2016 17:07:34 +0300
 Subject: [PATCH] tests: add a target for building tests without running them
@@ -10,10 +10,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
 1 file changed, 3 insertions(+)
 diff --git a/Makefile.am b/Makefile.am
-index 1a48a71..ba3b92f 100644
+index 02ad23c..169269d 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -425,6 +425,9 @@ endif
+@@ -722,6 +722,9 @@ endif
 TESTS = $(unit_tests)
 AM_TESTS_ENVIRONMENT = MALLOC_CHECK_=3 MALLOC_PERTURB_=69
 
@@ -23,6 +23,3 @@ index 1a48a71..ba3b92f 100644
 if DBUS_RUN_SESSION
 AM_TESTS_ENVIRONMENT += dbus-run-session --
 endif
-- 
-2.8.0.rc3
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb b/meta/recipes-connectivity/bluez5/bluez5_5.83.bb
index 8190924562..8af6bdb67e 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.83.bb
@@ -1,7 +1,8 @@
 require bluez5.inc
-SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
+SRC_URI[sha256sum] = "108522d909d220581399bfec93daab62035539ceef3dda3e79970785c63bd24c"
-SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
+CVE_STATUS[CVE-2020-24490] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes"
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
@@ -31,6 +32,9 @@ NOINST_TOOLS_TESTING ?= " \
    tools/rfcomm-tester \
    tools/bnep-tester \
    tools/userchan-tester \
+    tools/iso-tester \
+    tools/mesh-tester \
+    tools/ioctl-tester \
 "
 # noinst programs in Makefile.tools that are conditional on TOOLS
@@ -40,11 +44,11 @@ NOINST_TOOLS_BT ?= " \
    tools/avinfo \
    tools/avtest \
    tools/scotest \
-    tools/amptest \
    tools/hwdb \
    tools/hcieventmask \
    tools/hcisecfilter \
    tools/btinfo \
+    tools/btconfig \
    tools/btsnoop \
    tools/btproxy \
    tools/btiotest \
@@ -55,6 +59,8 @@ NOINST_TOOLS_BT ?= " \
    tools/advtest \
    tools/seq2bseq \
    tools/nokfw \
+    tools/rtlfw \
+    tools/bcmfw \
    tools/create-image \
    tools/eddystone \
    tools/ibeacon \
@@ -64,5 +70,5 @@ NOINST_TOOLS_BT ?= " \
    tools/check-selftest \
    tools/gatt-service \
    profiles/iap/iapd \
-    ${@bb.utils.contains('PACKAGECONFIG', 'btpclient', 'tools/btpclient', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'btpclient', 'tools/btpclient tools/btpclientctl', '', d)} \
 "
diff --git a/meta/recipes-connectivity/connman/connman-conf.bb b/meta/recipes-connectivity/connman/connman-conf.bb
index 9a519ec866..854e1f1f29 100644
--- a/meta/recipes-connectivity/connman/connman-conf.bb
+++ b/meta/recipes-connectivity/connman/connman-conf.bb
@@ -1,36 +1,20 @@
-SUMMARY = "Connman config to setup wired interface on qemu machines"
+SUMMARY = "Connman config to ignore wired interface on qemu machines"
-DESCRIPTION = "This is the ConnMan configuration to set up a Wired \
+DESCRIPTION = "This is the ConnMan configuration to avoid touching wired \
-network interface for a qemu machine."
+network interface inside qemu machines."
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
-inherit systemd
+SRC_URI = "file://main.conf \
+          "
-SRC_URI_append_qemuall = " file://wired.config \
+S = "${UNPACKDIR}"
-                           file://wired-setup \
-                           file://wired-connection.service \
-"
-PR = "r2"
-S = "${WORKDIR}"
 PACKAGE_ARCH = "${MACHINE_ARCH}"
-FILES_${PN} = "${localstatedir}/* ${datadir}/*"
+FILES:${PN} = "${sysconfdir}/*"
-do_install() {
+# Kernel IP-Config is perfectly capable of setting up networking passed in via ip=
-    #Configure Wired network interface in case of qemu* machines
+do_install:append:qemuall() {
-    if test -e ${WORKDIR}/wired.config &&
+    mkdir -p ${D}${sysconfdir}/connman
-       test -e ${WORKDIR}/wired-setup &&
+    cp ${S}/main.conf ${D}${sysconfdir}/connman/main.conf
-       test -e ${WORKDIR}/wired-connection.service; then
-        install -d ${D}${localstatedir}/lib/connman
-        install -m 0644 ${WORKDIR}/wired.config ${D}${localstatedir}/lib/connman
-        install -d ${D}${datadir}/connman
-        install -m 0755 ${WORKDIR}/wired-setup ${D}${datadir}/connman
-        install -d ${D}${systemd_system_unitdir}
-        install -m 0644 ${WORKDIR}/wired-connection.service ${D}${systemd_system_unitdir}
-        sed -i -e 's|@SCRIPTDIR@|${datadir}/connman|g' ${D}${systemd_system_unitdir}/wired-connection.service
-    fi
 }
-SYSTEMD_SERVICE_${PN}_qemuall = "wired-connection.service"
diff --git a/meta/recipes-connectivity/connman/connman-conf/main.conf b/meta/recipes-connectivity/connman/connman-conf/main.conf
new file mode 100644
index 0000000000..3c9dd396f6
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman-conf/main.conf
@@ -0,0 +1,2 @@
+[General]
+NetworkInterfaceBlacklist = eth,en
diff --git a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-connection.service b/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-connection.service
deleted file mode 100644
index 48adfc08ac..0000000000
--- a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-connection.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Setup a wired interface
-Before=connman.service
-[Service]
-Type=oneshot
-ExecStart=@SCRIPTDIR@/wired-setup
-[Install]
-WantedBy=network.target
diff --git a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-setup b/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-setup
deleted file mode 100644
index c46899ef32..0000000000
--- a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-setup
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-CONFIGF=/var/lib/connman/wired.config
-# Extract wired network config from /proc/cmdline
-NET_CONF=`cat /proc/cmdline |sed -ne 's/^.*ip=\([^ ]*\):\([^ ]*\):\([^ ]*\):\([^ ]*\).*$/\1\/\4\/\3/p'`
-# Check if eth0 is already set via kernel cmdline
-if [ "x$NET_CONF" = "x" ]; then
-        # Wired interface is not configured via kernel cmdline
-        # Remove connman config file template
-        rm -f ${CONFIGF}
-else
-        # Setup a connman config accordingly
-        sed -i -e "s|^IPv4 =.*|IPv4 = ${NET_CONF}|" ${CONFIGF}
-fi
diff --git a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired.config b/meta/recipes-connectivity/connman/connman-conf/qemuall/wired.config
deleted file mode 100644
index 42998ce897..0000000000
--- a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired.config
+++ /dev/null
@@ -1,9 +0,0 @@
-[global]
-Name = Wired
-Description = Wired network configuration
-[service_ethernet]
-Type = ethernet
-IPv4 =
-MAC = 52:54:00:12:34:56
-Nameservers = 8.8.8.8
diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
index af986c4eab..8bfc1540b3 100644
--- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
+++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
@@ -1,7 +1,7 @@
 SUMMARY = "GTK+ frontend for the ConnMan network connection manager"
 HOMEPAGE = "http://connman.net/"
 SECTION = "libs/network"
-LICENSE = "GPLv2 & LGPLv2.1"
+LICENSE = "GPL-2.0-only & LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
                    file://properties/main.c;beginline=1;endline=20;md5=50c77c81871308b033ab7a1504626afb \
                    file://common/connman-dbus.c;beginline=1;endline=20;md5=de6b485c0e717a0236402d220187717a"
@@ -10,7 +10,7 @@ DEPENDS = "gtk+3 dbus-glib dbus-glib-native intltool-native gettext-native"
 # 0.7 tag
 SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143"
-SRC_URI = "git://github.com/connectivity/connman-gnome.git \
+SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protocol=https \
           file://0001-Removed-icon-from-connman-gnome-about-applet.patch \
           file://null_check_for_ipv4_config.patch \
           file://images/ \
@@ -18,13 +18,15 @@ SRC_URI = "git://github.com/connectivity/connman-gnome.git \
           file://0001-Port-to-Gtk3.patch \
          "
-S = "${WORKDIR}/git"
 inherit autotools-brokensep gtk-icon-cache pkgconfig features_check
 ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"
-RDEPENDS_${PN} = "connman"
+RDEPENDS:${PN} = "connman"
-do_install_append() {
+do_install:append() {
-    install -m 0644 ${WORKDIR}/images/* ${D}/usr/share/icons/hicolor/22x22/apps/
+    install -m 0644 ${UNPACKDIR}/images/* ${D}/usr/share/icons/hicolor/22x22/apps/
 }
+# http://errors.yoctoproject.org/Errors/Details/766926/
+# connman-client.c:200:15: error: assignment to 'GtkTreeModel *' {aka 'struct _GtkTreeModel *'} from incompatible pointer type 'GtkTreeStore *' {aka 'struct _GtkTreeStore *'} [-Wincompatible-pointer-types]
+CFLAGS += "-Wno-error=incompatible-pointer-types"
diff --git a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-networkd-when-using-con.patch b/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-networkd-when-using-con.patch
deleted file mode 100644
index dd012750a4..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-networkd-when-using-con.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9fea099d0a3ece37d80ad70d32ebb8a93f8f3280 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Fri, 30 Oct 2020 13:48:45 +0800
-Subject: [PATCH] connman.service: stop systemd-networkd when using connman
-Stop systemd-networkd service when we use connman as network manager.
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- src/connman.service.in | 1 +
- 1 file changed, 1 insertion(+)
-diff --git a/src/connman.service.in b/src/connman.service.in
-index 79e75d6..014eafe 100644
--- a/src/connman.service.in
-+++ b/src/connman.service.in
-@@ -6,6 +6,7 @@ RequiresMountsFor=@localstatedir@/lib/connman
- After=dbus.service network-pre.target systemd-sysusers.service
- Before=network.target multi-user.target shutdown.target
- Wants=network.target
-+Conflicts=systemd-networkd.service systemd-networkd.socket
- Conflicts=systemd-resolved.service
- 
- [Service]
-- 
-2.17.1
diff --git a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch b/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch
deleted file mode 100644
index 8e2e0bd02d..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9f70b94ebf18f52c115634642652830fa77f27a1 Mon Sep 17 00:00:00 2001
-From: "Maxin B. John" <maxin.john@intel.com>
-Date: Mon, 12 Jun 2017 16:52:39 +0300
-Subject: [PATCH] connman.service: stop systemd-resolved when we use connman
-Stop systemd-resolved service when we use connman as network manager.
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
---
- src/connman.service.in | 1 +
- 1 file changed, 1 insertion(+)
-diff --git a/src/connman.service.in b/src/connman.service.in
-index 9f5c10f..dab48bc 100644
--- a/src/connman.service.in
-+++ b/src/connman.service.in
-@@ -6,6 +6,7 @@ RequiresMountsFor=@localstatedir@/lib/connman
- After=dbus.service network-pre.target systemd-sysusers.service
- Before=network.target multi-user.target shutdown.target
- Wants=network.target
-+Conflicts=systemd-resolved.service
- 
- [Service]
- Type=dbus
-- 
-2.4.0
diff --git a/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch b/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch
deleted file mode 100644
index e6f03e632e..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 4ddaf78dad5a9ee4a0658235f71b75132192123e Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sat, 7 Apr 2012 18:52:12 -0700
-Subject: [PATCH] plugin.h: Change visibility to default for debug symbols
-gold refuses to link in undefined weak symbols which
-have hidden visibility
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Pending
---
- include/plugin.h |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-diff --git a/include/plugin.h b/include/plugin.h
-index 692a4e5..a9361c3 100644
--- a/include/plugin.h
-+++ b/include/plugin.h
-@@ -89,9 +89,9 @@ struct connman_plugin_desc {
- #else
- #define CONNMAN_PLUGIN_DEFINE(name, description, version, priority, init, exit) \
-                extern struct connman_debug_desc __start___debug[] \
-                               __attribute__ ((weak, visibility("hidden"))); \
-+                               __attribute__ ((weak, visibility("default"))); \
-                extern struct connman_debug_desc __stop___debug[] \
-                               __attribute__ ((weak, visibility("hidden"))); \
-+                               __attribute__ ((weak, visibility("default"))); \
-                extern struct connman_plugin_desc connman_plugin_desc \
-                                __attribute__ ((visibility("default"))); \
-                struct connman_plugin_desc connman_plugin_desc = { \
-- 
-1.7.5.4
diff --git a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
index 942b9c97b6..2c612039ee 100644
--- a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
+++ b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
@@ -1,83 +1,85 @@
-From c7734e1547db967eccf242fe4b9e8a30b9ff141c Mon Sep 17 00:00:00 2001
+From 4e726a5aaa75d60fab6a56bc37dbec48be53ff79 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Mon, 6 Apr 2015 23:02:21 -0700
-Subject: [PATCH] resolve: musl does not implement res_ninit
+Subject: [PATCH] gweb/gresolv.c: make use of res_ninit optional and subject to
+ __RES
-ported from
+Not all libc implementation have those functions, and the way to determine
+if they do is to check __RES which is explained in resolv.h thusly:
+/*
+ * Revision information.  This is the release date in YYYYMMDD format.
+ * It can change every day so the right thing to do with it is use it
+ * in preprocessor commands such as "#if (__RES > 19931104)".  Do not
+ * compare for equality; rather, use it to determine whether your resolver
+ * is new enough to contain a certain feature.
+ */
+Indeed, it needs to be at least 19991006.
+The portion of the patch that implements a fallback is ported from
+Alpine Linux:
 http://git.alpinelinux.org/cgit/aports/plain/testing/connman/libresolv.patch
-Upstream-Status: Pending
+Upstream-Status: Submitted [to connman@lists.linux.dev,marcel@holtmann.org]
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
- gweb/gresolv.c | 34 +++++++++++++---------------------
+ gweb/gresolv.c | 21 +++++++++++++++++++++
- 1 file changed, 13 insertions(+), 21 deletions(-)
+ 1 file changed, 21 insertions(+)
 diff --git a/gweb/gresolv.c b/gweb/gresolv.c
-index 38a554e..a9e8740 100644
+index 8101d71..9f1477c 100644
 --- a/gweb/gresolv.c
 +++ b/gweb/gresolv.c
-@@ -36,6 +36,7 @@
+@@ -879,7 +879,9 @@ GResolv *g_resolv_new(int index)
- #include <arpa/inet.h>
- #include <arpa/nameser.h>
- #include <net/if.h>
-+#include <ctype.h>
- 
- #include "gresolv.h"
- 
-@@ -877,8 +878,6 @@ GResolv *g_resolv_new(int index)
        resolv->index = index;
        resolv->nameserver_list = NULL;
 
-       res_ninit(&resolv->res);
+#if (__RES >= 19991006)
-
+        res_ninit(&resolv->res);
+#endif
+ 
        return resolv;
 }
- 
+@@ -920,7 +922,9 @@ void g_resolv_unref(GResolv *resolv)
-@@ -918,8 +917,6 @@ void g_resolv_unref(GResolv *resolv)
 
        flush_nameservers(resolv);
 
-       res_nclose(&resolv->res);
+#if (__RES >= 19991006)
-
+        res_nclose(&resolv->res);
+#endif
+ 
        g_free(resolv);
 }
- 
+@@ -1024,6 +1028,7 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
-@@ -1022,24 +1019,19 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
        debug(resolv, "hostname %s", hostname);
 
        if (!resolv->nameserver_list) {
-               int i;
+#if (__RES >= 19991006)
-
+                int i;
-               for (i = 0; i < resolv->res.nscount; i++) {
+ 
-                       char buf[100];
+                for (i = 0; i < resolv->res.nscount; i++) {
-                       int family = resolv->res.nsaddr_list[i].sin_family;
+@@ -1043,6 +1048,22 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
-                       void *sa_addr = &resolv->res.nsaddr_list[i].sin_addr;
+                        if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
-
+                                g_resolv_add_nameserver(resolv, buf, 53, 0);
-                       if (family != AF_INET &&
-                                       resolv->res._u._ext.nsaddrs[i]) {
-                               family = AF_INET6;
-                               sa_addr = &resolv->res._u._ext.nsaddrs[i]->sin6_addr;
-+               FILE *f = fopen("/etc/resolv.conf", "r");
-+               if (f) {
-+                       char line[256], *s;
-+                       int i;
-+                       while (fgets(line, sizeof(line), f)) {
-+                               if (strncmp(line, "nameserver", 10) || !isspace(line[10]))
-+                                       continue;
-+                               for (s = &line[11]; isspace(s[0]); s++);
-+                               for (i = 0; s[i] && !isspace(s[i]); i++);
-+                               s[i] = 0;
-+                               g_resolv_add_nameserver(resolv, s, 53, 0);
-                        }
-
-                       if (family != AF_INET && family != AF_INET6)
-                               continue;
-
-                       if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
-                               g_resolv_add_nameserver(resolv, buf, 53, 0);
-+                       fclose(f);
                }
+#else
+                FILE *f = fopen("/etc/resolv.conf", "r");
+                if (f) {
+                        char line[256], *s;
+                        int i;
+                        while (fgets(line, sizeof(line), f)) {
+                                if (strncmp(line, "nameserver", 10) || !isspace(line[10]))
+                                        continue;
+                                for (s = &line[11]; isspace(s[0]); s++);
+                                for (i = 0; s[i] && !isspace(s[i]); i++);
+                                s[i] = 0;
+                                g_resolv_add_nameserver(resolv, s, 53, 0);
+                        }
+                        fclose(f);
+                }
+#endif
 
                if (!resolv->nameserver_list)
+                        g_resolv_add_nameserver(resolv, "127.0.0.1", 53, 0);
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
new file mode 100644
index 0000000000..62f07e707a
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
@@ -0,0 +1,41 @@
+From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
+From: Yoonje Shin <ioerts@kookmin.ac.kr>
+Date: Mon, 12 May 2025 10:48:18 +0200
+Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
+In Connman parse_rr in dnsproxy.c has a memcpy length
+that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
+and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
+than the amount of remaining packet data in the current state of
+parsing. As a result, values of stack memory locations may be sent
+over the network in a response.
+This patch adds a check to ensure that (*end + *rdlen) does not exceed
+the valid range. If the condition is violated, the function returns
+-EINVAL.
+CVE: CVE-2025-32366
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 7ee26d9..1dd2f7f 100644
+--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
+@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start,
+        if ((offset + *rdlen) > *response_size)
+                return -ENOBUFS;
+       if ((*end + *rdlen) > max)
+               return -EINVAL;
+
+        memcpy(response + offset, *end, *rdlen);
+        *end += *rdlen;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
new file mode 100644
index 0000000000..c114589679
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
@@ -0,0 +1,48 @@
+From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
+From: Praveen Kumar <praveen.kumar@windriver.com>
+Date: Thu, 24 Apr 2025 11:39:29 +0000
+Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
+In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
+can be NULL or an empty string when the TC (Truncated) bit is set in
+a DNS response. This allows attackers to cause a denial of service
+(application crash) or possibly execute arbitrary code, because those
+lookup values lead to incorrect length calculations and incorrect
+memcpy operations.
+This patch includes a check to make sure loookup value is valid before
+using it. This helps avoid unexpected value when the input is empty or
+incorrect.
+Fixes: CVE-2025-32743
+CVE: CVE-2025-32743
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index f28a5d7..7ee26d9 100644
+--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
+@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
+                                gpointer request, gpointer name)
+ {
+        int sk = -1;
+       int err;
+        const char *lookup = (const char *)name;
+-       int err = ns_try_resolv_from_cache(req, request, lookup);
+
+       if (!lookup || strlen(lookup) == 0)
+               return -EINVAL;
+
+       err = ns_try_resolv_from_cache(req, request, lookup);
+        if (err > 0)
+                /* cache hit */
+--
+2.40.0
diff --git a/meta/recipes-connectivity/connman/connman/connman b/meta/recipes-connectivity/connman/connman/connman
index c64fa0d715..adb5d44fed 100644
--- a/meta/recipes-connectivity/connman/connman/connman
+++ b/meta/recipes-connectivity/connman/connman/connman
@@ -10,53 +10,15 @@ fi
 set -e
-nfsroot=0
-exec 9<&0 < /proc/mounts
-while read dev mtpt fstype rest; do
-        if test $mtpt = "/" ; then
-                case $fstype in
-                    nfs | nfs4)
-                        nfsroot=1
-                        break
-                        ;;
-                    *)
-                        ;;
-                esac
-        fi
-done
 do_start() {
-        EXTRA_PARAM=""
-        if test $nfsroot -eq 1 ; then
-            NET_DEVS=`cat /proc/net/dev | sed -ne 's/^\([a-zA-Z0-9 ]*\):.*$/\1/p'`
-            NET_ADDR=`cat /proc/cmdline | sed -ne 's/^.*ip=\([^ :]*\).*$/\1/p'`
-            if [ ! -z "$NET_ADDR" ]; then
-                if [ "$NET_ADDR" = dhcp ]; then
-                    ethn=`ifconfig | grep "^eth" | sed -e "s/\(eth[0-9]\)\(.*\)/\1/"`
-                    if [ ! -z "$ethn" ]; then
-                        EXTRA_PARAM="-I $ethn"
-                    fi
-                else
-                    for i in $NET_DEVS; do
-                        ADDR=`ifconfig $i | sed 's/addr://g' | sed -ne 's/^.*inet \([0-9.]*\) .*$/\1/p'`
-                        if [ "$NET_ADDR" = "$ADDR" ]; then
-                            EXTRA_PARAM="-I $i"
-                            break
-                        fi
-                    done
-                fi
-            fi
-        fi
        if [ -f @DATADIR@/connman/wired-setup ] ; then
                . @DATADIR@/connman/wired-setup
        fi
-        $DAEMON $EXTRA_PARAM
+        $DAEMON
 }
 do_stop() {
-        start-stop-daemon --stop --name connmand --quiet
+        start-stop-daemon --stop --oknodo --name connmand --quiet
 }
 case "$1" in
diff --git a/meta/recipes-connectivity/connman/connman/no-version-scripts.patch b/meta/recipes-connectivity/connman/connman/no-version-scripts.patch
deleted file mode 100644
index e96e38bcf9..0000000000
--- a/meta/recipes-connectivity/connman/connman/no-version-scripts.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-With binutils 2.27 on at least MIPS, connmand will crash on startup.  This
-appears to be due to the symbol visibilty scripts hiding symbols that stdio
-looks up at runtime, resulting in it segfaulting.
-This certainly appears to be a bug in binutils 2.27 although the problem has
-been known about for some time:
-https://sourceware.org/bugzilla/show_bug.cgi?id=17908
-As the version scripts are only used to hide symbols from plugins we can safely
-remove the scripts to work around the problem until binutils is fixed.
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-diff --git a/Makefile.am b/Makefile.am
-index d70725c..76ae432 100644
--- a/Makefile.am
-+++ b/Makefile.am
-@@ -132,2 +132 @@ src_connmand_LDADD = gdbus/libgdbus-internal.la $(builtin_libadd) \
-src_connmand_LDFLAGS = -Wl,--export-dynamic \
-                               -Wl,--version-script=$(srcdir)/src/connman.ver
-+src_connmand_LDFLAGS = -Wl,--export-dynamic
-@@ -166,2 +165 @@ vpn_connman_vpnd_LDADD = gdbus/libgdbus-internal.la $(builtin_vpn_libadd) \
-vpn_connman_vpnd_LDFLAGS = -Wl,--export-dynamic \
-                               -Wl,--version-script=$(srcdir)/vpn/vpn.ver
-+vpn_connman_vpnd_LDFLAGS = -Wl,--export-dynamic
diff --git a/meta/recipes-connectivity/connman/connman_1.38.bb b/meta/recipes-connectivity/connman/connman_1.38.bb
deleted file mode 100644
index 45c2934dec..0000000000
--- a/meta/recipes-connectivity/connman/connman_1.38.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-require connman.inc
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
-           file://0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch \
-           file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \
-           file://0001-connman.service-stop-systemd-networkd-when-using-con.patch \
-           file://connman \
-           file://no-version-scripts.patch \
-           "
-SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
-SRC_URI[md5sum] = "1ed8745354c7254bdfd4def54833ee94"
-SRC_URI[sha256sum] = "cb30aca97c2f79ccaed8802aa2909ac5100a3969de74c0af8a9d73b85fc4932b"
-RRECOMMENDS_${PN} = "connman-conf"
-RCONFLICTS_${PN} = "networkmanager"
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman_1.44.bb
index 776bbfbff2..1b0fbe438c 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman_1.44.bb
@@ -7,48 +7,72 @@ It is a fully modular system that can be extended, through plug-ins, \
 to support all kinds of wired or wireless technologies. Also, \
 configuration methods, like DHCP and domain name resolving, are \
 implemented using plug-ins."
-HOMEPAGE = "http://connman.net/"
+HOMEPAGE = "https://web.git.kernel.org/pub/scm/network/connman/connman.git/about/"
-BUGTRACKER = "https://01.org/jira/browse/CM"
+LICENSE  = "GPL-2.0-only"
-LICENSE  = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
                    file://src/main.c;beginline=1;endline=20;md5=486a279a6ab0c8d152bcda3a5b5edc36"
 inherit autotools pkgconfig systemd update-rc.d update-alternatives
-DEPENDS  = "dbus glib-2.0 ppp"
+CVE_PRODUCT = "connman connection_manager"
+DEPENDS  = "dbus glib-2.0"
+SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
+           file://connman \
+           file://0002-resolve-musl-does-not-implement-res_ninit.patch \
+           file://CVE-2025-32743.patch \
+           file://CVE-2025-32366.patch \
+           "
+SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"
+RRECOMMENDS:${PN} = "connman-conf"
+RCONFLICTS:${PN} = "networkmanager"
 EXTRA_OECONF += "\
-    ac_cv_path_WPASUPPLICANT=${sbindir}/wpa_supplicant \
+    ac_cv_path_IP6TABLES_SAVE=${sbindir}/ip6tables-save \
+    ac_cv_path_IPTABLES_SAVE=${sbindir}/iptables-save \
    ac_cv_path_PPPD=${sbindir}/pppd \
+    ac_cv_path_WPASUPPLICANT=${sbindir}/wpa_supplicant \
    --enable-debug \
    --enable-loopback \
    --enable-ethernet \
    --enable-tools \
    --disable-polkit \
+    --runstatedir='${runtimedir}' \
+    --with-dns-backend='${@bb.utils.contains("DISTRO_FEATURES", "systemd-resolved", "systemd-resolved", "internal", d)}' \
 "
+# For smooth operation it would be best to start only one wireless daemon at a time.
+# If wpa-supplicant is running, connman will use it preferentially.
+# Select either wpa-supplicant or iwd
+WIRELESS_DAEMON ??= "wpa-supplicant"
 PACKAGECONFIG ??= "wispr iptables client\
-                   ${@bb.utils.filter('DISTRO_FEATURES', '3g systemd wifi', d)} \
+                   ${@bb.utils.filter('DISTRO_FEATURES', '3g systemd', d)} \
                   ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez', '', d)} \
+                   ${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'wifi ${WIRELESS_DAEMON}', '', d)} \
 "
 # If you want ConnMan to support VPN, add following statement into
 # local.conf or distro config
-# PACKAGECONFIG_append_pn-connman = " openvpn vpnc l2tp pptp"
+# PACKAGECONFIG:append:pn-connman = " openvpn vpnc l2tp pptp"
-PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/ --with-tmpfilesdir=${sysconfdir}/tmpfiles.d/,--with-systemdunitdir='' --with-tmpfilesdir=''"
+PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_system_unitdir}/ --with-tmpfilesdir=${sysconfdir}/tmpfiles.d/,--with-systemdunitdir='' --with-tmpfilesdir=''"
-PACKAGECONFIG[wifi] = "--enable-wifi, --disable-wifi, wpa-supplicant, wpa-supplicant"
+PACKAGECONFIG[wifi] = "--enable-wifi, --disable-wifi"
 PACKAGECONFIG[bluez] = "--enable-bluetooth, --disable-bluetooth, bluez5, bluez5"
 PACKAGECONFIG[3g] = "--enable-ofono, --disable-ofono, ofono, ofono"
+PACKAGECONFIG[wpa-supplicant] = ",,wpa-supplicant,wpa-supplicant"
+PACKAGECONFIG[iwd] = "--enable-iwd,--disable-iwd,,iwd"
 PACKAGECONFIG[tist] = "--enable-tist,--disable-tist,"
 PACKAGECONFIG[openvpn] = "--enable-openvpn --with-openvpn=${sbindir}/openvpn,--disable-openvpn,,openvpn"
 PACKAGECONFIG[vpnc] = "--enable-vpnc --with-vpnc=${sbindir}/vpnc,--disable-vpnc,,vpnc"
-PACKAGECONFIG[l2tp] = "--enable-l2tp --with-l2tp=${sbindir}/xl2tpd,--disable-l2tp,,xl2tpd"
+PACKAGECONFIG[l2tp] = "--enable-l2tp --with-l2tp=${sbindir}/xl2tpd,--disable-l2tp,ppp,xl2tpd"
-PACKAGECONFIG[pptp] = "--enable-pptp --with-pptp=${sbindir}/pptp,--disable-pptp,,pptp-linux"
+PACKAGECONFIG[pptp] = "--enable-pptp --with-pptp=${sbindir}/pptp,--disable-pptp,ppp,pptp-linux"
 # WISPr support for logging into hotspots, requires TLS
 PACKAGECONFIG[wispr] = "--enable-wispr,--disable-wispr,gnutls,"
-PACKAGECONFIG[nftables] = "--with-firewall=nftables ,,libmnl libnftnl,,kernel-module-nf-tables kernel-module-nft-chain-nat-ipv4 kernel-module-nft-chain-route-ipv4 kernel-module-nft-masq-ipv4 kernel-module-nft-nat"
+PACKAGECONFIG[nftables] = "--with-firewall=nftables ,,libmnl libnftnl,,kernel-module-nf-tables kernel-module-nft-chain-nat-ipv4 kernel-module-nft-chain-route-ipv4 kernel-module-nft-masq-ipv4 kernel-module-nft-nat,iptables"
-PACKAGECONFIG[iptables] = "--with-firewall=iptables ,,iptables,iptables"
+PACKAGECONFIG[iptables] = "--with-firewall=iptables,,iptables,,,nftables"
 PACKAGECONFIG[nfc] = "--enable-neard, --disable-neard, neard, neard"
 PACKAGECONFIG[client] = "--enable-client,--disable-client,readline"
 PACKAGECONFIG[wireguard] = "--enable-wireguard,--disable-wireguard,libmnl"
@@ -64,19 +88,19 @@ python __anonymous () {
    d.setVar('SYSTEMD_PACKAGES', systemd_packages)
 }
-SYSTEMD_SERVICE_${PN} = "connman.service"
+SYSTEMD_SERVICE:${PN} = "connman.service"
-SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service"
+SYSTEMD_SERVICE:${PN}-vpn = "connman-vpn.service"
-SYSTEMD_SERVICE_${PN}-wait-online = "connman-wait-online.service"
+SYSTEMD_SERVICE:${PN}-wait-online = "connman-wait-online.service"
-ALTERNATIVE_PRIORITY = "100"
+ALTERNATIVE_PRIORITY = "${@bb.utils.contains('DISTRO_FEATURES','systemd-resolved','10','100',d)}"
-ALTERNATIVE_${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','resolv-conf','',d)}"
+ALTERNATIVE:${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','resolv-conf','',d)}"
 ALTERNATIVE_TARGET[resolv-conf] = "${@bb.utils.contains('DISTRO_FEATURES','systemd','${sysconfdir}/resolv-conf.connman','',d)}"
 ALTERNATIVE_LINK_NAME[resolv-conf] = "${@bb.utils.contains('DISTRO_FEATURES','systemd','${sysconfdir}/resolv.conf','',d)}"
-do_install_append() {
+do_install:append() {
        if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
                install -d ${D}${sysconfdir}/init.d
-                install -m 0755 ${WORKDIR}/connman ${D}${sysconfdir}/init.d/connman
+                install -m 0755 ${UNPACKDIR}/connman ${D}${sysconfdir}/init.d/connman
                sed -i s%@DATADIR@%${datadir}% ${D}${sysconfdir}/init.d/connman
        fi
@@ -93,14 +117,15 @@ do_install_append() {
        # plugins directory to be present for ownership
        mkdir -p ${D}${libdir}/connman/plugins
-    # For read-only filesystem, do not create links during bootup
+        # For read-only filesystem, do not create links during bootup
-    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-        ln -sf ../run/connman/resolv.conf ${D}${sysconfdir}/resolv-conf.connman
+                install -d ${D}${sysconfdir}
-    fi
+                ln -sf ../run/connman/resolv.conf ${D}${sysconfdir}/resolv-conf.connman
+        fi
 }
 # These used to be plugins, but now they are core
-RPROVIDES_${PN} = "\
+RPROVIDES:${PN} = "\
        connman-plugin-loopback \
        connman-plugin-ethernet \
        ${@bb.utils.contains('PACKAGECONFIG', 'bluetooth','connman-plugin-bluetooth', '', d)} \
@@ -108,10 +133,6 @@ RPROVIDES_${PN} = "\
        ${@bb.utils.contains('PACKAGECONFIG', '3g','connman-plugin-ofono', '', d)} \
        "
-RDEPENDS_${PN} = "\
-        dbus \
-        "
 PACKAGES_DYNAMIC += "^${PN}-plugin-.*"
 def add_rdepends(bb, d, file, pkg, depmap, multilib_prefix, add_insane_skip):
@@ -119,11 +140,11 @@ def add_rdepends(bb, d, file, pkg, depmap, multilib_prefix, add_insane_skip):
    if plugintype in depmap:
        rdepends = map(lambda x: multilib_prefix + x, \
                       depmap[plugintype].split())
-        d.setVar("RDEPENDS_%s" % pkg, " ".join(rdepends))
+        d.setVar("RDEPENDS:%s" % pkg, " ".join(rdepends))
    if add_insane_skip:
-        d.appendVar("INSANE_SKIP_%s" % pkg, "dev-so")
+        d.appendVar("INSANE_SKIP:%s" % pkg, "dev-so")
-python populate_packages_prepend() {
+python populate_packages:prepend() {
    depmap = dict(pppd="ppp")
    multilib_prefix = (d.getVar("MLPREFIX") or "")
@@ -144,72 +165,73 @@ python populate_packages_prepend() {
 PACKAGES =+ "${PN}-tools ${PN}-tests ${PN}-client"
-FILES_${PN}-tools = "${bindir}/wispr"
+FILES:${PN}-tools = "${bindir}/wispr"
-RDEPENDS_${PN}-tools ="${PN}"
+RDEPENDS:${PN}-tools = "${PN}"
-FILES_${PN}-tests = "${bindir}/*-test"
+FILES:${PN}-tests = "${bindir}/*-test"
+RDEPENDS:${PN}-tests = "${@bb.utils.contains('PACKAGECONFIG', 'iptables', 'iptables', '', d)}"
-FILES_${PN}-client = "${bindir}/connmanctl"
+FILES:${PN}-client = "${bindir}/connmanctl"
-RDEPENDS_${PN}-client ="${PN}"
+RDEPENDS:${PN}-client = "${PN}"
-FILES_${PN} = "${bindir}/* ${sbindir}/* ${libexecdir}/* ${libdir}/lib*.so.* \
+FILES:${PN} = "${bindir}/* ${sbindir}/* ${libexecdir}/* ${libdir}/lib*.so.* \
            ${libdir}/connman/plugins \
            ${sysconfdir} ${sharedstatedir} ${localstatedir} ${datadir} \
            ${base_bindir}/* ${base_sbindir}/* ${base_libdir}/*.so* ${datadir}/${PN} \
            ${datadir}/dbus-1/system-services/* \
            ${sysconfdir}/tmpfiles.d/connman_resolvconf.conf"
-FILES_${PN}-dev += "${libdir}/connman/*/*.la"
+FILES:${PN}-dev += "${libdir}/connman/*/*.la"
 PACKAGES =+ "${PN}-vpn ${PN}-wait-online"
-SUMMARY_${PN}-vpn = "A daemon for managing VPN connections within embedded devices"
+SUMMARY:${PN}-vpn = "A daemon for managing VPN connections within embedded devices"
-DESCRIPTION_${PN}-vpn = "The ConnMan VPN provides a daemon for \
+DESCRIPTION:${PN}-vpn = "The ConnMan VPN provides a daemon for \
 managing VPN connections within embedded devices running the Linux \
 operating system.  The connman-vpnd handles all the VPN connections \
 and starts/stops VPN client processes when necessary. The connman-vpnd \
 provides a DBus API for managing VPN connections. All the different \
 VPN technogies are implemented using plug-ins."
-FILES_${PN}-vpn += "${sbindir}/connman-vpnd \
+FILES:${PN}-vpn += "${sbindir}/connman-vpnd \
                    ${sysconfdir}/dbus-1/system.d/connman-vpn-dbus.conf \
                    ${datadir}/dbus-1/system-services/net.connman.vpn.service \
-                    ${systemd_unitdir}/system/connman-vpn.service"
+                    ${systemd_system_unitdir}/connman-vpn.service"
-SUMMARY_${PN}-wait-online = "A program that will return once ConnMan has connected to a network"
+SUMMARY:${PN}-wait-online = "A program that will return once ConnMan has connected to a network"
-DESCRIPTION_${PN}-wait-online = "A service that can be enabled so that \
+DESCRIPTION:${PN}-wait-online = "A service that can be enabled so that \
 the system waits until a network connection is established."
-FILES_${PN}-wait-online += "${sbindir}/connmand-wait-online \
+FILES:${PN}-wait-online += "${sbindir}/connmand-wait-online \
-                            ${systemd_unitdir}/system/connman-wait-online.service"
+                            ${systemd_system_unitdir}/connman-wait-online.service"
-SUMMARY_${PN}-plugin-vpn-openvpn = "An OpenVPN plugin for ConnMan VPN"
+SUMMARY:${PN}-plugin-vpn-openvpn = "An OpenVPN plugin for ConnMan VPN"
-DESCRIPTION_${PN}-plugin-vpn-openvpn = "The ConnMan OpenVPN plugin uses openvpn client \
+DESCRIPTION:${PN}-plugin-vpn-openvpn = "The ConnMan OpenVPN plugin uses openvpn client \
 to create a VPN connection to OpenVPN server."
-FILES_${PN}-plugin-vpn-openvpn += "${libdir}/connman/scripts/openvpn-script \
+FILES:${PN}-plugin-vpn-openvpn += "${libdir}/connman/scripts/openvpn-script \
                                   ${libdir}/connman/plugins-vpn/openvpn.so"
-RDEPENDS_${PN}-plugin-vpn-openvpn += "${PN}-vpn"
+RDEPENDS:${PN}-plugin-vpn-openvpn += "${PN}-vpn"
-RRECOMMENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','openvpn','${PN}-plugin-vpn-openvpn', '', d)}"
+RRECOMMENDS:${PN} += "${@bb.utils.contains('PACKAGECONFIG','openvpn','${PN}-plugin-vpn-openvpn', '', d)}"
-SUMMARY_${PN}-plugin-vpn-vpnc = "A vpnc plugin for ConnMan VPN"
+SUMMARY:${PN}-plugin-vpn-vpnc = "A vpnc plugin for ConnMan VPN"
-DESCRIPTION_${PN}-plugin-vpn-vpnc = "The ConnMan vpnc plugin uses vpnc client \
+DESCRIPTION:${PN}-plugin-vpn-vpnc = "The ConnMan vpnc plugin uses vpnc client \
 to create a VPN connection to Cisco3000 VPN Concentrator."
-FILES_${PN}-plugin-vpn-vpnc += "${libdir}/connman/scripts/openconnect-script \
+FILES:${PN}-plugin-vpn-vpnc += "${libdir}/connman/scripts/openconnect-script \
                                ${libdir}/connman/plugins-vpn/vpnc.so \
                                ${libdir}/connman/scripts/vpn-script"
-RDEPENDS_${PN}-plugin-vpn-vpnc += "${PN}-vpn"
+RDEPENDS:${PN}-plugin-vpn-vpnc += "${PN}-vpn"
-RRECOMMENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','vpnc','${PN}-plugin-vpn-vpnc', '', d)}"
+RRECOMMENDS:${PN} += "${@bb.utils.contains('PACKAGECONFIG','vpnc','${PN}-plugin-vpn-vpnc', '', d)}"
-SUMMARY_${PN}-plugin-vpn-l2tp = "A L2TP plugin for ConnMan VPN"
+SUMMARY:${PN}-plugin-vpn-l2tp = "A L2TP plugin for ConnMan VPN"
-DESCRIPTION_${PN}-plugin-vpn-l2tp = "The ConnMan L2TP plugin uses xl2tpd daemon \
+DESCRIPTION:${PN}-plugin-vpn-l2tp = "The ConnMan L2TP plugin uses xl2tpd daemon \
 to create a VPN connection to L2TP server."
-FILES_${PN}-plugin-vpn-l2tp += "${libdir}/connman/scripts/libppp-plugin.so* \
+FILES:${PN}-plugin-vpn-l2tp += "${libdir}/connman/scripts/libppp-plugin.so* \
                                ${libdir}/connman/plugins-vpn/l2tp.so"
-RDEPENDS_${PN}-plugin-vpn-l2tp += "${PN}-vpn"
+RDEPENDS:${PN}-plugin-vpn-l2tp += "${PN}-vpn"
-RRECOMMENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','l2tp','${PN}-plugin-vpn-l2tp', '', d)}"
+RRECOMMENDS:${PN} += "${@bb.utils.contains('PACKAGECONFIG','l2tp','${PN}-plugin-vpn-l2tp', '', d)}"
-SUMMARY_${PN}-plugin-vpn-pptp = "A PPTP plugin for ConnMan VPN"
+SUMMARY:${PN}-plugin-vpn-pptp = "A PPTP plugin for ConnMan VPN"
-DESCRIPTION_${PN}-plugin-vpn-pptp = "The ConnMan PPTP plugin uses pptp-linux client \
+DESCRIPTION:${PN}-plugin-vpn-pptp = "The ConnMan PPTP plugin uses pptp-linux client \
 to create a VPN connection to PPTP server."
-FILES_${PN}-plugin-vpn-pptp += "${libdir}/connman/scripts/libppp-plugin.so* \
+FILES:${PN}-plugin-vpn-pptp += "${libdir}/connman/scripts/libppp-plugin.so* \
                                ${libdir}/connman/plugins-vpn/pptp.so"
-RDEPENDS_${PN}-plugin-vpn-pptp += "${PN}-vpn"
+RDEPENDS:${PN}-plugin-vpn-pptp += "${PN}-vpn"
-RRECOMMENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','pptp','${PN}-plugin-vpn-pptp', '', d)}"
+RRECOMMENDS:${PN} += "${@bb.utils.contains('PACKAGECONFIG','pptp','${PN}-plugin-vpn-pptp', '', d)}"
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.3.2.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.2.4.bb
index cca60ddae2..bfb24aa58c 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.3.2.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.2.4.bb
@@ -7,21 +7,22 @@ DESCRIPTION = "dhcpcd runs on your machine and silently configures your \
 HOMEPAGE = "http://roy.marples.name/projects/dhcpcd/"
 LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=9674cc803c5d71306941e6e8b5c002f2"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=4dda5beb433a809f2e0aeffbf9da3d91"
-UPSTREAM_CHECK_URI = "https://roy.marples.name/downloads/dhcpcd/"
+SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=master \
-SRC_URI = "https://roy.marples.name/downloads/${BPN}/${BPN}-${PV}.tar.xz \
           file://0001-remove-INCLUDEDIR-to-prevent-build-issues.patch \
+           file://0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch \
           file://dhcpcd.service \
           file://dhcpcd@.service \
+           file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
           "
-SRC_URI[sha256sum] = "6d49af5e766a2515e6366e4f669663df04ecdf90a1a60ddb1d7a2feb4b5d2566"
+SRCREV = "93df2b254caf9639f9ffb66e0fe2b584eeba6220"
+# Doesn't use automake so we can't do out-of-tree builds
 inherit pkgconfig autotools-brokensep systemd useradd
-SYSTEMD_SERVICE_${PN} = "dhcpcd.service"
+SYSTEMD_SERVICE:${PN} = "dhcpcd.service"
 PACKAGECONFIG ?= "udev ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
@@ -32,8 +33,11 @@ PACKAGECONFIG[ntp] = "--with-hook=ntp, , ,ntp"
 PACKAGECONFIG[chrony] = "--with-hook=ntp, , ,chrony"
 PACKAGECONFIG[ypbind] = "--with-eghook=yp, , ,ypbind-mt"
+# add option to override DBDIR location
+DBDIR ?= "${localstatedir}/lib/${BPN}"
 EXTRA_OECONF = "--enable-ipv4 \
-                --dbdir=${localstatedir}/lib/${BPN} \
+                --dbdir=${DBDIR} \
                --sbindir=${base_sbindir} \
                --runstatedir=/run \
                --enable-privsep \
@@ -43,15 +47,21 @@ EXTRA_OECONF = "--enable-ipv4 \
               "
 USERADD_PACKAGES = "${PN}"
-USERADD_PARAM_${PN} = "--system -d ${localstatedir}/lib/${BPN} -M -s /bin/false -U dhcpcd"
+USERADD_PARAM:${PN} = "--system -d ${DBDIR} -M -s /bin/false -U dhcpcd"
+# This isn't autoconf but is instead a configure script that tries to look like
+# autoconf, so just run it directly.
+do_configure() {
+    oe_runconf
+}
-do_install_append () {
+do_install:append () {
    # install systemd unit files
-    install -d ${D}${systemd_unitdir}/system
+    install -d ${D}${systemd_system_unitdir}
-    install -m 0644 ${WORKDIR}/dhcpcd*.service ${D}${systemd_unitdir}/system
+    install -m 0644 ${UNPACKDIR}/dhcpcd*.service ${D}${systemd_system_unitdir}
-    chmod 700 ${D}${localstatedir}/lib/${BPN}
+    chmod 700 ${D}${DBDIR}
-    chown dhcpcd:dhcpcd ${D}${localstatedir}/lib/${BPN}
+    chown dhcpcd:dhcpcd ${D}${DBDIR}
 }
-FILES_${PN}-dbg += "${libdir}/dhcpcd/dev/.debug"
+FILES:${PN}-dbg += "${libdir}/dhcpcd/dev/.debug"
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
new file mode 100644
index 0000000000..512e33aebf
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
@@ -0,0 +1,79 @@
+From d1581ce103db0a5db0b1761907fff9ddd6b55a8a Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Wed, 9 Nov 2022 16:33:18 +0800
+Subject: [PATCH] 20-resolv.conf: improve the sitation of working with systemd
+systemd's resolvconf implementation ignores the protocol part.
+See https://github.com/systemd/systemd/issues/25032.
+When using 'dhcp server + dns server + dhcpcd + systemd', we
+get an integration issue, that is dhcpcd runs 'resolvconf -d eth0.ra',
+yet systemd's resolvconf treats it as eth0. This will delete the
+DNS information set by 'resolvconf -a eth0.dhcp'.
+Fortunately, 20-resolv.conf has the ability to build the resolv.conf
+file contents itself. We can just pass the generated contents to
+systemd's resolvconf. This way, the DNS information is not incorrectly
+deleted. Also, it does not cause behavior regression for dhcpcd
+in other cases.
+Upstream-Status: Inappropriate [OE Specific]
+This patch has been rejected by dhcpcd upstream.
+See details in https://github.com/NetworkConfiguration/dhcpcd/pull/152
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ hooks/20-resolv.conf | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+diff --git a/hooks/20-resolv.conf b/hooks/20-resolv.conf
+index bd0b0df5..9c7721de 100644
+--- a/hooks/20-resolv.conf
+++ b/hooks/20-resolv.conf
+@@ -11,8 +11,12 @@ nocarrier_roaming_dir="$state_dir/roaming"
+ NL="
+ "
+ : ${resolvconf:=resolvconf}
+resolvconf_from_systemd=false
+ if command -v "$resolvconf" >/dev/null 2>&1; then
+        have_resolvconf=true
+       if [ $(basename $(readlink -f $(which $resolvconf))) = resolvectl ]; then
+               resolvconf_from_systemd=true
+       fi
+ else
+        have_resolvconf=false
+ fi
+@@ -69,8 +73,13 @@ build_resolv_conf()
+        else
+                echo "# /etc/resolv.conf.tail can replace this line" >> "$cf"
+        fi
+-       if change_file /etc/resolv.conf "$cf"; then
+-               chmod 644 /etc/resolv.conf
+       if $resolvconf_from_systemd; then
+               [ -n "$ifmetric" ] && export IF_METRIC="$ifmetric"
+               "$resolvconf" -a "$ifname" <"$cf"
+       else
+               if change_file /etc/resolv.conf "$cf"; then
+                       chmod 644 /etc/resolv.conf
+               fi
+        fi
+        rm -f "$cf"
+ }
+@@ -179,7 +188,7 @@ add_resolv_conf()
+        for x in ${new_domain_name_servers}; do
+                conf="${conf}nameserver $x$NL"
+        done
+-       if $have_resolvconf; then
+       if $have_resolvconf && ! $resolvconf_from_systemd; then
+                [ -n "$ifmetric" ] && export IF_METRIC="$ifmetric"
+                printf %s "$conf" | "$resolvconf" -a "$ifname"
+                return $?
+@@ -195,7 +204,7 @@ add_resolv_conf()
+ 
+ remove_resolv_conf()
+ {
+-       if $have_resolvconf; then
+       if $have_resolvconf && ($if_down || ! $resolvconf_from_systemd); then
+                "$resolvconf" -d "$ifname" -f
+        else
+                if [ -e "$resolv_conf_dir/$ifname" ]; then
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch
new file mode 100644
index 0000000000..484b84f94a
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch
@@ -0,0 +1,43 @@
+From e9b1376c59b15e7b03611429187d9d89167154b5 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Fri, 10 Mar 2023 03:48:46 +0000
+Subject: [PATCH] dhcpcd.8: Fix conflict error when enable multilib.
+Error: Transaction test error:
+ file /usr/share/man/man8/dhcpcd.8 conflicts between attempted
+ installs of dhcpcd-doc-9.4.1-r0.cortexa57 and
+ lib32-dhcpcd-doc-9.4.1-r0.armv7ahf_neon
+The differences between the two files are as follows:
+@@ -821,7 +821,7 @@
+ If you always use the same options, put them here.
+ .It Pa /usr/libexec/dhcpcd-run-hooks
+ Bourne shell script that is run to configure or de-configure an interface.
+-.It Pa /usr/lib64/dhcpcd/dev
+.It Pa /usr/lib/dhcpcd/dev
+ Linux
+ .Pa /dev
+ management modules.
+It is just a man file, there is no necessary to manage multiple
+versions.
+Upstream-Status: Inappropriate [oe specific]
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ src/dhcpcd.8.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/dhcpcd.8.in b/src/dhcpcd.8.in
+index 91fdde2c..b467dc3b 100644
+--- a/src/dhcpcd.8.in
+++ b/src/dhcpcd.8.in
+@@ -826,7 +826,7 @@ Configuration file for dhcpcd.
+ If you always use the same options, put them here.
+ .It Pa @SCRIPT@
+ Bourne shell script that is run to configure or de-configure an interface.
+-.It Pa @LIBDIR@/dhcpcd/dev
+.It Pa /usr/<libdir>/dhcpcd/dev
+ Linux
+ .Pa /dev
+ management modules.
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch b/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch
index 37d2344438..fd3fae7e7e 100644
--- a/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch
@@ -1,4 +1,4 @@
-From aa9e3982c1e75ad49945a62f5e262279c7a905a4 Mon Sep 17 00:00:00 2001
+From c2ebc32112e0cd29390b4dc951b65efae36d607b Mon Sep 17 00:00:00 2001
 From: Stefano Cappa <stefano.cappa.ks89@gmail.com>
 Date: Sun, 13 Jan 2019 01:50:52 +0100
 Subject: [PATCH] remove INCLUDEDIR to prevent build issues
@@ -11,10 +11,10 @@ Signed-off-by: Stefano Cappa <stefano.cappa.ks89@gmail.com>
 1 file changed, 5 deletions(-)
 diff --git a/configure b/configure
-index 6c81e0db..32dea2b4 100755
+index a60da137..3673de8b 100755
 --- a/configure
 +++ b/configure
-@@ -20,7 +20,6 @@ BUILD=
+@@ -26,7 +26,6 @@ BUILD=
 HOST=
 HOSTCC=
 TARGET=
@@ -22,7 +22,7 @@ index 6c81e0db..32dea2b4 100755
 DEBUG=
 FORK=
 STATIC=
-@@ -72,7 +71,6 @@ for x do
+@@ -89,7 +88,6 @@ for x do
        --mandir) MANDIR=$var;;
        --datadir) DATADIR=$var;;
        --with-ccopts|CFLAGS) CFLAGS=$var;;
@@ -30,7 +30,7 @@ index 6c81e0db..32dea2b4 100755
        CC) CC=$var;;
        CPPFLAGS) CPPFLAGS=$var;;
        PKG_CONFIG) PKG_CONFIG=$var;;
-@@ -309,9 +307,6 @@ if [ -n "$CPPFLAGS" ]; then
+@@ -346,9 +344,6 @@ if [ -n "$CPPFLAGS" ]; then
        echo "CPPFLAGS=" >>$CONFIG_MK
        echo "CPPFLAGS+=        $CPPFLAGS" >>$CONFIG_MK
 fi
@@ -40,6 +40,3 @@ index 6c81e0db..32dea2b4 100755
 if [ -n "$LDFLAGS" ]; then
        echo "LDFLAGS=" >>$CONFIG_MK
        echo "LDFLAGS+= $LDFLAGS" >>$CONFIG_MK
-- 
-2.17.2 (Apple Git-113)
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch
deleted file mode 100644
index 49d319f59d..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 7d39930468e272c740b0eed3c7e5b7fb3abf29e8 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 5 Aug 2020 10:36:22 -0700
-Subject: [PATCH] ftpd,telnetd: Fix multiple definitions of errcatch and not42
-This helps fix build failures when -fno-common option is used
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
- ftpd/extern.h     | 2 +-
- ftpd/ftpcmd.c     | 1 +
- telnetd/utility.c | 2 +-
- 3 files changed, 3 insertions(+), 2 deletions(-)
-diff --git a/ftpd/extern.h b/ftpd/extern.h
-index ab33cf3..91dbbee 100644
--- a/ftpd/extern.h
-+++ b/ftpd/extern.h
-@@ -90,7 +90,7 @@ extern void user (const char *);
- extern char *sgetsave (const char *);
- 
- /* Exported from ftpd.c.  */
-jmp_buf errcatch;
-+extern jmp_buf errcatch;
- extern struct sockaddr_storage data_dest;
- extern socklen_t data_dest_len;
- extern struct sockaddr_storage his_addr;
-diff --git a/ftpd/ftpcmd.c b/ftpd/ftpcmd.c
-index beb1f06..d272e9d 100644
--- a/ftpd/ftpcmd.c
-+++ b/ftpd/ftpcmd.c
-@@ -106,6 +106,7 @@
- #endif
- 
- off_t restart_point;
-+jmp_buf errcatch;
- 
- static char cbuf[512];           /* Command Buffer.  */
- static char *fromname;
-diff --git a/telnetd/utility.c b/telnetd/utility.c
-index e7ffb8e..46bf91e 100644
--- a/telnetd/utility.c
-+++ b/telnetd/utility.c
-@@ -63,7 +63,7 @@ static int ncc;
- static char ptyibuf[BUFSIZ], *ptyip;
- static int pcc;
- 
-int not42;
-+extern int not42;
- 
- static int
- readstream (int p, char *ibuf, int bufsize)
-- 
-2.28.0
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-rcp-fix-to-work-with-large-files.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-rcp-fix-to-work-with-large-files.patch
deleted file mode 100644
index d4764f5867..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/0001-rcp-fix-to-work-with-large-files.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Upstream-Status: Pending
-Subject: rcp: fix to work with large files
-When we copy file by rcp command, if the file > 2GB, it will fail.
-The cause is that it used incorrect data type on file size in sink() of rcp.
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
- src/rcp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/src/rcp.c b/src/rcp.c
-index 21f55b6..bafa35f 100644
--- a/src/rcp.c
-+++ b/src/rcp.c
-@@ -876,9 +876,9 @@ sink (int argc, char *argv[])
-   enum
-   { YES, NO, DISPLAYED } wrerr;
-   BUF *bp;
-  off_t i, j;
-+  off_t i, j, size;
-   int amt, count, exists, first, mask, mode, ofd, omode;
-  int setimes, size, targisdir, wrerrno;
-+  int setimes, targisdir, wrerrno;
-   char ch, *cp, *np, *targ, *vect[1], buf[BUFSIZ];
-   const char *why;
- 
-- 
-1.9.1
diff --git a/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch b/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch
deleted file mode 100644
index a91913cb51..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-tftpd: Fix abort on error path
-When trying to fetch a non existent file, the app crashes with:
-*** buffer overflow detected ***: 
-Aborted
-Upstream-Status: Submitted [https://www.mail-archive.com/bug-inetutils@gnu.org/msg03036.html https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91205]
-Signed-off-by: Ricardo Ribalda Delgado <ricardo@ribalda.com>
-diff --git a/src/tftpd.c b/src/tftpd.c
-index 56002a0..144012f 100644
--- a/src/tftpd.c
-+++ b/src/tftpd.c
-@@ -864,9 +864,8 @@ nak (int error)
-       pe->e_msg = strerror (error - 100);
-       tp->th_code = EUNDEF;    /* set 'undef' errorcode */
-     }
-  strcpy (tp->th_msg, pe->e_msg);
-   length = strlen (pe->e_msg);
-  tp->th_msg[length] = '\0';
-+  memcpy(tp->th_msg, pe->e_msg, length + 1);
-   length += 5;
-   if (sendto (peer, buf, length, 0, (struct sockaddr *) &from, fromlen) != length)
-     syslog (LOG_ERR, "nak: %m\n");
diff --git a/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch b/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch
deleted file mode 100644
index 24c134fcac..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-Upstream: http://www.mail-archive.com/bug-inetutils@gnu.org/msg02103.html
-Upstream-Status: Pending
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
- ping/ping_common.h | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-diff --git a/ping/ping_common.h b/ping/ping_common.h
-index 1dfd1b5..3bfbd12 100644
--- a/ping/ping_common.h
-+++ b/ping/ping_common.h
-@@ -17,10 +17,14 @@
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see `http://www.gnu.org/licenses/'. */
- 
-+#include <config.h>
-+
- #include <netinet/in_systm.h>
- #include <netinet/in.h>
- #include <netinet/ip.h>
-+#ifdef HAVE_IPV6
- #include <netinet/icmp6.h>
-+#endif
- #include <icmp.h>
- #include <error.h>
- #include <progname.h>
-@@ -62,7 +66,12 @@ struct ping_stat
-    want to follow the traditional behaviour of ping.  */
- #define DEFAULT_PING_COUNT 0
- 
-+#ifdef HAVE_IPV6
- #define PING_HEADER_LEN (USE_IPV6 ? sizeof (struct icmp6_hdr) : ICMP_MINLEN)
-+#else
-+#define PING_HEADER_LEN (ICMP_MINLEN)
-+#endif
-+
- #define PING_TIMING(s)  ((s) >= sizeof (struct timeval))
- #define PING_DATALEN    (64 - PING_HEADER_LEN)  /* default data length */
- 
-@@ -74,13 +83,20 @@ struct ping_stat
-   (t).tv_usec = ((i)%PING_PRECISION)*(1000000/PING_PRECISION) ;\
- } while (0)
- 
-+#ifdef HAVE_IPV6
- /* FIXME: Adjust IPv6 case for options and their consumption.  */
- #define _PING_BUFLEN(p, u) ((u)? ((p)->ping_datalen + sizeof (struct icmp6_hdr)) : \
-                                   (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN))
- 
-+#else
-+#define _PING_BUFLEN(p, u) (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN)
-+#endif
-+
-+#ifdef HAVE_IPV6
- typedef int (*ping_efp6) (int code, void *closure, struct sockaddr_in6 * dest,
-                          struct sockaddr_in6 * from, struct icmp6_hdr * icmp,
-                          int datalen);
-+#endif
- 
- typedef int (*ping_efp) (int code,
-                         void *closure,
-@@ -89,13 +105,17 @@ typedef int (*ping_efp) (int code,
-                         struct ip * ip, icmphdr_t * icmp, int datalen);
- 
- union event {
-+#ifdef HAVE_IPV6
-   ping_efp6 handler6;
-+#endif
-   ping_efp handler;
- };
- 
- union ping_address {
-   struct sockaddr_in ping_sockaddr;
-+#ifdef HAVE_IPV6
-   struct sockaddr_in6 ping_sockaddr6;
-+#endif
- };
- 
- typedef struct ping_data PING;
-- 
-2.8.3
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch
deleted file mode 100644
index 3da4e9f55a..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 552a7d64ad4a7188a9b7cd89933ae7caf7ebfe90 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier at gentoo.org>
-Date: Thu, 18 Nov 2010 16:59:14 -0500
-Subject: [PATCH gnulib] printf-parse: pull in features.h for __GLIBC__
-Upstream-Status: Pending
-Signed-off-by: Mike Frysinger <vapier at gentoo.org>
---
- lib/printf-parse.h |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-diff --git a/lib/printf-parse.h b/lib/printf-parse.h
-index 67a4a2a..3bd6152 100644
--- a/lib/printf-parse.h
-+++ b/lib/printf-parse.h
-@@ -25,6 +25,9 @@
- 
- #include "printf-args.h"
- 
-+#ifdef HAVE_FEATURES_H
-+# include <features.h> /* for __GLIBC__ */
-+#endif
- 
- /* Flags */
- #define FLAG_GROUP       1      /* ' flag */
-- 
-1.7.3.2
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch
deleted file mode 100644
index b13bb9229f..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Upstream-Status: Pending
--- inetutils-1.8/lib/wchar.in.h
-+++ inetutils-1.8/lib/wchar.in.h
-@@ -70,6 +70,9 @@
- /* The include_next requires a split double-inclusion guard.  */
- #if @HAVE_WCHAR_H@
- # @INCLUDE_NEXT@ @NEXT_WCHAR_H@
-+#else
-+# include <stddef.h>
-+# define MB_CUR_MAX 1
- #endif
- 
- #undef _GL_ALREADY_INCLUDING_WCHAR_H
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch
deleted file mode 100644
index 2592989a90..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-inetutils: define PATH_PROCNET_DEV if not already defined
-this prevents the following compilation error :
-system/linux.c:401:15: error: 'PATH_PROCNET_DEV' undeclared (first use in this function)
-this patch comes from :
- http://repository.timesys.com/buildsources/i/inetutils/inetutils-1.9/
-Upstream-Status: Inappropriate [not author]
-Signed-of-by: Eric Bénard <eric@eukrea.com>
---
-diff -Naur inetutils-1.9.orig/ifconfig/system/linux.c inetutils-1.9/ifconfig/system/linux.c
--- inetutils-1.9.orig/ifconfig/system/linux.c  2012-01-04 16:31:36.000000000 -0500
-+++ inetutils-1.9/ifconfig/system/linux.c       2012-01-04 16:40:53.000000000 -0500
-@@ -49,6 +49,10 @@
- #include "../ifconfig.h"
- 
- 
-+#ifndef PATH_PROCNET_DEV
-+  #define PATH_PROCNET_DEV "/proc/net/dev"
-+#endif
-+
- /* ARPHRD stuff.  */
- 
- static void
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch
deleted file mode 100644
index ff3abd86aa..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Only check security/pam_appl.h which is provided by package libpam when pam is
-enabled.
-Upstream-Status: Pending
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
-diff --git a/configure.ac b/configure.ac
-index b35e672..e78a751 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -195,6 +195,19 @@ fi
- 
- # See if we have libpam.a.  Investigate PAM versus Linux-PAM.
- if test "$with_pam" = yes ; then
-+  AC_CHECK_HEADERS([security/pam_appl.h], [], [], [
-+#include <sys/types.h>
-+#ifdef HAVE_NETINET_IN_SYSTM_H
-+# include <netinet/in_systm.h>
-+#endif
-+#include <netinet/in.h>
-+#ifdef HAVE_NETINET_IP_H
-+# include <netinet/ip.h>
-+#endif
-+#ifdef HAVE_SYS_PARAM_H
-+# include <sys/param.h>
-+#endif
-+])
-   AC_CHECK_LIB(dl, dlopen, LIBDL=-ldl)
-   AC_CHECK_LIB(pam, pam_authenticate, LIBPAM=-lpam)
-   if test "$ac_cv_lib_pam_pam_authenticate" = yes ; then
-@@ -587,7 +600,7 @@ AC_HEADER_DIRENT
- AC_CHECK_HEADERS([arpa/nameser.h errno.h fcntl.h features.h \
-                  glob.h memory.h netinet/ether.h netinet/in_systm.h \
-                  netinet/ip.h netinet/ip_icmp.h netinet/ip_var.h \
-                 security/pam_appl.h shadow.h \
-+                 shadow.h \
-                  stdarg.h stdlib.h string.h stropts.h sys/tty.h \
-                  sys/utsname.h sys/ptyvar.h sys/msgbuf.h sys/filio.h \
-                  sys/ioctl_compat.h sys/cdefs.h sys/stream.h sys/mkdev.h \
diff --git a/meta/recipes-connectivity/inetutils/inetutils/version.patch b/meta/recipes-connectivity/inetutils/inetutils/version.patch
deleted file mode 100644
index 532a0e5c08..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/version.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Upstream-Status: Pending
-remove m4_esyscmd function
-Signed-off-by: Chunrong Guo <b40290@freescale.com>
--- inetutils-1.9.1/configure.ac        2012-01-06 22:05:05.000000000 +0800
-+++ inetutils-1.9.1/configure.ac        2012-11-12 14:01:11.732957019 +0800
-@@ -20,8 +20,7 @@
- 
- AC_PREREQ(2.59)
- 
-AC_INIT([GNU inetutils],
- m4_esyscmd([build-aux/git-version-gen .tarball-version 's/inetutils-/v/;s/_/./g']),
-+AC_INIT([GNU inetutils],[1.9.4],
-  [bug-inetutils@gnu.org])
- 
- AC_CONFIG_SRCDIR([src/inetd.c])
diff --git a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
index adf6d4414e..6e03195f2d 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
@@ -1,3 +1,4 @@
+SUMMARY = "The GNU inetutils are a collection of common networking utilities and servers."
 DESCRIPTION = "The GNU inetutils are a collection of common \
 networking utilities and servers including ftp, ftpd, rcp, \
 rexec, rlogin, rlogind, rsh, rshd, syslog, syslogd, talk, \
@@ -6,35 +7,21 @@ HOMEPAGE = "http://www.gnu.org/software/inetutils"
 SECTION = "net"
 DEPENDS = "ncurses netbase readline virtual/crypt"
-LICENSE = "GPLv3"
+LICENSE = "GPL-3.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=0c7051aef9219dc7237f206c5c4179a7"
-SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \
+SRC_URI[sha256sum] = "68bedbfeaf73f7d86be2a7d99bcfbd4093d829f52770893919ae174c0b2357ca"
-           file://version.patch \
+SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
-           file://inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch \
+           file://rexec.xinetd.inetutils \
-           file://inetutils-1.8-0003-wchar.patch \
-           file://rexec.xinetd.inetutils  \
           file://rlogin.xinetd.inetutils \
           file://rsh.xinetd.inetutils \
           file://telnet.xinetd.inetutils \
           file://tftpd.xinetd.inetutils \
-           file://inetutils-1.9-PATH_PROCNET_DEV.patch \
+           "
-           file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
-           file://0001-rcp-fix-to-work-with-large-files.patch \
-           file://fix-buffer-fortify-tfpt.patch \
-           file://0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch \
-"
-SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52"
-SRC_URI[sha256sum] = "be8f75eff936b8e41b112462db51adf689715658a1b09e0d6b05d11ec92cc616"
 inherit autotools gettext update-alternatives texinfo
-acpaths = "-I ./m4"
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', '', 'file://fix-disable-ipv6.patch', d)}"
 PACKAGECONFIG ??= "ftp uucpd \
                   ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
                   ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6 ping6', '', d)} \
@@ -46,24 +33,36 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6 gl_cv_socket_ipv6=no,"
 PACKAGECONFIG[ping6] = "--enable-ping6,--disable-ping6,"
 EXTRA_OECONF = "--with-ncurses-include-dir=${STAGING_INCDIR} \
-        inetutils_cv_path_login=${base_bindir}/login \
        --with-libreadline-prefix=${STAGING_LIBDIR} \
        --enable-rpath=no \
-"
+        --with-path-login=${base_bindir}/login \
+        --with-path-cp=${base_bindir}/cp \
+        --with-path-uucico=${libexecdir}/uuico \
+        --with-path-procnet-dev=/proc/net/dev \
+        "
+EXTRA_OECONF:append:libc-musl = " --with-path-utmpx=/dev/null/utmpx --with-path-wtmpx=/dev/null/wtmpx"
 # These are horrible for security, disable them
-EXTRA_OECONF_append = " --disable-rsh --disable-rshd --disable-rcp \
+EXTRA_OECONF:append = " --disable-rsh --disable-rshd --disable-rcp \
        --disable-rlogin --disable-rlogind --disable-rexec --disable-rexecd"
-do_configure_prepend () {
+# The configure script guesses many paths in cross builds, check for this happening
+do_configure_cross_check() {
+    if grep "may be incorrect because of cross-compilation" ${B}/config.log; then
+        bberror Default path values used, these must be set explicitly
+    fi
+}
+do_configure[postfuncs] += "do_configure_cross_check"
+# The --with-path options are not actually options, so this check needs to be silenced
+ERROR_QA:remove = "unknown-configure-option"
+do_configure:prepend () {
    export HELP2MAN='true'
-    cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${S}/build-aux/config.rpath
-    install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.guess ${S}
-    install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.sub ${S}
-    rm -f ${S}/glob/configure*
 }
-do_install_append () {
+do_install:append () {
    install -m 0755 -d ${D}${base_sbindir}
    install -m 0755 -d ${D}${sbindir}
    install -m 0755 -d ${D}${sysconfdir}/xinetd.d
@@ -71,6 +70,7 @@ do_install_append () {
         install -m 0755 -d ${D}${base_bindir}
         mv ${D}${bindir}/ping* ${D}${base_bindir}/
         mv ${D}${bindir}/hostname ${D}${base_bindir}/
+         mv ${D}${bindir}/dnsdomainname ${D}${base_bindir}/
    fi
    mv ${D}${bindir}/ifconfig ${D}${base_sbindir}/
    mv ${D}${libexecdir}/syslogd ${D}${base_sbindir}/
@@ -78,23 +78,23 @@ do_install_append () {
    mv ${D}${libexecdir}/telnetd ${D}${sbindir}/in.telnetd
    if [ -e ${D}${libexecdir}/rexecd ]; then
        mv ${D}${libexecdir}/rexecd ${D}${sbindir}/in.rexecd
-        cp ${WORKDIR}/rexec.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rexec
+        cp ${UNPACKDIR}/rexec.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rexec
    fi
    if [ -e ${D}${libexecdir}/rlogind ]; then
        mv ${D}${libexecdir}/rlogind ${D}${sbindir}/in.rlogind
-        cp ${WORKDIR}/rlogin.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rlogin
+        cp ${UNPACKDIR}/rlogin.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rlogin
    fi
    if [ -e ${D}${libexecdir}/rshd ]; then
        mv ${D}${libexecdir}/rshd ${D}${sbindir}/in.rshd
-        cp ${WORKDIR}/rsh.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rsh
+        cp ${UNPACKDIR}/rsh.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rsh
    fi
    if [ -e ${D}${libexecdir}/talkd ]; then
        mv ${D}${libexecdir}/talkd ${D}${sbindir}/in.talkd
    fi
    mv ${D}${libexecdir}/uucpd ${D}${sbindir}/in.uucpd
    mv ${D}${libexecdir}/* ${D}${bindir}/
-    cp ${WORKDIR}/telnet.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/telnet
+    cp ${UNPACKDIR}/telnet.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/telnet
-    cp ${WORKDIR}/tftpd.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/tftpd
+    cp ${UNPACKDIR}/tftpd.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/tftpd
    sed -e 's,@SBINDIR@,${sbindir},g' -i ${D}/${sysconfdir}/xinetd.d/*
    if [ -e ${D}${libdir}/charset.alias ]; then
@@ -118,33 +118,35 @@ PACKAGES =+ "${PN}-tftpd-dbg ${PN}-telnetd-dbg ${PN}-rshd-dbg"
 NOAUTOPACKAGEDEBUG = "1"
 ALTERNATIVE_PRIORITY = "79"
-ALTERNATIVE_${PN} = "whois"
+ALTERNATIVE:${PN} = "whois dnsdomainname"
 ALTERNATIVE_LINK_NAME[uucpd]  = "${sbindir}/in.uucpd"
+ALTERNATIVE_LINK_NAME[dnsdomainname]  = "${base_bindir}/dnsdomainname"
 ALTERNATIVE_PRIORITY_${PN}-logger = "60"
-ALTERNATIVE_${PN}-logger = "logger"
+ALTERNATIVE:${PN}-logger = "logger"
-ALTERNATIVE_${PN}-syslogd = "syslogd"
+ALTERNATIVE:${PN}-syslogd = "syslogd"
 ALTERNATIVE_LINK_NAME[syslogd]  = "${base_sbindir}/syslogd"
-ALTERNATIVE_${PN}-ftp = "ftp"
+ALTERNATIVE:${PN}-ftp = "ftp"
-ALTERNATIVE_${PN}-ftpd = "ftpd"
+ALTERNATIVE:${PN}-ftpd = "ftpd"
-ALTERNATIVE_${PN}-tftp = "tftp"
+ALTERNATIVE:${PN}-tftp = "tftp"
-ALTERNATIVE_${PN}-tftpd = "tftpd"
+ALTERNATIVE:${PN}-tftpd = "tftpd"
 ALTERNATIVE_LINK_NAME[tftpd] = "${sbindir}/tftpd"
 ALTERNATIVE_TARGET[tftpd]  = "${sbindir}/in.tftpd"
-ALTERNATIVE_${PN}-telnet = "telnet"
+ALTERNATIVE:${PN}-telnet = "telnet"
-ALTERNATIVE_${PN}-telnetd = "telnetd"
+ALTERNATIVE:${PN}-telnetd = "telnetd"
 ALTERNATIVE_LINK_NAME[telnetd] = "${sbindir}/telnetd"
 ALTERNATIVE_TARGET[telnetd] = "${sbindir}/in.telnetd"
-ALTERNATIVE_${PN}-inetd= "inetd"
+ALTERNATIVE:${PN}-inetd = "inetd"
-ALTERNATIVE_${PN}-traceroute = "traceroute"
+ALTERNATIVE:${PN}-traceroute = "traceroute"
-ALTERNATIVE_${PN}-hostname = "hostname"
+ALTERNATIVE:${PN}-hostname = "hostname"
 ALTERNATIVE_LINK_NAME[hostname]  = "${base_bindir}/hostname"
+ALTERNATIVE_PRIORITY[hostname] = "100"
-ALTERNATIVE_${PN}-doc = "hostname.1 dnsdomainname.1 logger.1 syslogd.8 \
+ALTERNATIVE:${PN}-doc = "hostname.1 dnsdomainname.1 logger.1 syslogd.8 \
                         tftpd.8 tftp.1 telnetd.8"
 ALTERNATIVE_LINK_NAME[hostname.1] = "${mandir}/man1/hostname.1"
 ALTERNATIVE_LINK_NAME[dnsdomainname.1] = "${mandir}/man1/dnsdomainname.1"
@@ -154,62 +156,61 @@ ALTERNATIVE_LINK_NAME[telnetd.8] = "${mandir}/man8/telnetd.8"
 ALTERNATIVE_LINK_NAME[tftpd.8] = "${mandir}/man8/tftpd.8"
 ALTERNATIVE_LINK_NAME[tftp.1] = "${mandir}/man1/tftp.1"
-ALTERNATIVE_${PN}-ifconfig = "ifconfig"
+ALTERNATIVE:${PN}-ifconfig = "ifconfig"
 ALTERNATIVE_LINK_NAME[ifconfig]  = "${base_sbindir}/ifconfig"
-ALTERNATIVE_${PN}-ping = "ping"
+ALTERNATIVE:${PN}-ping = "ping"
 ALTERNATIVE_LINK_NAME[ping]   = "${base_bindir}/ping"
-ALTERNATIVE_${PN}-ping6 = "${@bb.utils.filter('PACKAGECONFIG', 'ping6', d)}"
+ALTERNATIVE:${PN}-ping6 = "${@bb.utils.filter('PACKAGECONFIG', 'ping6', d)}"
 ALTERNATIVE_LINK_NAME[ping6]  = "${base_bindir}/ping6"
+FILES:${PN}-dbg += "${base_bindir}/.debug ${base_sbindir}/.debug ${bindir}/.debug ${sbindir}/.debug"
+FILES:${PN}-ping = "${base_bindir}/ping.${BPN}"
+FILES:${PN}-ping6 = "${base_bindir}/ping6.${BPN}"
+FILES:${PN}-hostname = "${base_bindir}/hostname.${BPN}"
+FILES:${PN}-ifconfig = "${base_sbindir}/ifconfig.${BPN}"
+FILES:${PN}-traceroute = "${bindir}/traceroute.${BPN}"
+FILES:${PN}-logger = "${bindir}/logger.${BPN}"
-FILES_${PN}-dbg += "${base_bindir}/.debug ${base_sbindir}/.debug ${bindir}/.debug ${sbindir}/.debug"
+FILES:${PN}-syslogd = "${base_sbindir}/syslogd.${BPN}"
-FILES_${PN}-ping = "${base_bindir}/ping.${BPN}"
+RCONFLICTS:${PN}-syslogd = "rsyslog busybox-syslog sysklogd syslog-ng"
-FILES_${PN}-ping6 = "${base_bindir}/ping6.${BPN}"
-FILES_${PN}-hostname = "${base_bindir}/hostname.${BPN}"
-FILES_${PN}-ifconfig = "${base_sbindir}/ifconfig.${BPN}"
-FILES_${PN}-traceroute = "${bindir}/traceroute.${BPN}"
-FILES_${PN}-logger = "${bindir}/logger.${BPN}"
-FILES_${PN}-syslogd = "${base_sbindir}/syslogd.${BPN}"
-RCONFLICTS_${PN}-syslogd = "rsyslog busybox-syslog sysklogd syslog-ng"
-FILES_${PN}-ftp = "${bindir}/ftp.${BPN}"
+FILES:${PN}-ftp = "${bindir}/ftp.${BPN}"
-FILES_${PN}-tftp = "${bindir}/tftp.${BPN}"
+FILES:${PN}-tftp = "${bindir}/tftp.${BPN}"
-FILES_${PN}-telnet = "${bindir}/telnet.${BPN}"
+FILES:${PN}-telnet = "${bindir}/telnet.${BPN}"
 # We make us of RCONFLICTS / RPROVIDES here rather than using the normal
 # alternatives method as this leads to packaging QA issues when using
 # musl as that library does not provide what these applications need to
 # build.
-FILES_${PN}-rsh = "${bindir}/rsh ${bindir}/rlogin ${bindir}/rexec ${bindir}/rcp"
+FILES:${PN}-rsh = "${bindir}/rsh ${bindir}/rlogin ${bindir}/rexec ${bindir}/rcp"
-RCONFLICTS_${PN}-rsh += "netkit-rsh-client"
+RCONFLICTS:${PN}-rsh += "netkit-rsh-client"
-RPROVIDES_${PN}-rsh = "rsh"
+RPROVIDES:${PN}-rsh = "rsh"
-FILES_${PN}-rshd = "${sbindir}/in.rshd ${sbindir}/in.rlogind ${sbindir}/in.rexecd \
+FILES:${PN}-rshd = "${sbindir}/in.rshd ${sbindir}/in.rlogind ${sbindir}/in.rexecd \
                    ${sysconfdir}/xinetd.d/rsh ${sysconfdir}/xinetd.d/rlogin ${sysconfdir}/xinetd.d/rexec"
-FILES_${PN}-rshd-dbg = "${sbindir}/.debug/in.rshd ${sbindir}/.debug/in.rlogind ${sbindir}/.debug/in.rexecd"
+FILES:${PN}-rshd-dbg = "${sbindir}/.debug/in.rshd ${sbindir}/.debug/in.rlogind ${sbindir}/.debug/in.rexecd"
-RDEPENDS_${PN}-rshd += "xinetd tcp-wrappers"
+RDEPENDS:${PN}-rshd += "xinetd tcp-wrappers"
-RCONFLICTS_${PN}-rshd += "netkit-rshd-server"
+RCONFLICTS:${PN}-rshd += "netkit-rshd-server"
-RPROVIDES_${PN}-rshd = "rshd"
+RPROVIDES:${PN}-rshd = "rshd"
-FILES_${PN}-ftpd = "${bindir}/ftpd.${BPN}"
+FILES:${PN}-ftpd = "${bindir}/ftpd.${BPN}"
-FILES_${PN}-ftpd-dbg = "${bindir}/.debug/ftpd.${BPN}"
+FILES:${PN}-ftpd-dbg = "${bindir}/.debug/ftpd.${BPN}"
-RDEPENDS_${PN}-ftpd += "xinetd"
+RDEPENDS:${PN}-ftpd += "xinetd"
-FILES_${PN}-tftpd = "${sbindir}/in.tftpd ${sysconfdir}/xinetd.d/tftpd"
+FILES:${PN}-tftpd = "${sbindir}/in.tftpd ${sysconfdir}/xinetd.d/tftpd"
-FILES_${PN}-tftpd-dbg = "${sbindir}/.debug/in.tftpd"
+FILES:${PN}-tftpd-dbg = "${sbindir}/.debug/in.tftpd"
-RCONFLICTS_${PN}-tftpd += "netkit-tftpd"
+RCONFLICTS:${PN}-tftpd += "netkit-tftpd"
-RDEPENDS_${PN}-tftpd += "xinetd"
+RDEPENDS:${PN}-tftpd += "xinetd"
-FILES_${PN}-telnetd = "${sbindir}/in.telnetd ${sysconfdir}/xinetd.d/telnet"
+FILES:${PN}-telnetd = "${sbindir}/in.telnetd ${sysconfdir}/xinetd.d/telnet"
-FILES_${PN}-telnetd-dbg = "${sbindir}/.debug/in.telnetd"
+FILES:${PN}-telnetd-dbg = "${sbindir}/.debug/in.telnetd"
-RCONFLICTS_${PN}-telnetd += "netkit-telnet"
+RCONFLICTS:${PN}-telnetd += "netkit-telnet"
-RPROVIDES_${PN}-telnetd = "telnetd"
+RPROVIDES:${PN}-telnetd = "telnetd"
-RDEPENDS_${PN}-telnetd += "xinetd"
+RDEPENDS:${PN}-telnetd += "xinetd"
-FILES_${PN}-inetd = "${bindir}/inetd.${BPN}"
+FILES:${PN}-inetd = "${bindir}/inetd.${BPN}"
-RDEPENDS_${PN} = "xinetd"
+RDEPENDS:${PN} = "xinetd"
diff --git a/meta/recipes-connectivity/iproute2/iproute2.inc b/meta/recipes-connectivity/iproute2/iproute2.inc
deleted file mode 100644
index 403d264308..0000000000
--- a/meta/recipes-connectivity/iproute2/iproute2.inc
+++ /dev/null
@@ -1,81 +0,0 @@
-SUMMARY = "TCP / IP networking and traffic control utilities"
-DESCRIPTION = "Iproute2 is a collection of utilities for controlling \
-TCP / IP networking and traffic control in Linux.  Of the utilities ip \
-and tc are the most important.  ip controls IPv4 and IPv6 \
-configuration and tc stands for traffic control."
-HOMEPAGE = "http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2"
-SECTION = "base"
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
-                    file://ip/ip.c;beginline=3;endline=8;md5=689d691d0410a4b64d3899f8d6e31817"
-DEPENDS = "flex-native bison-native iptables libcap"
-inherit update-alternatives bash-completion pkgconfig
-CLEANBROKEN = "1"
-PACKAGECONFIG ??= "tipc elf devlink"
-PACKAGECONFIG[tipc] = ",,libmnl,"
-PACKAGECONFIG[elf] = ",,elfutils,"
-PACKAGECONFIG[devlink] = ",,libmnl,"
-EXTRA_OEMAKE = "\
-    CC='${CC}' \
-    KERNEL_INCLUDE=${STAGING_INCDIR} \
-    DOCDIR=${docdir}/iproute2 \
-    SUBDIRS='lib tc ip bridge misc genl ${@bb.utils.filter('PACKAGECONFIG', 'devlink tipc', d)}' \
-    SBINDIR='${base_sbindir}' \
-    LIBDIR='${libdir}' \
-"
-do_configure_append () {
-    sh configure ${STAGING_INCDIR}
-    # Explicitly disable ATM support
-    sed -i -e '/TC_CONFIG_ATM/d' config.mk
-}
-do_install () {
-    oe_runmake DESTDIR=${D} install
-    mv ${D}${base_sbindir}/ip ${D}${base_sbindir}/ip.iproute2
-    install -d ${D}${datadir}
-    mv ${D}/share/* ${D}${datadir}/ || true
-    rm ${D}/share -rf || true
-}
-# The .so files in iproute2-tc are modules, not traditional libraries
-INSANE_SKIP_${PN}-tc = "dev-so"
-PACKAGES =+ "\
-    ${PN}-devlink \
-    ${PN}-genl \
-    ${PN}-ifstat \
-    ${PN}-lnstat \
-    ${PN}-nstat \
-    ${PN}-rtacct \
-    ${PN}-ss \
-    ${PN}-tc \
-    ${PN}-tipc \
-"
-FILES_${PN}-tc = "${base_sbindir}/tc* \
-                  ${libdir}/tc/*.so"
-FILES_${PN}-lnstat = "${base_sbindir}/lnstat \
-                      ${base_sbindir}/ctstat \
-                      ${base_sbindir}/rtstat"
-FILES_${PN}-ifstat = "${base_sbindir}/ifstat"
-FILES_${PN}-genl = "${base_sbindir}/genl"
-FILES_${PN}-rtacct = "${base_sbindir}/rtacct"
-FILES_${PN}-nstat = "${base_sbindir}/nstat"
-FILES_${PN}-ss = "${base_sbindir}/ss"
-FILES_${PN}-tipc = "${base_sbindir}/tipc"
-FILES_${PN}-devlink = "${base_sbindir}/devlink"
-ALTERNATIVE_${PN} = "ip"
-ALTERNATIVE_TARGET[ip] = "${base_sbindir}/ip.${BPN}"
-ALTERNATIVE_LINK_NAME[ip] = "${base_sbindir}/ip"
-ALTERNATIVE_PRIORITY = "100"
-ALTERNATIVE_${PN}-tc = "tc"
-ALTERNATIVE_LINK_NAME[tc] = "${base_sbindir}/tc"
-ALTERNATIVE_PRIORITY_${PN}-tc = "100"
diff --git a/meta/recipes-connectivity/iproute2/iproute2/0001-include-libnetlink.h-add-missing-include-for-htobe64.patch b/meta/recipes-connectivity/iproute2/iproute2/0001-include-libnetlink.h-add-missing-include-for-htobe64.patch
new file mode 100644
index 0000000000..c4dea39676
--- /dev/null
+++ b/meta/recipes-connectivity/iproute2/iproute2/0001-include-libnetlink.h-add-missing-include-for-htobe64.patch
@@ -0,0 +1,24 @@
+From 9e427aa1c647f741b08a1f0c44483ea974c7fc61 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Sat, 24 Aug 2024 15:32:25 +0200
+Subject: [PATCH] include/libnetlink.h: add missing include for htobe64
+ definitions
+Upstream-Status: Submitted [by email to stephen@networkplumber.org netdev@vger.kernel.org]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ include/libnetlink.h | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/include/libnetlink.h b/include/libnetlink.h
+index 7074e91..3dbfa42 100644
+--- a/include/libnetlink.h
+++ b/include/libnetlink.h
+@@ -13,6 +13,7 @@
+ #include <linux/neighbour.h>
+ #include <linux/netconf.h>
+ #include <arpa/inet.h>
+#include <endian.h>
+ 
+ struct rtnl_handle {
+        int                     fd;
diff --git a/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch b/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch
deleted file mode 100644
index 74e3de1ce9..0000000000
--- a/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From c25f8d1f7a6203dfeb10b39f80ffd314bb84a58d Mon Sep 17 00:00:00 2001
-From: Baruch Siach <baruch@tkos.co.il>
-Date: Thu, 22 Dec 2016 15:26:30 +0200
-Subject: [PATCH] libc-compat.h: add musl workaround
-The libc-compat.h kernel header uses glibc specific macros (__GLIBC__ and
-__USE_MISC) to solve conflicts with libc provided headers. This patch makes
-libc-compat.h work for musl libc as well.
-Upstream-Status: Pending
-Taken From:
-https://git.buildroot.net/buildroot/tree/package/iproute2/0001-Add-the-musl-workaround-to-the-libc-compat.h-copy.patch
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
---
- include/uapi/linux/libc-compat.h | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h
-index a159991..22198fa 100644
--- a/include/uapi/linux/libc-compat.h
-+++ b/include/uapi/linux/libc-compat.h
-@@ -50,10 +50,12 @@
- #define _LIBC_COMPAT_H
- 
- /* We have included glibc headers... */
-#if defined(__GLIBC__)
-+#if 1
-+#define __USE_MISC
- 
- /* Coordinate with glibc net/if.h header. */
- #if defined(_NET_IF_H) && defined(__USE_MISC)
-+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 0
- 
- /* GLIBC headers included first so don't define anything
-  * that would already be defined. */
diff --git a/meta/recipes-connectivity/iproute2/iproute2_5.9.0.bb b/meta/recipes-connectivity/iproute2/iproute2_5.9.0.bb
deleted file mode 100644
index 0e6a53e6a4..0000000000
--- a/meta/recipes-connectivity/iproute2/iproute2_5.9.0.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-require iproute2.inc
-SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \
-           file://0001-libc-compat.h-add-musl-workaround.patch \
-           "
-SRC_URI[sha256sum] = "a25dac94bcdcf2f73316c7f812115ea7a5710580bad892b08a83d00c6b33dacf"
-# CFLAGS are computed in Makefile and reference CCOPTS
-#
-EXTRA_OEMAKE_append = " CCOPTS='${CFLAGS}'"
diff --git a/meta/recipes-connectivity/iproute2/iproute2_6.15.0.bb b/meta/recipes-connectivity/iproute2/iproute2_6.15.0.bb
new file mode 100644
index 0000000000..592e3e15af
--- /dev/null
+++ b/meta/recipes-connectivity/iproute2/iproute2_6.15.0.bb
@@ -0,0 +1,112 @@
+SUMMARY = "TCP / IP networking and traffic control utilities"
+DESCRIPTION = "Iproute2 is a collection of utilities for controlling \
+TCP / IP networking and traffic control in Linux.  Of the utilities ip \
+and tc are the most important.  ip controls IPv4 and IPv6 \
+configuration and tc stands for traffic control."
+HOMEPAGE = "http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2"
+SECTION = "base"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
+                    "
+DEPENDS = "flex-native bison-native libcap"
+SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \
+           file://0001-include-libnetlink.h-add-missing-include-for-htobe64.patch \
+           "
+SRC_URI[sha256sum] = "8041854a882583ad5263466736c9c8c68c74b1a35754ab770d23343f947528fb"
+inherit update-alternatives bash-completion pkgconfig
+PACKAGECONFIG ??= "tipc elf devlink iptables"
+PACKAGECONFIG[tipc] = ",,libmnl,"
+PACKAGECONFIG[elf] = ",,elfutils,"
+PACKAGECONFIG[devlink] = ",,libmnl,"
+PACKAGECONFIG[iptables] = ",,iptables"
+PACKAGECONFIG[rdma] = ",,libmnl,"
+PACKAGECONFIG[selinux] = ",,libselinux"
+IPROUTE2_MAKE_SUBDIRS = "lib tc ip bridge misc genl ${@bb.utils.filter('PACKAGECONFIG', 'devlink tipc rdma', d)}"
+# This is needed with GCC-14 and musl
+CFLAGS += "-Wno-error=incompatible-pointer-types"
+# CFLAGS are computed in Makefile and reference CCOPTS
+#
+EXTRA_OEMAKE = "\
+    CC='${CC}' \
+    KERNEL_INCLUDE=${STAGING_INCDIR} \
+    DOCDIR=${docdir}/iproute2 \
+    SUBDIRS='${IPROUTE2_MAKE_SUBDIRS}' \
+    SBINDIR='${base_sbindir}' \
+    CONF_USR_DIR='${libdir}/iproute2' \
+    LIBDIR='${libdir}' \
+    CCOPTS='${CFLAGS}' \
+"
+do_configure:append () {
+    sh configure ${STAGING_INCDIR}
+    # Explicitly disable ATM support
+    sed -i -e '/TC_CONFIG_ATM/d' config.mk
+}
+do_install () {
+    oe_runmake DESTDIR=${D} install
+    mv ${D}${base_sbindir}/ip ${D}${base_sbindir}/ip.iproute2
+    install -d ${D}${datadir}
+    mv ${D}/share/* ${D}${datadir}/ || true
+    rm ${D}/share -rf || true
+    # Remove support fot ipt and xt in tc. So tc library directory is not needed.
+    rm ${D}${libdir}/tc -rf
+}
+# The .so files in iproute2-tc are modules, not traditional libraries
+INSANE_SKIP:${PN}-tc = "dev-so"
+IPROUTE2_PACKAGES =+ "\
+    ${PN}-bridge \
+    ${PN}-devlink \
+    ${PN}-genl \
+    ${PN}-ifstat \
+    ${PN}-ip \
+    ${PN}-lnstat \
+    ${PN}-nstat \
+    ${PN}-routel \
+    ${PN}-rtacct \
+    ${PN}-ss \
+    ${PN}-tc \
+    ${PN}-tipc \
+    ${PN}-rdma \
+"
+PACKAGE_BEFORE_PN = "${IPROUTE2_PACKAGES}"
+RDEPENDS:${PN} += "${PN}-ip"
+FILES:${PN}-tc = "${base_sbindir}/tc* \
+                  ${libdir}/tc/*.so"
+FILES:${PN}-lnstat = "${base_sbindir}/lnstat \
+                      ${base_sbindir}/ctstat \
+                      ${base_sbindir}/rtstat"
+FILES:${PN}-ifstat = "${base_sbindir}/ifstat"
+FILES:${PN}-ip = "${base_sbindir}/ip.* ${libdir}/iproute2"
+FILES:${PN}-genl = "${base_sbindir}/genl"
+FILES:${PN}-rtacct = "${base_sbindir}/rtacct"
+FILES:${PN}-nstat = "${base_sbindir}/nstat"
+FILES:${PN}-ss = "${base_sbindir}/ss"
+FILES:${PN}-tipc = "${base_sbindir}/tipc"
+FILES:${PN}-devlink = "${base_sbindir}/devlink"
+FILES:${PN}-rdma = "${base_sbindir}/rdma"
+FILES:${PN}-routel = "${base_sbindir}/routel"
+FILES:${PN}-bridge = "${base_sbindir}/bridge"
+RDEPENDS:${PN}-routel = "python3-core"
+ALTERNATIVE:${PN}-ip = "ip"
+ALTERNATIVE_TARGET[ip] = "${base_sbindir}/ip.${BPN}"
+ALTERNATIVE_LINK_NAME[ip] = "${base_sbindir}/ip"
+ALTERNATIVE_PRIORITY = "100"
+ALTERNATIVE:${PN}-tc = "tc"
+ALTERNATIVE_LINK_NAME[tc] = "${base_sbindir}/tc"
+ALTERNATIVE_PRIORITY_${PN}-tc = "100"
diff --git a/meta/recipes-connectivity/iw/iw_5.9.bb b/meta/recipes-connectivity/iw/iw_6.9.bb
index 3d1e1c7e79..e34400e18b 100644
--- a/meta/recipes-connectivity/iw/iw_5.9.bb
+++ b/meta/recipes-connectivity/iw/iw_6.9.bb
@@ -4,7 +4,7 @@ wireless devices. It supports almost all new drivers that have been added \
 to the kernel recently. "
 HOMEPAGE = "https://wireless.wiki.kernel.org/en/users/documentation/iw"
 SECTION = "base"
-LICENSE = "BSD-2-Clause"
+LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://COPYING;md5=878618a5c4af25e9b93ef0be1a93f774"
 DEPENDS = "libnl"
@@ -14,7 +14,7 @@ SRC_URI = "http://www.kernel.org/pub/software/network/iw/${BP}.tar.gz \
           file://separate-objdir.patch \
 "
-SRC_URI[sha256sum] = "6e7d3c9f8b4ee68e412f20fe229c9854c2dba383e3e650ce6af8eb8dbd12efc3"
+SRC_URI[sha256sum] = "4c3194778b175d58442907d51d1977e7270fce5cbebff0eab11c45c1da287a4b"
 inherit pkgconfig
diff --git a/meta/recipes-connectivity/kea/files/0001-keactrl.in-create-var-lib-kea-and-var-run-kea-folder.patch b/meta/recipes-connectivity/kea/files/0001-keactrl.in-create-var-lib-kea-and-var-run-kea-folder.patch
deleted file mode 100644
index ab3fd83946..0000000000
--- a/meta/recipes-connectivity/kea/files/0001-keactrl.in-create-var-lib-kea-and-var-run-kea-folder.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 639dc25cdabc9d1846000a542c8cc19158b69994 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <mingli.yu@windriver.com>
-Date: Fri, 18 Sep 2020 08:18:08 +0000
-Subject: [PATCH] keactrl.in: create /var/lib/kea and /var/run/kea folder
-Create /var/lib/kea and /var/run/kea folder to fix below error:
- # keactrl start
- INFO/keactrl: Starting /usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
- INFO/keactrl: Starting /usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
- INFO/keactrl: Starting /usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
- Unable to use interprocess sync lockfile (No such file or directory): /var/run/kea/logger_lockfile
- Service failed: Launch failed: Unable to open PID file '/var/run/kea/kea-ctrl-agent.kea-ctrl-agent.pid' for write
- [snip]
- ERROR [kea-dhcp4.dhcp4/615.140641792751488] DHCP4_CONFIG_LOAD_FAIL configuration error using file: /etc/kea/kea-dhcp4.conf, reason: Unable to open database: unable to open '/var/lib/kea/kea-leases4.csv'
- [snip]
-Upstream-Status: Inappropriate [config specific]
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
- src/bin/keactrl/keactrl.in | 2 ++
- 1 file changed, 2 insertions(+)
-diff --git a/src/bin/keactrl/keactrl.in b/src/bin/keactrl/keactrl.in
-index 12b2b3f..47cf6f9 100644
--- a/src/bin/keactrl/keactrl.in
-+++ b/src/bin/keactrl/keactrl.in
-@@ -482,6 +482,8 @@ case ${command} in
-         # The variables (dhcp4_srv, dhcp6_serv, dhcp_ddns_srv etc) are set in the
-         # keactrl.conf file that shellcheck is unable to read.
-         # shellcheck disable=SC2154
-+        [ -d @LOCALSTATEDIR@/run/kea ] || mkdir -p @LOCALSTATEDIR@/run/kea
-+        [ -d @LOCALSTATEDIR@/lib/kea ] || mkdir -p @LOCALSTATEDIR@/lib/kea
-         run_conditional "dhcp4" "start_server ${dhcp4_srv} -c ${kea_dhcp4_config_file} ${args}" 1
-         run_conditional "dhcp6" "start_server ${dhcp6_srv} -c ${kea_dhcp6_config_file} ${args}" 1
-         # shellcheck disable=SC2154
-- 
-2.26.2
diff --git a/meta/recipes-connectivity/kea/files/0001-make-kea-environment-available-to-lfc.patch b/meta/recipes-connectivity/kea/files/0001-make-kea-environment-available-to-lfc.patch
new file mode 100644
index 0000000000..15c09d4c41
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/0001-make-kea-environment-available-to-lfc.patch
@@ -0,0 +1,96 @@
+From 72d7e6c0b6b5af4fea2e4db9ed33757984ccdc5b Mon Sep 17 00:00:00 2001
+From: Razvan Becheriu <razvan@isc.org>
+Date: Fri, 14 Jun 2024 17:09:50 +0300
+Subject: [PATCH] make kea environment available to lfc
+Upstream-Status: Backport
+[https://gitlab.isc.org/isc-projects/kea/-/commit/f477e8ebcc8b8e1f1adaad4d55031084c0ff6f40]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ configure.ac                                  |  2 ++
+ src/lib/dhcpsrv/memfile_lease_mgr.cc          |  3 ++-
+ .../tests/memfile_lease_mgr_unittest.cc       | 26 +++++++++++++++++++
+ src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in  |  6 +++++
+ 4 files changed, 36 insertions(+), 1 deletion(-)
+ create mode 100644 src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in
+diff --git a/configure.ac b/configure.ac
+index c00edb5..7b572b0 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -1629,6 +1629,8 @@ AC_CONFIG_FILES([src/lib/dhcp_ddns/tests/Makefile])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/Makefile])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/tests/Makefile])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/tests/test_libraries.h])
+AC_CONFIG_FILES([src/lib/dhcpsrv/tests/test_kea_lfc_env.sh],
+                [chmod +x src/lib/dhcpsrv/tests/test_kea_lfc_env.sh])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/testutils/Makefile])
+ AC_CONFIG_FILES([src/lib/dns/Makefile])
+ AC_CONFIG_FILES([src/lib/dns/tests/Makefile])
+diff --git a/src/lib/dhcpsrv/memfile_lease_mgr.cc b/src/lib/dhcpsrv/memfile_lease_mgr.cc
+index db4f5d5..0ecf3e7 100644
+--- a/src/lib/dhcpsrv/memfile_lease_mgr.cc
+++ b/src/lib/dhcpsrv/memfile_lease_mgr.cc
+@@ -209,7 +209,8 @@ LFCSetup::setup(const uint32_t lfc_interval,
+     args.push_back("ignored-path");
+ 
+     // Create the process (do not start it yet).
+-    process_.reset(new ProcessSpawn(ProcessSpawn::ASYNC, executable, args));
+    process_.reset(new ProcessSpawn(ProcessSpawn::ASYNC, executable, args,
+                                    ProcessEnvVars(), true));
+ 
+     // If we've been told to run it once now, invoke the callback directly.
+     if (run_once_now) {
+diff --git a/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc b/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc
+index 034f1f5..9edf637 100644
+--- a/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc
+++ b/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc
+@@ -534,6 +534,32 @@ TEST_F(MemfileLeaseMgrTest, lfcTimer) {
+     EXPECT_EQ(2, lease_mgr->getLFCCount());
+ }
+ 
+/// @brief Check that the kea environment is accesible to the Lease
+/// File Cleanup process.
+TEST_F(MemfileLeaseMgrTest, lfcEnv) {
+    DatabaseConnection::ParameterMap pmap;
+    pmap["type"] = "memfile";
+    pmap["universe"] = "4";
+    pmap["name"] = getLeaseFilePath("leasefile4_0.csv");
+    pmap["lfc-interval"] = "1";
+
+    std::ostringstream s;
+    s << DHCP_DATA_DIR << "/test_kea_lfc_env.sh";
+    setenv("KEA_LFC_EXECUTABLE", s.str().c_str(), 1);
+
+    boost::scoped_ptr<NakedMemfileLeaseMgr> lease_mgr(new NakedMemfileLeaseMgr(pmap));
+
+    // Try to run the lease file cleanup.
+    ASSERT_NO_THROW(lease_mgr->lfcCallback());
+
+    // Wait for the LFC process to complete.
+    ASSERT_TRUE(waitForProcess(*lease_mgr, 1));
+
+    // And make sure it has returned an exit status of 0.
+    EXPECT_EQ(0, lease_mgr->getLFCExitStatus())
+        << "environment not available to LFC";
+}
+
+ /// @brief This test checks if the LFC timer is disabled (doesn't trigger)
+ /// cleanups when the lfc-interval is set to 0.
+ TEST_F(MemfileLeaseMgrTest, lfcTimerDisabled) {
+diff --git a/src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in b/src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in
+new file mode 100644
+index 0000000..3eb71d5
+--- /dev/null
+++ b/src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in
+@@ -0,0 +1,6 @@
+#!/bin/sh
+
+if [ $(env | grep -c KEA_LFC_EXECUTABLE) != 0 ]; then
+    exit 0
+fi
+exit 1
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/kea/files/0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch b/meta/recipes-connectivity/kea/files/0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch
new file mode 100644
index 0000000000..94fbd12737
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch
@@ -0,0 +1,28 @@
+From 841924e1fe8db2bff3eab8d37634ef08f86c00ec Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 10 Nov 2020 15:57:03 +0000
+Subject: [PATCH] src/lib/log/logger_unittest_support.cc: do not write build
+ path into binary
+This breaks reproducibility and is needed only in unit testing.
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ src/lib/log/logger_unittest_support.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/lib/log/logger_unittest_support.cc b/src/lib/log/logger_unittest_support.cc
+index fc01c6e..f46d17e 100644
+--- a/src/lib/log/logger_unittest_support.cc
+++ b/src/lib/log/logger_unittest_support.cc
+@@ -84,7 +84,7 @@ void initLogger(isc::log::Severity severity, int dbglevel) {
+     const char* localfile = getenv("KEA_LOGGER_LOCALMSG");
+ 
+     // Set a directory for creating lockfiles when running tests
+-    setenv("KEA_LOCKFILE_DIR", TOP_BUILDDIR, 0);
+    //setenv("KEA_LOCKFILE_DIR", TOP_BUILDDIR, 0);
+ 
+     // Initialize logging
+     initLogger(root, severity, dbglevel, localfile);
diff --git a/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch
index 733adf5536..763639327a 100644
--- a/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch
+++ b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch
@@ -1,25 +1,34 @@
-There are conflict of config files between kea and lib32-kea:
+From 06ebd1b2ced426c420ed162980eca194f9f918ae Mon Sep 17 00:00:00 2001
+From: Kai Kang <kai.kang@windriver.com>
+Date: Tue, 22 Sep 2020 15:02:33 +0800
+Subject: [PATCH] There are conflict of config files between kea and lib32-kea:
 | Error: Transaction test error:
 |  file /etc/kea/kea-ctrl-agent.conf conflicts between attempted installs of
     lib32-kea-1.7.10-r0.core2_32 and kea-1.7.10-r0.core2_64
 |  file /etc/kea/kea-dhcp4.conf conflicts between attempted installs of
     lib32-kea-1.7.10-r0.core2_32 and kea-1.7.10-r0.core2_64
+|  file /etc/kea/kea-dhcp6.conf conflicts between attempted installs of
+     lib32-kea-2.6.1-r0.core2_32 and kea-2.6.1-r0.core2_64
 Because they are all commented out, replace the expanded libdir path with
 '$libdir' in the config files to avoid conflict.
+Upstream-Status: Submitted [https://gitlab.isc.org/isc-projects/kea/-/issues/2602]
 Signed-off-by: Kai Kang <kai.kang@windriver.com>
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
 ---
 src/bin/keactrl/kea-ctrl-agent.conf.pre | 3 ++-
- src/bin/keactrl/kea-dhcp4.conf.pre      | 6 ++++--
+ src/bin/keactrl/kea-dhcp4.conf.pre      | 4 ++--
- 2 files changed, 6 insertions(+), 3 deletions(-)
+ src/bin/keactrl/kea-dhcp6.conf.pre      | 4 ++--
+ 3 files changed, 6 insertions(+), 5 deletions(-)
 diff --git a/src/bin/keactrl/kea-ctrl-agent.conf.pre b/src/bin/keactrl/kea-ctrl-agent.conf.pre
-index 211b7ff..d710ec7 100644
+index e6ae8b8..50a3092 100644
 --- a/src/bin/keactrl/kea-ctrl-agent.conf.pre
 +++ b/src/bin/keactrl/kea-ctrl-agent.conf.pre
-@@ -45,7 +45,8 @@
+@@ -51,7 +51,8 @@
     // Agent will fail to start.
     "hooks-libraries": [
 //  {
@@ -30,26 +39,46 @@ index 211b7ff..d710ec7 100644
 //          "param1": "foo"
 //      }
 diff --git a/src/bin/keactrl/kea-dhcp4.conf.pre b/src/bin/keactrl/kea-dhcp4.conf.pre
-index 5f77a32..70ae3d9 100644
+index 6edb8a1..b2a7385 100644
 --- a/src/bin/keactrl/kea-dhcp4.conf.pre
 +++ b/src/bin/keactrl/kea-dhcp4.conf.pre
-@@ -252,7 +252,8 @@
+@@ -255,7 +255,7 @@
-     //      // of all devices serviced by Kea, including their identifiers
+     //       // of all devices serviced by Kea, including their identifiers
-     //      // (like MAC address), their location in the network, times
+     //       // (like MAC address), their location in the network, times
-     //      // when they were active etc.
+     //       // when they were active etc.
-    //      "library": "@libdir@/kea/hooks/libdhcp_legal_log.so"
+-    //       "library": "@libdir@/kea/hooks/libdhcp_legal_log.so",
-+    //      // Replace $libdir with real library path /usr/lib or /usr/lib64
+    //       "library": "$libdir/kea/hooks/libdhcp_legal_log.so",
-+    //      "library": "$libdir/kea/hooks/libdhcp_legal_log.so"
+     //       "parameters": {
-     //      "parameters": {
+     //           "path": "/var/lib/kea",
-     //          "path": "/var/lib/kea",
+     //           "base-name": "kea-forensic4"
-     //          "base-name": "kea-forensic4"
+@@ -272,7 +272,7 @@
-@@ -269,7 +270,8 @@
+     //       // of specific options or perhaps even a combination of several
-     //      // of specific options or perhaps even a combination of several
+     //       // options and fields to uniquely identify a client. Those scenarios
-     //      // options and fields to uniquely identify a client. Those scenarios
+     //       // are addressed by the Flexible Identifiers hook application.
-     //      // are addressed by the Flexible Identifiers hook application.
+-    //       "library": "@libdir@/kea/hooks/libdhcp_flex_id.so",
-    //      "library": "@libdir@/kea/hooks/libdhcp_flex_id.so",
+    //       "library": "$libdir/kea/hooks/libdhcp_flex_id.so",
-+    //      // Replace $libdir with real library path /usr/lib or /usr/lib64
+     //       "parameters": {
-+    //      "library": "$libdir/kea/hooks/libdhcp_flex_id.so",
+     //           "identifier-expression": "relay4[2].hex"
-     //      "parameters": {
+     //       }
-     //          "identifier-expression": "substring(relay6[0].option[18],0,8)"
+diff --git a/src/bin/keactrl/kea-dhcp6.conf.pre b/src/bin/keactrl/kea-dhcp6.conf.pre
-     //      }
+index 271021b..5b85854 100644
+--- a/src/bin/keactrl/kea-dhcp6.conf.pre
+++ b/src/bin/keactrl/kea-dhcp6.conf.pre
+@@ -201,7 +201,7 @@
+     //       // of all devices serviced by Kea, including their identifiers
+     //       // (like MAC address), their location in the network, times
+     //       // when they were active etc.
+-    //       "library": "@libdir@/kea/hooks/libdhcp_legal_log.so",
+    //       "library": "$libdir/kea/hooks/libdhcp_legal_log.so",
+     //       "parameters": {
+     //           "path": "/var/lib/kea",
+     //           "base-name": "kea-forensic6"
+@@ -218,7 +218,7 @@
+     //       // of specific options or perhaps even a combination of several
+     //       // options and fields to uniquely identify a client. Those scenarios
+     //       // are addressed by the Flexible Identifiers hook application.
+-    //       "library": "@libdir@/kea/hooks/libdhcp_flex_id.so",
+    //       "library": "$libdir/kea/hooks/libdhcp_flex_id.so",
+     //       "parameters": {
+     //           "identifier-expression": "relay6[0].option[37].hex"
+     //       }
diff --git a/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch b/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch
index eeeb89942b..2f5a217d3f 100644
--- a/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch
+++ b/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch
@@ -1,22 +1,35 @@
-Busybox does not support ps -p so use pgrep
+From f5125725e4e2e250ccc78a17a8b77431100e7c15 Mon Sep 17 00:00:00 2001
+From: Armin kuster <akuster808@gmail.com>
+Date: Wed, 14 Oct 2020 22:48:31 -0700
+Subject: [PATCH] Busybox does not support ps -p so use pgrep
 Upstream-Status: Inappropriate [embedded specific]
 Based on changes from Diego Sueiro <Diego.Sueiro@arm.com>
 Signed-off-by: Armin kuster <akuster808@gmail.com>
-Index: kea-1.7.10/src/bin/keactrl/keactrl.in
+Refresh to apply on top of 2.6.1.
-===================================================================
--- kea-1.7.10.orig/src/bin/keactrl/keactrl.in
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
-+++ kea-1.7.10/src/bin/keactrl/keactrl.in
+---
-@@ -137,8 +137,8 @@ check_running() {
+ src/bin/keactrl/keactrl.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/src/bin/keactrl/keactrl.in b/src/bin/keactrl/keactrl.in
+index cccfdac303..20ae2e6ec5 100644
+--- a/src/bin/keactrl/keactrl.in
+++ b/src/bin/keactrl/keactrl.in
+@@ -146,8 +146,8 @@ check_running() {
     # Get the PID from the PID file (if it exists)
     get_pid_from_file "${proc_name}"
     if [ ${_pid} -gt 0 ]; then
 -        # Use ps to check if PID is alive
-        ps -p ${_pid} 1>/dev/null
+-        if ps -p ${_pid} 1>/dev/null; then
 +        # Use pgrep and grep to check if PID is alive
-+        pgrep -v 1 | grep ${_pid} 1>/dev/null
+        if pgrep -v 1 | grep ${_pid} 1>/dev/null; then
-         retcode=$?
-         if [ $retcode -eq 0 ]; then
             # No error, so PID IS ALIVE
+             _running=1
+         fi
+-- 
+2.39.2
diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
index 91aa2eb14f..f6059d73cb 100644
--- a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
+++ b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
@@ -6,7 +6,6 @@ After=time-sync.target
 [Service]
 ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/
-ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/kea
 ExecStart=@SBINDIR@/kea-dhcp-ddns -c @SYSCONFDIR@/kea/kea-dhcp-ddns.conf
 [Install]
diff --git a/meta/recipes-connectivity/kea/kea_1.7.10.bb b/meta/recipes-connectivity/kea/kea_1.7.10.bb
deleted file mode 100644
index 1d011ace78..0000000000
--- a/meta/recipes-connectivity/kea/kea_1.7.10.bb
+++ /dev/null
@@ -1,73 +0,0 @@
-SUMMARY = "ISC Kea DHCP Server"
-DESCRIPTION = "Kea is the next generation of DHCP software developed by ISC. It supports both DHCPv4 and DHCPv6 protocols along with their extensions, e.g. prefix delegation and dynamic updates to DNS."
-HOMEPAGE = "http://kea.isc.org"
-SECTION = "connectivity"
-LICENSE = "MPL-2.0 & Apache-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=68d95543d2096459290a4e6b9ceccffa"
-DEPENDS = "boost log4cplus openssl"
-SRC_URI = "\
-    http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \
-    file://0001-keactrl.in-create-var-lib-kea-and-var-run-kea-folder.patch \
-    file://kea-dhcp4.service \
-    file://kea-dhcp6.service \
-    file://kea-dhcp-ddns.service \
-    file://kea-dhcp4-server \
-    file://kea-dhcp6-server \
-    file://kea-dhcp-ddns-server \
-    file://fix-multilib-conflict.patch \
-    file://fix_pid_keactrl.patch \
-"
-SRC_URI[sha256sum] = "4e121f0e58b175a827581c69cb1d60778647049fa47f142940dddc9ce58f3c82"
-inherit autotools systemd update-rc.d upstream-version-is-even
-INITSCRIPT_NAME = "kea-dhcp4-server"
-INITSCRIPT_PARAMS = "defaults 30"
-SYSTEMD_SERVICE_${PN} = "kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-DEBUG_OPTIMIZATION_remove_mips = " -Og"
-DEBUG_OPTIMIZATION_append_mips = " -O"
-BUILD_OPTIMIZATION_remove_mips = " -Og"
-BUILD_OPTIMIZATION_append_mips = " -O"
-DEBUG_OPTIMIZATION_remove_mipsel = " -Og"
-DEBUG_OPTIMIZATION_append_mipsel = " -O"
-BUILD_OPTIMIZATION_remove_mipsel = " -Og"
-BUILD_OPTIMIZATION_append_mipsel = " -O"
-EXTRA_OECONF = "--with-boost-libs=-lboost_system \
-                --with-log4cplus=${STAGING_DIR_TARGET}${prefix} \
-                --with-openssl=${STAGING_DIR_TARGET}${prefix}"
-do_configure_prepend() {
-    # replace abs_top_builddir to avoid introducing the build path
-    # don't expand the abs_top_builddir on the target as the abs_top_builddir is meanlingless on the target
-    find ${S} -type f -name *.sh.in | xargs sed -i  "s:@abs_top_builddir@:@abs_top_builddir_placeholder@:g"
-    sed -i "s:@abs_top_srcdir@:@abs_top_srcdir_placeholder@:g" ${S}/src/bin/admin/kea-admin.in
-}
-do_install_append() {
-    install -d ${D}${sysconfdir}/init.d
-    install -d ${D}${systemd_system_unitdir}
-    install -m 0644 ${WORKDIR}/kea-dhcp*service ${D}${systemd_system_unitdir}
-    install -m 0755 ${WORKDIR}/kea-*-server ${D}${sysconfdir}/init.d
-    sed -i -e 's,@SBINDIR@,${sbindir},g' -e 's,@BASE_BINDIR@,${base_bindir},g' \
-           -e 's,@LOCALSTATEDIR@,${localstatedir},g' -e 's,@SYSCONFDIR@,${sysconfdir},g' \
-           ${D}${systemd_system_unitdir}/kea-dhcp*service ${D}${sbindir}/keactrl
-}
-do_install_append() {
-    rm -rf "${D}${localstatedir}"
-}
-CONFFILES_${PN} = "${sysconfdir}/kea/keactrl.conf"
-FILES_${PN}-staticdev += "${libdir}/kea/hooks/*.a ${libdir}/hooks/*.a"
-FILES_${PN} += "${libdir}/hooks/*.so"
-PARALLEL_MAKEINST = ""
diff --git a/meta/recipes-connectivity/kea/kea_2.6.3.bb b/meta/recipes-connectivity/kea/kea_2.6.3.bb
new file mode 100644
index 0000000000..1df91e4522
--- /dev/null
+++ b/meta/recipes-connectivity/kea/kea_2.6.3.bb
@@ -0,0 +1,80 @@
+SUMMARY = "ISC Kea DHCP Server"
+DESCRIPTION = "Kea is the next generation of DHCP software developed by ISC. It supports both DHCPv4 and DHCPv6 protocols along with their extensions, e.g. prefix delegation and dynamic updates to DNS."
+HOMEPAGE = "http://kea.isc.org"
+SECTION = "connectivity"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ee16e7280a6cf2a1487717faf33190dc"
+DEPENDS = "boost log4cplus openssl"
+SRC_URI = "http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \
+           file://kea-dhcp4.service \
+           file://kea-dhcp6.service \
+           file://kea-dhcp-ddns.service \
+           file://kea-dhcp4-server \
+           file://kea-dhcp6-server \
+           file://kea-dhcp-ddns-server \
+           file://fix-multilib-conflict.patch \
+           file://fix_pid_keactrl.patch \
+           file://0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch \
+           file://0001-make-kea-environment-available-to-lfc.patch \
+           "
+SRC_URI[sha256sum] = "00241a5955ffd3d215a2c098c4527f9d7f4b203188b276f9a36250dd3d9dd612"
+inherit autotools systemd update-rc.d upstream-version-is-even
+INITSCRIPT_NAME = "kea-dhcp4-server"
+INITSCRIPT_PARAMS = "defaults 30"
+SYSTEMD_SERVICE:${PN} = "kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+DEBUG_OPTIMIZATION:remove:mips = " -Og"
+DEBUG_OPTIMIZATION:append:mips = " -O"
+BUILD_OPTIMIZATION:remove:mips = " -Og"
+BUILD_OPTIMIZATION:append:mips = " -O"
+DEBUG_OPTIMIZATION:remove:mipsel = " -Og"
+DEBUG_OPTIMIZATION:append:mipsel = " -O"
+BUILD_OPTIMIZATION:remove:mipsel = " -Og"
+BUILD_OPTIMIZATION:append:mipsel = " -O"
+CXXFLAGS:remove = "-fvisibility-inlines-hidden"
+EXTRA_OECONF = "--with-boost-libs=-lboost_system \
+                --with-log4cplus=${STAGING_DIR_TARGET}${prefix} \
+                --with-openssl=${STAGING_DIR_TARGET}${prefix}"
+do_configure:prepend() {
+    # replace abs_top_builddir to avoid introducing the build path
+    # don't expand the abs_top_builddir on the target as the abs_top_builddir is meanlingless on the target
+    find ${S} -type f -name *.sh.in | xargs sed -i  "s:@abs_top_builddir@:@abs_top_builddir_placeholder@:g"
+    sed -i "s:@abs_top_builddir@:@abs_top_builddir_placeholder@:g" ${S}/src/bin/admin/kea-admin.in
+}
+# patch out build host paths for reproducibility
+do_compile:prepend:class-target() {
+        sed -i -e "s,${WORKDIR},,g" ${B}/config.report
+}
+do_install:append() {
+    install -d ${D}${sysconfdir}/init.d
+    install -d ${D}${systemd_system_unitdir}
+    install -m 0644 ${UNPACKDIR}/kea-dhcp*service ${D}${systemd_system_unitdir}
+    install -m 0755 ${UNPACKDIR}/kea-*-server ${D}${sysconfdir}/init.d
+    sed -i -e 's,@SBINDIR@,${sbindir},g' -e 's,@BASE_BINDIR@,${base_bindir},g' \
+           -e 's,@LOCALSTATEDIR@,${localstatedir},g' -e 's,@SYSCONFDIR@,${sysconfdir},g' \
+           ${D}${systemd_system_unitdir}/kea-dhcp*service ${D}${sbindir}/keactrl
+    sed -i "s:${B}:@abs_top_builddir_placeholder@:g" ${D}${sbindir}/kea-admin
+}
+do_install:append() {
+    rm -rf "${D}${localstatedir}"
+}
+CONFFILES:${PN} = "${sysconfdir}/kea/keactrl.conf"
+FILES:${PN}-staticdev += "${libdir}/kea/hooks/*.a ${libdir}/hooks/*.a"
+FILES:${PN} += "${libdir}/hooks/*.so"
+PARALLEL_MAKEINST = ""
diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.9.1.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.5.bb
index 35bb5650b3..7ad52acd06 100644
--- a/meta/recipes-connectivity/libpcap/libpcap_1.9.1.bb
+++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.5.bb
@@ -10,10 +10,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \
                    file://pcap.h;beginline=1;endline=32;md5=39af3510e011f34b8872f120b1dc31d2"
 DEPENDS = "flex-native bison-native"
-SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
+SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.xz"
-           "
+SRC_URI[sha256sum] = "84fa89ac6d303028c1c5b754abff77224f45eca0a94eb1a34ff0aa9ceece3925"
-SRC_URI[md5sum] = "21af603d9a591c7d96a6457021d84e6c"
-SRC_URI[sha256sum] = "635237637c5b619bcceba91900666b64d56ecb7be63f298f601ec786ce087094"
 inherit autotools binconfig-disabled pkgconfig
@@ -21,10 +19,11 @@ BINCONFIG = "${bindir}/pcap-config"
 # Explicitly disable dag support. We don't have recipe for it and if enabled here,
 # configure script poisons the include dirs with /usr/local/include even when the
-# support hasn't been detected.
+# support hasn't been detected. Do the same thing for DPDK.
 EXTRA_OECONF = " \
                 --with-pcap=linux \
                 --without-dag \
+                 --without-dpdk \
                 "
 EXTRA_AUTORECONF += "--exclude=aclocal"
@@ -36,9 +35,9 @@ PACKAGECONFIG[dbus] = "--enable-dbus,--disable-dbus,dbus"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
 PACKAGECONFIG[libnl] = "--with-libnl,--without-libnl,libnl"
-do_configure_prepend () {
+do_configure:prepend () {
    #remove hardcoded references to /usr/include
    sed 's|\([ "^'\''I]\+\)/usr/include/|\1${STAGING_INCDIR}/|g' -i ${S}/configure.ac
 }
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-connectivity/libuv/libuv_1.40.0.bb b/meta/recipes-connectivity/libuv/libuv_1.40.0.bb
deleted file mode 100644
index f793db09be..0000000000
--- a/meta/recipes-connectivity/libuv/libuv_1.40.0.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-SUMMARY = "A multi-platform support library with a focus on asynchronous I/O"
-HOMEPAGE = "https://github.com/libuv/libuv"
-BUGTRACKER = "https://github.com/libuv/libuv/issues"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=a68902a430e32200263d182d44924d47"
-SRCREV = "4e69e333252693bd82d6338d6124f0416538dbfc"
-SRC_URI = "git://github.com/libuv/libuv;branch=v1.x"
-S = "${WORKDIR}/git"
-inherit autotools
-do_configure() {
-    ${S}/autogen.sh || bbnote "${PN} failed to autogen.sh"
-    oe_runconf
-}
-BBCLASSEXTEND = "native"
diff --git a/meta/recipes-connectivity/libuv/libuv_1.51.0.bb b/meta/recipes-connectivity/libuv/libuv_1.51.0.bb
new file mode 100644
index 0000000000..9ff9cf35e2
--- /dev/null
+++ b/meta/recipes-connectivity/libuv/libuv_1.51.0.bb
@@ -0,0 +1,20 @@
+SUMMARY = "A multi-platform support library with a focus on asynchronous I/O"
+HOMEPAGE = "https://github.com/libuv/libuv"
+DESCRIPTION = "libuv is a multi-platform support library with a focus on asynchronous I/O. It was primarily developed for use by Node.js, but it's also used by Luvit, Julia, pyuv, and others."
+BUGTRACKER = "https://github.com/libuv/libuv/issues"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=74b6f2f7818a4e3a80d03556f71b129b \
+                    file://LICENSE-extra;md5=f9307417749e19bd1d6d68a394b49324"
+SRCREV = "5152db2cbfeb5582e9c27c5ea1dba2cd9e10759b"
+SRC_URI = "git://github.com/libuv/libuv.git;branch=v1.x;protocol=https;tag=v${PV}"
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
+inherit autotools
+do_configure() {
+    ${S}/autogen.sh || bbnote "${PN} failed to autogen.sh"
+    oe_runconf
+}
+BBCLASSEXTEND = "native"
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_20240407.bb
index 0b0bbab168..2e8702a045 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_20240407.bb
@@ -1,15 +1,15 @@
 SUMMARY = "Mobile Broadband Service Provider Database"
 HOMEPAGE = "http://live.gnome.org/NetworkManager/MobileBroadband/ServiceProviders"
+DESCRIPTION = "Mobile Broadband Service Provider Database stores service provider specific information. When this Database is available the information can be fetched there"
 SECTION = "network"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "22b49d86fb7aded2c195a9d49e5924da696b3228"
-PV = "20190618"
 PE = "1"
-SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https"
+SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main"
-S = "${WORKDIR}/git"
+SRCREV = "55ba955d53305df96123534488fd160ea882b4dd"
-inherit autotools
+inherit meson
 DEPENDS += "libxslt-native"
diff --git a/meta/recipes-connectivity/neard/neard_0.16.bb b/meta/recipes-connectivity/neard/neard_0.19.bb
index 7c124a3c0b..41c7e55f44 100644
--- a/meta/recipes-connectivity/neard/neard_0.16.bb
+++ b/meta/recipes-connectivity/neard/neard_0.19.bb
@@ -1,50 +1,48 @@
 SUMMARY = "Linux NFC daemon"
 DESCRIPTION = "A daemon for the Linux Near Field Communication stack"
 HOMEPAGE = "http://01.org/linux-nfc"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
+                    file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
+                   "
-DEPENDS = "dbus glib-2.0 libnl"
+DEPENDS = "dbus glib-2.0 libnl autoconf-archive-native"
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BP}.tar.xz \
+SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=https;branch=master \
           file://neard.in \
           file://Makefile.am-fix-parallel-issue.patch \
           file://Makefile.am-do-not-ship-version.h.patch \
           file://0001-Add-header-dependency-to-nciattach.o.patch \
          "
-SRC_URI[md5sum] = "5c691fb7872856dc0d909c298bc8cb41"
-SRC_URI[sha256sum] = "eae3b11c541a988ec11ca94b7deab01080cd5b58cfef3ced6ceac9b6e6e65b36"
-LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
+SRCREV = "a1dc8a75cba999728e154a0f811ab9dd50c809f7"
- file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
- "
 inherit autotools pkgconfig systemd update-rc.d
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
-PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_unitdir}/system/ --with-systemduserunitdir=${systemd_unitdir}/user/,--disable-systemd"
+PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir}/ --with-systemduserunitdir=${systemd_unitdir}/user/,--disable-systemd"
 EXTRA_OECONF += "--enable-tools"
 # This would copy neard start-stop shell and test scripts
-do_install_append() {
+do_install:append() {
        if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
                install -d ${D}${sysconfdir}/init.d/
-                sed "s:@installpath@:${libexecdir}/nfc:" ${WORKDIR}/neard.in \
+                sed "s:@installpath@:${libexecdir}/nfc:" ${UNPACKDIR}/neard.in \
                  > ${D}${sysconfdir}/init.d/neard
                chmod 0755 ${D}${sysconfdir}/init.d/neard
        fi
 }
-RDEPENDS_${PN} = "dbus"
 # Bluez & Wifi are not mandatory except for handover
-RRECOMMENDS_${PN} = "\
+WIRELESS_DAEMON ??= "wpa-supplicant"
+RRECOMMENDS:${PN} = "\
                     ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez5', '', d)} \
-                     ${@bb.utils.contains('DISTRO_FEATURES', 'wifi','wpa-supplicant', '', d)} \
+                     ${@bb.utils.contains('DISTRO_FEATURES', 'wifi','${WIRELESS_DAEMON}', '', d)} \
                    "
 INITSCRIPT_NAME = "neard"
 INITSCRIPT_PARAMS = "defaults 64"
-SYSTEMD_SERVICE_${PN} = "neard.service"
+SYSTEMD_SERVICE:${PN} = "neard.service"
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch
deleted file mode 100644
index bd350144e3..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch
+++ /dev/null
@@ -1,299 +0,0 @@
-From 690a90a5b7786e40b5447ad7c5f19a7657d27405 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu@windriver.com>
-Date: Fri, 14 Dec 2018 17:44:32 +0800
-Subject: [PATCH] Makefile.am: fix undefined function for libnsm.a
-The source file of libnsm.a uses some function
-in ../support/misc/file.c, add ../support/misc/file.c
-to libnsm_a_SOURCES to fix build error when run
-"make -C tests statdb_dump":
-| ../support/nsm/libnsm.a(file.o): In function `nsm_make_pathname':
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:175: undefined reference to `generic_make_pathname'
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:175: undefined reference to `generic_make_pathname'
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:175: undefined reference to `generic_make_pathname'
-| ../support/nsm/libnsm.a(file.o): In function `nsm_setup_pathnames':
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:280: undefined reference to `generic_setup_basedir'
-| collect2: error: ld returned 1 exit status
-As there is already one source file named file.c
-as support/nsm/file.c in support/nsm/Makefile.am,
-so rename ../support/misc/file.c to ../support/misc/misc.c.
-Upstream-Status: Submitted[https://marc.info/?l=linux-nfs&m=154502780423058&w=2]
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-Rebase it.
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
- support/misc/Makefile.am |   2 +-
- support/misc/file.c      | 115 ---------------------------------------------------------------------------------------------------------------
- support/misc/misc.c      | 111 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- support/nsm/Makefile.am  |   2 +-
- 4 files changed, 113 insertions(+), 117 deletions(-)
-diff --git a/support/misc/Makefile.am b/support/misc/Makefile.am
-index f9993e3..8b0e9db 100644
--- a/support/misc/Makefile.am
-+++ b/support/misc/Makefile.am
-@@ -1,7 +1,7 @@
- ## Process this file with automake to produce Makefile.in
- 
- noinst_LIBRARIES = libmisc.a
-libmisc_a_SOURCES = tcpwrapper.c from_local.c mountpoint.c file.c \
-+libmisc_a_SOURCES = tcpwrapper.c from_local.c mountpoint.c misc.c \
-                    nfsd_path.c workqueue.c xstat.c
- 
- MAINTAINERCLEANFILES = Makefile.in
-diff --git a/support/misc/file.c b/support/misc/file.c
-deleted file mode 100644
-index 06f6bb2..0000000
--- a/support/misc/file.c
-+++ /dev/null
-@@ -1,115 +0,0 @@
-/*
- * Copyright 2009 Oracle.  All rights reserved.
- * Copyright 2017 Red Hat, Inc.  All rights reserved.
- *
- * This file is part of nfs-utils.
- *
- * nfs-utils is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * nfs-utils is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with nfs-utils.  If not, see <http://www.gnu.org/licenses/>.
- */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <sys/stat.h>
-
-#include <string.h>
-#include <libgen.h>
-#include <stdio.h>
-#include <errno.h>
-#include <dirent.h>
-#include <stdlib.h>
-#include <stdbool.h>
-#include <limits.h>
-
-#include "xlog.h"
-#include "misc.h"
-
-/*
- * Returns a dynamically allocated, '\0'-terminated buffer
- * containing an appropriate pathname, or NULL if an error
- * occurs.  Caller must free the returned result with free(3).
- */
-__attribute__((__malloc__))
-char *
-generic_make_pathname(const char *base, const char *leaf)
-{
-       size_t size;
-       char *path;
-       int len;
-
-       size = strlen(base) + strlen(leaf) + 2;
-       if (size > PATH_MAX)
-               return NULL;
-
-       path = malloc(size);
-       if (path == NULL)
-               return NULL;
-
-       len = snprintf(path, size, "%s/%s", base, leaf);
-       if ((len < 0) || ((size_t)len >= size)) {
-               free(path);
-               return NULL;
-       }
-
-       return path;
-}
-
-
-/**
- * generic_setup_basedir - set up basedir
- * @progname: C string containing name of program, for error messages
- * @parentdir: C string containing pathname to on-disk state, or NULL
- * @base: character buffer to contain the basedir that is set up
- * @baselen: size of @base in bytes
- *
- * This runs before logging is set up, so error messages are directed
- * to stderr.
- *
- * Returns true and sets up our basedir, if @parentdir was valid
- * and usable; otherwise false is returned.
- */
-_Bool
-generic_setup_basedir(const char *progname, const char *parentdir, char *base,
-                     const size_t baselen)
-{
-       static char buf[PATH_MAX];
-       struct stat st;
-       char *path;
-
-       /* First: test length of name and whether it exists */
-       if ((strlen(parentdir) >= baselen) || (strlen(parentdir) >= PATH_MAX)) {
-               (void)fprintf(stderr, "%s: Directory name too long: %s",
-                               progname, parentdir);
-               return false;
-       }
-       if (lstat(parentdir, &st) == -1) {
-               (void)fprintf(stderr, "%s: Failed to stat %s: %s",
-                               progname, parentdir, strerror(errno));
-               return false;
-       }
-
-       /* Ensure we have a clean directory pathname */
-       strncpy(buf, parentdir, sizeof(buf)-1);
-       path = dirname(buf);
-       if (*path == '.') {
-               (void)fprintf(stderr, "%s: Unusable directory %s",
-                               progname, parentdir);
-               return false;
-       }
-
-       xlog(D_CALL, "Using %s as the state directory", parentdir);
-       strcpy(base, parentdir);
-       return true;
-}
-diff --git a/support/misc/misc.c b/support/misc/misc.c
-new file mode 100644
-index 0000000..e7c3819
--- /dev/null
-+++ b/support/misc/misc.c
-@@ -0,0 +1,111 @@
-+/*
-+ * Copyright 2009 Oracle.  All rights reserved.
-+ * Copyright 2017 Red Hat, Inc.  All rights reserved.
-+ *
-+ * This file is part of nfs-utils.
-+ *
-+ * nfs-utils is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * nfs-utils is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with nfs-utils.  If not, see <http://www.gnu.org/licenses/>.
-+ */
-+
-+#include <sys/stat.h>
-+
-+#include <string.h>
-+#include <libgen.h>
-+#include <stdio.h>
-+#include <errno.h>
-+#include <dirent.h>
-+#include <stdlib.h>
-+#include <stdbool.h>
-+#include <limits.h>
-+
-+#include "xlog.h"
-+#include "misc.h"
-+
-+/*
-+ * Returns a dynamically allocated, '\0'-terminated buffer
-+ * containing an appropriate pathname, or NULL if an error
-+ * occurs.  Caller must free the returned result with free(3).
-+ */
-+__attribute__((__malloc__))
-+char *
-+generic_make_pathname(const char *base, const char *leaf)
-+{
-+       size_t size;
-+       char *path;
-+       int len;
-+
-+       size = strlen(base) + strlen(leaf) + 2;
-+       if (size > PATH_MAX)
-+               return NULL;
-+
-+       path = malloc(size);
-+       if (path == NULL)
-+               return NULL;
-+
-+       len = snprintf(path, size, "%s/%s", base, leaf);
-+       if ((len < 0) || ((size_t)len >= size)) {
-+               free(path);
-+               return NULL;
-+       }
-+
-+       return path;
-+}
-+
-+
-+/**
-+ * generic_setup_basedir - set up basedir
-+ * @progname: C string containing name of program, for error messages
-+ * @parentdir: C string containing pathname to on-disk state, or NULL
-+ * @base: character buffer to contain the basedir that is set up
-+ * @baselen: size of @base in bytes
-+ *
-+ * This runs before logging is set up, so error messages are directed
-+ * to stderr.
-+ *
-+ * Returns true and sets up our basedir, if @parentdir was valid
-+ * and usable; otherwise false is returned.
-+ */
-+_Bool
-+generic_setup_basedir(const char *progname, const char *parentdir, char *base,
-+                     const size_t baselen)
-+{
-+       static char buf[PATH_MAX];
-+       struct stat st;
-+       char *path;
-+
-+       /* First: test length of name and whether it exists */
-+       if ((strlen(parentdir) >= baselen) || (strlen(parentdir) >= PATH_MAX)) {
-+               (void)fprintf(stderr, "%s: Directory name too long: %s",
-+                               progname, parentdir);
-+               return false;
-+       }
-+       if (lstat(parentdir, &st) == -1) {
-+               (void)fprintf(stderr, "%s: Failed to stat %s: %s",
-+                               progname, parentdir, strerror(errno));
-+               return false;
-+       }
-+
-+       /* Ensure we have a clean directory pathname */
-+       strncpy(buf, parentdir, sizeof(buf)-1);
-+       path = dirname(buf);
-+       if (*path == '.') {
-+               (void)fprintf(stderr, "%s: Unusable directory %s",
-+                               progname, parentdir);
-+               return false;
-+       }
-+
-+       xlog(D_CALL, "Using %s as the state directory", parentdir);
-+       strcpy(base, parentdir);
-+       return true;
-+}
-diff --git a/support/nsm/Makefile.am b/support/nsm/Makefile.am
-index 8f5874e..68f1a46 100644
--- a/support/nsm/Makefile.am
-+++ b/support/nsm/Makefile.am
-@@ -10,7 +10,7 @@ GENFILES      = $(GENFILES_CLNT) $(GENFILES_SVC) $(GENFILES_XDR) $(GENFILES_H)
- EXTRA_DIST     = sm_inter.x
- 
- noinst_LIBRARIES = libnsm.a
-libnsm_a_SOURCES = $(GENFILES) file.c rpc.c
-+libnsm_a_SOURCES = $(GENFILES) ../misc/misc.c file.c rpc.c
- 
- BUILT_SOURCES = $(GENFILES)
- 
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch
new file mode 100644
index 0000000000..351407ddcd
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch
@@ -0,0 +1,36 @@
+From 9efa7a0d37665d9bb0f46d2407883a5ab42c2b84 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 24 Jul 2023 20:39:16 -0700
+Subject: [PATCH] locktest: Makefile.am: Do not use build flags
+Using CFLAGS_FOR_BUILD etc. here means it is using wrong flags
+when thse flags are speficied different than target flags which
+is common when cross-building. It can pass wrong paths to linker
+and it would find incompatible libraries during link since they
+are from host system and target maybe not same as build host.
+Fixes subtle errors like
+| aarch64-yoe-linux-ld.lld: error: /mnt/b/yoe/master/build/tmp/work/cortexa72-cortexa53-crypto-yoe-linux/nfs-utils/2.6.3-r0/recipe-sysroot-native/usr/lib/libsqlite3.so is incompatible with elf64-littleaarch64
+Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=169025681008001&w=2]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ tools/locktest/Makefile.am | 3 ---
+ 1 file changed, 3 deletions(-)
+diff --git a/tools/locktest/Makefile.am b/tools/locktest/Makefile.am
+index e8914655..2fd36971 100644
+--- a/tools/locktest/Makefile.am
+++ b/tools/locktest/Makefile.am
+@@ -2,8 +2,5 @@
+ 
+ noinst_PROGRAMS = testlk
+ testlk_SOURCES = testlk.c
+-testlk_CFLAGS=$(CFLAGS_FOR_BUILD)
+-testlk_CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+-testlk_LDFLAGS=$(LDFLAGS_FOR_BUILD)
+ 
+ MAINTAINERCLEANFILES = Makefile.in
+-- 
+2.41.0
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0004-Use-nogroup-for-nobody-group.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0004-Use-nogroup-for-nobody-group.patch
new file mode 100644
index 0000000000..bbf44d5977
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0004-Use-nogroup-for-nobody-group.patch
@@ -0,0 +1,38 @@
+From 001913c5eb0aad933a93ee966252905cd46d776b Mon Sep 17 00:00:00 2001
+From: Daniel McGregor <daniel.mcgregor@vecima.com>
+Date: Tue, 6 Jun 2023 16:07:53 -0600
+Subject: [PATCH] Use "nogroup" for nobody group
+Upstream-Status: Inappropriate [oe-core specific, configuration]
+Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
+---
+ support/nfsidmap/idmapd.conf | 2 +-
+ utils/idmapd/idmapd.c        | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/support/nfsidmap/idmapd.conf b/support/nfsidmap/idmapd.conf
+index 2a2f79a1..e6f3724f 100644
+--- a/support/nfsidmap/idmapd.conf
+++ b/support/nfsidmap/idmapd.conf
+@@ -41,7 +41,7 @@
+ [Mapping]
+ 
+ #Nobody-User = nobody
+-#Nobody-Group = nobody
+#Nobody-Group = nogroup
+ 
+ [Translation]
+ 
+diff --git a/utils/idmapd/idmapd.c b/utils/idmapd/idmapd.c
+index cd9a965f..3be805e9 100644
+--- a/utils/idmapd/idmapd.c
+++ b/utils/idmapd/idmapd.c
+@@ -89,7 +89,7 @@
+ #endif
+ 
+ #ifndef NFS4NOBODY_GROUP
+-#define NFS4NOBODY_GROUP "nobody"
+#define NFS4NOBODY_GROUP "nogroup"
+ #endif
+ 
+ /* From Niels */
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-find-OE-provided-Kerberos.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-find-OE-provided-Kerberos.patch
new file mode 100644
index 0000000000..3241e8e859
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-find-OE-provided-Kerberos.patch
@@ -0,0 +1,42 @@
+From a2af266f013722a64c5d04e0fe097cd711393a53 Mon Sep 17 00:00:00 2001
+From: Daniel McGregor <daniel.mcgregor@vecima.com>
+Date: Wed, 8 Nov 2023 16:24:20 -0600
+Subject: [PATCH] find OE provided Kerberos
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
+---
+ aclocal/kerberos5.m4 | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/aclocal/kerberos5.m4 b/aclocal/kerberos5.m4
+index f96f0fd4..ad85fdf2 100644
+--- a/aclocal/kerberos5.m4
+++ b/aclocal/kerberos5.m4
+@@ -22,8 +22,8 @@ AC_DEFUN([AC_KERBEROS_V5],[
+     dnl This ugly hack brought on by the split installation of
+     dnl MIT Kerberos on Fedora Core 1
+     K5CONFIG=""
+-    if test -f $dir/bin/krb5-config; then
+-      K5CONFIG=$dir/bin/krb5-config
+    if test -f $dir/bin/crossscripts/krb5-config; then
+      K5CONFIG=$dir/bin/crossscripts/krb5-config
+     elif test -f "/usr/kerberos/bin/krb5-config"; then
+       K5CONFIG="/usr/kerberos/bin/krb5-config"
+     elif test -f "/usr/lib/mit/bin/krb5-config"; then
+@@ -72,6 +72,7 @@ AC_DEFUN([AC_KERBEROS_V5],[
+   AC_MSG_RESULT($KRBDIR)
+ 
+   dnl Check if -rpath=$(KRBDIR)/lib is needed
+  if false; then
+   echo "The current KRBDIR is $KRBDIR"
+   if test "$KRBDIR/lib" = "/lib" -o "$KRBDIR/lib" = "/usr/lib" \
+        -o "$KRBDIR/lib" = "//lib" -o "$KRBDIR/lib" = "/usr//lib" ; then
+@@ -81,6 +82,7 @@ AC_DEFUN([AC_KERBEROS_V5],[
+   else
+     KRBLDFLAGS="-Wl,-rpath=$KRBDIR/lib"
+   fi
+  fi
+ 
+   dnl Now check for functions within gssapi library
+   AC_CHECK_LIB($gssapi_lib, gss_krb5_export_lucid_sec_context,
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/bugfix-adjust-statd-service-name.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/bugfix-adjust-statd-service-name.patch
deleted file mode 100644
index f13d7b380c..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/bugfix-adjust-statd-service-name.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 398fed3bb0350cb1229e54e7020ae0e044c206d1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ulrich=20=C3=96lmann?= <u.oelmann@pengutronix.de>
-Date: Wed, 17 Feb 2016 08:33:45 +0100
-Subject: bugfix: adjust statd service name
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Upstream uses 'rpc-statd.service' and Yocto introduced 'nfs-statd.service'
-instead but forgot to update the mount.nfs helper 'start-statd' accordingly.
-Upstream-Status: Inappropriate [other]
-Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
-Rebase it.
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
- utils/statd/start-statd | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/utils/statd/start-statd b/utils/statd/start-statd
-index af5c950..df9b9be 100755
--- a/utils/statd/start-statd
-+++ b/utils/statd/start-statd
-@@ -28,10 +28,10 @@ fi
- # First try systemd if it's installed.
- if [ -d /run/systemd/system ]; then
-     # Quit only if the call worked.
-    if systemctl start rpc-statd.service; then
-+    if systemctl start nfs-statd.service; then
-         # Ensure systemd knows not to stop rpc.statd or its dependencies
-         # on 'systemctl isolate ..'
-        systemctl add-wants --runtime remote-fs.target rpc-statd.service
-+        systemctl add-wants --runtime remote-fs.target nfs-statd.service
-         exit 0
-     fi
- fi
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch
deleted file mode 100644
index fde99b599e..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 1ab0c326405c6daa06f1a7eb4b0b60bf4e0584c2 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 31 Dec 2019 08:15:34 -0800
-Subject: [PATCH] Detect warning options during configure
-Certain options maybe compiler specific therefore its better
-to detect them before use.
-nfs_error copies the format string and appends newline to it
-but compiler can forget that it was format string since its not
-same fmt string that was passed. Ignore the warning
-Wdiscarded-qualifiers is gcc specific and this is no longer needed
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
- support/nfs/xcommon.c | 3 +++
- 1 file changed, 3 insertions(+)
-diff --git a/support/nfs/xcommon.c b/support/nfs/xcommon.c
-index 3989f0b..e080423 100644
--- a/support/nfs/xcommon.c
-+++ b/support/nfs/xcommon.c
-@@ -98,7 +98,10 @@ nfs_error (const char *fmt, ...) {
- 
-      fmt2 = xstrconcat2 (fmt, "\n");
-      va_start (args, fmt);
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
-      vfprintf (stderr, fmt2, args);
-+#pragma GCC diagnostic pop
-      va_end (args);
-      free (fmt2);
- }
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
deleted file mode 100644
index c01415de84..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=NFS Mount Daemon
-DefaultDependencies=no
-After=rpcbind.socket
-Requires=proc-fs-nfsd.mount
-After=proc-fs-nfsd.mount
-After=network.target local-fs.target
-BindsTo=nfs-server.service
-ConditionPathExists=@SYSCONFDIR@/exports
-[Service]
-EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
-ExecStart=@SBINDIR@/rpc.mountd -F $MOUNTD_OPTS
-LimitNOFILE=@HIGH_RLIMIT_NOFILE@
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
deleted file mode 100644
index 5c845b7e82..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
+++ /dev/null
@@ -1,23 +0,0 @@
-[Unit]
-Description=NFS server and services
-DefaultDependencies=no
-Requires=network.target proc-fs-nfsd.mount
-Requires=nfs-mountd.service
-Wants=rpcbind.service
-After=local-fs.target
-After=network.target proc-fs-nfsd.mount rpcbind.service nfs-mountd.service
-ConditionPathExists=@SYSCONFDIR@/exports
-[Service]
-Type=oneshot
-EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
-ExecStartPre=@SBINDIR@/exportfs -r
-ExecStart=@SBINDIR@/rpc.nfsd $NFSD_OPTS $NFSD_COUNT
-ExecStop=@SBINDIR@/rpc.nfsd 0
-ExecStopPost=@SBINDIR@/exportfs -au
-ExecStopPost=@SBINDIR@/exportfs -f
-ExecReload=@SBINDIR@/exportfs -r
-RemainAfterExit=yes
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
deleted file mode 100644
index 4fa64e1998..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=NFS status monitor for NFSv2/3 locking.
-DefaultDependencies=no
-Conflicts=umount.target
-Requires=nss-lookup.target rpcbind.service
-After=network.target nss-lookup.target rpcbind.service
-[Service]
-EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
-ExecStart=@SBINDIR@/rpc.statd -F $STATD_OPTS
-LimitNOFILE=@HIGH_RLIMIT_NOFILE@
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-debianize-start-statd.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-debianize-start-statd.patch
deleted file mode 100644
index ede0dcefc4..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-debianize-start-statd.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-[PATCH] nfs-utils: debianize start-statd
-Upstream-Status: Pending
-make start-statd command to use nfscommon configure, too.
-Signed-off-by: Henrik Riomar <henrik.riomar@ericsson.com>
-Signed-off-by: Li Wang <li.wang@windriver.com>
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
- utils/statd/start-statd | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-diff --git a/utils/statd/start-statd b/utils/statd/start-statd
-index 2fd6039..f591b34 100755
--- a/utils/statd/start-statd
-+++ b/utils/statd/start-statd
-@@ -17,6 +17,14 @@ then
-     # statd already running - must have been slow to respond.
-     exit 0
- fi
-+
-+# Read config
-+DEFAULTFILE=/etc/default/nfs-common
-+NEED_IDMAPD=
-+if [ -f $DEFAULTFILE ]; then
-+    . $DEFAULTFILE
-+fi
-+
- # First try systemd if it's installed.
- if [ -d /run/systemd/system ]; then
-     # Quit only if the call worked.
-@@ -25,4 +33,4 @@ fi
- 
- cd /
- # Fall back to launching it ourselves.
-exec rpc.statd --no-notify
-+exec rpc.statd --no-notify $STATDOPTS
-- 
-2.6.6
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils.conf b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils.conf
deleted file mode 100644
index a1007a7fbf..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# Parameters to be passed to nfs-utils (clients & server) service files.
-#
-# Options to pass to rpc.nfsd.
-NFSD_OPTS=""
-# Number of servers to start up; the default is 8 servers.
-NFSD_COUNT=""
-# Where to mount nfsd filesystem; the default is "/proc/fs/nfsd".
-PROCNFSD_MOUNTPOINT=""
-# Options used to mount nfsd filesystem; the default is "rw,nodev,noexec,nosuid".
-PROCNFSD_MOUNTOPTS=""
-# Options for rpc.mountd.
-# If you have a port-based firewall, you might want to set up
-# a fixed port here using the --port option.
-MOUNTD_OPTS=""
-# Parameters to be passed to nfs-common (nfs clients & server) init script.
-#
-# If you do not set values for the NEED_ options, they will be attempted
-# autodetected; this should be sufficient for most people. Valid alternatives
-# for the NEED_ options are "yes" and "no".
-# Do you want to start the statd daemon? It is not needed for NFSv4.
-NEED_STATD=""
-# Options to pass to rpc.statd.
-# N.B. statd normally runs on both client and server, and run-time
-# options should be specified accordingly.
-# STATD_OPTS="-p 32765 -o 32766"
-STATD_OPTS=""
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon
index 992267d5a1..9b7fd17b41 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon
@@ -1,63 +1,279 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          nfs-common
-# Required-Start:    $portmap hwclock
+# Required-Start:    $portmap $time
-# Required-Stop:     $portmap hwclock
+# Required-Stop:     $portmap $time
-# Default-Start:     2 3 4 5
+# Default-Start:     S
 # Default-Stop:      0 1 6
-# Short-Description: NFS support for both client and server
+# Short-Description: NFS support files common to client and server
 # Description:       NFS is a popular protocol for file sharing across
-#                    TCP/IP networks. This service provides various
+#                    TCP/IP networks. This service provides various
 #                    support functions for NFS mounts.
 ### END INIT INFO
-#
-# Startup script for nfs-utils
-#
-#
-# Location of executables:
-# Source function library.
+# What is this?
+DESC="NFS common utilities"
+# Read config
+DEFAULTFILE=/etc/default/nfs-utils
+NEED_STATD=
+NEED_GSSD=
+if nfsconf --isset general pipefs-directory; then
+    PIPEFS_MOUNTPOINT=$(nfsconf --get general pipefs-directory)
+else
+    PIPEFS_MOUNTPOINT=/var/lib/nfs/rpc_pipefs
+fi
+if [ -f $DEFAULTFILE ]; then
+    . $DEFAULTFILE
+fi
 . /etc/init.d/functions
-test -x "$NFS_STATD" || NFS_STATD=/usr/sbin/rpc.statd
+# Exit if required binaries are missing.
-test -z "$STATD_PID" && STATD_PID=/var/run/rpc.statd.pid
+[ -x /usr/sbin/rpc.statd ] || exit 0
 #
-# The default state directory is /var/lib/nfs
+# Parse the fstab file, and determine whether we need gssd. (The
-test -n "$NFS_STATEDIR" || NFS_STATEDIR=/var/lib/nfs
+# /etc/defaults settings, if any, will override our autodetection.) This code
+# is partially adapted from the mountnfs.sh script in the sysvinit package.
 #
-#----------------------------------------------------------------------
+AUTO_NEED_GSSD=no
-# Startup and shutdown functions.
-#  Actual startup/shutdown is at the end of this file.
+if [ -f /etc/fstab ]; then
+    exec 9<&0 </etc/fstab
-start_statd(){
-        echo -n "starting statd: "
+    while read -r DEV _ _ OPTS _
-        start-stop-daemon --start --exec "$NFS_STATD" --pidfile "$STATD_PID"
+    do
-        echo done
+        case $DEV in
+            ''|\#*)
+                continue
+                ;;
+        esac
+        OLDIFS="$IFS"
+        IFS=","
+        for OPT in $OPTS; do
+            case "$OPT" in
+                sec=krb5|sec=krb5i|sec=krb5p)
+                    AUTO_NEED_GSSD=yes
+                ;;
+            esac
+        done
+        IFS="$OLDIFS"
+    done
+    exec 0<&9 9<&-
+fi
+case "$NEED_STATD" in
+    yes|no)
+        ;;
+    *)
+        NEED_STATD=yes
+        ;;
+esac
+case "$NEED_IDMAPD" in
+    yes|no)
+        ;;
+    *)
+        NEED_IDMAPD=yes
+        ;;
+esac
+case "$NEED_GSSD" in
+    yes|no)
+        ;;
+    *)
+        NEED_GSSD=$AUTO_NEED_GSSD
+        ;;
+esac
+do_modprobe() {
+    if [ -x /sbin/modprobe ] && [ -f /proc/modules ]
+    then
+        modprobe -q "$1" || true
+    fi
+}
+do_mount() {
+    if ! grep -E -qs "$1\$" /proc/filesystems
+    then
+        return 1
+    fi
+    if ! mountpoint -q "$2"
+    then
+        mount -t "$1" "$1" "$2"
+        return
+    fi
+    return 0
 }
-stop_statd(){
-        echo -n 'stopping statd: '
+do_umount() {
-        start-stop-daemon --stop --quiet --signal 1 --pidfile "$STATD_PID"
+    if mountpoint -q "$1"
-        echo done
+    then
+        umount "$1"
+    fi
+    return 0
 }
-#----------------------------------------------------------------------
-#
+# See how we were called.
-# supported options:
-#  start
-#  stop
-#  restart: stops and starts mountd
-#FIXME: need to create the /var/lib/nfs/... directories
 case "$1" in
  start)
-        start_statd;;
+        echo -n "Starting $DESC ..."
+        if [ "$NEED_STATD" = yes ]; then
+            echo -n " statd"
+            # See if rpcbind is running
+            if [ -x /usr/sbin/rpcinfo ]; then
+                /usr/sbin/rpcinfo -p >/dev/null 2>&1
+                RET=$?
+                if [ $RET != 0 ]; then
+                   echo
+                   echo "Not starting: portmapper is not running"
+                   exit 0
+                fi
+            fi
+            start-stop-daemon --start --oknodo --quiet \
+                --pidfile /run/rpc.statd.pid \
+                --exec /usr/sbin/rpc.statd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            else
+                if [ -d /run/sendsigs.omit.d ]; then
+                    rm -f /run/sendsigs.omit.d/statd
+                    ln -s /run/rpc.statd.pid /run/sendsigs.omit.d/statd
+                fi
+            fi
+        fi
+        # Don't start idmapd and gssd if we don't have them (say, if /usr is not
+        # up yet).
+        [ -x /usr/sbin/rpc.idmapd ] || NEED_IDMAPD=no
+        [ -x /usr/sbin/rpc.gssd   ] || NEED_GSSD=no
+        if [ "$NEED_IDMAPD" = yes ] || [ "$NEED_GSSD" = yes ]
+        then
+            do_modprobe sunrpc
+            do_modprobe nfs
+            do_modprobe nfsd
+            mkdir -p "$PIPEFS_MOUNTPOINT"
+            if do_mount rpc_pipefs $PIPEFS_MOUNTPOINT
+            then
+                if [ "$NEED_IDMAPD" = yes ]
+                then
+                    ecno -n " idmapd"
+                    start-stop-daemon --start --oknodo --quiet \
+                            --exec /usr/sbin/rpc.idmapd
+                    RET=$?
+                    if [ $RET != 0 ]; then
+                        echo " failed" $RET
+                        exit $RET
+                    fi
+                fi
+                if [ "$NEED_GSSD" = yes ]
+                then
+                    do_modprobe rpcsec_gss_krb5
+                    echo -n " gssd"
+                    start-stop-daemon --start --oknodo --quiet \
+                            --exec /usr/sbin/rpc.gssd
+                    RET=$?
+                    if [ $RET != 0 ]; then
+                        echo " failed" $RET
+                        exit $RET
+                    fi
+                fi
+            fi
+        fi
+        echo " done"
+        ;;
  stop)
-        stop_statd;;
+        echo -n "Stopping $DESC ..."
+        if [ "$NEED_GSSD" = yes ]
+        then
+            echo -n " gssd"
+            start-stop-daemon --stop --oknodo --quiet \
+                    --name rpc.gssd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            fi
+        fi
+        if [ "$NEED_IDMAPD" = yes ]
+        then
+            echo -n " idmapd"
+            start-stop-daemon --stop --oknodo --quiet \
+                --name rpc.idmapd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            fi
+        fi
+        if [ "$NEED_STATD" = yes ]
+        then
+            echo -n " statd"
+            start-stop-daemon --stop --oknodo --quiet \
+                --name rpc.statd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            fi
+        fi
+        do_umount $PIPEFS_MOUNTPOINT 2>/dev/null || true
+        echo " done"
+        ;;
  status)
-        status $NFS_STATD
+        if [ "$NEED_STATD" = yes ]
-        exit $?;;
+        then
-  restart)
+            if ! pidof rpc.statd >/dev/null
+            then
+                echo "rpc.statd not running"
+                exit 3
+            fi
+        fi
+        if [ "$NEED_GSSD" = yes ]
+        then
+            if ! pidof rpc.gssd >/dev/null
+            then
+                echo "rpc.gssd not running"
+                exit 3
+            fi
+        fi
+        if [ "$NEED_IDMAPD" = yes ]
+        then
+            if ! pidof rpc.idmapd >/dev/null
+            then
+                echo "rpc.idmapd not running"
+                exit 3
+            fi
+        fi
+        echo "all daemons running"
+        exit 0
+        ;;
+  restart | force-reload)
        $0 stop
-        $0 start;;
+        sleep 1
+        $0 start
+        ;;
  *)
-        echo "Usage: $0 {start|stop|status|restart}"
+        echo "Usage: nfscommon {start|stop|status|restart}"
-        exit 1;;
+        exit 1
+        ;;
 esac
+exit 0
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
index 0f5747cc6d..99ec280b35 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
@@ -1,8 +1,10 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          nfs-kernel-server
-# Required-Start:    $remote_fs nfs-common $portmap hwclock
+# Required-Start:    $remote_fs nfs-common $portmap $time
-# Required-Stop:     $remote_fs nfs-common $portmap hwclock
+# Required-Stop:     $remote_fs nfs-common $portmap $time
+# Should-Start:      $named
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Kernel NFS server support
@@ -19,20 +21,25 @@
 #
 # The environment variable NFS_SERVERS may be set in /etc/default/nfsd
 # Other control variables may be overridden here too
-test -r /etc/default/nfsd && . /etc/default/nfsd
+test -r /etc/default/nfs-utils && . /etc/default/nfs-utils
 #
 # Location of executables:
 test -x "$NFS_MOUNTD" || NFS_MOUNTD=/usr/sbin/rpc.mountd
 test -x "$NFS_NFSD" || NFS_NFSD=/usr/sbin/rpc.nfsd
+test -x "$NFS_SVCGSSD" || NFS_SVCGSSD=/usr/sbin/rpc.svcgssd
 #
 # The user mode program must also exist (it just starts the kernel
 # threads using the kernel module code).
 test -x "$NFS_MOUNTD" || exit 0
 test -x "$NFS_NFSD" || exit 0
-#
-# Default is 8 threads, value is settable between 1 and the truely
+case "$NEED_SVCGSSD" in
-# ridiculous 99
+        yes|no)
-test "$NFS_SERVERS" != "" && test "$NFS_SERVERS" -gt 0 && test "$NFS_SERVERS" -lt 100 || NFS_SERVERS=8
+                ;;
+        *)
+                NEED_SVCGSSD=no
+                ;;
+esac
 #
 #----------------------------------------------------------------------
 # Startup and shutdown functions.
@@ -49,6 +56,22 @@ stop_mountd(){
        echo done
 }
 #
+#svcgssd
+start_svcgssd(){
+        modprobe -q rpcsec_gss_krb5
+        if [ "$NEED_SVCGSSD" = "yes" ]; then
+                echo -n "starting svcgssd: "
+                start-stop-daemon --start --exec "$NFS_SVCGSSD" -- "$@"
+                echo done
+        fi
+}
+stop_svcgssd(){
+        if [ "$NEED_SVCGSSD" = "yes" ]; then
+                echo -n "stop svcgssd: "
+                start-stop-daemon --stop --exec "$NFS_SVCGSSD"
+                echo done
+        fi
+}
 #nfsd
 start_nfsd(){
        modprobe -q nfsd
@@ -62,38 +85,18 @@ start_nfsd(){
                exit 1
        }
-        echo -n "starting $1 nfsd kernel threads: "
+        echo -n "starting nfsd: "
        start-stop-daemon --start --exec "$NFS_NFSD" -- "$@"
        echo done
 }
-delay_nfsd(){
-        for delay in 0 1 2 3 4 5 6 7 8 9 
-        do
-                if pidof nfsd >/dev/null
-                then
-                        echo -n .
-                        sleep 1
-                else
-                        return 0
-                fi
-        done
-        return 1
-}
 stop_nfsd(){
-        # WARNING: this kills any process with the executable
-        # name 'nfsd'.
        echo -n 'stopping nfsd: '
-        start-stop-daemon --stop --quiet --signal 1 --name nfsd
+        $NFS_NFSD 0
-        if delay_nfsd || {
+        if pidof nfsd
-                echo failed
-                echo ' using signal 9: '
-                start-stop-daemon --stop --quiet --signal 9 --name nfsd
-                delay_nfsd
-        }
        then
-                echo done
-        else
                echo failed
+        else
+                echo done
        fi
 }
@@ -108,11 +111,13 @@ stop_nfsd(){
 case "$1" in
  start)
        test -r /etc/exports && exportfs -r
-        start_nfsd "$NFS_SERVERS"
+        start_nfsd
+        start_svcgssd
        start_mountd
        test -r /etc/exports && exportfs -a;;
  stop) exportfs -ua
        stop_mountd
+        stop_svcgssd
        stop_nfsd;;
  status)
        status /usr/sbin/rpc.mountd
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/proc-fs-nfsd.mount b/meta/recipes-connectivity/nfs-utils/nfs-utils/proc-fs-nfsd.mount
deleted file mode 100644
index 630801b375..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/proc-fs-nfsd.mount
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=NFSD configuration filesystem
-After=systemd-modules-load.service
-[Mount]
-What=nfsd
-Where=/proc/fs/nfsd
-Type=nfsd
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.2.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.2.bb
deleted file mode 100644
index c7ac67cf31..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.2.bb
+++ /dev/null
@@ -1,145 +0,0 @@
-SUMMARY = "userspace utilities for kernel nfs"
-DESCRIPTION = "The nfs-utils package provides a daemon for the kernel \
-NFS server and related tools."
-HOMEPAGE = "http://nfs.sourceforge.net/"
-SECTION = "console/network"
-LICENSE = "MIT & GPLv2+ & BSD"
-LIC_FILES_CHKSUM = "file://COPYING;md5=95f3a93a5c3c7888de623b46ea085a84"
-# util-linux for libblkid
-DEPENDS = "libcap libevent util-linux sqlite3 libtirpc"
-RDEPENDS_${PN} = "${PN}-client"
-RRECOMMENDS_${PN} = "kernel-module-nfsd"
-inherit useradd
-USERADD_PACKAGES = "${PN}-client"
-USERADD_PARAM_${PN}-client = "--system  --home-dir /var/lib/nfs \
-                              --shell /bin/false --user-group rpcuser"
-SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.xz \
-           file://nfsserver \
-           file://nfscommon \
-           file://nfs-utils.conf \
-           file://nfs-server.service \
-           file://nfs-mountd.service \
-           file://nfs-statd.service \
-           file://proc-fs-nfsd.mount \
-           file://nfs-utils-debianize-start-statd.patch \
-           file://bugfix-adjust-statd-service-name.patch \
-           file://0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch \
-           file://clang-warnings.patch \
-           "
-SRC_URI[sha256sum] = "d493b81c9d3ffce5d10af701a63ed2b8a21768c23da4a2eceb4d708aea65d9de"
-# Only kernel-module-nfsd is required here (but can be built-in)  - the nfsd module will
-# pull in the remainder of the dependencies.
-INITSCRIPT_PACKAGES = "${PN} ${PN}-client"
-INITSCRIPT_NAME = "nfsserver"
-INITSCRIPT_PARAMS = "defaults"
-INITSCRIPT_NAME_${PN}-client = "nfscommon"
-INITSCRIPT_PARAMS_${PN}-client = "defaults 19 21"
-inherit autotools-brokensep update-rc.d systemd pkgconfig
-SYSTEMD_PACKAGES = "${PN} ${PN}-client"
-SYSTEMD_SERVICE_${PN} = "nfs-server.service nfs-mountd.service"
-SYSTEMD_SERVICE_${PN}-client = "nfs-statd.service"
-# --enable-uuid is need for cross-compiling
-EXTRA_OECONF = "--with-statduser=rpcuser \
-                --enable-mountconfig \
-                --enable-libmount-mount \
-                --enable-uuid \
-                --disable-gss \
-                --disable-nfsdcltrack \
-                --with-statdpath=/var/lib/nfs/statd \
-                --with-rpcgen=${HOSTTOOLS_DIR}/rpcgen \
-               "
-PACKAGECONFIG ??= "tcp-wrappers \
-    ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
-"
-PACKAGECONFIG_remove_libc-musl = "tcp-wrappers"
-PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,--without-tcp-wrappers,tcp-wrappers"
-PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
-# libdevmapper is available in meta-oe
-PACKAGECONFIG[nfsv41] = "--enable-nfsv41,--disable-nfsv41,libdevmapper,libdevmapper"
-# keyutils is available in meta-oe
-PACKAGECONFIG[nfsv4] = "--enable-nfsv4,--disable-nfsv4,keyutils,python3-core"
-PACKAGES =+ "${PN}-client ${PN}-mount ${PN}-stats"
-CONFFILES_${PN}-client += "${localstatedir}/lib/nfs/etab \
-                           ${localstatedir}/lib/nfs/rmtab \
-                           ${localstatedir}/lib/nfs/xtab \
-                           ${localstatedir}/lib/nfs/statd/state \
-                           ${sysconfdir}/nfsmount.conf"
-FILES_${PN}-client = "${sbindir}/*statd \
-                      ${sbindir}/rpc.idmapd ${sbindir}/sm-notify \
-                      ${sbindir}/showmount ${sbindir}/nfsstat \
-                      ${localstatedir}/lib/nfs \
-                      ${sysconfdir}/nfs-utils.conf \
-                      ${sysconfdir}/nfsmount.conf \
-                      ${sysconfdir}/init.d/nfscommon \
-                      ${systemd_unitdir}/system/nfs-statd.service"
-RDEPENDS_${PN}-client = "${PN}-mount rpcbind"
-FILES_${PN}-mount = "${base_sbindir}/*mount.nfs*"
-FILES_${PN}-stats = "${sbindir}/mountstats ${sbindir}/nfsiostat ${sbindir}/nfsdclnts"
-RDEPENDS_${PN}-stats = "python3-core"
-FILES_${PN}-staticdev += "${libdir}/libnfsidmap/*.a"
-FILES_${PN} += "${systemd_unitdir} ${libdir}/libnfsidmap/"
-do_configure_prepend() {
-        sed -i -e 's,sbindir = /sbin,sbindir = ${base_sbindir},g' \
-                ${S}/utils/mount/Makefile.am
-}
-# Make clean needed because the package comes with
-# precompiled 64-bit objects that break the build
-do_compile_prepend() {
-        make clean
-}
-# Works on systemd only
-HIGH_RLIMIT_NOFILE ??= "4096"
-do_install_append () {
-        install -d ${D}${sysconfdir}/init.d
-        install -m 0755 ${WORKDIR}/nfsserver ${D}${sysconfdir}/init.d/nfsserver
-        install -m 0755 ${WORKDIR}/nfscommon ${D}${sysconfdir}/init.d/nfscommon
-        install -m 0755 ${WORKDIR}/nfs-utils.conf ${D}${sysconfdir}
-        install -m 0755 ${S}/utils/mount/nfsmount.conf ${D}${sysconfdir}
-        install -d ${D}${systemd_unitdir}/system
-        install -m 0644 ${WORKDIR}/nfs-server.service ${D}${systemd_unitdir}/system/
-        install -m 0644 ${WORKDIR}/nfs-mountd.service ${D}${systemd_unitdir}/system/
-        install -m 0644 ${WORKDIR}/nfs-statd.service ${D}${systemd_unitdir}/system/
-        sed -i -e 's,@SBINDIR@,${sbindir},g' \
-                -e 's,@SYSCONFDIR@,${sysconfdir},g' \
-                -e 's,@HIGH_RLIMIT_NOFILE@,${HIGH_RLIMIT_NOFILE},g' \
-                ${D}${systemd_unitdir}/system/*.service
-        if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-                install -m 0644 ${WORKDIR}/proc-fs-nfsd.mount ${D}${systemd_unitdir}/system/
-                install -d ${D}${systemd_unitdir}/system/sysinit.target.wants/
-                ln -sf ../proc-fs-nfsd.mount ${D}${systemd_unitdir}/system/sysinit.target.wants/proc-fs-nfsd.mount
-        fi
-        # kernel code as of 3.8 hard-codes this path as a default
-        install -d ${D}/var/lib/nfs/v4recovery
-        # chown the directories and files
-        chown -R rpcuser:rpcuser ${D}${localstatedir}/lib/nfs/statd
-        chmod 0644 ${D}${localstatedir}/lib/nfs/statd/state
-        # Make python tools use python 3
-        sed -i -e '1s,#!.*python.*,#!${bindir}/python3,' ${D}${sbindir}/mountstats ${D}${sbindir}/nfsiostat
-}
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.8.3.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.8.3.bb
new file mode 100644
index 0000000000..9668ac0e86
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.8.3.bb
@@ -0,0 +1,159 @@
+SUMMARY = "userspace utilities for kernel nfs"
+DESCRIPTION = "The nfs-utils package provides a daemon for the kernel \
+NFS server and related tools."
+HOMEPAGE = "http://nfs.sourceforge.net/"
+SECTION = "console/network"
+LICENSE = "MIT & GPL-2.0-or-later & BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=95f3a93a5c3c7888de623b46ea085a84"
+# util-linux for libblkid
+DEPENDS = "libcap libevent util-linux sqlite3 libtirpc libxml2"
+RDEPENDS:${PN} = "${PN}-client"
+RRECOMMENDS:${PN} = "kernel-module-nfsd"
+inherit useradd
+USERADD_PACKAGES = "${PN}-client"
+USERADD_PARAM:${PN}-client = "--system  --home-dir /var/lib/nfs \
+                              --shell /bin/false --user-group rpcuser"
+SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.xz \
+           file://nfsserver \
+           file://nfscommon \
+           file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \
+           file://0004-Use-nogroup-for-nobody-group.patch \
+           file://0005-find-OE-provided-Kerberos.patch \
+           "
+SRC_URI[sha256sum] = "11e7c5847a8423a72931c865bd9296e7fd56ff270a795a849183900961711725"
+# Only kernel-module-nfsd is required here (but can be built-in)  - the nfsd module will
+# pull in the remainder of the dependencies.
+INITSCRIPT_PACKAGES = "${PN} ${PN}-client"
+INITSCRIPT_NAME = "nfsserver"
+INITSCRIPT_PARAMS = "defaults"
+INITSCRIPT_NAME:${PN}-client = "nfscommon"
+INITSCRIPT_PARAMS:${PN}-client = "defaults 19 21"
+inherit autotools-brokensep update-rc.d systemd pkgconfig
+SYSTEMD_PACKAGES = "${PN} ${PN}-client"
+SYSTEMD_SERVICE:${PN} = "nfs-server.service"
+SYSTEMD_SERVICE:${PN}-client = "nfs-client.target"
+# --enable-uuid is need for cross-compiling
+EXTRA_OECONF = "--with-statduser=rpcuser \
+                --enable-mountconfig \
+                --enable-libmount-mount \
+                --enable-uuid \
+                --with-statdpath=/var/lib/nfs/statd \
+                --with-pluginpath=${libdir}/libnfsidmap \
+                --with-rpcgen=${HOSTTOOLS_DIR}/rpcgen \
+               "
+LDFLAGS += "-lsqlite3 -levent"
+PACKAGECONFIG ??= "tcp-wrappers \
+    ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 systemd', d)} \
+"
+PACKAGECONFIG:remove:libc-musl = "tcp-wrappers"
+#krb5 is available in meta-oe
+PACKAGECONFIG[gssapi] = "--with-krb5=${STAGING_EXECPREFIXDIR} --enable-gss --enable-svcgss,--disable-gss --disable-svcgss,krb5"
+PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,--without-tcp-wrappers,tcp-wrappers"
+PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+# libdevmapper is available in meta-oe
+PACKAGECONFIG[nfsv41] = "--enable-nfsv41,--disable-nfsv41,libdevmapper,libdevmapper"
+# keyutils is available in meta-oe
+PACKAGECONFIG[nfsv4] = "--enable-nfsv4 --enable-nfsdcltrack,--disable-nfsv4 --disable-nfsdcltrack,keyutils,python3-core"
+PACKAGECONFIG[nfsdctl] = "--enable-nfsdctl,--disable-nfsdctl,libnl readline,"
+PACKAGECONFIG[systemd] = "--with-systemd=${systemd_unitdir}/system,--without-systemd"
+PACKAGES =+ "${PN}-client ${PN}-mount ${PN}-stats ${PN}-rpcctl"
+CONFFILES:${PN}-client += "${localstatedir}/lib/nfs/etab \
+                           ${localstatedir}/lib/nfs/rmtab \
+                           ${localstatedir}/lib/nfs/xtab \
+                           ${localstatedir}/lib/nfs/statd/state \
+                           ${sysconfdir}/idmapd.conf \
+                           ${sysconfdir}/nfs.conf \
+                           ${sysconfdir}/nfsmount.conf"
+FILES:${PN}-client = "${sbindir}/*statd \
+                      ${sbindir}/rpc.idmapd ${sbindir}/sm-notify \
+                      ${sbindir}/showmount ${sbindir}/nfsstat \
+                      ${sbindir}/rpc.gssd \
+                      ${sbindir}/nfsconf \
+                      ${libdir}/libnfsidmap.so.* \
+                      ${libdir}/libnfsidmap/*.so \
+                      ${libexecdir}/nfsrahead \
+                      ${localstatedir}/lib/nfs \
+                      ${sysconfdir}/idmapd.conf \
+                      ${sysconfdir}/init.d/nfscommon \
+                      ${sysconfdir}/nfs.conf \
+                      ${sysconfdir}/nfsmount.conf \
+                      ${systemd_system_unitdir}/auth-rpcgss-module.service \
+                      ${systemd_system_unitdir}/nfs-client.target \
+                      ${systemd_system_unitdir}/nfs-idmapd.service \
+                      ${systemd_system_unitdir}/nfs-statd.service \
+                      ${systemd_system_unitdir}/nfscommon.service \
+                      ${systemd_system_unitdir}/rpc-gssd.service \
+                      ${systemd_system_unitdir}/rpc-statd-notify.service \
+                      ${systemd_system_unitdir}/rpc-statd.service \
+                      ${systemd_system_unitdir}/rpc_pipefs.target \
+                      ${systemd_system_unitdir}/var-lib-nfs-rpc_pipefs.mount \
+                      ${nonarch_libdir}/udev/rules.d/*"
+RDEPENDS:${PN}-client = "${PN}-mount rpcbind"
+FILES:${PN}-mount = "${base_sbindir}/*mount.nfs*"
+FILES:${PN}-stats = "${sbindir}/mountstats ${sbindir}/nfsiostat ${sbindir}/nfsdclnts"
+RDEPENDS:${PN}-stats = "python3-core"
+FILES:${PN}-rpcctl = "${sbindir}/rpcctl"
+RDEPENDS:${PN}-rpcctl = "python3-core"
+FILES:${PN}-staticdev += "${libdir}/libnfsidmap/*.a"
+FILES:${PN} += "${systemd_unitdir} ${libdir}/libnfsidmap/ ${nonarch_libdir}/modprobe.d"
+do_configure:prepend() {
+        sed -i -e 's,sbindir = /sbin,sbindir = ${base_sbindir},g' \
+                -e 's,udev_rulesdir = /usr/lib/udev/rules.d/,udev_rulesdir = ${nonarch_base_libdir}/udev/rules.d/,g' \
+                ${S}/utils/mount/Makefile.am ${S}/utils/nfsdcltrack/Makefile.am \
+                ${S}/systemd/Makefile.am ${S}/tools/nfsrahead/Makefile.am
+}
+# Make clean needed because the package comes with
+# precompiled 64-bit objects that break the build
+do_compile:prepend() {
+        make clean
+}
+# Works on systemd only
+HIGH_RLIMIT_NOFILE ??= "4096"
+do_install:append () {
+        install -d ${D}${sysconfdir}/init.d
+        install -m 0755 ${UNPACKDIR}/nfsserver ${D}${sysconfdir}/init.d/nfsserver
+        install -m 0755 ${UNPACKDIR}/nfscommon ${D}${sysconfdir}/init.d/nfscommon
+        install -m 0644 ${S}/support/nfsidmap/idmapd.conf ${D}${sysconfdir}
+        install -m 0644 ${S}/nfs.conf ${D}${sysconfdir}
+        install -d ${D}${systemd_system_unitdir}
+        # Retain historical service name so old scripts keep working
+        ln -s rpc-statd.service ${D}${systemd_system_unitdir}/nfs-statd.service
+        # Add compatibility symlinks for the sysvinit scripts
+        ln -s nfs-server.service ${D}${systemd_system_unitdir}/nfsserver.service
+        ln -s /dev/null ${D}${systemd_system_unitdir}/nfscommon.service
+        # kernel code as of 3.8 hard-codes this path as a default
+        install -d ${D}/var/lib/nfs/v4recovery
+        # chown the directories and files
+        chown -R rpcuser:rpcuser ${D}${localstatedir}/lib/nfs/statd
+        chmod 0644 ${D}${localstatedir}/lib/nfs/statd/state
+}
diff --git a/meta/recipes-connectivity/ofono/ofono/0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch b/meta/recipes-connectivity/ofono/ofono/0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch
deleted file mode 100644
index 8a5a300adc..0000000000
--- a/meta/recipes-connectivity/ofono/ofono/0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 22b52db4842611ac31a356f023fc09595384e2ad Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Thu, 23 May 2019 18:11:22 -0700
-Subject: [PATCH] mbim: add an optional TEMP_FAILURE_RETRY macro copy
-Fixes build on musl which does not provide this macro
-Upstream-Status: Submitted [https://lists.ofono.org/pipermail/ofono/2019-May/019370.html]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
- drivers/mbimmodem/mbim-private.h | 9 +++++++++
- 1 file changed, 9 insertions(+)
-diff --git a/drivers/mbimmodem/mbim-private.h b/drivers/mbimmodem/mbim-private.h
-index e159235..51693ea 100644
--- a/drivers/mbimmodem/mbim-private.h
-+++ b/drivers/mbimmodem/mbim-private.h
-@@ -21,6 +21,15 @@
- 
- #define align_len(len, boundary) (((len)+(boundary)-1) & ~((boundary)-1))
- 
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) ({     \
-+  __typeof(expression) __result;              \
-+  do {                                        \
-+    __result = (expression);                  \
-+  } while (__result == -1 && errno == EINTR); \
-+  __result; })
-+#endif
-+
- enum mbim_control_message {
-        MBIM_OPEN_MSG = 0x1,
-        MBIM_CLOSE_MSG = 0x2,
-- 
-2.21.0
diff --git a/meta/recipes-connectivity/ofono/ofono_1.31.bb b/meta/recipes-connectivity/ofono/ofono_2.17.bb
index 7d0976ad7f..36bbe9439a 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.31.bb
+++ b/meta/recipes-connectivity/ofono/ofono_2.17.bb
@@ -2,49 +2,45 @@ SUMMARY = "open source telephony"
 DESCRIPTION = "oFono is a stack for mobile telephony devices on Linux. oFono supports speaking to telephony devices through specific drivers, or with generic AT commands."
 HOMEPAGE = "http://www.ofono.org"
 BUGTRACKER = "https://01.org/jira/browse/OF"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
-                    file://src/ofono.h;beginline=1;endline=20;md5=3ce17d5978ef3445def265b98899c2ee"
+                    file://src/ofono.h;beginline=1;endline=6;md5=13e42133935ceecfc9bcb547f256e277"
 DEPENDS = "dbus glib-2.0 udev mobile-broadband-provider-info ell"
-SRC_URI = "\
+SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
-    ${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
+           file://ofono \
-    file://ofono \
+           "
-    file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \
+SRC_URI[sha256sum] = "70bb50997d3a7657edf133355677f8e04b2158bcb031118a67b296107f6ea73e"
-"
-SRC_URI[md5sum] = "1c26340e3c6ed132cc812595081bb3dc"
-SRC_URI[sha256sum] = "a15c5d28096c10eb30e47a68b6dc2e7c4a5a99d7f4cfedf0b69624f33d859e9b"
 inherit autotools pkgconfig update-rc.d systemd gobject-introspection-data
 INITSCRIPT_NAME = "ofono"
 INITSCRIPT_PARAMS = "defaults 22"
-SYSTEMD_SERVICE_${PN} = "ofono.service"
+SYSTEMD_SERVICE:${PN} = "ofono.service"
 PACKAGECONFIG ??= "\
    ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
    ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez', '', d)} \
 "
-PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/,--with-systemdunitdir="
+PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_system_unitdir}/,--with-systemdunitdir="
 PACKAGECONFIG[bluez] = "--enable-bluetooth, --disable-bluetooth, bluez5"
 EXTRA_OECONF += "--enable-test --enable-external-ell"
-do_install_append() {
+do_install:append() {
-  install -d ${D}${sysconfdir}/init.d/
+    install -d ${D}${sysconfdir}/init.d/
-  install -m 0755 ${WORKDIR}/ofono ${D}${sysconfdir}/init.d/ofono
+    install -m 0755 ${UNPACKDIR}/ofono ${D}${sysconfdir}/init.d/ofono
 }
 PACKAGES =+ "${PN}-tests"
-FILES_${PN} += "${systemd_unitdir}"
+FILES:${PN} += "${systemd_unitdir}"
-FILES_${PN}-tests = "${libdir}/${BPN}/test"
+FILES:${PN}-tests = "${libdir}/${BPN}/test"
-RDEPENDS_${PN} += "dbus"
+RDEPENDS:${PN}-tests = "\
-RDEPENDS_${PN}-tests = "\
    python3-core \
    python3-dbus \
    ${@bb.utils.contains('GI_DATA_ENABLED', 'True', 'python3-pygobject', '', d)} \
 "
-RRECOMMENDS_${PN} += "kernel-module-tun mobile-broadband-provider-info"
+RRECOMMENDS:${PN} += "kernel-module-tun mobile-broadband-provider-info"
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
new file mode 100644
index 0000000000..f424288e37
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -0,0 +1,59 @@
+From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Mon, 11 Sep 2023 09:55:21 +0100
+Subject: [PATCH] regress/banner.sh: log input and output files on error
+Some test environments like yocto with qemu are seeing these
+tests failing. There may be additional error messages in the
+stderr of ssh cloent command. busybox cmp shows this error when
+first input file has less new line characters then second
+input file:
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+Logging the full banner.out will show what other error messages
+are captured in addition of the expected banner.
+Full log of a failing banner test runs is:
+run test banner.sh ...
+test banner: missing banner file
+test banner: size 0
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+banner size 0 mismatch
+test banner: size 10
+test banner: size 100
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+banner size 100 mismatch
+test banner: size 1000
+test banner: size 10000
+test banner: size 100000
+test banner: suppress banner (-q)
+FAIL:  banner
+return value: 1
+See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
+Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ regress/banner.sh | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/regress/banner.sh b/regress/banner.sh
+index a84feb5..de84957 100644
+--- a/regress/banner.sh
+++ b/regress/banner.sh
+@@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
+        verbose "test $tid: size $s"
+        ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+                cmp $OBJ/banner.in $OBJ/banner.out ) || \
+-               fail "banner size $s mismatch"
+               ( verbose "Contents of $OBJ/banner.in:"; cat $OBJ/banner.in; \
+                 verbose "Contents of $OBJ/banner.out:"; cat $OBJ/banner.out; \
+                 fail "banner size $s mismatch" )
+ done
+ 
+ trace "test suppress banner (-q)"
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
new file mode 100644
index 0000000000..360b62af34
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
@@ -0,0 +1,35 @@
+From 9dcccafe44ea17e972e7cddea205bbe9fe71d8d6 Mon Sep 17 00:00:00 2001
+From: Jose Quaresma <jose.quaresma@foundries.io>
+Date: Mon, 15 Jul 2024 18:43:08 +0100
+Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env
+The SSHAGENT_BIN was changed in [1] to SSH_BIN but
+the last one don't use the absolute path and consequently
+the function increase_datafile_size can loops forever
+if the binary not found.
+[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510]
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ regress/test-exec.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 8a00c72..2891f27 100644
+--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
+@@ -179,6 +179,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
+ fi
+ 
+ # Path to sshd must be absolute for rexec
+case "$SSH" in
+/*) ;;
+*) SSH=`which $SSH` ;;
+esac
+
+ case "$SSHD" in
+ /*) ;;
+ *) SSHD=`which $SSHD` ;;
diff --git a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
deleted file mode 100644
index b8402a4dee..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Adjust test cases to work with busybox.
- Replace dd parameter "obs" with "bs".
- Replace "head -<num>" with "head -n <num>".
-Signed-off-by: Maxin B. John <maxin.john@enea.com>
-Upstream-Status: Pending
-Index: openssh-7.6p1/regress/cipher-speed.sh
-===================================================================
--- openssh-7.6p1.orig/regress/cipher-speed.sh
-+++ openssh-7.6p1/regress/cipher-speed.sh
-@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for
-                printf "%-60s" "$c/$m:"
-                ( ${SSH} -o 'compression no' \
-                        -F $OBJ/ssh_proxy -m $m -c $c somehost \
-                       exec sh -c \'"dd of=/dev/null obs=32k"\' \
-+                       exec sh -c \'"dd of=/dev/null bs=32k"\' \
-                < ${DATA} ) 2>&1 | getbytes
- 
-                if [ $? -ne 0 ]; then
-Index: openssh-7.6p1/regress/transfer.sh
-===================================================================
--- openssh-7.6p1.orig/regress/transfer.sh
-+++ openssh-7.6p1/regress/transfer.sh
-@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY}           || fail "corrupted
- for s in 10 100 1k 32k 64k 128k 256k; do
-        trace "dd-size ${s}"
-        rm -f ${COPY}
-       dd if=$DATA obs=${s} 2> /dev/null | \
-+       dd if=$DATA bs=${s} 2> /dev/null | \
-                ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
-        if [ $? -ne 0 ]; then
-                fail "ssh cat $DATA failed"
-Index: openssh-7.6p1/regress/key-options.sh
-===================================================================
--- openssh-7.6p1.orig/regress/key-options.sh
-+++ openssh-7.6p1/regress/key-options.sh
-@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do
-        fi
- 
-        sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
-       from=`head -1 $authkeys | cut -f1 -d ' '`
-+       from=`head -n 1 $authkeys | cut -f1 -d ' '`
-        verbose "key option $from"
-        r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
-        if [ "$r" = "true" ]; then
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
deleted file mode 100644
index 20036da931..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
-From: Yuanjie Huang <yuanjie.huang@windriver.com>
-Date: Wed, 24 Aug 2016 03:15:43 +0000
-Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
-Pointer arithmatic results in implementation defined signed integer
-type, so that 's - src' in strlcpy and others may trigger signed overflow.
-In case of compilation by gcc or clang with -ftrapv option, the overflow
-would lead to program abort.
-Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
-Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
-Complete the fix
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
- openbsd-compat/strlcat.c | 10 +++++++---
- openbsd-compat/strlcpy.c |  8 ++++++--
- openbsd-compat/strnlen.c |  8 ++++++--
- 3 files changed, 19 insertions(+), 7 deletions(-)
-diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
-index bcc1b61..124e1e3 100644
--- a/openbsd-compat/strlcat.c
-+++ b/openbsd-compat/strlcat.c
-@@ -23,6 +23,7 @@
- 
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
- 
- /*
-  * Appends src to string dst of size siz (unlike strncat, siz is the
-@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
-        /* Find the end of dst and adjust bytes left but don't go past end */
-        while (n-- != 0 && *d != '\0')
-                d++;
-       dlen = d - dst;
-+       dlen = (uintptr_t)d - (uintptr_t)dst;
-        n = siz - dlen;
- 
-        if (n == 0)
-@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
-                s++;
-        }
-        *d = '\0';
-
-       return(dlen + (s - src));       /* count does not include NUL */
-+        /*
-+        * Cast pointers to unsigned type before calculation, to avoid signed
-+        * overflow when the string ends where the MSB has changed.
-+        */
-+       return (dlen + ((uintptr_t)s - (uintptr_t)src));        /* count does not include NUL */
- }
- 
- #endif /* !HAVE_STRLCAT */
-diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
-index b4b1b60..b06f374 100644
--- a/openbsd-compat/strlcpy.c
-+++ b/openbsd-compat/strlcpy.c
-@@ -23,6 +23,7 @@
- 
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
- 
- /*
-  * Copy src to string dst of size siz.  At most siz-1 characters
-@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
-                while (*s++)
-                        ;
-        }
-
-       return(s - src - 1);    /* count does not include NUL */
-+        /*
-+        * Cast pointers to unsigned type before calculation, to avoid signed
-+        * overflow when the string ends where the MSB has changed.
-+        */
-+       return ((uintptr_t)s - (uintptr_t)src - 1);     /* count does not include NUL */
- }
- 
- #endif /* !HAVE_STRLCPY */
-diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
-index 7ad3573..7040f1f 100644
--- a/openbsd-compat/strnlen.c
-+++ b/openbsd-compat/strnlen.c
-@@ -23,6 +23,7 @@
- #include <sys/types.h>
- 
- #include <string.h>
-+#include <stdint.h>
- 
- size_t
- strnlen(const char *str, size_t maxlen)
-@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
- 
-        for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
-                ;
-
-       return (size_t)(cp - str);
-+        /*
-+        * Cast pointers to unsigned type before calculation, to avoid signed
-+        * overflow when the string ends where the MSB has changed.
-+        */
-+       return (size_t)((uintptr_t)cp - (uintptr_t)str);
- }
- #endif
-- 
-2.17.1
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest
index ae03e929b2..c9100f9f37 100755
--- a/meta/recipes-connectivity/openssh/openssh/run-ptest
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,11 +1,26 @@
 #!/bin/sh
+export TEST_SSH_SSH=ssh
 export TEST_SHELL=sh
 export SKIP_UNIT=1
 cd regress
+# copied from openssh-portable/.github/run_test.sh
+output_failed_logs() {
+    for i in failed*.log; do
+        if [ -f "$i" ]; then
+            echo -------------------------------------------------------------------------
+            echo LOGFILE $i
+            cat $i
+            echo -------------------------------------------------------------------------
+        fi
+    done
+}
+trap output_failed_logs 0
 sed -i "/\t\tagent-ptrace /d" Makefile
-make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \
+make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="" tests \
        | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g'
 SSHAGENT=`which ssh-agent`
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
index e0d023803e..cb2774a163 100644
--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $
+#       $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -17,11 +17,11 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
-Host *
+Include /etc/ssh/ssh_config.d/*.conf
-  ForwardAgent yes
-  ForwardX11 yes
+# Host *
-#   RhostsRSAAuthentication no
+#   ForwardAgent no
-#   RSAAuthentication yes
+#   ForwardX11 no
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
@@ -36,7 +36,6 @@ Host *
 #   IdentityFile ~/.ssh/id_ecdsa
 #   IdentityFile ~/.ssh/id_ed25519
 #   Port 22
-#   Protocol 2
 #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
 #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
 #   EscapeChar ~
@@ -46,3 +45,4 @@ Host *
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd b/meta/recipes-connectivity/openssh/openssh/sshd
index 4882e58b48..cf675a4dad 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd
+++ b/meta/recipes-connectivity/openssh/openssh/sshd
@@ -7,4 +7,4 @@ password   include      common-password
 session    optional     pam_keyinit.so force revoke
 session    include      common-session
 session    required     pam_loginuid.so
+session    required     pam_env.so
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service
new file mode 100644
index 0000000000..c71fff1cc1
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=OpenSSH server daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+After=nss-user-lookup.target
+[Service]
+Type=notify-reload
+Environment="SSHD_OPTS="
+EnvironmentFile=-/etc/default/ssh
+ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
+ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
+KillMode=process
+Restart=on-failure
+RestartSec=42s
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 8d76d62309..7dd2ed0626 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,6 +1,7 @@
 [Unit]
 Conflicts=sshd.service
 Wants=sshdgenkeys.service
+After=nss-user-lookup.target
 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index 1931dc7153..bbb6a14908 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -6,8 +6,9 @@ generate_key() {
    local DIR="$(dirname "$FILE")"
    mkdir -p "$DIR"
+    rm -f ${FILE}.tmp
    ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
+    chmod go-rwx "$FILE.tmp"
    # Atomically rename file public key
    mv -f "${FILE}.tmp.pub" "${FILE}.pub"
@@ -56,8 +57,7 @@ while true ; do
    esac
 done
-HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
+HOST_KEYS=$(sshd -G -f "${sshd_config}" | grep -i '^hostkey ' | cut -f2 -d' ')
-[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
 for key in ${HOST_KEYS} ; do
    [ -f $key ] && continue
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
index 15f061b570..e9eaf93157 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
+#       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -10,6 +10,8 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
+Include /etc/ssh/sshd_config.d/*.conf
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
@@ -57,9 +59,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
-# Change to yes to enable challenge-response passwords (beware issues with
+# Change to yes to enable keyboard-interactive authentication (beware issues
-# some PAM modules and threads)
+# with some PAM modules and threads)
-ChallengeResponseAuthentication no
+KbdInteractiveAuthentication no
 # Kerberos options
 #KerberosAuthentication no
@@ -73,13 +75,13 @@ ChallengeResponseAuthentication no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
+# PAM authentication via KbdInteractiveAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 #UsePAM no
 #AllowAgentForwarding yes
@@ -92,7 +94,6 @@ ChallengeResponseAuthentication no
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
 #PermitUserEnvironment no
 Compression no
 ClientAliveInterval 15
diff --git a/meta/recipes-connectivity/openssh/openssh_10.0p1.bb b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
new file mode 100644
index 0000000000..a044aec063
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
@@ -0,0 +1,224 @@
+SUMMARY = "A suite of security-related network utilities based on \
+the SSH protocol including the ssh client and sshd server"
+DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \
+Ssh (Secure Shell) is a program for logging into a remote machine \
+and for executing commands on a remote machine."
+HOMEPAGE = "http://www.openssh.com/"
+SECTION = "console/network"
+LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT"
+LIC_FILES_CHKSUM = "file://LICENCE;md5=78ffb36e5a48c0d8c5648603a3b6c8eb"
+DEPENDS = "zlib openssl virtual/crypt"
+DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
+           file://sshd_config \
+           file://ssh_config \
+           file://init \
+           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+           file://sshd.service \
+           file://sshd.socket \
+           file://sshd@.service \
+           file://sshdgenkeys.service \
+           file://volatiles.99_sshd \
+           file://run-ptest \
+           file://sshd_check_keys \
+           file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
+           file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
+           "
+SRC_URI[sha256sum] = "021a2e709a0edf4250b1256bd5a9e500411a90dddabea830ed59cef90eb9d85c"
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
+# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
+# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
+CVE_STATUS[CVE-2023-51767] = "upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1."
+PAM_SRC_URI = "file://sshd"
+inherit manpages useradd update-rc.d update-alternatives systemd
+USERADD_PACKAGES = "${PN}-sshd"
+USERADD_PARAM:${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
+INITSCRIPT_PACKAGES = "${PN}-sshd"
+INITSCRIPT_NAME:${PN}-sshd = "sshd"
+INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9"
+SYSTEMD_PACKAGES = "${PN}-sshd"
+SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
+inherit autotools-brokensep ptest pkgconfig
+# systemd-sshd-socket-mode means installing sshd.socket
+# and systemd-sshd-service-mode corresponding to sshd.service
+PACKAGECONFIG ??= "systemd-sshd-socket-mode hostkey-ecdsa"
+PACKAGECONFIG[fido2] = "--with-security-key-builtin,--disable-security-key,libfido2"
+PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
+PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
+PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
+PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
+PACKAGECONFIG[systemd-sshd-socket-mode] = ""
+PACKAGECONFIG[systemd-sshd-service-mode] = ""
+PACKAGECONFIG[hostkey-rsa] = ""
+PACKAGECONFIG[hostkey-ecdsa] = ""
+PACKAGECONFIG[hostkey-ed25519] = ""
+EXTRA_AUTORECONF += "--exclude=aclocal"
+# login path is hardcoded in sshd
+EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
+                ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
+                --without-zlib-version-check \
+                --with-privsep-path=${localstatedir}/run/sshd \
+                --sysconfdir=${sysconfdir}/ssh \
+                --with-xauth=${bindir}/xauth \
+                --disable-strip \
+                "
+# musl doesn't implement wtmp/utmp and logwtmp
+EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
+# Work around ICE on mips/mips64 starting in 9.6p1
+EXTRA_OECONF:append:mips = " --without-hardening"
+EXTRA_OECONF:append:mips64 = " --without-hardening"
+# Work around ICE on powerpc64le starting in 9.6p1
+EXTRA_OECONF:append:powerpc64le = " --without-hardening"
+# Since we do not depend on libbsd, we do not want configure to use it
+# just because it finds libutil.h.  But, specifying --disable-libutil
+# causes compile errors, so...
+CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no"
+# passwd path is hardcoded in sshd
+CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
+# We don't want to depend on libblockfile
+CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
+do_configure:prepend () {
+        export LD="${CC}"
+        install -m 0644 ${UNPACKDIR}/sshd_config ${B}/
+        install -m 0644 ${UNPACKDIR}/ssh_config ${B}/
+}
+do_compile_ptest() {
+        oe_runmake regress-binaries regress-unit-binaries
+}
+sshd_hostkey_setup() {
+        # Enable specific ssh host keys
+        sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+                echo "HostKey /etc/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+                echo "HostKey /etc/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+                echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config
+        fi
+        sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+                echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+                echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+                echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        fi
+}
+do_install:append () {
+        if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
+                install -D -m 0644 ${UNPACKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
+                sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
+        fi
+        if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
+                sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config
+        fi
+        install -d ${D}${sysconfdir}/init.d
+        install -m 0755 ${UNPACKDIR}/init ${D}${sysconfdir}/init.d/sshd
+        rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
+        rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
+        install -d ${D}/${sysconfdir}/default/volatiles
+        install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
+        install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
+        # Create config files for read-only rootfs
+        install -d ${D}${sysconfdir}/ssh
+        install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
+        install -d ${D}${systemd_system_unitdir}
+        if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
+            install -c -m 0644 ${UNPACKDIR}/sshd.socket ${D}${systemd_system_unitdir}
+            install -c -m 0644 ${UNPACKDIR}/sshd@.service ${D}${systemd_system_unitdir}
+            sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
+                    -e 's,@SBINDIR@,${sbindir},g' \
+                    -e 's,@BINDIR@,${bindir},g' \
+                    -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+            ${D}${systemd_system_unitdir}/sshd.socket
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','true','false',d)}; then
+            install -c -m 0644 ${UNPACKDIR}/sshd.service ${D}${systemd_system_unitdir}
+        fi
+        install -c -m 0644 ${UNPACKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
+        sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
+                -e 's,@SBINDIR@,${sbindir},g' \
+                -e 's,@BINDIR@,${bindir},g' \
+                -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+                ${D}${systemd_system_unitdir}/*.service
+        sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+                ${D}${sysconfdir}/init.d/sshd
+        install -D -m 0755 ${UNPACKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
+        sshd_hostkey_setup
+}
+do_install_ptest () {
+        sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh
+        cp -r regress ${D}${PTEST_PATH}
+        cp config.h ${D}${PTEST_PATH}
+}
+ALLOW_EMPTY:${PN} = "1"
+PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
+FILES:${PN}-scp = "${bindir}/scp.${BPN}"
+FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
+FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
+FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
+FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys ${libexecdir}/sshd-auth"
+FILES:${PN}-sftp = "${bindir}/sftp"
+FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
+FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
+FILES:${PN}-keygen = "${bindir}/ssh-keygen"
+RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server"
+RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
+# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
+RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed coreutils openssl-bin"
+RPROVIDES:${PN}-ssh = "ssh"
+RPROVIDES:${PN}-sshd = "sshd"
+RCONFLICTS:${PN} = "dropbear"
+RCONFLICTS:${PN}-sshd = "dropbear"
+CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
+CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
+ALTERNATIVE_PRIORITY = "90"
+ALTERNATIVE:${PN}-scp = "scp"
+ALTERNATIVE:${PN}-ssh = "ssh"
+BBCLASSEXTEND += "nativesdk"
diff --git a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb b/meta/recipes-connectivity/openssh/openssh_8.4p1.bb
deleted file mode 100644
index 676a8a6533..0000000000
--- a/meta/recipes-connectivity/openssh/openssh_8.4p1.bb
+++ /dev/null
@@ -1,179 +0,0 @@
-SUMMARY = "A suite of security-related network utilities based on \
-the SSH protocol including the ssh client and sshd server"
-DESCRIPTION = "Secure rlogin/rsh/rcp/telnet replacement (OpenSSH) \
-Ssh (Secure Shell) is a program for logging into a remote machine \
-and for executing commands on a remote machine."
-HOMEPAGE = "http://www.openssh.com/"
-SECTION = "console/network"
-LICENSE = "BSD & ISC & MIT"
-LIC_FILES_CHKSUM = "file://LICENCE;md5=18d9e5a8b3dd1790d73502f50426d4d3"
-DEPENDS = "zlib openssl virtual/crypt"
-DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
-SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
-           file://sshd_config \
-           file://ssh_config \
-           file://init \
-           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
-           file://sshd.socket \
-           file://sshd@.service \
-           file://sshdgenkeys.service \
-           file://volatiles.99_sshd \
-           file://run-ptest \
-           file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
-           file://sshd_check_keys \
-           file://add-test-support-for-busybox.patch \
-           "
-SRC_URI[sha256sum] = "5a01d22e407eb1c05ba8a8f7c654d388a13e9f226e4ed33bd38748dafa1d2b24"
-# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
-# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_WHITELIST += "CVE-2014-9278"
-PAM_SRC_URI = "file://sshd"
-inherit manpages useradd update-rc.d update-alternatives systemd
-USERADD_PACKAGES = "${PN}-sshd"
-USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
-INITSCRIPT_PACKAGES = "${PN}-sshd"
-INITSCRIPT_NAME_${PN}-sshd = "sshd"
-INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
-SYSTEMD_PACKAGES = "${PN}-sshd"
-SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
-inherit autotools-brokensep ptest
-PACKAGECONFIG ??= "rng-tools"
-PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
-PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
-PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
-PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
-# Add RRECOMMENDS to rng-tools for sshd package
-PACKAGECONFIG[rng-tools] = ""
-EXTRA_AUTORECONF += "--exclude=aclocal"
-# login path is hardcoded in sshd
-EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
-                ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
-                --without-zlib-version-check \
-                --with-privsep-path=${localstatedir}/run/sshd \
-                --sysconfdir=${sysconfdir}/ssh \
-                --with-xauth=${bindir}/xauth \
-                --disable-strip \
-                "
-# musl doesn't implement wtmp/utmp
-EXTRA_OECONF_append_libc-musl = " --disable-wtmp"
-# Since we do not depend on libbsd, we do not want configure to use it
-# just because it finds libutil.h.  But, specifying --disable-libutil
-# causes compile errors, so...
-CACHED_CONFIGUREVARS += "ac_cv_header_bsd_libutil_h=no ac_cv_header_libutil_h=no"
-# passwd path is hardcoded in sshd
-CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
-# We don't want to depend on libblockfile
-CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
-do_configure_prepend () {
-        export LD="${CC}"
-        install -m 0644 ${WORKDIR}/sshd_config ${B}/
-        install -m 0644 ${WORKDIR}/ssh_config ${B}/
-}
-do_compile_ptest() {
-        # skip regress/unittests/ binaries: this will silently skip
-        # unittests in run-ptests which is good because they are so slow.
-        oe_runmake regress/modpipe regress/setuid-allowed regress/netcat \
-                   regress/check-perm regress/mkdtemp
-}
-do_install_append () {
-        if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
-                install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
-                sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
-        fi
-        if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
-                sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config
-        fi
-        install -d ${D}${sysconfdir}/init.d
-        install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
-        rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
-        rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
-        install -d ${D}/${sysconfdir}/default/volatiles
-        install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
-        install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
-        # Create config files for read-only rootfs
-        install -d ${D}${sysconfdir}/ssh
-        install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
-        sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
-        echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
-        echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
-        echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
-        install -d ${D}${systemd_unitdir}/system
-        install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system
-        install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system
-        install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system
-        sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
-                -e 's,@SBINDIR@,${sbindir},g' \
-                -e 's,@BINDIR@,${bindir},g' \
-                -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
-                ${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service
-        sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
-                ${D}${sysconfdir}/init.d/sshd
-        install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
-}
-do_install_ptest () {
-        sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh
-        cp -r regress ${D}${PTEST_PATH}
-}
-ALLOW_EMPTY_${PN} = "1"
-PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
-FILES_${PN}-scp = "${bindir}/scp.${BPN}"
-FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
-FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system"
-FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
-FILES_${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
-FILES_${PN}-sftp = "${bindir}/sftp"
-FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
-FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
-FILES_${PN}-keygen = "${bindir}/ssh-keygen"
-RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
-RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
-RRECOMMENDS_${PN}-sshd_append_class-target = "\
-    ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
-"
-# gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
-RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
-RPROVIDES_${PN}-ssh = "ssh"
-RPROVIDES_${PN}-sshd = "sshd"
-RCONFLICTS_${PN} = "dropbear"
-RCONFLICTS_${PN}-sshd = "dropbear"
-CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
-CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
-ALTERNATIVE_PRIORITY = "90"
-ALTERNATIVE_${PN}-scp = "scp"
-ALTERNATIVE_${PN}-ssh = "ssh"
-BBCLASSEXTEND += "nativesdk"
diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
index b9cc24a7ac..71d378734c 100644
--- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1 +1,24 @@
-export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
+export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/openssl.cnf"
+export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
+export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES"
+# Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools
+# CAFILE/CAPATH is auto-deteced when source buildtools
+if [ -z "$SSL_CERT_FILE" ]; then
+        if [ -n "$CAFILE" ];then
+                export SSL_CERT_FILE="$CAFILE"
+        elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+                export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt"
+        fi
+fi
+if [ -z "$SSL_CERT_DIR" ]; then
+        if [ -n "$CAPATH" ];then
+                export SSL_CERT_DIR="$CAPATH"
+        elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+                export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs"
+        fi
+fi
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} SSL_CERT_DIR SSL_CERT_FILE"
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
new file mode 100644
index 0000000000..5b7365a353
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -0,0 +1,367 @@
+From 5ba65051fea0513db0d997f0ab7cafb9826ed74a Mon Sep 17 00:00:00 2001
+From: William Lyu <William.Lyu@windriver.com>
+Date: Fri, 20 Oct 2023 16:22:37 -0400
+Subject: [PATCH] Added handshake history reporting when test fails
+Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
+Signed-off-by: William Lyu <William.Lyu@windriver.com>
+---
+ test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++----------
+ test/helpers/handshake.h |  70 +++++++++++++++++++-
+ test/ssl_test.c          |  44 +++++++++++++
+ 3 files changed, 217 insertions(+), 34 deletions(-)
+diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
+index f611b3a..5703b48 100644
+--- a/test/helpers/handshake.c
+++ b/test/helpers/handshake.c
+@@ -25,6 +25,102 @@
+ #include <netinet/sctp.h>
+ #endif
+ 
+/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
+/* Maps string names to various enumeration type */
+typedef struct {
+    const char *name;
+    int value;
+} enum_name_map;
+
+static const enum_name_map connect_phase_names[] = {
+    {"Handshake", HANDSHAKE},
+    {"RenegAppData", RENEG_APPLICATION_DATA},
+    {"RenegSetup", RENEG_SETUP},
+    {"RenegHandshake", RENEG_HANDSHAKE},
+    {"AppData", APPLICATION_DATA},
+    {"Shutdown", SHUTDOWN},
+    {"ConnectionDone", CONNECTION_DONE}
+};
+
+static const enum_name_map peer_status_names[] = {
+    {"PeerSuccess", PEER_SUCCESS},
+    {"PeerRetry", PEER_RETRY},
+    {"PeerError", PEER_ERROR},
+    {"PeerWaiting", PEER_WAITING},
+    {"PeerTestFail", PEER_TEST_FAILURE}
+};
+
+static const enum_name_map handshake_status_names[] = {
+    {"HandshakeSuccess", HANDSHAKE_SUCCESS},
+    {"ClientError", CLIENT_ERROR},
+    {"ServerError", SERVER_ERROR},
+    {"InternalError", INTERNAL_ERROR},
+    {"HandshakeRetry", HANDSHAKE_RETRY}
+};
+
+/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
+static const char *enum_name(const enum_name_map *enums, size_t num_enums,
+                             int value)
+{
+    size_t i;
+    for (i = 0; i < num_enums; i++) {
+        if (enums[i].value == value) {
+            return enums[i].name;
+        }
+    }
+    return "InvalidValue";
+}
+
+const char *handshake_connect_phase_name(connect_phase_t phase)
+{
+    return enum_name(connect_phase_names, OSSL_NELEM(connect_phase_names),
+                     (int)phase);
+}
+
+const char *handshake_status_name(handshake_status_t handshake_status)
+{
+    return enum_name(handshake_status_names, OSSL_NELEM(handshake_status_names),
+                     (int)handshake_status);
+}
+
+const char *handshake_peer_status_name(peer_status_t peer_status)
+{
+    return enum_name(peer_status_names, OSSL_NELEM(peer_status_names),
+                     (int)peer_status);
+}
+
+static void save_loop_history(HANDSHAKE_HISTORY *history,
+                              connect_phase_t phase,
+                              handshake_status_t handshake_status,
+                              peer_status_t server_status,
+                              peer_status_t client_status,
+                              int client_turn_count,
+                              int is_client_turn)
+{
+    HANDSHAKE_HISTORY_ENTRY *new_entry = NULL;
+
+    /*
+     * Create a new history entry for a handshake loop with statuses given in
+     * the arguments. Potentially evicting the oldest entry when the
+     * ring buffer is full.
+     */
+    ++(history->last_idx);
+    history->last_idx &= MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
+
+    new_entry = &((history->entries)[history->last_idx]);
+    new_entry->phase = phase;
+    new_entry->handshake_status = handshake_status;
+    new_entry->server_status = server_status;
+    new_entry->client_status = client_status;
+    new_entry->client_turn_count = client_turn_count;
+    new_entry->is_client_turn = is_client_turn;
+
+    /* Evict the oldest handshake loop entry when the ring buffer is full. */
+    if (history->entry_count < MAX_HANDSHAKE_HISTORY_ENTRY) {
+        ++(history->entry_count);
+    }
+}
+
+ HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
+ {
+     HANDSHAKE_RESULT *ret;
+@@ -726,15 +822,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
+         SSL_set_post_handshake_auth(client, 1);
+ }
+ 
+-/* The status for each connection phase. */
+-typedef enum {
+-    PEER_SUCCESS,
+-    PEER_RETRY,
+-    PEER_ERROR,
+-    PEER_WAITING,
+-    PEER_TEST_FAILURE
+-} peer_status_t;
+-
+ /* An SSL object and associated read-write buffers. */
+ typedef struct peer_st {
+     SSL *ssl;
+@@ -1081,17 +1168,6 @@ static void do_shutdown_step(PEER *peer)
+     }
+ }
+ 
+-typedef enum {
+-    HANDSHAKE,
+-    RENEG_APPLICATION_DATA,
+-    RENEG_SETUP,
+-    RENEG_HANDSHAKE,
+-    APPLICATION_DATA,
+-    SHUTDOWN,
+-    CONNECTION_DONE
+-} connect_phase_t;
+-
+-
+ static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
+ {
+     switch (test_ctx->handshake_mode) {
+@@ -1169,19 +1245,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
+     }
+ }
+ 
+-typedef enum {
+-    /* Both parties succeeded. */
+-    HANDSHAKE_SUCCESS,
+-    /* Client errored. */
+-    CLIENT_ERROR,
+-    /* Server errored. */
+-    SERVER_ERROR,
+-    /* Peers are in inconsistent state. */
+-    INTERNAL_ERROR,
+-    /* One or both peers not done. */
+-    HANDSHAKE_RETRY
+-} handshake_status_t;
+-
+ /*
+  * Determine the handshake outcome.
+  * last_status: the status of the peer to have acted last.
+@@ -1546,6 +1609,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+ 
+     start = time(NULL);
+ 
+    save_loop_history(&(ret->history),
+                      phase, status, server.status, client.status,
+                      client_turn_count, client_turn);
+
+     /*
+      * Half-duplex handshake loop.
+      * Client and server speak to each other synchronously in the same process.
+@@ -1567,6 +1634,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+                                       0 /* server went last */);
+         }
+ 
+        save_loop_history(&(ret->history),
+                          phase, status, server.status, client.status,
+                          client_turn_count, client_turn);
+
+         switch (status) {
+         case HANDSHAKE_SUCCESS:
+             client_turn_count = 0;
+diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
+index 78b03f9..b9967c2 100644
+--- a/test/helpers/handshake.h
+++ b/test/helpers/handshake.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -12,6 +12,11 @@
+ 
+ #include "ssl_test_ctx.h"
+ 
+#define MAX_HANDSHAKE_HISTORY_ENTRY_BIT 4
+#define MAX_HANDSHAKE_HISTORY_ENTRY (1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT)
+#define MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK \
+    ((1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT) - 1)
+
+ typedef struct ctx_data_st {
+     unsigned char *npn_protocols;
+     size_t npn_protocols_len;
+@@ -22,6 +27,63 @@ typedef struct ctx_data_st {
+     char *session_ticket_app_data;
+ } CTX_DATA;
+ 
+typedef enum {
+    HANDSHAKE,
+    RENEG_APPLICATION_DATA,
+    RENEG_SETUP,
+    RENEG_HANDSHAKE,
+    APPLICATION_DATA,
+    SHUTDOWN,
+    CONNECTION_DONE
+} connect_phase_t;
+
+/* The status for each connection phase. */
+typedef enum {
+    PEER_SUCCESS,
+    PEER_RETRY,
+    PEER_ERROR,
+    PEER_WAITING,
+    PEER_TEST_FAILURE
+} peer_status_t;
+
+typedef enum {
+    /* Both parties succeeded. */
+    HANDSHAKE_SUCCESS,
+    /* Client errored. */
+    CLIENT_ERROR,
+    /* Server errored. */
+    SERVER_ERROR,
+    /* Peers are in inconsistent state. */
+    INTERNAL_ERROR,
+    /* One or both peers not done. */
+    HANDSHAKE_RETRY
+} handshake_status_t;
+
+/* Stores the various status information in a handshake loop. */
+typedef struct handshake_history_entry_st {
+    connect_phase_t phase;
+    handshake_status_t handshake_status;
+    peer_status_t server_status;
+    peer_status_t client_status;
+    int client_turn_count;
+    int is_client_turn;
+} HANDSHAKE_HISTORY_ENTRY;
+
+typedef struct handshake_history_st {
+    /* Implemented using ring buffer. */
+    /*
+     * The valid entries are |entries[last_idx]|, |entries[last_idx-1]|,
+     * ..., etc., going up to |entry_count| number of entries. Note that when
+     * the index into the array |entries| becomes < 0, we wrap around to
+     * the end of |entries|.
+     */
+    HANDSHAKE_HISTORY_ENTRY entries[MAX_HANDSHAKE_HISTORY_ENTRY];
+    /* The number of valid entries in |entries| array. */
+    size_t entry_count;
+    /* The index of the last valid entry in the |entries| array. */
+    size_t last_idx;
+} HANDSHAKE_HISTORY;
+
+ typedef struct handshake_result {
+     ssl_test_result_t result;
+     /* These alerts are in the 2-byte format returned by the info_callback. */
+@@ -77,6 +139,8 @@ typedef struct handshake_result {
+     char *cipher;
+     /* session ticket application data */
+     char *result_session_ticket_app_data;
+    /* handshake loop history */
+    HANDSHAKE_HISTORY history;
+ } HANDSHAKE_RESULT;
+ 
+ HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
+@@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
+                                     CTX_DATA *server2_ctx_data,
+                                     CTX_DATA *client_ctx_data);
+ 
+const char *handshake_connect_phase_name(connect_phase_t phase);
+const char *handshake_status_name(handshake_status_t handshake_status);
+const char *handshake_peer_status_name(peer_status_t peer_status);
+
+ #endif  /* OSSL_TEST_HANDSHAKE_HELPER_H */
+diff --git a/test/ssl_test.c b/test/ssl_test.c
+index ea60851..9d6b093 100644
+--- a/test/ssl_test.c
+++ b/test/ssl_test.c
+@@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
+ /* Currently the section names are of the form test-<number>, e.g. test-15. */
+ #define MAX_TESTCASE_NAME_LENGTH 100
+ 
+static void print_handshake_history(const HANDSHAKE_HISTORY *history)
+{
+    size_t first_idx;
+    size_t i;
+    size_t cur_idx;
+    const HANDSHAKE_HISTORY_ENTRY *cur_entry;
+    const char header_template[] = "|%14s|%16s|%16s|%16s|%17s|%14s|";
+    const char body_template[]   = "|%14s|%16s|%16s|%16s|%17d|%14s|";
+
+    TEST_info("The following is the server/client state "
+              "in the most recent %d handshake loops.",
+              MAX_HANDSHAKE_HISTORY_ENTRY);
+
+    TEST_note("=================================================="
+              "==================================================");
+    TEST_note(header_template,
+              "phase", "handshake status", "server status",
+              "client status", "client turn count", "is client turn");
+    TEST_note("+--------------+----------------+----------------"
+              "+----------------+-----------------+--------------+");
+
+    first_idx = (history->last_idx - history->entry_count + 1) &
+                MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
+    for (i = 0; i < history->entry_count; ++i) {
+        cur_idx = (first_idx + i) & MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
+        cur_entry = &(history->entries)[cur_idx];
+        TEST_note(body_template,
+                  handshake_connect_phase_name(cur_entry->phase),
+                  handshake_status_name(cur_entry->handshake_status),
+                  handshake_peer_status_name(cur_entry->server_status),
+                  handshake_peer_status_name(cur_entry->client_status),
+                  cur_entry->client_turn_count,
+                  cur_entry->is_client_turn ? "true" : "false");
+    }
+    TEST_note("=================================================="
+              "==================================================");
+}
+
+ static const char *print_alert(int alert)
+ {
+     return alert ? SSL_alert_desc_string_long(alert) : "no alert";
+@@ -388,6 +426,12 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+         ret &= check_client_sign_type(result, test_ctx);
+         ret &= check_client_ca_names(result, test_ctx);
+     }
+
+    /* Print handshake loop history if any check fails. */
+    if (!ret) {
+        print_handshake_history(&(result->history));
+    }
+
+     return ret;
+ }
+--
+2.25.1
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
new file mode 100644
index 0000000000..7043188973
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -0,0 +1,39 @@
+From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Tue, 30 May 2023 09:11:27 -0700
+Subject: [PATCH] Configure: do not tweak mips cflags
+This conflicts with mips machine definitons from yocto,
+e.g.
+| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+Refreshed for openssl-3.1.1
+Signed-off-by: Tim Orling <tim.orling@konsulko.com>
+---
+ Configure | 10 ----------
+ 1 file changed, 10 deletions(-)
+diff --git a/Configure b/Configure
+index fff97bd..5ee54c1 100755
+--- a/Configure
+++ b/Configure
+@@ -1551,16 +1551,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+         push @{$config{shared_ldflag}}, "-mno-cygwin";
+         }
+ 
+-if ($target =~ /linux.*-mips/ && !$disabled{asm}
+-        && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+-        # minimally required architecture flags for assembly modules
+-        my $value;
+-        $value = '-mips2' if ($target =~ /mips32/);
+-        $value = '-mips3' if ($target =~ /mips64/);
+-        unshift @{$config{cflags}}, $value;
+-        unshift @{$config{cxxflags}}, $value if $config{CXX};
+-}
+-
+ # If threads aren't disabled, check how possible they are
+ unless ($disabled{threads}) {
+     if ($auto_threads) {
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index 949c788344..687d682976 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -1,4 +1,4 @@
-From 3e1d00481093e10775eaf69d619c45b32a4aa7dc Mon Sep 17 00:00:00 2001
+From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <martin@geanix.com>
 Date: Tue, 6 Nov 2018 14:50:47 +0100
 Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler
@@ -21,34 +21,43 @@ https://patchwork.openembedded.org/patch/147229/
 Upstream-Status: Inappropriate [OE specific]
 Signed-off-by: Martin Hundebøll <martin@geanix.com>
 Update to fix buildpaths qa issue for '-fmacro-prefix-map'.
 Signed-off-by: Kai Kang <kai.kang@windriver.com>
+Update to fix buildpaths qa issue for '-ffile-prefix-map'.
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
- Configurations/unix-Makefile.tmpl | 10 +++++++++-
+ Configurations/unix-Makefile.tmpl | 16 +++++++++++++++-
 crypto/build.info                 |  2 +-
- 2 files changed, 10 insertions(+), 2 deletions(-)
+ 2 files changed, 16 insertions(+), 2 deletions(-)
 diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 16af4d2087..54c162784c 100644
+index 09303c4..011bda1 100644
 --- a/Configurations/unix-Makefile.tmpl
 +++ b/Configurations/unix-Makefile.tmpl
-@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+@@ -502,13 +502,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
                          '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
 BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
 
 -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h
 +# *_Q variables are used for one thing only: to build up buildinf.h
 CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g;
+              $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g;
               $cppflags2 =~ s|([\\"])|\\$1|g;
+              $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g;
               $lib_cppflags =~ s|([\\"])|\\$1|g;
+              $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g;
               join(' ', $lib_cppflags || (), $cppflags2 || (),
                         $cppflags1 || ()) -}
 
 +CFLAGS_Q={- for (@{$config{CFLAGS}}) {
 +              s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
 +              s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
+              s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
+              s|-isystem/[^ ]+/usr/include ||g;
 +            }
 +            join(' ', @{$config{CFLAGS}}) -}
 +
@@ -59,18 +68,15 @@ index 16af4d2087..54c162784c 100644
 
 # For x86 assembler: Set PROCESSOR to 386 if you want to support
 diff --git a/crypto/build.info b/crypto/build.info
-index b515b7318e..8c9cee2a09 100644
+index aee5c46..95c9577 100644
 --- a/crypto/build.info
 +++ b/crypto/build.info
-@@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
+@@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
-         ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
 
+ DEPEND[info.o]=buildinf.h
 DEPEND[cversion.o]=buildinf.h
 -GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
 +GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)"
- DEPEND[buildinf.h]=../configdata.pm
 
- GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
+ GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
-- 
+ GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl
-2.19.1
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch b/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch
deleted file mode 100644
index d8d9651b64..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a9401b2289656c5a36dd1b0ecebf0d23e291ce70 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 2 Oct 2018 23:58:24 +0800
-Subject: [PATCH] skip test_symbol_presence
-We cannot skip `01-test_symbol_presence.t' by configuring option `no-shared'
-as INSTALL told us the shared libraries will not be built.
-[INSTALL snip]
- Notes on shared libraries
- -------------------------
- For most systems the OpenSSL Configure script knows what is needed to
- build shared libraries for libcrypto and libssl. On these systems
- the shared libraries will be created by default. This can be suppressed and
- only static libraries created by using the "no-shared" option. On systems
- where OpenSSL does not know how to build shared libraries the "no-shared"
- option will be forced and only static libraries will be created.
-[INSTALL snip]
-Hence directly modification the case to skip it.
-Upstream-Status: Inappropriate [OE Specific]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
- test/recipes/01-test_symbol_presence.t | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
-index 7f2a2d7..0b93745 100644
--- a/test/recipes/01-test_symbol_presence.t
-+++ b/test/recipes/01-test_symbol_presence.t
-@@ -14,8 +14,7 @@ use OpenSSL::Test::Utils;
- 
- setup("test_symbol_presence");
- 
-plan skip_all => "Only useful when building shared libraries"
-    if disabled("shared");
-+plan skip_all => "The case needs debug symbols then we just disable it";
- 
- my @libnames = ("crypto", "ssl");
- my $testcount = scalar @libnames;
-- 
-2.7.4
diff --git a/meta/recipes-connectivity/openssl/openssl/afalg.patch b/meta/recipes-connectivity/openssl/openssl/afalg.patch
deleted file mode 100644
index b7c0e9697f..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/afalg.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Don't refuse to build afalgeng if cross-compiling or the host kernel is too old.
-Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688]
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-diff --git a/Configure b/Configure
-index 3baa8ce..9ef52ed 100755
--- a/Configure
-+++ b/Configure
-@@ -1550,20 +1550,7 @@ unless ($disabled{"crypto-mdebug-backtrace"})
- unless ($disabled{afalgeng}) {
-     $config{afalgeng}="";
-     if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
-        my $minver = 4*10000 + 1*100 + 0;
-        if ($config{CROSS_COMPILE} eq "") {
-            my $verstr = `uname -r`;
-            my ($ma, $mi1, $mi2) = split("\\.", $verstr);
-            ($mi2) = $mi2 =~ /(\d+)/;
-            my $ver = $ma*10000 + $mi1*100 + $mi2;
-            if ($ver < $minver) {
-                disable('too-old-kernel', 'afalgeng');
-            } else {
-                push @{$config{engdirs}}, "afalg";
-            }
-        } else {
-            disable('cross-compiling', 'afalgeng');
-        }
-+        push @{$config{engdirs}}, "afalg";
-     } else {
-         disable('not-linux', 'afalgeng');
-     }
diff --git a/meta/recipes-connectivity/openssl/openssl/reproducible.patch b/meta/recipes-connectivity/openssl/openssl/reproducible.patch
deleted file mode 100644
index a24260c95d..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/reproducible.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-The value for perl_archname can vary depending on the host, e.g. 
-x86_64-linux-gnu-thread-multi or x86_64-linux-thread-multi which
-makes the ptest package non-reproducible. Its unused other than 
-these references so drop it.
-RP 2020/2/6
-Upstream-Status: Pending
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Index: openssl-1.1.1d/Configure
-===================================================================
--- openssl-1.1.1d.orig/Configure
-+++ openssl-1.1.1d/Configure
-@@ -286,7 +286,7 @@ if (defined env($local_config_envname))
- # Save away perl command information
- $config{perl_cmd} = $^X;
- $config{perl_version} = $Config{version};
-$config{perl_archname} = $Config{archname};
-+#$config{perl_archname} = $Config{archname};
- 
- $config{prefix}="";
- $config{openssldir}="";
-@@ -2517,7 +2517,7 @@ _____
-                           @{$config{perlargv}}), "\n";
-         print "\nPerl information:\n\n";
-         print '    ',$config{perl_cmd},"\n";
-        print '    ',$config{perl_version},' for ',$config{perl_archname},"\n";
-+        print '    ',$config{perl_version},"\n";
-     }
-     if ($dump || $options) {
-         my $longest = 0;
diff --git a/meta/recipes-connectivity/openssl/openssl/run-ptest b/meta/recipes-connectivity/openssl/openssl/run-ptest
index 3fb22471f8..cd29bb1446 100644
--- a/meta/recipes-connectivity/openssl/openssl/run-ptest
+++ b/meta/recipes-connectivity/openssl/openssl/run-ptest
@@ -1,12 +1,19 @@
 #!/bin/sh
-set -e
+set -eu
-# Optional arguments are 'list' to lists all tests, or the test name (base name
+# Optional arguments are 'list' to lists the tests, or the test name (base name
-# ie test_evp, not 03_test_evp.t).
+# ie test_evp, not 03_test_evp.t). Without any arguments we run all tests.
+if test $# -gt 0; then
+    TESTS=$*
+else
+    # Skip test_symbol_presence as this is for developers
+    TESTS="alltests -test_symbol_presence"
+fi
 export TOP=.
-# OPENSSL_ENGINES is relative from the test binaries
+# Run four jobs in parallel
-export OPENSSL_ENGINES=../engines
+export HARNESS_JOBS=4
-perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;'
+{ perl ./test/run_tests.pl $TESTS || echo "FAIL: openssl" ; } | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g'
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb
deleted file mode 100644
index 1827167201..0000000000
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1h.bb
+++ /dev/null
@@ -1,216 +0,0 @@
-SUMMARY = "Secure Socket Layer"
-DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
-HOMEPAGE = "http://www.openssl.org/"
-BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
-SECTION = "libs/network"
-# "openssl" here actually means both OpenSSL and SSLeay licenses apply
-# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped)
-LICENSE = "openssl"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8"
-DEPENDS = "hostperl-runtime-native"
-SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
-           file://run-ptest \
-           file://0001-skip-test_symbol_presence.patch \
-           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
-           file://afalg.patch \
-           file://reproducible.patch \
-           "
-SRC_URI_append_class-nativesdk = " \
-           file://environment.d-openssl.sh \
-           "
-SRC_URI[sha256sum] = "5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9"
-inherit lib_package multilib_header multilib_script ptest
-MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-PACKAGECONFIG ?= ""
-PACKAGECONFIG_class-native = ""
-PACKAGECONFIG_class-nativesdk = ""
-PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
-B = "${WORKDIR}/build"
-do_configure[cleandirs] = "${B}"
-#| ./libcrypto.so: undefined reference to `getcontext'
-#| ./libcrypto.so: undefined reference to `setcontext'
-#| ./libcrypto.so: undefined reference to `makecontext'
-EXTRA_OECONF_append_libc-musl = " no-async"
-EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm"
-# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
-# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
-EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom"
-EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom"
-# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
-CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-do_configure () {
-        os=${HOST_OS}
-        case $os in
-        linux-gnueabi |\
-        linux-gnuspe |\
-        linux-musleabi |\
-        linux-muslspe |\
-        linux-musl )
-                os=linux
-                ;;
-        *)
-                ;;
-        esac
-        target="$os-${HOST_ARCH}"
-        case $target in
-        linux-arm*)
-                target=linux-armv4
-                ;;
-        linux-aarch64*)
-                target=linux-aarch64
-                ;;
-        linux-i?86 | linux-viac3)
-                target=linux-x86
-                ;;
-        linux-gnux32-x86_64 | linux-muslx32-x86_64 )
-                target=linux-x32
-                ;;
-        linux-gnu64-x86_64)
-                target=linux-x86_64
-                ;;
-        linux-mips | linux-mipsel)
-                # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
-                target="linux-mips32 ${TARGET_CC_ARCH}"
-                ;;
-        linux-gnun32-mips*)
-                target=linux-mips64
-                ;;
-        linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
-                target=linux64-mips64
-                ;;
-        linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
-                target=linux-generic32
-                ;;
-        linux-powerpc)
-                target=linux-ppc
-                ;;
-        linux-powerpc64)
-                target=linux-ppc64
-                ;;
-        linux-powerpc64le)
-                target=linux-ppc64le
-                ;;
-        linux-riscv32)
-                target=linux-generic32
-                ;;
-        linux-riscv64)
-                target=linux-generic64
-                ;;
-        linux-sparc | linux-supersparc)
-                target=linux-sparcv9
-                ;;
-        esac
-        useprefix=${prefix}
-        if [ "x$useprefix" = "x" ]; then
-                useprefix=/
-        fi
-        # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
-        # environment variables set by bitbake. Adjust the environment variables instead.
-        HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
-        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
-        perl ${B}/configdata.pm --dump
-}
-do_install () {
-        oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
-        oe_multilib_header openssl/opensslconf.h
-        # Create SSL structure for packages such as ca-certificates which
-        # contain hard-coded paths to /etc/ssl. Debian does the same.
-        install -d ${D}${sysconfdir}/ssl
-        mv ${D}${libdir}/ssl-1.1/certs \
-           ${D}${libdir}/ssl-1.1/private \
-           ${D}${libdir}/ssl-1.1/openssl.cnf \
-           ${D}${sysconfdir}/ssl/
-        # Although absolute symlinks would be OK for the target, they become
-        # invalid if native or nativesdk are relocated from sstate.
-        ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs
-        ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private
-        ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf
-}
-do_install_append_class-native () {
-        create_wrapper ${D}${bindir}/openssl \
-            OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
-            SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
-            SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
-            OPENSSL_ENGINES=${libdir}/engines-1.1
-}
-do_install_append_class-nativesdk () {
-        mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
-        install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
-        sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
-}
-PTEST_BUILD_HOST_FILES += "configdata.pm"
-PTEST_BUILD_HOST_PATTERN = "perl_version ="
-do_install_ptest () {
-        # Prune the build tree
-        rm -f ${B}/fuzz/*.* ${B}/test/*.*
-        cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
-        cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
-        # For test_shlibload
-        ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
-        ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
-        install -d ${D}${PTEST_PATH}/apps
-        ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
-        install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
-        install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
-        install -d ${D}${PTEST_PATH}/engines
-        install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
-}
-# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
-# package RRECOMMENDS on this package. This will enable the configuration
-# file to be installed for both the openssl-bin package and the libcrypto
-# package since the openssl-bin package depends on the libcrypto package.
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"
-FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
-FILES_libssl = "${libdir}/libssl${SOLIBS}"
-FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
-                      ${libdir}/ssl-1.1/openssl.cnf* \
-                      "
-FILES_${PN}-engines = "${libdir}/engines-1.1"
-FILES_${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash"
-FILES_${PN} =+ "${libdir}/ssl-1.1/*"
-FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
-CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
-RRECOMMENDS_libcrypto += "openssl-conf"
-RDEPENDS_${PN}-misc = "perl"
-RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash"
-RDEPENDS_${PN}-bin += "openssl-conf"
-BBCLASSEXTEND = "native nativesdk"
-CVE_PRODUCT = "openssl:openssl"
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
-# Apache in meta-webserver is already recent enough
-CVE_CHECK_WHITELIST += "CVE-2019-0190"
diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.0.bb b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
new file mode 100644
index 0000000000..0f5c28dafa
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
@@ -0,0 +1,283 @@
+SUMMARY = "Secure Socket Layer"
+DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
+HOMEPAGE = "http://www.openssl.org/"
+BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
+SECTION = "libs/network"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
+SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+           file://run-ptest \
+           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
+           file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://0001-Added-handshake-history-reporting-when-test-fails.patch \
+           "
+SRC_URI:append:class-nativesdk = " \
+           file://environment.d-openssl.sh \
+           "
+SRC_URI[sha256sum] = "344d0a79f1a9b08029b0744e2cc401a43f9c90acd1044d09a530b4885a8e9fc0"
+inherit lib_package multilib_header multilib_script ptest perlnative manpages
+MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
+PACKAGECONFIG ?= ""
+PACKAGECONFIG:class-native = ""
+PACKAGECONFIG:class-nativesdk = ""
+PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
+PACKAGECONFIG[no-tls1] = "no-tls1"
+PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
+PACKAGECONFIG[manpages] = ""
+PACKAGECONFIG[fips] = "enable-fips"
+B = "${WORKDIR}/build"
+do_configure[cleandirs] = "${B}"
+EXTRA_OECONF = "${@bb.utils.contains('PTEST_ENABLED', '1', '', 'no-tests', d)}"
+#| ./libcrypto.so: undefined reference to `getcontext'
+#| ./libcrypto.so: undefined reference to `setcontext'
+#| ./libcrypto.so: undefined reference to `makecontext'
+EXTRA_OECONF:append:libc-musl = " no-async"
+EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
+# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
+# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
+EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom"
+EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom"
+# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
+EXTRA_OEMAKE:append:task-compile:class-native = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
+EXTRA_OEMAKE:append:task-compile:class-nativesdk = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
+#| threads_pthread.c:(.text+0x372): undefined reference to `__atomic_is_lock_free'
+EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"
+# This allows disabling deprecated or undesirable crypto algorithms.
+# The default is to trust upstream choices.
+DEPRECATED_CRYPTO_FLAGS ?= ""
+do_configure () {
+        # When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
+        # the issue really clear that perl isn't functional due to symbol mismatch issues.
+        cat <<- EOF > ${WORKDIR}/perltest
+        #!/usr/bin/env perl
+        use POSIX;
+        EOF
+        chmod a+x ${WORKDIR}/perltest
+        ${WORKDIR}/perltest
+        os=${HOST_OS}
+        case $os in
+        linux-gnueabi |\
+        linux-gnuspe |\
+        linux-musleabi |\
+        linux-muslspe |\
+        linux-musl )
+                os=linux
+                ;;
+        *)
+                ;;
+        esac
+        target="$os-${HOST_ARCH}"
+        case $target in
+        linux-arc | linux-microblaze*)
+                target=linux-latomic
+                ;;
+        linux-arm*)
+                target=linux-armv4
+                ;;
+        linux-aarch64*)
+                target=linux-aarch64
+                ;;
+        linux-i?86 | linux-viac3)
+                target=linux-x86
+                ;;
+        linux-gnux32-x86_64 | linux-muslx32-x86_64 )
+                target=linux-x32
+                ;;
+        linux-gnu64-x86_64)
+                target=linux-x86_64
+                ;;
+        linux-loongarch64)
+                target=linux64-loongarch64
+                ;;
+        linux-mips | linux-mipsel)
+                # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
+                target="linux-mips32 ${TARGET_CC_ARCH}"
+                ;;
+        linux-gnun32-mips*)
+                target=linux-mips64
+                ;;
+        linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
+                target=linux64-mips64
+                ;;
+        linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
+                target=linux-generic32
+                ;;
+        linux-powerpc)
+                target=linux-ppc
+                ;;
+        linux-powerpc64)
+                target=linux-ppc64
+                ;;
+        linux-powerpc64le)
+                target=linux-ppc64le
+                ;;
+        linux-riscv32)
+                target=linux32-riscv32
+                ;;
+        linux-riscv64)
+                target=linux64-riscv64
+                ;;
+        linux-sparc | linux-supersparc)
+                target=linux-sparcv9
+                ;;
+        mingw32-x86_64)
+                target=mingw64
+                ;;
+        esac
+        # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
+        # environment variables set by bitbake. Adjust the environment variables instead.
+        PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
+        test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
+        HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
+        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target
+        perl ${B}/configdata.pm --dump
+}
+do_compile:append () {
+        # The test suite binaries are large and we don't need the debugging in them
+        if test -d ${B}/test; then
+                find ${B}/test -type f -executable -exec ${STRIP} {} \;
+        fi
+}
+do_install () {
+        oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \
+            ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \
+            ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)}
+        oe_multilib_header openssl/opensslconf.h
+        oe_multilib_header openssl/configuration.h
+        # Create SSL structure for packages such as ca-certificates which
+        # contain hard-coded paths to /etc/ssl. Debian does the same.
+        install -d ${D}${sysconfdir}/ssl
+        mv ${D}${libdir}/ssl-3/certs \
+           ${D}${libdir}/ssl-3/private \
+           ${D}${libdir}/ssl-3/openssl.cnf \
+           ${D}${sysconfdir}/ssl/
+        # Although absolute symlinks would be OK for the target, they become
+        # invalid if native or nativesdk are relocated from sstate.
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+        # Generate fipsmodule.cnf in pkg_postinst_ontarget
+        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+                rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
+        fi
+}
+do_install:append:class-native () {
+        create_wrapper ${D}${bindir}/openssl \
+            OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
+            SSL_CERT_DIR=\${SSL_CERT_DIR:-${libdir}/ssl-3/certs} \
+            SSL_CERT_FILE=\${SSL_CERT_FILE:-${libdir}/ssl-3/cert.pem} \
+            OPENSSL_ENGINES=\${OPENSSL_ENGINES:-${libdir}/engines-3} \
+            OPENSSL_MODULES=\${OPENSSL_MODULES:-${libdir}/ossl-modules}
+}
+do_install:append:class-nativesdk () {
+        mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
+        install -m 644 ${UNPACKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+}
+PTEST_BUILD_HOST_FILES += "configdata.pm"
+PTEST_BUILD_HOST_PATTERN = "perl_version ="
+do_install_ptest() {
+        install -m644 ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
+        cp -rf ${S}/Configurations ${S}/external ${D}${PTEST_PATH}/
+        install -d ${D}${PTEST_PATH}/apps
+        ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
+        cd ${S}
+        find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.der -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find util -name \*.p[lm] -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        cd ${B}
+        # Everything but .? (.o and .d)
+        find test -type f -name \*[^.]? -exec install -m755 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.srl -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        install -m755 ${B}/util/*wrap.* ${D}${PTEST_PATH}/util/
+        install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps/
+        install -m755 ${S}/test/*.pl ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/shibboleth.pfx ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/*.bin ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/dane*.in ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/smcont*.txt ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/ssl_test.tmpl ${D}${PTEST_PATH}/test/
+        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm ${D}${PTEST_PATH}/util/wrap.pl
+        install -d ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines/
+        install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines/
+        ln -s ${libdir}/engines-3/loader_attic.so ${D}${PTEST_PATH}/engines/
+        ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers
+}
+pkg_postinst_ontarget:${PN}-ossl-module-fips () {
+        if test -f ${libdir}/ossl-modules/fips.so; then
+                ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
+        fi
+}
+# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
+# package RRECOMMENDS on this package. This will enable the configuration
+# file to be installed for both the openssl-bin package and the libcrypto
+# package since the openssl-bin package depends on the libcrypto package.
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
+FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES:libssl = "${libdir}/libssl${SOLIBS}"
+FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
+                      ${libdir}/ssl-3/openssl.cnf* \
+                      "
+FILES:${PN}-engines = "${libdir}/engines-3"
+# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
+FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
+FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
+FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so"
+FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
+CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
+RDEPENDS:${PN}-misc = "perl"
+RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines openssl-ossl-module-legacy"
+RDEPENDS:${PN}-bin += "openssl-conf"
+# The test suite is installed stripped
+INSANE_SKIP:${PN} = "already-stripped"
+BBCLASSEXTEND = "native nativesdk"
+CVE_PRODUCT = "openssl:openssl"
diff --git a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
index b5f68951d7..5c9c8219d7 100644
--- a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
+++ b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
@@ -1,8 +1,8 @@
 SUMMARY = "Enables PPP dial-in through a serial connection"
 SECTION = "console/network"
+DESCRIPTION = "PPP dail-in provides a point to point protocol (PPP), so that other computers can dial up to it and access connected networks."
 DEPENDS = "ppp"
-RDEPENDS_${PN} = "ppp"
+RDEPENDS:${PN} = "ppp"
-PR = "r8"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
@@ -11,17 +11,17 @@ SRC_URI = "file://host-peer \
 inherit allarch useradd
-S = "${WORKDIR}"
+S = "${UNPACKDIR}"
 do_install() {
        install -d ${D}${sysconfdir}/ppp/peers
-        install -m 0644 ${WORKDIR}/host-peer ${D}${sysconfdir}/ppp/peers/host
+        install -m 0644 ${S}/host-peer ${D}${sysconfdir}/ppp/peers/host
        install -d ${D}${sbindir}
-        install -m 0755 ${WORKDIR}/ppp-dialin ${D}${sbindir}
+        install -m 0755 ${S}/ppp-dialin ${D}${sbindir}
 }
 USERADD_PACKAGES = "${PN}"
-USERADD_PARAM_${PN} = "--system --home /dev/null \
+USERADD_PARAM:${PN} = "--system --home /dev/null \
                       --no-create-home --shell ${sbindir}/ppp-dialin \
                       --no-user-group --gid nogroup ppp"
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-Fix-build-with-musl.patch b/meta/recipes-connectivity/ppp/ppp/0001-Fix-build-with-musl.patch
deleted file mode 100644
index 65291368bd..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/0001-Fix-build-with-musl.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From e50cdaed07e51f2508f94eb1f34fe43776e4ca78 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Fri, 29 May 2015 14:57:05 -0700
-Subject: [PATCH] Fix build with musl
-There are several assumption about glibc
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Upstream-Status: Pending
---
- include/net/ppp_defs.h                  | 2 ++
- pppd/Makefile.linux                     | 2 +-
- pppd/plugins/rp-pppoe/config.h          | 3 ++-
- pppd/plugins/rp-pppoe/plugin.c          | 1 -
- pppd/plugins/rp-pppoe/pppoe-discovery.c | 8 ++++----
- pppd/plugins/rp-pppoe/pppoe.h           | 2 +-
- pppd/sys-linux.c                        | 3 ++-
- 7 files changed, 12 insertions(+), 9 deletions(-)
-diff --git a/include/net/ppp_defs.h b/include/net/ppp_defs.h
-index b06eda5..dafa36c 100644
--- a/include/net/ppp_defs.h
-+++ b/include/net/ppp_defs.h
-@@ -38,6 +38,8 @@
- #ifndef _PPP_DEFS_H_
- #define _PPP_DEFS_H_
- 
-+#include <sys/time.h>
-+
- /*
-  * The basic PPP frame.
-  */
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 4e485a1..76411bc 100644
--- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -131,7 +131,7 @@ LIBS        += -lcrypt
- endif
- 
- ifdef USE_LIBUTIL
-CFLAGS += -DHAVE_LOGWTMP=1
-+#CFLAGS        += -DHAVE_LOGWTMP=1
- LIBS   += -lutil
- endif
- 
-diff --git a/pppd/plugins/rp-pppoe/config.h b/pppd/plugins/rp-pppoe/config.h
-index a708859..4a16a88 100644
--- a/pppd/plugins/rp-pppoe/config.h
-+++ b/pppd/plugins/rp-pppoe/config.h
-@@ -78,8 +78,9 @@
- #define HAVE_NET_IF_ARP_H 1
- 
- /* Define if you have the <net/ethernet.h> header file.  */
-+#ifdef __GLIBC__
- #define HAVE_NET_ETHERNET_H 1
-
-+#endif
- /* Define if you have the <net/if.h> header file.  */
- #define HAVE_NET_IF_H 1
- 
-diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index 44e0c31..93c0906 100644
--- a/pppd/plugins/rp-pppoe/plugin.c
-+++ b/pppd/plugins/rp-pppoe/plugin.c
-@@ -46,7 +46,6 @@ static char const RCSID[] =
- #include <unistd.h>
- #include <fcntl.h>
- #include <signal.h>
-#include <net/ethernet.h>
- #include <net/if_arp.h>
- #include <linux/ppp_defs.h>
- #include <linux/if_pppox.h>
-diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-index f19c6d8..f45df2c 100644
--- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
-+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-@@ -29,10 +29,6 @@
- #include <linux/if_packet.h>
- #endif
- 
-#ifdef HAVE_NET_ETHERNET_H
-#include <net/ethernet.h>
-#endif
-
- #ifdef HAVE_ASM_TYPES_H
- #include <asm/types.h>
- #endif
-diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
-index a4e7d5c..de191c8 100644
--- a/pppd/plugins/rp-pppoe/pppoe.h
-+++ b/pppd/plugins/rp-pppoe/pppoe.h
-@@ -90,7 +90,7 @@ typedef unsigned long UINT32_t;
- #ifdef HAVE_SYS_SOCKET_H
- #include <sys/socket.h>
- #endif
-#ifndef HAVE_SYS_DLPI_H
-+#if !defined HAVE_SYS_DLPI_H && defined HAVE_NET_ETHERNET_H
- #include <netinet/if_ether.h>
- #endif
- #endif
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index a0531e9..84ee394 100644
--- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -112,7 +112,7 @@
- #include <linux/types.h>
- #include <linux/if.h>
- #include <linux/if_arp.h>
-#include <linux/route.h>
-+/* #include <linux/route.h> */
- #include <linux/if_ether.h>
- #endif
- #include <netinet/in.h>
-@@ -145,6 +145,7 @@
- #endif
- 
- #ifdef INET6
-+#include <net/route.h>
- #ifndef _LINUX_IN6_H
- /*
-  *    This is in linux/include/net/ipv6.h.
-- 
-2.17.1
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-ppp-Remove-unneeded-include.patch b/meta/recipes-connectivity/ppp/ppp/0001-ppp-Remove-unneeded-include.patch
deleted file mode 100644
index a32f89fbc8..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/0001-ppp-Remove-unneeded-include.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-commit cd90fd147844a0cfec101f1e2db7a3c59d236621
-Author: Jussi Kukkonen <jussi.kukkonen@intel.com>
-Date:   Wed Dec 28 14:11:22 2016 +0200
-pppol2tp plugin: Remove unneeded include
-The include is not required and will break compile on musl libc with
-    
-| In file included from pppol2tp.c:34:0:
-| /usr/include/linux/if.h:97:2: error: expected identifier before numeric constant
-|   IFF_LOWER_UP   = 1<<16, /* __volatile__ */
-Patch originally from Khem Raj.
-Upstream-Status: Pending [https://github.com/paulusmack/ppp/issues/73]
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
-diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c
-index 9643b96..458316b 100644
--- a/pppd/plugins/pppol2tp/openl2tp.c
-+++ b/pppd/plugins/pppol2tp/openl2tp.c
-@@ -47,7 +47,6 @@
- #include <linux/if_ether.h>
- #include <linux/ppp_defs.h>
- #include <linux/if_ppp.h>
-#include <linux/if_pppox.h>
- #include <linux/if_pppol2tp.h>
- 
- #include "l2tp_event.h"
-diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c
-index 0e28606..4f6d98c 100644
--- a/pppd/plugins/pppol2tp/pppol2tp.c
-+++ b/pppd/plugins/pppol2tp/pppol2tp.c
-@@ -46,7 +46,6 @@
- #include <linux/if_ether.h>
- #include <linux/ppp_defs.h>
- #include <linux/if_ppp.h>
-#include <linux/if_pppox.h>
- #include <linux/if_pppol2tp.h>
- 
- /* should be added to system's socket.h... */
---
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch
deleted file mode 100644
index b7ba7ba643..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
-From: Paul Mackerras <paulus@ozlabs.org>
-Date: Mon, 3 Feb 2020 15:53:28 +1100
-Subject: [PATCH] pppd: Fix bounds check in EAP code
-Given that we have just checked vallen < len, it can never be the case
-that vallen >= len + sizeof(rhostname).  This fixes the check so we
-actually avoid overflowing the rhostname array.
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-Upstream-Status: Backport
-[https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426]
-CVE: CVE-2020-8597
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- pppd/eap.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/pppd/eap.c b/pppd/eap.c
-index 94407f5..1b93db0 100644
--- a/pppd/eap.c
-+++ b/pppd/eap.c
-@@ -1420,7 +1420,7 @@ int len;
-                }
- 
-                /* Not so likely to happen. */
-               if (vallen >= len + sizeof (rhostname)) {
-+               if (len - vallen >= sizeof (rhostname)) {
-                        dbglog("EAP: trimming really long peer name down");
-                        BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
-                        rhostname[sizeof (rhostname) - 1] = '\0';
-@@ -1846,7 +1846,7 @@ int len;
-                }
- 
-                /* Not so likely to happen. */
-               if (vallen >= len + sizeof (rhostname)) {
-+               if (len - vallen >= sizeof (rhostname)) {
-                        dbglog("EAP: trimming really long peer name down");
-                        BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
-                        rhostname[sizeof (rhostname) - 1] = '\0';
-- 
-2.17.1
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch
new file mode 100644
index 0000000000..a00706c184
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch
@@ -0,0 +1,98 @@
+From a6eb65162db5bcc5ec26cff7361885c0a44cbbfa Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 17 Mar 2025 11:12:07 +0100
+Subject: [PATCH] pppd/pppdconf.h: remove erroneous generated header
+Upstream-Status: Inappropriate [tarball generation issue tracked at https://github.com/ppp-project/ppp/issues/541]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ pppd/pppdconf.h | 80 -------------------------------------------------
+ 1 file changed, 80 deletions(-)
+ delete mode 100644 pppd/pppdconf.h
+diff --git a/pppd/pppdconf.h b/pppd/pppdconf.h
+deleted file mode 100644
+index 51a8f02..0000000
+--- a/pppd/pppdconf.h
+++ /dev/null
+@@ -1,80 +0,0 @@
+-/* pppd/pppdconf.h.  Generated from pppdconf.h.in by configure.  */
+-/* 
+- * Copyright (c) 2022 Eivind Næss. All rights reserved.
+- *
+- * Redistribution and use in source and binary forms, with or without
+- * modification, are permitted provided that the following conditions
+- * are met:
+- *
+- * 1. Redistributions of source code must retain the above copyright
+- *    notice, this list of conditions and the following disclaimer.
+- *
+- * 2. Redistributions in binary form must reproduce the above copyright
+- *    notice, this list of conditions and the following disclaimer in
+- *    the documentation and/or other materials provided with the
+- *    distribution.
+- *
+- * 3. The name(s) of the authors of this software must not be used to
+- *    endorse or promote products derived from this software without
+- *    prior written permission.
+- *
+- * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
+- * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+- * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
+- * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+- * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+- */
+-
+-/*
+- * This file is generated by configure and sets the features enabled
+- *   in pppd when configured.
+- */
+-
+-#ifndef PPP_PPPDCONF_H
+-#define PPP_PPPDCONF_H
+-
+-/* Have Microsoft CHAP support */
+-#define PPP_WITH_CHAPMS 1
+-
+-/* Have Microsoft LAN Manager support */
+-/* #undef PPP_WITH_MSLANMAN */
+-
+-/* Have Microsoft MPPE support */
+-#define PPP_WITH_MPPE 1
+-
+-/* Have multilink support */
+-#define PPP_WITH_MULTILINK 1
+-
+-/* Have packet activity filter support */
+-#define PPP_WITH_FILTER 1
+-
+-/* Have support for loadable plugins */
+-#define PPP_WITH_PLUGINS 1
+-
+-/* Have Callback Protocol support */
+-/* #undef PPP_WITH_CBCP */
+-
+-/* Include TDB support */
+-#define PPP_WITH_TDB 1
+-
+-/* Have IPv6 Control Protocol */
+-#define PPP_WITH_IPV6CP 1
+-
+-/* Support for Pluggable Authentication Modules */
+-/* #undef PPP_WITH_PAM */
+-
+-/* Have EAP-SRP authentication support */
+-/* #undef PPP_WITH_SRP */
+-
+-/* Have EAP-TLS authentication support */
+-#define PPP_WITH_EAPTLS 1
+-
+-/* Have PEAP authentication support */
+-#define PPP_WITH_PEAP 1
+-
+-/* The pppd version */
+-#define PPPD_VERSION "2.5.2"
+-
+-#endif
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-session-Fixed-building-with-GCC-15.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-session-Fixed-building-with-GCC-15.patch
new file mode 100644
index 0000000000..d95c72e96b
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppd-session-Fixed-building-with-GCC-15.patch
@@ -0,0 +1,33 @@
+From 5edcb01f1d8d521c819d45df1f1bb87697252130 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 17 Mar 2025 14:38:26 -0700
+Subject: [PATCH] pppd/session: Fixed building with GCC 15
+Fixed building with GCC 15 which defaults to C23
+and find conflicting declration of getspnam() here
+with the one provided by shadow.h (extern struct spwd *getspnam (const char *__name);)
+Fixes
+../../ppp-2.5.2/pppd/session.c: In function 'session_start':
+../../ppp-2.5.2/pppd/session.c:185:18: error: conflicting types for 'getspnam'; have 'struct spwd *(void)'
+  185 |     struct spwd *getspnam();
+      |                  ^~~~~~~~
+Upstream-Status: Submitted [https://github.com/ppp-project/ppp/pull/553]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ pppd/session.c | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/pppd/session.c b/pppd/session.c
+index f08d8e1..9cc7538 100644
+--- a/pppd/session.c
+++ b/pppd/session.c
+@@ -182,7 +182,6 @@ session_start(const int flags, const char *user, const char *passwd, const char
+     char *cbuf;
+ #ifdef HAVE_SHADOW_H
+     struct spwd *spwd;
+-    struct spwd *getspnam();
+     long now = 0;
+ #endif /* #ifdef HAVE_SHADOW_H */
+ #endif /* #ifdef PPP_WITH_PAM */
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppdump-Fixed-building-with-GCC-15-548.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppdump-Fixed-building-with-GCC-15-548.patch
new file mode 100644
index 0000000000..2a3b3cc84a
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppdump-Fixed-building-with-GCC-15-548.patch
@@ -0,0 +1,75 @@
+From 44a766a3d086f10cb584a0c423e5bed6af2e3615 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
+Date: Thu, 27 Feb 2025 23:00:16 +0100
+Subject: [PATCH] pppdump: Fixed building with GCC 15 (#548)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+GCC 15 defaults to C23 which does not allow K&R declarations.
+Credit Yaakov Selkowitz in:
+https://src.fedoraproject.org/rpms/ppp/pull-request/12
+Upstream-Status: Backport [https://github.com/ppp-project/ppp/pull/548]
+Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ pppdump/pppdump.c | 20 +++++++-------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
+index c24208a..1534036 100644
+--- a/pppdump/pppdump.c
+++ b/pppdump/pppdump.c
+@@ -42,14 +42,12 @@ int tot_sent, tot_rcvd;
+ extern int optind;
+ extern char *optarg;
+ 
+-void dumplog();
+-void dumpppp();
+-void show_time();
+void dumplog(FILE *);
+void dumpppp(FILE *);
+void show_time(FILE *, int);
+ 
+ int
+-main(ac, av)
+-    int ac;
+-    char **av;
+main(int ac, char **av)
+ {
+     int i;
+     char *p;
+@@ -97,8 +95,7 @@ main(ac, av)
+ }
+ 
+ void
+-dumplog(f)
+-    FILE *f;
+dumplog(FILE *f)
+ {
+     int c, n, k, col;
+     int nb, c2;
+@@ -241,8 +238,7 @@ struct pkt {
+ unsigned char dbuf[8192];
+ 
+ void
+-dumpppp(f)
+-    FILE *f;
+dumpppp(FILE *f)
+ {
+     int c, n, k;
+     int nb, nl, dn, proto, rv;
+@@ -375,9 +371,7 @@ dumpppp(f)
+ }
+ 
+ void
+-show_time(f, c)
+-    FILE *f;
+-    int c;
+show_time(FILE *f, int c)
+ {
+     time_t t;
+     int n;
diff --git a/meta/recipes-connectivity/ppp/ppp/copts.patch b/meta/recipes-connectivity/ppp/ppp/copts.patch
deleted file mode 100644
index 53ff06e03e..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/copts.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-ppp: use build system CFLAGS when compiling
-Upstream-Status: Pending
-Override the hard-coded COPTS make variables with
-CFLAGS.  Add COPTS into one Makefile that did not
-use it.
-Signed-off-by: Joe Slater <jslater@windriver.com>
--- a/pppd/plugins/radius/Makefile.linux
-+++ b/pppd/plugins/radius/Makefile.linux
-@@ -12,7 +12,7 @@ VERSION = $(shell awk -F '"' '/VERSION/ 
- INSTALL        = install
- 
- PLUGIN=radius.so radattr.so radrealms.so
-CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
-+CFLAGS=-I. -I../.. -I../../../include $(COPTS) -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
- 
- # Uncomment the next line to include support for Microsoft's
- # MS-CHAP authentication protocol.
diff --git a/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch b/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch
deleted file mode 100644
index c5a0be86f5..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-ppp: Buffer overflow in radius plugin
-From: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;bug=782450
-Upstream-Status: Backport
-CVE: CVE-2015-3310
-On systems with more than 65535 processes running, pppd aborts when
-sending a "start" accounting message to the RADIUS server because of a
-buffer overflow in rc_mksid.
-The process id is used in rc_mksid to generate a pseudo-unique string,
-assuming that the hex representation of the pid will be at most 4
-characters (FFFF). __sprintf_chk(), used when compiling with
-optimization levels greater than 0 and FORTIFY_SOURCE, detects the
-buffer overflow and makes pppd crash.
-The following patch fixes the problem.
--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
-+++ ppp-2.4.6/pppd/plugins/radius/util.c
-@@ -77,7 +77,7 @@ rc_mksid (void)
-   static unsigned short int cnt = 0;
-   sprintf (buf, "%08lX%04X%02hX",
-           (unsigned long int) time (NULL),
-          (unsigned int) getpid (),
-+          (unsigned int) getpid () % 65535,
-           cnt & 0xFF);
-   cnt++;
-   return buf;
diff --git a/meta/recipes-connectivity/ppp/ppp/makefile-remove-hard-usr-reference.patch b/meta/recipes-connectivity/ppp/ppp/makefile-remove-hard-usr-reference.patch
deleted file mode 100644
index 614a474c37..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/makefile-remove-hard-usr-reference.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 505705d0e1b55ce3fdc10d0e5eab5488f869adb6 Mon Sep 17 00:00:00 2001
-From: Andreas Oberritter <obi@opendreambox.org>
-Date: Thu, 1 Jul 2010 14:34:12 +0800
-Subject: [PATCH] ppp: Upgraded to version 2.4.5
-The patch comes from OpenEmbedded.
-Rebased for ppp-2.4.5. Dongxiao Xu <dongxiao.xu@intel.com>
-Updated from OE-Classic to include the pcap hunk.
-Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
-Upstream-Status: Inappropriate [configuration]
---
- pppd/Makefile.linux | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 4e485a1..44c4193 100644
--- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -188,10 +188,10 @@ LIBS      += -ldl
- endif
- 
- ifdef FILTER
-ifneq ($(wildcard /usr/include/pcap-bpf.h),)
-+#ifneq ($(wildcard /usr/include/pcap-bpf.h),)
- LIBS    += -lpcap
- CFLAGS  += -DPPP_FILTER
-endif
-+#endif
- endif
- 
- ifdef HAVE_INET6
diff --git a/meta/recipes-connectivity/ppp/ppp/makefile.patch b/meta/recipes-connectivity/ppp/ppp/makefile.patch
deleted file mode 100644
index 25b8ded441..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/makefile.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From f7fb1d1abfa6d208fb40fca1602e0c488108f1b5 Mon Sep 17 00:00:00 2001
-From: Richard Purdie <richard@openedhand.com>
-Date: Wed, 31 Aug 2005 10:45:47 +0000
-Subject: [PATCH] Initial population
-The patch comes from OpenEmbedded
-Rebased for ppp-2.4.5. Dongxiao Xu <dongxiao.xu@intel.com>
-Upstream-Status: Inappropriate [configuration]
---
- chat/Makefile.linux                  |  2 +-
- pppd/Makefile.linux                  |  4 ++--
- pppd/plugins/radius/Makefile.linux   | 10 +++++-----
- pppd/plugins/rp-pppoe/Makefile.linux |  4 ++--
- pppdump/Makefile.linux               |  2 +-
- pppstats/Makefile.linux              |  2 +-
- 6 files changed, 12 insertions(+), 12 deletions(-)
-diff --git a/chat/Makefile.linux b/chat/Makefile.linux
-index 0732ec8..f082dab 100644
--- a/chat/Makefile.linux
-+++ b/chat/Makefile.linux
-@@ -25,7 +25,7 @@ chat.o:       chat.c
- 
- install: chat
-        mkdir -p $(BINDIR) $(MANDIR)
-       $(INSTALL) -s -c chat $(BINDIR)
-+       $(INSTALL) -c chat $(BINDIR)
-        $(INSTALL) -c -m 644 chat.8 $(MANDIR)
- 
- clean:
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 9664f70..4e485a1 100644
--- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -107,7 +107,7 @@ ifdef USE_SRP
- CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include
- LIBS   += -lsrp -L/usr/local/ssl/lib -lcrypto
- TARGETS        += srp-entry
-EXTRAINSTALL = $(INSTALL) -s -c -m 555 srp-entry $(BINDIR)/srp-entry
-+EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
- MANPAGES += srp-entry.8
- EXTRACLEAN += srp-entry.o
- NEEDDES=y
-@@ -219,7 +219,7 @@ all: $(TARGETS)
- install: pppd
-        mkdir -p $(BINDIR) $(MANDIR)
-        $(EXTRAINSTALL)
-       $(INSTALL) -s -c -m 555 pppd $(BINDIR)/pppd
-+       $(INSTALL) -c -m 555 pppd $(BINDIR)/pppd
-        if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \
-          chmod o-rx,u+s $(BINDIR)/pppd; fi
-        $(INSTALL) -c -m 444 pppd.8 $(MANDIR)
-diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux
-index e702263..af57ae3 100644
--- a/pppd/plugins/radius/Makefile.linux
-+++ b/pppd/plugins/radius/Makefile.linux
-@@ -36,11 +36,11 @@ all: $(PLUGIN)
- 
- install: all
-        $(INSTALL) -d -m 755 $(LIBDIR)
-       $(INSTALL) -s -c -m 755 radius.so $(LIBDIR)
-       $(INSTALL) -s -c -m 755 radattr.so $(LIBDIR)
-       $(INSTALL) -s -c -m 755 radrealms.so $(LIBDIR)
-       $(INSTALL) -c -m 444 pppd-radius.8 $(MANDIR)
-       $(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR)
-+       $(INSTALL) -c -m 755 radius.so $(LIBDIR)
-+       $(INSTALL) -c -m 755 radattr.so $(LIBDIR)
-+       $(INSTALL) -c -m 755 radrealms.so $(LIBDIR)
-+       $(INSTALL) -m 444 pppd-radius.8 $(MANDIR)
-+       $(INSTALL) -m 444 pppd-radattr.8 $(MANDIR)
- 
- radius.so: radius.o libradiusclient.a
-        $(CC) $(LDFLAGS) -o radius.so -shared radius.o libradiusclient.a
-diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux
-index 749ccc2..2c93f4a 100644
--- a/pppd/plugins/rp-pppoe/Makefile.linux
-+++ b/pppd/plugins/rp-pppoe/Makefile.linux
-@@ -43,9 +43,9 @@ rp-pppoe.so: plugin.o discovery.o if.o common.o
- 
- install: all
-        $(INSTALL) -d -m 755 $(LIBDIR)
-       $(INSTALL) -s -c -m 4550 rp-pppoe.so $(LIBDIR)
-+       $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR)
-        $(INSTALL) -d -m 755 $(BINDIR)
-       $(INSTALL) -s -c -m 555 pppoe-discovery $(BINDIR)
-+       $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR)
- 
- clean:
-        rm -f *.o *.so pppoe-discovery
-diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
-index cdf7ac4..0457561 100644
--- a/pppdump/Makefile.linux
-+++ b/pppdump/Makefile.linux
-@@ -17,5 +17,5 @@ clean:
- 
- install:
-        mkdir -p $(BINDIR) $(MANDIR)
-       $(INSTALL) -s -c pppdump $(BINDIR)
-+       $(INSTALL) -c pppdump $(BINDIR)
-        $(INSTALL) -c -m 444 pppdump.8 $(MANDIR)
-diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux
-index 71afbe6..1819370 100644
--- a/pppstats/Makefile.linux
-+++ b/pppstats/Makefile.linux
-@@ -22,7 +22,7 @@ all: pppstats
- 
- install: pppstats
-        -mkdir -p $(MANDIR)
-       $(INSTALL) -s -c pppstats $(BINDIR)
-+       $(INSTALL) -c pppstats $(BINDIR)
-        $(INSTALL) -c -m 444 pppstats.8 $(MANDIR)
- 
- pppstats: $(PPPSTATSRCS)
diff --git a/meta/recipes-connectivity/ppp/ppp/pppd-resolv-varrun.patch b/meta/recipes-connectivity/ppp/ppp/pppd-resolv-varrun.patch
deleted file mode 100644
index a72414ff8a..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/pppd-resolv-varrun.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-The patch comes from OpenEmbedded
-Rebased for ppp-2.4.5. Dongxiao Xu <dongxiao.xu@intel.com>
-Upstream-Status: Inappropriate [embedded specific]
-diff -ruN ppp-2.4.5-orig/pppd/ipcp.c ppp-2.4.5/pppd/ipcp.c
--- ppp-2.4.5-orig/pppd/ipcp.c  2010-06-30 15:51:12.050166398 +0800
-+++ ppp-2.4.5/pppd/ipcp.c       2010-06-30 17:02:33.930393283 +0800
-@@ -55,6 +55,8 @@
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
-+#include <sys/stat.h>
-+#include <unistd.h>
- 
- #include "pppd.h"
- #include "fsm.h"
-@@ -2095,6 +2097,14 @@
-     u_int32_t peerdns1, peerdns2;
- {
-     FILE *f;
-+    struct stat dirinfo;
-+
-+    if(stat(_PATH_OUTDIR, &dirinfo)) {
-+        if(mkdir(_PATH_OUTDIR, 0775)) {
-+            error("Failed to create directory %s: %m", _PATH_OUTDIR);
-+            return;
-+        }
-+    }
- 
-     f = fopen(_PATH_RESOLV, "w");
-     if (f == NULL) {
-diff -ruN ppp-2.4.5-orig/pppd/pathnames.h ppp-2.4.5/pppd/pathnames.h
--- ppp-2.4.5-orig/pppd/pathnames.h     2010-06-30 15:51:12.043682063 +0800
-+++ ppp-2.4.5/pppd/pathnames.h  2010-06-30 17:03:20.594371055 +0800
-@@ -30,7 +30,8 @@
- #define _PATH_TTYOPT    _ROOT_PATH "/etc/ppp/options."
- #define _PATH_CONNERRS  _ROOT_PATH "/etc/ppp/connect-errors"
- #define _PATH_PEERFILES         _ROOT_PATH "/etc/ppp/peers/"
-#define _PATH_RESOLV    _ROOT_PATH "/etc/ppp/resolv.conf"
-+#define _PATH_OUTDIR   _ROOT_PATH _PATH_VARRUN "/ppp"
-+#define _PATH_RESOLV   _PATH_OUTDIR "/resolv.conf"
- 
- #define _PATH_USEROPT   ".ppprc"
- #define        _PATH_PSEUDONYM  ".ppp_pseudonym"
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.8.bb b/meta/recipes-connectivity/ppp/ppp_2.4.8.bb
deleted file mode 100644
index f9c60d6bad..0000000000
--- a/meta/recipes-connectivity/ppp/ppp_2.4.8.bb
+++ /dev/null
@@ -1,103 +0,0 @@
-SUMMARY = "Point-to-Point Protocol (PPP) support"
-DESCRIPTION = "ppp (Paul's PPP Package) is an open source package which implements \
-the Point-to-Point Protocol (PPP) on Linux and Solaris systems."
-SECTION = "console/network"
-HOMEPAGE = "http://samba.org/ppp/"
-BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs"
-DEPENDS = "libpcap openssl virtual/crypt"
-LICENSE = "BSD & GPLv2+ & LGPLv2+ & PD"
-LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \
-                    file://pppd/plugins/passprompt.c;beginline=1;endline=10;md5=3bcbcdbf0e369c9a3e0b8c8275b065d8 \
-                    file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \
-                    file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2"
-SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
-           file://makefile.patch \
-           file://pppd-resolv-varrun.patch \
-           file://makefile-remove-hard-usr-reference.patch \
-           file://pon \
-           file://poff \
-           file://init \
-           file://ip-up \
-           file://ip-down \
-           file://08setupdns \
-           file://92removedns \
-           file://copts.patch \
-           file://pap \
-           file://ppp_on_boot \
-           file://provider \
-           file://ppp@.service \
-           file://fix-CVE-2015-3310.patch \
-           file://0001-ppp-Remove-unneeded-include.patch \
-           file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \
-           "
-SRC_URI_append_libc-musl = "\
-           file://0001-Fix-build-with-musl.patch \
-"
-SRC_URI[md5sum] = "2ca8342b9804be15103fd3f687af701c"
-SRC_URI[sha256sum] = "f6bf89beae26b2943dff8f1003533d6a5a4909a0fa6edfbec44fe039bbe61bc6"
-inherit autotools-brokensep systemd
-TARGET_CC_ARCH += " ${LDFLAGS}"
-EXTRA_OEMAKE = "STRIPPROG=${STRIP} MANDIR=${D}${datadir}/man/man8 INCDIR=${D}${includedir} LIBDIR=${D}${libdir}/pppd/${PV} BINDIR=${D}${sbindir}"
-EXTRA_OECONF = "--disable-strip"
-# Package Makefile computes CFLAGS, referencing COPTS.
-# Typically hard-coded to '-O2 -g' in the Makefile's.
-#
-EXTRA_OEMAKE += ' COPTS="${CFLAGS} -I${STAGING_INCDIR}/openssl -I${S}/include"'
-do_configure () {
-        oe_runconf
-}
-do_install_append () {
-        make install-etcppp ETCDIR=${D}/${sysconfdir}/ppp
-        mkdir -p ${D}${bindir}/ ${D}${sysconfdir}/init.d
-        mkdir -p ${D}${sysconfdir}/ppp/ip-up.d/
-        mkdir -p ${D}${sysconfdir}/ppp/ip-down.d/
-        install -m 0755 ${WORKDIR}/pon ${D}${bindir}/pon
-        install -m 0755 ${WORKDIR}/poff ${D}${bindir}/poff
-        install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/ppp
-        install -m 0755 ${WORKDIR}/ip-up ${D}${sysconfdir}/ppp/
-        install -m 0755 ${WORKDIR}/ip-down ${D}${sysconfdir}/ppp/
-        install -m 0755 ${WORKDIR}/08setupdns ${D}${sysconfdir}/ppp/ip-up.d/
-        install -m 0755 ${WORKDIR}/92removedns ${D}${sysconfdir}/ppp/ip-down.d/
-        mkdir -p ${D}${sysconfdir}/chatscripts
-        mkdir -p ${D}${sysconfdir}/ppp/peers
-        install -m 0755 ${WORKDIR}/pap ${D}${sysconfdir}/chatscripts
-        install -m 0755 ${WORKDIR}/ppp_on_boot ${D}${sysconfdir}/ppp/ppp_on_boot
-        install -m 0755 ${WORKDIR}/provider ${D}${sysconfdir}/ppp/peers/provider
-        install -d ${D}${systemd_unitdir}/system
-        install -m 0644 ${WORKDIR}/ppp@.service ${D}${systemd_unitdir}/system
-        sed -i -e 's,@SBINDIR@,${sbindir},g' \
-               ${D}${systemd_unitdir}/system/ppp@.service
-        rm -rf ${D}/${mandir}/man8/man8
-        chmod u+s ${D}${sbindir}/pppd
-}
-do_install_append_libc-musl () {
-        install -Dm 0644 ${S}/include/net/ppp_defs.h ${D}${includedir}/net/ppp_defs.h
-}
-CONFFILES_${PN} = "${sysconfdir}/ppp/pap-secrets ${sysconfdir}/ppp/chap-secrets ${sysconfdir}/ppp/options"
-PACKAGES =+ "${PN}-oa ${PN}-oe ${PN}-radius ${PN}-winbind ${PN}-minconn ${PN}-password ${PN}-l2tp ${PN}-tools"
-FILES_${PN}        = "${sysconfdir} ${bindir} ${sbindir}/chat ${sbindir}/pppd ${systemd_unitdir}/system/ppp@.service"
-FILES_${PN}-oa       = "${libdir}/pppd/${PV}/pppoatm.so"
-FILES_${PN}-oe       = "${sbindir}/pppoe-discovery ${libdir}/pppd/${PV}/rp-pppoe.so"
-FILES_${PN}-radius   = "${libdir}/pppd/${PV}/radius.so ${libdir}/pppd/${PV}/radattr.so ${libdir}/pppd/${PV}/radrealms.so"
-FILES_${PN}-winbind  = "${libdir}/pppd/${PV}/winbind.so"
-FILES_${PN}-minconn  = "${libdir}/pppd/${PV}/minconn.so"
-FILES_${PN}-password = "${libdir}/pppd/${PV}/pass*.so"
-FILES_${PN}-l2tp     = "${libdir}/pppd/${PV}/*l2tp.so"
-FILES_${PN}-tools    = "${sbindir}/pppstats ${sbindir}/pppdump"
-SUMMARY_${PN}-oa       = "Plugin for PPP for PPP-over-ATM support"
-SUMMARY_${PN}-oe       = "Plugin for PPP for PPP-over-Ethernet support"
-SUMMARY_${PN}-radius   = "Plugin for PPP for RADIUS support"
-SUMMARY_${PN}-winbind  = "Plugin for PPP to authenticate against Samba or Windows"
-SUMMARY_${PN}-minconn  = "Plugin for PPP to set a delay before the idle timeout applies"
-SUMMARY_${PN}-password = "Plugin for PPP to get passwords via a pipe"
-SUMMARY_${PN}-l2tp     = "Plugin for PPP for l2tp support"
-SUMMARY_${PN}-tools    = "Additional tools for the PPP package"
diff --git a/meta/recipes-connectivity/ppp/ppp_2.5.2.bb b/meta/recipes-connectivity/ppp/ppp_2.5.2.bb
new file mode 100644
index 0000000000..607678db8b
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp_2.5.2.bb
@@ -0,0 +1,81 @@
+SUMMARY = "Point-to-Point Protocol (PPP) support"
+DESCRIPTION = "ppp (Paul's PPP Package) is an open source package which implements \
+the Point-to-Point Protocol (PPP) on Linux and Solaris systems."
+SECTION = "console/network"
+HOMEPAGE = "http://samba.org/ppp/"
+BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs"
+DEPENDS = "libpcap virtual/crypt"
+LICENSE = "BSD-2-Clause & GPL-2.0-or-later & LGPL-2.0-or-later & PD & RSA-MD & MIT"
+LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=25;md5=f0463bd67ae70535c709fca554089bd8 \
+                    file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \
+                    file://chat/chat.c;beginline=1;endline=1;md5=234d7d4edd08962c0144e4604050e0b6 \
+                    "
+SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
+           file://pon \
+           file://poff \
+           file://init \
+           file://ip-up \
+           file://ip-down \
+           file://08setupdns \
+           file://92removedns \
+           file://pap \
+           file://ppp_on_boot \
+           file://provider \
+           file://ppp@.service \
+           file://0001-pppdump-Fixed-building-with-GCC-15-548.patch \
+           file://0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch \
+           file://0001-pppd-session-Fixed-building-with-GCC-15.patch \
+           "
+SRC_URI[sha256sum] = "47da358de54a10cb10bf6ff2cf9b1c03c0d3555518f6182e8f701b8e55733cb2"
+inherit autotools pkgconfig systemd
+PACKAGECONFIG = "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} openssl"
+PACKAGECONFIG[pam] = "--with-pam=yes,--with-pam=no,libpam"
+PACKAGECONFIG[openssl] = "--with-openssl=yes,--with-openssl=no,openssl"
+PACKAGECONFIG[multilink] = "--enable-multilink,--disable-multilink"
+do_install:append () {
+        mkdir -p ${D}${bindir}/ ${D}${sysconfdir}/init.d
+        mkdir -p ${D}${sysconfdir}/ppp/ip-up.d/
+        mkdir -p ${D}${sysconfdir}/ppp/ip-down.d/
+        install -m 0755 ${UNPACKDIR}/pon ${D}${bindir}/pon
+        install -m 0755 ${UNPACKDIR}/poff ${D}${bindir}/poff
+        install -m 0755 ${UNPACKDIR}/init ${D}${sysconfdir}/init.d/ppp
+        install -m 0755 ${UNPACKDIR}/ip-up ${D}${sysconfdir}/ppp/
+        install -m 0755 ${UNPACKDIR}/ip-down ${D}${sysconfdir}/ppp/
+        install -m 0755 ${UNPACKDIR}/08setupdns ${D}${sysconfdir}/ppp/ip-up.d/
+        install -m 0755 ${UNPACKDIR}/92removedns ${D}${sysconfdir}/ppp/ip-down.d/
+        mkdir -p ${D}${sysconfdir}/chatscripts
+        mkdir -p ${D}${sysconfdir}/ppp/peers
+        install -m 0755 ${UNPACKDIR}/pap ${D}${sysconfdir}/chatscripts
+        install -m 0755 ${UNPACKDIR}/ppp_on_boot ${D}${sysconfdir}/ppp/ppp_on_boot
+        install -m 0755 ${UNPACKDIR}/provider ${D}${sysconfdir}/ppp/peers/provider
+        install -d ${D}${systemd_system_unitdir}
+        install -m 0644 ${UNPACKDIR}/ppp@.service ${D}${systemd_system_unitdir}
+        sed -i -e 's,@SBINDIR@,${sbindir},g' \
+               ${D}${systemd_system_unitdir}/ppp@.service
+}
+CONFFILES:${PN} = "${sysconfdir}/ppp/pap-secrets ${sysconfdir}/ppp/chap-secrets ${sysconfdir}/ppp/options"
+PACKAGES =+ "${PN}-oa ${PN}-oe ${PN}-radius ${PN}-winbind ${PN}-minconn ${PN}-password ${PN}-l2tp ${PN}-tools"
+FILES:${PN}        = "${sysconfdir} ${bindir} ${sbindir}/chat ${sbindir}/pppd ${systemd_system_unitdir}/ppp@.service"
+FILES:${PN}-oa       = "${libdir}/pppd/${PV}/pppoatm.so"
+FILES:${PN}-oe       = "${sbindir}/pppoe-discovery ${libdir}/pppd/${PV}/*pppoe.so"
+FILES:${PN}-radius   = "${libdir}/pppd/${PV}/radius.so ${libdir}/pppd/${PV}/radattr.so ${libdir}/pppd/${PV}/radrealms.so"
+FILES:${PN}-winbind  = "${libdir}/pppd/${PV}/winbind.so"
+FILES:${PN}-minconn  = "${libdir}/pppd/${PV}/minconn.so"
+FILES:${PN}-password = "${libdir}/pppd/${PV}/pass*.so"
+FILES:${PN}-l2tp     = "${libdir}/pppd/${PV}/*l2tp.so"
+FILES:${PN}-tools    = "${sbindir}/pppstats ${sbindir}/pppdump"
+SUMMARY:${PN}-oa       = "Plugin for PPP for PPP-over-ATM support"
+SUMMARY:${PN}-oe       = "Plugin for PPP for PPP-over-Ethernet support"
+SUMMARY:${PN}-radius   = "Plugin for PPP for RADIUS support"
+SUMMARY:${PN}-winbind  = "Plugin for PPP to authenticate against Samba or Windows"
+SUMMARY:${PN}-minconn  = "Plugin for PPP to set a delay before the idle timeout applies"
+SUMMARY:${PN}-password = "Plugin for PPP to get passwords via a pipe"
+SUMMARY:${PN}-l2tp     = "Plugin for PPP for l2tp support"
+SUMMARY:${PN}-tools    = "Additional tools for the PPP package"
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch b/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch
new file mode 100644
index 0000000000..ab32f26754
--- /dev/null
+++ b/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch
@@ -0,0 +1,37 @@
+From 6bf2bb136a0b3961339369bc08e58b661fba0edb Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Thu, 17 Nov 2022 17:26:30 +0800
+Subject: [PATCH] avoid using -m option for readlink
+Use a more widely used option '-f' instead of '-m' here to
+avoid dependency on coreutils.
+Looking at the git history of the resolvconf repo, the '-m'
+is deliberately used. And it wants to depend on coreutils.
+But in case of OE, the existence of /etc is ensured, and busybox
+readlink provides '-f' option, so we can just use '-f'. In this
+way, the coreutils dependency is not necessary any more.
+Upstream-Status: Inappropriate [OE Specific]
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ etc/resolvconf/update.d/libc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/etc/resolvconf/update.d/libc b/etc/resolvconf/update.d/libc
+index 1c4f6bc..f75d22c 100755
+--- a/etc/resolvconf/update.d/libc
+++ b/etc/resolvconf/update.d/libc
+@@ -57,7 +57,7 @@ fi
+ report_warning() { echo "$0: Warning: $*" >&2 ; }
+ 
+ resolv_conf_is_symlinked_to_dynamic_file() {
+-       [ -L ${ETC}/resolv.conf ] && [ "$(readlink -m ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ]
+       [ -L ${ETC}/resolv.conf ] && [ "$(readlink -f ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ]
+ }
+ 
+ if ! resolv_conf_is_symlinked_to_dynamic_file ; then
+-- 
+2.17.1
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch b/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch
deleted file mode 100644
index 1aead07869..0000000000
--- a/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-busybox installs readlink into /usr/bin, so ensure /usr/bin
-is in the path.
-Upstream-Status: Submitted
-Signed-off-by: Saul Wold <sgw@linux.intel.com>
-Index: resolvconf-1.76/etc/resolvconf/update.d/libc
-===================================================================
--- resolvconf-1.76.orig/etc/resolvconf/update.d/libc
-+++ resolvconf-1.76/etc/resolvconf/update.d/libc
-@@ -16,7 +16,7 @@
- #
- 
- set -e
-PATH=/sbin:/bin
-+PATH=/sbin:/bin:/usr/bin
- 
- [ -x /lib/resolvconf/list-records ] || exit 1
- 
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf_1.83.bb b/meta/recipes-connectivity/resolvconf/resolvconf_1.93.bb
index 33ee553d19..c10c57267a 100644
--- a/meta/recipes-connectivity/resolvconf/resolvconf_1.83.bb
+++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.93.bb
@@ -5,34 +5,29 @@ itself up as the intermediary between programs that supply \
 nameserver information and programs that need nameserver \
 information."
 SECTION = "console/network"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
-AUTHOR = "Thomas Hood"
 HOMEPAGE = "http://packages.debian.org/resolvconf"
-RDEPENDS_${PN} = "bash"
+RDEPENDS:${PN} = "bash sed util-linux-flock"
-SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https \
+SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=unstable \
-           file://fix-path-for-busybox.patch \
           file://99_resolvconf \
-          "
+           file://0001-avoid-using-m-option-for-readlink.patch \
+           "
-SRCREV = "d001dd2b7ce4c854eaa29e46b9640ab66c6e70bb"
+SRCREV = "ab766fa31f7939f6d879123236b4275320b7ff64"
-S = "${WORKDIR}/git"
 # the package is taken from snapshots.debian.org; that source is static and goes stale
 # so we check the latest upstream from a directory that does get updated
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/r/resolvconf/"
-inherit allarch
 do_compile () {
        :
 }
 do_install () {
        install -d ${D}${sysconfdir}/default/volatiles
-        install -m 0644 ${WORKDIR}/99_resolvconf ${D}${sysconfdir}/default/volatiles
+        install -m 0644 ${UNPACKDIR}/99_resolvconf ${D}${sysconfdir}/default/volatiles
        if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
                install -d ${D}${sysconfdir}/tmpfiles.d
                echo "d /run/${BPN}/interface - - - -" \
@@ -40,12 +35,14 @@ do_install () {
        fi
        install -d ${D}${base_libdir}/${BPN}
        install -d ${D}${sysconfdir}/${BPN}
+        install -d ${D}${nonarch_base_libdir}/${BPN}
        ln -snf ${localstatedir}/run/${BPN} ${D}${sysconfdir}/${BPN}/run
        install -d ${D}${sysconfdir} ${D}${base_sbindir}
        install -d ${D}${mandir}/man8 ${D}${docdir}/${P}
        cp -pPR etc/resolvconf ${D}${sysconfdir}/
        chown -R root:root ${D}${sysconfdir}/
        install -m 0755 bin/resolvconf ${D}${base_sbindir}/
+        install -m 0755 bin/normalize-resolvconf ${D}${nonarch_base_libdir}/${BPN}
        install -m 0755 bin/list-records ${D}${base_libdir}/${BPN}
        install -d ${D}/${sysconfdir}/network/if-up.d
        install -m 0755 debian/resolvconf.000resolvconf.if-up ${D}/${sysconfdir}/network/if-up.d/000resolvconf
@@ -55,7 +52,7 @@ do_install () {
        install -m 0644 man/resolvconf.8 ${D}${mandir}/man8/
 }
-pkg_postinst_${PN} () {
+pkg_postinst:${PN} () {
        if [ -z "$D" ]; then
                if command -v systemd-tmpfiles >/dev/null; then
                        systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/resolvconf.conf
@@ -65,4 +62,4 @@ pkg_postinst_${PN} () {
        fi
 }
-FILES_${PN} += "${base_libdir}/${BPN}"
+FILES:${PN} += "${base_libdir}/${BPN} ${nonarch_base_libdir}/${BPN}"
diff --git a/meta/recipes-connectivity/slirp/libslirp_4.9.1.bb b/meta/recipes-connectivity/slirp/libslirp_4.9.1.bb
new file mode 100644
index 0000000000..9f7005d709
--- /dev/null
+++ b/meta/recipes-connectivity/slirp/libslirp_4.9.1.bb
@@ -0,0 +1,14 @@
+SUMMARY = "A general purpose TCP-IP emulator"
+DESCRIPTION = "A general purpose TCP-IP emulator used by virtual machine hypervisors to provide virtual networking services."
+HOMEPAGE = "https://gitlab.freedesktop.org/slirp/libslirp"
+LICENSE = "BSD-3-Clause & MIT"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bca0186b14e6b05e338e729f106db727"
+SRC_URI = "git://gitlab.freedesktop.org/slirp/libslirp.git;protocol=https;branch=master"
+SRCREV = "9c744e1e52aa0d9646ed91d789d588696292c21e"
+DEPENDS = "glib-2.0"
+inherit meson pkgconfig
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch b/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch
new file mode 100644
index 0000000000..ea00dfa0a9
--- /dev/null
+++ b/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch
@@ -0,0 +1,62 @@
+From c4c3d5f2d4dfe8167205e8d20b4cb7a197706c16 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Wed, 27 Nov 2024 04:09:59 -0800
+Subject: [PATCH] fix compile procan.c failed
+1. Compile socat failed if out of tree build (build dir != source dir)
+...
+gcc -c -D CC="gcc" -o procan.o procan.c
+cc1: fatal error: procan.c: No such file or directory
+...
+Explicitly add $srcdir to makefile rule
+2. Compile socat failed if multiple words in $(CC), such as CC="gcc -m64"
+...
+from ../socat-1.8.0.0/procan.c:10:
+../socat-1.8.0.0/sysincludes.h:18:10: fatal error: inttypes.h: No such file or directory
+   18 | #include <inttypes.h>   /* uint16_t */
+...
+In commit [Procan: print umask, CC, and couple more new infos][1],
+it defeines marcro CC in C source, the space in CC will break
+C source compile. Use first word of $(CC) to defeine marco CC
+[1] https://repo.or.cz/socat.git/commit/cd5673dbd0786c94e0b3ace7e35fab14c01e3185
+Upstream-Status: Submitted [socat@dest-unreach.org]
+Rebase to 1.8.0.1
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ Makefile.in | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+diff --git a/Makefile.in b/Makefile.in
+index 631d31d..103d4d1 100644
+--- a/Makefile.in
+++ b/Makefile.in
+@@ -110,7 +110,7 @@ socat: socat.o libxio.a
+        $(CC) $(CFLAGS) $(LDFLAGS) -o $@ socat.o libxio.a $(CLIBS)
+ 
+ procan.o: $(srcdir)/procan.c
+-       $(CC) $(CFLAGS) -c -D CC="\"$(CC)\"" -o $@ $(srcdir)/procan.c
+       $(CC) $(CFLAGS) -c -D CC="\"$(firstword $(CC))\"" -o $@ $(srcdir)/procan.c
+ 
+ PROCAN_OBJS=procan_main.o procan.o procan-cdefs.o hostan.o error.o sycls.o sysutils.o utils.o vsnprintf_r.o snprinterr.o
+ procan: $(PROCAN_OBJS)
+@@ -132,9 +132,9 @@ install: progs $(srcdir)/doc/socat.1
+        mkdir -p $(DESTDIR)$(BINDEST)
+        $(INSTALL) -m 755 socat $(DESTDIR)$(BINDEST)/socat1
+        ln -sf socat1 $(DESTDIR)$(BINDEST)/socat
+-       $(INSTALL) -m 755 socat-chain.sh  $(DESTDIR)$(BINDEST)
+-       $(INSTALL) -m 755 socat-mux.sh    $(DESTDIR)$(BINDEST)
+-       $(INSTALL) -m 755 socat-broker.sh $(DESTDIR)$(BINDEST)
+       $(INSTALL) -m 755 $(srcdir)/socat-chain.sh  $(DESTDIR)$(BINDEST)
+       $(INSTALL) -m 755 $(srcdir)/socat-mux.sh    $(DESTDIR)$(BINDEST)
+       $(INSTALL) -m 755 $(srcdir)/socat-broker.sh $(DESTDIR)$(BINDEST)
+        $(INSTALL) -m 755 procan $(DESTDIR)$(BINDEST)
+        $(INSTALL) -m 755 filan $(DESTDIR)$(BINDEST)
+        mkdir -p $(DESTDIR)$(MANDEST)/man1
+-- 
+2.25.1
diff --git a/meta/recipes-connectivity/socat/socat_1.7.3.4.bb b/meta/recipes-connectivity/socat/socat_1.8.0.3.bb
index f3f569d262..ee6ca1fe44 100644
--- a/meta/recipes-connectivity/socat/socat_1.7.3.4.bb
+++ b/meta/recipes-connectivity/socat/socat_1.8.0.3.bb
@@ -7,13 +7,13 @@ SECTION = "console/network"
 LICENSE = "GPL-2.0-with-OpenSSL-exception"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-                    file://README;beginline=257;endline=287;md5=338c05eadd013872abb1d6e198e10a3f"
+                    file://README;beginline=248;endline=278;md5=338c05eadd013872abb1d6e198e10a3f"
 SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
+           file://0001-fix-compile-procan.c-failed.patch \
 "
-SRC_URI[md5sum] = "3cca4f8cd9d2d1caabd9cc099451bac9"
+SRC_URI[sha256sum] = "01eb017361d95bb3a6941e840b59e4463a3fabf92df4154ed02b16a2ed6a0095"
-SRC_URI[sha256sum] = "972374ca86f65498e23e3259c2ee1b8f9dbeb04d12c2a78c0c9b5d1cb97dfdfc"
 inherit autotools
@@ -29,15 +29,15 @@ TERMBITS_SHIFTS ?= "sc_cv_sys_crdly_shift=9 \
                    sc_cv_sys_tabdly_shift=11 \
                    sc_cv_sys_csize_shift=4"
-TERMBITS_SHIFTS_powerpc = "sc_cv_sys_crdly_shift=12 \
+TERMBITS_SHIFTS:powerpc = "sc_cv_sys_crdly_shift=12 \
                           sc_cv_sys_tabdly_shift=10 \
                           sc_cv_sys_csize_shift=8"
-TERMBITS_SHIFTS_powerpc64 = "sc_cv_sys_crdly_shift=12 \
+TERMBITS_SHIFTS:powerpc64 = "sc_cv_sys_crdly_shift=12 \
                             sc_cv_sys_tabdly_shift=10 \
                             sc_cv_sys_csize_shift=8"
-PACKAGECONFIG_class-target ??= "tcp-wrappers readline openssl"
+PACKAGECONFIG:class-target ??= "tcp-wrappers readline openssl"
 PACKAGECONFIG ??= "readline openssl"
 PACKAGECONFIG[tcp-wrappers] = "--enable-libwrap,--disable-libwrap,tcp-wrappers"
 PACKAGECONFIG[readline] = "--enable-readline,--disable-readline,readline"
@@ -45,7 +45,7 @@ PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"
 CFLAGS += "-fcommon"
-do_install_prepend () {
+do_install:prepend () {
    mkdir -p ${D}${bindir}
    install -d ${D}${bindir} ${D}${mandir}/man1
 }
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
index ddd10e6eeb..57b0534929 100644
--- a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
+++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
@@ -6,14 +6,18 @@ SRC_URI = "file://dropbear_rsa_host_key \
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+S = "${UNPACKDIR}"
 INHIBIT_DEFAULT_DEPS = "1"
+COMPATIBLE_MACHINE = "^qemu.*$"
 do_install () {
        install -d ${D}${sysconfdir}/dropbear
-        install ${WORKDIR}/dropbear_rsa_host_key -m 0600 ${D}${sysconfdir}/dropbear/
+        install ${UNPACKDIR}/dropbear_rsa_host_key -m 0600 ${D}${sysconfdir}/dropbear/
        install -d ${D}${sysconfdir}/ssh
-        install ${WORKDIR}/openssh/* ${D}${sysconfdir}/ssh/
+        install ${UNPACKDIR}/openssh/* ${D}${sysconfdir}/ssh/
        chmod 0600 ${D}${sysconfdir}/ssh/*
        chmod 0644 ${D}${sysconfdir}/ssh/*.pub
-}
-\ No newline at end of file
+}
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
deleted file mode 100644
index 7b0713cf6d..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication
-of disconnection in certain situations because source address validation is
-mishandled. This is a denial of service that should have been prevented by PMF
-(aka management frame protection). The attacker must send a crafted 802.11 frame
-from a location that is within the 802.11 communications range.
-CVE: CVE-2019-16275
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Thu, 29 Aug 2019 11:52:04 +0300
-Subject: [PATCH] AP: Silently ignore management frame from unexpected source
- address
-Do not process any received Management frames with unexpected/invalid SA
-so that we do not add any state for unexpected STA addresses or end up
-sending out frames to unexpected destination. This prevents unexpected
-sequences where an unprotected frame might end up causing the AP to send
-out a response to another device and that other device processing the
-unexpected response.
-In particular, this prevents some potential denial of service cases
-where the unexpected response frame from the AP might result in a
-connected station dropping its association.
-Signed-off-by: Jouni Malinen <j@w1.fi>
---
- src/ap/drv_callbacks.c | 13 +++++++++++++
- src/ap/ieee802_11.c    | 12 ++++++++++++
- 2 files changed, 25 insertions(+)
-diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
-index 31587685fe3b..34ca379edc3d 100644
--- a/src/ap/drv_callbacks.c
-+++ b/src/ap/drv_callbacks.c
-@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
-                           "hostapd_notif_assoc: Skip event with no address");
-                return -1;
-        }
-+
-+       if (is_multicast_ether_addr(addr) ||
-+           is_zero_ether_addr(addr) ||
-+           os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
-+               /* Do not process any frames with unexpected/invalid SA so that
-+                * we do not add any state for unexpected STA addresses or end
-+                * up sending out frames to unexpected destination. */
-+               wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
-+                          " in received indication - ignore this indication silently",
-+                          __func__, MAC2STR(addr));
-+               return 0;
-+       }
-+
-        random_add_randomness(addr, ETH_ALEN);
- 
-        hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index c85a28db44b7..e7065372e158 100644
--- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
-        fc = le_to_host16(mgmt->frame_control);
-        stype = WLAN_FC_GET_STYPE(fc);
- 
-+       if (is_multicast_ether_addr(mgmt->sa) ||
-+           is_zero_ether_addr(mgmt->sa) ||
-+           os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
-+               /* Do not process any frames with unexpected/invalid SA so that
-+                * we do not add any state for unexpected STA addresses or end
-+                * up sending out frames to unexpected destination. */
-+               wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
-+                          " in received frame - ignore this frame silently",
-+                          MAC2STR(mgmt->sa));
-+               return 0;
-+       }
-+
-        if (stype == WLAN_FC_STYPE_BEACON) {
-                handle_beacon(hapd, mgmt, len, fi);
-                return 1;
-- 
-2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
deleted file mode 100644
index 53ad5d028a..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Wed, 3 Jun 2020 23:17:35 +0300
-Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
- other networks
-The UPnP Device Architecture 2.0 specification errata ("UDA errata
-16-04-2020.docx") addresses a problem with notifications being allowed
-to go out to other domains by disallowing such cases. Do such filtering
-for the notification callback URLs to avoid undesired connections to
-external networks based on subscriptions that any device in the local
-network could request when WPS support for external registrars is
-enabled (the upnp_iface parameter in hostapd configuration).
-Upstream-Status: Backport
-CVE: CVE-2020-12695 patch #1
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- src/wps/wps_er.c     |  2 +-
- src/wps/wps_upnp.c   | 38 ++++++++++++++++++++++++++++++++++++--
- src/wps/wps_upnp_i.h |  3 ++-
- 3 files changed, 39 insertions(+), 4 deletions(-)
-Index: wpa_supplicant-2.9/src/wps/wps_er.c
-===================================================================
--- wpa_supplicant-2.9.orig/src/wps/wps_er.c
-+++ wpa_supplicant-2.9/src/wps/wps_er.c
-@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, con
-                           "with %s", filter);
-        }
-        if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
-                          er->mac_addr)) {
-+                          NULL, er->mac_addr)) {
-                wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
-                           "for %s. Does it have IP address?", er->ifname);
-                wps_er_deinit(er, NULL, NULL);
-Index: wpa_supplicant-2.9/src/wps/wps_upnp.c
-===================================================================
--- wpa_supplicant-2.9.orig/src/wps/wps_upnp.c
-+++ wpa_supplicant-2.9/src/wps/wps_upnp.c
-@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct
- }
-+static int local_network_addr(struct upnp_wps_device_sm *sm,
-+                             struct sockaddr_in *addr)
-+{
-+       return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
-+               (sm->ip_addr & sm->netmask.s_addr);
-+}
-+
-+
- /* subscr_addr_add_url -- add address(es) for one url to subscription */
- static void subscr_addr_add_url(struct subscription *s, const char *url,
-                                size_t url_len)
-@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct s
-        for (rp = result; rp; rp = rp->ai_next) {
-                struct subscr_addr *a;
-+               struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
-                /* Limit no. of address to avoid denial of service attack */
-                if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
-@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct s
-                        break;
-                }
-+               if (!local_network_addr(s->sm, addr)) {
-+                       wpa_printf(MSG_INFO,
-+                                  "WPS UPnP: Ignore a delivery URL that points to another network %s",
-+                                  inet_ntoa(addr->sin_addr));
-+                       continue;
-+               }
-+
-                a = os_zalloc(sizeof(*a) + alloc_len);
-                if (a == NULL)
-                        break;
-@@ -889,11 +905,12 @@ static int eth_get(const char *device, u
-  * @net_if: Selected network interface name
-  * @ip_addr: Buffer for returning IP address in network byte order
-  * @ip_addr_text: Buffer for returning a pointer to allocated IP address text
-+ * @netmask: Buffer for returning netmask or %NULL if not needed
-  * @mac: Buffer for returning MAC address
-  * Returns: 0 on success, -1 on failure
-  */
- int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
-                  u8 mac[ETH_ALEN])
-+                  struct in_addr *netmask, u8 mac[ETH_ALEN])
- {
-        struct ifreq req;
-        int sock = -1;
-@@ -919,6 +936,19 @@ int get_netif_info(const char *net_if, u
-        in_addr.s_addr = *ip_addr;
-        os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
-+       if (netmask) {
-+               os_memset(&req, 0, sizeof(req));
-+               os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
-+               if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
-+                       wpa_printf(MSG_ERROR,
-+                                  "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
-+                                  errno, strerror(errno));
-+                       goto fail;
-+               }
-+               addr = (struct sockaddr_in *) &req.ifr_netmask;
-+               netmask->s_addr = addr->sin_addr.s_addr;
-+       }
-+
- #ifdef __linux__
-        os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
-        if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
-@@ -1025,11 +1055,15 @@ static int upnp_wps_device_start(struct
-        /* Determine which IP and mac address we're using */
-        if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
-                          sm->mac_addr)) {
-+                          &sm->netmask, sm->mac_addr)) {
-                wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
-                           "for %s. Does it have IP address?", net_if);
-                goto fail;
-        }
-+       wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
-+                  MACSTR,
-+                  sm->ip_addr_text, inet_ntoa(sm->netmask),
-+                  MAC2STR(sm->mac_addr));
-        /* Listen for incoming TCP connections so that others
-         * can fetch our "xml files" from us.
-Index: wpa_supplicant-2.9/src/wps/wps_upnp_i.h
-===================================================================
--- wpa_supplicant-2.9.orig/src/wps/wps_upnp_i.h
-+++ wpa_supplicant-2.9/src/wps/wps_upnp_i.h
-@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
-        u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
-        char *ip_addr_text; /* IP address of network i.f. we use */
-        unsigned ip_addr; /* IP address of network i.f. we use (host order) */
-+       struct in_addr netmask;
-        int multicast_sd; /* send multicast messages over this socket */
-        int ssdp_sd; /* receive discovery UPD packets on socket */
-        int ssdp_sd_registered; /* nonzero if we must unregister */
-@@ -158,7 +159,7 @@ struct subscription * subscription_find(
-                                        const u8 uuid[UUID_LEN]);
- void subscr_addr_delete(struct subscr_addr *a);
- int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
-                  u8 mac[ETH_ALEN]);
-+                  struct in_addr *netmask, u8 mac[ETH_ALEN]);
- /* wps_upnp_ssdp.c */
- void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch
new file mode 100644
index 0000000000..f9634e47c9
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch
@@ -0,0 +1,53 @@
+From 809d9d8172db8e2a08ff639875f838b5b86d2641 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <geomatsi@gmail.com>
+Date: Thu, 22 Aug 2024 00:03:41 +0300
+Subject: [PATCH] macsec_linux: Hardware offload requires Linux headers >= v5.7
+Hardware offload in Linux macsec driver is enabled in compile time if
+libnl version is >= v3.6. This is not sufficient for successful build
+since enum 'macsec_offload' has been added to Linux header if_link.h
+in kernels v5.6 and v5.7, see commits:
+- https://github.com/torvalds/linux/commit/21114b7feec29e4425a3ac48a037569c016a46c8
+- https://github.com/torvalds/linux/commit/76564261a7db80c5f5c624e0122a28787f266bdf
+New libnl with older Linux headers is a valid combination. This is how
+hostapd build failure has been detected by Buildroot autobuilder, see:
+- http://autobuild.buildroot.net/results/b59d5bc5bd17683a3a1e3577c40c802e81911f84/
+Extend compile time condition for the enablement of the macsec hardware
+offload adding Linux headers version check.
+Fixes: 40c139664439 ("macsec_linux: Add support for MACsec hardware offload")
+Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/patch/?id=809d9d8172db8e2a08ff639875f838b5b86d2641]
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+---
+ src/drivers/driver_macsec_linux.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c
+index c867154981e9..fad47a292f9f 100644
+--- a/src/drivers/driver_macsec_linux.c
+++ b/src/drivers/driver_macsec_linux.c
+@@ -19,6 +19,7 @@
+ #include <netlink/route/link.h>
+ #include <netlink/route/link/macsec.h>
+ #include <linux/if_macsec.h>
+#include <linux/version.h>
+ #include <inttypes.h>
+ 
+ #include "utils/common.h"
+@@ -32,7 +33,8 @@
+ 
+ #define UNUSED_SCI 0xffffffffffffffff
+ 
+-#if LIBNL_VER_NUM >= LIBNL_VER(3, 6)
+#if (LIBNL_VER_NUM >= LIBNL_VER(3, 6) && \
+     LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0))
+ #define LIBNL_HAS_OFFLOAD
+ #endif
+ 
+-- 
+2.39.2
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
deleted file mode 100644
index a476cf040e..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 94c401733a5a3d294cc412671166e6adfb409f53 Mon Sep 17 00:00:00 2001
-From: Joshua DeWeese <jdeweese@hennypenny.com>
-Date: Wed, 30 Jan 2019 16:19:47 -0500
-Subject: [PATCH] replace systemd install Alias with WantedBy
-According to the systemd documentation "WantedBy=foo.service in a
-service bar.service is mostly equivalent to
-Alias=foo.service.wants/bar.service in the same file." However,
-this is not really the intended purpose of install Aliases.
-Upstream-Status: Submitted [hostap@lists.infradead.org]
-Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com>
---
- wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in | 2 +-
- wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in   | 2 +-
- wpa_supplicant/systemd/wpa_supplicant.service.arg.in         | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-diff --git a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-index 03ac507..da69a87 100644
--- a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
- ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-nl80211-%I.conf -Dnl80211 -i%I
- 
- [Install]
-Alias=multi-user.target.wants/wpa_supplicant-nl80211@%i.service
-+WantedBy=multi-user.target
-diff --git a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-index c8a744d..ca3054b 100644
--- a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
- ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-%I.conf -Dwired -i%I
- 
- [Install]
-Alias=multi-user.target.wants/wpa_supplicant-wired@%i.service
-+WantedBy=multi-user.target
-diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-index 7788b38..55d2b9c 100644
--- a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
- ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I
- 
- [Install]
-Alias=multi-user.target.wants/wpa_supplicant@%i.service
-+WantedBy=multi-user.target
-- 
-2.7.4
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
deleted file mode 100644
index 59640859dd..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Wed, 3 Jun 2020 22:41:02 +0300
-Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
- path
-More than about 700 character URL ended up overflowing the wpabuf used
-for building the event notification and this resulted in the wpabuf
-buffer overflow checks terminating the hostapd process. Fix this by
-allocating the buffer to be large enough to contain the full URL path.
-However, since that around 700 character limit has been the practical
-limit for more than ten years, start explicitly enforcing that as the
-limit or the callback URLs since any longer ones had not worked before
-and there is no need to enable them now either.
-Upstream-Status: Backport
-CVE: CVE-2020-12695 patch #2
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- src/wps/wps_upnp.c       | 9 +++++++--
- src/wps/wps_upnp_event.c | 3 ++-
- 2 files changed, 9 insertions(+), 3 deletions(-)
-diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
-index 7d4b7439940e..ab685d52ecab 100644
--- a/src/wps/wps_upnp.c
-+++ b/src/wps/wps_upnp.c
-@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
-        int rerr;
-        size_t host_len, path_len;
-       /* url MUST begin with http: */
-       if (url_len < 7 || os_strncasecmp(url, "http://", 7))
-+       /* URL MUST begin with HTTP scheme. In addition, limit the length of
-+        * the URL to 700 characters which is around the limit that was
-+        * implicitly enforced for more than 10 years due to a bug in
-+        * generating the event messages. */
-+       if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
-+               wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
-                goto fail;
-+       }
-        url += 7;
-        url_len -= 7;
-diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
-index d7e6edcc6503..08a23612f338 100644
--- a/src/wps/wps_upnp_event.c
-+++ b/src/wps/wps_upnp_event.c
-@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
-        struct wpabuf *buf;
-        char *b;
-       buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
-+       buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
-+                          wpabuf_len(e->data));
-        if (buf == NULL)
-                return NULL;
-        wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
--
-2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
deleted file mode 100644
index 8a014ef28a..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Thu, 4 Jun 2020 21:24:04 +0300
-Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
- properly
-While it is appropriate to try to retransmit the event to another
-callback URL on a failure to initiate the HTTP client connection, there
-is no point in trying the exact same operation multiple times in a row.
-Replve the event_retry() calls with event_addr_failure() for these cases
-to avoid busy loops trying to repeat the same failing operation.
-These potential busy loops would go through eloop callbacks, so the
-process is not completely stuck on handling them, but unnecessary CPU
-would be used to process the continues retries that will keep failing
-for the same reason.
-Upstream-Status: Backport
-CVE: CVE-2020-12695 patch #2
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- src/wps/wps_upnp_event.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
-index 08a23612f338..c0d9e41d9a38 100644
--- a/src/wps/wps_upnp_event.c
-+++ b/src/wps/wps_upnp_event.c
-@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
-        buf = event_build_message(e);
-        if (buf == NULL) {
-               event_retry(e, 0);
-+               event_addr_failure(e);
-                return -1;
-        }
-@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
-                                         event_http_cb, e);
-        if (e->http_event == NULL) {
-                wpabuf_free(buf);
-               event_retry(e, 0);
-+               event_addr_failure(e);
-                return -1;
-        }
--
-2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig
deleted file mode 100644
index f04e398fdb..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig
+++ /dev/null
@@ -1,552 +0,0 @@
-# Example wpa_supplicant build time configuration
-#
-# This file lists the configuration options that are used when building the
-# hostapd binary. All lines starting with # are ignored. Configuration option
-# lines must be commented out complete, if they are not to be included, i.e.,
-# just setting VARIABLE=n is not disabling that variable.
-#
-# This file is included in Makefile, so variables like CFLAGS and LIBS can also
-# be modified from here. In most cases, these lines should use += in order not
-# to override previous values of the variables.
-# Uncomment following two lines and fix the paths if you have installed OpenSSL
-# or GnuTLS in non-default location
-#CFLAGS += -I/usr/local/openssl/include
-#LIBS += -L/usr/local/openssl/lib
-# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
-# the kerberos files are not in the default include path. Following line can be
-# used to fix build issues on such systems (krb5.h not found).
-#CFLAGS += -I/usr/include/kerberos
-# Example configuration for various cross-compilation platforms
-#### sveasoft (e.g., for Linksys WRT54G) ######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS += -I../src/include -I../../src/router/openssl/include
-#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl
-###############################################################################
-#### openwrt (e.g., for Linksys WRT54G) #######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \
-#       -I../WRT54GS/release/src/include
-#LIBS = -lssl
-###############################################################################
-# Driver interface for Host AP driver
-CONFIG_DRIVER_HOSTAP=y
-# Driver interface for Agere driver
-#CONFIG_DRIVER_HERMES=y
-# Change include directories to match with the local setup
-#CFLAGS += -I../../hcf -I../../include -I../../include/hcf
-#CFLAGS += -I../../include/wireless
-# Driver interface for madwifi driver
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_MADWIFI=y
-# Set include directory to the madwifi source tree
-#CFLAGS += -I../../madwifi
-# Driver interface for ndiswrapper
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_NDISWRAPPER=y
-# Driver interface for Atmel driver
-# CONFIG_DRIVER_ATMEL=y
-# Driver interface for old Broadcom driver
-# Please note that the newer Broadcom driver ("hybrid Linux driver") supports
-# Linux wireless extensions and does not need (or even work) with the old
-# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver.
-#CONFIG_DRIVER_BROADCOM=y
-# Example path for wlioctl.h; change to match your configuration
-#CFLAGS += -I/opt/WRT54GS/release/src/include
-# Driver interface for Intel ipw2100/2200 driver
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_IPW=y
-# Driver interface for Ralink driver
-#CONFIG_DRIVER_RALINK=y
-# Driver interface for generic Linux wireless extensions
-# Note: WEXT is deprecated in the current Linux kernel version and no new
-# functionality is added to it. nl80211-based interface is the new
-# replacement for WEXT and its use allows wpa_supplicant to properly control
-# the driver to improve existing functionality like roaming and to support new
-# functionality.
-CONFIG_DRIVER_WEXT=y
-# Driver interface for Linux drivers using the nl80211 kernel interface
-CONFIG_DRIVER_NL80211=y
-# driver_nl80211.c requires libnl. If you are compiling it yourself
-# you may need to point hostapd to your version of libnl.
-#
-#CFLAGS += -I$<path to libnl include files>
-#LIBS += -L$<path to libnl library files>
-# Use libnl v2.0 (or 3.0) libraries.
-#CONFIG_LIBNL20=y
-# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
-CONFIG_LIBNL32=y
-# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
-#CONFIG_DRIVER_BSD=y
-#CFLAGS += -I/usr/local/include
-#LIBS += -L/usr/local/lib
-#LIBS_p += -L/usr/local/lib
-#LIBS_c += -L/usr/local/lib
-# Driver interface for Windows NDIS
-#CONFIG_DRIVER_NDIS=y
-#CFLAGS += -I/usr/include/w32api/ddk
-#LIBS += -L/usr/local/lib
-# For native build using mingw
-#CONFIG_NATIVE_WINDOWS=y
-# Additional directories for cross-compilation on Linux host for mingw target
-#CFLAGS += -I/opt/mingw/mingw32/include/ddk
-#LIBS += -L/opt/mingw/mingw32/lib
-#CC=mingw32-gcc
-# By default, driver_ndis uses WinPcap for low-level operations. This can be
-# replaced with the following option which replaces WinPcap calls with NDISUIO.
-# However, this requires that WZC is disabled (net stop wzcsvc) before starting
-# wpa_supplicant.
-# CONFIG_USE_NDISUIO=y
-# Driver interface for development testing
-#CONFIG_DRIVER_TEST=y
-# Driver interface for wired Ethernet drivers
-CONFIG_DRIVER_WIRED=y
-# Driver interface for the Broadcom RoboSwitch family
-#CONFIG_DRIVER_ROBOSWITCH=y
-# Driver interface for no driver (e.g., WPS ER only)
-#CONFIG_DRIVER_NONE=y
-# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
-# included)
-CONFIG_IEEE8021X_EAPOL=y
-# EAP-MD5
-CONFIG_EAP_MD5=y
-# EAP-MSCHAPv2
-CONFIG_EAP_MSCHAPV2=y
-# EAP-TLS
-CONFIG_EAP_TLS=y
-# EAL-PEAP
-CONFIG_EAP_PEAP=y
-# EAP-TTLS
-CONFIG_EAP_TTLS=y
-# EAP-FAST
-# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
-# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
-# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
-#CONFIG_EAP_FAST=y
-# EAP-GTC
-CONFIG_EAP_GTC=y
-# EAP-OTP
-CONFIG_EAP_OTP=y
-# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
-#CONFIG_EAP_SIM=y
-# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
-#CONFIG_EAP_PSK=y
-# EAP-pwd (secure authentication using only a password)
-#CONFIG_EAP_PWD=y
-# EAP-PAX
-#CONFIG_EAP_PAX=y
-# LEAP
-CONFIG_EAP_LEAP=y
-# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
-#CONFIG_EAP_AKA=y
-# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
-# This requires CONFIG_EAP_AKA to be enabled, too.
-#CONFIG_EAP_AKA_PRIME=y
-# Enable USIM simulator (Milenage) for EAP-AKA
-#CONFIG_USIM_SIMULATOR=y
-# EAP-SAKE
-#CONFIG_EAP_SAKE=y
-# EAP-GPSK
-#CONFIG_EAP_GPSK=y
-# Include support for optional SHA256 cipher suite in EAP-GPSK
-#CONFIG_EAP_GPSK_SHA256=y
-# EAP-TNC and related Trusted Network Connect support (experimental)
-#CONFIG_EAP_TNC=y
-# Wi-Fi Protected Setup (WPS)
-CONFIG_WPS=y
-# Enable WSC 2.0 support
-#CONFIG_WPS2=y
-# Enable WPS external registrar functionality
-#CONFIG_WPS_ER=y
-# Disable credentials for an open network by default when acting as a WPS
-# registrar.
-#CONFIG_WPS_REG_DISABLE_OPEN=y
-# Enable WPS support with NFC config method
-#CONFIG_WPS_NFC=y
-# EAP-IKEv2
-#CONFIG_EAP_IKEV2=y
-# EAP-EKE
-#CONFIG_EAP_EKE=y
-# PKCS#12 (PFX) support (used to read private key and certificate file from
-# a file that usually has extension .p12 or .pfx)
-CONFIG_PKCS12=y
-# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
-# engine.
-CONFIG_SMARTCARD=y
-# PC/SC interface for smartcards (USIM, GSM SIM)
-# Enable this if EAP-SIM or EAP-AKA is included
-#CONFIG_PCSC=y
-# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
-#CONFIG_HT_OVERRIDES=y
-# Support VHT overrides (disable VHT, mask MCS rates, etc.)
-#CONFIG_VHT_OVERRIDES=y
-# Development testing
-#CONFIG_EAPOL_TEST=y
-# Select control interface backend for external programs, e.g, wpa_cli:
-# unix = UNIX domain sockets (default for Linux/*BSD)
-# udp = UDP sockets using localhost (127.0.0.1)
-# named_pipe = Windows Named Pipe (default for Windows)
-# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
-# y = use default (backwards compatibility)
-# If this option is commented out, control interface is not included in the
-# build.
-CONFIG_CTRL_IFACE=y
-# Include support for GNU Readline and History Libraries in wpa_cli.
-# When building a wpa_cli binary for distribution, please note that these
-# libraries are licensed under GPL and as such, BSD license may not apply for
-# the resulting binary.
-#CONFIG_READLINE=y
-# Include internal line edit mode in wpa_cli. This can be used as a replacement
-# for GNU Readline to provide limited command line editing and history support.
-#CONFIG_WPA_CLI_EDIT=y
-# Remove debugging code that is printing out debug message to stdout.
-# This can be used to reduce the size of the wpa_supplicant considerably
-# if debugging code is not needed. The size reduction can be around 35%
-# (e.g., 90 kB).
-#CONFIG_NO_STDOUT_DEBUG=y
-# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
-# 35-50 kB in code size.
-#CONFIG_NO_WPA=y
-# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
-# This option can be used to reduce code size by removing support for
-# converting ASCII passphrases into PSK. If this functionality is removed, the
-# PSK can only be configured as the 64-octet hexstring (e.g., from
-# wpa_passphrase). This saves about 0.5 kB in code size.
-#CONFIG_NO_WPA_PASSPHRASE=y
-# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
-# This can be used if ap_scan=1 mode is never enabled.
-#CONFIG_NO_SCAN_PROCESSING=y
-# Select configuration backend:
-# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
-#       path is given on command line, not here; this option is just used to
-#       select the backend that allows configuration files to be used)
-# winreg = Windows registry (see win_example.reg for an example)
-CONFIG_BACKEND=file
-# Remove configuration write functionality (i.e., to allow the configuration
-# file to be updated based on runtime configuration changes). The runtime
-# configuration can still be changed, the changes are just not going to be
-# persistent over restarts. This option can be used to reduce code size by
-# about 3.5 kB.
-#CONFIG_NO_CONFIG_WRITE=y
-# Remove support for configuration blobs to reduce code size by about 1.5 kB.
-#CONFIG_NO_CONFIG_BLOBS=y
-# Select program entry point implementation:
-# main = UNIX/POSIX like main() function (default)
-# main_winsvc = Windows service (read parameters from registry)
-# main_none = Very basic example (development use only)
-#CONFIG_MAIN=main
-# Select wrapper for operatins system and C library specific functions
-# unix = UNIX/POSIX like systems (default)
-# win32 = Windows systems
-# none = Empty template
-#CONFIG_OS=unix
-# Select event loop implementation
-# eloop = select() loop (default)
-# eloop_win = Windows events and WaitForMultipleObject() loop
-#CONFIG_ELOOP=eloop
-# Should we use poll instead of select? Select is used by default.
-#CONFIG_ELOOP_POLL=y
-# Select layer 2 packet implementation
-# linux = Linux packet socket (default)
-# pcap = libpcap/libdnet/WinPcap
-# freebsd = FreeBSD libpcap
-# winpcap = WinPcap with receive thread
-# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
-# none = Empty template
-#CONFIG_L2_PACKET=linux
-# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
-CONFIG_PEERKEY=y
-# IEEE 802.11w (management frame protection), also known as PMF
-# Driver support is also needed for IEEE 802.11w.
-#CONFIG_IEEE80211W=y
-# Select TLS implementation
-# openssl = OpenSSL (default)
-# gnutls = GnuTLS
-# internal = Internal TLSv1 implementation (experimental)
-# none = Empty template
-#CONFIG_TLS=openssl
-# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
-# can be enabled to get a stronger construction of messages when block ciphers
-# are used. It should be noted that some existing TLS v1.0 -based
-# implementation may not be compatible with TLS v1.1 message (ClientHello is
-# sent prior to negotiating which version will be used)
-#CONFIG_TLSV11=y
-# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
-# can be enabled to enable use of stronger crypto algorithms. It should be
-# noted that some existing TLS v1.0 -based implementation may not be compatible
-# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
-# will be used)
-#CONFIG_TLSV12=y
-# If CONFIG_TLS=internal is used, additional library and include paths are
-# needed for LibTomMath. Alternatively, an integrated, minimal version of
-# LibTomMath can be used. See beginning of libtommath.c for details on benefits
-# and drawbacks of this option.
-#CONFIG_INTERNAL_LIBTOMMATH=y
-#ifndef CONFIG_INTERNAL_LIBTOMMATH
-#LTM_PATH=/usr/src/libtommath-0.39
-#CFLAGS += -I$(LTM_PATH)
-#LIBS += -L$(LTM_PATH)
-#LIBS_p += -L$(LTM_PATH)
-#endif
-# At the cost of about 4 kB of additional binary size, the internal LibTomMath
-# can be configured to include faster routines for exptmod, sqr, and div to
-# speed up DH and RSA calculation considerably
-#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
-# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
-# This is only for Windows builds and requires WMI-related header files and
-# WbemUuid.Lib from Platform SDK even when building with MinGW.
-#CONFIG_NDIS_EVENTS_INTEGRATED=y
-#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
-# Add support for old DBus control interface
-# (fi.epitest.hostap.WPASupplicant)
-#CONFIG_CTRL_IFACE_DBUS=y
-# Add support for new DBus control interface
-# (fi.w1.hostap.wpa_supplicant1)
-CONFIG_CTRL_IFACE_DBUS_NEW=y
-# Add introspection support for new DBus control interface
-#CONFIG_CTRL_IFACE_DBUS_INTRO=y
-# Add support for loading EAP methods dynamically as shared libraries.
-# When this option is enabled, each EAP method can be either included
-# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
-# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
-# be loaded in the beginning of the wpa_supplicant configuration file
-# (see load_dynamic_eap parameter in the example file) before being used in
-# the network blocks.
-#
-# Note that some shared parts of EAP methods are included in the main program
-# and in order to be able to use dynamic EAP methods using these parts, the
-# main program must have been build with the EAP method enabled (=y or =dyn).
-# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
-# unless at least one of them was included in the main build to force inclusion
-# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
-# in the main build to be able to load these methods dynamically.
-#
-# Please also note that using dynamic libraries will increase the total binary
-# size. Thus, it may not be the best option for targets that have limited
-# amount of memory/flash.
-#CONFIG_DYNAMIC_EAP_METHODS=y
-# IEEE Std 802.11r-2008 (Fast BSS Transition)
-#CONFIG_IEEE80211R=y
-# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
-#CONFIG_DEBUG_FILE=y
-# Send debug messages to syslog instead of stdout
-#CONFIG_DEBUG_SYSLOG=y
-# Set syslog facility for debug messages
-#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
-# Add support for sending all debug messages (regardless of debug verbosity)
-# to the Linux kernel tracing facility. This helps debug the entire stack by
-# making it easy to record everything happening from the driver up into the
-# same file, e.g., using trace-cmd.
-#CONFIG_DEBUG_LINUX_TRACING=y
-# Enable privilege separation (see README 'Privilege separation' for details)
-#CONFIG_PRIVSEP=y
-# Enable mitigation against certain attacks against TKIP by delaying Michael
-# MIC error reports by a random amount of time between 0 and 60 seconds
-#CONFIG_DELAYED_MIC_ERROR_REPORT=y
-# Enable tracing code for developer debugging
-# This tracks use of memory allocations and other registrations and reports
-# incorrect use with a backtrace of call (or allocation) location.
-#CONFIG_WPA_TRACE=y
-# For BSD, uncomment these.
-#LIBS += -lexecinfo
-#LIBS_p += -lexecinfo
-#LIBS_c += -lexecinfo
-# Use libbfd to get more details for developer debugging
-# This enables use of libbfd to get more detailed symbols for the backtraces
-# generated by CONFIG_WPA_TRACE=y.
-#CONFIG_WPA_TRACE_BFD=y
-# For BSD, uncomment these.
-#LIBS += -lbfd -liberty -lz
-#LIBS_p += -lbfd -liberty -lz
-#LIBS_c += -lbfd -liberty -lz
-CONFIG_TLS = %ssl%
-CONFIG_CTRL_IFACE_DBUS=y
-CONFIG_CTRL_IFACE_DBUS_NEW=y
-# wpa_supplicant depends on strong random number generation being available
-# from the operating system. os_get_random() function is used to fetch random
-# data when needed, e.g., for key generation. On Linux and BSD systems, this
-# works by reading /dev/urandom. It should be noted that the OS entropy pool
-# needs to be properly initialized before wpa_supplicant is started. This is
-# important especially on embedded devices that do not have a hardware random
-# number generator and may by default start up with minimal entropy available
-# for random number generation.
-#
-# As a safety net, wpa_supplicant is by default trying to internally collect
-# additional entropy for generating random data to mix in with the data fetched
-# from the OS. This by itself is not considered to be very strong, but it may
-# help in cases where the system pool is not initialized properly. However, it
-# is very strongly recommended that the system pool is initialized with enough
-# entropy either by using hardware assisted random number generator or by
-# storing state over device reboots.
-#
-# wpa_supplicant can be configured to maintain its own entropy store over
-# restarts to enhance random number generation. This is not perfect, but it is
-# much more secure than using the same sequence of random numbers after every
-# reboot. This can be enabled with -e<entropy file> command line option. The
-# specified file needs to be readable and writable by wpa_supplicant.
-#
-# If the os_get_random() is known to provide strong random data (e.g., on
-# Linux/BSD, the board in question is known to have reliable source of random
-# data from /dev/urandom), the internal wpa_supplicant random pool can be
-# disabled. This will save some in binary size and CPU use. However, this
-# should only be considered for builds that are known to be used on devices
-# that meet the requirements described above.
-#CONFIG_NO_RANDOM_POOL=y
-# IEEE 802.11n (High Throughput) support (mainly for AP mode)
-#CONFIG_IEEE80211N=y
-# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
-# (depends on CONFIG_IEEE80211N)
-#CONFIG_IEEE80211AC=y
-# Wireless Network Management (IEEE Std 802.11v-2011)
-# Note: This is experimental and not complete implementation.
-#CONFIG_WNM=y
-# Interworking (IEEE 802.11u)
-# This can be used to enable functionality to improve interworking with
-# external networks (GAS/ANQP to learn more about the networks and network
-# selection based on available credentials).
-#CONFIG_INTERWORKING=y
-# Hotspot 2.0
-#CONFIG_HS20=y
-# Disable roaming in wpa_supplicant
-#CONFIG_NO_ROAMING=y
-# AP mode operations with wpa_supplicant
-# This can be used for controlling AP mode operations with wpa_supplicant. It
-# should be noted that this is mainly aimed at simple cases like
-# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
-# external RADIUS server can be supported with hostapd.
-CONFIG_AP=y
-CONFIG_BGSCAN_SIMPLE=y
-# P2P (Wi-Fi Direct)
-# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
-# more information on P2P operations.
-#CONFIG_P2P=y
-# Enable TDLS support
-#CONFIG_TDLS=y
-# Wi-Fi Direct
-# This can be used to enable Wi-Fi Direct extensions for P2P using an external
-# program to control the additional information exchanges in the messages.
-#CONFIG_WIFI_DISPLAY=y
-# Autoscan
-# This can be used to enable automatic scan support in wpa_supplicant.
-# See wpa_supplicant.conf for more information on autoscan usage.
-#
-# Enabling directly a module will enable autoscan support.
-# For exponential module:
-CONFIG_AUTOSCAN_EXPONENTIAL=y
-# For periodic module:
-#CONFIG_AUTOSCAN_PERIODIC=y
-# Password (and passphrase, etc.) backend for external storage
-# These optional mechanisms can be used to add support for storing passwords
-# and other secrets in external (to wpa_supplicant) location. This allows, for
-# example, operating system specific key storage to be used
-#
-# External password backend for testing purposes (developer use)
-#CONFIG_EXT_PASSWORD_TEST=y
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
new file mode 100644
index 0000000000..6dc76494f7
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
@@ -0,0 +1,137 @@
+SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
+DESCRIPTION = "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver."
+HOMEPAGE = "http://w1.fi/wpa_supplicant/"
+BUGTRACKER = "http://w1.fi/security/"
+SECTION = "network"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \
+                    file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \
+                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4"
+DEPENDS = "dbus libnl"
+SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
+           file://wpa-supplicant.sh \
+           file://wpa_supplicant.conf \
+           file://wpa_supplicant.conf-sane \
+           file://99_wpa_supplicant \
+           file://0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch \
+           "
+SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a"
+S = "${UNPACKDIR}/wpa_supplicant-${PV}"
+inherit pkgconfig systemd
+PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
+PACKAGECONFIG[openssl] = ",,openssl"
+CVE_PRODUCT = "wpa_supplicant"
+CVE_STATUS[CVE-2024-5290] = "not-applicable-platform: this only affects Ubuntu and other platforms patching wpa-supplicant"
+EXTRA_OEMAKE = "'LIBDIR=${libdir}' 'INCDIR=${includedir}' 'BINDIR=${sbindir}'"
+do_configure () {
+        ${MAKE} -C wpa_supplicant clean
+        sed -e '/^CONFIG_TLS=/d' <wpa_supplicant/defconfig >wpa_supplicant/.config
+        if ${@ bb.utils.contains('PACKAGECONFIG', 'openssl', 'true', 'false', d) }; then
+                echo 'CONFIG_TLS=openssl' >>wpa_supplicant/.config
+        elif ${@ bb.utils.contains('PACKAGECONFIG', 'gnutls', 'true', 'false', d) }; then
+                echo 'CONFIG_TLS=gnutls' >>wpa_supplicant/.config
+        sed -i -e 's/\(^CONFIG_DPP=\)/#\1/' \
+               -e 's/\(^CONFIG_EAP_PWD=\)/#\1/' \
+               -e 's/\(^CONFIG_SAE=\)/#\1/' wpa_supplicant/.config
+        fi
+        # For rebuild
+        rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d
+}
+do_compile () {
+        oe_runmake -C wpa_supplicant
+        if [ -z "${DISABLE_STATIC}" ]; then
+                oe_runmake -C wpa_supplicant libwpa_client.a
+        fi
+}
+do_install () {
+        oe_runmake -C wpa_supplicant DESTDIR="${D}" install
+        install -d ${D}${docdir}/wpa_supplicant
+        install -m 644 wpa_supplicant/README ${UNPACKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
+        install -d ${D}${sysconfdir}
+        install -m 600 ${UNPACKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
+        install -d ${D}${sysconfdir}/network/if-pre-up.d/
+        install -d ${D}${sysconfdir}/network/if-post-down.d/
+        install -d ${D}${sysconfdir}/network/if-down.d/
+        install -m 755 ${UNPACKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
+        ln -sf ../if-pre-up.d/wpa-supplicant ${D}${sysconfdir}/network/if-post-down.d/wpa-supplicant
+        install -d ${D}/${sysconfdir}/dbus-1/system.d
+        install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d
+        install -d ${D}/${datadir}/dbus-1/system-services
+        install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services
+        if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+                install -d ${D}/${systemd_system_unitdir}
+                install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_system_unitdir}
+        fi
+        install -d ${D}/etc/default/volatiles
+        install -m 0644 ${UNPACKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
+        install -d ${D}${includedir}
+        install -m 0644 ${S}/src/common/wpa_ctrl.h ${D}${includedir}
+        if [ -z "${DISABLE_STATIC}" ]; then
+                install -d ${D}${libdir}
+                install -m 0644 wpa_supplicant/libwpa_client.a ${D}${libdir}
+        fi
+}
+pkg_postinst:${PN} () {
+        # If we're offline, we don't need to do this.
+        if [ "x$D" = "x" ]; then
+                killall -q -HUP dbus-daemon || true
+        fi
+}
+PACKAGE_BEFORE_PN += "${PN}-passphrase ${PN}-cli"
+PACKAGES =+ "${PN}-lib"
+PACKAGES += "${PN}-plugins"
+ALLOW_EMPTY:${PN}-plugins = "1"
+PACKAGES_DYNAMIC += "^${PN}-plugin-.*$"
+NOAUTOPACKAGEDEBUG = "1"
+FILES:${PN}-passphrase = "${sbindir}/wpa_passphrase"
+FILES:${PN}-cli = "${sbindir}/wpa_cli"
+FILES:${PN}-lib = "${libdir}/libwpa_client*${SOLIBSDEV}"
+FILES:${PN} += "${datadir}/dbus-1/system-services/* ${systemd_system_unitdir}/*"
+FILES:${PN}-dbg += "${sbindir}/.debug ${libdir}/.debug"
+CONFFILES:${PN} += "${sysconfdir}/wpa_supplicant.conf"
+RRECOMMENDS:${PN} = "${PN}-passphrase ${PN}-cli ${PN}-plugins"
+SYSTEMD_SERVICE:${PN} = "wpa_supplicant.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+python split_wpa_supplicant_libs () {
+    libdir = d.expand('${libdir}/wpa_supplicant')
+    dbglibdir = os.path.join(libdir, '.debug')
+    split_packages = do_split_packages(d, libdir, r'^(.*)\.so', '${PN}-plugin-%s', 'wpa_supplicant %s plugin', prepend=True)
+    split_dbg_packages = do_split_packages(d, dbglibdir, r'^(.*)\.so', '${PN}-plugin-%s-dbg', 'wpa_supplicant %s plugin - Debugging files', prepend=True, extra_depends='${PN}-dbg')
+    if split_packages:
+        pn = d.getVar('PN')
+        d.setVar('RRECOMMENDS:' + pn + '-plugins', ' '.join(split_packages))
+        d.appendVar('RRECOMMENDS:' + pn + '-dbg', ' ' + ' '.join(split_dbg_packages))
+}
+PACKAGESPLITFUNCS += "split_wpa_supplicant_libs"
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
deleted file mode 100644
index 7cc03fef7d..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ /dev/null
@@ -1,113 +0,0 @@
-SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
-HOMEPAGE = "http://w1.fi/wpa_supplicant/"
-BUGTRACKER = "http://w1.fi/security/"
-SECTION = "network"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://COPYING;md5=279b4f5abb9c153c285221855ddb78cc \
-                    file://README;beginline=1;endline=56;md5=e7d3dbb01f75f0b9799e192731d1e1ff \
-                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=0a8b56d3543498b742b9c0e94cc2d18b"
-DEPENDS = "dbus libnl"
-RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
-PACKAGECONFIG ??= "gnutls"
-PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
-PACKAGECONFIG[openssl] = ",,openssl"
-inherit pkgconfig systemd
-SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
-           file://defconfig \
-           file://wpa-supplicant.sh \
-           file://wpa_supplicant.conf \
-           file://wpa_supplicant.conf-sane \
-           file://99_wpa_supplicant \
-           file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
-           file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
-           file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
-           file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
-           file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
-          "
-SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
-SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
-CVE_PRODUCT = "wpa_supplicant"
-S = "${WORKDIR}/wpa_supplicant-${PV}"
-PACKAGES_prepend = "wpa-supplicant-passphrase wpa-supplicant-cli "
-FILES_wpa-supplicant-passphrase = "${bindir}/wpa_passphrase"
-FILES_wpa-supplicant-cli = "${sbindir}/wpa_cli"
-FILES_${PN} += "${datadir}/dbus-1/system-services/* ${systemd_system_unitdir}/*"
-CONFFILES_${PN} += "${sysconfdir}/wpa_supplicant.conf"
-do_configure () {
-        ${MAKE} -C wpa_supplicant clean
-        install -m 0755 ${WORKDIR}/defconfig wpa_supplicant/.config
-        if echo "${PACKAGECONFIG}" | grep -qw "openssl"; then
-                ssl=openssl
-        elif echo "${PACKAGECONFIG}" | grep -qw "gnutls"; then
-                ssl=gnutls
-        fi
-        if [ -n "$ssl" ]; then
-                sed -i "s/%ssl%/$ssl/" wpa_supplicant/.config
-        fi
-        # For rebuild
-        rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d
-}
-export EXTRA_CFLAGS = "${CFLAGS}"
-export BINDIR = "${sbindir}"
-do_compile () {
-        unset CFLAGS CPPFLAGS CXXFLAGS
-        sed -e "s:CFLAGS\ =.*:& \$(EXTRA_CFLAGS):g" -i ${S}/src/lib.rules
-        oe_runmake -C wpa_supplicant
-}
-do_install () {
-        install -d ${D}${sbindir}
-        install -m 755 wpa_supplicant/wpa_supplicant ${D}${sbindir}
-        install -m 755 wpa_supplicant/wpa_cli        ${D}${sbindir}
-        install -d ${D}${bindir}
-        install -m 755 wpa_supplicant/wpa_passphrase ${D}${bindir}
-        install -d ${D}${docdir}/wpa_supplicant
-        install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
-        install -d ${D}${sysconfdir}
-        install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
-        install -d ${D}${sysconfdir}/network/if-pre-up.d/
-        install -d ${D}${sysconfdir}/network/if-post-down.d/
-        install -d ${D}${sysconfdir}/network/if-down.d/
-        install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
-        cd ${D}${sysconfdir}/network/ && \
-        ln -sf ../if-pre-up.d/wpa-supplicant if-post-down.d/wpa-supplicant
-        install -d ${D}/${sysconfdir}/dbus-1/system.d
-        install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d
-        install -d ${D}/${datadir}/dbus-1/system-services
-        install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services
-        if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-                install -d ${D}/${systemd_unitdir}/system
-                install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_unitdir}/system
-        fi
-        install -d ${D}/etc/default/volatiles
-        install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
-}
-pkg_postinst_wpa-supplicant () {
-        # If we're offline, we don't need to do this.
-        if [ "x$D" = "x" ]; then
-                killall -q -HUP dbus-daemon || true
-        fi
-}