build-appliance-image: Update to kirkstone head revision

(From OE-Core rev: fb45c5cf8c2b663af293acb069d446610f77ff1a) Signed-off-by: Steve Sakoman <steve@sakoman.com>
poky.conf: bump version for 4.0.23
2026-02-21 17:09:42 +01:00 · 2024-11-15 12:20:43 -08:00 · 2024-11-15 12:17:56 -08:00 · 2024-11-15 06:51:25 -08:00 · 2024-11-15 06:51:25 -08:00 · 2024-11-15 06:51:25 -08:00
112 changed files with 5102 additions and 1209 deletions
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
@@ -401,7 +401,7 @@ overview of their function and contents.

      Example usage::

-         BB_HASHSERVE_UPSTREAM = "hashserv.yocto.io:8687"
+         BB_HASHSERVE_UPSTREAM = "hashserv.yoctoproject.org:8686"

   :term:`BB_INVALIDCONF`
      Used in combination with the ``ConfigParsed`` event to trigger
--- a/bitbake/lib/bb/codeparser.py
+++ b/bitbake/lib/bb/codeparser.py
@@ -201,6 +201,22 @@ class DummyLogger():
    def flush(self):
        return

+
+# Starting with Python 3.8, the ast module exposes all string nodes as a
+# Constant. While earlier versions of the module also have the Constant type
+# those use the Str type to encapsulate strings.
+if sys.version_info < (3, 8):
+    def node_str_value(node):
+        if isinstance(node, ast.Str):
+            return node.s
+        return None
+else:
+    def node_str_value(node):
+        if isinstance(node, ast.Constant) and isinstance(node.value, str):
+            return node.value
+        return None
+
+
 class PythonParser():
    getvars = (".getVar", ".appendVar", ".prependVar", "oe.utils.conditional")
    getvarflags = (".getVarFlag", ".appendVarFlag", ".prependVarFlag")
@@ -225,19 +241,22 @@ class PythonParser():
    def visit_Call(self, node):
        name = self.called_node_name(node.func)
        if name and (name.endswith(self.getvars) or name.endswith(self.getvarflags) or name in self.containsfuncs or name in self.containsanyfuncs):
-            if isinstance(node.args[0], ast.Constant) and isinstance(node.args[0].value, str):
-                varname = node.args[0].value
-                if name in self.containsfuncs and isinstance(node.args[1], ast.Constant):
+            varname = node_str_value(node.args[0])
+            if varname is not None:
+                arg_str_value = None
+                if len(node.args) >= 2:
+                    arg_str_value = node_str_value(node.args[1])
+                if name in self.containsfuncs and arg_str_value is not None:
                    if varname not in self.contains:
                        self.contains[varname] = set()
-                    self.contains[varname].add(node.args[1].value)
-                elif name in self.containsanyfuncs and isinstance(node.args[1], ast.Constant):
+                    self.contains[varname].add(arg_str_value)
+                elif name in self.containsanyfuncs and arg_str_value is not None:
                    if varname not in self.contains:
                        self.contains[varname] = set()
-                    self.contains[varname].update(node.args[1].value.split())
+                    self.contains[varname].update(arg_str_value.split())
                elif name.endswith(self.getvarflags):
-                    if isinstance(node.args[1], ast.Constant):
-                        self.references.add('%s[%s]' % (varname, node.args[1].value))
+                    if arg_str_value is not None:
+                        self.references.add('%s[%s]' % (varname, arg_str_value))
                    else:
                        self.warn(node.func, node.args[1])
                else:
@@ -245,10 +264,10 @@ class PythonParser():
            else:
                self.warn(node.func, node.args[0])
        elif name and name.endswith(".expand"):
-            if isinstance(node.args[0], ast.Constant):
-                value = node.args[0].value
+            arg_str_value = node_str_value(node.args[0])
+            if arg_str_value is not None:
                d = bb.data.init()
-                parser = d.expandWithRefs(value, self.name)
+                parser = d.expandWithRefs(arg_str_value, self.name)
                self.references |= parser.references
                self.execs |= parser.execs
                for varname in parser.contains:
@@ -256,8 +275,9 @@ class PythonParser():
                        self.contains[varname] = set()
                    self.contains[varname] |= parser.contains[varname]
        elif name in self.execfuncs:
-            if isinstance(node.args[0], ast.Constant):
-                self.var_execs.add(node.args[0].value)
+            arg_str_value = node_str_value(node.args[0])
+            if arg_str_value is not None:
+                self.var_execs.add(arg_str_value)
            else:
                self.warn(node.func, node.args[0])
        elif name and isinstance(node.func, (ast.Name, ast.Attribute)):
--- a/bitbake/lib/bb/fetch2/git.py
+++ b/bitbake/lib/bb/fetch2/git.py
@@ -861,9 +861,8 @@ class Git(FetchMethod):
            commits = None
        else:
            if not os.path.exists(rev_file) or not os.path.getsize(rev_file):
-                from pipes import quote
                commits = bb.fetch2.runfetchcmd(
-                        "git rev-list %s -- | wc -l" % quote(rev),
+                        "git rev-list %s -- | wc -l" % shlex.quote(rev),
                        d, quiet=True).strip().lstrip('0')
                if commits:
                    open(rev_file, "w").write("%d\n" % int(commits))
--- a/bitbake/lib/bb/fetch2/gitsm.py
+++ b/bitbake/lib/bb/fetch2/gitsm.py
@@ -139,6 +139,19 @@ class GitSM(Git):

        return submodules != []

+    def call_process_submodules(self, ud, d, extra_check, subfunc):
+        # If we're using a shallow mirror tarball it needs to be
+        # unpacked temporarily so that we can examine the .gitmodules file
+        if ud.shallow and os.path.exists(ud.fullshallow) and extra_check:
+            tmpdir = tempfile.mkdtemp(dir=d.getVar("DL_DIR"))
+            try:
+                runfetchcmd("tar -xzf %s" % ud.fullshallow, d, workdir=tmpdir)
+                self.process_submodules(ud, tmpdir, subfunc, d)
+            finally:
+                shutil.rmtree(tmpdir)
+        else:
+            self.process_submodules(ud, ud.clonedir, subfunc, d)
+
    def need_update(self, ud, d):
        if Git.need_update(self, ud, d):
            return True
@@ -156,15 +169,7 @@ class GitSM(Git):
                logger.error('gitsm: submodule update check failed: %s %s' % (type(e).__name__, str(e)))
                need_update_result = True

-        # If we're using a shallow mirror tarball it needs to be unpacked
-        # temporarily so that we can examine the .gitmodules file
-        if ud.shallow and os.path.exists(ud.fullshallow) and not os.path.exists(ud.clonedir):
-            tmpdir = tempfile.mkdtemp(dir=d.getVar("DL_DIR"))
-            runfetchcmd("tar -xzf %s" % ud.fullshallow, d, workdir=tmpdir)
-            self.process_submodules(ud, tmpdir, need_update_submodule, d)
-            shutil.rmtree(tmpdir)
-        else:
-            self.process_submodules(ud, ud.clonedir, need_update_submodule, d)
+        self.call_process_submodules(ud, d, not os.path.exists(ud.clonedir), need_update_submodule)

        if need_update_list:
            logger.debug('gitsm: Submodules requiring update: %s' % (' '.join(need_update_list)))
@@ -187,16 +192,7 @@ class GitSM(Git):
                raise

        Git.download(self, ud, d)
-
-        # If we're using a shallow mirror tarball it needs to be unpacked
-        # temporarily so that we can examine the .gitmodules file
-        if ud.shallow and os.path.exists(ud.fullshallow) and self.need_update(ud, d):
-            tmpdir = tempfile.mkdtemp(dir=d.getVar("DL_DIR"))
-            runfetchcmd("tar -xzf %s" % ud.fullshallow, d, workdir=tmpdir)
-            self.process_submodules(ud, tmpdir, download_submodule, d)
-            shutil.rmtree(tmpdir)
-        else:
-            self.process_submodules(ud, ud.clonedir, download_submodule, d)
+        self.call_process_submodules(ud, d, self.need_update(ud, d), download_submodule)

    def unpack(self, ud, destdir, d):
        def unpack_submodules(ud, url, module, modpath, workdir, d):
@@ -249,14 +245,6 @@ class GitSM(Git):
            newfetch = Fetch([url], d, cache=False)
            urldata.extend(newfetch.expanded_urldata())

-        # If we're using a shallow mirror tarball it needs to be unpacked
-        # temporarily so that we can examine the .gitmodules file
-        if ud.shallow and os.path.exists(ud.fullshallow) and ud.method.need_update(ud, d):
-            tmpdir = tempfile.mkdtemp(dir=d.getVar("DL_DIR"))
-            subprocess.check_call("tar -xzf %s" % ud.fullshallow, cwd=tmpdir, shell=True)
-            self.process_submodules(ud, tmpdir, add_submodule, d)
-            shutil.rmtree(tmpdir)
-        else:
-            self.process_submodules(ud, ud.clonedir, add_submodule, d)
+        self.call_process_submodules(ud, d, ud.method.need_update(ud, d), add_submodule)

        return urldata
--- a/bitbake/lib/bb/tests/fetch.py
+++ b/bitbake/lib/bb/tests/fetch.py
@@ -1333,12 +1333,12 @@ class FetchLatestVersionTest(FetcherTest):
        ("dtc", "git://git.yoctoproject.org/bbfetchtests-dtc.git;branch=master", "65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf", "")
            : "1.4.0",
        # combination version pattern
-        ("sysprof", "git://gitlab.gnome.org/GNOME/sysprof.git;protocol=https;branch=master", "cd44ee6644c3641507fb53b8a2a69137f2971219", "")
+        ("sysprof", "git://git.yoctoproject.org/sysprof.git;protocol=https;branch=master", "cd44ee6644c3641507fb53b8a2a69137f2971219", "")
            : "1.2.0",
        ("u-boot-mkimage", "git://source.denx.de/u-boot/u-boot.git;branch=master;protocol=https", "62c175fbb8a0f9a926c88294ea9f7e88eb898f6c", "")
            : "2014.01",
        # version pattern "yyyymmdd"
-        ("mobile-broadband-provider-info", "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=master", "4ed19e11c2975105b71b956440acdb25d46a347d", "")
+        ("mobile-broadband-provider-info", "git://git.yoctoproject.org/mobile-broadband-provider-info.git;protocol=https;branch=master", "4ed19e11c2975105b71b956440acdb25d46a347d", "")
            : "20120614",
        # packages with a valid UPSTREAM_CHECK_GITTAGREGEX
                # mirror of git://anongit.freedesktop.org/xorg/driver/xf86-video-omap since network issues interfered with testing
--- a/documentation/Makefile
+++ b/documentation/Makefile
@@ -3,17 +3,18 @@

 # You can set these variables from the command line, and also
 # from the environment for the first two.
-SPHINXOPTS    ?= -W --keep-going -j auto
-SPHINXBUILD   ?= sphinx-build
+SPHINXOPTS     ?= -W --keep-going -j auto
+SPHINXBUILD    ?= sphinx-build
 # Release notes are excluded because they contain contributor names and commit messages which can't be modified
-VALEOPTS      ?= --no-wrap --glob '!migration-guides/release-notes-*.rst'
-VALEDOCS      ?= .
-SOURCEDIR     = .
-IMAGEDIRS     = */svg
-BUILDDIR      = _build
-DESTDIR       = final
-SVG2PNG       = inkscape
-SVG2PDF       = inkscape
+VALEOPTS       ?= --no-wrap --glob '!migration-guides/release-notes-*.rst'
+SOURCEDIR      = .
+VALEDOCS       ?= $(SOURCEDIR)
+SPHINXLINTDOCS ?= $(SOURCEDIR)
+IMAGEDIRS      = */svg
+BUILDDIR       = _build
+DESTDIR        = final
+SVG2PNG        = inkscape
+SVG2PDF        = inkscape

 ifeq ($(shell if which $(SPHINXBUILD) >/dev/null 2>&1; then echo 1; else echo 0; fi),0)
 $(error "The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed")
@@ -54,12 +55,14 @@ stylecheck:
 	vale $(VALEOPTS) $(VALEDOCS)

 sphinx-lint:
-	sphinx-lint $(SOURCEDIR)
+	sphinx-lint $(SPHINXLINTDOCS)

 epub: $(PNGs)
+	$(SOURCEDIR)/set_versions.py
 	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

 latexpdf: $(PDFs)
+	$(SOURCEDIR)/set_versions.py
 	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

 all: html epub latexpdf
--- a/documentation/README
+++ b/documentation/README
@@ -165,7 +165,15 @@ To run Vale:

 $ make stylecheck

-Link checking the Yocto Project documentation
+Style checking the whole documentation might take some time and generate a
+lot of warnings/errors, thus one can run Vale on a subset of files or
+directories:
+
+  $ make stylecheck VALEDOCS=<file>
+  $ make stylecheck VALEDOCS="<file1> <file2>"
+  $ make stylecheck VALEDOCS=<dir>
+
+Lint checking the Yocto Project documentation
 =============================================

 To fix errors which are not reported by Sphinx itself,
@@ -179,6 +187,14 @@ To run sphinx-lint:

 $ make sphinx-lint

+Lint checking the whole documentation might take some time and generate a
+lot of warnings/errors, thus one can run sphinx-lint on a subset of files
+or directories:
+
+  $ make sphinx-lint SPHINXLINTDOCS=<file>
+  $ make sphinx-lint SPHINXLINTDOCS="<file1> <file2>"
+  $ make sphinx-lint SPHINXLINTDOCS=<dir>
+
 Sphinx theme and CSS customization
 ==================================

--- a/documentation/brief-yoctoprojectqs/index.rst
+++ b/documentation/brief-yoctoprojectqs/index.rst
@@ -251,7 +251,7 @@ an entire Linux distribution, including the toolchain, from source.
      To use such mirrors, uncomment the below lines in your ``conf/local.conf``
      file in the :term:`Build Directory`::

-         BB_HASHSERVE_UPSTREAM = "hashserv.yocto.io:8687"
+         BB_HASHSERVE_UPSTREAM = "hashserv.yoctoproject.org:8686"
         SSTATE_MIRRORS ?= "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
         BB_HASHSERVE = "auto"
         BB_SIGNATURE_HANDLER = "OEEquivHash"
--- a/documentation/conf.py
+++ b/documentation/conf.py
@@ -90,8 +90,9 @@ rst_prolog = """

 # external links and substitutions
 extlinks = {
-    'cve': ('https://nvd.nist.gov/vuln/detail/CVE-%s', 'CVE-%s'),
+    'bitbake_git': ('https://git.openembedded.org/bitbake%s', None),
    'cve_mitre': ('https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-%s', 'CVE-%s'),
+    'cve_nist': ('https://nvd.nist.gov/vuln/detail/CVE-%s', 'CVE-%s'),
    'yocto_home': ('https://www.yoctoproject.org%s', None),
    'yocto_wiki': ('https://wiki.yoctoproject.org/wiki%s', None),
    'yocto_dl': ('https://downloads.yoctoproject.org%s', None),
--- a/documentation/contributor-guide/recipe-style-guide.rst
+++ b/documentation/contributor-guide/recipe-style-guide.rst
@@ -395,7 +395,7 @@ one CVE is fixed, separate them using spaces.
 CVE Examples
 ------------

-This should be the header of patch that fixes :cve:`2015-8370` in GRUB2::
+This should be the header of patch that fixes :cve_nist:`2015-8370` in GRUB2::

   grub2: Fix CVE-2015-8370

--- a/documentation/contributor-guide/submit-changes.rst
+++ b/documentation/contributor-guide/submit-changes.rst
@@ -442,7 +442,7 @@ typical usage of ``git send-email``::
   git send-email --to <mailing-list-address> *.patch

 Then, review each subject line and list of recipients carefully, and then
-and then allow the command to send each message.
+allow the command to send each message.

 You will see that ``git send-email`` will automatically copy the people listed
 in any commit tags such as ``Signed-off-by`` or ``Reported-by``.
--- a/documentation/dev-manual/layers.rst
+++ b/documentation/dev-manual/layers.rst
@@ -644,6 +644,96 @@ variable and append the layer's root name::
   order of ``.conf`` or ``.bbclass`` files. Future versions of BitBake
   might address this.

+Providing Global-level Configurations With Your Layer
+-----------------------------------------------------
+
+When creating a layer, you may need to define configurations that should take
+effect globally in your build environment when the layer is part of the build.
+The ``layer.conf`` file is a :term:`configuration file` that affects the build
+system globally, so it is a candidate for this use-case.
+
+.. warning::
+
+   Providing unconditional global level configuration from the ``layer.conf``
+   file is *not* a good practice, and should be avoided. For this reason, the
+   section :ref:`ref-conditional-layer-confs` below shows how the ``layer.conf``
+   file can be used to provide configurations only if a certain condition is
+   met.
+
+For example, if your layer provides a Linux kernel recipe named
+``linux-custom``, you may want to make :term:`PREFERRED_PROVIDER_virtual/kernel
+<PREFERRED_PROVIDER>` point to ``linux-custom``::
+
+   PREFERRED_PROVIDER_virtual/kernel = "linux-custom"
+
+This can be defined in the ``layer.conf`` file. If your layer is at the last
+position in the :term:`BBLAYERS` list, it will take precedence over previous
+``PREFERRED_PROVIDER_virtual/kernel`` assignments (unless one is set from a
+:term:`configuration file` that is parsed later, such as machine or distro
+configuration files).
+
+.. _ref-conditional-layer-confs:
+
+Conditionally Provide Global-level Configurations With Your Layer
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+In some cases, your layer may provide global configurations only if some
+features it provides are enabled. Since the ``layer.conf`` file is parsed at an
+earlier stage in the parsing process, the :term:`DISTRO_FEATURES` and
+:term:`MACHINE_FEATURES` variables are not yet available to ``layer.conf``, and
+declaring conditional assignments based on these variables is not possible. The
+following technique shows a way to bypass this limitation by using the
+:term:`USER_CLASSES` variable and a conditional ``require`` command.
+
+In the following steps, let's assume our layer is named ``meta-mylayer`` and
+that this layer defines a custom :ref:`distro feature <ref-features-distro>`
+named ``mylayer-kernel``. We will set the :term:`PREFERRED_PROVIDER` variable
+for the kernel only if our feature ``mylayer-kernel`` is part of the
+:term:`DISTRO_FEATURES`:
+
+#. Create an include file in the directory
+   ``meta-mylayer/conf/distro/include/``, for example a file named
+   ``mylayer-kernel-provider.inc`` that sets the kernel provider to
+   ``linux-custom``::
+
+      PREFERRED_PROVIDER_virtual/kernel = "linux-custom"
+
+#. Provide a path to this include file in your ``layer.conf``::
+
+      META_MYLAYER_KERNEL_PROVIDER_PATH = "${LAYERDIR}/conf/distro/include/mylayer-kernel-provider.inc"
+
+#. Create a new class in ``meta-mylayer/classes-global/``, for example a class
+   ``meta-mylayer-cfg.bbclass``. Make it conditionally require the file
+   ``mylayer-kernel-provider.inc`` defined above, using the variable
+   ``META_MYLAYER_KERNEL_PROVIDER_PATH`` defined in ``layer.conf``::
+
+      require ${@bb.utils.contains('DISTRO_FEATURES', 'mylayer-kernel', '${META_MYLAYER_KERNEL_PROVIDER_PATH}', '', d)}
+
+   For details on the ``bb.utils.contains`` function, see its definition in
+   :bitbake_git:`lib/bb/utils.py </tree/lib/bb/utils.py>`.
+
+   .. note::
+
+      The ``require`` command is designed to not fail if the function
+      ``bb.utils.contains`` returns an empty string.
+
+#. Back to your ``layer.conf`` file, add the class ``meta-mylayer-cfg`` class to
+   the :term:`USER_CLASSES` variable::
+
+      USER_CLASSES:append = " meta-mylayer-cfg"
+
+   This will add the class ``meta-mylayer-cfg`` to the list of classes to
+   globally inherit. Since the ``require`` command is conditional in
+   ``meta-mylayer-cfg.bbclass``, even though inherited the class will have no
+   effect unless the feature ``mylayer-kernel`` is enabled through
+   :term:`DISTRO_FEATURES`.
+
+This technique can also be used for :ref:`Machine features
+<ref-features-machine>` by following the same steps. Though not mandatory, it is
+recommended to put include files for :term:`DISTRO_FEATURES` in your layer's
+``conf/distro/include`` and the ones for :term:`MACHINE_FEATURES` in your
+layer's ``conf/machine/include``.
+
 Managing Layers
 ===============

--- a/documentation/migration-guides/release-4.0.rst
+++ b/documentation/migration-guides/release-4.0.rst
@@ -28,4 +28,5 @@ Release 4.0 (kirkstone)
   release-notes-4.0.19
   release-notes-4.0.20
   release-notes-4.0.21
+   release-notes-4.0.22

--- a/documentation/migration-guides/release-notes-3.4.1.rst
+++ b/documentation/migration-guides/release-notes-3.4.1.rst
@@ -9,14 +9,14 @@ Known Issues in 3.4.1
 Security Fixes in 3.4.1
 ~~~~~~~~~~~~~~~~~~~~~~~

-  glibc: Backport fix for :cve:`2021-43396`
-  vim: add patch number to :cve:`2021-3778` patch
-  vim: fix :cve:`2021-3796`, :cve:`2021-3872`, and :cve:`2021-3875`
-  squashfs-tools: follow-up fix for :cve:`2021-41072`
+-  glibc: Backport fix for :cve_nist:`2021-43396`
+-  vim: add patch number to :cve_nist:`2021-3778` patch
+-  vim: fix :cve_nist:`2021-3796`, :cve_nist:`2021-3872`, and :cve_nist:`2021-3875`
+-  squashfs-tools: follow-up fix for :cve_nist:`2021-41072`
 -  avahi: update CVE id fixed by local-ping.patch
-  squashfs-tools: fix :cve:`2021-41072`
-  ffmpeg: fix :cve:`2021-38114`
-  curl: fix :cve:`2021-22945`, :cve:`2021-22946` and :cve:`2021-22947`
+-  squashfs-tools: fix :cve_nist:`2021-41072`
+-  ffmpeg: fix :cve_nist:`2021-38114`
+-  curl: fix :cve_nist:`2021-22945`, :cve_nist:`2021-22946` and :cve_nist:`2021-22947`

 Fixes in 3.4.1
 ~~~~~~~~~~~~~~
--- a/documentation/migration-guides/release-notes-3.4.2.rst
+++ b/documentation/migration-guides/release-notes-3.4.2.rst
@@ -4,29 +4,29 @@ Release notes for 3.4.2 (honister)
 Security Fixes in 3.4.2
 ~~~~~~~~~~~~~~~~~~~~~~~

-  tiff: backport fix for :cve:`2022-22844`
-  glibc : Fix :cve:`2021-3999`
-  glibc : Fix :cve:`2021-3998`
-  glibc : Fix :cve:`2022-23219`
-  glibc : Fix :cve:`2022-23218`
-  lighttpd: backport a fix for :cve:`2022-22707`
-  speex: fix :cve:`2020-23903`
-  linux-yocto/5.10: amdgpu: updates for :cve:`2021-42327`
-  libsndfile1: fix :cve:`2021-4156`
+-  tiff: backport fix for :cve_nist:`2022-22844`
+-  glibc : Fix :cve_nist:`2021-3999`
+-  glibc : Fix :cve_nist:`2021-3998`
+-  glibc : Fix :cve_nist:`2022-23219`
+-  glibc : Fix :cve_nist:`2022-23218`
+-  lighttpd: backport a fix for :cve_nist:`2022-22707`
+-  speex: fix :cve_nist:`2020-23903`
+-  linux-yocto/5.10: amdgpu: updates for :cve_nist:`2021-42327`
+-  libsndfile1: fix :cve_nist:`2021-4156`
 -  xserver-xorg: whitelist two CVEs
-  grub2: fix :cve:`2021-3981`
-  xserver-xorg: update CVE_PRODUCT
-  binutils: :cve:`2021-42574`
-  gcc: Fix :cve:`2021-42574`
-  gcc: Fix :cve:`2021-35465`
+-  grub2: fix :cve_nist:`2021-3981`
+-  xserver-xorg: update :term:`CVE_PRODUCT`
+-  binutils: :cve_nist:`2021-42574`
+-  gcc: Fix :cve_nist:`2021-42574`
+-  gcc: Fix :cve_nist:`2021-35465`
 -  cve-extra-exclusions: add db CVEs to exclusion list
-  gcc: Add :cve:`2021-37322` to the list of CVEs to ignore
-  bind: fix :cve:`2021-25219`
-  openssh: fix :cve:`2021-41617`
-  ncurses: fix :cve:`2021-39537`
-  vim: fix :cve:`2021-3968` and :cve:`2021-3973`
-  vim: fix :cve:`2021-3927` and :cve:`2021-3928`
-  gmp: fix :cve:`2021-43618`
+-  gcc: Add :cve_nist:`2021-37322` to the list of CVEs to ignore
+-  bind: fix :cve_nist:`2021-25219`
+-  openssh: fix :cve_nist:`2021-41617`
+-  ncurses: fix :cve_nist:`2021-39537`
+-  vim: fix :cve_nist:`2021-3968` and :cve_nist:`2021-3973`
+-  vim: fix :cve_nist:`2021-3927` and :cve_nist:`2021-3928`
+-  gmp: fix :cve_nist:`2021-43618`

 Fixes in 3.4.2
 ~~~~~~~~~~~~~~
--- a/documentation/migration-guides/release-notes-3.4.3.rst
+++ b/documentation/migration-guides/release-notes-3.4.3.rst
@@ -4,12 +4,12 @@ Release notes for 3.4.3 (honister)
 Security Fixes in 3.4.3
 ~~~~~~~~~~~~~~~~~~~~~~~

-  ghostscript: fix :cve:`2021-3781`
-  ghostscript: fix :cve:`2021-45949`
-  tiff: Add backports for two CVEs from upstream (:cve:`2022-0561` & :cve:`2022-0562`)
-  gcc : Fix :cve:`2021-46195`
+-  ghostscript: fix :cve_nist:`2021-3781`
+-  ghostscript: fix :cve_nist:`2021-45949`
+-  tiff: Add backports for two CVEs from upstream (:cve_nist:`2022-0561` & :cve_nist:`2022-0562`)
+-  gcc : Fix :cve_nist:`2021-46195`
 -  virglrenderer: fix `CVE-2022-0135 <https://security-tracker.debian.org/tracker/CVE-2022-0135>`__ and `CVE-2022-0175 <https://security-tracker.debian.org/tracker/CVE-2022-0175>`__
-  binutils: Add fix for :cve:`2021-45078`
+-  binutils: Add fix for :cve_nist:`2021-45078`


 Fixes in 3.4.3
--- a/documentation/migration-guides/release-notes-3.4.4.rst
+++ b/documentation/migration-guides/release-notes-3.4.4.rst
@@ -4,11 +4,11 @@ Release notes for 3.4.4 (honister)
 Security Fixes in 3.4.4
 ~~~~~~~~~~~~~~~~~~~~~~~

-  tiff: fix :cve:`2022-0865`, :cve:`2022-0891`, :cve:`2022-0907`, :cve:`2022-0908`, :cve:`2022-0909` and :cve:`2022-0924`
+-  tiff: fix :cve_nist:`2022-0865`, :cve_nist:`2022-0891`, :cve_nist:`2022-0907`, :cve_nist:`2022-0908`, :cve_nist:`2022-0909` and :cve_nist:`2022-0924`
 -  xz: fix `CVE-2022-1271 <https://security-tracker.debian.org/tracker/CVE-2022-1271>`__
 -  unzip: fix `CVE-2021-4217 <https://security-tracker.debian.org/tracker/CVE-2021-4217>`__
-  zlib: fix :cve:`2018-25032`
-  grub: ignore :cve:`2021-46705`
+-  zlib: fix :cve_nist:`2018-25032`
+-  grub: ignore :cve_nist:`2021-46705`

 Fixes in 3.4.4
 ~~~~~~~~~~~~~~
--- a/documentation/migration-guides/release-notes-3.4.rst
+++ b/documentation/migration-guides/release-notes-3.4.rst
@@ -216,34 +216,34 @@ Other license-related notes:
 Security Fixes in 3.4
 ~~~~~~~~~~~~~~~~~~~~~

-  apr: :cve:`2021-35940`
-  aspell: :cve:`2019-25051`
-  avahi: :cve:`2021-3468`, :cve:`2021-36217`
-  binutils: :cve:`2021-20197`
-  bluez: :cve:`2021-3658`
-  busybox: :cve:`2021-28831`
-  cairo: :cve:`2020-35492`
-  cpio: :cve:`2021-38185`
-  expat: :cve:`2013-0340`
-  ffmpeg: :cve:`2020-20446`, :cve:`2020-22015`, :cve:`2020-22021`, :cve:`2020-22033`, :cve:`2020-22019`, :cve:`2021-33815`, :cve:`2021-38171`, :cve:`2020-20453`
-  glibc: :cve:`2021-33574`, :cve:`2021-38604`
-  inetutils: :cve:`2021-40491`
-  libgcrypt: :cve:`2021-40528`
-  linux-yocto/5.10, 5.14: :cve:`2021-3653`, :cve:`2021-3656`
-  lz4: :cve:`2021-3520`
-  nettle: :cve:`2021-20305`
-  openssl: :cve:`2021-3711`, :cve:`2021-3712`
-  perl: :cve:`2021-36770`
-  python3: :cve:`2021-29921`
-  python3-pip: :cve:`2021-3572`
-  qemu: :cve:`2020-27821`, :cve:`2020-29443`, :cve:`2020-35517`, :cve:`2021-3392`, :cve:`2021-3409`, :cve:`2021-3416`, :cve:`2021-3527`, :cve:`2021-3544`, :cve:`2021-3545`, :cve:`2021-3546`, :cve:`2021-3682`, :cve:`2021-20181`, :cve:`2021-20221`, :cve:`2021-20257`, :cve:`2021-20263`
-  rpm: :cve:`2021-3421`, :cve:`2021-20271`
-  rsync: :cve:`2020-14387`
-  util-linux: :cve:`2021-37600`
-  vim: :cve:`2021-3770`, :cve:`2021-3778`
-  wpa-supplicant: :cve:`2021-30004`
-  xdg-utils: :cve:`2020-27748`
-  xserver-xorg: :cve:`2021-3472`
+-  apr: :cve_nist:`2021-35940`
+-  aspell: :cve_nist:`2019-25051`
+-  avahi: :cve_nist:`2021-3468`, :cve_nist:`2021-36217`
+-  binutils: :cve_nist:`2021-20197`
+-  bluez: :cve_nist:`2021-3658`
+-  busybox: :cve_nist:`2021-28831`
+-  cairo: :cve_nist:`2020-35492`
+-  cpio: :cve_nist:`2021-38185`
+-  expat: :cve_nist:`2013-0340`
+-  ffmpeg: :cve_nist:`2020-20446`, :cve_nist:`2020-22015`, :cve_nist:`2020-22021`, :cve_nist:`2020-22033`, :cve_nist:`2020-22019`, :cve_nist:`2021-33815`, :cve_nist:`2021-38171`, :cve_nist:`2020-20453`
+-  glibc: :cve_nist:`2021-33574`, :cve_nist:`2021-38604`
+-  inetutils: :cve_nist:`2021-40491`
+-  libgcrypt: :cve_nist:`2021-40528`
+-  linux-yocto/5.10, 5.14: :cve_nist:`2021-3653`, :cve_nist:`2021-3656`
+-  lz4: :cve_nist:`2021-3520`
+-  nettle: :cve_nist:`2021-20305`
+-  openssl: :cve_nist:`2021-3711`, :cve_nist:`2021-3712`
+-  perl: :cve_nist:`2021-36770`
+-  python3: :cve_nist:`2021-29921`
+-  python3-pip: :cve_nist:`2021-3572`
+-  qemu: :cve_nist:`2020-27821`, :cve_nist:`2020-29443`, :cve_nist:`2020-35517`, :cve_nist:`2021-3392`, :cve_nist:`2021-3409`, :cve_nist:`2021-3416`, :cve_nist:`2021-3527`, :cve_nist:`2021-3544`, :cve_nist:`2021-3545`, :cve_nist:`2021-3546`, :cve_nist:`2021-3682`, :cve_nist:`2021-20181`, :cve_nist:`2021-20221`, :cve_nist:`2021-20257`, :cve_nist:`2021-20263`
+-  rpm: :cve_nist:`2021-3421`, :cve_nist:`2021-20271`
+-  rsync: :cve_nist:`2020-14387`
+-  util-linux: :cve_nist:`2021-37600`
+-  vim: :cve_nist:`2021-3770`, :cve_nist:`2021-3778`
+-  wpa-supplicant: :cve_nist:`2021-30004`
+-  xdg-utils: :cve_nist:`2020-27748`
+-  xserver-xorg: :cve_nist:`2021-3472`

 Recipe Upgrades in 3.4
 ~~~~~~~~~~~~~~~~~~~~~~
--- a/documentation/migration-guides/release-notes-4.0.1.rst
+++ b/documentation/migration-guides/release-notes-4.0.1.rst
@@ -4,11 +4,11 @@ Release notes for 4.0.1 (kirkstone)
 Security Fixes in 4.0.1
 ~~~~~~~~~~~~~~~~~~~~~~~

-  linux-yocto/5.15: fix :cve:`2022-28796`
-  python3: ignore :cve:`2015-20107`
-  e2fsprogs: fix :cve:`2022-1304`
-  lua: fix :cve:`2022-28805`
-  busybox: fix :cve:`2022-28391`
+-  linux-yocto/5.15: fix :cve_nist:`2022-28796`
+-  python3: ignore :cve_nist:`2015-20107`
+-  e2fsprogs: fix :cve_nist:`2022-1304`
+-  lua: fix :cve_nist:`2022-28805`
+-  busybox: fix :cve_nist:`2022-28391`

 Fixes in 4.0.1
 ~~~~~~~~~~~~~~
--- a/documentation/migration-guides/release-notes-4.0.10.rst
+++ b/documentation/migration-guides/release-notes-4.0.10.rst
@@ -6,28 +6,28 @@ Release notes for Yocto-4.0.10 (Kirkstone)
 Security Fixes in Yocto-4.0.10
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  binutils: Fix :cve:`2023-1579`, :cve:`2023-1972`, :cve_mitre:`2023-25584`, :cve_mitre:`2023-25585` and :cve_mitre:`2023-25588`
-  cargo : Ignore :cve:`2022-46176`
-  connman: Fix :cve:`2023-28488`
-  curl: Fix :cve:`2023-27533`, :cve:`2023-27534`, :cve:`2023-27535`, :cve:`2023-27536` and :cve:`2023-27538`
-  ffmpeg: Fix :cve:`2022-48434`
-  freetype: Fix :cve:`2023-2004`
+-  binutils: Fix :cve_nist:`2023-1579`, :cve_nist:`2023-1972`, :cve_mitre:`2023-25584`, :cve_mitre:`2023-25585` and :cve_mitre:`2023-25588`
+-  cargo : Ignore :cve_nist:`2022-46176`
+-  connman: Fix :cve_nist:`2023-28488`
+-  curl: Fix :cve_nist:`2023-27533`, :cve_nist:`2023-27534`, :cve_nist:`2023-27535`, :cve_nist:`2023-27536` and :cve_nist:`2023-27538`
+-  ffmpeg: Fix :cve_nist:`2022-48434`
+-  freetype: Fix :cve_nist:`2023-2004`
 -  ghostscript: Fix :cve_mitre:`2023-29979`
-  git: Fix :cve:`2023-25652` and :cve:`2023-29007`
-  go: Fix :cve:`2022-41722`, :cve:`2022-41724`, :cve:`2022-41725`, :cve:`2023-24534`, :cve:`2023-24537` and :cve:`2023-24538`
-  go: Ignore :cve:`2022-41716`
-  libxml2: Fix :cve:`2023-28484` and :cve:`2023-29469`
-  libxpm: Fix :cve:`2022-44617`, :cve:`2022-46285` and :cve:`2022-4883`
-  linux-yocto: Ignore :cve:`2021-3759`, :cve:`2021-4135`, :cve:`2021-4155`, :cve:`2022-0168`, :cve:`2022-0171`, :cve:`2022-1016`, :cve:`2022-1184`, :cve:`2022-1198`, :cve:`2022-1199`, :cve:`2022-1462`, :cve:`2022-1734`, :cve:`2022-1852`, :cve:`2022-1882`, :cve:`2022-1998`, :cve:`2022-2078`, :cve:`2022-2196`, :cve:`2022-2318`, :cve:`2022-2380`, :cve:`2022-2503`, :cve:`2022-26365`, :cve:`2022-2663`, :cve:`2022-2873`, :cve:`2022-2905`, :cve:`2022-2959`, :cve:`2022-3028`, :cve:`2022-3078`, :cve:`2022-3104`, :cve:`2022-3105`, :cve:`2022-3106`, :cve:`2022-3107`, :cve:`2022-3111`, :cve:`2022-3112`, :cve:`2022-3113`, :cve:`2022-3115`, :cve:`2022-3202`, :cve:`2022-32250`, :cve:`2022-32296`, :cve:`2022-32981`, :cve:`2022-3303`, :cve:`2022-33740`, :cve:`2022-33741`, :cve:`2022-33742`, :cve:`2022-33743`, :cve:`2022-33744`, :cve:`2022-33981`, :cve:`2022-3424`, :cve:`2022-3435`, :cve:`2022-34918`, :cve:`2022-3521`, :cve:`2022-3545`, :cve:`2022-3564`, :cve:`2022-3586`, :cve:`2022-3594`, :cve:`2022-36123`, :cve:`2022-3621`, :cve:`2022-3623`, :cve:`2022-3629`, :cve:`2022-3633`, :cve:`2022-3635`, :cve:`2022-3646`, :cve:`2022-3649`, :cve:`2022-36879`, :cve:`2022-36946`, :cve:`2022-3707`, :cve:`2022-39188`, :cve:`2022-39190`, :cve:`2022-39842`, :cve:`2022-40307`, :cve:`2022-40768`, :cve:`2022-4095`, :cve:`2022-41218`, :cve:`2022-4139`, :cve:`2022-41849`, :cve:`2022-41850`, :cve:`2022-41858`, :cve:`2022-42328`, :cve:`2022-42329`, :cve:`2022-42703`, :cve:`2022-42721`, :cve:`2022-42722`, :cve:`2022-42895`, :cve:`2022-4382`, :cve:`2022-4662`, :cve:`2022-47518`, :cve:`2022-47519`, :cve:`2022-47520`, :cve:`2022-47929`, :cve:`2023-0179`, :cve:`2023-0394`, :cve:`2023-0461`, :cve:`2023-0590`, :cve:`2023-1073`, :cve:`2023-1074`, :cve:`2023-1077`, :cve:`2023-1078`, :cve:`2023-1079`, :cve:`2023-1095`, :cve:`2023-1118`, :cve:`2023-1249`, :cve:`2023-1252`, :cve:`2023-1281`, :cve:`2023-1382`, :cve:`2023-1513`, :cve:`2023-1829`, :cve:`2023-1838`, :cve:`2023-1998`, :cve:`2023-2006`, :cve:`2023-2008`, :cve:`2023-2162`, :cve:`2023-2166`, :cve:`2023-2177`, :cve:`2023-22999`, :cve:`2023-23002`, :cve:`2023-23004`, :cve:`2023-23454`, :cve:`2023-23455`, :cve:`2023-23559`, :cve:`2023-25012`, :cve:`2023-26545`, :cve:`2023-28327` and :cve:`2023-28328`
-  nasm: Fix :cve:`2022-44370`
-  python3-cryptography: Fix :cve:`2023-23931`
-  qemu: Ignore :cve:`2023-0664`
-  ruby: Fix :cve:`2023-28755` and :cve:`2023-28756`
-  screen: Fix :cve:`2023-24626`
-  shadow: Fix :cve:`2023-29383`
-  tiff: Fix :cve:`2022-4645`
-  webkitgtk: Fix :cve:`2022-32888` and :cve:`2022-32923`
-  xserver-xorg: Fix :cve:`2023-1393`
+-  git: Fix :cve_nist:`2023-25652` and :cve_nist:`2023-29007`
+-  go: Fix :cve_nist:`2022-41722`, :cve_nist:`2022-41724`, :cve_nist:`2022-41725`, :cve_nist:`2023-24534`, :cve_nist:`2023-24537` and :cve_nist:`2023-24538`
+-  go: Ignore :cve_nist:`2022-41716`
+-  libxml2: Fix :cve_nist:`2023-28484` and :cve_nist:`2023-29469`
+-  libxpm: Fix :cve_nist:`2022-44617`, :cve_nist:`2022-46285` and :cve_nist:`2022-4883`
+-  linux-yocto: Ignore :cve_nist:`2021-3759`, :cve_nist:`2021-4135`, :cve_nist:`2021-4155`, :cve_nist:`2022-0168`, :cve_nist:`2022-0171`, :cve_nist:`2022-1016`, :cve_nist:`2022-1184`, :cve_nist:`2022-1198`, :cve_nist:`2022-1199`, :cve_nist:`2022-1462`, :cve_nist:`2022-1734`, :cve_nist:`2022-1852`, :cve_nist:`2022-1882`, :cve_nist:`2022-1998`, :cve_nist:`2022-2078`, :cve_nist:`2022-2196`, :cve_nist:`2022-2318`, :cve_nist:`2022-2380`, :cve_nist:`2022-2503`, :cve_nist:`2022-26365`, :cve_nist:`2022-2663`, :cve_nist:`2022-2873`, :cve_nist:`2022-2905`, :cve_nist:`2022-2959`, :cve_nist:`2022-3028`, :cve_nist:`2022-3078`, :cve_nist:`2022-3104`, :cve_nist:`2022-3105`, :cve_nist:`2022-3106`, :cve_nist:`2022-3107`, :cve_nist:`2022-3111`, :cve_nist:`2022-3112`, :cve_nist:`2022-3113`, :cve_nist:`2022-3115`, :cve_nist:`2022-3202`, :cve_nist:`2022-32250`, :cve_nist:`2022-32296`, :cve_nist:`2022-32981`, :cve_nist:`2022-3303`, :cve_nist:`2022-33740`, :cve_nist:`2022-33741`, :cve_nist:`2022-33742`, :cve_nist:`2022-33743`, :cve_nist:`2022-33744`, :cve_nist:`2022-33981`, :cve_nist:`2022-3424`, :cve_nist:`2022-3435`, :cve_nist:`2022-34918`, :cve_nist:`2022-3521`, :cve_nist:`2022-3545`, :cve_nist:`2022-3564`, :cve_nist:`2022-3586`, :cve_nist:`2022-3594`, :cve_nist:`2022-36123`, :cve_nist:`2022-3621`, :cve_nist:`2022-3623`, :cve_nist:`2022-3629`, :cve_nist:`2022-3633`, :cve_nist:`2022-3635`, :cve_nist:`2022-3646`, :cve_nist:`2022-3649`, :cve_nist:`2022-36879`, :cve_nist:`2022-36946`, :cve_nist:`2022-3707`, :cve_nist:`2022-39188`, :cve_nist:`2022-39190`, :cve_nist:`2022-39842`, :cve_nist:`2022-40307`, :cve_nist:`2022-40768`, :cve_nist:`2022-4095`, :cve_nist:`2022-41218`, :cve_nist:`2022-4139`, :cve_nist:`2022-41849`, :cve_nist:`2022-41850`, :cve_nist:`2022-41858`, :cve_nist:`2022-42328`, :cve_nist:`2022-42329`, :cve_nist:`2022-42703`, :cve_nist:`2022-42721`, :cve_nist:`2022-42722`, :cve_nist:`2022-42895`, :cve_nist:`2022-4382`, :cve_nist:`2022-4662`, :cve_nist:`2022-47518`, :cve_nist:`2022-47519`, :cve_nist:`2022-47520`, :cve_nist:`2022-47929`, :cve_nist:`2023-0179`, :cve_nist:`2023-0394`, :cve_nist:`2023-0461`, :cve_nist:`2023-0590`, :cve_nist:`2023-1073`, :cve_nist:`2023-1074`, :cve_nist:`2023-1077`, :cve_nist:`2023-1078`, :cve_nist:`2023-1079`, :cve_nist:`2023-1095`, :cve_nist:`2023-1118`, :cve_nist:`2023-1249`, :cve_nist:`2023-1252`, :cve_nist:`2023-1281`, :cve_nist:`2023-1382`, :cve_nist:`2023-1513`, :cve_nist:`2023-1829`, :cve_nist:`2023-1838`, :cve_nist:`2023-1998`, :cve_nist:`2023-2006`, :cve_nist:`2023-2008`, :cve_nist:`2023-2162`, :cve_nist:`2023-2166`, :cve_nist:`2023-2177`, :cve_nist:`2023-22999`, :cve_nist:`2023-23002`, :cve_nist:`2023-23004`, :cve_nist:`2023-23454`, :cve_nist:`2023-23455`, :cve_nist:`2023-23559`, :cve_nist:`2023-25012`, :cve_nist:`2023-26545`, :cve_nist:`2023-28327` and :cve_nist:`2023-28328`
+-  nasm: Fix :cve_nist:`2022-44370`
+-  python3-cryptography: Fix :cve_nist:`2023-23931`
+-  qemu: Ignore :cve_nist:`2023-0664`
+-  ruby: Fix :cve_nist:`2023-28755` and :cve_nist:`2023-28756`
+-  screen: Fix :cve_nist:`2023-24626`
+-  shadow: Fix :cve_nist:`2023-29383`
+-  tiff: Fix :cve_nist:`2022-4645`
+-  webkitgtk: Fix :cve_nist:`2022-32888` and :cve_nist:`2022-32923`
+-  xserver-xorg: Fix :cve_nist:`2023-1393`


 Fixes in Yocto-4.0.10
--- a/documentation/migration-guides/release-notes-4.0.11.rst
+++ b/documentation/migration-guides/release-notes-4.0.11.rst
@@ -6,18 +6,18 @@ Release notes for Yocto-4.0.11 (Kirkstone)
 Security Fixes in Yocto-4.0.11
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  cups: Fix :cve:`2023-32324`
-  curl: Fix :cve:`2023-28319`, :cve:`2023-28320`, :cve:`2023-28321` and :cve:`2023-28322`
-  git: Ignore :cve:`2023-25815`
-  go: Fix :cve:`2023-24539` and :cve:`2023-24540`
-  nasm: Fix :cve:`2022-46457`
-  openssh: Fix :cve:`2023-28531`
-  openssl: Fix :cve:`2023-1255` and :cve:`2023-2650`
-  perl: Fix :cve:`2023-31484`
-  python3-requests: Fix for :cve:`2023-32681`
-  sysstat: Fix :cve:`2023-33204`
-  vim: Fix :cve:`2023-2426`
-  webkitgtk: fix :cve:`2022-42867`, :cve:`2022-46691`, :cve:`2022-46699` and :cve:`2022-46700`
+-  cups: Fix :cve_nist:`2023-32324`
+-  curl: Fix :cve_nist:`2023-28319`, :cve_nist:`2023-28320`, :cve_nist:`2023-28321` and :cve_nist:`2023-28322`
+-  git: Ignore :cve_nist:`2023-25815`
+-  go: Fix :cve_nist:`2023-24539` and :cve_nist:`2023-24540`
+-  nasm: Fix :cve_nist:`2022-46457`
+-  openssh: Fix :cve_nist:`2023-28531`
+-  openssl: Fix :cve_nist:`2023-1255` and :cve_nist:`2023-2650`
+-  perl: Fix :cve_nist:`2023-31484`
+-  python3-requests: Fix for :cve_nist:`2023-32681`
+-  sysstat: Fix :cve_nist:`2023-33204`
+-  vim: Fix :cve_nist:`2023-2426`
+-  webkitgtk: fix :cve_nist:`2022-42867`, :cve_nist:`2022-46691`, :cve_nist:`2022-46699` and :cve_nist:`2022-46700`


 Fixes in Yocto-4.0.11
--- a/documentation/migration-guides/release-notes-4.0.12.rst
+++ b/documentation/migration-guides/release-notes-4.0.12.rst
@@ -6,30 +6,30 @@ Release notes for Yocto-4.0.12 (Kirkstone)
 Security Fixes in Yocto-4.0.12
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  bind: Fix :cve:`2023-2828` and :cve:`2023-2911`
-  cups: Fix :cve:`2023-34241`
-  curl: Added :cve:`2023-28320` Follow-up patch
-  dbus: Fix :cve:`2023-34969`
-  dmidecode: fix :cve:`2023-30630`
-  ghostscript: fix :cve:`2023-36664`
-  go: fix :cve_mitre:`2023-24531`, :cve:`2023-24536`, :cve:`2023-29400`, :cve:`2023-29402`, :cve:`2023-29404`, :cve:`2023-29405` and :cve:`2023-29406`
-  libarchive: Ignore :cve:`2023-30571`
-  libcap: Fix :cve:`2023-2602` and :cve:`2023-2603`
-  libjpeg-turbo: Fix :cve:`2023-2804`
-  libpcre2: Fix :cve:`2022-41409`
-  libtiff: fix :cve:`2023-26965`
-  libwebp: Fix :cve:`2023-1999`
-  libx11: Fix :cve:`2023-3138`
-  libxpm: Fix :cve:`2022-44617`
-  ninja: Ignore :cve:`2021-4336`
-  openssh: Fix :cve:`2023-38408`
-  openssl: Fix :cve:`2023-2975`, :cve:`2023-3446` and :cve:`2023-3817`
-  perl: Fix :cve:`2023-31486`
-  python3: Ignore :cve:`2023-36632`
-  qemu: Fix :cve:`2023-0330`, :cve_mitre:`2023-2861`, :cve_mitre:`2023-3255` and :cve_mitre:`2023-3301`
-  sqlite3: Fix :cve:`2023-36191`
-  tiff: Fix :cve:`2023-0795`, :cve:`2023-0796`, :cve:`2023-0797`, :cve:`2023-0798`, :cve:`2023-0799`, :cve:`2023-25433`, :cve:`2023-25434` and :cve:`2023-25435`
-  vim: :cve:`2023-2609` and :cve:`2023-2610`
+-  bind: Fix :cve_nist:`2023-2828` and :cve_nist:`2023-2911`
+-  cups: Fix :cve_nist:`2023-34241`
+-  curl: Added :cve_nist:`2023-28320` Follow-up patch
+-  dbus: Fix :cve_nist:`2023-34969`
+-  dmidecode: fix :cve_nist:`2023-30630`
+-  ghostscript: fix :cve_nist:`2023-36664`
+-  go: fix :cve_mitre:`2023-24531`, :cve_nist:`2023-24536`, :cve_nist:`2023-29400`, :cve_nist:`2023-29402`, :cve_nist:`2023-29404`, :cve_nist:`2023-29405` and :cve_nist:`2023-29406`
+-  libarchive: Ignore :cve_nist:`2023-30571`
+-  libcap: Fix :cve_nist:`2023-2602` and :cve_nist:`2023-2603`
+-  libjpeg-turbo: Fix :cve_nist:`2023-2804`
+-  libpcre2: Fix :cve_nist:`2022-41409`
+-  libtiff: fix :cve_nist:`2023-26965`
+-  libwebp: Fix :cve_nist:`2023-1999`
+-  libx11: Fix :cve_nist:`2023-3138`
+-  libxpm: Fix :cve_nist:`2022-44617`
+-  ninja: Ignore :cve_nist:`2021-4336`
+-  openssh: Fix :cve_nist:`2023-38408`
+-  openssl: Fix :cve_nist:`2023-2975`, :cve_nist:`2023-3446` and :cve_nist:`2023-3817`
+-  perl: Fix :cve_nist:`2023-31486`
+-  python3: Ignore :cve_nist:`2023-36632`
+-  qemu: Fix :cve_nist:`2023-0330`, :cve_mitre:`2023-2861`, :cve_mitre:`2023-3255` and :cve_mitre:`2023-3301`
+-  sqlite3: Fix :cve_nist:`2023-36191`
+-  tiff: Fix :cve_nist:`2023-0795`, :cve_nist:`2023-0796`, :cve_nist:`2023-0797`, :cve_nist:`2023-0798`, :cve_nist:`2023-0799`, :cve_nist:`2023-25433`, :cve_nist:`2023-25434` and :cve_nist:`2023-25435`
+-  vim: :cve_nist:`2023-2609` and :cve_nist:`2023-2610`


 Fixes in Yocto-4.0.12
--- a/documentation/migration-guides/release-notes-4.0.13.rst
+++ b/documentation/migration-guides/release-notes-4.0.13.rst
--- a/documentation/migration-guides/release-notes-4.0.14.rst
+++ b/documentation/migration-guides/release-notes-4.0.14.rst
--- a/documentation/migration-guides/release-notes-4.0.15.rst
+++ b/documentation/migration-guides/release-notes-4.0.15.rst
@@ -6,24 +6,24 @@ Release notes for Yocto-4.0.15 (Kirkstone)
 Security Fixes in Yocto-4.0.15
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  avahi: Fix :cve:`2023-1981`, :cve:`2023-38469`, :cve:`2023-38470`, :cve:`2023-38471`, :cve:`2023-38472` and :cve:`2023-38473`
-  binutils: Fix :cve:`2022-47007`, :cve:`2022-47010` and :cve:`2022-48064`
-  bluez5: Fix :cve:`2023-45866`
-  ghostscript: Ignore GhostPCL :cve:`2023-38560`
-  gnutls: Fix :cve:`2023-5981`
-  go: Ignore :cve:`2023-45283` and :cve:`2023-45284`
-  grub: Fix :cve:`2023-4692` and :cve:`2023-4693`
+-  avahi: Fix :cve_nist:`2023-1981`, :cve_nist:`2023-38469`, :cve_nist:`2023-38470`, :cve_nist:`2023-38471`, :cve_nist:`2023-38472` and :cve_nist:`2023-38473`
+-  binutils: Fix :cve_nist:`2022-47007`, :cve_nist:`2022-47010` and :cve_nist:`2022-48064`
+-  bluez5: Fix :cve_nist:`2023-45866`
+-  ghostscript: Ignore GhostPCL :cve_nist:`2023-38560`
+-  gnutls: Fix :cve_nist:`2023-5981`
+-  go: Ignore :cve_nist:`2023-45283` and :cve_nist:`2023-45284`
+-  grub: Fix :cve_nist:`2023-4692` and :cve_nist:`2023-4693`
 -  gstreamer1.0-plugins-bad: Fix :cve_mitre:`2023-44429`
-  libsndfile: Fix :cve:`2022-33065`
-  libwebp: Fix :cve:`2023-4863`
-  openssl: Fix :cve:`2023-5678`
-  python3-cryptography: Fix :cve:`2023-49083`
-  qemu: Fix :cve:`2023-1544`
-  sudo: :cve:`2023-42456` and :cve_mitre:`2023-42465`
-  tiff: Fix :cve:`2023-41175`
-  vim: Fix :cve:`2023-46246`, :cve:`2023-48231`, :cve:`2023-48232`, :cve:`2023-48233`, :cve:`2023-48234`, :cve:`2023-48235`, :cve:`2023-48236`, :cve:`2023-48237` and :cve:`2023-48706`
-  xserver-xorg: Fix :cve:`2023-5367` and :cve:`2023-5380`
-  xwayland: Fix :cve:`2023-5367`
+-  libsndfile: Fix :cve_nist:`2022-33065`
+-  libwebp: Fix :cve_nist:`2023-4863`
+-  openssl: Fix :cve_nist:`2023-5678`
+-  python3-cryptography: Fix :cve_nist:`2023-49083`
+-  qemu: Fix :cve_nist:`2023-1544`
+-  sudo: :cve_nist:`2023-42456` and :cve_mitre:`2023-42465`
+-  tiff: Fix :cve_nist:`2023-41175`
+-  vim: Fix :cve_nist:`2023-46246`, :cve_nist:`2023-48231`, :cve_nist:`2023-48232`, :cve_nist:`2023-48233`, :cve_nist:`2023-48234`, :cve_nist:`2023-48235`, :cve_nist:`2023-48236`, :cve_nist:`2023-48237` and :cve_nist:`2023-48706`
+-  xserver-xorg: Fix :cve_nist:`2023-5367` and :cve_nist:`2023-5380`
+-  xwayland: Fix :cve_nist:`2023-5367`


 Fixes in Yocto-4.0.15
--- a/documentation/migration-guides/release-notes-4.0.16.rst
+++ b/documentation/migration-guides/release-notes-4.0.16.rst
@@ -8,22 +8,22 @@ Security Fixes in Yocto-4.0.16

 -  cpio: Fix :cve_mitre:`2023-7207`
 -  curl: Revert "curl: Backport fix CVE-2023-32001"
-  curl: Fix :cve:`2023-46218`
-  dropbear:Fix :cve:`2023-48795`
-  ffmpeg: Fix :cve:`2022-3964` and :cve:`2022-3965`
-  ghostscript: Fix :cve:`2023-46751`
-  gnutls: Fix :cve:`2024-0553` and :cve:`2024-0567`
-  go: Fix :cve:`2023-39326`
-  openssh: Fix :cve:`2023-48795`, :cve:`2023-51384` and :cve:`2023-51385`
-  openssl: Fix :cve:`2023-6129` and :cve_mitre:`2023-6237`
+-  curl: Fix :cve_nist:`2023-46218`
+-  dropbear:Fix :cve_nist:`2023-48795`
+-  ffmpeg: Fix :cve_nist:`2022-3964` and :cve_nist:`2022-3965`
+-  ghostscript: Fix :cve_nist:`2023-46751`
+-  gnutls: Fix :cve_nist:`2024-0553` and :cve_nist:`2024-0567`
+-  go: Fix :cve_nist:`2023-39326`
+-  openssh: Fix :cve_nist:`2023-48795`, :cve_nist:`2023-51384` and :cve_nist:`2023-51385`
+-  openssl: Fix :cve_nist:`2023-6129` and :cve_mitre:`2023-6237`
 -  pam: Fix :cve_mitre:`2024-22365`
-  perl: Fix :cve:`2023-47038`
-  qemu: Fix :cve:`2023-5088`
-  sqlite3: Fix :cve:`2023-7104`
-  systemd: Fix :cve:`2023-7008`
-  tiff: Fix :cve:`2023-6228`
-  xserver-xorg: Fix :cve:`2023-6377`, :cve:`2023-6478`, :cve:`2023-6816`, :cve_mitre:`2024-0229`, :cve:`2024-0408`, :cve:`2024-0409`, :cve_mitre:`2024-21885` and :cve_mitre:`2024-21886`
-  zlib: Ignore :cve:`2023-6992`
+-  perl: Fix :cve_nist:`2023-47038`
+-  qemu: Fix :cve_nist:`2023-5088`
+-  sqlite3: Fix :cve_nist:`2023-7104`
+-  systemd: Fix :cve_nist:`2023-7008`
+-  tiff: Fix :cve_nist:`2023-6228`
+-  xserver-xorg: Fix :cve_nist:`2023-6377`, :cve_nist:`2023-6478`, :cve_nist:`2023-6816`, :cve_mitre:`2024-0229`, :cve_nist:`2024-0408`, :cve_nist:`2024-0409`, :cve_mitre:`2024-21885` and :cve_mitre:`2024-21886`
+-  zlib: Ignore :cve_nist:`2023-6992`


 Fixes in Yocto-4.0.16
--- a/documentation/migration-guides/release-notes-4.0.17.rst
+++ b/documentation/migration-guides/release-notes-4.0.17.rst
@@ -6,27 +6,27 @@ Release notes for Yocto-4.0.17 (Kirkstone)
 Security Fixes in Yocto-4.0.17
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  bind: Fix :cve:`2023-4408`, :cve:`2023-5517`, :cve:`2023-5679`, :cve:`2023-50868` and :cve:`2023-50387`
-  binutils: Fix :cve:`2023-39129` and :cve:`2023-39130`
-  curl: Fix :cve:`2023-46219`
-  curl: Ignore :cve:`2023-42915`
-  gcc: Ignore :cve:`2023-4039`
-  gdb: Fix :cve:`2023-39129` and :cve:`2023-39130`
-  glibc: Ignore :cve:`2023-0687`
-  go: Fix :cve:`2023-29406`, :cve:`2023-45285`, :cve:`2023-45287`, :cve:`2023-45289`, :cve:`2023-45290`, :cve:`2024-24784` and :cve:`2024-24785`
-  less: Fix :cve:`2022-48624`
-  libgit2: Fix :cve:`2024-24575` and :cve:`2024-24577`
-  libuv: fix :cve:`2024-24806`
-  libxml2: Fix for :cve:`2024-25062`
-  linux-yocto/5.15: Fix :cve:`2022-36402`, :cve:`2022-40982`, :cve:`2022-47940`, :cve:`2023-1193`, :cve:`2023-1194`, :cve:`2023-3772`, :cve_mitre:`2023-3867`, :cve:`2023-4128`, :cve:`2023-4206`, :cve:`2023-4207`, :cve:`2023-4208`, :cve:`2023-4244`, :cve:`2023-4273`, :cve:`2023-4563`, :cve:`2023-4569`, :cve:`2023-4623`, :cve:`2023-4881`, :cve:`2023-4921`, :cve:`2023-5158`, :cve:`2023-5717`, :cve:`2023-6040`, :cve:`2023-6121`, :cve:`2023-6176`, :cve:`2023-6546`, :cve:`2023-6606`, :cve:`2023-6622`, :cve:`2023-6817`, :cve:`2023-6915`, :cve:`2023-6931`, :cve:`2023-6932`, :cve:`2023-20569`, :cve:`2023-20588`, :cve:`2023-25775`, :cve:`2023-31085`, :cve:`2023-32247`, :cve:`2023-32250`, :cve:`2023-32252`, :cve:`2023-32254`, :cve:`2023-32257`, :cve:`2023-32258`, :cve:`2023-34324`, :cve:`2023-35827`, :cve:`2023-38427`, :cve:`2023-38430`, :cve:`2023-38431`, :cve:`2023-39189`, :cve:`2023-39192`, :cve:`2023-39193`, :cve:`2023-39194`, :cve:`2023-39198`, :cve:`2023-40283`, :cve:`2023-42752`, :cve:`2023-42753`, :cve:`2023-42754`, :cve:`2023-42755`, :cve:`2023-45871`, :cve:`2023-46343`, :cve:`2023-46813`, :cve:`2023-46838`, :cve:`2023-46862`, :cve:`2023-51042`, :cve:`2023-51779`, :cve_mitre:`2023-52340`, :cve:`2023-52429`, :cve:`2023-52435`, :cve:`2023-52436`, :cve:`2023-52438`, :cve:`2023-52439`, :cve:`2023-52441`, :cve:`2023-52442`, :cve:`2023-52443`, :cve:`2023-52444`, :cve:`2023-52445`, :cve:`2023-52448`, :cve:`2023-52449`, :cve:`2023-52451`, :cve:`2023-52454`, :cve:`2023-52456`, :cve:`2023-52457`, :cve:`2023-52458`, :cve:`2023-52463`, :cve:`2023-52464`, :cve:`2024-0340`, :cve:`2024-0584`, :cve:`2024-0607`, :cve:`2024-0641`, :cve:`2024-0646`, :cve:`2024-1085`, :cve:`2024-1086`, :cve:`2024-1151`, :cve:`2024-22705`, :cve:`2024-23849`, :cve:`2024-23850`, :cve:`2024-23851`, :cve:`2024-24860`, :cve:`2024-26586`, :cve:`2024-26589`, :cve:`2024-26591`, :cve:`2024-26592`, :cve:`2024-26593`, :cve:`2024-26594`, :cve:`2024-26597` and :cve:`2024-26598`
-  linux-yocto/5.15: Ignore :cve:`2020-27418`, :cve:`2020-36766`, :cve:`2021-33630`, :cve:`2021-33631`, :cve:`2022-48619`, :cve:`2023-2430`, :cve:`2023-4610`, :cve:`2023-4732`, :cve:`2023-5090`, :cve:`2023-5178`, :cve:`2023-5197`, :cve:`2023-5345`, :cve:`2023-5633`, :cve:`2023-5972`, :cve:`2023-6111`, :cve:`2023-6200`, :cve:`2023-6531`, :cve:`2023-6679`, :cve:`2023-7192`, :cve:`2023-40791`, :cve:`2023-42756`, :cve:`2023-44466`, :cve:`2023-45862`, :cve:`2023-45863`, :cve:`2023-45898`, :cve:`2023-51043`, :cve:`2023-51780`, :cve:`2023-51781`, :cve:`2023-51782`, :cve:`2023-52433`, :cve:`2023-52440`, :cve:`2023-52446`, :cve:`2023-52450`, :cve:`2023-52453`, :cve:`2023-52455`, :cve:`2023-52459`, :cve:`2023-52460`, :cve:`2023-52461`, :cve:`2023-52462`, :cve:`2024-0193`, :cve:`2024-0443`, :cve:`2024-0562`, :cve:`2024-0582`, :cve:`2024-0639`, :cve:`2024-0775`, :cve:`2024-26581`, :cve:`2024-26582`, :cve:`2024-26590`, :cve:`2024-26596` and :cve:`2024-26599`
-  linux-yocto/5.10: Fix :cve:`2023-6040`, :cve:`2023-6121`, :cve:`2023-6606`, :cve:`2023-6817`, :cve:`2023-6915`, :cve:`2023-6931`, :cve:`2023-6932`, :cve:`2023-39198`, :cve:`2023-46838`, :cve:`2023-51779`, :cve:`2023-51780`, :cve:`2023-51781`, :cve:`2023-51782`, :cve_mitre:`2023-52340`, :cve:`2024-0584` and :cve:`2024-0646`
-  linux-yocto/5.10: Ignore :cve:`2021-33630`, :cve:`2021-33631`, :cve:`2022-1508`, :cve:`2022-36402`, :cve:`2022-48619`, :cve:`2023-2430`, :cve:`2023-4610`, :cve:`2023-5972`, :cve:`2023-6039`, :cve:`2023-6200`, :cve:`2023-6531`, :cve:`2023-6546`, :cve:`2023-6622`, :cve:`2023-6679`, :cve:`2023-7192`, :cve:`2023-46343`, :cve:`2023-51042`, :cve:`2023-51043`, :cve:`2024-0193`, :cve:`2024-0443`, :cve:`2024-0562`, :cve:`2024-0582`, :cve:`2024-0639`, :cve:`2024-0641`, :cve:`2024-0775`, :cve:`2024-1085` and :cve:`2024-22705`
-  openssl: Fix :cve:`2024-0727`
-  python3-pycryptodome: Fix :cve:`2023-52323`
-  qemu: Fix :cve:`2023-6693`, :cve:`2023-42467` and :cve:`2024-24474`
-  vim: Fix :cve:`2024-22667`
-  xwayland: Fix :cve:`2023-6377` and :cve:`2023-6478`
+-  bind: Fix :cve_nist:`2023-4408`, :cve_nist:`2023-5517`, :cve_nist:`2023-5679`, :cve_nist:`2023-50868` and :cve_nist:`2023-50387`
+-  binutils: Fix :cve_nist:`2023-39129` and :cve_nist:`2023-39130`
+-  curl: Fix :cve_nist:`2023-46219`
+-  curl: Ignore :cve_nist:`2023-42915`
+-  gcc: Ignore :cve_nist:`2023-4039`
+-  gdb: Fix :cve_nist:`2023-39129` and :cve_nist:`2023-39130`
+-  glibc: Ignore :cve_nist:`2023-0687`
+-  go: Fix :cve_nist:`2023-29406`, :cve_nist:`2023-45285`, :cve_nist:`2023-45287`, :cve_nist:`2023-45289`, :cve_nist:`2023-45290`, :cve_nist:`2024-24784` and :cve_nist:`2024-24785`
+-  less: Fix :cve_nist:`2022-48624`
+-  libgit2: Fix :cve_nist:`2024-24575` and :cve_nist:`2024-24577`
+-  libuv: fix :cve_nist:`2024-24806`
+-  libxml2: Fix for :cve_nist:`2024-25062`
+-  linux-yocto/5.15: Fix :cve_nist:`2022-36402`, :cve_nist:`2022-40982`, :cve_nist:`2022-47940`, :cve_nist:`2023-1193`, :cve_nist:`2023-1194`, :cve_nist:`2023-3772`, :cve_mitre:`2023-3867`, :cve_nist:`2023-4128`, :cve_nist:`2023-4206`, :cve_nist:`2023-4207`, :cve_nist:`2023-4208`, :cve_nist:`2023-4244`, :cve_nist:`2023-4273`, :cve_nist:`2023-4563`, :cve_nist:`2023-4569`, :cve_nist:`2023-4623`, :cve_nist:`2023-4881`, :cve_nist:`2023-4921`, :cve_nist:`2023-5158`, :cve_nist:`2023-5717`, :cve_nist:`2023-6040`, :cve_nist:`2023-6121`, :cve_nist:`2023-6176`, :cve_nist:`2023-6546`, :cve_nist:`2023-6606`, :cve_nist:`2023-6622`, :cve_nist:`2023-6817`, :cve_nist:`2023-6915`, :cve_nist:`2023-6931`, :cve_nist:`2023-6932`, :cve_nist:`2023-20569`, :cve_nist:`2023-20588`, :cve_nist:`2023-25775`, :cve_nist:`2023-31085`, :cve_nist:`2023-32247`, :cve_nist:`2023-32250`, :cve_nist:`2023-32252`, :cve_nist:`2023-32254`, :cve_nist:`2023-32257`, :cve_nist:`2023-32258`, :cve_nist:`2023-34324`, :cve_nist:`2023-35827`, :cve_nist:`2023-38427`, :cve_nist:`2023-38430`, :cve_nist:`2023-38431`, :cve_nist:`2023-39189`, :cve_nist:`2023-39192`, :cve_nist:`2023-39193`, :cve_nist:`2023-39194`, :cve_nist:`2023-39198`, :cve_nist:`2023-40283`, :cve_nist:`2023-42752`, :cve_nist:`2023-42753`, :cve_nist:`2023-42754`, :cve_nist:`2023-42755`, :cve_nist:`2023-45871`, :cve_nist:`2023-46343`, :cve_nist:`2023-46813`, :cve_nist:`2023-46838`, :cve_nist:`2023-46862`, :cve_nist:`2023-51042`, :cve_nist:`2023-51779`, :cve_mitre:`2023-52340`, :cve_nist:`2023-52429`, :cve_nist:`2023-52435`, :cve_nist:`2023-52436`, :cve_nist:`2023-52438`, :cve_nist:`2023-52439`, :cve_nist:`2023-52441`, :cve_nist:`2023-52442`, :cve_nist:`2023-52443`, :cve_nist:`2023-52444`, :cve_nist:`2023-52445`, :cve_nist:`2023-52448`, :cve_nist:`2023-52449`, :cve_nist:`2023-52451`, :cve_nist:`2023-52454`, :cve_nist:`2023-52456`, :cve_nist:`2023-52457`, :cve_nist:`2023-52458`, :cve_nist:`2023-52463`, :cve_nist:`2023-52464`, :cve_nist:`2024-0340`, :cve_nist:`2024-0584`, :cve_nist:`2024-0607`, :cve_nist:`2024-0641`, :cve_nist:`2024-0646`, :cve_nist:`2024-1085`, :cve_nist:`2024-1086`, :cve_nist:`2024-1151`, :cve_nist:`2024-22705`, :cve_nist:`2024-23849`, :cve_nist:`2024-23850`, :cve_nist:`2024-23851`, :cve_nist:`2024-24860`, :cve_nist:`2024-26586`, :cve_nist:`2024-26589`, :cve_nist:`2024-26591`, :cve_nist:`2024-26592`, :cve_nist:`2024-26593`, :cve_nist:`2024-26594`, :cve_nist:`2024-26597` and :cve_nist:`2024-26598`
+-  linux-yocto/5.15: Ignore :cve_nist:`2020-27418`, :cve_nist:`2020-36766`, :cve_nist:`2021-33630`, :cve_nist:`2021-33631`, :cve_nist:`2022-48619`, :cve_nist:`2023-2430`, :cve_nist:`2023-4610`, :cve_nist:`2023-4732`, :cve_nist:`2023-5090`, :cve_nist:`2023-5178`, :cve_nist:`2023-5197`, :cve_nist:`2023-5345`, :cve_nist:`2023-5633`, :cve_nist:`2023-5972`, :cve_nist:`2023-6111`, :cve_nist:`2023-6200`, :cve_nist:`2023-6531`, :cve_nist:`2023-6679`, :cve_nist:`2023-7192`, :cve_nist:`2023-40791`, :cve_nist:`2023-42756`, :cve_nist:`2023-44466`, :cve_nist:`2023-45862`, :cve_nist:`2023-45863`, :cve_nist:`2023-45898`, :cve_nist:`2023-51043`, :cve_nist:`2023-51780`, :cve_nist:`2023-51781`, :cve_nist:`2023-51782`, :cve_nist:`2023-52433`, :cve_nist:`2023-52440`, :cve_nist:`2023-52446`, :cve_nist:`2023-52450`, :cve_nist:`2023-52453`, :cve_nist:`2023-52455`, :cve_nist:`2023-52459`, :cve_nist:`2023-52460`, :cve_nist:`2023-52461`, :cve_nist:`2023-52462`, :cve_nist:`2024-0193`, :cve_nist:`2024-0443`, :cve_nist:`2024-0562`, :cve_nist:`2024-0582`, :cve_nist:`2024-0639`, :cve_nist:`2024-0775`, :cve_nist:`2024-26581`, :cve_nist:`2024-26582`, :cve_nist:`2024-26590`, :cve_nist:`2024-26596` and :cve_nist:`2024-26599`
+-  linux-yocto/5.10: Fix :cve_nist:`2023-6040`, :cve_nist:`2023-6121`, :cve_nist:`2023-6606`, :cve_nist:`2023-6817`, :cve_nist:`2023-6915`, :cve_nist:`2023-6931`, :cve_nist:`2023-6932`, :cve_nist:`2023-39198`, :cve_nist:`2023-46838`, :cve_nist:`2023-51779`, :cve_nist:`2023-51780`, :cve_nist:`2023-51781`, :cve_nist:`2023-51782`, :cve_mitre:`2023-52340`, :cve_nist:`2024-0584` and :cve_nist:`2024-0646`
+-  linux-yocto/5.10: Ignore :cve_nist:`2021-33630`, :cve_nist:`2021-33631`, :cve_nist:`2022-1508`, :cve_nist:`2022-36402`, :cve_nist:`2022-48619`, :cve_nist:`2023-2430`, :cve_nist:`2023-4610`, :cve_nist:`2023-5972`, :cve_nist:`2023-6039`, :cve_nist:`2023-6200`, :cve_nist:`2023-6531`, :cve_nist:`2023-6546`, :cve_nist:`2023-6622`, :cve_nist:`2023-6679`, :cve_nist:`2023-7192`, :cve_nist:`2023-46343`, :cve_nist:`2023-51042`, :cve_nist:`2023-51043`, :cve_nist:`2024-0193`, :cve_nist:`2024-0443`, :cve_nist:`2024-0562`, :cve_nist:`2024-0582`, :cve_nist:`2024-0639`, :cve_nist:`2024-0641`, :cve_nist:`2024-0775`, :cve_nist:`2024-1085` and :cve_nist:`2024-22705`
+-  openssl: Fix :cve_nist:`2024-0727`
+-  python3-pycryptodome: Fix :cve_nist:`2023-52323`
+-  qemu: Fix :cve_nist:`2023-6693`, :cve_nist:`2023-42467` and :cve_nist:`2024-24474`
+-  vim: Fix :cve_nist:`2024-22667`
+-  xwayland: Fix :cve_nist:`2023-6377` and :cve_nist:`2023-6478`


 Fixes in Yocto-4.0.17
--- a/documentation/migration-guides/release-notes-4.0.18.rst
+++ b/documentation/migration-guides/release-notes-4.0.18.rst
@@ -6,22 +6,22 @@ Release notes for Yocto-4.0.18 (Kirkstone)
 Security Fixes in Yocto-4.0.18
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  curl: Fix :cve:`2024-2398`
-  expat: fix :cve:`2023-52426` and :cve:`2024-28757`
-  libssh2: fix :cve:`2023-48795`
-  ncurses: Fix :cve:`2023-50495`
-  nghttp2: Fix :cve:`2024-28182` and :cve:`2023-44487`
-  openssh: Ignore :cve:`2023-51767`
-  openssl: Fix :cve:`2024-2511`
-  perl: Ignore :cve:`2023-47100`
-  python3-cryptography: Fix :cve:`2024-26130`
-  python3-urllib3: Fix :cve:`2023-45803`
-  qemu: Fix :cve:`2023-6683`
+-  curl: Fix :cve_nist:`2024-2398`
+-  expat: fix :cve_nist:`2023-52426` and :cve_nist:`2024-28757`
+-  libssh2: fix :cve_nist:`2023-48795`
+-  ncurses: Fix :cve_nist:`2023-50495`
+-  nghttp2: Fix :cve_nist:`2024-28182` and :cve_nist:`2023-44487`
+-  openssh: Ignore :cve_nist:`2023-51767`
+-  openssl: Fix :cve_nist:`2024-2511`
+-  perl: Ignore :cve_nist:`2023-47100`
+-  python3-cryptography: Fix :cve_nist:`2024-26130`
+-  python3-urllib3: Fix :cve_nist:`2023-45803`
+-  qemu: Fix :cve_nist:`2023-6683`
 -  ruby: fix :cve_mitre:`2024-27281`
-  rust: Ignore :cve:`2024-24576`
-  tiff: Fix :cve:`2023-52356` and :cve:`2023-6277`
-  xserver-xorg: Fix :cve:`2024-31080` and :cve:`2024-31081`
-  xwayland: Fix :cve:`2023-6816`, :cve:`2024-0408` and :cve:`2024-0409`
+-  rust: Ignore :cve_nist:`2024-24576`
+-  tiff: Fix :cve_nist:`2023-52356` and :cve_nist:`2023-6277`
+-  xserver-xorg: Fix :cve_nist:`2024-31080` and :cve_nist:`2024-31081`
+-  xwayland: Fix :cve_nist:`2023-6816`, :cve_nist:`2024-0408` and :cve_nist:`2024-0409`


 Fixes in Yocto-4.0.18
@@ -31,7 +31,7 @@ Fixes in Yocto-4.0.18
 -  common-licenses: Backport missing license
 -  contributor-guide: add notes for tests
 -  contributor-guide: be more specific about meta-* trees
-  cups: fix typo in :cve:`2023-32360` backport patch
+-  cups: fix typo in :cve_nist:`2023-32360` backport patch
 -  cve-update-nvd2-native: Add an age threshold for incremental update
 -  cve-update-nvd2-native: Fix CVE configuration update
 -  cve-update-nvd2-native: Fix typo in comment
--- a/documentation/migration-guides/release-notes-4.0.19.rst
+++ b/documentation/migration-guides/release-notes-4.0.19.rst
--- a/documentation/migration-guides/release-notes-4.0.2.rst
+++ b/documentation/migration-guides/release-notes-4.0.2.rst
@@ -4,13 +4,13 @@ Release notes for Yocto-4.0.2 (Kirkstone)
 Security Fixes in Yocto-4.0.2
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  libxslt: Mark :cve:`2022-29824` as not applying
-  tiff: Add jbig PACKAGECONFIG and clarify IGNORE :cve:`2022-1210`
-  tiff: mark :cve:`2022-1622` and :cve:`2022-1623` as invalid
-  pcre2:fix :cve:`2022-1586` Out-of-bounds read
-  curl: fix :cve:`2022-22576`, :cve:`2022-27775`, :cve:`2022-27776`, :cve:`2022-27774`, :cve:`2022-30115`, :cve:`2022-27780`, :cve:`2022-27781`, :cve:`2022-27779` and :cve:`2022-27782`
-  qemu: fix :cve:`2021-4206` and :cve:`2021-4207`
-  freetype: fix :cve:`2022-27404`, :cve:`2022-27405` and :cve:`2022-27406`
+-  libxslt: Mark :cve_nist:`2022-29824` as not applying
+-  tiff: Add jbig :term:`PACKAGECONFIG` and clarify IGNORE :cve_nist:`2022-1210`
+-  tiff: mark :cve_nist:`2022-1622` and :cve_nist:`2022-1623` as invalid
+-  pcre2:fix :cve_nist:`2022-1586` Out-of-bounds read
+-  curl: fix :cve_nist:`2022-22576`, :cve_nist:`2022-27775`, :cve_nist:`2022-27776`, :cve_nist:`2022-27774`, :cve_nist:`2022-30115`, :cve_nist:`2022-27780`, :cve_nist:`2022-27781`, :cve_nist:`2022-27779` and :cve_nist:`2022-27782`
+-  qemu: fix :cve_nist:`2021-4206` and :cve_nist:`2021-4207`
+-  freetype: fix :cve_nist:`2022-27404`, :cve_nist:`2022-27405` and :cve_nist:`2022-27406`

 Fixes in Yocto-4.0.2
 ~~~~~~~~~~~~~~~~~~~~
--- a/documentation/migration-guides/release-notes-4.0.20.rst
+++ b/documentation/migration-guides/release-notes-4.0.20.rst
@@ -6,14 +6,14 @@ Release notes for Yocto-4.0.20 (Kirkstone)
 Security Fixes in Yocto-4.0.20
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  acpica: Fix :cve:`2024-24856`
-  glib-2.0: Fix :cve:`2024-34397`
-  gstreamer1.0-plugins-base: Fix :cve:`2024-4453`
-  libxml2: Fix :cve:`2024-34459`
-  openssh: fix :cve:`2024-6387`
-  openssl: Fix :cve_mitre:`2024-4741` and :cve:`2024-5535`
-  ruby: fix :cve:`2024-27280`
-  wget: Fix for :cve:`2024-38428`
+-  acpica: Fix :cve_nist:`2024-24856`
+-  glib-2.0: Fix :cve_nist:`2024-34397`
+-  gstreamer1.0-plugins-base: Fix :cve_nist:`2024-4453`
+-  libxml2: Fix :cve_nist:`2024-34459`
+-  openssh: fix :cve_nist:`2024-6387`
+-  openssl: Fix :cve_mitre:`2024-4741` and :cve_nist:`2024-5535`
+-  ruby: fix :cve_nist:`2024-27280`
+-  wget: Fix for :cve_nist:`2024-38428`


 Fixes in Yocto-4.0.20
--- a/documentation/migration-guides/release-notes-4.0.21.rst
+++ b/documentation/migration-guides/release-notes-4.0.21.rst
@@ -6,28 +6,28 @@ Release notes for Yocto-4.0.21 (Kirkstone)
 Security Fixes in Yocto-4.0.21
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  bind: Fix :cve:`2024-4076`, :cve:`2024-1737`, :cve:`2024-0760` and :cve:`2024-1975`
-  apr: Fix :cve:`2023-49582`
-  busybox: Fix :cve:`2023-42363`, :cve:`2023-42364`, :cve:`2023-42365`, :cve:`2023-42366` and :cve:`2021-42380`
-  curl: Ignore :cve:`2024-32928`
-  curl: Fix :cve:`2024-7264`
-  ghostscript: Fix :cve:`2024-29506`, :cve:`2024-29509` and :cve:`2024-29511`
-  go: Fix :cve:`2024-24789` and :cve:`2024-24791`
-  gtk+3: Fix :cve:`2024-6655`
-  libarchive: Ignore :cve:`2024-37407`
-  libyaml: Ignore :cve:`2024-35325`, :cve:`2024-35326` and :cve:`2024-35328`
-  linux-yocto/5.15: Fix :cve:`2022-48772`, :cve:`2024-35972`, :cve:`2024-35984`, :cve:`2024-35990`, :cve:`2024-35997`, :cve:`2024-36008`, :cve:`2024-36270`, :cve:`2024-36489`, :cve:`2024-36897`, :cve:`2024-36938`, :cve:`2024-36965`, :cve:`2024-36967`, :cve:`2024-36969`, :cve:`2024-36971`, :cve:`2024-36978`, :cve:`2024-38546`, :cve:`2024-38547`, :cve:`2024-38549`, :cve:`2024-38552`, :cve:`2024-38555`, :cve:`2024-38571`, :cve:`2024-38583`, :cve:`2024-38591`, :cve:`2024-38597`, :cve:`2024-38598`, :cve:`2024-38600`, :cve:`2024-38627`, :cve:`2024-38633`, :cve:`2024-38661`, :cve:`2024-38662`, :cve:`2024-38780`, :cve:`2024-39277`, :cve:`2024-39292`, :cve:`2024-39301`, :cve:`2024-39466`, :cve:`2024-39468`, :cve:`2024-39471`, :cve:`2024-39475`, :cve:`2024-39476`, :cve:`2024-39480`, :cve:`2024-39482`, :cve:`2024-39484`, :cve:`2024-39487`, :cve:`2024-39489`, :cve:`2024-39493`, :cve:`2024-39495`, :cve:`2024-39506`, :cve:`2024-40902`, :cve:`2024-40911`, :cve:`2024-40912`, :cve:`2024-40932`, :cve:`2024-40934`, :cve:`2024-40954`, :cve:`2024-40956`, :cve:`2024-40957`, :cve:`2024-40958`, :cve:`2024-40959`, :cve:`2024-40960`, :cve:`2024-40961`, :cve:`2024-40967`, :cve:`2024-40970`, :cve:`2024-40980`, :cve:`2024-40981`, :cve:`2024-40994`, :cve:`2024-40995`, :cve:`2024-41000`, :cve:`2024-41002`, :cve:`2024-41006`, :cve:`2024-41007`, :cve:`2024-41046`, :cve:`2024-41049`, :cve:`2024-41055`, :cve:`2024-41064`, :cve:`2024-41070`, :cve:`2024-41073`, :cve:`2024-41087`, :cve:`2024-41089`, :cve:`2024-41092`, :cve:`2024-41093`, :cve:`2024-41095`, :cve:`2024-41097`, :cve:`2024-42068`, :cve:`2024-42070`, :cve:`2024-42076`, :cve:`2024-42077`, :cve:`2024-42080`, :cve:`2024-42082`, :cve:`2024-42085`, :cve:`2024-42090`, :cve:`2024-42093`, :cve:`2024-42094`, :cve:`2024-42101`, :cve:`2024-42102`, :cve:`2024-42104`, :cve:`2024-42109`, :cve:`2024-42140`, :cve:`2024-42148`, :cve:`2024-42152`, :cve:`2024-42153`, :cve:`2024-42154`, :cve:`2024-42157`, :cve:`2024-42161`, :cve:`2024-42223`, :cve:`2024-42224`, :cve:`2024-42225`, :cve:`2024-42229`, :cve:`2024-42232`, :cve:`2024-42236`, :cve:`2024-42244` and :cve:`2024-42247`
-  llvm: Fix :cve:`2023-46049` and :cve:`2024-31852`
-  ofono: fix :cve:`2023-2794`
-  orc: Fix :cve:`2024-40897`
-  python3-certifi: Fix :cve:`2024-39689`
-  python3-jinja2: Fix :cve:`2024-34064`
-  python3: Fix :cve:`2024-8088`
-  qemu: Fix :cve:`2024-7409`
-  ruby: Fix for :cve:`2024-27282`
-  tiff: Fix :cve:`2024-7006`
-  vim: Fix :cve:`2024-22667`, :cve:`2024-41957`, :cve:`2024-41965` and :cve:`2024-43374`
-  wpa-supplicant: Fix :cve:`2023-52160`
+-  bind: Fix :cve_nist:`2024-4076`, :cve_nist:`2024-1737`, :cve_nist:`2024-0760` and :cve_nist:`2024-1975`
+-  apr: Fix :cve_nist:`2023-49582`
+-  busybox: Fix :cve_nist:`2023-42363`, :cve_nist:`2023-42364`, :cve_nist:`2023-42365`, :cve_nist:`2023-42366` and :cve_nist:`2021-42380`
+-  curl: Ignore :cve_nist:`2024-32928`
+-  curl: Fix :cve_nist:`2024-7264`
+-  ghostscript: Fix :cve_nist:`2024-29506`, :cve_nist:`2024-29509` and :cve_nist:`2024-29511`
+-  go: Fix :cve_nist:`2024-24789` and :cve_nist:`2024-24791`
+-  gtk+3: Fix :cve_nist:`2024-6655`
+-  libarchive: Ignore :cve_nist:`2024-37407`
+-  libyaml: Ignore :cve_nist:`2024-35325`, :cve_nist:`2024-35326` and :cve_nist:`2024-35328`
+-  linux-yocto/5.15: Fix :cve_nist:`2022-48772`, :cve_nist:`2024-35972`, :cve_nist:`2024-35984`, :cve_nist:`2024-35990`, :cve_nist:`2024-35997`, :cve_nist:`2024-36008`, :cve_nist:`2024-36270`, :cve_nist:`2024-36489`, :cve_nist:`2024-36897`, :cve_nist:`2024-36938`, :cve_nist:`2024-36965`, :cve_nist:`2024-36967`, :cve_nist:`2024-36969`, :cve_nist:`2024-36971`, :cve_nist:`2024-36978`, :cve_nist:`2024-38546`, :cve_nist:`2024-38547`, :cve_nist:`2024-38549`, :cve_nist:`2024-38552`, :cve_nist:`2024-38555`, :cve_nist:`2024-38571`, :cve_nist:`2024-38583`, :cve_nist:`2024-38591`, :cve_nist:`2024-38597`, :cve_nist:`2024-38598`, :cve_nist:`2024-38600`, :cve_nist:`2024-38627`, :cve_nist:`2024-38633`, :cve_nist:`2024-38661`, :cve_nist:`2024-38662`, :cve_nist:`2024-38780`, :cve_nist:`2024-39277`, :cve_nist:`2024-39292`, :cve_nist:`2024-39301`, :cve_nist:`2024-39466`, :cve_nist:`2024-39468`, :cve_nist:`2024-39471`, :cve_nist:`2024-39475`, :cve_nist:`2024-39476`, :cve_nist:`2024-39480`, :cve_nist:`2024-39482`, :cve_nist:`2024-39484`, :cve_nist:`2024-39487`, :cve_nist:`2024-39489`, :cve_nist:`2024-39493`, :cve_nist:`2024-39495`, :cve_nist:`2024-39506`, :cve_nist:`2024-40902`, :cve_nist:`2024-40911`, :cve_nist:`2024-40912`, :cve_nist:`2024-40932`, :cve_nist:`2024-40934`, :cve_nist:`2024-40954`, :cve_nist:`2024-40956`, :cve_nist:`2024-40957`, :cve_nist:`2024-40958`, :cve_nist:`2024-40959`, :cve_nist:`2024-40960`, :cve_nist:`2024-40961`, :cve_nist:`2024-40967`, :cve_nist:`2024-40970`, :cve_nist:`2024-40980`, :cve_nist:`2024-40981`, :cve_nist:`2024-40994`, :cve_nist:`2024-40995`, :cve_nist:`2024-41000`, :cve_nist:`2024-41002`, :cve_nist:`2024-41006`, :cve_nist:`2024-41007`, :cve_nist:`2024-41046`, :cve_nist:`2024-41049`, :cve_nist:`2024-41055`, :cve_nist:`2024-41064`, :cve_nist:`2024-41070`, :cve_nist:`2024-41073`, :cve_nist:`2024-41087`, :cve_nist:`2024-41089`, :cve_nist:`2024-41092`, :cve_nist:`2024-41093`, :cve_nist:`2024-41095`, :cve_nist:`2024-41097`, :cve_nist:`2024-42068`, :cve_nist:`2024-42070`, :cve_nist:`2024-42076`, :cve_nist:`2024-42077`, :cve_nist:`2024-42080`, :cve_nist:`2024-42082`, :cve_nist:`2024-42085`, :cve_nist:`2024-42090`, :cve_nist:`2024-42093`, :cve_nist:`2024-42094`, :cve_nist:`2024-42101`, :cve_nist:`2024-42102`, :cve_nist:`2024-42104`, :cve_nist:`2024-42109`, :cve_nist:`2024-42140`, :cve_nist:`2024-42148`, :cve_nist:`2024-42152`, :cve_nist:`2024-42153`, :cve_nist:`2024-42154`, :cve_nist:`2024-42157`, :cve_nist:`2024-42161`, :cve_nist:`2024-42223`, :cve_nist:`2024-42224`, :cve_nist:`2024-42225`, :cve_nist:`2024-42229`, :cve_nist:`2024-42232`, :cve_nist:`2024-42236`, :cve_nist:`2024-42244` and :cve_nist:`2024-42247`
+-  llvm: Fix :cve_nist:`2023-46049` and :cve_nist:`2024-31852`
+-  ofono: fix :cve_nist:`2023-2794`
+-  orc: Fix :cve_nist:`2024-40897`
+-  python3-certifi: Fix :cve_nist:`2024-39689`
+-  python3-jinja2: Fix :cve_nist:`2024-34064`
+-  python3: Fix :cve_nist:`2024-8088`
+-  qemu: Fix :cve_nist:`2024-7409`
+-  ruby: Fix for :cve_nist:`2024-27282`
+-  tiff: Fix :cve_nist:`2024-7006`
+-  vim: Fix :cve_nist:`2024-22667`, :cve_nist:`2024-41957`, :cve_nist:`2024-41965` and :cve_nist:`2024-43374`
+-  wpa-supplicant: Fix :cve_nist:`2023-52160`


 Fixes in Yocto-4.0.21
@@ -51,8 +51,8 @@ Fixes in Yocto-4.0.21
 -  python3-pycryptodome(x): use python_setuptools_build_meta build class
 -  python3: add PACKAGECONFIG[editline]
 -  ref-manual: fix typo and move :term:`SYSROOT_DIRS` example
-  sqlite3: CVE_ID correction for :cve:`2023-7104` as patched
-  sqlite3: Rename patch for :cve:`2022-35737`
+-  sqlite3: CVE_ID correction for :cve_nist:`2023-7104` as patched
+-  sqlite3: Rename patch for :cve_nist:`2022-35737`
 -  uboot-sign: Fix index error in concat_dtb_helper() with multiple configs
 -  vim: upgrade to 9.1.0682
 -  wireless-regdb: upgrade to 2024.07.04
--- a/documentation/migration-guides/release-notes-4.0.22.rst
+++ b/documentation/migration-guides/release-notes-4.0.22.rst
@@ -0,0 +1,196 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Release notes for Yocto-4.0.22 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.22
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  cups: Fix :cve_nist:`2024-35235` and :cve_nist:`2024-47175`
+-  curl: Fix :cve_nist:`2024-8096`
+-  expat: Fix :cve_nist:`2024-45490`, :cve_nist:`2024-45491` and :cve_nist:`2024-45492`
+-  gnupg: Ignore :cve_nist:`2022-3219`
+-  libpcap: Fix :cve_nist:`2023-7256` and :cve_nist:`2024-8006`
+-  linux-yocto/5.10: Fix :cve_nist:`2022-48772`, :cve_nist:`2023-52434`, :cve_nist:`2023-52447`, :cve_nist:`2023-52458`, :cve_nist:`2024-0841`, :cve_nist:`2024-26601`, :cve_nist:`2024-26882`, :cve_nist:`2024-26883`, :cve_nist:`2024-26884`, :cve_nist:`2024-26885`, :cve_nist:`2024-26898`, :cve_nist:`2024-26901`, :cve_nist:`2024-26903`, :cve_nist:`2024-26907`, :cve_nist:`2024-26934`, :cve_nist:`2024-26978`, :cve_nist:`2024-27013`, :cve_nist:`2024-27020`, :cve_nist:`2024-35972`, :cve_nist:`2024-35978`, :cve_nist:`2024-35982`, :cve_nist:`2024-35984`, :cve_nist:`2024-35990`, :cve_nist:`2024-35997`, :cve_nist:`2024-36008`, :cve_nist:`2024-36270`, :cve_nist:`2024-36489`, :cve_nist:`2024-36902`, :cve_nist:`2024-36971`, :cve_nist:`2024-36978`, :cve_nist:`2024-38546`, :cve_nist:`2024-38547`, :cve_nist:`2024-38549`, :cve_nist:`2024-38552`, :cve_nist:`2024-38555`, :cve_nist:`2024-38583`, :cve_nist:`2024-38590`, :cve_nist:`2024-38597`, :cve_nist:`2024-38598`, :cve_nist:`2024-38627`, :cve_nist:`2024-38633`, :cve_nist:`2024-38661`, :cve_nist:`2024-38662`, :cve_nist:`2024-38780`, :cve_nist:`2024-39292`, :cve_nist:`2024-39301`, :cve_nist:`2024-39468`, :cve_nist:`2024-39471`, :cve_nist:`2024-39475`, :cve_nist:`2024-39476`, :cve_nist:`2024-39480`, :cve_nist:`2024-39482`, :cve_nist:`2024-39484`, :cve_nist:`2024-39487`, :cve_nist:`2024-39489`, :cve_nist:`2024-39495`, :cve_nist:`2024-39506`, :cve_nist:`2024-40902`, :cve_nist:`2024-40904`, :cve_nist:`2024-40905`, :cve_nist:`2024-40912`, :cve_nist:`2024-40932`, :cve_nist:`2024-40934`, :cve_nist:`2024-40958`, :cve_nist:`2024-40959`, :cve_nist:`2024-40960`, :cve_nist:`2024-40961`, :cve_nist:`2024-40980`, :cve_nist:`2024-40981`, :cve_nist:`2024-40995`, :cve_nist:`2024-41000`, :cve_nist:`2024-41006`, :cve_nist:`2024-41007`, :cve_nist:`2024-41012`, :cve_nist:`2024-41040`, :cve_nist:`2024-41046`, :cve_nist:`2024-41049`, :cve_nist:`2024-41059`, :cve_nist:`2024-41063`, :cve_nist:`2024-41064`, :cve_nist:`2024-41070`, :cve_nist:`2024-41087`, :cve_nist:`2024-41089`, :cve_nist:`2024-41092`, :cve_nist:`2024-41095`, :cve_nist:`2024-41097`, :cve_nist:`2024-42070`, :cve_nist:`2024-42076`, :cve_nist:`2024-42077`, :cve_nist:`2024-42082`, :cve_nist:`2024-42090`, :cve_nist:`2024-42093`, :cve_nist:`2024-42094`, :cve_nist:`2024-42101`, :cve_nist:`2024-42102`, :cve_nist:`2024-42104`, :cve_nist:`2024-42131`, :cve_nist:`2024-42137`, :cve_nist:`2024-42148`, :cve_nist:`2024-42152`, :cve_nist:`2024-42153`, :cve_nist:`2024-42154`, :cve_nist:`2024-42157`, :cve_nist:`2024-42161`, :cve_nist:`2024-42223`, :cve_nist:`2024-42224`, :cve_nist:`2024-42229`, :cve_nist:`2024-42232`, :cve_nist:`2024-42236`, :cve_nist:`2024-42244` and :cve_nist:`2024-42247`
+-  linux-yocto/5.15: Fix :cve_nist:`2023-52889`, :cve_nist:`2024-41011`, :cve_nist:`2024-42114`, :cve_nist:`2024-42259`, :cve_nist:`2024-42271`, :cve_nist:`2024-42272`, :cve_nist:`2024-42277`, :cve_nist:`2024-42280`, :cve_nist:`2024-42283`, :cve_nist:`2024-42284`, :cve_nist:`2024-42285`, :cve_nist:`2024-42286`, :cve_nist:`2024-42287`, :cve_nist:`2024-42288`, :cve_nist:`2024-42289`, :cve_nist:`2024-42301`, :cve_nist:`2024-42302`, :cve_nist:`2024-42309`, :cve_nist:`2024-42310`, :cve_nist:`2024-42311`, :cve_nist:`2024-42313`, :cve_nist:`2024-43817`, :cve_nist:`2024-43828`, :cve_nist:`2024-43854`, :cve_nist:`2024-43856`, :cve_nist:`2024-43858`, :cve_nist:`2024-43860`, :cve_nist:`2024-43861`, :cve_nist:`2024-43863`, :cve_nist:`2024-43871`, :cve_nist:`2024-43873`, :cve_nist:`2024-43882`, :cve_nist:`2024-43889`, :cve_nist:`2024-43890`, :cve_nist:`2024-43893`, :cve_nist:`2024-43894`, :cve_nist:`2024-43902`, :cve_nist:`2024-43907`, :cve_nist:`2024-43908`, :cve_nist:`2024-43909`, :cve_nist:`2024-43914`, :cve_nist:`2024-44934`, :cve_nist:`2024-44935`, :cve_nist:`2024-44944`, :cve_nist:`2024-44947`, :cve_nist:`2024-44952`, :cve_nist:`2024-44954`, :cve_nist:`2024-44958`, :cve_nist:`2024-44960`, :cve_nist:`2024-44965`, :cve_nist:`2024-44966`, :cve_nist:`2024-44969`, :cve_nist:`2024-44971`, :cve_nist:`2024-44982`, :cve_nist:`2024-44983`, :cve_nist:`2024-44985`, :cve_nist:`2024-44986`, :cve_nist:`2024-44987`, :cve_nist:`2024-44988`, :cve_nist:`2024-44989`, :cve_nist:`2024-44990`, :cve_nist:`2024-44995`, :cve_nist:`2024-44998`, :cve_nist:`2024-44999`, :cve_nist:`2024-45003`, :cve_nist:`2024-45006`, :cve_nist:`2024-45011`, :cve_nist:`2024-45016`, :cve_nist:`2024-45018`, :cve_nist:`2024-45021`, :cve_nist:`2024-45025`, :cve_nist:`2024-45026`, :cve_nist:`2024-45028`, :cve_nist:`2024-46673`, :cve_nist:`2024-46674`, :cve_nist:`2024-46675`, :cve_nist:`2024-46676`, :cve_nist:`2024-46677`, :cve_nist:`2024-46679`, :cve_nist:`2024-46685`, :cve_nist:`2024-46689`, :cve_nist:`2024-46702` and :cve_nist:`2024-46707`
+-  openssl: Fix :cve_nist:`2024-6119`
+-  procps: Fix :cve_nist:`2023-4016`
+-  python3: Fix :cve_nist:`2023-27043`, :cve_nist:`2024-4030`, :cve_nist:`2024-4032`, :cve_nist:`2024-6923`, :cve_nist:`2024-6232`, :cve_nist:`2024-7592` and :cve_nist:`2024-8088`
+-  qemu: Fix :cve_nist:`2024-4467`
+-  rust: Ignore :cve_nist:`2024-43402`
+-  webkitgtk: Fix :cve_nist:`2024-40779`
+-  wpa-supplicant: Ignore :cve_nist:`2024-5290`
+-  wpa-supplicant: Fix :cve_nist:`2024-3596`
+
+
+Fixes in Yocto-4.0.22
+~~~~~~~~~~~~~~~~~~~~~
+
+-  bintuils: stable 2.38 branch update
+-  bitbake: fetch2/wget: Canonicalize :term:`DL_DIR` paths for wget2 compatibility
+-  bitbake: fetch/wget: Move files into place atomically
+-  bitbake: hashserv: tests: Omit client in slow server start test
+-  bitbake: tests/fetch: Tweak to work on Fedora40
+-  bitbake: wget: Make wget --passive-ftp option conditional on ftp/ftps
+-  build-appliance-image: Update to kirkstone head revision
+-  buildhistory: Fix intermittent package file list creation
+-  buildhistory: Restoring files from preserve list
+-  buildhistory: Simplify intercept call sites and drop SSTATEPOSTINSTFUNC usage
+-  busybox: Fix cut with "-s" flag
+-  cdrtools-native: fix build with gcc-14
+-  curl: free old conn better on reuse
+-  cve-exclusion: Drop the version comparision/warning
+-  dejagnu: Fix :term:`LICENSE` (change to GPL-3.0-only)
+-  doc/features: remove duplicate word in distribution feature ext2
+-  gcc: upgrade to v11.5
+-  gcr: Fix :term:`LICENSE` (change to LGPL-2.0-only)
+-  glibc: stable 2.35 branch updates
+-  install-buildtools: fix "test installation" step
+-  install-buildtools: remove md5 checksum validation
+-  install-buildtools: support buildtools-make-tarball and update to 4.1
+-  iw: Fix :term:`LICENSE` (change to ISC)
+-  kmscube: Add patch to fix -int-conversion build error
+-  lib/oeqa: rename assertRaisesRegexp to assertRaisesRegex
+-  libedit: Make docs generation deterministic
+-  linux-yocto/5.10: fix NFSV3 config warning
+-  linux-yocto/5.10: remove obsolete options
+-  linux-yocto/5.10: update to v5.10.223
+-  linux-yocto/5.15: update to v5.15.166
+-  meta-world-pkgdata: Inherit nopackages
+-  migration-guide: add release notes for 4.0.21
+-  openssl: Upgrade to 3.0.15
+-  poky.conf: bump version for 4.0.22
+-  populate_sdk_base: inherit nopackages
+-  python3: Upgrade to 3.10.15
+-  ruby: Make docs generation deterministic
+-  runqemu: keep generating tap devices
+-  scripts/install-buildtools: Update to 4.0.21
+-  selftest/runtime_test/virgl: Disable for all fedora
+-  testexport: fallback for empty :term:`IMAGE_LINK_NAME`
+-  testimage: fallback for empty :term:`IMAGE_LINK_NAME`
+-  tiff: Fix :term:`LICENSE` (change to libtiff)
+-  udev-extraconf: Add collect flag to mount
+-  unzip: Fix :term:`LICENSE` (change to Info-ZIP)
+-  valgrind: disable avx_estimate_insn.vgtest
+-  wpa-supplicant: Patch security advisory 2024-2
+-  yocto-uninative: Update to 4.5 for gcc 14
+-  yocto-uninative: Update to 4.6 for glibc 2.40
+-  zip: Fix :term:`LICENSE` (change to Info-ZIP)
+-  zstd: fix :term:`LICENSE` statement (change to "BSD-3-Clause | GPL-2.0-only")
+
+
+Known Issues in Yocto-4.0.22
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  ``oeqa/runtime``: the ``beaglebone-yocto`` target fails the ``parselogs``
+   runtime test due to unexpected kernel error messages in the log (see
+   :yocto_bugs:`bug 15624 </show_bug.cgi?id=15624>` on Bugzilla).
+
+
+Contributors to Yocto-4.0.22
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Aleksandar Nikolic
+-  Alexandre Belloni
+-  Archana Polampalli
+-  Bruce Ashfield
+-  Colin McAllister
+-  Deepthi Hemraj
+-  Divya Chellam
+-  Hitendra Prajapati
+-  Hugo SIMELIERE
+-  Jinfeng Wang
+-  Joshua Watt
+-  Jörg Sommer
+-  Konrad Weihmann
+-  Lee Chee Yang
+-  Martin Jansa
+-  Massimiliano Minella
+-  Michael Halstead
+-  Mingli Yu
+-  Niko Mauno
+-  Paul Eggleton
+-  Pedro Ferreira
+-  Peter Marko
+-  Purushottam Choudhary
+-  Richard Purdie
+-  Rob Woolley
+-  Rohini Sangam
+-  Ross Burton
+-  Rudolf J Streif
+-  Siddharth Doshi
+-  Steve Sakoman
+-  Vijay Anusuri
+-  Vivek Kumbhar
+
+
+Repositories / Downloads for Yocto-4.0.22
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.22 </poky/log/?h=yocto-4.0.22>`
+-  Git Revision: :yocto_git:`7e87dc422d972e0dc98372318fcdc63a76347d16 </poky/commit/?id=7e87dc422d972e0dc98372318fcdc63a76347d16>`
+-  Release Artefact: poky-7e87dc422d972e0dc98372318fcdc63a76347d16
+-  sha: 5058e7b2474f8cb73c19e776ef58d9784321ef42109d5982747c8c432531239f
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.22/poky-7e87dc422d972e0dc98372318fcdc63a76347d16.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.22/poky-7e87dc422d972e0dc98372318fcdc63a76347d16.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.22 </openembedded-core/log/?h=yocto-4.0.22>`
+-  Git Revision: :oe_git:`f09fca692f96c9c428e89c5ef53fbcb92ac0c9bf </openembedded-core/commit/?id=f09fca692f96c9c428e89c5ef53fbcb92ac0c9bf>`
+-  Release Artefact: oecore-f09fca692f96c9c428e89c5ef53fbcb92ac0c9bf
+-  sha: 378bcc840ba9fbf06a15fea1b5dacdd446f3ad4d85115d708e7bbb20629cdeb4
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.22/oecore-f09fca692f96c9c428e89c5ef53fbcb92ac0c9bf.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.22/oecore-f09fca692f96c9c428e89c5ef53fbcb92ac0c9bf.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.22 </meta-mingw/log/?h=yocto-4.0.22>`
+-  Git Revision: :yocto_git:`f6b38ce3c90e1600d41c2ebb41e152936a0357d7 </meta-mingw/commit/?id=f6b38ce3c90e1600d41c2ebb41e152936a0357d7>`
+-  Release Artefact: meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7
+-  sha: 7d57167c19077f4ab95623d55a24c2267a3a3fb5ed83688659b4c03586373b25
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.22/meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.22/meta-mingw-f6b38ce3c90e1600d41c2ebb41e152936a0357d7.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.22 </meta-gplv2/log/?h=yocto-4.0.22>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.22/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.22/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.22 </bitbake/log/?h=yocto-4.0.22>`
+-  Git Revision: :oe_git:`eb5c1ce6b1b8f33535ff7b9263ec7648044163ea </bitbake/commit/?id=eb5c1ce6b1b8f33535ff7b9263ec7648044163ea>`
+-  Release Artefact: bitbake-eb5c1ce6b1b8f33535ff7b9263ec7648044163ea
+-  sha: 473d3e9539160633f3de9d88cce69123f6c623e4c8ab35beb7875868564593cf
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.22/bitbake-eb5c1ce6b1b8f33535ff7b9263ec7648044163ea.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.22/bitbake-eb5c1ce6b1b8f33535ff7b9263ec7648044163ea.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.22 </yocto-docs/log/?h=yocto-4.0.22>`
+-  Git Revision: :yocto_git:`2169a52a24ebd1906039c42632bae6c4285a3aca </yocto-docs/commit/?id=2169a52a24ebd1906039c42632bae6c4285a3aca>`
+
--- a/documentation/migration-guides/release-notes-4.0.3.rst
+++ b/documentation/migration-guides/release-notes-4.0.3.rst
@@ -4,21 +4,21 @@ Release notes for Yocto-4.0.3 (Kirkstone)
 Security Fixes in Yocto-4.0.3
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  binutils: fix :cve:`2019-1010204`
-  busybox: fix :cve:`2022-30065`
-  cups: ignore :cve:`2022-26691`
-  curl: Fix :cve:`2022-32205`, :cve:`2022-32206`, :cve:`2022-32207` and :cve:`2022-32208`
-  dpkg: fix :cve:`2022-1664`
-  ghostscript: fix :cve:`2022-2085`
-  harfbuzz: fix :cve:`2022-33068`
-  libtirpc: fix :cve:`2021-46828`
-  lua: fix :cve:`2022-33099`
-  nasm: ignore :cve:`2020-18974`
-  qemu: fix :cve:`2022-35414`
-  qemu: ignore :cve:`2021-20255` and :cve:`2019-12067`
-  tiff: fix :cve:`2022-1354`, :cve:`2022-1355`, :cve:`2022-2056`, :cve:`2022-2057` and :cve:`2022-2058`
-  u-boot: fix :cve:`2022-34835`
-  unzip: fix :cve:`2022-0529` and :cve:`2022-0530`
+-  binutils: fix :cve_nist:`2019-1010204`
+-  busybox: fix :cve_nist:`2022-30065`
+-  cups: ignore :cve_nist:`2022-26691`
+-  curl: Fix :cve_nist:`2022-32205`, :cve_nist:`2022-32206`, :cve_nist:`2022-32207` and :cve_nist:`2022-32208`
+-  dpkg: fix :cve_nist:`2022-1664`
+-  ghostscript: fix :cve_nist:`2022-2085`
+-  harfbuzz: fix :cve_nist:`2022-33068`
+-  libtirpc: fix :cve_nist:`2021-46828`
+-  lua: fix :cve_nist:`2022-33099`
+-  nasm: ignore :cve_nist:`2020-18974`
+-  qemu: fix :cve_nist:`2022-35414`
+-  qemu: ignore :cve_nist:`2021-20255` and :cve_nist:`2019-12067`
+-  tiff: fix :cve_nist:`2022-1354`, :cve_nist:`2022-1355`, :cve_nist:`2022-2056`, :cve_nist:`2022-2057` and :cve_nist:`2022-2058`
+-  u-boot: fix :cve_nist:`2022-34835`
+-  unzip: fix :cve_nist:`2022-0529` and :cve_nist:`2022-0530`


 Fixes in Yocto-4.0.3
--- a/documentation/migration-guides/release-notes-4.0.4.rst
+++ b/documentation/migration-guides/release-notes-4.0.4.rst
@@ -4,17 +4,17 @@ Release notes for Yocto-4.0.4 (Kirkstone)
 Security Fixes in Yocto-4.0.4
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  binutils : fix :cve:`2022-38533`
-  curl: fix :cve:`2022-35252`
-  sqlite: fix :cve:`2022-35737`
-  grub2: fix :cve:`2021-3695`, :cve:`2021-3696`, :cve:`2021-3697`, :cve:`2022-28733`, :cve:`2022-28734` and :cve:`2022-28735`
-  u-boot: fix :cve:`2022-30552` and :cve:`2022-33967`
-  libxml2: Ignore :cve:`2016-3709`
-  libtiff: fix :cve:`2022-34526`
-  zlib: fix :cve:`2022-37434`
-  gnutls: fix :cve:`2022-2509`
-  u-boot: fix :cve:`2022-33103`
-  qemu: fix :cve:`2021-3507`, :cve:`2021-3929`, :cve:`2021-4158`, :cve:`2022-0216` and :cve:`2022-0358`
+-  binutils : fix :cve_nist:`2022-38533`
+-  curl: fix :cve_nist:`2022-35252`
+-  sqlite: fix :cve_nist:`2022-35737`
+-  grub2: fix :cve_nist:`2021-3695`, :cve_nist:`2021-3696`, :cve_nist:`2021-3697`, :cve_nist:`2022-28733`, :cve_nist:`2022-28734` and :cve_nist:`2022-28735`
+-  u-boot: fix :cve_nist:`2022-30552` and :cve_nist:`2022-33967`
+-  libxml2: Ignore :cve_nist:`2016-3709`
+-  libtiff: fix :cve_nist:`2022-34526`
+-  zlib: fix :cve_nist:`2022-37434`
+-  gnutls: fix :cve_nist:`2022-2509`
+-  u-boot: fix :cve_nist:`2022-33103`
+-  qemu: fix :cve_nist:`2021-3507`, :cve_nist:`2021-3929`, :cve_nist:`2021-4158`, :cve_nist:`2022-0216` and :cve_nist:`2022-0358`


 Fixes in Yocto-4.0.4
--- a/documentation/migration-guides/release-notes-4.0.5.rst
+++ b/documentation/migration-guides/release-notes-4.0.5.rst
@@ -4,11 +4,11 @@ Release notes for Yocto-4.0.5 (Kirkstone)
 Security Fixes in Yocto-4.0.5
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  qemu: fix :cve:`2021-3750`, :cve:`2021-3611` and :cve:`2022-2962`
-  binutils : fix :cve:`2022-38126`, :cve:`2022-38127` and :cve:`2022-38128`
-  tff: fix :cve:`2022-2867`, :cve:`2022-2868` and :cve:`2022-2869`
-  inetutils: fix :cve:`2022-39028`
-  go: fix :cve:`2022-27664`
+-  qemu: fix :cve_nist:`2021-3750`, :cve_nist:`2021-3611` and :cve_nist:`2022-2962`
+-  binutils : fix :cve_nist:`2022-38126`, :cve_nist:`2022-38127` and :cve_nist:`2022-38128`
+-  tff: fix :cve_nist:`2022-2867`, :cve_nist:`2022-2868` and :cve_nist:`2022-2869`
+-  inetutils: fix :cve_nist:`2022-39028`
+-  go: fix :cve_nist:`2022-27664`

 Fixes in Yocto-4.0.5
 ~~~~~~~~~~~~~~~~~~~~
--- a/documentation/migration-guides/release-notes-4.0.6.rst
+++ b/documentation/migration-guides/release-notes-4.0.6.rst
@@ -6,28 +6,28 @@ Release notes for Yocto-4.0.6 (Kirkstone)
 Security Fixes in Yocto-4.0.6
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  bash: Fix :cve:`2022-3715`
-  curl: Fix :cve:`2022-32221`, :cve:`2022-42915` and :cve:`2022-42916`
-  dbus: Fix :cve:`2022-42010`, :cve:`2022-42011` and :cve:`2022-42012`
-  dropbear: Fix :cve:`2021-36369`
-  ffmpeg: Fix :cve:`2022-3964`, :cve:`2022-3965`
-  go: Fix :cve:`2022-2880`
-  grub2: Fix :cve:`2022-2601`, :cve:`2022-3775` and :cve:`2022-28736`
-  libarchive: Fix :cve:`2022-36227`
-  libpam: Fix :cve:`2022-28321`
-  libsndfile1: Fix :cve:`2021-4156`
-  lighttpd: Fix :cve:`2022-41556`
-  openssl: Fix :cve:`2022-3358`
-  pixman: Fix :cve:`2022-44638`
-  python3-mako: Fix :cve:`2022-40023`
-  python3: Fix :cve:`2022-42919`
-  qemu: Fix :cve:`2022-3165`
-  sysstat: Fix :cve:`2022-39377`
-  systemd: Fix :cve:`2022-3821`
-  tiff: Fix :cve:`2022-2953`, :cve:`2022-3599`, :cve:`2022-3597`, :cve:`2022-3626`, :cve:`2022-3627`, :cve:`2022-3570`, :cve:`2022-3598` and :cve:`2022-3970`
-  vim: Fix :cve:`2022-3352`, :cve:`2022-3705` and :cve:`2022-4141`
-  wayland: Fix :cve:`2021-3782`
-  xserver-xorg: Fix :cve:`2022-3550` and :cve:`2022-3551`
+-  bash: Fix :cve_nist:`2022-3715`
+-  curl: Fix :cve_nist:`2022-32221`, :cve_nist:`2022-42915` and :cve_nist:`2022-42916`
+-  dbus: Fix :cve_nist:`2022-42010`, :cve_nist:`2022-42011` and :cve_nist:`2022-42012`
+-  dropbear: Fix :cve_nist:`2021-36369`
+-  ffmpeg: Fix :cve_nist:`2022-3964`, :cve_nist:`2022-3965`
+-  go: Fix :cve_nist:`2022-2880`
+-  grub2: Fix :cve_nist:`2022-2601`, :cve_nist:`2022-3775` and :cve_nist:`2022-28736`
+-  libarchive: Fix :cve_nist:`2022-36227`
+-  libpam: Fix :cve_nist:`2022-28321`
+-  libsndfile1: Fix :cve_nist:`2021-4156`
+-  lighttpd: Fix :cve_nist:`2022-41556`
+-  openssl: Fix :cve_nist:`2022-3358`
+-  pixman: Fix :cve_nist:`2022-44638`
+-  python3-mako: Fix :cve_nist:`2022-40023`
+-  python3: Fix :cve_nist:`2022-42919`
+-  qemu: Fix :cve_nist:`2022-3165`
+-  sysstat: Fix :cve_nist:`2022-39377`
+-  systemd: Fix :cve_nist:`2022-3821`
+-  tiff: Fix :cve_nist:`2022-2953`, :cve_nist:`2022-3599`, :cve_nist:`2022-3597`, :cve_nist:`2022-3626`, :cve_nist:`2022-3627`, :cve_nist:`2022-3570`, :cve_nist:`2022-3598` and :cve_nist:`2022-3970`
+-  vim: Fix :cve_nist:`2022-3352`, :cve_nist:`2022-3705` and :cve_nist:`2022-4141`
+-  wayland: Fix :cve_nist:`2021-3782`
+-  xserver-xorg: Fix :cve_nist:`2022-3550` and :cve_nist:`2022-3551`


 Fixes in Yocto-4.0.6
--- a/documentation/migration-guides/release-notes-4.0.7.rst
+++ b/documentation/migration-guides/release-notes-4.0.7.rst
@@ -6,25 +6,25 @@ Release notes for Yocto-4.0.7 (Kirkstone)
 Security Fixes in Yocto-4.0.7
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  binutils: Fix :cve:`2022-4285`
-  curl: Fix :cve:`2022-43551` and :cve_mitre:`2022-43552`
-  ffmpeg: Fix :cve:`2022-3109` and :cve:`2022-3341`
-  go: Fix :cve:`2022-41715` and :cve:`2022-41717`
-  libX11: Fix :cve:`2022-3554` and :cve:`2022-3555`
-  libarchive: Fix :cve:`2022-36227`
-  libksba: Fix :cve:`2022-47629`
-  libpng: Fix :cve:`2019-6129`
-  libxml2: Fix :cve:`2022-40303` and :cve:`2022-40304`
-  openssl: Fix :cve:`2022-3996`
-  python3: Fix :cve:`2022-45061`
-  python3-git: Fix :cve:`2022-24439`
-  python3-setuptools: Fix :cve:`2022-40897`
-  python3-wheel: Fix :cve:`2022-40898`
-  qemu: Fix :cve:`2022-4144`
-  sqlite: Fix :cve:`2022-46908`
-  systemd: Fix :cve:`2022-45873`
-  vim: Fix :cve:`2023-0049`, :cve:`2023-0051`, :cve:`2023-0054` and :cve:`2023-0088`
-  webkitgtk: Fix :cve:`2022-32886`, :cve_mitre:`2022-32891`
+-  binutils: Fix :cve_nist:`2022-4285`
+-  curl: Fix :cve_nist:`2022-43551` and :cve_mitre:`2022-43552`
+-  ffmpeg: Fix :cve_nist:`2022-3109` and :cve_nist:`2022-3341`
+-  go: Fix :cve_nist:`2022-41715` and :cve_nist:`2022-41717`
+-  libX11: Fix :cve_nist:`2022-3554` and :cve_nist:`2022-3555`
+-  libarchive: Fix :cve_nist:`2022-36227`
+-  libksba: Fix :cve_nist:`2022-47629`
+-  libpng: Fix :cve_nist:`2019-6129`
+-  libxml2: Fix :cve_nist:`2022-40303` and :cve_nist:`2022-40304`
+-  openssl: Fix :cve_nist:`2022-3996`
+-  python3: Fix :cve_nist:`2022-45061`
+-  python3-git: Fix :cve_nist:`2022-24439`
+-  python3-setuptools: Fix :cve_nist:`2022-40897`
+-  python3-wheel: Fix :cve_nist:`2022-40898`
+-  qemu: Fix :cve_nist:`2022-4144`
+-  sqlite: Fix :cve_nist:`2022-46908`
+-  systemd: Fix :cve_nist:`2022-45873`
+-  vim: Fix :cve_nist:`2023-0049`, :cve_nist:`2023-0051`, :cve_nist:`2023-0054` and :cve_nist:`2023-0088`
+-  webkitgtk: Fix :cve_nist:`2022-32886`, :cve_mitre:`2022-32891` and :cve_nist:`2022-32912`


 Fixes in Yocto-4.0.7
@@ -39,7 +39,7 @@ Fixes in Yocto-4.0.7
 -  busybox: always start do_compile with orig config files
 -  busybox: rm temporary files if do_compile was interrupted
 -  cairo: fix CVE patches assigned wrong CVE number
-  cairo: update patch for :cve:`2019-6461` with upstream solution
+-  cairo: update patch for :cve_nist:`2019-6461` with upstream solution
 -  classes/create-spdx: Add SPDX_PRETTY option
 -  classes: image: Set empty weak default IMAGE_LINGUAS
 -  combo-layer: add sync-revs command
--- a/documentation/migration-guides/release-notes-4.0.8.rst
+++ b/documentation/migration-guides/release-notes-4.0.8.rst
@@ -6,16 +6,16 @@ Release notes for Yocto-4.0.8 (Kirkstone)
 Security Fixes in Yocto-4.0.8
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  apr-util: Fix :cve:`2022-25147`
-  apr: Fix :cve:`2022-24963`, :cve:`2022-28331` and :cve:`2021-35940`
-  bind: Fix :cve:`2022-3094`, :cve:`2022-3736` and :cve:`2022-3924`
-  git: Ignore :cve:`2022-41953`
-  git: Fix :cve:`2022-23521` and :cve:`2022-41903`
-  libgit2: Fix :cve:`2023-22742`
-  ppp: Fix :cve:`2022-4603`
-  python3-certifi: Fix :cve:`2022-23491`
-  sudo: Fix :cve:`2023-22809`
-  tar: Fix :cve:`2022-48303`
+-  apr-util: Fix :cve_nist:`2022-25147`
+-  apr: Fix :cve_nist:`2022-24963`, :cve_nist:`2022-28331` and :cve_nist:`2021-35940`
+-  bind: Fix :cve_nist:`2022-3094`, :cve_nist:`2022-3736` and :cve_nist:`2022-3924`
+-  git: Ignore :cve_nist:`2022-41953`
+-  git: Fix :cve_nist:`2022-23521` and :cve_nist:`2022-41903`
+-  libgit2: Fix :cve_nist:`2023-22742`
+-  ppp: Fix :cve_nist:`2022-4603`
+-  python3-certifi: Fix :cve_nist:`2022-23491`
+-  sudo: Fix :cve_nist:`2023-22809`
+-  tar: Fix :cve_nist:`2022-48303`


 Fixes in Yocto-4.0.8
--- a/documentation/migration-guides/release-notes-4.0.9.rst
+++ b/documentation/migration-guides/release-notes-4.0.9.rst
@@ -4,26 +4,26 @@ Release notes for Yocto-4.0.9 (Kirkstone)
 Security Fixes in Yocto-4.0.9
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-  binutils: Fix :cve:`2023-22608`
-  curl: Fix :cve:`2023-23914`, :cve:`2023-23915` and :cve:`2023-23916`
-  epiphany: Fix :cve:`2023-26081`
-  git: Ignore :cve:`2023-22743`
-  glibc: Fix  :cve:`2023-0687`
-  gnutls: Fix :cve:`2023-0361`
-  go: Fix :cve:`2022-2879`, :cve:`2022-41720` and :cve:`2022-41723`
-  harfbuzz: Fix :cve:`2023-25193`
-  less: Fix :cve:`2022-46663`
-  libmicrohttpd: Fix :cve:`2023-27371`
-  libsdl2: Fix :cve:`2022-4743`
-  openssl: Fix :cve:`2022-3996`, :cve:`2023-0464`, :cve:`2023-0465` and :cve:`2023-0466`
-  pkgconf: Fix :cve:`2023-24056`
-  python3: Fix :cve:`2023-24329`
-  shadow: Ignore :cve:`2016-15024`
-  systemd: Fix :cve:`2022-4415`
-  tiff: Fix :cve:`2023-0800`, :cve:`2023-0801`, :cve:`2023-0802`, :cve:`2023-0803` and :cve:`2023-0804`
-  vim: Fix :cve:`2023-0433`, :cve:`2023-0512`, :cve:`2023-1127`, :cve:`2023-1170`, :cve:`2023-1175`, :cve:`2023-1264` and :cve:`2023-1355`
-  xserver-xorg: Fix :cve:`2023-0494`
-  xwayland: Fix :cve:`2023-0494`
+-  binutils: Fix :cve_nist:`2023-22608`
+-  curl: Fix :cve_nist:`2023-23914`, :cve_nist:`2023-23915` and :cve_nist:`2023-23916`
+-  epiphany: Fix :cve_nist:`2023-26081`
+-  git: Ignore :cve_nist:`2023-22743`
+-  glibc: Fix  :cve_nist:`2023-0687`
+-  gnutls: Fix :cve_nist:`2023-0361`
+-  go: Fix :cve_nist:`2022-2879`, :cve_nist:`2022-41720` and :cve_nist:`2022-41723`
+-  harfbuzz: Fix :cve_nist:`2023-25193`
+-  less: Fix :cve_nist:`2022-46663`
+-  libmicrohttpd: Fix :cve_nist:`2023-27371`
+-  libsdl2: Fix :cve_nist:`2022-4743`
+-  openssl: Fix :cve_nist:`2022-3996`, :cve_nist:`2023-0464`, :cve_nist:`2023-0465` and :cve_nist:`2023-0466`
+-  pkgconf: Fix :cve_nist:`2023-24056`
+-  python3: Fix :cve_nist:`2023-24329`
+-  shadow: Ignore :cve_nist:`2016-15024`
+-  systemd: Fix :cve_nist:`2022-4415`
+-  tiff: Fix :cve_nist:`2023-0800`, :cve_nist:`2023-0801`, :cve_nist:`2023-0802`, :cve_nist:`2023-0803` and :cve_nist:`2023-0804`
+-  vim: Fix :cve_nist:`2023-0433`, :cve_nist:`2023-0512`, :cve_nist:`2023-1127`, :cve_nist:`2023-1170`, :cve_nist:`2023-1175`, :cve_nist:`2023-1264` and :cve_nist:`2023-1355`
+-  xserver-xorg: Fix :cve_nist:`2023-0494`
+-  xwayland: Fix :cve_nist:`2023-0494`


 Fixes in Yocto-4.0.9
@@ -88,7 +88,7 @@ Fixes in Yocto-4.0.9
 -  pybootchartui: Fix python syntax issue
 -  python3-git: fix indent error
 -  python3-setuptools-rust-native: Add direct dependency of native python3 modules
-  qemu: Revert "fix :cve:`2021-3507`" as not applicable for qemu 6.2
+-  qemu: Revert "fix :cve_nist:`2021-3507`" as not applicable for qemu 6.2
 -  rsync: Add missing prototypes to function declarations
 -  rsync: Turn on -pedantic-errors at the end of 'configure'
 -  runqemu: kill qemu if it hangs
--- a/documentation/migration-guides/release-notes-4.0.rst
+++ b/documentation/migration-guides/release-notes-4.0.rst
@@ -22,7 +22,7 @@ New Features / Enhancements in 4.0

     BB_SIGNATURE_HANDLER = "OEEquivHash"
     BB_HASHSERVE = "auto"
-     BB_HASHSERVE_UPSTREAM = "hashserv.yocto.io:8687"
+     BB_HASHSERVE_UPSTREAM = "hashserv.yoctoproject.org:8686"
     SSTATE_MIRRORS ?= "file://.* https://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"

 - The Python package build process is now based on `wheels <https://pythonwheels.com/>`__
@@ -332,37 +332,37 @@ Other license-related notes:
 Security Fixes in 4.0
 ~~~~~~~~~~~~~~~~~~~~~

- binutils: :cve:`2021-42574`, :cve:`2021-45078`
- curl: :cve:`2021-22945`, :cve:`2021-22946`, :cve:`2021-22947`
- epiphany: :cve:`2021-45085`, :cve:`2021-45086`, :cve:`2021-45087`, :cve:`2021-45088`
- expat: :cve:`2021-45960`, :cve:`2021-46143`, :cve:`2022-22822`, :cve:`2022-22823`, :cve:`2022-22824`, :cve:`2022-22825`, :cve:`2022-22826`, :cve:`2022-22827`, :cve:`2022-23852`, :cve:`2022-23990`, :cve:`2022-25235`, :cve:`2022-25236`, :cve:`2022-25313`, :cve:`2022-25314`, :cve:`2022-25315`
- ffmpeg: :cve:`2021-38114`
- gcc: :cve:`2021-35465`, :cve:`2021-42574`, :cve:`2021-46195`, :cve:`2022-24765`
- glibc: :cve:`2021-3998`, :cve:`2021-3999`, :cve:`2021-43396`, :cve:`2022-23218`, :cve:`2022-23219`
- gmp: :cve:`2021-43618`
- go: :cve:`2021-41771` and :cve:`2021-41772`
- grub2: :cve:`2021-3981`
- gzip: :cve:`2022-1271`
- libarchive : :cve:`2021-31566`, :cve:`2021-36976`
- libxml2: :cve:`2022-23308`
- libxslt: :cve:`2021-30560`
- lighttpd: :cve:`2022-22707`
- linux-yocto/5.10: amdgpu: :cve:`2021-42327`
- lua: :cve:`2021-43396`
- openssl: :cve:`2021-4044`, :cve:`2022-0778`
- qemu: :cve:`2022-1050`, :cve:`2022-26353`, :cve:`2022-26354`
- rpm: :cve:`2021-3521`
- seatd: :cve:`2022-25643`
- speex: :cve:`2020-23903`
- squashfs-tools: :cve:`2021-41072`
- systemd: :cve:`2021-4034`
- tiff: :cve:`2022-0561`, :cve:`2022-0562`, :cve:`2022-0865`, :cve:`2022-0891`, :cve:`2022-0907`, :cve:`2022-0908`, :cve:`2022-0909`, :cve:`2022-0924`, :cve:`2022-1056`, :cve:`2022-22844`
- unzip: :cve:`2021-4217`
- vim: :cve:`2021-3796`, :cve:`2021-3872`, :cve:`2021-3875`, :cve:`2021-3927`, :cve:`2021-3928`, :cve:`2021-3968`, :cve:`2021-3973`, :cve:`2021-4187`, :cve:`2022-0128`, :cve:`2022-0156`, :cve:`2022-0158`, :cve:`2022-0261`, :cve:`2022-0318`, :cve:`2022-0319`, :cve:`2022-0554`, :cve:`2022-0696`, :cve:`2022-0714`, :cve:`2022-0729`, :cve:`2022-0943`
- virglrenderer: :cve:`2022-0135`, :cve:`2022-0175`
- webkitgtk: :cve:`2022-22589`, :cve:`2022-22590`, :cve:`2022-22592`
- xz: :cve:`2022-1271`
- zlib: :cve:`2018-25032`
+- binutils: :cve_nist:`2021-42574`, :cve_nist:`2021-45078`
+- curl: :cve_nist:`2021-22945`, :cve_nist:`2021-22946`, :cve_nist:`2021-22947`
+- epiphany: :cve_nist:`2021-45085`, :cve_nist:`2021-45086`, :cve_nist:`2021-45087`, :cve_nist:`2021-45088`
+- expat: :cve_nist:`2021-45960`, :cve_nist:`2021-46143`, :cve_nist:`2022-22822`, :cve_nist:`2022-22823`, :cve_nist:`2022-22824`, :cve_nist:`2022-22825`, :cve_nist:`2022-22826`, :cve_nist:`2022-22827`, :cve_nist:`2022-23852`, :cve_nist:`2022-23990`, :cve_nist:`2022-25235`, :cve_nist:`2022-25236`, :cve_nist:`2022-25313`, :cve_nist:`2022-25314`, :cve_nist:`2022-25315`
+- ffmpeg: :cve_nist:`2021-38114`
+- gcc: :cve_nist:`2021-35465`, :cve_nist:`2021-42574`, :cve_nist:`2021-46195`, :cve_nist:`2022-24765`
+- glibc: :cve_nist:`2021-3998`, :cve_nist:`2021-3999`, :cve_nist:`2021-43396`, :cve_nist:`2022-23218`, :cve_nist:`2022-23219`
+- gmp: :cve_nist:`2021-43618`
+- go: :cve_nist:`2021-41771` and :cve_nist:`2021-41772`
+- grub2: :cve_nist:`2021-3981`
+- gzip: :cve_nist:`2022-1271`
+- libarchive : :cve_nist:`2021-31566`, :cve_nist:`2021-36976`
+- libxml2: :cve_nist:`2022-23308`
+- libxslt: :cve_nist:`2021-30560`
+- lighttpd: :cve_nist:`2022-22707`
+- linux-yocto/5.10: amdgpu: :cve_nist:`2021-42327`
+- lua: :cve_nist:`2021-43396`
+- openssl: :cve_nist:`2021-4044`, :cve_nist:`2022-0778`
+- qemu: :cve_nist:`2022-1050`, :cve_nist:`2022-26353`, :cve_nist:`2022-26354`
+- rpm: :cve_nist:`2021-3521`
+- seatd: :cve_nist:`2022-25643`
+- speex: :cve_nist:`2020-23903`
+- squashfs-tools: :cve_nist:`2021-41072`
+- systemd: :cve_nist:`2021-4034`
+- tiff: :cve_nist:`2022-0561`, :cve_nist:`2022-0562`, :cve_nist:`2022-0865`, :cve_nist:`2022-0891`, :cve_nist:`2022-0907`, :cve_nist:`2022-0908`, :cve_nist:`2022-0909`, :cve_nist:`2022-0924`, :cve_nist:`2022-1056`, :cve_nist:`2022-22844`
+- unzip: :cve_nist:`2021-4217`
+- vim: :cve_nist:`2021-3796`, :cve_nist:`2021-3872`, :cve_nist:`2021-3875`, :cve_nist:`2021-3927`, :cve_nist:`2021-3928`, :cve_nist:`2021-3968`, :cve_nist:`2021-3973`, :cve_nist:`2021-4187`, :cve_nist:`2022-0128`, :cve_nist:`2022-0156`, :cve_nist:`2022-0158`, :cve_nist:`2022-0261`, :cve_nist:`2022-0318`, :cve_nist:`2022-0319`, :cve_nist:`2022-0554`, :cve_nist:`2022-0696`, :cve_nist:`2022-0714`, :cve_nist:`2022-0729`, :cve_nist:`2022-0943`
+- virglrenderer: :cve_nist:`2022-0135`, :cve_nist:`2022-0175`
+- webkitgtk: :cve_nist:`2022-22589`, :cve_nist:`2022-22590`, :cve_nist:`2022-22592`
+- xz: :cve_nist:`2022-1271`
+- zlib: :cve_nist:`2018-25032`



--- a/documentation/overview-manual/concepts.rst
+++ b/documentation/overview-manual/concepts.rst
@@ -939,11 +939,62 @@ the analysis and package splitting process use several areas:
   execute on a system and it generates code for yet another machine
   (e.g. cross-canadian recipes).

-The :term:`FILES` variable defines the
-files that go into each package in
-:term:`PACKAGES`. If you want
-details on how this is accomplished, you can look at
-:yocto_git:`package.bbclass </poky/tree/meta/classes/package.bbclass>`.
+Packages for a recipe are listed in the :term:`PACKAGES` variable. The
+:oe_git:`bitbake.conf </openembedded-core/tree/meta/conf/bitbake.conf>`
+configuration file defines the following default list of packages::
+
+  PACKAGES = "${PN}-src ${PN}-dbg ${PN}-staticdev ${PN}-dev ${PN}-doc ${PN}-locale ${PACKAGE_BEFORE_PN} ${PN}"
+
+Each of these packages contains a default list of files defined with the
+:term:`FILES` variable. For example, the package ``${PN}-dev`` represents files
+useful to the development of applications depending on ``${PN}``. The default
+list of files for ``${PN}-dev``, also defined in :oe_git:`bitbake.conf
+</openembedded-core/tree/meta/conf/bitbake.conf>`, is defined as follows::
+
+  FILES:${PN}-dev = "${includedir} ${FILES_SOLIBSDEV} ${libdir}/*.la \
+                  ${libdir}/*.o ${libdir}/pkgconfig ${datadir}/pkgconfig \
+                  ${datadir}/aclocal ${base_libdir}/*.o \
+                  ${libdir}/${BPN}/*.la ${base_libdir}/*.la \
+                  ${libdir}/cmake ${datadir}/cmake"
+
+The paths in this list must be *absolute* paths from the point of view of the
+root filesystem on the target, and must *not* make a reference to the variable
+:term:`D` or any :term:`WORKDIR` related variable. A correct example would be::
+
+  ${sysconfdir}/foo.conf
+
+.. note::
+
+   The list of files for a package is defined using the override syntax by
+   separating :term:`FILES` and the package name by a semi-colon (``:``).
+
+A given file can only ever be in one package. By iterating from the leftmost to
+rightmost package in :term:`PACKAGES`, each file matching one of the patterns
+defined in the corresponding :term:`FILES` definition is included in the
+package.
+
+.. note::
+
+  To find out which package installs a file, the ``oe-pkgdata-util``
+  command-line utility can be used::
+
+    $ oe-pkgdata-util find-path '/etc/fstab'
+    base-files: /etc/fstab
+
+  For more information on the ``oe-pkgdata-util`` utility, see the section
+  :ref:`dev-manual/debugging:Viewing Package Information with
+  \`\`oe-pkgdata-util\`\`` of the Yocto Project Development Tasks Manual.
+
+To add a custom package variant of the ``${PN}`` recipe named
+``${PN}-extra`` (name is arbitrary), one can add it to the
+:term:`PACKAGE_BEFORE_PN` variable::
+
+  PACKAGE_BEFORE_PN += "${PN}-extra"
+
+Alternatively, a custom package can be added by adding it to the
+:term:`PACKAGES` variable using the prepend operator (``=+``)::
+
+  PACKAGES =+ "${PN}-extra"

 Depending on the type of packages being created (RPM, DEB, or IPK), the
 :ref:`do_package_write_* <ref-tasks-package_write_deb>`
--- a/documentation/ref-manual/devtool-reference.rst
+++ b/documentation/ref-manual/devtool-reference.rst
@@ -24,7 +24,7 @@ The ``devtool`` command line is organized similarly to Git in that it
 has a number of sub-commands for each function. You can run
 ``devtool --help`` to see all the commands::

-   $ devtool -h
+   $ devtool --help
   NOTE: Starting bitbake server...
   usage: devtool [--basepath BASEPATH] [--bbpath BBPATH] [-d] [-q] [--color COLOR] [-h] <subcommand> ...

@@ -63,17 +63,11 @@ has a number of sub-commands for each function. You can run
       build-image           Build image including workspace recipe packages
     Advanced:
       create-workspace      Set up workspace in an alternative location
+       import                Import exported tar archive into workspace
+       export                Export workspace into a tar archive
       extract               Extract the source for an existing recipe
       sync                  Synchronize the source tree for an existing recipe
       menuconfig            Alter build-time configuration for a recipe
-       import                Import exported tar archive into workspace
-       export                Export workspace into a tar archive
-     other:
-       selftest-reverse      Reverse value (for selftest)
-       pluginfile            Print the filename of this plugin
-       bbdir                 Print the BBPATH directory of this plugin
-       count                 How many times have this plugin been registered.
-       multiloaded           How many times have this plugin been initialized
   Use devtool <subcommand> --help to get help on a specific command

 As directed in the general help output, you can
@@ -82,8 +76,8 @@ using ``--help``::

   $ devtool add --help
   NOTE: Starting bitbake server...
-   usage: devtool add [-h] [--same-dir | --no-same-dir] [--fetch URI] [--npm-dev] [--version VERSION] [--no-git] [--srcrev SRCREV | --autorev] [--srcbranch SRCBRANCH] [--binary] [--also-native] [--src-subdir SUBDIR] [--mirrors]
-                      [--provides PROVIDES]
+   usage: devtool add [-h] [--same-dir | --no-same-dir] [--fetch URI] [--npm-dev] [--no-pypi] [--version VERSION] [--no-git] [--srcrev SRCREV | --autorev]
+                      [--srcbranch SRCBRANCH] [--binary] [--also-native] [--src-subdir SUBDIR] [--mirrors] [--provides PROVIDES]
                      [recipename] [srctree] [fetchuri]

   Adds a new recipe to the workspace to build a specified source tree. Can optionally fetch a remote URI and unpack it to create the source tree.
@@ -99,6 +93,7 @@ using ``--help``::
     --no-same-dir         Force build in a separate build directory
     --fetch URI, -f URI   Fetch the specified URI and extract it to create the source tree (deprecated - pass as positional argument instead)
     --npm-dev             For npm, also fetch devDependencies
+     --no-pypi             Do not inherit pypi class
     --version VERSION, -V VERSION
                           Version to use within recipe (PV)
     --no-git, -g          If fetching source, do not set up source tree as a git repository
@@ -465,6 +460,20 @@ Here is an example that resets the workspace directory that contains the
   NOTE: Leaving source tree /home/scottrif/poky/build/workspace/sources/mtr as-is; if you no longer need it then please delete it manually
   $

+.. _devtool-finish-working-on-a-recipe:
+
+Finish Working on a Recipe
+==========================
+
+Use the ``devtool finish`` command to push any committed changes to the
+specified recipe in the specified layer and remove it from your workspace.
+
+This is roughly equivalent to the ``devtool update-recipe`` command followed by
+the ``devtool reset`` command. The changes must have been committed to the git
+repository created by ``devtool``. Here is an example::
+
+  $ devtool finish recipe /path/to/custom/layer
+
 .. _devtool-building-your-recipe:

 Building Your Recipe
@@ -617,3 +626,20 @@ a match.

 When you use the ``devtool search`` command, you must supply a keyword.
 The command uses the keyword when searching for a match.
+
+Alternatively, the ``devtool find-recipe`` command can be used to search for
+recipe files instead of recipe names. Likewise, you must supply a keyword.
+
+.. _devtool-get-the-configure-script-help:
+
+Get Information on Recipe Configuration Scripts
+===============================================
+
+Use the ``devtool configure-help`` command to get help on the configuration
+script options for a given recipe. You must supply the recipe name to the
+command. For example, it shows the output of ``./configure --help`` for
+:ref:`autotools <ref-classes-autotools>`-based recipes.
+
+The ``configure-help`` command will also display the configuration options
+currently in use, including the ones passed through the :term:`EXTRA_OECONF`
+variable.
--- a/documentation/ref-manual/release-process.rst
+++ b/documentation/ref-manual/release-process.rst
@@ -103,17 +103,22 @@ have reached their End of Life (EOL) won't receive such updates.

 This started with version 3.1 ("Dunfell"), released in April 2020, which
 the project initially committed to supporting for two years, but this duration
-was later extended to four years. Similarly, the following :term:`LTS` release,
-version 4.0 ("Kirkstone"), was released two years later in May 2022 and the
-project committed to supporting it for four years too.
+was later extended to four years.

-Therefore, a new :term:`LTS` release is made every two years and is supported
-for four years. This offers more stability to project users and leaves more
-time to upgrade to the following :term:`LTS` release.
+A new :term:`LTS` release is made every two years and is supported for four
+years. This offers more stability to project users and leaves more time to
+upgrade to the following :term:`LTS` release.
+
+The currently supported :term:`LTS` releases are:
+
+-  Version 5.0 ("Scarthgap"), released in April 2024 and supported until April 2028.
+-  Version 4.0 ("Kirkstone"), released in May 2022 and supported until May 2026.

 See :yocto_wiki:`/Stable_Release_and_LTS` for details about the management
 of stable and :term:`LTS` releases.

+This documentation was built for the &DISTRO_NAME; release.
+
 .. image:: svg/releases.*
   :width: 100%

--- a/documentation/ref-manual/structure.rst
+++ b/documentation/ref-manual/structure.rst
@@ -476,6 +476,30 @@ the ":ref:`sdk-manual/appendix-obtain:building an sdk installer`"
 section in the Yocto Project Application Development and the Extensible
 Software Development Kit (eSDK) manual.

+.. _structure-build-tmp-hosttools:
+
+``build/tmp/hosttools/``
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+The OpenEmbedded build system uses this directory to create symbolic links to
+some of the host components that are allowed to be called within tasks. These
+are basic components listed in the :ref:`ref-manual/system-requirements:required
+packages for the build host` section. These components are also listed in the
+:term:`HOSTTOOLS` variable and are limited to this list to prevent host
+contamination.
+
+.. _structure-build-tmp-pkgdata:
+
+``build/tmp/pkgdata/``
+~~~~~~~~~~~~~~~~~~~~~~
+
+The OpenEmbedded build system uses this directory to store package metadata
+generated during the :ref:`ref-tasks-packagedata` task. The files stored in this
+directory contain information about each output package produced by the
+OpenEmbedded build system, and are used in different ways by the build system
+such as ":ref:`dev-manual/debugging:viewing package information with
+\`\`oe-pkgdata-util\`\``".
+
 .. _structure-build-tmp-sstate-control:

 ``build/tmp/sstate-control/``
@@ -649,8 +673,15 @@ Here are key subdirectories within each recipe work directory:

 For efficiency, the OpenEmbedded build system creates and uses this
 directory to hold recipes that share a work directory with other
-recipes. In practice, this is only used for ``gcc`` and its variants
-(e.g. ``gcc-cross``, ``libgcc``, ``gcc-runtime``, and so forth).
+recipes. This is for example used for ``gcc`` and its variants (e.g.
+``gcc-cross``, ``libgcc``, ``gcc-runtime``, and so forth), or by the
+:ref:`ref-classes-kernel` class to make the kernel source code and kernel build
+artifacts available to out-of-tree kernel modules or other kernel-dependent
+recipes.
+
+In practice, only a few recipes make use of the ``work-shared`` directory. This
+directory is especially useful for recipes that would induce a lot of storage
+space if they were to be shared with the standard :term:`Sysroot` mechanism.

 .. _structure-meta:

--- a/documentation/ref-manual/svg/releases.svg
+++ b/documentation/ref-manual/svg/releases.svg
--- a/documentation/ref-manual/terms.rst
+++ b/documentation/ref-manual/terms.rst
@@ -483,6 +483,31 @@ universal, the list includes them just in case:
      and the ":ref:`dev-manual/sbom:creating a software bill of materials`"
      section of the Development Tasks manual.

+   :term:`Sysroot`
+      When cross-compiling, the target file system may be differently laid
+      out and contain different things compared to the host system. The concept
+      of a *sysroot* is directory which looks like the target filesystem and
+      can be used to cross-compile against.
+
+      In the context of cross-compiling toolchains, a *sysroot*
+      typically contains C library and kernel headers, plus the
+      compiled binaries for the C library. A *multilib toolchain*
+      can contain multiple variants of the C library binaries,
+      each compiled for a target instruction set (such as ``armv5``,
+      ``armv7`` and ``armv8``), and possibly optimized for a specific CPU core.
+
+      In the more specific context of the OpenEmbedded build System and
+      of the Yocto Project, each recipe has two sysroots:
+
+      -  A *target sysroot* contains all the **target** libraries and headers
+         needed to build the recipe.
+
+      -  A *native sysroot* contains all the **host** files and executables
+         needed to build the recipe.
+
+      See the :term:`SYSROOT_* <SYSROOT_DESTDIR>` variables controlling
+      how sysroots are created and stored.
+
   :term:`Task`
      A per-recipe unit of execution for BitBake (e.g.
      :ref:`ref-tasks-compile`,
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -135,7 +135,7 @@ system and gives an overview of their function and contents.
      appear in :term:`DISTRO_FEATURES` within the current configuration, then
      the recipe will be skipped, and if the build system attempts to build
      the recipe then an error will be triggered.
-      
+

   :term:`APPEND`
      An override list of append strings for each target specified with
@@ -1521,6 +1521,10 @@ system and gives an overview of their function and contents.
         variable only in certain contexts (e.g. when building for kernel
         and kernel module recipes).

+   :term:`CVE_CHECK_CREATE_MANIFEST`
+      Specifies whether to create a CVE manifest to place in the deploy
+      directory. The default is "1".
+
   :term:`CVE_CHECK_IGNORE`
      The list of CVE IDs which are ignored. Here is
      an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
@@ -1528,6 +1532,16 @@ system and gives an overview of their function and contents.
         # This is windows only issue.
         CVE_CHECK_IGNORE += "CVE-2020-15523"

+   :term:`CVE_CHECK_MANIFEST_JSON`
+      Specifies the path to the CVE manifest in JSON format. See
+      :term:`CVE_CHECK_CREATE_MANIFEST`.
+
+   :term:`CVE_CHECK_REPORT_PATCHED`
+      Specifies whether or not the :ref:`ref-classes-cve-check`
+      class should report patched or ignored CVEs. The default is "1", but you
+      may wish to set it to "0" if you do not need patched or ignored CVEs in
+      the logs.
+
   :term:`CVE_CHECK_SHOW_WARNINGS`
      Specifies whether or not the :ref:`cve-check <ref-classes-cve-check>`
      class should generate warning messages on the console when unpatched
@@ -2293,6 +2307,18 @@ system and gives an overview of their function and contents.
      :ref:`kernel-yocto <ref-classes-kernel-yocto>` class in
      ``meta/classes`` to see how the variable is used.

+   :term:`EXTERNAL_KERNEL_DEVICETREE`
+      When inheriting :ref:`ref-classes-kernel-fitimage` and a
+      :term:`PREFERRED_PROVIDER` for ``virtual/dtb`` set to ``devicetree``, the
+      variable :term:`EXTERNAL_KERNEL_DEVICETREE` can be used to specify a
+      directory containing one or more compiled device tree or device tree
+      overlays to use.
+
+      Using this variable is only useful when you are using a kernel recipe
+      inheriting the :ref:`ref-classes-kernel` class, and which doesn't
+      already set a local version. Therefore, setting this variable has no
+      impact on ``linux-yocto`` kernels.
+
   :term:`EXTERNAL_TOOLCHAIN`
      When you intend to use an
      :ref:`external toolchain <dev-manual/external-toolchain:optionally using an external toolchain>`,
@@ -2483,8 +2509,8 @@ system and gives an overview of their function and contents.
      .. note::

         From a security perspective, hardcoding a default password is not
-         generally a good idea or even legal in some jurisdictions. It is 
-         recommended that you do not do this if you are building a production 
+         generally a good idea or even legal in some jurisdictions. It is
+         recommended that you do not do this if you are building a production
         image.

      Additionally there is a special ``passwd-expire`` command that will
@@ -5359,6 +5385,13 @@ system and gives an overview of their function and contents.
      default by setting the variable in a custom distribution
      configuration file.

+   :term:`OPKGBUILDCMD`
+      The variable :term:`OPKGBUILDCMD` specifies the command used to build opkg
+      packages when using the :ref:`ref-classes-package_ipk` class. It is
+      defined in :ref:`ref-classes-package_ipk` as::
+
+          OPKGBUILDCMD ??= 'opkg-build -Z zstd -a "${ZSTD_DEFAULTS}"'
+
   :term:`OVERRIDES`
      A colon-separated list of overrides that currently apply. Overrides
      are a BitBake mechanism that allows variables to be selectively
@@ -7340,6 +7373,50 @@ system and gives an overview of their function and contents.
         might break at runtime if the interface of the recipe was changed
         after the other had been built.

+   :term:`SIGGEN_LOCKEDSIGS`
+     The list of locked tasks, with the form::
+
+       SIGGEN_LOCKEDSIGS += "<package>:<task>:<signature>"
+
+     If ``<signature>`` exists for the specified ``<task>`` and ``<package>``
+     in the sstate cache, BitBake will use the cached output instead of
+     rebuilding the ``<task>``. If it does not exist, BitBake will build the
+     ``<task>`` and the sstate cache will be used next time.
+
+     Example::
+
+       SIGGEN_LOCKEDSIGS += "bc:do_compile:09772aa4532512baf96d433484f27234d4b7c11dd9cda0d6f56fa1b7ce6f25f0"
+
+     You can obtain the signature of all the tasks for the recipe ``bc`` using::
+
+       bitbake -S none bc
+
+     Then you can look at files in ``build/tmp/stamps/<arch>/bc`` and look for
+     files like: ``<PV>.do_compile.sigdata.09772aa4532512baf96d433484f27234d4b7c11dd9cda0d6f56fa1b7ce6f25f0``.
+
+   :term:`SIGGEN_LOCKEDSIGS_TASKSIG_CHECK`
+     Specifies the debug level of task signature check. 3 levels are supported:
+
+     * ``info``: displays a "Note" message to remind the user that a task is locked
+       and the current signature matches the locked one.
+     * ``warn``: displays a "Warning" message if a task is locked and the current
+       signature does not match the locked one.
+     * ``error``: same as warn but displays an "Error" message and aborts.
+
+   :term:`SIGGEN_LOCKEDSIGS_TYPES`
+     Allowed overrides for :term:`SIGGEN_LOCKEDSIGS`. This is mainly used
+     for architecture specific locks. A common value for
+     :term:`SIGGEN_LOCKEDSIGS_TYPES` is ``${PACKAGE_ARCHS}``::
+
+       SIGGEN_LOCKEDSIGS_TYPES += "${PACKAGE_ARCHS}"
+
+       SIGGEN_LOCKEDSIGS_core2-64 += "bc:do_compile:09772aa4532512baf96d433484f27234d4b7c11dd9cda0d6f56fa1b7ce6f25f0"
+       SIGGEN_LOCKEDSIGS_cortexa57 += "bc:do_compile:12178eb6d55ef602a8fe638e49862fd247e07b228f0f08967697b655bfe4bb61"
+
+     Here, the ``do_compile`` task from ``bc`` will be locked only for
+     ``core2-64`` and ``cortexa57`` but not for other architectures such as
+     ``mips32r2``.
+
   :term:`SITEINFO_BITS`
      Specifies the number of bits for the target system CPU. The value
      should be either "32" or "64".
@@ -9548,4 +9625,3 @@ system and gives an overview of their function and contents.

      On systems where many tasks run in parallel, setting a limit to this
      can be helpful in controlling system resource usage.
-
--- a/documentation/styles/config/vocabularies/Yocto/accept.txt
+++ b/documentation/styles/config/vocabularies/Yocto/accept.txt
@@ -2,4 +2,5 @@ BitBake
 BSP
 crosstap
 OpenEmbedded
+sstate
 Yocto
--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -1,7 +1,7 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
 #DISTRO_VERSION = "3.4+snapshot-${METADATA_REVISION}"
-DISTRO_VERSION = "4.0.22"
+DISTRO_VERSION = "4.0.23"
 DISTRO_CODENAME = "kirkstone"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"
--- a/meta-poky/conf/local.conf.sample
+++ b/meta-poky/conf/local.conf.sample
@@ -229,7 +229,7 @@ BB_DISKMON_DIRS ??= "\
 # which will depend on your network.
 # Note: For this to work you also need hash-equivalence passthrough to the matching server
 #
-#BB_HASHSERVE_UPSTREAM = "hashserv.yocto.io:8687"
+#BB_HASHSERVE_UPSTREAM = "hashserv.yoctoproject.org:8686"
 #SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"

 #
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -25,8 +25,9 @@
 CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"

-CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
+CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db"
+CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}"
 CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"

 CVE_CHECK_LOG ?= "${T}/cve.log"
@@ -157,7 +158,7 @@ python do_cve_check () {
 }

 addtask cve_check before do_build
-do_cve_check[depends] = "cve-update-nvd2-native:do_fetch"
+do_cve_check[depends] = "cve-update-nvd2-native:do_unpack"
 do_cve_check[nostamp] = "1"

 python cve_check_cleanup () {
@@ -397,8 +398,10 @@ def get_cve_info(d, cves):
            cve_data[row[0]]["summary"] = row[1]
            cve_data[row[0]]["scorev2"] = row[2]
            cve_data[row[0]]["scorev3"] = row[3]
-            cve_data[row[0]]["modified"] = row[4]
-            cve_data[row[0]]["vector"] = row[5]
+            cve_data[row[0]]["scorev4"] = row[4]
+            cve_data[row[0]]["modified"] = row[5]
+            cve_data[row[0]]["vector"] = row[6]
+            cve_data[row[0]]["vectorString"] = row[7]
        cursor.close()
    conn.close()
    return cve_data
@@ -454,7 +457,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
        write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
        write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
        write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
+        write_string += "CVSS v4 BASE SCORE: %s\n" % cve_data[cve]["scorev4"]
        write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
+        write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"]
        write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)

    if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
@@ -568,7 +573,9 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
            "summary" : cve_data[cve]["summary"],
            "scorev2" : cve_data[cve]["scorev2"],
            "scorev3" : cve_data[cve]["scorev3"],
+            "scorev4" : cve_data[cve]["scorev4"],
            "vector" : cve_data[cve]["vector"],
+            "vectorString" : cve_data[cve]["vectorString"],
            "status" : status,
            "link": issue_link
        }
--- a/meta/classes/overlayfs-etc.bbclass
+++ b/meta/classes/overlayfs-etc.bbclass
@@ -35,6 +35,7 @@ OVERLAYFS_ETC_USE_ORIG_INIT_NAME ??= "1"
 OVERLAYFS_ETC_MOUNT_OPTIONS ??= "defaults"
 OVERLAYFS_ETC_INIT_TEMPLATE ??= "${COREBASE}/meta/files/overlayfs-etc-preinit.sh.in"
 OVERLAYFS_ETC_EXPOSE_LOWER ??= "0"
+OVERLAYFS_ETC_CREATE_MOUNT_DIRS ??= "1"

 python create_overlayfs_etc_preinit() {
    overlayEtcMountPoint = d.getVar("OVERLAYFS_ETC_MOUNT_POINT")
@@ -56,6 +57,7 @@ python create_overlayfs_etc_preinit() {
    initBaseName = oe.path.join(d.getVar("base_sbindir"), "init")
    origInitNameSuffix = ".orig"
    exposeLower = oe.types.boolean(d.getVar('OVERLAYFS_ETC_EXPOSE_LOWER'))
+    createMoundDirs = oe.types.boolean(d.getVar('OVERLAYFS_ETC_CREATE_MOUNT_DIRS'))

    args = {
        'OVERLAYFS_ETC_MOUNT_POINT': overlayEtcMountPoint,
@@ -63,7 +65,8 @@ python create_overlayfs_etc_preinit() {
        'OVERLAYFS_ETC_FSTYPE': overlayEtcFsType,
        'OVERLAYFS_ETC_DEVICE': overlayEtcDevice,
        'SBIN_INIT_NAME': initBaseName + origInitNameSuffix if useOrigInit else initBaseName,
-        'OVERLAYFS_ETC_EXPOSE_LOWER': "true" if exposeLower else "false"
+        'OVERLAYFS_ETC_EXPOSE_LOWER': "true" if exposeLower else "false",
+        'CREATE_MOUNT_DIRS': "true" if createMoundDirs else "false"
    }

    if useOrigInit:
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -574,26 +574,16 @@ def copydebugsources(debugsrcdir, sources, d):
        objcopy = d.getVar("OBJCOPY")
        workdir = d.getVar("WORKDIR")
        sdir = d.getVar("S")
-        sparentdir = os.path.dirname(os.path.dirname(sdir))
-        sbasedir = os.path.basename(os.path.dirname(sdir)) + "/" + os.path.basename(sdir)
-        workparentdir = os.path.dirname(os.path.dirname(workdir))
-        workbasedir = os.path.basename(os.path.dirname(workdir)) + "/" + os.path.basename(workdir)
+        cflags = d.expand("${CFLAGS}")

-        # If S isnt based on WORKDIR we can infer our sources are located elsewhere,
-        # e.g. using externalsrc; use S as base for our dirs
-        if workdir in sdir or 'work-shared' in sdir:
-            basedir = workbasedir
-            parentdir = workparentdir
-        else:
-            basedir = sbasedir
-            parentdir = sparentdir
-
-        # If build path exists in sourcefile, it means toolchain did not use
-        # -fdebug-prefix-map to compile
-        if checkbuildpath(sourcefile, d):
-            localsrc_prefix = parentdir + "/"
-        else:
-            localsrc_prefix = "/usr/src/debug/"
+        prefixmap = {}
+        for flag in cflags.split():
+            if not flag.startswith("-fdebug-prefix-map"):
+                continue
+            if "recipe-sysroot" in flag:
+                continue
+            flag = flag.split("=")
+            prefixmap[flag[1]] = flag[2]

        nosuchdir = []
        basepath = dvar
@@ -604,28 +594,26 @@ def copydebugsources(debugsrcdir, sources, d):
        bb.utils.mkdirhier(basepath)
        cpath.updatecache(basepath)

-        # Ignore files from the recipe sysroots (target and native)
-        processdebugsrc =  "LC_ALL=C ; sort -z -u '%s' | egrep -v -z '((<internal>|<built-in>)$|/.*recipe-sysroot.*/)' | "
-        # We need to ignore files that are not actually ours
-        # we do this by only paying attention to items from this package
-        processdebugsrc += "fgrep -zw '%s' | "
-        # Remove prefix in the source paths
-        processdebugsrc += "sed 's#%s##g' | "
-        processdebugsrc += "(cd '%s' ; cpio -pd0mlL --no-preserve-owner '%s%s' 2>/dev/null)"
+        for pmap in prefixmap:
+            # Ignore files from the recipe sysroots (target and native)
+            cmd =  "LC_ALL=C ; sort -z -u '%s' | egrep -v -z '((<internal>|<built-in>)$|/.*recipe-sysroot.*/)' | " % sourcefile
+            # We need to ignore files that are not actually ours
+            # we do this by only paying attention to items from this package
+            cmd += "fgrep -zw '%s' | " % prefixmap[pmap]
+            # Remove prefix in the source paths
+            cmd += "sed 's#%s/##g' | " % (prefixmap[pmap])
+            cmd += "(cd '%s' ; cpio -pd0mlL --no-preserve-owner '%s%s' 2>/dev/null)" % (pmap, dvar, prefixmap[pmap])

-        cmd = processdebugsrc % (sourcefile, basedir, localsrc_prefix, parentdir, dvar, debugsrcdir)
-        try:
+            try:
+                subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
+            except subprocess.CalledProcessError:
+                # Can "fail" if internal headers/transient sources are attempted
+                pass
+            # cpio seems to have a bug with -lL together and symbolic links are just copied, not dereferenced.
+            # Work around this by manually finding and copying any symbolic links that made it through.
+            cmd = "find %s%s -type l -print0 -delete | sed s#%s%s/##g | (cd '%s' ; cpio -pd0mL --no-preserve-owner '%s%s')" % \
+                    (dvar, prefixmap[pmap], dvar, prefixmap[pmap], pmap, dvar, prefixmap[pmap])
            subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
-        except subprocess.CalledProcessError:
-            # Can "fail" if internal headers/transient sources are attempted
-            pass
-
-        # cpio seems to have a bug with -lL together and symbolic links are just copied, not dereferenced.
-        # Work around this by manually finding and copying any symbolic links that made it through.
-        cmd = "find %s%s -type l -print0 -delete | sed s#%s%s/##g | (cd '%s' ; cpio -pd0mL --no-preserve-owner '%s%s')" % \
-                (dvar, debugsrcdir, dvar, debugsrcdir, parentdir, dvar, debugsrcdir)
-        subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
-

        # debugsources.list may be polluted from the host if we used externalsrc,
        # cpio uses copy-pass and may have just created a directory structure
--- a/meta/files/overlayfs-etc-preinit.sh.in
+++ b/meta/files/overlayfs-etc-preinit.sh.in
@@ -3,12 +3,15 @@
 echo "PREINIT: Start"

 PATH=/sbin:/bin:/usr/sbin:/usr/bin
-mount -o remount,rw /
+if {CREATE_MOUNT_DIRS}; then
+    mount -o remount,rw /

-mkdir -p /proc
-mkdir -p /sys
-mkdir -p /run
-mkdir -p /var/run
+    mkdir -p /proc
+    mkdir -p /sys
+    mkdir -p /run
+    mkdir -p /var/run
+    mkdir -p {OVERLAYFS_ETC_MOUNT_POINT}
+fi

 mount -t proc proc /proc
 mount -t sysfs sysfs /sys
@@ -20,7 +23,6 @@ UPPER_DIR=$BASE_OVERLAY_ETC_DIR/upper
 WORK_DIR=$BASE_OVERLAY_ETC_DIR/work
 LOWER_DIR=$BASE_OVERLAY_ETC_DIR/lower

-mkdir -p {OVERLAYFS_ETC_MOUNT_POINT}
 if mount -n -t {OVERLAYFS_ETC_FSTYPE} \
    -o {OVERLAYFS_ETC_MOUNT_OPTIONS} \
    {OVERLAYFS_ETC_DEVICE} {OVERLAYFS_ETC_MOUNT_POINT}
--- a/meta/lib/oe/patch.py
+++ b/meta/lib/oe/patch.py
@@ -2,9 +2,11 @@
 # SPDX-License-Identifier: GPL-2.0-only
 #

+import os
+import shlex
+import subprocess
 import oe.path
 import oe.types
-import subprocess

 class NotFoundError(bb.BBHandledException):
    def __init__(self, path):
@@ -25,8 +27,6 @@ class CmdError(bb.BBHandledException):


 def runcmd(args, dir = None):
-    import pipes
-
    if dir:
        olddir = os.path.abspath(os.curdir)
        if not os.path.exists(dir):
@@ -35,7 +35,7 @@ def runcmd(args, dir = None):
        # print("cwd: %s -> %s" % (olddir, dir))

    try:
-        args = [ pipes.quote(str(arg)) for arg in args ]
+        args = [ shlex.quote(str(arg)) for arg in args ]
        cmd = " ".join(args)
        # print("cmd: %s" % cmd)
        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
@@ -215,7 +215,7 @@ class PatchTree(PatchSet):
        with open(self.seriespath, 'w') as f:
            for p in patches:
                f.write(p)
-         
+
    def Import(self, patch, force = None):
        """"""
        PatchSet.Import(self, patch, force)
@@ -919,4 +919,3 @@ def should_apply(parm, d):
            return False, "applies to later version"

    return True, None
-
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
@@ -0,0 +1,202 @@
+From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+
+CVE: CVE-2024-9143
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ crypto/bn/bn_gf2m.c     | 28 +++++++++++++++-------
+ test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 71 insertions(+), 8 deletions(-)
+
+diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
+index c811ae82d6b15..bcc66613cc14d 100644
+--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
+# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
+ * coefficient.  The array is intended to be suitable for use with
+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
+ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
+ *
+ * Given sufficient room, the array is terminated with -1.  Up to max elements
+ * of the array will be filled.
+ *
+ * The return value is total number of array elements that would be filled if
+ * array was large enough, including the terminating `-1`.  It is `0` when `a`
+ * is not odd or the constant term is zero contrary to requirement.
+ *
+ * The return value is also `0` when the leading exponent exceeds
+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
+    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
+    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
+        return 0;
+
+    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
+    return k + 1;
+ }
+ 
+ /*
+diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
+index 8c2cd05631696..02cfd4e9d8858 100644
+--- a/test/ec_internal_test.c
+++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
+/* Test that decoding of invalid GF2m field parameters fails. */
+static int ec2m_field_sanity(void)
+{
+    int ret = 0;
+    BN_CTX *ctx = BN_CTX_new();
+    BIGNUM *p, *a, *b;
+    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
+
+    TEST_info("Testing GF2m hardening\n");
+
+    BN_CTX_start(ctx);
+    p = BN_CTX_get(ctx);
+    a = BN_CTX_get(ctx);
+    if (!TEST_ptr(b = BN_CTX_get(ctx))
+        || !TEST_true(BN_one(a))
+        || !TEST_true(BN_one(b)))
+        goto out;
+
+    /* Even pentanomial value should be rejected */
+    if (!TEST_true(BN_set_word(p, 0xf2)))
+        goto out;
+    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("Zero constant term accepted in GF2m polynomial");
+
+    /* Odd hexanomial should also be rejected */
+    if (!TEST_true(BN_set_word(p, 0xf3)))
+        goto out;
+    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("Hexanomial accepted as GF2m polynomial");
+
+    /* Excessive polynomial degree should also be rejected */
+    if (!TEST_true(BN_set_word(p, 0x71))
+        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
+        goto out;
+    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("GF2m polynomial degree > %d accepted",
+                   OPENSSL_ECC_MAX_FIELD_BITS);
+
+    ret = group1 == NULL && group2 == NULL && group3 == NULL;
+
+ out:
+    EC_GROUP_free(group1);
+    EC_GROUP_free(group2);
+    EC_GROUP_free(group3);
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+
+    return ret;
+}
+
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
+    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
--- a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.15.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
           file://afalg.patch \
           file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://CVE-2024-9143.patch \
           "

 SRC_URI:append:class-nativesdk = " \
--- a/meta/recipes-core/expat/expat/CVE-2024-50602-01.patch
+++ b/meta/recipes-core/expat/expat/CVE-2024-50602-01.patch
@@ -0,0 +1,56 @@
+From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:42:54 +0200
+Subject: [PATCH 1/2] lib: Make XML_StopParser refuse to stop/suspend an
+ unstarted parser
+
+CVE: CVE-2024-50602
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/51c7019069b862e88d94ed228659e70bddd5de09]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ expat/lib/expat.h    | 4 +++-
+ expat/lib/xmlparse.c | 6 ++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index d0d6015a..3ba61304 100644
+--- a/lib/expat.h
+++ b/lib/expat.h
+@@ -127,7 +127,9 @@ enum XML_Error {
+   /* Added in 2.3.0. */
+   XML_ERROR_NO_BUFFER,
+   /* Added in 2.4.0. */
+-  XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+  XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
+  /* Added in 2.6.4. */
+  XML_ERROR_NOT_STARTED,
+ };
+ 
+ enum XML_Content_Type {
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index d9285b21..fa02537f 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -2189,6 +2189,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
+   switch (parser->m_parsingStatus.parsing) {
+  case XML_INITIALIZED:
+    parser->m_errorCode = XML_ERROR_NOT_STARTED;
+    return XML_STATUS_ERROR;
+   case XML_SUSPENDED:
+     if (resumable) {
+       parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2474,6 +2477,9 @@ XML_ErrorString(enum XML_Error code) {
+   case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+     return XML_L(
+         "limit on input amplification factor (from DTD and entities) breached");
+  /* Added in 2.6.4. */
+  case XML_ERROR_NOT_STARTED:
+    return XML_L("parser not started");
+   }
+   return NULL;
+ }
+-- 
+2.30.2
+
--- a/meta/recipes-core/expat/expat/CVE-2024-50602-02.patch
+++ b/meta/recipes-core/expat/expat/CVE-2024-50602-02.patch
@@ -0,0 +1,38 @@
+From 5fb89e7b3afa1c314b34834fe729cd063f65a4d4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 21 Oct 2024 01:46:11 +0200
+Subject: [PATCH 2/2] lib: Be explicit about XML_PARSING in XML_StopParser
+
+CVE: CVE-2024-50602
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5fb89e7b3afa1c314b34834fe729cd063f65a4d4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ expat/lib/xmlparse.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index fa02537f..983f6df0 100644
+--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
+@@ -2202,7 +2202,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+   case XML_FINISHED:
+     parser->m_errorCode = XML_ERROR_FINISHED;
+     return XML_STATUS_ERROR;
+-  default:
+  case XML_PARSING:
+     if (resumable) {
+ #ifdef XML_DTD
+       if (parser->m_isParamEntity) {
+@@ -2213,6 +2213,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+       parser->m_parsingStatus.parsing = XML_SUSPENDED;
+     } else
+       parser->m_parsingStatus.parsing = XML_FINISHED;
+    break;
+  default:
+    assert(0);
+   }
+   return XML_STATUS_OK;
+ }
+-- 
+2.30.2
+
--- a/meta/recipes-core/expat/expat_2.5.0.bb
+++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -28,6 +28,8 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
 	   file://CVE-2024-45490-0004.patch \
 	   file://CVE-2024-45491.patch \
 	   file://CVE-2024-45492.patch \
+	   file://CVE-2024-50602-01.patch \
+	   file://CVE-2024-50602-02.patch \
           "

 UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
--- a/meta/recipes-core/glib-2.0/glib-2.0/0001-gvariant-serialiser-Convert-endianness-of-offsets.patch
+++ b/meta/recipes-core/glib-2.0/glib-2.0/0001-gvariant-serialiser-Convert-endianness-of-offsets.patch
@@ -0,0 +1,68 @@
+From dc16dffed0480d0c8cdd6a05ede68263fc8723a9 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 15 Dec 2022 12:51:37 +0000
+Subject: [PATCH] gvariant-serialiser: Convert endianness of offsets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The array of offsets is little-endian, even on big-endian architectures
+like s390x.
+
+Fixes: ade71fb5 "gvariant: Don’t allow child elements to overlap with each other"
+Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2839
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/dc16dffed0480d0c8cdd6a05ede68263fc8723a9]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gvariant-serialiser.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c
+index 25c85b30b..e9b0eab2b 100644
+--- a/glib/gvariant-serialiser.c
+++ b/glib/gvariant-serialiser.c
+@@ -712,17 +712,19 @@ gvs_variable_sized_array_n_children (GVariantSerialised value)
+ /* Find the index of the first out-of-order element in @data, assuming that
+  * @data is an array of elements of given @type, starting at index @start and
+  * containing a further @len-@start elements. */
+-#define DEFINE_FIND_UNORDERED(type) \
+#define DEFINE_FIND_UNORDERED(type, le_to_native) \
+   static gsize \
+   find_unordered_##type (const guint8 *data, gsize start, gsize len) \
+   { \
+     gsize off; \
+-    type current, previous; \
+    type current_le, previous_le, current, previous; \
+     \
+-    memcpy (&previous, data + start * sizeof (current), sizeof (current)); \
+    memcpy (&previous_le, data + start * sizeof (current), sizeof (current)); \
+    previous = le_to_native (previous_le); \
+     for (off = (start + 1) * sizeof (current); off < len * sizeof (current); off += sizeof (current)) \
+       { \
+-        memcpy (&current, data + off, sizeof (current)); \
+        memcpy (&current_le, data + off, sizeof (current)); \
+        current = le_to_native (current_le); \
+         if (current < previous) \
+           break; \
+         previous = current; \
+@@ -730,10 +732,11 @@ gvs_variable_sized_array_n_children (GVariantSerialised value)
+     return off / sizeof (current) - 1; \
+   }
+ 
+-DEFINE_FIND_UNORDERED (guint8);
+-DEFINE_FIND_UNORDERED (guint16);
+-DEFINE_FIND_UNORDERED (guint32);
+-DEFINE_FIND_UNORDERED (guint64);
+#define NO_CONVERSION(x) (x)
+DEFINE_FIND_UNORDERED (guint8, NO_CONVERSION);
+DEFINE_FIND_UNORDERED (guint16, GUINT16_FROM_LE);
+DEFINE_FIND_UNORDERED (guint32, GUINT32_FROM_LE);
+DEFINE_FIND_UNORDERED (guint64, GUINT64_FROM_LE);
+ 
+ static GVariantSerialised
+ gvs_variable_sized_array_get_child (GVariantSerialised value,
+-- 
+2.30.2
+
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -49,6 +49,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
           file://CVE-2024-34397_16.patch \
           file://CVE-2024-34397_17.patch \
           file://CVE-2024-34397_18.patch \
+           file://0001-gvariant-serialiser-Convert-endianness-of-offsets.patch \
           "
 SRC_URI:append:class-native = " file://relocate-modules.patch"

--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx"

 inherit core-image setuptools3

-SRCREV ?= "474121d387e30c8f34f091e0b29e22a30eeb2261"
+SRCREV ?= "1784189462779fc573c9537c3f352f8586a2e959"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=kirkstone \
           file://Yocto_Build_Appliance.vmx \
           file://Yocto_Build_Appliance.vmxf \
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -8,7 +8,6 @@ INHIBIT_DEFAULT_DEPS = "1"

 inherit native

-deltask do_unpack
 deltask do_patch
 deltask do_configure
 deltask do_compile
@@ -35,7 +34,9 @@ CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000"
 # Number of attempts for each http query to nvd server before giving up
 CVE_DB_UPDATE_ATTEMPTS ?= "5"

-CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
+CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK/${CVE_CHECK_DB_FILENAME}"
+CVE_CHECK_DB_DLDIR_LOCK ?= "${CVE_CHECK_DB_DLDIR_FILE}.lock"
+CVE_CHECK_DB_TEMP_FILE ?= "${CVE_CHECK_DB_FILE}.tmp"

 python () {
    if not bb.data.inherits_class("cve-check", d):
@@ -52,9 +53,9 @@ python do_fetch() {

    bb.utils.export_proxies(d)

-    db_file = d.getVar("CVE_CHECK_DB_FILE")
+    db_file = d.getVar("CVE_CHECK_DB_DLDIR_FILE")
    db_dir = os.path.dirname(db_file)
-    db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
+    db_tmp_file = d.getVar("CVE_CHECK_DB_TEMP_FILE")

    cleanup_db_download(db_file, db_tmp_file)
    # By default let's update the whole database (since time 0)
@@ -77,6 +78,7 @@ python do_fetch() {
        pass

    bb.utils.mkdirhier(db_dir)
+    bb.utils.mkdirhier(os.path.dirname(db_tmp_file))
    if os.path.exists(db_file):
        shutil.copy2(db_file, db_tmp_file)

@@ -89,10 +91,16 @@ python do_fetch() {
        os.remove(db_tmp_file)
 }

-do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
+do_fetch[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK}"
 do_fetch[file-checksums] = ""
 do_fetch[vardeps] = ""

+python do_unpack() {
+    import shutil
+    shutil.copyfile(d.getVar("CVE_CHECK_DB_DLDIR_FILE"), d.getVar("CVE_CHECK_DB_FILE"))
+}
+do_unpack[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK} ${CVE_CHECK_DB_FILE_LOCK}"
+
 def cleanup_db_download(db_file, db_tmp_file):
    """
    Cleanup the download space from possible failed downloads
@@ -247,7 +255,7 @@ def initialize_db(conn):
        c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")

        c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
-            SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+            SCOREV2 TEXT, SCOREV3 TEXT, SCOREV4 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)")

        c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
            VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
@@ -321,6 +329,7 @@ def update_db(conn, elt):
    """

    accessVector = None
+    vectorString = None
    cveId = elt['cve']['id']
    if elt['cve']['vulnStatus'] ==  "Rejected":
        c = conn.cursor()
@@ -335,25 +344,35 @@ def update_db(conn, elt):
    date = elt['cve']['lastModified']
    try:
        accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
+        vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString']
        cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
    except KeyError:
        cvssv2 = 0.0
    cvssv3 = None
    try:
        accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
+        vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString']
        cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
    except KeyError:
        pass
    try:
        accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
+        vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString']
        cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
    except KeyError:
        pass
-    accessVector = accessVector or "UNKNOWN"
    cvssv3 = cvssv3 or 0.0
+    try:
+        accessVector = accessVector or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['attackVector']
+        vectorString = vectorString or elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['vectorString']
+        cvssv4 = elt['cve']['metrics']['cvssMetricV40'][0]['cvssData']['baseScore']
+    except KeyError:
+        cvssv4 = 0.0
+    accessVector = accessVector or "UNKNOWN"
+    vectorString = vectorString or "UNKNOWN"

-    conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
-                [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
+    conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)",
+                [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close()

    try:
        # Remove any pre-existing CVE configuration. Even for partial database
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -35,6 +35,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
           file://run-ptest \
           file://display_testname_for_subtest.patch \
           file://avoid_parallel_tests.patch \
+           file://0001-check-for-sys-pidfd.h.patch \
           file://CVE-2024-28085-0001.patch \
           file://CVE-2024-28085-0002.patch \
           file://CVE-2024-28085-0003.patch \
--- a/meta/recipes-core/util-linux/util-linux/0001-check-for-sys-pidfd.h.patch
+++ b/meta/recipes-core/util-linux/util-linux/0001-check-for-sys-pidfd.h.patch
@@ -0,0 +1,50 @@
+From a77af2e46ea233d9e5d3b16396d41a252a5a3172 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 7 Aug 2022 14:39:19 -0700
+Subject: [PATCH] check for sys/pidfd.h
+
+This header in newer glibc defines the signatures of functions
+pidfd_send_signal() and pidfd_open() and when these functions are
+defined by libc then we need to include the relevant header to get
+the definitions. Clang 15+ has started to error out when function
+signatures are missing.
+
+Fixes errors like
+misc-utils/kill.c:402:6: error: call to undeclared function 'pidfd_send_signal'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
+        if (pidfd_send_signal(pfd, ctl->numsig, &info, 0) < 0)
+
+Upstream-Status: Submitted [https://github.com/util-linux/util-linux/pull/1769]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure.ac          | 1 +
+ include/pidfd-utils.h | 4 +++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index c38d871..72e893f 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -339,6 +339,7 @@ AC_CHECK_HEADERS([ \
+ 	sys/mkdev.h \
+ 	sys/mount.h \
+ 	sys/param.h \
+	sys/pidfd.h \
+ 	sys/prctl.h \
+ 	sys/resource.h \
+ 	sys/sendfile.h \
+diff --git a/include/pidfd-utils.h b/include/pidfd-utils.h
+index 4a6c3a6..7c0c061 100644
+--- a/include/pidfd-utils.h
+++ b/include/pidfd-utils.h
+@@ -4,8 +4,10 @@
+ #if defined(__linux__)
+ # include <sys/syscall.h>
+ # if defined(SYS_pidfd_send_signal) && defined(SYS_pidfd_open)
+#  ifdef HAVE_SYS_PIDFD_H
+#   include <sys/pidfd.h>
+#  endif
+ #  include <sys/types.h>
+-
+ #  ifndef HAVE_PIDFD_SEND_SIGNAL
+ static inline int pidfd_send_signal(int pidfd, int sig, siginfo_t *info,
+ 				    unsigned int flags)
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -17,6 +17,7 @@ LIC_FILES_CHKSUM = "file://Copyright.txt;md5=31023e1d3f51ca90a58f55bcee8e2339 \
 CMAKE_MAJOR_VERSION = "${@'.'.join(d.getVar('PV').split('.')[0:2])}"

 SRC_URI = "https://cmake.org/files/v${CMAKE_MAJOR_VERSION}/cmake-${PV}.tar.gz \
+           file://0001-CMakeDetermineCompilerABI-Strip-pipe-from-compile-fl.patch \
           file://0003-cmake-support-OpenEmbedded-Qt4-tool-binary-names.patch \
           file://0004-Fail-silently-if-system-Qt-installation-is-broken.patch \
 "
--- a/meta/recipes-devtools/cmake/cmake/0001-CMakeDetermineCompilerABI-Strip-pipe-from-compile-fl.patch
+++ b/meta/recipes-devtools/cmake/cmake/0001-CMakeDetermineCompilerABI-Strip-pipe-from-compile-fl.patch
@@ -0,0 +1,52 @@
+From dab7ba34f87be0172f6586325656ee962de0029e Mon Sep 17 00:00:00 2001
+From: Philip Lorenz <philip.lorenz@bmw.de>
+Date: Mon, 3 Jun 2024 13:19:24 +0200
+Subject: [PATCH] CMakeDetermineCompilerABI: Strip -pipe from compile flags
+
+When `-pipe` is enabled, GCC passes data between its different
+executables using pipes instead of temporary files. This leads to issues
+when cmake attempts to infer compiler internals via the `-v` parameter
+as each executable will print to `stderr` in parallel.
+
+For example we have observed the following outputs in our builds which
+sporadically lead to build failures as system include directories were
+not detected reliably:
+
+Parsed CXX implicit include dir info from above output: rv=done
+  found start of include info
+  found start of implicit include info
+    add: [.../usr/bin/x86_64-poky-linux/../../lib/x86_64-poky-linux/gcc/x86_64-poky-linux/11.4.0/include]
+    add: [.../usr/bin/x86_64-poky-linux/../../lib/x86_64-poky-linux/gcc/x86_64-poky-linux/11.4.0/include-fixed]
+    add: [.../usr/include/c++/11.4.0]
+    add: [.../usr/include/c++/11.4.0/x86_64-poky-linux]
+    add: [.../usr/include/c++/11.4.0/backward]
+    add: [.../usr/lib/x86_64-poky-linux/11.4.0/include]
+    add: [...GNU assembler version 2.38 (x86_64-poky-linux) using BFD version (GNU Binutils) 2.38.20220708]
+    add: [/usr/include]
+  end of search list found
+
+Fix this issue by stripping the `-pipe` parameter from the compilation
+flag when determining the toolchain configuration.
+
+Upstream-Status: Backport [3.32.0, 71be059f3f32b6791427893a48ba4815a19e2e78]
+Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
+---
+ Modules/CMakeDetermineCompilerABI.cmake | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/Modules/CMakeDetermineCompilerABI.cmake b/Modules/CMakeDetermineCompilerABI.cmake
+index 8191d819bf..ae4c9ee44e 100644
+--- a/Modules/CMakeDetermineCompilerABI.cmake
+++ b/Modules/CMakeDetermineCompilerABI.cmake
+@@ -35,6 +35,11 @@ function(CMAKE_DETERMINE_COMPILER_ABI lang src)
+ 
+     # Avoid failing ABI detection on warnings.
+     string(REGEX REPLACE "(^| )-Werror([= ][^ ]*)?( |$)" " " CMAKE_${lang}_FLAGS "${CMAKE_${lang}_FLAGS}")
+    # Avoid passing of "-pipe" when determining the compiler internals. With
+    # "-pipe" GCC will use pipes to pass data between the involved
+    # executables.  This may lead to issues when their stderr output (which
+    # contains the relevant compiler internals) becomes interweaved.
+    string(REGEX REPLACE "(^| )-pipe( |$)" " " CMAKE_${lang}_FLAGS "${CMAKE_${lang}_FLAGS}")
+ 
+     # Save the current LC_ALL, LC_MESSAGES, and LANG environment variables
+     # and set them to "C" that way GCC's "search starts here" text is in
--- a/meta/recipes-devtools/gcc/gcc-11.5.inc
+++ b/meta/recipes-devtools/gcc/gcc-11.5.inc
@@ -65,6 +65,7 @@ SRC_URI = "\
           file://0003-CVE-2021-42574.patch \
           file://0004-CVE-2021-42574.patch \
           file://0001-CVE-2021-46195.patch \
+           file://0001-aarch64-Update-Neoverse-N2-core-definition.patch \
 	   file://0002-aarch64-add-armv9-a-to-march.patch \
 	   file://0003-aarch64-Enable-FP16-feature-by-default-for-Armv9.patch \
 	   file://0004-arm-add-armv9-a-architecture-to-march.patch \
@@ -121,3 +122,6 @@ EXTRA_OECONF_PATHS = "\

 # Is a binutils 2.26 issue, not gcc
 CVE_CHECK_IGNORE += "CVE-2021-37322"
+
+# This is fixed by commit 75c37e0314, nvd uses arm versioning (2023-09-12) which will alway be higher than 11.x
+CVE_CHECK_IGNORE += "CVE-2023-4039"
--- a/meta/recipes-devtools/gcc/gcc/0001-aarch64-Update-Neoverse-N2-core-definition.patch
+++ b/meta/recipes-devtools/gcc/gcc/0001-aarch64-Update-Neoverse-N2-core-definition.patch
@@ -0,0 +1,40 @@
+From 30ade014c7b7d22a2a26697b5a2079a278ea560d Mon Sep 17 00:00:00 2001
+From: Andre Vieira <andre.simoesdiasvieira@arm.com>
+Date: Thu, 8 Sep 2022 06:02:18 +0000
+Subject: [PATCH] aarch64: Update Neoverse N2 core definition
+
+commit 9f37d31324f89d0b7b2abac988a976d121ae29c6 from upstream.
+
+gcc/ChangeLog:
+
+        * config/aarch64/aarch64-cores.def: Update Neoverse N2 core entry.
+
+Upstream-Status: Backport
+Signed-off-by: Ruiqiang Hao <Ruiqiang.Hao@windriver.com>
+---
+ gcc/config/aarch64/aarch64-cores.def | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/gcc/config/aarch64/aarch64-cores.def b/gcc/config/aarch64/aarch64-cores.def
+index 0243e3d4d..722f3e64e 100644
+--- a/gcc/config/aarch64/aarch64-cores.def
+++ b/gcc/config/aarch64/aarch64-cores.def
+@@ -147,7 +147,6 @@ AARCH64_CORE("neoverse-512tvb", neoverse512tvb, cortexa57, 8_4A,  AARCH64_FL_FOR
+ AARCH64_CORE("saphira",     saphira,    saphira,    8_4A,  AARCH64_FL_FOR_ARCH8_4 | AARCH64_FL_CRYPTO, saphira,   0x51, 0xC01, -1)
+ 
+ /* Armv8.5-A Architecture Processors.  */
+-AARCH64_CORE("neoverse-n2", neoversen2, cortexa57, 8_5A, AARCH64_FL_FOR_ARCH8_5 | AARCH64_FL_I8MM | AARCH64_FL_BF16 | AARCH64_FL_F16 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_SVE2_BITPERM | AARCH64_FL_RNG | AARCH64_FL_MEMTAG, neoversen2, 0x41, 0xd49, -1)
+ AARCH64_CORE("cobalt-100",   cobalt100, cortexa57, 8_5A, AARCH64_FL_FOR_ARCH8_5 | AARCH64_FL_I8MM | AARCH64_FL_BF16 | AARCH64_FL_F16 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_SVE2_BITPERM | AARCH64_FL_RNG | AARCH64_FL_MEMTAG, neoversen2, 0x6d, 0xd49, -1)
+ AARCH64_CORE("neoverse-v2", neoversev2, cortexa57, 8_5A, AARCH64_FL_FOR_ARCH8_5 | AARCH64_FL_I8MM | AARCH64_FL_BF16 | AARCH64_FL_F16 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_SVE2_BITPERM | AARCH64_FL_RNG | AARCH64_FL_MEMTAG, neoverse512tvb, 0x41, 0xd4f, -1)
+ AARCH64_CORE("grace", grace, cortexa57, 8_5A, AARCH64_FL_FOR_ARCH8_5 | AARCH64_FL_I8MM | AARCH64_FL_BF16 | AARCH64_FL_F16 | AARCH64_FL_CRYPTO | AARCH64_FL_SHA3 | AARCH64_FL_SM4 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_SVE2_BITPERM | AARCH64_FL_SVE2_AES | AARCH64_FL_SVE2_SM4 | AARCH64_FL_SVE2_SHA3, neoverse512tvb, 0x41, 0xd4f, -1)
+@@ -167,4 +166,7 @@ AARCH64_CORE("cortex-a76.cortex-a55",  cortexa76cortexa55, cortexa53, 8_2A,  AAR
+ /* Armv8-R Architecture Processors.  */
+ AARCH64_CORE("cortex-r82", cortexr82, cortexa53, 8R, AARCH64_FL_FOR_ARCH8_R, cortexa53, 0x41, 0xd15, -1)
+ 
+/* Armv9-A Architecture Processors. */
+AARCH64_CORE("neoverse-n2", neoversen2, cortexa57, 9A, AARCH64_FL_FOR_ARCH9 | AARCH64_FL_I8MM | AARCH64_FL_BF16 | AARCH64_FL_F16 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_SVE2_BITPERM | AARCH64_FL_RNG | AARCH64_FL_MEMTAG | AARCH64_FL_PROFILE, neoversen2, 0x41, 0xd49, -1)
+
+ #undef AARCH64_CORE
+-- 
+2.46.2
+
--- a/meta/recipes-devtools/orc/orc_0.4.40.bb
+++ b/meta/recipes-devtools/orc/orc_0.4.40.bb
@@ -5,7 +5,7 @@ LICENSE = "BSD-2-Clause & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=1400bd9d09e8af56b9ec982b3d85797e"

 SRC_URI = "http://gstreamer.freedesktop.org/src/orc/orc-${PV}.tar.xz"
-SRC_URI[sha256sum] = "33ed2387f49b825fa1b9c3b0072e05f259141b895474ad085ae51143d3040cc0"
+SRC_URI[sha256sum] = "3fc2bee78dfb7c41fd9605061fc69138db7df007eae2f669a1f56e8bacef74ab"

 inherit meson pkgconfig gtk-doc

--- a/meta/recipes-devtools/pseudo/files/glibc238.patch
+++ b/meta/recipes-devtools/pseudo/files/glibc238.patch
@@ -9,7 +9,7 @@ Index: git/pseudo_wrappers.c
 ===================================================================
 --- git.orig/pseudo_wrappers.c
 +++ git/pseudo_wrappers.c
-@@ -6,6 +6,15 @@
+@@ -6,6 +6,18 @@
  * SPDX-License-Identifier: LGPL-2.1-only
  *
  */
@@ -21,6 +21,9 @@ Index: git/pseudo_wrappers.c
 +#undef __GLIBC_USE_ISOC2X
 +#undef __GLIBC_USE_C2X_STRTOL
 +#define __GLIBC_USE_C2X_STRTOL 0
+#undef __GLIBC_USE_ISOC23
+#undef __GLIBC_USE_C23_STRTOL
+#define __GLIBC_USE_C23_STRTOL 0
 +
 #include <assert.h>
 #include <stdlib.h>
@@ -29,7 +32,7 @@ Index: git/pseudo_util.c
 ===================================================================
 --- git.orig/pseudo_util.c
 +++ git/pseudo_util.c
-@@ -8,6 +8,14 @@
+@@ -8,6 +8,17 @@
  */
 /* we need access to RTLD_NEXT for a horrible workaround */
 #define _GNU_SOURCE
@@ -41,22 +44,12 @@ Index: git/pseudo_util.c
 +#undef __GLIBC_USE_ISOC2X
 +#undef __GLIBC_USE_C2X_STRTOL
 +#define __GLIBC_USE_C2X_STRTOL 0
+#undef __GLIBC_USE_ISOC23
+#undef __GLIBC_USE_C23_STRTOL
+#define __GLIBC_USE_C23_STRTOL 0
 
 #include <ctype.h>
 #include <errno.h>
-Index: git/pseudolog.c
-===================================================================
--- git.orig/pseudolog.c
-+++ git/pseudolog.c
-@@ -8,7 +8,7 @@
-  */
- /* We need _XOPEN_SOURCE for strptime(), but if we define that,
-  * we then don't get S_IFSOCK... _GNU_SOURCE turns on everything. */
-#define _GNU_SOURCE
-+#define _DEFAULT_SOURCE
- 
- #include <ctype.h>
- #include <limits.h>
 Index: git/pseudo_client.c
 ===================================================================
 --- git.orig/pseudo_client.c
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -1,6 +1,6 @@
 require pseudo.inc

-SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \
+SRC_URI = "git://git.yoctoproject.org/pseudo;branch=master \
           file://0001-configure-Prune-PIE-flags.patch \
           file://glibc238.patch \
           file://fallback-passwd \
@@ -14,9 +14,16 @@ SRC_URI:append:class-nativesdk = " \
    file://older-glibc-symbols.patch"
 SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"

-SRCREV = "c9670c27ff67ab899007ce749254b16091577e55"
+SRCREV = "28dcefb809ce95db997811b5662f0b893b9923e0"
 S = "${WORKDIR}/git"
 PV = "1.9.0+git${SRCPV}"

+# largefile and 64bit time_t support adds these macros via compiler flags globally
+# remove them for pseudo since pseudo intercepts some of the functions which will be
+# aliased due to this e.g. open/open64 and it will complain about duplicate definitions
+# pseudo on 32bit systems is not much of use anyway and these features are not of much
+# use for it.
+TARGET_CPPFLAGS:remove = "-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
+
 # error: use of undeclared identifier '_STAT_VER'
 COMPATIBLE_HOST:libc-musl = 'null'
--- a/meta/recipes-devtools/python/python3_3.10.15.bb
+++ b/meta/recipes-devtools/python/python3_3.10.15.bb
@@ -63,6 +63,8 @@ CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
 CVE_CHECK_IGNORE += "CVE-2015-20107"
 # Not an issue, in fact expected behaviour
 CVE_CHECK_IGNORE += "CVE-2023-36632"
+# Fixes are included in 3.10.15
+CVE_CHECK_IGNORE += "CVE-2023-27043 CVE-2024-6232 CVE-2024-7592"

 PYTHON_MAJMIN = "3.10"

--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -97,14 +97,14 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2023-3301.patch \
           file://CVE-2023-3255.patch \
           file://CVE-2023-2861.patch \
-	   file://CVE-2020-14394.patch \
-	   file://CVE-2023-3354.patch \
-	   file://CVE-2023-3180.patch \
-	   file://CVE-2021-3638.patch \
-	   file://CVE-2023-1544.patch \
-	   file://CVE-2023-5088.patch \
-	   file://CVE-2024-24474.patch \
-	   file://CVE-2023-6693.patch \
+           file://CVE-2020-14394.patch \
+           file://CVE-2023-3354.patch \
+           file://CVE-2023-3180.patch \
+           file://CVE-2021-3638.patch \
+           file://CVE-2023-1544.patch \
+           file://CVE-2023-5088.patch \
+           file://CVE-2024-24474.patch \
+           file://CVE-2023-6693.patch \
           file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \
           file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch \
           file://CVE-2023-42467.patch \
@@ -118,6 +118,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2024-4467-0003.patch \
           file://CVE-2024-4467-0004.patch \
           file://CVE-2024-4467-0005.patch \
+           file://CVE-2023-3019-0001.patch \
+           file://CVE-2023-3019-0002.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"

--- a/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0001.patch
@@ -0,0 +1,622 @@
+From 7d0fefdf81f5973334c344f6b8e1896c309dff66 Mon Sep 17 00:00:00 2001
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+Date: Thu, 1 Jun 2023 12:18:58 +0900
+Subject: [PATCH] net: Provide MemReentrancyGuard * to qemu_new_nic()
+
+Recently MemReentrancyGuard was added to DeviceState to record that the
+device is engaging in I/O. The network device backend needs to update it
+when delivering a packet to a device.
+
+In preparation for such a change, add MemReentrancyGuard * as a
+parameter of qemu_new_nic().
+
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2023-3019
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/7d0fefdf81f5973334c344f6b8e1896c309dff66]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ hw/arm/musicpal.c             | 3 ++-
+ hw/net/allwinner-sun8i-emac.c | 3 ++-
+ hw/net/allwinner_emac.c       | 3 ++-
+ hw/net/cadence_gem.c          | 3 ++-
+ hw/net/dp8393x.c              | 3 ++-
+ hw/net/e1000.c                | 3 ++-
+ hw/net/e1000e.c               | 2 +-
+ hw/net/eepro100.c             | 4 +++-
+ hw/net/etraxfs_eth.c          | 3 ++-
+ hw/net/fsl_etsec/etsec.c      | 3 ++-
+ hw/net/ftgmac100.c            | 3 ++-
+ hw/net/imx_fec.c              | 2 +-
+ hw/net/lan9118.c              | 3 ++-
+ hw/net/mcf_fec.c              | 3 ++-
+ hw/net/mipsnet.c              | 3 ++-
+ hw/net/msf2-emac.c            | 3 ++-
+ hw/net/ne2000-isa.c           | 3 ++-
+ hw/net/ne2000-pci.c           | 3 ++-
+ hw/net/npcm7xx_emc.c          | 3 ++-
+ hw/net/opencores_eth.c        | 3 ++-
+ hw/net/pcnet.c                | 3 ++-
+ hw/net/rocker/rocker_fp.c     | 4 ++--
+ hw/net/rtl8139.c              | 3 ++-
+ hw/net/smc91c111.c            | 3 ++-
+ hw/net/spapr_llan.c           | 3 ++-
+ hw/net/stellaris_enet.c       | 3 ++-
+ hw/net/sungem.c               | 2 +-
+ hw/net/sunhme.c               | 3 ++-
+ hw/net/tulip.c                | 3 ++-
+ hw/net/virtio-net.c           | 6 ++++--
+ hw/net/vmxnet3.c              | 2 +-
+ hw/net/xen_nic.c              | 4 +++-
+ hw/net/xgmac.c                | 3 ++-
+ hw/net/xilinx_axienet.c       | 3 ++-
+ hw/net/xilinx_ethlite.c       | 3 ++-
+ hw/usb/dev-network.c          | 3 ++-
+ include/hw/qdev-core.h        | 7 +++++++
+ include/net/net.h             | 1 +
+ net/net.c                     | 1 +
+ 39 files changed, 81 insertions(+), 38 deletions(-)
+
+diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
+index 2680ec55b..15fc7fee4 100644
+--- a/hw/arm/musicpal.c
+++ b/hw/arm/musicpal.c
+@@ -418,7 +418,8 @@ static void mv88w8618_eth_realize(DeviceState *dev, Error **errp)
+ 
+     address_space_init(&s->dma_as, s->dma_mr, "emac-dma");
+     s->nic = qemu_new_nic(&net_mv88w8618_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+ }
+ 
+ static const VMStateDescription mv88w8618_eth_vmsd = {
+diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c
+index ecc0245fe..cf93b2fda 100644
+--- a/hw/net/allwinner-sun8i-emac.c
+++ b/hw/net/allwinner-sun8i-emac.c
+@@ -816,7 +816,8 @@ static void allwinner_sun8i_emac_realize(DeviceState *dev, Error **errp)
+ 
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+     s->nic = qemu_new_nic(&net_allwinner_sun8i_emac_info, &s->conf,
+-                           object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ }
+ 
+diff --git a/hw/net/allwinner_emac.c b/hw/net/allwinner_emac.c
+index ddddf35c4..b3d73143b 100644
+--- a/hw/net/allwinner_emac.c
+++ b/hw/net/allwinner_emac.c
+@@ -453,7 +453,8 @@ static void aw_emac_realize(DeviceState *dev, Error **errp)
+ 
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+     s->nic = qemu_new_nic(&net_aw_emac_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ 
+     fifo8_create(&s->rx_fifo, RX_FIFO_SIZE);
+diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
+index 24b3a0ff6..cb61a7641 100644
+--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
+@@ -1633,7 +1633,8 @@ static void gem_realize(DeviceState *dev, Error **errp)
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+ 
+     s->nic = qemu_new_nic(&net_gem_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+ 
+     if (s->jumbo_max_len > MAX_FRAME_SIZE) {
+         error_setg(errp, "jumbo-max-len is greater than %d",
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 45b954e46..abfcc6f69 100644
+--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
+@@ -943,7 +943,8 @@ static void dp8393x_realize(DeviceState *dev, Error **errp)
+                           "dp8393x-regs", SONIC_REG_COUNT << s->it_shift);
+ 
+     s->nic = qemu_new_nic(&net_dp83932_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ 
+     s->watchdog = timer_new_ns(QEMU_CLOCK_VIRTUAL, dp8393x_watchdog, s);
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index f5bc81296..0857c2e7d 100644
+--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
+@@ -1733,7 +1733,8 @@ static void pci_e1000_realize(PCIDevice *pci_dev, Error **errp)
+                                macaddr);
+ 
+     d->nic = qemu_new_nic(&net_e1000_info, &d->conf,
+-                          object_get_typename(OBJECT(d)), dev->id, d);
+                          object_get_typename(OBJECT(d)), dev->id,
+                          &dev->mem_reentrancy_guard, d);
+ 
+     qemu_format_nic_info_str(qemu_get_queue(d->nic), macaddr);
+ 
+diff --git a/hw/net/e1000e.c b/hw/net/e1000e.c
+index ac96f7665..b6e9b0e17 100644
+--- a/hw/net/e1000e.c
+++ b/hw/net/e1000e.c
+@@ -328,7 +328,7 @@ e1000e_init_net_peer(E1000EState *s, PCIDevice *pci_dev, uint8_t *macaddr)
+     int i;
+ 
+     s->nic = qemu_new_nic(&net_e1000e_info, &s->conf,
+-        object_get_typename(OBJECT(s)), dev->id, s);
+        object_get_typename(OBJECT(s)), dev->id, &dev->mem_reentrancy_guard, s);
+ 
+     s->core.max_queue_num = s->conf.peers.queues ? s->conf.peers.queues - 1 : 0;
+ 
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index 679f52f80..871d9a095 100644
+--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
+@@ -1874,7 +1874,9 @@ static void e100_nic_realize(PCIDevice *pci_dev, Error **errp)
+     nic_reset(s);
+ 
+     s->nic = qemu_new_nic(&net_eepro100_info, &s->conf,
+-                          object_get_typename(OBJECT(pci_dev)), pci_dev->qdev.id, s);
+                          object_get_typename(OBJECT(pci_dev)),
+                          pci_dev->qdev.id,
+                          &pci_dev->qdev.mem_reentrancy_guard, s);
+ 
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+     TRACE(OTHER, logout("%s\n", qemu_get_queue(s->nic)->info_str));
+diff --git a/hw/net/etraxfs_eth.c b/hw/net/etraxfs_eth.c
+index 1b82aec79..ba57a978d 100644
+--- a/hw/net/etraxfs_eth.c
+++ b/hw/net/etraxfs_eth.c
+@@ -618,7 +618,8 @@ static void etraxfs_eth_realize(DeviceState *dev, Error **errp)
+ 
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+     s->nic = qemu_new_nic(&net_etraxfs_info, &s->conf,
+-                          object_get_typename(OBJECT(s)), dev->id, s);
+                          object_get_typename(OBJECT(s)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ 
+     s->phy.read = tdk_read;
+diff --git a/hw/net/fsl_etsec/etsec.c b/hw/net/fsl_etsec/etsec.c
+index bd9d62b55..f790613b5 100644
+--- a/hw/net/fsl_etsec/etsec.c
+++ b/hw/net/fsl_etsec/etsec.c
+@@ -391,7 +391,8 @@ static void etsec_realize(DeviceState *dev, Error **errp)
+     eTSEC        *etsec = ETSEC_COMMON(dev);
+ 
+     etsec->nic = qemu_new_nic(&net_etsec_info, &etsec->conf,
+-                              object_get_typename(OBJECT(dev)), dev->id, etsec);
+                              object_get_typename(OBJECT(dev)), dev->id,
+                              &dev->mem_reentrancy_guard, etsec);
+     qemu_format_nic_info_str(qemu_get_queue(etsec->nic), etsec->conf.macaddr.a);
+ 
+     etsec->ptimer = ptimer_init(etsec_timer_hit, etsec, PTIMER_POLICY_DEFAULT);
+diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
+index 83ef0a783..346485ab4 100644
+--- a/hw/net/ftgmac100.c
+++ b/hw/net/ftgmac100.c
+@@ -1118,7 +1118,8 @@ static void ftgmac100_realize(DeviceState *dev, Error **errp)
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+ 
+     s->nic = qemu_new_nic(&net_ftgmac100_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ }
+ 
+diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+index 0db9aaf76..74e7e0d12 100644
+--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
+@@ -1318,7 +1318,7 @@ static void imx_eth_realize(DeviceState *dev, Error **errp)
+ 
+     s->nic = qemu_new_nic(&imx_eth_net_info, &s->conf,
+                           object_get_typename(OBJECT(dev)),
+-                          dev->id, s);
+                          dev->id, &dev->mem_reentrancy_guard, s);
+ 
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ }
+diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
+index 6aff424cb..942bce9ae 100644
+--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
+@@ -1354,7 +1354,8 @@ static void lan9118_realize(DeviceState *dev, Error **errp)
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+ 
+     s->nic = qemu_new_nic(&net_lan9118_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+     s->eeprom[0] = 0xa5;
+     for (i = 0; i < 6; i++) {
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index 25e3e453a..a6be7bf41 100644
+--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
+@@ -643,7 +643,8 @@ static void mcf_fec_realize(DeviceState *dev, Error **errp)
+     mcf_fec_state *s = MCF_FEC_NET(dev);
+ 
+     s->nic = qemu_new_nic(&net_mcf_fec_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ }
+ 
+diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
+index 2ade72dea..8e925de86 100644
+--- a/hw/net/mipsnet.c
+++ b/hw/net/mipsnet.c
+@@ -255,7 +255,8 @@ static void mipsnet_realize(DeviceState *dev, Error **errp)
+     sysbus_init_irq(sbd, &s->irq);
+ 
+     s->nic = qemu_new_nic(&net_mipsnet_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ }
+ 
+diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
+index 9278fdce0..1efa3dbf0 100644
+--- a/hw/net/msf2-emac.c
+++ b/hw/net/msf2-emac.c
+@@ -527,7 +527,8 @@ static void msf2_emac_realize(DeviceState *dev, Error **errp)
+ 
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+     s->nic = qemu_new_nic(&net_msf2_emac_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ }
+ 
+diff --git a/hw/net/ne2000-isa.c b/hw/net/ne2000-isa.c
+index dd6f6e34d..30bd20c29 100644
+--- a/hw/net/ne2000-isa.c
+++ b/hw/net/ne2000-isa.c
+@@ -74,7 +74,8 @@ static void isa_ne2000_realizefn(DeviceState *dev, Error **errp)
+     ne2000_reset(s);
+ 
+     s->nic = qemu_new_nic(&net_ne2000_isa_info, &s->c,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->c.macaddr.a);
+ }
+ 
+diff --git a/hw/net/ne2000-pci.c b/hw/net/ne2000-pci.c
+index 9e5d10859..4f8a69908 100644
+--- a/hw/net/ne2000-pci.c
+++ b/hw/net/ne2000-pci.c
+@@ -71,7 +71,8 @@ static void pci_ne2000_realize(PCIDevice *pci_dev, Error **errp)
+ 
+     s->nic = qemu_new_nic(&net_ne2000_info, &s->c,
+                           object_get_typename(OBJECT(pci_dev)),
+-                          pci_dev->qdev.id, s);
+                          pci_dev->qdev.id,
+                          &pci_dev->qdev.mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->c.macaddr.a);
+ }
+ 
+diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
+index df2efe1bf..82e063ae9 100644
+--- a/hw/net/npcm7xx_emc.c
+++ b/hw/net/npcm7xx_emc.c
+@@ -806,7 +806,8 @@ static void npcm7xx_emc_realize(DeviceState *dev, Error **errp)
+ 
+     qemu_macaddr_default_if_unset(&emc->conf.macaddr);
+     emc->nic = qemu_new_nic(&net_npcm7xx_emc_info, &emc->conf,
+-                            object_get_typename(OBJECT(dev)), dev->id, emc);
+                            object_get_typename(OBJECT(dev)), dev->id,
+                            &dev->mem_reentrancy_guard, emc);
+     qemu_format_nic_info_str(qemu_get_queue(emc->nic), emc->conf.macaddr.a);
+ }
+ 
+diff --git a/hw/net/opencores_eth.c b/hw/net/opencores_eth.c
+index 0b3dc3146..f96d6ea2c 100644
+--- a/hw/net/opencores_eth.c
+++ b/hw/net/opencores_eth.c
+@@ -732,7 +732,8 @@ static void sysbus_open_eth_realize(DeviceState *dev, Error **errp)
+     sysbus_init_irq(sbd, &s->irq);
+ 
+     s->nic = qemu_new_nic(&net_open_eth_info, &s->conf,
+-                          object_get_typename(OBJECT(s)), dev->id, s);
+                          object_get_typename(OBJECT(s)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+ }
+ 
+ static void qdev_open_eth_reset(DeviceState *dev)
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index dcd3fc494..da910a70b 100644
+--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
+@@ -1718,7 +1718,8 @@ void pcnet_common_init(DeviceState *dev, PCNetState *s, NetClientInfo *info)
+     s->poll_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, pcnet_poll_timer, s);
+ 
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+-    s->nic = qemu_new_nic(info, &s->conf, object_get_typename(OBJECT(dev)), dev->id, s);
+    s->nic = qemu_new_nic(info, &s->conf, object_get_typename(OBJECT(dev)),
+                          dev->id, &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ 
+     /* Initialize the PROM */
+diff --git a/hw/net/rocker/rocker_fp.c b/hw/net/rocker/rocker_fp.c
+index cbeed65bd..0d21948ad 100644
+--- a/hw/net/rocker/rocker_fp.c
+++ b/hw/net/rocker/rocker_fp.c
+@@ -241,8 +241,8 @@ FpPort *fp_port_alloc(Rocker *r, char *sw_name,
+     port->conf.bootindex = -1;
+     port->conf.peers = *peers;
+ 
+-    port->nic = qemu_new_nic(&fp_port_info, &port->conf,
+-                             sw_name, NULL, port);
+    port->nic = qemu_new_nic(&fp_port_info, &port->conf, sw_name, NULL,
+                             &DEVICE(r)->mem_reentrancy_guard, port);
+     qemu_format_nic_info_str(qemu_get_queue(port->nic),
+                              port->conf.macaddr.a);
+ 
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 90b4fc63c..43d65d725 100644
+--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
+@@ -3398,7 +3398,8 @@ static void pci_rtl8139_realize(PCIDevice *dev, Error **errp)
+     s->eeprom.contents[9] = s->conf.macaddr.a[4] | s->conf.macaddr.a[5] << 8;
+ 
+     s->nic = qemu_new_nic(&net_rtl8139_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), d->id, s);
+                          object_get_typename(OBJECT(dev)), d->id,
+                          &d->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ 
+     s->cplus_txbuffer = NULL;
+diff --git a/hw/net/smc91c111.c b/hw/net/smc91c111.c
+index ad778cd8f..4eda971ef 100644
+--- a/hw/net/smc91c111.c
+++ b/hw/net/smc91c111.c
+@@ -783,7 +783,8 @@ static void smc91c111_realize(DeviceState *dev, Error **errp)
+     sysbus_init_irq(sbd, &s->irq);
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+     s->nic = qemu_new_nic(&net_smc91c111_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+     /* ??? Save/restore.  */
+ }
+diff --git a/hw/net/spapr_llan.c b/hw/net/spapr_llan.c
+index a6876a936..475d5f3a3 100644
+--- a/hw/net/spapr_llan.c
+++ b/hw/net/spapr_llan.c
+@@ -325,7 +325,8 @@ static void spapr_vlan_realize(SpaprVioDevice *sdev, Error **errp)
+     memcpy(&dev->perm_mac.a, &dev->nicconf.macaddr.a, sizeof(dev->perm_mac.a));
+ 
+     dev->nic = qemu_new_nic(&net_spapr_vlan_info, &dev->nicconf,
+-                            object_get_typename(OBJECT(sdev)), sdev->qdev.id, dev);
+                            object_get_typename(OBJECT(sdev)), sdev->qdev.id,
+                            &sdev->qdev.mem_reentrancy_guard, dev);
+     qemu_format_nic_info_str(qemu_get_queue(dev->nic), dev->nicconf.macaddr.a);
+ 
+     dev->rxp_timer = timer_new_us(QEMU_CLOCK_VIRTUAL, spapr_vlan_flush_rx_queue,
+diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
+index 8dd60783d..6768a6912 100644
+--- a/hw/net/stellaris_enet.c
+++ b/hw/net/stellaris_enet.c
+@@ -492,7 +492,8 @@ static void stellaris_enet_realize(DeviceState *dev, Error **errp)
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+ 
+     s->nic = qemu_new_nic(&net_stellaris_enet_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ }
+ 
+diff --git a/hw/net/sungem.c b/hw/net/sungem.c
+index 3684a4d73..c12d44e9d 100644
+--- a/hw/net/sungem.c
+++ b/hw/net/sungem.c
+@@ -1361,7 +1361,7 @@ static void sungem_realize(PCIDevice *pci_dev, Error **errp)
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+     s->nic = qemu_new_nic(&net_sungem_info, &s->conf,
+                           object_get_typename(OBJECT(dev)),
+-                          dev->id, s);
+                          dev->id, &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic),
+                              s->conf.macaddr.a);
+ }
+diff --git a/hw/net/sunhme.c b/hw/net/sunhme.c
+index fc34905f8..fa98528d7 100644
+--- a/hw/net/sunhme.c
+++ b/hw/net/sunhme.c
+@@ -892,7 +892,8 @@ static void sunhme_realize(PCIDevice *pci_dev, Error **errp)
+ 
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+     s->nic = qemu_new_nic(&net_sunhme_info, &s->conf,
+-                          object_get_typename(OBJECT(d)), d->id, s);
+                          object_get_typename(OBJECT(d)), d->id,
+                          &d->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ }
+ 
+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
+index 5f8badefc..ccaa26fd8 100644
+--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
+@@ -985,7 +985,8 @@ static void pci_tulip_realize(PCIDevice *pci_dev, Error **errp)
+ 
+     s->nic = qemu_new_nic(&net_tulip_info, &s->c,
+                           object_get_typename(OBJECT(pci_dev)),
+-                          pci_dev->qdev.id, s);
+                          pci_dev->qdev.id,
+                          &pci_dev->qdev.mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->c.macaddr.a);
+ }
+ 
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 42e66697f..f916813bc 100644
+--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
+@@ -3473,10 +3473,12 @@ static void virtio_net_device_realize(DeviceState *dev, Error **errp)
+          * Happen when virtio_net_set_netclient_name has been called.
+          */
+         n->nic = qemu_new_nic(&net_virtio_info, &n->nic_conf,
+-                              n->netclient_type, n->netclient_name, n);
+                              n->netclient_type, n->netclient_name,
+                              &dev->mem_reentrancy_guard, n);
+     } else {
+         n->nic = qemu_new_nic(&net_virtio_info, &n->nic_conf,
+-                              object_get_typename(OBJECT(dev)), dev->id, n);
+                              object_get_typename(OBJECT(dev)), dev->id,
+                              &dev->mem_reentrancy_guard, n);
+     }
+ 
+     for (i = 0; i < n->max_queue_pairs; i++) {
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index f65af4e9e..d4df039c5 100644
+--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
+@@ -2078,7 +2078,7 @@ static void vmxnet3_net_init(VMXNET3State *s)
+ 
+     s->nic = qemu_new_nic(&net_vmxnet3_info, &s->conf,
+                           object_get_typename(OBJECT(s)),
+-                          d->id, s);
+                          d->id, &d->mem_reentrancy_guard, s);
+ 
+     s->peer_has_vhdr = vmxnet3_peer_has_vnet_hdr(s);
+     s->tx_sop = true;
+diff --git a/hw/net/xen_nic.c b/hw/net/xen_nic.c
+index 5c815b4f0..0472ed81b 100644
+--- a/hw/net/xen_nic.c
+++ b/hw/net/xen_nic.c
+@@ -294,7 +294,9 @@ static int net_init(struct XenLegacyDevice *xendev)
+     }
+ 
+     netdev->nic = qemu_new_nic(&net_xen_info, &netdev->conf,
+-                               "xen", NULL, netdev);
+                               "xen",
+                               DEVICE(xendev)->id,
+                               &xendev->qdev.mem_reentrancy_guard, netdev);
+ 
+     snprintf(qemu_get_queue(netdev->nic)->info_str,
+              sizeof(qemu_get_queue(netdev->nic)->info_str),
+diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
+index 0ab6ae91a..1f4f277d8 100644
+--- a/hw/net/xgmac.c
+++ b/hw/net/xgmac.c
+@@ -402,7 +402,8 @@ static void xgmac_enet_realize(DeviceState *dev, Error **errp)
+ 
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+     s->nic = qemu_new_nic(&net_xgmac_enet_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ 
+     s->regs[XGMAC_ADDR_HIGH(0)] = (s->conf.macaddr.a[5] << 8) |
+diff --git a/hw/net/xilinx_axienet.c b/hw/net/xilinx_axienet.c
+index 990ff3a1c..8a3424380 100644
+--- a/hw/net/xilinx_axienet.c
+++ b/hw/net/xilinx_axienet.c
+@@ -968,7 +968,8 @@ static void xilinx_enet_realize(DeviceState *dev, Error **errp)
+ 
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+     s->nic = qemu_new_nic(&net_xilinx_enet_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ 
+     tdk_init(&s->TEMAC.phy);
+diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
+index 6e09f7e42..80cb869e2 100644
+--- a/hw/net/xilinx_ethlite.c
+++ b/hw/net/xilinx_ethlite.c
+@@ -235,7 +235,8 @@ static void xilinx_ethlite_realize(DeviceState *dev, Error **errp)
+ 
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+     s->nic = qemu_new_nic(&net_xilinx_ethlite_info, &s->conf,
+-                          object_get_typename(OBJECT(dev)), dev->id, s);
+                          object_get_typename(OBJECT(dev)), dev->id,
+                          &dev->mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+ }
+ 
+diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
+index 6c49c1601..ae447a8bc 100644
+--- a/hw/usb/dev-network.c
+++ b/hw/usb/dev-network.c
+@@ -1362,7 +1362,8 @@ static void usb_net_realize(USBDevice *dev, Error **errp)
+ 
+     qemu_macaddr_default_if_unset(&s->conf.macaddr);
+     s->nic = qemu_new_nic(&net_usbnet_info, &s->conf,
+-                          object_get_typename(OBJECT(s)), s->dev.qdev.id, s);
+                          object_get_typename(OBJECT(s)), s->dev.qdev.id,
+                          &s->dev.qdev.mem_reentrancy_guard, s);
+     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+     snprintf(s->usbstring_mac, sizeof(s->usbstring_mac),
+              "%02x%02x%02x%02x%02x%02x",
+diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
+index 20d306659..77c0455d8 100644
+--- a/include/hw/qdev-core.h
+++ b/include/hw/qdev-core.h
+@@ -162,6 +162,10 @@ struct NamedClockList {
+     QLIST_ENTRY(NamedClockList) node;
+ };
+ 
+typedef struct {
+    bool engaged_in_io;
+} MemReentrancyGuard;
+
+ /**
+  * DeviceState:
+  * @realized: Indicates whether the device has been fully constructed.
+@@ -193,6 +197,9 @@ struct DeviceState {
+     int instance_id_alias;
+     int alias_required_for_version;
+     ResettableState reset;
+
+     /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */
+    MemReentrancyGuard mem_reentrancy_guard;
+ };
+ 
+ struct DeviceListener {
+diff --git a/include/net/net.h b/include/net/net.h
+index 523136c7a..1457b6c01 100644
+--- a/include/net/net.h
+++ b/include/net/net.h
+@@ -145,6 +145,7 @@ NICState *qemu_new_nic(NetClientInfo *info,
+                        NICConf *conf,
+                        const char *model,
+                        const char *name,
+                       MemReentrancyGuard *reentrancy_guard,
+                        void *opaque);
+ void qemu_del_nic(NICState *nic);
+ NetClientState *qemu_get_subqueue(NICState *nic, int queue_index);
+diff --git a/net/net.c b/net/net.c
+index f0d14dbfc..669e194c4 100644
+--- a/net/net.c
+++ b/net/net.c
+@@ -299,6 +299,7 @@ NICState *qemu_new_nic(NetClientInfo *info,
+                        NICConf *conf,
+                        const char *model,
+                        const char *name,
+                       MemReentrancyGuard *reentrancy_guard,
+                        void *opaque)
+ {
+     NetClientState **peers = conf->peers.ncs;
+-- 
+2.40.0
+
--- a/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0002.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3019-0002.patch
@@ -0,0 +1,91 @@
+From 3c0463a650008aec7de29cf84540652730510921 Mon Sep 17 00:00:00 2001
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+Date: Thu, 1 Jun 2023 12:18:59 +0900
+Subject: [PATCH] net: Update MemReentrancyGuard for NIC
+
+Recently MemReentrancyGuard was added to DeviceState to record that the
+device is engaging in I/O. The network device backend needs to update it
+when delivering a packet to a device.
+
+This implementation follows what bottom half does, but it does not add
+a tracepoint for the case that the network device backend started
+delivering a packet to a device which is already engaging in I/O. This
+is because such reentrancy frequently happens for
+qemu_flush_queued_packets() and is insignificant.
+
+Fixes: CVE-2023-3019
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Acked-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 9050f976e447444ea6ee2ba12c9f77e4b0dc54bc)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+
+CVE: CVE-2023-3019
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/3c0463a650008aec7de29cf84540652730510921]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ include/net/net.h |  1 +
+ net/net.c         | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/include/net/net.h b/include/net/net.h
+index 1457b6c01..11d4564ea 100644
+--- a/include/net/net.h
+++ b/include/net/net.h
+@@ -112,6 +112,7 @@ struct NetClientState {
+ typedef struct NICState {
+     NetClientState *ncs;
+     NICConf *conf;
+    MemReentrancyGuard *reentrancy_guard;
+     void *opaque;
+     bool peer_deleted;
+ } NICState;
+diff --git a/net/net.c b/net/net.c
+index 669e194c4..b3008a52b 100644
+--- a/net/net.c
+++ b/net/net.c
+@@ -312,6 +312,7 @@ NICState *qemu_new_nic(NetClientInfo *info,
+     nic = g_malloc0(info->size + sizeof(NetClientState) * queues);
+     nic->ncs = (void *)nic + info->size;
+     nic->conf = conf;
+    nic->reentrancy_guard = reentrancy_guard,
+     nic->opaque = opaque;
+
+     for (i = 0; i < queues; i++) {
+@@ -767,6 +768,7 @@ static ssize_t qemu_deliver_packet_iov(NetClientState *sender,
+                                        int iovcnt,
+                                        void *opaque)
+ {
+    MemReentrancyGuard *owned_reentrancy_guard;
+     NetClientState *nc = opaque;
+     int ret;
+
+@@ -779,12 +781,24 @@ static ssize_t qemu_deliver_packet_iov(NetClientState *sender,
+         return 0;
+     }
+
+    if (nc->info->type != NET_CLIENT_DRIVER_NIC ||
+        qemu_get_nic(nc)->reentrancy_guard->engaged_in_io) {
+        owned_reentrancy_guard = NULL;
+    } else {
+        owned_reentrancy_guard = qemu_get_nic(nc)->reentrancy_guard;
+        owned_reentrancy_guard->engaged_in_io = true;
+    }
+
+     if (nc->info->receive_iov && !(flags & QEMU_NET_PACKET_FLAG_RAW)) {
+         ret = nc->info->receive_iov(nc, iov, iovcnt);
+     } else {
+         ret = nc_sendv_compat(nc, iov, iovcnt, flags);
+     }
+
+    if (owned_reentrancy_guard) {
+        owned_reentrancy_guard->engaged_in_io = false;
+    }
+
+     if (ret == 0) {
+         nc->receive_disabled = 1;
+     }
+--
+2.40.0
--- a/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb
+++ b/meta/recipes-devtools/syslinux/syslinux_6.04-pre2.bb
@@ -48,7 +48,7 @@ TARGET_LDFLAGS = ""
 SECURITY_LDFLAGS = ""
 LDFLAGS_SECTION_REMOVAL = ""

-CFLAGS:append = " -DNO_INLINE_FUNCS"
+CFLAGS:append = " -DNO_INLINE_FUNCS -Wno-error=implicit-function-declaration"

 EXTRA_OEMAKE = " \
 	BINDIR=${bindir} SBINDIR=${sbindir} LIBDIR=${libdir} \
--- a/meta/recipes-devtools/vala/vala.inc
+++ b/meta/recipes-devtools/vala/vala.inc
@@ -39,6 +39,10 @@ EOF

 EXTRA_OECONF += " --disable-valadoc"

+# work around for vala-native build with gcc-14 instead of backporting
+# https://gitlab.gnome.org/GNOME/vala/-/commit/23ec71b1a5c4cead3d1bdac82e184d0a63fa7b79
+BUILD_CFLAGS += "-Wno-error=incompatible-pointer-types"
+
 # Vapigen wrapper needs to be available system-wide, because it will be used
 # to build vapi files from all other packages with vala support
 do_install:append:class-target() {
--- a/meta/recipes-devtools/xmlto/xmlto-0.0.28/0001-Fix-return-type-of-main-function.patch
+++ b/meta/recipes-devtools/xmlto/xmlto-0.0.28/0001-Fix-return-type-of-main-function.patch
@@ -0,0 +1,42 @@
+From 6347e1b9da2140acdd55e3e7ac1199456793e17c Mon Sep 17 00:00:00 2001
+From: Thomas Kuehne <thomas@kuehne.cn>
+Date: Sat, 11 Dec 2021 20:56:00 +0000
+Subject: [PATCH] Fix return type of main function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+xmlif/xmlif.l:242:1: warning: return type defaults to ‘int’ [-Wimplicit-int]
+  242 | main(int argc, char *argv[])
+      | ^~~~
+
+Signed-off-by: Thomas Kuehne <thomas@kuehne.cn>
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+Upstream-Status: Backport [v0.0.29 https://pagure.io/xmlto/c/8e34f087bf410bcc5fe445933d6ad9bae54f24b5?branch=master]
+---
+ xmlif/xmlif.l | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xmlif/xmlif.l b/xmlif/xmlif.l
+index ac42136..78a62bc 100644
+--- a/xmlif/xmlif.l
+++ b/xmlif/xmlif.l
+@@ -239,7 +239,7 @@ WS		[ \t\n]*
+ 
+ int yywrap() {exit(0);};
+ 
+-main(int argc, char *argv[])
+int main(int argc, char *argv[])
+ {
+     int i;
+ 
+@@ -265,7 +265,7 @@ main(int argc, char *argv[])
+ 	    exit(1);
+ 	}
+ 
+-    yylex();
+    return yylex();
+ }
+ 
+ /*
--- a/meta/recipes-devtools/xmlto/xmlto-0.0.28/0001-Regenerate-the-xmlif.c-and-update-xmlif.l-to-comply-.patch
+++ b/meta/recipes-devtools/xmlto/xmlto-0.0.28/0001-Regenerate-the-xmlif.c-and-update-xmlif.l-to-comply-.patch
--- a/meta/recipes-devtools/xmlto/xmlto-0.0.28/0001-fix-Wimplicit-int-for-ifsense.patch
+++ b/meta/recipes-devtools/xmlto/xmlto-0.0.28/0001-fix-Wimplicit-int-for-ifsense.patch
@@ -0,0 +1,33 @@
+From 1375e2df75530cd198bd16ac3de38e2b0d126276 Mon Sep 17 00:00:00 2001
+From: Thomas Kuehne <thomas@kuehne.cn>
+Date: Sat, 11 Dec 2021 21:10:41 +0100
+Subject: [PATCH] fix -Wimplicit-int for ifsense
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+fixes:
+xmlif/xmlif.l:46:8: warning: type defaults to ‘int’ in declaration of ‘ifsense’ [-Wimplicit-int]
+   46 | static ifsense;                 /* sense of last `if' or unless seen */
+      |        ^~~~~~~
+
+Signed-off-by: Thomas Kuehne <thomas@kuehne.cn>
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+Upstream-Status: Backport [v0.0.29 https://pagure.io/xmlto/c/1375e2df75530cd198bd16ac3de38e2b0d126276?branch=master
+---
+ xmlif/xmlif.l | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmlif/xmlif.l b/xmlif/xmlif.l
+index ac42136..6e5970e 100644
+--- a/xmlif/xmlif.l
+++ b/xmlif/xmlif.l
+@@ -43,7 +43,7 @@
+ 
+ static char **selections;	/* selection tokens */
+ static int nselections;		/* number of selections */
+-static ifsense;			/* sense of last `if' or unless seen */
+static int ifsense;		/* sense of last `if' or unless seen */
+ static char *attribute;		/* last attribute scanned */
+ 
+ struct stack_t {
--- a/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
+++ b/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
@@ -8,6 +8,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552"

 SRC_URI = "https://releases.pagure.org/xmlto/xmlto-${PV}.tar.gz \
           file://configure.in-drop-the-test-of-xmllint-and-xsltproc.patch \
+           file://0001-Fix-return-type-of-main-function.patch \
+           file://0001-fix-Wimplicit-int-for-ifsense.patch \
+           file://0001-Regenerate-the-xmlif.c-and-update-xmlif.l-to-comply-.patch \
 "
 SRC_URI[md5sum] = "a1fefad9d83499a15576768f60f847c6"
 SRC_URI[sha256sum] = "2f986b7c9a0e9ac6728147668e776d405465284e13c74d4146c9cbc51fd8aad3"
@@ -36,6 +39,13 @@ BBCLASSEXTEND = "native"

 EXTRA_OECONF:append = " BASH=/bin/bash GCP=/bin/cp XMLLINT=xmllint XSLTPROC=xsltproc"

+do_configure:prepend() {
+    # make sure xmlif.c is newer than xmlif.l after do_patch (order of
+    # .patch files in SRC_URI isn't enough) to prevent regenerating it
+    # with flex-native which isn't in DEPENDS
+    touch ${S}/xmlif/xmlif.c
+}
+
 do_install:append:class-native() {
    create_wrapper ${D}${bindir}/xmlto XML_CATALOG_FILES=${sysconfdir}/xml/catalog
 }
--- a/meta/recipes-extended/cracklib/cracklib/0001-packlib.c-support-dictionary-byte-order-dependent.patch
+++ b/meta/recipes-extended/cracklib/cracklib/0001-packlib.c-support-dictionary-byte-order-dependent.patch
@@ -303,7 +303,7 @@ index 8acb7be..a9d8750 100644
 +	    PWDICT tmp_pwp;
 +
 +	    memcpy(&tmp_pwp, pwp, sizeof(PWDICT));
-+	    HwmsHostToBigEndian(tmp_pwp.hwms, sizeof(tmp_pwp.hwms), en_is32);
+	    HwmsHostToBigEndian((char *)tmp_pwp.hwms, sizeof(tmp_pwp.hwms), en_is32);
 +	    fwrite(tmp_pwp.hwms, 1, sizeof(tmp_pwp.hwms), pwp->wfp);
 	}
     }
--- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46361.patch
@@ -0,0 +1,32 @@
+From 44ca5b9d023e1de33fcb8984c85bb29619c4db7e Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Sun, 5 Nov 2023 12:21:52 +0100
+Subject: [PATCH] Bug 705041: jbig2dec: Avoid uninitialized allocator in
+ command-line tool.
+
+This fixes CVE-2023-46361.
+
+CVE: CVE-2023-46361
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=44ca5b9d023e1de33fcb8984c85bb29619c4db7e]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ jbig2dec/jbig2dec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/jbig2dec/jbig2dec.c b/jbig2dec/jbig2dec.c
+index dc1fd56..78c8e89 100644
+--- a/jbig2dec/jbig2dec.c
+++ b/jbig2dec/jbig2dec.c
+@@ -567,7 +567,7 @@ main(int argc, char **argv)
+ {
+     jbig2dec_params_t params;
+     jbig2dec_error_callback_state_t error_callback_state;
+-    jbig2dec_allocator_t allocator_;
+    jbig2dec_allocator_t allocator_ = { 0 };
+     jbig2dec_allocator_t *allocator = &allocator_;
+     Jbig2Ctx *ctx = NULL;
+     FILE *f = NULL, *f_page = NULL;
+--
+2.40.0
--- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-1.patch
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-1.patch
@@ -0,0 +1,308 @@
+Backport of:
+Note: updated to fix compiler warning.
+
+From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 25 Jan 2024 11:53:44 +0000
+Subject: Bug 707510 - review printing of pointers
+
+This is for item 4 of the report, which is addressed by the change in
+gdevpdtb.c. That change uses a fixed name for fonts which have no name
+instead of using the pointer to the address of the font.
+
+The remaining changes are all due to reviewing the use of PRI_INTPTR.
+In general we only use that for debugging purposes but there were a few
+places which were printing pointers arbitrarily, even in a release build.
+
+We really don't want to do that so I've modified the places which were
+printing pointer unconditionally so that they only do so if DEBUG is
+set at compile time, or a specific debug flag is set.
+
+CVE: CVE-2024-29508
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/ghostscript/commit/?h=ubuntu/focal-security&id=22b23aa6de7613a4d9c1da9c84d72427c9d0cf1a]
+Upstream commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ff1013a0ab485b66783b70145e342a82c670906a
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ base/gsfont.c             | 4 ++--
+ base/gsicc_cache.c        | 8 ++++----
+ base/gsmalloc.c           | 4 ++--
+ base/gxclmem.c            | 5 ++---
+ base/gxcpath.c            | 6 +++++-
+ base/gxpath.c             | 8 +++++++-
+ base/szlibc.c             | 4 +++-
+ devices/gdevupd.c         | 7 ++++++-
+ devices/vector/gdevpdtb.c | 4 ++--
+ psi/ialloc.c              | 4 ++--
+ psi/igc.c                 | 6 +++---
+ psi/igcstr.c              | 6 +++---
+ psi/iinit.c               | 6 +++++-
+ psi/imainarg.c            | 5 +++--
+ psi/isave.c               | 4 ++--
+ psi/iutil.c               | 6 +++++-
+ 16 files changed, 56 insertions(+), 31 deletions(-)
+
+--- a/base/gsfont.c
+++ b/base/gsfont.c
+@@ -778,7 +778,7 @@ gs_purge_font(gs_font * pfont)
+     else if (pdir->scaled_fonts == pfont)
+         pdir->scaled_fonts = next;
+     else {			/* Shouldn't happen! */
+-        lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
+        if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont);
+     }
+ 
+     /* Purge the font from the scaled font cache. */
+--- a/base/gsicc_cache.c
+++ b/base/gsicc_cache.c
+@@ -149,7 +149,7 @@ icc_linkcache_finalize(const gs_memory_t
+ 
+     while (link_cache->head != NULL) {
+         if (link_cache->head->ref_count != 0) {
+-            emprintf2(mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
+            if_debug2m(gs_debug_flag_icc, mem, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n",
+                       (intptr_t)link_cache->head, link_cache->head->ref_count);
+             link_cache->head->ref_count = 0;	/* force removal */
+         }
+@@ -560,7 +560,7 @@ gsicc_findcachelink(gsicc_hashlink_t has
+                 /* that was building it failed to be able to complete building it		*/
+                 /* this is probably a fatal error. MV ???					*/
+                 if (curr->valid == false) {
+-		  emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr);	/* Breakpoint here */
+		  if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr);	/* Breakpoint here */
+                 }
+                 gx_monitor_enter(icc_link_cache->lock);	/* re-enter to loop and check */
+             }
+@@ -587,7 +587,7 @@ gsicc_remove_link(gsicc_link_t *link, co
+     /* NOTE: link->ref_count must be 0: assert ? */
+     gx_monitor_enter(icc_link_cache->lock);
+     if (link->ref_count != 0) {
+-      emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
+      if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count);
+     }
+     curr = icc_link_cache->head;
+     prev = NULL;
+--- a/base/gsmalloc.c
+++ b/base/gsmalloc.c
+@@ -419,7 +419,7 @@ gs_heap_resize_string(gs_memory_t * mem,
+                       client_name_t cname)
+ {
+     if (gs_heap_object_type(mem, data) != &st_bytes)
+-        lprintf2("%s: resizing non-string "PRI_INTPTR"!\n",
+        if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n",
+                  client_name_string(cname), (intptr_t)data);
+     return gs_heap_resize_object(mem, data, new_num, cname);
+ }
+--- a/base/gxclmem.c
+++ b/base/gxclmem.c
+@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const
+     /* leaks if other users of the memfile don't 'fclose with delete=true */
+     if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) {
+         /* TODO: do the cleanup rather than just giving an error */
+-        emprintf1(f->memory,
+-                  "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
+        if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n",
+                   (intptr_t)f);
+         return_error(gs_error_invalidfileaccess);
+     } else {
+--- a/base/gxcpath.c
+++ b/base/gxcpath.c
+@@ -172,8 +172,10 @@ gx_cpath_init_contained_shared(gx_clip_p
+ {
+     if (shared) {
+         if (shared->path.segments == &shared->path.local_segments) {
+#ifdef DEBUG
+             lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
+                      (intptr_t)shared);
+#endif
+             return_error(gs_error_Fatal);
+         }
+         *pcpath = *shared;
+@@ -230,8 +232,10 @@ gx_cpath_init_local_shared_nested(gx_cli
+     if (shared) {
+         if ((shared->path.segments == &shared->path.local_segments) &&
+             !safely_nested) {
+#ifdef DEBUG
+             lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n",
+                      (intptr_t)shared);
+#endif
+             return_error(gs_error_Fatal);
+         }
+         pcpath->path = shared->path;
+--- a/base/gxpath.c
+++ b/base/gxpath.c
+@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path *
+ {
+     if (shared) {
+         if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
+             lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
+                      (intptr_t)shared);
+#endif
+             return_error(gs_error_Fatal);
+         }
+         *ppath = *shared;
+@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * sha
+     ppath->procs = &default_path_procs;
+     if (shared) {
+         if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
+             lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
+                      (intptr_t)shared);
+#endif
+             gs_free_object(mem, ppath, cname);
+             return 0;
+         }
+@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppat
+ {
+     if (shared) {
+         if (shared->segments == &shared->local_segments) {
+#ifdef DEBUG
+             lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n",
+                      (intptr_t)shared);
+#endif
+             return_error(gs_error_Fatal);
+         }
+         *ppath = *shared;
+--- a/base/szlibc.c
+++ b/base/szlibc.c
+@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data)
+     gs_free_object(mem, data, "s_zlib_free(data)");
+     for (; ; block = block->next) {
+         if (block == 0) {
+#ifdef DEBUG
+             lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data);
+#endif
+             return;
+         }
+         if (block->data == data)
+--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
+@@ -1039,8 +1039,13 @@ upd_print_page(gx_device_printer *pdev,
+  */
+    if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) {
+ #if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS)
+#ifdef DEBUG
+          errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n",
+              (intptr_t)udev,(intptr_t) out);
+#else
+         errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
+             (intptr_t)udev,(intptr_t) out);
+#endif
+ #endif
+ 	 return_error(gs_error_undefined);
+    }
+--- a/devices/vector/gdevpdtb.c
+++ b/devices/vector/gdevpdtb.c
+@@ -371,7 +371,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev,
+             font_name.size -= SUBSET_PREFIX_SIZE;
+         }
+     } else {
+-        gs_sprintf(fnbuf, ".F" PRI_INTPTR, (intptr_t)copied);
+        gs_snprintf(fnbuf, sizeof(fnbuf), "Anonymous");
+         font_name.data = (byte *)fnbuf;
+         font_name.size = strlen(fnbuf);
+     }
+--- a/psi/ialloc.c
+++ b/psi/ialloc.c
+@@ -386,7 +386,7 @@ gs_free_ref_array(gs_ref_memory_t * mem,
+                 size = num_refs * sizeof(ref);
+                 break;
+             default:
+-                lprintf3("Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
+                if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!",
+                          r_type(parr), num_refs, (intptr_t)obj);
+                 return;
+         }
+--- a/psi/igc.c
+++ b/psi/igc.c
+@@ -1061,7 +1061,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_
+ 
+             if (cp == 0) {	/* We were tracing outside collectible */
+                 /* storage.  This can't happen. */
+-                lprintf1("mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
+                if_debug1('6', "mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n",
+                          (intptr_t)cptr);
+                 gs_abort(pstate->heap);
+             }
+@@ -1290,7 +1290,7 @@ igc_reloc_struct_ptr(const void /*obj_he
+ 
+             if (cp != 0 && cp->cbase <= (byte *)obj && (byte *)obj <cp->ctop) {
+                 if (back > (cp->ctop - cp->cbase) >> obj_back_shift) {
+-                    lprintf2("Invalid back pointer %u at "PRI_INTPTR"!\n",
+                    if_debug2('6', "Invalid back pointer %u at "PRI_INTPTR"!\n",
+                              back, (intptr_t)obj);
+                     gs_abort(NULL);
+                 }
+--- a/psi/igcstr.c
+++ b/psi/igcstr.c
+@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint si
+         return false;
+ #ifdef DEBUG
+     if (ptr - HDR_ID_OFFSET < cp->ctop) {
+-        lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+        if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+                  (intptr_t)ptr - HDR_ID_OFFSET, size, (intptr_t)cp->ctop, (intptr_t)cp->climit);
+         return false;
+     } else if (ptr + size > cp->climit) {	/*
+@@ -171,7 +171,7 @@ gc_string_mark(const byte * ptr, uint si
+         while (ptr - HDR_ID_OFFSET == scp->climit && scp->outer != 0)
+             scp = scp->outer;
+         if (ptr - HDR_ID_OFFSET + size > scp->climit) {
+-            lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+            if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n",
+                      (intptr_t)ptr - HDR_ID_OFFSET, size,
+                      (intptr_t)scp->ctop, (intptr_t)scp->climit);
+             return false;
+--- a/psi/iinit.c
+++ b/psi/iinit.c
+@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p)
+         if (def->proc != 0) {
+             code = def->proc(i_ctx_p);
+             if (code < 0) {
+#ifdef DEBUG
+                 lprintf2("op_init proc "PRI_INTPTR" returned error %d!\n",
+                          (intptr_t)def->proc, code);
+#else
+                lprintf("op_init proc returned error !\n");
+#endif
+                 return code;
+             }
+         }
+--- a/psi/imainarg.c
+++ b/psi/imainarg.c
+@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instanc
+                 if (gs_debug[':'] && !have_dumped_args) {
+                     int i;
+ 
+-                    dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
+                    if (gs_debug_c(gs_debug_flag_init_details))
+                        dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ",
+                               (intptr_t)minst);
+                     for (i=1; i<argc; i++)
+                         dmprintf1(minst->heap, "%s ", argv[i]);
+--- a/psi/isave.c
+++ b/psi/isave.c
+@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *me
+     else if (r_is_struct(pcont))
+         cp->offset = (byte *) where - (byte *) pcont->value.pstruct;
+     else {
+-        lprintf3("Bad type %u for save!  pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
+        if_debug3('u', "Bad type %u for save!  pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n",
+                  r_type(pcont), (intptr_t) pcont, (intptr_t) where);
+         gs_abort((const gs_memory_t *)mem);
+     }
+--- a/psi/iutil.c
+++ b/psi/iutil.c
+@@ -537,7 +537,11 @@ other:
+             break;
+         }
+         /* Internal operator, no name. */
+-        gs_sprintf(buf, "@"PRI_INTPTR, (intptr_t) op->value.opproc);
+#ifdef DEBUG
+        gs_snprintf(buf, sizeof(buf), "@"PRI_INTPTR, (intptr_t) op->value.opproc);
+#else
+        gs_snprintf(buf, sizeof(buf), "@anonymous_operator", (intptr_t) op->value.opproc);
+#endif
+         break;
+     }
+     case t_real:
--- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-2.patch
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29508-2.patch
@@ -0,0 +1,29 @@
+From d084021e06ba1caa1373fbbcf24a8510f43830ab Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Sat, 27 Jan 2024 09:30:30 +0000
+Subject: [PATCH] Coverity IDs 414141 & 414145
+
+These are the same problem reported two different ways. I forgot to
+remove the arguments to errprintf when I removed the format specifiers
+from the string as part of reviewing the pointer printing.
+
+CVE: CVE-2024-29508
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/ghostscript/commit/?h=ubuntu/focal-security&id=22b23aa6de7613a4d9c1da9c84d72427c9d0cf1a]
+Upstream commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ff1013a0ab485b66783b70145e342a82c670906a
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ devices/gdevupd.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/devices/gdevupd.c
+++ b/devices/gdevupd.c
+@@ -1043,8 +1043,7 @@ upd_print_page(gx_device_printer *pdev,
+          errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n",
+              (intptr_t)udev,(intptr_t) out);
+ #else
+-         errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n",
+-             (intptr_t)udev,(intptr_t) out);
+         errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n");
+ #endif
+ #endif
+ 	 return_error(gs_error_undefined);
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -54,6 +54,9 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                file://CVE-2024-29511-0002.patch \
                file://CVE-2024-29509.patch \
                file://CVE-2024-29506.patch \
+                file://CVE-2024-29508-1.patch \
+                file://CVE-2024-29508-2.patch \
+                file://CVE-2023-46361.patch \
 "

 SRC_URI = "${SRC_URI_BASE} \
--- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48957.patch
@@ -0,0 +1,33 @@
+From 3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Mon, 29 Apr 2024 06:53:19 +0900
+Subject: [PATCH] fix: OOB in rar audio filter (#2149)
+
+This patch ensures that `src` won't move ahead of `dst`, so `src` will
+not OOB. Similar situation like in a1cb648.
+
+CVE: CVE-2024-48957
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b]
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ libarchive/archive_read_support_format_rar.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 619ee81e2..4fc6626ca 100644
+--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
+@@ -3722,6 +3722,13 @@ execute_filter_audio(struct rar_filter *filter, struct rar_virtual_machine *vm)
+     memset(&state, 0, sizeof(state));
+     for (j = i; j < length; j += numchannels)
+     {
+      /*
+       * The src block should not overlap with the dst block.
+       * If so it would be better to consider this archive is broken.
+       */
+      if (src >= dst)
+        return 0;
+
+       int8_t delta = (int8_t)*src++;
+       uint8_t predbyte, byte;
+       int prederror;
--- a/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-48958.patch
@@ -0,0 +1,37 @@
+From a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 Mon Sep 17 00:00:00 2001
+From: Wei-Cheng Pan <legnaleurc@gmail.com>
+Date: Mon, 29 Apr 2024 06:50:22 +0900
+Subject: [PATCH] fix: OOB in rar delta filter (#2148)
+
+Ensure that `src` won't move ahead of `dst`, so `src` will not OOB.
+Since `dst` won't move in this function, and we are only increasing `src`
+position, this check should be enough. It should be safe to early return
+because this function does not allocate resources.
+
+CVE: CVE-2024-48958
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7]
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ libarchive/archive_read_support_format_rar.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 79669a8f4..619ee81e2 100644
+--- a/libarchive/archive_read_support_format_rar.c
+++ b/libarchive/archive_read_support_format_rar.c
+@@ -3612,7 +3612,15 @@ execute_filter_delta(struct rar_filter *filter, struct rar_virtual_machine *vm)
+   {
+     uint8_t lastbyte = 0;
+     for (idx = i; idx < length; idx += numchannels)
+    {
+      /*
+       * The src block should not overlap with the dst block.
+       * If so it would be better to consider this archive is broken.
+       */
+      if (src >= dst)
+        return 0;
+       lastbyte = dst[idx] = lastbyte - *src++;
+    }
+   }
+ 
+   filter->filteredblockaddress = length;
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -31,6 +31,8 @@ EXTRA_OECONF += "--enable-largefile --without-iconv"
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
           file://0001-pax-writer-fix-multiple-security-vulnerabilities.patch \
           file://CVE-2024-26256.patch \
+           file://CVE-2024-48957.patch \
+           file://CVE-2024-48958.patch \
           "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"

--- a/meta/recipes-extended/zip/zip-3.0/0001-configure-Include-dirent.h-for-closedir-opendir-APIs.patch
+++ b/meta/recipes-extended/zip/zip-3.0/0001-configure-Include-dirent.h-for-closedir-opendir-APIs.patch
@@ -0,0 +1,45 @@
+From 9db2f8cdbbc0dfb359d3b4e5dfe48c18652ce531 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 8 May 2024 19:02:46 -0700
+Subject: [PATCH] configure: Include dirent.h for closedir/opendir APIs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+GCC-14 is strict about function prototypes and since the
+testcase tries to compile/link opendir/closedir functions
+without including signatures, it fails to build the test
+due to missing signatures which come from dirent.h
+
+Therefore include the needed system header and make it more
+robust.
+
+Fixes
+a.c:2:21: error: implicit declaration of function ‘closedir’ [-Wimplicit-function-declaration]
+    2 | int main() { return closedir(opendir(".")); }
+      |                     ^~~~~~~~
+a.c:2:30: error: implicit declaration of function ‘opendir’ [-Wimplicit-function-declaration]
+    2 | int main() { return closedir(opendir(".")); }
+      |                              ^~~~~~~
+
+Upstream-Status: Inactive-Upstream
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ unix/configure | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/unix/configure b/unix/configure
+index f917086..1dd98c6 100644
+--- a/unix/configure
+++ b/unix/configure
+@@ -591,6 +591,7 @@ $CC $CFLAGS -c conftest.c >/dev/null 2>/dev/null
+ 
+ echo Check for directory libraries
+ cat > conftest.c << _EOF_
+#include <dirent.h>
+ int main() { return closedir(opendir(".")); }
+ _EOF_
+ 
+-- 
+2.45.0
+
--- a/meta/recipes-extended/zip/zip-3.0/0001-configure-Specify-correct-function-signatures-and-de.patch
+++ b/meta/recipes-extended/zip/zip-3.0/0001-configure-Specify-correct-function-signatures-and-de.patch
@@ -0,0 +1,134 @@
+From 8810f2643c9372a8083272dc1fc157427646d961 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 10 Aug 2022 17:16:23 -0700
+Subject: [PATCH 1/2] configure: Specify correct function signatures and
+ declarations
+
+Include needed system headers in configure tests, this is needed because
+newer compilers are getting stricter about the C99 specs and turning
+-Wimplicit-function-declaration into hard error e.g. clang-15+
+
+Upstream-Status: Inactive-Upstream
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ unix/configure | 79 +++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 66 insertions(+), 13 deletions(-)
+
+diff --git a/unix/configure b/unix/configure
+index 1d9a9bb..f2b3d02 100644
+--- a/unix/configure
+++ b/unix/configure
+@@ -513,21 +513,70 @@ $CC $CFLAGS -c conftest.c >/dev/null 2>/dev/null
+ # Check for missing functions
+ # add NO_'function_name' to flags if missing
+ 
+-for func in rmdir strchr strrchr rename mktemp mktime mkstemp
+-do
+-  echo Check for $func
+-  echo "int main(){ $func(); return 0; }" > conftest.c
+-  $CC $CFLAGS $LDFLAGS $BFLAG -o conftest conftest.c >/dev/null 2>/dev/null
+-  [ $? -ne 0 ] && CFLAGS="${CFLAGS} -DNO_`echo $func | tr '[a-z]' '[A-Z]'`"
+-done
+echo Check for rmdir
+cat > conftest.c << _EOF_
+#include <unistd.h>
+int main(){ rmdir(NULL); return 0; }
+_EOF_
+$CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null
+[ $? -ne 0 ] && CFLAGS="${CFLAGS} -DNO_RMDIR"
+
+echo Check for strchr
+cat > conftest.c << _EOF_
+#include <string.h>
+int main(){ strchr(NULL,0); return 0; }
+_EOF_
+$CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null
+[ $? -ne 0 ] && CFLAGS="${CFLAGS} -DNO_STRCHR"
+ 
+echo Check for strrchr
+cat > conftest.c << _EOF_
+#include <string.h>
+int main(){ strrchr(NULL,0); return 0; }
+_EOF_
+$CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null
+[ $? -ne 0 ] && CFLAGS="${CFLAGS} -DNO_STRRCHR"
+
+echo Check for rename
+cat > conftest.c << _EOF_
+#include <stdio.h>
+int main(){ rename(NULL,NULL); return 0; }
+_EOF_
+$CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null
+[ $? -ne 0 ] && CFLAGS="${CFLAGS} -DNO_RENAME"
+
+echo Check for mktemp
+cat > conftest.c << _EOF_
+#include <stdlib.h>
+int main(){ mktemp(NULL); return 0; }
+_EOF_
+$CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null
+[ $? -ne 0 ] && CFLAGS="${CFLAGS} -DNO_MKTEMP"
+
+echo Check for mktime
+cat > conftest.c << _EOF_
+#include <time.h>
+int main(){ mktime(NULL); return 0; }
+_EOF_
+$CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null
+[ $? -ne 0 ] && CFLAGS="${CFLAGS} -DNO_MKTIME"
+
+echo Check for mkstemp
+cat > conftest.c << _EOF_
+#include <stdlib.h>
+int main(){ return mkstemp(NULL); }
+_EOF_
+$CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null
+[ $? -ne 0 ] && CFLAGS="${CFLAGS} -DNO_MKSTEMP"
+ 
+ echo Check for memset
+-echo "int main(){ char k; memset(&k,0,0); return 0; }" > conftest.c
+cat > conftest.c << _EOF_
+#include <string.h>
+int main(){ char k; memset(&k,0,0); return 0; }
+_EOF_
+ $CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null
+ [ $? -ne 0 ] && CFLAGS="${CFLAGS} -DZMEM"
+ 
+-
+ echo Check for memmove
+ cat > conftest.c << _EOF_
+ #include <string.h>
+@@ -548,7 +597,7 @@ $CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null
+ echo Check for errno declaration
+ cat > conftest.c << _EOF_
+ #include <errno.h>
+-main()
+int main()
+ {
+   errno = 0;
+   return 0;
+@@ -625,14 +674,18 @@ CFLAGS="${CFLAGS} ${OPT}"
+ 
+ echo Check for valloc
+ cat > conftest.c << _EOF_
+-main()
+#include <stdlib.h>
+int main()
+ {
+ #ifdef MMAP
+-    valloc();
+    valloc(0);
+ #endif
+    return 0;
+ }
+ _EOF_
+-$CC ${CFLAGS} -c conftest.c > /dev/null 2>/dev/null
+#$CC ${CFLAGS} -c conftest.c > /dev/null 2>/dev/null
+$CC ${CFLAGS} -c conftest.c
+echo "==========================================="
+ [ $? -ne 0 ] && CFLAGS="${CFLAGS} -DNO_VALLOC"
+ 
+ 
+-- 
+2.37.1
+
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -17,7 +17,9 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/Zip%203.x%20%28latest%29/3.0/zip30.tar.
           file://0001-configure-use-correct-CPP.patch \
           file://0002-configure-support-PIC-code-build.patch \
           file://0001-configure-Use-CFLAGS-and-LDFLAGS-when-doing-link-tes.patch \
+           file://0001-configure-Specify-correct-function-signatures-and-de.patch \
           file://0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch \
+           file://0001-configure-Include-dirent.h-for-closedir-opendir-APIs.patch \
           "
 UPSTREAM_VERSION_UNKNOWN = "1"

--- a/meta/recipes-extended/zstd/zstd/CVE-2022-4899-1.patch
+++ b/meta/recipes-extended/zstd/zstd/CVE-2022-4899-1.patch
@@ -0,0 +1,66 @@
+From e1873ad576cb478fff0e6e44ad99599cd5fd2846 Mon Sep 17 00:00:00 2001
+From: Elliot Gorokhovsky <embg@fb.com>
+Date: Fri, 29 Jul 2022 11:10:47 -0700
+Subject: [PATCH 1/2] Fix buffer underflow for null dir1
+
+CVE: CVE-2022-4899
+Upstream-Status: Backport [https://github.com/facebook/zstd/pull/3220/commits/e1873ad576cb478fff0e6e44ad99599cd5fd2846]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ programs/util.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/programs/util.c b/programs/util.c
+index f53eb03fbe..b874344c4d 100644
+--- a/programs/util.c
+++ b/programs/util.c
+@@ -870,30 +870,30 @@ static const char * trimPath(const char *pathname)
+ 
+ static char* mallocAndJoin2Dir(const char *dir1, const char *dir2)
+ {
+-    const size_t dir1Size = strlen(dir1);
+-    const size_t dir2Size = strlen(dir2);
+-    char *outDirBuffer, *buffer, trailingChar;
+-
+     assert(dir1 != NULL && dir2 != NULL);
+-    outDirBuffer = (char *) malloc(dir1Size + dir2Size + 2);
+-    CONTROL(outDirBuffer != NULL);
+    {   const size_t dir1Size = strlen(dir1);
+        const size_t dir2Size = strlen(dir2);
+        char *outDirBuffer, *buffer;
+ 
+-    memcpy(outDirBuffer, dir1, dir1Size);
+-    outDirBuffer[dir1Size] = '\0';
+        outDirBuffer = (char *) malloc(dir1Size + dir2Size + 2);
+        CONTROL(outDirBuffer != NULL);
+ 
+-    if (dir2[0] == '.')
+-        return outDirBuffer;
+        memcpy(outDirBuffer, dir1, dir1Size);
+        outDirBuffer[dir1Size] = '\0';
+ 
+-    buffer = outDirBuffer + dir1Size;
+-    trailingChar = *(buffer - 1);
+-    if (trailingChar != PATH_SEP) {
+-        *buffer = PATH_SEP;
+-        buffer++;
+-    }
+-    memcpy(buffer, dir2, dir2Size);
+-    buffer[dir2Size] = '\0';
+        if (dir2[0] == '.')
+            return outDirBuffer;
+ 
+-    return outDirBuffer;
+        buffer = outDirBuffer + dir1Size;
+        if (dir1Size > 0 && *(buffer - 1) != PATH_SEP) {
+            *buffer = PATH_SEP;
+            buffer++;
+        }
+        memcpy(buffer, dir2, dir2Size);
+        buffer[dir2Size] = '\0';
+
+        return outDirBuffer;
+    }
+ }
+ 
+ /* this function will return NULL if input srcFileName is not valid name for mirrored output path */
--- a/meta/recipes-extended/zstd/zstd/CVE-2022-4899-2.patch
+++ b/meta/recipes-extended/zstd/zstd/CVE-2022-4899-2.patch
@@ -0,0 +1,83 @@
+From f9f27de91c89d826c6a39c3ef44fb1b02f9a43aa Mon Sep 17 00:00:00 2001
+From: Elliot Gorokhovsky <embg@fb.com>
+Date: Fri, 29 Jul 2022 14:44:22 -0700
+Subject: [PATCH 2/2] Disallow empty output directory
+
+CVE: CVE-2022-4899
+Upstream-Status: Backport [https://github.com/facebook/zstd/pull/3220/commits/f9f27de91c89d826c6a39c3ef44fb1b02f9a43aa]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ programs/zstdcli.c                             | 18 ++++++++++++++++--
+ tests/cli-tests/basic/output_dir.sh            |  7 +++++++
+ .../cli-tests/basic/output_dir.sh.stderr.exact |  2 ++
+ .../cli-tests/basic/output_dir.sh.stdout.exact |  2 ++
+ 4 files changed, 27 insertions(+), 2 deletions(-)
+ create mode 100755 tests/cli-tests/basic/output_dir.sh
+ create mode 100644 tests/cli-tests/basic/output_dir.sh.stderr.exact
+ create mode 100644 tests/cli-tests/basic/output_dir.sh.stdout.exact
+
+diff --git a/programs/zstdcli.c b/programs/zstdcli.c
+index fbacb908a9..1143ac3fe8 100644
+--- a/programs/zstdcli.c
+++ b/programs/zstdcli.c
+@@ -990,7 +990,14 @@ int main(int argCount, const char* argv[])
+                 if (longCommandWArg(&argument, "--stream-size=")) { streamSrcSize = readSizeTFromChar(&argument); continue; }
+                 if (longCommandWArg(&argument, "--target-compressed-block-size=")) { targetCBlockSize = readSizeTFromChar(&argument); continue; }
+                 if (longCommandWArg(&argument, "--size-hint=")) { srcSizeHint = readSizeTFromChar(&argument); continue; }
+-                if (longCommandWArg(&argument, "--output-dir-flat")) { NEXT_FIELD(outDirName); continue; }
+                if (longCommandWArg(&argument, "--output-dir-flat")) {
+                    NEXT_FIELD(outDirName);
+                    if (strlen(outDirName) == 0) {
+                        DISPLAY("error: output dir cannot be empty string (did you mean to pass '.' instead?)\n");
+                        CLEAN_RETURN(1);
+                    }
+                    continue;
+                }
+ #ifdef ZSTD_MULTITHREAD
+                 if (longCommandWArg(&argument, "--auto-threads")) {
+                     const char* threadDefault = NULL;
+@@ -1001,7 +1008,14 @@ int main(int argCount, const char* argv[])
+                 }
+ #endif
+ #ifdef UTIL_HAS_MIRRORFILELIST
+-                if (longCommandWArg(&argument, "--output-dir-mirror")) { NEXT_FIELD(outMirroredDirName); continue; }
+                if (longCommandWArg(&argument, "--output-dir-mirror")) {
+                    NEXT_FIELD(outMirroredDirName);
+                    if (strlen(outMirroredDirName) == 0) {
+                        DISPLAY("error: output dir cannot be empty string (did you mean to pass '.' instead?)\n");
+                        CLEAN_RETURN(1);
+                    }
+                    continue;
+                }
+ #endif
+ #ifndef ZSTD_NOTRACE
+                 if (longCommandWArg(&argument, "--trace")) { char const* traceFile; NEXT_FIELD(traceFile); TRACE_enable(traceFile); continue; }
+diff --git a/tests/cli-tests/basic/output_dir.sh b/tests/cli-tests/basic/output_dir.sh
+new file mode 100755
+index 0000000000..a8819d2926
+--- /dev/null
+++ b/tests/cli-tests/basic/output_dir.sh
+@@ -0,0 +1,7 @@
+#!/bin/sh
+
+println "+ zstd -r * --output-dir-mirror=\"\""
+zstd -r * --output-dir-mirror="" && die "Should not allow empty output dir!"
+println "+ zstd -r * --output-dir-flat=\"\""
+zstd -r * --output-dir-flat="" && die "Should not allow empty output dir!"
+exit 0
+diff --git a/tests/cli-tests/basic/output_dir.sh.stderr.exact b/tests/cli-tests/basic/output_dir.sh.stderr.exact
+new file mode 100644
+index 0000000000..e12b50427c
+--- /dev/null
+++ b/tests/cli-tests/basic/output_dir.sh.stderr.exact
+@@ -0,0 +1,2 @@
+error: output dir cannot be empty string (did you mean to pass '.' instead?)
+error: output dir cannot be empty string (did you mean to pass '.' instead?)
+diff --git a/tests/cli-tests/basic/output_dir.sh.stdout.exact b/tests/cli-tests/basic/output_dir.sh.stdout.exact
+new file mode 100644
+index 0000000000..1e478cd753
+--- /dev/null
+++ b/tests/cli-tests/basic/output_dir.sh.stdout.exact
+@@ -0,0 +1,2 @@
++ zstd -r * --output-dir-mirror=""
++ zstd -r * --output-dir-flat=""
--- a/meta/recipes-extended/zstd/zstd_1.5.2.bb
+++ b/meta/recipes-extended/zstd/zstd_1.5.2.bb
@@ -9,7 +9,10 @@ LICENSE = "BSD-3-Clause | GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c7f0b161edbe52f5f345a3d1311d0b32 \
                    file://COPYING;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0"

-SRC_URI = "git://github.com/facebook/zstd.git;branch=release;protocol=https"
+SRC_URI = "git://github.com/facebook/zstd.git;branch=release;protocol=https \
+    file://CVE-2022-4899-1.patch \
+    file://CVE-2022-4899-2.patch \
+"

 SRCREV = "e47e674cd09583ff0503f0f6defd6d23d8b718d3"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
--- a/meta/recipes-graphics/kmscube/kmscube/0001-drm-common.c-do-not-use-invalid-modifier.patch
+++ b/meta/recipes-graphics/kmscube/kmscube/0001-drm-common.c-do-not-use-invalid-modifier.patch
@@ -0,0 +1,31 @@
+From 23e3ab9b32258bfffd302769fdd290008da8277e Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 8 Aug 2022 20:22:39 +0200
+Subject: [PATCH] drm-common.c: do not use invalid modifier
+
+Prior to kernel 5.19 this was a soft failure, but 5.19
+adds checks that result in a hard syscall fail.
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/mesa/kmscube/-/commit/23e3ab9b32258bfffd302769fdd290008da8277e]
+Signed-off-by: Randolph Sapp <rs@ti.com>
+
+---
+ drm-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drm-common.c b/drm-common.c
+index eb5ac20..e736922 100644
+--- a/drm-common.c
+++ b/drm-common.c
+@@ -92,7 +92,7 @@ struct drm_fb * drm_fb_get_from_bo(struct gbm_bo *bo)
+ 			modifiers[i] = modifiers[0];
+ 		}
+ 
+-		if (modifiers[0]) {
+		if (modifiers[0] && modifiers[0] != DRM_FORMAT_MOD_INVALID) {
+ 			flags = DRM_MODE_FB_MODIFIERS;
+ 			printf("Using modifier %" PRIx64 "\n", modifiers[0]);
+ 		}
+-- 
+2.46.0
+
--- a/meta/recipes-graphics/kmscube/kmscube_git.bb
+++ b/meta/recipes-graphics/kmscube/kmscube_git.bb
@@ -14,6 +14,7 @@ SRCREV = "9f63f359fab1b5d8e862508e4e51c9dfe339ccb0"
 SRC_URI = "git://gitlab.freedesktop.org/mesa/kmscube;branch=master;protocol=https \
           file://0001-texturator-Use-correct-GL-extension-header.patch \
           file://0001-common-fix-cast-type-in-init_egl.patch \
+           file://0001-drm-common.c-do-not-use-invalid-modifier.patch \
 "
 UPSTREAM_CHECK_COMMITS = "1"

--- a/Show More
+++ b/Show More