47 files changed, 2729 insertions, 689 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 743bc08a4f..19ed5548b3 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
 CVE_CHECK_LOG ?= "${T}/cve.log"
 CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -37,39 +37,39 @@ CVE_CHECK_COPY_FILES ??= "1"
 CVE_CHECK_CREATE_MANIFEST ??= "1"
 # Whitelist for packages (PN)
-CVE_CHECK_PN_WHITELIST = "\
+CVE_CHECK_PN_WHITELIST ?= ""
-    glibc-locale \
-"
-# Whitelist for CVE and version of package
+# Whitelist for CVE. If a CVE is found, then it is considered patched.
-CVE_CHECK_CVE_WHITELIST = "{\
+# The value is a string containing space separated CVE values:
-    'CVE-2014-2524': ('6.3','5.2',), \
+# 
-}"
+# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
+# 
+CVE_CHECK_WHITELIST ?= ""
 python do_cve_check () {
    """
    Check recipe for patched and unpatched CVEs
    """
-    if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
+    if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
        patched_cves = get_patches_cves(d)
        patched, unpatched = check_cves(d, patched_cves)
        if patched or unpatched:
            cve_data = get_cve_info(d, patched + unpatched)
            cve_write_data(d, patched, unpatched, cve_data)
    else:
-        bb.note("Failed to update CVE database, skipping CVE check")
+        bb.note("No CVE database found, skipping CVE check")
 }
-addtask cve_check after do_unpack before do_build
+addtask cve_check before do_build
-do_cve_check[depends] = "cve-check-tool-native:do_populate_sysroot cve-check-tool-native:do_populate_cve_db"
+do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
 do_cve_check[nostamp] = "1"
 python cve_check_cleanup () {
    """
    Delete the file used to gather all the CVE information.
    """
    bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE"))
 }
@@ -163,89 +163,121 @@ def get_patches_cves(d):
 def check_cves(d, patched_cves):
    """
-    Run cve-check-tool looking for patched and unpatched CVEs.
+    Connect to the NVD database and find unpatched cves.
    """
+    from distutils.version import LooseVersion
-    import ast, csv, tempfile, subprocess, io
-    cves_patched = []
    cves_unpatched = []
-    bpn = d.getVar("CVE_PRODUCT")
+    # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
+    products = d.getVar("CVE_PRODUCT").split()
    # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
-    if not bpn:
+    if not products:
        return ([], [])
    pv = d.getVar("CVE_VERSION").split("+git")[0]
-    cves = " ".join(patched_cves)
-    cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
-    cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
-    cve_cmd = "cve-check-tool"
-    cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
    # If the recipe has been whitlisted we return empty lists
    if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
        bb.note("Recipe has been whitelisted, skipping check")
        return ([], [])
-    try:
+    old_cve_whitelist =  d.getVar("CVE_CHECK_CVE_WHITELIST")
-        # Write the faux CSV file to be used with cve-check-tool
+    if old_cve_whitelist:
-        fd, faux = tempfile.mkstemp(prefix="cve-faux-")
+        bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
-        with os.fdopen(fd, "w") as f:
+    cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
-            for pn in bpn.split():
-                f.write("%s,%s,%s,\n" % (pn, pv, cves))
+    import sqlite3
-        cmd.append(faux)
+    db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
+    conn = sqlite3.connect(db_file, uri=True)
-        output = subprocess.check_output(cmd).decode("utf-8")
-        bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output))
+    # For each of the known product names (e.g. curl has CPEs using curl and libcurl)...
-    except subprocess.CalledProcessError as e:
+    for product in products:
-        bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output))
+        if ":" in product:
-    finally:
+            vendor, product = product.split(":", 1)
-        os.remove(faux)
+        else:
+            vendor = "%"
-    for row in csv.reader(io.StringIO(output)):
-        # Third row has the unpatched CVEs
+        # Find all relevant CVE IDs.
-        if row[2]:
+        for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
-            for cve in row[2].split():
+            cve = cverow[0]
-                # Skip if the CVE has been whitlisted for the current version
-                if pv in cve_whitelist.get(cve,[]):
+            if cve in cve_whitelist:
-                    bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve))
+                bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
+                # TODO: this should be in the report as 'whitelisted'
+                patched_cves.add(cve)
+                continue
+            elif cve in patched_cves:
+                bb.note("%s has been patched" % (cve))
+                continue
+            vulnerable = False
+            for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
+                (_, _, _, version_start, operator_start, version_end, operator_end) = row
+                #bb.debug(2, "Evaluating row " + str(row))
+                if (operator_start == '=' and pv == version_start):
+                    vulnerable = True
                else:
+                    if operator_start:
+                        try:
+                            vulnerable_start =  (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
+                            vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+                        except:
+                            bb.warn("%s: Failed to compare %s %s %s for %s" %
+                                    (product, pv, operator_start, version_start, cve))
+                            vulnerable_start = False
+                    else:
+                        vulnerable_start = False
+                    if operator_end:
+                        try:
+                            vulnerable_end  = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
+                            vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+                        except:
+                            bb.warn("%s: Failed to compare %s %s %s for %s" %
+                                    (product, pv, operator_end, version_end, cve))
+                            vulnerable_end = False
+                    else:
+                        vulnerable_end = False
+                    if operator_start and operator_end:
+                        vulnerable = vulnerable_start and vulnerable_end
+                    else:
+                        vulnerable = vulnerable_start or vulnerable_end
+                if vulnerable:
+                    bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
                    cves_unpatched.append(cve)
-                    bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve))
+                    break
-        # Fourth row has patched CVEs
-        if row[3]:
+            if not vulnerable:
-            for cve in row[3].split():
+                bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
-                cves_patched.append(cve)
+                # TODO: not patched but not vulnerable
-                bb.debug(2, "%s-%s is patched for %s" % (bpn, pv, cve))
+                patched_cves.add(cve)
+    conn.close()
-    return (cves_patched, cves_unpatched)
+    return (list(patched_cves), cves_unpatched)
 def get_cve_info(d, cves):
    """
-    Get CVE information from the database used by cve-check-tool.
+    Get CVE information from the database.
-    Unfortunately the only way to get CVE info is set the output to
-    html (hard to parse) or query directly the database.
    """
-    try:
+    import sqlite3
-        import sqlite3
-    except ImportError:
-        from pysqlite2 import dbapi2 as sqlite3
    cve_data = {}
-    db_file = d.getVar("CVE_CHECK_DB_FILE")
+    conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
-    placeholder = ",".join("?" * len(cves))
-    query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholder
-    conn = sqlite3.connect(db_file)
-    cur = conn.cursor()
-    for row in cur.execute(query, tuple(cves)):
-        cve_data[row[0]] = {}
-        cve_data[row[0]]["summary"] = row[1]
-        cve_data[row[0]]["score"] = row[2]
-        cve_data[row[0]]["modified"] = row[3]
-        cve_data[row[0]]["vector"] = row[4]
-    conn.close()
+    for cve in cves:
+        for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
+            cve_data[row[0]] = {}
+            cve_data[row[0]]["summary"] = row[1]
+            cve_data[row[0]]["scorev2"] = row[2]
+            cve_data[row[0]]["scorev3"] = row[3]
+            cve_data[row[0]]["modified"] = row[4]
+            cve_data[row[0]]["vector"] = row[5]
+    conn.close()
    return cve_data
 def cve_write_data(d, patched, unpatched, cve_data):
@@ -270,7 +302,8 @@ def cve_write_data(d, patched, unpatched, cve_data):
            unpatched_cves.append(cve)
            write_string += "CVE STATUS: Unpatched\n"
        write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
-        write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"]
+        write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
+        write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
        write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
        write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass
index 40b0375e0b..9bab54c6bd 100644
--- a/meta/classes/populate_sdk_ext.bbclass
+++ b/meta/classes/populate_sdk_ext.bbclass
@@ -574,8 +574,8 @@ sdk_ext_preinst() {
                exit 1
        fi
        # The relocation script used by buildtools installer requires python
-        if ! command -v python > /dev/null; then
+        if ! command -v python3 > /dev/null; then
-                echo "ERROR: The installer requires python, please install it first"
+                echo "ERROR: The installer requires python3, please install it first"
                exit 1
        fi
        missing_utils=""
@@ -634,7 +634,7 @@ sdk_ext_postinst() {
                # current working directory when first ran, nor will it set $1 when
                # sourcing a script. That is why this has to look so ugly.
                LOGFILE="$target_sdk_dir/preparing_build_system.log"
-                sh -c ". buildtools/environment-setup* > $LOGFILE && cd $target_sdk_dir/`dirname ${oe_init_build_env_path}` && set $target_sdk_dir && . $target_sdk_dir/${oe_init_build_env_path} $target_sdk_dir >> $LOGFILE && python $target_sdk_dir/ext-sdk-prepare.py $LOGFILE '${SDK_INSTALL_TARGETS}'" || { echo "printf 'ERROR: this SDK was not fully installed and needs reinstalling\n'" >> $env_setup_script ; exit 1 ; }
+                sh -c ". buildtools/environment-setup* > $LOGFILE && cd $target_sdk_dir/`dirname ${oe_init_build_env_path}` && set $target_sdk_dir && . $target_sdk_dir/${oe_init_build_env_path} $target_sdk_dir >> $LOGFILE && python3 $target_sdk_dir/ext-sdk-prepare.py $LOGFILE '${SDK_INSTALL_TARGETS}'" || { echo "printf 'ERROR: this SDK was not fully installed and needs reinstalling\n'" >> $env_setup_script ; exit 1 ; }
                rm $target_sdk_dir/ext-sdk-prepare.py
        fi
        echo done
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 672f067792..8eb5e7a864 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -81,6 +81,7 @@ RECIPE_MAINTAINER_pn-build-appliance-image = "Richard Purdie <richard.purdie@lin
 RECIPE_MAINTAINER_pn-build-compare = "Paul Eggleton <paul.eggleton@linux.intel.com>"
 RECIPE_MAINTAINER_pn-build-sysroots = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER_pn-builder = "Richard Purdie <richard.purdie@linuxfoundation.org>"
+RECIPE_MAINTAINER_pn-buildtools-extended-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER_pn-buildtools-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER_pn-busybox = "Andrej Valek <andrej.valek@siemens.com>"
 RECIPE_MAINTAINER_pn-busybox-inittab = "Denys Dmytriyenko <denys@ti.com>"
@@ -116,6 +117,7 @@ RECIPE_MAINTAINER_pn-cryptodev-tests = "Robert Yang <liezhi.yang@windriver.com>"
 RECIPE_MAINTAINER_pn-cups = "Chen Qi <Qi.Chen@windriver.com>"
 RECIPE_MAINTAINER_pn-curl = "Armin Kuster <akuster808@gmail.com>"
 RECIPE_MAINTAINER_pn-cve-check-tool = "Ross Burton <ross.burton@intel.com>"
+RECIPE_MAINTAINER_pn-cve-update-db-native = "Ross Burton <ross.burton@intel.com>"
 RECIPE_MAINTAINER_pn-cwautomacros = "Ross Burton <ross.burton@intel.com>"
 RECIPE_MAINTAINER_pn-db = "Mark Hatle <mark.hatle@windriver.com>"
 RECIPE_MAINTAINER_pn-dbus = "Chen Qi <Qi.Chen@windriver.com>"
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index ad75d3e2a3..69b6edee5f 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@
 # to the distro running on the build machine.
 #
-UNINATIVE_MAXGLIBCVERSION = "2.30"
+UNINATIVE_MAXGLIBCVERSION = "2.32"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.7/"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/"
-UNINATIVE_CHECKSUM[aarch64] ?= "e76a45886ee8a0b3904b761c17ac8ff91edf9811ee455f1832d10763ba794dfc"
+UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81"
-UNINATIVE_CHECKSUM[i686] ?= "810d027dfb1c7675226afbcec07808770516c969ee7378f6d8240281083f8924"
+UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36"
-UNINATIVE_CHECKSUM[x86_64] ?= "9498d8bba047499999a7310ac2576d0796461184965351a56f6d32c888a1f216"
+UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423"
diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh
index 9eabd62630..6c4d14a038 100644
--- a/meta/files/toolchain-shar-extract.sh
+++ b/meta/files/toolchain-shar-extract.sh
@@ -1,13 +1,8 @@
 #!/bin/sh
-[ -z "$ENVCLEANED" ] && exec /usr/bin/env -i ENVCLEANED=1 HOME="$HOME" \
+export LC_ALL=en_US.UTF-8
-        LC_ALL=en_US.UTF-8 \
+# Remove invalid PATH elements first (maybe from a previously setup toolchain now deleted
-        TERM=$TERM \
+PATH=`python3 -c 'import os; print(":".join(e for e in os.environ["PATH"].split(":") if os.path.exists(e)))'`
-        ICECC_PATH="$ICECC_PATH" \
-        http_proxy="$http_proxy" https_proxy="$https_proxy" ftp_proxy="$ftp_proxy" \
-        no_proxy="$no_proxy" all_proxy="$all_proxy" GIT_PROXY_COMMAND="$GIT_PROXY_COMMAND" "$0" "$@"
-[ -f /etc/environment ] && . /etc/environment
-export PATH=`echo "$PATH" | sed -e 's/:\.//' -e 's/::/:/'`
 tweakpath () {
    case ":${PATH}:" in
diff --git a/meta/lib/oe/sdk.py b/meta/lib/oe/sdk.py
index 153b07d76b..ef81f8cf60 100644
--- a/meta/lib/oe/sdk.py
+++ b/meta/lib/oe/sdk.py
@@ -84,10 +84,6 @@ class Sdk(object, metaclass=ABCMeta):
            bb.warn("cannot remove SDK dir: %s" % path)
    def install_locales(self, pm):
-        # This is only relevant for glibc
-        if self.d.getVar("TCLIBC") != "glibc":
-            return
        linguas = self.d.getVar("SDKIMAGE_LINGUAS")
        if linguas:
            import fnmatch
diff --git a/meta/lib/oe/utils.py b/meta/lib/oe/utils.py
index 8a584d6ddd..96ebc36b8b 100644
--- a/meta/lib/oe/utils.py
+++ b/meta/lib/oe/utils.py
@@ -370,7 +370,7 @@ def host_gcc_version(d, taskcontextonly=False):
    except subprocess.CalledProcessError as e:
        bb.fatal("Error running %s --version: %s" % (compiler, e.output.decode("utf-8")))
-    match = re.match(".* (\d\.\d)\.\d.*", output.split('\n')[0])
+    match = re.match(r".* (\d+\.\d+)\.\d+.*", output.split('\n')[0])
    if not match:
        bb.fatal("Can't get compiler version from %s --version output" % compiler)
diff --git a/meta/lib/oeqa/core/utils/concurrencytest.py b/meta/lib/oeqa/core/utils/concurrencytest.py
index 1a58d35ba0..3e0e5d770c 100644
--- a/meta/lib/oeqa/core/utils/concurrencytest.py
+++ b/meta/lib/oeqa/core/utils/concurrencytest.py
@@ -194,7 +194,7 @@ def fork_for_tests(concurrency_num, suite):
                    oe.path.copytree(selftestdir, newselftestdir)
                    for e in os.environ:
-                        if builddir in os.environ[e]:
+                        if builddir + "/" in os.environ[e] or os.environ[e].endswith(builddir):
                            os.environ[e] = os.environ[e].replace(builddir, newbuilddir)
                    subprocess.check_output("git init; git add *; git commit -a -m 'initial'", cwd=newselftestdir, shell=True)
diff --git a/meta/lib/oeqa/sdkext/testsdk.py b/meta/lib/oeqa/sdkext/testsdk.py
index 57b2e0e03f..8ec5262d56 100644
--- a/meta/lib/oeqa/sdkext/testsdk.py
+++ b/meta/lib/oeqa/sdkext/testsdk.py
@@ -22,11 +22,8 @@ class TestSDKExt(TestSDKBase):
        subprocesstweak.errors_have_output()
-        # extensible sdk can be contaminated if native programs are
+        # We need the original PATH for testing the eSDK, not with our manipulations
-        # in PATH, i.e. use perl-native instead of eSDK one.
+        os.environ['PATH'] = d.getVar("BB_ORIGENV", False).getVar("PATH")
-        paths_to_avoid = [d.getVar('STAGING_DIR'),
-                        d.getVar('BASE_WORKDIR')]
-        os.environ['PATH'] = avoid_paths_in_environ(paths_to_avoid)
        tcname = d.expand("${SDK_DEPLOY}/${TOOLCHAINEXT_OUTPUTNAME}.sh")
        if not os.path.exists(tcname):
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py
index 4fa99acbc9..8d585430be 100644
--- a/meta/lib/oeqa/selftest/cases/signing.py
+++ b/meta/lib/oeqa/selftest/cases/signing.py
@@ -40,7 +40,9 @@ class Signing(OESelftestTestCase):
        origenv = os.environ.copy()
        for e in os.environ:
-            if builddir in os.environ[e]:
+            if builddir + "/" in os.environ[e]:
+                os.environ[e] = os.environ[e].replace(builddir + "/", newbuilddir + "/")
+            if os.environ[e].endswith(builddir):
                os.environ[e] = os.environ[e].replace(builddir, newbuilddir)
        os.chdir(newbuilddir)
diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc
index 1b676dc26e..97d83cb856 100644
--- a/meta/recipes-core/glibc/glibc-locale.inc
+++ b/meta/recipes-core/glibc/glibc-locale.inc
@@ -95,3 +95,6 @@ do_install () {
 inherit libc-package
 BBCLASSEXTEND = "nativesdk"
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc
index d703c14bdc..ef9d60ec23 100644
--- a/meta/recipes-core/glibc/glibc-mtrace.inc
+++ b/meta/recipes-core/glibc/glibc-mtrace.inc
@@ -11,3 +11,6 @@ do_install() {
        install -d -m 0755 ${D}${bindir}
        install -m 0755 ${SRC}/mtrace ${D}${bindir}/
 }
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc
index 2a2b41507e..14a14e4512 100644
--- a/meta/recipes-core/glibc/glibc-scripts.inc
+++ b/meta/recipes-core/glibc/glibc-scripts.inc
@@ -18,3 +18,6 @@ do_install() {
 # sotruss script requires sotruss-lib.so (given by libsotruss package), 
 # to produce trace of the library calls.
 RDEPENDS_${PN} += "libsotruss"
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
index b53f2ef2e2..a5c2992f2e 100644
--- a/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
+++ b/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Make-relocatable-install-for-locales.patch
@@ -65,3 +65,36 @@ index 68822a6319..537bc35149 100644
 
 /* Load the locale data for CATEGORY from the file specified by *NAME.
    If *NAME is "", use environment variables as specified by POSIX, and
+Index: git/locale/programs/locale.c
+===================================================================
+--- git.orig/locale/programs/locale.c
+++ git/locale/programs/locale.c
+@@ -632,6 +632,7 @@ nameentcmp (const void *a, const void *b
+                  ((const struct nameent *) b)->name);
+ }
+ 
+static char _write_archive_locales_path[4096] attribute_hidden __attribute__ ((section (".gccrelocprefix"))) = ARCHIVE_NAME;
+ 
+ static int
+ write_archive_locales (void **all_datap, char *linebuf)
+@@ -645,7 +646,7 @@ write_archive_locales (void **all_datap,
+   int fd, ret = 0;
+   uint32_t cnt;
+ 
+-  fd = open64 (ARCHIVE_NAME, O_RDONLY);
+  fd = open64 (_write_archive_locales_path, O_RDONLY);
+   if (fd < 0)
+     return 0;
+ 
+@@ -700,8 +701,8 @@ write_archive_locales (void **all_datap,
+          if (cnt)
+            putchar_unlocked ('\n');
+ 
+-         printf ("locale: %-15.15s archive: " ARCHIVE_NAME "\n%s\n",
+-                 names[cnt].name, linebuf);
+         printf ("locale: %-15.15s archive: %s\n%s\n",
+                 names[cnt].name, _write_archive_locales_path, linebuf);
+ 
+          locrec = (struct locrecent *) (addr + names[cnt].locrec_offset);
+ 
diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
index 7eb55d6663..7dc842887c 100644
--- a/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
+++ b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
@@ -5,12 +5,12 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
 From 8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa Mon Sep 17 00:00:00 2001
 From: Florian Weimer <fweimer@redhat.com>
 Date: Mon, 21 Jan 2019 08:59:42 +0100
-Subject: [PATCH] resolv: Reformat inet_addr, inet_aton to GNU style
+Subject: [PATCH 1/4] resolv: Reformat inet_addr, inet_aton to GNU style
 (cherry picked from commit 5e30b8ef0758763effa115634e0ed7d8938e4bc0)
 ---
 ChangeLog          |   5 ++
- resolv/inet_addr.c | 192 ++++++++++++++++++++++++++++-------------------------
+ resolv/inet_addr.c | 192 ++++++++++++++++++++++++---------------------
 2 files changed, 106 insertions(+), 91 deletions(-)
 diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c
@@ -229,4 +229,908 @@ index 022f7ea084..32f58b0e13 100644
 weak_alias (__inet_aton, inet_aton)
 libc_hidden_def (__inet_aton)
 -- 
-2.11.0
+2.20.1
+From 37edf1d3f8ab9adefb61cc466ac52b53114fbd5b Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 21 Jan 2019 09:26:41 +0100
+Subject: [PATCH 2/4] resolv: Do not send queries for non-host-names in nss_dns
+ [BZ #24112]
+Before this commit, nss_dns would send a query which did not contain a
+host name as the query name (such as invalid\032name.example.com) and
+then reject the answer in getanswer_r and gaih_getanswer_slice, using
+a check based on res_hnok.  With this commit, no query is sent, and a
+host-not-found error is returned to NSS without network interaction.
+(cherry picked from commit 6ca53a2453598804a2559a548a08424fca96434a)
+---
+ ChangeLog                 |  9 +++++++++
+ resolv/nss_dns/dns-host.c | 24 ++++++++++++++++++++++--
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index 5dc2829cd1..99c3b61e1c 100644
+--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
+@@ -274,11 +274,26 @@ gethostbyname3_context (struct resolv_context *ctx,
+   return status;
+ }
+ 
+/* Verify that the name looks like a host name.  There is no point in
+   sending a query which will not produce a usable name in the
+   response.  */
+static enum nss_status
+check_name (const char *name, int *h_errnop)
+{
+  if (res_hnok (name))
+    return NSS_STATUS_SUCCESS;
+  *h_errnop = HOST_NOT_FOUND;
+  return NSS_STATUS_NOTFOUND;
+}
+
+ enum nss_status
+ _nss_dns_gethostbyname2_r (const char *name, int af, struct hostent *result,
+                           char *buffer, size_t buflen, int *errnop,
+                           int *h_errnop)
+ {
+  enum nss_status status = check_name (name, h_errnop);
+  if (status != NSS_STATUS_SUCCESS)
+    return status;
+   return _nss_dns_gethostbyname3_r (name, af, result, buffer, buflen, errnop,
+                                    h_errnop, NULL, NULL);
+ }
+@@ -289,6 +304,9 @@ _nss_dns_gethostbyname_r (const char *name, struct hostent *result,
+                          char *buffer, size_t buflen, int *errnop,
+                          int *h_errnop)
+ {
+  enum nss_status status = check_name (name, h_errnop);
+  if (status != NSS_STATUS_SUCCESS)
+    return status;
+   struct resolv_context *ctx = __resolv_context_get ();
+   if (ctx == NULL)
+     {
+@@ -296,7 +314,7 @@ _nss_dns_gethostbyname_r (const char *name, struct hostent *result,
+       *h_errnop = NETDB_INTERNAL;
+       return NSS_STATUS_UNAVAIL;
+     }
+-  enum nss_status status = NSS_STATUS_NOTFOUND;
+  status = NSS_STATUS_NOTFOUND;
+   if (res_use_inet6 ())
+     status = gethostbyname3_context (ctx, name, AF_INET6, result, buffer,
+                                     buflen, errnop, h_errnop, NULL, NULL);
+@@ -313,6 +331,9 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
+                           char *buffer, size_t buflen, int *errnop,
+                           int *herrnop, int32_t *ttlp)
+ {
+  enum nss_status status = check_name (name, herrnop);
+  if (status != NSS_STATUS_SUCCESS)
+    return status;
+   struct resolv_context *ctx = __resolv_context_get ();
+   if (ctx == NULL)
+     {
+@@ -347,7 +368,6 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
+   int ans2p_malloced = 0;
+ 
+   int olderr = errno;
+-  enum nss_status status;
+   int n = __res_context_search (ctx, name, C_IN, T_QUERY_A_AND_AAAA,
+                                host_buffer.buf->buf, 2048, &host_buffer.ptr,
+                                &ans2p, &nans2p, &resplen2, &ans2p_malloced);
+-- 
+2.20.1
+From 2373941bd73cb288c8a42a33e23e7f7bb81151e7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 21 Jan 2019 21:26:03 +0100
+Subject: [PATCH 3/4] CVE-2016-10739: getaddrinfo: Fully parse IPv4 address
+ strings [BZ #20018]
+The IPv4 address parser in the getaddrinfo function is changed so that
+it does not ignore trailing whitespace and all characters after it.
+For backwards compatibility, the getaddrinfo function still recognizes
+legacy name syntax, such as 192.000.002.010 interpreted as 192.0.2.8
+(octal).
+This commit does not change the behavior of inet_addr and inet_aton.
+gethostbyname already had additional sanity checks (but is switched
+over to the new __inet_aton_exact function for completeness as well).
+To avoid sending the problematic query names over DNS, commit
+6ca53a2453598804a2559a548a08424fca96434a ("resolv: Do not send queries
+for non-host-names in nss_dns [BZ #24112]") is needed.
+(cherry picked from commit 108bc4049f8ae82710aec26a92ffdb4b439c83fd)
+---
+ ChangeLog                      |  33 ++++++++
+ NEWS                           |   4 +
+ include/arpa/inet.h            |   6 +-
+ nscd/gai.c                     |   1 -
+ nscd/gethstbynm3_r.c           |   2 -
+ nss/digits_dots.c              |   3 +-
+ resolv/Makefile                |   7 ++
+ resolv/Versions                |   1 +
+ resolv/inet_addr.c             |  62 ++++++++++-----
+ resolv/res_init.c              |  17 ++--
+ resolv/tst-aton.c              |  35 +++++++--
+ resolv/tst-inet_aton_exact.c   |  47 +++++++++++
+ resolv/tst-resolv-nondecimal.c | 139 +++++++++++++++++++++++++++++++++
+ resolv/tst-resolv-trailing.c   | 136 ++++++++++++++++++++++++++++++++
+ sysdeps/posix/getaddrinfo.c    |   2 +-
+ 15 files changed, 455 insertions(+), 40 deletions(-)
+ create mode 100644 resolv/tst-inet_aton_exact.c
+ create mode 100644 resolv/tst-resolv-nondecimal.c
+ create mode 100644 resolv/tst-resolv-trailing.c
+diff --git a/include/arpa/inet.h b/include/arpa/inet.h
+index c3f28f2baa..19aec74275 100644
+--- a/include/arpa/inet.h
+++ b/include/arpa/inet.h
+@@ -1,10 +1,10 @@
+ #include <inet/arpa/inet.h>
+ 
+ #ifndef _ISOMAC
+-extern int __inet_aton (const char *__cp, struct in_addr *__inp);
+-libc_hidden_proto (__inet_aton)
+/* Variant of inet_aton which rejects trailing garbage.  */
+extern int __inet_aton_exact (const char *__cp, struct in_addr *__inp);
+libc_hidden_proto (__inet_aton_exact)
+ 
+-libc_hidden_proto (inet_aton)
+ libc_hidden_proto (inet_ntop)
+ libc_hidden_proto (inet_pton)
+ extern __typeof (inet_pton) __inet_pton;
+diff --git a/nscd/gai.c b/nscd/gai.c
+index 24bdfee1db..f57f396f57 100644
+--- a/nscd/gai.c
+++ b/nscd/gai.c
+@@ -19,7 +19,6 @@
+ 
+ /* This file uses the getaddrinfo code but it compiles it without NSCD
+    support.  We just need a few symbol renames.  */
+-#define __inet_aton inet_aton
+ #define __ioctl ioctl
+ #define __getsockname getsockname
+ #define __socket socket
+diff --git a/nscd/gethstbynm3_r.c b/nscd/gethstbynm3_r.c
+index 7beb9dce9f..f792c4fcd0 100644
+--- a/nscd/gethstbynm3_r.c
+++ b/nscd/gethstbynm3_r.c
+@@ -38,8 +38,6 @@
+ #define HAVE_LOOKUP_BUFFER     1
+ #define HAVE_AF                        1
+ 
+-#define __inet_aton inet_aton
+-
+ /* We are nscd, so we don't want to be talking to ourselves.  */
+ #undef USE_NSCD
+ 
+diff --git a/nss/digits_dots.c b/nss/digits_dots.c
+index 39bff38865..5441bce16e 100644
+--- a/nss/digits_dots.c
+++ b/nss/digits_dots.c
+@@ -29,7 +29,6 @@
+ #include "nsswitch.h"
+ 
+ #ifdef USE_NSCD
+-# define inet_aton __inet_aton
+ # include <nscd/nscd_proto.h>
+ #endif
+ 
+@@ -160,7 +159,7 @@ __nss_hostname_digits_dots_context (struct resolv_context *ctx,
+                     255.255.255.255?  The test below will succeed
+                     spuriously... ???  */
+                  if (af == AF_INET)
+-                   ok = __inet_aton (name, (struct in_addr *) host_addr);
+                   ok = __inet_aton_exact (name, (struct in_addr *) host_addr);
+                  else
+                    {
+                      assert (af == AF_INET6);
+diff --git a/resolv/Makefile b/resolv/Makefile
+index ea395ac3eb..d36eedd34a 100644
+--- a/resolv/Makefile
+++ b/resolv/Makefile
+@@ -34,6 +34,9 @@ routines := herror inet_addr inet_ntop inet_pton nsap_addr res_init \
+ tests = tst-aton tst-leaks tst-inet_ntop
+ xtests = tst-leaks2
+ 
+tests-internal += tst-inet_aton_exact
+
+
+ generate := mtrace-tst-leaks.out tst-leaks.mtrace tst-leaks2.mtrace
+ 
+ extra-libs := libresolv libnss_dns
+@@ -54,8 +57,10 @@ tests += \
+   tst-resolv-binary \
+   tst-resolv-edns \
+   tst-resolv-network \
+  tst-resolv-nondecimal \
+   tst-resolv-res_init-multi \
+   tst-resolv-search \
+  tst-resolv-trailing \
+ 
+ # These tests need libdl.
+ ifeq (yes,$(build-shared))
+@@ -190,9 +195,11 @@ $(objpfx)tst-resolv-res_init-multi: $(objpfx)libresolv.so \
+   $(shared-thread-library)
+ $(objpfx)tst-resolv-res_init-thread: $(libdl) $(objpfx)libresolv.so \
+   $(shared-thread-library)
+$(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-search: $(objpfx)libresolv.so $(shared-thread-library)
+$(objpfx)tst-resolv-trailing: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-threads: \
+   $(libdl) $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-canonname: \
+diff --git a/resolv/Versions b/resolv/Versions
+index b05778d965..9a82704af7 100644
+--- a/resolv/Versions
+++ b/resolv/Versions
+@@ -27,6 +27,7 @@ libc {
+     __h_errno; __resp;
+ 
+     __res_iclose;
+    __inet_aton_exact;
+     __inet_pton_length;
+     __resolv_context_get;
+     __resolv_context_get_preinit;
+diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c
+index 32f58b0e13..41b6166a5b 100644
+--- a/resolv/inet_addr.c
+++ b/resolv/inet_addr.c
+@@ -96,26 +96,14 @@
+ #include <limits.h>
+ #include <errno.h>
+ 
+-/* ASCII IPv4 Internet address interpretation routine.  The value
+-   returned is in network order.  */
+-in_addr_t
+-__inet_addr (const char *cp)
+-{
+-  struct in_addr val;
+-
+-  if (__inet_aton (cp, &val))
+-    return val.s_addr;
+-  return INADDR_NONE;
+-}
+-weak_alias (__inet_addr, inet_addr)
+-
+ /* Check whether "cp" is a valid ASCII representation of an IPv4
+    Internet address and convert it to a binary address.  Returns 1 if
+    the address is valid, 0 if not.  This replaces inet_addr, the
+    return value from which cannot distinguish between failure and a
+-   local broadcast address.  */
+-int
+-__inet_aton (const char *cp, struct in_addr *addr)
+   local broadcast address.  Write a pointer to the first
+   non-converted character to *endp.  */
+static int
+inet_aton_end (const char *cp, struct in_addr *addr, const char **endp)
+ {
+   static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
+   in_addr_t val;
+@@ -180,6 +168,7 @@ __inet_aton (const char *cp, struct in_addr *addr)
+ 
+   if (addr != NULL)
+     addr->s_addr = res.word | htonl (val);
+  *endp = cp;
+ 
+   __set_errno (saved_errno);
+   return 1;
+@@ -188,6 +177,41 @@ __inet_aton (const char *cp, struct in_addr *addr)
+   __set_errno (saved_errno);
+   return 0;
+ }
+-weak_alias (__inet_aton, inet_aton)
+-libc_hidden_def (__inet_aton)
+-libc_hidden_weak (inet_aton)
+
+int
+__inet_aton_exact (const char *cp, struct in_addr *addr)
+{
+  struct in_addr val;
+  const char *endp;
+  /* Check that inet_aton_end parsed the entire string.  */
+  if (inet_aton_end (cp, &val, &endp) != 0 && *endp == 0)
+    {
+      *addr = val;
+      return 1;
+    }
+  else
+    return 0;
+}
+libc_hidden_def (__inet_aton_exact)
+
+/* inet_aton ignores trailing garbage.  */
+int
+__inet_aton_ignore_trailing (const char *cp, struct in_addr *addr)
+{
+  const char *endp;
+  return  inet_aton_end (cp, addr, &endp);
+}
+weak_alias (__inet_aton_ignore_trailing, inet_aton)
+
+/* ASCII IPv4 Internet address interpretation routine.  The value
+   returned is in network order.  */
+in_addr_t
+__inet_addr (const char *cp)
+{
+  struct in_addr val;
+  const char *endp;
+  if (inet_aton_end (cp, &val, &endp))
+    return val.s_addr;
+  return INADDR_NONE;
+}
+weak_alias (__inet_addr, inet_addr)
+diff --git a/resolv/res_init.c b/resolv/res_init.c
+index f5e52cbbb9..94743a252e 100644
+--- a/resolv/res_init.c
+++ b/resolv/res_init.c
+@@ -399,8 +399,16 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+               cp = parser->buffer + sizeof ("nameserver") - 1;
+               while (*cp == ' ' || *cp == '\t')
+                 cp++;
+
+              /* Ignore trailing contents on the name server line.  */
+              {
+                char *el;
+                if ((el = strpbrk (cp, " \t\n")) != NULL)
+                  *el = '\0';
+              }
+
+               struct sockaddr *sa;
+-              if ((*cp != '\0') && (*cp != '\n') && __inet_aton (cp, &a))
+              if ((*cp != '\0') && (*cp != '\n') && __inet_aton_exact (cp, &a))
+                 {
+                   sa = allocate_address_v4 (a, NAMESERVER_PORT);
+                   if (sa == NULL)
+@@ -410,9 +418,6 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+                 {
+                   struct in6_addr a6;
+                   char *el;
+-
+-                  if ((el = strpbrk (cp, " \t\n")) != NULL)
+-                    *el = '\0';
+                   if ((el = strchr (cp, SCOPE_DELIMITER)) != NULL)
+                     *el = '\0';
+                   if ((*cp != '\0') && (__inet_pton (AF_INET6, cp, &a6) > 0))
+@@ -472,7 +477,7 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+                   char separator = *cp;
+                   *cp = 0;
+                   struct resolv_sortlist_entry e;
+-                  if (__inet_aton (net, &a))
+                  if (__inet_aton_exact (net, &a))
+                     {
+                       e.addr = a;
+                       if (is_sort_mask (separator))
+@@ -484,7 +489,7 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+                             cp++;
+                           separator = *cp;
+                           *cp = 0;
+-                          if (__inet_aton (net, &a))
+                          if (__inet_aton_exact (net, &a))
+                             e.mask = a.s_addr;
+                           else
+                             e.mask = net_mask (e.addr);
+diff --git a/resolv/tst-aton.c b/resolv/tst-aton.c
+index 08110a007a..eb734d7758 100644
+--- a/resolv/tst-aton.c
+++ b/resolv/tst-aton.c
+@@ -1,11 +1,29 @@
+/* Test legacy IPv4 text-to-address function inet_aton.
+   Copyright (C) 1998-2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <array_length.h>
+ #include <stdio.h>
+ #include <stdint.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ 
+-
+-static struct tests
+static const struct tests
+ {
+   const char *input;
+   int valid;
+@@ -16,6 +34,7 @@ static struct tests
+   { "-1", 0, 0 },
+   { "256", 1, 0x00000100 },
+   { "256.", 0, 0 },
+  { "255a", 0, 0 },
+   { "256a", 0, 0 },
+   { "0x100", 1, 0x00000100 },
+   { "0200.0x123456", 1, 0x80123456 },
+@@ -40,7 +59,12 @@ static struct tests
+   { "1.2.256.4", 0, 0 },
+   { "1.2.3.0x100", 0, 0 },
+   { "323543357756889", 0, 0 },
+-  { "10.1.2.3.4", 0, 0},
+  { "10.1.2.3.4", 0, 0 },
+  { "192.0.2.1", 1, 0xc0000201 },
+  { "192.0.2.2\nX", 1, 0xc0000202 },
+  { "192.0.2.3 Y", 1, 0xc0000203 },
+  { "192.0.2.3Z", 0, 0 },
+  { "192.000.002.010", 1, 0xc0000208 },
+ };
+ 
+ 
+@@ -50,7 +74,7 @@ do_test (void)
+   int result = 0;
+   size_t cnt;
+ 
+-  for (cnt = 0; cnt < sizeof (tests) / sizeof (tests[0]); ++cnt)
+  for (cnt = 0; cnt < array_length (tests); ++cnt)
+     {
+       struct in_addr addr;
+ 
+@@ -73,5 +97,4 @@ do_test (void)
+   return result;
+ }
+ 
+-#define TEST_FUNCTION do_test ()
+-#include "../test-skeleton.c"
+#include <support/test-driver.c>
+diff --git a/resolv/tst-inet_aton_exact.c b/resolv/tst-inet_aton_exact.c
+new file mode 100644
+index 0000000000..0fdfa3d6aa
+--- /dev/null
+++ b/resolv/tst-inet_aton_exact.c
+@@ -0,0 +1,47 @@
+/* Test internal legacy IPv4 text-to-address function __inet_aton_exact.
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <arpa/inet.h>
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+  struct in_addr addr = { };
+
+  TEST_COMPARE (__inet_aton_exact ("192.0.2.1", &addr), 1);
+  TEST_COMPARE (ntohl (addr.s_addr), 0xC0000201);
+
+  TEST_COMPARE (__inet_aton_exact ("192.000.002.010", &addr), 1);
+  TEST_COMPARE (ntohl (addr.s_addr), 0xC0000208);
+  TEST_COMPARE (__inet_aton_exact ("0xC0000234", &addr), 1);
+  TEST_COMPARE (ntohl (addr.s_addr), 0xC0000234);
+
+  /* Trailing content is not accepted.  */
+  TEST_COMPARE (__inet_aton_exact ("192.0.2.2X", &addr), 0);
+  TEST_COMPARE (__inet_aton_exact ("192.0.2.3 Y", &addr), 0);
+  TEST_COMPARE (__inet_aton_exact ("192.0.2.4\nZ", &addr), 0);
+  TEST_COMPARE (__inet_aton_exact ("192.0.2.5\tT", &addr), 0);
+  TEST_COMPARE (__inet_aton_exact ("192.0.2.6 Y", &addr), 0);
+  TEST_COMPARE (__inet_aton_exact ("192.0.2.7\n", &addr), 0);
+  TEST_COMPARE (__inet_aton_exact ("192.0.2.8\t", &addr), 0);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
+diff --git a/resolv/tst-resolv-nondecimal.c b/resolv/tst-resolv-nondecimal.c
+new file mode 100644
+index 0000000000..a0df6f332a
+--- /dev/null
+++ b/resolv/tst-resolv-nondecimal.c
+@@ -0,0 +1,139 @@
+/* Test name resolution behavior for octal, hexadecimal IPv4 addresses.
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <netdb.h>
+#include <stdlib.h>
+#include <support/check.h>
+#include <support/check_nss.h>
+#include <support/resolv_test.h>
+#include <support/support.h>
+
+static void
+response (const struct resolv_response_context *ctx,
+          struct resolv_response_builder *b,
+          const char *qname, uint16_t qclass, uint16_t qtype)
+{
+  /* The tests are not supposed send any DNS queries.  */
+  FAIL_EXIT1 ("unexpected DNS query for %s/%d/%d", qname, qclass, qtype);
+}
+
+static void
+run_query_addrinfo (const char *query, const char *address)
+{
+  char *quoted_query = support_quote_string (query);
+
+  struct addrinfo *ai;
+  struct addrinfo hints =
+    {
+     .ai_socktype = SOCK_STREAM,
+     .ai_protocol = IPPROTO_TCP,
+    };
+
+  char *context = xasprintf ("getaddrinfo \"%s\" AF_INET", quoted_query);
+  char *expected = xasprintf ("address: STREAM/TCP %s 80\n", address);
+  hints.ai_family = AF_INET;
+  int ret = getaddrinfo (query, "80", &hints, &ai);
+  check_addrinfo (context, ai, ret, expected);
+  if (ret == 0)
+    freeaddrinfo (ai);
+  free (context);
+
+  context = xasprintf ("getaddrinfo \"%s\" AF_UNSPEC", quoted_query);
+  hints.ai_family = AF_UNSPEC;
+  ret = getaddrinfo (query, "80", &hints, &ai);
+  check_addrinfo (context, ai, ret, expected);
+  if (ret == 0)
+    freeaddrinfo (ai);
+  free (expected);
+  free (context);
+
+  context = xasprintf ("getaddrinfo \"%s\" AF_INET6", quoted_query);
+  expected = xasprintf ("flags: AI_V4MAPPED\n"
+                        "address: STREAM/TCP ::ffff:%s 80\n",
+                        address);
+  hints.ai_family = AF_INET6;
+  hints.ai_flags = AI_V4MAPPED;
+  ret = getaddrinfo (query, "80", &hints, &ai);
+  check_addrinfo (context, ai, ret, expected);
+  if (ret == 0)
+    freeaddrinfo (ai);
+  free (expected);
+  free (context);
+
+  free (quoted_query);
+}
+
+static void
+run_query (const char *query, const char *address)
+{
+  char *quoted_query = support_quote_string (query);
+  char *context = xasprintf ("gethostbyname (\"%s\")", quoted_query);
+  char *expected = xasprintf ("name: %s\n"
+                              "address: %s\n", query, address);
+  check_hostent (context, gethostbyname (query), expected);
+  free (context);
+
+  context = xasprintf ("gethostbyname_r \"%s\"", quoted_query);
+  struct hostent storage;
+  char buf[4096];
+  struct hostent *e = NULL;
+  TEST_COMPARE (gethostbyname_r (query, &storage, buf, sizeof (buf),
+                                 &e, &h_errno), 0);
+  check_hostent (context, e, expected);
+  free (context);
+
+  context = xasprintf ("gethostbyname2 (\"%s\", AF_INET)", quoted_query);
+  check_hostent (context, gethostbyname2 (query, AF_INET), expected);
+  free (context);
+
+  context = xasprintf ("gethostbyname2_r \"%s\" AF_INET", quoted_query);
+  e = NULL;
+  TEST_COMPARE (gethostbyname2_r (query, AF_INET, &storage, buf, sizeof (buf),
+                                  &e, &h_errno), 0);
+  check_hostent (context, e, expected);
+  free (context);
+  free (expected);
+
+  free (quoted_query);
+
+  /* The gethostbyname tests are always valid for getaddrinfo, but not
+     vice versa.  */
+  run_query_addrinfo (query, address);
+}
+
+static int
+do_test (void)
+{
+  struct resolv_test *aux = resolv_test_start
+    ((struct resolv_redirect_config)
+     {
+       .response_callback = response,
+     });
+
+  run_query ("192.000.002.010", "192.0.2.8");
+
+  /* Hexadecimal numbers are not accepted by gethostbyname.  */
+  run_query_addrinfo ("0xc0000210", "192.0.2.16");
+  run_query_addrinfo ("192.0x234", "192.0.2.52");
+
+  resolv_test_end (aux);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
+diff --git a/resolv/tst-resolv-trailing.c b/resolv/tst-resolv-trailing.c
+new file mode 100644
+index 0000000000..7504bdae57
+--- /dev/null
+++ b/resolv/tst-resolv-trailing.c
+@@ -0,0 +1,136 @@
+/* Test name resolution behavior with trailing characters.
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <array_length.h>
+#include <netdb.h>
+#include <support/check.h>
+#include <support/check_nss.h>
+#include <support/resolv_test.h>
+#include <support/support.h>
+
+static void
+response (const struct resolv_response_context *ctx,
+          struct resolv_response_builder *b,
+          const char *qname, uint16_t qclass, uint16_t qtype)
+{
+  /* The tests are not supposed send any DNS queries.  */
+  FAIL_EXIT1 ("unexpected DNS query for %s/%d/%d", qname, qclass, qtype);
+}
+
+static int
+do_test (void)
+{
+  struct resolv_test *aux = resolv_test_start
+    ((struct resolv_redirect_config)
+     {
+       .response_callback = response,
+     });
+
+  static const char *const queries[] =
+    {
+     "192.0.2.1 ",
+     "192.0.2.2\t",
+     "192.0.2.3\n",
+     "192.0.2.4 X",
+     "192.0.2.5\tY",
+     "192.0.2.6\nZ",
+     "192.0.2. ",
+     "192.0.2.\t",
+     "192.0.2.\n",
+     "192.0.2. X",
+     "192.0.2.\tY",
+     "192.0.2.\nZ",
+     "2001:db8::1 ",
+     "2001:db8::2\t",
+     "2001:db8::3\n",
+     "2001:db8::4 X",
+     "2001:db8::5\tY",
+     "2001:db8::6\nZ",
+    };
+  for (size_t query_idx = 0; query_idx < array_length (queries); ++query_idx)
+    {
+      const char *query = queries[query_idx];
+      struct hostent storage;
+      char buf[4096];
+      struct hostent *e;
+
+      h_errno = 0;
+      TEST_VERIFY (gethostbyname (query) == NULL);
+      TEST_COMPARE (h_errno, HOST_NOT_FOUND);
+
+      h_errno = 0;
+      e = NULL;
+      TEST_COMPARE (gethostbyname_r (query, &storage, buf, sizeof (buf),
+                                     &e, &h_errno), 0);
+      TEST_VERIFY (e == NULL);
+      TEST_COMPARE (h_errno, HOST_NOT_FOUND);
+
+      h_errno = 0;
+      TEST_VERIFY (gethostbyname2 (query, AF_INET) == NULL);
+      TEST_COMPARE (h_errno, HOST_NOT_FOUND);
+
+      h_errno = 0;
+      e = NULL;
+      TEST_COMPARE (gethostbyname2_r (query, AF_INET,
+                                      &storage, buf, sizeof (buf),
+                                     &e, &h_errno), 0);
+      TEST_VERIFY (e == NULL);
+      TEST_COMPARE (h_errno, HOST_NOT_FOUND);
+
+      h_errno = 0;
+      TEST_VERIFY (gethostbyname2 (query, AF_INET6) == NULL);
+      TEST_COMPARE (h_errno, HOST_NOT_FOUND);
+
+      h_errno = 0;
+      e = NULL;
+      TEST_COMPARE (gethostbyname2_r (query, AF_INET6,
+                                      &storage, buf, sizeof (buf),
+                                     &e, &h_errno), 0);
+      TEST_VERIFY (e == NULL);
+      TEST_COMPARE (h_errno, HOST_NOT_FOUND);
+
+      static const int gai_flags[] =
+        {
+         0,
+         AI_ADDRCONFIG,
+         AI_NUMERICHOST,
+         AI_IDN,
+         AI_IDN | AI_NUMERICHOST,
+         AI_V4MAPPED,
+         AI_V4MAPPED | AI_NUMERICHOST,
+        };
+      for (size_t gai_flags_idx; gai_flags_idx < array_length (gai_flags);
+             ++gai_flags_idx)
+        {
+          struct addrinfo hints = { .ai_flags = gai_flags[gai_flags_idx], };
+          struct addrinfo *ai;
+          hints.ai_family = AF_INET;
+          TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME);
+          hints.ai_family = AF_INET6;
+          TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME);
+          hints.ai_family = AF_UNSPEC;
+          TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME);
+        }
+    };
+
+  resolv_test_end (aux);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 553833d1f2..c91b281e31 100644
+--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
+@@ -488,7 +488,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+          malloc_name = true;
+        }
+ 
+-      if (__inet_aton (name, (struct in_addr *) at->addr) != 0)
+      if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0)
+        {
+          if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET)
+            at->family = AF_INET;
+-- 
+2.20.1
+From c533244b8e00ae701583ec50aeb43377d292452d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 4 Feb 2019 20:07:18 +0100
+Subject: [PATCH 4/4] nscd: Do not use __inet_aton_exact@GLIBC_PRIVATE [BZ
+ #20018]
+This commit avoids referencing the __inet_aton_exact@GLIBC_PRIVATE
+symbol from nscd.  In master, the separately-compiled getaddrinfo
+implementation in nscd needs it, however such an internal ABI change
+is not desirable on a release branch if it can be avoided.
+---
+ ChangeLog             | 10 ++++++++++
+ nscd/Makefile         |  2 +-
+ nscd/gai.c            |  6 ++++++
+ nscd/nscd-inet_addr.c | 32 ++++++++++++++++++++++++++++++++
+ 4 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100644 nscd/nscd-inet_addr.c
+diff --git a/nscd/Makefile b/nscd/Makefile
+index b713a84c49..eb23c01a39 100644
+--- a/nscd/Makefile
+++ b/nscd/Makefile
+@@ -36,7 +36,7 @@ nscd-modules := nscd connections pwdcache getpwnam_r getpwuid_r grpcache \
+                getsrvbynm_r getsrvbypt_r servicescache \
+                dbg_log nscd_conf nscd_stat cache mem nscd_setup_thread \
+                xmalloc xstrdup aicache initgrcache gai res_hconf \
+-               netgroupcache
+               netgroupcache nscd-inet_addr
+ 
+ ifeq ($(build-nscd)$(have-thread-library),yesyes)
+ 
+diff --git a/nscd/gai.c b/nscd/gai.c
+index f57f396f57..68a4abd30e 100644
+--- a/nscd/gai.c
+++ b/nscd/gai.c
+@@ -33,6 +33,12 @@
+ #define __getifaddrs getifaddrs
+ #define __freeifaddrs freeifaddrs
+ 
+/* We do not want to export __inet_aton_exact.  Get the prototype and
+   change its visibility to hidden.  */
+#include <arpa/inet.h>
+__typeof__ (__inet_aton_exact) __inet_aton_exact
+  __attribute__ ((visibility ("hidden")));
+
+ /* We are nscd, so we don't want to be talking to ourselves.  */
+ #undef  USE_NSCD
+ 
+diff --git a/nscd/nscd-inet_addr.c b/nscd/nscd-inet_addr.c
+new file mode 100644
+index 0000000000..f366b9567d
+--- /dev/null
+++ b/nscd/nscd-inet_addr.c
+@@ -0,0 +1,32 @@
+/* Legacy IPv4 text-to-address functions.  Version for nscd.
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <arpa/inet.h>
+
+/* We do not want to export __inet_aton_exact.  Get the prototype and
+   change the visibility to hidden.  */
+#include <arpa/inet.h>
+__typeof__ (__inet_aton_exact) __inet_aton_exact
+  __attribute__ ((visibility ("hidden")));
+
+/* Do not provide definitions of the public symbols exported from
+   libc.  */
+#undef weak_alias
+#define weak_alias(from, to)
+
+#include <resolv/inet_addr.c>
+-- 
+2.20.1
diff --git a/meta/recipes-core/meta/buildtools-extended-tarball.bb b/meta/recipes-core/meta/buildtools-extended-tarball.bb
new file mode 100644
index 0000000000..94ed57585b
--- /dev/null
+++ b/meta/recipes-core/meta/buildtools-extended-tarball.bb
@@ -0,0 +1,36 @@
+require recipes-core/meta/buildtools-tarball.bb
+DESCRIPTION = "SDK type target for building a standalone tarball containing build-essentials, python3, chrpath, \
+               make, git and tar. The tarball can be used to run bitbake builds on systems which don't meet the \
+               usual version requirements and have ancient compilers."
+SUMMARY = "Standalone tarball for running builds on systems with inadequate software and ancient compilers"
+LICENSE = "MIT"
+# Add nativesdk equivalent of build-essentials
+TOOLCHAIN_HOST_TASK += "\
+    nativesdk-automake \
+    nativesdk-autoconf \
+    nativesdk-binutils \
+    nativesdk-binutils-symlinks \
+    nativesdk-cpp \
+    nativesdk-cpp-symlinks \
+    nativesdk-gcc \
+    nativesdk-gcc-symlinks \
+    nativesdk-g++ \
+    nativesdk-g++-symlinks \
+    nativesdk-gettext \
+    nativesdk-libatomic \
+    nativesdk-libgcc \
+    nativesdk-libstdc++ \
+    nativesdk-libstdc++-dev \
+    nativesdk-libstdc++-staticdev \
+    nativesdk-libtool \
+    nativesdk-pkgconfig \
+    nativesdk-glibc-utils \
+    nativesdk-python \
+    nativesdk-libxcrypt-dev \
+    "
+TOOLCHAIN_OUTPUTNAME = "${SDK_ARCH}-buildtools-extended-nativesdk-standalone-${DISTRO_VERSION}"
+SDK_TITLE = "Extended Build tools"
diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb
index 91df6f1ae9..aba10b4cd6 100644
--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -72,7 +72,13 @@ create_sdk_files_append () {
        toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS}
        echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
+        echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
+        echo 'export OPENSSL_CONF="${SDKPATHNATIVE}${sysconfdir}/ssl/openssl.cnf"' >>$script
+        mkdir -p ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/
+        echo '${SDKPATHNATIVE}${libdir}
+${SDKPATHNATIVE}${base_libdir}
+include /etc/ld.so.conf' > ${SDK_OUTPUT}/${SDKPATHNATIVE}${sysconfdir}/ld.so.conf
        if [ "${SDKMACHINE}" = "i686" ]; then
                echo 'export NO32LIBS="0"' >>$script
                echo 'echo "$BB_ENV_EXTRAWHITE" | grep -q "NO32LIBS"' >>$script
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
new file mode 100644
index 0000000000..e9a023e9bd
--- /dev/null
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -0,0 +1,190 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "MIT"
+INHIBIT_DEFAULT_DEPS = "1"
+inherit native
+deltask do_unpack
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+python () {
+    if not d.getVar("CVE_CHECK_DB_FILE"):
+        raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
+}
+python do_populate_cve_db() {
+    """
+    Update NVD database with json data feed
+    """
+    import bb.utils
+    import sqlite3, urllib, urllib.parse, shutil, gzip
+    from datetime import date
+    bb.utils.export_proxies(d)
+    BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
+    YEAR_START = 2002
+    db_file = d.getVar("CVE_CHECK_DB_FILE")
+    db_dir = os.path.dirname(db_file)
+    json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
+    # Don't refresh the database more than once an hour
+    try:
+        import time
+        if time.time() - os.path.getmtime(db_file) < (60*60):
+            return
+    except OSError:
+        pass
+    cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
+    if not os.path.isdir(db_dir):
+        os.mkdir(db_dir)
+    # Connect to database
+    conn = sqlite3.connect(db_file)
+    c = conn.cursor()
+    initialize_db(c)
+    for year in range(YEAR_START, date.today().year + 1):
+        year_url = BASE_URL + str(year)
+        meta_url = year_url + ".meta"
+        json_url = year_url + ".json.gz"
+        # Retrieve meta last modified date
+        response = urllib.request.urlopen(meta_url)
+        if response:
+            for l in response.read().decode("utf-8").splitlines():
+                key, value = l.split(":", 1)
+                if key == "lastModifiedDate":
+                    last_modified = value
+                    break
+            else:
+                bb.warn("Cannot parse CVE metadata, update failed")
+                return
+        # Compare with current db last modified date
+        c.execute("select DATE from META where YEAR = ?", (year,))
+        meta = c.fetchone()
+        if not meta or meta[0] != last_modified:
+            # Clear products table entries corresponding to current year
+            c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,))
+            # Update db with current year json file
+            try:
+                response = urllib.request.urlopen(json_url)
+                if response:
+                    update_db(c, gzip.decompress(response.read()).decode('utf-8'))
+                c.execute("insert or replace into META values (?, ?)", [year, last_modified])
+            except urllib.error.URLError as e:
+                cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+                bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
+                return
+        # Update success, set the date to cve_check file.
+        if year == date.today().year:
+            cve_f.write('CVE database update : %s\n\n' % date.today())
+    cve_f.close()
+    conn.commit()
+    conn.close()
+}
+def initialize_db(c):
+    c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
+    c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
+        SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+    c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
+        VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
+        VERSION_END TEXT, OPERATOR_END TEXT)")
+    c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
+def parse_node_and_insert(c, node, cveId):
+    # Parse children node if needed
+    for child in node.get('children', ()):
+        parse_node_and_insert(c, child, cveId)
+    def cpe_generator():
+        for cpe in node.get('cpe_match', ()):
+            if not cpe['vulnerable']:
+                return
+            cpe23 = cpe['cpe23Uri'].split(':')
+            vendor = cpe23[3]
+            product = cpe23[4]
+            version = cpe23[5]
+            if version != '*':
+                # Version is defined, this is a '=' match
+                yield [cveId, vendor, product, version, '=', '', '']
+            else:
+                # Parse start version, end version and operators
+                op_start = ''
+                op_end = ''
+                v_start = ''
+                v_end = ''
+                if 'versionStartIncluding' in cpe:
+                    op_start = '>='
+                    v_start = cpe['versionStartIncluding']
+                if 'versionStartExcluding' in cpe:
+                    op_start = '>'
+                    v_start = cpe['versionStartExcluding']
+                if 'versionEndIncluding' in cpe:
+                    op_end = '<='
+                    v_end = cpe['versionEndIncluding']
+                if 'versionEndExcluding' in cpe:
+                    op_end = '<'
+                    v_end = cpe['versionEndExcluding']
+                yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+    c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator())
+def update_db(c, jsondata):
+    import json
+    root = json.loads(jsondata)
+    for elt in root['CVE_Items']:
+        if not elt['impact']:
+            continue
+        accessVector = None
+        cveId = elt['cve']['CVE_data_meta']['ID']
+        cveDesc = elt['cve']['description']['description_data'][0]['value']
+        date = elt['lastModifiedDate']
+        try:
+            accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
+            cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
+        except KeyError:
+            cvssv2 = 0.0
+        try:
+            accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector']
+            cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+        except KeyError:
+            accessVector = accessVector or "UNKNOWN"
+            cvssv3 = 0.0
+        c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
+                [cveId, cveDesc, cvssv2, cvssv3, date, accessVector])
+        configurations = elt['configurations']['nodes']
+        for config in configurations:
+            parse_node_and_insert(c, config, cveId)
+addtask do_populate_cve_db before do_fetch
+do_populate_cve_db[nostamp] = "1"
+EXCLUDE_FROM_WORLD = "1"
diff --git a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
index 6a8748acdf..ee7d7cd660 100644
--- a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
+++ b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
@@ -15,12 +15,15 @@ DUMMYPROVIDES = "\
    nativesdk-perl-module-file-find \
    nativesdk-perl-module-file-glob \
    nativesdk-perl-module-file-path \
+    nativesdk-perl-module-file-spec \
    nativesdk-perl-module-file-stat \
    nativesdk-perl-module-getopt-long \
    nativesdk-perl-module-io-file \
+    nativesdk-perl-module-overloading \
    nativesdk-perl-module-posix \
    nativesdk-perl-module-thread-queue \
    nativesdk-perl-module-threads \
+    nativesdk-perl-module-warnings \
    /usr/bin/perl \
    "
diff --git a/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch b/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch
new file mode 100644
index 0000000000..408f7d18b7
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/nativesdk-relocation.patch
@@ -0,0 +1,80 @@
+We need binutils to look at our ld.so.conf file within the SDK to ensure 
+we search the SDK's libdirs as well as those from the host system.
+We therefore pass in the directory to the code using a define, then add
+it to a section we relocate in a similar way to the way we relocate the
+gcc internal paths. This ensures that ld works correctly in our buildtools
+tarball.
+Standard sysroot relocation doesn't work since we're not in a sysroot, 
+we want to use both the host system and SDK libs.
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+2020/1/17
+Upstream-Status: Inappropriate [OE specific tweak]
+Index: git/ld/Makefile.am
+===================================================================
+--- git.orig/ld/Makefile.am
+++ git/ld/Makefile.am
+@@ -36,7 +36,8 @@ am__skipyacc =
+ 
+ ELF_CLFAGS=-DELF_LIST_OPTIONS=@elf_list_options@ \
+           -DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \
+-          -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@
+          -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \
+           -DSYSCONFDIR="\"$(sysconfdir)\""
+ WARN_CFLAGS = @WARN_CFLAGS@
+ NO_WERROR = @NO_WERROR@
+ AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS)
+Index: git/ld/Makefile.in
+===================================================================
+--- git.orig/ld/Makefile.in
+++ git/ld/Makefile.in
+@@ -546,7 +546,8 @@ am__skiplex =
+ am__skipyacc = 
+ ELF_CLFAGS = -DELF_LIST_OPTIONS=@elf_list_options@ \
+           -DELF_SHLIB_LIST_OPTIONS=@elf_shlib_list_options@ \
+-          -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@
+          -DELF_PLT_UNWIND_LIST_OPTIONS=@elf_plt_unwind_list_options@ \
+           -DSYSCONFDIR="\"$(sysconfdir)\""
+ 
+ AM_CFLAGS = $(WARN_CFLAGS) $(ELF_CLFAGS)
+ @ENABLE_PLUGINS_FALSE@PLUGIN_C = 
+Index: git/ld/emultempl/elf32.em
+===================================================================
+--- git.orig/ld/emultempl/elf32.em
+++ git/ld/emultempl/elf32.em
+@@ -1024,7 +1024,7 @@ gld${EMULATION_NAME}_check_ld_so_conf (c
+ 
+       info.path = NULL;
+       info.len = info.alloc = 0;
+-      tmppath = concat (ld_sysroot, "${prefix}/etc/ld.so.conf",
+      tmppath = concat (ld_sysconfdir, "/ld.so.conf",
+                        (const char *) NULL);
+       if (!gld${EMULATION_NAME}_parse_ld_so_conf (&info, tmppath))
+        {
+Index: git/ld/ldmain.c
+===================================================================
+--- git.orig/ld/ldmain.c
+++ git/ld/ldmain.c
+@@ -68,6 +68,7 @@ char *program_name;
+ 
+ /* The prefix for system library directories.  */
+ const char *ld_sysroot;
+char ld_sysconfdir[4096] __attribute__ ((section (".gccrelocprefix"))) = SYSCONFDIR;
+ 
+ /* The canonical representation of ld_sysroot.  */
+ char *ld_canon_sysroot;
+Index: git/ld/ldmain.h
+===================================================================
+--- git.orig/ld/ldmain.h
+++ git/ld/ldmain.h
+@@ -23,6 +23,7 @@
+ 
+ extern char *program_name;
+ extern const char *ld_sysroot;
+extern char ld_sysconfdir[4096];
+ extern char *ld_canon_sysroot;
+ extern int ld_canon_sysroot_len;
+ extern FILE *saved_script_handle;
diff --git a/meta/recipes-devtools/binutils/binutils_2.31.bb b/meta/recipes-devtools/binutils/binutils_2.31.bb
index 51a9748906..625e18c787 100644
--- a/meta/recipes-devtools/binutils/binutils_2.31.bb
+++ b/meta/recipes-devtools/binutils/binutils_2.31.bb
@@ -46,4 +46,9 @@ do_install_class-native () {
 PACKAGE_BEFORE_PN += "libbfd"
 FILES_libbfd = "${libdir}/libbfd-*.so"
+SRC_URI_append_class-nativesdk =  "file://nativesdk-relocation.patch"
+USE_ALTERNATIVES_FOR_class-nativesdk = ""
+FILES_${PN}_append_class-nativesdk = " ${bindir}"
 BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
deleted file mode 100644
index 1c84fb1cf2..0000000000
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ /dev/null
@@ -1,62 +0,0 @@
-SUMMARY = "cve-check-tool"
-DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\
-The tool will identify potentially vunlnerable software packages within Linux distributions through version matching."
-HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool"
-SECTION = "Development/Tools"
-LICENSE = "GPL-2.0+"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
-SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
-           file://check-for-malloc_trim-before-using-it.patch \
-           file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
-           file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
-           file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
-           file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
-          "
-SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
-SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b"
-UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases"
-DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates"
-RDEPENDS_${PN} = "ca-certificates"
-inherit pkgconfig autotools
-EXTRA_OECONF = "--disable-coverage --enable-relative-plugins"
-CFLAGS_append = " -Wno-error=pedantic"
-do_populate_cve_db() {
-    if [ "${BB_NO_NETWORK}" = "1" ] ; then
-        bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected"
-        return
-    fi
-    # In case we don't inherit cve-check class, use default values defined in the class.
-    cve_dir="${CVE_CHECK_DB_DIR}"
-    cve_file="${CVE_CHECK_TMP_FILE}"
-    [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"
-    [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
-    unused="${@bb.utils.export_proxies(d)}"
-    bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
-    # --cacert works around curl-native not finding the CA bundle
-    if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
-        printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
-    else
-        bbwarn "Error in executing cve-check-update"
-        if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then
-            bbwarn "Failed to update cve-check-tool database, CVEs won't be checked"
-        fi
-    fi
-}
-addtask populate_cve_db after do_populate_sysroot
-do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"
-do_populate_cve_db[nostamp] = "1"
-do_populate_cve_db[progress] = "percent"
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
deleted file mode 100644
index 4a82cf2dde..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
-From: Peter Marko <peter.marko@siemens.com>
-Date: Thu, 13 Apr 2017 23:09:52 +0200
-Subject: [PATCH] Fix freeing memory allocated by sqlite
-Upstream-Status: Backport
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
- src/core.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-diff --git a/src/core.c b/src/core.c
-index 6263031..6788f16 100644
--- a/src/core.c
-+++ b/src/core.c
-@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
-         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
-         if (rc != SQLITE_OK) {
-                 fprintf(stderr, "ensure_table(): %s\n", err);
-                free(err);
-+                sqlite3_free(err);
-                 return false;
-         }
-         
-@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
-         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
-         if (rc != SQLITE_OK) {
-                 fprintf(stderr, "ensure_table(): %s\n", err);
-                free(err);
-+                sqlite3_free(err);
-                 return false;
-         }
- 
-@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
-         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
-         if (rc != SQLITE_OK) {
-                 fprintf(stderr, "ensure_table(): %s\n", err);
-                free(err);
-+                sqlite3_free(err);
-                 return false;
-         }
-         if (err) {
-                free(err);
-+                sqlite3_free(err);
-         }
- 
-         return true;
-- 
-2.1.4
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
deleted file mode 100644
index 3d8ebd1bd2..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
-From: Jussi Kukkonen <jussi.kukkonen@intel.com>
-Date: Thu, 9 Feb 2017 14:51:28 +0200
-Subject: [PATCH] curl: allow overriding default CA certificate file
-Similar to curl, --cacert can now be used in cve-check-tool and
-cve-check-update to override the default CA certificate file. Useful
-in cases where the system default is unsuitable (for example,
-out-dated) or broken (as in OE's current native libcurl, which embeds
-a path string from one build host and then uses it on another although
-the right path may have become something different).
-Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-Took Patrick Ohlys original patch from meta-security-isafw, rebased
-on top of other patches.
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
- src/library/cve-check-tool.h |  1 +
- src/library/fetch.c          | 10 +++++++++-
- src/library/fetch.h          |  3 ++-
- src/main.c                   |  5 ++++-
- src/update-main.c            |  4 +++-
- src/update.c                 | 12 +++++++-----
- src/update.h                 |  2 +-
- 7 files changed, 27 insertions(+), 10 deletions(-)
-diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
-index e4bb5b1..f89eade 100644
--- a/src/library/cve-check-tool.h
-+++ b/src/library/cve-check-tool.h
-@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
-     bool bugs;                          /**<Whether bug tracking is enabled */
-     GHashTable *mapping;                /**<CVE Mapping */
-     const char *output_file;            /**<Output file, if any */
-+    const char *cacert_file;            /**<Non-default SSL certificate file, if any */
- } CveCheckTool;
- 
- /**
-diff --git a/src/library/fetch.c b/src/library/fetch.c
-index 0fe6d76..8f998c3 100644
--- a/src/library/fetch.c
-+++ b/src/library/fetch.c
-@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
- }
- 
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-                      unsigned int start_percent, unsigned int end_percent)
-+                      unsigned int start_percent, unsigned int end_percent,
-+                      const char *cacert_file)
- {
-         FetchStatus ret = FETCH_STATUS_FAIL;
-         CURLcode res;
-@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-                 return ret;
-         }
- 
-+        if (cacert_file) {
-+                res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
-+                if (res != CURLE_OK) {
-+                        goto bail;
-+                }
-+        }
-+
-         if (stat(target, &st) == 0) {
-                 res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
-                 if (res != CURLE_OK) {
-diff --git a/src/library/fetch.h b/src/library/fetch.h
-index 4cce5d1..836c7d7 100644
--- a/src/library/fetch.h
-+++ b/src/library/fetch.h
-@@ -29,7 +29,8 @@ typedef enum {
-  * @return A FetchStatus, indicating the operation taken
-  */
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-                      unsigned int this_percent, unsigned int next_percent);
-+                      unsigned int this_percent, unsigned int next_percent,
-+                      const char *cacert_file);
- 
- /**
-  * Attempt to extract the given gzipped file
-diff --git a/src/main.c b/src/main.c
-index 8e6f158..ae69d47 100644
--- a/src/main.c
-+++ b/src/main.c
-@@ -280,6 +280,7 @@ static bool csv_mode = false;
- static char *modified_stamp = NULL;
- static gchar *mapping_file = NULL;
- static gchar *output_file = NULL;
-+static gchar *cacert_file = NULL;
- 
- static GOptionEntry _entries[] = {
-         { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
-@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
-         { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
-         { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
-         { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
-+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
-         { .short_name = 0 }
- };
- 
-@@ -492,6 +494,7 @@ int main(int argc, char **argv)
- 
-         quiet = csv_mode || !no_html;
-         self->output_file = output_file;
-+        self->cacert_file = cacert_file;
- 
-         if (!csv_mode && self->output_file) {
-                 quiet = false;
-@@ -530,7 +533,7 @@ int main(int argc, char **argv)
-                 if (status) {
-                         fprintf(stderr, "Update of db forced\n");
-                         cve_db_unlock();
-                        if (!update_db(quiet, db_path->str)) {
-+                        if (!update_db(quiet, db_path->str, self->cacert_file)) {
-                                 fprintf(stderr, "DB update failure\n");
-                                 goto cleanup;
-                         }
-diff --git a/src/update-main.c b/src/update-main.c
-index 2379cfa..c52d9d0 100644
--- a/src/update-main.c
-+++ b/src/update-main.c
-@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
- static gchar *nvds = NULL;
- static bool _show_version = false;
- static bool _quiet = false;
-+static const char *_cacert_file = NULL;
- 
- static GOptionEntry _entries[] = {
-         { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
-         { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
-         { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
-+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
-         { .short_name = 0 }
- };
- 
-@@ -88,7 +90,7 @@ int main(int argc, char **argv)
-                 goto end;
-         }
- 
-        if (update_db(_quiet, db_path->str)) {
-+        if (update_db(_quiet, db_path->str, _cacert_file)) {
-                 ret = EXIT_SUCCESS;
-         } else {
-                 fprintf(stderr, "Failed to update database\n");
-diff --git a/src/update.c b/src/update.c
-index 070560a..8cb4a39 100644
--- a/src/update.c
-+++ b/src/update.c
-@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
- 
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
-                            bool db_exist, bool verbose,
-                           unsigned int this_percent, unsigned int next_percent)
-+                           unsigned int this_percent, unsigned int next_percent,
-+                           const char *cacert_file)
- {
-         const char nvd_uri[] = URI_PREFIX;
-         autofree(cve_string) *uri_meta = NULL;
-@@ -331,14 +332,14 @@ refetch:
-         }
- 
-         /* Fetch NVD META file */
-        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
-+        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
-         if (st == FETCH_STATUS_FAIL) {
-                 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
-                 return -1;
-         }
- 
-         /* Fetch NVD XML file */
-        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
-+        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
-         switch (st) {
-         case FETCH_STATUS_FAIL:
-                 fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
-@@ -391,7 +392,7 @@ refetch:
-         return 0;
- }
- 
-bool update_db(bool quiet, const char *db_file)
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file)
- {
-         autofree(char) *db_dir = NULL;
-         autofree(CveDB) *cve_db = NULL;
-@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
-                 if (!quiet)
-                         fprintf(stderr, "completed: %u%%\r", start_percent);
-                 rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
-                                     start_percent, end_percent);
-+                                     start_percent, end_percent,
-+                                     cacert_file);
-                 switch (rc) {
-                 case 0:
-                         if (!quiet)
-diff --git a/src/update.h b/src/update.h
-index b8e9911..ceea0c3 100644
--- a/src/update.h
-+++ b/src/update.h
-@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);
- 
- int update_required(const char *db_file);
- 
-bool update_db(bool quiet, const char *db_file);
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file);
- 
- 
- /*
-- 
-2.1.4
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
deleted file mode 100644
index 8ea6f686e3..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
-Date: Mon, 26 Sep 2016 12:12:41 +0100
-Subject: [PATCH] print progress in percent when downloading CVE db
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Upstream-Status: Pending
-Signed-off-by: André Draszik <git@andred.net>
---
- src/library/fetch.c | 28 +++++++++++++++++++++++++++-
- src/library/fetch.h |  3 ++-
- src/update.c        | 16 ++++++++++++----
- 3 files changed, 41 insertions(+), 6 deletions(-)
-diff --git a/src/library/fetch.c b/src/library/fetch.c
-index 06d4b30..0fe6d76 100644
--- a/src/library/fetch.c
-+++ b/src/library/fetch.c
-@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f
-         return fwrite(ptr, size, nmemb, f->f);
- }
- 
-FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
-+struct percent_t {
-+        unsigned int start;
-+        unsigned int end;
-+};
-+
-+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow)
-+{
-+        (void) ultotal;
-+        (void) ulnow;
-+
-+        struct percent_t *percent = (struct percent_t *) ptr;
-+
-+        if (dltotal && percent && percent->end >= percent->start) {
-+                unsigned int diff = percent->end - percent->start;
-+                if (diff) {
-+                        fprintf(stderr,"completed: %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal));
-+                }
-+        }
-+
-+        return 0;
-+}
-+
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-+                      unsigned int start_percent, unsigned int end_percent)
- {
-         FetchStatus ret = FETCH_STATUS_FAIL;
-         CURLcode res;
-         struct stat st;
-         CURL *curl = NULL;
-         struct fetch_t *f = NULL;
-+        struct percent_t percent = { .start = start_percent, .end = end_percent };
- 
-         curl = curl_easy_init();
-         if (!curl) {
-@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
-         }
-         if (verbose) {
-                 (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);
-+                (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &percent);
-+                (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new);
-         }
-         res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func);
-         if (res != CURLE_OK) {
-diff --git a/src/library/fetch.h b/src/library/fetch.h
-index 70c3779..4cce5d1 100644
--- a/src/library/fetch.h
-+++ b/src/library/fetch.h
-@@ -28,7 +28,8 @@ typedef enum {
-  * @param verbose Whether to be verbose
-  * @return A FetchStatus, indicating the operation taken
-  */
-FetchStatus fetch_uri(const char *uri, const char *target, bool verbose);
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-+                      unsigned int this_percent, unsigned int next_percent);
- 
- /**
-  * Attempt to extract the given gzipped file
-diff --git a/src/update.c b/src/update.c
-index 30fbe96..eaeeefd 100644
--- a/src/update.c
-+++ b/src/update.c
-@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
- }
- 
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
-                           bool db_exist, bool verbose)
-+                           bool db_exist, bool verbose,
-+                           unsigned int this_percent, unsigned int next_percent)
- {
-         const char nvd_uri[] = URI_PREFIX;
-         autofree(cve_string) *uri_meta = NULL;
-@@ -330,14 +331,14 @@ refetch:
-         }
- 
-         /* Fetch NVD META file */
-        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose);
-+        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
-         if (st == FETCH_STATUS_FAIL) {
-                 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
-                 return -1;
-         }
- 
-         /* Fetch NVD XML file */
-        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose);
-+        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
-         switch (st) {
-         case FETCH_STATUS_FAIL:
-                 fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
-@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file)
-         for (int i = YEAR_START; i <= year+1; i++) {
-                 int y = i > year ? -1 : i;
-                 int rc;
-+                unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START);
-+                unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START);
- 
-                rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet);
-+                if (!quiet)
-+                        fprintf(stderr, "completed: %u%%\r", start_percent);
-+                rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
-+                                     start_percent, end_percent);
-                 switch (rc) {
-                 case 0:
-+                        if (!quiet)
-+                                fprintf(stderr,"completed: %u%%\r", end_percent);
-                         continue;
-                 case ENOMEM:
-                         goto oom;
-- 
-2.9.3
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
deleted file mode 100644
index 458c0cc84e..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
-From: Sergey Popovich <popovich_sergei@mail.ua>
-Date: Fri, 21 Apr 2017 07:32:23 -0700
-Subject: [PATCH] update: Compare computed vs expected sha256 digit string
- ignoring case
-We produce sha256 digest string using %x snprintf()
-qualifier for each byte of digest which uses alphabetic
-characters from "a" to "f" in lower case to represent
-integer values from 10 to 15.
-Previously all of the NVD META files supply sha256
-digest string for corresponding XML file in lower case.
-However due to some reason this changed recently to
-provide digest digits in upper case causing fetched
-data consistency checks to fail. This prevents database
-from being updated periodically.
-While commit c4f6e94 (update: Do not treat sha256 failure
-as fatal if requested) adds useful option to skip
-digest validation at all and thus provides workaround for
-this situation, it might be unacceptable for some
-deployments where we need to ensure that downloaded
-data is consistent before start parsing it and update
-SQLite database.
-Use strcasecmp() to compare two digest strings case
-insensitively and addressing this case.
-Upstream-Status: Backport
-Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
---
- src/update.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/src/update.c b/src/update.c
-index 8588f38..3cc6b67 100644
--- a/src/update.c
-+++ b/src/update.c
-@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
-                 snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
-         }
- 
-        ret = streq(csum_meta, csum_data);
-+        ret = !strcasecmp(csum_meta, csum_data);
- 
- err_unmap:
-         munmap(buffer, length);
-- 
-2.11.0
diff --git a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
deleted file mode 100644
index 0774ad946a..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Mon, 22 Aug 2016 22:54:24 -0700
-Subject: [PATCH] Check for malloc_trim before using it
-malloc_trim is gnu specific and not all libc
-implement it, threfore write a configure check
-to poke for it first and use the define to
-guard its use.
-Helps in compiling on musl based systems
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
-Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/48]
- configure.ac | 2 ++
- src/core.c   | 4 ++--
- 2 files changed, 4 insertions(+), 2 deletions(-)
-diff --git a/configure.ac b/configure.ac
-index d3b66ce..79c3542 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0])
- m4_define([openssl_required_version],[1.0.0])
- # TODO: Set minimum sqlite
- 
-+AC_CHECK_FUNCS_ONCE(malloc_trim)
-+
- PKG_CHECK_MODULES(CVE_CHECK_TOOL,
-                  [
-                   glib-2.0 >= glib_required_version,
-diff --git a/src/core.c b/src/core.c
-index 6263031..0d5df29 100644
--- a/src/core.c
-+++ b/src/core.c
-@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname)
-         }
- 
-         b = true;
-
-+#ifdef HAVE_MALLOC_TRIM
-         malloc_trim(0);
-
-+#endif
-         xmlFreeTextReader(r);
-         if (fd) {
-                 close(fd);
-- 
-2.9.3
diff --git a/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch b/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch
new file mode 100644
index 0000000000..594510342b
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-testtools/no_traceback2.patch
@@ -0,0 +1,23 @@
+traceback2 adds traceback for python2. Rather than depend on traceback2, we're
+python3 only so just use traceback.
+This caused breakage in oe-selftest -j which uses testtools on the autobuilder
+using buildtools-tarball.
+Upstream-Status: Inappropriate [Our recipe is python3 specific]
+(Once py2 is EOL upstream probably could/should take this)
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Index: testtools-2.3.0/testtools/content.py
+===================================================================
+--- testtools-2.3.0.orig/testtools/content.py
+++ testtools-2.3.0/testtools/content.py
+@@ -19,8 +19,7 @@ import os
+ import sys
+ 
+ from extras import try_import
+-# To let setup.py work, make this a conditional import.
+-traceback = try_import('traceback2')
+import traceback
+ 
+ from testtools.compat import (
+     _b,
diff --git a/meta/recipes-devtools/python/python3-testtools_2.3.0.bb b/meta/recipes-devtools/python/python3-testtools_2.3.0.bb
index 896ecee65c..a254b90a75 100644
--- a/meta/recipes-devtools/python/python3-testtools_2.3.0.bb
+++ b/meta/recipes-devtools/python/python3-testtools_2.3.0.bb
@@ -1,2 +1,4 @@
 inherit setuptools3
 require python-testtools.inc
+SRC_URI += "file://no_traceback2.patch"
diff --git a/meta/recipes-devtools/python/python3/0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch b/meta/recipes-devtools/python/python3/0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch
new file mode 100644
index 0000000000..48d4f73e9c
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch
@@ -0,0 +1,35 @@
+From ffe7797637f08cd6ee4c82e2d67462c5e194d30a Mon Sep 17 00:00:00 2001
+From: Jaewon Lee <jaewon.lee@xilinx.com>
+Date: Thu, 25 Apr 2019 15:34:26 -0700
+Subject: [PATCH] main.c: if OEPYTHON3HOME is set use instead of PYTHONHOME
+There is one variable PYTHONHOME to determine where libraries are coming
+from for both python2 and python3. This becomes an issue if only one has
+libraries in the specified PYTHONHOME path, but they are using the same
+PYTHONHOME. Creating another variable OEPYTHON3HOME to allow for a way
+to set a different path for python3
+Signed-off-by: Jaewon Lee <jaewon.lee@xilinx.com>
+RP: Backported to 3.5.6 (code totally different to original path for 
+later python versions)
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+---
+ Modules/main.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+Index: Python-3.5.6/Python/pylifecycle.c
+===================================================================
+--- Python-3.5.6.orig/Python/pylifecycle.c
+++ Python-3.5.6/Python/pylifecycle.c
+@@ -864,7 +864,9 @@ Py_GetPythonHome(void)
+ {
+     wchar_t *home = default_home;
+     if (home == NULL && !Py_IgnoreEnvironmentFlag) {
+-        char* chome = Py_GETENV("PYTHONHOME");
+        char* chome = Py_GETENV("OEPYTHON3HOME");
+        if (!chome)
+            chome = Py_GETENV("PYTHONHOME");
+         if (chome) {
+             size_t size = Py_ARRAY_LENGTH(env_home);
+             size_t r = mbstowcs(env_home, chome, size);
diff --git a/meta/recipes-devtools/python/python3_3.5.6.bb b/meta/recipes-devtools/python/python3_3.5.6.bb
index b2f8a3d034..4633a3d239 100644
--- a/meta/recipes-devtools/python/python3_3.5.6.bb
+++ b/meta/recipes-devtools/python/python3_3.5.6.bb
@@ -50,6 +50,10 @@ SRC_URI += "\
            file://CVE-2019-9636.patch \
           "
+SRC_URI_append_class-nativesdk = " \
+           file://0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch \
+           "
 inherit multilib_header python3native update-alternatives qemu ptest
 MULTILIB_SUFFIX = "${@d.getVar('base_libdir',1).split('/')[-1]}"
@@ -184,7 +188,7 @@ do_install() {
 }
 do_install_append_class-nativesdk () {
-        create_wrapper ${D}${bindir}/python${PYTHON_MAJMIN} PYTHONHOME='${prefix}' TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo' PYTHONNOUSERSITE='1'
+        create_wrapper ${D}${bindir}/python${PYTHON_MAJMIN} OEPYTHON3HOME='${prefix}' TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo' PYTHONNOUSERSITE='1'
 }
 SSTATE_SCAN_FILES += "Makefile"
diff --git a/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch b/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch
new file mode 100644
index 0000000000..618ebcdc81
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0011-linux-user-remove-host-stime-syscall.patch
@@ -0,0 +1,62 @@
+From 0f1f2d4596aee037d3ccbcf10592466daa54107f Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <laurent@vivier.eu>
+Date: Tue, 12 Nov 2019 15:25:56 +0100
+Subject: [PATCH] linux-user: remove host stime() syscall
+stime() has been withdrawn from glibc
+(12cbde1dae6f "Use clock_settime to implement stime; withdraw stime.")
+Implement the target stime() syscall using host
+clock_settime(CLOCK_REALTIME, ...) as it is done internally in glibc.
+Tested qemu-ppc/x86_64 with:
+        #include <time.h>
+        #include <stdio.h>
+        int main(void)
+        {
+                time_t t;
+                int ret;
+                /* date -u -d"2019-11-12T15:11:00" "+%s" */
+                t = 1573571460;
+                ret = stime(&t);
+                printf("ret %d\n", ret);
+                return 0;
+        }
+        # date; ./stime; date
+        Tue Nov 12 14:18:32 UTC 2019
+        ret 0
+        Tue Nov 12 15:11:00 UTC 2019
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0f1f2d4596aee037d3ccbcf10592466daa54107f]
+Buglink: https://bugs.launchpad.net/qemu/+bug/1852115
+Reported-by: Cole Robinson <crobinso@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20191112142556.6335-1-laurent@vivier.eu>
+---
+ linux-user/syscall.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+Index: qemu-3.0.0/linux-user/syscall.c
+===================================================================
+--- qemu-3.0.0.orig/linux-user/syscall.c
+++ qemu-3.0.0/linux-user/syscall.c
+@@ -8520,10 +8520,11 @@ abi_long do_syscall(void *cpu_env, int n
+ #ifdef TARGET_NR_stime /* not on alpha */
+     case TARGET_NR_stime:
+         {
+-            time_t host_time;
+-            if (get_user_sal(host_time, arg1))
+            struct timespec ts;
+            ts.tv_nsec = 0;
+            if (get_user_sal(ts.tv_sec, arg1))
+                 goto efault;
+-            ret = get_errno(stime(&host_time));
+            ret = get_errno(clock_settime(CLOCK_REALTIME, &ts));
+         }
+         break;
+ #endif
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index e483acab55..1daee7211f 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -42,6 +42,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2019-8934.patch \
           file://0001-linux-user-assume-__NR_gettid-always-exists.patch \
           file://0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch \
+           file://0011-linux-user-remove-host-stime-syscall.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
new file mode 100644
index 0000000000..f954fac8fc
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
@@ -0,0 +1,170 @@
+Treat an ID of -1 as invalid since that means "no change".
+Fixes CVE-2019-14287.
+Found by Joe Vennix from Apple Information Security.
+CVE: CVE-2019-14287
+Upstream-Status: Backport
+[https://www.sudo.ws/repos/sudo/rev/83db8dba09e7]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+Index: sudo-1.8.21p2/lib/util/strtoid.c
+===================================================================
+--- sudo-1.8.21p2.orig/lib/util/strtoid.c       2019-10-10 14:31:08.338476078 -0400
+++ sudo-1.8.21p2/lib/util/strtoid.c    2019-10-10 14:31:08.338476078 -0400
+@@ -42,6 +42,27 @@
+ #include "sudo_util.h"
+ 
+ /*
+ * Make sure that the ID ends with a valid separator char.
+ */
+static bool
+valid_separator(const char *p, const char *ep, const char *sep)
+{
+    bool valid = false;
+    debug_decl(valid_separator, SUDO_DEBUG_UTIL)
+
+    if (ep != p) {
+       /* check for valid separator (including '\0') */
+       if (sep == NULL)
+           sep = "";
+       do {
+           if (*ep == *sep)
+               valid = true;
+       } while (*sep++ != '\0');
+    }
+    debug_return_bool(valid);
+}
+
+/*
+  * Parse a uid/gid in string form.
+  * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
+  * If endp is non-NULL it is set to the next char after the ID.
+@@ -55,36 +76,33 @@ sudo_strtoid_v1(const char *p, const cha
+     char *ep;
+     id_t ret = 0;
+     long long llval;
+-    bool valid = false;
+     debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+ 
+     /* skip leading space so we can pick up the sign, if any */
+     while (isspace((unsigned char)*p))
+        p++;
+-    if (sep == NULL)
+-       sep = "";
+
+    /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
+     errno = 0;
+     llval = strtoll(p, &ep, 10);
+-    if (ep != p) {
+-       /* check for valid separator (including '\0') */
+-       do {
+-           if (*ep == *sep)
+-               valid = true;
+-       } while (*sep++ != '\0');
+    if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
+       errno = ERANGE;
+       if (errstr != NULL)
+           *errstr = N_("value too large");
+       goto done;
+     }
+-    if (!valid) {
+    if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
+       errno = ERANGE;
+        if (errstr != NULL)
+-           *errstr = N_("invalid value");
+-       errno = EINVAL;
+           *errstr = N_("value too small");
+        goto done;
+     }
+-    if (errno == ERANGE) {
+-       if (errstr != NULL) {
+-           if (llval == LLONG_MAX)
+-               *errstr = N_("value too large");
+-           else
+-               *errstr = N_("value too small");
+-       }
+
+    /* Disallow id -1, which means "no change". */
+    if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
+       if (errstr != NULL)
+           *errstr = N_("invalid value");
+       errno = EINVAL;
+        goto done;
+     }
+     ret = (id_t)llval;
+@@ -101,30 +119,15 @@ sudo_strtoid_v1(const char *p, const cha
+ {
+     char *ep;
+     id_t ret = 0;
+-    bool valid = false;
+     debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+ 
+     /* skip leading space so we can pick up the sign, if any */
+     while (isspace((unsigned char)*p))
+        p++;
+-    if (sep == NULL)
+-       sep = "";
+
+     errno = 0;
+     if (*p == '-') {
+        long lval = strtol(p, &ep, 10);
+-       if (ep != p) {
+-           /* check for valid separator (including '\0') */
+-           do {
+-               if (*ep == *sep)
+-                   valid = true;
+-           } while (*sep++ != '\0');
+-       }
+-       if (!valid) {
+-           if (errstr != NULL)
+-               *errstr = N_("invalid value");
+-           errno = EINVAL;
+-           goto done;
+-       }
+        if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
+            errno = ERANGE;
+            if (errstr != NULL)
+@@ -137,28 +140,31 @@ sudo_strtoid_v1(const char *p, const cha
+                *errstr = N_("value too small");
+            goto done;
+        }
+-       ret = (id_t)lval;
+-    } else {
+-       unsigned long ulval = strtoul(p, &ep, 10);
+-       if (ep != p) {
+-           /* check for valid separator (including '\0') */
+-           do {
+-               if (*ep == *sep)
+-                   valid = true;
+-           } while (*sep++ != '\0');
+-       }
+-       if (!valid) {
+
+       /* Disallow id -1, which means "no change". */
+       if (!valid_separator(p, ep, sep) || lval == -1) {
+            if (errstr != NULL)
+                *errstr = N_("invalid value");
+            errno = EINVAL;
+            goto done;
+        }
+       ret = (id_t)lval;
+    } else {
+       unsigned long ulval = strtoul(p, &ep, 10);
+        if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
+            errno = ERANGE;
+            if (errstr != NULL)
+                *errstr = N_("value too large");
+            goto done;
+        }
+
+       /* Disallow id -1, which means "no change". */
+       if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
+           if (errstr != NULL)
+               *errstr = N_("invalid value");
+           errno = EINVAL;
+           goto done;
+       }
+        ret = (id_t)ulval;
+     }
+     if (errstr != NULL)
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch
new file mode 100644
index 0000000000..dcb2703d23
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch
@@ -0,0 +1,98 @@
+CVE: CVE-2019-14287
+Upstream-Status: Backport
+[https://www.sudo.ws/repos/sudo/rev/db06a8336c09]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+Index: sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c
+===================================================================
+--- sudo-1.8.21p2.orig/lib/util/regress/atofoo/atofoo_test.c    2019-10-11 07:11:49.874655384 -0400
+++ sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c 2019-10-11 07:13:07.471005893 -0400
+@@ -24,6 +24,7 @@
+ #else
+ # include "compat/stdbool.h"
+ #endif
+#include <errno.h>
+ 
+ #include "sudo_compat.h"
+ #include "sudo_util.h"
+@@ -78,15 +79,20 @@ static struct strtoid_data {
+     id_t id;
+     const char *sep;
+     const char *ep;
+    int errnum;
+ } strtoid_data[] = {
+-    { "0,1", 0, ",", "," },
+-    { "10", 10, NULL, NULL },
+-    { "-2", -2, NULL, NULL },
+    { "0,1", 0, ",", ",", 0 },
+    { "10", 10, NULL, NULL, 0 },
+    { "-1", 0, NULL, NULL, EINVAL },
+    { "4294967295", 0, NULL, NULL, EINVAL },
+    { "4294967296", 0, NULL, NULL, ERANGE },
+    { "-2147483649", 0, NULL, NULL, ERANGE },
+    { "-2", -2, NULL, NULL, 0 },
+ #if SIZEOF_ID_T != SIZEOF_LONG_LONG
+-    { "-2", 4294967294U, NULL, NULL },
+    { "-2", (id_t)4294967294U, NULL, NULL, 0 },
+ #endif
+-    { "4294967294", 4294967294U, NULL, NULL },
+-    { NULL, 0, NULL, NULL }
+    { "4294967294", (id_t)4294967294U, NULL, NULL, 0 },
+    { NULL, 0, NULL, NULL, 0 }
+ };
+ 
+ static int
+@@ -102,11 +108,23 @@ test_strtoid(int *ntests)
+        (*ntests)++;
+        errstr = "some error";
+        value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr);
+-       if (errstr != NULL) {
+-           if (d->id != (id_t)-1) {
+-               sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
+       if (d->errnum != 0) {
+           if (errstr == NULL) {
+               sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d",
+                   d->idstr, d->errnum);
+               errors++;
+           } else if (value != 0) {
+               sudo_warnx_nodebug("FAIL: %s should return 0 on error",
+                   d->idstr);
+               errors++;
+           } else if (errno != d->errnum) {
+               sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d",
+                   d->idstr, errno, d->errnum);
+                errors++;
+            }
+       } else if (errstr != NULL) {
+           sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
+           errors++;
+        } else if (value != d->id) {
+            sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id);
+            errors++;
+Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok
+===================================================================
+--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-11 07:11:49.874655384 -0400
+++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok      2019-10-11 07:11:49.870655365 -0400
+@@ -4,7 +4,7 @@ Parse error in sudoers near line 1.
+ Entries for user root:
+ 
+ Command unmatched
+-testsudoers: test5.inc should be owned by gid 4294967295
+testsudoers: test5.inc should be owned by gid 4294967294
+ Parse error in sudoers near line 1.
+ 
+ Entries for user root:
+Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh
+===================================================================
+--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.sh     2019-10-11 07:11:49.874655384 -0400
+++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh  2019-10-11 07:11:49.870655365 -0400
+@@ -24,7 +24,7 @@ EOF
+ 
+ # Test group writable
+ chmod 664 $TESTFILE
+-./testsudoers -U $MYUID -G -1 root id <<EOF
+./testsudoers -U $MYUID -G -2 root id <<EOF
+ #include $TESTFILE
+ EOF
+ 
diff --git a/meta/recipes-extended/sudo/sudo_1.8.23.bb b/meta/recipes-extended/sudo/sudo_1.8.23.bb
index ce32bd187e..d12cf2d549 100644
--- a/meta/recipes-extended/sudo/sudo_1.8.23.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.23.bb
@@ -3,6 +3,8 @@ require sudo.inc
 SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
           file://0001-Include-sys-types.h-for-id_t-definition.patch \
+           file://CVE-2019-14287_p1.patch \
+           file://CVE-2019-14287_p2.patch \
           "
 PAM_SRC_URI = "file://sudo.pam"
diff --git a/meta/recipes-extended/tar/tar/CVE-2018-20482.patch b/meta/recipes-extended/tar/tar/CVE-2018-20482.patch
new file mode 100644
index 0000000000..2a13148427
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2018-20482.patch
@@ -0,0 +1,405 @@
+From 331be56598b284d41370c67046df25673b040a55 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Thu, 27 Dec 2018 17:48:57 +0200
+Subject: [PATCH] Fix CVE-2018-20482
+* NEWS: Update.
+* src/sparse.c (sparse_dump_region): Handle short read condition.
+(sparse_extract_region,check_data_region): Fix dumped_size calculation.
+Handle short read condition.
+(pax_decode_header): Fix dumped_size calculation.
+* tests/Makefile.am: Add new testcases.
+* tests/testsuite.at: Likewise.
+* tests/sptrcreat.at: New file.
+* tests/sptrdiff00.at: New file.
+* tests/sptrdiff01.at: New file.
+CVE: CVE-2018-20482
+Upstream-Status: Backport
+[http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ src/sparse.c        | 50 +++++++++++++++++++++++++++++++-----
+ tests/Makefile.am   |  5 +++-
+ tests/sptrcreat.at  | 62 +++++++++++++++++++++++++++++++++++++++++++++
+ tests/sptrdiff00.at | 55 ++++++++++++++++++++++++++++++++++++++++
+ tests/sptrdiff01.at | 55 ++++++++++++++++++++++++++++++++++++++++
+ tests/testsuite.at  |  5 +++-
+ 6 files changed, 224 insertions(+), 8 deletions(-)
+ create mode 100644 tests/sptrcreat.at
+ create mode 100644 tests/sptrdiff00.at
+ create mode 100644 tests/sptrdiff01.at
+diff --git a/src/sparse.c b/src/sparse.c
+index 0830f62..e8e8259 100644
+--- a/src/sparse.c
+++ b/src/sparse.c
+@@ -1,6 +1,6 @@
+ /* Functions for dealing with sparse files
+ 
+-   Copyright 2003-2007, 2010, 2013-2017 Free Software Foundation, Inc.
+   Copyright 2003-2007, 2010, 2013-2018 Free Software Foundation, Inc.
+ 
+    This program is free software; you can redistribute it and/or modify it
+    under the terms of the GNU General Public License as published by the
+@@ -427,6 +427,30 @@ sparse_dump_region (struct tar_sparse_file *file, size_t i)
+                             bufsize);
+          return false;
+        }
+      else if (bytes_read == 0)
+       {
+         char buf[UINTMAX_STRSIZE_BOUND];
+         struct stat st;
+         size_t n;
+         if (fstat (file->fd, &st) == 0)
+           n = file->stat_info->stat.st_size - st.st_size;
+         else
+           n = file->stat_info->stat.st_size
+             - (file->stat_info->sparse_map[i].offset
+                + file->stat_info->sparse_map[i].numbytes
+                - bytes_left);
+         
+         WARNOPT (WARN_FILE_SHRANK,
+                  (0, 0,
+                   ngettext ("%s: File shrank by %s byte; padding with zeros",
+                             "%s: File shrank by %s bytes; padding with zeros",
+                             n),
+                   quotearg_colon (file->stat_info->orig_file_name),
+                   STRINGIFY_BIGINT (n, buf)));
+         if (! ignore_failed_read_option)
+           set_exit_status (TAREXIT_DIFFERS);
+         return false;
+       }
+ 
+       memset (blk->buffer + bytes_read, 0, BLOCKSIZE - bytes_read);
+       bytes_left -= bytes_read;
+@@ -464,9 +488,9 @@ sparse_extract_region (struct tar_sparse_file *file, size_t i)
+          return false;
+        }
+       set_next_block_after (blk);
+      file->dumped_size += BLOCKSIZE;
+       count = blocking_write (file->fd, blk->buffer, wrbytes);
+       write_size -= count;
+-      file->dumped_size += count;
+       mv_size_left (file->stat_info->archive_file_size - file->dumped_size);
+       file->offset += count;
+       if (count != wrbytes)
+@@ -598,6 +622,12 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end)
+                             rdsize);
+          return false;
+        }
+      else if (bytes_read == 0)
+       {
+         report_difference (file->stat_info, _("Size differs"));
+         return false;
+       }
+      
+       if (!zero_block_p (diff_buffer, bytes_read))
+        {
+          char begbuf[INT_BUFSIZE_BOUND (off_t)];
+@@ -609,6 +639,7 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end)
+ 
+       beg += bytes_read;
+     }
+
+   return true;
+ }
+ 
+@@ -635,6 +666,7 @@ check_data_region (struct tar_sparse_file *file, size_t i)
+          return false;
+        }
+       set_next_block_after (blk);
+      file->dumped_size += BLOCKSIZE;      
+       bytes_read = safe_read (file->fd, diff_buffer, rdsize);
+       if (bytes_read == SAFE_READ_ERROR)
+        {
+@@ -645,7 +677,11 @@ check_data_region (struct tar_sparse_file *file, size_t i)
+                             rdsize);
+          return false;
+        }
+-      file->dumped_size += bytes_read;
+      else if (bytes_read == 0)
+       {
+         report_difference (&current_stat_info, _("Size differs"));
+         return false;
+       }
+       size_left -= bytes_read;
+       mv_size_left (file->stat_info->archive_file_size - file->dumped_size);
+       if (memcmp (blk->buffer, diff_buffer, rdsize))
+@@ -1213,7 +1249,8 @@ pax_decode_header (struct tar_sparse_file *file)
+       union block *blk;
+       char *p;
+       size_t i;
+-
+      off_t start;
+      
+ #define COPY_BUF(b,buf,src) do                                     \
+  {                                                                 \
+    char *endp = b->buffer + BLOCKSIZE;                             \
+@@ -1229,7 +1266,6 @@ pax_decode_header (struct tar_sparse_file *file)
+        if (src == endp)                                            \
+         {                                                         \
+           set_next_block_after (b);                               \
+-           file->dumped_size += BLOCKSIZE;                         \
+            b = find_next_block ();                                 \
+            if (!b)                                                 \
+              FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); \
+@@ -1242,8 +1278,8 @@ pax_decode_header (struct tar_sparse_file *file)
+    dst[-1] = 0;                                                    \
+  } while (0)
+ 
+      start = current_block_ordinal ();
+       set_next_block_after (current_header);
+-      file->dumped_size += BLOCKSIZE;
+       blk = find_next_block ();
+       if (!blk)
+         FATAL_ERROR ((0, 0, _("Unexpected EOF in archive")));
+@@ -1282,6 +1318,8 @@ pax_decode_header (struct tar_sparse_file *file)
+          sparse_add_map (file->stat_info, &sp);
+        }
+       set_next_block_after (blk);
+
+      file->dumped_size += BLOCKSIZE * (current_block_ordinal () - start);
+     }
+ 
+   return true;
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 2d7939d..ac3b6e7 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -1,6 +1,6 @@
+ # Makefile for GNU tar regression tests.
+ 
+-# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2015 Free Software
+# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2018 Free Software
+ 
+ # This file is part of GNU tar.
+ 
+@@ -228,6 +228,9 @@ TESTSUITE_AT = \
+  spmvp00.at\
+  spmvp01.at\
+  spmvp10.at\
+ sptrcreat.at\
+ sptrdiff00.at\
+ sptrdiff01.at\
+  time01.at\
+  time02.at\
+  truncate.at\
+diff --git a/tests/sptrcreat.at b/tests/sptrcreat.at
+new file mode 100644
+index 0000000..8e28f0e
+--- /dev/null
+++ b/tests/sptrcreat.at
+@@ -0,0 +1,62 @@
+# Process this file with autom4te to create testsuite. -*- Autotest -*-
+
+# Test suite for GNU tar.
+# Copyright 2018 Free Software Foundation, Inc.
+
+# This file is part of GNU tar.
+
+# GNU tar is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# GNU tar is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Tar up to 1.30 would loop endlessly if a sparse file had been truncated
+# while being archived (with --sparse flag).
+#
+# The bug has been assigned id CVE-2018-20482 (on the grounds that it is a
+# denial of service possibility).
+# 
+# Reported by: Chris Siebenmann <cks.gnutar-01@cs.toronto.edu>
+# References: <20181226223948.781EB32008E@apps1.cs.toronto.edu>,
+#   <http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html>
+#   <https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug>
+#   <https://nvd.nist.gov/vuln/detail/CVE-2018-20482>
+
+AT_SETUP([sparse file truncated while archiving])
+AT_KEYWORDS([truncate filechange sparse sptr sptrcreat])
+
+AT_TAR_CHECK([
+genfile --sparse --block-size=1024 --file foo \
+  0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ
+genfile --file baz
+genfile --run --checkpoint 3 --length 200m --truncate foo -- \
+ tar --checkpoint=1 \
+     --checkpoint-action=echo \
+     --checkpoint-action=sleep=1 \
+     --sparse -vcf bar foo baz
+echo Exit status: $?
+echo separator
+genfile --file foo --seek 200m --length 11575296 --pattern=zeros
+tar dvf bar],
+[1],
+[foo
+baz
+Exit status: 1
+separator
+foo
+foo: Mod time differs
+baz
+],
+[tar: foo: File shrank by 11575296 bytes; padding with zeros
+],
+[],[],[posix, gnu, oldgnu])
+
+AT_CLEANUP
+diff --git a/tests/sptrdiff00.at b/tests/sptrdiff00.at
+new file mode 100644
+index 0000000..c410561
+--- /dev/null
+++ b/tests/sptrdiff00.at
+@@ -0,0 +1,55 @@
+# Process this file with autom4te to create testsuite. -*- Autotest -*-
+#
+# Test suite for GNU tar.
+# Copyright 2018 Free Software Foundation, Inc.
+#
+# This file is part of GNU tar.
+#
+# GNU tar is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GNU tar is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered
+# that similar bug exists in file checking code (tar d). 
+# This test case checks if tar correctly handles a short read condition
+# appearing in check_sparse_region.
+
+AT_SETUP([file truncated in sparse region while comparing])
+AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff])
+
+# This triggers short read in check_sparse_region.
+AT_TAR_CHECK([
+genfile --sparse --block-size=1024 --file foo \
+  0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ
+genfile --file baz
+echo creating
+tar --sparse -vcf bar foo baz
+echo comparing
+genfile --run --checkpoint 3 --length 200m --truncate foo -- \
+ tar --checkpoint=1 \
+     --checkpoint-action=echo='Write checkpoint %u' \
+     --checkpoint-action=sleep=1 \
+     --sparse -vdf bar 
+],
+[1],
+[creating
+foo
+baz
+comparing
+foo
+foo: Size differs
+baz
+],
+[],
+[],[],[posix, gnu, oldgnu])
+
+AT_CLEANUP
+diff --git a/tests/sptrdiff01.at b/tests/sptrdiff01.at
+new file mode 100644
+index 0000000..2da2267
+--- /dev/null
+++ b/tests/sptrdiff01.at
+@@ -0,0 +1,55 @@
+# Process this file with autom4te to create testsuite. -*- Autotest -*-
+#
+# Test suite for GNU tar.
+# Copyright 2018 Free Software Foundation, Inc.
+#
+# This file is part of GNU tar.
+#
+# GNU tar is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GNU tar is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered
+# that similar bug exists in file checking code (tar d). 
+# This test case checks if tar correctly handles a short read condition
+# appearing in check_data_region.
+
+AT_SETUP([file truncated in data region while comparing])
+AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff])
+
+# This triggers short read in check_data_region.
+AT_TAR_CHECK([
+genfile --sparse --block-size=1024 --file foo \
+  0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ
+genfile --file baz
+echo creating
+tar --sparse -vcf bar foo baz
+echo comparing
+genfile --run --checkpoint 5 --length 221278210 --truncate foo -- \
+ tar --checkpoint=1 \
+     --checkpoint-action=echo='Write checkpoint %u' \
+     --checkpoint-action=sleep=1 \
+     --sparse -vdf bar 
+],
+[1],
+[creating
+foo
+baz
+comparing
+foo
+foo: Size differs
+baz
+],
+[],
+[],[],[posix, gnu, oldgnu])
+
+AT_CLEANUP
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index 2a83757..23386f7 100644
+--- a/tests/testsuite.at
+++ b/tests/testsuite.at
+@@ -1,7 +1,7 @@
+ # Process this file with autom4te to create testsuite. -*- Autotest -*-
+ 
+ # Test suite for GNU tar.
+-# Copyright 2004-2008, 2010-2017 Free Software Foundation, Inc.
+# Copyright 2004-2008, 2010-2018 Free Software Foundation, Inc.
+ 
+ # This file is part of GNU tar.
+ 
+@@ -405,6 +405,9 @@ m4_include([sparsemv.at])
+ m4_include([spmvp00.at])
+ m4_include([spmvp01.at])
+ m4_include([spmvp10.at])
+m4_include([sptrcreat.at])
+m4_include([sptrdiff00.at])
+m4_include([sptrdiff01.at])
+ 
+ AT_BANNER([Updates])
+ m4_include([update.at])
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-extended/tar/tar_1.30.bb b/meta/recipes-extended/tar/tar_1.30.bb
index ab1b33b378..7cf0522455 100644
--- a/meta/recipes-extended/tar/tar_1.30.bb
+++ b/meta/recipes-extended/tar/tar_1.30.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
           file://remove-gets.patch \
           file://musl_dirent.patch \
           file://CVE-2019-9923.patch \
+           file://CVE-2018-20482.patch \
 "
 SRC_URI[md5sum] = "8404e4c1fc5a3000228ab2b8ad674a65"
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb b/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
index 0ed290088a..de6f5c98bf 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
@@ -11,13 +11,13 @@ python () {
        raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
-SRCREV_machine ?= "72075349c6af55a7a6d024f0aa241711653fcb97"
+SRCREV_machine ?= "3aa9671ae072f45665e72591be5636522c8a6215"
-SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f"
+SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09"
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
           git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.14.143"
+LINUX_VERSION ?= "4.14.154"
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
index cb463074e1..52c02cad10 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
@@ -4,7 +4,7 @@ KCONFIG_MODE = "--allnoconfig"
 require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "4.14.143"
+LINUX_VERSION ?= "4.14.154"
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
@@ -12,8 +12,8 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "3d884bc92763f474cc0728d1feb0becad8ed37d5"
+SRCREV_machine ?= "38c3a6549d60a3b4a5ab0cb6a440929ba8502f7f"
-SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f"
+SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09"
 PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_4.14.bb b/meta/recipes-kernel/linux/linux-yocto_4.14.bb
index 4a92d27e78..0048735c01 100644
--- a/meta/recipes-kernel/linux/linux-yocto_4.14.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_4.14.bb
@@ -11,20 +11,20 @@ KBRANCH_qemux86  ?= "v4.14/standard/base"
 KBRANCH_qemux86-64 ?= "v4.14/standard/base"
 KBRANCH_qemumips64 ?= "v4.14/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "bd85f4880bb890bf9c45ee6c2fd95f077d2bf67e"
+SRCREV_machine_qemuarm ?= "e4e2990af921c2d1544d18efa5f7183f95289cd0"
-SRCREV_machine_qemuarm64 ?= "445a4787bd489eb6b3d5c172b9842dbe5a34d734"
+SRCREV_machine_qemuarm64 ?= "51c9e69ebef5d2d15dfbcdf098269d86e0e38317"
-SRCREV_machine_qemumips ?= "3d07ac9aa6ca729674dfb763563202f18f9eedde"
+SRCREV_machine_qemumips ?= "e70c76a3fe9cc785619d9e4c8e28cb4d4d76ecaf"
-SRCREV_machine_qemuppc ?= "81ba8dbab3b1bfc371e539956be905809db0e41a"
+SRCREV_machine_qemuppc ?= "6b6eab44d3a04294c233e0b47d6b7c6cbb6e9ffb"
-SRCREV_machine_qemux86 ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755"
+SRCREV_machine_qemux86 ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce"
-SRCREV_machine_qemux86-64 ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755"
+SRCREV_machine_qemux86-64 ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce"
-SRCREV_machine_qemumips64 ?= "3c4acadcbe2ee11043f7d0fce43a5181511d0935"
+SRCREV_machine_qemumips64 ?= "4e099e87d223bfc1526543a5e4c5383cb2edda70"
-SRCREV_machine ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755"
+SRCREV_machine ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce"
-SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f"
+SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09"
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
           git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.14.143"
+LINUX_VERSION ?= "4.14.154"
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/meta/recipes-support/atk/at-spi2-core_2.28.0.bb b/meta/recipes-support/atk/at-spi2-core_2.28.0.bb
index 7975f58bad..0bdb1e37f3 100644
--- a/meta/recipes-support/atk/at-spi2-core_2.28.0.bb
+++ b/meta/recipes-support/atk/at-spi2-core_2.28.0.bb
@@ -18,7 +18,7 @@ inherit meson gtk-doc gettext systemd pkgconfig distro_features_check upstream-v
 REQUIRED_DISTRO_FEATURES = "x11"
 EXTRA_OEMESON = " -Dsystemd_user_dir=${systemd_user_unitdir} \
-                  -Ddbus_daemon=${bindir}"
+                  -Ddbus_daemon=${bindir}/dbus-daemon"
 GTKDOC_ENABLE_FLAG = "-Denable_docs=true"
 GTKDOC_DISABLE_FLAG = "-Denable_docs=false"
diff --git a/meta/recipes-support/attr/attr_2.4.47.bb b/meta/recipes-support/attr/attr_2.4.47.bb
index fc88bef830..c3da66a0c7 100644
--- a/meta/recipes-support/attr/attr_2.4.47.bb
+++ b/meta/recipes-support/attr/attr_2.4.47.bb
@@ -12,4 +12,7 @@ SRC_URI += "file://attr-Missing-configure.ac.patch \
 SRC_URI[md5sum] = "84f58dec00b60f2dc8fd1c9709291cc7"
 SRC_URI[sha256sum] = "25772f653ac5b2e3ceeb89df50e4688891e21f723c460636548971652af0a859"
+# Has issues with newer versions of make
+PARALLEL_MAKEINST = ""
 BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-support/iso-codes/iso-codes_4.1.bb b/meta/recipes-support/iso-codes/iso-codes_4.1.bb
index 1761ded44e..a70513033d 100644
--- a/meta/recipes-support/iso-codes/iso-codes_4.1.bb
+++ b/meta/recipes-support/iso-codes/iso-codes_4.1.bb
@@ -5,7 +5,7 @@ BUGTRACKER = "https://salsa.debian.org/iso-codes-team/iso-codes/issues"
 LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http"
+SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http;branch=main;"
 SRCREV = "164802d5fd8c7a8167816fd86a62b286680619f0"
 # inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch
new file mode 100644
index 0000000000..cda52119ba
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch
@@ -0,0 +1,176 @@
+From 263ad8ae08f287e32656d4e3e0116479f3d9ad9d Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 31 May 2019 17:27:25 +0300
+Subject: [PATCH] GCM: move look-up table to .data section and unshare between processes
+Reply-To: shuagr@microsoft.com
+CVE: CVE-2019-12904_p1 
+Upstream-Status: Backport 
+Signed-off-by: Shubham Agrawal<shuagr@microsoft.com> 
+Upstream-commit : https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020
+* cipher/cipher-gcm.c (ATTR_ALIGNED_64): New.
+(gcmR): Move to 'gcm_table' structure.
+(gcm_table): New structure for look-up table with counters before and
+after.
+(gcmR): New macro.
+(prefetch_table): Handle input with length not multiple of 256.
+(do_prefetch_tables): Modify pre- and post-table counters to unshare
+look-up table pages between processes.
+--
+GnuPG-bug-id: 4541
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ cipher/cipher-gcm.c | 129 ++++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 95 insertions(+), 34 deletions(-)
+diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c
+index 6169d14..97a8015 100644
+--- a/cipher/cipher-gcm.c
+++ b/cipher/cipher-gcm.c
+@@ -30,6 +30,14 @@
+ #include "./cipher-internal.h"
+ 
+ 
+/* Helper macro to force alignment to 16 or 64 bytes.  */
+#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
+# define ATTR_ALIGNED_64  __attribute__ ((aligned (64)))
+#else
+# define ATTR_ALIGNED_64
+#endif
+
+
+ #ifdef GCM_USE_INTEL_PCLMUL
+ extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c);
+ 
+@@ -63,40 +71,93 @@ ghash_armv8_ce_pmull (gcry_cipher_hd_t c, byte *result, const byte *buf,
+ 
+ 
+ #ifdef GCM_USE_TABLES
+-static const u16 gcmR[256] = {
+-  0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e,
+-  0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e,
+-  0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e,
+-  0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e,
+-  0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e,
+-  0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e,
+-  0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e,
+-  0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e,
+-  0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce,
+-  0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde,
+-  0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee,
+-  0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe,
+-  0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e,
+-  0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e,
+-  0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae,
+-  0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe,
+-  0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e,
+-  0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e,
+-  0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e,
+-  0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e,
+-  0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e,
+-  0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e,
+-  0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e,
+-  0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e,
+-  0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce,
+-  0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade,
+-  0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee,
+-  0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe,
+-  0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e,
+-  0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e,
+-  0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae,
+-  0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
+-};
+static struct
+{
+  volatile u32 counter_head;
+  u32 cacheline_align[64 / 4 - 1];
+  u16 R[256];
+  volatile u32 counter_tail;
+} gcm_table ATTR_ALIGNED_64 =
+  {
+    0,
+    { 0, },
+    {
+      0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e,
+      0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e,
+      0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e,
+      0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e,
+      0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e,
+      0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e,
+      0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e,
+      0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e,
+      0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce,
+      0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde,
+      0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee,
+      0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe,
+      0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e,
+      0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e,
+      0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae,
+      0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe,
+      0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e,
+      0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e,
+      0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e,
+      0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e,
+      0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e,
+      0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e,
+      0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e,
+      0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e,
+      0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce,
+      0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade,
+      0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee,
+      0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe,
+      0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e,
+      0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e,
+      0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae,
+      0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
+    },
+    0
+  };
+
+#define gcmR gcm_table.R
+static inline
+void prefetch_table(const void *tab, size_t len)
+{
+  const volatile byte *vtab = tab;
+  size_t i;
+
+  for (i = 0; len - i >= 8 * 32; i += 8 * 32)
+    {
+      (void)vtab[i + 0 * 32];
+      (void)vtab[i + 1 * 32];
+      (void)vtab[i + 2 * 32];
+      (void)vtab[i + 3 * 32];
+      (void)vtab[i + 4 * 32];
+      (void)vtab[i + 5 * 32];
+      (void)vtab[i + 6 * 32];
+      (void)vtab[i + 7 * 32];
+    }
+  for (; i < len; i += 32)
+    {
+      (void)vtab[i];
+    }
+
+  (void)vtab[len - 1];
+}
+
+static inline void
+do_prefetch_tables (const void *gcmM, size_t gcmM_size)
+{
+  /* Modify counters to trigger copy-on-write and unsharing if physical pages
+   * of look-up table are shared between processes.  Modifying counters also
+   * causes checksums for pages to change and hint same-page merging algorithm
+   * that these pages are frequently changing.  */
+  gcm_table.counter_head++;
+  gcm_table.counter_tail++;
+
+  /* Prefetch look-up tables to cache.  */
+  prefetch_table(gcmM, gcmM_size);
+  prefetch_table(&gcm_table, sizeof(gcm_table));
+}
+ 
+ #ifdef GCM_TABLES_USE_U64
+ static void
+-- 
+2.7.4
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch
new file mode 100644
index 0000000000..0cb503ed65
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch
@@ -0,0 +1,330 @@
+From a5c359cc68a4def9bf39f63070837d89711b4e17 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 31 May 2019 17:18:09 +0300
+Subject: [PATCH] AES: move look-up tables to .data section and unshare between processes
+Reply-To: shuagr@microsoft.com
+CVE: CVE-2019-12904_p2 
+Upstream-status: Backport 
+Signed-off-by: Shubham Agrawal<shuagr@microsoft.com> 
+Upstream-commit: https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762
+* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New.
+* cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure.
+(enc_tables): New structure for encryption table with counters before
+and after.
+(encT): New macro.
+(dec_tables): Add counters before and after encryption table; Move
+from .rodata to .data section.
+(do_encrypt): Change 'encT' to 'enc_tables.T'.
+(do_decrypt): Change '&dec_tables' to 'dec_tables.T'.
+* cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input
+with length not multiple of 256.
+(prefetch_enc, prefetch_dec): Modify pre- and post-table counters
+to unshare look-up table pages between processes.
+--
+GnuPG-bug-id: 4541
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ cipher/rijndael-internal.h |   4 +-
+ cipher/rijndael-tables.h   | 155 +++++++++++++++++++++++++--------------------
+ cipher/rijndael.c          |  35 ++++++++--
+ 3 files changed, 118 insertions(+), 76 deletions(-)
+diff --git a/cipher/rijndael-internal.h b/cipher/rijndael-internal.h
+index 160fb8c..a62d4b7 100644
+--- a/cipher/rijndael-internal.h
+++ b/cipher/rijndael-internal.h
+@@ -29,11 +29,13 @@
+ #define BLOCKSIZE               (128/8)
+ 
+ 
+-/* Helper macro to force alignment to 16 bytes.  */
+/* Helper macro to force alignment to 16 or 64 bytes.  */
+ #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
+ # define ATTR_ALIGNED_16  __attribute__ ((aligned (16)))
+# define ATTR_ALIGNED_64  __attribute__ ((aligned (64)))
+ #else
+ # define ATTR_ALIGNED_16
+# define ATTR_ALIGNED_64
+ #endif
+ 
+ 
+diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h
+index 8359470..b54d959 100644
+--- a/cipher/rijndael-tables.h
+++ b/cipher/rijndael-tables.h
+@@ -21,80 +21,98 @@
+ /* To keep the actual implementation at a readable size we use this
+    include file to define the tables.  */
+ 
+-static const u32 encT[256] =
+static struct
+{
+  volatile u32 counter_head;
+  u32 cacheline_align[64 / 4 - 1];
+  u32 T[256];
+  volatile u32 counter_tail;
+} enc_tables ATTR_ALIGNED_64 =
+   {
+-    0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
+-    0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
+-    0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
+-    0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
+-    0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
+-    0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
+-    0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
+-    0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
+-    0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
+-    0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
+-    0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
+-    0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
+-    0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
+-    0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
+-    0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
+-    0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
+-    0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
+-    0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
+-    0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
+-    0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
+-    0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
+-    0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
+-    0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
+-    0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
+-    0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
+-    0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
+-    0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
+-    0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
+-    0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
+-    0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
+-    0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
+-    0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
+-    0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
+-    0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
+-    0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
+-    0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
+-    0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
+-    0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
+-    0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
+-    0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
+-    0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
+-    0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
+-    0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
+-    0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
+-    0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
+-    0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
+-    0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
+-    0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
+-    0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
+-    0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
+-    0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
+-    0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
+-    0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
+-    0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
+-    0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
+-    0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
+-    0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
+-    0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
+-    0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
+-    0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
+-    0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
+-    0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
+-    0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
+-    0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c
+    0,
+    { 0, },
+    {
+      0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
+      0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
+      0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
+      0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
+      0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
+      0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
+      0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
+      0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
+      0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
+      0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
+      0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
+      0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
+      0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
+      0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
+      0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
+      0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
+      0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
+      0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
+      0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
+      0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
+      0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
+      0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
+      0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
+      0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
+      0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
+      0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
+      0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
+      0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
+      0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
+      0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
+      0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
+      0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
+      0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
+      0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
+      0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
+      0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
+      0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
+      0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
+      0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
+      0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
+      0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
+      0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
+      0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
+      0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
+      0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
+      0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
+      0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
+      0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
+      0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
+      0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
+      0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
+      0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
+      0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
+      0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
+      0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
+      0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
+      0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
+      0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
+      0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
+      0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
+      0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
+      0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
+      0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
+      0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c
+    },
+    0
+   };
+ 
+-static const struct
+#define encT enc_tables.T
+
+static struct
+ {
+  volatile u32 counter_head;
+  u32 cacheline_align[64 / 4 - 1];
+   u32 T[256];
+   byte inv_sbox[256];
+-} dec_tables =
+  volatile u32 counter_tail;
+} dec_tables ATTR_ALIGNED_64 =
+   {
+    0,
+    { 0, },
+     {
+       0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a,
+       0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b,
+@@ -194,7 +212,8 @@ static const struct
+       0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61,
+       0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26,
+       0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d
+-    }
+    },
+    0
+   };
+ 
+ #define decT dec_tables.T
+diff --git a/cipher/rijndael.c b/cipher/rijndael.c
+index 8637195..d0edab2 100644
+--- a/cipher/rijndael.c
+++ b/cipher/rijndael.c
+@@ -227,11 +227,11 @@ static const char *selftest(void);
+ 
+ 
+ /* Prefetching for encryption/decryption tables. */
+-static void prefetch_table(const volatile byte *tab, size_t len)
+static inline void prefetch_table(const volatile byte *tab, size_t len)
+ {
+   size_t i;
+ 
+-  for (i = 0; i < len; i += 8 * 32)
+  for (i = 0; len - i >= 8 * 32; i += 8 * 32)
+     {
+       (void)tab[i + 0 * 32];
+       (void)tab[i + 1 * 32];
+@@ -242,17 +242,37 @@ static void prefetch_table(const volatile byte *tab, size_t len)
+       (void)tab[i + 6 * 32];
+       (void)tab[i + 7 * 32];
+     }
+  for (; i < len; i += 32)
+    {
+      (void)tab[i];
+    }
+ 
+   (void)tab[len - 1];
+ }
+ 
+ static void prefetch_enc(void)
+ {
+-  prefetch_table((const void *)encT, sizeof(encT));
+  /* Modify counters to trigger copy-on-write and unsharing if physical pages
+   * of look-up table are shared between processes.  Modifying counters also
+   * causes checksums for pages to change and hint same-page merging algorithm
+   * that these pages are frequently changing.  */
+  enc_tables.counter_head++;
+  enc_tables.counter_tail++;
+
+  /* Prefetch look-up tables to cache.  */
+  prefetch_table((const void *)&enc_tables, sizeof(enc_tables));
+ }
+ 
+ static void prefetch_dec(void)
+ {
+  /* Modify counters to trigger copy-on-write and unsharing if physical pages
+   * of look-up table are shared between processes.  Modifying counters also
+   * causes checksums for pages to change and hint same-page merging algorithm
+   * that these pages are frequently changing.  */
+  dec_tables.counter_head++;
+  dec_tables.counter_tail++;
+
+  /* Prefetch look-up tables to cache.  */
+   prefetch_table((const void *)&dec_tables, sizeof(dec_tables));
+ }
+ 
+@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx,
+ #ifdef USE_AMD64_ASM
+ # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
+   return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
+-                                      encT);
+                                      enc_tables.T);
+ # else
+   /* Call SystemV ABI function without storing non-volatile XMM registers,
+    * as target function does not use vector instruction sets. */
+@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx,
+   return ret;
+ # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
+ #elif defined(USE_ARM_ASM)
+-  return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT);
+  return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
+                                    enc_tables.T);
+ #else
+   return do_encrypt_fn (ctx, bx, ax);
+ #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/
+@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
+ #ifdef USE_AMD64_ASM
+ # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
+   return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
+-                                      &dec_tables);
+                                      dec_tables.T);
+ # else
+   /* Call SystemV ABI function without storing non-volatile XMM registers,
+    * as target function does not use vector instruction sets. */
+@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
+ # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
+ #elif defined(USE_ARM_ASM)
+   return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
+-                                    &dec_tables);
+                                    dec_tables.T);
+ #else
+   return do_decrypt_fn (ctx, bx, ax);
+ #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/
+-- 
+2.7.4
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
index fda68a2938..13d037880b 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
@@ -21,6 +21,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
           file://0003-tests-bench-slope.c-workaround-ICE-failure-on-mips-w.patch \
           file://0002-libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \
           file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \
+           file://CVE-2019-12904_p1.patch \
+           file://CVE-2019-12904_p2.patch \
 "
 SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573"
 SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227"