157 files changed, 6146 insertions, 1585 deletions

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 01b3637469..2a530a0489 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -52,11 +52,14 @@ python do_cve_check () {
     """
 
     if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
-        patched_cves = get_patches_cves(d)
-        patched, unpatched = check_cves(d, patched_cves)
+        try:
+            patched_cves = get_patches_cves(d)
+        except FileNotFoundError:
+            bb.fatal("Failure in searching patches")
+        whitelisted, patched, unpatched = check_cves(d, patched_cves)
         if patched or unpatched:
             cve_data = get_cve_info(d, patched + unpatched)
-            cve_write_data(d, patched, unpatched, cve_data)
+            cve_write_data(d, patched, unpatched, whitelisted, cve_data)
     else:
         bb.note("No CVE database found, skipping CVE check")
 
@@ -129,6 +132,10 @@ def get_patches_cves(d):
     for url in src_patches(d):
         patch_file = bb.fetch.decodeurl(url)[2]
 
+        if not os.path.isfile(patch_file):
+            bb.error("File Not found: %s" % patch_file)
+            raise FileNotFoundError
+
         # Check patch file name for CVE ID
         fname_match = cve_file_name_match.search(patch_file)
         if fname_match:
@@ -172,13 +179,13 @@ def check_cves(d, patched_cves):
     products = d.getVar("CVE_PRODUCT").split()
     # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
     if not products:
-        return ([], [])
+        return ([], [], [])
     pv = d.getVar("CVE_VERSION").split("+git")[0]
 
     # If the recipe has been whitlisted we return empty lists
     if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
         bb.note("Recipe has been whitelisted, skipping check")
-        return ([], [])
+        return ([], [], [])
 
     old_cve_whitelist =  d.getVar("CVE_CHECK_CVE_WHITELIST")
     if old_cve_whitelist:
@@ -214,7 +221,7 @@ def check_cves(d, patched_cves):
                 (_, _, _, version_start, operator_start, version_end, operator_end) = row
                 #bb.debug(2, "Evaluating row " + str(row))
 
-                if (operator_start == '=' and pv == version_start):
+                if (operator_start == '=' and pv == version_start) or version_start == '-':
                     vulnerable = True
                 else:
                     if operator_start:
@@ -256,7 +263,7 @@ def check_cves(d, patched_cves):
 
     conn.close()
 
-    return (list(patched_cves), cves_unpatched)
+    return (list(cve_whitelist), list(patched_cves), cves_unpatched)
 
 def get_cve_info(d, cves):
     """
@@ -280,7 +287,7 @@ def get_cve_info(d, cves):
     conn.close()
     return cve_data
 
-def cve_write_data(d, patched, unpatched, cve_data):
+def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
     """
     Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
     CVE manifest if enabled.
@@ -296,7 +303,9 @@ def cve_write_data(d, patched, unpatched, cve_data):
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
         write_string += "PACKAGE VERSION: %s\n" % d.getVar("PV")
         write_string += "CVE: %s\n" % cve
-        if cve in patched:
+        if cve in whitelisted:
+            write_string += "CVE STATUS: Whitelisted\n"
+        elif cve in patched:
             write_string += "CVE STATUS: Patched\n"
         else:
             unpatched_cves.append(cve)
diff --git a/meta/classes/kernel-yocto.bbclass b/meta/classes/kernel-yocto.bbclass
index ed9bcfa57c..ab05ac91f4 100644
--- a/meta/classes/kernel-yocto.bbclass
+++ b/meta/classes/kernel-yocto.bbclass
@@ -1,5 +1,5 @@
 # remove tasks that modify the source tree in case externalsrc is inherited
-SRCTREECOVEREDTASKS += "do_kernel_configme do_validate_branches do_kernel_configcheck do_kernel_checkout do_fetch do_unpack do_patch"
+SRCTREECOVEREDTASKS += "do_validate_branches do_kernel_configcheck do_kernel_checkout do_fetch do_unpack do_patch"
 PATCH_GIT_USER_EMAIL ?= "kernel-yocto@oe"
 PATCH_GIT_USER_NAME ?= "OpenEmbedded"
 
@@ -301,6 +301,7 @@ do_validate_branches[depends] = "kern-tools-native:do_populate_sysroot"
 do_kernel_configme[depends] += "virtual/${TARGET_PREFIX}binutils:do_populate_sysroot"
 do_kernel_configme[depends] += "virtual/${TARGET_PREFIX}gcc:do_populate_sysroot"
 do_kernel_configme[depends] += "bc-native:do_populate_sysroot bison-native:do_populate_sysroot"
+do_kernel_configme[depends] += "kern-tools-native:do_populate_sysroot"
 do_kernel_configme[dirs] += "${S} ${B}"
 do_kernel_configme() {
 	set +e
diff --git a/meta/classes/kernelsrc.bbclass b/meta/classes/kernelsrc.bbclass
index 675d40ec9a..a951ba3325 100644
--- a/meta/classes/kernelsrc.bbclass
+++ b/meta/classes/kernelsrc.bbclass
@@ -1,7 +1,7 @@
 S = "${STAGING_KERNEL_DIR}"
 deltask do_fetch
 deltask do_unpack
-do_patch[depends] += "virtual/kernel:do_patch"
+do_patch[depends] += "virtual/kernel:do_shared_workdir"
 do_patch[noexec] = "1"
 do_package[depends] += "virtual/kernel:do_populate_sysroot"
 KERNEL_VERSION = "${@get_kernelversion_file("${STAGING_KERNEL_BUILDDIR}")}"
diff --git a/meta/classes/patch.bbclass b/meta/classes/patch.bbclass
index cd241f1c84..25ec089ae1 100644
--- a/meta/classes/patch.bbclass
+++ b/meta/classes/patch.bbclass
@@ -5,6 +5,13 @@ QUILTRCFILE ?= "${STAGING_ETCDIR_NATIVE}/quiltrc"
 
 PATCHDEPENDENCY = "${PATCHTOOL}-native:do_populate_sysroot"
 
+# There is a bug in patch 2.7.3 and earlier where index lines
+# in patches can change file modes when they shouldn't:
+# http://git.savannah.gnu.org/cgit/patch.git/patch/?id=82b800c9552a088a241457948219d25ce0a407a4
+# This leaks into debug sources in particular. Add the dependency
+# to target recipes to avoid this problem until we can rely on 2.7.4 or later.
+PATCHDEPENDENCY_append_class-target = " patch-replacement-native:do_populate_sysroot"
+
 PATCH_GIT_USER_NAME ?= "OpenEmbedded"
 PATCH_GIT_USER_EMAIL ?= "oe.patch@oe"
 
diff --git a/meta/classes/reproducible_build.bbclass b/meta/classes/reproducible_build.bbclass
index 39b6e40cac..750eb950f2 100644
--- a/meta/classes/reproducible_build.bbclass
+++ b/meta/classes/reproducible_build.bbclass
@@ -44,10 +44,12 @@ SDE_DEPLOYDIR = "${WORKDIR}/deploy-source-date-epoch"
 SSTATETASKS += "do_deploy_source_date_epoch"
 
 do_deploy_source_date_epoch () {
-    echo "Deploying SDE to ${SDE_DIR}."
     mkdir -p ${SDE_DEPLOYDIR}
     if [ -e ${SDE_FILE} ]; then
+        echo "Deploying SDE from ${SDE_FILE} -> ${SDE_DEPLOYDIR}."
         cp -p ${SDE_FILE} ${SDE_DEPLOYDIR}/__source_date_epoch.txt
+    else
+        echo "${SDE_FILE} not found!"
     fi
 }
 
@@ -56,7 +58,11 @@ python do_deploy_source_date_epoch_setscene () {
     bb.utils.mkdirhier(d.getVar('SDE_DIR'))
     sde_file = os.path.join(d.getVar('SDE_DEPLOYDIR'), '__source_date_epoch.txt')
     if os.path.exists(sde_file):
-        os.rename(sde_file, d.getVar('SDE_FILE'))
+        target = d.getVar('SDE_FILE')
+        bb.debug(1, "Moving setscene SDE file %s -> %s" % (sde_file, target))
+        os.rename(sde_file, target)
+    else:
+        bb.debug(1, "%s not found!" % sde_file)
 }
 
 do_deploy_source_date_epoch[dirs] = "${SDE_DEPLOYDIR}"
@@ -164,16 +170,32 @@ python do_create_source_date_epoch_stamp() {
         f.write(str(source_date_epoch))
 }
 
+def get_source_date_epoch_value(d):
+    cached = d.getVar('__CACHED_SOURCE_DATE_EPOCH')
+    if cached:
+        return cached
+
+    epochfile = d.getVar('SDE_FILE')
+    source_date_epoch = 0
+    if os.path.isfile(epochfile):
+        with open(epochfile, 'r') as f:
+            s = f.read()
+            try:
+                source_date_epoch = int(s)
+            except ValueError:
+                bb.warn("SOURCE_DATE_EPOCH value '%s' is invalid. Reverting to 0" % s)
+                source_date_epoch = 0
+        bb.debug(1, "SOURCE_DATE_EPOCH: %d" % source_date_epoch)
+    else:
+        bb.debug(1, "Cannot find %s. SOURCE_DATE_EPOCH will default to %d" % (epochfile, source_date_epoch))
+
+    d.setVar('__CACHED_SOURCE_DATE_EPOCH', str(source_date_epoch))
+    return str(source_date_epoch)
+
+export SOURCE_DATE_EPOCH ?= "${@get_source_date_epoch_value(d)}"
 BB_HASHBASE_WHITELIST += "SOURCE_DATE_EPOCH"
 
 python () {
     if d.getVar('BUILD_REPRODUCIBLE_BINARIES') == '1':
         d.appendVarFlag("do_unpack", "postfuncs", " do_create_source_date_epoch_stamp")
-        epochfile = d.getVar('SDE_FILE')
-        source_date_epoch = "0"
-        if os.path.isfile(epochfile):
-            with open(epochfile, 'r') as f:
-                source_date_epoch = f.read()
-            bb.debug(1, "SOURCE_DATE_EPOCH: %s" % source_date_epoch)
-        d.setVar('SOURCE_DATE_EPOCH', source_date_epoch)
 }
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 936fe913b4..5c2f8f9d75 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -625,13 +625,14 @@ def check_sanity_version_change(status, d):
     # In other words, these tests run once in a given build directory and then 
     # never again until the sanity version or host distrubution id/version changes.
 
-    # Check the python install is complete. glib-2.0-natives requries
-    # xml.parsers.expat
+    # Check the python install is complete. Examples that are often removed in
+    # minimal installations: glib-2.0-natives requries # xml.parsers.expat and icu
+    # requires distutils.sysconfig.
     try:
         import xml.parsers.expat
-    except ImportError:
-        status.addresult('Your python is not a full install. Please install the module xml.parsers.expat (python-xml on openSUSE and SUSE Linux).\n')
-    import stat
+        import distutils.sysconfig
+    except ImportError as e:
+        status.addresult('Your Python 3 is not a full install. Please install the module %s (see the Getting Started guide for further information).\n' % e.name)
 
     status.addresult(check_make_version(d))
     status.addresult(check_patch_version(d))
@@ -667,6 +668,7 @@ def check_sanity_version_change(status, d):
         status.addresult('Please use ASSUME_PROVIDED +=, not ASSUME_PROVIDED = in your local.conf\n')
 
     # Check that TMPDIR isn't on a filesystem with limited filename length (eg. eCryptFS)
+    import stat
     tmpdir = d.getVar('TMPDIR')
     status.addresult(check_create_long_filename(tmpdir, "TMPDIR"))
     tmpdirmode = os.stat(tmpdir).st_mode
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index ab0c6c5541..7494873190 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -82,6 +82,7 @@ RECIPE_MAINTAINER_pn-build-appliance-image = "Richard Purdie <richard.purdie@lin
 RECIPE_MAINTAINER_pn-build-compare = "Paul Eggleton <paul.eggleton@linux.intel.com>"
 RECIPE_MAINTAINER_pn-build-sysroots = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER_pn-builder = "Richard Purdie <richard.purdie@linuxfoundation.org>"
+RECIPE_MAINTAINER_pn-buildtools-extended-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER_pn-buildtools-tarball = "Richard Purdie <richard.purdie@linuxfoundation.org>"
 RECIPE_MAINTAINER_pn-busybox = "Andrej Valek <andrej.valek@siemens.com>"
 RECIPE_MAINTAINER_pn-busybox-inittab = "Denys Dmytriyenko <denys@ti.com>"
diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index aaf04e9e59..568d03693c 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -57,6 +57,8 @@ SECURITY_STRINGFORMAT_pn-gcc = ""
 
 TARGET_CC_ARCH_append_class-target = " ${SECURITY_CFLAGS}"
 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
+TARGET_CC_ARCH_append_class-cross-canadian = " ${SECURITY_CFLAGS}"
+TARGET_LDFLAGS_append_class-cross-canadian = " ${SECURITY_LDFLAGS}"
 
 SECURITY_STACK_PROTECTOR_pn-gcc-runtime = ""
 SECURITY_STACK_PROTECTOR_pn-glibc = ""
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index ad75d3e2a3..889695eae3 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.30"
+UNINATIVE_MAXGLIBCVERSION = "2.31"
 
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.7/"
-UNINATIVE_CHECKSUM[aarch64] ?= "e76a45886ee8a0b3904b761c17ac8ff91edf9811ee455f1832d10763ba794dfc"
-UNINATIVE_CHECKSUM[i686] ?= "810d027dfb1c7675226afbcec07808770516c969ee7378f6d8240281083f8924"
-UNINATIVE_CHECKSUM[x86_64] ?= "9498d8bba047499999a7310ac2576d0796461184965351a56f6d32c888a1f216"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.8/"
+UNINATIVE_CHECKSUM[aarch64] ?= "989187344bf9539b464fb7ed9c223e51f4bdb4c7a677d2c314e6fed393176efe"
+UNINATIVE_CHECKSUM[i686] ?= "cc3e45bc8594488b407363e3fa9af5a099279dab2703c64342098719bd674990"
+UNINATIVE_CHECKSUM[x86_64] ?= "a09922172c3a439105e0ae6b943daad2d83505b17da0aba97961ff433b8c21ab"
diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh
index ccc4f4e1ac..4c4b4deb4c 100644
--- a/meta/files/toolchain-shar-extract.sh
+++ b/meta/files/toolchain-shar-extract.sh
@@ -249,7 +249,7 @@ if [ @SDK_ARCHIVE_TYPE@ = "zip" ]; then
         rm sdk.zip && exit 1
     fi
 else
-    tail -n +$payload_offset $0| $SUDO_EXEC tar xJ -C $target_sdk_dir --checkpoint=.2500 $EXTRA_TAR_OPTIONS || exit 1
+    tail -n +$payload_offset $0| $SUDO_EXEC tar mxJ -C $target_sdk_dir --checkpoint=.2500 $EXTRA_TAR_OPTIONS || exit 1
 fi
 echo "done"
 
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index 7c373715ad..e0b15dc9b4 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -40,8 +40,9 @@ def opkg_query(cmd_output):
     ver = ""
     filename = ""
     dep = []
+    prov = []
     pkgarch = ""
-    for line in cmd_output.splitlines():
+    for line in cmd_output.splitlines()+['']:
         line = line.rstrip()
         if ':' in line:
             if line.startswith("Package: "):
@@ -64,6 +65,10 @@ def opkg_query(cmd_output):
                     dep.append("%s [REC]" % recommend)
             elif line.startswith("PackageArch: "):
                 pkgarch = line.split(": ")[1]
+            elif line.startswith("Provides: "):
+                provides = verregex.sub('', line.split(": ")[1])
+                for provide in provides.split(", "):
+                    prov.append(provide)
 
         # When there is a blank line save the package information
         elif not line:
@@ -72,20 +77,15 @@ def opkg_query(cmd_output):
                 filename = "%s_%s_%s.ipk" % (pkg, ver, arch)
             if pkg:
                 output[pkg] = {"arch":arch, "ver":ver,
-                        "filename":filename, "deps": dep, "pkgarch":pkgarch }
+                        "filename":filename, "deps": dep, "pkgarch":pkgarch, "provs": prov}
             pkg = ""
             arch = ""
             ver = ""
             filename = ""
             dep = []
+            prov = []
             pkgarch = ""
 
-    if pkg:
-        if not filename:
-            filename = "%s_%s_%s.ipk" % (pkg, ver, arch)
-        output[pkg] = {"arch":arch, "ver":ver,
-                "filename":filename, "deps": dep }
-
     return output
 
 def failed_postinsts_abort(pkgs, log_path):
@@ -360,7 +360,7 @@ class DpkgPkgsList(PkgsList):
                "--admindir=%s/var/lib/dpkg" % self.rootfs_dir,
                "-W"]
 
-        cmd.append("-f=Package: ${Package}\nArchitecture: ${PackageArch}\nVersion: ${Version}\nFile: ${Package}_${Version}_${Architecture}.deb\nDepends: ${Depends}\nRecommends: ${Recommends}\n\n")
+        cmd.append("-f=Package: ${Package}\nArchitecture: ${PackageArch}\nVersion: ${Version}\nFile: ${Package}_${Version}_${Architecture}.deb\nDepends: ${Depends}\nRecommends: ${Recommends}\nProvides: ${Provides}\n\n")
 
         try:
             cmd_output = subprocess.check_output(cmd, stderr=subprocess.STDOUT).strip().decode("utf-8")
@@ -578,6 +578,11 @@ class PackageManager(object, metaclass=ABCMeta):
         # oe-pkgdata-util reads it from a file
         with tempfile.NamedTemporaryFile(mode="w+", prefix="installed-pkgs") as installed_pkgs:
             pkgs = self.list_installed()
+
+            provided_pkgs = set()
+            for pkg in pkgs.values():
+                provided_pkgs |= set(pkg.get('provs', []))
+
             output = oe.utils.format_pkg_list(pkgs, "arch")
             installed_pkgs.write(output)
             installed_pkgs.flush()
@@ -589,10 +594,15 @@ class PackageManager(object, metaclass=ABCMeta):
             if exclude:
                 cmd.extend(['--exclude=' + '|'.join(exclude.split())])
             try:
-                bb.note("Installing complementary packages ...")
                 bb.note('Running %s' % cmd)
                 complementary_pkgs = subprocess.check_output(cmd, stderr=subprocess.STDOUT).decode("utf-8")
-                self.install(complementary_pkgs.split(), attempt_only=True)
+                complementary_pkgs = set(complementary_pkgs.split())
+                skip_pkgs = sorted(complementary_pkgs & provided_pkgs)
+                install_pkgs = sorted(complementary_pkgs - provided_pkgs)
+                bb.note("Installing complementary packages ... %s (skipped already provided packages %s)" % (
+                    ' '.join(install_pkgs),
+                    ' '.join(skip_pkgs)))
+                self.install(install_pkgs, attempt_only=True)
             except subprocess.CalledProcessError as e:
                 bb.fatal("Could not compute complementary packages list. Command "
                          "'%s' returned %d:\n%s" %
@@ -1619,7 +1629,7 @@ class DpkgPM(OpkgDpkgPM):
 
         os.environ['APT_CONFIG'] = self.apt_conf_file
 
-        cmd = "%s %s install --force-yes --allow-unauthenticated %s" % \
+        cmd = "%s %s install --force-yes --allow-unauthenticated --no-remove %s" % \
               (self.apt_get_cmd, self.apt_args, ' '.join(pkgs))
 
         try:
@@ -1781,8 +1791,7 @@ class DpkgPM(OpkgDpkgPM):
             open(os.path.join(target_dpkg_dir, "available"), "w+").close()
 
     def remove_packaging_data(self):
-        bb.utils.remove(os.path.join(self.target_rootfs,
-                                     self.d.getVar('opkglibdir')), True)
+        bb.utils.remove(self.target_rootfs + self.d.getVar('opkglibdir'), True)
         bb.utils.remove(self.target_rootfs + "/var/lib/dpkg/", True)
 
     def fix_broken_dependencies(self):
diff --git a/meta/lib/oe/sstatesig.py b/meta/lib/oe/sstatesig.py
index 24a221eb1a..b2316b12b8 100644
--- a/meta/lib/oe/sstatesig.py
+++ b/meta/lib/oe/sstatesig.py
@@ -521,8 +521,12 @@ def OEOuthashBasic(path, sigfile, task, d):
                     add_perm(stat.S_IXOTH, 'x')
 
                 if include_owners:
-                    update_hash(" %10s" % pwd.getpwuid(s.st_uid).pw_name)
-                    update_hash(" %10s" % grp.getgrgid(s.st_gid).gr_name)
+                    try:
+                        update_hash(" %10s" % pwd.getpwuid(s.st_uid).pw_name)
+                        update_hash(" %10s" % grp.getgrgid(s.st_gid).gr_name)
+                    except KeyError:
+                        bb.warn("KeyError in %s" % path)
+                        raise
 
                 update_hash(" ")
                 if stat.S_ISBLK(s.st_mode) or stat.S_ISCHR(s.st_mode):
diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index a9110565a9..1b0b5bae70 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -174,6 +174,8 @@ class ReproducibleTests(OESelftestTestCase):
         # NOTE: The temp directories from the reproducible build are purposely
         # kept after the build so it can be diffed for debugging.
 
+        fails = []
+
         for c in self.package_classes:
             with self.subTest(package_class=c):
                 package_class = 'package_' + c
@@ -197,6 +199,9 @@ class ReproducibleTests(OESelftestTestCase):
                         self.copy_file(d.test, '/'.join([save_dir, d.test]))
 
                 if result.missing or result.different:
-                    self.fail("The following %s packages are missing or different: %s" %
-                            (c, ' '.join(r.test for r in (result.missing + result.different))))
+                    fails.append("The following %s packages are missing or different: %s" %
+                            (c, '\n'.join(r.test for r in (result.missing + result.different))))
+
+        if fails:
+            self.fail('\n'.join(fails))
 
diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py
index fe8b77d97a..0d63e44ea7 100644
--- a/meta/lib/oeqa/utils/qemurunner.py
+++ b/meta/lib/oeqa/utils/qemurunner.py
@@ -396,7 +396,10 @@ class QemuRunner:
         self.qemupid = None
         self.ip = None
         if os.path.exists(self.qemu_pidfile):
-            os.remove(self.qemu_pidfile)
+            try:
+                os.remove(self.qemu_pidfile)
+            except FileNotFoundError as e:
+                self.logger.warning('qemu pidfile is no longer present')
         if self.monitorpipe:
             self.monitorpipe.close()
 
diff --git a/meta/recipes-bsp/u-boot/u-boot-tools.inc b/meta/recipes-bsp/u-boot/u-boot-tools.inc
new file mode 100644
index 0000000000..35894e1a8f
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/u-boot-tools.inc
@@ -0,0 +1,65 @@
+SUMMARY = "U-Boot bootloader tools"
+DEPENDS += "openssl"
+
+PROVIDES = "${MLPREFIX}u-boot-mkimage ${MLPREFIX}u-boot-mkenvimage"
+PROVIDES_class-native = "u-boot-mkimage-native u-boot-mkenvimage-native"
+
+PACKAGES += "${PN}-mkimage ${PN}-mkenvimage"
+
+# Required for backward compatibility with "u-boot-mkimage-xxx.bb"
+RPROVIDES_${PN}-mkimage = "u-boot-mkimage"
+RREPLACES_${PN}-mkimage = "u-boot-mkimage"
+RCONFLICTS_${PN}-mkimage = "u-boot-mkimage"
+
+EXTRA_OEMAKE_class-target = 'CROSS_COMPILE="${TARGET_PREFIX}" CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1'
+EXTRA_OEMAKE_class-native = 'CC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1'
+EXTRA_OEMAKE_class-nativesdk = 'CROSS_COMPILE="${HOST_PREFIX}" CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1'
+
+SED_CONFIG_EFI = '-e "s/CONFIG_EFI_LOADER=.*/# CONFIG_EFI_LOADER is not set/"'
+SED_CONFIG_EFI_x86 = ''
+SED_CONFIG_EFI_x86-64 = ''
+SED_CONFIG_EFI_arm = ''
+SED_CONFIG_EFI_armeb = ''
+SED_CONFIG_EFI_aarch64 = ''
+
+do_compile () {
+	oe_runmake sandbox_defconfig
+
+	# Disable CONFIG_CMD_LICENSE, license.h is not used by tools and
+	# generating it requires bin2header tool, which for target build
+	# is built with target tools and thus cannot be executed on host.
+	sed -i -e "s/CONFIG_CMD_LICENSE=.*/# CONFIG_CMD_LICENSE is not set/" ${SED_CONFIG_EFI} .config
+
+	oe_runmake cross_tools NO_SDL=1
+}
+
+do_install () {
+	install -d ${D}${bindir}
+
+	# mkimage
+	install -m 0755 tools/mkimage ${D}${bindir}/uboot-mkimage
+	ln -sf uboot-mkimage ${D}${bindir}/mkimage
+
+	# mkenvimage
+	install -m 0755 tools/mkenvimage ${D}${bindir}/uboot-mkenvimage
+	ln -sf uboot-mkenvimage ${D}${bindir}/mkenvimage
+
+	# dumpimage
+	install -m 0755 tools/dumpimage ${D}${bindir}/uboot-dumpimage
+	ln -sf uboot-dumpimage ${D}${bindir}/dumpimage
+
+	# fit_check_sign
+	install -m 0755 tools/fit_check_sign ${D}${bindir}/uboot-fit_check_sign
+	ln -sf uboot-fit_check_sign ${D}${bindir}/fit_check_sign
+}
+
+ALLOW_EMPTY_${PN} = "1"
+FILES_${PN} = ""
+FILES_${PN}-mkimage = "${bindir}/uboot-mkimage ${bindir}/mkimage ${bindir}/uboot-dumpimage ${bindir}/dumpimage ${bindir}/uboot-fit_check_sign ${bindir}/fit_check_sign"
+FILES_${PN}-mkenvimage = "${bindir}/uboot-mkenvimage ${bindir}/mkenvimage"
+
+RDEPENDS_${PN}-mkimage += "dtc"
+RDEPENDS_${PN} += "${PN}-mkimage ${PN}-mkenvimage"
+RDEPENDS_${PN}_class-native = ""
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-bsp/u-boot/u-boot-tools_2019.07.bb b/meta/recipes-bsp/u-boot/u-boot-tools_2019.07.bb
index bede984ef7..7eaf721ca8 100644
--- a/meta/recipes-bsp/u-boot/u-boot-tools_2019.07.bb
+++ b/meta/recipes-bsp/u-boot/u-boot-tools_2019.07.bb
@@ -1,67 +1,2 @@
 require u-boot-common.inc
-
-SUMMARY = "U-Boot bootloader tools"
-DEPENDS += "openssl"
-
-PROVIDES = "${MLPREFIX}u-boot-mkimage ${MLPREFIX}u-boot-mkenvimage"
-PROVIDES_class-native = "u-boot-mkimage-native u-boot-mkenvimage-native"
-
-PACKAGES += "${PN}-mkimage ${PN}-mkenvimage"
-
-# Required for backward compatibility with "u-boot-mkimage-xxx.bb"
-RPROVIDES_${PN}-mkimage = "u-boot-mkimage"
-RREPLACES_${PN}-mkimage = "u-boot-mkimage"
-RCONFLICTS_${PN}-mkimage = "u-boot-mkimage"
-
-EXTRA_OEMAKE_class-target = 'CROSS_COMPILE="${TARGET_PREFIX}" CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1'
-EXTRA_OEMAKE_class-native = 'CC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1'
-EXTRA_OEMAKE_class-nativesdk = 'CROSS_COMPILE="${HOST_PREFIX}" CC="${CC} ${CFLAGS} ${LDFLAGS}" HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}" STRIP=true V=1'
-
-SED_CONFIG_EFI = '-e "s/CONFIG_EFI_LOADER=.*/# CONFIG_EFI_LOADER is not set/"'
-SED_CONFIG_EFI_x86 = ''
-SED_CONFIG_EFI_x86-64 = ''
-SED_CONFIG_EFI_arm = ''
-SED_CONFIG_EFI_armeb = ''
-SED_CONFIG_EFI_aarch64 = ''
-
-do_compile () {
-	oe_runmake sandbox_defconfig
-
-	# Disable CONFIG_CMD_LICENSE, license.h is not used by tools and
-	# generating it requires bin2header tool, which for target build
-	# is built with target tools and thus cannot be executed on host.
-	sed -i -e "s/CONFIG_CMD_LICENSE=.*/# CONFIG_CMD_LICENSE is not set/" ${SED_CONFIG_EFI} .config
-
-	oe_runmake cross_tools NO_SDL=1
-}
-
-do_install () {
-	install -d ${D}${bindir}
-
-	# mkimage
-	install -m 0755 tools/mkimage ${D}${bindir}/uboot-mkimage
-	ln -sf uboot-mkimage ${D}${bindir}/mkimage
-
-	# mkenvimage
-	install -m 0755 tools/mkenvimage ${D}${bindir}/uboot-mkenvimage
-	ln -sf uboot-mkenvimage ${D}${bindir}/mkenvimage
-
-	# dumpimage
-	install -m 0755 tools/dumpimage ${D}${bindir}/uboot-dumpimage
-	ln -sf uboot-dumpimage ${D}${bindir}/dumpimage
-
-	# fit_check_sign
-	install -m 0755 tools/fit_check_sign ${D}${bindir}/uboot-fit_check_sign
-	ln -sf uboot-fit_check_sign ${D}${bindir}/fit_check_sign
-}
-
-ALLOW_EMPTY_${PN} = "1"
-FILES_${PN} = ""
-FILES_${PN}-mkimage = "${bindir}/uboot-mkimage ${bindir}/mkimage ${bindir}/uboot-dumpimage ${bindir}/dumpimage ${bindir}/uboot-fit_check_sign ${bindir}/fit_check_sign"
-FILES_${PN}-mkenvimage = "${bindir}/uboot-mkenvimage ${bindir}/mkenvimage"
-
-RDEPENDS_${PN}-mkimage += "dtc"
-RDEPENDS_${PN} += "${PN}-mkimage ${PN}-mkenvimage"
-RDEPENDS_${PN}_class-native = ""
-
-BBCLASSEXTEND = "native nativesdk"
+require u-boot-tools.inc
diff --git a/meta/recipes-bsp/u-boot/u-boot.inc b/meta/recipes-bsp/u-boot/u-boot.inc
index 9a754fd09b..d241347bf7 100644
--- a/meta/recipes-bsp/u-boot/u-boot.inc
+++ b/meta/recipes-bsp/u-boot/u-boot.inc
@@ -87,6 +87,8 @@ do_configure () {
         fi
         merge_config.sh -m .config ${@" ".join(find_cfgs(d))}
         cml1_do_configure
+    else
+        DEVTOOL_DISABLE_MENUCONFIG=true
     fi
 }
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index f582a07e22..75fc2dbf4c 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -58,6 +58,8 @@ SRC_URI = "\
     file://CVE-2018-10910.patch \
     file://gcc9-fixes.patch \
     file://0001-tools-Fix-build-after-y2038-changes-in-glibc.patch \
+    file://CVE-2020-0556-1.patch \
+    file://CVE-2020-0556-2.patch \
 "
 S = "${WORKDIR}/bluez-${PV}"
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch
new file mode 100644
index 0000000000..a6bf31e14b
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-1.patch
@@ -0,0 +1,35 @@
+From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001
+From: Alain Michaud <alainm@chromium.org>
+Date: Tue, 10 Mar 2020 02:35:16 +0000
+Subject: [PATCH 1/2] HOGP must only accept data from bonded devices.
+
+HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
+
+Reference:
+https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2020-0556
+---
+ profiles/input/hog.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/profiles/input/hog.c b/profiles/input/hog.c
+index 83c017dcb..dfac68921 100644
+--- a/profiles/input/hog.c
++++ b/profiles/input/hog.c
+@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
+ 			return -EINVAL;
+ 	}
+ 
++	/* HOGP 1.0 Section 6.1 requires bonding */
++	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
++		return -ECONNREFUSED;
++
+ 	/* TODO: Replace GAttrib with bt_gatt_client */
+ 	bt_hog_attach(dev->hog, attrib);
+ 
+-- 
+2.24.1
+
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-2.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-2.patch
new file mode 100644
index 0000000000..8acb2f15ec
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2020-0556-2.patch
@@ -0,0 +1,143 @@
+From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001
+From: Alain Michaud <alainm@chromium.org>
+Date: Tue, 10 Mar 2020 02:35:18 +0000
+Subject: [PATCH 2/2] HID accepts bonded device connections only.
+
+This change adds a configuration for platforms to choose a more secure
+posture for the HID profile.  While some older mice are known to not
+support pairing or encryption, some platform may choose a more secure
+posture by requiring the device to be bonded  and require the
+connection to be encrypted when bonding is required.
+
+Reference:
+https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2020-0556
+
+---
+ profiles/input/device.c   | 23 ++++++++++++++++++++++-
+ profiles/input/device.h   |  1 +
+ profiles/input/input.conf |  8 ++++++++
+ profiles/input/manager.c  | 13 ++++++++++++-
+ 4 files changed, 43 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 2cb3811c8..d89da2d7c 100644
+--- a/profiles/input/device.c
++++ b/profiles/input/device.c
+@@ -92,6 +92,7 @@ struct input_device {
+ 
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
++static bool classic_bonded_only = false;
+ 
+ void input_set_idle_timeout(int timeout)
+ {
+@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
+ 	uhid_enabled = state;
+ }
+ 
++void input_set_classic_bonded_only(bool state)
++{
++	classic_bonded_only = state;
++}
++
+ static void input_device_enter_reconnect_mode(struct input_device *idev);
+ static int connection_disconnect(struct input_device *idev, uint32_t flags);
+ 
+@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
+ 	if (device_name_known(idev->device))
+ 		device_get_name(idev->device, req->name, sizeof(req->name));
+ 
++	/* Make sure the device is bonded if required */
++	if (classic_bonded_only && !device_is_bonded(idev->device,
++				btd_device_get_bdaddr_type(idev->device))) {
++		error("Rejected connection from !bonded device %s", dst_addr);
++		goto cleanup;
++	}
++
+ 	/* Encryption is mandatory for keyboards */
+-	if (req->subclass & 0x40) {
++	/* Some platforms may choose to require encryption for all devices */
++	/* Note that this only matters for pre 2.1 devices as otherwise the */
++	/* device is encrypted by default by the lower layers */
++	if (classic_bonded_only || req->subclass & 0x40) {
+ 		if (!bt_io_set(idev->intr_io, &gerr,
+ 					BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
+ 					BT_IO_OPT_INVALID)) {
+@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
+ 	DBG("path=%s reconnect_mode=%s", idev->path,
+ 				reconnect_mode_to_string(idev->reconnect_mode));
+ 
++	/* Make sure the device is bonded if required */
++	if (classic_bonded_only && !device_is_bonded(idev->device,
++				btd_device_get_bdaddr_type(idev->device)))
++		return;
++
+ 	/* Only attempt an auto-reconnect when the device is required to
+ 	 * accept reconnections from the host.
+ 	 */
+diff --git a/profiles/input/device.h b/profiles/input/device.h
+index 51a9aee18..3044db673 100644
+--- a/profiles/input/device.h
++++ b/profiles/input/device.h
+@@ -29,6 +29,7 @@ struct input_conn;
+ 
+ void input_set_idle_timeout(int timeout);
+ void input_enable_userspace_hid(bool state);
++void input_set_classic_bonded_only(bool state);
+ 
+ int input_device_register(struct btd_service *service);
+ void input_device_unregister(struct btd_service *service);
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 3e1d65aae..166aff4a4 100644
+--- a/profiles/input/input.conf
++++ b/profiles/input/input.conf
+@@ -11,3 +11,11 @@
+ # Enable HID protocol handling in userspace input profile
+ # Defaults to false (HIDP handled in HIDP kernel module)
+ #UserspaceHID=true
++
++# Limit HID connections to bonded devices
++# The HID Profile does not specify that devices must be bonded, however some
++# platforms may want to make sure that input connections only come from bonded
++# device connections. Several older mice have been known for not supporting
++# pairing/encryption.
++# Defaults to false to maximize device compatibility.
++#ClassicBondedOnly=true
+diff --git a/profiles/input/manager.c b/profiles/input/manager.c
+index 1d31b0652..5cd27b839 100644
+--- a/profiles/input/manager.c
++++ b/profiles/input/manager.c
+@@ -96,7 +96,7 @@ static int input_init(void)
+ 	config = load_config_file(CONFIGDIR "/input.conf");
+ 	if (config) {
+ 		int idle_timeout;
+-		gboolean uhid_enabled;
++		gboolean uhid_enabled, classic_bonded_only;
+ 
+ 		idle_timeout = g_key_file_get_integer(config, "General",
+ 							"IdleTimeout", &err);
+@@ -114,6 +114,17 @@ static int input_init(void)
+ 			input_enable_userspace_hid(uhid_enabled);
+ 		} else
+ 			g_clear_error(&err);
++
++		classic_bonded_only = g_key_file_get_boolean(config, "General",
++						"ClassicBondedOnly", &err);
++
++		if (!err) {
++			DBG("input.conf: ClassicBondedOnly=%s",
++					classic_bonded_only ? "true" : "false");
++			input_set_classic_bonded_only(classic_bonded_only);
++		} else
++			g_clear_error(&err);
++
+ 	}
+ 
+ 	btd_profile_register(&input_profile);
+-- 
+2.24.1
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0001-Ensure-context-is-running-prior-to-calling-isc_app_c.patch b/meta/recipes-connectivity/dhcp/dhcp/0001-Ensure-context-is-running-prior-to-calling-isc_app_c.patch
new file mode 100644
index 0000000000..34b2ae1e5c
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/0001-Ensure-context-is-running-prior-to-calling-isc_app_c.patch
@@ -0,0 +1,165 @@
+From f369dbb9e67eb5ef336944af63039b6d8f838384 Mon Sep 17 00:00:00 2001
+From: Thomas Markwalder <tmark@isc.org>
+Date: Thu, 12 Sep 2019 10:35:46 -0400
+Subject: [PATCH 1/3] Ensure context is running prior to calling
+ isc_app_ctxsuspend
+
+Add a release note.
+
+includes/omapip/isclib.h
+    Added actx_running flag to global context, dhcp_gbl_ctx
+
+omapip/isclib.c
+    set_ctx_running() - new function used as the ctxonrun callback
+
+    dhcp_context_create() - installs set_ctx_running callback
+
+    dhcp_signal_handler() - modified to use act_running flag to
+    determine is context is running and should be suspended
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/dhcp.git]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ RELNOTES                 |  7 +++++
+ includes/omapip/isclib.h |  3 ++-
+ omapip/isclib.c          | 57 +++++++++++++++++++++++++++++++++-------
+ 3 files changed, 57 insertions(+), 10 deletions(-)
+
+diff --git a/RELNOTES b/RELNOTES
+index f10305d..1730473 100644
+--- a/RELNOTES
++++ b/RELNOTES
+@@ -6,6 +6,13 @@
+ 
+                               NEW FEATURES
+ 
++- Closed a small window of time between the installation of graceful
++  shutdown signal handlers and application context startup, during which
++  the receipt of shutdown signal would cause a REQUIRE() assertion to
++  occur.  Note this issue is only visible when compiling with
++  ENABLE_GENTLE_SHUTDOWN defined.
++  [Gitlab #53,!18   git TBD]
++
+ Please note that that ISC DHCP is now licensed under the Mozilla Public License,
+ MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read the MPL 2.0
+ license terms.
+diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
+index 6c20584..af6a6fc 100644
+--- a/includes/omapip/isclib.h
++++ b/includes/omapip/isclib.h
+@@ -94,7 +94,8 @@
+ typedef struct dhcp_context {
+ 	isc_mem_t	*mctx;
+ 	isc_appctx_t	*actx;
+-	int              actx_started;
++	int              actx_started; // ISC_TRUE if ctxstart has been called
++	int              actx_running; // ISC_TRUE if ctxrun has been called
+ 	isc_taskmgr_t	*taskmgr;
+ 	isc_task_t	*task;
+ 	isc_socketmgr_t *socketmgr;
+diff --git a/omapip/isclib.c b/omapip/isclib.c
+index ce4b4a1..73e017c 100644
+--- a/omapip/isclib.c
++++ b/omapip/isclib.c
+@@ -134,6 +134,35 @@ handle_signal(int sig, void (*handler)(int)) {
+ 	}
+ }
+ 
++/* Callback passed to isc_app_ctxonrun
++ *
++ * BIND9 context code will invoke this handler once the context has
++ * entered the running state.  We use it to set a global marker so that
++ * we can tell if the context is running.  Several of the isc_app_
++ * calls REQUIRE that the context is running and we need a way to
++ * know that.
++ *
++ * We also check to see if we received a shutdown signal prior to
++ * the context entering the run state.  If we did, then we can just
++ * simply shut the context down now.  This closes the relatively
++ * small window between start up and entering run via the call
++ * to dispatch().
++ *
++ */
++static void
++set_ctx_running(isc_task_t *task, isc_event_t *event) {
++        task = task; // unused;
++	dhcp_gbl_ctx.actx_running = ISC_TRUE;
++
++	if (shutdown_signal) {
++		// We got signaled shutdown before we entered running state.
++		// Now that we've reached running state, shut'er down.
++		isc_app_ctxsuspend(dhcp_gbl_ctx.actx);
++	}
++
++        isc_event_free(&event);
++}
++
+ isc_result_t
+ dhcp_context_create(int flags,
+ 		    struct in_addr  *local4,
+@@ -141,6 +170,9 @@ dhcp_context_create(int flags,
+ 	isc_result_t result;
+ 
+ 	if ((flags & DHCP_CONTEXT_PRE_DB) != 0) {
++		dhcp_gbl_ctx.actx_started = ISC_FALSE;
++		dhcp_gbl_ctx.actx_running = ISC_FALSE;
++
+ 		/*
+ 		 * Set up the error messages, this isn't the right place
+ 		 * for this call but it is convienent for now.
+@@ -204,15 +236,24 @@ dhcp_context_create(int flags,
+ 		if (result != ISC_R_SUCCESS)
+ 			goto cleanup;
+ 
+-		result = isc_task_create(dhcp_gbl_ctx.taskmgr, 0, &dhcp_gbl_ctx.task);
++		result = isc_task_create(dhcp_gbl_ctx.taskmgr, 0,
++					 &dhcp_gbl_ctx.task);
+ 		if (result != ISC_R_SUCCESS)
+ 			goto cleanup;
+ 
+ 		result = isc_app_ctxstart(dhcp_gbl_ctx.actx);
+ 		if (result != ISC_R_SUCCESS)
+-			return (result);
++			goto cleanup;
++
+ 		dhcp_gbl_ctx.actx_started = ISC_TRUE;
+ 
++		// Install the onrun callback.
++		result = isc_app_ctxonrun(dhcp_gbl_ctx.actx, dhcp_gbl_ctx.mctx,
++					  dhcp_gbl_ctx.task, set_ctx_running,
++					  dhcp_gbl_ctx.actx);
++		if (result != ISC_R_SUCCESS)
++			goto cleanup;
++
+ 		/* Not all OSs support suppressing SIGPIPE through socket
+ 		 * options, so set the sigal action to be ignore.  This allows
+ 		 * broken connections to fail gracefully with EPIPE on writes */
+@@ -335,19 +376,17 @@ isclib_make_dst_key(char          *inname,
+  * @param signal signal code that we received
+  */
+ void dhcp_signal_handler(int signal) {
+-	isc_appctx_t *ctx = dhcp_gbl_ctx.actx;
+-	int prev = shutdown_signal;
+-
+-	if (prev != 0) {
++	if (shutdown_signal != 0) {
+ 		/* Already in shutdown. */
+ 		return;
+ 	}
++
+ 	/* Possible race but does it matter? */
+ 	shutdown_signal = signal;
+ 
+-	/* Use reload (aka suspend) for easier dispatch() reenter. */
+-	if (ctx && ctx->methods && ctx->methods->ctxsuspend) {
+-		(void) isc_app_ctxsuspend(ctx);
++	/* If the application context is running tell it to shut down */
++	if (dhcp_gbl_ctx.actx_running == ISC_TRUE) {
++		(void) isc_app_ctxsuspend(dhcp_gbl_ctx.actx);
+ 	}
+ }
+ 
+-- 
+2.23.0
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0002-Added-shutdown-log-statment-to-dhcrelay.patch b/meta/recipes-connectivity/dhcp/dhcp/0002-Added-shutdown-log-statment-to-dhcrelay.patch
new file mode 100644
index 0000000000..78b2b74f45
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/0002-Added-shutdown-log-statment-to-dhcrelay.patch
@@ -0,0 +1,29 @@
+From adcd34ae1f56b16d7e9696d980332b4cf6c7ce91 Mon Sep 17 00:00:00 2001
+From: Thomas Markwalder <tmark@isc.org>
+Date: Fri, 13 Sep 2019 15:03:31 -0400
+Subject: [PATCH 2/3] Added shutdown log statment to dhcrelay
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/dhcp.git]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ relay/dhcrelay.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c
+index d8caaaf..4bd1d47 100644
+--- a/relay/dhcrelay.c
++++ b/relay/dhcrelay.c
+@@ -2076,6 +2076,9 @@ dhcp_set_control_state(control_object_state_t oldstate,
+ 	if (newstate != server_shutdown)
+ 		return ISC_R_SUCCESS;
+ 
++	/* Log shutdown on signal. */
++	log_info("Received signal %d, initiating shutdown.", shutdown_signal);
++
+ 	if (no_pid_file == ISC_FALSE)
+ 		(void) unlink(path_dhcrelay_pid);
+ 
+-- 
+2.23.0
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0003-Addressed-review-comment.patch b/meta/recipes-connectivity/dhcp/dhcp/0003-Addressed-review-comment.patch
new file mode 100644
index 0000000000..a51b6cf526
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/0003-Addressed-review-comment.patch
@@ -0,0 +1,31 @@
+From e4b54b4d676783152d487103714cba2913661ef8 Mon Sep 17 00:00:00 2001
+From: Thomas Markwalder <tmark@isc.org>
+Date: Wed, 6 Nov 2019 15:53:50 -0500
+Subject: [PATCH 3/3] Addressed review comment.
+
+omapip/isclib.c
+    Added use of IGNORE_UNUSED()
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/dhcp.git]
+
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+---
+ omapip/isclib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/omapip/isclib.c b/omapip/isclib.c
+index 73e017c..1d52463 100644
+--- a/omapip/isclib.c
++++ b/omapip/isclib.c
+@@ -151,7 +151,7 @@ handle_signal(int sig, void (*handler)(int)) {
+  */
+ static void
+ set_ctx_running(isc_task_t *task, isc_event_t *event) {
+-        task = task; // unused;
++    IGNORE_UNUSED(task);
+ 	dhcp_gbl_ctx.actx_running = ISC_TRUE;
+ 
+ 	if (shutdown_signal) {
+-- 
+2.23.0
+
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb
index 275961a603..ddc8b60254 100644
--- a/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb
+++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb
@@ -11,6 +11,9 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
             file://0013-fixup_use_libbind.patch \
             file://0001-master-Added-includes-of-new-BIND9-compatibility-hea.patch \
             file://0001-Fix-a-NSUPDATE-compiling-issue.patch \
+            file://0001-Ensure-context-is-running-prior-to-calling-isc_app_c.patch \
+            file://0002-Added-shutdown-log-statment-to-dhcrelay.patch \
+            file://0003-Addressed-review-comment.patch \
 "
 
 SRC_URI[md5sum] = "18c7f4dcbb0a63df25098216d47b1ede"
diff --git a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
index 684fbe09e1..cc9410b94e 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
@@ -143,11 +143,15 @@ ALTERNATIVE_${PN}-traceroute = "traceroute"
 ALTERNATIVE_${PN}-hostname = "hostname"
 ALTERNATIVE_LINK_NAME[hostname]  = "${base_bindir}/hostname"
 
-ALTERNATIVE_${PN}-doc = "hostname.1 dnsdomainname.1 logger.1 syslogd.8"
+ALTERNATIVE_${PN}-doc = "hostname.1 dnsdomainname.1 logger.1 syslogd.8 \
+                         tftpd.8 tftp.1 telnetd.8"
 ALTERNATIVE_LINK_NAME[hostname.1] = "${mandir}/man1/hostname.1"
 ALTERNATIVE_LINK_NAME[dnsdomainname.1] = "${mandir}/man1/dnsdomainname.1"
 ALTERNATIVE_LINK_NAME[logger.1] = "${mandir}/man1/logger.1"
 ALTERNATIVE_LINK_NAME[syslogd.8] = "${mandir}/man8/syslogd.8"
+ALTERNATIVE_LINK_NAME[telnetd.8] = "${mandir}/man8/telnetd.8"
+ALTERNATIVE_LINK_NAME[tftpd.8] = "${mandir}/man8/tftpd.8"
+ALTERNATIVE_LINK_NAME[tftp.1] = "${mandir}/man1/tftp.1"
 
 ALTERNATIVE_${PN}-ifconfig = "ifconfig"
 ALTERNATIVE_LINK_NAME[ifconfig]  = "${base_sbindir}/ifconfig"
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Disable-statx-if-using-glibc-emulation.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Disable-statx-if-using-glibc-emulation.patch
new file mode 100644
index 0000000000..98b1391923
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Disable-statx-if-using-glibc-emulation.patch
@@ -0,0 +1,34 @@
+From ff3ad88c233ecd87f7983ad13836323f944540ec Mon Sep 17 00:00:00 2001
+From: Doug Nazar <nazard@nazar.ca>
+Date: Mon, 9 Dec 2019 10:53:37 -0500
+Subject: [PATCH] Disable statx if using glibc emulation
+
+On older kernels without statx, glibc with statx support will attempt
+to emulate the call. However it doesn't support AT_STATX_DONT_SYNC and
+will return EINVAL. This causes all xstat/xlstat calls to fail.
+
+Upstream-Status: Backport
+
+Signed-off-by: Doug Nazar <nazard@nazar.ca>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+---
+ support/misc/xstat.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/support/misc/xstat.c b/support/misc/xstat.c
+index 661e29e4..a438fbcc 100644
+--- a/support/misc/xstat.c
++++ b/support/misc/xstat.c
+@@ -51,6 +51,9 @@ statx_do_stat(int fd, const char *pathname, struct stat *statbuf, int flags)
+ 			statx_copy(statbuf, &stxbuf);
+ 			return 0;
+ 		}
++		/* glibc emulation doesn't support AT_STATX_DONT_SYNC */
++		if (errno == EINVAL)
++			errno = ENOSYS;
+ 		if (errno == ENOSYS)
+ 			statx_supported = 0;
+ 	} else
+-- 
+2.19.1
+
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.4.1.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.4.1.bb
index 7e80354e4e..3ae8f965c8 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.4.1.bb
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.4.1.bb
@@ -33,6 +33,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x
            file://0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch \
            file://0001-Don-t-build-tools-with-CC_FOR_BUILD.patch \
            file://0001-Fix-include-order-between-config.h-and-stat.h.patch \
+           file://0001-Disable-statx-if-using-glibc-emulation.patch \
 "
 SRC_URI_append_libc-glibc = " file://0001-configure.ac-Do-not-fatalize-Wmissing-prototypes.patch"
 SRC_URI_append_libc-musl = " file://nfs-utils-musl-res_querydomain.patch"
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-what-bozo-decided-to-use-2020-as-a-future-d.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-what-bozo-decided-to-use-2020-as-a-future-d.patch
new file mode 100644
index 0000000000..e2930c3c7d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-what-bozo-decided-to-use-2020-as-a-future-d.patch
@@ -0,0 +1,46 @@
+From 3cccc0a2ab597b8273bddf08e9a3cc5551d7e530 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 3 Jan 2020 03:02:26 +0000
+Subject: [PATCH] upstream: what bozo decided to use 2020 as a future date in a
+ regress
+
+test?
+
+OpenBSD-Regress-ID: 3b953df5a7e14081ff6cf495d4e8d40e153cbc3a
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/ff31f15773ee173502eec4d7861ec56f26bba381]
+
+[Dropped the script version and copyright year change at the top]
+
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ regress/cert-hostkey.sh | 2 +-
+ regress/cert-userkey.sh | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
+index 3ce7779..74d5a53 100644
+--- a/regress/cert-hostkey.sh
++++ b/regress/cert-hostkey.sh
+@@ -248,7 +248,7 @@ test_one() {
+ test_one "user-certificate"	failure "-n $HOSTS"
+ test_one "empty principals"	success "-h"
+ test_one "wrong principals"	failure "-h -n foo"
+-test_one "cert not yet valid"	failure "-h -V20200101:20300101"
++test_one "cert not yet valid"	failure "-h -V20300101:20320101"
+ test_one "cert expired"		failure "-h -V19800101:19900101"
+ test_one "cert valid interval"	success "-h -V-1w:+2w"
+ test_one "cert has constraints"	failure "-h -Oforce-command=false"
+diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
+index 6849e99..de455b8 100644
+--- a/regress/cert-userkey.sh
++++ b/regress/cert-userkey.sh
+@@ -327,7 +327,7 @@ test_one() {
+ test_one "correct principal"	success "-n ${USER}"
+ test_one "host-certificate"	failure "-n ${USER} -h"
+ test_one "wrong principals"	failure "-n foo"
+-test_one "cert not yet valid"	failure "-n ${USER} -V20200101:20300101"
++test_one "cert not yet valid"	failure "-n ${USER} -V20300101:20320101"
+ test_one "cert expired"		failure "-n ${USER} -V19800101:19900101"
+ test_one "cert valid interval"	success "-n ${USER} -V-1w:+2w"
+ test_one "wrong source-address"	failure "-n ${USER} -Osource-address=10.0.0.0/8"
diff --git a/meta/recipes-connectivity/openssh/openssh_8.0p1.bb b/meta/recipes-connectivity/openssh/openssh_8.0p1.bb
index 2ffbc9a95f..3d16f9d347 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.0p1.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://sshd_check_keys \
            file://add-test-support-for-busybox.patch \
            file://0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch \
+           file://0001-upstream-what-bozo-decided-to-use-2020-as-a-future-d.patch \
            "
 SRC_URI[md5sum] = "bf050f002fe510e1daecd39044e1122d"
 SRC_URI[sha256sum] = "bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68"
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2019-1551.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2019-1551.patch
deleted file mode 100644
index 0cc19cb5f4..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2019-1551.patch
+++ /dev/null
@@ -1,758 +0,0 @@
-From 419102400a2811582a7a3d4a4e317d72e5ce0a8f Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Wed, 4 Dec 2019 12:48:21 +0100
-Subject: [PATCH] Fix an overflow bug in rsaz_512_sqr
-
-There is an overflow bug in the x64_64 Montgomery squaring procedure used in
-exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis
-suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a
-result of this defect would be very difficult to perform and are not believed
-likely. Attacks against DH512 are considered just feasible. However, for an
-attack the target would have to re-use the DH512 private key, which is not
-recommended anyway. Also applications directly using the low level API
-BN_mod_exp may be affected if they use BN_FLG_CONSTTIME.
-
-CVE-2019-1551
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-(Merged from https://github.com/openssl/openssl/pull/10575)
-
-CVE: CVE-2019-1551
-Upstream-Status: Backport
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- crypto/bn/asm/rsaz-x86_64.pl | 381 ++++++++++++++++++-----------------
- 1 file changed, 197 insertions(+), 184 deletions(-)
-
-diff --git a/crypto/bn/asm/rsaz-x86_64.pl b/crypto/bn/asm/rsaz-x86_64.pl
-index b1797b649f0..7534d5cd03e 100755
---- a/crypto/bn/asm/rsaz-x86_64.pl
-+++ b/crypto/bn/asm/rsaz-x86_64.pl
-@@ -116,7 +116,7 @@
- 	subq	\$128+24, %rsp
- .cfi_adjust_cfa_offset	128+24
- .Lsqr_body:
--	movq	$mod, %rbp		# common argument
-+	movq	$mod, %xmm1		# common off-load
- 	movq	($inp), %rdx
- 	movq	8($inp), %rax
- 	movq	$n0, 128(%rsp)
-@@ -134,7 +134,8 @@
- .Loop_sqr:
- 	movl	$times,128+8(%rsp)
- #first iteration
--	movq	%rdx, %rbx
-+	movq	%rdx, %rbx		# 0($inp)
-+	mov	%rax, %rbp		# 8($inp)
- 	mulq	%rdx
- 	movq	%rax, %r8
- 	movq	16($inp), %rax
-@@ -173,31 +174,29 @@
- 	mulq	%rbx
- 	addq	%rax, %r14
- 	movq	%rbx, %rax
--	movq	%rdx, %r15
--	adcq	\$0, %r15
-+	adcq	\$0, %rdx
- 
--	addq	%r8, %r8		#shlq	\$1, %r8
--	movq	%r9, %rcx
--	adcq	%r9, %r9		#shld	\$1, %r8, %r9
-+	xorq	%rcx,%rcx		# rcx:r8 = r8 << 1
-+	addq	%r8, %r8
-+	 movq	%rdx, %r15
-+	adcq	\$0, %rcx
- 
- 	mulq	%rax
--	movq	%rax, (%rsp)
--	addq	%rdx, %r8
--	adcq	\$0, %r9
-+	addq	%r8, %rdx
-+	adcq	\$0, %rcx
- 
--	movq	%r8, 8(%rsp)
--	shrq	\$63, %rcx
-+	movq	%rax, (%rsp)
-+	movq	%rdx, 8(%rsp)
- 
- #second iteration
--	movq	8($inp), %r8
- 	movq	16($inp), %rax
--	mulq	%r8
-+	mulq	%rbp
- 	addq	%rax, %r10
- 	movq	24($inp), %rax
- 	movq	%rdx, %rbx
- 	adcq	\$0, %rbx
- 
--	mulq	%r8
-+	mulq	%rbp
- 	addq	%rax, %r11
- 	movq	32($inp), %rax
- 	adcq	\$0, %rdx
-@@ -205,7 +204,7 @@
- 	movq	%rdx, %rbx
- 	adcq	\$0, %rbx
- 
--	mulq	%r8
-+	mulq	%rbp
- 	addq	%rax, %r12
- 	movq	40($inp), %rax
- 	adcq	\$0, %rdx
-@@ -213,7 +212,7 @@
- 	movq	%rdx, %rbx
- 	adcq	\$0, %rbx
- 
--	mulq	%r8
-+	mulq	%rbp
- 	addq	%rax, %r13
- 	movq	48($inp), %rax
- 	adcq	\$0, %rdx
-@@ -221,7 +220,7 @@
- 	movq	%rdx, %rbx
- 	adcq	\$0, %rbx
- 
--	mulq	%r8
-+	mulq	%rbp
- 	addq	%rax, %r14
- 	movq	56($inp), %rax
- 	adcq	\$0, %rdx
-@@ -229,39 +228,39 @@
- 	movq	%rdx, %rbx
- 	adcq	\$0, %rbx
- 
--	mulq	%r8
-+	mulq	%rbp
- 	addq	%rax, %r15
--	movq	%r8, %rax
-+	movq	%rbp, %rax
- 	adcq	\$0, %rdx
- 	addq	%rbx, %r15
--	movq	%rdx, %r8
--	movq	%r10, %rdx
--	adcq	\$0, %r8
-+	adcq	\$0, %rdx
- 
--	add	%rdx, %rdx
--	lea	(%rcx,%r10,2), %r10	#shld	\$1, %rcx, %r10
--	movq	%r11, %rbx
--	adcq	%r11, %r11		#shld	\$1, %r10, %r11
-+	xorq	%rbx, %rbx		# rbx:r10:r9 = r10:r9 << 1
-+	addq	%r9, %r9
-+	 movq	%rdx, %r8
-+	adcq	%r10, %r10
-+	adcq	\$0, %rbx
- 
- 	mulq	%rax
-+	addq	%rcx, %rax
-+	 movq	16($inp), %rbp
-+	adcq	\$0, %rdx
- 	addq	%rax, %r9
-+	 movq	24($inp), %rax
- 	adcq	%rdx, %r10
--	adcq	\$0, %r11
-+	adcq	\$0, %rbx
- 
- 	movq	%r9, 16(%rsp)
- 	movq	%r10, 24(%rsp)
--	shrq	\$63, %rbx
- 
- #third iteration
--	movq	16($inp), %r9
--	movq	24($inp), %rax
--	mulq	%r9
-+	mulq	%rbp
- 	addq	%rax, %r12
- 	movq	32($inp), %rax
- 	movq	%rdx, %rcx
- 	adcq	\$0, %rcx
- 
--	mulq	%r9
-+	mulq	%rbp
- 	addq	%rax, %r13
- 	movq	40($inp), %rax
- 	adcq	\$0, %rdx
-@@ -269,7 +268,7 @@
- 	movq	%rdx, %rcx
- 	adcq	\$0, %rcx
- 
--	mulq	%r9
-+	mulq	%rbp
- 	addq	%rax, %r14
- 	movq	48($inp), %rax
- 	adcq	\$0, %rdx
-@@ -277,9 +276,7 @@
- 	movq	%rdx, %rcx
- 	adcq	\$0, %rcx
- 
--	mulq	%r9
--	 movq	%r12, %r10
--	 lea	(%rbx,%r12,2), %r12	#shld	\$1, %rbx, %r12
-+	mulq	%rbp
- 	addq	%rax, %r15
- 	movq	56($inp), %rax
- 	adcq	\$0, %rdx
-@@ -287,36 +284,40 @@
- 	movq	%rdx, %rcx
- 	adcq	\$0, %rcx
- 
--	mulq	%r9
--	 shrq	\$63, %r10
-+	mulq	%rbp
- 	addq	%rax, %r8
--	movq	%r9, %rax
-+	movq	%rbp, %rax
- 	adcq	\$0, %rdx
- 	addq	%rcx, %r8
--	movq	%rdx, %r9
--	adcq	\$0, %r9
-+	adcq	\$0, %rdx
- 
--	movq	%r13, %rcx
--	leaq	(%r10,%r13,2), %r13	#shld	\$1, %r12, %r13
-+	xorq	%rcx, %rcx		# rcx:r12:r11 = r12:r11 << 1
-+	addq	%r11, %r11
-+	 movq	%rdx, %r9
-+	adcq	%r12, %r12
-+	adcq	\$0, %rcx
- 
- 	mulq	%rax
-+	addq	%rbx, %rax
-+	 movq	24($inp), %r10
-+	adcq	\$0, %rdx
- 	addq	%rax, %r11
-+	 movq	32($inp), %rax
- 	adcq	%rdx, %r12
--	adcq	\$0, %r13
-+	adcq	\$0, %rcx
- 
- 	movq	%r11, 32(%rsp)
- 	movq	%r12, 40(%rsp)
--	shrq	\$63, %rcx
- 
- #fourth iteration
--	movq	24($inp), %r10
--	movq	32($inp), %rax
-+	mov	%rax, %r11		# 32($inp)
- 	mulq	%r10
- 	addq	%rax, %r14
- 	movq	40($inp), %rax
- 	movq	%rdx, %rbx
- 	adcq	\$0, %rbx
- 
-+	mov	%rax, %r12		# 40($inp)
- 	mulq	%r10
- 	addq	%rax, %r15
- 	movq	48($inp), %rax
-@@ -325,9 +326,8 @@
- 	movq	%rdx, %rbx
- 	adcq	\$0, %rbx
- 
-+	mov	%rax, %rbp		# 48($inp)
- 	mulq	%r10
--	 movq	%r14, %r12
--	 leaq	(%rcx,%r14,2), %r14	#shld	\$1, %rcx, %r14
- 	addq	%rax, %r8
- 	movq	56($inp), %rax
- 	adcq	\$0, %rdx
-@@ -336,32 +336,33 @@
- 	adcq	\$0, %rbx
- 
- 	mulq	%r10
--	 shrq	\$63, %r12
- 	addq	%rax, %r9
- 	movq	%r10, %rax
- 	adcq	\$0, %rdx
- 	addq	%rbx, %r9
--	movq	%rdx, %r10
--	adcq	\$0, %r10
-+	adcq	\$0, %rdx
- 
--	movq	%r15, %rbx
--	leaq	(%r12,%r15,2),%r15	#shld	\$1, %r14, %r15
-+	xorq	%rbx, %rbx		# rbx:r13:r14 = r13:r14 << 1
-+	addq	%r13, %r13
-+	 movq	%rdx, %r10
-+	adcq	%r14, %r14
-+	adcq	\$0, %rbx
- 
- 	mulq	%rax
-+	addq	%rcx, %rax
-+	adcq	\$0, %rdx
- 	addq	%rax, %r13
-+	 movq	%r12, %rax		# 40($inp)
- 	adcq	%rdx, %r14
--	adcq	\$0, %r15
-+	adcq	\$0, %rbx
- 
- 	movq	%r13, 48(%rsp)
- 	movq	%r14, 56(%rsp)
--	shrq	\$63, %rbx
- 
- #fifth iteration
--	movq	32($inp), %r11
--	movq	40($inp), %rax
- 	mulq	%r11
- 	addq	%rax, %r8
--	movq	48($inp), %rax
-+	movq	%rbp, %rax		# 48($inp)
- 	movq	%rdx, %rcx
- 	adcq	\$0, %rcx
- 
-@@ -369,97 +370,99 @@
- 	addq	%rax, %r9
- 	movq	56($inp), %rax
- 	adcq	\$0, %rdx
--	 movq	%r8, %r12
--	 leaq	(%rbx,%r8,2), %r8	#shld	\$1, %rbx, %r8
- 	addq	%rcx, %r9
- 	movq	%rdx, %rcx
- 	adcq	\$0, %rcx
- 
-+	mov	%rax, %r14		# 56($inp)
- 	mulq	%r11
--	 shrq	\$63, %r12
- 	addq	%rax, %r10
- 	movq	%r11, %rax
- 	adcq	\$0, %rdx
- 	addq	%rcx, %r10
--	movq	%rdx, %r11
--	adcq	\$0, %r11
-+	adcq	\$0, %rdx
- 
--	movq	%r9, %rcx
--	leaq	(%r12,%r9,2), %r9	#shld	\$1, %r8, %r9
-+	xorq	%rcx, %rcx		# rcx:r8:r15 = r8:r15 << 1
-+	addq	%r15, %r15
-+	 movq	%rdx, %r11
-+	adcq	%r8, %r8
-+	adcq	\$0, %rcx
- 
- 	mulq	%rax
-+	addq	%rbx, %rax
-+	adcq	\$0, %rdx
- 	addq	%rax, %r15
-+	 movq	%rbp, %rax		# 48($inp)
- 	adcq	%rdx, %r8
--	adcq	\$0, %r9
-+	adcq	\$0, %rcx
- 
- 	movq	%r15, 64(%rsp)
- 	movq	%r8, 72(%rsp)
--	shrq	\$63, %rcx
- 
- #sixth iteration
--	movq	40($inp), %r12
--	movq	48($inp), %rax
- 	mulq	%r12
- 	addq	%rax, %r10
--	movq	56($inp), %rax
-+	movq	%r14, %rax		# 56($inp)
- 	movq	%rdx, %rbx
- 	adcq	\$0, %rbx
- 
- 	mulq	%r12
- 	addq	%rax, %r11
- 	movq	%r12, %rax
--	 movq	%r10, %r15
--	 leaq	(%rcx,%r10,2), %r10	#shld	\$1, %rcx, %r10
- 	adcq	\$0, %rdx
--	 shrq	\$63, %r15
- 	addq	%rbx, %r11
--	movq	%rdx, %r12
--	adcq	\$0, %r12
-+	adcq	\$0, %rdx
- 
--	movq	%r11, %rbx
--	leaq	(%r15,%r11,2), %r11	#shld	\$1, %r10, %r11
-+	xorq	%rbx, %rbx		# rbx:r10:r9 = r10:r9 << 1
-+	addq	%r9, %r9
-+	 movq	%rdx, %r12
-+	adcq	%r10, %r10
-+	adcq	\$0, %rbx
- 
- 	mulq	%rax
-+	addq	%rcx, %rax
-+	adcq	\$0, %rdx
- 	addq	%rax, %r9
-+	 movq	%r14, %rax		# 56($inp)
- 	adcq	%rdx, %r10
--	adcq	\$0, %r11
-+	adcq	\$0, %rbx
- 
- 	movq	%r9, 80(%rsp)
- 	movq	%r10, 88(%rsp)
- 
- #seventh iteration
--	movq	48($inp), %r13
--	movq	56($inp), %rax
--	mulq	%r13
-+	mulq	%rbp
- 	addq	%rax, %r12
--	movq	%r13, %rax
--	movq	%rdx, %r13
--	adcq	\$0, %r13
-+	movq	%rbp, %rax
-+	adcq	\$0, %rdx
- 
--	xorq	%r14, %r14
--	shlq	\$1, %rbx
--	adcq	%r12, %r12		#shld	\$1, %rbx, %r12
--	adcq	%r13, %r13		#shld	\$1, %r12, %r13
--	adcq	%r14, %r14		#shld	\$1, %r13, %r14
-+	xorq	%rcx, %rcx		# rcx:r12:r11 = r12:r11 << 1
-+	addq	%r11, %r11
-+	 movq	%rdx, %r13
-+	adcq	%r12, %r12
-+	adcq	\$0, %rcx
- 
- 	mulq	%rax
-+	addq	%rbx, %rax
-+	adcq	\$0, %rdx
- 	addq	%rax, %r11
-+	 movq	%r14, %rax		# 56($inp)
- 	adcq	%rdx, %r12
--	adcq	\$0, %r13
-+	adcq	\$0, %rcx
- 
- 	movq	%r11, 96(%rsp)
- 	movq	%r12, 104(%rsp)
- 
- #eighth iteration
--	movq	56($inp), %rax
-+	xorq	%rbx, %rbx		# rbx:r13 = r13 << 1
-+	addq	%r13, %r13
-+	adcq	\$0, %rbx
-+
- 	mulq	%rax
--	addq	%rax, %r13
-+	addq	%rcx, %rax
- 	adcq	\$0, %rdx
--
--	addq	%rdx, %r14
--
--	movq	%r13, 112(%rsp)
--	movq	%r14, 120(%rsp)
-+	addq	%r13, %rax
-+	adcq	%rbx, %rdx
- 
- 	movq	(%rsp), %r8
- 	movq	8(%rsp), %r9
-@@ -469,6 +472,10 @@
- 	movq	40(%rsp), %r13
- 	movq	48(%rsp), %r14
- 	movq	56(%rsp), %r15
-+	movq	%xmm1, %rbp
-+
-+	movq	%rax, 112(%rsp)
-+	movq	%rdx, 120(%rsp)
- 
- 	call	__rsaz_512_reduce
- 
-@@ -500,9 +507,9 @@
- .Loop_sqrx:
- 	movl	$times,128+8(%rsp)
- 	movq	$out, %xmm0		# off-load
--	movq	%rbp, %xmm1		# off-load
- #first iteration
- 	mulx	%rax, %r8, %r9
-+	mov	%rax, %rbx
- 
- 	mulx	16($inp), %rcx, %r10
- 	xor	%rbp, %rbp		# cf=0, of=0
-@@ -510,40 +517,39 @@
- 	mulx	24($inp), %rax, %r11
- 	adcx	%rcx, %r9
- 
--	mulx	32($inp), %rcx, %r12
-+	.byte	0xc4,0x62,0xf3,0xf6,0xa6,0x20,0x00,0x00,0x00	# mulx	32($inp), %rcx, %r12
- 	adcx	%rax, %r10
- 
--	mulx	40($inp), %rax, %r13
-+	.byte	0xc4,0x62,0xfb,0xf6,0xae,0x28,0x00,0x00,0x00	# mulx	40($inp), %rax, %r13
- 	adcx	%rcx, %r11
- 
--	.byte	0xc4,0x62,0xf3,0xf6,0xb6,0x30,0x00,0x00,0x00	# mulx	48($inp), %rcx, %r14
-+	mulx	48($inp), %rcx, %r14
- 	adcx	%rax, %r12
- 	adcx	%rcx, %r13
- 
--	.byte	0xc4,0x62,0xfb,0xf6,0xbe,0x38,0x00,0x00,0x00	# mulx	56($inp), %rax, %r15
-+	mulx	56($inp), %rax, %r15
- 	adcx	%rax, %r14
- 	adcx	%rbp, %r15		# %rbp is 0
- 
--	mov	%r9, %rcx
--	shld	\$1, %r8, %r9
--	shl	\$1, %r8
--
--	xor	%ebp, %ebp
--	mulx	%rdx, %rax, %rdx
--	adcx	%rdx, %r8
--	 mov	8($inp), %rdx
--	adcx	%rbp, %r9
-+	mulx	%rdx, %rax, $out
-+	 mov	%rbx, %rdx		# 8($inp)
-+	xor	%rcx, %rcx
-+	adox	%r8, %r8
-+	adcx	$out, %r8
-+	adox	%rbp, %rcx
-+	adcx	%rbp, %rcx
- 
- 	mov	%rax, (%rsp)
- 	mov	%r8, 8(%rsp)
- 
- #second iteration
--	mulx	16($inp), %rax, %rbx
-+	.byte	0xc4,0xe2,0xfb,0xf6,0x9e,0x10,0x00,0x00,0x00	# mulx	16($inp), %rax, %rbx
- 	adox	%rax, %r10
- 	adcx	%rbx, %r11
- 
--	.byte	0xc4,0x62,0xc3,0xf6,0x86,0x18,0x00,0x00,0x00	# mulx	24($inp), $out, %r8
-+	mulx	24($inp), $out, %r8
- 	adox	$out, %r11
-+	.byte	0x66
- 	adcx	%r8, %r12
- 
- 	mulx	32($inp), %rax, %rbx
-@@ -561,24 +567,25 @@
- 	.byte	0xc4,0x62,0xc3,0xf6,0x86,0x38,0x00,0x00,0x00	# mulx	56($inp), $out, %r8
- 	adox	$out, %r15
- 	adcx	%rbp, %r8
-+	 mulx	%rdx, %rax, $out
- 	adox	%rbp, %r8
-+	 .byte	0x48,0x8b,0x96,0x10,0x00,0x00,0x00		# mov	16($inp), %rdx
- 
--	mov	%r11, %rbx
--	shld	\$1, %r10, %r11
--	shld	\$1, %rcx, %r10
--
--	xor	%ebp,%ebp
--	mulx	%rdx, %rax, %rcx
--	 mov	16($inp), %rdx
-+	xor	%rbx, %rbx
-+	adcx	%rcx, %rax
-+	adox	%r9, %r9
-+	adcx	%rbp, $out
-+	adox	%r10, %r10
- 	adcx	%rax, %r9
--	adcx	%rcx, %r10
--	adcx	%rbp, %r11
-+	adox	%rbp, %rbx
-+	adcx	$out, %r10
-+	adcx	%rbp, %rbx
- 
- 	mov	%r9, 16(%rsp)
- 	.byte	0x4c,0x89,0x94,0x24,0x18,0x00,0x00,0x00		# mov	%r10, 24(%rsp)
- 
- #third iteration
--	.byte	0xc4,0x62,0xc3,0xf6,0x8e,0x18,0x00,0x00,0x00	# mulx	24($inp), $out, %r9
-+	mulx	24($inp), $out, %r9
- 	adox	$out, %r12
- 	adcx	%r9, %r13
- 
-@@ -586,7 +593,7 @@
- 	adox	%rax, %r13
- 	adcx	%rcx, %r14
- 
--	mulx	40($inp), $out, %r9
-+	.byte	0xc4,0x62,0xc3,0xf6,0x8e,0x28,0x00,0x00,0x00	# mulx	40($inp), $out, %r9
- 	adox	$out, %r14
- 	adcx	%r9, %r15
- 
-@@ -594,27 +601,28 @@
- 	adox	%rax, %r15
- 	adcx	%rcx, %r8
- 
--	.byte	0xc4,0x62,0xc3,0xf6,0x8e,0x38,0x00,0x00,0x00	# mulx	56($inp), $out, %r9
-+	mulx	56($inp), $out, %r9
- 	adox	$out, %r8
- 	adcx	%rbp, %r9
-+	 mulx	%rdx, %rax, $out
- 	adox	%rbp, %r9
-+	 mov	24($inp), %rdx
- 
--	mov	%r13, %rcx
--	shld	\$1, %r12, %r13
--	shld	\$1, %rbx, %r12
--
--	xor	%ebp, %ebp
--	mulx	%rdx, %rax, %rdx
-+	xor	%rcx, %rcx
-+	adcx	%rbx, %rax
-+	adox	%r11, %r11
-+	adcx	%rbp, $out
-+	adox	%r12, %r12
- 	adcx	%rax, %r11
--	adcx	%rdx, %r12
--	 mov	24($inp), %rdx
--	adcx	%rbp, %r13
-+	adox	%rbp, %rcx
-+	adcx	$out, %r12
-+	adcx	%rbp, %rcx
- 
- 	mov	%r11, 32(%rsp)
--	.byte	0x4c,0x89,0xa4,0x24,0x28,0x00,0x00,0x00		# mov	%r12, 40(%rsp)
-+	mov	%r12, 40(%rsp)
- 
- #fourth iteration
--	.byte	0xc4,0xe2,0xfb,0xf6,0x9e,0x20,0x00,0x00,0x00	# mulx	32($inp), %rax, %rbx
-+	mulx	32($inp), %rax, %rbx
- 	adox	%rax, %r14
- 	adcx	%rbx, %r15
- 
-@@ -629,25 +637,25 @@
- 	mulx	56($inp), $out, %r10
- 	adox	$out, %r9
- 	adcx	%rbp, %r10
-+	 mulx	%rdx, %rax, $out
- 	adox	%rbp, %r10
-+	 mov	32($inp), %rdx
- 
--	.byte	0x66
--	mov	%r15, %rbx
--	shld	\$1, %r14, %r15
--	shld	\$1, %rcx, %r14
--
--	xor	%ebp, %ebp
--	mulx	%rdx, %rax, %rdx
-+	xor	%rbx, %rbx
-+	adcx	%rcx, %rax
-+	adox	%r13, %r13
-+	adcx	%rbp, $out
-+	adox	%r14, %r14
- 	adcx	%rax, %r13
--	adcx	%rdx, %r14
--	 mov	32($inp), %rdx
--	adcx	%rbp, %r15
-+	adox	%rbp, %rbx
-+	adcx	$out, %r14
-+	adcx	%rbp, %rbx
- 
- 	mov	%r13, 48(%rsp)
- 	mov	%r14, 56(%rsp)
- 
- #fifth iteration
--	.byte	0xc4,0x62,0xc3,0xf6,0x9e,0x28,0x00,0x00,0x00	# mulx	40($inp), $out, %r11
-+	mulx	40($inp), $out, %r11
- 	adox	$out, %r8
- 	adcx	%r11, %r9
- 
-@@ -658,18 +666,19 @@
- 	mulx	56($inp), $out, %r11
- 	adox	$out, %r10
- 	adcx	%rbp, %r11
-+	 mulx	%rdx, %rax, $out
-+	 mov	40($inp), %rdx
- 	adox	%rbp, %r11
- 
--	mov	%r9, %rcx
--	shld	\$1, %r8, %r9
--	shld	\$1, %rbx, %r8
--
--	xor	%ebp, %ebp
--	mulx	%rdx, %rax, %rdx
-+	xor	%rcx, %rcx
-+	adcx	%rbx, %rax
-+	adox	%r15, %r15
-+	adcx	%rbp, $out
-+	adox	%r8, %r8
- 	adcx	%rax, %r15
--	adcx	%rdx, %r8
--	 mov	40($inp), %rdx
--	adcx	%rbp, %r9
-+	adox	%rbp, %rcx
-+	adcx	$out, %r8
-+	adcx	%rbp, %rcx
- 
- 	mov	%r15, 64(%rsp)
- 	mov	%r8, 72(%rsp)
-@@ -682,18 +691,19 @@
- 	.byte	0xc4,0x62,0xc3,0xf6,0xa6,0x38,0x00,0x00,0x00	# mulx	56($inp), $out, %r12
- 	adox	$out, %r11
- 	adcx	%rbp, %r12
-+	 mulx	%rdx, %rax, $out
- 	adox	%rbp, %r12
-+	 mov	48($inp), %rdx
- 
--	mov	%r11, %rbx
--	shld	\$1, %r10, %r11
--	shld	\$1, %rcx, %r10
--
--	xor	%ebp, %ebp
--	mulx	%rdx, %rax, %rdx
-+	xor	%rbx, %rbx
-+	adcx	%rcx, %rax
-+	adox	%r9, %r9
-+	adcx	%rbp, $out
-+	adox	%r10, %r10
- 	adcx	%rax, %r9
--	adcx	%rdx, %r10
--	 mov	48($inp), %rdx
--	adcx	%rbp, %r11
-+	adcx	$out, %r10
-+	adox	%rbp, %rbx
-+	adcx	%rbp, %rbx
- 
- 	mov	%r9, 80(%rsp)
- 	mov	%r10, 88(%rsp)
-@@ -703,31 +713,31 @@
- 	adox	%rax, %r12
- 	adox	%rbp, %r13
- 
--	xor	%r14, %r14
--	shld	\$1, %r13, %r14
--	shld	\$1, %r12, %r13
--	shld	\$1, %rbx, %r12
--
--	xor	%ebp, %ebp
--	mulx	%rdx, %rax, %rdx
--	adcx	%rax, %r11
--	adcx	%rdx, %r12
-+	mulx	%rdx, %rax, $out
-+	xor	%rcx, %rcx
- 	 mov	56($inp), %rdx
--	adcx	%rbp, %r13
-+	adcx	%rbx, %rax
-+	adox	%r11, %r11
-+	adcx	%rbp, $out
-+	adox	%r12, %r12
-+	adcx	%rax, %r11
-+	adox	%rbp, %rcx
-+	adcx	$out, %r12
-+	adcx	%rbp, %rcx
- 
- 	.byte	0x4c,0x89,0x9c,0x24,0x60,0x00,0x00,0x00		# mov	%r11, 96(%rsp)
- 	.byte	0x4c,0x89,0xa4,0x24,0x68,0x00,0x00,0x00		# mov	%r12, 104(%rsp)
- 
- #eighth iteration
- 	mulx	%rdx, %rax, %rdx
--	adox	%rax, %r13
--	adox	%rbp, %rdx
-+	xor	%rbx, %rbx
-+	adcx	%rcx, %rax
-+	adox	%r13, %r13
-+	adcx	%rbp, %rdx
-+	adox	%rbp, %rbx
-+	adcx	%r13, %rax
-+	adcx	%rdx, %rbx
- 
--	.byte	0x66
--	add	%rdx, %r14
--
--	movq	%r13, 112(%rsp)
--	movq	%r14, 120(%rsp)
- 	movq	%xmm0, $out
- 	movq	%xmm1, %rbp
- 
-@@ -741,6 +751,9 @@
- 	movq	48(%rsp), %r14
- 	movq	56(%rsp), %r15
- 
-+	movq	%rax, 112(%rsp)
-+	movq	%rbx, 120(%rsp)
-+
- 	call	__rsaz_512_reducex
- 
- 	addq	64(%rsp), %r8
diff --git a/meta/recipes-connectivity/openssl/openssl/reproducible.patch b/meta/recipes-connectivity/openssl/openssl/reproducible.patch
new file mode 100644
index 0000000000..a24260c95d
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/reproducible.patch
@@ -0,0 +1,32 @@
+The value for perl_archname can vary depending on the host, e.g. 
+x86_64-linux-gnu-thread-multi or x86_64-linux-thread-multi which
+makes the ptest package non-reproducible. Its unused other than 
+these references so drop it.
+
+RP 2020/2/6
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: openssl-1.1.1d/Configure
+===================================================================
+--- openssl-1.1.1d.orig/Configure
++++ openssl-1.1.1d/Configure
+@@ -286,7 +286,7 @@ if (defined env($local_config_envname))
+ # Save away perl command information
+ $config{perl_cmd} = $^X;
+ $config{perl_version} = $Config{version};
+-$config{perl_archname} = $Config{archname};
++#$config{perl_archname} = $Config{archname};
+ 
+ $config{prefix}="";
+ $config{openssldir}="";
+@@ -2517,7 +2517,7 @@ _____
+                           @{$config{perlargv}}), "\n";
+         print "\nPerl information:\n\n";
+         print '    ',$config{perl_cmd},"\n";
+-        print '    ',$config{perl_version},' for ',$config{perl_archname},"\n";
++        print '    ',$config{perl_version},"\n";
+     }
+     if ($dump || $options) {
+         my $longest = 0;
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1f.bb
index 458ae7daf4..aa4ef6f48a 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1f.bb
@@ -16,15 +16,14 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://0001-skip-test_symbol_presence.patch \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
-           file://CVE-2019-1551.patch \
+           file://reproducible.patch \
            "
 
 SRC_URI_append_class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[md5sum] = "3be209000dbc7e1b95bcdf47980a3baa"
-SRC_URI[sha256sum] = "1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2"
+SRC_URI[sha256sum] = "186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -33,7 +32,7 @@ PACKAGECONFIG ?= ""
 PACKAGECONFIG_class-native = ""
 PACKAGECONFIG_class-nativesdk = ""
 
-PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux"
+PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
 
 B = "${WORKDIR}/build"
 do_configure[cleandirs] = "${B}"
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch
new file mode 100644
index 0000000000..b7ba7ba643
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/0001-pppd-Fix-bounds-check-in-EAP-code.patch
@@ -0,0 +1,47 @@
+From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras <paulus@ozlabs.org>
+Date: Mon, 3 Feb 2020 15:53:28 +1100
+Subject: [PATCH] pppd: Fix bounds check in EAP code
+
+Given that we have just checked vallen < len, it can never be the case
+that vallen >= len + sizeof(rhostname).  This fixes the check so we
+actually avoid overflowing the rhostname array.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+
+Upstream-Status: Backport
+[https://github.com/paulusmack/ppp/commit/8d7970b8f3db727fe798b65f3377fe6787575426]
+
+CVE: CVE-2020-8597
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ pppd/eap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f5..1b93db0 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+ 		}
+ 
+ 		/* Not so likely to happen. */
+-		if (vallen >= len + sizeof (rhostname)) {
++		if (len - vallen >= sizeof (rhostname)) {
+ 			dbglog("EAP: trimming really long peer name down");
+ 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ 			rhostname[sizeof (rhostname) - 1] = '\0';
+@@ -1846,7 +1846,7 @@ int len;
+ 		}
+ 
+ 		/* Not so likely to happen. */
+-		if (vallen >= len + sizeof (rhostname)) {
++		if (len - vallen >= sizeof (rhostname)) {
+ 			dbglog("EAP: trimming really long peer name down");
+ 			BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ 			rhostname[sizeof (rhostname) - 1] = '\0';
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
index 644cde4562..60c56dd0bd 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
@@ -33,6 +33,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
            file://0001-pppoe-include-netinet-in.h-before-linux-in.h.patch \
            file://0001-ppp-Remove-unneeded-include.patch \
            file://ppp-2.4.7-DES-openssl.patch \
+           file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \
 "
 
 SRC_URI_append_libc-musl = "\
diff --git a/meta/recipes-core/busybox/busybox.inc b/meta/recipes-core/busybox/busybox.inc
index bf6ddae7d1..33c84bc2c1 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -431,6 +431,32 @@ fi
     d.prependVar('pkg_postinst_%s' % pkg, postinst)
 }
 
+pkg_postinst_${PN}_prepend () {
+        # Need path to saved utils, but they may have be removed on upgrade of busybox
+        # Only use shell to get paths. Also capture if busybox was saved.
+        BUSYBOX=""
+        if [ "x$D" = "x" ] ; then 
+           for busybox_rmdir in /tmp/busyboxrm-*; do
+               if [ "$busybox_rmdir" != '/tmp/busyboxrm-*' ] ; then
+                  export PATH=$busybox_rmdir:$PATH
+                  if [ -e $busybox_rmdir/busybox* ] ; then
+                    BUSYBOX="$busybox_rmdir/busybox*"
+                  fi
+               fi
+           done
+        fi
+}
+
+pkg_postinst_${PN}_append () {
+        # If busybox exists in the remove directory it is because it was the only shell left.
+        if [ "x$D" = "x" ] ; then
+           if [ "x$BUSYBOX" != "x" ] ; then
+              update-alternatives --remove sh $BUSYBOX
+              rm -f $BUSYBOX
+           fi
+        fi
+} 
+
 pkg_prerm_${PN} () {
 	# This is so you can make busybox commit suicide - removing busybox with no other packages
 	# providing its files, this will make update-alternatives work, but the update-rc.d part
@@ -451,9 +477,26 @@ pkg_prerm_${PN} () {
 	ln -s ${base_bindir}/busybox $tmpdir/grep
 	ln -s ${base_bindir}/busybox $tmpdir/tail
 	export PATH=$PATH:$tmpdir
+
+        # If busybox is the shell, we need to save it since its the lowest priority shell
+        # Register saved bitbake as the lowest priority shell possible as back up.
+        if [ -n "$(readlink -f /bin/sh | grep busybox)" ] ; then
+           BUSYBOX=$(readlink -f /bin/sh)
+           cp $BUSYBOX $tmpdir/$(basename $BUSYBOX)
+           update-alternatives --install /bin/sh sh $tmpdir/$(basename $BUSYBOX) 1 
+        fi
 }
 
 pkg_postrm_${PN} () {
+        # Add path to remove dir in case we removed our only grep
+        if [ "x$D" = "x" ] ; then
+           for busybox_rmdir in /tmp/busyboxrm-*; do
+               if [ "$busybox_rmdir" != '/tmp/busyboxrm-*' ] ; then
+                  export PATH=$busybox_rmdir:$PATH
+               fi
+           done
+        fi
+
 	if grep -q "^${base_bindir}/bash$" $D${sysconfdir}/busybox.links* && [ ! -e $D${base_bindir}/bash ]; then
 		printf "$(grep -v "^${base_bindir}/bash$" $D${sysconfdir}/shells)\n" > $D${sysconfdir}/shells
 	fi
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2020-6750.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2020-6750.patch
new file mode 100644
index 0000000000..6db3934978
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2020-6750.patch
@@ -0,0 +1,741 @@
+From 747f2c646f5a86ac58ad59be08036e81388e971d Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <tingping@tingping.se>
+Date: Thu, 23 Jan 2020 19:58:41 -0800
+Subject: [PATCH] Refactor g_socket_client_connect_async()
+
+This is a fairly large refactoring. The highlights are:
+
+- Removing in-progress connections/addresses from GSocketClientAsyncConnectData:
+
+  This caused issues where multiple ConnectionAttempt's would step over eachother
+  and modify shared state causing bugs like accidentally bypassing a set proxy.
+
+  Fixes #1871
+  Fixes #1989
+  Fixes #1902
+
+- Cancelling address enumeration on error/completion
+
+- Queuing successful TCP connections and doing application layer work serially:
+
+  This is more in the spirit of Happy Eyeballs but it also greatly simplifies
+  the flow of connection handling so fewer tasks are happening in parallel
+  when they don't need to be.
+
+  The behavior also should more closely match that of g_socket_client_connect().
+
+- Better track the state of address enumeration:
+
+  Previously we were over eager to treat enumeration finishing as an error.
+
+  Fixes #1872
+  See also #1982
+
+- Add more detailed documentation and logging.
+
+Closes #1995
+
+CVE: CVE-2020-6750
+
+Upstream-Status: Backport [ https://gitlab.gnome.org/GNOME/glib.git;
+commit=2722620e3291b930a3a228100d7c0e07b69534e3 ]
+
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ gio/gsocketclient.c | 459 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 296 insertions(+), 163 deletions(-)
+
+diff --git a/gio/gsocketclient.c b/gio/gsocketclient.c
+index 81767c0..b1d5f6c 100644
+--- a/gio/gsocketclient.c
++++ b/gio/gsocketclient.c
+@@ -1332,13 +1332,15 @@ typedef struct
+ 
+   GSocketConnectable *connectable;
+   GSocketAddressEnumerator *enumerator;
+-  GProxyAddress *proxy_addr;
+-  GSocket *socket;
+-  GIOStream *connection;
++  GCancellable *enumeration_cancellable;
+ 
+   GSList *connection_attempts;
++  GSList *successful_connections;
+   GError *last_error;
+ 
++  gboolean enumerated_at_least_once;
++  gboolean enumeration_completed;
++  gboolean connection_in_progress;
+   gboolean completed;
+ } GSocketClientAsyncConnectData;
+ 
+@@ -1350,10 +1352,9 @@ g_socket_client_async_connect_data_free (GSocketClientAsyncConnectData *data)
+   data->task = NULL;
+   g_clear_object (&data->connectable);
+   g_clear_object (&data->enumerator);
+-  g_clear_object (&data->proxy_addr);
+-  g_clear_object (&data->socket);
+-  g_clear_object (&data->connection);
++  g_clear_object (&data->enumeration_cancellable);
+   g_slist_free_full (data->connection_attempts, connection_attempt_unref);
++  g_slist_free_full (data->successful_connections, connection_attempt_unref);
+ 
+   g_clear_error (&data->last_error);
+ 
+@@ -1365,6 +1366,7 @@ typedef struct
+   GSocketAddress *address;
+   GSocket *socket;
+   GIOStream *connection;
++  GProxyAddress *proxy_addr;
+   GSocketClientAsyncConnectData *data; /* unowned */
+   GSource *timeout_source;
+   GCancellable *cancellable;
+@@ -1396,6 +1398,7 @@ connection_attempt_unref (gpointer pointer)
+       g_clear_object (&attempt->socket);
+       g_clear_object (&attempt->connection);
+       g_clear_object (&attempt->cancellable);
++      g_clear_object (&attempt->proxy_addr);
+       if (attempt->timeout_source)
+         {
+           g_source_destroy (attempt->timeout_source);
+@@ -1413,37 +1416,59 @@ connection_attempt_remove (ConnectionAttempt *attempt)
+ }
+ 
+ static void
+-g_socket_client_async_connect_complete (GSocketClientAsyncConnectData *data)
++cancel_all_attempts (GSocketClientAsyncConnectData *data)
+ {
+-  g_assert (data->connection);
++  GSList *l;
+ 
+-  if (!G_IS_SOCKET_CONNECTION (data->connection))
++  for (l = data->connection_attempts; l; l = g_slist_next (l))
+     {
+-      GSocketConnection *wrapper_connection;
+-
+-      wrapper_connection = g_tcp_wrapper_connection_new (data->connection, data->socket);
+-      g_object_unref (data->connection);
+-      data->connection = (GIOStream *)wrapper_connection;
++      ConnectionAttempt *attempt_entry = l->data;
++      g_cancellable_cancel (attempt_entry->cancellable);
++      connection_attempt_unref (attempt_entry);
+     }
++  g_slist_free (data->connection_attempts);
++  data->connection_attempts = NULL;
+ 
+-  if (!data->completed)
++  g_slist_free_full (data->successful_connections, connection_attempt_unref);
++  data->successful_connections = NULL;
++
++  g_cancellable_cancel (data->enumeration_cancellable);
++}
++
++static void
++g_socket_client_async_connect_complete (ConnectionAttempt *attempt)
++{
++  GSocketClientAsyncConnectData *data = attempt->data;
++  GError *error = NULL;
++  g_assert (attempt->connection);
++  g_assert (!data->completed);
++
++  if (!G_IS_SOCKET_CONNECTION (attempt->connection))
+     {
+-      GError *error = NULL;
++      GSocketConnection *wrapper_connection;
+ 
+-      if (g_cancellable_set_error_if_cancelled (g_task_get_cancellable (data->task), &error))
+-        {
+-          g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_COMPLETE, data->connectable, NULL);
+-          g_task_return_error (data->task, g_steal_pointer (&error));
+-        }
+-      else
+-        {
+-          g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_COMPLETE, data->connectable, data->connection);
+-          g_task_return_pointer (data->task, g_steal_pointer (&data->connection), g_object_unref);
+-        }
++      wrapper_connection = g_tcp_wrapper_connection_new (attempt->connection, attempt->socket);
++      g_object_unref (attempt->connection);
++      attempt->connection = (GIOStream *)wrapper_connection;
++    }
+ 
+-      data->completed = TRUE;
++  data->completed = TRUE;
++  cancel_all_attempts (data);
++
++  if (g_cancellable_set_error_if_cancelled (g_task_get_cancellable (data->task), &error))
++    {
++      g_debug ("GSocketClient: Connection cancelled!");
++      g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_COMPLETE, data->connectable, NULL);
++      g_task_return_error (data->task, g_steal_pointer (&error));
++    }
++  else
++    {
++      g_debug ("GSocketClient: Connection successful!");
++      g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_COMPLETE, data->connectable, attempt->connection);
++      g_task_return_pointer (data->task, g_steal_pointer (&attempt->connection), g_object_unref);
+     }
+ 
++  connection_attempt_unref (attempt);
+   g_object_unref (data->task);
+ }
+ 
+@@ -1465,59 +1490,63 @@ static void
+ enumerator_next_async (GSocketClientAsyncConnectData *data,
+                        gboolean                       add_task_ref)
+ {
+-  /* We need to cleanup the state */
+-  g_clear_object (&data->socket);
+-  g_clear_object (&data->proxy_addr);
+-  g_clear_object (&data->connection);
+-
+   /* Each enumeration takes a ref. This arg just avoids repeated unrefs when
+      an enumeration starts another enumeration */
+   if (add_task_ref)
+     g_object_ref (data->task);
+ 
+   g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_RESOLVING, data->connectable, NULL);
++  g_debug ("GSocketClient: Starting new address enumeration");
+   g_socket_address_enumerator_next_async (data->enumerator,
+-					  g_task_get_cancellable (data->task),
++					  data->enumeration_cancellable,
+ 					  g_socket_client_enumerator_callback,
+ 					  data);
+ }
+ 
++static void try_next_connection_or_finish (GSocketClientAsyncConnectData *, gboolean);
++
+ static void
+ g_socket_client_tls_handshake_callback (GObject      *object,
+ 					GAsyncResult *result,
+ 					gpointer      user_data)
+ {
+-  GSocketClientAsyncConnectData *data = user_data;
++  ConnectionAttempt *attempt = user_data;
++  GSocketClientAsyncConnectData *data = attempt->data;
+ 
+   if (g_tls_connection_handshake_finish (G_TLS_CONNECTION (object),
+ 					 result,
+ 					 &data->last_error))
+     {
+-      g_object_unref (data->connection);
+-      data->connection = G_IO_STREAM (object);
++      g_object_unref (attempt->connection);
++      attempt->connection = G_IO_STREAM (object);
+ 
+-      g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_TLS_HANDSHAKED, data->connectable, data->connection);
+-      g_socket_client_async_connect_complete (data);
++      g_debug ("GSocketClient: TLS handshake succeeded");
++      g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_TLS_HANDSHAKED, data->connectable, attempt->connection);
++      g_socket_client_async_connect_complete (attempt);
+     }
+   else
+     {
+       g_object_unref (object);
+-      enumerator_next_async (data, FALSE);
++      connection_attempt_unref (attempt);
++      g_debug ("GSocketClient: TLS handshake failed: %s", data->last_error->message);
++      try_next_connection_or_finish (data, TRUE);
+     }
+ }
+ 
+ static void
+-g_socket_client_tls_handshake (GSocketClientAsyncConnectData *data)
++g_socket_client_tls_handshake (ConnectionAttempt *attempt)
+ {
++  GSocketClientAsyncConnectData *data = attempt->data;
+   GIOStream *tlsconn;
+ 
+   if (!data->client->priv->tls)
+     {
+-      g_socket_client_async_connect_complete (data);
++      g_socket_client_async_connect_complete (attempt);
+       return;
+     }
+ 
+-  tlsconn = g_tls_client_connection_new (data->connection,
++  g_debug ("GSocketClient: Starting TLS handshake");
++  tlsconn = g_tls_client_connection_new (attempt->connection,
+ 					 data->connectable,
+ 					 &data->last_error);
+   if (tlsconn)
+@@ -1529,11 +1558,12 @@ g_socket_client_tls_handshake (GSocketClientAsyncConnectData *data)
+ 					G_PRIORITY_DEFAULT,
+ 					g_task_get_cancellable (data->task),
+ 					g_socket_client_tls_handshake_callback,
+-					data);
++					attempt);
+     }
+   else
+     {
+-      enumerator_next_async (data, FALSE);
++      connection_attempt_unref (attempt);
++      try_next_connection_or_finish (data, TRUE);
+     }
+ }
+ 
+@@ -1542,23 +1572,38 @@ g_socket_client_proxy_connect_callback (GObject      *object,
+ 					GAsyncResult *result,
+ 					gpointer      user_data)
+ {
+-  GSocketClientAsyncConnectData *data = user_data;
++  ConnectionAttempt *attempt = user_data;
++  GSocketClientAsyncConnectData *data = attempt->data;
+ 
+-  g_object_unref (data->connection);
+-  data->connection = g_proxy_connect_finish (G_PROXY (object),
+-					     result,
+-					     &data->last_error);
+-  if (data->connection)
++  g_object_unref (attempt->connection);
++  attempt->connection = g_proxy_connect_finish (G_PROXY (object),
++                                                result,
++                                                &data->last_error);
++  if (attempt->connection)
+     {
+-      g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_PROXY_NEGOTIATED, data->connectable, data->connection);
++      g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_PROXY_NEGOTIATED, data->connectable, attempt->connection);
+     }
+   else
+     {
+-      enumerator_next_async (data, FALSE);
++      connection_attempt_unref (attempt);
++      try_next_connection_or_finish (data, TRUE);
+       return;
+     }
+ 
+-  g_socket_client_tls_handshake (data);
++  g_socket_client_tls_handshake (attempt);
++}
++
++static void
++complete_connection_with_error (GSocketClientAsyncConnectData *data,
++                                GError                        *error)
++{
++  g_debug ("GSocketClient: Connection failed: %s", error->message);
++  g_assert (!data->completed);
++
++  g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_COMPLETE, data->connectable, NULL);
++  data->completed = TRUE;
++  cancel_all_attempts (data);
++  g_task_return_error (data->task, error);
+ }
+ 
+ static gboolean
+@@ -1572,15 +1617,114 @@ task_completed_or_cancelled (GSocketClientAsyncConnectData *data)
+     return TRUE;
+   else if (g_cancellable_set_error_if_cancelled (cancellable, &error))
+     {
+-      g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_COMPLETE, data->connectable, NULL);
+-      g_task_return_error (task, g_steal_pointer (&error));
+-      data->completed = TRUE;
++      complete_connection_with_error (data, g_steal_pointer (&error));
+       return TRUE;
+     }
+   else
+     return FALSE;
+ }
+ 
++static gboolean
++try_next_successful_connection (GSocketClientAsyncConnectData *data)
++{
++  ConnectionAttempt *attempt;
++  const gchar *protocol;
++  GProxy *proxy;
++
++  if (data->connection_in_progress)
++    return FALSE;
++
++  g_assert (data->successful_connections != NULL);
++  attempt = data->successful_connections->data;
++  g_assert (attempt != NULL);
++  data->successful_connections = g_slist_remove (data->successful_connections, attempt);
++  data->connection_in_progress = TRUE;
++
++  g_debug ("GSocketClient: Starting application layer connection");
++
++  if (!attempt->proxy_addr)
++    {
++      g_socket_client_tls_handshake (g_steal_pointer (&attempt));
++      return TRUE;
++    }
++
++  protocol = g_proxy_address_get_protocol (attempt->proxy_addr);
++
++  /* The connection should not be anything other than TCP,
++   * but let's put a safety guard in case
++   */
++  if (!G_IS_TCP_CONNECTION (attempt->connection))
++    {
++      g_critical ("Trying to proxy over non-TCP connection, this is "
++          "most likely a bug in GLib IO library.");
++
++      g_set_error_literal (&data->last_error,
++          G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
++          _("Proxying over a non-TCP connection is not supported."));
++    }
++  else if (g_hash_table_contains (data->client->priv->app_proxies, protocol))
++    {
++      /* Simply complete the connection, we don't want to do TLS handshake
++       * as the application proxy handling may need proxy handshake first */
++      g_socket_client_async_connect_complete (g_steal_pointer (&attempt));
++      return TRUE;
++    }
++  else if ((proxy = g_proxy_get_default_for_protocol (protocol)))
++    {
++      GIOStream *connection = attempt->connection;
++      GProxyAddress *proxy_addr = attempt->proxy_addr;
++
++      g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_PROXY_NEGOTIATING, data->connectable, attempt->connection);
++      g_debug ("GSocketClient: Starting proxy connection");
++      g_proxy_connect_async (proxy,
++                             connection,
++                             proxy_addr,
++                             g_task_get_cancellable (data->task),
++                             g_socket_client_proxy_connect_callback,
++                             g_steal_pointer (&attempt));
++      g_object_unref (proxy);
++      return TRUE;
++    }
++  else
++    {
++      g_clear_error (&data->last_error);
++
++      g_set_error (&data->last_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
++          _("Proxy protocol “%s” is not supported."),
++          protocol);
++    }
++
++  data->connection_in_progress = FALSE;
++  g_clear_pointer (&attempt, connection_attempt_unref);
++  return FALSE; /* All non-return paths are failures */
++}
++
++static void
++try_next_connection_or_finish (GSocketClientAsyncConnectData *data,
++                               gboolean                       end_current_connection)
++{
++  if (end_current_connection)
++    data->connection_in_progress = FALSE;
++
++  if (data->connection_in_progress)
++    return;
++
++  /* Keep trying successful connections until one works, each iteration pops one */
++  while (data->successful_connections)
++    {
++      if (try_next_successful_connection (data))
++        return;
++    }
++
++  if (!data->enumeration_completed)
++    {
++      enumerator_next_async (data, FALSE);
++      return;
++    }
++
++  complete_connection_with_error (data, data->last_error);
++}
++
+ static void
+ g_socket_client_connected_callback (GObject      *source,
+ 				    GAsyncResult *result,
+@@ -1588,10 +1732,7 @@ g_socket_client_connected_callback (GObject      *source,
+ {
+   ConnectionAttempt *attempt = user_data;
+   GSocketClientAsyncConnectData *data = attempt->data;
+-  GSList *l;
+   GError *error = NULL;
+-  GProxy *proxy;
+-  const gchar *protocol;
+ 
+   if (task_completed_or_cancelled (data) || g_cancellable_is_cancelled (attempt->cancellable))
+     {
+@@ -1613,11 +1754,12 @@ g_socket_client_connected_callback (GObject      *source,
+         {
+           clarify_connect_error (error, data->connectable, attempt->address);
+           set_last_error (data, error);
++          g_debug ("GSocketClient: Connection attempt failed: %s", error->message);
+           connection_attempt_remove (attempt);
+-          enumerator_next_async (data, FALSE);
+           connection_attempt_unref (attempt);
++          try_next_connection_or_finish (data, FALSE);
+         }
+-      else
++      else /* Silently ignore cancelled attempts */
+         {
+           g_clear_error (&error);
+           g_object_unref (data->task);
+@@ -1627,74 +1769,21 @@ g_socket_client_connected_callback (GObject      *source,
+       return;
+     }
+ 
+-  data->socket = g_steal_pointer (&attempt->socket);
+-  data->connection = g_steal_pointer (&attempt->connection);
+-
+-  for (l = data->connection_attempts; l; l = g_slist_next (l))
+-    {
+-      ConnectionAttempt *attempt_entry = l->data;
+-      g_cancellable_cancel (attempt_entry->cancellable);
+-      connection_attempt_unref (attempt_entry);
+-    }
+-  g_slist_free (data->connection_attempts);
+-  data->connection_attempts = NULL;
+-  connection_attempt_unref (attempt);
+-
+-  g_socket_connection_set_cached_remote_address ((GSocketConnection*)data->connection, NULL);
+-  g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_CONNECTED, data->connectable, data->connection);
++  g_socket_connection_set_cached_remote_address ((GSocketConnection*)attempt->connection, NULL);
++  g_debug ("GSocketClient: TCP connection successful");
++  g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_CONNECTED, data->connectable, attempt->connection);
+ 
+   /* wrong, but backward compatible */
+-  g_socket_set_blocking (data->socket, TRUE);
++  g_socket_set_blocking (attempt->socket, TRUE);
+ 
+-  if (!data->proxy_addr)
+-    {
+-      g_socket_client_tls_handshake (data);
+-      return;
+-    }
+-
+-  protocol = g_proxy_address_get_protocol (data->proxy_addr);
+-
+-  /* The connection should not be anything other than TCP,
+-   * but let's put a safety guard in case
++  /* This ends the parallel "happy eyeballs" portion of connecting.
++     Now that we have a successful tcp connection we will attempt to connect
++     at the TLS/Proxy layer. If those layers fail we will move on to the next
++     connection.
+    */
+-  if (!G_IS_TCP_CONNECTION (data->connection))
+-    {
+-      g_critical ("Trying to proxy over non-TCP connection, this is "
+-          "most likely a bug in GLib IO library.");
+-
+-      g_set_error_literal (&data->last_error,
+-          G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
+-          _("Proxying over a non-TCP connection is not supported."));
+-
+-      enumerator_next_async (data, FALSE);
+-    }
+-  else if (g_hash_table_contains (data->client->priv->app_proxies, protocol))
+-    {
+-      /* Simply complete the connection, we don't want to do TLS handshake
+-       * as the application proxy handling may need proxy handshake first */
+-      g_socket_client_async_connect_complete (data);
+-    }
+-  else if ((proxy = g_proxy_get_default_for_protocol (protocol)))
+-    {
+-      g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_PROXY_NEGOTIATING, data->connectable, data->connection);
+-      g_proxy_connect_async (proxy,
+-                             data->connection,
+-                             data->proxy_addr,
+-                             g_task_get_cancellable (data->task),
+-                             g_socket_client_proxy_connect_callback,
+-                             data);
+-      g_object_unref (proxy);
+-    }
+-  else
+-    {
+-      g_clear_error (&data->last_error);
+-
+-      g_set_error (&data->last_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED,
+-          _("Proxy protocol “%s” is not supported."),
+-          protocol);
+-
+-      enumerator_next_async (data, FALSE);
+-    }
++  connection_attempt_remove (attempt);
++  data->successful_connections = g_slist_append (data->successful_connections, g_steal_pointer (&attempt));
++  try_next_connection_or_finish (data, FALSE);
+ }
+ 
+ static gboolean
+@@ -1702,7 +1791,11 @@ on_connection_attempt_timeout (gpointer data)
+ {
+   ConnectionAttempt *attempt = data;
+ 
+-  enumerator_next_async (attempt->data, TRUE);
++  if (!attempt->data->enumeration_completed)
++    {
++      g_debug ("GSocketClient: Timeout reached, trying another enumeration");
++      enumerator_next_async (attempt->data, TRUE);
++    }
+ 
+   g_clear_pointer (&attempt->timeout_source, g_source_unref);
+   return G_SOURCE_REMOVE;
+@@ -1712,9 +1805,9 @@ static void
+ on_connection_cancelled (GCancellable *cancellable,
+                          gpointer      data)
+ {
+-  GCancellable *attempt_cancellable = data;
++  GCancellable *linked_cancellable = G_CANCELLABLE (data);
+ 
+-  g_cancellable_cancel (attempt_cancellable);
++  g_cancellable_cancel (linked_cancellable);
+ }
+ 
+ static void
+@@ -1738,39 +1831,49 @@ g_socket_client_enumerator_callback (GObject      *object,
+ 						     result, &error);
+   if (address == NULL)
+     {
+-      if (data->connection_attempts)
++      if (G_UNLIKELY (data->enumeration_completed))
++        return;
++
++      data->enumeration_completed = TRUE;
++      g_debug ("GSocketClient: Address enumeration completed (out of addresses)");
++
++      /* As per API docs: We only care about error if its the first call,
++         after that the enumerator is done.
++
++         Note that we don't care about cancellation errors because
++         task_completed_or_cancelled() above should handle that.
++
++         If this fails and nothing is in progress then we will complete task here.
++       */
++      if ((data->enumerated_at_least_once && !data->connection_attempts && !data->connection_in_progress) ||
++          !data->enumerated_at_least_once)
+         {
+-          g_object_unref (data->task);
+-          return;
++          g_debug ("GSocketClient: Address enumeration failed: %s", error ? error->message : NULL);
++          if (data->last_error)
++            {
++              g_clear_error (&error);
++              error = data->last_error;
++              data->last_error = NULL;
++            }
++          else if (!error)
++            {
++              g_set_error_literal (&error, G_IO_ERROR, G_IO_ERROR_FAILED,
++                _("Unknown error on connect"));
++            }
++
++          complete_connection_with_error (data, error);
+         }
+ 
+-      g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_COMPLETE, data->connectable, NULL);
+-      data->completed = TRUE;
+-      if (!error)
+-	{
+-	  if (data->last_error)
+-	    {
+-	      error = data->last_error;
+-	      data->last_error = NULL;
+-	    }
+-	  else
+-	    {
+-	      g_set_error_literal (&error, G_IO_ERROR, G_IO_ERROR_FAILED,
+-				   _("Unknown error on connect"));
+-	    }
+-	}
+-      g_task_return_error (data->task, error);
++      /* Enumeration should never trigger again, drop our ref */
+       g_object_unref (data->task);
+       return;
+     }
+ 
++  data->enumerated_at_least_once = TRUE;
++  g_debug ("GSocketClient: Address enumeration succeeded");
+   g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_RESOLVED,
+ 			      data->connectable, NULL);
+ 
+-  if (G_IS_PROXY_ADDRESS (address) &&
+-      data->client->priv->enable_proxy)
+-    data->proxy_addr = g_object_ref (G_PROXY_ADDRESS (address));
+-
+   g_clear_error (&data->last_error);
+ 
+   socket = create_socket (data->client, address, &data->last_error);
+@@ -1788,6 +1891,10 @@ g_socket_client_enumerator_callback (GObject      *object,
+   attempt->cancellable = g_cancellable_new ();
+   attempt->connection = (GIOStream *)g_socket_connection_factory_create_connection (socket);
+   attempt->timeout_source = g_timeout_source_new (HAPPY_EYEBALLS_CONNECTION_ATTEMPT_TIMEOUT_MS);
++
++  if (G_IS_PROXY_ADDRESS (address) && data->client->priv->enable_proxy)
++    attempt->proxy_addr = g_object_ref (G_PROXY_ADDRESS (address));
++
+   g_source_set_callback (attempt->timeout_source, on_connection_attempt_timeout, attempt, NULL);
+   g_source_attach (attempt->timeout_source, g_main_context_get_thread_default ());
+   data->connection_attempts = g_slist_append (data->connection_attempts, attempt);
+@@ -1797,6 +1904,7 @@ g_socket_client_enumerator_callback (GObject      *object,
+                            g_object_ref (attempt->cancellable), g_object_unref);
+ 
+   g_socket_connection_set_cached_remote_address ((GSocketConnection *)attempt->connection, address);
++  g_debug ("GSocketClient: Starting TCP connection attempt");
+   g_socket_client_emit_event (data->client, G_SOCKET_CLIENT_CONNECTING, data->connectable, attempt->connection);
+   g_socket_connection_connect_async (G_SOCKET_CONNECTION (attempt->connection),
+ 				     address,
+@@ -1849,24 +1957,48 @@ g_socket_client_connect_async (GSocketClient       *client,
+   else
+     data->enumerator = g_socket_connectable_enumerate (connectable);
+ 
+-  /* The flow and ownership here isn't quite obvious:
+-    - The task starts an async attempt to connect.
+-      - Each attempt holds a single ref on task.
+-      - Each attempt may create new attempts by timing out (not a failure) so
+-        there are multiple attempts happening in parallel.
+-      - Upon failure an attempt will start a new attempt that steals its ref
+-        until there are no more attempts left and it drops its ref.
+-      - Upon success it will cancel all other attempts and continue on
+-        to the rest of the connection (tls, proxies, etc) which do not
+-        happen in parallel and at the very end drop its ref.
+-      - Upon cancellation an attempt drops its ref.
+-   */
++  /* This function tries to match the behavior of g_socket_client_connect ()
++     which is simple enough but much of it is done in parallel to be as responsive
++     as possible as per Happy Eyeballs (RFC 8305). This complicates flow quite a
++     bit but we can describe it in 3 sections:
++
++     Firstly we have address enumeration (DNS):
++       - This may be triggered multiple times by enumerator_next_async().
++       - It also has its own cancellable (data->enumeration_cancellable).
++       - Enumeration is done lazily because GNetworkAddressAddressEnumerator
++         also does work in parallel and may lazily add new addresses.
++       - If the first enumeration errors then the task errors. Otherwise all enumerations
++         will potentially be used (until task or enumeration is cancelled).
++
++      Then we start attempting connections (TCP):
++        - Each connection is independent and kept in a ConnectionAttempt object.
++          - They each hold a ref on the main task and have their own cancellable.
++        - Multiple attempts may happen in parallel as per Happy Eyeballs.
++        - Upon failure or timeouts more connection attempts are made.
++          - If no connections succeed the task errors.
++        - Upon success they are kept in a list of successful connections.
++
++      Lastly we connect at the application layer (TLS, Proxies):
++        - These are done in serial.
++          - The reasoning here is that Happy Eyeballs is about making bad connections responsive
++            at the IP/TCP layers. Issues at the application layer are generally not due to
++            connectivity issues but rather misconfiguration.
++        - Upon failure it will try the next TCP connection until it runs out and
++          the task errors.
++        - Upon success it cancels everything remaining (enumeration and connections)
++          and returns the connection.
++  */
+ 
+   data->task = g_task_new (client, cancellable, callback, user_data);
+   g_task_set_check_cancellable (data->task, FALSE); /* We handle this manually */
+   g_task_set_source_tag (data->task, g_socket_client_connect_async);
+   g_task_set_task_data (data->task, data, (GDestroyNotify)g_socket_client_async_connect_data_free);
+ 
++  data->enumeration_cancellable = g_cancellable_new ();
++  if (cancellable)
++    g_cancellable_connect (cancellable, G_CALLBACK (on_connection_cancelled),
++                           g_object_ref (data->enumeration_cancellable), g_object_unref);
++
+   enumerator_next_async (data, FALSE);
+ }
+ 
+@@ -1985,6 +2117,7 @@ g_socket_client_connect_to_uri_async (GSocketClient        *client,
+     }
+   else
+     {
++      g_debug("g_socket_client_connect_to_uri_async");
+       g_socket_client_connect_async (client,
+ 				     connectable, cancellable,
+ 				     callback, user_data);
+-- 
+2.23.0
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.60.7.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.60.7.bb
index 5aefa6ad8b..5be81a8f31 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.60.7.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.60.7.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
            file://0001-Do-not-write-bindir-into-pkg-config-files.patch \
            file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \
            file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \
+           file://CVE-2020-6750.patch \
            "
 
 SRC_URI_append_class-native = " file://relocate-modules.patch"
diff --git a/meta/recipes-core/glibc/glibc-testsuite_2.30.bb b/meta/recipes-core/glibc/glibc-testsuite_2.30.bb
index 657fd4dbc1..d887aeff79 100644
--- a/meta/recipes-core/glibc/glibc-testsuite_2.30.bb
+++ b/meta/recipes-core/glibc/glibc-testsuite_2.30.bb
@@ -1,5 +1,7 @@
 require glibc_${PV}.bb
 
+EXCLUDE_FROM_WORLD = "1"
+
 # handle PN differences
 FILESEXTRAPATHS_prepend := "${THISDIR}/glibc:"
 
@@ -58,3 +60,4 @@ addtask do_check after do_compile
 
 inherit nopackages
 deltask do_stash_locale
+deltask do_install
diff --git a/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
new file mode 100644
index 0000000000..606b691bcf
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2020-10029.patch
@@ -0,0 +1,128 @@
+From ce265ec5bc25ec35fba53807abac1b0c8469895e Mon Sep 17 00:00:00 2001
+From: Joseph Myers <joseph@codesourcery.com>
+Date: Wed, 12 Feb 2020 23:31:56 +0000
+Subject: [PATCH] Avoid ldbl-96 stack corruption from range reduction of
+
+ pseudo-zero (bug 25487).
+
+Bug 25487 reports stack corruption in ldbl-96 sinl on a pseudo-zero
+argument (an representation where all the significand bits, including
+the explicit high bit, are zero, but the exponent is not zero, which
+is not a valid representation for the long double type).
+
+Although this is not a valid long double representation, existing
+practice in this area (see bug 4586, originally marked invalid but
+subsequently fixed) is that we still seek to avoid invalid memory
+accesses as a result, in case of programs that treat arbitrary binary
+data as long double representations, although the invalid
+representations of the ldbl-96 format do not need to be consistently
+handled the same as any particular valid representation.
+
+This patch makes the range reduction detect pseudo-zero and unnormal
+representations that would otherwise go to __kernel_rem_pio2, and
+returns a NaN for them instead of continuing with the range reduction
+process.  (Pseudo-zero and unnormal representations whose unbiased
+exponent is less than -1 have already been safely returned from the
+function before this point without going through the rest of range
+reduction.)  Pseudo-zero representations would previously result in
+the value passed to __kernel_rem_pio2 being all-zero, which is
+definitely unsafe; unnormal representations would previously result in
+a value passed whose high bit is zero, which might well be unsafe
+since that is not a form of input expected by __kernel_rem_pio2.
+
+Tested for x86_64.
+
+CVE: CVE-2020-10029
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;
+a=patch;h=9333498794cde1d5cca518badf79533a24114b6f]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+
+---
+ sysdeps/ieee754/ldbl-96/Makefile           |  3 ++-
+ sysdeps/ieee754/ldbl-96/e_rem_pio2l.c      | 12 +++++++++
+ sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c | 41 ++++++++++++++++++++++++++++++
+ 3 files changed, 55 insertions(+), 1 deletion(-)
+ create mode 100644 sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+
+diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile
+index b103254..052c1c7 100644
+--- a/sysdeps/ieee754/ldbl-96/Makefile
++++ b/sysdeps/ieee754/ldbl-96/Makefile
+@@ -17,5 +17,6 @@
+ # <http://www.gnu.org/licenses/>.
+ 
+ ifeq ($(subdir),math)
+-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96
++tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo
++CFLAGS-test-sinl-pseudo.c += -fstack-protector-all
+ endif
+diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+index 805de22..1aeccb4 100644
+--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
++++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y)
+       return 0;
+     }
+ 
++  if ((i0 & 0x80000000) == 0)
++    {
++      /* Pseudo-zero and unnormal representations are not valid
++	 representations of long double.  We need to avoid stack
++	 corruption in __kernel_rem_pio2, which expects input in a
++	 particular normal form, but those representations do not need
++	 to be consistently handled like any particular floating-point
++	 value.  */
++      y[1] = y[0] = __builtin_nanl ("");
++      return 0;
++    }
++
+   /* Split the 64 bits of the mantissa into three 24-bit integers
+      stored in a double array.  */
+   exp = j0 - 23;
+diff --git a/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+new file mode 100644
+index 0000000..f59b977
+--- /dev/null
++++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+@@ -0,0 +1,41 @@
++/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487).
++   Copyright (C) 2020 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <math.h>
++#include <math_ldbl.h>
++#include <stdint.h>
++
++static int
++do_test (void)
++{
++  for (int i = 0; i < 64; i++)
++    {
++      uint64_t sig = i == 63 ? 0 : 1ULL << i;
++      long double ld;
++      SET_LDOUBLE_WORDS (ld, 0x4141,
++			 sig >> 32, sig & 0xffffffffULL);
++      /* The requirement is that no stack overflow occurs when the
++	 pseudo-zero or unnormal goes through range reduction.  */
++      volatile long double ldr;
++      ldr = sinl (ld);
++      (void) ldr;
++    }
++  return 0;
++}
++
++#include <support/test-driver.c>
diff --git a/meta/recipes-core/glibc/glibc_2.30.bb b/meta/recipes-core/glibc/glibc_2.30.bb
index 7913bc2812..c9e44a396d 100644
--- a/meta/recipes-core/glibc/glibc_2.30.bb
+++ b/meta/recipes-core/glibc/glibc_2.30.bb
@@ -42,6 +42,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0027-inject-file-assembly-directives.patch \
            file://0028-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
            file://CVE-2019-19126.patch \
+           file://CVE-2020-10029.patch \
            "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index 6c9049f9ff..0c57d2a9f9 100644
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk"
 
 inherit core-image module-base setuptools3
 
-SRCREV ?= "cf0cefd53c5d4f72e26c74571a10e098996a1ff2"
+SRCREV ?= "65d341daaf1edf7241b0ea518ef9beb4328f16e9"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=zeus \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \
diff --git a/meta/recipes-core/kbd/kbd/0001-configure.ac-Fix-logic-of-vlock-configure-switch.patch b/meta/recipes-core/kbd/kbd/0001-configure.ac-Fix-logic-of-vlock-configure-switch.patch
new file mode 100644
index 0000000000..c3f068f61b
--- /dev/null
+++ b/meta/recipes-core/kbd/kbd/0001-configure.ac-Fix-logic-of-vlock-configure-switch.patch
@@ -0,0 +1,31 @@
+From f7f357ef079b6d185f340e716d7c72a98d82bad0 Mon Sep 17 00:00:00 2001
+From: Garry Filakhtov <filakhtov@gmail.com>
+Date: Fri, 20 Jul 2018 15:58:56 +0200
+Subject: [PATCH] configure.ac: Fix logic of vlock configure switch
+
+Downstream bug report: https://bugs.gentoo.org/661650
+
+Upstream-Status: Backport [f7f357ef079b6d185f340e716d7c72a98d82bad0]
+
+Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
+Signed-off-by: De Huo <de.huo@windriver.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 87eb63c..07098cf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -119,7 +119,7 @@ AM_CONDITIONAL(BUILD_LIBKEYMAP, test "$BUILD_LIBKEYMAP" = "yes")
+ 
+ AC_ARG_ENABLE(vlock,
+ 	AS_HELP_STRING(--disable-vlock, [do not build vlock]),
+-	[VLOCK_PROG=no],[VLOCK_PROG=yes])
++	[VLOCK_PROG=$enableval],[VLOCK_PROG=yes])
+ AM_CONDITIONAL(VLOCK, test "$VLOCK_PROG" = "yes")
+ 
+ if test "$VLOCK_PROG" = "yes"; then
+-- 
+2.23.0
+
diff --git a/meta/recipes-core/kbd/kbd_2.0.4.bb b/meta/recipes-core/kbd/kbd_2.0.4.bb
index 4af3256fff..47e76da2b4 100644
--- a/meta/recipes-core/kbd/kbd_2.0.4.bb
+++ b/meta/recipes-core/kbd/kbd_2.0.4.bb
@@ -13,6 +13,7 @@ RCONFLICTS_${PN} = "console-tools"
 SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/${BP}.tar.xz \
            file://run-ptest \
            ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'file://set-proper-path-of-resources.patch', '', d)} \
+           file://0001-configure.ac-Fix-logic-of-vlock-configure-switch.patch \
           "
 
 SRC_URI[md5sum] = "c1635a5a83b63aca7f97a3eab39ebaa6"
@@ -58,7 +59,8 @@ RDEPENDS_${PN}-ptest = "make"
 
 inherit update-alternatives
 
-ALTERNATIVE_${PN} = "chvt deallocvt fgconsole openvt showkey"
+ALTERNATIVE_${PN} = "chvt deallocvt fgconsole openvt showkey \
+                     ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'vlock','', d)}"
 ALTERNATIVE_PRIORITY = "100"
 
 BBCLASSEXTEND = "native"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2019-20388.patch b/meta/recipes-core/libxml/libxml2/CVE-2019-20388.patch
new file mode 100644
index 0000000000..4ee2d4fe62
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2019-20388.patch
@@ -0,0 +1,37 @@
+From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 20 Aug 2019 16:33:06 +0800
+Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
+
+When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
+alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
+to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
+vctxt->xsiAssemble to 0 again which cause the alloced schema
+can not be freed anymore.
+
+Found with libFuzzer.
+
+Upstream-Status: Accepted [https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a]
+CVE: CVE-2019-20388
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ xmlschemas.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 301c8449..39d92182 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
+     vctxt->nberrors = 0;
+     vctxt->depth = -1;
+     vctxt->skipDepth = -1;
+-    vctxt->xsiAssemble = 0;
+     vctxt->hasKeyrefs = 0;
+ #ifdef ENABLE_IDC_NODE_TABLES_TEST
+     vctxt->createIDCNodeTables = 1;
+-- 
+2.24.1
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2020-7595.patch b/meta/recipes-core/libxml/libxml2/CVE-2020-7595.patch
new file mode 100644
index 0000000000..facfefd362
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2020-7595.patch
@@ -0,0 +1,36 @@
+From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Thu, 12 Dec 2019 17:30:55 +0800
+Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
+
+When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
+return NULL which cause a infinite loop in xmlStringLenDecodeEntities
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076]
+CVE: CVE-2020-7595
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> 
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index d1c31963..a34bb6cd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+     else
+         c = 0;
+     while ((c != 0) && (c != end) && /* non input consuming loop */
+-	   (c != end2) && (c != end3)) {
++           (c != end2) && (c != end3) &&
++           (ctxt->instate != XML_PARSER_EOF)) {
+ 
+ 	if (c == 0) break;
+         if ((c == '&') && (str[1] == '#')) {
+-- 
+2.24.1
+
diff --git a/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch b/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch
new file mode 100644
index 0000000000..1c2dff9d5f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch
@@ -0,0 +1,40 @@
+From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Wed, 7 Aug 2019 17:39:17 +0800
+Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
+
+When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
+is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
+NULL and free newDoc will cause a memory leak.
+
+Found with libFuzzer.
+
+Closes #82.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549]
+CVE: CVE-2019-19956
+
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1ce1ccf1..26d9f4e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+     xmlFreeParserCtxt(ctxt);
+     newDoc->intSubset = NULL;
+     newDoc->extSubset = NULL;
+-    newDoc->oldNs = NULL;
++    if(doc != NULL)
++	newDoc->oldNs = NULL;
+     xmlFreeDoc(newDoc);
+ 
+     return(ret);
+-- 
+2.24.1
+
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.9.bb b/meta/recipes-core/libxml/libxml2_2.9.9.bb
index c38f883e44..1d898ab020 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.9.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.9.bb
@@ -20,6 +20,9 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml-m4-use-pkgconfig.patch \
            file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
            file://fix-execution-of-ptests.patch \
+           file://Fix-CVE-2019-19956.patch \
+           file://CVE-2020-7595.patch \
+           file://CVE-2019-20388.patch \
            "
 
 SRC_URI[libtar.md5sum] = "c04a5a0a042eaa157e8e8c9eabe76bd6"
diff --git a/meta/recipes-core/meta/buildtools-tarball.bb b/meta/recipes-core/meta/buildtools-tarball.bb
index 91df6f1ae9..66201514d7 100644
--- a/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-tarball.bb
@@ -25,6 +25,7 @@ TOOLCHAIN_HOST_TASK ?= "\
     nativesdk-texinfo \
     nativesdk-libnss-nis \
     nativesdk-rpcsvc-proto \
+    nativesdk-patch \
     "
 
 MULTIMACH_TARGET_SYS = "${SDK_ARCH}-nativesdk${SDK_VENDOR}-${SDK_OS}"
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 575254af40..1b4f31692b 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -122,7 +122,7 @@ def parse_node_and_insert(c, node, cveId):
             product = cpe23[4]
             version = cpe23[5]
 
-            if version != '*':
+            if version != '*' and version != '-':
                 # Version is defined, this is a '=' match
                 yield [cveId, vendor, product, version, '=', '', '']
             else:
diff --git a/meta/recipes-core/meta/dummy-sdk-package.inc b/meta/recipes-core/meta/dummy-sdk-package.inc
index 4d653706b1..0d15a37c35 100644
--- a/meta/recipes-core/meta/dummy-sdk-package.inc
+++ b/meta/recipes-core/meta/dummy-sdk-package.inc
@@ -17,6 +17,9 @@ ALLOW_EMPTY_${PN} = "1"
 
 PR[vardeps] += "DUMMYPROVIDES"
 
+DUMMYPROVIDES_PACKAGES ??= ""
+DUMMYPROVIDES += "${@' '.join([multilib_pkg_extend(d, pkg) for pkg in d.getVar('DUMMYPROVIDES_PACKAGES').split()])}"
+
 python populate_packages_prepend() {
     p = d.getVar("PN")
     d.appendVar("RPROVIDES_%s" % p, "${DUMMYPROVIDES}")
diff --git a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
index 6a8748acdf..5bc11b9daf 100644
--- a/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
+++ b/meta/recipes-core/meta/nativesdk-buildtools-perl-dummy.bb
@@ -1,6 +1,6 @@
 DUMMYARCH = "buildtools-dummy-${SDKPKGSUFFIX}"
 
-DUMMYPROVIDES = "\
+DUMMYPROVIDES_PACKAGES = "\
     nativesdk-perl \
     nativesdk-libxml-parser-perl \
     nativesdk-perl-module-bytes \
@@ -21,6 +21,9 @@ DUMMYPROVIDES = "\
     nativesdk-perl-module-posix \
     nativesdk-perl-module-thread-queue \
     nativesdk-perl-module-threads \
+"
+
+DUMMYPROVIDES = "\
     /usr/bin/perl \
     "
 
diff --git a/meta/recipes-core/meta/nativesdk-sdk-provides-dummy.bb b/meta/recipes-core/meta/nativesdk-sdk-provides-dummy.bb
index b891efa5ef..29f4dd3633 100644
--- a/meta/recipes-core/meta/nativesdk-sdk-provides-dummy.bb
+++ b/meta/recipes-core/meta/nativesdk-sdk-provides-dummy.bb
@@ -1,10 +1,13 @@
 DUMMYARCH = "sdk-provides-dummy-${SDKPKGSUFFIX}"
 
+DUMMYPROVIDES_PACKAGES = "\
+    pkgconfig \
+"
+
 # Add /bin/sh?
 DUMMYPROVIDES = "\
     /bin/bash \
     /usr/bin/env \
-    pkgconfig \
     libGL.so()(64bit) \
     libGL.so \
 "
diff --git a/meta/recipes-core/meta/target-sdk-provides-dummy.bb b/meta/recipes-core/meta/target-sdk-provides-dummy.bb
index 87b8bfab9c..e3beeb796c 100644
--- a/meta/recipes-core/meta/target-sdk-provides-dummy.bb
+++ b/meta/recipes-core/meta/target-sdk-provides-dummy.bb
@@ -48,7 +48,6 @@ DUMMYPROVIDES_PACKAGES = "\
 "
 
 DUMMYPROVIDES = "\
-    ${@' '.join([multilib_pkg_extend(d, pkg) for pkg in d.getVar('DUMMYPROVIDES_PACKAGES').split()])} \
     /bin/sh \
     /bin/bash \
     /usr/bin/env \
diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index 5f2cc35823..b7bf4c0d81 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -87,6 +87,7 @@ ncurses_configure() {
 	        --disable-rpath-hack \
 		${EXCONFIG_ARGS} \
 	        --with-manpage-format=normal \
+	        --without-manpage-renames \
 	        --disable-stripping \
 	        "$@" || return 1
 	cd ..
diff --git a/meta/recipes-core/ncurses/ncurses_6.1+20190803.bb b/meta/recipes-core/ncurses/ncurses_6.1+20190803.bb
index e638a3737c..c3a89f1c4f 100644
--- a/meta/recipes-core/ncurses/ncurses_6.1+20190803.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.1+20190803.bb
@@ -10,3 +10,5 @@ SRCREV = "3c9b2677c96c645496997321bf2fe465a5e7e21f"
 S = "${WORKDIR}/git"
 EXTRA_OECONF += "--with-abi-version=5 --cache-file=${B}/config.cache"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+(\+\d+)*)"
+
+CVE_VERSION = "6.1.${@d.getVar("PV").split('+')[1]}"
diff --git a/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb b/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
index bfc1283f73..39f612be1f 100644
--- a/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
+++ b/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
@@ -31,6 +31,7 @@ B = "${S}/src"
 
 inherit update-alternatives distro_features_check
 DEPENDS_append = " update-rc.d-native base-passwd virtual/crypt"
+do_package_setscene[depends] = "${MLPREFIX}base-passwd:do_populate_sysroot"
 
 REQUIRED_DISTRO_FEATURES = "sysvinit"
 
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
new file mode 100644
index 0000000000..ba4e3a3c97
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch
@@ -0,0 +1,49 @@
+From 71ba13755337e19c9a826dfc874562a36e1b24d3 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 19 Dec 2019 19:45:06 -0500
+Subject: [PATCH] e2fsck: don't try to rehash a deleted directory
+
+If directory has been deleted in pass1[bcd] processing, then we
+shouldn't try to rehash the directory in pass 3a when we try to
+rehash/reoptimize directories.
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=71ba13755337e19c9a826dfc874562a36e1b24d3]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ e2fsck/pass1b.c | 4 ++++
+ e2fsck/rehash.c | 2 ++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/e2fsck/pass1b.c b/e2fsck/pass1b.c
+index 5693b9cf..bca701ca 100644
+--- a/e2fsck/pass1b.c
++++ b/e2fsck/pass1b.c
+@@ -705,6 +705,10 @@ static void delete_file(e2fsck_t ctx, ext2_ino_t ino,
+ 		fix_problem(ctx, PR_1B_BLOCK_ITERATE, &pctx);
+ 	if (ctx->inode_bad_map)
+ 		ext2fs_unmark_inode_bitmap2(ctx->inode_bad_map, ino);
++	if (ctx->inode_reg_map)
++		ext2fs_unmark_inode_bitmap2(ctx->inode_reg_map, ino);
++	ext2fs_unmark_inode_bitmap2(ctx->inode_dir_map, ino);
++	ext2fs_unmark_inode_bitmap2(ctx->inode_used_map, ino);
+ 	ext2fs_inode_alloc_stats2(fs, ino, -1, LINUX_S_ISDIR(dp->inode.i_mode));
+ 	quota_data_sub(ctx->qctx, &dp->inode, ino,
+ 		       pb.dup_blocks * fs->blocksize);
+diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
+index 3dd1e941..2c908be0 100644
+--- a/e2fsck/rehash.c
++++ b/e2fsck/rehash.c
+@@ -1028,6 +1028,8 @@ void e2fsck_rehash_directories(e2fsck_t ctx)
+ 			if (!ext2fs_u32_list_iterate(iter, &ino))
+ 				break;
+ 		}
++		if (!ext2fs_test_inode_bitmap2(ctx->inode_dir_map, ino))
++			continue;
+ 
+ 		pctx.dir = ino;
+ 		if (first) {
+-- 
+2.24.1
+
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
new file mode 100644
index 0000000000..de4bce0037
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2019-5188.patch
@@ -0,0 +1,57 @@
+From 8dd73c149f418238f19791f9d666089ef9734dff Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 19 Dec 2019 19:37:34 -0500
+Subject: [PATCH] e2fsck: abort if there is a corrupted directory block when
+ rehashing
+
+In e2fsck pass 3a, when we are rehashing directories, at least in
+theory, all of the directories should have had corruptions with
+respect to directory entry structure fixed.  However, it's possible
+(for example, if the user declined a fix) that we can reach this stage
+of processing with a corrupted directory entries.
+
+So check for that case and don't try to process a corrupted directory
+block so we don't run into trouble in mutate_name() if there is a
+zero-length file name.
+
+Addresses: TALOS-2019-0973
+Addresses: CVE-2019-5188
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+CVE: CVE-2019-5188
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff]
+---
+ e2fsck/rehash.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
+index a5fc1be1..3dd1e941 100644
+--- a/e2fsck/rehash.c
++++ b/e2fsck/rehash.c
+@@ -160,6 +160,10 @@ static int fill_dir_block(ext2_filsys fs,
+ 		dir_offset += rec_len;
+ 		if (dirent->inode == 0)
+ 			continue;
++		if ((name_len) == 0) {
++			fd->err = EXT2_ET_DIR_CORRUPTED;
++			return BLOCK_ABORT;
++		}
+ 		if (!fd->compress && (name_len == 1) &&
+ 		    (dirent->name[0] == '.'))
+ 			continue;
+@@ -401,6 +405,11 @@ static int duplicate_search_and_fix(e2fsck_t ctx, ext2_filsys fs,
+ 			continue;
+ 		}
+ 		new_len = ext2fs_dirent_name_len(ent->dir);
++		if (new_len == 0) {
++			 /* should never happen */
++			ext2fs_unmark_valid(fs);
++			continue;
++		}
+ 		memcpy(new_name, ent->dir->name, new_len);
+ 		mutate_name(new_name, &new_len);
+ 		for (j=0; j < fd->num_array; j++) {
+-- 
+2.24.1
+
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch
new file mode 100644
index 0000000000..342a2b855b
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/e2fsck-fix-use-after-free-in-calculate_tree.patch
@@ -0,0 +1,76 @@
+From: Wang Shilong <wshilong@ddn.com>
+Date: Mon, 30 Dec 2019 19:52:39 -0500
+Subject: e2fsck: fix use after free in calculate_tree()
+
+The problem is alloc_blocks() will call get_next_block() which might
+reallocate outdir->buf, and memory address could be changed after
+this.  To fix this, pointers that point into outdir->buf, such as
+int_limit and root need to be recaulated based on the new starting
+address of outdir->buf.
+
+[ Changed to correctly recalculate int_limit, and to optimize how we
+  reallocate outdir->buf.  -TYT ]
+
+Addresses-Debian-Bug: 948517
+Signed-off-by: Wang Shilong <wshilong@ddn.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+(cherry picked from commit 101e73e99ccafa0403fcb27dd7413033b587ca01)
+
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=101e73e99ccafa0403fcb27dd7413033b587ca01]
+---
+ e2fsck/rehash.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/e2fsck/rehash.c b/e2fsck/rehash.c
+index 0a5888a9..2574e151 100644
+--- a/e2fsck/rehash.c
++++ b/e2fsck/rehash.c
+@@ -295,7 +295,11 @@ static errcode_t get_next_block(ext2_filsys fs, struct out_dir *outdir,
+ 	errcode_t	retval;
+ 
+ 	if (outdir->num >= outdir->max) {
+-		retval = alloc_size_dir(fs, outdir, outdir->max + 50);
++		int increment = outdir->max / 10;
++
++		if (increment < 50)
++			increment = 50;
++		retval = alloc_size_dir(fs, outdir, outdir->max + increment);
+ 		if (retval)
+ 			return retval;
+ 	}
+@@ -637,6 +641,9 @@ static int alloc_blocks(ext2_filsys fs,
+ 	if (retval)
+ 		return retval;
+ 
++	/* outdir->buf might be reallocated */
++	*prev_ent = (struct ext2_dx_entry *) (outdir->buf + *prev_offset);
++
+ 	*next_ent = set_int_node(fs, block_start);
+ 	*limit = (struct ext2_dx_countlimit *)(*next_ent);
+ 	if (next_offset)
+@@ -726,6 +733,9 @@ static errcode_t calculate_tree(ext2_filsys fs,
+ 					return retval;
+ 			}
+ 			if (c3 == 0) {
++				int delta1 = (char *)int_limit - outdir->buf;
++				int delta2 = (char *)root - outdir->buf;
++
+ 				retval = alloc_blocks(fs, &limit, &int_ent,
+ 						      &dx_ent, &int_offset,
+ 						      NULL, outdir, i, &c2,
+@@ -733,6 +743,11 @@ static errcode_t calculate_tree(ext2_filsys fs,
+ 				if (retval)
+ 					return retval;
+ 
++				/* outdir->buf might be reallocated */
++				int_limit = (struct ext2_dx_countlimit *)
++					(outdir->buf + delta1);
++				root = (struct ext2_dx_entry *)
++					(outdir->buf + delta2);
+ 			}
+ 			dx_ent->block = ext2fs_cpu_to_le32(i);
+ 			if (c3 != limit->limit)
+-- 
+2.24.1
+
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb
index 14c05a446c..f81defb837 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.3.bb
@@ -6,6 +6,9 @@ SRC_URI += "file://remove.ldconfig.call.patch \
             file://mkdir_p.patch \
             file://0001-misc-create_inode.c-set-dir-s-mode-correctly.patch \
             file://CVE-2019-5094.patch \
+            file://CVE-2019-5188.patch \
+            file://0001-e2fsck-don-t-try-to-rehash-a-deleted-directory.patch \
+            file://e2fsck-fix-use-after-free-in-calculate_tree.patch \
             "
 
 SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
diff --git a/meta/recipes-devtools/gcc/gcc-9.2.inc b/meta/recipes-devtools/gcc/gcc-9.2.inc
index c6395998d5..4f068231f3 100644
--- a/meta/recipes-devtools/gcc/gcc-9.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-9.2.inc
@@ -68,6 +68,7 @@ SRC_URI = "\
 	   file://CVE-2019-15847_1.patch \
 	   file://CVE-2019-15847_2.patch \
 	   file://CVE-2019-15847_3.patch \
+           file://re-PR-target-91102-aarch64-ICE-on-Linux-kernel-with-.patch \
 "
 S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${PV}"
 SRC_URI[md5sum] = "3818ad8600447f05349098232c2ddc78"
diff --git a/meta/recipes-devtools/gcc/gcc-9.2/re-PR-target-91102-aarch64-ICE-on-Linux-kernel-with-.patch b/meta/recipes-devtools/gcc/gcc-9.2/re-PR-target-91102-aarch64-ICE-on-Linux-kernel-with-.patch
new file mode 100644
index 0000000000..c37e0bb9dd
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-9.2/re-PR-target-91102-aarch64-ICE-on-Linux-kernel-with-.patch
@@ -0,0 +1,95 @@
+From efb0ee06f5c0186c2d1442ecd4dbbd55dbd97b44 Mon Sep 17 00:00:00 2001
+From: Vladimir Makarov <vmakarov@redhat.com>
+Date: Wed, 10 Jul 2019 16:07:10 +0000
+Subject: [PATCH] re PR target/91102 (aarch64 ICE on Linux kernel with -Os
+ starting with r270266)
+
+2019-07-10  Vladimir Makarov  <vmakarov@redhat.com>
+
+	PR target/91102
+	* lra-constraints.c (process_alt_operands): Don't match user
+	defined regs only if they are early clobbers.
+
+2019-07-10  Vladimir Makarov  <vmakarov@redhat.com>
+
+	PR target/91102
+	* gcc.target/aarch64/pr91102.c: New test.
+
+From-SVN: r273357
+Upstream-Status: Backport [https://github.com/gcc-mirror/gcc/commit/613caed2feb9cfc8158308670b59df3d031ec629]
+[takondra: dropped conflicting ChangeLog changes]
+Signed-off-by: Taras Kondratiuk <takondra@cisco.com>
+---
+ gcc/lra-constraints.c                      | 17 ++++++++++----
+ gcc/testsuite/gcc.target/aarch64/pr91102.c | 26 ++++++++++++++++++++++
+ 2 files changed, 39 insertions(+), 4 deletions(-)
+ create mode 100644 gcc/testsuite/gcc.target/aarch64/pr91102.c
+
+diff --git a/gcc/lra-constraints.c b/gcc/lra-constraints.c
+index cf33da8013e4..6382dbf852b6 100644
+--- a/gcc/lra-constraints.c
++++ b/gcc/lra-constraints.c
+@@ -2172,8 +2172,9 @@ process_alt_operands (int only_alternative)
+ 		    else
+ 		      {
+ 			/* Operands don't match.  If the operands are
+-			   different user defined explicit hard registers,
+-			   then we cannot make them match.  */
++			   different user defined explicit hard
++			   registers, then we cannot make them match
++			   when one is early clobber operand.  */
+ 			if ((REG_P (*curr_id->operand_loc[nop])
+ 			     || SUBREG_P (*curr_id->operand_loc[nop]))
+ 			    && (REG_P (*curr_id->operand_loc[m])
+@@ -2192,9 +2193,17 @@ process_alt_operands (int only_alternative)
+ 				&& REG_P (m_reg)
+ 				&& HARD_REGISTER_P (m_reg)
+ 				&& REG_USERVAR_P (m_reg))
+-			      break;
++			      {
++				int i;
++				
++				for (i = 0; i < early_clobbered_regs_num; i++)
++				  if (m == early_clobbered_nops[i])
++				    break;
++				if (i < early_clobbered_regs_num
++				    || early_clobber_p)
++				  break;
++			      }
+ 			  }
+-
+ 			/* Both operands must allow a reload register,
+ 			   otherwise we cannot make them match.  */
+ 			if (curr_alt[m] == NO_REGS)
+diff --git a/gcc/testsuite/gcc.target/aarch64/pr91102.c b/gcc/testsuite/gcc.target/aarch64/pr91102.c
+new file mode 100644
+index 000000000000..70b99045a48e
+--- /dev/null
++++ b/gcc/testsuite/gcc.target/aarch64/pr91102.c
+@@ -0,0 +1,26 @@
++/* PR target/91102 */
++/* { dg-do compile } */
++/* { dg-options "-O2" } */
++
++int
++foo (long d, long l)
++{
++  register long e asm ("x1") = d;
++  register long f asm("x2") = l;
++  asm ("" : : "r" (e), "r" (f));
++  return 3;
++}
++
++struct T { int i; int j; };
++union S { long h; struct T t; };
++
++void
++bar (union S b)
++{
++  while (1)
++    {
++      union S c = b;
++      c.t.j++;
++      b.h = foo (b.h, c.h);
++    }
++}
diff --git a/meta/recipes-devtools/gcc/gcc-cross-canadian.inc b/meta/recipes-devtools/gcc/gcc-cross-canadian.inc
index f14cbf7152..4aac345bec 100644
--- a/meta/recipes-devtools/gcc/gcc-cross-canadian.inc
+++ b/meta/recipes-devtools/gcc/gcc-cross-canadian.inc
@@ -158,7 +158,7 @@ SYSTEMLIBS1 = "${target_libdir}/"
 EXTRA_OECONF += "--enable-poison-system-directories"
 EXTRA_OECONF_remove_elf = "--with-sysroot=/not/exist"
 EXTRA_OECONF_remove_eabi = "--with-sysroot=/not/exist"
-EXTRA_OECONF_append_elf = "--without-headers --with-newlib"
-EXTRA_OECONF_append_eabi = "--without-headers --with-newlib"
+EXTRA_OECONF_append_elf = " --without-headers --with-newlib"
+EXTRA_OECONF_append_eabi = " --without-headers --with-newlib"
 # gcc 4.7 needs -isystem
 export ARCH_FLAGS_FOR_TARGET = "--sysroot=${STAGING_DIR_TARGET} -isystem=${target_includedir}"
diff --git a/meta/recipes-devtools/gcc/gcc-cross.inc b/meta/recipes-devtools/gcc/gcc-cross.inc
index 8855bb1f34..06ba3ccd15 100644
--- a/meta/recipes-devtools/gcc/gcc-cross.inc
+++ b/meta/recipes-devtools/gcc/gcc-cross.inc
@@ -61,6 +61,13 @@ do_compile () {
 	export CXXFLAGS_FOR_TARGET="${TARGET_CXXFLAGS}"
 	export LDFLAGS_FOR_TARGET="${TARGET_LDFLAGS}"
 
+	# Prevent native/host sysroot path from being used in configargs.h header,
+	# as it will be rewritten when used by other sysroots preventing support
+	# for gcc plugins
+	oe_runmake configure-gcc
+	sed -i 's@${STAGING_DIR_TARGET}@/host@g' ${B}/gcc/configargs.h
+	sed -i 's@${STAGING_DIR_HOST}@/host@g' ${B}/gcc/configargs.h
+
 	oe_runmake all-host configure-target-libgcc
 	(cd ${B}/${TARGET_SYS}/libgcc; oe_runmake enable-execute-stack.c unwind.h md-unwind-support.h sfp-machine.h gthr-default.h)
 	# now generate script to drive testing
diff --git a/meta/recipes-devtools/gcc/gcc-runtime.inc b/meta/recipes-devtools/gcc/gcc-runtime.inc
index 2da3c02ef0..536b18d97f 100644
--- a/meta/recipes-devtools/gcc/gcc-runtime.inc
+++ b/meta/recipes-devtools/gcc/gcc-runtime.inc
@@ -302,10 +302,6 @@ do_check() {
 
     # HACK: this works around the configure setting CXX with -nostd* args
     sed -i 's/-nostdinc++ -nostdlib++//g' $(find ${B} -name testsuite_flags | head -1)
-    # HACK: this works around the de-stashing changes to configargs.h, as well as recipe-sysroot changing the content
-    sed -i '/static const char configuration_arguments/d' ${B}/gcc/configargs.h
-    ${CC} -v 2>&1 | grep "^Configured with:" | \
-        sed 's/Configured with: \(.*\)/static const char configuration_arguments[] = "\1";/g' >> ${B}/gcc/configargs.h
 
     if [ "${TOOLCHAIN_TEST_TARGET}" = "user" ]; then
         # qemu user has issues allocating large amounts of memory
diff --git a/meta/recipes-devtools/gcc/gcc-target.inc b/meta/recipes-devtools/gcc/gcc-target.inc
index bdc6ff658f..987e88d32c 100644
--- a/meta/recipes-devtools/gcc/gcc-target.inc
+++ b/meta/recipes-devtools/gcc/gcc-target.inc
@@ -137,6 +137,14 @@ FILES_${PN}-doc = "\
 "
 
 do_compile () {
+	# Prevent full target sysroot path from being used in configargs.h header,
+	# as it will be rewritten when used by other sysroots preventing support
+	# for gcc plugins. Additionally the path is embeddeded into the output
+	# binary, this prevents building a reproducible binary.
+	oe_runmake configure-gcc
+	sed -i 's@${STAGING_DIR_TARGET}@/@g' ${B}/gcc/configargs.h
+	sed -i 's@${STAGING_DIR_HOST}@/@g' ${B}/gcc/configargs.h
+
 	oe_runmake all-host
 }
 
diff --git a/meta/recipes-devtools/opkg-utils/opkg-utils/0001-Switch-all-scripts-to-use-Python-3.x.patch b/meta/recipes-devtools/opkg-utils/opkg-utils/0001-Switch-all-scripts-to-use-Python-3.x.patch
deleted file mode 100644
index 691ed50c2b..0000000000
--- a/meta/recipes-devtools/opkg-utils/opkg-utils/0001-Switch-all-scripts-to-use-Python-3.x.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-From d42b23f4fb5d6bd58e92e995fe5befc76efbae0c Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex.kanavin@gmail.com>
-Date: Thu, 27 Apr 2017 15:47:58 +0300
-Subject: [PATCH] Switch all scripts to use Python 3.x
-
-Upstream-Status: Pending
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
- makePackage          | 2 +-
- opkg-compare-indexes | 2 +-
- opkg-graph-deps      | 2 +-
- opkg-list-fields     | 2 +-
- opkg-make-index      | 2 +-
- opkg-show-deps       | 2 +-
- opkg-unbuild         | 2 +-
- opkg-update-index    | 2 +-
- opkg.py              | 2 +-
- 9 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/makePackage b/makePackage
-index 4bdfc56..02124dd 100755
---- a/makePackage
-+++ b/makePackage
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/env python3
- 
- # The general algorithm this program follows goes like this:
- #   Run tar to extract control from control.tar.gz from the package.
-diff --git a/opkg-compare-indexes b/opkg-compare-indexes
-index b60d20a..80c1263 100755
---- a/opkg-compare-indexes
-+++ b/opkg-compare-indexes
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- from __future__ import absolute_import
- from __future__ import print_function
- 
-diff --git a/opkg-graph-deps b/opkg-graph-deps
-index 6653fd5..f1e376a 100755
---- a/opkg-graph-deps
-+++ b/opkg-graph-deps
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- from __future__ import absolute_import
- from __future__ import print_function
- 
-diff --git a/opkg-list-fields b/opkg-list-fields
-index c14a90f..24f7955 100755
---- a/opkg-list-fields
-+++ b/opkg-list-fields
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- from __future__ import absolute_import
- from __future__ import print_function
- 
-diff --git a/opkg-make-index b/opkg-make-index
-index 3f757f6..2988f9f 100755
---- a/opkg-make-index
-+++ b/opkg-make-index
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- """
-    Utility to create opkg compatible indexes
- """
- 
-diff --git a/opkg-show-deps b/opkg-show-deps
-index 153f21e..4e18b4f 100755
---- a/opkg-show-deps
-+++ b/opkg-show-deps
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- from __future__ import absolute_import
- from __future__ import print_function
- 
-diff --git a/opkg-unbuild b/opkg-unbuild
-index 4f36bec..57642c9 100755
---- a/opkg-unbuild
-+++ b/opkg-unbuild
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- from __future__ import absolute_import
- from __future__ import print_function
- 
-diff --git a/opkg-update-index b/opkg-update-index
-index 341c1c2..7bff8a1 100755
---- a/opkg-update-index
-+++ b/opkg-update-index
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- from __future__ import absolute_import
- 
- import sys, os
-diff --git a/opkg.py b/opkg.py
-index 2ecac8a..7e64de4 100644
---- a/opkg.py
-+++ b/opkg.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- #   Copyright (C) 2001 Alexander S. Guy <a7r@andern.org>
- #                      Andern Research Labs
- #
--- 
-2.11.0
-
diff --git a/meta/recipes-devtools/opkg-utils/opkg-utils/0001-opkg-build-clamp-mtimes-to-SOURCE_DATE_EPOCH.patch b/meta/recipes-devtools/opkg-utils/opkg-utils/0001-opkg-build-clamp-mtimes-to-SOURCE_DATE_EPOCH.patch
deleted file mode 100644
index a181169d47..0000000000
--- a/meta/recipes-devtools/opkg-utils/opkg-utils/0001-opkg-build-clamp-mtimes-to-SOURCE_DATE_EPOCH.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 59da5577bf8df441c6ca958e50fcb83228702764 Mon Sep 17 00:00:00 2001
-From: Alejandro del Castillo <alejandro.delcastillo@ni.com>
-Date: Thu, 12 Sep 2019 10:24:58 -0500
-Subject: [PATCH] opkg-build: clamp mtimes to SOURCE_DATE_EPOCH
-
-For reproducible builds, clamp mtimes bigger than SOURCE_DATE_EPOCH to
-SOURCE_DATE_EPOCH (build generated files, usually).
-
-Fixes bugzilla 13450
-
-Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
-Signed-off-by: Ross Burton <ross.burton@intel.com>
----
- opkg-build | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/opkg-build b/opkg-build
-index dcd2d68..2517a2b 100755
---- a/opkg-build
-+++ b/opkg-build
-@@ -297,9 +297,16 @@ mkdir $tmp_dir
- 
- build_date="${SOURCE_DATE_EPOCH:-$(date +%s)}"
- 
-+mtime_args=""
-+# --clamp-mtime requires tar > 1.28. Only use it if SOURCE_DATE_EPOCH is set, to avoid having a generic case dependency on tar > 1.28.
-+# this setting will make sure files generated at build time have consistent mtimes, for reproducible builds.
-+if [ ! -z "$SOURCE_DATE_EPOCH"  ]; then
-+    mtime_args="--mtime=@$build_date --clamp-mtime"
-+fi
-+
- ( cd $pkg_dir/$CONTROL && find . -type f > $tmp_dir/control_list )
- ( cd $pkg_dir && find . -path ./$CONTROL -prune -o -print > $tmp_dir/file_list )
--( cd $pkg_dir && tar $ogargs $tsortargs --no-recursion -c $tarformat -T $tmp_dir/file_list | $compressor $compressorargs > $tmp_dir/data.tar.$cext )
-+( cd $pkg_dir && tar $ogargs $tsortargs --no-recursion $mtime_args -c $tarformat -T $tmp_dir/file_list | $compressor $compressorargs > $tmp_dir/data.tar.$cext )
- ( cd $pkg_dir/$CONTROL && tar $ogargs $tsortargs --no-recursion --mtime=@$build_date -c $tarformat -T $tmp_dir/control_list | gzip $zipargs > $tmp_dir/control.tar.gz )
- rm $tmp_dir/file_list
- rm $tmp_dir/control_list
--- 
-2.20.1
-
diff --git a/meta/recipes-devtools/opkg-utils/opkg-utils/fix-reproducibility.patch b/meta/recipes-devtools/opkg-utils/opkg-utils/fix-reproducibility.patch
new file mode 100644
index 0000000000..945979bc8a
--- /dev/null
+++ b/meta/recipes-devtools/opkg-utils/opkg-utils/fix-reproducibility.patch
@@ -0,0 +1,32 @@
+Fix reproducibility issues in opkg-build
+
+There is a sorting problem with opkg-build where the ipk generated is depending
+upon the order of files on disk. The reason is the --sort option to tar only
+influences the orders of files tar reads, not those passed by the -T option.
+
+Add in a sort call to resolve this issue. To ensure consistent sorting we
+also need to force to a specific locale (C) else the results are still not
+deterministic.
+
+RP 2020/2/5
+
+Upstream-Status: Submitted [https://groups.google.com/forum/#!topic/opkg-devel/YttZ73NLrYQ]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: opkg-utils-0.4.2/opkg-build
+===================================================================
+--- opkg-utils-0.4.2.orig/opkg-build
++++ opkg-utils-0.4.2/opkg-build
+@@ -305,8 +305,10 @@ if [ ! -z "$SOURCE_DATE_EPOCH"  ]; then
+     mtime_args="--mtime=@$build_date --clamp-mtime"
+ fi
+ 
+-( cd $pkg_dir/$CONTROL && find . -type f > $tmp_dir/control_list )
+-( cd $pkg_dir && find . -path ./$CONTROL -prune -o -path . -o -print  > $tmp_dir/file_list )
++export LANG=C
++export LC_ALL=C
++( cd $pkg_dir/$CONTROL && find . -type f | sort > $tmp_dir/control_list )
++( cd $pkg_dir && find . -path ./$CONTROL -prune -o -path . -o -print  | sort > $tmp_dir/file_list )
+ ( cd $pkg_dir && tar $ogargs $tsortargs --no-recursion $mtime_args -c $tarformat -T $tmp_dir/file_list | $compressor $compressorargs > $tmp_dir/data.tar.$cext )
+ ( cd $pkg_dir/$CONTROL && tar $ogargs $tsortargs --no-recursion --mtime=@$build_date -c $tarformat -T $tmp_dir/control_list | gzip $zipargs > $tmp_dir/control.tar.gz )
+ rm $tmp_dir/file_list
diff --git a/meta/recipes-devtools/opkg-utils/opkg-utils/pipefail.patch b/meta/recipes-devtools/opkg-utils/opkg-utils/pipefail.patch
deleted file mode 100644
index 55ddcc1fd2..0000000000
--- a/meta/recipes-devtools/opkg-utils/opkg-utils/pipefail.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-We need opkg-build to fail if for example the tar command is passed invalid 
-options. Without this, we see silently created empty packaged where data.tar
-is zero bytes in size. This creates hard to debug problems.
-
-An example is when reproducible builds are enabled and run on old hosts like
-centos7 which has tar < 1.28:
-
-Subprocess output:tar: unrecognized option '--clamp-mtime'
-Try `tar --help' or `tar --usage' for more information.
-
-Upstream-Status: Pending
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-
-Index: opkg-utils-0.4.1/opkg-build
-===================================================================
---- opkg-utils-0.4.1.orig/opkg-build
-+++ opkg-utils-0.4.1/opkg-build
-@@ -1,4 +1,4 @@
--#!/bin/sh
-+#!/bin/bash
- 
- : <<=cut
- =head1 NAME
-@@ -12,6 +12,7 @@ opkg-build - construct an .opk from a di
- #   Updated to work on Familiar Pre0.7rc1, with busybox tar.
- #   Note it Requires: binutils-ar (since the busybox ar can't create)
- set -e
-+set -o pipefail
- 
- version=1.0
- 
diff --git a/meta/recipes-devtools/opkg-utils/opkg-utils_0.4.1.bb b/meta/recipes-devtools/opkg-utils/opkg-utils_0.4.2.bb
index eb6c7a3a6a..042eec7e0e 100644
--- a/meta/recipes-devtools/opkg-utils/opkg-utils_0.4.1.bb
+++ b/meta/recipes-devtools/opkg-utils/opkg-utils_0.4.2.bb
@@ -4,19 +4,16 @@ SECTION = "base"
 HOMEPAGE = "http://git.yoctoproject.org/cgit/cgit.cgi/opkg-utils"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
-                    file://opkg.py;beginline=2;endline=18;md5=63ce9e6bcc445181cd9e4baf4b4ccc35"
+                    file://opkg.py;beginline=2;endline=18;md5=ffa11ff3c15eb31c6a7ceaa00cc9f986"
 PROVIDES += "${@bb.utils.contains('PACKAGECONFIG', 'update-alternatives', 'virtual/update-alternatives', '', d)}"
 
-SRC_URI = "http://git.yoctoproject.org/cgit/cgit.cgi/${BPN}/snapshot/${BPN}-${PV}.tar.gz \
-           file://0001-Switch-all-scripts-to-use-Python-3.x.patch \
-           file://0001-opkg-build-clamp-mtimes-to-SOURCE_DATE_EPOCH.patch \
-           file://pipefail.patch \
+SRC_URI = "http://git.yoctoproject.org/cgit/cgit.cgi/${BPN}/snapshot/${BPN}-${PV}.tar.gz \ 
+           file://fix-reproducibility.patch \
 "
 UPSTREAM_CHECK_URI = "http://git.yoctoproject.org/cgit/cgit.cgi/opkg-utils/refs/"
 
-
-SRC_URI[md5sum] = "8c140f835b694a0c27cfb23d2426a02b"
-SRC_URI[sha256sum] = "9ea9efdd9fe13661ad251e3a2860c1c93045adcfaa6659c3e86d9748ecda3b6e"
+SRC_URI[md5sum] = "cc210650644fcb9bba06ad5ec95a63ec"
+SRC_URI[sha256sum] = "5929ad87d541789e0b82d626db01a1201ac48df6f49f2262fcfb86cf815e5d6c"
 
 TARGET_CC_ARCH += "${LDFLAGS}"
 
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 5d7f55f8dc..b5897b357a 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -22,3 +22,6 @@ acpaths = "-I ${S}/m4 "
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'xattr', d)}"
 PACKAGECONFIG[xattr] = "--enable-xattr,--disable-xattr,attr,"
 
+PROVIDES_append_class-native = " patch-replacement-native"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-devtools/perl/files/0001-tests-adjust-to-correctly-exclude-unbuilt-extensions.patch b/meta/recipes-devtools/perl/files/0001-tests-adjust-to-correctly-exclude-unbuilt-extensions.patch
new file mode 100644
index 0000000000..0f3a2c6327
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/0001-tests-adjust-to-correctly-exclude-unbuilt-extensions.patch
@@ -0,0 +1,27 @@
+From b0d53cfd785f64002128ac5eecc4aed0663d9c30 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Thu, 9 Jan 2020 17:26:55 +0100
+Subject: [PATCH] tests: adjust to correctly exclude unbuilt extensions
+
+Issue is reported here:
+https://github.com/arsv/perl-cross/issues/85
+
+Upstream-Status: Inappropriate [issue caused by perl-cross]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+---
+ t/TEST | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/t/TEST b/t/TEST
+index a9c844f..8d3505f 100755
+--- a/t/TEST
++++ b/t/TEST
+@@ -419,7 +419,7 @@ sub _tests_from_manifest {
+ 	while (<MANI>) {
+ 	    if (m!^((?:cpan|dist|ext)/(\S+)/+(?:[^/\s]+\.t|test\.pl)|lib/\S+?(?:\.t|test\.pl))\s!) {
+ 		my $t = $1;
+-		my $extension = $2;
++		my $extension = $1."/".$2;
+ 
+ 		# XXX Generates way too many error lines currently.  Skip for
+ 		# v5.22
diff --git a/meta/recipes-devtools/perl/files/determinism.patch b/meta/recipes-devtools/perl/files/determinism.patch
new file mode 100644
index 0000000000..ed4d06f5ec
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/determinism.patch
@@ -0,0 +1,81 @@
+Fixes to make the perl build reproducible:
+
+a) Remove the \n from configure_attr.sh since it gets quoted differently depending on
+   whether the shell is bash or dash which can cause the test result to be incorrect.
+   Reported upstream: https://github.com/arsv/perl-cross/issues/87
+
+b) Sort the order of the module lists from configure_mods.sh since otherwise
+   the result isn't the same leading to makefile differences.
+   Reported upstream: https://github.com/arsv/perl-cross/issues/88
+
+c) Sort the Encode::Byte byte_t.fnm file output (and the makefile depends whilst 
+   there for good measure)
+   This needs to go to upstream perl (not done)
+
+d) Use bash for perl-cross configure since otherwise trnl gets set to "\n" with bash
+   and "" with dash
+   Reported upstream: https://github.com/arsv/perl-cross/issues/87
+
+RP 2020/2/7
+
+Upstream-Status: Pending [75% submitted]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org
+
+Index: perl-5.30.1/cnf/configure_attr.sh
+===================================================================
+--- perl-5.30.1.orig/cnf/configure_attr.sh
++++ perl-5.30.1/cnf/configure_attr.sh
+@@ -131,7 +131,7 @@ if not hinted d_c99_variadic_macros 'sup
+ 	try_start
+ 	try_add '#include <stdio.h>'
+ 	try_add '#define foo(fmt, ...) printf(fmt, __VA_ARGS__)'
+-	try_add 'int main(void) { foo("%i\n", 1234); return 0; }'
++	try_add 'int main(void) { foo("%i", 1234); return 0; }'
+ 	try_compile
+ 	resdef d_c99_variadic_macros 'supported' 'missing'
+ fi
+Index: perl-5.30.1/cnf/configure_mods.sh
+===================================================================
+--- perl-5.30.1.orig/cnf/configure_mods.sh
++++ perl-5.30.1/cnf/configure_mods.sh
+@@ -82,7 +82,7 @@ extonlyif() {
+ }
+ 
+ definetrimspaces() {
+-	v=`echo "$2" | sed -r -e 's/\s+/ /g' -e 's/^\s+//' -e 's/\s+$//'`
++	v=`echo "$2" | sed -r -e 's/\s+/ /g' -e 's/^\s+//' -e 's/\s+$//' | xargs -n1 | LANG=C sort | xargs`
+ 	define $1 "$v"
+ }
+ 
+Index: perl-5.30.1/cpan/Encode/Byte/Makefile.PL
+===================================================================
+--- perl-5.30.1.orig/cpan/Encode/Byte/Makefile.PL
++++ perl-5.30.1/cpan/Encode/Byte/Makefile.PL
+@@ -171,7 +171,7 @@ sub postamble
+     my $lengthsofar = length($str);
+     my $continuator = '';
+     $str .= "$table.c : $enc2xs Makefile.PL";
+-    foreach my $file (@{$tables{$table}})
++    foreach my $file (sort (@{$tables{$table}}))
+     {
+         $str .= $continuator.' '.$self->catfile($dir,$file);
+         if ( length($str)-$lengthsofar > 128*$numlines )
+@@ -189,7 +189,7 @@ sub postamble
+         qq{\n\t\$(PERL) $plib $enc2xs $ucopts -o \$\@ -f $table.fnm\n\n};
+     open (FILELIST, ">$table.fnm")
+         || die "Could not open $table.fnm: $!";
+-    foreach my $file (@{$tables{$table}})
++    foreach my $file (sort (@{$tables{$table}}))
+     {
+         print FILELIST $self->catfile($dir,$file) . "\n";
+     }
+Index: perl-5.30.1/cnf/configure
+===================================================================
+--- perl-5.30.1.orig/cnf/configure
++++ perl-5.30.1/cnf/configure
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ 
+ base=${0%/*}; test -z "$base" && base=.
+ 
diff --git a/meta/recipes-devtools/perl/files/encodefix.patch b/meta/recipes-devtools/perl/files/encodefix.patch
new file mode 100644
index 0000000000..396ed0d53e
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/encodefix.patch
@@ -0,0 +1,20 @@
+The code is encoding host compiler parameters into target builds. Avoid
+this for our target builds (patch is target specific, not native)
+
+Upstream-Status: Inappropriate [Cross compile hack]
+RP 2020/2/18
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: perl-5.30.1/cpan/Encode/bin/enc2xs
+===================================================================
+--- perl-5.30.1.orig/cpan/Encode/bin/enc2xs
++++ perl-5.30.1/cpan/Encode/bin/enc2xs
+@@ -195,7 +195,7 @@ sub compiler_info {
+     # above becomes false.
+     my $sized  = $declaration && !($compat && !$pedantic);
+ 
+-    return ($cpp, $static, $sized);
++    return (0, 1, 1);
+ }
+ 
+ 
diff --git a/meta/recipes-devtools/perl/files/fix-setgroup.patch b/meta/recipes-devtools/perl/files/fix-setgroup.patch
deleted file mode 100644
index 2b490e6067..0000000000
--- a/meta/recipes-devtools/perl/files/fix-setgroup.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Test script to reproduce the problem:
-
-#!/usr/bin/env perl
-$) = "2 2";
-print $!;
-
-Result from perl 5.28 under strace:
-
-setgroups(1, [2])                       = 0
-setresgid(-1, 2, -1)                    = 0
-
-Result from perl 5.30 under strace:
-
-setgroups(1, [-1])                      = -1 EINVAL (Invalid argument)
-setresgid(-1, 2, -1)                    = 0
-
-Patch which broke this upstream:
-https://perl5.git.perl.org/perl.git/commitdiff/5d4a52b5c68a11bfc97c2e24806993b84a61eade
-
-Issue is that the new function changes the endptr to the end of the
-scanned number and needs to be reset to the end of the string for 
-each iteration of the loop.
-
-[YOCTO #13391]
-
-RP
-2019/6/14
-Upstream-Status: Pending
-
-Index: perl-5.30.0/mg.c
-===================================================================
---- perl-5.30.0.orig/mg.c
-+++ perl-5.30.0/mg.c
-@@ -3179,6 +3256,7 @@ Perl_magic_set(pTHX_ SV *sv, MAGIC *mg)
- 	    const char *p = SvPV_const(sv, len);
-             Groups_t *gary = NULL;
-             const char* endptr = p + len;
-+            const char* realend = p + len;
-             UV uv;
- #ifdef _SC_NGROUPS_MAX
-            int maxgrp = sysconf(_SC_NGROUPS_MAX);
-@@ -3209,6 +3287,7 @@ Perl_magic_set(pTHX_ SV *sv, MAGIC *mg)
-                     Newx(gary, i + 1, Groups_t);
-                 else
-                     Renew(gary, i + 1, Groups_t);
-+                endptr = realend;
-                 if (grok_atoUV(p, &uv, &endptr))
-                     gary[i] = (Groups_t)uv;
-                 else {
diff --git a/meta/recipes-devtools/perl/files/perl-configpm-switch.patch b/meta/recipes-devtools/perl/files/perl-configpm-switch.patch
index 3c2cecb8c1..80ce4a6de7 100644
--- a/meta/recipes-devtools/perl/files/perl-configpm-switch.patch
+++ b/meta/recipes-devtools/perl/files/perl-configpm-switch.patch
@@ -1,4 +1,4 @@
-From 7f313cac31c55cbe62a4d0cdfa8321cc05a8eb3a Mon Sep 17 00:00:00 2001
+From 5120acaa2be5787d9657f6b91bc8ee3c2d664fbe Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Sun, 27 May 2007 21:04:11 +0000
 Subject: [PATCH] perl: 5.8.7 -> 5.8.8 (from OE)
@@ -20,7 +20,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  1 file changed, 16 insertions(+), 2 deletions(-)
 
 diff --git a/configpm b/configpm
-index 09c4a3b..6a0a680 100755
+index c8de8bf..204613c 100755
 --- a/configpm
 +++ b/configpm
 @@ -687,7 +687,7 @@ sub FETCH {
diff --git a/meta/recipes-devtools/perl/files/racefix.patch b/meta/recipes-devtools/perl/files/racefix.patch
new file mode 100644
index 0000000000..bac42d26ae
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/racefix.patch
@@ -0,0 +1,24 @@
+In our builds Config_heavy.pl sometimes has lines:
+cwarnflags=XXX
+ccstdflags=XXX
+and sometimes does not.
+The reason is that this information is pulled from cflags by configpm and yet
+there is no dependency in the Makefile. Add one to fix this.
+
+Upstream-Status: Submitted [https://github.com/arsv/perl-cross/pull/89]
+RP 2020/2/19
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: perl-5.30.1/Makefile
+===================================================================
+--- perl-5.30.1.orig/Makefile
++++ perl-5.30.1/Makefile
+@@ -204,7 +204,7 @@ configpod: $(CONFIGPOD)
+ git_version.h lib/Config_git.pl: make_patchnum.pl | miniperl$X
+ 	./miniperl_top make_patchnum.pl
+ 
+-lib/Config.pm lib/Config_heavy.pl lib/Config.pod: config.sh \
++lib/Config.pm lib/Config_heavy.pl lib/Config.pod: config.sh cflags \
+ 		lib/Config_git.pl Porting/Glossary | miniperl$X
+ 	./miniperl_top configpm
+ 
diff --git a/meta/recipes-devtools/perl/liberror-perl_0.17028.bb b/meta/recipes-devtools/perl/liberror-perl_0.17029.bb
index 8c6bbcba94..038808f0cd 100644
--- a/meta/recipes-devtools/perl/liberror-perl_0.17028.bb
+++ b/meta/recipes-devtools/perl/liberror-perl_0.17029.bb
@@ -32,8 +32,8 @@ RDEPENDS_${PN}-ptest += " \
 
 SRC_URI = "http://cpan.metacpan.org/authors/id/S/SH/SHLOMIF/Error-${PV}.tar.gz"
 
-SRC_URI[md5sum] = "ec3522c60a43a368f19c0f89e2205cb1"
-SRC_URI[sha256sum] = "3ad85c5e58b31c8903006298424a51bba39f1840e324f5ae612eabc8b935e960"
+SRC_URI[md5sum] = "6732b1c6207e4a9a3e2987c88368039a"
+SRC_URI[sha256sum] = "1a23f7913032aed6d4b68321373a3899ca66590f4727391a091ec19c95bf7adc"
 
 S = "${WORKDIR}/Error-${PV}"
 
diff --git a/meta/recipes-devtools/perl/libmodule-build-perl/run-ptest b/meta/recipes-devtools/perl/libmodule-build-perl/run-ptest
index 0d63d1513b..d802781f9e 100644
--- a/meta/recipes-devtools/perl/libmodule-build-perl/run-ptest
+++ b/meta/recipes-devtools/perl/libmodule-build-perl/run-ptest
@@ -6,8 +6,6 @@ for case in `find t -type f -name '*.t'`; do
     cat $case.output
     if [ $ret -ne 0 ]; then
         echo "FAIL: ${case%.t}"
-    elif grep -i 'SKIP' $case.output; then
-        echo "SKIP: ${case%.t}"
     else
         echo "PASS: ${case%.t}"
     fi
diff --git a/meta/recipes-devtools/perl/libmodule-build-perl_0.4229.bb b/meta/recipes-devtools/perl/libmodule-build-perl_0.4229.bb
index f759f862fb..e3ba40d96c 100644
--- a/meta/recipes-devtools/perl/libmodule-build-perl_0.4229.bb
+++ b/meta/recipes-devtools/perl/libmodule-build-perl_0.4229.bb
@@ -36,7 +36,10 @@ do_patch[postfuncs] += "do_patch_module_build"
 do_install_ptest() {
 	cp -r ${B}/inc ${D}${PTEST_PATH}
 	cp -r ${B}/blib ${D}${PTEST_PATH}
+	cp -r ${B}/_build ${D}${PTEST_PATH}
+	cp -r ${B}/lib ${D}${PTEST_PATH}
 	chown -R root:root ${D}${PTEST_PATH}
+	sed -i -e "s,'perl' => .*,'perl' => '/usr/bin/perl'\,,g" ${D}${PTEST_PATH}/_build/build_params
 }
 
 RDEPENDS_${PN} += " \
diff --git a/meta/recipes-devtools/perl/perl-ptest.inc b/meta/recipes-devtools/perl/perl-ptest.inc
index 7152057762..98e3361fcc 100644
--- a/meta/recipes-devtools/perl/perl-ptest.inc
+++ b/meta/recipes-devtools/perl/perl-ptest.inc
@@ -42,6 +42,9 @@ do_install_ptest () {
 
 	 # Remove a useless timestamp...
 	 sed -i -e '/Autogenerated starting on/d' ${D}${PTEST_PATH}/lib/unicore/mktables.lst
+
+	 # Remove files with host-specific configuration for building native binaries
+	 rm ${D}${PTEST_PATH}/Makefile.config ${D}${PTEST_PATH}/xconfig.h ${D}${PTEST_PATH}/xconfig.sh
 }
 
 python populate_packages_prepend() {
diff --git a/meta/recipes-devtools/perl/perl_5.30.0.bb b/meta/recipes-devtools/perl/perl_5.30.1.bb
index ba2a8437d4..32746c7095 100644
--- a/meta/recipes-devtools/perl/perl_5.30.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.30.1.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://Copying;md5=5b122a36d0f6dc55279a0ebc69f3c60b \
 
 
 SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
-           https://github.com/arsv/perl-cross/releases/download/1.3/perl-cross-1.3.tar.gz;name=perl-cross \
+           https://github.com/arsv/perl-cross/releases/download/1.3.1/perl-cross-1.3.1.tar.gz;name=perl-cross \
            file://perl-rdepends.txt \
            file://0001-configure_tool.sh-do-not-quote-the-argument-to-comma.patch \
            file://0001-ExtUtils-MakeMaker-add-LDFLAGS-when-linking-binary-m.patch \
@@ -18,18 +18,23 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
            file://0001-perl-cross-add-LDFLAGS-when-linking-libperl.patch \
            file://perl-dynloader.patch \
            file://0001-configure_path.sh-do-not-hardcode-prefix-lib-as-libr.patch \
-           file://fix-setgroup.patch \
            file://0001-enc2xs-Add-environment-variable-to-suppress-comments.patch \
            file://0002-Constant-Fix-up-shebang.patch \
+           file://0001-tests-adjust-to-correctly-exclude-unbuilt-extensions.patch \
+           file://determinism.patch  \
+           file://racefix.patch \
            "
 SRC_URI_append_class-native = " \
            file://perl-configpm-switch.patch \
 "
+SRC_URI_append_class-target = " \
+           file://encodefix.patch \
+"
 
-SRC_URI[perl.md5sum] = "9770584cdf9b5631c38097645ce33549"
-SRC_URI[perl.sha256sum] = "851213c754d98ccff042caa40ba7a796b2cee88c5325f121be5cbb61bbf975f2"
-SRC_URI[perl-cross.md5sum] = "4dda3daf9c4fe42b3d6a5dd052852a48"
-SRC_URI[perl-cross.sha256sum] = "49edea1ea2cd6c5c47386ca71beda8d150c748835781354dbe7f75b1df27e703"
+SRC_URI[perl.md5sum] = "6438eb7b8db9bbde28e01086de376a46"
+SRC_URI[perl.sha256sum] = "bf3d25571ff1ee94186177c2cdef87867fd6a14aa5a84f0b1fb7bf798f42f964"
+SRC_URI[perl-cross.md5sum] = "1e463b105cfa56d251a86979af23e3a7"
+SRC_URI[perl-cross.sha256sum] = "edce0b0c2f725e2db3f203d6d8e9f3f7161256f5d1590551e40694f21200141d"
 
 S = "${WORKDIR}/perl-${PV}"
 
@@ -112,6 +117,14 @@ print(datetime.fromtimestamp($SOURCE_DATE_EPOCH, timezone.utc).strftime('%a %b %
 
 do_compile() {
     oe_runmake
+    # This isn't generated reliably so delete and re-generate.
+    # https://github.com/arsv/perl-cross/issues/86
+
+    if [ -e pod/perltoc.pod ]; then
+        bbnote Rebuilding perltoc.pod
+        rm -f pod/perltoc.pod
+        oe_runmake pod/perltoc.pod
+    fi
 }
 
 do_install() {
@@ -135,6 +148,9 @@ do_install_append_class-target() {
     # This is used to substitute target configuration when running native perl via perl-configpm-switch.patch
     ln -s Config_heavy.pl ${D}${libdir}/perl5/${PV}/${TARGET_ARCH}-linux/Config_heavy-target.pl
 
+    # This contains host-specific information used for building miniperl (a helper executable built with host compiler)
+    # and therefore isn't reproducible. I believe the file isn't actually needed on target.
+    rm ${D}${libdir}/perl5/${PV}/${TARGET_ARCH}-linux/CORE/xconfig.h
 }
 
 do_install_append_class-nativesdk() {
@@ -198,6 +214,7 @@ require perl-ptest.inc
 FILES_${PN} = "${bindir}/perl ${bindir}/perl.real ${bindir}/perl${PV} ${libdir}/libperl.so* \
                ${libdir}/perl5/site_perl \
                ${libdir}/perl5/${PV}/Config.pm \
+               ${libdir}/perl5/${PV}/${TARGET_ARCH}-linux/Config.pm \
                ${libdir}/perl5/${PV}/*/Config_git.pl \
                ${libdir}/perl5/${PV}/*/Config_heavy-target.pl \
                ${libdir}/perl5/config.sh \
@@ -206,6 +223,9 @@ FILES_${PN} = "${bindir}/perl ${bindir}/perl.real ${bindir}/perl${PV} ${libdir}/
                ${libdir}/perl5/${PV}/warnings \
                ${libdir}/perl5/${PV}/vars.pm \
                ${libdir}/perl5/site_perl \
+               ${libdir}/perl5/${PV}/ExtUtils/MANIFEST.SKIP \
+               ${libdir}/perl5/${PV}/ExtUtils/xsubpp \
+               ${libdir}/perl5/${PV}/ExtUtils/typemap \
                "
 RPROVIDES_${PN} += "perl-module-strict perl-module-vars perl-module-config perl-module-warnings \
                     perl-module-warnings-register"
@@ -216,9 +236,6 @@ FILES_${PN}-dev_append = " ${libdir}/perl5/${PV}/*/CORE"
 
 FILES_${PN}-doc_append = " ${libdir}/perl5/${PV}/Unicode/Collate/*.txt \
                            ${libdir}/perl5/${PV}/*/.packlist \
-                           ${libdir}/perl5/${PV}/ExtUtils/MANIFEST.SKIP \
-                           ${libdir}/perl5/${PV}/ExtUtils/xsubpp \
-                           ${libdir}/perl5/${PV}/ExtUtils/typemap \
                            ${libdir}/perl5/${PV}/Encode/encode.h \
                          "
 PACKAGES += "${PN}-misc"
diff --git a/meta/recipes-devtools/pseudo/pseudo.inc b/meta/recipes-devtools/pseudo/pseudo.inc
index 7ff8e449e9..50e30064bd 100644
--- a/meta/recipes-devtools/pseudo/pseudo.inc
+++ b/meta/recipes-devtools/pseudo/pseudo.inc
@@ -16,6 +16,7 @@ INSANE_SKIP_${PN}-dbg += "libdir"
 PROVIDES += "virtual/fakeroot"
 
 MAKEOPTS = ""
+MAKEOPTS_class-native = "'RPATH=-Wl,--rpath=XORIGIN/../../../sqlite3-native/usr/lib/'"
 
 inherit siteinfo pkgconfig
 
@@ -115,6 +116,7 @@ do_install () {
 }
 
 do_install_append_class-native () {
+	chrpath ${D}${bindir}/pseudo -r `chrpath ${D}${bindir}/pseudo | cut -d = -f 2 | sed s/XORIGIN/\\$ORIGIN/`
 	install -d ${D}${sysconfdir}
 	# The fallback files should never be modified
 	install -m 444 ${WORKDIR}/fallback-passwd ${D}${sysconfdir}/passwd
diff --git a/meta/recipes-devtools/python/python/python2-manifest.json b/meta/recipes-devtools/python/python/python2-manifest.json
index eb52e862ab..fd98774d00 100644
--- a/meta/recipes-devtools/python/python/python2-manifest.json
+++ b/meta/recipes-devtools/python/python/python2-manifest.json
@@ -267,6 +267,7 @@
             "${libdir}/python2.7/lib-dynload/xreadlines.so", 
             "${libdir}/python2.7/linecache.py", 
             "${libdir}/python2.7/new.py", 
+            "${libdir}/python2.7/ntpath.py",
             "${libdir}/python2.7/os.py", 
             "${libdir}/python2.7/platform.py", 
             "${libdir}/python2.7/posixpath.py", 
diff --git a/meta/recipes-devtools/python/python3_3.7.6.bb b/meta/recipes-devtools/python/python3_3.7.7.bb
index b33b7028d4..823eb2f8fd 100644
--- a/meta/recipes-devtools/python/python3_3.7.6.bb
+++ b/meta/recipes-devtools/python/python3_3.7.7.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.python.org"
 LICENSE = "PSFv2"
 SECTION = "devel/python"
 
-LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
 
 SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
            file://run-ptest \
@@ -38,8 +38,8 @@ SRC_URI_append_class-nativesdk = " \
            file://0001-main.c-if-OEPYTHON3HOME-is-set-use-instead-of-PYTHON.patch \
            "
 
-SRC_URI[md5sum] = "c08fbee72ad5c2c95b0f4e44bf6fd72c"
-SRC_URI[sha256sum] = "55a2cce72049f0794e9a11a84862e9039af9183603b78bc60d89539f82cf533f"
+SRC_URI[md5sum] = "172c650156f7bea68ce31b2fd01fa766"
+SRC_URI[sha256sum] = "06a0a9f1bf0d8cd1e4121194d666c4e28ddae4dd54346de6c343206599f02136"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index bb444b63d9..f451017f6d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,7 +29,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
            file://CVE-2019-15890.patch \
            file://CVE-2019-12068.patch \
-           "
+           file://CVE-2020-1711.patch \
+           file://CVE-2019-20382.patch \
+	   "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
 SRC_URI[md5sum] = "cdf2b5ca52b9abac9bacb5842fa420f8"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-20382.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-20382.patch
new file mode 100644
index 0000000000..183d100398
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-20382.patch
@@ -0,0 +1,1018 @@
+From 6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@163.com>
+Date: Sat, 31 Aug 2019 08:39:22 -0700
+Subject: [PATCH] vnc: fix memory leak when vnc disconnect
+
+Currently when qemu receives a vnc connect, it creates a 'VncState' to
+represent this connection. In 'vnc_worker_thread_loop' it creates a
+local 'VncState'. The connection 'VcnState' and local 'VncState' exchange
+data in 'vnc_async_encoding_start' and 'vnc_async_encoding_end'.
+In 'zrle_compress_data' it calls 'deflateInit2' to allocate the libz library
+opaque data. The 'VncState' used in 'zrle_compress_data' is the local
+'VncState'. In 'vnc_zrle_clear' it calls 'deflateEnd' to free the libz
+library opaque data. The 'VncState' used in 'vnc_zrle_clear' is the connection
+'VncState'. In currently implementation there will be a memory leak when the
+vnc disconnect. Following is the asan output backtrack:
+
+Direct leak of 29760 byte(s) in 5 object(s) allocated from:
+    0 0xffffa67ef3c3 in __interceptor_calloc (/lib64/libasan.so.4+0xd33c3)
+    1 0xffffa65071cb in g_malloc0 (/lib64/libglib-2.0.so.0+0x571cb)
+    2 0xffffa5e968f7 in deflateInit2_ (/lib64/libz.so.1+0x78f7)
+    3 0xaaaacec58613 in zrle_compress_data ui/vnc-enc-zrle.c:87
+    4 0xaaaacec58613 in zrle_send_framebuffer_update ui/vnc-enc-zrle.c:344
+    5 0xaaaacec34e77 in vnc_send_framebuffer_update ui/vnc.c:919
+    6 0xaaaacec5e023 in vnc_worker_thread_loop ui/vnc-jobs.c:271
+    7 0xaaaacec5e5e7 in vnc_worker_thread ui/vnc-jobs.c:340
+    8 0xaaaacee4d3c3 in qemu_thread_start util/qemu-thread-posix.c:502
+    9 0xffffa544e8bb in start_thread (/lib64/libpthread.so.0+0x78bb)
+    10 0xffffa53965cb in thread_start (/lib64/libc.so.6+0xd55cb)
+
+This is because the opaque allocated in 'deflateInit2' is not freed in
+'deflateEnd'. The reason is that the 'deflateEnd' calls 'deflateStateCheck'
+and in the latter will check whether 's->strm != strm'(libz's data structure).
+This check will be true so in 'deflateEnd' it just return 'Z_STREAM_ERROR' and
+not free the data allocated in 'deflateInit2'.
+
+The reason this happens is that the 'VncState' contains the whole 'VncZrle',
+so when calling 'deflateInit2', the 's->strm' will be the local address.
+So 's->strm != strm' will be true.
+
+To fix this issue, we need to make 'zrle' of 'VncState' to be a pointer.
+Then the connection 'VncState' and local 'VncState' exchange mechanism will
+work as expection. The 'tight' of 'VncState' has the same issue, let's also turn
+it to a pointer.
+
+Reported-by: Ying Fang <fangying1@huawei.com>
+Signed-off-by: Li Qiang <liq3ea@163.com>
+Message-id: 20190831153922.121308-1-liq3ea@163.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0]
+CVE: CVE-2019-20382
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+---
+ ui/vnc-enc-tight.c    | 219 +++++++++++++++++++++++++-------------------------
+ ui/vnc-enc-zlib.c     |  11 +--
+ ui/vnc-enc-zrle.c     |  68 ++++++++--------
+ ui/vnc-enc-zrle.inc.c |   2 +-
+ ui/vnc.c              |  28 ++++---
+ ui/vnc.h              |   4 +-
+ 6 files changed, 170 insertions(+), 162 deletions(-)
+
+diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
+index 9084c22..1e08518 100644
+--- a/ui/vnc-enc-tight.c
++++ b/ui/vnc-enc-tight.c
+@@ -116,7 +116,7 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
+ 
+ static bool tight_can_send_png_rect(VncState *vs, int w, int h)
+ {
+-    if (vs->tight.type != VNC_ENCODING_TIGHT_PNG) {
++    if (vs->tight->type != VNC_ENCODING_TIGHT_PNG) {
+         return false;
+     }
+ 
+@@ -144,7 +144,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h)
+     int pixels = 0;
+     int pix, left[3];
+     unsigned int errors;
+-    unsigned char *buf = vs->tight.tight.buffer;
++    unsigned char *buf = vs->tight->tight.buffer;
+ 
+     /*
+      * If client is big-endian, color samples begin from the second
+@@ -215,7 +215,7 @@ tight_detect_smooth_image24(VncState *vs, int w, int h)
+         int pixels = 0;                                                 \
+         int sample, sum, left[3];                                       \
+         unsigned int errors;                                            \
+-        unsigned char *buf = vs->tight.tight.buffer;                    \
++        unsigned char *buf = vs->tight->tight.buffer;                    \
+                                                                         \
+         endian = 0; /* FIXME */                                         \
+                                                                         \
+@@ -296,8 +296,8 @@ static int
+ tight_detect_smooth_image(VncState *vs, int w, int h)
+ {
+     unsigned int errors;
+-    int compression = vs->tight.compression;
+-    int quality = vs->tight.quality;
++    int compression = vs->tight->compression;
++    int quality = vs->tight->quality;
+ 
+     if (!vs->vd->lossy) {
+         return 0;
+@@ -309,7 +309,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
+         return 0;
+     }
+ 
+-    if (vs->tight.quality != (uint8_t)-1) {
++    if (vs->tight->quality != (uint8_t)-1) {
+         if (w * h < VNC_TIGHT_JPEG_MIN_RECT_SIZE) {
+             return 0;
+         }
+@@ -320,9 +320,9 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
+     }
+ 
+     if (vs->client_pf.bytes_per_pixel == 4) {
+-        if (vs->tight.pixel24) {
++        if (vs->tight->pixel24) {
+             errors = tight_detect_smooth_image24(vs, w, h);
+-            if (vs->tight.quality != (uint8_t)-1) {
++            if (vs->tight->quality != (uint8_t)-1) {
+                 return (errors < tight_conf[quality].jpeg_threshold24);
+             }
+             return (errors < tight_conf[compression].gradient_threshold24);
+@@ -352,7 +352,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
+         uint##bpp##_t c0, c1, ci;                                       \
+         int i, n0, n1;                                                  \
+                                                                         \
+-        data = (uint##bpp##_t *)vs->tight.tight.buffer;                 \
++        data = (uint##bpp##_t *)vs->tight->tight.buffer;                \
+                                                                         \
+         c0 = data[0];                                                   \
+         i = 1;                                                          \
+@@ -423,9 +423,9 @@ static int tight_fill_palette(VncState *vs, int x, int y,
+ {
+     int max;
+ 
+-    max = count / tight_conf[vs->tight.compression].idx_max_colors_divisor;
++    max = count / tight_conf[vs->tight->compression].idx_max_colors_divisor;
+     if (max < 2 &&
+-        count >= tight_conf[vs->tight.compression].mono_min_rect_size) {
++        count >= tight_conf[vs->tight->compression].mono_min_rect_size) {
+         max = 2;
+     }
+     if (max >= 256) {
+@@ -558,7 +558,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
+     int x, y, c;
+ 
+     buf32 = (uint32_t *)buf;
+-    memset(vs->tight.gradient.buffer, 0, w * 3 * sizeof(int));
++    memset(vs->tight->gradient.buffer, 0, w * 3 * sizeof(int));
+ 
+     if (1 /* FIXME */) {
+         shift[0] = vs->client_pf.rshift;
+@@ -575,7 +575,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
+             upper[c] = 0;
+             here[c] = 0;
+         }
+-        prev = (int *)vs->tight.gradient.buffer;
++        prev = (int *)vs->tight->gradient.buffer;
+         for (x = 0; x < w; x++) {
+             pix32 = *buf32++;
+             for (c = 0; c < 3; c++) {
+@@ -615,7 +615,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
+         int prediction;                                                 \
+         int x, y, c;                                                    \
+                                                                         \
+-        memset (vs->tight.gradient.buffer, 0, w * 3 * sizeof(int));     \
++        memset(vs->tight->gradient.buffer, 0, w * 3 * sizeof(int));     \
+                                                                         \
+         endian = 0; /* FIXME */                                         \
+                                                                         \
+@@ -631,7 +631,7 @@ tight_filter_gradient24(VncState *vs, uint8_t *buf, int w, int h)
+                 upper[c] = 0;                                           \
+                 here[c] = 0;                                            \
+             }                                                           \
+-            prev = (int *)vs->tight.gradient.buffer;                    \
++            prev = (int *)vs->tight->gradient.buffer;                    \
+             for (x = 0; x < w; x++) {                                   \
+                 pix = *buf;                                             \
+                 if (endian) {                                           \
+@@ -785,7 +785,7 @@ static void extend_solid_area(VncState *vs, int x, int y, int w, int h,
+ static int tight_init_stream(VncState *vs, int stream_id,
+                              int level, int strategy)
+ {
+-    z_streamp zstream = &vs->tight.stream[stream_id];
++    z_streamp zstream = &vs->tight->stream[stream_id];
+ 
+     if (zstream->opaque == NULL) {
+         int err;
+@@ -803,15 +803,15 @@ static int tight_init_stream(VncState *vs, int stream_id,
+             return -1;
+         }
+ 
+-        vs->tight.levels[stream_id] = level;
++        vs->tight->levels[stream_id] = level;
+         zstream->opaque = vs;
+     }
+ 
+-    if (vs->tight.levels[stream_id] != level) {
++    if (vs->tight->levels[stream_id] != level) {
+         if (deflateParams(zstream, level, strategy) != Z_OK) {
+             return -1;
+         }
+-        vs->tight.levels[stream_id] = level;
++        vs->tight->levels[stream_id] = level;
+     }
+     return 0;
+ }
+@@ -839,11 +839,11 @@ static void tight_send_compact_size(VncState *vs, size_t len)
+ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes,
+                                int level, int strategy)
+ {
+-    z_streamp zstream = &vs->tight.stream[stream_id];
++    z_streamp zstream = &vs->tight->stream[stream_id];
+     int previous_out;
+ 
+     if (bytes < VNC_TIGHT_MIN_TO_COMPRESS) {
+-        vnc_write(vs, vs->tight.tight.buffer, vs->tight.tight.offset);
++        vnc_write(vs, vs->tight->tight.buffer, vs->tight->tight.offset);
+         return bytes;
+     }
+ 
+@@ -852,13 +852,13 @@ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes,
+     }
+ 
+     /* reserve memory in output buffer */
+-    buffer_reserve(&vs->tight.zlib, bytes + 64);
++    buffer_reserve(&vs->tight->zlib, bytes + 64);
+ 
+     /* set pointers */
+-    zstream->next_in = vs->tight.tight.buffer;
+-    zstream->avail_in = vs->tight.tight.offset;
+-    zstream->next_out = vs->tight.zlib.buffer + vs->tight.zlib.offset;
+-    zstream->avail_out = vs->tight.zlib.capacity - vs->tight.zlib.offset;
++    zstream->next_in = vs->tight->tight.buffer;
++    zstream->avail_in = vs->tight->tight.offset;
++    zstream->next_out = vs->tight->zlib.buffer + vs->tight->zlib.offset;
++    zstream->avail_out = vs->tight->zlib.capacity - vs->tight->zlib.offset;
+     previous_out = zstream->avail_out;
+     zstream->data_type = Z_BINARY;
+ 
+@@ -868,14 +868,14 @@ static int tight_compress_data(VncState *vs, int stream_id, size_t bytes,
+         return -1;
+     }
+ 
+-    vs->tight.zlib.offset = vs->tight.zlib.capacity - zstream->avail_out;
++    vs->tight->zlib.offset = vs->tight->zlib.capacity - zstream->avail_out;
+     /* ...how much data has actually been produced by deflate() */
+     bytes = previous_out - zstream->avail_out;
+ 
+     tight_send_compact_size(vs, bytes);
+-    vnc_write(vs, vs->tight.zlib.buffer, bytes);
++    vnc_write(vs, vs->tight->zlib.buffer, bytes);
+ 
+-    buffer_reset(&vs->tight.zlib);
++    buffer_reset(&vs->tight->zlib);
+ 
+     return bytes;
+ }
+@@ -927,16 +927,17 @@ static int send_full_color_rect(VncState *vs, int x, int y, int w, int h)
+ 
+     vnc_write_u8(vs, stream << 4); /* no flushing, no filter */
+ 
+-    if (vs->tight.pixel24) {
+-        tight_pack24(vs, vs->tight.tight.buffer, w * h, &vs->tight.tight.offset);
++    if (vs->tight->pixel24) {
++        tight_pack24(vs, vs->tight->tight.buffer, w * h,
++                     &vs->tight->tight.offset);
+         bytes = 3;
+     } else {
+         bytes = vs->client_pf.bytes_per_pixel;
+     }
+ 
+     bytes = tight_compress_data(vs, stream, w * h * bytes,
+-                                tight_conf[vs->tight.compression].raw_zlib_level,
+-                                Z_DEFAULT_STRATEGY);
++                            tight_conf[vs->tight->compression].raw_zlib_level,
++                            Z_DEFAULT_STRATEGY);
+ 
+     return (bytes >= 0);
+ }
+@@ -947,14 +948,14 @@ static int send_solid_rect(VncState *vs)
+ 
+     vnc_write_u8(vs, VNC_TIGHT_FILL << 4); /* no flushing, no filter */
+ 
+-    if (vs->tight.pixel24) {
+-        tight_pack24(vs, vs->tight.tight.buffer, 1, &vs->tight.tight.offset);
++    if (vs->tight->pixel24) {
++        tight_pack24(vs, vs->tight->tight.buffer, 1, &vs->tight->tight.offset);
+         bytes = 3;
+     } else {
+         bytes = vs->client_pf.bytes_per_pixel;
+     }
+ 
+-    vnc_write(vs, vs->tight.tight.buffer, bytes);
++    vnc_write(vs, vs->tight->tight.buffer, bytes);
+     return 1;
+ }
+ 
+@@ -963,7 +964,7 @@ static int send_mono_rect(VncState *vs, int x, int y,
+ {
+     ssize_t bytes;
+     int stream = 1;
+-    int level = tight_conf[vs->tight.compression].mono_zlib_level;
++    int level = tight_conf[vs->tight->compression].mono_zlib_level;
+ 
+ #ifdef CONFIG_VNC_PNG
+     if (tight_can_send_png_rect(vs, w, h)) {
+@@ -991,26 +992,26 @@ static int send_mono_rect(VncState *vs, int x, int y,
+         uint32_t buf[2] = {bg, fg};
+         size_t ret = sizeof (buf);
+ 
+-        if (vs->tight.pixel24) {
++        if (vs->tight->pixel24) {
+             tight_pack24(vs, (unsigned char*)buf, 2, &ret);
+         }
+         vnc_write(vs, buf, ret);
+ 
+-        tight_encode_mono_rect32(vs->tight.tight.buffer, w, h, bg, fg);
++        tight_encode_mono_rect32(vs->tight->tight.buffer, w, h, bg, fg);
+         break;
+     }
+     case 2:
+         vnc_write(vs, &bg, 2);
+         vnc_write(vs, &fg, 2);
+-        tight_encode_mono_rect16(vs->tight.tight.buffer, w, h, bg, fg);
++        tight_encode_mono_rect16(vs->tight->tight.buffer, w, h, bg, fg);
+         break;
+     default:
+         vnc_write_u8(vs, bg);
+         vnc_write_u8(vs, fg);
+-        tight_encode_mono_rect8(vs->tight.tight.buffer, w, h, bg, fg);
++        tight_encode_mono_rect8(vs->tight->tight.buffer, w, h, bg, fg);
+         break;
+     }
+-    vs->tight.tight.offset = bytes;
++    vs->tight->tight.offset = bytes;
+ 
+     bytes = tight_compress_data(vs, stream, bytes, level, Z_DEFAULT_STRATEGY);
+     return (bytes >= 0);
+@@ -1040,7 +1041,7 @@ static void write_palette(int idx, uint32_t color, void *opaque)
+ static bool send_gradient_rect(VncState *vs, int x, int y, int w, int h)
+ {
+     int stream = 3;
+-    int level = tight_conf[vs->tight.compression].gradient_zlib_level;
++    int level = tight_conf[vs->tight->compression].gradient_zlib_level;
+     ssize_t bytes;
+ 
+     if (vs->client_pf.bytes_per_pixel == 1) {
+@@ -1050,23 +1051,23 @@ static bool send_gradient_rect(VncState *vs, int x, int y, int w, int h)
+     vnc_write_u8(vs, (stream | VNC_TIGHT_EXPLICIT_FILTER) << 4);
+     vnc_write_u8(vs, VNC_TIGHT_FILTER_GRADIENT);
+ 
+-    buffer_reserve(&vs->tight.gradient, w * 3 * sizeof (int));
++    buffer_reserve(&vs->tight->gradient, w * 3 * sizeof(int));
+ 
+-    if (vs->tight.pixel24) {
+-        tight_filter_gradient24(vs, vs->tight.tight.buffer, w, h);
++    if (vs->tight->pixel24) {
++        tight_filter_gradient24(vs, vs->tight->tight.buffer, w, h);
+         bytes = 3;
+     } else if (vs->client_pf.bytes_per_pixel == 4) {
+-        tight_filter_gradient32(vs, (uint32_t *)vs->tight.tight.buffer, w, h);
++        tight_filter_gradient32(vs, (uint32_t *)vs->tight->tight.buffer, w, h);
+         bytes = 4;
+     } else {
+-        tight_filter_gradient16(vs, (uint16_t *)vs->tight.tight.buffer, w, h);
++        tight_filter_gradient16(vs, (uint16_t *)vs->tight->tight.buffer, w, h);
+         bytes = 2;
+     }
+ 
+-    buffer_reset(&vs->tight.gradient);
++    buffer_reset(&vs->tight->gradient);
+ 
+     bytes = w * h * bytes;
+-    vs->tight.tight.offset = bytes;
++    vs->tight->tight.offset = bytes;
+ 
+     bytes = tight_compress_data(vs, stream, bytes,
+                                 level, Z_FILTERED);
+@@ -1077,7 +1078,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
+                              int w, int h, VncPalette *palette)
+ {
+     int stream = 2;
+-    int level = tight_conf[vs->tight.compression].idx_zlib_level;
++    int level = tight_conf[vs->tight->compression].idx_zlib_level;
+     int colors;
+     ssize_t bytes;
+ 
+@@ -1104,12 +1105,12 @@ static int send_palette_rect(VncState *vs, int x, int y,
+         palette_iter(palette, write_palette, &priv);
+         vnc_write(vs, header, sizeof(header));
+ 
+-        if (vs->tight.pixel24) {
++        if (vs->tight->pixel24) {
+             tight_pack24(vs, vs->output.buffer + old_offset, colors, &offset);
+             vs->output.offset = old_offset + offset;
+         }
+ 
+-        tight_encode_indexed_rect32(vs->tight.tight.buffer, w * h, palette);
++        tight_encode_indexed_rect32(vs->tight->tight.buffer, w * h, palette);
+         break;
+     }
+     case 2:
+@@ -1119,7 +1120,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
+ 
+         palette_iter(palette, write_palette, &priv);
+         vnc_write(vs, header, sizeof(header));
+-        tight_encode_indexed_rect16(vs->tight.tight.buffer, w * h, palette);
++        tight_encode_indexed_rect16(vs->tight->tight.buffer, w * h, palette);
+         break;
+     }
+     default:
+@@ -1127,7 +1128,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
+         break;
+     }
+     bytes = w * h;
+-    vs->tight.tight.offset = bytes;
++    vs->tight->tight.offset = bytes;
+ 
+     bytes = tight_compress_data(vs, stream, bytes,
+                                 level, Z_DEFAULT_STRATEGY);
+@@ -1146,7 +1147,7 @@ static int send_palette_rect(VncState *vs, int x, int y,
+ static void jpeg_init_destination(j_compress_ptr cinfo)
+ {
+     VncState *vs = cinfo->client_data;
+-    Buffer *buffer = &vs->tight.jpeg;
++    Buffer *buffer = &vs->tight->jpeg;
+ 
+     cinfo->dest->next_output_byte = (JOCTET *)buffer->buffer + buffer->offset;
+     cinfo->dest->free_in_buffer = (size_t)(buffer->capacity - buffer->offset);
+@@ -1156,7 +1157,7 @@ static void jpeg_init_destination(j_compress_ptr cinfo)
+ static boolean jpeg_empty_output_buffer(j_compress_ptr cinfo)
+ {
+     VncState *vs = cinfo->client_data;
+-    Buffer *buffer = &vs->tight.jpeg;
++    Buffer *buffer = &vs->tight->jpeg;
+ 
+     buffer->offset = buffer->capacity;
+     buffer_reserve(buffer, 2048);
+@@ -1168,7 +1169,7 @@ static boolean jpeg_empty_output_buffer(j_compress_ptr cinfo)
+ static void jpeg_term_destination(j_compress_ptr cinfo)
+ {
+     VncState *vs = cinfo->client_data;
+-    Buffer *buffer = &vs->tight.jpeg;
++    Buffer *buffer = &vs->tight->jpeg;
+ 
+     buffer->offset = buffer->capacity - cinfo->dest->free_in_buffer;
+ }
+@@ -1187,7 +1188,7 @@ static int send_jpeg_rect(VncState *vs, int x, int y, int w, int h, int quality)
+         return send_full_color_rect(vs, x, y, w, h);
+     }
+ 
+-    buffer_reserve(&vs->tight.jpeg, 2048);
++    buffer_reserve(&vs->tight->jpeg, 2048);
+ 
+     cinfo.err = jpeg_std_error(&jerr);
+     jpeg_create_compress(&cinfo);
+@@ -1222,9 +1223,9 @@ static int send_jpeg_rect(VncState *vs, int x, int y, int w, int h, int quality)
+ 
+     vnc_write_u8(vs, VNC_TIGHT_JPEG << 4);
+ 
+-    tight_send_compact_size(vs, vs->tight.jpeg.offset);
+-    vnc_write(vs, vs->tight.jpeg.buffer, vs->tight.jpeg.offset);
+-    buffer_reset(&vs->tight.jpeg);
++    tight_send_compact_size(vs, vs->tight->jpeg.offset);
++    vnc_write(vs, vs->tight->jpeg.buffer, vs->tight->jpeg.offset);
++    buffer_reset(&vs->tight->jpeg);
+ 
+     return 1;
+ }
+@@ -1240,7 +1241,7 @@ static void write_png_palette(int idx, uint32_t pix, void *opaque)
+     VncState *vs = priv->vs;
+     png_colorp color = &priv->png_palette[idx];
+ 
+-    if (vs->tight.pixel24)
++    if (vs->tight->pixel24)
+     {
+         color->red = (pix >> vs->client_pf.rshift) & vs->client_pf.rmax;
+         color->green = (pix >> vs->client_pf.gshift) & vs->client_pf.gmax;
+@@ -1267,10 +1268,10 @@ static void png_write_data(png_structp png_ptr, png_bytep data,
+ {
+     VncState *vs = png_get_io_ptr(png_ptr);
+ 
+-    buffer_reserve(&vs->tight.png, vs->tight.png.offset + length);
+-    memcpy(vs->tight.png.buffer + vs->tight.png.offset, data, length);
++    buffer_reserve(&vs->tight->png, vs->tight->png.offset + length);
++    memcpy(vs->tight->png.buffer + vs->tight->png.offset, data, length);
+ 
+-    vs->tight.png.offset += length;
++    vs->tight->png.offset += length;
+ }
+ 
+ static void png_flush_data(png_structp png_ptr)
+@@ -1295,8 +1296,8 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
+     png_infop info_ptr;
+     png_colorp png_palette = NULL;
+     pixman_image_t *linebuf;
+-    int level = tight_png_conf[vs->tight.compression].png_zlib_level;
+-    int filters = tight_png_conf[vs->tight.compression].png_filters;
++    int level = tight_png_conf[vs->tight->compression].png_zlib_level;
++    int filters = tight_png_conf[vs->tight->compression].png_filters;
+     uint8_t *buf;
+     int dy;
+ 
+@@ -1340,21 +1341,23 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
+         png_set_PLTE(png_ptr, info_ptr, png_palette, palette_size(palette));
+ 
+         if (vs->client_pf.bytes_per_pixel == 4) {
+-            tight_encode_indexed_rect32(vs->tight.tight.buffer, w * h, palette);
++            tight_encode_indexed_rect32(vs->tight->tight.buffer, w * h,
++                                        palette);
+         } else {
+-            tight_encode_indexed_rect16(vs->tight.tight.buffer, w * h, palette);
++            tight_encode_indexed_rect16(vs->tight->tight.buffer, w * h,
++                                        palette);
+         }
+     }
+ 
+     png_write_info(png_ptr, info_ptr);
+ 
+-    buffer_reserve(&vs->tight.png, 2048);
++    buffer_reserve(&vs->tight->png, 2048);
+     linebuf = qemu_pixman_linebuf_create(PIXMAN_BE_r8g8b8, w);
+     buf = (uint8_t *)pixman_image_get_data(linebuf);
+     for (dy = 0; dy < h; dy++)
+     {
+         if (color_type == PNG_COLOR_TYPE_PALETTE) {
+-            memcpy(buf, vs->tight.tight.buffer + (dy * w), w);
++            memcpy(buf, vs->tight->tight.buffer + (dy * w), w);
+         } else {
+             qemu_pixman_linebuf_fill(linebuf, vs->vd->server, w, x, y + dy);
+         }
+@@ -1372,27 +1375,27 @@ static int send_png_rect(VncState *vs, int x, int y, int w, int h,
+ 
+     vnc_write_u8(vs, VNC_TIGHT_PNG << 4);
+ 
+-    tight_send_compact_size(vs, vs->tight.png.offset);
+-    vnc_write(vs, vs->tight.png.buffer, vs->tight.png.offset);
+-    buffer_reset(&vs->tight.png);
++    tight_send_compact_size(vs, vs->tight->png.offset);
++    vnc_write(vs, vs->tight->png.buffer, vs->tight->png.offset);
++    buffer_reset(&vs->tight->png);
+     return 1;
+ }
+ #endif /* CONFIG_VNC_PNG */
+ 
+ static void vnc_tight_start(VncState *vs)
+ {
+-    buffer_reset(&vs->tight.tight);
++    buffer_reset(&vs->tight->tight);
+ 
+     // make the output buffer be the zlib buffer, so we can compress it later
+-    vs->tight.tmp = vs->output;
+-    vs->output = vs->tight.tight;
++    vs->tight->tmp = vs->output;
++    vs->output = vs->tight->tight;
+ }
+ 
+ static void vnc_tight_stop(VncState *vs)
+ {
+     // switch back to normal output/zlib buffers
+-    vs->tight.tight = vs->output;
+-    vs->output = vs->tight.tmp;
++    vs->tight->tight = vs->output;
++    vs->output = vs->tight->tmp;
+ }
+ 
+ static int send_sub_rect_nojpeg(VncState *vs, int x, int y, int w, int h,
+@@ -1426,9 +1429,9 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
+     int ret;
+ 
+     if (colors == 0) {
+-        if (force || (tight_jpeg_conf[vs->tight.quality].jpeg_full &&
++        if (force || (tight_jpeg_conf[vs->tight->quality].jpeg_full &&
+                       tight_detect_smooth_image(vs, w, h))) {
+-            int quality = tight_conf[vs->tight.quality].jpeg_quality;
++            int quality = tight_conf[vs->tight->quality].jpeg_quality;
+ 
+             ret = send_jpeg_rect(vs, x, y, w, h, quality);
+         } else {
+@@ -1440,9 +1443,9 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
+         ret = send_mono_rect(vs, x, y, w, h, bg, fg);
+     } else if (colors <= 256) {
+         if (force || (colors > 96 &&
+-                      tight_jpeg_conf[vs->tight.quality].jpeg_idx &&
++                      tight_jpeg_conf[vs->tight->quality].jpeg_idx &&
+                       tight_detect_smooth_image(vs, w, h))) {
+-            int quality = tight_conf[vs->tight.quality].jpeg_quality;
++            int quality = tight_conf[vs->tight->quality].jpeg_quality;
+ 
+             ret = send_jpeg_rect(vs, x, y, w, h, quality);
+         } else {
+@@ -1480,20 +1483,20 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+         qemu_thread_atexit_add(&vnc_tight_cleanup_notifier);
+     }
+ 
+-    vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type);
++    vnc_framebuffer_update(vs, x, y, w, h, vs->tight->type);
+ 
+     vnc_tight_start(vs);
+     vnc_raw_send_framebuffer_update(vs, x, y, w, h);
+     vnc_tight_stop(vs);
+ 
+ #ifdef CONFIG_VNC_JPEG
+-    if (!vs->vd->non_adaptive && vs->tight.quality != (uint8_t)-1) {
++    if (!vs->vd->non_adaptive && vs->tight->quality != (uint8_t)-1) {
+         double freq = vnc_update_freq(vs, x, y, w, h);
+ 
+-        if (freq < tight_jpeg_conf[vs->tight.quality].jpeg_freq_min) {
++        if (freq < tight_jpeg_conf[vs->tight->quality].jpeg_freq_min) {
+             allow_jpeg = false;
+         }
+-        if (freq >= tight_jpeg_conf[vs->tight.quality].jpeg_freq_threshold) {
++        if (freq >= tight_jpeg_conf[vs->tight->quality].jpeg_freq_threshold) {
+             force_jpeg = true;
+             vnc_sent_lossy_rect(vs, x, y, w, h);
+         }
+@@ -1503,7 +1506,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+     colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, color_count_palette);
+ 
+ #ifdef CONFIG_VNC_JPEG
+-    if (allow_jpeg && vs->tight.quality != (uint8_t)-1) {
++    if (allow_jpeg && vs->tight->quality != (uint8_t)-1) {
+         ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors,
+                                  color_count_palette, force_jpeg);
+     } else {
+@@ -1520,7 +1523,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
+ 
+ static int send_sub_rect_solid(VncState *vs, int x, int y, int w, int h)
+ {
+-    vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type);
++    vnc_framebuffer_update(vs, x, y, w, h, vs->tight->type);
+ 
+     vnc_tight_start(vs);
+     vnc_raw_send_framebuffer_update(vs, x, y, w, h);
+@@ -1538,8 +1541,8 @@ static int send_rect_simple(VncState *vs, int x, int y, int w, int h,
+     int rw, rh;
+     int n = 0;
+ 
+-    max_size = tight_conf[vs->tight.compression].max_rect_size;
+-    max_width = tight_conf[vs->tight.compression].max_rect_width;
++    max_size = tight_conf[vs->tight->compression].max_rect_size;
++    max_width = tight_conf[vs->tight->compression].max_rect_width;
+ 
+     if (split && (w > max_width || w * h > max_size)) {
+         max_sub_width = (w > max_width) ? max_width : w;
+@@ -1648,16 +1651,16 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y,
+ 
+     if (vs->client_pf.bytes_per_pixel == 4 && vs->client_pf.rmax == 0xFF &&
+         vs->client_pf.bmax == 0xFF && vs->client_pf.gmax == 0xFF) {
+-        vs->tight.pixel24 = true;
++        vs->tight->pixel24 = true;
+     } else {
+-        vs->tight.pixel24 = false;
++        vs->tight->pixel24 = false;
+     }
+ 
+ #ifdef CONFIG_VNC_JPEG
+-    if (vs->tight.quality != (uint8_t)-1) {
++    if (vs->tight->quality != (uint8_t)-1) {
+         double freq = vnc_update_freq(vs, x, y, w, h);
+ 
+-        if (freq > tight_jpeg_conf[vs->tight.quality].jpeg_freq_threshold) {
++        if (freq > tight_jpeg_conf[vs->tight->quality].jpeg_freq_threshold) {
+             return send_rect_simple(vs, x, y, w, h, false);
+         }
+     }
+@@ -1669,8 +1672,8 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y,
+ 
+     /* Calculate maximum number of rows in one non-solid rectangle. */
+ 
+-    max_rows = tight_conf[vs->tight.compression].max_rect_size;
+-    max_rows /= MIN(tight_conf[vs->tight.compression].max_rect_width, w);
++    max_rows = tight_conf[vs->tight->compression].max_rect_size;
++    max_rows /= MIN(tight_conf[vs->tight->compression].max_rect_width, w);
+ 
+     return find_large_solid_color_rect(vs, x, y, w, h, max_rows);
+ }
+@@ -1678,33 +1681,33 @@ static int tight_send_framebuffer_update(VncState *vs, int x, int y,
+ int vnc_tight_send_framebuffer_update(VncState *vs, int x, int y,
+                                       int w, int h)
+ {
+-    vs->tight.type = VNC_ENCODING_TIGHT;
++    vs->tight->type = VNC_ENCODING_TIGHT;
+     return tight_send_framebuffer_update(vs, x, y, w, h);
+ }
+ 
+ int vnc_tight_png_send_framebuffer_update(VncState *vs, int x, int y,
+                                           int w, int h)
+ {
+-    vs->tight.type = VNC_ENCODING_TIGHT_PNG;
++    vs->tight->type = VNC_ENCODING_TIGHT_PNG;
+     return tight_send_framebuffer_update(vs, x, y, w, h);
+ }
+ 
+ void vnc_tight_clear(VncState *vs)
+ {
+     int i;
+-    for (i=0; i<ARRAY_SIZE(vs->tight.stream); i++) {
+-        if (vs->tight.stream[i].opaque) {
+-            deflateEnd(&vs->tight.stream[i]);
++    for (i = 0; i < ARRAY_SIZE(vs->tight->stream); i++) {
++        if (vs->tight->stream[i].opaque) {
++            deflateEnd(&vs->tight->stream[i]);
+         }
+     }
+ 
+-    buffer_free(&vs->tight.tight);
+-    buffer_free(&vs->tight.zlib);
+-    buffer_free(&vs->tight.gradient);
++    buffer_free(&vs->tight->tight);
++    buffer_free(&vs->tight->zlib);
++    buffer_free(&vs->tight->gradient);
+ #ifdef CONFIG_VNC_JPEG
+-    buffer_free(&vs->tight.jpeg);
++    buffer_free(&vs->tight->jpeg);
+ #endif
+ #ifdef CONFIG_VNC_PNG
+-    buffer_free(&vs->tight.png);
++    buffer_free(&vs->tight->png);
+ #endif
+ }
+diff --git a/ui/vnc-enc-zlib.c b/ui/vnc-enc-zlib.c
+index 33e9df2..900ae5b 100644
+--- a/ui/vnc-enc-zlib.c
++++ b/ui/vnc-enc-zlib.c
+@@ -76,7 +76,8 @@ static int vnc_zlib_stop(VncState *vs)
+         zstream->zalloc = vnc_zlib_zalloc;
+         zstream->zfree = vnc_zlib_zfree;
+ 
+-        err = deflateInit2(zstream, vs->tight.compression, Z_DEFLATED, MAX_WBITS,
++        err = deflateInit2(zstream, vs->tight->compression, Z_DEFLATED,
++                           MAX_WBITS,
+                            MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY);
+ 
+         if (err != Z_OK) {
+@@ -84,16 +85,16 @@ static int vnc_zlib_stop(VncState *vs)
+             return -1;
+         }
+ 
+-        vs->zlib.level = vs->tight.compression;
++        vs->zlib.level = vs->tight->compression;
+         zstream->opaque = vs;
+     }
+ 
+-    if (vs->tight.compression != vs->zlib.level) {
+-        if (deflateParams(zstream, vs->tight.compression,
++    if (vs->tight->compression != vs->zlib.level) {
++        if (deflateParams(zstream, vs->tight->compression,
+                           Z_DEFAULT_STRATEGY) != Z_OK) {
+             return -1;
+         }
+-        vs->zlib.level = vs->tight.compression;
++        vs->zlib.level = vs->tight->compression;
+     }
+ 
+     // reserve memory in output buffer
+diff --git a/ui/vnc-enc-zrle.c b/ui/vnc-enc-zrle.c
+index 7493a84..17fd28a 100644
+--- a/ui/vnc-enc-zrle.c
++++ b/ui/vnc-enc-zrle.c
+@@ -37,18 +37,18 @@ static const int bits_per_packed_pixel[] = {
+ 
+ static void vnc_zrle_start(VncState *vs)
+ {
+-    buffer_reset(&vs->zrle.zrle);
++    buffer_reset(&vs->zrle->zrle);
+ 
+     /* make the output buffer be the zlib buffer, so we can compress it later */
+-    vs->zrle.tmp = vs->output;
+-    vs->output = vs->zrle.zrle;
++    vs->zrle->tmp = vs->output;
++    vs->output = vs->zrle->zrle;
+ }
+ 
+ static void vnc_zrle_stop(VncState *vs)
+ {
+     /* switch back to normal output/zlib buffers */
+-    vs->zrle.zrle = vs->output;
+-    vs->output = vs->zrle.tmp;
++    vs->zrle->zrle = vs->output;
++    vs->output = vs->zrle->tmp;
+ }
+ 
+ static void *zrle_convert_fb(VncState *vs, int x, int y, int w, int h,
+@@ -56,24 +56,24 @@ static void *zrle_convert_fb(VncState *vs, int x, int y, int w, int h,
+ {
+     Buffer tmp;
+ 
+-    buffer_reset(&vs->zrle.fb);
+-    buffer_reserve(&vs->zrle.fb, w * h * bpp + bpp);
++    buffer_reset(&vs->zrle->fb);
++    buffer_reserve(&vs->zrle->fb, w * h * bpp + bpp);
+ 
+     tmp = vs->output;
+-    vs->output = vs->zrle.fb;
++    vs->output = vs->zrle->fb;
+ 
+     vnc_raw_send_framebuffer_update(vs, x, y, w, h);
+ 
+-    vs->zrle.fb = vs->output;
++    vs->zrle->fb = vs->output;
+     vs->output = tmp;
+-    return vs->zrle.fb.buffer;
++    return vs->zrle->fb.buffer;
+ }
+ 
+ static int zrle_compress_data(VncState *vs, int level)
+ {
+-    z_streamp zstream = &vs->zrle.stream;
++    z_streamp zstream = &vs->zrle->stream;
+ 
+-    buffer_reset(&vs->zrle.zlib);
++    buffer_reset(&vs->zrle->zlib);
+ 
+     if (zstream->opaque != vs) {
+         int err;
+@@ -93,13 +93,13 @@ static int zrle_compress_data(VncState *vs, int level)
+     }
+ 
+     /* reserve memory in output buffer */
+-    buffer_reserve(&vs->zrle.zlib, vs->zrle.zrle.offset + 64);
++    buffer_reserve(&vs->zrle->zlib, vs->zrle->zrle.offset + 64);
+ 
+     /* set pointers */
+-    zstream->next_in = vs->zrle.zrle.buffer;
+-    zstream->avail_in = vs->zrle.zrle.offset;
+-    zstream->next_out = vs->zrle.zlib.buffer + vs->zrle.zlib.offset;
+-    zstream->avail_out = vs->zrle.zlib.capacity - vs->zrle.zlib.offset;
++    zstream->next_in = vs->zrle->zrle.buffer;
++    zstream->avail_in = vs->zrle->zrle.offset;
++    zstream->next_out = vs->zrle->zlib.buffer + vs->zrle->zlib.offset;
++    zstream->avail_out = vs->zrle->zlib.capacity - vs->zrle->zlib.offset;
+     zstream->data_type = Z_BINARY;
+ 
+     /* start encoding */
+@@ -108,8 +108,8 @@ static int zrle_compress_data(VncState *vs, int level)
+         return -1;
+     }
+ 
+-    vs->zrle.zlib.offset = vs->zrle.zlib.capacity - zstream->avail_out;
+-    return vs->zrle.zlib.offset;
++    vs->zrle->zlib.offset = vs->zrle->zlib.capacity - zstream->avail_out;
++    return vs->zrle->zlib.offset;
+ }
+ 
+ /* Try to work out whether to use RLE and/or a palette.  We do this by
+@@ -259,14 +259,14 @@ static int zrle_send_framebuffer_update(VncState *vs, int x, int y,
+     size_t bytes;
+     int zywrle_level;
+ 
+-    if (vs->zrle.type == VNC_ENCODING_ZYWRLE) {
+-        if (!vs->vd->lossy || vs->tight.quality == (uint8_t)-1
+-            || vs->tight.quality == 9) {
++    if (vs->zrle->type == VNC_ENCODING_ZYWRLE) {
++        if (!vs->vd->lossy || vs->tight->quality == (uint8_t)-1
++            || vs->tight->quality == 9) {
+             zywrle_level = 0;
+-            vs->zrle.type = VNC_ENCODING_ZRLE;
+-        } else if (vs->tight.quality < 3) {
++            vs->zrle->type = VNC_ENCODING_ZRLE;
++        } else if (vs->tight->quality < 3) {
+             zywrle_level = 3;
+-        } else if (vs->tight.quality < 6) {
++        } else if (vs->tight->quality < 6) {
+             zywrle_level = 2;
+         } else {
+             zywrle_level = 1;
+@@ -337,30 +337,30 @@ static int zrle_send_framebuffer_update(VncState *vs, int x, int y,
+ 
+     vnc_zrle_stop(vs);
+     bytes = zrle_compress_data(vs, Z_DEFAULT_COMPRESSION);
+-    vnc_framebuffer_update(vs, x, y, w, h, vs->zrle.type);
++    vnc_framebuffer_update(vs, x, y, w, h, vs->zrle->type);
+     vnc_write_u32(vs, bytes);
+-    vnc_write(vs, vs->zrle.zlib.buffer, vs->zrle.zlib.offset);
++    vnc_write(vs, vs->zrle->zlib.buffer, vs->zrle->zlib.offset);
+     return 1;
+ }
+ 
+ int vnc_zrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
+ {
+-    vs->zrle.type = VNC_ENCODING_ZRLE;
++    vs->zrle->type = VNC_ENCODING_ZRLE;
+     return zrle_send_framebuffer_update(vs, x, y, w, h);
+ }
+ 
+ int vnc_zywrle_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
+ {
+-    vs->zrle.type = VNC_ENCODING_ZYWRLE;
++    vs->zrle->type = VNC_ENCODING_ZYWRLE;
+     return zrle_send_framebuffer_update(vs, x, y, w, h);
+ }
+ 
+ void vnc_zrle_clear(VncState *vs)
+ {
+-    if (vs->zrle.stream.opaque) {
+-        deflateEnd(&vs->zrle.stream);
++    if (vs->zrle->stream.opaque) {
++        deflateEnd(&vs->zrle->stream);
+     }
+-    buffer_free(&vs->zrle.zrle);
+-    buffer_free(&vs->zrle.fb);
+-    buffer_free(&vs->zrle.zlib);
++    buffer_free(&vs->zrle->zrle);
++    buffer_free(&vs->zrle->fb);
++    buffer_free(&vs->zrle->zlib);
+ }
+diff --git a/ui/vnc-enc-zrle.inc.c b/ui/vnc-enc-zrle.inc.c
+index abf6b86..c107d8a 100644
+--- a/ui/vnc-enc-zrle.inc.c
++++ b/ui/vnc-enc-zrle.inc.c
+@@ -96,7 +96,7 @@ static void ZRLE_ENCODE(VncState *vs, int x, int y, int w, int h,
+ static void ZRLE_ENCODE_TILE(VncState *vs, ZRLE_PIXEL *data, int w, int h,
+                              int zywrle_level)
+ {
+-    VncPalette *palette = &vs->zrle.palette;
++    VncPalette *palette = &vs->zrle->palette;
+ 
+     int runs = 0;
+     int single_pixels = 0;
+diff --git a/ui/vnc.c b/ui/vnc.c
+index bc43c4c..87b8045 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -1307,6 +1307,8 @@ void vnc_disconnect_finish(VncState *vs)
+     object_unref(OBJECT(vs->sioc));
+     vs->sioc = NULL;
+     vs->magic = 0;
++    g_free(vs->zrle);
++    g_free(vs->tight);
+     g_free(vs);
+ }
+ 
+@@ -2058,8 +2060,8 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
+ 
+     vs->features = 0;
+     vs->vnc_encoding = 0;
+-    vs->tight.compression = 9;
+-    vs->tight.quality = -1; /* Lossless by default */
++    vs->tight->compression = 9;
++    vs->tight->quality = -1; /* Lossless by default */
+     vs->absolute = -1;
+ 
+     /*
+@@ -2127,11 +2129,11 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
+             vs->features |= VNC_FEATURE_LED_STATE_MASK;
+             break;
+         case VNC_ENCODING_COMPRESSLEVEL0 ... VNC_ENCODING_COMPRESSLEVEL0 + 9:
+-            vs->tight.compression = (enc & 0x0F);
++            vs->tight->compression = (enc & 0x0F);
+             break;
+         case VNC_ENCODING_QUALITYLEVEL0 ... VNC_ENCODING_QUALITYLEVEL0 + 9:
+             if (vs->vd->lossy) {
+-                vs->tight.quality = (enc & 0x0F);
++                vs->tight->quality = (enc & 0x0F);
+             }
+             break;
+         default:
+@@ -3034,6 +3036,8 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
+     int i;
+ 
+     trace_vnc_client_connect(vs, sioc);
++    vs->zrle = g_new0(VncZrle, 1);
++    vs->tight = g_new0(VncTight, 1);
+     vs->magic = VNC_MAGIC;
+     vs->sioc = sioc;
+     object_ref(OBJECT(vs->sioc));
+@@ -3045,19 +3049,19 @@ static void vnc_connect(VncDisplay *vd, QIOChannelSocket *sioc,
+     buffer_init(&vs->output,         "vnc-output/%p", sioc);
+     buffer_init(&vs->jobs_buffer,    "vnc-jobs_buffer/%p", sioc);
+ 
+-    buffer_init(&vs->tight.tight,    "vnc-tight/%p", sioc);
+-    buffer_init(&vs->tight.zlib,     "vnc-tight-zlib/%p", sioc);
+-    buffer_init(&vs->tight.gradient, "vnc-tight-gradient/%p", sioc);
++    buffer_init(&vs->tight->tight,    "vnc-tight/%p", sioc);
++    buffer_init(&vs->tight->zlib,     "vnc-tight-zlib/%p", sioc);
++    buffer_init(&vs->tight->gradient, "vnc-tight-gradient/%p", sioc);
+ #ifdef CONFIG_VNC_JPEG
+-    buffer_init(&vs->tight.jpeg,     "vnc-tight-jpeg/%p", sioc);
++    buffer_init(&vs->tight->jpeg,     "vnc-tight-jpeg/%p", sioc);
+ #endif
+ #ifdef CONFIG_VNC_PNG
+-    buffer_init(&vs->tight.png,      "vnc-tight-png/%p", sioc);
++    buffer_init(&vs->tight->png,      "vnc-tight-png/%p", sioc);
+ #endif
+     buffer_init(&vs->zlib.zlib,      "vnc-zlib/%p", sioc);
+-    buffer_init(&vs->zrle.zrle,      "vnc-zrle/%p", sioc);
+-    buffer_init(&vs->zrle.fb,        "vnc-zrle-fb/%p", sioc);
+-    buffer_init(&vs->zrle.zlib,      "vnc-zrle-zlib/%p", sioc);
++    buffer_init(&vs->zrle->zrle,      "vnc-zrle/%p", sioc);
++    buffer_init(&vs->zrle->fb,        "vnc-zrle-fb/%p", sioc);
++    buffer_init(&vs->zrle->zlib,      "vnc-zrle-zlib/%p", sioc);
+ 
+     if (skipauth) {
+         vs->auth = VNC_AUTH_NONE;
+diff --git a/ui/vnc.h b/ui/vnc.h
+index 8643860..fea79c2 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -338,10 +338,10 @@ struct VncState
+     /* Encoding specific, if you add something here, don't forget to
+      *  update vnc_async_encoding_start()
+      */
+-    VncTight tight;
++    VncTight *tight;
+     VncZlib zlib;
+     VncHextile hextile;
+-    VncZrle zrle;
++    VncZrle *zrle;
+     VncZywrle zywrle;
+ 
+     Notifier mouse_mode_notifier;
+-- 
+1.8.3.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch
new file mode 100644
index 0000000000..aa7bc82329
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch
@@ -0,0 +1,64 @@
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi <felipe@nutanix.com>
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc]
+CVE: CVE-2020-1711
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
+Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
+Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3..cbd5729 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+     struct scsi_get_lba_status *lbas = NULL;
+     struct scsi_lba_status_descriptor *lbasd = NULL;
+     struct IscsiTask iTask;
+-    uint64_t lba;
++    uint64_t lba, max_bytes;
+     int ret;
+ 
+     iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+     }
+ 
+     lba = offset / iscsilun->block_size;
++    max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+ 
+     qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+         goto out_unlock;
+     }
+ 
+-    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++    *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+ 
+     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+-- 
+1.8.3.1
diff --git a/meta/recipes-devtools/rsync/rsync_3.1.3.bb b/meta/recipes-devtools/rsync/rsync_3.1.3.bb
index ffb1d061c0..152ff02a25 100644
--- a/meta/recipes-devtools/rsync/rsync_3.1.3.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.1.3.bb
@@ -20,6 +20,9 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
 SRC_URI[md5sum] = "1581a588fde9d89f6bc6201e8129afaf"
 SRC_URI[sha256sum] = "55cc554efec5fdaad70de921cd5a5eeb6c29a95524c715f3bbf849235b0800c0"
 
+# -16548 required for v3.1.3pre1. Already in v3.1.3.
+CVE_CHECK_WHITELIST += " CVE-2017-16548 "
+
 inherit autotools
 
 PACKAGECONFIG ??= "acl attr \
diff --git a/meta/recipes-devtools/ruby/ruby/fix-CVE-2019-16254.patch b/meta/recipes-devtools/ruby/ruby/fix-CVE-2019-16254.patch
new file mode 100644
index 0000000000..704c850c50
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/fix-CVE-2019-16254.patch
@@ -0,0 +1,106 @@
+From 18d5289b4579822e391b3f5c16541e6552e9f06c Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh <mame@ruby-lang.org>
+Date: Tue, 1 Oct 2019 12:29:18 +0900
+Subject: [PATCH] WEBrick: prevent response splitting and header injection
+
+This is a follow up to d9d4a28f1cdd05a0e8dabb36d747d40bbcc30f16.
+The commit prevented CRLR, but did not address an isolated CR or an
+isolated LF.
+
+Upstream-Status: Backport https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
+CVE: CVE-2019-16254
+
+Co-Authored-By: NARUSE, Yui <naruse@airemix.jp>
+Signed-off-by: Rahul Chauhan <rahulchauhankitps@gmail.com>
+---
+ lib/webrick/httpresponse.rb       |  3 ++-
+ test/webrick/test_httpresponse.rb | 46 +++++++++++++++++++++++++++++++++++++--
+ 2 files changed, 46 insertions(+), 3 deletions(-)
+
+diff --git a/lib/webrick/httpresponse.rb b/lib/webrick/httpresponse.rb
+index 6d77692..d26324c 100644
+--- a/lib/webrick/httpresponse.rb
++++ b/lib/webrick/httpresponse.rb
+@@ -367,7 +367,8 @@ def set_error(ex, backtrace=false)
+     private
+
+     def check_header(header_value)
+-      if header_value =~ /\r\n/
++      header_value = header_value.to_s
++      if /[\r\n]/ =~ header_value
+         raise InvalidHeader
+       else
+         header_value
+diff --git a/test/webrick/test_httpresponse.rb b/test/webrick/test_httpresponse.rb
+index 6263e0a..24a6968 100644
+--- a/test/webrick/test_httpresponse.rb
++++ b/test/webrick/test_httpresponse.rb
+@@ -29,7 +29,7 @@ def setup
+       @res.keep_alive  = true
+     end
+
+-    def test_prevent_response_splitting_headers
++    def test_prevent_response_splitting_headers_crlf
+       res['X-header'] = "malicious\r\nCookie: hack"
+       io = StringIO.new
+       res.send_response io
+@@ -39,7 +39,7 @@ def test_prevent_response_splitting_headers
+       refute_match 'hack', io.string
+     end
+
+-    def test_prevent_response_splitting_cookie_headers
++    def test_prevent_response_splitting_cookie_headers_crlf
+       user_input = "malicious\r\nCookie: hack"
+       res.cookies << WEBrick::Cookie.new('author', user_input)
+       io = StringIO.new
+@@ -50,6 +50,48 @@ def test_prevent_response_splitting_cookie_headers
+       refute_match 'hack', io.string
+     end
+
++    def test_prevent_response_splitting_headers_cr
++      res['X-header'] = "malicious\rCookie: hack"
++      io = StringIO.new
++      res.send_response io
++      io.rewind
++      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
++      assert_equal '500', res.code
++      refute_match 'hack', io.string
++    end
++
++    def test_prevent_response_splitting_cookie_headers_cr
++      user_input = "malicious\rCookie: hack"
++      res.cookies << WEBrick::Cookie.new('author', user_input)
++      io = StringIO.new
++      res.send_response io
++      io.rewind
++      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
++      assert_equal '500', res.code
++      refute_match 'hack', io.string
++    end
++
++    def test_prevent_response_splitting_headers_lf
++      res['X-header'] = "malicious\nCookie: hack"
++      io = StringIO.new
++      res.send_response io
++      io.rewind
++      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
++      assert_equal '500', res.code
++      refute_match 'hack', io.string
++    end
++
++    def test_prevent_response_splitting_cookie_headers_lf
++      user_input = "malicious\nCookie: hack"
++      res.cookies << WEBrick::Cookie.new('author', user_input)
++      io = StringIO.new
++      res.send_response io
++      io.rewind
++      res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
++      assert_equal '500', res.code
++      refute_match 'hack', io.string
++    end
++
+     def test_304_does_not_log_warning
+       res.status      = 304
+       res.setup_header
+--
+2.7.4
diff --git a/meta/recipes-devtools/ruby/ruby_2.5.5.bb b/meta/recipes-devtools/ruby/ruby_2.5.5.bb
index 223b0371eb..58bb97f4bd 100644
--- a/meta/recipes-devtools/ruby/ruby_2.5.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.5.5.bb
@@ -3,6 +3,7 @@ require ruby.inc
 SRC_URI += " \
            file://0001-configure.ac-check-finite-isinf-isnan-as-macros-firs.patch \
            file://run-ptest \
+           file://fix-CVE-2019-16254.patch \
            "
 
 SRC_URI[md5sum] = "7e156fb526b8f4bb1b30a3dd8a7ce400"
diff --git a/meta/recipes-extended/cpio/cpio-2.12/CVE-2019-14866.patch b/meta/recipes-extended/cpio/cpio-2.12/CVE-2019-14866.patch
new file mode 100644
index 0000000000..5d587fc832
--- /dev/null
+++ b/meta/recipes-extended/cpio/cpio-2.12/CVE-2019-14866.patch
@@ -0,0 +1,316 @@
+CVE: CVE-2019-14866
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7554e3e42cd72f6f8304410c47fe6f8918e9bfd7]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+From a052401293e45a13cded5959b258204dae6d0af5 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sun, 3 Nov 2019 23:59:39 +0200
+Subject: [PATCH] Fix CVE-2019-14866
+
+* src/copyout.c (to_ascii): Additional argument nul controls whether
+to add the terminating nul character.
+(field_width_error): Improve diagnostics: print the actual and the
+maximum allowed field value.
+* src/extern.h (to_ascii, field_width_error): New prototypes.
+* src/tar.c (to_oct): Remove.
+(to_oct_or_error): New function.
+(TO_OCT): New macro.
+(write_out_tar_header): Use TO_OCT and to_ascii. Return 0 on
+success, 1 on error.
+---
+ src/copyout.c | 49 ++++++++++++++++++++++--------------
+ src/extern.h  | 15 +++++++++--
+ src/tar.c     | 69 ++++++++++++++++++++++++---------------------------
+ 3 files changed, 75 insertions(+), 58 deletions(-)
+
+diff --git a/src/copyout.c b/src/copyout.c
+index 1f0987a..1ae5477 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -269,26 +269,32 @@ writeout_final_defers (int out_des)
+    so it should be moved to paxutils too.
+    Allowed values for logbase are: 1 (binary), 2, 3 (octal), 4 (hex) */
+ int
+-to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase)
++to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase, bool nul)
+ {
+   static char codetab[] = "0123456789ABCDEF";
+-  int i = digits;
+-  
+-  do
++
++  if (nul)
++    where[--digits] = 0;
++  while (digits > 0)
+     {
+-      where[--i] = codetab[(v & ((1 << logbase) - 1))];
++      where[--digits] = codetab[(v & ((1 << logbase) - 1))];
+       v >>= logbase;
+     }
+-  while (i);
+ 
+   return v != 0;
+ }
+ 
+-static void
+-field_width_error (const char *filename, const char *fieldname)
++void
++field_width_error (const char *filename, const char *fieldname,
++		   uintmax_t value, size_t width, bool nul)
+ {
+-  error (0, 0, _("%s: field width not sufficient for storing %s"),
+-	 filename, fieldname);
++  char valbuf[UINTMAX_STRSIZE_BOUND + 1];
++  char maxbuf[UINTMAX_STRSIZE_BOUND + 1];
++  error (0, 0, _("%s: value %s %s out of allowed range 0..%s"),
++	 filename, fieldname,
++	 STRINGIFY_BIGINT (value, valbuf),
++	 STRINGIFY_BIGINT (MAX_VAL_WITH_DIGITS (width - nul, LG_8),
++			   maxbuf));
+ }
+ 
+ static void
+@@ -303,7 +309,7 @@ to_ascii_or_warn (char *where, uintmax_t n, size_t digits,
+ 		  unsigned logbase,
+ 		  const char *filename, const char *fieldname)
+ {
+-  if (to_ascii (where, n, digits, logbase))
++  if (to_ascii (where, n, digits, logbase, false))
+     field_width_warning (filename, fieldname);
+ }    
+ 
+@@ -312,9 +318,9 @@ to_ascii_or_error (char *where, uintmax_t n, size_t digits,
+ 		   unsigned logbase,
+ 		   const char *filename, const char *fieldname)
+ {
+-  if (to_ascii (where, n, digits, logbase))
++  if (to_ascii (where, n, digits, logbase, false))
+     {
+-      field_width_error (filename, fieldname);
++      field_width_error (filename, fieldname, n, digits, false);
+       return 1;
+     }
+   return 0;
+@@ -371,7 +377,7 @@ write_out_new_ascii_header (const char *magic_string,
+ 			 _("name size")))
+     return 1;
+   p += 8;
+-  to_ascii (p, file_hdr->c_chksum & 0xffffffff, 8, LG_16);
++  to_ascii (p, file_hdr->c_chksum & 0xffffffff, 8, LG_16, false);
+ 
+   tape_buffered_write (ascii_header, out_des, sizeof ascii_header);
+ 
+@@ -388,7 +394,7 @@ write_out_old_ascii_header (dev_t dev, dev_t rdev,
+   char ascii_header[76];
+   char *p = ascii_header;
+   
+-  to_ascii (p, file_hdr->c_magic, 6, LG_8);
++  to_ascii (p, file_hdr->c_magic, 6, LG_8, false);
+   p += 6;
+   to_ascii_or_warn (p, dev, 6, LG_8, file_hdr->c_name, _("device number"));
+   p += 6;
+@@ -492,7 +498,10 @@ write_out_binary_header (dev_t rdev,
+   short_hdr.c_namesize = file_hdr->c_namesize & 0xFFFF;
+   if (short_hdr.c_namesize != file_hdr->c_namesize)
+     {
+-      field_width_error (file_hdr->c_name, _("name size"));
++      char maxbuf[UINTMAX_STRSIZE_BOUND + 1];
++      error (0, 0, _("%s: value %s %s out of allowed range 0..%u"),
++	     file_hdr->c_name, _("name size"),
++	     STRINGIFY_BIGINT (file_hdr->c_namesize, maxbuf), 0xFFFFu);
+       return 1;
+     }
+ 		      
+@@ -502,7 +511,10 @@ write_out_binary_header (dev_t rdev,
+   if (((off_t)short_hdr.c_filesizes[0] << 16) + short_hdr.c_filesizes[1]
+        != file_hdr->c_filesize)
+     {
+-      field_width_error (file_hdr->c_name, _("file size"));
++      char maxbuf[UINTMAX_STRSIZE_BOUND + 1];
++      error (0, 0, _("%s: value %s %s out of allowed range 0..%lu"),
++	     file_hdr->c_name, _("file size"),
++	     STRINGIFY_BIGINT (file_hdr->c_namesize, maxbuf), 0xFFFFFFFFlu);
+       return 1;
+     }
+ 		      
+@@ -552,8 +564,7 @@ write_out_header (struct cpio_file_stat *file_hdr, int out_des)
+ 	  error (0, 0, _("%s: file name too long"), file_hdr->c_name);
+ 	  return 1;
+ 	}
+-      write_out_tar_header (file_hdr, out_des); /* FIXME: No error checking */
+-      return 0;
++      return write_out_tar_header (file_hdr, out_des);
+ 
+     case arf_binary:
+       return write_out_binary_header (makedev (file_hdr->c_rdev_maj,
+diff --git a/src/extern.h b/src/extern.h
+index e27d662..f9ef56a 100644
+--- a/src/extern.h
++++ b/src/extern.h
+@@ -117,6 +117,10 @@ void print_name_with_quoting (char *p);
+ /* copyout.c */
+ int write_out_header (struct cpio_file_stat *file_hdr, int out_des);
+ void process_copy_out (void);
++int to_ascii (char *where, uintmax_t v, size_t digits, unsigned logbase,
++	      bool nul);
++void field_width_error (const char *filename, const char *fieldname,
++			uintmax_t value, size_t width, bool nul);
+ 
+ /* copypass.c */
+ void process_copy_pass (void);
+@@ -145,7 +149,7 @@ int make_path (char *argpath, uid_t owner, gid_t group,
+ 	       const char *verbose_fmt_string);
+ 
+ /* tar.c */
+-void write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des);
++int write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des);
+ int null_block (long *block, int size);
+ void read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des);
+ int otoa (char *s, unsigned long *n);
+@@ -204,9 +208,16 @@ void cpio_safer_name_suffix (char *name, bool link_target,
+ int cpio_create_dir (struct cpio_file_stat *file_hdr, int existing_dir);
+ void change_dir (void);
+ 
+-/* FIXME: These two defines should be defined in paxutils */
++/* FIXME: The following three should be defined in paxutils */
+ #define LG_8  3
+ #define LG_16 4
++/* The maximum uintmax_t value that can be represented with DIGITS digits,
++   assuming that each digit is BITS_PER_DIGIT wide.  */
++#define MAX_VAL_WITH_DIGITS(digits, bits_per_digit) \
++   ((digits) * (bits_per_digit) < sizeof (uintmax_t) * CHAR_BIT \
++    ? ((uintmax_t) 1 << ((digits) * (bits_per_digit))) - 1 \
++    : (uintmax_t) -1)
++
+ 
+ uintmax_t from_ascii (char const *where, size_t digs, unsigned logbase);
+ 
+diff --git a/src/tar.c b/src/tar.c
+index a2ce171..ef58027 100644
+--- a/src/tar.c
++++ b/src/tar.c
+@@ -79,36 +79,17 @@ stash_tar_filename (char *prefix, char *filename)
+   return hold_tar_filename;
+ }
+ 
+-/* Convert a number into a string of octal digits.
+-   Convert long VALUE into a DIGITS-digit field at WHERE,
+-   including a trailing space and room for a NUL.  DIGITS==3 means
+-   1 digit, a space, and room for a NUL.
+-
+-   We assume the trailing NUL is already there and don't fill it in.
+-   This fact is used by start_header and finish_header, so don't change it!
+-
+-   This is be equivalent to:
+-   sprintf (where, "%*lo ", digits - 2, value);
+-   except that sprintf fills in the trailing NUL and we don't.  */
+-
+-static void
+-to_oct (register long value, register int digits, register char *where)
++static int
++to_oct_or_error (uintmax_t value, size_t digits, char *where, char const *field,
++		 char const *file)
+ {
+-  --digits;			/* Leave the trailing NUL slot alone.  */
+-
+-  /* Produce the digits -- at least one.  */
+-  do
++  if (to_ascii (where, value, digits, LG_8, true))
+     {
+-      where[--digits] = '0' + (char) (value & 7); /* One octal digit.  */
+-      value >>= 3;
++      field_width_error (file, field, value, digits, true);
++      return 1;
+     }
+-  while (digits > 0 && value != 0);
+-
+-  /* Add leading zeroes, if necessary.  */
+-  while (digits > 0)
+-    where[--digits] = '0';
++  return 0;
+ }
+-
+ 
+ 
+ /* Compute and return a checksum for TAR_HDR,
+@@ -134,10 +115,22 @@ tar_checksum (struct tar_header *tar_hdr)
+   return sum;
+ }
+ 
++#define TO_OCT(file_hdr, c_fld, digits, tar_hdr, tar_field) \
++  do							    \
++    {							    \
++       if (to_oct_or_error (file_hdr -> c_fld,		    \
++			    digits,			    \
++			    tar_hdr -> tar_field,	    \
++			    #tar_field,			    \
++			    file_hdr->c_name))		    \
++	 return 1;					    \
++    }							    \
++  while (0)
++
+ /* Write out header FILE_HDR, including the file name, to file
+    descriptor OUT_DES.  */
+ 
+-void
++int
+ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
+ {
+   int name_len;
+@@ -166,11 +159,11 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
+ 
+   /* Ustar standard (POSIX.1-1988) requires the mode to contain only 3 octal
+      digits */
+-  to_oct (file_hdr->c_mode & MODE_ALL, 8, tar_hdr->mode);
+-  to_oct (file_hdr->c_uid, 8, tar_hdr->uid);
+-  to_oct (file_hdr->c_gid, 8, tar_hdr->gid);
+-  to_oct (file_hdr->c_filesize, 12, tar_hdr->size);
+-  to_oct (file_hdr->c_mtime, 12, tar_hdr->mtime);
++  TO_OCT (file_hdr, c_mode & MODE_ALL, 8, tar_hdr, mode);
++  TO_OCT (file_hdr, c_uid, 8, tar_hdr, uid);
++  TO_OCT (file_hdr, c_gid, 8, tar_hdr, gid);
++  TO_OCT (file_hdr, c_filesize, 12, tar_hdr, size);
++  TO_OCT (file_hdr, c_mtime, 12, tar_hdr, mtime);
+ 
+   switch (file_hdr->c_mode & CP_IFMT)
+     {
+@@ -182,7 +175,7 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
+ 	  strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
+ 		   TARLINKNAMESIZE);
+ 	  tar_hdr->typeflag = LNKTYPE;
+-	  to_oct (0, 12, tar_hdr->size);
++	  to_ascii (tar_hdr->size, 0, 12, LG_8, true);
+ 	}
+       else
+ 	tar_hdr->typeflag = REGTYPE;
+@@ -208,7 +201,7 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
+ 	 than TARLINKNAMESIZE.  */
+       strncpy (tar_hdr->linkname, file_hdr->c_tar_linkname,
+ 	       TARLINKNAMESIZE);
+-      to_oct (0, 12, tar_hdr->size);
++      to_ascii (tar_hdr->size, 0, 12, LG_8, true);
+       break;
+ #endif /* CP_IFLNK */
+     }
+@@ -227,13 +220,15 @@ write_out_tar_header (struct cpio_file_stat *file_hdr, int out_des)
+       if (name)
+ 	strcpy (tar_hdr->gname, name);
+ 
+-      to_oct (file_hdr->c_rdev_maj, 8, tar_hdr->devmajor);
+-      to_oct (file_hdr->c_rdev_min, 8, tar_hdr->devminor);
++      TO_OCT (file_hdr, c_rdev_maj, 8, tar_hdr, devmajor);
++      TO_OCT (file_hdr, c_rdev_min, 8, tar_hdr, devminor);
+     }
+ 
+-  to_oct (tar_checksum (tar_hdr), 8, tar_hdr->chksum);
++  to_ascii (tar_hdr->chksum, tar_checksum (tar_hdr), 8, LG_8, true);
+ 
+   tape_buffered_write ((char *) &tar_rec, out_des, TARRECORDSIZE);
++
++  return 0;
+ }
+ 
+ /* Return nonzero iff all the bytes in BLOCK are NUL.
+-- 
+2.24.1
+
diff --git a/meta/recipes-extended/cpio/cpio_2.12.bb b/meta/recipes-extended/cpio/cpio_2.12.bb
index 3713bf0b1f..5abe494ebc 100644
--- a/meta/recipes-extended/cpio/cpio_2.12.bb
+++ b/meta/recipes-extended/cpio/cpio_2.12.bb
@@ -11,6 +11,7 @@ SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
            file://0001-Fix-CVE-2015-1197.patch \
            file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \
            file://0001-Fix-segfault-with-append.patch \
+           file://CVE-2019-14866.patch \
            "
 
 SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"
diff --git a/meta/recipes-extended/iputils/iputils_s20190709.bb b/meta/recipes-extended/iputils/iputils_s20190709.bb
index 3f9e9917f0..42260f531e 100644
--- a/meta/recipes-extended/iputils/iputils_s20190709.bb
+++ b/meta/recipes-extended/iputils/iputils_s20190709.bb
@@ -32,7 +32,8 @@ PACKAGECONFIG[docs] = "-DBUILD_HTML_MANS=true -DBUILD_MANS=true,-DBUILD_HTML_MAN
 
 inherit meson update-alternatives
 
-EXTRA_OEMESON += "--prefix=${root_prefix}/"
+# Have to disable setcap/suid as its not deterministic
+EXTRA_OEMESON += "--prefix=${root_prefix}/ -DNO_SETCAP_OR_SUID=true"
 
 ALTERNATIVE_PRIORITY = "100"
 
diff --git a/meta/recipes-extended/libarchive/libarchive/0001-RAR5-reader-reject-files-that-declare-invalid-header.patch b/meta/recipes-extended/libarchive/libarchive/0001-RAR5-reader-reject-files-that-declare-invalid-header.patch
new file mode 100644
index 0000000000..a84c1f1f76
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/0001-RAR5-reader-reject-files-that-declare-invalid-header.patch
@@ -0,0 +1,124 @@
+From c1fe0a8cc8dde8ba3eae3d17e34060d2d6e4eb96 Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sun, 2 Feb 2020 08:04:41 +0100
+Subject: [PATCH] RAR5 reader: reject files that declare invalid header flags
+
+One of the fields in RAR5's base block structure is the size of the
+header. Some invalid files declare a 0 header size setting, which can
+confuse the unpacker. Minimum header size for RAR5 base blocks is 7
+bytes (4 bytes for CRC, and 3 bytes for the rest), so block size of 0
+bytes should be rejected at header parsing stage.
+
+The fix adds an error condition if header size of 0 bytes is detected.
+In this case, the unpacker will not attempt to unpack the file, as the
+header is corrupted.
+
+The commit also adds OSSFuzz #20459 sample to test further regressions
+in this area.
+
+Upstream-Status: Backport[https://github.com/libarchive/libarchive/commit/94821008d6eea81e315c5881cdf739202961040a]
+CVE: CVE-2020-9308
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ Makefile.am                                     |  1 +
+ libarchive/archive_read_support_format_rar5.c   | 17 +++++++++++++++--
+ libarchive/test/test_read_format_rar5.c         | 15 +++++++++++++++
+ ...d_format_rar5_block_size_is_too_small.rar.uu |  8 ++++++++
+ 4 files changed, 39 insertions(+), 2 deletions(-)
+ create mode 100644 libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu
+
+diff --git a/Makefile.am b/Makefile.am
+index da78b24..01abf20 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -863,6 +863,7 @@ libarchive_test_EXTRA_DIST=\
+ 	libarchive/test/test_read_format_rar5_symlink.rar.uu \
+ 	libarchive/test/test_read_format_rar5_truncated_huff.rar.uu \
+ 	libarchive/test/test_read_format_rar5_win32.rar.uu \
++	libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+ 	libarchive/test/test_read_format_raw.bufr.uu \
+ 	libarchive/test/test_read_format_raw.data.gz.uu \
+ 	libarchive/test/test_read_format_raw.data.Z.uu \
+diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c
+index 7c24627..f73393c 100644
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -2034,6 +2034,8 @@ static int scan_for_signature(struct archive_read* a);
+ static int process_base_block(struct archive_read* a,
+     struct archive_entry* entry)
+ {
++	const size_t SMALLEST_RAR5_BLOCK_SIZE = 3;
++
+ 	struct rar5* rar = get_context(a);
+ 	uint32_t hdr_crc, computed_crc;
+ 	size_t raw_hdr_size = 0, hdr_size_len, hdr_size;
+@@ -2057,15 +2059,26 @@ static int process_base_block(struct archive_read* a,
+ 		return ARCHIVE_EOF;
+ 	}
+ 
++	hdr_size = raw_hdr_size + hdr_size_len;
++
+ 	/* Sanity check, maximum header size for RAR5 is 2MB. */
+-	if(raw_hdr_size > (2 * 1024 * 1024)) {
++	if(hdr_size > (2 * 1024 * 1024)) {
+ 		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ 		    "Base block header is too large");
+ 
+ 		return ARCHIVE_FATAL;
+ 	}
+ 
+-	hdr_size = raw_hdr_size + hdr_size_len;
++	/* Additional sanity checks to weed out invalid files. */
++	if(raw_hdr_size == 0 || hdr_size_len == 0 ||
++		hdr_size < SMALLEST_RAR5_BLOCK_SIZE)
++	{
++		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++			"Too small block encountered (%ld bytes)",
++			raw_hdr_size);
++
++		return ARCHIVE_FATAL;
++	}
+ 
+ 	/* Read the whole header data into memory, maximum memory use here is
+ 	 * 2MB. */
+diff --git a/libarchive/test/test_read_format_rar5.c b/libarchive/test/test_read_format_rar5.c
+index 1408f37..32e7ed8 100644
+--- a/libarchive/test/test_read_format_rar5.c
++++ b/libarchive/test/test_read_format_rar5.c
+@@ -1194,3 +1194,18 @@ DEFINE_TEST(test_read_format_rar5_fileattr)
+ 
+ 	EPILOGUE();
+ }
++
++DEFINE_TEST(test_read_format_rar5_block_size_is_too_small)
++{
++	char buf[4096];
++	PROLOGUE("test_read_format_rar5_block_size_is_too_small.rar");
++
++	/* This file is damaged, so those functions should return failure.
++	 * Additionally, SIGSEGV shouldn't be raised during execution
++	 * of those functions. */
++
++	assertA(archive_read_next_header(a, &ae) != ARCHIVE_OK);
++	assertA(archive_read_data(a, buf, sizeof(buf)) <= 0);
++
++	EPILOGUE();
++}
+diff --git a/libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu b/libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu
+new file mode 100644
+index 0000000..5cad219
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu
+@@ -0,0 +1,8 @@
++begin 644 test_read_format_rar5_block_size_is_too_small.rar
++M4F%R(1H'`0"-[P+2``+'(!P,("`@N`,!`B`@("`@("`@("`@("`@("#_("`@
++M("`@("`@("`@((:Q;2!4-'-^4B`!((WO`M(``O\@$/\@-R`@("`@("`@("`@
++M``X@("`@("`@____("`@("`@(/\@("`@("`@("`@("#_(+6U,2"UM;6UM[CU
++M)B`@*(0G(`!.`#D\3R``(/__(,+_````-0#_($&%*/HE=C+N`"```"```"`D
++J`)$#("#_("#__P`@__\@_R#_("`@("`@("#_("#__R`@(/__("#__R`"
++`
++end
+-- 
+2.23.0
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
index c196382b07..db45ccf654 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.0.bb
@@ -33,6 +33,7 @@ EXTRA_OECONF += "--enable-largefile"
 
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://CVE-2019-19221.patch \
+           file://0001-RAR5-reader-reject-files-that-declare-invalid-header.patch \
 "
 
 SRC_URI[md5sum] = "6046396255bd7cf6d0f6603a9bda39ac"
diff --git a/meta/recipes-extended/libidn/libidn2_2.2.0.bb b/meta/recipes-extended/libidn/libidn2_2.2.0.bb
index bcbfdd85b9..71314149e1 100644
--- a/meta/recipes-extended/libidn/libidn2_2.2.0.bb
+++ b/meta/recipes-extended/libidn/libidn2_2.2.0.bb
@@ -22,7 +22,8 @@ EXTRA_OECONF += "--disable-rpath \
                  "
 
 do_install_append() {
-	sed -i -e 's|-L${STAGING_LIBDIR}||' ${D}${libdir}/pkgconfig/libidn2.pc
+	# Need to remove any duplicate whitespace too for reproducibility
+	sed -i -e 's|-L${STAGING_LIBDIR}||' -e 's/  */ /g' ${D}${libdir}/pkgconfig/libidn2.pc
 }
 
 LICENSE_${PN} = "(GPLv2+ | LGPLv3)"
diff --git a/meta/recipes-extended/man-db/man-db_2.8.7.bb b/meta/recipes-extended/man-db/man-db_2.8.7.bb
index 083b2374aa..0d73b03482 100644
--- a/meta/recipes-extended/man-db/man-db_2.8.7.bb
+++ b/meta/recipes-extended/man-db/man-db_2.8.7.bb
@@ -10,7 +10,7 @@ SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/man-db/man-db-${PV}.tar.xz \
 SRC_URI[md5sum] = "ec0b23c8314a1654c4d059b2c18ce43d"
 SRC_URI[sha256sum] = "b9cd5bb996305d08bfe9e1114edc30b4c97be807093b88af8033ed1cf9beb326"
 
-DEPENDS = "libpipeline gdbm groff-native base-passwd"
+DEPENDS = "libpipeline gdbm groff-native base-passwd flex-native"
 RDEPENDS_${PN} += "base-passwd"
 
 # | /usr/src/debug/man-db/2.8.0-r0/man-db-2.8.0/src/whatis.c:939: undefined reference to `_nl_msg_cat_cntr'
diff --git a/meta/recipes-extended/mc/files/0001-Add-option-to-control-configure-args.patch b/meta/recipes-extended/mc/files/0001-Add-option-to-control-configure-args.patch
new file mode 100644
index 0000000000..e76aac8161
--- /dev/null
+++ b/meta/recipes-extended/mc/files/0001-Add-option-to-control-configure-args.patch
@@ -0,0 +1,99 @@
+From a54501d3c9541bc8600225aa2d42531f93c6def7 Mon Sep 17 00:00:00 2001
+From: Joshua Watt <JPEWhacker@gmail.com>
+Date: Sat, 9 Nov 2019 20:01:48 -0600
+Subject: [PATCH] Add option to control configure args
+
+Embedding the configure time options into the executable can lead to
+non-reproducible builds, since configure options often have embedded
+paths. Add a configure time option to control if the configure args are
+embedded so this can be disabled.
+
+Upstream-Status: Submitted [https://midnight-commander.org/ticket/4031]
+Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
+---
+ configure.ac   | 6 ++++++
+ src/args.c     | 6 ++++++
+ src/textconf.c | 2 ++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 19d1a76be..a1948f6b9 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -544,6 +544,12 @@ dnl Clarify do we really need GModule
+ AM_CONDITIONAL([HAVE_GMODULE], [test -n "$g_module_supported" && \
+                                 test x"$textmode_x11_support" = x"yes" -o x"$enable_aspell" = x"yes"])
+ 
++AC_ARG_ENABLE([configure-args],
++    AS_HELP_STRING([--enable-configure-args], [Handle all compiler warnings as errors]))
++if test "x$enable_configure_args" != xno; then
++    AC_DEFINE([ENABLE_CONFIGURE_ARGS], 1, [Define to enable showing configure arguments in help])
++fi
++
+ AC_DEFINE_UNQUOTED([MC_CONFIGURE_ARGS], ["$ac_configure_args"], [MC configure arguments])
+ 
+ AC_CONFIG_FILES(
+diff --git a/src/args.c b/src/args.c
+index baef1a1c8..f8dc24020 100644
+--- a/src/args.c
++++ b/src/args.c
+@@ -95,7 +95,9 @@ static gboolean mc_args__nouse_subshell = FALSE;
+ #endif /* ENABLE_SUBSHELL */
+ static gboolean mc_args__show_datadirs = FALSE;
+ static gboolean mc_args__show_datadirs_extended = FALSE;
++#ifdef ENABLE_CONFIGURE_ARGS
+ static gboolean mc_args__show_configure_opts = FALSE;
++#endif
+ 
+ static GOptionGroup *main_group;
+ 
+@@ -125,6 +127,7 @@ static const GOptionEntry argument_main_table[] = {
+      NULL
+     },
+ 
++#ifdef ENABLE_CONFIGURE_ARGS
+     /* show configure options */
+     {
+      "configure-options", '\0', G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_NONE,
+@@ -132,6 +135,7 @@ static const GOptionEntry argument_main_table[] = {
+      N_("Print configure options"),
+      NULL
+     },
++#endif
+ 
+     {
+      "printwd", 'P', G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_STRING,
+@@ -758,11 +762,13 @@ mc_args_show_info (void)
+         return FALSE;
+     }
+ 
++#ifdef ENABLE_CONFIGURE_ARGS
+     if (mc_args__show_configure_opts)
+     {
+         show_configure_options ();
+         return FALSE;
+     }
++#endif
+ 
+     return TRUE;
+ }
+diff --git a/src/textconf.c b/src/textconf.c
+index 1e0613e58..f39b9e028 100644
+--- a/src/textconf.c
++++ b/src/textconf.c
+@@ -232,10 +232,12 @@ show_datadirs_extended (void)
+ 
+ /* --------------------------------------------------------------------------------------------- */
+ 
++#ifdef ENABLE_CONFIGURE_ARGS
+ void
+ show_configure_options (void)
+ {
+     (void) printf ("%s\n", MC_CONFIGURE_ARGS);
+ }
++#endif
+ 
+ /* --------------------------------------------------------------------------------------------- */
+-- 
+2.23.0
+
diff --git a/meta/recipes-extended/mc/files/nomandate.patch b/meta/recipes-extended/mc/files/nomandate.patch
new file mode 100644
index 0000000000..48bd73b110
--- /dev/null
+++ b/meta/recipes-extended/mc/files/nomandate.patch
@@ -0,0 +1,21 @@
+The man page date can vary depending upon the host perl, e.g. in Russian
+some versions print 'июня', others 'Июнь' or Polish 'czerwca' or 'czerwiec'.
+Rather than depend upon perl-native to fix this, just remove the date from 
+the manpages.
+
+RP 2020/2/4
+
+Upstream-Status: Inappropriate [OE specficic reproducibility workaround]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: mc-4.8.23/doc/man/date-of-man-include.am
+===================================================================
+--- mc-4.8.23.orig/doc/man/date-of-man-include.am
++++ mc-4.8.23/doc/man/date-of-man-include.am
+@@ -1,5 +1,5 @@
+ SED_PARAMETERS = \
+-	-e "s/%DATE_OF_MAN_PAGE%/$${MAN_DATE}/g" \
++	-e "s/%DATE_OF_MAN_PAGE%//g" \
+ 	-e "s/%DISTR_VERSION%/@DISTR_VERSION@/g" \
+ 	-e "s{%prefix%{@prefix@{g" \
+ 	-e "s{%sysconfdir%{@sysconfdir@{g" \
diff --git a/meta/recipes-extended/mc/mc_4.8.23.bb b/meta/recipes-extended/mc/mc_4.8.23.bb
index 83de8dbb2c..de76591d9b 100644
--- a/meta/recipes-extended/mc/mc_4.8.23.bb
+++ b/meta/recipes-extended/mc/mc_4.8.23.bb
@@ -8,6 +8,8 @@ RDEPENDS_${PN} = "ncurses-terminfo"
 
 SRC_URI = "http://www.midnight-commander.org/downloads/${BPN}-${PV}.tar.bz2 \
            file://0001-mc-replace-perl-w-with-use-warnings.patch \
+           file://0001-Add-option-to-control-configure-args.patch \
+           file://nomandate.patch \
            "
 SRC_URI[md5sum] = "152927ac29cf0e61d7d019f261bb7d89"
 SRC_URI[sha256sum] = "238c4552545dcf3065359bd50753abbb150c1b22ec5a36eaa02c82808293267d"
@@ -21,9 +23,12 @@ PACKAGECONFIG ??= ""
 PACKAGECONFIG[smb] = "--enable-vfs-smb,--disable-vfs-smb,samba,"
 PACKAGECONFIG[sftp] = "--enable-vfs-sftp,--disable-vfs-sftp,libssh2,"
 
-EXTRA_OECONF = "--with-screen=ncurses --without-gpm-mouse --without-x"
+EXTRA_OECONF = "--with-screen=ncurses --without-gpm-mouse --without-x --disable-configure-args"
 
 CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl'"
+CACHED_CONFIGUREVARS += "ac_cv_path_PYTHON='/usr/bin/env python'"
+CACHED_CONFIGUREVARS += "ac_cv_path_GREP='/usr/bin/env grep'"
+CACHED_CONFIGUREVARS += "mc_cv_have_zipinfo=yes"
 
 do_install_append () {
 	sed -i -e '1s,#!.*perl,#!${bindir}/env perl,' ${D}${libexecdir}/mc/extfs.d/*
diff --git a/meta/recipes-extended/psmisc/psmisc.inc b/meta/recipes-extended/psmisc/psmisc.inc
index 594a10cf22..6de5acb71b 100644
--- a/meta/recipes-extended/psmisc/psmisc.inc
+++ b/meta/recipes-extended/psmisc/psmisc.inc
@@ -7,7 +7,7 @@ command sends a specified signal (SIGTERM if nothing is specified) to \
 processes identified by name.  The fuser command identifies the PIDs \
 of processes that are using specified files or filesystems."
 SECTION = "base"
-DEPENDS = "ncurses virtual/libintl gettext-native"
+DEPENDS = "ncurses virtual/libintl gettext-native xz-native"
 LICENSE = "GPLv2"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/psmisc/psmisc-${PV}.tar.gz"
diff --git a/meta/recipes-extended/screen/screen/CVE-2020-9366.patch b/meta/recipes-extended/screen/screen/CVE-2020-9366.patch
new file mode 100644
index 0000000000..a52b9e6e68
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2020-9366.patch
@@ -0,0 +1,48 @@
+From 8ce90c1d3d5bece150479d8bc9303fd9d9f45e03 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+Date: Thu, 30 Jan 2020 17:56:27 +0100
+Subject: [PATCH] Fix out of bounds access when setting w_xtermosc after OSC 49
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Amadeusz=20S=C5=82awi=C5=84ski?= <amade@asmblr.net>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+echo -e "\e]49\e;                                    \n\ec"
+crashes screen.
+
+This happens because 49 is divided by 10 and used as table index
+resulting in access to w_xtermosc[4], which is out of bounds with table
+itself being size 4. Increase size of table by 1 to 5, which is enough
+for all current uses.
+
+As this overwrites memory based on user input it is potential security
+issue.
+
+Reported-by: pippin@gimp.org
+Signed-off-by: Amadeusz Sławiński <amade@asmblr.net>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?h=v.4.8.0&id=68386dfb1fa33471372a8cd2e74686758a2f527b]
+CVE: CVE-2020-9366
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ window.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/window.h b/window.h
+index bd10dcd..a8afa19 100644
+--- a/window.h
++++ b/window.h
+@@ -237,7 +237,7 @@ struct win
+   char	 w_vbwait;
+   char	 w_norefresh;		/* dont redisplay when switching to that win */
+ #ifdef RXVT_OSC
+-  char	 w_xtermosc[4][MAXSTR];	/* special xterm/rxvt escapes */
++  char	 w_xtermosc[5][MAXSTR];	/* special xterm/rxvt escapes */
+ #endif
+   int    w_mouse;		/* mouse mode 0,9,1000 */
+ #ifdef HAVE_BRAILLE
diff --git a/meta/recipes-extended/screen/screen_4.6.2.bb b/meta/recipes-extended/screen/screen_4.6.2.bb
index 21b476ddb0..d00b849021 100644
--- a/meta/recipes-extended/screen/screen_4.6.2.bb
+++ b/meta/recipes-extended/screen/screen_4.6.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
            file://0001-fix-for-multijob-build.patch \
            file://0001-configure.ac-fix-configure-failed-while-build-dir-ha.patch \
            file://0001-Remove-more-compatibility-stuff.patch \
+           file://CVE-2020-9366.patch \
           "
 
 SRC_URI[md5sum] = "a0f529d3333b128dfaa324d978ba73a8"
diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc
index 15075bcefd..4edfabe510 100644
--- a/meta/recipes-extended/sudo/sudo.inc
+++ b/meta/recipes-extended/sudo/sudo.inc
@@ -26,7 +26,7 @@ PACKAGECONFIG[pam-wheel] = ",,,pam-plugin-wheel"
 
 CONFFILES_${PN} = "${sysconfdir}/sudoers"
 
-EXTRA_OECONF = "--with-editor=/bin/vi --with-env-editor"
+EXTRA_OECONF = "--with-editor=${base_bindir}/vi --with-env-editor"
 
 EXTRA_OECONF_append_libc-musl = " --disable-hardening "
 
diff --git a/meta/recipes-extended/sudo/sudo_1.8.27.bb b/meta/recipes-extended/sudo/sudo_1.8.27.bb
index 0a11a1b28f..6d470d0373 100644
--- a/meta/recipes-extended/sudo/sudo_1.8.27.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.27.bb
@@ -15,10 +15,18 @@ SRC_URI[sha256sum] = "7beb68b94471ef56d8a1036dbcdc09a7b58a949a68ffce48b83f837dd3
 DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 RDEPENDS_${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}"
 
+CACHED_CONFIGUREVARS = " \
+        ac_cv_type_rsize_t=no \
+        ac_cv_path_MVPROG=${base_bindir}/mv \
+        ac_cv_path_BSHELLPROG=${base_bindir}/sh \
+        ac_cv_path_SENDMAILPROG=${sbindir}/sendmail \
+        ac_cv_path_VIPROG=${base_bindir}/vi \
+        "
+
 EXTRA_OECONF += " \
-             ac_cv_type_rsize_t=no \
              ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
              ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--enable-tmpfiles.d=${nonarch_libdir}/tmpfiles.d', '--disable-tmpfiles.d', d)} \
+             --with-vardir=/var/lib/sudo \
              "
 
 do_install_append () {
diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb
index 18f09b5711..ebe6cb0dbd 100644
--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -22,6 +22,8 @@ PACKAGECONFIG[acl] = "--with-posix-acls,--without-posix-acls,acl"
 
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 
+CACHED_CONFIGUREVARS += "tar_cv_path_RSH=no"
+
 # Let aclocal use the relative path for the m4 file rather than the
 # absolute since tar has a lot of m4 files, otherwise there might
 # be an "Argument list too long" error when it is built in a long/deep
diff --git a/meta/recipes-gnome/gtk+/gtk+3/sort-resources.patch b/meta/recipes-gnome/gtk+/gtk+3/sort-resources.patch
new file mode 100644
index 0000000000..7f87372c52
--- /dev/null
+++ b/meta/recipes-gnome/gtk+/gtk+3/sort-resources.patch
@@ -0,0 +1,19 @@
+If the resources file isn't sorted in some way then libgdk.so will differ
+depending on the inode order of the resource files.
+
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/gdk/Makefile.am b/gdk/Makefile.am
+index e25b57ba50..26f2d57c6e 100644
+--- a/gdk/Makefile.am
++++ b/gdk/Makefile.am
+@@ -465,7 +465,7 @@ stamp-gc-h: $(top_builddir)/config.status
+ # Resources
+ #
+ 
+-glsl_sources := $(wildcard $(srcdir)/resources/glsl/*.glsl)
++glsl_sources := $(sort $(wildcard $(srcdir)/resources/glsl/*.glsl))
+ 
+ gdk.gresource.xml: Makefile.am
+ 	$(AM_V_GEN) echo "<?xml version='1.0' encoding='UTF-8'?>" > $@; \
diff --git a/meta/recipes-gnome/gtk+/gtk+3_3.24.8.bb b/meta/recipes-gnome/gtk+/gtk+3_3.24.8.bb
index d79b18bee0..596dee6264 100644
--- a/meta/recipes-gnome/gtk+/gtk+3_3.24.8.bb
+++ b/meta/recipes-gnome/gtk+/gtk+3_3.24.8.bb
@@ -7,6 +7,7 @@ SRC_URI = "http://ftp.gnome.org/pub/gnome/sources/gtk+/${MAJ_VER}/gtk+-${PV}.tar
            file://0002-Do-not-try-to-initialize-GL-without-libGL.patch \
            file://0003-Add-disable-opengl-configure-option.patch \
            file://link_fribidi.patch \
+           file://sort-resources.patch \
           "
 SRC_URI[md5sum] = "eeedde01856238114dcf4df3ebc942a5"
 SRC_URI[sha256sum] = "666962de9b9768fe9ca785b0e2f42c8b9db3868a12fa9b356b167238d70ac799"
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch
new file mode 100644
index 0000000000..ad61c95be3
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18390.patch
@@ -0,0 +1,66 @@
+From 24f67de7a9088a873844a39be03cee6882260ac9 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Mon, 7 Oct 2019 10:59:56 +0200
+Subject: [PATCH] vrend: check info formats in blits
+
+Closes #141
+Closes #142
+
+v2 : drop colon in error description (Emil)
+
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+
+Upstream-Status: Backport 
+[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/24f67de7a9088a873844a39be03cee6882260ac9]
+CVE: CVE-2019-18390
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/virgl_hw.h       |  1 +
+ src/vrend_renderer.c | 11 +++++++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/virgl_hw.h b/src/virgl_hw.h
+index 145780bf..5ccf3073 100644
+--- a/src/virgl_hw.h
++++ b/src/virgl_hw.h
+@@ -426,6 +426,7 @@ enum virgl_ctx_errors {
+         VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER,
+         VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS,
+         VIRGL_ERROR_GL_ANY_SAMPLES_PASSED,
++        VIRGL_ERROR_CTX_ILLEGAL_FORMAT,
+ };
+ 
+ #define VIRGL_RESOURCE_Y_0_TOP (1 << 0)
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 14fefb38..aa6a89c1 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -758,6 +758,7 @@ static const char *vrend_ctx_error_strings[] = {
+    [VIRGL_ERROR_CTX_ILLEGAL_CMD_BUFFER]    = "Illegal command buffer",
+    [VIRGL_ERROR_CTX_GLES_HAVE_TES_BUT_MISS_TCS] = "On GLES context and shader program has tesselation evaluation shader but no tesselation control shader",
+    [VIRGL_ERROR_GL_ANY_SAMPLES_PASSED] = "Query for ANY_SAMPLES_PASSED not supported",
++   [VIRGL_ERROR_CTX_ILLEGAL_FORMAT]        = "Illegal format ID",
+ };
+ 
+ static void __report_context_error(const char *fname, struct vrend_context *ctx,
+@@ -8492,6 +8493,16 @@ void vrend_renderer_blit(struct vrend_context *ctx,
+    if (ctx->in_error)
+       return;
+ 
++   if (!info->src.format || (enum virgl_formats)info->src.format >= VIRGL_FORMAT_MAX) {
++      report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->src.format);
++      return;
++   }
++
++   if (!info->dst.format || (enum virgl_formats)info->dst.format >= VIRGL_FORMAT_MAX) {
++      report_context_error(ctx, VIRGL_ERROR_CTX_ILLEGAL_FORMAT, info->dst.format);
++      return;
++   }
++
+    if (info->render_condition_enable == false)
+       vrend_pause_render_condition(ctx, true);
+ 
+-- 
+2.24.1
+
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch
new file mode 100644
index 0000000000..cc641d8293
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2019-18391.patch
@@ -0,0 +1,51 @@
+From 2abeb1802e3c005b17a7123e382171b3fb665971 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Tue, 8 Oct 2019 17:27:01 +0200
+Subject: [PATCH] vrend: check that the transfer iov holds enough data for the
+ data upload
+
+Closes #140
+
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
+
+Upstream-Status: Backport 
+[https://gitlab.freedesktop.org/virgl/virglrenderer/commit/2abeb1802e3c005b17a7123e382171b3fb665971]
+CVE: CVE-2019-18391
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 694e1d0e..fe23846b 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -7005,15 +7005,22 @@ static int vrend_renderer_transfer_write_iov(struct vrend_context *ctx,
+             invert = true;
+       }
+ 
++      send_size = util_format_get_nblocks(res->base.format, info->box->width,
++                                          info->box->height) * elsize;
++      if (res->target == GL_TEXTURE_3D ||
++          res->target == GL_TEXTURE_2D_ARRAY ||
++          res->target == GL_TEXTURE_CUBE_MAP_ARRAY)
++          send_size *= info->box->depth;
++
+       if (need_temp) {
+-         send_size = util_format_get_nblocks(res->base.format, info->box->width,
+-                                             info->box->height) * elsize * info->box->depth;
+          data = malloc(send_size);
+          if (!data)
+             return ENOMEM;
+          read_transfer_data(iov, num_iovs, data, res->base.format, info->offset,
+                             stride, layer_stride, info->box, invert);
+       } else {
++         if (send_size > iov[0].iov_len - info->offset)
++            return EINVAL;
+          data = (char*)iov[0].iov_base + info->offset;
+       }
+ 
+-- 
+2.24.1
+
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch
new file mode 100644
index 0000000000..925f2c8eb0
--- /dev/null
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer/CVE-2020-8002.patch
@@ -0,0 +1,39 @@
+From 63bcca251f093d83da7e290ab4bbd38ae69089b5 Mon Sep 17 00:00:00 2001
+From: Gert Wollny <gert.wollny@collabora.com>
+Date: Wed, 15 Jan 2020 13:43:58 +0100
+Subject: [PATCH] vrend: Don't try launching a grid if no CS is available
+
+Closes #155
+
+Signed-off-by: Gert Wollny <gert.wollny@collabora.com>
+Reviewed-by: Gurchetan Singh <gurchetansingh@chromium.org>
+
+Upstream-Status: Backport 
+[https://gitlab.freedesktop.org/virgl/virglrenderer/-/commit/63bcca251f093d83da7e290ab4bbd38ae69089b5.patch]
+CVE: CVE-2020-8002
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ src/vrend_renderer.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index a054bad8..2280fc43 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -4604,6 +4604,13 @@ void vrend_launch_grid(struct vrend_context *ctx,
+       }
+       ctx->sub->shader_dirty = true;
+    }
++
++   if (!ctx->sub->prog) {
++      vrend_printf("%s: Skipping compute shader execution due to missing shaders: %s\n",
++                   __func__, ctx->debug_name);
++      return;
++   }
++
+    vrend_use_program(ctx, ctx->sub->prog->id);
+ 
+    vrend_draw_bind_ubo_shader(ctx, PIPE_SHADER_COMPUTE, 0);
+-- 
+2.24.1
+
diff --git a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
index d2b11c103a..e91ccc6c57 100644
--- a/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
+++ b/meta/recipes-graphics/virglrenderer/virglrenderer_0.8.0.bb
@@ -8,6 +8,9 @@ DEPENDS = "libdrm mesa libepoxy"
 SRCREV = "48cc96c9aebb9d0164830a157efc8916f08f00c0"
 SRC_URI = "git://anongit.freedesktop.org/virglrenderer \
            file://0001-gallium-Expand-libc-check-to-be-platform-OS-check.patch \
+           file://CVE-2019-18390.patch \
+           file://CVE-2019-18391.patch \
+           file://CVE-2020-8002.patch  \
            "
 
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-graphics/waffle/waffle_1.6.0.bb b/meta/recipes-graphics/waffle/waffle_1.6.0.bb
index 8a1d5748f6..82cead9ad1 100644
--- a/meta/recipes-graphics/waffle/waffle_1.6.0.bb
+++ b/meta/recipes-graphics/waffle/waffle_1.6.0.bb
@@ -35,3 +35,8 @@ PACKAGECONFIG[x11-egl] = "-Dx11_egl=enabled,-Dx11_egl=disabled,virtual/${MLPREFI
 PACKAGECONFIG[surfaceless-egl] = "-Dsurfaceless_egl=enabled,-Dsurfaceless_egl=disabled,virtual/${MLPREFIX}libgl"
 
 # TODO: optionally build manpages and examples
+
+# Unset these to stop python trying to report the target Python setup
+_PYTHON_SYSCONFIGDATA_NAME[unexport] = "1"
+STAGING_INCDIR[unexport] = "1"
+STAGING_LIBDIR[unexport] = "1"
diff --git a/meta/recipes-graphics/wayland/libinput/determinism.patch b/meta/recipes-graphics/wayland/libinput/determinism.patch
new file mode 100644
index 0000000000..cb554030cf
--- /dev/null
+++ b/meta/recipes-graphics/wayland/libinput/determinism.patch
@@ -0,0 +1,21 @@
+This finds our outer git tree and that version information breaks
+determinism of this recipe. Disable it.
+
+RP 2020/2/6
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: libinput-1.14.3/meson.build
+===================================================================
+--- libinput-1.14.3.orig/meson.build
++++ libinput-1.14.3/meson.build
+@@ -387,7 +387,7 @@ pkgconfig.generate(
+ 	libraries : lib_libinput
+ )
+ 
+-git_version_h = vcs_tag(command : ['git', 'describe'],
++git_version_h = vcs_tag(command : ['false'],
+ 			fallback : 'unknown',
+ 			input : 'src/libinput-git-version.h.in',
+ 			output :'libinput-git-version.h')
diff --git a/meta/recipes-graphics/wayland/libinput_1.14.1.bb b/meta/recipes-graphics/wayland/libinput_1.14.1.bb
index 38bc8d2c33..2c5733f33a 100644
--- a/meta/recipes-graphics/wayland/libinput_1.14.1.bb
+++ b/meta/recipes-graphics/wayland/libinput_1.14.1.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1f2ea9ebff3a2c6d458faf58492efb63"
 
 DEPENDS = "libevdev udev mtdev"
 
-SRC_URI = "http://www.freedesktop.org/software/${BPN}/${BP}.tar.xz"
+SRC_URI = "http://www.freedesktop.org/software/${BPN}/${BP}.tar.xz \
+           file://determinism.patch \
+"
 SRC_URI[md5sum] = "da29a704dc6f7ea2d5aac754db046340"
 SRC_URI[sha256sum] = "e333a3242835c019ca37d2cef8b51a87d3138eb47444119c0153dc7a8656ee70"
 
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf b/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf
new file mode 100644
index 0000000000..7ab7460816
--- /dev/null
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/capability.conf
@@ -0,0 +1,2 @@
+cap_sys_admin	@USER@
+none	*
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
index 6c548551b8..116bb278bc 100755
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init/xserver-nodm
@@ -38,6 +38,14 @@ case "$1" in
            if [ -e /dev/hidraw0 ]; then
                chmod o+rw /dev/hidraw*
            fi
+           # Make sure that the Xorg has the cap_sys_admin capability which is
+           # needed for setting the drm master
+           if ! grep -q "^auth.*pam_cap\.so" /etc/pam.d/su; then
+               echo "auth	optional	pam_cap.so" >>/etc/pam.d/su
+           fi
+           if ! /usr/sbin/getcap $XSERVER |  grep -q cap_sys_admin; then
+               /usr/sbin/setcap cap_sys_admin+eip $XSERVER
+           fi
        fi
 
        # Using su rather than sudo as latest 1.8.1 cause failure [YOCTO #1211]
diff --git a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
index a77c56445c..7f4e1e29f1 100644
--- a/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
+++ b/meta/recipes-graphics/x11-common/xserver-nodm-init_3.0.bb
@@ -10,6 +10,7 @@ SRC_URI = "file://xserver-nodm \
            file://gplv2-license.patch \
            file://xserver-nodm.service.in \
            file://xserver-nodm.conf.in \
+           file://capability.conf \
 "
 
 S = "${WORKDIR}"
@@ -19,7 +20,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
 
 inherit update-rc.d systemd distro_features_check
 
-REQUIRED_DISTRO_FEATURES = "x11"
+REQUIRED_DISTRO_FEATURES = "x11 ${@oe.utils.conditional('ROOTLESS_X', '1', 'pam', '', d)}"
 
 PACKAGECONFIG ??= "blank"
 # dpms and screen saver will be on only if 'blank' is in PACKAGECONFIG
@@ -40,6 +41,8 @@ do_install() {
     if [ "${ROOTLESS_X}" = "1" ] ; then
         XUSER_HOME="/home/xuser"
         XUSER="xuser"
+        install -D capability.conf ${D}${sysconfdir}/security/capability.conf
+        sed -i "s:@USER@:${XUSER}:" ${D}${sysconfdir}/security/capability.conf
     else
         XUSER_HOME=${ROOT_HOME}
         XUSER="root"
@@ -60,7 +63,7 @@ do_install() {
     fi
 }
 
-RDEPENDS_${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'xuser-account', '', d)}"
+RDEPENDS_${PN} = "xinit ${@oe.utils.conditional('ROOTLESS_X', '1', 'xuser-account libcap libcap-bin', '', d)}"
 
 INITSCRIPT_NAME = "xserver-nodm"
 INITSCRIPT_PARAMS = "start 9 5 . stop 20 0 1 2 3 6 ."
diff --git a/meta/recipes-graphics/xorg-app/xorg-app-common.inc b/meta/recipes-graphics/xorg-app/xorg-app-common.inc
index 3529cb26ef..211e399cf0 100644
--- a/meta/recipes-graphics/xorg-app/xorg-app-common.inc
+++ b/meta/recipes-graphics/xorg-app/xorg-app-common.inc
@@ -12,6 +12,6 @@ INC_PR = "r8"
 
 SRC_URI = "${XORG_MIRROR}/individual/app/${BPN}-${PV}.tar.bz2"
 
-inherit autotools pkgconfig distro_features_check
+inherit autotools pkgconfig distro_features_check gettext
 
 FILES_${PN} += " ${libdir}/X11/${BPN} ${datadir}/X11/app-defaults/"
diff --git a/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb b/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
index 85a48e4c58..cc45696530 100644
--- a/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
+++ b/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
@@ -11,6 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=47e508ca280fde97906eacb77892c3ac"
 
 DEPENDS += "virtual/libx11"
 
+EXTRA_OECONF += "--with-shared-memory-dir=/dev/shm"
+
 BBCLASSEXTEND = "native nativesdk"
 
 SRC_URI[md5sum] = "42dda8016943dc12aff2c03a036e0937"
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb b/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
index b6e0a1e9e2..93c4472316 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_4.19.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "2fbf678238302f33b3aec5a2cba829f260744f24"
-SRCREV_meta ?= "4f5d761316a9cf14605e5d0cc91b53c1b2e9dc6a"
+SRCREV_machine ?= "40e34fdcb540e35b1a97e8e52c11dfe52bd68b16"
+SRCREV_meta ?= "7cb520d405cd5ca8f21a333941fbc0861bbb36b0"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.19;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "4.19.87"
+LINUX_VERSION ?= "4.19.107"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.2.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.2.bb
index 5391e052c5..a23a5e6f93 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.2.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.2.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "e2d396270864afd14f5882ce8921d8fb562f5665"
-SRCREV_meta ?= "dd6019025cbb701b9818102f267c26e87031a59b"
+SRCREV_machine ?= "78e147f949b5b18524aa7bd72f1cc8f7ae8039f8"
+SRCREV_meta ?= "bb2776d6beaae64b1a0fc902b64376f082085498"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.2;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.2.28"
+LINUX_VERSION ?= "5.2.32"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
index e2626ab4c9..76b2467ef5 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_4.19.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "4.19.87"
+LINUX_VERSION ?= "4.19.107"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "bd239fb802a15c2759ea456dd1f09f5e106fc88a"
-SRCREV_machine ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_meta ?= "4f5d761316a9cf14605e5d0cc91b53c1b2e9dc6a"
+SRCREV_machine_qemuarm ?= "e2c947b59c650f2aa2f0f88d6af90f9dfb336e04"
+SRCREV_machine ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_meta ?= "7cb520d405cd5ca8f21a333941fbc0861bbb36b0"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.2.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.2.bb
index 986dd6e351..ac9904f415 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.2.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.2.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.2.28"
+LINUX_VERSION ?= "5.2.32"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "d79fa780eef7c3b08fcff8a44070c211afa91214"
-SRCREV_machine ?= "992280855e88289b7e7019ee2cf9dff867c58b94"
-SRCREV_meta ?= "dd6019025cbb701b9818102f267c26e87031a59b"
+SRCREV_machine_qemuarm ?= "e0a3a01b24070b15121e938ea19755091bf0d662"
+SRCREV_machine ?= "73b12de4c879e4569bef3b2d0ee9c783a9788b27"
+SRCREV_meta ?= "bb2776d6beaae64b1a0fc902b64376f082085498"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_4.19.bb b/meta/recipes-kernel/linux/linux-yocto_4.19.bb
index c6e482a984..6e3b00e0e5 100644
--- a/meta/recipes-kernel/linux/linux-yocto_4.19.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_4.19.bb
@@ -11,22 +11,22 @@ KBRANCH_qemux86  ?= "v4.19/standard/base"
 KBRANCH_qemux86-64 ?= "v4.19/standard/base"
 KBRANCH_qemumips64 ?= "v4.19/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "19fa1657d1d82d01647c6f73a2bbf39305505294"
-SRCREV_machine_qemuarm64 ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_machine_qemumips ?= "8fb7ab96b84852ee3d9e1d9d9e7bc35e1249b653"
-SRCREV_machine_qemuppc ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_machine_qemux86 ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_machine_qemux86-64 ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_machine_qemumips64 ?= "c8a036abd7d469013dddab15a23e0d2dde1d0000"
-SRCREV_machine ?= "b44ad1b1e7c685e75b7788a026a2416edc2ee656"
-SRCREV_meta ?= "4f5d761316a9cf14605e5d0cc91b53c1b2e9dc6a"
+SRCREV_machine_qemuarm ?= "c8b87f4d12eb957d8a95442a928ef4820037bb55"
+SRCREV_machine_qemuarm64 ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_machine_qemumips ?= "94f102eaca76ffdcc3d47ea94b47486d7157c531"
+SRCREV_machine_qemuppc ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_machine_qemux86 ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_machine_qemux86-64 ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_machine_qemumips64 ?= "98288b7e79bc8130c2a889d763c9c1aa15ff4939"
+SRCREV_machine ?= "16ae5406361af8329b74580697cb738dadeb1ecb"
+SRCREV_meta ?= "7cb520d405cd5ca8f21a333941fbc0861bbb36b0"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.19;destsuffix=${KMETA} \
           "
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "4.19.87"
+LINUX_VERSION ?= "4.19.107"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.2.bb b/meta/recipes-kernel/linux/linux-yocto_5.2.bb
index 358c0ad80a..eab142e1c6 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.2.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.2.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.2/standard/base"
 KBRANCH_qemux86-64 ?= "v5.2/standard/base"
 KBRANCH_qemumips64 ?= "v5.2/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "ed43b791f2cca6e87928fa47556e540333385187"
-SRCREV_machine_qemuarm64 ?= "992280855e88289b7e7019ee2cf9dff867c58b94"
-SRCREV_machine_qemumips ?= "5d47f37ab0b7bcd5c0aaf0ecbd6d00bb8a22ddf4"
-SRCREV_machine_qemuppc ?= "992280855e88289b7e7019ee2cf9dff867c58b94"
-SRCREV_machine_qemuriscv64 ?= "992280855e88289b7e7019ee2cf9dff867c58b94"
-SRCREV_machine_qemux86 ?= "992280855e88289b7e7019ee2cf9dff867c58b94"
-SRCREV_machine_qemux86-64 ?= "992280855e88289b7e7019ee2cf9dff867c58b94"
-SRCREV_machine_qemumips64 ?= "894ee953d9c4036003f41e0800315efe3bab8492"
-SRCREV_machine ?= "992280855e88289b7e7019ee2cf9dff867c58b94"
-SRCREV_meta ?= "dd6019025cbb701b9818102f267c26e87031a59b"
+SRCREV_machine_qemuarm ?= "fdb7cd1bb5e4238e5b3d120ce9db31119ec2b5ee"
+SRCREV_machine_qemuarm64 ?= "73b12de4c879e4569bef3b2d0ee9c783a9788b27"
+SRCREV_machine_qemumips ?= "eb7faee13cfce200e9add4ba1852a3fe5d8b92e6"
+SRCREV_machine_qemuppc ?= "73b12de4c879e4569bef3b2d0ee9c783a9788b27"
+SRCREV_machine_qemuriscv64 ?= "73b12de4c879e4569bef3b2d0ee9c783a9788b27"
+SRCREV_machine_qemux86 ?= "73b12de4c879e4569bef3b2d0ee9c783a9788b27"
+SRCREV_machine_qemux86-64 ?= "73b12de4c879e4569bef3b2d0ee9c783a9788b27"
+SRCREV_machine_qemumips64 ?= "8e3bfeb7e9b5aa92c5bea941d361ff5b081a2aaa"
+SRCREV_machine ?= "73b12de4c879e4569bef3b2d0ee9c783a9788b27"
+SRCREV_meta ?= "bb2776d6beaae64b1a0fc902b64376f082085498"
 
 # remap qemuarm to qemuarma15 for the 5.2 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.2;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.2.28"
+LINUX_VERSION ?= "5.2.32"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0001-Fix-SUNRPC-Fix-oops-when-trace-sunrpc_task-events-in.patch b/meta/recipes-kernel/lttng/lttng-modules/0001-Fix-SUNRPC-Fix-oops-when-trace-sunrpc_task-events-in.patch
deleted file mode 100644
index bdbc4f811e..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0001-Fix-SUNRPC-Fix-oops-when-trace-sunrpc_task-events-in.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 1ff7013bcf7f068cf4371d12d758f9c0fd16a619 Mon Sep 17 00:00:00 2001
-From: Quanyang Wang <quanyang.wang@windriver.com>
-Date: Thu, 5 Dec 2019 15:35:32 +0800
-Subject: [PATCH 1/4] Fix: SUNRPC: Fix oops when trace sunrpc_task events in
- nfs client
-
-See upstream commit :
-
-	commit 2ca310fc4160ed0420da65534a21ae77b24326a8
-	Author: Ditang Chen <chendt.fnst@cn.fujitsu.com>
-	Date: Fri, 7 Mar 2014 13:27:57 +0800
-	Subject: SUNRPC: Fix oops when trace sunrpc_task events in nfs client
-
-	When tracking sunrpc_task events in nfs client, the clnt pointer may be NULL.
-
-	[  139.269266] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
-	[  139.269915] IP: [<ffffffffa026f216>] ftrace_raw_event_rpc_task_running+0x86/0xf0 [sunrpc]
-	[  139.269915] PGD 1d293067 PUD 1d294067 PMD 0
-	[  139.269915] Oops: 0000 [#1] SMP
-	[  139.269915] Modules linked in: nfsv4 dns_resolver nfs lockd sunrpc fscache sg ppdev e1000
-	serio_raw pcspkr parport_pc parport i2c_piix4 i2c_core microcode xfs libcrc32c sd_mod sr_mod
-	cdrom ata_generic crc_t10dif crct10dif_common pata_acpi ahci libahci ata_piix libata dm_mirror
-	dm_region_hash dm_log dm_mod
-	[  139.269915] CPU: 0 PID: 59 Comm: kworker/0:2 Not tainted 3.10.0-84.el7.x86_64 #1
-	[  139.269915] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
-	[  139.269915] Workqueue: rpciod rpc_async_schedule [sunrpc]
-	[  139.269915] task: ffff88001b598000 ti: ffff88001b632000 task.ti: ffff88001b632000
-	[  139.269915] RIP: 0010:[<ffffffffa026f216>]  [<ffffffffa026f216>] ftrace_raw_event_rpc_task_running+0x86/0xf0 [sunrpc]
-	[  139.269915] RSP: 0018:ffff88001b633d70  EFLAGS: 00010206
-	[  139.269915] RAX: ffff88001dfc5338 RBX: ffff88001cc37a00 RCX: ffff88001dfc5334
-	[  139.269915] RDX: ffff88001dfc5338 RSI: 0000000000000000 RDI: ffff88001dfc533c
-	[  139.269915] RBP: ffff88001b633db0 R08: 000000000000002c R09: 000000000000000a
-	[  139.269915] R10: 0000000000062180 R11: 00000020759fb9dc R12: ffffffffa0292c20
-	[  139.269915] R13: ffff88001dfc5334 R14: 0000000000000000 R15: 0000000000000000
-	[  139.269915] FS:  0000000000000000(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
-	[  139.269915] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
-	[  139.269915] CR2: 0000000000000004 CR3: 000000001d290000 CR4: 00000000000006f0
-	[  139.269915] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
-	[  139.269915] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
-	[  139.269915] Stack:
-	[  139.269915]  000000001b633d98 0000000000000246 ffff88001df1dc00 ffff88001cc37a00
-	[  139.269915]  ffff88001bc35e60 0000000000000000 ffff88001ffa0a48 ffff88001bc35ee0
-	[  139.269915]  ffff88001b633e08 ffffffffa02704b5 0000000000010000 ffff88001cc37a70
-	[  139.269915] Call Trace:
-	[  139.269915]  [<ffffffffa02704b5>] __rpc_execute+0x1d5/0x400 [sunrpc]
-	[  139.269915]  [<ffffffffa0270706>] rpc_async_schedule+0x26/0x30 [sunrpc]
-	[  139.269915]  [<ffffffff8107867b>] process_one_work+0x17b/0x460
-	[  139.269915]  [<ffffffff8107942b>] worker_thread+0x11b/0x400
-	[  139.269915]  [<ffffffff81079310>] ? rescuer_thread+0x3e0/0x3e0
-	[  139.269915]  [<ffffffff8107fc80>] kthread+0xc0/0xd0
-	[  139.269915]  [<ffffffff8107fbc0>] ? kthread_create_on_node+0x110/0x110
-	[  139.269915]  [<ffffffff815d122c>] ret_from_fork+0x7c/0xb0
-	[  139.269915]  [<ffffffff8107fbc0>] ? kthread_create_on_node+0x110/0x110
-	[  139.269915] Code: 4c 8b 45 c8 48 8d 7d d0 89 4d c4 41 89 c9 b9 28 00 00 00 e8 9d b4 e9
-	e0 48 85 c0 49 89 c5 74 a2 48 89 c7 e8 9d 3f e9 e0 48 89 c2 <41> 8b 46 04 48 8b 7d d0 4c
-	89 e9 4c 89 e6 89 42 0c 0f b7 83 d4
-	[  139.269915] RIP  [<ffffffffa026f216>] ftrace_raw_event_rpc_task_running+0x86/0xf0 [sunrpc]
-	[  139.269915]  RSP <ffff88001b633d70>
-	[  139.269915] CR2: 0000000000000004
-	[  140.946406] ---[ end trace ba486328b98d7622 ]---
-
-Upstream-Status: Backport [https://github.com/lttng/lttng-modules/commit/2b228b503cad10bf0c5a99b42a908ca906eab5b9]
-
-Signed-off-by: Quanyang Wang <quanyang.wang@windriver.com>
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
----
- instrumentation/events/lttng-module/rpc.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/instrumentation/events/lttng-module/rpc.h b/instrumentation/events/lttng-module/rpc.h
-index 3798e8e..fb13106 100644
---- a/instrumentation/events/lttng-module/rpc.h
-+++ b/instrumentation/events/lttng-module/rpc.h
-@@ -139,7 +139,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_running,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(unsigned int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(unsigned int, client_id, task->tk_client ? task->tk_client->cl_clid : -1)
- 		ctf_integer_hex(const void *, action, action)
- 		ctf_integer(unsigned long, runstate, task->tk_runstate)
- 		ctf_integer(int, status, task->tk_status)
-@@ -208,7 +208,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_running,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(unsigned int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(unsigned int, client_id, task->tk_client ? task->tk_client->cl_clid : -1)
- 		ctf_integer_hex(const void *, action, action)
- 		ctf_integer(unsigned long, runstate, task->tk_runstate)
- 		ctf_integer(int, status, task->tk_status)
--- 
-2.17.1
-
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0002-Fix-sunrpc-null-rpc_clnt-dereference-in-rpc_task_que.patch b/meta/recipes-kernel/lttng/lttng-modules/0002-Fix-sunrpc-null-rpc_clnt-dereference-in-rpc_task_que.patch
deleted file mode 100644
index 03264bac68..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0002-Fix-sunrpc-null-rpc_clnt-dereference-in-rpc_task_que.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 032a74d83b263c4faead8e4c25d497fb8ea07b6e Mon Sep 17 00:00:00 2001
-From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Date: Thu, 12 Dec 2019 10:29:02 -0500
-Subject: [PATCH 2/4] Fix: sunrpc: null rpc_clnt dereference in rpc_task_queued
- tracepoint
-
-Based on upstream Linux commit:
-
-commit 0be283f676a1e7b208db0c992283197ef8b52158
-Author: Benjamin Coddington <bcodding@redhat.com>
-Date:   Tue Jan 23 09:32:35 2018 -0500
-
-    SUNRPC: Fix null rpc_clnt dereference in rpc_task_queued tracepoint
-
-    Backchannel tasks will not have a reference to the rpc_clnt.  Return -1 for
-    cl_clid in that case.
-
-    Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
-    Signed-off-by: Trond Myklebust <trondmy@gmail.com>
-
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Upstream-Status: Backport [https://github.com/lttng/lttng-modules/commit/8f83a9103dcdf4f6b73783427fc5ded4869309d5]
-Signed-off-by: Quanyang Wang <quanyang.wang@windriver.com>
----
- instrumentation/events/lttng-module/rpc.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/instrumentation/events/lttng-module/rpc.h b/instrumentation/events/lttng-module/rpc.h
-index fb13106..68c622c 100644
---- a/instrumentation/events/lttng-module/rpc.h
-+++ b/instrumentation/events/lttng-module/rpc.h
-@@ -176,7 +176,8 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_queued,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(unsigned int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(unsigned int, client_id, task->tk_client ?
-+				task->tk_client->cl_clid : -1)
- 		ctf_integer(unsigned long, timeout, task->tk_timeout)
- 		ctf_integer(unsigned long, runstate, task->tk_runstate)
- 		ctf_integer(int, status, task->tk_status)
--- 
-2.17.1
-
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0003-Fix-sunrpc-use-signed-integer-for-client-id.patch b/meta/recipes-kernel/lttng/lttng-modules/0003-Fix-sunrpc-use-signed-integer-for-client-id.patch
deleted file mode 100644
index c7529f16dd..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0003-Fix-sunrpc-use-signed-integer-for-client-id.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 70389e422dd3146161089d454f525367c9046ecd Mon Sep 17 00:00:00 2001
-From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Date: Thu, 12 Dec 2019 10:29:37 -0500
-Subject: [PATCH 3/4] Fix: sunrpc: use signed integer for client id
-
-Within include/linux/sunrpc/clnt.h:struct rpc_cltn, the cl_clid field
-is an unsigned integer, which is the type expected by the tracepoint
-signature.
-
-However, looking into net/sunrpc/clnt.c:rpc_alloc_clid(), its allocation
-considers negative signed integer as errors.
-
-Therefore, in order to properly show "-1" in the trace output (rather
-than MAX_INT) when called with a NULL task->tk_client, move to a
-signed integer as backing type for the client_id field.
-
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Upstream-Status: Backport [https://github.com/lttng/lttng-modules/commit/cc7bb0aa52cae22255581d67841449bb8ea36fda]
-Signed-off-by: Quanyang Wang <quanyang.wang@windriver.com>
----
- instrumentation/events/lttng-module/rpc.h | 19 +++++++++++--------
- 1 file changed, 11 insertions(+), 8 deletions(-)
-
-diff --git a/instrumentation/events/lttng-module/rpc.h b/instrumentation/events/lttng-module/rpc.h
-index 68c622c..2d06e55 100644
---- a/instrumentation/events/lttng-module/rpc.h
-+++ b/instrumentation/events/lttng-module/rpc.h
-@@ -18,7 +18,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_status,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(unsigned int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(int, client_id, task->tk_client->cl_clid)
- 		ctf_integer(int, status, task->tk_status)
- 	)
- )
-@@ -43,7 +43,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_status,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(unsigned int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(int, client_id, task->tk_client->cl_clid)
- 		ctf_integer(int, status, task->tk_status)
- 	)
- )
-@@ -100,7 +100,7 @@ LTTNG_TRACEPOINT_EVENT(rpc_connect_status,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(unsigned int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(int, client_id, task->tk_client->cl_clid)
- 		ctf_integer(int, status, task->tk_status)
- 	)
- )
-@@ -112,7 +112,7 @@ LTTNG_TRACEPOINT_EVENT(rpc_connect_status,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(unsigned int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(int, client_id, task->tk_client->cl_clid)
- 		ctf_integer(int, status, status)
- 	)
- )
-@@ -139,7 +139,8 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_running,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(unsigned int, client_id, task->tk_client ? task->tk_client->cl_clid : -1)
-+		ctf_integer(int, client_id, task->tk_client ?
-+			task->tk_client->cl_clid : -1)
- 		ctf_integer_hex(const void *, action, action)
- 		ctf_integer(unsigned long, runstate, task->tk_runstate)
- 		ctf_integer(int, status, task->tk_status)
-@@ -176,7 +177,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_queued,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(unsigned int, client_id, task->tk_client ?
-+		ctf_integer(int, client_id, task->tk_client ?
- 				task->tk_client->cl_clid : -1)
- 		ctf_integer(unsigned long, timeout, task->tk_timeout)
- 		ctf_integer(unsigned long, runstate, task->tk_runstate)
-@@ -209,7 +210,8 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_running,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(unsigned int, client_id, task->tk_client ? task->tk_client->cl_clid : -1)
-+		ctf_integer(int, client_id, task->tk_client ?
-+			task->tk_client->cl_clid : -1)
- 		ctf_integer_hex(const void *, action, action)
- 		ctf_integer(unsigned long, runstate, task->tk_runstate)
- 		ctf_integer(int, status, task->tk_status)
-@@ -246,7 +248,8 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_queued,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(unsigned int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(int, client_id, task->tk_client ?
-+			task->tk_client->cl_clid : -1)
- 		ctf_integer(unsigned long, timeout, task->tk_timeout)
- 		ctf_integer(unsigned long, runstate, task->tk_runstate)
- 		ctf_integer(int, status, task->tk_status)
--- 
-2.17.1
-
diff --git a/meta/recipes-kernel/lttng/lttng-modules/0004-sunrpc-introduce-lttng_get_clid-helper.patch b/meta/recipes-kernel/lttng/lttng-modules/0004-sunrpc-introduce-lttng_get_clid-helper.patch
deleted file mode 100644
index 4dd726cf2c..0000000000
--- a/meta/recipes-kernel/lttng/lttng-modules/0004-sunrpc-introduce-lttng_get_clid-helper.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From b6903d57e4c3234ec5b1c7f72e232023cdee0fab Mon Sep 17 00:00:00 2001
-From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Date: Thu, 12 Dec 2019 10:39:38 -0500
-Subject: [PATCH 4/4] sunrpc: introduce lttng_get_clid helper
-
-Introduce the lttng_get_clid helper to always check for NULL pointer
-when getting the client id. While not always strictly needed depending
-on the tracepoint callsite, prefer robustness of instrumentation and
-always check for NULL rather than play whack-a-mole.
-
-Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
-Upstream-Status: Backport [https://github.com/lttng/lttng-modules/commit/1330a091a687a406513c3a326c2fc2a0dbe75536]
-Signed-off-by: Quanyang Wang <quanyang.wang@windriver.com>
----
- instrumentation/events/lttng-module/rpc.h | 43 ++++++++++++++++-------
- 1 file changed, 31 insertions(+), 12 deletions(-)
-
-diff --git a/instrumentation/events/lttng-module/rpc.h b/instrumentation/events/lttng-module/rpc.h
-index 2d06e55..ceaf9db 100644
---- a/instrumentation/events/lttng-module/rpc.h
-+++ b/instrumentation/events/lttng-module/rpc.h
-@@ -9,6 +9,29 @@
- #include <linux/sunrpc/sched.h>
- #include <linux/sunrpc/clnt.h>
- 
-+#ifndef ONCE_LTTNG_RPC_H
-+#define ONCE_LTTNG_RPC_H
-+
-+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,12,0))
-+static inline
-+int lttng_get_clid(const struct rpc_task *task)
-+{
-+	struct rpc_clnt *tk_client;
-+
-+	tk_client = task->tk_client;
-+	if (!tk_client)
-+		return -1;
-+	/*
-+	 * The cl_clid field is always initialized to positive signed
-+	 * integers. Negative signed integer values are treated as
-+	 * errors.
-+	 */
-+	return (int) tk_client->cl_clid;
-+}
-+#endif /* #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,12,0)) */
-+
-+#endif /* ONCE_LTTNG_RPC_H */
-+
- #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5,0,0))
- LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_status,
- 
-@@ -18,7 +41,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_status,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(int, client_id, lttng_get_clid(task))
- 		ctf_integer(int, status, task->tk_status)
- 	)
- )
-@@ -43,7 +66,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_status,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(int, client_id, lttng_get_clid(task))
- 		ctf_integer(int, status, task->tk_status)
- 	)
- )
-@@ -100,7 +123,7 @@ LTTNG_TRACEPOINT_EVENT(rpc_connect_status,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(int, client_id, lttng_get_clid(task))
- 		ctf_integer(int, status, task->tk_status)
- 	)
- )
-@@ -112,7 +135,7 @@ LTTNG_TRACEPOINT_EVENT(rpc_connect_status,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(int, client_id, task->tk_client->cl_clid)
-+		ctf_integer(int, client_id, lttng_get_clid(task))
- 		ctf_integer(int, status, status)
- 	)
- )
-@@ -139,8 +162,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_running,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(int, client_id, task->tk_client ?
--			task->tk_client->cl_clid : -1)
-+		ctf_integer(int, client_id, lttng_get_clid(task))
- 		ctf_integer_hex(const void *, action, action)
- 		ctf_integer(unsigned long, runstate, task->tk_runstate)
- 		ctf_integer(int, status, task->tk_status)
-@@ -177,8 +199,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_queued,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(int, client_id, task->tk_client ?
--				task->tk_client->cl_clid : -1)
-+		ctf_integer(int, client_id, lttng_get_clid(task))
- 		ctf_integer(unsigned long, timeout, task->tk_timeout)
- 		ctf_integer(unsigned long, runstate, task->tk_runstate)
- 		ctf_integer(int, status, task->tk_status)
-@@ -210,8 +231,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_running,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(int, client_id, task->tk_client ?
--			task->tk_client->cl_clid : -1)
-+		ctf_integer(int, client_id, lttng_get_clid(task))
- 		ctf_integer_hex(const void *, action, action)
- 		ctf_integer(unsigned long, runstate, task->tk_runstate)
- 		ctf_integer(int, status, task->tk_status)
-@@ -248,8 +268,7 @@ LTTNG_TRACEPOINT_EVENT_CLASS(rpc_task_queued,
- 
- 	TP_FIELDS(
- 		ctf_integer(unsigned int, task_id, task->tk_pid)
--		ctf_integer(int, client_id, task->tk_client ?
--			task->tk_client->cl_clid : -1)
-+		ctf_integer(int, client_id, lttng_get_clid(task))
- 		ctf_integer(unsigned long, timeout, task->tk_timeout)
- 		ctf_integer(unsigned long, runstate, task->tk_runstate)
- 		ctf_integer(int, status, task->tk_status)
--- 
-2.17.1
-
diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.10.11.bb b/meta/recipes-kernel/lttng/lttng-modules_2.10.14.bb
index cc4f44519a..1c24e94902 100644
--- a/meta/recipes-kernel/lttng/lttng-modules_2.10.11.bb
+++ b/meta/recipes-kernel/lttng/lttng-modules_2.10.14.bb
@@ -14,14 +14,10 @@ COMPATIBLE_HOST = '(x86_64|i.86|powerpc|aarch64|mips|nios2|arm|riscv).*-linux'
 SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://Makefile-Do-not-fail-if-CONFIG_TRACEPOINTS-is-not-en.patch \
            file://BUILD_RUNTIME_BUG_ON-vs-gcc7.patch \
-           file://0001-Fix-SUNRPC-Fix-oops-when-trace-sunrpc_task-events-in.patch \
-           file://0002-Fix-sunrpc-null-rpc_clnt-dereference-in-rpc_task_que.patch \
-           file://0003-Fix-sunrpc-use-signed-integer-for-client-id.patch \
-           file://0004-sunrpc-introduce-lttng_get_clid-helper.patch \
            "
 
-SRC_URI[md5sum] = "c618fb646514dfc1bf910cfd7cda4256"
-SRC_URI[sha256sum] = "7f91e39b2e8e46d8bbba2b4c8c1614f1fb380611cd1a1fccc1d1859be26112f1"
+SRC_URI[md5sum] = "3e9ed67a2da17edf93194f8a5e75a246"
+SRC_URI[sha256sum] = "d0ba614a9cac3daf8ac034837f8b786e6be2ce0242aeecef7096bed5e03b762c"
 
 export INSTALL_MOD_DIR="kernel/lttng-modules"
 
@@ -44,7 +40,7 @@ SRC_URI_class-devupstream = "git://git.lttng.org/lttng-modules;branch=stable-2.1
            file://Makefile-Do-not-fail-if-CONFIG_TRACEPOINTS-is-not-en.patch \
            file://BUILD_RUNTIME_BUG_ON-vs-gcc7.patch \
            "
-SRCREV_class-devupstream = "624aca5d7507fbd11ea4a1a474c3aa1031bd9a31"
-PV_class-devupstream = "2.10.10+git${SRCPV}"
+SRCREV_class-devupstream = "b34304f146ea234ea764580d7ce1b03d05a215f9"
+PV_class-devupstream = "2.10.14+git${SRCPV}"
 S_class-devupstream = "${WORKDIR}/git"
 SRCREV_FORMAT ?= "lttng_git"
diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb
index 8201c0cb60..90f05c0e62 100644
--- a/meta/recipes-kernel/perf/perf.bb
+++ b/meta/recipes-kernel/perf/perf.bb
@@ -51,7 +51,7 @@ export PYTHON_SITEPACKAGES_DIR
 #kernel 3.1+ supports WERROR to disable warnings as errors
 export WERROR = "0"
 
-do_populate_lic[depends] += "virtual/kernel:do_patch"
+do_populate_lic[depends] += "virtual/kernel:do_shared_workdir"
 
 # needed for building the tools/perf Perl binding
 include ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'perf-perl.inc', '', d)}
diff --git a/meta/recipes-sato/webkit/webkitgtk/fix-link-error.patch b/meta/recipes-sato/webkit/webkitgtk/fix-link-error.patch
new file mode 100755
index 0000000000..9696ddd691
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/fix-link-error.patch
@@ -0,0 +1,45 @@
+webkitgtk: fix an occasional link error
+
+Part of ae465a4e...  Changelog is not included in the source tarball.
+
+Upstream-Status:  backport [git://git.webkit.org/WebKit.git]
+
+commit ae465a4e3b1498b6c4038fc7e596e0e3662d116f
+Author: Hironori.Fujii@sony.com <Hironori.Fujii@sony.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date:   Fri Jun 28 07:38:09 2019 +0000
+
+    [Win] unresolved external symbol "JSC::JSObject::didBecomePrototype(void)" referenced in function "JSC::Structure::create(...)"
+    https://bugs.webkit.org/show_bug.cgi?id=199312
+    
+    Reviewed by Keith Miller.
+    
+    WinCairo port, clang-cl Release builds reported a following linkage error:
+    
+    > WebCore.lib(UnifiedSource-4babe430-10.cpp.obj) : error LNK2019: unresolved external symbol "public: void __cdecl JSC::JSObject::didBecomePrototype(void)" (?didBecomePrototype@JSObject@JSC@@QEAAXXZ) referenced in function "public: static class JSC::Structure * __cdecl JSC::Structure::create(class JSC::VM &,class JSC::JSGlobalObject *,class JSC::JSValue,class JSC::TypeInfo const &,struct JSC::ClassInfo const *,unsigned char,unsigned int)" (?create@Structure@JSC@@SAPEAV12@AEAVVM@2@PEAVJSGlobalObject@2@VJSValue@2@AEBVTypeInfo@2@PEBUClassInfo@2@EI@Z)
+    
+    No new tests because there is no behavior change.
+    
+    * Modules/indexeddb/server/SQLiteIDBBackingStore.cpp: Include <JavaScriptCore/JSCInlines.h>,
+    and do not include headers which is included by it.
+    
+    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@246922 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+[ modification of Changelog deleted ]
+
+diff --git a/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp b/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp
+index d1b047c..0899a9a 100644
+--- a/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp
++++ b/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp
+@@ -49,11 +49,8 @@
+ #include "SQLiteTransaction.h"
+ #include "ThreadSafeDataBuffer.h"
+ #include <JavaScriptCore/AuxiliaryBarrierInlines.h>
+-#include <JavaScriptCore/HeapInlines.h>
+-#include <JavaScriptCore/JSCJSValueInlines.h>
+-#include <JavaScriptCore/JSGlobalObject.h>
++#include <JavaScriptCore/JSCInlines.h>
+ #include <JavaScriptCore/StrongInlines.h>
+-#include <JavaScriptCore/StructureInlines.h>
+ #include <wtf/FileSystem.h>
+ #include <wtf/NeverDestroyed.h>
+ #include <wtf/text/StringConcatenateNumbers.h>
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.24.4.bb b/meta/recipes-sato/webkit/webkitgtk_2.24.4.bb
index c090782411..1c71762945 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.24.4.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.24.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
            file://include_array.patch \
            file://narrowing.patch \
            file://0001-gstreamer-add-a-missing-format-string.patch \
+           file://fix-link-error.patch \
            "
 
 SRC_URI[md5sum] = "c214963d8c0e7d83460da04a0d8dda87"
diff --git a/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch
new file mode 100644
index 0000000000..fd68461e32
--- /dev/null
+++ b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0001.patch
@@ -0,0 +1,999 @@
+From de29341638833ba7717bd6b5e6850998454b044b Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 17 Aug 2019 17:06:53 -0400
+Subject: [PATCH 1/2] Don't allow null-terminated UCS-2/4 strings using the
+ original API.
+
+Detect if the encoding is UCS-2/4 and the length is -1 in affected API
+functions and refuse to convert the string.  If the string ends up
+being converted somehow, abort with an error message in DecodeDirect
+and ConvDirect.  To convert a null terminated string in
+Decode/ConvDirect, a negative number corresponding to the width of the
+underlying character type for the encoding is expected; for example,
+if the encoding is "ucs-2" then a the size is expected to be -2.
+
+Also fix a 1-3 byte over-read in DecodeDirect when reading UCS-2/4
+strings when a size is provided (found by OSS-Fuzz).
+
+Also fix a bug in DecodeDirect that caused DocumentChecker to return
+the wrong offsets when working with UCS-2/4 strings.
+
+CVE: CVE-2019-20433
+Upstream-Status: Backport [https://github.com/GNUAspell/aspell/commit/de29341638833ba7717bd6b5e6850998454b044b]
+
+[SG: - adjusted context
+     - discarded test changes as test framework is not available
+     - discarded manual entry changes for features that aren't backported]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ auto/MkSrc/CcHelper.pm      | 99 ++++++++++++++++++++++++++++++++++---
+ auto/MkSrc/Create.pm        |  5 +-
+ auto/MkSrc/Info.pm          |  5 +-
+ auto/MkSrc/ProcCc.pm        | 24 +++++----
+ auto/MkSrc/ProcImpl.pm      | 57 +++++++++++++++------
+ auto/MkSrc/Read.pm          |  4 +-
+ auto/mk-src.in              | 44 +++++++++++++++--
+ common/convert.cpp          | 39 ++++++++++++---
+ common/convert.hpp          | 38 +++++++++++++-
+ common/document_checker.cpp | 17 ++++++-
+ common/document_checker.hpp |  1 +
+ common/version.cpp          | 15 ++++--
+ configure.ac                |  8 +++
+ manual/aspell.texi          | 58 ++++++++++++++++------
+ manual/readme.texi          | 70 +++++++++++++++++++++-----
+ 15 files changed, 409 insertions(+), 75 deletions(-)
+
+diff --git a/auto/MkSrc/CcHelper.pm b/auto/MkSrc/CcHelper.pm
+index f2de991..0044335 100644
+--- a/auto/MkSrc/CcHelper.pm
++++ b/auto/MkSrc/CcHelper.pm
+@@ -10,8 +10,8 @@ BEGIN {
+   use Exporter;
+   our @ISA = qw(Exporter);
+   our @EXPORT = qw(to_c_return_type c_error_cond
+-		   to_type_name make_desc make_func call_func
+-		   make_c_method call_c_method form_c_method
++		   to_type_name make_desc make_func call_func get_c_func_name
++		   make_c_method make_wide_macro call_c_method form_c_method
+ 		   make_cxx_method);
+ }
+ 
+@@ -90,6 +90,69 @@ sub make_func ( $ \@ $ ; \% ) {
+ 	   ')'));
+ }
+ 
++=item make_wide_version NAME @TYPES PARMS ; %ACCUM
++
++Creates the wide character version of the function if needed
++
++=cut
++
++sub make_wide_version ( $ \@ $ ; \% ) {
++  my ($name, $d, $p, $accum) = @_;
++  my @d = @$d;
++  shift @d;
++  return '' unless grep {$_->{type} eq 'encoded string'} @d;
++  $accum->{sys_headers}{'stddef.h'} = true;
++  $accum->{suffix}[5] = <<'---';
++
++/******************* private implemantion details *********************/
++
++#ifdef __cplusplus
++#  define aspell_cast_(type, expr) (static_cast<type>(expr))
++#  define aspell_cast_from_wide_(str) (static_cast<const void *>(str))
++#else
++#  define aspell_cast_(type, expr) ((type)(expr))
++#  define aspell_cast_from_wide_(str) ((const char *)(str))
++#endif
++---
++  my @parms = map {$_->{type} eq 'encoded string'
++                       ? ($_->{name}, $_->{name}.'_size')
++                       : $_->{name}} @d;
++  $name = to_lower $name;
++  $accum->{suffix}[0] = <<'---';
++/**********************************************************************/
++
++#ifdef ASPELL_ENCODE_SETTING_SECURE
++---
++  $accum->{suffix}[2] = "#endif\n";
++  my @args = map  {$_->{type} eq 'encoded string'
++                       ? ($_->{name}, "$_->{name}_size", '-1')
++                       : $_->{name}} @d;
++  $accum->{suffix}[1] .=
++      (join '',
++       "#define $name",
++       '(', join(', ', @parms), ')',
++       "\\\n    ",
++       $name, '_wide',
++       '(', join(', ', @args), ')',
++       "\n");
++  @args = map  {$_->{type} eq 'encoded string'
++                    ? ("aspell_cast_from_wide_($_->{name})",
++                       "$_->{name}_size*aspell_cast_(int,sizeof(*($_->{name})))",
++                       "sizeof(*($_->{name}))")
++                    : $_->{name}} @d;
++  return (join '',
++          "\n",
++          "/* version of $name that is safe to use with (null terminated) wide characters */\n",
++          '#define ',
++          $name, '_w',
++          '(', join(', ', @parms), ')', 
++          "\\\n    ",
++          $name, '_wide',
++          '(', join(', ', @args), ')',
++          "\n");
++}
++
++
+ =item call_func NAME @TYPES PARMS ; %ACCUM
+ 
+ Return a string to call a func.  Will prefix the function with return
+@@ -103,7 +166,6 @@ Parms can be any of:
+ 
+ sub call_func ( $ \@ $ ; \% ) {
+   my ($name, $d, $p, $accum) = @_;
+-  $accum = {} unless defined $accum;
+   my @d = @$d;
+   my $func_ret = to_type_name(shift @d, {%$p,pos=>'return'}, %$accum);
+   return (join '',
+@@ -148,8 +210,14 @@ sub to_type_name ( $ $ ; \% ) {
+   my $name = $t->{name};
+   my $type = $t->{type};
+ 
+-  return ( (to_type_name {%$d, type=>'string'}, $p, %$accum) ,
+-	   (to_type_name {%$d, type=>'int', name=>"$d->{name}_size"}, $p, %$accum) )
++  if ($name eq 'encoded string' && $is_cc && $pos eq 'parm') {
++    my @types = ((to_type_name {%$d, type=>($p->{wide}?'const void pointer':'string')}, $p, %$accum),
++                 (to_type_name {%$d, type=>'int', name=>"$d->{name}_size"}, $p, %$accum));
++    push @types, (to_type_name {%$d, type=>'int', name=>"$d->{name}_type_width"}, $p, %$accum) if $p->{wide};
++    return @types;
++  }
++  return ( (to_type_name {%$d, type=>($p->{wide}?'const void pointer':'string')}, $p, %$accum) ,
++           (to_type_name {%$d, type=>'int', name=>"$d->{name}_size"}, $p, %$accum) )
+       if $name eq 'encoded string' && $is_cc && $pos eq 'parm';
+ 
+   my $str;
+@@ -174,7 +242,7 @@ sub to_type_name ( $ $ ; \% ) {
+ 	$str .= "String";
+       }
+     } elsif ($name eq 'encoded string') {
+-      $str .= "const char *";
++      $str .= $p->{wide} ? "const void *" : "const char *";
+     } elsif ($name eq '') {
+       $str .= "void";
+     } elsif ($name eq 'bool' && $is_cc) {
+@@ -186,7 +254,7 @@ sub to_type_name ( $ $ ; \% ) {
+       if ($t->{pointer}) {
+ 	$accum->{types}->{$name} = $t;
+       } else {
+-	$accum->{headers}->{$t->{created_in}} = true;
++        $accum->{headers}->{$t->{created_in}} = true unless $mode eq 'cc';
+       }
+       $str .= "$c_type Aspell" if $mode eq 'cc';
+       $str .= to_mixed($name);
+@@ -214,6 +282,7 @@ sub to_type_name ( $ $ ; \% ) {
+   return $str;
+ }
+ 
++
+ =item make_desc DESC ; LEVEL
+ 
+ Make a C comment out of DESC optionally indenting it LEVEL spaces.
+@@ -286,6 +355,7 @@ sub form_c_method ($ $ $ ; \% )
+     } else {
+       $func = "aspell $class $name";
+     }
++    $func .= " wide" if $p->{wide};
+     if (exists $d->{'const'}) {
+       splice @data, 1, 0, {type => "const $class", name=> $this_name};
+     } else {
+@@ -306,6 +376,21 @@ sub make_c_method ($ $ $ ; \%)
+   return &make_func(@ret);
+ }
+ 
++sub get_c_func_name ($ $ $)
++{
++  my @ret = &form_c_method(@_);
++  return undef unless @ret > 0;
++  return to_lower $ret[0];
++}
++
++sub make_wide_macro ($ $ $ ; \%)
++{
++  my @ret = &form_c_method(@_);
++  return undef unless @ret > 0;
++  my $str = &make_wide_version(@ret);
++  return $str;
++}
++
+ sub call_c_method ($ $ $ ; \%)
+ {
+   my @ret = &form_c_method(@_);
+diff --git a/auto/MkSrc/Create.pm b/auto/MkSrc/Create.pm
+index d39b60e..630ede5 100644
+--- a/auto/MkSrc/Create.pm
++++ b/auto/MkSrc/Create.pm
+@@ -77,8 +77,10 @@ sub create_cc_file ( % )  {
+   $file .= "#include \"aspell.h\"\n" if $p{type} eq 'cxx';
+   $file .= "#include \"settings.h\"\n" if $p{type} eq 'native_impl' && $p{name} eq 'errors';
+   $file .= "#include \"gettext.h\"\n" if $p{type} eq 'native_impl' && $p{name} eq 'errors';
++  $file .= cmap {"#include <$_>\n"} sort keys %{$accum{sys_headers}};
+   $file .= cmap {"#include \"".to_lower($_).".hpp\"\n"} sort keys %{$accum{headers}};
+-  $file .= "#ifdef __cplusplus\nextern \"C\" {\n#endif\n" if $p{header} && !$p{cxx};
++  $file .= "\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n" if $p{header} && !$p{cxx};
++  $file .= join('', grep {defined $_} @{$accum{prefix}});
+   $file .= "\nnamespace $p{namespace} {\n\n" if $p{cxx};
+   if (defined $info{forward}{proc}{$p{type}}) {
+     my @types = sort {$a->{name} cmp $b->{name}} (values %{$accum{types}});
+@@ -86,6 +88,7 @@ sub create_cc_file ( % )  {
+   }
+   $file .= "\n";
+   $file .= $body;
++  $file .= join('', grep {defined $_} @{$accum{suffix}});
+   $file .= "\n\n}\n\n" if $p{cxx};
+   $file .= "#ifdef __cplusplus\n}\n#endif\n" if $p{header} && !$p{cxx};
+   $file .= "#endif /* $hm */\n" if $p{header};
+diff --git a/auto/MkSrc/Info.pm b/auto/MkSrc/Info.pm
+index c644028..ace8e21 100644
+--- a/auto/MkSrc/Info.pm
++++ b/auto/MkSrc/Info.pm
+@@ -60,6 +60,7 @@ each proc sub should take the following argv
+     the object from which it is a member of
+   no native: do not attempt to create a native implementation
+   treat as object: treat as a object rather than a pointer
++  no conv: do not converted an encoded string
+ 
+ The %info structure is initialized as follows:
+ 
+@@ -104,8 +105,8 @@ The %info structure is initialized as follows:
+   errors => {}, # possible errors
+   method => {
+     # A class method
+-    options => ['desc', 'posib err', 'c func', 'const',
+-		'c only', 'c impl', 'cxx impl'],
++    options => ['desc', 'posib err', 'c func', 'const', 'no conv', 'on conv error',
++		'c only', 'c impl', 'cxx impl', 'cc extra'],
+     groups => undef},
+   constructor => {
+     # A class constructor
+diff --git a/auto/MkSrc/ProcCc.pm b/auto/MkSrc/ProcCc.pm
+index 47c4338..98cc435 100644
+--- a/auto/MkSrc/ProcCc.pm
++++ b/auto/MkSrc/ProcCc.pm
+@@ -23,7 +23,7 @@ use MkSrc::Info;
+ sub make_c_object ( $ @ );
+ 
+ $info{group}{proc}{cc} = sub {
+-  my ($data) = @_;
++  my ($data,@rest) = @_;
+   my $ret;
+   my $stars = (70 - length $data->{name})/2;
+   $ret .= "/";
+@@ -33,14 +33,14 @@ $info{group}{proc}{cc} = sub {
+   $ret .= "/\n";
+   foreach my $d (@{$data->{data}}) {
+     $ret .= "\n\n";
+-    $ret .= $info{$d->{type}}{proc}{cc}->($d);
++    $ret .= $info{$d->{type}}{proc}{cc}->($d,@rest);
+   }
+   $ret .= "\n\n";
+   return $ret;
+ };
+ 
+ $info{enum}{proc}{cc} = sub {
+-  my ($d) = @_;
++  my ($d,@rest) = @_;
+   my $n = "Aspell".to_mixed($d->{name});
+   return ("\n".
+ 	  make_desc($d->{desc}).
+@@ -58,21 +58,26 @@ $info{struct}{proc}{cc} = sub {
+ };
+ 
+ $info{union}{proc}{cc} = sub {
+-  return make_c_object "union", $_[0];
++  return make_c_object "union", @_;
+ };
+ 
+ $info{class}{proc}{cc} = sub {
+-  my ($d) = @_;
++  my ($d,$accum) = @_;
+   my $class = $d->{name};
+   my $classname = "Aspell".to_mixed($class);
+   my $ret = "";
+   $ret .= "typedef struct $classname $classname;\n\n";
+   foreach (@{$d->{data}}) {
+-    my $s = make_c_method($class, $_, {mode=>'cc'});
++    my $s = make_c_method($class, $_, {mode=>'cc'}, %$accum);
+     next unless defined $s;
+     $ret .= "\n";
+     $ret .= make_desc($_->{desc});
+-    $ret .= make_c_method($class, $_, {mode=>'cc'}).";\n";
++    $ret .= make_c_method($class, $_, {mode=>'cc'}, %$accum).";\n";
++    if (grep {$_->{type} eq 'encoded string'} @{$_->{data}}) {
++      $ret .= make_c_method($class, $_, {mode=>'cc', wide=>true}, %$accum).";\n";
++      $ret .= make_wide_macro($class, $_, {mode=>'cc'}, %$accum);
++    }
++    $ret .= "\n".$_->{'cc extra'}."\n" if defined $_->{'cc extra'};
+   }
+   $ret .= "\n";
+   return $ret;
+@@ -105,7 +110,8 @@ $info{errors}{proc}{cc} = sub {
+ };
+ 
+ sub make_c_object ( $ @ ) {
+-  my ($t, $d) = @_;
++  my ($t, $d, $accum) = @_;
++  $accum = {} unless defined $accum;
+   my $struct;
+   $struct .= "Aspell";
+   $struct .= to_mixed($d->{name});
+@@ -120,7 +126,7 @@ sub make_c_object ( $ @ ) {
+ 		"\n};\n"),
+ 	  "typedef $t $struct $struct;",
+ 	  join ("\n",
+-		map {make_c_method($d->{name}, $_, {mode=>'cc'}).";"}
++		map {make_c_method($d->{name}, $_, {mode=>'cc'}, %$accum).";"}
+ 		grep {$_->{type} eq 'method'}
+ 		@{$d->{data}})
+ 	  )."\n";
+diff --git a/auto/MkSrc/ProcImpl.pm b/auto/MkSrc/ProcImpl.pm
+index b8628fd..3d0f220 100644
+--- a/auto/MkSrc/ProcImpl.pm
++++ b/auto/MkSrc/ProcImpl.pm
+@@ -45,10 +45,13 @@ $info{class}{proc}{impl} = sub {
+   foreach (grep {$_ ne ''} split /\s*,\s*/, $data->{'c impl headers'}) {
+     $accum->{headers}{$_} = true;
+   }
+-  foreach my $d (@{$data->{data}}) {
++  my @d = @{$data->{data}};
++  while (@d) {
++    my $d = shift @d;
++    my $need_wide = false;
+     next unless one_of $d->{type}, qw(method constructor destructor);
+     my @parms = @{$d->{data}} if exists $d->{data};
+-    my $m = make_c_method $data->{name}, $d, {mode=>'cc_cxx', use_name=>true}, %$accum;
++    my $m = make_c_method $data->{name}, $d, {mode=>'cc_cxx', use_name=>true, wide=>$d->{wide}}, %$accum;
+     next unless defined $m;
+     $ret .= "extern \"C\" $m\n";
+     $ret .= "{\n";
+@@ -57,24 +60,49 @@ $info{class}{proc}{impl} = sub {
+     } else {
+       if ($d->{type} eq 'method') {
+ 	my $ret_type = shift @parms;
+-	my $ret_native = to_type_name $ret_type, {mode=>'native_no_err', pos=>'return'}, %$accum;
++	my $ret_native = to_type_name $ret_type, {mode=>'native_no_err', pos=>'return', wide=>$d->{wide}}, %$accum;
+ 	my $snum = 0;
++        my $call_fun = $d->{name};
++        my @call_parms;
+ 	foreach (@parms) {
+ 	  my $n = to_lower($_->{name});
+-	  if ($_->{type} eq 'encoded string') {
+-	    $accum->{headers}{'mutable string'} = true;
+-	    $accum->{headers}{'convert'} = true;
+-	    $ret .= "  ths->temp_str_$snum.clear();\n";
+-	    $ret .= "  ths->to_internal_->convert($n, ${n}_size, ths->temp_str_$snum);\n";
+-	    $ret .= "  unsigned int s$snum = ths->temp_str_$snum.size();\n";
+-	    $_ = "MutableString(ths->temp_str_$snum.mstr(), s$snum)";
+-	    $snum++;
++	  if ($_->{type} eq 'encoded string' && !exists($d->{'no conv'})) {
++            $need_wide = true unless $d->{wide};
++            die unless exists $d->{'posib err'};
++            $accum->{headers}{'mutable string'} = true;
++            $accum->{headers}{'convert'} = true;
++            my $name = get_c_func_name $data->{name}, $d, {mode=>'cc_cxx', use_name=>true, wide=>$d->{wide}};
++            $ret .= "  ths->temp_str_$snum.clear();\n";
++            if ($d->{wide}) {
++              $ret .= "  ${n}_size = get_correct_size(\"$name\", ths->to_internal_->in_type_width(), ${n}_size, ${n}_type_width);\n";
++            } else {
++              $ret .= "  PosibErr<int> ${n}_fixed_size = get_correct_size(\"$name\", ths->to_internal_->in_type_width(), ${n}_size);\n";
++              if (exists($d->{'on conv error'})) {
++                $ret .= "  if (${n}_fixed_size.get_err()) {\n";
++                $ret .= "    ".$d->{'on conv error'}."\n";
++                $ret .= "  } else {\n";
++                $ret .= "    ${n}_size = ${n}_fixed_size;\n";
++                $ret .= "  }\n";
++              } else {
++                $ret .= "  ths->err_.reset(${n}_fixed_size.release_err());\n";
++                $ret .= "  if (ths->err_ != 0) return ".(c_error_cond $ret_type).";\n";
++              }
++            }
++            $ret .= "  ths->to_internal_->convert($n, ${n}_size, ths->temp_str_$snum);\n";
++            $ret .= "  unsigned int s$snum = ths->temp_str_$snum.size();\n";
++            push @call_parms, "MutableString(ths->temp_str_$snum.mstr(), s$snum)";
++            $snum++;
++          } elsif ($_->{type} eq 'encoded string') {
++            $need_wide = true unless $d->{wide};
++            push @call_parms, $n, "${n}_size";
++            push @call_parms, "${n}_type_width" if $d->{wide};
++            $call_fun .= " wide" if $d->{wide};
+ 	  } else {
+-	    $_ = $n;
++	    push @call_parms, $n;
+ 	  }
+ 	}
+-	my $parms = '('.(join ', ', @parms).')';
+-	my $exp = "ths->".to_lower($d->{name})."$parms";
++	my $parms = '('.(join ', ', @call_parms).')';
++	my $exp = "ths->".to_lower($call_fun)."$parms";
+ 	if (exists $d->{'posib err'}) {
+ 	  $accum->{headers}{'posib err'} = true;
+ 	  $ret .= "  PosibErr<$ret_native> ret = $exp;\n";
+@@ -118,6 +146,7 @@ $info{class}{proc}{impl} = sub {
+       }
+     }
+     $ret .= "}\n\n";
++    unshift @d,{%$d, wide=>true} if $need_wide;
+   }
+   return $ret;
+ };
+diff --git a/auto/MkSrc/Read.pm b/auto/MkSrc/Read.pm
+index 4b3d1d0..4bf640e 100644
+--- a/auto/MkSrc/Read.pm
++++ b/auto/MkSrc/Read.pm
+@@ -88,13 +88,13 @@ sub advance ( ) {
+     $in_pod = $1 if $line =~ /^\=(\w+)/;
+     $line = '' if $in_pod;
+     $in_pod = undef if $in_pod && $in_pod eq 'cut';
+-    $line =~ s/\#.*$//;
++    $line =~ s/(?<!\\)\#.*$//;
+     $line =~ s/^(\t*)//;
+     $level = $base_level + length($1);
+       $line =~ s/\s*$//;
+     ++$base_level if $line =~ s/^\{$//;
+     --$base_level if $line =~ s/^\}$//;
+-    $line =~ s/\\([{}])/$1/g;
++    $line =~ s/\\([{}#\\])/$1/g;
+   } while ($line eq '');
+   #print "$level:$line\n";
+ }
+diff --git a/auto/mk-src.in b/auto/mk-src.in
+index 0e7833a..eb3353f 100644
+--- a/auto/mk-src.in
++++ b/auto/mk-src.in
+@@ -608,6 +608,7 @@ errors:
+ 		invalid expression
+ 			mesg => "%expression" is not a valid regular expression.
+ 			parms => expression
++
+ }
+ group: speller
+ {
+@@ -650,6 +651,7 @@ class: speller
+ 		posib err
+ 		desc => Returns 0 if it is not in the dictionary,
+ 			1 if it is, or -1 on error.
++		on conv error => return 0;
+ 		/
+ 		bool
+ 		encoded string: word
+@@ -715,6 +717,8 @@ class: speller
+ 		desc => Return NULL on error.
+ 			The word list returned by suggest is only
+ 			valid until the next call to suggest.
++		on conv error =>
++			word = NULL; word_size = 0;
+ 		/
+ 		const word list
+ 		encoded string: word
+@@ -840,7 +844,6 @@ class: document checker
+ 		void
+ 
+ 	method: process
+-
+ 		desc => Process a string.
+ 			The string passed in should only be split on
+ 			white space characters.  Furthermore, between
+@@ -849,10 +852,10 @@ class: document checker
+ 			in the document.  Passing in strings out of
+ 			order, skipping strings or passing them in
+ 			more than once may lead to undefined results.
++		no conv
+ 		/
+ 		void
+-		string: str
+-		int: size
++		encoded string: str
+ 
+ 	method: next misspelling
+ 
+@@ -860,9 +863,23 @@ class: document checker
+ 			processed string.  If there are no more
+ 			misspelled words, then token.word will be
+ 			NULL and token.size will be 0
++		cc extra =>
++			\#define aspell_document_checker_next_misspelling_w(type, ths) \\
++			    aspell_document_checker_next_misspelling_adj(ths, sizeof(type))
+ 		/
+ 		token object
+ 
++	method: next misspelling adj
++		desc => internal: do not use
++		c impl =>
++			Token res = ths->next_misspelling();
++			res.offset /= type_width;
++			res.len /= type_width;
++			return res;
++		/
++		token object
++		int: type_width
++
+ 	method: filter
+ 
+ 		desc => Returns the underlying filter class.
+@@ -922,9 +939,30 @@ class: string enumeration
+ 			  ths->from_internal_->append_null(ths->temp_str);
+ 			  return ths->temp_str.data();
+ 			\}
++		cc extra =>
++			\#define aspell_string_enumeration_next_w(type, ths) \\
++			    aspell_cast_(const type *, aspell_string_enumeration_next_wide(ths, sizeof(type)))
+ 		/
+ 		const string
+ 
++	method: next wide
++		c impl =>
++			const char * s = ths->next();
++			if (s == 0) {
++			  return s;
++			} else if (ths->from_internal_ == 0) \{
++			  assert(type_width == 1);
++			  return s;
++			\} else \{
++			  assert(type_width == ths->from_internal_->out_type_width());
++			  ths->temp_str.clear();
++			  ths->from_internal_->convert(s,-1,ths->temp_str);
++			  ths->from_internal_->append_null(ths->temp_str);
++			  return ths->temp_str.data();
++			\}
++		/
++		const void pointer
++		int: type_width
+ }
+ group: info
+ {
+diff --git a/common/convert.cpp b/common/convert.cpp
+index 1add95a..7ae0317 100644
+--- a/common/convert.cpp
++++ b/common/convert.cpp
+@@ -541,18 +541,25 @@ namespace acommon {
+   // Trivial Conversion
+   //
+ 
++  const char * unsupported_null_term_wide_string_msg =
++    "Null-terminated wide-character strings unsupported when used this way.";
++
+   template <typename Chr>
+   struct DecodeDirect : public Decode 
+   {
++    DecodeDirect() {type_width = sizeof(Chr);}
+     void decode(const char * in0, int size, FilterCharVector & out) const {
+       const Chr * in = reinterpret_cast<const Chr *>(in0);
+-      if (size == -1) {
++      if (size == -sizeof(Chr)) {
+         for (;*in; ++in)
+-          out.append(*in);
++          out.append(*in, sizeof(Chr));
++      } else if (size <= -1) {
++        fprintf(stderr, "%s\n", unsupported_null_term_wide_string_msg);
++        abort();
+       } else {
+-        const Chr * stop = reinterpret_cast<const Chr *>(in0 +size);
++        const Chr * stop = reinterpret_cast<const Chr *>(in0) + size/sizeof(Chr);
+         for (;in != stop; ++in)
+-          out.append(*in);
++          out.append(*in, sizeof(Chr));
+       }
+     }
+     PosibErr<void> decode_ec(const char * in0, int size, 
+@@ -565,6 +572,7 @@ namespace acommon {
+   template <typename Chr>
+   struct EncodeDirect : public Encode
+   {
++    EncodeDirect() {type_width = sizeof(Chr);}
+     void encode(const FilterChar * in, const FilterChar * stop, 
+                 CharVector & out) const {
+       for (; in != stop; ++in) {
+@@ -594,11 +602,15 @@ namespace acommon {
+   template <typename Chr>
+   struct ConvDirect : public DirectConv
+   {
++    ConvDirect() {type_width = sizeof(Chr);}
+     void convert(const char * in0, int size, CharVector & out) const {
+-      if (size == -1) {
++      if (size == -sizeof(Chr)) {
+         const Chr * in = reinterpret_cast<const Chr *>(in0);
+         for (;*in != 0; ++in)
+           out.append(in, sizeof(Chr));
++      } else if (size <= -1) {
++        fprintf(stderr, "%s\n", unsupported_null_term_wide_string_msg);
++        abort();
+       } else {
+         out.append(in0, size);
+       }
+@@ -1121,5 +1133,20 @@ namespace acommon {
+     }
+     return 0;
+   }
+-  
++
++  PosibErr<void> unsupported_null_term_wide_string_err_(const char * func) {
++    static bool reported_to_stderr = false;
++    PosibErr<void> err = make_err(other_error, unsupported_null_term_wide_string_msg);
++    if (!reported_to_stderr) {
++      CERR.printf("ERROR: %s: %s\n", func, unsupported_null_term_wide_string_msg);
++      reported_to_stderr = true;
++    }
++    return err;
++  }
++
++  void unsupported_null_term_wide_string_abort_(const char * func) {
++    CERR.printf("%s: %s\n", unsupported_null_term_wide_string_msg);
++    abort();
++  }
++ 
+ }
+diff --git a/common/convert.hpp b/common/convert.hpp
+index 76332ee..c948973 100644
+--- a/common/convert.hpp
++++ b/common/convert.hpp
+@@ -7,6 +7,8 @@
+ #ifndef ASPELL_CONVERT__HPP
+ #define ASPELL_CONVERT__HPP
+ 
++#include "settings.h"
++
+ #include "string.hpp"
+ #include "posib_err.hpp"
+ #include "char_vector.hpp"
+@@ -25,8 +27,9 @@ namespace acommon {
+     typedef const Config CacheConfig;
+     typedef const char * CacheKey;
+     String key;
++    int type_width; // type width in bytes
+     bool cache_key_eq(const char * l) const  {return key == l;}
+-    ConvBase() {}
++    ConvBase() : type_width(1) {}
+   private:
+     ConvBase(const ConvBase &);
+     void operator=(const ConvBase &);
+@@ -56,6 +59,8 @@ namespace acommon {
+     virtual ~Encode() {}
+   };
+   struct DirectConv { // convert directly from in_code to out_code.
++    int type_width; // type width in bytes
++    DirectConv() : type_width(1) {}
+     // should not take ownership of decode and encode.
+     // decode and encode guaranteed to stick around for the life
+     // of the object.
+@@ -126,6 +131,9 @@ namespace acommon {
+     const char * in_code() const   {return decode_->key.c_str();}
+     const char * out_code() const  {return encode_->key.c_str();}
+ 
++    int in_type_width() const {return decode_->type_width;}
++    int out_type_width() const {return encode_->type_width;}
++
+     void append_null(CharVector & out) const
+     {
+       const char nul[4] = {0,0,0,0}; // 4 should be enough
+@@ -191,6 +199,10 @@ namespace acommon {
+       }
+     }
+ 
++    void convert(const void * in, int size, CharVector & out) {
++      convert(static_cast<const char *>(in), size, out);
++    }
++
+     void generic_convert(const char * in, int size, CharVector & out);
+     
+   };
+@@ -412,6 +424,30 @@ namespace acommon {
+       return operator()(str, str + byte_size);}
+   };
+ 
++#ifdef SLOPPY_NULL_TERM_STRINGS
++  static const bool sloppy_null_term_strings = true;
++#else
++  static const bool sloppy_null_term_strings = false;
++#endif
++  
++  PosibErr<void> unsupported_null_term_wide_string_err_(const char * func);
++  void unsupported_null_term_wide_string_abort_(const char * func);
++    
++  static inline PosibErr<int> get_correct_size(const char * func, int conv_type_width, int size) {
++    if (sloppy_null_term_strings && size <= -1)
++      return -conv_type_width;
++    if (size <= -1 && -conv_type_width != size)
++      return unsupported_null_term_wide_string_err_(func);
++    return size;
++  }
++  static inline int get_correct_size(const char * func, int conv_type_width, int size, int type_width) {
++    if ((sloppy_null_term_strings || type_width <= -1) && size <= -1)
++      return -conv_type_width;
++    if (size <= -1 && conv_type_width != type_width)
++      unsupported_null_term_wide_string_abort_(func);
++    return size;
++  }
++
+ }
+ 
+ #endif
+diff --git a/common/document_checker.cpp b/common/document_checker.cpp
+index 5e510c4..0ccf1cd 100644
+--- a/common/document_checker.cpp
++++ b/common/document_checker.cpp
+@@ -44,7 +44,9 @@ namespace acommon {
+   void DocumentChecker::process(const char * str, int size)
+   {
+     proc_str_.clear();
+-    conv_->decode(str, size, proc_str_);
++    PosibErr<int> fixed_size = get_correct_size("aspell_document_checker_process", conv_->in_type_width(), size);
++    if (!fixed_size.has_err())
++      conv_->decode(str, fixed_size, proc_str_);
+     proc_str_.append(0);
+     FilterChar * begin = proc_str_.pbegin();
+     FilterChar * end   = proc_str_.pend() - 1;
+@@ -53,6 +55,19 @@ namespace acommon {
+     tokenizer_->reset(begin, end);
+   }
+ 
++  void DocumentChecker::process_wide(const void * str, int size, int type_width)
++  {
++    proc_str_.clear();
++    int fixed_size = get_correct_size("aspell_document_checker_process", conv_->in_type_width(), size, type_width);
++    conv_->decode(static_cast<const char *>(str), fixed_size, proc_str_);
++    proc_str_.append(0);
++    FilterChar * begin = proc_str_.pbegin();
++    FilterChar * end   = proc_str_.pend() - 1;
++    if (filter_)
++      filter_->process(begin, end);
++    tokenizer_->reset(begin, end);
++  }
++  
+   Token DocumentChecker::next_misspelling()
+   {
+     bool correct;
+diff --git a/common/document_checker.hpp b/common/document_checker.hpp
+index d35bb88..11a3c73 100644
+--- a/common/document_checker.hpp
++++ b/common/document_checker.hpp
+@@ -36,6 +36,7 @@ namespace acommon {
+     PosibErr<void> setup(Tokenizer *, Speller *, Filter *);
+     void reset();
+     void process(const char * str, int size);
++    void process_wide(const void * str, int size, int type_width);
+     Token next_misspelling();
+     
+     Filter * filter() {return filter_;}
+diff --git a/common/version.cpp b/common/version.cpp
+index 414d938..9e60b75 100644
+--- a/common/version.cpp
++++ b/common/version.cpp
+@@ -1,8 +1,17 @@
+ #include "settings.h"
+ 
+-extern "C" const char * aspell_version_string() {
+ #ifdef NDEBUG
+-  return VERSION " NDEBUG";
++#  define NDEBUG_STR " NDEBUG"
++#else
++#  define NDEBUG_STR
++#endif
++
++#ifdef SLOPPY_NULL_TERM_STRINGS
++#  define SLOPPY_STR " SLOPPY"
++#else
++#  define SLOPPY_STR
+ #endif
+-  return VERSION;
++
++extern "C" const char * aspell_version_string() {
++  return VERSION NDEBUG_STR SLOPPY_STR;
+ }
+diff --git a/configure.ac b/configure.ac
+index 60e3b39..a5d51e3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -73,6 +73,9 @@ AC_ARG_ENABLE(filter-version-control,
+ AC_ARG_ENABLE(32-bit-hash-fun,
+   AS_HELP_STRING([--enable-32-bit-hash-fun],[use 32-bit hash function for compiled dictionaries]))
+ 
++AC_ARG_ENABLE(sloppy-null-term-strings,
++  AS_HELP_STRING([--enable-sloppy-null-term-strings],[allows allow null terminated UCS-2 and UCS-4 strings]))
++
+ AC_ARG_ENABLE(pspell-compatibility,
+   AS_HELP_STRING([--disable-pspell-compatibility],[don't install pspell compatibility libraries]))
+ 
+@@ -141,6 +144,11 @@ then
+   AC_DEFINE(USE_32_BIT_HASH_FUN, 1, [Defined if 32-bit hash function should be used for compiled dictionaries.])
+ fi
+ 
++if test "$enable_sloppy_null_term_strings" = "yes"
++then
++  AC_DEFINE(SLOPPY_NULL_TERM_STRINGS, 1, [Defined if null-terminated UCS-2 and UCS-4 strings should always be allowed.])
++fi
++
+ AM_CONDITIONAL(PSPELL_COMPATIBILITY,  
+   [test "$enable_pspell_compatibility" != "no"])
+ AM_CONDITIONAL(INCREMENTED_SONAME,    
+diff --git a/manual/aspell.texi b/manual/aspell.texi
+index 45fa091..f400e06 100644
+--- a/manual/aspell.texi
++++ b/manual/aspell.texi
+@@ -158,7 +158,8 @@ Installing
+ 
+ * Generic Install Instructions::  
+ * HTML Manuals and "make clean"::  
+-* Curses Notes::                
++* Curses Notes::
++* Upgrading from Aspell 0.60.7::
+ * Loadable Filter Notes::       
+ * Upgrading from Aspell 0.50::  
+ * Upgrading from Aspell .33/Pspell .12::  
+@@ -2206,18 +2207,26 @@ int correct = aspell_speller_check(spell_checker, @var{word}, @var{size});
+ @end smallexample
+ 
+ @noindent
+-@var{word} is expected to be a @code{const char *} character
+-string.  If the encoding is set to be @code{ucs-2} or
+-@code{ucs-4} @var{word} is expected to be a cast
+-from either @code{const u16int *} or @code{const u32int *}
+-respectively.  @code{u16int} and @code{u32int} are generally
+-@code{unsigned short} and @code{unsigned int} respectively.
+-@var{size} is the length of the string or @code{-1} if the string
+-is null terminated.  If the string is a cast from @code{const u16int
+-*} or @code{const u32int *} then @code{@i{size}} is the amount of
+-space in bytes the string takes up after being cast to @code{const
+-char *} and not the true size of the string.  @code{sspell_speller_check}
+-will return @code{0} if it is not found and non-zero otherwise.
++@var{word} is expected to be a @code{const char *} character string.
++@var{size} is the length of the string or @code{-1} if the string is
++null terminated.  @code{aspell_speller_check} will return @code{0} if it is not found
++and non-zero otherwise.
++
++If you are using the @code{ucs-2} or @code{ucs-4} encoding then the
++string is expected to be either a 2 or 4 byte wide integer
++(respectively) and the @code{_w} macro vesion should be used:
++
++@smallexample
++int correct = aspell_speller_check_w(spell_checker, @var{word}, @var{size});
++@end smallexample
++
++The macro will cast the string to to the correct type and convert
++@var{size} into bytes for you and then a call the special wide version of the
++function that will make sure the encoding is correct for the type
++passed in.  For compatibility with older versions of Aspell the normal
++non-wide functions can still be used provided that the size of the
++string, in bytes, is also passed in.  Null terminated @code{ucs-2} or
++@code{ucs-4} are no longer supported when using the non-wide functions.
+ 
+ If the word is not correct, then the @code{suggest} method can be used
+ to come up with likely replacements.
+@@ -2236,7 +2245,28 @@ delete_aspell_string_enumeration(elements);
+ 
+ Notice how @code{elements} is deleted but @code{suggestions} is not.
+ The value returned by @code{suggestions} is only valid to the next
+-call to @code{suggest}.  Once a replacement is made the
++call to @code{suggest}.
++
++If you are using the @code{ucs-2} or @code{ucs-4} encoding then, in
++addition to using the @code{_w} macro for the @code{suggest} method, you
++should also use the @code{_w} macro with the @code{next} method which
++will cast the string to the correct type for you.  For example, if you
++are using the @code{ucs-2} encoding and the string is a @code{const
++uint16_t *} then you should use:
++
++@smallexample
++AspellWordList * suggestions = aspell_speller_suggest_w(spell_checker,
++                                                        @var{word}, @var{size});
++AspellStringEnumeration * elements = aspell_word_list_elements(suggestions);
++const uint16_t * word;
++while ( (word = aspell_string_enumeration_next_w(uint16_t, aspell_elements)) != NULL )
++@{
++  // add to suggestion list
++@}
++delete_aspell_string_enumeration(elements);
++@end smallexample
++
++Once a replacement is made the
+ @code{store_repl} method should be used to communicate the replacement
+ pair back to the spell checker (for the reason, @pxref{Notes on
+ Storing Replacement Pairs}).  Its usage is as follows:
+diff --git a/manual/readme.texi b/manual/readme.texi
+index 669ab8e..531721f 100644
+--- a/manual/readme.texi
++++ b/manual/readme.texi
+@@ -15,15 +15,16 @@ The latest version can always be found at GNU Aspell's home page at
+ @uref{http://aspell.net}.
+ 
+ @menu
+-* Generic Install Instructions::  
+-* HTML Manuals and "make clean"::  
+-* Curses Notes::                
+-* Loadable Filter Notes::       
+-* Using 32-Bit Dictionaries on a 64-Bit System::  
+-* Upgrading from Aspell 0.50::  
+-* Upgrading from Aspell .33/Pspell .12::  
+-* Upgrading from a Pre-0.50 snapshot::  
+-* WIN32 Notes::                 
++* Generic Install Instructions::
++* HTML Manuals and "make clean"::
++* Curses Notes::
++* Upgrading from Aspell 0.60.7::
++* Loadable Filter Notes::
++* Using 32-Bit Dictionaries on a 64-Bit System::
++* Upgrading from Aspell 0.50::
++* Upgrading from Aspell .33/Pspell .12::
++* Upgrading from a Pre-0.50 snapshot::
++* WIN32 Notes::
+ @end menu
+ 
+ @node Generic Install Instructions
+@@ -121,17 +122,62 @@ In addition your system must also support the @code{mblen} function.
+ Although this function was defined in the ISO C89 standard (ANSI
+ X3.159-1989), not all systems have it.
+ 
++@node Upgrading from Aspell 0.60.7
++@appendixsec Upgrading from Aspell 0.60.7
++
++To prevent a potentially unbounded buffer over-read, Aspell no longer
++supports null-terminated UCS-2 and UCS-4 encoded strings with the
++original C API.  Null-termianted 8-bit or UTF-8 encoded strings are
++still supported, as are UCS-2 and UCS-4 encoded strings when the
++length is passed in.
++
++As of Aspell 0.60.8 a function from the original API that expects an
++encoded string as a parameter will return meaningless results (or an
++error code) if string is null terminated and the encoding is set to
++@code{ucs-2} or @code{ucs-4}.  In addition, a single:
++@example
++ERROR: aspell_speller_check: Null-terminated wide-character strings unsupported when used this way.
++@end example
++will be printed to standard error the first time one of those
++functions is called.
++
++Application that use null-terminated UCS-2/4 strings should either (1)
++use the interface intended for working with wide-characters
++(@xref{Through the C API}); or (2) define
++@code{ASPELL_ENCODE_SETTING_SECURE} before including @code{aspell.h}.
++In the latter case is is important that the application explicitly
++sets the encoding to a known value.  Defining
++@code{ASPELL_ENCODE_SETTING_SECURE} and not setting the encoding
++explicitly or allowing user of the application to set the encoding
++could result in an unbounded buffer over-read.
++
++If it is necessary to preserve binary compatibility with older
++versions of Aspell, the easiest thing would be to determine the length
++of the UCS-2/4 string---in bytes---and pass that in.  Due to an
++implemenation detail, existing API functions can be made to work with
++null-terminated UCS-2/4 strings safely by passing in either @code{-2}
++or @code{-4} (corresponding to the width of the character type) as the
++size.  Doing so, however, will cause a buffer over-read for unpatched
++version of Aspell.  To avoid this it will be necessary to parse the
++version string to determine the correct value to use.  However, no
++official support will be provided for the latter method.
++
++If the application can not be recompiled, then Aspell can be configured
++to preserve the old behavior by passing
++@option{--enable-sloppy-null-term-strings} to @command{configure}.  When Aspell
++is compiled this way the version string will include the string
++@samp{ SLOPPY}.
++
+ @node Loadable Filter Notes
+ @appendixsec Loadable Filter Notes
+-
++             
+ Support for being able to load additional filter modules at run-time
+ has only been verified to work on Linux platforms.  If you get linker
+ errors when trying to use a filter, then it is likely that loadable
+ filter support is not working yet on your platform.  Thus, in order to
+ get Aspell to work correctly you will need to avoid compiling the
+ filters as individual modules by using the
+-@option{--enable-compile-in-filters} when configuring Aspell with
+-@command{./configure}.
++@option{--enable-compile-in-filters} @command{configure} option.
+ 
+ @node Using 32-Bit Dictionaries on a 64-Bit System
+ @appendixsec Using 32-Bit Dictionaries on a 64-Bit System
+-- 
+2.17.1
+
diff --git a/meta/recipes-support/aspell/aspell/CVE-2019-20433-0002.patch b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0002.patch
new file mode 100644
index 0000000000..9569ddeebe
--- /dev/null
+++ b/meta/recipes-support/aspell/aspell/CVE-2019-20433-0002.patch
@@ -0,0 +1,68 @@
+From cefd447e5528b08bb0cd6656bc52b4255692cefc Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 17 Aug 2019 20:25:21 -0400
+Subject: [PATCH 2/2] Increment library version to reflect API changes.
+
+CVE: CVE-2019-20433
+Upstream-Status: Backport [https://github.com/GNUAspell/aspell/commit/cefd447e5528b08bb0cd6656bc52b4255692cefc]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ Makefile.am | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 7e15851..19dc044 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -94,18 +94,25 @@ libaspell_la_SOURCES =\
+ 
+ libaspell_la_LIBADD =  $(LTLIBINTL) $(PTHREAD_LIB)
+ 
+-## Libtool to so name
+-## C:R:A => (C-A).(A).(R)
+-## 16:5:0 => 16.0.5
+-## 16:5:1 => 15.1.5
+-## 18:0:2 => 16.2.0 
+-## 17:0:2 => 15.2.0
+-
++## The version string is current[:revision[:age]]
++##
++## Before a release that has changed the source code at all
++## increment revision.
++##
++## After merging changes that have changed the API in a backwards
++## comptable way set revision to 0 and bump both current and age.
++##
++## Do not change the API in a backwards incompatible way.
++##
++## See "Libtool: Updating version info"
++## (https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html)
++## for more into
++##
+ if INCREMENTED_SONAME
+-libaspell_la_LDFLAGS = -version-info 18:0:2 -no-undefined
++libaspell_la_LDFLAGS = -version-info 19:0:3 -no-undefined
+ else
+ ## Use C-1:R:A 
+-libaspell_la_LDFLAGS = -version-info 17:0:2 -no-undefined
++libaspell_la_LDFLAGS = -version-info 18:0:3 -no-undefined
+ endif
+ 
+ if PSPELL_COMPATIBILITY
+@@ -113,11 +120,7 @@ libpspell_la_SOURCES = lib/dummy.cpp
+ 
+ libpspell_la_LIBADD = libaspell.la
+ 
+-if INCREMENTED_SONAME
+-libpspell_la_LDFLAGS = -version-info 18:0:2 -no-undefined
+-else
+-libpspell_la_LDFLAGS = -version-info 17:0:2 -no-undefined
+-endif
++libpspell_la_LDFLAGS = $(libaspell_la_LDFLAGS)
+ 
+ endif
+ 
+-- 
+2.17.1
+
diff --git a/meta/recipes-support/aspell/aspell_0.60.7.bb b/meta/recipes-support/aspell/aspell_0.60.7.bb
index b565cb3c6e..1e104c263c 100644
--- a/meta/recipes-support/aspell/aspell_0.60.7.bb
+++ b/meta/recipes-support/aspell/aspell_0.60.7.bb
@@ -8,6 +8,8 @@ PR = "r1"
 
 SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \
            file://0001-Fix-various-bugs-found-by-OSS-Fuze.patch \
+           file://CVE-2019-20433-0001.patch \
+           file://CVE-2019-20433-0002.patch \
           "
 SRC_URI[md5sum] = "8ef2252609c511cd2bb26f3a3932ef28"
 SRC_URI[sha256sum] = "5ca8fc8cb0370cc6c9eb5b64c6d1bc5d57b3750dbf17887726c3407d833b70e4"
diff --git a/meta/recipes-support/curl/curl/CVE-2019-15601.patch b/meta/recipes-support/curl/curl/CVE-2019-15601.patch
new file mode 100644
index 0000000000..7bfaae7b21
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-15601.patch
@@ -0,0 +1,46 @@
+Upstream-Status: Backport [https://github.com/curl/curl/commit/1b71bc532bde8621fd3260843f8197182a467ff2]
+CVE: CVE-2019-15601
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+From 1b71bc532bde8621fd3260843f8197182a467ff2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 7 Nov 2019 10:13:01 +0100
+Subject: [PATCH] file: on Windows, refuse paths that start with \\
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+... as that might cause an unexpected SMB connection to a given host
+name.
+
+Reported-by: Fernando Muñoz
+CVE-2019-15601
+Bug: https://curl.haxx.se/docs/CVE-2019-15601.html
+---
+ lib/file.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/file.c b/lib/file.c
+index d349cd9241..166931d7f1 100644
+--- a/lib/file.c
++++ b/lib/file.c
+@@ -136,7 +136,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
+   struct Curl_easy *data = conn->data;
+   char *real_path;
+   struct FILEPROTO *file = data->req.protop;
+-  int fd;
++  int fd = -1;
+ #ifdef DOS_FILESYSTEM
+   size_t i;
+   char *actual_path;
+@@ -181,7 +181,9 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
+       return CURLE_URL_MALFORMAT;
+     }
+ 
+-  fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
++  if(strncmp("\\\\", actual_path, 2))
++    /* refuse to open path that starts with two backslashes */
++    fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
+   file->path = actual_path;
+ #else
+   if(memchr(real_path, 0, real_path_len)) {
diff --git a/meta/recipes-support/curl/curl_7.66.0.bb b/meta/recipes-support/curl/curl_7.66.0.bb
index d1975f2460..a54e0536e9 100644
--- a/meta/recipes-support/curl/curl_7.66.0.bb
+++ b/meta/recipes-support/curl/curl_7.66.0.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=be5d9e1419c4363f4b32037a2d3b7ffa"
 
 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://0001-replace-krb5-config-with-pkg-config.patch \
+           file://CVE-2019-15601.patch \
 "
 
 SRC_URI[md5sum] = "c238aa394e3aa47ca4fcb0491774149f"
diff --git a/meta/recipes-support/icu/icu/CVE-2020-10531.patch b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
new file mode 100644
index 0000000000..56303fc0f2
--- /dev/null
+++ b/meta/recipes-support/icu/icu/CVE-2020-10531.patch
@@ -0,0 +1,122 @@
+From b7d08bc04a4296982fcef8b6b8a354a9e4e7afca Mon Sep 17 00:00:00 2001
+From: Frank Tang <ftang@chromium.org>
+Date: Sat, 1 Feb 2020 02:39:04 +0000
+Subject: [PATCH] ICU-20958 Prevent SEGV_MAPERR in append
+
+See #971
+
+Upstream-Status: Backport [https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca]
+CVE: CVE-2020-10531
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ icu4c/source/common/unistr.cpp          |  6 ++-
+ icu4c/source/test/intltest/ustrtest.cpp | 62 +++++++++++++++++++++++++
+ icu4c/source/test/intltest/ustrtest.h   |  1 +
+ 3 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/icu4c/source/common/unistr.cpp b/icu4c/source/common/unistr.cpp
+index 901bb3358ba..077b4d6ef20 100644
+--- a/icu4c/source/common/unistr.cpp
++++ b/icu4c/source/common/unistr.cpp
+@@ -1563,7 +1563,11 @@ UnicodeString::doAppend(const UChar *srcChars, int32_t srcStart, int32_t srcLeng
+   }
+ 
+   int32_t oldLength = length();
+-  int32_t newLength = oldLength + srcLength;
++  int32_t newLength;
++  if (uprv_add32_overflow(oldLength, srcLength, &newLength)) {
++    setToBogus();
++    return *this;
++  }
+ 
+   // Check for append onto ourself
+   const UChar* oldArray = getArrayStart();
+diff --git a/icu4c/source/test/intltest/ustrtest.cpp b/icu4c/source/test/intltest/ustrtest.cpp
+index b6515ea813c..ad38bdf53a3 100644
+--- a/icu4c/source/test/intltest/ustrtest.cpp
++++ b/icu4c/source/test/intltest/ustrtest.cpp
+@@ -67,6 +67,7 @@ void UnicodeStringTest::runIndexedTest( int32_t index, UBool exec, const char* &
+     TESTCASE_AUTO(TestWCharPointers);
+     TESTCASE_AUTO(TestNullPointers);
+     TESTCASE_AUTO(TestUnicodeStringInsertAppendToSelf);
++    TESTCASE_AUTO(TestLargeAppend);
+     TESTCASE_AUTO_END;
+ }
+ 
+@@ -2310,3 +2311,64 @@ void UnicodeStringTest::TestUnicodeStringInsertAppendToSelf() {
+     str.insert(2, sub);
+     assertEquals("", u"abbcdcde", str);
+ }
++
++void UnicodeStringTest::TestLargeAppend() {
++    if(quick) return;
++
++    IcuTestErrorCode status(*this, "TestLargeAppend");
++    // Make a large UnicodeString
++    int32_t len = 0xAFFFFFF;
++    UnicodeString str;
++    char16_t *buf = str.getBuffer(len);
++    // A fast way to set buffer to valid Unicode.
++    // 4E4E is a valid unicode character
++    uprv_memset(buf, 0x4e, len * 2);
++    str.releaseBuffer(len);
++    UnicodeString dest;
++    // Append it 16 times
++    // 0xAFFFFFF times 16 is 0xA4FFFFF1,
++    // which is greater than INT32_MAX, which is 0x7FFFFFFF.
++    int64_t total = 0;
++    for (int32_t i = 0; i < 16; i++) {
++        dest.append(str);
++        total += len;
++        if (total <= INT32_MAX) {
++            assertFalse("dest is not bogus", dest.isBogus());
++        } else {
++            assertTrue("dest should be bogus", dest.isBogus());
++        }
++    }
++    dest.remove();
++    total = 0;
++    for (int32_t i = 0; i < 16; i++) {
++        dest.append(str);
++        total += len;
++        if (total + len <= INT32_MAX) {
++            assertFalse("dest is not bogus", dest.isBogus());
++        } else if (total <= INT32_MAX) {
++            // Check that a string of exactly the maximum size works
++            UnicodeString str2;
++            int32_t remain = INT32_MAX - total;
++            char16_t *buf2 = str2.getBuffer(remain);
++            if (buf2 == nullptr) {
++                // if somehow memory allocation fail, return the test
++                return;
++            }
++            uprv_memset(buf2, 0x4e, remain * 2);
++            str2.releaseBuffer(remain);
++            dest.append(str2);
++            total += remain;
++            assertEquals("When a string of exactly the maximum size works", (int64_t)INT32_MAX, total);
++            assertEquals("When a string of exactly the maximum size works", INT32_MAX, dest.length());
++            assertFalse("dest is not bogus", dest.isBogus());
++
++            // Check that a string size+1 goes bogus
++            str2.truncate(1);
++            dest.append(str2);
++            total++;
++            assertTrue("dest should be bogus", dest.isBogus());
++        } else {
++            assertTrue("dest should be bogus", dest.isBogus());
++        }
++    }
++}
+diff --git a/icu4c/source/test/intltest/ustrtest.h b/icu4c/source/test/intltest/ustrtest.h
+index 218befdcc68..4a356a92c7a 100644
+--- a/icu4c/source/test/intltest/ustrtest.h
++++ b/icu4c/source/test/intltest/ustrtest.h
+@@ -97,6 +97,7 @@ class UnicodeStringTest: public IntlTest {
+     void TestWCharPointers();
+     void TestNullPointers();
+     void TestUnicodeStringInsertAppendToSelf();
++    void TestLargeAppend();
+ };
+ 
+ #endif
diff --git a/meta/recipes-support/icu/icu_64.2.bb b/meta/recipes-support/icu/icu_64.2.bb
index 10bac7aac0..2ed807787d 100644
--- a/meta/recipes-support/icu/icu_64.2.bb
+++ b/meta/recipes-support/icu/icu_64.2.bb
@@ -18,6 +18,7 @@ SRC_URI = "${BASE_SRC_URI} \
            file://fix-install-manx.patch \
            file://0001-Fix-big-endian-build.patch \
            file://0001-icu-Added-armeb-support.patch \
+           file://CVE-2020-10531.patch;striplevel=3 \
            "
 
 SRC_URI_append_class-target = "\
diff --git a/meta/recipes-support/libevdev/libevdev/determinism.patch b/meta/recipes-support/libevdev/libevdev/determinism.patch
new file mode 100644
index 0000000000..33a6076b78
--- /dev/null
+++ b/meta/recipes-support/libevdev/libevdev/determinism.patch
@@ -0,0 +1,34 @@
+The order of dict values is not deterministic leading to differing header file generation.
+Sort to remove this inconsistency.
+
+RP 2020/2/7
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Pending
+
+Index: a/libevdev/make-event-names.py
+===================================================================
+--- a/libevdev/make-event-names.py
++++ b/libevdev/make-event-names.py
+@@ -67,10 +67,10 @@ def print_bits(bits, prefix):
+ 	if  not hasattr(bits, prefix):
+ 		return
+ 	print("static const char * const %s_map[%s_MAX + 1] = {" % (prefix, prefix.upper()))
+-	for val, name in list(getattr(bits, prefix).items()):
++	for val, name in sorted(list(getattr(bits, prefix).items())):
+ 		print("	[%s] = \"%s\"," % (name, name))
+ 	if prefix == "key":
+-		for val, name in list(getattr(bits, "btn").items()):
++		for val, name in sorted(list(getattr(bits, "btn").items())):
+ 			print("	[%s] = \"%s\"," % (name, name))
+ 	print("};")
+ 	print("")
+@@ -111,7 +111,7 @@ def print_lookup(bits, prefix):
+ 	if not hasattr(bits, prefix):
+ 		return
+ 
+-	names = list(getattr(bits, prefix).items())
++	names = sorted(list(getattr(bits, prefix).items()))
+ 	if prefix == "btn":
+ 		names = names + btn_additional;
+ 
diff --git a/meta/recipes-support/libevdev/libevdev_1.8.0.bb b/meta/recipes-support/libevdev/libevdev_1.8.0.bb
index 84274987d7..46ed5d786a 100644
--- a/meta/recipes-support/libevdev/libevdev_1.8.0.bb
+++ b/meta/recipes-support/libevdev/libevdev_1.8.0.bb
@@ -6,7 +6,8 @@ LICENSE = "MIT-X"
 LIC_FILES_CHKSUM = "file://COPYING;md5=75aae0d38feea6fda97ca381cb9132eb \
                     file://libevdev/libevdev.h;endline=21;md5=7ff4f0b5113252c2f1a828e0bbad98d1"
 
-SRC_URI = "http://www.freedesktop.org/software/libevdev/${BP}.tar.xz"
+SRC_URI = "http://www.freedesktop.org/software/libevdev/${BP}.tar.xz \
+           file://determinism.patch"
 SRC_URI[md5sum] = "879631080be18526737e33b63d848039"
 SRC_URI[sha256sum] = "20d3cae4efd277f485abdf8f2a7c46588e539998b5a08c2c4d368218379d4211"
 
diff --git a/meta/recipes-support/libgcrypt/files/determinism.patch b/meta/recipes-support/libgcrypt/files/determinism.patch
new file mode 100644
index 0000000000..ad0b8c7950
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/determinism.patch
@@ -0,0 +1,32 @@
+gnutls detects our outer git trees and injects that revision into its objects.
+That isn't deterministic so stop it. Also ensure we're not marked as a development
+build as its git detection is faulty.
+
+RP 2020/2/6
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+
+Index: libgcrypt-1.8.5/configure.ac
+===================================================================
+--- libgcrypt-1.8.5.orig/configure.ac
++++ libgcrypt-1.8.5/configure.ac
+@@ -45,7 +45,7 @@ m4_define([mym4_revision_dec],
+ m4_define([mym4_betastring],
+           m4_esyscmd_s([git describe --match 'libgcrypt-[0-9].*[0-9]' --long|\
+                         awk -F- '$3!=0{print"-beta"$3}']))
+-m4_define([mym4_isgit],m4_if(mym4_betastring,[],[no],[yes]))
++m4_define([mym4_isgit],[no])
+ m4_define([mym4_full_version],[mym4_version[]mym4_betastring])
+ 
+ AC_INIT([libgcrypt],[mym4_full_version],[http://bugs.gnupg.org])
+@@ -2575,7 +2575,7 @@ AM_CONDITIONAL([BUILD_DOC], [test "x$bui
+ #
+ # Provide information about the build.
+ #
+-BUILD_REVISION="mym4_revision"
++BUILD_REVISION="None"
+ AC_SUBST(BUILD_REVISION)
+ AC_DEFINE_UNQUOTED(BUILD_REVISION, "$BUILD_REVISION",
+                    [GIT commit id revision used to build this package])
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
index 1bd355133e..92eb2d257a 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
@@ -26,6 +26,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
            file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
            file://0001-ecc-Add-mitigation-against-timing-attack.patch \
            file://0001-dsa-ecdsa-Fix-use-of-nonce-use-larger-one.patch \
+           file://determinism.patch \
 "
 SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573"
 SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227"
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2019-20454.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2019-20454.patch
new file mode 100644
index 0000000000..51f95a7097
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2019-20454.patch
@@ -0,0 +1,19 @@
+Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_jit_compile.c?r1=1092&r2=1091&pathrev=1092]
+CVE: CVE-2020-8002
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+--- pcre2-10.30/src/pcre2_jit_compile.c	2019/05/13 16:26:17	1091
++++ pcre2-10.30/src/pcre2_jit_compile.c	2019/05/13 16:38:18	1092
+@@ -8571,7 +8571,10 @@
+ PCRE2_SPTR bptr;
+ uint32_t c;
+ 
+-GETCHARINC(c, cc);
++/* Patch by PH */
++/* GETCHARINC(c, cc); */
++
++c = *cc++;
+ #if PCRE2_CODE_UNIT_WIDTH == 32
+ if (c >= 0x110000)
+   return NULL;
+
diff --git a/meta/recipes-support/libpcre/libpcre2_10.33.bb b/meta/recipes-support/libpcre/libpcre2_10.33.bb
index 50b26753b4..1020df99b8 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.33.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.33.bb
@@ -12,6 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37"
 
 SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \
            file://pcre-cross.patch \
+           file://CVE-2019-20454.patch \
 "
 
 SRC_URI[md5sum] = "80b355f2dce909a2e2424f5c79eddb44"
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19244.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19244.patch
new file mode 100644
index 0000000000..3f70979acc
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19244.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2019-19244
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 0f690d4ae5ffe656762fdbb7f36cc4c2dcbb2d9d Mon Sep 17 00:00:00 2001
+From: dan <dan@noemail.net>
+Date: Fri, 22 Nov 2019 10:14:01 +0000
+Subject: [PATCH] Fix a crash that could occur if a sub-select that uses both
+ DISTINCT and window functions also used an ORDER BY that is the same as its
+ select list.
+
+Amalgamation version of the patch:
+FossilOrigin-Name: bcdd66c1691955c697f3d756c2b035acfe98f6aad72e90b0021bab6e9023b3ba
+---
+ sqlite3.c | 5 +++--
+ sqlite3.h | 2 +-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 8fd740b..db1c649 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -131679,6 +131679,7 @@ SQLITE_PRIVATE int sqlite3Select(
+   */
+   if( (p->selFlags & (SF_Distinct|SF_Aggregate))==SF_Distinct 
+    && sqlite3ExprListCompare(sSort.pOrderBy, pEList, -1)==0
++   && p->pWin==0
+   ){
+     p->selFlags &= ~SF_Distinct;
+     pGroupBy = p->pGroupBy = sqlite3ExprListDup(db, pEList, 0);
+-- 
+2.24.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch
new file mode 100644
index 0000000000..b1b866b250
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19923.patch
@@ -0,0 +1,50 @@
+CVE: CVE-2019-19923
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From b64463719dc53bde98b0ce3930b10a32560c3a02 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Wed, 18 Dec 2019 20:51:58 +0000
+Subject: [PATCH] Continue to back away from the LEFT JOIN optimization of
+ check-in [41c27bc0ff1d3135] by disallowing query flattening if the outer
+ query is DISTINCT.  Without this fix, if an index scan is run on the table
+ within the view on the right-hand side of the LEFT JOIN, stale result
+ registers might be accessed yielding incorrect results, and/or an
+ OP_IfNullRow opcode might be invoked on the un-opened table, resulting in a
+ NULL-pointer dereference.  This problem was found by the Yongheng and Rui
+ fuzzer.
+
+FossilOrigin-Name: 862974312edf00e9d1068115d1a39b7235b7db68b6d86b81d38a12f025a4748e
+---
+ sqlite3.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index d29da07..5bc06c8 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -129216,6 +129216,7 @@ static void substSelect(
+ **        (3b) the FROM clause of the subquery may not contain a virtual
+ **             table and
+ **        (3c) the outer query may not be an aggregate.
++**        (3d) the outer query may not be DISTINCT.
+ **
+ **   (4)  The subquery can not be DISTINCT.
+ **
+@@ -129412,8 +129413,11 @@ static int flattenSubquery(
+   */
+   if( (pSubitem->fg.jointype & JT_OUTER)!=0 ){
+     isLeftJoin = 1;
+-    if( pSubSrc->nSrc>1 || isAgg || IsVirtual(pSubSrc->a[0].pTab) ){
+-      /*  (3a)             (3c)     (3b) */
++    if( pSubSrc->nSrc>1                   /* (3a) */
++     || isAgg                             /* (3b) */
++     || IsVirtual(pSubSrc->a[0].pTab)     /* (3c) */
++     || (p->selFlags & SF_Distinct)!=0    /* (3d) */
++    ){
+       return 0;
+     }
+   }
+-- 
+2.24.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch
new file mode 100644
index 0000000000..80d5edbb0c
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19924.patch
@@ -0,0 +1,65 @@
+CVE: CVE-2019-19924
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 854fe21e8a987f84da81f6bb9e90abc5355c6621 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 20:37:32 +0000
+Subject: [PATCH] When an error occurs while rewriting the parser tree for
+ window functions in the sqlite3WindowRewrite() routine, make sure that
+ pParse->nErr is set, and make sure that this shuts down any subsequent code
+ generation that might depend on the transformations that were implemented. 
+ This fixes a problem discovered by the Yongheng and Rui fuzzer.
+
+Amalgamation format of backported patch
+FossilOrigin-Name: e2bddcd4c55ba3cbe0130332679ff4b048630d0ced9a8899982edb5a3569ba7f
+---
+ sqlite3.c | 16 +++++++++++-----
+ sqlite3.h |  2 +-
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 408ec4c..857c28e 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -77798,7 +77798,8 @@ SQLITE_PRIVATE void sqlite3VdbeSetP4KeyInfo(Parse *pParse, Index *pIdx){
+ */
+ static void vdbeVComment(Vdbe *p, const char *zFormat, va_list ap){
+   assert( p->nOp>0 || p->aOp==0 );
+-  assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed );
++  assert( p->aOp==0 || p->aOp[p->nOp-1].zComment==0 || p->db->mallocFailed
++          || p->pParse->nErr>0 );
+   if( p->nOp ){
+     assert( p->aOp );
+     sqlite3DbFree(p->db, p->aOp[p->nOp-1].zComment);
+@@ -97872,6 +97873,7 @@ static int codeCompare(
+   int addr;
+   CollSeq *p4;
+ 
++  if( pParse->nErr ) return 0;
+   p4 = sqlite3BinaryCompareCollSeq(pParse, pLeft, pRight);
+   p5 = binaryCompareP5(pLeft, pRight, jumpIfNull);
+   addr = sqlite3VdbeAddOp4(pParse->pVdbe, opcode, in2, dest, in1,
+@@ -147627,7 +147629,7 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
+ 
+     pTab = sqlite3DbMallocZero(db, sizeof(Table));
+     if( pTab==0 ){
+-      return SQLITE_NOMEM;
++      return sqlite3ErrorToParser(db, SQLITE_NOMEM);
+     }
+ 
+     p->pSrc = 0;
+@@ -147731,6 +147733,10 @@ SQLITE_PRIVATE int sqlite3WindowRewrite(Parse *pParse, Select *p){
+     sqlite3DbFree(db, pTab);
+   }
+ 
++  if( rc && pParse->nErr==0 ){
++    assert( pParse->db->mallocFailed );
++    return sqlite3ErrorToParser(pParse->db, SQLITE_NOMEM);
++  }
+   return rc;
+ }
+ 
+-- 
+2.24.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19925.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19925.patch
new file mode 100644
index 0000000000..ffc2c6afff
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19925.patch
@@ -0,0 +1,33 @@
+CVE: CVE-2019-19925
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From e92580434d2cdca228649d32f76167492de4f512 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 15:15:40 +0000
+Subject: [PATCH] Fix the zipfile extension so that INSERT works even if the
+ pathname of the file being inserted is a NULL.  Bug discovered by the
+ Yongheng and Rui fuzzer.
+
+FossilOrigin-Name: a80f84b511231204658304226de3e075a55afc2e3f39ac063716f7a57f585c06
+---
+ shell.c   | 1 +
+ sqlite3.c | 4 ++--
+ sqlite3.h | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index 053180c..404a8d4 100644
+--- a/shell.c
++++ b/shell.c
+@@ -5827,6 +5827,7 @@ static int zipfileUpdate(
+ 
+     if( rc==SQLITE_OK ){
+       zPath = (const char*)sqlite3_value_text(apVal[2]);
++      if( zPath==0 ) zPath = "";
+       nPath = (int)strlen(zPath);
+       mTime = zipfileGetTime(apVal[4]);
+     }
+-- 
+2.24.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19926.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19926.patch
new file mode 100644
index 0000000000..92bc7908bc
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19926.patch
@@ -0,0 +1,31 @@
+CVE: CVE-2019-19926
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 4165b1e1e0001165ace9051a70f938099505eadc Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Thu, 19 Dec 2019 22:08:19 +0000
+Subject: [PATCH] Continuation of [e2bddcd4c55ba3cb]: Add another spot where it
+ is necessary to abort early due to prior errors in sqlite3WindowRewrite().
+
+FossilOrigin-Name: cba2a2a44cdf138a629109bb0ad088ed4ef67fc66bed3e0373554681a39615d2
+---
+ sqlite3.c | 7 ++++---
+ sqlite3.h | 2 +-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 857c28e..19a474d 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -128427,6 +128427,7 @@ static int multiSelect(
+     }
+   #endif
+   }
++  if( pParse->nErr ) goto multi_select_end;
+   
+   /* Compute collating sequences used by 
+   ** temporary tables needed to implement the compound select.
+-- 
+2.24.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-19959.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19959.patch
new file mode 100644
index 0000000000..cba8ec9d30
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-19959.patch
@@ -0,0 +1,46 @@
+CVE: CVE-2019-19959
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From f83f7e8141ee7cbbf7f2dc8985279a7372b259b6 Mon Sep 17 00:00:00 2001
+From: "D. Richard Hipp" <drh@hwaci.com>
+Date: Mon, 23 Dec 2019 21:04:33 +0000
+Subject: [PATCH] Fix the zipfile() function in the zipfile extension so that
+ it is able to deal with goofy filenames that contain embedded zeros.
+
+FossilOrigin-Name: cc0fb00a128fd0773db5ff7891f7aa577a3671d570166d2cbb30df922344adcf
+---
+ shell.c   | 4 ++--
+ sqlite3.c | 4 ++--
+ sqlite3.h | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index 404a8d4..48065e9 100644
+--- a/shell.c
++++ b/shell.c
+@@ -5841,7 +5841,7 @@ static int zipfileUpdate(
+         zFree = sqlite3_mprintf("%s/", zPath);
+         if( zFree==0 ){ rc = SQLITE_NOMEM; }
+         zPath = (const char*)zFree;
+-        nPath++;
++        nPath = (int)strlen(zPath);
+       }
+     }
+ 
+@@ -6242,11 +6242,11 @@ void zipfileStep(sqlite3_context *pCtx, int nVal, sqlite3_value **apVal){
+   }else{
+     if( zName[nName-1]!='/' ){
+       zName = zFree = sqlite3_mprintf("%s/", zName);
+-      nName++;
+       if( zName==0 ){
+         rc = SQLITE_NOMEM;
+         goto zipfile_step_out;
+       }
++      nName = (int)strlen(zName);
+     }else{
+       while( nName>1 && zName[nName-2]=='/' ) nName--;
+     }
+-- 
+2.24.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3/CVE-2019-20218.patch b/meta/recipes-support/sqlite/sqlite3/CVE-2019-20218.patch
new file mode 100644
index 0000000000..fb6cd6df2d
--- /dev/null
+++ b/meta/recipes-support/sqlite/sqlite3/CVE-2019-20218.patch
@@ -0,0 +1,31 @@
+CVE: CVE-2019-20218
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 6bbd76d34f29f61483791231f2ce579dcadab8a5 Mon Sep 17 00:00:00 2001
+From: Dan Kennedy <danielk1977@gmail.com>
+Date: Fri, 27 Dec 2019 20:54:42 +0000
+Subject: [PATCH] Do not attempt to unwind the WITH stack in the Parse object
+ following an error. This fixes a separate case to [de6e6d68].
+
+FossilOrigin-Name: d29edef93451cc67a5d69c1cce1b1832d9ca8fff1f600afdd51338b74d077b92
+---
+ sqlite3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 5bc06c8..408ec4c 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -130570,7 +130570,7 @@ static int selectExpander(Walker *pWalker, Select *p){
+ 
+   /* Process NATURAL keywords, and ON and USING clauses of joins.
+   */
+-  if( db->mallocFailed || sqliteProcessJoin(pParse, p) ){
++  if( pParse->nErr || db->mallocFailed || sqliteProcessJoin(pParse, p) ){
+     return WRC_Abort;
+   }
+ 
+-- 
+2.24.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
index 34066fbe89..cf3b179845 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.29.0.bb
@@ -4,6 +4,14 @@ LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"
 
 SRC_URI = "http://www.sqlite.org/2019/sqlite-autoconf-${SQLITE_PV}.tar.gz \
-           file://0001-Fix-CVE-2019-16168.patch"
+           file://0001-Fix-CVE-2019-16168.patch \
+           file://CVE-2019-19244.patch \
+           file://CVE-2019-19923.patch \
+           file://CVE-2019-19924.patch \
+           file://CVE-2019-19925.patch \
+           file://CVE-2019-19926.patch \
+           file://CVE-2019-19959.patch \
+           file://CVE-2019-20218.patch \
+"
 SRC_URI[md5sum] = "8f3dfe83387e62ecb91c7c5c09c688dc"
 SRC_URI[sha256sum] = "8e7c1e2950b5b04c5944a981cb31fffbf9d2ddda939d536838ebc854481afd5b"