51 files changed, 953 insertions, 250 deletions

diff --git a/meta-filesystems/recipes-filesystems/owfs/owfs/0001-Add-build-rule-for-README.patch b/meta-filesystems/recipes-filesystems/owfs/owfs/0001-Add-build-rule-for-README.patch
index 870d0ef056..229c58f1d0 100644
--- a/meta-filesystems/recipes-filesystems/owfs/owfs/0001-Add-build-rule-for-README.patch
+++ b/meta-filesystems/recipes-filesystems/owfs/owfs/0001-Add-build-rule-for-README.patch
@@ -17,11 +17,11 @@ diff --git a/Makefile.am b/Makefile.am
 index e0c4ad6..0449321 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -35,3 +35,4 @@ rpmcvs: preparerpm
+@@ -30,3 +30,5 @@ rpm: preparerpm
+ rpmcvs: preparerpm
         @LN_S@ -f `pwd`/@PACKAGE@-@VERSION@.tar.gz ${RPMDIR}/SOURCES/@PACKAGE@-@VERSION@_cvs_`date +"%Y%m%d"`.tar.gz
         cd ${RPMDIR}/SPECS && @RPMBUILD@ -ba @PACKAGE@.spec --define 'cvs 1'
- 
++
 +README: README.md
 -- 
 2.7.4
-
diff --git a/meta-filesystems/recipes-filesystems/owfs/owfs/0001-Fix-compilation-with-GCC10.patch b/meta-filesystems/recipes-filesystems/owfs/owfs/0001-Fix-compilation-with-GCC10.patch
deleted file mode 100644
index 6426ecb247..0000000000
--- a/meta-filesystems/recipes-filesystems/owfs/owfs/0001-Fix-compilation-with-GCC10.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From a812202d22a2861318b8e39f1cd74cd222f8e76f Mon Sep 17 00:00:00 2001
-From: "Azamat H. Hackimov" <azamat.hackimov@gmail.com>
-Date: Tue, 9 Jun 2020 11:30:38 +0300
-Subject: [PATCH] Fix compilation with GCC10
-
-Fixed compilation with -fno-common, which enabled in GCC 10 by default.
-See https://bugs.gentoo.org/707438.
-
-Upstream-Status: Backport [https://github.com/owfs/owfs/pull/62]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- module/owserver/src/c/owserver.c       | 2 ++
- module/owserver/src/include/owserver.h | 2 +-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/module/owserver/src/c/owserver.c b/module/owserver/src/c/owserver.c
-index db29988e..2ed29161 100644
---- a/module/owserver/src/c/owserver.c
-+++ b/module/owserver/src/c/owserver.c
-@@ -36,6 +36,8 @@
- 
- #include "owserver.h"
- 
-+pthread_mutex_t persistence_mutex ;
-+
- /* --- Prototypes ------------ */
- static void SetupAntiloop(int argc, char **argv);
- 
-diff --git a/module/owserver/src/include/owserver.h b/module/owserver/src/include/owserver.h
-index 8be582f0..a257ed02 100644
---- a/module/owserver/src/include/owserver.h
-+++ b/module/owserver/src/include/owserver.h
-@@ -18,7 +18,7 @@
- #include "ow.h"
- #include "ow_connection.h"
- 
--pthread_mutex_t persistence_mutex ;
-+extern pthread_mutex_t persistence_mutex ;
- #define PERSISTENCELOCK    _MUTEX_LOCK(   persistence_mutex ) ;
- #define PERSISTENCEUNLOCK  _MUTEX_UNLOCK( persistence_mutex ) ;
- 
--- 
-2.28.0
-
diff --git a/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb b/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p4.bb
index 890c8aecc0..94379939de 100644
--- a/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb
+++ b/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p4.bb
@@ -8,11 +8,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=628b867016631792781a8735a04760e5 \
                     file://COPYING.LIB;md5=9021b7435efdd9fb22beef8291134099"
 
 DEPENDS = "fuse virtual/libusb0"
-# v3.2p3
-SRCREV = "3744375dfaa350e31c9b360eb1e1a517bbeb5c47"
-SRC_URI = "git://github.com/owfs/owfs;branch=master;protocol=https \
+
+SRCREV = "c68deb1fc6d30fcc5eabe0a0d9c9dc2ca54e455a"
+SRC_URI = "git://github.com/owfs/owfs;branch=master;protocol=https;tag=v${PV} \
            file://0001-Add-build-rule-for-README.patch \
-           file://0001-Fix-compilation-with-GCC10.patch \
            file://owhttpd \
            file://owserver \
            "
diff --git a/meta-filesystems/recipes-filesystems/packageconfigs/packagegroup-meta-filesystems.bb b/meta-filesystems/recipes-filesystems/packagegroups/packagegroup-meta-filesystems.bb
index 40f851364d..40f851364d 100644
--- a/meta-filesystems/recipes-filesystems/packageconfigs/packagegroup-meta-filesystems.bb
+++ b/meta-filesystems/recipes-filesystems/packagegroups/packagegroup-meta-filesystems.bb
diff --git a/meta-filesystems/recipes-filesystems/zfs/zfs/0001-Define-strndupa-if-it-does-not-exist.patch b/meta-filesystems/recipes-filesystems/zfs/zfs/0001-Define-strndupa-if-it-does-not-exist.patch
index 80955b3ca0..c607936e28 100644
--- a/meta-filesystems/recipes-filesystems/zfs/zfs/0001-Define-strndupa-if-it-does-not-exist.patch
+++ b/meta-filesystems/recipes-filesystems/zfs/zfs/0001-Define-strndupa-if-it-does-not-exist.patch
@@ -1,4 +1,4 @@
-From cc0cd6f71f6ef96fca2d7b730a3f0f6722fec696 Mon Sep 17 00:00:00 2001
+From 339359b9af5f24dedebe7234edd586e3fcacd436 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Sat, 7 May 2022 12:15:22 -0700
 Subject: [PATCH] Define strndupa if it does not exist
@@ -7,13 +7,12 @@ musl e.g. does not supply strndupa, unlike glibc
 
 Upstream-Status: Pending
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
 ---
  etc/systemd/system-generators/zfs-mount-generator.c | 9 +++++++++
  1 file changed, 9 insertions(+)
 
 diff --git a/etc/systemd/system-generators/zfs-mount-generator.c b/etc/systemd/system-generators/zfs-mount-generator.c
-index f4c6c26..255bee4 100644
+index ab5dc4d78..d70cd2617 100644
 --- a/etc/systemd/system-generators/zfs-mount-generator.c
 +++ b/etc/systemd/system-generators/zfs-mount-generator.c
 @@ -193,6 +193,15 @@ fopenat(int dirfd, const char *pathname, int flags,
diff --git a/meta-filesystems/recipes-filesystems/zfs/zfs/aaf28a4630af60496c9d33db1d06a7d7d8983422.patch b/meta-filesystems/recipes-filesystems/zfs/zfs/0002-fixes-broken-aarch64-inline-assembly-for-gcc-13.1.patch
index f5504b389d..63dc71555a 100644
--- a/meta-filesystems/recipes-filesystems/zfs/zfs/aaf28a4630af60496c9d33db1d06a7d7d8983422.patch
+++ b/meta-filesystems/recipes-filesystems/zfs/zfs/0002-fixes-broken-aarch64-inline-assembly-for-gcc-13.1.patch
@@ -1,4 +1,4 @@
-From aaf28a4630af60496c9d33db1d06a7d7d8983422 Mon Sep 17 00:00:00 2001
+From d05d2583ae1807e380492ea8570106c1f0a9effb Mon Sep 17 00:00:00 2001
 From: Sebastian Gottschall <s.gottschall@dd-wrt.com>
 Date: Tue, 23 May 2023 13:50:24 +0600
 Subject: [PATCH] fixes broken aarch64 inline assembly for gcc 13.1
@@ -39,9 +39,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  module/Kbuild.in | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)
 
+diff --git a/module/Kbuild.in b/module/Kbuild.in
+index a72d2a4cc..c6134baec 100644
 --- a/module/Kbuild.in
 +++ b/module/Kbuild.in
-@@ -57,9 +57,9 @@ asflags-y := $(ZFS_MODULE_CFLAGS) $(ZFS_
+@@ -57,9 +57,9 @@ asflags-y := $(ZFS_MODULE_CFLAGS) $(ZFS_MODULE_CPPFLAGS)
  ccflags-y := $(ZFS_MODULE_CFLAGS) $(ZFS_MODULE_CPPFLAGS)
  
  ifeq ($(CONFIG_ARM64),y)
diff --git a/meta-filesystems/recipes-filesystems/zfs/zfs/0001-fs-tests-cmd-readmmap-Replace-uint_t-with-uint32_t.patch b/meta-filesystems/recipes-filesystems/zfs/zfs/0003-fs-tests-cmd-readmmap-Replace-uint_t-with-uint32_t.patch
index f1cfab4daf..d106bc0cdd 100644
--- a/meta-filesystems/recipes-filesystems/zfs/zfs/0001-fs-tests-cmd-readmmap-Replace-uint_t-with-uint32_t.patch
+++ b/meta-filesystems/recipes-filesystems/zfs/zfs/0003-fs-tests-cmd-readmmap-Replace-uint_t-with-uint32_t.patch
@@ -1,4 +1,4 @@
-From 1f9a5cb860b3509791e59a8cae9d5f265e832ed0 Mon Sep 17 00:00:00 2001
+From b37f4e0f11186206863f41e1a638ca4e57c3dc53 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Sun, 28 May 2023 16:33:15 -0700
 Subject: [PATCH] fs-tests/cmd/readmmap: Replace uint_t with uint32_t
@@ -12,7 +12,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  1 file changed, 3 insertions(+), 2 deletions(-)
 
 diff --git a/tests/zfs-tests/cmd/readmmap.c b/tests/zfs-tests/cmd/readmmap.c
-index 704ffd55c8..a2590e0e8d 100644
+index a5c8079d0..c22b58e9d 100644
 --- a/tests/zfs-tests/cmd/readmmap.c
 +++ b/tests/zfs-tests/cmd/readmmap.c
 @@ -38,6 +38,7 @@
@@ -23,7 +23,7 @@ index 704ffd55c8..a2590e0e8d 100644
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>
-@@ -55,7 +56,7 @@ main(int argc, char **argv)
+@@ -56,7 +57,7 @@ main(int argc, char **argv)
         char *buf = NULL;
         char *map = NULL;
         int fd = -1, bytes, retval = 0;
@@ -32,7 +32,7 @@ index 704ffd55c8..a2590e0e8d 100644
  
         if (argc < 2 || optind == argc) {
                 (void) fprintf(stderr,
-@@ -92,7 +93,7 @@ main(int argc, char **argv)
+@@ -93,7 +94,7 @@ main(int argc, char **argv)
                 retval = 1;
                 goto end;
         }
@@ -41,6 +41,3 @@ index 704ffd55c8..a2590e0e8d 100644
         srandom(seed);
  
         idx = random() % size;
--- 
-2.40.1
-
diff --git a/meta-filesystems/recipes-filesystems/zfs/zfs/0004-linux-use-sys-stat.h-instead-of-linux-stat.h.patch b/meta-filesystems/recipes-filesystems/zfs/zfs/0004-linux-use-sys-stat.h-instead-of-linux-stat.h.patch
new file mode 100644
index 0000000000..53fa5d9b5c
--- /dev/null
+++ b/meta-filesystems/recipes-filesystems/zfs/zfs/0004-linux-use-sys-stat.h-instead-of-linux-stat.h.patch
@@ -0,0 +1,83 @@
+From a4d9aadf0094392e5e477dbc8c43f973692dab00 Mon Sep 17 00:00:00 2001
+From: classabbyamp <5366828+classabbyamp@users.noreply.github.com>
+Date: Wed, 27 Aug 2025 17:42:32 -0400
+Subject: [PATCH] linux: use sys/stat.h instead of linux/stat.h
+
+glibc includes linux/stat.h for statx, but musl defines its own statx
+struct and associated constants, which does not include STATX_MNT_ID
+yet. Thus, including linux/stat.h directly should be avoided for
+maximum libc compatibility.
+
+Tested on:
+  - glibc: x86_64, i686, aarch64, armv7l, armv6l
+  - musl: x86_64, aarch64, armv7l, armv6l
+
+Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
+Tested-By: Achill Gilgenast <achill@achill.org>
+Signed-off-by: classabbyamp <dev@placeviolette.net>
+Closes #17675
+(cherry picked from commit ccf5a8a6fcfdfbdaa2f0fdca5d787958224bf06d)
+
+Upstream-Status: Backport [https://github.com/openzfs/zfs/commit/ccf5a8a6fcfdfbdaa2f0fdca5d787958224bf06d]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ config/user-statx.m4                   | 6 +++---
+ include/os/linux/spl/sys/stat.h        | 2 +-
+ lib/libspl/include/os/linux/sys/stat.h | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/config/user-statx.m4 b/config/user-statx.m4
+index 0315f93e0..1ba74a40e 100644
+--- a/config/user-statx.m4
++++ b/config/user-statx.m4
+@@ -2,7 +2,7 @@ dnl #
+ dnl # Check for statx() function and STATX_MNT_ID availability
+ dnl #
+ AC_DEFUN([ZFS_AC_CONFIG_USER_STATX], [
+-       AC_CHECK_HEADERS([linux/stat.h],
++       AC_CHECK_HEADERS([sys/stat.h],
+                [have_stat_headers=yes],
+                [have_stat_headers=no])
+ 
+@@ -14,7 +14,7 @@ AC_DEFUN([ZFS_AC_CONFIG_USER_STATX], [
+                        AC_MSG_CHECKING([for STATX_MNT_ID])
+                        AC_COMPILE_IFELSE([
+                                AC_LANG_PROGRAM([[
+-                                       #include <linux/stat.h>
++                                       #include <sys/stat.h>
+                                ]], [[
+                                        struct statx stx;
+                                        int mask = STATX_MNT_ID;
+@@ -29,6 +29,6 @@ AC_DEFUN([ZFS_AC_CONFIG_USER_STATX], [
+                        ])
+                ])
+        ], [
+-               AC_MSG_WARN([linux/stat.h not found; skipping statx support])
++               AC_MSG_WARN([sys/stat.h not found; skipping statx support])
+        ])
+ ])  dnl end AC_DEFUN
+diff --git a/include/os/linux/spl/sys/stat.h b/include/os/linux/spl/sys/stat.h
+index 598784964..5c8cff72e 100644
+--- a/include/os/linux/spl/sys/stat.h
++++ b/include/os/linux/spl/sys/stat.h
+@@ -24,6 +24,6 @@
+ #ifndef _SPL_STAT_H
+ #define        _SPL_STAT_H
+ 
+-#include <linux/stat.h>
++#include <sys/stat.h>
+ 
+ #endif /* SPL_STAT_H */
+diff --git a/lib/libspl/include/os/linux/sys/stat.h b/lib/libspl/include/os/linux/sys/stat.h
+index 5fbe892ee..ef8738fa8 100644
+--- a/lib/libspl/include/os/linux/sys/stat.h
++++ b/lib/libspl/include/os/linux/sys/stat.h
+@@ -32,7 +32,7 @@
+ 
+ #ifdef HAVE_STATX
+ #include <fcntl.h>
+-#include <linux/stat.h>
++#include <sys/stat.h>
+ #endif
+ 
+ /*
diff --git a/meta-filesystems/recipes-filesystems/zfs/zfs_2.2.8.bb b/meta-filesystems/recipes-filesystems/zfs/zfs_2.2.9.bb
index 1fc1457b19..22d35516e7 100644
--- a/meta-filesystems/recipes-filesystems/zfs/zfs_2.2.8.bb
+++ b/meta-filesystems/recipes-filesystems/zfs/zfs_2.2.9.bb
@@ -4,11 +4,12 @@ LICENSE = "CDDL-1.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=7087caaf1dc8a2856585619f4a787faa"
 HOMEPAGE = "https://github.com/openzfs/zfs"
 
-SRCREV = "3e4a3e161c00273303cd9fa9e0dc09ead3499a8a"
-SRC_URI = "git://github.com/openzfs/zfs;protocol=https;branch=zfs-2.2-release \
+SRCREV = "079ba86d71571bf997ff688da061d8c4aa2fd052"
+SRC_URI = "git://github.com/openzfs/zfs;protocol=https;branch=zfs-2.2-release;tag=${BP} \
            file://0001-Define-strndupa-if-it-does-not-exist.patch \
-           file://aaf28a4630af60496c9d33db1d06a7d7d8983422.patch \
-           file://0001-fs-tests-cmd-readmmap-Replace-uint_t-with-uint32_t.patch \
+           file://0002-fixes-broken-aarch64-inline-assembly-for-gcc-13.1.patch \
+           file://0003-fs-tests-cmd-readmmap-Replace-uint_t-with-uint32_t.patch \
+           file://0004-linux-use-sys-stat.h-instead-of-linux-stat.h.patch \
 "
 
 
diff --git a/meta-filesystems/recipes-utils/btrfsmaintenance/btrfsmaintenance_0.5.bb b/meta-filesystems/recipes-utils/btrfsmaintenance/btrfsmaintenance_0.5.2.bb
index 645e38ca49..6722b63c10 100644
--- a/meta-filesystems/recipes-utils/btrfsmaintenance/btrfsmaintenance_0.5.bb
+++ b/meta-filesystems/recipes-utils/btrfsmaintenance/btrfsmaintenance_0.5.2.bb
@@ -9,11 +9,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=892f569a555ba9c07a568a7c0c4fa63a"
 
 SECTION = "base"
 
-SRC_URI = "git://github.com/kdave/${BPN};branch=master;protocol=https \
+SRC_URI = "git://github.com/kdave/${BPN};branch=master;protocol=https;tag=v${PV} \
     file://0001-change-sysconfig-path-to-etc-default.patch \
     file://0002-add-WantedBy-directive-to-btrfsmaintenance-refresh.s.patch \
 "
-SRCREV = "be42cb6267055d125994abd6927cf3a26deab74c"
+SRCREV = "beb9e2d166cbd856297fe8d28e89e8b36961a723"
 
 UPSTREAM_CHECK_URI = "https://github.com/kdave/${BPN}/tags"
 UPSTREAM_CHECK_REGEX = "${BPN}/releases/tag/v(?P<pver>\d+(?:\.\d+)*)"
diff --git a/meta-filesystems/recipes-utils/btrfsmaintenance/files/0001-change-sysconfig-path-to-etc-default.patch b/meta-filesystems/recipes-utils/btrfsmaintenance/files/0001-change-sysconfig-path-to-etc-default.patch
index d425206f0e..b064adcc86 100644
--- a/meta-filesystems/recipes-utils/btrfsmaintenance/files/0001-change-sysconfig-path-to-etc-default.patch
+++ b/meta-filesystems/recipes-utils/btrfsmaintenance/files/0001-change-sysconfig-path-to-etc-default.patch
@@ -1,6 +1,3 @@
-From b49dbe17e0d9ae463e5a34e6991aa2d3c70d2fb1 Mon Sep 17 00:00:00 2001
-From: Claudius Heine <ch@denx.de>
-Date: Wed, 11 May 2022 14:33:13 +0200
 Subject: [PATCH] change sysconfig path to /etc/default
 
 OE uses /etc/default for service configuration, not /etc/sysconfig which
@@ -11,6 +8,9 @@ Change the files accordingly
 Upstream-Status: Inappropriate [OE specific]
 
 Signed-off-by: Claudius Heine <ch@denx.de>
+
+Update for 0.5.2
+Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
 ---
  btrfsmaintenance-refresh.path    | 4 ++--
  btrfsmaintenance-refresh.service | 2 +-
@@ -32,16 +32,16 @@ index d56ad11..f0b4132 100644
  [Install]
  WantedBy=multi-user.target
 diff --git a/btrfsmaintenance-refresh.service b/btrfsmaintenance-refresh.service
-index 4ed1eb4..d6225a6 100644
+index 19e51c0..223fca9 100644
 --- a/btrfsmaintenance-refresh.service
 +++ b/btrfsmaintenance-refresh.service
 @@ -1,5 +1,5 @@
  [Unit]
--Description=Update cron periods from /etc/sysconfig/btrfsmaintenance
-+Description=Update cron periods from /etc/default/btrfsmaintenance
+-Description=Configure systemd timer schedule according to /etc/sysconfig/btrfsmaintenance
++Description=Configure systemd timer schedule according to /etc/default/btrfsmaintenance
+ Documentation="file:/usr/share/doc/btrfsmaintenance/README.man"
+ Documentation="file:/usr/share/doc/packages/btrfsmaintenance/README.man"
  
- [Service]
- ExecStart=/usr/share/btrfsmaintenance/btrfsmaintenance-refresh-cron.sh systemd-timer
 -- 
-2.33.3
+2.43.0
 
diff --git a/meta-multimedia/recipes-multimedia/bluealsa/bluealsa_4.3.0.bb b/meta-multimedia/recipes-multimedia/bluealsa/bluealsa_4.3.0.bb
index 162a51284e..4f15465371 100644
--- a/meta-multimedia/recipes-multimedia/bluealsa/bluealsa_4.3.0.bb
+++ b/meta-multimedia/recipes-multimedia/bluealsa/bluealsa_4.3.0.bb
@@ -58,6 +58,7 @@ EXTRA_OECONF = "\
 PACKAGE_BEFORE_PN = "${PN}-aplay"
 
 FILES:${PN}-aplay += "${bindir}/bluealsa-aplay"
+FILES:${PN}-staticdev += "${libdir}/alsa-lib/*.a"
 FILES:${PN} += "${libdir}/alsa-lib/* ${datadir}/dbus-1/system.d"
 
 RRECOMMENDS:${PN} = "${PN}-aplay"
diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch
new file mode 100644
index 0000000000..e3c2ce40e7
--- /dev/null
+++ b/meta-multimedia/recipes-multimedia/libde265/libde265/CVE-2025-61147.patch
@@ -0,0 +1,84 @@
+From 4f267b389e33e30f9eccfedd5768fb172a64d9c2 Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 9 Sep 2025 15:14:05 +0200
+Subject: [PATCH] check for valid integer command line parameters (#484)
+
+OE comment:
+This is a partial backport of the below mentioned patch, without raising
+the required c++ standard.
+
+CVE: CVE-2025-61147
+Upstream-Status: Backport [https://github.com/strukturag/libde265/commit/8b17e0930f77db07f55e0b89399a8f054ddbecf7]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ dec265/dec265.cc | 35 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/dec265/dec265.cc b/dec265/dec265.cc
+index 79f67cd3..c38b0715 100644
+--- a/dec265/dec265.cc
++++ b/dec265/dec265.cc
+@@ -27,6 +27,9 @@
+ #define DO_MEMORY_LOGGING 0
+ 
+ #include "de265.h"
++#include <stdexcept>
++#include <iostream>
++
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+ #endif
+@@ -562,6 +565,32 @@ void (*volatile __malloc_initialize_hook)(void) = init_my_hooks;
+ #endif
+ #endif
+ 
++int parse_param(const char* arg, int lower_bound, const char* arg_name){
++  int value;
++
++  try {
++    size_t len;
++    value = std::stoi(optarg, &len);
++    if (arg[len] != 0) {
++      std::cerr << "invalid argument to " << arg_name << "\n";
++      exit(5);
++    }
++  } catch (std::invalid_argument const& ex) {
++    std::cerr << "invalid argument to " << arg_name << "\n";
++    exit(5);
++  }
++  catch (std::out_of_range const& ex) {
++    std::cerr << "argument to -T is out of range\n";
++    exit(5);
++  }
++
++  if (value < lower_bound) {
++    std::cerr << "argument to " << arg_name << " may not be smaller than " << lower_bound << "\n";
++    exit(5);
++  }
++
++  return value;
++}
+ 
+ int main(int argc, char** argv)
+ {
+@@ -578,9 +607,9 @@ int main(int argc, char** argv)
+ 
+     switch (c) {
+     case 'q': quiet++; break;
+-    case 't': nThreads=atoi(optarg); break;
++    case 't': nThreads=parse_param(optarg, 0, "-t"); break;
+     case 'c': check_hash=true; break;
+-    case 'f': max_frames=atoi(optarg); break;
++    case 'f': max_frames=parse_param(optarg, 1, "-f"); break;
+     case 'o': write_yuv=true; output_filename=optarg; break;
+     case 'h': show_help=true; break;
+     case 'd': dump_headers=true; break;
+@@ -592,7 +621,7 @@ int main(int argc, char** argv)
+     case 'm': measure_quality=true; reference_filename=optarg; break;
+     case 's': show_ssim_map=true; break;
+     case 'e': show_psnr_map=true; break;
+-    case 'T': highestTID=atoi(optarg); break;
++    case 'T': highestTID = parse_param(optarg, 0, "-T"); break;
+     case 'v': verbosity++; break;
+     }
+   }
diff --git a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb
index 3e3381b646..2676de5c2e 100644
--- a/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb
+++ b/meta-multimedia/recipes-multimedia/libde265/libde265_1.0.16.bb
@@ -8,7 +8,9 @@ LICENSE = "LGPL-3.0-only & MIT"
 LICENSE_FLAGS = "commercial"
 LIC_FILES_CHKSUM = "file://COPYING;md5=695b556799abb2435c97a113cdca512f"
 
-SRC_URI = "git://github.com/strukturag/libde265.git;branch=master;protocol=https;tag=v${PV}"
+SRC_URI = "git://github.com/strukturag/libde265.git;branch=master;protocol=https;tag=v${PV} \
+           file://CVE-2025-61147.patch \
+           "
 SRCREV = "7ba65889d3d6d8a0d99b5360b028243ba843be3a"
 
 
diff --git a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.20.bb b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.20.bb
index 044f1e0745..b7224d0f3d 100644
--- a/meta-networking/recipes-daemons/lldpd/lldpd_1.0.20.bb
+++ b/meta-networking/recipes-daemons/lldpd/lldpd_1.0.20.bb
@@ -29,7 +29,7 @@ EXTRA_OECONF += "--without-embedded-libevent \
 "
 
 PACKAGECONFIG ??= "cdp fdp edp sonmp lldpmed dot1 dot3"
-PACKAGECONFIG[xml] = "--with-xml,--without-xml,libxm2"
+PACKAGECONFIG[xml] = "--with-xml,--without-xml,libxml2"
 PACKAGECONFIG[snmp] = "--with-snmp,--without-snmp,net-snmp"
 PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
 PACKAGECONFIG[seccomp] = "--with-seccomp,--without-seccomp,libseccomp"
diff --git a/meta-networking/recipes-daemons/postfix/postfix_3.10.6.bb b/meta-networking/recipes-daemons/postfix/postfix_3.10.8.bb
index 6c091d9c56..757e6efa8c 100644
--- a/meta-networking/recipes-daemons/postfix/postfix_3.10.6.bb
+++ b/meta-networking/recipes-daemons/postfix/postfix_3.10.8.bb
@@ -28,7 +28,7 @@ SRC_URI = "http://ftp.porcupine.org/mirrors/postfix-release/official/postfix-${P
            file://0005-makedefs-add-lnsl-and-lresolv-to-SYSLIBS-by-default.patch \
            "
 
-SRC_URI[sha256sum] = "71b383f57d4cb363201be8a301bcbafe304aadbe7f38ebde41cd5b952248465b"
+SRC_URI[sha256sum] = "31d4b3eb8093d823b5a151f571719ff7c0462571bc95e6440d87ca525bfb096c"
 
 UPSTREAM_CHECK_URI = "https://www.postfix.org/announcements.html"
 UPSTREAM_CHECK_REGEX = "postfix-(?P<pver>\d+(\.\d+)+)"
diff --git a/meta-networking/recipes-support/ettercap/ettercap/CVE-2026-3606.patch b/meta-networking/recipes-support/ettercap/ettercap/CVE-2026-3606.patch
new file mode 100644
index 0000000000..6d3df3e596
--- /dev/null
+++ b/meta-networking/recipes-support/ettercap/ettercap/CVE-2026-3606.patch
@@ -0,0 +1,48 @@
+From 9b281e30a1e7fec481af7e07b40a00cd9edf1cf8 Mon Sep 17 00:00:00 2001
+From: Alexander Koeppe <alexander@koeppe.rocks>
+Date: Sun, 8 Mar 2026 17:57:39 +0100
+Subject: [PATCH] Fix heap-out-of-bounds read issue in etterfilter
+ (CVE-2026-3606)
+
+CVE: CVE-2026-3606
+Upstream-Status: Backport [https://github.com/Ettercap/ettercap/commit/41c312d4be6f6067968a275bf66b2abd2a0ba385]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ include/ec.h                  | 6 ++++++
+ utils/etterfilter/ef_output.c | 4 ++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/include/ec.h b/include/ec.h
+index 4e363b0a..66da146e 100644
+--- a/include/ec.h
++++ b/include/ec.h
+@@ -81,6 +81,12 @@
+    ON_ERROR(x, NULL, "virtual memory exhausted"); \
+ } while(0)
+ 
++#define SAFE_RECALLOC(x, s) do { \
++   x = realloc(x, s); \
++   ON_ERROR(x, NULL, "virtual memory exhausted"); \
++   memset(x, 0, s); \
++} while(0)
++
+ #define SAFE_STRDUP(x, s) do{ \
+    x = strdup(s); \
+    ON_ERROR(x, NULL, "virtual memory exhausted"); \
+diff --git a/utils/etterfilter/ef_output.c b/utils/etterfilter/ef_output.c
+index 2530e599..2f49177e 100644
+--- a/utils/etterfilter/ef_output.c
++++ b/utils/etterfilter/ef_output.c
+@@ -150,10 +150,10 @@ static size_t create_data_segment(u_char** data, struct filter_header *fh, struc
+ static size_t add_data_segment(u_char **data, size_t base, u_char **string, size_t slen)
+ {
+    /* make room for the new string */
+-   SAFE_REALLOC(*data, base + slen + 1);
++   SAFE_RECALLOC(*data, base + slen + 1);
+ 
+    /* copy the string, NULL separated */
+-   memcpy(*data + base, *string, slen + 1);
++   memcpy(*data + base, *string, slen);
+ 
+    /* 
+     * change the pointer to the new string location 
diff --git a/meta-networking/recipes-support/ettercap/ettercap_0.8.3.1.bb b/meta-networking/recipes-support/ettercap/ettercap_0.8.3.1.bb
index 027b6dd190..b3b756dddc 100644
--- a/meta-networking/recipes-support/ettercap/ettercap_0.8.3.1.bb
+++ b/meta-networking/recipes-support/ettercap/ettercap_0.8.3.1.bb
@@ -22,7 +22,9 @@ RDEPENDS:${PN} += "bash ethtool libgcc"
 
 SRC_URI = "gitsm://github.com/Ettercap/ettercap;branch=master;protocol=https \
            file://0001-sslstrip-Enhance-the-libcurl-version-check-to-consid.patch \
-           file://0002-allow-build-with-cmake-4.patch"
+           file://0002-allow-build-with-cmake-4.patch \
+           file://CVE-2026-3606.patch \
+           "
 
 SRCREV = "7281fbddb7da7478beb1d21e3cb105fff3778b31"
 
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-devtools/bpftrace/bpftrace_0.24.1.bb b/meta-oe/dynamic-layers/meta-python/recipes-devtools/bpftrace/bpftrace_0.24.1.bb
index add2ff01a8..33de2f4054 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-devtools/bpftrace/bpftrace_0.24.1.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-devtools/bpftrace/bpftrace_0.24.1.bb
@@ -15,9 +15,6 @@ DEPENDS += "bison-native \
             "
 DEPENDS += "${@bb.utils.contains('PTEST_ENABLED', '1', 'pahole-native llvm-native', '', d)}"
 
-RDEPENDS:${PN} += "bash python3 xz"
-RDEPENDS:${PN}-ptest += "bpftool"
-
 SRC_URI = "git://github.com/iovisor/bpftrace;branch=release/0.24.x;protocol=https;tag=v${PV} \
            file://run-ptest \
            file://0002-CMakeLists.txt-allow-to-set-BISON_FLAGS-like-l.patch \
@@ -41,9 +38,9 @@ do_install_ptest() {
         cp -rf ${B}/tests/test* ${D}${PTEST_PATH}/tests
     fi
     for f in testlibs/cmake_install.cmake \
-    testprogs/cmake_install.cmake \
-    testlibs/CTestTestfile.cmake \
-    testprogs/CTestTestfile.cmake
+             testprogs/cmake_install.cmake \
+             testlibs/CTestTestfile.cmake \
+             testprogs/CTestTestfile.cmake
     do
         sed -i -e 's|${STAGING_BINDIR_TOOLCHAIN}/||' ${D}${libdir}/bpftrace/ptest/tests/$f
         sed -i -e 's|${S}/||' ${D}${libdir}/bpftrace/ptest/tests/$f
@@ -59,6 +56,8 @@ EXTRA_OECMAKE = " \
     -DBISON_FLAGS='--file-prefix-map=${WORKDIR}=' \
 "
 
+RDEPENDS:${PN}-ptest += "bash bpftool python3"
+
 COMPATIBLE_HOST = "(x86_64.*|aarch64.*|powerpc64.*|riscv64.*)-linux"
 
 INHIBIT_PACKAGE_STRIP_FILES += "\
diff --git a/meta-oe/recipes-connectivity/ser2net/ser2net_4.6.6.bb b/meta-oe/recipes-connectivity/ser2net/ser2net_4.6.7.bb
index 56ade35bc7..db442e41dc 100644
--- a/meta-oe/recipes-connectivity/ser2net/ser2net_4.6.6.bb
+++ b/meta-oe/recipes-connectivity/ser2net/ser2net_4.6.7.bb
@@ -11,7 +11,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/ser2net/ser2net/ser2net-${PV}.tar.gz \
     file://ser2net.service \
 "
 
-SRC_URI[sha256sum] = "a468073c7bf8166c78c61d30bba487916dc4088e98f96e190b37ea8100a94fd4"
+SRC_URI[sha256sum] = "6b921bc7efb1b9a8a78268d63332701902cc1c8dbac51842d46ede6ffb5fa2a4"
 
 UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/ser2net/files/ser2net"
 
diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_11.4.9.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_11.4.10.bb
index ff48dcd806..ff48dcd806 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb-native_11.4.9.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb-native_11.4.10.bb
diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 4fcb5a1e40..9470184d3d 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -23,12 +23,10 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
            file://lfs64.patch \
            file://0001-Add-missing-includes-cstdint-and-cstdio.patch \
            file://riscv32.patch \
-           file://0001-Remove-x86-specific-loop-in-my_convert.patch \
            file://0001-support-reproducible-builds.patch \
            file://0001-storage-mroonga-CMakeLists.txt-fix-reproducible-buil.patch \
-           file://0001-MDEV-38029-my_tzinfo-t-fails-for-certain-TZ-values-o.patch \
           "
-SRC_URI[sha256sum] = "8e481ca29b5a740444d45451c8ea2d93711cf525d6fa5d27bc9512cf8973b075"
+SRC_URI[sha256sum] = "14783ddc5edd966ff05aa0efd5ed6d3d369ed5b9e4080a448f00f87a9f0a4a6b"
 
 UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/tags"
 
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-38029-my_tzinfo-t-fails-for-certain-TZ-values-o.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-38029-my_tzinfo-t-fails-for-certain-TZ-values-o.patch
deleted file mode 100644
index f1e07e304a..0000000000
--- a/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-38029-my_tzinfo-t-fails-for-certain-TZ-values-o.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 61bc216ff9e1d0a8a7fafce57ba916018cd6ac6d Mon Sep 17 00:00:00 2001
-From: Vladislav Vaintroub <vvaintroub@gmail.com>
-Date: Wed, 19 Nov 2025 13:01:56 +0100
-Subject: [PATCH] MDEV-38029 my_tzinfo-t fails for certain TZ values on musl
-
-From: Vladislav Vaintroub <vvaintroub@gmail.com>
-
-The test fails for TZ values such as `PST8PDT` (present but outdated in
-tzdb) and custom forms like `GST-1GDT`. On musl, these values do not
-trigger the expected DST transitions, leading to incorrect DST offsets
-or abbreviations.
-
-This appears to be a musl libc bug; the same TZ values behave correctly
-elsewhere, including Windows. We work around it by skipping the
-affected tests when musl is detected.
-
-Upstream-Status: Submitted [https://github.com/MariaDB/server/pull/4452]
-Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
----
- unittest/mysys/my_tzinfo-t.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/unittest/mysys/my_tzinfo-t.c b/unittest/mysys/my_tzinfo-t.c
-index b38ebd37..585d52f8 100644
---- a/unittest/mysys/my_tzinfo-t.c
-+++ b/unittest/mysys/my_tzinfo-t.c
-@@ -112,6 +112,20 @@ void test_timezone(const char *tz_env, const char **expected_tznames,
-     }
-   }
-   ok(found, "%s: timezone_name = %s", tz_env, timezone_name);
-+
-+#if defined __linux__ && !defined __GLIBC__ && !defined __UCLIBC__
-+  /*
-+    MUSL incorrectly calculates UTC offsets and abbreviations
-+    for certain values of TZ (DST related). See MDEV-38029
-+    Skip tests in this case.
-+  */
-+  if (!strcmp(tz_env, "PST8PDT") || !strcmp(tz_env, "GST-1GDT"))
-+  {
-+    skip(6, "musl UTC offset/abbreviation bug, tzname %s, see MDEV-38029", tz_env);
-+    return;
-+  }
-+#endif
-+
-   my_tzinfo(SUMMER_TIMESTAMP, &tz);
-   ok(summer_gmt_off == tz.seconds_offset, "%s: Summer GMT offset %ld", tz_env, tz.seconds_offset);
-   check_utc_offset(SUMMER_TIMESTAMP,tz.seconds_offset, tz_env);
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-Remove-x86-specific-loop-in-my_convert.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-Remove-x86-specific-loop-in-my_convert.patch
deleted file mode 100644
index afcf4fe843..0000000000
--- a/meta-oe/recipes-dbs/mysql/mariadb/0001-Remove-x86-specific-loop-in-my_convert.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From 79d2a95391abc133e86688696ae21628b7035b2d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zolt=C3=A1n=20B=C3=B6sz=C3=B6rm=C3=A9nyi?=
- <zboszor@gmail.com>
-Date: Wed, 1 Oct 2025 09:29:04 +0200
-Subject: [PATCH] Remove x86 specific loop in my_convert()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-mysqldump/mariadb-dump crashes with this backtrace:
-
-| (gdb) bt
-| #0  my_convert (to=<optimized out>, to_length=160, to_cs=0x55b5740fbda0 <my_charset_utf8mb4_general_ci>, from=<optimized out>, from_length=40,
-|     from_cs=0x55b57408bda0 <my_charset_utf8mb3_unicode_ci>, errors=0x7f950c35cd6c) at /usr/src/debug/mariadb/11.8.3/strings/ctype.c:1256
-| #1  0x000055b572d9f4a0 in copy_and_convert (to=0x7f94fc00c9db "Configuratiogicate_log\020automagicate_log\017is_done_message\017is_done_message",
-|     to_length=<optimized out>, to_cs=<optimized out>, from=0x7f94fc059f37 "Configuration downloading from portal...", from_length=40, from_cs=<optimized out>,
-|     errors=0x7f950c35cd6c) at /usr/src/debug/mariadb/11.8.3/sql/sql_string.h:53
-| #2  Protocol::net_store_data_cs (this=0x7f94fc001260, from=0x7f94fc059f37 "Configuration downloading from portal...", length=40, from_cs=<optimized out>,
-|     to_cs=<optimized out>) at /usr/src/debug/mariadb/11.8.3/sql/protocol.cc:114
-| #3  0x000055b572da103f in Protocol::send_result_set_row (this=this@entry=0x7f94fc001260, row_items=row_items@entry=0x7f94fc013418)
-|     at /usr/src/debug/mariadb/11.8.3/sql/protocol.cc:1359
-| #4  0x000055b572e19442 in select_send::send_data (this=0x7f94fc014f78, items=...) at /usr/src/debug/mariadb/11.8.3/sql/sql_class.cc:3294
-| #5  0x000055b572ef7c69 in select_result_sink::send_data_with_check (u=<optimized out>, sent=<optimized out>, this=<optimized out>, items=...)
-|     at /usr/src/debug/mariadb/11.8.3/sql/sql_class.h:6264
-| #6  select_result_sink::send_data_with_check (this=<optimized out>, items=..., u=<optimized out>, sent=<optimized out>)
-|     at /usr/src/debug/mariadb/11.8.3/sql/sql_class.h:6254
-| #7  end_send (join=<optimized out>, join_tab=<optimized out>, end_of_records=<optimized out>) at /usr/src/debug/mariadb/11.8.3/sql/sql_select.cc:25629
-| #8  0x000055b572ec38b6 in evaluate_join_record (join=join@entry=0x7f94fc014fa0, join_tab=join_tab@entry=0x7f94fc016940, error=error@entry=0)
-|     at /usr/src/debug/mariadb/11.8.3/sql/sql_select.cc:24523
-| #9  0x000055b572edcbf2 in sub_select (join=0x7f94fc014fa0, join_tab=0x7f94fc016940, end_of_records=<optimized out>)
-|     at /usr/src/debug/mariadb/11.8.3/sql/sql_select.cc:24290
-| #10 0x000055b572f119c6 in do_select (join=0x7f94fc014fa0, procedure=<optimized out>) at /usr/src/debug/mariadb/11.8.3/sql/sql_select.cc:23801
-| #11 JOIN::exec_inner (this=this@entry=0x7f94fc014fa0) at /usr/src/debug/mariadb/11.8.3/sql/sql_select.cc:5071
-| #12 0x000055b572f11d43 in JOIN::exec (this=this@entry=0x7f94fc014fa0) at /usr/src/debug/mariadb/11.8.3/sql/sql_select.cc:4859
-| #13 0x000055b572f0ffe6 in mysql_select (thd=thd@entry=0x7f94fc000cd8, tables=0x7f94fc013f38, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0,
-|     proc_param=0x0, select_options=551922436864, result=0x7f94fc014f78, unit=0x7f94fc005038, select_lex=0x7f94fc013160)
-|     at /usr/src/debug/mariadb/11.8.3/sql/sql_select.cc:5387
-| #14 0x000055b572f107dd in handle_select (thd=thd@entry=0x7f94fc000cd8, lex=lex@entry=0x7f94fc004f58, result=result@entry=0x7f94fc014f78,
-|     setup_tables_done_option=setup_tables_done_option@entry=0) at /usr/src/debug/mariadb/11.8.3/sql/sql_select.cc:633
-| #15 0x000055b572e77d9e in execute_sqlcom_select (thd=thd@entry=0x7f94fc000cd8, all_tables=0x7f94fc013f38) at /usr/src/debug/mariadb/11.8.3/sql/sql_parse.cc:6190
-| #16 0x000055b572e877be in mysql_execute_command (thd=thd@entry=0x7f94fc000cd8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)
-|     at /usr/src/debug/mariadb/11.8.3/sql/sql_parse.cc:3975
-| #17 0x000055b572e88e03 in mysql_parse (thd=0x7f94fc000cd8, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)
-|     at /usr/src/debug/mariadb/11.8.3/sql/sql_parse.cc:7905
-| #18 0x000055b572e8b2a1 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f94fc000cd8, packet=packet@entry=0x7f94fc0088a9 "",
-|     packet_length=packet_length@entry=152, blocking=blocking@entry=true) at /usr/src/debug/mariadb/11.8.3/sql/sql_parse.cc:1903
-| #19 0x000055b572e8cf7c in do_command (thd=thd@entry=0x7f94fc000cd8, blocking=blocking@entry=true) at /usr/src/debug/mariadb/11.8.3/sql/sql_parse.cc:1416
-| #20 0x000055b572fcfc0d in do_handle_one_connection (connect=<optimized out>, put_in_cache=true) at /usr/src/debug/mariadb/11.8.3/sql/sql_connect.cc:1415
-| #21 0x000055b572fcffc5 in handle_one_connection (arg=arg@entry=0x55b57943cbd8) at /usr/src/debug/mariadb/11.8.3/sql/sql_connect.cc:1327
-| #22 0x000055b573382440 in pfs_spawn_thread (arg=0x55b5795eb598) at /usr/src/debug/mariadb/11.8.3/storage/perfschema/pfs.cc:2198
-| #23 0x00007f952e8571dd in start_thread (arg=<optimized out>) at pthread_create.c:448
-| #24 0x00007f952e8d318c in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
-
-See also:
-https://jira.mariadb.org/browse/MDEV-37786
-https://jira.mariadb.org/browse/MDEV-37148
-
-Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
-Upstream-Status: Inappropriate [oe specific]
----
- strings/ctype.c | 16 ----------------
- 1 file changed, 16 deletions(-)
-
-diff --git a/strings/ctype.c b/strings/ctype.c
-index 629514e5e9c..d7e788c693b 100644
---- a/strings/ctype.c
-+++ b/strings/ctype.c
-@@ -1243,22 +1243,6 @@ my_convert(char *to, uint32 to_length, CHARSET_INFO *to_cs,
- 
-   length= length2= MY_MIN(to_length, from_length);
- 
--#if defined(__i386__) || defined(__x86_64__)
--  /*
--    Special loop for i386, it allows to refer to a
--    non-aligned memory block as UINT32, which makes
--    it possible to copy four bytes at once. This
--    gives about 10% performance improvement comparing
--    to byte-by-byte loop.
--  */
--  for ( ; length >= 4; length-= 4, from+= 4, to+= 4)
--  {
--    if ((*(uint32*)from) & 0x80808080)
--      break;
--    *((uint32*) to)= *((const uint32*) from);
--  }
--#endif /* __i386__ */
--
-   for (; ; *to++= *from++, length--)
-   {
-     if (!length)
--- 
-2.51.0
-
diff --git a/meta-oe/recipes-dbs/mysql/mariadb_11.4.9.bb b/meta-oe/recipes-dbs/mysql/mariadb_11.4.10.bb
index b1d1355e2b..b1d1355e2b 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb_11.4.9.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb_11.4.10.bb
diff --git a/meta-oe/recipes-devtools/capnproto/capnproto/CVE-2026-32239_CVE-2026-32240.patch b/meta-oe/recipes-devtools/capnproto/capnproto/CVE-2026-32239_CVE-2026-32240.patch
new file mode 100644
index 0000000000..803a0d55ad
--- /dev/null
+++ b/meta-oe/recipes-devtools/capnproto/capnproto/CVE-2026-32239_CVE-2026-32240.patch
@@ -0,0 +1,160 @@
+From 0e77b95c0829c83a31be5e219aee2a4e3f9895a7 Mon Sep 17 00:00:00 2001
+From: Kenton Varda <kenton@cloudflare.com>
+Date: Tue, 10 Mar 2026 18:16:14 -0500
+Subject: [PATCH] Fix HTTP body size integer overflow bugs.
+
+The KJ-HTTP library was discovered to have two bugs related to integer overflows while handling message body sizes:
+1. A negative `Content-Length` value was converted to unsigned, treating it as an impossibly large length instead.
+2. When using `Transfer-Encoding: chunked`, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer.
+
+In theory, these bugs could enable HTTP request/response smuggling, although it would require integration with a proxy that has bugs of its own.
+
+For more details, see (in a future commit): security-advisories/2026-03-10-1-http-size-validation.md
+
+CVE: CVE-2026-32239 CVE-2026-32240
+Upstream-Status: Backport [https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ c++/src/kj/compat/http-test.c++ | 64 +++++++++++++++++++++++++++++++++
+ c++/src/kj/compat/http.c++      | 28 +++++++++++----
+ 2 files changed, 86 insertions(+), 6 deletions(-)
+
+diff --git a/c++/src/kj/compat/http-test.c++ b/c++/src/kj/compat/http-test.c++
+index f10ff8d1..daf08992 100644
+--- a/c++/src/kj/compat/http-test.c++
++++ b/c++/src/kj/compat/http-test.c++
+@@ -4038,6 +4038,70 @@ KJ_TEST("HttpServer invalid method") {
+   KJ_EXPECT(expectedResponse == response, expectedResponse, response);
+ }
+ 
++KJ_TEST("HttpServer rejects negative Content-Length") {
++  KJ_HTTP_TEST_SETUP_IO;
++  kj::TimerImpl timer(kj::origin<kj::TimePoint>());
++  auto pipe = KJ_HTTP_TEST_CREATE_2PIPE;
++
++  HttpHeaderTable table;
++  BrokenHttpService service;
++  HttpServer server(timer, table, service, {
++    .canceledUploadGraceBytes = 1024 * 1024,
++  });
++
++  auto listenTask = server.listenHttp(kj::mv(pipe.ends[0]));
++
++  auto msg =
++      "POST / HTTP/1.1\r\n"
++      "Content-Length: -1\r\n"
++      "\r\n"
++      "foo"_kj.asBytes();
++
++  auto writePromise = pipe.ends[1]->write(msg.begin(), msg.size());
++  auto response = pipe.ends[1]->readAllText().wait(waitScope);
++
++  // The server should reject the negative Content-Length. The KJ_FAIL_REQUIRE in getEntityBody()
++  // gets caught by the server loop and turned into a 500 error.
++  KJ_EXPECT(response.startsWith("HTTP/1.1 500 Internal Server Error"), response);
++
++  KJ_EXPECT(writePromise.poll(waitScope));
++  writePromise.catch_([](kj::Exception&&) {}).wait(waitScope);
++}
++
++KJ_TEST("HttpServer rejects chunked body with overflowing chunk size") {
++  KJ_HTTP_TEST_SETUP_IO;
++  kj::TimerImpl timer(kj::origin<kj::TimePoint>());
++  auto pipe = KJ_HTTP_TEST_CREATE_2PIPE;
++
++  HttpHeaderTable table;
++  BrokenHttpService service;
++  HttpServer server(timer, table, service, {
++    .canceledUploadGraceBytes = 1024 * 1024,
++  });
++
++  auto listenTask = server.listenHttp(kj::mv(pipe.ends[0]));
++
++  // 17 hex digits: 0x10000000000000000 = 2^64, which overflows uint64_t.
++  auto msg =
++      "POST / HTTP/1.1\r\n"
++      "Transfer-Encoding: chunked\r\n"
++      "\r\n"
++      "10000000000000000\r\n"
++      "x\r\n"
++      "0\r\n"
++      "\r\n"_kj.asBytes();
++
++  auto writePromise = pipe.ends[1]->write(msg.begin(), msg.size());
++  auto response = pipe.ends[1]->readAllText().wait(waitScope);
++
++  // The chunk size overflow causes a KJ_REQUIRE failure during body reading, which the server
++  // catches and turns into a 500 error.
++  KJ_EXPECT(response.startsWith("HTTP/1.1 500 Internal Server Error"), response);
++
++  KJ_EXPECT(writePromise.poll(waitScope));
++  writePromise.catch_([](kj::Exception&&) {}).wait(waitScope);
++}
++
+ // Ensure that HttpServerSettings can continue to be constexpr.
+ KJ_UNUSED static constexpr HttpServerSettings STATIC_CONSTEXPR_SETTINGS {};
+ 
+diff --git a/c++/src/kj/compat/http.c++ b/c++/src/kj/compat/http.c++
+index aae47ad1..da705e66 100644
+--- a/c++/src/kj/compat/http.c++
++++ b/c++/src/kj/compat/http.c++
+@@ -1406,16 +1406,20 @@ public:
+ 
+       uint64_t value = 0;
+       for (char c: text) {
++        uint64_t digit;
+         if ('0' <= c && c <= '9') {
+-          value = value * 16 + (c - '0');
++          digit = c - '0';
+         } else if ('a' <= c && c <= 'f') {
+-          value = value * 16 + (c - 'a' + 10);
++          digit = c - 'a' + 10;
+         } else if ('A' <= c && c <= 'F') {
+-          value = value * 16 + (c - 'A' + 10);
++          digit = c - 'A' + 10;
+         } else {
+           KJ_FAIL_REQUIRE("invalid HTTP chunk size", text, text.asBytes()) { break; }
+           return value;
+         }
++        KJ_REQUIRE(value <= (uint64_t(kj::maxValue) >> 4),
++            "HTTP chunk size overflow", text, text.asBytes()) { break; }
++        value = value * 16 + digit;
+       }
+ 
+       return value;
+@@ -1942,7 +1946,15 @@ kj::Own<kj::AsyncInputStream> HttpInputStreamImpl::getEntityBody(
+       // Body elided.
+       kj::Maybe<uint64_t> length;
+       KJ_IF_MAYBE(cl, headers.get(HttpHeaderId::CONTENT_LENGTH)) {
+-        length = strtoull(cl->cStr(), nullptr, 10);
++        // Validate that the Content-Length is a non-negative integer. Note that strtoull() accepts
++        // leading '-' signs and silently converts negative values to large unsigned values, so we
++        // must explicitly check for a leading digit.
++        char* end;
++        uint64_t parsedValue = strtoull(cl->cStr(), &end, 10);
++        if ((*cl)[0] >= '0' && (*cl)[0] <= '9' && end > cl->begin() && *end == '\0') {
++          length = parsedValue;
++        }
++        // If invalid, we just leave `length` as nullptr, since the body is elided anyway.
+       } else if (headers.get(HttpHeaderId::TRANSFER_ENCODING) == nullptr) {
+         // HACK: Neither Content-Length nor Transfer-Encoding header in response to HEAD
+         //   request. Propagate this fact with a 0 expected body length.
+@@ -1991,12 +2003,16 @@ kj::Own<kj::AsyncInputStream> HttpInputStreamImpl::getEntityBody(
+     //   "Content-Length: 5, 5, 5". Hopefully no one actually does that...
+     char* end;
+     uint64_t length = strtoull(cl->cStr(), &end, 10);
+-    if (end > cl->begin() && *end == '\0') {
++    // Note that strtoull() accepts leading '-' signs and silently converts negative values to
++    // large unsigned values, so we must explicitly check for a leading digit.
++    if ((*cl)[0] >= '0' && (*cl)[0] <= '9' && end > cl->begin() && *end == '\0') {
+       // #5
+       return kj::heap<HttpFixedLengthEntityReader>(*this, length);
+     } else {
+       // #4 (bad content-length)
+-      KJ_FAIL_REQUIRE("invalid Content-Length header value", *cl);
++      KJ_FAIL_REQUIRE("invalid Content-Length header value", *cl) { break; }
++      // To pass the -fno-exceptions test (but KJ-HTTP is really not safe to use in that mode).
++      return kj::heap<HttpNullEntityReader>(*this, uint64_t(0));
+     }
+   }
+ 
diff --git a/meta-oe/recipes-devtools/capnproto/capnproto_1.0.2.bb b/meta-oe/recipes-devtools/capnproto/capnproto_1.0.2.bb
index 0ea243fd20..22c4b7cd0a 100644
--- a/meta-oe/recipes-devtools/capnproto/capnproto_1.0.2.bb
+++ b/meta-oe/recipes-devtools/capnproto/capnproto_1.0.2.bb
@@ -6,7 +6,9 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://../LICENSE;md5=a05663ae6cca874123bf667a60dca8c9"
 
 SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https \
-           file://0001-Export-binaries-only-for-native-build.patch"
+           file://0001-Export-binaries-only-for-native-build.patch \
+           file://CVE-2026-32239_CVE-2026-32240.patch;patchdir=.. \
+           "
 SRCREV = "1a0e12c0a3ba1f0dbbad45ddfef555166e0a14fc"
 
 S = "${UNPACKDIR}/${BP}/c++"
diff --git a/meta-oe/recipes-devtools/php/php_8.4.18.bb b/meta-oe/recipes-devtools/php/php_8.4.19.bb
index a9be742317..4a5a5fa5b8 100644
--- a/meta-oe/recipes-devtools/php/php_8.4.18.bb
+++ b/meta-oe/recipes-devtools/php/php_8.4.19.bb
@@ -32,7 +32,7 @@ UPSTREAM_CHECK_REGEX = "releases/tag/php-(?P<pver>\d+(\.\d+)+)"
 
 S = "${UNPACKDIR}/php-${PV}"
 
-SRC_URI[sha256sum] = "586b32d92cebcfbca495c5f6ad1a33640553d0a9c0bfd2e6715334d959cf9858"
+SRC_URI[sha256sum] = "bceb7798ed37b442fe523ae7ef345ccc2231db0b022d30735c2e378d3254a0d4"
 
 CVE_STATUS_GROUPS += "CVE_STATUS_PHP"
 CVE_STATUS_PHP[status] = "fixed-version: The name of this product is exactly the same as github.com/emlog/emlog. CVE can be safely ignored."
diff --git a/meta-oe/recipes-graphics/jasper/jasper_4.2.8.bb b/meta-oe/recipes-graphics/jasper/jasper_4.2.9.bb
index e00b56ddbf..b48fff7081 100644
--- a/meta-oe/recipes-graphics/jasper/jasper_4.2.8.bb
+++ b/meta-oe/recipes-graphics/jasper/jasper_4.2.9.bb
@@ -4,7 +4,7 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=a80440d1d8f17d041c71c7271d6e06eb"
 
 SRC_URI = "https://github.com/jasper-software/${BPN}/releases/download/version-${PV}/${BP}.tar.gz"
-SRC_URI[sha256sum] = "98058a94fbff57ec6e31dcaec37290589de0ba6f47c966f92654681a56c71fae"
+SRC_URI[sha256sum] = "f71cf643937a5fcaedcfeb30a22ba406912948ad4413148214df280afc425454"
 
 UPSTREAM_CHECK_URI = "https://github.com/jasper-software/jasper/releases"
 UPSTREAM_CHECK_REGEX = "releases/tag/version-(?P<pver>\d+(\.\d+)+)"
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch
new file mode 100644
index 0000000000..a2b41adcef
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch
@@ -0,0 +1,69 @@
+From 237f63c2abcd6c346bf5d27044ab76f5388bb4e8 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Sat, 7 Feb 2026 22:50:46 +0000
+Subject: [PATCH] Regression test for
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
+
+CVE: CVE-2026-25884
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/191138fef73f331de1311e735d8e6359a36fa786]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ test/data/issue_ghsa_9mxq_4j5g_5wrp.crw       | Bin 0 -> 74 bytes
+ .../github/test_issue_ghsa_9mxq_4j5g_5wrp.py  |  24 ++++++++++++++++++
+ .../test_regression_allfiles.py               |   1 +
+ 3 files changed, 25 insertions(+)
+ create mode 100644 test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
+ create mode 100644 tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+
+diff --git a/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw b/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
+new file mode 100644
+index 0000000000000000000000000000000000000000..816af2663b3ec93d0d4de4755a02b5d0f5d09640
+GIT binary patch
+literal 74
+zcmebDRA69W@NjhuaCUYH`mcZv7#X+>WPvJpfmnfwK>?&13|Kip6i5oF1;hjZi0B7h
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+new file mode 100644
+index 000000000..199328f25
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+@@ -0,0 +1,24 @@
++# -*- coding: utf-8 -*-
++
++from system_tests import CaseMeta, CopyTmpFiles, path
++
++
++class CrwMap_decode0x0805_OutOfBoundsRead(metaclass=CaseMeta):
++    """
++    Regression test for the bug described in:
++    https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
++    """
++
++    url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp"
++
++    filename = path("$data_path/issue_ghsa_9mxq_4j5g_5wrp.crw")
++    commands = ["$exiv2 $filename"]
++    stdout = ["""File name       : $filename
++File size       : 74 Bytes
++MIME type       : image/x-canon-crw
++Image size      : 0 x 0
++"""
++]
++    stderr   = ["""$filename: No Exif data found in the file
++"""]
++    retval = [253]
+diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
+index d1bec2ed3..87caa9798 100644
+--- a/tests/regression_tests/test_regression_allfiles.py
++++ b/tests/regression_tests/test_regression_allfiles.py
+@@ -122,6 +122,7 @@ def get_valid_files(data_dir):
+         "issue_ghsa_g9xm_7538_mq8w_poc.mov",
+         "issue_ghsa_38h4_fx85_qcx7_poc.tiff",
+         "issue_ghsa_496f_x7cq_cq39_poc.jpg",
++        "issue_ghsa_9mxq_4j5g_5wrp.crw",
+         "pocIssue283.jpg",
+         "poc_1522.jp2",
+         "xmpsdk.xmp",
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch
new file mode 100644
index 0000000000..b461e09c71
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch
@@ -0,0 +1,25 @@
+From 5c5ab83247997396b8a7de8e4425a1a04db01c14 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Sat, 31 Jan 2026 15:31:55 +0000
+Subject: [PATCH] Fix out-of-bounds read.
+
+CVE: CVE-2026-25884
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/5b8f1f4d92b8f27a5a80e0c3d3eb9dce7620d9f1]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/crwimage_int.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
+index 9e2c1c6a4..1d2378a61 100644
+--- a/src/crwimage_int.cpp
++++ b/src/crwimage_int.cpp
+@@ -646,7 +646,7 @@ const CrwMapping* CrwMap::crwMapping(uint16_t crwDir, uint16_t crwTagId) {
+ 
+ void CrwMap::decode0x0805(const CiffComponent& ciffComponent, const CrwMapping* /*pCrwMapping*/, Image& image,
+                           ByteOrder /*byteOrder*/) {
+-  std::string s(reinterpret_cast<const char*>(ciffComponent.pData()));
++  auto s = std::string(reinterpret_cast<const char*>(ciffComponent.pData()), ciffComponent.size());
+   image.setComment(s);
+ }  // CrwMap::decode0x0805
+ 
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27596-1.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27596-1.patch
new file mode 100644
index 0000000000..9f99937a71
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27596-1.patch
@@ -0,0 +1,71 @@
+From f42720d294852c3372fb34c328859e7442128b04 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Thu, 26 Feb 2026 20:44:18 +0000
+Subject: [PATCH] Regression test for
+ https://github.com/Exiv2/exiv2/issues/3511
+
+CVE: CVE-2026-27596
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/fe0d0154ab2886feb503e6cfd38c3b6d5722921f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ test/data/issue_3511_poc.eps                    | 13 +++++++++++++
+ tests/bugfixes/github/test_issue_3511.py        | 17 +++++++++++++++++
+ .../test_regression_allfiles.py                 |  1 +
+ 3 files changed, 31 insertions(+)
+ create mode 100644 test/data/issue_3511_poc.eps
+ create mode 100644 tests/bugfixes/github/test_issue_3511.py
+
+diff --git a/test/data/issue_3511_poc.eps b/test/data/issue_3511_poc.eps
+new file mode 100644
+index 000000000..4d403cc51
+--- /dev/null
++++ b/test/data/issue_3511_poc.eps
+@@ -0,0 +1,13 @@
++%!PS-Adobe-3.0 EPSF-3.0
++%%BoundingBox: 0 0 100 100
++%%EndComments
++%%BeginProlog
++%%EndProlog
++%%Page: 1 1
++%%BeginPageSetup
++%%EndPageSetup
++%BeginPhotoshop: 16
++3842494D040C00000000000441424344
++%EndPhotoshop
++%%PageTrailer
++%%EOF
+diff --git a/tests/bugfixes/github/test_issue_3511.py b/tests/bugfixes/github/test_issue_3511.py
+new file mode 100644
+index 000000000..1825550a1
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_3511.py
+@@ -0,0 +1,17 @@
++# -*- coding: utf-8 -*-
++
++import system_tests
++
++
++class test_issue_3511_sigma_LoaderNative_getData(metaclass=system_tests.CaseMeta):
++    url = "https://github.com/Exiv2/exiv2/issues/3511"
++
++    filename = "$data_path/issue_3511_poc.eps"
++    commands = ["$exiv2 -pp $filename"]
++    retval = [1]
++    stderr = [
++        """$exiv2_exception_message $filename:
++$kerCorruptedMetadata
++"""
++    ]
++    stdout = [""]
+diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
+index 87caa9798..6a230e6fc 100644
+--- a/tests/regression_tests/test_regression_allfiles.py
++++ b/tests/regression_tests/test_regression_allfiles.py
+@@ -126,6 +126,7 @@ def get_valid_files(data_dir):
+         "pocIssue283.jpg",
+         "poc_1522.jp2",
+         "xmpsdk.xmp",
++        "issue_3511_poc.eps",
+         # large file that creates 11Mb of output so let's exclude it
+         "ReaganLargeTiff.tiff",
+         # files that don't create any output
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27596-2.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27596-2.patch
new file mode 100644
index 0000000000..0cabc1ec55
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27596-2.patch
@@ -0,0 +1,24 @@
+From 8e017375e1cf8b1e5a0c37951152fc7f4c2b3409 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Thu, 26 Feb 2026 20:44:54 +0000
+Subject: [PATCH] Check for integer overflow.
+
+CVE: CVE-2026-27596
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/2cb728a850b4aa048a683711906d716c5f9a32ac]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/preview.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/preview.cpp b/src/preview.cpp
+index 993c3b749..90f60146f 100644
+--- a/src/preview.cpp
++++ b/src/preview.cpp
+@@ -422,6 +422,7 @@ DataBuf LoaderNative::getData() const {
+ #endif
+       return {};
+     }
++    Internal::enforce(sizeData >= 28, ErrorCode::kerCorruptedMetadata);
+     return {record + sizeHdr + 28, sizeData - 28};
+   }
+   throw Error(ErrorCode::kerErrorMessage, "Invalid native preview filter: " + nativePreview_.filter_);
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27631-1.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27631-1.patch
new file mode 100644
index 0000000000..0f85053091
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27631-1.patch
@@ -0,0 +1,63 @@
+From 7a93f203cd72a895b26bb633d51b2448a0f629a3 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Thu, 26 Feb 2026 21:14:10 +0000
+Subject: [PATCH] Regression test for
+ https://github.com/Exiv2/exiv2/issues/3513
+
+CVE: CVE-2026-27631
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/7adedce8c779e9c7bce843cbaf9eff26bc1659b6]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ test/data/issue_3513_poc.psd                   | Bin 0 -> 206 bytes
+ tests/bugfixes/github/test_issue_3513.py       |  17 +++++++++++++++++
+ .../test_regression_allfiles.py                |   1 +
+ 3 files changed, 18 insertions(+)
+ create mode 100644 test/data/issue_3513_poc.psd
+ create mode 100644 tests/bugfixes/github/test_issue_3513.py
+
+diff --git a/test/data/issue_3513_poc.psd b/test/data/issue_3513_poc.psd
+new file mode 100644
+index 0000000000000000000000000000000000000000..b8cf982ccc29e4574783b1317347a8494bce4240
+GIT binary patch
+literal 206
+zcmcC;3J7LkWXND(VPIfj2I6QSp2oldW&@cF4i-+HzAOnKCIbVQ%?V)xNk#^S{{sU!
+VK$eS7U=ZX2Ii>-KnHh{ttN=+HebfK|
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/bugfixes/github/test_issue_3513.py b/tests/bugfixes/github/test_issue_3513.py
+new file mode 100644
+index 000000000..5383470e4
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_3513.py
+@@ -0,0 +1,17 @@
++# -*- coding: utf-8 -*-
++
++import system_tests
++
++
++class test_issue_3513_PsdImage_readResourceBlock(metaclass=system_tests.CaseMeta):
++    url = "https://github.com/Exiv2/exiv2/issues/3513"
++
++    filename = "$data_path/issue_3513_poc.psd"
++    commands = ["$exiv2 -pp $filename"]
++    retval = [1]
++    stderr = [
++        """$exiv2_exception_message $filename:
++$kerCorruptedMetadata
++"""
++    ]
++    stdout = [""]
+diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
+index 6a230e6fc..31f9c844a 100644
+--- a/tests/regression_tests/test_regression_allfiles.py
++++ b/tests/regression_tests/test_regression_allfiles.py
+@@ -126,6 +126,7 @@ def get_valid_files(data_dir):
+         "pocIssue283.jpg",
+         "poc_1522.jp2",
+         "xmpsdk.xmp",
++        "issue_3513_poc.psd",
+         "issue_3511_poc.eps",
+         # large file that creates 11Mb of output so let's exclude it
+         "ReaganLargeTiff.tiff",
diff --git a/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27631-2.patch b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27631-2.patch
new file mode 100644
index 0000000000..712b40e22d
--- /dev/null
+++ b/meta-oe/recipes-support/exiv2/exiv2/CVE-2026-27631-2.patch
@@ -0,0 +1,26 @@
+From 1748fd9763e89a341bdf8a451534067abb964ab2 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Fri, 27 Feb 2026 10:38:22 +0000
+Subject: [PATCH] Check for integer overflow.
+
+CVE: CVE-2026-27631
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/284b4e20229dd6edf492e712871878ae320801fc]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/psdimage.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/psdimage.cpp b/src/psdimage.cpp
+index 1a8e4c61c..b2f5247a2 100644
+--- a/src/psdimage.cpp
++++ b/src/psdimage.cpp
+@@ -287,6 +287,9 @@ void PsdImage::readResourceBlock(uint16_t resourceId, uint32_t resourceSize) {
+       nativePreview.height_ = getLong(buf + 8, bigEndian);
+       const uint32_t format = getLong(buf + 0, bigEndian);
+ 
++      Internal::enforce(nativePreview.size_ <= static_cast<size_t>(std::numeric_limits<long>::max()),
++                        Exiv2::ErrorCode::kerCorruptedMetadata);
++
+       if (nativePreview.size_ > 0 && nativePreview.position_ > 0) {
+         io_->seek(static_cast<long>(nativePreview.size_), BasicIo::cur);
+         if (io_->error() || io_->eof())
diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb
index e1f57ae8c7..25f35e203a 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb
@@ -4,7 +4,16 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2"
 
 DEPENDS = "zlib expat brotli libinih"
 
-SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x;tag=v${PV}"
+SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x;tag=v${PV} \
+           file://CVE-2026-25884-1.patch \
+           file://CVE-2026-25884-2.patch \
+           file://CVE-2026-27596-1.patch \
+           file://CVE-2026-27596-2.patch \
+           file://CVE-2026-27631-1.patch \
+           file://CVE-2026-27631-2.patch \
+           "
 SRCREV = "afcb7a8ba84a7de36d2f1ee7689394e078697956"
 
+PATCHTOOL = "git"
+
 inherit cmake gettext
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-15.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-17.bb
index d48fae6bd3..989e87af3d 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-15.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.2-17.bb
@@ -17,7 +17,7 @@ SRC_URI = "git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
            file://imagemagick-ptest.sh \
 "
 
-SRCREV = "b5fdb90dac0e6d0bf1bbd95704bbd60216a5bc23"
+SRCREV = "3f2f629405c62106d3569547c03634bc46fcd07d"
 
 
 inherit autotools pkgconfig update-alternatives ptest
diff --git a/meta-oe/recipes-support/imapfilter/imapfilter_2.8.3.bb b/meta-oe/recipes-support/imapfilter/imapfilter_2.8.5.bb
index f4905e3c0b..754e793faa 100644
--- a/meta-oe/recipes-support/imapfilter/imapfilter_2.8.3.bb
+++ b/meta-oe/recipes-support/imapfilter/imapfilter_2.8.5.bb
@@ -1,9 +1,9 @@
 SUMMARY = "IMAPFilter is a mail filtering utility that processes mailboxes based on IMAP queries"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=f8d2fc4954306888fd0e4b27bef83525"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=c9e8d74e78283c6319317d3cb15eded4"
 
 # v2.7.6
-SRCREV = "72f7fa621357299bb6c8f5d29b4efbafcbd34bf7"
+SRCREV = "23b693f7f7cad8b459beb5cf748078f9cc0e5dc8"
 SRC_URI = "git://github.com/lefcha/imapfilter;protocol=https;branch=master;tag=v${PV} \
            file://ldflags.patch \
 "
diff --git a/meta-oe/recipes-support/libnice/libnice_0.1.23.bb b/meta-oe/recipes-support/libnice/libnice_0.1.23.bb
index bcdcf0ad7f..4411de955c 100644
--- a/meta-oe/recipes-support/libnice/libnice_0.1.23.bb
+++ b/meta-oe/recipes-support/libnice/libnice_0.1.23.bb
@@ -14,8 +14,11 @@ SRC_URI[sha256sum] = "618fc4e8de393b719b1641c1d8eec01826d4d39d15ade92679d221c7f5
 UPSTREAM_CHECK_URI = "https://gitlab.freedesktop.org/libnice/libnice/-/tags"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)"
 
-DEPENDS = "glib-2.0 gnutls ${@bb.utils.contains('DISTRO_FEATURES', 'api-documentation', 'graphviz-native', '', d)}"
+DEPENDS = "glib-2.0 ${@bb.utils.contains('DISTRO_FEATURES', 'api-documentation', 'graphviz-native', '', d)}"
 
+PACKAGECONFIG ??= "gnutls"
+PACKAGECONFIG[gnutls] = "-Dcrypto-library=gnutls,,gnutls"
+PACKAGECONFIG[openssl] = "-Dcrypto-library=openssl,,openssl"
 PACKAGECONFIG[gupnp] = "-Dgupnp=enabled,-Dgupnp=disabled,gupnp"
 PACKAGECONFIG[gstreamer] = "-Dgstreamer=enabled,-Dgstreamer=disabled,gstreamer1.0"
 PACKAGECONFIG[introspection] = "-Dintrospection=enabled,-Dintrospection=disabled,"
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch
new file mode 100644
index 0000000000..bf1fbcc027
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p1.patch
@@ -0,0 +1,35 @@
+From 04d2f831fa8da74c973538cd3f621061a7656771 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 11 Dec 2025 13:22:44 +0100
+Subject: [PATCH 1/2] sftp: Fix out-of-bound read from sftp extensions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE: CVE-2026-3731
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=f80670a7aba86cbb442c9b115c9eaf4ca04601b8]
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60)
+(cherry picked from commit f80670a7aba86cbb442c9b115c9eaf4ca04601b8)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/sftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sftp.c b/src/sftp.c
+index 37b4133b..05e05019 100644
+--- a/src/sftp.c
++++ b/src/sftp.c
+@@ -583,7 +583,7 @@ const char *sftp_extensions_get_name(sftp_session sftp, unsigned int idx) {
+     return NULL;
+   }
+
+-  if (idx > sftp->ext->count) {
++  if (idx >= sftp->ext->count) {
+     ssh_set_error_invalid(sftp->session);
+     return NULL;
+   }
+--
+2.35.6
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch
new file mode 100644
index 0000000000..b5a267b808
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/CVE-2026-3731_p2.patch
@@ -0,0 +1,102 @@
+From df01168bb3863306ba0f35b50e5b2e5dd00ba9f6 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 11 Dec 2025 13:21:23 +0100
+Subject: [PATCH 2/2] Reproducer for out of bounds read of SFTP extensions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE: CVE-2026-3731
+Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=02c6f5f7ec8629a7cff6a28cde9701ab10304540]
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Reviewed-by: Pavol Žáčik <pzacik@redhat.com>
+(cherry picked from commit b90b7f24517efa7ab21506db9379aa3dce9fee7d)
+(cherry picked from commit 02c6f5f7ec8629a7cff6a28cde9701ab10304540)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ tests/client/torture_sftp_init.c | 62 +++++++++++++++++++++++++++++++-
+ 1 file changed, 61 insertions(+), 1 deletion(-)
+
+diff --git a/tests/client/torture_sftp_init.c b/tests/client/torture_sftp_init.c
+index a17f01fe..cdc24426 100644
+--- a/tests/client/torture_sftp_init.c
++++ b/tests/client/torture_sftp_init.c
+@@ -72,6 +72,63 @@ static void session_setup_channel(void **state)
+     assert_non_null(s->ssh.tsftp);
+ }
+
++static void session_setup_extensions(void **state)
++{
++    struct torture_state *s = *state;
++    struct passwd *pwd = NULL;
++    int rc, count;
++    const char *name = NULL, *data = NULL;
++    sftp_session sftp = NULL;
++
++    pwd = getpwnam("bob");
++    assert_non_null(pwd);
++
++    rc = setuid(pwd->pw_uid);
++    assert_return_code(rc, errno);
++
++    s->ssh.session = torture_ssh_session(s,
++                                         TORTURE_SSH_SERVER,
++                                         NULL,
++                                         TORTURE_SSH_USER_ALICE,
++                                         NULL);
++    assert_non_null(s->ssh.session);
++
++    s->ssh.tsftp = torture_sftp_session(s->ssh.session);
++    assert_non_null(s->ssh.tsftp);
++    sftp = s->ssh.tsftp->sftp;
++
++    /* null parameter */
++    count = sftp_extensions_get_count(NULL);
++    assert_int_equal(count, 0);
++
++    count = sftp_extensions_get_count(sftp);
++    assert_int_not_equal(count, 0);
++
++    /* first null parameter */
++    name = sftp_extensions_get_name(NULL, 0);
++    assert_null(name);
++    data = sftp_extensions_get_data(NULL, 0);
++    assert_null(data);
++
++    /* First extension */
++    name = sftp_extensions_get_name(sftp, 0);
++    assert_non_null(name);
++    data = sftp_extensions_get_data(sftp, 0);
++    assert_non_null(data);
++
++    /* Last extension */
++    name = sftp_extensions_get_name(sftp, count - 1);
++    assert_non_null(name);
++    data = sftp_extensions_get_data(sftp, count - 1);
++    assert_non_null(data);
++
++    /* Overrun */
++    name = sftp_extensions_get_name(sftp, count);
++    assert_null(name);
++    data = sftp_extensions_get_data(sftp, count);
++    assert_null(data);
++}
++
+ static int session_teardown(void **state)
+ {
+     struct torture_state *s = *state;
+@@ -92,7 +149,10 @@ int torture_run_tests(void) {
+                                         session_teardown),
+         cmocka_unit_test_setup_teardown(session_setup_channel,
+                                         NULL,
+-                                        session_teardown)
++                                        session_teardown),
++        cmocka_unit_test_setup_teardown(session_setup_extensions,
++                                        NULL,
++                                        session_teardown),
+     };
+
+     ssh_init();
+--
+2.35.6
diff --git a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
index 5928581312..ab47931fa3 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.11.3.bb
@@ -9,6 +9,8 @@ DEPENDS = "zlib openssl"
 SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.11;tag=${BPN}-${PV} \
            file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
            file://run-ptest \
+           file://CVE-2026-3731_p1.patch \
+           file://CVE-2026-3731_p2.patch \
           "
 
 SRC_URI:append:toolchain-clang = " file://0001-CompilerChecks.cmake-drop-Wunused-variable-flag.patch"
diff --git a/meta-oe/recipes-support/pcp/pcp.inc b/meta-oe/recipes-support/pcp/pcp.inc
index 07de1d5328..7c6ecc2e22 100644
--- a/meta-oe/recipes-support/pcp/pcp.inc
+++ b/meta-oe/recipes-support/pcp/pcp.inc
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=37ab75b580d5aad4ada04260efa3702f \
                     "
 COMPATIBLE_HOST:libc-musl = "null"
 
-SRC_URI = "git://github.com/performancecopilot/pcp;branch=stable;protocol=https;tag=${PV} \
+SRC_URI = "git://github.com/performancecopilot/pcp;nobranch=1;protocol=https;tag=${PV} \
            file://0001-configure-Limit-the-header-search-to-sysroot.patch \
            file://0001-htop-Change-dependency-order-of-header-and-sourcefil.patch \
            file://config.linux \
diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.28.bb b/meta-python/recipes-devtools/python/python3-django_4.2.29.bb
index 2c6d33991c..ded9e6fc1f 100644
--- a/meta-python/recipes-devtools/python/python3-django_4.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_4.2.29.bb
@@ -1,7 +1,7 @@
 require python3-django.inc
 inherit python_setuptools_build_meta
 
-SRC_URI[sha256sum] = "a4b9cd881991add394cafa8bb3b11ad1742d1e1470ba99c3ef53dc540316ccfe"
+SRC_URI[sha256sum] = "86d91bc8086569c8d08f9c55888b583a921ac1f95ed3bdc7d5659d4709542014"
 
 RDEPENDS:${PN} += "\
     python3-sqlparse \
diff --git a/meta-python/recipes-devtools/python/python3-django_5.2.11.bb b/meta-python/recipes-devtools/python/python3-django_5.2.12.bb
index edf9aabb79..a7567265b5 100644
--- a/meta-python/recipes-devtools/python/python3-django_5.2.11.bb
+++ b/meta-python/recipes-devtools/python/python3-django_5.2.12.bb
@@ -1,7 +1,7 @@
 require python3-django.inc
 inherit python_setuptools_build_meta
 
-SRC_URI[sha256sum] = "7f2d292ad8b9ee35e405d965fbbad293758b858c34bbf7f3df551aeeac6f02d3"
+SRC_URI[sha256sum] = "6b809af7165c73eff5ce1c87fdae75d4da6520d6667f86401ecf55b681eb1eeb"
 
 RDEPENDS:${PN} += "\
     python3-sqlparse \
diff --git a/meta-python/recipes-devtools/python/python3-gpiod_2.4.0.bb b/meta-python/recipes-devtools/python/python3-gpiod_2.4.1.bb
index 405951fe0c..61a3fb929e 100644
--- a/meta-python/recipes-devtools/python/python3-gpiod_2.4.0.bb
+++ b/meta-python/recipes-devtools/python/python3-gpiod_2.4.1.bb
@@ -1,13 +1,11 @@
 SUMMARY = "Python bindings for libgpiod."
 
-LICENSE = "GPL-2.0-or-later & LGPL-2.1-or-later & CC-BY-SA-4.0"
-# The actual license files live in the upstream libgpiod from which the pypi
-# package is spun out.
-LIC_FILES_CHKSUM = "file://pyproject.toml;beginline=13;endline=13;md5=0fbc720d3e48432ee239eedb6adb0f07"
+LICENSE = "LGPL-2.1-or-later"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=4b54a1fd55a448865a0b32d41598759d"
 
 SRC_URI += "file://run-ptest"
 
-SRC_URI[sha256sum] = "9243a1a59d084ec749d1df4a1e2f238ffb9d94515b0d9f5335460175143c3aa1"
+SRC_URI[sha256sum] = "d29a1e8b2a065f7ed82f00a96009bc1486fc705bb2ad25820a8ae962ec6d7688"
 
 inherit python_setuptools_build_meta python_pep517 ptest pypi
 
diff --git a/meta-python/recipes-devtools/python/python3-marshmallow_4.1.2.bb b/meta-python/recipes-devtools/python/python3-marshmallow_4.1.2.bb
index f3a905a36c..f058bd7123 100644
--- a/meta-python/recipes-devtools/python/python3-marshmallow_4.1.2.bb
+++ b/meta-python/recipes-devtools/python/python3-marshmallow_4.1.2.bb
@@ -30,3 +30,5 @@ RDEPENDS:${PN} += " \
         python3-pprint \
         python3-packaging \
 "
+
+CVE_STATUS[CVE-2025-68480] = "fixed-version: fixed in 4.1.2"
diff --git a/meta-python/recipes-devtools/python/python3-pyjwt/CVE-2026-32597.patch b/meta-python/recipes-devtools/python/python3-pyjwt/CVE-2026-32597.patch
new file mode 100644
index 0000000000..7fec45e13c
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pyjwt/CVE-2026-32597.patch
@@ -0,0 +1,79 @@
+From c77d816548bd768df262ba0204904168584c0bd1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Padilla?= <jpadilla@webapplicate.com>
+Date: Thu, 12 Mar 2026 12:46:08 -0400
+Subject: [PATCH] Merge commit from fork
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: José Padilla <jpadilla@users.noreply.github.com>
+
+CVE: CVE-2026-32597
+Upstream-Status: Backport [https://github.com/jpadilla/pyjwt/commit/051ea341b5573fe3edcd53042f347929b92c2b92]
+
+Dropped changes to the changelog, version bump and tests during backport.
+
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ jwt/api_jws.py | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/jwt/api_jws.py b/jwt/api_jws.py
+index 654ee0b..db2c80f 100644
+--- a/jwt/api_jws.py
++++ b/jwt/api_jws.py
+@@ -137,7 +137,7 @@ class PyJWS:
+         header: dict[str, Any] = {"typ": self.header_typ, "alg": algorithm_}
+ 
+         if headers:
+-            self._validate_headers(headers)
++            self._validate_headers(headers, encoding=True)
+             header.update(headers)
+ 
+         if not header["typ"]:
+@@ -208,6 +208,8 @@ class PyJWS:
+ 
+         payload, signing_input, header, signature = self._load(jwt)
+ 
++        self._validate_headers(header)
++
+         if header.get("b64", True) is False:
+             if detached_payload is None:
+                 raise DecodeError(
+@@ -327,14 +329,35 @@ class PyJWS:
+         if not alg_obj.verify(signing_input, prepared_key, signature):
+             raise InvalidSignatureError("Signature verification failed")
+ 
+-    def _validate_headers(self, headers: dict[str, Any]) -> None:
++    # Extensions that PyJWT actually understands and supports
++    _supported_crit: set[str] = {"b64"}
++
++    def _validate_headers(
++        self, headers: dict[str, Any], *, encoding: bool = False
++    ) -> None:
+         if "kid" in headers:
+             self._validate_kid(headers["kid"])
++        if not encoding and "crit" in headers:
++            self._validate_crit(headers)
+ 
+     def _validate_kid(self, kid: Any) -> None:
+         if not isinstance(kid, str):
+             raise InvalidTokenError("Key ID header parameter must be a string")
+ 
++    def _validate_crit(self, headers: dict[str, Any]) -> None:
++        crit = headers["crit"]
++        if not isinstance(crit, list) or len(crit) == 0:
++            raise InvalidTokenError("Invalid 'crit' header: must be a non-empty list")
++        for ext in crit:
++            if not isinstance(ext, str):
++                raise InvalidTokenError("Invalid 'crit' header: values must be strings")
++            if ext not in self._supported_crit:
++                raise InvalidTokenError(f"Unsupported critical extension: {ext}")
++            if ext not in headers:
++                raise InvalidTokenError(
++                    f"Critical extension '{ext}' is missing from headers"
++                )
++
+ 
+ _jws_global_obj = PyJWS()
+ encode = _jws_global_obj.encode
diff --git a/meta-python/recipes-devtools/python/python3-pyjwt_2.10.1.bb b/meta-python/recipes-devtools/python/python3-pyjwt_2.10.1.bb
index 3954c526f5..981f79a743 100644
--- a/meta-python/recipes-devtools/python/python3-pyjwt_2.10.1.bb
+++ b/meta-python/recipes-devtools/python/python3-pyjwt_2.10.1.bb
@@ -5,6 +5,8 @@ HOMEPAGE = "https://github.com/jpadilla/pyjwt"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e4b56d2c9973d8cf54655555be06e551"
 
+SRC_URI += "file://CVE-2026-32597.patch"
+
 SRC_URI[sha256sum] = "3cc5772eb20009233caf06e9d8a0577824723b44e6648ee0a2aedb6cf9381953"
 
 PYPI_PACKAGE = "pyjwt"
diff --git a/meta-python/recipes-devtools/python/python3-tornado_6.5.4.bb b/meta-python/recipes-devtools/python/python3-tornado_6.5.5.bb
index 9b43d98e1c..8e433fde2f 100644
--- a/meta-python/recipes-devtools/python/python3-tornado_6.5.4.bb
+++ b/meta-python/recipes-devtools/python/python3-tornado_6.5.5.bb
@@ -6,7 +6,7 @@ HOMEPAGE = "https://www.tornadoweb.org/en/stable/"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 
-SRC_URI[sha256sum] = "a22fa9047405d03260b483980635f0b041989d8bcc9a313f8fe18b411d84b1d7"
+SRC_URI[sha256sum] = "192b8f3ea91bd7f1f50c06955416ed76c6b72f96779b962f07f911b91e8d30e9"
 
 inherit pypi python_setuptools_build_meta
 
diff --git a/meta-webserver/recipes-httpd/hiawatha/hiawatha_11.7.bb b/meta-webserver/recipes-httpd/hiawatha/hiawatha_11.7.bb
index 4e7e5fa31d..dfa99c3d90 100644
--- a/meta-webserver/recipes-httpd/hiawatha/hiawatha_11.7.bb
+++ b/meta-webserver/recipes-httpd/hiawatha/hiawatha_11.7.bb
@@ -6,7 +6,7 @@ DEPENDS = "libxml2 libxslt virtual/crypt"
 
 SECTION = "net"
 
-SRC_URI = "https://hiawatha.leisink.net/files/hiawatha-${PV}.tar.gz \
+SRC_URI = "https://hiawatha.leisink.net/files/download/hiawatha-11/hiawatha-${PV}.tar.gz \
            file://0001-Add-__attribute__-nonstring-to-remove-unterminated-s.patch;patchdir=mbedtls \
            file://0002-Replace-__attribute__-nonstring-with-macro-MBEDTLS_A.patch;patchdir=mbedtls \
            file://define-MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING.patch;patchdir=mbedtls \