migration-guides: add release notes for 4.0.32

(From yocto-docs rev: 398a2a080361eb22b9c447dbde31fca58bf4e0bb) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 095981c08b9d63905472df5d1d60c07af96f0250) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dev-manual/packages.rst: fix example recipe version
2026-02-20 16:39:40 +01:00 · 2026-02-12 17:00:21 +00:00 · 2026-02-12 17:00:21 +00:00 · 2026-02-12 17:00:21 +00:00 · 2026-02-12 17:00:21 +00:00 · 2026-02-12 17:00:21 +00:00
254 changed files with 20072 additions and 1392 deletions
--- a/documentation/contributor-guide/recipe-style-guide.rst
+++ b/documentation/contributor-guide/recipe-style-guide.rst
@@ -221,6 +221,20 @@ Recipes need to define both the :term:`LICENSE` and
   ``meta/files/common-licenses/`` or the :term:`SPDXLICENSEMAP` flag names
   defined in ``meta/conf/licenses.conf``.

+   .. note::
+
+      Setting a :term:`LICENSE` in a recipe applies to the software to be built
+      by this recipe, not to the recipe file itself. The license of recipes,
+      configuration files and scripts should also be clearly specified, for
+      example via comments or via a license found in the :term:`layer` that
+      holds these files. These license files are usually found at the root of
+      the layer. Exceptions should be clearly stated in the layer README or
+      LICENSE file.
+
+      For example, the :term:`OpenEmbedded-Core (OE-Core)` layer provides both
+      the GPL-2.0-only and MIT license files, and a "LICENSE" file to explain
+      how these two licenses are attributed to files found in the layer.
+
 -  :term:`LIC_FILES_CHKSUM`: The OpenEmbedded build system uses this
   variable to make sure the license text has not changed. If it has,
   the build produces an error and it affords you the chance to figure
--- a/documentation/contributor-guide/submit-changes.rst
+++ b/documentation/contributor-guide/submit-changes.rst
@@ -123,110 +123,116 @@ to add the upgraded version.

      $ git commit -s file1 file2 dir1 dir2 ...

-   To include **a**\ ll staged files::
+   To include all staged files::

      $ git commit -sa

-   -  The ``-s`` option of ``git commit`` adds a "Signed-off-by:" line
-      to your commit message. There is the same requirement for contributing
-      to the Linux kernel. Adding such a line signifies that you, the
-      submitter, have agreed to the `Developer's Certificate of Origin 1.1
-      <https://www.kernel.org/doc/html/latest/process/submitting-patches.html#sign-your-work-the-developer-s-certificate-of-origin>`__
-      as follows:
+   #.  The ``-s`` option of ``git commit`` adds a "Signed-off-by:" line
+       to your commit message. There is the same requirement for contributing
+       to the Linux kernel. Adding such a line signifies that you, the
+       submitter, have agreed to the `Developer's Certificate of Origin 1.1
+       <https://www.kernel.org/doc/html/latest/process/submitting-patches.html#sign-your-work-the-developer-s-certificate-of-origin>`__
+       as follows:

-      .. code-block:: none
+       .. code-block:: none

-         Developer's Certificate of Origin 1.1
+          Developer's Certificate of Origin 1.1

-         By making a contribution to this project, I certify that:
+          By making a contribution to this project, I certify that:

-         (a) The contribution was created in whole or in part by me and I
-             have the right to submit it under the open source license
-             indicated in the file; or
+          (a) The contribution was created in whole or in part by me and I
+              have the right to submit it under the open source license
+              indicated in the file; or

-         (b) The contribution is based upon previous work that, to the best
-             of my knowledge, is covered under an appropriate open source
-             license and I have the right under that license to submit that
-             work with modifications, whether created in whole or in part
-             by me, under the same open source license (unless I am
-             permitted to submit under a different license), as indicated
-             in the file; or
+          (b) The contribution is based upon previous work that, to the best
+              of my knowledge, is covered under an appropriate open source
+              license and I have the right under that license to submit that
+              work with modifications, whether created in whole or in part
+              by me, under the same open source license (unless I am
+              permitted to submit under a different license), as indicated
+              in the file; or

-         (c) The contribution was provided directly to me by some other
-             person who certified (a), (b) or (c) and I have not modified
-             it.
+          (c) The contribution was provided directly to me by some other
+              person who certified (a), (b) or (c) and I have not modified
+              it.

-         (d) I understand and agree that this project and the contribution
-             are public and that a record of the contribution (including all
-             personal information I submit with it, including my sign-off) is
-             maintained indefinitely and may be redistributed consistent with
-             this project or the open source license(s) involved.
+          (d) I understand and agree that this project and the contribution
+              are public and that a record of the contribution (including all
+              personal information I submit with it, including my sign-off) is
+              maintained indefinitely and may be redistributed consistent with
+              this project or the open source license(s) involved.

-   -  Provide a single-line summary of the change and, if more
-      explanation is needed, provide more detail in the body of the
-      commit. This summary is typically viewable in the "shortlist" of
-      changes. Thus, providing something short and descriptive that
-      gives the reader a summary of the change is useful when viewing a
-      list of many commits. You should prefix this short description
-      with the recipe name (if changing a recipe), or else with the
-      short form path to the file being changed.
+   #.  Provide a single-line summary of the change and, if more
+       explanation is needed, provide more detail in the description of the
+       commit. This summary is typically viewable in the "shortlist" of
+       changes. Thus, providing something short and descriptive that
+       gives the reader a summary of the change is useful when viewing a
+       list of many commits. You should prefix this short description
+       with the recipe name (if changing a recipe), or else with the
+       short form path to the file being changed.
+
+       .. note::
+
+          To find a suitable prefix for the commit summary, a good idea
+          is to look for prefixes used in previous commits touching the
+          same files or directories::
+
+             git log --oneline <paths>
+
+   #.  For the commit description, provide detailed information
+       that describes what you changed, why you made the change, and the
+       approach you used. It might also be helpful if you mention how you
+       tested the change. Provide as much detail as you can in the commit
+       description.
+
+       .. note::
+
+          If the single line summary is enough to describe a simple
+          change, the commit description can be left empty.
+
+   #.  If the change addresses a specific bug or issue that is associated
+       with a bug-tracking ID, include a reference to that ID in the body of the
+       commit message. For example, the Yocto Project uses a
+       specific convention for bug references --- any commit that addresses
+       a specific bug should use the following form for the body of the commit
+       message. Be sure to use the actual bug-tracking ID from
+       Bugzilla for bug-id::
+
+          single-line summary of change
+
+          Fixes [YOCTO #bug-id]
+
+          detailed description of change
+
+   #. If other people participated in this patch, add some tags to the commit
+      description to credit other contributors to the change:
+
+      -  ``Reported-by``: name and email of a person reporting a bug
+         that your commit is trying to fix. This is a good practice
+         to encourage people to go on reporting bugs and let them
+         know that their reports are taken into account.
+
+      -  ``Suggested-by``: name and email of a person to credit for the
+         idea of making the change.
+
+      -  ``Tested-by``, ``Reviewed-by``: name and email for people having
+         tested your changes or reviewed their code. These fields are
+         usually added by the maintainer accepting a patch, or by
+         yourself if you submitted your patches to early reviewers,
+         or are submitting an unmodified patch again as part of a
+         new iteration of your patch series.
+
+      -  ``Cc``: name and email of people you want to send a copy
+         of your changes to. This field will be used by ``git send-email``.
+
+      See `more guidance about using such tags
+      <https://www.kernel.org/doc/html/latest/process/submitting-patches.html#using-reported-by-tested-by-reviewed-by-suggested-by-and-fixes>`__
+      in the Linux kernel documentation.

      .. note::

-         To find a suitable prefix for the commit summary, a good idea
-         is to look for prefixes used in previous commits touching the
-         same files or directories::
-
-            git log --oneline <paths>
-
-   -  For the body of the commit message, provide detailed information
-      that describes what you changed, why you made the change, and the
-      approach you used. It might also be helpful if you mention how you
-      tested the change. Provide as much detail as you can in the body
-      of the commit message.
-
-      .. note::
-
-         If the single line summary is enough to describe a simple
-         change, the body of the commit message can be left empty.
-
-   -  If the change addresses a specific bug or issue that is associated
-      with a bug-tracking ID, include a reference to that ID in your
-      detailed description. For example, the Yocto Project uses a
-      specific convention for bug references --- any commit that addresses
-      a specific bug should use the following form for the detailed
-      description. Be sure to use the actual bug-tracking ID from
-      Bugzilla for bug-id::
-
-         Fixes [YOCTO #bug-id]
-
-         detailed description of change
-
-#. *Crediting contributors:* By using the ``git commit --amend`` command,
-   you can add some tags to the commit description to credit other contributors
-   to the change:
-
-   -  ``Reported-by``: name and email of a person reporting a bug
-      that your commit is trying to fix. This is a good practice
-      to encourage people to go on reporting bugs and let them
-      know that their reports are taken into account.
-
-   -  ``Suggested-by``: name and email of a person to credit for the
-      idea of making the change.
-
-   -  ``Tested-by``, ``Reviewed-by``: name and email for people having
-      tested your changes or reviewed their code. These fields are
-      usually added by the maintainer accepting a patch, or by
-      yourself if you submitted your patches to early reviewers,
-      or are submitting an unmodified patch again as part of a
-      new iteration of your patch series.
-
-   -  ``CC:`` Name and email of people you want to send a copy
-      of your changes to. This field will be used by ``git send-email``.
-
-   See `more guidance about using such tags
-   <https://www.kernel.org/doc/html/latest/process/submitting-patches.html#using-reported-by-tested-by-reviewed-by-suggested-by-and-fixes>`__
-   in the Linux kernel documentation.
+         One can amend an existing git commit message to add missing tags for
+         contributors with the ``git commit --amend`` command.

 Test your changes
 -----------------
@@ -650,8 +656,8 @@ backported to a stable branch unless the bug in question does not affect the
 master branch or the fix on the master branch is unsuitable for backporting.

 The list of stable branches along with the status and maintainer for each
-branch can be obtained from the
-:yocto_wiki:`Releases wiki page </Releases>`.
+branch can be obtained from the :yocto_home:`Releases </development/releases/>`
+page.

 .. note::

--- a/documentation/dev-manual/building.rst
+++ b/documentation/dev-manual/building.rst
@@ -909,6 +909,11 @@ to point to that directory::

   EXTERNALSRC_BUILD:pn-myrecipe = "path-to-your-source-tree"

+.. note::
+
+   The values of :term:`EXTERNALSRC` and :term:`EXTERNALSRC_BUILD`
+   must be absolute paths.
+
 Replicating a Build Offline
 ===========================

--- a/documentation/dev-manual/debugging.rst
+++ b/documentation/dev-manual/debugging.rst
@@ -111,17 +111,17 @@ occurred in your project. Perhaps an attempt to :ref:`modify a variable
 <bitbake-user-manual/bitbake-user-manual-metadata:modifying existing
 variables>` did not work out as expected.

-BitBake's ``-e`` option is used to display variable values after
-parsing. The following command displays the variable values after the
-configuration files (i.e. ``local.conf``, ``bblayers.conf``,
+BitBake's ``bitbake-getvar`` command is used to display variable values after
+parsing. The following command displays the variable value for :term:`OVERRIDES`
+after the configuration files (i.e. ``local.conf``, ``bblayers.conf``,
 ``bitbake.conf`` and so forth) have been parsed::

-   $ bitbake -e
+   $ bitbake-getvar OVERRIDES

-The following command displays variable values after a specific recipe has
-been parsed. The variables include those from the configuration as well::
+The following command displays the value of :term:`PV` after a specific recipe
+has been parsed::

-   $ bitbake -e recipename
+   $ bitbake-getvar -r recipename PV

 .. note::

@@ -135,19 +135,25 @@ been parsed. The variables include those from the configuration as well::
   the recipe datastore, which means that variables set within one task
   will not be visible to other tasks.

-In the output of ``bitbake -e``, each variable is preceded by a
-description of how the variable got its value, including temporary
-values that were later overridden. This description also includes
-variable flags (varflags) set on the variable. The output can be very
+In the output of ``bitbake-getvar``, the line containing the value of the
+variable is preceded by a description of how the variable got its value,
+including temporary values that were later overridden. This description also
+includes variable flags (varflags) set on the variable. The output can be very
 helpful during debugging.

 Variables that are exported to the environment are preceded by
-``export`` in the output of ``bitbake -e``. See the following example::
+``export`` in the output of ``bitbake-getvar``. See the following example::

   export CC="i586-poky-linux-gcc -m32 -march=i586 --sysroot=/home/ulf/poky/build/tmp/sysroots/qemux86"

-In addition to variable values, the output of the ``bitbake -e`` and
-``bitbake -e`` recipe commands includes the following information:
+Shell functions and tasks can also be inspected with the same mechanism::
+
+   $ bitbake-getvar -r recipename do_install
+
+For Python functions and tasks, ``bitbake -e recipename`` can be used instead.
+
+Moreover, the output of the ``bitbake -e`` and ``bitbake -e`` recipe commands
+includes the following information:

 -  The output starts with a tree listing all configuration files and
   classes included globally, recursively listing the files they include
--- a/documentation/dev-manual/index.rst
+++ b/documentation/dev-manual/index.rst
@@ -41,7 +41,6 @@ Yocto Project Development Tasks Manual
   build-quality
   debugging
   licenses
-   security-subjects
   vulnerabilities
   sbom
   error-reporting-tool
--- a/documentation/dev-manual/layers.rst
+++ b/documentation/dev-manual/layers.rst
@@ -123,10 +123,9 @@ Follow these general steps to create your layer without using tools:
      Lists all layers on which this layer depends (if any).

   -  :term:`LAYERSERIES_COMPAT`:
-      Lists the :yocto_wiki:`Yocto Project </Releases>`
-      releases for which the current version is compatible. This
-      variable is a good way to indicate if your particular layer is
-      current.
+      Lists the :yocto_home:`Yocto Project releases </development/releases/>`
+      for which the current version is compatible. This variable is a good
+      way to indicate if your particular layer is current.


   .. note::
@@ -822,6 +821,8 @@ The following list describes the available commands:

 -  ``create-layer``: Creates a basic layer.

+-  ``show-machines``: Lists the machines available in the currently configured layers.
+
 Creating a General Layer Using the ``bitbake-layers`` Script
 ============================================================

--- a/documentation/dev-manual/new-recipe.rst
+++ b/documentation/dev-manual/new-recipe.rst
@@ -83,19 +83,20 @@ command::
   OpenEmbedded recipe tool

   options:
-     -d, --debug     Enable debug output
-     -q, --quiet     Print only errors
-     --color COLOR   Colorize output (where COLOR is auto, always, never)
-     -h, --help      show this help message and exit
+     -d, --debug       Enable debug output
+     -q, --quiet       Print only errors
+     --color COLOR     Colorize output (where COLOR is auto, always, never)
+     -h, --help        show this help message and exit

   subcommands:
-     create          Create a new recipe
-     newappend       Create a bbappend for the specified target in the specified
-                       layer
-     setvar          Set a variable within a recipe
-     appendfile      Create/update a bbappend to replace a target file
-     appendsrcfiles  Create/update a bbappend to add or replace source files
-     appendsrcfile   Create/update a bbappend to add or replace a source file
+     newappend         Create a bbappend for the specified target in the specified layer
+     create            Create a new recipe
+     setvar            Set a variable within a recipe
+     appendfile        Create/update a bbappend to replace a target file
+     appendsrcfiles    Create/update a bbappend to add or replace source files
+     appendsrcfile     Create/update a bbappend to add or replace a source file
+     edit              Edit the recipe and appends for the specified target. This obeys $VISUAL if set,
+                       otherwise $EDITOR, otherwise vi.
   Use recipetool <subcommand> --help to get help on a specific command

 Running ``recipetool create -o OUTFILE`` creates the base recipe and
@@ -218,9 +219,9 @@ compilation and packaging files, and so forth.

 The path to the per-recipe temporary work directory depends on the
 context in which it is being built. The quickest way to find this path
-is to have BitBake return it by running the following::
+is to use the ``bitbake-getvar`` utility::

-   $ bitbake -e basename | grep ^WORKDIR=
+   $ bitbake-getvar -r basename WORKDIR

 As an example, assume a Source Directory
 top-level folder named ``poky``, a default :term:`Build Directory` at
@@ -438,7 +439,7 @@ Licensing
 =========

 Your recipe needs to define variables related to the license
-under whith the software is distributed. See the
+under which the software is distributed. See the
 :ref:`contributor-guide/recipe-style-guide:recipe license fields`
 section in the Contributor Guide for details.

--- a/documentation/dev-manual/packages.rst
+++ b/documentation/dev-manual/packages.rst
@@ -279,8 +279,23 @@ with a number. The number used depends on the state of the PR Service:

   .. code-block:: none

-      hello-world-git_0.0+git0+b6558dd387-r0.0_armv7a-neon.ipk
-      hello-world-git_0.0+git1+dd2f5c3565-r0.0_armv7a-neon.ipk
+      hello-world-git_1.0+git0+b6558dd387-r0.0_armv7a-neon.ipk
+      hello-world-git_1.0+git1+dd2f5c3565-r0.1_armv7a-neon.ipk
+
+   Two numbers got incremented here:
+
+   -  ``gitX`` changed from ``git0`` to ``git1``. This is because there was a
+      change in the source code (``SRCREV``).
+
+   -  ``r0.X`` changed from ``r0.0`` to ``r0.1``. This is because the hash of
+      the :ref:`ref-tasks-package` task changed.
+
+      The reason for this change can be many. To understand why the hash of the
+      :ref:`ref-tasks-package` task changed, you can run the following command:
+
+      .. code-block:: console
+
+         $ bitbake-diffsigs -t hello-world package

 -  If PR Service is not enabled, the build system replaces the
   ``AUTOINC`` placeholder with zero (i.e. "0"). This results in
@@ -290,8 +305,8 @@ with a number. The number used depends on the state of the PR Service:

   .. code-block:: none

-      hello-world-git_0.0+git0+b6558dd387-r0.0_armv7a-neon.ipk
-      hello-world-git_0.0+git0+dd2f5c3565-r0.0_armv7a-neon.ipk
+      hello-world-git_1.0+git0+b6558dd387-r0_armv7a-neon.ipk
+      hello-world-git_1.0+git0+dd2f5c3565-r0_armv7a-neon.ipk

 In summary, the OpenEmbedded build system does not track the history of
 binary package versions for this purpose. ``AUTOINC``, in this case, is
--- a/documentation/dev-manual/security-subjects.rst
+++ b/documentation/dev-manual/security-subjects.rst
@@ -1,194 +0,0 @@
-.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
-
-Dealing with Vulnerability Reports
-**********************************
-
-The Yocto Project and OpenEmbedded are open-source, community-based projects
-used in numerous products. They assemble multiple other open-source projects,
-and need to handle security issues and practices both internal (in the code
-maintained by both projects), and external (maintained by other projects and
-organizations).
-
-This manual assembles security-related information concerning the whole
-ecosystem. It includes information on reporting a potential security issue,
-the operation of the YP Security team and how to contribute in the
-related code. It is written to be useful for both security researchers and
-YP developers.
-
-How to report a potential security vulnerability?
-=================================================
-
-If you would like to report a public issue (for example, one with a released
-CVE number), please report it using the
-:yocto_bugs:`Security Bugzilla </enter_bug.cgi?product=Security>`.
-
-If you are dealing with a not-yet-released issue, or an urgent one, please send
-a message to security AT yoctoproject DOT org, including as many details as
-possible: the layer or software module affected, the recipe and its version,
-and any example code, if available. This mailing list is monitored by the
-Yocto Project Security team.
-
-For each layer, you might also look for specific instructions (if any) for
-reporting potential security issues in the specific ``SECURITY.md`` file at the
-root of the repository. Instructions on how and where submit a patch are
-usually available in ``README.md``. If this is your first patch to the
-Yocto Project/OpenEmbedded, you might want to have a look into the
-Contributor's Manual section
-":ref:`contributor-guide/submit-changes:preparing changes for submission`".
-
-Branches maintained with security fixes
---------------------------------------
-
-See the
-:ref:`Release process <ref-manual/release-process:Stable Release Process>`
-documentation for details regarding the policies and maintenance of stable
-branches.
-
-The :yocto_wiki:`Releases page </Releases>` contains a list
-of all releases of the Yocto Project. Versions in gray are no longer actively
-maintained with security patches, but well-tested patches may still be accepted
-for them for significant issues.
-
-Security-related discussions at the Yocto Project
-------------------------------------------------
-
-We have set up two security-related emails/mailing lists:
-
-  -  Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org
-
-     This is a public mailing list for anyone to subscribe to. This list is an
-     open list to discuss public security issues/patches and security-related
-     initiatives. For more information, including subscription information,
-     please see the  :yocto_lists:`yocto-security mailing list info page
-     </g/yocto-security>`.
-
-     This list requires moderator approval for new topics to be posted, to avoid
-     private security reports to be posted by mistake.
-
-  -  Yocto Project Security Team: security [at] yoctoproject [dot] org
-
-     This is an email for reporting non-published potential vulnerabilities.
-     Emails sent to this address are forwarded to the Yocto Project Security
-     Team members.
-
-
-What you should do if you find a security vulnerability
-------------------------------------------------------
-
-If you find a security flaw: a crash, an information leakage, or anything that
-can have a security impact if exploited in any Open Source software built or
-used by the Yocto Project, please report this to the Yocto Project Security
-Team. If you prefer to contact the upstream project directly, please send a
-copy to the security team at the Yocto Project as well. If you believe this is
-highly sensitive information, please report the vulnerability in a secure way,
-i.e. encrypt the email and send it to the private list. This ensures that
-the exploit is not leaked and exploited before a response/fix has been generated.
-
-Security team
-=============
-
-The Yocto Project/OpenEmbedded security team coordinates the work on security
-subjects in the project. All general discussion takes place publicly. The
-Security Team only uses confidential communication tools to deal with private
-vulnerability reports before they are released.
-
-Security team appointment
-------------------------
-
-The Yocto Project Security Team consists of at least three members. When new
-members are needed, the Yocto Project Technical Steering Committee (YP TSC)
-asks for nominations by public channels including a nomination deadline.
-Self-nominations are possible. When the limit time is
-reached, the YP TSC posts the list of candidates for the comments of project
-participants and developers. Comments may be sent publicly or privately to the
-YP and OE TSCs. The candidates are approved by both YP TSC and OpenEmbedded
-Technical Steering Committee (OE TSC) and the final list of the team members
-is announced publicly. The aim is to have people representing technical
-leadership, security knowledge and infrastructure present with enough people
-to provide backup/coverage but keep the notification list small enough to
-minimize information risk and maintain trust.
-
-YP Security Team members may resign at any time.
-
-Security Team Operations
------------------------
-
-The work of the Security Team might require high confidentiality. Team members
-are individuals selected by merit and do not represent the companies they work
-for. They do not share information about confidential issues outside of the team
-and do not hint about ongoing embargoes.
-
-Team members can bring in domain experts as needed. Those people should be
-added to individual issues only and adhere to the same standards as the YP
-Security Team.
-
-The YP security team organizes its meetings and communication as needed.
-
-When the YP Security team receives a report about a potential security
-vulnerability, they quickly analyze and notify the reporter of the result.
-They might also request more information.
-
-If the issue is confirmed and affects the code maintained by the YP, they
-confidentially notify maintainers of that code and work with them to prepare
-a fix.
-
-If the issue is confirmed and affects an upstream project, the YP security team
-notifies the project. Usually, the upstream project analyzes the problem again.
-If they deem it a real security problem in their software, they develop and
-release a fix following their security policy. They may want to include the
-original reporter in the loop. There is also sometimes some coordination for
-handling patches, backporting patches etc, or just understanding the problem
-or what caused it.
-
-When the fix is publicly available, the YP security team member or the
-package maintainer sends patches against the YP code base, following usual
-procedures, including public code review.
-
-What Yocto Security Team does when it receives a security vulnerability
-----------------------------------------------------------------------
-
-The YP Security Team team performs a quick analysis and would usually report
-the flaw to the upstream project. Normally the upstream project analyzes the
-problem. If they deem it a real security problem in their software, they
-develop and release a fix following their own security policy. They may want
-to include the original reporter in the loop. There is also sometimes some
-coordination for handling patches, backporting patches etc, or just
-understanding the problem or what caused it.
-
-The security policy of the upstream project might include a notification to
-Linux distributions or other important downstream projects in advance to
-discuss coordinated disclosure. These mailing lists are normally non-public.
-
-When the upstream project releases a version with the fix, they are responsible
-for contacting `Mitre <https://www.cve.org/>`__ to get a CVE number assigned and
-the CVE record published.
-
-If an upstream project does not respond quickly
-----------------------------------------------
-
-If an upstream project does not fix the problem in a reasonable time,
-the Yocto's Security Team will contact other interested parties (usually
-other distributions) in the community and together try to solve the
-vulnerability as quickly as possible.
-
-The Yocto Project Security team adheres to the 90 days disclosure policy
-by default. An increase of the embargo time is possible when necessary.
-
-Current Security Team members
-----------------------------
-
-For secure communications, please send your messages encrypted using the GPG
-keys. Remember, message headers are not encrypted so do not include sensitive
-information in the subject line.
-
-  -  Ross Burton: <ross@burtonini.com> `Public key <https://keys.openpgp.org/search?q=ross%40burtonini.com>`__
-
-  -  Michael Halstead: <mhalstead [at] linuxfoundation [dot] org>
-     `Public key <https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3373170601861969>`__
-     or `Public key <https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd1f2407285e571ed12a407a73373170601861969>`__
-
-  -  Richard Purdie: <richard.purdie@linuxfoundation.org> `Public key <https://keys.openpgp.org/search?q=richard.purdie%40linuxfoundation.org>`__
-
-  -  Marta Rybczynska: <marta DOT rybczynska [at] syslinbit [dot] com> `Public key <https://keys.openpgp.org/search?q=marta.rybczynska@syslinbit.com>`__
-
-  -  Steve Sakoman: <steve [at] sakoman [dot] com> `Public key <https://keys.openpgp.org/search?q=steve%40sakoman.com>`__
--- a/documentation/dev-manual/start.rst
+++ b/documentation/dev-manual/start.rst
@@ -676,7 +676,7 @@ described in the ":ref:`dev-manual/start:accessing index of releases`" section.
   .. note::

      For a "map" of Yocto Project releases to version numbers, see the
-      :yocto_wiki:`Releases </Releases>` wiki page.
+      :yocto_home:`Releases </development/releases/>` page.

   You can use the "RELEASE ARCHIVE" link to reveal a menu of all Yocto
   Project releases.
--- a/documentation/dev-manual/vulnerabilities.rst
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -12,7 +12,7 @@ known security vulnerabilities, as tracked by the public
 database.

 The Yocto Project maintains a `list of known vulnerabilities
-<https://autobuilder.yocto.io/pub/non-release/patchmetrics/>`__
+<https://valkyrie.yocto.io/pub/non-release/patchmetrics/>`__
 for packages in Poky and OE-Core, tracking the evolution of the number of
 unpatched CVEs and the status of patches. Such information is available for
 the current development version and for each supported release.
@@ -235,7 +235,7 @@ products defined in :term:`CVE_PRODUCT`. Then, for each found CVE:
 The CVE database is stored in :term:`DL_DIR` and can be inspected using
 ``sqlite3`` command as follows::

-   sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462
+   sqlite3 downloads/CVE_CHECK/nvd*.db .dump | grep CVE-2021-37462

 When analyzing CVEs, it is recommended to:

--- a/documentation/index.rst
+++ b/documentation/index.rst
@@ -20,7 +20,6 @@ Welcome to the Yocto Project Documentation
   Yocto Project Software Overview <https://www.yoctoproject.org/software-overview/>
   Tips and Tricks Wiki <https://wiki.yoctoproject.org/wiki/TipsAndTricks>

-
 .. toctree::
   :maxdepth: 1
   :caption: Manuals
@@ -37,6 +36,12 @@ Welcome to the Yocto Project Documentation
   Test Environment Manual <test-manual/index>
   bitbake

+.. toctree::
+   :maxdepth: 1
+   :caption: Security
+
+   Yocto Project Security Reference <security-reference/index>
+
 .. toctree::
   :maxdepth: 1
   :caption: Release Manuals
--- a/documentation/kernel-dev/common.rst
+++ b/documentation/kernel-dev/common.rst
@@ -724,13 +724,9 @@ a Raspberry Pi 2, which is based on the Broadcom 2708/2709 chipset::

   KBUILD_DEFCONFIG:raspberrypi2 ?= "bcm2709_defconfig"

-Aside from modifying your kernel recipe and providing your own
-``defconfig`` file, you need to be sure no files or statements set
-:term:`SRC_URI` to use a ``defconfig`` other than your "in-tree" file (e.g.
-a kernel's ``linux-``\ `machine`\ ``.inc`` file). In other words, if the
-build system detects a statement that identifies an "out-of-tree"
-``defconfig`` file, that statement will override your
-:term:`KBUILD_DEFCONFIG` variable.
+If the build system detects a statement that identifies an "out-of-tree"
+``defconfig`` file, your :term:`KBUILD_DEFCONFIG` variable will take precedence
+over it.

 See the
 :term:`KBUILD_DEFCONFIG`
@@ -1276,10 +1272,12 @@ appear in the ``.config`` file, which is in the :term:`Build Directory`.

 It is simple to create a configuration fragment. One method is to use
 shell commands. For example, issuing the following from the shell
-creates a configuration fragment file named ``my_smp.cfg`` that enables
-multi-processor support within the kernel::
+creates a configuration fragment file named ``my_changes.cfg`` that enables
+multi-processor support within the kernel and disables the FPGA
+Configuration Framework::

-   $ echo "CONFIG_SMP=y" >> my_smp.cfg
+   $ echo "CONFIG_SMP=y" >> my_changes.cfg
+   $ echo "# CONFIG_FPGA is not set" >> my_changes.cfg

 .. note::

@@ -1516,15 +1514,13 @@ Expanding Variables
 ===================

 Sometimes it is helpful to determine what a variable expands to during a
-build. You can examine the values of variables by examining the
-output of the ``bitbake -e`` command. The output is long and is more
-easily managed in a text file, which allows for easy searches::
+build. You can examine the value of a variable by running the ``bitbake-getvar``
+command::

-   $ bitbake -e virtual/kernel > some_text_file
+   $ bitbake-getvar -r virtual/kernel VARIABLE

-Within the text file, you can see
-exactly how each variable is expanded and used by the OpenEmbedded build
-system.
+The output of the command explains exactly how the variable is expanded and used
+by the :term:`OpenEmbedded Build System`.

 Working with a "Dirty" Kernel Version String
 ============================================
--- a/documentation/migration-guides/release-4.0.rst
+++ b/documentation/migration-guides/release-4.0.rst
@@ -36,3 +36,6 @@ Release 4.0 (kirkstone)
   release-notes-4.0.27
   release-notes-4.0.28
   release-notes-4.0.29
+   release-notes-4.0.30
+   release-notes-4.0.31
+   release-notes-4.0.32
--- a/documentation/migration-guides/release-notes-4.0.30.rst
+++ b/documentation/migration-guides/release-notes-4.0.30.rst
@@ -0,0 +1,170 @@
+Release notes for Yocto-4.0.30 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.30
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  cups: Fix :cve_nist:`2025-58060` and :cve_nist:`2025-58364`
+-  dpkg: Fix :cve_nist:`2025-6297`
+-  ffmpeg: Fix :cve_nist:`2023-6602`, :cve_nist:`2023-6604`, :cve_nist:`2023-6605`,
+   :cve_nist:`2025-1594` and CVE-2025-7700
+-  git: Fix :cve_nist:`2025-27613`, :cve_nist:`2025-27614`, :cve_nist:`2025-46334`,
+   :cve_nist:`2025-46835` and :cve_nist:`2025-48384`
+-  glib-2.0: Fix :cve_nist:`2025-7039`
+-  glib-2.0: Ignore :cve_nist:`2025-4056`
+-  go: Ignore :cve_nist:`2024-24790` and :cve_nist:`2025-0913`
+-  gstreamer1.0-plugins-base: Fix :cve_nist:`2025-47806`, :cve_nist:`2025-47807` and
+   :cve_nist:`2025-47808`
+-  gstreamer1.0-plugins-good: Fix :cve_nist:`2025-47183` and :cve_nist:`2025-47219`
+-  libarchive: Fix :cve_nist:`2025-5918`
+-  libxslt: Fix :cve_nist:`2023-40403`
+-  openssl: Fix :cve_nist:`2023-50781`
+-  python3: Fix :cve_nist:`2025-8194`
+-  qemu: Ignore :cve_nist:`2024-7730`
+-  sqlite3: Revert "sqlite3: patch CVE-2025-7458"
+-  tiff: Fix :cve_nist:`2024-13978`, :cve_nist:`2025-8176`, :cve_nist:`2025-8177`,
+   :cve_nist:`2025-8534` and :cve_nist:`2025-8851`
+-  vim: Fix :cve_nist:`2025-53905` and :cve_nist:`2025-53906`
+-  wpa-supplicant: Fix :cve_nist:`2022-37660`
+-  xserver-xorg: Fix :cve_nist:`2025-49175`, :cve_nist:`2025-49176`, :cve_nist:`2025-49177`,
+   :cve_nist:`2025-49178`, :cve_nist:`2025-49179` and :cve_nist:`2025-49180`
+
+
+Fixes in Yocto-4.0.30
+~~~~~~~~~~~~~~~~~~~~~
+
+-  build-appliance-image: Update to kirkstone head revision
+-  default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue
+-  dev-manual/security-subjects.rst: update mailing lists
+-  gnupg: disable tests to avoid running target binaries at build time
+-  go-helloworld: fix license
+-  insane: Ensure that `src-uri-bad` fails correctly
+-  insane: Improve patch warning/error handling
+-  libubootenv: backport patch to fix unknown type name 'size_t'
+-  llvm: fix typo in CVE-2024-0151.patch
+-  migration-guides: add release notes for 4.0.29
+-  overview-manual/yp-intro.rst: fix broken link to article
+-  poky.conf: bump version for 4.0.30
+-  pulseaudio: Add audio group explicitly
+-  ref-manual/classes.rst: document the testexport class
+-  ref-manual/system-requirements.rst: update supported distributions
+-  ref-manual/variables.rst: document :term:`FIT_CONF_PREFIX` :term:`SPL_DTB_BINARY` variable
+-  ref-manual/variables.rst: expand :term:`IMAGE_OVERHEAD_FACTOR` glossary entry
+-  sdk: The main in the C example should return an int
+-  sudo: remove devtool FIXME comment
+-  systemd: Fix manpage build after :cve_nist:`2025-4598`
+-  vim: not adjust script pathnames for native scripts either
+-  vim: upgrade to 9.1.1652
+
+
+Known Issues in Yocto-4.0.30
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+Contributors to Yocto-4.0.30
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Antonin Godard
+-  Archana Polampalli
+-  Dan McGregor
+-  Deepak Rathore
+-  Divya Chellam
+-  Erik Lindsten
+-  Guocai He
+-  Gyorgy Sarvari
+-  Hitendra Prajapati
+-  Jan Vermaete
+-  Jiaying Song
+-  Joao Marcos Costa
+-  Kyungjik Min
+-  Lee Chee Yang
+-  Mingli Yu
+-  Peter Marko
+-  Philip Lorenz
+-  Praveen Kumar
+-  Quentin Schulz
+-  Richard Purdie
+-  Steve Sakoman
+-  Vijay Anusuri
+-  Yogita Urade
+-  Youngseok Jeong
+
+
+Repositories / Downloads for Yocto-4.0.30
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.30 </poky/log/?h=yocto-4.0.30>`
+-  Git Revision: :yocto_git:`51dc9c464de0703bfbc6f1ee71ac9bea20933a45 </poky/commit/?id=51dc9c464de0703bfbc6f1ee71ac9bea20933a45>`
+-  Release Artefact: poky-51dc9c464de0703bfbc6f1ee71ac9bea20933a45
+-  sha: 2b5db0a07598df7684975c0839e6f31515a8e78d366503feb9917ef1ca56c0b2
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.30/poky-51dc9c464de0703bfbc6f1ee71ac9bea20933a45.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.30/poky-51dc9c464de0703bfbc6f1ee71ac9bea20933a45.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.30 </openembedded-core/log/?h=yocto-4.0.30>`
+-  Git Revision: :oe_git:`d381eeb5e70bd0ce9e78032c909e4a23564f4dd7 </openembedded-core/commit/?id=d381eeb5e70bd0ce9e78032c909e4a23564f4dd7>`
+-  Release Artefact: oecore-d381eeb5e70bd0ce9e78032c909e4a23564f4dd7
+-  sha: 022ab4ef5ac59ac3f01a9dacd8b1d6310cc117c6bed2e86e195ced88e0689c85
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.30/oecore-d381eeb5e70bd0ce9e78032c909e4a23564f4dd7.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.30/oecore-d381eeb5e70bd0ce9e78032c909e4a23564f4dd7.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.30 </meta-mingw/log/?h=yocto-4.0.30>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.30/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.30/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.30 </meta-gplv2/log/?h=yocto-4.0.30>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.30/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.30/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.30 </bitbake/log/?h=yocto-4.0.30>`
+-  Git Revision: :oe_git:`8e2d1f8de055549b2101614d85454fcd1d0f94b2 </bitbake/commit/?id=8e2d1f8de055549b2101614d85454fcd1d0f94b2>`
+-  Release Artefact: bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2
+-  sha: fad4e7699bae62082118e89785324b031b0af0743064caee87c91ba28549afb0
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.30/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.30/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`kirkstone </meta-yocto/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.30 </meta-yocto/log/?h=yocto-4.0.30>`
+-  Git Revision: :yocto_git:`edf7950e4d81dd31f29a58acdd8022dabd2be494 </meta-yocto/commit/?id=edf7950e4d81dd31f29a58acdd8022dabd2be494>`
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.30 </yocto-docs/log/?h=yocto-4.0.30>`
+-  Git Revision: :yocto_git:`71a3933c609ce73ff07e5be48d9e7b03f22ef8d7 </yocto-docs/commit/?id=71a3933c609ce73ff07e5be48d9e7b03f22ef8d7>`
+
--- a/documentation/migration-guides/release-notes-4.0.31.rst
+++ b/documentation/migration-guides/release-notes-4.0.31.rst
@@ -0,0 +1,210 @@
+Release notes for Yocto-4.0.31 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.31
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  binutils: Fix :cve_nist:`2025-8225`, :cve_nist:`2025-11081`, :cve_nist:`2025-11082` and
+   :cve_nist:`2025-11083`
+-  busybox: Fix :cve_nist:`2025-46394`
+-  cmake: Fix :cve_nist:`2025-9301`
+-  curl: Fix :cve_nist:`2025-9086`
+-  ffmpeg: Ignore :cve_nist:`2023-6603`
+-  ffmpeg: mark :cve_nist:`2023-6601` as Fixed
+-  ghostscript: Fix :cve_nist:`2025-59798`, :cve_nist:`2025-59799` and :cve_nist:`2025-59800`
+-  git: Fix :cve_nist:`2025-48386`
+-  glib-networking: Fix :cve_nist:`2025-60018` and :cve_nist:`2025-60019`
+-  go: Fix :cve_nist:`2025-47906` and :cve_nist:`2025-47907`
+-  grub2: Fix :cve_nist:`2024-56738`
+-  grub: Ignore :cve_nist:`2024-2312`
+-  gstreamer1.0-plugins-bad: Fix :cve_nist:`2025-3887`
+-  gstreamer1.0: Ignore :cve_nist:`2025-2759`, :cve_nist:`2025-3887`, :cve_nist:`2025-47183`,
+   :cve_nist:`2025-47219`, :cve_nist:`2025-47806`, :cve_nist:`2025-47807` and :cve_nist:`2025-47808`
+-  python3-jinja2: Fix :cve_nist:`2024-56201`, :cve_nist:`2024-56326` and :cve_nist:`2025-27516`
+-  libxml2: Fix :cve_nist:`2025-9714`
+-  libxslt: Fix :cve_nist:`2025-7424`
+-  lz4: Fix :cve_nist:`2025-62813`
+-  openssl: Fix :cve_nist:`2025-9230` and :cve_nist:`2025-9232`
+-  pulseaudio: Ignore :cve_nist:`2024-11586`
+-  python3: Fix :cve_nist:`2024-6345`, :cve_nist:`2025-47273` and :cve_nist:`2025-59375`
+-  qemu: Fix :cve_nist:`2024-8354`
+-  tiff: Fix :cve_nist:`2025-8961`, :cve_nist:`2025-9165` and :cve_nist:`2025-9900`
+-  vim: Fix :cve_nist:`2025-9389`
+
+
+Fixes in Yocto-4.0.31
+~~~~~~~~~~~~~~~~~~~~~
+
+-  build-appliance-image: Update to kirkstone head revision
+-  poky.conf: bump version for 4.0.31
+-  ref-manual/classes.rst: document the relative_symlinks class
+-  ref-manual/classes.rst: gettext: extend the documentation of the class
+-  ref-manual/variables.rst: document the CCACHE_DISABLE, UNINATIVE_CHECKSUM, UNINATIVE_URL, USE_NLS,
+   REQUIRED_COMBINED_FEATURES, REQUIRED_IMAGE_FEATURES, :term:`REQUIRED_MACHINE_FEATURES` variable
+-  ref-manual/variables.rst: fix :term:`LAYERDEPENDS` description
+-  dev-manual, test-manual: Update autobuilder output links
+-  ref-manual/classes.rst: extend the uninative class documentation
+-  python3: upgrade to 3.10.19
+-  linux-yocto/5.15: update to v5.15.194
+-  glibc: : PTHREAD_COND_INITIALIZER compatibility with pre-2.41 versions (bug 32786)
+-  glibc: nptl Use all of g1_start and g_signals
+-  glibc: nptl rename __condvar_quiesce_and_switch_g1
+-  glibc: nptl Fix indentation
+-  glibc: nptl Use a single loop in pthread_cond_wait instaed of a nested loop
+-  glibc: Remove g_refs from condition variables
+-  glibc: nptl Remove unnecessary quadruple check in pthread_cond_wait
+-  glibc: nptl Remove unnecessary catch-all-wake in condvar group switch
+-  glibc: nptl Update comments and indentation for new condvar implementation
+-  glibc: pthreads NPTL lost wakeup fix 2
+-  glibc: Remove partial BZ#25847 backport patches
+-  vulnerabilities: update nvdcve file name
+-  migration-guides: add release notes for 4.0.30
+-  oeqa/sdk/cases/buildcpio.py: use gnu mirror instead of main server
+-  selftest/cases/meta_ide.py: use use gnu mirror instead of main server
+-  conf/bitbake.conf: use gnu mirror instead of main server
+-  p11-kit: backport fix for handle :term:`USE_NLS` from master
+-  systemd: backport fix for handle :term:`USE_NLS` from master
+-  glibc: stable 2.35 branch updates
+-  openssl: upgrade to 3.0.18
+-  scripts/install-buildtools: Update to 4.0.30
+-  ref-manual/variables.rst: fix the description of :term:`STAGING_DIR`
+-  ref-manual/structure: document the auto.conf file
+-  dev-manual/building.rst: add note about externalsrc variables absolute paths
+-  ref-manual/variables.rst: fix the description of :term:`KBUILD_DEFCONFIG`
+-  kernel-dev/common.rst: fix the in-tree defconfig description
+-  test-manual/yocto-project-compatible.rst: fix a typo
+-  contributor-guide: submit-changes: make "Crediting contributors" part of "Commit your changes"
+-  contributor-guide: submit-changes: number instruction list in commit your changes
+-  contributor-guide: submit-changes: reword commit message instructions
+-  contributor-guide: submit-changes: make the Cc tag follow kernel guidelines
+-  contributor-guide: submit-changes: align :term:`CC` tag description
+-  contributor-guide: submit-changes: clarify example with Yocto bug ID
+-  contributor-guide: submit-changes: fix improper bold string
+-  libhandy: update git branch name
+-  python3-jinja2: upgrade to 3.1.6
+-  vim: upgrade to 9.1.1683
+
+
+Known Issues in Yocto-4.0.31
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.31
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Adam Blank
+-  Aleksandar Nikolic
+-  Antonin Godard
+-  Archana Polampalli
+-  AshishKumar Mishra
+-  Bruce Ashfield
+-  Deepesh Varatharajan
+-  Divya Chellam
+-  Gyorgy Sarvari
+-  Hitendra Prajapati
+-  João Marcos Costa
+-  Lee Chee Yang
+-  Paul Barker
+-  Peter Marko
+-  Praveen Kumar
+-  Quentin Schulz
+-  Rajeshkumar Ramasamy
+-  Saravanan
+-  Soumya Sambu
+-  Steve Sakoman
+-  Sunil Dora
+-  Talel BELHAJ SALEM
+-  Theo GAIGE
+-  Vijay Anusuri
+-  Yash Shinde
+-  Yogita Urade
+
+Repositories / Downloads for Yocto-4.0.31
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.31 </yocto-docs/log/?h=yocto-4.0.31>`
+-  Git Revision: :yocto_git:`073f3bca4c374b03398317e7f445d2440a287741 </yocto-docs/commit/?id=073f3bca4c374b03398317e7f445d2440a287741>`
+-  Release Artefact: yocto-docs-073f3bca4c374b03398317e7f445d2440a287741
+-  sha: 3bfde9b6ad310dd42817509b67f61cd69552f74b2bc5011bd20788fe96d6823b
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/yocto-docs-073f3bca4c374b03398317e7f445d2440a287741.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/yocto-docs-073f3bca4c374b03398317e7f445d2440a287741.tar.bz2
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.31 </poky/log/?h=yocto-4.0.31>`
+-  Git Revision: :yocto_git:`04b39e5b7eb19498215d85c88a5fffb460fea1eb </poky/commit/?id=04b39e5b7eb19498215d85c88a5fffb460fea1eb>`
+-  Release Artefact: poky-04b39e5b7eb19498215d85c88a5fffb460fea1eb
+-  sha: 0ca18ab1ed25c0d77412ba30dbb03d74811756c7c2fe2401940f848a5e734930
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/poky-04b39e5b7eb19498215d85c88a5fffb460fea1eb.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/poky-04b39e5b7eb19498215d85c88a5fffb460fea1eb.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.31 </openembedded-core/log/?h=yocto-4.0.31>`
+-  Git Revision: :oe_git:`99204008786f659ab03538cd2ae2fd23ed4164c5 </openembedded-core/commit/?id=99204008786f659ab03538cd2ae2fd23ed4164c5>`
+-  Release Artefact: oecore-99204008786f659ab03538cd2ae2fd23ed4164c5
+-  sha: aa97bf826ad217b3a5278b4ad60bef4d194f0f1ff617677cf2323d3cc4897687
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/oecore-99204008786f659ab03538cd2ae2fd23ed4164c5.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/oecore-99204008786f659ab03538cd2ae2fd23ed4164c5.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`kirkstone </meta-yocto/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.31 </meta-yocto/log/?h=yocto-4.0.31>`
+-  Git Revision: :yocto_git:`3b2df00345b46479237fe0218675a818249f891c </meta-yocto/commit/?id=3b2df00345b46479237fe0218675a818249f891c>`
+-  Release Artefact: meta-yocto-3b2df00345b46479237fe0218675a818249f891c
+-  sha: 630e99e0f515bab8a316b2e32aff1352b4404f15aa087e8821b84093596a08ce
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/meta-yocto-3b2df00345b46479237fe0218675a818249f891c.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/meta-yocto-3b2df00345b46479237fe0218675a818249f891c.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.31 </meta-mingw/log/?h=yocto-4.0.31>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.31 </meta-gplv2/log/?h=yocto-4.0.31>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.31 </bitbake/log/?h=yocto-4.0.31>`
+-  Git Revision: :oe_git:`8e2d1f8de055549b2101614d85454fcd1d0f94b2 </bitbake/commit/?id=8e2d1f8de055549b2101614d85454fcd1d0f94b2>`
+-  Release Artefact: bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2
+-  sha: fad4e7699bae62082118e89785324b031b0af0743064caee87c91ba28549afb0
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+
--- a/documentation/migration-guides/release-notes-4.0.32.rst
+++ b/documentation/migration-guides/release-notes-4.0.32.rst
@@ -0,0 +1,194 @@
+Release notes for Yocto-4.0.32 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.32
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  bind: Fix :cve_nist:`2025-8677`, :cve_nist:`2025-40778` and :cve_nist:`2025-40780`
+-  binutils: Fix :cve_nist:`2025-11412` and :cve_nist:`2025-11413`
+-  curl: Ignore :cve_nist:`2025-10966`
+-  elfutils: Fix :cve_nist:`2025-1376` and :cve_nist:`2025-1377`
+-  gnutls: Fix :cve_nist:`2025-9820`
+-  go: Fix :cve_nist:`2024-24783`, :cve_nist:`2025-58187`, :cve_nist:`2025-58189`,
+   :cve_nist:`2025-61723` and :cve_nist:`2025-61724`
+-  libarchive: Fix :cve_nist:`2025-60753`
+-  libarchive: Fix 2 security issue (https://github.com/libarchive/libarchive/pull/2753 and
+   https://github.com/libarchive/libarchive/pull/2768)
+-  libpng: Fix :cve_nist:`2025-64505`, :cve_nist:`2025-64506`, :cve_nist:`2025-64720`,
+   :cve_nist:`2025-65018` and :cve_nist:`2025-66293`
+-  libxml2: Fix :cve_nist:`2025-7425`
+-  musl: Fix :cve_nist:`2025-26519`
+-  openssh: Fix :cve_nist:`2025-61984` and :cve_nist:`2025-61985`
+-  python3-idna: Fix :cve_nist:`2024-3651`
+-  python3-urllib3: Fix :cve_nist:`2024-37891`
+-  python3: fix :cve_nist:`2025-6075`
+-  ruby: Fix :cve_nist:`2024-35176`, :cve_nist:`2024-39908` and :cve_nist:`2024-41123`
+-  rust-cross-canadian: Ignore :cve_nist:`2024-43402`
+-  u-boot: Fix :cve_nist:`2024-42040`
+-  wpa-supplicant: Fix :cve_nist:`2025-24912`
+-  xserver-xorg: Fix :cve_nist:`2025-62229`, :cve_nist:`2025-62230` and :cve_nist:`2025-62231`
+-  xwayland: Fix :cve_nist:`2025-62229`, :cve_nist:`2025-62230` and :cve_nist:`2025-62231`
+
+
+Fixes in Yocto-4.0.32
+~~~~~~~~~~~~~~~~~~~~~
+
+-  babeltrace2: fetch with https protocol
+-  bind: upgrade to 9.18.41
+-  build-appliance-image: Update to kirkstone head revision
+-  dev-manual/layers.rst: document "bitbake-layers show-machines"
+-  dev-manual/new-recipe.rst: replace 'bitbake -e' with 'bitbake-getvar'
+-  dev-manual/new-recipe.rst: typo, "whith" -> "which"
+-  dev-manual/new-recipe.rst: update "recipetool -h" output
+-  dev-manual: debugging: use bitbake-getvar in Viewing Variable Values section
+-  documentation: link to the Releases page on yoctoproject.org instead of wiki
+-  efibootmgr: update :term:`SRC_URI` branch
+-  flac: patch seeking bug
+-  goarch.bbclass: do not leak :term:`TUNE_FEATURES` into crosssdk task signatures
+-  kernel-dev: add disable config example
+-  kernel-dev: common: migrate bitbake -e to bitbake-getvar
+-  libmicrohttpd: disable experimental code by default
+-  migration-guides: add release notes for 4.0.31
+-  oe-build-perf-report: relax metadata matching rules
+-  overview-manual: migrate to SVG + fix typo
+-  poky.conf: bump version for 4.0.32
+-  python3-urllib3: upgrade to 1.26.20
+-  recipes: Don't use ftp.gnome.org
+-  ref-manual: variables: migrate the :term:`OVERRIDES` note to bitbake-getvar
+-  systemd-bootchart: update :term:`SRC_URI` branch
+-  xf86-video-intel: correct :term:`SRC_URI` as freedesktop anongit is down
+
+
+Known Issues in Yocto-4.0.32
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.32
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Thanks to the following people who contributed to this release:
+
+-  Alexander Kanavin
+-  Archana Polampalli
+-  Divya Chellam
+-  Gyorgy Sarvari
+-  Hitendra Prajapati
+-  Hongxu Jia
+-  Jason Schonberg
+-  Lee Chee Yang
+-  Peter Marko
+-  Praveen Kumar
+-  Quentin Schulz
+-  Richard Purdie
+-  Robert P. J. Day
+-  Ross Burton
+-  Saquib Iltaf
+-  Soumya Sambu
+-  Steve Sakoman
+-  Vijay Anusuri
+-  Walter Werner SCHNEIDER
+
+
+Repositories / Downloads for Yocto-4.0.32
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.32 </yocto-docs/log/?h=yocto-4.0.32>`
+-  Git Revision: :yocto_git:`4b9df539fa06fb19ed8b51ef2d46e5c56779de81 </yocto-docs/commit/?id=4b9df539fa06fb19ed8b51ef2d46e5c56779de81>`
+-  Release Artefact: yocto-docs-4b9df539fa06fb19ed8b51ef2d46e5c56779de81
+-  sha: 70ee2caf576683c5f31ac5a592cde1c0650ece25cfcd5ff3cc7eedf531575611
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/yocto-docs-4b9df539fa06fb19ed8b51ef2d46e5c56779de81.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/yocto-docs-4b9df539fa06fb19ed8b51ef2d46e5c56779de81.tar.bz2
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.32 </poky/log/?h=yocto-4.0.32>`
+-  Git Revision: :yocto_git:`2c05660b21c7cc1082aeac8b75d8a2d82e249f63 </poky/commit/?id=2c05660b21c7cc1082aeac8b75d8a2d82e249f63>`
+-  Release Artefact: poky-2c05660b21c7cc1082aeac8b75d8a2d82e249f63
+-  sha: d7a55a18a597a7b140a81586b7ca6379c208ebbb3285de36c48fde10882947d8
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/poky-2c05660b21c7cc1082aeac8b75d8a2d82e249f63.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/poky-2c05660b21c7cc1082aeac8b75d8a2d82e249f63.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.32 </openembedded-core/log/?h=yocto-4.0.32>`
+-  Git Revision: :oe_git:`2ed3f8b938579dbbb804e04c45a968cc57761db7 </openembedded-core/commit/?id=2ed3f8b938579dbbb804e04c45a968cc57761db7>`
+-  Release Artefact: oecore-2ed3f8b938579dbbb804e04c45a968cc57761db7
+-  sha: 11b9632586dfbf3f0ef69eca2014a8002f25ca8d53cfe9424e27361ba3a20831
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/oecore-2ed3f8b938579dbbb804e04c45a968cc57761db7.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/oecore-2ed3f8b938579dbbb804e04c45a968cc57761db7.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`kirkstone </meta-yocto/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.32 </meta-yocto/log/?h=yocto-4.0.32>`
+-  Git Revision: :yocto_git:`77b40877c179ea3ce5c37c7ba1831e9c0e289266 </meta-yocto/commit/?id=77b40877c179ea3ce5c37c7ba1831e9c0e289266>`
+-  Release Artefact: meta-yocto-77b40877c179ea3ce5c37c7ba1831e9c0e289266
+-  sha: e908d42690881cd6e07b9ca18a21eb8761a0ec72d940b12905622e75ba913974
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/meta-yocto-77b40877c179ea3ce5c37c7ba1831e9c0e289266.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/meta-yocto-77b40877c179ea3ce5c37c7ba1831e9c0e289266.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.32 </meta-mingw/log/?h=yocto-4.0.32>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.32 </meta-gplv2/log/?h=yocto-4.0.32>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.32 </bitbake/log/?h=yocto-4.0.32>`
+-  Git Revision: :oe_git:`8e2d1f8de055549b2101614d85454fcd1d0f94b2 </bitbake/commit/?id=8e2d1f8de055549b2101614d85454fcd1d0f94b2>`
+-  Release Artefact: bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2
+-  sha: fad4e7699bae62082118e89785324b031b0af0743064caee87c91ba28549afb0
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+
--- a/documentation/overview-manual/concepts.rst
+++ b/documentation/overview-manual/concepts.rst
@@ -165,7 +165,7 @@ The following diagram represents the high-level workflow of a build. The
 remainder of this section expands on the fundamental input, output,
 process, and metadata logical blocks that make up the workflow.

-.. image:: figures/YP-flow-diagram.png
+.. image:: svg/yp-flow-diagram.*
   :align: center

 In general, the build's workflow consists of several functional areas:
--- a/documentation/overview-manual/figures/YP-flow-diagram.png
+++ b/documentation/overview-manual/figures/YP-flow-diagram.png
--- a/documentation/overview-manual/figures/key-dev-elements.png
+++ b/documentation/overview-manual/figures/key-dev-elements.png
--- a/documentation/overview-manual/svg/key-dev-elements.svg
+++ b/documentation/overview-manual/svg/key-dev-elements.svg
@@ -0,0 +1,172 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="164.765mm"
+   height="72.988113mm"
+   viewBox="0 0 164.765 72.988114"
+   version="1.1"
+   id="svg1"
+   xml:space="preserve"
+   inkscape:version="1.4.2 (ebf0e940d0, 2025-05-08)"
+   sodipodi:docname="key-dev-elements.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><sodipodi:namedview
+     id="namedview1"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="false"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:document-units="mm"
+     inkscape:zoom="1"
+     inkscape:cx="341.5"
+     inkscape:cy="-31.5"
+     inkscape:window-width="2560"
+     inkscape:window-height="1440"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="0"
+     inkscape:current-layer="layer2"
+     showborder="false"
+     borderlayer="false"
+     inkscape:antialias-rendering="true"
+     showguides="true" /><defs
+     id="defs1" /><g
+     inkscape:groupmode="layer"
+     id="layer2"
+     inkscape:label="Layer "
+     style="display:inline"
+     transform="translate(-20.664242,-129.6793)"><rect
+       style="display:inline;fill:#f1e9cc;fill-opacity:1;stroke:#6d8eb4;stroke-width:0.653;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-opacity:1;paint-order:fill markers stroke"
+       id="rect1"
+       width="164.112"
+       height="54.273098"
+       x="20.990742"
+       y="130.0058"
+       ry="0"
+       inkscape:label="yp-rect" /><rect
+       style="display:inline;fill:#f3d770;fill-opacity:1;stroke:#6d8eb4;stroke-width:0.653;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-opacity:1;paint-order:fill markers stroke"
+       id="rect2"
+       width="101.45864"
+       height="41.151588"
+       x="28.1292"
+       y="137.10953"
+       inkscape:label="poky-rect" /><rect
+       style="display:inline;fill:#c0ebf5;fill-opacity:1;stroke:#6d8eb4;stroke-width:0.653;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-opacity:1;paint-order:fill markers stroke"
+       id="rect3"
+       width="50.652737"
+       height="53.04562"
+       x="35.516178"
+       y="149.29529"
+       inkscape:label="oe-rect" /><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:4.23333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;white-space:pre;inline-size:46.7487;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="136.38763"
+       y="137.69727"
+       id="text3"
+       inkscape:label="poky-title"
+       transform="matrix(0.90889596,0,0,0.81399719,-26.072941,39.399474)"><tspan
+         x="136.38763"
+         y="137.69727"
+         id="tspan2">Poky</tspan></text><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:4.23333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;white-space:pre;inline-size:46.7487;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="136.38763"
+       y="137.69727"
+       id="text3-8"
+       inkscape:label="oe-title"
+       transform="matrix(0.90889596,0,0,0.81399719,-78.327995,83.175189)"><tspan
+         x="136.38763"
+         y="137.69727"
+         id="tspan4">OpenEmbedded</tspan></text><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:4.23333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;white-space:pre;inline-size:46.7487;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="136.38763"
+       y="137.69727"
+       id="text3-0"
+       inkscape:label="yp-title"
+       transform="matrix(0.8469291,0,0,0.81399719,21.497595,28.033837)"><tspan
+         x="136.38763"
+         y="137.69727"
+         id="tspan5">YOCTO PROJECT (YP)</tspan></text><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="137.19444"
+       y="150.50006"
+       id="text4"
+       transform="scale(1.0050579,0.9949676)"
+       inkscape:label="yp-text"><tspan
+         sodipodi:role="line"
+         id="tspan3"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="137.19444"
+         y="150.50006">Umbrella Open Source Project</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="137.19444"
+         y="154.2294"
+         id="tspan6">that Builds and Maintains</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="137.19444"
+         y="157.95874"
+         id="tspan7">Validated Open Source Tools and</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="137.19444"
+         y="161.68808"
+         id="tspan8">Components Associated with</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="137.19444"
+         y="165.4174"
+         id="tspan9">Embedded Linux</tspan></text><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.97078px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="90.582634"
+       y="159.10139"
+       id="text10"
+       transform="scale(1.0018079,0.9981954)"
+       inkscape:label="poky-text"><tspan
+         sodipodi:role="line"
+         id="tspan10"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.97078px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="90.582634"
+         y="159.10139">Yocto Project Open</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.97078px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="90.582634"
+         y="162.81487"
+         id="tspan11">Source Reference</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.97078px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="90.582634"
+         y="166.52835"
+         id="tspan12">Embedded Distribution</tspan></text><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.01677px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="40.36692"
+       y="160.98824"
+       id="text13"
+       transform="scale(0.99784993,1.0021547)"
+       inkscape:label="oe-text"><tspan
+         sodipodi:role="line"
+         id="tspan13"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.01677px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="40.36692"
+         y="160.98824">Open Source Build Engine</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.01677px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="40.36692"
+         y="164.7592"
+         id="tspan14">and YP-Compatible Metadata</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.01677px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="40.36692"
+         y="168.53017"
+         id="tspan15">for Embedded Linux</tspan></text></g></svg>
--- a/documentation/overview-manual/svg/yp-flow-diagram.svg
+++ b/documentation/overview-manual/svg/yp-flow-diagram.svg
@@ -0,0 +1,950 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Generator: Adobe Illustrator 13.0.2, SVG Export Plug-In . SVG Version: 6.00 Build 14948)  -->
+
+<svg
+   version="1.1"
+   id="Layer_1"
+   x="0px"
+   y="0px"
+   width="760.50098"
+   height="352.582"
+   viewBox="0 0 760.50095 352.582"
+   enable-background="new 0 0 758.189 424.276"
+   xml:space="preserve"
+   sodipodi:docname="yp-flow-diagram.svg"
+   inkscape:version="1.4.3 (0d15f75042, 2025-12-25)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><defs
+   id="defs86">
+		
+	</defs><sodipodi:namedview
+   id="namedview86"
+   pagecolor="#ffffff"
+   bordercolor="#000000"
+   borderopacity="0.25"
+   inkscape:showpageshadow="2"
+   inkscape:pageopacity="0.0"
+   inkscape:pagecheckerboard="0"
+   inkscape:deskcolor="#d1d1d1"
+   inkscape:zoom="2.8284271"
+   inkscape:cx="296.80807"
+   inkscape:cy="212.83914"
+   inkscape:window-width="1906"
+   inkscape:window-height="934"
+   inkscape:window-x="0"
+   inkscape:window-y="0"
+   inkscape:window-maximized="0"
+   inkscape:current-layer="Layer_1" />
+<g
+   id="g17"
+   transform="matrix(1,0,0,1.0035497,-2.0824824,-11.037238)"><rect
+     style="opacity:1;fill:#00b6de;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11"
+     width="484.25"
+     height="249"
+     x="90"
+     y="112.5" /><rect
+     style="fill:#00b6de;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-8"
+     width="12"
+     height="12"
+     x="507.56818"
+     y="-301.10004"
+     ry="0"
+     transform="rotate(44.313856)" /><rect
+     style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-8-1"
+     width="12"
+     height="12"
+     x="361.46231"
+     y="-89.463524"
+     ry="0"
+     transform="rotate(44.313856)" /><rect
+     style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-8-1-1"
+     width="12"
+     height="12"
+     x="389.40585"
+     y="-60.842598"
+     ry="0"
+     transform="rotate(44.313856)" /><rect
+     style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-8-1-1-0"
+     width="12"
+     height="12"
+     x="416.47607"
+     y="-33.116081"
+     ry="0"
+     transform="rotate(44.313856)" /></g><rect
+   style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+   id="rect11-9"
+   width="87"
+   height="216"
+   x="193.91776"
+   y="119.24599" /><rect
+   style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+   id="rect11-8-1-4"
+   width="12"
+   height="12"
+   x="487.27533"
+   y="-296.15897"
+   ry="0"
+   transform="rotate(44.313856)" /><rect
+   style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+   id="rect11-9-3"
+   width="85.75"
+   height="219.75"
+   x="470.16751"
+   y="119.49599" /><g
+   id="g2"
+   transform="translate(2.3119996,-71.694)">
+	<g
+   id="g1">
+		<polygon
+   fill="#00b6de"
+   points="703.77,340.194 712.852,349.277 721.934,340.194 758.189,340.194 758.189,256.861 723.582,256.861 713.171,267.274 702.758,256.861 628.582,256.861 618.171,267.274 607.758,256.861 561.523,256.861 561.523,340.194 609.104,340.194 618.186,349.277 627.268,340.194 "
+   id="polygon1" />
+	</g>
+</g>
+<g
+   id="g4"
+   transform="translate(2.3119996,-71.694)">
+	<g
+   id="g3">
+		<polygon
+   fill="#e6e6e6"
+   points="712.837,278.274 707.221,272.658 676.557,272.658 676.557,333.657 706.983,333.657 713.055,339.729 719.128,333.657 751.557,333.657 751.557,272.658 718.452,272.658 "
+   id="polygon2" />
+	</g>
+</g>
+<g
+   id="g6"
+   transform="translate(2.3119996,-71.694)">
+	<g
+   id="g5">
+		<polygon
+   fill="#e6e6e6"
+   points="618.171,278.274 611.555,271.658 581.558,271.658 581.558,332.657 611.983,332.657 618.056,338.729 624.128,332.657 656.558,332.657 656.558,271.658 624.786,271.658 "
+   id="polygon4" />
+	</g>
+</g>
+<g
+   id="g8"
+   transform="translate(2.3119996,-71.694)"
+   style="fill:#000080">
+	<g
+   id="g7"
+   style="fill:#000080">
+		<polygon
+   fill="#ed1849"
+   points="722.166,349.277 712.504,358.941 702.84,349.277 670.523,349.277 670.523,424.276 757.523,424.276 757.523,349.277 "
+   id="polygon6"
+   style="fill:#000080" />
+	</g>
+</g>
+<g
+   id="g10"
+   transform="translate(2.3119996,-71.694)"
+   style="fill:#000080">
+	<g
+   id="g9"
+   style="fill:#000080">
+		<polygon
+   fill="#ed1849"
+   points="628.371,348.611 618.043,358.941 607.713,348.611 575.523,348.611 575.523,423.61 662.523,423.61 662.523,348.611 "
+   id="polygon8"
+   style="fill:#000080" />
+	</g>
+</g>
+
+<g
+   id="g14"
+   transform="translate(2.3119996,-71.694)">
+	<g
+   id="g13">
+		<polygon
+   fill="#c1d82f"
+   points="575.428,217.35 575.428,250.526 610.09,250.526 618.171,258.607 626.251,250.526 705.09,250.526 713.171,258.607 721.251,250.526 757.427,250.526 757.427,173.527 575.428,173.527 575.428,199.703 584.252,208.525 "
+   id="polygon12" />
+	</g>
+</g>
+
+
+
+
+
+<g
+   id="g26"
+   transform="translate(0.4155534,-73.944)">
+	<g
+   id="g25">
+		<polygon
+   fill="#4a4a30"
+   points="177.974,133.944 125.111,133.944 118.043,141.013 110.974,133.944 86.834,133.944 86.834,166.944 178.263,166.944 184.834,173.514 191.403,166.944 281.833,166.944 281.833,133.944 258.611,133.944 251.543,141.013 244.474,133.944 192.111,133.944 185.043,141.013 "
+   id="polygon24" />
+	</g>
+</g>
+<g
+   id="g28"
+   transform="matrix(0.93986241,0,0,1,-22.331287,-17.694)">
+	<g
+   id="g27">
+		<polygon
+   fill="#e6e6e6"
+   points="330.188,290.202 330.188,296.444 511.188,296.444 511.188,289.015 517.259,282.942 511.188,276.87 511.188,268.444 330.188,268.444 330.188,277.683 336.447,283.942 "
+   id="polygon26" />
+	</g>
+</g>
+<g
+   id="g30"
+   transform="matrix(0.93986241,0,0,1,-22.331287,-17.694)">
+	<g
+   id="g29">
+		<polygon
+   fill="#e6e6e6"
+   points="330.188,251.536 330.188,257.944 511.188,257.944 511.188,250.515 517.259,244.442 511.188,238.37 511.188,229.944 330.188,229.944 330.188,239.016 336.447,245.276 "
+   id="polygon28" />
+	</g>
+</g>
+<g
+   id="g32"
+   transform="matrix(0.93986241,0,0,1,-22.331287,-17.694)">
+	<g
+   id="g31">
+		<polygon
+   fill="#e6e6e6"
+   points="330.188,211.18 330.188,218.444 511.188,218.444 511.188,211.015 517.259,204.942 511.188,198.87 511.188,190.444 330.188,190.444 330.188,199.372 336.092,205.276 "
+   id="polygon30" />
+	</g>
+</g>
+<g
+   id="g34"
+   transform="translate(-40.188,-71.694)">
+	<g
+   id="g33">
+		<polygon
+   fill="#e6e6e6"
+   points="144.188,342.944 144.188,406.944 225.188,406.944 225.188,381.515 231.259,375.442 225.188,369.37 225.188,342.944 190.445,342.944 184.043,349.348 177.639,342.944 "
+   id="polygon32" />
+	</g>
+</g>
+<g
+   id="g36"
+   transform="translate(-40.188,-71.694)">
+	<g
+   id="g35">
+		<polygon
+   fill="#e6e6e6"
+   points="177.618,330.944 184.188,337.514 190.757,330.944 225.188,330.944 225.188,266.944 190.778,266.944 183.71,274.014 176.64,266.944 144.188,266.944 144.188,330.944 "
+   id="polygon34" />
+	</g>
+</g>
+<g
+   id="g38"
+   transform="translate(-40.188,-71.694)">
+	<g
+   id="g37">
+		<polygon
+   fill="#e6e6e6"
+   points="177.118,254.944 183.688,261.514 190.257,254.944 224.688,254.944 224.688,190.944 191.445,190.944 184.376,198.014 177.306,190.944 143.688,190.944 143.688,254.944 "
+   id="polygon36" />
+	</g>
+</g>
+<g
+   id="g40"
+   transform="matrix(1,0,0,0.86327911,0.062,-77.645148)">
+	<g
+   id="g39">
+		<polygon
+   fill="#4a4a30"
+   points="81.188,221.611 0.188,221.611 0.188,285.61 81.188,285.61 81.188,260.181 87.259,254.109 81.188,248.037 "
+   id="polygon38" />
+	</g>
+</g><g
+   id="g40-0"
+   transform="matrix(1,0,0,0.86327911,0.312,-18.368819)">
+	<g
+   id="g39-6">
+		<polygon
+   fill="#4a4a30"
+   points="87.259,254.109 81.188,248.037 81.188,221.611 0.188,221.611 0.188,285.61 81.188,285.61 81.188,260.181 "
+   id="polygon38-4" />
+	</g>
+</g><g
+   id="g40-0-2"
+   transform="matrix(1,0,0,0.86327911,0.062,40.907511)">
+	<g
+   id="g39-6-5">
+		<polygon
+   fill="#4a4a30"
+   points="87.259,254.109 81.188,248.037 81.188,221.611 0.188,221.611 0.188,285.61 81.188,285.61 81.188,260.181 "
+   id="polygon38-4-8" />
+	</g>
+</g><g
+   id="g40-0-28"
+   transform="matrix(1,0,0,0.86327911,-0.188,100.18384)">
+	<g
+   id="g39-6-4">
+		<polygon
+   fill="#4a4a30"
+   points="81.188,285.61 81.188,260.181 87.259,254.109 81.188,248.037 81.188,221.611 0.188,221.611 0.188,285.61 "
+   id="polygon38-4-7" />
+	</g>
+</g>
+<g
+   id="g42"
+   transform="translate(0.062,-71.944)"
+   style="fill:#ff7f2a">
+	<g
+   id="g41"
+   style="fill:#ff7f2a">
+		<polygon
+   fill="#7e8082"
+   points="178.618,123.944 185.188,130.514 191.757,123.944 215.188,123.944 215.188,71.944 154.188,71.944 154.188,123.944 "
+   id="polygon40"
+   style="fill:#ff7f2a" />
+	</g>
+</g>
+<rect
+   x="126.062"
+   y="75.334"
+   fill="none"
+   width="116.666"
+   height="21.333"
+   id="rect42" />
+<text
+   fill="#ffffff"
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text42"
+   x="139.47949"
+   y="82.440079"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Source Materials</text>
+<rect
+   x="155.41699"
+   y="10.834001"
+   fill="none"
+   width="58.666"
+   height="40.667"
+   id="rect43" />
+<text
+   id="text44"
+   x="190.00726"
+   y="29.10741"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:49.6985"
+   transform="translate(-5.5244746,-7.8775879)"
+   xml:space="preserve"><tspan
+     x="190.00726"
+     y="29.10741"
+     id="tspan1">Local<tspan
+   y="29.10741"
+   id="tspan2"> </tspan></tspan><tspan
+     x="190.00726"
+     y="42.440787"
+     id="tspan3">Projects</tspan></text>
+<g
+   id="g45"
+   transform="translate(0.062,-71.944)"
+   style="fill:#ff7f2a">
+	<g
+   id="g44"
+   style="fill:#ff7f2a">
+		<polygon
+   fill="#7e8082"
+   points="245.118,123.944 251.688,130.514 258.257,123.944 281.688,123.944 281.688,71.944 220.688,71.944 220.688,123.944 "
+   id="polygon44"
+   style="fill:#ff7f2a" />
+	</g>
+</g>
+<rect
+   x="221.91699"
+   y="7.8340006"
+   fill="none"
+   width="58.666"
+   height="40.667"
+   id="rect45" />
+<text
+   id="text47"
+   x="258.17291"
+   y="26.10741"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:56.5275;fill:#000000"
+   transform="translate(-6.4360358,-3.6326896)"
+   xml:space="preserve"><tspan
+     x="258.17291"
+     y="26.10741"
+     id="tspan4">SCMs<tspan
+   y="26.10741"
+   id="tspan5"> </tspan></tspan><tspan
+     x="258.17291"
+     y="39.440787"
+     id="tspan6">(optional)</tspan></text>
+<g
+   id="g48"
+   transform="translate(0.062,-71.944)"
+   style="fill:#ff7f2a">
+	<g
+   id="g47"
+   style="fill:#ff7f2a">
+		<polygon
+   fill="#7e8082"
+   points="111.618,123.944 118.188,130.514 124.757,123.944 148.188,123.944 148.188,71.944 87.188,71.944 87.188,123.944 "
+   id="polygon47"
+   style="fill:#ff7f2a" />
+	</g>
+</g>
+<rect
+   x="88.417007"
+   y="10.834001"
+   fill="none"
+   width="58.666"
+   height="40.667"
+   id="rect48" />
+<text
+   id="text49"
+   x="125.51399"
+   y="29.10741"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:64.823"
+   transform="translate(-8.2169997,-13.75401)"
+   xml:space="preserve"><tspan
+     x="125.51399"
+     y="29.10741"
+     id="tspan7">Upstream<tspan
+   y="29.10741"
+   id="tspan8"> </tspan></tspan><tspan
+     x="125.51399"
+     y="42.440787"
+     id="tspan9">Project<tspan
+   y="42.440787"
+   id="tspan10"> </tspan></tspan><tspan
+     x="125.51399"
+     y="55.774165"
+     id="tspan11">Releases</tspan></text>
+<rect
+   x="115.167"
+   y="137.084"
+   fill="none"
+   width="58.666"
+   height="40.667"
+   id="rect49" />
+<text
+   id="text51"
+   x="128.34723"
+   y="147.37112"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"><tspan
+     x="128.34723"
+     y="147.37112"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan50"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Source </tspan><tspan
+     x="123.54125"
+     y="161.77113"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan51"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Fetching</tspan></text>
+<rect
+   x="115.167"
+   y="215.08401"
+   fill="none"
+   width="58.666"
+   height="40.666"
+   id="rect51" />
+<text
+   id="text53"
+   x="131.82678"
+   y="224.31099"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"><tspan
+     x="131.82678"
+     y="224.31099"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan52"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Patch </tspan><tspan
+     x="117.00081"
+     y="238.70999"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan53"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Application</tspan></text>
+<rect
+   x="107.167"
+   y="279.08401"
+   fill="none"
+   width="74.166"
+   height="69.237"
+   id="rect53" />
+<text
+   id="text57"
+   x="149.00055"
+   y="297.35791"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:74.8743"
+   transform="translate(-3.496696,4.953096)"
+   xml:space="preserve"><tspan
+     x="149.00055"
+     y="297.35791"
+     id="tspan12">Configuration /<tspan
+   y="297.35791"
+   id="tspan13"> </tspan></tspan><tspan
+     x="149.00055"
+     y="310.69127"
+     id="tspan14">Compile</tspan></text>
+<rect
+   x="201.16699"
+   y="184.084"
+   fill="none"
+   width="74.166"
+   height="89.237"
+   id="rect57" />
+<text
+   id="text63"
+   x="221.86859"
+   y="192.60429"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"><tspan
+     x="221.86859"
+     y="192.60429"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan58"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Output </tspan><tspan
+     x="211.42859"
+     y="207.0043"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan59"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Analysis for </tspan><tspan
+     x="218.94058"
+     y="221.4043"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan60"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">package </tspan><tspan
+     x="207.54759"
+     y="235.80429"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan61"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">splitting plus </tspan><tspan
+     x="218.94058"
+     y="250.2043"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan62"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">package </tspan><tspan
+     x="207.81059"
+     y="264.60431"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan63"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">relationships</tspan></text><text
+   id="text63-1"
+   x="555.48315"
+   y="202.90402"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:31.0495"
+   transform="translate(-42.334211,23.629617)"
+   xml:space="preserve"><tspan
+     x="555.48315"
+     y="202.90402"
+     id="tspan15">QA<tspan
+   y="202.90402"
+   id="tspan16"> </tspan></tspan><tspan
+     x="555.48315"
+     y="216.2374"
+     id="tspan18">Tests</tspan></text>
+<rect
+   x="319.146"
+   y="127.084"
+   fill="none"
+   width="116.666"
+   height="21.333"
+   id="rect63" />
+<text
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text64"
+   x="335.19238"
+   y="189.60429"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">.rpm generation</text>
+<rect
+   x="319.146"
+   y="166.584"
+   fill="none"
+   width="116.666"
+   height="21.333"
+   id="rect64" />
+<text
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text65"
+   x="335.76849"
+   y="229.10429"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">.deb generation</text>
+<rect
+   x="319.146"
+   y="205.08401"
+   fill="none"
+   width="116.666"
+   height="21.333"
+   id="rect65" />
+<text
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text66"
+   x="337.9404"
+   y="267.60391"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">.ipk generation</text>
+<rect
+   x="296.16699"
+   y="307.08401"
+   fill="none"
+   width="77.166"
+   height="30.237"
+   id="rect66" />
+
+<rect
+   x="299.66699"
+   y="261.08401"
+   fill="none"
+   width="71.853996"
+   height="33.664001"
+   id="rect67" />
+
+<rect
+   x="395.97998"
+   y="261.08401"
+   fill="none"
+   width="71.853996"
+   height="33.664001"
+   id="rect69" />
+
+<rect
+   x="390.66699"
+   y="307.08401"
+   fill="none"
+   width="77.166"
+   height="30.237"
+   id="rect71" />
+
+<rect
+   y="133"
+   fill="none"
+   width="81.666"
+   height="39.334"
+   id="rect73"
+   x="0.061999973" />
+<text
+   id="text75"
+   x="64.610138"
+   y="186.94585"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:66.7773"
+   transform="translate(-23.458902,-49.50401)"
+   xml:space="preserve"><tspan
+     x="64.610138"
+     y="186.94585"
+     id="tspan20"><tspan
+   style="fill:#ffffff"
+   id="tspan19">User</tspan>
+</tspan><tspan
+     x="64.610138"
+     y="200.27922"
+     id="tspan22"><tspan
+       style="fill:#ffffff"
+       id="tspan21">Configuration</tspan></tspan></text><text
+   id="text75-4"
+   x="64.610138"
+   y="186.94585"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:66.7773"
+   transform="translate(-24.603766,70.32617)"
+   xml:space="preserve"><tspan
+     x="64.610138"
+     y="186.94585"
+     id="tspan24"><tspan
+   style="fill:#ffffff"
+   id="tspan23">Machine BSP</tspan>
+</tspan><tspan
+     x="64.610138"
+     y="200.27922"
+     id="tspan26"><tspan
+       style="fill:#ffffff"
+       id="tspan25">Configuration</tspan></tspan></text><text
+   id="text75-4-6"
+   x="64.610138"
+   y="186.94585"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:66.7773"
+   transform="translate(-25.353766,128.82617)"
+   xml:space="preserve"><tspan
+     x="64.610138"
+     y="186.94585"
+     id="tspan28"><tspan
+   style="fill:#ffffff"
+   id="tspan27">Policy</tspan>
+</tspan><tspan
+     x="64.610138"
+     y="200.27922"
+     id="tspan30"><tspan
+       style="fill:#ffffff"
+       id="tspan29">Configuration</tspan></tspan></text>
+
+<rect
+   y="211.16798"
+   fill="none"
+   width="81.666"
+   height="39.333"
+   id="rect76"
+   x="0.061999973" />
+<text
+   id="text78"
+   x="70.02713"
+   y="265.4418"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:89.4625"
+   transform="translate(-28.848315,-69.549143)"
+   xml:space="preserve"><tspan
+     x="70.02713"
+     y="265.4418"
+     id="tspan32"><tspan
+       style="fill:#ffffff"
+       id="tspan31">Metadata
+</tspan></tspan><tspan
+     x="70.02713"
+     y="278.77516"
+     id="tspan34"><tspan
+       style="fill:#ffffff"
+       id="tspan33">(.bb + patches)</tspan></tspan></text>
+<rect
+   x="612.83502"
+   y="131.418"
+   fill="none"
+   width="112.186"
+   height="20.163"
+   id="rect78" />
+<text
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text79"
+   x="629.87451"
+   y="142.68779"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Package Feeds</text>
+<rect
+   x="579.98102"
+   y="306.25101"
+   fill="none"
+   width="81.666"
+   height="39.332001"
+   id="rect79" />
+<text
+   fill="#ffffff"
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text80"
+   x="604.24854"
+   y="319.7699"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Images</text>
+<rect
+   x="584.14703"
+   y="216.08499"
+   fill="none"
+   width="71.853996"
+   height="33.664001"
+   id="rect80" />
+<text
+   id="text81"
+   x="606.88434"
+   y="227.1058"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"><tspan
+     x="606.88434"
+     y="227.1058"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan80"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Image </tspan><tspan
+     x="594.48834"
+     y="241.50479"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan81"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Generation</tspan></text>
+<rect
+   x="678.83301"
+   y="215.08499"
+   fill="none"
+   width="77.166"
+   height="30.237"
+   id="rect81" />
+<text
+   id="text83"
+   x="708.21045"
+   y="228.6058"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"><tspan
+     x="708.21045"
+     y="228.6058"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan82"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">SDK </tspan><tspan
+     x="690.33142"
+     y="243.00479"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan83"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Generation</tspan></text>
+<rect
+   x="379.06299"
+   y="86.834"
+   fill="none"
+   width="199.03999"
+   height="21.164"
+   id="rect83" />
+<text
+   fill="#333333"
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text84"
+   x="426.28253"
+   y="26.005543"
+   style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333">OpenEmbedded Architecture Workflow</text><g
+   id="g18"
+   transform="translate(-10.254525,-9.75401)"><rect
+     style="fill:#00b6de;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17">Build System</tspan></text></g><g
+   id="g18-4"
+   transform="translate(-10.254525,-25.970712)"><rect
+     style="fill:#4a4a30;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5-8"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6-0"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17-4">Metadata/Inputs</tspan></text></g><g
+   id="g18-4-9"
+   transform="translate(-10.254525,-42.187414)"><rect
+     style="fill:#ff7f2a;fill-opacity:1;stroke:#ff631a;stroke-width:0.49911493;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5-8-6"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6-0-1"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17-4-0">Upstream Source</tspan></text></g><g
+   id="g18-4-9-2"
+   transform="translate(101.50803,-40.934366)"><rect
+     style="fill:#c1d82f;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5-8-6-2"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6-0-1-2"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17-4-0-0">Output Packages</tspan></text></g><g
+   id="g18-4-9-2-5"
+   transform="translate(101.50803,-24.709046)"><rect
+     style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5-8-6-2-2"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6-0-1-2-9"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17-4-0-0-0">Process steps (tasks)</tspan></text></g><g
+   id="g18-4-9-2-5-8"
+   transform="translate(101.50803,-8.4837252)"><rect
+     style="fill:#000080;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5-8-6-2-2-3"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6-0-1-2-9-8"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17-4-0-0-0-0">Output Imaga Data</tspan></text></g>
+
+
+<rect
+   x="675.64801"
+   y="304.91699"
+   fill="none"
+   width="81.666"
+   height="39.332001"
+   id="rect85" />
+<text
+   id="text86"
+   x="720.58508"
+   y="322.93991"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:65.518"
+   transform="translate(-2.5824824,-12.25401)"
+   xml:space="preserve"><tspan
+     x="720.58508"
+     y="322.93991"
+     id="tspan36"><tspan
+   style="fill:#ffffff"
+   id="tspan35">Application</tspan><tspan
+   y="322.93991"
+   id="tspan37"> </tspan></tspan><tspan
+     x="720.58508"
+     y="336.27327"
+     id="tspan39"><tspan
+   style="fill:#ffffff"
+   id="tspan38">Development</tspan><tspan
+   y="336.27327"
+   id="tspan40"> </tspan></tspan><tspan
+     x="720.58508"
+     y="349.60665"
+     id="tspan42"><tspan
+       style="fill:#ffffff"
+       id="tspan41">SDK</tspan></tspan></text>
+</svg>
--- a/documentation/overview-manual/yp-intro.rst
+++ b/documentation/overview-manual/yp-intro.rst
@@ -23,8 +23,8 @@ comes to delivering embedded software stacks. The project allows
 software customizations and build interchange for multiple hardware
 platforms as well as software stacks that can be maintained and scaled.

-.. image:: figures/key-dev-elements.png
-    :align: center
+.. image:: svg/key-dev-elements.*
+    :width: 100%

 For further introductory information on the Yocto Project, you might be
 interested in this
@@ -44,7 +44,7 @@ Here are features and advantages of the Yocto Project:
   system, software, and service vendors adopt and support the Yocto
   Project in their products and services. For a look at the Yocto
   Project community and the companies involved with the Yocto Project,
-   see the "COMMUNITY" and "ECOSYSTEM" tabs on the
+   see the "COMMUNITY" and "ABOUT" tabs on the
   :yocto_home:`Yocto Project <>` home page.

 -  *Architecture Agnostic:* Yocto Project supports Intel, ARM, MIPS,
@@ -60,10 +60,9 @@ Here are features and advantages of the Yocto Project:
   move between architectures without moving to new development
   environments. Additionally, if you have used the Yocto Project to
   create an image or application and you find yourself not able to
-   support it, commercial Linux vendors such as Wind River, Mentor
-   Graphics, Timesys, and ENEA could take it and provide ongoing
-   support. These vendors have offerings that are built using the Yocto
-   Project.
+   support it, commercial Linux vendors listed on :yocto_home:`/members/` and
+   :yocto_home:`/about/participants/` could take it and provide ongoing
+   support.

 -  *Flexibility:* Corporations use the Yocto Project many different
   ways. One example is to create an internal Linux distribution as a
@@ -734,7 +733,7 @@ The :term:`OpenEmbedded Build System` uses a "workflow" to
 accomplish image and SDK generation. The following figure overviews that
 workflow:

-.. image:: figures/YP-flow-diagram.png
+.. image:: svg/yp-flow-diagram.*
    :align: center

 Here is a brief summary of the "workflow":
@@ -760,7 +759,8 @@ Here is a brief summary of the "workflow":
   package feed that is used to create the final root file image.

 7. The build system generates the file system image and a customized
-   Extensible SDK (eSDK) for application development in parallel.
+   :doc:`SDK </sdk-manual/index>` (Software Development Kit) for application
+   development in parallel.

 For a very detailed look at this workflow, see the
 ":ref:`overview-manual/concepts:openembedded build system concepts`" section.
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -309,8 +309,12 @@ file for details about how to enable this mechanism in your configuration
 file, how to disable it for specific recipes, and how to share ``ccache``
 files between builds.

-However, using the class can lead to unexpected side-effects. Thus, using
-this class is not recommended.
+Recipes can also explicitly disable `Ccache` support even when the
+:ref:`ref-classes-ccache` class is enabled, by setting the
+:term:`CCACHE_DISABLE` variable to "1".
+
+Using the :ref:`ref-classes-ccache` class can lead to unexpected side-effects.
+Using this class is not recommended.

 .. _ref-classes-chrpath:

@@ -825,6 +829,14 @@ software that uses the GNU ``gettext`` internationalization and localization
 system. All recipes building software that use ``gettext`` should inherit this
 class.

+This class will configure recipes to build translations *unless*:
+
+-  the :term:`USE_NLS` variable is set to ``no``, or
+
+-  the :term:`INHIBIT_DEFAULT_DEPS` variable is set and the recipe inheriting
+   the :ref:`ref-classes-gettext` class does not also inherit the
+   :ref:`ref-classes-cross-canadian` class.
+
 .. _ref-classes-gnomebase:

 ``gnomebase``
@@ -1106,6 +1118,53 @@ The :ref:`ref-classes-image_types` class also handles conversion and compression
   :term:`IMAGE_FSTYPES`. This would also be similar for Virtual Box Virtual Disk
   Image ("vdi") and QEMU Copy On Write Version 2 ("qcow2") images.

+.. _ref-classes-image-container:
+
+``image-container``
+===================
+
+The :ref:`ref-classes-image-container` class is automatically inherited in
+:doc:`image </ref-manual/images>` recipes that have the ``container`` image type
+in :term:`IMAGE_FSTYPES`. It provides relevant settings to generate an image
+ready for use with an :wikipedia:`OCI <Open_Container_Initiative>`-compliant
+container management tool, such as :wikipedia:`Podman <Podman>` or
+:wikipedia:`Docker <Docker_(software)>`.
+
+.. note::
+
+   This class neither builds nor installs container management tools on the
+   target. Those tools are available in the :yocto_git:`meta-virtualization
+   </meta-virtualization>` layer.
+
+You should set the :term:`PREFERRED_PROVIDER` for the Linux kernel to
+``linux-dummy`` in a :term:`configuration file`::
+
+   PREFERRED_PROVIDER_virtual/kernel = "linux-dummy"
+
+Otherwise an error is triggered. If desired, the
+:term:`IMAGE_CONTAINER_NO_DUMMY` variable can be set to "1" to avoid triggering
+this error.
+
+The ``linux-dummy`` recipe acts as a Linux kernel recipe but builds nothing. It
+is relevant to use as the preferred Linux kernel provider in this case as a
+container image does not need to include a Linux kernel. Selecting it as the
+preferred provider for the kernel will also decrease build time.
+
+Using this class only deploys an additional ``tar.bz2`` archive to
+:term:`DEPLOY_DIR_IMAGE`. This archive can be used in a container file (a file
+typically named ``Dockerfile`` or ``Containerfile``). For example, to be used with
+:wikipedia:`Podman <Podman>` or :wikipedia:`Docker <Docker_(software)>`, the
+`container file <https://docs.docker.com/reference/dockerfile/>`__ could contain
+the following instructions:
+
+.. code-block:: dockerfile
+
+   FROM scratch
+   ADD ./image-container-qemux86-64.rootfs.tar.bz2 /
+   ENTRYPOINT /bin/sh
+
+This is suitable to build a container using our generated root filesystem image.
+
 .. _ref-classes-image-live:

 ``image-live``
@@ -2544,6 +2603,25 @@ The :ref:`ref-classes-recipe_sanity` class checks for the presence of any host s
 recipe prerequisites that might affect the build (e.g. variables that
 are set or software that is present).

+.. _ref-classes-relative_symlinks:
+
+``relative_symlinks``
+=====================
+
+The :ref:`ref-classes-relative_symlinks` class walks the symbolic links in the
+:term:`D` directory and replaces links pointing to absolute paths to relative
+paths. This is occasionally used in some recipes that create wrong symbolic
+links when their :ref:`ref-classes-native` version is built, and/or would cause
+breakage in the :ref:`overview-manual/concepts:shared state cache`.
+
+For example, if the following symbolic link is found in :term:`D`::
+
+   /usr/bin/foo -> /sbin/bar
+
+It is replaced by::
+
+   /usr/bin/foo -> ../../sbin/bar
+
 .. _ref-classes-relocatable:

 ``relocatable``
@@ -3214,22 +3292,51 @@ imitates.
 ``uninative``
 =============

-Attempts to isolate the build system from the host distribution's C
-library in order to make re-use of native shared state artifacts across
-different host distributions practical. With this class enabled, a
-tarball containing a pre-built C library is downloaded at the start of
-the build. In the Poky reference distribution this is enabled by default
-through ``meta/conf/distro/include/yocto-uninative.inc``. Other
-distributions that do not derive from poky can also
-"``require conf/distro/include/yocto-uninative.inc``" to use this.
-Alternatively if you prefer, you can build the uninative-tarball recipe
-yourself, publish the resulting tarball (e.g. via HTTP) and set
-``UNINATIVE_URL`` and ``UNINATIVE_CHECKSUM`` appropriately. For an
-example, see the ``meta/conf/distro/include/yocto-uninative.inc``.
+The :ref:`ref-classes-uninative` class allows binaries to run on systems with
+older or newer :wikipedia:`Glibc <Glibc>` versions. This means
+:ref:`ref-classes-native` recipe :ref:`overview-manual/concepts:shared state
+cache` can be shared among different host distributions of different versions,
+i.e. the :ref:`overview-manual/concepts:shared state cache` is "universal".

-The :ref:`ref-classes-uninative` class is also used unconditionally by the extensible
-SDK. When building the extensible SDK, ``uninative-tarball`` is built
-and the resulting tarball is included within the SDK.
+To allow this to work, the dynamic loader is changed to our own :manpage:`ld.so
+<ld.so.8>` when binaries are compiled using the
+``--dynamic-linker`` option. This means when the binary is executed, it finds
+our own :manpage:`ld.so <ld.so.8>` and that loader has a modified search path
+which finds a newer Glibc version.
+
+The linking of the binaries is not changed at link time since the
+headers on the system wouldn't match the newer Glibc and this causes
+obtuse failures. Changing the loader is effectively the same as if the
+system had a Glibc upgrade after the binary was compiled, so it is a
+mechanism supported by upstream.
+
+One caveat to this approach is that the uninative Glibc binary must be
+equal to or newer in version to the versions on all the systems using
+the common :ref:`overview-manual/concepts:shared state cache`. This is why
+:ref:`ref-classes-uninative`  is regularly changed on the development and stable
+branches.
+
+Another potential issue is static linking: static libraries created on
+a system with a new Glibc version may have symbols not present in older
+versions, which would then fail during linking on older systems. This
+is one reason we don't use static linking for our :ref:`ref-classes-native`
+binaries.
+
+With this class enabled, a tarball containing a pre-built C library is
+downloaded at the start of the build. In the Poky reference distribution this is
+enabled by default through :oe_git:`meta/conf/distro/include/yocto-uninative.inc
+</openembedded-core/tree/meta/conf/distro/include/yocto-uninative.inc>`. Other distributions that do
+not derive from Poky can also "``require conf/distro/include/yocto-uninative.inc``"
+to use this. Alternatively if you prefer, you can build the uninative-tarball
+recipe yourself, publish the resulting tarball (e.g. via HTTP) and set
+:term:`UNINATIVE_URL` and :term:`UNINATIVE_CHECKSUM` appropriately. For an
+example, see :oe_git:`meta/conf/distro/include/yocto-uninative.inc
+</openembedded-core/tree/meta/conf/distro/include/yocto-uninative.inc>`.
+
+The :ref:`ref-classes-uninative` class is also used unconditionally by the
+:doc:`extensible SDK </sdk-manual/extensible>`. When building the extensible
+SDK, ``uninative-tarball`` is built and the resulting tarball is included within
+the SDK.

 .. _ref-classes-update-alternatives:

--- a/documentation/ref-manual/release-process.rst
+++ b/documentation/ref-manual/release-process.rst
@@ -45,6 +45,45 @@ release process validates the content of the new branch.
   Realize that there can be patches merged onto the stable release
   branches as and when they become available.

+.. _ref-yp-development-cycle:
+
+Development Cycle
+=================
+
+As explained in the previous :ref:`ref-manual/release-process:Major and Minor
+Release Cadence` section, a new release comes out every six months.
+
+During this six-months period of time, the Yocto Project releases four
+"Milestone" releases which represent distinct points of time. The milestone
+releases are tested through the :ref:`ref-manual/release-process:Testing and
+Quality Assurance` process and helps spotting issues before the actual release
+is out.
+
+The time span between milestone releases can vary, but they are in general
+evenly spaced out during this six-months period of time.
+
+These milestone releases are tagged with a capital "M" after the future release
+tag name. For example, the milestone tags "&DISTRO_RELEASE_SERIES;M1",
+"&DISTRO_RELEASE_SERIES;M2", and "&DISTRO_RELEASE_SERIES;M3" are released before
+the actual "&DISTRO_RELEASE_SERIES;" release.
+
+.. note::
+
+   The fourth milestone (M4) is not actually released and announced, but
+   represents a point of time for the Quality Assurance team to start the
+   :ref:`ref-manual/release-process:Testing and Quality Assurance` process
+   before tagging and delivering the final release.
+
+After the third milestone release (M3), the Yocto Project enters **Feature
+Freeze**. This means that the maintainers of :term:`OpenEmbedded-Core
+(OE-Core)`, :term:`BitBake` and other core repositories stop accepting
+significant changes on the "master" branch. Changes that may be accepted are
+minor upgrades to core components and security/bug fixes.
+
+During feature freeze, a new branch is created and maintained separately to
+test new features and enhancements received from contributors, but these changes
+will only make it to the master branch after the release is out.
+
 Major Release Codenames
 =======================

@@ -62,7 +101,8 @@ codename are likely to be compatible and thus work together.

 Releases are given a nominal release version as well but the codename is
 used in repositories for this reason. You can find information on Yocto
-Project releases and codenames at :yocto_wiki:`/Releases`.
+Project releases and codenames in the :yocto_home:`Releases page
+</development/releases/>`.

 Our :doc:`/migration-guides/index` detail how to migrate from one release of
 the Yocto Project to the next.
--- a/documentation/ref-manual/structure.rst
+++ b/documentation/ref-manual/structure.rst
@@ -328,6 +328,15 @@ Once the build process gets the sample file, it uses ``sed`` to substitute final
 This file indicates the state of the sanity checks and is created during
 the build.

+.. _structure-build-conf-auto.conf:
+
+``build/conf/auto.conf``
+------------------------
+
+This file contains configuration variables that are automatically modified by
+tools such as :oe_git:`bitbake-config-build </bitbake/tree/bin/bitbake-config-build>`.
+This file should not be modified manually.
+
 .. _structure-build-downloads:

 ``build/downloads/``
--- a/documentation/ref-manual/svg/releases.svg
+++ b/documentation/ref-manual/svg/releases.svg
@@ -608,7 +608,7 @@
         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
         id="tspan10317-2-9-1-4">4.2</tspan></text>
    <rect
-       style="opacity:1;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1"
+       style="opacity:0.5;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1"
       id="rect917-0-0-4-4-9-4-5-3-9-2-3-6"
       width="140"
       height="45.000004"
@@ -632,7 +632,7 @@
         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
         id="tspan10317-2-9-1-4-6-5-6">5.1</tspan></text>
    <rect
-       style="fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1"
+       style="fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1;opacity:0.5"
       id="rect917-0-0-4-4-9-4-5-3-9-2-3-6-2"
       width="140"
       height="45.000004"
@@ -656,26 +656,26 @@
         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
         id="tspan10317-2-9-1-4-6-5-6-9">5.2</tspan></text>
    <rect
-       style="opacity:0.75;fill:#251f32;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1"
+       style="opacity:1;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1"
       id="rect917-0-0-4-4-9-4-5-3-9-2-3-67"
       width="140"
       height="45.000004"
-       x="1163.6425"
+       x="1223.8723"
       y="-382.27469"
       ry="2.2558987" />
    <text
       xml:space="preserve"
       style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#fffefe;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-       x="1214.9716"
+       x="1275.2014"
       y="-363.89413"
       id="text1185-3-55-4-0-0-0-1-1-6-4-3-53"><tspan
         sodipodi:role="line"
-         x="1214.9716"
+         x="1275.2014"
         y="-363.89413"
         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
         id="tspan957-2-8-6-3-9-7-4-2-0-5-5">Whinlatter</tspan><tspan
         sodipodi:role="line"
-         x="1214.9716"
+         x="1275.2014"
         y="-345.89746"
         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
         id="tspan10317-2-9-1-4-6-5-6-6-6">5.3</tspan></text>
@@ -1847,7 +1847,7 @@
         x="2128.7158"
         y="-7.6722765"
         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans';text-align:center;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none"
-         id="tspan10317-2-9-1-4-6-5-6-6-5-9-7">Current (Apr. 25)</tspan></text>
+         id="tspan10317-2-9-1-4-6-5-6-6-5-9-7">Current (Dec. 25)</tspan></text>
    <text
       xml:space="preserve"
       style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#fffefe;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -1097,6 +1097,17 @@ system and gives an overview of their function and contents.
   :term:`CC`
      The minimal command and arguments used to run the C compiler.

+   :term:`CCACHE_DISABLE`
+      When inheriting the :ref:`ref-classes-ccache` class, the
+      :term:`CCACHE_DISABLE` variable can be set to "1" in a recipe to disable
+      `Ccache` support. This is useful when the recipe is known to not support it.
+
+   :term:`CCACHE_TOP_DIR`
+      When inheriting the :ref:`ref-classes-ccache` class, the
+      :term:`CCACHE_TOP_DIR` variable can be set to the location of where
+      `Ccache` stores its cache files. This directory can be shared between
+      builds.
+
   :term:`CFLAGS`
      Specifies the flags to pass to the C compiler. This variable is
      exported to an environment variable and thus made visible to the
@@ -3309,6 +3320,24 @@ system and gives an overview of their function and contents.
      variable, see the :ref:`image_types <ref-classes-image_types>`
      class file, which is ``meta/classes/image_types.bbclass``.

+   :term:`IMAGE_CONTAINER_NO_DUMMY`
+      When an image recipe has the ``container`` image type in
+      :term:`IMAGE_FSTYPES`, it expects the :term:`PREFERRED_PROVIDER` for
+      the Linux kernel (``virtual/kernel``) to be set to ``linux-dummy`` from a
+      :term:`configuration file`. Otherwise, an error is triggered.
+
+      When set to "1", the :term:`IMAGE_CONTAINER_NO_DUMMY` variable allows the
+      :term:`PREFERRED_PROVIDER` variable to be set to another value, thus
+      skipping the check and not triggering the build error. Any other value
+      will keep the check.
+
+      This variable should be set from the image recipe using the ``container``
+      image type.
+
+      See the documentation of the :ref:`ref-classes-image-container` class for
+      more information on why setting the :term:`PREFERRED_PROVIDER` to
+      ``linux-dummy`` is advised with this class.
+
   :term:`IMAGE_DEVICE_TABLES`
      Specifies one or more files that contain custom device tables that
      are passed to the ``makedevs`` command as part of creating an image.
@@ -4251,8 +4280,7 @@ system and gives an overview of their function and contents.
      would place patch files and configuration fragment files (i.e.
      "out-of-tree"). However, if you want to use a ``defconfig`` file that
      is part of the kernel tree (i.e. "in-tree"), you can use the
-      :term:`KBUILD_DEFCONFIG` variable and append the
-      :term:`KMACHINE` variable to point to the
+      :term:`KBUILD_DEFCONFIG` variable to point to the
      ``defconfig`` file.

      To use the variable, set it in the append file for your kernel recipe
@@ -4688,7 +4716,7 @@ system and gives an overview of their function and contents.
      information on how this variable is used.

   :term:`LAYERDEPENDS`
-      Lists the layers, separated by spaces, on which this recipe depends.
+      Lists the layers, separated by spaces, on which this layer depends.
      Optionally, you can specify a specific layer version for a dependency
      by adding it to the end of the layer name. Here is an example::

@@ -5545,8 +5573,8 @@ system and gives an overview of their function and contents.

      .. note::

-         An easy way to see what overrides apply is to search for :term:`OVERRIDES`
-         in the output of the ``bitbake -e`` command. See the
+         An easy way to see what overrides apply is to run the command
+         ``bitbake-getvar -r myrecipe OVERRIDES``. See the
         ":ref:`dev-manual/debugging:viewing variable values`" section in the Yocto
         Project Development Tasks Manual for more information.

@@ -6822,6 +6850,16 @@ system and gives an overview of their function and contents.
   :term:`REPODIR`
      See :term:`bitbake:REPODIR` in the BitBake manual.

+   :term:`REQUIRED_COMBINED_FEATURES`
+      When inheriting the :ref:`ref-classes-features_check` class, this variable
+      identifies combined features (the intersection of :term:`MACHINE_FEATURES`
+      and :term:`DISTRO_FEATURES`) that must exist in the current configuration
+      in order for the :term:`OpenEmbedded Build System` to build the recipe. In
+      other words, if the :term:`REQUIRED_COMBINED_FEATURES` variable lists a
+      feature that does not appear in :term:`COMBINED_FEATURES` within the
+      current configuration, then the recipe will be skipped, and if the build
+      system attempts to build the recipe then an error will be triggered.
+
   :term:`REQUIRED_DISTRO_FEATURES`
      When inheriting the
      :ref:`features_check <ref-classes-features_check>`
@@ -6833,6 +6871,32 @@ system and gives an overview of their function and contents.
      the recipe will be skipped, and if the build system attempts to build
      the recipe then an error will be triggered.

+   :term:`REQUIRED_IMAGE_FEATURES`
+      When inheriting the :ref:`ref-classes-features_check` class, this variable
+      identifies image features that must exist in the current
+      configuration in order for the :term:`OpenEmbedded Build System` to build
+      the recipe. In other words, if the :term:`REQUIRED_IMAGE_FEATURES` variable
+      lists a feature that does not appear in :term:`IMAGE_FEATURES` within the
+      current configuration, then the recipe will be skipped, and if the build
+      system attempts to build the recipe then an error will be triggered.
+
+      Compared to other ``REQUIRED_*_FEATURES`` variables, the
+      :term:`REQUIRED_IMAGE_FEATURES` varible only targets image recipes, as the
+      :term:`IMAGE_FEATURES` variable is handled by the :ref:`ref-classes-core-image`
+      class). However, the :term:`REQUIRED_IMAGE_FEATURES` varible can also be
+      set from a :term:`Configuration File`, such as a distro
+      configuration file, if the list of required image features should apply to
+      all images using this :term:`DISTRO`.
+
+   :term:`REQUIRED_MACHINE_FEATURES`
+      When inheriting the :ref:`ref-classes-features_check` class, this variable
+      identifies :term:`MACHINE_FEATURES` that must exist in the current
+      configuration in order for the :term:`OpenEmbedded Build System` to build
+      the recipe. In other words, if the :term:`REQUIRED_MACHINE_FEATURES` variable
+      lists a feature that does not appear in :term:`MACHINE_FEATURES` within the
+      current configuration, then the recipe will be skipped, and if the build
+      system attempts to build the recipe then an error will be triggered.
+
   :term:`REQUIRED_VERSION`
      If there are multiple versions of a recipe available, this variable
      determines which version should be given preference.
@@ -8174,7 +8238,7 @@ system and gives an overview of their function and contents.
      directory for the build host.

   :term:`STAGING_DIR`
-      Helps construct the ``recipe-sysroots`` directory, which is used
+      Helps construct the ``recipe-sysroot*`` directories, which are used
      during packaging.

      For information on how staging for recipe-specific sysroots occurs,
@@ -9422,6 +9486,22 @@ system and gives an overview of their function and contents.
      passes and uses "all" for the target during the U-Boot building
      process.

+   :term:`UNINATIVE_CHECKSUM`
+      When inheriting the :ref:`ref-classes-uninative` class, the
+      :term:`UNINATIVE_CHECKSUM` variable flags contain the checksums of the
+      uninative tarball as specified by the :term:`UNINATIVE_URL` variable.
+      There should be one checksum per tarballs published at
+      :term:`UNINATIVE_URL`, which match architectures. For example::
+
+         UNINATIVE_CHECKSUM[aarch64] ?= "812045d826b7fda88944055e8526b95a5a9440bfef608d5b53fd52faab49bf85"
+         UNINATIVE_CHECKSUM[i686] ?= "5cc28efd0c15a75de4bcb147c6cce65f1c1c9d442173a220f08427f40a3ffa09"
+         UNINATIVE_CHECKSUM[x86_64] ?= "4c03d1ed2b7b4e823aca4a1a23d8f2e322f1770fc10e859adcede5777aff4f3a"
+
+   :term:`UNINATIVE_URL`
+      When inheriting the :ref:`ref-classes-uninative` class, the
+      :term:`UNINATIVE_URL` variable contains the URL where the uninative
+      tarballs are published.
+
   :term:`UNKNOWN_CONFIGURE_OPT_IGNORE`
      Specifies a list of options that, if reported by the configure script
      as being invalid, should not generate a warning during the
@@ -9517,6 +9597,18 @@ system and gives an overview of their function and contents.
      the Yocto Project Development Tasks Manual for information on how to
      use this variable.

+   :term:`USE_NLS`
+      Determine if language translations should be built for recipes that can
+      build them. This variable can be equal to:
+
+      -  ``yes``: translations are enabled.
+      -  ``no``: translation are disabled.
+
+      Recipes can use the value of this variable to enable language
+      translations in their build. Classes such as :ref:`ref-classes-gettext`
+      use the value of this variable to enable :wikipedia:`Gettext <Gettext>`
+      support.
+
   :term:`USE_VT`
      When using
      :ref:`SysVinit <dev-manual/new-recipe:enabling system services>`,
--- a/documentation/security-reference/index.rst
+++ b/documentation/security-reference/index.rst
@@ -0,0 +1,14 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+================================
+Yocto Project Security Reference
+================================
+
+.. toctree::
+   :caption: Table of Contents
+   :numbered:
+
+   security-team
+   reporting-vulnerabilities
+
+.. include:: /boilerplate.rst
--- a/documentation/security-reference/reporting-vulnerabilities.rst
+++ b/documentation/security-reference/reporting-vulnerabilities.rst
@@ -0,0 +1,85 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Reporting Vulnerabilities
+*************************
+
+The Yocto Project and OpenEmbedded are open-source, community-based projects
+used in numerous products. They assemble multiple other open-source projects,
+and need to handle security issues and practices both internal (in the code
+maintained by both projects), and external (maintained by other projects and
+organizations).
+
+This manual assembles security-related information concerning the whole
+ecosystem. It includes information on reporting a potential security issue,
+the operation of the YP Security team and how to contribute in the
+related code. It is written to be useful for both security researchers and
+YP developers.
+
+How to report a potential security vulnerability?
+=================================================
+
+If you would like to report a public issue (for example, one with a released
+CVE number), please report it using the
+:yocto_bugs:`Security Bugzilla </enter_bug.cgi?product=Security>`.
+
+If you are dealing with a not-yet-released issue, or an urgent one, please send
+a message to security AT yoctoproject DOT org, including as many details as
+possible: the layer or software module affected, the recipe and its version,
+and any example code, if available. This mailing list is monitored by the
+Yocto Project Security team.
+
+For each layer, you might also look for specific instructions (if any) for
+reporting potential security issues in the specific ``SECURITY.md`` file at the
+root of the repository. Instructions on how and where submit a patch are
+usually available in ``README.md``. If this is your first patch to the
+Yocto Project/OpenEmbedded, you might want to have a look into the
+Contributor's Manual section
+":ref:`contributor-guide/submit-changes:preparing changes for submission`".
+
+Branches maintained with security fixes
+---------------------------------------
+
+See the
+:ref:`Release process <ref-manual/release-process:Stable Release Process>`
+documentation for details regarding the policies and maintenance of stable
+branches.
+
+The :yocto_home:`Releases </development/releases/>` page contains a list of all
+releases of the Yocto Project, grouped into current and previous releases.
+Previous releases are no longer actively maintained with security patches, but
+well-tested patches may still be accepted for them for significant issues.
+
+Security-related discussions at the Yocto Project
+-------------------------------------------------
+
+We have set up two security-related emails/mailing lists:
+
+  -  Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org
+
+     This is a public mailing list for anyone to subscribe to. This list is an
+     open list to discuss public security issues/patches and security-related
+     initiatives. For more information, including subscription information,
+     please see the  :yocto_lists:`yocto-security mailing list info page
+     </g/yocto-security>`.
+
+     This list requires moderator approval for new topics to be posted, to avoid
+     private security reports to be posted by mistake.
+
+  -  Yocto Project Security Team: security [at] yoctoproject [dot] org
+
+     This is an email for reporting non-published potential vulnerabilities.
+     Emails sent to this address are forwarded to the Yocto Project Security
+     Team members.
+
+
+What you should do if you find a security vulnerability
+-------------------------------------------------------
+
+If you find a security flaw: a crash, an information leakage, or anything that
+can have a security impact if exploited in any Open Source software built or
+used by the Yocto Project, please report this to the Yocto Project Security
+Team. If you prefer to contact the upstream project directly, please send a
+copy to the security team at the Yocto Project as well. If you believe this is
+highly sensitive information, please report the vulnerability in a secure way,
+i.e. encrypt the email and send it to the private list. This ensures that
+the exploit is not leaked and exploited before a response/fix has been generated.
--- a/documentation/security-reference/security-team.rst
+++ b/documentation/security-reference/security-team.rst
@@ -0,0 +1,110 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Security team
+*************
+
+The Yocto Project/OpenEmbedded security team coordinates the work on security
+subjects in the project. All general discussion takes place publicly. The
+Security Team only uses confidential communication tools to deal with private
+vulnerability reports before they are released.
+
+Security team appointment
+=========================
+
+The Yocto Project Security Team consists of at least three members. When new
+members are needed, the Yocto Project Technical Steering Committee (YP TSC)
+asks for nominations by public channels including a nomination deadline.
+Self-nominations are possible. When the limit time is
+reached, the YP TSC posts the list of candidates for the comments of project
+participants and developers. Comments may be sent publicly or privately to the
+YP and OE TSCs. The candidates are approved by both YP TSC and OpenEmbedded
+Technical Steering Committee (OE TSC) and the final list of the team members
+is announced publicly. The aim is to have people representing technical
+leadership, security knowledge and infrastructure present with enough people
+to provide backup/coverage but keep the notification list small enough to
+minimize information risk and maintain trust.
+
+YP Security Team members may resign at any time.
+
+Security Team Operations
+========================
+
+The work of the Security Team might require high confidentiality. Team members
+are individuals selected by merit and do not represent the companies they work
+for. They do not share information about confidential issues outside of the team
+and do not hint about ongoing embargoes.
+
+Team members can bring in domain experts as needed. Those people should be
+added to individual issues only and adhere to the same standards as the YP
+Security Team.
+
+The YP security team organizes its meetings and communication as needed.
+
+When the YP Security team receives a report about a potential security
+vulnerability, they quickly analyze and notify the reporter of the result.
+They might also request more information.
+
+If the issue is confirmed and affects the code maintained by the YP, they
+confidentially notify maintainers of that code and work with them to prepare
+a fix.
+
+If the issue is confirmed and affects an upstream project, the YP security team
+notifies the project. Usually, the upstream project analyzes the problem again.
+If they deem it a real security problem in their software, they develop and
+release a fix following their security policy. They may want to include the
+original reporter in the loop. There is also sometimes some coordination for
+handling patches, backporting patches etc, or just understanding the problem
+or what caused it.
+
+When the fix is publicly available, the YP security team member or the
+package maintainer sends patches against the YP code base, following usual
+procedures, including public code review.
+
+What Yocto Security Team does when it receives a security vulnerability
+=======================================================================
+
+The YP Security Team team performs a quick analysis and would usually report
+the flaw to the upstream project. Normally the upstream project analyzes the
+problem. If they deem it a real security problem in their software, they
+develop and release a fix following their own security policy. They may want
+to include the original reporter in the loop. There is also sometimes some
+coordination for handling patches, backporting patches etc, or just
+understanding the problem or what caused it.
+
+The security policy of the upstream project might include a notification to
+Linux distributions or other important downstream projects in advance to
+discuss coordinated disclosure. These mailing lists are normally non-public.
+
+When the upstream project releases a version with the fix, they are responsible
+for contacting `Mitre <https://www.cve.org/>`__ to get a CVE number assigned and
+the CVE record published.
+
+If an upstream project does not respond quickly
+===============================================
+
+If an upstream project does not fix the problem in a reasonable time,
+the Yocto's Security Team will contact other interested parties (usually
+other distributions) in the community and together try to solve the
+vulnerability as quickly as possible.
+
+The Yocto Project Security team adheres to the 90 days disclosure policy
+by default. An increase of the embargo time is possible when necessary.
+
+Security Team Members
+=====================
+
+For secure communications, please send your messages encrypted using the GPG
+keys. Remember, message headers are not encrypted so do not include sensitive
+information in the subject line.
+
+-  Ross Burton: <ross [at] burtonini [dot] com> `Public key <https://keys.openpgp.org/search?q=ross%40burtonini.com>`__
+
+-  Michael Halstead: <mhalstead [at] linuxfoundation [dot] org>
+   `Public key <https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3373170601861969>`__
+   or `Public key <https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd1f2407285e571ed12a407a73373170601861969>`__
+
+-  Richard Purdie: <richard.purdie [at] linuxfoundation [dot] org> `Public key <https://keys.openpgp.org/search?q=richard.purdie%40linuxfoundation.org>`__
+
+-  Marta Rybczynska: <marta DOT rybczynska [at] syslinbit [dot] com> `Public key <https://keys.openpgp.org/search?q=marta.rybczynska@syslinbit.com>`__
+
+-  Steve Sakoman: <steve [at] sakoman [dot] com> `Public key <https://keys.openpgp.org/search?q=steve%40sakoman.com>`__
--- a/documentation/test-manual/ptest.rst
+++ b/documentation/test-manual/ptest.rst
@@ -70,6 +70,25 @@ test. Here is what you have to do for each recipe:
      cd test
      make -k runtest-TESTS

+-  *Return an appropriate exit code*: The ``run-ptest`` script must return 0 on
+   success, 1 on failure. This is needed by ``ptest-runner`` to keep track of
+   the successful and failed tests.
+
+-  *Make sure the test prints at least one test result*: The execution of the
+   ``run-ptest`` script must result in at least one test result output on the
+   console, with the following format::
+
+      result: testname
+
+   Where ``result`` can be one of ``PASS``, ``SKIP``, or ``FAIL``. ``testname``
+   can be any name.
+
+   There can be as many test results as desired.
+
+   This information is read by the :ref:`ref-classes-testimage` class and
+   :oe_git:`logparser </openembedded-core/tree/meta/lib/oeqa/utils/logparser.py>`
+   module.
+
 -  *Ensure dependencies are met:* If the test adds build or runtime
   dependencies that normally do not exist for the package (such as
   requiring "make" to run the test suite), use the
--- a/documentation/test-manual/reproducible-builds.rst
+++ b/documentation/test-manual/reproducible-builds.rst
@@ -113,7 +113,7 @@ If ``OEQA_DEBUGGING_SAVED_OUTPUT`` is set, any differing packages will be saved
 here. The test is also able to run the ``diffoscope`` command on the output to
 generate HTML files showing the differences between the packages, to aid
 debugging. On the Autobuilder, these appear under
-https://autobuilder.yocto.io/pub/repro-fail/ in the form ``oe-reproducible +
+https://valkyrie.yocto.io/pub/repro-fail/ in the form ``oe-reproducible +
 <date> + <random ID>``, e.g. ``oe-reproducible-20200202-1lm8o1th``.

 The project's current reproducibility status can be seen at
--- a/documentation/test-manual/test-process.rst
+++ b/documentation/test-manual/test-process.rst
@@ -69,7 +69,7 @@ box to "generate an email to QA" is also checked.
 When the build completes, an email is sent out using the ``send-qa-email``
 script in the :yocto_git:`yocto-autobuilder-helper </yocto-autobuilder-helper>`
 repository to the list of people configured for that release. Release builds
-are placed into a directory in https://autobuilder.yocto.io/pub/releases on the
+are placed into a directory in https://valkyrie.yocto.io/pub/releases on the
 Autobuilder which is included in the email. The process from here is
 more manual and control is effectively passed to release engineering.
 The next steps include:
--- a/documentation/test-manual/yocto-project-compatible.rst
+++ b/documentation/test-manual/yocto-project-compatible.rst
@@ -38,7 +38,7 @@ Benefits
 and flexible: it gives users the ultimate power to change pretty much any
 aspect of the system but as with most things, power comes with responsibility.
 The Yocto Project would like to see people able to mix and match BSPs with
-distro configs or software stacks and be able to merge succesfully.
+distro configs or software stacks and be able to merge successfully.
 Over time, the project identified characteristics in layers that allow them
 to operate well together. "anti-patterns" were also found, preventing layers
 from working well together.
--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -1,7 +1,7 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
 #DISTRO_VERSION = "3.4+snapshot-${METADATA_REVISION}"
-DISTRO_VERSION = "4.0.30"
+DISTRO_VERSION = "4.0.33"
 DISTRO_CODENAME = "kirkstone"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"
--- a/meta/classes/cross.bbclass
+++ b/meta/classes/cross.bbclass
@@ -95,3 +95,39 @@ addtask addto_recipe_sysroot after do_populate_sysroot
 do_addto_recipe_sysroot[deptask] = "do_populate_sysroot"

 PATH:prepend = "${COREBASE}/scripts/cross-intercept:"
+
+#
+# Cross task outputs can call native dependencies and even when cross
+# recipe output doesn't change it might produce different results when
+# the called native dependency is changed, e.g. clang-cross-${TARGET_ARCH}
+# contains symlink to clang binary from clang-native, but when clang-native
+# outhash is changed, clang-cross-${TARGET_ARCH} will still be considered
+# equivalent and target recipes aren't rebuilt with new clang binary, see
+# work around in https://github.com/kraj/meta-clang/pull/1140 to make target
+# recipes to depend directly not only on clang-cross-${TARGET_ARCH} but
+# clang-native as well.
+#
+# This can cause poor interactions with hash equivalence, since this recipes
+# output-changing dependency is "hidden" and downstream task only see that this
+# recipe has the same outhash and therefore is equivalent. This can result in
+# different output in different cases.
+#
+# To resolve this, unhide the output-changing dependency by adding its unihash
+# to this tasks outhash calculation. Unfortunately, don't know specifically
+# know which dependencies are output-changing, so we have to add all of them.
+#
+python cross_add_do_populate_sysroot_deps () {
+    current_task = "do_" + d.getVar("BB_CURRENTTASK")
+    if current_task != "do_populate_sysroot":
+        return
+
+    taskdepdata = d.getVar("BB_TASKDEPDATA", False)
+    pn = d.getVar("PN")
+    deps = {
+        dep[0]:dep[6] for dep in taskdepdata.values() if
+            dep[1] == current_task and dep[0] != pn
+    }
+
+    d.setVar("HASHEQUIV_EXTRA_SIGDATA", "\n".join("%s: %s" % (k, deps[k]) for k in sorted(deps.keys())))
+}
+SSTATECREATEFUNCS += "cross_add_do_populate_sysroot_deps"
--- a/meta/classes/goarch.bbclass
+++ b/meta/classes/goarch.bbclass
@@ -18,6 +18,9 @@ TARGET_GOMIPS = "${@go_map_mips(d.getVar('TARGET_ARCH'), d.getVar('TUNE_FEATURES
 TARGET_GOARM:class-native = "7"
 TARGET_GO386:class-native = "sse2"
 TARGET_GOMIPS:class-native = "hardfloat"
+TARGET_GOARM:class-crosssdk = "7"
+TARGET_GO386:class-crosssdk = "sse2"
+TARGET_GOMIPS:class-crosssdk = "hardfloat"
 TARGET_GOTUPLE = "${TARGET_GOOS}_${TARGET_GOARCH}"
 GO_BUILD_BINDIR = "${@['bin/${HOST_GOTUPLE}','bin'][d.getVar('BUILD_GOTUPLE') == d.getVar('HOST_GOTUPLE')]}"

--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -690,7 +690,7 @@ DEBIAN_MIRROR = "http://ftp.debian.org/debian/pool"
 GENTOO_MIRROR = "http://distfiles.gentoo.org/distfiles"
 GNOME_GIT = "git://gitlab.gnome.org/GNOME"
 GNOME_MIRROR = "https://download.gnome.org/sources/"
-GNU_MIRROR = "https://ftp.gnu.org/gnu"
+GNU_MIRROR = "https://ftpmirror.gnu.org/gnu"
 GNUPG_MIRROR = "https://www.gnupg.org/ftp/gcrypt"
 GPE_MIRROR = "http://gpe.linuxtogo.org/download/source"
 KERNELORG_MIRROR = "https://cdn.kernel.org/pub"
--- a/meta/lib/oeqa/runtime/cases/buildcpio.py
+++ b/meta/lib/oeqa/runtime/cases/buildcpio.py
@@ -12,7 +12,7 @@ class BuildCpioTest(OERuntimeTestCase):

    @classmethod
    def setUpClass(cls):
-        uri = 'https://downloads.yoctoproject.org/mirror/sources/cpio-2.13.tar.gz'
+        uri = 'https://downloads.yoctoproject.org/mirror/sources/cpio-2.14.tar.gz'
        cls.project = TargetBuildProject(cls.tc.target,
                                         uri,
                                         dl_dir = cls.tc.td['DL_DIR'])
--- a/meta/lib/oeqa/sdk/cases/buildcpio.py
+++ b/meta/lib/oeqa/sdk/cases/buildcpio.py
@@ -17,10 +17,10 @@ class BuildCpioTest(OESDKTestCase):
    """
    def test_cpio(self):
        with tempfile.TemporaryDirectory(prefix="cpio-", dir=self.tc.sdk_dir) as testdir:
-            tarball = self.fetch(testdir, self.td["DL_DIR"], "https://ftp.gnu.org/gnu/cpio/cpio-2.13.tar.gz")
+            tarball = self.fetch(testdir, self.td["DL_DIR"], "https://ftpmirror.gnu.org/gnu/cpio/cpio-2.14.tar.gz")

            dirs = {}
-            dirs["source"] = os.path.join(testdir, "cpio-2.13")
+            dirs["source"] = os.path.join(testdir, "cpio-2.14")
            dirs["build"] = os.path.join(testdir, "build")
            dirs["install"] = os.path.join(testdir, "install")

--- a/meta/lib/oeqa/selftest/cases/meta_ide.py
+++ b/meta/lib/oeqa/selftest/cases/meta_ide.py
@@ -40,7 +40,7 @@ class MetaIDE(OESelftestTestCase):
    def test_meta_ide_can_build_cpio_project(self):
        dl_dir = self.td.get('DL_DIR', None)
        self.project = SDKBuildProject(self.tmpdir_metaideQA + "/cpio/", self.environment_script_path,
-                        "https://ftp.gnu.org/gnu/cpio/cpio-2.13.tar.gz",
+                        "https://ftpmirror.gnu.org/gnu/cpio/cpio-2.14.tar.gz",
                        self.tmpdir_metaideQA, self.td['DATETIME'], dl_dir=dl_dir)
        self.project.download_archive()
        self.assertEqual(self.project.run_configure('$CONFIGURE_FLAGS --disable-maintainer-mode','sed -i -e "/char \*program_name/d" src/global.c;'), 0,
--- a/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
+++ b/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
@@ -10,7 +10,7 @@ DEPENDS = "efivar popt"

 COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"

-SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https;branch=master \
+SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https;branch=main \
           file://0001-remove-extra-decl.patch \
           file://97668ae0bce776a36ea2001dea63d376be8274ac.patch \
           file://0001-src-make-compatible-with-efivar-38.patch \
--- a/meta/recipes-bsp/grub/files/CVE-2024-56738.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2024-56738.patch
@@ -0,0 +1,75 @@
+From 4cef2fc7308b2132317ad166939994f098b41561 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Tue, 9 Sep 2025 14:23:14 +0100
+Subject: [PATCH] CVE-2024-56738
+
+Backport an algorithmic change to grub_crypto_memcmp() so that it completes in
+constant time and thus isn't susceptible to side-channel attacks.
+
+This is a partial backport of grub 0739d24cd
+("libgcrypt: Adjust import script, definitions and API users for libgcrypt 1.11")
+
+CVE: CVE-2024-56738
+Upstream-Status: Backport [0739d24cd]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ grub-core/lib/crypto.c | 23 ++++++++++++++++-------
+ include/grub/crypto.h  |  2 +-
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
+index ca334d5..1bfa922 100644
+--- a/grub-core/lib/crypto.c
+++ b/grub-core/lib/crypto.c
+@@ -433,19 +433,28 @@ grub_crypto_gcry_error (gcry_err_code_t in)
+   return GRUB_ACCESS_DENIED;
+ }
+
+/*
+ * Compare byte arrays of length LEN, return 1 if it's not same,
+ * 0, otherwise.
+ */
+ int
+-grub_crypto_memcmp (const void *a, const void *b, grub_size_t n)
+grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len)
+ {
+-  register grub_size_t counter = 0;
+-  const grub_uint8_t *pa, *pb;
+  const grub_uint8_t *a = b1;
+  const grub_uint8_t *b = b2;
+  int ab, ba;
+  grub_size_t i;
+
+-  for (pa = a, pb = b; n; pa++, pb++, n--)
+  /* Constant-time compare. */
+  for (i = 0, ab = 0, ba = 0; i < len; i++)
+     {
+-      if (*pa != *pb)
+-	counter++;
+      /* If a[i] != b[i], either ab or ba will be negative. */
+      ab |= a[i] - b[i];
+      ba |= b[i] - a[i];
+     }
+
+-  return !!counter;
+  /* 'ab | ba' is negative when buffers are not equal, extract sign bit.  */
+  return ((unsigned int)(ab | ba) >> (sizeof(unsigned int) * 8 - 1)) & 1;
+ }
+
+ #ifndef GRUB_UTIL
+diff --git a/include/grub/crypto.h b/include/grub/crypto.h
+index 21cd1f7..432912b 100644
+--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
+@@ -393,7 +393,7 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
+		    grub_uint8_t *DK, grub_size_t dkLen);
+
+ int
+-grub_crypto_memcmp (const void *a, const void *b, grub_size_t n);
+grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len);
+
+ int
+ grub_password_get (char buf[], unsigned buf_size);
+--
+2.40.0
--- a/meta/recipes-bsp/grub/files/CVE-2025-61661.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2025-61661.patch
@@ -0,0 +1,40 @@
+From 9c2ae73b549a653f5f1bd5d4edebc50a764bad06 Mon Sep 17 00:00:00 2001
+From: Jamie <volticks@gmail.com>
+Date: Mon, 14 Jul 2025 09:52:59 +0100
+Subject: [PATCH 1/3] commands/usbtest: Use correct string length field
+
+An incorrect length field is used for buffer allocation. This leads to
+grub_utf16_to_utf8() receiving an incorrect/different length and possibly
+causing OOB write. This makes sure to use the correct length.
+
+Fixes: CVE-2025-61661
+
+CVE: CVE-2025-61661
+
+Upstream-Status: Backport
+[https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=549a9cc372fd0b96a4ccdfad0e12140476cc62a3]
+
+Reported-by: Jamie <volticks@gmail.com>
+Signed-off-by: Jamie <volticks@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ grub-core/commands/usbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+index 2c6d93fe6..8ef187a9a 100644
+--- a/grub-core/commands/usbtest.c
+++ b/grub-core/commands/usbtest.c
+@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+       return GRUB_USB_ERR_NONE;
+     }
+ 
+-  *string = grub_malloc (descstr.length * 2 + 1);
+  *string = grub_malloc (descstrp->length * 2 + 1);
+   if (! *string)
+     {
+       grub_free (descstrp);
+-- 
+2.34.1
+
--- a/meta/recipes-bsp/grub/files/CVE-2025-61662.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2025-61662.patch
@@ -0,0 +1,72 @@
+From c47760a907c91283bac9a8400d6975574b1d3986 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Thu, 21 Aug 2025 21:14:06 +0000
+Subject: [PATCH 2/3] gettext/gettext: Unregister gettext command on module
+ unload
+
+When the gettext module is loaded, the gettext command is registered but
+isn't unregistered when the module is unloaded. We need to add a call to
+grub_unregister_command() when unloading the module.
+
+Fixes: CVE-2025-61662
+
+CVE: CVE-2025-61662
+
+Upstream-Status: Backport
+[https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=8ed78fd9f0852ab218cc1f991c38e5a229e43807]
+
+Reported-by: Alec Brown <alec.r.brown@oracle.com>
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ grub-core/gettext/gettext.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 7a25c9d67..ef1258ee0 100644
+--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
+@@ -502,6 +502,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)),
+   return 0;
+ }
+ 
+static grub_command_t cmd;
+
+ GRUB_MOD_INIT (gettext)
+ {
+   const char *lang;
+@@ -521,13 +523,14 @@ GRUB_MOD_INIT (gettext)
+   grub_register_variable_hook ("locale_dir", NULL, read_main);
+   grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary);
+ 
+-  grub_register_command_p1 ("gettext", grub_cmd_translate,
+-			    N_("STRING"),
+-			    /* TRANSLATORS: It refers to passing the string through gettext.
+-			       So it's "translate" in the same meaning as in what you're 
+-			       doing now.
+-			     */
+-			    N_("Translates the string with the current settings."));
+  cmd = grub_register_command_p1 ("gettext", grub_cmd_translate,
+				  N_("STRING"),
+				  /*
+				   * TRANSLATORS: It refers to passing the string through gettext.
+				   * So it's "translate" in the same meaning as in what you're
+				   * doing now.
+				   */
+				  N_("Translates the string with the current settings."));
+ 
+   /* Reload .mo file information if lang changes.  */
+   grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang);
+@@ -544,6 +547,8 @@ GRUB_MOD_FINI (gettext)
+   grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
+   grub_register_variable_hook ("lang", NULL, NULL);
+ 
+  grub_unregister_command (cmd);
+
+   grub_gettext_delete_list (&main_context);
+   grub_gettext_delete_list (&secondary_context);
+ 
+-- 
+2.34.1
+
--- a/meta/recipes-bsp/grub/files/CVE-2025-61663_61664.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2025-61663_61664.patch
@@ -0,0 +1,64 @@
+From a182bd873e4aa93205ecbb7845ef7f0eda99dcf5 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Thu, 21 Aug 2025 21:14:07 +0000
+Subject: [PATCH 3/3] normal/main: Unregister commands on module unload
+
+When the normal module is loaded, the normal and normal_exit commands
+are registered but aren't unregistered when the module is unloaded. We
+need to add calls to grub_unregister_command() when unloading the module
+for these commands.
+
+Fixes: CVE-2025-61663
+Fixes: CVE-2025-61664
+
+CVE: CVE-2025-61663 CVE-2025-61664
+
+Upstream-Status: Backport
+[https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=05d3698b8b03eccc49e53491bbd75dba15f40917]
+
+Reported-by: Alec Brown <alec.r.brown@oracle.com>
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ grub-core/normal/main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index a95c25e5f..9d576de7a 100644
+--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
+@@ -499,7 +499,7 @@ grub_mini_cmd_clear (struct grub_command *cmd __attribute__ ((unused)),
+   return 0;
+ }
+ 
+-static grub_command_t cmd_clear;
+static grub_command_t cmd_clear, cmd_normal, cmd_normal_exit;
+ 
+ static void (*grub_xputs_saved) (const char *str);
+ static const char *features[] = {
+@@ -541,10 +541,10 @@ GRUB_MOD_INIT(normal)
+   grub_env_export ("pager");
+ 
+   /* Register a command "normal" for the rescue mode.  */
+-  grub_register_command ("normal", grub_cmd_normal,
+-			 0, N_("Enter normal mode."));
+-  grub_register_command ("normal_exit", grub_cmd_normal_exit,
+-			 0, N_("Exit from normal mode."));
+  cmd_normal = grub_register_command ("normal", grub_cmd_normal,
+				      0, N_("Enter normal mode."));
+  cmd_normal_exit = grub_register_command ("normal_exit", grub_cmd_normal_exit,
+					   0, N_("Exit from normal mode."));
+ 
+   /* Reload terminal colors when these variables are written to.  */
+   grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
+@@ -586,4 +586,6 @@ GRUB_MOD_FINI(normal)
+   grub_register_variable_hook ("color_highlight", NULL, NULL);
+   grub_fs_autoload_hook = 0;
+   grub_unregister_command (cmd_clear);
+  grub_unregister_command (cmd_normal);
+  grub_unregister_command (cmd_normal_exit);
+ }
+-- 
+2.34.1
+
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -59,6 +59,10 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://CVE-2025-0678_CVE-2025-1125.patch \
           file://CVE-2025-0690.patch \
           file://CVE-2025-1118.patch \
+           file://CVE-2024-56738.patch \
+           file://CVE-2025-61661.patch \
+           file://CVE-2025-61662.patch \
+           file://CVE-2025-61663_61664.patch \
 "

 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
@@ -69,6 +73,8 @@ CVE_CHECK_IGNORE += "CVE-2019-14865"
 CVE_CHECK_IGNORE += "CVE-2021-46705"
 # not-applicable-platform: Applies only to RHEL/Fedora
 CVE_CHECK_IGNORE += "CVE-2024-1048 CVE-2023-4001"
+# not-applicable-platform: Applies only to Ubuntu
+CVE_CHECK_IGNORE += "CVE-2024-2312"

 DEPENDS = "flex-native bison-native gettext-native"

--- a/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
@@ -0,0 +1,56 @@
+From 1406fc918977bba4dac0af5e22e63a5553aa6aff Mon Sep 17 00:00:00 2001
+From: Paul HENRYS <paul.henrys_ext@softathome.com>
+Date: Thu, 9 Oct 2025 17:43:28 +0200
+Subject: [PATCH] net: bootp: Prevent buffer overflow to avoid leaking the RAM
+ content
+
+CVE-2024-42040 describes a possible buffer overflow when calling
+bootp_process_vendor() in bootp_handler() since the total length
+of the packet is passed to bootp_process_vendor() without being
+reduced to len-(offsetof(struct bootp_hdr,bp_vend)+4).
+
+The packet length is also checked against its minimum size to avoid
+reading data from struct bootp_hdr outside of the packet length.
+
+Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
+Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
+
+CVE: CVE-2024-42040
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ net/bootp.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/net/bootp.c b/net/bootp.c
+index 68002909634..843180d296c 100644
+--- a/net/bootp.c
+++ b/net/bootp.c
+@@ -362,6 +362,14 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+ 	debug("got BOOTP packet (src=%d, dst=%d, len=%d want_len=%zu)\n",
+ 	      src, dest, len, sizeof(struct bootp_hdr));
+ 
+	/* Check the minimum size of a BOOTP packet is respected.
+	 * A BOOTP packet is between 300 bytes and 576 bytes big
+	 */
+	if (len < offsetof(struct bootp_hdr, bp_vend) + 64) {
+		printf("Error: got an invalid BOOTP packet (len=%u)\n", len);
+		return;
+	}
+
+ 	bp = (struct bootp_hdr *)pkt;
+ 
+ 	/* Filter out pkts we don't want */
+@@ -379,7 +387,8 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+ 
+ 	/* Retrieve extended information (we must parse the vendor area) */
+ 	if (net_read_u32((u32 *)&bp->bp_vend[0]) == htonl(BOOTP_VENDOR_MAGIC))
+-		bootp_process_vendor((uchar *)&bp->bp_vend[4], len);
+		bootp_process_vendor((uchar *)&bp->bp_vend[4], len -
+				     (offsetof(struct bootp_hdr, bp_vend) + 4));
+ 
+ 	net_set_timeout_handler(0, (thand_f *)0);
+ 	bootstage_mark_name(BOOTSTAGE_ID_BOOTP_STOP, "bootp_stop");
+-- 
+2.49.0
+
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,7 +14,9 @@ PE = "1"
 # repo during parse
 SRCREV = "d637294e264adfeb29f390dfc393106fd4d41b17"

-SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master"
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
+           file://CVE-2024-42040.patch \
+"

 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
--- a/meta/recipes-connectivity/bind/bind_9.18.41.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.41.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
           file://0001-avoid-start-failure-with-bind-user.patch \
           "

-SRC_URI[sha256sum] = "fb373fac5ebbc41c645160afd5a9fb451918f6c0e69ab1d9474154e2b515de40"
+SRC_URI[sha256sum] = "6ddc1d981511c4da0b203b0513af131e5d15e5f1c261145736fe1f35dd1fe79d"

 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2
--- a/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch
@@ -0,0 +1,38 @@
+From 7224be0fe2f4beb916b7b69141f478facd0f0634 Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko <denis@ovsienko.info>
+Date: Sat, 27 Dec 2025 21:36:11 +0000
+Subject: [PATCH] Rename one of the xdtoi() copies to simplify backporting.
+
+CVE: CVE-2025-11961
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/7224be0fe2f4beb916b7b69141f478facd0f0634]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ nametoaddr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/nametoaddr.c b/nametoaddr.c
+index dc75495c..bdaacbf1 100644
+--- a/nametoaddr.c
+++ b/nametoaddr.c
+@@ -646,7 +646,7 @@ pcap_nametollc(const char *s)
+ 
+ /* Hex digit to 8-bit unsigned integer. */
+ static inline u_char
+-xdtoi(u_char c)
+pcapint_xdtoi(u_char c)
+ {
+ 	if (c >= '0' && c <= '9')
+ 		return (u_char)(c - '0');
+@@ -728,10 +728,10 @@ pcap_ether_aton(const char *s)
+ 	while (*s) {
+ 		if (*s == ':' || *s == '.' || *s == '-')
+ 			s += 1;
+-		d = xdtoi(*s++);
+		d = pcapint_xdtoi(*s++);
+ 		if (PCAP_ISXDIGIT(*s)) {
+ 			d <<= 4;
+-			d |= xdtoi(*s++);
+			d |= pcapint_xdtoi(*s++);
+ 		}
+ 		*ep++ = d;
+ 	}
--- a/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch
@@ -0,0 +1,433 @@
+From b2d2f9a9a0581c40780bde509f7cc715920f1c02 Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko <denis@ovsienko.info>
+Date: Fri, 19 Dec 2025 17:31:13 +0000
+Subject: [PATCH] CVE-2025-11961: Fix OOBR and OOBW in pcap_ether_aton().
+
+pcap_ether_aton() has for a long time required its string argument to be
+a well-formed MAC-48 address, which is always the case when the argument
+comes from other libpcap code, so the function has never validated the
+input and used a simple loop to parse any of the three common MAC-48
+address formats.  However, the function has also been a part of the
+public API, so calling it directly with a malformed address can cause
+the loop to read beyond the end of the input string and/or to write
+beyond the end of the allocated output buffer.
+
+To handle invalid input more appropriately, replace the simple loop with
+new functions and require the input to match a supported address format.
+
+This problem was reported by Jin Wei, Kunwei Qian and Ping Chen.
+
+(backported from commit dd08e53e9380e217ae7c7768da9cc3d7bf37bf83)
+
+CVE: CVE-2025-11961
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/b2d2f9a9a0581c40780bde509f7cc715920f1c02]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gencode.c    |   5 +
+ nametoaddr.c | 367 +++++++++++++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 349 insertions(+), 23 deletions(-)
+
+diff --git a/gencode.c b/gencode.c
+index 3ddd15f8..76fb2d82 100644
+--- a/gencode.c
+++ b/gencode.c
+@@ -7206,6 +7206,11 @@ gen_ecode(compiler_state_t *cstate, const char *s, struct qual q)
+ 		return (NULL);
+ 
+ 	if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
+		/*
+		 * Because the lexer guards the input string format, in this
+		 * context the function returns NULL iff the implicit malloc()
+		 * has failed.
+		 */
+ 		cstate->e = pcap_ether_aton(s);
+ 		if (cstate->e == NULL)
+ 			bpf_error(cstate, "malloc");
+diff --git a/nametoaddr.c b/nametoaddr.c
+index f9fcd288..f50d0da5 100644
+--- a/nametoaddr.c
+++ b/nametoaddr.c
+@@ -703,39 +703,360 @@ __pcap_atodn(const char *s, bpf_u_int32 *addr)
+ 	return(32);
+ }
+ 
+// Man page: "xxxxxxxxxxxx", regexp: "^[0-9a-fA-F]{12}$".
+static u_char
+pcapint_atomac48_xxxxxxxxxxxx(const char *s, uint8_t *addr)
+{
+	if (strlen(s) == 12 &&
+	    PCAP_ISXDIGIT(s[0]) &&
+	    PCAP_ISXDIGIT(s[1]) &&
+	    PCAP_ISXDIGIT(s[2]) &&
+	    PCAP_ISXDIGIT(s[3]) &&
+	    PCAP_ISXDIGIT(s[4]) &&
+	    PCAP_ISXDIGIT(s[5]) &&
+	    PCAP_ISXDIGIT(s[6]) &&
+	    PCAP_ISXDIGIT(s[7]) &&
+	    PCAP_ISXDIGIT(s[8]) &&
+	    PCAP_ISXDIGIT(s[9]) &&
+	    PCAP_ISXDIGIT(s[10]) &&
+	    PCAP_ISXDIGIT(s[11])) {
+		addr[0] = pcapint_xdtoi(s[0]) << 4 | pcapint_xdtoi(s[1]);
+		addr[1] = pcapint_xdtoi(s[2]) << 4 | pcapint_xdtoi(s[3]);
+		addr[2] = pcapint_xdtoi(s[4]) << 4 | pcapint_xdtoi(s[5]);
+		addr[3] = pcapint_xdtoi(s[6]) << 4 | pcapint_xdtoi(s[7]);
+		addr[4] = pcapint_xdtoi(s[8]) << 4 | pcapint_xdtoi(s[9]);
+		addr[5] = pcapint_xdtoi(s[10]) << 4 | pcapint_xdtoi(s[11]);
+		return 1;
+	}
+	return 0;
+}
+
+// Man page: "xxxx.xxxx.xxxx", regexp: "^[0-9a-fA-F]{4}(\.[0-9a-fA-F]{4}){2}$".
+static u_char
+pcapint_atomac48_xxxx_3_times(const char *s, uint8_t *addr)
+{
+	const char sep = '.';
+	if (strlen(s) == 14 &&
+	    PCAP_ISXDIGIT(s[0]) &&
+	    PCAP_ISXDIGIT(s[1]) &&
+	    PCAP_ISXDIGIT(s[2]) &&
+	    PCAP_ISXDIGIT(s[3]) &&
+	    s[4] == sep &&
+	    PCAP_ISXDIGIT(s[5]) &&
+	    PCAP_ISXDIGIT(s[6]) &&
+	    PCAP_ISXDIGIT(s[7]) &&
+	    PCAP_ISXDIGIT(s[8]) &&
+	    s[9] == sep &&
+	    PCAP_ISXDIGIT(s[10]) &&
+	    PCAP_ISXDIGIT(s[11]) &&
+	    PCAP_ISXDIGIT(s[12]) &&
+	    PCAP_ISXDIGIT(s[13])) {
+		addr[0] = pcapint_xdtoi(s[0]) << 4 | pcapint_xdtoi(s[1]);
+		addr[1] = pcapint_xdtoi(s[2]) << 4 | pcapint_xdtoi(s[3]);
+		addr[2] = pcapint_xdtoi(s[5]) << 4 | pcapint_xdtoi(s[6]);
+		addr[3] = pcapint_xdtoi(s[7]) << 4 | pcapint_xdtoi(s[8]);
+		addr[4] = pcapint_xdtoi(s[10]) << 4 | pcapint_xdtoi(s[11]);
+		addr[5] = pcapint_xdtoi(s[12]) << 4 | pcapint_xdtoi(s[13]);
+		return 1;
+	}
+	return 0;
+}
+
+ /*
+- * Convert 's', which can have the one of the forms:
+ * Man page: "xx:xx:xx:xx:xx:xx", regexp: "^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$".
+ * Man page: "xx-xx-xx-xx-xx-xx", regexp: "^[0-9a-fA-F]{1,2}(-[0-9a-fA-F]{1,2}){5}$".
+ * Man page: "xx.xx.xx.xx.xx.xx", regexp: "^[0-9a-fA-F]{1,2}(\.[0-9a-fA-F]{1,2}){5}$".
+ * (Any "xx" above can be "x", which is equivalent to "0x".)
+  *
+- *	"xx:xx:xx:xx:xx:xx"
+- *	"xx.xx.xx.xx.xx.xx"
+- *	"xx-xx-xx-xx-xx-xx"
+- *	"xxxx.xxxx.xxxx"
+- *	"xxxxxxxxxxxx"
+ * An equivalent (and parametrisable for EUI-64) FSM could be implemented using
+ * a smaller graph, but that graph would be neither acyclic nor planar nor
+ * trivial to verify.
+  *
+- * (or various mixes of ':', '.', and '-') into a new
+- * ethernet address.  Assumes 's' is well formed.
+ *                |
+ *    [.]         v
+ * +<---------- START
+ * |              |
+ * |              | [0-9a-fA-F]
+ * |  [.]         v
+ * +<--------- BYTE0_X ----------+
+ * |              |              |
+ * |              | [0-9a-fA-F]  |
+ * |  [.]         v              |
+ * +<--------- BYTE0_XX          | [:\.-]
+ * |              |              |
+ * |              | [:\.-]       |
+ * |  [.]         v              |
+ * +<----- BYTE0_SEP_BYTE1 <-----+
+ * |              |
+ * |              | [0-9a-fA-F]
+ * |  [.]         v
+ * +<--------- BYTE1_X ----------+
+ * |              |              |
+ * |              | [0-9a-fA-F]  |
+ * |  [.]         v              |
+ * +<--------- BYTE1_XX          | <sep>
+ * |              |              |
+ * |              | <sep>        |
+ * |  [.]         v              |
+ * +<----- BYTE1_SEP_BYTE2 <-----+
+ * |              |
+ * |              | [0-9a-fA-F]
+ * |  [.]         v
+ * +<--------- BYTE2_X ----------+
+ * |              |              |
+ * |              | [0-9a-fA-F]  |
+ * |  [.]         v              |
+ * +<--------- BYTE2_XX          | <sep>
+ * |              |              |
+ * |              | <sep>        |
+ * |  [.]         v              |
+ * +<----- BYTE2_SEP_BYTE3 <-----+
+ * |              |
+ * |              | [0-9a-fA-F]
+ * |  [.]         v
+ * +<--------- BYTE3_X ----------+
+ * |              |              |
+ * |              | [0-9a-fA-F]  |
+ * |  [.]         v              |
+ * +<--------- BYTE3_XX          | <sep>
+ * |              |              |
+ * |              | <sep>        |
+ * |  [.]         v              |
+ * +<----- BYTE3_SEP_BYTE4 <-----+
+ * |              |
+ * |              | [0-9a-fA-F]
+ * |  [.]         v
+ * +<--------- BYTE4_X ----------+
+ * |              |              |
+ * |              | [0-9a-fA-F]  |
+ * |  [.]         v              |
+ * +<--------- BYTE4_XX          | <sep>
+ * |              |              |
+ * |              | <sep>        |
+ * |  [.]         v              |
+ * +<----- BYTE4_SEP_BYTE5 <-----+
+ * |              |
+ * |              | [0-9a-fA-F]
+ * |  [.]         v
+ * +<--------- BYTE5_X ----------+
+ * |              |              |
+ * |              | [0-9a-fA-F]  |
+ * |  [.]         v              |
+ * +<--------- BYTE5_XX          | \0
+ * |              |              |
+ * |              | \0           |
+ * |              |              v
+ * +--> (reject)  +---------> (accept)
+ *
+ */
+static u_char
+pcapint_atomac48_x_xx_6_times(const char *s, uint8_t *addr)
+{
+	enum {
+		START,
+		BYTE0_X,
+		BYTE0_XX,
+		BYTE0_SEP_BYTE1,
+		BYTE1_X,
+		BYTE1_XX,
+		BYTE1_SEP_BYTE2,
+		BYTE2_X,
+		BYTE2_XX,
+		BYTE2_SEP_BYTE3,
+		BYTE3_X,
+		BYTE3_XX,
+		BYTE3_SEP_BYTE4,
+		BYTE4_X,
+		BYTE4_XX,
+		BYTE4_SEP_BYTE5,
+		BYTE5_X,
+		BYTE5_XX,
+	} fsm_state = START;
+	uint8_t buf[6];
+	const char *seplist = ":.-";
+	char sep;
+
+	while (*s) {
+		switch (fsm_state) {
+		case START:
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[0] = pcapint_xdtoi(*s);
+				fsm_state = BYTE0_X;
+				break;
+			}
+			goto reject;
+		case BYTE0_X:
+			if (strchr(seplist, *s)) {
+				sep = *s;
+				fsm_state = BYTE0_SEP_BYTE1;
+				break;
+			}
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[0] = buf[0] << 4 | pcapint_xdtoi(*s);
+				fsm_state = BYTE0_XX;
+				break;
+			}
+			goto reject;
+		case BYTE0_XX:
+			if (strchr(seplist, *s)) {
+				sep = *s;
+				fsm_state = BYTE0_SEP_BYTE1;
+				break;
+			}
+			goto reject;
+		case BYTE0_SEP_BYTE1:
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[1] = pcapint_xdtoi(*s);
+				fsm_state = BYTE1_X;
+				break;
+			}
+			goto reject;
+		case BYTE1_X:
+			if (*s == sep) {
+				fsm_state = BYTE1_SEP_BYTE2;
+				break;
+			}
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[1] = buf[1] << 4 | pcapint_xdtoi(*s);
+				fsm_state = BYTE1_XX;
+				break;
+			}
+			goto reject;
+		case BYTE1_XX:
+			if (*s == sep) {
+				fsm_state = BYTE1_SEP_BYTE2;
+				break;
+			}
+			goto reject;
+		case BYTE1_SEP_BYTE2:
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[2] = pcapint_xdtoi(*s);
+				fsm_state = BYTE2_X;
+				break;
+			}
+			goto reject;
+		case BYTE2_X:
+			if (*s == sep) {
+				fsm_state = BYTE2_SEP_BYTE3;
+				break;
+			}
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[2] = buf[2] << 4 | pcapint_xdtoi(*s);
+				fsm_state = BYTE2_XX;
+				break;
+			}
+			goto reject;
+		case BYTE2_XX:
+			if (*s == sep) {
+				fsm_state = BYTE2_SEP_BYTE3;
+				break;
+			}
+			goto reject;
+		case BYTE2_SEP_BYTE3:
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[3] = pcapint_xdtoi(*s);
+				fsm_state = BYTE3_X;
+				break;
+			}
+			goto reject;
+		case BYTE3_X:
+			if (*s == sep) {
+				fsm_state = BYTE3_SEP_BYTE4;
+				break;
+			}
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[3] = buf[3] << 4 | pcapint_xdtoi(*s);
+				fsm_state = BYTE3_XX;
+				break;
+			}
+			goto reject;
+		case BYTE3_XX:
+			if (*s == sep) {
+				fsm_state = BYTE3_SEP_BYTE4;
+				break;
+			}
+			goto reject;
+		case BYTE3_SEP_BYTE4:
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[4] = pcapint_xdtoi(*s);
+				fsm_state = BYTE4_X;
+				break;
+			}
+			goto reject;
+		case BYTE4_X:
+			if (*s == sep) {
+				fsm_state = BYTE4_SEP_BYTE5;
+				break;
+			}
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[4] = buf[4] << 4 | pcapint_xdtoi(*s);
+				fsm_state = BYTE4_XX;
+				break;
+			}
+			goto reject;
+		case BYTE4_XX:
+			if (*s == sep) {
+				fsm_state = BYTE4_SEP_BYTE5;
+				break;
+			}
+			goto reject;
+		case BYTE4_SEP_BYTE5:
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[5] = pcapint_xdtoi(*s);
+				fsm_state = BYTE5_X;
+				break;
+			}
+			goto reject;
+		case BYTE5_X:
+			if (PCAP_ISXDIGIT(*s)) {
+				buf[5] = buf[5] << 4 | pcapint_xdtoi(*s);
+				fsm_state = BYTE5_XX;
+				break;
+			}
+			goto reject;
+		case BYTE5_XX:
+			goto reject;
+		} // switch
+		s++;
+	} // while
+
+	if (fsm_state == BYTE5_X || fsm_state == BYTE5_XX) {
+		// accept
+		memcpy(addr, buf, sizeof(buf));
+		return 1;
+	}
+
+reject:
+	return 0;
+}
+
+// The 'addr' argument must point to an array of at least 6 elements.
+static int
+pcapint_atomac48(const char *s, uint8_t *addr)
+{
+	return s && (
+	    pcapint_atomac48_xxxxxxxxxxxx(s, addr) ||
+	    pcapint_atomac48_xxxx_3_times(s, addr) ||
+	    pcapint_atomac48_x_xx_6_times(s, addr)
+	);
+}
+
+/*
+ * If 's' is a MAC-48 address in one of the forms documented in pcap-filter(7)
+ * for "ether host", return a pointer to an allocated buffer with the binary
+ * value of the address.  Return NULL on any error.
+  */
+ u_char *
+ pcap_ether_aton(const char *s)
+ {
+-	register u_char *ep, *e;
+-	register u_char d;
+	uint8_t tmp[6];
+	if (! pcapint_atomac48(s, tmp))
+		return (NULL);
+ 
+-	e = ep = (u_char *)malloc(6);
+	u_char *e = malloc(6);
+ 	if (e == NULL)
+ 		return (NULL);
+-
+-	while (*s) {
+-		if (*s == ':' || *s == '.' || *s == '-')
+-			s += 1;
+-		d = pcapint_xdtoi(*s++);
+-		if (PCAP_ISXDIGIT(*s)) {
+-			d <<= 4;
+-			d |= pcapint_xdtoi(*s++);
+-		}
+-		*ep++ = d;
+-	}
+-
+	memcpy(e, tmp, sizeof(tmp));
+ 	return (e);
+ }
+ 
--- a/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch
+++ b/meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch
@@ -0,0 +1,33 @@
+From 7fabf607f2319a36a0bd78444247180acb838e69 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Sun, 7 Sep 2025 12:51:56 -0700
+Subject: [PATCH] Fix a copy-and-pasteo in utf_16le_to_utf_8_truncated().
+
+For the four octets of UTF-8 case, it was decrementing the remaining
+buffer length by 3, not 4.
+
+Thanks to a team of developers from the Univesity of Waterloo for
+reporting this.
+
+(cherry picked from commit aebfca1aea2fc8c177760a26e8f4de27b51d1b3b)
+
+CVE: CVE-2025-11964
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/7fabf607f2319a36a0bd78444247180acb838e69]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ fmtutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fmtutils.c b/fmtutils.c
+index a5a4fe62..78a0f8b7 100644
+--- a/fmtutils.c
+++ b/fmtutils.c
+@@ -235,7 +235,7 @@ utf_16le_to_utf_8_truncated(const wchar_t *utf_16, char *utf_8,
+ 			*utf_8++ = ((uc >> 12) & 0x3F) | 0x80;
+ 			*utf_8++ = ((uc >> 6) & 0x3F) | 0x80;
+ 			*utf_8++ = ((uc >> 0) & 0x3F) | 0x80;
+-			utf_8_len -= 3;
+			utf_8_len -= 4;
+ 		}
+ 	}
+ 
--- a/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb
+++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb
@@ -17,6 +17,9 @@ SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
           file://CVE-2023-7256-pre4.patch \
           file://CVE-2023-7256.patch \
           file://CVE-2024-8006.patch \
+           file://CVE-2025-11961-01.patch \
+           file://CVE-2025-11961-02.patch \
+           file://CVE-2025-11964.patch \
          "

 SRC_URI[sha256sum] = "ed285f4accaf05344f90975757b3dbfe772ba41d1c401c2648b7fa45b711bdd4"
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch
@@ -0,0 +1,98 @@
+From 35d5917652106aede47621bb3f64044604164043 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 4 Sep 2025 00:29:09 +0000
+Subject: [PATCH] upstream: Improve rules for %-expansion of username.
+
+Usernames passed on the commandline will no longer be subject to
+% expansion. Some tools invoke ssh with connection information
+(i.e. usernames and host names) supplied from untrusted sources.
+These may contain % expansion sequences which could yield
+unexpected results.
+
+Since openssh-9.6, all usernames have been subject to validity
+checking. This change tightens the validity checks by refusing
+usernames that include control characters (again, these can cause
+surprises when supplied adversarially).
+
+This change also relaxes the validity checks in one small way:
+usernames supplied via the configuration file as literals (i.e.
+include no % expansion characters) are not subject to these
+validity checks. This allows usernames that contain arbitrary
+characters to be used, but only via configuration files. This
+is done on the basis that ssh's configuration is trusted.
+
+Pointed out by David Leadbeater, ok deraadt@
+
+OpenBSD-Commit-ID: e2f0c871fbe664aba30607321575e7c7fc798362
+
+CVE: CVE-2025-61984
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ ssh.c | 11 +++++++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 82ed15f..d4e2040 100644
+--- a/ssh.c
+++ b/ssh.c
+@@ -634,6 +634,8 @@ valid_ruser(const char *s)
+ 	if (*s == '-')
+ 		return 0;
+ 	for (i = 0; s[i] != 0; i++) {
+		if (iscntrl((u_char)s[i]))
+			return 0;
+ 		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ 			return 0;
+ 		/* Disallow '-' after whitespace */
+@@ -655,6 +657,7 @@ main(int ac, char **av)
+ 	struct ssh *ssh = NULL;
+ 	int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+ 	int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
+	int user_on_commandline = 0, user_was_default = 0, user_expanded = 0;
+ 	char *p, *cp, *line, *argv0, *logfile, *host_arg;
+ 	char cname[NI_MAXHOST], thishost[NI_MAXHOST];
+ 	struct stat st;
+@@ -995,8 +998,10 @@ main(int ac, char **av)
+ 			}
+ 			break;
+ 		case 'l':
+-			if (options.user == NULL)
+			if (options.user == NULL) {
+ 				options.user = optarg;
+				user_on_commandline = 1;
+			}
+ 			break;
+ 
+ 		case 'L':
+@@ -1099,6 +1104,7 @@ main(int ac, char **av)
+ 			if (options.user == NULL) {
+ 				options.user = tuser;
+ 				tuser = NULL;
+				user_on_commandline = 1;
+ 			}
+ 			free(tuser);
+ 			if (options.port == -1 && tport != -1)
+@@ -1113,6 +1119,7 @@ main(int ac, char **av)
+ 				if (options.user == NULL) {
+ 					options.user = p;
+ 					p = NULL;
+					user_on_commandline = 1;
+ 				}
+ 				*cp++ = '\0';
+ 				host = xstrdup(cp);
+@@ -1265,8 +1272,10 @@ main(int ac, char **av)
+ 	if (fill_default_options(&options) != 0)
+ 		cleanup_exit(255);
+ 
+-	if (options.user == NULL)
+	if (options.user == NULL) {
+		user_was_default = 1;
+ 		options.user = xstrdup(pw->pw_name);
+	}
+ 
+ 	/*
+ 	 * If ProxyJump option specified, then construct a ProxyCommand now.
+-- 
+2.50.1
+
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2025-61985.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-61985.patch
@@ -0,0 +1,35 @@
+From 54928cb9eaa7143ff17f463efa7ed3109afdbf30 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 4 Sep 2025 00:30:06 +0000
+Subject: [PATCH] upstream: don't allow \0 characters in url-encoded strings.
+ Suggested by David Leadbeater, ok deraadt@
+
+OpenBSD-Commit-ID: c92196cef0f970ceabc1e8007a80b01e9b7cd49c
+
+CVE: CVE-2025-61985
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/43b3bff47bb029f2299bacb6a36057981b39fdb0]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ misc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/misc.c b/misc.c
+index 6135b15..3d133b5 100644
+--- a/misc.c
+++ b/misc.c
+@@ -934,9 +934,10 @@ urldecode(const char *src)
+			*dst++ = ' ';
+			break;
+		case '%':
+			/* note: don't allow \0 characters */
+			if (!isxdigit((unsigned char)src[1]) ||
+			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
+			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+				free(ret);
+				return NULL;
+			}
+--
+2.40.0
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -39,6 +39,8 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://CVE-2024-6387.patch \
           file://CVE-2025-26465.patch \
           file://CVE-2025-32728.patch \
+           file://CVE-2025-61985.patch \
+           file://CVE-2025-61984.patch \
           "
 SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"

--- a/meta/recipes-connectivity/openssl/openssl_3.0.18.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.18.bb
@@ -25,7 +25,7 @@ SRC_URI:append:class-nativesdk = " \
           file://environment.d-openssl.sh \
           "

-SRC_URI[sha256sum] = "dfdd77e4ea1b57ff3a6dbde6b0bdc3f31db5ac99e7fdd4eaf9e1fbb6ec2db8ce"
+SRC_URI[sha256sum] = "d80c34f5cf902dccf1f1b5df5ebb86d0392e37049e5d73df1b3abae72e4ffe8b"

 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
@@ -0,0 +1,79 @@
+From 726432d7622cc0088ac353d073b59628b590ea44 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 25 Jan 2025 11:21:16 +0200
+Subject: [PATCH] RADIUS: Drop pending request only when accepting the response
+
+The case of an invalid authenticator in a RADIUS response could imply
+that the response is not from the correct RADIUS server and as such,
+such a response should be discarded without changing internal state for
+the pending request. The case of an unknown response (RADIUS_RX_UNKNOWN)
+is somewhat more complex since it could have been indicated before
+validating the authenticator. In any case, it seems better to change the
+state for the pending request only when we have fully accepted the
+response.
+
+Allowing the internal state of pending RADIUS request to change based on
+responses that are not fully validation could have allow at least a
+theoretical DoS attack if an attacker were to have means for injecting
+RADIUS messages to the network using the IP address of the real RADIUS
+server and being able to do so more quickly than the real server and
+with the matching identifier from the request header (i.e., either by
+flooding 256 responses quickly or by having means to capture the RADIUS
+request). These should not really be realistic options in a properly
+protected deployment, but nevertheless it is good to be more careful in
+processing RADIUS responses.
+
+Remove a pending RADIUS request from the internal list only when having
+fully accepted a matching RADIUS response, i.e., after one of the
+registered handlers has confirmed that the authenticator is valid and
+processing of the response has succeeded.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2025-24912
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius_client.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
+index 2a7f36170..7909b29a7 100644
+--- a/src/radius/radius_client.c
+++ b/src/radius/radius_client.c
+@@ -922,13 +922,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		       roundtrip / 100, roundtrip % 100);
+ 	rconf->round_trip_time = roundtrip;
+ 
+-	/* Remove ACKed RADIUS packet from retransmit list */
+-	if (prev_req)
+-		prev_req->next = req->next;
+-	else
+-		radius->msgs = req->next;
+-	radius->num_msgs--;
+-
+ 	for (i = 0; i < num_handlers; i++) {
+ 		RadiusRxResult res;
+ 		res = handlers[i].handler(msg, req->msg, req->shared_secret,
+@@ -939,6 +932,13 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 			radius_msg_free(msg);
+ 			/* fall through */
+ 		case RADIUS_RX_QUEUED:
+			/* Remove ACKed RADIUS packet from retransmit list */
+			if (prev_req)
+				prev_req->next = req->next;
+			else
+				radius->msgs = req->next;
+			radius->num_msgs--;
+
+ 			radius_client_msg_free(req);
+ 			return;
+ 		case RADIUS_RX_INVALID_AUTHENTICATOR:
+@@ -960,7 +960,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		       msg_type, hdr->code, hdr->identifier,
+ 		       invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
+ 		       "");
+-	radius_client_msg_free(req);
+ 
+  fail:
+ 	radius_msg_free(msg);
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
@@ -0,0 +1,70 @@
+From 339a334551ca911187cc870f4f97ef08e11db109 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Wed, 5 Feb 2025 19:23:39 +0200
+Subject: [PATCH] RADIUS: Fix pending request dropping
+
+A recent change to this moved the place where the processed RADIUS
+request was removed from the pending list to happen after the message
+handler had been called. This did not take into account possibility of
+the handler adding a new pending request in the list and the prev_req
+pointer not necessarily pointing to the correct entry anymore. As such,
+some of the pending requests could have been lost and that would result
+in not being able to process responses to those requests and also, to a
+memory leak.
+
+Fix this by determining prev_req at the point when the pending request
+is being removed, i.e., after the handler function has already added a
+new entry.
+
+Fixes: 726432d7622c ("RADIUS: Drop pending request only when accepting the response")
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+
+CVE: CVE-2025-24912
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius_client.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
+index 7909b29a7..d4faa7936 100644
+--- a/src/radius/radius_client.c
+++ b/src/radius/radius_client.c
+@@ -824,7 +824,7 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 	struct radius_hdr *hdr;
+ 	struct radius_rx_handler *handlers;
+ 	size_t num_handlers, i;
+-	struct radius_msg_list *req, *prev_req;
+	struct radius_msg_list *req, *prev_req, *r;
+ 	struct os_reltime now;
+ 	struct hostapd_radius_server *rconf;
+ 	int invalid_authenticator = 0;
+@@ -887,7 +887,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		break;
+ 	}
+ 
+-	prev_req = NULL;
+ 	req = radius->msgs;
+ 	while (req) {
+ 		/* TODO: also match by src addr:port of the packet when using
+@@ -899,7 +898,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		    hdr->identifier)
+ 			break;
+ 
+-		prev_req = req;
+ 		req = req->next;
+ 	}
+ 
+@@ -933,6 +931,12 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 			/* fall through */
+ 		case RADIUS_RX_QUEUED:
+ 			/* Remove ACKed RADIUS packet from retransmit list */
+			prev_req = NULL;
+			for (r = radius->msgs; r; r = r->next) {
+				if (r == req)
+					break;
+				prev_req = r;
+			}
+ 			if (prev_req)
+ 				prev_req->next = req->next;
+ 			else
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -43,6 +43,8 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
           file://CVE-2022-37660-0003.patch \
           file://CVE-2022-37660-0004.patch \
           file://CVE-2022-37660-0005.patch \
+           file://CVE-2025-24912-01.patch \
+           file://CVE-2025-24912-02.patch \
           "
 SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"

--- a/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch
+++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch
@@ -0,0 +1,57 @@
+From f5e1bf966b19ea1821f00a8c9ecd7774598689b4 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Wed, 24 Sep 2025 03:28:47 +0200
+Subject: [PATCH] archival/libarchive: sanitize filenames on output (prevent
+ control sequence attacks
+
+This fixes CVE-2025-46394 (terminal escape sequence injection)
+
+Original credit: Ian.Norton at entrust.com
+
+function                                             old     new   delta
+header_list                                            9      15      +6
+header_verbose_list                                  239     244      +5
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0)               Total: 11 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+CVE: CVE-2025-46394
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=f5e1bf966b19ea1821f00a8c9ecd7774598689b4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ archival/libarchive/header_list.c         | 2 +-
+ archival/libarchive/header_verbose_list.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c
+index 0621aa406..9490b3635 100644
+--- a/archival/libarchive/header_list.c
+++ b/archival/libarchive/header_list.c
+@@ -8,5 +8,5 @@
+ void FAST_FUNC header_list(const file_header_t *file_header)
+ {
+ //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
+-	puts(file_header->name);
+	puts(printable_string(file_header->name));
+ }
+diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c
+index a575a08a0..e7a09430d 100644
+--- a/archival/libarchive/header_verbose_list.c
+++ b/archival/libarchive/header_verbose_list.c
+@@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
+ 		ptm->tm_hour,
+ 		ptm->tm_min,
+ 		ptm->tm_sec,
+-		file_header->name);
+		printable_string(file_header->name));
+ 
+ #endif /* FEATURE_TAR_UNAME_GNAME */
+ 
+ 	/* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
+ 	if (file_header->link_target) {
+-		printf(" -> %s", file_header->link_target);
+		printf(" -> %s", printable_string(file_header->link_target));
+ 	}
+ 	bb_putchar('\n');
+ }
--- a/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch
+++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch
@@ -0,0 +1,32 @@
+From 7378db981d87b4a2264e14d60340a7fb5c67ae59 Mon Sep 17 00:00:00 2001
+From: Peter Marko <peter.marko@siemens.com>
+Date: Fri, 3 Oct 2025 16:12:56 +0200
+Subject: [PATCH] testsuite/tar.tests: fix test after CVE-2025-46394
+
+tar now sanitizes output and this test needs to expect that.
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+
+CVE: CVE-2025-46394
+Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-October/091743.html]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ testsuite/tar.tests | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/testsuite/tar.tests b/testsuite/tar.tests
+index 0f2e89112..48fc38114 100755
+--- a/testsuite/tar.tests
+++ b/testsuite/tar.tests
+@@ -325,9 +325,9 @@ unset LANG
+ rm -rf etc usr
+ ' "\
+ etc/ssl/certs/3b2716e5.0
+-etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
+etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.pem
+ etc/ssl/certs/f80cc7f6.0
+-usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
+usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.crt
+ 0
+ etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
+ etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
--- a/meta/recipes-core/busybox/busybox_1.35.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.35.0.bb
@@ -59,6 +59,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
           file://CVE-2023-42366.patch \
           file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
           file://CVE-2023-39810.patch \
+           file://CVE-2025-46394-01.patch \
+           file://CVE-2025-46394-02.patch \
           "
 SRC_URI:append:libc-musl = " file://musl.cfg "

--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -34,6 +34,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
           file://0001-Add-m_snprintf-that-won-t-return-negative.patch \
           file://0001-Handle-arbitrary-length-paths-and-commands-in-multih.patch \
           file://CVE-2025-47203.patch \
+           file://CVE-2019-6111.patch \
 	   "

 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
--- a/meta/recipes-core/dropbear/dropbear/CVE-2019-6111.patch
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2019-6111.patch
@@ -0,0 +1,157 @@
+From 48a17cff6aa104b8e806ddb2191f83f1024060f1 Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Tue, 9 Dec 2025 22:59:19 +0900
+Subject: [PATCH] scp CVE-2019-6111 fix
+
+Cherry-pick from OpenSSH portable
+
+391ffc4b9d31 ("upstream: check in scp client that filenames sent during")
+
+upstream: check in scp client that filenames sent during
+
+remote->local directory copies satisfy the wildcard specified by the user.
+
+This checking provides some protection against a malicious server
+sending unexpected filenames, but it comes at a risk of rejecting wanted
+files due to differences between client and server wildcard expansion rules.
+
+For this reason, this also adds a new -T flag to disable the check.
+
+reported by Harry Sintonen
+fix approach suggested by markus@;
+has been in snaps for ~1wk courtesy deraadt@
+
+CVE: CVE-2019-6111
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/48a17cff6aa104b8e806ddb2191f83f1024060f1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ scp.c | 38 +++++++++++++++++++++++++++++---------
+ 1 file changed, 29 insertions(+), 9 deletions(-)
+
+diff --git a/scp.c b/scp.c
+index 384f2cb..bf98986 100644
+--- a/scp.c
+++ b/scp.c
+@@ -76,6 +76,8 @@
+ #include "includes.h"
+ /*RCSID("$OpenBSD: scp.c,v 1.130 2006/01/31 10:35:43 djm Exp $");*/
+ 
+#include <fnmatch.h>
+
+ #include "atomicio.h"
+ #include "compat.h"
+ #include "scpmisc.h"
+@@ -291,14 +293,14 @@ void verifydir(char *);
+ 
+ uid_t userid;
+ int errs, remin, remout;
+-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
+int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
+ 
+ #define	CMDNEEDS	64
+ char cmd[CMDNEEDS];		/* must hold "rcp -r -p -d\0" */
+ 
+ int response(void);
+ void rsource(char *, struct stat *);
+-void sink(int, char *[]);
+void sink(int, char *[], const char *);
+ void source(int, char *[]);
+ void tolocal(int, char *[]);
+ void toremote(char *, int, char *[]);
+@@ -325,8 +327,8 @@ main(int argc, char **argv)
+ 	args.list = NULL;
+ 	addargs(&args, "%s", ssh_program);
+ 
+-	fflag = tflag = 0;
+-	while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1)
+	fflag = Tflag = tflag = 0;
+	while ((ch = getopt(argc, argv, "dfl:prtTvBCc:i:P:q1246S:o:F:")) != -1)
+ 		switch (ch) {
+ 		/* User-visible flags. */
+ 		case '1':
+@@ -389,9 +391,12 @@ main(int argc, char **argv)
+ 			setmode(0, O_BINARY);
+ #endif
+ 			break;
+		case 'T':
+			Tflag = 1;
+			break;
+ 		default:
+ 			usage();
+-		}
+	}
+ 	argc -= optind;
+ 	argv += optind;
+ 
+@@ -409,7 +414,7 @@ main(int argc, char **argv)
+ 	}
+ 	if (tflag) {
+ 		/* Receive data. */
+-		sink(argc, argv);
+		sink(argc, argv, NULL);
+ 		exit(errs != 0);
+ 	}
+ 	if (argc < 2)
+@@ -590,7 +595,7 @@ tolocal(int argc, char **argv)
+ 			continue;
+ 		}
+ 		xfree(bp);
+-		sink(1, argv + argc - 1);
+		sink(1, argv + argc - 1, src);
+ 		(void) close(remin);
+ 		remin = remout = -1;
+ 	}
+@@ -823,7 +828,7 @@ bwlimit(int amount)
+ }
+ 
+ void
+-sink(int argc, char **argv)
+sink(int argc, char **argv, const char *src)
+ {
+ 	static BUF buffer;
+ 	struct stat stb;
+@@ -837,6 +842,7 @@ sink(int argc, char **argv)
+ 	off_t size, statbytes;
+ 	int setimes, targisdir, wrerrno = 0;
+ 	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
+	char *src_copy = NULL, *restrict_pattern = NULL;
+ 	struct timeval tv[2];
+ 
+ #define	atime	tv[0]
+@@ -858,6 +864,17 @@ sink(int argc, char **argv)
+ 	(void) atomicio(vwrite, remout, "", 1);
+ 	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+ 		targisdir = 1;
+	if (src != NULL && !iamrecursive && !Tflag) {
+		/*
+		 * Prepare to try to restrict incoming filenames to match
+		 * the requested destination file glob.
+		 */
+		if ((src_copy = strdup(src)) == NULL)
+			fatal("strdup failed");
+		if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
+			*restrict_pattern++ = '\0';
+		}
+	}
+ 	for (first = 1;; first = 0) {
+ 		cp = buf;
+ 		if (atomicio(read, remin, cp, 1) != 1)
+@@ -940,6 +957,9 @@ sink(int argc, char **argv)
+ 			run_err("error: unexpected filename: %s", cp);
+ 			exit(1);
+ 		}
+		if (restrict_pattern != NULL &&
+		    fnmatch(restrict_pattern, cp, 0) != 0)
+			SCREWUP("filename does not match request");
+ 		if (targisdir) {
+ 			static char *namebuf = NULL;
+ 			static size_t cursize = 0;
+@@ -978,7 +998,7 @@ sink(int argc, char **argv)
+ 					goto bad;
+ 			}
+ 			vect[0] = xstrdup(np);
+-			sink(1, vect);
+			sink(1, vect, src);
+ 			if (setimes) {
+ 				setimes = 0;
+ 				if (utimes(vect[0], tv) < 0)
--- a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-01.patch
@@ -0,0 +1,125 @@
+From f28340ee62c655487972ad3c632d231ee098fb7f Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 13 Nov 2025 18:27:22 +0000
+Subject: [PATCH] gconvert: Error out if g_escape_uri_string() would overflow
+
+If the string to escape contains a very large number of unacceptable
+characters (which would need escaping), the calculation of the length of
+the escaped string could overflow, leading to a potential write off the
+end of the newly allocated string.
+
+In addition to that, the number of unacceptable characters was counted
+in a signed integer, which would overflow to become negative, making it
+easier for an attacker to craft an input string which would cause an
+out-of-bounds write.
+
+Fix that by validating the allocation length, and using an unsigned
+integer to count the number of unacceptable characters.
+
+Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
+from the Sovereign Tech Agency. ID: #YWH-PGM9867-134
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3827
+
+CVE: CVE-2025-13601
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/f28340ee62c655487972ad3c632d231ee098fb7f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gconvert.c | 36 +++++++++++++++++++++++++-----------
+ 1 file changed, 25 insertions(+), 11 deletions(-)
+
+diff --git a/glib/gconvert.c b/glib/gconvert.c
+index b066dd5a8..a02d2ea73 100644
+--- a/glib/gconvert.c
+++ b/glib/gconvert.c
+@@ -1425,8 +1425,9 @@ static const gchar hex[] = "0123456789ABCDEF";
+ /* Note: This escape function works on file: URIs, but if you want to
+  * escape something else, please read RFC-2396 */
+ static gchar *
+-g_escape_uri_string (const gchar *string, 
+-		     UnsafeCharacterSet mask)
+g_escape_uri_string (const gchar         *string,
+                     UnsafeCharacterSet   mask,
+                     GError             **error)
+ {
+ #define ACCEPTABLE(a) ((a)>=32 && (a)<128 && (acceptable[(a)-32] & use_mask))
+ 
+@@ -1434,7 +1435,7 @@ g_escape_uri_string (const gchar *string,
+   gchar *q;
+   gchar *result;
+   int c;
+-  gint unacceptable;
+  size_t unacceptable;
+   UnsafeCharacterSet use_mask;
+   
+   g_return_val_if_fail (mask == UNSAFE_ALL
+@@ -1451,7 +1452,14 @@ g_escape_uri_string (const gchar *string,
+       if (!ACCEPTABLE (c)) 
+ 	unacceptable++;
+     }
+-  
+
+  if (unacceptable >= (G_MAXSIZE - (p - string)) / 2)
+    {
+      g_set_error_literal (error, G_CONVERT_ERROR, G_CONVERT_ERROR_BAD_URI,
+                           _("The URI is too long"));
+      return NULL;
+    }
+
+   result = g_malloc (p - string + unacceptable * 2 + 1);
+   
+   use_mask = mask;
+@@ -1476,12 +1484,13 @@ g_escape_uri_string (const gchar *string,
+ 
+ 
+ static gchar *
+-g_escape_file_uri (const gchar *hostname,
+-		   const gchar *pathname)
+g_escape_file_uri (const gchar  *hostname,
+                   const gchar  *pathname,
+                   GError      **error)
+ {
+   char *escaped_hostname = NULL;
+-  char *escaped_path;
+-  char *res;
+  char *escaped_path = NULL;
+  char *res = NULL;
+ 
+ #ifdef G_OS_WIN32
+   char *p, *backslash;
+@@ -1502,10 +1511,14 @@ g_escape_file_uri (const gchar *hostname,
+ 
+   if (hostname && *hostname != '\0')
+     {
+-      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST);
+      escaped_hostname = g_escape_uri_string (hostname, UNSAFE_HOST, error);
+      if (escaped_hostname == NULL)
+        goto out;
+     }
+ 
+-  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH);
+  escaped_path = g_escape_uri_string (pathname, UNSAFE_PATH, error);
+  if (escaped_path == NULL)
+    goto out;
+ 
+   res = g_strconcat ("file://",
+ 		     (escaped_hostname) ? escaped_hostname : "",
+@@ -1513,6 +1526,7 @@ g_escape_file_uri (const gchar *hostname,
+ 		     escaped_path,
+ 		     NULL);
+ 
+out:
+ #ifdef G_OS_WIN32
+   g_free ((char *) pathname);
+ #endif
+@@ -1832,7 +1846,7 @@ g_filename_to_uri (const gchar *filename,
+     hostname = NULL;
+ #endif
+ 
+-  escaped_uri = g_escape_file_uri (hostname, filename);
+  escaped_uri = g_escape_file_uri (hostname, filename, error);
+ 
+   return escaped_uri;
+ }
--- a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-13601-02.patch
@@ -0,0 +1,128 @@
+From 7bd3fc372040cdf8eada7f65c32c30da52a7461d Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 13 Nov 2025 18:31:43 +0000
+Subject: [PATCH] fuzzing: Add fuzz tests for g_filename_{to,from}_uri()
+
+These functions could be called on untrusted input data, and since they
+do URI escaping/unescaping, they have non-trivial string handling code.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+See: #3827
+
+CVE: CVE-2025-13601
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/7bd3fc372040cdf8eada7f65c32c30da52a7461d]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ fuzzing/fuzz_filename_from_uri.c | 40 ++++++++++++++++++++++++++++++++
+ fuzzing/fuzz_filename_to_uri.c   | 40 ++++++++++++++++++++++++++++++++
+ fuzzing/meson.build              |  2 ++
+ 3 files changed, 82 insertions(+)
+ create mode 100644 fuzzing/fuzz_filename_from_uri.c
+ create mode 100644 fuzzing/fuzz_filename_to_uri.c
+
+diff --git a/fuzzing/fuzz_filename_from_uri.c b/fuzzing/fuzz_filename_from_uri.c
+new file mode 100644
+index 000000000..9b7a715f0
+--- /dev/null
+++ b/fuzzing/fuzz_filename_from_uri.c
+@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025 GNOME Foundation, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "fuzz.h"
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+  unsigned char *nul_terminated_data = NULL;
+  char *filename = NULL;
+  GError *local_error = NULL;
+
+  fuzz_set_logging_func ();
+
+  /* ignore @size (g_filename_from_uri() doesn’t support it); ensure @data is nul-terminated */
+  nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size);
+  filename = g_filename_from_uri ((const char *) nul_terminated_data, NULL, &local_error);
+  g_free (nul_terminated_data);
+
+  g_free (filename);
+  g_clear_error (&local_error);
+
+  return 0;
+}
+diff --git a/fuzzing/fuzz_filename_to_uri.c b/fuzzing/fuzz_filename_to_uri.c
+new file mode 100644
+index 000000000..acb319203
+--- /dev/null
+++ b/fuzzing/fuzz_filename_to_uri.c
+@@ -0,0 +1,40 @@
+/*
+ * Copyright 2025 GNOME Foundation, Inc.
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "fuzz.h"
+
+int
+LLVMFuzzerTestOneInput (const unsigned char *data, size_t size)
+{
+  unsigned char *nul_terminated_data = NULL;
+  char *uri = NULL;
+  GError *local_error = NULL;
+
+  fuzz_set_logging_func ();
+
+  /* ignore @size (g_filename_to_uri() doesn’t support it); ensure @data is nul-terminated */
+  nul_terminated_data = (unsigned char *) g_strndup ((const char *) data, size);
+  uri = g_filename_to_uri ((const char *) nul_terminated_data, NULL, &local_error);
+  g_free (nul_terminated_data);
+
+  g_free (uri);
+  g_clear_error (&local_error);
+
+  return 0;
+}
+diff --git a/fuzzing/meson.build b/fuzzing/meson.build
+index addbe9071..05f936eeb 100644
+--- a/fuzzing/meson.build
+++ b/fuzzing/meson.build
+@@ -4,6 +4,8 @@ fuzz_targets = [
+   'fuzz_date_parse',
+   'fuzz_date_time_new_from_iso8601',
+   'fuzz_dbus_message',
+  'fuzz_filename_from_uri',
+  'fuzz_filename_to_uri',
+   'fuzz_inet_address_mask_new_from_string',
+   'fuzz_inet_address_new_from_string',
+   'fuzz_inet_socket_address_new_from_string',
--- a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-01.patch
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-01.patch
@@ -0,0 +1,69 @@
+From 31f82e22e21bae520b7228f7f57d357fb20df8a4 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 25 Nov 2025 19:02:56 +0000
+Subject: [PATCH] gvariant-parser: Fix potential integer overflow parsing
+ (byte)strings
+
+The termination condition for parsing string and bytestring literals in
+GVariant text format input was subject to an integer overflow for input
+string (or bytestring) literals longer than `INT_MAX`.
+
+Fix that by counting as a `size_t` rather than as an `int`. The counter
+can never correctly be negative.
+
+Spotted by treeplus. Thanks to the Sovereign Tech Resilience programme
+from the Sovereign Tech Agency. ID: #YWH-PGM9867-145
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+Fixes: #3834
+
+CVE: CVE-2025-14087
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/31f82e22e21bae520b7228f7f57d357fb20df8a4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gvariant-parser.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
+index 2f1d3db9f..2d6e9856f 100644
+--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
+@@ -594,7 +594,7 @@ ast_resolve (AST     *ast,
+ {
+   GVariant *value;
+   gchar *pattern;
+-  gint i, j = 0;
+  size_t i, j = 0;
+ 
+   pattern = ast_get_pattern (ast, error);
+ 
+@@ -1555,9 +1555,9 @@ string_free (AST *ast)
+  * No leading/trailing space allowed. */
+ static gboolean
+ unicode_unescape (const gchar  *src,
+-                  gint         *src_ofs,
+                  size_t       *src_ofs,
+                   gchar        *dest,
+-                  gint         *dest_ofs,
+                  size_t       *dest_ofs,
+                   gsize         length,
+                   SourceRef    *ref,
+                   GError      **error)
+@@ -1618,7 +1618,7 @@ string_parse (TokenStream  *stream,
+   gsize length;
+   gchar quote;
+   gchar *str;
+-  gint i, j;
+  size_t i, j;
+ 
+   token_stream_start_ref (stream, &ref);
+   token = token_stream_get (stream);
+@@ -1748,7 +1748,7 @@ bytestring_parse (TokenStream  *stream,
+   gsize length;
+   gchar quote;
+   gchar *str;
+-  gint i, j;
+  size_t i, j;
+ 
+   token_stream_start_ref (stream, &ref);
+   token = token_stream_get (stream);
--- a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-02.patch
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-02.patch
@@ -0,0 +1,240 @@
+From ac9de0871281cf734f6e269988f90a2521582a08 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 25 Nov 2025 19:19:16 +0000
+Subject: [PATCH] gvariant-parser: Use size_t to count numbers of child
+ elements
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Rather than using `gint`, which could overflow for arrays (or dicts, or
+tuples) longer than `INT_MAX`. There may be other limits which prevent
+parsed containers becoming that long, but we might as well make the type
+system reflect the programmer’s intention as best it can anyway.
+
+For arrays and tuples this is straightforward. For dictionaries, it’s
+slightly complicated by the fact that the code used
+`dict->n_children == -1` to indicate that the `Dictionary` struct in
+question actually represented a single freestanding dict entry. In
+GVariant text format, that would be `{1, "one"}`.
+
+The implementation previously didn’t define the semantics of
+`dict->n_children < -1`.
+
+Now, instead, change `Dictionary.n_children` to `size_t`, and define a
+magic value `DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY` to indicate that
+the `Dictionary` represents a single freestanding dict entry.
+
+This magic value is `SIZE_MAX`, and given that a dictionary entry takes
+more than one byte to represent in GVariant text format, that means it’s
+not possible to have that many entries in a parsed dictionary, so this
+magic value won’t be hit by a normal dictionary. An assertion checks
+this anyway.
+
+Spotted while working on #3834.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-14087
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/ac9de0871281cf734f6e269988f90a2521582a08]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gvariant-parser.c | 58 ++++++++++++++++++++++++------------------
+ 1 file changed, 33 insertions(+), 25 deletions(-)
+
+diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
+index 2d6e9856f..519baa3f3 100644
+--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
+@@ -647,9 +647,9 @@ static AST *parse (TokenStream  *stream,
+                    GError      **error);
+ 
+ static void
+-ast_array_append (AST  ***array,
+-                  gint   *n_items,
+-                  AST    *ast)
+ast_array_append (AST    ***array,
+                  size_t   *n_items,
+                  AST      *ast)
+ {
+   if ((*n_items & (*n_items - 1)) == 0)
+     *array = g_renew (AST *, *array, *n_items ? 2 ** n_items : 1);
+@@ -658,10 +658,10 @@ ast_array_append (AST  ***array,
+ }
+ 
+ static void
+-ast_array_free (AST  **array,
+-                gint   n_items)
+ast_array_free (AST    **array,
+                size_t   n_items)
+ {
+-  gint i;
+  size_t i;
+ 
+   for (i = 0; i < n_items; i++)
+     ast_free (array[i]);
+@@ -670,11 +670,11 @@ ast_array_free (AST  **array,
+ 
+ static gchar *
+ ast_array_get_pattern (AST    **array,
+-                       gint     n_items,
+                       size_t   n_items,
+                        GError **error)
+ {
+   gchar *pattern;
+-  gint i;
+  size_t i;
+ 
+   /* Find the pattern which applies to all children in the array, by l-folding a
+    * coalesce operation.
+@@ -706,7 +706,7 @@ ast_array_get_pattern (AST    **array,
+          * pair of values.
+          */
+         {
+-          int j = 0;
+          size_t j = 0;
+ 
+           while (TRUE)
+             {
+@@ -891,7 +891,7 @@ typedef struct
+   AST ast;
+ 
+   AST **children;
+-  gint n_children;
+  size_t n_children;
+ } Array;
+ 
+ static gchar *
+@@ -924,7 +924,7 @@ array_get_value (AST                 *ast,
+   Array *array = (Array *) ast;
+   const GVariantType *childtype;
+   GVariantBuilder builder;
+-  gint i;
+  size_t i;
+ 
+   if (!g_variant_type_is_array (type))
+     return ast_type_error (ast, type, error);
+@@ -1010,7 +1010,7 @@ typedef struct
+   AST ast;
+ 
+   AST **children;
+-  gint n_children;
+  size_t n_children;
+ } Tuple;
+ 
+ static gchar *
+@@ -1020,7 +1020,7 @@ tuple_get_pattern (AST     *ast,
+   Tuple *tuple = (Tuple *) ast;
+   gchar *result = NULL;
+   gchar **parts;
+-  gint i;
+  size_t i;
+ 
+   parts = g_new (gchar *, tuple->n_children + 4);
+   parts[tuple->n_children + 1] = (gchar *) ")";
+@@ -1050,7 +1050,7 @@ tuple_get_value (AST                 *ast,
+   Tuple *tuple = (Tuple *) ast;
+   const GVariantType *childtype;
+   GVariantBuilder builder;
+-  gint i;
+  size_t i;
+ 
+   if (!g_variant_type_is_tuple (type))
+     return ast_type_error (ast, type, error);
+@@ -1242,9 +1242,16 @@ typedef struct
+ 
+   AST **keys;
+   AST **values;
+-  gint n_children;
+
+  /* Iff this is DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY then this struct
+   * represents a single freestanding dict entry (`{1, "one"}`) rather than a
+   * full dict. In the freestanding case, @keys and @values have exactly one
+   * member each. */
+  size_t n_children;
+ } Dictionary;
+ 
+#define DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY ((size_t) -1)
+
+ static gchar *
+ dictionary_get_pattern (AST     *ast,
+                         GError **error)
+@@ -1259,7 +1266,7 @@ dictionary_get_pattern (AST     *ast,
+     return g_strdup ("Ma{**}");
+ 
+   key_pattern = ast_array_get_pattern (dict->keys,
+-                                       abs (dict->n_children),
+                                       (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY) ? 1 : dict->n_children,
+                                        error);
+ 
+   if (key_pattern == NULL)
+@@ -1290,7 +1297,7 @@ dictionary_get_pattern (AST     *ast,
+     return NULL;
+ 
+   result = g_strdup_printf ("M%s{%c%s}",
+-                            dict->n_children > 0 ? "a" : "",
+                            (dict->n_children > 0 && dict->n_children != DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY) ? "a" : "",
+                             key_char, value_pattern);
+   g_free (value_pattern);
+ 
+@@ -1304,7 +1311,7 @@ dictionary_get_value (AST                 *ast,
+ {
+   Dictionary *dict = (Dictionary *) ast;
+ 
+-  if (dict->n_children == -1)
+  if (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY)
+     {
+       const GVariantType *subtype;
+       GVariantBuilder builder;
+@@ -1337,7 +1344,7 @@ dictionary_get_value (AST                 *ast,
+     {
+       const GVariantType *entry, *key, *val;
+       GVariantBuilder builder;
+-      gint i;
+      size_t i;
+ 
+       if (!g_variant_type_is_subtype_of (type, G_VARIANT_TYPE_DICTIONARY))
+         return ast_type_error (ast, type, error);
+@@ -1378,12 +1385,12 @@ static void
+ dictionary_free (AST *ast)
+ {
+   Dictionary *dict = (Dictionary *) ast;
+-  gint n_children;
+  size_t n_children;
+ 
+-  if (dict->n_children > -1)
+-    n_children = dict->n_children;
+-  else
+  if (dict->n_children == DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY)
+     n_children = 1;
+  else
+    n_children = dict->n_children;
+ 
+   ast_array_free (dict->keys, n_children);
+   ast_array_free (dict->values, n_children);
+@@ -1401,7 +1408,7 @@ dictionary_parse (TokenStream  *stream,
+     maybe_wrapper, dictionary_get_value,
+     dictionary_free
+   };
+-  gint n_keys, n_values;
+  size_t n_keys, n_values;
+   gboolean only_one;
+   Dictionary *dict;
+   AST *first;
+@@ -1444,7 +1451,7 @@ dictionary_parse (TokenStream  *stream,
+         goto error;
+ 
+       g_assert (n_keys == 1 && n_values == 1);
+-      dict->n_children = -1;
+      dict->n_children = DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY;
+ 
+       return (AST *) dict;
+     }
+@@ -1477,6 +1484,7 @@ dictionary_parse (TokenStream  *stream,
+     }
+ 
+   g_assert (n_keys == n_values);
+  g_assert (n_keys != DICTIONARY_N_CHILDREN_FREESTANDING_ENTRY);
+   dict->n_children = n_keys;
+ 
+   return (AST *) dict;
--- a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-03.patch
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14087-03.patch
@@ -0,0 +1,150 @@
+From acaabfedff42e974334dd5368e6103d2845aaba6 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Tue, 25 Nov 2025 19:25:58 +0000
+Subject: [PATCH] gvariant-parser: Convert error handling code to use size_t
+
+The error handling code allows for printing out the range of input bytes
+related to a parsing error. This was previously done using `gint`, but
+the input could be longer than `INT_MAX`, so it should really be done
+using `size_t`.
+
+Spotted while working on #3834.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+CVE: CVE-2025-14087
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/acaabfedff42e974334dd5368e6103d2845aaba6]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ glib/gvariant-parser.c | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/glib/gvariant-parser.c b/glib/gvariant-parser.c
+index 519baa3f3..1b1ddd654 100644
+--- a/glib/gvariant-parser.c
+++ b/glib/gvariant-parser.c
+@@ -88,7 +88,9 @@ g_variant_parser_get_error_quark (void)
+ 
+ typedef struct
+ {
+-  gint start, end;
+  /* Offsets from the start of the input, in bytes. Can be equal when referring
+   * to a point rather than a range. The invariant `end >= start` always holds. */
+  size_t start, end;
+ } SourceRef;
+ 
+ G_GNUC_PRINTF(5, 0)
+@@ -103,14 +105,16 @@ parser_set_error_va (GError      **error,
+   GString *msg = g_string_new (NULL);
+ 
+   if (location->start == location->end)
+-    g_string_append_printf (msg, "%d", location->start);
+    g_string_append_printf (msg, "%" G_GSIZE_FORMAT, location->start);
+   else
+-    g_string_append_printf (msg, "%d-%d", location->start, location->end);
+    g_string_append_printf (msg, "%" G_GSIZE_FORMAT "-%" G_GSIZE_FORMAT,
+                            location->start, location->end);
+ 
+   if (other != NULL)
+     {
+       g_assert (other->start != other->end);
+-      g_string_append_printf (msg, ",%d-%d", other->start, other->end);
+      g_string_append_printf (msg, ",%" G_GSIZE_FORMAT "-%" G_GSIZE_FORMAT,
+                              other->start, other->end);
+     }
+   g_string_append_c (msg, ':');
+ 
+@@ -137,11 +141,15 @@ parser_set_error (GError      **error,
+ 
+ typedef struct
+ {
+  /* We should always have the following ordering constraint:
+   *   start <= this <= stream <= end
+   * Additionally, unless in an error or EOF state, `this < stream`.
+   */
+   const gchar *start;
+   const gchar *stream;
+   const gchar *end;
+ 
+-  const gchar *this;
+  const gchar *this;  /* (nullable) */
+ } TokenStream;
+ 
+ 
+@@ -172,7 +180,7 @@ token_stream_set_error (TokenStream  *stream,
+ static gboolean
+ token_stream_prepare (TokenStream *stream)
+ {
+-  gint brackets = 0;
+  gssize brackets = 0;
+   const gchar *end;
+ 
+   if (stream->this != NULL)
+@@ -402,7 +410,7 @@ static void
+ pattern_copy (gchar       **out,
+               const gchar **in)
+ {
+-  gint brackets = 0;
+  gssize brackets = 0;
+ 
+   while (**in == 'a' || **in == 'm' || **in == 'M')
+     *(*out)++ = *(*in)++;
+@@ -2666,7 +2674,7 @@ g_variant_builder_add_parsed (GVariantBuilder *builder,
+ static gboolean
+ parse_num (const gchar *num,
+            const gchar *limit,
+-           guint       *result)
+           size_t      *result)
+ {
+   gchar *endptr;
+   gint64 bignum;
+@@ -2676,10 +2684,12 @@ parse_num (const gchar *num,
+   if (endptr != limit)
+     return FALSE;
+ 
+  /* The upper bound here is more restrictive than it technically needs to be,
+   * but should be enough for any practical situation: */
+   if (bignum < 0 || bignum > G_MAXINT)
+     return FALSE;
+ 
+-  *result = (guint) bignum;
+  *result = (size_t) bignum;
+ 
+   return TRUE;
+ }
+@@ -2690,7 +2700,7 @@ add_last_line (GString     *err,
+ {
+   const gchar *last_nl;
+   gchar *chomped;
+-  gint i;
+  size_t i;
+ 
+   /* This is an error at the end of input.  If we have a file
+    * with newlines, that's probably the empty string after the
+@@ -2835,7 +2845,7 @@ g_variant_parse_error_print_context (GError      *error,
+ 
+   if (dash == NULL || colon < dash)
+     {
+-      guint point;
+      size_t point;
+ 
+       /* we have a single point */
+       if (!parse_num (error->message, colon, &point))
+@@ -2853,7 +2863,7 @@ g_variant_parse_error_print_context (GError      *error,
+       /* We have one or two ranges... */
+       if (comma && comma < colon)
+         {
+-          guint start1, end1, start2, end2;
+          size_t start1, end1, start2, end2;
+           const gchar *dash2;
+ 
+           /* Two ranges */
+@@ -2869,7 +2879,7 @@ g_variant_parse_error_print_context (GError      *error,
+         }
+       else
+         {
+-          guint start, end;
+          size_t start, end;
+ 
+           /* One range */
+           if (!parse_num (error->message, dash, &start) || !parse_num (dash + 1, colon, &end))
--- a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-14512.patch
@@ -0,0 +1,70 @@
+From 1909d8ea9297287f1ff6862968608dcf06e60523 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 4 Dec 2025 16:37:19 +0000
+Subject: [PATCH] gfileattribute: Fix integer overflow calculating escaping for
+ byte strings
+
+The number of invalid characters in the byte string (characters which
+would have to be percent-encoded) was only stored in an `int`, which
+gave the possibility of a long string largely full of invalid
+characters overflowing this and allowing an attacker-controlled buffer
+size to be allocated.
+
+This could be triggered by an attacker controlled file attribute (of
+type `G_FILE_ATTRIBUTE_TYPE_BYTE_STRING`), such as
+`G_FILE_ATTRIBUTE_THUMBNAIL_PATH` or `G_FILE_ATTRIBUTE_STANDARD_NAME`,
+being read by user code.
+
+Spotted by Codean Labs.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3845
+
+CVE: CVE-2025-14512
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/1909d8ea9297287f1ff6862968608dcf06e60523]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gio/gfileattribute.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gfileattribute.c b/gio/gfileattribute.c
+index c6fde60fa..d3083e5bd 100644
+--- a/gio/gfileattribute.c
+++ b/gio/gfileattribute.c
+@@ -20,6 +20,7 @@
+ 
+ #include "config.h"
+ 
+#include <stdint.h>
+ #include <string.h>
+ 
+ #include "gfileattribute.h"
+@@ -271,11 +272,12 @@ valid_char (char c)
+   return c >= 32 && c <= 126 && c != '\\';
+ }
+ 
+/* Returns NULL on error */
+ static char *
+ escape_byte_string (const char *str)
+ {
+   size_t i, len;
+-  int num_invalid;
+  size_t num_invalid;
+   char *escaped_val, *p;
+   unsigned char c;
+   const char hex_digits[] = "0123456789abcdef";
+@@ -293,7 +295,12 @@ escape_byte_string (const char *str)
+     return g_strdup (str);
+   else
+     {
+-      escaped_val = g_malloc (len + num_invalid*3 + 1);
+      /* Check for overflow. We want to check the inequality:
+       * !(len + num_invalid * 3 + 1 > SIZE_MAX) */
+      if (num_invalid >= (SIZE_MAX - len) / 3)
+        return NULL;
+
+      escaped_val = g_malloc (len + num_invalid * 3 + 1);
+ 
+       p = escaped_val;
+       for (i = 0; i < len; i++)
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb
@@ -64,6 +64,12 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
           file://CVE-2025-4373-02.patch \
           file://CVE-2025-7039-01.patch \
           file://CVE-2025-7039-02.patch \
+           file://CVE-2025-13601-01.patch \
+           file://CVE-2025-13601-02.patch \
+           file://CVE-2025-14087-01.patch \
+           file://CVE-2025-14087-02.patch \
+           file://CVE-2025-14087-03.patch \
+           file://CVE-2025-14512.patch \
           "
 SRC_URI:append:class-native = " file://relocate-modules.patch"

--- a/meta/recipes-core/glib-networking/glib-networking/CVE-2025-60018.patch
+++ b/meta/recipes-core/glib-networking/glib-networking/CVE-2025-60018.patch
@@ -0,0 +1,83 @@
+From 4dd540505d40babe488404f3174ec39f49a84485 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Mon, 4 Aug 2025 15:10:21 -0500
+Subject: [PATCH] openssl: properly check return value when writing to BIO
+ objects
+
+In particular, we will read out of bounds, and then write the invalid
+memory, if BIO_write() fails when getting the PROP_CERTIFICATE_PEM
+property. Here we attempt to check the return value, but the check is
+not correct.
+
+This also fixes a leak of the BIO in the same place.
+
+Also add error checking to PROP_SUBJECT_NAME and PROP_ISSUER_NAME, for
+good measure.
+
+Fixes #226
+
+CVE: CVE-2025-60018
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib-networking/-/commit/4dd540505d40babe488404f3174ec39f49a84485]
+
+Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>
+---
+ tls/openssl/gtlscertificate-openssl.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c
+index 648f3e8..b536559 100644
+--- a/tls/openssl/gtlscertificate-openssl.c
+++ b/tls/openssl/gtlscertificate-openssl.c
+@@ -362,15 +362,12 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+     case PROP_CERTIFICATE_PEM:
+       bio = BIO_new (BIO_s_mem ());
+
+-      if (!PEM_write_bio_X509 (bio, openssl->cert) || !BIO_write (bio, "\0", 1))
+-        certificate_pem = NULL;
+-      else
+      if (PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
+         {
+           BIO_get_mem_data (bio, &certificate_pem);
+           g_value_set_string (value, certificate_pem);
+-
+-          BIO_free_all (bio);
+         }
+      BIO_free_all (bio);
+       break;
+
+     case PROP_PRIVATE_KEY:
+@@ -411,8 +408,12 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+     case PROP_SUBJECT_NAME:
+       bio = BIO_new (BIO_s_mem ());
+       name = X509_get_subject_name (openssl->cert);
+-      X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
+-      BIO_write (bio, "\0", 1);
+      if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
+          BIO_write (bio, "\0", 1) != 1)
+        {
+          BIO_free_all (bio);
+          break;
+        }
+       BIO_get_mem_data (bio, (char **)&name_string);
+       g_value_set_string (value, name_string);
+       BIO_free_all (bio);
+@@ -421,9 +422,13 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+     case PROP_ISSUER_NAME:
+       bio = BIO_new (BIO_s_mem ());
+       name = X509_get_issuer_name (openssl->cert);
+-      X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS);
+-      BIO_write (bio, "\0", 1);
+-      BIO_get_mem_data (bio, &name_string);
+      if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
+          BIO_write (bio, "\0", 1) != 1)
+        {
+          BIO_free_all (bio);
+          break;
+        }
+      BIO_get_mem_data (bio, (char **)&name_string);
+       g_value_set_string (value, name_string);
+       BIO_free_all (bio);
+       break;
+--
+2.48.1
--- a/meta/recipes-core/glib-networking/glib-networking/CVE-2025-60019.patch
+++ b/meta/recipes-core/glib-networking/glib-networking/CVE-2025-60019.patch
@@ -0,0 +1,137 @@
+From 70df675dd4f5e4a593b2f95406c1aac031aa8bc7 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 21 Aug 2025 17:21:01 -0500
+Subject: [PATCH] openssl: check return values of BIO_new()
+
+We probably need to check even more return values of even more OpenSSL
+functions, but these ones allocate memory and that's particularly
+important to get right.
+
+CVE: CVE-2025-60019
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib-networking/-/commit/70df675dd4f5e4a593b2f95406c1aac031aa8bc7]
+
+Signed-off-by: Rajeshkumar Ramasamy <rajeshkumar.ramasamy@windriver.com>
+---
+ tls/openssl/gtlscertificate-openssl.c | 39 ++++++++++++++++++++-------
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/tls/openssl/gtlscertificate-openssl.c b/tls/openssl/gtlscertificate-openssl.c
+index 8f828a7..f7fde51 100644
+--- a/tls/openssl/gtlscertificate-openssl.c
+++ b/tls/openssl/gtlscertificate-openssl.c
+@@ -156,6 +156,9 @@ export_privkey_to_der (GTlsCertificateOpenssl  *openssl,
+     goto err;
+
+   bio = BIO_new (BIO_s_mem ());
+  if (!bio)
+    goto err;
+
+   if (i2d_PKCS8_PRIV_KEY_INFO_bio (bio, pkcs8) == 0)
+     goto err;
+
+@@ -189,6 +192,9 @@ export_privkey_to_pem (GTlsCertificateOpenssl *openssl)
+     return NULL;
+
+   bio = BIO_new (BIO_s_mem ());
+  if (!bio)
+    goto out;
+
+   ret = PEM_write_bio_PKCS8PrivateKey (bio, openssl->key, NULL, NULL, 0, NULL, NULL);
+   if (ret == 0)
+     goto out;
+@@ -201,7 +207,7 @@ export_privkey_to_pem (GTlsCertificateOpenssl *openssl)
+   result = g_strdup (data);
+
+ out:
+-  BIO_free_all (bio);
+  g_clear_pointer (&bio, BIO_free_all);
+   return result;
+ }
+
+@@ -216,7 +222,7 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+   guint8 *data;
+   BIO *bio;
+   GByteArray *byte_array;
+-  char *certificate_pem;
+  const char *certificate_pem;
+   long size;
+
+   const ASN1_TIME *time_asn1;
+@@ -251,12 +257,12 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+     case PROP_CERTIFICATE_PEM:
+       bio = BIO_new (BIO_s_mem ());
+
+-      if (PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
+      if (bio && PEM_write_bio_X509 (bio, openssl->cert) == 1 && BIO_write (bio, "\0", 1) == 1)
+         {
+           BIO_get_mem_data (bio, &certificate_pem);
+           g_value_set_string (value, certificate_pem);
+         }
+-      BIO_free_all (bio);
+      g_clear_pointer (&bio, BIO_free_all);
+       break;
+
+     case PROP_PRIVATE_KEY:
+@@ -296,6 +302,8 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+
+     case PROP_SUBJECT_NAME:
+       bio = BIO_new (BIO_s_mem ());
+      if (!bio)
+        break;
+       name = X509_get_subject_name (openssl->cert);
+       if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
+           BIO_write (bio, "\0", 1) != 1)
+@@ -310,6 +318,8 @@ g_tls_certificate_openssl_get_property (GObject    *object,
+
+     case PROP_ISSUER_NAME:
+       bio = BIO_new (BIO_s_mem ());
+      if (!bio)
+        break;
+       name = X509_get_issuer_name (openssl->cert);
+       if (X509_NAME_print_ex (bio, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0 ||
+           BIO_write (bio, "\0", 1) != 1)
+@@ -377,8 +387,11 @@ g_tls_certificate_openssl_set_property (GObject      *object,
+         break;
+       g_return_if_fail (openssl->have_cert == FALSE);
+       bio = BIO_new_mem_buf ((gpointer)string, -1);
+-      openssl->cert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
+-      BIO_free (bio);
+      if (bio)
+        {
+          openssl->cert = PEM_read_bio_X509 (bio, NULL, NULL, NULL);
+          BIO_free (bio);
+        }
+       if (openssl->cert)
+         openssl->have_cert = TRUE;
+       else if (!openssl->construct_error)
+@@ -397,8 +410,11 @@ g_tls_certificate_openssl_set_property (GObject      *object,
+         break;
+       g_return_if_fail (openssl->have_key == FALSE);
+       bio = BIO_new_mem_buf (bytes->data, bytes->len);
+-      openssl->key = d2i_PrivateKey_bio (bio, NULL);
+-      BIO_free (bio);
+      if (bio)
+        {
+          openssl->key = d2i_PrivateKey_bio (bio, NULL);
+          BIO_free (bio);
+        }
+       if (openssl->key)
+         openssl->have_key = TRUE;
+       else if (!openssl->construct_error)
+@@ -417,8 +433,11 @@ g_tls_certificate_openssl_set_property (GObject      *object,
+         break;
+       g_return_if_fail (openssl->have_key == FALSE);
+       bio = BIO_new_mem_buf ((gpointer)string, -1);
+-      openssl->key = PEM_read_bio_PrivateKey (bio, NULL, NULL, NULL);
+-      BIO_free (bio);
+      if (bio)
+        {
+          openssl->key = PEM_read_bio_PrivateKey (bio, NULL, NULL, NULL);
+          BIO_free (bio);
+        }
+       if (openssl->key)
+         openssl->have_key = TRUE;
+       else if (!openssl->construct_error)
+--
+2.48.1
--- a/meta/recipes-core/glib-networking/glib-networking_2.72.2.bb
+++ b/meta/recipes-core/glib-networking/glib-networking_2.72.2.bb
@@ -24,6 +24,8 @@ GNOMEBASEBUILDCLASS = "meson"
 inherit gnomebase gettext upstream-version-is-even gio-module-cache ptest-gnome

 SRC_URI += "file://run-ptest"
+SRC_URI += "file://CVE-2025-60018.patch"
+SRC_URI += "file://CVE-2025-60019.patch"

 FILES:${PN} += "\
                ${libdir}/gio/modules/libgio*.so \
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.35/master"
 PV = "2.35"
-SRCREV_glibc ?= "a66bc3941ff298e474d5f02d0c3303401951141f"
+SRCREV_glibc ?= "4e50046821f05ada5f14c76803845125ddb3ed7d"
 SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"

 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
--- a/meta/recipes-core/glibc/glibc/0026-PR25847-1.patch
+++ b/meta/recipes-core/glibc/glibc/0026-PR25847-1.patch
@@ -1,6 +1,6 @@
-From 31d9848830e496f57d4182b518467c4c63bfd4bd Mon Sep 17 00:00:00 2001
+From 0402999b82f697011de388f61bad68da26060bef Mon Sep 17 00:00:00 2001
 From: Frank Barrus <frankbarrus_sw@shaggy.cc>
-Date: Mon, 16 Jun 2025 22:37:54 -0700
+Date: Tue, 14 Oct 2025 03:55:17 -0700
 Subject: [PATCH] pthreads NPTL: lost wakeup fix 2

 This fixes the lost wakeup (from a bug in signal stealing) with a change
@@ -65,18 +65,19 @@ full wakeup from a G1/G2 switch.

 The following commits have been cherry-picked from Glibc master branch:
 Bug : https://sourceware.org/bugzilla/show_bug.cgi?id=25847
+Commit : 1db84775f831a1494993ce9c118deaf9537cc50a

-Upstream-Status: Backport
-[https://sourceware.org/git/?p=glibc.git;a=commit;h=1db84775f831a1494993ce9c118deaf9537cc50a]
+Upstream-Status: Submitted
+[https://sourceware.org/pipermail/libc-stable/2025-July/002277.html]

 Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
 ---
- nptl/pthread_cond_common.c | 106 +++++++++------------------
+ nptl/pthread_cond_common.c | 105 +++++++++------------------
 nptl/pthread_cond_wait.c   | 144 ++++++++++++-------------------------
- 2 files changed, 81 insertions(+), 169 deletions(-)
+ 2 files changed, 81 insertions(+), 168 deletions(-)

 diff --git a/nptl/pthread_cond_common.c b/nptl/pthread_cond_common.c
-index fb035f72c3..8dd7037923 100644
+index fb035f72..a55eee3e 100644
 --- a/nptl/pthread_cond_common.c
 +++ b/nptl/pthread_cond_common.c
@@ -201,7 +201,6 @@ static bool __attribute__ ((unused))
@@ -87,7 +88,7 @@ index fb035f72c3..8dd7037923 100644
   unsigned int g1 = *g1index;
 
   /* If there is no waiter in G2, we don't do anything.  The expression may
-@@ -222,85 +221,46 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
+@@ -222,84 +221,46 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
      * New waiters arriving concurrently with the group switching will all go
        into G2 until we atomically make the switch.  Waiters existing in G2
        are not affected.
@@ -176,7 +177,6 @@ index fb035f72c3..8dd7037923 100644
 -     that this is now a new group (see __pthread_cond_wait_common for the
 -     matching acquire MO loads).  */
 -  atomic_store_release (cond->__data.__g_signals + g1, 0);
-
 +  unsigned int lowseq = ((old_g1_start + old_orig_size) << 1) & ~1U;
 +
 +  /* If any waiters still hold group references (and thus could be blocked),
@@ -201,10 +201,10 @@ index fb035f72c3..8dd7037923 100644
 +
 +    futex_wake (cond->__data.__g_signals + g1, INT_MAX, private);
 +   }
+ 
   /* At this point, the old G1 is now a valid new G2 (but not in use yet).
      No old waiter can neither grab a signal nor acquire a reference without
-      noticing that __g1_start is larger.
-@@ -311,6 +271,10 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
+@@ -311,6 +272,10 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
   g1 ^= 1;
   *g1index ^= 1;
 
@@ -216,7 +216,7 @@ index fb035f72c3..8dd7037923 100644
      lock.  */
   unsigned int orig_size = wseq - (old_g1_start + old_orig_size);
 diff --git a/nptl/pthread_cond_wait.c b/nptl/pthread_cond_wait.c
-index 20c348a503..1cb3dbf7b0 100644
+index 20c348a5..1cb3dbf7 100644
 --- a/nptl/pthread_cond_wait.c
 +++ b/nptl/pthread_cond_wait.c
@@ -238,9 +238,7 @@ __condvar_cleanup_waiting (void *arg)
--- a/meta/recipes-core/glibc/glibc/0026-PR25847-10.patch
+++ b/meta/recipes-core/glibc/glibc/0026-PR25847-10.patch
@@ -0,0 +1,54 @@
+From 4f78382dd671f381db6d1f452e6f1593d17b177e Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 14 Oct 2025 06:53:40 -0700
+Subject: [PATCH] nptl: PTHREAD_COND_INITIALIZER compatibility with pre-2.41
+ versions (bug 32786)
+
+The new initializer and struct layout does not initialize the
+__g_signals field in the old struct layout before the change in
+commit c36fc50781995e6758cae2b6927839d0157f213c ("nptl: Remove
+g_refs from condition variables").  Bring back fields at the end
+of struct __pthread_cond_s, so that they are again zero-initialized.
+
+The following commits have been cherry-picked from Glibc master branch:
+Bug : https://sourceware.org/bugzilla/show_bug.cgi?id=25847
+commit: dbc5a50d12eff4cb3f782129029d04b8a76f58e7
+
+Upstream-Status: Submitted
+[https://sourceware.org/pipermail/libc-stable/2025-July/002282.html]
+
+Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
+---
+ sysdeps/nptl/bits/thread-shared-types.h | 2 ++
+ sysdeps/nptl/pthread.h                  | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sysdeps/nptl/bits/thread-shared-types.h b/sysdeps/nptl/bits/thread-shared-types.h
+index 6f17afa4..2354ea21 100644
+--- a/sysdeps/nptl/bits/thread-shared-types.h
+++ b/sysdeps/nptl/bits/thread-shared-types.h
+@@ -99,6 +99,8 @@ struct __pthread_cond_s
+   unsigned int __g1_orig_size;
+   unsigned int __wrefs;
+   unsigned int __g_signals[2];
+  unsigned int __unused_initialized_1;
+  unsigned int __unused_initialized_2;
+ };
+ 
+ typedef unsigned int __tss_t;
+diff --git a/sysdeps/nptl/pthread.h b/sysdeps/nptl/pthread.h
+index bbb36540..8d6d24ff 100644
+--- a/sysdeps/nptl/pthread.h
+++ b/sysdeps/nptl/pthread.h
+@@ -152,7 +152,7 @@ enum
+ 
+ 
+ /* Conditional variable handling.  */
+-#define PTHREAD_COND_INITIALIZER { { {0}, {0}, {0, 0}, 0, 0, {0, 0} } }
+#define PTHREAD_COND_INITIALIZER { { {0}, {0}, {0, 0}, 0, 0, {0, 0}, 0, 0 } }
+ 
+ 
+ /* Cleanup buffers */
+-- 
+2.49.0
+
--- a/meta/recipes-core/glibc/glibc/0026-PR25847-2.patch
+++ b/meta/recipes-core/glibc/glibc/0026-PR25847-2.patch
@@ -1,6 +1,6 @@
-From 6aab1191e35a3da66e8c49d95178a9d77c119a1f Mon Sep 17 00:00:00 2001
+From 306ea7810f5f6709ef3942a7be75077203b5d201 Mon Sep 17 00:00:00 2001
 From: Malte Skarupke <malteskarupke@fastmail.fm>
-Date: Mon, 16 Jun 2025 23:17:53 -0700
+Date: Tue, 14 Oct 2025 04:27:19 -0700
 Subject: [PATCH] nptl: Update comments and indentation for new condvar
 implementation

@@ -9,9 +9,10 @@ Also fixing indentation where it was using spaces instead of tabs.

 The following commits have been cherry-picked from Glibc master branch:
 Bug : https://sourceware.org/bugzilla/show_bug.cgi?id=25847
+commit: 0cc973160c23bb67f895bc887dd6942d29f8fee3

-Upstream-Status: Backport
-[https://sourceware.org/git/?p=glibc.git;a=commit;h=0cc973160c23bb67f895bc887dd6942d29f8fee3]
+Upstream-Status: Submitted
+[https://sourceware.org/pipermail/libc-stable/2025-July/002275.html]

 Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
 ---
@@ -20,7 +21,7 @@ Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
 2 files changed, 22 insertions(+), 22 deletions(-)

 diff --git a/nptl/pthread_cond_common.c b/nptl/pthread_cond_common.c
-index 8dd7037923..306a207dd6 100644
+index a55eee3e..350a16fa 100644
 --- a/nptl/pthread_cond_common.c
 +++ b/nptl/pthread_cond_common.c
@@ -221,8 +221,9 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
@@ -36,7 +37,7 @@ index 8dd7037923..306a207dd6 100644
        __g_signals since it provides enough signals for all possible
        remaining waiters.  As a result, they can each consume a signal
 diff --git a/nptl/pthread_cond_wait.c b/nptl/pthread_cond_wait.c
-index 1cb3dbf7b0..cee1968756 100644
+index 1cb3dbf7..cee19687 100644
 --- a/nptl/pthread_cond_wait.c
 +++ b/nptl/pthread_cond_wait.c
@@ -249,7 +249,7 @@ __condvar_cleanup_waiting (void *arg)
--- a/meta/recipes-core/glibc/glibc/0026-PR25847-3.patch
+++ b/meta/recipes-core/glibc/glibc/0026-PR25847-3.patch
@@ -1,6 +1,6 @@
-From 28a5082045429fdc5a4744d45fdc5b5202528eaa Mon Sep 17 00:00:00 2001
+From 5f22e8cf95cf6b3b2e16ddb03820ae3e77fd420d Mon Sep 17 00:00:00 2001
 From: Malte Skarupke <malteskarupke@fastmail.fm>
-Date: Mon, 16 Jun 2025 23:29:49 -0700
+Date: Tue, 14 Oct 2025 04:47:48 -0700
 Subject: [PATCH] nptl: Remove unnecessary catch-all-wake in condvar group
 switch

@@ -15,17 +15,18 @@ switch g1 when it should, so we wouldn't even have entered this code path.

 The following commits have been cherry-picked from Glibc master branch:
 Bug : https://sourceware.org/bugzilla/show_bug.cgi?id=25847
+commit: b42cc6af11062c260c7dfa91f1c89891366fed3e

-Upstream-Status: Backport
-[https://sourceware.org/git/?p=glibc.git;a=commit;h=b42cc6af11062c260c7dfa91f1c89891366fed3e]
+Upstream-Status: Submitted
+[https://sourceware.org/pipermail/libc-stable/2025-July/002274.html]

 Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
 ---
- nptl/pthread_cond_common.c | 30 +-----------------------------
- 1 file changed, 1 insertion(+), 29 deletions(-)
+ nptl/pthread_cond_common.c | 31 +------------------------------
+ 1 file changed, 1 insertion(+), 30 deletions(-)

 diff --git a/nptl/pthread_cond_common.c b/nptl/pthread_cond_common.c
-index 306a207dd6..f976a533a1 100644
+index 350a16fa..f976a533 100644
 --- a/nptl/pthread_cond_common.c
 +++ b/nptl/pthread_cond_common.c
@@ -221,13 +221,7 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
@@ -43,7 +44,7 @@ index 306a207dd6..f976a533a1 100644
 
   /* Update __g1_start, which finishes closing this group.  The value we add
      will never be negative because old_orig_size can only be zero when we
-@@ -240,28 +234,6 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
+@@ -240,29 +234,6 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
 
   unsigned int lowseq = ((old_g1_start + old_orig_size) << 1) & ~1U;
 
@@ -69,6 +70,7 @@ index 306a207dd6..f976a533a1 100644
 -
 -    futex_wake (cond->__data.__g_signals + g1, INT_MAX, private);
 -   }
+-
   /* At this point, the old G1 is now a valid new G2 (but not in use yet).
      No old waiter can neither grab a signal nor acquire a reference without
      noticing that __g1_start is larger.
--- a/meta/recipes-core/glibc/glibc/0026-PR25847-4.patch
+++ b/meta/recipes-core/glibc/glibc/0026-PR25847-4.patch
@@ -1,6 +1,6 @@
-From 16b9af737c77b153fca4f36cbdbe94f7416c0b42 Mon Sep 17 00:00:00 2001
+From d714165c8bb3cac420077cfa61e3df87ea7f8b2c Mon Sep 17 00:00:00 2001
 From: Malte Skarupke <malteskarupke@fastmail.fm>
-Date: Mon, 16 Jun 2025 23:38:40 -0700
+Date: Tue, 14 Oct 2025 05:34:06 -0700
 Subject: [PATCH] nptl: Remove unnecessary quadruple check in pthread_cond_wait

 pthread_cond_wait was checking whether it was in a closed group no less than
@@ -22,9 +22,10 @@ Removing the duplicate checks clarifies the code.

 The following commits have been cherry-picked from Glibc master branch:
 Bug : https://sourceware.org/bugzilla/show_bug.cgi?id=25847
+commit: 4f7b051f8ee3feff1b53b27a906f245afaa9cee1

-Upstream-Status: Backport
-[https://sourceware.org/git/?p=glibc.git;a=commit;h=4f7b051f8ee3feff1b53b27a906f245afaa9cee1]
+Upstream-Status: Submitted
+[https://sourceware.org/pipermail/libc-stable/2025-July/002276.html]

 Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
 ---
@@ -32,7 +33,7 @@ Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
 1 file changed, 49 deletions(-)

 diff --git a/nptl/pthread_cond_wait.c b/nptl/pthread_cond_wait.c
-index cee1968756..47e834cade 100644
+index cee19687..47e834ca 100644
 --- a/nptl/pthread_cond_wait.c
 +++ b/nptl/pthread_cond_wait.c
@@ -366,7 +366,6 @@ static __always_inline int
--- a/meta/recipes-core/glibc/glibc/0026-PR25847-5.patch
+++ b/meta/recipes-core/glibc/glibc/0026-PR25847-5.patch
@@ -1,105 +1,188 @@
-From d9ffb50dc55f77e584a5d0275eea758c7a6b04e3 Mon Sep 17 00:00:00 2001
+From f904a81ff8d0469ceaf3220329e716c03fcbd2d3 Mon Sep 17 00:00:00 2001
 From: Malte Skarupke <malteskarupke@fastmail.fm>
-Date: Mon, 16 Jun 2025 23:53:35 -0700
-Subject: [PATCH] nptl: Use a single loop in pthread_cond_wait instaed of a
- nested loop
+Date: Tue, 14 Oct 2025 05:59:02 -0700
+Subject: [PATCH] nptl: Remove g_refs from condition variables

-The loop was a little more complicated than necessary. There was only one
-break statement out of the inner loop, and the outer loop was nearly empty.
-So just remove the outer loop, moving its code to the one break statement in
-the inner loop. This allows us to replace all gotos with break statements.
+This variable used to be needed to wait in group switching until all sleepers
+have confirmed that they have woken. This is no longer needed. Nothing waits
+on this variable so there is no need to track how many threads are currently
+asleep in each group.

 The following commits have been cherry-picked from Glibc master branch:
 Bug : https://sourceware.org/bugzilla/show_bug.cgi?id=25847
+cmmit: c36fc50781995e6758cae2b6927839d0157f213c

-Upstream-Status: Backport
-[https://sourceware.org/git/?p=glibc.git;a=commit;h=929a4764ac90382616b6a21f099192b2475da674]
+Upstream-Status: Submitted
+[https://sourceware.org/pipermail/libc-stable/2025-July/002278.html]

 Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
 ---
- nptl/pthread_cond_wait.c | 41 +++++++++++++++++++---------------------
- 1 file changed, 19 insertions(+), 22 deletions(-)
+ nptl/pthread_cond_wait.c                | 52 +------------------------
+ nptl/tst-cond22.c                       | 12 +++---
+ sysdeps/nptl/bits/thread-shared-types.h |  3 +-
+ sysdeps/nptl/pthread.h                  |  2 +-
+ 4 files changed, 9 insertions(+), 60 deletions(-)

 diff --git a/nptl/pthread_cond_wait.c b/nptl/pthread_cond_wait.c
-index 47e834cade..5c86880105 100644
+index 47e834ca..8a9219e0 100644
 --- a/nptl/pthread_cond_wait.c
 +++ b/nptl/pthread_cond_wait.c
-@@ -410,17 +410,15 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
-       return err;
+@@ -143,23 +143,6 @@ __condvar_cancel_waiting (pthread_cond_t *cond, uint64_t seq, unsigned int g,
     }
+ }
 
-  /* Now wait until a signal is available in our group or it is closed.
-     Acquire MO so that if we observe (signals == lowseq) after group
-     switching in __condvar_quiesce_and_switch_g1, we synchronize with that
-     store and will see the prior update of __g1_start done while switching
-     groups too.  */
-  unsigned int signals = atomic_load_acquire (cond->__data.__g_signals + g);
-
-  do
+-/* Wake up any signalers that might be waiting.  */
+-static void
+-__condvar_dec_grefs (pthread_cond_t *cond, unsigned int g, int private)
+-{
+-  /* Release MO to synchronize-with the acquire load in
+-     __condvar_quiesce_and_switch_g1.  */
+-  if (atomic_fetch_add_release (cond->__data.__g_refs + g, -2) == 3)
 -    {
-+
-       while (1)
- 	{
-+	  /* Now wait until a signal is available in our group or it is closed.
-+	     Acquire MO so that if we observe (signals == lowseq) after group
-+	     switching in __condvar_quiesce_and_switch_g1, we synchronize with that
-+	     store and will see the prior update of __g1_start done while switching
-+	     groups too.  */
-+	  unsigned int signals = atomic_load_acquire (cond->__data.__g_signals + g);
- 	  uint64_t g1_start = __condvar_load_g1_start_relaxed (cond);
- 	  unsigned int lowseq = (g1_start & 1) == g ? signals : g1_start & ~1U;
- 
-@@ -429,7 +427,7 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
- 	      /* If the group is closed already,
- 	         then this waiter originally had enough extra signals to
- 	         consume, up until the time its group was closed.  */
-	       goto done;
-+	       break;
- 	    }
- 
- 	  /* If there is an available signal, don't block.
-@@ -438,8 +436,16 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
- 	     G2, but in either case we're allowed to consume the available
- 	     signal and should not block anymore.  */
- 	  if ((int)(signals - lowseq) >= 2)
-	    break;
+-      /* Clear the wake-up request flag before waking up.  We do not need more
+-	 than relaxed MO and it doesn't matter if we apply this for an aliased
+-	 group because we wake all futex waiters right after clearing the
+-	 flag.  */
+-      atomic_fetch_and_relaxed (cond->__data.__g_refs + g, ~(unsigned int) 1);
+-      futex_wake (cond->__data.__g_refs + g, INT_MAX, private);
+-    }
+-}
 -
-+           {
-+             /* Try to grab a signal.  See above for MO.  (if we do another loop
-+                iteration we need to see the correct value of g1_start)  */
-+                     if (atomic_compare_exchange_weak_acquire (
-+                               cond->__data.__g_signals + g,
-+                       &signals, signals - 2))
-+                       break;
-+                     else
-+                       continue;
-+           }
- 	  /* No signals available after spinning, so prepare to block.
- 	     We first acquire a group reference and use acquire MO for that so
- 	     that we synchronize with the dummy read-modify-write in
-@@ -479,21 +485,12 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
- 		 the lock during cancellation is not possible.  */
+ /* Clean-up for cancellation of waiters waiting for normal signals.  We cancel
+    our registration as a waiter, confirm we have woken up, and re-acquire the
+    mutex.  */
+@@ -171,8 +154,6 @@ __condvar_cleanup_waiting (void *arg)
+   pthread_cond_t *cond = cbuffer->cond;
+   unsigned g = cbuffer->wseq & 1;
+ 
+-  __condvar_dec_grefs (cond, g, cbuffer->private);
+-
+   __condvar_cancel_waiting (cond, cbuffer->wseq >> 1, g, cbuffer->private);
+   /* FIXME With the current cancellation implementation, it is possible that
+      a thread is cancelled after it has returned from a syscall.  This could
+@@ -327,15 +308,6 @@ __condvar_cleanup_waiting (void *arg)
+    sufficient because if a waiter can see a sufficiently large value, it could
+    have also consume a signal in the waiters group.
+ 
+-   It is essential that the last field in pthread_cond_t is __g_signals[1]:
+-   The previous condvar used a pointer-sized field in pthread_cond_t, so a
+-   PTHREAD_COND_INITIALIZER from that condvar implementation might only
+-   initialize 4 bytes to zero instead of the 8 bytes we need (i.e., 44 bytes
+-   in total instead of the 48 we need).  __g_signals[1] is not accessed before
+-   the first group switch (G2 starts at index 0), which will set its value to
+-   zero after a harmless fetch-or whose return value is ignored.  This
+-   effectively completes initialization.
+-
+ 
+    Limitations:
+    * This condvar isn't designed to allow for more than
+@@ -440,21 +412,6 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
+ 	  if ((int)(signals - lowseq) >= 2)
+ 	    break;
+ 
+-	  /* No signals available after spinning, so prepare to block.
+-	     We first acquire a group reference and use acquire MO for that so
+-	     that we synchronize with the dummy read-modify-write in
+-	     __condvar_quiesce_and_switch_g1 if we read from that.  In turn,
+-	     in this case this will make us see the advancement of __g_signals
+-	     to the upcoming new g1_start that occurs with a concurrent
+-	     attempt to reuse the group's slot.
+-	     We use acquire MO for the __g_signals check to make the
+-	     __g1_start check work (see spinning above).
+-	     Note that the group reference acquisition will not mask the
+-	     release MO when decrementing the reference count because we use
+-	     an atomic read-modify-write operation and thus extend the release
+-	     sequence.  */
+-	  atomic_fetch_add_acquire (cond->__data.__g_refs + g, 2);
+-
+ 	  // Now block.
+ 	  struct _pthread_cleanup_buffer buffer;
+ 	  struct _condvar_cleanup_buffer cbuffer;
+@@ -471,18 +428,11 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
+ 
+ 	  if (__glibc_unlikely (err == ETIMEDOUT || err == EOVERFLOW))
+ 	    {
+-	      __condvar_dec_grefs (cond, g, private);
+-	      /* If we timed out, we effectively cancel waiting.  Note that
+-		 we have decremented __g_refs before cancellation, so that a
+-		 deadlock between waiting for quiescence of our group in
+-		 __condvar_quiesce_and_switch_g1 and us trying to acquire
+-		 the lock during cancellation is not possible.  */
+	      /* If we timed out, we effectively cancel waiting.  */
 	      __condvar_cancel_waiting (cond, seq, g, private);
 	      result = err;
-	      goto done;
-+	      break;
+ 	      goto done;
 	    }
- 	  else
- 	    __condvar_dec_grefs (cond, g, private);
+-	  else
+-	    __condvar_dec_grefs (cond, g, private);
 
-	  /* Reload signals.  See above for MO.  */
-	  signals = atomic_load_acquire (cond->__data.__g_signals + g);
- 	}
-    }
-  /* Try to grab a signal.  See above for MO.  (if we do another loop
-     iteration we need to see the correct value of g1_start)  */
-  while (!atomic_compare_exchange_weak_acquire (cond->__data.__g_signals + g,
-						&signals, signals - 2));
-
- done:
+ 	  /* Reload signals.  See above for MO.  */
+ 	  signals = atomic_load_acquire (cond->__data.__g_signals + g);
+diff --git a/nptl/tst-cond22.c b/nptl/tst-cond22.c
+index 1336e9c7..bdcb45c5 100644
+--- a/nptl/tst-cond22.c
+++ b/nptl/tst-cond22.c
+@@ -106,13 +106,13 @@ do_test (void)
+       status = 1;
+     }
 
-   /* Confirm that we have been woken.  We do that before acquiring the mutex
-      to allow for execution of pthread_cond_destroy while having acquired the
+-  printf ("cond = { 0x%x:%x, 0x%x:%x, %u/%u/%u, %u/%u/%u, %u, %u }\n",
+  printf ("cond = { 0x%x:%x, 0x%x:%x, %u/%u, %u/%u, %u, %u }\n",
+ 	  c.__data.__wseq.__value32.__high,
+ 	  c.__data.__wseq.__value32.__low,
+ 	  c.__data.__g1_start.__value32.__high,
+ 	  c.__data.__g1_start.__value32.__low,
+-	  c.__data.__g_signals[0], c.__data.__g_refs[0], c.__data.__g_size[0],
+-	  c.__data.__g_signals[1], c.__data.__g_refs[1], c.__data.__g_size[1],
+	  c.__data.__g_signals[0], c.__data.__g_size[0],
+	  c.__data.__g_signals[1], c.__data.__g_size[1],
+ 	  c.__data.__g1_orig_size, c.__data.__wrefs);
+ 
+   if (pthread_create (&th, NULL, tf, (void *) 1l) != 0)
+@@ -152,13 +152,13 @@ do_test (void)
+       status = 1;
+     }
+ 
+-  printf ("cond = { 0x%x:%x, 0x%x:%x, %u/%u/%u, %u/%u/%u, %u, %u }\n",
+  printf ("cond = { 0x%x:%x, 0x%x:%x, %u/%u, %u/%u, %u, %u }\n",
+ 	  c.__data.__wseq.__value32.__high,
+ 	  c.__data.__wseq.__value32.__low,
+ 	  c.__data.__g1_start.__value32.__high,
+ 	  c.__data.__g1_start.__value32.__low,
+-	  c.__data.__g_signals[0], c.__data.__g_refs[0], c.__data.__g_size[0],
+-	  c.__data.__g_signals[1], c.__data.__g_refs[1], c.__data.__g_size[1],
+	  c.__data.__g_signals[0], c.__data.__g_size[0],
+	  c.__data.__g_signals[1], c.__data.__g_size[1],
+ 	  c.__data.__g1_orig_size, c.__data.__wrefs);
+ 
+   return status;
+diff --git a/sysdeps/nptl/bits/thread-shared-types.h b/sysdeps/nptl/bits/thread-shared-types.h
+index 5653507e..6f17afa4 100644
+--- a/sysdeps/nptl/bits/thread-shared-types.h
+++ b/sysdeps/nptl/bits/thread-shared-types.h
+@@ -95,8 +95,7 @@ struct __pthread_cond_s
+ {
+   __atomic_wide_counter __wseq;
+   __atomic_wide_counter __g1_start;
+-  unsigned int __g_refs[2] __LOCK_ALIGNMENT;
+-  unsigned int __g_size[2];
+  unsigned int __g_size[2] __LOCK_ALIGNMENT;
+   unsigned int __g1_orig_size;
+   unsigned int __wrefs;
+   unsigned int __g_signals[2];
+diff --git a/sysdeps/nptl/pthread.h b/sysdeps/nptl/pthread.h
+index dedad4ec..bbb36540 100644
+--- a/sysdeps/nptl/pthread.h
+++ b/sysdeps/nptl/pthread.h
+@@ -152,7 +152,7 @@ enum
+ 
+ 
+ /* Conditional variable handling.  */
+-#define PTHREAD_COND_INITIALIZER { { {0}, {0}, {0, 0}, {0, 0}, 0, 0, {0, 0} } }
+#define PTHREAD_COND_INITIALIZER { { {0}, {0}, {0, 0}, 0, 0, {0, 0} } }
+ 
+ 
+ /* Cleanup buffers */
 -- 
 2.49.0

--- a/meta/recipes-core/glibc/glibc/0026-PR25847-6.patch
+++ b/meta/recipes-core/glibc/glibc/0026-PR25847-6.patch
@@ -1,166 +1,100 @@
-From a2faee6d0dac6e5232255da9afda4d9ed6cfb6e5 Mon Sep 17 00:00:00 2001
+From bbd7c84a1a14bf93bf1e5976d8a1540aabbf901b Mon Sep 17 00:00:00 2001
 From: Malte Skarupke <malteskarupke@fastmail.fm>
-Date: Tue, 17 Jun 2025 01:37:12 -0700
-Subject: [PATCH] nptl: Fix indentation
+Date: Tue, 14 Oct 2025 06:19:02 -0700
+Subject: [PATCH] nptl: Use a single loop in pthread_cond_wait instaed of a
+ nested loop

-In my previous change I turned a nested loop into a simple loop. I'm doing
-the resulting indentation changes in a separate commit to make the diff on
-the previous commit easier to review.
+The loop was a little more complicated than necessary. There was only one
+break statement out of the inner loop, and the outer loop was nearly empty.
+So just remove the outer loop, moving its code to the one break statement in
+the inner loop. This allows us to replace all gotos with break statements.

 The following commits have been cherry-picked from Glibc master branch:
 Bug : https://sourceware.org/bugzilla/show_bug.cgi?id=25847
+commit: 929a4764ac90382616b6a21f099192b2475da674

-Upstream-Status: Backport
-[https://sourceware.org/git/?p=glibc.git;a=commit;h=ee6c14ed59d480720721aaacc5fb03213dc153da]
+Upstream-Status: Submitted
+[https://sourceware.org/pipermail/libc-stable/2025-July/002279.html]

 Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
 ---
- nptl/pthread_cond_wait.c | 132 ++++++++++++++++-----------------------
- 1 file changed, 54 insertions(+), 78 deletions(-)
+ nptl/pthread_cond_wait.c | 41 +++++++++++++++++++---------------------
+ 1 file changed, 19 insertions(+), 22 deletions(-)

 diff --git a/nptl/pthread_cond_wait.c b/nptl/pthread_cond_wait.c
-index 5c86880105..104ebd48ca 100644
+index 8a9219e0..c8c99bbf 100644
 --- a/nptl/pthread_cond_wait.c
 +++ b/nptl/pthread_cond_wait.c
-@@ -410,87 +410,63 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
+@@ -382,17 +382,15 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
       return err;
     }
 
+-  /* Now wait until a signal is available in our group or it is closed.
+-     Acquire MO so that if we observe (signals == lowseq) after group
+-     switching in __condvar_quiesce_and_switch_g1, we synchronize with that
+-     store and will see the prior update of __g1_start done while switching
+-     groups too.  */
+-  unsigned int signals = atomic_load_acquire (cond->__data.__g_signals + g);
 -
-      while (1)
-	{
-	  /* Now wait until a signal is available in our group or it is closed.
-	     Acquire MO so that if we observe (signals == lowseq) after group
-	     switching in __condvar_quiesce_and_switch_g1, we synchronize with that
-	     store and will see the prior update of __g1_start done while switching
-	     groups too.  */
-	  unsigned int signals = atomic_load_acquire (cond->__data.__g_signals + g);
-	  uint64_t g1_start = __condvar_load_g1_start_relaxed (cond);
-	  unsigned int lowseq = (g1_start & 1) == g ? signals : g1_start & ~1U;
-
-	  if (seq < (g1_start >> 1))
-	    {
-	      /* If the group is closed already,
-	         then this waiter originally had enough extra signals to
-	         consume, up until the time its group was closed.  */
-	       break;
-	    }
-
-	  /* If there is an available signal, don't block.
-	     If __g1_start has advanced at all, then we must be in G1
-	     by now, perhaps in the process of switching back to an older
-	     G2, but in either case we're allowed to consume the available
-	     signal and should not block anymore.  */
-	  if ((int)(signals - lowseq) >= 2)
-           {
-             /* Try to grab a signal.  See above for MO.  (if we do another loop
-                iteration we need to see the correct value of g1_start)  */
-                     if (atomic_compare_exchange_weak_acquire (
-                               cond->__data.__g_signals + g,
-+  while (1)
-+    {
-+      /* Now wait until a signal is available in our group or it is closed.
-+         Acquire MO so that if we observe (signals == lowseq) after group
-+         switching in __condvar_quiesce_and_switch_g1, we synchronize with that
-+         store and will see the prior update of __g1_start done while switching
-+         groups too.  */
-+      unsigned int signals = atomic_load_acquire (cond->__data.__g_signals + g);
-+      uint64_t g1_start = __condvar_load_g1_start_relaxed (cond);
-+      unsigned int lowseq = (g1_start & 1) == g ? signals : g1_start & ~1U;
+-  do
+-    {
 +
-+      if (seq < (g1_start >> 1))
-+        {
-+          /* If the group is closed already,
-+             then this waiter originally had enough extra signals to
-+             consume, up until the time its group was closed.  */
-+           break;
-+        }
-+
-+      /* If there is an available signal, don't block.
-+         If __g1_start has advanced at all, then we must be in G1
-+         by now, perhaps in the process of switching back to an older
-+         G2, but in either case we're allowed to consume the available
-+         signal and should not block anymore.  */
-+      if ((int)(signals - lowseq) >= 2)
-+        {
-+         /* Try to grab a signal.  See above for MO.  (if we do another loop
-+            iteration we need to see the correct value of g1_start)  */
-+           if (atomic_compare_exchange_weak_acquire (
-+                       cond->__data.__g_signals + g,
-                        &signals, signals - 2))
-                       break;
-                     else
-                       continue;
-           }
-	  /* No signals available after spinning, so prepare to block.
-	     We first acquire a group reference and use acquire MO for that so
-	     that we synchronize with the dummy read-modify-write in
-	     __condvar_quiesce_and_switch_g1 if we read from that.  In turn,
-	     in this case this will make us see the advancement of __g_signals
-	     to the upcoming new g1_start that occurs with a concurrent
-	     attempt to reuse the group's slot.
-	     We use acquire MO for the __g_signals check to make the
-	     __g1_start check work (see spinning above).
-	     Note that the group reference acquisition will not mask the
-	     release MO when decrementing the reference count because we use
-	     an atomic read-modify-write operation and thus extend the release
-	     sequence.  */
-	  atomic_fetch_add_acquire (cond->__data.__g_refs + g, 2);
+       while (1)
+ 	{
+	  /* Now wait until a signal is available in our group or it is closed.
+	     Acquire MO so that if we observe (signals == lowseq) after group
+	     switching in __condvar_quiesce_and_switch_g1, we synchronize with that
+	     store and will see the prior update of __g1_start done while switching
+	     groups too.  */
+	  unsigned int signals = atomic_load_acquire (cond->__data.__g_signals + g);
+ 	  uint64_t g1_start = __condvar_load_g1_start_relaxed (cond);
+ 	  unsigned int lowseq = (g1_start & 1) == g ? signals : g1_start & ~1U;
+ 
+@@ -401,7 +399,7 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
+ 	      /* If the group is closed already,
+ 	         then this waiter originally had enough extra signals to
+ 	         consume, up until the time its group was closed.  */
+-	       goto done;
+	       break;
+ 	    }
+ 
+ 	  /* If there is an available signal, don't block.
+@@ -410,7 +408,16 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
+ 	     G2, but in either case we're allowed to consume the available
+ 	     signal and should not block anymore.  */
+ 	  if ((int)(signals - lowseq) >= 2)
+-	    break;
+           {
+             /* Try to grab a signal.  See above for MO.  (if we do another loop
+                iteration we need to see the correct value of g1_start)  */
+                     if (atomic_compare_exchange_weak_acquire (
+                               cond->__data.__g_signals + g,
+                       &signals, signals - 2))
+                       break;
+                     else
+                       continue;
+           }
+ 
+ 	  // Now block.
+ 	  struct _pthread_cleanup_buffer buffer;
+@@ -431,19 +438,9 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
+ 	      /* If we timed out, we effectively cancel waiting.  */
+ 	      __condvar_cancel_waiting (cond, seq, g, private);
+ 	      result = err;
+-	      goto done;
+	      break;
+ 	    }
 -
-	  // Now block.
-	  struct _pthread_cleanup_buffer buffer;
-	  struct _condvar_cleanup_buffer cbuffer;
-	  cbuffer.wseq = wseq;
-	  cbuffer.cond = cond;
-	  cbuffer.mutex = mutex;
-	  cbuffer.private = private;
-	  __pthread_cleanup_push (&buffer, __condvar_cleanup_waiting, &cbuffer);
-
-	  err = __futex_abstimed_wait_cancelable64 (
-	    cond->__data.__g_signals + g, signals, clockid, abstime, private);
-
-	  __pthread_cleanup_pop (&buffer, 0);
-
-	  if (__glibc_unlikely (err == ETIMEDOUT || err == EOVERFLOW))
-	    {
-	      __condvar_dec_grefs (cond, g, private);
-	      /* If we timed out, we effectively cancel waiting.  Note that
-		 we have decremented __g_refs before cancellation, so that a
-		 deadlock between waiting for quiescence of our group in
-		 __condvar_quiesce_and_switch_g1 and us trying to acquire
-		 the lock during cancellation is not possible.  */
-	      __condvar_cancel_waiting (cond, seq, g, private);
-	      result = err;
- 	      break;
-	    }
-	  else
-	    __condvar_dec_grefs (cond, g, private);
-
-+	   else
-+	      continue;
+-	  /* Reload signals.  See above for MO.  */
+-	  signals = atomic_load_acquire (cond->__data.__g_signals + g);
 	}
-+      // Now block.
-+      struct _pthread_cleanup_buffer buffer;
-+      struct _condvar_cleanup_buffer cbuffer;
-+      cbuffer.wseq = wseq;
-+      cbuffer.cond = cond;
-+      cbuffer.mutex = mutex;
-+      cbuffer.private = private;
-+      __pthread_cleanup_push (&buffer, __condvar_cleanup_waiting, &cbuffer);
-+
-+      err = __futex_abstimed_wait_cancelable64 (
-+        cond->__data.__g_signals + g, signals, clockid, abstime, private);
-+
-+      __pthread_cleanup_pop (&buffer, 0);
-+
-+      if (__glibc_unlikely (err == ETIMEDOUT || err == EOVERFLOW))
-+        {
-+          /* If we timed out, we effectively cancel waiting.  */
-+          __condvar_cancel_waiting (cond, seq, g, private);
-+          result = err;
-+          break;
-+        }
-+    }
+-    }
+-  /* Try to grab a signal.  See above for MO.  (if we do another loop
+-     iteration we need to see the correct value of g1_start)  */
+-  while (!atomic_compare_exchange_weak_acquire (cond->__data.__g_signals + g,
+-						&signals, signals - 2));
+-
+- done:
 
   /* Confirm that we have been woken.  We do that before acquiring the mutex
      to allow for execution of pthread_cond_destroy while having acquired the
--- a/meta/recipes-core/glibc/glibc/0026-PR25847-7.patch
+++ b/meta/recipes-core/glibc/glibc/0026-PR25847-7.patch
@@ -1,160 +1,149 @@
-From 2a601ac9041e2ca645acad2c174b1c545cfceafe Mon Sep 17 00:00:00 2001
+From 1077953950d1e8864c63222967141c67f51297f8 Mon Sep 17 00:00:00 2001
 From: Malte Skarupke <malteskarupke@fastmail.fm>
-Date: Tue, 17 Jun 2025 01:53:25 -0700
-Subject: [PATCH] nptl: rename __condvar_quiesce_and_switch_g1
+Date: Tue, 14 Oct 2025 06:27:04 -0700
+Subject: [PATCH] nptl: Fix indentation

-This function no longer waits for threads to leave g1, so rename it to
-__condvar_switch_g1
+In my previous change I turned a nested loop into a simple loop. I'm doing
+the resulting indentation changes in a separate commit to make the diff on
+the previous commit easier to review.

 The following commits have been cherry-picked from Glibc master branch:
 Bug : https://sourceware.org/bugzilla/show_bug.cgi?id=25847
+commit: ee6c14ed59d480720721aaacc5fb03213dc153da

-Upstream-Status: Backport
-[https://sourceware.org/git/?p=glibc.git;a=commit;h=4b79e27a5073c02f6bff9aa8f4791230a0ab1867]
+Upstream-Status: Submitted
+[https://sourceware.org/pipermail/libc-stable/2025-July/002280.html]

 Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
 ---
- nptl/pthread_cond_broadcast.c |  4 ++--
- nptl/pthread_cond_common.c    | 26 ++++++++++++--------------
- nptl/pthread_cond_signal.c    | 17 ++++++++---------
- nptl/pthread_cond_wait.c      |  9 ++++-----
- 4 files changed, 26 insertions(+), 30 deletions(-)
+ nptl/pthread_cond_wait.c | 110 +++++++++++++++++++--------------------
+ 1 file changed, 55 insertions(+), 55 deletions(-)

-diff --git a/nptl/pthread_cond_broadcast.c b/nptl/pthread_cond_broadcast.c
-index 5ae141ac81..a07435589a 100644
--- a/nptl/pthread_cond_broadcast.c
-+++ b/nptl/pthread_cond_broadcast.c
-@@ -60,7 +60,7 @@ ___pthread_cond_broadcast (pthread_cond_t *cond)
- 				cond->__data.__g_size[g1] << 1);
-       cond->__data.__g_size[g1] = 0;
- 
-      /* We need to wake G1 waiters before we quiesce G1 below.  */
-+      /* We need to wake G1 waiters before we switch G1 below.  */
-       /* TODO Only set it if there are indeed futex waiters.  We could
- 	 also try to move this out of the critical section in cases when
- 	 G2 is empty (and we don't need to quiesce).  */
-@@ -69,7 +69,7 @@ ___pthread_cond_broadcast (pthread_cond_t *cond)
- 
-   /* G1 is complete.  Step (2) is next unless there are no waiters in G2, in
-      which case we can stop.  */
-  if (__condvar_quiesce_and_switch_g1 (cond, wseq, &g1, private))
-+  if (__condvar_switch_g1 (cond, wseq, &g1, private))
-     {
-       /* Step (3): Send signals to all waiters in the old G2 / new G1.  */
-       atomic_fetch_add_relaxed (cond->__data.__g_signals + g1,
-diff --git a/nptl/pthread_cond_common.c b/nptl/pthread_cond_common.c
-index f976a533a1..3baac4dabc 100644
--- a/nptl/pthread_cond_common.c
-+++ b/nptl/pthread_cond_common.c
-@@ -189,16 +189,15 @@ __condvar_get_private (int flags)
-     return FUTEX_SHARED;
- }
- 
-/* This closes G1 (whose index is in G1INDEX), waits for all futex waiters to
-   leave G1, converts G1 into a fresh G2, and then switches group roles so that
-   the former G2 becomes the new G1 ending at the current __wseq value when we
-   eventually make the switch (WSEQ is just an observation of __wseq by the
-   signaler).
-+/* This closes G1 (whose index is in G1INDEX), converts G1 into a fresh G2,
-+   and then switches group roles so that the former G2 becomes the new G1
-+   ending at the current __wseq value when we eventually make the switch
-+   (WSEQ is just an observation of __wseq by the signaler).
-    If G2 is empty, it will not switch groups because then it would create an
-    empty G1 which would require switching groups again on the next signal.
-    Returns false iff groups were not switched because G2 was empty.  */
- static bool __attribute__ ((unused))
-__condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
-+__condvar_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
-     unsigned int *g1index, int private)
- {
-   unsigned int g1 = *g1index;
-@@ -214,8 +213,7 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
- 	  + cond->__data.__g_size[g1 ^ 1]) == 0)
- 	return false;
- 
-  /* Now try to close and quiesce G1.  We have to consider the following kinds
-     of waiters:
-+  /* We have to consider the following kinds of waiters:
-      * Waiters from less recent groups than G1 are not affected because
-        nothing will change for them apart from __g1_start getting larger.
-      * New waiters arriving concurrently with the group switching will all go
-@@ -223,12 +221,12 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
-        are not affected.
-      * Waiters in G1 have already received a signal and been woken.  */
- 
-  /* Update __g1_start, which finishes closing this group.  The value we add
-     will never be negative because old_orig_size can only be zero when we
-     switch groups the first time after a condvar was initialized, in which
-     case G1 will be at index 1 and we will add a value of 1.
-     Relaxed MO is fine because the change comes with no additional
-     constraints that others would have to observe.  */
-+  /* Update __g1_start, which closes this group.  The value we add will never
-+     be negative because old_orig_size can only be zero when we switch groups
-+     the first time after a condvar was initialized, in which case G1 will be
-+     at index 1 and we will add a value of 1. Relaxed MO is fine because the
-+     change comes with no additional constraints that others would have to
-+     observe.  */
-   __condvar_add_g1_start_relaxed (cond,
-       (old_orig_size << 1) + (g1 == 1 ? 1 : - 1));
- 
-diff --git a/nptl/pthread_cond_signal.c b/nptl/pthread_cond_signal.c
-index 14800ba00b..a9bc10dcca 100644
--- a/nptl/pthread_cond_signal.c
-+++ b/nptl/pthread_cond_signal.c
-@@ -69,18 +69,17 @@ ___pthread_cond_signal (pthread_cond_t *cond)
-   bool do_futex_wake = false;
- 
-   /* If G1 is still receiving signals, we put the signal there.  If not, we
-     check if G2 has waiters, and if so, quiesce and switch G1 to the former
-     G2; if this results in a new G1 with waiters (G2 might have cancellations
-     already, see __condvar_quiesce_and_switch_g1), we put the signal in the
-     new G1.  */
-+     check if G2 has waiters, and if so, switch G1 to the former G2; if this
-+     results in a new G1 with waiters (G2 might have cancellations already,
-+     see __condvar_switch_g1), we put the signal in the new G1. */
-   if ((cond->__data.__g_size[g1] != 0)
-      || __condvar_quiesce_and_switch_g1 (cond, wseq, &g1, private))
-+      || __condvar_switch_g1 (cond, wseq, &g1, private))
-     {
-       /* Add a signal.  Relaxed MO is fine because signaling does not need to
-	 establish a happens-before relation (see above).  We do not mask the
-	 release-MO store when initializing a group in
-	 __condvar_quiesce_and_switch_g1 because we use an atomic
-	 read-modify-write and thus extend that store's release sequence.  */
-+         establish a happens-before relation (see above).  We do not mask the
-+         release-MO store when initializing a group in __condvar_switch_g1
-+         because we use an atomic read-modify-write and thus extend that
-+         store's release sequence.  */
-       atomic_fetch_add_relaxed (cond->__data.__g_signals + g1, 2);
-       cond->__data.__g_size[g1]--;
-       /* TODO Only set it if there are indeed futex waiters.  */
 diff --git a/nptl/pthread_cond_wait.c b/nptl/pthread_cond_wait.c
-index 104ebd48ca..bb46f3605d 100644
+index c8c99bbf..adf26a80 100644
 --- a/nptl/pthread_cond_wait.c
 +++ b/nptl/pthread_cond_wait.c
-@@ -382,8 +382,7 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
-      because we do not need to establish any happens-before relation with
-      signalers (see __pthread_cond_signal); modification order alone
-      establishes a total order of waiters/signals.  We do need acquire MO
-     to synchronize with group reinitialization in
-     __condvar_quiesce_and_switch_g1.  */
-+     to synchronize with group reinitialization in __condvar_switch_g1.  */
-   uint64_t wseq = __condvar_fetch_add_wseq_acquire (cond, 2);
-   /* Find our group's index.  We always go into what was G2 when we acquired
-      our position.  */
-@@ -414,9 +413,9 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
-     {
-       /* Now wait until a signal is available in our group or it is closed.
-          Acquire MO so that if we observe (signals == lowseq) after group
-         switching in __condvar_quiesce_and_switch_g1, we synchronize with that
-         store and will see the prior update of __g1_start done while switching
-         groups too.  */
-+         switching in __condvar_switch_g1, we synchronize with that store and
-+         will see the prior update of __g1_start done while switching groups
-+         too.  */
-       unsigned int signals = atomic_load_acquire (cond->__data.__g_signals + g);
-       uint64_t g1_start = __condvar_load_g1_start_relaxed (cond);
-       unsigned int lowseq = (g1_start & 1) == g ? signals : g1_start & ~1U;
+@@ -383,65 +383,65 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
+     }
+ 
+ 
+-      while (1)
+-	{
+-	  /* Now wait until a signal is available in our group or it is closed.
+-	     Acquire MO so that if we observe (signals == lowseq) after group
+-	     switching in __condvar_quiesce_and_switch_g1, we synchronize with that
+-	     store and will see the prior update of __g1_start done while switching
+-	     groups too.  */
+-	  unsigned int signals = atomic_load_acquire (cond->__data.__g_signals + g);
+-	  uint64_t g1_start = __condvar_load_g1_start_relaxed (cond);
+-	  unsigned int lowseq = (g1_start & 1) == g ? signals : g1_start & ~1U;
+-
+-	  if (seq < (g1_start >> 1))
+-	    {
+-	      /* If the group is closed already,
+-	         then this waiter originally had enough extra signals to
+-	         consume, up until the time its group was closed.  */
+-	       break;
+-	    }
+-
+-	  /* If there is an available signal, don't block.
+-	     If __g1_start has advanced at all, then we must be in G1
+-	     by now, perhaps in the process of switching back to an older
+-	     G2, but in either case we're allowed to consume the available
+-	     signal and should not block anymore.  */
+-	  if ((int)(signals - lowseq) >= 2)
+-           {
+-             /* Try to grab a signal.  See above for MO.  (if we do another loop
+-                iteration we need to see the correct value of g1_start)  */
+-                     if (atomic_compare_exchange_weak_acquire (
+-                               cond->__data.__g_signals + g,
+  while (1)
+    {
+      /* Now wait until a signal is available in our group or it is closed.
+         Acquire MO so that if we observe (signals == lowseq) after group
+         switching in __condvar_quiesce_and_switch_g1, we synchronize with that
+         store and will see the prior update of __g1_start done while switching
+         groups too.  */
+      unsigned int signals = atomic_load_acquire (cond->__data.__g_signals + g);
+      uint64_t g1_start = __condvar_load_g1_start_relaxed (cond);
+      unsigned int lowseq = (g1_start & 1) == g ? signals : g1_start & ~1U;
+
+      if (seq < (g1_start >> 1))
+        {
+          /* If the group is closed already,
+             then this waiter originally had enough extra signals to
+             consume, up until the time its group was closed.  */
+           break;
+        }
+
+      /* If there is an available signal, don't block.
+         If __g1_start has advanced at all, then we must be in G1
+         by now, perhaps in the process of switching back to an older
+         G2, but in either case we're allowed to consume the available
+         signal and should not block anymore.  */
+      if ((int)(signals - lowseq) >= 2)
+        {
+         /* Try to grab a signal.  See above for MO.  (if we do another loop
+            iteration we need to see the correct value of g1_start)  */
+           if (atomic_compare_exchange_weak_acquire (
+                       cond->__data.__g_signals + g,
+                        &signals, signals - 2))
+-                       break;
+-                     else
+-                       continue;
+-           }
+-
+-	  // Now block.
+-	  struct _pthread_cleanup_buffer buffer;
+-	  struct _condvar_cleanup_buffer cbuffer;
+-	  cbuffer.wseq = wseq;
+-	  cbuffer.cond = cond;
+-	  cbuffer.mutex = mutex;
+-	  cbuffer.private = private;
+-	  __pthread_cleanup_push (&buffer, __condvar_cleanup_waiting, &cbuffer);
+-
+-	  err = __futex_abstimed_wait_cancelable64 (
+-	    cond->__data.__g_signals + g, signals, clockid, abstime, private);
+-
+-	  __pthread_cleanup_pop (&buffer, 0);
+-
+-	  if (__glibc_unlikely (err == ETIMEDOUT || err == EOVERFLOW))
+-	    {
+-	      /* If we timed out, we effectively cancel waiting.  */
+-	      __condvar_cancel_waiting (cond, seq, g, private);
+-	      result = err;
+ 	      break;
+-	    }
+           else
+             continue;
+ 	}
+ 
+      // Now block.
+      struct _pthread_cleanup_buffer buffer;
+      struct _condvar_cleanup_buffer cbuffer;
+      cbuffer.wseq = wseq;
+      cbuffer.cond = cond;
+      cbuffer.mutex = mutex;
+      cbuffer.private = private;
+      __pthread_cleanup_push (&buffer, __condvar_cleanup_waiting, &cbuffer);
+
+      err = __futex_abstimed_wait_cancelable64 (
+        cond->__data.__g_signals + g, signals, clockid, abstime, private);
+
+      __pthread_cleanup_pop (&buffer, 0);
+
+      if (__glibc_unlikely (err == ETIMEDOUT || err == EOVERFLOW))
+        {
+          /* If we timed out, we effectively cancel waiting.  */
+          __condvar_cancel_waiting (cond, seq, g, private);
+          result = err;
+          break;
+        }
+    }
+
+   /* Confirm that we have been woken.  We do that before acquiring the mutex
+      to allow for execution of pthread_cond_destroy while having acquired the
+      mutex.  */
 -- 
 2.49.0

--- a/meta/recipes-core/glibc/glibc/0026-PR25847-8.patch
+++ b/meta/recipes-core/glibc/glibc/0026-PR25847-8.patch
@@ -1,192 +1,161 @@
-From fc074de88796eb2036fbe9bade638e00adfd5cb2 Mon Sep 17 00:00:00 2001
+From 20d84dfa0b9a32f88259269bbeaae588744ae4ae Mon Sep 17 00:00:00 2001
 From: Malte Skarupke <malteskarupke@fastmail.fm>
-Date: Tue, 17 Jun 2025 02:08:36 -0700
-Subject: [PATCH] nptl: Use all of g1_start and g_signals
+Date: Tue, 14 Oct 2025 06:33:50 -0700
+Subject: [PATCH] nptl: rename __condvar_quiesce_and_switch_g1

-The LSB of g_signals was unused. The LSB of g1_start was used to indicate
-which group is G2. This was used to always go to sleep in pthread_cond_wait
-if a waiter is in G2. A comment earlier in the file says that this is not
-correct to do:
-
- "Waiters cannot determine whether they are currently in G2 or G1 -- but they
-  do not have to because all they are interested in is whether there are
-  available signals"
-
-I either would have had to update the comment, or get rid of the check. I
-chose to get rid of the check. In fact I don't quite know why it was there.
-There will never be available signals for group G2, so we didn't need the
-special case. Even if there were, this would just be a spurious wake. This
-might have caught some cases where the count has wrapped around, but it
-wouldn't reliably do that, (and even if it did, why would you want to force a
-sleep in that case?) and we don't support that many concurrent waiters
-anyway. Getting rid of it allows us to use one more bit, making us more
-robust to wraparound.
+This function no longer waits for threads to leave g1, so rename it to
+__condvar_switch_g1

 The following commits have been cherry-picked from Glibc master branch:
 Bug : https://sourceware.org/bugzilla/show_bug.cgi?id=25847
+commit: 4b79e27a5073c02f6bff9aa8f4791230a0ab1867

-Upstream-Status: Backport
-[https://sourceware.org/git/?p=glibc.git;a=commit;h=91bb902f58264a2fd50fbce8f39a9a290dd23706]
+Upstream-Status: Submitted
+[https://sourceware.org/pipermail/libc-stable/2025-July/002281.html]

 Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
 ---
 nptl/pthread_cond_broadcast.c |  4 ++--
- nptl/pthread_cond_common.c    | 26 ++++++++++----------------
- nptl/pthread_cond_signal.c    |  2 +-
- nptl/pthread_cond_wait.c      | 14 +++++---------
- 4 files changed, 18 insertions(+), 28 deletions(-)
+ nptl/pthread_cond_common.c    | 26 ++++++++++++--------------
+ nptl/pthread_cond_signal.c    | 17 ++++++++---------
+ nptl/pthread_cond_wait.c      |  9 ++++-----
+ 4 files changed, 26 insertions(+), 30 deletions(-)

 diff --git a/nptl/pthread_cond_broadcast.c b/nptl/pthread_cond_broadcast.c
-index a07435589a..ef0943cdc5 100644
+index 5ae141ac..a0743558 100644
 --- a/nptl/pthread_cond_broadcast.c
 +++ b/nptl/pthread_cond_broadcast.c
-@@ -57,7 +57,7 @@ ___pthread_cond_broadcast (pthread_cond_t *cond)
-     {
-       /* Add as many signals as the remaining size of the group.  */
-       atomic_fetch_add_relaxed (cond->__data.__g_signals + g1,
-				cond->__data.__g_size[g1] << 1);
-+				cond->__data.__g_size[g1]);
+@@ -60,7 +60,7 @@ ___pthread_cond_broadcast (pthread_cond_t *cond)
+ 				cond->__data.__g_size[g1] << 1);
       cond->__data.__g_size[g1] = 0;
 
-       /* We need to wake G1 waiters before we switch G1 below.  */
-@@ -73,7 +73,7 @@ ___pthread_cond_broadcast (pthread_cond_t *cond)
+-      /* We need to wake G1 waiters before we quiesce G1 below.  */
+      /* We need to wake G1 waiters before we switch G1 below.  */
+       /* TODO Only set it if there are indeed futex waiters.  We could
+ 	 also try to move this out of the critical section in cases when
+ 	 G2 is empty (and we don't need to quiesce).  */
+@@ -69,7 +69,7 @@ ___pthread_cond_broadcast (pthread_cond_t *cond)
+ 
+   /* G1 is complete.  Step (2) is next unless there are no waiters in G2, in
+      which case we can stop.  */
+-  if (__condvar_quiesce_and_switch_g1 (cond, wseq, &g1, private))
+  if (__condvar_switch_g1 (cond, wseq, &g1, private))
     {
       /* Step (3): Send signals to all waiters in the old G2 / new G1.  */
       atomic_fetch_add_relaxed (cond->__data.__g_signals + g1,
-				cond->__data.__g_size[g1] << 1);
-+				cond->__data.__g_size[g1]);
-       cond->__data.__g_size[g1] = 0;
-       /* TODO Only set it if there are indeed futex waiters.  */
-       do_futex_wake = true;
 diff --git a/nptl/pthread_cond_common.c b/nptl/pthread_cond_common.c
-index 3baac4dabc..e48f914321 100644
+index f976a533..3baac4da 100644
 --- a/nptl/pthread_cond_common.c
 +++ b/nptl/pthread_cond_common.c
-@@ -208,9 +208,9 @@ __condvar_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
-      behavior.
-      Note that this works correctly for a zero-initialized condvar too.  */
-   unsigned int old_orig_size = __condvar_get_orig_size (cond);
-  uint64_t old_g1_start = __condvar_load_g1_start_relaxed (cond) >> 1;
-  if (((unsigned) (wseq - old_g1_start - old_orig_size)
-	  + cond->__data.__g_size[g1 ^ 1]) == 0)
-+  uint64_t old_g1_start = __condvar_load_g1_start_relaxed (cond);
-+  uint64_t new_g1_start = old_g1_start + old_orig_size;
-+  if (((unsigned) (wseq - new_g1_start) + cond->__data.__g_size[g1 ^ 1]) == 0)
+@@ -189,16 +189,15 @@ __condvar_get_private (int flags)
+     return FUTEX_SHARED;
+ }
+ 
+-/* This closes G1 (whose index is in G1INDEX), waits for all futex waiters to
+-   leave G1, converts G1 into a fresh G2, and then switches group roles so that
+-   the former G2 becomes the new G1 ending at the current __wseq value when we
+-   eventually make the switch (WSEQ is just an observation of __wseq by the
+-   signaler).
+/* This closes G1 (whose index is in G1INDEX), converts G1 into a fresh G2,
+   and then switches group roles so that the former G2 becomes the new G1
+   ending at the current __wseq value when we eventually make the switch
+   (WSEQ is just an observation of __wseq by the signaler).
+    If G2 is empty, it will not switch groups because then it would create an
+    empty G1 which would require switching groups again on the next signal.
+    Returns false iff groups were not switched because G2 was empty.  */
+ static bool __attribute__ ((unused))
+-__condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
+__condvar_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
+     unsigned int *g1index, int private)
+ {
+   unsigned int g1 = *g1index;
+@@ -214,8 +213,7 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
+ 	  + cond->__data.__g_size[g1 ^ 1]) == 0)
 	return false;
 
-   /* We have to consider the following kinds of waiters:
-@@ -221,16 +221,10 @@ __condvar_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
+-  /* Now try to close and quiesce G1.  We have to consider the following kinds
+-     of waiters:
+  /* We have to consider the following kinds of waiters:
+      * Waiters from less recent groups than G1 are not affected because
+        nothing will change for them apart from __g1_start getting larger.
+      * New waiters arriving concurrently with the group switching will all go
+@@ -223,12 +221,12 @@ __condvar_quiesce_and_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
        are not affected.
      * Waiters in G1 have already received a signal and been woken.  */
 
-  /* Update __g1_start, which closes this group.  The value we add will never
-     be negative because old_orig_size can only be zero when we switch groups
-     the first time after a condvar was initialized, in which case G1 will be
-     at index 1 and we will add a value of 1. Relaxed MO is fine because the
-     change comes with no additional constraints that others would have to
-     observe.  */
-  __condvar_add_g1_start_relaxed (cond,
-      (old_orig_size << 1) + (g1 == 1 ? 1 : - 1));
-
-  unsigned int lowseq = ((old_g1_start + old_orig_size) << 1) & ~1U;
-+  /* Update __g1_start, which closes this group.  Relaxed MO is fine because
-+     the change comes with no additional constraints that others would have
-+     to observe.  */
-+  __condvar_add_g1_start_relaxed (cond, old_orig_size);
+-  /* Update __g1_start, which finishes closing this group.  The value we add
+-     will never be negative because old_orig_size can only be zero when we
+-     switch groups the first time after a condvar was initialized, in which
+-     case G1 will be at index 1 and we will add a value of 1.
+-     Relaxed MO is fine because the change comes with no additional
+-     constraints that others would have to observe.  */
+  /* Update __g1_start, which closes this group.  The value we add will never
+     be negative because old_orig_size can only be zero when we switch groups
+     the first time after a condvar was initialized, in which case G1 will be
+     at index 1 and we will add a value of 1. Relaxed MO is fine because the
+     change comes with no additional constraints that others would have to
+     observe.  */
+   __condvar_add_g1_start_relaxed (cond,
+       (old_orig_size << 1) + (g1 == 1 ? 1 : - 1));
 
-   /* At this point, the old G1 is now a valid new G2 (but not in use yet).
-      No old waiter can neither grab a signal nor acquire a reference without
-@@ -242,13 +236,13 @@ __condvar_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
-   g1 ^= 1;
-   *g1index ^= 1;
- 
-  /* Now advance the new G1 g_signals to the new lowseq, giving it
-+  /* Now advance the new G1 g_signals to the new g1_start, giving it
-      an effective signal count of 0 to start.  */
-  atomic_store_release (cond->__data.__g_signals + g1, lowseq);
-+  atomic_store_release (cond->__data.__g_signals + g1, (unsigned)new_g1_start);
- 
-   /* These values are just observed by signalers, and thus protected by the
-      lock.  */
-  unsigned int orig_size = wseq - (old_g1_start + old_orig_size);
-+  unsigned int orig_size = wseq - new_g1_start;
-   __condvar_set_orig_size (cond, orig_size);
-   /* Use and addition to not loose track of cancellations in what was
-      previously G2.  */
 diff --git a/nptl/pthread_cond_signal.c b/nptl/pthread_cond_signal.c
-index a9bc10dcca..07427369aa 100644
+index 14800ba0..a9bc10dc 100644
 --- a/nptl/pthread_cond_signal.c
 +++ b/nptl/pthread_cond_signal.c
-@@ -80,7 +80,7 @@ ___pthread_cond_signal (pthread_cond_t *cond)
-          release-MO store when initializing a group in __condvar_switch_g1
-          because we use an atomic read-modify-write and thus extend that
-          store's release sequence.  */
-      atomic_fetch_add_relaxed (cond->__data.__g_signals + g1, 2);
-+      atomic_fetch_add_relaxed (cond->__data.__g_signals + g1, 1);
+@@ -69,18 +69,17 @@ ___pthread_cond_signal (pthread_cond_t *cond)
+   bool do_futex_wake = false;
+ 
+   /* If G1 is still receiving signals, we put the signal there.  If not, we
+-     check if G2 has waiters, and if so, quiesce and switch G1 to the former
+-     G2; if this results in a new G1 with waiters (G2 might have cancellations
+-     already, see __condvar_quiesce_and_switch_g1), we put the signal in the
+-     new G1.  */
+     check if G2 has waiters, and if so, switch G1 to the former G2; if this
+     results in a new G1 with waiters (G2 might have cancellations already,
+     see __condvar_switch_g1), we put the signal in the new G1. */
+   if ((cond->__data.__g_size[g1] != 0)
+-      || __condvar_quiesce_and_switch_g1 (cond, wseq, &g1, private))
+      || __condvar_switch_g1 (cond, wseq, &g1, private))
+     {
+       /* Add a signal.  Relaxed MO is fine because signaling does not need to
+-	 establish a happens-before relation (see above).  We do not mask the
+-	 release-MO store when initializing a group in
+-	 __condvar_quiesce_and_switch_g1 because we use an atomic
+-	 read-modify-write and thus extend that store's release sequence.  */
+         establish a happens-before relation (see above).  We do not mask the
+         release-MO store when initializing a group in __condvar_switch_g1
+         because we use an atomic read-modify-write and thus extend that
+         store's release sequence.  */
+       atomic_fetch_add_relaxed (cond->__data.__g_signals + g1, 2);
       cond->__data.__g_size[g1]--;
       /* TODO Only set it if there are indeed futex waiters.  */
-       do_futex_wake = true;
 diff --git a/nptl/pthread_cond_wait.c b/nptl/pthread_cond_wait.c
-index bb46f3605d..430cbe8a35 100644
+index adf26a80..40a74342 100644
 --- a/nptl/pthread_cond_wait.c
 +++ b/nptl/pthread_cond_wait.c
-@@ -84,7 +84,7 @@ __condvar_cancel_waiting (pthread_cond_t *cond, uint64_t seq, unsigned int g,
-      not hold a reference on the group.  */
-   __condvar_acquire_lock (cond, private);
- 
-  uint64_t g1_start = __condvar_load_g1_start_relaxed (cond) >> 1;
-+  uint64_t g1_start = __condvar_load_g1_start_relaxed (cond);
-   if (g1_start > seq)
+@@ -354,8 +354,7 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
+      because we do not need to establish any happens-before relation with
+      signalers (see __pthread_cond_signal); modification order alone
+      establishes a total order of waiters/signals.  We do need acquire MO
+-     to synchronize with group reinitialization in
+-     __condvar_quiesce_and_switch_g1.  */
+     to synchronize with group reinitialization in __condvar_switch_g1.  */
+   uint64_t wseq = __condvar_fetch_add_wseq_acquire (cond, 2);
+   /* Find our group's index.  We always go into what was G2 when we acquired
+      our position.  */
+@@ -387,9 +386,9 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
     {
-       /* Our group is closed, so someone provided enough signals for it.
-@@ -278,7 +278,6 @@ __condvar_cleanup_waiting (void *arg)
-      * Waiters fetch-add while having acquire the mutex associated with the
-        condvar.  Signalers load it and fetch-xor it concurrently.
-    __g1_start: Starting position of G1 (inclusive)
-     * LSB is index of current G2.
-      * Modified by signalers while having acquired the condvar-internal lock
-        and observed concurrently by waiters.
-    __g1_orig_size: Initial size of G1
-@@ -299,11 +298,9 @@ __condvar_cleanup_waiting (void *arg)
-      * Reference count used by waiters concurrently with signalers that have
-        acquired the condvar-internal lock.
-    __g_signals: The number of signals that can still be consumed, relative to
-     the current g1_start.  (i.e. bits 31 to 1 of __g_signals are bits
-     31 to 1 of g1_start with the signal count added)
-+     the current g1_start.  (i.e. g1_start with the signal count added)
-      * Used as a futex word by waiters.  Used concurrently by waiters and
-        signalers.
-     * LSB is currently reserved and 0.
-    __g_size: Waiters remaining in this group (i.e., which have not been
-      signaled yet.
-      * Accessed by signalers and waiters that cancel waiting (both do so only
-@@ -418,9 +415,8 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
-          too.  */
+       /* Now wait until a signal is available in our group or it is closed.
+          Acquire MO so that if we observe (signals == lowseq) after group
+-         switching in __condvar_quiesce_and_switch_g1, we synchronize with that
+-         store and will see the prior update of __g1_start done while switching
+-         groups too.  */
+         switching in __condvar_switch_g1, we synchronize with that store and
+         will see the prior update of __g1_start done while switching groups
+         too.  */
       unsigned int signals = atomic_load_acquire (cond->__data.__g_signals + g);
       uint64_t g1_start = __condvar_load_g1_start_relaxed (cond);
-      unsigned int lowseq = (g1_start & 1) == g ? signals : g1_start & ~1U;
- 
-      if (seq < (g1_start >> 1))
-+      if (seq < g1_start)
-         {
-           /* If the group is closed already,
-              then this waiter originally had enough extra signals to
-@@ -433,13 +429,13 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
-          by now, perhaps in the process of switching back to an older
-          G2, but in either case we're allowed to consume the available
-          signal and should not block anymore.  */
-      if ((int)(signals - lowseq) >= 2)
-+      if ((int)(signals - (unsigned int)g1_start) > 0)
-         {
-          /* Try to grab a signal.  See above for MO.  (if we do another loop
-             iteration we need to see the correct value of g1_start)  */
-            if (atomic_compare_exchange_weak_acquire (
-                        cond->__data.__g_signals + g,
-                       &signals, signals - 2))
-+                       &signals, signals - 1))
- 	      break;
- 	   else
- 	      continue;
+       unsigned int lowseq = (g1_start & 1) == g ? signals : g1_start & ~1U;
 -- 
 2.49.0

--- a/meta/recipes-core/glibc/glibc/0026-PR25847-9.patch
+++ b/meta/recipes-core/glibc/glibc/0026-PR25847-9.patch
@@ -0,0 +1,193 @@
+From c2677e68956bb9677d8de4ee6c5341b1a744d490 Mon Sep 17 00:00:00 2001
+From: Malte Skarupke <malteskarupke@fastmail.fm>
+Date: Tue, 14 Oct 2025 06:40:57 -0700
+Subject: [PATCH] nptl: Use all of g1_start and g_signals
+
+The LSB of g_signals was unused. The LSB of g1_start was used to indicate
+which group is G2. This was used to always go to sleep in pthread_cond_wait
+if a waiter is in G2. A comment earlier in the file says that this is not
+correct to do:
+
+ "Waiters cannot determine whether they are currently in G2 or G1 -- but they
+  do not have to because all they are interested in is whether there are
+  available signals"
+
+I either would have had to update the comment, or get rid of the check. I
+chose to get rid of the check. In fact I don't quite know why it was there.
+There will never be available signals for group G2, so we didn't need the
+special case. Even if there were, this would just be a spurious wake. This
+might have caught some cases where the count has wrapped around, but it
+wouldn't reliably do that, (and even if it did, why would you want to force a
+sleep in that case?) and we don't support that many concurrent waiters
+anyway. Getting rid of it allows us to use one more bit, making us more
+robust to wraparound.
+
+The following commits have been cherry-picked from Glibc master branch:
+Bug : https://sourceware.org/bugzilla/show_bug.cgi?id=25847
+commit: 91bb902f58264a2fd50fbce8f39a9a290dd23706
+
+Upstream-Status: Submitted
+[https://sourceware.org/pipermail/libc-stable/2025-July/002283.html]
+
+Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
+---
+ nptl/pthread_cond_broadcast.c |  4 ++--
+ nptl/pthread_cond_common.c    | 26 ++++++++++----------------
+ nptl/pthread_cond_signal.c    |  2 +-
+ nptl/pthread_cond_wait.c      | 14 +++++---------
+ 4 files changed, 18 insertions(+), 28 deletions(-)
+
+diff --git a/nptl/pthread_cond_broadcast.c b/nptl/pthread_cond_broadcast.c
+index a0743558..ef0943cd 100644
+--- a/nptl/pthread_cond_broadcast.c
+++ b/nptl/pthread_cond_broadcast.c
+@@ -57,7 +57,7 @@ ___pthread_cond_broadcast (pthread_cond_t *cond)
+     {
+       /* Add as many signals as the remaining size of the group.  */
+       atomic_fetch_add_relaxed (cond->__data.__g_signals + g1,
+-				cond->__data.__g_size[g1] << 1);
+				cond->__data.__g_size[g1]);
+       cond->__data.__g_size[g1] = 0;
+ 
+       /* We need to wake G1 waiters before we switch G1 below.  */
+@@ -73,7 +73,7 @@ ___pthread_cond_broadcast (pthread_cond_t *cond)
+     {
+       /* Step (3): Send signals to all waiters in the old G2 / new G1.  */
+       atomic_fetch_add_relaxed (cond->__data.__g_signals + g1,
+-				cond->__data.__g_size[g1] << 1);
+				cond->__data.__g_size[g1]);
+       cond->__data.__g_size[g1] = 0;
+       /* TODO Only set it if there are indeed futex waiters.  */
+       do_futex_wake = true;
+diff --git a/nptl/pthread_cond_common.c b/nptl/pthread_cond_common.c
+index 3baac4da..e48f9143 100644
+--- a/nptl/pthread_cond_common.c
+++ b/nptl/pthread_cond_common.c
+@@ -208,9 +208,9 @@ __condvar_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
+      behavior.
+      Note that this works correctly for a zero-initialized condvar too.  */
+   unsigned int old_orig_size = __condvar_get_orig_size (cond);
+-  uint64_t old_g1_start = __condvar_load_g1_start_relaxed (cond) >> 1;
+-  if (((unsigned) (wseq - old_g1_start - old_orig_size)
+-	  + cond->__data.__g_size[g1 ^ 1]) == 0)
+  uint64_t old_g1_start = __condvar_load_g1_start_relaxed (cond);
+  uint64_t new_g1_start = old_g1_start + old_orig_size;
+  if (((unsigned) (wseq - new_g1_start) + cond->__data.__g_size[g1 ^ 1]) == 0)
+ 	return false;
+ 
+   /* We have to consider the following kinds of waiters:
+@@ -221,16 +221,10 @@ __condvar_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
+        are not affected.
+      * Waiters in G1 have already received a signal and been woken.  */
+ 
+-  /* Update __g1_start, which closes this group.  The value we add will never
+-     be negative because old_orig_size can only be zero when we switch groups
+-     the first time after a condvar was initialized, in which case G1 will be
+-     at index 1 and we will add a value of 1. Relaxed MO is fine because the
+-     change comes with no additional constraints that others would have to
+-     observe.  */
+-  __condvar_add_g1_start_relaxed (cond,
+-      (old_orig_size << 1) + (g1 == 1 ? 1 : - 1));
+-
+-  unsigned int lowseq = ((old_g1_start + old_orig_size) << 1) & ~1U;
+  /* Update __g1_start, which closes this group.  Relaxed MO is fine because
+     the change comes with no additional constraints that others would have
+     to observe.  */
+  __condvar_add_g1_start_relaxed (cond, old_orig_size);
+ 
+   /* At this point, the old G1 is now a valid new G2 (but not in use yet).
+      No old waiter can neither grab a signal nor acquire a reference without
+@@ -242,13 +236,13 @@ __condvar_switch_g1 (pthread_cond_t *cond, uint64_t wseq,
+   g1 ^= 1;
+   *g1index ^= 1;
+ 
+-  /* Now advance the new G1 g_signals to the new lowseq, giving it
+  /* Now advance the new G1 g_signals to the new g1_start, giving it
+      an effective signal count of 0 to start.  */
+-  atomic_store_release (cond->__data.__g_signals + g1, lowseq);
+  atomic_store_release (cond->__data.__g_signals + g1, (unsigned)new_g1_start);
+ 
+   /* These values are just observed by signalers, and thus protected by the
+      lock.  */
+-  unsigned int orig_size = wseq - (old_g1_start + old_orig_size);
+  unsigned int orig_size = wseq - new_g1_start;
+   __condvar_set_orig_size (cond, orig_size);
+   /* Use and addition to not loose track of cancellations in what was
+      previously G2.  */
+diff --git a/nptl/pthread_cond_signal.c b/nptl/pthread_cond_signal.c
+index a9bc10dc..07427369 100644
+--- a/nptl/pthread_cond_signal.c
+++ b/nptl/pthread_cond_signal.c
+@@ -80,7 +80,7 @@ ___pthread_cond_signal (pthread_cond_t *cond)
+          release-MO store when initializing a group in __condvar_switch_g1
+          because we use an atomic read-modify-write and thus extend that
+          store's release sequence.  */
+-      atomic_fetch_add_relaxed (cond->__data.__g_signals + g1, 2);
+      atomic_fetch_add_relaxed (cond->__data.__g_signals + g1, 1);
+       cond->__data.__g_size[g1]--;
+       /* TODO Only set it if there are indeed futex waiters.  */
+       do_futex_wake = true;
+diff --git a/nptl/pthread_cond_wait.c b/nptl/pthread_cond_wait.c
+index 40a74342..d7e073ab 100644
+--- a/nptl/pthread_cond_wait.c
+++ b/nptl/pthread_cond_wait.c
+@@ -84,7 +84,7 @@ __condvar_cancel_waiting (pthread_cond_t *cond, uint64_t seq, unsigned int g,
+      not hold a reference on the group.  */
+   __condvar_acquire_lock (cond, private);
+ 
+-  uint64_t g1_start = __condvar_load_g1_start_relaxed (cond) >> 1;
+  uint64_t g1_start = __condvar_load_g1_start_relaxed (cond);
+   if (g1_start > seq)
+     {
+       /* Our group is closed, so someone provided enough signals for it.
+@@ -259,7 +259,6 @@ __condvar_cleanup_waiting (void *arg)
+      * Waiters fetch-add while having acquire the mutex associated with the
+        condvar.  Signalers load it and fetch-xor it concurrently.
+    __g1_start: Starting position of G1 (inclusive)
+-     * LSB is index of current G2.
+      * Modified by signalers while having acquired the condvar-internal lock
+        and observed concurrently by waiters.
+    __g1_orig_size: Initial size of G1
+@@ -280,11 +279,9 @@ __condvar_cleanup_waiting (void *arg)
+      * Reference count used by waiters concurrently with signalers that have
+        acquired the condvar-internal lock.
+    __g_signals: The number of signals that can still be consumed, relative to
+-     the current g1_start.  (i.e. bits 31 to 1 of __g_signals are bits
+-     31 to 1 of g1_start with the signal count added)
+     the current g1_start.  (i.e. g1_start with the signal count added)
+      * Used as a futex word by waiters.  Used concurrently by waiters and
+        signalers.
+-     * LSB is currently reserved and 0.
+    __g_size: Waiters remaining in this group (i.e., which have not been
+      signaled yet.
+      * Accessed by signalers and waiters that cancel waiting (both do so only
+@@ -391,9 +388,8 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
+          too.  */
+       unsigned int signals = atomic_load_acquire (cond->__data.__g_signals + g);
+       uint64_t g1_start = __condvar_load_g1_start_relaxed (cond);
+-      unsigned int lowseq = (g1_start & 1) == g ? signals : g1_start & ~1U;
+ 
+-      if (seq < (g1_start >> 1))
+      if (seq < g1_start)
+         {
+           /* If the group is closed already,
+              then this waiter originally had enough extra signals to
+@@ -406,13 +402,13 @@ __pthread_cond_wait_common (pthread_cond_t *cond, pthread_mutex_t *mutex,
+          by now, perhaps in the process of switching back to an older
+          G2, but in either case we're allowed to consume the available
+          signal and should not block anymore.  */
+-      if ((int)(signals - lowseq) >= 2)
+      if ((int)(signals - (unsigned int)g1_start) > 0)
+         {
+          /* Try to grab a signal.  See above for MO.  (if we do another loop
+             iteration we need to see the correct value of g1_start)  */
+            if (atomic_compare_exchange_weak_acquire (
+                        cond->__data.__g_signals + g,
+-                       &signals, signals - 2))
+                       &signals, signals - 1))
+ 	      break;
+            else
+              continue;
+-- 
+2.49.0
+
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -70,6 +70,8 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0026-PR25847-6.patch \
           file://0026-PR25847-7.patch \
           file://0026-PR25847-8.patch \
+           file://0026-PR25847-9.patch \
+           file://0026-PR25847-10.patch \
           \
           file://0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch \
           file://0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch \
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx"

 inherit core-image setuptools3

-SRCREV ?= "49e837cefaa0d1844b32ff788c6e9de246a3a739"
+SRCREV ?= "ff118ede826a9ae45eb35025a5f7f612880fba01"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=kirkstone \
           file://Yocto_Build_Appliance.vmx \
           file://Yocto_Build_Appliance.vmxf \
--- a/meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch
@@ -0,0 +1,802 @@
+From 87786d6200ae1f5ac98d21f04d451e17ff25a216 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Reviewed-By: Aron Xu <aron@debian.org>
+Date: Mon, 23 Jun 2025 14:41:56 -0700
+Subject: [PATCH] libxslt: heap-use-after-free in xmlFreeID caused by `atype`
+ corruption
+
+* include/libxml/tree.h:
+(XML_ATTR_CLEAR_ATYPE): Add.
+(XML_ATTR_GET_ATYPE): Add.
+(XML_ATTR_SET_ATYPE): Add.
+(XML_NODE_ADD_EXTRA): Add.
+(XML_NODE_CLEAR_EXTRA): Add.
+(XML_NODE_GET_EXTRA): Add.
+(XML_NODE_SET_EXTRA): Add.
+(XML_DOC_ADD_PROPERTIES): Add.
+(XML_DOC_CLEAR_PROPERTIES): Add.
+(XML_DOC_GET_PROPERTIES): Add.
+(XML_DOC_SET_PROPERTIES): Add.
+- Add macros for accessing fields with upper bits that may be set by
+  libxslt.
+
+* HTMLparser.c:
+(htmlNewDocNoDtD):
+* SAX2.c:
+(xmlSAX2StartDocument):
+(xmlSAX2EndDocument):
+* parser.c:
+(xmlParseEntityDecl):
+(xmlParseExternalSubset):
+(xmlParseReference):
+(xmlCtxtParseDtd):
+* runxmlconf.c:
+(xmlconfTestInvalid):
+(xmlconfTestValid):
+* tree.c:
+(xmlNewDoc):
+(xmlFreeProp):
+(xmlNodeSetDoc):
+(xmlSetNsProp):
+(xmlDOMWrapAdoptBranch):
+* valid.c:
+(xmlFreeID):
+(xmlAddIDInternal):
+(xmlValidateAttributeValueInternal):
+(xmlValidateOneAttribute):
+(xmlValidateRef):
+* xmlreader.c:
+(xmlTextReaderStartElement):
+(xmlTextReaderStartElementNs):
+(xmlTextReaderValidateEntity):
+(xmlTextReaderRead):
+(xmlTextReaderNext):
+(xmlTextReaderIsEmptyElement):
+(xmlTextReaderPreserve):
+* xmlschemas.c:
+(xmlSchemaPValAttrNodeID):
+* xmlschemastypes.c:
+(xmlSchemaValAtomicType):
+- Adopt macros by renaming the struct fields, recompiling and fixing
+  compiler failures, then changing the struct field names back.
+Origin: https://launchpad.net/ubuntu/+source/libxml2/2.9.14+dfsg-1.3ubuntu3.6
+Ref : https://security-tracker.debian.org/tracker/CVE-2025-7425
+
+CVE: CVE-2025-7425
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/issues/140]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ HTMLparser.c          |  1 +
+ SAX2.c                |  6 ++--
+ include/libxml/tree.h | 14 ++++++++-
+ parser.c              |  8 ++---
+ runxmlconf.c          |  4 +--
+ tree.c                | 20 ++++++-------
+ valid.c               | 68 +++++++++++++++++++++----------------------
+ xmlreader.c           | 30 +++++++++----------
+ xmlschemas.c          |  4 +--
+ xmlschemastypes.c     | 12 ++++----
+ 10 files changed, 90 insertions(+), 77 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index e720bb2..1307f71 100644
+--- a/HTMLparser.c
+++ b/HTMLparser.c
+@@ -2514,6 +2514,7 @@ htmlNewDocNoDtD(const xmlChar *URI, const xmlChar *ExternalID) {
+     cur->refs = NULL;
+     cur->_private = NULL;
+     cur->charset = XML_CHAR_ENCODING_UTF8;
+    XML_DOC_SET_PROPERTIES(cur, XML_DOC_HTML | XML_DOC_USERBUILT);
+     cur->properties = XML_DOC_HTML | XML_DOC_USERBUILT;
+     if ((ExternalID != NULL) ||
+ 	(URI != NULL))
+diff --git a/SAX2.c b/SAX2.c
+index f7c77c2..0d8e84a 100644
+--- a/SAX2.c
+++ b/SAX2.c
+@@ -970,7 +970,7 @@ xmlSAX2StartDocument(void *ctx)
+ 	    xmlSAX2ErrMemory(ctxt, "xmlSAX2StartDocument");
+ 	    return;
+ 	}
+-	ctxt->myDoc->properties = XML_DOC_HTML;
+	XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_HTML);
+ 	ctxt->myDoc->parseFlags = ctxt->options;
+ #else
+         xmlGenericError(xmlGenericErrorContext,
+@@ -983,9 +983,9 @@ xmlSAX2StartDocument(void *ctx)
+     } else {
+ 	doc = ctxt->myDoc = xmlNewDoc(ctxt->version);
+ 	if (doc != NULL) {
+-	    doc->properties = 0;
+	    XML_DOC_CLEAR_PROPERTIES(doc);
+ 	    if (ctxt->options & XML_PARSE_OLD10)
+-	        doc->properties |= XML_DOC_OLD10;
+	        XML_DOC_ADD_PROPERTIES(doc, XML_DOC_OLD10);
+ 	    doc->parseFlags = ctxt->options;
+ 	    if (ctxt->encoding != NULL)
+ 		doc->encoding = xmlStrdup(ctxt->encoding);
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 1e79be9..61178b2 100644
+--- a/include/libxml/tree.h
+++ b/include/libxml/tree.h
+@@ -365,7 +365,6 @@ struct _xmlElement {
+ #endif
+ };
+ 
+-
+ /**
+  * XML_LOCAL_NAMESPACE:
+  *
+@@ -446,6 +445,10 @@ struct _xmlAttr {
+     void            *psvi;	/* for type/PSVI information */
+ };
+ 
+#define XML_ATTR_CLEAR_ATYPE(attr) (((attr)->atype) = 0)
+#define XML_ATTR_GET_ATYPE(attr) (((attr)->atype) & ~(15U << 27))
+#define XML_ATTR_SET_ATYPE(attr, type) ((attr)->atype = ((((attr)->atype) & (15U << 27)) | ((type) & ~(15U << 27))))
+
+ /**
+  * xmlID:
+  *
+@@ -507,6 +510,11 @@ struct _xmlNode {
+     unsigned short   extra;	/* extra data for XPath/XSLT */
+ };
+ 
+#define XML_NODE_ADD_EXTRA(node, type) ((node)->extra |= ((type) & ~(15U << 12)))
+#define XML_NODE_CLEAR_EXTRA(node) (((node)->extra) = 0)
+#define XML_NODE_GET_EXTRA(node) (((node)->extra) & ~(15U << 12))
+#define XML_NODE_SET_EXTRA(node, type) ((node)->extra = ((((node)->extra) & (15U << 12)) | ((type) & ~(15U << 12))))
+
+ /**
+  * XML_GET_CONTENT:
+  *
+@@ -585,6 +593,10 @@ struct _xmlDoc {
+ 				   set at the end of parsing */
+ };
+ 
+#define XML_DOC_ADD_PROPERTIES(doc, type) ((doc)->properties |= ((type) & ~(15U << 27)))
+#define XML_DOC_CLEAR_PROPERTIES(doc) (((doc)->properties) = 0)
+#define XML_DOC_GET_PROPERTIES(doc) (((doc)->properties) & ~(15U << 27))
+#define XML_DOC_SET_PROPERTIES(doc, type) ((doc)->properties = ((((doc)->properties) & (15U << 27)) | ((type) & ~(15U << 27))))
+ 
+ typedef struct _xmlDOMWrapCtxt xmlDOMWrapCtxt;
+ typedef xmlDOMWrapCtxt *xmlDOMWrapCtxtPtr;
+diff --git a/parser.c b/parser.c
+index 738dbee..772d883 100644
+--- a/parser.c
+++ b/parser.c
+@@ -5523,7 +5523,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ 			    xmlErrMemory(ctxt, "New Doc failed");
+ 			    return;
+ 			}
+-			ctxt->myDoc->properties = XML_DOC_INTERNAL;
+			XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
+ 		    }
+ 		    if (ctxt->myDoc->intSubset == NULL)
+ 			ctxt->myDoc->intSubset = xmlNewDtd(ctxt->myDoc,
+@@ -5594,7 +5594,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ 			        xmlErrMemory(ctxt, "New Doc failed");
+ 				return;
+ 			    }
+-			    ctxt->myDoc->properties = XML_DOC_INTERNAL;
+			    XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
+ 			}
+ 
+ 			if (ctxt->myDoc->intSubset == NULL)
+@@ -7035,7 +7035,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr ctxt, const xmlChar *ExternalID,
+ 	    xmlErrMemory(ctxt, "New Doc failed");
+ 	    return;
+ 	}
+-	ctxt->myDoc->properties = XML_DOC_INTERNAL;
+	XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
+     }
+     if ((ctxt->myDoc != NULL) && (ctxt->myDoc->intSubset == NULL))
+         xmlCreateIntSubset(ctxt->myDoc, NULL, ExternalID, SystemID);
+@@ -7419,7 +7419,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ 			    (nw != NULL) &&
+ 			    (nw->type == XML_ELEMENT_NODE) &&
+ 			    (nw->children == NULL))
+-			    nw->extra = 1;
+			    XML_NODE_SET_EXTRA(nw, 1);
+ 
+ 			break;
+ 		    }
+diff --git a/runxmlconf.c b/runxmlconf.c
+index f43fdd3..82b7241 100644
+--- a/runxmlconf.c
+++ b/runxmlconf.c
+@@ -197,7 +197,7 @@ xmlconfTestInvalid(const char *id, const char *filename, int options) {
+ 	         id, filename);
+     } else {
+     /* invalidity should be reported both in the context and in the document */
+-        if ((ctxt->valid != 0) || (doc->properties & XML_DOC_DTDVALID)) {
+        if ((ctxt->valid != 0) || (XML_DOC_GET_PROPERTIES(doc) & XML_DOC_DTDVALID)) {
+ 	    test_log("test %s : %s failed to detect invalid document\n",
+ 		     id, filename);
+ 	    nb_errors++;
+@@ -229,7 +229,7 @@ xmlconfTestValid(const char *id, const char *filename, int options) {
+ 	ret = 0;
+     } else {
+     /* validity should be reported both in the context and in the document */
+-        if ((ctxt->valid == 0) || ((doc->properties & XML_DOC_DTDVALID) == 0)) {
+        if ((ctxt->valid == 0) || ((XML_DOC_GET_PROPERTIES(doc) & XML_DOC_DTDVALID) == 0)) {
+ 	    test_log("test %s : %s failed to validate a valid document\n",
+ 		     id, filename);
+ 	    nb_errors++;
+diff --git a/tree.c b/tree.c
+index cdf863c..3bac0b8 100644
+--- a/tree.c
+++ b/tree.c
+@@ -1192,7 +1192,7 @@ xmlNewDoc(const xmlChar *version) {
+     cur->compression = -1; /* not initialized */
+     cur->doc = cur;
+     cur->parseFlags = 0;
+-    cur->properties = XML_DOC_USERBUILT;
+    XML_DOC_SET_PROPERTIES(cur, XML_DOC_USERBUILT);
+     /*
+      * The in memory encoding is always UTF8
+      * This field will never change and would
+@@ -2119,7 +2119,7 @@ xmlFreeProp(xmlAttrPtr cur) {
+ 	xmlDeregisterNodeDefaultValue((xmlNodePtr)cur);
+ 
+     /* Check for ID removal -> leading to invalid references ! */
+-    if ((cur->doc != NULL) && (cur->atype == XML_ATTRIBUTE_ID)) {
+    if ((cur->doc != NULL) && (XML_ATTR_GET_ATYPE(cur) == XML_ATTRIBUTE_ID)) {
+ 	    xmlRemoveID(cur->doc, cur);
+     }
+     if (cur->children != NULL) xmlFreeNodeList(cur->children);
+@@ -2838,7 +2838,7 @@ xmlSetTreeDoc(xmlNodePtr tree, xmlDocPtr doc) {
+ 	if(tree->type == XML_ELEMENT_NODE) {
+ 	    prop = tree->properties;
+ 	    while (prop != NULL) {
+-                if (prop->atype == XML_ATTRIBUTE_ID) {
+                if (XML_ATTR_GET_ATYPE(prop) == XML_ATTRIBUTE_ID) {
+                     xmlRemoveID(tree->doc, prop);
+                 }
+ 
+@@ -6953,9 +6953,9 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr ns, const xmlChar *name,
+ 	/*
+ 	* Modify the attribute's value.
+ 	*/
+-	if (prop->atype == XML_ATTRIBUTE_ID) {
+	if (XML_ATTR_GET_ATYPE(prop) == XML_ATTRIBUTE_ID) {
+ 	    xmlRemoveID(node->doc, prop);
+-	    prop->atype = XML_ATTRIBUTE_ID;
+	    XML_ATTR_SET_ATYPE(prop, XML_ATTRIBUTE_ID);
+ 	}
+ 	if (prop->children != NULL)
+ 	    xmlFreeNodeList(prop->children);
+@@ -6975,7 +6975,7 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr ns, const xmlChar *name,
+ 		tmp = tmp->next;
+ 	    }
+ 	}
+-	if (prop->atype == XML_ATTRIBUTE_ID)
+	if (XML_ATTR_GET_ATYPE(prop) == XML_ATTRIBUTE_ID)
+ 	    xmlAddID(NULL, node->doc, value, prop);
+ 	return(prop);
+     }
+@@ -9252,7 +9252,7 @@ ns_end:
+ 		if (cur->type == XML_ELEMENT_NODE) {
+ 		    cur->psvi = NULL;
+ 		    cur->line = 0;
+-		    cur->extra = 0;
+		    XML_NODE_CLEAR_EXTRA(cur);
+ 		    /*
+ 		    * Walk attributes.
+ 		    */
+@@ -9268,11 +9268,11 @@ ns_end:
+ 		    * Attributes.
+ 		    */
+ 		    if ((sourceDoc != NULL) &&
+-			(((xmlAttrPtr) cur)->atype == XML_ATTRIBUTE_ID))
+			(XML_ATTR_GET_ATYPE((xmlAttrPtr) cur) == XML_ATTRIBUTE_ID))
+ 		    {
+ 			xmlRemoveID(sourceDoc, (xmlAttrPtr) cur);
+ 		    }
+-		    ((xmlAttrPtr) cur)->atype = 0;
+		    XML_ATTR_CLEAR_ATYPE((xmlAttrPtr) cur);
+ 		    ((xmlAttrPtr) cur)->psvi = NULL;
+ 		}
+ 		break;
+@@ -9992,7 +9992,7 @@ xmlDOMWrapAdoptAttr(xmlDOMWrapCtxtPtr ctxt,
+     }
+ 
+     XML_TREE_ADOPT_STR(attr->name);
+-    attr->atype = 0;
+    XML_ATTR_CLEAR_ATYPE(attr);
+     attr->psvi = NULL;
+     /*
+     * Walk content.
+diff --git a/valid.c b/valid.c
+index 36a0435..8e76cfa 100644
+--- a/valid.c
+++ b/valid.c
+@@ -1906,7 +1906,7 @@ xmlScanIDAttributeDecl(xmlValidCtxtPtr ctxt, xmlElementPtr elem, int err) {
+     if (elem == NULL) return(0);
+     cur = elem->attributes;
+     while (cur != NULL) {
+-        if (cur->atype == XML_ATTRIBUTE_ID) {
+        if (XML_ATTR_GET_ATYPE(cur) == XML_ATTRIBUTE_ID) {
+ 	    ret ++;
+ 	    if ((ret > 1) && (err))
+ 		xmlErrValidNode(ctxt, (xmlNodePtr) elem, XML_DTD_MULTIPLE_ID,
+@@ -2279,7 +2279,7 @@ xmlDumpAttributeDecl(xmlBufferPtr buf, xmlAttributePtr attr) {
+ 	xmlBufferWriteChar(buf, ":");
+     }
+     xmlBufferWriteCHAR(buf, attr->name);
+-    switch (attr->atype) {
+    switch (XML_ATTR_GET_ATYPE(attr)) {
+ 	case XML_ATTRIBUTE_CDATA:
+ 	    xmlBufferWriteChar(buf, " CDATA");
+ 	    break;
+@@ -2758,7 +2758,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+ 	return(NULL);
+     }
+     if (attr != NULL)
+-	attr->atype = XML_ATTRIBUTE_ID;
+	XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ID);
+     return(ret);
+ }
+ 
+@@ -2837,7 +2837,7 @@ xmlIsID(xmlDocPtr doc, xmlNodePtr elem, xmlAttrPtr attr) {
+ 	if ((fullelemname != felem) && (fullelemname != elem->name))
+ 	    xmlFree(fullelemname);
+ 
+-        if ((attrDecl != NULL) && (attrDecl->atype == XML_ATTRIBUTE_ID))
+        if ((attrDecl != NULL) && (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_ID))
+ 	    return(1);
+     }
+     return(0);
+@@ -2878,7 +2878,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
+ 
+     xmlHashRemoveEntry(table, ID, xmlFreeIDTableEntry);
+     xmlFree(ID);
+-    attr->atype = 0;
+    XML_ATTR_CLEAR_ATYPE(attr);
+     return(0);
+ }
+ 
+@@ -3157,8 +3157,8 @@ xmlIsRef(xmlDocPtr doc, xmlNodePtr elem, xmlAttrPtr attr) {
+ 		                         elem->name, attr->name);
+ 
+ 	if ((attrDecl != NULL) &&
+-	    (attrDecl->atype == XML_ATTRIBUTE_IDREF ||
+-	     attrDecl->atype == XML_ATTRIBUTE_IDREFS))
+	    (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREF ||
+	     XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREFS))
+ 	return(1);
+     }
+     return(0);
+@@ -3532,7 +3532,7 @@ xmlIsMixedElement(xmlDocPtr doc, const xmlChar *name) {
+ 
+ static int
+ xmlIsDocNameStartChar(xmlDocPtr doc, int c) {
+-    if ((doc == NULL) || (doc->properties & XML_DOC_OLD10) == 0) {
+    if ((doc == NULL) || (XML_DOC_GET_PROPERTIES(doc) & XML_DOC_OLD10) == 0) {
+         /*
+ 	 * Use the new checks of production [4] [4a] amd [5] of the
+ 	 * Update 5 of XML-1.0
+@@ -3562,7 +3562,7 @@ xmlIsDocNameStartChar(xmlDocPtr doc, int c) {
+ 
+ static int
+ xmlIsDocNameChar(xmlDocPtr doc, int c) {
+-    if ((doc == NULL) || (doc->properties & XML_DOC_OLD10) == 0) {
+    if ((doc == NULL) || (XML_DOC_GET_PROPERTIES(doc) & XML_DOC_OLD10) == 0) {
+         /*
+ 	 * Use the new checks of production [4] [4a] amd [5] of the
+ 	 * Update 5 of XML-1.0
+@@ -4112,7 +4112,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ 
+     if (attrDecl == NULL)
+ 	return(NULL);
+-    if (attrDecl->atype == XML_ATTRIBUTE_CDATA)
+    if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_CDATA)
+ 	return(NULL);
+ 
+     ret = xmlStrdup(value);
+@@ -4174,7 +4174,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+ 
+     if (attrDecl == NULL)
+ 	return(NULL);
+-    if (attrDecl->atype == XML_ATTRIBUTE_CDATA)
+    if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_CDATA)
+ 	return(NULL);
+ 
+     ret = xmlStrdup(value);
+@@ -4189,7 +4189,7 @@ xmlValidateAttributeIdCallback(void *payload, void *data,
+ 	                       const xmlChar *name ATTRIBUTE_UNUSED) {
+     xmlAttributePtr attr = (xmlAttributePtr) payload;
+     int *count = (int *) data;
+-    if (attr->atype == XML_ATTRIBUTE_ID) (*count)++;
+    if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_ID) (*count)++;
+ }
+ 
+ /**
+@@ -4221,7 +4221,7 @@ xmlValidateAttributeDecl(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+     /* Attribute Default Legal */
+     /* Enumeration */
+     if (attr->defaultValue != NULL) {
+-	val = xmlValidateAttributeValueInternal(doc, attr->atype,
+	val = xmlValidateAttributeValueInternal(doc, XML_ATTR_GET_ATYPE(attr),
+ 	                                        attr->defaultValue);
+ 	if (val == 0) {
+ 	    xmlErrValidNode(ctxt, (xmlNodePtr) attr, XML_DTD_ATTRIBUTE_DEFAULT,
+@@ -4232,7 +4232,7 @@ xmlValidateAttributeDecl(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+     }
+ 
+     /* ID Attribute Default */
+-    if ((attr->atype == XML_ATTRIBUTE_ID)&&
+    if ((XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_ID)&&
+         (attr->def != XML_ATTRIBUTE_IMPLIED) &&
+ 	(attr->def != XML_ATTRIBUTE_REQUIRED)) {
+ 	xmlErrValidNode(ctxt, (xmlNodePtr) attr, XML_DTD_ID_FIXED,
+@@ -4242,7 +4242,7 @@ xmlValidateAttributeDecl(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+     }
+ 
+     /* One ID per Element Type */
+-    if (attr->atype == XML_ATTRIBUTE_ID) {
+    if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_ID) {
+         int nbId;
+ 
+ 	/* the trick is that we parse DtD as their own internal subset */
+@@ -4501,9 +4501,9 @@ xmlValidateOneAttribute(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ 	       attr->name, elem->name, NULL);
+ 	return(0);
+     }
+-    attr->atype = attrDecl->atype;
+    XML_ATTR_SET_ATYPE(attr, attrDecl->atype);
+ 
+-    val = xmlValidateAttributeValueInternal(doc, attrDecl->atype, value);
+    val = xmlValidateAttributeValueInternal(doc, XML_ATTR_GET_ATYPE(attrDecl), value);
+     if (val == 0) {
+ 	    xmlErrValidNode(ctxt, elem, XML_DTD_ATTRIBUTE_VALUE,
+ 	   "Syntax of value for attribute %s of %s is not valid\n",
+@@ -4522,19 +4522,19 @@ xmlValidateOneAttribute(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+     }
+ 
+     /* Validity Constraint: ID uniqueness */
+-    if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+    if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_ID) {
+         if (xmlAddID(ctxt, doc, value, attr) == NULL)
+ 	    ret = 0;
+     }
+ 
+-    if ((attrDecl->atype == XML_ATTRIBUTE_IDREF) ||
+-	(attrDecl->atype == XML_ATTRIBUTE_IDREFS)) {
+    if ((XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREF) ||
+	(XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREFS)) {
+         if (xmlAddRef(ctxt, doc, value, attr) == NULL)
+ 	    ret = 0;
+     }
+ 
+     /* Validity Constraint: Notation Attributes */
+-    if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
+    if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_NOTATION) {
+         xmlEnumerationPtr tree = attrDecl->tree;
+         xmlNotationPtr nota;
+ 
+@@ -4564,7 +4564,7 @@ xmlValidateOneAttribute(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+     }
+ 
+     /* Validity Constraint: Enumeration */
+-    if (attrDecl->atype == XML_ATTRIBUTE_ENUMERATION) {
+    if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_ENUMERATION) {
+         xmlEnumerationPtr tree = attrDecl->tree;
+ 	while (tree != NULL) {
+ 	    if (xmlStrEqual(tree->name, value)) break;
+@@ -4589,7 +4589,7 @@ xmlValidateOneAttribute(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ 
+     /* Extra check for the attribute value */
+     ret &= xmlValidateAttributeValue2(ctxt, doc, attr->name,
+-				      attrDecl->atype, value);
+				      XML_ATTR_GET_ATYPE(attrDecl), value);
+ 
+     return(ret);
+ }
+@@ -4688,7 +4688,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ 	return(0);
+     }
+ 
+-    val = xmlValidateAttributeValueInternal(doc, attrDecl->atype, value);
+    val = xmlValidateAttributeValueInternal(doc, XML_ATTR_GET_ATYPE(attrDecl), value);
+     if (val == 0) {
+ 	if (ns->prefix != NULL) {
+ 	    xmlErrValidNode(ctxt, elem, XML_DTD_INVALID_DEFAULT,
+@@ -4738,7 +4738,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ #endif
+ 
+     /* Validity Constraint: Notation Attributes */
+-    if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
+    if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_NOTATION) {
+         xmlEnumerationPtr tree = attrDecl->tree;
+         xmlNotationPtr nota;
+ 
+@@ -4780,7 +4780,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+     }
+ 
+     /* Validity Constraint: Enumeration */
+-    if (attrDecl->atype == XML_ATTRIBUTE_ENUMERATION) {
+    if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_ENUMERATION) {
+         xmlEnumerationPtr tree = attrDecl->tree;
+ 	while (tree != NULL) {
+ 	    if (xmlStrEqual(tree->name, value)) break;
+@@ -4818,10 +4818,10 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+     /* Extra check for the attribute value */
+     if (ns->prefix != NULL) {
+ 	ret &= xmlValidateAttributeValue2(ctxt, doc, ns->prefix,
+-					  attrDecl->atype, value);
+					  XML_ATTR_GET_ATYPE(attrDecl), value);
+     } else {
+ 	ret &= xmlValidateAttributeValue2(ctxt, doc, BAD_CAST "xmlns",
+-					  attrDecl->atype, value);
+					  XML_ATTR_GET_ATYPE(attrDecl), value);
+     }
+ 
+     return(ret);
+@@ -6574,7 +6574,7 @@ xmlValidateRef(xmlRefPtr ref, xmlValidCtxtPtr ctxt,
+ 	    while (IS_BLANK_CH(*cur)) cur++;
+ 	}
+ 	xmlFree(dup);
+-    } else if (attr->atype == XML_ATTRIBUTE_IDREF) {
+    } else if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_IDREF) {
+ 	id = xmlGetID(ctxt->doc, name);
+ 	if (id == NULL) {
+ 	    xmlErrValidNode(ctxt, attr->parent, XML_DTD_UNKNOWN_ID,
+@@ -6582,7 +6582,7 @@ xmlValidateRef(xmlRefPtr ref, xmlValidCtxtPtr ctxt,
+ 		   attr->name, name, NULL);
+ 	    ctxt->valid = 0;
+ 	}
+-    } else if (attr->atype == XML_ATTRIBUTE_IDREFS) {
+    } else if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_IDREFS) {
+ 	xmlChar *dup, *str = NULL, *cur, save;
+ 
+ 	dup = xmlStrdup(name);
+@@ -6782,7 +6782,7 @@ xmlValidateAttributeCallback(void *payload, void *data,
+ 
+     if (cur == NULL)
+ 	return;
+-    switch (cur->atype) {
+    switch (XML_ATTR_GET_ATYPE(cur)) {
+ 	case XML_ATTRIBUTE_CDATA:
+ 	case XML_ATTRIBUTE_ID:
+ 	case XML_ATTRIBUTE_IDREF	:
+@@ -6797,7 +6797,7 @@ xmlValidateAttributeCallback(void *payload, void *data,
+ 	    if (cur->defaultValue != NULL) {
+ 
+ 		ret = xmlValidateAttributeValue2(ctxt, ctxt->doc, cur->name,
+-			                         cur->atype, cur->defaultValue);
+			                         XML_ATTR_GET_ATYPE(cur), cur->defaultValue);
+ 		if ((ret == 0) && (ctxt->valid == 1))
+ 		    ctxt->valid = 0;
+ 	    }
+@@ -6805,14 +6805,14 @@ xmlValidateAttributeCallback(void *payload, void *data,
+ 		xmlEnumerationPtr tree = cur->tree;
+ 		while (tree != NULL) {
+ 		    ret = xmlValidateAttributeValue2(ctxt, ctxt->doc,
+-				    cur->name, cur->atype, tree->name);
+				    cur->name, XML_ATTR_GET_ATYPE(cur), tree->name);
+ 		    if ((ret == 0) && (ctxt->valid == 1))
+ 			ctxt->valid = 0;
+ 		    tree = tree->next;
+ 		}
+ 	    }
+     }
+-    if (cur->atype == XML_ATTRIBUTE_NOTATION) {
+    if (XML_ATTR_GET_ATYPE(cur) == XML_ATTRIBUTE_NOTATION) {
+ 	doc = cur->doc;
+ 	if (cur->elem == NULL) {
+ 	    xmlErrValid(ctxt, XML_ERR_INTERNAL_ERROR,
+diff --git a/xmlreader.c b/xmlreader.c
+index 67ff2cd..2a1a66a 100644
+--- a/xmlreader.c
+++ b/xmlreader.c
+@@ -753,7 +753,7 @@ xmlTextReaderStartElement(void *ctx, const xmlChar *fullname,
+ 	if ((ctxt->node != NULL) && (ctxt->input != NULL) &&
+ 	    (ctxt->input->cur != NULL) && (ctxt->input->cur[0] == '/') &&
+ 	    (ctxt->input->cur[1] == '>'))
+-	    ctxt->node->extra = NODE_IS_EMPTY;
+	    XML_NODE_SET_EXTRA(ctxt->node, NODE_IS_EMPTY);
+     }
+     if (reader != NULL)
+ 	reader->state = XML_TEXTREADER_ELEMENT;
+@@ -818,7 +818,7 @@ xmlTextReaderStartElementNs(void *ctx,
+ 	if ((ctxt->node != NULL) && (ctxt->input != NULL) &&
+ 	    (ctxt->input->cur != NULL) && (ctxt->input->cur[0] == '/') &&
+ 	    (ctxt->input->cur[1] == '>'))
+-	    ctxt->node->extra = NODE_IS_EMPTY;
+	    XML_NODE_SET_EXTRA(ctxt->node, NODE_IS_EMPTY);
+     }
+     if (reader != NULL)
+ 	reader->state = XML_TEXTREADER_ELEMENT;
+@@ -1216,7 +1216,7 @@ skip_children:
+ 	        xmlNodePtr tmp;
+ 		if (reader->entNr == 0) {
+ 		    while ((tmp = node->last) != NULL) {
+-			if ((tmp->extra & NODE_IS_PRESERVED) == 0) {
+			if ((XML_NODE_GET_EXTRA(tmp) & NODE_IS_PRESERVED) == 0) {
+ 			    xmlUnlinkNode(tmp);
+ 			    xmlTextReaderFreeNode(reader, tmp);
+ 			} else
+@@ -1467,7 +1467,7 @@ get_next_node:
+ 	if ((oldstate == XML_TEXTREADER_ELEMENT) &&
+             (reader->node->type == XML_ELEMENT_NODE) &&
+ 	    (reader->node->children == NULL) &&
+-	    ((reader->node->extra & NODE_IS_EMPTY) == 0)
+	    ((XML_NODE_GET_EXTRA(reader->node) & NODE_IS_EMPTY) == 0)
+ #ifdef LIBXML_XINCLUDE_ENABLED
+ 	    && (reader->in_xinclude <= 0)
+ #endif
+@@ -1481,7 +1481,7 @@ get_next_node:
+ 	    xmlTextReaderValidatePop(reader);
+ #endif /* LIBXML_REGEXP_ENABLED */
+         if ((reader->preserves > 0) &&
+-	    (reader->node->extra & NODE_IS_SPRESERVED))
+	    (XML_NODE_GET_EXTRA(reader->node) & NODE_IS_SPRESERVED))
+ 	    reader->preserves--;
+ 	reader->node = reader->node->next;
+ 	reader->state = XML_TEXTREADER_ELEMENT;
+@@ -1497,7 +1497,7 @@ get_next_node:
+ 	    (reader->node->prev != NULL) &&
+             (reader->node->prev->type != XML_DTD_NODE)) {
+ 	    xmlNodePtr tmp = reader->node->prev;
+-	    if ((tmp->extra & NODE_IS_PRESERVED) == 0) {
+	    if ((XML_NODE_GET_EXTRA(tmp) & NODE_IS_PRESERVED) == 0) {
+                 if (oldnode == tmp)
+                     oldnode = NULL;
+ 		xmlUnlinkNode(tmp);
+@@ -1510,7 +1510,7 @@ get_next_node:
+     if ((oldstate == XML_TEXTREADER_ELEMENT) &&
+ 	(reader->node->type == XML_ELEMENT_NODE) &&
+ 	(reader->node->children == NULL) &&
+-	((reader->node->extra & NODE_IS_EMPTY) == 0)) {;
+	((XML_NODE_GET_EXTRA(reader->node) & NODE_IS_EMPTY) == 0)) {;
+ 	reader->state = XML_TEXTREADER_END;
+ 	goto node_found;
+     }
+@@ -1519,7 +1519,7 @@ get_next_node:
+ 	xmlTextReaderValidatePop(reader);
+ #endif /* LIBXML_REGEXP_ENABLED */
+     if ((reader->preserves > 0) &&
+-	(reader->node->extra & NODE_IS_SPRESERVED))
+	(XML_NODE_GET_EXTRA(reader->node) & NODE_IS_SPRESERVED))
+ 	reader->preserves--;
+     reader->node = reader->node->parent;
+     if ((reader->node == NULL) ||
+@@ -1546,7 +1546,7 @@ get_next_node:
+ #endif
+ 	    (reader->entNr == 0) &&
+ 	    (oldnode->type != XML_DTD_NODE) &&
+-	    ((oldnode->extra & NODE_IS_PRESERVED) == 0)) {
+	    ((XML_NODE_GET_EXTRA(oldnode) & NODE_IS_PRESERVED) == 0)) {
+ 	    xmlUnlinkNode(oldnode);
+ 	    xmlTextReaderFreeNode(reader, oldnode);
+ 	}
+@@ -1559,7 +1559,7 @@ get_next_node:
+ #endif
+ 	(reader->entNr == 0) &&
+         (reader->node->last != NULL) &&
+-        ((reader->node->last->extra & NODE_IS_PRESERVED) == 0)) {
+        ((XML_NODE_GET_EXTRA(reader->node->last) & NODE_IS_PRESERVED) == 0)) {
+ 	xmlNodePtr tmp = reader->node->last;
+ 	xmlUnlinkNode(tmp);
+ 	xmlTextReaderFreeNode(reader, tmp);
+@@ -1741,7 +1741,7 @@ xmlTextReaderNext(xmlTextReaderPtr reader) {
+         return(xmlTextReaderRead(reader));
+     if (reader->state == XML_TEXTREADER_END || reader->state == XML_TEXTREADER_BACKTRACK)
+         return(xmlTextReaderRead(reader));
+-    if (cur->extra & NODE_IS_EMPTY)
+    if (XML_NODE_GET_EXTRA(cur) & NODE_IS_EMPTY)
+         return(xmlTextReaderRead(reader));
+     do {
+         ret = xmlTextReaderRead(reader);
+@@ -3167,7 +3167,7 @@ xmlTextReaderIsEmptyElement(xmlTextReaderPtr reader) {
+     if (reader->in_xinclude > 0)
+         return(1);
+ #endif
+-    return((reader->node->extra & NODE_IS_EMPTY) != 0);
+    return((XML_NODE_GET_EXTRA(reader->node) & NODE_IS_EMPTY) != 0);
+ }
+ 
+ /**
+@@ -4035,15 +4035,15 @@ xmlTextReaderPreserve(xmlTextReaderPtr reader) {
+         return(NULL);
+ 
+     if ((cur->type != XML_DOCUMENT_NODE) && (cur->type != XML_DTD_NODE)) {
+-	cur->extra |= NODE_IS_PRESERVED;
+-	cur->extra |= NODE_IS_SPRESERVED;
+	XML_NODE_ADD_EXTRA(cur, NODE_IS_PRESERVED);
+	XML_NODE_ADD_EXTRA(cur, NODE_IS_SPRESERVED);
+     }
+     reader->preserves++;
+ 
+     parent = cur->parent;;
+     while (parent != NULL) {
+         if (parent->type == XML_ELEMENT_NODE)
+-	    parent->extra |= NODE_IS_PRESERVED;
+	    XML_NODE_ADD_EXTRA(parent, NODE_IS_PRESERVED);
+ 	parent = parent->parent;
+     }
+     return(cur);
+diff --git a/xmlschemas.c b/xmlschemas.c
+index a2dd6cf..2e6c349 100644
+--- a/xmlschemas.c
+++ b/xmlschemas.c
+@@ -6024,7 +6024,7 @@ xmlSchemaPValAttrNodeID(xmlSchemaParserCtxtPtr ctxt, xmlAttrPtr attr)
+ 	/*
+ 	* NOTE: the IDness might have already be declared in the DTD
+ 	*/
+-	if (attr->atype != XML_ATTRIBUTE_ID) {
+	if (XML_ATTR_GET_ATYPE(attr) != XML_ATTRIBUTE_ID) {
+ 	    xmlIDPtr res;
+ 	    xmlChar *strip;
+ 
+@@ -6047,7 +6047,7 @@ xmlSchemaPValAttrNodeID(xmlSchemaParserCtxtPtr ctxt, xmlAttrPtr attr)
+ 		    NULL, NULL, "Duplicate value '%s' of simple "
+ 		    "type 'xs:ID'", value, NULL);
+ 	    } else
+-		attr->atype = XML_ATTRIBUTE_ID;
+		XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ID);
+ 	}
+     } else if (ret > 0) {
+ 	ret = XML_SCHEMAP_S4S_ATTR_INVALID_VALUE;
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index af31be5..d40da49 100644
+--- a/xmlschemastypes.c
+++ b/xmlschemastypes.c
+@@ -2867,7 +2867,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+                 /*
+                  * NOTE: the IDness might have already be declared in the DTD
+                  */
+-                if (attr->atype != XML_ATTRIBUTE_ID) {
+                if (XML_ATTR_GET_ATYPE(attr) != XML_ATTRIBUTE_ID) {
+                     xmlIDPtr res;
+                     xmlChar *strip;
+ 
+@@ -2880,7 +2880,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+                     if (res == NULL) {
+                         ret = 2;
+                     } else {
+-                        attr->atype = XML_ATTRIBUTE_ID;
+                        XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ID);
+                     }
+                 }
+             }
+@@ -2905,7 +2905,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+                     xmlFree(strip);
+                 } else
+                     xmlAddRef(NULL, node->doc, value, attr);
+-                attr->atype = XML_ATTRIBUTE_IDREF;
+                XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_IDREF);
+             }
+             goto done;
+         case XML_SCHEMAS_IDREFS:
+@@ -2919,7 +2919,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+                 (node->type == XML_ATTRIBUTE_NODE)) {
+                 xmlAttrPtr attr = (xmlAttrPtr) node;
+ 
+-                attr->atype = XML_ATTRIBUTE_IDREFS;
+                XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_IDREFS);
+             }
+             goto done;
+         case XML_SCHEMAS_ENTITY:{
+@@ -2950,7 +2950,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+                     (node->type == XML_ATTRIBUTE_NODE)) {
+                     xmlAttrPtr attr = (xmlAttrPtr) node;
+ 
+-                    attr->atype = XML_ATTRIBUTE_ENTITY;
+                    XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ENTITY);
+                 }
+                 goto done;
+             }
+@@ -2967,7 +2967,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+                 (node->type == XML_ATTRIBUTE_NODE)) {
+                 xmlAttrPtr attr = (xmlAttrPtr) node;
+ 
+-                attr->atype = XML_ATTRIBUTE_ENTITIES;
+                XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ENTITIES);
+             }
+             goto done;
+         case XML_SCHEMAS_NOTATION:{
+-- 
+2.50.1
+
--- a/meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-9714.patch
@@ -0,0 +1,117 @@
+From 6ef8b9f05cc21d3fc28156fe5d1251834c29c7d7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 28 Jul 2022 20:21:24 +0200
+Subject: [PATCH] Make XPath depth check work with recursive invocations
+
+EXSLT functions like dyn:map or dyn:evaluate invoke xmlXPathRunEval
+recursively. Don't set depth to zero but keep and restore the original
+value to avoid stack overflows when abusing these functions.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21]
+CVE: CVE-2025-9714
+
+Signed-off-by: Theo GAIGE <tgaige.opensource@witekio.com>
+---
+ xpath.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index c2d845888..028471d53 100644
+--- a/xpath.c
+++ b/xpath.c
+@@ -13883,12 +13883,11 @@ static int
+ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
+ {
+     xmlXPathCompExprPtr comp;
+    int oldDepth;
+ 
+     if ((ctxt == NULL) || (ctxt->comp == NULL))
+ 	return(-1);
+ 
+-    ctxt->context->depth = 0;
+-
+     if (ctxt->valueTab == NULL) {
+ 	/* Allocate the value stack */
+ 	ctxt->valueTab = (xmlXPathObjectPtr *)
+@@ -13942,11 +13941,13 @@ xmlXPathRunEval(xmlXPathParserContextPtr ctxt, int toBool)
+ 	    "xmlXPathRunEval: last is less than zero\n");
+ 	return(-1);
+     }
+    oldDepth = ctxt->context->depth;
+     if (toBool)
+ 	return(xmlXPathCompOpEvalToBoolean(ctxt,
+ 	    &comp->steps[comp->last], 0));
+     else
+ 	xmlXPathCompOpEval(ctxt, &comp->steps[comp->last]);
+    ctxt->context->depth = oldDepth;
+ 
+     return(0);
+ }
+@@ -14217,6 +14218,7 @@ xmlXPathCompExprPtr
+ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
+     xmlXPathParserContextPtr pctxt;
+     xmlXPathCompExprPtr comp;
+    int oldDepth = 0;
+ 
+ #ifdef XPATH_STREAMING
+     comp = xmlXPathTryStreamCompile(ctxt, str);
+@@ -14230,8 +14232,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
+     if (pctxt == NULL)
+         return NULL;
+     if (ctxt != NULL)
+-        ctxt->depth = 0;
+        oldDepth = ctxt->depth;
+     xmlXPathCompileExpr(pctxt, 1);
+    if (ctxt != NULL)
+        ctxt->depth = oldDepth;
+ 
+     if( pctxt->error != XPATH_EXPRESSION_OK )
+     {
+@@ -14252,8 +14256,10 @@ xmlXPathCtxtCompile(xmlXPathContextPtr ctxt, const xmlChar *str) {
+ 	comp = pctxt->comp;
+ 	if ((comp->nbStep > 1) && (comp->last >= 0)) {
+             if (ctxt != NULL)
+-                ctxt->depth = 0;
+                oldDepth = ctxt->depth;
+ 	    xmlXPathOptimizeExpression(pctxt, &comp->steps[comp->last]);
+            if (ctxt != NULL)
+                ctxt->depth = oldDepth;
+ 	}
+ 	pctxt->comp = NULL;
+     }
+@@ -14409,6 +14415,7 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+ #ifdef XPATH_STREAMING
+     xmlXPathCompExprPtr comp;
+ #endif
+    int oldDepth = 0;
+ 
+     if (ctxt == NULL) return;
+ 
+@@ -14422,8 +14429,10 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+ #endif
+     {
+         if (ctxt->context != NULL)
+-            ctxt->context->depth = 0;
+            oldDepth = ctxt->context->depth;
+ 	xmlXPathCompileExpr(ctxt, 1);
+        if (ctxt->context != NULL)
+            ctxt->context->depth = oldDepth;
+         CHECK_ERROR;
+ 
+         /* Check for trailing characters. */
+@@ -14432,9 +14441,11 @@ xmlXPathEvalExpr(xmlXPathParserContextPtr ctxt) {
+ 
+ 	if ((ctxt->comp->nbStep > 1) && (ctxt->comp->last >= 0)) {
+             if (ctxt->context != NULL)
+-                ctxt->context->depth = 0;
+                oldDepth = ctxt->context->depth;
+ 	    xmlXPathOptimizeExpression(ctxt,
+ 		&ctxt->comp->steps[ctxt->comp->last]);
+            if (ctxt->context != NULL)
+                ctxt->context->depth = oldDepth;
+         }
+     }
+ 
+-- 
+2.43.0
+
--- a/meta/recipes-core/libxml/libxml2_2.9.14.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb
@@ -42,6 +42,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt
           file://CVE-2025-6021.patch \
           file://CVE-2025-49794-CVE-2025-49796.patch \
           file://CVE-2025-6170.patch \
+           file://CVE-2025-9714.patch \
+           file://CVE-2025-7425.patch \
           "

 SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
--- a/meta/recipes-core/musl/musl/CVE-2025-26519-1.patch
+++ b/meta/recipes-core/musl/musl/CVE-2025-26519-1.patch
@@ -0,0 +1,39 @@
+From 345d2a053c32f3443dbfdd313f49346ce30b92f8 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 19 Nov 2025 13:23:38 +0100
+Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
+
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+
+CVE: CVE-2025-26519
+Upstream-Status: Backport [https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 3047c27b..1fb66bc8 100644
+--- a/src/locale/iconv.c
+++ b/src/locale/iconv.c
+@@ -495,7 +495,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 			if (c >= 93 || d >= 94) {
+ 				c += (0xa1-0x81);
+ 				d += 0xa1;
+-				if (c >= 93 || c>=0xc6-0x81 && d>0x52)
+				if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ 					goto ilseq;
+ 				if (d-'A'<26) d = d-'A';
+ 				else if (d-'a'<26) d = d-'a'+26;
--- a/meta/recipes-core/musl/musl/CVE-2025-26519-2.patch
+++ b/meta/recipes-core/musl/musl/CVE-2025-26519-2.patch
@@ -0,0 +1,38 @@
+From b81230050f6c3348038fe470d260028824b9a9e5 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Wed, 19 Nov 2025 13:27:15 +0100
+Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
+ bugs
+
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+
+CVE: CVE-2025-26519
+Upstream-Status: Backport [https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 1fb66bc8..fb1d3217 100644
+--- a/src/locale/iconv.c
+++ b/src/locale/iconv.c
+@@ -538,6 +538,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ 				if (*outb < k) goto toobig;
+ 				memcpy(*out, tmp, k);
+ 			} else k = wctomb_utf8(*out, c);
+			/* This failure condition should be unreachable, but
+			 * is included to prevent decoder bugs from translating
+			 * into advancement outside the output buffer range. */
+			if (k>4) goto ilseq;
+ 			*out += k;
+ 			*outb -= k;
+ 			break;
--- a/meta/recipes-core/musl/musl_git.bb
+++ b/meta/recipes-core/musl/musl_git.bb
@@ -15,7 +15,9 @@ PV = "${BASEVER}+git${SRCPV}"
 SRC_URI = "git://git.musl-libc.org/musl;branch=master \
           file://0001-Make-dynamic-linker-a-relative-symlink-to-libc.patch \
           file://0002-ldso-Use-syslibdir-and-libdir-as-default-pathes-to-l.patch \
-          "
+           file://CVE-2025-26519-1.patch \
+           file://CVE-2025-26519-2.patch \
+           "

 S = "${WORKDIR}/git"

--- a/meta/recipes-core/systemd/systemd_250.14.bb
+++ b/meta/recipes-core/systemd/systemd_250.14.bb
@@ -235,6 +235,7 @@ EXTRA_OEMESON += "-Dnobody-user=nobody \
                  -Dmode=release \
                  -Dsystem-alloc-uid-min=101 \
                  -Dsystem-uid-max=999 \
+                  -Dtranslations=${@'false' if d.getVar('USE_NLS') == 'no' else 'true'} \
                  -Dsystem-alloc-gid-min=101 \
                  -Dsystem-gid-max=999 \
                  "
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -42,6 +42,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
           file://CVE-2024-28085-0004.patch \
           file://CVE-2024-28085-0005.patch \
 	   file://fstab-isolation.patch \
+           file://CVE-2025-14104-01.patch \
+           file://CVE-2025-14104-02.patch \
           "

 SRC_URI[sha256sum] = "634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83"
--- a/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-01.patch
@@ -0,0 +1,33 @@
+From aaa9e718c88d6916b003da7ebcfe38a3c88df8e6 Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Date: Sat, 24 May 2025 03:16:09 +0100
+Subject: [PATCH] Update setpwnam.c
+
+CVE: CVE-2025-14104
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/aaa9e718c88d6916b003da7ebcfe38a3c88df8e6]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ login-utils/setpwnam.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 3e3c1abde..95e470b5a 100644
+--- a/login-utils/setpwnam.c
+++ b/login-utils/setpwnam.c
+@@ -126,10 +126,12 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		}
+ 
+ 		/* Is this the username we were sent to change? */
+-		if (!found && linebuf[namelen] == ':' &&
+-		    !strncmp(linebuf, pwd->pw_name, namelen)) {
+-			/* Yes! So go forth in the name of the Lord and
+-			 * change it!  */
+		if (!found &&
+		    strncmp(linebuf, pwd->pw_name, namelen) == 0 &&
+		    strlen(linebuf) > namelen &&
+		    linebuf[namelen] == ':') {
+			/* Yes! But this time let’s not walk past the end of the buffer
+			 * in the name of the Lord, SUID, or anything else. */
+ 			if (putpwent(pwd, fp) < 0)
+ 				goto fail;
+ 			found = 1;
--- a/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2025-14104-02.patch
@@ -0,0 +1,28 @@
+From 9a36d77012c4c771f8d51eba46b6e62c29bf572a Mon Sep 17 00:00:00 2001
+From: Mohamed Maatallah <hotelsmaatallahrecemail@gmail.com>
+Date: Mon, 26 May 2025 10:06:02 +0100
+Subject: [PATCH] Update bufflen
+
+Update buflen
+
+CVE: CVE-2025-14104
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/9a36d77012c4c771f8d51eba46b6e62c29bf572a]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ login-utils/setpwnam.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
+index 95e470b5a..7778e98f7 100644
+--- a/login-utils/setpwnam.c
+++ b/login-utils/setpwnam.c
+@@ -99,7 +99,8 @@ int setpwnam(struct passwd *pwd, const char *prefix)
+ 		goto fail;
+ 
+ 	namelen = strlen(pwd->pw_name);
+-
+	if (namelen > buflen)
+		buflen += namelen;
+ 	linebuf = malloc(buflen);
+ 	if (!linebuf)
+ 		goto fail;
--- a/Show More
+++ b/Show More