contributor-guide: fix type "maintainance" to "maintenance"

Correct "maintainance" typo in recipe-style-guide.rst.

(From yocto-docs rev: f39ba5141cd518f08d491b2255a4acd74442e87b)

Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit d7376cca64a0784e59d4fd60b9baefb4da2ce289)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>

bitbake/lib/bb/fetch2/crate.py

@@ -68,8 +68,11 @@ class Crate(Wget):
         # if using upstream just fix it up nicely
         if host == 'crates.io':
             host = 'crates.io/api/v1/crates'
+            cdn_host = 'static.crates.io/crates'
+        else:
+            cdn_host = host
 
-        ud.url = "https://%s/%s/%s/download" % (host, name, version)
+        ud.url = "https://%s/%s/%s/download" % (cdn_host, name, version)
         ud.parm['downloadfilename'] = "%s-%s.crate" % (name, version)
         if 'name' not in ud.parm:
             ud.parm['name'] = '%s-%s' % (name, version)

bitbake/lib/bb/fetch2/git.py

@@ -399,14 +399,14 @@ class Git(FetchMethod):
                 bb.utils.mkdirhier(ud.clonedir)
                 runfetchcmd("tar -xzf %s" % ud.fullmirror, d, workdir=ud.clonedir)
             else:
-                tmpdir = tempfile.mkdtemp(dir=d.getVar('DL_DIR'))
-                runfetchcmd("tar -xzf %s" % ud.fullmirror, d, workdir=tmpdir)
-                output = runfetchcmd("%s remote" % ud.basecmd, d, quiet=True, workdir=ud.clonedir)
-                if 'mirror' in output:
-                    runfetchcmd("%s remote rm mirror" % ud.basecmd, d, workdir=ud.clonedir)
-                runfetchcmd("%s remote add --mirror=fetch mirror %s" % (ud.basecmd, tmpdir), d, workdir=ud.clonedir)
-                fetch_cmd = "LANG=C %s fetch -f --update-head-ok  --progress mirror " % (ud.basecmd)
-                runfetchcmd(fetch_cmd, d, workdir=ud.clonedir)
+                with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir:
+                    runfetchcmd("tar -xzf %s" % ud.fullmirror, d, workdir=tmpdir)
+                    output = runfetchcmd("%s remote" % ud.basecmd, d, quiet=True, workdir=ud.clonedir)
+                    if 'mirror' in output:
+                        runfetchcmd("%s remote rm mirror" % ud.basecmd, d, workdir=ud.clonedir)
+                    runfetchcmd("%s remote add --mirror=fetch mirror %s" % (ud.basecmd, tmpdir), d, workdir=ud.clonedir)
+                    fetch_cmd = "LANG=C %s fetch -f --update-head-ok  --progress mirror " % (ud.basecmd)
+                    runfetchcmd(fetch_cmd, d, workdir=ud.clonedir)
         repourl = self._get_repo_url(ud)
 
         needs_clone = False

bitbake/lib/bb/runqueue.py

@@ -22,11 +22,12 @@ from bb import msg, event
 from bb import monitordisk
 import subprocess
 import pickle
-from multiprocessing import Process
 import shlex
 import pprint
 import time
 
+Process = bb.multiprocessing.Process
+
 bblogger = logging.getLogger("BitBake")
 logger = logging.getLogger("BitBake.RunQueue")
 hashequiv_logger = logging.getLogger("BitBake.RunQueue.HashEquiv")

bitbake/lib/bb/tests/fetch.py

@@ -1107,7 +1107,7 @@ class FetcherNetworkTest(FetcherTest):
         # URL with ssh submodules
         url = "gitsm://git.yoctoproject.org/git-submodule-test;branch=ssh-gitsm-tests;rev=049da4a6cb198d7c0302e9e8b243a1443cb809a7;branch=master;protocol=https"
         # Original URL (comment this if you have ssh access to git.yoctoproject.org)
-        url = "gitsm://git.yoctoproject.org/git-submodule-test;branch=master;rev=a2885dd7d25380d23627e7544b7bbb55014b16ee;branch=master;protocol=https"
+        url = "gitsm://git.yoctoproject.org/git-submodule-test;branch=master;rev=38e61644af90dccd73c03ed3acaed98c8dda9294;branch=master;protocol=https"
         fetcher = bb.fetch.Fetch([url], self.d)
         fetcher.download()
         # Previous cwd has been deleted
@@ -3267,6 +3267,7 @@ class FetchPremirroronlyNetworkTest(FetcherTest):
         self.reponame = "fstests"
         self.clonedir = os.path.join(self.tempdir, "git")
         self.gitdir = os.path.join(self.tempdir, "git", "{}.git".format(self.reponame))
+        self.giturl = "https://git.yoctoproject.org/fstests"
         self.recipe_url = "git://git.yoctoproject.org/fstests;protocol=https"
         self.d.setVar("BB_FETCH_PREMIRRORONLY", "1")
         self.d.setVar("BB_NO_NETWORK", "0")
@@ -3276,7 +3277,7 @@ class FetchPremirroronlyNetworkTest(FetcherTest):
         import shutil
         self.mirrorname = "git2_git.yoctoproject.org.fstests.tar.gz"
         os.makedirs(self.clonedir)
-        self.git("clone --bare --shallow-since=\"01.01.2013\" {}".format(self.recipe_url), self.clonedir)
+        self.git("clone --bare --shallow-since=\"01.01.2013\" {}".format(self.giturl), self.clonedir)
         bb.process.run('tar -czvf {} .'.format(os.path.join(self.mirrordir, self.mirrorname)), cwd =  self.gitdir)
         shutil.rmtree(self.clonedir)
 

documentation/brief-yoctoprojectqs/index.rst

@@ -61,8 +61,8 @@ following requirements:
 
    -  Git &MIN_GIT_VERSION; or greater
    -  tar &MIN_TAR_VERSION; or greater
-   -  Python &MIN_PYTHON_VERSION; or greater.
-   -  gcc &MIN_GCC_VERSION; or greater.
+   -  Python &MIN_PYTHON_VERSION; or greater
+   -  gcc &MIN_GCC_VERSION; or greater
    -  GNU make &MIN_MAKE_VERSION; or greater
 
 If your build host does not satisfy all of the above version

documentation/contributor-guide/recipe-style-guide.rst

@@ -315,7 +315,7 @@ following status strings:
    No determination has been made yet, or patch has not yet been submitted to
    upstream.
 
-   Keep in mind that every patch submitted upstream reduces the maintainance
+   Keep in mind that every patch submitted upstream reduces the maintenance
    burden in OpenEmbedded and Yocto Project in the long run, so this patch
    status should only be used in exceptional cases if there are genuine
    obstacles to submitting a patch upstream; the reason for that should be
@@ -346,7 +346,7 @@ following status strings:
    The patch is not appropriate for upstream, include a brief reason on the
    same line enclosed with ``[]``. In the past, there were several different
    reasons not to submit patches upstream, but we have to consider that every
-   non-upstreamed patch means a maintainance burden for recipe maintainers.
+   non-upstreamed patch means a maintenance burden for recipe maintainers.
    Currently, the only reasons to mark patches as inappropriate for upstream
    submission are:
 

documentation/contributor-guide/submit-changes.rst

@@ -752,7 +752,7 @@ Taking Patch Review into Account
 You may get feedback on your submitted patches from other community members
 or from the automated patchtest service. If issues are identified in your
 patches then it is usually necessary to address these before the patches are
-accepted into the project. In this case you should your commits according
+accepted into the project. In this case you should revise your commits according
 to the feedback and submit an updated version to the relevant mailing list.
 
 In any case, never fix reported issues by fixing them in new commits

documentation/dev-manual/building.rst

@@ -948,7 +948,7 @@ Follow these steps to populate your Downloads directory:
 #. *Populate Your Downloads Directory Without Building:* Use BitBake to
    fetch your sources but inhibit the build::
 
-      $ bitbake target --runonly=fetch
+      $ bitbake target --runall=fetch
 
    The downloads directory (i.e. ``${DL_DIR}``) now has
    a "snapshot" of the source files in the form of tarballs, which can

documentation/index.rst

@@ -17,7 +17,7 @@ Welcome to the Yocto Project Documentation
    Quick Build <brief-yoctoprojectqs/index>
    what-i-wish-id-known
    transitioning-to-a-custom-environment
-   Yocto Project Software Overview <https://www.yoctoproject.org/software-overview/>
+   Yocto Project Technical Overview <https://www.yoctoproject.org/development/technical-overview/>
    Tips and Tricks Wiki <https://wiki.yoctoproject.org/wiki/TipsAndTricks>
 
 .. toctree::

documentation/migration-guides/release-4.0.rst

@@ -39,3 +39,6 @@ Release 4.0 (kirkstone)
    release-notes-4.0.30
    release-notes-4.0.31
    release-notes-4.0.32
+   release-notes-4.0.33
+   release-notes-4.0.34
+   release-notes-4.0.35

documentation/migration-guides/release-5.0.rst

@@ -23,3 +23,4 @@ Release 5.0 (scarthgap)
    release-notes-5.0.14
    release-notes-5.0.15
    release-notes-5.0.16
+   release-notes-5.0.17

documentation/migration-guides/release-notes-4.0.33.rst

@@ -0,0 +1,182 @@
+Release notes for Yocto-4.0.33 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.33
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  binutils: Fix :cve_nist:`2025-1181`, :cve_nist:`2025-11494`, :cve_nist:`2025-11839` and
+   :cve_nist:`2025-11840`
+-  cups: Fix :cve_nist:`2025-58436` and :cve_nist:`2025-61915`
+-  curl: Fix :cve_nist:`2025-14017`, :cve_nist:`2025-15079` and :cve_nist:`2025-15224`
+-  dropbear: Fix :cve_nist:`2019-6111`
+-  glib-2.0: Fix :cve_nist:`2025-13601`, :cve_nist:`2025-14087` and :cve_nist:`2025-14512`
+-  gnupg: Fix :cve_nist:`2025-68973`
+-  go: Fix :cve_nist:`2023-39323`, :cve_nist:`2025-61727` and :cve_nist:`2025-61729`
+-  go: Fix :cve_nist:`2025-58187` (update patch)
+-  grub: Fix :cve_nist:`2025-61661`, :cve_nist:`2025-61662`, :cve_nist:`2025-61663` and
+   :cve_nist:`2025-61664`
+-  libarchive: Fix :cve_nist:`2025-60753` (update patch)
+-  libpcap: Fix :cve_nist:`2025-11961` and :cve_nist:`2025-11964`
+-  libsoup: fix :cve_nist:`2025-12105`
+-  libxslt: Fix :cve_nist:`2025-11731`
+-  python3: Fix :cve_nist:`2025-13836`
+-  python3-urllib3: Fix :cve_nist:`2025-66418`
+-  qemu: Fix :cve_nist:`2025-12464`
+-  qemu: Ignore :cve_nist:`2025-54566` and :cve_nist:`2025-54567`
+-  rsync: Fix :cve_nist:`2025-10158`
+-  util-linux: Fix :cve_nist:`2025-14104`
+
+
+Fixes in Yocto-4.0.33
+~~~~~~~~~~~~~~~~~~~~~
+
+-  build-appliance-image: Update to kirkstone head revision
+-  contributor-guide/recipe-style-guide.rst: explain difference between layer and recipe license(s)
+-  cross.bbclass: Propagate dependencies to outhash
+-  cups: allow unknown directives in conf files
+-  docs: Add a new "Security" section
+-  oeqa: Use 2.14 release of cpio instead of 2.13
+-  overview-manual/yp-intro.rst: change removed ECOSYSTEM to ABOUT
+-  overview-manual/yp-intro.rst: fix SDK type in bullet list
+-  overview-manual/yp-intro.rst: link to YP members and participants
+-  overview-manual: convert YP-flow-diagram.png to SVG
+-  poky.conf: Bump version for 4.0.33 release
+-  pseudo: Upgrade to 1.9.2+git125b020dd2
+-  ref-manual/classes.rst: document the image-container class
+-  ref-manual/release-process.rst: add a "Development Cycle" section
+-  ref-manual/svg/releases.svg: mark styhead and walnascar EOL
+-  ref-manual/svg/releases.svg: mark whinlatter as current release
+-  ref-manual/variables.rst: document the :term:`CCACHE_TOP_DIR` variable
+-  scripts/install-buildtools: Update to 4.0.31
+-  test-manual/ptest.rst: detail the exit code and output requirements
+
+
+Known Issues in Yocto-4.0.33
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.33
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Aleksandar Nikolic
+-  Antonin Godard
+-  Changqing Li
+-  Deepesh Varatharajan
+-  Hitendra Prajapati
+-  Jiaying Song
+-  Kai Kang
+-  Khem Raj
+-  Libo Chen
+-  Liyin Zhang
+-  Martin Jansa
+-  Mingli Yu
+-  Paul Barker
+-  Peter Marko
+-  Richard Purdie
+-  Robert Yang
+-  Vijay Anusuri
+-  Yash Shinde
+
+Repositories / Downloads for Yocto-4.0.33
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.33 </yocto-docs/log/?h=yocto-4.0.33>`
+-  Git Revision: :yocto_git:`6799b1be5d48f4bf5dcd0b16c2dbc2e297d4ecd9 </yocto-docs/commit/?id=6799b1be5d48f4bf5dcd0b16c2dbc2e297d4ecd9>`
+-  Release Artefact: yocto-docs-6799b1be5d48f4bf5dcd0b16c2dbc2e297d4ecd9
+-  sha: 42a0eb89c8f87a9a966aecb8265f463486d4383cb67d1e67382ddf9d4d7f88b5
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.33/yocto-docs-6799b1be5d48f4bf5dcd0b16c2dbc2e297d4ecd9.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.33/yocto-docs-6799b1be5d48f4bf5dcd0b16c2dbc2e297d4ecd9.tar.bz2
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.33 </poky/log/?h=yocto-4.0.33>`
+-  Git Revision: :yocto_git:`ff118ede826a9ae45eb35025a5f7f612880fba01 </poky/commit/?id=ff118ede826a9ae45eb35025a5f7f612880fba01>`
+-  Release Artefact: poky-ff118ede826a9ae45eb35025a5f7f612880fba01
+-  sha: 2a8c24406fa96fc52728a96f25136a3fd7ee652eea6e12319a6b7c0457ccfdfd
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.33/poky-ff118ede826a9ae45eb35025a5f7f612880fba01.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.33/poky-ff118ede826a9ae45eb35025a5f7f612880fba01.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.33 </openembedded-core/log/?h=yocto-4.0.33>`
+-  Git Revision: :oe_git:`036f76ea35c49a78d612093dcd8eb1fac7ded8d7 </openembedded-core/commit/?id=036f76ea35c49a78d612093dcd8eb1fac7ded8d7>`
+-  Release Artefact: oecore-036f76ea35c49a78d612093dcd8eb1fac7ded8d7
+-  sha: fc180ff224529fd73a7aec4a4cf5beb40fba17646ee694715cf603baba26610c
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.33/oecore-036f76ea35c49a78d612093dcd8eb1fac7ded8d7.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.33/oecore-036f76ea35c49a78d612093dcd8eb1fac7ded8d7.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`kirkstone </meta-yocto/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.33 </meta-yocto/log/?h=yocto-4.0.33>`
+-  Git Revision: :yocto_git:`677379f21941363d50f9d946963542b4ccb7e27c </meta-yocto/commit/?id=677379f21941363d50f9d946963542b4ccb7e27c>`
+-  Release Artefact: meta-yocto-677379f21941363d50f9d946963542b4ccb7e27c
+-  sha: 90f52c406f4e69748b8d73eee07b8a1247d19cc29f4893174f110a034b10415f
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.33/meta-yocto-677379f21941363d50f9d946963542b4ccb7e27c.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.33/meta-yocto-677379f21941363d50f9d946963542b4ccb7e27c.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.33 </meta-mingw/log/?h=yocto-4.0.33>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.33/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.33/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.33 </meta-gplv2/log/?h=yocto-4.0.33>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.33/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.33/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.33 </bitbake/log/?h=yocto-4.0.33>`
+-  Git Revision: :oe_git:`8e2d1f8de055549b2101614d85454fcd1d0f94b2 </bitbake/commit/?id=8e2d1f8de055549b2101614d85454fcd1d0f94b2>`
+-  Release Artefact: bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2
+-  sha: fad4e7699bae62082118e89785324b031b0af0743064caee87c91ba28549afb0
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.33/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.33/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+

documentation/migration-guides/release-notes-4.0.34.rst

@@ -0,0 +1,191 @@
+Release notes for Yocto-4.0.34 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.34
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  avahi: Fix :cve_nist:`2026-24401`, :cve_nist:`2025-68276`, :cve_nist:`2025-68468` and
+   :cve_nist:`2025-68471`
+-  bind: Fix :cve_nist:`2025-13878`
+-  expat: Fix :cve_nist:`2026-24515` and :cve_nist:`2026-25210`
+-  ffmpeg: Ignore :cve_nist:`2025-25468` and :cve_nist:`2025-25469`
+-  glib-2.0: Fix :cve_nist:`2026-0988`, :cve_nist:`2026-1484`, :cve_nist:`2026-1485` and
+   :cve_nist:`2026-1489`
+-  glibc: Fix :cve_nist:`2025-15281`, :cve_nist:`2026-0861` and :cve_nist:`2026-0915`
+-  harfbuzz: Ignore :cve_nist:`2026-22693`
+-  inetutils: Fix :cve_nist:`2026-24061`
+-  libpng: Fix :cve_nist:`2026-22695`, :cve_nist:`2026-22801` and :cve_nist:`2026-25646`
+-  libtasn1: Fix :cve_nist:`2025-13151`
+-  libxml2: Fix :cve_nist:`2026-0990` and :cve_nist:`2026-0992`
+-  linux-yocto/5.15: Fix :cve_nist:`2022-49465`, :cve_nist:`2023-54207`, :cve_nist:`2025-22058`,
+   :cve_nist:`2025-40040`, :cve_nist:`2025-40149`, :cve_nist:`2025-40164`, :cve_nist:`2025-68211`,
+   :cve_nist:`2025-68340`, :cve_nist:`2025-68365`, :cve_nist:`2025-68725`, :cve_nist:`2025-68817`,
+   :cve_nist:`2025-71147`, :cve_nist:`2025-71154`, :cve_nist:`2025-71162`, :cve_nist:`2025-71163`,
+   :cve_nist:`2026-22976`, :cve_nist:`2026-22977`, :cve_nist:`2026-22978`, :cve_nist:`2026-22980`,
+   :cve_nist:`2026-22982`, :cve_nist:`2026-22984`, :cve_nist:`2026-22990`, :cve_nist:`2026-22991`,
+   :cve_nist:`2026-22992`, :cve_nist:`2026-22997`, :cve_nist:`2026-22998`, :cve_nist:`2026-22999`,
+   :cve_nist:`2026-23060`, :cve_nist:`2026-23061`, :cve_nist:`2026-23063`, :cve_nist:`2026-23064`,
+   :cve_nist:`2026-23076`, :cve_nist:`2026-23078`, :cve_nist:`2026-23080`, :cve_nist:`2026-23083`,
+   :cve_nist:`2026-23084`, :cve_nist:`2026-23085`, :cve_nist:`2026-23087`, :cve_nist:`2026-23089`,
+   :cve_nist:`2026-23090`, :cve_nist:`2026-23091`, :cve_nist:`2026-23093`, :cve_nist:`2026-23095`,
+   :cve_nist:`2026-23096`, :cve_nist:`2026-23097`, :cve_nist:`2026-23119`, :cve_nist:`2026-23120`,
+   :cve_nist:`2026-23121`, :cve_nist:`2026-23124`, :cve_nist:`2026-23125`, :cve_nist:`2026-23133`,
+   :cve_nist:`2026-23146`, :cve_nist:`2026-23150`, :cve_nist:`2026-23164`, :cve_nist:`2026-23167`
+   and :cve_nist:`2026-23170`
+-  openssl: Fix :cve_nist:`2025-15467`, :cve_nist:`2026-22795`, :cve_nist:`2026-22796`,
+   :cve_nist:`2025-68160`, :cve_nist:`2025-69418`, :cve_nist:`2025-69419`, :cve_nist:`2025-69420`
+   and :cve_nist:`2025-69421`
+-  python3: Fix :cve_nist:`2025-12084` and :cve_nist:`2025-13837`
+-  vim: Ignore :cve_nist:`2025-66476`
+-  zlib: Ignore :cve_nist:`2026-22184`
+
+
+Fixes in Yocto-4.0.34
+~~~~~~~~~~~~~~~~~~~~~
+
+-  bind: Upgrade to 9.18.44
+-  build-appliance-image: Update to kirkstone head revision
+-  classes/buildhistory: Do not sign buildhistory commits
+-  dev-manual/packages.rst: fix example recipe version
+-  dev-manual/packages.rst: pr server: fix and explain why r0.X increments on :term:`SRCREV` change
+-  dev-manual/packages.rst: rename r0.0 to r0 when :term:`PR` server is not enabled
+-  glibc: stable 2.35 branch updates
+-  linux-yocto/5.15: update to v5.15.199
+-  migration-guides: add release notes for 4.0.32
+-  openssl: upgrade to 3.0.19
+-  poky.conf: Bump version for 4.0.34 release
+-  poky.conf: add fedora-41, debian-12, rocky-8&9 to :term:`SANITY_TESTED_DISTROS`
+-  pseudo: Update to 1.9.3+git43cbd8fb49
+-  ref-manual/classes.rst: fix broken links to U-Boot documentation
+-  ref-manual/system-requirements.rst: update untested distros
+-  scripts/install-buildtools: Update to 4.0.32
+-  u-boot: move CVE patch out of u-boot-common.inc
+-  what-i-wish-id-known.rst: replace figure by the new SVG
+
+
+Known Issues in Yocto-4.0.34
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.34
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Aleksandar Nikolic
+-  Amaury Couderc
+-  Ankur Tyagi
+-  Antonin Godard
+-  Bruce Ashfield
+-  Fabio Berton
+-  Hugo SIMELIERE
+-  Lee Chee Yang
+-  Michael Opdenacker
+-  Paul Barker
+-  Peter Marko
+-  Richard Purdie
+-  Scott Murray
+-  Vijay Anusuri
+-  Yoann Congal
+
+Repositories / Downloads for Yocto-4.0.34
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.34 </yocto-docs/log/?h=yocto-4.0.34>`
+-  Git Revision: :yocto_git:`7c348dd67cfd169b1a56bf969606b03dccb76c56 </yocto-docs/commit/?id=7c348dd67cfd169b1a56bf969606b03dccb76c56>`
+-  Release Artefact: yocto-docs-7c348dd67cfd169b1a56bf969606b03dccb76c56
+-  sha: 0677fc3aee3c936599f3bcffbe16792494058bd3506ca3ab1697ceac1822829b
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.34/yocto-docs-7c348dd67cfd169b1a56bf969606b03dccb76c56.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.34/yocto-docs-7c348dd67cfd169b1a56bf969606b03dccb76c56.tar.bz2
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.34 </poky/log/?h=yocto-4.0.34>`
+-  Git Revision: :yocto_git:`8334e82e1d85e50557bd3da64054fc9e3eafc495 </poky/commit/?id=8334e82e1d85e50557bd3da64054fc9e3eafc495>`
+-  Release Artefact: poky-8334e82e1d85e50557bd3da64054fc9e3eafc495
+-  sha: 74fcc57d1dd3bb0c6ef77bfaaeca7504f393e705a55149cf52d4b61981c9c387
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.34/poky-8334e82e1d85e50557bd3da64054fc9e3eafc495.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.34/poky-8334e82e1d85e50557bd3da64054fc9e3eafc495.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.34 </openembedded-core/log/?h=yocto-4.0.34>`
+-  Git Revision: :oe_git:`7b6c9faa301a6d058ca34e230586f6a81ffa3ffb </openembedded-core/commit/?id=7b6c9faa301a6d058ca34e230586f6a81ffa3ffb>`
+-  Release Artefact: oecore-7b6c9faa301a6d058ca34e230586f6a81ffa3ffb
+-  sha: 375a22e3e229064749e78c80c44cde95adcedd26df76045fccefa3a9d3fa14ad
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.34/oecore-7b6c9faa301a6d058ca34e230586f6a81ffa3ffb.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.34/oecore-7b6c9faa301a6d058ca34e230586f6a81ffa3ffb.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`kirkstone </meta-yocto/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.34 </meta-yocto/log/?h=yocto-4.0.34>`
+-  Git Revision: :yocto_git:`1d3874a383023a5e2433e0fcfd87ac5d1e6d341d </meta-yocto/commit/?id=1d3874a383023a5e2433e0fcfd87ac5d1e6d341d>`
+-  Release Artefact: meta-yocto-1d3874a383023a5e2433e0fcfd87ac5d1e6d341d
+-  sha: baf48bbe1f29686d502c0c6f311c7723b0a18f08e7efbf89c150589102285dbe
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.34/meta-yocto-1d3874a383023a5e2433e0fcfd87ac5d1e6d341d.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.34/meta-yocto-1d3874a383023a5e2433e0fcfd87ac5d1e6d341d.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.34 </meta-mingw/log/?h=yocto-4.0.34>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.34/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.34/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.34 </meta-gplv2/log/?h=yocto-4.0.34>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.34/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.34/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.34 </bitbake/log/?h=yocto-4.0.34>`
+-  Git Revision: :oe_git:`8e2d1f8de055549b2101614d85454fcd1d0f94b2 </bitbake/commit/?id=8e2d1f8de055549b2101614d85454fcd1d0f94b2>`
+-  Release Artefact: bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2
+-  sha: fad4e7699bae62082118e89785324b031b0af0743064caee87c91ba28549afb0
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.34/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.34/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+

documentation/migration-guides/release-notes-4.0.35.rst

@@ -0,0 +1,198 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Release notes for Yocto-4.0.35 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.35
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  alsa-lib: Fix :cve_nist:`2026-25068`
+-  busybox: Fix :cve_nist:`2025-60876`
+-  curl: Fix :cve_nist:`2025-14524`, :cve_nist:`2026-1965`, :cve_nist:`2026-3783` and
+   :cve_nist:`2026-3784`
+-  ffmpeg: Fix :cve_nist:`2025-10256`
+-  gdk-pixbuf: Fix :cve_nist:`2025-6199`
+-  inetutils: Fix :cve_nist:`2026-28372`
+-  libarchive: Fix :cve_nist:`2026-4111`
+-  libpam: Fix :cve_nist:`2024-10963`
+-  linux-yocto/5.15: Fix :cve_nist:`2025-40082`, :cve_nist:`2025-68358`, :cve_nist:`2025-71089`,
+   :cve_nist:`2025-71220`, :cve_nist:`2025-71222`, :cve_nist:`2025-71232`, :cve_nist:`2025-71233`,
+   :cve_nist:`2025-71235`, :cve_nist:`2025-71236`, :cve_nist:`2025-71237`, :cve_nist:`2025-71238`,
+   :cve_nist:`2026-23111`, :cve_nist:`2026-23112`, :cve_nist:`2026-23169`, :cve_nist:`2026-23190`,
+   :cve_nist:`2026-23193`, :cve_nist:`2026-23198`, :cve_nist:`2026-23202`, :cve_nist:`2026-23206`,
+   :cve_nist:`2026-23209`, :cve_nist:`2026-23216`, :cve_nist:`2026-23221`, :cve_nist:`2026-23222`,
+   :cve_nist:`2026-23228`, :cve_nist:`2026-23229`, :cve_nist:`2026-23231`, :cve_nist:`2026-23234`,
+   :cve_nist:`2026-23235`, :cve_nist:`2026-23236`, :cve_nist:`2026-23237` and :cve_nist:`2026-23238`
+-  ncurses: Fix :cve_nist:`2025-69720`
+-  python3: Fix :cve_nist:`2024-6923`, :cve_nist:`2025-15282`, :cve_nist:`2025-59375`,
+   :cve_nist:`2026-0865`, :cve_nist:`2026-24515` and :cve_nist:`2026-25210`
+-  python3-pip: Fix :cve_nist:`2026-1703`
+-  python3-pyopenssl: Fix :cve_nist:`2026-27448` and :cve_nist:`2026-27459`
+-  sqlite3: Fix :cve_nist:`2025-70873`
+-  tiff: Fix :cve_nist:`2025-61143` and :cve_nist:`2025-61144`
+-  vim: Fix :cve_nist:`2026-25749`, :cve_nist:`2026-26269`, :cve_nist:`2026-28418`,
+   :cve_nist:`2026-28419` and :cve_nist:`2026-33412`
+
+
+Fixes in Yocto-4.0.35
+~~~~~~~~~~~~~~~~~~~~~
+
+-  bitbake: tests/fetch: Avoid using git protocol in tests
+-  build-appliance-image: Update to kirkstone head revision
+-  contributor-guide/submit-changes.rst: Added missing word
+-  create-pull-request: Keep commit hash to be pulled in cover email
+-  createrepo-c: Fix createrepo-c-native build on GCC14 hosts (e.g. Fedora 41)
+-  gtk+3: fix incompatible-pointer-types errors for native build on Fedora 41
+-  libcomps: Fix libcomps-native build on GCC14 hosts (e.g. Fedora 41)
+-  libpam: re-add missing libgen include
+-  libtheora: set :term:`CVE_PRODUCT`
+-  linux-yocto/5.15: update to v5.15.201
+-  lsb.py: strip ' from os-release file
+-  migration-guide: add release notes for 4.0.33 4.0.34
+-  oeqa/manual: Default to https git protocol for YP/OE repos
+-  oeqa/sdk: Default to https git protocol for YP/OE repos
+-  oeqa/selftest/git-submodule-test: Default to https git protocol for YP/OE repos
+-  overview-manual: escape wildcard in inline markup
+-  poky.conf: Bump version for 4.0.35 release
+-  python3: upgrade to 3.10.20
+-  README.OE-Core: update contributor links and add kirkstone prefix
+-  recipes: Default to https git protocol for YP/OE repos
+-  recipetool: Recognise https://git. as git urls
+-  ref-manual/system-requirements.rst: update end-of-life distros
+-  scripts/install-buildtools: Update to 4.0.34
+-  scripts: Default to https git protocol for YP/OE repos
+-  selftest/scripts: Update old git protocol references
+-  tcl: skip http11 tests
+-  tiff: set status of CVE-2025-61145 as fixed by patch for :cve_nist:`2025-8961`
+-  tzdata,tzcode-native: Upgrade to 2026a
+
+
+Known Issues in Yocto-4.0.35
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.35
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Aleksandar Nikolic
+-  Antonin Godard
+-  Bruce Ashfield
+-  Fabien Thomas
+-  Hitendra Prajapati
+-  Jinfeng Wang
+-  Ken Kurematsu
+-  Kristiyan Chakarov
+-  Lee Chee Yang
+-  Martin Jansa
+-  Paul Barker
+-  Peter Marko
+-  Richard Purdie
+-  Ross Burton
+-  Shaik Moin
+-  Vijay Anusuri
+-  Yanis BINARD
+-  Yoann Congal
+
+Repositories / Downloads for Yocto-4.0.35
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.35 </yocto-docs/log/?h=yocto-4.0.35>`
+-  Git Revision: :yocto_git:`ce6734c68649739c635675a133fa77edb9865028 </yocto-docs/commit/?id=ce6734c68649739c635675a133fa77edb9865028>`
+-  Release Artefact: yocto-docs-ce6734c68649739c635675a133fa77edb9865028
+-  sha: ddb6fac4d257f4f76836055cafad529729e99c293d3b8d3dabef926fad5e725f
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.35/yocto-docs-ce6734c68649739c635675a133fa77edb9865028.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.35/yocto-docs-ce6734c68649739c635675a133fa77edb9865028.tar.bz2
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.35 </poky/log/?h=yocto-4.0.35>`
+-  Git Revision: :yocto_git:`93431249a6260da7bd29ee3ca32145d89e5b8259 </poky/commit/?id=93431249a6260da7bd29ee3ca32145d89e5b8259>`
+-  Release Artefact: poky-93431249a6260da7bd29ee3ca32145d89e5b8259
+-  sha: a8e95213248c5400276611754f2c98b8d8972e166bdf41433c45fcdd2bf668cb
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.35/poky-93431249a6260da7bd29ee3ca32145d89e5b8259.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.35/poky-93431249a6260da7bd29ee3ca32145d89e5b8259.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.35 </openembedded-core/log/?h=yocto-4.0.35>`
+-  Git Revision: :oe_git:`51259c7e933a2ac8ebc01604d6e65607b76b7b56 </openembedded-core/commit/?id=51259c7e933a2ac8ebc01604d6e65607b76b7b56>`
+-  Release Artefact: oecore-51259c7e933a2ac8ebc01604d6e65607b76b7b56
+-  sha: 2cd531e2a107849e7a452e71e41f22b42160979066e10d0661e97acfab125b1f
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.35/oecore-51259c7e933a2ac8ebc01604d6e65607b76b7b56.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.35/oecore-51259c7e933a2ac8ebc01604d6e65607b76b7b56.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`kirkstone </meta-yocto/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.35 </meta-yocto/log/?h=yocto-4.0.35>`
+-  Git Revision: :yocto_git:`34e3c9a19b8b955116109a2e9528966db3fced37 </meta-yocto/commit/?id=34e3c9a19b8b955116109a2e9528966db3fced37>`
+-  Release Artefact: meta-yocto-34e3c9a19b8b955116109a2e9528966db3fced37
+-  sha: 18da6dbb745d5e4e42a93527c36751778155e3762728b0b1020b890480402dde
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.35/meta-yocto-34e3c9a19b8b955116109a2e9528966db3fced37.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.35/meta-yocto-34e3c9a19b8b955116109a2e9528966db3fced37.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.35 </meta-mingw/log/?h=yocto-4.0.35>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.35/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.35/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.35 </meta-gplv2/log/?h=yocto-4.0.35>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.35/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.35/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.35 </bitbake/log/?h=yocto-4.0.35>`
+-  Git Revision: :oe_git:`7fd0197fd5fedd23cc885b5e7e816d86a392fdf9 </bitbake/commit/?id=7fd0197fd5fedd23cc885b5e7e816d86a392fdf9>`
+-  Release Artefact: bitbake-7fd0197fd5fedd23cc885b5e7e816d86a392fdf9
+-  sha: 6c01ff2b4b0060ef3d6d3f1fc11690094b22865af4989946544d08d74b473ec9
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.35/bitbake-7fd0197fd5fedd23cc885b5e7e816d86a392fdf9.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.35/bitbake-7fd0197fd5fedd23cc885b5e7e816d86a392fdf9.tar.bz2
+

documentation/migration-guides/release-notes-5.0.17.rst

@@ -0,0 +1,263 @@
+Release notes for Yocto-5.0.17 (Scarthgap)
+------------------------------------------
+
+Openssl 3.2 has reached EOL. Some projects would like to use LTS version due to criticality and exposure of this component, so upgrade to 3.5 branch.
+
+Security Fixes in Yocto-5.0.17
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  alsa-lib: Fix :cve_nist:`2026-25068`
+-  avahi: Fix :cve_nist:`2025-68276`, :cve_nist:`2025-68468`, :cve_nist:`2025-68471` and
+   :cve_nist:`2026-24401`
+-  bind: Fix :cve_nist:`2025-13878`
+-  busybox: Fix :cve_nist:`2025-60876`
+-  ffmpeg: ignore :cve_nist:`2025-1594`, :cve_nist:`2025-10256`, :cve_nist:`2025-12343` and
+   :cve_nist:`2025-25468`
+-  freetype: Fix :cve_nist:`2026-23865`
+-  gdk-pixbuf: Fix :cve_nist:`2025-6199`
+-  glib-2.0: Fix :cve_nist:`2026-1484`, :cve_nist:`2026-1485` and :cve_nist:`2026-1489`
+-  gnupg: Fix :cve_nist:`2025-68973`
+-  gnutls: Fix :cve_nist:`2025-14831`
+-  go 1.22.12: Fix :cve_nist:`2025-61726`, :cve_nist:`2025-61728`, :cve_nist:`2025-61730`,
+   :cve_nist:`2025-61731`, :cve_nist:`2025-61732`, :cve_nist:`2025-68119` and :cve_nist:`2025-68121`
+-  harfbuzz: Fix :cve_nist:`2026-22693`
+-  inetutils: Fix :cve_nist:`2026-28372` and :cve_nist:`2026-32746`
+-  libpng: Fix :cve_nist:`2026-25646`
+-  libsndfile1: Fix :cve_nist:`2025-56226`
+-  libtheora: Ignore :cve_nist:`2024-56431`
+-  linux-yocto/6.6: Fix :cve_nist:`2025-38593`, :cve_nist:`2025-38643`, :cve_nist:`2025-38678`,
+   :cve_nist:`2025-40039`, :cve_nist:`2025-40040`, :cve_nist:`2025-40149`, :cve_nist:`2025-40164`,
+   :cve_nist:`2025-40251`, :cve_nist:`2025-68211`, :cve_nist:`2025-68214`, :cve_nist:`2025-68223`,
+   :cve_nist:`2025-68340`, :cve_nist:`2025-68365`, :cve_nist:`2025-68725`, :cve_nist:`2025-68817`,
+   :cve_nist:`2025-71068`, :cve_nist:`2025-71071`, :cve_nist:`2025-71075`, :cve_nist:`2025-71077`,
+   :cve_nist:`2025-71078`, :cve_nist:`2025-71079`, :cve_nist:`2025-71081`, :cve_nist:`2025-71082`,
+   :cve_nist:`2025-71083`, :cve_nist:`2025-71084`, :cve_nist:`2025-71085`, :cve_nist:`2025-71086`,
+   :cve_nist:`2025-71087`, :cve_nist:`2025-71088`, :cve_nist:`2025-71089`, :cve_nist:`2025-71091`,
+   :cve_nist:`2025-71093`, :cve_nist:`2025-71094`, :cve_nist:`2025-71095`, :cve_nist:`2025-71096`,
+   :cve_nist:`2025-71097`, :cve_nist:`2025-71098`, :cve_nist:`2025-71101`, :cve_nist:`2025-71102`,
+   :cve_nist:`2025-71104`, :cve_nist:`2025-71105`, :cve_nist:`2025-71107`, :cve_nist:`2025-71108`,
+   :cve_nist:`2025-71111`, :cve_nist:`2025-71112`, :cve_nist:`2025-71113`, :cve_nist:`2025-71114`,
+   :cve_nist:`2025-71116`, :cve_nist:`2025-71118`, :cve_nist:`2025-71119`, :cve_nist:`2025-71120`,
+   :cve_nist:`2025-71121`, :cve_nist:`2025-71122`, :cve_nist:`2025-71125`, :cve_nist:`2025-71126`,
+   :cve_nist:`2025-71127`, :cve_nist:`2025-71129`, :cve_nist:`2025-71130`, :cve_nist:`2025-71131`,
+   :cve_nist:`2025-71132`, :cve_nist:`2025-71133`, :cve_nist:`2025-71136`, :cve_nist:`2025-71137`,
+   :cve_nist:`2025-71138`, :cve_nist:`2025-71141`, :cve_nist:`2025-71143`, :cve_nist:`2025-71147`,
+   :cve_nist:`2025-71148`, :cve_nist:`2025-71149`, :cve_nist:`2025-71150`, :cve_nist:`2025-71151`,
+   :cve_nist:`2025-71153`, :cve_nist:`2025-71154`, :cve_nist:`2025-71160`, :cve_nist:`2025-71162`,
+   :cve_nist:`2025-71163`, :cve_nist:`2025-71180`, :cve_nist:`2025-71182`, :cve_nist:`2025-71183`,
+   :cve_nist:`2025-71185`, :cve_nist:`2025-71186`, :cve_nist:`2025-71188`, :cve_nist:`2025-71189`,
+   :cve_nist:`2025-71190`, :cve_nist:`2025-71191`, :cve_nist:`2025-71200`, :cve_nist:`2026-22976`,
+   :cve_nist:`2026-22977`, :cve_nist:`2026-22978`, :cve_nist:`2026-22979`, :cve_nist:`2026-22980`,
+   :cve_nist:`2026-22982`, :cve_nist:`2026-22984`, :cve_nist:`2026-22990`, :cve_nist:`2026-22991`,
+   :cve_nist:`2026-22992`, :cve_nist:`2026-22994`, :cve_nist:`2026-22997`, :cve_nist:`2026-22998`,
+   :cve_nist:`2026-22999`, :cve_nist:`2026-23001`, :cve_nist:`2026-23003`, :cve_nist:`2026-23005`,
+   :cve_nist:`2026-23006`, :cve_nist:`2026-23010`, :cve_nist:`2026-23011`, :cve_nist:`2026-23019`,
+   :cve_nist:`2026-23020`, :cve_nist:`2026-23021`, :cve_nist:`2026-23025`, :cve_nist:`2026-23026`,
+   :cve_nist:`2026-23060`, :cve_nist:`2026-23061`, :cve_nist:`2026-23062`, :cve_nist:`2026-23063`,
+   :cve_nist:`2026-23064`, :cve_nist:`2026-23068`, :cve_nist:`2026-23069`, :cve_nist:`2026-23071`,
+   :cve_nist:`2026-23073`, :cve_nist:`2026-23074`, :cve_nist:`2026-23075`, :cve_nist:`2026-23076`,
+   :cve_nist:`2026-23078`, :cve_nist:`2026-23080`, :cve_nist:`2026-23083`, :cve_nist:`2026-23084`,
+   :cve_nist:`2026-23085`, :cve_nist:`2026-23086`, :cve_nist:`2026-23087`, :cve_nist:`2026-23088`,
+   :cve_nist:`2026-23089`, :cve_nist:`2026-23090`, :cve_nist:`2026-23091`, :cve_nist:`2026-23093`,
+   :cve_nist:`2026-23094`, :cve_nist:`2026-23095`, :cve_nist:`2026-23096`, :cve_nist:`2026-23097`,
+   :cve_nist:`2026-23098`, :cve_nist:`2026-23099`, :cve_nist:`2026-23101`, :cve_nist:`2026-23102`,
+   :cve_nist:`2026-23103`, :cve_nist:`2026-23105`, :cve_nist:`2026-23107`, :cve_nist:`2026-23108`,
+   :cve_nist:`2026-23110`, :cve_nist:`2026-23113`, :cve_nist:`2026-23116`, :cve_nist:`2026-23119`,
+   :cve_nist:`2026-23120`, :cve_nist:`2026-23121`, :cve_nist:`2026-23123`, :cve_nist:`2026-23124`,
+   :cve_nist:`2026-23125`, :cve_nist:`2026-23126`, :cve_nist:`2026-23128`, :cve_nist:`2026-23131`,
+   :cve_nist:`2026-23133`, :cve_nist:`2026-23135`, :cve_nist:`2026-23136`, :cve_nist:`2026-23139`,
+   :cve_nist:`2026-23140`, :cve_nist:`2026-23141`, :cve_nist:`2026-23142`, :cve_nist:`2026-23144`,
+   :cve_nist:`2026-23146`, :cve_nist:`2026-23150`, :cve_nist:`2026-23156`, :cve_nist:`2026-23160`,
+   :cve_nist:`2026-23163`, :cve_nist:`2026-23164`, :cve_nist:`2026-23167`, :cve_nist:`2026-23168`,
+   :cve_nist:`2026-23170`, :cve_nist:`2026-23172`, :cve_nist:`2026-23173` and :cve_nist:`2026-23212`
+-  openssl: fix :cve_nist:`2025-15468` and :cve_nist:`2025-69419`
+-  python3-cryptography: Fix :cve_nist:`2026-26007`
+-  python3-pip: Fix :cve_nist:`2026-1703`
+-  python3-pyopenssl: Fix :cve_nist:`2026-27448` and :cve_nist:`2026-27459`
+-  tiff: ignore :cve_nist:`2025-61144` and :cve_nist:`2025-61145`
+-  vim: ignore :cve_nist:`2025-66476`
+-  zlib: Fix :cve_nist:`2026-27171`
+
+
+Fixes in Yocto-5.0.17
+~~~~~~~~~~~~~~~~~~~~~
+
+-  README: Add scarthgap subject-prefix to git-send-email suggestion
+-  bind: upgrade to 9.18.44
+-  bitbake: COW: Fix hardcoded magic numbers and work with python 3.13
+-  bitbake: fetch2: Fix LFS object checkout in submodules
+-  bitbake: fetch2: Fix incorrect lfs parametrization for submodules
+-  bitbake: fetch2: don't try to preserve all attributes when unpacking files
+-  bitbake: gitsm: Add clean function
+-  build-appliance-image: Update to scarthgap head revision
+-  classes/buildhistory: Do not sign buildhistory commits
+-  create-pull-request: Keep commit hash to be pulled in cover email
+-  dev-manual: delete references to "tar" package format
+-  docs: Makefile: pass -silent to latexmk
+-  go-vendor: Fix absolute paths issue
+-  improve_kernel_cve_report: add option to read debugsources.zstd
+-  improve_kernel_cve_report: do not override backported-patch
+-  improve_kernel_cve_report: do not use custom version
+-  linux-yocto/6.6: upgrade to v6.6.123
+-  lsb.py: strip ' from os-release file
+-  migration-guides: add release notes for 5.0.16
+-  mobile-broadband-provider-info: upgrade to 20251101
+-  oe-setup-build: Fix typo
+-  oeqa/selftest/wic: test recursive dir copy on ext partitions
+-  openssl: upgrade to 3.5.5
+-  overview-manual/concepts: list other possible class directories
+-  overview-manual: escape wildcard in inline markup
+-  poky.conf: Bump version for 5.0.17 release
+-  poky.conf: add Centos Stream 9, fedora-41, rocky-8 to :term:`SANITY_TESTED_DISTROS`
+-  pseudo: Update to include a fix for systems with kernel <5.6
+-  python3-pip: drop unused Windows distlib launcher templates
+-  python3-setuptools: drop Windows launcher executables on non-mingw builds
+-  ref-manual/classes.rst: fix broken links to U-Boot documentation
+-  ref-manual/system-requirements.rst: update supported, end-of-life and untested distros
+-  scripts/install-buildtools: Update to 5.0.15
+-  spdx30_tasks: Exclude 'doc' when exporting :term:`PACKAGECONFIG` to :term:`SPDX`
+-  spdx: add option to include only compiled sources
+-  systemd-systemctl: Fix instance name parsing with escapes or periods
+-  tzdata,tzcode-native: upgrade to 2025c
+-  u-boot: move CVE Fixes out of the common .inc file
+-  uboot-config: Fix devtool modify
+-  weston: fix a touch-calibrator issue
+-  what-i-wish-id-known.rst: replace figure by the new SVG
+-  wic/engine: error on old host debugfs for standalone directory copy
+-  wic/engine: fix copying directories into wic image with ext* partition
+-  wireless-regdb: upgrade to 2026.02.04
+
+
+Known Issues in Yocto-5.0.17
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+Contributors to Yocto-5.0.17
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Aleksandar Nikolic
+-  Amaury Couderc
+-  Ankur Tyagi
+-  Antonin Godard
+-  Benjamin Robin (Schneider Electric)
+-  Bruce Ashfield
+-  Daniel Dragomir
+-  Daniel Turull
+-  Deepak Rathore
+-  Dragomir, Daniel
+-  Eduardo Ferreira
+-  Fabio Berton
+-  Hitendra Prajapati
+-  Hugo SIMELIERE
+-  João Marcos Costa (Schneider Electric)
+-  Kristiyan Chakarov
+-  Krupal Ka Patel
+-  Lee Chee Yang
+-  Livin Sunny
+-  Martin Jansa
+-  Michael Opdenacker
+-  Ming Liu
+-  Nguyen Dat Tho
+-  Paul Barker
+-  Peter Marko
+-  Philip Lorenz
+-  Quentin Schulz
+-  Richard Purdie
+-  Robert P. J. Day
+-  Robert Yang
+-  Ross Burton
+-  Ryan Eatmon
+-  Shaik Moin
+-  Tom Hochstein
+-  Trent Piepho
+-  Vijay Anusuri
+-  Yoann Congal
+
+Repositories / Downloads for Yocto-5.0.17
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`scarthgap </yocto-docs/log/?h=scarthgap>`
+-  Tag:  :yocto_git:`yocto-5.0.17 </yocto-docs/log/?h=yocto-5.0.17>`
+-  Git Revision: :yocto_git:`aa7226705451e6c1ef964d49963bbed29b267c27 </yocto-docs/commit/?id=aa7226705451e6c1ef964d49963bbed29b267c27>`
+-  Release Artefact: yocto-docs-aa7226705451e6c1ef964d49963bbed29b267c27
+-  sha: d429833609637657f213611317dfadbd70293fff2f9e22753d1f71ef8515a6c0
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.17/yocto-docs-aa7226705451e6c1ef964d49963bbed29b267c27.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-5.0.17/yocto-docs-aa7226705451e6c1ef964d49963bbed29b267c27.tar.bz2
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`scarthgap </poky/log/?h=scarthgap>`
+-  Tag:  :yocto_git:`yocto-5.0.17 </poky/log/?h=yocto-5.0.17>`
+-  Git Revision: :yocto_git:`1e8099846661571ede077f533eb1b6c86818ddce </poky/commit/?id=1e8099846661571ede077f533eb1b6c86818ddce>`
+-  Release Artefact: poky-1e8099846661571ede077f533eb1b6c86818ddce
+-  sha: b56890576f593cc881ea8e467562d842cfca248099ce653d28ca14d250f6219e
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.17/poky-1e8099846661571ede077f533eb1b6c86818ddce.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-5.0.17/poky-1e8099846661571ede077f533eb1b6c86818ddce.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`scarthgap </openembedded-core/log/?h=scarthgap>`
+-  Tag:  :oe_git:`yocto-5.0.17 </openembedded-core/log/?h=yocto-5.0.17>`
+-  Git Revision: :oe_git:`52380df998b3a8fe6a091f8547434a3231320a8e </openembedded-core/commit/?id=52380df998b3a8fe6a091f8547434a3231320a8e>`
+-  Release Artefact: oecore-52380df998b3a8fe6a091f8547434a3231320a8e
+-  sha: a948d75acf76a392d170129ce6eb6f5fe45082d95b4fd28045aac58b8373cb26
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.17/oecore-52380df998b3a8fe6a091f8547434a3231320a8e.tar.bz
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-5.0.17/oecore-52380df998b3a8fe6a091f8547434a3231320a8e.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`scarthgap </meta-yocto/log/?h=scarthgap>`
+-  Tag:  :yocto_git:`yocto-5.0.17 </meta-yocto/log/?h=yocto-5.0.17>`
+-  Git Revision: :yocto_git:`c7c38663a1cafb1fa8593c0b246811e51d3bbe20 </meta-yocto/commit/?id=c7c38663a1cafb1fa8593c0b246811e51d3bbe20>`
+-  Release Artefact: meta-yocto-c7c38663a1cafb1fa8593c0b246811e51d3bbe20
+-  sha: 5a2a9360249e639694cc2a75985e3907085512b3eb236e8491cb07f1e0cb0f19
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.17/meta-yocto-c7c38663a1cafb1fa8593c0b246811e51d3bbe20.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-5.0.17/meta-yocto-c7c38663a1cafb1fa8593c0b246811e51d3bbe20.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`scarthgap </meta-mingw/log/?h=scarthgap>`
+-  Tag:  :yocto_git:`yocto-5.0.17 </meta-mingw/log/?h=yocto-5.0.17>`
+-  Git Revision: :yocto_git:`bd9fef71ec005be3c3a6d7f8b99d8116daf70c4f </meta-mingw/commit/?id=bd9fef71ec005be3c3a6d7f8b99d8116daf70c4f>`
+-  Release Artefact: meta-mingw-bd9fef71ec005be3c3a6d7f8b99d8116daf70c4f
+-  sha: ab073def6487f237ac125d239b3739bf02415270959546b6b287778664f0ae65
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.17/meta-mingw-bd9fef71ec005be3c3a6d7f8b99d8116daf70c4f.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-5.0.17/meta-mingw-bd9fef71ec005be3c3a6d7f8b99d8116daf70c4f.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.8 </bitbake/log/?h=2.8>`
+-  Tag:  :oe_git:`yocto-5.0.17 </bitbake/log/?h=yocto-5.0.17>`
+-  Git Revision: :oe_git:`d3b4c352dd33fca90cd31649eda054b884478739 </bitbake/commit/?id=d3b4c352dd33fca90cd31649eda054b884478739>`
+-  Release Artefact: bitbake-d3b4c352dd33fca90cd31649eda054b884478739
+-  sha: 1021fc412780e21b25ccb045b66368ebe3fc4e785a65066ac0cafb9bdd5492fa
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.17/bitbake-d3b4c352dd33fca90cd31649eda054b884478739.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-5.0.17/bitbake-d3b4c352dd33fca90cd31649eda054b884478739.tar.bz2
+

documentation/overview-manual/concepts.rst

@@ -808,17 +808,20 @@ to a holding area (staged) in preparation for packaging:
 This step in the build process consists of the following tasks:
 
 -  :ref:`ref-tasks-prepare_recipe_sysroot`:
-   This task sets up the two sysroots in
-   ``${``\ :term:`WORKDIR`\ ``}``
-   (i.e. ``recipe-sysroot`` and ``recipe-sysroot-native``) so that
-   during the packaging phase the sysroots can contain the contents of
-   the
-   :ref:`ref-tasks-populate_sysroot`
-   tasks of the recipes on which the recipe containing the tasks
-   depends. A sysroot exists for both the target and for the native
-   binaries, which run on the host system.
+   This task sets up the two sysroots in the ``${``\ :term:`WORKDIR`\ ``}`` (i.e.
+   ``recipe-sysroot`` and ``recipe-sysroot-native``) so that the subsequent tasks
+   of the recipe (notably :ref:`ref-tasks-configure` and :ref:`ref-tasks-compile`)
+   can access the libraries, headers, and similar files built by the recipes on
+   which it depends.
 
--  *do_configure*: This task configures the source by enabling and
+   -  ``recipe-sysroot``: contains target libraries, and associated headers and
+      other data needed to cross-build software from its sources
+
+   -  ``recipe-sysroot-native``: contains host-native executables with their libraries
+      and other data, so that they can be run directly on the build host when
+      that is required by the build process
+
+-  :ref:`ref-tasks-configure`: This task configures the source by enabling and
    disabling any build-time and configuration options for the software
    being built. Configurations can come from the recipe itself as well
    as from an inherited class. Additionally, the software itself might
@@ -837,7 +840,7 @@ This step in the build process consists of the following tasks:
    class, see the :ref:`ref-classes-autotools` class
    :yocto_git:`here </poky/tree/meta/classes-recipe/autotools.bbclass>`.
 
--  *do_compile*: Once a configuration task has been satisfied,
+-  :ref:`ref-tasks-compile`: Once a configuration task has been satisfied,
    BitBake compiles the source using the
    :ref:`ref-tasks-compile` task.
    Compilation occurs in the directory pointed to by the
@@ -845,7 +848,7 @@ This step in the build process consists of the following tasks:
    :term:`B` directory is, by default, the same as the
    :term:`S` directory.
 
--  *do_install*: After compilation completes, BitBake executes the
+-  :ref:`ref-tasks-install`: After compilation completes, BitBake executes the
    :ref:`ref-tasks-install` task.
    This task copies files from the :term:`B` directory and places them in a
    holding area pointed to by the :term:`D`

documentation/overview-manual/development-environment.rst

@@ -172,7 +172,7 @@ these tarballs gives you a snapshot of the released files.
       BSP repository and the Source Directory (i.e. ``poky``)
       repository. For example, if you have checked out the "&DISTRO_NAME_NO_CAP;"
       branch of ``poky`` and you are going to use ``meta-intel``, be
-      sure to checkout the "&DISTRO_NAME_NO_CAP;" branch of ``meta-intel``.
+      sure to check out the "&DISTRO_NAME_NO_CAP;" branch of ``meta-intel``.
 
 In summary, here is where you can get the project files needed for
 development:
@@ -438,7 +438,7 @@ local branch named "&DISTRO_NAME_NO_CAP;", which tracks the upstream
 branch would ultimately affect the upstream "&DISTRO_NAME_NO_CAP;" branch
 of the ``poky`` repository.
 
-It is important to understand that when you create and checkout a local
+It is important to understand that when you create and check out a local
 working branch based on a branch name, your local environment matches
 the "tip" of that particular development branch at the time you created
 your local branch, which could be different from the files in the
@@ -461,10 +461,10 @@ releases.
 
 When you create a local copy of the Git repository, you also have access
 to all the tags in the upstream repository. Similar to branches, you can
-create and checkout a local working Git branch based on a tag name. When
+create and check out a local working Git branch based on a tag name. When
 you do this, you get a snapshot of the Git repository that reflects the
 state of the files when the change was made associated with that tag.
-The most common use is to checkout a working branch that matches a
+The most common use is to check out a working branch that matches a
 specific Yocto Project release. Here is an example::
 
    $ cd ~
@@ -483,7 +483,7 @@ whose "HEAD" matches the commit in the repository associated with the
 "rocko-18.0.0" tag. The files in your repository now exactly match that
 particular Yocto Project release as it is tagged in the upstream Git
 repository. It is important to understand that when you create and
-checkout a local working branch based on a tag, your environment matches
+check out a local working branch based on a tag, your environment matches
 a specific point in time and not the entire development branch (i.e.
 from the "tip" of the branch backwards).
 

documentation/overview-manual/yp-intro.rst

@@ -26,12 +26,6 @@ platforms as well as software stacks that can be maintained and scaled.
 .. image:: svg/key-dev-elements.*
     :width: 100%
 
-For further introductory information on the Yocto Project, you might be
-interested in this
-`article <https://www.embedded.com/why-the-yocto-project-for-my-iot-project/>`__
-by Drew Moseley and in this short introductory
-`video <https://www.youtube.com/watch?v=utZpKM7i5Z4>`__.
-
 The remainder of this section overviews advantages and challenges tied
 to the Yocto Project.
 
@@ -387,7 +381,7 @@ Yocto Project:
 
    .. note::
 
-      AutoBuilder is based on buildbot.
+      AutoBuilder is based on `buildbot <https://buildbot.net/>`__.
 
    A goal of the Yocto Project is to lead the open source industry with
    a project that automates testing and QA procedures. In doing so, the

documentation/ref-manual/variables.rst

@@ -1638,7 +1638,7 @@ system and gives an overview of their function and contents.
          (set via :term:`RRECOMMENDS`) are always ignored.
 
    :term:`COMPONENTS_DIR`
-      Stores sysroot components for each recipe. The OpenEmbedded build
+      Stores sysroot components provided by each recipe. The OpenEmbedded build
       system uses :term:`COMPONENTS_DIR` when constructing recipe-specific
       sysroots for other recipes.
 
@@ -2144,7 +2144,7 @@ system and gives an overview of their function and contents.
 
       The practical effect of the previous assignment is that all files
       installed by bar will be available in the appropriate staging sysroot,
-      given by the :term:`STAGING_DIR* <STAGING_DIR>` variables, by the time
+      given by the :term:`STAGING_DIR* <STAGING_DIR_HOST>` variables, by the time
       the :ref:`ref-tasks-configure` task for ``foo`` runs. This mechanism is
       implemented by having :ref:`ref-tasks-configure` depend on the
       :ref:`ref-tasks-populate_sysroot` task of each recipe listed in
@@ -6841,19 +6841,17 @@ system and gives an overview of their function and contents.
       Points to a shared, global-state directory that holds data generated
       during the packaging process. During the packaging process, the
       :ref:`ref-tasks-packagedata` task packages data
-      for each recipe and installs it into this temporary, shared area.
+      for each recipe and installs it into this shared area.
       This directory defaults to the following, which you should not
       change::
 
-         ${STAGING_DIR_HOST}/pkgdata
+         ${TMPDIR}/pkgdata/${MACHINE}
 
       For examples of how this data is used, see the
       ":ref:`overview-manual/concepts:automatically added runtime dependencies`"
       section in the Yocto Project Overview and Concepts Manual and the
       ":ref:`dev-manual/debugging:viewing package information with ``oe-pkgdata-util```"
-      section in the Yocto Project Development Tasks Manual. For more
-      information on the shared, global-state directory, see
-      :term:`STAGING_DIR_HOST`.
+      section in the Yocto Project Development Tasks Manual.
 
    :term:`PKGDEST`
       Points to the parent directory for files to be packaged after they
@@ -7435,13 +7433,13 @@ system and gives an overview of their function and contents.
       section.
 
    :term:`RECIPE_SYSROOT`
-      This variable points to the directory that holds all files populated from
+      This variable points to the directory populated with all files provided by
       recipes specified in :term:`DEPENDS`. As the name indicates,
-      think of this variable as a custom root (``/``) for the recipe that will be
+      think of this variable as a custom root (``/``) for the recipe, that will be
       used by the compiler in order to find headers and other files needed to complete
       its job.
 
-      This variable is related to :term:`STAGING_DIR_HOST` or :term:`STAGING_DIR_TARGET`
+      This variable is used to define :term:`STAGING_DIR_HOST` or :term:`STAGING_DIR_TARGET`
       according to the type of the recipe and the build target.
 
       To better understand this variable, consider the following examples:
@@ -7455,11 +7453,11 @@ system and gives an overview of their function and contents.
       Do not modify it.
 
    :term:`RECIPE_SYSROOT_NATIVE`
-      This is similar to :term:`RECIPE_SYSROOT` but the populated files are from
-      ``-native`` recipes. This allows a recipe built for the target machine to
-      use ``native`` tools.
+      This is similar to :term:`RECIPE_SYSROOT` but files in it are provided by
+      native recipes. This allows a recipe built for the target machine to
+      use native tools.
 
-      This variable is related to :term:`STAGING_DIR_NATIVE`.
+      This variable is used to define :term:`STAGING_DIR_NATIVE`.
 
       The default value is ``"${WORKDIR}/recipe-sysroot-native"``.
       Do not modify it.
@@ -7720,7 +7718,9 @@ system and gives an overview of their function and contents.
    :term:`RSUGGESTS`
       A list of additional packages that you can suggest for installation
       by the package manager at the time a package is installed. Not all
-      package managers support this functionality.
+      package managers support this functionality. This feature takes effect
+      only when the package manager is being used to install packages on
+      the target system from a package feed.
 
       As with all package-controlling variables, you must always use this
       variable in conjunction with a package name override. Here is an
@@ -7728,6 +7728,10 @@ system and gives an overview of their function and contents.
 
          RSUGGESTS:${PN} = "useful_package another_package"
 
+      For more information on package management, see the
+      :ref:`dev-manual/packages:Using Runtime Package Management` section
+      of the Yocto Project Development Tasks Manual.
+
    :term:`RUST_CHANNEL`
       Specifies which version of Rust to build - "stable", "beta" or "nightly".
       The default value is "stable". Set this at your own risk, as values other
@@ -8893,8 +8897,7 @@ system and gives an overview of their function and contents.
       directory for the build host.
 
    :term:`STAGING_DIR`
-      Helps construct the ``recipe-sysroot*`` directories, which are used
-      during packaging.
+      Used for constructing directory trees used during staging.
 
       For information on how staging for recipe-specific sysroots occurs,
       see the :ref:`ref-tasks-populate_sysroot`
@@ -8914,31 +8917,31 @@ system and gives an overview of their function and contents.
          those files into the sysroot.
 
    :term:`STAGING_DIR_HOST`
-      Specifies the path to the sysroot directory for the system on which
-      the component is built to run (the system that hosts the component).
-      For most recipes, this sysroot is the one in which that recipe's
-      :ref:`ref-tasks-populate_sysroot` task copies
-      files. Exceptions include ``-native`` recipes, where the
-      :ref:`ref-tasks-populate_sysroot` task instead uses
-      :term:`STAGING_DIR_NATIVE`. Depending on
-      the type of recipe and the build target, :term:`STAGING_DIR_HOST` can
-      have the following values:
+      Specifies the path to the recipe's input sysroot directory, populated with files
+      for the system on which the component is built to run
+      (the system that hosts the component).
+      For most recipes, this sysroot is populated by their
+      :ref:`ref-tasks-populate_sysroot` task (when sharing files
+      between recipes). Exceptions include native recipes, for which the files from
+      :ref:`ref-tasks-populate_sysroot` task are instead copied to
+      :term:`STAGING_DIR_NATIVE`. Depending on the type of recipe and the build target,
+      :term:`STAGING_DIR_HOST` can have the following values:
 
       -  For recipes building for the target machine, the value is
-         "${:term:`STAGING_DIR`}/${:term:`MACHINE`}".
+         ``"${RECIPE_SYSROOT}"``, check :term:`RECIPE_SYSROOT`.
 
-      -  For native recipes building for the build host, the value is empty
-         given the assumption that when building for the build host, the
-         build host's own directories should be used.
+      -  For native recipes (building for the :term:`build host`), the value is empty
+         given the assumption that when building for the :term:`build host`, the
+         :term:`build host`'s own directories should be used.
 
          .. note::
 
-            ``-native`` recipes are not installed into host paths like such
-            as ``/usr``. Rather, these recipes are installed into
-            :term:`STAGING_DIR_NATIVE`. When compiling ``-native`` recipes,
+            Native recipe files are not installed into host paths such
+            as ``/usr``. Rather, such files are installed into
+            :term:`STAGING_DIR_NATIVE`. When compiling native recipes,
             standard build environment variables such as
             :term:`CPPFLAGS` and
-            :term:`CFLAGS` are set up so that both host paths
+            :term:`CFLAGS` are set up so that both :term:`build host`'s paths
             and :term:`STAGING_DIR_NATIVE` are searched for libraries and
             headers using, for example, GCC's ``-isystem`` option.
 
@@ -8946,16 +8949,15 @@ system and gives an overview of their function and contents.
             should be viewed as input variables by tasks such as
             :ref:`ref-tasks-configure`,
             :ref:`ref-tasks-compile`, and
-            :ref:`ref-tasks-install`. Having the real system
-            root correspond to :term:`STAGING_DIR_HOST` makes conceptual sense
-            for ``-native`` recipes, as they make use of host headers and
-            libraries.
-
-      Check :term:`RECIPE_SYSROOT` and :term:`RECIPE_SYSROOT_NATIVE`.
+            :ref:`ref-tasks-install`. Having the real system root
+            (the :term:`build host`'s root) play the role of :term:`STAGING_DIR_HOST`
+            makes conceptual sense for native recipes, as they make use
+            of the :term:`build host`'s headers and libraries.
 
    :term:`STAGING_DIR_NATIVE`
-      Specifies the path to the sysroot directory used when building
-      components that run on the build host itself.
+      Specifies the path to the recipe's input sysroot directory, populated with
+      files provided by native recipes (recipes building components that
+      run on the :term:`build host` itself).
 
       The default value is ``"${RECIPE_SYSROOT_NATIVE}"``,
       check :term:`RECIPE_SYSROOT_NATIVE`.

documentation/sphinx-static/theme_overrides.css

@@ -99,14 +99,19 @@ em {
 [alt='Permalink'] { color: #eee; }
 [alt='Permalink']:hover { color: black; }
 
-@media screen {
-    /* content column
-     *
-     * RTD theme's default is 800px as max width for the content, but we have
-     * tables with tons of columns, which need the full width of the view-port.
-     */
+.literal-block {
+    background: #f8f8f8;
+}
 
-    .wy-nav-content{max-width: none; }
+@media screen {
+    .wy-nav-content {
+       max-width: 1000px;
+       background: #fcfcfc;
+    }
+
+    .wy-nav-content-wrap {
+       background: #efefef;
+    }
 
     /* inline literal: drop the borderbox, padding and red color */
     code, .rst-content tt, .rst-content code {

documentation/transitioning-to-a-custom-environment.rst

@@ -9,10 +9,10 @@ Transitioning to a custom environment for systems development
 .. note::
 
    So you've finished the :doc:`brief-yoctoprojectqs/index` and
-   glanced over the document :doc:`what-i-wish-id-known`, the latter contains
+   glanced over the document :doc:`what-i-wish-id-known`, the latter containing
    important information learned from other users. You're well prepared. But
    now, as you are starting your own project, it isn't exactly straightforward what
-   to do. And, the documentation is daunting. We've put together a few hints to
+   to do, and the documentation is daunting. We've put together a few hints to
    get you started.
 
 #. **Make a list of the processor, target board, technologies, and capabilities
@@ -23,7 +23,7 @@ Transitioning to a custom environment for systems development
 #. **Set up your board support**.
    Even if you're using custom hardware, it might be easier to start with an
    existing target board that uses the same processor or at least the same
-   architecture as your custom hardware. Knowing the board already has a
+   architecture as your custom hardware. Knowing that the board already has a
    functioning Board Support Package (BSP) within the project makes it easier
    for you to get comfortable with project concepts.
 
@@ -34,19 +34,19 @@ Transitioning to a custom environment for systems development
    target board. The Yocto Project layer index BSPs are regularly validated. The
    best place to get your first BSP is from your silicon manufacturer or board
    vendor – they can point you to their most qualified efforts. In general, for
-   Intel silicon use meta-intel, for Texas Instruments use meta-ti, and so
+   Intel silicon use ``meta-intel``, for Texas Instruments use ``meta-ti``, and so
    forth. Choose a BSP that has been tested with the same Yocto Project release
    that you've downloaded. Be aware that some BSPs may not be immediately
    supported on the very latest release, but they will be eventually.
 
    You might want to start with the build specification that Poky provides
-   (which is reference embedded distribution) and then add your newly chosen
+   (which is reference embedded distribution) and then add your newly-chosen
    layers to that. Here is the information :ref:`about adding layers
    <dev-manual/layers:Understanding and Creating Layers>`.
 
 #. **Based on the layers you've chosen, make needed changes in your
    configuration**.
-   For instance, you've chosen a machine type and added in the corresponding BSP
+   For instance, assume you've chosen a machine type and added in the corresponding BSP
    layer. You'll then need to change the value of the :term:`MACHINE` variable in your
    configuration file (build/local.conf) to point to that same machine
    type. There could be other layer-specific settings you need to change as
@@ -68,8 +68,8 @@ Transitioning to a custom environment for systems development
    bsp layer using the \`\`bitbake-layers\`\` script>`. For example, given a
    64-bit x86-based machine, copy the conf/intel-corei7-64 definition and give
    the machine a relevant name (think board name, not product name). Make sure
-   the layer configuration is dependent on the meta-intel layer (or at least,
-   meta-intel remains in your bblayers.conf). Now you can put your custom BSP
+   the layer configuration is dependent on the ``meta-intel`` layer (or at least,
+   ``meta-intel`` remains in your ``bblayers.conf`` file). Now you can put your custom BSP
    settings into your layer and you can re-use it for different applications.
 
 #. **Write your own recipe to build additional software support that isn't

documentation/what-i-wish-id-known.rst

@@ -9,7 +9,7 @@ What I wish I'd known about Yocto Project
 .. note::
 
    Before reading further, make sure you've taken a look at the
-   :yocto_home:`Software Overview</software-overview>` page which presents the
+   :yocto_home:`Technical Overview</development/technical-overview>` page which presents the
    definitions for many of the terms referenced here. Also, know that some of the
    information here won't make sense now, but as you start developing, it is the
    information you'll want to keep close at hand. These are best known methods for
@@ -22,8 +22,8 @@ known before embarking on their first build with Yocto Project. Feel free to
 contact us with other suggestions.
 
 #. **Use Git, not the tarball download:**
-   If you use git the software will be automatically updated with bug updates
-   because of how git works. If you download the tarball instead, you will need
+   If you use Git, the software will be automatically updated with bug updates
+   because of how Git works. If you download the tarball instead, you will need
    to be responsible for your own updates.
 
 #. **Get to know the layer index:**
@@ -165,19 +165,19 @@ contact us with other suggestions.
 
    * deal with corporate proxies
    * add a package to an image
-   * understand the difference between a recipe and package
-   * build a package by itself and why that's useful
+   * understand the difference between a recipe and a package
+   * build a package by itself and understand why that's useful
    * find out what packages are created by a recipe
    * find out what files are in a package
    * find out what files are in an image
-   * add an ssh server to an image (enable transferring of files to target)
+   * add an SSH server to an image (enable transferring of files to target)
    * know the anatomy of a recipe
    * know how to create and use layers
    * find recipes (with the :oe_layerindex:`OpenEmbedded Layer index <>`)
-   * understand difference between machine and distro settings
+   * understand the difference between MACHINE and DISTRO settings
    * find and use the right BSP (machine) for your hardware
-   * find examples of distro features and know where to set them
-   * understanding the task pipeline and executing individual tasks
+   * find examples of DISTRO features and know where to set them
+   * understand the task pipeline and how to execute individual tasks
    * understand devtool and how it simplifies your workflow
    * improve build speeds with shared downloads and shared state cache
    * generate and understand a dependency graph

meta-poky/conf/distro/poky.conf

@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "5.0.17"
+DISTRO_VERSION = "5.0.18"
 DISTRO_CODENAME = "scarthgap"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"
@@ -43,8 +43,8 @@ SANITY_TESTED_DISTROS ?= " \
             fedora-39 \n \
             fedora-40 \n \
             fedora-41 \n \
-            centosstream-8 \n \
-            centosstream-9 \n \
+            centos-8 \n \
+            centos-9 \n \
             debian-11 \n \
             debian-12 \n \
             opensuseleap-15.4 \n \

meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb

@@ -11,7 +11,7 @@ SRCREV = "1a3e1343761b30750bed70e0fd688f6d3c7b3717"
 PV = "0.1+git"
 PR = "r2"
 
-SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master"
+SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master;protocol=https"
 UPSTREAM_CHECK_COMMITS = "1"
 RECIPE_NO_UPDATE_REASON = "This recipe is used to test devtool upgrade feature"
 

meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded

@@ -10,7 +10,7 @@ DEPENDS = "dbus"
 SRCREV = "6cc6077a36fe2648a5f993fe7c16c9632f946517"
 PV = "0.1+git"
 
-SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master"
+SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master;protocol=https"
 UPSTREAM_CHECK_COMMITS = "1"
 RECIPE_NO_UPDATE_REASON = "This recipe is used to test devtool upgrade feature"
 

meta-selftest/recipes-test/git-submodule-test/git-submodule-test.bb

@@ -7,8 +7,8 @@ INHIBIT_DEFAULT_DEPS = "1"
 
 UPSTREAM_VERSION_UNKNOWN = "1"
 
-SRC_URI = "gitsm://git.yoctoproject.org/git-submodule-test;branch=master"
-SRCREV = "a2885dd7d25380d23627e7544b7bbb55014b16ee"
+SRC_URI = "gitsm://git.yoctoproject.org/git-submodule-test;branch=master;protocol=https"
+SRCREV = "f280847494763cdcf71197557a81ba7d8a6bce42"
 
 S = "${WORKDIR}/git"
 

meta/classes/archiver.bbclass

@@ -397,7 +397,7 @@ python do_ar_mirror() {
 
         # We now have an appropriate localpath
         bb.note('Copying source mirror')
-        cmd = 'cp -fpPRH %s %s' % (localpath, destdir)
+        cmd = 'cp --force --preserve=timestamps --no-dereference --recursive -H %s %s' % (localpath, destdir)
         subprocess.check_call(cmd, shell=True)
 }
 

meta/conf/distro/include/yocto-uninative.inc

@@ -6,10 +6,10 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.42"
-UNINATIVE_VERSION = "4.9"
+UNINATIVE_MAXGLIBCVERSION = "2.43"
+UNINATIVE_VERSION = "5.1"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "812045d826b7fda88944055e8526b95a5a9440bfef608d5b53fd52faab49bf85"
-UNINATIVE_CHECKSUM[i686] ?= "5cc28efd0c15a75de4bcb147c6cce65f1c1c9d442173a220f08427f40a3ffa09"
-UNINATIVE_CHECKSUM[x86_64] ?= "4c03d1ed2b7b4e823aca4a1a23d8f2e322f1770fc10e859adcede5777aff4f3a"
+UNINATIVE_CHECKSUM[aarch64] ?= "4166237a9dabd222dcb9627a9435dffd756764fabf76ed7ef2e93dc2964567ad"
+UNINATIVE_CHECKSUM[i686] ?= "761502cc9aef4d54d0c6fe9418beb9fdd2c6220da6f2b04128c89f47902ab9ae"
+UNINATIVE_CHECKSUM[x86_64] ?= "2b63a078c26535e0786e87f81ae69509df30f4dce40693004c527bd5e4ab2b85"

meta/files/layers.example.json

@@ -20,7 +20,7 @@
                 "describe": "15.0-hardknott-3.3-310-g0a96edae",
                 "remotes": {
                     "origin": {
-                        "uri": "git://git.yoctoproject.org/meta-intel"
+                        "uri": "https://git.yoctoproject.org/meta-intel"
                     }
                 },
                 "rev": "0a96edae609a3f48befac36af82cf1eed6786b4a"
@@ -33,7 +33,7 @@
                 "describe": "4.1_M1-374-g9dda719b2a",
                 "remotes": {
                     "origin": {
-                        "uri": "git://git.yoctoproject.org/poky"
+                        "uri": "https://git.yoctoproject.org/poky"
                     },
                     "poky-contrib": {
                         "uri": "ssh://git@push.yoctoproject.org/poky-contrib"

meta/lib/oe/spdx30_tasks.py

@@ -535,7 +535,7 @@ def create_spdx(d):
             # specified.
             if (
                 include_vex != "all"
-                and "detail" in ("fixed-version", "cpe-stable-backport")
+                and detail in ("fixed-version", "cpe-stable-backport")
             ):
                 bb.debug(1, "Skipping %s since it is already fixed upstream" % cve_id)
                 continue

meta/lib/oeqa/sdk/buildtools-docs-cases/build.py

@@ -15,5 +15,5 @@ class BuildTests(OESDKTestCase):
     """
     def test_docs_build(self):
         with tempfile.TemporaryDirectory(prefix='docs-tarball-build-', dir=self.tc.sdk_dir) as testdir:
-            self._run('git clone git://git.yoctoproject.org/yocto-docs %s' % testdir)
+            self._run('git clone https://git.yoctoproject.org/yocto-docs %s' % testdir)
             self._run('cd %s/documentation && make html' % testdir)

meta/lib/oeqa/selftest/cases/archiver.py

@@ -335,8 +335,8 @@ class Archiver(OESelftestTestCase):
 
         bb_vars = get_bb_vars(['DEPLOY_DIR_SRC'])
         for target_file_name in [
-            'gitsmshallow_git.yoctoproject.org.git-submodule-test_a2885dd-1_master.tar.gz',
-            'gitsmshallow_git.yoctoproject.org.bitbake-gitsm-test1_bare_120f4c7-1.tar.gz',
+            'gitsmshallow_git.yoctoproject.org.git-submodule-test_f280847-1_master.tar.gz',
+            'gitsmshallow_git.yoctoproject.org.bitbake-gitsm-test1_bare_79a0efa-1.tar.gz',
             'gitsmshallow_git.yoctoproject.org.bitbake-gitsm-test2_bare_f66699e-1.tar.gz',
             'gitsmshallow_git.openembedded.org.bitbake_bare_52a144a-1.tar.gz',
             'gitsmshallow_git.openembedded.org.bitbake_bare_c39b997-1.tar.gz'

meta/lib/oeqa/selftest/cases/devtool.py

@@ -585,7 +585,7 @@ class DevtoolAddTests(DevtoolBase):
     def test_devtool_add_fetch_git(self):
         tempdir = tempfile.mkdtemp(prefix='devtoolqa')
         self.track_for_cleanup(tempdir)
-        url = 'gitsm://git.yoctoproject.org/mraa'
+        url = 'gitsm://git.yoctoproject.org/mraa;protocol=https'
         url_branch = '%s;branch=master' % url
         checkrev = 'ae127b19a50aa54255e4330ccfdd9a5d058e581d'
         testrecipe = 'mraa'
@@ -594,7 +594,7 @@ class DevtoolAddTests(DevtoolBase):
         self.track_for_cleanup(self.workspacedir)
         self.add_command_to_tearDown('bitbake -c cleansstate %s' % testrecipe)
         self.add_command_to_tearDown('bitbake-layers remove-layer */workspace')
-        result = runCmd('devtool add %s %s -a -f %s' % (testrecipe, srcdir, url))
+        result = runCmd('devtool add %s %s -a "%s"' % (testrecipe, srcdir, url))
         self.assertExists(os.path.join(self.workspacedir, 'conf', 'layer.conf'), 'Workspace directory not created: %s' % result.output)
         self.assertTrue(os.path.isfile(os.path.join(srcdir, 'imraa', 'imraa.c')), 'Unable to find imraa/imraa.c in source directory')
         # Test devtool status

meta/lib/oeqa/selftest/cases/externalsrc.py

@@ -17,7 +17,7 @@ class ExternalSrc(OESelftestTestCase):
     #     so we check only that a recipe with externalsrc can be parsed
     def test_externalsrc_srctree_hash_files(self):
         test_recipe = "git-submodule-test"
-        git_url = "git://git.yoctoproject.org/git-submodule-test"
+        git_url = "https://git.yoctoproject.org/git-submodule-test"
         externalsrc_dir = tempfile.TemporaryDirectory(prefix="externalsrc").name
 
         self.write_config(

meta/lib/oeqa/selftest/cases/gdbserver.py

@@ -7,6 +7,7 @@ import os
 import time
 import tempfile
 import shutil
+import tarfile
 import concurrent.futures
 
 from oeqa.selftest.case import OESelftestTestCase
@@ -40,7 +41,8 @@ CORE_IMAGE_EXTRA_INSTALL = "gdbserver"
             filename = os.path.join(bb_vars['DEPLOY_DIR_IMAGE'], "%s-dbg.tar.bz2" % bb_vars['IMAGE_LINK_NAME'])
             shutil.unpack_archive(filename, debugfs)
             filename = os.path.join(bb_vars['DEPLOY_DIR_IMAGE'], "%s.tar.bz2" % bb_vars['IMAGE_LINK_NAME'])
-            shutil.unpack_archive(filename, debugfs)
+            with tarfile.open(filename) as tar:
+                tar.extract("./bin/kmod", path=debugfs)
 
             with runqemu("core-image-minimal", runqemuparams="nographic") as qemu:
                 status, output = qemu.run_serial("kmod --help")

meta/lib/oeqa/selftest/cases/gitarchivetests.py

@@ -105,7 +105,7 @@ class GitArchiveTests(OESelftestTestCase):
         delete_fake_repository(path)
 
     def test_get_tags_without_valid_remote(self):
-        url = 'git://git.yoctoproject.org/poky'
+        url = 'https://git.yoctoproject.org/poky'
         path, git_obj = create_fake_repository(False, None, False)
 
         tags = ga.get_tags(git_obj, self.log, pattern="yocto-*", url=url)

meta/lib/oeqa/selftest/cases/minidebuginfo.py

@@ -6,7 +6,7 @@
 import os
 import subprocess
 import tempfile
-import shutil
+import tarfile
 
 from oeqa.selftest.case import OESelftestTestCase
 from oeqa.utils.commands import bitbake, get_bb_var, get_bb_vars, runCmd
@@ -32,7 +32,10 @@ IMAGE_FSTYPES = "tar.bz2"
         # ".gnu_debugdata" which stores minidebuginfo.
         with tempfile.TemporaryDirectory(prefix = "unpackfs-") as unpackedfs:
             filename = os.path.join(bb_vars['DEPLOY_DIR_IMAGE'], "{}.tar.bz2".format(bb_vars['IMAGE_LINK_NAME']))
-            shutil.unpack_archive(filename, unpackedfs)
+            with tarfile.open(filename) as tar:
+                tar.extract("./bin/busybox", path=unpackedfs)
+                tar.extract("./bin/busybox.nosuid", path=unpackedfs)
+                tar.extract("./lib/libc.so.6", path=unpackedfs)
 
             r = runCmd([bb_vars['READELF'], "-W", "-S", os.path.join(unpackedfs, "bin", "busybox")],
                     native_sysroot = native_sysroot, target_sys = target_sys)

meta/lib/oeqa/selftest/cases/oelib/license.py

@@ -12,8 +12,8 @@ class SeenVisitor(oe.license.LicenseVisitor):
         self.seen = []
         oe.license.LicenseVisitor.__init__(self)
 
-    def visit_Str(self, node):
-        self.seen.append(node.s)
+    def visit_Constant(self, node):
+        self.seen.append(node.value)
 
 class TestSingleLicense(TestCase):
     licenses = [

meta/lib/oeqa/selftest/cases/sstatetests.py

@@ -228,7 +228,7 @@ class SStateTests(SStateBase):
         # Use dbus-wait as a local git repo we can add a commit between two builds in
         pn = 'dbus-wait'
         srcrev = '6cc6077a36fe2648a5f993fe7c16c9632f946517'
-        url = 'git://git.yoctoproject.org/dbus-wait'
+        url = 'https://git.yoctoproject.org/dbus-wait'
         result = runCmd('git clone %s noname' % url, cwd=tempdir)
         srcdir = os.path.join(tempdir, 'noname')
         result = runCmd('git reset --hard %s' % srcrev, cwd=srcdir)

meta/lib/oeqa/selftest/cases/yoctotestresultsquerytests.py

@@ -36,4 +36,4 @@ class TestResultsQueryTests(OESelftestTestCase):
             shutil.rmtree(workdir, ignore_errors=True)
             self.fail(f"Can not execute git commands in {workdir}")
         shutil.rmtree(workdir)
-        self.assertEqual(url, "git://git.yoctoproject.org/yocto-testresults")
+        self.assertEqual(url, "https://git.yoctoproject.org/yocto-testresults")

meta/lib/oeqa/utils/httpserver.py

@@ -6,7 +6,7 @@
 
 import http.server
 import logging
-import multiprocessing
+from bb import multiprocessing
 import os
 import signal
 from socketserver import ThreadingMixIn

meta/recipes-bsp/grub/files/cfg

@@ -1,2 +1,2 @@
-search.file ($cmdpath)/EFI/BOOT/grub.cfg root
+search --file --set=root --hint-efi=$cmdpath /EFI/BOOT/grub.cfg
 set prefix=($root)/EFI/BOOT

meta/recipes-bsp/u-boot/files/CVE-2025-24857.patch

@@ -0,0 +1,42 @@
+From 15a46d72515c04d0eeaca19bf0356a39efc9cf93 Mon Sep 17 00:00:00 2001
+From: Tom Rini <trini@konsulko.com>
+Date: Tue, 9 Dec 2025 15:23:01 -0600
+Subject: [PATCH] fs: fat: Perform sanity checks on getsize in get_fatent()
+
+We do not perform a check on the value of getsize in get_fatent to
+ensure that it will fit within the allocated buffer. For safety sake,
+add a check now and if the value exceeds FATBUFBLOCKS use that value
+instead. While not currently actively exploitable, it was in the past so
+adding this check is worthwhile.
+
+This addresses CVE-2025-24857 and was originally reported by Harvey
+Phillips of Amazon Element55.
+
+Signed-off-by: Tom Rini <trini@konsulko.com>
+
+CVE: CVE-2025-24857
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/87d85139a96a39429120cca838e739408ef971a2]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/fat/fat.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/fat/fat.c b/fs/fat/fat.c
+index e2570e81676..f6dc7ed15fe 100644
+--- a/fs/fat/fat.c
++++ b/fs/fat/fat.c
+@@ -215,6 +215,11 @@ static __u32 get_fatent(fsdata *mydata, __u32 entry)
+ 		if (flush_dirty_fat_buffer(mydata) < 0)
+ 			return -1;
+ 
++		if (getsize > FATBUFBLOCKS) {
++			debug("getsize is too large for bufptr\n");
++			getsize = FATBUFBLOCKS;
++		}
++
+ 		if (disk_read(startblock, getsize, bufptr) < 0) {
+ 			debug("Error reading FAT blocks\n");
+ 			return ret;
+-- 
+2.49.0
+

meta/recipes-bsp/u-boot/u-boot-common.inc

@@ -14,7 +14,9 @@ PE = "1"
 # repo during parse
 SRCREV = "866ca972d6c3cabeaf6dbac431e8e08bb30b3c8e"
 
-SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master"
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
+           file://CVE-2025-24857.patch \
+"
 
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"

meta/recipes-connectivity/avahi/avahi_0.8.bb

@@ -41,6 +41,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
            file://CVE-2025-68468.patch \
            file://CVE-2025-68471.patch \
            file://CVE-2026-24401.patch \
+           file://CVE-2026-34933-1.patch \
+           file://CVE-2026-34933-2.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"

meta/recipes-connectivity/avahi/files/CVE-2026-34933-1.patch

@@ -0,0 +1,108 @@
+From 0be89b6bb5c3983837b5e0febcbbbf452ecf7675 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 1 Apr 2026 05:31:58 +0000
+Subject: [PATCH] core: refuse to accept publish flags where both wide_area and
+ multicast are set
+
+It fixes a bug where it was possible for unprivileged local users to
+crash avahi-daemon via D-Bus by calling EntryGroup methods accepting
+flags and passing both AVAHI_PUBLISH_USE_WIDE_AREA and
+AVAHI_PUBLISH_USE_MULTICAST there. For example when AddRecord was
+invoked like that avahi-daemon crashed with
+```
+dbus-entry-group.c: interface=org.freedesktop.Avahi.EntryGroup, path=/Client0/EntryGroup1, member=AddRecord
+avahi-daemon: entry.c:57: transport_flags_from_domain: Assertion `!((*flags & AVAHI_PUBLISH_USE_MULTICAST) && (*flags & AVAHI_PUBLISH_USE_WIDE_AREA))' failed.
+==84944==
+==84944== Process terminating with default action of signal 6 (SIGABRT)
+==84944==    at 0x4B353BC: __pthread_kill_implementation (pthread_kill.c:44)
+==84944==    by 0x4ADE941: raise (raise.c:26)
+==84944==    by 0x4AC64AB: abort (abort.c:77)
+==84944==    by 0x4AC641F: __assert_fail_base.cold (assert.c:118)
+==84944==    by 0x48A9404: transport_flags_from_domain (entry.c:57)
+==84944==    by 0x48A9F8F: server_add_internal (entry.c:224)
+==84944==    by 0x48AA49F: avahi_server_add (entry.c:324)
+==84944==    by 0x401A670: avahi_dbus_msg_entry_group_impl (dbus-entry-group.c:348)
+==84944==    by 0x4A70741: ??? (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3)
+==84944==    by 0x4A5FB22: dbus_connection_dispatch (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3)
+==84944==    by 0x401D01D: dispatch_timeout_callback (dbus-watch-glue.c:105)
+==84944==    by 0x488E3AE: timeout_callback (simple-watch.c:447)
+==84944==
+```
+It's a follow-up to fbce111b069aa1e4c701ed37ee1d9f6d6cefaac5 where
+those flags were introduced and consistent with the other places
+where wide_area/multicast flags are used.
+
+It was discovered by
+Guillaume Meunier - Head of Vulnerability Operations Center France - Orange Cyberdefense
+
+https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc
+
+CVE-2026-34933
+
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/0be89b6bb5c3983837b5e0febcbbbf452ecf7675]
+CVE: CVE-2026-34933
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/entry.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/avahi-core/entry.c b/avahi-core/entry.c
+index 0d862133d..06eb12076 100644
+--- a/avahi-core/entry.c
++++ b/avahi-core/entry.c
+@@ -207,6 +207,7 @@ static AvahiEntry * server_add_internal(
+                                          AVAHI_PUBLISH_UPDATE|
+                                          AVAHI_PUBLISH_USE_WIDE_AREA|
+                                          AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
++    AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_domain_name(r->key->name), AVAHI_ERR_INVALID_HOST_NAME);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(s, r->ttl != 0, AVAHI_ERR_INVALID_TTL);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !avahi_key_is_pattern(r->key), AVAHI_ERR_IS_PATTERN);
+@@ -454,6 +455,7 @@ int avahi_server_add_address(
+                                               AVAHI_PUBLISH_UPDATE|
+                                               AVAHI_PUBLISH_USE_WIDE_AREA|
+                                               AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
++    AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+     AVAHI_CHECK_VALIDITY(s, !name || avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME);
+ 
+     /* Prepare the host naem */
+@@ -595,6 +597,7 @@ static int server_add_service_strlst_nocopy(
+                                                                 AVAHI_PUBLISH_UPDATE|
+                                                                 AVAHI_PUBLISH_USE_WIDE_AREA|
+                                                                 AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
++    AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
+@@ -754,6 +757,7 @@ static int server_update_service_txt_strlst_nocopy(
+                                                                 AVAHI_PUBLISH_NO_COOKIE|
+                                                                 AVAHI_PUBLISH_USE_WIDE_AREA|
+                                                                 AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
++    AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
+@@ -843,6 +847,7 @@ int avahi_server_add_service_subtype(
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE);
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL);
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS);
++    AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
+     AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
+@@ -910,6 +915,7 @@ static AvahiEntry *server_add_dns_server_name(
+     assert(name);
+ 
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
++    AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(s, port != 0, AVAHI_ERR_INVALID_PORT);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -967,6 +973,7 @@ int avahi_server_add_dns_server_address(
+     AVAHI_CHECK_VALIDITY(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE);
+     AVAHI_CHECK_VALIDITY(s, AVAHI_PROTO_VALID(protocol) && AVAHI_PROTO_VALID(address->proto), AVAHI_ERR_INVALID_PROTOCOL);
+     AVAHI_CHECK_VALIDITY(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS);
++    AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+     AVAHI_CHECK_VALIDITY(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS);
+     AVAHI_CHECK_VALIDITY(s, port != 0, AVAHI_ERR_INVALID_PORT);
+     AVAHI_CHECK_VALIDITY(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);

meta/recipes-connectivity/avahi/files/CVE-2026-34933-2.patch

@@ -0,0 +1,96 @@
+From a93fdd980d2db5d453475c0aa2b39946bd6611bd Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 1 Apr 2026 05:30:58 +0000
+Subject: [PATCH] tests: make sure AVAHI_PUBLISH_USE_WIDE_AREA is refused
+
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/a93fdd980d2db5d453475c0aa2b39946bd6611bd]
+CVE: CVE-2026-34933
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c | 25 +++++++++++++++++++++++++
+ avahi-core/avahi-test.c    | 12 +++++++++++-
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
+index 9a015d7..c80e12f 100644
+--- a/avahi-client/client-test.c
++++ b/avahi-client/client-test.c
+@@ -212,6 +212,28 @@ static void terminate(AVAHI_GCC_UNUSED AvahiTimeout *timeout, AVAHI_GCC_UNUSED v
+     avahi_simple_poll_quit(simple_poll);
+ }
+ 
++static void test_refuse_publish_flags(AvahiEntryGroup *g, AvahiPublishFlags flags, int expected) {
++    AvahiAddress a;
++    AvahiStringList *l = NULL;
++    int r;
++
++    r = avahi_entry_group_add_record(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test.local", AVAHI_DNS_CLASS_IN, AVAHI_DNS_TYPE_CNAME, 120, "\0", 1);
++    assert(r == expected);
++
++    avahi_address_parse("224.0.0.251", AVAHI_PROTO_UNSPEC, &a);
++    r = avahi_entry_group_add_address(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test.local", &a);
++    assert(r == expected);
++
++    r = avahi_entry_group_add_service_strlst(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, NULL, 80, l);
++    assert(r == expected);
++
++    r = avahi_entry_group_update_service_txt_strlst(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, l);
++    assert(r == expected);
++
++    r = avahi_entry_group_add_service_subtype(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, "_magic._sub._http._tcp");
++    assert(r == expected);
++}
++
+ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     AvahiClient *avahi;
+     AvahiEntryGroup *group, *group2;
+@@ -275,6 +297,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
+     assert(error != AVAHI_OK);
+ 
++    test_refuse_publish_flags(group, AVAHI_PUBLISH_USE_WIDE_AREA, AVAHI_ERR_NOT_SUPPORTED);
++    test_refuse_publish_flags(group, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST, AVAHI_ERR_INVALID_FLAGS);
++
+     avahi_entry_group_commit (group);
+ 
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+diff --git a/avahi-core/avahi-test.c b/avahi-core/avahi-test.c
+index 2a7872b..2bae82b 100644
+--- a/avahi-core/avahi-test.c
++++ b/avahi-core/avahi-test.c
+@@ -30,6 +30,7 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ 
++#include <avahi-common/error.h>
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/simple-watch.h>
+ #include <avahi-common/alternative.h>
+@@ -150,6 +151,7 @@ static void remove_entries(void) {
+ static void create_entries(int new_name) {
+     AvahiAddress a;
+     AvahiRecord *r;
++    int error;
+ 
+     remove_entries();
+ 
+@@ -181,7 +183,15 @@ static void create_entries(int new_name) {
+         goto fail;
+     }
+ 
+-    if (avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, NULL, AVAHI_DNS_SERVER_RESOLVE, avahi_address_parse("192.168.50.1", AVAHI_PROTO_UNSPEC, &a), 53) < 0) {
++    avahi_address_parse("192.168.50.1", AVAHI_PROTO_UNSPEC, &a);
++
++    error = avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, AVAHI_PUBLISH_USE_WIDE_AREA, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53);
++    assert(error == AVAHI_ERR_NOT_SUPPORTED);
++
++    error = avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53);
++    assert(error == AVAHI_ERR_INVALID_FLAGS);
++
++    if (avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53) < 0) {
+         avahi_log_error("Failed to add new DNS Server address");
+         goto fail;
+     }
+-- 
+2.43.0
+

meta/recipes-connectivity/inetutils/inetutils/CVE-2026-32772.patch

@@ -0,0 +1,172 @@
+From d6b8b83aa51616946fd314bc48087312d13c99f8 Mon Sep 17 00:00:00 2001
+From: Collin Funk <collin.funk1@gmail.com>
+Date: Thu, 26 Mar 2026 22:52:54 -0700
+Subject: telnet: don't leak the value of unexported environment variables
+
+Patch based on the following OpenBSD commit:
+<https://github.com/openbsd/src/commit/1a11dc7253488a97d6df686dae9230f78682e8df>
+
+* telnet/commands.c (env_getvalue): Add a boolean argument to prevent
+prevent unexported variables from being returned.
+* telnet/externs.h (env_getvalue): Adjust the function declaration.
+* telnet/authenc.c (telnet_getenv): Add the new argument.
+* telnet/telnet.c (dooption, gettermname, suboption, env_opt_add)
+(telnet): Likewise.
+
+A telnet server can read a client's environment variables with the
+NEW-ENVIRON option and the SEND ENV_USERVAR command.
+
+This had previously been reported as CVE-2005-0488, but inetutils never
+got a fix for it.
+
+Reported-by: Justin Swartz <justin.swartz@risingedge.co.za>
+Based-on-patch: https://gitlab.com/redhat/centos-stream/rpms/telnet/-/blob/c9s/telnet-0.17-env.patch
+Link: https://www.openwall.com/lists/oss-security/2026/03/13/1
+
+CVE: CVE-2026-32772
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/inetutils.git/patch/?id=d6b8b83aa51616946fd314bc48087312d13c99f8]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtelnet/misc-proto.h |  4 +++-
+ telnet/authenc.c       |  4 ++--
+ telnet/commands.c      |  5 +++--
+ telnet/externs.h       |  4 +++-
+ telnet/telnet.c        | 10 +++++-----
+ 5 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/libtelnet/misc-proto.h b/libtelnet/misc-proto.h
+index abf8316..a836a69 100644
+--- a/libtelnet/misc-proto.h
++++ b/libtelnet/misc-proto.h
+@@ -68,6 +68,8 @@
+ #ifndef __MISC_PROTO__
+ # define __MISC_PROTO__
+ 
++#include <stdbool.h>
++
+ void auth_encrypt_init (char *, char *, char *, char *, int);
+ void auth_encrypt_user (char *);
+ void auth_encrypt_connect (int);
+@@ -79,6 +81,6 @@ void printd (unsigned char *, int);
+ int net_write (unsigned char *, int);
+ void net_encrypt (void);
+ int telnet_spin (void);
+-char *telnet_getenv (char *);
++char *telnet_getenv (char *, bool);
+ char *telnet_gets (char *, char *, int, int);
+ #endif
+diff --git a/telnet/authenc.c b/telnet/authenc.c
+index b019251..dcd19e8 100644
+--- a/telnet/authenc.c
++++ b/telnet/authenc.c
+@@ -91,9 +91,9 @@ telnet_spin ()
+ }
+ 
+ char *
+-telnet_getenv (char *val)
++telnet_getenv (char *val, bool exported_only)
+ {
+-  return ((char *) env_getvalue (val));
++  return ((char *) env_getvalue (val, exported_only));
+ }
+ 
+ char *
+diff --git a/telnet/commands.c b/telnet/commands.c
+index 2a133c9..d8d0864 100644
+--- a/telnet/commands.c
++++ b/telnet/commands.c
+@@ -66,6 +66,7 @@
+ #include <stdarg.h>
+ #include <errno.h>
+ 
++#include <stdbool.h>
+ #include <stdlib.h>
+ #include <limits.h>		/* LLONG_MAX for Solaris. */
+ 
+@@ -2059,10 +2060,10 @@ env_default (int init, int welldefined)
+ }
+ 
+ unsigned char *
+-env_getvalue (const char *var)
++env_getvalue (const char *var, bool exported_only)
+ {
+   register struct env_lst *ep = env_find (var);
+-  if (ep)
++  if (ep && (!exported_only || ep->export))
+     return (ep->value);
+   return (NULL);
+ }
+diff --git a/telnet/externs.h b/telnet/externs.h
+index f79c6ae..e0d9fbc 100644
+--- a/telnet/externs.h
++++ b/telnet/externs.h
+@@ -67,6 +67,7 @@
+ # endif
+ #endif
+ 
++#include <stdbool.h>
+ #include <stdio.h>
+ #include <setjmp.h>
+ #if defined CRAY && !defined NO_BSD_SETJMP
+@@ -331,7 +332,8 @@ env_opt (unsigned char *, int),
+ env_opt_start (void),
+ env_opt_start_info (void), env_opt_add (unsigned char *), env_opt_end (int);
+ 
+-extern unsigned char *env_default (int, int), *env_getvalue (const char *);
++extern unsigned char *env_default (int, int);
++extern unsigned char *env_getvalue (const char *, bool);
+ 
+ int dosynch (const char *);
+ int get_status (const char *);
+diff --git a/telnet/telnet.c b/telnet/telnet.c
+index 8884b6e..6a5cf8b 100644
+--- a/telnet/telnet.c
++++ b/telnet/telnet.c
+@@ -496,7 +496,7 @@ dooption (int option)
+ #endif
+ 
+ 	    case TELOPT_XDISPLOC:	/* X Display location */
+-	      if (env_getvalue ("DISPLAY"))
++	      if (env_getvalue ("DISPLAY", false))
+ 		new_state_ok = 1;
+ 	      break;
+ 
+@@ -793,7 +793,7 @@ gettermname (void)
+       resettermname = 0;
+       if (tnamep && tnamep != unknown)
+ 	free (tnamep);
+-      if ((tname = (char *) env_getvalue ("TERM")) &&
++      if ((tname = (char *) env_getvalue ("TERM", false)) &&
+ 	  (init_term (tname, &err) == 0))
+ 	{
+ 	  tnamep = mklist (termbuf, tname);
+@@ -992,7 +992,7 @@ suboption (void)
+ 	  unsigned char temp[50], *dp;
+ 	  int len;
+ 
+-	  if ((dp = env_getvalue ("DISPLAY")) == NULL)
++	  if ((dp = env_getvalue ("DISPLAY", false)) == NULL)
+ 	    {
+ 	      /*
+ 	       * Something happened, we no longer have a DISPLAY
+@@ -1727,7 +1727,7 @@ env_opt_add (register unsigned char *ep)
+ 	env_opt_add (ep);
+       return;
+     }
+-  vp = env_getvalue ((char *) ep);
++  vp = env_getvalue ((char *) ep, true);
+   if (opt_replyp + (vp ? strlen ((char *) vp) : 0) +
+       strlen ((char *) ep) + 6 > opt_replyend)
+     {
+@@ -2484,7 +2484,7 @@ telnet (char *user)
+       send_will (TELOPT_LINEMODE, 1);
+       send_will (TELOPT_NEW_ENVIRON, 1);
+       send_do (TELOPT_STATUS, 1);
+-      if (env_getvalue ("DISPLAY"))
++      if (env_getvalue ("DISPLAY", false))
+ 	send_will (TELOPT_XDISPLOC, 1);
+       if (eight)
+ 	tel_enter_binary (eight);
+-- 
+2.50.1
+

meta/recipes-connectivity/inetutils/inetutils_2.5.bb

@@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
            file://CVE-2026-24061-2.patch \
            file://CVE-2026-28372.patch \
            file://CVE-2026-32746.patch \
+           file://CVE-2026-32772.patch \
            "
 
 inherit autotools gettext update-alternatives texinfo

meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch

@@ -38,7 +38,7 @@ diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tm
 index 09303c4..011bda1 100644
 --- a/Configurations/unix-Makefile.tmpl
 +++ b/Configurations/unix-Makefile.tmpl
-@@ -513,13 +513,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+@@ -514,13 +514,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
                           '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
  BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
  

meta/recipes-connectivity/openssl/openssl_3.5.6.bb

@@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89"
+SRC_URI[sha256sum] = "deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"

meta/recipes-core/base-passwd/base-passwd/0001-Add-a-shutdown-group.patch

@@ -1,4 +1,4 @@
-From 8f3ace87df3aaad85946c22cae240532ea3e73b8 Mon Sep 17 00:00:00 2001
+From 6f714635792a14fd3ee8d2ce0318c0185add5c00 Mon Sep 17 00:00:00 2001
 From: Saul Wold <sgw@linux.intel.com>
 Date: Fri, 29 Apr 2022 13:32:27 +0000
 Subject: [PATCH] Add a shutdown group
@@ -14,10 +14,10 @@ Signed-off-by: Saul Wold <sgw@linux.intel.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/group.master b/group.master
-index ad1dd2d..1b5e2fb 100644
+index 3e7bf1c..72108a8 100644
 --- a/group.master
 +++ b/group.master
-@@ -35,5 +35,6 @@ sasl:*:45:
+@@ -34,5 +34,6 @@ sasl:*:45:
  plugdev:*:46:
  staff:*:50:
  games:*:60:

meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch

@@ -1,4 +1,4 @@
-From 9e57771d138ac423d5139b984b8c869122ce4976 Mon Sep 17 00:00:00 2001
+From ff622d69e9c06c00dacdffc163a383f8d2903475 Mon Sep 17 00:00:00 2001
 From: Alex Kiernan <alexk@zuma.ai>
 Date: Fri, 28 Jul 2023 10:28:57 +0100
 Subject: [PATCH] base-passwd: Add the sgx group
@@ -17,7 +17,7 @@ Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/group.master b/group.master
-index d34d2b832d43..e54fd1d2c6dc 100644
+index d34d2b8..e54fd1d 100644
 --- a/group.master
 +++ b/group.master
 @@ -34,6 +34,7 @@ video:*:44:

meta/recipes-core/base-passwd/base-passwd/0002-Use-bin-sh-instead-of-bin-bash-for-the-root-user.patch

@@ -1,4 +1,4 @@
-From 4411fc0df77566d52bee11ec0bad4be30a96e99e Mon Sep 17 00:00:00 2001
+From c30862c6892d17ae2f4578101dcb050250956cec Mon Sep 17 00:00:00 2001
 From: Scott Garman <scott.a.garman@intel.com>
 Date: Fri, 29 Apr 2022 13:32:27 +0000
 Subject: [PATCH] Use /bin/sh instead of /bin/bash for the root user
@@ -12,7 +12,7 @@ Signed-off-by: Scott Garman <scott.a.garman@intel.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/passwd.master b/passwd.master
-index 7cd4e24..041685a 100644
+index 90514a5..bd3efc2 100644
 --- a/passwd.master
 +++ b/passwd.master
 @@ -1,4 +1,4 @@

meta/recipes-core/base-passwd/base-passwd/0003-Remove-for-root-since-we-do-not-have-an-etc-shadow.patch

@@ -1,4 +1,4 @@
-From 13a1a284a134d18a454625a5b4485c0d99079ae9 Mon Sep 17 00:00:00 2001
+From 0d35229f01e3a38a27338320e67c4cb5652a3249 Mon Sep 17 00:00:00 2001
 From: Scott Garman <scott.a.garman@intel.com>
 Date: Fri, 29 Apr 2022 13:32:28 +0000
 Subject: [PATCH] Remove "*" for root since we do not have an /etc/shadow
@@ -10,7 +10,7 @@ Signed-off-by: Scott Garman <scott.a.garman@intel.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/passwd.master b/passwd.master
-index 041685a..31a84d4 100644
+index bd3efc2..66e9033 100644
 --- a/passwd.master
 +++ b/passwd.master
 @@ -1,4 +1,4 @@

meta/recipes-core/base-passwd/base-passwd/0004-Add-an-input-group-for-the-dev-input-devices.patch

@@ -1,4 +1,4 @@
-From c5f012750f8102ff54af73ccc2d2b7bfa1f26db4 Mon Sep 17 00:00:00 2001
+From d2cdd4c8d7332d05ac86fb0625e8c2b3c7bf7728 Mon Sep 17 00:00:00 2001
 From: Darren Hart <dvhart@linux.intel.com>
 Date: Fri, 29 Apr 2022 13:32:28 +0000
 Subject: [PATCH] Add an input group for the /dev/input/* devices
@@ -10,7 +10,7 @@ Signed-off-by: Darren Hart <dvhart@linux.intel.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/group.master b/group.master
-index 1b5e2fb..cea9d60 100644
+index 72108a8..7d794b2 100644
 --- a/group.master
 +++ b/group.master
 @@ -12,6 +12,7 @@ uucp:*:10:

meta/recipes-core/base-passwd/base-passwd/0005-Add-kvm-group.patch

@@ -1,4 +1,4 @@
-From 6cf19461fb31d7a7a3010629aae9aab49c26a01b Mon Sep 17 00:00:00 2001
+From 07af34abb10b1455e065cfb1ce7ce766614da7e8 Mon Sep 17 00:00:00 2001
 From: Jacob Kroon <jacob.kroon@gmail.com>
 Date: Wed, 30 Jan 2019 04:53:48 +0000
 Subject: [PATCH] Add kvm group
@@ -10,10 +10,10 @@ Signed-off-by: Jacob Kroon <jacob.kroon@gmail.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/group.master b/group.master
-index cea9d60..5b62284 100644
+index 7d794b2..7fdd8bf 100644
 --- a/group.master
 +++ b/group.master
-@@ -34,6 +34,7 @@ utmp:*:43:
+@@ -33,6 +33,7 @@ utmp:*:43:
  video:*:44:
  sasl:*:45:
  plugdev:*:46:

meta/recipes-core/base-passwd/base-passwd/0007-Add-wheel-group.patch

@@ -1,3 +1,7 @@
+From 3c88afb923de603d126f89f2979b2cd232a180c8 Mon Sep 17 00:00:00 2001
+From: Louis Rannou <lrannou@baylibre.com>
+Date: Thu, 15 Jun 2023 13:43:55 +0200
+Subject: [PATCH] base-passwd: add the wheel group
 
 We need to have a wheel group which has some system privileges to consult the
 systemd journal or manage printers with cups.
@@ -7,11 +11,15 @@ Upstream says the group does not exist by default.
 Upstream-Status: Inappropriate [enable feature]
 
 Signed-off-by: Louis Rannou <lrannou@baylibre.com>
-Index: base-passwd-3.5.26/group.master
-===================================================================
---- base-passwd-3.5.29.orig/group.master
-+++ base-passwd-3.5.29/group.master
-@@ -38,5 +38,6 @@
+---
+ group.master | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/group.master b/group.master
+index 7fdd8bf..d34d2b8 100644
+--- a/group.master
++++ b/group.master
+@@ -37,5 +37,6 @@ kvm:*:47:
  staff:*:50:
  games:*:60:
  shutdown:*:70:

meta/recipes-core/base-passwd/base-passwd_3.6.8.bb

@@ -15,7 +15,7 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar
            file://0001-base-passwd-Add-the-sgx-group.patch \
            "
 
-SRC_URI[sha256sum] = "83575327d8318a419caf2d543341215c046044073d1afec2acc0ac4d8095ff39"
+SRC_URI[sha256sum] = "fab3d0e6e8b641e116bda9bd5f7a7ed24482384c1513f6a369b506327fbc8dde"
 
 # the package is taken from launchpad; that source is static and goes stale
 # so we check the latest upstream from a directory that does get updated

meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch

@@ -0,0 +1,198 @@
+From 3fb6b31c716669e12f75a2accd31bb7685b1a1cb Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 29 Jan 2026 11:48:02 +0100
+Subject: [PATCH] tar: strip unsafe hardlink components - GNU tar does the same
+
+Defends against files like these (python reproducer):
+
+import tarfile
+ti = tarfile.TarInfo("leak_hosts")
+ti.type = tarfile.LNKTYPE
+ti.linkname = "/etc/hosts"  # or "../etc/hosts" or ".."
+ti.size = 0
+with tarfile.open("/tmp/hardlink.tar", "w") as t:
+	t.addfile(ti)
+
+function                                             old     new   delta
+skip_unsafe_prefix                                     -     127    +127
+get_header_tar                                      1752    1754      +2
+.rodata                                           106861  106856      -5
+unzip_main                                          2715    2706      -9
+strip_unsafe_prefix                                  102      18     -84
+------------------------------------------------------------------------------
+(add/remove: 1/0 grow/shrink: 1/3 up/down: 129/-98)            Total: 31 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+CVE: CVE-2026-26157, CVE-2026-26158
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb]
+(Alternative mirrored URL: https://gogs.librecmc.org/OWEALS/busybox/commit/3fb6b31c716669e12f75a2accd31bb7685b1a1cb)
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ archival/libarchive/data_extract_all.c      |  7 +++--
+ archival/libarchive/get_header_tar.c        | 11 ++++++--
+ archival/libarchive/unsafe_prefix.c         | 30 +++++++++++++++++----
+ archival/libarchive/unsafe_symlink_target.c |  1 +
+ archival/tar.c                              |  2 +-
+ archival/unzip.c                            |  2 +-
+ include/bb_archive.h                        |  3 ++-
+ 7 files changed, 42 insertions(+), 14 deletions(-)
+
+diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
+index 8a69711..b84b960 100644
+--- a/archival/libarchive/data_extract_all.c
++++ b/archival/libarchive/data_extract_all.c
+@@ -66,8 +66,8 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+ 	}
+ #endif
+ #if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
+-	/* Strip leading "/" and up to last "/../" path component */
+-	dst_name = (char *)strip_unsafe_prefix(dst_name);
++	/* Skip leading "/" and past last ".." path component */
++	dst_name = (char *)skip_unsafe_prefix(dst_name);
+ #endif
+ // ^^^ This may be a problem if some applets do need to extract absolute names.
+ // (Probably will need to invent ARCHIVE_ALLOW_UNSAFE_NAME flag).
+@@ -185,8 +185,7 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+ 
+ 		/* To avoid a directory traversal attack via symlinks,
+ 		 * do not restore symlinks with ".." components
+-		 * or symlinks starting with "/", unless a magic
+-		 * envvar is set.
++		 * or symlinks starting with "/"
+ 		 *
+ 		 * For example, consider a .tar created via:
+ 		 *  $ tar cvf bug.tar anything.txt
+diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c
+index cc6f3f0..1c40ece 100644
+--- a/archival/libarchive/get_header_tar.c
++++ b/archival/libarchive/get_header_tar.c
+@@ -454,8 +454,15 @@ char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
+ #endif
+ 
+ 	/* Everything up to and including last ".." component is stripped */
+-	overlapping_strcpy(file_header->name, strip_unsafe_prefix(file_header->name));
+-//TODO: do the same for file_header->link_target?
++	strip_unsafe_prefix(file_header->name);
++	if (file_header->link_target) {
++		/* GNU tar 1.34 examples:
++		 * tar: Removing leading '/' from hard link targets
++		 * tar: Removing leading '../' from hard link targets
++		 * tar: Removing leading 'etc/../' from hard link targets
++		 */
++		strip_unsafe_prefix(file_header->link_target);
++	}
+ 
+ 	/* Strip trailing '/' in directories */
+ 	/* Must be done after mode is set as '/' is used to check if it's a directory */
+diff --git a/archival/libarchive/unsafe_prefix.c b/archival/libarchive/unsafe_prefix.c
+index 6670811..89a371a 100644
+--- a/archival/libarchive/unsafe_prefix.c
++++ b/archival/libarchive/unsafe_prefix.c
+@@ -5,11 +5,11 @@
+ #include "libbb.h"
+ #include "bb_archive.h"
+ 
+-const char* FAST_FUNC strip_unsafe_prefix(const char *str)
++const char* FAST_FUNC skip_unsafe_prefix(const char *str)
+ {
+ 	const char *cp = str;
+ 	while (1) {
+-		char *cp2;
++		const char *cp2;
+ 		if (*cp == '/') {
+ 			cp++;
+ 			continue;
+@@ -22,10 +22,25 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str)
+ 			cp += 3;
+ 			continue;
+ 		}
+-		cp2 = strstr(cp, "/../");
++		cp2 = cp;
++ find_dotdot:
++		cp2 = strstr(cp2, "/..");
+ 		if (!cp2)
+-			break;
+-		cp = cp2 + 4;
++			break; /* No (more) malicious components */
++
++		/* We found "/..something" */
++		cp2 += 3;
++		if (*cp2 != '/') {
++			if (*cp2 == '\0') {
++				/* Trailing "/..": malicious, return "" */
++				/* (causes harmless errors trying to create or hardlink a file named "") */
++				return cp2;
++			}
++			/* "/..name" is not malicious, look for next "/.." */
++			goto find_dotdot;
++		}
++		/* Found "/../": malicious, advance past it */
++		cp = cp2 + 1;
+ 	}
+ 	if (cp != str) {
+ 		static smallint warned = 0;
+@@ -37,3 +52,8 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str)
+ 	}
+ 	return cp;
+ }
++
++void FAST_FUNC strip_unsafe_prefix(char *str)
++{
++	overlapping_strcpy(str, skip_unsafe_prefix(str));
++}
+diff --git a/archival/libarchive/unsafe_symlink_target.c b/archival/libarchive/unsafe_symlink_target.c
+index f8dc803..d764c89 100644
+--- a/archival/libarchive/unsafe_symlink_target.c
++++ b/archival/libarchive/unsafe_symlink_target.c
+@@ -36,6 +36,7 @@ void FAST_FUNC create_links_from_list(llist_t *list)
+ 				*list->data ? "hard" : "sym",
+ 				list->data + 1, target
+ 			);
++			/* Note: GNU tar 1.34 errors out only _after_ all links are (attempted to be) created */
+ 		}
+ 		list = list->link;
+ 	}
+diff --git a/archival/tar.c b/archival/tar.c
+index 9de3759..cf8c2d1 100644
+--- a/archival/tar.c
++++ b/archival/tar.c
+@@ -475,7 +475,7 @@ static int FAST_FUNC writeFileToTarball(struct recursive_state *state,
+ 	DBG("writeFileToTarball('%s')", fileName);
+ 
+ 	/* Strip leading '/' and such (must be before memorizing hardlink's name) */
+-	header_name = strip_unsafe_prefix(fileName);
++	header_name = skip_unsafe_prefix(fileName);
+ 
+ 	if (header_name[0] == '\0')
+ 		return TRUE;
+diff --git a/archival/unzip.c b/archival/unzip.c
+index 691a2d8..5844215 100644
+--- a/archival/unzip.c
++++ b/archival/unzip.c
+@@ -853,7 +853,7 @@ int unzip_main(int argc, char **argv)
+ 		unzip_skip(zip.fmt.extra_len);
+ 
+ 		/* Guard against "/abspath", "/../" and similar attacks */
+-		overlapping_strcpy(dst_fn, strip_unsafe_prefix(dst_fn));
++		strip_unsafe_prefix(dst_fn);
+ 
+ 		/* Filter zip entries */
+ 		if (find_list_entry(zreject, dst_fn)
+diff --git a/include/bb_archive.h b/include/bb_archive.h
+index e0ef8fc..1dc77f3 100644
+--- a/include/bb_archive.h
++++ b/include/bb_archive.h
+@@ -202,7 +202,8 @@ char get_header_tar_xz(archive_handle_t *archive_handle) FAST_FUNC;
+ void seek_by_jump(int fd, off_t amount) FAST_FUNC;
+ void seek_by_read(int fd, off_t amount) FAST_FUNC;
+ 
+-const char *strip_unsafe_prefix(const char *str) FAST_FUNC;
++const char *skip_unsafe_prefix(const char *str) FAST_FUNC;
++void strip_unsafe_prefix(char *str) FAST_FUNC;
+ void create_or_remember_link(llist_t **link_placeholders,
+ 		const char *target,
+ 		const char *linkname,
+-- 
+2.50.1
+

meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch

@@ -0,0 +1,37 @@
+From 599f5dd8fac390c18b79cba4c14c334957605dae Mon Sep 17 00:00:00 2001
+From: Radoslav Kolev <radoslav.kolev@suse.com>
+Date: Mon, 16 Feb 2026 11:50:04 +0200
+Subject: [PATCH] tar: only strip unsafe components from hardlinks, not
+ symlinks
+
+commit 3fb6b31c7 introduced a check for unsafe components in
+tar archive hardlinks, but it was being applied to symlinks too
+which broke "Symlinks and hardlinks coexist" tar test.
+
+Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+CVE: CVE-2026-26157, CVE-2026-26158
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=599f5dd8fac390c18b79cba4c14c334957605dae]
+(Alternative mirrored URL: https://gogs.librecmc.org/OWEALS/busybox/commit/599f5dd8fac390c18b79cba4c14c334957605dae)
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ archival/libarchive/get_header_tar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c
+index 1c40ece..606d806 100644
+--- a/archival/libarchive/get_header_tar.c
++++ b/archival/libarchive/get_header_tar.c
+@@ -455,7 +455,7 @@ char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
+ 
+ 	/* Everything up to and including last ".." component is stripped */
+ 	strip_unsafe_prefix(file_header->name);
+-	if (file_header->link_target) {
++	if (file_header->link_target && !S_ISLNK(file_header->mode)) {
+ 		/* GNU tar 1.34 examples:
+ 		 * tar: Removing leading '/' from hard link targets
+ 		 * tar: Removing leading '../' from hard link targets
+-- 
+2.50.1
+

meta/recipes-core/busybox/busybox_1.36.1.bb

@@ -62,6 +62,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2025-46394-01.patch \
            file://CVE-2025-46394-02.patch \
            file://CVE-2025-60876.patch \
+           file://CVE-2026-26157-CVE-2026-26158-01.patch \
+           file://CVE-2026-26157-CVE-2026-26158-02.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html

meta/recipes-core/coreutils/coreutils_9.4.bb

@@ -23,6 +23,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
            "
 SRC_URI[sha256sum] = "ea613a4cf44612326e917201bbbcdfbd301de21ffc3b59b6e5c07e040b275e52"
 
+CVE_PRODUCT = "gnu:coreutils"
+
 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
 #
 CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."

meta/recipes-core/dbus/dbus_1.14.10.bb

@@ -29,7 +29,7 @@ EXTRA_OECONF = "--disable-xml-docs \
 EXTRA_OECONF:append:class-target = " SYSTEMCTL=${base_bindir}/systemctl"
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)} \
-                   user-session \
+                   ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'user-session', '', d)} \
                   "
 PACKAGECONFIG:class-native = ""
 PACKAGECONFIG:class-nativesdk = ""
@@ -109,7 +109,7 @@ FILES:${PN}-dev += "${libdir}/dbus-1.0/include ${bindir}/dbus-test-tool ${datadi
 RDEPENDS:${PN}-ptest += "bash make dbus"
 
 PACKAGE_WRITE_DEPS += "${@bb.utils.contains('DISTRO_FEATURES','systemd sysvinit','systemd-systemctl-native','',d)}"
-pkg_postinst:dbus() {
+pkg_postinst:${PN}() {
 	# If both systemd and sysvinit are enabled, mask the dbus-1 init script
         if ${@bb.utils.contains('DISTRO_FEATURES','systemd sysvinit','true','false',d)}; then
 		if [ -n "$D" ]; then

meta/recipes-core/expat/expat/CVE-2026-32776.patch

@@ -0,0 +1,91 @@
+From 3340f971f2f92e499adf03156024105bb9bb7ed9 Mon Sep 17 00:00:00 2001
+From: Francesco Bertolaccini <francesco.bertolaccini@trailofbits.com>
+Date: Tue, 3 Mar 2026 16:41:43 +0100
+Subject: [PATCH] Fix NULL function-pointer dereference for empty external
+ parameter entities
+
+When an external parameter entity with empty text is referenced inside
+an entity declaration value, the sub-parser created to handle it receives
+0 bytes of input.  Processing enters entityValueInitProcessor which calls
+storeEntityValue() with the parser's encoding; since no bytes were ever
+processed, encoding detection has not yet occurred and the encoding is
+still the initial probing encoding set up by XmlInitEncoding().  That
+encoding only populates scanners[] (for prolog and content), not
+literalScanners[].  XmlEntityValueTok() calls through
+literalScanners[XML_ENTITY_VALUE_LITERAL] which is NULL, causing a
+SEGV.
+
+Skip the tokenization loop entirely when entityTextPtr >= entityTextEnd,
+and initialize the `next` pointer before the early exit so that callers
+(callStoreEntityValue) receive a valid value through nextPtr.
+
+CVE: CVE-2026-32776
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5be25657583ea91b09025c858b4785834c20f59c]
+
+(cherry picked from commit 5be25657583ea91b09025c858b4785834c20f59c)
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ lib/xmlparse.c      |  9 ++++++++-
+ tests/basic_tests.c | 19 +++++++++++++++++++
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index aa5e91e4..56faf2eb 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6777,7 +6777,14 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+       return XML_ERROR_NO_MEMORY;
+   }
+ 
+-  const char *next;
++  const char *next = entityTextPtr;
++
++  /* Nothing to tokenize. */
++  if (entityTextPtr >= entityTextEnd) {
++    result = XML_ERROR_NONE;
++    goto endEntityValue;
++  }
++
+   for (;;) {
+     next
+         = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index 2a5e43d6..023d9ce4 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -6210,6 +6210,24 @@ START_TEST(test_varying_buffer_fills) {
+ }
+ END_TEST
+ 
++START_TEST(test_empty_ext_param_entity_in_value) {
++  const char *text = "<!DOCTYPE r SYSTEM \"ext.dtd\"><r/>";
++  ExtOption options[] = {
++      {XCS("ext.dtd"), "<!ENTITY % pe SYSTEM \"empty\">"
++                       "<!ENTITY ge \"%pe;\">"},
++      {XCS("empty"), ""},
++      {NULL, NULL},
++  };
++
++  XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++  XML_SetExternalEntityRefHandler(g_parser, external_entity_optioner);
++  XML_SetUserData(g_parser, options);
++  if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE)
++      == XML_STATUS_ERROR)
++    xml_failure(g_parser);
++}
++END_TEST
++
+ void
+ make_basic_test_case(Suite *s) {
+   TCase *tc_basic = tcase_create("basic tests");
+@@ -6456,6 +6474,7 @@ make_basic_test_case(Suite *s) {
+   tcase_add_test(tc_basic, test_empty_element_abort);
+   tcase_add_test__ifdef_xml_dtd(tc_basic,
+                                 test_pool_integrity_with_unfinished_attr);
++  tcase_add_test__ifdef_xml_dtd(tc_basic, test_empty_ext_param_entity_in_value);
+   tcase_add_test__if_xml_ge(tc_basic, test_entity_ref_no_elements);
+   tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_entity);
+   tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_attribute_entity);
+-- 
+2.43.0
+

meta/recipes-core/expat/expat/CVE-2026-32777-01.patch

@@ -0,0 +1,49 @@
+From a6e6cf7c30e54402b2fa3c49f9d98702e74f8c34 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 1 Mar 2026 20:16:13 +0100
+Subject: [PATCH 1/2] lib: Reject XML_TOK_INSTANCE_START infinite loop in
+ entityValueProcessor
+
+.. that OSS-Fuzz/ClusterFuzz uncovered
+
+CVE: CVE-2026-32777
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/55cda8c7125986e17d7e1825cba413bd94a35d02]
+
+(cherry picked from commit 55cda8c7125986e17d7e1825cba413bd94a35d02)
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ lib/xmlparse.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 56faf2eb..bfb8ac58 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5077,7 +5077,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+     }
+     /* If we get this token, we have the start of what might be a
+        normal tag, but not a declaration (i.e. it doesn't begin with
+-       "<!").  In a DTD context, that isn't legal.
++       "<!" or "<?").  In a DTD context, that isn't legal.
+     */
+     else if (tok == XML_TOK_INSTANCE_START) {
+       *nextPtr = next;
+@@ -5166,6 +5166,15 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end,
+       /* found end of entity value - can store it now */
+       return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT, NULL);
+     }
++    /* If we get this token, we have the start of what might be a
++       normal tag, but not a declaration (i.e. it doesn't begin with
++       "<!" or "<?").  In a DTD context, that isn't legal.
++    */
++    else if (tok == XML_TOK_INSTANCE_START) {
++      *nextPtr = next;
++      return XML_ERROR_SYNTAX;
++    }
++
+     start = next;
+   }
+ }
+-- 
+2.43.0
+

meta/recipes-core/expat/expat/CVE-2026-32777-02.patch

@@ -0,0 +1,66 @@
+From 4b91fc7eb4998c49bfd3b701a679ad6eb7ce7682 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Fri, 6 Mar 2026 18:31:34 +0100
+Subject: [PATCH 2/2] misc_tests.c: Cover XML_TOK_INSTANCE_START infinite loop
+ case
+
+.. that OSS-Fuzz/ClusterFuzz uncovered
+
+CVE: CVE-2026-32777
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8]
+
+(cherry picked from commit a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8)
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ tests/misc_tests.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/tests/misc_tests.c b/tests/misc_tests.c
+index 07902d52..cdcdd507 100644
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -713,6 +713,35 @@ START_TEST(test_misc_async_entity_rejected) {
+ }
+ END_TEST
+ 
++START_TEST(test_misc_no_infinite_loop_issue_1161) {
++  XML_Parser parser = XML_ParserCreate(NULL);
++
++  const char *text = "<!DOCTYPE d SYSTEM 'secondary.txt'>";
++
++  struct ExtOption options[] = {
++      {XCS("secondary.txt"),
++       "<!ENTITY % p SYSTEM 'tertiary.txt'><!ENTITY g '%p;'>"},
++      {XCS("tertiary.txt"), "<?xml version='1.0'?><a"},
++      {NULL, NULL},
++  };
++
++  XML_SetUserData(parser, options);
++  XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++  XML_SetExternalEntityRefHandler(parser, external_entity_optioner);
++
++  assert_true(_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++              == XML_STATUS_ERROR);
++
++#if defined(XML_DTD)
++  assert_true(XML_GetErrorCode(parser) == XML_ERROR_EXTERNAL_ENTITY_HANDLING);
++#else
++  assert_true(XML_GetErrorCode(parser) == XML_ERROR_NO_ELEMENTS);
++#endif
++
++  XML_ParserFree(parser);
++}
++END_TEST
++
+ void
+ make_miscellaneous_test_case(Suite *s) {
+   TCase *tc_misc = tcase_create("miscellaneous tests");
+@@ -743,4 +772,5 @@ make_miscellaneous_test_case(Suite *s) {
+   tcase_add_test(tc_misc, test_misc_expected_event_ptr_issue_980);
+   tcase_add_test(tc_misc, test_misc_sync_entity_tolerated);
+   tcase_add_test(tc_misc, test_misc_async_entity_rejected);
++  tcase_add_test(tc_misc, test_misc_no_infinite_loop_issue_1161);
+ }
+-- 
+2.43.0
+

meta/recipes-core/expat/expat/CVE-2026-32778-01.patch

@@ -0,0 +1,91 @@
+From b878628b560a2ba1e11b3a12ff8df0dab7d6b8bb Mon Sep 17 00:00:00 2001
+From: laserbear <10689391+Laserbear@users.noreply.github.com>
+Date: Sun, 8 Mar 2026 17:28:06 -0700
+Subject: [PATCH 1/2] copy prefix name to pool before lookup
+
+.. so that we cannot end up with a zombie PREFIX in the pool
+that has NULL for a name.
+
+CVE: CVE-2026-32778
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/576b61e42feeea704253cb7c7bedb2eeb3754387]
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+(cherry picked from commit 576b61e42feeea704253cb7c7bedb2eeb3754387)
+Signed-off-by: Hugo SIMELIERE <simeliere.hugo@non.se.com>
+---
+ lib/xmlparse.c | 43 +++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 35 insertions(+), 8 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index bfb8ac58..9bc67f38 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -590,6 +590,8 @@ static XML_Char *poolStoreString(STRING_POOL *pool, const ENCODING *enc,
+ static XML_Bool FASTCALL poolGrow(STRING_POOL *pool);
+ static const XML_Char *FASTCALL poolCopyString(STRING_POOL *pool,
+                                                const XML_Char *s);
++static const XML_Char *FASTCALL poolCopyStringNoFinish(STRING_POOL *pool,
++                                                       const XML_Char *s);
+ static const XML_Char *poolCopyStringN(STRING_POOL *pool, const XML_Char *s,
+                                        int n);
+ static const XML_Char *FASTCALL poolAppendString(STRING_POOL *pool,
+@@ -7443,16 +7445,24 @@ setContext(XML_Parser parser, const XML_Char *context) {
+       else {
+         if (! poolAppendChar(&parser->m_tempPool, XML_T('\0')))
+           return XML_FALSE;
+-        prefix
+-            = (PREFIX *)lookup(parser, &dtd->prefixes,
+-                               poolStart(&parser->m_tempPool), sizeof(PREFIX));
+-        if (! prefix)
++        const XML_Char *const prefixName = poolCopyStringNoFinish(
++            &dtd->pool, poolStart(&parser->m_tempPool));
++        if (! prefixName) {
+           return XML_FALSE;
+-        if (prefix->name == poolStart(&parser->m_tempPool)) {
+-          prefix->name = poolCopyString(&dtd->pool, prefix->name);
+-          if (! prefix->name)
+-            return XML_FALSE;
+         }
++
++        prefix = (PREFIX *)lookup(parser, &dtd->prefixes, prefixName,
++                                  sizeof(PREFIX));
++
++        const bool prefixNameUsed = prefix && prefix->name == prefixName;
++        if (prefixNameUsed)
++          poolFinish(&dtd->pool);
++        else
++          poolDiscard(&dtd->pool);
++
++        if (! prefix)
++          return XML_FALSE;
++
+         poolDiscard(&parser->m_tempPool);
+       }
+       for (context = s + 1; *context != CONTEXT_SEP && *context != XML_T('\0');
+@@ -8041,6 +8051,23 @@ poolCopyString(STRING_POOL *pool, const XML_Char *s) {
+   return s;
+ }
+ 
++// A version of `poolCopyString` that does not call `poolFinish`
++// and reverts any partial advancement upon failure.
++static const XML_Char *FASTCALL
++poolCopyStringNoFinish(STRING_POOL *pool, const XML_Char *s) {
++  const XML_Char *const original = s;
++  do {
++    if (! poolAppendChar(pool, *s)) {
++      // Revert any previously successful advancement
++      const ptrdiff_t advancedBy = s - original;
++      if (advancedBy > 0)
++        pool->ptr -= advancedBy;
++      return NULL;
++    }
++  } while (*s++);
++  return pool->start;
++}
++
+ static const XML_Char *
+ poolCopyStringN(STRING_POOL *pool, const XML_Char *s, int n) {
+   if (! pool->ptr && ! poolGrow(pool)) {
+-- 
+2.43.0
+

meta/recipes-core/expat/expat/CVE-2026-32778-02.patch

@@ -0,0 +1,61 @@
+From c26728576de3850258c7762c036dd0eb7783ea15 Mon Sep 17 00:00:00 2001
+From: laserbear <10689391+Laserbear@users.noreply.github.com>
+Date: Sun, 8 Mar 2026 17:28:06 -0700
+Subject: [PATCH 2/2] test that we do not end up with a zombie PREFIX in the
+ pool
+
+CVE: CVE-2026-32778
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/d5fa769b7a7290a7e2c4a0b2287106dec9b3c030]
+
+(cherry picked from commit d5fa769b7a7290a7e2c4a0b2287106dec9b3c030)
+Signed-off-by: Hugo SIMELIERE <simeliere.hugo@non.se.com>
+---
+ tests/nsalloc_tests.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tests/nsalloc_tests.c b/tests/nsalloc_tests.c
+index a8f5718d..d284a58a 100644
+--- a/tests/nsalloc_tests.c
++++ b/tests/nsalloc_tests.c
+@@ -1505,6 +1505,32 @@ START_TEST(test_nsalloc_prefixed_element) {
+ }
+ END_TEST
+ 
++/* Verify that retry after OOM in setContext() does not crash.
++ */
++START_TEST(test_nsalloc_setContext_zombie) {
++  const char *text = "<doc>Hello</doc>";
++  unsigned int i;
++  const unsigned int max_alloc_count = 30;
++
++  for (i = 0; i < max_alloc_count; i++) {
++    g_allocation_count = (int)i;
++    if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE)
++        != XML_STATUS_ERROR)
++      break;
++    /* Retry on the same parser — must not crash */
++    g_allocation_count = ALLOC_ALWAYS_SUCCEED;
++    XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE);
++
++    nsalloc_teardown();
++    nsalloc_setup();
++  }
++  if (i == 0)
++    fail("Parsing worked despite failing allocations");
++  else if (i == max_alloc_count)
++    fail("Parsing failed even at maximum allocation count");
++}
++END_TEST
++
+ void
+ make_nsalloc_test_case(Suite *s) {
+   TCase *tc_nsalloc = tcase_create("namespace allocation tests");
+@@ -1539,4 +1565,5 @@ make_nsalloc_test_case(Suite *s) {
+   tcase_add_test__if_xml_ge(tc_nsalloc, test_nsalloc_long_default_in_ext);
+   tcase_add_test(tc_nsalloc, test_nsalloc_long_systemid_in_ext);
+   tcase_add_test(tc_nsalloc, test_nsalloc_prefixed_element);
++  tcase_add_test(tc_nsalloc, test_nsalloc_setContext_zombie);
+ }
+-- 
+2.43.0
+

meta/recipes-core/expat/expat_2.6.4.bb

@@ -46,6 +46,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2  \
            file://CVE-2026-25210-01.patch \
            file://CVE-2026-25210-02.patch \
            file://CVE-2026-25210-03.patch \
+           file://CVE-2026-32776.patch \
+           file://CVE-2026-32777-01.patch \
+           file://CVE-2026-32777-02.patch \
+           file://CVE-2026-32778-01.patch \
+           file://CVE-2026-32778-02.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"

meta/recipes-core/glibc/glibc.inc

@@ -17,9 +17,6 @@ CACHED_CONFIGUREVARS += " \
   libc_cv_slibdir=${base_libdir} \
   libc_cv_rootsbindir=${base_sbindir} \
   libc_cv_localedir=${localedir} \
-  libc_cv_ssp_strong=no \
-  libc_cv_ssp_all=no \
-  libc_cv_ssp=no \
   libc_cv_include_x86_isa_level=no \
 "
 

meta/recipes-core/images/build-appliance-image_15.0.0.bb

@@ -26,8 +26,8 @@ inherit core-image setuptools3 features_check
 
 REQUIRED_DISTRO_FEATURES += "xattr"
 
-SRCREV ?= "f4877d8e682ed22e339fe6c07f3ffa28e50c7b98"
-SRC_URI = "git://git.yoctoproject.org/poky;branch=scarthgap \
+SRCREV ?= "3a813d72a872c2ab2b7f02035a73ae3def21f565"
+SRC_URI = "git://git.yoctoproject.org/poky;branch=scarthgap;protocol=https \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \
            file://README_VirtualBox_Guest_Additions.txt \

meta/recipes-core/libxcrypt/files/174c24d6e87aeae631bc0a7bb1ba983cf8def4de.patch

@@ -0,0 +1,29 @@
+From 174c24d6e87aeae631bc0a7bb1ba983cf8def4de Mon Sep 17 00:00:00 2001
+From: Stanislav Zidek <szidek@redhat.com>
+Date: Wed, 10 Dec 2025 14:03:54 +0100
+Subject: [PATCH] fix -Werror=discarded-qualifiers
+
+On Fedora rawhide (to be Fedora 44), gcc became more strict
+wrt. const-ness.
+
+Upstream-Status: Backport [https://github.com/besser82/libxcrypt/pull/220 without lib/crypt-sm3-yescrypt.c]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+---
+ lib/crypt-gost-yescrypt.c | 2 +-
+ lib/crypt-sm3-yescrypt.c  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/crypt-gost-yescrypt.c b/lib/crypt-gost-yescrypt.c
+index 190ae94b..e9dc7e80 100644
+--- a/lib/crypt-gost-yescrypt.c
++++ b/lib/crypt-gost-yescrypt.c
+@@ -131,7 +131,7 @@ crypt_gost_yescrypt_rn (const char *phrase, size_t phr_size,
+   intbuf->outbuf[1] = 'g';
+ 
+   /* extract yescrypt output from "$y$param$salt$output" */
+-  char *hptr = strchr ((const char *) intbuf->retval + 3, '$');
++  char *hptr = strchr ((char *) intbuf->retval + 3, '$');
+   if (!hptr)
+     {
+       errno = EINVAL;

meta/recipes-core/libxcrypt/libxcrypt.inc

@@ -9,7 +9,9 @@ LIC_FILES_CHKSUM = "file://LICENSING;md5=c0a30e2b1502c55a7f37e412cd6c6a4b \
 
 inherit autotools pkgconfig
 
-SRC_URI = "git://github.com/besser82/libxcrypt.git;branch=${SRCBRANCH};protocol=https"
+SRC_URI = "git://github.com/besser82/libxcrypt.git;branch=${SRCBRANCH};protocol=https \
+           file://174c24d6e87aeae631bc0a7bb1ba983cf8def4de.patch \
+"
 SRCREV = "f531a36aa916a22ef2ce7d270ba381e264250cbf"
 SRCBRANCH ?= "master"
 
@@ -21,8 +23,9 @@ PROVIDES = "virtual/crypt"
 S = "${WORKDIR}/git"
 
 BUILD_CPPFLAGS = "-I${STAGING_INCDIR_NATIVE}"
-TARGET_CPPFLAGS = "-I${STAGING_DIR_TARGET}${includedir} -Wno-error"
-CPPFLAGS:append:class-nativesdk = " -Wno-error"
+TARGET_CPPFLAGS = "-I${STAGING_DIR_TARGET}${includedir}"
+
+EXTRA_OECONF += "--disable-werror"
 
 API = "--disable-obsolete-api"
 EXTRA_OECONF += "${API}"

meta/recipes-core/libxml/libxml2/CVE-2026-1757.patch

@@ -0,0 +1,49 @@
+From bbe186902eddca01cc2049780a1d1a37937d3862 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Wed, 25 Feb 2026 16:16:14 +0800
+Subject: [PATCH] shell: free cmdline before continue
+
+This patch frees the cmdline when it's not empty but it doesn't contain
+any actual character.
+
+If the cmdline is just whitespaces or \r and \n, the loop continues
+without freeing the cmdline string, so it's a leak.
+
+Fix #1009
+
+Reference https://gitlab.gnome.org/GNOME/libxml2/-/commit/160c8a43
+
+CVE: CVE-2026-1757
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/160c8a43]
+
+The shell is refactored [1], so backport the related code from shell.c
+to debugXML.c.
+
+[1] https://gitlab.gnome.org/GNOME/libxml2/-/commit/1341deac
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ debugXML.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/debugXML.c b/debugXML.c
+index 9d9618f..2d5c99d 100644
+--- a/debugXML.c
++++ b/debugXML.c
+@@ -2866,8 +2866,11 @@ xmlShell(xmlDocPtr doc, char *filename, xmlShellReadlineFunc input,
+             command[i++] = *cur++;
+         }
+         command[i] = 0;
+-        if (i == 0)
++        if (i == 0) {
++            free(cmdline);
++            cmdline = NULL;
+             continue;
++        }
+ 
+         /*
+          * Parse the argument
+-- 
+2.34.1
+

meta/recipes-core/libxml/libxml2_2.12.10.bb

@@ -30,6 +30,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
            file://CVE-2026-0992-01.patch \
            file://CVE-2026-0992-02.patch \
            file://CVE-2026-0992-03.patch \
+           file://CVE-2026-1757.patch \
            "
 
 SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"

meta/recipes-core/ncurses/files/CVE-2025-69720.patch

@@ -0,0 +1,42 @@
+From 6f6db0e8fd14e40096a0ee6f8bdf32dedbd3fc9e Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Mon, 6 Apr 2026 18:08:09 +0530
+Subject: [PATCH] add limit-check in infocmp
+
+origin : https://invisible-island.net/archives/ncurses/6.5/ncurses-6.5-20251213.patch.gz
+Refer: https://github.com/Cao-Wuhui/CVE-2025-69720
+patch by : Thomas E. Dickey <dickey@invisible-island.net>
+
+CVE: CVE-2025-69720
+Upstream-Status: Backport [https://github.com/ThomasDickey/ncurses-snapshots/commit/6f6db0e8fd14e40096a0ee6f8bdf32dedbd3fc9e]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ progs/infocmp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/progs/infocmp.c b/progs/infocmp.c
+index 171d794d..2fc1f035 100644
+--- a/progs/infocmp.c
++++ b/progs/infocmp.c
+@@ -816,7 +816,7 @@ lookup_params(const assoc * table, char *dst, char *src)
+ static void
+ analyze_string(const char *name, const char *cap, TERMTYPE2 *tp)
+ {
+-    char buf2[MAX_TERMINFO_LENGTH];
++    char buf2[MAX_TERMINFO_LENGTH + 1];
+     const char *sp;
+     const assoc *ap;
+     int tp_lines = tp->Numbers[2];
+@@ -846,7 +846,8 @@ analyze_string(const char *name, const char *cap, TERMTYPE2 *tp)
+ 	    if (VALID_STRING(cp) &&
+ 		cp[0] != '\0' &&
+ 		cp != cap) {
+-		len = strlen(cp);
++		if ((len = strlen(cp)) > MAX_TERMINFO_LENGTH)
++		    len = MAX_TERMINFO_LENGTH;
+ 		_nc_STRNCPY(buf2, sp, len);
+ 		buf2[len] = '\0';
+ 
+-- 
+2.50.1
+

meta/recipes-core/ncurses/ncurses_6.4.bb

@@ -9,6 +9,7 @@ SRC_URI += "file://0001-tic-hang.patch \
            file://CVE-2023-50495.patch \
            file://CVE-2023-45918.patch \
            file://CVE-2025-6141.patch \
+           file://CVE-2025-69720.patch \
            "
 # commit id corresponds to the revision in package version
 SRCREV = "1003914e200fd622a27237abca155ce6bf2e6030"

meta/recipes-core/ovmf/ovmf/0001-AmdSev-Halt-on-failed-blob-allocation.patch

@@ -0,0 +1,159 @@
+From dbec8dc5ba6341d816ffd495fcd7eeece1716bb4 Mon Sep 17 00:00:00 2001
+From: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
+Date: Mon, 29 Apr 2024 20:07:19 +0000
+Subject: [PATCH] AmdSev: Halt on failed blob allocation
+
+A malicious host may be able to undermine the fw_cfg
+interface such that loading a blob fails.
+
+In this case rather than continuing to the next boot
+option, the blob verifier should halt.
+
+For non-confidential guests, the error should be non-fatal.
+
+Signed-off-by: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/10b4bb8d6d0c515ed9663691aea3684be8f7b0fc]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../BlobVerifierSevHashes.c                     | 17 ++++++++++++++++-
+ OvmfPkg/Include/Library/BlobVerifierLib.h       | 11 +++++++----
+ .../BlobVerifierLibNull/BlobVerifierNull.c      | 13 ++++++++-----
+ .../QemuKernelLoaderFsDxe.c                     |  9 ++++-----
+ 4 files changed, 35 insertions(+), 15 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c b/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c
+index 2e58794c3c..6477c5c3d3 100644
+--- a/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c
++++ b/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c
+@@ -80,6 +80,7 @@ FindBlobEntryGuid (
+   @param[in] BlobName           The name of the blob
+   @param[in] Buf                The data of the blob
+   @param[in] BufSize            The size of the blob in bytes
++  @param[in] FetchStatus        The status of the previous blob fetch
+ 
+   @retval EFI_SUCCESS           The blob was verified successfully.
+   @retval EFI_ACCESS_DENIED     The blob could not be verified, and therefore
+@@ -90,13 +91,27 @@ EFIAPI
+ VerifyBlob (
+   IN  CONST CHAR16  *BlobName,
+   IN  CONST VOID    *Buf,
+-  IN  UINT32        BufSize
++  IN  UINT32        BufSize,
++  IN  EFI_STATUS    FetchStatus
+   )
+ {
+   CONST GUID  *Guid;
+   INT32       Remaining;
+   HASH_TABLE  *Entry;
+ 
++  // Enter a dead loop if the fetching of this blob
++  // failed. This prevents a malicious host from
++  // circumventing the following checks.
++  if (EFI_ERROR (FetchStatus)) {
++    DEBUG ((
++      DEBUG_ERROR,
++      "%a: Fetching blob failed.\n",
++      __func__
++      ));
++
++    CpuDeadLoop ();
++  }
++
+   if ((mHashesTable == NULL) || (mHashesTableSize == 0)) {
+     DEBUG ((
+       DEBUG_ERROR,
+diff --git a/OvmfPkg/Include/Library/BlobVerifierLib.h b/OvmfPkg/Include/Library/BlobVerifierLib.h
+index 7e1af27574..09af1b77de 100644
+--- a/OvmfPkg/Include/Library/BlobVerifierLib.h
++++ b/OvmfPkg/Include/Library/BlobVerifierLib.h
+@@ -22,17 +22,20 @@
+   @param[in] BlobName           The name of the blob
+   @param[in] Buf                The data of the blob
+   @param[in] BufSize            The size of the blob in bytes
++  @param[in] FetchStatus        The status of fetching this blob
+ 
+-  @retval EFI_SUCCESS           The blob was verified successfully.
+-  @retval EFI_ACCESS_DENIED     The blob could not be verified, and therefore
+-                                should be considered non-secure.
++  @retval EFI_SUCCESS           The blob was verified successfully or was not
++                                found in the hash table.
++  @retval EFI_ACCESS_DENIED     Kernel hashes not supported but the boot can
++                                continue safely.
+ **/
+ EFI_STATUS
+ EFIAPI
+ VerifyBlob (
+   IN  CONST CHAR16  *BlobName,
+   IN  CONST VOID    *Buf,
+-  IN  UINT32        BufSize
++  IN  UINT32        BufSize,
++  IN  EFI_STATUS    FetchStatus
+   );
+ 
+ #endif
+diff --git a/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c b/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c
+index e817c3cc95..db5320571c 100644
+--- a/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c
++++ b/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c
+@@ -16,18 +16,21 @@
+   @param[in] BlobName           The name of the blob
+   @param[in] Buf                The data of the blob
+   @param[in] BufSize            The size of the blob in bytes
++  @param[in] FetchStatus        The status of the fetch of this blob
+ 
+-  @retval EFI_SUCCESS           The blob was verified successfully.
+-  @retval EFI_ACCESS_DENIED     The blob could not be verified, and therefore
+-                                should be considered non-secure.
++  @retval EFI_SUCCESS           The blob was verified successfully or was not
++                                found in the hash table.
++  @retval EFI_ACCESS_DENIED     Kernel hashes not supported but the boot can
++                                continue safely.
+ **/
+ EFI_STATUS
+ EFIAPI
+ VerifyBlob (
+   IN  CONST CHAR16  *BlobName,
+   IN  CONST VOID    *Buf,
+-  IN  UINT32        BufSize
++  IN  UINT32        BufSize,
++  IN  EFI_STATUS    FetchStatus
+   )
+ {
+-  return EFI_SUCCESS;
++  return FetchStatus;
+ }
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 3c12085f6c..cf58c97cd2 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -1042,6 +1042,7 @@ QemuKernelLoaderFsDxeEntrypoint (
+   KERNEL_BLOB  *CurrentBlob;
+   KERNEL_BLOB  *KernelBlob;
+   EFI_STATUS   Status;
++  EFI_STATUS   FetchStatus;
+   EFI_HANDLE   FileSystemHandle;
+   EFI_HANDLE   InitrdLoadFile2Handle;
+ 
+@@ -1060,15 +1061,13 @@ QemuKernelLoaderFsDxeEntrypoint (
+   //
+   for (BlobType = 0; BlobType < KernelBlobTypeMax; ++BlobType) {
+     CurrentBlob = &mKernelBlob[BlobType];
+-    Status      = FetchBlob (CurrentBlob);
+-    if (EFI_ERROR (Status)) {
+-      goto FreeBlobs;
+-    }
++    FetchStatus = FetchBlob (CurrentBlob);
+ 
+     Status = VerifyBlob (
+                CurrentBlob->Name,
+                CurrentBlob->Data,
+-               CurrentBlob->Size
++               CurrentBlob->Size,
++               FetchStatus
+                );
+     if (EFI_ERROR (Status)) {
+       goto FreeBlobs;
+-- 
+2.49.0
+

meta/recipes-core/ovmf/ovmf/0006-BaseTools-StringFuncs-fix-gcc-16-warning.patch

@@ -0,0 +1,42 @@
+From 015c26aea52a54e96319887ea542870b4804fb91 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 29 Jan 2026 09:23:32 +0100
+Subject: [PATCH] BaseTools/StringFuncs: fix gcc 16 warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+StringFuncs.c: In function ‘SplitStringByWhitespace’:
+StringFuncs.c:113:15: error: variable ‘Item’ set but not used [-Werror=unused-but-set-variable=]
+  113 |   UINTN       Item;
+      |               ^~~~
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [edk2-stable202602 https://github.com/tianocore/edk2/commit/3597306191297b504683b83fe7750e49c6a2e836]
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+---
+ BaseTools/Source/C/Common/StringFuncs.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/BaseTools/Source/C/Common/StringFuncs.c b/BaseTools/Source/C/Common/StringFuncs.c
+index 53e44365e9..df02d9c808 100644
+--- a/BaseTools/Source/C/Common/StringFuncs.c
++++ b/BaseTools/Source/C/Common/StringFuncs.c
+@@ -110,7 +110,6 @@ SplitStringByWhitespace (
+   CHAR8       *EndOfSubString;
+   CHAR8       *EndOfString;
+   STRING_LIST *Output;
+-  UINTN       Item;
+ 
+   String = CloneString (String);
+   if (String == NULL) {
+@@ -120,7 +119,7 @@ SplitStringByWhitespace (
+ 
+   Output = NewStringList ();
+ 
+-  for (Pos = String, Item = 0; Pos < EndOfString; Item++) {
++  for (Pos = String; Pos < EndOfString;) {
+     while (isspace ((int)*Pos)) {
+       Pos++;
+     }

meta/recipes-core/ovmf/ovmf/0007-BaseTools-EfiRom-fix-compiler-warning.patch

@@ -0,0 +1,44 @@
+From 4d2bdadcd6d45f6708b1b4827b0dc9b6e4b8edd2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 8 Dec 2025 10:28:50 +0100
+Subject: [PATCH] BaseTools/EfiRom: fix compiler warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+New warning after updating gcc:
+
+EfiRom.c: In function ‘main’:
+EfiRom.c:78:17: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
+
+The assigned value is not used, so fix the warning by just removing it.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [edk2-stable202602 https://github.com/tianocore/edk2/commit/9af06ef3cbb052b142f9660c2c01e7aeb401300c]
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+---
+ BaseTools/Source/C/EfiRom/EfiRom.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/BaseTools/Source/C/EfiRom/EfiRom.c b/BaseTools/Source/C/EfiRom/EfiRom.c
+index fa7bf0e62e..6e903b3504 100644
+--- a/BaseTools/Source/C/EfiRom/EfiRom.c
++++ b/BaseTools/Source/C/EfiRom/EfiRom.c
+@@ -44,7 +44,6 @@ Returns:
+   FILE_LIST *FList;
+   UINT32    TotalSize;
+   UINT32    Size;
+-  CHAR8     *Ptr0;
+ 
+   SetUtilityName(UTILITY_NAME);
+ 
+@@ -75,7 +74,7 @@ Returns:
+   //
+   if (mOptions.DumpOption == 1) {
+     if (mOptions.FileList != NULL) {
+-      if ((Ptr0 = strstr ((CONST CHAR8 *) mOptions.FileList->FileName, DEFAULT_OUTPUT_EXTENSION)) != NULL) {
++      if (strstr ((CONST CHAR8 *) mOptions.FileList->FileName, DEFAULT_OUTPUT_EXTENSION) != NULL) {
+         DumpImage (mOptions.FileList);
+         goto BailOut;
+       } else {

meta/recipes-core/ovmf/ovmf/0008-BaseTools-Pccts-set-C-standard.patch

@@ -0,0 +1,44 @@
+From 74bc6545e72707a47dd9dae42ce33b8877b10000 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 20 Jan 2025 09:40:31 +0100
+Subject: [PATCH] BaseTools/Pccts: set C standard
+
+The prehistoric code base doesn't build with ISO C23.  Set the C
+standard to C11 (for both clang and gcc) so it continues to build with
+gcc 15 (which uses C23 by default).
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [edk2-stable202502 https://github.com/tianocore/edk2/commit/e063f8b8a53861043b9872cc35b08a3dc03b0942]
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+---
+ BaseTools/Source/C/VfrCompile/Pccts/antlr/makefile | 2 +-
+ BaseTools/Source/C/VfrCompile/Pccts/dlg/makefile   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/BaseTools/Source/C/VfrCompile/Pccts/antlr/makefile b/BaseTools/Source/C/VfrCompile/Pccts/antlr/makefile
+index 746d58b5e2..b47c8a37af 100644
+--- a/BaseTools/Source/C/VfrCompile/Pccts/antlr/makefile
++++ b/BaseTools/Source/C/VfrCompile/Pccts/antlr/makefile
+@@ -169,7 +169,7 @@ ANTLR=${BIN_DIR}/antlr
+ DLG=${BIN_DIR}/dlg
+ OBJ_EXT=o
+ OUT_OBJ = -o
+-CFLAGS= $(COPT) -I. -I$(SET) -I$(PCCTS_H) -DUSER_ZZSYN $(COTHER) -DZZLEXBUFSIZE=65536
++CFLAGS= $(COPT) -I. -I$(SET) -I$(PCCTS_H) -DUSER_ZZSYN $(COTHER) -DZZLEXBUFSIZE=65536 -std=gnu11
+ CPPFLAGS=
+ #
+ # SGI Users, use this CFLAGS
+diff --git a/BaseTools/Source/C/VfrCompile/Pccts/dlg/makefile b/BaseTools/Source/C/VfrCompile/Pccts/dlg/makefile
+index e45ac98e04..d72bee3d70 100644
+--- a/BaseTools/Source/C/VfrCompile/Pccts/dlg/makefile
++++ b/BaseTools/Source/C/VfrCompile/Pccts/dlg/makefile
+@@ -123,7 +123,7 @@ endif
+ COPT=-O
+ ANTLR=${BIN_DIR}/antlr
+ DLG=${BIN_DIR}/dlg
+-CFLAGS= $(COPT) -I. -I$(SET) -I$(PCCTS_H) -DUSER_ZZSYN -DZZLEXBUFSIZE=65536
++CFLAGS= $(COPT) -I. -I$(SET) -I$(PCCTS_H) -DUSER_ZZSYN -DZZLEXBUFSIZE=65536 -std=gnu11
+ CPPFLAGS=
+ OBJ_EXT=o
+ OUT_OBJ = -o

meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch

@@ -0,0 +1,116 @@
+From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Mon, 5 Jan 2026 13:04:18 +0800
+Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading
+
+There is a possibility to retrieve user input keystroke data stored in the
+queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent
+exposure of the password string, clear the queue buffer by filling it
+with zeros after reading.
+
+Signed-off-by: Nick Wang <nick.wang@insyde.com>
+
+CVE: CVE-2024-38798
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c       | 2 ++
+ MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c        | 1 +
+ MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c                  | 2 +-
+ .../Universal/Console/ConSplitterDxe/ConSplitter.c        | 1 +
+ .../Universal/Console/TerminalDxe/TerminalConIn.c         | 8 ++++++--
+ 5 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
+index 981309f..32757a7 100644
+--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
+@@ -650,6 +650,8 @@ PopScancodeBufHead (
+     if (Buf != NULL) {
+       Buf[Index] = Queue->Buffer[Queue->Head];
+     }
++
++    Queue->Buffer[Queue->Head] = 0;
+   }
+ 
+   return EFI_SUCCESS;
+diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
+index 81d3c6e..e03c88f 100644
+--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
+@@ -51,6 +51,7 @@ PopEfikeyBufHead (
+     CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
+   }
+ 
++  ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
+   Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT;
+   return EFI_SUCCESS;
+ }
+diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
+index b5a6459..7df1566 100644
+--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
+@@ -1840,7 +1840,7 @@ Dequeue (
+   }
+ 
+   CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize);
+-
++  ZeroMem (Queue->Buffer[Queue->Head], ItemSize);
+   //
+   // Adjust the head pointer of the FIFO keyboard buffer.
+   //
+diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
+index 0a776f3..5c1a35e 100644
+--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
+@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey (
+     &Private->KeyQueue[1],
+     Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA)
+     );
++  ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA));
+   return EFI_SUCCESS;
+ }
+ 
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
+index f1d0a34..8aafb4b 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
+@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey (
+     return FALSE;
+   }
+ 
+-  *Output = TerminalDevice->RawFiFo->Data[Head];
++  *Output                             = TerminalDevice->RawFiFo->Data[Head];
++  TerminalDevice->RawFiFo->Data[Head] = 0;
+ 
+   TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1));
+ 
+@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey (
+   }
+ 
+   CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
++  ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
+ 
+   EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+ 
+@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey (
+   }
+ 
+   CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
++  ZeroMem (&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
+ 
+   TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+ 
+@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey (
+   Head = TerminalDevice->UnicodeFiFo->Head;
+   ASSERT (Head < FIFO_MAX_NUMBER + 1);
+ 
+-  *Output = TerminalDevice->UnicodeFiFo->Data[Head];
++  *Output                                 = TerminalDevice->UnicodeFiFo->Data[Head];
++  TerminalDevice->UnicodeFiFo->Data[Head] = 0;
+ 
+   TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+ }
+-- 
+2.34.1
+

meta/recipes-core/ovmf/ovmf/CVE-2025-2296-1.patch

@@ -0,0 +1,762 @@
+From 459f5ffa24ae8574657c4105af0ff7dc30ac428d Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Jan 2025 17:36:39 +0100
+Subject: [PATCH 01/10] OvmfPkg/QemuKernelLoaderFsDxe: rework direct kernel
+ boot filesystem
+
+Split KERNEL_BLOB struct into two:
+
+ * One (KERNEL_BLOB_ITEMS) static array describing how to load (unnamed)
+   blobs from fw_cfg.
+ * And one (KERNEL_BLOB) dynamically allocated linked list carrying the
+   data blobs for the pseudo filesystem.
+
+Also add some debug logging.  Prefix most functions with 'QemuKernel'
+for consistency and easier log file grepping.  Add some small helper
+functions.
+
+This refactoring prepares for loading blobs in other ways.
+No (intentional) change in filesystem protocol behavior.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/459f5ffa24ae8574657c4105af0ff7dc30ac428d]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../QemuKernelLoaderFsDxe.c                   | 345 +++++++++++-------
+ 1 file changed, 205 insertions(+), 140 deletions(-)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index cf58c97cd2..7ad1b3828f 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -31,13 +31,6 @@
+ //
+ // Static data that hosts the fw_cfg blobs and serves file requests.
+ //
+-typedef enum {
+-  KernelBlobTypeKernel,
+-  KernelBlobTypeInitrd,
+-  KernelBlobTypeCommandLine,
+-  KernelBlobTypeMax
+-} KERNEL_BLOB_TYPE;
+-
+ typedef struct {
+   CONST CHAR16    Name[8];
+   struct {
+@@ -45,11 +38,17 @@ typedef struct {
+     FIRMWARE_CONFIG_ITEM CONST    DataKey;
+     UINT32                        Size;
+   }                             FwCfgItem[2];
+-  UINT32          Size;
+-  UINT8           *Data;
+-} KERNEL_BLOB;
++} KERNEL_BLOB_ITEMS;
++
++typedef struct KERNEL_BLOB KERNEL_BLOB;
++struct KERNEL_BLOB {
++  CHAR16         Name[8];
++  UINT32         Size;
++  UINT8          *Data;
++  KERNEL_BLOB    *Next;
++};
+ 
+-STATIC KERNEL_BLOB  mKernelBlob[KernelBlobTypeMax] = {
++STATIC KERNEL_BLOB_ITEMS  mKernelBlobItems[] = {
+   {
+     L"kernel",
+     {
+@@ -69,7 +68,9 @@ STATIC KERNEL_BLOB  mKernelBlob[KernelBlobTypeMax] = {
+   }
+ };
+ 
+-STATIC UINT64  mTotalBlobBytes;
++STATIC KERNEL_BLOB  *mKernelBlobs;
++STATIC UINT64       mKernelBlobCount;
++STATIC UINT64       mTotalBlobBytes;
+ 
+ //
+ // Device path for the handle that incorporates our "EFI stub filesystem".
+@@ -117,7 +118,7 @@ STATIC EFI_TIME  mInitTime;
+ typedef struct {
+   UINT64               Signature; // Carries STUB_FILE_SIG.
+ 
+-  KERNEL_BLOB_TYPE     BlobType; // Index into mKernelBlob. KernelBlobTypeMax
++  KERNEL_BLOB          *Blob;    // Index into mKernelBlob. KernelBlobTypeMax
+                                  // denotes the root directory of the filesystem.
+ 
+   UINT64               Position; // Byte position for regular files;
+@@ -177,7 +178,7 @@ typedef struct {
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileOpen (
++QemuKernelStubFileOpen (
+   IN EFI_FILE_PROTOCOL   *This,
+   OUT EFI_FILE_PROTOCOL  **NewHandle,
+   IN CHAR16              *FileName,
+@@ -196,7 +197,7 @@ StubFileOpen (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileClose (
++QemuKernelStubFileClose (
+   IN EFI_FILE_PROTOCOL  *This
+   )
+ {
+@@ -219,7 +220,7 @@ StubFileClose (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileDelete (
++QemuKernelStubFileDelete (
+   IN EFI_FILE_PROTOCOL  *This
+   )
+ {
+@@ -229,18 +230,17 @@ StubFileDelete (
+ 
+ /**
+   Helper function that formats an EFI_FILE_INFO structure into the
+-  user-allocated buffer, for any valid KERNEL_BLOB_TYPE value (including
+-  KernelBlobTypeMax, which stands for the root directory).
++  user-allocated buffer, for any valid KERNEL_BLOB (including NULL,
++  which stands for the root directory).
+ 
+   The interface follows the EFI_FILE_GET_INFO -- and for directories, the
+   EFI_FILE_READ -- interfaces.
+ 
+-  @param[in]     BlobType     The KERNEL_BLOB_TYPE value identifying the fw_cfg
++  @param[in]     Blob         The KERNEL_BLOB identifying the fw_cfg
+                               blob backing the STUB_FILE that information is
+-                              being requested about. If BlobType equals
+-                              KernelBlobTypeMax, then information will be
+-                              provided about the root directory of the
+-                              filesystem.
++                              being requested about. If Blob is NULL,
++                              then information will be provided about the root
++                              directory of the filesystem.
+ 
+   @param[in,out] BufferSize  On input, the size of Buffer. On output, the
+                              amount of data returned in Buffer. In both cases,
+@@ -257,10 +257,10 @@ StubFileDelete (
+ **/
+ STATIC
+ EFI_STATUS
+-ConvertKernelBlobTypeToFileInfo (
+-  IN KERNEL_BLOB_TYPE  BlobType,
+-  IN OUT UINTN         *BufferSize,
+-  OUT VOID             *Buffer
++QemuKernelBlobTypeToFileInfo (
++  IN KERNEL_BLOB  *Blob,
++  IN OUT UINTN    *BufferSize,
++  OUT VOID        *Buffer
+   )
+ {
+   CONST CHAR16  *Name;
+@@ -272,17 +272,16 @@ ConvertKernelBlobTypeToFileInfo (
+   EFI_FILE_INFO  *FileInfo;
+   UINTN          OriginalBufferSize;
+ 
+-  if (BlobType == KernelBlobTypeMax) {
++  if (Blob == NULL) {
+     //
+     // getting file info about the root directory
+     //
++    DEBUG ((DEBUG_INFO, "%a: file info: directory\n", __func__));
+     Name      = L"\\";
+-    FileSize  = KernelBlobTypeMax;
++    FileSize  = mKernelBlobCount;
+     Attribute = EFI_FILE_READ_ONLY | EFI_FILE_DIRECTORY;
+   } else {
+-    CONST KERNEL_BLOB  *Blob;
+-
+-    Blob      = &mKernelBlob[BlobType];
++    DEBUG ((DEBUG_INFO, "%a: file info: \"%s\"\n", __func__, Blob->Name));
+     Name      = Blob->Name;
+     FileSize  = Blob->Size;
+     Attribute = EFI_FILE_READ_ONLY;
+@@ -312,6 +311,23 @@ ConvertKernelBlobTypeToFileInfo (
+   return EFI_SUCCESS;
+ }
+ 
++STATIC
++KERNEL_BLOB *
++FindKernelBlob (
++  CHAR16  *FileName
++  )
++{
++  KERNEL_BLOB  *Blob;
++
++  for (Blob = mKernelBlobs; Blob != NULL; Blob = Blob->Next) {
++    if (StrCmp (FileName, Blob->Name) == 0) {
++      return Blob;
++    }
++  }
++
++  return NULL;
++}
++
+ /**
+   Reads data from a file, or continues scanning a directory.
+ 
+@@ -349,25 +365,25 @@ ConvertKernelBlobTypeToFileInfo (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileRead (
++QemuKernelStubFileRead (
+   IN EFI_FILE_PROTOCOL  *This,
+   IN OUT UINTN          *BufferSize,
+   OUT VOID              *Buffer
+   )
+ {
+-  STUB_FILE          *StubFile;
+-  CONST KERNEL_BLOB  *Blob;
+-  UINT64             Left;
++  STUB_FILE    *StubFile;
++  KERNEL_BLOB  *Blob;
++  UINT64       Left, Pos;
+ 
+   StubFile = STUB_FILE_FROM_FILE (This);
+ 
+   //
+   // Scanning the root directory?
+   //
+-  if (StubFile->BlobType == KernelBlobTypeMax) {
++  if (StubFile->Blob == NULL) {
+     EFI_STATUS  Status;
+ 
+-    if (StubFile->Position == KernelBlobTypeMax) {
++    if (StubFile->Position == mKernelBlobCount) {
+       //
+       // Scanning complete.
+       //
+@@ -375,8 +391,16 @@ StubFileRead (
+       return EFI_SUCCESS;
+     }
+ 
+-    Status = ConvertKernelBlobTypeToFileInfo (
+-               (KERNEL_BLOB_TYPE)StubFile->Position,
++    for (Pos = 0, Blob = mKernelBlobs;
++         Pos < StubFile->Position;
++         Pos++, Blob = Blob->Next)
++    {
++    }
++
++    DEBUG ((DEBUG_INFO, "%a: file list: #%d \"%s\"\n", __func__, Pos, Blob->Name));
++
++    Status = QemuKernelBlobTypeToFileInfo (
++               Blob,
+                BufferSize,
+                Buffer
+                );
+@@ -391,7 +415,7 @@ StubFileRead (
+   //
+   // Reading a file.
+   //
+-  Blob = &mKernelBlob[StubFile->BlobType];
++  Blob = StubFile->Blob;
+   if (StubFile->Position > Blob->Size) {
+     return EFI_DEVICE_ERROR;
+   }
+@@ -402,6 +426,7 @@ StubFileRead (
+   }
+ 
+   if (Blob->Data != NULL) {
++    DEBUG ((DEBUG_INFO, "%a: file read: \"%s\", %d bytes\n", __func__, Blob->Name, *BufferSize));
+     CopyMem (Buffer, Blob->Data + StubFile->Position, *BufferSize);
+   }
+ 
+@@ -435,7 +460,7 @@ StubFileRead (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileWrite (
++QemuKernelStubFileWrite (
+   IN EFI_FILE_PROTOCOL  *This,
+   IN OUT UINTN          *BufferSize,
+   IN VOID               *Buffer
+@@ -444,7 +469,7 @@ StubFileWrite (
+   STUB_FILE  *StubFile;
+ 
+   StubFile = STUB_FILE_FROM_FILE (This);
+-  return (StubFile->BlobType == KernelBlobTypeMax) ?
++  return (StubFile->Blob == NULL) ?
+          EFI_UNSUPPORTED :
+          EFI_WRITE_PROTECTED;
+ }
+@@ -466,7 +491,7 @@ StubFileWrite (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileGetPosition (
++QemuKernelStubFileGetPosition (
+   IN EFI_FILE_PROTOCOL  *This,
+   OUT UINT64            *Position
+   )
+@@ -474,7 +499,7 @@ StubFileGetPosition (
+   STUB_FILE  *StubFile;
+ 
+   StubFile = STUB_FILE_FROM_FILE (This);
+-  if (StubFile->BlobType == KernelBlobTypeMax) {
++  if (StubFile->Blob == NULL) {
+     return EFI_UNSUPPORTED;
+   }
+ 
+@@ -501,7 +526,7 @@ StubFileGetPosition (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileSetPosition (
++QemuKernelStubFileSetPosition (
+   IN EFI_FILE_PROTOCOL  *This,
+   IN UINT64             Position
+   )
+@@ -511,7 +536,7 @@ StubFileSetPosition (
+ 
+   StubFile = STUB_FILE_FROM_FILE (This);
+ 
+-  if (StubFile->BlobType == KernelBlobTypeMax) {
++  if (StubFile->Blob == NULL) {
+     if (Position == 0) {
+       //
+       // rewinding a directory scan is allowed
+@@ -526,7 +551,7 @@ StubFileSetPosition (
+   //
+   // regular file seek
+   //
+-  Blob = &mKernelBlob[StubFile->BlobType];
++  Blob = StubFile->Blob;
+   if (Position == MAX_UINT64) {
+     //
+     // seek to end
+@@ -583,7 +608,7 @@ StubFileSetPosition (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileGetInfo (
++QemuKernelStubFileGetInfo (
+   IN EFI_FILE_PROTOCOL  *This,
+   IN EFI_GUID           *InformationType,
+   IN OUT UINTN          *BufferSize,
+@@ -596,8 +621,8 @@ StubFileGetInfo (
+   StubFile = STUB_FILE_FROM_FILE (This);
+ 
+   if (CompareGuid (InformationType, &gEfiFileInfoGuid)) {
+-    return ConvertKernelBlobTypeToFileInfo (
+-             StubFile->BlobType,
++    return QemuKernelBlobTypeToFileInfo (
++             StubFile->Blob,
+              BufferSize,
+              Buffer
+              );
+@@ -685,7 +710,7 @@ StubFileGetInfo (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileSetInfo (
++QemuKernelStubFileSetInfo (
+   IN EFI_FILE_PROTOCOL  *This,
+   IN EFI_GUID           *InformationType,
+   IN UINTN              BufferSize,
+@@ -712,7 +737,7 @@ StubFileSetInfo (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileFlush (
++QemuKernelStubFileFlush (
+   IN EFI_FILE_PROTOCOL  *This
+   )
+ {
+@@ -724,16 +749,16 @@ StubFileFlush (
+ //
+ STATIC CONST EFI_FILE_PROTOCOL  mEfiFileProtocolTemplate = {
+   EFI_FILE_PROTOCOL_REVISION, // revision 1
+-  StubFileOpen,
+-  StubFileClose,
+-  StubFileDelete,
+-  StubFileRead,
+-  StubFileWrite,
+-  StubFileGetPosition,
+-  StubFileSetPosition,
+-  StubFileGetInfo,
+-  StubFileSetInfo,
+-  StubFileFlush,
++  QemuKernelStubFileOpen,
++  QemuKernelStubFileClose,
++  QemuKernelStubFileDelete,
++  QemuKernelStubFileRead,
++  QemuKernelStubFileWrite,
++  QemuKernelStubFileGetPosition,
++  QemuKernelStubFileSetPosition,
++  QemuKernelStubFileGetInfo,
++  QemuKernelStubFileSetInfo,
++  QemuKernelStubFileFlush,
+   NULL,                       // OpenEx, revision 2
+   NULL,                       // ReadEx, revision 2
+   NULL,                       // WriteEx, revision 2
+@@ -743,7 +768,7 @@ STATIC CONST EFI_FILE_PROTOCOL  mEfiFileProtocolTemplate = {
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileOpen (
++QemuKernelStubFileOpen (
+   IN EFI_FILE_PROTOCOL   *This,
+   OUT EFI_FILE_PROTOCOL  **NewHandle,
+   IN CHAR16              *FileName,
+@@ -752,7 +777,7 @@ StubFileOpen (
+   )
+ {
+   CONST STUB_FILE  *StubFile;
+-  UINTN            BlobType;
++  KERNEL_BLOB      *Blob;
+   STUB_FILE        *NewStubFile;
+ 
+   //
+@@ -774,21 +799,20 @@ StubFileOpen (
+   // Only the root directory supports opening files in it.
+   //
+   StubFile = STUB_FILE_FROM_FILE (This);
+-  if (StubFile->BlobType != KernelBlobTypeMax) {
++  if (StubFile->Blob != NULL) {
+     return EFI_UNSUPPORTED;
+   }
+ 
+   //
+   // Locate the file.
+   //
+-  for (BlobType = 0; BlobType < KernelBlobTypeMax; ++BlobType) {
+-    if (StrCmp (FileName, mKernelBlob[BlobType].Name) == 0) {
+-      break;
+-    }
+-  }
++  Blob = FindKernelBlob (FileName);
+ 
+-  if (BlobType == KernelBlobTypeMax) {
++  if (Blob == NULL) {
++    DEBUG ((DEBUG_INFO, "%a: file not found: \"%s\"\n", __func__, FileName));
+     return EFI_NOT_FOUND;
++  } else {
++    DEBUG ((DEBUG_INFO, "%a: file opened: \"%s\"\n", __func__, FileName));
+   }
+ 
+   //
+@@ -800,7 +824,7 @@ StubFileOpen (
+   }
+ 
+   NewStubFile->Signature = STUB_FILE_SIG;
+-  NewStubFile->BlobType  = (KERNEL_BLOB_TYPE)BlobType;
++  NewStubFile->Blob      = Blob;
+   NewStubFile->Position  = 0;
+   CopyMem (
+     &NewStubFile->File,
+@@ -842,7 +866,7 @@ StubFileOpen (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileSystemOpenVolume (
++QemuKernelStubFileSystemOpenVolume (
+   IN EFI_SIMPLE_FILE_SYSTEM_PROTOCOL  *This,
+   OUT EFI_FILE_PROTOCOL               **Root
+   )
+@@ -855,7 +879,7 @@ StubFileSystemOpenVolume (
+   }
+ 
+   StubFile->Signature = STUB_FILE_SIG;
+-  StubFile->BlobType  = KernelBlobTypeMax;
++  StubFile->Blob      = NULL;
+   StubFile->Position  = 0;
+   CopyMem (
+     &StubFile->File,
+@@ -869,13 +893,13 @@ StubFileSystemOpenVolume (
+ 
+ STATIC CONST EFI_SIMPLE_FILE_SYSTEM_PROTOCOL  mFileSystem = {
+   EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_REVISION,
+-  StubFileSystemOpenVolume
++  QemuKernelStubFileSystemOpenVolume
+ };
+ 
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-InitrdLoadFile2 (
++QemuKernelInitrdLoadFile2 (
+   IN      EFI_LOAD_FILE2_PROTOCOL   *This,
+   IN      EFI_DEVICE_PATH_PROTOCOL  *FilePath,
+   IN      BOOLEAN                   BootPolicy,
+@@ -883,8 +907,11 @@ InitrdLoadFile2 (
+   OUT     VOID                      *Buffer     OPTIONAL
+   )
+ {
+-  CONST KERNEL_BLOB  *InitrdBlob = &mKernelBlob[KernelBlobTypeInitrd];
++  KERNEL_BLOB  *InitrdBlob;
+ 
++  DEBUG ((DEBUG_INFO, "%a: initrd read\n", __func__));
++  InitrdBlob = FindKernelBlob (L"initrd");
++  ASSERT (InitrdBlob != NULL);
+   ASSERT (InitrdBlob->Size > 0);
+ 
+   if (BootPolicy) {
+@@ -913,17 +940,33 @@ InitrdLoadFile2 (
+ }
+ 
+ STATIC CONST EFI_LOAD_FILE2_PROTOCOL  mInitrdLoadFile2 = {
+-  InitrdLoadFile2,
++  QemuKernelInitrdLoadFile2,
+ };
+ 
+ //
+ // Utility functions.
+ //
+ 
++STATIC VOID
++QemuKernelChunkedRead (
++  UINT8   *Dest,
++  UINT32  Bytes
++  )
++{
++  UINT32  Chunk;
++
++  while (Bytes > 0) {
++    Chunk = (Bytes < SIZE_1MB) ? Bytes : SIZE_1MB;
++    QemuFwCfgReadBytes (Chunk, Dest);
++    Bytes -= Chunk;
++    Dest  += Chunk;
++  }
++}
++
+ /**
+   Populate a blob in mKernelBlob.
+ 
+-  param[in,out] Blob  Pointer to the KERNEL_BLOB element in mKernelBlob that is
++  param[in,out] Blob  Pointer to the KERNEL_BLOB_ITEMS that is
+                       to be filled from fw_cfg.
+ 
+   @retval EFI_SUCCESS           Blob has been populated. If fw_cfg reported a
+@@ -934,35 +977,46 @@ STATIC CONST EFI_LOAD_FILE2_PROTOCOL  mInitrdLoadFile2 = {
+ **/
+ STATIC
+ EFI_STATUS
+-FetchBlob (
+-  IN OUT KERNEL_BLOB  *Blob
++QemuKernelFetchBlob (
++  IN KERNEL_BLOB_ITEMS  *BlobItems
+   )
+ {
+-  UINT32  Left;
+-  UINTN   Idx;
+-  UINT8   *ChunkData;
++  UINT32       Size;
++  UINTN        Idx;
++  UINT8        *ChunkData;
++  KERNEL_BLOB  *Blob;
++  EFI_STATUS   Status;
+ 
+   //
+   // Read blob size.
+   //
+-  Blob->Size = 0;
+-  for (Idx = 0; Idx < ARRAY_SIZE (Blob->FwCfgItem); Idx++) {
+-    if (Blob->FwCfgItem[Idx].SizeKey == 0) {
++  for (Size = 0, Idx = 0; Idx < ARRAY_SIZE (BlobItems->FwCfgItem); Idx++) {
++    if (BlobItems->FwCfgItem[Idx].SizeKey == 0) {
+       break;
+     }
+ 
+-    QemuFwCfgSelectItem (Blob->FwCfgItem[Idx].SizeKey);
+-    Blob->FwCfgItem[Idx].Size = QemuFwCfgRead32 ();
+-    Blob->Size               += Blob->FwCfgItem[Idx].Size;
++    QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].SizeKey);
++    BlobItems->FwCfgItem[Idx].Size = QemuFwCfgRead32 ();
++    Size                          += BlobItems->FwCfgItem[Idx].Size;
+   }
+ 
+-  if (Blob->Size == 0) {
++  if (Size == 0) {
+     return EFI_SUCCESS;
+   }
+ 
++  Blob = AllocatePool (sizeof (*Blob));
++  if (Blob->Data == NULL) {
++    return EFI_OUT_OF_RESOURCES;
++  }
++
++  ZeroMem (Blob, sizeof (*Blob));
++
+   //
+   // Read blob.
+   //
++  Status = StrCpyS (Blob->Name, sizeof (Blob->Name), BlobItems->Name);
++  ASSERT (!EFI_ERROR (Status));
++  Blob->Size = Size;
+   Blob->Data = AllocatePool (Blob->Size);
+   if (Blob->Data == NULL) {
+     DEBUG ((
+@@ -972,6 +1026,7 @@ FetchBlob (
+       (INT64)Blob->Size,
+       Blob->Name
+       ));
++    FreePool (Blob);
+     return EFI_OUT_OF_RESOURCES;
+   }
+ 
+@@ -984,34 +1039,48 @@ FetchBlob (
+     ));
+ 
+   ChunkData = Blob->Data;
+-  for (Idx = 0; Idx < ARRAY_SIZE (Blob->FwCfgItem); Idx++) {
+-    if (Blob->FwCfgItem[Idx].DataKey == 0) {
++  for (Idx = 0; Idx < ARRAY_SIZE (BlobItems->FwCfgItem); Idx++) {
++    if (BlobItems->FwCfgItem[Idx].DataKey == 0) {
+       break;
+     }
+ 
+-    QemuFwCfgSelectItem (Blob->FwCfgItem[Idx].DataKey);
++    QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].DataKey);
++    QemuKernelChunkedRead (ChunkData, BlobItems->FwCfgItem[Idx].Size);
++    ChunkData += BlobItems->FwCfgItem[Idx].Size;
++  }
+ 
+-    Left = Blob->FwCfgItem[Idx].Size;
+-    while (Left > 0) {
+-      UINT32  Chunk;
++  Blob->Next   = mKernelBlobs;
++  mKernelBlobs = Blob;
++  mKernelBlobCount++;
++  mTotalBlobBytes += Blob->Size;
++  return EFI_SUCCESS;
++}
+ 
+-      Chunk = (Left < SIZE_1MB) ? Left : SIZE_1MB;
+-      QemuFwCfgReadBytes (Chunk, ChunkData + Blob->FwCfgItem[Idx].Size - Left);
+-      Left -= Chunk;
+-      DEBUG ((
+-        DEBUG_VERBOSE,
+-        "%a: %Ld bytes remaining for \"%s\" (%d)\n",
+-        __func__,
+-        (INT64)Left,
+-        Blob->Name,
+-        (INT32)Idx
+-        ));
+-    }
++STATIC
++EFI_STATUS
++QemuKernelVerifyBlob (
++  CHAR16      *FileName,
++  EFI_STATUS  FetchStatus
++  )
++{
++  KERNEL_BLOB  *Blob;
++  EFI_STATUS   Status;
+ 
+-    ChunkData += Blob->FwCfgItem[Idx].Size;
++  if ((StrCmp (FileName, L"kernel") != 0) &&
++      (StrCmp (FileName, L"initrd") != 0) &&
++      (StrCmp (FileName, L"cmdline") != 0))
++  {
++    return EFI_SUCCESS;
+   }
+ 
+-  return EFI_SUCCESS;
++  Blob   = FindKernelBlob (FileName);
++  Status = VerifyBlob (
++             FileName,
++             Blob ? Blob->Data : NULL,
++             Blob ? Blob->Size : 0,
++             FetchStatus
++             );
++  return Status;
+ }
+ 
+ //
+@@ -1038,13 +1107,13 @@ QemuKernelLoaderFsDxeEntrypoint (
+   IN EFI_SYSTEM_TABLE  *SystemTable
+   )
+ {
+-  UINTN        BlobType;
+-  KERNEL_BLOB  *CurrentBlob;
+-  KERNEL_BLOB  *KernelBlob;
+-  EFI_STATUS   Status;
+-  EFI_STATUS   FetchStatus;
+-  EFI_HANDLE   FileSystemHandle;
+-  EFI_HANDLE   InitrdLoadFile2Handle;
++  UINTN              BlobIdx;
++  KERNEL_BLOB_ITEMS  *BlobItems;
++  KERNEL_BLOB        *Blob;
++  EFI_STATUS         Status;
++  EFI_STATUS         FetchStatus;
++  EFI_HANDLE         FileSystemHandle;
++  EFI_HANDLE         InitrdLoadFile2Handle;
+ 
+   if (!QemuFwCfgIsAvailable ()) {
+     return EFI_NOT_FOUND;
+@@ -1059,26 +1128,22 @@ QemuKernelLoaderFsDxeEntrypoint (
+   //
+   // Fetch all blobs.
+   //
+-  for (BlobType = 0; BlobType < KernelBlobTypeMax; ++BlobType) {
+-    CurrentBlob = &mKernelBlob[BlobType];
+-    FetchStatus = FetchBlob (CurrentBlob);
+-
+-    Status = VerifyBlob (
+-               CurrentBlob->Name,
+-               CurrentBlob->Data,
+-               CurrentBlob->Size,
++  for (BlobIdx = 0; BlobIdx < ARRAY_SIZE (mKernelBlobItems); ++BlobIdx) {
++    BlobItems   = &mKernelBlobItems[BlobIdx];
++    FetchStatus = QemuKernelFetchBlob (BlobItems);
++
++    Status = QemuKernelVerifyBlob (
++               (CHAR16 *)BlobItems->Name,
+                FetchStatus
+                );
+     if (EFI_ERROR (Status)) {
+       goto FreeBlobs;
+     }
+-
+-    mTotalBlobBytes += CurrentBlob->Size;
+   }
+ 
+-  KernelBlob = &mKernelBlob[KernelBlobTypeKernel];
+-
+-  if (KernelBlob->Data == NULL) {
++  Blob = FindKernelBlob (L"kernel");
++  if (Blob == NULL) {
++    DEBUG ((DEBUG_INFO, "%a: no kernel present -> quit\n", __func__));
+     Status = EFI_NOT_FOUND;
+     goto FreeBlobs;
+   }
+@@ -1106,7 +1171,9 @@ QemuKernelLoaderFsDxeEntrypoint (
+     goto FreeBlobs;
+   }
+ 
+-  if (KernelBlob[KernelBlobTypeInitrd].Size > 0) {
++  Blob = FindKernelBlob (L"initrd");
++  if (Blob != NULL) {
++    DEBUG ((DEBUG_INFO, "%a: initrd setup\n", __func__));
+     InitrdLoadFile2Handle = NULL;
+     Status                = gBS->InstallMultipleProtocolInterfaces (
+                                    &InitrdLoadFile2Handle,
+@@ -1141,13 +1208,11 @@ UninstallFileSystemHandle:
+   ASSERT_EFI_ERROR (Status);
+ 
+ FreeBlobs:
+-  while (BlobType > 0) {
+-    CurrentBlob = &mKernelBlob[--BlobType];
+-    if (CurrentBlob->Data != NULL) {
+-      FreePool (CurrentBlob->Data);
+-      CurrentBlob->Size = 0;
+-      CurrentBlob->Data = NULL;
+-    }
++  while (mKernelBlobs != NULL) {
++    Blob         = mKernelBlobs;
++    mKernelBlobs = Blob->Next;
++    FreePool (Blob->Data);
++    FreePool (Blob);
+   }
+ 
+   return Status;
+-- 
+2.49.0
+

meta/recipes-core/ovmf/ovmf/CVE-2025-2296-2.patch

@@ -0,0 +1,175 @@
+From 20df7c42bd446fe725bfc78cdb40577456c421d8 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 15 Jan 2025 00:29:52 +0100
+Subject: [PATCH 02/10] OvmfPkg/QemuKernelLoaderFsDxe: add support for named
+ blobs
+
+Load all named fw_cfg blobs with "etc/boot/" prefix into the pseudo
+filesystem.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/20df7c42bd446fe725bfc78cdb40577456c421d8]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../QemuKernelLoaderFsDxe.c                   | 94 ++++++++++++++++---
+ .../QemuKernelLoaderFsDxe.inf                 |  1 +
+ 2 files changed, 84 insertions(+), 11 deletions(-)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 7ad1b3828f..1f63adda0b 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -21,6 +21,7 @@
+ #include <Library/DebugLib.h>
+ #include <Library/DevicePathLib.h>
+ #include <Library/MemoryAllocationLib.h>
++#include <Library/PrintLib.h>
+ #include <Library/QemuFwCfgLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+ #include <Library/UefiRuntimeServicesTableLib.h>
+@@ -32,12 +33,12 @@
+ // Static data that hosts the fw_cfg blobs and serves file requests.
+ //
+ typedef struct {
+-  CONST CHAR16    Name[8];
++  CHAR16    Name[8];
+   struct {
+-    FIRMWARE_CONFIG_ITEM CONST    SizeKey;
+-    FIRMWARE_CONFIG_ITEM CONST    DataKey;
+-    UINT32                        Size;
+-  }                             FwCfgItem[2];
++    FIRMWARE_CONFIG_ITEM    SizeKey;
++    FIRMWARE_CONFIG_ITEM    DataKey;
++    UINT32                  Size;
++  }                         FwCfgItem[2];
+ } KERNEL_BLOB_ITEMS;
+ 
+ typedef struct KERNEL_BLOB KERNEL_BLOB;
+@@ -989,15 +990,23 @@ QemuKernelFetchBlob (
+ 
+   //
+   // Read blob size.
++  //   Size != 0      ->  use size as-is
++  //   SizeKey != 0   ->  read size from fw_cfg
++  //   both are 0     ->  unused entry
+   //
+   for (Size = 0, Idx = 0; Idx < ARRAY_SIZE (BlobItems->FwCfgItem); Idx++) {
+-    if (BlobItems->FwCfgItem[Idx].SizeKey == 0) {
++    if ((BlobItems->FwCfgItem[Idx].SizeKey == 0) &&
++        (BlobItems->FwCfgItem[Idx].Size == 0))
++    {
+       break;
+     }
+ 
+-    QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].SizeKey);
+-    BlobItems->FwCfgItem[Idx].Size = QemuFwCfgRead32 ();
+-    Size                          += BlobItems->FwCfgItem[Idx].Size;
++    if (BlobItems->FwCfgItem[Idx].SizeKey) {
++      QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].SizeKey);
++      BlobItems->FwCfgItem[Idx].Size = QemuFwCfgRead32 ();
++    }
++
++    Size += BlobItems->FwCfgItem[Idx].Size;
+   }
+ 
+   if (Size == 0) {
+@@ -1083,6 +1092,55 @@ QemuKernelVerifyBlob (
+   return Status;
+ }
+ 
++STATIC
++EFI_STATUS
++QemuKernelFetchNamedBlobs (
++  VOID
++  )
++{
++  struct {
++    UINT32    FileSize;
++    UINT16    FileSelect;
++    UINT16    Reserved;
++    CHAR8     FileName[QEMU_FW_CFG_FNAME_SIZE];
++  } *DirEntry;
++  KERNEL_BLOB_ITEMS  Items;
++  EFI_STATUS         Status;
++  EFI_STATUS         FetchStatus;
++  UINT32             Count;
++  UINT32             Idx;
++
++  QemuFwCfgSelectItem (QemuFwCfgItemFileDir);
++  Count = SwapBytes32 (QemuFwCfgRead32 ());
++
++  DirEntry = AllocatePool (sizeof (*DirEntry) * Count);
++  QemuFwCfgReadBytes (sizeof (*DirEntry) * Count, DirEntry);
++
++  for (Idx = 0; Idx < Count; ++Idx) {
++    if (AsciiStrnCmp (DirEntry[Idx].FileName, "etc/boot/", 9) != 0) {
++      continue;
++    }
++
++    ZeroMem (&Items, sizeof (Items));
++    UnicodeSPrint (Items.Name, sizeof (Items.Name), L"%a", DirEntry[Idx].FileName + 9);
++    Items.FwCfgItem[0].DataKey = SwapBytes16 (DirEntry[Idx].FileSelect);
++    Items.FwCfgItem[0].Size    = SwapBytes32 (DirEntry[Idx].FileSize);
++
++    FetchStatus = QemuKernelFetchBlob (&Items);
++    Status      = QemuKernelVerifyBlob (
++                    (CHAR16 *)Items.Name,
++                    FetchStatus
++                    );
++    if (EFI_ERROR (Status)) {
++      FreePool (DirEntry);
++      return Status;
++    }
++  }
++
++  FreePool (DirEntry);
++  return EFI_SUCCESS;
++}
++
+ //
+ // The entry point of the feature.
+ //
+@@ -1126,10 +1184,24 @@ QemuKernelLoaderFsDxeEntrypoint (
+   }
+ 
+   //
+-  // Fetch all blobs.
++  // Fetch named blobs.
+   //
++  DEBUG ((DEBUG_INFO, "%a: named blobs (etc/boot/*)\n", __func__));
++  Status = QemuKernelFetchNamedBlobs ();
++  if (EFI_ERROR (Status)) {
++    goto FreeBlobs;
++  }
++
++  //
++  // Fetch traditional blobs.
++  //
++  DEBUG ((DEBUG_INFO, "%a: traditional blobs\n", __func__));
+   for (BlobIdx = 0; BlobIdx < ARRAY_SIZE (mKernelBlobItems); ++BlobIdx) {
+-    BlobItems   = &mKernelBlobItems[BlobIdx];
++    BlobItems = &mKernelBlobItems[BlobIdx];
++    if (FindKernelBlob (BlobItems->Name)) {
++      continue;
++    }
++
+     FetchStatus = QemuKernelFetchBlob (BlobItems);
+ 
+     Status = QemuKernelVerifyBlob (
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+index 7b35adb8e0..a2f44bbca1 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+@@ -30,6 +30,7 @@
+   DebugLib
+   DevicePathLib
+   MemoryAllocationLib
++  PrintLib
+   QemuFwCfgLib
+   UefiBootServicesTableLib
+   UefiDriverEntryPoint
+-- 
+2.49.0
+

meta/recipes-core/ovmf/ovmf/CVE-2025-2296-3.patch

@@ -0,0 +1,42 @@
+From adf385ecab69631952bdc8b774ebd77e82b94a00 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 16 Jan 2025 15:42:13 +0100
+Subject: [PATCH 03/10] OvmfPkg/QemuKernelLoaderFsDxe: allow longer file names
+
+QEMU_FW_CFG_FNAME_SIZE is 56. 'etc/boot/' prefix is minus 9.  Add one
+for the terminating '\0'.  Effective max size is 48.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/adf385ecab69631952bdc8b774ebd77e82b94a00]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 1f63adda0b..0947b6bf2d 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -33,7 +33,7 @@
+ // Static data that hosts the fw_cfg blobs and serves file requests.
+ //
+ typedef struct {
+-  CHAR16    Name[8];
++  CHAR16    Name[48];
+   struct {
+     FIRMWARE_CONFIG_ITEM    SizeKey;
+     FIRMWARE_CONFIG_ITEM    DataKey;
+@@ -43,7 +43,7 @@ typedef struct {
+ 
+ typedef struct KERNEL_BLOB KERNEL_BLOB;
+ struct KERNEL_BLOB {
+-  CHAR16         Name[8];
++  CHAR16         Name[48];
+   UINT32         Size;
+   UINT8          *Data;
+   KERNEL_BLOB    *Next;
+-- 
+2.49.0
+

meta/recipes-core/ovmf/ovmf/CVE-2025-2296-4.patch

@@ -0,0 +1,34 @@
+From 1111e9fe7078eed9e5c50e1808776ee40a629e16 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 16 Jan 2025 15:52:54 +0100
+Subject: [PATCH 04/10] OvmfPkg/QemuKernelLoaderFsDxe: drop bogus assert
+
+Triggers when trying to get root directory info.
+Reproducer:
+ * Use qemu -kernel with something edk2 can not load.
+ * When dropped into the efi shell try inspect the file system.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1111e9fe7078eed9e5c50e1808776ee40a629e16]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 0947b6bf2d..3e1a876bf0 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -290,7 +290,6 @@ QemuKernelBlobTypeToFileInfo (
+ 
+   NameSize     = (StrLen (Name) + 1) * 2;
+   FileInfoSize = OFFSET_OF (EFI_FILE_INFO, FileName) + NameSize;
+-  ASSERT (FileInfoSize >= sizeof *FileInfo);
+ 
+   OriginalBufferSize = *BufferSize;
+   *BufferSize        = FileInfoSize;
+-- 
+2.49.0
+

meta/recipes-core/ovmf/ovmf/CVE-2025-2296-5.patch

@@ -0,0 +1,36 @@
+From 46ae4e4b9574530e5081e98af0495d6f6d28379f Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 16 Jan 2025 16:03:01 +0100
+Subject: [PATCH 05/10] OvmfPkg/QemuKernelLoaderFsDxe: accept absolute paths
+
+EFI shell looks for "\startup.nsh".
+Try "-fw_cfg name=etc/boot/startup.nsh,string='echo hello'" ;)
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/46ae4e4b9574530e5081e98af0495d6f6d28379f]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 3e1a876bf0..5b90420dad 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -806,6 +806,11 @@ QemuKernelStubFileOpen (
+   //
+   // Locate the file.
+   //
++  if (FileName[0] == '\\') {
++    // also accept absolute paths, i.e. '\kernel' for 'kernel'
++    FileName++;
++  }
++
+   Blob = FindKernelBlob (FileName);
+ 
+   if (Blob == NULL) {
+-- 
+2.49.0
+

meta/recipes-core/ovmf/ovmf/CVE-2025-2296-6.patch

@@ -0,0 +1,54 @@
+From c45051450efbdae4a38f07998b3e7b77abe7173a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 20 Jan 2025 11:28:37 +0100
+Subject: [PATCH 06/10] OvmfPkg/QemuKernelLoaderFsDxe: don't quit when named
+ blobs are present
+
+Allows to use the qemu kernel loader pseudo file system for other
+purposes than loading a linux kernel (or efi binary).  Passing
+startup.nsh for EFI shell is one example.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c45051450efbdae4a38f07998b3e7b77abe7173a]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 5b90420dad..add914daa8 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -71,6 +71,7 @@ STATIC KERNEL_BLOB_ITEMS  mKernelBlobItems[] = {
+ 
+ STATIC KERNEL_BLOB  *mKernelBlobs;
+ STATIC UINT64       mKernelBlobCount;
++STATIC UINT64       mKernelNamedBlobCount;
+ STATIC UINT64       mTotalBlobBytes;
+ 
+ //
+@@ -1139,6 +1140,8 @@ QemuKernelFetchNamedBlobs (
+       FreePool (DirEntry);
+       return Status;
+     }
++
++    mKernelNamedBlobCount++;
+   }
+ 
+   FreePool (DirEntry);
+@@ -1218,8 +1221,8 @@ QemuKernelLoaderFsDxeEntrypoint (
+   }
+ 
+   Blob = FindKernelBlob (L"kernel");
+-  if (Blob == NULL) {
+-    DEBUG ((DEBUG_INFO, "%a: no kernel present -> quit\n", __func__));
++  if ((Blob == NULL) && (mKernelNamedBlobCount == 0)) {
++    DEBUG ((DEBUG_INFO, "%a: no kernel and no named blobs present -> quit\n", __func__));
+     Status = EFI_NOT_FOUND;
+     goto FreeBlobs;
+   }
+-- 
+2.49.0
+

meta/recipes-core/ovmf/ovmf/CVE-2025-2296-7.patch

@@ -0,0 +1,124 @@
+From 3da39f2cb681eb69f4eef54acd4b25d25cd7103d Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 10 Apr 2024 17:25:03 +0200
+Subject: [PATCH 07/10] OvmfPkg/X86QemuLoadImageLib: support booting via shim
+
+Try load shim first.  In case that succeeded update the command line to
+list 'kernel' first so shim will fetch the kernel from the kernel loader
+file system.
+
+This allows to use direct kernel boot with distro kernels and secure
+boot enabled.  Usually distro kernels can only be verified by distro
+shim using the distro keys compiled into the shim binary.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/3da39f2cb681eb69f4eef54acd4b25d25cd7103d]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 56 ++++++++++++++++++-
+ 1 file changed, 54 insertions(+), 2 deletions(-)
+
+diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+index a7ab43ca74..e4dbc2dc7e 100644
+--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
++++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+@@ -57,6 +57,25 @@ STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH  mKernelDevicePath = {
+   }
+ };
+ 
++STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH  mShimDevicePath = {
++  {
++    {
++      MEDIA_DEVICE_PATH, MEDIA_VENDOR_DP,
++      { sizeof (VENDOR_DEVICE_PATH)       }
++    },
++    QEMU_KERNEL_LOADER_FS_MEDIA_GUID
++  },  {
++    {
++      MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP,
++      { sizeof (KERNEL_FILE_DEVPATH)      }
++    },
++    L"shim",
++  },  {
++    END_DEVICE_PATH_TYPE, END_ENTIRE_DEVICE_PATH_SUBTYPE,
++    { sizeof (EFI_DEVICE_PATH_PROTOCOL) }
++  }
++};
++
+ STATIC
+ VOID
+ FreeLegacyImage (
+@@ -339,6 +358,7 @@ QemuLoadKernelImage (
+   UINTN                      CommandLineSize;
+   CHAR8                      *CommandLine;
+   UINTN                      InitrdSize;
++  BOOLEAN                    Shim;
+ 
+   //
+   // Redundant assignment to work around GCC48/GCC49 limitations.
+@@ -351,11 +371,35 @@ QemuLoadKernelImage (
+   Status = gBS->LoadImage (
+                   FALSE,                    // BootPolicy: exact match required
+                   gImageHandle,             // ParentImageHandle
+-                  (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath,
++                  (EFI_DEVICE_PATH_PROTOCOL *)&mShimDevicePath,
+                   NULL,                     // SourceBuffer
+                   0,                        // SourceSize
+                   &KernelImageHandle
+                   );
++  if (Status == EFI_SUCCESS) {
++    Shim = TRUE;
++    DEBUG ((DEBUG_INFO, "%a: booting via shim\n", __func__));
++  } else {
++    Shim = FALSE;
++    if (Status == EFI_SECURITY_VIOLATION) {
++      gBS->UnloadImage (KernelImageHandle);
++    }
++
++    if (Status != EFI_NOT_FOUND) {
++      DEBUG ((DEBUG_INFO, "%a: LoadImage(shim): %r\n", __func__, Status));
++      return Status;
++    }
++
++    Status = gBS->LoadImage (
++                    FALSE,                  // BootPolicy: exact match required
++                    gImageHandle,           // ParentImageHandle
++                    (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath,
++                    NULL,                   // SourceBuffer
++                    0,                      // SourceSize
++                    &KernelImageHandle
++                    );
++  }
++
+   switch (Status) {
+     case EFI_SUCCESS:
+       break;
+@@ -465,6 +509,13 @@ QemuLoadKernelImage (
+     KernelLoadedImage->LoadOptionsSize += sizeof (L" initrd=initrd") - 2;
+   }
+ 
++  if (Shim) {
++    //
++    // Prefix 'kernel ' in UTF-16.
++    //
++    KernelLoadedImage->LoadOptionsSize += sizeof (L"kernel ") - 2;
++  }
++
+   if (KernelLoadedImage->LoadOptionsSize == 0) {
+     KernelLoadedImage->LoadOptions = NULL;
+   } else {
+@@ -485,7 +536,8 @@ QemuLoadKernelImage (
+     UnicodeSPrintAsciiFormat (
+       KernelLoadedImage->LoadOptions,
+       KernelLoadedImage->LoadOptionsSize,
+-      "%a%a",
++      "%a%a%a",
++      (Shim == FALSE)        ?  "" : "kernel ",
+       (CommandLineSize == 0) ?  "" : CommandLine,
+       (InitrdSize == 0)      ?  "" : " initrd=initrd"
+       );
+-- 
+2.49.0
+

meta/recipes-core/ovmf/ovmf/CVE-2025-2296-8.patch

@@ -0,0 +1,125 @@
+From 4b507b49664514d7f09e6b7a9ca2da25a5e440fd Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 11 Apr 2024 08:15:22 +0200
+Subject: [PATCH 08/10] OvmfPkg/GenericQemuLoadImageLib: support booting via
+ shim
+
+Try load shim first.  In case that succeeded update the command line to
+list 'kernel' first so shim will fetch the kernel from the kernel loader
+file system.
+
+This allows to use direct kernel boot with distro kernels and secure
+boot enabled.  Usually distro kernels can only be verified by distro
+shim using the distro keys compiled into the shim binary.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/4b507b49664514d7f09e6b7a9ca2da25a5e440fd]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../GenericQemuLoadImageLib.c                 | 56 ++++++++++++++++++-
+ 1 file changed, 54 insertions(+), 2 deletions(-)
+
+diff --git a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
+index b99fb350aa..9d0ba77755 100644
+--- a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
++++ b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
+@@ -57,6 +57,25 @@ STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH  mKernelDevicePath = {
+   }
+ };
+ 
++STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH  mShimDevicePath = {
++  {
++    {
++      MEDIA_DEVICE_PATH, MEDIA_VENDOR_DP,
++      { sizeof (VENDOR_DEVICE_PATH)       }
++    },
++    QEMU_KERNEL_LOADER_FS_MEDIA_GUID
++  },  {
++    {
++      MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP,
++      { sizeof (KERNEL_FILE_DEVPATH)      }
++    },
++    L"shim",
++  },  {
++    END_DEVICE_PATH_TYPE, END_ENTIRE_DEVICE_PATH_SUBTYPE,
++    { sizeof (EFI_DEVICE_PATH_PROTOCOL) }
++  }
++};
++
+ STATIC CONST SINGLE_VENMEDIA_NODE_DEVPATH  mQemuKernelLoaderFsDevicePath = {
+   {
+     {
+@@ -174,6 +193,7 @@ QemuLoadKernelImage (
+   UINTN                            CommandLineSize;
+   CHAR8                            *CommandLine;
+   UINTN                            InitrdSize;
++  BOOLEAN                          Shim;
+ 
+   //
+   // Load the image. This should call back into the QEMU EFI loader file system.
+@@ -181,11 +201,35 @@ QemuLoadKernelImage (
+   Status = gBS->LoadImage (
+                   FALSE,                    // BootPolicy: exact match required
+                   gImageHandle,             // ParentImageHandle
+-                  (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath,
++                  (EFI_DEVICE_PATH_PROTOCOL *)&mShimDevicePath,
+                   NULL,                     // SourceBuffer
+                   0,                        // SourceSize
+                   &KernelImageHandle
+                   );
++  if (Status == EFI_SUCCESS) {
++    Shim = TRUE;
++    DEBUG ((DEBUG_INFO, "%a: booting via shim\n", __func__));
++  } else {
++    Shim = FALSE;
++    if (Status == EFI_SECURITY_VIOLATION) {
++      gBS->UnloadImage (KernelImageHandle);
++    }
++
++    if (Status != EFI_NOT_FOUND) {
++      DEBUG ((DEBUG_INFO, "%a: LoadImage(shim): %r\n", __func__, Status));
++      return Status;
++    }
++
++    Status = gBS->LoadImage (
++                    FALSE,        // BootPolicy: exact match required
++                    gImageHandle, // ParentImageHandle
++                    (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath,
++                    NULL,       // SourceBuffer
++                    0,          // SourceSize
++                    &KernelImageHandle
++                    );
++  }
++
+   switch (Status) {
+     case EFI_SUCCESS:
+       break;
+@@ -303,6 +347,13 @@ QemuLoadKernelImage (
+     KernelLoadedImage->LoadOptionsSize += sizeof (L" initrd=initrd") - 2;
+   }
+ 
++  if (Shim) {
++    //
++    // Prefix 'kernel ' in UTF-16.
++    //
++    KernelLoadedImage->LoadOptionsSize += sizeof (L"kernel ") - 2;
++  }
++
+   if (KernelLoadedImage->LoadOptionsSize == 0) {
+     KernelLoadedImage->LoadOptions = NULL;
+   } else {
+@@ -323,7 +374,8 @@ QemuLoadKernelImage (
+     UnicodeSPrintAsciiFormat (
+       KernelLoadedImage->LoadOptions,
+       KernelLoadedImage->LoadOptionsSize,
+-      "%a%a",
++      "%a%a%a",
++      (Shim == FALSE)        ?  "" : "kernel ",
+       (CommandLineSize == 0) ?  "" : CommandLine,
+       (InitrdSize == 0)      ?  "" : " initrd=initrd"
+       );
+-- 
+2.49.0
+

meta/recipes-core/ovmf/ovmf/CVE-2025-2296-9.patch

@@ -0,0 +1,108 @@
+From 1549bf11cc94b135b6ad8fa5ebc34bdf7c18ba9c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 17 Dec 2024 09:59:21 +0100
+Subject: [PATCH 09/10] OvmfPkg/X86QemuLoadImageLib: make legacy loader
+ configurable.
+
+Add the 'opt/org.tianocore/EnableLegacyLoader' FwCfg option to
+enable/disable the insecure legacy linux kernel loader.
+
+For now this is enabled by default.  Probably the default will be
+flipped to disabled at some point in the future.
+
+Also print a warning to the screen in case the linux kernel secure
+boot verification has failed.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1549bf11cc94b135b6ad8fa5ebc34bdf7c18ba9c]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 48 ++++++++++++++++---
+ .../X86QemuLoadImageLib.inf                   |  1 +
+ 2 files changed, 42 insertions(+), 7 deletions(-)
+
+diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+index e4dbc2dc7e..2d610f6bd3 100644
+--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
++++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+@@ -19,8 +19,10 @@
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/PrintLib.h>
+ #include <Library/QemuFwCfgLib.h>
++#include <Library/QemuFwCfgSimpleParserLib.h>
+ #include <Library/QemuLoadImageLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
++#include <Library/UefiLib.h>
+ #include <Protocol/DevicePath.h>
+ #include <Protocol/LoadedImage.h>
+ #include <Protocol/OvmfLoadedX86LinuxKernel.h>
+@@ -421,13 +423,45 @@ QemuLoadKernelImage (
+     // Fall through
+     //
+     case EFI_ACCESS_DENIED:
+-    //
+-    // We are running with UEFI secure boot enabled, and the image failed to
+-    // authenticate. For compatibility reasons, we fall back to the legacy
+-    // loader in this case.
+-    //
+-    // Fall through
+-    //
++      //
++      // We are running with UEFI secure boot enabled, and the image failed to
++      // authenticate. For compatibility reasons, we fall back to the legacy
++      // loader in this case (unless disabled via fw_cfg).
++      //
++    {
++      EFI_STATUS  RetStatus;
++      BOOLEAN     Enabled = TRUE;
++
++      AsciiPrint (
++        "OVMF: Secure boot image verification failed.  Consider using the '-shim'\n"
++        "OVMF: command line switch for qemu (available in version 10.0 + newer).\n"
++        "\n"
++        );
++
++      RetStatus = QemuFwCfgParseBool (
++                    "opt/org.tianocore/EnableLegacyLoader",
++                    &Enabled
++                    );
++      if (EFI_ERROR (RetStatus)) {
++        Enabled = TRUE;
++      }
++
++      if (!Enabled) {
++        AsciiPrint (
++          "OVMF: Fallback to insecure legacy linux kernel loader is disabled.\n"
++          "\n"
++          );
++        return EFI_ACCESS_DENIED;
++      } else {
++        AsciiPrint (
++          "OVMF: Using legacy linux kernel loader (insecure and deprecated).\n"
++          "\n"
++          );
++        //
++        // Fall through
++        //
++      }
++    }
+     case EFI_UNSUPPORTED:
+       //
+       // The image is not natively supported or cross-type supported. Let's try
+diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+index c7ec041cb7..09babd3be8 100644
+--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
++++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+@@ -33,6 +33,7 @@
+   LoadLinuxLib
+   PrintLib
+   QemuFwCfgLib
++  QemuFwCfgSimpleParserLib
+   ReportStatusCodeLib
+   UefiBootServicesTableLib
+ 
+-- 
+2.49.0
+

meta/recipes-core/ovmf/ovmf_git.bb

@@ -26,6 +26,20 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://0004-reproducible.patch \
            file://0001-MdePkg-Fix-overflow-issue-in-BasePeCoffLib.patch \
            file://0001-MdeModulePkg-Potential-UINT32-overflow-in-S3-ResumeC.patch \
+           file://0006-BaseTools-StringFuncs-fix-gcc-16-warning.patch \
+           file://0007-BaseTools-EfiRom-fix-compiler-warning.patch \
+           file://0008-BaseTools-Pccts-set-C-standard.patch \
+           file://0001-AmdSev-Halt-on-failed-blob-allocation.patch \
+           file://CVE-2025-2296-1.patch \
+           file://CVE-2025-2296-2.patch \
+           file://CVE-2025-2296-3.patch \
+           file://CVE-2025-2296-4.patch \
+           file://CVE-2025-2296-5.patch \
+           file://CVE-2025-2296-6.patch \
+           file://CVE-2025-2296-7.patch \
+           file://CVE-2025-2296-8.patch \
+           file://CVE-2025-2296-9.patch \
+           file://CVE-2024-38798.patch \
            "
 
 PV = "edk2-stable202402"

meta/recipes-core/systemd/systemd/CVE-2026-40225-01.patch

@@ -0,0 +1,131 @@
+From 03bb697b8df0339c37f4b845025320b261aeb7cc Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Fri, 6 Mar 2026 19:32:35 +0000
+Subject: [PATCH] udev: check for invalid chars in various fields received from
+ the kernel
+
+(cherry picked from commit 16325b35fa6ecb25f66534a562583ce3b96d52f3)
+(cherry picked from commit 3513862eabe9ec4a6a095d7266e98f998f289ed2)
+(cherry picked from commit c20d21e0da293e715db468f9f4a15a5c8fbf8273)
+
+CVE: CVE-2026-40225
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/03bb697b8df0339c37f4b845025320b261aeb7cc]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/udev/dmi_memory_id/dmi_memory_id.c | 3 ++-
+ src/udev/scsi_id/scsi_id.c             | 5 +++--
+ src/udev/udev-builtin-net_id.c         | 9 +++++++++
+ src/udev/v4l_id/v4l_id.c               | 5 ++++-
+ 4 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c
+index 52ea250af8..4f2c21b80b 100644
+--- a/src/udev/dmi_memory_id/dmi_memory_id.c
++++ b/src/udev/dmi_memory_id/dmi_memory_id.c
+@@ -51,6 +51,7 @@
+ #include "string-util.h"
+ #include "udev-util.h"
+ #include "unaligned.h"
++#include "utf8.h"
+ 
+ #define SUPPORTED_SMBIOS_VER 0x030300
+ 
+@@ -185,7 +186,7 @@ static void dmi_memory_device_string(
+ 
+         str = strdupa_safe(dmi_string(h, s));
+         str = strstrip(str);
+-        if (!isempty(str))
++        if (!isempty(str) && utf8_is_valid(str) && !string_has_cc(str, /* ok= */ NULL))
+                 printf("MEMORY_DEVICE_%u_%s=%s\n", slot_num, attr_suffix, str);
+ }
+ 
+diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
+index 6308c52b7e..7e18bc755a 100644
+--- a/src/udev/scsi_id/scsi_id.c
++++ b/src/udev/scsi_id/scsi_id.c
+@@ -27,6 +27,7 @@
+ #include "strv.h"
+ #include "strxcpyx.h"
+ #include "udev-util.h"
++#include "utf8.h"
+ 
+ static const struct option options[] = {
+         { "device",             required_argument, NULL, 'd' },
+@@ -443,8 +444,8 @@ static int scsi_id(char *maj_min_dev) {
+                 }
+                 if (dev_scsi.tgpt_group[0] != '\0')
+                         printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
+-                if (dev_scsi.unit_serial_number[0] != '\0')
+-                        printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
++                if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
++                        printf("ID_SCSI_SERIAL=%s\n", serial_str);
+                 goto out;
+         }
+ 
+diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
+index 91b40088f4..715184e282 100644
+--- a/src/udev/udev-builtin-net_id.c
++++ b/src/udev/udev-builtin-net_id.c
+@@ -39,6 +39,7 @@
+ #include "strv.h"
+ #include "strxcpyx.h"
+ #include "udev-builtin.h"
++#include "utf8.h"
+ 
+ #define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1)
+ #define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1)
+@@ -247,6 +248,9 @@ static int get_port_specifier(sd_device *dev, bool fallback_to_dev_id, char **re
+                         }
+                 }
+ 
++                if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
++                        return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
++
+                 /* Otherwise, use phys_port_name as is. */
+                 buf = strjoin("n", phys_port_name);
+                 if (!buf)
+@@ -351,6 +355,9 @@ static int names_pci_onboard_label(sd_device *dev, sd_device *pci_dev, const cha
+         if (r < 0)
+                 return log_device_debug_errno(pci_dev, r, "Failed to get PCI onboard label: %m");
+ 
++        if (!utf8_is_valid(label) || string_has_cc(label, /* ok= */ NULL))
++                return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid label");
++
+         char str[ALTIFNAMSIZ];
+         if (snprintf_ok(str, sizeof str, "%s%s",
+                         naming_scheme_has(NAMING_LABEL_NOPREFIX) ? "" : prefix,
+@@ -1209,6 +1216,8 @@ static int names_netdevsim(sd_device *dev, const char *prefix, bool test) {
+         if (isempty(phys_port_name))
+                 return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EOPNOTSUPP),
+                                               "The 'phys_port_name' attribute is empty.");
++        if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
++                return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
+ 
+         char str[ALTIFNAMSIZ];
+         if (snprintf_ok(str, sizeof str, "%si%un%s", prefix, addr, phys_port_name))
+diff --git a/src/udev/v4l_id/v4l_id.c b/src/udev/v4l_id/v4l_id.c
+index 30527e9556..2ec96d8d3a 100644
+--- a/src/udev/v4l_id/v4l_id.c
++++ b/src/udev/v4l_id/v4l_id.c
+@@ -29,6 +29,8 @@
+ #include "build.h"
+ #include "fd-util.h"
+ #include "main-func.h"
++#include "string-util.h"
++#include "utf8.h"
+ 
+ static const char *arg_device = NULL;
+ 
+@@ -82,7 +84,8 @@ static int run(int argc, char *argv[]) {
+                 int capabilities;
+ 
+                 printf("ID_V4L_VERSION=2\n");
+-                printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
++                if (utf8_is_valid((char *)v2cap.card) && !string_has_cc((char *)v2cap.card, /* ok= */ NULL))
++                        printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
+                 printf("ID_V4L_CAPABILITIES=:");
+ 
+                 if (v2cap.capabilities & V4L2_CAP_DEVICE_CAPS)
+-- 
+2.50.1
+

meta/recipes-core/systemd/systemd/CVE-2026-40225-02.patch

@@ -0,0 +1,39 @@
+From 5887e72ff87d3a66a4c3fa91897fbec1545f4d3d Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Fri, 13 Mar 2026 11:10:47 +0000
+Subject: [PATCH] udev: fix review mixup
+
+The previous version in the PR changed variable and sanitized it
+in place. The second version switched to skip if CCs are in the
+string instead, but didn't move back to the original variable.
+Because it's an existing variable, no CI caught it.
+
+Follow-up for 16325b35fa6ecb25f66534a562583ce3b96d52f3
+
+(cherry picked from commit 54f880b02ecf7362e630ffc885d1466df6ee6820)
+(cherry picked from commit 4425d8523e79f3cc00b3b93a0b5e7c6cdc284a97)
+(cherry picked from commit 75c585beae60e73208941e6b3f64cf249223f53d)
+
+CVE: CVE-2026-40225
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/5887e72ff87d3a66a4c3fa91897fbec1545f4d3d]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/udev/scsi_id/scsi_id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
+index 7e18bc755a..b2df8d9f7f 100644
+--- a/src/udev/scsi_id/scsi_id.c
++++ b/src/udev/scsi_id/scsi_id.c
+@@ -445,7 +445,7 @@ static int scsi_id(char *maj_min_dev) {
+                 if (dev_scsi.tgpt_group[0] != '\0')
+                         printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
+                 if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
+-                        printf("ID_SCSI_SERIAL=%s\n", serial_str);
++                        printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
+                 goto out;
+         }
+ 
+-- 
+2.50.1
+

meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch

@@ -0,0 +1,63 @@
+From 773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Wed, 11 Mar 2026 12:15:26 +0000
+Subject: [PATCH] nspawn: apply BindUser/Ephemeral from settings file only if
+ trusted
+
+Originally reported on yeswehack.com as:
+YWH-PGM9780-116
+
+Follow-up for 2f8930449079403b26c9164b8eeac78d5af2c8df
+Follow-up for a2f577fca0be79b23f61f033229b64884e7d840a
+
+(cherry picked from commit 61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40)
+(cherry picked from commit 718711ed876c870a72149eea279b819cdab14e91)
+(cherry picked from commit e4db9c12957d315c0ed22c6ca87a816d0927d6dc)
+
+
+CVE: CVE-2026-40226
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/nspawn/nspawn.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 005a3d2be1..0ac0c94f06 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -4275,8 +4275,13 @@ static int merge_settings(Settings *settings, const char *path) {
+         }
+ 
+         if ((arg_settings_mask & SETTING_EPHEMERAL) == 0 &&
+-            settings->ephemeral >= 0)
+-                arg_ephemeral = settings->ephemeral;
++            settings->ephemeral >= 0) {
++
++                if (!arg_settings_trusted)
++                        log_warning("Ignoring ephemeral setting, file %s is not trusted.", path);
++                else
++                        arg_ephemeral = settings->ephemeral;
++        }
+ 
+         if ((arg_settings_mask & SETTING_DIRECTORY) == 0 &&
+             settings->root) {
+@@ -4444,8 +4449,13 @@ static int merge_settings(Settings *settings, const char *path) {
+         }
+ 
+         if ((arg_settings_mask & SETTING_BIND_USER) == 0 &&
+-            !strv_isempty(settings->bind_user))
+-                strv_free_and_replace(arg_bind_user, settings->bind_user);
++            !strv_isempty(settings->bind_user)) {
++
++                if (!arg_settings_trusted)
++                        log_warning("Ignoring bind user setting, file %s is not trusted.", path);
++                else
++                        strv_free_and_replace(arg_bind_user, settings->bind_user);
++        }
+ 
+         if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0 &&
+             settings->notify_ready >= 0)
+-- 
+2.50.1
+

meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch

@@ -0,0 +1,39 @@
+From bfa0a842822c4f79da9d47f8a773fd128d8f8a0a Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Wed, 11 Mar 2026 13:27:14 +0000
+Subject: [PATCH] nspawn: normalize pivot_root paths
+
+Originally reported on yeswehack.com as:
+YWH-PGM9780-116
+
+Follow-up for b53ede699cdc5233041a22591f18863fb3fe2672
+
+(cherry picked from commit 7b85f5498a958e5bb660c703b8f4a71cceed3373)
+(cherry picked from commit 6566dc1451089e07090f5a114ae2eb43ed39188d)
+(cherry picked from commit 1c55a0a5e26a07df828f72092ad1203e221b60db)
+
+CVE: CVE-2026-40226
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/bfa0a842822c4f79da9d47f8a773fd128d8f8a0a]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/nspawn/nspawn-mount.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
+index 470f477f22..09c442a63a 100644
+--- a/src/nspawn/nspawn-mount.c
++++ b/src/nspawn/nspawn-mount.c
+@@ -1255,7 +1255,9 @@ int pivot_root_parse(char **pivot_root_new, char **pivot_root_old, const char *s
+ 
+         if (!path_is_absolute(root_new))
+                 return -EINVAL;
+-        if (root_old && !path_is_absolute(root_old))
++        if (!path_is_normalized(root_new))
++                return -EINVAL;
++        if (root_old && (!path_is_absolute(root_old) || !path_is_normalized(root_old)))
+                 return -EINVAL;
+ 
+         free_and_replace(*pivot_root_new, root_new);
+-- 
+2.50.1
+

meta/recipes-core/systemd/systemd_255.21.bb

@@ -29,6 +29,10 @@ SRC_URI += " \
            file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
            file://0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch \
            file://0008-implment-systemd-sysv-install-for-OE.patch \
+           file://CVE-2026-40225-01.patch \
+           file://CVE-2026-40225-02.patch \
+           file://CVE-2026-40226-01.patch \
+           file://CVE-2026-40226-02.patch \
            "
 
 # patches needed by musl

meta/recipes-devtools/apt/apt/0001-strutl-Add-missing-include-cstdint-gcc-15.patch

@@ -0,0 +1,26 @@
+From 9da1b0dbdcc90455bc9de49f73a96e7d18f83493 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Tue, 18 Feb 2025 10:29:40 +0100
+Subject: [PATCH] strutl: Add missing #include <cstdint> [gcc 15]
+
+Closes: #1096322
+
+Upstream-Status: Backport [https://salsa.debian.org/apt-team/apt/-/commit/f82dcd7e4ebb3f70d28e9feb3621676f8c0cc024]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ apt-pkg/contrib/strutl.cc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/apt-pkg/contrib/strutl.cc b/apt-pkg/contrib/strutl.cc
+index 67100f1..c0a1cbc 100644
+--- a/apt-pkg/contrib/strutl.cc
++++ b/apt-pkg/contrib/strutl.cc
+@@ -26,6 +26,7 @@
+ 
+ #include <algorithm>
+ #include <array>
++#include <cstdint>
+ #include <iomanip>
+ #include <limits>
+ #include <locale>

meta/recipes-devtools/apt/apt_2.6.1.bb

@@ -14,6 +14,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/a/apt/${BPN}_${PV}.tar.xz \
            file://0001-Hide-fstatat64-and-prlimit64-defines-on-musl.patch \
            file://0001-aptwebserver.cc-Include-array.patch \
            file://0001-Remove-using-std-binary_function.patch \
+           file://0001-strutl-Add-missing-include-cstdint-gcc-15.patch \
            "
 
 SRC_URI:append:class-native = " \
@@ -140,3 +141,6 @@ do_install:append() {
 	# Avoid non-reproducible -src package
 	sed -i -e "s,${B}/include/,,g" ${B}/apt-pkg/tagfile-keys.cc
 }
+
+# Add CVE_PRODUCT to match the NVD CPE product name
+CVE_PRODUCT = "debian:apt debian:advanced_package_tool"