135 files changed, 3294 insertions, 3576 deletions

diff --git a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb b/meta/recipes-connectivity/avahi/avahi-libnss-mdns_0.15.1.bb
index e455a60bd5..d45c06357d 100644
--- a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb
+++ b/meta/recipes-connectivity/avahi/avahi-libnss-mdns_0.15.1.bb
@@ -3,18 +3,16 @@ HOMEPAGE = "https://github.com/lathiat/nss-mdns"
 DESCRIPTION = "nss-mdns is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) providing host name resolution via Multicast DNS (aka Zeroconf, aka Apple Rendezvous, aka Apple Bonjour), effectively allowing name resolution by common Unix/Linux programs in the ad-hoc mDNS domain .local."
 SECTION = "libs"
 
-LICENSE = "LGPLv2.1+"
+LICENSE = "LGPL-2.1-or-later"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1"
 
 DEPENDS = "avahi"
 
-SRC_URI = "git://github.com/lathiat/nss-mdns \
+SRC_URI = "git://github.com/lathiat/nss-mdns;branch=master;protocol=https \
            "
 
 SRCREV = "4b3cfe818bf72d99a02b8ca8b8813cb2d6b40633"
 
-S = "${WORKDIR}/git"
-
 inherit autotools pkgconfig
 
 COMPATIBLE_HOST:libc-musl = 'null'
@@ -22,6 +20,7 @@ COMPATIBLE_HOST:libc-musl = 'null'
 EXTRA_OECONF = "--libdir=${base_libdir}"
 
 RDEPENDS:${PN} = "avahi-daemon"
+RPROVIDES:${PN} = "libnss-mdns"
 
 pkg_postinst:${PN} () {
         sed '
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 4b15d11b61..220160a7e1 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -5,37 +5,44 @@ with no specific configuration. This tool implements IPv4LL, "Dynamic Configurat
 IPv4 Link-Local Addresses" (IETF RFC3927), a protocol for automatic IP address \
 configuration from the link-local 169.254.0.0/16 range without the need for a central \
 server.'
-AUTHOR = "Lennart Poettering <lennart@poettering.net>"
 HOMEPAGE = "http://avahi.org"
-BUGTRACKER = "https://github.com/lathiat/avahi/issues"
+BUGTRACKER = "https://github.com/avahi/avahi/issues"
 SECTION = "network"
 
-# major part is under LGPLv2.1+, but several .dtd, .xsl, initscripts and
-# python scripts are under GPLv2+
-LICENSE = "GPLv2+ & LGPLv2.1+"
+# major part is under LGPL-2.1-or-later, but several .dtd, .xsl, initscripts and
+# python scripts are under GPL-2.0-or-later
+LICENSE = "GPL-2.0-or-later & LGPL-2.1-or-later"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                     file://avahi-common/address.h;endline=25;md5=b1d1d2cda1c07eb848ea7d6215712d9d \
                     file://avahi-core/dns.h;endline=23;md5=6fe82590b81aa0ddea5095b548e2fdcb \
                     file://avahi-daemon/main.c;endline=21;md5=9ee77368c5407af77caaef1b07285969 \
                     file://avahi-client/client.h;endline=23;md5=f4ac741a25c4f434039ba3e18c8674cf"
 
-SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
+SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
            file://00avahi-autoipd \
            file://99avahi-autoipd \
            file://initscript.patch \
            file://0001-Fix-opening-etc-resolv.conf-error.patch \
            file://handle-hup.patch \
            file://local-ping.patch \
+           file://invalid-service.patch \
+           file://CVE-2023-1981.patch \
+           file://CVE-2023-38469-1.patch \
+           file://CVE-2023-38469-2.patch \
+           file://CVE-2023-38470-1.patch \
+           file://CVE-2023-38470-2.patch \
+           file://CVE-2023-38471-1.patch \
+           file://CVE-2023-38471-2.patch \
+           file://CVE-2023-38472.patch \
+           file://CVE-2023-38473.patch \
            "
 
-UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
-SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
+GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"
 SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
 
-# Issue only affects Debian/SUSE, not us
-CVE_CHECK_WHITELIST += "CVE-2021-26720"
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
 
-DEPENDS = "expat libcap libdaemon glib-2.0"
+DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
 
 # For gtk related PACKAGECONFIGs: gtk, gtk3
 AVAHI_GTK ?= ""
@@ -48,7 +55,7 @@ PACKAGECONFIG[libdns_sd] = "--enable-compat-libdns_sd --enable-dbus,,dbus"
 PACKAGECONFIG[libevent] = "--enable-libevent,--disable-libevent,libevent"
 PACKAGECONFIG[qt5] = "--enable-qt5,--disable-qt5,qtbase"
 
-inherit autotools pkgconfig gettext gobject-introspection
+inherit autotools pkgconfig gettext gobject-introspection github-releases
 
 EXTRA_OECONF = "--with-avahi-priv-access-group=adm \
              --disable-stack-protector \
@@ -78,12 +85,11 @@ do_compile:prepend() {
     export GIR_EXTRA_LIBS_PATH="${B}/avahi-gobject/.libs:${B}/avahi-common/.libs:${B}/avahi-client/.libs:${B}/avahi-glib/.libs"
 }
 
-RRECOMMENDS:${PN}:append:libc-glibc = " libnss-mdns"
+RRECOMMENDS:${PN}:append:libc-glibc = " avahi-libnss-mdns"
 
 do_install() {
         autotools_do_install
         rm -rf ${D}/run
-        rm -rf ${D}${datadir}/dbus-1/interfaces
         test -d ${D}${datadir}/dbus-1 && rmdir --ignore-fail-on-non-empty ${D}${datadir}/dbus-1
         rm -rf ${D}${libdir}/avahi
 
@@ -109,15 +115,15 @@ FILES:avahi-discover = "${datadir}/applications/avahi-discover.desktop \
                         ${bindir}/avahi-discover-standalone \
                         "
 
-LICENSE:libavahi-gobject = "LGPLv2.1+"
-LICENSE:avahi-daemon = "LGPLv2.1+"
-LICENSE:libavahi-common = "LGPLv2.1+"
-LICENSE:libavahi-core = "LGPLv2.1+"
-LICENSE:libavahi-client = "LGPLv2.1+"
-LICENSE:avahi-dnsconfd = "LGPLv2.1+"
-LICENSE:libavahi-glib = "LGPLv2.1+"
-LICENSE:avahi-autoipd = "LGPLv2.1+"
-LICENSE:avahi-utils = "LGPLv2.1+"
+LICENSE:libavahi-gobject = "LGPL-2.1-or-later"
+LICENSE:avahi-daemon = "LGPL-2.1-or-later"
+LICENSE:libavahi-common = "LGPL-2.1-or-later"
+LICENSE:libavahi-core = "LGPL-2.1-or-later"
+LICENSE:libavahi-client = "LGPL-2.1-or-later"
+LICENSE:avahi-dnsconfd = "LGPL-2.1-or-later"
+LICENSE:libavahi-glib = "LGPL-2.1-or-later"
+LICENSE:avahi-autoipd = "LGPL-2.1-or-later"
+LICENSE:avahi-utils = "LGPL-2.1-or-later"
 
 # As avahi doesn't put any files into PN, clear the files list to avoid problems
 # if extra libraries appear.
@@ -135,7 +141,7 @@ FILES:avahi-daemon = "${sbindir}/avahi-daemon \
                       ${sysconfdir}/avahi/services \
                       ${sysconfdir}/dbus-1 \
                       ${sysconfdir}/init.d/avahi-daemon \
-                      ${datadir}/avahi/introspection/*.introspect \
+                      ${datadir}/dbus-1/interfaces \
                       ${datadir}/avahi/avahi-service.dtd \
                       ${datadir}/avahi/service-types \
                       ${datadir}/dbus-1/system-services"
@@ -147,11 +153,11 @@ FILES:libavahi-glib = "${libdir}/libavahi-glib.so.*"
 FILES:libavahi-gobject = "${libdir}/libavahi-gobject.so.*  ${libdir}/girepository-1.0/Avahi*.typelib"
 FILES:avahi-utils = "${bindir}/avahi-* ${bindir}/b* ${datadir}/applications/b*"
 
-RDEPENDS:${PN}-dev = "avahi-daemon (= ${EXTENDPKGV}) libavahi-core (= ${EXTENDPKGV})"
-RDEPENDS:${PN}-dev += "${@["", " libavahi-client (= ${EXTENDPKGV})"][bb.utils.contains('PACKAGECONFIG', 'dbus', 1, 0, d)]}"
+DEV_PKG_DEPENDENCY = "avahi-daemon (= ${EXTENDPKGV}) libavahi-core (= ${EXTENDPKGV})"
+DEV_PKG_DEPENDENCY += "${@["", " libavahi-client (= ${EXTENDPKGV})"][bb.utils.contains('PACKAGECONFIG', 'dbus', 1, 0, d)]}"
 RDEPENDS:${PN}-dnsconfd = "${PN}-daemon"
 
-RRECOMMENDS:avahi-daemon:append:libc-glibc = " libnss-mdns"
+RRECOMMENDS:avahi-daemon:append:libc-glibc = " avahi-libnss-mdns"
 
 CONFFILES:avahi-daemon = "${sysconfdir}/avahi/avahi-daemon.conf"
 
@@ -178,8 +184,8 @@ SYSTEMD_SERVICE:${PN}-dnsconfd = "avahi-dnsconfd.service"
 
 do_install:append() {
         install -d ${D}${sysconfdir}/udhcpc.d
-        install ${WORKDIR}/00avahi-autoipd ${D}${sysconfdir}/udhcpc.d
-        install ${WORKDIR}/99avahi-autoipd ${D}${sysconfdir}/udhcpc.d
+        install ${UNPACKDIR}/00avahi-autoipd ${D}${sysconfdir}/udhcpc.d
+        install ${UNPACKDIR}/99avahi-autoipd ${D}${sysconfdir}/udhcpc.d
 }
 
 # At the time the postinst runs, dbus might not be setup so only restart if running 
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
new file mode 100644
index 0000000000..4d7924d13a
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,58 @@
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
+index 70d7687bc..406d0b441 100644
+--- a/avahi-daemon/dbus-protocol.c
++++ b/avahi-daemon/dbus-protocol.c
+@@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM
+     }
+ 
+     t = avahi_alternative_host_name(n);
+-    avahi_dbus_respond_string(c, m, t);
+-    avahi_free(t);
++    if (t) {
++        avahi_dbus_respond_string(c, m, t);
++        avahi_free(t);
+ 
+-    return DBUS_HANDLER_RESULT_HANDLED;
++        return DBUS_HANDLER_RESULT_HANDLED;
++    } else {
++        return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
++    }
+ }
+ 
+ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) {
+@@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB
+     }
+ 
+     t = avahi_alternative_service_name(n);
+-    avahi_dbus_respond_string(c, m, t);
+-    avahi_free(t);
++    if (t) {
++        avahi_dbus_respond_string(c, m, t);
++        avahi_free(t);
+ 
+-    return DBUS_HANDLER_RESULT_HANDLED;
++        return DBUS_HANDLER_RESULT_HANDLED;
++    } else {
++        return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
++    }
+ }
+ 
+ static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) {
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
new file mode 100644
index 0000000000..a078f66102
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
@@ -0,0 +1,48 @@
+From 72842945085cc3adaccfdfa2853771b0e75ef991 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 23 Oct 2023 20:29:31 +0000
+Subject: [PATCH] avahi: core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf]
+CVE: CVE-2023-38469
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-core/rr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/rr.c b/avahi-core/rr.c
+index 7fa0bee..b03a24c 100644
+--- a/avahi-core/rr.c
++++ b/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/defs.h>
+
++#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
+         case AVAHI_DNS_TYPE_TXT: {
+
+             AvahiStringList *strlst;
++            size_t used = 0;
+
+-            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
++            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+                 if (strlst->size > 255 || strlst->size <= 0)
+                     return 0;
+
++                used += 1+strlst->size;
++                if (used > AVAHI_DNS_RDATA_MAX)
++                    return 0;
++            }
++
+             return 1;
+         }
+     }
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
new file mode 100644
index 0000000000..f8f60ddca1
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
@@ -0,0 +1,65 @@
+From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 25 Oct 2023 18:15:42 +0000
+Subject: [PATCH] tests: pass overly long TXT resource records
+
+to make sure they don't crash avahi any more.
+It reproduces https://github.com/lathiat/avahi/issues/455
+
+Canonical notes:
+nickgalanis> removed first hunk since there is no .github dir in this release
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c       | 14 ++++++++++++++
+ 1 files changed, 14 insertions(+)
+
+Index: avahi-0.8/avahi-client/client-test.c
+===================================================================
+--- avahi-0.8.orig/avahi-client/client-test.c
++++ avahi-0.8/avahi-client/client-test.c
+@@ -22,6 +22,7 @@
+ #endif
+ 
+ #include <stdio.h>
++#include <string.h>
+ #include <assert.h>
+ 
+ #include <avahi-client/client.h>
+@@ -33,6 +34,8 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/timeval.h>
+ 
++#include <avahi-core/dns.h>
++
+ static const AvahiPoll *poll_api = NULL;
+ static AvahiSimplePoll *simple_poll = NULL;
+ 
+@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     uint32_t cookie;
+     struct timeval tv;
+     AvahiAddress a;
++    uint8_t rdata[AVAHI_DNS_RDATA_MAX+1];
++    AvahiStringList *txt = NULL;
++    int r;
+ 
+     simple_poll = avahi_simple_poll_new();
+     poll_api = avahi_simple_poll_get(simple_poll);
+@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+     printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+ 
++    memset(rdata, 1, sizeof(rdata));
++    r = avahi_string_list_parse(rdata, sizeof(rdata), &txt);
++    assert(r >= 0);
++    assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata));
++    error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt);
++    assert(error == AVAHI_ERR_INVALID_RECORD);
++    avahi_string_list_free(txt);
++
+     avahi_entry_group_commit (group);
+ 
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
new file mode 100644
index 0000000000..91f9e677ac
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
@@ -0,0 +1,59 @@
+From af7bfad67ca53a7c4042a4a2d85456b847e9f249 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 11 Apr 2023 15:29:59 +0200
+Subject: [PATCH] avahi: Ensure each label is at least one byte long
+
+The only allowed exception is single dot, where it should return empty
+string.
+
+Fixes #454.
+
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c]
+CVE: CVE-2023-38470
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-common/domain-test.c | 14 ++++++++++++++
+ avahi-common/domain.c      |  2 +-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
+index cf763ec..3acc1c1 100644
+--- a/avahi-common/domain-test.c
++++ b/avahi-common/domain-test.c
+@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
+     avahi_free(s);
+
++    printf("%s\n", s = avahi_normalize_name_strdup("."));
++    avahi_free(s);
++
++    s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
++                   "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
++                   ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
++                   "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
++                   "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
++                   "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
++                   "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
++                   "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
++                   "}.?.?.?.}.=.?.?.}");
++    assert(s == NULL);
++
+     printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
+     printf("%i\n", avahi_domain_equal("A", "a"));
+
+diff --git a/avahi-common/domain.c b/avahi-common/domain.c
+index 3b1ab68..e66d241 100644
+--- a/avahi-common/domain.c
++++ b/avahi-common/domain.c
+@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) {
+         }
+
+         if (!empty) {
+-            if (size < 1)
++            if (size < 2)
+                 return NULL;
+
+             *(r++) = '.';
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
new file mode 100644
index 0000000000..e0736bf210
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
@@ -0,0 +1,52 @@
+From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 19 Sep 2023 03:21:25 +0000
+Subject: [PATCH] [common] bail out when escaped labels can't fit into ret
+
+Fixes:
+```
+==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8
+READ of size 1110 at 0x7f9e76f14c16 thread T0
+    #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba)
+    #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12
+    #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12
+```
+and
+```
+fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed.
+==101571== ERROR: libFuzzer: deadly signal
+    #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #3 0x7f1581d7ebaf  (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9
+```
+
+It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-2.patch?h=ubuntu/jammy-security
+CVE: CVE-2023-38470 #Follow-up patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/domain.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: avahi-0.8/avahi-common/domain.c
+===================================================================
+--- avahi-0.8.orig/avahi-common/domain.c
++++ avahi-0.8/avahi-common/domain.c
+@@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s
+         } else
+             empty = 0;
+ 
+-        avahi_escape_label(label, strlen(label), &r, &size);
++        if (!(avahi_escape_label(label, strlen(label), &r, &size)))
++            return NULL;
+     }
+ 
+     return ret_s;
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
new file mode 100644
index 0000000000..b3f716495d
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
@@ -0,0 +1,73 @@
+From 48d745db7fd554fc33e96ec86d3675ebd530bb8e Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] avahi: core: extract host name using avahi_unescape_label()
+
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+
+Fixes #453
+
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
+CVE: CVE-2023-38471
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-core/server.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index e507750..40f1d68 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
+ }
+
+ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+-    char *hn = NULL;
++    char label_escaped[AVAHI_LABEL_MAX*4+1];
++    char label[AVAHI_LABEL_MAX];
++    char *hn = NULL, *h;
++    size_t len;
++
+     assert(s);
+
+     AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+
+-    hn[strcspn(hn, ".")] = 0;
++    h = hn;
++    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
++        avahi_free(h);
++        return AVAHI_ERR_INVALID_HOST_NAME;
++    }
++
++    avahi_free(h);
++
++    h = label_escaped;
++    len = sizeof(label_escaped);
++    if (!avahi_escape_label(label, strlen(label), &h, &len))
++        return AVAHI_ERR_INVALID_HOST_NAME;
+
+-    if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+-        avahi_free(hn);
++    if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+-    }
+
+     withdraw_host_rrs(s);
+
+     avahi_free(s->host_name);
+-    s->host_name = hn;
++    s->host_name = avahi_strdup(label_escaped);
++    if (!s->host_name)
++        return AVAHI_ERR_NO_MEMORY;
+
+     update_fqdn(s);
+
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
new file mode 100644
index 0000000000..44737bfc2e
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
@@ -0,0 +1,52 @@
+From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 24 Oct 2023 22:04:51 +0000
+Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
+
+It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460]
+CVE: CVE-2023-38471 #Follow-up Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/server.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+Index: avahi-0.8/avahi-core/server.c
+===================================================================
+--- avahi-0.8.orig/avahi-core/server.c
++++ avahi-0.8/avahi-core/server.c
+@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServ
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+ 
++    if (!hn)
++        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
++
+     h = hn;
+     if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+         avahi_free(h);
+-        return AVAHI_ERR_INVALID_HOST_NAME;
++        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+     }
+ 
+     avahi_free(h);
+@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServ
+     h = label_escaped;
+     len = sizeof(label_escaped);
+     if (!avahi_escape_label(label, strlen(label), &h, &len))
+-        return AVAHI_ERR_INVALID_HOST_NAME;
++        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+ 
+     if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServ
+     avahi_free(s->host_name);
+     s->host_name = avahi_strdup(label_escaped);
+     if (!s->host_name)
+-        return AVAHI_ERR_NO_MEMORY;
++        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+ 
+     update_fqdn(s);
+ 
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
new file mode 100644
index 0000000000..85dbded73b
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
@@ -0,0 +1,46 @@
+From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] core: make sure there is rdata to process before parsing it
+
+Fixes #452
+
+CVE-2023-38472
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
+CVE: CVE-2023-38472
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c      | 3 +++
+ avahi-daemon/dbus-entry-group.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+Index: avahi-0.8/avahi-client/client-test.c
+===================================================================
+--- avahi-0.8.orig/avahi-client/client-test.c
++++ avahi-0.8/avahi-client/client-test.c
+@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     assert(error == AVAHI_ERR_INVALID_RECORD);
+     avahi_string_list_free(txt);
+ 
++    error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++    assert(error != AVAHI_OK);
++
+     avahi_entry_group_commit (group);
+ 
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+Index: avahi-0.8/avahi-daemon/dbus-entry-group.c
+===================================================================
+--- avahi-0.8.orig/avahi-daemon/dbus-entry-group.c
++++ avahi-0.8/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g
+         if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+ 
+-        if (avahi_rdata_parse (r, rdata, size) < 0) {
++        if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+             avahi_record_unref (r);
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+         }
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
new file mode 100644
index 0000000000..707acb60fe
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
@@ -0,0 +1,110 @@
+From 88cbbc48d5efff9726694557ca6c3f698f3affe4 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 11 Oct 2023 17:45:44 +0200
+Subject: [PATCH] avahi: common: derive alternative host name from its
+ unescaped version
+
+Normalization of input makes sure we don't have to deal with special
+cases like unescaped dot at the end of label.
+
+Fixes #451 #487
+
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
+CVE: CVE-2023-38473
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-common/alternative-test.c |  3 +++
+ avahi-common/alternative.c      | 27 +++++++++++++++++++--------
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
+index 9255435..681fc15 100644
+--- a/avahi-common/alternative-test.c
++++ b/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     const char* const test_strings[] = {
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
++        ").",
++        "\\.",
++        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+         "gurke",
+         "-",
+         " #",
+diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
+index b3d39f0..a094e6d 100644
+--- a/avahi-common/alternative.c
++++ b/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
+ }
+
+ char *avahi_alternative_host_name(const char *s) {
++    char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
++    char *alt, *r, *ret;
+     const char *e;
+-    char *r;
++    size_t len;
+
+     assert(s);
+
+     if (!avahi_is_valid_host_name(s))
+         return NULL;
+
+-    if ((e = strrchr(s, '-'))) {
++    if (!avahi_unescape_label(&s, label, sizeof(label)))
++        return NULL;
++
++    if ((e = strrchr(label, '-'))) {
+         const char *p;
+
+         e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
+
+     if (e) {
+         char *c, *m;
+-        size_t l;
+         int n;
+
+         n = atoi(e)+1;
+         if (!(m = avahi_strdup_printf("%i", n)))
+             return NULL;
+
+-        l = e-s-1;
++        len = e-label-1;
+
+-        if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+-            l = AVAHI_LABEL_MAX-1-strlen(m)-1;
++        if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
++            len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+
+-        if (!(c = avahi_strndup(s, l))) {
++        if (!(c = avahi_strndup(label, len))) {
+             avahi_free(m);
+             return NULL;
+         }
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
+     } else {
+         char *c;
+
+-        if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
++        if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+             return NULL;
+
+         drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
+         avahi_free(c);
+     }
+
++    alt = alternative;
++    len = sizeof(alternative);
++    ret = avahi_escape_label(r, strlen(r), &alt, &len);
++
++    avahi_free(r);
++    r = avahi_strdup(ret);
++
+     assert(avahi_is_valid_host_name(r));
+
+     return r;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/initscript.patch b/meta/recipes-connectivity/avahi/files/initscript.patch
index c856c3df04..e1176888df 100644
--- a/meta/recipes-connectivity/avahi/files/initscript.patch
+++ b/meta/recipes-connectivity/avahi/files/initscript.patch
@@ -1,4 +1,8 @@
-Upstream-Status: Pending
+Note: upcoming avahi 0.9 drops debian initscripts altogether,
+so any version update would probably have to copy the last
+upstream versions into oe-core, and install them from the recipe.
+
+Upstream-Status: Inappropriate [upstream removed the files]
 
 Index: avahi-0.7/initscript/debian/avahi-daemon.in
 ===================================================================
diff --git a/meta/recipes-connectivity/avahi/files/invalid-service.patch b/meta/recipes-connectivity/avahi/files/invalid-service.patch
new file mode 100644
index 0000000000..8f188aff2c
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/invalid-service.patch
@@ -0,0 +1,29 @@
+From 46490e95151d415cd22f02565e530eb5efcef680 Mon Sep 17 00:00:00 2001
+From: Asger Hautop Drewsen <asger@princh.com>
+Date: Mon, 9 Aug 2021 14:25:08 +0200
+Subject: [PATCH] Fix avahi-browse: Invalid service type
+
+Invalid service types will stop the browse from completing, or
+in simple terms "my washing machine stops me from printing".
+
+Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/472]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ avahi-core/browse-service.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
+index 63e0275a..ac3d2ecb 100644
+--- a/avahi-core/browse-service.c
++++ b/avahi-core/browse-service.c
+@@ -103,7 +103,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_prepare(
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(server, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_FLAGS_VALID(flags, AVAHI_LOOKUP_USE_WIDE_AREA|AVAHI_LOOKUP_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+-    AVAHI_CHECK_VALIDITY_RETURN_NULL(server, avahi_is_valid_service_type_generic(service_type), AVAHI_ERR_INVALID_SERVICE_TYPE);
++
++    if (!avahi_is_valid_service_type_generic(service_type))
++        service_type = "_invalid._tcp";
+ 
+     if (!domain)
+         domain = server->domain_name;
diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch
index 94116ad1f3..29c192d296 100644
--- a/meta/recipes-connectivity/avahi/files/local-ping.patch
+++ b/meta/recipes-connectivity/avahi/files/local-ping.patch
@@ -1,4 +1,5 @@
 CVE: CVE-2021-36217
+CVE: CVE-2021-3502
 Upstream-Status: Backport
 Signed-off-by: Ross Burton <ross.burton@arm.com>
 
diff --git a/meta/recipes-connectivity/bind/bind-9.16.21/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind-9.16.21/0001-named-lwresd-V-and-start-log-hide-build-options.patch
deleted file mode 100644
index 5bcc16c9b2..0000000000
--- a/meta/recipes-connectivity/bind/bind-9.16.21/0001-named-lwresd-V-and-start-log-hide-build-options.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From a3af4a405baf5ff582e82aaba392dd9667d94bdc Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Mon, 27 Aug 2018 21:24:20 +0800
-Subject: [PATCH] `named/lwresd -V' and start log hide build options
-
-The build options expose build path directories, so hide them.
-[snip]
-$ named -V
-|built by make with *** (options are hidden)
-[snip]
-
-Upstream-Status: Inappropriate [oe-core specific]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
-
-Refreshed for 9.16.0
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- bin/named/include/named/globals.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: bind-9.16.0/bin/named/include/named/globals.h
-===================================================================
---- bind-9.16.0.orig/bin/named/include/named/globals.h
-+++ bind-9.16.0/bin/named/include/named/globals.h
-@@ -69,7 +69,7 @@ EXTERN const char *named_g_version     I
- EXTERN const char *named_g_product     INIT(PRODUCT);
- EXTERN const char *named_g_description INIT(DESCRIPTION);
- EXTERN const char *named_g_srcid       INIT(SRCID);
--EXTERN const char *named_g_configargs  INIT(CONFIGARGS);
-+EXTERN const char *named_g_configargs  INIT("*** (options are hidden)");
- EXTERN const char *named_g_builder     INIT(BUILDER);
- EXTERN in_port_t named_g_port         INIT(0);
- EXTERN isc_dscp_t named_g_dscp        INIT(-1);
diff --git a/meta/recipes-connectivity/bind/bind-9.16.21/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch
index 8db96ec049..78ab6b87fc 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.21/0001-avoid-start-failure-with-bind-user.patch
+++ b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch
@@ -1,4 +1,4 @@
-From 31dde3562f287429eea94b77250d184818b49063 Mon Sep 17 00:00:00 2001
+From c70f74164bea8a8c54c03becffb2f21103dd1f31 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 15 Oct 2018 16:55:09 +0800
 Subject: [PATCH] avoid start failure with bind user
@@ -11,17 +11,14 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/init.d b/init.d
-index b2eec60..6e03936 100644
+index 95e8909..771d349 100644
 --- a/init.d
 +++ b/init.d
 @@ -57,6 +57,7 @@ case "$1" in
         modprobe capability >/dev/null 2>&1 || true
         if [ ! -f /etc/bind/rndc.key ]; then
-            /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
+            /usr/sbin/rndc-confgen -a -b 512
 +           chown root:bind /etc/bind/rndc.key >/dev/null 2>&1 || true
             chmod 0640 /etc/bind/rndc.key
         fi
         if [ -f /var/run/named/named.pid ]; then
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch
new file mode 100644
index 0000000000..53e439721f
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch
@@ -0,0 +1,34 @@
+From 0dd67d85705cbcfa9a2759c46f3cdf3d0d6375de Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Mon, 27 Aug 2018 21:24:20 +0800
+Subject: [PATCH] `named/lwresd -V' and start log hide build options
+
+The build options expose build path directories, so hide them.
+[snip]
+$ named -V
+|built by make with *** (options are hidden)
+[snip]
+
+Upstream-Status: Inappropriate [oe-core specific]
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+
+Refreshed for 9.16.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index f9cf4a4..0ce3d26 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -35,7 +35,7 @@ AC_DEFINE([PACKAGE_VERSION_EXTRA], ["][bind_VERSION_EXTRA]["], [BIND 9 Extra par
+ AC_DEFINE([PACKAGE_DESCRIPTION], [m4_ifnblank(bind_DESCRIPTION, [" ]bind_DESCRIPTION["], [])], [An extra string to print after PACKAGE_STRING])
+ AC_DEFINE([PACKAGE_SRCID], ["][bind_SRCID]["], [A short hash from git])
+ 
+-bind_CONFIGARGS="${ac_configure_args:-default}"
++bind_CONFIGARGS="(removed for reproducibility)"
+ AC_DEFINE_UNQUOTED([PACKAGE_CONFIGARGS], ["$bind_CONFIGARGS"], [Either 'defaults' or used ./configure options])
+ 
+ AC_DEFINE([PACKAGE_BUILDER], ["make"], [make or Visual Studio])
diff --git a/meta/recipes-connectivity/bind/bind-9.16.21/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
index f9cdc7ca4d..38d208fc1c 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.21/bind-ensure-searching-for-json-headers-searches-sysr.patch
+++ b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
@@ -1,4 +1,4 @@
-From edda20fb5a6e88548f85e39d34d6c074306e15bc Mon Sep 17 00:00:00 2001
+From 8c9c817933eef20328f10237bbd964580db0a3ad Mon Sep 17 00:00:00 2001
 From: Paul Gortmaker <paul.gortmaker@windriver.com>
 Date: Tue, 9 Jun 2015 11:22:00 -0400
 Subject: [PATCH] bind: ensure searching for json headers searches sysroot
@@ -27,21 +27,20 @@ to make use of the combination some day.
 
 Upstream-Status: Inappropriate [OE Specific]
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-
 ---
  configure.ac | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-Index: bind-9.16.4/configure.ac
-===================================================================
---- bind-9.16.4.orig/configure.ac
-+++ bind-9.16.4/configure.ac
-@@ -1232,7 +1232,7 @@ case "$use_lmdb" in
-                LMDB_LIBS=""
-                ;;
-        auto|yes)
--               for d in /usr /usr/local /opt/local
-+               for d in "${STAGING_INCDIR}"
-                do
-                        if test -f "${d}/include/lmdb.h"
-                        then
+diff --git a/configure.ac b/configure.ac
+index 334b551..f9cf4a4 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -863,7 +863,7 @@ AS_CASE([$with_lmdb],
+        [no],[],
+        [auto|yes], [PKG_CHECK_MODULES([LMDB], [lmdb],
+                                       [ac_lib_lmdb_found=yes],
+-                                      [for ac_lib_lmdb_path in /usr /usr/local /opt /opt/local; do
++                                      [for ac_lib_lmdb_path in "${STAGING_INCDIR}"; do
+                                                AX_LIB_LMDB([$ac_lib_lmdb_path],
+                                                            [ac_lib_lmdb_found=yes
+                                                             break])
diff --git a/meta/recipes-connectivity/bind/bind-9.16.21/bind9 b/meta/recipes-connectivity/bind/bind/bind9
index 968679ff7f..968679ff7f 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.21/bind9
+++ b/meta/recipes-connectivity/bind/bind/bind9
diff --git a/meta/recipes-connectivity/bind/bind-9.16.21/conf.patch b/meta/recipes-connectivity/bind/bind/conf.patch
index aad345f9fc..102fe46ffe 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.21/conf.patch
+++ b/meta/recipes-connectivity/bind/bind/conf.patch
@@ -1,12 +1,43 @@
+From 83a892af19bf1455ce7132350332ed6d7f1e2b94 Mon Sep 17 00:00:00 2001
+From: Qing He <qing.he@intel.com>
+Date: Tue, 30 Nov 2010 13:35:42 +0800
+Subject: [PATCH] bind: add new recipe
+
 Upstream-Status: Inappropriate [configuration]
 
 the patch is imported from openembedded project
 
 11/30/2010 - Qing He <qing.he@intel.com>
+---
+ conf/db.0               | 12 +++++++
+ conf/db.127             | 13 ++++++++
+ conf/db.255             | 12 +++++++
+ conf/db.empty           | 14 +++++++++
+ conf/db.local           | 13 ++++++++
+ conf/db.root            | 45 ++++++++++++++++++++++++++
+ conf/named.conf         | 49 +++++++++++++++++++++++++++++
+ conf/named.conf.local   |  8 +++++
+ conf/named.conf.options | 24 ++++++++++++++
+ conf/zones.rfc1918      | 20 ++++++++++++
+ init.d                  | 70 +++++++++++++++++++++++++++++++++++++++++
+ 11 files changed, 280 insertions(+)
+ create mode 100644 conf/db.0
+ create mode 100644 conf/db.127
+ create mode 100644 conf/db.255
+ create mode 100644 conf/db.empty
+ create mode 100644 conf/db.local
+ create mode 100644 conf/db.root
+ create mode 100644 conf/named.conf
+ create mode 100644 conf/named.conf.local
+ create mode 100644 conf/named.conf.options
+ create mode 100644 conf/zones.rfc1918
+ create mode 100644 init.d
 
-diff -urN bind-9.3.1.orig/conf/db.0 bind-9.3.1/conf/db.0
---- bind-9.3.1.orig/conf/db.0   1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.0        2005-07-10 22:14:00.000000000 +0200
+diff --git a/conf/db.0 b/conf/db.0
+new file mode 100644
+index 0000000..e3aabdb
+--- /dev/null
++++ b/conf/db.0
 @@ -0,0 +1,12 @@
 +;
 +; BIND reverse data file for broadcast zone
@@ -20,9 +51,11 @@ diff -urN bind-9.3.1.orig/conf/db.0 bind-9.3.1/conf/db.0
 +                        604800 )       ; Negative Cache TTL
 +;
 +@      IN      NS      localhost.
-diff -urN bind-9.3.1.orig/conf/db.127 bind-9.3.1/conf/db.127
---- bind-9.3.1.orig/conf/db.127 1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.127      2005-07-10 22:14:00.000000000 +0200
+diff --git a/conf/db.127 b/conf/db.127
+new file mode 100644
+index 0000000..cd05bef
+--- /dev/null
++++ b/conf/db.127
 @@ -0,0 +1,13 @@
 +;
 +; BIND reverse data file for local loopback interface
@@ -37,43 +70,49 @@ diff -urN bind-9.3.1.orig/conf/db.127 bind-9.3.1/conf/db.127
 +;
 +@      IN      NS      localhost.
 +1.0.0  IN      PTR     localhost.
-diff -urN bind-9.3.1.orig/conf/db.empty bind-9.3.1/conf/db.empty
---- bind-9.3.1.orig/conf/db.empty       1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.empty    2005-07-10 22:14:00.000000000 +0200
-@@ -0,0 +1,14 @@
-+; BIND reverse data file for empty rfc1918 zone
+diff --git a/conf/db.255 b/conf/db.255
+new file mode 100644
+index 0000000..16cd819
+--- /dev/null
++++ b/conf/db.255
+@@ -0,0 +1,12 @@
 +;
-+; DO NOT EDIT THIS FILE - it is used for multiple zones.
-+; Instead, copy it, edit named.conf, and use that copy.
++; BIND reserve data file for broadcast zone
 +;
-+$TTL   86400
++$TTL   604800
 +@      IN      SOA     localhost. root.localhost. (
 +                             1         ; Serial
 +                        604800         ; Refresh
 +                         86400         ; Retry
 +                       2419200         ; Expire
-+                         86400 )       ; Negative Cache TTL
++                        604800 )       ; Negative Cache TTL
 +;
 +@      IN      NS      localhost.
-diff -urN bind-9.3.1.orig/conf/db.255 bind-9.3.1/conf/db.255
---- bind-9.3.1.orig/conf/db.255 1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.255      2005-07-10 22:14:00.000000000 +0200
-@@ -0,0 +1,12 @@
+diff --git a/conf/db.empty b/conf/db.empty
+new file mode 100644
+index 0000000..8a12858
+--- /dev/null
++++ b/conf/db.empty
+@@ -0,0 +1,14 @@
++; BIND reverse data file for empty rfc1918 zone
 +;
-+; BIND reserve data file for broadcast zone
++; DO NOT EDIT THIS FILE - it is used for multiple zones.
++; Instead, copy it, edit named.conf, and use that copy.
 +;
-+$TTL   604800
++$TTL   86400
 +@      IN      SOA     localhost. root.localhost. (
 +                             1         ; Serial
 +                        604800         ; Refresh
 +                         86400         ; Retry
 +                       2419200         ; Expire
-+                        604800 )       ; Negative Cache TTL
++                         86400 )       ; Negative Cache TTL
 +;
 +@      IN      NS      localhost.
-diff -urN bind-9.3.1.orig/conf/db.local bind-9.3.1/conf/db.local
---- bind-9.3.1.orig/conf/db.local       1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.local    2005-07-10 22:14:00.000000000 +0200
+diff --git a/conf/db.local b/conf/db.local
+new file mode 100644
+index 0000000..66b4892
+--- /dev/null
++++ b/conf/db.local
 @@ -0,0 +1,13 @@
 +;
 +; BIND data file for local loopback interface
@@ -88,9 +127,11 @@ diff -urN bind-9.3.1.orig/conf/db.local bind-9.3.1/conf/db.local
 +;
 +@      IN      NS      localhost.
 +@      IN      A       127.0.0.1
-diff -urN bind-9.3.1.orig/conf/db.root bind-9.3.1/conf/db.root
---- bind-9.3.1.orig/conf/db.root        1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/db.root     2005-07-10 22:14:00.000000000 +0200
+diff --git a/conf/db.root b/conf/db.root
+new file mode 100644
+index 0000000..01c20f0
+--- /dev/null
++++ b/conf/db.root
 @@ -0,0 +1,45 @@
 +
 +; <<>> DiG 9.2.3 <<>> ns . @a.root-servers.net.
@@ -137,9 +178,11 @@ diff -urN bind-9.3.1.orig/conf/db.root bind-9.3.1/conf/db.root
 +;; WHEN: Sun Feb  1 11:27:14 2004
 +;; MSG SIZE  rcvd: 436
 +
-diff -urN bind-9.3.1.orig/conf/named.conf bind-9.3.1/conf/named.conf
---- bind-9.3.1.orig/conf/named.conf     1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/named.conf  2005-07-10 22:33:46.000000000 +0200
+diff --git a/conf/named.conf b/conf/named.conf
+new file mode 100644
+index 0000000..95829cf
+--- /dev/null
++++ b/conf/named.conf
 @@ -0,0 +1,49 @@
 +// This is the primary configuration file for the BIND DNS server named.
 +//
@@ -190,9 +233,11 @@ diff -urN bind-9.3.1.orig/conf/named.conf bind-9.3.1/conf/named.conf
 +// root-delegation-only exclude { "DE"; "MUSEUM"; };
 +
 +include "/etc/bind/named.conf.local";
-diff -urN bind-9.3.1.orig/conf/named.conf.local bind-9.3.1/conf/named.conf.local
---- bind-9.3.1.orig/conf/named.conf.local       1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/named.conf.local    2005-07-10 22:14:06.000000000 +0200
+diff --git a/conf/named.conf.local b/conf/named.conf.local
+new file mode 100644
+index 0000000..7a57b10
+--- /dev/null
++++ b/conf/named.conf.local
 @@ -0,0 +1,8 @@
 +//
 +// Do any local configuration here
@@ -202,9 +247,11 @@ diff -urN bind-9.3.1.orig/conf/named.conf.local bind-9.3.1/conf/named.conf.local
 +// organization
 +//include "/etc/bind/zones.rfc1918";
 +
-diff -urN bind-9.3.1.orig/conf/named.conf.options bind-9.3.1/conf/named.conf.options
---- bind-9.3.1.orig/conf/named.conf.options     1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/named.conf.options  2005-07-10 22:14:06.000000000 +0200
+diff --git a/conf/named.conf.options b/conf/named.conf.options
+new file mode 100644
+index 0000000..813193d
+--- /dev/null
++++ b/conf/named.conf.options
 @@ -0,0 +1,24 @@
 +options {
 +       directory "/var/cache/bind";
@@ -230,9 +277,11 @@ diff -urN bind-9.3.1.orig/conf/named.conf.options bind-9.3.1/conf/named.conf.opt
 +
 +};
 +
-diff -urN bind-9.3.1.orig/conf/zones.rfc1918 bind-9.3.1/conf/zones.rfc1918
---- bind-9.3.1.orig/conf/zones.rfc1918  1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/conf/zones.rfc1918       2005-07-10 22:14:10.000000000 +0200
+diff --git a/conf/zones.rfc1918 b/conf/zones.rfc1918
+new file mode 100644
+index 0000000..03b5546
+--- /dev/null
++++ b/conf/zones.rfc1918
 @@ -0,0 +1,20 @@
 +zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
 + 
@@ -254,9 +303,11 @@ diff -urN bind-9.3.1.orig/conf/zones.rfc1918 bind-9.3.1/conf/zones.rfc1918
 +zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
 +
 +zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
-diff -urN bind-9.3.1.orig/init.d bind-9.3.1/init.d
---- bind-9.3.1.orig/init.d      1970-01-01 01:00:00.000000000 +0100
-+++ bind-9.3.1/init.d   2005-07-10 23:09:58.000000000 +0200
+diff --git a/init.d b/init.d
+new file mode 100644
+index 0000000..2ef2277
+--- /dev/null
++++ b/init.d
 @@ -0,0 +1,70 @@
 +#!/bin/sh
 +
@@ -276,7 +327,7 @@ diff -urN bind-9.3.1.orig/init.d bind-9.3.1/init.d
 +
 +       modprobe capability >/dev/null 2>&1 || true
 +       if [ ! -f /etc/bind/rndc.key ]; then
-+           /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
++           /usr/sbin/rndc-confgen -a -b 512
 +           chmod 0640 /etc/bind/rndc.key
 +       fi
 +       if [ -f /var/run/named/named.pid ]; then
diff --git a/meta/recipes-connectivity/bind/bind-9.16.21/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh
index 633e29c0e6..633e29c0e6 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.21/generate-rndc-key.sh
+++ b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh
diff --git a/meta/recipes-connectivity/bind/bind-9.16.21/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch
index 11db95ede1..984d401c70 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.21/init.d-add-support-for-read-only-rootfs.patch
+++ b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch
@@ -1,14 +1,17 @@
-Subject: init.d: add support for read-only rootfs
+From 1393cbf6b0084128fdfc9b5afb3bcc307265d094 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Thu, 27 Mar 2014 02:34:41 +0000
+Subject: [PATCH] init.d: add support for read-only rootfs
 
 Upstream-Status: Inappropriate [oe specific]
 
 Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 ---
- init.d |   40 ++++++++++++++++++++++++++++++++++++++++
+ init.d | 40 ++++++++++++++++++++++++++++++++++++++++
  1 file changed, 40 insertions(+)
 
 diff --git a/init.d b/init.d
-index 0111ed4..24677c8 100644
+index 2ef2277..95e8909 100644
 --- a/init.d
 +++ b/init.d
 @@ -6,8 +6,48 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
@@ -60,6 +63,3 @@ index 0111ed4..24677c8 100644
  test -x /usr/sbin/rndc || exit 0
  
  case "$1" in
--- 
-1.7.9.5
-
diff --git a/meta/recipes-connectivity/bind/bind-9.16.21/make-etc-initd-bind-stop-work.patch b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
index 146f3e35db..74f2ef83a0 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.21/make-etc-initd-bind-stop-work.patch
+++ b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
@@ -1,4 +1,7 @@
-bind: make "/etc/init.d/bind stop" work
+From ce06506bb3fe661e03161af3a603bd228590a254 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Thu, 15 Nov 2012 02:27:54 +0000
+Subject: [PATCH] bind: make "/etc/init.d/bind stop" work
 
 Upstream-Status: Inappropriate [configuration]
 
@@ -7,13 +10,13 @@ the named daemon.
 
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
 ---
- conf/named.conf |    5 +++++
- conf/rndc.conf  |    5 +++++
- 2 files changed, 10 insertions(+), 0 deletions(-)
+ conf/named.conf | 5 +++++
+ conf/rndc.conf  | 5 +++++
+ 2 files changed, 10 insertions(+)
  create mode 100644 conf/rndc.conf
 
 diff --git a/conf/named.conf b/conf/named.conf
-index 95829cf..c8899e7 100644
+index 95829cf..021dbca 100644
 --- a/conf/named.conf
 +++ b/conf/named.conf
 @@ -47,3 +47,8 @@ zone "255.in-addr.arpa" {
@@ -27,7 +30,7 @@ index 95829cf..c8899e7 100644
 +};
 diff --git a/conf/rndc.conf b/conf/rndc.conf
 new file mode 100644
-index 0000000..a0b481d
+index 0000000..4b43a3d
 --- /dev/null
 +++ b/conf/rndc.conf
 @@ -0,0 +1,5 @@
@@ -36,7 +39,3 @@ index 0000000..a0b481d
 +       default-server  localhost;
 +       default-key     rndc-key;
 +};
-
--- 
-1.7.5.4
-
diff --git a/meta/recipes-connectivity/bind/bind-9.16.21/named.service b/meta/recipes-connectivity/bind/bind/named.service
index cda56ef015..cda56ef015 100644
--- a/meta/recipes-connectivity/bind/bind-9.16.21/named.service
+++ b/meta/recipes-connectivity/bind/bind/named.service
diff --git a/meta/recipes-connectivity/bind/bind_9.16.21.bb b/meta/recipes-connectivity/bind/bind_9.20.10.bb
index 390c84248d..32f0bdf7b5 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.21.bb
+++ b/meta/recipes-connectivity/bind/bind_9.20.10.bb
@@ -4,9 +4,9 @@ DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
 SECTION = "console/network"
 
 LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=ef10b4de6371115dcecdc38ca2af4561"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c7a0b6d9a1b692a5da9af9d503671f43"
 
-DEPENDS = "openssl libcap zlib libuv"
+DEPENDS = "openssl libcap zlib libuv liburcu"
 
 SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://conf.patch \
@@ -20,33 +20,31 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "65da5fd4fb80b7d0d7452876f81fd6d67cdcee54a5e3c1d65610334665dfa815"
+SRC_URI[sha256sum] = "0fb3ba2c337bb488ca68f5df296c435cd255058fb63d0822e91db0235c905716"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
-# stay at 9.16 follow the ESV versions divisible by 4
-UPSTREAM_CHECK_REGEX = "(?P<pver>9.(16|20|24|28)(\.\d+)+(-P\d+)*)/"
+# follow the ESV versions divisible by 2
+UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
 
 # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
 # so the issue doesn't affect us.
-CVE_CHECK_WHITELIST += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
 
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
 
 # PACKAGECONFIGs readline and libedit should NOT be set at same time
 PACKAGECONFIG ?= "readline"
-PACKAGECONFIG[httpstats] = "--with-libxml2=${STAGING_DIR_HOST}${prefix},--without-libxml2,libxml2"
-PACKAGECONFIG[readline] = "--with-readline=-lreadline,,readline"
-PACKAGECONFIG[libedit] = "--with-readline=-ledit,,libedit"
-PACKAGECONFIG[python3] = "--with-python=yes --with-python-install-dir=${PYTHON_SITEPACKAGES_DIR} , --without-python, python3-ply-native,"
+PACKAGECONFIG[httpstats] = "--with-libxml2,--without-libxml2,libxml2"
+PACKAGECONFIG[readline] = "--with-readline=readline,,readline"
+PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit"
+PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2"
 
-EXTRA_OECONF = " --with-libtool --disable-devpoll --disable-auto-validation --enable-epoll \
+EXTRA_OECONF = " --disable-auto-validation \
                  --with-gssapi=no --with-lmdb=no --with-zlib \
                  --sysconfdir=${sysconfdir}/bind \
                  --with-openssl=${STAGING_DIR_HOST}${prefix} \
                "
-LDFLAGS:append = " -lz"
-
-inherit ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native distutils3-base', '', d)}
+LDFLAGS += "-lz"
 
 # dhcp needs .la so keep them
 REMOVE_LIBTOOL_LA = "0"
@@ -67,31 +65,23 @@ do_install:append() {
         install -d "${D}${sysconfdir}/init.d"
         install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/"
         install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind"
-        if ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'true', 'false', d)}; then
-                sed -i -e '1s,#!.*python3,#! /usr/bin/python3,' \
-                ${D}${sbindir}/dnssec-coverage \
-                ${D}${sbindir}/dnssec-checkds \
-                ${D}${sbindir}/dnssec-keymgr
-        fi
 
         # Install systemd related files
         install -d ${D}${sbindir}
-        install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir}
+        install -m 755 ${UNPACKDIR}/generate-rndc-key.sh ${D}${sbindir}
         install -d ${D}${systemd_system_unitdir}
-        install -m 0644 ${WORKDIR}/named.service ${D}${systemd_system_unitdir}
+        install -m 0644 ${UNPACKDIR}/named.service ${D}${systemd_system_unitdir}
         sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
                -e 's,@SBINDIR@,${sbindir},g' \
                ${D}${systemd_system_unitdir}/named.service
 
         install -d ${D}${sysconfdir}/default
-        install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default
+        install -m 0644 ${UNPACKDIR}/bind9 ${D}${sysconfdir}/default
 
         if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
                 install -d ${D}${sysconfdir}/tmpfiles.d
                 echo "d /run/named 0755 bind bind - -" > ${D}${sysconfdir}/tmpfiles.d/bind.conf
         fi
-
-    oe_multilib_header isc/platform.h
 }
 
 CONFFILES:${PN} = " \
@@ -119,11 +109,5 @@ PACKAGE_BEFORE_PN += "${PN}-libs"
 # https://github.com/isc-projects/bind9/commit/0e25af628cd776f98c04fc4cc59048f5448f6c88
 FILES_SOLIBSDEV = "${libdir}/*[!0-9].so ${libdir}/libbind9.so"
 FILES:${PN}-libs = "${libdir}/named/*.so* ${libdir}/*-${PV}.so"
-FILES:${PN}-staticdev += "${libdir}/*.la"
-
-PACKAGE_BEFORE_PN += "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3-bind', '', d)}"
-FILES:python3-bind = "${sbindir}/dnssec-coverage ${sbindir}/dnssec-checkds \
-                ${sbindir}/dnssec-keymgr ${PYTHON_SITEPACKAGES_DIR}"
 
-RDEPENDS:${PN}-dev = ""
-RDEPENDS:python3-bind = "python3-core python3-ply"
+DEV_PKG_DEPENDENCY = ""
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 0a5fc9d4b8..287ebf658e 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -2,7 +2,7 @@ SUMMARY = "Linux Bluetooth Stack Userland V5"
 DESCRIPTION = "Linux Bluetooth stack V5 userland components.  These include a system configurations, daemons, tools and system libraries."
 HOMEPAGE = "http://www.bluez.org"
 SECTION = "libs"
-LICENSE = "GPLv2+ & LGPLv2.1+"
+LICENSE = "GPL-2.0-or-later & LGPL-2.1-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
                     file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \
                     file://src/main.c;beginline=1;endline=24;md5=0ad83ca0dc37ab08af448777c581e7ac"
@@ -17,6 +17,14 @@ PACKAGECONFIG ??= "obex-profiles \
     ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
     a2dp-profiles \
     avrcp-profiles \
+    bap-profiles \
+    bass-profiles \
+    mcp-profiles \
+    ccp-profiles \
+    vcp-profiles \
+    micp-profiles \
+    csip-profiles \
+    asha-profiles \
     network-profiles \
     hid-profiles \
     hog-profiles \
@@ -38,6 +46,14 @@ PACKAGECONFIG[network-profiles] = "--enable-network,--disable-network"
 PACKAGECONFIG[hid-profiles] = "--enable-hid,--disable-hid"
 PACKAGECONFIG[hog-profiles] = "--enable-hog,--disable-hog"
 PACKAGECONFIG[health-profiles] = "--enable-health,--disable-health"
+PACKAGECONFIG[bap-profiles] = "--enable-bap,--disable-bap"
+PACKAGECONFIG[bass-profiles] = "--enable-bass,--disable-bass"
+PACKAGECONFIG[mcp-profiles] = "--enable-mcp,--disable-mcp"
+PACKAGECONFIG[ccp-profiles] = "--enable-ccp,--disable-ccp"
+PACKAGECONFIG[vcp-profiles] = "--enable-vcp,--disable-vcp"
+PACKAGECONFIG[micp-profiles] = "--enable-micp,--disable-micp"
+PACKAGECONFIG[csip-profiles] = "--enable-csip,--disable-csip"
+PACKAGECONFIG[asha-profiles] = "--enable-asha,--disable-asha"
 PACKAGECONFIG[sixaxis] = "--enable-sixaxis,--disable-sixaxis"
 PACKAGECONFIG[tools] = "--enable-tools,--disable-tools"
 PACKAGECONFIG[threads] = "--enable-threads,--disable-threads"
@@ -50,11 +66,10 @@ PACKAGECONFIG[manpages] = "--enable-manpages,--disable-manpages,python3-docutils
 SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
            file://init \
            file://run-ptest \
-           ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
            file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
-           file://0001-test-gatt-Fix-hung-issue.patch \
+           file://0001-bluez5-disable-aics-tests.patch \
            "
-S = "${WORKDIR}/bluez-${PV}"
+S = "${UNPACKDIR}/bluez-${PV}"
 
 CVE_PRODUCT = "bluez"
 
@@ -64,9 +79,12 @@ EXTRA_OECONF = "\
   --enable-test \
   --enable-datafiles \
   --enable-library \
+  --enable-pie  \
   --without-zsh-completion-dir \
 "
 
+CFLAGS += "-DFIRMWARE_DIR=\\"${nonarch_base_libdir}/firmware\\""
+
 # bluez5 builds a large number of useful utilities but does not
 # install them.  Specify which ones we want put into ${PN}-noinst-tools.
 NOINST_TOOLS_READLINE ??= ""
@@ -80,28 +98,16 @@ NOINST_TOOLS = " \
 
 do_install:append() {
         install -d ${D}${INIT_D_DIR}
-        install -m 0755 ${WORKDIR}/init ${D}${INIT_D_DIR}/bluetooth
+        install -m 0755 ${UNPACKDIR}/init ${D}${INIT_D_DIR}/bluetooth
 
-        install -d ${D}${sysconfdir}/bluetooth/
-        if [ -f ${S}/profiles/network/network.conf ]; then
-                install -m 0644 ${S}/profiles/network/network.conf ${D}/${sysconfdir}/bluetooth/
-        fi
-        if [ -f ${S}/profiles/input/input.conf ]; then
-                install -m 0644 ${S}/profiles/input/input.conf ${D}/${sysconfdir}/bluetooth/
-        fi
-
-        if [ -f ${D}/${sysconfdir}/init.d/bluetooth ]; then
-                sed -i -e 's#@LIBEXECDIR@#${libexecdir}#g' ${D}/${sysconfdir}/init.d/bluetooth
+        if [ -f ${D}${sysconfdir}/init.d/bluetooth ]; then
+                sed -i -e 's#@LIBEXECDIR@#${libexecdir}#g' ${D}${sysconfdir}/init.d/bluetooth
         fi
 
         # Install desired tools that upstream leaves in build area
         for f in ${NOINST_TOOLS} ; do
-                install -m 755 ${B}/$f ${D}/${bindir}
+                install -m 755 ${B}/$f ${D}${bindir}
         done
-
-        # Patch python tools to use Python 3; they should be source compatible, but
-        # still refer to Python 2 in the shebang
-        sed -i -e '1s,#!.*python.*,#!${bindir}/python3,' ${D}${libdir}/bluez/test/*
 }
 
 PACKAGES =+ "${PN}-testtools ${PN}-obex ${PN}-noinst-tools"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
deleted file mode 100644
index 618ed734a9..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From f74eb97c9fb3c0ee2895742e773ac6a3c41c999c Mon Sep 17 00:00:00 2001
-From: Giovanni Campagna <gcampagna-cNUdlRotFMnNLxjTenLetw@public.gmane.org>
-Date: Sat, 12 Oct 2013 17:45:25 +0200
-Subject: [PATCH] Allow using obexd without systemd in the user session
-
-Not all sessions run systemd --user (actually, the majority
-doesn't), so the dbus daemon must be able to spawn obexd
-directly, and to do so it needs the full path of the daemon.
-
-Upstream-Status: Denied
-
-Not accepted by upstream maintainer for being a distro specific
-configuration. See thread:
-
-http://thread.gmane.org/gmane.linux.bluez.kernel/38725/focus=38843
-
-Signed-off-by: Javier Viguera <javier.viguera@digi.com>
-
----
- Makefile.obexd                                                | 4 ++--
- .../src/{org.bluez.obex.service => org.bluez.obex.service.in} | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
- rename obexd/src/{org.bluez.obex.service => org.bluez.obex.service.in} (76%)
-
-diff --git a/Makefile.obexd b/Makefile.obexd
-index de59d29..73004a3 100644
---- a/Makefile.obexd
-+++ b/Makefile.obexd
-@@ -1,12 +1,12 @@
- if SYSTEMD
- systemduserunitdir = $(SYSTEMD_USERUNITDIR)
- systemduserunit_DATA = obexd/src/obex.service
-+endif
- 
- dbussessionbusdir = $(DBUS_SESSIONBUSDIR)
- dbussessionbus_DATA = obexd/src/org.bluez.obex.service
--endif
- 
--EXTRA_DIST += obexd/src/obex.service.in obexd/src/org.bluez.obex.service
-+EXTRA_DIST += obexd/src/obex.service.in obexd/src/org.bluez.obex.service.in
- 
- if OBEX
- 
-diff --git a/obexd/src/org.bluez.obex.service b/obexd/src/org.bluez.obex.service.in
-similarity index 76%
-rename from obexd/src/org.bluez.obex.service
-rename to obexd/src/org.bluez.obex.service.in
-index a538088..9c815f2 100644
---- a/obexd/src/org.bluez.obex.service
-+++ b/obexd/src/org.bluez.obex.service.in
-@@ -1,4 +1,4 @@
- [D-BUS Service]
- Name=org.bluez.obex
--Exec=/bin/false
-+Exec=@libexecdir@/obexd
- SystemdService=dbus-org.bluez.obex.service
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-bluez5-disable-aics-tests.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-bluez5-disable-aics-tests.patch
new file mode 100644
index 0000000000..3f01843ea3
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-bluez5-disable-aics-tests.patch
@@ -0,0 +1,40 @@
+From 182545f2504255d67d9ec2071fd5c82ab53c5a2e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Gu=C3=B0ni=20M=C3=A1r=20Gilbert?= <gudni.m.g@gmail.com>
+Date: Sun, 30 Mar 2025 02:20:24 +0000
+Subject: [PATCH] bluez5: disable aics tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Temporarily disable aics tests as they can fail
+depending on how the tests are executed. Sometimes they pass,
+sometimes they fail. The issue has been observed since BlueZ 5.72 to 5.80
+
+Starting with BlueZ 5.80, the tests began failing when using the
+ptest-runner script. This is not a new issue in BlueZ 5.80 which is
+why the test is disabled with this commit until a solution is found.
+
+See discussion on Github:
+https://github.com/bluez/bluez/issues/726
+https://github.com/bluez/bluez/issues/683
+
+Upstream-Status: Inappropriate [OE-Specific]
+
+Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
+---
+ unit/test-vcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unit/test-vcp.c b/unit/test-vcp.c
+index 6a61ea2..04b92e4 100644
+--- a/unit/test-vcp.c
++++ b/unit/test-vcp.c
+@@ -2754,7 +2754,7 @@ int main(int argc, char *argv[])
+        tester_init(&argc, &argv);
+ 
+        test_vocs_unit_testcases();
+-       test_aics_unit_testcases();
++       //test_aics_unit_testcases();
+ 
+        return tester_run();
+ }
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch
deleted file mode 100644
index e90b6a546f..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 61e741654cc2eb167bca212a3bb2ba8f3ba280c1 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu@windriver.com>
-Date: Fri, 24 Aug 2018 12:04:03 +0800
-Subject: [PATCH] test-gatt: Fix hung issue
-
-The below test hangs infinitely
-$ unit/test-gatt -p  /robustness/unkown-request -d
-/robustness/unkown-request - init
-/robustness/unkown-request - setup
-/robustness/unkown-request - setup complete
-/robustness/unkown-request - run
-  GATT: < 02 17 00                                         ...
-  bt_gatt_server:MTU exchange complete, with MTU: 23
-  GATT: > 03 00 02                                         ...
-  PDU: = 03 00 02                                         ...
-  GATT: < bf 00
-
-Actually, the /robustness/unkown-request test does
-no action.
-
-Upstream-Status: Submitted [https://marc.info/?l=linux-bluetooth&m=153508881804635&w=2]
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
----
- unit/test-gatt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/unit/test-gatt.c b/unit/test-gatt.c
-index c7e28f8..b57373b 100644
---- a/unit/test-gatt.c
-+++ b/unit/test-gatt.c
-@@ -4463,7 +4463,7 @@ int main(int argc, char *argv[])
-                        test_server, service_db_1, NULL,
-                        raw_pdu(0x03, 0x00, 0x02),
-                        raw_pdu(0xbf, 0x00),
--                       raw_pdu(0x01, 0xbf, 0x00, 0x00, 0x06));
-+                       raw_pdu());
- 
-        define_test_server("/robustness/unkown-command",
-                        test_server, service_db_1, NULL,
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
index 24ddae6b63..a9af56f141 100644
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
@@ -1,4 +1,4 @@
-From 4bdf0f96dcaa945fd29f26d56e5b36d8c23e4c8b Mon Sep 17 00:00:00 2001
+From fa5da30786837b437707cea921056e9c1c22ffba Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Fri, 1 Apr 2016 17:07:34 +0300
 Subject: [PATCH] tests: add a target for building tests without running them
@@ -10,10 +10,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  1 file changed, 3 insertions(+)
 
 diff --git a/Makefile.am b/Makefile.am
-index 1a48a71..ba3b92f 100644
+index 02ad23c..169269d 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -425,6 +425,9 @@ endif
+@@ -722,6 +722,9 @@ endif
  TESTS = $(unit_tests)
  AM_TESTS_ENVIRONMENT = MALLOC_CHECK_=3 MALLOC_PERTURB_=69
  
@@ -23,6 +23,3 @@ index 1a48a71..ba3b92f 100644
  if DBUS_RUN_SESSION
  AM_TESTS_ENVIRONMENT += dbus-run-session --
  endif
--- 
-2.8.0.rc3
-
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.62.bb b/meta/recipes-connectivity/bluez5/bluez5_5.83.bb
index 411ac8b5a3..8af6bdb67e 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.62.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.83.bb
@@ -1,9 +1,8 @@
 require bluez5.inc
 
-SRC_URI[sha256sum] = "38090a5b750e17fc08d3e52178ed8d3254c5f4bd2c48830d5c1955b88e3bc0c2"
+SRC_URI[sha256sum] = "108522d909d220581399bfec93daab62035539ceef3dda3e79970785c63bd24c"
 
-# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2020-24490] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes"
 
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
@@ -33,6 +32,9 @@ NOINST_TOOLS_TESTING ?= " \
     tools/rfcomm-tester \
     tools/bnep-tester \
     tools/userchan-tester \
+    tools/iso-tester \
+    tools/mesh-tester \
+    tools/ioctl-tester \
 "
 
 # noinst programs in Makefile.tools that are conditional on TOOLS
@@ -42,11 +44,11 @@ NOINST_TOOLS_BT ?= " \
     tools/avinfo \
     tools/avtest \
     tools/scotest \
-    tools/amptest \
     tools/hwdb \
     tools/hcieventmask \
     tools/hcisecfilter \
     tools/btinfo \
+    tools/btconfig \
     tools/btsnoop \
     tools/btproxy \
     tools/btiotest \
@@ -57,6 +59,8 @@ NOINST_TOOLS_BT ?= " \
     tools/advtest \
     tools/seq2bseq \
     tools/nokfw \
+    tools/rtlfw \
+    tools/bcmfw \
     tools/create-image \
     tools/eddystone \
     tools/ibeacon \
@@ -66,5 +70,5 @@ NOINST_TOOLS_BT ?= " \
     tools/check-selftest \
     tools/gatt-service \
     profiles/iap/iapd \
-    ${@bb.utils.contains('PACKAGECONFIG', 'btpclient', 'tools/btpclient', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'btpclient', 'tools/btpclient tools/btpclientctl', '', d)} \
 "
diff --git a/meta/recipes-connectivity/connman/connman-conf.bb b/meta/recipes-connectivity/connman/connman-conf.bb
index 006f976997..854e1f1f29 100644
--- a/meta/recipes-connectivity/connman/connman-conf.bb
+++ b/meta/recipes-connectivity/connman/connman-conf.bb
@@ -1,36 +1,20 @@
-SUMMARY = "Connman config to setup wired interface on qemu machines"
-DESCRIPTION = "This is the ConnMan configuration to set up a Wired \
-network interface for a qemu machine."
-LICENSE = "GPLv2"
+SUMMARY = "Connman config to ignore wired interface on qemu machines"
+DESCRIPTION = "This is the ConnMan configuration to avoid touching wired \
+network interface inside qemu machines."
+LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
 
-inherit systemd
+SRC_URI = "file://main.conf \
+          "
 
-SRC_URI:append:qemuall = " file://wired.config \
-                           file://wired-setup \
-                           file://wired-connection.service \
-"
-PR = "r2"
-
-S = "${WORKDIR}"
+S = "${UNPACKDIR}"
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
-FILES:${PN} = "${localstatedir}/* ${datadir}/*"
+FILES:${PN} = "${sysconfdir}/*"
 
-do_install() {
-    #Configure Wired network interface in case of qemu* machines
-    if test -e ${WORKDIR}/wired.config &&
-       test -e ${WORKDIR}/wired-setup &&
-       test -e ${WORKDIR}/wired-connection.service; then
-        install -d ${D}${localstatedir}/lib/connman
-        install -m 0644 ${WORKDIR}/wired.config ${D}${localstatedir}/lib/connman
-        install -d ${D}${datadir}/connman
-        install -m 0755 ${WORKDIR}/wired-setup ${D}${datadir}/connman
-        install -d ${D}${systemd_system_unitdir}
-        install -m 0644 ${WORKDIR}/wired-connection.service ${D}${systemd_system_unitdir}
-        sed -i -e 's|@SCRIPTDIR@|${datadir}/connman|g' ${D}${systemd_system_unitdir}/wired-connection.service
-    fi
+# Kernel IP-Config is perfectly capable of setting up networking passed in via ip=
+do_install:append:qemuall() {
+    mkdir -p ${D}${sysconfdir}/connman
+    cp ${S}/main.conf ${D}${sysconfdir}/connman/main.conf
 }
-
-SYSTEMD_SERVICE:${PN}:qemuall = "wired-connection.service"
diff --git a/meta/recipes-connectivity/connman/connman-conf/main.conf b/meta/recipes-connectivity/connman/connman-conf/main.conf
new file mode 100644
index 0000000000..3c9dd396f6
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman-conf/main.conf
@@ -0,0 +1,2 @@
+[General]
+NetworkInterfaceBlacklist = eth,en
diff --git a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-connection.service b/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-connection.service
deleted file mode 100644
index 48adfc08ac..0000000000
--- a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-connection.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Setup a wired interface
-Before=connman.service
-
-[Service]
-Type=oneshot
-ExecStart=@SCRIPTDIR@/wired-setup
-
-[Install]
-WantedBy=network.target
diff --git a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-setup b/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-setup
deleted file mode 100644
index c46899ef32..0000000000
--- a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-setup
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-
-CONFIGF=/var/lib/connman/wired.config
-
-# Extract wired network config from /proc/cmdline
-NET_CONF=`cat /proc/cmdline |sed -ne 's/^.*ip=\([^ ]*\):\([^ ]*\):\([^ ]*\):\([^ ]*\).*$/\1\/\4\/\3/p'`
-
-# Check if eth0 is already set via kernel cmdline
-if [ "x$NET_CONF" = "x" ]; then
-        # Wired interface is not configured via kernel cmdline
-        # Remove connman config file template
-        rm -f ${CONFIGF}
-else
-        # Setup a connman config accordingly
-        sed -i -e "s|^IPv4 =.*|IPv4 = ${NET_CONF}|" ${CONFIGF}
-fi
diff --git a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired.config b/meta/recipes-connectivity/connman/connman-conf/qemuall/wired.config
deleted file mode 100644
index 42998ce897..0000000000
--- a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired.config
+++ /dev/null
@@ -1,9 +0,0 @@
-[global]
-Name = Wired
-Description = Wired network configuration
-
-[service_ethernet]
-Type = ethernet
-IPv4 =
-MAC = 52:54:00:12:34:56
-Nameservers = 8.8.8.8
diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
index 55c687968f..8bfc1540b3 100644
--- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
+++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
@@ -1,7 +1,7 @@
 SUMMARY = "GTK+ frontend for the ConnMan network connection manager"
 HOMEPAGE = "http://connman.net/"
 SECTION = "libs/network"
-LICENSE = "GPLv2 & LGPLv2.1"
+LICENSE = "GPL-2.0-only & LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
                     file://properties/main.c;beginline=1;endline=20;md5=50c77c81871308b033ab7a1504626afb \
                     file://common/connman-dbus.c;beginline=1;endline=20;md5=de6b485c0e717a0236402d220187717a"
@@ -10,7 +10,7 @@ DEPENDS = "gtk+3 dbus-glib dbus-glib-native intltool-native gettext-native"
 
 # 0.7 tag
 SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143"
-SRC_URI = "git://github.com/connectivity/connman-gnome.git \
+SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protocol=https \
            file://0001-Removed-icon-from-connman-gnome-about-applet.patch \
            file://null_check_for_ipv4_config.patch \
            file://images/ \
@@ -18,13 +18,15 @@ SRC_URI = "git://github.com/connectivity/connman-gnome.git \
            file://0001-Port-to-Gtk3.patch \
           "
 
-S = "${WORKDIR}/git"
-
 inherit autotools-brokensep gtk-icon-cache pkgconfig features_check
 ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"
 
 RDEPENDS:${PN} = "connman"
 
 do_install:append() {
-    install -m 0644 ${WORKDIR}/images/* ${D}/usr/share/icons/hicolor/22x22/apps/
+    install -m 0644 ${UNPACKDIR}/images/* ${D}/usr/share/icons/hicolor/22x22/apps/
 }
+
+# http://errors.yoctoproject.org/Errors/Details/766926/
+# connman-client.c:200:15: error: assignment to 'GtkTreeModel *' {aka 'struct _GtkTreeModel *'} from incompatible pointer type 'GtkTreeStore *' {aka 'struct _GtkTreeStore *'} [-Wincompatible-pointer-types]
+CFLAGS += "-Wno-error=incompatible-pointer-types"
diff --git a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch b/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch
deleted file mode 100644
index 8e2e0bd02d..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9f70b94ebf18f52c115634642652830fa77f27a1 Mon Sep 17 00:00:00 2001
-From: "Maxin B. John" <maxin.john@intel.com>
-Date: Mon, 12 Jun 2017 16:52:39 +0300
-Subject: [PATCH] connman.service: stop systemd-resolved when we use connman
-
-Stop systemd-resolved service when we use connman as network manager.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
----
- src/connman.service.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/connman.service.in b/src/connman.service.in
-index 9f5c10f..dab48bc 100644
---- a/src/connman.service.in
-+++ b/src/connman.service.in
-@@ -6,6 +6,7 @@ RequiresMountsFor=@localstatedir@/lib/connman
- After=dbus.service network-pre.target systemd-sysusers.service
- Before=network.target multi-user.target shutdown.target
- Wants=network.target
-+Conflicts=systemd-resolved.service
- 
- [Service]
- Type=dbus
--- 
-2.4.0
-
diff --git a/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch b/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch
deleted file mode 100644
index e6f03e632e..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 4ddaf78dad5a9ee4a0658235f71b75132192123e Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sat, 7 Apr 2012 18:52:12 -0700
-Subject: [PATCH] plugin.h: Change visibility to default for debug symbols
-
-gold refuses to link in undefined weak symbols which
-have hidden visibility
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
-
-Upstream-Status: Pending
----
- include/plugin.h |    4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/include/plugin.h b/include/plugin.h
-index 692a4e5..a9361c3 100644
---- a/include/plugin.h
-+++ b/include/plugin.h
-@@ -89,9 +89,9 @@ struct connman_plugin_desc {
- #else
- #define CONNMAN_PLUGIN_DEFINE(name, description, version, priority, init, exit) \
-                extern struct connman_debug_desc __start___debug[] \
--                               __attribute__ ((weak, visibility("hidden"))); \
-+                               __attribute__ ((weak, visibility("default"))); \
-                extern struct connman_debug_desc __stop___debug[] \
--                               __attribute__ ((weak, visibility("hidden"))); \
-+                               __attribute__ ((weak, visibility("default"))); \
-                extern struct connman_plugin_desc connman_plugin_desc \
-                                __attribute__ ((visibility("default"))); \
-                struct connman_plugin_desc connman_plugin_desc = { \
--- 
-1.7.5.4
-
diff --git a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
index 9dca21a02f..2c612039ee 100644
--- a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
+++ b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
@@ -1,83 +1,85 @@
-From 01974865e4d331eeaf25248bee1bb96539c450d9 Mon Sep 17 00:00:00 2001
+From 4e726a5aaa75d60fab6a56bc37dbec48be53ff79 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Mon, 6 Apr 2015 23:02:21 -0700
-Subject: [PATCH] resolve: musl does not implement res_ninit
+Subject: [PATCH] gweb/gresolv.c: make use of res_ninit optional and subject to
+ __RES
 
-ported from
+Not all libc implementation have those functions, and the way to determine
+if they do is to check __RES which is explained in resolv.h thusly:
+
+/*
+ * Revision information.  This is the release date in YYYYMMDD format.
+ * It can change every day so the right thing to do with it is use it
+ * in preprocessor commands such as "#if (__RES > 19931104)".  Do not
+ * compare for equality; rather, use it to determine whether your resolver
+ * is new enough to contain a certain feature.
+ */
+
+Indeed, it needs to be at least 19991006.
+
+The portion of the patch that implements a fallback is ported from
+Alpine Linux:
 http://git.alpinelinux.org/cgit/aports/plain/testing/connman/libresolv.patch
 
-Upstream-Status: Pending
+Upstream-Status: Submitted [to connman@lists.linux.dev,marcel@holtmann.org]
 
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
 ---
- gweb/gresolv.c | 34 +++++++++++++---------------------
- 1 file changed, 13 insertions(+), 21 deletions(-)
+ gweb/gresolv.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
 
 diff --git a/gweb/gresolv.c b/gweb/gresolv.c
-index 954e7cf..2a9bc51 100644
+index 8101d71..9f1477c 100644
 --- a/gweb/gresolv.c
 +++ b/gweb/gresolv.c
-@@ -36,6 +36,7 @@
- #include <arpa/inet.h>
- #include <arpa/nameser.h>
- #include <net/if.h>
-+#include <ctype.h>
- 
- #include "gresolv.h"
- 
-@@ -878,8 +879,6 @@ GResolv *g_resolv_new(int index)
+@@ -879,7 +879,9 @@ GResolv *g_resolv_new(int index)
         resolv->index = index;
         resolv->nameserver_list = NULL;
  
--       res_ninit(&resolv->res);
--
++#if (__RES >= 19991006)
+        res_ninit(&resolv->res);
++#endif
+ 
         return resolv;
  }
- 
-@@ -919,8 +918,6 @@ void g_resolv_unref(GResolv *resolv)
+@@ -920,7 +922,9 @@ void g_resolv_unref(GResolv *resolv)
  
         flush_nameservers(resolv);
  
--       res_nclose(&resolv->res);
--
++#if (__RES >= 19991006)
+        res_nclose(&resolv->res);
++#endif
+ 
         g_free(resolv);
  }
- 
-@@ -1023,24 +1020,19 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
+@@ -1024,6 +1028,7 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
         debug(resolv, "hostname %s", hostname);
  
         if (!resolv->nameserver_list) {
--               int i;
--
--               for (i = 0; i < resolv->res.nscount; i++) {
--                       char buf[100];
--                       int family = resolv->res.nsaddr_list[i].sin_family;
--                       void *sa_addr = &resolv->res.nsaddr_list[i].sin_addr;
--
--                       if (family != AF_INET &&
--                                       resolv->res._u._ext.nsaddrs[i]) {
--                               family = AF_INET6;
--                               sa_addr = &resolv->res._u._ext.nsaddrs[i]->sin6_addr;
-+               FILE *f = fopen("/etc/resolv.conf", "r");
-+               if (f) {
-+                       char line[256], *s;
-+                       int i;
-+                       while (fgets(line, sizeof(line), f)) {
-+                               if (strncmp(line, "nameserver", 10) || !isspace(line[10]))
-+                                       continue;
-+                               for (s = &line[11]; isspace(s[0]); s++);
-+                               for (i = 0; s[i] && !isspace(s[i]); i++);
-+                               s[i] = 0;
-+                               g_resolv_add_nameserver(resolv, s, 53, 0);
-                        }
--
--                       if (family != AF_INET && family != AF_INET6)
--                               continue;
--
--                       if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
--                               g_resolv_add_nameserver(resolv, buf, 53, 0);
-+                       fclose(f);
++#if (__RES >= 19991006)
+                int i;
+ 
+                for (i = 0; i < resolv->res.nscount; i++) {
+@@ -1043,6 +1048,22 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
+                        if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
+                                g_resolv_add_nameserver(resolv, buf, 53, 0);
                 }
++#else
++                FILE *f = fopen("/etc/resolv.conf", "r");
++                if (f) {
++                        char line[256], *s;
++                        int i;
++                        while (fgets(line, sizeof(line), f)) {
++                                if (strncmp(line, "nameserver", 10) || !isspace(line[10]))
++                                        continue;
++                                for (s = &line[11]; isspace(s[0]); s++);
++                                for (i = 0; s[i] && !isspace(s[i]); i++);
++                                s[i] = 0;
++                                g_resolv_add_nameserver(resolv, s, 53, 0);
++                        }
++                        fclose(f);
++                }
++#endif
  
                 if (!resolv->nameserver_list)
+                        g_resolv_add_nameserver(resolv, "127.0.0.1", 53, 0);
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
new file mode 100644
index 0000000000..62f07e707a
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
@@ -0,0 +1,41 @@
+From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
+From: Yoonje Shin <ioerts@kookmin.ac.kr>
+Date: Mon, 12 May 2025 10:48:18 +0200
+Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
+
+In Connman parse_rr in dnsproxy.c has a memcpy length
+that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
+and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
+than the amount of remaining packet data in the current state of
+parsing. As a result, values of stack memory locations may be sent
+over the network in a response.
+
+This patch adds a check to ensure that (*end + *rdlen) does not exceed
+the valid range. If the condition is violated, the function returns
+-EINVAL.
+
+CVE: CVE-2025-32366
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 7ee26d9..1dd2f7f 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start,
+        if ((offset + *rdlen) > *response_size)
+                return -ENOBUFS;
+
++       if ((*end + *rdlen) > max)
++               return -EINVAL;
++
+        memcpy(response + offset, *end, *rdlen);
+
+        *end += *rdlen;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
new file mode 100644
index 0000000000..c114589679
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
@@ -0,0 +1,48 @@
+From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
+From: Praveen Kumar <praveen.kumar@windriver.com>
+Date: Thu, 24 Apr 2025 11:39:29 +0000
+Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
+
+In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
+can be NULL or an empty string when the TC (Truncated) bit is set in
+a DNS response. This allows attackers to cause a denial of service
+(application crash) or possibly execute arbitrary code, because those
+lookup values lead to incorrect length calculations and incorrect
+memcpy operations.
+
+This patch includes a check to make sure loookup value is valid before
+using it. This helps avoid unexpected value when the input is empty or
+incorrect.
+
+Fixes: CVE-2025-32743
+
+CVE: CVE-2025-32743
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index f28a5d7..7ee26d9 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
+                                gpointer request, gpointer name)
+ {
+        int sk = -1;
++       int err;
+        const char *lookup = (const char *)name;
+-       int err = ns_try_resolv_from_cache(req, request, lookup);
++
++       if (!lookup || strlen(lookup) == 0)
++               return -EINVAL;
++
++       err = ns_try_resolv_from_cache(req, request, lookup);
+
+        if (err > 0)
+                /* cache hit */
+--
+2.40.0
diff --git a/meta/recipes-connectivity/connman/connman/connman b/meta/recipes-connectivity/connman/connman/connman
index c64fa0d715..adb5d44fed 100644
--- a/meta/recipes-connectivity/connman/connman/connman
+++ b/meta/recipes-connectivity/connman/connman/connman
@@ -10,53 +10,15 @@ fi
 
 set -e
 
-nfsroot=0
-
-exec 9<&0 < /proc/mounts
-while read dev mtpt fstype rest; do
-        if test $mtpt = "/" ; then
-                case $fstype in
-                    nfs | nfs4)
-                        nfsroot=1
-                        break
-                        ;;
-                    *)
-                        ;;
-                esac
-        fi
-done
-
 do_start() {
-        EXTRA_PARAM=""
-        if test $nfsroot -eq 1 ; then
-            NET_DEVS=`cat /proc/net/dev | sed -ne 's/^\([a-zA-Z0-9 ]*\):.*$/\1/p'`
-            NET_ADDR=`cat /proc/cmdline | sed -ne 's/^.*ip=\([^ :]*\).*$/\1/p'`
-
-            if [ ! -z "$NET_ADDR" ]; then
-                if [ "$NET_ADDR" = dhcp ]; then
-                    ethn=`ifconfig | grep "^eth" | sed -e "s/\(eth[0-9]\)\(.*\)/\1/"`
-                    if [ ! -z "$ethn" ]; then
-                        EXTRA_PARAM="-I $ethn"
-                    fi
-                else
-                    for i in $NET_DEVS; do
-                        ADDR=`ifconfig $i | sed 's/addr://g' | sed -ne 's/^.*inet \([0-9.]*\) .*$/\1/p'`
-                        if [ "$NET_ADDR" = "$ADDR" ]; then
-                            EXTRA_PARAM="-I $i"
-                            break
-                        fi
-                    done
-                fi
-            fi
-        fi
         if [ -f @DATADIR@/connman/wired-setup ] ; then
                 . @DATADIR@/connman/wired-setup
         fi
-        $DAEMON $EXTRA_PARAM
+        $DAEMON
 }
 
 do_stop() {
-        start-stop-daemon --stop --name connmand --quiet
+        start-stop-daemon --stop --oknodo --name connmand --quiet
 }
 
 case "$1" in
diff --git a/meta/recipes-connectivity/connman/connman/no-version-scripts.patch b/meta/recipes-connectivity/connman/connman/no-version-scripts.patch
deleted file mode 100644
index e96e38bcf9..0000000000
--- a/meta/recipes-connectivity/connman/connman/no-version-scripts.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-With binutils 2.27 on at least MIPS, connmand will crash on startup.  This
-appears to be due to the symbol visibilty scripts hiding symbols that stdio
-looks up at runtime, resulting in it segfaulting.
-
-This certainly appears to be a bug in binutils 2.27 although the problem has
-been known about for some time:
-
-https://sourceware.org/bugzilla/show_bug.cgi?id=17908
-
-As the version scripts are only used to hide symbols from plugins we can safely
-remove the scripts to work around the problem until binutils is fixed.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/Makefile.am b/Makefile.am
-index d70725c..76ae432 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -132,2 +132 @@ src_connmand_LDADD = gdbus/libgdbus-internal.la $(builtin_libadd) \
--src_connmand_LDFLAGS = -Wl,--export-dynamic \
--                               -Wl,--version-script=$(srcdir)/src/connman.ver
-+src_connmand_LDFLAGS = -Wl,--export-dynamic
-@@ -166,2 +165 @@ vpn_connman_vpnd_LDADD = gdbus/libgdbus-internal.la $(builtin_vpn_libadd) \
--vpn_connman_vpnd_LDFLAGS = -Wl,--export-dynamic \
--                               -Wl,--version-script=$(srcdir)/vpn/vpn.ver
-+vpn_connman_vpnd_LDFLAGS = -Wl,--export-dynamic
diff --git a/meta/recipes-connectivity/connman/connman_1.40.bb b/meta/recipes-connectivity/connman/connman_1.40.bb
deleted file mode 100644
index edb23a1267..0000000000
--- a/meta/recipes-connectivity/connman/connman_1.40.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-require connman.inc
-
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
-           file://0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch \
-           file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \
-           file://connman \
-           file://no-version-scripts.patch \
-           "
-
-SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
-
-SRC_URI[sha256sum] = "1a57ae7ce234aa3a1744aac3be5c2121d98dce999440ef8ab9cc4edfd5edcb12"
-
-RRECOMMENDS:${PN} = "connman-conf"
-RCONFLICTS:${PN} = "networkmanager"
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman_1.44.bb
index 748eefa748..1b0fbe438c 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman_1.44.bb
@@ -7,9 +7,8 @@ It is a fully modular system that can be extended, through plug-ins, \
 to support all kinds of wired or wireless technologies. Also, \
 configuration methods, like DHCP and domain name resolving, are \
 implemented using plug-ins."
-HOMEPAGE = "http://connman.net/"
-BUGTRACKER = "https://01.org/jira/browse/CM"
-LICENSE  = "GPLv2"
+HOMEPAGE = "https://web.git.kernel.org/pub/scm/network/connman/connman.git/about/"
+LICENSE  = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
                     file://src/main.c;beginline=1;endline=20;md5=486a279a6ab0c8d152bcda3a5b5edc36"
 
@@ -17,21 +16,42 @@ inherit autotools pkgconfig systemd update-rc.d update-alternatives
 
 CVE_PRODUCT = "connman connection_manager"
 
-DEPENDS  = "dbus glib-2.0 ppp"
+DEPENDS  = "dbus glib-2.0"
+
+SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
+           file://connman \
+           file://0002-resolve-musl-does-not-implement-res_ninit.patch \
+           file://CVE-2025-32743.patch \
+           file://CVE-2025-32366.patch \
+           "
+
+SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"
+
+RRECOMMENDS:${PN} = "connman-conf"
+RCONFLICTS:${PN} = "networkmanager"
 
 EXTRA_OECONF += "\
-    ac_cv_path_WPASUPPLICANT=${sbindir}/wpa_supplicant \
+    ac_cv_path_IP6TABLES_SAVE=${sbindir}/ip6tables-save \
+    ac_cv_path_IPTABLES_SAVE=${sbindir}/iptables-save \
     ac_cv_path_PPPD=${sbindir}/pppd \
+    ac_cv_path_WPASUPPLICANT=${sbindir}/wpa_supplicant \
     --enable-debug \
     --enable-loopback \
     --enable-ethernet \
     --enable-tools \
     --disable-polkit \
+    --runstatedir='${runtimedir}' \
+    --with-dns-backend='${@bb.utils.contains("DISTRO_FEATURES", "systemd-resolved", "systemd-resolved", "internal", d)}' \
 "
+# For smooth operation it would be best to start only one wireless daemon at a time.
+# If wpa-supplicant is running, connman will use it preferentially.
+# Select either wpa-supplicant or iwd
+WIRELESS_DAEMON ??= "wpa-supplicant"
 
 PACKAGECONFIG ??= "wispr iptables client\
-                   ${@bb.utils.filter('DISTRO_FEATURES', '3g systemd wifi', d)} \
+                   ${@bb.utils.filter('DISTRO_FEATURES', '3g systemd', d)} \
                    ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez', '', d)} \
+                   ${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'wifi ${WIRELESS_DAEMON}', '', d)} \
 "
 
 # If you want ConnMan to support VPN, add following statement into
@@ -39,18 +59,20 @@ PACKAGECONFIG ??= "wispr iptables client\
 # PACKAGECONFIG:append:pn-connman = " openvpn vpnc l2tp pptp"
 
 PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_system_unitdir}/ --with-tmpfilesdir=${sysconfdir}/tmpfiles.d/,--with-systemdunitdir='' --with-tmpfilesdir=''"
-PACKAGECONFIG[wifi] = "--enable-wifi, --disable-wifi, wpa-supplicant, wpa-supplicant"
+PACKAGECONFIG[wifi] = "--enable-wifi, --disable-wifi"
 PACKAGECONFIG[bluez] = "--enable-bluetooth, --disable-bluetooth, bluez5, bluez5"
 PACKAGECONFIG[3g] = "--enable-ofono, --disable-ofono, ofono, ofono"
+PACKAGECONFIG[wpa-supplicant] = ",,wpa-supplicant,wpa-supplicant"
+PACKAGECONFIG[iwd] = "--enable-iwd,--disable-iwd,,iwd"
 PACKAGECONFIG[tist] = "--enable-tist,--disable-tist,"
 PACKAGECONFIG[openvpn] = "--enable-openvpn --with-openvpn=${sbindir}/openvpn,--disable-openvpn,,openvpn"
 PACKAGECONFIG[vpnc] = "--enable-vpnc --with-vpnc=${sbindir}/vpnc,--disable-vpnc,,vpnc"
-PACKAGECONFIG[l2tp] = "--enable-l2tp --with-l2tp=${sbindir}/xl2tpd,--disable-l2tp,,xl2tpd"
-PACKAGECONFIG[pptp] = "--enable-pptp --with-pptp=${sbindir}/pptp,--disable-pptp,,pptp-linux"
+PACKAGECONFIG[l2tp] = "--enable-l2tp --with-l2tp=${sbindir}/xl2tpd,--disable-l2tp,ppp,xl2tpd"
+PACKAGECONFIG[pptp] = "--enable-pptp --with-pptp=${sbindir}/pptp,--disable-pptp,ppp,pptp-linux"
 # WISPr support for logging into hotspots, requires TLS
 PACKAGECONFIG[wispr] = "--enable-wispr,--disable-wispr,gnutls,"
-PACKAGECONFIG[nftables] = "--with-firewall=nftables ,,libmnl libnftnl,,kernel-module-nf-tables kernel-module-nft-chain-nat-ipv4 kernel-module-nft-chain-route-ipv4 kernel-module-nft-masq-ipv4 kernel-module-nft-nat"
-PACKAGECONFIG[iptables] = "--with-firewall=iptables ,,iptables,iptables"
+PACKAGECONFIG[nftables] = "--with-firewall=nftables ,,libmnl libnftnl,,kernel-module-nf-tables kernel-module-nft-chain-nat-ipv4 kernel-module-nft-chain-route-ipv4 kernel-module-nft-masq-ipv4 kernel-module-nft-nat,iptables"
+PACKAGECONFIG[iptables] = "--with-firewall=iptables,,iptables,,,nftables"
 PACKAGECONFIG[nfc] = "--enable-neard, --disable-neard, neard, neard"
 PACKAGECONFIG[client] = "--enable-client,--disable-client,readline"
 PACKAGECONFIG[wireguard] = "--enable-wireguard,--disable-wireguard,libmnl"
@@ -70,7 +92,7 @@ SYSTEMD_SERVICE:${PN} = "connman.service"
 SYSTEMD_SERVICE:${PN}-vpn = "connman-vpn.service"
 SYSTEMD_SERVICE:${PN}-wait-online = "connman-wait-online.service"
 
-ALTERNATIVE_PRIORITY = "100"
+ALTERNATIVE_PRIORITY = "${@bb.utils.contains('DISTRO_FEATURES','systemd-resolved','10','100',d)}"
 ALTERNATIVE:${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','resolv-conf','',d)}"
 ALTERNATIVE_TARGET[resolv-conf] = "${@bb.utils.contains('DISTRO_FEATURES','systemd','${sysconfdir}/resolv-conf.connman','',d)}"
 ALTERNATIVE_LINK_NAME[resolv-conf] = "${@bb.utils.contains('DISTRO_FEATURES','systemd','${sysconfdir}/resolv.conf','',d)}"
@@ -78,7 +100,7 @@ ALTERNATIVE_LINK_NAME[resolv-conf] = "${@bb.utils.contains('DISTRO_FEATURES','sy
 do_install:append() {
         if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
                 install -d ${D}${sysconfdir}/init.d
-                install -m 0755 ${WORKDIR}/connman ${D}${sysconfdir}/init.d/connman
+                install -m 0755 ${UNPACKDIR}/connman ${D}${sysconfdir}/init.d/connman
                 sed -i s%@DATADIR@%${datadir}% ${D}${sysconfdir}/init.d/connman
         fi
 
@@ -95,10 +117,11 @@ do_install:append() {
         # plugins directory to be present for ownership
         mkdir -p ${D}${libdir}/connman/plugins
 
-    # For read-only filesystem, do not create links during bootup
-    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-        ln -sf ../run/connman/resolv.conf ${D}${sysconfdir}/resolv-conf.connman
-    fi
+        # For read-only filesystem, do not create links during bootup
+        if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+                install -d ${D}${sysconfdir}
+                ln -sf ../run/connman/resolv.conf ${D}${sysconfdir}/resolv-conf.connman
+        fi
 }
 
 # These used to be plugins, but now they are core
@@ -110,10 +133,6 @@ RPROVIDES:${PN} = "\
         ${@bb.utils.contains('PACKAGECONFIG', '3g','connman-plugin-ofono', '', d)} \
         "
 
-RDEPENDS:${PN} = "\
-        dbus \
-        "
-
 PACKAGES_DYNAMIC += "^${PN}-plugin-.*"
 
 def add_rdepends(bb, d, file, pkg, depmap, multilib_prefix, add_insane_skip):
@@ -147,12 +166,13 @@ python populate_packages:prepend() {
 PACKAGES =+ "${PN}-tools ${PN}-tests ${PN}-client"
 
 FILES:${PN}-tools = "${bindir}/wispr"
-RDEPENDS:${PN}-tools ="${PN}"
+RDEPENDS:${PN}-tools = "${PN}"
 
 FILES:${PN}-tests = "${bindir}/*-test"
+RDEPENDS:${PN}-tests = "${@bb.utils.contains('PACKAGECONFIG', 'iptables', 'iptables', '', d)}"
 
 FILES:${PN}-client = "${bindir}/connmanctl"
-RDEPENDS:${PN}-client ="${PN}"
+RDEPENDS:${PN}-client = "${PN}"
 
 FILES:${PN} = "${bindir}/* ${sbindir}/* ${libexecdir}/* ${libdir}/lib*.so.* \
             ${libdir}/connman/plugins \
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.0.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.2.4.bb
index dbad8c8728..bfb24aa58c 100644
--- a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.0.bb
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.2.4.bb
@@ -7,19 +7,19 @@ DESCRIPTION = "dhcpcd runs on your machine and silently configures your \
 HOMEPAGE = "http://roy.marples.name/projects/dhcpcd/"
 
 LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=9674cc803c5d71306941e6e8b5c002f2"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=4dda5beb433a809f2e0aeffbf9da3d91"
 
-UPSTREAM_CHECK_URI = "https://roy.marples.name/downloads/dhcpcd/"
-
-SRC_URI = "https://roy.marples.name/downloads/${BPN}/${BPN}-${PV}.tar.xz \
+SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=master \
            file://0001-remove-INCLUDEDIR-to-prevent-build-issues.patch \
-           file://0002-src-privsep-linux.c-add-support-for-arc-28.patch \
+           file://0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch \
            file://dhcpcd.service \
            file://dhcpcd@.service \
+           file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
            "
 
-SRC_URI[sha256sum] = "41a69297f380bf15ee8f94f73154f8c2bca7157a087c0d5aca8de000ba1d4513"
+SRCREV = "93df2b254caf9639f9ffb66e0fe2b584eeba6220"
 
+# Doesn't use automake so we can't do out-of-tree builds
 inherit pkgconfig autotools-brokensep systemd useradd
 
 SYSTEMD_SERVICE:${PN} = "dhcpcd.service"
@@ -33,8 +33,11 @@ PACKAGECONFIG[ntp] = "--with-hook=ntp, , ,ntp"
 PACKAGECONFIG[chrony] = "--with-hook=ntp, , ,chrony"
 PACKAGECONFIG[ypbind] = "--with-eghook=yp, , ,ypbind-mt"
 
+# add option to override DBDIR location
+DBDIR ?= "${localstatedir}/lib/${BPN}"
+
 EXTRA_OECONF = "--enable-ipv4 \
-                --dbdir=${localstatedir}/lib/${BPN} \
+                --dbdir=${DBDIR} \
                 --sbindir=${base_sbindir} \
                 --runstatedir=/run \
                 --enable-privsep \
@@ -44,15 +47,21 @@ EXTRA_OECONF = "--enable-ipv4 \
                "
 
 USERADD_PACKAGES = "${PN}"
-USERADD_PARAM:${PN} = "--system -d ${localstatedir}/lib/${BPN} -M -s /bin/false -U dhcpcd"
+USERADD_PARAM:${PN} = "--system -d ${DBDIR} -M -s /bin/false -U dhcpcd"
+
+# This isn't autoconf but is instead a configure script that tries to look like
+# autoconf, so just run it directly.
+do_configure() {
+    oe_runconf
+}
 
 do_install:append () {
     # install systemd unit files
     install -d ${D}${systemd_system_unitdir}
-    install -m 0644 ${WORKDIR}/dhcpcd*.service ${D}${systemd_system_unitdir}
+    install -m 0644 ${UNPACKDIR}/dhcpcd*.service ${D}${systemd_system_unitdir}
 
-    chmod 700 ${D}${localstatedir}/lib/${BPN}
-    chown dhcpcd:dhcpcd ${D}${localstatedir}/lib/${BPN}
+    chmod 700 ${D}${DBDIR}
+    chown dhcpcd:dhcpcd ${D}${DBDIR}
 }
 
 FILES:${PN}-dbg += "${libdir}/dhcpcd/dev/.debug"
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
new file mode 100644
index 0000000000..512e33aebf
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
@@ -0,0 +1,79 @@
+From d1581ce103db0a5db0b1761907fff9ddd6b55a8a Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Wed, 9 Nov 2022 16:33:18 +0800
+Subject: [PATCH] 20-resolv.conf: improve the sitation of working with systemd
+
+systemd's resolvconf implementation ignores the protocol part.
+See https://github.com/systemd/systemd/issues/25032.
+
+When using 'dhcp server + dns server + dhcpcd + systemd', we
+get an integration issue, that is dhcpcd runs 'resolvconf -d eth0.ra',
+yet systemd's resolvconf treats it as eth0. This will delete the
+DNS information set by 'resolvconf -a eth0.dhcp'.
+
+Fortunately, 20-resolv.conf has the ability to build the resolv.conf
+file contents itself. We can just pass the generated contents to
+systemd's resolvconf. This way, the DNS information is not incorrectly
+deleted. Also, it does not cause behavior regression for dhcpcd
+in other cases.
+
+Upstream-Status: Inappropriate [OE Specific]
+This patch has been rejected by dhcpcd upstream.
+See details in https://github.com/NetworkConfiguration/dhcpcd/pull/152
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ hooks/20-resolv.conf | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/hooks/20-resolv.conf b/hooks/20-resolv.conf
+index bd0b0df5..9c7721de 100644
+--- a/hooks/20-resolv.conf
++++ b/hooks/20-resolv.conf
+@@ -11,8 +11,12 @@ nocarrier_roaming_dir="$state_dir/roaming"
+ NL="
+ "
+ : ${resolvconf:=resolvconf}
++resolvconf_from_systemd=false
+ if command -v "$resolvconf" >/dev/null 2>&1; then
+        have_resolvconf=true
++       if [ $(basename $(readlink -f $(which $resolvconf))) = resolvectl ]; then
++               resolvconf_from_systemd=true
++       fi
+ else
+        have_resolvconf=false
+ fi
+@@ -69,8 +73,13 @@ build_resolv_conf()
+        else
+                echo "# /etc/resolv.conf.tail can replace this line" >> "$cf"
+        fi
+-       if change_file /etc/resolv.conf "$cf"; then
+-               chmod 644 /etc/resolv.conf
++       if $resolvconf_from_systemd; then
++               [ -n "$ifmetric" ] && export IF_METRIC="$ifmetric"
++               "$resolvconf" -a "$ifname" <"$cf"
++       else
++               if change_file /etc/resolv.conf "$cf"; then
++                       chmod 644 /etc/resolv.conf
++               fi
+        fi
+        rm -f "$cf"
+ }
+@@ -179,7 +188,7 @@ add_resolv_conf()
+        for x in ${new_domain_name_servers}; do
+                conf="${conf}nameserver $x$NL"
+        done
+-       if $have_resolvconf; then
++       if $have_resolvconf && ! $resolvconf_from_systemd; then
+                [ -n "$ifmetric" ] && export IF_METRIC="$ifmetric"
+                printf %s "$conf" | "$resolvconf" -a "$ifname"
+                return $?
+@@ -195,7 +204,7 @@ add_resolv_conf()
+ 
+ remove_resolv_conf()
+ {
+-       if $have_resolvconf; then
++       if $have_resolvconf && ($if_down || ! $resolvconf_from_systemd); then
+                "$resolvconf" -d "$ifname" -f
+        else
+                if [ -e "$resolv_conf_dir/$ifname" ]; then
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch
new file mode 100644
index 0000000000..484b84f94a
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch
@@ -0,0 +1,43 @@
+From e9b1376c59b15e7b03611429187d9d89167154b5 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Fri, 10 Mar 2023 03:48:46 +0000
+Subject: [PATCH] dhcpcd.8: Fix conflict error when enable multilib.
+
+Error: Transaction test error:
+ file /usr/share/man/man8/dhcpcd.8 conflicts between attempted
+ installs of dhcpcd-doc-9.4.1-r0.cortexa57 and
+ lib32-dhcpcd-doc-9.4.1-r0.armv7ahf_neon
+
+The differences between the two files are as follows:
+@@ -821,7 +821,7 @@
+ If you always use the same options, put them here.
+ .It Pa /usr/libexec/dhcpcd-run-hooks
+ Bourne shell script that is run to configure or de-configure an interface.
+-.It Pa /usr/lib64/dhcpcd/dev
++.It Pa /usr/lib/dhcpcd/dev
+ Linux
+ .Pa /dev
+ management modules.
+
+It is just a man file, there is no necessary to manage multiple
+versions.
+
+Upstream-Status: Inappropriate [oe specific]
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ src/dhcpcd.8.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dhcpcd.8.in b/src/dhcpcd.8.in
+index 91fdde2c..b467dc3b 100644
+--- a/src/dhcpcd.8.in
++++ b/src/dhcpcd.8.in
+@@ -826,7 +826,7 @@ Configuration file for dhcpcd.
+ If you always use the same options, put them here.
+ .It Pa @SCRIPT@
+ Bourne shell script that is run to configure or de-configure an interface.
+-.It Pa @LIBDIR@/dhcpcd/dev
++.It Pa /usr/<libdir>/dhcpcd/dev
+ Linux
+ .Pa /dev
+ management modules.
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch b/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch
index 37d2344438..fd3fae7e7e 100644
--- a/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch
@@ -1,4 +1,4 @@
-From aa9e3982c1e75ad49945a62f5e262279c7a905a4 Mon Sep 17 00:00:00 2001
+From c2ebc32112e0cd29390b4dc951b65efae36d607b Mon Sep 17 00:00:00 2001
 From: Stefano Cappa <stefano.cappa.ks89@gmail.com>
 Date: Sun, 13 Jan 2019 01:50:52 +0100
 Subject: [PATCH] remove INCLUDEDIR to prevent build issues
@@ -11,10 +11,10 @@ Signed-off-by: Stefano Cappa <stefano.cappa.ks89@gmail.com>
  1 file changed, 5 deletions(-)
 
 diff --git a/configure b/configure
-index 6c81e0db..32dea2b4 100755
+index a60da137..3673de8b 100755
 --- a/configure
 +++ b/configure
-@@ -20,7 +20,6 @@ BUILD=
+@@ -26,7 +26,6 @@ BUILD=
  HOST=
  HOSTCC=
  TARGET=
@@ -22,7 +22,7 @@ index 6c81e0db..32dea2b4 100755
  DEBUG=
  FORK=
  STATIC=
-@@ -72,7 +71,6 @@ for x do
+@@ -89,7 +88,6 @@ for x do
         --mandir) MANDIR=$var;;
         --datadir) DATADIR=$var;;
         --with-ccopts|CFLAGS) CFLAGS=$var;;
@@ -30,7 +30,7 @@ index 6c81e0db..32dea2b4 100755
         CC) CC=$var;;
         CPPFLAGS) CPPFLAGS=$var;;
         PKG_CONFIG) PKG_CONFIG=$var;;
-@@ -309,9 +307,6 @@ if [ -n "$CPPFLAGS" ]; then
+@@ -346,9 +344,6 @@ if [ -n "$CPPFLAGS" ]; then
         echo "CPPFLAGS=" >>$CONFIG_MK
         echo "CPPFLAGS+=        $CPPFLAGS" >>$CONFIG_MK
  fi
@@ -40,6 +40,3 @@ index 6c81e0db..32dea2b4 100755
  if [ -n "$LDFLAGS" ]; then
         echo "LDFLAGS=" >>$CONFIG_MK
         echo "LDFLAGS+= $LDFLAGS" >>$CONFIG_MK
--- 
-2.17.2 (Apple Git-113)
-
diff --git a/meta/recipes-connectivity/dhcpcd/files/0002-src-privsep-linux.c-add-support-for-arc-28.patch b/meta/recipes-connectivity/dhcpcd/files/0002-src-privsep-linux.c-add-support-for-arc-28.patch
deleted file mode 100644
index 045f06a9aa..0000000000
--- a/meta/recipes-connectivity/dhcpcd/files/0002-src-privsep-linux.c-add-support-for-arc-28.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 82386110e67cf75c224e9817fce55e6b0f143266 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Mon, 8 Feb 2021 07:23:54 +0100
-Subject: [PATCH] src/privsep-linux.c: add support for arc (#28)
-
-Fix the following build failure:
-
-privsep-linux.c:206:4: error: #error "Platform does not support seccomp filter yet"
- #  error "Platform does not support seccomp filter yet"
-    ^~~~~
-In file included from privsep-linux.c:36:
-privsep-linux.c:213:38: error: 'SECCOMP_AUDIT_ARCH' undeclared here (not in a function); did you mean 'SECCOMP_ALLOW_ARG'?
-  BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
-                                      ^~~~~~~~~~~~~~~~~~
-
-It should be noted that AUDIT_ARCH_{ARCOMPACT,ARCV2} is only defined
-since kernel 5.2 and
-https://github.com/torvalds/linux/commit/67f2a8a29311841ba6ab9b0e2d1b8f1e9978cd84
-
-Detection of arc compact and arc v2 have been "copy/pasted" from
-https://github.com/wbx-github/uclibc-ng/commit/afab56958f1cbb47b831ee3ebff231dfbae74af2
-
-Fixes:
- - http://autobuild.buildroot.org/results/d29083700a80dd647621eed06faeeae03f0587d3
-
-Upstream-Status: Backport [https://github.com/NetworkConfiguration/dhcpcd/commit/82386110e67cf75c224e9817fce55e6b0f143266]
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
----
- src/privsep-linux.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/src/privsep-linux.c b/src/privsep-linux.c
-index 402667af..21d41a9a 100644
---- a/src/privsep-linux.c
-+++ b/src/privsep-linux.c
-@@ -149,6 +149,22 @@ ps_root_sendnetlink(struct dhcpcd_ctx *ctx, int protocol, struct msghdr *msg)
- #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386
- #elif defined(__x86_64__)
- #  define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
-+#elif defined(__arc__)
-+#  if defined(__A7__)
-+#    if (BYTE_ORDER == LITTLE_ENDIAN)
-+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACT
-+#    else
-+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCOMPACTBE
-+#    endif
-+#  elif defined(__HS__)
-+#    if (BYTE_ORDER == LITTLE_ENDIAN)
-+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2
-+#    else
-+#      define SECCOMP_AUDIT_ARCH AUDIT_ARCH_ARCV2BE
-+#    endif
-+#  else
-+#    error "Platform does not support seccomp filter yet"
-+#  endif
- #elif defined(__arm__)
- #  ifndef EM_ARM
- #    define EM_ARM 40
--- 
-2.16.2
-
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch
deleted file mode 100644
index 49d319f59d..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 7d39930468e272c740b0eed3c7e5b7fb3abf29e8 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 5 Aug 2020 10:36:22 -0700
-Subject: [PATCH] ftpd,telnetd: Fix multiple definitions of errcatch and not42
-
-This helps fix build failures when -fno-common option is used
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- ftpd/extern.h     | 2 +-
- ftpd/ftpcmd.c     | 1 +
- telnetd/utility.c | 2 +-
- 3 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/ftpd/extern.h b/ftpd/extern.h
-index ab33cf3..91dbbee 100644
---- a/ftpd/extern.h
-+++ b/ftpd/extern.h
-@@ -90,7 +90,7 @@ extern void user (const char *);
- extern char *sgetsave (const char *);
- 
- /* Exported from ftpd.c.  */
--jmp_buf errcatch;
-+extern jmp_buf errcatch;
- extern struct sockaddr_storage data_dest;
- extern socklen_t data_dest_len;
- extern struct sockaddr_storage his_addr;
-diff --git a/ftpd/ftpcmd.c b/ftpd/ftpcmd.c
-index beb1f06..d272e9d 100644
---- a/ftpd/ftpcmd.c
-+++ b/ftpd/ftpcmd.c
-@@ -106,6 +106,7 @@
- #endif
- 
- off_t restart_point;
-+jmp_buf errcatch;
- 
- static char cbuf[512];           /* Command Buffer.  */
- static char *fromname;
-diff --git a/telnetd/utility.c b/telnetd/utility.c
-index e7ffb8e..46bf91e 100644
---- a/telnetd/utility.c
-+++ b/telnetd/utility.c
-@@ -63,7 +63,7 @@ static int ncc;
- static char ptyibuf[BUFSIZ], *ptyip;
- static int pcc;
- 
--int not42;
-+extern int not42;
- 
- static int
- readstream (int p, char *ibuf, int bufsize)
--- 
-2.28.0
-
diff --git a/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch b/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch
deleted file mode 100644
index a91913cb51..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-tftpd: Fix abort on error path
-
-When trying to fetch a non existent file, the app crashes with:
-
-*** buffer overflow detected ***: 
-Aborted
-
-
-Upstream-Status: Submitted [https://www.mail-archive.com/bug-inetutils@gnu.org/msg03036.html https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91205]
-Signed-off-by: Ricardo Ribalda Delgado <ricardo@ribalda.com>
-diff --git a/src/tftpd.c b/src/tftpd.c
-index 56002a0..144012f 100644
---- a/src/tftpd.c
-+++ b/src/tftpd.c
-@@ -864,9 +864,8 @@ nak (int error)
-       pe->e_msg = strerror (error - 100);
-       tp->th_code = EUNDEF;    /* set 'undef' errorcode */
-     }
--  strcpy (tp->th_msg, pe->e_msg);
-   length = strlen (pe->e_msg);
--  tp->th_msg[length] = '\0';
-+  memcpy(tp->th_msg, pe->e_msg, length + 1);
-   length += 5;
-   if (sendto (peer, buf, length, 0, (struct sockaddr *) &from, fromlen) != length)
-     syslog (LOG_ERR, "nak: %m\n");
diff --git a/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch b/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch
deleted file mode 100644
index 603d2baf9d..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From c7c27ba763c613f83c1561e56448b49315c271c5 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Wed, 6 Mar 2019 09:36:11 -0500
-Subject: [PATCH] Upstream:
- http://www.mail-archive.com/bug-inetutils@gnu.org/msg02103.html
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
----
- ping/ping_common.h | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/ping/ping_common.h b/ping/ping_common.h
-index 65e3e60..3e84db0 100644
---- a/ping/ping_common.h
-+++ b/ping/ping_common.h
-@@ -18,10 +18,14 @@
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see `http://www.gnu.org/licenses/'. */
- 
-+#include <config.h>
-+
- #include <netinet/in_systm.h>
- #include <netinet/in.h>
- #include <netinet/ip.h>
-+#ifdef HAVE_IPV6
- #include <netinet/icmp6.h>
-+#endif
- #include <icmp.h>
- #include <error.h>
- #include <progname.h>
-@@ -63,7 +67,12 @@ struct ping_stat
-    want to follow the traditional behaviour of ping.  */
- #define DEFAULT_PING_COUNT 0
- 
-+#ifdef HAVE_IPV6
- #define PING_HEADER_LEN (USE_IPV6 ? sizeof (struct icmp6_hdr) : ICMP_MINLEN)
-+#else
-+#define PING_HEADER_LEN (ICMP_MINLEN)
-+#endif
-+
- #define PING_TIMING(s)  ((s) >= sizeof (struct timeval))
- #define PING_DATALEN    (64 - PING_HEADER_LEN)  /* default data length */
- 
-@@ -78,13 +87,20 @@ struct ping_stat
- 
- #define PING_MIN_USER_INTERVAL (200000/PING_PRECISION)
- 
-+#ifdef HAVE_IPV6
- /* FIXME: Adjust IPv6 case for options and their consumption.  */
- #define _PING_BUFLEN(p, u) ((u)? ((p)->ping_datalen + sizeof (struct icmp6_hdr)) : \
-                                   (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN))
- 
-+#else
-+#define _PING_BUFLEN(p, u) (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN)
-+#endif
-+
-+#ifdef HAVE_IPV6
- typedef int (*ping_efp6) (int code, void *closure, struct sockaddr_in6 * dest,
-                          struct sockaddr_in6 * from, struct icmp6_hdr * icmp,
-                          int datalen);
-+#endif
- 
- typedef int (*ping_efp) (int code,
-                         void *closure,
-@@ -93,13 +109,17 @@ typedef int (*ping_efp) (int code,
-                         struct ip * ip, icmphdr_t * icmp, int datalen);
- 
- union event {
-+#ifdef HAVE_IPV6
-   ping_efp6 handler6;
-+#endif
-   ping_efp handler;
- };
- 
- union ping_address {
-   struct sockaddr_in ping_sockaddr;
-+#ifdef HAVE_IPV6
-   struct sockaddr_in6 ping_sockaddr6;
-+#endif
- };
- 
- typedef struct ping_data PING;
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch
deleted file mode 100644
index 2974bd4f94..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From f7f785c21306010b2367572250b2822df5bc7728 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier at gentoo.org>
-Date: Thu, 18 Nov 2010 16:59:14 -0500
-Subject: [PATCH] printf-parse: pull in features.h for __GLIBC__
-
-Upstream-Status: Pending
-
-Signed-off-by: Mike Frysinger <vapier at gentoo.org>
-
----
- lib/printf-parse.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/lib/printf-parse.h b/lib/printf-parse.h
-index e7d0f82..d7b4534 100644
---- a/lib/printf-parse.h
-+++ b/lib/printf-parse.h
-@@ -28,6 +28,9 @@
- 
- #include "printf-args.h"
- 
-+#ifdef HAVE_FEATURES_H
-+# include <features.h> /* for __GLIBC__ */
-+#endif
- 
- /* Flags */
- #define FLAG_GROUP       1      /* ' flag */
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch
deleted file mode 100644
index 1ef7e21073..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 9089c6eafbf5903174dce87b68476e35db80beb9 Mon Sep 17 00:00:00 2001
-From: Martin Jansa <martin.jansa@gmail.com>
-Date: Wed, 6 Mar 2019 09:36:11 -0500
-Subject: [PATCH] inetutils: Import version 1.9.4
-
-Upstream-Status: Pending
-
----
- lib/wchar.in.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/lib/wchar.in.h b/lib/wchar.in.h
-index cdda680..043866a 100644
---- a/lib/wchar.in.h
-+++ b/lib/wchar.in.h
-@@ -77,6 +77,9 @@
- /* The include_next requires a split double-inclusion guard.  */
- #if @HAVE_WCHAR_H@
- # @INCLUDE_NEXT@ @NEXT_WCHAR_H@
-+#else
-+# include <stddef.h>
-+# define MB_CUR_MAX 1
- #endif
- 
- #undef _GL_ALREADY_INCLUDING_WCHAR_H
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch
deleted file mode 100644
index 460ddf9830..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 101130f422dd5c01a1459645d7b2a5b8d19720ab Mon Sep 17 00:00:00 2001
-From: Martin Jansa <martin.jansa@gmail.com>
-Date: Wed, 6 Mar 2019 09:36:11 -0500
-Subject: [PATCH] inetutils: define PATH_PROCNET_DEV if not already defined
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-this prevents the following compilation error :
-system/linux.c:401:15: error: 'PATH_PROCNET_DEV' undeclared (first use in this function)
-
-this patch comes from :
- http://repository.timesys.com/buildsources/i/inetutils/inetutils-1.9/
-
-Upstream-Status: Inappropriate [not author]
-
-Signed-of-by: Eric Bénard <eric@eukrea.com>
-
----
- ifconfig/system/linux.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/ifconfig/system/linux.c b/ifconfig/system/linux.c
-index e453b46..4268ca9 100644
---- a/ifconfig/system/linux.c
-+++ b/ifconfig/system/linux.c
-@@ -53,6 +53,10 @@
- #include "../ifconfig.h"
- 
- 
-+#ifndef PATH_PROCNET_DEV
-+  #define PATH_PROCNET_DEV "/proc/net/dev"
-+#endif
-+
- /* ARPHRD stuff.  */
- 
- static void
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch
deleted file mode 100644
index 2343c03cb4..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From cc66e842e037fba9f06761f942abe5c4856492b8 Mon Sep 17 00:00:00 2001
-From: Kai Kang <kai.kang@windriver.com>
-Date: Wed, 6 Mar 2019 09:36:11 -0500
-Subject: [PATCH] inetutils: Import version 1.9.4
-
-Only check security/pam_appl.h which is provided by package libpam when pam is
-enabled.
-
-Upstream-Status: Pending
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
----
- configure.ac | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 5e16c3a..18510a8 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -182,6 +182,19 @@ AC_SUBST(LIBUTIL)
- 
- # See if we have libpam.a.  Investigate PAM versus Linux-PAM.
- if test "$with_pam" = yes ; then
-+  AC_CHECK_HEADERS([security/pam_appl.h], [], [], [
-+#include <sys/types.h>
-+#ifdef HAVE_NETINET_IN_SYSTM_H
-+# include <netinet/in_systm.h>
-+#endif
-+#include <netinet/in.h>
-+#ifdef HAVE_NETINET_IP_H
-+# include <netinet/ip.h>
-+#endif
-+#ifdef HAVE_SYS_PARAM_H
-+# include <sys/param.h>
-+#endif
-+])
-   AC_CHECK_LIB(dl, dlopen, LIBDL=-ldl)
-   AC_CHECK_LIB(pam, pam_authenticate, LIBPAM=-lpam)
-   if test "$ac_cv_lib_pam_pam_authenticate" = yes ; then
-@@ -617,7 +630,7 @@ AC_HEADER_DIRENT
- AC_CHECK_HEADERS([arpa/nameser.h arpa/tftp.h fcntl.h features.h \
-                  glob.h memory.h netinet/ether.h netinet/in_systm.h \
-                  netinet/ip.h netinet/ip_icmp.h netinet/ip_var.h \
--                 security/pam_appl.h shadow.h \
-+                 shadow.h \
-                  stropts.h sys/tty.h \
-                  sys/utsname.h sys/ptyvar.h sys/msgbuf.h sys/filio.h \
-                  sys/ioctl_compat.h sys/cdefs.h sys/stream.h sys/mkdev.h \
diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.2.bb b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
index 3bab137eb4..6e03195f2d 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_2.2.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.6.bb
@@ -1,3 +1,4 @@
+SUMMARY = "The GNU inetutils are a collection of common networking utilities and servers."
 DESCRIPTION = "The GNU inetutils are a collection of common \
 networking utilities and servers including ftp, ftpd, rcp, \
 rexec, rlogin, rlogind, rsh, rshd, syslog, syslogd, talk, \
@@ -6,29 +7,21 @@ HOMEPAGE = "http://www.gnu.org/software/inetutils"
 SECTION = "net"
 DEPENDS = "ncurses netbase readline virtual/crypt"
 
-LICENSE = "GPLv3"
+LICENSE = "GPL-3.0-only"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=0c7051aef9219dc7237f206c5c4179a7"
 
-SRC_URI[sha256sum] = "d547f69172df73afef691a0f7886280fd781acea28def4ff4b4b212086a89d80"
+SRC_URI[sha256sum] = "68bedbfeaf73f7d86be2a7d99bcfbd4093d829f52770893919ae174c0b2357ca"
 SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
-           file://inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch \
-           file://inetutils-1.8-0003-wchar.patch \
-           file://rexec.xinetd.inetutils  \
+           file://rexec.xinetd.inetutils \
            file://rlogin.xinetd.inetutils \
            file://rsh.xinetd.inetutils \
            file://telnet.xinetd.inetutils \
            file://tftpd.xinetd.inetutils \
-           file://inetutils-1.9-PATH_PROCNET_DEV.patch \
-           file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
-"
+           "
 
 inherit autotools gettext update-alternatives texinfo
 
-acpaths = "-I ./m4"
-
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', '', 'file://fix-disable-ipv6.patch', d)}"
-
 PACKAGECONFIG ??= "ftp uucpd \
                    ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
                    ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6 ping6', '', d)} \
@@ -40,21 +33,33 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6 gl_cv_socket_ipv6=no,"
 PACKAGECONFIG[ping6] = "--enable-ping6,--disable-ping6,"
 
 EXTRA_OECONF = "--with-ncurses-include-dir=${STAGING_INCDIR} \
-        inetutils_cv_path_login=${base_bindir}/login \
         --with-libreadline-prefix=${STAGING_LIBDIR} \
         --enable-rpath=no \
-"
+        --with-path-login=${base_bindir}/login \
+        --with-path-cp=${base_bindir}/cp \
+        --with-path-uucico=${libexecdir}/uuico \
+        --with-path-procnet-dev=/proc/net/dev \
+        "
+
+EXTRA_OECONF:append:libc-musl = " --with-path-utmpx=/dev/null/utmpx --with-path-wtmpx=/dev/null/wtmpx"
 
 # These are horrible for security, disable them
 EXTRA_OECONF:append = " --disable-rsh --disable-rshd --disable-rcp \
         --disable-rlogin --disable-rlogind --disable-rexec --disable-rexecd"
 
+# The configure script guesses many paths in cross builds, check for this happening
+do_configure_cross_check() {
+    if grep "may be incorrect because of cross-compilation" ${B}/config.log; then
+        bberror Default path values used, these must be set explicitly
+    fi
+}
+do_configure[postfuncs] += "do_configure_cross_check"
+
+# The --with-path options are not actually options, so this check needs to be silenced
+ERROR_QA:remove = "unknown-configure-option"
+
 do_configure:prepend () {
     export HELP2MAN='true'
-    cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${S}/build-aux/config.rpath
-    install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.guess ${S}
-    install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.sub ${S}
-    rm -f ${S}/glob/configure*
 }
 
 do_install:append () {
@@ -73,23 +78,23 @@ do_install:append () {
     mv ${D}${libexecdir}/telnetd ${D}${sbindir}/in.telnetd
     if [ -e ${D}${libexecdir}/rexecd ]; then
         mv ${D}${libexecdir}/rexecd ${D}${sbindir}/in.rexecd
-        cp ${WORKDIR}/rexec.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rexec
+        cp ${UNPACKDIR}/rexec.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rexec
     fi
     if [ -e ${D}${libexecdir}/rlogind ]; then
         mv ${D}${libexecdir}/rlogind ${D}${sbindir}/in.rlogind
-        cp ${WORKDIR}/rlogin.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rlogin
+        cp ${UNPACKDIR}/rlogin.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rlogin
     fi
     if [ -e ${D}${libexecdir}/rshd ]; then
         mv ${D}${libexecdir}/rshd ${D}${sbindir}/in.rshd
-        cp ${WORKDIR}/rsh.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rsh
+        cp ${UNPACKDIR}/rsh.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rsh
     fi
     if [ -e ${D}${libexecdir}/talkd ]; then
         mv ${D}${libexecdir}/talkd ${D}${sbindir}/in.talkd
     fi
     mv ${D}${libexecdir}/uucpd ${D}${sbindir}/in.uucpd
     mv ${D}${libexecdir}/* ${D}${bindir}/
-    cp ${WORKDIR}/telnet.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/telnet
-    cp ${WORKDIR}/tftpd.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/tftpd
+    cp ${UNPACKDIR}/telnet.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/telnet
+    cp ${UNPACKDIR}/tftpd.xinetd.inetutils  ${D}/${sysconfdir}/xinetd.d/tftpd
 
     sed -e 's,@SBINDIR@,${sbindir},g' -i ${D}/${sysconfdir}/xinetd.d/*
     if [ -e ${D}${libdir}/charset.alias ]; then
@@ -134,11 +139,12 @@ ALTERNATIVE:${PN}-telnetd = "telnetd"
 ALTERNATIVE_LINK_NAME[telnetd] = "${sbindir}/telnetd"
 ALTERNATIVE_TARGET[telnetd] = "${sbindir}/in.telnetd"
 
-ALTERNATIVE:${PN}-inetd= "inetd"
+ALTERNATIVE:${PN}-inetd = "inetd"
 ALTERNATIVE:${PN}-traceroute = "traceroute"
 
 ALTERNATIVE:${PN}-hostname = "hostname"
 ALTERNATIVE_LINK_NAME[hostname]  = "${base_bindir}/hostname"
+ALTERNATIVE_PRIORITY[hostname] = "100"
 
 ALTERNATIVE:${PN}-doc = "hostname.1 dnsdomainname.1 logger.1 syslogd.8 \
                          tftpd.8 tftp.1 telnetd.8"
@@ -159,7 +165,6 @@ ALTERNATIVE_LINK_NAME[ping]   = "${base_bindir}/ping"
 ALTERNATIVE:${PN}-ping6 = "${@bb.utils.filter('PACKAGECONFIG', 'ping6', d)}"
 ALTERNATIVE_LINK_NAME[ping6]  = "${base_bindir}/ping6"
 
-
 FILES:${PN}-dbg += "${base_bindir}/.debug ${base_sbindir}/.debug ${bindir}/.debug ${sbindir}/.debug"
 FILES:${PN}-ping = "${base_bindir}/ping.${BPN}"
 FILES:${PN}-ping6 = "${base_bindir}/ping6.${BPN}"
diff --git a/meta/recipes-connectivity/iproute2/iproute2/0001-include-libnetlink.h-add-missing-include-for-htobe64.patch b/meta/recipes-connectivity/iproute2/iproute2/0001-include-libnetlink.h-add-missing-include-for-htobe64.patch
new file mode 100644
index 0000000000..c4dea39676
--- /dev/null
+++ b/meta/recipes-connectivity/iproute2/iproute2/0001-include-libnetlink.h-add-missing-include-for-htobe64.patch
@@ -0,0 +1,24 @@
+From 9e427aa1c647f741b08a1f0c44483ea974c7fc61 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Sat, 24 Aug 2024 15:32:25 +0200
+Subject: [PATCH] include/libnetlink.h: add missing include for htobe64
+ definitions
+
+Upstream-Status: Submitted [by email to stephen@networkplumber.org netdev@vger.kernel.org]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ include/libnetlink.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/libnetlink.h b/include/libnetlink.h
+index 7074e91..3dbfa42 100644
+--- a/include/libnetlink.h
++++ b/include/libnetlink.h
+@@ -13,6 +13,7 @@
+ #include <linux/neighbour.h>
+ #include <linux/netconf.h>
+ #include <arpa/inet.h>
++#include <endian.h>
+ 
+ struct rtnl_handle {
+        int                     fd;
diff --git a/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch b/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch
deleted file mode 100644
index 74e3de1ce9..0000000000
--- a/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From c25f8d1f7a6203dfeb10b39f80ffd314bb84a58d Mon Sep 17 00:00:00 2001
-From: Baruch Siach <baruch@tkos.co.il>
-Date: Thu, 22 Dec 2016 15:26:30 +0200
-Subject: [PATCH] libc-compat.h: add musl workaround
-
-The libc-compat.h kernel header uses glibc specific macros (__GLIBC__ and
-__USE_MISC) to solve conflicts with libc provided headers. This patch makes
-libc-compat.h work for musl libc as well.
-
-Upstream-Status: Pending
-
-Taken From:
-https://git.buildroot.net/buildroot/tree/package/iproute2/0001-Add-the-musl-workaround-to-the-libc-compat.h-copy.patch
-
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
-Signed-off-by: Maxin B. John <maxin.john@intel.com>
-
----
- include/uapi/linux/libc-compat.h | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h
-index a159991..22198fa 100644
---- a/include/uapi/linux/libc-compat.h
-+++ b/include/uapi/linux/libc-compat.h
-@@ -50,10 +50,12 @@
- #define _LIBC_COMPAT_H
- 
- /* We have included glibc headers... */
--#if defined(__GLIBC__)
-+#if 1
-+#define __USE_MISC
- 
- /* Coordinate with glibc net/if.h header. */
- #if defined(_NET_IF_H) && defined(__USE_MISC)
-+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 0
- 
- /* GLIBC headers included first so don't define anything
-  * that would already be defined. */
diff --git a/meta/recipes-connectivity/iproute2/iproute2_5.14.0.bb b/meta/recipes-connectivity/iproute2/iproute2_5.14.0.bb
deleted file mode 100644
index 27fb5c8866..0000000000
--- a/meta/recipes-connectivity/iproute2/iproute2_5.14.0.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-require iproute2.inc
-
-SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \
-           file://0001-libc-compat.h-add-musl-workaround.patch \
-           "
-
-SRC_URI[sha256sum] = "210fa785a52f3763c4287fd5ae63e246f6311bfaa48c424baab6d383bb7591d4"
-
-# CFLAGS are computed in Makefile and reference CCOPTS
-#
-EXTRA_OEMAKE:append = " CCOPTS='${CFLAGS}'"
diff --git a/meta/recipes-connectivity/iproute2/iproute2.inc b/meta/recipes-connectivity/iproute2/iproute2_6.15.0.bb
index 3f070d6799..592e3e15af 100644
--- a/meta/recipes-connectivity/iproute2/iproute2.inc
+++ b/meta/recipes-connectivity/iproute2/iproute2_6.15.0.bb
@@ -5,31 +5,43 @@ and tc are the most important.  ip controls IPv4 and IPv6 \
 configuration and tc stands for traffic control."
 HOMEPAGE = "http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2"
 SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
-                    file://ip/ip.c;beginline=3;endline=8;md5=689d691d0410a4b64d3899f8d6e31817"
+                    "
 
-DEPENDS = "flex-native bison-native iptables libcap"
+DEPENDS = "flex-native bison-native libcap"
 
-inherit update-alternatives bash-completion pkgconfig
+SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \
+           file://0001-include-libnetlink.h-add-missing-include-for-htobe64.patch \
+           "
+
+SRC_URI[sha256sum] = "8041854a882583ad5263466736c9c8c68c74b1a35754ab770d23343f947528fb"
 
-CLEANBROKEN = "1"
+inherit update-alternatives bash-completion pkgconfig
 
-PACKAGECONFIG ??= "tipc elf devlink"
+PACKAGECONFIG ??= "tipc elf devlink iptables"
 PACKAGECONFIG[tipc] = ",,libmnl,"
 PACKAGECONFIG[elf] = ",,elfutils,"
 PACKAGECONFIG[devlink] = ",,libmnl,"
+PACKAGECONFIG[iptables] = ",,iptables"
 PACKAGECONFIG[rdma] = ",,libmnl,"
+PACKAGECONFIG[selinux] = ",,libselinux"
 
 IPROUTE2_MAKE_SUBDIRS = "lib tc ip bridge misc genl ${@bb.utils.filter('PACKAGECONFIG', 'devlink tipc rdma', d)}"
 
+# This is needed with GCC-14 and musl
+CFLAGS += "-Wno-error=incompatible-pointer-types"
+# CFLAGS are computed in Makefile and reference CCOPTS
+#
 EXTRA_OEMAKE = "\
     CC='${CC}' \
     KERNEL_INCLUDE=${STAGING_INCDIR} \
     DOCDIR=${docdir}/iproute2 \
     SUBDIRS='${IPROUTE2_MAKE_SUBDIRS}' \
     SBINDIR='${base_sbindir}' \
+    CONF_USR_DIR='${libdir}/iproute2' \
     LIBDIR='${libdir}' \
+    CCOPTS='${CFLAGS}' \
 "
 
 do_configure:append () {
@@ -44,18 +56,23 @@ do_install () {
     install -d ${D}${datadir}
     mv ${D}/share/* ${D}${datadir}/ || true
     rm ${D}/share -rf || true
+
+    # Remove support fot ipt and xt in tc. So tc library directory is not needed.
+    rm ${D}${libdir}/tc -rf
 }
 
 # The .so files in iproute2-tc are modules, not traditional libraries
 INSANE_SKIP:${PN}-tc = "dev-so"
 
 IPROUTE2_PACKAGES =+ "\
+    ${PN}-bridge \
     ${PN}-devlink \
     ${PN}-genl \
     ${PN}-ifstat \
     ${PN}-ip \
     ${PN}-lnstat \
     ${PN}-nstat \
+    ${PN}-routel \
     ${PN}-rtacct \
     ${PN}-ss \
     ${PN}-tc \
@@ -72,7 +89,7 @@ FILES:${PN}-lnstat = "${base_sbindir}/lnstat \
                       ${base_sbindir}/ctstat \
                       ${base_sbindir}/rtstat"
 FILES:${PN}-ifstat = "${base_sbindir}/ifstat"
-FILES:${PN}-ip = "${base_sbindir}/ip.${PN} ${sysconfdir}/iproute2"
+FILES:${PN}-ip = "${base_sbindir}/ip.* ${libdir}/iproute2"
 FILES:${PN}-genl = "${base_sbindir}/genl"
 FILES:${PN}-rtacct = "${base_sbindir}/rtacct"
 FILES:${PN}-nstat = "${base_sbindir}/nstat"
@@ -80,6 +97,10 @@ FILES:${PN}-ss = "${base_sbindir}/ss"
 FILES:${PN}-tipc = "${base_sbindir}/tipc"
 FILES:${PN}-devlink = "${base_sbindir}/devlink"
 FILES:${PN}-rdma = "${base_sbindir}/rdma"
+FILES:${PN}-routel = "${base_sbindir}/routel"
+FILES:${PN}-bridge = "${base_sbindir}/bridge"
+
+RDEPENDS:${PN}-routel = "python3-core"
 
 ALTERNATIVE:${PN}-ip = "ip"
 ALTERNATIVE_TARGET[ip] = "${base_sbindir}/ip.${BPN}"
diff --git a/meta/recipes-connectivity/iw/iw_5.9.bb b/meta/recipes-connectivity/iw/iw_6.9.bb
index 3d1e1c7e79..e34400e18b 100644
--- a/meta/recipes-connectivity/iw/iw_5.9.bb
+++ b/meta/recipes-connectivity/iw/iw_6.9.bb
@@ -4,7 +4,7 @@ wireless devices. It supports almost all new drivers that have been added \
 to the kernel recently. "
 HOMEPAGE = "https://wireless.wiki.kernel.org/en/users/documentation/iw"
 SECTION = "base"
-LICENSE = "BSD-2-Clause"
+LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://COPYING;md5=878618a5c4af25e9b93ef0be1a93f774"
 
 DEPENDS = "libnl"
@@ -14,7 +14,7 @@ SRC_URI = "http://www.kernel.org/pub/software/network/iw/${BP}.tar.gz \
            file://separate-objdir.patch \
 "
 
-SRC_URI[sha256sum] = "6e7d3c9f8b4ee68e412f20fe229c9854c2dba383e3e650ce6af8eb8dbd12efc3"
+SRC_URI[sha256sum] = "4c3194778b175d58442907d51d1977e7270fce5cbebff0eab11c45c1da287a4b"
 
 inherit pkgconfig
 
diff --git a/meta/recipes-connectivity/kea/files/0001-make-kea-environment-available-to-lfc.patch b/meta/recipes-connectivity/kea/files/0001-make-kea-environment-available-to-lfc.patch
new file mode 100644
index 0000000000..15c09d4c41
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/0001-make-kea-environment-available-to-lfc.patch
@@ -0,0 +1,96 @@
+From 72d7e6c0b6b5af4fea2e4db9ed33757984ccdc5b Mon Sep 17 00:00:00 2001
+From: Razvan Becheriu <razvan@isc.org>
+Date: Fri, 14 Jun 2024 17:09:50 +0300
+Subject: [PATCH] make kea environment available to lfc
+
+Upstream-Status: Backport
+[https://gitlab.isc.org/isc-projects/kea/-/commit/f477e8ebcc8b8e1f1adaad4d55031084c0ff6f40]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ configure.ac                                  |  2 ++
+ src/lib/dhcpsrv/memfile_lease_mgr.cc          |  3 ++-
+ .../tests/memfile_lease_mgr_unittest.cc       | 26 +++++++++++++++++++
+ src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in  |  6 +++++
+ 4 files changed, 36 insertions(+), 1 deletion(-)
+ create mode 100644 src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in
+
+diff --git a/configure.ac b/configure.ac
+index c00edb5..7b572b0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1629,6 +1629,8 @@ AC_CONFIG_FILES([src/lib/dhcp_ddns/tests/Makefile])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/Makefile])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/tests/Makefile])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/tests/test_libraries.h])
++AC_CONFIG_FILES([src/lib/dhcpsrv/tests/test_kea_lfc_env.sh],
++                [chmod +x src/lib/dhcpsrv/tests/test_kea_lfc_env.sh])
+ AC_CONFIG_FILES([src/lib/dhcpsrv/testutils/Makefile])
+ AC_CONFIG_FILES([src/lib/dns/Makefile])
+ AC_CONFIG_FILES([src/lib/dns/tests/Makefile])
+diff --git a/src/lib/dhcpsrv/memfile_lease_mgr.cc b/src/lib/dhcpsrv/memfile_lease_mgr.cc
+index db4f5d5..0ecf3e7 100644
+--- a/src/lib/dhcpsrv/memfile_lease_mgr.cc
++++ b/src/lib/dhcpsrv/memfile_lease_mgr.cc
+@@ -209,7 +209,8 @@ LFCSetup::setup(const uint32_t lfc_interval,
+     args.push_back("ignored-path");
+ 
+     // Create the process (do not start it yet).
+-    process_.reset(new ProcessSpawn(ProcessSpawn::ASYNC, executable, args));
++    process_.reset(new ProcessSpawn(ProcessSpawn::ASYNC, executable, args,
++                                    ProcessEnvVars(), true));
+ 
+     // If we've been told to run it once now, invoke the callback directly.
+     if (run_once_now) {
+diff --git a/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc b/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc
+index 034f1f5..9edf637 100644
+--- a/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc
++++ b/src/lib/dhcpsrv/tests/memfile_lease_mgr_unittest.cc
+@@ -534,6 +534,32 @@ TEST_F(MemfileLeaseMgrTest, lfcTimer) {
+     EXPECT_EQ(2, lease_mgr->getLFCCount());
+ }
+ 
++/// @brief Check that the kea environment is accesible to the Lease
++/// File Cleanup process.
++TEST_F(MemfileLeaseMgrTest, lfcEnv) {
++    DatabaseConnection::ParameterMap pmap;
++    pmap["type"] = "memfile";
++    pmap["universe"] = "4";
++    pmap["name"] = getLeaseFilePath("leasefile4_0.csv");
++    pmap["lfc-interval"] = "1";
++
++    std::ostringstream s;
++    s << DHCP_DATA_DIR << "/test_kea_lfc_env.sh";
++    setenv("KEA_LFC_EXECUTABLE", s.str().c_str(), 1);
++
++    boost::scoped_ptr<NakedMemfileLeaseMgr> lease_mgr(new NakedMemfileLeaseMgr(pmap));
++
++    // Try to run the lease file cleanup.
++    ASSERT_NO_THROW(lease_mgr->lfcCallback());
++
++    // Wait for the LFC process to complete.
++    ASSERT_TRUE(waitForProcess(*lease_mgr, 1));
++
++    // And make sure it has returned an exit status of 0.
++    EXPECT_EQ(0, lease_mgr->getLFCExitStatus())
++        << "environment not available to LFC";
++}
++
+ /// @brief This test checks if the LFC timer is disabled (doesn't trigger)
+ /// cleanups when the lfc-interval is set to 0.
+ TEST_F(MemfileLeaseMgrTest, lfcTimerDisabled) {
+diff --git a/src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in b/src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in
+new file mode 100644
+index 0000000..3eb71d5
+--- /dev/null
++++ b/src/lib/dhcpsrv/tests/test_kea_lfc_env.sh.in
+@@ -0,0 +1,6 @@
++#!/bin/sh
++
++if [ $(env | grep -c KEA_LFC_EXECUTABLE) != 0 ]; then
++    exit 0
++fi
++exit 1
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch
index 8de9fce4b4..763639327a 100644
--- a/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch
+++ b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch
@@ -1,4 +1,4 @@
-From d027b1d85a8c1a0193b6e4a00083d3038d699a59 Mon Sep 17 00:00:00 2001
+From 06ebd1b2ced426c420ed162980eca194f9f918ae Mon Sep 17 00:00:00 2001
 From: Kai Kang <kai.kang@windriver.com>
 Date: Tue, 22 Sep 2020 15:02:33 +0800
 Subject: [PATCH] There are conflict of config files between kea and lib32-kea:
@@ -8,16 +8,21 @@ Subject: [PATCH] There are conflict of config files between kea and lib32-kea:
      lib32-kea-1.7.10-r0.core2_32 and kea-1.7.10-r0.core2_64
 |  file /etc/kea/kea-dhcp4.conf conflicts between attempted installs of
      lib32-kea-1.7.10-r0.core2_32 and kea-1.7.10-r0.core2_64
+|  file /etc/kea/kea-dhcp6.conf conflicts between attempted installs of
+     lib32-kea-2.6.1-r0.core2_32 and kea-2.6.1-r0.core2_64
 
 Because they are all commented out, replace the expanded libdir path with
 '$libdir' in the config files to avoid conflict.
 
+Upstream-Status: Submitted [https://gitlab.isc.org/isc-projects/kea/-/issues/2602]
 Signed-off-by: Kai Kang <kai.kang@windriver.com>
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
 
 ---
  src/bin/keactrl/kea-ctrl-agent.conf.pre | 3 ++-
  src/bin/keactrl/kea-dhcp4.conf.pre      | 4 ++--
- 2 files changed, 4 insertions(+), 3 deletions(-)
+ src/bin/keactrl/kea-dhcp6.conf.pre      | 4 ++--
+ 3 files changed, 6 insertions(+), 5 deletions(-)
 
 diff --git a/src/bin/keactrl/kea-ctrl-agent.conf.pre b/src/bin/keactrl/kea-ctrl-agent.conf.pre
 index e6ae8b8..50a3092 100644
@@ -34,10 +39,10 @@ index e6ae8b8..50a3092 100644
  //          "param1": "foo"
  //      }
 diff --git a/src/bin/keactrl/kea-dhcp4.conf.pre b/src/bin/keactrl/kea-dhcp4.conf.pre
-index 26bf163..49ddb0a 100644
+index 6edb8a1..b2a7385 100644
 --- a/src/bin/keactrl/kea-dhcp4.conf.pre
 +++ b/src/bin/keactrl/kea-dhcp4.conf.pre
-@@ -252,7 +252,7 @@
+@@ -255,7 +255,7 @@
      //       // of all devices serviced by Kea, including their identifiers
      //       // (like MAC address), their location in the network, times
      //       // when they were active etc.
@@ -46,7 +51,7 @@ index 26bf163..49ddb0a 100644
      //       "parameters": {
      //           "path": "/var/lib/kea",
      //           "base-name": "kea-forensic4"
-@@ -269,7 +269,7 @@
+@@ -272,7 +272,7 @@
      //       // of specific options or perhaps even a combination of several
      //       // options and fields to uniquely identify a client. Those scenarios
      //       // are addressed by the Flexible Identifiers hook application.
@@ -55,3 +60,25 @@ index 26bf163..49ddb0a 100644
      //       "parameters": {
      //           "identifier-expression": "relay4[2].hex"
      //       }
+diff --git a/src/bin/keactrl/kea-dhcp6.conf.pre b/src/bin/keactrl/kea-dhcp6.conf.pre
+index 271021b..5b85854 100644
+--- a/src/bin/keactrl/kea-dhcp6.conf.pre
++++ b/src/bin/keactrl/kea-dhcp6.conf.pre
+@@ -201,7 +201,7 @@
+     //       // of all devices serviced by Kea, including their identifiers
+     //       // (like MAC address), their location in the network, times
+     //       // when they were active etc.
+-    //       "library": "@libdir@/kea/hooks/libdhcp_legal_log.so",
++    //       "library": "$libdir/kea/hooks/libdhcp_legal_log.so",
+     //       "parameters": {
+     //           "path": "/var/lib/kea",
+     //           "base-name": "kea-forensic6"
+@@ -218,7 +218,7 @@
+     //       // of specific options or perhaps even a combination of several
+     //       // options and fields to uniquely identify a client. Those scenarios
+     //       // are addressed by the Flexible Identifiers hook application.
+-    //       "library": "@libdir@/kea/hooks/libdhcp_flex_id.so",
++    //       "library": "$libdir/kea/hooks/libdhcp_flex_id.so",
+     //       "parameters": {
+     //           "identifier-expression": "relay6[0].option[37].hex"
+     //       }
diff --git a/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch b/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch
index b7c2fd4f0d..2f5a217d3f 100644
--- a/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch
+++ b/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch
@@ -1,4 +1,4 @@
-From 18f4f6206c248d6169aa67b3ecf16bf54e9292e8 Mon Sep 17 00:00:00 2001
+From f5125725e4e2e250ccc78a17a8b77431100e7c15 Mon Sep 17 00:00:00 2001
 From: Armin kuster <akuster808@gmail.com>
 Date: Wed, 14 Oct 2020 22:48:31 -0700
 Subject: [PATCH] Busybox does not support ps -p so use pgrep
@@ -8,15 +8,18 @@ Based on changes from Diego Sueiro <Diego.Sueiro@arm.com>
 
 Signed-off-by: Armin kuster <akuster808@gmail.com>
 
+Refresh to apply on top of 2.6.1.
+
+Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
 ---
  src/bin/keactrl/keactrl.in | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/src/bin/keactrl/keactrl.in b/src/bin/keactrl/keactrl.in
-index ae5bd8e..e9f9b73 100644
+index cccfdac303..20ae2e6ec5 100644
 --- a/src/bin/keactrl/keactrl.in
 +++ b/src/bin/keactrl/keactrl.in
-@@ -151,8 +151,8 @@ check_running() {
+@@ -146,8 +146,8 @@ check_running() {
      # Get the PID from the PID file (if it exists)
      get_pid_from_file "${proc_name}"
      if [ ${_pid} -gt 0 ]; then
@@ -27,3 +30,6 @@ index ae5bd8e..e9f9b73 100644
              # No error, so PID IS ALIVE
              _running=1
          fi
+-- 
+2.39.2
+
diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
index 91aa2eb14f..f6059d73cb 100644
--- a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
+++ b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
@@ -6,7 +6,6 @@ After=time-sync.target
 
 [Service]
 ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/
-ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/kea
 ExecStart=@SBINDIR@/kea-dhcp-ddns -c @SYSCONFDIR@/kea/kea-dhcp-ddns.conf
 
 [Install]
diff --git a/meta/recipes-connectivity/kea/kea_2.0.0.bb b/meta/recipes-connectivity/kea/kea_2.6.3.bb
index 9f33c325bd..1df91e4522 100644
--- a/meta/recipes-connectivity/kea/kea_2.0.0.bb
+++ b/meta/recipes-connectivity/kea/kea_2.6.3.bb
@@ -2,8 +2,8 @@ SUMMARY = "ISC Kea DHCP Server"
 DESCRIPTION = "Kea is the next generation of DHCP software developed by ISC. It supports both DHCPv4 and DHCPv6 protocols along with their extensions, e.g. prefix delegation and dynamic updates to DNS."
 HOMEPAGE = "http://kea.isc.org"
 SECTION = "connectivity"
-LICENSE = "MPL-2.0 & Apache-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=07b7477a1d815a4aacab73b1531f577a"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ee16e7280a6cf2a1487717faf33190dc"
 
 DEPENDS = "boost log4cplus openssl"
 
@@ -17,8 +17,9 @@ SRC_URI = "http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \
            file://fix-multilib-conflict.patch \
            file://fix_pid_keactrl.patch \
            file://0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch \
+           file://0001-make-kea-environment-available-to-lfc.patch \
            "
-SRC_URI[sha256sum] = "05854e0c3871b452edace18eccc6ab618940e0249fbe7c232a36d06ae59bf41d"
+SRC_URI[sha256sum] = "00241a5955ffd3d215a2c098c4527f9d7f4b203188b276f9a36250dd3d9dd612"
 
 inherit autotools systemd update-rc.d upstream-version-is-even
 
@@ -38,6 +39,7 @@ DEBUG_OPTIMIZATION:append:mipsel = " -O"
 BUILD_OPTIMIZATION:remove:mipsel = " -Og"
 BUILD_OPTIMIZATION:append:mipsel = " -O"
 
+CXXFLAGS:remove = "-fvisibility-inlines-hidden"
 EXTRA_OECONF = "--with-boost-libs=-lboost_system \
                 --with-log4cplus=${STAGING_DIR_TARGET}${prefix} \
                 --with-openssl=${STAGING_DIR_TARGET}${prefix}"
@@ -46,7 +48,7 @@ do_configure:prepend() {
     # replace abs_top_builddir to avoid introducing the build path
     # don't expand the abs_top_builddir on the target as the abs_top_builddir is meanlingless on the target
     find ${S} -type f -name *.sh.in | xargs sed -i  "s:@abs_top_builddir@:@abs_top_builddir_placeholder@:g"
-    sed -i "s:@abs_top_srcdir@:@abs_top_srcdir_placeholder@:g" ${S}/src/bin/admin/kea-admin.in
+    sed -i "s:@abs_top_builddir@:@abs_top_builddir_placeholder@:g" ${S}/src/bin/admin/kea-admin.in
 }
 
 # patch out build host paths for reproducibility
@@ -58,11 +60,12 @@ do_install:append() {
     install -d ${D}${sysconfdir}/init.d
     install -d ${D}${systemd_system_unitdir}
 
-    install -m 0644 ${WORKDIR}/kea-dhcp*service ${D}${systemd_system_unitdir}
-    install -m 0755 ${WORKDIR}/kea-*-server ${D}${sysconfdir}/init.d
+    install -m 0644 ${UNPACKDIR}/kea-dhcp*service ${D}${systemd_system_unitdir}
+    install -m 0755 ${UNPACKDIR}/kea-*-server ${D}${sysconfdir}/init.d
     sed -i -e 's,@SBINDIR@,${sbindir},g' -e 's,@BASE_BINDIR@,${base_bindir},g' \
            -e 's,@LOCALSTATEDIR@,${localstatedir},g' -e 's,@SYSCONFDIR@,${sysconfdir},g' \
            ${D}${systemd_system_unitdir}/kea-dhcp*service ${D}${sbindir}/keactrl
+    sed -i "s:${B}:@abs_top_builddir_placeholder@:g" ${D}${sbindir}/kea-admin
 }
 
 do_install:append() {
diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.5.bb
index 9a8c46e0ef..7ad52acd06 100644
--- a/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb
+++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.5.bb
@@ -10,8 +10,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \
                     file://pcap.h;beginline=1;endline=32;md5=39af3510e011f34b8872f120b1dc31d2"
 DEPENDS = "flex-native bison-native"
 
-SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz"
-SRC_URI[sha256sum] = "ed285f4accaf05344f90975757b3dbfe772ba41d1c401c2648b7fa45b711bdd4"
+SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.xz"
+SRC_URI[sha256sum] = "84fa89ac6d303028c1c5b754abff77224f45eca0a94eb1a34ff0aa9ceece3925"
 
 inherit autotools binconfig-disabled pkgconfig
 
@@ -19,10 +19,11 @@ BINCONFIG = "${bindir}/pcap-config"
 
 # Explicitly disable dag support. We don't have recipe for it and if enabled here,
 # configure script poisons the include dirs with /usr/local/include even when the
-# support hasn't been detected.
+# support hasn't been detected. Do the same thing for DPDK.
 EXTRA_OECONF = " \
                  --with-pcap=linux \
                  --without-dag \
+                 --without-dpdk \
                  "
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
@@ -39,4 +40,4 @@ do_configure:prepend () {
     sed 's|\([ "^'\''I]\+\)/usr/include/|\1${STAGING_INCDIR}/|g' -i ${S}/configure.ac
 }
 
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-connectivity/libuv/libuv_1.42.0.bb b/meta/recipes-connectivity/libuv/libuv_1.51.0.bb
index 169bd6206b..9ff9cf35e2 100644
--- a/meta/recipes-connectivity/libuv/libuv_1.42.0.bb
+++ b/meta/recipes-connectivity/libuv/libuv_1.51.0.bb
@@ -3,12 +3,12 @@ HOMEPAGE = "https://github.com/libuv/libuv"
 DESCRIPTION = "libuv is a multi-platform support library with a focus on asynchronous I/O. It was primarily developed for use by Node.js, but it's also used by Luvit, Julia, pyuv, and others."
 BUGTRACKER = "https://github.com/libuv/libuv/issues"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=a68902a430e32200263d182d44924d47"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=74b6f2f7818a4e3a80d03556f71b129b \
+                    file://LICENSE-extra;md5=f9307417749e19bd1d6d68a394b49324"
 
-SRCREV = "6ce14710da7079eb248868171f6343bc409ea3a4"
-SRC_URI = "git://github.com/libuv/libuv;branch=v1.x"
-
-S = "${WORKDIR}/git"
+SRCREV = "5152db2cbfeb5582e9c27c5ea1dba2cd9e10759b"
+SRC_URI = "git://github.com/libuv/libuv.git;branch=v1.x;protocol=https;tag=v${PV}"
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
 
 inherit autotools
 
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_20250613.bb
index 837490f15f..72663c7e0a 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_20250613.bb
@@ -4,13 +4,12 @@ DESCRIPTION = "Mobile Broadband Service Provider Database stores service provide
 SECTION = "network"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "11f2247eccd3c161b8fd9b41143862e9fb81193c"
-PV = "20210805"
+
 PE = "1"
 
-SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https"
-S = "${WORKDIR}/git"
+SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main;tag=${PV}"
+SRCREV = "2a1b409491a531aedcf3eb3ba907929d96bd181a"
 
-inherit autotools
+inherit meson
 
 DEPENDS += "libxslt-native"
diff --git a/meta/recipes-connectivity/neard/neard_0.16.bb b/meta/recipes-connectivity/neard/neard_0.19.bb
index b6cc1d6ced..41c7e55f44 100644
--- a/meta/recipes-connectivity/neard/neard_0.16.bb
+++ b/meta/recipes-connectivity/neard/neard_0.19.bb
@@ -1,22 +1,21 @@
 SUMMARY = "Linux NFC daemon"
 DESCRIPTION = "A daemon for the Linux Near Field Communication stack"
 HOMEPAGE = "http://01.org/linux-nfc"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
+                    file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
+                   "
 
-DEPENDS = "dbus glib-2.0 libnl"
+DEPENDS = "dbus glib-2.0 libnl autoconf-archive-native"
 
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BP}.tar.xz \
+SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=https;branch=master \
            file://neard.in \
            file://Makefile.am-fix-parallel-issue.patch \
            file://Makefile.am-do-not-ship-version.h.patch \
            file://0001-Add-header-dependency-to-nciattach.o.patch \
           "
-SRC_URI[md5sum] = "5c691fb7872856dc0d909c298bc8cb41"
-SRC_URI[sha256sum] = "eae3b11c541a988ec11ca94b7deab01080cd5b58cfef3ced6ceac9b6e6e65b36"
 
-LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
- file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
- "
+SRCREV = "a1dc8a75cba999728e154a0f811ab9dd50c809f7"
 
 inherit autotools pkgconfig systemd update-rc.d
 
@@ -30,18 +29,17 @@ EXTRA_OECONF += "--enable-tools"
 do_install:append() {
         if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
                 install -d ${D}${sysconfdir}/init.d/
-                sed "s:@installpath@:${libexecdir}/nfc:" ${WORKDIR}/neard.in \
+                sed "s:@installpath@:${libexecdir}/nfc:" ${UNPACKDIR}/neard.in \
                   > ${D}${sysconfdir}/init.d/neard
                 chmod 0755 ${D}${sysconfdir}/init.d/neard
         fi
 }
 
-RDEPENDS:${PN} = "dbus"
-
 # Bluez & Wifi are not mandatory except for handover
+WIRELESS_DAEMON ??= "wpa-supplicant"
 RRECOMMENDS:${PN} = "\
                      ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez5', '', d)} \
-                     ${@bb.utils.contains('DISTRO_FEATURES', 'wifi','wpa-supplicant', '', d)} \
+                     ${@bb.utils.contains('DISTRO_FEATURES', 'wifi','${WIRELESS_DAEMON}', '', d)} \
                     "
 
 INITSCRIPT_NAME = "neard"
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch
deleted file mode 100644
index bd350144e3..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch
+++ /dev/null
@@ -1,299 +0,0 @@
-From 690a90a5b7786e40b5447ad7c5f19a7657d27405 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu@windriver.com>
-Date: Fri, 14 Dec 2018 17:44:32 +0800
-Subject: [PATCH] Makefile.am: fix undefined function for libnsm.a
-
-The source file of libnsm.a uses some function
-in ../support/misc/file.c, add ../support/misc/file.c
-to libnsm_a_SOURCES to fix build error when run
-"make -C tests statdb_dump":
-| ../support/nsm/libnsm.a(file.o): In function `nsm_make_pathname':
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:175: undefined reference to `generic_make_pathname'
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:175: undefined reference to `generic_make_pathname'
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:175: undefined reference to `generic_make_pathname'
-| ../support/nsm/libnsm.a(file.o): In function `nsm_setup_pathnames':
-| /usr/src/debug/nfs-utils/2.3.3-r0/nfs-utils-2.3.3/support/nsm/file.c:280: undefined reference to `generic_setup_basedir'
-| collect2: error: ld returned 1 exit status
-
-As there is already one source file named file.c
-as support/nsm/file.c in support/nsm/Makefile.am,
-so rename ../support/misc/file.c to ../support/misc/misc.c.
-
-Upstream-Status: Submitted[https://marc.info/?l=linux-nfs&m=154502780423058&w=2]
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-
-Rebase it.
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
----
- support/misc/Makefile.am |   2 +-
- support/misc/file.c      | 115 ---------------------------------------------------------------------------------------------------------------
- support/misc/misc.c      | 111 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- support/nsm/Makefile.am  |   2 +-
- 4 files changed, 113 insertions(+), 117 deletions(-)
-
-diff --git a/support/misc/Makefile.am b/support/misc/Makefile.am
-index f9993e3..8b0e9db 100644
---- a/support/misc/Makefile.am
-+++ b/support/misc/Makefile.am
-@@ -1,7 +1,7 @@
- ## Process this file with automake to produce Makefile.in
- 
- noinst_LIBRARIES = libmisc.a
--libmisc_a_SOURCES = tcpwrapper.c from_local.c mountpoint.c file.c \
-+libmisc_a_SOURCES = tcpwrapper.c from_local.c mountpoint.c misc.c \
-                    nfsd_path.c workqueue.c xstat.c
- 
- MAINTAINERCLEANFILES = Makefile.in
-diff --git a/support/misc/file.c b/support/misc/file.c
-deleted file mode 100644
-index 06f6bb2..0000000
---- a/support/misc/file.c
-+++ /dev/null
-@@ -1,115 +0,0 @@
--/*
-- * Copyright 2009 Oracle.  All rights reserved.
-- * Copyright 2017 Red Hat, Inc.  All rights reserved.
-- *
-- * This file is part of nfs-utils.
-- *
-- * nfs-utils is free software; you can redistribute it and/or modify
-- * it under the terms of the GNU General Public License as published by
-- * the Free Software Foundation; either version 2 of the License, or
-- * (at your option) any later version.
-- *
-- * nfs-utils is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-- * GNU General Public License for more details.
-- *
-- * You should have received a copy of the GNU General Public License
-- * along with nfs-utils.  If not, see <http://www.gnu.org/licenses/>.
-- */
--
--#ifdef HAVE_CONFIG_H
--#include <config.h>
--#endif
--
--#include <sys/stat.h>
--
--#include <string.h>
--#include <libgen.h>
--#include <stdio.h>
--#include <errno.h>
--#include <dirent.h>
--#include <stdlib.h>
--#include <stdbool.h>
--#include <limits.h>
--
--#include "xlog.h"
--#include "misc.h"
--
--/*
-- * Returns a dynamically allocated, '\0'-terminated buffer
-- * containing an appropriate pathname, or NULL if an error
-- * occurs.  Caller must free the returned result with free(3).
-- */
--__attribute__((__malloc__))
--char *
--generic_make_pathname(const char *base, const char *leaf)
--{
--       size_t size;
--       char *path;
--       int len;
--
--       size = strlen(base) + strlen(leaf) + 2;
--       if (size > PATH_MAX)
--               return NULL;
--
--       path = malloc(size);
--       if (path == NULL)
--               return NULL;
--
--       len = snprintf(path, size, "%s/%s", base, leaf);
--       if ((len < 0) || ((size_t)len >= size)) {
--               free(path);
--               return NULL;
--       }
--
--       return path;
--}
--
--
--/**
-- * generic_setup_basedir - set up basedir
-- * @progname: C string containing name of program, for error messages
-- * @parentdir: C string containing pathname to on-disk state, or NULL
-- * @base: character buffer to contain the basedir that is set up
-- * @baselen: size of @base in bytes
-- *
-- * This runs before logging is set up, so error messages are directed
-- * to stderr.
-- *
-- * Returns true and sets up our basedir, if @parentdir was valid
-- * and usable; otherwise false is returned.
-- */
--_Bool
--generic_setup_basedir(const char *progname, const char *parentdir, char *base,
--                     const size_t baselen)
--{
--       static char buf[PATH_MAX];
--       struct stat st;
--       char *path;
--
--       /* First: test length of name and whether it exists */
--       if ((strlen(parentdir) >= baselen) || (strlen(parentdir) >= PATH_MAX)) {
--               (void)fprintf(stderr, "%s: Directory name too long: %s",
--                               progname, parentdir);
--               return false;
--       }
--       if (lstat(parentdir, &st) == -1) {
--               (void)fprintf(stderr, "%s: Failed to stat %s: %s",
--                               progname, parentdir, strerror(errno));
--               return false;
--       }
--
--       /* Ensure we have a clean directory pathname */
--       strncpy(buf, parentdir, sizeof(buf)-1);
--       path = dirname(buf);
--       if (*path == '.') {
--               (void)fprintf(stderr, "%s: Unusable directory %s",
--                               progname, parentdir);
--               return false;
--       }
--
--       xlog(D_CALL, "Using %s as the state directory", parentdir);
--       strcpy(base, parentdir);
--       return true;
--}
-diff --git a/support/misc/misc.c b/support/misc/misc.c
-new file mode 100644
-index 0000000..e7c3819
---- /dev/null
-+++ b/support/misc/misc.c
-@@ -0,0 +1,111 @@
-+/*
-+ * Copyright 2009 Oracle.  All rights reserved.
-+ * Copyright 2017 Red Hat, Inc.  All rights reserved.
-+ *
-+ * This file is part of nfs-utils.
-+ *
-+ * nfs-utils is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * nfs-utils is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with nfs-utils.  If not, see <http://www.gnu.org/licenses/>.
-+ */
-+
-+#include <sys/stat.h>
-+
-+#include <string.h>
-+#include <libgen.h>
-+#include <stdio.h>
-+#include <errno.h>
-+#include <dirent.h>
-+#include <stdlib.h>
-+#include <stdbool.h>
-+#include <limits.h>
-+
-+#include "xlog.h"
-+#include "misc.h"
-+
-+/*
-+ * Returns a dynamically allocated, '\0'-terminated buffer
-+ * containing an appropriate pathname, or NULL if an error
-+ * occurs.  Caller must free the returned result with free(3).
-+ */
-+__attribute__((__malloc__))
-+char *
-+generic_make_pathname(const char *base, const char *leaf)
-+{
-+       size_t size;
-+       char *path;
-+       int len;
-+
-+       size = strlen(base) + strlen(leaf) + 2;
-+       if (size > PATH_MAX)
-+               return NULL;
-+
-+       path = malloc(size);
-+       if (path == NULL)
-+               return NULL;
-+
-+       len = snprintf(path, size, "%s/%s", base, leaf);
-+       if ((len < 0) || ((size_t)len >= size)) {
-+               free(path);
-+               return NULL;
-+       }
-+
-+       return path;
-+}
-+
-+
-+/**
-+ * generic_setup_basedir - set up basedir
-+ * @progname: C string containing name of program, for error messages
-+ * @parentdir: C string containing pathname to on-disk state, or NULL
-+ * @base: character buffer to contain the basedir that is set up
-+ * @baselen: size of @base in bytes
-+ *
-+ * This runs before logging is set up, so error messages are directed
-+ * to stderr.
-+ *
-+ * Returns true and sets up our basedir, if @parentdir was valid
-+ * and usable; otherwise false is returned.
-+ */
-+_Bool
-+generic_setup_basedir(const char *progname, const char *parentdir, char *base,
-+                     const size_t baselen)
-+{
-+       static char buf[PATH_MAX];
-+       struct stat st;
-+       char *path;
-+
-+       /* First: test length of name and whether it exists */
-+       if ((strlen(parentdir) >= baselen) || (strlen(parentdir) >= PATH_MAX)) {
-+               (void)fprintf(stderr, "%s: Directory name too long: %s",
-+                               progname, parentdir);
-+               return false;
-+       }
-+       if (lstat(parentdir, &st) == -1) {
-+               (void)fprintf(stderr, "%s: Failed to stat %s: %s",
-+                               progname, parentdir, strerror(errno));
-+               return false;
-+       }
-+
-+       /* Ensure we have a clean directory pathname */
-+       strncpy(buf, parentdir, sizeof(buf)-1);
-+       path = dirname(buf);
-+       if (*path == '.') {
-+               (void)fprintf(stderr, "%s: Unusable directory %s",
-+                               progname, parentdir);
-+               return false;
-+       }
-+
-+       xlog(D_CALL, "Using %s as the state directory", parentdir);
-+       strcpy(base, parentdir);
-+       return true;
-+}
-diff --git a/support/nsm/Makefile.am b/support/nsm/Makefile.am
-index 8f5874e..68f1a46 100644
---- a/support/nsm/Makefile.am
-+++ b/support/nsm/Makefile.am
-@@ -10,7 +10,7 @@ GENFILES      = $(GENFILES_CLNT) $(GENFILES_SVC) $(GENFILES_XDR) $(GENFILES_H)
- EXTRA_DIST     = sm_inter.x
- 
- noinst_LIBRARIES = libnsm.a
--libnsm_a_SOURCES = $(GENFILES) file.c rpc.c
-+libnsm_a_SOURCES = $(GENFILES) ../misc/misc.c file.c rpc.c
- 
- BUILT_SOURCES = $(GENFILES)
- 
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch
new file mode 100644
index 0000000000..351407ddcd
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch
@@ -0,0 +1,36 @@
+From 9efa7a0d37665d9bb0f46d2407883a5ab42c2b84 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 24 Jul 2023 20:39:16 -0700
+Subject: [PATCH] locktest: Makefile.am: Do not use build flags
+
+Using CFLAGS_FOR_BUILD etc. here means it is using wrong flags
+when thse flags are speficied different than target flags which
+is common when cross-building. It can pass wrong paths to linker
+and it would find incompatible libraries during link since they
+are from host system and target maybe not same as build host.
+
+Fixes subtle errors like
+| aarch64-yoe-linux-ld.lld: error: /mnt/b/yoe/master/build/tmp/work/cortexa72-cortexa53-crypto-yoe-linux/nfs-utils/2.6.3-r0/recipe-sysroot-native/usr/lib/libsqlite3.so is incompatible with elf64-littleaarch64
+
+Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=169025681008001&w=2]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ tools/locktest/Makefile.am | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/tools/locktest/Makefile.am b/tools/locktest/Makefile.am
+index e8914655..2fd36971 100644
+--- a/tools/locktest/Makefile.am
++++ b/tools/locktest/Makefile.am
+@@ -2,8 +2,5 @@
+ 
+ noinst_PROGRAMS = testlk
+ testlk_SOURCES = testlk.c
+-testlk_CFLAGS=$(CFLAGS_FOR_BUILD)
+-testlk_CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+-testlk_LDFLAGS=$(LDFLAGS_FOR_BUILD)
+ 
+ MAINTAINERCLEANFILES = Makefile.in
+-- 
+2.41.0
+
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0004-Use-nogroup-for-nobody-group.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0004-Use-nogroup-for-nobody-group.patch
new file mode 100644
index 0000000000..bbf44d5977
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0004-Use-nogroup-for-nobody-group.patch
@@ -0,0 +1,38 @@
+From 001913c5eb0aad933a93ee966252905cd46d776b Mon Sep 17 00:00:00 2001
+From: Daniel McGregor <daniel.mcgregor@vecima.com>
+Date: Tue, 6 Jun 2023 16:07:53 -0600
+Subject: [PATCH] Use "nogroup" for nobody group
+
+Upstream-Status: Inappropriate [oe-core specific, configuration]
+Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
+---
+ support/nfsidmap/idmapd.conf | 2 +-
+ utils/idmapd/idmapd.c        | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/support/nfsidmap/idmapd.conf b/support/nfsidmap/idmapd.conf
+index 2a2f79a1..e6f3724f 100644
+--- a/support/nfsidmap/idmapd.conf
++++ b/support/nfsidmap/idmapd.conf
+@@ -41,7 +41,7 @@
+ [Mapping]
+ 
+ #Nobody-User = nobody
+-#Nobody-Group = nobody
++#Nobody-Group = nogroup
+ 
+ [Translation]
+ 
+diff --git a/utils/idmapd/idmapd.c b/utils/idmapd/idmapd.c
+index cd9a965f..3be805e9 100644
+--- a/utils/idmapd/idmapd.c
++++ b/utils/idmapd/idmapd.c
+@@ -89,7 +89,7 @@
+ #endif
+ 
+ #ifndef NFS4NOBODY_GROUP
+-#define NFS4NOBODY_GROUP "nobody"
++#define NFS4NOBODY_GROUP "nogroup"
+ #endif
+ 
+ /* From Niels */
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-find-OE-provided-Kerberos.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-find-OE-provided-Kerberos.patch
new file mode 100644
index 0000000000..3241e8e859
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-find-OE-provided-Kerberos.patch
@@ -0,0 +1,42 @@
+From a2af266f013722a64c5d04e0fe097cd711393a53 Mon Sep 17 00:00:00 2001
+From: Daniel McGregor <daniel.mcgregor@vecima.com>
+Date: Wed, 8 Nov 2023 16:24:20 -0600
+Subject: [PATCH] find OE provided Kerberos
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Daniel McGregor <daniel.mcgregor@vecima.com>
+---
+ aclocal/kerberos5.m4 | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/aclocal/kerberos5.m4 b/aclocal/kerberos5.m4
+index f96f0fd4..ad85fdf2 100644
+--- a/aclocal/kerberos5.m4
++++ b/aclocal/kerberos5.m4
+@@ -22,8 +22,8 @@ AC_DEFUN([AC_KERBEROS_V5],[
+     dnl This ugly hack brought on by the split installation of
+     dnl MIT Kerberos on Fedora Core 1
+     K5CONFIG=""
+-    if test -f $dir/bin/krb5-config; then
+-      K5CONFIG=$dir/bin/krb5-config
++    if test -f $dir/bin/crossscripts/krb5-config; then
++      K5CONFIG=$dir/bin/crossscripts/krb5-config
+     elif test -f "/usr/kerberos/bin/krb5-config"; then
+       K5CONFIG="/usr/kerberos/bin/krb5-config"
+     elif test -f "/usr/lib/mit/bin/krb5-config"; then
+@@ -72,6 +72,7 @@ AC_DEFUN([AC_KERBEROS_V5],[
+   AC_MSG_RESULT($KRBDIR)
+ 
+   dnl Check if -rpath=$(KRBDIR)/lib is needed
++  if false; then
+   echo "The current KRBDIR is $KRBDIR"
+   if test "$KRBDIR/lib" = "/lib" -o "$KRBDIR/lib" = "/usr/lib" \
+        -o "$KRBDIR/lib" = "//lib" -o "$KRBDIR/lib" = "/usr//lib" ; then
+@@ -81,6 +82,7 @@ AC_DEFUN([AC_KERBEROS_V5],[
+   else
+     KRBLDFLAGS="-Wl,-rpath=$KRBDIR/lib"
+   fi
++  fi
+ 
+   dnl Now check for functions within gssapi library
+   AC_CHECK_LIB($gssapi_lib, gss_krb5_export_lucid_sec_context,
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/bugfix-adjust-statd-service-name.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/bugfix-adjust-statd-service-name.patch
deleted file mode 100644
index f13d7b380c..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/bugfix-adjust-statd-service-name.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 398fed3bb0350cb1229e54e7020ae0e044c206d1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ulrich=20=C3=96lmann?= <u.oelmann@pengutronix.de>
-Date: Wed, 17 Feb 2016 08:33:45 +0100
-Subject: bugfix: adjust statd service name
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Upstream uses 'rpc-statd.service' and Yocto introduced 'nfs-statd.service'
-instead but forgot to update the mount.nfs helper 'start-statd' accordingly.
-
-Upstream-Status: Inappropriate [other]
-
-Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
-
-Rebase it.
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
----
- utils/statd/start-statd | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/utils/statd/start-statd b/utils/statd/start-statd
-index af5c950..df9b9be 100755
---- a/utils/statd/start-statd
-+++ b/utils/statd/start-statd
-@@ -28,10 +28,10 @@ fi
- # First try systemd if it's installed.
- if [ -d /run/systemd/system ]; then
-     # Quit only if the call worked.
--    if systemctl start rpc-statd.service; then
-+    if systemctl start nfs-statd.service; then
-         # Ensure systemd knows not to stop rpc.statd or its dependencies
-         # on 'systemctl isolate ..'
--        systemctl add-wants --runtime remote-fs.target rpc-statd.service
-+        systemctl add-wants --runtime remote-fs.target nfs-statd.service
-         exit 0
-     fi
- fi
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch
deleted file mode 100644
index fde99b599e..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 1ab0c326405c6daa06f1a7eb4b0b60bf4e0584c2 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Tue, 31 Dec 2019 08:15:34 -0800
-Subject: [PATCH] Detect warning options during configure
-
-Certain options maybe compiler specific therefore its better
-to detect them before use.
-
-nfs_error copies the format string and appends newline to it
-but compiler can forget that it was format string since its not
-same fmt string that was passed. Ignore the warning
-
-Wdiscarded-qualifiers is gcc specific and this is no longer needed
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
----
- support/nfs/xcommon.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/support/nfs/xcommon.c b/support/nfs/xcommon.c
-index 3989f0b..e080423 100644
---- a/support/nfs/xcommon.c
-+++ b/support/nfs/xcommon.c
-@@ -98,7 +98,10 @@ nfs_error (const char *fmt, ...) {
- 
-      fmt2 = xstrconcat2 (fmt, "\n");
-      va_start (args, fmt);
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
-      vfprintf (stderr, fmt2, args);
-+#pragma GCC diagnostic pop
-      va_end (args);
-      free (fmt2);
- }
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
deleted file mode 100644
index c01415de84..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=NFS Mount Daemon
-DefaultDependencies=no
-After=rpcbind.socket
-Requires=proc-fs-nfsd.mount
-After=proc-fs-nfsd.mount
-After=network.target local-fs.target
-BindsTo=nfs-server.service
-ConditionPathExists=@SYSCONFDIR@/exports
-
-[Service]
-EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
-ExecStart=@SBINDIR@/rpc.mountd -F $MOUNTD_OPTS
-LimitNOFILE=@HIGH_RLIMIT_NOFILE@
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
deleted file mode 100644
index 5c845b7e82..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
+++ /dev/null
@@ -1,23 +0,0 @@
-[Unit]
-Description=NFS server and services
-DefaultDependencies=no
-Requires=network.target proc-fs-nfsd.mount
-Requires=nfs-mountd.service
-Wants=rpcbind.service
-After=local-fs.target
-After=network.target proc-fs-nfsd.mount rpcbind.service nfs-mountd.service
-ConditionPathExists=@SYSCONFDIR@/exports
-
-[Service]
-Type=oneshot
-EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
-ExecStartPre=@SBINDIR@/exportfs -r
-ExecStart=@SBINDIR@/rpc.nfsd $NFSD_OPTS $NFSD_COUNT
-ExecStop=@SBINDIR@/rpc.nfsd 0
-ExecStopPost=@SBINDIR@/exportfs -au
-ExecStopPost=@SBINDIR@/exportfs -f
-ExecReload=@SBINDIR@/exportfs -r
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
deleted file mode 100644
index 4fa64e1998..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=NFS status monitor for NFSv2/3 locking.
-DefaultDependencies=no
-Conflicts=umount.target
-Requires=nss-lookup.target rpcbind.service
-After=network.target nss-lookup.target rpcbind.service
-
-[Service]
-EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
-ExecStart=@SBINDIR@/rpc.statd -F $STATD_OPTS
-LimitNOFILE=@HIGH_RLIMIT_NOFILE@
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-debianize-start-statd.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-debianize-start-statd.patch
deleted file mode 100644
index ede0dcefc4..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-debianize-start-statd.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-[PATCH] nfs-utils: debianize start-statd
-
-Upstream-Status: Pending
-
-make start-statd command to use nfscommon configure, too.
-
-Signed-off-by: Henrik Riomar <henrik.riomar@ericsson.com>
-Signed-off-by: Li Wang <li.wang@windriver.com>
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- utils/statd/start-statd | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/utils/statd/start-statd b/utils/statd/start-statd
-index 2fd6039..f591b34 100755
---- a/utils/statd/start-statd
-+++ b/utils/statd/start-statd
-@@ -17,6 +17,14 @@ then
-     # statd already running - must have been slow to respond.
-     exit 0
- fi
-+
-+# Read config
-+DEFAULTFILE=/etc/default/nfs-common
-+NEED_IDMAPD=
-+if [ -f $DEFAULTFILE ]; then
-+    . $DEFAULTFILE
-+fi
-+
- # First try systemd if it's installed.
- if [ -d /run/systemd/system ]; then
-     # Quit only if the call worked.
-@@ -25,4 +33,4 @@ fi
- 
- cd /
- # Fall back to launching it ourselves.
--exec rpc.statd --no-notify
-+exec rpc.statd --no-notify $STATDOPTS
--- 
-2.6.6
-
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils.conf b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils.conf
deleted file mode 100644
index a1007a7fbf..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# Parameters to be passed to nfs-utils (clients & server) service files.
-#
-
-# Options to pass to rpc.nfsd.
-NFSD_OPTS=""
-
-# Number of servers to start up; the default is 8 servers.
-NFSD_COUNT=""
-
-# Where to mount nfsd filesystem; the default is "/proc/fs/nfsd".
-PROCNFSD_MOUNTPOINT=""
-
-# Options used to mount nfsd filesystem; the default is "rw,nodev,noexec,nosuid".
-PROCNFSD_MOUNTOPTS=""
-
-# Options for rpc.mountd.
-# If you have a port-based firewall, you might want to set up
-# a fixed port here using the --port option.
-MOUNTD_OPTS=""
-
-# Parameters to be passed to nfs-common (nfs clients & server) init script.
-#
-
-# If you do not set values for the NEED_ options, they will be attempted
-# autodetected; this should be sufficient for most people. Valid alternatives
-# for the NEED_ options are "yes" and "no".
-
-# Do you want to start the statd daemon? It is not needed for NFSv4.
-NEED_STATD=""
-
-# Options to pass to rpc.statd.
-# N.B. statd normally runs on both client and server, and run-time
-# options should be specified accordingly.
-# STATD_OPTS="-p 32765 -o 32766"
-STATD_OPTS=""
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon
index 992267d5a1..9b7fd17b41 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfscommon
@@ -1,63 +1,279 @@
 #!/bin/sh
+
 ### BEGIN INIT INFO
 # Provides:          nfs-common
-# Required-Start:    $portmap hwclock
-# Required-Stop:     $portmap hwclock
-# Default-Start:     2 3 4 5
+# Required-Start:    $portmap $time
+# Required-Stop:     $portmap $time
+# Default-Start:     S
 # Default-Stop:      0 1 6
-# Short-Description: NFS support for both client and server
+# Short-Description: NFS support files common to client and server
 # Description:       NFS is a popular protocol for file sharing across
-#                    TCP/IP networks. This service provides various
+#                    TCP/IP networks. This service provides various
 #                    support functions for NFS mounts.
 ### END INIT INFO
-#
-# Startup script for nfs-utils
-#
-#
-# Location of executables:
 
-# Source function library.
+# What is this?
+DESC="NFS common utilities"
+
+# Read config
+DEFAULTFILE=/etc/default/nfs-utils
+NEED_STATD=
+NEED_GSSD=
+if nfsconf --isset general pipefs-directory; then
+    PIPEFS_MOUNTPOINT=$(nfsconf --get general pipefs-directory)
+else
+    PIPEFS_MOUNTPOINT=/var/lib/nfs/rpc_pipefs
+fi
+if [ -f $DEFAULTFILE ]; then
+    . $DEFAULTFILE
+fi
+
 . /etc/init.d/functions
 
-test -x "$NFS_STATD" || NFS_STATD=/usr/sbin/rpc.statd
-test -z "$STATD_PID" && STATD_PID=/var/run/rpc.statd.pid
+# Exit if required binaries are missing.
+[ -x /usr/sbin/rpc.statd ] || exit 0
+
 #
-# The default state directory is /var/lib/nfs
-test -n "$NFS_STATEDIR" || NFS_STATEDIR=/var/lib/nfs
+# Parse the fstab file, and determine whether we need gssd. (The
+# /etc/defaults settings, if any, will override our autodetection.) This code
+# is partially adapted from the mountnfs.sh script in the sysvinit package.
 #
-#----------------------------------------------------------------------
-# Startup and shutdown functions.
-#  Actual startup/shutdown is at the end of this file.
-
-start_statd(){
-        echo -n "starting statd: "
-        start-stop-daemon --start --exec "$NFS_STATD" --pidfile "$STATD_PID"
-        echo done
+AUTO_NEED_GSSD=no
+
+if [ -f /etc/fstab ]; then
+    exec 9<&0 </etc/fstab
+
+    while read -r DEV _ _ OPTS _
+    do
+        case $DEV in
+            ''|\#*)
+                continue
+                ;;
+        esac
+        OLDIFS="$IFS"
+        IFS=","
+        for OPT in $OPTS; do
+            case "$OPT" in
+                sec=krb5|sec=krb5i|sec=krb5p)
+                    AUTO_NEED_GSSD=yes
+                ;;
+            esac
+        done
+        IFS="$OLDIFS"
+    done
+
+    exec 0<&9 9<&-
+fi
+
+case "$NEED_STATD" in
+    yes|no)
+        ;;
+    *)
+        NEED_STATD=yes
+        ;;
+esac
+
+case "$NEED_IDMAPD" in
+    yes|no)
+        ;;
+    *)
+        NEED_IDMAPD=yes
+        ;;
+esac
+
+case "$NEED_GSSD" in
+    yes|no)
+        ;;
+    *)
+        NEED_GSSD=$AUTO_NEED_GSSD
+        ;;
+esac
+
+do_modprobe() {
+    if [ -x /sbin/modprobe ] && [ -f /proc/modules ]
+    then
+        modprobe -q "$1" || true
+    fi
+}
+
+do_mount() {
+    if ! grep -E -qs "$1\$" /proc/filesystems
+    then
+        return 1
+    fi
+    if ! mountpoint -q "$2"
+    then
+        mount -t "$1" "$1" "$2"
+        return
+    fi
+    return 0
 }
-stop_statd(){
-        echo -n 'stopping statd: '
-        start-stop-daemon --stop --quiet --signal 1 --pidfile "$STATD_PID"
-        echo done
+
+do_umount() {
+    if mountpoint -q "$1"
+    then
+        umount "$1"
+    fi
+    return 0
 }
-#----------------------------------------------------------------------
-#
-# supported options:
-#  start
-#  stop
-#  restart: stops and starts mountd
-#FIXME: need to create the /var/lib/nfs/... directories
+
+# See how we were called.
 case "$1" in
   start)
-        start_statd;;
+        echo -n "Starting $DESC ..."
+
+        if [ "$NEED_STATD" = yes ]; then
+            echo -n " statd"
+
+            # See if rpcbind is running
+            if [ -x /usr/sbin/rpcinfo ]; then
+                /usr/sbin/rpcinfo -p >/dev/null 2>&1
+                RET=$?
+                if [ $RET != 0 ]; then
+                   echo
+                   echo "Not starting: portmapper is not running"
+                   exit 0
+                fi
+            fi
+            start-stop-daemon --start --oknodo --quiet \
+                --pidfile /run/rpc.statd.pid \
+                --exec /usr/sbin/rpc.statd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            else
+                if [ -d /run/sendsigs.omit.d ]; then
+                    rm -f /run/sendsigs.omit.d/statd
+                    ln -s /run/rpc.statd.pid /run/sendsigs.omit.d/statd
+                fi
+            fi
+        fi
+
+        # Don't start idmapd and gssd if we don't have them (say, if /usr is not
+        # up yet).
+        [ -x /usr/sbin/rpc.idmapd ] || NEED_IDMAPD=no
+        [ -x /usr/sbin/rpc.gssd   ] || NEED_GSSD=no
+
+        if [ "$NEED_IDMAPD" = yes ] || [ "$NEED_GSSD" = yes ]
+        then
+            do_modprobe sunrpc
+            do_modprobe nfs
+            do_modprobe nfsd
+            mkdir -p "$PIPEFS_MOUNTPOINT"
+            if do_mount rpc_pipefs $PIPEFS_MOUNTPOINT
+            then
+                if [ "$NEED_IDMAPD" = yes ]
+                then
+                    ecno -n " idmapd"
+                    start-stop-daemon --start --oknodo --quiet \
+                            --exec /usr/sbin/rpc.idmapd
+                    RET=$?
+                    if [ $RET != 0 ]; then
+                        echo " failed" $RET
+                        exit $RET
+                    fi
+                fi
+                if [ "$NEED_GSSD" = yes ]
+                then
+                    do_modprobe rpcsec_gss_krb5
+                    echo -n " gssd"
+
+                    start-stop-daemon --start --oknodo --quiet \
+                            --exec /usr/sbin/rpc.gssd
+                    RET=$?
+                    if [ $RET != 0 ]; then
+                        echo " failed" $RET
+                        exit $RET
+                    fi
+                fi
+            fi
+        fi
+        echo " done"
+        ;;
+
   stop)
-        stop_statd;;
+        echo -n "Stopping $DESC ..."
+
+        if [ "$NEED_GSSD" = yes ]
+        then
+            echo -n " gssd"
+            start-stop-daemon --stop --oknodo --quiet \
+                    --name rpc.gssd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            fi
+        fi
+        if [ "$NEED_IDMAPD" = yes ]
+        then
+            echo -n " idmapd"
+            start-stop-daemon --stop --oknodo --quiet \
+                --name rpc.idmapd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            fi
+        fi
+        if [ "$NEED_STATD" = yes ]
+        then
+            echo -n " statd"
+            start-stop-daemon --stop --oknodo --quiet \
+                --name rpc.statd
+            RET=$?
+            if [ $RET != 0 ]; then
+                echo " failed" $RET
+                exit $RET
+            fi
+        fi
+        do_umount $PIPEFS_MOUNTPOINT 2>/dev/null || true
+        echo " done"
+        ;;
+
   status)
-        status $NFS_STATD
-        exit $?;;
-  restart)
+        if [ "$NEED_STATD" = yes ]
+        then
+            if ! pidof rpc.statd >/dev/null
+            then
+                echo "rpc.statd not running"
+                exit 3
+            fi
+        fi
+
+        if [ "$NEED_GSSD" = yes ]
+        then
+            if ! pidof rpc.gssd >/dev/null
+            then
+                echo "rpc.gssd not running"
+                exit 3
+            fi
+        fi
+
+        if [ "$NEED_IDMAPD" = yes ]
+        then
+            if ! pidof rpc.idmapd >/dev/null
+            then
+                echo "rpc.idmapd not running"
+                exit 3
+            fi
+        fi
+
+        echo "all daemons running"
+        exit 0
+        ;;
+
+  restart | force-reload)
         $0 stop
-        $0 start;;
+        sleep 1
+        $0 start
+        ;;
+
   *)
-        echo "Usage: $0 {start|stop|status|restart}"
-        exit 1;;
+        echo "Usage: nfscommon {start|stop|status|restart}"
+        exit 1
+        ;;
 esac
+
+exit 0
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
index 0f5747cc6d..99ec280b35 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver
@@ -1,8 +1,10 @@
 #!/bin/sh
+
 ### BEGIN INIT INFO
 # Provides:          nfs-kernel-server
-# Required-Start:    $remote_fs nfs-common $portmap hwclock
-# Required-Stop:     $remote_fs nfs-common $portmap hwclock
+# Required-Start:    $remote_fs nfs-common $portmap $time
+# Required-Stop:     $remote_fs nfs-common $portmap $time
+# Should-Start:      $named
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Kernel NFS server support
@@ -19,20 +21,25 @@
 #
 # The environment variable NFS_SERVERS may be set in /etc/default/nfsd
 # Other control variables may be overridden here too
-test -r /etc/default/nfsd && . /etc/default/nfsd
+test -r /etc/default/nfs-utils && . /etc/default/nfs-utils
 #
 # Location of executables:
 test -x "$NFS_MOUNTD" || NFS_MOUNTD=/usr/sbin/rpc.mountd
 test -x "$NFS_NFSD" || NFS_NFSD=/usr/sbin/rpc.nfsd
+test -x "$NFS_SVCGSSD" || NFS_SVCGSSD=/usr/sbin/rpc.svcgssd
 #
 # The user mode program must also exist (it just starts the kernel
 # threads using the kernel module code).
 test -x "$NFS_MOUNTD" || exit 0
 test -x "$NFS_NFSD" || exit 0
-#
-# Default is 8 threads, value is settable between 1 and the truely
-# ridiculous 99
-test "$NFS_SERVERS" != "" && test "$NFS_SERVERS" -gt 0 && test "$NFS_SERVERS" -lt 100 || NFS_SERVERS=8
+
+case "$NEED_SVCGSSD" in
+        yes|no)
+                ;;
+        *)
+                NEED_SVCGSSD=no
+                ;;
+esac
 #
 #----------------------------------------------------------------------
 # Startup and shutdown functions.
@@ -49,6 +56,22 @@ stop_mountd(){
         echo done
 }
 #
+#svcgssd
+start_svcgssd(){
+        modprobe -q rpcsec_gss_krb5
+        if [ "$NEED_SVCGSSD" = "yes" ]; then
+                echo -n "starting svcgssd: "
+                start-stop-daemon --start --exec "$NFS_SVCGSSD" -- "$@"
+                echo done
+        fi
+}
+stop_svcgssd(){
+        if [ "$NEED_SVCGSSD" = "yes" ]; then
+                echo -n "stop svcgssd: "
+                start-stop-daemon --stop --exec "$NFS_SVCGSSD"
+                echo done
+        fi
+}
 #nfsd
 start_nfsd(){
         modprobe -q nfsd
@@ -62,38 +85,18 @@ start_nfsd(){
                 exit 1
         }
 
-        echo -n "starting $1 nfsd kernel threads: "
+        echo -n "starting nfsd: "
         start-stop-daemon --start --exec "$NFS_NFSD" -- "$@"
         echo done
 }
-delay_nfsd(){
-        for delay in 0 1 2 3 4 5 6 7 8 9 
-        do
-                if pidof nfsd >/dev/null
-                then
-                        echo -n .
-                        sleep 1
-                else
-                        return 0
-                fi
-        done
-        return 1
-}
 stop_nfsd(){
-        # WARNING: this kills any process with the executable
-        # name 'nfsd'.
         echo -n 'stopping nfsd: '
-        start-stop-daemon --stop --quiet --signal 1 --name nfsd
-        if delay_nfsd || {
-                echo failed
-                echo ' using signal 9: '
-                start-stop-daemon --stop --quiet --signal 9 --name nfsd
-                delay_nfsd
-        }
+        $NFS_NFSD 0
+        if pidof nfsd
         then
-                echo done
-        else
                 echo failed
+        else
+                echo done
         fi
 }
 
@@ -108,11 +111,13 @@ stop_nfsd(){
 case "$1" in
   start)
         test -r /etc/exports && exportfs -r
-        start_nfsd "$NFS_SERVERS"
+        start_nfsd
+        start_svcgssd
         start_mountd
         test -r /etc/exports && exportfs -a;;
   stop) exportfs -ua
         stop_mountd
+        stop_svcgssd
         stop_nfsd;;
   status)
         status /usr/sbin/rpc.mountd
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/proc-fs-nfsd.mount b/meta/recipes-connectivity/nfs-utils/nfs-utils/proc-fs-nfsd.mount
deleted file mode 100644
index 630801b375..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/proc-fs-nfsd.mount
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=NFSD configuration filesystem
-After=systemd-modules-load.service
-
-[Mount]
-What=nfsd
-Where=/proc/fs/nfsd
-Type=nfsd
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.4.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.8.3.bb
index 459f68f05e..9668ac0e86 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.5.4.bb
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.8.3.bb
@@ -4,11 +4,11 @@ NFS server and related tools."
 HOMEPAGE = "http://nfs.sourceforge.net/"
 SECTION = "console/network"
 
-LICENSE = "MIT & GPLv2+ & BSD-3-Clause"
+LICENSE = "MIT & GPL-2.0-or-later & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=95f3a93a5c3c7888de623b46ea085a84"
 
 # util-linux for libblkid
-DEPENDS = "libcap libevent util-linux sqlite3 libtirpc"
+DEPENDS = "libcap libevent util-linux sqlite3 libtirpc libxml2"
 RDEPENDS:${PN} = "${PN}-client"
 RRECOMMENDS:${PN} = "kernel-module-nfsd"
 
@@ -21,17 +21,12 @@ USERADD_PARAM:${PN}-client = "--system  --home-dir /var/lib/nfs \
 SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.xz \
            file://nfsserver \
            file://nfscommon \
-           file://nfs-utils.conf \
-           file://nfs-server.service \
-           file://nfs-mountd.service \
-           file://nfs-statd.service \
-           file://proc-fs-nfsd.mount \
-           file://nfs-utils-debianize-start-statd.patch \
-           file://bugfix-adjust-statd-service-name.patch \
-           file://0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch \
-           file://clang-warnings.patch \
+           file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \
+           file://0004-Use-nogroup-for-nobody-group.patch \
+           file://0005-find-OE-provided-Kerberos.patch \
            "
-SRC_URI[sha256sum] = "51997d94e4c8bcef5456dd36a9ccc38e231207c4e9b6a9a2c108841e6aebe3dd"
+
+SRC_URI[sha256sum] = "11e7c5847a8423a72931c865bd9296e7fd56ff270a795a849183900961711725"
 
 # Only kernel-module-nfsd is required here (but can be built-in)  - the nfsd module will
 # pull in the remainder of the dependencies.
@@ -45,47 +40,71 @@ INITSCRIPT_PARAMS:${PN}-client = "defaults 19 21"
 inherit autotools-brokensep update-rc.d systemd pkgconfig
 
 SYSTEMD_PACKAGES = "${PN} ${PN}-client"
-SYSTEMD_SERVICE:${PN} = "nfs-server.service nfs-mountd.service"
-SYSTEMD_SERVICE:${PN}-client = "nfs-statd.service"
+SYSTEMD_SERVICE:${PN} = "nfs-server.service"
+SYSTEMD_SERVICE:${PN}-client = "nfs-client.target"
 
 # --enable-uuid is need for cross-compiling
 EXTRA_OECONF = "--with-statduser=rpcuser \
                 --enable-mountconfig \
                 --enable-libmount-mount \
                 --enable-uuid \
-                --disable-gss \
-                --disable-nfsdcltrack \
                 --with-statdpath=/var/lib/nfs/statd \
+                --with-pluginpath=${libdir}/libnfsidmap \
                 --with-rpcgen=${HOSTTOOLS_DIR}/rpcgen \
                "
 
+LDFLAGS += "-lsqlite3 -levent"
+
 PACKAGECONFIG ??= "tcp-wrappers \
-    ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
+    ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 systemd', d)} \
 "
+
 PACKAGECONFIG:remove:libc-musl = "tcp-wrappers"
+#krb5 is available in meta-oe
+PACKAGECONFIG[gssapi] = "--with-krb5=${STAGING_EXECPREFIXDIR} --enable-gss --enable-svcgss,--disable-gss --disable-svcgss,krb5"
 PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,--without-tcp-wrappers,tcp-wrappers"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
 # libdevmapper is available in meta-oe
 PACKAGECONFIG[nfsv41] = "--enable-nfsv41,--disable-nfsv41,libdevmapper,libdevmapper"
 # keyutils is available in meta-oe
-PACKAGECONFIG[nfsv4] = "--enable-nfsv4,--disable-nfsv4,keyutils,python3-core"
+PACKAGECONFIG[nfsv4] = "--enable-nfsv4 --enable-nfsdcltrack,--disable-nfsv4 --disable-nfsdcltrack,keyutils,python3-core"
+PACKAGECONFIG[nfsdctl] = "--enable-nfsdctl,--disable-nfsdctl,libnl readline,"
+PACKAGECONFIG[systemd] = "--with-systemd=${systemd_unitdir}/system,--without-systemd"
 
-PACKAGES =+ "${PN}-client ${PN}-mount ${PN}-stats"
+PACKAGES =+ "${PN}-client ${PN}-mount ${PN}-stats ${PN}-rpcctl"
 
 CONFFILES:${PN}-client += "${localstatedir}/lib/nfs/etab \
                            ${localstatedir}/lib/nfs/rmtab \
                            ${localstatedir}/lib/nfs/xtab \
                            ${localstatedir}/lib/nfs/statd/state \
+                           ${sysconfdir}/idmapd.conf \
+                           ${sysconfdir}/nfs.conf \
                            ${sysconfdir}/nfsmount.conf"
 
 FILES:${PN}-client = "${sbindir}/*statd \
                       ${sbindir}/rpc.idmapd ${sbindir}/sm-notify \
                       ${sbindir}/showmount ${sbindir}/nfsstat \
+                      ${sbindir}/rpc.gssd \
+                      ${sbindir}/nfsconf \
+                      ${libdir}/libnfsidmap.so.* \
+                      ${libdir}/libnfsidmap/*.so \
+                      ${libexecdir}/nfsrahead \
                       ${localstatedir}/lib/nfs \
-                      ${sysconfdir}/nfs-utils.conf \
-                      ${sysconfdir}/nfsmount.conf \
+                      ${sysconfdir}/idmapd.conf \
                       ${sysconfdir}/init.d/nfscommon \
-                      ${systemd_system_unitdir}/nfs-statd.service"
+                      ${sysconfdir}/nfs.conf \
+                      ${sysconfdir}/nfsmount.conf \
+                      ${systemd_system_unitdir}/auth-rpcgss-module.service \
+                      ${systemd_system_unitdir}/nfs-client.target \
+                      ${systemd_system_unitdir}/nfs-idmapd.service \
+                      ${systemd_system_unitdir}/nfs-statd.service \
+                      ${systemd_system_unitdir}/nfscommon.service \
+                      ${systemd_system_unitdir}/rpc-gssd.service \
+                      ${systemd_system_unitdir}/rpc-statd-notify.service \
+                      ${systemd_system_unitdir}/rpc-statd.service \
+                      ${systemd_system_unitdir}/rpc_pipefs.target \
+                      ${systemd_system_unitdir}/var-lib-nfs-rpc_pipefs.mount \
+                      ${nonarch_libdir}/udev/rules.d/*"
 RDEPENDS:${PN}-client = "${PN}-mount rpcbind"
 
 FILES:${PN}-mount = "${base_sbindir}/*mount.nfs*"
@@ -93,13 +112,18 @@ FILES:${PN}-mount = "${base_sbindir}/*mount.nfs*"
 FILES:${PN}-stats = "${sbindir}/mountstats ${sbindir}/nfsiostat ${sbindir}/nfsdclnts"
 RDEPENDS:${PN}-stats = "python3-core"
 
+FILES:${PN}-rpcctl = "${sbindir}/rpcctl"
+RDEPENDS:${PN}-rpcctl = "python3-core"
+
 FILES:${PN}-staticdev += "${libdir}/libnfsidmap/*.a"
 
-FILES:${PN} += "${systemd_unitdir} ${libdir}/libnfsidmap/"
+FILES:${PN} += "${systemd_unitdir} ${libdir}/libnfsidmap/ ${nonarch_libdir}/modprobe.d"
 
 do_configure:prepend() {
         sed -i -e 's,sbindir = /sbin,sbindir = ${base_sbindir},g' \
-                ${S}/utils/mount/Makefile.am
+                -e 's,udev_rulesdir = /usr/lib/udev/rules.d/,udev_rulesdir = ${nonarch_base_libdir}/udev/rules.d/,g' \
+                ${S}/utils/mount/Makefile.am ${S}/utils/nfsdcltrack/Makefile.am \
+                ${S}/systemd/Makefile.am ${S}/tools/nfsrahead/Makefile.am
 }
 
 # Make clean needed because the package comes with
@@ -113,25 +137,18 @@ HIGH_RLIMIT_NOFILE ??= "4096"
 
 do_install:append () {
         install -d ${D}${sysconfdir}/init.d
-        install -m 0755 ${WORKDIR}/nfsserver ${D}${sysconfdir}/init.d/nfsserver
-        install -m 0755 ${WORKDIR}/nfscommon ${D}${sysconfdir}/init.d/nfscommon
+        install -m 0755 ${UNPACKDIR}/nfsserver ${D}${sysconfdir}/init.d/nfsserver
+        install -m 0755 ${UNPACKDIR}/nfscommon ${D}${sysconfdir}/init.d/nfscommon
 
-        install -m 0755 ${WORKDIR}/nfs-utils.conf ${D}${sysconfdir}
-        install -m 0755 ${S}/utils/mount/nfsmount.conf ${D}${sysconfdir}
+        install -m 0644 ${S}/support/nfsidmap/idmapd.conf ${D}${sysconfdir}
+        install -m 0644 ${S}/nfs.conf ${D}${sysconfdir}
 
         install -d ${D}${systemd_system_unitdir}
-        install -m 0644 ${WORKDIR}/nfs-server.service ${D}${systemd_system_unitdir}/
-        install -m 0644 ${WORKDIR}/nfs-mountd.service ${D}${systemd_system_unitdir}/
-        install -m 0644 ${WORKDIR}/nfs-statd.service ${D}${systemd_system_unitdir}/
-        sed -i -e 's,@SBINDIR@,${sbindir},g' \
-                -e 's,@SYSCONFDIR@,${sysconfdir},g' \
-                -e 's,@HIGH_RLIMIT_NOFILE@,${HIGH_RLIMIT_NOFILE},g' \
-                ${D}${systemd_system_unitdir}/*.service
-        if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-                install -m 0644 ${WORKDIR}/proc-fs-nfsd.mount ${D}${systemd_system_unitdir}/
-                install -d ${D}${systemd_system_unitdir}/sysinit.target.wants/
-                ln -sf ../proc-fs-nfsd.mount ${D}${systemd_system_unitdir}/sysinit.target.wants/proc-fs-nfsd.mount
-        fi
+        # Retain historical service name so old scripts keep working
+        ln -s rpc-statd.service ${D}${systemd_system_unitdir}/nfs-statd.service
+        # Add compatibility symlinks for the sysvinit scripts
+        ln -s nfs-server.service ${D}${systemd_system_unitdir}/nfsserver.service
+        ln -s /dev/null ${D}${systemd_system_unitdir}/nfscommon.service
 
         # kernel code as of 3.8 hard-codes this path as a default
         install -d ${D}/var/lib/nfs/v4recovery
@@ -139,7 +156,4 @@ do_install:append () {
         # chown the directories and files
         chown -R rpcuser:rpcuser ${D}${localstatedir}/lib/nfs/statd
         chmod 0644 ${D}${localstatedir}/lib/nfs/statd/state
-
-        # Make python tools use python 3
-        sed -i -e '1s,#!.*python.*,#!${bindir}/python3,' ${D}${sbindir}/mountstats ${D}${sbindir}/nfsiostat
 }
diff --git a/meta/recipes-connectivity/ofono/ofono/0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch b/meta/recipes-connectivity/ofono/ofono/0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch
deleted file mode 100644
index 8a5a300adc..0000000000
--- a/meta/recipes-connectivity/ofono/ofono/0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 22b52db4842611ac31a356f023fc09595384e2ad Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Thu, 23 May 2019 18:11:22 -0700
-Subject: [PATCH] mbim: add an optional TEMP_FAILURE_RETRY macro copy
-
-Fixes build on musl which does not provide this macro
-
-Upstream-Status: Submitted [https://lists.ofono.org/pipermail/ofono/2019-May/019370.html]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- drivers/mbimmodem/mbim-private.h | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/drivers/mbimmodem/mbim-private.h b/drivers/mbimmodem/mbim-private.h
-index e159235..51693ea 100644
---- a/drivers/mbimmodem/mbim-private.h
-+++ b/drivers/mbimmodem/mbim-private.h
-@@ -21,6 +21,15 @@
- 
- #define align_len(len, boundary) (((len)+(boundary)-1) & ~((boundary)-1))
- 
-+#ifndef TEMP_FAILURE_RETRY
-+#define TEMP_FAILURE_RETRY(expression) ({     \
-+  __typeof(expression) __result;              \
-+  do {                                        \
-+    __result = (expression);                  \
-+  } while (__result == -1 && errno == EINTR); \
-+  __result; })
-+#endif
-+
- enum mbim_control_message {
-        MBIM_OPEN_MSG = 0x1,
-        MBIM_CLOSE_MSG = 0x2,
--- 
-2.21.0
-
diff --git a/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch b/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch
deleted file mode 100644
index 3655b3fd66..0000000000
--- a/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 76e4054801350ebd4a44057379431a33d460ad0f Mon Sep 17 00:00:00 2001
-From: Martin Jansa <Martin.Jansa@gmail.com>
-Date: Wed, 21 Apr 2021 11:01:34 +0000
-Subject: [PATCH] mbim: Fix build with ell-0.39 by restoring unlikely macro
- from ell/util.h
-
-Upstream-Status: Pending
-
-Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
----
- drivers/mbimmodem/mbim-private.h | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/mbimmodem/mbim-private.h b/drivers/mbimmodem/mbim-private.h
-index 51693eae..d917312c 100644
---- a/drivers/mbimmodem/mbim-private.h
-+++ b/drivers/mbimmodem/mbim-private.h
-@@ -30,6 +30,10 @@
-   __result; })
- #endif
- 
-+/* used to be part of ell/util.h before 0.39:
-+   https://git.kernel.org/pub/scm/libs/ell/ell.git/commit/?id=2a682421b06e41c45098217a686157f576847021 */
-+#define unlikely(x) __builtin_expect(!!(x), 0)
-+
- enum mbim_control_message {
-        MBIM_OPEN_MSG = 0x1,
-        MBIM_CLOSE_MSG = 0x2,
diff --git a/meta/recipes-connectivity/ofono/ofono_1.33.bb b/meta/recipes-connectivity/ofono/ofono_2.17.bb
index 1fab90c08e..36bbe9439a 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.33.bb
+++ b/meta/recipes-connectivity/ofono/ofono_2.17.bb
@@ -2,18 +2,15 @@ SUMMARY = "open source telephony"
 DESCRIPTION = "oFono is a stack for mobile telephony devices on Linux. oFono supports speaking to telephony devices through specific drivers, or with generic AT commands."
 HOMEPAGE = "http://www.ofono.org"
 BUGTRACKER = "https://01.org/jira/browse/OF"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
-                    file://src/ofono.h;beginline=1;endline=20;md5=3ce17d5978ef3445def265b98899c2ee"
+                    file://src/ofono.h;beginline=1;endline=6;md5=13e42133935ceecfc9bcb547f256e277"
 DEPENDS = "dbus glib-2.0 udev mobile-broadband-provider-info ell"
 
-SRC_URI = "\
-    ${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
-    file://ofono \
-    file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \
-    file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \
-"
-SRC_URI[sha256sum] = "e4591c5353ad2069cb9c0861fad3f1bf655137f9785fc5f16151d509e49ba708"
+SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
+           file://ofono \
+           "
+SRC_URI[sha256sum] = "70bb50997d3a7657edf133355677f8e04b2158bcb031118a67b296107f6ea73e"
 
 inherit autotools pkgconfig update-rc.d systemd gobject-introspection-data
 
@@ -30,14 +27,9 @@ PACKAGECONFIG[bluez] = "--enable-bluetooth, --disable-bluetooth, bluez5"
 
 EXTRA_OECONF += "--enable-test --enable-external-ell"
 
-do_configure:prepend() {
-    bbnote "Removing bundled ell from ${S}/ell to prevent including it"
-    rm -rf ${S}/ell
-}
-
 do_install:append() {
     install -d ${D}${sysconfdir}/init.d/
-    install -m 0755 ${WORKDIR}/ofono ${D}${sysconfdir}/init.d/ofono
+    install -m 0755 ${UNPACKDIR}/ofono ${D}${sysconfdir}/init.d/ofono
 }
 
 PACKAGES =+ "${PN}-tests"
@@ -45,7 +37,6 @@ PACKAGES =+ "${PN}-tests"
 FILES:${PN} += "${systemd_unitdir}"
 FILES:${PN}-tests = "${libdir}/${BPN}/test"
 
-RDEPENDS:${PN} += "dbus"
 RDEPENDS:${PN}-tests = "\
     python3-core \
     python3-dbus \
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
new file mode 100644
index 0000000000..f424288e37
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -0,0 +1,59 @@
+From 5cc897fe2effe549e1e280c2f606bce8b532b61e Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Mon, 11 Sep 2023 09:55:21 +0100
+Subject: [PATCH] regress/banner.sh: log input and output files on error
+
+Some test environments like yocto with qemu are seeing these
+tests failing. There may be additional error messages in the
+stderr of ssh cloent command. busybox cmp shows this error when
+first input file has less new line characters then second
+input file:
+
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+
+Logging the full banner.out will show what other error messages
+are captured in addition of the expected banner.
+
+Full log of a failing banner test runs is:
+
+run test banner.sh ...
+test banner: missing banner file
+test banner: size 0
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+banner size 0 mismatch
+test banner: size 10
+test banner: size 100
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+banner size 100 mismatch
+test banner: size 1000
+test banner: size 10000
+test banner: size 100000
+test banner: suppress banner (-q)
+FAIL:  banner
+return value: 1
+
+See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
+
+Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ regress/banner.sh | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/regress/banner.sh b/regress/banner.sh
+index a84feb5..de84957 100644
+--- a/regress/banner.sh
++++ b/regress/banner.sh
+@@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
+        verbose "test $tid: size $s"
+        ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+                cmp $OBJ/banner.in $OBJ/banner.out ) || \
+-               fail "banner size $s mismatch"
++               ( verbose "Contents of $OBJ/banner.in:"; cat $OBJ/banner.in; \
++                 verbose "Contents of $OBJ/banner.out:"; cat $OBJ/banner.out; \
++                 fail "banner size $s mismatch" )
+ done
+ 
+ trace "test suppress banner (-q)"
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
new file mode 100644
index 0000000000..360b62af34
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch
@@ -0,0 +1,35 @@
+From 9dcccafe44ea17e972e7cddea205bbe9fe71d8d6 Mon Sep 17 00:00:00 2001
+From: Jose Quaresma <jose.quaresma@foundries.io>
+Date: Mon, 15 Jul 2024 18:43:08 +0100
+Subject: [PATCH] regress/test-exec: use the absolute path in the SSH env
+
+The SSHAGENT_BIN was changed in [1] to SSH_BIN but
+the last one don't use the absolute path and consequently
+the function increase_datafile_size can loops forever
+if the binary not found.
+
+[1] https://github.com/openssh/openssh-portable/commit/a68f80f2511f0e0c5cef737a8284cc2dfabad818
+
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/510]
+
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ regress/test-exec.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 8a00c72..2891f27 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -179,6 +179,11 @@ if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
+ fi
+ 
+ # Path to sshd must be absolute for rexec
++case "$SSH" in
++/*) ;;
++*) SSH=`which $SSH` ;;
++esac
++
+ case "$SSHD" in
+ /*) ;;
+ *) SSHD=`which $SSHD` ;;
diff --git a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch b/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
deleted file mode 100644
index b8402a4dee..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/add-test-support-for-busybox.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Adjust test cases to work with busybox.
-
-- Replace dd parameter "obs" with "bs".
-- Replace "head -<num>" with "head -n <num>".
-
-Signed-off-by: Maxin B. John <maxin.john@enea.com>
-Upstream-Status: Pending
-
-Index: openssh-7.6p1/regress/cipher-speed.sh
-===================================================================
---- openssh-7.6p1.orig/regress/cipher-speed.sh
-+++ openssh-7.6p1/regress/cipher-speed.sh
-@@ -17,7 +17,7 @@ for c in `${SSH} -Q cipher`; do n=0; for
-                printf "%-60s" "$c/$m:"
-                ( ${SSH} -o 'compression no' \
-                        -F $OBJ/ssh_proxy -m $m -c $c somehost \
--                       exec sh -c \'"dd of=/dev/null obs=32k"\' \
-+                       exec sh -c \'"dd of=/dev/null bs=32k"\' \
-                < ${DATA} ) 2>&1 | getbytes
- 
-                if [ $? -ne 0 ]; then
-Index: openssh-7.6p1/regress/transfer.sh
-===================================================================
---- openssh-7.6p1.orig/regress/transfer.sh
-+++ openssh-7.6p1/regress/transfer.sh
-@@ -13,7 +13,7 @@ cmp ${DATA} ${COPY}           || fail "corrupted
- for s in 10 100 1k 32k 64k 128k 256k; do
-        trace "dd-size ${s}"
-        rm -f ${COPY}
--       dd if=$DATA obs=${s} 2> /dev/null | \
-+       dd if=$DATA bs=${s} 2> /dev/null | \
-                ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
-        if [ $? -ne 0 ]; then
-                fail "ssh cat $DATA failed"
-Index: openssh-7.6p1/regress/key-options.sh
-===================================================================
---- openssh-7.6p1.orig/regress/key-options.sh
-+++ openssh-7.6p1/regress/key-options.sh
-@@ -47,7 +47,7 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do
-        fi
- 
-        sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
--       from=`head -1 $authkeys | cut -f1 -d ' '`
-+       from=`head -n 1 $authkeys | cut -f1 -d ' '`
-        verbose "key option $from"
-        r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
-        if [ "$r" = "true" ]; then
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch b/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
deleted file mode 100644
index 20036da931..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/fix-potential-signed-overflow-in-pointer-arithmatic.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 3328e98bcbf2930cd7eea3e6c92ad5dcbdf4794f Mon Sep 17 00:00:00 2001
-From: Yuanjie Huang <yuanjie.huang@windriver.com>
-Date: Wed, 24 Aug 2016 03:15:43 +0000
-Subject: [PATCH] Fix potential signed overflow in pointer arithmatic
-
-Pointer arithmatic results in implementation defined signed integer
-type, so that 's - src' in strlcpy and others may trigger signed overflow.
-In case of compilation by gcc or clang with -ftrapv option, the overflow
-would lead to program abort.
-
-Upstream-Status: Submitted [http://bugzilla.mindrot.org/show_bug.cgi?id=2608]
-
-Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com>
-
-Complete the fix
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- openbsd-compat/strlcat.c | 10 +++++++---
- openbsd-compat/strlcpy.c |  8 ++++++--
- openbsd-compat/strnlen.c |  8 ++++++--
- 3 files changed, 19 insertions(+), 7 deletions(-)
-
-diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c
-index bcc1b61..124e1e3 100644
---- a/openbsd-compat/strlcat.c
-+++ b/openbsd-compat/strlcat.c
-@@ -23,6 +23,7 @@
- 
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
- 
- /*
-  * Appends src to string dst of size siz (unlike strncat, siz is the
-@@ -42,7 +43,7 @@ strlcat(char *dst, const char *src, size_t siz)
-        /* Find the end of dst and adjust bytes left but don't go past end */
-        while (n-- != 0 && *d != '\0')
-                d++;
--       dlen = d - dst;
-+       dlen = (uintptr_t)d - (uintptr_t)dst;
-        n = siz - dlen;
- 
-        if (n == 0)
-@@ -55,8 +56,11 @@ strlcat(char *dst, const char *src, size_t siz)
-                s++;
-        }
-        *d = '\0';
--
--       return(dlen + (s - src));       /* count does not include NUL */
-+        /*
-+        * Cast pointers to unsigned type before calculation, to avoid signed
-+        * overflow when the string ends where the MSB has changed.
-+        */
-+       return (dlen + ((uintptr_t)s - (uintptr_t)src));        /* count does not include NUL */
- }
- 
- #endif /* !HAVE_STRLCAT */
-diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c
-index b4b1b60..b06f374 100644
---- a/openbsd-compat/strlcpy.c
-+++ b/openbsd-compat/strlcpy.c
-@@ -23,6 +23,7 @@
- 
- #include <sys/types.h>
- #include <string.h>
-+#include <stdint.h>
- 
- /*
-  * Copy src to string dst of size siz.  At most siz-1 characters
-@@ -51,8 +52,11 @@ strlcpy(char *dst, const char *src, size_t siz)
-                while (*s++)
-                        ;
-        }
--
--       return(s - src - 1);    /* count does not include NUL */
-+        /*
-+        * Cast pointers to unsigned type before calculation, to avoid signed
-+        * overflow when the string ends where the MSB has changed.
-+        */
-+       return ((uintptr_t)s - (uintptr_t)src - 1);     /* count does not include NUL */
- }
- 
- #endif /* !HAVE_STRLCPY */
-diff --git a/openbsd-compat/strnlen.c b/openbsd-compat/strnlen.c
-index 7ad3573..7040f1f 100644
---- a/openbsd-compat/strnlen.c
-+++ b/openbsd-compat/strnlen.c
-@@ -23,6 +23,7 @@
- #include <sys/types.h>
- 
- #include <string.h>
-+#include <stdint.h>
- 
- size_t
- strnlen(const char *str, size_t maxlen)
-@@ -31,7 +32,10 @@ strnlen(const char *str, size_t maxlen)
- 
-        for (cp = str; maxlen != 0 && *cp != '\0'; cp++, maxlen--)
-                ;
--
--       return (size_t)(cp - str);
-+        /*
-+        * Cast pointers to unsigned type before calculation, to avoid signed
-+        * overflow when the string ends where the MSB has changed.
-+        */
-+       return (size_t)((uintptr_t)cp - (uintptr_t)str);
- }
- #endif
--- 
-2.17.1
-
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest
index ae03e929b2..c9100f9f37 100755
--- a/meta/recipes-connectivity/openssh/openssh/run-ptest
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,11 +1,26 @@
 #!/bin/sh
 
+export TEST_SSH_SSH=ssh
 export TEST_SHELL=sh
 export SKIP_UNIT=1
 
 cd regress
+
+# copied from openssh-portable/.github/run_test.sh
+output_failed_logs() {
+    for i in failed*.log; do
+        if [ -f "$i" ]; then
+            echo -------------------------------------------------------------------------
+            echo LOGFILE $i
+            cat $i
+            echo -------------------------------------------------------------------------
+        fi
+    done
+}
+trap output_failed_logs 0
+
 sed -i "/\t\tagent-ptrace /d" Makefile
-make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \
+make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="" tests \
         | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g'
 
 SSHAGENT=`which ssh-agent`
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
index e0d023803e..cb2774a163 100644
--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $
+#       $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -17,11 +17,11 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
-Host *
-  ForwardAgent yes
-  ForwardX11 yes
-#   RhostsRSAAuthentication no
-#   RSAAuthentication yes
+Include /etc/ssh/ssh_config.d/*.conf
+
+# Host *
+#   ForwardAgent no
+#   ForwardX11 no
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
@@ -36,7 +36,6 @@ Host *
 #   IdentityFile ~/.ssh/id_ecdsa
 #   IdentityFile ~/.ssh/id_ed25519
 #   Port 22
-#   Protocol 2
 #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
 #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
 #   EscapeChar ~
@@ -46,3 +45,4 @@ Host *
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd b/meta/recipes-connectivity/openssh/openssh/sshd
index 4882e58b48..cf675a4dad 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd
+++ b/meta/recipes-connectivity/openssh/openssh/sshd
@@ -7,4 +7,4 @@ password   include      common-password
 session    optional     pam_keyinit.so force revoke
 session    include      common-session
 session    required     pam_loginuid.so
-
+session    required     pam_env.so
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service
new file mode 100644
index 0000000000..c71fff1cc1
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=OpenSSH server daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+After=nss-user-lookup.target
+
+[Service]
+Type=notify-reload
+Environment="SSHD_OPTS="
+EnvironmentFile=-/etc/default/ssh
+ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
+ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
+KillMode=process
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 8d76d62309..7dd2ed0626 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,6 +1,7 @@
 [Unit]
 Conflicts=sshd.service
 Wants=sshdgenkeys.service
+After=nss-user-lookup.target
 
 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index ef117de897..bbb6a14908 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -8,7 +8,7 @@ generate_key() {
     mkdir -p "$DIR"
     rm -f ${FILE}.tmp
     ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
-
+    chmod go-rwx "$FILE.tmp"
     # Atomically rename file public key
     mv -f "${FILE}.tmp.pub" "${FILE}.pub"
 
@@ -57,8 +57,7 @@ while true ; do
     esac
 done
 
-HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
-[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
+HOST_KEYS=$(sshd -G -f "${sshd_config}" | grep -i '^hostkey ' | cut -f2 -d' ')
 
 for key in ${HOST_KEYS} ; do
     [ -f $key ] && continue
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
index 15f061b570..e9eaf93157 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
@@ -1,4 +1,4 @@
-#       $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
+#       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -10,6 +10,8 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 
+Include /etc/ssh/sshd_config.d/*.conf
+
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
@@ -57,9 +59,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
+# Change to yes to enable keyboard-interactive authentication (beware issues
+# with some PAM modules and threads)
+KbdInteractiveAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -73,13 +75,13 @@ ChallengeResponseAuthentication no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
+# PAM authentication via KbdInteractiveAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 #UsePAM no
 
 #AllowAgentForwarding yes
@@ -92,7 +94,6 @@ ChallengeResponseAuthentication no
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
 #PermitUserEnvironment no
 Compression no
 ClientAliveInterval 15
diff --git a/meta/recipes-connectivity/openssh/openssh_8.8p1.bb b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
index ee86bb92ab..2f446b5540 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.8p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_10.0p1.bb
@@ -5,37 +5,38 @@ Ssh (Secure Shell) is a program for logging into a remote machine \
 and for executing commands on a remote machine."
 HOMEPAGE = "http://www.openssh.com/"
 SECTION = "console/network"
-LICENSE = "BSD-2-Clause & BSD-3-Clause & BSD-4-Clause & ISC & MIT"
-LIC_FILES_CHKSUM = "file://LICENCE;md5=d9d2753bdef9f19466dc7bc959114b11"
+LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT"
+LIC_FILES_CHKSUM = "file://LICENCE;md5=78ffb36e5a48c0d8c5648603a3b6c8eb"
 
 DEPENDS = "zlib openssl virtual/crypt"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
-SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
+SRC_URI = "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.gz \
            file://sshd_config \
            file://ssh_config \
            file://init \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+           file://sshd.service \
            file://sshd.socket \
            file://sshd@.service \
            file://sshdgenkeys.service \
            file://volatiles.99_sshd \
            file://run-ptest \
-           file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
            file://sshd_check_keys \
-           file://add-test-support-for-busybox.patch \
+           file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
+           file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
            "
-SRC_URI[sha256sum] = "4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9"
+SRC_URI[sha256sum] = "021a2e709a0edf4250b1256bd5a9e500411a90dddabea830ed59cef90eb9d85c"
 
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_WHITELIST += "CVE-2007-2768"
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_WHITELIST += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
 
-# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_WHITELIST += "CVE-2008-3844"
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
+CVE_STATUS[CVE-2023-51767] = "upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1."
 
 PAM_SRC_URI = "file://sshd"
 
@@ -48,18 +49,23 @@ INITSCRIPT_NAME:${PN}-sshd = "sshd"
 INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9"
 
 SYSTEMD_PACKAGES = "${PN}-sshd"
-SYSTEMD_SERVICE:${PN}-sshd = "sshd.socket"
+SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
 
-inherit autotools-brokensep ptest
+inherit autotools-brokensep ptest pkgconfig
 
-PACKAGECONFIG ??= "rng-tools"
+# systemd-sshd-socket-mode means installing sshd.socket
+# and systemd-sshd-service-mode corresponding to sshd.service
+PACKAGECONFIG ??= "systemd-sshd-socket-mode hostkey-ecdsa"
+PACKAGECONFIG[fido2] = "--with-security-key-builtin,--disable-security-key,libfido2"
 PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
 PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
 PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
 PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
-
-# Add RRECOMMENDS to rng-tools for sshd package
-PACKAGECONFIG[rng-tools] = ""
+PACKAGECONFIG[systemd-sshd-socket-mode] = ""
+PACKAGECONFIG[systemd-sshd-service-mode] = ""
+PACKAGECONFIG[hostkey-rsa] = ""
+PACKAGECONFIG[hostkey-ecdsa] = ""
+PACKAGECONFIG[hostkey-ed25519] = ""
 
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
@@ -76,6 +82,13 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
 # musl doesn't implement wtmp/utmp and logwtmp
 EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
 
+# Work around ICE on mips/mips64 starting in 9.6p1
+EXTRA_OECONF:append:mips = " --without-hardening"
+EXTRA_OECONF:append:mips64 = " --without-hardening"
+
+# Work around ICE on powerpc64le starting in 9.6p1
+EXTRA_OECONF:append:powerpc64le = " --without-hardening"
+
 # Since we do not depend on libbsd, we do not want configure to use it
 # just because it finds libutil.h.  But, specifying --disable-libutil
 # causes compile errors, so...
@@ -89,20 +102,42 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
 
 do_configure:prepend () {
         export LD="${CC}"
-        install -m 0644 ${WORKDIR}/sshd_config ${B}/
-        install -m 0644 ${WORKDIR}/ssh_config ${B}/
+        install -m 0600 ${UNPACKDIR}/sshd_config ${B}/
+        install -m 0644 ${UNPACKDIR}/ssh_config ${B}/
 }
 
 do_compile_ptest() {
-        # skip regress/unittests/ binaries: this will silently skip
-        # unittests in run-ptests which is good because they are so slow.
-        oe_runmake regress/modpipe regress/setuid-allowed regress/netcat \
-                   regress/check-perm regress/mkdtemp
+        oe_runmake regress-binaries regress-unit-binaries
+}
+
+sshd_hostkey_setup() {
+        # Enable specific ssh host keys
+        sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+                echo "HostKey /etc/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+                echo "HostKey /etc/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+                echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config
+        fi
+
+        sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-rsa','true','false',d)}; then
+                echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ecdsa','true','false',d)}; then
+                echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','hostkey-ed25519','true','false',d)}; then
+                echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        fi
 }
 
 do_install:append () {
         if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
-                install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
+                install -D -m 0644 ${UNPACKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
                 sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
         fi
 
@@ -111,40 +146,51 @@ do_install:append () {
         fi
 
         install -d ${D}${sysconfdir}/init.d
-        install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
+        install -m 0755 ${UNPACKDIR}/init ${D}${sysconfdir}/init.d/sshd
         rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
         rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
         install -d ${D}/${sysconfdir}/default/volatiles
-        install -m 644 ${WORKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
+        install -m 644 ${UNPACKDIR}/volatiles.99_sshd ${D}/${sysconfdir}/default/volatiles/99_sshd
         install -m 0755 ${S}/contrib/ssh-copy-id ${D}${bindir}
 
+        # Limit sshd_config access to the owner (default is 0644)
+        chmod 0600 ${D}${sysconfdir}/ssh/sshd_config
+
         # Create config files for read-only rootfs
         install -d ${D}${sysconfdir}/ssh
-        install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
-        sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
-        echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
-        echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
-        echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
+        install -m 0600 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
 
         install -d ${D}${systemd_system_unitdir}
-        install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir}
-        install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir}
-        install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
+        if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
+            install -c -m 0644 ${UNPACKDIR}/sshd.socket ${D}${systemd_system_unitdir}
+            install -c -m 0644 ${UNPACKDIR}/sshd@.service ${D}${systemd_system_unitdir}
+            sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
+                    -e 's,@SBINDIR@,${sbindir},g' \
+                    -e 's,@BINDIR@,${bindir},g' \
+                    -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+            ${D}${systemd_system_unitdir}/sshd.socket
+        fi
+        if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','true','false',d)}; then
+            install -c -m 0644 ${UNPACKDIR}/sshd.service ${D}${systemd_system_unitdir}
+        fi
+        install -c -m 0644 ${UNPACKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
         sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
                 -e 's,@SBINDIR@,${sbindir},g' \
                 -e 's,@BINDIR@,${bindir},g' \
                 -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
-                ${D}${systemd_system_unitdir}/sshd.socket ${D}${systemd_system_unitdir}/*.service
+                ${D}${systemd_system_unitdir}/*.service
 
         sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
                 ${D}${sysconfdir}/init.d/sshd
 
-        install -D -m 0755 ${WORKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
+        install -D -m 0755 ${UNPACKDIR}/sshd_check_keys ${D}${libexecdir}/${BPN}/sshd_check_keys
+        sshd_hostkey_setup
 }
 
 do_install_ptest () {
         sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh
         cp -r regress ${D}${PTEST_PATH}
+        cp config.h ${D}${PTEST_PATH}
 }
 
 ALLOW_EMPTY:${PN} = "1"
@@ -152,22 +198,18 @@ ALLOW_EMPTY:${PN} = "1"
 PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
 FILES:${PN}-scp = "${bindir}/scp.${BPN}"
 FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
-FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
+FILES:${PN}-sshd = "${sbindir}/sshd ${libexecdir}/sshd-session ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
 FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
-FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
+FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys ${libexecdir}/sshd-auth"
 FILES:${PN}-sftp = "${bindir}/sftp"
 FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
 FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
 FILES:${PN}-keygen = "${bindir}/ssh-keygen"
 
-RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
+RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server"
 RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
-RRECOMMENDS:${PN}-sshd:append:class-target = "\
-    ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \
-"
-
 # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
-RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
+RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed coreutils openssl-bin"
 
 RPROVIDES:${PN}-ssh = "ssh"
 RPROVIDES:${PN}-sshd = "sshd"
diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
index b9cc24a7ac..71d378734c 100644
--- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1 +1,24 @@
-export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
+export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/openssl.cnf"
+export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
+export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES"
+
+# Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools
+# CAFILE/CAPATH is auto-deteced when source buildtools
+if [ -z "$SSL_CERT_FILE" ]; then
+        if [ -n "$CAFILE" ];then
+                export SSL_CERT_FILE="$CAFILE"
+        elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+                export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt"
+        fi
+fi
+
+if [ -z "$SSL_CERT_DIR" ]; then
+        if [ -n "$CAPATH" ];then
+                export SSL_CERT_DIR="$CAPATH"
+        elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then
+                export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs"
+        fi
+fi
+
+export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} SSL_CERT_DIR SSL_CERT_FILE"
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
new file mode 100644
index 0000000000..5b7365a353
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -0,0 +1,367 @@
+From 5ba65051fea0513db0d997f0ab7cafb9826ed74a Mon Sep 17 00:00:00 2001
+From: William Lyu <William.Lyu@windriver.com>
+Date: Fri, 20 Oct 2023 16:22:37 -0400
+Subject: [PATCH] Added handshake history reporting when test fails
+
+Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
+
+Signed-off-by: William Lyu <William.Lyu@windriver.com>
+---
+ test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++----------
+ test/helpers/handshake.h |  70 +++++++++++++++++++-
+ test/ssl_test.c          |  44 +++++++++++++
+ 3 files changed, 217 insertions(+), 34 deletions(-)
+
+diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
+index f611b3a..5703b48 100644
+--- a/test/helpers/handshake.c
++++ b/test/helpers/handshake.c
+@@ -25,6 +25,102 @@
+ #include <netinet/sctp.h>
+ #endif
+ 
++/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
++/* Maps string names to various enumeration type */
++typedef struct {
++    const char *name;
++    int value;
++} enum_name_map;
++
++static const enum_name_map connect_phase_names[] = {
++    {"Handshake", HANDSHAKE},
++    {"RenegAppData", RENEG_APPLICATION_DATA},
++    {"RenegSetup", RENEG_SETUP},
++    {"RenegHandshake", RENEG_HANDSHAKE},
++    {"AppData", APPLICATION_DATA},
++    {"Shutdown", SHUTDOWN},
++    {"ConnectionDone", CONNECTION_DONE}
++};
++
++static const enum_name_map peer_status_names[] = {
++    {"PeerSuccess", PEER_SUCCESS},
++    {"PeerRetry", PEER_RETRY},
++    {"PeerError", PEER_ERROR},
++    {"PeerWaiting", PEER_WAITING},
++    {"PeerTestFail", PEER_TEST_FAILURE}
++};
++
++static const enum_name_map handshake_status_names[] = {
++    {"HandshakeSuccess", HANDSHAKE_SUCCESS},
++    {"ClientError", CLIENT_ERROR},
++    {"ServerError", SERVER_ERROR},
++    {"InternalError", INTERNAL_ERROR},
++    {"HandshakeRetry", HANDSHAKE_RETRY}
++};
++
++/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
++static const char *enum_name(const enum_name_map *enums, size_t num_enums,
++                             int value)
++{
++    size_t i;
++    for (i = 0; i < num_enums; i++) {
++        if (enums[i].value == value) {
++            return enums[i].name;
++        }
++    }
++    return "InvalidValue";
++}
++
++const char *handshake_connect_phase_name(connect_phase_t phase)
++{
++    return enum_name(connect_phase_names, OSSL_NELEM(connect_phase_names),
++                     (int)phase);
++}
++
++const char *handshake_status_name(handshake_status_t handshake_status)
++{
++    return enum_name(handshake_status_names, OSSL_NELEM(handshake_status_names),
++                     (int)handshake_status);
++}
++
++const char *handshake_peer_status_name(peer_status_t peer_status)
++{
++    return enum_name(peer_status_names, OSSL_NELEM(peer_status_names),
++                     (int)peer_status);
++}
++
++static void save_loop_history(HANDSHAKE_HISTORY *history,
++                              connect_phase_t phase,
++                              handshake_status_t handshake_status,
++                              peer_status_t server_status,
++                              peer_status_t client_status,
++                              int client_turn_count,
++                              int is_client_turn)
++{
++    HANDSHAKE_HISTORY_ENTRY *new_entry = NULL;
++
++    /*
++     * Create a new history entry for a handshake loop with statuses given in
++     * the arguments. Potentially evicting the oldest entry when the
++     * ring buffer is full.
++     */
++    ++(history->last_idx);
++    history->last_idx &= MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
++
++    new_entry = &((history->entries)[history->last_idx]);
++    new_entry->phase = phase;
++    new_entry->handshake_status = handshake_status;
++    new_entry->server_status = server_status;
++    new_entry->client_status = client_status;
++    new_entry->client_turn_count = client_turn_count;
++    new_entry->is_client_turn = is_client_turn;
++
++    /* Evict the oldest handshake loop entry when the ring buffer is full. */
++    if (history->entry_count < MAX_HANDSHAKE_HISTORY_ENTRY) {
++        ++(history->entry_count);
++    }
++}
++
+ HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
+ {
+     HANDSHAKE_RESULT *ret;
+@@ -726,15 +822,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
+         SSL_set_post_handshake_auth(client, 1);
+ }
+ 
+-/* The status for each connection phase. */
+-typedef enum {
+-    PEER_SUCCESS,
+-    PEER_RETRY,
+-    PEER_ERROR,
+-    PEER_WAITING,
+-    PEER_TEST_FAILURE
+-} peer_status_t;
+-
+ /* An SSL object and associated read-write buffers. */
+ typedef struct peer_st {
+     SSL *ssl;
+@@ -1081,17 +1168,6 @@ static void do_shutdown_step(PEER *peer)
+     }
+ }
+ 
+-typedef enum {
+-    HANDSHAKE,
+-    RENEG_APPLICATION_DATA,
+-    RENEG_SETUP,
+-    RENEG_HANDSHAKE,
+-    APPLICATION_DATA,
+-    SHUTDOWN,
+-    CONNECTION_DONE
+-} connect_phase_t;
+-
+-
+ static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
+ {
+     switch (test_ctx->handshake_mode) {
+@@ -1169,19 +1245,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
+     }
+ }
+ 
+-typedef enum {
+-    /* Both parties succeeded. */
+-    HANDSHAKE_SUCCESS,
+-    /* Client errored. */
+-    CLIENT_ERROR,
+-    /* Server errored. */
+-    SERVER_ERROR,
+-    /* Peers are in inconsistent state. */
+-    INTERNAL_ERROR,
+-    /* One or both peers not done. */
+-    HANDSHAKE_RETRY
+-} handshake_status_t;
+-
+ /*
+  * Determine the handshake outcome.
+  * last_status: the status of the peer to have acted last.
+@@ -1546,6 +1609,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+ 
+     start = time(NULL);
+ 
++    save_loop_history(&(ret->history),
++                      phase, status, server.status, client.status,
++                      client_turn_count, client_turn);
++
+     /*
+      * Half-duplex handshake loop.
+      * Client and server speak to each other synchronously in the same process.
+@@ -1567,6 +1634,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+                                       0 /* server went last */);
+         }
+ 
++        save_loop_history(&(ret->history),
++                          phase, status, server.status, client.status,
++                          client_turn_count, client_turn);
++
+         switch (status) {
+         case HANDSHAKE_SUCCESS:
+             client_turn_count = 0;
+diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
+index 78b03f9..b9967c2 100644
+--- a/test/helpers/handshake.h
++++ b/test/helpers/handshake.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -12,6 +12,11 @@
+ 
+ #include "ssl_test_ctx.h"
+ 
++#define MAX_HANDSHAKE_HISTORY_ENTRY_BIT 4
++#define MAX_HANDSHAKE_HISTORY_ENTRY (1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT)
++#define MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK \
++    ((1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT) - 1)
++
+ typedef struct ctx_data_st {
+     unsigned char *npn_protocols;
+     size_t npn_protocols_len;
+@@ -22,6 +27,63 @@ typedef struct ctx_data_st {
+     char *session_ticket_app_data;
+ } CTX_DATA;
+ 
++typedef enum {
++    HANDSHAKE,
++    RENEG_APPLICATION_DATA,
++    RENEG_SETUP,
++    RENEG_HANDSHAKE,
++    APPLICATION_DATA,
++    SHUTDOWN,
++    CONNECTION_DONE
++} connect_phase_t;
++
++/* The status for each connection phase. */
++typedef enum {
++    PEER_SUCCESS,
++    PEER_RETRY,
++    PEER_ERROR,
++    PEER_WAITING,
++    PEER_TEST_FAILURE
++} peer_status_t;
++
++typedef enum {
++    /* Both parties succeeded. */
++    HANDSHAKE_SUCCESS,
++    /* Client errored. */
++    CLIENT_ERROR,
++    /* Server errored. */
++    SERVER_ERROR,
++    /* Peers are in inconsistent state. */
++    INTERNAL_ERROR,
++    /* One or both peers not done. */
++    HANDSHAKE_RETRY
++} handshake_status_t;
++
++/* Stores the various status information in a handshake loop. */
++typedef struct handshake_history_entry_st {
++    connect_phase_t phase;
++    handshake_status_t handshake_status;
++    peer_status_t server_status;
++    peer_status_t client_status;
++    int client_turn_count;
++    int is_client_turn;
++} HANDSHAKE_HISTORY_ENTRY;
++
++typedef struct handshake_history_st {
++    /* Implemented using ring buffer. */
++    /*
++     * The valid entries are |entries[last_idx]|, |entries[last_idx-1]|,
++     * ..., etc., going up to |entry_count| number of entries. Note that when
++     * the index into the array |entries| becomes < 0, we wrap around to
++     * the end of |entries|.
++     */
++    HANDSHAKE_HISTORY_ENTRY entries[MAX_HANDSHAKE_HISTORY_ENTRY];
++    /* The number of valid entries in |entries| array. */
++    size_t entry_count;
++    /* The index of the last valid entry in the |entries| array. */
++    size_t last_idx;
++} HANDSHAKE_HISTORY;
++
+ typedef struct handshake_result {
+     ssl_test_result_t result;
+     /* These alerts are in the 2-byte format returned by the info_callback. */
+@@ -77,6 +139,8 @@ typedef struct handshake_result {
+     char *cipher;
+     /* session ticket application data */
+     char *result_session_ticket_app_data;
++    /* handshake loop history */
++    HANDSHAKE_HISTORY history;
+ } HANDSHAKE_RESULT;
+ 
+ HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
+@@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
+                                     CTX_DATA *server2_ctx_data,
+                                     CTX_DATA *client_ctx_data);
+ 
++const char *handshake_connect_phase_name(connect_phase_t phase);
++const char *handshake_status_name(handshake_status_t handshake_status);
++const char *handshake_peer_status_name(peer_status_t peer_status);
++
+ #endif  /* OSSL_TEST_HANDSHAKE_HELPER_H */
+diff --git a/test/ssl_test.c b/test/ssl_test.c
+index ea60851..9d6b093 100644
+--- a/test/ssl_test.c
++++ b/test/ssl_test.c
+@@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
+ /* Currently the section names are of the form test-<number>, e.g. test-15. */
+ #define MAX_TESTCASE_NAME_LENGTH 100
+ 
++static void print_handshake_history(const HANDSHAKE_HISTORY *history)
++{
++    size_t first_idx;
++    size_t i;
++    size_t cur_idx;
++    const HANDSHAKE_HISTORY_ENTRY *cur_entry;
++    const char header_template[] = "|%14s|%16s|%16s|%16s|%17s|%14s|";
++    const char body_template[]   = "|%14s|%16s|%16s|%16s|%17d|%14s|";
++
++    TEST_info("The following is the server/client state "
++              "in the most recent %d handshake loops.",
++              MAX_HANDSHAKE_HISTORY_ENTRY);
++
++    TEST_note("=================================================="
++              "==================================================");
++    TEST_note(header_template,
++              "phase", "handshake status", "server status",
++              "client status", "client turn count", "is client turn");
++    TEST_note("+--------------+----------------+----------------"
++              "+----------------+-----------------+--------------+");
++
++    first_idx = (history->last_idx - history->entry_count + 1) &
++                MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
++    for (i = 0; i < history->entry_count; ++i) {
++        cur_idx = (first_idx + i) & MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
++        cur_entry = &(history->entries)[cur_idx];
++        TEST_note(body_template,
++                  handshake_connect_phase_name(cur_entry->phase),
++                  handshake_status_name(cur_entry->handshake_status),
++                  handshake_peer_status_name(cur_entry->server_status),
++                  handshake_peer_status_name(cur_entry->client_status),
++                  cur_entry->client_turn_count,
++                  cur_entry->is_client_turn ? "true" : "false");
++    }
++    TEST_note("=================================================="
++              "==================================================");
++}
++
+ static const char *print_alert(int alert)
+ {
+     return alert ? SSL_alert_desc_string_long(alert) : "no alert";
+@@ -388,6 +426,12 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+         ret &= check_client_sign_type(result, test_ctx);
+         ret &= check_client_ca_names(result, test_ctx);
+     }
++
++    /* Print handshake loop history if any check fails. */
++    if (!ret) {
++        print_handshake_history(&(result->history));
++    }
++
+     return ret;
+ }
+
+--
+2.25.1
+
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
index 5effa6c6f6..7043188973 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -1,6 +1,6 @@
-From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001
+From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex@linutronix.de>
-Date: Tue, 14 Sep 2021 12:18:25 +0200
+Date: Tue, 30 May 2023 09:11:27 -0700
 Subject: [PATCH] Configure: do not tweak mips cflags
 
 This conflicts with mips machine definitons from yocto,
@@ -9,20 +9,23 @@ e.g.
 
 Upstream-Status: Inappropriate [oe-core specific]
 Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+
+Refreshed for openssl-3.1.1
+Signed-off-by: Tim Orling <tim.orling@konsulko.com>
 ---
  Configure | 10 ----------
  1 file changed, 10 deletions(-)
 
 diff --git a/Configure b/Configure
-index 821e680..0387a74 100755
+index fff97bd..5ee54c1 100755
 --- a/Configure
 +++ b/Configure
-@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+@@ -1551,16 +1551,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
          push @{$config{shared_ldflag}}, "-mno-cygwin";
          }
  
 -if ($target =~ /linux.*-mips/ && !$disabled{asm}
--        && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+-        && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
 -        # minimally required architecture flags for assembly modules
 -        my $value;
 -        $value = '-mips2' if ($target =~ /mips32/);
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index 60890c666d..687d682976 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -30,23 +30,26 @@ Update to fix buildpaths qa issue for '-ffile-prefix-map'.
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 
 ---
- Configurations/unix-Makefile.tmpl | 12 +++++++++++-
+ Configurations/unix-Makefile.tmpl | 16 +++++++++++++++-
  crypto/build.info                 |  2 +-
- 2 files changed, 12 insertions(+), 2 deletions(-)
+ 2 files changed, 16 insertions(+), 2 deletions(-)
 
 diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index f88a70f..528cdef 100644
+index 09303c4..011bda1 100644
 --- a/Configurations/unix-Makefile.tmpl
 +++ b/Configurations/unix-Makefile.tmpl
-@@ -471,13 +471,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+@@ -502,13 +502,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
                           '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
  BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
  
 -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h
 +# *_Q variables are used for one thing only: to build up buildinf.h
  CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g;
++              $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g;
                $cppflags2 =~ s|([\\"])|\\$1|g;
++              $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g;
                $lib_cppflags =~ s|([\\"])|\\$1|g;
++              $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g;
                join(' ', $lib_cppflags || (), $cppflags2 || (),
                          $cppflags1 || ()) -}
  
@@ -54,6 +57,7 @@ index f88a70f..528cdef 100644
 +              s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
 +              s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
 +              s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
++              s|-isystem/[^ ]+/usr/include ||g;
 +            }
 +            join(' ', @{$config{CFLAGS}}) -}
 +
@@ -64,15 +68,15 @@ index f88a70f..528cdef 100644
  
  # For x86 assembler: Set PROCESSOR to 386 if you want to support
 diff --git a/crypto/build.info b/crypto/build.info
-index efca6cc..eda433e 100644
+index aee5c46..95c9577 100644
 --- a/crypto/build.info
 +++ b/crypto/build.info
-@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
+@@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
  
  DEPEND[info.o]=buildinf.h
  DEPEND[cversion.o]=buildinf.h
 -GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
 +GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)"
  
- GENERATE[uplink-x86.s]=../ms/uplink-x86.pl
+ GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
  GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl
diff --git a/meta/recipes-connectivity/openssl/openssl/afalg.patch b/meta/recipes-connectivity/openssl/openssl/afalg.patch
deleted file mode 100644
index b7c0e9697f..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/afalg.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Don't refuse to build afalgeng if cross-compiling or the host kernel is too old.
-
-Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688]
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/Configure b/Configure
-index 3baa8ce..9ef52ed 100755
---- a/Configure
-+++ b/Configure
-@@ -1550,20 +1550,7 @@ unless ($disabled{"crypto-mdebug-backtrace"})
- unless ($disabled{afalgeng}) {
-     $config{afalgeng}="";
-     if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
--        my $minver = 4*10000 + 1*100 + 0;
--        if ($config{CROSS_COMPILE} eq "") {
--            my $verstr = `uname -r`;
--            my ($ma, $mi1, $mi2) = split("\\.", $verstr);
--            ($mi2) = $mi2 =~ /(\d+)/;
--            my $ver = $ma*10000 + $mi1*100 + $mi2;
--            if ($ver < $minver) {
--                disable('too-old-kernel', 'afalgeng');
--            } else {
--                push @{$config{engdirs}}, "afalg";
--            }
--        } else {
--            disable('cross-compiling', 'afalgeng');
--        }
-+        push @{$config{engdirs}}, "afalg";
-     } else {
-         disable('not-linux', 'afalgeng');
-     }
diff --git a/meta/recipes-connectivity/openssl/openssl/run-ptest b/meta/recipes-connectivity/openssl/openssl/run-ptest
index 8dff79101f..cd29bb1446 100644
--- a/meta/recipes-connectivity/openssl/openssl/run-ptest
+++ b/meta/recipes-connectivity/openssl/openssl/run-ptest
@@ -1,12 +1,19 @@
 #!/bin/sh
 
-set -e
+set -eu
 
-# Optional arguments are 'list' to lists all tests, or the test name (base name
-# ie test_evp, not 03_test_evp.t).
+# Optional arguments are 'list' to lists the tests, or the test name (base name
+# ie test_evp, not 03_test_evp.t). Without any arguments we run all tests.
+
+if test $# -gt 0; then
+    TESTS=$*
+else
+    # Skip test_symbol_presence as this is for developers
+    TESTS="alltests -test_symbol_presence"
+fi
 
 export TOP=.
-# OPENSSL_ENGINES is relative from the test binaries
-export OPENSSL_ENGINES=../engines
+# Run four jobs in parallel
+export HARNESS_JOBS=4
 
-perl ./test/run_tests.pl $* | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g'
+{ perl ./test/run_tests.pl $TESTS || echo "FAIL: openssl" ; } | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g'
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
index 67343bedcc..0f5c28dafa 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.0.bb
@@ -10,17 +10,17 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
 SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://run-ptest \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
-           file://afalg.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://0001-Added-handshake-history-reporting-when-test-fails.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "59eedfcb46c25214c9bd37ed6078297b4df01d012267fe9e9eee31f61bc70536"
+SRC_URI[sha256sum] = "344d0a79f1a9b08029b0744e2cc401a43f9c90acd1044d09a530b4885a8e9fc0"
 
-inherit lib_package multilib_header multilib_script ptest perlnative
+inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
 
 PACKAGECONFIG ?= ""
@@ -30,10 +30,14 @@ PACKAGECONFIG:class-nativesdk = ""
 PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
 PACKAGECONFIG[no-tls1] = "no-tls1"
 PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
+PACKAGECONFIG[manpages] = ""
+PACKAGECONFIG[fips] = "enable-fips"
 
 B = "${WORKDIR}/build"
 do_configure[cleandirs] = "${B}"
 
+EXTRA_OECONF = "${@bb.utils.contains('PTEST_ENABLED', '1', '', 'no-tests', d)}"
+
 #| ./libcrypto.so: undefined reference to `getcontext'
 #| ./libcrypto.so: undefined reference to `setcontext'
 #| ./libcrypto.so: undefined reference to `makecontext'
@@ -42,18 +46,30 @@ EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
 
 # adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
 # (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
-EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
-EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
+EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom"
+EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom"
 
 # Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
-CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+EXTRA_OEMAKE:append:task-compile:class-native = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
+EXTRA_OEMAKE:append:task-compile:class-nativesdk = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"'
+
+#| threads_pthread.c:(.text+0x372): undefined reference to `__atomic_is_lock_free'
+EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"
 
 # This allows disabling deprecated or undesirable crypto algorithms.
 # The default is to trust upstream choices.
 DEPRECATED_CRYPTO_FLAGS ?= ""
 
 do_configure () {
+        # When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
+        # the issue really clear that perl isn't functional due to symbol mismatch issues.
+        cat <<- EOF > ${WORKDIR}/perltest
+        #!/usr/bin/env perl
+        use POSIX;
+        EOF
+        chmod a+x ${WORKDIR}/perltest
+        ${WORKDIR}/perltest
+
         os=${HOST_OS}
         case $os in
         linux-gnueabi |\
@@ -68,6 +84,9 @@ do_configure () {
         esac
         target="$os-${HOST_ARCH}"
         case $target in
+        linux-arc | linux-microblaze*)
+                target=linux-latomic
+                ;;
         linux-arm*)
                 target=linux-armv4
                 ;;
@@ -83,6 +102,9 @@ do_configure () {
         linux-gnu64-x86_64)
                 target=linux-x86_64
                 ;;
+        linux-loongarch64)
+                target=linux64-loongarch64
+                ;;
         linux-mips | linux-mipsel)
                 # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
                 target="linux-mips32 ${TARGET_CC_ARCH}"
@@ -93,7 +115,7 @@ do_configure () {
         linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
                 target=linux64-mips64
                 ;;
-        linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
+        linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
                 target=linux-generic32
                 ;;
         linux-powerpc)
@@ -106,10 +128,10 @@ do_configure () {
                 target=linux-ppc64le
                 ;;
         linux-riscv32)
-                target=linux-generic32
+                target=linux32-riscv32
                 ;;
         linux-riscv64)
-                target=linux-generic64
+                target=linux64-riscv64
                 ;;
         linux-sparc | linux-supersparc)
                 target=linux-sparcv9
@@ -119,19 +141,26 @@ do_configure () {
                 ;;
         esac
 
-        useprefix=${prefix}
-        if [ "x$useprefix" = "x" ]; then
-                useprefix=/
-        fi
         # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
         # environment variables set by bitbake. Adjust the environment variables instead.
-        HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
-        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
+        PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
+        test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
+        HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
+        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target
         perl ${B}/configdata.pm --dump
 }
 
+do_compile:append () {
+        # The test suite binaries are large and we don't need the debugging in them
+        if test -d ${B}/test; then
+                find ${B}/test -type f -executable -exec ${STRIP} {} \;
+        fi
+}
+
 do_install () {
-        oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
+        oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \
+            ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \
+            ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)}
 
         oe_multilib_header openssl/opensslconf.h
         oe_multilib_header openssl/configuration.h
@@ -149,61 +178,72 @@ do_install () {
         ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
         ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
         ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+
+        # Generate fipsmodule.cnf in pkg_postinst_ontarget
+        if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then
+                rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf
+        fi
 }
 
 do_install:append:class-native () {
         create_wrapper ${D}${bindir}/openssl \
-            OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
-            SSL_CERT_DIR=${libdir}/ssl-3/certs \
-            SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
-            OPENSSL_ENGINES=${libdir}/engines-3
+            OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \
+            SSL_CERT_DIR=\${SSL_CERT_DIR:-${libdir}/ssl-3/certs} \
+            SSL_CERT_FILE=\${SSL_CERT_FILE:-${libdir}/ssl-3/cert.pem} \
+            OPENSSL_ENGINES=\${OPENSSL_ENGINES:-${libdir}/engines-3} \
+            OPENSSL_MODULES=\${OPENSSL_MODULES:-${libdir}/ossl-modules}
 }
 
 do_install:append:class-nativesdk () {
         mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
-        install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
-        sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+        install -m 644 ${UNPACKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
 }
 
 PTEST_BUILD_HOST_FILES += "configdata.pm"
 PTEST_BUILD_HOST_PATTERN = "perl_version ="
-do_install_ptest () {
-        install -d ${D}${PTEST_PATH}/test
-        install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
-        install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
-
-        # Prune the build tree
-        rm -f ${B}/fuzz/*.* ${B}/test/*.*
-
-        cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
-        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm
-        cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
-
-        # For test_shlibload
-        ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
-        ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
+do_install_ptest() {
+        install -m644 ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
+        cp -rf ${S}/Configurations ${S}/external ${D}${PTEST_PATH}/
 
         install -d ${D}${PTEST_PATH}/apps
         ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
-        install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
-        install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
-
-        install -d ${D}${PTEST_PATH}/engines
-        install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
-        install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
-
-        install -d ${D}${PTEST_PATH}/providers
-        install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
-
-        install -d ${D}${PTEST_PATH}/Configurations
-        cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
 
-        # seems to be needed with perl 5.32.1
-        install -d ${D}${PTEST_PATH}/util/perl/recipes
-        cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
+        cd ${S}
+        find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.der -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find util -name \*.p[lm] -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+
+        cd ${B}
+        # Everything but .? (.o and .d)
+        find test -type f -name \*[^.]? -exec install -m755 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        find apps test -name \*.srl -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+        install -m755 ${B}/util/*wrap.* ${D}${PTEST_PATH}/util/
+
+        install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps/
+        install -m755 ${S}/test/*.pl ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/shibboleth.pfx ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/*.bin ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/dane*.in ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/smcont*.txt ${D}${PTEST_PATH}/test/
+        install -m755 ${S}/test/ssl_test.tmpl ${D}${PTEST_PATH}/test/
+
+        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm ${D}${PTEST_PATH}/util/wrap.pl
 
-        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl
+        install -d ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines/
+        install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines/
+        ln -s ${libdir}/engines-3/loader_attic.so ${D}${PTEST_PATH}/engines/
+        ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers
+}
 
+pkg_postinst_ontarget:${PN}-ossl-module-fips () {
+        if test -f ${libdir}/ossl-modules/fips.so; then
+                ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so
+        fi
 }
 
 # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
@@ -211,7 +251,7 @@ do_install_ptest () {
 # file to be installed for both the openssl-bin package and the libcrypto
 # package since the openssl-bin package depends on the libcrypto package.
 
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips"
 
 FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
 FILES:libssl = "${libdir}/libssl${SOLIBS}"
@@ -222,23 +262,22 @@ FILES:${PN}-engines = "${libdir}/engines-3"
 # ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
 FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
 FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
+FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so"
 FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
 FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
 
 CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 
-RRECOMMENDS:libcrypto += "openssl-conf"
+RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
 RDEPENDS:${PN}-misc = "perl"
-RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash"
+RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines openssl-ossl-module-legacy"
 
 RDEPENDS:${PN}-bin += "openssl-conf"
 
+# The test suite is installed stripped
+INSANE_SKIP:${PN} = "already-stripped"
+
 BBCLASSEXTEND = "native nativesdk"
 
 CVE_PRODUCT = "openssl:openssl"
-
-CVE_VERSION_SUFFIX = "alphabetical"
-
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
-# Apache in meta-webserver is already recent enough
-CVE_CHECK_WHITELIST += "CVE-2019-0190"
diff --git a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
index 8a6c297cb0..5c9c8219d7 100644
--- a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
+++ b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
@@ -3,7 +3,6 @@ SECTION = "console/network"
 DESCRIPTION = "PPP dail-in provides a point to point protocol (PPP), so that other computers can dial up to it and access connected networks."
 DEPENDS = "ppp"
 RDEPENDS:${PN} = "ppp"
-PR = "r8"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
@@ -12,14 +11,14 @@ SRC_URI = "file://host-peer \
 
 inherit allarch useradd
 
-S = "${WORKDIR}"
+S = "${UNPACKDIR}"
 
 do_install() {
         install -d ${D}${sysconfdir}/ppp/peers
-        install -m 0644 ${WORKDIR}/host-peer ${D}${sysconfdir}/ppp/peers/host
+        install -m 0644 ${S}/host-peer ${D}${sysconfdir}/ppp/peers/host
 
         install -d ${D}${sbindir}
-        install -m 0755 ${WORKDIR}/ppp-dialin ${D}${sbindir}
+        install -m 0755 ${S}/ppp-dialin ${D}${sbindir}
 }
 
 USERADD_PACKAGES = "${PN}"
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch
new file mode 100644
index 0000000000..a00706c184
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch
@@ -0,0 +1,98 @@
+From a6eb65162db5bcc5ec26cff7361885c0a44cbbfa Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 17 Mar 2025 11:12:07 +0100
+Subject: [PATCH] pppd/pppdconf.h: remove erroneous generated header
+
+Upstream-Status: Inappropriate [tarball generation issue tracked at https://github.com/ppp-project/ppp/issues/541]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ pppd/pppdconf.h | 80 -------------------------------------------------
+ 1 file changed, 80 deletions(-)
+ delete mode 100644 pppd/pppdconf.h
+
+diff --git a/pppd/pppdconf.h b/pppd/pppdconf.h
+deleted file mode 100644
+index 51a8f02..0000000
+--- a/pppd/pppdconf.h
++++ /dev/null
+@@ -1,80 +0,0 @@
+-/* pppd/pppdconf.h.  Generated from pppdconf.h.in by configure.  */
+-/* 
+- * Copyright (c) 2022 Eivind Næss. All rights reserved.
+- *
+- * Redistribution and use in source and binary forms, with or without
+- * modification, are permitted provided that the following conditions
+- * are met:
+- *
+- * 1. Redistributions of source code must retain the above copyright
+- *    notice, this list of conditions and the following disclaimer.
+- *
+- * 2. Redistributions in binary form must reproduce the above copyright
+- *    notice, this list of conditions and the following disclaimer in
+- *    the documentation and/or other materials provided with the
+- *    distribution.
+- *
+- * 3. The name(s) of the authors of this software must not be used to
+- *    endorse or promote products derived from this software without
+- *    prior written permission.
+- *
+- * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
+- * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+- * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
+- * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
+- * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+- */
+-
+-/*
+- * This file is generated by configure and sets the features enabled
+- *   in pppd when configured.
+- */
+-
+-#ifndef PPP_PPPDCONF_H
+-#define PPP_PPPDCONF_H
+-
+-/* Have Microsoft CHAP support */
+-#define PPP_WITH_CHAPMS 1
+-
+-/* Have Microsoft LAN Manager support */
+-/* #undef PPP_WITH_MSLANMAN */
+-
+-/* Have Microsoft MPPE support */
+-#define PPP_WITH_MPPE 1
+-
+-/* Have multilink support */
+-#define PPP_WITH_MULTILINK 1
+-
+-/* Have packet activity filter support */
+-#define PPP_WITH_FILTER 1
+-
+-/* Have support for loadable plugins */
+-#define PPP_WITH_PLUGINS 1
+-
+-/* Have Callback Protocol support */
+-/* #undef PPP_WITH_CBCP */
+-
+-/* Include TDB support */
+-#define PPP_WITH_TDB 1
+-
+-/* Have IPv6 Control Protocol */
+-#define PPP_WITH_IPV6CP 1
+-
+-/* Support for Pluggable Authentication Modules */
+-/* #undef PPP_WITH_PAM */
+-
+-/* Have EAP-SRP authentication support */
+-/* #undef PPP_WITH_SRP */
+-
+-/* Have EAP-TLS authentication support */
+-#define PPP_WITH_EAPTLS 1
+-
+-/* Have PEAP authentication support */
+-#define PPP_WITH_PEAP 1
+-
+-/* The pppd version */
+-#define PPPD_VERSION "2.5.2"
+-
+-#endif
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-session-Fixed-building-with-GCC-15.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-session-Fixed-building-with-GCC-15.patch
new file mode 100644
index 0000000000..d95c72e96b
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppd-session-Fixed-building-with-GCC-15.patch
@@ -0,0 +1,33 @@
+From 5edcb01f1d8d521c819d45df1f1bb87697252130 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 17 Mar 2025 14:38:26 -0700
+Subject: [PATCH] pppd/session: Fixed building with GCC 15
+
+Fixed building with GCC 15 which defaults to C23
+and find conflicting declration of getspnam() here
+with the one provided by shadow.h (extern struct spwd *getspnam (const char *__name);)
+
+Fixes
+../../ppp-2.5.2/pppd/session.c: In function 'session_start':
+../../ppp-2.5.2/pppd/session.c:185:18: error: conflicting types for 'getspnam'; have 'struct spwd *(void)'
+  185 |     struct spwd *getspnam();
+      |                  ^~~~~~~~
+
+Upstream-Status: Submitted [https://github.com/ppp-project/ppp/pull/553]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ pppd/session.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/pppd/session.c b/pppd/session.c
+index f08d8e1..9cc7538 100644
+--- a/pppd/session.c
++++ b/pppd/session.c
+@@ -182,7 +182,6 @@ session_start(const int flags, const char *user, const char *passwd, const char
+     char *cbuf;
+ #ifdef HAVE_SHADOW_H
+     struct spwd *spwd;
+-    struct spwd *getspnam();
+     long now = 0;
+ #endif /* #ifdef HAVE_SHADOW_H */
+ #endif /* #ifdef PPP_WITH_PAM */
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppdump-Fixed-building-with-GCC-15-548.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppdump-Fixed-building-with-GCC-15-548.patch
new file mode 100644
index 0000000000..2a3b3cc84a
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppdump-Fixed-building-with-GCC-15-548.patch
@@ -0,0 +1,75 @@
+From 44a766a3d086f10cb584a0c423e5bed6af2e3615 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
+Date: Thu, 27 Feb 2025 23:00:16 +0100
+Subject: [PATCH] pppdump: Fixed building with GCC 15 (#548)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+GCC 15 defaults to C23 which does not allow K&R declarations.
+
+Credit Yaakov Selkowitz in:
+https://src.fedoraproject.org/rpms/ppp/pull-request/12
+
+Upstream-Status: Backport [https://github.com/ppp-project/ppp/pull/548]
+
+Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ pppdump/pppdump.c | 20 +++++++-------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
+index c24208a..1534036 100644
+--- a/pppdump/pppdump.c
++++ b/pppdump/pppdump.c
+@@ -42,14 +42,12 @@ int tot_sent, tot_rcvd;
+ extern int optind;
+ extern char *optarg;
+ 
+-void dumplog();
+-void dumpppp();
+-void show_time();
++void dumplog(FILE *);
++void dumpppp(FILE *);
++void show_time(FILE *, int);
+ 
+ int
+-main(ac, av)
+-    int ac;
+-    char **av;
++main(int ac, char **av)
+ {
+     int i;
+     char *p;
+@@ -97,8 +95,7 @@ main(ac, av)
+ }
+ 
+ void
+-dumplog(f)
+-    FILE *f;
++dumplog(FILE *f)
+ {
+     int c, n, k, col;
+     int nb, c2;
+@@ -241,8 +238,7 @@ struct pkt {
+ unsigned char dbuf[8192];
+ 
+ void
+-dumpppp(f)
+-    FILE *f;
++dumpppp(FILE *f)
+ {
+     int c, n, k;
+     int nb, nl, dn, proto, rv;
+@@ -375,9 +371,7 @@ dumpppp(f)
+ }
+ 
+ void
+-show_time(f, c)
+-    FILE *f;
+-    int c;
++show_time(FILE *f, int c)
+ {
+     time_t t;
+     int n;
diff --git a/meta/recipes-connectivity/ppp/ppp/makefix.patch b/meta/recipes-connectivity/ppp/ppp/makefix.patch
deleted file mode 100644
index fce068cae0..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/makefix.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-We were seeing reproducibility issues where one host would use the internal 
-logwtmp wrapper, another would use the one in libutil. The issue was that in
-some cases the "\#include" was making it to CC, in others, "#include". The
-issue seems to be related to shell escaping.
-
-The root cause looks to be:
-http://git.savannah.gnu.org/cgit/make.git/commit/?id=c6966b323811c37acedff05b576b907b06aea5f4
-
-Instead of relying on shell quoting, use make to indirect the variable
-and avoid the problem.
-
-See https://github.com/paulusmack/ppp/issues/233
-
-Upstream-Status: Backport [https://github.com/paulusmack/ppp/commit/b4430f7092ececdff2504d5f3393a4c6528c3686]
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-
-Index: ppp-2.4.9/pppd/Makefile.linux
-===================================================================
---- ppp-2.4.9.orig/pppd/Makefile.linux
-+++ ppp-2.4.9/pppd/Makefile.linux
-@@ -80,7 +80,8 @@ PLUGIN=y
- #USE_SRP=y
- 
- # Use libutil; test if logwtmp is declared in <utmp.h> to detect
--ifeq ($(shell echo '\#include <utmp.h>' | $(CC) -E - 2>/dev/null | grep -q logwtmp && echo yes),yes)
-+UTMPHEADER = "\#include <utmp.h>"
-+ifeq ($(shell echo $(UTMPHEADER) | $(CC) -E - 2>/dev/null | grep -q logwtmp && echo yes),yes)
- USE_LIBUTIL=y
- endif
- 
-@@ -143,7 +144,8 @@ CFLAGS   += -DHAS_SHADOW
- #LIBS     += -lshadow $(LIBS)
- endif
- 
--ifeq ($(shell echo '\#include <crypt.h>' | $(CC) -E - >/dev/null 2>&1 && echo yes),yes)
-+CRYPTHEADER = "\#include <crypt.h>"
-+ifeq ($(shell echo $(CRYPTHEADER) | $(CC) -E - >/dev/null 2>&1 && echo yes),yes)
- CFLAGS  += -DHAVE_CRYPT_H=1
- LIBS   += -lcrypt
- endif
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb b/meta/recipes-connectivity/ppp/ppp_2.5.2.bb
index 235595ff76..607678db8b 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.5.2.bb
@@ -4,15 +4,14 @@ the Point-to-Point Protocol (PPP) on Linux and Solaris systems."
 SECTION = "console/network"
 HOMEPAGE = "http://samba.org/ppp/"
 BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs"
-DEPENDS = "libpcap openssl virtual/crypt"
-LICENSE = "BSD-3-Clause & BSD-3-Clause-Attribution & GPLv2+ & LGPLv2+ & PD"
-LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \
-                    file://pppd/plugins/passprompt.c;beginline=1;endline=10;md5=3bcbcdbf0e369c9a3e0b8c8275b065d8 \
+DEPENDS = "libpcap virtual/crypt"
+LICENSE = "BSD-2-Clause & GPL-2.0-or-later & LGPL-2.0-or-later & PD & RSA-MD & MIT"
+LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=25;md5=f0463bd67ae70535c709fca554089bd8 \
                     file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \
-                    file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2"
+                    file://chat/chat.c;beginline=1;endline=1;md5=234d7d4edd08962c0144e4604050e0b6 \
+                    "
 
 SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
-           file://makefix.patch \
            file://pon \
            file://poff \
            file://init \
@@ -24,52 +23,40 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
            file://ppp_on_boot \
            file://provider \
            file://ppp@.service \
+           file://0001-pppdump-Fixed-building-with-GCC-15-548.patch \
+           file://0001-pppd-pppdconf.h-remove-erroneous-generated-header.patch \
+           file://0001-pppd-session-Fixed-building-with-GCC-15.patch \
            "
 
-SRC_URI[sha256sum] = "f938b35eccde533ea800b15a7445b2f1137da7f88e32a16898d02dee8adc058d"
+SRC_URI[sha256sum] = "47da358de54a10cb10bf6ff2cf9b1c03c0d3555518f6182e8f701b8e55733cb2"
 
-inherit autotools-brokensep systemd
+inherit autotools pkgconfig systemd
 
-TARGET_CC_ARCH += " ${LDFLAGS}"
-EXTRA_OEMAKE = "CC='${CC}' STRIPPROG=${STRIP} MANDIR=${D}${datadir}/man/man8 INCDIR=${D}${includedir} LIBDIR=${D}${libdir}/pppd/${PV} BINDIR=${D}${sbindir}"
-EXTRA_OECONF = "--disable-strip"
-
-# Package Makefile computes CFLAGS, referencing COPTS.
-# Typically hard-coded to '-O2 -g' in the Makefile's.
-#
-EXTRA_OEMAKE += ' COPTS="${CFLAGS} -I${STAGING_INCDIR}/openssl -I${S}/include"'
-
-do_configure () {
-        oe_runconf
-}
+PACKAGECONFIG = "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} openssl"
+PACKAGECONFIG[pam] = "--with-pam=yes,--with-pam=no,libpam"
+PACKAGECONFIG[openssl] = "--with-openssl=yes,--with-openssl=no,openssl"
+PACKAGECONFIG[multilink] = "--enable-multilink,--disable-multilink"
 
 do_install:append () {
-        make install-etcppp ETCDIR=${D}/${sysconfdir}/ppp
         mkdir -p ${D}${bindir}/ ${D}${sysconfdir}/init.d
         mkdir -p ${D}${sysconfdir}/ppp/ip-up.d/
         mkdir -p ${D}${sysconfdir}/ppp/ip-down.d/
-        install -m 0755 ${WORKDIR}/pon ${D}${bindir}/pon
-        install -m 0755 ${WORKDIR}/poff ${D}${bindir}/poff
-        install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/ppp
-        install -m 0755 ${WORKDIR}/ip-up ${D}${sysconfdir}/ppp/
-        install -m 0755 ${WORKDIR}/ip-down ${D}${sysconfdir}/ppp/
-        install -m 0755 ${WORKDIR}/08setupdns ${D}${sysconfdir}/ppp/ip-up.d/
-        install -m 0755 ${WORKDIR}/92removedns ${D}${sysconfdir}/ppp/ip-down.d/
+        install -m 0755 ${UNPACKDIR}/pon ${D}${bindir}/pon
+        install -m 0755 ${UNPACKDIR}/poff ${D}${bindir}/poff
+        install -m 0755 ${UNPACKDIR}/init ${D}${sysconfdir}/init.d/ppp
+        install -m 0755 ${UNPACKDIR}/ip-up ${D}${sysconfdir}/ppp/
+        install -m 0755 ${UNPACKDIR}/ip-down ${D}${sysconfdir}/ppp/
+        install -m 0755 ${UNPACKDIR}/08setupdns ${D}${sysconfdir}/ppp/ip-up.d/
+        install -m 0755 ${UNPACKDIR}/92removedns ${D}${sysconfdir}/ppp/ip-down.d/
         mkdir -p ${D}${sysconfdir}/chatscripts
         mkdir -p ${D}${sysconfdir}/ppp/peers
-        install -m 0755 ${WORKDIR}/pap ${D}${sysconfdir}/chatscripts
-        install -m 0755 ${WORKDIR}/ppp_on_boot ${D}${sysconfdir}/ppp/ppp_on_boot
-        install -m 0755 ${WORKDIR}/provider ${D}${sysconfdir}/ppp/peers/provider
+        install -m 0755 ${UNPACKDIR}/pap ${D}${sysconfdir}/chatscripts
+        install -m 0755 ${UNPACKDIR}/ppp_on_boot ${D}${sysconfdir}/ppp/ppp_on_boot
+        install -m 0755 ${UNPACKDIR}/provider ${D}${sysconfdir}/ppp/peers/provider
         install -d ${D}${systemd_system_unitdir}
-        install -m 0644 ${WORKDIR}/ppp@.service ${D}${systemd_system_unitdir}
+        install -m 0644 ${UNPACKDIR}/ppp@.service ${D}${systemd_system_unitdir}
         sed -i -e 's,@SBINDIR@,${sbindir},g' \
                ${D}${systemd_system_unitdir}/ppp@.service
-        rm -rf ${D}/${mandir}/man8/man8
-        chmod u+s ${D}${sbindir}/pppd
-}
-
-do_install:append:libc-musl () {
-        install -Dm 0644 ${S}/include/net/ppp_defs.h ${D}${includedir}/net/ppp_defs.h
 }
 
 CONFFILES:${PN} = "${sysconfdir}/ppp/pap-secrets ${sysconfdir}/ppp/chap-secrets ${sysconfdir}/ppp/options"
@@ -92,5 +79,3 @@ SUMMARY:${PN}-password = "Plugin for PPP to get passwords via a pipe"
 SUMMARY:${PN}-l2tp     = "Plugin for PPP for l2tp support"
 SUMMARY:${PN}-tools    = "Additional tools for the PPP package"
 
-# Ignore compatibility symlink rp-pppoe.so->pppoe.so
-INSANE_SKIP:${PN}-oe += "dev-so"
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch b/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch
new file mode 100644
index 0000000000..ab32f26754
--- /dev/null
+++ b/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch
@@ -0,0 +1,37 @@
+From 6bf2bb136a0b3961339369bc08e58b661fba0edb Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Thu, 17 Nov 2022 17:26:30 +0800
+Subject: [PATCH] avoid using -m option for readlink
+
+Use a more widely used option '-f' instead of '-m' here to
+avoid dependency on coreutils.
+
+Looking at the git history of the resolvconf repo, the '-m'
+is deliberately used. And it wants to depend on coreutils.
+But in case of OE, the existence of /etc is ensured, and busybox
+readlink provides '-f' option, so we can just use '-f'. In this
+way, the coreutils dependency is not necessary any more.
+
+Upstream-Status: Inappropriate [OE Specific]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ etc/resolvconf/update.d/libc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/etc/resolvconf/update.d/libc b/etc/resolvconf/update.d/libc
+index 1c4f6bc..f75d22c 100755
+--- a/etc/resolvconf/update.d/libc
++++ b/etc/resolvconf/update.d/libc
+@@ -57,7 +57,7 @@ fi
+ report_warning() { echo "$0: Warning: $*" >&2 ; }
+ 
+ resolv_conf_is_symlinked_to_dynamic_file() {
+-       [ -L ${ETC}/resolv.conf ] && [ "$(readlink -m ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ]
++       [ -L ${ETC}/resolv.conf ] && [ "$(readlink -f ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ]
+ }
+ 
+ if ! resolv_conf_is_symlinked_to_dynamic_file ; then
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch b/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch
deleted file mode 100644
index 1aead07869..0000000000
--- a/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-
-busybox installs readlink into /usr/bin, so ensure /usr/bin
-is in the path.
-
-Upstream-Status: Submitted
-Signed-off-by: Saul Wold <sgw@linux.intel.com>
-
-Index: resolvconf-1.76/etc/resolvconf/update.d/libc
-===================================================================
---- resolvconf-1.76.orig/etc/resolvconf/update.d/libc
-+++ resolvconf-1.76/etc/resolvconf/update.d/libc
-@@ -16,7 +16,7 @@
- #
- 
- set -e
--PATH=/sbin:/bin
-+PATH=/sbin:/bin:/usr/bin
- 
- [ -x /lib/resolvconf/list-records ] || exit 1
- 
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf_1.87.bb b/meta/recipes-connectivity/resolvconf/resolvconf_1.93.bb
index f57abe3619..c10c57267a 100644
--- a/meta/recipes-connectivity/resolvconf/resolvconf_1.87.bb
+++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.93.bb
@@ -5,34 +5,29 @@ itself up as the intermediary between programs that supply \
 nameserver information and programs that need nameserver \
 information."
 SECTION = "console/network"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
-AUTHOR = "Thomas Hood"
 HOMEPAGE = "http://packages.debian.org/resolvconf"
-RDEPENDS:${PN} = "bash"
+RDEPENDS:${PN} = "bash sed util-linux-flock"
 
 SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=unstable \
-           file://fix-path-for-busybox.patch \
            file://99_resolvconf \
+           file://0001-avoid-using-m-option-for-readlink.patch \
            "
 
-SRCREV = "1dda36d8465e335c60190c41e7185d782da1bd7b"
-
-S = "${WORKDIR}/git"
+SRCREV = "ab766fa31f7939f6d879123236b4275320b7ff64"
 
 # the package is taken from snapshots.debian.org; that source is static and goes stale
 # so we check the latest upstream from a directory that does get updated
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/r/resolvconf/"
 
-inherit allarch
-
 do_compile () {
         :
 }
 
 do_install () {
         install -d ${D}${sysconfdir}/default/volatiles
-        install -m 0644 ${WORKDIR}/99_resolvconf ${D}${sysconfdir}/default/volatiles
+        install -m 0644 ${UNPACKDIR}/99_resolvconf ${D}${sysconfdir}/default/volatiles
         if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
                 install -d ${D}${sysconfdir}/tmpfiles.d
                 echo "d /run/${BPN}/interface - - - -" \
@@ -40,12 +35,14 @@ do_install () {
         fi
         install -d ${D}${base_libdir}/${BPN}
         install -d ${D}${sysconfdir}/${BPN}
+        install -d ${D}${nonarch_base_libdir}/${BPN}
         ln -snf ${localstatedir}/run/${BPN} ${D}${sysconfdir}/${BPN}/run
         install -d ${D}${sysconfdir} ${D}${base_sbindir}
         install -d ${D}${mandir}/man8 ${D}${docdir}/${P}
         cp -pPR etc/resolvconf ${D}${sysconfdir}/
         chown -R root:root ${D}${sysconfdir}/
         install -m 0755 bin/resolvconf ${D}${base_sbindir}/
+        install -m 0755 bin/normalize-resolvconf ${D}${nonarch_base_libdir}/${BPN}
         install -m 0755 bin/list-records ${D}${base_libdir}/${BPN}
         install -d ${D}/${sysconfdir}/network/if-up.d
         install -m 0755 debian/resolvconf.000resolvconf.if-up ${D}/${sysconfdir}/network/if-up.d/000resolvconf
@@ -65,4 +62,4 @@ pkg_postinst:${PN} () {
         fi
 }
 
-FILES:${PN} += "${base_libdir}/${BPN}"
+FILES:${PN} += "${base_libdir}/${BPN} ${nonarch_base_libdir}/${BPN}"
diff --git a/meta/recipes-connectivity/slirp/libslirp_4.9.1.bb b/meta/recipes-connectivity/slirp/libslirp_4.9.1.bb
new file mode 100644
index 0000000000..9f7005d709
--- /dev/null
+++ b/meta/recipes-connectivity/slirp/libslirp_4.9.1.bb
@@ -0,0 +1,14 @@
+SUMMARY = "A general purpose TCP-IP emulator"
+DESCRIPTION = "A general purpose TCP-IP emulator used by virtual machine hypervisors to provide virtual networking services."
+HOMEPAGE = "https://gitlab.freedesktop.org/slirp/libslirp"
+LICENSE = "BSD-3-Clause & MIT"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bca0186b14e6b05e338e729f106db727"
+
+SRC_URI = "git://gitlab.freedesktop.org/slirp/libslirp.git;protocol=https;branch=master"
+SRCREV = "9c744e1e52aa0d9646ed91d789d588696292c21e"
+
+DEPENDS = "glib-2.0"
+
+inherit meson pkgconfig
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch b/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch
new file mode 100644
index 0000000000..ea00dfa0a9
--- /dev/null
+++ b/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch
@@ -0,0 +1,62 @@
+From c4c3d5f2d4dfe8167205e8d20b4cb7a197706c16 Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Wed, 27 Nov 2024 04:09:59 -0800
+Subject: [PATCH] fix compile procan.c failed
+
+1. Compile socat failed if out of tree build (build dir != source dir)
+...
+gcc -c -D CC="gcc" -o procan.o procan.c
+cc1: fatal error: procan.c: No such file or directory
+...
+Explicitly add $srcdir to makefile rule
+
+2. Compile socat failed if multiple words in $(CC), such as CC="gcc -m64"
+...
+from ../socat-1.8.0.0/procan.c:10:
+../socat-1.8.0.0/sysincludes.h:18:10: fatal error: inttypes.h: No such file or directory
+   18 | #include <inttypes.h>   /* uint16_t */
+...
+
+In commit [Procan: print umask, CC, and couple more new infos][1],
+it defeines marcro CC in C source, the space in CC will break
+C source compile. Use first word of $(CC) to defeine marco CC
+
+[1] https://repo.or.cz/socat.git/commit/cd5673dbd0786c94e0b3ace7e35fab14c01e3185
+
+Upstream-Status: Submitted [socat@dest-unreach.org]
+
+Rebase to 1.8.0.1
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ Makefile.in | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 631d31d..103d4d1 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -110,7 +110,7 @@ socat: socat.o libxio.a
+        $(CC) $(CFLAGS) $(LDFLAGS) -o $@ socat.o libxio.a $(CLIBS)
+ 
+ procan.o: $(srcdir)/procan.c
+-       $(CC) $(CFLAGS) -c -D CC="\"$(CC)\"" -o $@ $(srcdir)/procan.c
++       $(CC) $(CFLAGS) -c -D CC="\"$(firstword $(CC))\"" -o $@ $(srcdir)/procan.c
+ 
+ PROCAN_OBJS=procan_main.o procan.o procan-cdefs.o hostan.o error.o sycls.o sysutils.o utils.o vsnprintf_r.o snprinterr.o
+ procan: $(PROCAN_OBJS)
+@@ -132,9 +132,9 @@ install: progs $(srcdir)/doc/socat.1
+        mkdir -p $(DESTDIR)$(BINDEST)
+        $(INSTALL) -m 755 socat $(DESTDIR)$(BINDEST)/socat1
+        ln -sf socat1 $(DESTDIR)$(BINDEST)/socat
+-       $(INSTALL) -m 755 socat-chain.sh  $(DESTDIR)$(BINDEST)
+-       $(INSTALL) -m 755 socat-mux.sh    $(DESTDIR)$(BINDEST)
+-       $(INSTALL) -m 755 socat-broker.sh $(DESTDIR)$(BINDEST)
++       $(INSTALL) -m 755 $(srcdir)/socat-chain.sh  $(DESTDIR)$(BINDEST)
++       $(INSTALL) -m 755 $(srcdir)/socat-mux.sh    $(DESTDIR)$(BINDEST)
++       $(INSTALL) -m 755 $(srcdir)/socat-broker.sh $(DESTDIR)$(BINDEST)
+        $(INSTALL) -m 755 procan $(DESTDIR)$(BINDEST)
+        $(INSTALL) -m 755 filan $(DESTDIR)$(BINDEST)
+        mkdir -p $(DESTDIR)$(MANDEST)/man1
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/socat/socat_1.7.4.1.bb b/meta/recipes-connectivity/socat/socat_1.8.0.3.bb
index 1ad5f15b93..ee6ca1fe44 100644
--- a/meta/recipes-connectivity/socat/socat_1.7.4.1.bb
+++ b/meta/recipes-connectivity/socat/socat_1.8.0.3.bb
@@ -7,13 +7,13 @@ SECTION = "console/network"
 
 LICENSE = "GPL-2.0-with-OpenSSL-exception"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-                    file://README;beginline=257;endline=287;md5=82520b052f322ac2b5b3dfdc7c7eea86"
+                    file://README;beginline=248;endline=278;md5=338c05eadd013872abb1d6e198e10a3f"
 
 SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
+           file://0001-fix-compile-procan.c-failed.patch \
 "
 
-SRC_URI[md5sum] = "36cad050ecf4981ab044c3fbd75c643f"
-SRC_URI[sha256sum] = "3faca25614e89123dff5045680549ecef519d02e331aaf3c4f5a8f6837c675e9"
+SRC_URI[sha256sum] = "01eb017361d95bb3a6941e840b59e4463a3fabf92df4154ed02b16a2ed6a0095"
 
 inherit autotools
 
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
index ddd10e6eeb..57b0534929 100644
--- a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
+++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
@@ -6,14 +6,18 @@ SRC_URI = "file://dropbear_rsa_host_key \
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
 
+S = "${UNPACKDIR}"
+
 INHIBIT_DEFAULT_DEPS = "1"
 
+COMPATIBLE_MACHINE = "^qemu.*$"
+
 do_install () {
         install -d ${D}${sysconfdir}/dropbear
-        install ${WORKDIR}/dropbear_rsa_host_key -m 0600 ${D}${sysconfdir}/dropbear/
+        install ${UNPACKDIR}/dropbear_rsa_host_key -m 0600 ${D}${sysconfdir}/dropbear/
 
         install -d ${D}${sysconfdir}/ssh
-        install ${WORKDIR}/openssh/* ${D}${sysconfdir}/ssh/
+        install ${UNPACKDIR}/openssh/* ${D}${sysconfdir}/ssh/
         chmod 0600 ${D}${sysconfdir}/ssh/*
         chmod 0644 ${D}${sysconfdir}/ssh/*.pub
-}
\ No newline at end of file
+}
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
deleted file mode 100644
index 7b0713cf6d..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication
-of disconnection in certain situations because source address validation is
-mishandled. This is a denial of service that should have been prevented by PMF
-(aka management frame protection). The attacker must send a crafted 802.11 frame
-from a location that is within the 802.11 communications range.
-
-CVE: CVE-2019-16275
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Thu, 29 Aug 2019 11:52:04 +0300
-Subject: [PATCH] AP: Silently ignore management frame from unexpected source
- address
-
-Do not process any received Management frames with unexpected/invalid SA
-so that we do not add any state for unexpected STA addresses or end up
-sending out frames to unexpected destination. This prevents unexpected
-sequences where an unprotected frame might end up causing the AP to send
-out a response to another device and that other device processing the
-unexpected response.
-
-In particular, this prevents some potential denial of service cases
-where the unexpected response frame from the AP might result in a
-connected station dropping its association.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/drv_callbacks.c | 13 +++++++++++++
- src/ap/ieee802_11.c    | 12 ++++++++++++
- 2 files changed, 25 insertions(+)
-
-diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
-index 31587685fe3b..34ca379edc3d 100644
---- a/src/ap/drv_callbacks.c
-+++ b/src/ap/drv_callbacks.c
-@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
-                           "hostapd_notif_assoc: Skip event with no address");
-                return -1;
-        }
-+
-+       if (is_multicast_ether_addr(addr) ||
-+           is_zero_ether_addr(addr) ||
-+           os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
-+               /* Do not process any frames with unexpected/invalid SA so that
-+                * we do not add any state for unexpected STA addresses or end
-+                * up sending out frames to unexpected destination. */
-+               wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
-+                          " in received indication - ignore this indication silently",
-+                          __func__, MAC2STR(addr));
-+               return 0;
-+       }
-+
-        random_add_randomness(addr, ETH_ALEN);
- 
-        hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index c85a28db44b7..e7065372e158 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
-        fc = le_to_host16(mgmt->frame_control);
-        stype = WLAN_FC_GET_STYPE(fc);
- 
-+       if (is_multicast_ether_addr(mgmt->sa) ||
-+           is_zero_ether_addr(mgmt->sa) ||
-+           os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
-+               /* Do not process any frames with unexpected/invalid SA so that
-+                * we do not add any state for unexpected STA addresses or end
-+                * up sending out frames to unexpected destination. */
-+               wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
-+                          " in received frame - ignore this frame silently",
-+                          MAC2STR(mgmt->sa));
-+               return 0;
-+       }
-+
-        if (stype == WLAN_FC_STYPE_BEACON) {
-                handle_beacon(hapd, mgmt, len, fi);
-                return 1;
--- 
-2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
deleted file mode 100644
index 53ad5d028a..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From 5b78c8f961f25f4dc22d6f2b77ddd06d712cec63 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Wed, 3 Jun 2020 23:17:35 +0300
-Subject: [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to
- other networks
-
-The UPnP Device Architecture 2.0 specification errata ("UDA errata
-16-04-2020.docx") addresses a problem with notifications being allowed
-to go out to other domains by disallowing such cases. Do such filtering
-for the notification callback URLs to avoid undesired connections to
-external networks based on subscriptions that any device in the local
-network could request when WPS support for external registrars is
-enabled (the upnp_iface parameter in hostapd configuration).
-
-Upstream-Status: Backport
-CVE: CVE-2020-12695 patch #1
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- src/wps/wps_er.c     |  2 +-
- src/wps/wps_upnp.c   | 38 ++++++++++++++++++++++++++++++++++++--
- src/wps/wps_upnp_i.h |  3 ++-
- 3 files changed, 39 insertions(+), 4 deletions(-)
-
-Index: wpa_supplicant-2.9/src/wps/wps_er.c
-===================================================================
---- wpa_supplicant-2.9.orig/src/wps/wps_er.c
-+++ wpa_supplicant-2.9/src/wps/wps_er.c
-@@ -1298,7 +1298,7 @@ wps_er_init(struct wps_context *wps, con
-                           "with %s", filter);
-        }
-        if (get_netif_info(er->ifname, &er->ip_addr, &er->ip_addr_text,
--                          er->mac_addr)) {
-+                          NULL, er->mac_addr)) {
-                wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
-                           "for %s. Does it have IP address?", er->ifname);
-                wps_er_deinit(er, NULL, NULL);
-Index: wpa_supplicant-2.9/src/wps/wps_upnp.c
-===================================================================
---- wpa_supplicant-2.9.orig/src/wps/wps_upnp.c
-+++ wpa_supplicant-2.9/src/wps/wps_upnp.c
-@@ -303,6 +303,14 @@ static void subscr_addr_free_all(struct
- }
-
-
-+static int local_network_addr(struct upnp_wps_device_sm *sm,
-+                             struct sockaddr_in *addr)
-+{
-+       return (addr->sin_addr.s_addr & sm->netmask.s_addr) ==
-+               (sm->ip_addr & sm->netmask.s_addr);
-+}
-+
-+
- /* subscr_addr_add_url -- add address(es) for one url to subscription */
- static void subscr_addr_add_url(struct subscription *s, const char *url,
-                                size_t url_len)
-@@ -381,6 +389,7 @@ static void subscr_addr_add_url(struct s
-
-        for (rp = result; rp; rp = rp->ai_next) {
-                struct subscr_addr *a;
-+               struct sockaddr_in *addr = (struct sockaddr_in *) rp->ai_addr;
-
-                /* Limit no. of address to avoid denial of service attack */
-                if (dl_list_len(&s->addr_list) >= MAX_ADDR_PER_SUBSCRIPTION) {
-@@ -389,6 +398,13 @@ static void subscr_addr_add_url(struct s
-                        break;
-                }
-
-+               if (!local_network_addr(s->sm, addr)) {
-+                       wpa_printf(MSG_INFO,
-+                                  "WPS UPnP: Ignore a delivery URL that points to another network %s",
-+                                  inet_ntoa(addr->sin_addr));
-+                       continue;
-+               }
-+
-                a = os_zalloc(sizeof(*a) + alloc_len);
-                if (a == NULL)
-                        break;
-@@ -889,11 +905,12 @@ static int eth_get(const char *device, u
-  * @net_if: Selected network interface name
-  * @ip_addr: Buffer for returning IP address in network byte order
-  * @ip_addr_text: Buffer for returning a pointer to allocated IP address text
-+ * @netmask: Buffer for returning netmask or %NULL if not needed
-  * @mac: Buffer for returning MAC address
-  * Returns: 0 on success, -1 on failure
-  */
- int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
--                  u8 mac[ETH_ALEN])
-+                  struct in_addr *netmask, u8 mac[ETH_ALEN])
- {
-        struct ifreq req;
-        int sock = -1;
-@@ -919,6 +936,19 @@ int get_netif_info(const char *net_if, u
-        in_addr.s_addr = *ip_addr;
-        os_snprintf(*ip_addr_text, 16, "%s", inet_ntoa(in_addr));
-
-+       if (netmask) {
-+               os_memset(&req, 0, sizeof(req));
-+               os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
-+               if (ioctl(sock, SIOCGIFNETMASK, &req) < 0) {
-+                       wpa_printf(MSG_ERROR,
-+                                  "WPS UPnP: SIOCGIFNETMASK failed: %d (%s)",
-+                                  errno, strerror(errno));
-+                       goto fail;
-+               }
-+               addr = (struct sockaddr_in *) &req.ifr_netmask;
-+               netmask->s_addr = addr->sin_addr.s_addr;
-+       }
-+
- #ifdef __linux__
-        os_strlcpy(req.ifr_name, net_if, sizeof(req.ifr_name));
-        if (ioctl(sock, SIOCGIFHWADDR, &req) < 0) {
-@@ -1025,11 +1055,15 @@ static int upnp_wps_device_start(struct
-
-        /* Determine which IP and mac address we're using */
-        if (get_netif_info(net_if, &sm->ip_addr, &sm->ip_addr_text,
--                          sm->mac_addr)) {
-+                          &sm->netmask, sm->mac_addr)) {
-                wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "
-                           "for %s. Does it have IP address?", net_if);
-                goto fail;
-        }
-+       wpa_printf(MSG_DEBUG, "WPS UPnP: Local IP address %s netmask %s hwaddr "
-+                  MACSTR,
-+                  sm->ip_addr_text, inet_ntoa(sm->netmask),
-+                  MAC2STR(sm->mac_addr));
-
-        /* Listen for incoming TCP connections so that others
-         * can fetch our "xml files" from us.
-Index: wpa_supplicant-2.9/src/wps/wps_upnp_i.h
-===================================================================
---- wpa_supplicant-2.9.orig/src/wps/wps_upnp_i.h
-+++ wpa_supplicant-2.9/src/wps/wps_upnp_i.h
-@@ -128,6 +128,7 @@ struct upnp_wps_device_sm {
-        u8 mac_addr[ETH_ALEN]; /* mac addr of network i.f. we use */
-        char *ip_addr_text; /* IP address of network i.f. we use */
-        unsigned ip_addr; /* IP address of network i.f. we use (host order) */
-+       struct in_addr netmask;
-        int multicast_sd; /* send multicast messages over this socket */
-        int ssdp_sd; /* receive discovery UPD packets on socket */
-        int ssdp_sd_registered; /* nonzero if we must unregister */
-@@ -158,7 +159,7 @@ struct subscription * subscription_find(
-                                        const u8 uuid[UUID_LEN]);
- void subscr_addr_delete(struct subscr_addr *a);
- int get_netif_info(const char *net_if, unsigned *ip_addr, char **ip_addr_text,
--                  u8 mac[ETH_ALEN]);
-+                  struct in_addr *netmask, u8 mac[ETH_ALEN]);
-
- /* wps_upnp_ssdp.c */
- void msearchreply_state_machine_stop(struct advertisement_state_machine *a);
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch
new file mode 100644
index 0000000000..f9634e47c9
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch
@@ -0,0 +1,53 @@
+From 809d9d8172db8e2a08ff639875f838b5b86d2641 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <geomatsi@gmail.com>
+Date: Thu, 22 Aug 2024 00:03:41 +0300
+Subject: [PATCH] macsec_linux: Hardware offload requires Linux headers >= v5.7
+
+Hardware offload in Linux macsec driver is enabled in compile time if
+libnl version is >= v3.6. This is not sufficient for successful build
+since enum 'macsec_offload' has been added to Linux header if_link.h
+in kernels v5.6 and v5.7, see commits:
+- https://github.com/torvalds/linux/commit/21114b7feec29e4425a3ac48a037569c016a46c8
+- https://github.com/torvalds/linux/commit/76564261a7db80c5f5c624e0122a28787f266bdf
+
+New libnl with older Linux headers is a valid combination. This is how
+hostapd build failure has been detected by Buildroot autobuilder, see:
+- http://autobuild.buildroot.net/results/b59d5bc5bd17683a3a1e3577c40c802e81911f84/
+
+Extend compile time condition for the enablement of the macsec hardware
+offload adding Linux headers version check.
+
+Fixes: 40c139664439 ("macsec_linux: Add support for MACsec hardware offload")
+Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
+
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/patch/?id=809d9d8172db8e2a08ff639875f838b5b86d2641]
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+---
+ src/drivers/driver_macsec_linux.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c
+index c867154981e9..fad47a292f9f 100644
+--- a/src/drivers/driver_macsec_linux.c
++++ b/src/drivers/driver_macsec_linux.c
+@@ -19,6 +19,7 @@
+ #include <netlink/route/link.h>
+ #include <netlink/route/link/macsec.h>
+ #include <linux/if_macsec.h>
++#include <linux/version.h>
+ #include <inttypes.h>
+ 
+ #include "utils/common.h"
+@@ -32,7 +33,8 @@
+ 
+ #define UNUSED_SCI 0xffffffffffffffff
+ 
+-#if LIBNL_VER_NUM >= LIBNL_VER(3, 6)
++#if (LIBNL_VER_NUM >= LIBNL_VER(3, 6) && \
++     LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0))
+ #define LIBNL_HAS_OFFLOAD
+ #endif
+ 
+-- 
+2.39.2
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
deleted file mode 100644
index a476cf040e..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 94c401733a5a3d294cc412671166e6adfb409f53 Mon Sep 17 00:00:00 2001
-From: Joshua DeWeese <jdeweese@hennypenny.com>
-Date: Wed, 30 Jan 2019 16:19:47 -0500
-Subject: [PATCH] replace systemd install Alias with WantedBy
-
-According to the systemd documentation "WantedBy=foo.service in a
-service bar.service is mostly equivalent to
-Alias=foo.service.wants/bar.service in the same file." However,
-this is not really the intended purpose of install Aliases.
-
-Upstream-Status: Submitted [hostap@lists.infradead.org]
-
-Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com>
----
- wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in | 2 +-
- wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in   | 2 +-
- wpa_supplicant/systemd/wpa_supplicant.service.arg.in         | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-index 03ac507..da69a87 100644
---- a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
- ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-nl80211-%I.conf -Dnl80211 -i%I
- 
- [Install]
--Alias=multi-user.target.wants/wpa_supplicant-nl80211@%i.service
-+WantedBy=multi-user.target
-diff --git a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-index c8a744d..ca3054b 100644
---- a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
- ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-%I.conf -Dwired -i%I
- 
- [Install]
--Alias=multi-user.target.wants/wpa_supplicant-wired@%i.service
-+WantedBy=multi-user.target
-diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-index 7788b38..55d2b9c 100644
---- a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
- ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I
- 
- [Install]
--Alias=multi-user.target.wants/wpa_supplicant@%i.service
-+WantedBy=multi-user.target
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
deleted file mode 100644
index 59640859dd..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Wed, 3 Jun 2020 22:41:02 +0300
-Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
- path
-
-More than about 700 character URL ended up overflowing the wpabuf used
-for building the event notification and this resulted in the wpabuf
-buffer overflow checks terminating the hostapd process. Fix this by
-allocating the buffer to be large enough to contain the full URL path.
-However, since that around 700 character limit has been the practical
-limit for more than ten years, start explicitly enforcing that as the
-limit or the callback URLs since any longer ones had not worked before
-and there is no need to enable them now either.
-
-Upstream-Status: Backport
-CVE: CVE-2020-12695 patch #2
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- src/wps/wps_upnp.c       | 9 +++++++--
- src/wps/wps_upnp_event.c | 3 ++-
- 2 files changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
-index 7d4b7439940e..ab685d52ecab 100644
---- a/src/wps/wps_upnp.c
-+++ b/src/wps/wps_upnp.c
-@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
-        int rerr;
-        size_t host_len, path_len;
-
--       /* url MUST begin with http: */
--       if (url_len < 7 || os_strncasecmp(url, "http://", 7))
-+       /* URL MUST begin with HTTP scheme. In addition, limit the length of
-+        * the URL to 700 characters which is around the limit that was
-+        * implicitly enforced for more than 10 years due to a bug in
-+        * generating the event messages. */
-+       if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
-+               wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
-                goto fail;
-+       }
-        url += 7;
-        url_len -= 7;
-
-diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
-index d7e6edcc6503..08a23612f338 100644
---- a/src/wps/wps_upnp_event.c
-+++ b/src/wps/wps_upnp_event.c
-@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
-        struct wpabuf *buf;
-        char *b;
-
--       buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
-+       buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
-+                          wpabuf_len(e->data));
-        if (buf == NULL)
-                return NULL;
-        wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
---
-2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
deleted file mode 100644
index 8a014ef28a..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 85aac526af8612c21b3117dadc8ef5944985b476 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Thu, 4 Jun 2020 21:24:04 +0300
-Subject: [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more
- properly
-
-While it is appropriate to try to retransmit the event to another
-callback URL on a failure to initiate the HTTP client connection, there
-is no point in trying the exact same operation multiple times in a row.
-Replve the event_retry() calls with event_addr_failure() for these cases
-to avoid busy loops trying to repeat the same failing operation.
-
-These potential busy loops would go through eloop callbacks, so the
-process is not completely stuck on handling them, but unnecessary CPU
-would be used to process the continues retries that will keep failing
-for the same reason.
-
-Upstream-Status: Backport
-CVE: CVE-2020-12695 patch #2
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- src/wps/wps_upnp_event.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
-index 08a23612f338..c0d9e41d9a38 100644
---- a/src/wps/wps_upnp_event.c
-+++ b/src/wps/wps_upnp_event.c
-@@ -294,7 +294,7 @@ static int event_send_start(struct subscription *s)
-
-        buf = event_build_message(e);
-        if (buf == NULL) {
--               event_retry(e, 0);
-+               event_addr_failure(e);
-                return -1;
-        }
-
-@@ -302,7 +302,7 @@ static int event_send_start(struct subscription *s)
-                                         event_http_cb, e);
-        if (e->http_event == NULL) {
-                wpabuf_free(buf);
--               event_retry(e, 0);
-+               event_addr_failure(e);
-                return -1;
-        }
-
---
-2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
deleted file mode 100644
index 8c90fa3421..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Mon, 9 Nov 2020 11:43:12 +0200
-Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
- client
-
-Parsing and copying of WPS secondary device types list was verifying
-that the contents is not too long for the internal maximum in the case
-of WPS messages, but similar validation was missing from the case of P2P
-group information which encodes this information in a different
-attribute. This could result in writing beyond the memory area assigned
-for these entries and corrupting memory within an instance of struct
-p2p_device. This could result in invalid operations and unexpected
-behavior when trying to free pointers from that corrupted memory.
-
-Upstream-Status: Backport
-CVE: CVE-2021-0326
-
-Reference to upstream patch:
-[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
-
-Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
-Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
----
- src/p2p/p2p.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
-index a08ba02..079270f 100644
---- a/src/p2p/p2p.c
-+++ b/src/p2p/p2p.c
-@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
-        dev->info.config_methods = cli->config_methods;
-        os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
-        dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
-+       if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
-+               dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
-        os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
-                  dev->info.wps_sec_dev_type_list_len);
- }
--- 
-2.17.1
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
deleted file mode 100644
index 004b1dbd19..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@codeaurora.org>
-Date: Tue, 8 Dec 2020 23:52:50 +0200
-Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request
-
-p2p_add_device() may remove the oldest entry if there is no room in the
-peer table for a new peer. This would result in any pointer to that
-removed entry becoming stale. A corner case with an invalid PD Request
-frame could result in such a case ending up using (read+write) freed
-memory. This could only by triggered when the peer table has reached its
-maximum size and the PD Request frame is received from the P2P Device
-Address of the oldest remaining entry and the frame has incorrect P2P
-Device Address in the payload.
-
-Fix this by fetching the dev pointer again after having called
-p2p_add_device() so that the stale pointer cannot be used.
-
-Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-
-Upstream-Status: Backport
-CVE: CVE-2021-27803
-
-Reference to upstream patch:
-[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32]
-
-Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
----
- src/p2p/p2p_pd.c | 12 +++++-------
- 1 file changed, 5 insertions(+), 7 deletions(-)
-
-diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
-index 3994ec0..05fd593 100644
---- a/src/p2p/p2p_pd.c
-+++ b/src/p2p/p2p_pd.c
-@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa,
-                        goto out;
-                }
- 
-+               dev = p2p_get_device(p2p, sa);
-                if (!dev) {
--                       dev = p2p_get_device(p2p, sa);
--                       if (!dev) {
--                               p2p_dbg(p2p,
--                                       "Provision Discovery device not found "
--                                       MACSTR, MAC2STR(sa));
--                               goto out;
--                       }
-+                       p2p_dbg(p2p,
-+                               "Provision Discovery device not found "
-+                               MACSTR, MAC2STR(sa));
-+                       goto out;
-                }
-        } else if (msg.wfd_subelems) {
-                wpabuf_free(dev->info.wfd_subelems);
--- 
-2.17.1
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
deleted file mode 100644
index e2540fc26b..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 13 Mar 2021 18:19:31 +0200
-Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
-
-The supported hash algorithms do not use AlgorithmIdentifier parameters.
-However, there are implementations that include NULL parameters in
-addition to ones that omit the parameters. Previous implementation did
-not check the parameters value at all which supported both these cases,
-but did not reject any other unexpected information.
-
-Use strict validation of digest algorithm parameters and reject any
-unexpected value when validating a signature. This is needed to prevent
-potential forging attacks.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
-
-Upstream-Status: Backport
-CVE: CVE-2021-30004
-
-Reference to upstream patch:
-[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
-
-Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
----
- src/tls/pkcs1.c  | 21 +++++++++++++++++++++
- src/tls/x509v3.c | 20 ++++++++++++++++++++
- 2 files changed, 41 insertions(+)
-
-diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
-index 141ac50..e09db07 100644
---- a/src/tls/pkcs1.c
-+++ b/src/tls/pkcs1.c
-@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
-                os_free(decrypted);
-                return -1;
-        }
-+       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
-+                   hdr.payload, hdr.length);
- 
-        pos = hdr.payload;
-        end = pos + hdr.length;
-@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
-                os_free(decrypted);
-                return -1;
-        }
-+       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
-+                   hdr.payload, hdr.length);
-        da_end = hdr.payload + hdr.length;
- 
-        if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
-@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
-                os_free(decrypted);
-                return -1;
-        }
-+       wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
-+                   next, da_end - next);
-+
-+       /*
-+        * RFC 5754: The correct encoding for the SHA2 algorithms would be to
-+        * omit the parameters, but there are implementation that encode these
-+        * as a NULL element. Allow these two cases and reject anything else.
-+        */
-+       if (da_end > next &&
-+           (asn1_get_next(next, da_end - next, &hdr) < 0 ||
-+            !asn1_is_null(&hdr) ||
-+            hdr.payload + hdr.length != da_end)) {
-+               wpa_printf(MSG_DEBUG,
-+                          "PKCS #1: Unexpected digest algorithm parameters");
-+               os_free(decrypted);
-+               return -1;
-+       }
- 
-        if (!asn1_oid_equal(&oid, hash_alg)) {
-                char txt[100], txt2[100];
-diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
-index 1bd5aa0..bf2289f 100644
---- a/src/tls/x509v3.c
-+++ b/src/tls/x509v3.c
-@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
-                os_free(data);
-                return -1;
-        }
-+       wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
- 
-        pos = hdr.payload;
-        end = pos + hdr.length;
-@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
-                os_free(data);
-                return -1;
-        }
-+       wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
-+                   hdr.payload, hdr.length);
-        da_end = hdr.payload + hdr.length;
- 
-        if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
-@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
-                os_free(data);
-                return -1;
-        }
-+       wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
-+                   next, da_end - next);
-+
-+       /*
-+        * RFC 5754: The correct encoding for the SHA2 algorithms would be to
-+        * omit the parameters, but there are implementation that encode these
-+        * as a NULL element. Allow these two cases and reject anything else.
-+        */
-+       if (da_end > next &&
-+           (asn1_get_next(next, da_end - next, &hdr) < 0 ||
-+            !asn1_is_null(&hdr) ||
-+            hdr.payload + hdr.length != da_end)) {
-+               wpa_printf(MSG_DEBUG,
-+                          "X509: Unexpected digest algorithm parameters");
-+               os_free(data);
-+               return -1;
-+       }
- 
-        if (x509_sha1_oid(&oid)) {
-                if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
--- 
-2.17.1
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig
deleted file mode 100644
index f04e398fdb..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig
+++ /dev/null
@@ -1,552 +0,0 @@
-# Example wpa_supplicant build time configuration
-#
-# This file lists the configuration options that are used when building the
-# hostapd binary. All lines starting with # are ignored. Configuration option
-# lines must be commented out complete, if they are not to be included, i.e.,
-# just setting VARIABLE=n is not disabling that variable.
-#
-# This file is included in Makefile, so variables like CFLAGS and LIBS can also
-# be modified from here. In most cases, these lines should use += in order not
-# to override previous values of the variables.
-
-
-# Uncomment following two lines and fix the paths if you have installed OpenSSL
-# or GnuTLS in non-default location
-#CFLAGS += -I/usr/local/openssl/include
-#LIBS += -L/usr/local/openssl/lib
-
-# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
-# the kerberos files are not in the default include path. Following line can be
-# used to fix build issues on such systems (krb5.h not found).
-#CFLAGS += -I/usr/include/kerberos
-
-# Example configuration for various cross-compilation platforms
-
-#### sveasoft (e.g., for Linksys WRT54G) ######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS += -I../src/include -I../../src/router/openssl/include
-#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl
-###############################################################################
-
-#### openwrt (e.g., for Linksys WRT54G) #######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \
-#       -I../WRT54GS/release/src/include
-#LIBS = -lssl
-###############################################################################
-
-
-# Driver interface for Host AP driver
-CONFIG_DRIVER_HOSTAP=y
-
-# Driver interface for Agere driver
-#CONFIG_DRIVER_HERMES=y
-# Change include directories to match with the local setup
-#CFLAGS += -I../../hcf -I../../include -I../../include/hcf
-#CFLAGS += -I../../include/wireless
-
-# Driver interface for madwifi driver
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_MADWIFI=y
-# Set include directory to the madwifi source tree
-#CFLAGS += -I../../madwifi
-
-# Driver interface for ndiswrapper
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_NDISWRAPPER=y
-
-# Driver interface for Atmel driver
-# CONFIG_DRIVER_ATMEL=y
-
-# Driver interface for old Broadcom driver
-# Please note that the newer Broadcom driver ("hybrid Linux driver") supports
-# Linux wireless extensions and does not need (or even work) with the old
-# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver.
-#CONFIG_DRIVER_BROADCOM=y
-# Example path for wlioctl.h; change to match your configuration
-#CFLAGS += -I/opt/WRT54GS/release/src/include
-
-# Driver interface for Intel ipw2100/2200 driver
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_IPW=y
-
-# Driver interface for Ralink driver
-#CONFIG_DRIVER_RALINK=y
-
-# Driver interface for generic Linux wireless extensions
-# Note: WEXT is deprecated in the current Linux kernel version and no new
-# functionality is added to it. nl80211-based interface is the new
-# replacement for WEXT and its use allows wpa_supplicant to properly control
-# the driver to improve existing functionality like roaming and to support new
-# functionality.
-CONFIG_DRIVER_WEXT=y
-
-# Driver interface for Linux drivers using the nl80211 kernel interface
-CONFIG_DRIVER_NL80211=y
-
-# driver_nl80211.c requires libnl. If you are compiling it yourself
-# you may need to point hostapd to your version of libnl.
-#
-#CFLAGS += -I$<path to libnl include files>
-#LIBS += -L$<path to libnl library files>
-
-# Use libnl v2.0 (or 3.0) libraries.
-#CONFIG_LIBNL20=y
-
-# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
-CONFIG_LIBNL32=y
-
-
-# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
-#CONFIG_DRIVER_BSD=y
-#CFLAGS += -I/usr/local/include
-#LIBS += -L/usr/local/lib
-#LIBS_p += -L/usr/local/lib
-#LIBS_c += -L/usr/local/lib
-
-# Driver interface for Windows NDIS
-#CONFIG_DRIVER_NDIS=y
-#CFLAGS += -I/usr/include/w32api/ddk
-#LIBS += -L/usr/local/lib
-# For native build using mingw
-#CONFIG_NATIVE_WINDOWS=y
-# Additional directories for cross-compilation on Linux host for mingw target
-#CFLAGS += -I/opt/mingw/mingw32/include/ddk
-#LIBS += -L/opt/mingw/mingw32/lib
-#CC=mingw32-gcc
-# By default, driver_ndis uses WinPcap for low-level operations. This can be
-# replaced with the following option which replaces WinPcap calls with NDISUIO.
-# However, this requires that WZC is disabled (net stop wzcsvc) before starting
-# wpa_supplicant.
-# CONFIG_USE_NDISUIO=y
-
-# Driver interface for development testing
-#CONFIG_DRIVER_TEST=y
-
-# Driver interface for wired Ethernet drivers
-CONFIG_DRIVER_WIRED=y
-
-# Driver interface for the Broadcom RoboSwitch family
-#CONFIG_DRIVER_ROBOSWITCH=y
-
-# Driver interface for no driver (e.g., WPS ER only)
-#CONFIG_DRIVER_NONE=y
-
-# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
-# included)
-CONFIG_IEEE8021X_EAPOL=y
-
-# EAP-MD5
-CONFIG_EAP_MD5=y
-
-# EAP-MSCHAPv2
-CONFIG_EAP_MSCHAPV2=y
-
-# EAP-TLS
-CONFIG_EAP_TLS=y
-
-# EAL-PEAP
-CONFIG_EAP_PEAP=y
-
-# EAP-TTLS
-CONFIG_EAP_TTLS=y
-
-# EAP-FAST
-# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
-# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
-# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
-#CONFIG_EAP_FAST=y
-
-# EAP-GTC
-CONFIG_EAP_GTC=y
-
-# EAP-OTP
-CONFIG_EAP_OTP=y
-
-# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
-#CONFIG_EAP_SIM=y
-
-# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
-#CONFIG_EAP_PSK=y
-
-# EAP-pwd (secure authentication using only a password)
-#CONFIG_EAP_PWD=y
-
-# EAP-PAX
-#CONFIG_EAP_PAX=y
-
-# LEAP
-CONFIG_EAP_LEAP=y
-
-# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
-#CONFIG_EAP_AKA=y
-
-# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
-# This requires CONFIG_EAP_AKA to be enabled, too.
-#CONFIG_EAP_AKA_PRIME=y
-
-# Enable USIM simulator (Milenage) for EAP-AKA
-#CONFIG_USIM_SIMULATOR=y
-
-# EAP-SAKE
-#CONFIG_EAP_SAKE=y
-
-# EAP-GPSK
-#CONFIG_EAP_GPSK=y
-# Include support for optional SHA256 cipher suite in EAP-GPSK
-#CONFIG_EAP_GPSK_SHA256=y
-
-# EAP-TNC and related Trusted Network Connect support (experimental)
-#CONFIG_EAP_TNC=y
-
-# Wi-Fi Protected Setup (WPS)
-CONFIG_WPS=y
-# Enable WSC 2.0 support
-#CONFIG_WPS2=y
-# Enable WPS external registrar functionality
-#CONFIG_WPS_ER=y
-# Disable credentials for an open network by default when acting as a WPS
-# registrar.
-#CONFIG_WPS_REG_DISABLE_OPEN=y
-# Enable WPS support with NFC config method
-#CONFIG_WPS_NFC=y
-
-# EAP-IKEv2
-#CONFIG_EAP_IKEV2=y
-
-# EAP-EKE
-#CONFIG_EAP_EKE=y
-
-# PKCS#12 (PFX) support (used to read private key and certificate file from
-# a file that usually has extension .p12 or .pfx)
-CONFIG_PKCS12=y
-
-# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
-# engine.
-CONFIG_SMARTCARD=y
-
-# PC/SC interface for smartcards (USIM, GSM SIM)
-# Enable this if EAP-SIM or EAP-AKA is included
-#CONFIG_PCSC=y
-
-# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
-#CONFIG_HT_OVERRIDES=y
-
-# Support VHT overrides (disable VHT, mask MCS rates, etc.)
-#CONFIG_VHT_OVERRIDES=y
-
-# Development testing
-#CONFIG_EAPOL_TEST=y
-
-# Select control interface backend for external programs, e.g, wpa_cli:
-# unix = UNIX domain sockets (default for Linux/*BSD)
-# udp = UDP sockets using localhost (127.0.0.1)
-# named_pipe = Windows Named Pipe (default for Windows)
-# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
-# y = use default (backwards compatibility)
-# If this option is commented out, control interface is not included in the
-# build.
-CONFIG_CTRL_IFACE=y
-
-# Include support for GNU Readline and History Libraries in wpa_cli.
-# When building a wpa_cli binary for distribution, please note that these
-# libraries are licensed under GPL and as such, BSD license may not apply for
-# the resulting binary.
-#CONFIG_READLINE=y
-
-# Include internal line edit mode in wpa_cli. This can be used as a replacement
-# for GNU Readline to provide limited command line editing and history support.
-#CONFIG_WPA_CLI_EDIT=y
-
-# Remove debugging code that is printing out debug message to stdout.
-# This can be used to reduce the size of the wpa_supplicant considerably
-# if debugging code is not needed. The size reduction can be around 35%
-# (e.g., 90 kB).
-#CONFIG_NO_STDOUT_DEBUG=y
-
-# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
-# 35-50 kB in code size.
-#CONFIG_NO_WPA=y
-
-# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
-# This option can be used to reduce code size by removing support for
-# converting ASCII passphrases into PSK. If this functionality is removed, the
-# PSK can only be configured as the 64-octet hexstring (e.g., from
-# wpa_passphrase). This saves about 0.5 kB in code size.
-#CONFIG_NO_WPA_PASSPHRASE=y
-
-# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
-# This can be used if ap_scan=1 mode is never enabled.
-#CONFIG_NO_SCAN_PROCESSING=y
-
-# Select configuration backend:
-# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
-#       path is given on command line, not here; this option is just used to
-#       select the backend that allows configuration files to be used)
-# winreg = Windows registry (see win_example.reg for an example)
-CONFIG_BACKEND=file
-
-# Remove configuration write functionality (i.e., to allow the configuration
-# file to be updated based on runtime configuration changes). The runtime
-# configuration can still be changed, the changes are just not going to be
-# persistent over restarts. This option can be used to reduce code size by
-# about 3.5 kB.
-#CONFIG_NO_CONFIG_WRITE=y
-
-# Remove support for configuration blobs to reduce code size by about 1.5 kB.
-#CONFIG_NO_CONFIG_BLOBS=y
-
-# Select program entry point implementation:
-# main = UNIX/POSIX like main() function (default)
-# main_winsvc = Windows service (read parameters from registry)
-# main_none = Very basic example (development use only)
-#CONFIG_MAIN=main
-
-# Select wrapper for operatins system and C library specific functions
-# unix = UNIX/POSIX like systems (default)
-# win32 = Windows systems
-# none = Empty template
-#CONFIG_OS=unix
-
-# Select event loop implementation
-# eloop = select() loop (default)
-# eloop_win = Windows events and WaitForMultipleObject() loop
-#CONFIG_ELOOP=eloop
-
-# Should we use poll instead of select? Select is used by default.
-#CONFIG_ELOOP_POLL=y
-
-# Select layer 2 packet implementation
-# linux = Linux packet socket (default)
-# pcap = libpcap/libdnet/WinPcap
-# freebsd = FreeBSD libpcap
-# winpcap = WinPcap with receive thread
-# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
-# none = Empty template
-#CONFIG_L2_PACKET=linux
-
-# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
-CONFIG_PEERKEY=y
-
-# IEEE 802.11w (management frame protection), also known as PMF
-# Driver support is also needed for IEEE 802.11w.
-#CONFIG_IEEE80211W=y
-
-# Select TLS implementation
-# openssl = OpenSSL (default)
-# gnutls = GnuTLS
-# internal = Internal TLSv1 implementation (experimental)
-# none = Empty template
-#CONFIG_TLS=openssl
-
-# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
-# can be enabled to get a stronger construction of messages when block ciphers
-# are used. It should be noted that some existing TLS v1.0 -based
-# implementation may not be compatible with TLS v1.1 message (ClientHello is
-# sent prior to negotiating which version will be used)
-#CONFIG_TLSV11=y
-
-# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
-# can be enabled to enable use of stronger crypto algorithms. It should be
-# noted that some existing TLS v1.0 -based implementation may not be compatible
-# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
-# will be used)
-#CONFIG_TLSV12=y
-
-# If CONFIG_TLS=internal is used, additional library and include paths are
-# needed for LibTomMath. Alternatively, an integrated, minimal version of
-# LibTomMath can be used. See beginning of libtommath.c for details on benefits
-# and drawbacks of this option.
-#CONFIG_INTERNAL_LIBTOMMATH=y
-#ifndef CONFIG_INTERNAL_LIBTOMMATH
-#LTM_PATH=/usr/src/libtommath-0.39
-#CFLAGS += -I$(LTM_PATH)
-#LIBS += -L$(LTM_PATH)
-#LIBS_p += -L$(LTM_PATH)
-#endif
-# At the cost of about 4 kB of additional binary size, the internal LibTomMath
-# can be configured to include faster routines for exptmod, sqr, and div to
-# speed up DH and RSA calculation considerably
-#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
-
-# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
-# This is only for Windows builds and requires WMI-related header files and
-# WbemUuid.Lib from Platform SDK even when building with MinGW.
-#CONFIG_NDIS_EVENTS_INTEGRATED=y
-#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
-
-# Add support for old DBus control interface
-# (fi.epitest.hostap.WPASupplicant)
-#CONFIG_CTRL_IFACE_DBUS=y
-
-# Add support for new DBus control interface
-# (fi.w1.hostap.wpa_supplicant1)
-CONFIG_CTRL_IFACE_DBUS_NEW=y
-
-# Add introspection support for new DBus control interface
-#CONFIG_CTRL_IFACE_DBUS_INTRO=y
-
-# Add support for loading EAP methods dynamically as shared libraries.
-# When this option is enabled, each EAP method can be either included
-# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
-# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
-# be loaded in the beginning of the wpa_supplicant configuration file
-# (see load_dynamic_eap parameter in the example file) before being used in
-# the network blocks.
-#
-# Note that some shared parts of EAP methods are included in the main program
-# and in order to be able to use dynamic EAP methods using these parts, the
-# main program must have been build with the EAP method enabled (=y or =dyn).
-# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
-# unless at least one of them was included in the main build to force inclusion
-# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
-# in the main build to be able to load these methods dynamically.
-#
-# Please also note that using dynamic libraries will increase the total binary
-# size. Thus, it may not be the best option for targets that have limited
-# amount of memory/flash.
-#CONFIG_DYNAMIC_EAP_METHODS=y
-
-# IEEE Std 802.11r-2008 (Fast BSS Transition)
-#CONFIG_IEEE80211R=y
-
-# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
-#CONFIG_DEBUG_FILE=y
-
-# Send debug messages to syslog instead of stdout
-#CONFIG_DEBUG_SYSLOG=y
-# Set syslog facility for debug messages
-#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
-
-# Add support for sending all debug messages (regardless of debug verbosity)
-# to the Linux kernel tracing facility. This helps debug the entire stack by
-# making it easy to record everything happening from the driver up into the
-# same file, e.g., using trace-cmd.
-#CONFIG_DEBUG_LINUX_TRACING=y
-
-# Enable privilege separation (see README 'Privilege separation' for details)
-#CONFIG_PRIVSEP=y
-
-# Enable mitigation against certain attacks against TKIP by delaying Michael
-# MIC error reports by a random amount of time between 0 and 60 seconds
-#CONFIG_DELAYED_MIC_ERROR_REPORT=y
-
-# Enable tracing code for developer debugging
-# This tracks use of memory allocations and other registrations and reports
-# incorrect use with a backtrace of call (or allocation) location.
-#CONFIG_WPA_TRACE=y
-# For BSD, uncomment these.
-#LIBS += -lexecinfo
-#LIBS_p += -lexecinfo
-#LIBS_c += -lexecinfo
-
-# Use libbfd to get more details for developer debugging
-# This enables use of libbfd to get more detailed symbols for the backtraces
-# generated by CONFIG_WPA_TRACE=y.
-#CONFIG_WPA_TRACE_BFD=y
-# For BSD, uncomment these.
-#LIBS += -lbfd -liberty -lz
-#LIBS_p += -lbfd -liberty -lz
-#LIBS_c += -lbfd -liberty -lz
-
-CONFIG_TLS = %ssl%
-CONFIG_CTRL_IFACE_DBUS=y
-CONFIG_CTRL_IFACE_DBUS_NEW=y
-
-# wpa_supplicant depends on strong random number generation being available
-# from the operating system. os_get_random() function is used to fetch random
-# data when needed, e.g., for key generation. On Linux and BSD systems, this
-# works by reading /dev/urandom. It should be noted that the OS entropy pool
-# needs to be properly initialized before wpa_supplicant is started. This is
-# important especially on embedded devices that do not have a hardware random
-# number generator and may by default start up with minimal entropy available
-# for random number generation.
-#
-# As a safety net, wpa_supplicant is by default trying to internally collect
-# additional entropy for generating random data to mix in with the data fetched
-# from the OS. This by itself is not considered to be very strong, but it may
-# help in cases where the system pool is not initialized properly. However, it
-# is very strongly recommended that the system pool is initialized with enough
-# entropy either by using hardware assisted random number generator or by
-# storing state over device reboots.
-#
-# wpa_supplicant can be configured to maintain its own entropy store over
-# restarts to enhance random number generation. This is not perfect, but it is
-# much more secure than using the same sequence of random numbers after every
-# reboot. This can be enabled with -e<entropy file> command line option. The
-# specified file needs to be readable and writable by wpa_supplicant.
-#
-# If the os_get_random() is known to provide strong random data (e.g., on
-# Linux/BSD, the board in question is known to have reliable source of random
-# data from /dev/urandom), the internal wpa_supplicant random pool can be
-# disabled. This will save some in binary size and CPU use. However, this
-# should only be considered for builds that are known to be used on devices
-# that meet the requirements described above.
-#CONFIG_NO_RANDOM_POOL=y
-
-# IEEE 802.11n (High Throughput) support (mainly for AP mode)
-#CONFIG_IEEE80211N=y
-
-# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
-# (depends on CONFIG_IEEE80211N)
-#CONFIG_IEEE80211AC=y
-
-# Wireless Network Management (IEEE Std 802.11v-2011)
-# Note: This is experimental and not complete implementation.
-#CONFIG_WNM=y
-
-# Interworking (IEEE 802.11u)
-# This can be used to enable functionality to improve interworking with
-# external networks (GAS/ANQP to learn more about the networks and network
-# selection based on available credentials).
-#CONFIG_INTERWORKING=y
-
-# Hotspot 2.0
-#CONFIG_HS20=y
-
-# Disable roaming in wpa_supplicant
-#CONFIG_NO_ROAMING=y
-
-# AP mode operations with wpa_supplicant
-# This can be used for controlling AP mode operations with wpa_supplicant. It
-# should be noted that this is mainly aimed at simple cases like
-# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
-# external RADIUS server can be supported with hostapd.
-CONFIG_AP=y
-
-CONFIG_BGSCAN_SIMPLE=y
-
-# P2P (Wi-Fi Direct)
-# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
-# more information on P2P operations.
-#CONFIG_P2P=y
-
-# Enable TDLS support
-#CONFIG_TDLS=y
-
-# Wi-Fi Direct
-# This can be used to enable Wi-Fi Direct extensions for P2P using an external
-# program to control the additional information exchanges in the messages.
-#CONFIG_WIFI_DISPLAY=y
-
-# Autoscan
-# This can be used to enable automatic scan support in wpa_supplicant.
-# See wpa_supplicant.conf for more information on autoscan usage.
-#
-# Enabling directly a module will enable autoscan support.
-# For exponential module:
-CONFIG_AUTOSCAN_EXPONENTIAL=y
-# For periodic module:
-#CONFIG_AUTOSCAN_PERIODIC=y
-
-# Password (and passphrase, etc.) backend for external storage
-# These optional mechanisms can be used to add support for storing passwords
-# and other secrets in external (to wpa_supplicant) location. This allows, for
-# example, operating system specific key storage to be used
-#
-# External password backend for testing purposes (developer use)
-#CONFIG_EXT_PASSWORD_TEST=y
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
new file mode 100644
index 0000000000..6dc76494f7
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
@@ -0,0 +1,137 @@
+SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
+DESCRIPTION = "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver."
+HOMEPAGE = "http://w1.fi/wpa_supplicant/"
+BUGTRACKER = "http://w1.fi/security/"
+SECTION = "network"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \
+                    file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \
+                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4"
+
+DEPENDS = "dbus libnl"
+
+SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
+           file://wpa-supplicant.sh \
+           file://wpa_supplicant.conf \
+           file://wpa_supplicant.conf-sane \
+           file://99_wpa_supplicant \
+           file://0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch \
+           "
+SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a"
+
+S = "${UNPACKDIR}/wpa_supplicant-${PV}"
+
+inherit pkgconfig systemd
+
+PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
+PACKAGECONFIG[openssl] = ",,openssl"
+
+CVE_PRODUCT = "wpa_supplicant"
+
+CVE_STATUS[CVE-2024-5290] = "not-applicable-platform: this only affects Ubuntu and other platforms patching wpa-supplicant"
+
+EXTRA_OEMAKE = "'LIBDIR=${libdir}' 'INCDIR=${includedir}' 'BINDIR=${sbindir}'"
+
+do_configure () {
+        ${MAKE} -C wpa_supplicant clean
+        sed -e '/^CONFIG_TLS=/d' <wpa_supplicant/defconfig >wpa_supplicant/.config
+
+        if ${@ bb.utils.contains('PACKAGECONFIG', 'openssl', 'true', 'false', d) }; then
+                echo 'CONFIG_TLS=openssl' >>wpa_supplicant/.config
+        elif ${@ bb.utils.contains('PACKAGECONFIG', 'gnutls', 'true', 'false', d) }; then
+                echo 'CONFIG_TLS=gnutls' >>wpa_supplicant/.config
+        sed -i -e 's/\(^CONFIG_DPP=\)/#\1/' \
+               -e 's/\(^CONFIG_EAP_PWD=\)/#\1/' \
+               -e 's/\(^CONFIG_SAE=\)/#\1/' wpa_supplicant/.config
+        fi
+
+        # For rebuild
+        rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d
+}
+
+do_compile () {
+        oe_runmake -C wpa_supplicant
+        if [ -z "${DISABLE_STATIC}" ]; then
+                oe_runmake -C wpa_supplicant libwpa_client.a
+        fi
+}
+
+do_install () {
+        oe_runmake -C wpa_supplicant DESTDIR="${D}" install
+
+        install -d ${D}${docdir}/wpa_supplicant
+        install -m 644 wpa_supplicant/README ${UNPACKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
+
+        install -d ${D}${sysconfdir}
+        install -m 600 ${UNPACKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
+
+        install -d ${D}${sysconfdir}/network/if-pre-up.d/
+        install -d ${D}${sysconfdir}/network/if-post-down.d/
+        install -d ${D}${sysconfdir}/network/if-down.d/
+        install -m 755 ${UNPACKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
+        ln -sf ../if-pre-up.d/wpa-supplicant ${D}${sysconfdir}/network/if-post-down.d/wpa-supplicant
+
+        install -d ${D}/${sysconfdir}/dbus-1/system.d
+        install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d
+        install -d ${D}/${datadir}/dbus-1/system-services
+        install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services
+
+        if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+                install -d ${D}/${systemd_system_unitdir}
+                install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_system_unitdir}
+        fi
+
+        install -d ${D}/etc/default/volatiles
+        install -m 0644 ${UNPACKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
+
+        install -d ${D}${includedir}
+        install -m 0644 ${S}/src/common/wpa_ctrl.h ${D}${includedir}
+
+        if [ -z "${DISABLE_STATIC}" ]; then
+                install -d ${D}${libdir}
+                install -m 0644 wpa_supplicant/libwpa_client.a ${D}${libdir}
+        fi
+}
+
+pkg_postinst:${PN} () {
+        # If we're offline, we don't need to do this.
+        if [ "x$D" = "x" ]; then
+                killall -q -HUP dbus-daemon || true
+        fi
+}
+
+PACKAGE_BEFORE_PN += "${PN}-passphrase ${PN}-cli"
+PACKAGES =+ "${PN}-lib"
+PACKAGES += "${PN}-plugins"
+ALLOW_EMPTY:${PN}-plugins = "1"
+
+PACKAGES_DYNAMIC += "^${PN}-plugin-.*$"
+NOAUTOPACKAGEDEBUG = "1"
+
+FILES:${PN}-passphrase = "${sbindir}/wpa_passphrase"
+FILES:${PN}-cli = "${sbindir}/wpa_cli"
+FILES:${PN}-lib = "${libdir}/libwpa_client*${SOLIBSDEV}"
+FILES:${PN} += "${datadir}/dbus-1/system-services/* ${systemd_system_unitdir}/*"
+FILES:${PN}-dbg += "${sbindir}/.debug ${libdir}/.debug"
+
+CONFFILES:${PN} += "${sysconfdir}/wpa_supplicant.conf"
+
+RRECOMMENDS:${PN} = "${PN}-passphrase ${PN}-cli ${PN}-plugins"
+
+SYSTEMD_SERVICE:${PN} = "wpa_supplicant.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+python split_wpa_supplicant_libs () {
+    libdir = d.expand('${libdir}/wpa_supplicant')
+    dbglibdir = os.path.join(libdir, '.debug')
+
+    split_packages = do_split_packages(d, libdir, r'^(.*)\.so', '${PN}-plugin-%s', 'wpa_supplicant %s plugin', prepend=True)
+    split_dbg_packages = do_split_packages(d, dbglibdir, r'^(.*)\.so', '${PN}-plugin-%s-dbg', 'wpa_supplicant %s plugin - Debugging files', prepend=True, extra_depends='${PN}-dbg')
+
+    if split_packages:
+        pn = d.getVar('PN')
+        d.setVar('RRECOMMENDS:' + pn + '-plugins', ' '.join(split_packages))
+        d.appendVar('RRECOMMENDS:' + pn + '-dbg', ' ' + ' '.join(split_dbg_packages))
+}
+PACKAGESPLITFUNCS += "split_wpa_supplicant_libs"
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
deleted file mode 100644
index 33b1495bb2..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ /dev/null
@@ -1,117 +0,0 @@
-SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
-HOMEPAGE = "http://w1.fi/wpa_supplicant/"
-DESCRIPTION = "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver."
-BUGTRACKER = "http://w1.fi/security/"
-SECTION = "network"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://COPYING;md5=279b4f5abb9c153c285221855ddb78cc \
-                    file://README;beginline=1;endline=56;md5=e7d3dbb01f75f0b9799e192731d1e1ff \
-                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=0a8b56d3543498b742b9c0e94cc2d18b"
-DEPENDS = "dbus libnl"
-RRECOMMENDS:${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
-
-PACKAGECONFIG ??= "openssl"
-PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
-PACKAGECONFIG[openssl] = ",,openssl"
-
-inherit pkgconfig systemd
-
-SYSTEMD_SERVICE:${PN} = "wpa_supplicant.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
-           file://defconfig \
-           file://wpa-supplicant.sh \
-           file://wpa_supplicant.conf \
-           file://wpa_supplicant.conf-sane \
-           file://99_wpa_supplicant \
-           file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
-           file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
-           file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
-           file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
-           file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
-           file://CVE-2021-0326.patch \
-           file://CVE-2021-27803.patch \
-           file://CVE-2021-30004.patch \
-          "
-SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
-SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
-
-CVE_PRODUCT = "wpa_supplicant"
-
-S = "${WORKDIR}/wpa_supplicant-${PV}"
-
-PACKAGES:prepend = "wpa-supplicant-passphrase wpa-supplicant-cli "
-FILES:wpa-supplicant-passphrase = "${bindir}/wpa_passphrase"
-FILES:wpa-supplicant-cli = "${sbindir}/wpa_cli"
-FILES:${PN} += "${datadir}/dbus-1/system-services/* ${systemd_system_unitdir}/*"
-CONFFILES:${PN} += "${sysconfdir}/wpa_supplicant.conf"
-
-do_configure () {
-        ${MAKE} -C wpa_supplicant clean
-        install -m 0755 ${WORKDIR}/defconfig wpa_supplicant/.config
-
-        if echo "${PACKAGECONFIG}" | grep -qw "openssl"; then
-                ssl=openssl
-        elif echo "${PACKAGECONFIG}" | grep -qw "gnutls"; then
-                ssl=gnutls
-        fi
-        if [ -n "$ssl" ]; then
-                sed -i "s/%ssl%/$ssl/" wpa_supplicant/.config
-        fi
-
-        # For rebuild
-        rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d
-}
-
-export EXTRA_CFLAGS = "${CFLAGS}"
-export BINDIR = "${sbindir}"
-
-do_compile () {
-        unset CFLAGS CPPFLAGS CXXFLAGS
-        sed -e "s:CFLAGS\ =.*:& \$(EXTRA_CFLAGS):g" -i ${S}/src/lib.rules
-        oe_runmake -C wpa_supplicant
-}
-
-do_install () {
-        install -d ${D}${sbindir}
-        install -m 755 wpa_supplicant/wpa_supplicant ${D}${sbindir}
-        install -m 755 wpa_supplicant/wpa_cli        ${D}${sbindir}
-
-        install -d ${D}${bindir}
-        install -m 755 wpa_supplicant/wpa_passphrase ${D}${bindir}
-
-        install -d ${D}${docdir}/wpa_supplicant
-        install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
-
-        install -d ${D}${sysconfdir}
-        install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
-
-        install -d ${D}${sysconfdir}/network/if-pre-up.d/
-        install -d ${D}${sysconfdir}/network/if-post-down.d/
-        install -d ${D}${sysconfdir}/network/if-down.d/
-        install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
-        cd ${D}${sysconfdir}/network/ && \
-        ln -sf ../if-pre-up.d/wpa-supplicant if-post-down.d/wpa-supplicant
-
-        install -d ${D}/${sysconfdir}/dbus-1/system.d
-        install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d
-        install -d ${D}/${datadir}/dbus-1/system-services
-        install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services
-
-        if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-                install -d ${D}/${systemd_system_unitdir}
-                install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_system_unitdir}
-        fi
-
-        install -d ${D}/etc/default/volatiles
-        install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
-}
-
-pkg_postinst:wpa-supplicant () {
-        # If we're offline, we don't need to do this.
-        if [ "x$D" = "x" ]; then
-                killall -q -HUP dbus-daemon || true
-        fi
-
-}