99 files changed, 716 insertions, 225 deletions

diff --git a/meta/recipes-core/base-files/base-files_3.0.14.bb b/meta/recipes-core/base-files/base-files_3.0.14.bb
index 59b084d141..3f01bb35d9 100644
--- a/meta/recipes-core/base-files/base-files_3.0.14.bb
+++ b/meta/recipes-core/base-files/base-files_3.0.14.bb
@@ -25,8 +25,7 @@ SRC_URI = "file://rotation \
            file://licenses/GPL-2 \
            "
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 INHIBIT_DEFAULT_DEPS = "1"
 
diff --git a/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb b/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb
index 3d5247ee87..177927d674 100644
--- a/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb
+++ b/meta/recipes-core/base-passwd/base-passwd_3.6.7.bb
@@ -21,7 +21,7 @@ SRC_URI[sha256sum] = "cf869870fed7862b57bfa9e99cd5cd6f365e2349705a1b65af7fc18262
 # so we check the latest upstream from a directory that does get updated
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/b/base-passwd/"
 
-S = "${WORKDIR}/work"
+S = "${UNPACKDIR}/work"
 
 PACKAGECONFIG = "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
 PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
diff --git a/meta/recipes-core/busybox/busybox-inittab_1.37.0.bb b/meta/recipes-core/busybox/busybox-inittab_1.37.0.bb
index 4ffc44c808..8b46b5763e 100644
--- a/meta/recipes-core/busybox/busybox-inittab_1.37.0.bb
+++ b/meta/recipes-core/busybox/busybox-inittab_1.37.0.bb
@@ -4,8 +4,7 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0-only;m
 
 SRC_URI = "file://inittab"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 INHIBIT_DEFAULT_DEPS = "1"
 
@@ -49,7 +48,6 @@ EOF
 
 }
 
-
 # SERIAL_CONSOLES is generally defined by the MACHINE .conf.
 # Set PACKAGE_ARCH appropriately.
 PACKAGE_ARCH = "${MACHINE_ARCH}"
diff --git a/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch b/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch
new file mode 100644
index 0000000000..41be1635b5
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch
@@ -0,0 +1,112 @@
+From 8763c305c29d0abb7e2be4695212b42917d054b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
+Date: Tue, 20 May 2025 16:03:44 +0100
+Subject: [PATCH] sort: fix buffer under-read (CWE-127)
+
+* src/sort.c (begfield): Check pointer adjustment
+to avoid Out-of-range pointer offset (CWE-823).
+(limfield): Likewise.
+* tests/sort/sort-field-limit.sh: Add a new test,
+which triggers with ASAN or Valgrind.
+* tests/local.mk: Reference the new test.
+* NEWS: Mention bug fix introduced in v7.2 (2009).
+Fixes https://bugs.gnu.org/78507
+
+CVE: CVE-2025-5278
+
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/sort.c                     | 12 ++++++++++--
+ tests/local.mk                 |  1 +
+ tests/sort/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 2 deletions(-)
+ create mode 100755 tests/sort/sort-field-limit.sh
+
+diff --git a/src/sort.c b/src/sort.c
+index b10183b6f..7af1a2512 100644
+--- a/src/sort.c
++++ b/src/sort.c
+@@ -1644,7 +1644,11 @@ begfield (struct line const *line, struct keyfield const *key)
+       ++ptr;
+ 
+   /* Advance PTR by SCHAR (if possible), but no further than LIM.  */
+-  ptr = MIN (lim, ptr + schar);
++  size_t remaining_bytes = lim - ptr;
++  if (schar < remaining_bytes)
++    ptr += schar;
++  else
++    ptr = lim;
+ 
+   return ptr;
+ }
+@@ -1746,7 +1750,11 @@ limfield (struct line const *line, struct keyfield const *key)
+           ++ptr;
+ 
+       /* Advance PTR by ECHAR (if possible), but no further than LIM.  */
+-      ptr = MIN (lim, ptr + echar);
++      size_t remaining_bytes = lim - ptr;
++      if (echar < remaining_bytes)
++        ptr += echar;
++      else
++        ptr = lim;
+     }
+ 
+   return ptr;
+diff --git a/tests/local.mk b/tests/local.mk
+index 4da6756ac..642d225fa 100644
+--- a/tests/local.mk
++++ b/tests/local.mk
+@@ -388,6 +388,7 @@ all_tests =                                 \
+   tests/sort/sort-debug-keys.sh                        \
+   tests/sort/sort-debug-warn.sh                        \
+   tests/sort/sort-discrim.sh                   \
++  tests/sort/sort-field-limit.sh               \
+   tests/sort/sort-files0-from.pl               \
+   tests/sort/sort-float.sh                     \
+   tests/sort/sort-h-thousands-sep.sh           \
+diff --git a/tests/sort/sort-field-limit.sh b/tests/sort/sort-field-limit.sh
+new file mode 100755
+index 000000000..52d8e1d17
+--- /dev/null
++++ b/tests/sort/sort-field-limit.sh
+@@ -0,0 +1,35 @@
++#!/bin/sh
++# From 7.2-9.7, this would trigger an out of bounds mem read
++
++# Copyright (C) 2025 Free Software Foundation, Inc.
++
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <https://www.gnu.org/licenses/>.
++
++. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
++print_ver_ sort
++getlimits_
++
++# This issue triggers with valgrind or ASAN
++valgrind --error-exitcode=1 sort --version 2>/dev/null &&
++  VALGRIND='valgrind --error-exitcode=1'
++
++{ printf '%s\n' aa bb; } > in || framework_failure_
++
++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
++compare in out || fail=1
++
++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
++compare in out || fail=1
++
++Exit $fail
+-- 
+2.34.1
+
diff --git a/meta/recipes-core/coreutils/coreutils_9.7.bb b/meta/recipes-core/coreutils/coreutils_9.7.bb
index 091e1ea2c5..5a6456d65e 100644
--- a/meta/recipes-core/coreutils/coreutils_9.7.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.7.bb
@@ -15,6 +15,7 @@ inherit autotools gettext texinfo
 
 SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
            file://remove-usr-local-lib-from-m4.patch \
+           file://0001-sort-fix-buffer-under-read-CWE-127.patch \
            file://run-ptest \
            "
 SRC_URI[sha256sum] = "e8bb26ad0293f9b5a1fc43fb42ba970e312c66ce92c1b0b16713d7500db251bf"
@@ -74,11 +75,6 @@ RDEPENDS:coreutils:class-target += "${@bb.utils.contains('PACKAGECONFIG', 'singl
 # regardless of whether single-binary is in effect.
 RPROVIDES:coreutils += "${@bb.utils.contains('PACKAGECONFIG', 'single-binary', 'coreutils-stdbuf', '', d)}"
 
-# put getlimits into coreutils-getlimits, because other ptest packages such as
-# findutils-ptest may need this command. Note that getlimits is a noinst_PROGRAM
-PACKAGE_BEFORE_PN:class-target += "${PN}-getlimits"
-FILES:${PN}-getlimits = "${bindir}/getlimits"
-
 # Deal with a separate builddir failure if src doesn't exist when creating version.c/version.h
 do_compile:prepend () {
         mkdir -p ${B}/src
@@ -106,9 +102,6 @@ do_install:append() {
         # in update-alternatives to fail, therefore use lbracket - the name used
         # for the actual source file.
         mv ${D}${bindir}/[ ${D}${bindir}/lbracket.${BPN}
-
-        # this getlimits noinst_PROGRAM would possibly be needed by other ptest packages
-        install ${B}/src/getlimits ${D}/${bindir}
 }
 
 inherit update-alternatives
@@ -213,6 +206,7 @@ do_install_ptest () {
         fi
     done
 
+    install ${B}/src/getlimits ${D}/${bindir}
     # handle multilib
     sed -i s:@libdir@:${libdir}:g ${D}${PTEST_PATH}/run-ptest
 }
@@ -224,6 +218,7 @@ do_install_ptest:append:libc-musl () {
     sed -i -e '/tests\/split\/line-bytes.sh/d' ${D}${PTEST_PATH}/Makefile
 }
 
-RDEPENDS:${PN}-ptest += "${PN}-getlimits xz  \
+RDEPENDS:${PN}-ptest += "xz  \
                          ${@bb.utils.contains('PACKAGECONFIG', 'acl', 'acl', '', d)} \
                          ${@bb.utils.contains('PACKAGECONFIG', 'xattr', 'attr', '', d)}"
+FILES:${PN}-ptest += "${bindir}/getlimits"
diff --git a/meta/recipes-core/dbus-wait/dbus-wait_git.bb b/meta/recipes-core/dbus-wait/dbus-wait_git.bb
index 39363b9b3a..c6a9abde63 100644
--- a/meta/recipes-core/dbus-wait/dbus-wait_git.bb
+++ b/meta/recipes-core/dbus-wait/dbus-wait_git.bb
@@ -13,6 +13,4 @@ PV = "0.1+git"
 SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master;protocol=https"
 UPSTREAM_CHECK_COMMITS = "1"
 
-S = "${WORKDIR}/git"
-
 inherit autotools pkgconfig
diff --git a/meta/recipes-core/dbus/dbus_1.16.2.bb b/meta/recipes-core/dbus/dbus_1.16.2.bb
index caff4c079b..65f7028b4f 100644
--- a/meta/recipes-core/dbus/dbus_1.16.2.bb
+++ b/meta/recipes-core/dbus/dbus_1.16.2.bb
@@ -148,7 +148,6 @@ do_install:append:class-target() {
                 ln -fs ../dbus.service ${D}${systemd_system_unitdir}/multi-user.target.wants/dbus.service
         fi
 
-
         mkdir -p ${D}${localstatedir}/lib/dbus
 
         chown messagebus:messagebus ${D}${localstatedir}/lib/dbus
diff --git a/meta/recipes-core/dropbear/dropbear_2025.88.bb b/meta/recipes-core/dropbear/dropbear_2025.88.bb
index f203763b17..72a886d907 100644
--- a/meta/recipes-core/dropbear/dropbear_2025.88.bb
+++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb
@@ -48,10 +48,10 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
 BINCOMMANDS = "dbclient ssh scp"
 EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
 
-PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
+PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam x11', d)}"
 PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}"
 PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
-PACKAGECONFIG[enable-x11-forwarding] = ""
+PACKAGECONFIG[x11] = ",,,,xauth"
 
 # This option appends to CFLAGS and LDFLAGS from OE
 # This is causing [textrel] QA warning
@@ -62,7 +62,7 @@ EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
 
 do_configure:append() {
         echo "/* Dropbear features */" > ${B}/localoptions.h
-        if ${@bb.utils.contains('PACKAGECONFIG', 'enable-x11-forwarding', 'true', 'false', d)}; then
+        if ${@bb.utils.contains('PACKAGECONFIG', 'x11', 'true', 'false', d)}; then
                 echo "#define DROPBEAR_X11FWD 1" >> ${B}/localoptions.h
         fi
 }
diff --git a/meta/recipes-core/fts/fts_1.2.7.bb b/meta/recipes-core/fts/fts_1.2.7.bb
index 10103830af..699dc5ddd3 100644
--- a/meta/recipes-core/fts/fts_1.2.7.bb
+++ b/meta/recipes-core/fts/fts_1.2.7.bb
@@ -12,8 +12,6 @@ SRCREV = "0bde52df588e8969879a2cae51c3a4774ec62472"
 
 SRC_URI = "git://github.com/pullmoll/musl-fts.git;branch=master;protocol=https"
 
-S = "${WORKDIR}/git"
-
 inherit autotools pkgconfig
 #
 # We will skip parsing for non-musl systems
diff --git a/meta/recipes-core/gettext/gettext-minimal-native_0.23.1.bb b/meta/recipes-core/gettext/gettext-minimal-native_0.23.1.bb
index e443b6b34f..941896ec48 100644
--- a/meta/recipes-core/gettext/gettext-minimal-native_0.23.1.bb
+++ b/meta/recipes-core/gettext/gettext-minimal-native_0.23.1.bb
@@ -17,7 +17,7 @@ LIC_FILES_CHKSUM = "file://${UNPACKDIR}/COPYING;md5=4bd090a20bfcd1a18f1f79837b5e
 
 inherit native
 
-S = "${WORKDIR}/gettext-${PV}"
+S = "${UNPACKDIR}/gettext-${PV}"
 
 python get_aclocal_files() {
     fpath = oe.path.join(d.getVar("S"), "/gettext-tools/m4/Makefile.am")
diff --git a/meta/recipes-core/gettext/gettext_0.23.1.bb b/meta/recipes-core/gettext/gettext_0.23.1.bb
index cbc3e48890..c704a3b6d7 100644
--- a/meta/recipes-core/gettext/gettext_0.23.1.bb
+++ b/meta/recipes-core/gettext/gettext_0.23.1.bb
@@ -13,7 +13,6 @@ LIC_FILES_CHKSUM:append = " ${@bb.utils.contains('PACKAGECONFIG', 'libxml', '',
 # without glib in PACKAGECONFIG vendor copy of the lib will be used
 LIC_FILES_CHKSUM:append = " ${@bb.utils.contains('PACKAGECONFIG', 'glib', '', 'file://libtextstyle/lib/glib/ghash.c;md5=e3159f5ac38dfe77af5cc0ee104dab2d;beginline=10;endline=27', d)}"
 
-
 DEPENDS = "gettext-native virtual/libiconv"
 DEPENDS:class-native = "gettext-minimal-native"
 PROVIDES = "virtual/libintl virtual/gettext"
diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
index 38e75aab61..ba7763c841 100644
--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -30,7 +30,7 @@ LEAD_SONAME = "libglib-2.0.*"
 
 inherit meson gettext gi-docgen pkgconfig ptest-gnome upstream-version-is-even bash-completion gio-module-cache manpages gobject-introspection-data
 
-S = "${WORKDIR}/glib-${PV}"
+S = "${UNPACKDIR}/glib-${PV}"
 
 GIDOCGEN_MESON_OPTION = "documentation"
 
diff --git a/meta/recipes-core/glibc/cross-localedef-native_2.41.bb b/meta/recipes-core/glibc/cross-localedef-native_2.41.bb
index 5aeb84ac80..95acb3fc56 100644
--- a/meta/recipes-core/glibc/cross-localedef-native_2.41.bb
+++ b/meta/recipes-core/glibc/cross-localedef-native_2.41.bb
@@ -20,7 +20,7 @@ inherit native
 FILESEXTRAPATHS =. "${FILE_DIRNAME}/${PN}:${FILE_DIRNAME}/glibc:"
 
 SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
-           git://github.com/kraj/localedef;branch=master;name=localedef;destsuffix=git/localedef;protocol=https \
+           git://github.com/kraj/localedef;branch=master;name=localedef;destsuffix=${BB_GIT_DEFAULT_DESTSUFFIX}/localedef;protocol=https \
            \
            file://0001-localedef-Add-hardlink-resolver-from-util-linux.patch \
            file://0002-localedef-fix-ups-hardlink-to-make-it-compile.patch \
@@ -37,8 +37,6 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 #
 SRCREV_FORMAT = "glibc_localedef"
 
-S = "${WORKDIR}/git"
-
 EXTRA_OECONF = "--with-glibc=${S}"
 
 # We do not need bash to run tzselect script, the default is to use
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index d84106fb95..2d31131e03 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.41/master"
 PV = "2.41+git"
-SRCREV_glibc ?= "5b4c4617016d28569106549dff6f9fec73eed5ce"
+SRCREV_glibc ?= "0c76c951620f9e12df2a89b2c684878b55bb6795"
 SRCREV_localedef ?= "fab74f31b3811df543e24b6de47efdf45b538abc"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
diff --git a/meta/recipes-core/glibc/glibc/0001-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch b/meta/recipes-core/glibc/glibc/0001-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch
index 862c7b9086..b42b186418 100644
--- a/meta/recipes-core/glibc/glibc/0001-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch
+++ b/meta/recipes-core/glibc/glibc/0001-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch
@@ -13,7 +13,7 @@ diff --git a/Makeconfig b/Makeconfig
 index e35c5cfe4e..7a19c731c6 100644
 --- a/Makeconfig
 +++ b/Makeconfig
-@@ -1176,7 +1176,7 @@ endif
+@@ -1172,7 +1172,7 @@ endif
  
  # The assembler can generate debug information too.
  ifndef ASFLAGS
diff --git a/meta/recipes-core/glibc/glibc/0023-tests-Skip-2-qemu-tests-that-can-hang-in-oe-selftest.patch b/meta/recipes-core/glibc/glibc/0023-tests-Skip-2-qemu-tests-that-can-hang-in-oe-selftest.patch
index 71777d3f2c..50d80ed577 100644
--- a/meta/recipes-core/glibc/glibc/0023-tests-Skip-2-qemu-tests-that-can-hang-in-oe-selftest.patch
+++ b/meta/recipes-core/glibc/glibc/0023-tests-Skip-2-qemu-tests-that-can-hang-in-oe-selftest.patch
@@ -40,7 +40,7 @@ index 8a755293b3..22dafcaad1 100644
    # tests
  
  # process_madvise requires CAP_SYS_ADMIN.
-@@ -277,9 +278,10 @@ tests-time64 += \
+@@ -282,9 +283,10 @@ tests-time64 += \
    tst-ntp_gettimex-time64 \
    tst-ppoll-time64 \
    tst-prctl-time64 \
diff --git a/meta/recipes-core/glibc/glibc_2.41.bb b/meta/recipes-core/glibc/glibc_2.41.bb
index 82dcf08fcd..7771fac041 100644
--- a/meta/recipes-core/glibc/glibc_2.41.bb
+++ b/meta/recipes-core/glibc/glibc_2.41.bb
@@ -17,7 +17,7 @@ Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, m
 easier access for another. 'ASLR bypass itself is not a vulnerability.'"
 
 CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORTS"
-CVE_STATUS_STABLE_BACKPORTS = ""
+CVE_STATUS_STABLE_BACKPORTS = "CVE-2025-4802 CVE-2025-5702 CVE-2025-5745"
 CVE_STATUS_STABLE_BACKPORTS[status] = "cpe-stable-backport: fix available in used git hash"
 
 DEPENDS += "gperf-native bison-native"
@@ -56,7 +56,6 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0001-stdlib-Add-single-threaded-fast-path-to-rand.patch \
            file://0001-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch \
 "
-S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
 
 PACKAGES_DYNAMIC = ""
diff --git a/meta/recipes-core/glibc/ldconfig-native_2.12.1.bb b/meta/recipes-core/glibc/ldconfig-native_2.12.1.bb
index 9ca95d1e52..1c475eeb8a 100644
--- a/meta/recipes-core/glibc/ldconfig-native_2.12.1.bb
+++ b/meta/recipes-core/glibc/ldconfig-native_2.12.1.bb
@@ -19,12 +19,11 @@ SRC_URI = "file://ldconfig-native-2.12.1.tar.bz2 \
            file://ldconfig-handle-.dynstr-located-in-separate-segment.patch \
 "
 
-
 FILESEXTRAPATHS =. "${FILE_DIRNAME}/${P}:"
 
 inherit native
 
-S = "${WORKDIR}/${PN}-${PV}"
+S = "${UNPACKDIR}/${PN}-${PV}"
 
 do_compile () {
         $CC ldconfig.c -std=gnu99 chroot_canon.c xmalloc.c xstrdup.c cache.c readlib.c  -I. dl-cache.c -o ldconfig
diff --git a/meta/recipes-core/ifupdown/ifupdown_0.8.44.bb b/meta/recipes-core/ifupdown/ifupdown_0.8.44.bb
index 3e7bece41b..8a8f477361 100644
--- a/meta/recipes-core/ifupdown/ifupdown_0.8.44.bb
+++ b/meta/recipes-core/ifupdown/ifupdown_0.8.44.bb
@@ -18,9 +18,6 @@ SRC_URI = "git://salsa.debian.org/debian/ifupdown.git;protocol=https;branch=mast
            "
 SRCREV = "7d44f9ce6717a4a496fd46f28c52e12dbf5bafdd"
 
-S = "${WORKDIR}/git"
-
-
 inherit ptest update-alternatives
 
 do_compile () {
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index 03f02d14ae..4daedfb43c 100644
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -26,8 +26,8 @@ inherit core-image setuptools3 features_check
 
 REQUIRED_DISTRO_FEATURES += "xattr"
 
-SRCREV ?= "52b5f6a95de7228a12a9156a4aaa932daf54456f"
-SRC_URI = "git://git.yoctoproject.org/poky;branch=master \
+SRCREV ?= "b1b3318eff36d4d9b2d3a935dee607c4f012f992"
+SRC_URI = "git://git.yoctoproject.org/poky;branch=master;destsuffix=poky \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \
            file://README_VirtualBox_Guest_Additions.txt \
@@ -44,10 +44,10 @@ IMAGE_CMD:ext4:append () {
 fakeroot do_populate_poky_src () {
         # Because fetch2's git's unpack uses -s cloneflag, the unpacked git repo
         # will become invalid in the target.
-        rm -rf ${UNPACKDIR}/git/.git
-        rm -f ${UNPACKDIR}/git/.gitignore
+        rm -rf ${UNPACKDIR}/poky/.git
+        rm -f ${UNPACKDIR}/poky/.gitignore
 
-        cp -R ${UNPACKDIR}/git ${IMAGE_ROOTFS}/home/builder/poky
+        cp -R ${UNPACKDIR}/poky ${IMAGE_ROOTFS}/home/builder/poky
 
         mkdir -p ${IMAGE_ROOTFS}/home/builder/poky/build/conf
         mkdir -p ${IMAGE_ROOTFS}/home/builder/poky/build/downloads
diff --git a/meta/recipes-core/init-ifupdown/init-ifupdown_1.0.bb b/meta/recipes-core/init-ifupdown/init-ifupdown_1.0.bb
index ddf9d1b311..da594d00b7 100644
--- a/meta/recipes-core/init-ifupdown/init-ifupdown_1.0.bb
+++ b/meta/recipes-core/init-ifupdown/init-ifupdown_1.0.bb
@@ -15,8 +15,7 @@ SRC_URI = "file://copyright \
            file://interfaces \
            file://nfsroot"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install () {
         install -d ${D}${sysconfdir}/init.d \
diff --git a/meta/recipes-core/initrdscripts/initramfs-boot_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-boot_1.0.bb
index ec3544c67a..e0a6319ccf 100644
--- a/meta/recipes-core/initrdscripts/initramfs-boot_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-boot_1.0.bb
@@ -3,8 +3,7 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 SRC_URI = "file://init-boot.sh"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
         install -m 0755 ${S}/init-boot.sh ${D}/init
diff --git a/meta/recipes-core/initrdscripts/initramfs-framework/nfsrootfs b/meta/recipes-core/initrdscripts/initramfs-framework/nfsrootfs
index e67ee4c25d..30555aef55 100644
--- a/meta/recipes-core/initrdscripts/initramfs-framework/nfsrootfs
+++ b/meta/recipes-core/initrdscripts/initramfs-framework/nfsrootfs
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 nfsrootfs_enabled() {
-        if [ ${bootparam_root} != "/dev/nfs" ] || [ -z ${bootparam_nfsroot} ]; then
+        if [ "${bootparam_root}" != "/dev/nfs" ] || [ -z ${bootparam_nfsroot} ]; then
                 return 1
         fi
         return 0
diff --git a/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb
index bb4984366d..2ec03bc34c 100644
--- a/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb
@@ -4,7 +4,6 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
 RDEPENDS:${PN} += "${VIRTUAL-RUNTIME_base-utils}"
 RRECOMMENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog}"
 
-
 inherit allarch
 
 SRC_URI = "file://init \
@@ -20,8 +19,7 @@ SRC_URI = "file://init \
            file://overlayroot \
           "
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
     install -d ${D}/init.d
diff --git a/meta/recipes-core/initrdscripts/initramfs-live-boot-tiny_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-live-boot-tiny_1.0.bb
index 40046f30a7..6b99ab1843 100644
--- a/meta/recipes-core/initrdscripts/initramfs-live-boot-tiny_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-live-boot-tiny_1.0.bb
@@ -5,8 +5,7 @@ DEPENDS = "virtual/kernel"
 RDEPENDS:${PN} = "busybox-mdev"
 SRC_URI = "file://init-live.sh"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
         install -m 0755 ${S}/init-live.sh ${D}/init
diff --git a/meta/recipes-core/initrdscripts/initramfs-live-boot_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-live-boot_1.0.bb
index 7851cc9605..8c8355a53e 100644
--- a/meta/recipes-core/initrdscripts/initramfs-live-boot_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-live-boot_1.0.bb
@@ -5,8 +5,7 @@ DEPENDS = "virtual/kernel"
 RDEPENDS:${PN} = "udev udev-extraconf"
 SRC_URI = "file://init-live.sh"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
         install -m 0755 ${S}/init-live.sh ${D}/init
diff --git a/meta/recipes-core/initrdscripts/initramfs-live-install-efi-testfs_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-live-install-efi-testfs_1.0.bb
index 31291bcdf2..e308727320 100644
--- a/meta/recipes-core/initrdscripts/initramfs-live-install-efi-testfs_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-live-install-efi-testfs_1.0.bb
@@ -5,8 +5,7 @@ SRC_URI = "file://init-install-efi-testfs.sh"
 
 RDEPENDS:${PN} = "parted e2fsprogs-mke2fs dosfstools"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
         install -m 0755 ${S}/init-install-efi-testfs.sh ${D}/install-efi.sh
diff --git a/meta/recipes-core/initrdscripts/initramfs-live-install-efi_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-live-install-efi_1.0.bb
index ff3b5622db..77462f4425 100644
--- a/meta/recipes-core/initrdscripts/initramfs-live-install-efi_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-live-install-efi_1.0.bb
@@ -6,8 +6,7 @@ SRC_URI = "file://init-install-efi.sh"
 RDEPENDS:${PN} = "parted e2fsprogs-mke2fs dosfstools util-linux-blkid ${VIRTUAL-RUNTIME_base-utils}"
 RRECOMMENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog}"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
         install -m 0755 ${S}/init-install-efi.sh ${D}/install-efi.sh
diff --git a/meta/recipes-core/initrdscripts/initramfs-live-install-testfs_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-live-install-testfs_1.0.bb
index 19f05f9fec..05f92203cd 100644
--- a/meta/recipes-core/initrdscripts/initramfs-live-install-testfs_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-live-install-testfs_1.0.bb
@@ -5,8 +5,7 @@ SRC_URI = "file://init-install-testfs.sh"
 
 RDEPENDS:${PN} = "grub parted e2fsprogs-mke2fs"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
         install -m 0755 ${S}/init-install-testfs.sh ${D}/install.sh
diff --git a/meta/recipes-core/initrdscripts/initramfs-live-install_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-live-install_1.0.bb
index 1d489e2b64..791bd57171 100644
--- a/meta/recipes-core/initrdscripts/initramfs-live-install_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-live-install_1.0.bb
@@ -3,8 +3,7 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 SRC_URI = "file://init-install.sh"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 RDEPENDS:${PN} = "grub parted e2fsprogs-mke2fs util-linux-blkid ${VIRTUAL-RUNTIME_base-utils}"
 RRECOMMENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog}"
diff --git a/meta/recipes-core/initrdscripts/initramfs-module-install-efi_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-module-install-efi_1.0.bb
index bb3f275f26..0283149899 100644
--- a/meta/recipes-core/initrdscripts/initramfs-module-install-efi_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-module-install-efi_1.0.bb
@@ -4,11 +4,9 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
 RDEPENDS:${PN} = "initramfs-framework-base parted e2fsprogs-mke2fs dosfstools util-linux-blkid ${VIRTUAL-RUNTIME_base-utils}"
 RRECOMMENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog}"
 
-
 SRC_URI = "file://init-install-efi.sh"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
     install -d ${D}/init.d
diff --git a/meta/recipes-core/initrdscripts/initramfs-module-install_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-module-install_1.0.bb
index d6d8348731..f44c753da0 100644
--- a/meta/recipes-core/initrdscripts/initramfs-module-install_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-module-install_1.0.bb
@@ -9,11 +9,9 @@ COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*)-(linux.*|freebsd.*)'
 COMPATIBLE_HOST:armv7a = 'null'
 COMPATIBLE_HOST:armv7ve = 'null'
 
-
 SRC_URI = "file://init-install.sh"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
     install -d ${D}/init.d
diff --git a/meta/recipes-core/initrdscripts/initramfs-module-setup-live_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-module-setup-live_1.0.bb
index 4d9ef79a63..3afbd5d47d 100644
--- a/meta/recipes-core/initrdscripts/initramfs-module-setup-live_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-module-setup-live_1.0.bb
@@ -3,14 +3,12 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 RDEPENDS:${PN} = "initramfs-framework-base udev-extraconf"
 
-
 inherit allarch
 
 FILESEXTRAPATHS:prepend := "${THISDIR}/initramfs-framework:"
 SRC_URI = "file://setup-live"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
     install -d ${D}/init.d
diff --git a/meta/recipes-core/initscripts/init-system-helpers_1.68.bb b/meta/recipes-core/initscripts/init-system-helpers_1.68.bb
index 036c86a536..48ac7792d3 100644
--- a/meta/recipes-core/initscripts/init-system-helpers_1.68.bb
+++ b/meta/recipes-core/initscripts/init-system-helpers_1.68.bb
@@ -20,8 +20,6 @@ SRCREV = "78486a4a2a305170b66ce4d907bedadbaed10daf"
 SRC_URI = "git://salsa.debian.org/debian/init-system-helpers.git;protocol=https;branch=master"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>(\d+(\.\d+)+))(?!_exp)"
 
-S = "${WORKDIR}/git"
-
 do_configure[noexec] = "1"
 do_compile[noexec] = "1"
 
diff --git a/meta/recipes-core/initscripts/initscripts_1.0.bb b/meta/recipes-core/initscripts/initscripts_1.0.bb
index 0bc078c5eb..c984257c5c 100644
--- a/meta/recipes-core/initscripts/initscripts_1.0.bb
+++ b/meta/recipes-core/initscripts/initscripts_1.0.bb
@@ -35,8 +35,7 @@ SRC_URI = "file://functions \
            ${@bb.utils.contains('DISTRO_FEATURES','selinux','file://sushell','',d)} \
 "
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 SRC_URI:append:arm = " file://alignment.sh"
 SRC_URI:append:armeb = " file://alignment.sh"
diff --git a/meta/recipes-core/libxcrypt/libxcrypt.inc b/meta/recipes-core/libxcrypt/libxcrypt.inc
index 55619daef7..77fec83234 100644
--- a/meta/recipes-core/libxcrypt/libxcrypt.inc
+++ b/meta/recipes-core/libxcrypt/libxcrypt.inc
@@ -16,8 +16,6 @@ SRCBRANCH ?= "master"
 
 PROVIDES = "virtual/crypt"
 
-S = "${WORKDIR}/git"
-
 BUILD_CPPFLAGS = "-I${STAGING_INCDIR_NATIVE}"
 TARGET_CPPFLAGS = "-I${STAGING_DIR_TARGET}${includedir} -Wno-error"
 CPPFLAGS:append:class-nativesdk = " -Wno-error"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
new file mode 100644
index 0000000000..157486848b
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
@@ -0,0 +1,59 @@
+From 33d7969baf541326a35e2fbe31943c46af8c71db Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 27 May 2025 12:53:17 +0200
+Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
+
+This issue affects memory safety and might receive a CVE ID later.
+
+Fixes #926.
+
+Signed-off-by: Nick Wellnhofer <wellnhofer@aevum.de>
+
+Add '#include <stdint.h>' to assure the definition of SIZE_MAX
+CVE: CVE-2025-6021
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ tree.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 7454b07..22ec11c 100644
+--- a/tree.c
++++ b/tree.c
+@@ -23,6 +23,7 @@
+ #include <limits.h>
+ #include <ctype.h>
+ #include <stdlib.h>
++#include <stdint.h>
+ 
+ #ifdef LIBXML_ZLIB_ENABLED
+ #include <zlib.h>
+@@ -168,10 +169,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
+ xmlChar *
+ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+              xmlChar *memory, int len) {
+-    int lenn, lenp;
++    size_t lenn, lenp;
+     xmlChar *ret;
+ 
+-    if (ncname == NULL) return(NULL);
++    if ((ncname == NULL) || (len < 0)) return(NULL);
+     if (prefix == NULL) return((xmlChar *) ncname);
+ 
+ #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+@@ -182,8 +183,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
+ 
+     lenn = strlen((char *) ncname);
+     lenp = strlen((char *) prefix);
++    if (lenn >= SIZE_MAX - lenp - 1)
++        return(NULL);
+ 
+-    if ((memory == NULL) || (len < lenn + lenp + 2)) {
++    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
+        ret = xmlMalloc(lenn + lenp + 2);
+        if (ret == NULL)
+            return(NULL);
+-- 
+2.34.1
+
diff --git a/meta/recipes-core/libxml/libxml2_2.14.3.bb b/meta/recipes-core/libxml/libxml2_2.14.3.bb
index da75cbe450..4baab59186 100644
--- a/meta/recipes-core/libxml/libxml2_2.14.3.bb
+++ b/meta/recipes-core/libxml/libxml2_2.14.3.bb
@@ -18,6 +18,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
            file://run-ptest \
            file://install-tests.patch \
            file://0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch \
+           file://CVE-2025-6021.patch \
            "
 
 SRC_URI[archive.sha256sum] = "6de55cacc8c2bc758f2ef6f93c313cb30e4dd5d84ac5d3c7ccbd9344d8cc6833"
diff --git a/meta/recipes-core/meta/buildtools-docs-tarball.bb b/meta/recipes-core/meta/buildtools-docs-tarball.bb
index b9ef68eb6d..98d47f7b71 100644
--- a/meta/recipes-core/meta/buildtools-docs-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-docs-tarball.bb
@@ -7,6 +7,8 @@ LICENSE = "MIT"
 # Add nativesdk equivalent of build-essentials
 TOOLCHAIN_HOST_TASK += "\
     nativesdk-python3-sphinx \
+    nativesdk-python3-sphinx-argparse \
+    nativesdk-python3-sphinx-copybutton \
     nativesdk-python3-sphinx-rtd-theme \
     nativesdk-python3-pyyaml \
     nativesdk-rsvg \
@@ -16,4 +18,5 @@ TOOLCHAIN_OUTPUTNAME = "${SDK_ARCH}-buildtools-docs-nativesdk-standalone-${DISTR
 
 SDK_TITLE = "Docs Build tools tarball"
 
-TESTSDK_CASES = "buildtools-docs-cases"
+# Directory that contains testcases
+TESTSDK_CASE_DIRS = "buildtools-docs"
\ No newline at end of file
diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb
index 6fa6d93a3d..02117ab84d 100644
--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -124,22 +124,7 @@ TOOLCHAIN_NEED_CONFIGSITE_CACHE = ""
 # The recipe doesn't need any default deps
 INHIBIT_DEFAULT_DEPS = "1"
 
-# Directory in testsdk that contains testcases
-TESTSDK_CASES = "buildtools-cases"
+inherit testsdk
 
-# We have our own code, avoid deferred inherit
-SDK_CLASSES:remove = "testsdk"
-
-python do_testsdk() {
-    import oeqa.sdk.testsdk
-    testsdk = oeqa.sdk.testsdk.TestSDK()
-
-    cases_path = os.path.join(os.path.abspath(os.path.dirname(oeqa.sdk.testsdk.__file__)), d.getVar("TESTSDK_CASES"))
-    testsdk.context_executor_class.default_cases = [cases_path,]
-
-    testsdk.run(d)
-}
-addtask testsdk
-do_testsdk[nostamp] = "1"
-do_testsdk[network] = "1"
-do_testsdk[depends] += "xz-native:do_populate_sysroot"
+# Directory that contains testcases
+TESTSDK_CASE_DIRS = "buildtools"
\ No newline at end of file
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 792252f510..86cd1a1a21 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -393,7 +393,6 @@ def update_db_fkie(conn, jsondata):
             for node in config["nodes"]:
                 parse_node_and_insert(conn, node, cveId, False)
 
-
 def update_db(d, conn, jsondata):
     if (d.getVar("NVD_DB_VERSION") == "FKIE"):
         return update_db_fkie(conn, jsondata)
diff --git a/meta/recipes-core/meta/meta-toolchain.bb b/meta/recipes-core/meta/meta-toolchain.bb
index 260e03934e..1b108f0a1c 100644
--- a/meta/recipes-core/meta/meta-toolchain.bb
+++ b/meta/recipes-core/meta/meta-toolchain.bb
@@ -1,5 +1,4 @@
 SUMMARY = "Meta package for building a installable toolchain"
 LICENSE = "MIT"
 
-
 inherit populate_sdk
diff --git a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
index 2813fbc397..0ba1ca6e42 100644
--- a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
+++ b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
@@ -41,7 +41,6 @@ DUMMYPROVIDES = "\
     /usr/bin/perl \
     "
 
-
 require dummy-sdk-package.inc
 
 inherit nativesdk
diff --git a/meta/recipes-core/meta/signing-keys.bb b/meta/recipes-core/meta/signing-keys.bb
index 107a39d658..94f4032911 100644
--- a/meta/recipes-core/meta/signing-keys.bb
+++ b/meta/recipes-core/meta/signing-keys.bb
@@ -4,7 +4,6 @@
 SUMMARY = "Makes public keys of the signing keys available"
 LICENSE = "MIT"
 
-
 inherit allarch deploy
 
 EXCLUDE_FROM_WORLD = "1"
diff --git a/meta/recipes-core/meta/uninative-tarball.bb b/meta/recipes-core/meta/uninative-tarball.bb
index 0fd01fdb64..0dbc698ccd 100644
--- a/meta/recipes-core/meta/uninative-tarball.bb
+++ b/meta/recipes-core/meta/uninative-tarball.bb
@@ -51,7 +51,6 @@ fakeroot create_sdk_files() {
         sed -i -e "s:##DEFAULT_INSTALL_DIR##:$escaped_sdkpath:" ${SDK_OUTPUT}/${SDKPATH}/relocate_sdk.py
 }
 
-
 fakeroot archive_sdk() {
         cd ${SDK_OUTPUT}/${SDKPATH}
 
diff --git a/meta/recipes-core/musl/bsd-headers.bb b/meta/recipes-core/musl/bsd-headers.bb
index 7d0bdee870..ad9ba81e4f 100644
--- a/meta/recipes-core/musl/bsd-headers.bb
+++ b/meta/recipes-core/musl/bsd-headers.bb
@@ -15,8 +15,7 @@ do_compile[noexec] = "1"
 
 INHIBIT_DEFAULT_DEPS = "1"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
         install -Dm 0644 ${S}/sys-queue.h ${D}${includedir}/sys/queue.h
diff --git a/meta/recipes-core/musl/gcompat_git.bb b/meta/recipes-core/musl/gcompat_git.bb
index 40fe8c6a5f..6f9710e71a 100644
--- a/meta/recipes-core/musl/gcompat_git.bb
+++ b/meta/recipes-core/musl/gcompat_git.bb
@@ -16,8 +16,6 @@ SRC_URI:append:powerpc = "\
 PV = "1.1.0"
 SRCREV = "b7bfe0b08c52fdc72e0c1d9d4dcb2129f1642bd6"
 
-S = "${WORKDIR}/git"
-
 inherit pkgconfig linuxloader siteinfo
 
 DEPENDS += "musl-obstack"
diff --git a/meta/recipes-core/musl/libc-test_git.bb b/meta/recipes-core/musl/libc-test_git.bb
index f55a125a89..71a111cfa4 100644
--- a/meta/recipes-core/musl/libc-test_git.bb
+++ b/meta/recipes-core/musl/libc-test_git.bb
@@ -18,8 +18,6 @@ SRC_URI = " \
 
 PV = "0+git"
 
-S = "${WORKDIR}/git"
-
 # libc-test 'make' or 'make run' command is designed to build and run tests. It
 # reports both build and test failures. The commands should be run on target.
 do_compile() {
diff --git a/meta/recipes-core/musl/libssp-nonshared.bb b/meta/recipes-core/musl/libssp-nonshared.bb
index fde3bc97b4..4bcbaef7ea 100644
--- a/meta/recipes-core/musl/libssp-nonshared.bb
+++ b/meta/recipes-core/musl/libssp-nonshared.bb
@@ -17,8 +17,7 @@ DEPENDS = "virtual/cross-binutils \
 
 do_configure[noexec] = "1"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_compile() {
         ${CC} ${CPPFLAGS} ${CFLAGS} -fPIE -c stack_chk.c -o stack_chk.o
diff --git a/meta/recipes-core/musl/libucontext_1.3.2.bb b/meta/recipes-core/musl/libucontext_1.3.2.bb
index 65ee77d06e..c5b802207b 100644
--- a/meta/recipes-core/musl/libucontext_1.3.2.bb
+++ b/meta/recipes-core/musl/libucontext_1.3.2.bb
@@ -12,8 +12,6 @@ SRCREV = "a0323579ac50b9a9d4033754d089f1fed0f59a00"
 SRC_URI = "git://github.com/kaniini/libucontext;branch=master;protocol=https \
            "
 
-S = "${WORKDIR}/git"
-
 COMPATIBLE_HOST = ".*-musl.*"
 
 valid_archs = " \
@@ -50,3 +48,9 @@ def map_kernel_arch(a, d):
 
 EXTRA_OEMESON = "-Dcpu=${@map_kernel_arch(d.getVar('TARGET_ARCH'), d)}"
 inherit meson
+
+ARM_TARGET_CPPFLAGS = ""
+ARM_TARGET_CPPFLAGS:append:arm = "${@bb.utils.contains('TARGET_FPU', 'hard', ' -DFORCE_HARD_FLOAT', '', d)}"
+ARM_TARGET_CPPFLAGS:append:arm = "${@bb.utils.contains('TARGET_FPU', 'soft', ' -DFORCE_SOFT_FLOAT', '', d)}"
+
+TARGET_CPPFLAGS .= "${ARM_TARGET_CPPFLAGS}"
diff --git a/meta/recipes-core/musl/musl-legacy-error.bb b/meta/recipes-core/musl/musl-legacy-error.bb
index 11a838a6e8..b40075c0b6 100644
--- a/meta/recipes-core/musl/musl-legacy-error.bb
+++ b/meta/recipes-core/musl/musl-legacy-error.bb
@@ -13,8 +13,7 @@ do_compile[noexec] = "1"
 
 INHIBIT_DEFAULT_DEPS = "1"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
         install -Dm 0644 ${S}/error.h -t ${D}${includedir}
diff --git a/meta/recipes-core/musl/musl-locales_git.bb b/meta/recipes-core/musl/musl-locales_git.bb
index 2815e2ddf0..c8510596cf 100644
--- a/meta/recipes-core/musl/musl-locales_git.bb
+++ b/meta/recipes-core/musl/musl-locales_git.bb
@@ -12,8 +12,6 @@ SRC_URI = "git://git.adelielinux.org/adelie/musl-locales;protocol=https;branch=m
 PV = "1.0+git"
 SRCREV = "5663f5bfd30bf9e1e0ba3fc5fe2da6725969f30e"
 
-S = "${WORKDIR}/git"
-
 DEPENDS = "virtual/libintl gettext-native"
 
 PROVIDES = "virtual/libc-locale"
diff --git a/meta/recipes-core/musl/musl-obstack.bb b/meta/recipes-core/musl/musl-obstack.bb
index 4c71a141b2..d8a5ae8d82 100644
--- a/meta/recipes-core/musl/musl-obstack.bb
+++ b/meta/recipes-core/musl/musl-obstack.bb
@@ -16,7 +16,5 @@ UPSTREAM_CHECK_COMMITS = "1"
 
 inherit autotools pkgconfig
 
-S = "${WORKDIR}/git"
-
 COMPATIBLE_HOST = ".*-musl.*"
 
diff --git a/meta/recipes-core/musl/musl-utils.bb b/meta/recipes-core/musl/musl-utils.bb
index 8280333daf..4b685640c8 100644
--- a/meta/recipes-core/musl/musl-utils.bb
+++ b/meta/recipes-core/musl/musl-utils.bb
@@ -17,8 +17,6 @@ UPSTREAM_CHECK_COMMITS = "1"
 
 inherit autotools
 
-S = "${WORKDIR}/git"
-
 PACKAGES =+ "${PN}-iconv"
 
 FILES:${PN}-iconv = "${bindir}/iconv"
diff --git a/meta/recipes-core/musl/musl_git.bb b/meta/recipes-core/musl/musl_git.bb
index afc459bf1c..51e429b093 100644
--- a/meta/recipes-core/musl/musl_git.bb
+++ b/meta/recipes-core/musl/musl_git.bb
@@ -16,8 +16,6 @@ SRC_URI = "git://git.musl-libc.org/musl;branch=master \
            file://0001-Update-syscalls-for-r32-rv64-from-kernel-6.4-through.patch \
           "
 
-S = "${WORKDIR}/git"
-
 PROVIDES += "virtual/libc virtual/libiconv virtual/libintl virtual/crypt"
 
 DEPENDS = "virtual/cross-binutils \
diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index 1e9ec38cea..951f96beb5 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -175,7 +175,6 @@ do_install() {
         oe_runmake -C narrowc ${_install_cfgs} \
                 install.data
 
-
         ! ${ENABLE_WIDEC} || \
             oe_runmake -C widec ${_install_cfgs} ${_install_opts}
 
@@ -263,7 +262,6 @@ python populate_packages:prepend () {
         do_split_packages(d, base_libdir, r'^lib(.*)\.so\..*', pnbase, 'ncurses %s library', prepend=True, extra_depends = '', allow_links=True)
 }
 
-
 inherit update-alternatives
 
 ALTERNATIVE_PRIORITY = "100"
diff --git a/meta/recipes-core/ncurses/ncurses_6.5.bb b/meta/recipes-core/ncurses/ncurses_6.5.bb
index 2e3ee337ea..bba3495266 100644
--- a/meta/recipes-core/ncurses/ncurses_6.5.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.5.bb
@@ -7,7 +7,6 @@ SRC_URI += "file://0001-tic-hang.patch \
            "
 # commit id corresponds to the revision in package version
 SRCREV = "1c55d64d9d3e00399a21f04e9cac1e472ab5f70a"
-S = "${WORKDIR}/git"
 EXTRA_OECONF += "--with-abi-version=5"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+_\d+)$"
 
diff --git a/meta/recipes-core/netbase/netbase_6.5.bb b/meta/recipes-core/netbase/netbase_6.5.bb
index d273dbfe66..c6cf798421 100644
--- a/meta/recipes-core/netbase/netbase_6.5.bb
+++ b/meta/recipes-core/netbase/netbase_6.5.bb
@@ -22,4 +22,4 @@ do_install () {
         install -m 0644 ${S}/etc/ethertypes ${D}${sysconfdir}/ethertypes
 }
 
-S = "${WORKDIR}/netbase"
+S = "${UNPACKDIR}/netbase"
diff --git a/meta/recipes-core/newlib/newlib.inc b/meta/recipes-core/newlib/newlib.inc
index 5b5025148e..a8794dd1d9 100644
--- a/meta/recipes-core/newlib/newlib.inc
+++ b/meta/recipes-core/newlib/newlib.inc
@@ -22,7 +22,6 @@ SRCREV = "5e5e51f1dc56a99eb4648c28e00d73b6ea44a8b0"
 INHIBIT_DEFAULT_DEPS = "1"
 DEPENDS = "virtual/cross-cc"
 
-S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
 
 ## disable stdlib
@@ -35,7 +34,6 @@ TARGET_CC_ARCH:append = " -nostdlib"
 # Keep RISC-V 32 using -mcmodel=medlow (symbols lie between -2GB:2GB)
 TARGET_CFLAGS:append:qemuriscv64 = " -mcmodel=medany"
 
-
 EXTRA_OECONF = " \
                 --build=${BUILD_SYS}  \
                 --target=${TARGET_SYS} \
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch
new file mode 100644
index 0000000000..066dfa0ff0
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-1.patch
@@ -0,0 +1,43 @@
+From 2c8fb3e5164effc8a370e800fe91db7341e69116 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Mon, 7 Apr 2025 11:23:41 -0700
+Subject: [PATCH 1/4] SecurityPkg: Update SecurityFixes.yaml for CVE-2024-38797
+
+This commit updates the SecurityFixes.yaml file to include
+information about the CVE-2024-38797 vulnerability.
+
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/519366f542e9370bee982b1c3687ffedb5cabc21]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ SecurityPkg/SecurityFixes.yaml | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/SecurityPkg/SecurityFixes.yaml b/SecurityPkg/SecurityFixes.yaml
+index b4006b4..06b597a 100644
+--- a/SecurityPkg/SecurityFixes.yaml
++++ b/SecurityPkg/SecurityFixes.yaml
+@@ -40,3 +40,18 @@ CVE_2022_36764:
+     - Library\DxeTpmMeasureBootLib\DxeTpmMeasureBootLib.c

+   links:

+     - https://bugzilla.tianocore.org/show_bug.cgi?id=4118

++CVE_2024_38797:

++  commit-titles:

++    - "SecurityPkg: Out of bound read in HashPeImageByType()"

++    - "SecurityPkg: Improving HashPeImageByType () logic"

++    - "SecurityPkg: Improving SecureBootConfigImpl:HashPeImageByType () logic"

++  cve: CVE-2024-38797

++  date_reported: 2024-06-04 12:00 UTC

++  description: Out of bound read in HashPeImageByType()

++  note:

++  files_impacted:

++    - SecurityPkg\Library\DxeImageVerificationLib\DxeImageVerificationLib.c

++    - SecurityPkg\VariableAuthenticated\SecureBootConfigDxe\SecureBootConfigImpl.c

++  links:

++    - https://bugzilla.tianocore.org/show_bug.cgi?id=2214

++    - https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf

+-- 
+2.34.1
+
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch
new file mode 100644
index 0000000000..9bf6645681
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-2.patch
@@ -0,0 +1,63 @@
+From 1a7be26382c4a34504875f094e15fe371d44192e Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Thu, 3 Oct 2024 09:37:18 -0700
+Subject: [PATCH 2/4] SecurityPkg: Out of bound read in HashPeImageByType()
+
+In HashPeImageByType(), the hash of PE/COFF image is calculated.
+This function may get untrusted input.
+
+Inside this function, the following code verifies the loaded image has
+the correct format, by reading the second byte of the buffer.
+
+```c
+  if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {
+        ...
+  }
+```
+
+The input image is not trusted and that may not have the second byte to
+read. So this poses an out of bound read error.
+
+With below fix we are assuring that we don't do out of bound read. i.e,
+we make sure that AuthDataSize is greater than 1.
+
+```c
+  if (AuthDataSize > 1
+      && (*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE){
+    ...
+  }
+```
+
+AuthDataSize size is verified before reading the second byte.
+So if AuthDataSize is less than 2, the second byte will not be read, and
+the out of bound read situation won't occur.
+
+Tested the patch on real platform with and without TPM connected and
+verified image is booting fine.
+
+Authored-by: Raj AlwinX Selvaraj <Alw...@intel.com>
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/2dcdb41b564aa3cb846644b4b1722a0b3ae5e06b]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c   | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index b05da19..2afa2c9 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -642,7 +642,7 @@ HashPeImageByType (
+     //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.

+     //    Fixed offset (+32) is calculated based on two bytes of length encoding.

+     //

+-    if ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {

++    if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {

+       //

+       // Only support two bytes of Long Form of Length Encoding.

+       //

+-- 
+2.34.1
+
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch
new file mode 100644
index 0000000000..169c78daab
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-3.patch
@@ -0,0 +1,99 @@
+From 4db363db013a92937431234252fc9d84e44fc120 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Thu, 3 Oct 2024 10:16:57 -0700
+Subject: [PATCH 3/4] SecurityPkg: Improving HashPeImageByType () logic
+
+Namely:
+
+(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
+    to TRUE for Index==0, then it will evaluate to TRUE for all other
+    Index values as well. As a result, the (Index == HASHALG_MAX)
+    condition will fire after the loop, and we'll return
+    EFI_UNSUPPORTED.
+
+    While this is correct, functionally speaking, it is wasteful to
+    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
+    should be made at the top of the function, and EFI_UNSUPPORTED
+    should be returned at once, if appropriate.
+
+(2) If the hash algorithm selected by Index has such a large OID that
+    the OID comparison cannot even be performed (because AuthDataSize
+    is not large enough for containing the OID in question, starting
+    at offset 32), then the function returns EFI_UNSUPPORTED at once.
+
+    This is bogus; this case should simply be treated as an OID
+    mismatch, and the loop should advance to the next Index value /
+    hash algorithm candidate. A remaining hash algo may have a shorter
+    OID and yield an OID match.
+
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/5df518ec510324f48ed1cf0376150960644b41f0]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../DxeImageVerificationLib.c                 | 37 ++++++++++---------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+index 2afa2c9..2eca39d 100644
+--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
++++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+@@ -618,6 +618,7 @@ Done:
+   @param[in]  AuthDataSize        Size of the Authenticode Signature in bytes.

+ 

+   @retval EFI_UNSUPPORTED             Hash algorithm is not supported.

++  @retval EFI_BAD_BUFFER_SIZE         AuthData provided is invalid size.

+   @retval EFI_SUCCESS                 Hash successfully.

+ 

+ **/

+@@ -629,28 +630,28 @@ HashPeImageByType (
+ {

+   UINT8  Index;

+ 

+-  for (Index = 0; Index < HASHALG_MAX; Index++) {

++  //

++  // Check the Hash algorithm in PE/COFF Authenticode.

++  //    According to PKCS#7 Definition:

++  //        SignedData ::= SEQUENCE {

++  //            version Version,

++  //            digestAlgorithms DigestAlgorithmIdentifiers,

++  //            contentInfo ContentInfo,

++  //            .... }

++  //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing

++  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.

++  //    Fixed offset (+32) is calculated based on two bytes of length encoding.

++  //

++  if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {

+     //

+-    // Check the Hash algorithm in PE/COFF Authenticode.

+-    //    According to PKCS#7 Definition:

+-    //        SignedData ::= SEQUENCE {

+-    //            version Version,

+-    //            digestAlgorithms DigestAlgorithmIdentifiers,

+-    //            contentInfo ContentInfo,

+-    //            .... }

+-    //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing

+-    //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.

+-    //    Fixed offset (+32) is calculated based on two bytes of length encoding.

++    // Only support two bytes of Long Form of Length Encoding.

+     //

+-    if ((AuthDataSize > 1) && ((*(AuthData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {

+-      //

+-      // Only support two bytes of Long Form of Length Encoding.

+-      //

+-      continue;

+-    }

++    return EFI_BAD_BUFFER_SIZE;

++  }

+ 

++  for (Index = 0; Index < HASHALG_MAX; Index++) {

+     if (AuthDataSize < 32 + mHash[Index].OidLength) {

+-      return EFI_UNSUPPORTED;

++      continue;

+     }

+ 

+     if (CompareMem (AuthData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {

+-- 
+2.34.1
+
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch
new file mode 100644
index 0000000000..86bc950e7d
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38797-4.patch
@@ -0,0 +1,97 @@
+From cb3342702c5c1f8a4ddbb6d503a98ed720d14eb3 Mon Sep 17 00:00:00 2001
+From: Doug Flick <dougflick@microsoft.com>
+Date: Fri, 17 Jan 2025 11:30:17 -0800
+Subject: [PATCH 4/4] SecurityPkg: Improving
+ SecureBootConfigImpl:HashPeImageByType () logic
+
+Namely:
+
+(1) The TWO_BYTE_ENCODE check is independent of Index. If it evalutes
+    to TRUE for Index==0, then it will evaluate to TRUE for all other
+    Index values as well. As a result, the (Index == HASHALG_MAX)
+    condition will fire after the loop, and we'll return
+    EFI_UNSUPPORTED.
+
+    While this is correct, functionally speaking, it is wasteful to
+    keep re-checking TWO_BYTE_ENCODE in the loop body. The check
+    should be made at the top of the function, and EFI_UNSUPPORTED
+    should be returned at once, if appropriate.
+
+(2) If the hash algorithm selected by Index has such a large OID that
+    the OID comparison cannot even be performed (because AuthDataSize
+    is not large enough for containing the OID in question, starting
+    at offset 32), then the function returns EFI_UNSUPPORTED at once.
+
+    This is bogus; this case should simply be treated as an OID
+    mismatch, and the loop should advance to the next Index value /
+    hash algorithm candidate. A remaining hash algo may have a shorter
+    OID and yield an OID match.
+
+Signed-off-by: Doug Flick <DougFlick@microsoft.com>
+
+CVE: CVE-2024-38797
+Upstream-Status: Backport [https://github.com/tianocore/edk2/pull/10928/commits/8676572908b950dd4d1f8985006011be99c0a5b6]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../SecureBootConfigImpl.c                    | 37 +++++++++++--------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+index 6d4560c..155e755 100644
+--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
++++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c
+@@ -2096,30 +2096,35 @@ HashPeImageByType (
+ {

+   UINT8                     Index;

+   WIN_CERTIFICATE_EFI_PKCS  *PkcsCertData;

++  UINT32                    PkcsCertSize;

+ 

+   PkcsCertData = (WIN_CERTIFICATE_EFI_PKCS *)(mImageBase + mSecDataDir->Offset);

++  PkcsCertSize = mSecDataDir->SizeOfCert;

+ 

+-  for (Index = 0; Index < HASHALG_MAX; Index++) {

++  //

++  // Check the Hash algorithm in PE/COFF Authenticode.

++  //    According to PKCS#7 Definition:

++  //        SignedData ::= SEQUENCE {

++  //            version Version,

++  //            digestAlgorithms DigestAlgorithmIdentifiers,

++  //            contentInfo ContentInfo,

++  //            .... }

++  //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing

++  //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.

++  //    Fixed offset (+32) is calculated based on two bytes of length encoding.

++  //

++  if ((PkcsCertSize > 1) && ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE)) {

+     //

+-    // Check the Hash algorithm in PE/COFF Authenticode.

+-    //    According to PKCS#7 Definition:

+-    //        SignedData ::= SEQUENCE {

+-    //            version Version,

+-    //            digestAlgorithms DigestAlgorithmIdentifiers,

+-    //            contentInfo ContentInfo,

+-    //            .... }

+-    //    The DigestAlgorithmIdentifiers can be used to determine the hash algorithm in PE/COFF hashing

+-    //    This field has the fixed offset (+32) in final Authenticode ASN.1 data.

+-    //    Fixed offset (+32) is calculated based on two bytes of length encoding.

++    // Only support two bytes of Long Form of Length Encoding.

+     //

+-    if ((*(PkcsCertData->CertData + 1) & TWO_BYTE_ENCODE) != TWO_BYTE_ENCODE) {

+-      //

+-      // Only support two bytes of Long Form of Length Encoding.

+-      //

++    return EFI_BAD_BUFFER_SIZE;

++  }

++

++  for (Index = 0; Index < HASHALG_MAX; Index++) {

++    if (PkcsCertSize < 32 + mHash[Index].OidLength) {

+       continue;

+     }

+ 

+-    //

+     if (CompareMem (PkcsCertData->CertData + 32, mHash[Index].OidValue, mHash[Index].OidLength) == 0) {

+       break;

+     }

+-- 
+2.34.1
+
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index aa7de3af2b..08879966c3 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -16,7 +16,6 @@ PACKAGECONFIG[debug] = ",,,"
 PACKAGECONFIG[secureboot] = ",,,"
 PACKAGECONFIG[tpm] = "-D TPM_ENABLE=TRUE,-D TPM_ENABLE=FALSE,,"
 
-
 # GCC12 trips on it
 #see https://src.fedoraproject.org/rpms/edk2/blob/rawhide/f/0032-Basetools-turn-off-gcc12-warning.patch
 BUILD_CFLAGS += "-Wno-error=stringop-overflow"
@@ -27,6 +26,10 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://0003-debug-prefix-map.patch \
            file://0004-reproducible.patch \
            file://CVE-2025-2295.patch \
+           file://CVE-2024-38797-1.patch \
+           file://CVE-2024-38797-2.patch \
+           file://CVE-2024-38797-3.patch \
+           file://CVE-2024-38797-4.patch \
            "
 
 PV = "edk2-stable202502"
@@ -51,8 +54,6 @@ inherit deploy
 
 PARALLEL_MAKE = ""
 
-S = "${WORKDIR}/git"
-
 DEPENDS = "nasm-native acpica-native ovmf-native util-linux-native"
 
 EDK_TOOLS_DIR = "edk2_basetools"
diff --git a/meta/recipes-core/packagegroups/packagegroup-base.bb b/meta/recipes-core/packagegroups/packagegroup-base.bb
index cb9d1f07af..fd61ba4437 100644
--- a/meta/recipes-core/packagegroups/packagegroup-base.bb
+++ b/meta/recipes-core/packagegroups/packagegroup-base.bb
@@ -72,7 +72,6 @@ RDEPENDS:packagegroup-base = "\
     ${@bb.utils.contains('DISTRO_FEATURES', 'zeroconf', 'packagegroup-base-zeroconf', '',d)} \
     "
 
-
 RRECOMMENDS:packagegroup-base = "\
     kernel-module-nls-utf8 \
     kernel-module-input \
@@ -119,7 +118,7 @@ python __anonymous () {
 # packages added by distribution
 #
 SUMMARY:packagegroup-distro-base = "${DISTRO} extras"
-DEPENDS_packagegroup-distro-base = "${DISTRO_EXTRA_DEPENDS}"
+DEPENDS:packagegroup-distro-base = "${DISTRO_EXTRA_DEPENDS}"
 RDEPENDS:packagegroup-distro-base = "${DISTRO_EXTRA_RDEPENDS}"
 RRECOMMENDS:packagegroup-distro-base = "${DISTRO_EXTRA_RRECOMMENDS}"
 
diff --git a/meta/recipes-core/packagegroups/packagegroup-core-tools-debug.bb b/meta/recipes-core/packagegroups/packagegroup-core-tools-debug.bb
index 56ff1d2b06..f19fd64ec1 100644
--- a/meta/recipes-core/packagegroups/packagegroup-core-tools-debug.bb
+++ b/meta/recipes-core/packagegroups/packagegroup-core-tools-debug.bb
@@ -8,7 +8,6 @@ PACKAGE_ARCH = "${TUNE_PKGARCH}"
 
 inherit packagegroup
 
-
 MTRACE = ""
 MTRACE:libc-glibc = "libc-mtrace"
 
diff --git a/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb b/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb
index 4e324caa96..54915e4f0c 100644
--- a/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb
+++ b/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb
@@ -4,7 +4,6 @@
 
 SUMMARY = "Profiling tools"
 
-
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 inherit packagegroup
diff --git a/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb b/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb
index d7ea8e937f..25561f6878 100644
--- a/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb
+++ b/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb
@@ -4,7 +4,6 @@
 
 SUMMARY = "Testing tools/applications"
 
-
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 inherit packagegroup
diff --git a/meta/recipes-core/packagegroups/packagegroup-self-hosted.bb b/meta/recipes-core/packagegroups/packagegroup-self-hosted.bb
index df71695a97..c386267781 100644
--- a/meta/recipes-core/packagegroups/packagegroup-self-hosted.bb
+++ b/meta/recipes-core/packagegroups/packagegroup-self-hosted.bb
@@ -107,7 +107,6 @@ RDEPENDS:packagegroup-self-hosted-debug = " \
     ${STRACE} \
     tcf-agent"
 
-
 RDEPENDS:packagegroup-self-hosted-extended = "\
     bzip2 \
     chrpath \
@@ -178,7 +177,6 @@ RDEPENDS:packagegroup-self-hosted-extended = "\
     zstd \
     "
 
-
 RDEPENDS:packagegroup-self-hosted-graphics = "\
     adwaita-icon-theme \
     builder \
diff --git a/meta/recipes-core/picolibc/picolibc.inc b/meta/recipes-core/picolibc/picolibc.inc
index 640be819a3..68c32894a7 100644
--- a/meta/recipes-core/picolibc/picolibc.inc
+++ b/meta/recipes-core/picolibc/picolibc.inc
@@ -17,5 +17,4 @@ PV = "${BASEVER}+git"
 SRC_URI = "git://github.com/picolibc/picolibc.git;protocol=https;branch=main"
 SRCREV = "764ef4e401a8f4c6a86ab723533841f072885a5b"
 
-S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
diff --git a/meta/recipes-core/picolibc/picolibc_git.bb b/meta/recipes-core/picolibc/picolibc_git.bb
index e6735184cd..eaa6c8de1e 100644
--- a/meta/recipes-core/picolibc/picolibc_git.bb
+++ b/meta/recipes-core/picolibc/picolibc_git.bb
@@ -28,7 +28,6 @@ PACKAGECONFIG ??= " specsdir"
 # Install GCC specs on libdir
 PACKAGECONFIG[specsdir] = "-Dspecsdir=${libdir},-Dspecsdir=none"
 
-
 FILES:${PN}-dev:append = " ${libdir}/*.specs ${libdir}/*.ld"
 
 # No rpm package is actually created but -dev depends on it, avoid dnf error
diff --git a/meta/recipes-core/psplash/psplash_git.bb b/meta/recipes-core/psplash/psplash_git.bb
index f3647d389d..3be0e26a0c 100644
--- a/meta/recipes-core/psplash/psplash_git.bb
+++ b/meta/recipes-core/psplash/psplash_git.bb
@@ -62,8 +62,6 @@ python __anonymous() {
             d.appendVar("RDEPENDS:%s" % pn, " %s" % ep)
 }
 
-S = "${WORKDIR}/git"
-
 inherit autotools pkgconfig update-rc.d update-alternatives systemd
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} progress-bar fullscreen"
diff --git a/meta/recipes-core/seatd/seatd_0.9.1.bb b/meta/recipes-core/seatd/seatd_0.9.1.bb
index 87e1c3b67d..3be27dda9d 100644
--- a/meta/recipes-core/seatd/seatd_0.9.1.bb
+++ b/meta/recipes-core/seatd/seatd_0.9.1.bb
@@ -9,7 +9,6 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=715a99d2dd552e6188e74d4ed2914d5a"
 SRC_URI = "git://git.sr.ht/~kennylevinsen/seatd;protocol=https;branch=master \
            file://init"
 SRCREV = "566ffeb032af42865dc1210e48cec08368059bb9"
-S = "${WORKDIR}/git"
 
 inherit meson pkgconfig systemd update-rc.d useradd
 
@@ -35,9 +34,8 @@ PACKAGECONFIG[systemd] = "-Dlibseat-logind=systemd,,systemd"
 do_install:append() {
         if [ "${VIRTUAL-RUNTIME_init_manager}" != "systemd" ]; then
                 install -Dm755 ${UNPACKDIR}/init ${D}/${sysconfdir}/init.d/seatd
-        else
-                install -Dm644 ${S}/contrib/systemd/seatd.service ${D}${systemd_unitdir}/system/seatd.service
         fi
+        install -Dm644 ${S}/contrib/systemd/seatd.service ${D}${systemd_unitdir}/system/seatd.service
 }
 
 USERADD_PACKAGES = "${PN}"
diff --git a/meta/recipes-core/sysfsutils/files/0001-Modify-my_strncat-function.patch b/meta/recipes-core/sysfsutils/files/0001-Modify-my_strncat-function.patch
new file mode 100644
index 0000000000..a8a49a80cd
--- /dev/null
+++ b/meta/recipes-core/sysfsutils/files/0001-Modify-my_strncat-function.patch
@@ -0,0 +1,34 @@
+From a13fc5a57ea7c6b1761bc204cb79d8ce4745f57a Mon Sep 17 00:00:00 2001
+From: songliang <YS.songliang@h3c.com>
+Date: Wed, 4 Jun 2025 15:58:53 +0800
+Subject: [PATCH] Modify "my_strncat" function
+
+The meaning of the "len" parameter in the my_strncat function is the size limit for copying characters from "from", not the size limit for "to" after copying.
+Also, the "#define safestrcat(to, from) my_strncat(to, from, sizeof(to) - strlen(to) - 1)" has already imposed a limit on max based on the size of "to".
+Modify the function to prevent truncation of content when too many bytes are passed to the my_strcat function.
+
+Upstream-Status: Submitted [https://github.com/linux-ras/sysfsutils/pull/30/commits/c2326946c0c2a4206c9b079a9fe25f7f9115295c]
+Signed-off-by: songliang <YS.songliang@h3c.com>
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ lib/sysfs_utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/sysfs_utils.c b/lib/sysfs_utils.c
+index 46e0849..c0176d1 100644
+--- a/lib/sysfs_utils.c
++++ b/lib/sysfs_utils.c
+@@ -375,8 +375,8 @@ char *my_strncat(char *to, const char *from, size_t max)
+ {
+        size_t i = 0;
+ 
+-       while (i < max && to[i] != '\0')
++       while (to[i] != '\0')
+                i++;
+-       my_strncpy(to+i, from, max-i);
++       my_strncpy(to+i, from, max);
+        return to;
+ }
+-- 
+2.34.1
+
diff --git a/meta/recipes-core/sysfsutils/sysfsutils_2.1.1.bb b/meta/recipes-core/sysfsutils/sysfsutils_2.1.1.bb
index 86cc06a2cd..5040d8864e 100644
--- a/meta/recipes-core/sysfsutils/sysfsutils_2.1.1.bb
+++ b/meta/recipes-core/sysfsutils/sysfsutils_2.1.1.bb
@@ -9,12 +9,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=dcc19fa9307a50017fca61423a7d9754 \
                     file://cmd/GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
                     file://lib/LGPL;md5=4fbd65380cdd255951079008b364516c"
 
-SRC_URI = "git://github.com/linux-ras/sysfsutils.git;protocol=https;branch=master"
+SRC_URI = "git://github.com/linux-ras/sysfsutils.git;protocol=https;branch=master \
+           file://0001-Modify-my_strncat-function.patch \
+"
 
 SRCREV = "da2f1f8500c0af6663a56ce2bff07f67e60a92e0"
 
-S = "${WORKDIR}/git"
-
 inherit autotools
 
 PACKAGES =+ "libsysfs"
diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.5.bb b/meta/recipes-core/systemd/systemd-boot-native_257.6.bb
index 05ebe7b63e..05ebe7b63e 100644
--- a/meta/recipes-core/systemd/systemd-boot-native_257.5.bb
+++ b/meta/recipes-core/systemd/systemd-boot-native_257.6.bb
diff --git a/meta/recipes-core/systemd/systemd-boot_257.5.bb b/meta/recipes-core/systemd/systemd-boot_257.6.bb
index c6c443f929..c6c443f929 100644
--- a/meta/recipes-core/systemd/systemd-boot_257.5.bb
+++ b/meta/recipes-core/systemd/systemd-boot_257.6.bb
diff --git a/meta/recipes-core/systemd/systemd-bootconf_1.00.bb b/meta/recipes-core/systemd/systemd-bootconf_1.00.bb
index 0ec49365d0..5efac3e410 100644
--- a/meta/recipes-core/systemd/systemd-bootconf_1.00.bb
+++ b/meta/recipes-core/systemd/systemd-bootconf_1.00.bb
@@ -7,8 +7,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 inherit systemd-boot-cfg
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 LABELS = "boot"
 
diff --git a/meta/recipes-core/systemd/systemd-compat-units.bb b/meta/recipes-core/systemd/systemd-compat-units.bb
index 3325739544..d6da34e9b8 100644
--- a/meta/recipes-core/systemd/systemd-compat-units.bb
+++ b/meta/recipes-core/systemd/systemd-compat-units.bb
@@ -2,11 +2,9 @@ SUMMARY = "Enhances systemd compatilibity with existing SysVinit scripts"
 HOMEPAGE = "http://www.freedesktop.org/wiki/Software/systemd"
 LICENSE = "MIT"
 
-
 PACKAGE_WRITE_DEPS += "systemd-systemctl-native"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 inherit features_check
 
diff --git a/meta/recipes-core/systemd/systemd-conf_1.0.bb b/meta/recipes-core/systemd/systemd-conf_1.0.bb
index b8bea0c25b..60066cd60a 100644
--- a/meta/recipes-core/systemd/systemd-conf_1.0.bb
+++ b/meta/recipes-core/systemd/systemd-conf_1.0.bb
@@ -21,8 +21,7 @@ SRC_URI = "\
     file://wired.network \
 "
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 do_install() {
         install -D -m0644 ${S}/journald.conf ${D}${systemd_unitdir}/journald.conf.d/00-${PN}.conf
diff --git a/meta/recipes-core/systemd/systemd-machine-units_1.0.bb b/meta/recipes-core/systemd/systemd-machine-units_1.0.bb
index 8df7ff7cf1..a366f199ee 100644
--- a/meta/recipes-core/systemd/systemd-machine-units_1.0.bb
+++ b/meta/recipes-core/systemd/systemd-machine-units_1.0.bb
@@ -5,7 +5,6 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
-
 inherit systemd features_check
 REQUIRED_DISTRO_FEATURES += "usrmerge"
 SYSTEMD_SERVICE:${PN} = ""
diff --git a/meta/recipes-core/systemd/systemd-systemctl-native_257.5.bb b/meta/recipes-core/systemd/systemd-systemctl-native_257.6.bb
index 041a040a26..041a040a26 100644
--- a/meta/recipes-core/systemd/systemd-systemctl-native_257.5.bb
+++ b/meta/recipes-core/systemd/systemd-systemctl-native_257.6.bb
diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc
index 243053a8c7..101457140f 100644
--- a/meta/recipes-core/systemd/systemd.inc
+++ b/meta/recipes-core/systemd/systemd.inc
@@ -15,10 +15,8 @@ LICENSE:libsystemd = "LGPL-2.1-or-later"
 LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
                     file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c"
 
-SRCREV = "1c93ed4c72a4513d9cefcd1f89d11a9dc828d06c"
+SRCREV = "00a12c234e2506f5cab683460199575f13c454db"
 SRCBRANCH = "v257-stable"
 SRC_URI = "git://github.com/systemd/systemd.git;protocol=https;branch=${SRCBRANCH};tag=v${PV}"
 
-S = "${WORKDIR}/git"
-
 CVE_PRODUCT = "systemd"
diff --git a/meta/recipes-core/systemd/systemd/0004-add-fallback-parse_printf_format-implementation.patch b/meta/recipes-core/systemd/systemd/0004-add-fallback-parse_printf_format-implementation.patch
index f9a45bb40b..47b8583e7a 100644
--- a/meta/recipes-core/systemd/systemd/0004-add-fallback-parse_printf_format-implementation.patch
+++ b/meta/recipes-core/systemd/systemd/0004-add-fallback-parse_printf_format-implementation.patch
@@ -25,7 +25,7 @@ diff --git a/meson.build b/meson.build
 index bffda86845..4146f4beef 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -773,6 +773,7 @@ foreach header : ['crypt.h',
+@@ -770,6 +770,7 @@ foreach header : ['crypt.h',
                    'linux/ioprio.h',
                    'linux/memfd.h',
                    'linux/time_types.h',
diff --git a/meta/recipes-core/systemd/systemd/0012-do-not-disable-buffer-in-writing-files.patch b/meta/recipes-core/systemd/systemd/0012-do-not-disable-buffer-in-writing-files.patch
index 00b4b777f4..0bbc6bbac7 100644
--- a/meta/recipes-core/systemd/systemd/0012-do-not-disable-buffer-in-writing-files.patch
+++ b/meta/recipes-core/systemd/systemd/0012-do-not-disable-buffer-in-writing-files.patch
@@ -71,7 +71,7 @@ diff --git a/src/basic/namespace-util.c b/src/basic/namespace-util.c
 index 332e8cdfd5..804498127d 100644
 --- a/src/basic/namespace-util.c
 +++ b/src/basic/namespace-util.c
-@@ -354,12 +354,12 @@ int userns_acquire(const char *uid_map, const char *gid_map) {
+@@ -359,12 +359,12 @@ int userns_acquire(const char *uid_map, const char *gid_map) {
                  freeze();
  
          xsprintf(path, "/proc/" PID_FMT "/uid_map", pid);
@@ -154,7 +154,7 @@ diff --git a/src/core/cgroup.c b/src/core/cgroup.c
 index 6933aae54d..ab6fccc0e4 100644
 --- a/src/core/cgroup.c
 +++ b/src/core/cgroup.c
-@@ -5167,7 +5167,7 @@ int unit_cgroup_freezer_action(Unit *u, FreezerAction action) {
+@@ -5175,7 +5175,7 @@ int unit_cgroup_freezer_action(Unit *u, FreezerAction action) {
          if (r < 0)
                  return r;
  
@@ -180,7 +180,7 @@ diff --git a/src/core/main.c b/src/core/main.c
 index 172742c769..e68ce2a6d8 100644
 --- a/src/core/main.c
 +++ b/src/core/main.c
-@@ -1812,7 +1812,7 @@ static void initialize_core_pattern(bool skip_setup) {
+@@ -1826,7 +1826,7 @@ static void initialize_core_pattern(bool skip_setup) {
          if (getpid_cached() != 1)
                  return;
  
@@ -231,7 +231,7 @@ diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-
 index 01fa90b1ff..83ab655bf4 100644
 --- a/src/libsystemd/sd-device/sd-device.c
 +++ b/src/libsystemd/sd-device/sd-device.c
-@@ -2563,7 +2563,7 @@ _public_ int sd_device_set_sysattr_value(sd_device *device, const char *sysattr,
+@@ -2564,7 +2564,7 @@ _public_ int sd_device_set_sysattr_value(sd_device *device, const char *sysattr,
          if (!value)
                  return -ENOMEM;
  
@@ -359,7 +359,7 @@ diff --git a/src/shared/coredump-util.c b/src/shared/coredump-util.c
 index 805503f366..3234a1d76e 100644
 --- a/src/shared/coredump-util.c
 +++ b/src/shared/coredump-util.c
-@@ -173,7 +173,7 @@ void disable_coredumps(void) {
+@@ -180,7 +180,7 @@ void disable_coredumps(void) {
          if (detect_container() > 0)
                  return;
  
@@ -372,7 +372,7 @@ diff --git a/src/shared/hibernate-util.c b/src/shared/hibernate-util.c
 index 1213fdc2c7..4c26e6a4ee 100644
 --- a/src/shared/hibernate-util.c
 +++ b/src/shared/hibernate-util.c
-@@ -495,7 +495,7 @@ int write_resume_config(dev_t devno, uint64_t offset, const char *device) {
+@@ -498,7 +498,7 @@ int write_resume_config(dev_t devno, uint64_t offset, const char *device) {
  
          /* We write the offset first since it's safer. Note that this file is only available in 4.17+, so
           * fail gracefully if it doesn't exist and we're only overwriting it with 0. */
@@ -381,7 +381,7 @@ index 1213fdc2c7..4c26e6a4ee 100644
          if (r == -ENOENT) {
                  if (offset != 0)
                          return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
-@@ -511,7 +511,7 @@ int write_resume_config(dev_t devno, uint64_t offset, const char *device) {
+@@ -514,7 +514,7 @@ int write_resume_config(dev_t devno, uint64_t offset, const char *device) {
                  log_debug("Wrote resume_offset=%s for device '%s' to /sys/power/resume_offset.",
                            offset_str, device);
  
diff --git a/meta/recipes-core/systemd/systemd/0014-Handle-missing-gshadow.patch b/meta/recipes-core/systemd/systemd/0014-Handle-missing-gshadow.patch
index 08d4e384ff..0aabae6d82 100644
--- a/meta/recipes-core/systemd/systemd/0014-Handle-missing-gshadow.patch
+++ b/meta/recipes-core/systemd/systemd/0014-Handle-missing-gshadow.patch
@@ -140,7 +140,7 @@ diff --git a/src/shared/userdb.c b/src/shared/userdb.c
 index ff83d4bf90..54d36cc706 100644
 --- a/src/shared/userdb.c
 +++ b/src/shared/userdb.c
-@@ -1041,13 +1041,15 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {
+@@ -1042,13 +1042,15 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {
                  if (gr) {
                          _cleanup_free_ char *buffer = NULL;
                          bool incomplete = false;
@@ -157,7 +157,7 @@ index ff83d4bf90..54d36cc706 100644
                          if (!FLAGS_SET(iterator->flags, USERDB_SUPPRESS_SHADOW)) {
                                  r = nss_sgrp_for_group(gr, &sgrp, &buffer);
                                  if (r < 0) {
-@@ -1060,6 +1062,9 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {
+@@ -1061,6 +1063,9 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {
                          }
  
                          r = nss_group_to_group_record(gr, r >= 0 ? &sgrp : NULL, ret);
diff --git a/meta/recipes-core/systemd/systemd/0015-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch b/meta/recipes-core/systemd/systemd/0015-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch
index f0aa3a0bd8..1443c5082b 100644
--- a/meta/recipes-core/systemd/systemd/0015-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch
+++ b/meta/recipes-core/systemd/systemd/0015-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch
@@ -15,8 +15,6 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
  src/shared/base-filesystem.c | 1 +
  2 files changed, 7 insertions(+)
 
-diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
-index e2cd8b4e35..f2fe489de7 100644
 --- a/src/basic/missing_syscall.h
 +++ b/src/basic/missing_syscall.h
 @@ -20,6 +20,12 @@
@@ -32,8 +30,6 @@ index e2cd8b4e35..f2fe489de7 100644
  #include "macro.h"
  #include "missing_keyctl.h"
  #include "missing_sched.h"
-diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c
-index 389c77eee0..e3627c4603 100644
 --- a/src/shared/base-filesystem.c
 +++ b/src/shared/base-filesystem.c
 @@ -20,6 +20,7 @@
@@ -42,8 +38,5 @@ index 389c77eee0..e3627c4603 100644
  #include "user-util.h"
 +#include "missing_syscall.h"
  
- typedef struct BaseFilesystem {
-         const char *dir;      /* directory or symlink to create */
--- 
-2.34.1
-
+ typedef enum BaseFilesystemFlags {
+         BASE_FILESYSTEM_IGNORE_ON_FAILURE = 1 << 0,
diff --git a/meta/recipes-core/systemd/systemd/0019-errno-util-Make-STRERROR-portable-for-musl.patch b/meta/recipes-core/systemd/systemd/0019-errno-util-Make-STRERROR-portable-for-musl.patch
index 791079a19f..56083cc7b3 100644
--- a/meta/recipes-core/systemd/systemd/0019-errno-util-Make-STRERROR-portable-for-musl.patch
+++ b/meta/recipes-core/systemd/systemd/0019-errno-util-Make-STRERROR-portable-for-musl.patch
@@ -11,8 +11,8 @@ Upstream-Status: Inappropriate [musl specific]
 
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
- src/basic/errno-util.h | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
+ src/basic/errno-util.h | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
 
 diff --git a/src/basic/errno-util.h b/src/basic/errno-util.h
 index 48b76e4bf7..6e7653e2d9 100644
@@ -23,9 +23,8 @@ index 48b76e4bf7..6e7653e2d9 100644
   *
   * Note that we use the GNU variant of strerror_r() here. */
 -#define STRERROR(errnum) strerror_r(abs(errnum), (char[ERRNO_BUF_LEN]){}, ERRNO_BUF_LEN)
--
 +static inline const char * STRERROR(int errnum);
-+
+ 
 +static inline const char * STRERROR(int errnum) {
 +#ifdef __GLIBC__
 +        return strerror_r(abs(errnum), (char[ERRNO_BUF_LEN]){}, ERRNO_BUF_LEN);
diff --git a/meta/recipes-core/systemd/systemd_257.5.bb b/meta/recipes-core/systemd/systemd_257.6.bb
index 995b55580e..5f7f20c434 100644
--- a/meta/recipes-core/systemd/systemd_257.5.bb
+++ b/meta/recipes-core/systemd/systemd_257.6.bb
@@ -519,7 +519,6 @@ RRECOMMENDS:${PN}-binfmt = "${@bb.utils.contains('PACKAGECONFIG', 'binfmt', 'ker
 
 RDEPENDS:${PN}-vconsole-setup = "${@bb.utils.contains('PACKAGECONFIG', 'vconsole', 'kbd kbd-consolefonts kbd-keymaps', '', d)}"
 
-
 FILES:${PN}-journal-gatewayd = "${nonarch_libdir}/systemd/systemd-journal-gatewayd \
                                 ${systemd_system_unitdir}/systemd-journal-gatewayd.service \
                                 ${systemd_system_unitdir}/systemd-journal-gatewayd.socket \
@@ -542,7 +541,6 @@ FILES:${PN}-journal-remote = "${nonarch_libdir}/systemd/systemd-journal-remote \
                              "
 SYSTEMD_SERVICE:${PN}-journal-remote = "systemd-journal-remote.socket"
 
-
 FILES:${PN}-container = "${sysconfdir}/dbus-1/system.d/org.freedesktop.import1.conf \
                          ${sysconfdir}/dbus-1/system.d/org.freedesktop.machine1.conf \
                          ${sysconfdir}/systemd/system/multi-user.target.wants/machines.target \
diff --git a/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb b/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb
index 6ff2ca1bf4..c77266e71e 100644
--- a/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb
+++ b/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb
@@ -2,12 +2,10 @@ SUMMARY = "Inittab configuration for SysVinit"
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
 
-
 SRC_URI = "file://inittab \
            file://start_getty"
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 INHIBIT_DEFAULT_DEPS = "1"
 
diff --git a/meta/recipes-core/sysvinit/sysvinit_3.14.bb b/meta/recipes-core/sysvinit/sysvinit_3.14.bb
index 521eda0bfb..d4bb797624 100644
--- a/meta/recipes-core/sysvinit/sysvinit_3.14.bb
+++ b/meta/recipes-core/sysvinit/sysvinit_3.14.bb
@@ -20,7 +20,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
            "
 SRC_URI[sha256sum] = "c90874b8c054a35991fb8c4d30c443ed1e9b1815ff6165c7b483f558be4e4b53"
 
-S = "${WORKDIR}/sysvinit-${PV}"
+S = "${UNPACKDIR}/sysvinit-${PV}"
 
 inherit update-alternatives features_check github-releases
 DEPENDS:append = " update-rc.d-native base-passwd virtual/crypt"
diff --git a/meta/recipes-core/ttyrun/ttyrun_2.37.0.bb b/meta/recipes-core/ttyrun/ttyrun_2.38.0.bb
index e8fb4831e2..90380e51ea 100644
--- a/meta/recipes-core/ttyrun/ttyrun_2.37.0.bb
+++ b/meta/recipes-core/ttyrun/ttyrun_2.38.0.bb
@@ -6,13 +6,11 @@ HOMEPAGE = "https://github.com/ibm-s390-linux/s390-tools"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=f5118f167b055bfd7c3450803f1847af"
 
-SRC_URI = "git://github.com/ibm-s390-linux/s390-tools;protocol=https;branch=master"
-SRCREV = "793c037ded98cd001075cdb55a9c58e122380256"
+SRC_URI = "git://github.com/ibm-s390-linux/s390-tools;protocol=https;branch=master;tag=v${PV}"
+SRCREV = "660bab6e68fded26b2117e1dcec0844549a22fed"
 
 CVE_PRODUCT = "s390-tools"
 
-S = "${WORKDIR}/git"
-
 EXTRA_OEMAKE = "\
     V=1 \
     CC="${CC}" \
diff --git a/meta/recipes-core/udev/udev-extraconf_1.1.bb b/meta/recipes-core/udev/udev-extraconf_1.1.bb
index 0d7e4f4f36..2ba6606c05 100644
--- a/meta/recipes-core/udev/udev-extraconf_1.1.bb
+++ b/meta/recipes-core/udev/udev-extraconf_1.1.bb
@@ -13,8 +13,7 @@ SRC_URI = " \
        file://localextra.rules \
 "
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 MOUNT_BASE = "/run/media"
 MOUNT_GROUP ?= "disk"
diff --git a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
index 27723c88ef..124b7d32a2 100644
--- a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
+++ b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
@@ -12,8 +12,6 @@ PV .= "+git"
 
 UPSTREAM_CHECK_COMMITS = "1"
 
-S = "${WORKDIR}/git"
-
 inherit allarch
 
 do_compile() {
diff --git a/meta/recipes-core/util-linux/util-linux-libuuid_2.41.bb b/meta/recipes-core/util-linux/util-linux-libuuid_2.41.bb
index ec04c1d384..5ad2997c27 100644
--- a/meta/recipes-core/util-linux/util-linux-libuuid_2.41.bb
+++ b/meta/recipes-core/util-linux/util-linux-libuuid_2.41.bb
@@ -3,15 +3,17 @@
 
 require util-linux.inc
 
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://libuuid/COPYING;md5=6d2cafc999feb2c2de84d4d24b23290c \
+                    file://Documentation/licenses/COPYING.BSD-3-Clause;md5=58dcd8452651fc8b07d1f65ce07ca8af"
+
 inherit autotools gettext pkgconfig
 
-S = "${WORKDIR}/util-linux-${PV}"
+S = "${UNPACKDIR}/util-linux-${PV}"
 
 EXTRA_AUTORECONF += "--exclude=gtkdocize"
 EXTRA_OECONF += "--disable-all-programs --enable-libuuid"
 
-LICENSE = "BSD-3-Clause"
-
 do_install:append() {
         rm -rf ${D}${datadir} ${D}${bindir} ${D}${base_bindir} ${D}${sbindir} ${D}${base_sbindir} ${D}${exec_prefix}/sbin
 }
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index b0f2a9d497..111f29cb92 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -6,29 +6,6 @@ disk partitioning, kernel message management, filesystem creation, and system lo
 
 SECTION = "base"
 
-LICENSE = "GPL-1.0-or-later & GPL-2.0-only & GPL-2.0-or-later & LGPL-2.1-or-later & BSD-2-Clause & BSD-3-Clause & BSD-4-Clause-UC & MIT & EUPL-1.2"
-LICENSE:${PN}-fcntl-lock = "MIT"
-LICENSE:${PN}-fdisk = "GPL-1.0-or-later"
-LICENSE:${PN}-libblkid = "LGPL-2.1-or-later"
-LICENSE:${PN}-libfdisk = "LGPL-2.1-or-later"
-LICENSE:${PN}-libmount = "LGPL-2.1-or-later"
-LICENSE:${PN}-libsmartcols = "LGPL-2.1-or-later"
-LICENSE:${PN}-coresched = "EUPL-1.2"
-
-LIC_FILES_CHKSUM = "file://README.licensing;md5=55e895a80bdd4ffc65e167a76d2e7569 \
-                    file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-                    file://Documentation/licenses/COPYING.GPL-2.0-or-later;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-                    file://Documentation/licenses/COPYING.LGPL-2.1-or-later;md5=4fbd65380cdd255951079008b364516c \
-                    file://Documentation/licenses/COPYING.BSD-3-Clause;md5=58dcd8452651fc8b07d1f65ce07ca8af \
-                    file://Documentation/licenses/COPYING.BSD-4-Clause-UC;md5=263860f8968d8bafa5392cab74285262 \
-                    file://Documentation/licenses/COPYING.EUPL-1.2;md5=c075d2767167a2355b23392018a1cbbd \
-                    file://libuuid/COPYING;md5=6d2cafc999feb2c2de84d4d24b23290c \
-                    file://libmount/COPYING;md5=7c7e39fb7d70ffe5d693a643e29987c2 \
-                    file://libblkid/COPYING;md5=693bcbbe16d3a4a4b37bc906bc01cc04 \
-                    file://libfdisk/COPYING;md5=693bcbbe16d3a4a4b37bc906bc01cc04 \
-                    file://libsmartcols/COPYING;md5=693bcbbe16d3a4a4b37bc906bc01cc04 \
-                    "
-
 FILESEXTRAPATHS:prepend := "${THISDIR}/util-linux:"
 MAJOR_VERSION = "${@'.'.join(d.getVar('PV').split('.')[0:2])}"
 SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-linux-${PV}.tar.xz \
@@ -42,6 +19,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
            file://fcntl-lock.c \
            file://0001-tests-ts-kill-decode-avoid-using-shell-built-in-kill.patch \
            file://0001-lsfd-mkfds-foreign-sockets-skip-when-lacking-sock_di.patch \
+           file://0001-ts-kill-decode-use-RTMIN-from-kill-L-instead-of-hard.patch \
            "
 
 SRC_URI[sha256sum] = "81ee93b3cfdfeb7d7c4090cedeba1d7bbce9141fd0b501b686b3fe475ddca4c6"
diff --git a/meta/recipes-core/util-linux/util-linux/0001-ts-kill-decode-use-RTMIN-from-kill-L-instead-of-hard.patch b/meta/recipes-core/util-linux/util-linux/0001-ts-kill-decode-use-RTMIN-from-kill-L-instead-of-hard.patch
new file mode 100644
index 0000000000..f4e2f9e745
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/0001-ts-kill-decode-use-RTMIN-from-kill-L-instead-of-hard.patch
@@ -0,0 +1,58 @@
+From c5d5e8873029d170fcab38a6fbd5d5a355574b9f Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Wed, 4 Jun 2025 16:27:19 +0800
+Subject: [PATCH] ts/kill/decode: use RTMIN from 'kill -L' instead of
+ hardcoding 34
+
+glibc uses 34 as the value of SIGRTMIN:
+https://sourceware.org/git/?p=glibc.git;a=blob;f=signal/allocrtsig.c;h=8ed8e37dd6c41f94be6eef042ce9db1af1153228;hb=HEAD#l27 """
+static int current_rtmin = __SIGRTMIN + RESERVED_SIGRT; """
+
+musl uses 35 as the value of SIGRTMIN:
+https://git.musl-libc.org/cgit/musl/tree/src/signal/sigrtmin.c
+
+With the hardcoded 34, test case fails with the following difference:
+
+-Ignored: HUP QUIT TRAP PIPE ALRM
++Ignored: HUP QUIT TRAP PIPE ALRM 34
+
+Extract the value of RTMIN from 'kill -L' to avoid such hardcoding.
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/c5d5e8873029d170fcab38a6fbd5d5a355574b9f]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ tests/ts/kill/decode | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tests/ts/kill/decode b/tests/ts/kill/decode
+index 57149899e..524b4e5e2 100755
+--- a/tests/ts/kill/decode
++++ b/tests/ts/kill/decode
+@@ -53,14 +53,19 @@ ACK=
+            # Sending one more USR1 is for making the signal pending state.
+            "$TS_CMD_KILL" -USR1 "$PID"
+            "$TS_CMD_KILL" -d "$PID" | {
+-               if [[ $("$TS_CMD_KILL" --list=34) == RT0 ]]; then
++               SIGRTMIN=$("$TS_CMD_KILL" -L | grep -o '[0-9]\+ RTMIN' | cut -d " " -f 1)
++               if [[ $("$TS_CMD_KILL" --list=$SIGRTMIN) == RT0 ]]; then
+                    # See man signal(7).
+                    #   The  Linux  kernel  supports a range of 33 different real-time signals,
+                    #   numbered 32 to 64.  However, the glibc POSIX threads implementation in‐
+                    #   ternally uses two (for NPTL) or three (for LinuxThreads) real-time sig‐
+                    #   nals (see pthreads(7)), and adjusts the value of SIGRTMIN suitably  (to
+                    #   34 or 35).
+-                   sed -e s/' 32 33'// -e s/' 34'//
++                   sed_cmd="sed"
++                   for ((i=32; i<=SIGRTMIN; i++)); do
++                       sed_cmd+=" -e s/' $i'//"
++                   done
++                   eval $sed_cmd
+                else
+                    cat
+                fi
+-- 
+2.34.1
+
diff --git a/meta/recipes-core/util-linux/util-linux_2.41.bb b/meta/recipes-core/util-linux/util-linux_2.41.bb
index 00036e8a68..41fb3e5951 100644
--- a/meta/recipes-core/util-linux/util-linux_2.41.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.41.bb
@@ -1,5 +1,58 @@
 require util-linux.inc
 
+# Most of the applications and the libraries are linked with libcommon.la,
+# which uses these licenses
+LIBCOMMON_LICENSES = "LGPL-2.1-or-later & BSD-2-Clause & BSD-3-Clause & MIT"
+
+# The default license is GPL-2.0-or-later
+DEFAULT_LICENSES = "GPL-2.0-or-later & ${LIBCOMMON_LICENSES}"
+
+LICENSE = "GPL-1.0-or-later & GPL-2.0-only & GPL-2.0-or-later & LGPL-2.1-or-later & BSD-2-Clause & BSD-3-Clause & BSD-4-Clause-UC & MIT & EUPL-1.2"
+LICENSE:${PN}-bash-completion = "GPL-2.0-or-later"
+LICENSE:${PN}-dev = "${LIBCOMMON_LICENSES}"
+# All dynamic packages use ${DEFAULT_LICENSES} with the following exceptions
+LICENSE:${PN}-cal = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-col = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-colcrt = "BSD-4-Clause-UC"
+LICENSE:${PN}-colrm = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-column = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-coresched = "EUPL-1.2 & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-fcntl-lock = "MIT"
+LICENSE:${PN}-fdisk = "GPL-1.0-or-later & ${DEFAULT_LICENSES}"
+LICENSE:${PN}-fsfreeze = "GPL-1.0-or-later"
+LICENSE:${PN}-hexdump = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-kill = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-libblkid = "${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-libfdisk = "${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-libmount = "${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-libsmartcols = "${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-logger = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-look = "BSD-4-Clause-UC"
+LICENSE:${PN}-lscpu = "GPL-2.0-only & ${DEFAULT_LICENSES}"
+LICENSE:${PN}-mesg = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-nsenter = "GPL-2.0-only & ${DEFAULT_LICENSES}"
+LICENSE:${PN}-renice = "BSD-4-Clause-UC"
+LICENSE:${PN}-rev = "BSD-4-Clause-UC"
+LICENSE:${PN}-script = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-ul = "BSD-4-Clause-UC"
+LICENSE:${PN}-vipw = "BSD-4-Clause-UC & ${DEFAULT_LICENSES}"
+LICENSE:${PN}-wall = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-whereis = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+LICENSE:${PN}-write = "BSD-4-Clause-UC & ${LIBCOMMON_LICENSES}"
+
+LIC_FILES_CHKSUM = "file://README.licensing;md5=55e895a80bdd4ffc65e167a76d2e7569 \
+                    file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+                    file://Documentation/licenses/COPYING.GPL-2.0-or-later;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+                    file://Documentation/licenses/COPYING.LGPL-2.1-or-later;md5=4fbd65380cdd255951079008b364516c \
+                    file://Documentation/licenses/COPYING.BSD-3-Clause;md5=58dcd8452651fc8b07d1f65ce07ca8af \
+                    file://Documentation/licenses/COPYING.BSD-4-Clause-UC;md5=263860f8968d8bafa5392cab74285262 \
+                    file://Documentation/licenses/COPYING.EUPL-1.2;md5=c075d2767167a2355b23392018a1cbbd \
+                    file://libmount/COPYING;md5=7c7e39fb7d70ffe5d693a643e29987c2 \
+                    file://libblkid/COPYING;md5=693bcbbe16d3a4a4b37bc906bc01cc04 \
+                    file://libfdisk/COPYING;md5=693bcbbe16d3a4a4b37bc906bc01cc04 \
+                    file://libsmartcols/COPYING;md5=693bcbbe16d3a4a4b37bc906bc01cc04 \
+                    "
+
 inherit autotools gettext manpages pkgconfig systemd update-alternatives python3-dir bash-completion ptest gtk-doc
 DEPENDS = "libcap-ng ncurses virtual/crypt zlib util-linux-libuuid"
 
@@ -11,6 +64,9 @@ python util_linux_binpackages () {
         pn = d.getVar('PN')
         d.appendVar('RRECOMMENDS:%s' % pn, ' %s' % pkg)
 
+        if not d.getVar('LICENSE:' + pkg):
+            d.setVar('LICENSE:' + pkg, '${DEFAULT_LICENSES}')
+
         if d.getVar('ALTERNATIVE:' + pkg):
             return
         if d.getVarFlag('ALTERNATIVE_LINK_NAME', modulename):
diff --git a/meta/recipes-core/volatile-binds/volatile-binds.bb b/meta/recipes-core/volatile-binds/volatile-binds.bb
index 3597ec7356..857bcc93ff 100644
--- a/meta/recipes-core/volatile-binds/volatile-binds.bb
+++ b/meta/recipes-core/volatile-binds/volatile-binds.bb
@@ -9,8 +9,7 @@ SRC_URI = "\
     file://volatile-binds.service.in \
 "
 
-S = "${WORKDIR}/sources"
-UNPACKDIR = "${S}"
+S = "${UNPACKDIR}"
 
 inherit allarch systemd features_check