102 files changed, 1608 insertions, 2569 deletions

diff --git a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb b/meta/recipes-connectivity/avahi/avahi-libnss-mdns_0.15.1.bb
index 0db609fc47..d45c06357d 100644
--- a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb
+++ b/meta/recipes-connectivity/avahi/avahi-libnss-mdns_0.15.1.bb
@@ -13,8 +13,6 @@ SRC_URI = "git://github.com/lathiat/nss-mdns;branch=master;protocol=https \
 
 SRCREV = "4b3cfe818bf72d99a02b8ca8b8813cb2d6b40633"
 
-S = "${WORKDIR}/git"
-
 inherit autotools pkgconfig
 
 COMPATIBLE_HOST:libc-musl = 'null'
@@ -22,6 +20,7 @@ COMPATIBLE_HOST:libc-musl = 'null'
 EXTRA_OECONF = "--libdir=${base_libdir}"
 
 RDEPENDS:${PN} = "avahi-daemon"
+RPROVIDES:${PN} = "libnss-mdns"
 
 pkg_postinst:${PN} () {
         sed '
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 1f18d4491d..220160a7e1 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -85,7 +85,7 @@ do_compile:prepend() {
     export GIR_EXTRA_LIBS_PATH="${B}/avahi-gobject/.libs:${B}/avahi-common/.libs:${B}/avahi-client/.libs:${B}/avahi-glib/.libs"
 }
 
-RRECOMMENDS:${PN}:append:libc-glibc = " libnss-mdns"
+RRECOMMENDS:${PN}:append:libc-glibc = " avahi-libnss-mdns"
 
 do_install() {
         autotools_do_install
@@ -157,7 +157,7 @@ DEV_PKG_DEPENDENCY = "avahi-daemon (= ${EXTENDPKGV}) libavahi-core (= ${EXTENDPK
 DEV_PKG_DEPENDENCY += "${@["", " libavahi-client (= ${EXTENDPKGV})"][bb.utils.contains('PACKAGECONFIG', 'dbus', 1, 0, d)]}"
 RDEPENDS:${PN}-dnsconfd = "${PN}-daemon"
 
-RRECOMMENDS:avahi-daemon:append:libc-glibc = " libnss-mdns"
+RRECOMMENDS:avahi-daemon:append:libc-glibc = " avahi-libnss-mdns"
 
 CONFFILES:avahi-daemon = "${sysconfdir}/avahi/avahi-daemon.conf"
 
@@ -184,8 +184,8 @@ SYSTEMD_SERVICE:${PN}-dnsconfd = "avahi-dnsconfd.service"
 
 do_install:append() {
         install -d ${D}${sysconfdir}/udhcpc.d
-        install ${WORKDIR}/00avahi-autoipd ${D}${sysconfdir}/udhcpc.d
-        install ${WORKDIR}/99avahi-autoipd ${D}${sysconfdir}/udhcpc.d
+        install ${UNPACKDIR}/00avahi-autoipd ${D}${sysconfdir}/udhcpc.d
+        install ${UNPACKDIR}/99avahi-autoipd ${D}${sysconfdir}/udhcpc.d
 }
 
 # At the time the postinst runs, dbus might not be setup so only restart if running 
diff --git a/meta/recipes-connectivity/avahi/files/initscript.patch b/meta/recipes-connectivity/avahi/files/initscript.patch
index c856c3df04..e1176888df 100644
--- a/meta/recipes-connectivity/avahi/files/initscript.patch
+++ b/meta/recipes-connectivity/avahi/files/initscript.patch
@@ -1,4 +1,8 @@
-Upstream-Status: Pending
+Note: upcoming avahi 0.9 drops debian initscripts altogether,
+so any version update would probably have to copy the last
+upstream versions into oe-core, and install them from the recipe.
+
+Upstream-Status: Inappropriate [upstream removed the files]
 
 Index: avahi-0.7/initscript/debian/avahi-daemon.in
 ===================================================================
diff --git a/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch
index ec1bc7b567..78ab6b87fc 100644
--- a/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch
+++ b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch
@@ -1,4 +1,4 @@
-From 31dde3562f287429eea94b77250d184818b49063 Mon Sep 17 00:00:00 2001
+From c70f74164bea8a8c54c03becffb2f21103dd1f31 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 15 Oct 2018 16:55:09 +0800
 Subject: [PATCH] avoid start failure with bind user
@@ -11,7 +11,7 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/init.d b/init.d
-index b2eec60..6e03936 100644
+index 95e8909..771d349 100644
 --- a/init.d
 +++ b/init.d
 @@ -57,6 +57,7 @@ case "$1" in
@@ -22,6 +22,3 @@ index b2eec60..6e03936 100644
             chmod 0640 /etc/bind/rndc.key
         fi
         if [ -f /var/run/named/named.pid ]; then
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch
index 4c10f33f04..53e439721f 100644
--- a/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch
+++ b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch
@@ -1,4 +1,4 @@
-From 4e83392e840fa7b05e778710b8c202d102477a13 Mon Sep 17 00:00:00 2001
+From 0dd67d85705cbcfa9a2759c46f3cdf3d0d6375de Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
 Date: Mon, 27 Aug 2018 21:24:20 +0800
 Subject: [PATCH] `named/lwresd -V' and start log hide build options
@@ -15,13 +15,12 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
 
 Refreshed for 9.16.0
 Signed-off-by: Armin Kuster <akuster@mvista.com>
-
 ---
  configure.ac | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index bf20690..c5d330f 100644
+index f9cf4a4..0ce3d26 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -35,7 +35,7 @@ AC_DEFINE([PACKAGE_VERSION_EXTRA], ["][bind_VERSION_EXTRA]["], [BIND 9 Extra par
diff --git a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
index 38d07cae39..38d208fc1c 100644
--- a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
+++ b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
@@ -1,4 +1,4 @@
-From 5ae30329f168c1e8d2e0c3831988a4f3e9096e39 Mon Sep 17 00:00:00 2001
+From 8c9c817933eef20328f10237bbd964580db0a3ad Mon Sep 17 00:00:00 2001
 From: Paul Gortmaker <paul.gortmaker@windriver.com>
 Date: Tue, 9 Jun 2015 11:22:00 -0400
 Subject: [PATCH] bind: ensure searching for json headers searches sysroot
@@ -27,16 +27,15 @@ to make use of the combination some day.
 
 Upstream-Status: Inappropriate [OE Specific]
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-
 ---
  configure.ac | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index 2ab8ddd..92fe983 100644
+index 334b551..f9cf4a4 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -761,7 +761,7 @@ AS_CASE([$with_lmdb],
+@@ -863,7 +863,7 @@ AS_CASE([$with_lmdb],
         [no],[],
         [auto|yes], [PKG_CHECK_MODULES([LMDB], [lmdb],
                                        [ac_lib_lmdb_found=yes],
diff --git a/meta/recipes-connectivity/bind/bind/conf.patch b/meta/recipes-connectivity/bind/bind/conf.patch
index aa3642acec..102fe46ffe 100644
--- a/meta/recipes-connectivity/bind/bind/conf.patch
+++ b/meta/recipes-connectivity/bind/bind/conf.patch
@@ -1,12 +1,43 @@
+From 83a892af19bf1455ce7132350332ed6d7f1e2b94 Mon Sep 17 00:00:00 2001
+From: Qing He <qing.he@intel.com>
+Date: Tue, 30 Nov 2010 13:35:42 +0800
+Subject: [PATCH] bind: add new recipe
+
 Upstream-Status: Inappropriate [configuration]
 
 the patch is imported from openembedded project
 
 11/30/2010 - Qing He <qing.he@intel.com>
+---
+ conf/db.0               | 12 +++++++
+ conf/db.127             | 13 ++++++++
+ conf/db.255             | 12 +++++++
+ conf/db.empty           | 14 +++++++++
+ conf/db.local           | 13 ++++++++
+ conf/db.root            | 45 ++++++++++++++++++++++++++
+ conf/named.conf         | 49 +++++++++++++++++++++++++++++
+ conf/named.conf.local   |  8 +++++
+ conf/named.conf.options | 24 ++++++++++++++
+ conf/zones.rfc1918      | 20 ++++++++++++
+ init.d                  | 70 +++++++++++++++++++++++++++++++++++++++++
+ 11 files changed, 280 insertions(+)
+ create mode 100644 conf/db.0
+ create mode 100644 conf/db.127
+ create mode 100644 conf/db.255
+ create mode 100644 conf/db.empty
+ create mode 100644 conf/db.local
+ create mode 100644 conf/db.root
+ create mode 100644 conf/named.conf
+ create mode 100644 conf/named.conf.local
+ create mode 100644 conf/named.conf.options
+ create mode 100644 conf/zones.rfc1918
+ create mode 100644 init.d
 
-diff -urN bind-9.3.1.orig/conf/db.0 bind-9.3.1/conf/db.0
---- bind-9.3.1.orig/conf/db.0   1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.0        2005-07-10 22:14:00.000000000 +0200
+diff --git a/conf/db.0 b/conf/db.0
+new file mode 100644
+index 0000000..e3aabdb
+--- /dev/null
++++ b/conf/db.0
 @@ -0,0 +1,12 @@
 +;
 +; BIND reverse data file for broadcast zone
@@ -20,9 +51,11 @@ diff -urN bind-9.3.1.orig/conf/db.0 bind-9.3.1/conf/db.0
 +                        604800 )       ; Negative Cache TTL
 +;
 +@      IN      NS      localhost.
-diff -urN bind-9.3.1.orig/conf/db.127 bind-9.3.1/conf/db.127
---- bind-9.3.1.orig/conf/db.127 1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.127      2005-07-10 22:14:00.000000000 +0200
+diff --git a/conf/db.127 b/conf/db.127
+new file mode 100644
+index 0000000..cd05bef
+--- /dev/null
++++ b/conf/db.127
 @@ -0,0 +1,13 @@
 +;
 +; BIND reverse data file for local loopback interface
@@ -37,43 +70,49 @@ diff -urN bind-9.3.1.orig/conf/db.127 bind-9.3.1/conf/db.127
 +;
 +@      IN      NS      localhost.
 +1.0.0  IN      PTR     localhost.
-diff -urN bind-9.3.1.orig/conf/db.empty bind-9.3.1/conf/db.empty
---- bind-9.3.1.orig/conf/db.empty       1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.empty    2005-07-10 22:14:00.000000000 +0200
-@@ -0,0 +1,14 @@
-+; BIND reverse data file for empty rfc1918 zone
+diff --git a/conf/db.255 b/conf/db.255
+new file mode 100644
+index 0000000..16cd819
+--- /dev/null
++++ b/conf/db.255
+@@ -0,0 +1,12 @@
 +;
-+; DO NOT EDIT THIS FILE - it is used for multiple zones.
-+; Instead, copy it, edit named.conf, and use that copy.
++; BIND reserve data file for broadcast zone
 +;
-+$TTL   86400
++$TTL   604800
 +@      IN      SOA     localhost. root.localhost. (
 +                             1         ; Serial
 +                        604800         ; Refresh
 +                         86400         ; Retry
 +                       2419200         ; Expire
-+                         86400 )       ; Negative Cache TTL
++                        604800 )       ; Negative Cache TTL
 +;
 +@      IN      NS      localhost.
-diff -urN bind-9.3.1.orig/conf/db.255 bind-9.3.1/conf/db.255
---- bind-9.3.1.orig/conf/db.255 1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.255      2005-07-10 22:14:00.000000000 +0200
-@@ -0,0 +1,12 @@
+diff --git a/conf/db.empty b/conf/db.empty
+new file mode 100644
+index 0000000..8a12858
+--- /dev/null
++++ b/conf/db.empty
+@@ -0,0 +1,14 @@
++; BIND reverse data file for empty rfc1918 zone
 +;
-+; BIND reserve data file for broadcast zone
++; DO NOT EDIT THIS FILE - it is used for multiple zones.
++; Instead, copy it, edit named.conf, and use that copy.
 +;
-+$TTL   604800
++$TTL   86400
 +@      IN      SOA     localhost. root.localhost. (
 +                             1         ; Serial
 +                        604800         ; Refresh
 +                         86400         ; Retry
 +                       2419200         ; Expire
-+                        604800 )       ; Negative Cache TTL
++                         86400 )       ; Negative Cache TTL
 +;
 +@      IN      NS      localhost.
-diff -urN bind-9.3.1.orig/conf/db.local bind-9.3.1/conf/db.local
---- bind-9.3.1.orig/conf/db.local       1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.local    2005-07-10 22:14:00.000000000 +0200
+diff --git a/conf/db.local b/conf/db.local
+new file mode 100644
+index 0000000..66b4892
+--- /dev/null
++++ b/conf/db.local
 @@ -0,0 +1,13 @@
 +;
 +; BIND data file for local loopback interface
@@ -88,9 +127,11 @@ diff -urN bind-9.3.1.orig/conf/db.local bind-9.3.1/conf/db.local
 +;
 +@      IN      NS      localhost.
 +@      IN      A       127.0.0.1
-diff -urN bind-9.3.1.orig/conf/db.root bind-9.3.1/conf/db.root
---- bind-9.3.1.orig/conf/db.root        1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.root     2005-07-10 22:14:00.000000000 +0200
+diff --git a/conf/db.root b/conf/db.root
+new file mode 100644
+index 0000000..01c20f0
+--- /dev/null
++++ b/conf/db.root
 @@ -0,0 +1,45 @@
 +
 +; <<>> DiG 9.2.3 <<>> ns . @a.root-servers.net.
@@ -137,9 +178,11 @@ diff -urN bind-9.3.1.orig/conf/db.root bind-9.3.1/conf/db.root
 +;; WHEN: Sun Feb  1 11:27:14 2004
 +;; MSG SIZE  rcvd: 436
 +
-diff -urN bind-9.3.1.orig/conf/named.conf bind-9.3.1/conf/named.conf
---- bind-9.3.1.orig/conf/named.conf     1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/named.conf  2005-07-10 22:33:46.000000000 +0200
+diff --git a/conf/named.conf b/conf/named.conf
+new file mode 100644
+index 0000000..95829cf
+--- /dev/null
++++ b/conf/named.conf
 @@ -0,0 +1,49 @@
 +// This is the primary configuration file for the BIND DNS server named.
 +//
@@ -190,9 +233,11 @@ diff -urN bind-9.3.1.orig/conf/named.conf bind-9.3.1/conf/named.conf
 +// root-delegation-only exclude { "DE"; "MUSEUM"; };
 +
 +include "/etc/bind/named.conf.local";
-diff -urN bind-9.3.1.orig/conf/named.conf.local bind-9.3.1/conf/named.conf.local
---- bind-9.3.1.orig/conf/named.conf.local       1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/named.conf.local    2005-07-10 22:14:06.000000000 +0200
+diff --git a/conf/named.conf.local b/conf/named.conf.local
+new file mode 100644
+index 0000000..7a57b10
+--- /dev/null
++++ b/conf/named.conf.local
 @@ -0,0 +1,8 @@
 +//
 +// Do any local configuration here
@@ -202,9 +247,11 @@ diff -urN bind-9.3.1.orig/conf/named.conf.local bind-9.3.1/conf/named.conf.local
 +// organization
 +//include "/etc/bind/zones.rfc1918";
 +
-diff -urN bind-9.3.1.orig/conf/named.conf.options bind-9.3.1/conf/named.conf.options
---- bind-9.3.1.orig/conf/named.conf.options     1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/named.conf.options  2005-07-10 22:14:06.000000000 +0200
+diff --git a/conf/named.conf.options b/conf/named.conf.options
+new file mode 100644
+index 0000000..813193d
+--- /dev/null
++++ b/conf/named.conf.options
 @@ -0,0 +1,24 @@
 +options {
 +       directory "/var/cache/bind";
@@ -230,9 +277,11 @@ diff -urN bind-9.3.1.orig/conf/named.conf.options bind-9.3.1/conf/named.conf.opt
 +
 +};
 +
-diff -urN bind-9.3.1.orig/conf/zones.rfc1918 bind-9.3.1/conf/zones.rfc1918
---- bind-9.3.1.orig/conf/zones.rfc1918  1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/zones.rfc1918       2005-07-10 22:14:10.000000000 +0200
+diff --git a/conf/zones.rfc1918 b/conf/zones.rfc1918
+new file mode 100644
+index 0000000..03b5546
+--- /dev/null
++++ b/conf/zones.rfc1918
 @@ -0,0 +1,20 @@
 +zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
 + 
@@ -254,9 +303,11 @@ diff -urN bind-9.3.1.orig/conf/zones.rfc1918 bind-9.3.1/conf/zones.rfc1918
 +zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
 +
 +zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
-diff -urN bind-9.3.1.orig/init.d bind-9.3.1/init.d
---- bind-9.3.1.orig/init.d      1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/init.d   2005-07-10 23:09:58.000000000 +0200
+diff --git a/init.d b/init.d
+new file mode 100644
+index 0000000..2ef2277
+--- /dev/null
++++ b/init.d
 @@ -0,0 +1,70 @@
 +#!/bin/sh
 +
diff --git a/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch
index 11db95ede1..984d401c70 100644
--- a/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch
+++ b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch
@@ -1,14 +1,17 @@
-Subject: init.d: add support for read-only rootfs
+From 1393cbf6b0084128fdfc9b5afb3bcc307265d094 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Thu, 27 Mar 2014 02:34:41 +0000
+Subject: [PATCH] init.d: add support for read-only rootfs
 
 Upstream-Status: Inappropriate [oe specific]
 
 Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 ---
- init.d |   40 ++++++++++++++++++++++++++++++++++++++++
+ init.d | 40 ++++++++++++++++++++++++++++++++++++++++
  1 file changed, 40 insertions(+)
 
 diff --git a/init.d b/init.d
-index 0111ed4..24677c8 100644
+index 2ef2277..95e8909 100644
 --- a/init.d
 +++ b/init.d
 @@ -6,8 +6,48 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
@@ -60,6 +63,3 @@ index 0111ed4..24677c8 100644
  test -x /usr/sbin/rndc || exit 0
  
  case "$1" in
--- 
-1.7.9.5
-
diff --git a/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
index 146f3e35db..74f2ef83a0 100644
--- a/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
+++ b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
@@ -1,4 +1,7 @@
-bind: make "/etc/init.d/bind stop" work
+From ce06506bb3fe661e03161af3a603bd228590a254 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Thu, 15 Nov 2012 02:27:54 +0000
+Subject: [PATCH] bind: make "/etc/init.d/bind stop" work
 
 Upstream-Status: Inappropriate [configuration]
 
@@ -7,13 +10,13 @@ the named daemon.
 
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
 ---
- conf/named.conf |    5 +++++
- conf/rndc.conf  |    5 +++++
- 2 files changed, 10 insertions(+), 0 deletions(-)
+ conf/named.conf | 5 +++++
+ conf/rndc.conf  | 5 +++++
+ 2 files changed, 10 insertions(+)
  create mode 100644 conf/rndc.conf
 
 diff --git a/conf/named.conf b/conf/named.conf
-index 95829cf..c8899e7 100644
+index 95829cf..021dbca 100644
 --- a/conf/named.conf
 +++ b/conf/named.conf
 @@ -47,3 +47,8 @@ zone "255.in-addr.arpa" {
@@ -27,7 +30,7 @@ index 95829cf..c8899e7 100644
 +};
 diff --git a/conf/rndc.conf b/conf/rndc.conf
 new file mode 100644
-index 0000000..a0b481d
+index 0000000..4b43a3d
 --- /dev/null
 +++ b/conf/rndc.conf
 @@ -0,0 +1,5 @@
@@ -36,7 +39,3 @@ index 0000000..a0b481d
 +       default-server  localhost;
 +       default-key     rndc-key;
 +};
-
--- 
-1.7.5.4
-
diff --git a/meta/recipes-connectivity/bind/bind_9.18.25.bb b/meta/recipes-connectivity/bind/bind_9.20.10.bb
index cc35604aba..32f0bdf7b5 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.25.bb
+++ b/meta/recipes-connectivity/bind/bind_9.20.10.bb
@@ -6,7 +6,7 @@ SECTION = "console/network"
 LICENSE = "MPL-2.0"
 LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c7a0b6d9a1b692a5da9af9d503671f43"
 
-DEPENDS = "openssl libcap zlib libuv"
+DEPENDS = "openssl libcap zlib libuv liburcu"
 
 SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://conf.patch \
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "5a4a70432a33d009f0e6e9dbb328aae7a5e27507e98e28bf3c0c6b250ccb2ab3"
+SRC_URI[sha256sum] = "0fb3ba2c337bb488ca68f5df296c435cd255058fb63d0822e91db0235c905716"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2
@@ -34,7 +34,7 @@ inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-a
 
 # PACKAGECONFIGs readline and libedit should NOT be set at same time
 PACKAGECONFIG ?= "readline"
-PACKAGECONFIG[httpstats] = "--with-libxml2=${STAGING_DIR_HOST}${prefix},--without-libxml2,libxml2"
+PACKAGECONFIG[httpstats] = "--with-libxml2,--without-libxml2,libxml2"
 PACKAGECONFIG[readline] = "--with-readline=readline,,readline"
 PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit"
 PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2"
@@ -44,7 +44,7 @@ EXTRA_OECONF = " --disable-auto-validation \
                  --sysconfdir=${sysconfdir}/bind \
                  --with-openssl=${STAGING_DIR_HOST}${prefix} \
                "
-LDFLAGS:append = " -lz"
+LDFLAGS += "-lz"
 
 # dhcp needs .la so keep them
 REMOVE_LIBTOOL_LA = "0"
@@ -68,15 +68,15 @@ do_install:append() {
 
         # Install systemd related files
         install -d ${D}${sbindir}
-        install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir}
+        install -m 755 ${UNPACKDIR}/generate-rndc-key.sh ${D}${sbindir}
         install -d ${D}${systemd_system_unitdir}
-        install -m 0644 ${WORKDIR}/named.service ${D}${systemd_system_unitdir}
+        install -m 0644 ${UNPACKDIR}/named.service ${D}${systemd_system_unitdir}
         sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
                -e 's,@SBINDIR@,${sbindir},g' \
                ${D}${systemd_system_unitdir}/named.service
 
         install -d ${D}${sysconfdir}/default
-        install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default
+        install -m 0644 ${UNPACKDIR}/bind9 ${D}${sysconfdir}/default
 
         if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
                 install -d ${D}${sysconfdir}/tmpfiles.d
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index a31d7076ba..287ebf658e 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -7,7 +7,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
                     file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \
                     file://src/main.c;beginline=1;endline=24;md5=0ad83ca0dc37ab08af448777c581e7ac"
 DEPENDS = "dbus glib-2.0"
-RDEPENDS:${PN} += "dbus"
 PROVIDES += "bluez-hcidump"
 RPROVIDES:${PN} += "bluez-hcidump"
 
@@ -18,6 +17,14 @@ PACKAGECONFIG ??= "obex-profiles \
     ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
     a2dp-profiles \
     avrcp-profiles \
+    bap-profiles \
+    bass-profiles \
+    mcp-profiles \
+    ccp-profiles \
+    vcp-profiles \
+    micp-profiles \
+    csip-profiles \
+    asha-profiles \
     network-profiles \
     hid-profiles \
     hog-profiles \
@@ -39,6 +46,14 @@ PACKAGECONFIG[network-profiles] = "--enable-network,--disable-network"
 PACKAGECONFIG[hid-profiles] = "--enable-hid,--disable-hid"
 PACKAGECONFIG[hog-profiles] = "--enable-hog,--disable-hog"
 PACKAGECONFIG[health-profiles] = "--enable-health,--disable-health"
+PACKAGECONFIG[bap-profiles] = "--enable-bap,--disable-bap"
+PACKAGECONFIG[bass-profiles] = "--enable-bass,--disable-bass"
+PACKAGECONFIG[mcp-profiles] = "--enable-mcp,--disable-mcp"
+PACKAGECONFIG[ccp-profiles] = "--enable-ccp,--disable-ccp"
+PACKAGECONFIG[vcp-profiles] = "--enable-vcp,--disable-vcp"
+PACKAGECONFIG[micp-profiles] = "--enable-micp,--disable-micp"
+PACKAGECONFIG[csip-profiles] = "--enable-csip,--disable-csip"
+PACKAGECONFIG[asha-profiles] = "--enable-asha,--disable-asha"
 PACKAGECONFIG[sixaxis] = "--enable-sixaxis,--disable-sixaxis"
 PACKAGECONFIG[tools] = "--enable-tools,--disable-tools"
 PACKAGECONFIG[threads] = "--enable-threads,--disable-threads"
@@ -51,12 +66,10 @@ PACKAGECONFIG[manpages] = "--enable-manpages,--disable-manpages,python3-docutils
 SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
            file://init \
            file://run-ptest \
-           ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
            file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
-           file://0001-test-gatt-Fix-hung-issue.patch \
-           file://0004-src-shared-util.c-include-linux-limits.h.patch \
+           file://0001-bluez5-disable-aics-tests.patch \
            "
-S = "${WORKDIR}/bluez-${PV}"
+S = "${UNPACKDIR}/bluez-${PV}"
 
 CVE_PRODUCT = "bluez"
 
@@ -85,20 +98,16 @@ NOINST_TOOLS = " \
 
 do_install:append() {
         install -d ${D}${INIT_D_DIR}
-        install -m 0755 ${WORKDIR}/init ${D}${INIT_D_DIR}/bluetooth
+        install -m 0755 ${UNPACKDIR}/init ${D}${INIT_D_DIR}/bluetooth
 
-        if [ -f ${D}/${sysconfdir}/init.d/bluetooth ]; then
-                sed -i -e 's#@LIBEXECDIR@#${libexecdir}#g' ${D}/${sysconfdir}/init.d/bluetooth
+        if [ -f ${D}${sysconfdir}/init.d/bluetooth ]; then
+                sed -i -e 's#@LIBEXECDIR@#${libexecdir}#g' ${D}${sysconfdir}/init.d/bluetooth
         fi
 
         # Install desired tools that upstream leaves in build area
         for f in ${NOINST_TOOLS} ; do
-                install -m 755 ${B}/$f ${D}/${bindir}
+                install -m 755 ${B}/$f ${D}${bindir}
         done
-
-        # Patch python tools to use Python 3; they should be source compatible, but
-        # still refer to Python 2 in the shebang
-        sed -i -e '1s,#!.*python.*,#!${bindir}/python3,' ${D}${libdir}/bluez/test/*
 }
 
 PACKAGES =+ "${PN}-testtools ${PN}-obex ${PN}-noinst-tools"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
deleted file mode 100644
index 618ed734a9..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From f74eb97c9fb3c0ee2895742e773ac6a3c41c999c Mon Sep 17 00:00:00 2001
-From: Giovanni Campagna <gcampagna-cNUdlRotFMnNLxjTenLetw@public.gmane.org>
-Date: Sat, 12 Oct 2013 17:45:25 +0200
-Subject: [PATCH] Allow using obexd without systemd in the user session
-
-Not all sessions run systemd --user (actually, the majority
-doesn't), so the dbus daemon must be able to spawn obexd
-directly, and to do so it needs the full path of the daemon.
-
-Upstream-Status: Denied
-
-Not accepted by upstream maintainer for being a distro specific
-configuration. See thread:
-
-http://thread.gmane.org/gmane.linux.bluez.kernel/38725/focus=38843
-
-Signed-off-by: Javier Viguera <javier.viguera@digi.com>
-
----
- Makefile.obexd                                                | 4 ++--
- .../src/{org.bluez.obex.service => org.bluez.obex.service.in} | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
- rename obexd/src/{org.bluez.obex.service => org.bluez.obex.service.in} (76%)
-
-diff --git a/Makefile.obexd b/Makefile.obexd
-index de59d29..73004a3 100644
---- a/Makefile.obexd
-+++ b/Makefile.obexd
-@@ -1,12 +1,12 @@
- if SYSTEMD
- systemduserunitdir = $(SYSTEMD_USERUNITDIR)
- systemduserunit_DATA = obexd/src/obex.service
-+endif
- 
- dbussessionbusdir = $(DBUS_SESSIONBUSDIR)
- dbussessionbus_DATA = obexd/src/org.bluez.obex.service
--endif
- 
--EXTRA_DIST += obexd/src/obex.service.in obexd/src/org.bluez.obex.service
-+EXTRA_DIST += obexd/src/obex.service.in obexd/src/org.bluez.obex.service.in
- 
- if OBEX
- 
-diff --git a/obexd/src/org.bluez.obex.service b/obexd/src/org.bluez.obex.service.in
-similarity index 76%
-rename from obexd/src/org.bluez.obex.service
-rename to obexd/src/org.bluez.obex.service.in
-index a538088..9c815f2 100644
---- a/obexd/src/org.bluez.obex.service
-+++ b/obexd/src/org.bluez.obex.service.in
-@@ -1,4 +1,4 @@
- [D-BUS Service]
- Name=org.bluez.obex
--Exec=/bin/false
-+Exec=@libexecdir@/obexd
- SystemdService=dbus-org.bluez.obex.service
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-bluez5-disable-aics-tests.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-bluez5-disable-aics-tests.patch
new file mode 100644
index 0000000000..3f01843ea3
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-bluez5-disable-aics-tests.patch
@@ -0,0 +1,40 @@
+From 182545f2504255d67d9ec2071fd5c82ab53c5a2e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Gu=C3=B0ni=20M=C3=A1r=20Gilbert?= <gudni.m.g@gmail.com>
+Date: Sun, 30 Mar 2025 02:20:24 +0000
+Subject: [PATCH] bluez5: disable aics tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Temporarily disable aics tests as they can fail
+depending on how the tests are executed. Sometimes they pass,
+sometimes they fail. The issue has been observed since BlueZ 5.72 to 5.80
+
+Starting with BlueZ 5.80, the tests began failing when using the
+ptest-runner script. This is not a new issue in BlueZ 5.80 which is
+why the test is disabled with this commit until a solution is found.
+
+See discussion on Github:
+https://github.com/bluez/bluez/issues/726
+https://github.com/bluez/bluez/issues/683
+
+Upstream-Status: Inappropriate [OE-Specific]
+
+Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
+---
+ unit/test-vcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unit/test-vcp.c b/unit/test-vcp.c
+index 6a61ea2..04b92e4 100644
+--- a/unit/test-vcp.c
++++ b/unit/test-vcp.c
+@@ -2754,7 +2754,7 @@ int main(int argc, char *argv[])
+        tester_init(&argc, &argv);
+ 
+        test_vocs_unit_testcases();
+-       test_aics_unit_testcases();
++       //test_aics_unit_testcases();
+ 
+        return tester_run();
+ }
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch
deleted file mode 100644
index b1e93dbe19..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From fb583a57f9f4ab956a09e9bb96d89aa13553bf21 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu@windriver.com>
-Date: Fri, 24 Aug 2018 12:04:03 +0800
-Subject: [PATCH] test-gatt: Fix hung issue
-
-The below test hangs infinitely
-$ unit/test-gatt -p  /robustness/unkown-request -d
-/robustness/unkown-request - init
-/robustness/unkown-request - setup
-/robustness/unkown-request - setup complete
-/robustness/unkown-request - run
-  GATT: < 02 17 00                                         ...
-  bt_gatt_server:MTU exchange complete, with MTU: 23
-  GATT: > 03 00 02                                         ...
-  PDU: = 03 00 02                                         ...
-  GATT: < bf 00
-
-Actually, the /robustness/unkown-request test does
-no action.
-
-Upstream-Status: Submitted [https://marc.info/?l=linux-bluetooth&m=153508881804635&w=2]
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-
----
- unit/test-gatt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/unit/test-gatt.c b/unit/test-gatt.c
-index 5e06d4e..4864d36 100644
---- a/unit/test-gatt.c
-+++ b/unit/test-gatt.c
-@@ -4546,7 +4546,7 @@ int main(int argc, char *argv[])
-                        test_server, service_db_1, NULL,
-                        raw_pdu(0x03, 0x00, 0x02),
-                        raw_pdu(0xbf, 0x00),
--                       raw_pdu(0x01, 0xbf, 0x00, 0x00, 0x06));
-+                       raw_pdu());
- 
-        define_test_server("/robustness/unkown-command",
-                        test_server, service_db_1, NULL,
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
index 881494a354..a9af56f141 100644
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
@@ -1,20 +1,19 @@
-From 738e73b386352fd90f1f26cc1ee75427cf4dc23b Mon Sep 17 00:00:00 2001
+From fa5da30786837b437707cea921056e9c1c22ffba Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Fri, 1 Apr 2016 17:07:34 +0300
 Subject: [PATCH] tests: add a target for building tests without running them
 
 Upstream-Status: Inappropriate [oe specific]
 Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
-
 ---
  Makefile.am | 3 +++
  1 file changed, 3 insertions(+)
 
 diff --git a/Makefile.am b/Makefile.am
-index e738eb3..dab17dd 100644
+index 02ad23c..169269d 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -710,6 +710,9 @@ endif
+@@ -722,6 +722,9 @@ endif
  TESTS = $(unit_tests)
  AM_TESTS_ENVIRONMENT = MALLOC_CHECK_=3 MALLOC_PERTURB_=69
  
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch b/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch
deleted file mode 100644
index 516d859069..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From b53df61b41088b68c127ac76cc71683ac3453b9d Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex@linutronix.de>
-Date: Mon, 12 Dec 2022 13:10:19 +0100
-Subject: [PATCH] src/shared/util.c: include linux/limits.h
-
-MAX_INPUT is defined in that file. This matters on non-glibc
-systems such as those using musl.
-
-Upstream-Status: Submitted [to linux-bluetooth@vger.kernel.org,luiz.von.dentz@intel.com,frederic.danis@collabora.com]
-Signed-off-by: Alexander Kanavin <alex@linutronix.de>
-
----
- src/shared/util.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/shared/util.c b/src/shared/util.c
-index c0c2c4a..036dc0d 100644
---- a/src/shared/util.c
-+++ b/src/shared/util.c
-@@ -23,6 +23,7 @@
- #include <unistd.h>
- #include <dirent.h>
- #include <limits.h>
-+#include <linux/limits.h>
- #include <string.h>
- 
- #ifdef HAVE_SYS_RANDOM_H
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.72.bb b/meta/recipes-connectivity/bluez5/bluez5_5.83.bb
index 9fda960ea7..8af6bdb67e 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.72.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.83.bb
@@ -1,6 +1,6 @@
 require bluez5.inc
 
-SRC_URI[sha256sum] = "499d7fa345a996c1bb650f5c6749e1d929111fa6ece0be0e98687fee6124536e"
+SRC_URI[sha256sum] = "108522d909d220581399bfec93daab62035539ceef3dda3e79970785c63bd24c"
 
 CVE_STATUS[CVE-2020-24490] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes"
 
@@ -32,6 +32,9 @@ NOINST_TOOLS_TESTING ?= " \
     tools/rfcomm-tester \
     tools/bnep-tester \
     tools/userchan-tester \
+    tools/iso-tester \
+    tools/mesh-tester \
+    tools/ioctl-tester \
 "
 
 # noinst programs in Makefile.tools that are conditional on TOOLS
@@ -41,11 +44,11 @@ NOINST_TOOLS_BT ?= " \
     tools/avinfo \
     tools/avtest \
     tools/scotest \
-    tools/amptest \
     tools/hwdb \
     tools/hcieventmask \
     tools/hcisecfilter \
     tools/btinfo \
+    tools/btconfig \
     tools/btsnoop \
     tools/btproxy \
     tools/btiotest \
@@ -56,6 +59,8 @@ NOINST_TOOLS_BT ?= " \
     tools/advtest \
     tools/seq2bseq \
     tools/nokfw \
+    tools/rtlfw \
+    tools/bcmfw \
     tools/create-image \
     tools/eddystone \
     tools/ibeacon \
@@ -65,5 +70,5 @@ NOINST_TOOLS_BT ?= " \
     tools/check-selftest \
     tools/gatt-service \
     profiles/iap/iapd \
-    ${@bb.utils.contains('PACKAGECONFIG', 'btpclient', 'tools/btpclient', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'btpclient', 'tools/btpclient tools/btpclientctl', '', d)} \
 "
diff --git a/meta/recipes-connectivity/connman/connman-conf.bb b/meta/recipes-connectivity/connman/connman-conf.bb
index a1a0e08faa..854e1f1f29 100644
--- a/meta/recipes-connectivity/connman/connman-conf.bb
+++ b/meta/recipes-connectivity/connman/connman-conf.bb
@@ -4,11 +4,10 @@ network interface inside qemu machines."
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
 
-
 SRC_URI = "file://main.conf \
           "
 
-S = "${WORKDIR}"
+S = "${UNPACKDIR}"
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
index fcd154b4b0..8bfc1540b3 100644
--- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
+++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
@@ -18,13 +18,15 @@ SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protoco
            file://0001-Port-to-Gtk3.patch \
           "
 
-S = "${WORKDIR}/git"
-
 inherit autotools-brokensep gtk-icon-cache pkgconfig features_check
 ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"
 
 RDEPENDS:${PN} = "connman"
 
 do_install:append() {
-    install -m 0644 ${WORKDIR}/images/* ${D}/usr/share/icons/hicolor/22x22/apps/
+    install -m 0644 ${UNPACKDIR}/images/* ${D}/usr/share/icons/hicolor/22x22/apps/
 }
+
+# http://errors.yoctoproject.org/Errors/Details/766926/
+# connman-client.c:200:15: error: assignment to 'GtkTreeModel *' {aka 'struct _GtkTreeModel *'} from incompatible pointer type 'GtkTreeStore *' {aka 'struct _GtkTreeStore *'} [-Wincompatible-pointer-types]
+CFLAGS += "-Wno-error=incompatible-pointer-types"
diff --git a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch b/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch
deleted file mode 100644
index 8e2e0bd02d..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9f70b94ebf18f52c115634642652830fa77f27a1 Mon Sep 17 00:00:00 2001
-From: "Maxin B. John" <maxin.john@intel.com>
-Date: Mon, 12 Jun 2017 16:52:39 +0300
-Subject: [PATCH] connman.service: stop systemd-resolved when we use connman
-
-Stop systemd-resolved service when we use connman as network manager.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
----
- src/connman.service.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/connman.service.in b/src/connman.service.in
-index 9f5c10f..dab48bc 100644
---- a/src/connman.service.in
-+++ b/src/connman.service.in
-@@ -6,6 +6,7 @@ RequiresMountsFor=@localstatedir@/lib/connman
- After=dbus.service network-pre.target systemd-sysusers.service
- Before=network.target multi-user.target shutdown.target
- Wants=network.target
-+Conflicts=systemd-resolved.service
- 
- [Service]
- Type=dbus
--- 
-2.4.0
-
diff --git a/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch b/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch
deleted file mode 100644
index e6f03e632e..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 4ddaf78dad5a9ee4a0658235f71b75132192123e Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sat, 7 Apr 2012 18:52:12 -0700
-Subject: [PATCH] plugin.h: Change visibility to default for debug symbols
-
-gold refuses to link in undefined weak symbols which
-have hidden visibility
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
-
-Upstream-Status: Pending
----
- include/plugin.h |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/include/plugin.h b/include/plugin.h
-index 692a4e5..a9361c3 100644
---- a/include/plugin.h
-+++ b/include/plugin.h
-@@ -89,9 +89,9 @@ struct connman_plugin_desc {
- #else
- #define CONNMAN_PLUGIN_DEFINE(name, description, version, priority, init, exit) \
-                extern struct connman_debug_desc __start___debug[] \
--                               __attribute__ ((weak, visibility("hidden"))); \
-+                               __attribute__ ((weak, visibility("default"))); \
-                extern struct connman_debug_desc __stop___debug[] \
--                               __attribute__ ((weak, visibility("hidden"))); \
-+                               __attribute__ ((weak, visibility("default"))); \
-                extern struct connman_plugin_desc connman_plugin_desc \
-                                __attribute__ ((visibility("default"))); \
-                struct connman_plugin_desc connman_plugin_desc = { \
--- 
-1.7.5.4
-
diff --git a/meta/recipes-connectivity/connman/connman/0001-src-log.c-Include-libgen.h-for-basename-API.patch b/meta/recipes-connectivity/connman/connman/0001-src-log.c-Include-libgen.h-for-basename-API.patch
deleted file mode 100644
index 8012606db7..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-src-log.c-Include-libgen.h-for-basename-API.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From cbba6638986c2de763981bf6fc59df6a86fed44f Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Mon, 1 Jan 2024 17:42:21 -0800
-Subject: [PATCH v2] src/log.c: Include libgen.h for basename API
-
-Use POSIX version of basename. This comes to front with latest musl
-which dropped the declaration from string.h [1] it fails to build with
-clang-17+ because it treats implicit function declaration as error.
-
-Fix it by applying the basename on a copy of string since posix version
-may modify the input string.
-
-[1] https://git.musl-libc.org/cgit/musl/commit/?id=725e17ed6dff4d0cd22487bb64470881e86a92e7
-
-Upstream-Status: Submitted [https://lore.kernel.org/connman/20240102015917.3732089-1-raj.khem@gmail.com/T/#u]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
-
- src/log.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/log.c b/src/log.c
-index 554b046..2df3af7 100644
---- a/src/log.c
-+++ b/src/log.c
-@@ -24,6 +24,7 @@
- #endif
- 
- #include <stdio.h>
-+#include <libgen.h>
- #include <unistd.h>
- #include <stdarg.h>
- #include <stdlib.h>
-@@ -196,6 +197,7 @@ int __connman_log_init(const char *program, const char *debug,
-                const char *program_name, const char *program_version)
- {
-        static char path[PATH_MAX];
-+       char* tmp = strdup(program);
-        int option = LOG_NDELAY | LOG_PID;
- 
-        program_exec = program;
-@@ -212,8 +214,8 @@ int __connman_log_init(const char *program, const char *debug,
-        if (backtrace)
-                signal_setup(signal_handler);
- 
--       openlog(basename(program), option, LOG_DAEMON);
--
-+       openlog(basename(tmp), option, LOG_DAEMON);
-+       free(tmp);
-        syslog(LOG_INFO, "%s version %s", program_name, program_version);
- 
-        return 0;
--- 
-2.43.0
-
diff --git a/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch b/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch
deleted file mode 100644
index 9e5ac8da15..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From af55a6a414d32c12f9ef3cab778385a361e1ad6d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Eivind=20N=C3=A6ss?= <eivnaes@yahoo.com>
-Date: Sat, 25 Mar 2023 20:51:52 +0000
-Subject: [PATCH] vpn: Adding support for latest pppd 2.5.0 release
-
-The API has gone through a significant overhaul, and this change fixes any compile issues.
-1) Fixes to configure.ac itself
-2) Cleanup in pppd plugin itself
-
-Adding a libppp-compat.h file to mask for any differences in the version.
-
-Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a48864a2e5d2a725dfc6eef567108bc13b43857f]
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
-
----
- scripts/libppp-compat.h | 127 ++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 127 insertions(+)
- create mode 100644 scripts/libppp-compat.h
-
-diff --git a/scripts/libppp-compat.h b/scripts/libppp-compat.h
-new file mode 100644
-index 0000000..eee1d09
---- /dev/null
-+++ b/scripts/libppp-compat.h
-@@ -0,0 +1,127 @@
-+/* Copyright (C) Eivind Naess, eivnaes@yahoo.com */
-+/* SPDX-License-Identifier: GPL-2.0-or-later */
-+
-+#ifndef __LIBPPP_COMPAT_H__
-+#define __LIBPPP_COMPAT_H__
-+
-+/* Define USE_EAPTLS compile with EAP TLS support against older pppd headers,
-+ * pppd >= 2.5.0 use PPP_WITH_EAPTLS and is defined in pppdconf.h */
-+#define USE_EAPTLS 1
-+
-+/* Define INET6 to compile with IPv6 support against older pppd headers,
-+ * pppd >= 2.5.0 use PPP_WITH_IPV6CP and is defined in pppdconf.h */
-+#define INET6 1
-+
-+/* PPP < 2.5.0 defines and exports VERSION which overlaps with current package VERSION define.
-+ * this silly macro magic is to work around that. */
-+#undef VERSION
-+#include <pppd/pppd.h>
-+
-+#ifndef PPPD_VERSION
-+#define PPPD_VERSION VERSION
-+#endif
-+
-+#include <pppd/fsm.h>
-+#include <pppd/ccp.h>
-+#include <pppd/eui64.h>
-+#include <pppd/ipcp.h>
-+#include <pppd/ipv6cp.h>
-+#include <pppd/eap.h>
-+#include <pppd/upap.h>
-+
-+#ifdef HAVE_PPPD_CHAP_H
-+#include <pppd/chap.h>
-+#endif
-+
-+#ifdef HAVE_PPPD_CHAP_NEW_H
-+#include <pppd/chap-new.h>
-+#endif
-+
-+#ifdef HAVE_PPPD_CHAP_MS_H
-+#include <pppd/chap_ms.h>
-+#endif
-+
-+#ifndef PPP_PROTO_CHAP
-+#define PPP_PROTO_CHAP 0xc223
-+#endif 
-+
-+#ifndef PPP_PROTO_EAP
-+#define PPP_PROTO_EAP  0xc227
-+#endif
-+
-+
-+#if WITH_PPP_VERSION < PPP_VERSION(2,5,0)
-+
-+static inline bool
-+debug_on (void)
-+{
-+       return debug;
-+}
-+
-+static inline const char
-+*ppp_ipparam (void)
-+{
-+       return ipparam;
-+}
-+
-+static inline int
-+ppp_ifunit (void)
-+{
-+       return ifunit;
-+}
-+
-+static inline const char *
-+ppp_ifname (void)
-+{
-+       return ifname;
-+}
-+
-+static inline int
-+ppp_get_mtu (int idx)
-+{
-+       return netif_get_mtu(idx);
-+}
-+
-+typedef enum ppp_notify
-+{
-+    NF_PID_CHANGE,
-+    NF_PHASE_CHANGE,
-+    NF_EXIT,
-+    NF_SIGNALED,
-+    NF_IP_UP,
-+    NF_IP_DOWN,
-+    NF_IPV6_UP,
-+    NF_IPV6_DOWN,
-+    NF_AUTH_UP,
-+    NF_LINK_DOWN,
-+    NF_FORK,
-+    NF_MAX_NOTIFY
-+} ppp_notify_t;
-+
-+typedef void (ppp_notify_fn) (void *ctx, int arg);
-+
-+static inline void
-+ppp_add_notify (ppp_notify_t type, ppp_notify_fn *func, void *ctx)
-+{
-+       struct notifier **list[NF_MAX_NOTIFY] = {
-+               [NF_PID_CHANGE  ] = &pidchange,
-+               [NF_PHASE_CHANGE] = &phasechange,
-+               [NF_EXIT        ] = &exitnotify,
-+               [NF_SIGNALED    ] = &sigreceived,
-+               [NF_IP_UP       ] = &ip_up_notifier,
-+               [NF_IP_DOWN     ] = &ip_down_notifier,
-+               [NF_IPV6_UP     ] = &ipv6_up_notifier,
-+               [NF_IPV6_DOWN   ] = &ipv6_down_notifier,
-+               [NF_AUTH_UP     ] = &auth_up_notifier,
-+               [NF_LINK_DOWN   ] = &link_down_notifier,
-+               [NF_FORK        ] = &fork_notifier,
-+       };
-+
-+       struct notifier **notify = list[type];
-+       if (notify) {
-+               add_notifier(notify, func, ctx);
-+       }
-+}
-+
-+#endif /* #if WITH_PPP_VERSION < PPP_VERSION(2,5,0) */
-+#endif /* #if__LIBPPP_COMPAT_H__ */
diff --git a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
index aefdd3aa06..2c612039ee 100644
--- a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
+++ b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
@@ -1,75 +1,85 @@
-From 01974865e4d331eeaf25248bee1bb96539c450d9 Mon Sep 17 00:00:00 2001
+From 4e726a5aaa75d60fab6a56bc37dbec48be53ff79 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Mon, 6 Apr 2015 23:02:21 -0700
-Subject: [PATCH] resolve: musl does not implement res_ninit
+Subject: [PATCH] gweb/gresolv.c: make use of res_ninit optional and subject to
+ __RES
 
-ported from
+Not all libc implementation have those functions, and the way to determine
+if they do is to check __RES which is explained in resolv.h thusly:
+
+/*
+ * Revision information.  This is the release date in YYYYMMDD format.
+ * It can change every day so the right thing to do with it is use it
+ * in preprocessor commands such as "#if (__RES > 19931104)".  Do not
+ * compare for equality; rather, use it to determine whether your resolver
+ * is new enough to contain a certain feature.
+ */
+
+Indeed, it needs to be at least 19991006.
+
+The portion of the patch that implements a fallback is ported from
+Alpine Linux:
 http://git.alpinelinux.org/cgit/aports/plain/testing/connman/libresolv.patch
 
-Upstream-Status: Pending
+Upstream-Status: Submitted [to connman@lists.linux.dev,marcel@holtmann.org]
 
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
 ---
- gweb/gresolv.c | 34 +++++++++++++---------------------
- 1 file changed, 13 insertions(+), 21 deletions(-)
+ gweb/gresolv.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
 
 diff --git a/gweb/gresolv.c b/gweb/gresolv.c
-index 954e7cf..2a9bc51 100644
+index 8101d71..9f1477c 100644
 --- a/gweb/gresolv.c
 +++ b/gweb/gresolv.c
-@@ -878,8 +879,6 @@ GResolv *g_resolv_new(int index)
+@@ -879,7 +879,9 @@ GResolv *g_resolv_new(int index)
         resolv->index = index;
         resolv->nameserver_list = NULL;
  
--       res_ninit(&resolv->res);
--
++#if (__RES >= 19991006)
+        res_ninit(&resolv->res);
++#endif
+ 
         return resolv;
  }
- 
-@@ -919,8 +918,6 @@ void g_resolv_unref(GResolv *resolv)
+@@ -920,7 +922,9 @@ void g_resolv_unref(GResolv *resolv)
  
         flush_nameservers(resolv);
  
--       res_nclose(&resolv->res);
--
++#if (__RES >= 19991006)
+        res_nclose(&resolv->res);
++#endif
+ 
         g_free(resolv);
  }
- 
-@@ -1023,24 +1020,19 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
+@@ -1024,6 +1028,7 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
         debug(resolv, "hostname %s", hostname);
  
         if (!resolv->nameserver_list) {
--               int i;
--
--               for (i = 0; i < resolv->res.nscount; i++) {
--                       char buf[100];
--                       int family = resolv->res.nsaddr_list[i].sin_family;
--                       void *sa_addr = &resolv->res.nsaddr_list[i].sin_addr;
--
--                       if (family != AF_INET &&
--                                       resolv->res._u._ext.nsaddrs[i]) {
--                               family = AF_INET6;
--                               sa_addr = &resolv->res._u._ext.nsaddrs[i]->sin6_addr;
-+               FILE *f = fopen("/etc/resolv.conf", "r");
-+               if (f) {
-+                       char line[256], *s;
-+                       int i;
-+                       while (fgets(line, sizeof(line), f)) {
-+                               if (strncmp(line, "nameserver", 10) || !isspace(line[10]))
-+                                       continue;
-+                               for (s = &line[11]; isspace(s[0]); s++);
-+                               for (i = 0; s[i] && !isspace(s[i]); i++);
-+                               s[i] = 0;
-+                               g_resolv_add_nameserver(resolv, s, 53, 0);
-                        }
--
--                       if (family != AF_INET && family != AF_INET6)
--                               continue;
--
--                       if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
--                               g_resolv_add_nameserver(resolv, buf, 53, 0);
-+                       fclose(f);
++#if (__RES >= 19991006)
+                int i;
+ 
+                for (i = 0; i < resolv->res.nscount; i++) {
+@@ -1043,6 +1048,22 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
+                        if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
+                                g_resolv_add_nameserver(resolv, buf, 53, 0);
                 }
++#else
++                FILE *f = fopen("/etc/resolv.conf", "r");
++                if (f) {
++                        char line[256], *s;
++                        int i;
++                        while (fgets(line, sizeof(line), f)) {
++                                if (strncmp(line, "nameserver", 10) || !isspace(line[10]))
++                                        continue;
++                                for (s = &line[11]; isspace(s[0]); s++);
++                                for (i = 0; s[i] && !isspace(s[i]); i++);
++                                s[i] = 0;
++                                g_resolv_add_nameserver(resolv, s, 53, 0);
++                        }
++                        fclose(f);
++                }
++#endif
  
                 if (!resolv->nameserver_list)
+                        g_resolv_add_nameserver(resolv, "127.0.0.1", 53, 0);
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
new file mode 100644
index 0000000000..62f07e707a
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
@@ -0,0 +1,41 @@
+From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
+From: Yoonje Shin <ioerts@kookmin.ac.kr>
+Date: Mon, 12 May 2025 10:48:18 +0200
+Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
+
+In Connman parse_rr in dnsproxy.c has a memcpy length
+that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
+and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
+than the amount of remaining packet data in the current state of
+parsing. As a result, values of stack memory locations may be sent
+over the network in a response.
+
+This patch adds a check to ensure that (*end + *rdlen) does not exceed
+the valid range. If the condition is violated, the function returns
+-EINVAL.
+
+CVE: CVE-2025-32366
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 7ee26d9..1dd2f7f 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start,
+        if ((offset + *rdlen) > *response_size)
+                return -ENOBUFS;
+
++       if ((*end + *rdlen) > max)
++               return -EINVAL;
++
+        memcpy(response + offset, *end, *rdlen);
+
+        *end += *rdlen;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
new file mode 100644
index 0000000000..c114589679
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
@@ -0,0 +1,48 @@
+From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
+From: Praveen Kumar <praveen.kumar@windriver.com>
+Date: Thu, 24 Apr 2025 11:39:29 +0000
+Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
+
+In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
+can be NULL or an empty string when the TC (Truncated) bit is set in
+a DNS response. This allows attackers to cause a denial of service
+(application crash) or possibly execute arbitrary code, because those
+lookup values lead to incorrect length calculations and incorrect
+memcpy operations.
+
+This patch includes a check to make sure loookup value is valid before
+using it. This helps avoid unexpected value when the input is empty or
+incorrect.
+
+Fixes: CVE-2025-32743
+
+CVE: CVE-2025-32743
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index f28a5d7..7ee26d9 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
+                                gpointer request, gpointer name)
+ {
+        int sk = -1;
++       int err;
+        const char *lookup = (const char *)name;
+-       int err = ns_try_resolv_from_cache(req, request, lookup);
++
++       if (!lookup || strlen(lookup) == 0)
++               return -EINVAL;
++
++       err = ns_try_resolv_from_cache(req, request, lookup);
+
+        if (err > 0)
+                /* cache hit */
+--
+2.40.0
diff --git a/meta/recipes-connectivity/connman/connman/connman b/meta/recipes-connectivity/connman/connman/connman
index a021fd4655..adb5d44fed 100644
--- a/meta/recipes-connectivity/connman/connman/connman
+++ b/meta/recipes-connectivity/connman/connman/connman
@@ -18,7 +18,7 @@ do_start() {
 }
 
 do_stop() {
-        start-stop-daemon --stop --name connmand --quiet
+        start-stop-daemon --stop --oknodo --name connmand --quiet
 }
 
 case "$1" in
diff --git a/meta/recipes-connectivity/connman/connman/no-version-scripts.patch b/meta/recipes-connectivity/connman/connman/no-version-scripts.patch
deleted file mode 100644
index e96e38bcf9..0000000000
--- a/meta/recipes-connectivity/connman/connman/no-version-scripts.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-With binutils 2.27 on at least MIPS, connmand will crash on startup.  This
-appears to be due to the symbol visibilty scripts hiding symbols that stdio
-looks up at runtime, resulting in it segfaulting.
-
-This certainly appears to be a bug in binutils 2.27 although the problem has
-been known about for some time:
-
-https://sourceware.org/bugzilla/show_bug.cgi?id=17908
-
-As the version scripts are only used to hide symbols from plugins we can safely
-remove the scripts to work around the problem until binutils is fixed.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/Makefile.am b/Makefile.am
-index d70725c..76ae432 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -132,2 +132 @@ src_connmand_LDADD = gdbus/libgdbus-internal.la $(builtin_libadd) \
--src_connmand_LDFLAGS = -Wl,--export-dynamic \
--                               -Wl,--version-script=$(srcdir)/src/connman.ver
-+src_connmand_LDFLAGS = -Wl,--export-dynamic
-@@ -166,2 +165 @@ vpn_connman_vpnd_LDADD = gdbus/libgdbus-internal.la $(builtin_vpn_libadd) \
--vpn_connman_vpnd_LDFLAGS = -Wl,--export-dynamic \
--                               -Wl,--version-script=$(srcdir)/vpn/vpn.ver
-+vpn_connman_vpnd_LDFLAGS = -Wl,--export-dynamic
diff --git a/meta/recipes-connectivity/connman/connman_1.42.bb b/meta/recipes-connectivity/connman/connman_1.42.bb
deleted file mode 100644
index 91ab9895ac..0000000000
--- a/meta/recipes-connectivity/connman/connman_1.42.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-require connman.inc
-
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
-           file://0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch \
-           file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \
-           file://connman \
-           file://no-version-scripts.patch \
-           file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \
-           file://0001-src-log.c-Include-libgen.h-for-basename-API.patch \
-           "
-
-SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
-
-SRC_URI[sha256sum] = "a3e6bae46fc081ef2e9dae3caa4f7649de892c3de622c20283ac0ca81423c2aa"
-
-RRECOMMENDS:${PN} = "connman-conf"
-RCONFLICTS:${PN} = "networkmanager"
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman_1.44.bb
index 7487ca0d0c..1b0fbe438c 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman_1.44.bb
@@ -7,8 +7,7 @@ It is a fully modular system that can be extended, through plug-ins, \
 to support all kinds of wired or wireless technologies. Also, \
 configuration methods, like DHCP and domain name resolving, are \
 implemented using plug-ins."
-HOMEPAGE = "http://connman.net/"
-BUGTRACKER = "https://01.org/jira/browse/CM"
+HOMEPAGE = "https://web.git.kernel.org/pub/scm/network/connman/connman.git/about/"
 LICENSE  = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
                     file://src/main.c;beginline=1;endline=20;md5=486a279a6ab0c8d152bcda3a5b5edc36"
@@ -17,17 +16,32 @@ inherit autotools pkgconfig systemd update-rc.d update-alternatives
 
 CVE_PRODUCT = "connman connection_manager"
 
-DEPENDS  = "dbus glib-2.0 ppp"
+DEPENDS  = "dbus glib-2.0"
+
+SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
+           file://connman \
+           file://0002-resolve-musl-does-not-implement-res_ninit.patch \
+           file://CVE-2025-32743.patch \
+           file://CVE-2025-32366.patch \
+           "
+
+SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"
+
+RRECOMMENDS:${PN} = "connman-conf"
+RCONFLICTS:${PN} = "networkmanager"
 
 EXTRA_OECONF += "\
-    ac_cv_path_WPASUPPLICANT=${sbindir}/wpa_supplicant \
+    ac_cv_path_IP6TABLES_SAVE=${sbindir}/ip6tables-save \
+    ac_cv_path_IPTABLES_SAVE=${sbindir}/iptables-save \
     ac_cv_path_PPPD=${sbindir}/pppd \
+    ac_cv_path_WPASUPPLICANT=${sbindir}/wpa_supplicant \
     --enable-debug \
     --enable-loopback \
     --enable-ethernet \
     --enable-tools \
     --disable-polkit \
-    --runstatedir=/run \
+    --runstatedir='${runtimedir}' \
+    --with-dns-backend='${@bb.utils.contains("DISTRO_FEATURES", "systemd-resolved", "systemd-resolved", "internal", d)}' \
 "
 # For smooth operation it would be best to start only one wireless daemon at a time.
 # If wpa-supplicant is running, connman will use it preferentially.
@@ -53,12 +67,12 @@ PACKAGECONFIG[iwd] = "--enable-iwd,--disable-iwd,,iwd"
 PACKAGECONFIG[tist] = "--enable-tist,--disable-tist,"
 PACKAGECONFIG[openvpn] = "--enable-openvpn --with-openvpn=${sbindir}/openvpn,--disable-openvpn,,openvpn"
 PACKAGECONFIG[vpnc] = "--enable-vpnc --with-vpnc=${sbindir}/vpnc,--disable-vpnc,,vpnc"
-PACKAGECONFIG[l2tp] = "--enable-l2tp --with-l2tp=${sbindir}/xl2tpd,--disable-l2tp,,xl2tpd"
-PACKAGECONFIG[pptp] = "--enable-pptp --with-pptp=${sbindir}/pptp,--disable-pptp,,pptp-linux"
+PACKAGECONFIG[l2tp] = "--enable-l2tp --with-l2tp=${sbindir}/xl2tpd,--disable-l2tp,ppp,xl2tpd"
+PACKAGECONFIG[pptp] = "--enable-pptp --with-pptp=${sbindir}/pptp,--disable-pptp,ppp,pptp-linux"
 # WISPr support for logging into hotspots, requires TLS
 PACKAGECONFIG[wispr] = "--enable-wispr,--disable-wispr,gnutls,"
-PACKAGECONFIG[nftables] = "--with-firewall=nftables ,,libmnl libnftnl,,kernel-module-nf-tables kernel-module-nft-chain-nat-ipv4 kernel-module-nft-chain-route-ipv4 kernel-module-nft-masq-ipv4 kernel-module-nft-nat"
-PACKAGECONFIG[iptables] = "--with-firewall=iptables ,,iptables,iptables"
+PACKAGECONFIG[nftables] = "--with-firewall=nftables ,,libmnl libnftnl,,kernel-module-nf-tables kernel-module-nft-chain-nat-ipv4 kernel-module-nft-chain-route-ipv4 kernel-module-nft-masq-ipv4 kernel-module-nft-nat,iptables"
+PACKAGECONFIG[iptables] = "--with-firewall=iptables,,iptables,,,nftables"
 PACKAGECONFIG[nfc] = "--enable-neard, --disable-neard, neard, neard"
 PACKAGECONFIG[client] = "--enable-client,--disable-client,readline"
 PACKAGECONFIG[wireguard] = "--enable-wireguard,--disable-wireguard,libmnl"
@@ -78,7 +92,7 @@ SYSTEMD_SERVICE:${PN} = "connman.service"
 SYSTEMD_SERVICE:${PN}-vpn = "connman-vpn.service"
 SYSTEMD_SERVICE:${PN}-wait-online = "connman-wait-online.service"
 
-ALTERNATIVE_PRIORITY = "100"
+ALTERNATIVE_PRIORITY = "${@bb.utils.contains('DISTRO_FEATURES','systemd-resolved','10','100',d)}"
 ALTERNATIVE:${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','resolv-conf','',d)}"
 ALTERNATIVE_TARGET[resolv-conf] = "${@bb.utils.contains('DISTRO_FEATURES','systemd','${sysconfdir}/resolv-conf.connman','',d)}"
 ALTERNATIVE_LINK_NAME[resolv-conf] = "${@bb.utils.contains('DISTRO_FEATURES','systemd','${sysconfdir}/resolv.conf','',d)}"
@@ -86,7 +100,7 @@ ALTERNATIVE_LINK_NAME[resolv-conf] = "${@bb.utils.contains('DISTRO_FEATURES','sy
 do_install:append() {
         if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
                 install -d ${D}${sysconfdir}/init.d
-                install -m 0755 ${WORKDIR}/connman ${D}${sysconfdir}/init.d/connman
+                install -m 0755 ${UNPACKDIR}/connman ${D}${sysconfdir}/init.d/connman
                 sed -i s%@DATADIR@%${datadir}% ${D}${sysconfdir}/init.d/connman
         fi
 
@@ -103,10 +117,11 @@ do_install:append() {
         # plugins directory to be present for ownership
         mkdir -p ${D}${libdir}/connman/plugins
 
-    # For read-only filesystem, do not create links during bootup
-    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-        ln -sf ../run/connman/resolv.conf ${D}${sysconfdir}/resolv-conf.connman
-    fi
+        # For read-only filesystem, do not create links during bootup
+        if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+                install -d ${D}${sysconfdir}
+                ln -sf ../run/connman/resolv.conf ${D}${sysconfdir}/resolv-conf.connman
+        fi
 }
 
 # These used to be plugins, but now they are core
@@ -118,10 +133,6 @@ RPROVIDES:${PN} = "\
         ${@bb.utils.contains('PACKAGECONFIG', '3g','connman-plugin-ofono', '', d)} \
         "
 
-RDEPENDS:${PN} = "\
-        dbus \
-        "
-
 PACKAGES_DYNAMIC += "^${PN}-plugin-.*"
 
 def add_rdepends(bb, d, file, pkg, depmap, multilib_prefix, add_insane_skip):
@@ -155,12 +166,13 @@ python populate_packages:prepend() {
 PACKAGES =+ "${PN}-tools ${PN}-tests ${PN}-client"
 
 FILES:${PN}-tools = "${bindir}/wispr"
-RDEPENDS:${PN}-tools ="${PN}"
+RDEPENDS:${PN}-tools = "${PN}"
 
 FILES:${PN}-tests = "${bindir}/*-test"
+RDEPENDS:${PN}-tests = "${@bb.utils.contains('PACKAGECONFIG', 'iptables', 'iptables', '', d)}"
 
 FILES:${PN}-client = "${bindir}/connmanctl"
-RDEPENDS:${PN}-client ="${PN}"
+RDEPENDS:${PN}-client = "${PN}"
 
 FILES:${PN} = "${bindir}/* ${sbindir}/* ${libexecdir}/* ${libdir}/lib*.so.* \
             ${libdir}/connman/plugins \
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.2.4.bb
index 6bde9b1f51..bfb24aa58c 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.2.4.bb
@@ -7,7 +7,7 @@ DESCRIPTION = "dhcpcd runs on your machine and silently configures your \
 HOMEPAGE = "http://roy.marples.name/projects/dhcpcd/"
 
 LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=ba9c7e534853aaf3de76c905b2410ffd"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=4dda5beb433a809f2e0aeffbf9da3d91"
 
 SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=master \
            file://0001-remove-INCLUDEDIR-to-prevent-build-issues.patch \
@@ -17,9 +17,9 @@ SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=ma
            file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
            "
 
-SRCREV = "1c8ae59836fa87b4c63c598087f0460ec20ed862"
-S = "${WORKDIR}/git"
+SRCREV = "93df2b254caf9639f9ffb66e0fe2b584eeba6220"
 
+# Doesn't use automake so we can't do out-of-tree builds
 inherit pkgconfig autotools-brokensep systemd useradd
 
 SYSTEMD_SERVICE:${PN} = "dhcpcd.service"
@@ -49,10 +49,16 @@ EXTRA_OECONF = "--enable-ipv4 \
 USERADD_PACKAGES = "${PN}"
 USERADD_PARAM:${PN} = "--system -d ${DBDIR} -M -s /bin/false -U dhcpcd"
 
+# This isn't autoconf but is instead a configure script that tries to look like
+# autoconf, so just run it directly.
+do_configure() {
+    oe_runconf
+}
+
 do_install:append () {
     # install systemd unit files
     install -d ${D}${systemd_system_unitdir}
-    install -m 0644 ${WORKDIR}/dhcpcd*.service ${D}${systemd_system_unitdir}
+    install -m 0644 ${UNPACKDIR}/dhcpcd*.service ${D}${systemd_system_unitdir}
 
     chmod 700 ${D}${DBDIR}
     chown dhcpcd:dhcpcd ${D}${DBDIR}
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
index 8d1ed6671a..512e33aebf 100644
--- a/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
@@ -1,4 +1,4 @@
-From 02acc4d875ee81e6fd19ef66d69c9f55b4b4a7e7 Mon Sep 17 00:00:00 2001
+From d1581ce103db0a5db0b1761907fff9ddd6b55a8a Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Wed, 9 Nov 2022 16:33:18 +0800
 Subject: [PATCH] 20-resolv.conf: improve the sitation of working with systemd
@@ -27,7 +27,7 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  1 file changed, 13 insertions(+), 4 deletions(-)
 
 diff --git a/hooks/20-resolv.conf b/hooks/20-resolv.conf
-index 7c29e276..becc019f 100644
+index bd0b0df5..9c7721de 100644
 --- a/hooks/20-resolv.conf
 +++ b/hooks/20-resolv.conf
 @@ -11,8 +11,12 @@ nocarrier_roaming_dir="$state_dir/roaming"
@@ -59,7 +59,7 @@ index 7c29e276..becc019f 100644
         fi
         rm -f "$cf"
  }
-@@ -170,7 +179,7 @@ add_resolv_conf()
+@@ -179,7 +188,7 @@ add_resolv_conf()
         for x in ${new_domain_name_servers}; do
                 conf="${conf}nameserver $x$NL"
         done
@@ -68,7 +68,7 @@ index 7c29e276..becc019f 100644
                 [ -n "$ifmetric" ] && export IF_METRIC="$ifmetric"
                 printf %s "$conf" | "$resolvconf" -a "$ifname"
                 return $?
-@@ -186,7 +195,7 @@ add_resolv_conf()
+@@ -195,7 +204,7 @@ add_resolv_conf()
  
  remove_resolv_conf()
  {
@@ -77,6 +77,3 @@ index 7c29e276..becc019f 100644
                 "$resolvconf" -d "$ifname" -f
         else
                 if [ -e "$resolv_conf_dir/$ifname" ]; then
--- 
-2.17.1
-
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch
index 461d04bd1d..484b84f94a 100644
--- a/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch
@@ -1,4 +1,4 @@
-From 5d5ba8a2b8010db6bee68bd712f829cb737c9ac1 Mon Sep 17 00:00:00 2001
+From e9b1376c59b15e7b03611429187d9d89167154b5 Mon Sep 17 00:00:00 2001
 From: Lei Maohui <leimaohui@fujitsu.com>
 Date: Fri, 10 Mar 2023 03:48:46 +0000
 Subject: [PATCH] dhcpcd.8: Fix conflict error when enable multilib.
@@ -24,16 +24,15 @@ versions.
 
 Upstream-Status: Inappropriate [oe specific]
 Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
-
 ---
  src/dhcpcd.8.in | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/dhcpcd.8.in b/src/dhcpcd.8.in
-index 93232840..09930a31 100644
+index 91fdde2c..b467dc3b 100644
 --- a/src/dhcpcd.8.in
 +++ b/src/dhcpcd.8.in
-@@ -824,7 +824,7 @@ Configuration file for dhcpcd.
+@@ -826,7 +826,7 @@ Configuration file for dhcpcd.
  If you always use the same options, put them here.
  .It Pa @SCRIPT@
  Bourne shell script that is run to configure or de-configure an interface.
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch b/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch
index c54942be4b..fd3fae7e7e 100644
--- a/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch
@@ -1,4 +1,4 @@
-From ec9fc4e6086e1dbe0ac2f94a8a088a571596a581 Mon Sep 17 00:00:00 2001
+From c2ebc32112e0cd29390b4dc951b65efae36d607b Mon Sep 17 00:00:00 2001
 From: Stefano Cappa <stefano.cappa.ks89@gmail.com>
 Date: Sun, 13 Jan 2019 01:50:52 +0100
 Subject: [PATCH] remove INCLUDEDIR to prevent build issues
@@ -6,13 +6,12 @@ Subject: [PATCH] remove INCLUDEDIR to prevent build issues
 Upstream-Status: Pending
 
 Signed-off-by: Stefano Cappa <stefano.cappa.ks89@gmail.com>
-
 ---
  configure | 5 -----
  1 file changed, 5 deletions(-)
 
 diff --git a/configure b/configure
-index 5237b0e2..7220718b 100755
+index a60da137..3673de8b 100755
 --- a/configure
 +++ b/configure
 @@ -26,7 +26,6 @@ BUILD=
@@ -23,7 +22,7 @@ index 5237b0e2..7220718b 100755
  DEBUG=
  FORK=
  STATIC=
-@@ -86,7 +85,6 @@ for x do
+@@ -89,7 +88,6 @@ for x do
         --mandir) MANDIR=$var;;
         --datadir) DATADIR=$var;;
         --with-ccopts|CFLAGS) CFLAGS=$var;;
@@ -31,7 +30,7 @@ index 5237b0e2..7220718b 100755
         CC) CC=$var;;
         CPPFLAGS) CPPFLAGS=$var;;
         PKG_CONFIG) PKG_CONFIG=$var;;
-@@ -343,9 +341,6 @@ if [ -n "$CPPFLAGS" ]; then
+@@ -346,9 +344,6 @@ if [ -n "$CPPFLAGS" ]; then
         echo "CPPFLAGS=" >>$CONFIG_MK
         echo "CPPFLAGS+=        $CPPFLAGS" >>$CONFIG_MK
  fi
diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
index 0f1a0736bd..6e03195f2d 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
@@ -11,7 +11,7 @@ LICENSE = "GPL-3.0-only"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=0c7051aef9219dc7237f206c5c4179a7"
 
-SRC_URI[sha256sum] = "87697d60a31e10b5cb86a9f0651e1ec7bee98320d048c0739431aac3d5764fb6"
+SRC_URI[sha256sum] = "68bedbfeaf73f7d86be2a7d99bcfbd4093d829f52770893919ae174c0b2357ca"
 SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
            file://rexec.xinetd.inetutils \
            file://rlogin.xinetd.inetutils \
@@ -22,8 +22,6 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
 
 inherit autotools gettext update-alternatives texinfo
 
-acpaths = "-I ./m4"
-
 PACKAGECONFIG ??= "ftp uucpd \
                    ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
                    ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6 ping6', '', d)} \
@@ -80,23 +78,23 @@ do_install:append () {
     mv ${D}${libexecdir}/telnetd ${D}${sbindir}/in.telnetd
     if [ -e ${D}${libexecdir}/rexecd ]; then
         mv ${D}${libexecdir}/rexecd ${D}${sbindir}/in.rexecd
-        cp ${WORKDIR}/rexec.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rexec
+        cp ${UNPACKDIR}/rexec.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rexec
     fi
     if [ -e ${D}${libexecdir}/rlogind ]; then
         mv ${D}${libexecdir}/rlogind ${D}${sbindir}/in.rlogind
-        cp ${WORKDIR}/rlogin.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rlogin
+        cp ${UNPACKDIR}/rlogin.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rlogin
     fi
     if [ -e ${D}${libexecdir}/rshd ]; then
         mv ${D}${libexecdir}/rshd ${D}${sbindir}/in.rshd
-        cp ${WORKDIR}/rsh.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rsh
+        cp ${UNPACKDIR}/rsh.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rsh
     fi
     if [ -e ${D}${libexecdir}/talkd ]; then
         mv ${D}${libexecdir}/talkd ${D}${sbindir}/in.talkd
     fi
     mv ${D}${libexecdir}/uucpd ${D}${sbindir}/in.uucpd
     mv ${D}${libexecdir}/* ${D}${bindir}/
-    cp ${WORKDIR}/telnet.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/telnet
-    cp ${WORKDIR}/tftpd.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/tftpd
+    cp ${UNPACKDIR}/telnet.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/telnet
+    cp ${UNPACKDIR}/tftpd.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/tftpd
 
     sed -e 's,@SBINDIR@,${sbindir},g' -i ${D}/${sysconfdir}/xinetd.d/*
     if [ -e ${D}${libdir}/charset.alias ]; then
@@ -141,11 +139,12 @@ ALTERNATIVE:${PN}-telnetd = "telnetd"
 ALTERNATIVE_LINK_NAME[telnetd] = "${sbindir}/telnetd"
 ALTERNATIVE_TARGET[telnetd] = "${sbindir}/in.telnetd"
 
-ALTERNATIVE:${PN}-inetd= "inetd"
+ALTERNATIVE:${PN}-inetd = "inetd"
 ALTERNATIVE:${PN}-traceroute = "traceroute"
 
 ALTERNATIVE:${PN}-hostname = "hostname"
 ALTERNATIVE_LINK_NAME[hostname]  = "${base_bindir}/hostname"
+ALTERNATIVE_PRIORITY[hostname] = "100"
 
 ALTERNATIVE:${PN}-doc = "hostname.1 dnsdomainname.1 logger.1 syslogd.8 \
                          tftpd.8 tftp.1 telnetd.8"
@@ -166,7 +165,6 @@ ALTERNATIVE_LINK_NAME[ping]   = "${base_bindir}/ping"
 ALTERNATIVE:${PN}-ping6 = "${@bb.utils.filter('PACKAGECONFIG', 'ping6', d)}"
 ALTERNATIVE_LINK_NAME[ping6]  = "${base_bindir}/ping6"
 
-
 FILES:${PN}-dbg += "${base_bindir}/.debug ${base_sbindir}/.debug ${bindir}/.debug ${sbindir}/.debug"
 FILES:${PN}-ping = "${base_bindir}/ping.${BPN}"
 FILES:${PN}-ping6 = "${base_bindir}/ping6.${BPN}"
diff --git a/meta/recipes-connectivity/iproute2/iproute2/0001-include-libnetlink.h-add-missing-include-for-htobe64.patch b/meta/recipes-connectivity/iproute2/iproute2/0001-include-libnetlink.h-add-missing-include-for-htobe64.patch
new file mode 100644
index 0000000000..c4dea39676
--- /dev/null
+++ b/meta/recipes-connectivity/iproute2/iproute2/0001-include-libnetlink.h-add-missing-include-for-htobe64.patch
@@ -0,0 +1,24 @@
+From 9e427aa1c647f741b08a1f0c44483ea974c7fc61 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Sat, 24 Aug 2024 15:32:25 +0200
+Subject: [PATCH] include/libnetlink.h: add missing include for htobe64
+ definitions
+
+Upstream-Status: Submitted [by email to stephen@networkplumber.org netdev@vger.kernel.org]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ include/libnetlink.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/libnetlink.h b/include/libnetlink.h
+index 7074e91..3dbfa42 100644
+--- a/include/libnetlink.h
++++ b/include/libnetlink.h
+@@ -13,6 +13,7 @@
+ #include <linux/neighbour.h>
+ #include <linux/netconf.h>
+ #include <arpa/inet.h>
++#include <endian.h>
+ 
+ struct rtnl_handle {
+        int                     fd;
diff --git a/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch b/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch
deleted file mode 100644
index 74e3de1ce9..0000000000
--- a/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From c25f8d1f7a6203dfeb10b39f80ffd314bb84a58d Mon Sep 17 00:00:00 2001
-From: Baruch Siach <baruch@tkos.co.il>
-Date: Thu, 22 Dec 2016 15:26:30 +0200
-Subject: [PATCH] libc-compat.h: add musl workaround
-
-The libc-compat.h kernel header uses glibc specific macros (__GLIBC__ and
-__USE_MISC) to solve conflicts with libc provided headers. This patch makes
-libc-compat.h work for musl libc as well.
-
-Upstream-Status: Pending
-
-Taken From:
-https://git.buildroot.net/buildroot/tree/package/iproute2/0001-Add-the-musl-workaround-to-the-libc-compat.h-copy.patch
-
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
-
----
- include/uapi/linux/libc-compat.h | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h
-index a159991..22198fa 100644
---- a/include/uapi/linux/libc-compat.h
-+++ b/include/uapi/linux/libc-compat.h
-@@ -50,10 +50,12 @@
- #define _LIBC_COMPAT_H
- 
- /* We have included glibc headers... */
--#if defined(__GLIBC__)
-+#if 1
-+#define __USE_MISC
- 
- /* Coordinate with glibc net/if.h header. */
- #if defined(_NET_IF_H) && defined(__USE_MISC)
-+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 0
- 
- /* GLIBC headers included first so don't define anything
-  * that would already be defined. */
diff --git a/meta/recipes-connectivity/iproute2/iproute2_6.7.0.bb b/meta/recipes-connectivity/iproute2/iproute2_6.15.0.bb
index 8c460adf73..592e3e15af 100644
--- a/meta/recipes-connectivity/iproute2/iproute2_6.7.0.bb
+++ b/meta/recipes-connectivity/iproute2/iproute2_6.15.0.bb
@@ -9,25 +9,28 @@ LICENSE = "GPL-2.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
                     "
 
-DEPENDS = "flex-native bison-native iptables libcap"
+DEPENDS = "flex-native bison-native libcap"
 
 SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \
-           file://0001-libc-compat.h-add-musl-workaround.patch \
+           file://0001-include-libnetlink.h-add-missing-include-for-htobe64.patch \
            "
 
-SRC_URI[sha256sum] = "ff942dd9828d7d1f867f61fe72ce433078c31e5d8e4a78e20f02cb5892e8841d"
+SRC_URI[sha256sum] = "8041854a882583ad5263466736c9c8c68c74b1a35754ab770d23343f947528fb"
 
 inherit update-alternatives bash-completion pkgconfig
 
-PACKAGECONFIG ??= "tipc elf devlink"
+PACKAGECONFIG ??= "tipc elf devlink iptables"
 PACKAGECONFIG[tipc] = ",,libmnl,"
 PACKAGECONFIG[elf] = ",,elfutils,"
 PACKAGECONFIG[devlink] = ",,libmnl,"
+PACKAGECONFIG[iptables] = ",,iptables"
 PACKAGECONFIG[rdma] = ",,libmnl,"
 PACKAGECONFIG[selinux] = ",,libselinux"
 
 IPROUTE2_MAKE_SUBDIRS = "lib tc ip bridge misc genl ${@bb.utils.filter('PACKAGECONFIG', 'devlink tipc rdma', d)}"
 
+# This is needed with GCC-14 and musl
+CFLAGS += "-Wno-error=incompatible-pointer-types"
 # CFLAGS are computed in Makefile and reference CCOPTS
 #
 EXTRA_OEMAKE = "\
@@ -53,6 +56,9 @@ do_install () {
     install -d ${D}${datadir}
     mv ${D}/share/* ${D}${datadir}/ || true
     rm ${D}/share -rf || true
+
+    # Remove support fot ipt and xt in tc. So tc library directory is not needed.
+    rm ${D}${libdir}/tc -rf
 }
 
 # The .so files in iproute2-tc are modules, not traditional libraries
diff --git a/meta/recipes-connectivity/iw/iw_6.7.bb b/meta/recipes-connectivity/iw/iw_6.9.bb
index b46b54bc93..e34400e18b 100644
--- a/meta/recipes-connectivity/iw/iw_6.7.bb
+++ b/meta/recipes-connectivity/iw/iw_6.9.bb
@@ -4,7 +4,7 @@ wireless devices. It supports almost all new drivers that have been added \
 to the kernel recently. "
 HOMEPAGE = "https://wireless.wiki.kernel.org/en/users/documentation/iw"
 SECTION = "base"
-LICENSE = "BSD-2-Clause"
+LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://COPYING;md5=878618a5c4af25e9b93ef0be1a93f774"
 
 DEPENDS = "libnl"
@@ -14,7 +14,7 @@ SRC_URI = "http://www.kernel.org/pub/software/network/iw/${BP}.tar.gz \
            file://separate-objdir.patch \
 "
 
-SRC_URI[sha256sum] = "b3ef3fa85fa1177b11d3e97d6d38cdfe10ee250ca31482b581f3bd0fc79cb015"
+SRC_URI[sha256sum] = "4c3194778b175d58442907d51d1977e7270fce5cbebff0eab11c45c1da287a4b"
 
 inherit pkgconfig
 
diff --git a/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch b/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch
deleted file mode 100644
index 8a5bd00302..0000000000
--- a/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From f9bcfed5a1d44d9211c5f6eba403a9898c8c9057 Mon Sep 17 00:00:00 2001
-From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
-Date: Tue, 8 Aug 2023 19:03:13 +0100
-Subject: [PATCH] kea: fix reproducible build failure
-
-New version of Kea has started using path of build-dir instead of
-src-dir which results in reproducible builds failure.
-Use src-dir as is used in v2.2.0
-
-Upstream-Status: Pending
-https://gitlab.isc.org/isc-projects/kea/-/issues/3007
-
-Upstream has confirmed the patch will not be accepted but discussions
-with upstream is still going on, we might have a proper solution later.
-
-Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
----
- src/bin/admin/kea-admin.in | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/bin/admin/kea-admin.in b/src/bin/admin/kea-admin.in
-index 034a0ee..8ab11ab 100644
---- a/src/bin/admin/kea-admin.in
-+++ b/src/bin/admin/kea-admin.in
-@@ -51,14 +51,14 @@ dump_qry=""
- if test -f "@datarootdir@/@PACKAGE_NAME@/scripts/admin-utils.sh"; then
-     . "@datarootdir@/@PACKAGE_NAME@/scripts/admin-utils.sh"
- else
--    . "@abs_top_builddir@/src/bin/admin/admin-utils.sh"
-+    . "@abs_top_srcdir@/src/bin/admin/admin-utils.sh"
- fi
- 
- # Find the installed kea-lfc if available. Fallback to sources otherwise.
- if test -x "@sbindir@/kea-lfc"; then
-     kea_lfc="@sbindir@/kea-lfc"
- else
--    kea_lfc="@abs_top_builddir@/src/bin/lfc/kea-lfc"
-+    kea_lfc="@abs_top_srcdir@/src/bin/lfc/kea-lfc"
- fi
- 
- # Prints out usage version.
-@@ -355,7 +355,7 @@ mysql_upgrade() {
-     # Check if there are any files in it
-     num_files=$(find "${upgrade_scripts_dir}" -name 'upgrade*.sh' -type f | wc -l)
-     if [ "$num_files" -eq 0 ]; then
--        upgrade_scripts_dir=@abs_top_builddir@/src/share/database/scripts/mysql
-+        upgrade_scripts_dir=@abs_top_srcdir@/src/share/database/scripts/mysql
- 
-         # Check if the scripts directory exists at all.
-         if [ ! -d ${upgrade_scripts_dir} ]; then
-@@ -405,7 +405,7 @@ pgsql_upgrade() {
-     # Check if there are any files in it
-     num_files=$(find "${upgrade_scripts_dir}" -name 'upgrade*.sh' -type f | wc -l)
-     if [ "$num_files" -eq 0 ]; then
--        upgrade_scripts_dir=@abs_top_builddir@/src/share/database/scripts/pgsql
-+        upgrade_scripts_dir=@abs_top_srcdir@/src/share/database/scripts/pgsql
- 
-         # Check if the scripts directory exists at all.
-         if [ ! -d ${upgrade_scripts_dir} ]; then
--- 
-2.39.2
-
diff --git a/meta/recipes-connectivity/kea/files/0001-make-kea-environment-available-to-lfc.patch b/meta/recipes-connectivity/kea/files/0001-make-kea-environment-available-to-lfc.patch
new file mode 100644
index 0000000000..15c09d4c41
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/0001-make-kea-environment-available-to-lfc.patch
@@ -0,0 +1,96 @@
+From 72d7e6c0b6b5af4fea2e4db9ed33757984ccdc5b Mon Sep 17 00:00:00 2001
+From: Razvan Becheriu <razvan@isc.org>
+Date: Fri, 14 Jun 2024 17:09:50 +0300
+Subject: [PATCH] make kea environment available to lfc
+
+Upstream-Status: Backport
+[https://gitlab.isc.org/isc-projects/kea/-/commit/f477e8ebcc8b8e1f1adaad4d55031084c0ff6f40]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ configure.ac                                  |  2 ++
+ src/lib/dhcpsrv/memfile_lease_mgr.cc          |  3 ++-
+ .../tests/memfile_lease_mgr_unittest.cc       | 26 +++++++++++++++++++
+ src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in  |  6 +++++
+ 4 files changed, 36 insertions(+), 1 deletion(-)
+ create mode 100644 src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in
+
+diff --git a/configure.ac b/configure.ac
+index c00edb5..7b572b0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1629,6 +1629,8 @@ AC_CONFIG_FILES([src/lib/dhcp_ddns/tests/Makefile])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/Makefile])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/tests/Makefile])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/tests/test_libraries.h])
++AC_CONFIG_FILES([src/lib/dhcpsrv/tests/test_kea_lfc_env.sh],
++                [chmod +x src/lib/dhcpsrv/tests/test_kea_lfc_env.sh])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/testutils/Makefile])
+ AC_CONFIG_FILES([src/lib/dns/Makefile])
+ AC_CONFIG_FILES([src/lib/dns/tests/Makefile])
+diff --git a/src/lib/dhcpsrv/memfile_lease_mgr.cc b/src/lib/dhcpsrv/memfile_lease_mgr.cc
+index db4f5d5..0ecf3e7 100644
+--- a/src/lib/dhcpsrv/memfile_lease_mgr.cc
++++ b/src/lib/dhcpsrv/memfile_lease_mgr.cc
+@@ -209,7 +209,8 @@ LFCSetup::setup(const uint32_t lfc_interval,
+     args.push_back("ignored-path");
+ 
+     // Create the process (do not start it yet).
+-    process_.reset(new ProcessSpawn(ProcessSpawn::ASYNC, executable, args));
++    process_.reset(new ProcessSpawn(ProcessSpawn::ASYNC, executable, args,
++                                    ProcessEnvVars(), true));
+ 
+     // If we've been told to run it once now, invoke the callback directly.
+     if (run_once_now) {
+diff --git a/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc b/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc
+index 034f1f5..9edf637 100644
+--- a/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc
++++ b/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc
+@@ -534,6 +534,32 @@ TEST_F(MemfileLeaseMgrTest, lfcTimer) {
+     EXPECT_EQ(2, lease_mgr->getLFCCount());
+ }
+ 
++/// @brief Check that the kea environment is accesible to the Lease
++/// File Cleanup process.
++TEST_F(MemfileLeaseMgrTest, lfcEnv) {
++    DatabaseConnection::ParameterMap pmap;
++    pmap["type"] = "memfile";
++    pmap["universe"] = "4";
++    pmap["name"] = getLeaseFilePath("leasefile4_0.csv");
++    pmap["lfc-interval"] = "1";
++
++    std::ostringstream s;
++    s << DHCP_DATA_DIR << "/test_kea_lfc_env.sh";
++    setenv("KEA_LFC_EXECUTABLE", s.str().c_str(), 1);
++
++    boost::scoped_ptr<NakedMemfileLeaseMgr> lease_mgr(new NakedMemfileLeaseMgr(pmap));
++
++    // Try to run the lease file cleanup.
++    ASSERT_NO_THROW(lease_mgr->lfcCallback());
++
++    // Wait for the LFC process to complete.
++    ASSERT_TRUE(waitForProcess(*lease_mgr, 1));
++
++    // And make sure it has returned an exit status of 0.
++    EXPECT_EQ(0, lease_mgr->getLFCExitStatus())
++        << "environment not available to LFC";
++}
++
+ /// @brief This test checks if the LFC timer is disabled (doesn't trigger)
+ /// cleanups when the lfc-interval is set to 0.
+ TEST_F(MemfileLeaseMgrTest, lfcTimerDisabled) {
+diff --git a/src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in b/src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in
+new file mode 100644
+index 0000000..3eb71d5
+--- /dev/null
++++ b/src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in
+@@ -0,0 +1,6 @@
++#!/bin/sh
++
++if [ $(env | grep -c KEA_LFC_EXECUTABLE) != 0 ]; then
++    exit 0
++fi
++exit 1
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch
index 5b135b3aee..763639327a 100644
--- a/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch
+++ b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch
@@ -8,17 +8,21 @@ Subject: [PATCH] There are conflict of config files between kea and lib32-kea:
      lib32-kea-1.7.10-r0.core2_32 and kea-1.7.10-r0.core2_64
 |  file /etc/kea/kea-dhcp4.conf conflicts between attempted installs of
      lib32-kea-1.7.10-r0.core2_32 and kea-1.7.10-r0.core2_64
+|  file /etc/kea/kea-dhcp6.conf conflicts between attempted installs of
+     lib32-kea-2.6.1-r0.core2_32 and kea-2.6.1-r0.core2_64
 
 Because they are all commented out, replace the expanded libdir path with
 '$libdir' in the config files to avoid conflict.
 
 Upstream-Status: Submitted [https://gitlab.isc.org/isc-projects/kea/-/issues/2602]
 Signed-off-by: Kai Kang <kai.kang@windriver.com>
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
 
 ---
  src/bin/keactrl/kea-ctrl-agent.conf.pre | 3 ++-
  src/bin/keactrl/kea-dhcp4.conf.pre      | 4 ++--
- 2 files changed, 4 insertions(+), 3 deletions(-)
+ src/bin/keactrl/kea-dhcp6.conf.pre      | 4 ++--
+ 3 files changed, 6 insertions(+), 5 deletions(-)
 
 diff --git a/src/bin/keactrl/kea-ctrl-agent.conf.pre b/src/bin/keactrl/kea-ctrl-agent.conf.pre
 index e6ae8b8..50a3092 100644
@@ -56,3 +60,25 @@ index 6edb8a1..b2a7385 100644
      //       "parameters": {
      //           "identifier-expression": "relay4[2].hex"
      //       }
+diff --git a/src/bin/keactrl/kea-dhcp6.conf.pre b/src/bin/keactrl/kea-dhcp6.conf.pre
+index 271021b..5b85854 100644
+--- a/src/bin/keactrl/kea-dhcp6.conf.pre
++++ b/src/bin/keactrl/kea-dhcp6.conf.pre
+@@ -201,7 +201,7 @@
+     //       // of all devices serviced by Kea, including their identifiers
+     //       // (like MAC address), their location in the network, times
+     //       // when they were active etc.
+-    //       "library": "@libdir@/kea/hooks/libdhcp_legal_log.so",
++    //       "library": "$libdir/kea/hooks/libdhcp_legal_log.so",
+     //       "parameters": {
+     //           "path": "/var/lib/kea",
+     //           "base-name": "kea-forensic6"
+@@ -218,7 +218,7 @@
+     //       // of specific options or perhaps even a combination of several
+     //       // options and fields to uniquely identify a client. Those scenarios
+     //       // are addressed by the Flexible Identifiers hook application.
+-    //       "library": "@libdir@/kea/hooks/libdhcp_flex_id.so",
++    //       "library": "$libdir/kea/hooks/libdhcp_flex_id.so",
+     //       "parameters": {
+     //           "identifier-expression": "relay6[0].option[37].hex"
+     //       }
diff --git a/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch b/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch
index 63a6a2805b..2f5a217d3f 100644
--- a/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch
+++ b/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch
@@ -1,4 +1,4 @@
-From c878a356712606549f7f188b62f7d1cae08a176e Mon Sep 17 00:00:00 2001
+From f5125725e4e2e250ccc78a17a8b77431100e7c15 Mon Sep 17 00:00:00 2001
 From: Armin kuster <akuster808@gmail.com>
 Date: Wed, 14 Oct 2020 22:48:31 -0700
 Subject: [PATCH] Busybox does not support ps -p so use pgrep
@@ -8,15 +8,18 @@ Based on changes from Diego Sueiro <Diego.Sueiro@arm.com>
 
 Signed-off-by: Armin kuster <akuster808@gmail.com>
 
+Refresh to apply on top of 2.6.1.
+
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
 ---
  src/bin/keactrl/keactrl.in | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/src/bin/keactrl/keactrl.in b/src/bin/keactrl/keactrl.in
-index 450e997..c353ca9 100644
+index cccfdac303..20ae2e6ec5 100644
 --- a/src/bin/keactrl/keactrl.in
 +++ b/src/bin/keactrl/keactrl.in
-@@ -149,8 +149,8 @@ check_running() {
+@@ -146,8 +146,8 @@ check_running() {
      # Get the PID from the PID file (if it exists)
      get_pid_from_file "${proc_name}"
      if [ ${_pid} -gt 0 ]; then
@@ -27,3 +30,6 @@ index 450e997..c353ca9 100644
              # No error, so PID IS ALIVE
              _running=1
          fi
+-- 
+2.39.2
+
diff --git a/meta/recipes-connectivity/kea/kea_2.4.1.bb b/meta/recipes-connectivity/kea/kea_2.6.3.bb
index c3aa4dc8f0..1df91e4522 100644
--- a/meta/recipes-connectivity/kea/kea_2.4.1.bb
+++ b/meta/recipes-connectivity/kea/kea_2.6.3.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "Kea is the next generation of DHCP software developed by ISC. It
 HOMEPAGE = "http://kea.isc.org"
 SECTION = "connectivity"
 LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=ea061fa0188838072c4248c1318ec131"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ee16e7280a6cf2a1487717faf33190dc"
 
 DEPENDS = "boost log4cplus openssl"
 
@@ -17,9 +17,9 @@ SRC_URI = "http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \
            file://fix-multilib-conflict.patch \
            file://fix_pid_keactrl.patch \
            file://0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch \
-           file://0001-kea-fix-reproducible-build-failure.patch \
+           file://0001-make-kea-environment-available-to-lfc.patch \
            "
-SRC_URI[sha256sum] = "815c61f5c271caa4a1db31dd656eb50a7f6ea973da3690f7c8581408e180131a"
+SRC_URI[sha256sum] = "00241a5955ffd3d215a2c098c4527f9d7f4b203188b276f9a36250dd3d9dd612"
 
 inherit autotools systemd update-rc.d upstream-version-is-even
 
@@ -39,6 +39,7 @@ DEBUG_OPTIMIZATION:append:mipsel = " -O"
 BUILD_OPTIMIZATION:remove:mipsel = " -Og"
 BUILD_OPTIMIZATION:append:mipsel = " -O"
 
+CXXFLAGS:remove = "-fvisibility-inlines-hidden"
 EXTRA_OECONF = "--with-boost-libs=-lboost_system \
                 --with-log4cplus=${STAGING_DIR_TARGET}${prefix} \
                 --with-openssl=${STAGING_DIR_TARGET}${prefix}"
@@ -47,7 +48,7 @@ do_configure:prepend() {
     # replace abs_top_builddir to avoid introducing the build path
     # don't expand the abs_top_builddir on the target as the abs_top_builddir is meanlingless on the target
     find ${S} -type f -name *.sh.in | xargs sed -i  "s:@abs_top_builddir@:@abs_top_builddir_placeholder@:g"
-    sed -i "s:@abs_top_srcdir@:@abs_top_srcdir_placeholder@:g" ${S}/src/bin/admin/kea-admin.in
+    sed -i "s:@abs_top_builddir@:@abs_top_builddir_placeholder@:g" ${S}/src/bin/admin/kea-admin.in
 }
 
 # patch out build host paths for reproducibility
@@ -59,11 +60,12 @@ do_install:append() {
     install -d ${D}${sysconfdir}/init.d
     install -d ${D}${systemd_system_unitdir}
 
-    install -m 0644 ${WORKDIR}/kea-dhcp*service ${D}${systemd_system_unitdir}
-    install -m 0755 ${WORKDIR}/kea-*-server ${D}${sysconfdir}/init.d
+    install -m 0644 ${UNPACKDIR}/kea-dhcp*service ${D}${systemd_system_unitdir}
+    install -m 0755 ${UNPACKDIR}/kea-*-server ${D}${sysconfdir}/init.d
     sed -i -e 's,@SBINDIR@,${sbindir},g' -e 's,@BASE_BINDIR@,${base_bindir},g' \
            -e 's,@LOCALSTATEDIR@,${localstatedir},g' -e 's,@SYSCONFDIR@,${sysconfdir},g' \
            ${D}${systemd_system_unitdir}/kea-dhcp*service ${D}${sbindir}/keactrl
+    sed -i "s:${B}:@abs_top_builddir_placeholder@:g" ${D}${sbindir}/kea-admin
 }
 
 do_install:append() {
diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.5.bb
index 166654e280..7ad52acd06 100644
--- a/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
+++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.5.bb
@@ -10,8 +10,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \
                     file://pcap.h;beginline=1;endline=32;md5=39af3510e011f34b8872f120b1dc31d2"
 DEPENDS = "flex-native bison-native"
 
-SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz"
-SRC_URI[sha256sum] = "ed19a0383fad72e3ad435fd239d7cd80d64916b87269550159d20e47160ebe5f"
+SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.xz"
+SRC_URI[sha256sum] = "84fa89ac6d303028c1c5b754abff77224f45eca0a94eb1a34ff0aa9ceece3925"
 
 inherit autotools binconfig-disabled pkgconfig
 
diff --git a/meta/recipes-connectivity/libuv/libuv_1.48.0.bb b/meta/recipes-connectivity/libuv/libuv_1.51.0.bb
index 87a2c22a7c..9ff9cf35e2 100644
--- a/meta/recipes-connectivity/libuv/libuv_1.48.0.bb
+++ b/meta/recipes-connectivity/libuv/libuv_1.51.0.bb
@@ -6,12 +6,10 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=74b6f2f7818a4e3a80d03556f71b129b \
                     file://LICENSE-extra;md5=f9307417749e19bd1d6d68a394b49324"
 
-SRCREV = "e9f29cb984231524e3931aa0ae2c5dae1a32884e"
-SRC_URI = "git://github.com/libuv/libuv.git;branch=v1.x;protocol=https"
+SRCREV = "5152db2cbfeb5582e9c27c5ea1dba2cd9e10759b"
+SRC_URI = "git://github.com/libuv/libuv.git;branch=v1.x;protocol=https;tag=v${PV}"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
 
-S = "${WORKDIR}/git"
-
 inherit autotools
 
 do_configure() {
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_20250613.bb
index a4030b7b32..72663c7e0a 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_20250613.bb
@@ -5,13 +5,11 @@ SECTION = "network"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
 
-SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe"
-PV = "20230416"
 PE = "1"
 
-SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main"
-S = "${WORKDIR}/git"
+SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main;tag=${PV}"
+SRCREV = "2a1b409491a531aedcf3eb3ba907929d96bd181a"
 
-inherit autotools
+inherit meson
 
 DEPENDS += "libxslt-native"
diff --git a/meta/recipes-connectivity/neard/neard_0.19.bb b/meta/recipes-connectivity/neard/neard_0.19.bb
index a98f436b98..41c7e55f44 100644
--- a/meta/recipes-connectivity/neard/neard_0.19.bb
+++ b/meta/recipes-connectivity/neard/neard_0.19.bb
@@ -17,8 +17,6 @@ SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=https;bra
 
 SRCREV = "a1dc8a75cba999728e154a0f811ab9dd50c809f7"
 
-S = "${WORKDIR}/git"
-
 inherit autotools pkgconfig systemd update-rc.d
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
@@ -31,18 +29,17 @@ EXTRA_OECONF += "--enable-tools"
 do_install:append() {
         if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
                 install -d ${D}${sysconfdir}/init.d/
-                sed "s:@installpath@:${libexecdir}/nfc:" ${WORKDIR}/neard.in \
+                sed "s:@installpath@:${libexecdir}/nfc:" ${UNPACKDIR}/neard.in \
                   > ${D}${sysconfdir}/init.d/neard
                 chmod 0755 ${D}${sysconfdir}/init.d/neard
         fi
 }
 
-RDEPENDS:${PN} = "dbus"
-
 # Bluez & Wifi are not mandatory except for handover
+WIRELESS_DAEMON ??= "wpa-supplicant"
 RRECOMMENDS:${PN} = "\
                      ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez5', '', d)} \
-                     ${@bb.utils.contains('DISTRO_FEATURES', 'wifi','wpa-supplicant', '', d)} \
+                     ${@bb.utils.contains('DISTRO_FEATURES', 'wifi','${WIRELESS_DAEMON}', '', d)} \
                     "
 
 INITSCRIPT_NAME = "neard"
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch
deleted file mode 100644
index 7603eb680d..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch
+++ /dev/null
@@ -1,299 +0,0 @@
-From 690a90a5b7786e40b5447ad7c5f19a7657d27405 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu@windriver.com>
-Date: Fri, 14 Dec 2018 17:44:32 +0800
-Subject: [PATCH] Makefile.am: fix undefined function for libnsm.a
-
-The source file of libnsm.a uses some function
-in ../support/misc/file.c, add ../support/misc/file.c
-to libnsm_a_SOURCES to fix build error when run
-"make -C tests statdb_dump":
-| ../support/nsm/libnsm.a(file.o): In function `nsm_make_pathname':
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:175: undefined reference to `generic_make_pathname'
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:175: undefined reference to `generic_make_pathname'
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:175: undefined reference to `generic_make_pathname'
-| ../support/nsm/libnsm.a(file.o): In function `nsm_setup_pathnames':
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:280: undefined reference to `generic_setup_basedir'
-| collect2: error: ld returned 1 exit status
-
-As there is already one source file named file.c
-as support/nsm/file.c in support/nsm/Makefile.am,
-so rename ../support/misc/file.c to ../support/misc/misc.c.
-
-Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=154502780423058&w=2]
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-
-Rebase it.
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
----
- support/misc/Makefile.am |   2 +-
- support/misc/file.c      | 115 ---------------------------------------------------------------------------------------------------------------
- support/misc/misc.c      | 111 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- support/nsm/Makefile.am  |   2 +-
- 4 files changed, 113 insertions(+), 117 deletions(-)
-
-diff --git a/support/misc/Makefile.am b/support/misc/Makefile.am
-index f9993e3..8b0e9db 100644
---- a/support/misc/Makefile.am
-+++ b/support/misc/Makefile.am
-@@ -1,7 +1,7 @@
- ## Process this file with automake to produce Makefile.in
- 
- noinst_LIBRARIES = libmisc.a
--libmisc_a_SOURCES = tcpwrapper.c from_local.c mountpoint.c file.c \
-+libmisc_a_SOURCES = tcpwrapper.c from_local.c mountpoint.c misc.c \
-                    nfsd_path.c workqueue.c xstat.c
- 
- MAINTAINERCLEANFILES = Makefile.in
-diff --git a/support/misc/file.c b/support/misc/file.c
-deleted file mode 100644
-index 06f6bb2..0000000
---- a/support/misc/file.c
-+++ /dev/null
-@@ -1,115 +0,0 @@
--/*
-- * Copyright 2009 Oracle.  All rights reserved.
-- * Copyright 2017 Red Hat, Inc.  All rights reserved.
-- *
-- * This file is part of nfs-utils.
-- *
-- * nfs-utils is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * nfs-utils is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with nfs-utils.  If not, see <http://www.gnu.org/licenses/>.
-- */
--
--#ifdef HAVE_CONFIG_H
--#include <config.h>
--#endif
--
--#include <sys/stat.h>
--
--#include <string.h>
--#include <libgen.h>
--#include <stdio.h>
--#include <errno.h>
--#include <dirent.h>
--#include <stdlib.h>
--#include <stdbool.h>
--#include <limits.h>
--
--#include "xlog.h"
--#include "misc.h"
--
--/*
-- * Returns a dynamically allocated, '\0'-terminated buffer
-- * containing an appropriate pathname, or NULL if an error
-- * occurs.  Caller must free the returned result with free(3).
-- */
--__attribute__((__malloc__))
--char *
--generic_make_pathname(const char *base, const char *leaf)
--{
--       size_t size;
--       char *path;
--       int len;
--
--       size = strlen(base) + strlen(leaf) + 2;
--       if (size > PATH_MAX)
--               return NULL;
--
--       path = malloc(size);
--       if (path == NULL)
--               return NULL;
--
--       len = snprintf(path, size, "%s/%s", base, leaf);
--       if ((len < 0) || ((size_t)len >= size)) {
--               free(path);
--               return NULL;
--       }
--
--       return path;
--}
--
--
--/**
-- * generic_setup_basedir - set up basedir
-- * @progname: C string containing name of program, for error messages
-- * @parentdir: C string containing pathname to on-disk state, or NULL
-- * @base: character buffer to contain the basedir that is set up
-- * @baselen: size of @base in bytes
-- *
-- * This runs before logging is set up, so error messages are directed
-- * to stderr.
-- *
-- * Returns true and sets up our basedir, if @parentdir was valid
-- * and usable; otherwise false is returned.
-- */
--_Bool
--generic_setup_basedir(const char *progname, const char *parentdir, char *base,
--                     const size_t baselen)
--{
--       static char buf[PATH_MAX];
--       struct stat st;
--       char *path;
--
--       /* First: test length of name and whether it exists */
--       if ((strlen(parentdir) >= baselen) || (strlen(parentdir) >= PATH_MAX)) {
--               (void)fprintf(stderr, "%s: Directory name too long: %s",
--                               progname, parentdir);
--               return false;
--       }
--       if (lstat(parentdir, &st) == -1) {
--               (void)fprintf(stderr, "%s: Failed to stat %s: %s",
--                               progname, parentdir, strerror(errno));
--               return false;
--       }
--
--       /* Ensure we have a clean directory pathname */
--       strncpy(buf, parentdir, sizeof(buf)-1);
--       path = dirname(buf);
--       if (*path == '.') {
--               (void)fprintf(stderr, "%s: Unusable directory %s",
--                               progname, parentdir);
--               return false;
--       }
--
--       xlog(D_CALL, "Using %s as the state directory", parentdir);
--       strcpy(base, parentdir);
--       return true;
--}
-diff --git a/support/misc/misc.c b/support/misc/misc.c
-new file mode 100644
-index 0000000..e7c3819
---- /dev/null
-+++ b/support/misc/misc.c
-@@ -0,0 +1,111 @@
-+/*
-+ * Copyright 2009 Oracle.  All rights reserved.
-+ * Copyright 2017 Red Hat, Inc.  All rights reserved.
-+ *
-+ * This file is part of nfs-utils.
-+ *
-+ * nfs-utils is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * nfs-utils is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with nfs-utils.  If not, see <http://www.gnu.org/licenses/>.
-+ */
-+
-+#include <sys/stat.h>
-+
-+#include <string.h>
-+#include <libgen.h>
-+#include <stdio.h>
-+#include <errno.h>
-+#include <dirent.h>
-+#include <stdlib.h>
-+#include <stdbool.h>
-+#include <limits.h>
-+
-+#include "xlog.h"
-+#include "misc.h"
-+
-+/*
-+ * Returns a dynamically allocated, '\0'-terminated buffer
-+ * containing an appropriate pathname, or NULL if an error
-+ * occurs.  Caller must free the returned result with free(3).
-+ */
-+__attribute__((__malloc__))
-+char *
-+generic_make_pathname(const char *base, const char *leaf)
-+{
-+       size_t size;
-+       char *path;
-+       int len;
-+
-+       size = strlen(base) + strlen(leaf) + 2;
-+       if (size > PATH_MAX)
-+               return NULL;
-+
-+       path = malloc(size);
-+       if (path == NULL)
-+               return NULL;
-+
-+       len = snprintf(path, size, "%s/%s", base, leaf);
-+       if ((len < 0) || ((size_t)len >= size)) {
-+               free(path);
-+               return NULL;
-+       }
-+
-+       return path;
-+}
-+
-+
-+/**
-+ * generic_setup_basedir - set up basedir
-+ * @progname: C string containing name of program, for error messages
-+ * @parentdir: C string containing pathname to on-disk state, or NULL
-+ * @base: character buffer to contain the basedir that is set up
-+ * @baselen: size of @base in bytes
-+ *
-+ * This runs before logging is set up, so error messages are directed
-+ * to stderr.
-+ *
-+ * Returns true and sets up our basedir, if @parentdir was valid
-+ * and usable; otherwise false is returned.
-+ */
-+_Bool
-+generic_setup_basedir(const char *progname, const char *parentdir, char *base,
-+                     const size_t baselen)
-+{
-+       static char buf[PATH_MAX];
-+       struct stat st;
-+       char *path;
-+
-+       /* First: test length of name and whether it exists */
-+       if ((strlen(parentdir) >= baselen) || (strlen(parentdir) >= PATH_MAX)) {
-+               (void)fprintf(stderr, "%s: Directory name too long: %s",
-+                               progname, parentdir);
-+               return false;
-+       }
-+       if (lstat(parentdir, &st) == -1) {
-+               (void)fprintf(stderr, "%s: Failed to stat %s: %s",
-+                               progname, parentdir, strerror(errno));
-+               return false;
-+       }
-+
-+       /* Ensure we have a clean directory pathname */
-+       strncpy(buf, parentdir, sizeof(buf)-1);
-+       path = dirname(buf);
-+       if (*path == '.') {
-+               (void)fprintf(stderr, "%s: Unusable directory %s",
-+                               progname, parentdir);
-+               return false;
-+       }
-+
-+       xlog(D_CALL, "Using %s as the state directory", parentdir);
-+       strcpy(base, parentdir);
-+       return true;
-+}
-diff --git a/support/nsm/Makefile.am b/support/nsm/Makefile.am
-index 8f5874e..68f1a46 100644
---- a/support/nsm/Makefile.am
-+++ b/support/nsm/Makefile.am
-@@ -10,7 +10,7 @@ GENFILES      = $(GENFILES_CLNT) $(GENFILES_SVC) $(GENFILES_XDR) $(GENFILES_H)
- EXTRA_DIST     = sm_inter.x
- 
- noinst_LIBRARIES = libnsm.a
--libnsm_a_SOURCES = $(GENFILES) file.c rpc.c
-+libnsm_a_SOURCES = $(GENFILES) ../misc/misc.c file.c rpc.c
- 
- BUILT_SOURCES = $(GENFILES)
- 
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch
deleted file mode 100644
index 57d4660571..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 45597a58e98f351b18db8444292b1cf6dd0cd810 Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Sat, 9 Dec 2023 23:34:08 -0800
-Subject: [PATCH] reexport.h: Include unistd.h to compile with musl
-
-Fixed error when compile with musl
-reexport.c: In function 'reexpdb_init':
-reexport.c:62:17: error: implicit declaration of function 'sleep' [-Werror=implicit-function-declaration]
-   62 |                 sleep(1);
-
-
-Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=170254661824522&w=2]
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
----
- support/reexport/reexport.h | 1 +
- 1 files changed, 1 insertions(+)
-
-diff --git a/support/reexport/reexport.h b/support/reexport/reexport.h
-index 85fd59c..02f8684 100644
---- a/support/reexport/reexport.h
-+++ b/support/reexport/reexport.h
-@@ -1,6 +1,8 @@
- #ifndef REEXPORT_H
- #define REEXPORT_H
- 
-+#include <unistd.h>
-+
- #include "nfslib.h"
- 
- enum {
--- 
-2.42.0
-
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch
deleted file mode 100644
index 7d903e04bc..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From e2e9251dbeb452f5382179023d8ae18b511167a1 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 25 Jul 2023 23:47:08 -0700
-Subject: [PATCH] tools/locktest: Use intmax_t to print off_t
-
-off_t could be 64bit on 32bit architectures which means using %z printf
-modifier is not enough to print it and compiler will complain about
-format mismatch
-
-Fixes
-| testlk.c:84:66: error: format '%zd' expects argument of type 'signed size_t', but argument 4 has type '__off64_t' {aka 'long long int'} [-Werror=format=]
-|    84 |                         printf("%s: conflicting lock by %d on (%zd;%zd)\n",
-|       |                                                                ~~^
-|       |                                                                  |
-|       |                                                                  int
-|       |                                                                %lld
-|    85 |                                 fname, fl.l_pid, fl.l_start, fl.l_len);
-|       |                                                  ~~~~~~~~~~
-|       |                                                    |
-|       |                                                    __off64_t {aka long long int}
-
-Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=169035457128067&w=2]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- tools/locktest/testlk.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/tools/locktest/testlk.c b/tools/locktest/testlk.c
-index ea51f788..9d4c88c4 100644
---- a/tools/locktest/testlk.c
-+++ b/tools/locktest/testlk.c
-@@ -2,6 +2,7 @@
- #include <config.h>
- #endif
- 
-+#include <stdint.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <unistd.h>
-@@ -81,8 +82,8 @@ main(int argc, char **argv)
-                if (fl.l_type == F_UNLCK) {
-                        printf("%s: no conflicting lock\n", fname);
-                } else {
--                       printf("%s: conflicting lock by %d on (%zd;%zd)\n",
--                               fname, fl.l_pid, fl.l_start, fl.l_len);
-+                       printf("%s: conflicting lock by %d on (%jd;%jd)\n",
-+                               fname, fl.l_pid, (intmax_t)fl.l_start, (intmax_t)fl.l_len);
-                }
-                return 0;
-        }
--- 
-2.41.0
-
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0004-Use-nogroup-for-nobody-group.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0004-Use-nogroup-for-nobody-group.patch
new file mode 100644
index 0000000000..bbf44d5977
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0004-Use-nogroup-for-nobody-group.patch
@@ -0,0 +1,38 @@
+From 001913c5eb0aad933a93ee966252905cd46d776b Mon Sep 17 00:00:00 2001
+From: Daniel McGregor <daniel.mcgregor@vecima.com>
+Date: Tue, 6 Jun 2023 16:07:53 -0600
+Subject: [PATCH] Use "nogroup" for nobody group
+
+Upstream-Status: Inappropriate [oe-core specific, configuration]
+Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
+---
+ support/nfsidmap/idmapd.conf | 2 +-
+ utils/idmapd/idmapd.c        | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/support/nfsidmap/idmapd.conf b/support/nfsidmap/idmapd.conf
+index 2a2f79a1..e6f3724f 100644
+--- a/support/nfsidmap/idmapd.conf
++++ b/support/nfsidmap/idmapd.conf
+@@ -41,7 +41,7 @@
+ [Mapping]
+ 
+ #Nobody-User = nobody
+-#Nobody-Group = nobody
++#Nobody-Group = nogroup
+ 
+ [Translation]
+ 
+diff --git a/utils/idmapd/idmapd.c b/utils/idmapd/idmapd.c
+index cd9a965f..3be805e9 100644
+--- a/utils/idmapd/idmapd.c
++++ b/utils/idmapd/idmapd.c
+@@ -89,7 +89,7 @@
+ #endif
+ 
+ #ifndef NFS4NOBODY_GROUP
+-#define NFS4NOBODY_GROUP "nobody"
++#define NFS4NOBODY_GROUP "nogroup"
+ #endif
+ 
+ /* From Niels */
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-find-OE-provided-Kerberos.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-find-OE-provided-Kerberos.patch
new file mode 100644
index 0000000000..3241e8e859
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-find-OE-provided-Kerberos.patch
@@ -0,0 +1,42 @@
+From a2af266f013722a64c5d04e0fe097cd711393a53 Mon Sep 17 00:00:00 2001
+From: Daniel McGregor <daniel.mcgregor@vecima.com>
+Date: Wed, 8 Nov 2023 16:24:20 -0600
+Subject: [PATCH] find OE provided Kerberos
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
+---
+ aclocal/kerberos5.m4 | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/aclocal/kerberos5.m4 b/aclocal/kerberos5.m4
+index f96f0fd4..ad85fdf2 100644
+--- a/aclocal/kerberos5.m4
++++ b/aclocal/kerberos5.m4
+@@ -22,8 +22,8 @@ AC_DEFUN([AC_KERBEROS_V5],[
+     dnl This ugly hack brought on by the split installation of
+     dnl MIT Kerberos on Fedora Core 1
+     K5CONFIG=""
+-    if test -f $dir/bin/krb5-config; then
+-      K5CONFIG=$dir/bin/krb5-config
++    if test -f $dir/bin/crossscripts/krb5-config; then
++      K5CONFIG=$dir/bin/crossscripts/krb5-config
+     elif test -f "/usr/kerberos/bin/krb5-config"; then
+       K5CONFIG="/usr/kerberos/bin/krb5-config"
+     elif test -f "/usr/lib/mit/bin/krb5-config"; then
+@@ -72,6 +72,7 @@ AC_DEFUN([AC_KERBEROS_V5],[
+   AC_MSG_RESULT($KRBDIR)
+ 
+   dnl Check if -rpath=$(KRBDIR)/lib is needed
++  if false; then
+   echo "The current KRBDIR is $KRBDIR"
+   if test "$KRBDIR/lib" = "/lib" -o "$KRBDIR/lib" = "/usr/lib" \
+        -o "$KRBDIR/lib" = "//lib" -o "$KRBDIR/lib" = "/usr//lib" ; then
+@@ -81,6 +82,7 @@ AC_DEFUN([AC_KERBEROS_V5],[
+   else
+     KRBLDFLAGS="-Wl,-rpath=$KRBDIR/lib"
+   fi
++  fi
+ 
+   dnl Now check for functions within gssapi library
+   AC_CHECK_LIB($gssapi_lib, gss_krb5_export_lucid_sec_context,
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/bugfix-adjust-statd-service-name.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/bugfix-adjust-statd-service-name.patch
deleted file mode 100644
index f13d7b380c..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/bugfix-adjust-statd-service-name.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 398fed3bb0350cb1229e54e7020ae0e044c206d1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ulrich=20=C3=96lmann?= <u.oelmann@pengutronix.de>
-Date: Wed, 17 Feb 2016 08:33:45 +0100
-Subject: bugfix: adjust statd service name
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Upstream uses 'rpc-statd.service' and Yocto introduced 'nfs-statd.service'
-instead but forgot to update the mount.nfs helper 'start-statd' accordingly.
-
-Upstream-Status: Inappropriate [other]
-
-Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
-
-Rebase it.
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
----
- utils/statd/start-statd | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/utils/statd/start-statd b/utils/statd/start-statd
-index af5c950..df9b9be 100755
---- a/utils/statd/start-statd
-+++ b/utils/statd/start-statd
-@@ -28,10 +28,10 @@ fi
- # First try systemd if it's installed.
- if [ -d /run/systemd/system ]; then
-     # Quit only if the call worked.
--    if systemctl start rpc-statd.service; then
-+    if systemctl start nfs-statd.service; then
-         # Ensure systemd knows not to stop rpc.statd or its dependencies
-         # on 'systemctl isolate ..'
--        systemctl add-wants --runtime remote-fs.target rpc-statd.service
-+        systemctl add-wants --runtime remote-fs.target nfs-statd.service
-         exit 0
-     fi
- fi
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch
deleted file mode 100644
index fde99b599e..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 1ab0c326405c6daa06f1a7eb4b0b60bf4e0584c2 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 31 Dec 2019 08:15:34 -0800
-Subject: [PATCH] Detect warning options during configure
-
-Certain options maybe compiler specific therefore its better
-to detect them before use.
-
-nfs_error copies the format string and appends newline to it
-but compiler can forget that it was format string since its not
-same fmt string that was passed. Ignore the warning
-
-Wdiscarded-qualifiers is gcc specific and this is no longer needed
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
----
- support/nfs/xcommon.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/support/nfs/xcommon.c b/support/nfs/xcommon.c
-index 3989f0b..e080423 100644
---- a/support/nfs/xcommon.c
-+++ b/support/nfs/xcommon.c
-@@ -98,7 +98,10 @@ nfs_error (const char *fmt, ...) {
- 
-      fmt2 = xstrconcat2 (fmt, "\n");
-      va_start (args, fmt);
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
-      vfprintf (stderr, fmt2, args);
-+#pragma GCC diagnostic pop
-      va_end (args);
-      free (fmt2);
- }
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
deleted file mode 100644
index ebfe64b9ce..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
+++ /dev/null
@@ -1,18 +0,0 @@
-[Unit]
-Description=NFS Mount Daemon
-DefaultDependencies=no
-After=rpcbind.socket
-Requires=proc-fs-nfsd.mount
-After=proc-fs-nfsd.mount
-After=network.target local-fs.target
-BindsTo=nfs-server.service
-ConditionPathExists=@SYSCONFDIR@/exports
-
-[Service]
-EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
-ExecStart=@SBINDIR@/rpc.mountd -F $MOUNTD_OPTS
-LimitNOFILE=@HIGH_RLIMIT_NOFILE@
-StateDirectory=nfs
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
deleted file mode 100644
index 15ceee04d0..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=NFS server and services
-DefaultDependencies=no
-Requires=network.target proc-fs-nfsd.mount
-Requires=nfs-mountd.service
-Wants=rpcbind.service
-After=local-fs.target
-After=network.target proc-fs-nfsd.mount rpcbind.service nfs-mountd.service
-ConditionPathExists=@SYSCONFDIR@/exports
-
-[Service]
-Type=oneshot
-EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
-ExecStartPre=@SBINDIR@/exportfs -r
-ExecStart=@SBINDIR@/rpc.nfsd $NFSD_OPTS $NFSD_COUNT
-ExecStop=@SBINDIR@/rpc.nfsd 0
-ExecStopPost=@SBINDIR@/exportfs -au
-ExecStopPost=@SBINDIR@/exportfs -f
-ExecReload=@SBINDIR@/exportfs -r
-RemainAfterExit=yes
-StateDirectory=nfs
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
deleted file mode 100644
index b519194121..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=NFS status monitor for NFSv2/3 locking.
-DefaultDependencies=no
-Conflicts=umount.target
-Requires=nss-lookup.target rpcbind.service
-After=network.target nss-lookup.target rpcbind.service
-ConditionPathExists=@SYSCONFDIR@/exports
-
-[Service]
-EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
-ExecStart=@SBINDIR@/rpc.statd -F $STATD_OPTS
-LimitNOFILE=@HIGH_RLIMIT_NOFILE@
-StateDirectory=nfs
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-debianize-start-statd.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-debianize-start-statd.patch
deleted file mode 100644
index ede0dcefc4..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-debianize-start-statd.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-[PATCH] nfs-utils: debianize start-statd
-
-Upstream-Status: Pending
-
-make start-statd command to use nfscommon configure, too.
-
-Signed-off-by: Henrik Riomar <henrik.riomar@ericsson.com>
-Signed-off-by: Li Wang <li.wang@windriver.com>
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- utils/statd/start-statd | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/utils/statd/start-statd b/utils/statd/start-statd
-index 2fd6039..f591b34 100755
---- a/utils/statd/start-statd
-+++ b/utils/statd/start-statd
-@@ -17,6 +17,14 @@ then
-     # statd already running - must have been slow to respond.
-     exit 0
- fi
-+
-+# Read config
-+DEFAULTFILE=/etc/default/nfs-common
-+NEED_IDMAPD=
-+if [ -f $DEFAULTFILE ]; then
-+    . $DEFAULTFILE
-+fi
-+
- # First try systemd if it's installed.
- if [ -d /run/systemd/system ]; then
-     # Quit only if the call worked.
-@@ -25,4 +33,4 @@ fi
- 
- cd /
- # Fall back to launching it ourselves.
--exec rpc.statd --no-notify
-+exec rpc.statd --no-notify $STATDOPTS
--- 
-2.6.6
-
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils.conf b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils.conf
deleted file mode 100644
index a1007a7fbf..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# Parameters to be passed to nfs-utils (clients & server) service files.
-#
-
-# Options to pass to rpc.nfsd.
-NFSD_OPTS=""
-
-# Number of servers to start up; the default is 8 servers.
-NFSD_COUNT=""
-
-# Where to mount nfsd filesystem; the default is "/proc/fs/nfsd".
-PROCNFSD_MOUNTPOINT=""
-
-# Options used to mount nfsd filesystem; the default is "rw,nodev,noexec,nosuid".
-PROCNFSD_MOUNTOPTS=""
-
-# Options for rpc.mountd.
-# If you have a port-based firewall, you might want to set up
-# a fixed port here using the --port option.
-MOUNTD_OPTS=""
-
-# Parameters to be passed to nfs-common (nfs clients & server) init script.
-#
-
-# If you do not set values for the NEED_ options, they will be attempted
-# autodetected; this should be sufficient for most people. Valid alternatives
-# for the NEED_ options are "yes" and "no".
-
-# Do you want to start the statd daemon? It is not needed for NFSv4.
-NEED_STATD=""
-
-# Options to pass to rpc.statd.
-# N.B. statd normally runs on both client and server, and run-time
-# options should be specified accordingly.
-# STATD_OPTS="-p 32765 -o 32766"
-STATD_OPTS=""
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon
index 992267d5a1..9b7fd17b41 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon
@@ -1,63 +1,279 @@
 #!/bin/sh
+
 ### BEGIN INIT INFO
 # Provides:          nfs-common
-# Required-Start:    $portmap hwclock
-# Required-Stop:     $portmap hwclock
-# Default-Start:     2 3 4 5
+# Required-Start:    $portmap $time
+# Required-Stop:     $portmap $time
+# Default-Start:     S
 # Default-Stop:      0 1 6
-# Short-Description: NFS support for both client and server
+# Short-Description: NFS support files common to client and server
 # Description:       NFS is a popular protocol for file sharing across
-#                    TCP/IP networks. This service provides various
+#                    TCP/IP networks. This service provides various
 #                    support functions for NFS mounts.
 ### END INIT INFO
-#
-# Startup script for nfs-utils
-#
-#
-# Location of executables:
 
-# Source function library.
+# What is this?
+DESC="NFS common utilities"
+
+# Read config
+DEFAULTFILE=/etc/default/nfs-utils
+NEED_STATD=
+NEED_GSSD=
+if nfsconf --isset general pipefs-directory; then
+    PIPEFS_MOUNTPOINT=$(nfsconf --get general pipefs-directory)
+else
+    PIPEFS_MOUNTPOINT=/var/lib/nfs/rpc_pipefs
+fi
+if [ -f $DEFAULTFILE ]; then
+    . $DEFAULTFILE
+fi
+
 . /etc/init.d/functions
 
-test -x "$NFS_STATD" || NFS_STATD=/usr/sbin/rpc.statd
-test -z "$STATD_PID" && STATD_PID=/var/run/rpc.statd.pid
+# Exit if required binaries are missing.
+[ -x /usr/sbin/rpc.statd ] || exit 0
+
 #
-# The default state directory is /var/lib/nfs
-test -n "$NFS_STATEDIR" || NFS_STATEDIR=/var/lib/nfs
+# Parse the fstab file, and determine whether we need gssd. (The
+# /etc/defaults settings, if any, will override our autodetection.) This code
+# is partially adapted from the mountnfs.sh script in the sysvinit package.
 #
-#----------------------------------------------------------------------
-# Startup and shutdown functions.
-#  Actual startup/shutdown is at the end of this file.
-
-start_statd(){
-        echo -n "starting statd: "
-        start-stop-daemon --start --exec "$NFS_STATD" --pidfile "$STATD_PID"
-        echo done
+AUTO_NEED_GSSD=no
+
+if [ -f /etc/fstab ]; then
+    exec 9<&0 </etc/fstab
+
+    while read -r DEV _ _ OPTS _
+    do
+        case $DEV in
+            ''|\#*)
+                continue
+                ;;
+        esac
+        OLDIFS="$IFS"
+        IFS=","
+        for OPT in $OPTS; do
+            case "$OPT" in
+                sec=krb5|sec=krb5i|sec=krb5p)
+                    AUTO_NEED_GSSD=yes
+                ;;
+            esac
+        done
+        IFS="$OLDIFS"
+    done
+
+    exec 0<&9 9<&-
+fi
+
+case "$NEED_STATD" in
+    yes|no)
+        ;;
+    *)
+        NEED_STATD=yes
+        ;;
+esac
+
+case "$NEED_IDMAPD" in
+    yes|no)
+        ;;
+    *)
+        NEED_IDMAPD=yes
+        ;;
+esac
+
+case "$NEED_GSSD" in
+    yes|no)
+        ;;
+    *)
+        NEED_GSSD=$AUTO_NEED_GSSD
+        ;;
+esac
+
+do_modprobe() {
+    if [ -x /sbin/modprobe ] && [ -f /proc/modules ]
+    then
+        modprobe -q "$1" || true
+    fi
+}
+
+do_mount() {
+    if ! grep -E -qs "$1\$" /proc/filesystems
+    then
+        return 1
+    fi
+    if ! mountpoint -q "$2"
+    then
+        mount -t "$1" "$1" "$2"
+        return
+    fi
+    return 0
 }
-stop_statd(){
-        echo -n 'stopping statd: '
-        start-stop-daemon --stop --quiet --signal 1 --pidfile "$STATD_PID"
-        echo done
+
+do_umount() {
+    if mountpoint -q "$1"
+    then
+        umount "$1"
+    fi
+    return 0
 }
-#----------------------------------------------------------------------
-#
-# supported options:
-#  start
-#  stop
-#  restart: stops and starts mountd
-#FIXME: need to create the /var/lib/nfs/... directories
+
+# See how we were called.
 case "$1" in
   start)
-        start_statd;;
+        echo -n "Starting $DESC ..."
+
+        if [ "$NEED_STATD" = yes ]; then
+            echo -n " statd"
+
+            # See if rpcbind is running
+            if [ -x /usr/sbin/rpcinfo ]; then
+                /usr/sbin/rpcinfo -p >/dev/null 2>&1
+                RET=$?
+                if [ $RET != 0 ]; then
+                   echo
+                   echo "Not starting: portmapper is not running"
+                   exit 0
+                fi
+            fi
+            start-stop-daemon --start --oknodo --quiet \
+                --pidfile /run/rpc.statd.pid \
+                --exec /usr/sbin/rpc.statd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            else
+                if [ -d /run/sendsigs.omit.d ]; then
+                    rm -f /run/sendsigs.omit.d/statd
+                    ln -s /run/rpc.statd.pid /run/sendsigs.omit.d/statd
+                fi
+            fi
+        fi
+
+        # Don't start idmapd and gssd if we don't have them (say, if /usr is not
+        # up yet).
+        [ -x /usr/sbin/rpc.idmapd ] || NEED_IDMAPD=no
+        [ -x /usr/sbin/rpc.gssd   ] || NEED_GSSD=no
+
+        if [ "$NEED_IDMAPD" = yes ] || [ "$NEED_GSSD" = yes ]
+        then
+            do_modprobe sunrpc
+            do_modprobe nfs
+            do_modprobe nfsd
+            mkdir -p "$PIPEFS_MOUNTPOINT"
+            if do_mount rpc_pipefs $PIPEFS_MOUNTPOINT
+            then
+                if [ "$NEED_IDMAPD" = yes ]
+                then
+                    ecno -n " idmapd"
+                    start-stop-daemon --start --oknodo --quiet \
+                            --exec /usr/sbin/rpc.idmapd
+                    RET=$?
+                    if [ $RET != 0 ]; then
+                        echo " failed" $RET
+                        exit $RET
+                    fi
+                fi
+                if [ "$NEED_GSSD" = yes ]
+                then
+                    do_modprobe rpcsec_gss_krb5
+                    echo -n " gssd"
+
+                    start-stop-daemon --start --oknodo --quiet \
+                            --exec /usr/sbin/rpc.gssd
+                    RET=$?
+                    if [ $RET != 0 ]; then
+                        echo " failed" $RET
+                        exit $RET
+                    fi
+                fi
+            fi
+        fi
+        echo " done"
+        ;;
+
   stop)
-        stop_statd;;
+        echo -n "Stopping $DESC ..."
+
+        if [ "$NEED_GSSD" = yes ]
+        then
+            echo -n " gssd"
+            start-stop-daemon --stop --oknodo --quiet \
+                    --name rpc.gssd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            fi
+        fi
+        if [ "$NEED_IDMAPD" = yes ]
+        then
+            echo -n " idmapd"
+            start-stop-daemon --stop --oknodo --quiet \
+                --name rpc.idmapd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            fi
+        fi
+        if [ "$NEED_STATD" = yes ]
+        then
+            echo -n " statd"
+            start-stop-daemon --stop --oknodo --quiet \
+                --name rpc.statd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            fi
+        fi
+        do_umount $PIPEFS_MOUNTPOINT 2>/dev/null || true
+        echo " done"
+        ;;
+
   status)
-        status $NFS_STATD
-        exit $?;;
-  restart)
+        if [ "$NEED_STATD" = yes ]
+        then
+            if ! pidof rpc.statd >/dev/null
+            then
+                echo "rpc.statd not running"
+                exit 3
+            fi
+        fi
+
+        if [ "$NEED_GSSD" = yes ]
+        then
+            if ! pidof rpc.gssd >/dev/null
+            then
+                echo "rpc.gssd not running"
+                exit 3
+            fi
+        fi
+
+        if [ "$NEED_IDMAPD" = yes ]
+        then
+            if ! pidof rpc.idmapd >/dev/null
+            then
+                echo "rpc.idmapd not running"
+                exit 3
+            fi
+        fi
+
+        echo "all daemons running"
+        exit 0
+        ;;
+
+  restart | force-reload)
         $0 stop
-        $0 start;;
+        sleep 1
+        $0 start
+        ;;
+
   *)
-        echo "Usage: $0 {start|stop|status|restart}"
-        exit 1;;
+        echo "Usage: nfscommon {start|stop|status|restart}"
+        exit 1
+        ;;
 esac
+
+exit 0
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
index 0f5747cc6d..99ec280b35 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
@@ -1,8 +1,10 @@
 #!/bin/sh
+
 ### BEGIN INIT INFO
 # Provides:          nfs-kernel-server
-# Required-Start:    $remote_fs nfs-common $portmap hwclock
-# Required-Stop:     $remote_fs nfs-common $portmap hwclock
+# Required-Start:    $remote_fs nfs-common $portmap $time
+# Required-Stop:     $remote_fs nfs-common $portmap $time
+# Should-Start:      $named
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Kernel NFS server support
@@ -19,20 +21,25 @@
 #
 # The environment variable NFS_SERVERS may be set in /etc/default/nfsd
 # Other control variables may be overridden here too
-test -r /etc/default/nfsd && . /etc/default/nfsd
+test -r /etc/default/nfs-utils && . /etc/default/nfs-utils
 #
 # Location of executables:
 test -x "$NFS_MOUNTD" || NFS_MOUNTD=/usr/sbin/rpc.mountd
 test -x "$NFS_NFSD" || NFS_NFSD=/usr/sbin/rpc.nfsd
+test -x "$NFS_SVCGSSD" || NFS_SVCGSSD=/usr/sbin/rpc.svcgssd
 #
 # The user mode program must also exist (it just starts the kernel
 # threads using the kernel module code).
 test -x "$NFS_MOUNTD" || exit 0
 test -x "$NFS_NFSD" || exit 0
-#
-# Default is 8 threads, value is settable between 1 and the truely
-# ridiculous 99
-test "$NFS_SERVERS" != "" && test "$NFS_SERVERS" -gt 0 && test "$NFS_SERVERS" -lt 100 || NFS_SERVERS=8
+
+case "$NEED_SVCGSSD" in
+        yes|no)
+                ;;
+        *)
+                NEED_SVCGSSD=no
+                ;;
+esac
 #
 #----------------------------------------------------------------------
 # Startup and shutdown functions.
@@ -49,6 +56,22 @@ stop_mountd(){
         echo done
 }
 #
+#svcgssd
+start_svcgssd(){
+        modprobe -q rpcsec_gss_krb5
+        if [ "$NEED_SVCGSSD" = "yes" ]; then
+                echo -n "starting svcgssd: "
+                start-stop-daemon --start --exec "$NFS_SVCGSSD" -- "$@"
+                echo done
+        fi
+}
+stop_svcgssd(){
+        if [ "$NEED_SVCGSSD" = "yes" ]; then
+                echo -n "stop svcgssd: "
+                start-stop-daemon --stop --exec "$NFS_SVCGSSD"
+                echo done
+        fi
+}
 #nfsd
 start_nfsd(){
         modprobe -q nfsd
@@ -62,38 +85,18 @@ start_nfsd(){
                 exit 1
         }
 
-        echo -n "starting $1 nfsd kernel threads: "
+        echo -n "starting nfsd: "
         start-stop-daemon --start --exec "$NFS_NFSD" -- "$@"
         echo done
 }
-delay_nfsd(){
-        for delay in 0 1 2 3 4 5 6 7 8 9 
-        do
-                if pidof nfsd >/dev/null
-                then
-                        echo -n .
-                        sleep 1
-                else
-                        return 0
-                fi
-        done
-        return 1
-}
 stop_nfsd(){
-        # WARNING: this kills any process with the executable
-        # name 'nfsd'.
         echo -n 'stopping nfsd: '
-        start-stop-daemon --stop --quiet --signal 1 --name nfsd
-        if delay_nfsd || {
-                echo failed
-                echo ' using signal 9: '
-                start-stop-daemon --stop --quiet --signal 9 --name nfsd
-                delay_nfsd
-        }
+        $NFS_NFSD 0
+        if pidof nfsd
         then
-                echo done
-        else
                 echo failed
+        else
+                echo done
         fi
 }
 
@@ -108,11 +111,13 @@ stop_nfsd(){
 case "$1" in
   start)
         test -r /etc/exports && exportfs -r
-        start_nfsd "$NFS_SERVERS"
+        start_nfsd
+        start_svcgssd
         start_mountd
         test -r /etc/exports && exportfs -a;;
   stop) exportfs -ua
         stop_mountd
+        stop_svcgssd
         stop_nfsd;;
   status)
         status /usr/sbin/rpc.mountd
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/proc-fs-nfsd.mount b/meta/recipes-connectivity/nfs-utils/nfs-utils/proc-fs-nfsd.mount
deleted file mode 100644
index 630801b375..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/proc-fs-nfsd.mount
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=NFSD configuration filesystem
-After=systemd-modules-load.service
-
-[Mount]
-What=nfsd
-Where=/proc/fs/nfsd
-Type=nfsd
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.8.3.bb
index 2f2644f9a8..9668ac0e86 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.8.3.bb
@@ -8,7 +8,7 @@ LICENSE = "MIT & GPL-2.0-or-later & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=95f3a93a5c3c7888de623b46ea085a84"
 
 # util-linux for libblkid
-DEPENDS = "libcap libevent util-linux sqlite3 libtirpc"
+DEPENDS = "libcap libevent util-linux sqlite3 libtirpc libxml2"
 RDEPENDS:${PN} = "${PN}-client"
 RRECOMMENDS:${PN} = "kernel-module-nfsd"
 
@@ -21,20 +21,12 @@ USERADD_PARAM:${PN}-client = "--system  --home-dir /var/lib/nfs \
 SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.xz \
            file://nfsserver \
            file://nfscommon \
-           file://nfs-utils.conf \
-           file://nfs-server.service \
-           file://nfs-mountd.service \
-           file://nfs-statd.service \
-           file://proc-fs-nfsd.mount \
-           file://nfs-utils-debianize-start-statd.patch \
-           file://bugfix-adjust-statd-service-name.patch \
-           file://0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch \
-           file://clang-warnings.patch \
            file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \
-           file://0001-tools-locktest-Use-intmax_t-to-print-off_t.patch \
-           file://0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch \
+           file://0004-Use-nogroup-for-nobody-group.patch \
+           file://0005-find-OE-provided-Kerberos.patch \
            "
-SRC_URI[sha256sum] = "01b3b0fb9c7d0bbabf5114c736542030748c788ec2fd9734744201e9b0a1119d"
+
+SRC_URI[sha256sum] = "11e7c5847a8423a72931c865bd9296e7fd56ff270a795a849183900961711725"
 
 # Only kernel-module-nfsd is required here (but can be built-in)  - the nfsd module will
 # pull in the remainder of the dependencies.
@@ -48,32 +40,36 @@ INITSCRIPT_PARAMS:${PN}-client = "defaults 19 21"
 inherit autotools-brokensep update-rc.d systemd pkgconfig
 
 SYSTEMD_PACKAGES = "${PN} ${PN}-client"
-SYSTEMD_SERVICE:${PN} = "nfs-server.service nfs-mountd.service"
-SYSTEMD_SERVICE:${PN}-client = "nfs-statd.service"
+SYSTEMD_SERVICE:${PN} = "nfs-server.service"
+SYSTEMD_SERVICE:${PN}-client = "nfs-client.target"
 
 # --enable-uuid is need for cross-compiling
 EXTRA_OECONF = "--with-statduser=rpcuser \
                 --enable-mountconfig \
                 --enable-libmount-mount \
                 --enable-uuid \
-                --disable-gss \
-                --disable-nfsdcltrack \
                 --with-statdpath=/var/lib/nfs/statd \
+                --with-pluginpath=${libdir}/libnfsidmap \
                 --with-rpcgen=${HOSTTOOLS_DIR}/rpcgen \
                "
 
-LDFLAGS:append = " -lsqlite3 -levent"
+LDFLAGS += "-lsqlite3 -levent"
 
 PACKAGECONFIG ??= "tcp-wrappers \
-    ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
+    ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 systemd', d)} \
 "
+
 PACKAGECONFIG:remove:libc-musl = "tcp-wrappers"
+#krb5 is available in meta-oe
+PACKAGECONFIG[gssapi] = "--with-krb5=${STAGING_EXECPREFIXDIR} --enable-gss --enable-svcgss,--disable-gss --disable-svcgss,krb5"
 PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,--without-tcp-wrappers,tcp-wrappers"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
 # libdevmapper is available in meta-oe
 PACKAGECONFIG[nfsv41] = "--enable-nfsv41,--disable-nfsv41,libdevmapper,libdevmapper"
 # keyutils is available in meta-oe
-PACKAGECONFIG[nfsv4] = "--enable-nfsv4,--disable-nfsv4,keyutils,python3-core"
+PACKAGECONFIG[nfsv4] = "--enable-nfsv4 --enable-nfsdcltrack,--disable-nfsv4 --disable-nfsdcltrack,keyutils,python3-core"
+PACKAGECONFIG[nfsdctl] = "--enable-nfsdctl,--disable-nfsdctl,libnl readline,"
+PACKAGECONFIG[systemd] = "--with-systemd=${systemd_unitdir}/system,--without-systemd"
 
 PACKAGES =+ "${PN}-client ${PN}-mount ${PN}-stats ${PN}-rpcctl"
 
@@ -81,17 +77,34 @@ CONFFILES:${PN}-client += "${localstatedir}/lib/nfs/etab \
                            ${localstatedir}/lib/nfs/rmtab \
                            ${localstatedir}/lib/nfs/xtab \
                            ${localstatedir}/lib/nfs/statd/state \
+                           ${sysconfdir}/idmapd.conf \
+                           ${sysconfdir}/nfs.conf \
                            ${sysconfdir}/nfsmount.conf"
 
 FILES:${PN}-client = "${sbindir}/*statd \
-                      ${libdir}/libnfsidmap.so.* \
                       ${sbindir}/rpc.idmapd ${sbindir}/sm-notify \
                       ${sbindir}/showmount ${sbindir}/nfsstat \
+                      ${sbindir}/rpc.gssd \
+                      ${sbindir}/nfsconf \
+                      ${libdir}/libnfsidmap.so.* \
+                      ${libdir}/libnfsidmap/*.so \
+                      ${libexecdir}/nfsrahead \
                       ${localstatedir}/lib/nfs \
-                      ${sysconfdir}/nfs-utils.conf \
-                      ${sysconfdir}/nfsmount.conf \
+                      ${sysconfdir}/idmapd.conf \
                       ${sysconfdir}/init.d/nfscommon \
-                      ${systemd_system_unitdir}/nfs-statd.service"
+                      ${sysconfdir}/nfs.conf \
+                      ${sysconfdir}/nfsmount.conf \
+                      ${systemd_system_unitdir}/auth-rpcgss-module.service \
+                      ${systemd_system_unitdir}/nfs-client.target \
+                      ${systemd_system_unitdir}/nfs-idmapd.service \
+                      ${systemd_system_unitdir}/nfs-statd.service \
+                      ${systemd_system_unitdir}/nfscommon.service \
+                      ${systemd_system_unitdir}/rpc-gssd.service \
+                      ${systemd_system_unitdir}/rpc-statd-notify.service \
+                      ${systemd_system_unitdir}/rpc-statd.service \
+                      ${systemd_system_unitdir}/rpc_pipefs.target \
+                      ${systemd_system_unitdir}/var-lib-nfs-rpc_pipefs.mount \
+                      ${nonarch_libdir}/udev/rules.d/*"
 RDEPENDS:${PN}-client = "${PN}-mount rpcbind"
 
 FILES:${PN}-mount = "${base_sbindir}/*mount.nfs*"
@@ -108,7 +121,9 @@ FILES:${PN} += "${systemd_unitdir} ${libdir}/libnfsidmap/ ${nonarch_libdir}/modp
 
 do_configure:prepend() {
         sed -i -e 's,sbindir = /sbin,sbindir = ${base_sbindir},g' \
-                ${S}/utils/mount/Makefile.am
+                -e 's,udev_rulesdir = /usr/lib/udev/rules.d/,udev_rulesdir = ${nonarch_base_libdir}/udev/rules.d/,g' \
+                ${S}/utils/mount/Makefile.am ${S}/utils/nfsdcltrack/Makefile.am \
+                ${S}/systemd/Makefile.am ${S}/tools/nfsrahead/Makefile.am
 }
 
 # Make clean needed because the package comes with
@@ -122,25 +137,18 @@ HIGH_RLIMIT_NOFILE ??= "4096"
 
 do_install:append () {
         install -d ${D}${sysconfdir}/init.d
-        install -m 0755 ${WORKDIR}/nfsserver ${D}${sysconfdir}/init.d/nfsserver
-        install -m 0755 ${WORKDIR}/nfscommon ${D}${sysconfdir}/init.d/nfscommon
+        install -m 0755 ${UNPACKDIR}/nfsserver ${D}${sysconfdir}/init.d/nfsserver
+        install -m 0755 ${UNPACKDIR}/nfscommon ${D}${sysconfdir}/init.d/nfscommon
 
-        install -m 0755 ${WORKDIR}/nfs-utils.conf ${D}${sysconfdir}
-        install -m 0755 ${S}/utils/mount/nfsmount.conf ${D}${sysconfdir}
+        install -m 0644 ${S}/support/nfsidmap/idmapd.conf ${D}${sysconfdir}
+        install -m 0644 ${S}/nfs.conf ${D}${sysconfdir}
 
         install -d ${D}${systemd_system_unitdir}
-        install -m 0644 ${WORKDIR}/nfs-server.service ${D}${systemd_system_unitdir}/
-        install -m 0644 ${WORKDIR}/nfs-mountd.service ${D}${systemd_system_unitdir}/
-        install -m 0644 ${WORKDIR}/nfs-statd.service ${D}${systemd_system_unitdir}/
-        sed -i -e 's,@SBINDIR@,${sbindir},g' \
-                -e 's,@SYSCONFDIR@,${sysconfdir},g' \
-                -e 's,@HIGH_RLIMIT_NOFILE@,${HIGH_RLIMIT_NOFILE},g' \
-                ${D}${systemd_system_unitdir}/*.service
-        if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-                install -m 0644 ${WORKDIR}/proc-fs-nfsd.mount ${D}${systemd_system_unitdir}/
-                install -d ${D}${systemd_system_unitdir}/sysinit.target.wants/
-                ln -sf ../proc-fs-nfsd.mount ${D}${systemd_system_unitdir}/sysinit.target.wants/proc-fs-nfsd.mount
-        fi
+        # Retain historical service name so old scripts keep working
+        ln -s rpc-statd.service ${D}${systemd_system_unitdir}/nfs-statd.service
+        # Add compatibility symlinks for the sysvinit scripts
+        ln -s nfs-server.service ${D}${systemd_system_unitdir}/nfsserver.service
+        ln -s /dev/null ${D}${systemd_system_unitdir}/nfscommon.service
 
         # kernel code as of 3.8 hard-codes this path as a default
         install -d ${D}/var/lib/nfs/v4recovery
@@ -148,7 +156,4 @@ do_install:append () {
         # chown the directories and files
         chown -R rpcuser:rpcuser ${D}${localstatedir}/lib/nfs/statd
         chmod 0644 ${D}${localstatedir}/lib/nfs/statd/state
-
-        # Make python tools use python 3
-        sed -i -e '1s,#!.*python.*,#!${bindir}/python3,' ${D}${sbindir}/mountstats ${D}${sbindir}/nfsiostat
 }
diff --git a/meta/recipes-connectivity/ofono/ofono/0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch b/meta/recipes-connectivity/ofono/ofono/0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch
deleted file mode 100644
index 8a5a300adc..0000000000
--- a/meta/recipes-connectivity/ofono/ofono/0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 22b52db4842611ac31a356f023fc09595384e2ad Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Thu, 23 May 2019 18:11:22 -0700
-Subject: [PATCH] mbim: add an optional TEMP_FAILURE_RETRY macro copy
-
-Fixes build on musl which does not provide this macro
-
-Upstream-Status: Submitted [https://lists.ofono.org/pipermail/ofono/2019-May/019370.html]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- drivers/mbimmodem/mbim-private.h | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/drivers/mbimmodem/mbim-private.h b/drivers/mbimmodem/mbim-private.h
-index e159235..51693ea 100644
---- a/drivers/mbimmodem/mbim-private.h
-+++ b/drivers/mbimmodem/mbim-private.h
-@@ -21,6 +21,15 @@
- 
- #define align_len(len, boundary) (((len)+(boundary)-1) & ~((boundary)-1))
- 
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) ({     \
-+  __typeof(expression) __result;              \
-+  do {                                        \
-+    __result = (expression);                  \
-+  } while (__result == -1 && errno == EINTR); \
-+  __result; })
-+#endif
-+
- enum mbim_control_message {
-        MBIM_OPEN_MSG = 0x1,
-        MBIM_CLOSE_MSG = 0x2,
--- 
-2.21.0
-
diff --git a/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch b/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch
deleted file mode 100644
index 3655b3fd66..0000000000
--- a/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 76e4054801350ebd4a44057379431a33d460ad0f Mon Sep 17 00:00:00 2001
-From: Martin Jansa <Martin.Jansa@gmail.com>
-Date: Wed, 21 Apr 2021 11:01:34 +0000
-Subject: [PATCH] mbim: Fix build with ell-0.39 by restoring unlikely macro
- from ell/util.h
-
-Upstream-Status: Pending
-
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
----
- drivers/mbimmodem/mbim-private.h | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/mbimmodem/mbim-private.h b/drivers/mbimmodem/mbim-private.h
-index 51693eae..d917312c 100644
---- a/drivers/mbimmodem/mbim-private.h
-+++ b/drivers/mbimmodem/mbim-private.h
-@@ -30,6 +30,10 @@
-   __result; })
- #endif
- 
-+/* used to be part of ell/util.h before 0.39:
-+   https://git.kernel.org/pub/scm/libs/ell/ell.git/commit/?id=2a682421b06e41c45098217a686157f576847021 */
-+#define unlikely(x) __builtin_expect(!!(x), 0)
-+
- enum mbim_control_message {
-        MBIM_OPEN_MSG = 0x1,
-        MBIM_CLOSE_MSG = 0x2,
diff --git a/meta/recipes-connectivity/ofono/ofono_2.4.bb b/meta/recipes-connectivity/ofono/ofono_2.17.bb
index dae5cc3c25..36bbe9439a 100644
--- a/meta/recipes-connectivity/ofono/ofono_2.4.bb
+++ b/meta/recipes-connectivity/ofono/ofono_2.17.bb
@@ -4,16 +4,13 @@ HOMEPAGE = "http://www.ofono.org"
 BUGTRACKER = "https://01.org/jira/browse/OF"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
-                    file://src/ofono.h;beginline=1;endline=20;md5=3ce17d5978ef3445def265b98899c2ee"
+                    file://src/ofono.h;beginline=1;endline=6;md5=13e42133935ceecfc9bcb547f256e277"
 DEPENDS = "dbus glib-2.0 udev mobile-broadband-provider-info ell"
 
-SRC_URI = "\
-    ${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
-    file://ofono \
-    file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \
-    file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \
-"
-SRC_URI[sha256sum] = "93580adc1afd1890dc516efb069de0c5cdfef014415256ddfb28ab172df2d11d"
+SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
+           file://ofono \
+           "
+SRC_URI[sha256sum] = "70bb50997d3a7657edf133355677f8e04b2158bcb031118a67b296107f6ea73e"
 
 inherit autotools pkgconfig update-rc.d systemd gobject-introspection-data
 
@@ -30,14 +27,9 @@ PACKAGECONFIG[bluez] = "--enable-bluetooth, --disable-bluetooth, bluez5"
 
 EXTRA_OECONF += "--enable-test --enable-external-ell"
 
-do_configure:prepend() {
-    bbnote "Removing bundled ell from ${S}/ell to prevent including it"
-    rm -rf ${S}/ell
-}
-
 do_install:append() {
     install -d ${D}${sysconfdir}/init.d/
-    install -m 0755 ${WORKDIR}/ofono ${D}${sysconfdir}/init.d/ofono
+    install -m 0755 ${UNPACKDIR}/ofono ${D}${sysconfdir}/init.d/ofono
 }
 
 PACKAGES =+ "${PN}-tests"
@@ -45,7 +37,6 @@ PACKAGES =+ "${PN}-tests"
 FILES:${PN} += "${systemd_unitdir}"
 FILES:${PN}-tests = "${libdir}/${BPN}/test"
 
-RDEPENDS:${PN} += "dbus"
 RDEPENDS:${PN}-tests = "\
     python3-core \
     python3-dbus \
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
index 8763f30f4b..f424288e37 100644
--- a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -1,4 +1,4 @@
-From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001
+From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001
 From: Mikko Rapeli <mikko.rapeli@linaro.org>
 Date: Mon, 11 Sep 2023 09:55:21 +0100
 Subject: [PATCH] regress/banner.sh: log input and output files on error
@@ -37,12 +37,13 @@ See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
 Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
 
 Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
 ---
  regress/banner.sh | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/regress/banner.sh b/regress/banner.sh
-index a84feb5a..de84957a 100644
+index a84feb5..de84957 100644
 --- a/regress/banner.sh
 +++ b/regress/banner.sh
 @@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
@@ -56,6 +57,3 @@ index a84feb5a..de84957a 100644
  done
  
  trace "test suppress banner (-q)"
--- 
-2.34.1
-
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
new file mode 100644
index 0000000000..360b62af34
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
@@ -0,0 +1,35 @@
+From 9dcccafe44ea17e972e7cddea205bbe9fe71d8d6 Mon Sep 17 00:00:00 2001
+From: Jose Quaresma <jose.quaresma@foundries.io>
+Date: Mon, 15 Jul 2024 18:43:08 +0100
+Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env
+
+The SSHAGENT_BIN was changed in [1] to SSH_BIN but
+the last one don't use the absolute path and consequently
+the function increase_datafile_size can loops forever
+if the binary not found.
+
+[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818
+
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510]
+
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ regress/test-exec.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 8a00c72..2891f27 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -179,6 +179,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
+ fi
+ 
+ # Path to sshd must be absolute for rexec
++case "$SSH" in
++/*) ;;
++*) SSH=`which $SSH` ;;
++esac
++
+ case "$SSHD" in
+ /*) ;;
+ *) SSHD=`which $SSHD` ;;
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
deleted file mode 100644
index f079d936a4..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001
-From: Matt Jolly <Matt.Jolly@footclan.ninja>
-Date: Thu, 2 Feb 2023 21:05:40 +1100
-Subject: [PATCH] systemd: Add optional support for systemd `sd_notify`
-
-This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org>
-patch based on Jakub Jelen's <jjelen@redhat.com> original patch
-
-Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56]
-
-Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
----
- configure.ac | 24 ++++++++++++++++++++++++
- sshd.c       | 13 +++++++++++++
- 2 files changed, 37 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 82e8bb7..d1145d3 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS])
- AC_SUBST([K5LIBS])
- AC_SUBST([CHANNELLIBS])
- 
-+# Check whether user wants systemd support
-+SYSTEMD_MSG="no"
-+AC_ARG_WITH(systemd,
-+       [  --with-systemd          Enable systemd support],
-+       [ if test "x$withval" != "xno" ; then
-+               AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
-+               if test "$PKGCONFIG" != "no"; then
-+                       AC_MSG_CHECKING([for libsystemd])
-+                       if $PKGCONFIG --exists libsystemd; then
-+                               SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
-+                               SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
-+                               CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
-+                               SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
-+                               AC_MSG_RESULT([yes])
-+                               AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
-+                               SYSTEMD_MSG="yes"
-+                       else
-+                               AC_MSG_RESULT([no])
-+                       fi
-+               fi
-+       fi ]
-+)
-+
- # Looking for programs, paths and files
- 
- PRIVSEP_PATH=/var/empty
-@@ -5688,6 +5711,7 @@ echo "                   libldns support: $LDNS_MSG"
- echo "  Solaris process contract support: $SPC_MSG"
- echo "           Solaris project support: $SP_MSG"
- echo "         Solaris privilege support: $SPP_MSG"
-+echo "                   systemd support: $SYSTEMD_MSG"
- echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
- echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
- echo "                  BSD Auth support: $BSD_AUTH_MSG"
-diff --git a/sshd.c b/sshd.c
-index b4f2b97..6820a41 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -88,6 +88,10 @@
- #include <prot.h>
- #endif
- 
-+#ifdef HAVE_SYSTEMD
-+#include <systemd/sd-daemon.h>
-+#endif
-+
- #include "xmalloc.h"
- #include "ssh.h"
- #include "ssh2.h"
-@@ -308,6 +312,10 @@ static void
- sighup_restart(void)
- {
-        logit("Received SIGHUP; restarting.");
-+#ifdef HAVE_SYSTEMD
-+       /* Signal systemd that we are reloading */
-+       sd_notify(0, "RELOADING=1");
-+#endif
-        if (options.pid_file != NULL)
-                unlink(options.pid_file);
-        platform_pre_restart();
-@@ -2093,6 +2101,11 @@ main(int ac, char **av)
-                        }
-                }
- 
-+#ifdef HAVE_SYSTEMD
-+               /* Signal systemd that we are ready to accept connections */
-+               sd_notify(0, "READY=1");
-+#endif
-+
-                /* Accept a connection and return in a forked child */
-                server_accept_loop(&sock_in, &sock_out,
-                    &newsock, config_s);
diff --git a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
deleted file mode 100644
index b8402a4dee..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Adjust test cases to work with busybox.
-
-- Replace dd parameter "obs" with "bs".
-- Replace "head -<num>" with "head -n <num>".
-
-Signed-off-by: Maxin B. John <maxin.john@enea.com>
-Upstream-Status: Pending
-
-Index: openssh-7.6p1/regress/cipher-speed.sh
-===================================================================
---- openssh-7.6p1.orig/regress/cipher-speed.sh
-+++ openssh-7.6p1/regress/cipher-speed.sh
-@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for
-                printf "%-60s" "$c/$m:"
-                ( ${SSH} -o 'compression no' \
-                        -F $OBJ/ssh_proxy -m $m -c $c somehost \
--                       exec sh -c \'"dd of=/dev/null obs=32k"\' \
-+                       exec sh -c \'"dd of=/dev/null bs=32k"\' \
-                < ${DATA} ) 2>&1 | getbytes
- 
-                if [ $? -ne 0 ]; then
-Index: openssh-7.6p1/regress/transfer.sh
-===================================================================
---- openssh-7.6p1.orig/regress/transfer.sh
-+++ openssh-7.6p1/regress/transfer.sh
-@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY}           || fail "corrupted
- for s in 10 100 1k 32k 64k 128k 256k; do
-        trace "dd-size ${s}"
-        rm -f ${COPY}
--       dd if=$DATA obs=${s} 2> /dev/null | \
-+       dd if=$DATA bs=${s} 2> /dev/null | \
-                ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
-        if [ $? -ne 0 ]; then
-                fail "ssh cat $DATA failed"
-Index: openssh-7.6p1/regress/key-options.sh
-===================================================================
---- openssh-7.6p1.orig/regress/key-options.sh
-+++ openssh-7.6p1/regress/key-options.sh
-@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do
-        fi
- 
-        sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
--       from=`head -1 $authkeys | cut -f1 -d ' '`
-+       from=`head -n 1 $authkeys | cut -f1 -d ' '`
-        verbose "key option $from"
-        r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
-        if [ "$r" = "true" ]; then
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
deleted file mode 100644
index 20036da931..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
-From: Yuanjie Huang <yuanjie.huang@windriver.com>
-Date: Wed, 24 Aug 2016 03:15:43 +0000
-Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
-
-Pointer arithmatic results in implementation defined signed integer
-type, so that 's - src' in strlcpy and others may trigger signed overflow.
-In case of compilation by gcc or clang with -ftrapv option, the overflow
-would lead to program abort.
-
-Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
-
-Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
-
-Complete the fix
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- openbsd-compat/strlcat.c | 10 +++++++---
- openbsd-compat/strlcpy.c |  8 ++++++--
- openbsd-compat/strnlen.c |  8 ++++++--
- 3 files changed, 19 insertions(+), 7 deletions(-)
-
-diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
-index bcc1b61..124e1e3 100644
---- a/openbsd-compat/strlcat.c
-+++ b/openbsd-compat/strlcat.c
-@@ -23,6 +23,7 @@
- 
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
- 
- /*
-  * Appends src to string dst of size siz (unlike strncat, siz is the
-@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
-        /* Find the end of dst and adjust bytes left but don't go past end */
-        while (n-- != 0 && *d != '\0')
-                d++;
--       dlen = d - dst;
-+       dlen = (uintptr_t)d - (uintptr_t)dst;
-        n = siz - dlen;
- 
-        if (n == 0)
-@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
-                s++;
-        }
-        *d = '\0';
--
--       return(dlen + (s - src));       /* count does not include NUL */
-+        /*
-+        * Cast pointers to unsigned type before calculation, to avoid signed
-+        * overflow when the string ends where the MSB has changed.
-+        */
-+       return (dlen + ((uintptr_t)s - (uintptr_t)src));        /* count does not include NUL */
- }
- 
- #endif /* !HAVE_STRLCAT */
-diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
-index b4b1b60..b06f374 100644
---- a/openbsd-compat/strlcpy.c
-+++ b/openbsd-compat/strlcpy.c
-@@ -23,6 +23,7 @@
- 
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
- 
- /*
-  * Copy src to string dst of size siz.  At most siz-1 characters
-@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
-                while (*s++)
-                        ;
-        }
--
--       return(s - src - 1);    /* count does not include NUL */
-+        /*
-+        * Cast pointers to unsigned type before calculation, to avoid signed
-+        * overflow when the string ends where the MSB has changed.
-+        */
-+       return ((uintptr_t)s - (uintptr_t)src - 1);     /* count does not include NUL */
- }
- 
- #endif /* !HAVE_STRLCPY */
-diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
-index 7ad3573..7040f1f 100644
---- a/openbsd-compat/strnlen.c
-+++ b/openbsd-compat/strnlen.c
-@@ -23,6 +23,7 @@
- #include <sys/types.h>
- 
- #include <string.h>
-+#include <stdint.h>
- 
- size_t
- strnlen(const char *str, size_t maxlen)
-@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
- 
-        for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
-                ;
--
--       return (size_t)(cp - str);
-+        /*
-+        * Cast pointers to unsigned type before calculation, to avoid signed
-+        * overflow when the string ends where the MSB has changed.
-+        */
-+       return (size_t)((uintptr_t)cp - (uintptr_t)str);
- }
- #endif
--- 
-2.17.1
-
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest
index b2244d725a..c9100f9f37 100755
--- a/meta/recipes-connectivity/openssh/openssh/run-ptest
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,5 +1,6 @@
 #!/bin/sh
 
+export TEST_SSH_SSH=ssh
 export TEST_SHELL=sh
 export SKIP_UNIT=1
 
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd b/meta/recipes-connectivity/openssh/openssh/sshd
index 4882e58b48..cf675a4dad 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd
+++ b/meta/recipes-connectivity/openssh/openssh/sshd
@@ -7,4 +7,4 @@ password   include      common-password
 session    optional     pam_keyinit.so force revoke
 session    include      common-session
 session    required     pam_loginuid.so
-
+session    required     pam_env.so
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service
index 2a997b656a..c71fff1cc1 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -2,13 +2,14 @@
 Description=OpenSSH server daemon
 Wants=sshdgenkeys.service
 After=sshdgenkeys.service
+After=nss-user-lookup.target
 
 [Service]
+Type=notify-reload
 Environment="SSHD_OPTS="
 EnvironmentFile=-/etc/default/ssh
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
 ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
 RestartSec=42s
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 8d76d62309..7dd2ed0626 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,6 +1,7 @@
 [Unit]
 Conflicts=sshd.service
 Wants=sshdgenkeys.service
+After=nss-user-lookup.target
 
 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index 606d1894b5..bbb6a14908 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -8,7 +8,7 @@ generate_key() {
     mkdir -p "$DIR"
     rm -f ${FILE}.tmp
     ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
-
+    chmod go-rwx "$FILE.tmp"
     # Atomically rename file public key
     mv -f "${FILE}.tmp.pub" "${FILE}.pub"
 
diff --git a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
index d1468c59fc..a044aec063 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
@@ -6,12 +6,12 @@ and for executing commands on a remote machine."
 HOMEPAGE = "http://www.openssh.com/"
 SECTION = "console/network"
 LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT"
-LIC_FILES_CHKSUM = "file://LICENCE;md5=072979064e691d342002f43cd89c0394"
+LIC_FILES_CHKSUM = "file://LICENCE;md5=78ffb36e5a48c0d8c5648603a3b6c8eb"
 
 DEPENDS = "zlib openssl virtual/crypt"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
-SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
+SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
            file://sshd_config \
            file://ssh_config \
            file://init \
@@ -22,13 +22,11 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://sshdgenkeys.service \
            file://volatiles.99_sshd \
            file://run-ptest \
-           file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
            file://sshd_check_keys \
-           file://add-test-support-for-busybox.patch \
            file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
-           file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \
+           file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
            "
-SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd"
+SRC_URI[sha256sum] = "021a2e709a0edf4250b1256bd5a9e500411a90dddabea830ed59cef90eb9d85c"
 
 CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
@@ -38,6 +36,7 @@ CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to Op
 Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
 
 CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
+CVE_STATUS[CVE-2023-51767] = "upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1."
 
 PAM_SRC_URI = "file://sshd"
 
@@ -53,11 +52,10 @@ SYSTEMD_PACKAGES = "${PN}-sshd"
 SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
 
 inherit autotools-brokensep ptest pkgconfig
-DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
 # systemd-sshd-socket-mode means installing sshd.socket
 # and systemd-sshd-service-mode corresponding to sshd.service
-PACKAGECONFIG ??= "systemd-sshd-socket-mode"
+PACKAGECONFIG ??= "systemd-sshd-socket-mode hostkey-ecdsa"
 PACKAGECONFIG[fido2] = "--with-security-key-builtin,--disable-security-key,libfido2"
 PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
 PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
@@ -65,6 +63,9 @@ PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
 PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
 PACKAGECONFIG[systemd-sshd-socket-mode] = ""
 PACKAGECONFIG[systemd-sshd-service-mode] = ""
+PACKAGECONFIG[hostkey-rsa] = ""
+PACKAGECONFIG[hostkey-ecdsa] = ""
+PACKAGECONFIG[hostkey-ed25519] = ""
 
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
@@ -76,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
                 --sysconfdir=${sysconfdir}/ssh \
                 --with-xauth=${bindir}/xauth \
                 --disable-strip \
-                ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \
                 "
 
 # musl doesn't implement wtmp/utmp and logwtmp
@@ -102,17 +102,42 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
 
 do_configure:prepend () {
         export LD="${CC}"
-        install -m 0644 ${WORKDIR}/sshd_config ${B}/
-        install -m 0644 ${WORKDIR}/ssh_config ${B}/
+        install -m 0644 ${UNPACKDIR}/sshd_config ${B}/
+        install -m 0644 ${UNPACKDIR}/ssh_config ${B}/
 }
 
 do_compile_ptest() {
         oe_runmake regress-binaries regress-unit-binaries
 }
 
+sshd_hostkey_setup() {
+        # Enable specific ssh host keys
+        sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+                echo "HostKey /etc/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+                echo "HostKey /etc/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+                echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config
+        fi
+
+        sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+                echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+                echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+                echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        fi
+}
+
 do_install:append () {
         if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
-                install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
+                install -D -m 0644 ${UNPACKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
                 sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
         fi
 
@@ -121,25 +146,21 @@ do_install:append () {
         fi
 
         install -d ${D}${sysconfdir}/init.d
-        install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
+        install -m 0755 ${UNPACKDIR}/init ${D}${sysconfdir}/init.d/sshd
         rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
         rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
         install -d ${D}/${sysconfdir}/default/volatiles
-        install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
+        install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
         install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
 
         # Create config files for read-only rootfs
         install -d ${D}${sysconfdir}/ssh
         install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
-        sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
-        echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
-        echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
-        echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 
         install -d ${D}${systemd_system_unitdir}
         if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
-            install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir}
-            install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir}
+            install -c -m 0644 ${UNPACKDIR}/sshd.socket ${D}${systemd_system_unitdir}
+            install -c -m 0644 ${UNPACKDIR}/sshd@.service ${D}${systemd_system_unitdir}
             sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
                     -e 's,@SBINDIR@,${sbindir},g' \
                     -e 's,@BINDIR@,${bindir},g' \
@@ -147,9 +168,9 @@ do_install:append () {
             ${D}${systemd_system_unitdir}/sshd.socket
         fi
         if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','true','false',d)}; then
-            install -c -m 0644 ${WORKDIR}/sshd.service ${D}${systemd_system_unitdir}
+            install -c -m 0644 ${UNPACKDIR}/sshd.service ${D}${systemd_system_unitdir}
         fi
-        install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
+        install -c -m 0644 ${UNPACKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
         sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
                 -e 's,@SBINDIR@,${sbindir},g' \
                 -e 's,@BINDIR@,${bindir},g' \
@@ -159,7 +180,8 @@ do_install:append () {
         sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
                 ${D}${sysconfdir}/init.d/sshd
 
-        install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
+        install -D -m 0755 ${UNPACKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
+        sshd_hostkey_setup
 }
 
 do_install_ptest () {
@@ -173,9 +195,9 @@ ALLOW_EMPTY:${PN} = "1"
 PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
 FILES:${PN}-scp = "${bindir}/scp.${BPN}"
 FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
-FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
+FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
 FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
-FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
+FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys ${libexecdir}/sshd-auth"
 FILES:${PN}-sftp = "${bindir}/sftp"
 FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
index 6f23490c87..71d378734c 100644
--- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1,5 +1,24 @@
-export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
-export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
-export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
+export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/openssl.cnf"
 export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
 export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES"
+
+# Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools
+# CAFILE/CAPATH is auto-deteced when source buildtools
+if [ -z "$SSL_CERT_FILE" ]; then
+        if [ -n "$CAFILE" ];then
+                export SSL_CERT_FILE="$CAFILE"
+        elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+                export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt"
+        fi
+fi
+
+if [ -z "$SSL_CERT_DIR" ]; then
+        if [ -n "$CAPATH" ];then
+                export SSL_CERT_DIR="$CAPATH"
+        elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+                export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs"
+        fi
+fi
+
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} SSL_CERT_DIR SSL_CERT_FILE"
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
index aa2e5bb800..5b7365a353 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -7,26 +7,19 @@ Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
 
 Signed-off-by: William Lyu <William.Lyu@windriver.com>
 ---
- test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++----------
+ test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++----------
  test/helpers/handshake.h |  70 +++++++++++++++++++-
  test/ssl_test.c          |  44 +++++++++++++
- 3 files changed, 218 insertions(+), 35 deletions(-)
+ 3 files changed, 217 insertions(+), 34 deletions(-)
 
 diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
-index e0422469e4..ae2ad59dd4 100644
+index f611b3a..5703b48 100644
 --- a/test/helpers/handshake.c
 +++ b/test/helpers/handshake.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -24,6 +24,102 @@
+@@ -25,6 +25,102 @@
  #include <netinet/sctp.h>
  #endif
-
+ 
 +/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
 +/* Maps string names to various enumeration type */
 +typedef struct {
@@ -126,10 +119,10 @@ index e0422469e4..ae2ad59dd4 100644
  HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
  {
      HANDSHAKE_RESULT *ret;
-@@ -719,15 +815,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
+@@ -726,15 +822,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
          SSL_set_post_handshake_auth(client, 1);
  }
-
+ 
 -/* The status for each connection phase. */
 -typedef enum {
 -    PEER_SUCCESS,
@@ -142,10 +135,10 @@ index e0422469e4..ae2ad59dd4 100644
  /* An SSL object and associated read-write buffers. */
  typedef struct peer_st {
      SSL *ssl;
-@@ -1074,17 +1161,6 @@ static void do_shutdown_step(PEER *peer)
+@@ -1081,17 +1168,6 @@ static void do_shutdown_step(PEER *peer)
      }
  }
-
+ 
 -typedef enum {
 -    HANDSHAKE,
 -    RENEG_APPLICATION_DATA,
@@ -160,10 +153,10 @@ index e0422469e4..ae2ad59dd4 100644
  static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
  {
      switch (test_ctx->handshake_mode) {
-@@ -1162,19 +1238,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
+@@ -1169,19 +1245,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
      }
  }
-
+ 
 -typedef enum {
 -    /* Both parties succeeded. */
 -    HANDSHAKE_SUCCESS,
@@ -180,10 +173,10 @@ index e0422469e4..ae2ad59dd4 100644
  /*
   * Determine the handshake outcome.
   * last_status: the status of the peer to have acted last.
-@@ -1539,6 +1602,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
-
+@@ -1546,6 +1609,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+ 
      start = time(NULL);
-
+ 
 +    save_loop_history(&(ret->history),
 +                      phase, status, server.status, client.status,
 +                      client_turn_count, client_turn);
@@ -191,10 +184,10 @@ index e0422469e4..ae2ad59dd4 100644
      /*
       * Half-duplex handshake loop.
       * Client and server speak to each other synchronously in the same process.
-@@ -1560,6 +1627,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+@@ -1567,6 +1634,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
                                        0 /* server went last */);
          }
-
+ 
 +        save_loop_history(&(ret->history),
 +                          phase, status, server.status, client.status,
 +                          client_turn_count, client_turn);
@@ -203,7 +196,7 @@ index e0422469e4..ae2ad59dd4 100644
          case HANDSHAKE_SUCCESS:
              client_turn_count = 0;
 diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
-index 78b03f9f4b..b9967c2623 100644
+index 78b03f9..b9967c2 100644
 --- a/test/helpers/handshake.h
 +++ b/test/helpers/handshake.h
 @@ -1,5 +1,5 @@
@@ -214,9 +207,9 @@ index 78b03f9f4b..b9967c2623 100644
   * Licensed under the Apache License 2.0 (the "License").  You may not use
   * this file except in compliance with the License.  You can obtain a copy
 @@ -12,6 +12,11 @@
-
+ 
  #include "ssl_test_ctx.h"
-
+ 
 +#define MAX_HANDSHAKE_HISTORY_ENTRY_BIT 4
 +#define MAX_HANDSHAKE_HISTORY_ENTRY (1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT)
 +#define MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK \
@@ -228,7 +221,7 @@ index 78b03f9f4b..b9967c2623 100644
 @@ -22,6 +27,63 @@ typedef struct ctx_data_st {
      char *session_ticket_app_data;
  } CTX_DATA;
-
+ 
 +typedef enum {
 +    HANDSHAKE,
 +    RENEG_APPLICATION_DATA,
@@ -296,25 +289,25 @@ index 78b03f9f4b..b9967c2623 100644
 +    /* handshake loop history */
 +    HANDSHAKE_HISTORY history;
  } HANDSHAKE_RESULT;
-
+ 
  HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
 @@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
                                      CTX_DATA *server2_ctx_data,
                                      CTX_DATA *client_ctx_data);
-
+ 
 +const char *handshake_connect_phase_name(connect_phase_t phase);
 +const char *handshake_status_name(handshake_status_t handshake_status);
 +const char *handshake_peer_status_name(peer_status_t peer_status);
 +
  #endif  /* OSSL_TEST_HANDSHAKE_HELPER_H */
 diff --git a/test/ssl_test.c b/test/ssl_test.c
-index ea608518f9..9d6b093c81 100644
+index ea60851..9d6b093 100644
 --- a/test/ssl_test.c
 +++ b/test/ssl_test.c
 @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
  /* Currently the section names are of the form test-<number>, e.g. test-15. */
  #define MAX_TESTCASE_NAME_LENGTH 100
-
+ 
 +static void print_handshake_history(const HANDSHAKE_HISTORY *history)
 +{
 +    size_t first_idx;
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
index 502a7aaf32..7043188973 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -17,10 +17,10 @@ Signed-off-by: Tim Orling <tim.orling@konsulko.com>
  1 file changed, 10 deletions(-)
 
 diff --git a/Configure b/Configure
-index 4569952..adf019b 100755
+index fff97bd..5ee54c1 100755
 --- a/Configure
 +++ b/Configure
-@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+@@ -1551,16 +1551,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
          push @{$config{shared_ldflag}}, "-mno-cygwin";
          }
  
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index bafdbaa46f..687d682976 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -30,23 +30,26 @@ Update to fix buildpaths qa issue for '-ffile-prefix-map'.
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 
 ---
- Configurations/unix-Makefile.tmpl | 12 +++++++++++-
+ Configurations/unix-Makefile.tmpl | 16 +++++++++++++++-
  crypto/build.info                 |  2 +-
- 2 files changed, 12 insertions(+), 2 deletions(-)
+ 2 files changed, 16 insertions(+), 2 deletions(-)
 
-Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
-===================================================================
---- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl
-+++ openssl-3.0.4/Configurations/unix-Makefile.tmpl
-@@ -472,13 +472,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 09303c4..011bda1 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -502,13 +502,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
                           '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
  BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
  
 -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h
 +# *_Q variables are used for one thing only: to build up buildinf.h
  CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g;
++              $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g;
                $cppflags2 =~ s|([\\"])|\\$1|g;
++              $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g;
                $lib_cppflags =~ s|([\\"])|\\$1|g;
++              $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g;
                join(' ', $lib_cppflags || (), $cppflags2 || (),
                          $cppflags1 || ()) -}
  
@@ -54,6 +57,7 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
 +              s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
 +              s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
 +              s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
++              s|-isystem/[^ ]+/usr/include ||g;
 +            }
 +            join(' ', @{$config{CFLAGS}}) -}
 +
@@ -63,11 +67,11 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
  PERLASM_SCHEME= {- $target{perlasm_scheme} -}
  
  # For x86 assembler: Set PROCESSOR to 386 if you want to support
-Index: openssl-3.0.4/crypto/build.info
-===================================================================
---- openssl-3.0.4.orig/crypto/build.info
-+++ openssl-3.0.4/crypto/build.info
-@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
+diff --git a/crypto/build.info b/crypto/build.info
+index aee5c46..95c9577 100644
+--- a/crypto/build.info
++++ b/crypto/build.info
+@@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
  
  DEPEND[info.o]=buildinf.h
  DEPEND[cversion.o]=buildinf.h
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
deleted file mode 100644
index 8772f716d5..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From e9d7083e241670332e0443da0f0d4ffb52829f08 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 5 Mar 2024 15:43:53 +0000
-Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
-
-In TLSv1.3 we create a new session object for each ticket that we send.
-We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
-use then the new session will be added to the session cache. However, if
-early data is not in use (and therefore anti-replay protection is being
-used), then multiple threads could be resuming from the same session
-simultaneously. If this happens and a problem occurs on one of the threads,
-then the original session object could be marked as not_resumable. When we
-duplicate the session object this not_resumable status gets copied into the
-new session object. The new session object is then added to the session
-cache even though it is not_resumable.
-
-Subsequently, another bug means that the session_id_length is set to 0 for
-sessions that are marked as not_resumable - even though that session is
-still in the cache. Once this happens the session can never be removed from
-the cache. When that object gets to be the session cache tail object the
-cache never shrinks again and grows indefinitely.
-
-CVE-2024-2511
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24043)
-
-CVE: CVE-2024-2511
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- ssl/ssl_lib.c            |  5 +++--
- ssl/ssl_sess.c           | 28 ++++++++++++++++++++++------
- ssl/statem/statem_srvr.c |  5 ++---
- 3 files changed, 27 insertions(+), 11 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 4afb43bc86e54..c51529ddab5bb 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -4457,9 +4457,10 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode)
- 
-     /*
-      * If the session_id_length is 0, we are not supposed to cache it, and it
--     * would be rather hard to do anyway :-)
-+     * would be rather hard to do anyway :-). Also if the session has already
-+     * been marked as not_resumable we should not cache it for later reuse.
-      */
--    if (s->session->session_id_length == 0)
-+    if (s->session->session_id_length == 0 || s->session->not_resumable)
-         return;
- 
-     /*
-diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
-index 3dcc4d81e5bc6..1fa6d17c46863 100644
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -127,16 +127,11 @@ SSL_SESSION *SSL_SESSION_new(void)
-     return ss;
- }
- 
--SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
--{
--    return ssl_session_dup(src, 1);
--}
--
- /*
-  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
-  * ticket == 0 then no ticket information is duplicated, otherwise it is.
-  */
--SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
- {
-     SSL_SESSION *dest;
- 
-@@ -265,6 +260,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-     return NULL;
- }
- 
-+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-+{
-+    return ssl_session_dup_intern(src, 1);
-+}
-+
-+/*
-+ * Used internally when duplicating a session which might be already shared.
-+ * We will have resumed the original session. Subsequently we might have marked
-+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
-+ * resume from.
-+ */
-+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+{
-+    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
-+
-+    if (sess != NULL)
-+        sess->not_resumable = 0;
-+
-+    return sess;
-+}
-+
- const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
- {
-     if (len)
-diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
-index 853af8c0aa9f9..d5f0ab091dacc 100644
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -2445,9 +2445,8 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
-      * so the following won't overwrite an ID that we're supposed
-      * to send back.
-      */
--    if (s->session->not_resumable ||
--        (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
--         && !s->hit))
-+    if (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
-+            && !s->hit)
-         s->session->session_id_length = 0;
- 
-     if (usetls13) {
diff --git a/meta/recipes-connectivity/openssl/openssl/bti.patch b/meta/recipes-connectivity/openssl/openssl/bti.patch
deleted file mode 100644
index 748576c30c..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/bti.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From ba8a599395f8b770c76316b5f5b0f3838567014f Mon Sep 17 00:00:00 2001
-From: Tom Cosgrove <tom.cosgrove@arm.com>
-Date: Tue, 26 Mar 2024 13:18:00 +0000
-Subject: [PATCH] aarch64: fix BTI in bsaes assembly code
-
-In Arm systems where BTI is enabled but the Crypto extensions are not (more
-likely in FVPs than in real hardware), the bit-sliced assembler code will
-be used. However, this wasn't annotated with BTI instructions when BTI was
-enabled, so the moment libssl jumps into this code it (correctly) aborts.
-
-Solve this by adding the missing BTI landing pads.
-
-Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/23982]
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- crypto/aes/asm/bsaes-armv8.pl | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl
-index b3c97e439f..c3c5ff3e05 100644
---- a/crypto/aes/asm/bsaes-armv8.pl
-+++ b/crypto/aes/asm/bsaes-armv8.pl
-@@ -1018,6 +1018,7 @@ _bsaes_key_convert:
- //   Initialisation vector overwritten with last quadword of ciphertext
- //   No output registers, usual AAPCS64 register preservation
- ossl_bsaes_cbc_encrypt:
-+        AARCH64_VALID_CALL_TARGET
-         cmp     x2, #128
-         bhs     .Lcbc_do_bsaes
-         b       AES_cbc_encrypt
-@@ -1270,7 +1271,7 @@ ossl_bsaes_cbc_encrypt:
- //   Output text filled in
- //   No output registers, usual AAPCS64 register preservation
- ossl_bsaes_ctr32_encrypt_blocks:
--
-+        AARCH64_VALID_CALL_TARGET
-         cmp     x2, #8                      // use plain AES for
-         blo     .Lctr_enc_short             // small sizes
- 
-@@ -1476,6 +1477,7 @@ ossl_bsaes_ctr32_encrypt_blocks:
- //   Output ciphertext filled in
- //   No output registers, usual AAPCS64 register preservation
- ossl_bsaes_xts_encrypt:
-+        AARCH64_VALID_CALL_TARGET
-         // Stack layout:
-         // sp ->
-         //        nrounds*128-96 bytes: key schedule
-@@ -1921,6 +1923,7 @@ ossl_bsaes_xts_encrypt:
- //   Output plaintext filled in
- //   No output registers, usual AAPCS64 register preservation
- ossl_bsaes_xts_decrypt:
-+        AARCH64_VALID_CALL_TARGET
-         // Stack layout:
-         // sp ->
-         //        nrounds*128-96 bytes: key schedule
--- 
-2.34.1
-
diff --git a/meta/recipes-connectivity/openssl/openssl/run-ptest b/meta/recipes-connectivity/openssl/openssl/run-ptest
index c89ec5afa1..cd29bb1446 100644
--- a/meta/recipes-connectivity/openssl/openssl/run-ptest
+++ b/meta/recipes-connectivity/openssl/openssl/run-ptest
@@ -1,12 +1,19 @@
 #!/bin/sh
 
-set -e
+set -eu
 
-# Optional arguments are 'list' to lists all tests, or the test name (base name
-# ie test_evp, not 03_test_evp.t).
+# Optional arguments are 'list' to lists the tests, or the test name (base name
+# ie test_evp, not 03_test_evp.t). Without any arguments we run all tests.
+
+if test $# -gt 0; then
+    TESTS=$*
+else
+    # Skip test_symbol_presence as this is for developers
+    TESTS="alltests -test_symbol_presence"
+fi
 
 export TOP=.
-# OPENSSL_ENGINES is relative from the test binaries
-export OPENSSL_ENGINES=../engines
+# Run four jobs in parallel
+export HARNESS_JOBS=4
 
-{ HARNESS_JOBS=4 perl ./test/run_tests.pl $* || echo "FAIL: openssl" ; } | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g'
+{ perl ./test/run_tests.pl $TESTS || echo "FAIL: openssl" ; } | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g'
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
index d37b68abbb..0f5c28dafa 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
@@ -12,15 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
            file://0001-Added-handshake-history-reporting-when-test-fails.patch \
-           file://bti.patch \
-           file://CVE-2024-2511.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39"
+SRC_URI[sha256sum] = "344d0a79f1a9b08029b0744e2cc401a43f9c90acd1044d09a530b4885a8e9fc0"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -33,10 +31,13 @@ PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,crypt
 PACKAGECONFIG[no-tls1] = "no-tls1"
 PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
 PACKAGECONFIG[manpages] = ""
+PACKAGECONFIG[fips] = "enable-fips"
 
 B = "${WORKDIR}/build"
 do_configure[cleandirs] = "${B}"
 
+EXTRA_OECONF = "${@bb.utils.contains('PTEST_ENABLED', '1', '', 'no-tests', d)}"
+
 #| ./libcrypto.so: undefined reference to `getcontext'
 #| ./libcrypto.so: undefined reference to `setcontext'
 #| ./libcrypto.so: undefined reference to `makecontext'
@@ -45,12 +46,15 @@ EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
 
 # adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
 # (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
-EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
-EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
+EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom"
+EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom"
 
 # Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
-CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+EXTRA_OEMAKE:append:task-compile:class-native = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
+EXTRA_OEMAKE:append:task-compile:class-nativesdk = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
+
+#| threads_pthread.c:(.text+0x372): undefined reference to `__atomic_is_lock_free'
+EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"
 
 # This allows disabling deprecated or undesirable crypto algorithms.
 # The default is to trust upstream choices.
@@ -137,21 +141,26 @@ do_configure () {
                 ;;
         esac
 
-        useprefix=${prefix}
-        if [ "x$useprefix" = "x" ]; then
-                useprefix=/
-        fi
         # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
         # environment variables set by bitbake. Adjust the environment variables instead.
         PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
         test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
         HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
-        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
+        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target
         perl ${B}/configdata.pm --dump
 }
 
+do_compile:append () {
+        # The test suite binaries are large and we don't need the debugging in them
+        if test -d ${B}/test; then
+                find ${B}/test -type f -executable -exec ${STRIP} {} \;
+        fi
+}
+
 do_install () {
-        oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)}
+        oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \
+            ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \
+            ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)}
 
         oe_multilib_header openssl/opensslconf.h
         oe_multilib_header openssl/configuration.h
@@ -169,63 +178,72 @@ do_install () {
         ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
         ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
         ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+
+        # Generate fipsmodule.cnf in pkg_postinst_ontarget
+        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+                rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
+        fi
 }
 
 do_install:append:class-native () {
         create_wrapper ${D}${bindir}/openssl \
-            OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
-            SSL_CERT_DIR=${libdir}/ssl-3/certs \
-            SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
-            OPENSSL_ENGINES=${libdir}/engines-3 \
-            OPENSSL_MODULES=${libdir}/ossl-modules
+            OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
+            SSL_CERT_DIR=\${SSL_CERT_DIR:-${libdir}/ssl-3/certs} \
+            SSL_CERT_FILE=\${SSL_CERT_FILE:-${libdir}/ssl-3/cert.pem} \
+            OPENSSL_ENGINES=\${OPENSSL_ENGINES:-${libdir}/engines-3} \
+            OPENSSL_MODULES=\${OPENSSL_MODULES:-${libdir}/ossl-modules}
 }
 
 do_install:append:class-nativesdk () {
         mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
-        install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
-        sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+        install -m 644 ${UNPACKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
 }
 
 PTEST_BUILD_HOST_FILES += "configdata.pm"
 PTEST_BUILD_HOST_PATTERN = "perl_version ="
-do_install_ptest () {
-        install -d ${D}${PTEST_PATH}/test
-        install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
-        install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test
-        install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
-
-        # Prune the build tree
-        rm -f ${B}/fuzz/*.* ${B}/test/*.*
-
-        cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
-        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm
-        cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
-
-        # For test_shlibload
-        ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
-        ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
+do_install_ptest() {
+        install -m644 ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
+        cp -rf ${S}/Configurations ${S}/external ${D}${PTEST_PATH}/
 
         install -d ${D}${PTEST_PATH}/apps
         ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
-        install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
-        install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
-
-        install -d ${D}${PTEST_PATH}/engines
-        install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
-        install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
-        install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
 
-        install -d ${D}${PTEST_PATH}/providers
-        install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
+        cd ${S}
+        find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.der -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find util -name \*.p[lm] -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+
+        cd ${B}
+        # Everything but .? (.o and .d)
+        find test -type f -name \*[^.]? -exec install -m755 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.srl -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        install -m755 ${B}/util/*wrap.* ${D}${PTEST_PATH}/util/
+
+        install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps/
+        install -m755 ${S}/test/*.pl ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/shibboleth.pfx ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/*.bin ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/dane*.in ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/smcont*.txt ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/ssl_test.tmpl ${D}${PTEST_PATH}/test/
+
+        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm ${D}${PTEST_PATH}/util/wrap.pl
 
-        install -d ${D}${PTEST_PATH}/Configurations
-        cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
-
-        # seems to be needed with perl 5.32.1
-        install -d ${D}${PTEST_PATH}/util/perl/recipes
-        cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
+        install -d ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines/
+        install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines/
+        ln -s ${libdir}/engines-3/loader_attic.so ${D}${PTEST_PATH}/engines/
+        ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers
+}
 
-        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl
+pkg_postinst_ontarget:${PN}-ossl-module-fips () {
+        if test -f ${libdir}/ossl-modules/fips.so; then
+                ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
+        fi
 }
 
 # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
@@ -233,7 +251,7 @@ do_install_ptest () {
 # file to be installed for both the openssl-bin package and the libcrypto
 # package since the openssl-bin package depends on the libcrypto package.
 
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
 
 FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
 FILES:libssl = "${libdir}/libssl${SOLIBS}"
@@ -245,6 +263,7 @@ FILES:${PN}-engines = "${libdir}/engines-3"
 FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
 FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
 FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so"
 FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
 FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
 
@@ -252,13 +271,13 @@ CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 
 RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
 RDEPENDS:${PN}-misc = "perl"
-RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"
+RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines openssl-ossl-module-legacy"
 
 RDEPENDS:${PN}-bin += "openssl-conf"
 
+# The test suite is installed stripped
+INSANE_SKIP:${PN} = "already-stripped"
+
 BBCLASSEXTEND = "native nativesdk"
 
 CVE_PRODUCT = "openssl:openssl"
-
-CVE_VERSION_SUFFIX = "alphabetical"
-
diff --git a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
index 099c58bfc7..5c9c8219d7 100644
--- a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
+++ b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
@@ -11,14 +11,14 @@ SRC_URI = "file://host-peer \
 
 inherit allarch useradd
 
-S = "${WORKDIR}"
+S = "${UNPACKDIR}"
 
 do_install() {
         install -d ${D}${sysconfdir}/ppp/peers
-        install -m 0644 ${WORKDIR}/host-peer ${D}${sysconfdir}/ppp/peers/host
+        install -m 0644 ${S}/host-peer ${D}${sysconfdir}/ppp/peers/host
 
         install -d ${D}${sbindir}
-        install -m 0755 ${WORKDIR}/ppp-dialin ${D}${sbindir}
+        install -m 0755 ${S}/ppp-dialin ${D}${sbindir}
 }
 
 USERADD_PACKAGES = "${PN}"
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch
new file mode 100644
index 0000000000..a00706c184
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch
@@ -0,0 +1,98 @@
+From a6eb65162db5bcc5ec26cff7361885c0a44cbbfa Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 17 Mar 2025 11:12:07 +0100
+Subject: [PATCH] pppd/pppdconf.h: remove erroneous generated header
+
+Upstream-Status: Inappropriate [tarball generation issue tracked at https://github.com/ppp-project/ppp/issues/541]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ pppd/pppdconf.h | 80 -------------------------------------------------
+ 1 file changed, 80 deletions(-)
+ delete mode 100644 pppd/pppdconf.h
+
+diff --git a/pppd/pppdconf.h b/pppd/pppdconf.h
+deleted file mode 100644
+index 51a8f02..0000000
+--- a/pppd/pppdconf.h
++++ /dev/null
+@@ -1,80 +0,0 @@
+-/* pppd/pppdconf.h.  Generated from pppdconf.h.in by configure.  */
+-/* 
+- * Copyright (c) 2022 Eivind Næss. All rights reserved.
+- *
+- * Redistribution and use in source and binary forms, with or without
+- * modification, are permitted provided that the following conditions
+- * are met:
+- *
+- * 1. Redistributions of source code must retain the above copyright
+- *    notice, this list of conditions and the following disclaimer.
+- *
+- * 2. Redistributions in binary form must reproduce the above copyright
+- *    notice, this list of conditions and the following disclaimer in
+- *    the documentation and/or other materials provided with the
+- *    distribution.
+- *
+- * 3. The name(s) of the authors of this software must not be used to
+- *    endorse or promote products derived from this software without
+- *    prior written permission.
+- *
+- * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
+- * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+- * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
+- * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+- * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+- */
+-
+-/*
+- * This file is generated by configure and sets the features enabled
+- *   in pppd when configured.
+- */
+-
+-#ifndef PPP_PPPDCONF_H
+-#define PPP_PPPDCONF_H
+-
+-/* Have Microsoft CHAP support */
+-#define PPP_WITH_CHAPMS 1
+-
+-/* Have Microsoft LAN Manager support */
+-/* #undef PPP_WITH_MSLANMAN */
+-
+-/* Have Microsoft MPPE support */
+-#define PPP_WITH_MPPE 1
+-
+-/* Have multilink support */
+-#define PPP_WITH_MULTILINK 1
+-
+-/* Have packet activity filter support */
+-#define PPP_WITH_FILTER 1
+-
+-/* Have support for loadable plugins */
+-#define PPP_WITH_PLUGINS 1
+-
+-/* Have Callback Protocol support */
+-/* #undef PPP_WITH_CBCP */
+-
+-/* Include TDB support */
+-#define PPP_WITH_TDB 1
+-
+-/* Have IPv6 Control Protocol */
+-#define PPP_WITH_IPV6CP 1
+-
+-/* Support for Pluggable Authentication Modules */
+-/* #undef PPP_WITH_PAM */
+-
+-/* Have EAP-SRP authentication support */
+-/* #undef PPP_WITH_SRP */
+-
+-/* Have EAP-TLS authentication support */
+-#define PPP_WITH_EAPTLS 1
+-
+-/* Have PEAP authentication support */
+-#define PPP_WITH_PEAP 1
+-
+-/* The pppd version */
+-#define PPPD_VERSION "2.5.2"
+-
+-#endif
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-session-Fixed-building-with-GCC-15.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-session-Fixed-building-with-GCC-15.patch
new file mode 100644
index 0000000000..d95c72e96b
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppd-session-Fixed-building-with-GCC-15.patch
@@ -0,0 +1,33 @@
+From 5edcb01f1d8d521c819d45df1f1bb87697252130 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 17 Mar 2025 14:38:26 -0700
+Subject: [PATCH] pppd/session: Fixed building with GCC 15
+
+Fixed building with GCC 15 which defaults to C23
+and find conflicting declration of getspnam() here
+with the one provided by shadow.h (extern struct spwd *getspnam (const char *__name);)
+
+Fixes
+../../ppp-2.5.2/pppd/session.c: In function 'session_start':
+../../ppp-2.5.2/pppd/session.c:185:18: error: conflicting types for 'getspnam'; have 'struct spwd *(void)'
+  185 |     struct spwd *getspnam();
+      |                  ^~~~~~~~
+
+Upstream-Status: Submitted [https://github.com/ppp-project/ppp/pull/553]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ pppd/session.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/pppd/session.c b/pppd/session.c
+index f08d8e1..9cc7538 100644
+--- a/pppd/session.c
++++ b/pppd/session.c
+@@ -182,7 +182,6 @@ session_start(const int flags, const char *user, const char *passwd, const char
+     char *cbuf;
+ #ifdef HAVE_SHADOW_H
+     struct spwd *spwd;
+-    struct spwd *getspnam();
+     long now = 0;
+ #endif /* #ifdef HAVE_SHADOW_H */
+ #endif /* #ifdef PPP_WITH_PAM */
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppdump-Fixed-building-with-GCC-15-548.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppdump-Fixed-building-with-GCC-15-548.patch
new file mode 100644
index 0000000000..2a3b3cc84a
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppdump-Fixed-building-with-GCC-15-548.patch
@@ -0,0 +1,75 @@
+From 44a766a3d086f10cb584a0c423e5bed6af2e3615 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
+Date: Thu, 27 Feb 2025 23:00:16 +0100
+Subject: [PATCH] pppdump: Fixed building with GCC 15 (#548)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+GCC 15 defaults to C23 which does not allow K&R declarations.
+
+Credit Yaakov Selkowitz in:
+https://src.fedoraproject.org/rpms/ppp/pull-request/12
+
+Upstream-Status: Backport [https://github.com/ppp-project/ppp/pull/548]
+
+Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ pppdump/pppdump.c | 20 +++++++-------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
+index c24208a..1534036 100644
+--- a/pppdump/pppdump.c
++++ b/pppdump/pppdump.c
+@@ -42,14 +42,12 @@ int tot_sent, tot_rcvd;
+ extern int optind;
+ extern char *optarg;
+ 
+-void dumplog();
+-void dumpppp();
+-void show_time();
++void dumplog(FILE *);
++void dumpppp(FILE *);
++void show_time(FILE *, int);
+ 
+ int
+-main(ac, av)
+-    int ac;
+-    char **av;
++main(int ac, char **av)
+ {
+     int i;
+     char *p;
+@@ -97,8 +95,7 @@ main(ac, av)
+ }
+ 
+ void
+-dumplog(f)
+-    FILE *f;
++dumplog(FILE *f)
+ {
+     int c, n, k, col;
+     int nb, c2;
+@@ -241,8 +238,7 @@ struct pkt {
+ unsigned char dbuf[8192];
+ 
+ void
+-dumpppp(f)
+-    FILE *f;
++dumpppp(FILE *f)
+ {
+     int c, n, k;
+     int nb, nl, dn, proto, rv;
+@@ -375,9 +371,7 @@ dumpppp(f)
+ }
+ 
+ void
+-show_time(f, c)
+-    FILE *f;
+-    int c;
++show_time(FILE *f, int c)
+ {
+     time_t t;
+     int n;
diff --git a/meta/recipes-connectivity/ppp/ppp_2.5.0.bb b/meta/recipes-connectivity/ppp/ppp_2.5.2.bb
index 4b052f8ed9..607678db8b 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.5.0.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.5.2.bb
@@ -4,12 +4,12 @@ the Point-to-Point Protocol (PPP) on Linux and Solaris systems."
 SECTION = "console/network"
 HOMEPAGE = "http://samba.org/ppp/"
 BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs"
-DEPENDS = "libpcap openssl virtual/crypt"
-LICENSE = "BSD-3-Clause & BSD-3-Clause-Attribution & GPL-2.0-or-later & LGPL-2.0-or-later & PD"
-LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \
-                    file://pppd/plugins/passprompt.c;beginline=1;endline=10;md5=3bcbcdbf0e369c9a3e0b8c8275b065d8 \
+DEPENDS = "libpcap virtual/crypt"
+LICENSE = "BSD-2-Clause & GPL-2.0-or-later & LGPL-2.0-or-later & PD & RSA-MD & MIT"
+LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=25;md5=f0463bd67ae70535c709fca554089bd8 \
                     file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \
-                    file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2"
+                    file://chat/chat.c;beginline=1;endline=1;md5=234d7d4edd08962c0144e4604050e0b6 \
+                    "
 
 SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
            file://pon \
@@ -23,32 +23,38 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
            file://ppp_on_boot \
            file://provider \
            file://ppp@.service \
+           file://0001-pppdump-Fixed-building-with-GCC-15-548.patch \
+           file://0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch \
+           file://0001-pppd-session-Fixed-building-with-GCC-15.patch \
            "
 
-SRC_URI[sha256sum] = "5cae0e8075f8a1755f16ca290eb44e6b3545d3f292af4da65ecffe897de636ff"
+SRC_URI[sha256sum] = "47da358de54a10cb10bf6ff2cf9b1c03c0d3555518f6182e8f701b8e55733cb2"
 
-inherit autotools systemd
+inherit autotools pkgconfig systemd
 
-EXTRA_OECONF += "--with-openssl=${STAGING_EXECPREFIXDIR}"
+PACKAGECONFIG = "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} openssl"
+PACKAGECONFIG[pam] = "--with-pam=yes,--with-pam=no,libpam"
+PACKAGECONFIG[openssl] = "--with-openssl=yes,--with-openssl=no,openssl"
+PACKAGECONFIG[multilink] = "--enable-multilink,--disable-multilink"
 
 do_install:append () {
         mkdir -p ${D}${bindir}/ ${D}${sysconfdir}/init.d
         mkdir -p ${D}${sysconfdir}/ppp/ip-up.d/
         mkdir -p ${D}${sysconfdir}/ppp/ip-down.d/
-        install -m 0755 ${WORKDIR}/pon ${D}${bindir}/pon
-        install -m 0755 ${WORKDIR}/poff ${D}${bindir}/poff
-        install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/ppp
-        install -m 0755 ${WORKDIR}/ip-up ${D}${sysconfdir}/ppp/
-        install -m 0755 ${WORKDIR}/ip-down ${D}${sysconfdir}/ppp/
-        install -m 0755 ${WORKDIR}/08setupdns ${D}${sysconfdir}/ppp/ip-up.d/
-        install -m 0755 ${WORKDIR}/92removedns ${D}${sysconfdir}/ppp/ip-down.d/
+        install -m 0755 ${UNPACKDIR}/pon ${D}${bindir}/pon
+        install -m 0755 ${UNPACKDIR}/poff ${D}${bindir}/poff
+        install -m 0755 ${UNPACKDIR}/init ${D}${sysconfdir}/init.d/ppp
+        install -m 0755 ${UNPACKDIR}/ip-up ${D}${sysconfdir}/ppp/
+        install -m 0755 ${UNPACKDIR}/ip-down ${D}${sysconfdir}/ppp/
+        install -m 0755 ${UNPACKDIR}/08setupdns ${D}${sysconfdir}/ppp/ip-up.d/
+        install -m 0755 ${UNPACKDIR}/92removedns ${D}${sysconfdir}/ppp/ip-down.d/
         mkdir -p ${D}${sysconfdir}/chatscripts
         mkdir -p ${D}${sysconfdir}/ppp/peers
-        install -m 0755 ${WORKDIR}/pap ${D}${sysconfdir}/chatscripts
-        install -m 0755 ${WORKDIR}/ppp_on_boot ${D}${sysconfdir}/ppp/ppp_on_boot
-        install -m 0755 ${WORKDIR}/provider ${D}${sysconfdir}/ppp/peers/provider
+        install -m 0755 ${UNPACKDIR}/pap ${D}${sysconfdir}/chatscripts
+        install -m 0755 ${UNPACKDIR}/ppp_on_boot ${D}${sysconfdir}/ppp/ppp_on_boot
+        install -m 0755 ${UNPACKDIR}/provider ${D}${sysconfdir}/ppp/peers/provider
         install -d ${D}${systemd_system_unitdir}
-        install -m 0644 ${WORKDIR}/ppp@.service ${D}${systemd_system_unitdir}
+        install -m 0644 ${UNPACKDIR}/ppp@.service ${D}${systemd_system_unitdir}
         sed -i -e 's,@SBINDIR@,${sbindir},g' \
                ${D}${systemd_system_unitdir}/ppp@.service
 }
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf_1.92.bb b/meta/recipes-connectivity/resolvconf/resolvconf_1.93.bb
index 226cb7ee77..c10c57267a 100644
--- a/meta/recipes-connectivity/resolvconf/resolvconf_1.92.bb
+++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.93.bb
@@ -15,9 +15,7 @@ SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=un
            file://0001-avoid-using-m-option-for-readlink.patch \
            "
 
-SRCREV = "86047276c80705c51859a19f0c472102e0822f34"
-
-S = "${WORKDIR}/git"
+SRCREV = "ab766fa31f7939f6d879123236b4275320b7ff64"
 
 # the package is taken from snapshots.debian.org; that source is static and goes stale
 # so we check the latest upstream from a directory that does get updated
@@ -29,7 +27,7 @@ do_compile () {
 
 do_install () {
         install -d ${D}${sysconfdir}/default/volatiles
-        install -m 0644 ${WORKDIR}/99_resolvconf ${D}${sysconfdir}/default/volatiles
+        install -m 0644 ${UNPACKDIR}/99_resolvconf ${D}${sysconfdir}/default/volatiles
         if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
                 install -d ${D}${sysconfdir}/tmpfiles.d
                 echo "d /run/${BPN}/interface - - - -" \
diff --git a/meta/recipes-connectivity/slirp/libslirp_git.bb b/meta/recipes-connectivity/slirp/libslirp_4.9.1.bb
index 334b786b9b..9f7005d709 100644
--- a/meta/recipes-connectivity/slirp/libslirp_git.bb
+++ b/meta/recipes-connectivity/slirp/libslirp_4.9.1.bb
@@ -5,13 +5,9 @@ LICENSE = "BSD-3-Clause & MIT"
 LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bca0186b14e6b05e338e729f106db727"
 
 SRC_URI = "git://gitlab.freedesktop.org/slirp/libslirp.git;protocol=https;branch=master"
-SRCREV = "3ad1710a96678fe79066b1469cead4058713a1d9"
-PV = "4.7.0"
-S = "${WORKDIR}/git"
+SRCREV = "9c744e1e52aa0d9646ed91d789d588696292c21e"
 
-DEPENDS = " \
-    glib-2.0 \
-"
+DEPENDS = "glib-2.0"
 
 inherit meson pkgconfig
 
diff --git a/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch b/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch
index 9051ae1abe..ea00dfa0a9 100644
--- a/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch
+++ b/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch
@@ -1,7 +1,7 @@
-From 4f887cc665c9a48b83e20ef4abe57afa7e365e0e Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@eng.windriver.com>
-Date: Tue, 5 Dec 2023 23:02:22 -0800
-Subject: [PATCH v2] fix compile procan.c failed
+From c4c3d5f2d4dfe8167205e8d20b4cb7a197706c16 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Wed, 27 Nov 2024 04:09:59 -0800
+Subject: [PATCH] fix compile procan.c failed
 
 1. Compile socat failed if out of tree build (build dir != source dir)
 ...
@@ -24,23 +24,23 @@ C source compile. Use first word of $(CC) to defeine marco CC
 [1] https://repo.or.cz/socat.git/commit/cd5673dbd0786c94e0b3ace7e35fab14c01e3185
 
 Upstream-Status: Submitted [socat@dest-unreach.org]
-Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com>
+
+Rebase to 1.8.0.1
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
 ---
- Makefile.in | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
+ Makefile.in | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/Makefile.in b/Makefile.in
-index c01b1a4..48dad69 100644
+index 631d31d..103d4d1 100644
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -109,8 +109,8 @@ depend: $(CFILES) $(HFILES)
- socat: socat.o libxio.a
+@@ -110,7 +110,7 @@ socat: socat.o libxio.a
         $(CC) $(CFLAGS) $(LDFLAGS) -o $@ socat.o libxio.a $(CLIBS)
  
--procan.o: procan.c
--       $(CC) $(CFLAGS) -c -D CC=\"$(CC)\" -o $@ procan.c
-+procan.o: $(srcdir)/procan.c
-+       $(CC) $(CFLAGS) -c -D CC=\"$(firstword $(CC))\" -o $@ $(srcdir)/procan.c
+ procan.o: $(srcdir)/procan.c
+-       $(CC) $(CFLAGS) -c -D CC="\"$(CC)\"" -o $@ $(srcdir)/procan.c
++       $(CC) $(CFLAGS) -c -D CC="\"$(firstword $(CC))\"" -o $@ $(srcdir)/procan.c
  
  PROCAN_OBJS=procan_main.o procan.o procan-cdefs.o hostan.o error.o sycls.o sysutils.o utils.o vsnprintf_r.o snprinterr.o
  procan: $(PROCAN_OBJS)
@@ -58,5 +58,5 @@ index c01b1a4..48dad69 100644
         $(INSTALL) -m 755 filan $(DESTDIR)$(BINDEST)
         mkdir -p $(DESTDIR)$(MANDEST)/man1
 -- 
-2.42.0
+2.25.1
 
diff --git a/meta/recipes-connectivity/socat/socat_1.8.0.0.bb b/meta/recipes-connectivity/socat/socat_1.8.0.3.bb
index 912605c95c..ee6ca1fe44 100644
--- a/meta/recipes-connectivity/socat/socat_1.8.0.0.bb
+++ b/meta/recipes-connectivity/socat/socat_1.8.0.3.bb
@@ -7,13 +7,13 @@ SECTION = "console/network"
 
 LICENSE = "GPL-2.0-with-OpenSSL-exception"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-                    file://README;beginline=241;endline=271;md5=338c05eadd013872abb1d6e198e10a3f"
+                    file://README;beginline=248;endline=278;md5=338c05eadd013872abb1d6e198e10a3f"
 
 SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
            file://0001-fix-compile-procan.c-failed.patch \
 "
 
-SRC_URI[sha256sum] = "e1de683dd22ee0e3a6c6bbff269abe18ab0c9d7eb650204f125155b9005faca7"
+SRC_URI[sha256sum] = "01eb017361d95bb3a6941e840b59e4463a3fabf92df4154ed02b16a2ed6a0095"
 
 inherit autotools
 
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
index ddd10e6eeb..57b0534929 100644
--- a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
+++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
@@ -6,14 +6,18 @@ SRC_URI = "file://dropbear_rsa_host_key \
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
 
+S = "${UNPACKDIR}"
+
 INHIBIT_DEFAULT_DEPS = "1"
 
+COMPATIBLE_MACHINE = "^qemu.*$"
+
 do_install () {
         install -d ${D}${sysconfdir}/dropbear
-        install ${WORKDIR}/dropbear_rsa_host_key -m 0600 ${D}${sysconfdir}/dropbear/
+        install ${UNPACKDIR}/dropbear_rsa_host_key -m 0600 ${D}${sysconfdir}/dropbear/
 
         install -d ${D}${sysconfdir}/ssh
-        install ${WORKDIR}/openssh/* ${D}${sysconfdir}/ssh/
+        install ${UNPACKDIR}/openssh/* ${D}${sysconfdir}/ssh/
         chmod 0600 ${D}${sysconfdir}/ssh/*
         chmod 0644 ${D}${sysconfdir}/ssh/*.pub
-}
\ No newline at end of file
+}
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
deleted file mode 100644
index c04c608bde..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001
-From: Alex Kiernan <alexk@zuma.ai>
-Date: Thu, 21 Apr 2022 10:15:29 +0100
-Subject: [PATCH] Install wpa_passphrase when not disabled
-
-As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
-built, its not installed during `make install`.
-
-Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
-Signed-off-by: Alex Kiernan <alexk@zuma.ai>
-Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
-Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html]
----
- wpa_supplicant/Makefile | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
-index 0bab313f2355..12787c0c7d0f 100644
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: %
- 
- install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL))
-        $(MAKE) -C ../src install
-+ifndef CONFIG_NO_WPA_PASSPHRASE
-+       install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase
-+endif
- ifdef CONFIG_BUILD_WPA_CLIENT_SO
-        install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so
-        install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h
--- 
-2.35.1
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
deleted file mode 100644
index 620560d3c7..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
+++ /dev/null
@@ -1,213 +0,0 @@
-From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 8 Jul 2023 19:55:32 +0300
-Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
-
-The previous PEAP client behavior allowed the server to skip Phase 2
-authentication with the expectation that the server was authenticated
-during Phase 1 through TLS server certificate validation. Various PEAP
-specifications are not exactly clear on what the behavior on this front
-is supposed to be and as such, this ended up being more flexible than
-the TTLS/FAST/TEAP cases. However, this is not really ideal when
-unfortunately common misconfiguration of PEAP is used in deployed
-devices where the server trust root (ca_cert) is not configured or the
-user has an easy option for allowing this validation step to be skipped.
-
-Change the default PEAP client behavior to be to require Phase 2
-authentication to be successfully completed for cases where TLS session
-resumption is not used and the client certificate has not been
-configured. Those two exceptions are the main cases where a deployed
-authentication server might skip Phase 2 and as such, where a more
-strict default behavior could result in undesired interoperability
-issues. Requiring Phase 2 authentication will end up disabling TLS
-session resumption automatically to avoid interoperability issues.
-
-Allow Phase 2 authentication behavior to be configured with a new phase1
-configuration parameter option:
-'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-tunnel) behavior for PEAP:
- * 0 = do not require Phase 2 authentication
- * 1 = require Phase 2 authentication when client certificate
-   (private_key/client_cert) is no used and TLS session resumption was
-   not used (default)
- * 2 = require Phase 2 authentication in all cases
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
-
-CVE: CVE-2023-52160
-Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]
-
-Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
-
----
- src/eap_peer/eap_config.h          |  8 ++++++
- src/eap_peer/eap_peap.c            | 40 +++++++++++++++++++++++++++---
- src/eap_peer/eap_tls_common.c      |  6 +++++
- src/eap_peer/eap_tls_common.h      |  5 ++++
- wpa_supplicant/wpa_supplicant.conf |  7 ++++++
- 5 files changed, 63 insertions(+), 3 deletions(-)
-
-diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
-index 3238f74..047eec2 100644
---- a/src/eap_peer/eap_config.h
-+++ b/src/eap_peer/eap_config.h
-@@ -469,6 +469,14 @@ struct eap_peer_config {
-         * 1 = use cryptobinding if server supports it
-         * 2 = require cryptobinding
-         *
-+        * phase2_auth option can be used to control Phase 2 (i.e., within TLS
-+        * tunnel) behavior for PEAP:
-+        * 0 = do not require Phase 2 authentication
-+        * 1 = require Phase 2 authentication when client certificate
-+        *  (private_key/client_cert) is no used and TLS session resumption was
-+        *  not used (default)
-+        * 2 = require Phase 2 authentication in all cases
-+        *
-         * EAP-WSC (WPS) uses following options: pin=Device_Password and
-         * uuid=Device_UUID
-         *
-diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
-index 12e30df..6080697 100644
---- a/src/eap_peer/eap_peap.c
-+++ b/src/eap_peer/eap_peap.c
-@@ -67,6 +67,7 @@ struct eap_peap_data {
-        u8 cmk[20];
-        int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
-                  * is enabled. */
-+       enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
- };
- 
- 
-@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
-                wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
-        }
- 
-+       if (os_strstr(phase1, "phase2_auth=0")) {
-+               data->phase2_auth = NO_AUTH;
-+               wpa_printf(MSG_DEBUG,
-+                          "EAP-PEAP: Do not require Phase 2 authentication");
-+       } else if (os_strstr(phase1, "phase2_auth=1")) {
-+               data->phase2_auth = FOR_INITIAL;
-+               wpa_printf(MSG_DEBUG,
-+                          "EAP-PEAP: Require Phase 2 authentication for initial connection");
-+       } else if (os_strstr(phase1, "phase2_auth=2")) {
-+               data->phase2_auth = ALWAYS;
-+               wpa_printf(MSG_DEBUG,
-+                          "EAP-PEAP: Require Phase 2 authentication for all cases");
-+       }
- #ifdef EAP_TNC
-        if (os_strstr(phase1, "tnc=soh2")) {
-                data->soh = 2;
-@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
-        data->force_peap_version = -1;
-        data->peap_outer_success = 2;
-        data->crypto_binding = OPTIONAL_BINDING;
-+       data->phase2_auth = FOR_INITIAL;
- 
-        if (config && config->phase1)
-                eap_peap_parse_phase1(data, config->phase1);
-@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
- }
- 
- 
-+static bool peap_phase2_sufficient(struct eap_sm *sm,
-+                                  struct eap_peap_data *data)
-+{
-+       if ((data->phase2_auth == ALWAYS ||
-+            (data->phase2_auth == FOR_INITIAL &&
-+             !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
-+             !data->ssl.client_cert_conf) ||
-+            data->phase2_eap_started) &&
-+           !data->phase2_eap_success)
-+               return false;
-+       return true;
-+}
-+
-+
- /**
-  * eap_tlv_process - Process a received EAP-TLV message and generate a response
-  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
-@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
-                                           " - force failed Phase 2");
-                                resp_status = EAP_TLV_RESULT_FAILURE;
-                                ret->decision = DECISION_FAIL;
-+                       } else if (!peap_phase2_sufficient(sm, data)) {
-+                               wpa_printf(MSG_INFO,
-+                                          "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
-+                               resp_status = EAP_TLV_RESULT_FAILURE;
-+                               ret->decision = DECISION_FAIL;
-                        } else {
-                                resp_status = EAP_TLV_RESULT_SUCCESS;
-                                ret->decision = DECISION_UNCOND_SUCC;
-@@ -887,8 +921,7 @@ continue_req:
-                        /* EAP-Success within TLS tunnel is used to indicate
-                         * shutdown of the TLS channel. The authentication has
-                         * been completed. */
--                       if (data->phase2_eap_started &&
--                           !data->phase2_eap_success) {
-+                       if (!peap_phase2_sufficient(sm, data)) {
-                                wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
-                                           "Success used to indicate success, "
-                                           "but Phase 2 EAP was not yet "
-@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
- static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
- {
-        struct eap_peap_data *data = priv;
-+
-        return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
--               data->phase2_success;
-+               data->phase2_success && data->phase2_auth != ALWAYS;
- }
- 
- 
-diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
-index c1837db..a53eeb1 100644
---- a/src/eap_peer/eap_tls_common.c
-+++ b/src/eap_peer/eap_tls_common.c
-@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
- 
-        sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
- 
-+       if (!phase2)
-+               data->client_cert_conf = params->client_cert ||
-+                       params->client_cert_blob ||
-+                       params->private_key ||
-+                       params->private_key_blob;
-+
-        return 0;
- }
- 
-diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
-index 9ac0012..3348634 100644
---- a/src/eap_peer/eap_tls_common.h
-+++ b/src/eap_peer/eap_tls_common.h
-@@ -79,6 +79,11 @@ struct eap_ssl_data {
-         * tls_v13 - Whether TLS v1.3 or newer is used
-         */
-        int tls_v13;
-+
-+       /**
-+        * client_cert_conf: Whether client certificate has been configured
-+        */
-+       bool client_cert_conf;
- };
- 
- 
-diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
-index 6619d6b..d63f73c 100644
---- a/wpa_supplicant/wpa_supplicant.conf
-+++ b/wpa_supplicant/wpa_supplicant.conf
-@@ -1321,6 +1321,13 @@ fast_reauth=1
- #       * 0 = do not use cryptobinding (default)
- #       * 1 = use cryptobinding if server supports it
- #       * 2 = require cryptobinding
-+#      'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-+#      tunnel) behavior for PEAP:
-+#       * 0 = do not require Phase 2 authentication
-+#       * 1 = require Phase 2 authentication when client certificate
-+#         (private_key/client_cert) is no used and TLS session resumption was
-+#         not used (default)
-+#       * 2 = require Phase 2 authentication in all cases
- #      EAP-WSC (WPS) uses following options: pin=<Device Password> or
- #      pbc=1.
- #
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
deleted file mode 100644
index 6e930fc98d..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001
-From: Sergey Matyukevich <geomatsi@gmail.com>
-Date: Tue, 22 Feb 2022 11:52:19 +0300
-Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and
- wpa_passphrase
-
-Commit a41a29192e5d ("build: Pull common fragments into a build.rules
-file") introduced a regression into wpa_supplicant build process. The
-build target libwpa_client.so is not built regardless of whether the
-option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because
-this config option is used before it is imported from the configuration
-file. Moving its use after including build.rules does not help: the
-variable ALL is processed by build.rules and further changes are not
-applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work
-as expected: wpa_passphrase is always built regardless of whether the
-option is set or not.
-
-Re-enable these options by adding both build targets to _all
-dependencies.
-
-Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file")
-Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
-Upstream-Status: Backport
-Signed-off-by: Alex Kiernan <alexk@zuma.ai>
-Signed-off-by: Alex Kiernan <alexk@gmail.com>
----
- wpa_supplicant/Makefile | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
-index cb66defac7c8..c456825ae75f 100644
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -1,24 +1,29 @@
- BINALL=wpa_supplicant wpa_cli
- 
--ifndef CONFIG_NO_WPA_PASSPHRASE
--BINALL += wpa_passphrase
--endif
--
- ALL = $(BINALL)
- ALL += systemd/wpa_supplicant.service
- ALL += systemd/wpa_supplicant@.service
- ALL += systemd/wpa_supplicant-nl80211@.service
- ALL += systemd/wpa_supplicant-wired@.service
- ALL += dbus/fi.w1.wpa_supplicant1.service
--ifdef CONFIG_BUILD_WPA_CLIENT_SO
--ALL += libwpa_client.so
--endif
- 
- EXTRA_TARGETS=dynamic_eap_methods
- 
- CONFIG_FILE=.config
- include ../src/build.rules
- 
-+ifdef CONFIG_BUILD_WPA_CLIENT_SO
-+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO
-+# being set in the config which is read by build.rules
-+_all: libwpa_client.so
-+endif
-+
-+ifndef CONFIG_NO_WPA_PASSPHRASE
-+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE
-+# being set in the config which is read by build.rules
-+_all: wpa_passphrase
-+endif
-+
- ifdef LIBS
- # If LIBS is set with some global build system defaults, clone those for
- # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well.
--- 
-2.35.1
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch
new file mode 100644
index 0000000000..f9634e47c9
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch
@@ -0,0 +1,53 @@
+From 809d9d8172db8e2a08ff639875f838b5b86d2641 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <geomatsi@gmail.com>
+Date: Thu, 22 Aug 2024 00:03:41 +0300
+Subject: [PATCH] macsec_linux: Hardware offload requires Linux headers >= v5.7
+
+Hardware offload in Linux macsec driver is enabled in compile time if
+libnl version is >= v3.6. This is not sufficient for successful build
+since enum 'macsec_offload' has been added to Linux header if_link.h
+in kernels v5.6 and v5.7, see commits:
+- https://github.com/torvalds/linux/commit/21114b7feec29e4425a3ac48a037569c016a46c8
+- https://github.com/torvalds/linux/commit/76564261a7db80c5f5c624e0122a28787f266bdf
+
+New libnl with older Linux headers is a valid combination. This is how
+hostapd build failure has been detected by Buildroot autobuilder, see:
+- http://autobuild.buildroot.net/results/b59d5bc5bd17683a3a1e3577c40c802e81911f84/
+
+Extend compile time condition for the enablement of the macsec hardware
+offload adding Linux headers version check.
+
+Fixes: 40c139664439 ("macsec_linux: Add support for MACsec hardware offload")
+Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
+
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/patch/?id=809d9d8172db8e2a08ff639875f838b5b86d2641]
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+---
+ src/drivers/driver_macsec_linux.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c
+index c867154981e9..fad47a292f9f 100644
+--- a/src/drivers/driver_macsec_linux.c
++++ b/src/drivers/driver_macsec_linux.c
+@@ -19,6 +19,7 @@
+ #include <netlink/route/link.h>
+ #include <netlink/route/link/macsec.h>
+ #include <linux/if_macsec.h>
++#include <linux/version.h>
+ #include <inttypes.h>
+ 
+ #include "utils/common.h"
+@@ -32,7 +33,8 @@
+ 
+ #define UNUSED_SCI 0xffffffffffffffff
+ 
+-#if LIBNL_VER_NUM >= LIBNL_VER(3, 6)
++#if (LIBNL_VER_NUM >= LIBNL_VER(3, 6) && \
++     LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0))
+ #define LIBNL_HAS_OFFLOAD
+ #endif
+ 
+-- 
+2.39.2
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
deleted file mode 100644
index 53b0fcdf53..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <quic_jouni@quicinc.com>
-Date: Thu, 3 Mar 2022 13:26:42 +0200
-Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean'
-
-Fixes: 0430bc8267b4 ("build: Add a common-clean target")
-Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
-Upstream-Status: Backport
-Signed-off-by: Alex Kiernan <alexk@zuma.ai>
-Signed-off-by: Alex Kiernan <alexk@gmail.com>
----
- wpa_supplicant/Makefile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
-index c456825ae75f..4b4688931b1d 100644
---- a/wpa_supplicant/Makefile
-+++ b/wpa_supplicant/Makefile
-@@ -2077,3 +2077,4 @@ clean: common-clean
-        rm -f libwpa_client.a
-        rm -f libwpa_client.so
-        rm -f libwpa_test1 libwpa_test2
-+       rm -f wpa_passphrase
--- 
-2.35.1
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
index 22028ce957..6dc76494f7 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
@@ -5,8 +5,8 @@ BUGTRACKER = "http://w1.fi/security/"
 SECTION = "network"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \
-                    file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \
-                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705"
+                    file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \
+                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4"
 
 DEPENDS = "dbus libnl"
 
@@ -15,14 +15,11 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
            file://wpa_supplicant.conf \
            file://wpa_supplicant.conf-sane \
            file://99_wpa_supplicant \
-           file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \
-           file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \
-           file://0001-Install-wpa_passphrase-when-not-disabled.patch \
-           file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \
+           file://0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch \
            "
-SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
+SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a"
 
-S = "${WORKDIR}/wpa_supplicant-${PV}"
+S = "${UNPACKDIR}/wpa_supplicant-${PV}"
 
 inherit pkgconfig systemd
 
@@ -32,6 +29,8 @@ PACKAGECONFIG[openssl] = ",,openssl"
 
 CVE_PRODUCT = "wpa_supplicant"
 
+CVE_STATUS[CVE-2024-5290] = "not-applicable-platform: this only affects Ubuntu and other platforms patching wpa-supplicant"
+
 EXTRA_OEMAKE = "'LIBDIR=${libdir}' 'INCDIR=${includedir}' 'BINDIR=${sbindir}'"
 
 do_configure () {
@@ -62,15 +61,15 @@ do_install () {
         oe_runmake -C wpa_supplicant DESTDIR="${D}" install
 
         install -d ${D}${docdir}/wpa_supplicant
-        install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
+        install -m 644 wpa_supplicant/README ${UNPACKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
 
         install -d ${D}${sysconfdir}
-        install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
+        install -m 600 ${UNPACKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
 
         install -d ${D}${sysconfdir}/network/if-pre-up.d/
         install -d ${D}${sysconfdir}/network/if-post-down.d/
         install -d ${D}${sysconfdir}/network/if-down.d/
-        install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
+        install -m 755 ${UNPACKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
         ln -sf ../if-pre-up.d/wpa-supplicant ${D}${sysconfdir}/network/if-post-down.d/wpa-supplicant
 
         install -d ${D}/${sysconfdir}/dbus-1/system.d
@@ -84,7 +83,7 @@ do_install () {
         fi
 
         install -d ${D}/etc/default/volatiles
-        install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
+        install -m 0644 ${UNPACKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
 
         install -d ${D}${includedir}
         install -m 0644 ${S}/src/common/wpa_ctrl.h ${D}${includedir}