Fix dead links that use the DISTRO macro

After introducing the DISTRO_LATEST_TAG and DISTRO_REL_LATEST_TAG macros, use them in links that currently use DISTRO/DISTRO_REL_TAG. When building for the tip of a branch, this will replace the current A.B.999 in links to the latest existing tag. The links were found across the documentation by running 'grep -r "http.*5\.2\.999"' inside the _build/html output after building the docs. [YOCTO #14802] (From yocto-docs rev: f264569312ffa8a4ad1f9e2022b4eaa14aeb3099) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 29be069ebbf2c55d72fc51d99ed5a558af37c05e) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
poky.yaml: introduce DISTRO_LATEST_TAG
2026-02-02 23:08:43 +01:00 · 2025-05-25 12:37:57 +01:00 · 2025-05-25 12:37:57 +01:00 · 2025-05-25 12:37:57 +01:00 · 2025-05-25 12:37:57 +01:00 · 2025-05-25 12:37:57 +01:00
141 changed files with 10356 additions and 569 deletions
--- a/bitbake/lib/bb/command.py
+++ b/bitbake/lib/bb/command.py
@@ -420,15 +420,30 @@ class CommandsSync:
        return command.cooker.recipecaches[mc].pkg_dp
    getDefaultPreference.readonly = True

+
    def getSkippedRecipes(self, command, params):
+        """
+        Get the map of skipped recipes for the specified multiconfig/mc name (`params[0]`).
+
+        Invoked by `bb.tinfoil.Tinfoil.get_skipped_recipes`
+
+        :param command: Internally used parameter.
+        :param params: Parameter array. params[0] is multiconfig/mc name. If not given, then default mc '' is assumed.
+        :return: Dict whose keys are virtualfns and values are `bb.cooker.SkippedPackage`
+        """
+        try:
+            mc = params[0]
+        except IndexError:
+            mc = ''
+
        # Return list sorted by reverse priority order
        import bb.cache
        def sortkey(x):
            vfn, _ = x
-            realfn, _, mc = bb.cache.virtualfn2realfn(vfn)
-            return (-command.cooker.collections[mc].calc_bbfile_priority(realfn)[0], vfn)
+            realfn, _, item_mc = bb.cache.virtualfn2realfn(vfn)
+            return -command.cooker.collections[item_mc].calc_bbfile_priority(realfn)[0], vfn

-        skipdict = OrderedDict(sorted(command.cooker.skiplist.items(), key=sortkey))
+        skipdict = OrderedDict(sorted(command.cooker.skiplist_by_mc[mc].items(), key=sortkey))
        return list(skipdict.items())
    getSkippedRecipes.readonly = True

--- a/bitbake/lib/bb/cooker.py
+++ b/bitbake/lib/bb/cooker.py
@@ -134,7 +134,8 @@ class BBCooker:
        self.baseconfig_valid = False
        self.parsecache_valid = False
        self.eventlog = None
-        self.skiplist = {}
+        # The skiplists, one per multiconfig
+        self.skiplist_by_mc = defaultdict(dict)
        self.featureset = CookerFeatures()
        if featureSet:
            for f in featureSet:
@@ -616,8 +617,8 @@ class BBCooker:
        localdata = {}

        for mc in self.multiconfigs:
-            taskdata[mc] = bb.taskdata.TaskData(halt, skiplist=self.skiplist, allowincomplete=allowincomplete)
-            localdata[mc] = data.createCopy(self.databuilder.mcdata[mc])
+            taskdata[mc] = bb.taskdata.TaskData(halt, skiplist=self.skiplist_by_mc[mc], allowincomplete=allowincomplete)
+            localdata[mc] = bb.data.createCopy(self.databuilder.mcdata[mc])
            bb.data.expandKeys(localdata[mc])

        current = 0
@@ -937,7 +938,7 @@ class BBCooker:
        for mc in self.multiconfigs:
            # First get list of recipes, including skipped
            recipefns = list(self.recipecaches[mc].pkg_fn.keys())
-            recipefns.extend(self.skiplist.keys())
+            recipefns.extend(self.skiplist_by_mc[mc].keys())

            # Work out list of bbappends that have been applied
            applied_appends = []
@@ -2362,7 +2363,7 @@ class CookerParser(object):
        for virtualfn, info_array in result:
            if info_array[0].skipped:
                self.skipped += 1
-                self.cooker.skiplist[virtualfn] = SkippedPackage(info_array[0])
+                self.cooker.skiplist_by_mc[mc][virtualfn] = SkippedPackage(info_array[0])
            self.bb_caches[mc].add_info(virtualfn, info_array, self.cooker.recipecaches[mc],
                                        parsed=parsed, watcher = self.cooker.add_filewatch)
        return True
--- a/bitbake/lib/bb/event.py
+++ b/bitbake/lib/bb/event.py
@@ -194,7 +194,12 @@ def fire_ui_handlers(event, d):
        ui_queue.append(event)
        return

-    with bb.utils.lock_timeout(_thread_lock):
+    with bb.utils.lock_timeout_nocheck(_thread_lock) as lock:
+        if not lock:
+            # If we can't get the lock, we may be recursively called, queue and return
+            ui_queue.append(event)
+            return
+
        errors = []
        for h in _ui_handlers:
            #print "Sending event %s" % event
@@ -213,6 +218,9 @@ def fire_ui_handlers(event, d):
        for h in errors:
            del _ui_handlers[h]

+    while ui_queue:
+        fire_ui_handlers(ui_queue.pop(), d)
+
 def fire(event, d):
    """Fire off an Event"""

--- a/bitbake/lib/bb/tests/fetch.py
+++ b/bitbake/lib/bb/tests/fetch.py
@@ -1739,6 +1739,8 @@ class GitShallowTest(FetcherTest):
        if cwd is None:
            cwd = self.gitdir
        actual_refs = self.git(['for-each-ref', '--format=%(refname)'], cwd=cwd).splitlines()
+        # Resolve references into the same format as the comparision (needed by git 2.48 onwards)
+        actual_refs = self.git(['rev-parse', '--symbolic-full-name'] + actual_refs, cwd=cwd).splitlines()
        full_expected = self.git(['rev-parse', '--symbolic-full-name'] + expected_refs, cwd=cwd).splitlines()
        self.assertEqual(sorted(set(full_expected)), sorted(set(actual_refs)))

--- a/bitbake/lib/bb/tinfoil.py
+++ b/bitbake/lib/bb/tinfoil.py
@@ -188,11 +188,19 @@ class TinfoilCookerAdapter:
            self._cache[name] = attrvalue
            return attrvalue

+    class TinfoilSkiplistByMcAdapter:
+        def __init__(self, tinfoil):
+            self.tinfoil = tinfoil
+
+        def __getitem__(self, mc):
+            return self.tinfoil.get_skipped_recipes(mc)
+
    def __init__(self, tinfoil):
        self.tinfoil = tinfoil
        self.multiconfigs = [''] + (tinfoil.config_data.getVar('BBMULTICONFIG') or '').split()
        self.collections = {}
        self.recipecaches = {}
+        self.skiplist_by_mc = self.TinfoilSkiplistByMcAdapter(tinfoil)
        for mc in self.multiconfigs:
            self.collections[mc] = self.TinfoilCookerCollectionAdapter(tinfoil, mc)
            self.recipecaches[mc] = self.TinfoilRecipeCacheAdapter(tinfoil, mc)
@@ -201,8 +209,6 @@ class TinfoilCookerAdapter:
        # Grab these only when they are requested since they aren't always used
        if name in self._cache:
            return self._cache[name]
-        elif name == 'skiplist':
-            attrvalue = self.tinfoil.get_skipped_recipes()
        elif name == 'bbfile_config_priorities':
            ret = self.tinfoil.run_command('getLayerPriorities')
            bbfile_config_priorities = []
@@ -514,12 +520,12 @@ class Tinfoil:
        """
        return defaultdict(list, self.run_command('getOverlayedRecipes', mc))

-    def get_skipped_recipes(self):
+    def get_skipped_recipes(self, mc=''):
        """
        Find recipes which were skipped (i.e. SkipRecipe was raised
        during parsing).
        """
-        return OrderedDict(self.run_command('getSkippedRecipes'))
+        return OrderedDict(self.run_command('getSkippedRecipes', mc))

    def get_all_providers(self, mc=''):
        return defaultdict(list, self.run_command('allProviders', mc))
@@ -533,6 +539,7 @@ class Tinfoil:
    def get_runtime_providers(self, rdep):
        return self.run_command('getRuntimeProviders', rdep)

+    # TODO: teach this method about mc
    def get_recipe_file(self, pn):
        """
        Get the file name for the specified recipe/target. Raises
@@ -541,6 +548,7 @@ class Tinfoil:
        """
        best = self.find_best_provider(pn)
        if not best or (len(best) > 3 and not best[3]):
+            # TODO: pass down mc
            skiplist = self.get_skipped_recipes()
            taskdata = bb.taskdata.TaskData(None, skiplist=skiplist)
            skipreasons = taskdata.get_reasons(pn)
--- a/bitbake/lib/bb/utils.py
+++ b/bitbake/lib/bb/utils.py
@@ -1857,12 +1857,30 @@ def path_is_descendant(descendant, ancestor):
 # If we don't have a timeout of some kind and a process/thread exits badly (for example
 # OOM killed) and held a lock, we'd just hang in the lock futex forever. It is better
 # we exit at some point than hang. 5 minutes with no progress means we're probably deadlocked.
+# This function can still deadlock python since it can't signal the other threads to exit
+# (signals are handled in the main thread) and even os._exit() will wait on non-daemon threads
+# to exit.
@contextmanager
 def lock_timeout(lock):
-    held = lock.acquire(timeout=5*60)
    try:
+        s = signal.pthread_sigmask(signal.SIG_BLOCK, signal.valid_signals())
+        held = lock.acquire(timeout=5*60)
        if not held:
+            bb.server.process.serverlog("Couldn't get the lock for 5 mins, timed out, exiting.\n%s" % traceback.format_stack())
            os._exit(1)
        yield held
    finally:
        lock.release()
+        signal.pthread_sigmask(signal.SIG_SETMASK, s)
+
+# A version of lock_timeout without the check that the lock was locked and a shorter timeout
+@contextmanager
+def lock_timeout_nocheck(lock):
+    try:
+        s = signal.pthread_sigmask(signal.SIG_BLOCK, signal.valid_signals())
+        l = lock.acquire(timeout=10)
+        yield l
+    finally:
+        if l:
+            lock.release()
+        signal.pthread_sigmask(signal.SIG_SETMASK, s)
--- a/bitbake/lib/bblayers/query.py
+++ b/bitbake/lib/bblayers/query.py
@@ -142,10 +142,11 @@ skipped recipes will also be listed, with a " (skipped)" suffix.
        # Ensure we list skipped recipes
        # We are largely guessing about PN, PV and the preferred version here,
        # but we have no choice since skipped recipes are not fully parsed
-        skiplist = list(self.tinfoil.cooker.skiplist.keys())
-        mcspec = 'mc:%s:' % mc
+        skiplist = list(self.tinfoil.cooker.skiplist_by_mc[mc].keys())
+
        if mc:
-            skiplist = [s[len(mcspec):] for s in skiplist if s.startswith(mcspec)]
+            mcspec = f'mc:{mc}:'
+            skiplist = [s[len(mcspec):] if s.startswith(mcspec) else s for s in skiplist]

        for fn in skiplist:
            recipe_parts = os.path.splitext(os.path.basename(fn))[0].split('_')
@@ -162,7 +163,7 @@ skipped recipes will also be listed, with a " (skipped)" suffix.
        def print_item(f, pn, ver, layer, ispref):
            if not selected_layer or layer == selected_layer:
                if not bare and f in skiplist:
-                    skipped = ' (skipped: %s)' % self.tinfoil.cooker.skiplist[f].skipreason
+                    skipped = ' (skipped: %s)' % self.tinfoil.cooker.skiplist_by_mc[mc][f].skipreason
                else:
                    skipped = ''
                if show_filenames:
@@ -301,7 +302,7 @@ Lists recipes with the bbappends that apply to them as subitems.
            if self.show_appends_for_pn(pn, cooker_data, args.mc):
                appends = True

-        if not args.pnspec and self.show_appends_for_skipped():
+        if not args.pnspec and self.show_appends_for_skipped(args.mc):
            appends = True

        if not appends:
@@ -317,9 +318,9 @@ Lists recipes with the bbappends that apply to them as subitems.

        return self.show_appends_output(filenames, best_filename)

-    def show_appends_for_skipped(self):
+    def show_appends_for_skipped(self, mc):
        filenames = [os.path.basename(f)
-                    for f in self.tinfoil.cooker.skiplist.keys()]
+                    for f in self.tinfoil.cooker.skiplist_by_mc[mc].keys()]
        return self.show_appends_output(filenames, None, " (skipped)")

    def show_appends_output(self, filenames, best_filename, name_suffix = ''):
--- a/documentation/brief-yoctoprojectqs/index.rst
+++ b/documentation/brief-yoctoprojectqs/index.rst
@@ -44,7 +44,7 @@ following requirements:
   much more will help to run multiple builds and increase
   performance by reusing build artifacts.

-  At least &MIN_RAM; Gbytes of RAM, though a modern modern build host with as
+-  At least &MIN_RAM; Gbytes of RAM, though a modern build host with as
   much RAM and as many CPU cores as possible is strongly recommended to
   maximize build performance.

--- a/documentation/bsp-guide/bsp.rst
+++ b/documentation/bsp-guide/bsp.rst
@@ -166,7 +166,7 @@ section.
   BSPs, which are maintained in their own layers or in layers designed
   to contain several BSPs. To get an idea of machine support through
   BSP layers, you can look at the
-   :yocto_dl:`index of machines </releases/yocto/yocto-&DISTRO;/machines>`
+   :yocto_dl:`index of machines </releases/yocto/&DISTRO_REL_LATEST_TAG;/machines>`
   for the release.

 #. *Optionally Clone the meta-intel BSP Layer:* If your hardware is
--- a/documentation/conf.py
+++ b/documentation/conf.py
@@ -111,6 +111,9 @@ extlinks = {
    'wikipedia': ('https://en.wikipedia.org/wiki/%s', None),
 }

+# To be able to use :manpage:`<something>` in the docs.
+manpages_url = 'https://manpages.debian.org/{path}'
+
 # Intersphinx config to use cross reference with BitBake user manual
 intersphinx_mapping = {
    'bitbake': ('https://docs.yoctoproject.org/bitbake/' + bitbake_version, None)
@@ -136,6 +139,7 @@ except ImportError:
    sys.exit(1)

 html_logo = 'sphinx-static/YoctoProject_Logo_RGB.jpg'
+html_favicon = 'sphinx-static/favicon.ico'

 # Add any paths that contain custom static files (such as style sheets) here,
 # relative to this directory. They are copied after the builtin static files,
--- a/documentation/contributor-guide/submit-changes.rst
+++ b/documentation/contributor-guide/submit-changes.rst
@@ -832,3 +832,52 @@ Other layers may have similar testing branches but there is no formal
 requirement or standard for these so please check the documentation for the
 layers you are contributing to.

+Acceptance of AI Generated Code
+===============================
+
+The Yocto Project and OpenEmbedded follow the guidance of the Linux Foundation
+in regards to the use of generative AI tools. See:
+https://www.linuxfoundation.org/legal/generative-ai.
+
+All of the existing guidelines in this document are expected to be followed,
+including in the :doc:`recipe-style-guide`, and contributing the changes with
+additional requirements to the items in section
+:ref:`contributor-guide/submit-changes:Implement and commit changes`.
+
+All AI Generated Code must be labeled as such in the commit message,
+prior to your ``Signed-off-by`` line. It is also strongly recommended,
+that any patches or code within the commit also have a comment or other
+indication that this code was AI generated.
+
+For example, here is a properly formatted commit message::
+
+   component: Add the ability to ...
+
+   AI-Generated: Uses GitHub Copilot
+
+   Signed-off-by: Your Name <your.name@domain>
+
+The ``Signed-off-by`` line must be written by you, and not the AI helper.
+As a reminder, when contributing a change, your ``Signed-off-by`` line is
+required and the stipulations in the `Developer's Statement of Origin
+1.1 <https://developercertificate.org/>`__ still apply.
+
+Additionally, you must stipulate AI contributions conform to the Linux
+Foundation policy, specifically:
+
+#. Contributors should ensure that the terms and conditions of the generative AI
+   tool do not place any contractual restrictions on how the tool's output can
+   be used that are inconsistent with the project's open source software
+   license, the project's intellectual property policies, or the Open Source
+   Definition.
+
+#. If any pre-existing copyrighted materials (including pre-existing open
+   source code) authored or owned by third parties are included in the AI tool's
+   output, prior to contributing such output to the project, the Contributor
+   should confirm that they have permission from the third party
+   owners -- such as the form of an open source license or public domain
+   declaration that complies with the project's licensing policies -- to use and
+   modify such pre-existing materials and contribute them to the project.
+   Additionally, the contributor should provide notice and attribution of such
+   third party rights, along with information about the applicable license
+   terms, with their contribution.
--- a/documentation/dev-manual/building.rst
+++ b/documentation/dev-manual/building.rst
@@ -280,7 +280,9 @@ Follow these steps to create an :term:`Initramfs` image:
 #. *Create the Initramfs Image Recipe:* You can reference the
   ``core-image-minimal-initramfs.bb`` recipe found in the
   ``meta/recipes-core`` directory of the :term:`Source Directory`
-   as an example from which to work.
+   as an example from which to work. The ``core-image-minimal-initramfs`` recipe
+   is based on the :ref:`initramfs-framework <dev-manual/building:Customizing an
+   Initramfs using \`\`initramfs-framework\`\`>` recipe described below.

 #. *Decide if You Need to Bundle the Initramfs Image Into the Kernel
   Image:* If you want the :term:`Initramfs` image that is built to be bundled
@@ -308,6 +310,86 @@ Follow these steps to create an :term:`Initramfs` image:
   and bundled with the kernel image if you used the
   :term:`INITRAMFS_IMAGE_BUNDLE` variable described earlier.

+Customizing an Initramfs using ``initramfs-framework``
+------------------------------------------------------
+
+The ``core-image-minimal-initramfs.bb`` recipe found in
+:oe_git:`meta/recipes-core/images
+</openembedded-core/tree/meta/recipes-core/images>` uses the
+:oe_git:`initramfs-framework_1.0.bb
+</openembedded-core/tree/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb>`
+recipe as its base component. The goal of the ``initramfs-framework`` recipe is
+to provide the building blocks to build a customized :term:`Initramfs`.
+
+The ``initramfs-framework`` recipe relies on shell initialization scripts
+defined in :oe_git:`meta/recipes-core/initrdscripts/initramfs-framework
+</openembedded-core/tree/meta/recipes-core/initrdscripts/initramfs-framework>`. Since some of
+these scripts do not apply for all use cases, the ``initramfs-framework`` recipe
+defines different packages:
+
+-  ``initramfs-framework-base``: this package installs the basic components of
+   an :term:`Initramfs`, such as the ``init`` script or the ``/dev/console``
+   character special file. As this package is a runtime dependency of all
+   modules listed below, it is automatically pulled in when one of the modules
+   is installed in the image.
+-  ``initramfs-module-exec``: support for execution of applications.
+-  ``initramfs-module-mdev``: support for `mdev
+   <https://wiki.gentoo.org/wiki/Mdev>`__.
+-  ``initramfs-module-udev``: support for :wikipedia:`Udev <Udev>`.
+-  ``initramfs-module-e2fs``: support for :wikipedia:`ext4/ext3/ext2
+   <Extended_file_system>` filesystems.
+-  ``initramfs-module-nfsrootfs``: support for locating and mounting the root
+   partition via :wikipedia:`NFS <Network_File_System>`.
+-  ``initramfs-module-rootfs``: support for locating and mounting the root
+   partition.
+-  ``initramfs-module-debug``: dynamic debug support.
+-  ``initramfs-module-lvm``: :wikipedia:`LVM <Logical_volume_management>` rootfs support.
+-  ``initramfs-module-overlayroot``: support for mounting a read-write overlay
+   on top of a read-only root filesystem.
+
+In addition to the packages defined by the ``initramfs-framework`` recipe
+itself, the following packages are defined by the recipes present in
+:oe_git:`meta/recipes-core/initrdscripts </openembedded-core/tree/meta/recipes-core/initrdscripts>`:
+
+-  ``initramfs-module-install``: module to create and install a partition layout
+   on a selected block device.
+-  ``initramfs-module-install-efi``: module to create and install an EFI
+   partition layout on a selected block device.
+-  ``initramfs-module-setup-live``: module to start a shell in the
+   :term:`Initramfs` if ``root=/dev/ram0`` in passed in the `Kernel command-line
+   <https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html>`__
+   or the ``root=`` parameter was not passed.
+
+To customize the :term:`Initramfs`, you can add or remove packages listed
+earlier from the :term:`PACKAGE_INSTALL` variable with a :ref:`bbappend
+<dev-manual/layers:Appending Other Layers Metadata With Your Layer>` on the
+``core-image-minimal-initramfs`` recipe, or create a custom recipe for the
+:term:`Initramfs` taking ``core-image-minimal-initramfs`` as example.
+
+Custom scripts can be added to the :term:`Initramfs` by writing your own
+recipes. The recipes are conventionally named ``initramfs-module-<module name>``
+where ``<module name>`` is the name of the module. The recipe should set its
+:term:`RDEPENDS` package-specific variables to include
+``initramfs-framework-base`` and the other packages on which the module depends
+at runtime.
+
+The recipe must install shell initialization scripts in :term:`${D} <D>`\
+``/init.d`` and must follow the ``<number>-<script name>`` naming scheme where:
+
+-  ``<number>`` is a *two-digit* number that affects the execution order of the
+   script compared to others. For example, the script ``80-setup-live`` would be
+   executed after ``01-udev`` because 80 is greater than 01.
+
+   This number being two-digits is important here as the scripts are executed
+   alphabetically. For example, the script ``10-script`` would be executed
+   before the script ``8-script``, because ``1`` is inferior to ``8``.
+   Therefore, the script should be named ``08-script``.
+
+-  ``<script name>`` is the script name which you can choose freely.
+
+   If two script use the same ``<number>``, they are sorted alphabetically based
+   on ``<script name>``.
+
 Bundling an Initramfs Image From a Separate Multiconfig
 -------------------------------------------------------

--- a/documentation/dev-manual/customizing-images.rst
+++ b/documentation/dev-manual/customizing-images.rst
@@ -80,15 +80,14 @@ recipe that are enabled with :term:`IMAGE_FEATURES`. The value of
 :term:`EXTRA_IMAGE_FEATURES` is added to :term:`IMAGE_FEATURES` within
 ``meta/conf/bitbake.conf``.

-To illustrate how you can use these variables to modify your image,
-consider an example that selects the SSH server. The Yocto Project ships
-with two SSH servers you can use with your images: Dropbear and OpenSSH.
-Dropbear is a minimal SSH server appropriate for resource-constrained
-environments, while OpenSSH is a well-known standard SSH server
-implementation. By default, the ``core-image-sato`` image is configured
-to use Dropbear. The ``core-image-full-cmdline`` and ``core-image-lsb``
-images both include OpenSSH. The ``core-image-minimal`` image does not
-contain an SSH server.
+To illustrate how you can use these variables to modify your image, consider an
+example that selects the SSH server. The Yocto Project ships with two SSH
+servers you can use with your images: Dropbear and OpenSSH. Dropbear is a
+minimal SSH server appropriate for resource-constrained environments, while
+OpenSSH is a well-known standard SSH server implementation. By default, the
+``core-image-sato`` image is configured to use Dropbear. The
+``core-image-full-cmdline`` image includes OpenSSH. The ``core-image-minimal``
+image does not contain an SSH server.

 You can customize your image and change these defaults. Edit the
 :term:`IMAGE_FEATURES` variable in your recipe or use the
--- a/documentation/dev-manual/qemu.rst
+++ b/documentation/dev-manual/qemu.rst
@@ -75,7 +75,7 @@ available. Follow these general steps to run QEMU:
      your :term:`Build Directory`.

   -  If you have not built an image, you can go to the
-      :yocto_dl:`machines/qemu </releases/yocto/yocto-&DISTRO;/machines/qemu/>` area and download a
+      :yocto_dl:`machines/qemu </releases/yocto/&DISTRO_REL_LATEST_TAG;/machines/qemu/>` area and download a
      pre-built image that matches your architecture and can be run on
      QEMU.

@@ -280,12 +280,11 @@ present, the toolchain is also automatically used.
      networking.

   -  SSH servers are available in some QEMU images. The ``core-image-sato``
-      QEMU image has a Dropbear secure shell (SSH) server that runs with
-      the root password disabled. The ``core-image-full-cmdline`` and
-      ``core-image-lsb`` QEMU images have OpenSSH instead of Dropbear.
-      Including these SSH servers allow you to use standard ``ssh`` and
-      ``scp`` commands. The ``core-image-minimal`` QEMU image, however,
-      contains no SSH server.
+      QEMU image has a Dropbear secure shell (SSH) server that runs with the
+      root password disabled. The ``core-image-full-cmdline`` QEMU image has
+      OpenSSH instead of Dropbear. Including these SSH servers allow you to use
+      standard ``ssh`` and ``scp`` commands. The ``core-image-minimal`` QEMU
+      image, however, contains no SSH server.

   -  You can use a provided, user-space NFS server to boot the QEMU
      session using a local copy of the root filesystem on the host. In
--- a/documentation/dev-manual/start.rst
+++ b/documentation/dev-manual/start.rst
@@ -615,7 +615,7 @@ Accessing Source Archives
 The Yocto Project also provides source archives of its releases, which
 are available on :yocto_dl:`/releases/yocto/`. Then, choose the subdirectory
 containing the release you wish to use, for example
-:yocto_dl:`yocto-&DISTRO; </releases/yocto/yocto-&DISTRO;/>`.
+:yocto_dl:`&DISTRO_REL_LATEST_TAG; </releases/yocto/&DISTRO_REL_LATEST_TAG;/>`.

 You will find there source archives of individual components (if you wish
 to use them individually), and of the corresponding Poky release bundling
--- a/documentation/dev-manual/vulnerabilities.rst
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -66,37 +66,77 @@ found in ``build/tmp/deploy/cve``.

 For example the CVE check report for the ``flex-native`` recipe looks like::

-   $ cat poky/build/tmp/deploy/cve/flex-native
-   LAYER: meta
-   PACKAGE NAME: flex-native
-   PACKAGE VERSION: 2.6.4
-   CVE: CVE-2016-6354
-   CVE STATUS: Patched
-   CVE SUMMARY: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.
-   CVSS v2 BASE SCORE: 7.5
-   CVSS v3 BASE SCORE: 9.8
-   VECTOR: NETWORK
-   MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6354
-
-   LAYER: meta
-   PACKAGE NAME: flex-native
-   PACKAGE VERSION: 2.6.4
-   CVE: CVE-2019-6293
-   CVE STATUS: Ignored
-   CVE SUMMARY: An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.
-   CVSS v2 BASE SCORE: 4.3
-   CVSS v3 BASE SCORE: 5.5
-   VECTOR: NETWORK
-   MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6293
+   $ cat ./tmp/deploy/cve/flex-native_cve.json
+   {
+     "version": "1",
+     "package": [
+       {
+         "name": "flex-native",
+         "layer": "meta",
+         "version": "2.6.4",
+         "products": [
+           {
+             "product": "flex",
+             "cvesInRecord": "No"
+           },
+           {
+             "product": "flex",
+             "cvesInRecord": "Yes"
+           }
+         ],
+         "issue": [
+           {
+             "id": "CVE-2006-0459",
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459",
+             "summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.",
+             "scorev2": "7.5",
+             "scorev3": "0.0",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T00:06Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2016-6354",
+             "status": "Patched",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354",
+             "summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.",
+             "scorev2": "7.5",
+             "scorev3": "9.8",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T02:55Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+             "detail": "version-not-in-range"
+           },
+           {
+             "id": "CVE-2019-6293",
+             "status": "Ignored",
+             "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293",
+             "summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
+             "scorev2": "4.3",
+             "scorev3": "5.5",
+             "scorev4": "0.0",
+             "modified": "2024-11-21T04:46Z",
+             "vector": "NETWORK",
+             "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
+             "detail": "upstream-wontfix",
+             "description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
+           }
+         ]
+       }
+     ]
+   }

 For images, a summary of all recipes included in the image and their CVEs is also
-generated in textual and JSON formats. These ``.cve`` and ``.json`` reports can be found
+generated in the JSON format. These ``.json`` reports can be found
 in the ``tmp/deploy/images`` directory for each compiled image.

 At build time CVE check will also throw warnings about ``Unpatched`` CVEs::

-   WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
-   WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
+   WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386)

 It is also possible to check the CVE status of individual packages as follows::

@@ -115,10 +155,10 @@ upstream `NIST CVE database <https://nvd.nist.gov/>`__.

 The variable supports using vendor and product names like this::

-   CVE_PRODUCT = "flex_project:flex"
+   CVE_PRODUCT = "flex_project:flex westes:flex"

-In this example the vendor name used in the CVE database is ``flex_project`` and the
-product is ``flex``. With this setting the ``flex`` recipe only maps to this specific
+In this example we have two possible vendors names,  ``flex_project`` and ``westes``,
+with the product name ``flex``. With this setting the ``flex`` recipe only maps to this specific
 product and not products from other vendors with same name ``flex``.

 Similarly, when the recipe version :term:`PV` is not compatible with software versions used by
--- a/documentation/migration-guides/release-4.0.rst
+++ b/documentation/migration-guides/release-4.0.rst
@@ -30,4 +30,5 @@ Release 4.0 (kirkstone)
   release-notes-4.0.21
   release-notes-4.0.22
   release-notes-4.0.23
-
+   release-notes-4.0.24
+   release-notes-4.0.25
--- a/documentation/migration-guides/release-5.0.rst
+++ b/documentation/migration-guides/release-5.0.rst
@@ -12,3 +12,6 @@ Release 5.0 (scarthgap)
   release-notes-5.0.3
   release-notes-5.0.4
   release-notes-5.0.5
+   release-notes-5.0.6
+   release-notes-5.0.7
+   release-notes-5.0.8
--- a/documentation/migration-guides/release-5.1.rst
+++ b/documentation/migration-guides/release-5.1.rst
@@ -8,3 +8,6 @@ Release 5.1 (styhead)
   migration-5.1
   release-notes-5.1
   release-notes-5.1.1
+   release-notes-5.1.2
+   release-notes-5.1.3
+   release-notes-5.1.4
--- a/documentation/migration-guides/release-notes-4.0.24.rst
+++ b/documentation/migration-guides/release-notes-4.0.24.rst
@@ -0,0 +1,383 @@
+Release notes for Yocto-4.0.24 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.24
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  coreutils: Fix :cve_nist:`2024-0684`
+-  cpio: Ignore :cve_nist:`2023-7216`
+-  diffoscope: Fix :cve_nist:`2024-25711`
+-  ffmpeg: fix :cve_mitre:`2023-47342`, :cve_nist:`2023-50007`, :cve_nist:`2023-50008`,
+   :cve_nist:`2023-51793`, :cve_nist:`2023-51794`, :cve_nist:`2023-51796`, :cve_nist:`2023-51798`,
+   :cve_nist:`2024-7055`, :cve_nist:`2024-31578`, :cve_nist:`2024-31582`, :cve_nist:`2024-32230`,
+   :cve_nist:`2024-35366`, :cve_nist:`2024-35367` and :cve_nist:`2024-35368`
+-  ghostscript: Fix :cve_nist:`2024-46951`, :cve_nist:`2024-46952`, :cve_nist:`2024-46953`,
+   :cve_nist:`2024-46955` and :cve_nist:`2024-46956`
+-  ghostscript: Ignore :cve_nist:`2024-46954`
+-  glib-2.0: Fix :cve_nist:`2024-52533`
+-  gnupg: Ignore :cve_nist:`2022-3515`
+-  grub: Ignore :cve_nist:`2024-1048` and :cve_nist:`2023-4001`
+-  gstreame1.0: Ignore :cve_nist:`2023-40474`, :cve_nist:`2023-40475`, :cve_nist:`2023-40476`,
+   :cve_nist:`2023-44429`, :cve_nist:`2023-44446`, :cve_nist:`2023-50186` and :cve_nist:`2024-0444`
+-  gstreamer1.0-plugins-base: Fix :cve_nist:`2024-47538`, :cve_nist:`2024-47541`,
+   :cve_nist:`2024-47542`, :cve_nist:`2024-47600`, :cve_nist:`2024-47607`, :cve_nist:`2024-47615`
+   and :cve_nist:`2024-47835`
+-  gstreamer1.0-plugins-good: Fix :cve_nist:`2024-47537`, :cve_nist:`2024-47539`,
+   :cve_nist:`2024-47540`, :cve_nist:`2024-47543`, :cve_nist:`2024-47544`, :cve_nist:`2024-47545`,
+   :cve_nist:`2024-47546`, :cve_nist:`2024-47596`, :cve_nist:`2024-47597`, :cve_nist:`2024-47598`,
+   :cve_nist:`2024-47599`, :cve_nist:`2024-47601`, :cve_nist:`2024-47602`, :cve_nist:`2024-47603`,
+   :cve_nist:`2024-47606`, :cve_nist:`2024-47613`, :cve_nist:`2024-47774`, :cve_nist:`2024-47775`,
+   :cve_nist:`2024-47776`, :cve_nist:`2024-47777`, :cve_nist:`2024-47778` and :cve_nist:`2024-47834`
+-  gstreamer1.0: Fix :cve_nist:`2024-47606`
+-  libarchive: Fix :cve_nist:`2024-20696`
+-  libpam: Fix :cve_nist:`2024-10041`
+-  libsdl2: Ignore :cve_nist:`2020-14409` and :cve_nist:`2020-14410`
+-  libsndfile1: Fix :cve_nist:`2022-33065` and :cve_nist:`2024-50612`
+-  libsoup-2.4: Fix :cve_nist:`2024-52530`, :cve_nist:`2024-52531` and :cve_nist:`2024-52532`
+-  libsoup: Fix :cve_nist:`2024-52530`, :cve_nist:`2024-52531` and :cve_nist:`2024-52532`
+-  linux-yocto/5.10: Fix :cve_nist:`2023-52889`, :cve_nist:`2023-52917`, :cve_nist:`2023-52918`,
+   :cve_nist:`2024-41011`, :cve_nist:`2024-42259`, :cve_nist:`2024-42271`, :cve_nist:`2024-42272`,
+   :cve_nist:`2024-42280`, :cve_nist:`2024-42283`, :cve_nist:`2024-42284`, :cve_nist:`2024-42285`,
+   :cve_nist:`2024-42286`, :cve_nist:`2024-42287`, :cve_nist:`2024-42288`, :cve_nist:`2024-42289`,
+   :cve_nist:`2024-42301`, :cve_nist:`2024-42302`, :cve_nist:`2024-42309`, :cve_nist:`2024-42310`,
+   :cve_nist:`2024-42311`, :cve_nist:`2024-42313`, :cve_nist:`2024-43828`, :cve_nist:`2024-43856`,
+   :cve_nist:`2024-43858`, :cve_nist:`2024-43860`, :cve_nist:`2024-43861`, :cve_nist:`2024-43871`,
+   :cve_nist:`2024-43882`, :cve_nist:`2024-43889`, :cve_nist:`2024-43890`, :cve_nist:`2024-43893`,
+   :cve_nist:`2024-43894`, :cve_nist:`2024-43907`, :cve_nist:`2024-43908`, :cve_nist:`2024-43914`,
+   :cve_nist:`2024-44935`, :cve_nist:`2024-44944`, :cve_nist:`2024-44947`, :cve_nist:`2024-44954`,
+   :cve_nist:`2024-44960`, :cve_nist:`2024-44965`, :cve_nist:`2024-44969`, :cve_nist:`2024-44971`,
+   :cve_nist:`2024-44987`, :cve_nist:`2024-44988`, :cve_nist:`2024-44989`, :cve_nist:`2024-44990`,
+   :cve_nist:`2024-44995`, :cve_nist:`2024-44998`, :cve_nist:`2024-44999`, :cve_nist:`2024-45003`,
+   :cve_nist:`2024-45006`, :cve_nist:`2024-45016`, :cve_nist:`2024-45018`, :cve_nist:`2024-45021`,
+   :cve_nist:`2024-45025`, :cve_nist:`2024-45026`, :cve_nist:`2024-45028`, :cve_nist:`2024-46673`,
+   :cve_nist:`2024-46674`, :cve_nist:`2024-46675`, :cve_nist:`2024-46676`, :cve_nist:`2024-46677`,
+   :cve_nist:`2024-46679`, :cve_nist:`2024-46685`, :cve_nist:`2024-46689`, :cve_nist:`2024-46702`,
+   :cve_nist:`2024-46707`, :cve_nist:`2024-46714`, :cve_nist:`2024-46719`, :cve_nist:`2024-46721`,
+   :cve_nist:`2024-46722`, :cve_nist:`2024-46723`, :cve_nist:`2024-46724`, :cve_nist:`2024-46725`,
+   :cve_nist:`2024-46731`, :cve_nist:`2024-46737`, :cve_nist:`2024-46738`, :cve_nist:`2024-46739`,
+   :cve_nist:`2024-46740`, :cve_nist:`2024-46743`, :cve_nist:`2024-46744`, :cve_nist:`2024-46747`,
+   :cve_nist:`2024-46750`, :cve_nist:`2024-46755`, :cve_nist:`2024-46759`, :cve_nist:`2024-46761`,
+   :cve_nist:`2024-46763`, :cve_nist:`2024-46771`, :cve_nist:`2024-46777`, :cve_nist:`2024-46780`,
+   :cve_nist:`2024-46781`, :cve_nist:`2024-46782`, :cve_nist:`2024-46783`, :cve_nist:`2024-46791`,
+   :cve_nist:`2024-46798`, :cve_nist:`2024-46800`, :cve_nist:`2024-46804`, :cve_nist:`2024-46814`,
+   :cve_nist:`2024-46815`, :cve_nist:`2024-46817`, :cve_nist:`2024-46818`, :cve_nist:`2024-46819`,
+   :cve_nist:`2024-46822`, :cve_nist:`2024-46828`, :cve_nist:`2024-46829`, :cve_nist:`2024-46832`,
+   :cve_nist:`2024-46840`, :cve_nist:`2024-46844`, :cve_nist:`2024-47659`, :cve_nist:`2024-47660`,
+   :cve_nist:`2024-47663`, :cve_nist:`2024-47667`, :cve_nist:`2024-47668`, :cve_nist:`2024-47669`,
+   :cve_nist:`2024-47679`, :cve_nist:`2024-47684`, :cve_nist:`2024-47685`, :cve_nist:`2024-47692`,
+   :cve_nist:`2024-47697`, :cve_nist:`2024-47698`, :cve_nist:`2024-47699`, :cve_nist:`2024-47701`,
+   :cve_nist:`2024-47705`, :cve_nist:`2024-47706`, :cve_nist:`2024-47710`, :cve_nist:`2024-47712`,
+   :cve_nist:`2024-47713`, :cve_nist:`2024-47718`, :cve_nist:`2024-47723`, :cve_nist:`2024-47735`,
+   :cve_nist:`2024-47737`, :cve_nist:`2024-47739`, :cve_nist:`2024-47742`, :cve_nist:`2024-47747`,
+   :cve_nist:`2024-47748`, :cve_nist:`2024-47749`, :cve_nist:`2024-47757`, :cve_nist:`2024-49851`,
+   :cve_nist:`2024-49858`, :cve_nist:`2024-49860`, :cve_nist:`2024-49863`, :cve_nist:`2024-49867`,
+   :cve_nist:`2024-49868`, :cve_nist:`2024-49875`, :cve_nist:`2024-49877`, :cve_nist:`2024-49878`,
+   :cve_nist:`2024-49879`, :cve_nist:`2024-49881`, :cve_nist:`2024-49882`, :cve_nist:`2024-49883`,
+   :cve_nist:`2024-49884`, :cve_nist:`2024-49889`, :cve_nist:`2024-49890`, :cve_nist:`2024-49892`,
+   :cve_nist:`2024-49894`, :cve_nist:`2024-49895`, :cve_nist:`2024-49896`, :cve_nist:`2024-49900`,
+   :cve_nist:`2024-49902`, :cve_nist:`2024-49903`, :cve_nist:`2024-49907`, :cve_nist:`2024-49913`,
+   :cve_nist:`2024-49924`, :cve_nist:`2024-49930`, :cve_nist:`2024-49933`, :cve_nist:`2024-49936`,
+   :cve_nist:`2024-49938`, :cve_nist:`2024-49944`, :cve_nist:`2024-49948`, :cve_nist:`2024-49949`,
+   :cve_nist:`2024-49952`, :cve_nist:`2024-49955`, :cve_nist:`2024-49957`, :cve_nist:`2024-49958`,
+   :cve_nist:`2024-49959`, :cve_nist:`2024-49962`, :cve_nist:`2024-49963`, :cve_nist:`2024-49965`,
+   :cve_nist:`2024-49966`, :cve_nist:`2024-49969`, :cve_nist:`2024-49973`, :cve_nist:`2024-49975`,
+   :cve_nist:`2024-49977`, :cve_nist:`2024-49981`, :cve_nist:`2024-49982`, :cve_nist:`2024-49983`,
+   :cve_nist:`2024-49985`, :cve_nist:`2024-49995`, :cve_nist:`2024-49997`, :cve_nist:`2024-50001`,
+   :cve_nist:`2024-50006`, :cve_nist:`2024-50007`, :cve_nist:`2024-50008`, :cve_nist:`2024-50013`,
+   :cve_nist:`2024-50015`, :cve_nist:`2024-50024`, :cve_nist:`2024-50033`, :cve_nist:`2024-50035`,
+   :cve_nist:`2024-50039`, :cve_nist:`2024-50040`, :cve_nist:`2024-50044`, :cve_nist:`2024-50045`,
+   :cve_nist:`2024-50046`, :cve_nist:`2024-50049`, :cve_nist:`2024-50059`, :cve_nist:`2024-50095`,
+   :cve_nist:`2024-50096`, :cve_nist:`2024-50179`, :cve_nist:`2024-50180`, :cve_nist:`2024-50181`,
+   :cve_nist:`2024-50184` and :cve_nist:`2024-50188`
+-  linux-yocto/5.15: Fix :cve_nist:`2022-48695`, :cve_nist:`2023-52530`, :cve_nist:`2023-52917`,
+   :cve_nist:`2024-45009`, :cve_nist:`2024-46714`, :cve_nist:`2024-46719`, :cve_nist:`2024-46721`,
+   :cve_nist:`2024-46722`, :cve_nist:`2024-46723`, :cve_nist:`2024-46724`, :cve_nist:`2024-46725`,
+   :cve_nist:`2024-46731`, :cve_nist:`2024-46732`, :cve_nist:`2024-46737`, :cve_nist:`2024-46738`,
+   :cve_nist:`2024-46739`, :cve_nist:`2024-46740`, :cve_nist:`2024-46743`, :cve_nist:`2024-46744`,
+   :cve_nist:`2024-46746`, :cve_nist:`2024-46747`, :cve_nist:`2024-46750`, :cve_nist:`2024-46755`,
+   :cve_nist:`2024-46759`, :cve_nist:`2024-46761`, :cve_nist:`2024-46763`, :cve_nist:`2024-46771`,
+   :cve_nist:`2024-46777`, :cve_nist:`2024-46780`, :cve_nist:`2024-46781`, :cve_nist:`2024-46782`,
+   :cve_nist:`2024-46783`, :cve_nist:`2024-46791`, :cve_nist:`2024-46795`, :cve_nist:`2024-46798`,
+   :cve_nist:`2024-46800`, :cve_nist:`2024-46804`, :cve_nist:`2024-46805`, :cve_nist:`2024-46807`,
+   :cve_nist:`2024-46810`, :cve_nist:`2024-46814`, :cve_nist:`2024-46815`, :cve_nist:`2024-46817`,
+   :cve_nist:`2024-46818`, :cve_nist:`2024-46819`, :cve_nist:`2024-46822`, :cve_nist:`2024-46828`,
+   :cve_nist:`2024-46829`, :cve_nist:`2024-46832`, :cve_nist:`2024-46840`, :cve_nist:`2024-46844`,
+   :cve_nist:`2024-47659`, :cve_nist:`2024-47660`, :cve_nist:`2024-47663`, :cve_nist:`2024-47665`,
+   :cve_nist:`2024-47667`, :cve_nist:`2024-47668`, :cve_nist:`2024-47669`, :cve_nist:`2024-47674`,
+   :cve_nist:`2024-47679`, :cve_nist:`2024-47684`, :cve_nist:`2024-47685`, :cve_nist:`2024-47690`,
+   :cve_nist:`2024-47692`, :cve_nist:`2024-47693`, :cve_nist:`2024-47695`, :cve_nist:`2024-47696`,
+   :cve_nist:`2024-47697`, :cve_nist:`2024-47698`, :cve_nist:`2024-47699`, :cve_nist:`2024-47701`,
+   :cve_nist:`2024-47705`, :cve_nist:`2024-47706`, :cve_nist:`2024-47710`, :cve_nist:`2024-47712`,
+   :cve_nist:`2024-47713`, :cve_nist:`2024-47718`, :cve_nist:`2024-47720`, :cve_nist:`2024-47723`,
+   :cve_nist:`2024-47734`, :cve_nist:`2024-47735`, :cve_nist:`2024-47737`, :cve_nist:`2024-47739`,
+   :cve_nist:`2024-47742`, :cve_nist:`2024-47747`, :cve_nist:`2024-47748`, :cve_nist:`2024-47749`,
+   :cve_nist:`2024-47757`, :cve_nist:`2024-49851`, :cve_nist:`2024-49852`, :cve_nist:`2024-49854`,
+   :cve_nist:`2024-49856`, :cve_nist:`2024-49858`, :cve_nist:`2024-49860`, :cve_nist:`2024-49863`,
+   :cve_nist:`2024-49866`, :cve_nist:`2024-49867`, :cve_nist:`2024-49868`, :cve_nist:`2024-49871`,
+   :cve_nist:`2024-49875`, :cve_nist:`2024-49877`, :cve_nist:`2024-49878`, :cve_nist:`2024-49879`,
+   :cve_nist:`2024-49881`, :cve_nist:`2024-49882`, :cve_nist:`2024-49883`, :cve_nist:`2024-49884`,
+   :cve_nist:`2024-49886`, :cve_nist:`2024-49889`, :cve_nist:`2024-49890`, :cve_nist:`2024-49892`,
+   :cve_nist:`2024-49894`, :cve_nist:`2024-49895`, :cve_nist:`2024-49896`, :cve_nist:`2024-49900`,
+   :cve_nist:`2024-49902`, :cve_nist:`2024-49903`, :cve_nist:`2024-49907`, :cve_nist:`2024-49913`,
+   :cve_nist:`2024-49924`, :cve_nist:`2024-49927`, :cve_nist:`2024-49930`, :cve_nist:`2024-49933`,
+   :cve_nist:`2024-49935`, :cve_nist:`2024-49936`, :cve_nist:`2024-49938`, :cve_nist:`2024-49944`,
+   :cve_nist:`2024-49946`, :cve_nist:`2024-49948`, :cve_nist:`2024-49949`, :cve_nist:`2024-49952`,
+   :cve_nist:`2024-49954`, :cve_nist:`2024-49955`, :cve_nist:`2024-49957`, :cve_nist:`2024-49958`,
+   :cve_nist:`2024-49959`, :cve_nist:`2024-49962`, :cve_nist:`2024-49963`, :cve_nist:`2024-49965`,
+   :cve_nist:`2024-49966`, :cve_nist:`2024-49969`, :cve_nist:`2024-49973`, :cve_nist:`2024-49975`,
+   :cve_nist:`2024-49977`, :cve_nist:`2024-49981`, :cve_nist:`2024-49982`, :cve_nist:`2024-49983`,
+   :cve_nist:`2024-49985`, :cve_nist:`2024-49995`, :cve_nist:`2024-49997`, :cve_nist:`2024-50000`,
+   :cve_nist:`2024-50001`, :cve_nist:`2024-50002`, :cve_nist:`2024-50003`, :cve_nist:`2024-50006`,
+   :cve_nist:`2024-50007`, :cve_nist:`2024-50008`, :cve_nist:`2024-50013`, :cve_nist:`2024-50015`,
+   :cve_nist:`2024-50019`, :cve_nist:`2024-50024`, :cve_nist:`2024-50031`, :cve_nist:`2024-50033`,
+   :cve_nist:`2024-50035`, :cve_nist:`2024-50038`, :cve_nist:`2024-50039`, :cve_nist:`2024-50040`,
+   :cve_nist:`2024-50041`, :cve_nist:`2024-50044`, :cve_nist:`2024-50045`, :cve_nist:`2024-50046`,
+   :cve_nist:`2024-50049`, :cve_nist:`2024-50059`, :cve_nist:`2024-50062`, :cve_nist:`2024-50074`,
+   :cve_nist:`2024-50082`, :cve_nist:`2024-50083`, :cve_nist:`2024-50093`, :cve_nist:`2024-50095`,
+   :cve_nist:`2024-50096`, :cve_nist:`2024-50099`, :cve_nist:`2024-50101`, :cve_nist:`2024-50103`,
+   :cve_nist:`2024-50110`, :cve_nist:`2024-50115`, :cve_nist:`2024-50116`, :cve_nist:`2024-50117`,
+   :cve_nist:`2024-50127`, :cve_nist:`2024-50128`, :cve_nist:`2024-50131`, :cve_nist:`2024-50134`,
+   :cve_nist:`2024-50141`, :cve_nist:`2024-50142`, :cve_nist:`2024-50143`, :cve_nist:`2024-50148`,
+   :cve_nist:`2024-50150`, :cve_nist:`2024-50151`, :cve_nist:`2024-50153`, :cve_nist:`2024-50154`,
+   :cve_nist:`2024-50156`, :cve_nist:`2024-50160`, :cve_nist:`2024-50162`, :cve_nist:`2024-50163`,
+   :cve_nist:`2024-50167`, :cve_nist:`2024-50168`, :cve_nist:`2024-50171`, :cve_nist:`2024-50179`,
+   :cve_nist:`2024-50180`, :cve_nist:`2024-50181`, :cve_nist:`2024-50182`, :cve_nist:`2024-50184`,
+   :cve_nist:`2024-50185`, :cve_nist:`2024-50186`, :cve_nist:`2024-50188`, :cve_nist:`2024-50189`,
+   :cve_nist:`2024-50191`, :cve_nist:`2024-50192`, :cve_nist:`2024-50193`, :cve_nist:`2024-50194`,
+   :cve_nist:`2024-50195`, :cve_nist:`2024-50196`, :cve_nist:`2024-50198`, :cve_nist:`2024-50201`,
+   :cve_nist:`2024-50202`, :cve_nist:`2024-50205`, :cve_nist:`2024-50208`, :cve_nist:`2024-50209`,
+   :cve_nist:`2024-50229`, :cve_nist:`2024-50230`, :cve_nist:`2024-50232`, :cve_nist:`2024-50233`,
+   :cve_nist:`2024-50234`, :cve_nist:`2024-50236`, :cve_nist:`2024-50237`, :cve_nist:`2024-50244`,
+   :cve_nist:`2024-50245`, :cve_nist:`2024-50247`, :cve_nist:`2024-50251`, :cve_nist:`2024-50257`,
+   :cve_nist:`2024-50259`, :cve_nist:`2024-50262`, :cve_nist:`2024-50264`, :cve_nist:`2024-50265`,
+   :cve_nist:`2024-50267`, :cve_nist:`2024-50268`, :cve_nist:`2024-50269`, :cve_nist:`2024-50273`,
+   :cve_nist:`2024-50278`, :cve_nist:`2024-50279`, :cve_nist:`2024-50282`, :cve_nist:`2024-50287`,
+   :cve_nist:`2024-50292`, :cve_nist:`2024-50296`, :cve_nist:`2024-50299`, :cve_nist:`2024-50301`,
+   :cve_nist:`2024-50302`, :cve_nist:`2024-53052`, :cve_nist:`2024-53055`, :cve_nist:`2024-53057`,
+   :cve_nist:`2024-53058`, :cve_nist:`2024-53059`, :cve_nist:`2024-53060`, :cve_nist:`2024-53061`,
+   :cve_nist:`2024-53063`, :cve_nist:`2024-53066`, :cve_nist:`2024-53088`, :cve_nist:`2024-53096`,
+   :cve_nist:`2024-53101`, :cve_nist:`2024-53103`, :cve_nist:`2024-53145`, :cve_nist:`2024-53146`,
+   :cve_nist:`2024-53150`, :cve_nist:`2024-53151`, :cve_nist:`2024-53155`, :cve_nist:`2024-53156`,
+   :cve_nist:`2024-53157`, :cve_nist:`2024-53165`, :cve_nist:`2024-53171`, :cve_nist:`2024-53173`,
+   :cve_nist:`2024-53226`, :cve_nist:`2024-53227`, :cve_nist:`2024-53237`, :cve_nist:`2024-56567`,
+   :cve_nist:`2024-56572`, :cve_nist:`2024-56574`, :cve_nist:`2024-56578`, :cve_nist:`2024-56581`,
+   :cve_nist:`2024-56593`, :cve_nist:`2024-56600`, :cve_nist:`2024-56601`, :cve_nist:`2024-56602`,
+   :cve_nist:`2024-56603`, :cve_nist:`2024-56605`, :cve_nist:`2024-56606`, :cve_nist:`2024-56614`,
+   :cve_nist:`2024-56622`, :cve_nist:`2024-56623`, :cve_nist:`2024-56629`, :cve_nist:`2024-56634`,
+   :cve_nist:`2024-56640`, :cve_nist:`2024-56642`, :cve_nist:`2024-56643`, :cve_nist:`2024-56648`,
+   :cve_nist:`2024-56650`, :cve_nist:`2024-56659`, :cve_nist:`2024-56662`, :cve_nist:`2024-56670`,
+   :cve_nist:`2024-56688`, :cve_nist:`2024-56694`, :cve_nist:`2024-56704`, :cve_nist:`2024-56708`,
+   :cve_nist:`2024-56720`, :cve_nist:`2024-56723`, :cve_nist:`2024-56724`, :cve_nist:`2024-56726`,
+   :cve_nist:`2024-56728`, :cve_nist:`2024-56739`, :cve_nist:`2024-56741`, :cve_nist:`2024-56745`,
+   :cve_nist:`2024-56746`, :cve_nist:`2024-56747`, :cve_nist:`2024-56748`, :cve_nist:`2024-56754`,
+   :cve_nist:`2024-56756`, :cve_nist:`2024-56770`, :cve_nist:`2024-56774`, :cve_nist:`2024-56776`,
+   :cve_nist:`2024-56777`, :cve_nist:`2024-56778`, :cve_nist:`2024-56779`, :cve_nist:`2024-56780`,
+   :cve_nist:`2024-56781`, :cve_nist:`2024-56785` and :cve_nist:`2024-56787`
+-  ovmf: Fix :cve_nist:`2022-36763`, :cve_nist:`2022-36764`, :cve_nist:`2022-36765`,
+   :cve_nist:`2023-45229`, :cve_nist:`2023-45230`, :cve_nist:`2023-45231`, :cve_nist:`2023-45232`,
+   :cve_nist:`2023-45233`, :cve_nist:`2023-45234`, :cve_nist:`2023-45235`, :cve_nist:`2023-45236`,
+   :cve_nist:`2023-45237`, :cve_nist:`2024-1298` and :cve_nist:`2024-38796`
+-  pixman: Ignore :cve_nist:`2023-37769`
+-  python3: Fix :cve_nist:`2024-9287`, :cve_nist:`2024-11168` and :cve_nist:`2024-50602`
+-  python3-pip: Fix :cve_nist:`2023-5752`
+-  python3-requests: Fix :cve_nist:`2024-35195`
+-  python3-zipp: Fix :cve_nist:`2024-5569`
+-  qemu: Fix :cve_nist:`2024-3446`, :cve_nist:`2024-3447` and :cve_nist:`2024-6505`
+-  qemu: Ignore :cve_nist:`2022-36648`
+-  subversion: Fix :cve_nist:`2024-46901`
+-  tiff: Fix :cve_nist:`2023-3164`
+-  tiff: Ignore :cve_nist:`2023-2731`
+-  webkitgtk: Fix :cve_nist:`2024-40776` and :cve_nist:`2024-40780`
+-  xserver-xorg: Fix :cve_nist:`2024-9632`
+-  xwayland: Fix :cve_nist:`2023-5380` and :cve_nist:`2024-0229`
+
+
+Fixes in Yocto-4.0.24
+~~~~~~~~~~~~~~~~~~~~~
+
+-  base-passwd: Add the sgx group
+-  base-passwd: Regenerate the patches
+-  base-passwd: Update the status for two patches
+-  base-passwd: Update to 3.5.52
+-  base-passwd: add the wheel group
+-  base-passwd: fix patchreview warning
+-  bitbake: fetch2: use persist_data context managers
+-  bitbake: fetch/wget: Increase timeout to 100s from 30s
+-  bitbake: persist_data: close connection in SQLTable __exit__
+-  build-appliance-image: Update to kirkstone head revision
+-  builder: set :term:`CVE_PRODUCT`
+-  contributor-guide: submit-changes.rst: suggest to remove the git signature
+-  cve-update-nvd2-native: Tweak to work better with NFS :term:`DL_DIR`
+-  dbus: disable assertions and enable only modular tests
+-  do_package/sstate/sstatesig: Change timestamp clamping to hash output only
+-  docs: Gather dependencies in poky.yaml.in
+-  docs: standards.md: add a section on admonitions
+-  gstreamer1.0: improve test reliability
+-  linux-yocto/5.10: update to v5.10.227
+-  linux-yocto/5.15: update to v5.15.175
+-  llvm: reduce size of -dbg package
+-  lttng-modules: fix build error after kernel update to 5.15.171
+-  migration-guides: add release notes for 4.0.23
+-  ninja: fix build with python 3.13
+-  oeqa/utils/gitarchive: Return tag name and improve exclude handling
+-  ovmf-native: remove .pyc files from install
+-  package.bbclass: Use shlex instead of deprecated pipes
+-  package_rpm: restrict rpm to 4 threads
+-  package_rpm: use zstd's default compression level
+-  poky.conf: add new tested distros
+-  poky.conf: bump version for 4.0.24
+-  poky.yaml.in: add missing locales dependency
+-  python3: upgrade to 3.10.16
+-  ref-manual: SSTATE_MIRRORS/SOURCE_MIRROR_URL: add instructions for mirror authentication
+-  ref-manual: classes: fix bin_package description
+-  ref-manual: devtool-reference: add warning note on deploy-target and shared objects
+-  ref-manual: move runtime-testing section to the test-manual
+-  ref-manual: packages: move ptest section to the test-manual
+-  ref-manual: system-requirements: update list of supported distros
+-  ref-manual: use standardized method accross both ubuntu and debian for locale install
+-  resulttool: Add --logfile-archive option to store mode
+-  resulttool: Allow store to filter to specific revisions
+-  resulttool: Clean up repoducible build logs
+-  resulttool: Fix passthrough of --all files in store mode
+-  resulttool: Handle ltp rawlogs as well as ptest
+-  resulttool: Improve repo layout for oeselftest results
+-  resulttool: Trim the precision of duration information
+-  resulttool: Use single space indentation in json output
+-  rootfs-postcommands.bbclass: make opkg status reproducible
+-  rxvt-unicode.inc: disable the terminfo installation by setting TIC to :
+-  sanity: check for working user namespaces
+-  scripts/install-buildtools: Update to 4.0.22
+-  selftest/reproducible: Clean up pathnames
+-  selftest/reproducible: Drop rawlogs
+-  test-manual: reproducible-builds.rst: document :term:`OEQA_REPRODUCIBLE_TEST_TARGET` and
+   :term:`OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS`
+-  test-manual: reproducible-builds.rst: show how to build a single package
+-  toolchain-shar-extract.sh: exit when post-relocate-setup.sh fails
+-  tzdata & tzcode-native: upgrade 2024b
+-  udev-extraconf: fix network.sh script did not configure hotplugged interfaces
+-  unzip: Fix configure tests to use modern C
+-  webkitgtk: Fix build on 32bit arm
+-  webkitgtk: fix perl-native dependency
+-  webkitgtk: reduce size of -dbg package
+-  wireless-regdb: upgrade to 2024.10.07
+
+
+Known Issues in Yocto-4.0.24
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+Contributors to Yocto-4.0.24
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Thanks to the following people who contributed to this release:
+
+-  Aleksandar Nikolic
+-  Alex Kiernan
+-  Alexander Kanavin
+-  Alexandre Belloni
+-  Antonin Godard
+-  Archana Polampalli
+-  Bruce Ashfield
+-  Changqing Li
+-  Chen Qi
+-  Chris Laplante
+-  Divya Chellam
+-  Ernst Persson
+-  Guénaël Muller
+-  Hitendra Prajapati
+-  Hongxu Jia
+-  Jiaying Song
+-  Jinfeng Wang
+-  Khem Raj
+-  Lee Chee Yang
+-  Liyin Zhang
+-  Louis Rannou
+-  Markus Volk
+-  Mikko Rapeli
+-  Ovidiu Panait
+-  Peter Kjellerstedt
+-  Peter Marko
+-  Regis Dargent
+-  Richard Purdie
+-  Rohini Sangam
+-  Ross Burton
+-  Soumya Sambu
+-  Steve Sakoman
+-  Trevor Gamblin
+-  Vijay Anusuri
+-  Wang Mingyu
+-  Yogita Urade
+-  Zahir Hussain
+
+
+Repositories / Downloads for Yocto-4.0.24
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.24 </poky/log/?h=yocto-4.0.24>`
+-  Git Revision: :yocto_git:`f50532593651dff82bc952288d786c55038c2c86 </poky/commit/?id=f50532593651dff82bc952288d786c55038c2c86>`
+-  Release Artefact: poky-f50532593651dff82bc952288d786c55038c2c86
+-  sha: 0aa062d19510394748db9a2d6ded2d764f435383296d9c94fb6b25755280556e
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.24/poky-f50532593651dff82bc952288d786c55038c2c86.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.24/poky-f50532593651dff82bc952288d786c55038c2c86.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.24 </openembedded-core/log/?h=yocto-4.0.24>`
+-  Git Revision: :oe_git:`a270d4c957259761bcc7382fcc54642a02f9fc7d </openembedded-core/commit/?id=a270d4c957259761bcc7382fcc54642a02f9fc7d>`
+-  Release Artefact: oecore-a270d4c957259761bcc7382fcc54642a02f9fc7d
+-  sha: b08b9b16c8ffa587d521ad28e24e38c79d757a6f0839d18165ebac3081a34b68
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.24/oecore-a270d4c957259761bcc7382fcc54642a02f9fc7d.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.24/oecore-a270d4c957259761bcc7382fcc54642a02f9fc7d.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.24 </meta-mingw/log/?h=yocto-4.0.24>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.24/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.24/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.24 </meta-gplv2/log/?h=yocto-4.0.24>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.24/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.24/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.24 </bitbake/log/?h=yocto-4.0.24>`
+-  Git Revision: :oe_git:`3f88b005244a0afb5d5c7260e54a94a453ec9b3e </bitbake/commit/?id=3f88b005244a0afb5d5c7260e54a94a453ec9b3e>`
+-  Release Artefact: bitbake-3f88b005244a0afb5d5c7260e54a94a453ec9b3e
+-  sha: 31f442b72ec7d81ca75509b1a7179c3fe3942528b1e31c823b21a413244bd15b
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.24/bitbake-3f88b005244a0afb5d5c7260e54a94a453ec9b3e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.24/bitbake-3f88b005244a0afb5d5c7260e54a94a453ec9b3e.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.24 </yocto-docs/log/?h=yocto-4.0.24>`
+-  Git Revision: :yocto_git:`3128bf149f40928e6c2a3e264590a0c6c9778c6a </yocto-docs/commit/?id=3128bf149f40928e6c2a3e264590a0c6c9778c6a>`
+
--- a/documentation/migration-guides/release-notes-4.0.25.rst
+++ b/documentation/migration-guides/release-notes-4.0.25.rst
@@ -0,0 +1,167 @@
+Release notes for Yocto-4.0.25 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.25
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  avahi: Fix :cve_nist:`2024-52616`
+-  binutils: Fix :cve_nist:`2024-53589`
+-  gdb: Fix :cve_nist:`2024-53589`
+-  go: Fix :cve_nist:`2024-34155`, :cve_nist:`2024-34156`, :cve_nist:`2024-34158` and
+   :cve_nist:`2024-45336`
+-  gstreamer1.0: Ignore :cve_nist:`2024-47537`, :cve_nist:`2024-47539`, :cve_nist:`2024-47540`,
+   :cve_nist:`2024-47543`, :cve_nist:`2024-47544`, :cve_nist:`2024-47545`, :cve_nist:`2024-47538`,
+   :cve_nist:`2024-47541`, :cve_nist:`2024-47542`, :cve_nist:`2024-47600`, :cve_nist:`2024-47607`,
+   :cve_nist:`2024-47615`, :cve_nist:`2024-47835`, :cve_nist:`2024-47546`, :cve_nist:`2024-47596`,
+   :cve_nist:`2024-47597`, :cve_nist:`2024-47598`, :cve_nist:`2024-47599`, :cve_nist:`2024-47601`,
+   :cve_nist:`2024-47777`, :cve_nist:`2024-47778`, :cve_nist:`2024-47834`, :cve_nist:`2024-47602`,
+   :cve_nist:`2024-47603`, :cve_nist:`2024-47613`, :cve_nist:`2024-47774`, :cve_nist:`2024-47775`
+   and :cve_nist:`2024-47776`
+-  linux-yocto/5.15: Fix :cve_nist:`2024-36476`, :cve_nist:`2024-55916`, :cve_nist:`2024-56369`,
+   :cve_nist:`2024-56626`, :cve_nist:`2024-56627`, :cve_nist:`2024-56715`, :cve_nist:`2024-56716`,
+   :cve_nist:`2024-57802`, :cve_nist:`2024-57807`, :cve_nist:`2024-57841`, :cve_nist:`2024-57890`,
+   :cve_nist:`2024-57896`, :cve_nist:`2024-57900`, :cve_nist:`2024-57910`, :cve_nist:`2024-57911`,
+   :cve_nist:`2024-57938`, :cve_nist:`2024-57951`, :cve_nist:`2025-21631`, :cve_nist:`2025-21665`,
+   :cve_nist:`2025-21666`, :cve_nist:`2025-21669`, :cve_nist:`2025-21680`, :cve_nist:`2025-21683`,
+   :cve_nist:`2025-21694`, :cve_nist:`2025-21697` and :cve_nist:`2025-21699`
+-  ofono: Fix :cve_nist:`2024-7539`, :cve_nist:`2024-7540`, :cve_nist:`2024-7541`,
+   :cve_nist:`2024-7542`, :cve_nist:`2024-7543`, :cve_nist:`2024-7544`, :cve_nist:`2024-7545`,
+   :cve_nist:`2024-7546` and :cve_nist:`2024-7547`
+-  openssl: Fix :cve_nist:`2024-13176`
+-  rsync: Fix :cve_nist:`2024-12084`, :cve_nist:`2024-12085`, :cve_nist:`2024-12086`,
+   :cve_nist:`2024-12087`, :cve_nist:`2024-12088` and :cve_nist:`2024-12747`
+-  ruby: Fix :cve_nist:`2024-49761`
+-  socat: Fix :cve_nist:`2024-54661`
+-  vte: Fix :cve_nist:`2024-37535`
+-  wget: Fix :cve_nist:`2024-10524`
+
+
+Fixes in Yocto-4.0.25
+~~~~~~~~~~~~~~~~~~~~~
+
+-  bitbake: tests/fetch: Fix git shallow test failure with git >= 2.48
+-  build-appliance-image: Update to kirkstone head revision
+-  classes-global/insane: Look up all runtime providers for file-rdeps
+-  classes/nativesdk: also override :term:`TUNE_PKGARCH`
+-  classes/qemu: use tune to select QEMU_EXTRAOPTIONS, not package architecture
+-  cmake: apply parallel build settings to ptest tasks
+-  dev-manual/building: document the initramfs-framework recipe
+-  docs: Update autobuilder URLs to valkyrie
+-  documentation: Fix typo in standards.md
+-  glibc: Suppress GCC -Os warning on user2netname for sunrpc
+-  glibc: stable 2.35 branch updates
+-  lib/packagedata.py: Add API to iterate over rprovides
+-  linux-yocto/5.15: upgrade to v5.15.178
+-  migration-guides: add release notes for 4.0.24
+-  openssl: upgrade to 3.0.16
+-  poky.conf: bump version for 4.0.25
+-  python3: Treat UID/GID overflow as failure
+-  rsync: Delete pedantic errors re-ordering patch
+-  rsync: upgrade to 3.2.7
+-  rust-common.bbclass: soft assignment for RUSTLIB path
+-  scripts/install-buildtools: Update to 4.0.23
+-  test-manual/reproducible-builds: fix reproducible links
+
+
+Known Issues in Yocto-4.0.25
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.25
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Aleksandar Nikolic
+-  Alexander Kanavin
+-  Antonin Godard
+-  Archana Polampalli
+-  Bruce Ashfield
+-  Deepesh Varatharajan
+-  Divya Chellam
+-  Joshua Watt
+-  Khem Raj
+-  Lee Chee Yang
+-  Nikhil R
+-  Pedro Ferreira
+-  Peter Marko
+-  Praveen Kumar
+-  Richard Purdie
+-  Ross Burton
+-  Simon A. Eugster
+-  Steve Sakoman
+-  Yash Shinde
+-  Yogita Urade
+-  Zhang Peng
+
+
+Repositories / Downloads for Yocto-4.0.25
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.25 </poky/log/?h=yocto-4.0.25>`
+-  Git Revision: :yocto_git:`b5aa03f336c121269551f9e7baed4c677c76bb39 </poky/commit/?id=b5aa03f336c121269551f9e7baed4c677c76bb39>`
+-  Release Artefact: poky-b5aa03f336c121269551f9e7baed4c677c76bb39
+-  sha: 7afbcb25f0dd89a4fb6dd4c5945061705ef9ce79a6863806278603273c2b3b4a
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.25/poky-b5aa03f336c121269551f9e7baed4c677c76bb39.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.25/poky-b5aa03f336c121269551f9e7baed4c677c76bb39.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.25 </openembedded-core/log/?h=yocto-4.0.25>`
+-  Git Revision: :oe_git:`5a794fd244f7fdeb426bd5e3def6b4effc0e8c62 </openembedded-core/commit/?id=5a794fd244f7fdeb426bd5e3def6b4effc0e8c62>`
+-  Release Artefact: oecore-5a794fd244f7fdeb426bd5e3def6b4effc0e8c62
+-  sha: 8fc93109693e5f4702b3fe0633b6be833605291b3d595dc8bdeb6379f40cd2de
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.25/oecore-5a794fd244f7fdeb426bd5e3def6b4effc0e8c62.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.25/oecore-5a794fd244f7fdeb426bd5e3def6b4effc0e8c62.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.25 </meta-mingw/log/?h=yocto-4.0.25>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.25/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.25/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.25 </meta-gplv2/log/?h=yocto-4.0.25>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.25/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.25/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.25 </bitbake/log/?h=yocto-4.0.25>`
+-  Git Revision: :oe_git:`e71f1ce53cf3b8320caa481ae62d1ce2900c4670 </bitbake/commit/?id=e71f1ce53cf3b8320caa481ae62d1ce2900c4670>`
+-  Release Artefact: bitbake-e71f1ce53cf3b8320caa481ae62d1ce2900c4670
+-  sha: 007eef35174586c85b233f4ec91578956fe21e0236f7ca2c3f90f9d034f94b5b
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.25/bitbake-e71f1ce53cf3b8320caa481ae62d1ce2900c4670.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.25/bitbake-e71f1ce53cf3b8320caa481ae62d1ce2900c4670.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.25 </yocto-docs/log/?h=yocto-4.0.25>`
+-  Git Revision: :yocto_git:`c6dce0c77481dee7b0a0fcdc803f755ceccef234 </yocto-docs/commit/?id=c6dce0c77481dee7b0a0fcdc803f755ceccef234>`
+
--- a/documentation/migration-guides/release-notes-5.0.6.rst
+++ b/documentation/migration-guides/release-notes-5.0.6.rst
@@ -0,0 +1,223 @@
+Release notes for Yocto-5.0.6 (Scarthgap)
+-----------------------------------------
+
+Security Fixes in Yocto-5.0.6
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  acpica: Fix :cve_nist:`2024-24856`
+-  curl: Fix :cve_nist:`2024-9681`
+-  dropbear: Fix :cve_nist:`2023-48795`
+-  expat: Fix :cve_nist:`2024-50602`
+-  ffmpeg: Fix :cve_nist:`2023-49501`, :cve_nist:`2023-49528`, :cve_nist:`2023-50007`,
+   :cve_nist:`2024-7055` and :cve_mitre:`2024-28661`
+-  glib-2.0: Fix :cve_nist:`2024-52533`
+-  ghostscript: Fix :cve_nist:`2024-46951`, :cve_nist:`2024-46952`, :cve_nist:`2024-46953`,
+   :cve_nist:`2024-46954`, :cve_nist:`2024-46955` and :cve_nist:`2024-46956`
+-  gstreamer1.0: Ignore :cve_nist:`2024-0444`
+-  libpam: Fix :cve_nist:`2024-10041`
+-  libsndfile: Fix :cve_nist:`2024-50612`
+-  libsoup: Fix :cve_nist:`2024-52530`, :cve_nist:`2024-52531` and :cve_nist:`2024-52532`
+-  ovmf: Fix :cve_nist:`2024-1298` and :cve_nist:`2024-38796`
+-  python3-zipp: Fix :cve_nist:`2024-5569`
+-  qemu: Fix :cve_nist:`2024-4693`, :cve_nist:`2024-6505` and :cve_nist:`2024-7730`
+-  qemu: Ignore :cve_nist:`2024-6505`
+
+
+Fixes in Yocto-5.0.6
+~~~~~~~~~~~~~~~~~~~~
+
+-  binutils: Add missing perl modules to :term:`RDEPENDS` for nativesdk variant
+-  binutils: stable 2.42 branch update
+-  bitbake: Remove custom exception backtrace formatting
+-  bitbake: fetch2/git: Use quote from shlex, not pipes
+-  bitbake: fetch2: use persist_data context managers
+-  bitbake: fetch/wget: Increase timeout to 100s from 30s
+-  bitbake: persist_data: close connection in SQLTable __exit__
+-  bitbake: runqueue: Fix performance of multiconfigs with large overlap
+-  bitbake: runqueue: Fix scenetask processing performance issue
+-  bitbake: runqueue: Optimise setscene loop processing
+-  build-appliance-image: Update to scarthgap head revision
+-  builder: set :term:`CVE_PRODUCT`
+-  cmake: Fix sporadic issues when determining compiler internals
+-  cml1: do_diffconfig: Don't override .config with .config.orig
+-  contributor-guide: Remove duplicated words
+-  dev-manual: bblock: use warning block instead of attention
+-  dev-manual: document how to provide confs from layer.conf
+-  dnf: drop python3-iniparse from :term:`DEPENDS` and :term:`RDEPENDS`
+-  do_package/sstate/sstatesig: Change timestamp clamping to hash output only
+-  doc: Makefile: add support for xelatex
+-  doc: Makefile: publish pdf and epub versions too
+-  doc: Makefile: remove inkscape, replace by rsvg-convert
+-  doc: add a download page for epub and pdf
+-  doc: conf.py: add a bitbake_git extlink
+-  doc: standards.md: add a section on admonitions
+-  doc: sphinx-static: switchers.js.in: do not refer to URL_ROOT anymore
+-  dropbear: backport fix for concurrent channel open/close
+-  enchant2: fix do_fetch error
+-  expat: upgrade to 2.6.4
+-  gcc: backport patch to fix an issue with tzdata 2024b
+-  ghostscript: upgrade to 10.04.0
+-  glibc: stable 2.39 branch updates
+-  groff: fix rare build race in hdtbl
+-  libgcrypt: Fix building error with '-O2' in sysroot path
+-  libpam: drop cracklib from :term:`DEPENDS`
+-  libxml-parser-perl: fix do_fetch error
+-  llvm: reduce size of -dbg package
+-  lttng-ust: backport patch to fix cmake-multiple-shared-libraries build error
+-  migration-guides: add release notes for 4.0.23 and 5.0.5
+-  ninja: fix build with python 3.13
+-  oeqa/runtime/ssh: Fix incorrect timeout fix
+-  oeqa/runtime/ssh: Rework ssh timeout
+-  oeqa/utils/gitarchive: Return tag name and improve exclude handling
+-  package_rpm: Check if file exists before open()
+-  package_rpm: restrict rpm to 4 threads
+-  package_rpm: use zstd's default compression level
+-  poky.conf: bump version for 5.0.6
+-  pseudo: Fix envp bug and add posix_spawn wrapper
+-  python3-poetry-core: drop python3-six from :term:`RDEPENDS`
+-  python3-requests: upgrade to 2.32.2
+-  python3-urllib3: upgrade to 2.2.2
+-  qemu: upgrade to 8.2.7
+-  qemurunner: Clean up serial_lock handling
+-  ref-manual: classes: fix bin_package description
+-  resulttool: Add --logfile-archive option to store mode
+-  resulttool: Allow store to filter to specific revisions
+-  resulttool: Clean up repoducible build logs
+-  resulttool: Fix passthrough of --all files in store mode
+-  resulttool: Handle ltp rawlogs as well as ptest
+-  resulttool: Improve repo layout for oeselftest results
+-  resulttool: Trim the precision of duration information
+-  resulttool: Use single space indentation in json output
+-  rootfs: Ensure run-postinsts is not uninstalled for read-only-rootfs-delayed-postinsts
+-  rxvt-unicode.inc: disable the terminfo installation by setting TIC to :
+-  sanity: check for working user namespaces
+-  scripts/install-buildtools: Update to 5.0.5
+-  selftest/reproducible: Clean up pathnames
+-  selftest/reproducible: Drop rawlogs
+-  shared-mime-info: drop itstool-native from :term:`DEPENDS`
+-  strace: download release tarballs from GitHub
+-  systemd-boot: drop intltool-native from :term:`DEPENDS`
+-  systemd: drop intltool-native from :term:`DEPENDS`
+-  systemd: upgrade to 255.13
+-  sysvinit: backport patch for fixing one issue of pidof
+-  tcl: skip io-13.6 test case
+-  toolchain-shar-extract.sh: exit when post-relocate-setup.sh fails
+-  tune-cortexa32: set tune feature as armv8a
+-  tzcode-native: upgrade to 2024b
+-  tzdata: upgrade to 2024b
+-  uboot-sign: fix concat_dtb arguments
+-  udev-extraconf: fix network.sh script did not configure hotplugged interfaces
+-  webkitgtk: fix erroneous use of unsuported DEBUG_LEVELFLAG variable
+-  wireless-regdb: upgrade to 2024.10.07
+
+
+Known Issues in Yocto-5.0.6
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-5.0.6
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Thanks to the following people who contributed to this release:
+
+-  Aleksandar Nikolic
+-  Alexander Kanavin
+-  Antonin Godard
+-  Archana Polampalli
+-  Bin Lan
+-  Changqing Li
+-  Chen Qi
+-  Chris Laplante
+-  Clayton Casciato
+-  Deepthi Hemraj
+-  Divya Chellam
+-  Florian Kreutzer
+-  Gassner, Tobias.ext
+-  Guðni Már Gilbert
+-  Harish Sadineni
+-  Hitendra Prajapati
+-  Hongxu Jia
+-  Jagadeesh Krishnanjanappa
+-  Jiaying Song
+-  Jinfeng Wang
+-  Joshua Watt
+-  Lee Chee Yang
+-  Markus Volk
+-  Michael Opdenacker
+-  Pavel Zhukov
+-  Peter Marko
+-  Philip Lorenz
+-  Randy MacLeod
+-  Regis Dargent
+-  Richard Purdie
+-  Robert Yang
+-  Ross Burton
+-  Soumya Sambu
+-  Steve Sakoman
+-  Talel BELHAJSALEM
+-  Trevor Gamblin
+-  Vijay Anusuri
+-  Wang Mingyu
+-  Yogita Urade
+
+
+Repositories / Downloads for Yocto-5.0.6
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`scarthgap </poky/log/?h=scarthgap>`
+-  Tag:  :yocto_git:`yocto-5.0.6 </poky/log/?h=yocto-5.0.6>`
+-  Git Revision: :yocto_git:`2541a8171f91812a4b16e7dc4da0d77d2318a256 </poky/commit/?id=2541a8171f91812a4b16e7dc4da0d77d2318a256>`
+-  Release Artefact: poky-2541a8171f91812a4b16e7dc4da0d77d2318a256
+-  sha: b77157596ae75d163387a08a317397a57ab8fa6cf4725f28e344fae3f69cca4d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.6/poky-2541a8171f91812a4b16e7dc4da0d77d2318a256.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.6/poky-2541a8171f91812a4b16e7dc4da0d77d2318a256.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`scarthgap </openembedded-core/log/?h=scarthgap>`
+-  Tag:  :oe_git:`yocto-5.0.6 </openembedded-core/log/?h=yocto-5.0.6>`
+-  Git Revision: :oe_git:`336eec6808710f260a5336ca8ca98139a80ccb14 </openembedded-core/commit/?id=336eec6808710f260a5336ca8ca98139a80ccb14>`
+-  Release Artefact: oecore-336eec6808710f260a5336ca8ca98139a80ccb14
+-  sha: 38c4fa7e7e88c28361c012dd5baabe373e2ec3c8aba6194146768b146192cceb
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.6/oecore-336eec6808710f260a5336ca8ca98139a80ccb14.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.6/oecore-336eec6808710f260a5336ca8ca98139a80ccb14.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`scarthgap </meta-mingw/log/?h=scarthgap>`
+-  Tag:  :yocto_git:`yocto-5.0.6 </meta-mingw/log/?h=yocto-5.0.6>`
+-  Git Revision: :yocto_git:`acbba477893ef87388effc4679b7f40ee49fc852 </meta-mingw/commit/?id=acbba477893ef87388effc4679b7f40ee49fc852>`
+-  Release Artefact: meta-mingw-acbba477893ef87388effc4679b7f40ee49fc852
+-  sha: 3b7c2f475dad5130bace652b150367f587d44b391218b1364a8bbc430b48c54c
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.6/meta-mingw-acbba477893ef87388effc4679b7f40ee49fc852.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.6/meta-mingw-acbba477893ef87388effc4679b7f40ee49fc852.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.8 </bitbake/log/?h=2.8>`
+-  Tag:  :oe_git:`yocto-5.0.6 </bitbake/log/?h=yocto-5.0.6>`
+-  Git Revision: :oe_git:`f40a3a477d5241b697bf2fb030dd804c1ff5839f </bitbake/commit/?id=f40a3a477d5241b697bf2fb030dd804c1ff5839f>`
+-  Release Artefact: bitbake-f40a3a477d5241b697bf2fb030dd804c1ff5839f
+-  sha: dbfc056c7408a5547f624799621ab1261a05685112e0922a88007723b1edbc87
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.6/bitbake-f40a3a477d5241b697bf2fb030dd804c1ff5839f.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.6/bitbake-f40a3a477d5241b697bf2fb030dd804c1ff5839f.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`scarthgap </yocto-docs/log/?h=scarthgap>`
+-  Tag: :yocto_git:`yocto-5.0.6 </yocto-docs/log/?h=yocto-5.0.6>`
+-  Git Revision: :yocto_git:`TBD </yocto-docs/commit/?id=TBD>`
+
--- a/documentation/migration-guides/release-notes-5.0.7.rst
+++ b/documentation/migration-guides/release-notes-5.0.7.rst
@@ -0,0 +1,331 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Release notes for Yocto-5.0.7 (Scarthgap)
+-----------------------------------------
+
+Security Fixes in Yocto-5.0.7
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  avahi: Fix :cve_nist:`2024-52616`
+-  binutils: Fix :cve_nist:`2024-53589`
+-  ffmpeg: Fix :cve_nist:`2024-35366`, :cve_nist:`2024-35367` and :cve_nist:`2024-35368`
+-  gstreamer1.0-plugins-base: Fix :cve_nist:`2024-47538`, :cve_nist:`2024-47541`,
+   :cve_nist:`2024-47542`, :cve_nist:`2024-47600`, :cve_nist:`2024-47607`, :cve_nist:`2024-47615`
+   and :cve_nist:`2024-47835`
+-  gstreamer1.0-plugins-good: Fix :cve_nist:`2024-47537`, :cve_nist:`2024-47539`,
+   :cve_nist:`2024-47540`, :cve_nist:`2024-47543`, :cve_nist:`2024-47544`, :cve_nist:`2024-47545`,
+   :cve_nist:`2024-47546`, :cve_nist:`2024-47596`, :cve_nist:`2024-47597`, :cve_nist:`2024-47598`,
+   :cve_nist:`2024-47599`, :cve_nist:`2024-47601`, :cve_nist:`2024-47602`, :cve_nist:`2024-47603`,
+   :cve_nist:`2024-47606`, :cve_nist:`2024-47613`, :cve_nist:`2024-47774`, :cve_nist:`2024-47775`,
+   :cve_nist:`2024-47776`, :cve_nist:`2024-47777`, :cve_nist:`2024-47778` and :cve_nist:`2024-47834`
+-  gstreamer1.0: Ignore :cve_nist:`2024-47537`, :cve_nist:`2024-47539`, :cve_nist:`2024-47540`,
+   :cve_nist:`2024-47543`, :cve_nist:`2024-47544`, :cve_nist:`2024-47545`, :cve_nist:`2024-47538`,
+   :cve_nist:`2024-47541`, :cve_nist:`2024-47542`, :cve_nist:`2024-47600`, :cve_nist:`2024-47607`,
+   :cve_nist:`2024-47615`, :cve_nist:`2024-47835`, :cve_nist:`2024-47546`, :cve_nist:`2024-47596`,
+   :cve_nist:`2024-47597`, :cve_nist:`2024-47598`, :cve_nist:`2024-47599`, :cve_nist:`2024-47601`,
+   :cve_nist:`2024-47602`, :cve_nist:`2024-47603`, :cve_nist:`2024-47613`, :cve_nist:`2024-47774`,
+   :cve_nist:`2024-47775`, :cve_nist:`2024-47776`, :cve_nist:`2024-47777`, :cve_nist:`2024-47778`
+   and :cve_nist:`2024-47834`
+-  libarchive: Fix :cve_nist:`2024-20696`
+-  libxml2: Fix :cve_nist:`2024-40896`
+-  linux-yocto/6.6: Fix :cve_nist:`2024-27059`, :cve_nist:`2024-43098`, :cve_nist:`2024-45828`,
+   :cve_nist:`2024-47141`, :cve_nist:`2024-47143`, :cve_nist:`2024-47704`, :cve_nist:`2024-47809`,
+   :cve_nist:`2024-48873`, :cve_nist:`2024-48875`, :cve_nist:`2024-48881`, :cve_nist:`2024-49863`,
+   :cve_nist:`2024-49864`, :cve_nist:`2024-49866`, :cve_nist:`2024-49867`, :cve_nist:`2024-49868`,
+   :cve_nist:`2024-49870`, :cve_nist:`2024-49871`, :cve_nist:`2024-49874`, :cve_nist:`2024-49875`,
+   :cve_nist:`2024-49877`, :cve_nist:`2024-49878`, :cve_nist:`2024-49879`, :cve_nist:`2024-49881`,
+   :cve_nist:`2024-49882`, :cve_nist:`2024-49883`, :cve_nist:`2024-49884`, :cve_nist:`2024-49886`,
+   :cve_nist:`2024-49889`, :cve_nist:`2024-49890`, :cve_nist:`2024-49892`, :cve_nist:`2024-49894`,
+   :cve_nist:`2024-49895`, :cve_nist:`2024-49896`, :cve_nist:`2024-49900`, :cve_nist:`2024-49901`,
+   :cve_nist:`2024-49902`, :cve_nist:`2024-49903`, :cve_nist:`2024-49905`, :cve_nist:`2024-49907`,
+   :cve_nist:`2024-49912`, :cve_nist:`2024-49913`, :cve_nist:`2024-49924`, :cve_nist:`2024-49925`,
+   :cve_nist:`2024-49927`, :cve_nist:`2024-49929`, :cve_nist:`2024-49930`, :cve_nist:`2024-49931`,
+   :cve_nist:`2024-49933`, :cve_nist:`2024-49935`, :cve_nist:`2024-49936`, :cve_nist:`2024-49937`,
+   :cve_nist:`2024-49938`, :cve_nist:`2024-49939`, :cve_nist:`2024-49944`, :cve_nist:`2024-49946`,
+   :cve_nist:`2024-49947`, :cve_nist:`2024-49948`, :cve_nist:`2024-49949`, :cve_nist:`2024-49950`,
+   :cve_nist:`2024-49951`, :cve_nist:`2024-49952`, :cve_nist:`2024-49953`, :cve_nist:`2024-49954`,
+   :cve_nist:`2024-49955`, :cve_nist:`2024-49957`, :cve_nist:`2024-49958`, :cve_nist:`2024-49959`,
+   :cve_nist:`2024-49960`, :cve_nist:`2024-49961`, :cve_nist:`2024-49962`, :cve_nist:`2024-49963`,
+   :cve_nist:`2024-49965`, :cve_nist:`2024-49966`, :cve_nist:`2024-49969`, :cve_nist:`2024-49973`,
+   :cve_nist:`2024-49975`, :cve_nist:`2024-49976`, :cve_nist:`2024-49977`, :cve_nist:`2024-49978`,
+   :cve_nist:`2024-49980`, :cve_nist:`2024-49981`, :cve_nist:`2024-49982`, :cve_nist:`2024-49983`,
+   :cve_nist:`2024-49985`, :cve_nist:`2024-49986`, :cve_nist:`2024-49987`, :cve_nist:`2024-49988`,
+   :cve_nist:`2024-49989`, :cve_nist:`2024-49991`, :cve_nist:`2024-49992`, :cve_nist:`2024-49995`,
+   :cve_nist:`2024-49996`, :cve_nist:`2024-49997`, :cve_nist:`2024-50000`, :cve_nist:`2024-50001`,
+   :cve_nist:`2024-50002`, :cve_nist:`2024-50003`, :cve_nist:`2024-50005`, :cve_nist:`2024-50006`,
+   :cve_nist:`2024-50007`, :cve_nist:`2024-50008`, :cve_nist:`2024-50012`, :cve_nist:`2024-50013`,
+   :cve_nist:`2024-50015`, :cve_nist:`2024-50016`, :cve_nist:`2024-50019`, :cve_nist:`2024-50022`,
+   :cve_nist:`2024-50023`, :cve_nist:`2024-50024`, :cve_nist:`2024-50026`, :cve_nist:`2024-50029`,
+   :cve_nist:`2024-50031`, :cve_nist:`2024-50032`, :cve_nist:`2024-50033`, :cve_nist:`2024-50035`,
+   :cve_nist:`2024-50036`, :cve_nist:`2024-50038`, :cve_nist:`2024-50039`, :cve_nist:`2024-50040`,
+   :cve_nist:`2024-50041`, :cve_nist:`2024-50044`, :cve_nist:`2024-50045`, :cve_nist:`2024-50046`,
+   :cve_nist:`2024-50047`, :cve_nist:`2024-50048`, :cve_nist:`2024-50049`, :cve_nist:`2024-50051`,
+   :cve_nist:`2024-50055`, :cve_nist:`2024-50057`, :cve_nist:`2024-50058`, :cve_nist:`2024-50059`,
+   :cve_nist:`2024-50060`, :cve_nist:`2024-50061`, :cve_nist:`2024-50062`, :cve_nist:`2024-50063`,
+   :cve_nist:`2024-50064`, :cve_nist:`2024-50065`, :cve_nist:`2024-50066`, :cve_nist:`2024-50069`,
+   :cve_nist:`2024-50070`, :cve_nist:`2024-50072`, :cve_nist:`2024-50073`, :cve_nist:`2024-50074`,
+   :cve_nist:`2024-50075`, :cve_nist:`2024-50076`, :cve_nist:`2024-50077`, :cve_nist:`2024-50078`,
+   :cve_nist:`2024-50080`, :cve_nist:`2024-50082`, :cve_nist:`2024-50083`, :cve_nist:`2024-50084`,
+   :cve_nist:`2024-50085`, :cve_nist:`2024-50086`, :cve_nist:`2024-50087`, :cve_nist:`2024-50088`,
+   :cve_nist:`2024-50093`, :cve_nist:`2024-50095`, :cve_nist:`2024-50096`, :cve_nist:`2024-50098`,
+   :cve_nist:`2024-50099`, :cve_nist:`2024-50101`, :cve_nist:`2024-50103`, :cve_nist:`2024-50108`,
+   :cve_nist:`2024-50110`, :cve_nist:`2024-50111`, :cve_nist:`2024-50112`, :cve_nist:`2024-50115`,
+   :cve_nist:`2024-50116`, :cve_nist:`2024-50117`, :cve_nist:`2024-50120`, :cve_nist:`2024-50121`,
+   :cve_nist:`2024-50124`, :cve_nist:`2024-50125`, :cve_nist:`2024-50126`, :cve_nist:`2024-50127`,
+   :cve_nist:`2024-50128`, :cve_nist:`2024-50130`, :cve_nist:`2024-50131`, :cve_nist:`2024-50133`,
+   :cve_nist:`2024-50134`, :cve_nist:`2024-50135`, :cve_nist:`2024-50136`, :cve_nist:`2024-50139`,
+   :cve_nist:`2024-50140`, :cve_nist:`2024-50141`, :cve_nist:`2024-50142`, :cve_nist:`2024-50143`,
+   :cve_nist:`2024-50145`, :cve_nist:`2024-50147`, :cve_nist:`2024-50148`, :cve_nist:`2024-50150`,
+   :cve_nist:`2024-50151`, :cve_nist:`2024-50152`, :cve_nist:`2024-50153`, :cve_nist:`2024-50154`,
+   :cve_nist:`2024-50155`, :cve_nist:`2024-50156`, :cve_nist:`2024-50158`, :cve_nist:`2024-50159`,
+   :cve_nist:`2024-50160`, :cve_nist:`2024-50162`, :cve_nist:`2024-50163`, :cve_nist:`2024-50164`,
+   :cve_nist:`2024-50166`, :cve_nist:`2024-50167`, :cve_nist:`2024-50168`, :cve_nist:`2024-50169`,
+   :cve_nist:`2024-50170`, :cve_nist:`2024-50171`, :cve_nist:`2024-50172`, :cve_nist:`2024-50175`,
+   :cve_nist:`2024-50176`, :cve_nist:`2024-50179`, :cve_nist:`2024-50180`, :cve_nist:`2024-50181`,
+   :cve_nist:`2024-50182`, :cve_nist:`2024-50183`, :cve_nist:`2024-50184`, :cve_nist:`2024-50185`,
+   :cve_nist:`2024-50186`, :cve_nist:`2024-50187`, :cve_nist:`2024-50188`, :cve_nist:`2024-50189`,
+   :cve_nist:`2024-50191`, :cve_nist:`2024-50192`, :cve_nist:`2024-50193`, :cve_nist:`2024-50194`,
+   :cve_nist:`2024-50195`, :cve_nist:`2024-50196`, :cve_nist:`2024-50198`, :cve_nist:`2024-50201`,
+   :cve_nist:`2024-50202`, :cve_nist:`2024-50205`, :cve_nist:`2024-50208`, :cve_nist:`2024-50209`,
+   :cve_nist:`2024-50211`, :cve_nist:`2024-50215`, :cve_nist:`2024-50222`, :cve_nist:`2024-50223`,
+   :cve_nist:`2024-50224`, :cve_nist:`2024-50226`, :cve_nist:`2024-50229`, :cve_nist:`2024-50230`,
+   :cve_nist:`2024-50231`, :cve_nist:`2024-50232`, :cve_nist:`2024-50233`, :cve_nist:`2024-50234`,
+   :cve_nist:`2024-50235`, :cve_nist:`2024-50236`, :cve_nist:`2024-50237`, :cve_nist:`2024-50239`,
+   :cve_nist:`2024-50240`, :cve_nist:`2024-50242`, :cve_nist:`2024-50243`, :cve_nist:`2024-50244`,
+   :cve_nist:`2024-50245`, :cve_nist:`2024-50246`, :cve_nist:`2024-50247`, :cve_nist:`2024-50248`,
+   :cve_nist:`2024-50249`, :cve_nist:`2024-50250`, :cve_nist:`2024-50251`, :cve_nist:`2024-50252`,
+   :cve_nist:`2024-50255`, :cve_nist:`2024-50256`, :cve_nist:`2024-50257`, :cve_nist:`2024-50258`,
+   :cve_nist:`2024-50259`, :cve_nist:`2024-50261`, :cve_nist:`2024-50262`, :cve_nist:`2024-50264`,
+   :cve_nist:`2024-50265`, :cve_nist:`2024-50267`, :cve_nist:`2024-50268`, :cve_nist:`2024-50269`,
+   :cve_nist:`2024-50271`, :cve_nist:`2024-50272`, :cve_nist:`2024-50273`, :cve_nist:`2024-50275`,
+   :cve_nist:`2024-50276`, :cve_nist:`2024-50278`, :cve_nist:`2024-50279`, :cve_nist:`2024-50282`,
+   :cve_nist:`2024-50283`, :cve_nist:`2024-50284`, :cve_nist:`2024-50285`, :cve_nist:`2024-50286`,
+   :cve_nist:`2024-50287`, :cve_nist:`2024-50292`, :cve_nist:`2024-50296`, :cve_nist:`2024-50298`,
+   :cve_nist:`2024-50299`, :cve_nist:`2024-50300`, :cve_nist:`2024-50301`, :cve_nist:`2024-50302`,
+   :cve_nist:`2024-53042`, :cve_nist:`2024-53043`, :cve_nist:`2024-53046`, :cve_nist:`2024-53047`,
+   :cve_nist:`2024-53052`, :cve_nist:`2024-53055`, :cve_nist:`2024-53057`, :cve_nist:`2024-53058`,
+   :cve_nist:`2024-53059`, :cve_nist:`2024-53060`, :cve_nist:`2024-53061`, :cve_nist:`2024-53063`,
+   :cve_nist:`2024-53066`, :cve_nist:`2024-53068`, :cve_nist:`2024-53072`, :cve_nist:`2024-53076`,
+   :cve_nist:`2024-53079`, :cve_nist:`2024-53081`, :cve_nist:`2024-53082`, :cve_nist:`2024-53083`,
+   :cve_nist:`2024-53088`, :cve_nist:`2024-53091`, :cve_nist:`2024-53093`, :cve_nist:`2024-53094`,
+   :cve_nist:`2024-53096`, :cve_nist:`2024-53099`, :cve_nist:`2024-53100`, :cve_nist:`2024-53101`,
+   :cve_nist:`2024-53103`, :cve_nist:`2024-53108`, :cve_nist:`2024-53109`, :cve_nist:`2024-53110`,
+   :cve_nist:`2024-53112`, :cve_nist:`2024-53113`, :cve_nist:`2024-53119`, :cve_nist:`2024-53120`,
+   :cve_nist:`2024-53121`, :cve_nist:`2024-53122`, :cve_nist:`2024-53123`, :cve_nist:`2024-53126`,
+   :cve_nist:`2024-53127`, :cve_nist:`2024-53129`, :cve_nist:`2024-53130`, :cve_nist:`2024-53131`,
+   :cve_nist:`2024-53134`, :cve_nist:`2024-53135`, :cve_nist:`2024-53138`, :cve_nist:`2024-53139`,
+   :cve_nist:`2024-53140`, :cve_nist:`2024-53141`, :cve_nist:`2024-53142`, :cve_nist:`2024-53145`,
+   :cve_nist:`2024-53146`, :cve_nist:`2024-53150`, :cve_nist:`2024-53151`, :cve_nist:`2024-53154`,
+   :cve_nist:`2024-53155`, :cve_nist:`2024-53156`, :cve_nist:`2024-53157`, :cve_nist:`2024-53161`,
+   :cve_nist:`2024-53165`, :cve_nist:`2024-53166`, :cve_nist:`2024-53168`, :cve_nist:`2024-53171`,
+   :cve_nist:`2024-53173`, :cve_nist:`2024-53175`, :cve_nist:`2024-53180`, :cve_nist:`2024-53188`,
+   :cve_nist:`2024-53191`, :cve_nist:`2024-53200`, :cve_nist:`2024-53202`, :cve_nist:`2024-53208`,
+   :cve_nist:`2024-53210`, :cve_nist:`2024-53213`, :cve_nist:`2024-53215`, :cve_nist:`2024-53217`,
+   :cve_nist:`2024-53224`, :cve_nist:`2024-53226`, :cve_nist:`2024-53227`, :cve_nist:`2024-53230`,
+   :cve_nist:`2024-53231`, :cve_nist:`2024-53237`, :cve_nist:`2024-53239`, :cve_nist:`2024-54683`,
+   :cve_nist:`2024-55916`, :cve_nist:`2024-56369`, :cve_nist:`2024-56538`, :cve_nist:`2024-56551`,
+   :cve_nist:`2024-56567`, :cve_nist:`2024-56568`, :cve_nist:`2024-56569`, :cve_nist:`2024-56572`,
+   :cve_nist:`2024-56574`, :cve_nist:`2024-56575`, :cve_nist:`2024-56577`, :cve_nist:`2024-56578`,
+   :cve_nist:`2024-56579`, :cve_nist:`2024-56581`, :cve_nist:`2024-56587`, :cve_nist:`2024-56593`,
+   :cve_nist:`2024-56595`, :cve_nist:`2024-56596`, :cve_nist:`2024-56598`, :cve_nist:`2024-56600`,
+   :cve_nist:`2024-56601`, :cve_nist:`2024-56602`, :cve_nist:`2024-56603`, :cve_nist:`2024-56604`,
+   :cve_nist:`2024-56605`, :cve_nist:`2024-56606`, :cve_nist:`2024-56611`, :cve_nist:`2024-56613`,
+   :cve_nist:`2024-56614`, :cve_nist:`2024-56615`, :cve_nist:`2024-56617`, :cve_nist:`2024-56622`,
+   :cve_nist:`2024-56623`, :cve_nist:`2024-56626`, :cve_nist:`2024-56627`, :cve_nist:`2024-56629`,
+   :cve_nist:`2024-56631`, :cve_nist:`2024-56634`, :cve_nist:`2024-56635`, :cve_nist:`2024-56640`,
+   :cve_nist:`2024-56642`, :cve_nist:`2024-56643`, :cve_nist:`2024-56648`, :cve_nist:`2024-56649`,
+   :cve_nist:`2024-56650`, :cve_nist:`2024-56651`, :cve_nist:`2024-56653`, :cve_nist:`2024-56654`,
+   :cve_nist:`2024-56657`, :cve_nist:`2024-56658`, :cve_nist:`2024-56659`, :cve_nist:`2024-56660`,
+   :cve_nist:`2024-56662`, :cve_nist:`2024-56663`, :cve_nist:`2024-56664`, :cve_nist:`2024-56667`,
+   :cve_nist:`2024-56670`, :cve_nist:`2024-56672`, :cve_nist:`2024-56675`, :cve_nist:`2024-56687`,
+   :cve_nist:`2024-56688`, :cve_nist:`2024-56689`, :cve_nist:`2024-56692`, :cve_nist:`2024-56694`,
+   :cve_nist:`2024-56698`, :cve_nist:`2024-56704`, :cve_nist:`2024-56708`, :cve_nist:`2024-56710`,
+   :cve_nist:`2024-56715`, :cve_nist:`2024-56716`, :cve_nist:`2024-56717`, :cve_nist:`2024-56718`,
+   :cve_nist:`2024-56720`, :cve_nist:`2024-56722`, :cve_nist:`2024-56723`, :cve_nist:`2024-56724`,
+   :cve_nist:`2024-56725`, :cve_nist:`2024-56726`, :cve_nist:`2024-56727`, :cve_nist:`2024-56728`,
+   :cve_nist:`2024-56729`, :cve_nist:`2024-56739`, :cve_nist:`2024-56741`, :cve_nist:`2024-56744`,
+   :cve_nist:`2024-56745`, :cve_nist:`2024-56746`, :cve_nist:`2024-56747`, :cve_nist:`2024-56748`,
+   :cve_nist:`2024-56751`, :cve_nist:`2024-56752`, :cve_nist:`2024-56754`, :cve_nist:`2024-56755`,
+   :cve_nist:`2024-56756`, :cve_nist:`2024-56760`, :cve_nist:`2024-56763`, :cve_nist:`2024-56765`,
+   :cve_nist:`2024-56767`, :cve_nist:`2024-56769`, :cve_nist:`2024-56770`, :cve_nist:`2024-56774`,
+   :cve_nist:`2024-56776`, :cve_nist:`2024-56777`, :cve_nist:`2024-56778`, :cve_nist:`2024-56779`,
+   :cve_nist:`2024-56780`, :cve_nist:`2024-56781`, :cve_nist:`2024-56783`, :cve_nist:`2024-56785`,
+   :cve_nist:`2024-56786`, :cve_nist:`2024-56787`, :cve_nist:`2024-57798`, :cve_nist:`2024-57807`
+   and :cve_nist:`2024-57874`
+-  ofono: Fix :cve_nist:`2023-4232`, :cve_nist:`2023-4235`, :cve_nist:`2024-7539`,
+   :cve_nist:`2024-7540`, :cve_nist:`2024-7541`, :cve_nist:`2024-7542`, :cve_nist:`2024-7543`,
+   :cve_nist:`2024-7544`, :cve_nist:`2024-7545`, :cve_nist:`2024-7546` and :cve_nist:`2024-7547`
+-  rsync: Fix :cve_nist:`2024-12084`, :cve_nist:`2024-12085`, :cve_nist:`2024-12086`,
+   :cve_nist:`2024-12087`, :cve_nist:`2024-12088` and :cve_nist:`2024-12747`
+-  socat: Fix :cve_nist:`2024-54661`
+-  subversion: Fix :cve_nist:`2024-46901`
+-  wget: Fix :cve_nist:`2024-10524`
+
+
+Fixes in Yocto-5.0.7
+~~~~~~~~~~~~~~~~~~~~
+
+-  bitbake: cooker: Make cooker 'skiplist' per-multiconfig/mc
+-  bitbake: tests/fetch: Fix git shallow test failure with git >= 2.48
+-  bitbake: ui/knotty: print log paths for failed tasks in summary
+-  bitbake: ui/knotty: respect NO_COLOR & check for tty; rename print_hyperlink => format_hyperlink
+-  bluez5: Revert "bluez5: remove configuration files from install task"
+-  bluez5: backport patch to fix address type when loading keys
+-  boost: fix do_fetch error
+-  build-appliance-image: Update to scarthgap head revision
+-  classes/nativesdk: also override :term:`TUNE_PKGARCH`
+-  classes/qemu: use tune to select QEMU_EXTRAOPTIONS, not package architecture
+-  contributor-guide/submit-changes.rst: suggest to remove the git signature
+-  cve-update-nvd2-native: Handle :term:`BB_NO_NETWORK` and missing db
+-  cve-update-nvd2-native: Tweak to work better with NFS :term:`DL_DIR`
+-  dev-manual/bmaptool.rst: correct command for bmaptool-native
+-  dev-manual/bmaptool.rst: simplify and fix instructions
+-  dev-manual: fix styling of references to bmaptool
+-  docs: Gather dependencies in poky.yaml.in
+-  docs: Update autobuilder URLs to valkyrie
+-  docs: Update the documentation for :term:`SRCPV`
+-  gcc: Fix c++: tweak for Wrange-loop-construct
+-  groff: Fix race issues for parallel build
+-  libgfortran: fix buildpath QA issue
+-  libxml2: Upgrade to 2.12.9
+-  linux-yocto/6.6: bsp/genericarm64: disable ARM64_SME
+-  linux-yocto/6.6: genericarm64.cfg: enable CONFIG_DMA_CMA
+-  linux-yocto/6.6: update to v6.6.69
+-  lttng-modules: fix sched_stat_runtime changed in Linux 6.6.66
+-  migration-guides: add release notes for 5.0.6
+-  oeqa/ssh: allow to retrieve raw, unformatted ouput
+-  ovmf-native: remove .pyc files from install
+-  poky.conf: add new tested distros
+-  poky.conf: bump version for 5.0.7
+-  poky.yaml.in: add missing locales dependency
+-  poky.yaml.in: replace inkscape dependency by librsvg2-bin
+-  populate_sdk_ext: write_local_conf add shutil import
+-  pulseaudio: fix webrtc audio depdency
+-  python3-requests: upgrade to 2.32.3
+-  python3: Drop empty patch
+-  python3: add dependency on -compression to -core
+-  python3: upgrade to 3.12.7
+-  ref-manual: move runtime-testing section to the test-manual
+-  ref-manual: use standardized method accross both ubuntu and debian for locale install
+-  ref-manual: SSTATE_MIRRORS/SOURCE_MIRROR_URL: add instructions for mirror authentication
+-  reproducible-builds.rst: show how to build a single package
+-  rust-target-config: Fix TARGET_C_INT_WIDTH with correct size
+-  rust: Revert "rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS"
+-  rust: add reproducibility patch to eliminate host leakage
+-  rust: build the default set of tools
+-  rust: correctly link rust-snapshot into build/stage0
+-  rust: use rust-snapshot binaries only in rust-native
+-  sanity.bbclass: skip check_userns for non-local uid
+-  scripts/install-buildtools: Update to 5.0.6
+-  system-requirements.rst: add dependencies for pdf builds
+-  system-requirements: add fedora 39 to supported distros
+-  system-requirements: update list of supported distros
+-  systemd: enable create-log-dirs
+-  test-manual/reproducible-builds: fix reproducible links
+
+
+Known Issues in Yocto-5.0.7
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+Contributors to Yocto-5.0.7
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Thanks to the following people who contributed to this release:
+
+-  Aleksandar Nikolic
+-  Alexander Kanavin
+-  Alexis Lothoré
+-  Antonin Godard
+-  Archana Polampalli
+-  Bruce Ashfield
+-  Catalin Popescu
+-  Changqing Li
+-  Chen Qi
+-  Chris Laplante
+-  Divya Chellam
+-  Esben Haabendal
+-  Guénaël Muller
+-  Guðni Már Gilbert
+-  Harish Sadineni
+-  Hiago De Franco
+-  Hitendra Prajapati
+-  Jiaying Song
+-  Khem Raj
+-  Lee Chee Yang
+-  Mark Hatle
+-  Michael Opdenacker
+-  Mikko Rapeli
+-  Peter Marko
+-  Richard Purdie
+-  Robert Yang
+-  Ross Burton
+-  Soumya Sambu
+-  Steve Sakoman
+-  Sunil Dora
+-  Trevor Gamblin
+-  Xiangyu Chen
+-  Yash Shinde
+-  Zhang Peng
+-  Zahir Hussain
+
+
+Repositories / Downloads for Yocto-5.0.7
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`scarthgap </poky/log/?h=scarthgap>`
+-  Tag:  :yocto_git:`yocto-5.0.7 </poky/log/?h=yocto-5.0.7>`
+-  Git Revision: :yocto_git:`7dad83c7e5e9637c0ff5d5712409611fd4a14946 </poky/commit/?id=7dad83c7e5e9637c0ff5d5712409611fd4a14946>`
+-  Release Artefact: poky-7dad83c7e5e9637c0ff5d5712409611fd4a14946
+-  sha: ae688031b19b88582bb4a76d0525e3704b981ad1d21eb38a0873cd01dd9a4652
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.7/poky-7dad83c7e5e9637c0ff5d5712409611fd4a14946.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.7/poky-7dad83c7e5e9637c0ff5d5712409611fd4a14946.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`scarthgap </openembedded-core/log/?h=scarthgap>`
+-  Tag:  :oe_git:`yocto-5.0.7 </openembedded-core/log/?h=yocto-5.0.7>`
+-  Git Revision: :oe_git:`62cb12967391db709315820d48853ffa4c6b4740 </openembedded-core/commit/?id=62cb12967391db709315820d48853ffa4c6b4740>`
+-  Release Artefact: oecore-62cb12967391db709315820d48853ffa4c6b4740
+-  sha: bc45429df1805445b678f1b0ed6ce017edfac38c7226dce92ce393b3ef311f95
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.7/oecore-62cb12967391db709315820d48853ffa4c6b4740.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.7/oecore-62cb12967391db709315820d48853ffa4c6b4740.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`scarthgap </meta-mingw/log/?h=scarthgap>`
+-  Tag:  :yocto_git:`yocto-5.0.7 </meta-mingw/log/?h=yocto-5.0.7>`
+-  Git Revision: :yocto_git:`acbba477893ef87388effc4679b7f40ee49fc852 </meta-mingw/commit/?id=acbba477893ef87388effc4679b7f40ee49fc852>`
+-  Release Artefact: meta-mingw-acbba477893ef87388effc4679b7f40ee49fc852
+-  sha: 3b7c2f475dad5130bace652b150367f587d44b391218b1364a8bbc430b48c54c
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.7/meta-mingw-acbba477893ef87388effc4679b7f40ee49fc852.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.7/meta-mingw-acbba477893ef87388effc4679b7f40ee49fc852.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.8 </bitbake/log/?h=2.8>`
+-  Tag:  :oe_git:`yocto-5.0.7 </bitbake/log/?h=yocto-5.0.7>`
+-  Git Revision: :oe_git:`aa0e540fc31a1c26839efd2c7785a751ce24ebfb </bitbake/commit/?id=aa0e540fc31a1c26839efd2c7785a751ce24ebfb>`
+-  Release Artefact: bitbake-aa0e540fc31a1c26839efd2c7785a751ce24ebfb
+-  sha: 169b68ed7d5e55015b1c35a82d35efaa25c87cba4722c85e66514a15d31e1d28
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.7/bitbake-aa0e540fc31a1c26839efd2c7785a751ce24ebfb.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.7/bitbake-aa0e540fc31a1c26839efd2c7785a751ce24ebfb.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`scarthgap </yocto-docs/log/?h=scarthgap>`
+-  Tag: :yocto_git:`yocto-5.0.7 </yocto-docs/log/?h=yocto-5.0.7>`
+-  Git Revision: :yocto_git:`bb9e018adcc10c642f87d0b95432783b5eb8057b </yocto-docs/commit/?id=bb9e018adcc10c642f87d0b95432783b5eb8057b>`
+
--- a/documentation/migration-guides/release-notes-5.0.8.rst
+++ b/documentation/migration-guides/release-notes-5.0.8.rst
@@ -0,0 +1,226 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Release notes for Yocto-5.0.8 (Scarthgap)
+-----------------------------------------
+
+Security Fixes in Yocto-5.0.8
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  binutils: Fix :cve_nist:`2025-0840`
+-  curl: Ignore :cve_nist:`2025-0725`
+-  elfutils: Fix :cve_nist:`2025-1352`, :cve_nist:`2025-1365` and :cve_nist:`2025-1372`
+-  ffmpeg: Fix :cve_nist:`2024-35365`, :cve_nist:`2024-35369`, :cve_nist:`2024-36613`,
+   :cve_nist:`2024-36616`, :cve_nist:`2024-36617`, :cve_nist:`2024-36618`, :cve_nist:`2024-36619`,
+   :cve_nist:`2025-0518`, :cve_nist:`2025-22919`, :cve_nist:`2025-22921` and :cve_nist:`2025-25473`
+-  glibc: Fix :cve_nist:`2025-0395`
+-  gnutls: Fix :cve_nist:`2024-12243`
+-  go: Fix :cve_nist:`2024-45336`, :cve_nist:`2024-45341` and :cve_nist:`2025-22866`
+-  gstreamer1.0-rtsp-server: Fix :cve_nist:`2024-44331`
+-  libcap: Fix :cve_nist:`2025-1390`
+-  libtasn1: Fix :cve_nist:`2024-12133`
+-  libxml2: Fix :cve_nist:`2024-56171` and :cve_nist:`2025-24928`
+-  linux-yocto/6.6: Fix :cve_nist:`2024-36476`, :cve_nist:`2024-53179`, :cve_nist:`2024-56582`,
+   :cve_nist:`2024-56703`, :cve_nist:`2024-57801`, :cve_nist:`2024-57802`, :cve_nist:`2024-57841`,
+   :cve_nist:`2024-57882`, :cve_nist:`2024-57887`, :cve_nist:`2024-57890`, :cve_nist:`2024-57892`,
+   :cve_nist:`2024-57895`, :cve_nist:`2024-57896`, :cve_nist:`2024-57900`, :cve_nist:`2024-57901`,
+   :cve_nist:`2024-57902`, :cve_nist:`2024-57906`, :cve_nist:`2024-57907`, :cve_nist:`2024-57908`,
+   :cve_nist:`2024-57910`, :cve_nist:`2024-57911`, :cve_nist:`2024-57912`, :cve_nist:`2024-57913`,
+   :cve_nist:`2024-57916`, :cve_nist:`2024-57922`, :cve_nist:`2024-57925`, :cve_nist:`2024-57926`,
+   :cve_nist:`2024-57933`, :cve_nist:`2024-57938`, :cve_nist:`2024-57939`, :cve_nist:`2024-57940`,
+   :cve_nist:`2024-57949`, :cve_nist:`2024-57951`, :cve_nist:`2025-21631`, :cve_nist:`2025-21636`,
+   :cve_nist:`2025-21637`, :cve_nist:`2025-21638`, :cve_nist:`2025-21639`, :cve_nist:`2025-21640`,
+   :cve_nist:`2025-21642`, :cve_nist:`2025-21652`, :cve_nist:`2025-21658`, :cve_nist:`2025-21665`,
+   :cve_nist:`2025-21666`, :cve_nist:`2025-21667`, :cve_nist:`2025-21669`, :cve_nist:`2025-21670`,
+   :cve_nist:`2025-21671`, :cve_nist:`2025-21673`, :cve_nist:`2025-21674`, :cve_nist:`2025-21675`,
+   :cve_nist:`2025-21676`, :cve_nist:`2025-21680`, :cve_nist:`2025-21681`, :cve_nist:`2025-21683`,
+   :cve_nist:`2025-21684`, :cve_nist:`2025-21687`, :cve_nist:`2025-21689`, :cve_nist:`2025-21690`,
+   :cve_nist:`2025-21692`, :cve_nist:`2025-21694`, :cve_nist:`2025-21697` and :cve_nist:`2025-21699`
+-  openssh: Fix :cve_nist:`2025-26466`
+-  openssl: Fix :cve_nist:`2024-9143`, :cve_nist:`2024-12797` and :cve_nist:`2024-13176`
+-  pyhton3: Fix :cve_nist:`2024-12254` and :cve_nist:`2025-0938`
+-  subversion: Ignore :cve_nist:`2024-45720`
+-  u-boot: Fix :cve_nist:`2024-57254`, :cve_nist:`2024-57255`, :cve_nist:`2024-57256`,
+   :cve_nist:`2024-57257`, :cve_nist:`2024-57258` and :cve_nist:`2024-57259`
+-  vim: Fix :cve_nist:`2025-22134` and :cve_nist:`2025-24014`
+-  xwayland: Fix :cve_nist:`2024-9632`, :cve_nist:`2025-26594`, :cve_nist:`2025-26595`,
+   :cve_nist:`2025-26596`, :cve_nist:`2025-26597`, :cve_nist:`2025-26598`, :cve_nist:`2025-26599`,
+   :cve_nist:`2025-26600` and :cve_nist:`2025-26601`
+
+
+Fixes in Yocto-5.0.8
+~~~~~~~~~~~~~~~~~~~~
+
+-  base-files: Drop /bin/sh dependency
+-  bind: upgrade to 9.18.33
+-  binutils: File name too long causing failure to open temporary head file in dlltool
+-  binutils: stable 2.42 branch update
+-  bitbake: bblayers/query: Fix using "removeprefix" string method
+-  bitbake: bitbake-diffsigs: fix handling when finding only a single sigfile
+-  bitbake: data_smart.py: clear expand_cache in _setvar_update_overridevars
+-  bitbake: data_smart.py: remove unnecessary ? from __expand_var_regexp__
+-  bitbake: data_smart.py: simple clean up
+-  build-appliance-image: Update to scarthgap head revision
+-  ccache.conf: Add include_file_ctime to sloppiness
+-  cmake: apply parallel build settings to ptest tasks
+-  contributor-guide/submit-changes: add policy on AI generated code
+-  dev-manual/building: document the initramfs-framework recipe
+-  devtool: ide-sdk recommend :term:`DEBUG_BUILD`
+-  devtool: ide-sdk remove the plugin from eSDK installer
+-  devtool: ide-sdk sort cmake preset
+-  devtool: modify support debug-builds
+-  docs: Add favicon for the documentation html
+-  docs: Fix typo in standards.md
+-  docs: Remove all mention of core-image-lsb
+-  docs: vulnerabilities/classes: remove references to cve-check text format
+-  files: Amend overlayfs unit descriptions with path information
+-  files: overlayfs-create-dirs: Improve mount unit dependency
+-  glibc: stable 2.39 branch updates
+-  gnupg: upgrade to 2.4.5
+-  go: upgrade 1.22.12
+-  icu: remove host references in nativesdk to fix reproducibility
+-  libtasn1: upgrade to 4.20.0
+-  libxml2: upgrade to 2.12.10
+-  linux-yocto/6.6: upgrade to v6.6.75
+-  meta: Enable '-o pipefail' for the SDK installer
+-  migration-guides: add release notes for 4.0.24, 4.0.25 and 5.0.7
+-  oe-selftest: devtool ide-sdk use modify debug-build
+-  oeqa/sdk/context: fix for gtk3 test failure during do_testsdk
+-  oeqa/selftest/rust: skip on all MIPS platforms
+-  openssl: upgrade to 3.2.4
+-  pkg-config-native: pick additional search paths from $EXTRA_NATIVE_PKGCONFIG_PATH
+-  poky.conf: add ubuntu2404 to :term:`SANITY_TESTED_DISTROS`
+-  poky.conf: bump version for 5.0.8
+-  ppp: Revert lock path to /var/lock
+-  python3-setuptools-scm: respect GIT_CEILING_DIRECTORIES
+-  python3: upgrade to 3.12.9
+-  qemu: Do not define sched_attr with glibc >= 2.41
+-  ref-manual/faq: add q&a on systemd as default
+-  ref-manual: Add missing variable :term:`IMAGE_ROOTFS_MAXSIZE`
+-  ref-manual: don't refer to poky-lsb
+-  ref-manual: remove OE_IMPORTS
+-  rust-common.bbclass: soft assignment for RUSTLIB path
+-  rust: fix for rust multilib sdk configuration
+-  rust: remove redundant cargo config file
+-  scripts/install-buildtools: Update to 5.0.7
+-  sdk-manual: extensible.rst: devtool ide-sdk improve
+-  sdk-manual: extensible.rst: update devtool ide-sdk
+-  selftest/rust: correctly form the PATH environment variable
+-  systemd: add libpcre2 as :term:`RRECOMMENDS` if pcre2 is enabled
+-  systemd: upgrade to 255.17
+-  test-manual/ptest: link to common framework ptest classes
+-  tzcode-native: Fix compiler setting from 2023d version
+-  tzdata/tzcode-native: upgrade to 2025a
+-  u-boot: kernel-fitimage: Fix dependency loop if :term:`UBOOT_SIGN_ENABLE` and UBOOT_ENV enabled
+-  u-boot: kernel-fitimage: Restore FIT_SIGN_INDIVIDUAL="1" behavior
+-  uboot-config: fix devtool modify with kernel-fitimage
+-  vim: upgrade to 9.1.1043
+
+
+Known Issues in Yocto-5.0.8
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  N/A
+
+Contributors to Yocto-5.0.8
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Thanks to the following people who contributed to this release:
+
+-  Adrian Freihofer
+-  Aleksandar Nikolic
+-  Alessio Cascone
+-  Alexander Kanavin
+-  Alexis Cellier
+-  Antonin Godard
+-  Archana Polampalli
+-  Bruce Ashfield
+-  Chen Qi
+-  Deepesh Varatharajan
+-  Divya Chellam
+-  Enrico Jörns
+-  Esben Haabendal
+-  Etienne Cordonnier
+-  Fabio Berton
+-  Guðni Már Gilbert
+-  Harish Sadineni
+-  Hitendra Prajapati
+-  Hongxu Jia
+-  Jiaying Song
+-  Joerg Schmidt
+-  Johannes Schneider
+-  Khem Raj
+-  Lee Chee Yang
+-  Marek Vasut
+-  Marta Rybczynska
+-  Moritz Haase
+-  Oleksandr Hnatiuk
+-  Pedro Ferreira
+-  Peter Marko
+-  Poonam Jadhav
+-  Priyal Doshi
+-  Ross Burton
+-  Simon A. Eugster
+-  Steve Sakoman
+-  Vijay Anusuri
+-  Wang Mingyu
+-  Weisser, Pascal
+
+
+Repositories / Downloads for Yocto-5.0.8
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`scarthgap </poky/log/?h=scarthgap>`
+-  Tag:  :yocto_git:`yocto-5.0.8 </poky/log/?h=yocto-5.0.8>`
+-  Git Revision: :yocto_git:`dc4827b3660bc1a03a2bc3b0672615b50e9137ff </poky/commit/?id=dc4827b3660bc1a03a2bc3b0672615b50e9137ff>`
+-  Release Artefact: poky-dc4827b3660bc1a03a2bc3b0672615b50e9137ff
+-  sha: ace7264e16e18ed02ef0ad2935fa10b5fad2c4de38b2356f4192b38ef2184504
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.8/poky-dc4827b3660bc1a03a2bc3b0672615b50e9137ff.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.8/poky-dc4827b3660bc1a03a2bc3b0672615b50e9137ff.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`scarthgap </openembedded-core/log/?h=scarthgap>`
+-  Tag:  :oe_git:`yocto-5.0.8 </openembedded-core/log/?h=yocto-5.0.8>`
+-  Git Revision: :oe_git:`cd2b6080a4c0f2ed2c9939ec0b87763aef595048 </openembedded-core/commit/?id=cd2b6080a4c0f2ed2c9939ec0b87763aef595048>`
+-  Release Artefact: oecore-cd2b6080a4c0f2ed2c9939ec0b87763aef595048
+-  sha: 14c7cd5c62a96ceb9c2141164ea0f087fdbaed99ca3e9a722977a3f12d6381f6
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.8/oecore-cd2b6080a4c0f2ed2c9939ec0b87763aef595048.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.8/oecore-cd2b6080a4c0f2ed2c9939ec0b87763aef595048.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`scarthgap </meta-mingw/log/?h=scarthgap>`
+-  Tag:  :yocto_git:`yocto-5.0.8 </meta-mingw/log/?h=yocto-5.0.8>`
+-  Git Revision: :yocto_git:`bd9fef71ec005be3c3a6d7f8b99d8116daf70c4f </meta-mingw/commit/?id=bd9fef71ec005be3c3a6d7f8b99d8116daf70c4f>`
+-  Release Artefact: meta-mingw-bd9fef71ec005be3c3a6d7f8b99d8116daf70c4f
+-  sha: ab073def6487f237ac125d239b3739bf02415270959546b6b287778664f0ae65
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.8/meta-mingw-bd9fef71ec005be3c3a6d7f8b99d8116daf70c4f.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.8/meta-mingw-bd9fef71ec005be3c3a6d7f8b99d8116daf70c4f.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.8 </bitbake/log/?h=2.8>`
+-  Tag:  :oe_git:`yocto-5.0.8 </bitbake/log/?h=yocto-5.0.8>`
+-  Git Revision: :oe_git:`7375d32e8c1af20c51abec4eb3b072b4ca58b239 </bitbake/commit/?id=7375d32e8c1af20c51abec4eb3b072b4ca58b239>`
+-  Release Artefact: bitbake-7375d32e8c1af20c51abec4eb3b072b4ca58b239
+-  sha: 13dffbc162c5b6e2c95fa72936a430b9a542d52d81d502a5d0afc592fbf4a16b
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.0.8/bitbake-7375d32e8c1af20c51abec4eb3b072b4ca58b239.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.0.8/bitbake-7375d32e8c1af20c51abec4eb3b072b4ca58b239.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`scarthgap </yocto-docs/log/?h=scarthgap>`
+-  Tag: :yocto_git:`yocto-5.0.8 </yocto-docs/log/?h=yocto-5.0.8>`
+-  Git Revision: :yocto_git:`7d3cce5b962ca9f73b29affceb7ebc6710627739 </yocto-docs/commit/?id=7d3cce5b962ca9f73b29affceb7ebc6710627739>`
+
--- a/documentation/migration-guides/release-notes-5.1.2.rst
+++ b/documentation/migration-guides/release-notes-5.1.2.rst
@@ -0,0 +1,312 @@
+Release notes for Yocto-5.1.2 (Styhead)
+---------------------------------------
+
+Security Fixes in Yocto-5.1.2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  binutils: Fix :cve_nist:`2024-53589`
+-  curl: Fix :cve_nist:`2024-9681`
+-  ghostscript: Fix :cve_nist:`2024-46951`, :cve_nist:`2024-46952`, :cve_nist:`2024-46953`,
+   :cve_nist:`2024-46954`, :cve_nist:`2024-46955` and :cve_nist:`2024-46956`
+-  gstreamer1.0: Fix :cve_nist:`2024-47606`
+-  gstreamer1.0-plugins-base: Fix :cve_nist:`2024-47538`, :cve_nist:`2024-47541`,
+   :cve_nist:`2024-47542`, :cve_nist:`2024-47600`, :cve_nist:`2024-47607`, :cve_nist:`2024-47615`
+   and :cve_nist:`2024-47835`
+-  gstreamer1.0-plugins-good: Fix :cve_nist:`2024-47537`, :cve_nist:`2024-47539`,
+   :cve_nist:`2024-47540`, :cve_nist:`2024-47543`, :cve_nist:`2024-47544`, :cve_nist:`2024-47545`,
+   :cve_nist:`2024-47546`, :cve_nist:`2024-47596`, :cve_nist:`2024-47597`, :cve_nist:`2024-47598`,
+   :cve_nist:`2024-47599`, :cve_nist:`2024-47601`, :cve_nist:`2024-47602`, :cve_nist:`2024-47603`,
+   :cve_nist:`2024-47606`, :cve_nist:`2024-47613`, :cve_nist:`2024-47774`, :cve_nist:`2024-47775`,
+   :cve_nist:`2024-47776`, :cve_nist:`2024-47777`, :cve_nist:`2024-47778` and :cve_nist:`2024-47834`
+-  gstreamer1.0-rtsp-server: Fix :cve_nist:`2024-44331`
+-  libarchive: Fix :cve_nist:`2024-48957` and :cve_nist:`2024-48958`
+-  libexpat: Fix :cve_nist:`2024-50602`
+-  libsndfile1: Fix :cve_nist:`2024-50612`
+-  linux-yocto/6.6: Fix :cve_nist:`2024-27059`, :cve_nist:`2024-47704`, :cve_nist:`2024-49863`,
+   :cve_nist:`2024-49864`, :cve_nist:`2024-49866`, :cve_nist:`2024-49867`, :cve_nist:`2024-49868`,
+   :cve_nist:`2024-49870`, :cve_nist:`2024-49871`, :cve_nist:`2024-49874`, :cve_nist:`2024-49875`,
+   :cve_nist:`2024-49877`, :cve_nist:`2024-49878`, :cve_nist:`2024-49879`, :cve_nist:`2024-49881`,
+   :cve_nist:`2024-49882`, :cve_nist:`2024-49883`, :cve_nist:`2024-49884`, :cve_nist:`2024-49886`,
+   :cve_nist:`2024-49889`, :cve_nist:`2024-49890`, :cve_nist:`2024-49892`, :cve_nist:`2024-49894`,
+   :cve_nist:`2024-49895`, :cve_nist:`2024-49896`, :cve_nist:`2024-49900`, :cve_nist:`2024-49901`,
+   :cve_nist:`2024-49902`, :cve_nist:`2024-49903`, :cve_nist:`2024-49905`, :cve_nist:`2024-49907`,
+   :cve_nist:`2024-49912`, :cve_nist:`2024-49913`, :cve_nist:`2024-49924`, :cve_nist:`2024-49925`,
+   :cve_nist:`2024-49927`, :cve_nist:`2024-49929`, :cve_nist:`2024-49930`, :cve_nist:`2024-49931`,
+   :cve_nist:`2024-49933`, :cve_nist:`2024-49935`, :cve_nist:`2024-49936`, :cve_nist:`2024-49937`,
+   :cve_nist:`2024-49938`, :cve_nist:`2024-49939`, :cve_nist:`2024-49944`, :cve_nist:`2024-49946`,
+   :cve_nist:`2024-49947`, :cve_nist:`2024-49948`, :cve_nist:`2024-49949`, :cve_nist:`2024-49950`,
+   :cve_nist:`2024-49951`, :cve_nist:`2024-49952`, :cve_nist:`2024-49953`, :cve_nist:`2024-49954`,
+   :cve_nist:`2024-49955`, :cve_nist:`2024-49957`, :cve_nist:`2024-49958`, :cve_nist:`2024-49959`,
+   :cve_nist:`2024-49960`, :cve_nist:`2024-49961`, :cve_nist:`2024-49962`, :cve_nist:`2024-49963`,
+   :cve_nist:`2024-49965`, :cve_nist:`2024-49966`, :cve_nist:`2024-49969`, :cve_nist:`2024-49973`,
+   :cve_nist:`2024-49975`, :cve_nist:`2024-49976`, :cve_nist:`2024-49977`, :cve_nist:`2024-49978`,
+   :cve_nist:`2024-49980`, :cve_nist:`2024-49981`, :cve_nist:`2024-49982`, :cve_nist:`2024-49983`,
+   :cve_nist:`2024-49985`, :cve_nist:`2024-49986`, :cve_nist:`2024-49987`, :cve_nist:`2024-49988`,
+   :cve_nist:`2024-49989`, :cve_nist:`2024-49991`, :cve_nist:`2024-49992`, :cve_nist:`2024-49995`,
+   :cve_nist:`2024-49996`, :cve_nist:`2024-49997`, :cve_nist:`2024-50000`, :cve_nist:`2024-50001`,
+   :cve_nist:`2024-50002`, :cve_nist:`2024-50003`, :cve_nist:`2024-50005`, :cve_nist:`2024-50006`,
+   :cve_nist:`2024-50007`, :cve_nist:`2024-50008`, :cve_nist:`2024-50012`, :cve_nist:`2024-50013`,
+   :cve_nist:`2024-50015`, :cve_nist:`2024-50016`, :cve_nist:`2024-50019`, :cve_nist:`2024-50022`,
+   :cve_nist:`2024-50023`, :cve_nist:`2024-50024`, :cve_nist:`2024-50026`, :cve_nist:`2024-50029`,
+   :cve_nist:`2024-50031`, :cve_nist:`2024-50032`, :cve_nist:`2024-50033`, :cve_nist:`2024-50035`,
+   :cve_nist:`2024-50036`, :cve_nist:`2024-50038`, :cve_nist:`2024-50039`, :cve_nist:`2024-50040`,
+   :cve_nist:`2024-50041`, :cve_nist:`2024-50044`, :cve_nist:`2024-50045`, :cve_nist:`2024-50046`,
+   :cve_nist:`2024-50047`, :cve_nist:`2024-50048`, :cve_nist:`2024-50049`, :cve_nist:`2024-50055`,
+   :cve_nist:`2024-50057`, :cve_nist:`2024-50058`, :cve_nist:`2024-50059`, :cve_nist:`2024-50060`,
+   :cve_nist:`2024-50061`, :cve_nist:`2024-50062`, :cve_nist:`2024-50063`, :cve_nist:`2024-50064`,
+   :cve_nist:`2024-50065`, :cve_nist:`2024-50066`, :cve_nist:`2024-50069`, :cve_nist:`2024-50070`,
+   :cve_nist:`2024-50072`, :cve_nist:`2024-50073`, :cve_nist:`2024-50074`, :cve_nist:`2024-50075`,
+   :cve_nist:`2024-50076`, :cve_nist:`2024-50077`, :cve_nist:`2024-50078`, :cve_nist:`2024-50080`,
+   :cve_nist:`2024-50082`, :cve_nist:`2024-50083`, :cve_nist:`2024-50084`, :cve_nist:`2024-50085`,
+   :cve_nist:`2024-50086`, :cve_nist:`2024-50087`, :cve_nist:`2024-50088`, :cve_nist:`2024-50093`,
+   :cve_nist:`2024-50095`, :cve_nist:`2024-50096`, :cve_nist:`2024-50098`, :cve_nist:`2024-50099`,
+   :cve_nist:`2024-50101`, :cve_nist:`2024-50103`, :cve_nist:`2024-50108`, :cve_nist:`2024-50110`,
+   :cve_nist:`2024-50111`, :cve_nist:`2024-50112`, :cve_nist:`2024-50115`, :cve_nist:`2024-50116`,
+   :cve_nist:`2024-50117`, :cve_nist:`2024-50120`, :cve_nist:`2024-50121`, :cve_nist:`2024-50124`,
+   :cve_nist:`2024-50125`, :cve_nist:`2024-50126`, :cve_nist:`2024-50127`, :cve_nist:`2024-50128`,
+   :cve_nist:`2024-50130`, :cve_nist:`2024-50131`, :cve_nist:`2024-50133`, :cve_nist:`2024-50134`,
+   :cve_nist:`2024-50135`, :cve_nist:`2024-50136`, :cve_nist:`2024-50139`, :cve_nist:`2024-50140`,
+   :cve_nist:`2024-50141`, :cve_nist:`2024-50142`, :cve_nist:`2024-50143`, :cve_nist:`2024-50145`,
+   :cve_nist:`2024-50147`, :cve_nist:`2024-50148`, :cve_nist:`2024-50150`, :cve_nist:`2024-50151`,
+   :cve_nist:`2024-50152`, :cve_nist:`2024-50153`, :cve_nist:`2024-50154`, :cve_nist:`2024-50155`,
+   :cve_nist:`2024-50156`, :cve_nist:`2024-50158`, :cve_nist:`2024-50159`, :cve_nist:`2024-50160`,
+   :cve_nist:`2024-50162`, :cve_nist:`2024-50163`, :cve_nist:`2024-50164`, :cve_nist:`2024-50166`,
+   :cve_nist:`2024-50167`, :cve_nist:`2024-50168`, :cve_nist:`2024-50169`, :cve_nist:`2024-50170`,
+   :cve_nist:`2024-50171`, :cve_nist:`2024-50172`, :cve_nist:`2024-50175`, :cve_nist:`2024-50176`,
+   :cve_nist:`2024-50179`, :cve_nist:`2024-50180`, :cve_nist:`2024-50181`, :cve_nist:`2024-50182`,
+   :cve_nist:`2024-50183`, :cve_nist:`2024-50184`, :cve_nist:`2024-50185`, :cve_nist:`2024-50186`,
+   :cve_nist:`2024-50187`, :cve_nist:`2024-50188`, :cve_nist:`2024-50189`, :cve_nist:`2024-50191`,
+   :cve_nist:`2024-50192`, :cve_nist:`2024-50193`, :cve_nist:`2024-50194`, :cve_nist:`2024-50195`,
+   :cve_nist:`2024-50196`, :cve_nist:`2024-50198`, :cve_nist:`2024-50201`, :cve_nist:`2024-50202`,
+   :cve_nist:`2024-50205`, :cve_nist:`2024-50208`, :cve_nist:`2024-50209`, :cve_nist:`2024-50211`,
+   :cve_nist:`2024-50215`, :cve_nist:`2024-50222`, :cve_nist:`2024-50223`, :cve_nist:`2024-50224`,
+   :cve_nist:`2024-50226`, :cve_nist:`2024-50229`, :cve_nist:`2024-50230`, :cve_nist:`2024-50231`,
+   :cve_nist:`2024-50232`, :cve_nist:`2024-50233`, :cve_nist:`2024-50234`, :cve_nist:`2024-50235`,
+   :cve_nist:`2024-50236`, :cve_nist:`2024-50237`, :cve_nist:`2024-50239`, :cve_nist:`2024-50240`,
+   :cve_nist:`2024-50242`, :cve_nist:`2024-50243`, :cve_nist:`2024-50244`, :cve_nist:`2024-50245`,
+   :cve_nist:`2024-50246`, :cve_nist:`2024-50247`, :cve_nist:`2024-50248`, :cve_nist:`2024-50249`,
+   :cve_nist:`2024-50250`, :cve_nist:`2024-50251`, :cve_nist:`2024-50252`, :cve_nist:`2024-50255`,
+   :cve_nist:`2024-50256`, :cve_nist:`2024-50257`, :cve_nist:`2024-50258`, :cve_nist:`2024-50259`,
+   :cve_nist:`2024-50261`, :cve_nist:`2024-50262`, :cve_nist:`2024-50264`, :cve_nist:`2024-50265`,
+   :cve_nist:`2024-50267`, :cve_nist:`2024-50268`, :cve_nist:`2024-50269`, :cve_nist:`2024-50271`,
+   :cve_nist:`2024-50272`, :cve_nist:`2024-50273`, :cve_nist:`2024-50275`, :cve_nist:`2024-50276`,
+   :cve_nist:`2024-50278`, :cve_nist:`2024-50279`, :cve_nist:`2024-50282`, :cve_nist:`2024-50283`,
+   :cve_nist:`2024-50284`, :cve_nist:`2024-50285`, :cve_nist:`2024-50286`, :cve_nist:`2024-50287`,
+   :cve_nist:`2024-50292`, :cve_nist:`2024-50296`, :cve_nist:`2024-50298`, :cve_nist:`2024-50299`,
+   :cve_nist:`2024-50300`, :cve_nist:`2024-50301`, :cve_nist:`2024-50302`, :cve_nist:`2024-53042`,
+   :cve_nist:`2024-53043`, :cve_nist:`2024-53046`, :cve_nist:`2024-53047`, :cve_nist:`2024-53052`,
+   :cve_nist:`2024-53055`, :cve_nist:`2024-53057`, :cve_nist:`2024-53058`, :cve_nist:`2024-53059`,
+   :cve_nist:`2024-53060`, :cve_nist:`2024-53061`, :cve_nist:`2024-53063`, :cve_nist:`2024-53066`,
+   :cve_nist:`2024-53068`, :cve_nist:`2024-53072`, :cve_nist:`2024-53076`, :cve_nist:`2024-53079`,
+   :cve_nist:`2024-53081`, :cve_nist:`2024-53082`, :cve_nist:`2024-53083`, :cve_nist:`2024-53088`,
+   :cve_nist:`2024-53091`, :cve_nist:`2024-53093`, :cve_nist:`2024-53094`, :cve_nist:`2024-53096`,
+   :cve_nist:`2024-53099`, :cve_nist:`2024-53100`, :cve_nist:`2024-53101`, :cve_nist:`2024-53103`,
+   :cve_nist:`2024-53108`, :cve_nist:`2024-53109`, :cve_nist:`2024-53110`, :cve_nist:`2024-53112`,
+   :cve_nist:`2024-53113`, :cve_nist:`2024-53119`, :cve_nist:`2024-53120`, :cve_nist:`2024-53121`,
+   :cve_nist:`2024-53122`, :cve_nist:`2024-53123`, :cve_nist:`2024-53126`, :cve_nist:`2024-53127`,
+   :cve_nist:`2024-53129`, :cve_nist:`2024-53130`, :cve_nist:`2024-53131`, :cve_nist:`2024-53134`,
+   :cve_nist:`2024-53135`, :cve_nist:`2024-53138`, :cve_nist:`2024-53139`, :cve_nist:`2024-53140`,
+   :cve_nist:`2024-53141`, :cve_nist:`2024-53142`, :cve_nist:`2024-53145`, :cve_nist:`2024-53146`,
+   :cve_nist:`2024-53150`, :cve_nist:`2024-53151`, :cve_nist:`2024-53154`, :cve_nist:`2024-53155`,
+   :cve_nist:`2024-53156`, :cve_nist:`2024-53157`, :cve_nist:`2024-53165`, :cve_nist:`2024-53166`,
+   :cve_nist:`2024-53171`, :cve_nist:`2024-53173`, :cve_nist:`2024-53180`, :cve_nist:`2024-53188`,
+   :cve_nist:`2024-53200`, :cve_nist:`2024-53202`, :cve_nist:`2024-53208`, :cve_nist:`2024-53210`,
+   :cve_nist:`2024-53213`, :cve_nist:`2024-53226`, :cve_nist:`2024-53227`, :cve_nist:`2024-53230`,
+   :cve_nist:`2024-53231`, :cve_nist:`2024-53237`, :cve_nist:`2024-54683`, :cve_nist:`2024-55916`,
+   :cve_nist:`2024-56369`, :cve_nist:`2024-56538`, :cve_nist:`2024-56551`, :cve_nist:`2024-56567`,
+   :cve_nist:`2024-56572`, :cve_nist:`2024-56574`, :cve_nist:`2024-56577`, :cve_nist:`2024-56578`,
+   :cve_nist:`2024-56579`, :cve_nist:`2024-56581`, :cve_nist:`2024-56593`, :cve_nist:`2024-56595`,
+   :cve_nist:`2024-56596`, :cve_nist:`2024-56598`, :cve_nist:`2024-56600`, :cve_nist:`2024-56601`,
+   :cve_nist:`2024-56602`, :cve_nist:`2024-56603`, :cve_nist:`2024-56604`, :cve_nist:`2024-56605`,
+   :cve_nist:`2024-56606`, :cve_nist:`2024-56611`, :cve_nist:`2024-56613`, :cve_nist:`2024-56614`,
+   :cve_nist:`2024-56615`, :cve_nist:`2024-56617`, :cve_nist:`2024-56622`, :cve_nist:`2024-56623`,
+   :cve_nist:`2024-56626`, :cve_nist:`2024-56627`, :cve_nist:`2024-56629`, :cve_nist:`2024-56631`,
+   :cve_nist:`2024-56634`, :cve_nist:`2024-56640`, :cve_nist:`2024-56642`, :cve_nist:`2024-56643`,
+   :cve_nist:`2024-56648`, :cve_nist:`2024-56649`, :cve_nist:`2024-56650`, :cve_nist:`2024-56651`,
+   :cve_nist:`2024-56653`, :cve_nist:`2024-56654`, :cve_nist:`2024-56657`, :cve_nist:`2024-56658`,
+   :cve_nist:`2024-56659`, :cve_nist:`2024-56660`, :cve_nist:`2024-56662`, :cve_nist:`2024-56663`,
+   :cve_nist:`2024-56664`, :cve_nist:`2024-56667`, :cve_nist:`2024-56670`, :cve_nist:`2024-56672`,
+   :cve_nist:`2024-56675`, :cve_nist:`2024-56688`, :cve_nist:`2024-56689`, :cve_nist:`2024-56692`,
+   :cve_nist:`2024-56694`, :cve_nist:`2024-56704`, :cve_nist:`2024-56708`, :cve_nist:`2024-56710`,
+   :cve_nist:`2024-56715`, :cve_nist:`2024-56716`, :cve_nist:`2024-56717`, :cve_nist:`2024-56718`,
+   :cve_nist:`2024-56720`, :cve_nist:`2024-56722`, :cve_nist:`2024-56723`, :cve_nist:`2024-56724`,
+   :cve_nist:`2024-56725`, :cve_nist:`2024-56726`, :cve_nist:`2024-56727`, :cve_nist:`2024-56728`,
+   :cve_nist:`2024-56729`, :cve_nist:`2024-56739`, :cve_nist:`2024-56741`, :cve_nist:`2024-56744`,
+   :cve_nist:`2024-56745`, :cve_nist:`2024-56746`, :cve_nist:`2024-56747`, :cve_nist:`2024-56748`,
+   :cve_nist:`2024-56751`, :cve_nist:`2024-56752`, :cve_nist:`2024-56754`, :cve_nist:`2024-56755`,
+   :cve_nist:`2024-56756`, :cve_nist:`2024-56760`, :cve_nist:`2024-56763`, :cve_nist:`2024-56765`,
+   :cve_nist:`2024-56767`, :cve_nist:`2024-56769`, :cve_nist:`2024-56770`, :cve_nist:`2024-56774`,
+   :cve_nist:`2024-56776`, :cve_nist:`2024-56777`, :cve_nist:`2024-56778`, :cve_nist:`2024-56779`,
+   :cve_nist:`2024-56780`, :cve_nist:`2024-56781`, :cve_nist:`2024-56783`, :cve_nist:`2024-56785`,
+   :cve_nist:`2024-56786`, :cve_nist:`2024-56787` and :cve_nist:`2024-57807`
+-  qemu: Fix :cve_nist:`2024-6505`
+-  rust: Ignore :cve_nist:`2024-43402`
+
+
+Fixes in Yocto-5.1.2
+~~~~~~~~~~~~~~~~~~~~
+
+-  binutils: stable 2.43.1 branch update
+-  bitbake: runqueue: Fix performance of multiconfigs with large overlap
+-  bitbake: runqueue: Fix scenetask processing performance issue
+-  bitbake: runqueue: Optimise setscene loop processing
+-  build-appliance-image: Update to styhead head revision
+-  builder: set :term:`CVE_PRODUCT`
+-  buildtools-docs-tarball: Add rsvg so we can handle svg files in docs
+-  connman: Fix restart script
+-  contributor-guide: submit-changes.rst: suggest to remove the git signature
+-  cve-update-nvd2-native: Handle :term:`BB_NO_NETWORK` and missing db
+-  cve-update-nvd2-native: Tweak to work better with NFS :term:`DL_DIR`
+-  dev-manual: bmaptool.rst: correct command for bmaptool-native
+-  dev-manual: bmaptool.rst: simplify and fix instructions
+-  dev-manual: fix styling of references to bmaptool
+-  dnf: drop python3-iniparse from :term:`DEPENDS` and :term:`RDEPENDS`
+-  do_package/sstate/sstatesig: Change timestamp clamping to hash output only
+-  docs: Gather dependencies in poky.yaml.in
+-  docs: Update the documentation for :term:`SRCPV`
+-  docs: standards.md: add a section on admonitions
+-  docs: update current releases
+-  expat: upgrade to 2.6.4
+-  gcc: Fix c++: tweak for Wrange-loop-construct
+-  ghostscript: upgrade 10.04.0
+-  glibc: stable 2.40 branch updates.
+-  groff: Fix race issues for parallel build
+-  gstreamer1.0-libav: explicitly disable documentation
+-  gstreamer1.0: run ptests in parallel
+-  gstreamer1.0: upgrade to 1.24.10
+-  linux-yocto/6.6: bsp/genericarm64: disable ARM64_SME
+-  linux-yocto/6.6: genericarm64.cfg: enable CONFIG_DMA_CMA
+-  linux-yocto/6.6: update to v6.6.69
+-  lttng-modules: fix sched_stat_runtime changed in Linux 6.6.66
+-  migration-guides: add release notes for 4.0.23, 5.0.4, 5.0.5 and 5.1.1
+-  oeqa/ssh: Improve performance and log sizes
+-  oeqa/utils/gitarchive: Return tag name and improve exclude handling
+-  poky.conf: add new tested distros
+-  poky.conf: bump version for 5.1.2
+-  poky.yaml.in: add missing locales dependency
+-  poky.yaml.in: replace inkscape dependency by librsvg2-bin
+-  populate_sdk_ext: write_local_conf add shutil import
+-  python3-poetry-core: drop python3-six from :term:`RDEPENDS`
+-  python3: upgrade to 3.12.8
+-  ref-manual: SSTATE_MIRRORS/SOURCE_MIRROR_URL: add instructions for mirror authentication
+-  ref-manual: classes: fix bin_package description
+-  ref-manual: devtool-reference: add warning note on deploy-target and shared objects
+-  ref-manual: merge two separate descriptions of :term:`RECIPE_UPGRADE_EXTRA_TASKS`
+-  ref-manual: move runtime-testing section to the test-manual
+-  ref-manual: packages: move ptest section to the test-manual
+-  ref-manual: qa-checks: remove patch-status-core/patch-status-noncore
+-  ref-manual: use standardized method accross both ubuntu and debian for locale install
+-  reproducible-builds.rst: show how to build a single package
+-  resulttool: Add --logfile-archive option to store mode
+-  resulttool: Allow store to filter to specific revisions
+-  resulttool: Clean up repoducible build logs
+-  resulttool: Fix passthrough of --all files in store mode
+-  resulttool: Handle ltp rawlogs as well as ptest
+-  resulttool: Improve repo layout for oeselftest results
+-  resulttool: Trim the precision of duration information
+-  resulttool: Use single space indentation in json output
+-  rxvt-unicode.inc: disable the terminfo installation by setting TIC to :
+-  selftest/reproducible: Clean up pathnames
+-  selftest/reproducible: Drop rawlogs
+-  shadow: use update-alternatives to handle su.1 and nologin.8
+-  system-requirements.rst: add dependencies for pdf builds
+-  system-requirements: add fedora 39 to supported distros
+-  system-requirements: update list of supported distros
+-  systemd-boot: drop intltool-native from :term:`DEPENDS`
+-  systemd: drop intltool-native from :term:`DEPENDS`
+
+
+Known Issues in Yocto-5.1.2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-5.1.2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Thanks to the following people who contributed to this release:
+
+-  Alexander Kanavin
+-  Antonin Godard
+-  Bruce Ashfield
+-  Changqing Li
+-  Deepthi Hemraj
+-  Guénaël Muller
+-  Guðni Már Gilbert
+-  Hitendra Prajapati
+-  Lee Chee Yang
+-  Mark Hatle
+-  Michael Nazzareno Trimarchi
+-  Michael Opdenacker
+-  Peter Marko
+-  Richard Purdie
+-  Robert Yang
+-  Ross Burton
+-  Sid-Ali
+-  Steve Sakoman
+-  Sunil Dora
+-  Trevor Gamblin
+-  Wang Mingyu
+-  Xiangyu Chen
+-  Yash Shinde
+
+
+Repositories / Downloads for Yocto-5.1.2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`styhead </poky/log/?h=styhead>`
+-  Tag:  :yocto_git:`yocto-5.1.2 </poky/log/?h=yocto-5.1.2>`
+-  Git Revision: :yocto_git:`ff9ca74e170480578fcdb1f7bcd897f0e69e46a5 </poky/commit/?id=ff9ca74e170480578fcdb1f7bcd897f0e69e46a5>`
+-  Release Artefact: poky-ff9ca74e170480578fcdb1f7bcd897f0e69e46a5
+-  sha: 3c8d5504ebc988a6427e31d3a9e84e74f16f84b7e9b0884f77be6bd6231b7fef
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.2/poky-ff9ca74e170480578fcdb1f7bcd897f0e69e46a5.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.2/poky-ff9ca74e170480578fcdb1f7bcd897f0e69e46a5.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`styhead </openembedded-core/log/?h=styhead>`
+-  Tag:  :oe_git:`yocto-5.1.2 </openembedded-core/log/?h=yocto-5.1.2>`
+-  Git Revision: :oe_git:`62dfe689246d648f9970a5476716e486b1a33765 </openembedded-core/commit/?id=62dfe689246d648f9970a5476716e486b1a33765>`
+-  Release Artefact: oecore-62dfe689246d648f9970a5476716e486b1a33765
+-  sha: 8118c0260e673dbf9f3d7cd0a6d8364fc337f3e8ff75f0c449be88d2157e78fb
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.2/oecore-62dfe689246d648f9970a5476716e486b1a33765.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.2/oecore-62dfe689246d648f9970a5476716e486b1a33765.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`styhead </meta-mingw/log/?h=styhead>`
+-  Tag:  :yocto_git:`yocto-5.1.2 </meta-mingw/log/?h=yocto-5.1.2>`
+-  Git Revision: :yocto_git:`77fe18d4f8ec34501045c5d92ce7e13b1bd129e9 </meta-mingw/commit/?id=77fe18d4f8ec34501045c5d92ce7e13b1bd129e9>`
+-  Release Artefact: meta-mingw-77fe18d4f8ec34501045c5d92ce7e13b1bd129e9
+-  sha: 4c7f8100a3675d9863e51825def3df5b263ffc81cd57bae26eedbc156d771534
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.2/meta-mingw-77fe18d4f8ec34501045c5d92ce7e13b1bd129e9.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.2/meta-mingw-77fe18d4f8ec34501045c5d92ce7e13b1bd129e9.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.10 </bitbake/log/?h=2.10>`
+-  Tag:  :oe_git:`yocto-5.1.2 </bitbake/log/?h=yocto-5.1.2>`
+-  Git Revision: :oe_git:`1452e74cc4ddfaadc6537a049877a66cec253c8d </bitbake/commit/?id=1452e74cc4ddfaadc6537a049877a66cec253c8d>`
+-  Release Artefact: bitbake-1452e74cc4ddfaadc6537a049877a66cec253c8d
+-  sha: 26538d0b8ab907d962623707697bfc6826615239a724b1805e0c3acbd74fdcaa
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.2/bitbake-1452e74cc4ddfaadc6537a049877a66cec253c8d.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.2/bitbake-1452e74cc4ddfaadc6537a049877a66cec253c8d.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`styhead </yocto-docs/log/?h=styhead>`
+-  Tag: :yocto_git:`yocto-5.1.2 </yocto-docs/log/?h=yocto-5.1.2>`
+-  Git Revision: :yocto_git:`8ac3e2eb1dd4149b24af03666813dc6d94df466d </yocto-docs/commit/?id=8ac3e2eb1dd4149b24af03666813dc6d94df466d>`
+
--- a/documentation/migration-guides/release-notes-5.1.3.rst
+++ b/documentation/migration-guides/release-notes-5.1.3.rst
@@ -0,0 +1,160 @@
+Release notes for Yocto-5.1.3 (Styhead)
+---------------------------------------
+
+Security Fixes in Yocto-5.1.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  go: Fix :cve_nist:`2024-45336`, :cve_nist:`2024-45341` and :cve_nist:`2025-22866`
+-  linux-yocto/6.6: Fix :cve_nist:`2024-36476`, :cve_nist:`2024-53179`, :cve_nist:`2024-56582`,
+   :cve_nist:`2024-56703`, :cve_nist:`2024-57801`, :cve_nist:`2024-57802`, :cve_nist:`2024-57841`,
+   :cve_nist:`2024-57882`, :cve_nist:`2024-57887`, :cve_nist:`2024-57890`, :cve_nist:`2024-57892`,
+   :cve_nist:`2024-57895`, :cve_nist:`2024-57896`, :cve_nist:`2024-57900`, :cve_nist:`2024-57901`,
+   :cve_nist:`2024-57902`, :cve_nist:`2024-57906`, :cve_nist:`2024-57907`, :cve_nist:`2024-57908`,
+   :cve_nist:`2024-57910`, :cve_nist:`2024-57911`, :cve_nist:`2024-57912`, :cve_nist:`2024-57913`,
+   :cve_nist:`2024-57916`, :cve_nist:`2024-57922`, :cve_nist:`2024-57925`, :cve_nist:`2024-57926`,
+   :cve_nist:`2024-57933`, :cve_nist:`2024-57938`, :cve_nist:`2024-57939`, :cve_nist:`2024-57940`,
+   :cve_nist:`2024-57949`, :cve_nist:`2024-57951`, :cve_nist:`2025-21631`, :cve_nist:`2025-21636`,
+   :cve_nist:`2025-21637`, :cve_nist:`2025-21638`, :cve_nist:`2025-21639`, :cve_nist:`2025-21640`,
+   :cve_nist:`2025-21642`, :cve_nist:`2025-21652`, :cve_nist:`2025-21658`, :cve_nist:`2025-21665`,
+   :cve_nist:`2025-21666`, :cve_nist:`2025-21667`, :cve_nist:`2025-21669`, :cve_nist:`2025-21670`,
+   :cve_nist:`2025-21671`, :cve_nist:`2025-21673`, :cve_nist:`2025-21674`, :cve_nist:`2025-21675`,
+   :cve_nist:`2025-21676`, :cve_nist:`2025-21680`, :cve_nist:`2025-21681`, :cve_nist:`2025-21683`,
+   :cve_nist:`2025-21684`, :cve_nist:`2025-21687`, :cve_nist:`2025-21689`, :cve_nist:`2025-21690`,
+   :cve_nist:`2025-21692`, :cve_nist:`2025-21694`, :cve_nist:`2025-21697` and :cve_nist:`2025-21699`
+-  pyhton3: Fix CVE-2024-12254, :cve_nist:`2025-0938` and 3 other vulnerabilities (gh-80222, gh-119511
+   and gh-126108).
+-  socat: Fix :cve_nist:`2024-54661`
+-  vim: Fix :cve_nist:`2025-22134` and :cve_nist:`2025-24014`
+
+
+Fixes in Yocto-5.1.3
+~~~~~~~~~~~~~~~~~~~~
+
+-  bitbake: bblayers/query: Fix using "removeprefix" string method
+-  bitbake: cooker: Make cooker 'skiplist' per-multiconfig/mc
+-  bitbake: tests/fetch: Fix git shallow test failure with git >= 2.48
+-  boost: fix do_fetch error
+-  build-appliance-image: Update to styhead head revision
+-  classes/nativesdk: also override :term:`TUNE_PKGARCH`
+-  classes/qemu: use tune to select QEMU_EXTRAOPTIONS, not package architecture
+-  cmake: apply parallel build settings to ptest tasks
+-  contributor-guide/submit-changes: add policy on AI generated code
+-  cve-check: fix cvesInRecord
+-  cve-check: restore :term:`CVE_CHECK_SHOW_WARNINGS` functionality
+-  dev-manual/building: document the initramfs-framework recipe
+-  devtool: ide-sdk recommend :term:`DEBUG_BUILD`
+-  devtool: ide-sdk remove the plugin from eSDK installer
+-  devtool: ide-sdk sort cmake preset
+-  devtool: modify support debug-builds
+-  docs: Add favicon for the documentation html
+-  docs: Fix typo in standards.md
+-  docs: Update autobuilder URLs to valkyrie
+-  enchant2: correct :term:`SRC_URI` and other uris
+-  go: upgrade to 1.22.12
+-  libnsl2: set :term:`CVE_PRODUCT`
+-  libxml-parser-perl: correct :term:`SRC_URI`
+-  linux-yocto/6.6: update to v6.6.75
+-  linux: Modify kernel configuration to fix runqlat issue
+-  lrzsz: update :term:`SRC_URI` to avoid redirect
+-  migration-guides: add release notes for 4.0.24, 5.0.6, 5.0.7 and 5.1.2
+-  oe-selftest: devtool ide-sdk use modify debug-build
+-  oeqa/gitarchive: Fix syntax warning
+-  poky.conf: bump version for 5.1.3
+-  python3: upgrade 3.12.9
+-  ref-manual/faq: add q&a on systemd as default
+-  resulttool/store: Fix permissions of logarchive
+-  rust-target-config: Fix TARGET_C_INT_WIDTH with correct size
+-  scripts/install-buildtools: Update to 5.1.2
+-  sdk-manual: extensible.rst: devtool ide-sdk improve
+-  sdk-manual: extensible.rst: update devtool ide-sdk
+-  systemd: set :term:`CVE_PRODUCT`
+-  test-manual/ptest: link to common framework ptest classes
+-  test-manual/reproducible-builds: fix reproducible links
+-  vim: Upgrade 9.1.1043
+
+
+Known Issues in Yocto-5.1.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-5.1.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Adrian Freihofer
+-  Aleksandar Nikolic
+-  Alexander Kanavin
+-  Antonin Godard
+-  Bruce Ashfield
+-  Chris Laplante
+-  Divya Chellam
+-  Harish Sadineni
+-  Jiaying Song
+-  Joerg Schmidt
+-  Lee Chee Yang
+-  Mikko Rapeli
+-  Peter Marko
+-  Richard Purdie
+-  Ross Burton
+-  Simon A. Eugster
+-  Steve Sakoman
+
+Repositories / Downloads for Yocto-5.1.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`styhead </poky/log/?h=styhead>`
+-  Tag:  :yocto_git:`yocto-5.1.3 </poky/log/?h=yocto-5.1.3>`
+-  Git Revision: :yocto_git:`11a8dec6e29ac0b2fd942c0fc00dd7fc30658841 </poky/commit/?id=11a8dec6e29ac0b2fd942c0fc00dd7fc30658841>`
+-  Release Artefact: poky-11a8dec6e29ac0b2fd942c0fc00dd7fc30658841
+-  sha: 9ebcacaab53058fd97b06134e06b5883df3c7ddb25dae43a2f3809c4f65d24b5
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.3/poky-11a8dec6e29ac0b2fd942c0fc00dd7fc30658841.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.3/poky-11a8dec6e29ac0b2fd942c0fc00dd7fc30658841.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`styhead </openembedded-core/log/?h=styhead>`
+-  Tag:  :oe_git:`yocto-5.1.3 </openembedded-core/log/?h=yocto-5.1.3>`
+-  Git Revision: :oe_git:`35ffa0ed523ba95f069dff5b7df3f819ef031015 </openembedded-core/commit/?id=35ffa0ed523ba95f069dff5b7df3f819ef031015>`
+-  Release Artefact: oecore-35ffa0ed523ba95f069dff5b7df3f819ef031015
+-  sha: 67efedf0afa9ac9e4664f02923a4c5c2429f2f1be697e39f9cbffb9e3f2d9d2c
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.3/oecore-35ffa0ed523ba95f069dff5b7df3f819ef031015.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.3/oecore-35ffa0ed523ba95f069dff5b7df3f819ef031015.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`styhead </meta-mingw/log/?h=styhead>`
+-  Tag:  :yocto_git:`yocto-5.1.3 </meta-mingw/log/?h=yocto-5.1.3>`
+-  Git Revision: :yocto_git:`77fe18d4f8ec34501045c5d92ce7e13b1bd129e9 </meta-mingw/commit/?id=77fe18d4f8ec34501045c5d92ce7e13b1bd129e9>`
+-  Release Artefact: meta-mingw-77fe18d4f8ec34501045c5d92ce7e13b1bd129e9
+-  sha: 4c7f8100a3675d9863e51825def3df5b263ffc81cd57bae26eedbc156d771534
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.3/meta-mingw-77fe18d4f8ec34501045c5d92ce7e13b1bd129e9.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.3/meta-mingw-77fe18d4f8ec34501045c5d92ce7e13b1bd129e9.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.10 </bitbake/log/?h=2.10>`
+-  Tag:  :oe_git:`yocto-5.1.3 </bitbake/log/?h=yocto-5.1.3>`
+-  Git Revision: :oe_git:`58e5c70a0572ff5994dc181694e05cd5d3ddaf66 </bitbake/commit/?id=58e5c70a0572ff5994dc181694e05cd5d3ddaf66>`
+-  Release Artefact: bitbake-58e5c70a0572ff5994dc181694e05cd5d3ddaf66
+-  sha: 8b1d8aa3de6ca8c520f1b528e342e06de0cff918a11d77862c499185a9ba8fec
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.3/bitbake-58e5c70a0572ff5994dc181694e05cd5d3ddaf66.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.3/bitbake-58e5c70a0572ff5994dc181694e05cd5d3ddaf66.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`styhead </yocto-docs/log/?h=styhead>`
+-  Tag: :yocto_git:`yocto-5.1.3 </yocto-docs/log/?h=yocto-5.1.3>`
+-  Git Revision: :yocto_git:`fd9c744d6e73a5719e61a3c0063b1602ca386e91 </yocto-docs/commit/?id=fd9c744d6e73a5719e61a3c0063b1602ca386e91>`
+
--- a/documentation/migration-guides/release-notes-5.1.4.rst
+++ b/documentation/migration-guides/release-notes-5.1.4.rst
@@ -0,0 +1,137 @@
+Release notes for Yocto-5.1.4 (Styhead)
+---------------------------------------
+
+Security Fixes in Yocto-5.1.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  binutils: Fix :cve_nist:`2025-0840`
+-  grub: Fix :cve_nist:`2024-45774`, :cve_nist:`2024-45775`, :cve_nist:`2024-45776`,
+   :cve_nist:`2024-45777`, :cve_nist:`2024-45778`, :cve_nist:`2024-45779`, :cve_nist:`2024-45780`,
+   :cve_nist:`2024-45781`, :cve_nist:`2024-45782`, :cve_nist:`2024-45783`, :cve_nist:`2024-56737`,
+   :cve_nist:`2025-0622`, :cve_nist:`2025-0624`, :cve_nist:`2025-0677`, :cve_nist:`2025-0678`,
+   :cve_nist:`2025-0684`, :cve_nist:`2025-0685`, :cve_nist:`2025-0686`, :cve_nist:`2025-0689`,
+   :cve_nist:`2025-0690`, :cve_nist:`2025-1118` and :cve_nist:`2025-1125`
+-  libtasn1: fix :cve_nist:`2024-12133`
+-  libxml2: fix :cve_nist:`2024-56171`, :cve_nist:`2025-24928` and :cve_nist:`2025-27113`
+-  openssh: Fix :cve_nist:`2025-26465` and :cve_nist:`2025-26466`
+-  puzzles: Ignore :cve_nist:`2024-13769`, :cve_nist:`2024-13770` and :cve_nist:`2025-0837`
+-  subversion: Ignore :cve_nist:`2024-45720`
+-  xserver-xorg: Fix :cve_nist:`2025-26594`, :cve_nist:`2025-26595`, :cve_nist:`2025-26596`,
+   :cve_nist:`2025-26597`, :cve_nist:`2025-26598`, :cve_nist:`2025-26599`, :cve_nist:`2025-26600`
+   and :cve_nist:`2025-26601`
+-  xwayland: Fix :cve_nist:`2025-26594`, :cve_nist:`2025-26595`, :cve_nist:`2025-26596`,
+   :cve_nist:`2025-26597`, :cve_nist:`2025-26598`, :cve_nist:`2025-26599`, :cve_nist:`2025-26600`
+   and :cve_nist:`2025-26601`
+
+
+Fixes in Yocto-5.1.4
+~~~~~~~~~~~~~~~~~~~~
+
+-  bitbake: event/utils: Avoid deadlock from lock_timeout() and recursive events
+-  bitbake: utils: Add signal blocking for lock_timeout
+-  bitbake: utils: Print information about lock issue before exiting
+-  bitbake: utils: Tweak lock_timeout logic
+-  build-appliance-image: Update to styhead head revision
+-  docs: Remove all mention of core-image-lsb
+-  grub: backport strlcpy function
+-  grub: drop obsolete CVE statuses
+-  icu: Adjust ICU_DATA_DIR path on big endian targets
+-  libtasn1: upgrade to 4.20.0
+-  libxml2: upgrade to 2.13.6
+-  migration-guides: add release notes for 4.0.25 and 5.1.3
+-  poky.conf: bump version for 5.1.4
+-  ref-manual: Add missing variable :term:`IMAGE_ROOTFS_MAXSIZE`
+-  ref-manual: don't refer to poky-lsb
+-  ref-manual: remove OE_IMPORTS
+-  tzcode-native: Fix compiler setting from 2023d version
+-  tzdata/tzcode-native: upgrade to 2025a
+-  vulnerabilities/classes: remove references to cve-check text format
+-  xserver-xf86-config: add a configuration fragment to disable screen blanking
+-  xserver-xf86-config: remove obsolete configuration files
+-  xserver-xorg: upgrade to 21.1.16
+-  xwayland: upgrade to 21.1.6
+
+
+Known Issues in Yocto-5.1.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  NA
+
+Contributors to Yocto-5.1.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+Thanks to the following people who contributed to this release:
+
+-  Alessio Cascone
+-  Lee Chee Yang
+-  Makarios Christakis
+-  Marta Rybczynska
+-  Peter Marko
+-  Priyal Doshi
+-  Richard Purdie
+-  Ross Burton
+-  Steve Sakoman
+-  Vijay Anusuri
+-  Wang Mingyu
+-  Weisser, Pascal
+
+
+Repositories / Downloads for Yocto-5.1.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`styhead </poky/log/?h=styhead>`
+-  Tag:  :yocto_git:`yocto-5.1.4 </poky/log/?h=yocto-5.1.4>`
+-  Git Revision: :yocto_git:`70dc28ac287bf35541270cae1d99130a0f6b7b5f </poky/commit/?id=70dc28ac287bf35541270cae1d99130a0f6b7b5f>`
+-  Release Artefact: poky-70dc28ac287bf35541270cae1d99130a0f6b7b5f
+-  sha: 63f1d3d47a28bd9b41c89db6e1f2657c04233a00d10210795e766c0bc265d766
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.4/poky-70dc28ac287bf35541270cae1d99130a0f6b7b5f.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.4/poky-70dc28ac287bf35541270cae1d99130a0f6b7b5f.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`styhead </openembedded-core/log/?h=styhead>`
+-  Tag:  :oe_git:`yocto-5.1.4 </openembedded-core/log/?h=yocto-5.1.4>`
+-  Git Revision: :oe_git:`2d94f4b8a852dc761f89e5106347e239382df5fb </openembedded-core/commit/?id=2d94f4b8a852dc761f89e5106347e239382df5fb>`
+-  Release Artefact: oecore-2d94f4b8a852dc761f89e5106347e239382df5fb
+-  sha: 344ac23f814c049d69b06cee42c43b7b422506ce84397406caef09becb2555bf
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.4/oecore-2d94f4b8a852dc761f89e5106347e239382df5fb.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.4/oecore-2d94f4b8a852dc761f89e5106347e239382df5fb.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`styhead </meta-mingw/log/?h=styhead>`
+-  Tag:  :yocto_git:`yocto-5.1.4 </meta-mingw/log/?h=yocto-5.1.4>`
+-  Git Revision: :yocto_git:`77fe18d4f8ec34501045c5d92ce7e13b1bd129e9 </meta-mingw/commit/?id=77fe18d4f8ec34501045c5d92ce7e13b1bd129e9>`
+-  Release Artefact: meta-mingw-77fe18d4f8ec34501045c5d92ce7e13b1bd129e9
+-  sha: 4c7f8100a3675d9863e51825def3df5b263ffc81cd57bae26eedbc156d771534
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.4/meta-mingw-77fe18d4f8ec34501045c5d92ce7e13b1bd129e9.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.4/meta-mingw-77fe18d4f8ec34501045c5d92ce7e13b1bd129e9.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.10 </bitbake/log/?h=2.10>`
+-  Tag:  :oe_git:`yocto-5.1.4 </bitbake/log/?h=yocto-5.1.4>`
+-  Git Revision: :oe_git:`82b9f42126983579da03bdbb4e3ebf07346118a7 </bitbake/commit/?id=82b9f42126983579da03bdbb4e3ebf07346118a7>`
+-  Release Artefact: bitbake-82b9f42126983579da03bdbb4e3ebf07346118a7
+-  sha: 209d62c5262f2287af60e7fe2343c29ab25b5088de4da71de89016e75900285a
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-5.1.4/bitbake-82b9f42126983579da03bdbb4e3ebf07346118a7.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-5.1.4/bitbake-82b9f42126983579da03bdbb4e3ebf07346118a7.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`styhead </yocto-docs/log/?h=styhead>`
+-  Tag: :yocto_git:`yocto-5.1.4 </yocto-docs/log/?h=yocto-5.1.4>`
+-  Git Revision: :yocto_git:`f0324b8f14881227336f84325cdebd0518e17796 </yocto-docs/commit/?id=f0324b8f14881227336f84325cdebd0518e17796>`
+
--- a/documentation/overview-manual/concepts.rst
+++ b/documentation/overview-manual/concepts.rst
@@ -683,7 +683,7 @@ Source Fetching
 The first stages of building a recipe are to fetch and unpack the source
 code:

-.. image:: figures/source-fetching.png
+.. image:: svg/source-fetching.*
   :width: 100%

 The :ref:`ref-tasks-fetch` and :ref:`ref-tasks-unpack` tasks fetch
@@ -704,10 +704,10 @@ a defined structure. For additional general information on the
 the Yocto Project Reference Manual.

 Each recipe has an area in the :term:`Build Directory` where the unpacked
-source code resides. The :term:`S` variable points to this area for a recipe's
-unpacked source code. The name of that directory for any given recipe is
-defined from several different variables. The preceding figure and the
-following list describe the :term:`Build Directory`'s hierarchy:
+source code resides. The :term:`UNPACKDIR` variable points to this area for a
+recipe's unpacked source code, and has the default ``sources-unpack`` name. The
+preceding figure and the following list describe the :term:`Build Directory`'s
+hierarchy:

 -  :term:`TMPDIR`: The base directory
   where the OpenEmbedded build system performs all its work during the
@@ -736,11 +736,11 @@ following list describe the :term:`Build Directory`'s hierarchy:
   -  :term:`PV`: The version of the
      recipe used to build the package.

-   -  :term:`PR`: The revision of the
-      recipe used to build the package.
+-  :term:`UNPACKDIR`: Contains the unpacked source files for a given recipe.

-  :term:`S`: Contains the unpacked source
-   files for a given recipe.
+-  :term:`S`: Contains the final location of the source code.
+
+   The default value for :term:`BP` is ``${BPN}-${PV}`` where:

   -  :term:`BPN`: The name of the recipe
      used to build the package. The :term:`BPN` variable is a version of
@@ -764,7 +764,7 @@ Patching
 Once source code is fetched and unpacked, BitBake locates patch files
 and applies them to the source files:

-.. image:: figures/patching.png
+.. image:: svg/patching.*
   :width: 100%

 The :ref:`ref-tasks-patch` task uses a
@@ -805,7 +805,7 @@ After source code is patched, BitBake executes tasks that configure and
 compile the source code. Once compilation occurs, the files are copied
 to a holding area (staged) in preparation for packaging:

-.. image:: figures/configuration-compile-autoreconf.png
+.. image:: svg/configuration-compile-autoreconf.*
   :width: 100%

 This step in the build process consists of the following tasks:
@@ -861,7 +861,7 @@ Package Splitting
 After source code is configured, compiled, and staged, the build system
 analyzes the results and splits the output into packages:

-.. image:: figures/analysis-for-package-splitting.png
+.. image:: svg/analysis-for-package-splitting.*
   :width: 100%

 The :ref:`ref-tasks-package` and
@@ -2204,7 +2204,7 @@ require root privileges, the fact that some earlier steps ran in a fake
 root environment does not cause problems.

 The capability to run tasks in a fake root environment is known as
-"`fakeroot <http://man.he.net/man1/fakeroot>`__", which is derived from
+":manpage:`fakeroot <fakeroot(1)>`", which is derived from
 the BitBake keyword/variable flag that requests a fake root environment
 for a task.

--- a/documentation/overview-manual/figures/analysis-for-package-splitting.png
+++ b/documentation/overview-manual/figures/analysis-for-package-splitting.png
--- a/documentation/overview-manual/figures/configuration-compile-autoreconf.png
+++ b/documentation/overview-manual/figures/configuration-compile-autoreconf.png
--- a/documentation/overview-manual/figures/patching.png
+++ b/documentation/overview-manual/figures/patching.png
--- a/documentation/overview-manual/figures/source-fetching.png
+++ b/documentation/overview-manual/figures/source-fetching.png
--- a/documentation/overview-manual/svg/analysis-for-package-splitting.svg
+++ b/documentation/overview-manual/svg/analysis-for-package-splitting.svg
--- a/documentation/overview-manual/svg/configuration-compile-autoreconf.svg
+++ b/documentation/overview-manual/svg/configuration-compile-autoreconf.svg
--- a/documentation/overview-manual/svg/patching.svg
+++ b/documentation/overview-manual/svg/patching.svg
--- a/documentation/overview-manual/svg/source-fetching.svg
+++ b/documentation/overview-manual/svg/source-fetching.svg
--- a/documentation/overview-manual/yp-intro.rst
+++ b/documentation/overview-manual/yp-intro.rst
@@ -400,7 +400,7 @@ Yocto Project:
   Autobuilder :doc:`here </test-manual/understand-autobuilder>`.

 -  *Pseudo:* Pseudo is the Yocto Project implementation of
-   `fakeroot <http://man.he.net/man1/fakeroot>`__, which is used to run
+   :manpage:`fakeroot <fakeroot(1)>`, which is used to run
   commands in an environment that seemingly has root privileges.

   During a build, it can be necessary to perform operations that
--- a/documentation/poky.yaml.in
+++ b/documentation/poky.yaml.in
@@ -2,17 +2,25 @@
 # Macros used in the documentation
 #

+# The DISTRO variable represents the current docs version. It should be used
+# when referring to the current docs version. See also DISTRO_LATEST_TAG.
 DISTRO : "5.1"
+# The DISTRO_LATEST_TAG represents the latest tag on the current branch. It
+# should be used in HTTP link referring to the current docs version. In these
+# cases, the DISTRO may point to A.B.999 which does not exist (just used to
+# represent the latest HEAD revision on the branch). DISTRO_LATEST_TAG should
+# always point to an existing tag.
+DISTRO_LATEST_TAG : "5.1"
 DISTRO_NAME_NO_CAP : "styhead"
 DISTRO_NAME : "Styhead"
 DISTRO_NAME_NO_CAP_MINUS_ONE : "scarthgap"
 DISTRO_NAME_NO_CAP_LTS : "scarthgap"
 YOCTO_DOC_VERSION : "5.1"
-DISTRO_REL_TAG : "yocto-5.1"
+DISTRO_REL_TAG : "yocto-$DISTRO;"
+DISTRO_REL_LATEST_TAG : "yocto-&DISTRO_LATEST_TAG;"
 DOCCONF_VERSION : "dev"
 BITBAKE_SERIES : ""
 YOCTO_DL_URL : "https://downloads.yoctoproject.org"
-YOCTO_AB_URL : "https://autobuilder.yoctoproject.org"
 YOCTO_RELEASE_DL_URL : "&YOCTO_DL_URL;/releases/yocto/yocto-&DISTRO;"
 MIN_PYTHON_VERSION : "3.8.0"
 MIN_TAR_VERSION : "1.28"
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -563,7 +563,7 @@ You can also look for vulnerabilities in specific packages by passing
 ``-c cve_check`` to BitBake.

 After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``
-and image specific summaries in ``tmp/deploy/images/*.cve`` or ``tmp/deploy/images/*.json`` files.
+and image specific summaries in ``tmp/deploy/images/*.json`` files.

 When building, the CVE checker will emit build time warnings for any detected
 issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component
--- a/documentation/ref-manual/faq.rst
+++ b/documentation/ref-manual/faq.rst
@@ -45,6 +45,28 @@ See :yocto_wiki:`Products that use the Yocto Project
 Wiki. Don't hesitate to contribute to this page if you know other such
 products.

+Why isn't systemd the default init system for OpenEmbedded-Core/Yocto Project or in Poky?
+-----------------------------------------------------------------------------------------
+
+`systemd <https://systemd.io/>`__ is a desktop Linux init system with a specific
+focus that is not entirely aligned with a customisable "embedded" build
+system/environment.
+
+It understandably mandates certain layouts and configurations which may
+or may not align with what the objectives and direction :term:`OpenEmbedded-Core
+(OE-Core)` or Yocto Project want to take. It doesn't support all of our targets.
+For example `musl <https://www.musl-libc.org/>`__ support in systemd is
+problematic.
+
+If it were our default, we would have to align with all their choices
+and this doesn't make sense. It is therefore a configuration option and
+available to anyone where the design goals align. But we are clear it
+is not the only way to handle init.
+
+Our automated testing includes it through the ``poky-altcfg`` :term:`DISTRO` and
+we don't really need it to be the default: it is tested, it works, and people
+can choose to use it.
+
 Building environment
 ====================

--- a/documentation/ref-manual/features.rst
+++ b/documentation/ref-manual/features.rst
@@ -12,7 +12,7 @@ Features provide a mechanism for working out which packages should be
 included in the generated images. Distributions can select which
 features they want to support through the :term:`DISTRO_FEATURES` variable,
 which is set or appended to in a distribution's configuration file such
-as ``poky.conf``, ``poky-tiny.conf``, ``poky-lsb.conf`` and so forth.
+as ``poky.conf``, ``poky-tiny.conf``, ``poky-altcfg.conf`` and so forth.
 Machine features are set in the :term:`MACHINE_FEATURES` variable, which is
 set in the machine configuration file and specifies the hardware
 features for a given machine.
--- a/documentation/ref-manual/images.rst
+++ b/documentation/ref-manual/images.rst
@@ -51,27 +51,6 @@ Here is a list of supported recipes:
 -  ``core-image-full-cmdline``: A console-only image with more
   full-featured Linux system functionality installed.

-  ``core-image-lsb``: An image that conforms to the Linux Standard Base
-   (LSB) specification. This image requires a distribution configuration
-   that enables LSB compliance (e.g. ``poky-lsb``). If you build
-   ``core-image-lsb`` without that configuration, the image will not be
-   LSB-compliant.
-
-  ``core-image-lsb-dev``: A ``core-image-lsb`` image that is suitable
-   for development work using the host. The image includes headers and
-   libraries you can use in a host development environment. This image
-   requires a distribution configuration that enables LSB compliance
-   (e.g. ``poky-lsb``). If you build ``core-image-lsb-dev`` without that
-   configuration, the image will not be LSB-compliant.
-
-  ``core-image-lsb-sdk``: A ``core-image-lsb`` that includes everything
-   in the cross-toolchain but also includes development headers and
-   libraries to form a complete standalone SDK. This image requires a
-   distribution configuration that enables LSB compliance (e.g.
-   ``poky-lsb``). If you build ``core-image-lsb-sdk`` without that
-   configuration, the image will not be LSB-compliant. This image is
-   suitable for development using the target.
-
 -  ``core-image-minimal``: A small image just capable of allowing a
   device to boot.

--- a/documentation/ref-manual/release-process.rst
+++ b/documentation/ref-manual/release-process.rst
@@ -190,7 +190,7 @@ effort has been made to automate the tests so that more people can use
 them and the Yocto Project development team can run them faster and more
 efficiently.

-The Yocto Project's main Autobuilder (&YOCTO_AB_URL;) publicly tests each Yocto
+The Yocto Project's main :yocto_ab:`Autobuilder <>` publicly tests each Yocto
 Project release's code in the :oe_git:`openembedded-core </openembedded-core>`,
 :yocto_git:`poky </poky>` and :oe_git:`bitbake </bitbake>` repositories. The
 testing occurs for both the current state of the "master" branch and also for
--- a/documentation/ref-manual/system-requirements.rst
+++ b/documentation/ref-manual/system-requirements.rst
@@ -377,7 +377,7 @@ If you would prefer not to use the ``install-buildtools`` script, you can instea
 download and run a pre-built :term:`buildtools` installer yourself with the following
 steps:

-#. Go to :yocto_dl:`/releases/yocto/yocto-&DISTRO;/buildtools/`, locate and
+#. Go to :yocto_dl:`/releases/yocto/&DISTRO_REL_LATEST_TAG;/buildtools/`, locate and
   download the ``.sh`` file corresponding to your host architecture
   and to :term:`buildtools`, :term:`buildtools-extended` or :term:`buildtools-make`.

--- a/documentation/ref-manual/terms.rst
+++ b/documentation/ref-manual/terms.rst
@@ -452,7 +452,7 @@ universal, the list includes them just in case:
     the Source Directory, if you do, the top-level directory name of the
     Source Directory is derived from the Yocto Project release tarball.
     For example, downloading and unpacking poky tarballs from
-     :yocto_dl:`/releases/yocto/&DISTRO_REL_TAG;/`
+     :yocto_dl:`/releases/yocto/&DISTRO_REL_LATEST_TAG;/`
     results in a Source Directory whose root folder is named poky.


--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -143,7 +143,7 @@ system and gives an overview of their function and contents.
      information on how this variable is used.

   :term:`AR`
-      The minimal command and arguments used to run ``ar``.
+      The minimal command and arguments used to run :manpage:`ar <ar(1)>`.

   :term:`ARCHIVER_MODE`
      When used with the :ref:`ref-classes-archiver` class,
@@ -165,7 +165,8 @@ system and gives an overview of their function and contents.
      ``meta/classes/archiver.bbclass`` file in the :term:`Source Directory`.

   :term:`AS`
-      Minimal command and arguments needed to run the assembler.
+      Minimal command and arguments needed to run the :manpage:`assembler
+      <as(1)>`.

   :term:`ASSUME_PROVIDED`
      Lists recipe names (:term:`PN` values) BitBake does not
@@ -224,6 +225,12 @@ system and gives an overview of their function and contents.
      must set this variable in your recipe. The
      :ref:`ref-classes-syslinux` class checks this variable.

+   :term:`AUTOTOOLS_SCRIPT_PATH`
+      When using the :ref:`ref-classes-autotools` class, the
+      :term:`AUTOTOOLS_SCRIPT_PATH` variable stores the location of the
+      different scripts used by the Autotools build system. The default
+      value for this variable is :term:`S`.
+
   :term:`AVAILTUNES`
      The list of defined CPU and Application Binary Interface (ABI)
      tunings (i.e. "tunes") available for use by the OpenEmbedded build
@@ -971,55 +978,165 @@ system and gives an overview of their function and contents.
      variable is a useful pointer in case a bug in the software being
      built needs to be manually reported.

+   :term:`BUILD_AR`
+      Specifies the architecture-specific :manpage:`archiver <ar(1)>` for the
+      build host, and its default definition is derived in part from
+      :term:`BUILD_PREFIX`::
+
+         BUILD_AR = "${BUILD_PREFIX}ar"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`AR` is set to the
+      value of this variable by default.
+
+      The :term:`BUILD_AR` variable should not be set manually, and is rarely
+      used in recipes as :term:`AR` contains the appropriate value depending on
+      the context (native or target recipes). Exception be made for target
+      recipes that need to use the :manpage:`archiver <ar(1)>` from the build
+      host at some point during the build.
+
   :term:`BUILD_ARCH`
      Specifies the architecture of the build host (e.g. ``i686``). The
      OpenEmbedded build system sets the value of :term:`BUILD_ARCH` from the
      machine name reported by the ``uname`` command.

+   :term:`BUILD_AS`
+      Specifies the architecture-specific :manpage:`assembler <as(1)>` for the
+      build host, and its default definition is derived in part from
+      :term:`BUILD_PREFIX`::
+
+         BUILD_AS = "${BUILD_PREFIX}as ${BUILD_AS_ARCH}"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`AS` is set to the
+      value of this variable by default.
+
+      The :term:`BUILD_AS` variable should not be set manually, and is rarely
+      used in recipes as :term:`AS` contains the appropriate value depending on
+      the context (native or target recipes). Exception be made for target
+      recipes that need to use the :manpage:`assembler <as(1)>` from the build
+      host at some point during the build.
+
   :term:`BUILD_AS_ARCH`
      Specifies the architecture-specific assembler flags for the build
      host. By default, the value of :term:`BUILD_AS_ARCH` is empty.

+   :term:`BUILD_CC`
+      Specifies the architecture-specific C compiler for the build host,
+      and its default definition is derived in part from :term:`BUILD_PREFIX`
+      and :term:`BUILD_CC_ARCH`::
+
+         BUILD_CC = "${CCACHE}${BUILD_PREFIX}gcc ${BUILD_CC_ARCH}"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`CC` is set to the
+      value of this variable by default.
+
+      The :term:`BUILD_CC` variable should not be set manually, and is rarely
+      used in recipes as :term:`CC` contains the appropriate value depending on
+      the context (native or target recipes). Exception be made for target
+      recipes that need to use the compiler from the build host at some point
+      during the build.
+
   :term:`BUILD_CC_ARCH`
      Specifies the architecture-specific C compiler flags for the build
      host. By default, the value of :term:`BUILD_CC_ARCH` is empty.

   :term:`BUILD_CCLD`
-      Specifies the linker command to be used for the build host when the C
-      compiler is being used as the linker. By default, :term:`BUILD_CCLD`
-      points to GCC and passes as arguments the value of
-      :term:`BUILD_CC_ARCH`, assuming
-      :term:`BUILD_CC_ARCH` is set.
+      Specifies the :manpage:`linker <ld(1)>` command to be used for the build
+      host when the C compiler is being used as the linker, and its default
+      definition is derived in part from :term:`BUILD_PREFIX` and
+      :term:`BUILD_CC_ARCH`::
+
+         BUILD_CCLD = "${BUILD_PREFIX}gcc ${BUILD_CC_ARCH}"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`CCLD` is set to
+      the value of this variable by default.
+
+      The :term:`BUILD_CCLD` variable should not be set manually, and is rarely
+      used in recipes as :term:`CCLD` contains the appropriate value depending on
+      the context (native or target recipes). Exception be made for target
+      recipes that need to use the :manpage:`linker <ld(1)>` from the build host
+      at some point during the build.

   :term:`BUILD_CFLAGS`
      Specifies the flags to pass to the C compiler when building for the
-      build host. When building in the ``-native`` context,
+      build host. When building a :ref:`ref-classes-native` recipe,
      :term:`CFLAGS` is set to the value of this variable by
      default.

+   :term:`BUILD_CPP`
+      Specifies the C preprocessor command (to both the C and the C++ compilers)
+      when building for the build host, and its default definition is derived in
+      part from :term:`BUILD_PREFIX` and :term:`BUILD_CC_ARCH`::
+
+         BUILD_CPP = "${BUILD_PREFIX}gcc ${BUILD_CC_ARCH} -E"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`CPP` is set to
+      the value of this variable by default.
+
+      The :term:`BUILD_CPP` variable should not be set manually, and is rarely
+      used in recipes as :term:`CPP` contains the appropriate value depending on
+      the context (native or target recipes). Exception be made for target
+      recipes that need to use the preprocessor from the build host at some
+      point during the build.
+
   :term:`BUILD_CPPFLAGS`
      Specifies the flags to pass to the C preprocessor (i.e. to both the C
      and the C++ compilers) when building for the build host. When
      building in the ``-native`` context, :term:`CPPFLAGS`
      is set to the value of this variable by default.

+   :term:`BUILD_CXX`
+      Specifies the architecture-specific C++ compiler for the build host,
+      and its default definition is derived in part from :term:`BUILD_PREFIX`
+      and :term:`BUILD_CC_ARCH`::
+
+         BUILD_CXX = "${CCACHE}${BUILD_PREFIX}g++ ${BUILD_CC_ARCH}"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`CXX` is set to
+      the value of this variable by default.
+
+      The :term:`BUILD_CXX` variable should not be set manually, and is rarely
+      used in recipes as :term:`CXX` contains the appropriate value depending on
+      the context (native or target recipes). Exception be made for target
+      recipes that need to use the C++ compiler from the build host at some
+      point during the build.
+
   :term:`BUILD_CXXFLAGS`
      Specifies the flags to pass to the C++ compiler when building for the
-      build host. When building in the ``-native`` context,
+      build host. When building a :ref:`ref-classes-native` recipe,
      :term:`CXXFLAGS` is set to the value of this variable
      by default.

   :term:`BUILD_FC`
-      Specifies the Fortran compiler command for the build host. By
-      default, :term:`BUILD_FC` points to Gfortran and passes as arguments the
-      value of :term:`BUILD_CC_ARCH`, assuming
-      :term:`BUILD_CC_ARCH` is set.
+      Specifies the Fortran compiler command for the build host, and its default
+      definition is derived in part from :term:`BUILD_PREFIX` and
+      :term:`BUILD_CC_ARCH`::
+
+         BUILD_FC = "${BUILD_PREFIX}gfortran ${BUILD_CC_ARCH}"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`FC` is set to the
+      value of this variable by default.
+
+      The :term:`BUILD_FC` variable should not be set manually, and is rarely
+      used in recipes as :term:`FC` contains the appropriate value depending on
+      the context (native or target recipes). Exception be made for target
+      recipes that need to use the Fortran compiler from the build host at some
+      point during the build.

   :term:`BUILD_LD`
-      Specifies the linker command for the build host. By default,
-      :term:`BUILD_LD` points to the GNU linker (ld) and passes as arguments
-      the value of :term:`BUILD_LD_ARCH`, assuming
-      :term:`BUILD_LD_ARCH` is set.
+      Specifies the linker command for the build host, and its default
+      definition is derived in part from :term:`BUILD_PREFIX` and
+      :term:`BUILD_LD_ARCH`::
+
+         BUILD_LD = "${BUILD_PREFIX}ld ${BUILD_LD_ARCH}"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`LD` is set to the
+      value of this variable by default.
+
+      The :term:`BUILD_LD` variable should not be set manually, and is rarely
+      used in recipes as :term:`LD` contains the appropriate value depending on
+      the context (native or target recipes). Exception be made for target
+      recipes that need to use the linker from the build host at some point
+      during the build.

   :term:`BUILD_LD_ARCH`
      Specifies architecture-specific linker flags for the build host. By
@@ -1027,10 +1144,58 @@ system and gives an overview of their function and contents.

   :term:`BUILD_LDFLAGS`
      Specifies the flags to pass to the linker when building for the build
-      host. When building in the ``-native`` context,
+      host. When building a :ref:`ref-classes-native` recipe,
      :term:`LDFLAGS` is set to the value of this variable
      by default.

+   :term:`BUILD_NM`
+      Specifies the architecture-specific utility to list symbols from object
+      files for the build host, and its default definition is derived in part
+      from :term:`BUILD_PREFIX`::
+
+         BUILD_NM = "${BUILD_PREFIX}nm"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`NM` is set to the
+      value of this variable by default.
+
+      The :term:`BUILD_NM` variable should not be set manually, and is rarely
+      used in recipes as :term:`NM` contains the appropriate value depending on
+      the context (native or target recipes). Exception be made for target
+      recipes that need to use the utility from the build host at some point
+      during the build.
+
+   :term:`BUILD_OBJCOPY`
+      Specifies the architecture-specific utility to copy object files for the
+      build host, and its default definition is derived in part from
+      :term:`BUILD_PREFIX`::
+
+         BUILD_OBJCOPY = "${BUILD_PREFIX}objcopy"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`OBJCOPY` is set
+      to the value of this variable by default.
+
+      The :term:`BUILD_OBJCOPY` variable should not be set manually, and is
+      rarely used in recipes as :term:`OBJCOPY` contains the appropriate value
+      depending on the context (native or target recipes). Exception be made for
+      target recipes that need to use the utility from the build host at some
+      point during the build.
+
+   :term:`BUILD_OBJDUMP`
+      Specifies the architecture-specific utility to display object files
+      information for the build host, and its default definition is derived in
+      part from :term:`BUILD_PREFIX`::
+
+         BUILD_OBJDUMP = "${BUILD_PREFIX}objdump"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`OBJDUMP` is set
+      to the value of this variable by default.
+
+      The :term:`BUILD_OBJDUMP` variable should not be set manually, and is
+      rarely used in recipes as :term:`OBJDUMP` contains the appropriate value
+      depending on the context (native or target recipes). Exception be made for
+      target recipes that need to use the utility from the build host at some
+      point during the build.
+
   :term:`BUILD_OPTIMIZATION`
      Specifies the optimization flags passed to the C compiler when
      building for the build host or the SDK. The flags are passed through
@@ -1051,11 +1216,53 @@ system and gives an overview of their function and contents.
      build system uses the :term:`BUILD_PREFIX` value to set the
      :term:`TARGET_PREFIX` when building for :ref:`ref-classes-native` recipes.

+   :term:`BUILD_RANLIB`
+      Specifies the architecture-specific utility to generate indexes for
+      archives for the build host, and its default definition is derived in part
+      from :term:`BUILD_PREFIX`::
+
+         BUILD_RANLIB = "${BUILD_PREFIX}ranlib -D"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`RANLIB` is set to
+      the value of this variable by default.
+
+      The :term:`BUILD_RANLIB` variable should not be set manually, and is
+      rarely used in recipes as :term:`RANLIB` contains the appropriate value
+      depending on the context (native or target recipes). Exception be made for
+      target recipes that need to use the utility from the build host at some
+      point during the build.
+
+   :term:`BUILD_READELF`
+      Specifies the architecture-specific utility to display information about
+      ELF files for the build host, and its default definition is derived in
+      part from :term:`BUILD_PREFIX`::
+
+         BUILD_READELF = "${BUILD_PREFIX}readelf"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`READELF` is set
+      to the value of this variable by default.
+
+      The :term:`BUILD_READELF` variable should not be set manually, and is
+      rarely used in recipes as :term:`READELF` contains the appropriate value
+      depending on the context (native or target recipes). Exception be made for
+      target recipes that need to use the utility from the build host at some
+      point during the build.
+
   :term:`BUILD_STRIP`
-      Specifies the command to be used to strip debugging symbols from
-      binaries produced for the build host. By default, :term:`BUILD_STRIP`
-      points to
-      ``${``\ :term:`BUILD_PREFIX`\ ``}strip``.
+      Specifies the command to be used to strip debugging symbols from binaries
+      produced for the build host, and its default definition is derived in part
+      from :term:`BUILD_PREFIX`::
+
+         BUILD_STRIP = "${BUILD_PREFIX}strip"
+
+      When building a :ref:`ref-classes-native` recipe, :term:`STRIP` is set to
+      the value of this variable by default.
+
+      The :term:`BUILD_STRIP` variable should not be set manually, and is
+      rarely used in recipes as :term:`STRIP` contains the appropriate value
+      depending on the context (native or target recipes). Exception be made for
+      target recipes that need to use the utility from the build host at some
+      point during the build.

   :term:`BUILD_SYS`
      Specifies the system, including the architecture and the operating
@@ -1251,6 +1458,10 @@ system and gives an overview of their function and contents.
   :term:`CC`
      The minimal command and arguments used to run the C compiler.

+   :term:`CCLD`
+      The minimal command and arguments used to run the linker when the C
+      compiler is being used as the linker.
+
   :term:`CFLAGS`
      Specifies the flags to pass to the C compiler. This variable is
      exported to an environment variable and thus made visible to the
@@ -1494,6 +1705,17 @@ system and gives an overview of their function and contents.
   :term:`CONFIGURE_FLAGS`
      The minimal arguments for GNU configure.

+   :term:`CONFIGURE_SCRIPT`
+      When using the :ref:`ref-classes-autotools` class, the
+      :term:`CONFIGURE_SCRIPT` variable stores the location of the ``configure``
+      script for the Autotools build system. The default definition for this
+      variable is::
+
+         CONFIGURE_SCRIPT ?= "${AUTOTOOLS_SCRIPT_PATH}/configure"
+
+      Where :term:`AUTOTOOLS_SCRIPT_PATH` is the location of the of the
+      Autotools build system scripts, which defaults to :term:`S`.
+
   :term:`CONFLICT_DISTRO_FEATURES`
      When inheriting the :ref:`ref-classes-features_check`
      class, this variable identifies distribution features that would be
@@ -2775,6 +2997,9 @@ system and gives an overview of their function and contents.
   :term:`FAKEROOTNOENV`
      See :term:`bitbake:FAKEROOTNOENV` in the BitBake manual.

+   :term:`FC`
+      The minimal command and arguments used to run the Fortran compiler.
+
   :term:`FEATURE_PACKAGES`
      Defines one or more packages to include in an image when a specific
      item is included in :term:`IMAGE_FEATURES`.
@@ -3360,6 +3585,20 @@ system and gives an overview of their function and contents.
      - mips
      - mipsel

+   :term:`HOST_AS_ARCH`
+      Specifies architecture-specific assembler flags.
+
+      Default initialization for :term:`HOST_AS_ARCH` varies depending on what
+      is being built:
+
+      -  :term:`TARGET_AS_ARCH` when building for the
+         target
+
+      -  :term:`BUILD_AS_ARCH` when building for the build host (i.e.
+         ``-native``)
+
+      -  :term:`SDK_AS_ARCH` when building for an SDK (i.e. ``nativesdk-``)
+
   :term:`HOST_CC_ARCH`
      Specifies architecture-specific compiler flags that are passed to the
      C compiler.
@@ -3373,8 +3612,20 @@ system and gives an overview of their function and contents.
      -  :term:`BUILD_CC_ARCH` when building for the build host (i.e.
         ``-native``)

-      -  ``BUILDSDK_CC_ARCH`` when building for an SDK (i.e.
-         ``nativesdk-``)
+      -  :term:`SDK_CC_ARCH` when building for an SDK (i.e. ``nativesdk-``)
+
+   :term:`HOST_LD_ARCH`
+      Specifies architecture-specific linker flags.
+
+      Default initialization for :term:`HOST_LD_ARCH` varies depending on what
+      is being built:
+
+      -  :term:`TARGET_LD_ARCH` when building for the target
+
+      -  :term:`BUILD_LD_ARCH` when building for the build host (i.e.
+         ``-native``)
+
+      -  :term:`SDK_LD_ARCH` when building for an SDK (i.e. ``nativesdk-``)

   :term:`HOST_OS`
      Specifies the name of the target operating system, which is normally
@@ -3934,6 +4185,12 @@ system and gives an overview of their function and contents.

         IMAGE_ROOTFS_EXTRA_SPACE = "41943040"

+   :term:`IMAGE_ROOTFS_MAXSIZE`
+      Defines the maximum size in Kbytes for the generated image. If the
+      generated image size is above that, the build will fail. It's a good
+      idea to set this variable for images that need to fit on a limited
+      space (e.g. SD card, a fixed-size partition, ...).
+
   :term:`IMAGE_ROOTFS_SIZE`
      Defines the size in Kbytes for the generated image. The OpenEmbedded
      build system determines the final size for the generated image using
@@ -4403,8 +4660,7 @@ system and gives an overview of their function and contents.

      The value in :term:`INITSCRIPT_PARAMS` is passed through to the
      ``update-rc.d`` command. For more information on valid parameters,
-      please see the ``update-rc.d`` manual page at
-      https://manpages.debian.org/buster/init-system-helpers/update-rc.d.8.en.html
+      please see the manual page: :manpage:`update-rc.d <update-rc.d(8)>`.

   :term:`INSANE_SKIP`
      Specifies the QA checks to skip for a specific package within a
@@ -4973,7 +5229,8 @@ system and gives an overview of their function and contents.
      ``LAYERVERSION_mylayer``).

   :term:`LD`
-      The minimal command and arguments used to run the linker.
+      The minimal command and arguments used to run the :manpage:`linker
+      <ld(1)>`.

   :term:`LDFLAGS`
      Specifies the flags to pass to the linker. This variable is exported
@@ -5579,7 +5836,7 @@ system and gives an overview of their function and contents.
      variable is set.

   :term:`NM`
-      The minimal command and arguments to run ``nm``.
+      The minimal command and arguments to run :manpage:`nm <nm(1)>`.

   :term:`NO_GENERIC_LICENSE`
      Avoids QA errors when you use a non-common, non-CLOSED license in a
@@ -5668,10 +5925,10 @@ system and gives an overview of their function and contents.
          NVDCVE_API_KEY = "fe753&7a2-1427-347d-23ff-b2e2b7ca5f3"

   :term:`OBJCOPY`
-      The minimal command and arguments to run ``objcopy``.
+      The minimal command and arguments to run :manpage:`objcopy <objcopy(1)>`.

   :term:`OBJDUMP`
-      The minimal command and arguments to run ``objdump``.
+      The minimal command and arguments to run :manpage:`objdump <objdump(1)>`.

   :term:`OE_BINCONFIG_EXTRA_MANGLE`
      When inheriting the :ref:`ref-classes-binconfig` class,
@@ -5696,14 +5953,6 @@ system and gives an overview of their function and contents.

         OECMAKE_GENERATOR = "Unix Makefiles"

-   :term:`OE_IMPORTS`
-      An internal variable used to tell the OpenEmbedded build system what
-      Python modules to import for every Python function run by the system.
-
-      .. note::
-
-         Do not set this variable. It is for internal use only.
-
   :term:`OE_INIT_ENV_SCRIPT`
      The name of the build environment setup script for the purposes of
      setting up the environment within the extensible SDK. The default
@@ -6580,6 +6829,23 @@ system and gives an overview of their function and contents.
      The version of the package(s) built by the recipe. By default,
      :term:`PKGV` is set to :term:`PV`.

+      If :term:`PV` contains the ``+`` sign, source control information will be
+      included in :term:`PKGV` later in the packaging phase. For more
+      information, see the :doc:`/dev-manual/external-scm` section of the Yocto
+      Project Development Tasks Manual.
+
+      .. warning::
+
+         Since source control information is included in a late stage by the
+         :ref:`ref-classes-package` class, it cannot be seen from the BitBake
+         environment with ``bitbake -e`` or ``bitbake-getvar``. Instead, after
+         the package is built, the version information can be retrieved with
+         ``oe-pkgdata-util package-info <package name>``. See the
+         :ref:`dev-manual/debugging:Viewing Package Information with
+         \`\`oe-pkgdata-util\`\`` section of the Yocto Project Development Tasks
+         Manual for more information on ``oe-pkgdata-util``.
+
+
   :term:`PN`
      This variable can have two separate functions depending on the
      context: a recipe name or a resulting package name.
@@ -6961,7 +7227,7 @@ system and gives an overview of their function and contents.
         QA_EMPTY_DIRS_RECOMMENDATION:/dev = "but all devices must be created at runtime"

   :term:`RANLIB`
-      The minimal command and arguments to run ``ranlib``.
+      The minimal command and arguments to run :manpage:`ranlib <ranlib(1)>`.

   :term:`RCONFLICTS`
      The list of packages that conflict with packages. Note that packages
@@ -7098,6 +7364,9 @@ system and gives an overview of their function and contents.
      ":ref:`bitbake-user-manual/bitbake-user-manual-execution:dependencies`" sections in the
      BitBake User Manual for additional information on tasks and dependencies.

+   :term:`READELF`
+      The minimal command and arguments to run :manpage:`readelf <readelf(1)>`.
+
   :term:`RECIPE_MAINTAINER`
      This variable defines the name and e-mail address of the maintainer of a
      recipe. Such information can be used by human users submitted changes,
@@ -7493,11 +7762,21 @@ system and gives an overview of their function and contents.

      Only one archive type can be specified.

+   :term:`SDK_AS_ARCH`
+      Specifies architecture-specific assembler flags when building
+      :ref:`ref-classes-nativesdk` recipes. By default, the value of
+      :term:`SDK_AS_ARCH` equals the one of :term:`BUILD_AS_ARCH`.
+
   :term:`SDK_BUILDINFO_FILE`
      When using the :ref:`ref-classes-image-buildinfo` class,
      specifies the file in the SDK to write the build information into. The
      default value is "``/buildinfo``".

+   :term:`SDK_CC_ARCH`
+      Specifies the architecture-specific C compiler flags when building
+      :ref:`ref-classes-nativesdk` recipes. By default, the value of
+      :term:`SDK_CC_ARCH` equals the one of :term:`BUILD_CC_ARCH`.
+
   :term:`SDK_CUSTOM_TEMPLATECONF`
      When building the extensible SDK, if :term:`SDK_CUSTOM_TEMPLATECONF` is set to
      "1" and a ``conf/templateconf.cfg`` file exists in the :term:`Build Directory`
@@ -7579,6 +7858,11 @@ system and gives an overview of their function and contents.
      :term:`SDK_EXT_TYPE` is set to "minimal", and defaults to "1" if
      :term:`SDK_EXT_TYPE` is set to "full".

+   :term:`SDK_LD_ARCH`
+      Specifies architecture-specific linker flags when building
+      :ref:`ref-classes-nativesdk` recipes. By default, the value of
+      :term:`SDK_LD_ARCH` equals the one of :term:`BUILD_LD_ARCH`.
+
   :term:`SDK_NAME`
      The base name for SDK output files. The default value (as set in
      ``meta-poky/conf/distro/poky.conf``) is derived from the
@@ -8704,8 +8988,8 @@ system and gives an overview of their function and contents.
      places stamps. The default directory is ``${TMPDIR}/stamps``.

   :term:`STRIP`
-      The minimal command and arguments to run ``strip``, which is used to
-      strip symbols.
+      The minimal command and arguments to run :manpage:`strip <strip(1)>`,
+      which is used to strip symbols.

   :term:`SUMMARY`
      The short (72 characters or less) summary of the binary package for
@@ -10181,8 +10465,8 @@ system and gives an overview of their function and contents.
      ":ref:`ref-classes-insane`" section.

   :term:`WATCHDOG_TIMEOUT`
-      Specifies the timeout in seconds used by the ``watchdog`` recipe and
-      also by ``systemd`` during reboot. The default is 60 seconds.
+      Specifies the timeout in seconds used by the ``watchdog-config`` recipe
+      and also by ``systemd`` during reboot. The default is 60 seconds.

   :term:`WIRELESS_DAEMON`
      For ``connman`` and ``packagegroup-base``, specifies the wireless
--- a/documentation/sdk-manual/appendix-obtain.rst
+++ b/documentation/sdk-manual/appendix-obtain.rst
@@ -29,7 +29,7 @@ and then run the script to hand-install the toolchain.
 Follow these steps to locate and hand-install the toolchain:

 #. *Go to the Installers Directory:* Go to
-   :yocto_dl:`/releases/yocto/yocto-&DISTRO;/toolchain/`
+   :yocto_dl:`/releases/yocto/&DISTRO_REL_LATEST_TAG;/toolchain/`

 #. *Open the Folder for Your Build Host:* Open the folder that matches
   your :term:`Build Host` (i.e.
@@ -201,7 +201,7 @@ Follow these steps to extract the root filesystem:
   Image File:* You need to find and download the root filesystem image
   file that is appropriate for your target system. These files are kept
   in machine-specific folders in the
-   :yocto_dl:`Index of Releases </releases/yocto/yocto-&DISTRO;/machines/>`
+   :yocto_dl:`Index of Releases </releases/yocto/&DISTRO_REL_LATEST_TAG;/machines/>`
   in the "machines" directory.

   The machine-specific folders of the "machines" directory contain
@@ -245,7 +245,7 @@ Follow these steps to extract the root filesystem:

   Here is an example command that extracts the root filesystem
   from a previously built root filesystem image that was downloaded
-   from the :yocto_dl:`Index of Releases </releases/yocto/yocto-&DISTRO;/machines/>`.
+   from the :yocto_dl:`Index of Releases </releases/yocto/&DISTRO_REL_LATEST_TAG;/machines/>`.
   This command extracts the root filesystem into the ``core2-64-sato``
   directory::

--- a/documentation/sdk-manual/extensible.rst
+++ b/documentation/sdk-manual/extensible.rst
@@ -87,7 +87,7 @@ Host` by running the ``*.sh`` installation script.
 You can download a tarball installer, which includes the pre-built
 toolchain, the ``runqemu`` script, the internal build system,
 ``devtool``, and support files from the appropriate
-:yocto_dl:`toolchain </releases/yocto/yocto-&DISTRO;/toolchain/>` directory within the Index of
+:yocto_dl:`toolchain </releases/yocto/&DISTRO_REL_LATEST_TAG;/toolchain/>` directory within the Index of
 Releases. Toolchains are available for several 32-bit and 64-bit
 architectures with the ``x86_64`` directories, respectively. The
 toolchains the Yocto Project provides are based off the
@@ -178,7 +178,7 @@ Running the Extensible SDK Environment Setup Script
 Once you have the SDK installed, you must run the SDK environment setup
 script before you can actually use the SDK.

-When using a SDK directly in a Yocto build, you will find the script in
+When using an SDK directly in a Yocto build, you will find the script in
 ``tmp/deploy/images/qemux86-64/`` in your :term:`Build Directory`.

 When using a standalone SDK installer, this setup script resides in
@@ -622,28 +622,91 @@ command:
      decide you do not want to proceed with your work. If you do use this
      command, realize that the source tree is preserved.

-``devtool ide-sdk`` configures IDEs for the extensible SDK
----------------------------------------------------------
+``devtool ide-sdk`` configures IDEs and bootstraps SDKs
+-------------------------------------------------------

-``devtool ide-sdk`` automatically configures IDEs to use the extensible SDK.
-To make sure that all parts of the extensible SDK required by the generated
-IDE configuration are available, ``devtool ide-sdk`` uses BitBake in the
-background to bootstrap the extensible SDK.
+The ``devtool ide-sdk`` command can provide an IDE configuration for IDEs when
+working on the source code of one or more recipes.
+Depending on the programming language, and the build system used by the recipe,
+the tools required for cross-development and remote debugging are different.
+For example:

-The extensible SDK supports two different development modes.
-``devtool ide-sdk`` supports both of them:
+-  A C/C++ project usually uses CMake or Meson.
+
+-  A Python project uses setuptools or one of its successors.
+
+-  A Rust project uses Cargo.
+
+Also, the IDE plugins needed for the integration of a build system with the
+IDE and the corresponding settings are usually specific to these build-systems.
+To hide all these details from the user, ``devtool ide-sdk`` does two things:
+
+-  It generates any kind of SDK needed for cross-development and remote
+   debugging of the specified recipes.
+
+-  It generates the configuration for the IDE (and the IDE plugins) for using
+   the cross-toolchain and remote debugging tools provided by the SDK directly
+   from the IDE.
+
+For supported build systems the configurations generated by ``devtool ide-sdk``
+combine the advantages of the ``devtool modify`` based workflow
+(see :ref:`using_devtool`) with the advantages of the simple Environment Setup
+script based workflow (see :ref:`running_the_ext_sdk_env`) provided by Yocto's
+SDK or eSDK:
+
+-  The source code of the recipe is in the workspace created by
+   ``devtool modify`` or ``devtool add``.
+   Using ``devtool build``, ``devtool build-image``,
+   ``devtool deploy-target`` or ``bitbake`` is possible.
+   Also ``devtool ide-sdk`` can be used to update the SDK and the IDE
+   configuration at any time.
+
+-  ``devtool ide-sdk`` aims to support multiple programming languages and
+   multiple IDEs natively. "Natively" means that the IDE is configured to call
+   the build tool (e.g. ``cmake`` or ``meson``) directly. This has several
+   advantages.
+   First of all, it is usually much faster to call for example ``cmake`` than
+   ``devtool build``.
+   It also allows to benefit from the very good integration that IDEs like
+   VSCode offer for tools like CMake or GDB.
+   
+   However, supporting many programming languages and multiple
+   IDEs is quite an elaborate and constantly evolving thing. Support for IDEs
+   is therefore implemented as plugins. Plugins can also be provided by
+   optional layers.
+
+So much about the introduction to the default mode of ``devtool sdk-ide`` which
+is called the "modified" mode because it uses the workspace created by
+``devtool modify`` and the per recipe :term:`Sysroots <Sysroot>` of BitBake.
+
+For some recipes and use cases, this default behavior of ``devtool ide-sdk``
+with full ``devtool`` and ``bitbake`` integration might not be suitable.
+To offer full feature parity with the SDK and the eSDK, ``devtool ide-sdk`` has
+a second mode called "shared" mode.
+If ``devtool ide-sdk`` is called with the ``--mode=shared`` option, it
+bootstraps an SDK directly from the BitBake environment, which offers the same
+Environment Setup script as described in :ref:`running_the_ext_sdk_env`.
+In addition to the (e)SDK installer-based setup, the IDE gets configured
+to use the shared :term:`Sysroots <Sysroot>` and the tools from the SDK.
+``devtool ide-sdk --mode=shared`` is basically a wrapper for the setup of the
+extensible SDK as described in :ref:`setting_up_ext_sdk_in_build`.
+
+The use of ``devtool ide-sdk`` is an alternative to using one of the SDK
+installers.
+``devtool ide-sdk`` allows the creation of SDKs that offer all the
+functionality of the SDK and the eSDK installers. Compared to the installers,
+however, the SDK created with ``devtool ide-sdk`` is much more flexible.
+For example, it is very easy to change the :term:`MACHINE` in the
+``local.conf`` file, update the layer meta data and then regenerate the SDK.
+
+Let's take a look at an example of how to use ``devtool ide-sdk`` in each of
+the two modes:

 #. *Modified mode*:

-   By default ``devtool ide-sdk`` generates IDE configurations for recipes in
-   workspaces created by ``devtool modify`` or ``devtool add`` as described in
-   :ref:`using_devtool`.  This mode creates IDE configurations with support for
-   advanced features, such as deploying the binaries to the remote target
-   device and performing remote debugging sessions. The generated IDE
-   configurations use the per recipe sysroots as Bitbake does internally.
-
-   In order to use the tool, a few settings are needed. As a starting example,
-   the following lines of code can be added to the ``local.conf`` file::
+   In order to use the ``devtool ide-sdk``, a few settings are needed. As a
+   starting example, the following lines of code can be added to the
+   ``local.conf`` file::

      # Build the companion debug file system
      IMAGE_GEN_DEBUGFS = "1"
@@ -666,15 +729,20 @@ The extensible SDK supports two different development modes.
      IMAGE_INSTALL:append = " my-recipe"

   Assuming the BitBake environment is set up correctly and a workspace has
-   been created for the recipe using ``devtool modify my-recipe``, the
+   been created for the recipe using ``devtool modify my-recipe`` or probably
+   even better by using ``devtool modify my-recipe --debug-build``, the
   following command can create the SDK and the configuration for VSCode in
   the recipe workspace::

      $ devtool ide-sdk my-recipe core-image-minimal --target root@192.168.7.2

-   The command requires an image recipe (``core-image-minimal`` for this example)
-   that is used to create the SDK. This firmware image should also be installed
-   on the target device.  It is possible to pass multiple package recipes.
+   The command requires an image recipe (``core-image-minimal`` for this
+   example) that is used to create the SDK.
+   This firmware image should also be installed on the target device.
+   It is possible to pass multiple package recipes::
+
+      $ devtool ide-sdk my-recipe-1 my-recipe-2 core-image-minimal --target root@192.168.7.2
+
   ``devtool ide-sdk`` tries to create an IDE configuration for all package
   recipes.

@@ -684,9 +752,9 @@ The extensible SDK supports two different development modes.

   For example, a CMake preset is created for a recipe that inherits
   :ref:`ref-classes-cmake`. In the case of VSCode, CMake presets are supported
-   by the CMake Tools plugin.  This is an example of how the build
-   configuration used by ``bitbake`` is exported to an IDE configuration that
-   gives exactly the same build results.
+   by the CMake Tools plugin. This is an example of how the build configuration
+   used by ``bitbake`` is exported to an IDE configuration that gives exactly
+   the same build results.

   Support for remote debugging with seamless integration into the IDE is
   important for a cross-SDK. ``devtool ide-sdk`` automatically generates the
@@ -699,23 +767,54 @@ The extensible SDK supports two different development modes.
      running on the target device, it is essential that the image built by
      ``devtool ide-sdk`` is running on the target device.

-   ``devtool ide-sdk`` aims to support multiple programming languages and
-   multiple IDEs natively. "Natively" means that the IDE is configured to call
-   the build tool (e.g. CMake or Meson) directly. This has several advantages.
-   First of all, it is much faster than ``devtool build``, but it also allows
-   to use the very good integration of tools like CMake or GDB in VSCode and
-   other IDEs. However, supporting many programming languages and multiple
-   IDEs is quite an elaborate and constantly evolving thing. Support for IDEs
-   is therefore implemented as plugins. Plugins can also be provided by
-   optional layers.
-
   The default IDE is VSCode. Some hints about using VSCode:

-   -  To work on the source code of a recipe an instance of VSCode is started in
-      the recipe's workspace. Example::
+   -  VSCode can be used to work on the BitBake recipes or the application
+      source code.
+      Usually there is one instance of VSCode running in the folder where the
+      BitBake recipes are. This instance has the
+      `Yocto Project BitBake plugin <https://marketplace.visualstudio.com/items?itemName=yocto-project.yocto-bitbake>`_
+      running.
+
+      .. warning::
+
+         Some VSCode plugins (Python, BitBake and others) need a reasonable
+         configuration to work as expected. Otherwise, some plugins try to
+         index the build directory of BitBake, which keeps your system quite
+         busy until an out of memory exception stops this nonsense.
+         Other plugins, such as the BitBake plugin, do not behave as expected.
+
+         To work around such issues, the ``oe-init-build-env`` script creates
+         an initial ``.vscode/settings.json`` file if ``code`` can be found
+         and the ``.vscode`` folder does not yet exist.
+         It is best to run ``oe-init-build-env`` once before starting VSCode.
+         An alternative approach is to use a build folder outside the layers,
+         e.g. ``oe-init-build-env ../build``.
+
+      The BitBake plugin also offers to create devtool workspaces and run
+      ``devtool ide-sdk`` with a few mouse clicks.
+      Of course, issuing commands in the terminal works as well.
+
+   -  To work on the source code of a recipe another instance of VSCode is
+      started in the recipe's workspace. Example::

         code build/workspace/sources/my-recipe

+      This instance of VSCode uses plugins that are useful for the development
+      of the application. ``devtool ide-sdk`` generates the necessary
+      ``extensions.json``, ``settings.json``, ``tasks.json``and ``launch.json``
+      configuration files for all the involved plugins.
+
+      When the source code folder present in the workspace folder is opened in
+      VSCode for the first time, a pop-up message recommends installing the
+      required plugins.
+      After accepting the installation of the plugins, working with the source
+      code or some debugging tasks should work as usual with VSCode.
+
+      Starting the VSCode instances in the recipe workspace folders can also be
+      done by a mouse click on the recipe workspaces in the first VSCode
+      instance.
+
   -  To work with CMake press ``Ctrl + Shift + p``, type ``cmake``. This will
      show some possible commands like selecting a CMake preset, compiling or
      running CTest.
@@ -728,10 +827,9 @@ The extensible SDK supports two different development modes.
      show some possible commands like compiling or executing the unit tests.

      A note on running cross-compiled unit tests on the host: Meson enables
-      support for QEMU user-mode by default. It is expected that the execution
-      of the unit tests from the IDE will work easily without any additional
-      steps, provided that the code is suitable for execution on the host
-      machine.
+      support for QEMU user mode by default. It is expected that the execution
+      of the unit tests from the IDE will work without any additional steps,
+      given that the code is suitable for the execution on the host machine.

   -  For the deployment to the target device, just press ``Ctrl + Shift + p``,
      type ``task``.  Select ``install && deploy-target``.
@@ -742,23 +840,23 @@ The extensible SDK supports two different development modes.
      selected.  After selecting one of the generated configurations, press the
      "play" button.

-      Starting a remote debugging session automatically initiates the deployment
-      to the target device. If this is not desired, the
+      Starting a remote debugging session automatically initiates the
+      deployment to the target device. If this is not desired, the
      ``"dependsOn": ["install && deploy-target...]`` parameter of the tasks
      with ``"label": "gdbserver start...`` can be removed from the
      ``tasks.json`` file.

-      VSCode supports GDB with many different setups and configurations for many
-      different use cases.  However, most of these setups have some limitations
-      when it comes to cross-development, support only a few target
+      VSCode supports GDB with many different setups and configurations for
+      many different use cases.  However, most of these setups have some
+      limitations when it comes to cross-development, support only a few target
      architectures or require a high performance target device. Therefore
      ``devtool ide-sdk`` supports the classic, generic setup with GDB on the
      development host and gdbserver on the target device.

      Roughly summarized, this means:

-      -  The binaries are copied via SSH to the remote target device by a script
-         referred by ``tasks.json``.
+      -  The binaries are copied via SSH to the remote target device by a
+         script referred by ``tasks.json``.

      -  gdbserver is started on the remote target device via SSH by a script
         referred by ``tasks.json``.
@@ -783,8 +881,8 @@ The extensible SDK supports two different development modes.
   .. code-block:: sh

      # Create the SDK
-      devtool modify cmake-example
-      devtool ide-sdk cmake-example core-image-minimal -c --debug-build-config --ide=none
+      devtool modify cmake-example --debug-build
+      devtool ide-sdk cmake-example core-image-minimal -c --ide=none

      # Install the firmware on a target device or start QEMU
      runqemu
@@ -860,16 +958,9 @@ The extensible SDK supports two different development modes.

 #. *Shared sysroots mode*

-   For some recipes and use cases a per-recipe sysroot based SDK is not
-   suitable.  Optionally ``devtool ide-sdk`` configures the IDE to use the
-   toolchain provided by the extensible SDK as described in
-   :ref:`running_the_ext_sdk_env`. ``devtool ide-sdk --mode=shared`` is
-   basically a wrapper for the setup of the extensible SDK as described in
-   :ref:`setting_up_ext_sdk_in_build`. The IDE gets a configuration to use the
-   shared sysroots.
-
-   Creating a SDK with shared sysroots that contains all the dependencies needed
-   to work with ``my-recipe`` is possible with the following example command::
+   Creating an SDK with shared :term:`Sysroots <Sysroot>` that contains all the
+   dependencies needed to work with ``my-recipe`` is possible with the following
+   example command::

      $ devtool ide-sdk --mode=shared my-recipe

@@ -883,12 +974,14 @@ The extensible SDK supports two different development modes.
      echo "project(foo VERSION 1.0)" > kit-test/CMakeLists.txt
      code kit-test

-   If there is a CMake project in the workspace, cross-compilation is supported:
+   If there is a CMake project in the workspace, cross-compilation is
+   supported:

   - Press ``Ctrl + Shift + P``, type ``CMake: Scan for Kits``
   - Press ``Ctrl + Shift + P``, type ``CMake: Select a Kit``

-   Finally most of the features provided by CMake and the IDE should be available.
+   Finally most of the features provided by CMake and the IDE should be
+   available.

   Other IDEs than VSCode are supported as well. However,
   ``devtool ide-sdk --mode=shared --ide=none my-recipe`` is currently
--- a/documentation/sdk-manual/intro.rst
+++ b/documentation/sdk-manual/intro.rst
@@ -173,7 +173,7 @@ You just need to follow these general steps:
   root filesystem images.

   If you are going to develop your application on hardware, go to the
-   :yocto_dl:`machines </releases/yocto/yocto-&DISTRO;/machines/>` download area and choose a
+   :yocto_dl:`machines </releases/yocto/&DISTRO_REL_LATEST_TAG;/machines/>` download area and choose a
   target machine area from which to download the kernel image and root
   filesystem. This download area could have several files in it that
   support development using actual hardware. For example, the area
@@ -183,7 +183,7 @@ You just need to follow these general steps:

   If you are going to develop your application and then run and test it
   using the QEMU emulator, go to the
-   :yocto_dl:`machines/qemu </releases/yocto/yocto-&DISTRO;/machines/qemu>` download area. From this
+   :yocto_dl:`machines/qemu </releases/yocto/&DISTRO_REL_LATEST_TAG;/machines/qemu>` download area. From this
   area, go down into the directory for your target architecture (e.g.
   ``qemux86_64`` for an Intel-based 64-bit architecture). Download the
   kernel, root filesystem, and any other files you need for your
--- a/documentation/sdk-manual/using.rst
+++ b/documentation/sdk-manual/using.rst
@@ -43,7 +43,7 @@ Host` by running the ``*.sh`` installation script.

 You can download a tarball installer, which includes the pre-built
 toolchain, the ``runqemu`` script, and support files from the
-appropriate :yocto_dl:`toolchain </releases/yocto/yocto-&DISTRO;/toolchain/>` directory within
+appropriate :yocto_dl:`toolchain </releases/yocto/&DISTRO_REL_LATEST_TAG;/toolchain/>` directory within
 the Index of Releases. Toolchains are available for several 32-bit and
 64-bit architectures with the ``x86_64`` directories, respectively. The
 toolchains the Yocto Project provides are based off the
--- a/documentation/set_versions.py
+++ b/documentation/set_versions.py
@@ -170,17 +170,29 @@ series = [k for k in release_series]
 previousseries = series[series.index(ourseries)+1:] or [""]
 lastlts = [k for k in previousseries if k in ltsseries] or "dunfell"

+latestreltag = subprocess.run(["git", "describe", "--abbrev=0", "--tags", "--match", "yocto-*"], capture_output=True, text=True).stdout
+latestreltag = latestreltag.strip()
+if latestreltag:
+    if latestreltag.startswith("yocto-"):
+        latesttag = latestreltag[6:]
+else:
+    # fallback on the calculated version
+    print("Did not find a tag with 'git describe', falling back to %s" % ourversion)
+    latestreltag = "yocto-" + ourversion
+    latesttag = ourversion
+
 print("Version calculated to be %s" % ourversion)
+print("Latest release tag found is %s" % latestreltag)
 print("Release series calculated to be %s" % ourseries)

 replacements = {
    "DISTRO" : ourversion,
+    "DISTRO_LATEST_TAG": latesttag,
    "DISTRO_NAME_NO_CAP" : ourseries,
    "DISTRO_NAME" : ourseries.capitalize(),
    "DISTRO_NAME_NO_CAP_MINUS_ONE" : previousseries[0],
    "DISTRO_NAME_NO_CAP_LTS" : lastlts[0],
    "YOCTO_DOC_VERSION" : ourversion,
-    "DISTRO_REL_TAG" : "yocto-" + ourversion,
    "DOCCONF_VERSION" : docconfver,
    "BITBAKE_SERIES" : bitbakeversion,
 }
@@ -318,3 +330,5 @@ with open('releases.rst', 'w') as f:
            if tag == release_series[series] or tag.startswith('%s.' % release_series[series]):
                f.write('- :yocto_docs:`%s Documentation </%s>`\n' % (tag, tag))
        f.write('\n')
+
+
--- a/documentation/sphinx-static/favicon.ico
+++ b/documentation/sphinx-static/favicon.ico
--- a/documentation/standards.md
+++ b/documentation/standards.md
@@ -1,6 +1,6 @@
 # Standards for contributing to Yocto Project documentation

-This document attemps to standardize the way the Yocto Project
+This document attempts to standardize the way the Yocto Project
 documentation is created.

 It is currently a work in progress.
--- a/documentation/test-manual/ptest.rst
+++ b/documentation/test-manual/ptest.rst
@@ -61,6 +61,20 @@ test. Here is what you have to do for each recipe:

      inherit ptest

+   .. note::
+
+      Classes for common frameworks already exist in :term:`OpenEmbedded-Core
+      (OE-Core)`, such as:
+
+      -  :oe_git:`go-ptest </openembedded-core/tree/meta/classes-recipe/go-ptest.bbclass>`
+      -  :ref:`ref-classes-ptest-cargo`
+      -  :ref:`ref-classes-ptest-gnome`
+      -  :oe_git:`ptest-perl </openembedded-core/tree/meta/classes-recipe/ptest-perl.bbclass>`
+      -  :oe_git:`ptest-python-pytest </openembedded-core/tree/meta/classes-recipe/ptest-python-pytest.bbclass>`
+
+      Inheriting these classes with the ``inherit`` keyword in your recipe will
+      make the next steps automatic.
+
 -  *Create run-ptest:* This script starts your test. Locate the
   script where you will refer to it using
   :term:`SRC_URI`. Here is an
--- a/documentation/test-manual/reproducible-builds.rst
+++ b/documentation/test-manual/reproducible-builds.rst
@@ -119,12 +119,8 @@ https://autobuilder.yocto.io/pub/repro-fail/ in the form ``oe-reproducible +
 The project's current reproducibility status can be seen at
 :yocto_home:`/reproducible-build-results/`

-You can also check the reproducibility status on supported host distributions:
-
-  CentOS: :yocto_ab:`/typhoon/#/builders/reproducible-centos`
-  Debian: :yocto_ab:`/typhoon/#/builders/reproducible-debian`
-  Fedora: :yocto_ab:`/typhoon/#/builders/reproducible-fedora`
-  Ubuntu: :yocto_ab:`/typhoon/#/builders/reproducible-ubuntu`
+You can also check the reproducibility status on the Autobuilder:
+:yocto_ab:`/valkyrie/#/builders/reproducible`.

 ===============================
 Can I test my layer or recipes?
--- a/documentation/test-manual/test-process.rst
+++ b/documentation/test-manual/test-process.rst
@@ -20,7 +20,7 @@ helps review and test patches and this is his testing tree).
 We have two broad categories of test builds, including "full" and
 "quick". On the Autobuilder, these can be seen as "a-quick" and
 "a-full", simply for ease of sorting in the UI. Use our Autobuilder
-:yocto_ab:`console view </typhoon/#/console>` to see where we manage most
+:yocto_ab:`console view </valkyrie/#/console>` to see where we manage most
 test-related items.

 Builds are triggered manually when the test branches are ready. The
--- a/documentation/test-manual/understand-autobuilder.rst
+++ b/documentation/test-manual/understand-autobuilder.rst
@@ -10,7 +10,7 @@ Execution Flow within the Autobuilder
 The "a-full" and "a-quick" targets are the usual entry points into the
 Autobuilder and it makes sense to follow the process through the system
 starting there. This is best visualized from the :yocto_ab:`Autobuilder
-Console view </typhoon/#/console>`.
+Console view </valkyrie/#/console>`.

 Each item along the top of that view represents some "target build" and
 these targets are all run in parallel. The 'full' build will trigger the
--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "5.1.2"
+DISTRO_VERSION = "5.1.4"
 DISTRO_CODENAME = "styhead"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"
--- a/meta/classes-recipe/cmake.bbclass
+++ b/meta/classes-recipe/cmake.bbclass
@@ -67,6 +67,8 @@ EXTRA_OECMAKE:append = " ${PACKAGECONFIG_CONFARGS}"
 export CMAKE_BUILD_PARALLEL_LEVEL
 CMAKE_BUILD_PARALLEL_LEVEL:task-compile = "${@oe.utils.parallel_make(d, False)}"
 CMAKE_BUILD_PARALLEL_LEVEL:task-install = "${@oe.utils.parallel_make(d, True)}"
+CMAKE_BUILD_PARALLEL_LEVEL:task-compile-ptest-base = "${@oe.utils.parallel_make(d, False)}"
+CMAKE_BUILD_PARALLEL_LEVEL:task-install-ptest-base = "${@oe.utils.parallel_make(d, True)}"

 OECMAKE_TARGET_COMPILE ?= "all"
 OECMAKE_TARGET_INSTALL ?= "install"
--- a/meta/classes-recipe/nativesdk.bbclass
+++ b/meta/classes-recipe/nativesdk.bbclass
@@ -32,6 +32,7 @@ RECIPE_SYSROOT = "${WORKDIR}/recipe-sysroot"
 #
 PACKAGE_ARCH = "${SDK_ARCH}-${SDKPKGSUFFIX}"
 PACKAGE_ARCHS = "${SDK_PACKAGE_ARCHS}"
+TUNE_PKGARCH = "${SDK_ARCH}"

 #
 # We need chrpath >= 0.14 to ensure we can deal with 32 and 64 bit
--- a/meta/classes-recipe/qemu.bbclass
+++ b/meta/classes-recipe/qemu.bbclass
@@ -60,8 +60,8 @@ def qemu_run_binary(data, rootfs_path, binary):
 # this dance). For others (e.g. arm) a -cpu option is not necessary, since the
 # qemu-arm default CPU supports all required architecture levels.

-QEMU_OPTIONS = "-r ${OLDEST_KERNEL} ${@d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('PACKAGE_ARCH')) or ""}"
-QEMU_OPTIONS[vardeps] += "QEMU_EXTRAOPTIONS_${PACKAGE_ARCH}"
+QEMU_OPTIONS = "-r ${OLDEST_KERNEL} ${@d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('TUNE_PKGARCH')) or ""}"
+QEMU_OPTIONS[vardeps] += "QEMU_EXTRAOPTIONS_${TUNE_PKGARCH}"

 QEMU_EXTRAOPTIONS_ppce500v2 = " -cpu e500v2"
 QEMU_EXTRAOPTIONS_ppce500mc = " -cpu e500mc"
@@ -71,7 +71,3 @@ QEMU_EXTRAOPTIONS_ppce6500 = " -cpu e500mc"
 QEMU_EXTRAOPTIONS_ppc64e6500 = " -cpu e500mc"
 QEMU_EXTRAOPTIONS_ppc7400 = " -cpu 7400"
 QEMU_EXTRAOPTIONS_powerpc64le = " -cpu POWER9"
-# Some packages e.g. fwupd sets PACKAGE_ARCH = MACHINE_ARCH and uses meson which
-# needs right options to usermode qemu
-QEMU_EXTRAOPTIONS_qemuppc = " -cpu 7400"
-QEMU_EXTRAOPTIONS_qemuppc64 = " -cpu POWER9"
--- a/meta/classes-recipe/rust-target-config.bbclass
+++ b/meta/classes-recipe/rust-target-config.bbclass
@@ -198,7 +198,7 @@ MAX_ATOMIC_WIDTH[mipsel] = "32"
 DATA_LAYOUT[mips64] = "E-m:e-i8:8:32-i16:16:32-i64:64-n32:64-S128"
 TARGET_ENDIAN[mips64] = "big"
 TARGET_POINTER_WIDTH[mips64] = "64"
-TARGET_C_INT_WIDTH[mips64] = "64"
+TARGET_C_INT_WIDTH[mips64] = "32"
 MAX_ATOMIC_WIDTH[mips64] = "64"

 ## mips64-n32-unknown-linux-{gnu, musl}
@@ -212,7 +212,7 @@ MAX_ATOMIC_WIDTH[mips64-n32] = "64"
 DATA_LAYOUT[mips64el] = "e-m:e-i8:8:32-i16:16:32-i64:64-n32:64-S128"
 TARGET_ENDIAN[mips64el] = "little"
 TARGET_POINTER_WIDTH[mips64el] = "64"
-TARGET_C_INT_WIDTH[mips64el] = "64"
+TARGET_C_INT_WIDTH[mips64el] = "32"
 MAX_ATOMIC_WIDTH[mips64el] = "64"

 ## powerpc-unknown-linux-{gnu, musl}
@@ -226,14 +226,14 @@ MAX_ATOMIC_WIDTH[powerpc] = "32"
 DATA_LAYOUT[powerpc64] = "E-m:e-i64:64-n32:64-S128-v256:256:256-v512:512:512"
 TARGET_ENDIAN[powerpc64] = "big"
 TARGET_POINTER_WIDTH[powerpc64] = "64"
-TARGET_C_INT_WIDTH[powerpc64] = "64"
+TARGET_C_INT_WIDTH[powerpc64] = "32"
 MAX_ATOMIC_WIDTH[powerpc64] = "64"

 ## powerpc64le-unknown-linux-{gnu, musl}
 DATA_LAYOUT[powerpc64le] = "e-m:e-i64:64-n32:64-v256:256:256-v512:512:512"
 TARGET_ENDIAN[powerpc64le] = "little"
 TARGET_POINTER_WIDTH[powerpc64le] = "64"
-TARGET_C_INT_WIDTH[powerpc64le] = "64"
+TARGET_C_INT_WIDTH[powerpc64le] = "32"
 MAX_ATOMIC_WIDTH[powerpc64le] = "64"

 ## riscv32gc-unknown-linux-{gnu, musl}
@@ -247,7 +247,7 @@ MAX_ATOMIC_WIDTH[riscv32gc] = "32"
 DATA_LAYOUT[riscv64gc] = "e-m:e-p:64:64-i64:64-i128:128-n64-S128"
 TARGET_ENDIAN[riscv64gc] = "little"
 TARGET_POINTER_WIDTH[riscv64gc] = "64"
-TARGET_C_INT_WIDTH[riscv64gc] = "64"
+TARGET_C_INT_WIDTH[riscv64gc] = "32"
 MAX_ATOMIC_WIDTH[riscv64gc] = "64"

 ## loongarch64-unknown-linux-{gnu, musl}
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -278,7 +278,7 @@ def cve_update(d, cve_data, cve, entry):
        cve_data[cve] = entry
        return
    # If we are updating, there might be change in the status
-    bb.debug("Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status']))
+    bb.debug(1, "Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status']))
    if cve_data[cve]['abbrev-status'] == "Unknown":
        cve_data[cve] = entry
        return
@@ -289,16 +289,16 @@ def cve_update(d, cve_data, cve, entry):
        if entry['status'] == "version-in-range" and cve_data[cve]['status'] == "version-not-in-range":
            # New result from the scan, vulnerable
            cve_data[cve] = entry
-            bb.debug("CVE entry %s update from Patched to Unpatched from the scan result" % cve)
+            bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result" % cve)
            return
    if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched":
        if entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range":
            # Range does not match the scan, but we already have a vulnerable match, ignore
-            bb.debug("CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve)
+            bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve)
            return
    # If we have an "Ignored", it has a priority
    if cve_data[cve]['abbrev-status'] == "Ignored":
-        bb.debug("CVE %s not updating because Ignored" % cve)
+        bb.debug(1, "CVE %s not updating because Ignored" % cve)
        return
    bb.warn("Unhandled CVE entry update for %s from %s to %s" % (cve, cve_data[cve], entry))

@@ -343,17 +343,18 @@ def check_cves(d, cve_data):
        for cverow in cve_cursor:
            cve = cverow[0]

+            # Write status once only for each product
+            if not cves_in_product:
+                cves_status.append([product, True])
+                cves_in_product = True
+                cves_in_recipe = True
+
            if cve_is_ignored(d, cve_data, cve):
                bb.note("%s-%s ignores %s" % (product, pv, cve))
                continue
            elif cve_is_patched(d, cve_data, cve):
                bb.note("%s has been patched" % (cve))
                continue
-            # Write status once only for each product
-            if not cves_in_product:
-                cves_status.append([product, True])
-                cves_in_product = True
-                cves_in_recipe = True

            vulnerable = False
            ignored = False
@@ -422,6 +423,11 @@ def check_cves(d, cve_data):
    if not cves_in_recipe:
        bb.note("No CVE records for products in recipe %s" % (pn))

+    if d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
+        unpatched_cves = [cve for cve in cve_data if cve_data[cve]["abbrev-status"] == "Unpatched"]
+        if unpatched_cves:
+            bb.warn("Found unpatched CVE (%s)" % " ".join(unpatched_cves))
+
    return (cve_data, cves_status)

 def get_cve_info(d, cve_data):
--- a/meta/lib/oeqa/selftest/cases/devtool.py
+++ b/meta/lib/oeqa/selftest/cases/devtool.py
@@ -2533,7 +2533,7 @@ class DevtoolIdeSdkTests(DevtoolBase):
        self.track_for_cleanup(tempdir)
        self.add_command_to_tearDown('bitbake -c clean %s' % recipe_name)

-        result = runCmd('devtool modify %s -x %s' % (recipe_name, tempdir))
+        result = runCmd('devtool modify %s -x %s --debug-build' % (recipe_name, tempdir))
        self.assertExists(os.path.join(tempdir, build_file),
                          'Extracted source could not be found')
        self.assertExists(os.path.join(self.workspacedir, 'conf',
--- a/meta/lib/oeqa/utils/gitarchive.py
+++ b/meta/lib/oeqa/utils/gitarchive.py
@@ -146,7 +146,7 @@ def expand_tag_strings(repo, name_pattern, msg_subj_pattern, msg_body_pattern,
        keyws['tag_number'] = '{tag_number}'
        tag_re = format_str(name_pattern, keyws)
        # Replace parentheses for proper regex matching
-        tag_re = tag_re.replace('(', '\(').replace(')', '\)') + '$'
+        tag_re = tag_re.replace('(', r'\(').replace(')', r'\)') + '$'
        # Inject regex group pattern for 'tag_number'
        tag_re = tag_re.format(tag_number='(?P<tag_number>[0-9]{1,5})')

--- a/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch
+++ b/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch
@@ -0,0 +1,68 @@
+From ea703528a8581a2ea7e0bad424a70fdf0aec7d8f Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sat, 15 Jun 2024 02:33:08 +0100
+Subject: [PATCH 1/2] misc: Implement grub_strlcpy()
+
+grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
+returning the length of src and ensuring dest is always NUL
+terminated except when size is 0.
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ea703528a8581a2ea7e0bad424a70fdf0aec7d8f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 1578f36c3..14d8f37ac 100644
+--- a/include/grub/misc.h
+++ b/include/grub/misc.h
+@@ -64,6 +64,45 @@ grub_stpcpy (char *dest, const char *src)
+   return d - 1;
+ }
+ 
+static inline grub_size_t
+grub_strlcpy (char *dest, const char *src, grub_size_t size)
+{
+  char *d = dest;
+  grub_size_t res = 0;
+  /*
+   * We do not subtract one from size here to avoid dealing with underflowing
+   * the value, which is why to_copy is always checked to be greater than one
+   * throughout this function.
+   */
+  grub_size_t to_copy = size;
+
+  /* Copy size - 1 bytes to dest. */
+  if (to_copy > 1)
+    while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
+      ;
+
+  /*
+   * NUL terminate if size != 0. The previous step may have copied a NUL byte
+   * if it reached the end of the string, but we know dest[size - 1] must always
+   * be a NUL byte.
+   */
+  if (size != 0)
+    dest[size - 1] = '\0';
+
+  /* If there is still space in dest, but are here, we reached the end of src. */
+  if (to_copy > 1)
+    return res;
+
+  /*
+   * If we haven't reached the end of the string, iterate through to determine
+   * the strings total length.
+   */
+  while (*src++ != '\0' && ++res)
+   ;
+
+  return res;
+}
+
+ /* XXX: If grub_memmove is too slow, we must implement grub_memcpy.  */
+ static inline void *
+ grub_memcpy (void *dest, const void *src, grub_size_t n)
--- a/meta/recipes-bsp/grub/files/CVE-2024-45774.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45774.patch
@@ -0,0 +1,37 @@
+From 2c34af908ebf4856051ed29e46d88abd2b20387f Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 8 Mar 2024 22:47:20 +1100
+Subject: [PATCH] video/readers/jpeg: Do not permit duplicate SOF0 markers in
+ JPEG
+
+Otherwise a subsequent header could change the height and width
+allowing future OOB writes.
+
+Fixes: CVE-2024-45774
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45774
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2c34af908ebf4856051ed29e46d88abd2b20387f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/video/readers/jpeg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index ae634fd41..631a89356 100644
+--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
+@@ -339,6 +339,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+   if (grub_errno != GRUB_ERR_NONE)
+     return grub_errno;
+ 
+  if (data->image_height != 0 || data->image_width != 0)
+    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+		       "jpeg: cannot have duplicate SOF0 markers");
+
+   if (grub_jpeg_get_byte (data) != 8)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 		       "jpeg: only 8-bit precision is supported");
--- a/meta/recipes-bsp/grub/files/CVE-2024-45775.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45775.patch
@@ -0,0 +1,38 @@
+From 05be856a8c3aae41f5df90cab7796ab7ee34b872 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:55 +0000
+Subject: [PATCH] commands/extcmd: Missing check for failed allocation
+
+The grub_extcmd_dispatcher() calls grub_arg_list_alloc() to allocate
+a grub_arg_list struct but it does not verify the allocation was successful.
+In case of failed allocation the NULL state pointer can be accessed in
+parse_option() through grub_arg_parse() which may lead to a security issue.
+
+Fixes: CVE-2024-45775
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45775
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/commands/extcmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
+index 90a5ca24a..c236be13a 100644
+--- a/grub-core/commands/extcmd.c
+++ b/grub-core/commands/extcmd.c
+@@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args,
+     }
+ 
+   state = grub_arg_list_alloc (ext, argc, args);
+  if (state == NULL)
+    return grub_errno;
+
+   if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc))
+     {
+       context.state = state;
--- a/meta/recipes-bsp/grub/files/CVE-2024-45776.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45776.patch
@@ -0,0 +1,39 @@
+From 09bd6eb58b0f71ec273916070fa1e2de16897a91 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:56 +0000
+Subject: [PATCH] gettext: Integer overflow leads to heap OOB write or read
+
+Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may
+overflow leading to subsequent OOB write or read. This patch fixes the
+issue by replacing grub_zalloc() and explicit multiplication with
+grub_calloc() which does the same thing in safe manner.
+
+Fixes: CVE-2024-45776
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45776
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/gettext/gettext.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index e4f4f8ee6..63bb1ab73 100644
+--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
+@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx,
+   for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log;
+        ctx->grub_gettext_max_log++);
+ 
+-  ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max
+-					    * sizeof (ctx->grub_gettext_msg_list[0]));
+  ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max,
+					    sizeof (ctx->grub_gettext_msg_list[0]));
+   if (!ctx->grub_gettext_msg_list)
+     {
+       grub_file_close (fd);
--- a/meta/recipes-bsp/grub/files/CVE-2024-45777.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch
@@ -0,0 +1,57 @@
+From b970a5ed967816bbca8225994cd0ee2557bad515 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:57 +0000
+Subject: [PATCH] gettext: Integer overflow leads to heap OOB write
+
+The size calculation of the translation buffer in
+grub_gettext_getstr_from_position() may overflow
+to 0 leading to heap OOB write. This patch fixes
+the issue by using grub_add() and checking for
+an overflow.
+
+Fixes: CVE-2024-45777
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45777
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b970a5ed967816bbca8225994cd0ee2557bad515]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/gettext/gettext.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 63bb1ab73..9ffc73428 100644
+--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
+@@ -26,6 +26,7 @@
+ #include <grub/file.h>
+ #include <grub/kernel.h>
+ #include <grub/i18n.h>
+#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
+   char *translation;
+   struct string_descriptor desc;
+   grub_err_t err;
+  grub_size_t alloc_sz;
+ 
+   internal_position = (off + position * sizeof (desc));
+ 
+@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
+   length = grub_cpu_to_le32 (desc.length);
+   offset = grub_cpu_to_le32 (desc.offset);
+ 
+-  translation = grub_malloc (length + 1);
+  if (grub_add (length, 1, &alloc_sz))
+    return NULL;
+
+  translation = grub_malloc (alloc_sz);
+   if (!translation)
+     return NULL;
+ 
--- a/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch
@@ -0,0 +1,55 @@
+From 26db6605036bd9e5b16d9068a8cc75be63b8b630 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Sat, 23 Mar 2024 15:59:43 +1100
+Subject: [PATCH] fs/bfs: Disable under lockdown
+
+The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.
+This will also disable the AFS.
+
+Fixes: CVE-2024-45778
+Fixes: CVE-2024-45779
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45778
+CVE: CVE-2024-45779
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/fs/bfs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c
+index 022f69fe2..78aeb051f 100644
+--- a/grub-core/fs/bfs.c
+++ b/grub-core/fs/bfs.c
+@@ -30,6 +30,7 @@
+ #include <grub/types.h>
+ #include <grub/i18n.h>
+ #include <grub/fshelp.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1106,7 +1107,10 @@ GRUB_MOD_INIT (bfs)
+ {
+   COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==
+ 		       sizeof (struct grub_bfs_extent));
+-  grub_fs_register (&grub_bfs_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_bfs_fs);
+    }
+ }
+ 
+ #ifdef MODE_AFS
+@@ -1115,5 +1119,6 @@ GRUB_MOD_FINI (afs)
+ GRUB_MOD_FINI (bfs)
+ #endif
+ {
+-  grub_fs_unregister (&grub_bfs_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_bfs_fs);
+ }
--- a/meta/recipes-bsp/grub/files/CVE-2024-45780.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch
@@ -0,0 +1,93 @@
+From 0087bc6902182fe5cedce2d034c75a79cf6dd4f3 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:58 +0000
+Subject: [PATCH] fs/tar: Integer overflow leads to heap OOB write
+
+Both namesize and linksize are derived from hd.size, a 12-digit octal
+number parsed by read_number(). Later direct arithmetic calculation like
+"namesize + 1" and "linksize + 1" may exceed the maximum value of
+grub_size_t leading to heap OOB write. This patch fixes the issue by
+using grub_add() and checking for an overflow.
+
+Fixes: CVE-2024-45780
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45780
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/fs/tar.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
+index 646bce5eb..386c09022 100644
+--- a/grub-core/fs/tar.c
+++ b/grub-core/fs/tar.c
+@@ -25,6 +25,7 @@
+ #include <grub/mm.h>
+ #include <grub/dl.h>
+ #include <grub/i18n.h>
+#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -76,6 +77,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ {
+   struct head hd;
+   int reread = 0, have_longname = 0, have_longlink = 0;
+  grub_size_t sz;
+ 
+   data->hofs = data->next_hofs;
+ 
+@@ -97,7 +99,11 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ 	{
+ 	  grub_err_t err;
+ 	  grub_size_t namesize = read_number (hd.size, sizeof (hd.size));
+-	  *name = grub_malloc (namesize + 1);
+
+	  if (grub_add (namesize, 1, &sz))
+	    return grub_error (GRUB_ERR_BAD_FS, N_("name size overflow"));
+
+	  *name = grub_malloc (sz);
+ 	  if (*name == NULL)
+ 	    return grub_errno;
+ 	  err = grub_disk_read (data->disk, 0,
+@@ -117,15 +123,19 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ 	{
+ 	  grub_err_t err;
+ 	  grub_size_t linksize = read_number (hd.size, sizeof (hd.size));
+-	  if (data->linkname_alloc < linksize + 1)
+
+	  if (grub_add (linksize, 1, &sz))
+	    return grub_error (GRUB_ERR_BAD_FS, N_("link size overflow"));
+
+	  if (data->linkname_alloc < sz)
+ 	    {
+ 	      char *n;
+-	      n = grub_calloc (2, linksize + 1);
+	      n = grub_calloc (2, sz);
+ 	      if (!n)
+ 		return grub_errno;
+ 	      grub_free (data->linkname);
+ 	      data->linkname = n;
+-	      data->linkname_alloc = 2 * (linksize + 1);
+	      data->linkname_alloc = 2 * (sz);
+ 	    }
+ 
+ 	  err = grub_disk_read (data->disk, 0,
+@@ -148,7 +158,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ 	  while (extra_size < sizeof (hd.prefix)
+ 		 && hd.prefix[extra_size])
+ 	    extra_size++;
+-	  *name = grub_malloc (sizeof (hd.name) + extra_size + 2);
+
+	  if (grub_add (sizeof (hd.name) + 2, extra_size, &sz))
+	    return grub_error (GRUB_ERR_BAD_FS, N_("long name size overflow"));
+	  *name = grub_malloc (sz);
+ 	  if (*name == NULL)
+ 	    return grub_errno;
+ 	  if (hd.prefix[0])
--- a/meta/recipes-bsp/grub/files/CVE-2024-45781.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch
@@ -0,0 +1,35 @@
+From c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 02:03:33 +0100
+Subject: [PATCH 2/2] fs/ufs: Fix a heap OOB write
+
+grub_strcpy() was used to copy a symlink name from the filesystem
+image to a heap allocated buffer. This led to a OOB write to adjacent
+heap allocations. Fix by using grub_strlcpy().
+
+Fixes: CVE-2024-45781
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45781
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/fs/ufs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
+index a354c92d9..01235101b 100644
+--- a/grub-core/fs/ufs.c
+++ b/grub-core/fs/ufs.c
+@@ -463,7 +463,7 @@ grub_ufs_lookup_symlink (struct grub_ufs_data *data, int ino)
+   /* Check against zero is paylindromic, no need to swap.  */
+   if (data->inode.nblocks == 0
+       && INODE_SIZE (data) <= sizeof (data->inode.symlink))
+-    grub_strcpy (symlink, (char *) data->inode.symlink);
+    grub_strlcpy (symlink, (char *) data->inode.symlink, sz);
+   else
+     {
+       if (grub_ufs_read_file (data, 0, 0, 0, sz, symlink) < 0)
--- a/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch
@@ -0,0 +1,36 @@
+From 417547c10410b714e43f08f74137c24015f8f4c3 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 02:48:33 +0100
+Subject: [PATCH] fs/hfs: Fix stack OOB write with grub_strcpy()
+
+Replaced with grub_strlcpy().
+
+Fixes: CVE-2024-45782
+Fixes: CVE-2024-56737
+Fixes: https://savannah.gnu.org/bugs/?66599
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45782
+CVE: CVE-2024-56737
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=417547c10410b714e43f08f74137c24015f8f4c3]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/fs/hfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
+index 91dc0e69c..920112b03 100644
+--- a/grub-core/fs/hfs.c
+++ b/grub-core/fs/hfs.c
+@@ -379,7 +379,7 @@ grub_hfs_mount (grub_disk_t disk)
+      volume name.  */
+   key.parent_dir = grub_cpu_to_be32_compile_time (1);
+   key.strlen = data->sblock.volname[0];
+-  grub_strcpy ((char *) key.str, (char *) (data->sblock.volname + 1));
+  grub_strlcpy ((char *) key.str, (char *) (data->sblock.volname + 1), sizeof (key.str));
+ 
+   if (grub_hfs_find_node (data, (char *) &key, data->cat_root,
+ 			  0, (char *) &dir, sizeof (dir)) == 0)
--- a/meta/recipes-bsp/grub/files/CVE-2024-45783.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45783.patch
@@ -0,0 +1,39 @@
+From f7c070a2e28dfab7137db0739fb8db1dc02d8898 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 06:22:51 +0100
+Subject: [PATCH] fs/hfsplus: Set a grub_errno if mount fails
+
+It was possible for mount to fail but not set grub_errno. This led to
+a possible double decrement of the module reference count if the NULL
+page was mapped.
+
+Fixing in general as a similar bug was fixed in commit 61b13c187
+(fs/hfsplus: Set grub_errno to prevent NULL pointer access) and there
+are likely more variants around.
+
+Fixes: CVE-2024-45783
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45783
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/fs/hfsplus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index 295822f69..de71fd486 100644
+--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
+@@ -405,7 +405,7 @@ grub_hfsplus_mount (grub_disk_t disk)
+ 
+  fail:
+ 
+-  if (grub_errno == GRUB_ERR_OUT_OF_RANGE)
+  if (grub_errno == GRUB_ERR_OUT_OF_RANGE || grub_errno == GRUB_ERR_NONE)
+     grub_error (GRUB_ERR_BAD_FS, "not a HFS+ filesystem");
+ 
+   grub_free (data);
--- a/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch
@@ -0,0 +1,35 @@
+From 2123c5bca7e21fbeb0263df4597ddd7054700726 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 19:24:29 +0000
+Subject: [PATCH 1/3] commands/pgp: Unregister the "check_signatures" hooks on
+ module unload
+
+If the hooks are not removed they can be called after the module has
+been unloaded leading to an use-after-free.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0622
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2123c5bca7e21fbeb0263df4597ddd7054700726]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/commands/pgp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
+index c6766f044..5fadc33c4 100644
+--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
+@@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp)
+ 
+ GRUB_MOD_FINI(pgp)
+ {
+  grub_register_variable_hook ("check_signatures", NULL, NULL);
+  grub_env_unset ("check_signatures");
+   grub_verifier_unregister (&grub_pubkey_verifier);
+   grub_unregister_extcmd (cmd);
+   grub_unregister_extcmd (cmd_trust);
--- a/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch
@@ -0,0 +1,41 @@
+From 9c16197734ada8d0838407eebe081117799bfe67 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 23:46:55 +0000
+Subject: [PATCH 2/3] normal: Remove variables hooks on module unload
+
+The normal module does not entirely cleanup after itself in
+its GRUB_MOD_FINI() leaving a few variables hooks in place.
+It is not possible to unload normal module now but fix the
+issues for completeness.
+
+On the occasion replace 0s with NULLs for "pager" variable
+hooks unregister.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0622
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c16197734ada8d0838407eebe081117799bfe67]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/normal/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 838f57fa5..04d058f55 100644
+--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
+@@ -582,7 +582,9 @@ GRUB_MOD_FINI(normal)
+   grub_xputs = grub_xputs_saved;
+ 
+   grub_set_history (0);
+-  grub_register_variable_hook ("pager", 0, 0);
+  grub_register_variable_hook ("pager", NULL, NULL);
+  grub_register_variable_hook ("color_normal", NULL, NULL);
+  grub_register_variable_hook ("color_highlight", NULL, NULL);
+   grub_fs_autoload_hook = 0;
+   grub_unregister_command (cmd_clear);
+ }
--- a/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch
@@ -0,0 +1,38 @@
+From 7580addfc8c94cedb0cdfd7a1fd65b539215e637 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 23:52:06 +0000
+Subject: [PATCH 3/3] gettext: Remove variables hooks on module unload
+
+The gettext module does not entirely cleanup after itself in
+its GRUB_MOD_FINI() leaving a few variables hooks in place.
+It is not possible to unload gettext module because normal
+module depends on it. Though fix the issues for completeness.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0622
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/gettext/gettext.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 7a1c14e4f..e4f4f8ee6 100644
+--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
+@@ -535,6 +535,10 @@ GRUB_MOD_INIT (gettext)
+ 
+ GRUB_MOD_FINI (gettext)
+ {
+  grub_register_variable_hook ("locale_dir", NULL, NULL);
+  grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
+  grub_register_variable_hook ("lang", NULL, NULL);
+
+   grub_gettext_delete_list (&main_context);
+   grub_gettext_delete_list (&secondary_context);
+ 
--- a/meta/recipes-bsp/grub/files/CVE-2025-0624.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0624.patch
@@ -0,0 +1,84 @@
+From 5eef88152833062a3f7e017535372d64ac8ef7e1 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 15 Nov 2024 13:12:09 +0000
+Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
+
+The function included a call to grub_strcpy() which copied data from an
+environment variable to a buffer allocated in grub_cmd_normal(). The
+grub_cmd_normal() didn't consider the length of the environment variable.
+So, the copy operation could exceed the allocation and lead to an OOB
+write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
+pass the underlying buffers size to the grub_net_search_config_file().
+
+Fixes: CVE-2025-0624
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0624
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5eef88152833062a3f7e017535372d64ac8ef7e1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/net/net.c     | 7 ++++---
+ grub-core/normal/main.c | 2 +-
+ include/grub/net.h      | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 0e41e21a5..9939ff601 100644
+--- a/grub-core/net/net.c
+++ b/grub-core/net/net.c
+@@ -1909,14 +1909,15 @@ grub_config_search_through (char *config, char *suffix,
+ }
+ 
+ grub_err_t
+-grub_net_search_config_file (char *config)
+grub_net_search_config_file (char *config, grub_size_t config_buf_len)
+ {
+-  grub_size_t config_len;
+  grub_size_t config_len, suffix_len;
+   char *suffix;
+ 
+   config_len = grub_strlen (config);
+   config[config_len] = '-';
+   suffix = config + config_len + 1;
+  suffix_len = config_buf_len - (config_len + 1);
+ 
+   struct grub_net_network_level_interface *inf;
+   FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
+@@ -1942,7 +1943,7 @@ grub_net_search_config_file (char *config)
+ 
+       if (client_uuid)
+         {
+-          grub_strcpy (suffix, client_uuid);
+          grub_strlcpy (suffix, client_uuid, suffix_len);
+           if (grub_config_search_through (config, suffix, 1, 0) == 0)
+             return GRUB_ERR_NONE;
+         }
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 90879dc21..838f57fa5 100644
+--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
+@@ -344,7 +344,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
+ 
+           if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0 &&
+               !disable_net_search)
+-            grub_net_search_config_file (config);
+            grub_net_search_config_file (config, config_len);
+ 
+ 	  grub_enter_normal_mode (config);
+ 	  grub_free (config);
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 228d04963..58a4f83fc 100644
+--- a/include/grub/net.h
+++ b/include/grub/net.h
+@@ -579,7 +579,7 @@ void
+ grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
+ 
+ grub_err_t
+-grub_net_search_config_file (char *config);
+grub_net_search_config_file (char *config, grub_size_t config_buf_len);
+ 
+ extern char *grub_net_default_server;
+ 
--- a/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch
@@ -0,0 +1,377 @@
+From 47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Sat, 23 Mar 2024 16:20:45 +1100
+Subject: [PATCH] fs: Disable many filesystems under lockdown
+
+The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat,
+hfsplus, iso9660, squash4, tar, xfs and zfs.
+
+The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were
+reported by Jonathan Bar Or <jonathanbaror@gmail.com>.
+
+Fixes: CVE-2025-0677
+Fixes: CVE-2025-0684
+Fixes: CVE-2025-0685
+Fixes: CVE-2025-0686
+Fixes: CVE-2025-0689
+
+Suggested-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0677
+CVE: CVE-2025-0684
+CVE: CVE-2025-0685
+CVE: CVE-2025-0686
+CVE: CVE-2025-0689
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/fs/affs.c     | 9 +++++++--
+ grub-core/fs/cbfs.c     | 9 +++++++--
+ grub-core/fs/jfs.c      | 9 +++++++--
+ grub-core/fs/minix.c    | 9 +++++++--
+ grub-core/fs/nilfs2.c   | 9 +++++++--
+ grub-core/fs/ntfs.c     | 9 +++++++--
+ grub-core/fs/reiserfs.c | 9 +++++++--
+ grub-core/fs/romfs.c    | 9 +++++++--
+ grub-core/fs/sfs.c      | 9 +++++++--
+ grub-core/fs/udf.c      | 9 +++++++--
+ grub-core/fs/ufs.c      | 9 +++++++--
+ 11 files changed, 77 insertions(+), 22 deletions(-)
+
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index ed606b3f1..352f5d232 100644
+--- a/grub-core/fs/affs.c
+++ b/grub-core/fs/affs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -703,11 +704,15 @@ static struct grub_fs grub_affs_fs =
+ 
+ GRUB_MOD_INIT(affs)
+ {
+-  grub_fs_register (&grub_affs_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_affs_fs);
+    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(affs)
+ {
+-  grub_fs_unregister (&grub_affs_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_affs_fs);
+ }
+diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c
+index 8ab7106af..f6349df34 100644
+--- a/grub-core/fs/cbfs.c
+++ b/grub-core/fs/cbfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/dl.h>
+ #include <grub/i18n.h>
+ #include <grub/cbfs_core.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -390,12 +391,16 @@ GRUB_MOD_INIT (cbfs)
+ #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
+   init_cbfsdisk ();
+ #endif
+-  grub_fs_register (&grub_cbfs_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_cbfs_fs);
+    }
+ }
+ 
+ GRUB_MOD_FINI (cbfs)
+ {
+-  grub_fs_unregister (&grub_cbfs_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_cbfs_fs);
+ #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
+   fini_cbfsdisk ();
+ #endif
+diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
+index 6f7c43904..c0bbab8a9 100644
+--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/charset.h>
+ #include <grub/i18n.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -963,11 +964,15 @@ static struct grub_fs grub_jfs_fs =
+ 
+ GRUB_MOD_INIT(jfs)
+ {
+-  grub_fs_register (&grub_jfs_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_jfs_fs);
+    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(jfs)
+ {
+-  grub_fs_unregister (&grub_jfs_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_jfs_fs);
+ }
+diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c
+index 5354951d1..c267298b5 100644
+--- a/grub-core/fs/minix.c
+++ b/grub-core/fs/minix.c
+@@ -25,6 +25,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/i18n.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -734,7 +735,10 @@ GRUB_MOD_INIT(minix)
+ #endif
+ #endif
+ {
+-  grub_fs_register (&grub_minix_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_minix_fs);
+    }
+   my_mod = mod;
+ }
+ 
+@@ -756,5 +760,6 @@ GRUB_MOD_FINI(minix)
+ #endif
+ #endif
+ {
+-  grub_fs_unregister (&grub_minix_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_minix_fs);
+ }
+diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
+index fc7374ead..08abf173f 100644
+--- a/grub-core/fs/nilfs2.c
+++ b/grub-core/fs/nilfs2.c
+@@ -34,6 +34,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1231,11 +1232,15 @@ GRUB_MOD_INIT (nilfs2)
+ 				  grub_nilfs2_dat_entry));
+   COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE
+ 		       == sizeof (struct grub_nilfs2_inode));
+-  grub_fs_register (&grub_nilfs2_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_nilfs2_fs);
+    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI (nilfs2)
+ {
+-  grub_fs_unregister (&grub_nilfs2_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_nilfs2_fs);
+ }
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index de435aa14..8cc2ba3d5 100644
+--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
+@@ -27,6 +27,7 @@
+ #include <grub/fshelp.h>
+ #include <grub/ntfs.h>
+ #include <grub/charset.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1320,11 +1321,15 @@ static struct grub_fs grub_ntfs_fs =
+ 
+ GRUB_MOD_INIT (ntfs)
+ {
+-  grub_fs_register (&grub_ntfs_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_ntfs_fs);
+    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI (ntfs)
+ {
+-  grub_fs_unregister (&grub_ntfs_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_ntfs_fs);
+ }
+diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c
+index 36b26ac98..cdef2eba0 100644
+--- a/grub-core/fs/reiserfs.c
+++ b/grub-core/fs/reiserfs.c
+@@ -39,6 +39,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/i18n.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1417,11 +1418,15 @@ static struct grub_fs grub_reiserfs_fs =
+ 
+ GRUB_MOD_INIT(reiserfs)
+ {
+-  grub_fs_register (&grub_reiserfs_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_reiserfs_fs);
+    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(reiserfs)
+ {
+-  grub_fs_unregister (&grub_reiserfs_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_reiserfs_fs);
+ }
+diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c
+index 1f7dcfca1..acf8dd21e 100644
+--- a/grub-core/fs/romfs.c
+++ b/grub-core/fs/romfs.c
+@@ -23,6 +23,7 @@
+ #include <grub/disk.h>
+ #include <grub/fs.h>
+ #include <grub/fshelp.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -475,10 +476,14 @@ static struct grub_fs grub_romfs_fs =
+ 
+ GRUB_MOD_INIT(romfs)
+ {
+-  grub_fs_register (&grub_romfs_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_romfs_fs);
+    }
+ }
+ 
+ GRUB_MOD_FINI(romfs)
+ {
+-  grub_fs_unregister (&grub_romfs_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_romfs_fs);
+ }
+diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
+index 983e88008..f64bdd2df 100644
+--- a/grub-core/fs/sfs.c
+++ b/grub-core/fs/sfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
+#include <grub/lockdown.h>
+ #include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+@@ -779,11 +780,15 @@ static struct grub_fs grub_sfs_fs =
+ 
+ GRUB_MOD_INIT(sfs)
+ {
+-  grub_fs_register (&grub_sfs_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_sfs_fs);
+    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(sfs)
+ {
+-  grub_fs_unregister (&grub_sfs_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_sfs_fs);
+ }
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index b836e6107..a60643be1 100644
+--- a/grub-core/fs/udf.c
+++ b/grub-core/fs/udf.c
+@@ -27,6 +27,7 @@
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
+ #include <grub/datetime.h>
+#include <grub/lockdown.h>
+ #include <grub/udf.h>
+ #include <grub/safemath.h>
+ 
+@@ -1455,11 +1456,15 @@ static struct grub_fs grub_udf_fs = {
+ 
+ GRUB_MOD_INIT (udf)
+ {
+-  grub_fs_register (&grub_udf_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_udf_fs);
+    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI (udf)
+ {
+-  grub_fs_unregister (&grub_udf_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_udf_fs);
+ }
+diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
+index 01235101b..6b496e7b8 100644
+--- a/grub-core/fs/ufs.c
+++ b/grub-core/fs/ufs.c
+@@ -25,6 +25,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/i18n.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -899,7 +900,10 @@ GRUB_MOD_INIT(ufs1)
+ #endif
+ #endif
+ {
+-  grub_fs_register (&grub_ufs_fs);
+  if (!grub_is_lockdown ())
+    {
+      grub_fs_register (&grub_ufs_fs);
+    }
+   my_mod = mod;
+ }
+ 
+@@ -913,6 +917,7 @@ GRUB_MOD_FINI(ufs1)
+ #endif
+ #endif
+ {
+-  grub_fs_unregister (&grub_ufs_fs);
+  if (!grub_is_lockdown ())
+    grub_fs_unregister (&grub_ufs_fs);
+ }
+ 
--- a/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch
@@ -0,0 +1,87 @@
+From 84bc0a9a68835952ae69165c11709811dae7634e Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Tue, 21 Jan 2025 19:02:37 +0000
+Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays
+
+Use grub_calloc() when allocating memory for arrays to ensure proper
+overflow checks are in place.
+
+The HFS+ and squash4 security vulnerabilities were reported by
+Jonathan Bar Or <jonathanbaror@gmail.com>.
+
+Fixes: CVE-2025-0678
+Fixes: CVE-2025-1125
+
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0678
+CVE: CVE-2025-1125
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/fs/btrfs.c       | 4 ++--
+ grub-core/fs/hfspluscomp.c | 9 +++++++--
+ grub-core/fs/squash4.c     | 8 ++++----
+ 3 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 0625b1166..9c1e925c9 100644
+--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
+@@ -1276,8 +1276,8 @@ grub_btrfs_mount (grub_device_t dev)
+     }
+ 
+   data->n_devices_allocated = 16;
+-  data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
+-					* data->n_devices_allocated);
+  data->devices_attached = grub_calloc (data->n_devices_allocated,
+					sizeof (data->devices_attached[0]));
+   if (!data->devices_attached)
+     {
+       grub_free (data);
+diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c
+index 48ae438d8..a80954ee6 100644
+--- a/grub-core/fs/hfspluscomp.c
+++ b/grub-core/fs/hfspluscomp.c
+@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)
+ 	  return 0;
+ 	}
+       node->compress_index_size = grub_le_to_cpu32 (index_size);
+-      node->compress_index = grub_malloc (node->compress_index_size
+-					  * sizeof (node->compress_index[0]));
+      node->compress_index = grub_calloc (node->compress_index_size,
+					  sizeof (node->compress_index[0]));
+       if (!node->compress_index)
+ 	{
+ 	  node->compressed = 0;
+ 	  grub_free (attr_node);
+ 	  return grub_errno;
+ 	}
+
+      /*
+       * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here
+       * due to relevant checks done in grub_calloc() above.
+       */
+       if (grub_hfsplus_read_file (node, 0, 0,
+ 				  0x104 + sizeof (index_size),
+ 				  node->compress_index_size
+diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
+index f91ff3bfa..cf2bca822 100644
+--- a/grub-core/fs/squash4.c
+++ b/grub-core/fs/squash4.c
+@@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data,
+ 	  break;
+ 	}
+       total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
+-      ino->block_sizes = grub_malloc (total_blocks
+-				      * sizeof (ino->block_sizes[0]));
+-      ino->cumulated_block_sizes = grub_malloc (total_blocks
+-						* sizeof (ino->cumulated_block_sizes[0]));
+      ino->block_sizes = grub_calloc (total_blocks,
+				      sizeof (ino->block_sizes[0]));
+      ino->cumulated_block_sizes = grub_calloc (total_blocks,
+						sizeof (ino->cumulated_block_sizes[0]));
+       if (!ino->block_sizes || !ino->cumulated_block_sizes)
+ 	{
+ 	  grub_free (ino->block_sizes);
--- a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
@@ -0,0 +1,73 @@
+From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001
+From: Jonathan Bar Or <jonathanbaror@gmail.com>
+Date: Thu, 23 Jan 2025 19:17:05 +0100
+Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
+ than 2^31 characters
+
+The grub_getline() function currently has a signed integer variable "i"
+that can be overflown when user supplies more than 2^31 characters.
+It results in a memory corruption of the allocated line buffer as well
+as supplying large negative values to grub_realloc().
+
+Fixes: CVE-2025-0690
+
+Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0690
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/commands/read.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
+index 597c90706..8d72e45c9 100644
+--- a/grub-core/commands/read.c
+++ b/grub-core/commands/read.c
+@@ -25,6 +25,7 @@
+ #include <grub/types.h>
+ #include <grub/extcmd.h>
+ #include <grub/i18n.h>
+#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -37,13 +38,14 @@ static const struct grub_arg_option options[] =
+ static char *
+ grub_getline (int silent)
+ {
+-  int i;
+  grub_size_t i;
+   char *line;
+   char *tmp;
+   int c;
+  grub_size_t alloc_size;
+ 
+   i = 0;
+-  line = grub_malloc (1 + i + sizeof('\0'));
+  line = grub_malloc (1 + sizeof('\0'));
+   if (! line)
+     return NULL;
+ 
+@@ -59,8 +61,17 @@ grub_getline (int silent)
+       line[i] = (char) c;
+       if (!silent)
+ 	grub_printf ("%c", c);
+-      i++;
+-      tmp = grub_realloc (line, 1 + i + sizeof('\0'));
+      if (grub_add (i, 1, &i))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
+        {
+          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+          return NULL;
+        }
+      tmp = grub_realloc (line, alloc_size);
+       if (! tmp)
+ 	{
+ 	  grub_free (line);
--- a/meta/recipes-bsp/grub/files/CVE-2025-1118.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2025-1118.patch
@@ -0,0 +1,37 @@
+From 34824806ac6302f91e8cabaa41308eaced25725f Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Thu, 18 Apr 2024 20:29:39 +0100
+Subject: [PATCH] commands/minicmd: Block the dump command in lockdown mode
+
+The dump enables a user to read memory which should not be possible
+in lockdown mode.
+
+Fixes: CVE-2025-1118
+
+Reported-by: B Horn <b@horn.uk>
+Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-1118
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=34824806ac6302f91e8cabaa41308eaced25725f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ grub-core/commands/minicmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index 286290866..8c5ee3e60 100644
+--- a/grub-core/commands/minicmd.c
+++ b/grub-core/commands/minicmd.c
+@@ -203,8 +203,8 @@ GRUB_MOD_INIT(minicmd)
+     grub_register_command ("help", grub_mini_cmd_help,
+ 			   0, N_("Show this message."));
+   cmd_dump =
+-    grub_register_command ("dump", grub_mini_cmd_dump,
+-			   N_("ADDR [SIZE]"), N_("Show memory contents."));
+    grub_register_command_lockdown ("dump", grub_mini_cmd_dump,
+				    N_("ADDR [SIZE]"), N_("Show memory contents."));
+   cmd_rmmod =
+     grub_register_command ("rmmod", grub_mini_cmd_rmmod,
+ 			   N_("MODULE"), N_("Remove a module."));
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -18,16 +18,31 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
           file://grub-module-explicitly-keeps-symbole-.module_license.patch \
           file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
           file://0001-RISC-V-Restore-the-typcast-to-long.patch \
+           file://0001-misc-Implement-grub_strlcpy.patch \
+           file://CVE-2024-45781.patch \
+           file://CVE-2024-45782_CVE-2024-56737.patch \
+           file://CVE-2024-45780.patch \
+           file://CVE-2024-45783.patch \
+           file://CVE-2025-0624.patch \
+           file://CVE-2024-45774.patch \
+           file://CVE-2024-45775.patch \
+           file://CVE-2025-0622-01.patch \
+           file://CVE-2025-0622-02.patch \
+           file://CVE-2025-0622-03.patch \
+           file://CVE-2024-45776.patch \
+           file://CVE-2024-45777.patch \
+           file://CVE-2025-0690.patch \
+           file://CVE-2025-1118.patch \
+           file://CVE-2024-45778_CVE-2024-45779.patch \
+           file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \
+           file://CVE-2025-0678_CVE-2025-1125.patch \
 "

 SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"

 CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
-CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE"
 CVE_STATUS[CVE-2023-4001]  = "not-applicable-platform: Applies only to RHEL/Fedora"
 CVE_STATUS[CVE-2024-1048]  = "not-applicable-platform: Applies only to RHEL/Fedora"
-CVE_STATUS[CVE-2023-4692]  = "cpe-incorrect: Fixed in version 2.12 already"
-CVE_STATUS[CVE-2023-4693]  = "cpe-incorrect: Fixed in version 2.12 already"

 DEPENDS = "flex-native bison-native gettext-native"

--- a/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
+++ b/meta/recipes-bsp/lrzsz/lrzsz_0.12.20.bb
@@ -11,10 +11,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \
 SECTION = "console/network"
 DEPENDS = ""

-SRC_URI = "http://www.ohse.de/uwe/releases/lrzsz-${PV}.tar.gz \
+SRC_URI = "https://www.ohse.de/uwe/releases/lrzsz-${PV}.tar.gz \
           file://autotools-update.patch \
-	   file://autotools.patch \
-	   file://makefile.patch \
+           file://autotools.patch \
+           file://makefile.patch \
           file://lrzsz-check-locale.h.patch \
           file://cve-2018-10195.patch \
           file://include.patch \
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2025-26465.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-26465.patch
@@ -0,0 +1,166 @@
+From 0832aac79517611dd4de93ad0a83577994d9c907 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 18 Feb 2025 08:02:48 +0000
+Subject: [PATCH 2/2] upstream: Fix cases where error codes were not correctly
+ set
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: 7bcd4ffe0fa1e27ff98d451fb9c22f5fae6e610d
+
+CVE: CVE-2025-26465
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0832aac79517611dd4de93ad0a83577994d9c907]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ krl.c           | 4 +++-
+ ssh-agent.c     | 5 +++++
+ ssh-sk-client.c | 4 +++-
+ sshconnect2.c   | 5 ++++-
+ sshsig.c        | 1 +
+ 5 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/krl.c b/krl.c
+index e2efdf066..0d0f69534 100644
+--- a/krl.c
+++ b/krl.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: krl.c,v 1.59 2023/07/17 05:22:30 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.60 2025/02/18 08:02:48 djm Exp $ */
+ /*
+  * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
+  *
+@@ -674,6 +674,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
+ 			break;
+ 		case KRL_SECTION_CERT_SERIAL_BITMAP:
+ 			if (rs->lo - bitmap_start > INT_MAX) {
+				r = SSH_ERR_INVALID_FORMAT;
+ 				error_f("insane bitmap gap");
+ 				goto out;
+ 			}
+@@ -1059,6 +1060,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp)
+ 	}
+ 
+ 	if ((krl = ssh_krl_init()) == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+ 		error_f("alloc failed");
+ 		goto out;
+ 	}
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 48973b2c1..c27c5a956 100644
+--- a/ssh-agent.c
+++ b/ssh-agent.c
+@@ -1208,6 +1208,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+ 	    "restrict-destination-v00@openssh.com") == 0) {
+ 		if (*dcsp != NULL) {
+ 			error_f("%s already set", ext_name);
+			r = SSH_ERR_INVALID_FORMAT;
+ 			goto out;
+ 		}
+ 		if ((r = sshbuf_froms(m, &b)) != 0) {
+@@ -1217,6 +1218,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+ 		while (sshbuf_len(b) != 0) {
+ 			if (*ndcsp >= AGENT_MAX_DEST_CONSTRAINTS) {
+ 				error_f("too many %s constraints", ext_name);
+				r = SSH_ERR_INVALID_FORMAT;
+ 				goto out;
+ 			}
+ 			*dcsp = xrecallocarray(*dcsp, *ndcsp, *ndcsp + 1,
+@@ -1234,6 +1236,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+ 		}
+ 		if (*certs != NULL) {
+ 			error_f("%s already set", ext_name);
+			r = SSH_ERR_INVALID_FORMAT;
+ 			goto out;
+ 		}
+ 		if ((r = sshbuf_get_u8(m, &v)) != 0 ||
+@@ -1245,6 +1248,7 @@ parse_key_constraint_extension(struct sshbuf *m, char **sk_providerp,
+ 		while (sshbuf_len(b) != 0) {
+ 			if (*ncerts >= AGENT_MAX_EXT_CERTS) {
+ 				error_f("too many %s constraints", ext_name);
+				r = SSH_ERR_INVALID_FORMAT;
+ 				goto out;
+ 			}
+ 			*certs = xrecallocarray(*certs, *ncerts, *ncerts + 1,
+@@ -1741,6 +1745,7 @@ process_ext_session_bind(SocketEntry *e)
+ 	/* record new key/sid */
+ 	if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) {
+ 		error_f("too many session IDs recorded");
+		r = -1;
+ 		goto out;
+ 	}
+ 	e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids,
+diff --git a/ssh-sk-client.c b/ssh-sk-client.c
+index 321fe53a2..06fad2213 100644
+--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-sk-client.c,v 1.12 2022/01/14 03:34:00 djm Exp $ */
+/* $OpenBSD: ssh-sk-client.c,v 1.13 2025/02/18 08:02:48 djm Exp $ */
+ /*
+  * Copyright (c) 2019 Google LLC
+  *
+@@ -439,6 +439,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
+ 		}
+ 		if ((srk = calloc(1, sizeof(*srk))) == NULL) {
+ 			error_f("calloc failed");
+			r = SSH_ERR_ALLOC_FAIL;
+ 			goto out;
+ 		}
+ 		srk->key = key;
+@@ -450,6 +451,7 @@ sshsk_load_resident(const char *provider_path, const char *device,
+ 		if ((tmp = recallocarray(srks, nsrks, nsrks + 1,
+ 		    sizeof(*srks))) == NULL) {
+ 			error_f("recallocarray keys failed");
+			r = SSH_ERR_ALLOC_FAIL;
+ 			goto out;
+ 		}
+ 		debug_f("srks[%zu]: %s %s uidlen %zu", nsrks,
+diff --git a/sshconnect2.c b/sshconnect2.c
+index a69c4da18..1ee6000ab 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -99,7 +99,7 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh)
+ 	    options.required_rsa_size)) != 0)
+ 		fatal_r(r, "Bad server host key");
+ 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
+-	    xxx_conn_info) == -1)
+	    xxx_conn_info) != 0)
+ 		fatal("Host key verification failed.");
+ 	return 0;
+ }
+@@ -698,6 +698,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 
+ 	if ((pktype = sshkey_type_from_name(pkalg)) == KEY_UNSPEC) {
+ 		debug_f("server sent unknown pkalg %s", pkalg);
+		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+@@ -708,6 +709,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		error("input_userauth_pk_ok: type mismatch "
+ 		    "for decoded key (received %d, expected %d)",
+ 		    key->type, pktype);
+		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 
+@@ -727,6 +729,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, struct ssh *ssh)
+ 		    SSH_FP_DEFAULT);
+ 		error_f("server replied with unknown key: %s %s",
+ 		    sshkey_type(key), fp == NULL ? "<ERROR>" : fp);
+		r = SSH_ERR_INVALID_FORMAT;
+ 		goto done;
+ 	}
+ 	ident = format_identity(id);
+diff --git a/sshsig.c b/sshsig.c
+index 6e03c0b06..3da005d62 100644
+--- a/sshsig.c
+++ b/sshsig.c
+@@ -874,6 +874,7 @@ cert_filter_principals(const char *path, u_long linenum,
+ 	}
+ 	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
+ 		error_f("buffer error");
+		r = SSH_ERR_ALLOC_FAIL;
+ 		goto out;
+ 	}
+ 	/* success */
--- a/meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2025-26466.patch
@@ -0,0 +1,36 @@
+From 6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Tue, 18 Feb 2025 08:02:12 +0000
+Subject: [PATCH 1/2] upstream: Don't reply to PING in preauth phase or during
+ KEX
+
+Reported by the Qualys Security Advisory team. ok markus@
+
+OpenBSD-Commit-ID: c656ac4abd1504389d1733d85152044b15830217
+
+CVE: CVE-2025-26466
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/6ce00f0c2ecbb9f75023dbe627ee6460bcec78c2]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ packet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/packet.c b/packet.c
+index 486f85157..9dea2cfc5 100644
+--- a/packet.c
+++ b/packet.c
+@@ -1865,6 +1865,14 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+ 			if ((r = sshpkt_get_string_direct(ssh, &d, &len)) != 0)
+ 				return r;
+ 			DBG(debug("Received SSH2_MSG_PING len %zu", len));
+			if (!ssh->state->after_authentication) {
+				DBG(debug("Won't reply to PING in preauth"));
+				break;
+			}
+			if (ssh_packet_is_rekeying(ssh)) {
+				DBG(debug("Won't reply to PING during KEX"));
+				break;
+			}
+ 			if ((r = sshpkt_start(ssh, SSH2_MSG_PONG)) != 0 ||
+ 			    (r = sshpkt_put_string(ssh, d, len)) != 0 ||
+ 			    (r = sshpkt_send(ssh)) != 0)
--- a/meta/recipes-connectivity/openssh/openssh_9.8p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.8p1.bb
@@ -26,6 +26,8 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://0001-Cast-to-sockaddr-in-systemd-interface.patch \
           file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
           file://0001-regress-test-exec-use-the-absolute-path-in-the-SSH-e.patch \
+           file://CVE-2025-26466.patch \
+           file://CVE-2025-26465.patch \
           "
 SRC_URI[sha256sum] = "dd8bd002a379b5d499dfb050dd1fa9af8029e80461f4bb6c523c49973f5a39f3"

--- a/meta/recipes-connectivity/socat/files/CVE-2024-54661.patch
+++ b/meta/recipes-connectivity/socat/files/CVE-2024-54661.patch
@@ -0,0 +1,113 @@
+From 4ee1f31cf80019c5907876576d6dfd49368d660f Mon Sep 17 00:00:00 2001
+From: Gerhard Rieger <gerhard@dest-unreach.org>
+Date: Fri, 6 Dec 2024 11:42:09 +0100
+Subject: [PATCH] Version 1.8.0.2 - CVE-2024-54661: Arbitrary file overwrite in
+ readline.sh
+
+CVE: CVE-2024-54661
+Upstream-Status: Backport [https://repo.or.cz/socat.git/commitdiff/4ee1f31cf80019c5907876576d6dfd49368d660f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ readline.sh | 10 +++++++--
+ test.sh     | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 71 insertions(+), 2 deletions(-)
+
+diff --git a/readline.sh b/readline.sh
+index b6f8438..1045303 100755
+--- a/readline.sh
+++ b/readline.sh
+@@ -22,9 +22,15 @@ if [ "$withhistfile" ]; then
+ else
+     HISTOPT=
+ fi
+-mkdir -p /tmp/$USER || exit 1
+ #
+ #
+ 
+-exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>/tmp/$USER/stderr2
+if test -w .; then
+    STDERR=./socat-readline.${1##*/}.log
+    rm -f $STDERR
+else
+    STDERR=/dev/null
+fi
+
+exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>$STDERR
+ 
+diff --git a/test.sh b/test.sh
+index 46bebf8..5204ac7 100755
+--- a/test.sh
+++ b/test.sh
+@@ -19154,6 +19154,69 @@ esac
+ N=$((N+1))
+ 
+ 
+# Test the readline.sh file overwrite vulnerability
+NAME=READLINE_SH_OVERWRITE
+case "$TESTS" in
+*%$N%*|*%functions%*|*%bugs%*|*%readline%*|*%security%*|*%$NAME%*)
+TEST="$NAME: Test the readline.sh file overwrite vulnerability"
+# Create a symlink /tmp/$USER/stderr2 pointing to a temporary file,
+# run readline.sh
+# When the temporary file is kept the test succeeded
+if ! eval $NUMCOND; then :
+elif ! cond=$(checkconds \
+		  "" \
+		  "" \
+		  "readline.sh" \
+		  "" \
+		  "" \
+		  "" \
+		  "" ); then
+    $PRINTF "test $F_n $TEST... ${YELLOW}$cond${NORMAL}\n" $N
+    numCANT=$((numCANT+1))
+    listCANT="$listCANT $N"
+    namesCANT="$namesCANT $NAME"
+else
+    tf="$td/test$N.file"
+    te="$td/test$N.stderr"
+    tdiff="$td/test$N.diff"
+    da="test$N $(date) $RANDOM"
+    echo "$da" >"$tf"
+    ln -sf "$tf" /tmp/$USER/stderr2
+    CMD0="readline.sh cat"
+    printf "test $F_n $TEST... " $N
+    $CMD0 </dev/null >/dev/null 2>"${te}0"
+    rc0=$?
+#    if [ "$rc0" -ne 0 ]; then
+#	$PRINTF "$CANT (rc0=$rc0)\n"
+#	echo "$CMD0"
+#	cat "${te}0" >&2
+#	numCANT=$((numCANT+1))
+#	listCANT="$listCANT $N"
+#	namesCANT="$namesCANT $NAME"
+#    elif ! echo "$da" |diff - "$tf" >$tdiff; then
+    if ! echo "$da" |diff - "$tf" >$tdiff; then
+	$PRINTF "$FAILED (diff)\n"
+	echo "$CMD0 &"
+	cat "${te}0" >&2
+	echo "// diff:" >&2
+	cat "$tdiff" >&2
+	numFAIL=$((numFAIL+1))
+	listFAIL="$listFAIL $N"
+	namesFAIL="$namesFAIL $NAME"
+    else
+	$PRINTF "$OK\n"
+	if [ "$VERBOSE" ]; then echo "$CMD0 &"; fi
+	if [ "$DEBUG" ];   then cat "${te}0" >&2; fi
+	if [ "$VERBOSE" ]; then echo "$CMD1"; fi
+	if [ "$DEBUG" ];   then cat "${te}1" >&2; fi
+	numOK=$((numOK+1))
+	listOK="$listOK $N"
+    fi
+fi # NUMCOND
+ ;;
+esac
+N=$((N+1))
+
+ # end of common tests
+ 
+ ##################################################################################
+-- 
+2.30.2
+
--- a/meta/recipes-connectivity/socat/socat_1.8.0.0.bb
+++ b/meta/recipes-connectivity/socat/socat_1.8.0.0.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \

 SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
           file://0001-fix-compile-procan.c-failed.patch \
+           file://CVE-2024-54661.patch \
 "

 SRC_URI[sha256sum] = "e1de683dd22ee0e3a6c6bbff269abe18ab0c9d7eb650204f125155b9005faca7"
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -26,7 +26,7 @@ inherit core-image setuptools3 features_check

 REQUIRED_DISTRO_FEATURES += "xattr"

-SRCREV ?= "ad4523044867fa0f45b6c6cb49b4f36aa5055d8d"
+SRCREV ?= "6a5ba188b79ee4a0d2e80ada159995f80f0e93c5"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=styhead \
           file://Yocto_Build_Appliance.vmx \
           file://Yocto_Build_Appliance.vmxf \
--- a/meta/recipes-core/libxml/libxml2/install-tests.patch
+++ b/meta/recipes-core/libxml/libxml2/install-tests.patch
@@ -1,4 +1,4 @@
-From 0779511838a8cbd1e0f431c22f28f286a2a37b1b Mon Sep 17 00:00:00 2001
+From 8c1054eacb430472068f21e4840749c384e8e866 Mon Sep 17 00:00:00 2001
 From: Ross Burton <ross.burton@arm.com>
 Date: Mon, 5 Dec 2022 17:02:32 +0000
 Subject: [PATCH] add yocto-specific install-ptest target
@@ -12,7 +12,7 @@ Signed-off-by: Ross Burton <ross.burton@arm.com>
 1 file changed, 10 insertions(+)

 diff --git a/Makefile.am b/Makefile.am
-index 0a49d37..1097c63 100644
+index 4cb9a5c..8adcd7e 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -27,6 +27,16 @@ check_PROGRAMS = \
--- a/meta/recipes-core/libxml/libxml2_2.13.6.bb
+++ b/meta/recipes-core/libxml/libxml2_2.13.6.bb
@@ -19,7 +19,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
           file://install-tests.patch \
           "

-SRC_URI[archive.sha256sum] = "0805d7c180cf09caad71666c7a458a74f041561a532902454da5047d83948138"
+SRC_URI[archive.sha256sum] = "f453480307524968f7a04ec65e64f2a83a825973bcd260a2e7691be82ae70c96"
 SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"

 # Disputed as a security issue, but fixed in d39f780
--- a/meta/recipes-core/systemd/systemd.inc
+++ b/meta/recipes-core/systemd/systemd.inc
@@ -20,3 +20,5 @@ SRCBRANCH = "v256-stable"
 SRC_URI = "git://github.com/systemd/systemd.git;protocol=https;branch=${SRCBRANCH}"

 S = "${WORKDIR}/git"
+
+CVE_PRODUCT = "systemd"
--- a/meta/recipes-devtools/binutils/binutils-2.43.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.43.1.inc
@@ -36,5 +36,6 @@ SRC_URI = "\
     file://0013-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
     file://0014-Remove-duplicate-pe-dll.o-entry-deom-targ_extra_ofil.patch \
     file://0015-CVE-2024-53589.patch \
+     file://0016-CVE-2025-0840.patch \
 "
 S  = "${WORKDIR}/git"
--- a/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-0840.patch
+++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2025-0840.patch
@@ -0,0 +1,55 @@
+From baac6c221e9d69335bf41366a1c7d87d8ab2f893 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 15 Jan 2025 19:13:43 +1030
+Subject: [PATCH] PR32560 stack-buffer-overflow at objdump disassemble_bytes
+
+There's always someone pushing the boundaries.
+
+	PR 32560
+	* objdump.c (MAX_INSN_WIDTH): Define.
+	(insn_width): Make it an unsigned long.
+	(disassemble_bytes): Use MAX_INSN_WIDTH to size buffer.
+	(main <OPTION_INSN_WIDTH>): Restrict size of insn_width.
+
+CVE: CVE-2025-0840
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ binutils/objdump.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index ecbe39e942e..80044dea580 100644
+--- a/binutils/objdump.c
+++ b/binutils/objdump.c
+@@ -117,7 +117,8 @@ static bool disassemble_all;		/* -D */
+ static int disassemble_zeroes;		/* --disassemble-zeroes */
+ static bool formats_info;		/* -i */
+ int wide_output;			/* -w */
+-static int insn_width;			/* --insn-width */
+#define MAX_INSN_WIDTH 49
+static unsigned long insn_width;	/* --insn-width */
+ static bfd_vma start_address = (bfd_vma) -1; /* --start-address */
+ static bfd_vma stop_address = (bfd_vma) -1;  /* --stop-address */
+ static int dump_debugging;		/* --debugging */
+@@ -3391,7 +3392,7 @@ disassemble_bytes (struct disassemble_info *inf,
+ 	}
+       else
+ 	{
+-	  char buf[50];
+	  char buf[MAX_INSN_WIDTH + 1];
+ 	  unsigned int bpc = 0;
+ 	  unsigned int pb = 0;
+ 
+@@ -6091,8 +6092,9 @@ main (int argc, char **argv)
+ 	  break;
+ 	case OPTION_INSN_WIDTH:
+ 	  insn_width = strtoul (optarg, NULL, 0);
+-	  if (insn_width <= 0)
+-	    fatal (_("error: instruction width must be positive"));
+	  if (insn_width - 1 >= MAX_INSN_WIDTH)
+	    fatal (_("error: instruction width must be in the range 1 to "
+		     XSTRING (MAX_INSN_WIDTH)));
+ 	  break;
+ 	case OPTION_INLINES:
+ 	  unwind_inlines = true;
--- a/meta/recipes-devtools/gcc/gcc-testsuite.inc
+++ b/meta/recipes-devtools/gcc/gcc-testsuite.inc
@@ -53,8 +53,8 @@ python check_prepare() {
        #   - valid for x86*, powerpc, arm, arm64
        if qemu_binary.endswith(("x86_64", "i386", "arm", "aarch64")):
            args += ["-cpu", "max"]
-        elif qemu_binary.endswith(("ppc", "mips", "mips64")):
-            extra = d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('PACKAGE_ARCH'))
+        else:
+            extra = d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('TUNE_PKGARCH'))
            if extra:
                args += extra.split()
        # For mips64 we could set a maximal CPU (e.g. Loongson-3A4000) however they either have MSA
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -15,4 +15,4 @@ SRC_URI += "\
    file://0008-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \
    file://0009-go-Filter-build-paths-on-staticly-linked-arches.patch \
 "
-SRC_URI[main.sha256sum] = "df12c23ebf19dea0f4bf46a22cbeda4a3eca6f474f318390ce774974278440b8"
+SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
--- a/meta/recipes-devtools/go/go-binary-native_1.22.12.bb
+++ b/meta/recipes-devtools/go/go-binary-native_1.22.12.bb
@@ -9,9 +9,9 @@ PROVIDES = "go-native"

 # Checksums available at https://go.dev/dl/
 SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "5f467d29fc67c7ae6468cb6ad5b047a274bae8180cac5e0b7ddbfeba3e47e18f"
-SRC_URI[go_linux_arm64.sha256sum] = "5c616b32dab04bb8c4c8700478381daea0174dc70083e4026321163879278a4a"
-SRC_URI[go_linux_ppc64le.sha256sum] = "c546f27866510bf8e54e86fe6f58c705af0e894341e5572c91f197a734152c27"
+SRC_URI[go_linux_amd64.sha256sum] = "4fa4f869b0f7fc6bb1eb2660e74657fbf04cdd290b5aef905585c86051b34d43"
+SRC_URI[go_linux_arm64.sha256sum] = "fd017e647ec28525e86ae8203236e0653242722a7436929b1f775744e26278e7"
+SRC_URI[go_linux_ppc64le.sha256sum] = "9573d30003b0796717a99d9e2e96c48fddd4fc0f29d840f212c503b03d7de112"

 UPSTREAM_CHECK_URI = "https://golang.org/dl/"
 UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
--- a/meta/recipes-devtools/go/go-cross-canadian_1.22.12.bb
+++ b/meta/recipes-devtools/go/go-cross-canadian_1.22.12.bb
--- a/Show More
+++ b/Show More