202 files changed, 4744 insertions, 9081 deletions

diff --git a/meta/recipes-connectivity/avahi/avahi-ui_0.7.bb b/meta/recipes-connectivity/avahi/avahi-ui_0.7.bb
deleted file mode 100644
index 1c6e46aaba..0000000000
--- a/meta/recipes-connectivity/avahi/avahi-ui_0.7.bb
+++ /dev/null
@@ -1,54 +0,0 @@
-require avahi.inc
-
-inherit distro_features_check
-ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"
-
-DEPENDS += "avahi"
-
-AVAHI_GTK = "gtk3"
-
-S = "${WORKDIR}/avahi-${PV}"
-
-PACKAGES += "${PN}-utils avahi-discover"
-
-FILES_${PN} = "${libdir}/libavahi-ui*.so.*"
-FILES_${PN}-utils = "${bindir}/b* ${datadir}/applications/b*"
-FILES_avahi-discover = "${datadir}/applications/avahi-discover.desktop \
-                        ${datadir}/avahi/interfaces/avahi-discover.ui \
-                        ${bindir}/avahi-discover-standalone \
-                        "
-
-do_install_append () {
-	rm ${D}${sysconfdir} -rf
-	if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then
-               if [ "${nonarch_base_libdir}" != "${base_libdir}" ];then
-                   rm ${D}${nonarch_base_libdir} -rf
-               fi
-        else
-		rm ${D}${base_libdir} -rf
-        fi
-	rm ${D}${systemd_unitdir} -rf
-	# The ${systemd_unitdir} is /lib/systemd, so we need rmdir /lib,
-	# but not ${base_libdir} here. And the /lib may not exist
-	# whithout systemd.
-	[ ! -d ${D}/lib ] || rmdir ${D}/lib --ignore-fail-on-non-empty
-	rm ${D}${bindir}/avahi-b*
-	rm ${D}${bindir}/avahi-p*
-	rm ${D}${bindir}/avahi-r*
-	rm ${D}${bindir}/avahi-s*
-	rm ${D}${includedir}/avahi-c* -rf
-	rm ${D}${includedir}/avahi-g* -rf
-	rm ${D}${libdir}/libavahi-c*
-	rm ${D}${libdir}/libavahi-g*
-	rm ${D}${libdir}/pkgconfig/avahi-c*
-	rm ${D}${libdir}/pkgconfig/avahi-g*
-	rm ${D}${sbindir} -rf
-	rm ${D}${datadir}/avahi/a*
-	rm ${D}${datadir}/locale/ -rf
-	rm ${D}${datadir}/dbus* -rf
-	rm ${D}${mandir}/man1/a*
-	rm ${D}${mandir}/man5 -rf
-	rm ${D}${mandir}/man8 -rf
-        rm ${D}${libdir}/girepository-1.0/ -rf
-        rm ${D}${datadir}/gir-1.0/ -rf
-}
diff --git a/meta/recipes-connectivity/avahi/avahi.inc b/meta/recipes-connectivity/avahi/avahi.inc
deleted file mode 100644
index 94fe6a16b6..0000000000
--- a/meta/recipes-connectivity/avahi/avahi.inc
+++ /dev/null
@@ -1,86 +0,0 @@
-SUMMARY = "Avahi IPv4LL network address configuration daemon"
-DESCRIPTION = 'Avahi is a fully LGPL framework for Multicast DNS Service Discovery. It \
-allows programs to publish and discover services and hosts running on a local network \
-with no specific configuration. This tool implements IPv4LL, "Dynamic Configuration of \
-IPv4 Link-Local Addresses" (IETF RFC3927), a protocol for automatic IP address \
-configuration from the link-local 169.254.0.0/16 range without the need for a central \
-server.'
-AUTHOR = "Lennart Poettering <lennart@poettering.net>"
-HOMEPAGE = "http://avahi.org"
-BUGTRACKER = "https://github.com/lathiat/avahi/issues"
-SECTION = "network"
-
-# major part is under LGPLv2.1+, but several .dtd, .xsl, initscripts and
-# python scripts are under GPLv2+
-LICENSE = "GPLv2+ & LGPLv2.1+"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
-                    file://avahi-common/address.h;endline=25;md5=b1d1d2cda1c07eb848ea7d6215712d9d \
-                    file://avahi-core/dns.h;endline=23;md5=6fe82590b81aa0ddea5095b548e2fdcb \
-                    file://avahi-daemon/main.c;endline=21;md5=9ee77368c5407af77caaef1b07285969 \
-                    file://avahi-client/client.h;endline=23;md5=f4ac741a25c4f434039ba3e18c8674cf"
-
-SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
-           file://fix-CVE-2017-6519.patch \
-           "
-
-UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
-SRC_URI[md5sum] = "d76c59d0882ac6c256d70a2a585362a6"
-SRC_URI[sha256sum] = "57a99b5dfe7fdae794e3d1ee7a62973a368e91e414bd0dfa5d84434de5b14804"
-
-DEPENDS = "expat libcap libdaemon glib-2.0 intltool-native"
-
-# For gtk related PACKAGECONFIGs: gtk, gtk3
-AVAHI_GTK ?= ""
-
-PACKAGECONFIG ??= "dbus ${AVAHI_GTK}"
-PACKAGECONFIG[dbus] = "--enable-dbus,--disable-dbus,dbus"
-PACKAGECONFIG[gtk] = "--enable-gtk,--disable-gtk,gtk+"
-PACKAGECONFIG[gtk3] = "--enable-gtk3,--disable-gtk3,gtk+3"
-PACKAGECONFIG[libdns_sd] = "--enable-compat-libdns_sd --enable-dbus,,dbus"
-
-inherit autotools pkgconfig gettext gobject-introspection
-
-EXTRA_OECONF = "--with-avahi-priv-access-group=adm \
-             --disable-stack-protector \
-             --disable-gdbm \
-             --disable-mono \
-             --disable-monodoc \
-             --disable-qt3 \
-             --disable-qt4 \
-             --disable-python \
-             --disable-doxygen-doc \
-             --enable-manpages \
-             ${EXTRA_OECONF_SYSVINIT} \
-             ${EXTRA_OECONF_SYSTEMD} \
-           "
-
-# The distro choice determines what init scripts are installed
-EXTRA_OECONF_SYSVINIT = "${@bb.utils.contains('DISTRO_FEATURES','sysvinit','--with-distro=debian','--with-distro=none',d)}"
-EXTRA_OECONF_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES','systemd','--with-systemdsystemunitdir=${systemd_unitdir}/system/','--without-systemdsystemunitdir',d)}"
-
-do_configure_prepend() {
-    sed 's:AM_CHECK_PYMOD:echo "no pymod" #AM_CHECK_PYMOD:g' -i ${S}/configure.ac
-
-    # This m4 file will get in the way of our introspection.m4 with special cross-compilation fixes
-    rm "${S}/common/introspection.m4" || true
-}
-
-do_compile_prepend() {
-    export GIR_EXTRA_LIBS_PATH="${B}/avahi-gobject/.libs:${B}/avahi-common/.libs:${B}/avahi-client/.libs:${B}/avahi-glib/.libs"
-}
-
-RRECOMMENDS_${PN}_append_libc-glibc = " libnss-mdns"
-
-do_install() {
-	autotools_do_install
-	rm -rf ${D}/run
-	rm -rf ${D}${datadir}/dbus-1/interfaces
-	test -d ${D}${datadir}/dbus-1 && rmdir --ignore-fail-on-non-empty ${D}${datadir}/dbus-1
-	rm -rf ${D}${libdir}/avahi
-}
-
-PACKAGES =+ "${@bb.utils.contains("PACKAGECONFIG", "libdns_sd", "libavahi-compat-libdnssd", "", d)}"
-
-FILES_libavahi-compat-libdnssd = "${libdir}/libdns_sd.so.*"
-
-RPROVIDES_libavahi-compat-libdnssd = "libdns-sd"
diff --git a/meta/recipes-connectivity/avahi/avahi_0.7.bb b/meta/recipes-connectivity/avahi/avahi_0.7.bb
deleted file mode 100644
index 2e04d304c7..0000000000
--- a/meta/recipes-connectivity/avahi/avahi_0.7.bb
+++ /dev/null
@@ -1,81 +0,0 @@
-require avahi.inc
-
-SRC_URI += "file://00avahi-autoipd \
-           file://99avahi-autoipd \
-           file://initscript.patch \
-           file://0001-Fix-opening-etc-resolv.conf-error.patch \
-           "
-
-inherit update-rc.d systemd useradd
-
-PACKAGES =+ "libavahi-gobject avahi-daemon libavahi-common libavahi-core libavahi-client avahi-dnsconfd libavahi-glib avahi-autoipd avahi-utils"
-
-# As avahi doesn't put any files into PN, clear the files list to avoid problems
-# if extra libraries appear.
-FILES_${PN} = ""
-FILES_avahi-autoipd = "${sbindir}/avahi-autoipd \
-                       ${sysconfdir}/avahi/avahi-autoipd.action \
-                       ${sysconfdir}/dhcp/*/avahi-autoipd \
-                       ${sysconfdir}/udhcpc.d/00avahi-autoipd \
-                       ${sysconfdir}/udhcpc.d/99avahi-autoipd"
-FILES_libavahi-common = "${libdir}/libavahi-common.so.*"
-FILES_libavahi-core = "${libdir}/libavahi-core.so.* ${libdir}/girepository-1.0/AvahiCore*.typelib"
-FILES_avahi-daemon = "${sbindir}/avahi-daemon \
-                      ${sysconfdir}/avahi/avahi-daemon.conf \
-                      ${sysconfdir}/avahi/hosts \
-                      ${sysconfdir}/avahi/services \
-                      ${sysconfdir}/dbus-1 \
-                      ${sysconfdir}/init.d/avahi-daemon \
-                      ${datadir}/avahi/introspection/*.introspect \
-                      ${datadir}/avahi/avahi-service.dtd \
-                      ${datadir}/avahi/service-types \
-                      ${datadir}/dbus-1/system-services"
-FILES_libavahi-client = "${libdir}/libavahi-client.so.*"
-FILES_avahi-dnsconfd = "${sbindir}/avahi-dnsconfd \
-                        ${sysconfdir}/avahi/avahi-dnsconfd.action \
-                        ${sysconfdir}/init.d/avahi-dnsconfd"
-FILES_libavahi-glib = "${libdir}/libavahi-glib.so.*"
-FILES_libavahi-gobject = "${libdir}/libavahi-gobject.so.*  ${libdir}/girepository-1.0/Avahi*.typelib"
-FILES_avahi-utils = "${bindir}/avahi-*"
-
-RDEPENDS_${PN}-dev = "avahi-daemon (= ${EXTENDPKGV}) libavahi-core (= ${EXTENDPKGV})"
-RDEPENDS_${PN}-dev += "${@["", " libavahi-client (= ${EXTENDPKGV})"][bb.utils.contains('PACKAGECONFIG', 'dbus', 1, 0, d)]}"
-
-RRECOMMENDS_avahi-daemon_append_libc-glibc = " libnss-mdns"
-
-CONFFILES_avahi-daemon = "${sysconfdir}/avahi/avahi-daemon.conf"
-
-USERADD_PACKAGES = "avahi-daemon avahi-autoipd"
-USERADD_PARAM_avahi-daemon = "--system --home /run/avahi-daemon \
-                              --no-create-home --shell /bin/false \
-                              --user-group avahi"
-
-USERADD_PARAM_avahi-autoipd = "--system --home /run/avahi-autoipd \
-                              --no-create-home --shell /bin/false \
-                              --user-group \
-                              -c \"Avahi autoip daemon\" \
-                              avahi-autoipd"
-
-INITSCRIPT_PACKAGES = "avahi-daemon avahi-dnsconfd"
-INITSCRIPT_NAME_avahi-daemon = "avahi-daemon"
-INITSCRIPT_PARAMS_avahi-daemon = "defaults 21 19"
-INITSCRIPT_NAME_avahi-dnsconfd = "avahi-dnsconfd"
-INITSCRIPT_PARAMS_avahi-dnsconfd = "defaults 22 19"
-
-SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-dnsconfd"
-SYSTEMD_SERVICE_${PN}-daemon = "avahi-daemon.service"
-SYSTEMD_SERVICE_${PN}-dnsconfd = "avahi-dnsconfd.service"
-
-do_install_append() {
-	install -d ${D}${sysconfdir}/udhcpc.d
-	install ${WORKDIR}/00avahi-autoipd ${D}${sysconfdir}/udhcpc.d
-	install ${WORKDIR}/99avahi-autoipd ${D}${sysconfdir}/udhcpc.d
-}
-
-# At the time the postinst runs, dbus might not be setup so only restart if running 
-# Don't exit early, because update-rc.d needs to run subsequently.
-pkg_postinst_avahi-daemon () {
-if [ -z "$D" ]; then
-	killall -q -HUP dbus-daemon || true
-fi
-}
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
new file mode 100644
index 0000000000..1f18d4491d
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -0,0 +1,198 @@
+SUMMARY = "Avahi IPv4LL network address configuration daemon"
+DESCRIPTION = 'Avahi is a fully LGPL framework for Multicast DNS Service Discovery. It \
+allows programs to publish and discover services and hosts running on a local network \
+with no specific configuration. This tool implements IPv4LL, "Dynamic Configuration of \
+IPv4 Link-Local Addresses" (IETF RFC3927), a protocol for automatic IP address \
+configuration from the link-local 169.254.0.0/16 range without the need for a central \
+server.'
+HOMEPAGE = "http://avahi.org"
+BUGTRACKER = "https://github.com/avahi/avahi/issues"
+SECTION = "network"
+
+# major part is under LGPL-2.1-or-later, but several .dtd, .xsl, initscripts and
+# python scripts are under GPL-2.0-or-later
+LICENSE = "GPL-2.0-or-later & LGPL-2.1-or-later"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
+                    file://avahi-common/address.h;endline=25;md5=b1d1d2cda1c07eb848ea7d6215712d9d \
+                    file://avahi-core/dns.h;endline=23;md5=6fe82590b81aa0ddea5095b548e2fdcb \
+                    file://avahi-daemon/main.c;endline=21;md5=9ee77368c5407af77caaef1b07285969 \
+                    file://avahi-client/client.h;endline=23;md5=f4ac741a25c4f434039ba3e18c8674cf"
+
+SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
+           file://00avahi-autoipd \
+           file://99avahi-autoipd \
+           file://initscript.patch \
+           file://0001-Fix-opening-etc-resolv.conf-error.patch \
+           file://handle-hup.patch \
+           file://local-ping.patch \
+           file://invalid-service.patch \
+           file://CVE-2023-1981.patch \
+           file://CVE-2023-38469-1.patch \
+           file://CVE-2023-38469-2.patch \
+           file://CVE-2023-38470-1.patch \
+           file://CVE-2023-38470-2.patch \
+           file://CVE-2023-38471-1.patch \
+           file://CVE-2023-38471-2.patch \
+           file://CVE-2023-38472.patch \
+           file://CVE-2023-38473.patch \
+           "
+
+GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"
+SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
+
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
+
+DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
+
+# For gtk related PACKAGECONFIGs: gtk, gtk3
+AVAHI_GTK ?= ""
+
+PACKAGECONFIG ??= "dbus ${@bb.utils.contains_any('DISTRO_FEATURES','x11 wayland','${AVAHI_GTK}','',d)}"
+PACKAGECONFIG[dbus] = "--enable-dbus,--disable-dbus,dbus"
+PACKAGECONFIG[gtk] = "--enable-gtk,--disable-gtk,gtk+"
+PACKAGECONFIG[gtk3] = "--enable-gtk3,--disable-gtk3,gtk+3"
+PACKAGECONFIG[libdns_sd] = "--enable-compat-libdns_sd --enable-dbus,,dbus"
+PACKAGECONFIG[libevent] = "--enable-libevent,--disable-libevent,libevent"
+PACKAGECONFIG[qt5] = "--enable-qt5,--disable-qt5,qtbase"
+
+inherit autotools pkgconfig gettext gobject-introspection github-releases
+
+EXTRA_OECONF = "--with-avahi-priv-access-group=adm \
+             --disable-stack-protector \
+             --disable-gdbm \
+             --disable-dbm \
+             --disable-mono \
+             --disable-monodoc \
+             --disable-qt3 \
+             --disable-qt4 \
+             --disable-python \
+             --disable-doxygen-doc \
+             --enable-manpages \
+             ${EXTRA_OECONF_SYSVINIT} \
+             ${EXTRA_OECONF_SYSTEMD} \
+           "
+
+# The distro choice determines what init scripts are installed
+EXTRA_OECONF_SYSVINIT = "${@bb.utils.contains('DISTRO_FEATURES','sysvinit','--with-distro=debian','--with-distro=none',d)}"
+EXTRA_OECONF_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES','systemd','--with-systemdsystemunitdir=${systemd_system_unitdir}/','--without-systemdsystemunitdir',d)}"
+
+do_configure:prepend() {
+    # This m4 file will get in the way of our introspection.m4 with special cross-compilation fixes
+    rm "${S}/common/introspection.m4" || true
+}
+
+do_compile:prepend() {
+    export GIR_EXTRA_LIBS_PATH="${B}/avahi-gobject/.libs:${B}/avahi-common/.libs:${B}/avahi-client/.libs:${B}/avahi-glib/.libs"
+}
+
+RRECOMMENDS:${PN}:append:libc-glibc = " libnss-mdns"
+
+do_install() {
+	autotools_do_install
+	rm -rf ${D}/run
+	test -d ${D}${datadir}/dbus-1 && rmdir --ignore-fail-on-non-empty ${D}${datadir}/dbus-1
+	rm -rf ${D}${libdir}/avahi
+
+	# Move example service files out of /etc/avahi/services so we don't
+	# advertise ssh & sftp-ssh by default
+	install -d ${D}${docdir}/avahi
+	mv ${D}${sysconfdir}/avahi/services/* ${D}${docdir}/avahi
+}
+
+PACKAGES =+ "${@bb.utils.contains("PACKAGECONFIG", "libdns_sd", "libavahi-compat-libdnssd", "", d)}"
+
+FILES:libavahi-compat-libdnssd = "${libdir}/libdns_sd.so.*"
+
+RPROVIDES:libavahi-compat-libdnssd = "libdns-sd"
+
+inherit update-rc.d systemd useradd
+
+PACKAGES =+ "libavahi-gobject avahi-daemon libavahi-common libavahi-core libavahi-client avahi-dnsconfd libavahi-glib avahi-autoipd avahi-utils avahi-discover avahi-ui"
+
+FILES:avahi-ui = "${libdir}/libavahi-ui*.so.*"
+FILES:avahi-discover = "${datadir}/applications/avahi-discover.desktop \
+                        ${datadir}/avahi/interfaces/avahi-discover.ui \
+                        ${bindir}/avahi-discover-standalone \
+                        "
+
+LICENSE:libavahi-gobject = "LGPL-2.1-or-later"
+LICENSE:avahi-daemon = "LGPL-2.1-or-later"
+LICENSE:libavahi-common = "LGPL-2.1-or-later"
+LICENSE:libavahi-core = "LGPL-2.1-or-later"
+LICENSE:libavahi-client = "LGPL-2.1-or-later"
+LICENSE:avahi-dnsconfd = "LGPL-2.1-or-later"
+LICENSE:libavahi-glib = "LGPL-2.1-or-later"
+LICENSE:avahi-autoipd = "LGPL-2.1-or-later"
+LICENSE:avahi-utils = "LGPL-2.1-or-later"
+
+# As avahi doesn't put any files into PN, clear the files list to avoid problems
+# if extra libraries appear.
+FILES:${PN} = ""
+FILES:avahi-autoipd = "${sbindir}/avahi-autoipd \
+                       ${sysconfdir}/avahi/avahi-autoipd.action \
+                       ${sysconfdir}/dhcp/*/avahi-autoipd \
+                       ${sysconfdir}/udhcpc.d/00avahi-autoipd \
+                       ${sysconfdir}/udhcpc.d/99avahi-autoipd"
+FILES:libavahi-common = "${libdir}/libavahi-common.so.*"
+FILES:libavahi-core = "${libdir}/libavahi-core.so.* ${libdir}/girepository-1.0/AvahiCore*.typelib"
+FILES:avahi-daemon = "${sbindir}/avahi-daemon \
+                      ${sysconfdir}/avahi/avahi-daemon.conf \
+                      ${sysconfdir}/avahi/hosts \
+                      ${sysconfdir}/avahi/services \
+                      ${sysconfdir}/dbus-1 \
+                      ${sysconfdir}/init.d/avahi-daemon \
+                      ${datadir}/dbus-1/interfaces \
+                      ${datadir}/avahi/avahi-service.dtd \
+                      ${datadir}/avahi/service-types \
+                      ${datadir}/dbus-1/system-services"
+FILES:libavahi-client = "${libdir}/libavahi-client.so.*"
+FILES:avahi-dnsconfd = "${sbindir}/avahi-dnsconfd \
+                        ${sysconfdir}/avahi/avahi-dnsconfd.action \
+                        ${sysconfdir}/init.d/avahi-dnsconfd"
+FILES:libavahi-glib = "${libdir}/libavahi-glib.so.*"
+FILES:libavahi-gobject = "${libdir}/libavahi-gobject.so.*  ${libdir}/girepository-1.0/Avahi*.typelib"
+FILES:avahi-utils = "${bindir}/avahi-* ${bindir}/b* ${datadir}/applications/b*"
+
+DEV_PKG_DEPENDENCY = "avahi-daemon (= ${EXTENDPKGV}) libavahi-core (= ${EXTENDPKGV})"
+DEV_PKG_DEPENDENCY += "${@["", " libavahi-client (= ${EXTENDPKGV})"][bb.utils.contains('PACKAGECONFIG', 'dbus', 1, 0, d)]}"
+RDEPENDS:${PN}-dnsconfd = "${PN}-daemon"
+
+RRECOMMENDS:avahi-daemon:append:libc-glibc = " libnss-mdns"
+
+CONFFILES:avahi-daemon = "${sysconfdir}/avahi/avahi-daemon.conf"
+
+USERADD_PACKAGES = "avahi-daemon avahi-autoipd"
+USERADD_PARAM:avahi-daemon = "--system --home /run/avahi-daemon \
+                              --no-create-home --shell /bin/false \
+                              --user-group avahi"
+
+USERADD_PARAM:avahi-autoipd = "--system --home /run/avahi-autoipd \
+                              --no-create-home --shell /bin/false \
+                              --user-group \
+                              -c \"Avahi autoip daemon\" \
+                              avahi-autoipd"
+
+INITSCRIPT_PACKAGES = "avahi-daemon avahi-dnsconfd"
+INITSCRIPT_NAME:avahi-daemon = "avahi-daemon"
+INITSCRIPT_PARAMS:avahi-daemon = "defaults 21 19"
+INITSCRIPT_NAME:avahi-dnsconfd = "avahi-dnsconfd"
+INITSCRIPT_PARAMS:avahi-dnsconfd = "defaults 22 19"
+
+SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-dnsconfd"
+SYSTEMD_SERVICE:${PN}-daemon = "avahi-daemon.service"
+SYSTEMD_SERVICE:${PN}-dnsconfd = "avahi-dnsconfd.service"
+
+do_install:append() {
+	install -d ${D}${sysconfdir}/udhcpc.d
+	install ${WORKDIR}/00avahi-autoipd ${D}${sysconfdir}/udhcpc.d
+	install ${WORKDIR}/99avahi-autoipd ${D}${sysconfdir}/udhcpc.d
+}
+
+# At the time the postinst runs, dbus might not be setup so only restart if running 
+# Don't exit early, because update-rc.d needs to run subsequently.
+pkg_postinst:avahi-daemon () {
+if [ -z "$D" ]; then
+	killall -q -HUP dbus-daemon || true
+fi
+}
+
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
new file mode 100644
index 0000000000..4d7924d13a
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,58 @@
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
+index 70d7687bc..406d0b441 100644
+--- a/avahi-daemon/dbus-protocol.c
++++ b/avahi-daemon/dbus-protocol.c
+@@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM
+     }
+ 
+     t = avahi_alternative_host_name(n);
+-    avahi_dbus_respond_string(c, m, t);
+-    avahi_free(t);
++    if (t) {
++        avahi_dbus_respond_string(c, m, t);
++        avahi_free(t);
+ 
+-    return DBUS_HANDLER_RESULT_HANDLED;
++        return DBUS_HANDLER_RESULT_HANDLED;
++    } else {
++        return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");
++    }
+ }
+ 
+ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) {
+@@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB
+     }
+ 
+     t = avahi_alternative_service_name(n);
+-    avahi_dbus_respond_string(c, m, t);
+-    avahi_free(t);
++    if (t) {
++        avahi_dbus_respond_string(c, m, t);
++        avahi_free(t);
+ 
+-    return DBUS_HANDLER_RESULT_HANDLED;
++        return DBUS_HANDLER_RESULT_HANDLED;
++    } else {
++        return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found");
++    }
+ }
+ 
+ static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) {
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
new file mode 100644
index 0000000000..a078f66102
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
@@ -0,0 +1,48 @@
+From 72842945085cc3adaccfdfa2853771b0e75ef991 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Mon, 23 Oct 2023 20:29:31 +0000
+Subject: [PATCH] avahi: core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf]
+CVE: CVE-2023-38469
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-core/rr.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/rr.c b/avahi-core/rr.c
+index 7fa0bee..b03a24c 100644
+--- a/avahi-core/rr.c
++++ b/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/defs.h>
+
++#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
+         case AVAHI_DNS_TYPE_TXT: {
+
+             AvahiStringList *strlst;
++            size_t used = 0;
+
+-            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next)
++            for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) {
+                 if (strlst->size > 255 || strlst->size <= 0)
+                     return 0;
+
++                used += 1+strlst->size;
++                if (used > AVAHI_DNS_RDATA_MAX)
++                    return 0;
++            }
++
+             return 1;
+         }
+     }
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
new file mode 100644
index 0000000000..f8f60ddca1
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
@@ -0,0 +1,65 @@
+From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 25 Oct 2023 18:15:42 +0000
+Subject: [PATCH] tests: pass overly long TXT resource records
+
+to make sure they don't crash avahi any more.
+It reproduces https://github.com/lathiat/avahi/issues/455
+
+Canonical notes:
+nickgalanis> removed first hunk since there is no .github dir in this release
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c       | 14 ++++++++++++++
+ 1 files changed, 14 insertions(+)
+
+Index: avahi-0.8/avahi-client/client-test.c
+===================================================================
+--- avahi-0.8.orig/avahi-client/client-test.c
++++ avahi-0.8/avahi-client/client-test.c
+@@ -22,6 +22,7 @@
+ #endif
+ 
+ #include <stdio.h>
++#include <string.h>
+ #include <assert.h>
+ 
+ #include <avahi-client/client.h>
+@@ -33,6 +34,8 @@
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/timeval.h>
+ 
++#include <avahi-core/dns.h>
++
+ static const AvahiPoll *poll_api = NULL;
+ static AvahiSimplePoll *simple_poll = NULL;
+ 
+@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     uint32_t cookie;
+     struct timeval tv;
+     AvahiAddress a;
++    uint8_t rdata[AVAHI_DNS_RDATA_MAX+1];
++    AvahiStringList *txt = NULL;
++    int r;
+ 
+     simple_poll = avahi_simple_poll_new();
+     poll_api = avahi_simple_poll_get(simple_poll);
+@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+     printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+ 
++    memset(rdata, 1, sizeof(rdata));
++    r = avahi_string_list_parse(rdata, sizeof(rdata), &txt);
++    assert(r >= 0);
++    assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata));
++    error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt);
++    assert(error == AVAHI_ERR_INVALID_RECORD);
++    avahi_string_list_free(txt);
++
+     avahi_entry_group_commit (group);
+ 
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
new file mode 100644
index 0000000000..91f9e677ac
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
@@ -0,0 +1,59 @@
+From af7bfad67ca53a7c4042a4a2d85456b847e9f249 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 11 Apr 2023 15:29:59 +0200
+Subject: [PATCH] avahi: Ensure each label is at least one byte long
+
+The only allowed exception is single dot, where it should return empty
+string.
+
+Fixes #454.
+
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c]
+CVE: CVE-2023-38470
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-common/domain-test.c | 14 ++++++++++++++
+ avahi-common/domain.c      |  2 +-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
+index cf763ec..3acc1c1 100644
+--- a/avahi-common/domain-test.c
++++ b/avahi-common/domain-test.c
+@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
+     avahi_free(s);
+
++    printf("%s\n", s = avahi_normalize_name_strdup("."));
++    avahi_free(s);
++
++    s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
++		    "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
++		    ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
++		    "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
++		    "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
++		    "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
++		    "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
++		    "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
++		    "}.?.?.?.}.=.?.?.}");
++    assert(s == NULL);
++
+     printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
+     printf("%i\n", avahi_domain_equal("A", "a"));
+
+diff --git a/avahi-common/domain.c b/avahi-common/domain.c
+index 3b1ab68..e66d241 100644
+--- a/avahi-common/domain.c
++++ b/avahi-common/domain.c
+@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) {
+         }
+
+         if (!empty) {
+-            if (size < 1)
++            if (size < 2)
+                 return NULL;
+
+             *(r++) = '.';
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
new file mode 100644
index 0000000000..e0736bf210
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
@@ -0,0 +1,52 @@
+From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 19 Sep 2023 03:21:25 +0000
+Subject: [PATCH] [common] bail out when escaped labels can't fit into ret
+
+Fixes:
+```
+==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8
+READ of size 1110 at 0x7f9e76f14c16 thread T0
+    #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba)
+    #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12
+    #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12
+```
+and
+```
+fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed.
+==101571== ERROR: libFuzzer: deadly signal
+    #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8)
+    #3 0x7f1581d7ebaf  (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25)
+    #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9
+```
+
+It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-2.patch?h=ubuntu/jammy-security
+CVE: CVE-2023-38470 #Follow-up patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-common/domain.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: avahi-0.8/avahi-common/domain.c
+===================================================================
+--- avahi-0.8.orig/avahi-common/domain.c
++++ avahi-0.8/avahi-common/domain.c
+@@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s
+         } else
+             empty = 0;
+ 
+-        avahi_escape_label(label, strlen(label), &r, &size);
++        if (!(avahi_escape_label(label, strlen(label), &r, &size)))
++            return NULL;
+     }
+ 
+     return ret_s;
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
new file mode 100644
index 0000000000..b3f716495d
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
@@ -0,0 +1,73 @@
+From 48d745db7fd554fc33e96ec86d3675ebd530bb8e Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] avahi: core: extract host name using avahi_unescape_label()
+
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+
+Fixes #453
+
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09]
+CVE: CVE-2023-38471
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-core/server.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index e507750..40f1d68 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
+ }
+
+ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+-    char *hn = NULL;
++    char label_escaped[AVAHI_LABEL_MAX*4+1];
++    char label[AVAHI_LABEL_MAX];
++    char *hn = NULL, *h;
++    size_t len;
++
+     assert(s);
+
+     AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+
+-    hn[strcspn(hn, ".")] = 0;
++    h = hn;
++    if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
++        avahi_free(h);
++        return AVAHI_ERR_INVALID_HOST_NAME;
++    }
++
++    avahi_free(h);
++
++    h = label_escaped;
++    len = sizeof(label_escaped);
++    if (!avahi_escape_label(label, strlen(label), &h, &len))
++        return AVAHI_ERR_INVALID_HOST_NAME;
+
+-    if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+-        avahi_free(hn);
++    if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+-    }
+
+     withdraw_host_rrs(s);
+
+     avahi_free(s->host_name);
+-    s->host_name = hn;
++    s->host_name = avahi_strdup(label_escaped);
++    if (!s->host_name)
++        return AVAHI_ERR_NO_MEMORY;
+
+     update_fqdn(s);
+
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
new file mode 100644
index 0000000000..44737bfc2e
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
@@ -0,0 +1,52 @@
+From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Tue, 24 Oct 2023 22:04:51 +0000
+Subject: [PATCH] core: return errors from avahi_server_set_host_name properly
+
+It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460]
+CVE: CVE-2023-38471 #Follow-up Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/server.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+Index: avahi-0.8/avahi-core/server.c
+===================================================================
+--- avahi-0.8.orig/avahi-core/server.c
++++ avahi-0.8/avahi-core/server.c
+@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServ
+     else
+         hn = avahi_normalize_name_strdup(host_name);
+ 
++    if (!hn)
++        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
++
+     h = hn;
+     if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
+         avahi_free(h);
+-        return AVAHI_ERR_INVALID_HOST_NAME;
++        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+     }
+ 
+     avahi_free(h);
+@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServ
+     h = label_escaped;
+     len = sizeof(label_escaped);
+     if (!avahi_escape_label(label, strlen(label), &h, &len))
+-        return AVAHI_ERR_INVALID_HOST_NAME;
++        return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME);
+ 
+     if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+         return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServ
+     avahi_free(s->host_name);
+     s->host_name = avahi_strdup(label_escaped);
+     if (!s->host_name)
+-        return AVAHI_ERR_NO_MEMORY;
++        return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);
+ 
+     update_fqdn(s);
+ 
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
new file mode 100644
index 0000000000..85dbded73b
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
@@ -0,0 +1,46 @@
+From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] core: make sure there is rdata to process before parsing it
+
+Fixes #452
+
+CVE-2023-38472
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40]
+CVE: CVE-2023-38472
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c      | 3 +++
+ avahi-daemon/dbus-entry-group.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+Index: avahi-0.8/avahi-client/client-test.c
+===================================================================
+--- avahi-0.8.orig/avahi-client/client-test.c
++++ avahi-0.8/avahi-client/client-test.c
+@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA
+     assert(error == AVAHI_ERR_INVALID_RECORD);
+     avahi_string_list_free(txt);
+ 
++    error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++    assert(error != AVAHI_OK);
++
+     avahi_entry_group_commit (group);
+ 
+     domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+Index: avahi-0.8/avahi-daemon/dbus-entry-group.c
+===================================================================
+--- avahi-0.8.orig/avahi-daemon/dbus-entry-group.c
++++ avahi-0.8/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g
+         if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+ 
+-        if (avahi_rdata_parse (r, rdata, size) < 0) {
++        if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+             avahi_record_unref (r);
+             return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+         }
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
new file mode 100644
index 0000000000..707acb60fe
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
@@ -0,0 +1,110 @@
+From 88cbbc48d5efff9726694557ca6c3f698f3affe4 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 11 Oct 2023 17:45:44 +0200
+Subject: [PATCH] avahi: common: derive alternative host name from its
+ unescaped version
+
+Normalization of input makes sure we don't have to deal with special
+cases like unescaped dot at the end of label.
+
+Fixes #451 #487
+
+Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]
+CVE: CVE-2023-38473
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ avahi-common/alternative-test.c |  3 +++
+ avahi-common/alternative.c      | 27 +++++++++++++++++++--------
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
+index 9255435..681fc15 100644
+--- a/avahi-common/alternative-test.c
++++ b/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+     const char* const test_strings[] = {
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+         "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
++        ").",
++        "\\.",
++        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+         "gurke",
+         "-",
+         " #",
+diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
+index b3d39f0..a094e6d 100644
+--- a/avahi-common/alternative.c
++++ b/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
+ }
+
+ char *avahi_alternative_host_name(const char *s) {
++    char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
++    char *alt, *r, *ret;
+     const char *e;
+-    char *r;
++    size_t len;
+
+     assert(s);
+
+     if (!avahi_is_valid_host_name(s))
+         return NULL;
+
+-    if ((e = strrchr(s, '-'))) {
++    if (!avahi_unescape_label(&s, label, sizeof(label)))
++        return NULL;
++
++    if ((e = strrchr(label, '-'))) {
+         const char *p;
+
+         e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
+
+     if (e) {
+         char *c, *m;
+-        size_t l;
+         int n;
+
+         n = atoi(e)+1;
+         if (!(m = avahi_strdup_printf("%i", n)))
+             return NULL;
+
+-        l = e-s-1;
++        len = e-label-1;
+
+-        if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+-            l = AVAHI_LABEL_MAX-1-strlen(m)-1;
++        if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
++            len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+
+-        if (!(c = avahi_strndup(s, l))) {
++        if (!(c = avahi_strndup(label, len))) {
+             avahi_free(m);
+             return NULL;
+         }
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
+     } else {
+         char *c;
+
+-        if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
++        if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+             return NULL;
+
+         drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
+         avahi_free(c);
+     }
+
++    alt = alternative;
++    len = sizeof(alternative);
++    ret = avahi_escape_label(r, strlen(r), &alt, &len);
++
++    avahi_free(r);
++    r = avahi_strdup(ret);
++
+     assert(avahi_is_valid_host_name(r));
+
+     return r;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch b/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch
deleted file mode 100644
index 7461fe193d..0000000000
--- a/meta/recipes-connectivity/avahi/files/fix-CVE-2017-6519.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/e111def]
-
-CVE: CVE-2017-6519
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From e111def44a7df4624a4aa3f85fe98054bffb6b4f Mon Sep 17 00:00:00 2001
-From: Trent Lloyd <trent@lloyd.id.au>
-Date: Sat, 22 Dec 2018 09:06:07 +0800
-Subject: [PATCH] Drop legacy unicast queries from address not on local link
-
-When handling legacy unicast queries, ensure that the source IP is
-inside a subnet on the local link, otherwise drop the packet.
-
-Fixes #145
-Fixes #203
-CVE-2017-6519
-CVE-2018-1000845
----
- avahi-core/server.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/avahi-core/server.c b/avahi-core/server.c
-index a2cb19a8..a2580e38 100644
---- a/avahi-core/server.c
-+++ b/avahi-core/server.c
-@@ -930,6 +930,7 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
- 
-     if (avahi_dns_packet_is_query(p)) {
-         int legacy_unicast = 0;
-+        char t[AVAHI_ADDRESS_STR_MAX];
- 
-         /* For queries EDNS0 might allow ARCOUNT != 0. We ignore the
-          * AR section completely here, so far. Until the day we add
-@@ -947,6 +948,13 @@ static void dispatch_packet(AvahiServer *s, AvahiDnsPacket *p, const AvahiAddres
-             legacy_unicast = 1;
-         }
- 
-+        if (!is_mdns_mcast_address(dst_address) &&
-+            !avahi_interface_address_on_link(i, src_address)) {
-+
-+            avahi_log_debug("Received non-local unicast query from host %s on interface '%s.%i'.", avahi_address_snprint(t, sizeof(t), src_address), i->hardware->name, i->protocol);
-+            return;
-+        }
-+
-         if (legacy_unicast)
-             reflect_legacy_unicast_query_packet(s, p, i, src_address, port);
- 
diff --git a/meta/recipes-connectivity/avahi/files/handle-hup.patch b/meta/recipes-connectivity/avahi/files/handle-hup.patch
new file mode 100644
index 0000000000..26632e5443
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/handle-hup.patch
@@ -0,0 +1,41 @@
+CVE: CVE-2021-3468
+Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/330]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 447affe29991ee99c6b9732fc5f2c1048a611d3b Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <sirmy15@gmail.com>
+Date: Fri, 26 Mar 2021 11:50:24 +0100
+Subject: [PATCH] Avoid infinite-loop in avahi-daemon by handling HUP event in
+ client_work
+
+If a client fills the input buffer, client_work() disables the
+AVAHI_WATCH_IN event, thus preventing the function from executing the
+`read` syscall the next times it is called. However, if the client then
+terminates the connection, the socket file descriptor receives a HUP
+event, which is not handled, thus the kernel keeps marking the HUP event
+as occurring. While iterating over the file descriptors that triggered
+an event, the client file descriptor will keep having the HUP event and
+the client_work() function is always called with AVAHI_WATCH_HUP but
+without nothing being done, thus entering an infinite loop.
+
+See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984938
+---
+ avahi-daemon/simple-protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/avahi-daemon/simple-protocol.c b/avahi-daemon/simple-protocol.c
+index 3e0ebb11..6c0274d6 100644
+--- a/avahi-daemon/simple-protocol.c
++++ b/avahi-daemon/simple-protocol.c
+@@ -424,6 +424,11 @@ static void client_work(AvahiWatch *watch, AVAHI_GCC_UNUSED int fd, AvahiWatchEv
+         }
+     }
+ 
++    if (events & AVAHI_WATCH_HUP) {
++        client_free(c);
++        return;
++    }
++
+     c->server->poll_api->watch_update(
+         watch,
+         (c->outbuf_length > 0 ? AVAHI_WATCH_OUT : 0) |
diff --git a/meta/recipes-connectivity/avahi/files/invalid-service.patch b/meta/recipes-connectivity/avahi/files/invalid-service.patch
new file mode 100644
index 0000000000..8f188aff2c
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/invalid-service.patch
@@ -0,0 +1,29 @@
+From 46490e95151d415cd22f02565e530eb5efcef680 Mon Sep 17 00:00:00 2001
+From: Asger Hautop Drewsen <asger@princh.com>
+Date: Mon, 9 Aug 2021 14:25:08 +0200
+Subject: [PATCH] Fix avahi-browse: Invalid service type
+
+Invalid service types will stop the browse from completing, or
+in simple terms "my washing machine stops me from printing".
+
+Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/472]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ avahi-core/browse-service.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
+index 63e0275a..ac3d2ecb 100644
+--- a/avahi-core/browse-service.c
++++ b/avahi-core/browse-service.c
+@@ -103,7 +103,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_prepare(
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(server, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
+     AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_FLAGS_VALID(flags, AVAHI_LOOKUP_USE_WIDE_AREA|AVAHI_LOOKUP_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+-    AVAHI_CHECK_VALIDITY_RETURN_NULL(server, avahi_is_valid_service_type_generic(service_type), AVAHI_ERR_INVALID_SERVICE_TYPE);
++
++    if (!avahi_is_valid_service_type_generic(service_type))
++        service_type = "_invalid._tcp";
+ 
+     if (!domain)
+         domain = server->domain_name;
diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch
new file mode 100644
index 0000000000..29c192d296
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/local-ping.patch
@@ -0,0 +1,153 @@
+CVE: CVE-2021-36217
+CVE: CVE-2021-3502
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 9d31939e55280a733d930b15ac9e4dda4497680c Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Date: Mon, 8 Feb 2021 11:04:43 +0200
+Subject: [PATCH] Fix NULL pointer crashes from #175
+
+avahi-daemon is crashing when running "ping .local".
+The crash is due to failing assertion from NULL pointer.
+Add missing NULL pointer checks to fix it.
+
+Introduced in #175 - merge commit 8f75a045709a780c8cf92a6a21e9d35b593bdecd
+---
+ avahi-core/browse-dns-server.c   | 5 ++++-
+ avahi-core/browse-domain.c       | 5 ++++-
+ avahi-core/browse-service-type.c | 3 +++
+ avahi-core/browse-service.c      | 3 +++
+ avahi-core/browse.c              | 3 +++
+ avahi-core/resolve-address.c     | 5 ++++-
+ avahi-core/resolve-host-name.c   | 5 ++++-
+ avahi-core/resolve-service.c     | 5 ++++-
+ 8 files changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/avahi-core/browse-dns-server.c b/avahi-core/browse-dns-server.c
+index 049752e9..c2d914fa 100644
+--- a/avahi-core/browse-dns-server.c
++++ b/avahi-core/browse-dns-server.c
+@@ -343,7 +343,10 @@ AvahiSDNSServerBrowser *avahi_s_dns_server_browser_new(
+         AvahiSDNSServerBrowser* b;
+ 
+         b = avahi_s_dns_server_browser_prepare(server, interface, protocol, domain, type, aprotocol, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_dns_server_browser_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/browse-domain.c b/avahi-core/browse-domain.c
+index f145d56a..06fa70c0 100644
+--- a/avahi-core/browse-domain.c
++++ b/avahi-core/browse-domain.c
+@@ -253,7 +253,10 @@ AvahiSDomainBrowser *avahi_s_domain_browser_new(
+         AvahiSDomainBrowser *b;
+ 
+         b = avahi_s_domain_browser_prepare(server, interface, protocol, domain, type, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_domain_browser_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/browse-service-type.c b/avahi-core/browse-service-type.c
+index fdd22dcd..b1fc7af8 100644
+--- a/avahi-core/browse-service-type.c
++++ b/avahi-core/browse-service-type.c
+@@ -171,6 +171,9 @@ AvahiSServiceTypeBrowser *avahi_s_service_type_browser_new(
+         AvahiSServiceTypeBrowser *b;
+ 
+         b = avahi_s_service_type_browser_prepare(server, interface, protocol, domain, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_service_type_browser_start(b);
+ 
+         return b;
+diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
+index 5531360c..63e0275a 100644
+--- a/avahi-core/browse-service.c
++++ b/avahi-core/browse-service.c
+@@ -184,6 +184,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_new(
+         AvahiSServiceBrowser *b;
+ 
+         b = avahi_s_service_browser_prepare(server, interface, protocol, service_type, domain, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_service_browser_start(b);
+ 
+         return b;
+diff --git a/avahi-core/browse.c b/avahi-core/browse.c
+index 2941e579..e8a915e9 100644
+--- a/avahi-core/browse.c
++++ b/avahi-core/browse.c
+@@ -634,6 +634,9 @@ AvahiSRecordBrowser *avahi_s_record_browser_new(
+         AvahiSRecordBrowser *b;
+ 
+         b = avahi_s_record_browser_prepare(server, interface, protocol, key, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_record_browser_start_query(b);
+ 
+         return b;
+diff --git a/avahi-core/resolve-address.c b/avahi-core/resolve-address.c
+index ac0b29b1..e61dd242 100644
+--- a/avahi-core/resolve-address.c
++++ b/avahi-core/resolve-address.c
+@@ -286,7 +286,10 @@ AvahiSAddressResolver *avahi_s_address_resolver_new(
+         AvahiSAddressResolver *b;
+ 
+         b = avahi_s_address_resolver_prepare(server, interface, protocol, address, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_address_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/resolve-host-name.c b/avahi-core/resolve-host-name.c
+index 808b0e72..4e8e5973 100644
+--- a/avahi-core/resolve-host-name.c
++++ b/avahi-core/resolve-host-name.c
+@@ -318,7 +318,10 @@ AvahiSHostNameResolver *avahi_s_host_name_resolver_new(
+         AvahiSHostNameResolver *b;
+ 
+         b = avahi_s_host_name_resolver_prepare(server, interface, protocol, host_name, aprotocol, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_host_name_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/resolve-service.c b/avahi-core/resolve-service.c
+index 66bf3cae..43771763 100644
+--- a/avahi-core/resolve-service.c
++++ b/avahi-core/resolve-service.c
+@@ -519,7 +519,10 @@ AvahiSServiceResolver *avahi_s_service_resolver_new(
+         AvahiSServiceResolver *b;
+ 
+         b = avahi_s_service_resolver_prepare(server, interface, protocol, name, type, domain, aprotocol, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_service_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
++}
diff --git a/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch
index 8db96ec049..ec1bc7b567 100644
--- a/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch
+++ b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch
@@ -17,7 +17,7 @@ index b2eec60..6e03936 100644
 @@ -57,6 +57,7 @@ case "$1" in
  	modprobe capability >/dev/null 2>&1 || true
  	if [ ! -f /etc/bind/rndc.key ]; then
- 	    /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
+ 	    /usr/sbin/rndc-confgen -a -b 512
 +	    chown root:bind /etc/bind/rndc.key >/dev/null 2>&1 || true
  	    chmod 0640 /etc/bind/rndc.key
  	fi
diff --git a/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch b/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
deleted file mode 100644
index 2fed99e1bb..0000000000
--- a/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Backport patch to fix CVE-2019-6471.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2019-6471
-
-CVE: CVE-2019-6471
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 3a9c7bb80d4a609b86427406d9dd783199920b5b Mon Sep 17 00:00:00 2001
-From: Mark Andrews <marka@isc.org>
-Date: Tue, 19 Mar 2019 14:14:21 +1100
-Subject: [PATCH] move item_out test inside lock in dns_dispatch_getnext()
-
-(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712)
----
- lib/dns/dispatch.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
-index 408beda367..3278db4a07 100644
---- a/lib/dns/dispatch.c
-+++ b/lib/dns/dispatch.c
-@@ -134,7 +134,7 @@ struct dns_dispentry {
- 	isc_task_t		       *task;
- 	isc_taskaction_t		action;
- 	void			       *arg;
--	bool			item_out;
-+	bool				item_out;
- 	dispsocket_t			*dispsocket;
- 	ISC_LIST(dns_dispatchevent_t)	items;
- 	ISC_LINK(dns_dispentry_t)	link;
-@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
- 	disp = resp->disp;
- 	REQUIRE(VALID_DISPATCH(disp));
- 
--	REQUIRE(resp->item_out == true);
--	resp->item_out = false;
--
- 	ev = *sockevent;
- 	*sockevent = NULL;
- 
- 	LOCK(&disp->lock);
-+
-+	REQUIRE(resp->item_out == true);
-+	resp->item_out = false;
-+
- 	if (ev->buffer.base != NULL)
- 		free_buffer(disp, ev->buffer.base, ev->buffer.length);
- 	free_devent(disp, ev);
-@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
- 		isc_task_send(disp->task[0], &disp->ctlevent);
- }
- 
-+/*
-+ * disp must be locked.
-+ */
- static void
- do_cancel(dns_dispatch_t *disp) {
- 	dns_dispatchevent_t *ev;
--- 
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0001-configure.in-remove-useless-L-use_openssl-lib.patch b/meta/recipes-connectivity/bind/bind/0001-configure.in-remove-useless-L-use_openssl-lib.patch
deleted file mode 100644
index 871bb2a5f6..0000000000
--- a/meta/recipes-connectivity/bind/bind/0001-configure.in-remove-useless-L-use_openssl-lib.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 950867d9fd3f690e271c8c807b6eed144b2935b2 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Mon, 27 Aug 2018 15:00:51 +0800
-Subject: [PATCH] configure.in: remove useless `-L$use_openssl/lib'
-
-Since `--with-openssl=${STAGING_DIR_HOST}${prefix}' is used in bind recipe,
-the `-L$use_openssl/lib' has a hardcoded suffix, removing it is harmless
-and helpful for clean up host build path in isc-config.sh
-
-Upstream-Status: Inappropriate [oe-core specific]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- configure.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.in b/configure.in
-index 54efc55..76ac0eb 100644
---- a/configure.in
-+++ b/configure.in
-@@ -1691,7 +1691,7 @@ If you don't want OpenSSL, use --without-openssl])
- 				fi
- 				;;
- 			*)
--				DST_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
-+				DST_OPENSSL_LIBS="-lcrypto"
- 				;;
- 			esac
- 		fi
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch b/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch
deleted file mode 100644
index 48ae125f84..0000000000
--- a/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/ec2d50d]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From ec2d50da8d81814640e28593d912f4b96c7efece Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
-Date: Thu, 3 Jan 2019 14:17:43 +0100
-Subject: [PATCH 1/6] fix enforcement of tcp-clients (v1)
-
-tcp-clients settings could be exceeded in some cases by
-creating more and more active TCP clients that are over
-the set quota limit, which in the end could lead to a
-DoS attack by e.g. exhaustion of file descriptors.
-
-If TCP client we're closing went over the quota (so it's
-not attached to a quota) mark it as mortal - so that it
-will be destroyed and not set up to listen for new
-connections - unless it's the last client for a specific
-interface.
-
-(cherry picked from commit f97131d21b97381cef72b971b157345c1f9b4115)
-(cherry picked from commit 9689ffc485df8f971f0ad81ab8ab1f5389493776)
----
- bin/named/client.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index d482da7121..0739dd48af 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -421,8 +421,19 @@ exit_check(ns_client_t *client) {
- 			isc_socket_detach(&client->tcpsocket);
- 		}
- 
--		if (client->tcpquota != NULL)
-+		if (client->tcpquota != NULL) {
- 			isc_quota_detach(&client->tcpquota);
-+		} else {
-+			/*
-+			 * We went over quota with this client, we don't
-+			 * want to restart listening unless this is the
-+			 * last client on this interface, which is
-+			 * checked later.
-+			 */
-+			if (TCP_CLIENT(client)) {
-+				client->mortal = true;
-+			}
-+		}
- 
- 		if (client->timerset) {
- 			(void)isc_timer_reset(client->timer,
--- 
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch b/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch
deleted file mode 100644
index a8d601dcaa..0000000000
--- a/meta/recipes-connectivity/bind/bind/0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Upstream-Status: Pending
-
-Subject: gen.c: extend DIRNAMESIZE from 256 to 512
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- lib/dns/gen.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: bind-9.11.3/lib/dns/gen.c
-===================================================================
---- bind-9.11.3.orig/lib/dns/gen.c
-+++ bind-9.11.3/lib/dns/gen.c
-@@ -130,7 +130,7 @@ static const char copyright[] =
- #define TYPECLASSBUF (TYPECLASSLEN + 1)
- #define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d"
- #define ATTRIBUTESIZE 256
--#define DIRNAMESIZE 256
-+#define DIRNAMESIZE 512
- 
- static struct cc {
- 	struct cc *next;
diff --git a/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch b/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch
deleted file mode 100644
index 01874a4407..0000000000
--- a/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 5bc3167a8b714ec0c4a3f1c7f3b9411296ec0a23 Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Wed, 16 Sep 2015 20:23:47 -0700
-Subject: [PATCH] lib/dns/gen.c: fix too long error
-
-The 512 is a little short when build in deep dir, and cause "too long"
-error, use PATH_MAX if defined.
-
-Upstream-Status: Pending
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
----
- lib/dns/gen.c |    4 ++++
- 1 file changed, 4 insertions(+)
-
-Index: bind-9.11.3/lib/dns/gen.c
-===================================================================
---- bind-9.11.3.orig/lib/dns/gen.c
-+++ bind-9.11.3/lib/dns/gen.c
-@@ -130,7 +130,11 @@ static const char copyright[] =
- #define TYPECLASSBUF (TYPECLASSLEN + 1)
- #define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d"
- #define ATTRIBUTESIZE 256
-+#ifdef PATH_MAX
-+#define DIRNAMESIZE PATH_MAX
-+#else
- #define DIRNAMESIZE 512
-+#endif
- 
- static struct cc {
- 	struct cc *next;
diff --git a/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch
index 75908aa638..4c10f33f04 100644
--- a/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch
+++ b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch
@@ -1,4 +1,4 @@
-From a3af4a405baf5ff582e82aaba392dd9667d94bdc Mon Sep 17 00:00:00 2001
+From 4e83392e840fa7b05e778710b8c202d102477a13 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia <hongxu.jia@windriver.com>
 Date: Mon, 27 Aug 2018 21:24:20 +0800
 Subject: [PATCH] `named/lwresd -V' and start log hide build options
@@ -12,23 +12,24 @@ $ named -V
 Upstream-Status: Inappropriate [oe-core specific]
 
 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+
+Refreshed for 9.16.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
 ---
- bin/named/include/named/globals.h | 2 +-
+ configure.ac | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
-index ba3457e..7741da7 100644
---- a/bin/named/include/named/globals.h
-+++ b/bin/named/include/named/globals.h
-@@ -68,7 +68,7 @@ EXTERN const char *		ns_g_version		INIT(VERSION);
- EXTERN const char *		ns_g_product		INIT(PRODUCT);
- EXTERN const char *		ns_g_description	INIT(DESCRIPTION);
- EXTERN const char *		ns_g_srcid		INIT(SRCID);
--EXTERN const char *		ns_g_configargs		INIT(CONFIGARGS);
-+EXTERN const char *		ns_g_configargs		INIT("*** (options are hidden)");
- EXTERN const char *		ns_g_builder		INIT(BUILDER);
- EXTERN in_port_t		ns_g_port		INIT(0);
- EXTERN isc_dscp_t		ns_g_dscp		INIT(-1);
--- 
-2.7.4
-
+diff --git a/configure.ac b/configure.ac
+index bf20690..c5d330f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -35,7 +35,7 @@ AC_DEFINE([PACKAGE_VERSION_EXTRA], ["][bind_VERSION_EXTRA]["], [BIND 9 Extra par
+ AC_DEFINE([PACKAGE_DESCRIPTION], [m4_ifnblank(bind_DESCRIPTION, [" ]bind_DESCRIPTION["], [])], [An extra string to print after PACKAGE_STRING])
+ AC_DEFINE([PACKAGE_SRCID], ["][bind_SRCID]["], [A short hash from git])
+ 
+-bind_CONFIGARGS="${ac_configure_args:-default}"
++bind_CONFIGARGS="(removed for reproducibility)"
+ AC_DEFINE_UNQUOTED([PACKAGE_CONFIGARGS], ["$bind_CONFIGARGS"], [Either 'defaults' or used ./configure options])
+ 
+ AC_DEFINE([PACKAGE_BUILDER], ["make"], [make or Visual Studio])
diff --git a/meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch b/meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch
deleted file mode 100644
index ca4e8b1a66..0000000000
--- a/meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch
+++ /dev/null
@@ -1,670 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/719f604]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 719f604e3fad5b7479bd14e2fa0ef4413f0a8fdc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
-Date: Fri, 4 Jan 2019 12:50:51 +0100
-Subject: [PATCH 2/6] tcp-clients could still be exceeded (v2)
-
-the TCP client quota could still be ineffective under some
-circumstances.  this change:
-
-- improves quota accounting to ensure that TCP clients are
-  properly limited, while still guaranteeing that at least one client
-  is always available to serve TCP connections on each interface.
-- uses more descriptive names and removes one (ntcptarget) that
-  was no longer needed
-- adds comments
-
-(cherry picked from commit 924651f1d5e605cd186d03f4f7340bcc54d77cc2)
-(cherry picked from commit 55a7a458e30e47874d34bdf1079eb863a0512396)
----
- bin/named/client.c                     | 311 ++++++++++++++++++++-----
- bin/named/include/named/client.h       |  14 +-
- bin/named/include/named/interfacemgr.h |  11 +-
- bin/named/interfacemgr.c               |   8 +-
- 4 files changed, 267 insertions(+), 77 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index 0739dd48af..a7b49a0f71 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -246,10 +246,11 @@ static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
- static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
- 			       dns_dispatch_t *disp, bool tcp);
- static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
--			       isc_socket_t *sock);
-+			       isc_socket_t *sock, ns_client_t *oldclient);
- static inline bool
--allowed(isc_netaddr_t *addr, dns_name_t *signer, isc_netaddr_t *ecs_addr,
--	uint8_t ecs_addrlen, uint8_t *ecs_scope, dns_acl_t *acl);
-+allowed(isc_netaddr_t *addr, dns_name_t *signer,
-+	isc_netaddr_t *ecs_addr, uint8_t ecs_addrlen,
-+	uint8_t *ecs_scope, dns_acl_t *acl)
- static void compute_cookie(ns_client_t *client, uint32_t when,
- 			   uint32_t nonce, const unsigned char *secret,
- 			   isc_buffer_t *buf);
-@@ -405,8 +406,11 @@ exit_check(ns_client_t *client) {
- 		 */
- 		INSIST(client->recursionquota == NULL);
- 		INSIST(client->newstate <= NS_CLIENTSTATE_READY);
--		if (client->nreads > 0)
-+
-+		if (client->nreads > 0) {
- 			dns_tcpmsg_cancelread(&client->tcpmsg);
-+		}
-+
- 		if (client->nreads != 0) {
- 			/* Still waiting for read cancel completion. */
- 			return (true);
-@@ -416,25 +420,58 @@ exit_check(ns_client_t *client) {
- 			dns_tcpmsg_invalidate(&client->tcpmsg);
- 			client->tcpmsg_valid = false;
- 		}
-+
- 		if (client->tcpsocket != NULL) {
- 			CTRACE("closetcp");
- 			isc_socket_detach(&client->tcpsocket);
-+
-+			if (client->tcpactive) {
-+				LOCK(&client->interface->lock);
-+				INSIST(client->interface->ntcpactive > 0);
-+				client->interface->ntcpactive--;
-+				UNLOCK(&client->interface->lock);
-+				client->tcpactive = false;
-+			}
- 		}
- 
- 		if (client->tcpquota != NULL) {
--			isc_quota_detach(&client->tcpquota);
--		} else {
- 			/*
--			 * We went over quota with this client, we don't
--			 * want to restart listening unless this is the
--			 * last client on this interface, which is
--			 * checked later.
-+			 * If we are not in a pipeline group, or
-+			 * we are the last client in the group, detach from
-+			 * tcpquota; otherwise, transfer the quota to
-+			 * another client in the same group.
- 			 */
--			if (TCP_CLIENT(client)) {
--				client->mortal = true;
-+			if (!ISC_LINK_LINKED(client, glink) ||
-+			    (client->glink.next == NULL &&
-+			     client->glink.prev == NULL))
-+			{
-+				isc_quota_detach(&client->tcpquota);
-+			} else if (client->glink.next != NULL) {
-+				INSIST(client->glink.next->tcpquota == NULL);
-+				client->glink.next->tcpquota = client->tcpquota;
-+				client->tcpquota = NULL;
-+			} else {
-+				INSIST(client->glink.prev->tcpquota == NULL);
-+				client->glink.prev->tcpquota = client->tcpquota;
-+				client->tcpquota = NULL;
- 			}
- 		}
- 
-+		/*
-+		 * Unlink from pipeline group.
-+		 */
-+		if (ISC_LINK_LINKED(client, glink)) {
-+			if (client->glink.next != NULL) {
-+				client->glink.next->glink.prev =
-+					client->glink.prev;
-+			}
-+			if (client->glink.prev != NULL) {
-+				client->glink.prev->glink.next =
-+					client->glink.next;
-+			}
-+			ISC_LINK_INIT(client, glink);
-+		}
-+
- 		if (client->timerset) {
- 			(void)isc_timer_reset(client->timer,
- 					      isc_timertype_inactive,
-@@ -455,15 +492,16 @@ exit_check(ns_client_t *client) {
- 		 * that already.  Check whether this client needs to remain
- 		 * active and force it to go inactive if not.
- 		 *
--		 * UDP clients go inactive at this point, but TCP clients
--		 * may remain active if we have fewer active TCP client
--		 * objects than desired due to an earlier quota exhaustion.
-+		 * UDP clients go inactive at this point, but a TCP client
-+		 * will needs to remain active if no other clients are
-+		 * listening for TCP requests on this interface, to
-+		 * prevent this interface from going nonresponsive.
- 		 */
- 		if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
- 			LOCK(&client->interface->lock);
--			if (client->interface->ntcpcurrent <
--				    client->interface->ntcptarget)
-+			if (client->interface->ntcpaccepting == 0) {
- 				client->mortal = false;
-+			}
- 			UNLOCK(&client->interface->lock);
- 		}
- 
-@@ -472,15 +510,17 @@ exit_check(ns_client_t *client) {
- 		 * queue for recycling.
- 		 */
- 		if (client->mortal) {
--			if (client->newstate > NS_CLIENTSTATE_INACTIVE)
-+			if (client->newstate > NS_CLIENTSTATE_INACTIVE) {
- 				client->newstate = NS_CLIENTSTATE_INACTIVE;
-+			}
- 		}
- 
- 		if (NS_CLIENTSTATE_READY == client->newstate) {
- 			if (TCP_CLIENT(client)) {
- 				client_accept(client);
--			} else
-+			} else {
- 				client_udprecv(client);
-+			}
- 			client->newstate = NS_CLIENTSTATE_MAX;
- 			return (true);
- 		}
-@@ -492,41 +532,57 @@ exit_check(ns_client_t *client) {
- 		/*
- 		 * We are trying to enter the inactive state.
- 		 */
--		if (client->naccepts > 0)
-+		if (client->naccepts > 0) {
- 			isc_socket_cancel(client->tcplistener, client->task,
- 					  ISC_SOCKCANCEL_ACCEPT);
-+		}
- 
- 		/* Still waiting for accept cancel completion. */
--		if (! (client->naccepts == 0))
-+		if (! (client->naccepts == 0)) {
- 			return (true);
-+		}
- 
- 		/* Accept cancel is complete. */
--		if (client->nrecvs > 0)
-+		if (client->nrecvs > 0) {
- 			isc_socket_cancel(client->udpsocket, client->task,
- 					  ISC_SOCKCANCEL_RECV);
-+		}
- 
- 		/* Still waiting for recv cancel completion. */
--		if (! (client->nrecvs == 0))
-+		if (! (client->nrecvs == 0)) {
- 			return (true);
-+		}
- 
- 		/* Still waiting for control event to be delivered */
--		if (client->nctls > 0)
-+		if (client->nctls > 0) {
- 			return (true);
--
--		/* Deactivate the client. */
--		if (client->interface)
--			ns_interface_detach(&client->interface);
-+		}
- 
- 		INSIST(client->naccepts == 0);
- 		INSIST(client->recursionquota == NULL);
--		if (client->tcplistener != NULL)
-+		if (client->tcplistener != NULL) {
- 			isc_socket_detach(&client->tcplistener);
- 
--		if (client->udpsocket != NULL)
-+			if (client->tcpactive) {
-+				LOCK(&client->interface->lock);
-+				INSIST(client->interface->ntcpactive > 0);
-+				client->interface->ntcpactive--;
-+				UNLOCK(&client->interface->lock);
-+				client->tcpactive = false;
-+			}
-+		}
-+		if (client->udpsocket != NULL) {
- 			isc_socket_detach(&client->udpsocket);
-+		}
- 
--		if (client->dispatch != NULL)
-+		/* Deactivate the client. */
-+		if (client->interface != NULL) {
-+			ns_interface_detach(&client->interface);
-+		}
-+
-+		if (client->dispatch != NULL) {
- 			dns_dispatch_detach(&client->dispatch);
-+		}
- 
- 		client->attributes = 0;
- 		client->mortal = false;
-@@ -551,10 +607,13 @@ exit_check(ns_client_t *client) {
- 			client->newstate = NS_CLIENTSTATE_MAX;
- 			if (!ns_g_clienttest && manager != NULL &&
- 			    !manager->exiting)
-+			{
- 				ISC_QUEUE_PUSH(manager->inactive, client,
- 					       ilink);
--			if (client->needshutdown)
-+			}
-+			if (client->needshutdown) {
- 				isc_task_shutdown(client->task);
-+			}
- 			return (true);
- 		}
- 	}
-@@ -675,7 +734,6 @@ client_start(isc_task_t *task, isc_event_t *event) {
- 	}
- }
- 
--
- /*%
-  * The client's task has received a shutdown event.
-  */
-@@ -2507,17 +2565,12 @@ client_request(isc_task_t *task, isc_event_t *event) {
- 	/*
- 	 * Pipeline TCP query processing.
- 	 */
--	if (client->message->opcode != dns_opcode_query)
-+	if (client->message->opcode != dns_opcode_query) {
- 		client->pipelined = false;
-+	}
- 	if (TCP_CLIENT(client) && client->pipelined) {
--		result = isc_quota_reserve(&ns_g_server->tcpquota);
--		if (result == ISC_R_SUCCESS)
--			result = ns_client_replace(client);
-+		result = ns_client_replace(client);
- 		if (result != ISC_R_SUCCESS) {
--			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
--				      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
--				      "no more TCP clients(read): %s",
--				      isc_result_totext(result));
- 			client->pipelined = false;
- 		}
- 	}
-@@ -3087,6 +3140,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- 	client->filter_aaaa = dns_aaaa_ok;
- #endif
- 	client->needshutdown = ns_g_clienttest;
-+	client->tcpactive = false;
- 
- 	ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
- 		       NS_EVENT_CLIENTCONTROL, client_start, client, client,
-@@ -3100,6 +3154,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- 	client->formerrcache.id = 0;
- 	ISC_LINK_INIT(client, link);
- 	ISC_LINK_INIT(client, rlink);
-+	ISC_LINK_INIT(client, glink);
- 	ISC_QLINK_INIT(client, ilink);
- 	client->keytag = NULL;
- 	client->keytag_len = 0;
-@@ -3193,12 +3248,19 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- 
- 	INSIST(client->state == NS_CLIENTSTATE_READY);
- 
-+	/*
-+	 * The accept() was successful and we're now establishing a new
-+	 * connection. We need to make note of it in the client and
-+	 * interface objects so client objects can do the right thing
-+	 * when going inactive in exit_check() (see comments in
-+	 * client_accept() for details).
-+	 */
- 	INSIST(client->naccepts == 1);
- 	client->naccepts--;
- 
- 	LOCK(&client->interface->lock);
--	INSIST(client->interface->ntcpcurrent > 0);
--	client->interface->ntcpcurrent--;
-+	INSIST(client->interface->ntcpaccepting > 0);
-+	client->interface->ntcpaccepting--;
- 	UNLOCK(&client->interface->lock);
- 
- 	/*
-@@ -3232,6 +3294,9 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- 			      "accept failed: %s",
- 			      isc_result_totext(nevent->result));
-+		if (client->tcpquota != NULL) {
-+			isc_quota_detach(&client->tcpquota);
-+		}
- 	}
- 
- 	if (exit_check(client))
-@@ -3270,18 +3335,12 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- 		 * deny service to legitimate TCP clients.
- 		 */
- 		client->pipelined = false;
--		result = isc_quota_attach(&ns_g_server->tcpquota,
--					  &client->tcpquota);
--		if (result == ISC_R_SUCCESS)
--			result = ns_client_replace(client);
--		if (result != ISC_R_SUCCESS) {
--			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
--				      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
--				      "no more TCP clients(accept): %s",
--				      isc_result_totext(result));
--		} else if (ns_g_server->keepresporder == NULL ||
--			   !allowed(&netaddr, NULL, NULL, 0, NULL,
--				    ns_g_server->keepresporder)) {
-+		result = ns_client_replace(client);
-+		if (result == ISC_R_SUCCESS &&
-+		    (client->sctx->keepresporder == NULL ||
-+		     !allowed(&netaddr, NULL, NULL, 0, NULL,
-+			      ns_g_server->keepresporder)))
-+		{
- 			client->pipelined = true;
- 		}
- 
-@@ -3298,12 +3357,80 @@ client_accept(ns_client_t *client) {
- 
- 	CTRACE("accept");
- 
-+	/*
-+	 * The tcpquota object can only be simultaneously referenced a
-+	 * pre-defined number of times; this is configured by 'tcp-clients'
-+	 * in named.conf. If we can't attach to it here, that means the TCP
-+	 * client quota has been exceeded.
-+	 */
-+	result = isc_quota_attach(&client->sctx->tcpquota,
-+				  &client->tcpquota);
-+	if (result != ISC_R_SUCCESS) {
-+			bool exit;
-+
-+			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-+				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
-+				      "no more TCP clients: %s",
-+				      isc_result_totext(result));
-+
-+			/*
-+			 * We have exceeded the system-wide TCP client
-+			 * quota.  But, we can't just block this accept
-+			 * in all cases, because if we did, a heavy TCP
-+			 * load on other interfaces might cause this
-+			 * interface to be starved, with no clients able
-+			 * to accept new connections.
-+			 *
-+			 * So, we check here to see if any other client
-+			 * is already servicing TCP queries on this
-+			 * interface (whether accepting, reading, or
-+			 * processing).
-+			 *
-+			 * If so, then it's okay *not* to call
-+			 * accept - we can let this client to go inactive
-+			 * and the other one handle the next connection
-+			 * when it's ready.
-+			 *
-+			 * But if not, then we need to be a little bit
-+			 * flexible about the quota. We allow *one* extra
-+			 * TCP client through, to ensure we're listening on
-+			 * every interface.
-+			 *
-+			 * (Note: In practice this means that the *real*
-+			 * TCP client quota is tcp-clients plus the number
-+			 * of interfaces.)
-+			 */
-+			LOCK(&client->interface->lock);
-+			exit = (client->interface->ntcpactive > 0);
-+			UNLOCK(&client->interface->lock);
-+
-+			if (exit) {
-+				client->newstate = NS_CLIENTSTATE_INACTIVE;
-+				(void)exit_check(client);
-+				return;
-+			}
-+	}
-+
-+	/*
-+	 * By incrementing the interface's ntcpactive counter we signal
-+	 * that there is at least one client servicing TCP queries for the
-+	 * interface.
-+	 *
-+	 * We also make note of the fact in the client itself with the
-+	 * tcpactive flag. This ensures proper accounting by preventing
-+	 * us from accidentally incrementing or decrementing ntcpactive
-+	 * more than once per client object.
-+	 */
-+	if (!client->tcpactive) {
-+		LOCK(&client->interface->lock);
-+		client->interface->ntcpactive++;
-+		UNLOCK(&client->interface->lock);
-+		client->tcpactive = true;
-+	}
-+
- 	result = isc_socket_accept(client->tcplistener, client->task,
- 				   client_newconn, client);
- 	if (result != ISC_R_SUCCESS) {
--		UNEXPECTED_ERROR(__FILE__, __LINE__,
--				 "isc_socket_accept() failed: %s",
--				 isc_result_totext(result));
- 		/*
- 		 * XXXRTH  What should we do?  We're trying to accept but
- 		 *	   it didn't work.  If we just give up, then TCP
-@@ -3311,12 +3438,39 @@ client_accept(ns_client_t *client) {
- 		 *
- 		 *	   For now, we just go idle.
- 		 */
-+		UNEXPECTED_ERROR(__FILE__, __LINE__,
-+				 "isc_socket_accept() failed: %s",
-+				 isc_result_totext(result));
-+		if (client->tcpquota != NULL) {
-+			isc_quota_detach(&client->tcpquota);
-+		}
- 		return;
- 	}
-+
-+	/*
-+	 * The client's 'naccepts' counter indicates that this client has
-+	 * called accept() and is waiting for a new connection. It should
-+	 * never exceed 1.
-+	 */
- 	INSIST(client->naccepts == 0);
- 	client->naccepts++;
-+
-+	/*
-+	 * The interface's 'ntcpaccepting' counter is incremented when
-+	 * any client calls accept(), and decremented in client_newconn()
-+	 * once the connection is established.
-+	 *
-+	 * When the client object is shutting down after handling a TCP
-+	 * request (see exit_check()), it looks to see whether this value is
-+	 * non-zero. If so, that means another client has already called
-+	 * accept() and is waiting to establish the next connection, which
-+	 * means the first client is free to go inactive. Otherwise,
-+	 * the first client must come back and call accept() again; this
-+	 * guarantees there will always be at least one client listening
-+	 * for new TCP connections on each interface.
-+	 */
- 	LOCK(&client->interface->lock);
--	client->interface->ntcpcurrent++;
-+	client->interface->ntcpaccepting++;
- 	UNLOCK(&client->interface->lock);
- }
- 
-@@ -3390,13 +3544,14 @@ ns_client_replace(ns_client_t *client) {
- 	tcp = TCP_CLIENT(client);
- 	if (tcp && client->pipelined) {
- 		result = get_worker(client->manager, client->interface,
--				    client->tcpsocket);
-+				    client->tcpsocket, client);
- 	} else {
- 		result = get_client(client->manager, client->interface,
- 				    client->dispatch, tcp);
- 	}
--	if (result != ISC_R_SUCCESS)
-+	if (result != ISC_R_SUCCESS) {
- 		return (result);
-+	}
- 
- 	/*
- 	 * The responsibility for listening for new requests is hereby
-@@ -3585,6 +3740,7 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
- 		client->attributes |= NS_CLIENTATTR_TCP;
- 		isc_socket_attach(ifp->tcpsocket,
- 				  &client->tcplistener);
-+
- 	} else {
- 		isc_socket_t *sock;
- 
-@@ -3602,7 +3758,8 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
- }
- 
- static isc_result_t
--get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
-+get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
-+	   ns_client_t *oldclient)
- {
- 	isc_result_t result = ISC_R_SUCCESS;
- 	isc_event_t *ev;
-@@ -3610,6 +3767,7 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
- 	MTRACE("get worker");
- 
- 	REQUIRE(manager != NULL);
-+	REQUIRE(oldclient != NULL);
- 
- 	if (manager->exiting)
- 		return (ISC_R_SHUTTINGDOWN);
-@@ -3642,7 +3800,28 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
- 	ns_interface_attach(ifp, &client->interface);
- 	client->newstate = client->state = NS_CLIENTSTATE_WORKING;
- 	INSIST(client->recursionquota == NULL);
--	client->tcpquota = &ns_g_server->tcpquota;
-+
-+	/*
-+	 * Transfer TCP quota to the new client.
-+	 */
-+	INSIST(client->tcpquota == NULL);
-+	INSIST(oldclient->tcpquota != NULL);
-+	client->tcpquota = oldclient->tcpquota;
-+	oldclient->tcpquota = NULL;
-+
-+	/*
-+	 * Link to a pipeline group, creating it if needed.
-+	 */
-+	if (!ISC_LINK_LINKED(oldclient, glink)) {
-+		oldclient->glink.next = NULL;
-+		oldclient->glink.prev = NULL;
-+	}
-+	client->glink.next = oldclient->glink.next;
-+	client->glink.prev = oldclient;
-+	if (oldclient->glink.next != NULL) {
-+		oldclient->glink.next->glink.prev = client;
-+	}
-+	oldclient->glink.next = client;
- 
- 	client->dscp = ifp->dscp;
- 
-@@ -3656,6 +3835,12 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock)
- 	(void)isc_socket_getpeername(client->tcpsocket, &client->peeraddr);
- 	client->peeraddr_valid = true;
- 
-+	LOCK(&client->interface->lock);
-+	client->interface->ntcpactive++;
-+	UNLOCK(&client->interface->lock);
-+
-+	client->tcpactive = true;
-+
- 	INSIST(client->tcpmsg_valid == false);
- 	dns_tcpmsg_init(client->mctx, client->tcpsocket, &client->tcpmsg);
- 	client->tcpmsg_valid = true;
-diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
-index b23a7b191d..1f7973f9c5 100644
---- a/bin/named/include/named/client.h
-+++ b/bin/named/include/named/client.h
-@@ -94,7 +94,8 @@ struct ns_client {
- 	int			nupdates;
- 	int			nctls;
- 	int			references;
--	bool		needshutdown; 	/*
-+	bool			tcpactive;
-+	bool			needshutdown; 	/*
- 						 * Used by clienttest to get
- 						 * the client to go from
- 						 * inactive to free state
-@@ -130,9 +131,9 @@ struct ns_client {
- 	isc_stdtime_t		now;
- 	isc_time_t		tnow;
- 	dns_name_t		signername;   /*%< [T]SIG key name */
--	dns_name_t *		signer;	      /*%< NULL if not valid sig */
--	bool		mortal;	      /*%< Die after handling request */
--	bool		pipelined;   /*%< TCP queries not in sequence */
-+	dns_name_t		*signer;      /*%< NULL if not valid sig */
-+	bool			mortal;	      /*%< Die after handling request */
-+	bool			pipelined;   /*%< TCP queries not in sequence */
- 	isc_quota_t		*tcpquota;
- 	isc_quota_t		*recursionquota;
- 	ns_interface_t		*interface;
-@@ -143,8 +144,8 @@ struct ns_client {
- 	isc_sockaddr_t		destsockaddr;
- 
- 	isc_netaddr_t		ecs_addr;	/*%< EDNS client subnet */
--	uint8_t		ecs_addrlen;
--	uint8_t		ecs_scope;
-+	uint8_t			ecs_addrlen;
-+	uint8_t			ecs_scope;
- 
- 	struct in6_pktinfo	pktinfo;
- 	isc_dscp_t		dscp;
-@@ -166,6 +167,7 @@ struct ns_client {
- 
- 	ISC_LINK(ns_client_t)	link;
- 	ISC_LINK(ns_client_t)	rlink;
-+	ISC_LINK(ns_client_t)	glink;
- 	ISC_QLINK(ns_client_t)	ilink;
- 	unsigned char		cookie[8];
- 	uint32_t		expire;
-diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
-index 7d1883e1e8..61b08826a6 100644
---- a/bin/named/include/named/interfacemgr.h
-+++ b/bin/named/include/named/interfacemgr.h
-@@ -77,9 +77,14 @@ struct ns_interface {
- 						/*%< UDP dispatchers. */
- 	isc_socket_t *		tcpsocket;	/*%< TCP socket. */
- 	isc_dscp_t		dscp;		/*%< "listen-on" DSCP value */
--	int			ntcptarget;	/*%< Desired number of concurrent
--						     TCP accepts */
--	int			ntcpcurrent;	/*%< Current ditto, locked */
-+	int			ntcpaccepting;	/*%< Number of clients
-+						     ready to accept new
-+						     TCP connections on this
-+						     interface */
-+	int			ntcpactive;	/*%< Number of clients
-+						     servicing TCP queries
-+						     (whether accepting or
-+						     connected) */
- 	int			nudpdispatch;	/*%< Number of UDP dispatches */
- 	ns_clientmgr_t *	clientmgr;	/*%< Client manager. */
- 	ISC_LINK(ns_interface_t) link;
-diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
-index 419927bf54..955096ef47 100644
---- a/bin/named/interfacemgr.c
-+++ b/bin/named/interfacemgr.c
-@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
- 	 * connections will be handled in parallel even though there is
- 	 * only one client initially.
- 	 */
--	ifp->ntcptarget = 1;
--	ifp->ntcpcurrent = 0;
-+	ifp->ntcpaccepting = 0;
-+	ifp->ntcpactive = 0;
- 	ifp->nudpdispatch = 0;
- 
- 	ifp->dscp = -1;
-@@ -522,9 +522,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
- 	 */
- 	(void)isc_socket_filter(ifp->tcpsocket, "dataready");
- 
--	result = ns_clientmgr_createclients(ifp->clientmgr,
--					    ifp->ntcptarget, ifp,
--					    true);
-+	result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, true);
- 	if (result != ISC_R_SUCCESS) {
- 		UNEXPECTED_ERROR(__FILE__, __LINE__,
- 				 "TCP ns_clientmgr_createclients(): %s",
--- 
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch b/meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch
deleted file mode 100644
index 032cfb8c44..0000000000
--- a/meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch
+++ /dev/null
@@ -1,278 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/366b4e1]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 366b4e1ede8aed690e981e07137cb1cb77879c36 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
-Date: Thu, 17 Jan 2019 15:53:38 +0100
-Subject: [PATCH 3/6] use reference counter for pipeline groups (v3)
-
-Track pipeline groups using a shared reference counter
-instead of a linked list.
-
-(cherry picked from commit 513afd33eb17d5dc41a3f0d2d38204ef8c5f6f91)
-(cherry picked from commit 9446629b730c59c4215f08d37fbaf810282fbccb)
----
- bin/named/client.c               | 171 ++++++++++++++++++++-----------
- bin/named/include/named/client.h |   2 +-
- 2 files changed, 110 insertions(+), 63 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index a7b49a0f71..277656cef0 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -299,6 +299,75 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
- 	}
- }
- 
-+/*%
-+ * Allocate a reference counter that will track the number of client structures
-+ * using the TCP connection that 'client' called accept() for.  This counter
-+ * will be shared between all client structures associated with this TCP
-+ * connection.
-+ */
-+static void
-+pipeline_init(ns_client_t *client) {
-+	isc_refcount_t *refs;
-+
-+	REQUIRE(client->pipeline_refs == NULL);
-+
-+	/*
-+	 * A global memory context is used for the allocation as different
-+	 * client structures may have different memory contexts assigned and a
-+	 * reference counter allocated here might need to be freed by a
-+	 * different client.  The performance impact caused by memory context
-+	 * contention here is expected to be negligible, given that this code
-+	 * is only executed for TCP connections.
-+	 */
-+	refs = isc_mem_allocate(client->sctx->mctx, sizeof(*refs));
-+	isc_refcount_init(refs, 1);
-+	client->pipeline_refs = refs;
-+}
-+
-+/*%
-+ * Increase the count of client structures using the TCP connection that
-+ * 'source' is associated with and put a pointer to that count in 'target',
-+ * thus associating it with the same TCP connection.
-+ */
-+static void
-+pipeline_attach(ns_client_t *source, ns_client_t *target) {
-+	int old_refs;
-+
-+	REQUIRE(source->pipeline_refs != NULL);
-+	REQUIRE(target->pipeline_refs == NULL);
-+
-+	old_refs = isc_refcount_increment(source->pipeline_refs);
-+	INSIST(old_refs > 0);
-+	target->pipeline_refs = source->pipeline_refs;
-+}
-+
-+/*%
-+ * Decrease the count of client structures using the TCP connection that
-+ * 'client' is associated with.  If this is the last client using this TCP
-+ * connection, free the reference counter and return true; otherwise, return
-+ * false.
-+ */
-+static bool
-+pipeline_detach(ns_client_t *client) {
-+	isc_refcount_t *refs;
-+	int old_refs;
-+
-+	REQUIRE(client->pipeline_refs != NULL);
-+
-+	refs = client->pipeline_refs;
-+	client->pipeline_refs = NULL;
-+
-+	old_refs = isc_refcount_decrement(refs);
-+	INSIST(old_refs > 0);
-+
-+	if (old_refs == 1) {
-+		isc_mem_free(client->sctx->mctx, refs);
-+		return (true);
-+	}
-+
-+	return (false);
-+}
-+
- /*%
-  * Check for a deactivation or shutdown request and take appropriate
-  * action.  Returns true if either is in progress; in this case
-@@ -421,6 +490,40 @@ exit_check(ns_client_t *client) {
- 			client->tcpmsg_valid = false;
- 		}
- 
-+		if (client->tcpquota != NULL) {
-+			if (client->pipeline_refs == NULL ||
-+			    pipeline_detach(client))
-+			{
-+				/*
-+				 * Only detach from the TCP client quota if
-+				 * there are no more client structures using
-+				 * this TCP connection.
-+				 *
-+				 * Note that we check 'pipeline_refs' and not
-+				 * 'pipelined' because in some cases (e.g.
-+				 * after receiving a request with an opcode
-+				 * different than QUERY) 'pipelined' is set to
-+				 * false after the reference counter gets
-+				 * allocated in pipeline_init() and we must
-+				 * still drop our reference as failing to do so
-+				 * would prevent the reference counter itself
-+				 * from being freed.
-+				 */
-+				isc_quota_detach(&client->tcpquota);
-+			} else {
-+				/*
-+				 * There are other client structures using this
-+				 * TCP connection, so we cannot detach from the
-+				 * TCP client quota to prevent excess TCP
-+				 * connections from being accepted.  However,
-+				 * this client structure might later be reused
-+				 * for accepting new connections and thus must
-+				 * have its 'tcpquota' field set to NULL.
-+				 */
-+				client->tcpquota = NULL;
-+			}
-+		}
-+
- 		if (client->tcpsocket != NULL) {
- 			CTRACE("closetcp");
- 			isc_socket_detach(&client->tcpsocket);
-@@ -434,44 +537,6 @@ exit_check(ns_client_t *client) {
- 			}
- 		}
- 
--		if (client->tcpquota != NULL) {
--			/*
--			 * If we are not in a pipeline group, or
--			 * we are the last client in the group, detach from
--			 * tcpquota; otherwise, transfer the quota to
--			 * another client in the same group.
--			 */
--			if (!ISC_LINK_LINKED(client, glink) ||
--			    (client->glink.next == NULL &&
--			     client->glink.prev == NULL))
--			{
--				isc_quota_detach(&client->tcpquota);
--			} else if (client->glink.next != NULL) {
--				INSIST(client->glink.next->tcpquota == NULL);
--				client->glink.next->tcpquota = client->tcpquota;
--				client->tcpquota = NULL;
--			} else {
--				INSIST(client->glink.prev->tcpquota == NULL);
--				client->glink.prev->tcpquota = client->tcpquota;
--				client->tcpquota = NULL;
--			}
--		}
--
--		/*
--		 * Unlink from pipeline group.
--		 */
--		if (ISC_LINK_LINKED(client, glink)) {
--			if (client->glink.next != NULL) {
--				client->glink.next->glink.prev =
--					client->glink.prev;
--			}
--			if (client->glink.prev != NULL) {
--				client->glink.prev->glink.next =
--					client->glink.next;
--			}
--			ISC_LINK_INIT(client, glink);
--		}
--
- 		if (client->timerset) {
- 			(void)isc_timer_reset(client->timer,
- 					      isc_timertype_inactive,
-@@ -3130,6 +3195,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- 	dns_name_init(&client->signername, NULL);
- 	client->mortal = false;
- 	client->pipelined = false;
-+	client->pipeline_refs = NULL;
- 	client->tcpquota = NULL;
- 	client->recursionquota = NULL;
- 	client->interface = NULL;
-@@ -3154,7 +3220,6 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- 	client->formerrcache.id = 0;
- 	ISC_LINK_INIT(client, link);
- 	ISC_LINK_INIT(client, rlink);
--	ISC_LINK_INIT(client, glink);
- 	ISC_QLINK_INIT(client, ilink);
- 	client->keytag = NULL;
- 	client->keytag_len = 0;
-@@ -3341,6 +3406,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- 		     !allowed(&netaddr, NULL, NULL, 0, NULL,
- 			      ns_g_server->keepresporder)))
- 		{
-+			pipeline_init(client);
- 			client->pipelined = true;
- 		}
- 
-@@ -3800,35 +3866,16 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
- 	ns_interface_attach(ifp, &client->interface);
- 	client->newstate = client->state = NS_CLIENTSTATE_WORKING;
- 	INSIST(client->recursionquota == NULL);
--
--	/*
--	 * Transfer TCP quota to the new client.
--	 */
--	INSIST(client->tcpquota == NULL);
--	INSIST(oldclient->tcpquota != NULL);
--	client->tcpquota = oldclient->tcpquota;
--	oldclient->tcpquota = NULL;
--
--	/*
--	 * Link to a pipeline group, creating it if needed.
--	 */
--	if (!ISC_LINK_LINKED(oldclient, glink)) {
--		oldclient->glink.next = NULL;
--		oldclient->glink.prev = NULL;
--	}
--	client->glink.next = oldclient->glink.next;
--	client->glink.prev = oldclient;
--	if (oldclient->glink.next != NULL) {
--		oldclient->glink.next->glink.prev = client;
--	}
--	oldclient->glink.next = client;
-+	client->tcpquota = &client->sctx->tcpquota;
- 
- 	client->dscp = ifp->dscp;
- 
- 	client->attributes |= NS_CLIENTATTR_TCP;
--	client->pipelined = true;
- 	client->mortal = true;
- 
-+	pipeline_attach(oldclient, client);
-+	client->pipelined = true;
-+
- 	isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
- 	isc_socket_attach(sock, &client->tcpsocket);
- 	isc_socket_setname(client->tcpsocket, "worker-tcp", NULL);
-diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
-index 1f7973f9c5..aeed9ccdda 100644
---- a/bin/named/include/named/client.h
-+++ b/bin/named/include/named/client.h
-@@ -134,6 +134,7 @@ struct ns_client {
- 	dns_name_t		*signer;      /*%< NULL if not valid sig */
- 	bool			mortal;	      /*%< Die after handling request */
- 	bool			pipelined;   /*%< TCP queries not in sequence */
-+	isc_refcount_t		*pipeline_refs;
- 	isc_quota_t		*tcpquota;
- 	isc_quota_t		*recursionquota;
- 	ns_interface_t		*interface;
-@@ -167,7 +168,6 @@ struct ns_client {
- 
- 	ISC_LINK(ns_client_t)	link;
- 	ISC_LINK(ns_client_t)	rlink;
--	ISC_LINK(ns_client_t)	glink;
- 	ISC_QLINK(ns_client_t)	ilink;
- 	unsigned char		cookie[8];
- 	uint32_t		expire;
--- 
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch b/meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch
deleted file mode 100644
index 034ab13303..0000000000
--- a/meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch
+++ /dev/null
@@ -1,512 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/2ab8a08]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 2ab8a085b3c666f28f1f9229bd6ecb59915b26c3 Mon Sep 17 00:00:00 2001
-From: Evan Hunt <each@isc.org>
-Date: Fri, 5 Apr 2019 16:12:18 -0700
-Subject: [PATCH 4/6] better tcpquota accounting and client mortality checks
-
-- ensure that tcpactive is cleaned up correctly when accept() fails.
-- set 'client->tcpattached' when the client is attached to the tcpquota.
-  carry this value on to new clients sharing the same pipeline group.
-  don't call isc_quota_detach() on the tcpquota unless tcpattached is
-  set.  this way clients that were allowed to accept TCP connections
-  despite being over quota (and therefore, were never attached to the
-  quota) will not inadvertently detach from it and mess up the
-  accounting.
-- simplify the code for tcpquota disconnection by using a new function
-  tcpquota_disconnect().
-- before deciding whether to reject a new connection due to quota
-  exhaustion, check to see whether there are at least two active
-  clients. previously, this was "at least one", but that could be
-  insufficient if there was one other client in READING state (waiting
-  for messages on an open connection) but none in READY (listening
-  for new connections).
-- before deciding whether a TCP client object can to go inactive, we
-  must ensure there are enough other clients to maintain service
-  afterward -- both accepting new connections and reading/processing new
-  queries.  A TCP client can't shut down unless at least one
-  client is accepting new connections and (in the case of pipelined
-  clients) at least one additional client is waiting to read.
-
-(cherry picked from commit c7394738b2445c16f728a88394864dd61baad900)
-(cherry picked from commit e965d5f11d3d0f6d59704e614fceca2093cb1856)
-(cherry picked from commit 87d431161450777ea093821212abfb52d51b36e3)
----
- bin/named/client.c               | 244 +++++++++++++++++++------------
- bin/named/include/named/client.h |   3 +-
- 2 files changed, 152 insertions(+), 95 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index 277656cef0..61e96dd28c 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -244,13 +244,14 @@ static void client_start(isc_task_t *task, isc_event_t *event);
- static void client_request(isc_task_t *task, isc_event_t *event);
- static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
- static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
--			       dns_dispatch_t *disp, bool tcp);
-+			       dns_dispatch_t *disp, ns_client_t *oldclient,
-+			       bool tcp);
- static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
- 			       isc_socket_t *sock, ns_client_t *oldclient);
- static inline bool
- allowed(isc_netaddr_t *addr, dns_name_t *signer,
- 	isc_netaddr_t *ecs_addr, uint8_t ecs_addrlen,
--	uint8_t *ecs_scope, dns_acl_t *acl)
-+	uint8_t *ecs_scope, dns_acl_t *acl);
- static void compute_cookie(ns_client_t *client, uint32_t when,
- 			   uint32_t nonce, const unsigned char *secret,
- 			   isc_buffer_t *buf);
-@@ -319,7 +320,7 @@ pipeline_init(ns_client_t *client) {
- 	 * contention here is expected to be negligible, given that this code
- 	 * is only executed for TCP connections.
- 	 */
--	refs = isc_mem_allocate(client->sctx->mctx, sizeof(*refs));
-+	refs = isc_mem_allocate(ns_g_mctx, sizeof(*refs));
- 	isc_refcount_init(refs, 1);
- 	client->pipeline_refs = refs;
- }
-@@ -331,13 +332,13 @@ pipeline_init(ns_client_t *client) {
-  */
- static void
- pipeline_attach(ns_client_t *source, ns_client_t *target) {
--	int old_refs;
-+	int refs;
- 
- 	REQUIRE(source->pipeline_refs != NULL);
- 	REQUIRE(target->pipeline_refs == NULL);
- 
--	old_refs = isc_refcount_increment(source->pipeline_refs);
--	INSIST(old_refs > 0);
-+	isc_refcount_increment(source->pipeline_refs, &refs);
-+	INSIST(refs > 1);
- 	target->pipeline_refs = source->pipeline_refs;
- }
- 
-@@ -349,25 +350,51 @@ pipeline_attach(ns_client_t *source, ns_client_t *target) {
-  */
- static bool
- pipeline_detach(ns_client_t *client) {
--	isc_refcount_t *refs;
--	int old_refs;
-+	isc_refcount_t *refcount;
-+	int refs;
- 
- 	REQUIRE(client->pipeline_refs != NULL);
- 
--	refs = client->pipeline_refs;
-+	refcount = client->pipeline_refs;
- 	client->pipeline_refs = NULL;
- 
--	old_refs = isc_refcount_decrement(refs);
--	INSIST(old_refs > 0);
-+	isc_refcount_decrement(refcount, refs);
- 
--	if (old_refs == 1) {
--		isc_mem_free(client->sctx->mctx, refs);
-+	if (refs == 0) {
-+		isc_mem_free(ns_g_mctx, refs);
- 		return (true);
- 	}
- 
- 	return (false);
- }
- 
-+/*
-+ * Detach a client from the TCP client quota if appropriate, and set
-+ * the quota pointer to NULL.
-+ *
-+ * Sometimes when the TCP client quota is exhausted but there are no other
-+ * clients servicing the interface, a client will be allowed to continue
-+ * running despite not having been attached to the quota. In this event,
-+ * the TCP quota was never attached to the client, so when the client (or
-+ * associated pipeline group) shuts down, the quota must NOT be detached.
-+ *
-+ * Otherwise, if the quota pointer is set, it should be detached. If not
-+ * set at all, we just return without doing anything.
-+ */
-+static void
-+tcpquota_disconnect(ns_client_t *client) {
-+	if (client->tcpquota == NULL) {
-+		return;
-+	}
-+
-+	if (client->tcpattached) {
-+		isc_quota_detach(&client->tcpquota);
-+		client->tcpattached = false;
-+	} else {
-+		client->tcpquota = NULL;
-+	}
-+}
-+
- /*%
-  * Check for a deactivation or shutdown request and take appropriate
-  * action.  Returns true if either is in progress; in this case
-@@ -490,38 +517,31 @@ exit_check(ns_client_t *client) {
- 			client->tcpmsg_valid = false;
- 		}
- 
--		if (client->tcpquota != NULL) {
--			if (client->pipeline_refs == NULL ||
--			    pipeline_detach(client))
--			{
--				/*
--				 * Only detach from the TCP client quota if
--				 * there are no more client structures using
--				 * this TCP connection.
--				 *
--				 * Note that we check 'pipeline_refs' and not
--				 * 'pipelined' because in some cases (e.g.
--				 * after receiving a request with an opcode
--				 * different than QUERY) 'pipelined' is set to
--				 * false after the reference counter gets
--				 * allocated in pipeline_init() and we must
--				 * still drop our reference as failing to do so
--				 * would prevent the reference counter itself
--				 * from being freed.
--				 */
--				isc_quota_detach(&client->tcpquota);
--			} else {
--				/*
--				 * There are other client structures using this
--				 * TCP connection, so we cannot detach from the
--				 * TCP client quota to prevent excess TCP
--				 * connections from being accepted.  However,
--				 * this client structure might later be reused
--				 * for accepting new connections and thus must
--				 * have its 'tcpquota' field set to NULL.
--				 */
--				client->tcpquota = NULL;
--			}
-+		/*
-+		 * Detach from pipeline group and from TCP client quota,
-+		 * if appropriate.
-+		 *
-+		 * - If no pipeline group is active, attempt to
-+		 *   detach from the TCP client quota.
-+		 *
-+		 * - If a pipeline group is active, detach from it;
-+		 *   if the return code indicates that there no more
-+		 *   clients left if this pipeline group, we also detach
-+		 *   from the TCP client quota.
-+		 *
-+		 * - Otherwise we don't try to detach, we just set the
-+		 *   TCP quota pointer to NULL if it wasn't NULL already.
-+		 *
-+		 * tcpquota_disconnect() will set tcpquota to NULL, either
-+		 * by detaching it or by assignment, depending on the
-+		 * needs of the client. See the comments on that function
-+		 * for further information.
-+		 */
-+		if (client->pipeline_refs == NULL || pipeline_detach(client)) {
-+			tcpquota_disconnect(client);
-+		} else {
-+			client->tcpquota = NULL;
-+			client->tcpattached = false;
- 		}
- 
- 		if (client->tcpsocket != NULL) {
-@@ -544,8 +564,6 @@ exit_check(ns_client_t *client) {
- 			client->timerset = false;
- 		}
- 
--		client->pipelined = false;
--
- 		client->peeraddr_valid = false;
- 
- 		client->state = NS_CLIENTSTATE_READY;
-@@ -558,18 +576,27 @@ exit_check(ns_client_t *client) {
- 		 * active and force it to go inactive if not.
- 		 *
- 		 * UDP clients go inactive at this point, but a TCP client
--		 * will needs to remain active if no other clients are
--		 * listening for TCP requests on this interface, to
--		 * prevent this interface from going nonresponsive.
-+		 * may need to remain active and go into ready state if
-+		 * no other clients are available to listen for TCP
-+		 * requests on this interface or (in the case of pipelined
-+		 * clients) to read for additional messages on the current
-+		 * connection.
- 		 */
- 		if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
- 			LOCK(&client->interface->lock);
--			if (client->interface->ntcpaccepting == 0) {
-+			if ((client->interface->ntcpaccepting == 0 ||
-+			    (client->pipelined &&
-+			     client->interface->ntcpactive < 2)) &&
-+			    client->newstate != NS_CLIENTSTATE_FREED)
-+			{
- 				client->mortal = false;
-+				client->newstate = NS_CLIENTSTATE_READY;
- 			}
- 			UNLOCK(&client->interface->lock);
- 		}
- 
-+		client->pipelined = false;
-+
- 		/*
- 		 * We don't need the client; send it to the inactive
- 		 * queue for recycling.
-@@ -2634,6 +2661,18 @@ client_request(isc_task_t *task, isc_event_t *event) {
- 		client->pipelined = false;
- 	}
- 	if (TCP_CLIENT(client) && client->pipelined) {
-+		/*
-+		 * We're pipelining. Replace the client; the
-+		 * the replacement can read the TCP socket looking
-+		 * for new messages and this client can process the
-+		 * current message asynchronously.
-+		 *
-+		 * There are now at least three clients using this
-+		 * TCP socket - one accepting new connections,
-+		 * one reading an existing connection to get new
-+		 * messages, and one answering the message already
-+		 * received.
-+		 */
- 		result = ns_client_replace(client);
- 		if (result != ISC_R_SUCCESS) {
- 			client->pipelined = false;
-@@ -3197,6 +3236,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- 	client->pipelined = false;
- 	client->pipeline_refs = NULL;
- 	client->tcpquota = NULL;
-+	client->tcpattached = false;
- 	client->recursionquota = NULL;
- 	client->interface = NULL;
- 	client->peeraddr_valid = false;
-@@ -3359,9 +3399,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- 			      "accept failed: %s",
- 			      isc_result_totext(nevent->result));
--		if (client->tcpquota != NULL) {
--			isc_quota_detach(&client->tcpquota);
--		}
-+		tcpquota_disconnect(client);
- 	}
- 
- 	if (exit_check(client))
-@@ -3402,7 +3440,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- 		client->pipelined = false;
- 		result = ns_client_replace(client);
- 		if (result == ISC_R_SUCCESS &&
--		    (client->sctx->keepresporder == NULL ||
-+		    (ns_g_server->keepresporder == NULL ||
- 		     !allowed(&netaddr, NULL, NULL, 0, NULL,
- 			      ns_g_server->keepresporder)))
- 		{
-@@ -3429,7 +3467,7 @@ client_accept(ns_client_t *client) {
- 	 * in named.conf. If we can't attach to it here, that means the TCP
- 	 * client quota has been exceeded.
- 	 */
--	result = isc_quota_attach(&client->sctx->tcpquota,
-+	result = isc_quota_attach(&ns_g_server->tcpquota,
- 				  &client->tcpquota);
- 	if (result != ISC_R_SUCCESS) {
- 			bool exit;
-@@ -3447,27 +3485,27 @@ client_accept(ns_client_t *client) {
- 			 * interface to be starved, with no clients able
- 			 * to accept new connections.
- 			 *
--			 * So, we check here to see if any other client
--			 * is already servicing TCP queries on this
-+			 * So, we check here to see if any other clients
-+			 * are already servicing TCP queries on this
- 			 * interface (whether accepting, reading, or
--			 * processing).
--			 *
--			 * If so, then it's okay *not* to call
--			 * accept - we can let this client to go inactive
--			 * and the other one handle the next connection
--			 * when it's ready.
-+			 * processing). If there are at least two
-+			 * (one reading and one processing a request)
-+			 * then it's okay *not* to call accept - we
-+			 * can let this client go inactive and another
-+			 * one will resume accepting when it's done.
- 			 *
--			 * But if not, then we need to be a little bit
--			 * flexible about the quota. We allow *one* extra
--			 * TCP client through, to ensure we're listening on
--			 * every interface.
-+			 * If there aren't enough active clients on the
-+			 * interface, then we can be a little bit
-+			 * flexible about the quota. We'll allow *one*
-+			 * extra client through to ensure we're listening
-+			 * on every interface.
- 			 *
--			 * (Note: In practice this means that the *real*
--			 * TCP client quota is tcp-clients plus the number
--			 * of interfaces.)
-+			 * (Note: In practice this means that the real
-+			 * TCP client quota is tcp-clients plus the
-+			 * number of listening interfaces plus 2.)
- 			 */
- 			LOCK(&client->interface->lock);
--			exit = (client->interface->ntcpactive > 0);
-+			exit = (client->interface->ntcpactive > 1);
- 			UNLOCK(&client->interface->lock);
- 
- 			if (exit) {
-@@ -3475,6 +3513,9 @@ client_accept(ns_client_t *client) {
- 				(void)exit_check(client);
- 				return;
- 			}
-+
-+	} else {
-+		client->tcpattached = true;
- 	}
- 
- 	/*
-@@ -3507,9 +3548,16 @@ client_accept(ns_client_t *client) {
- 		UNEXPECTED_ERROR(__FILE__, __LINE__,
- 				 "isc_socket_accept() failed: %s",
- 				 isc_result_totext(result));
--		if (client->tcpquota != NULL) {
--			isc_quota_detach(&client->tcpquota);
-+
-+		tcpquota_disconnect(client);
-+
-+		if (client->tcpactive) {
-+			LOCK(&client->interface->lock);
-+			client->interface->ntcpactive--;
-+			UNLOCK(&client->interface->lock);
-+			client->tcpactive = false;
- 		}
-+
- 		return;
- 	}
- 
-@@ -3527,13 +3575,12 @@ client_accept(ns_client_t *client) {
- 	 * once the connection is established.
- 	 *
- 	 * When the client object is shutting down after handling a TCP
--	 * request (see exit_check()), it looks to see whether this value is
--	 * non-zero. If so, that means another client has already called
--	 * accept() and is waiting to establish the next connection, which
--	 * means the first client is free to go inactive. Otherwise,
--	 * the first client must come back and call accept() again; this
--	 * guarantees there will always be at least one client listening
--	 * for new TCP connections on each interface.
-+	 * request (see exit_check()), if this value is at least one, that
-+	 * means another client has called accept() and is waiting to
-+	 * establish the next connection. That means the client may be
-+	 * be free to become inactive; otherwise it may need to start
-+	 * listening for connections itself to prevent the interface
-+	 * going dead.
- 	 */
- 	LOCK(&client->interface->lock);
- 	client->interface->ntcpaccepting++;
-@@ -3613,19 +3660,19 @@ ns_client_replace(ns_client_t *client) {
- 				    client->tcpsocket, client);
- 	} else {
- 		result = get_client(client->manager, client->interface,
--				    client->dispatch, tcp);
-+				    client->dispatch, client, tcp);
-+
-+		/*
-+		 * The responsibility for listening for new requests is hereby
-+		 * transferred to the new client.  Therefore, the old client
-+		 * should refrain from listening for any more requests.
-+		 */
-+		client->mortal = true;
- 	}
- 	if (result != ISC_R_SUCCESS) {
- 		return (result);
- 	}
- 
--	/*
--	 * The responsibility for listening for new requests is hereby
--	 * transferred to the new client.  Therefore, the old client
--	 * should refrain from listening for any more requests.
--	 */
--	client->mortal = true;
--
- 	return (ISC_R_SUCCESS);
- }
- 
-@@ -3759,7 +3806,7 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
- 
- static isc_result_t
- get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
--	   dns_dispatch_t *disp, bool tcp)
-+	   dns_dispatch_t *disp, ns_client_t *oldclient, bool tcp)
- {
- 	isc_result_t result = ISC_R_SUCCESS;
- 	isc_event_t *ev;
-@@ -3803,6 +3850,16 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
- 	client->dscp = ifp->dscp;
- 
- 	if (tcp) {
-+		client->tcpattached = false;
-+		if (oldclient != NULL) {
-+			client->tcpattached = oldclient->tcpattached;
-+		}
-+
-+		LOCK(&client->interface->lock);
-+		client->interface->ntcpactive++;
-+		UNLOCK(&client->interface->lock);
-+		client->tcpactive = true;
-+
- 		client->attributes |= NS_CLIENTATTR_TCP;
- 		isc_socket_attach(ifp->tcpsocket,
- 				  &client->tcplistener);
-@@ -3866,7 +3923,8 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
- 	ns_interface_attach(ifp, &client->interface);
- 	client->newstate = client->state = NS_CLIENTSTATE_WORKING;
- 	INSIST(client->recursionquota == NULL);
--	client->tcpquota = &client->sctx->tcpquota;
-+	client->tcpquota = &ns_g_server->tcpquota;
-+	client->tcpattached = oldclient->tcpattached;
- 
- 	client->dscp = ifp->dscp;
- 
-@@ -3885,7 +3943,6 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
- 	LOCK(&client->interface->lock);
- 	client->interface->ntcpactive++;
- 	UNLOCK(&client->interface->lock);
--
- 	client->tcpactive = true;
- 
- 	INSIST(client->tcpmsg_valid == false);
-@@ -3913,7 +3970,8 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
- 	MTRACE("createclients");
- 
- 	for (disp = 0; disp < n; disp++) {
--		result = get_client(manager, ifp, ifp->udpdispatch[disp], tcp);
-+		result = get_client(manager, ifp, ifp->udpdispatch[disp],
-+				    NULL, tcp);
- 		if (result != ISC_R_SUCCESS)
- 			break;
- 	}
-diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
-index aeed9ccdda..e2c40acd28 100644
---- a/bin/named/include/named/client.h
-+++ b/bin/named/include/named/client.h
-@@ -9,8 +9,6 @@
-  * information regarding copyright ownership.
-  */
- 
--/* $Id: client.h,v 1.96 2012/01/31 23:47:31 tbox Exp $ */
--
- #ifndef NAMED_CLIENT_H
- #define NAMED_CLIENT_H 1
- 
-@@ -136,6 +134,7 @@ struct ns_client {
- 	bool			pipelined;   /*%< TCP queries not in sequence */
- 	isc_refcount_t		*pipeline_refs;
- 	isc_quota_t		*tcpquota;
-+	bool			tcpattached;
- 	isc_quota_t		*recursionquota;
- 	ns_interface_t		*interface;
- 
--- 
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch b/meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch
deleted file mode 100644
index 987e75bc0e..0000000000
--- a/meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch
+++ /dev/null
@@ -1,911 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/c47ccf6]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From c47ccf630f147378568b33e8fdb7b754f228c346 Mon Sep 17 00:00:00 2001
-From: Evan Hunt <each@isc.org>
-Date: Fri, 5 Apr 2019 16:26:05 -0700
-Subject: [PATCH 5/6] refactor tcpquota and pipeline refs; allow special-case
- overrun in isc_quota
-
-- if the TCP quota has been exceeded but there are no clients listening
-  for new connections on the interface, we can now force attachment to the
-  quota using isc_quota_force(), instead of carrying on with the quota not
-  attached.
-- the TCP client quota is now referenced via a reference-counted
-  'ns_tcpconn' object, one of which is created whenever a client begins
-  listening for new connections, and attached to by members of that
-  client's pipeline group. when the last reference to the tcpconn
-  object is detached, it is freed and the TCP quota slot is released.
-- reduce code duplication by adding mark_tcp_active() function.
-- convert counters to atomic.
-
-(cherry picked from commit 7e8222378ca24f1302a0c1c638565050ab04681b)
-(cherry picked from commit 4939451275722bfda490ea86ca13e84f6bc71e46)
-(cherry picked from commit 13f7c918b8720d890408f678bd73c20e634539d9)
----
- bin/named/client.c                     | 444 +++++++++++--------------
- bin/named/include/named/client.h       |  12 +-
- bin/named/include/named/interfacemgr.h |   6 +-
- bin/named/interfacemgr.c               |   1 +
- lib/isc/include/isc/quota.h            |   7 +
- lib/isc/quota.c                        |  33 +-
- lib/isc/win32/libisc.def.in            |   1 +
- 7 files changed, 236 insertions(+), 268 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index 61e96dd28c..d826ab32bf 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -244,8 +244,7 @@ static void client_start(isc_task_t *task, isc_event_t *event);
- static void client_request(isc_task_t *task, isc_event_t *event);
- static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
- static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
--			       dns_dispatch_t *disp, ns_client_t *oldclient,
--			       bool tcp);
-+			       dns_dispatch_t *disp, bool tcp);
- static isc_result_t get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp,
- 			       isc_socket_t *sock, ns_client_t *oldclient);
- static inline bool
-@@ -301,16 +300,32 @@ ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
- }
- 
- /*%
-- * Allocate a reference counter that will track the number of client structures
-- * using the TCP connection that 'client' called accept() for.  This counter
-- * will be shared between all client structures associated with this TCP
-- * connection.
-+ * Allocate a reference-counted object that will maintain a single pointer to
-+ * the (also reference-counted) TCP client quota, shared between all the
-+ * clients processing queries on a single TCP connection, so that all
-+ * clients sharing the one socket will together consume only one slot in
-+ * the 'tcp-clients' quota.
-  */
--static void
--pipeline_init(ns_client_t *client) {
--	isc_refcount_t *refs;
-+static isc_result_t
-+tcpconn_init(ns_client_t *client, bool force) {
-+	isc_result_t result;
-+	isc_quota_t *quota = NULL;
-+	ns_tcpconn_t *tconn = NULL;
- 
--	REQUIRE(client->pipeline_refs == NULL);
-+	REQUIRE(client->tcpconn == NULL);
-+
-+	/*
-+	 * Try to attach to the quota first, so we won't pointlessly
-+	 * allocate memory for a tcpconn object if we can't get one.
-+	 */
-+	if (force) {
-+		result = isc_quota_force(&ns_g_server->tcpquota, &quota);
-+	} else {
-+		result = isc_quota_attach(&ns_g_server->tcpquota, &quota);
-+	}
-+	if (result != ISC_R_SUCCESS) {
-+		return (result);
-+	}
- 
- 	/*
- 	 * A global memory context is used for the allocation as different
-@@ -320,78 +335,80 @@ pipeline_init(ns_client_t *client) {
- 	 * contention here is expected to be negligible, given that this code
- 	 * is only executed for TCP connections.
- 	 */
--	refs = isc_mem_allocate(ns_g_mctx, sizeof(*refs));
--	isc_refcount_init(refs, 1);
--	client->pipeline_refs = refs;
-+	tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));
-+
-+	isc_refcount_init(&tconn->refs, 1);
-+	tconn->tcpquota = quota;
-+	quota = NULL;
-+	tconn->pipelined = false;
-+
-+	client->tcpconn = tconn;
-+
-+	return (ISC_R_SUCCESS);
- }
- 
- /*%
-- * Increase the count of client structures using the TCP connection that
-- * 'source' is associated with and put a pointer to that count in 'target',
-- * thus associating it with the same TCP connection.
-+ * Increase the count of client structures sharing the TCP connection
-+ * that 'source' is associated with; add a pointer to the same tcpconn
-+ * to 'target', thus associating it with the same TCP connection.
-  */
- static void
--pipeline_attach(ns_client_t *source, ns_client_t *target) {
-+tcpconn_attach(ns_client_t *source, ns_client_t *target) {
- 	int refs;
- 
--	REQUIRE(source->pipeline_refs != NULL);
--	REQUIRE(target->pipeline_refs == NULL);
-+	REQUIRE(source->tcpconn != NULL);
-+	REQUIRE(target->tcpconn == NULL);
-+	REQUIRE(source->tcpconn->pipelined);
- 
--	isc_refcount_increment(source->pipeline_refs, &refs);
-+	isc_refcount_increment(&source->tcpconn->refs, &refs);
- 	INSIST(refs > 1);
--	target->pipeline_refs = source->pipeline_refs;
-+	target->tcpconn = source->tcpconn;
- }
- 
- /*%
-- * Decrease the count of client structures using the TCP connection that
-+ * Decrease the count of client structures sharing the TCP connection that
-  * 'client' is associated with.  If this is the last client using this TCP
-- * connection, free the reference counter and return true; otherwise, return
-- * false.
-+ * connection, we detach from the TCP quota and free the tcpconn
-+ * object. Either way, client->tcpconn is set to NULL.
-  */
--static bool
--pipeline_detach(ns_client_t *client) {
--	isc_refcount_t *refcount;
-+static void
-+tcpconn_detach(ns_client_t *client) {
-+	ns_tcpconn_t *tconn = NULL;
- 	int refs;
- 
--	REQUIRE(client->pipeline_refs != NULL);
--
--	refcount = client->pipeline_refs;
--	client->pipeline_refs = NULL;
-+	REQUIRE(client->tcpconn != NULL);
- 
--	isc_refcount_decrement(refcount, refs);
-+	tconn = client->tcpconn;
-+	client->tcpconn = NULL;
- 
-+	isc_refcount_decrement(&tconn->refs, &refs);
- 	if (refs == 0) {
--		isc_mem_free(ns_g_mctx, refs);
--		return (true);
-+		isc_quota_detach(&tconn->tcpquota);
-+		isc_mem_free(ns_g_mctx, tconn);
- 	}
--
--	return (false);
- }
- 
--/*
-- * Detach a client from the TCP client quota if appropriate, and set
-- * the quota pointer to NULL.
-- *
-- * Sometimes when the TCP client quota is exhausted but there are no other
-- * clients servicing the interface, a client will be allowed to continue
-- * running despite not having been attached to the quota. In this event,
-- * the TCP quota was never attached to the client, so when the client (or
-- * associated pipeline group) shuts down, the quota must NOT be detached.
-+/*%
-+ * Mark a client as active and increment the interface's 'ntcpactive'
-+ * counter, as a signal that there is at least one client servicing
-+ * TCP queries for the interface. If we reach the TCP client quota at
-+ * some point, this will be used to determine whether a quota overrun
-+ * should be permitted.
-  *
-- * Otherwise, if the quota pointer is set, it should be detached. If not
-- * set at all, we just return without doing anything.
-+ * Marking the client active with the 'tcpactive' flag ensures proper
-+ * accounting, by preventing us from incrementing or decrementing
-+ * 'ntcpactive' more than once per client.
-  */
- static void
--tcpquota_disconnect(ns_client_t *client) {
--	if (client->tcpquota == NULL) {
--		return;
--	}
--
--	if (client->tcpattached) {
--		isc_quota_detach(&client->tcpquota);
--		client->tcpattached = false;
--	} else {
--		client->tcpquota = NULL;
-+mark_tcp_active(ns_client_t *client, bool active) {
-+	if (active && !client->tcpactive) {
-+		isc_atomic_xadd(&client->interface->ntcpactive, 1);
-+		client->tcpactive = active;
-+	} else if (!active && client->tcpactive) {
-+		uint32_t old =
-+			isc_atomic_xadd(&client->interface->ntcpactive, -1);
-+		INSIST(old > 0);
-+		client->tcpactive = active;
- 	}
- }
- 
-@@ -484,7 +501,8 @@ exit_check(ns_client_t *client) {
- 		INSIST(client->recursionquota == NULL);
- 
- 		if (NS_CLIENTSTATE_READING == client->newstate) {
--			if (!client->pipelined) {
-+			INSIST(client->tcpconn != NULL);
-+			if (!client->tcpconn->pipelined) {
- 				client_read(client);
- 				client->newstate = NS_CLIENTSTATE_MAX;
- 				return (true); /* We're done. */
-@@ -507,8 +525,8 @@ exit_check(ns_client_t *client) {
- 			dns_tcpmsg_cancelread(&client->tcpmsg);
- 		}
- 
--		if (client->nreads != 0) {
--			/* Still waiting for read cancel completion. */
-+		/* Still waiting for read cancel completion. */
-+		if (client->nreads > 0) {
- 			return (true);
- 		}
- 
-@@ -518,43 +536,45 @@ exit_check(ns_client_t *client) {
- 		}
- 
- 		/*
--		 * Detach from pipeline group and from TCP client quota,
--		 * if appropriate.
-+		 * Soon the client will be ready to accept a new TCP
-+		 * connection or UDP request, but we may have enough
-+		 * clients doing that already.  Check whether this client
-+		 * needs to remain active and allow it go inactive if
-+		 * not.
- 		 *
--		 * - If no pipeline group is active, attempt to
--		 *   detach from the TCP client quota.
-+		 * UDP clients always go inactive at this point, but a TCP
-+		 * client may need to stay active and return to READY
-+		 * state if no other clients are available to listen
-+		 * for TCP requests on this interface.
- 		 *
--		 * - If a pipeline group is active, detach from it;
--		 *   if the return code indicates that there no more
--		 *   clients left if this pipeline group, we also detach
--		 *   from the TCP client quota.
--		 *
--		 * - Otherwise we don't try to detach, we just set the
--		 *   TCP quota pointer to NULL if it wasn't NULL already.
--		 *
--		 * tcpquota_disconnect() will set tcpquota to NULL, either
--		 * by detaching it or by assignment, depending on the
--		 * needs of the client. See the comments on that function
--		 * for further information.
-+		 * Regardless, if we're going to FREED state, that means
-+		 * the system is shutting down and we don't need to
-+		 * retain clients.
- 		 */
--		if (client->pipeline_refs == NULL || pipeline_detach(client)) {
--			tcpquota_disconnect(client);
--		} else {
--			client->tcpquota = NULL;
--			client->tcpattached = false;
-+		if (client->mortal && TCP_CLIENT(client) &&
-+		    client->newstate != NS_CLIENTSTATE_FREED &&
-+		    !ns_g_clienttest &&
-+		    isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
-+		{
-+			/* Nobody else is accepting */
-+			client->mortal = false;
-+			client->newstate = NS_CLIENTSTATE_READY;
-+		}
-+
-+		/*
-+		 * Detach from TCP connection and TCP client quota,
-+		 * if appropriate. If this is the last reference to
-+		 * the TCP connection in our pipeline group, the
-+		 * TCP quota slot will be released.
-+		 */
-+		if (client->tcpconn) {
-+			tcpconn_detach(client);
- 		}
- 
- 		if (client->tcpsocket != NULL) {
- 			CTRACE("closetcp");
- 			isc_socket_detach(&client->tcpsocket);
--
--			if (client->tcpactive) {
--				LOCK(&client->interface->lock);
--				INSIST(client->interface->ntcpactive > 0);
--				client->interface->ntcpactive--;
--				UNLOCK(&client->interface->lock);
--				client->tcpactive = false;
--			}
-+			mark_tcp_active(client, false);
- 		}
- 
- 		if (client->timerset) {
-@@ -567,35 +587,6 @@ exit_check(ns_client_t *client) {
- 		client->peeraddr_valid = false;
- 
- 		client->state = NS_CLIENTSTATE_READY;
--		INSIST(client->recursionquota == NULL);
--
--		/*
--		 * Now the client is ready to accept a new TCP connection
--		 * or UDP request, but we may have enough clients doing
--		 * that already.  Check whether this client needs to remain
--		 * active and force it to go inactive if not.
--		 *
--		 * UDP clients go inactive at this point, but a TCP client
--		 * may need to remain active and go into ready state if
--		 * no other clients are available to listen for TCP
--		 * requests on this interface or (in the case of pipelined
--		 * clients) to read for additional messages on the current
--		 * connection.
--		 */
--		if (client->mortal && TCP_CLIENT(client) && !ns_g_clienttest) {
--			LOCK(&client->interface->lock);
--			if ((client->interface->ntcpaccepting == 0 ||
--			    (client->pipelined &&
--			     client->interface->ntcpactive < 2)) &&
--			    client->newstate != NS_CLIENTSTATE_FREED)
--			{
--				client->mortal = false;
--				client->newstate = NS_CLIENTSTATE_READY;
--			}
--			UNLOCK(&client->interface->lock);
--		}
--
--		client->pipelined = false;
- 
- 		/*
- 		 * We don't need the client; send it to the inactive
-@@ -630,7 +621,7 @@ exit_check(ns_client_t *client) {
- 		}
- 
- 		/* Still waiting for accept cancel completion. */
--		if (! (client->naccepts == 0)) {
-+		if (client->naccepts > 0) {
- 			return (true);
- 		}
- 
-@@ -641,7 +632,7 @@ exit_check(ns_client_t *client) {
- 		}
- 
- 		/* Still waiting for recv cancel completion. */
--		if (! (client->nrecvs == 0)) {
-+		if (client->nrecvs > 0) {
- 			return (true);
- 		}
- 
-@@ -654,14 +645,7 @@ exit_check(ns_client_t *client) {
- 		INSIST(client->recursionquota == NULL);
- 		if (client->tcplistener != NULL) {
- 			isc_socket_detach(&client->tcplistener);
--
--			if (client->tcpactive) {
--				LOCK(&client->interface->lock);
--				INSIST(client->interface->ntcpactive > 0);
--				client->interface->ntcpactive--;
--				UNLOCK(&client->interface->lock);
--				client->tcpactive = false;
--			}
-+			mark_tcp_active(client, false);
- 		}
- 		if (client->udpsocket != NULL) {
- 			isc_socket_detach(&client->udpsocket);
-@@ -816,7 +800,7 @@ client_start(isc_task_t *task, isc_event_t *event) {
- 		return;
- 
- 	if (TCP_CLIENT(client)) {
--		if (client->pipelined) {
-+		if (client->tcpconn != NULL) {
- 			client_read(client);
- 		} else {
- 			client_accept(client);
-@@ -2470,6 +2454,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
- 		client->nrecvs--;
- 	} else {
- 		INSIST(TCP_CLIENT(client));
-+		INSIST(client->tcpconn != NULL);
- 		REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
- 		REQUIRE(event->ev_sender == &client->tcpmsg);
- 		buffer = &client->tcpmsg.buffer;
-@@ -2657,17 +2642,19 @@ client_request(isc_task_t *task, isc_event_t *event) {
- 	/*
- 	 * Pipeline TCP query processing.
- 	 */
--	if (client->message->opcode != dns_opcode_query) {
--		client->pipelined = false;
-+	if (TCP_CLIENT(client) &&
-+	    client->message->opcode != dns_opcode_query)
-+	{
-+		client->tcpconn->pipelined = false;
- 	}
--	if (TCP_CLIENT(client) && client->pipelined) {
-+	if (TCP_CLIENT(client) && client->tcpconn->pipelined) {
- 		/*
- 		 * We're pipelining. Replace the client; the
--		 * the replacement can read the TCP socket looking
--		 * for new messages and this client can process the
-+		 * replacement can read the TCP socket looking
-+		 * for new messages and this one can process the
- 		 * current message asynchronously.
- 		 *
--		 * There are now at least three clients using this
-+		 * There will now be at least three clients using this
- 		 * TCP socket - one accepting new connections,
- 		 * one reading an existing connection to get new
- 		 * messages, and one answering the message already
-@@ -2675,7 +2662,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
- 		 */
- 		result = ns_client_replace(client);
- 		if (result != ISC_R_SUCCESS) {
--			client->pipelined = false;
-+			client->tcpconn->pipelined = false;
- 		}
- 	}
- 
-@@ -3233,10 +3220,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- 	client->signer = NULL;
- 	dns_name_init(&client->signername, NULL);
- 	client->mortal = false;
--	client->pipelined = false;
--	client->pipeline_refs = NULL;
--	client->tcpquota = NULL;
--	client->tcpattached = false;
-+	client->tcpconn = NULL;
- 	client->recursionquota = NULL;
- 	client->interface = NULL;
- 	client->peeraddr_valid = false;
-@@ -3341,9 +3325,10 @@ client_read(ns_client_t *client) {
- 
- static void
- client_newconn(isc_task_t *task, isc_event_t *event) {
-+	isc_result_t result;
- 	ns_client_t *client = event->ev_arg;
- 	isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
--	isc_result_t result;
-+	uint32_t old;
- 
- 	REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
- 	REQUIRE(NS_CLIENT_VALID(client));
-@@ -3363,10 +3348,8 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- 	INSIST(client->naccepts == 1);
- 	client->naccepts--;
- 
--	LOCK(&client->interface->lock);
--	INSIST(client->interface->ntcpaccepting > 0);
--	client->interface->ntcpaccepting--;
--	UNLOCK(&client->interface->lock);
-+	old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
-+	INSIST(old > 0);
- 
- 	/*
- 	 * We must take ownership of the new socket before the exit
-@@ -3399,7 +3382,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- 			      "accept failed: %s",
- 			      isc_result_totext(nevent->result));
--		tcpquota_disconnect(client);
-+		tcpconn_detach(client);
- 	}
- 
- 	if (exit_check(client))
-@@ -3437,15 +3420,13 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- 		 * telnetting to port 53 (once per CPU) will
- 		 * deny service to legitimate TCP clients.
- 		 */
--		client->pipelined = false;
- 		result = ns_client_replace(client);
- 		if (result == ISC_R_SUCCESS &&
- 		    (ns_g_server->keepresporder == NULL ||
- 		     !allowed(&netaddr, NULL, NULL, 0, NULL,
- 			      ns_g_server->keepresporder)))
- 		{
--			pipeline_init(client);
--			client->pipelined = true;
-+			client->tcpconn->pipelined = true;
- 		}
- 
- 		client_read(client);
-@@ -3462,78 +3443,59 @@ client_accept(ns_client_t *client) {
- 	CTRACE("accept");
- 
- 	/*
--	 * The tcpquota object can only be simultaneously referenced a
--	 * pre-defined number of times; this is configured by 'tcp-clients'
--	 * in named.conf. If we can't attach to it here, that means the TCP
--	 * client quota has been exceeded.
-+	 * Set up a new TCP connection. This means try to attach to the
-+	 * TCP client quota (tcp-clients), but fail if we're over quota.
- 	 */
--	result = isc_quota_attach(&ns_g_server->tcpquota,
--				  &client->tcpquota);
-+	result = tcpconn_init(client, false);
- 	if (result != ISC_R_SUCCESS) {
--			bool exit;
-+		bool exit;
- 
--			ns_client_log(client, NS_LOGCATEGORY_CLIENT,
--				      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
--				      "no more TCP clients: %s",
--				      isc_result_totext(result));
--
--			/*
--			 * We have exceeded the system-wide TCP client
--			 * quota.  But, we can't just block this accept
--			 * in all cases, because if we did, a heavy TCP
--			 * load on other interfaces might cause this
--			 * interface to be starved, with no clients able
--			 * to accept new connections.
--			 *
--			 * So, we check here to see if any other clients
--			 * are already servicing TCP queries on this
--			 * interface (whether accepting, reading, or
--			 * processing). If there are at least two
--			 * (one reading and one processing a request)
--			 * then it's okay *not* to call accept - we
--			 * can let this client go inactive and another
--			 * one will resume accepting when it's done.
--			 *
--			 * If there aren't enough active clients on the
--			 * interface, then we can be a little bit
--			 * flexible about the quota. We'll allow *one*
--			 * extra client through to ensure we're listening
--			 * on every interface.
--			 *
--			 * (Note: In practice this means that the real
--			 * TCP client quota is tcp-clients plus the
--			 * number of listening interfaces plus 2.)
--			 */
--			LOCK(&client->interface->lock);
--			exit = (client->interface->ntcpactive > 1);
--			UNLOCK(&client->interface->lock);
-+		ns_client_log(client, NS_LOGCATEGORY_CLIENT,
-+			      NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
-+			      "TCP client quota reached: %s",
-+			      isc_result_totext(result));
- 
--			if (exit) {
--				client->newstate = NS_CLIENTSTATE_INACTIVE;
--				(void)exit_check(client);
--				return;
--			}
-+		/*
-+		 * We have exceeded the system-wide TCP client quota.  But,
-+		 * we can't just block this accept in all cases, because if
-+		 * we did, a heavy TCP load on other interfaces might cause
-+		 * this interface to be starved, with no clients able to
-+		 * accept new connections.
-+		 *
-+		 * So, we check here to see if any other clients are
-+		 * already servicing TCP queries on this interface (whether
-+		 * accepting, reading, or processing). If we find at least
-+		 * one, then it's okay *not* to call accept - we can let this
-+		 * client go inactive and another will take over when it's
-+		 * done.
-+		 *
-+		 * If there aren't enough active clients on the interface,
-+		 * then we can be a little bit flexible about the quota.
-+		 * We'll allow *one* extra client through to ensure we're
-+		 * listening on every interface; we do this by setting the
-+		 * 'force' option to tcpconn_init().
-+		 *
-+		 * (Note: In practice this means that the real TCP client
-+		 * quota is tcp-clients plus the number of listening
-+		 * interfaces plus 1.)
-+		 */
-+		exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > 0);
-+		if (exit) {
-+			client->newstate = NS_CLIENTSTATE_INACTIVE;
-+			(void)exit_check(client);
-+			return;
-+		}
- 
--	} else {
--		client->tcpattached = true;
-+		result = tcpconn_init(client, true);
-+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
- 	}
- 
- 	/*
--	 * By incrementing the interface's ntcpactive counter we signal
--	 * that there is at least one client servicing TCP queries for the
--	 * interface.
--	 *
--	 * We also make note of the fact in the client itself with the
--	 * tcpactive flag. This ensures proper accounting by preventing
--	 * us from accidentally incrementing or decrementing ntcpactive
--	 * more than once per client object.
-+	 * If this client was set up using get_client() or get_worker(),
-+	 * then TCP is already marked active. However, if it was restarted
-+	 * from exit_check(), it might not be, so we take care of it now.
- 	 */
--	if (!client->tcpactive) {
--		LOCK(&client->interface->lock);
--		client->interface->ntcpactive++;
--		UNLOCK(&client->interface->lock);
--		client->tcpactive = true;
--	}
-+	mark_tcp_active(client, true);
- 
- 	result = isc_socket_accept(client->tcplistener, client->task,
- 				   client_newconn, client);
-@@ -3549,15 +3511,8 @@ client_accept(ns_client_t *client) {
- 				 "isc_socket_accept() failed: %s",
- 				 isc_result_totext(result));
- 
--		tcpquota_disconnect(client);
--
--		if (client->tcpactive) {
--			LOCK(&client->interface->lock);
--			client->interface->ntcpactive--;
--			UNLOCK(&client->interface->lock);
--			client->tcpactive = false;
--		}
--
-+		tcpconn_detach(client);
-+		mark_tcp_active(client, false);
- 		return;
- 	}
- 
-@@ -3582,9 +3537,7 @@ client_accept(ns_client_t *client) {
- 	 * listening for connections itself to prevent the interface
- 	 * going dead.
- 	 */
--	LOCK(&client->interface->lock);
--	client->interface->ntcpaccepting++;
--	UNLOCK(&client->interface->lock);
-+	isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
- }
- 
- static void
-@@ -3655,24 +3608,25 @@ ns_client_replace(ns_client_t *client) {
- 	REQUIRE(client->manager != NULL);
- 
- 	tcp = TCP_CLIENT(client);
--	if (tcp && client->pipelined) {
-+	if (tcp && client->tcpconn != NULL && client->tcpconn->pipelined) {
- 		result = get_worker(client->manager, client->interface,
- 				    client->tcpsocket, client);
- 	} else {
- 		result = get_client(client->manager, client->interface,
--				    client->dispatch, client, tcp);
-+				    client->dispatch, tcp);
- 
--		/*
--		 * The responsibility for listening for new requests is hereby
--		 * transferred to the new client.  Therefore, the old client
--		 * should refrain from listening for any more requests.
--		 */
--		client->mortal = true;
- 	}
- 	if (result != ISC_R_SUCCESS) {
- 		return (result);
- 	}
- 
-+	/*
-+	 * The responsibility for listening for new requests is hereby
-+	 * transferred to the new client.  Therefore, the old client
-+	 * should refrain from listening for any more requests.
-+	 */
-+	client->mortal = true;
-+
- 	return (ISC_R_SUCCESS);
- }
- 
-@@ -3806,7 +3760,7 @@ ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
- 
- static isc_result_t
- get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
--	   dns_dispatch_t *disp, ns_client_t *oldclient, bool tcp)
-+	   dns_dispatch_t *disp, bool tcp)
- {
- 	isc_result_t result = ISC_R_SUCCESS;
- 	isc_event_t *ev;
-@@ -3850,15 +3804,7 @@ get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
- 	client->dscp = ifp->dscp;
- 
- 	if (tcp) {
--		client->tcpattached = false;
--		if (oldclient != NULL) {
--			client->tcpattached = oldclient->tcpattached;
--		}
--
--		LOCK(&client->interface->lock);
--		client->interface->ntcpactive++;
--		UNLOCK(&client->interface->lock);
--		client->tcpactive = true;
-+		mark_tcp_active(client, true);
- 
- 		client->attributes |= NS_CLIENTATTR_TCP;
- 		isc_socket_attach(ifp->tcpsocket,
-@@ -3923,16 +3869,14 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
- 	ns_interface_attach(ifp, &client->interface);
- 	client->newstate = client->state = NS_CLIENTSTATE_WORKING;
- 	INSIST(client->recursionquota == NULL);
--	client->tcpquota = &ns_g_server->tcpquota;
--	client->tcpattached = oldclient->tcpattached;
- 
- 	client->dscp = ifp->dscp;
- 
- 	client->attributes |= NS_CLIENTATTR_TCP;
- 	client->mortal = true;
- 
--	pipeline_attach(oldclient, client);
--	client->pipelined = true;
-+	tcpconn_attach(oldclient, client);
-+	mark_tcp_active(client, true);
- 
- 	isc_socket_attach(ifp->tcpsocket, &client->tcplistener);
- 	isc_socket_attach(sock, &client->tcpsocket);
-@@ -3940,11 +3884,6 @@ get_worker(ns_clientmgr_t *manager, ns_interface_t *ifp, isc_socket_t *sock,
- 	(void)isc_socket_getpeername(client->tcpsocket, &client->peeraddr);
- 	client->peeraddr_valid = true;
- 
--	LOCK(&client->interface->lock);
--	client->interface->ntcpactive++;
--	UNLOCK(&client->interface->lock);
--	client->tcpactive = true;
--
- 	INSIST(client->tcpmsg_valid == false);
- 	dns_tcpmsg_init(client->mctx, client->tcpsocket, &client->tcpmsg);
- 	client->tcpmsg_valid = true;
-@@ -3970,8 +3909,7 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
- 	MTRACE("createclients");
- 
- 	for (disp = 0; disp < n; disp++) {
--		result = get_client(manager, ifp, ifp->udpdispatch[disp],
--				    NULL, tcp);
-+		result = get_client(manager, ifp, ifp->udpdispatch[disp], tcp);
- 		if (result != ISC_R_SUCCESS)
- 			break;
- 	}
-diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
-index e2c40acd28..969ee4c08f 100644
---- a/bin/named/include/named/client.h
-+++ b/bin/named/include/named/client.h
-@@ -78,6 +78,13 @@
-  *** Types
-  ***/
- 
-+/*% reference-counted TCP connection object */
-+typedef struct ns_tcpconn {
-+	isc_refcount_t		refs;
-+	isc_quota_t		*tcpquota;
-+	bool			pipelined;
-+} ns_tcpconn_t;
-+
- /*% nameserver client structure */
- struct ns_client {
- 	unsigned int		magic;
-@@ -131,10 +138,7 @@ struct ns_client {
- 	dns_name_t		signername;   /*%< [T]SIG key name */
- 	dns_name_t		*signer;      /*%< NULL if not valid sig */
- 	bool			mortal;	      /*%< Die after handling request */
--	bool			pipelined;   /*%< TCP queries not in sequence */
--	isc_refcount_t		*pipeline_refs;
--	isc_quota_t		*tcpquota;
--	bool			tcpattached;
-+	ns_tcpconn_t		*tcpconn;
- 	isc_quota_t		*recursionquota;
- 	ns_interface_t		*interface;
- 
-diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
-index 61b08826a6..3535ef22a8 100644
---- a/bin/named/include/named/interfacemgr.h
-+++ b/bin/named/include/named/interfacemgr.h
-@@ -9,8 +9,6 @@
-  * information regarding copyright ownership.
-  */
- 
--/* $Id: interfacemgr.h,v 1.35 2011/07/28 23:47:58 tbox Exp $ */
--
- #ifndef NAMED_INTERFACEMGR_H
- #define NAMED_INTERFACEMGR_H 1
- 
-@@ -77,11 +75,11 @@ struct ns_interface {
- 						/*%< UDP dispatchers. */
- 	isc_socket_t *		tcpsocket;	/*%< TCP socket. */
- 	isc_dscp_t		dscp;		/*%< "listen-on" DSCP value */
--	int			ntcpaccepting;	/*%< Number of clients
-+	int32_t			ntcpaccepting;	/*%< Number of clients
- 						     ready to accept new
- 						     TCP connections on this
- 						     interface */
--	int			ntcpactive;	/*%< Number of clients
-+	int32_t			ntcpactive;	/*%< Number of clients
- 						     servicing TCP queries
- 						     (whether accepting or
- 						     connected) */
-diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
-index 955096ef47..d9f6df5802 100644
---- a/bin/named/interfacemgr.c
-+++ b/bin/named/interfacemgr.c
-@@ -388,6 +388,7 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
- 	 */
- 	ifp->ntcpaccepting = 0;
- 	ifp->ntcpactive = 0;
-+
- 	ifp->nudpdispatch = 0;
- 
- 	ifp->dscp = -1;
-diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
-index b9bf59877a..36c5830242 100644
---- a/lib/isc/include/isc/quota.h
-+++ b/lib/isc/include/isc/quota.h
-@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
-  * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
-  */
- 
-+isc_result_t
-+isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
-+/*%<
-+ * Like isc_quota_attach, but will attach '*p' to the quota
-+ * even if the hard quota has been exceeded.
-+ */
-+
- void
- isc_quota_detach(isc_quota_t **p);
- /*%<
-diff --git a/lib/isc/quota.c b/lib/isc/quota.c
-index 3ddff0d875..556a61f21d 100644
---- a/lib/isc/quota.c
-+++ b/lib/isc/quota.c
-@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) {
- 	UNLOCK(&quota->lock);
- }
- 
--isc_result_t
--isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
--{
-+static isc_result_t
-+doattach(isc_quota_t *quota, isc_quota_t **p, bool force) {
- 	isc_result_t result;
--	INSIST(p != NULL && *p == NULL);
-+	REQUIRE(p != NULL && *p == NULL);
-+
- 	result = isc_quota_reserve(quota);
--	if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
-+	if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
-+		*p = quota;
-+	} else if (result == ISC_R_QUOTA && force) {
-+		/* attach anyway */
-+		LOCK(&quota->lock);
-+		quota->used++;
-+		UNLOCK(&quota->lock);
-+
- 		*p = quota;
-+		result = ISC_R_SUCCESS;
-+	}
-+
- 	return (result);
- }
- 
-+isc_result_t
-+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) {
-+	return (doattach(quota, p, false));
-+}
-+
-+isc_result_t
-+isc_quota_force(isc_quota_t *quota, isc_quota_t **p) {
-+	return (doattach(quota, p, true));
-+}
-+
- void
--isc_quota_detach(isc_quota_t **p)
--{
-+isc_quota_detach(isc_quota_t **p) {
- 	INSIST(p != NULL && *p != NULL);
- 	isc_quota_release(*p);
- 	*p = NULL;
-diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in
-index a82facec0f..7b9f23d776 100644
---- a/lib/isc/win32/libisc.def.in
-+++ b/lib/isc/win32/libisc.def.in
-@@ -519,6 +519,7 @@ isc_portset_removerange
- isc_quota_attach
- isc_quota_destroy
- isc_quota_detach
-+isc_quota_force
- isc_quota_init
- isc_quota_max
- isc_quota_release
--- 
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch b/meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch
deleted file mode 100644
index 3821d18501..0000000000
--- a/meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-Backport patch to fix CVE-2018-5743.
-
-Ref:
-https://security-tracker.debian.org/tracker/CVE-2018-5743
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/59434b9]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 59434b987e8eb436b08c24e559ee094c4e939daa Mon Sep 17 00:00:00 2001
-From: Evan Hunt <each@isc.org>
-Date: Fri, 5 Apr 2019 16:26:19 -0700
-Subject: [PATCH 6/6] restore allowance for tcp-clients < interfaces
-
-in the "refactor tcpquota and pipeline refs" commit, the counting
-of active interfaces was tightened in such a way that named could
-fail to listen on an interface if there were more interfaces than
-tcp-clients. when checking the quota to start accepting on an
-interface, if the number of active clients was above zero, then
-it was presumed that some other client was able to handle accepting
-new connections. this, however, ignored the fact that the current client
-could be included in that count, so if the quota was already exceeded
-before all the interfaces were listening, some interfaces would never
-listen.
-
-we now check whether the current client has been marked active; if so,
-then the number of active clients on the interface must be greater
-than 1, not 0.
-
-(cherry picked from commit 0b4e2cd4c3192ba88569dd344f542a8cc43742b5)
-(cherry picked from commit d01023aaac35543daffbdf48464e320150235d41)
----
- bin/named/client.c      | 8 +++++---
- doc/arm/Bv9ARM-book.xml | 3 ++-
- 2 files changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index d826ab32bf..845326abc0 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -3464,8 +3464,9 @@ client_accept(ns_client_t *client) {
- 		 *
- 		 * So, we check here to see if any other clients are
- 		 * already servicing TCP queries on this interface (whether
--		 * accepting, reading, or processing). If we find at least
--		 * one, then it's okay *not* to call accept - we can let this
-+		 * accepting, reading, or processing). If we find that at
-+		 * least one client other than this one is active, then
-+		 * it's okay *not* to call accept - we can let this
- 		 * client go inactive and another will take over when it's
- 		 * done.
- 		 *
-@@ -3479,7 +3480,8 @@ client_accept(ns_client_t *client) {
- 		 * quota is tcp-clients plus the number of listening
- 		 * interfaces plus 1.)
- 		 */
--		exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) > 0);
-+		exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
-+			(client->tcpactive ? 1 : 0));
- 		if (exit) {
- 			client->newstate = NS_CLIENTSTATE_INACTIVE;
- 			(void)exit_check(client);
-diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
-index 381768d540..9c76d3cd6f 100644
---- a/doc/arm/Bv9ARM-book.xml
-+++ b/doc/arm/Bv9ARM-book.xml
-@@ -8493,7 +8493,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
- 		<para>
- 		  The number of file descriptors reserved for TCP, stdio,
- 		  etc.  This needs to be big enough to cover the number of
--		  interfaces <command>named</command> listens on, <command>tcp-clients</command> as well as
-+		  interfaces <command>named</command> listens on plus
-+		  <command>tcp-clients</command>, as well as
- 		  to provide room for outgoing TCP queries and incoming zone
- 		  transfers.  The default is <literal>512</literal>.
- 		  The minimum value is <literal>128</literal> and the
--- 
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/0007-Replace-atomic-operations-in-bin-named-client.c-with.patch b/meta/recipes-connectivity/bind/bind/0007-Replace-atomic-operations-in-bin-named-client.c-with.patch
deleted file mode 100644
index 1a84eca58a..0000000000
--- a/meta/recipes-connectivity/bind/bind/0007-Replace-atomic-operations-in-bin-named-client.c-with.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-Backport commit to fix compile error on arm caused by commits which are
-to fix CVE-2018-5743.
-
-CVE: CVE-2018-5743
-Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/ef49780]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From ef49780d30d3ddc5735cfc32561b678a634fa72f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
-Date: Wed, 17 Apr 2019 15:22:27 +0200
-Subject: [PATCH] Replace atomic operations in bin/named/client.c with
- isc_refcount reference counting
-
----
- bin/named/client.c                     | 18 +++++++-----------
- bin/named/include/named/interfacemgr.h |  5 +++--
- bin/named/interfacemgr.c               |  7 +++++--
- 3 files changed, 15 insertions(+), 15 deletions(-)
-
-diff --git a/bin/named/client.c b/bin/named/client.c
-index 845326abc0..29fecadca8 100644
---- a/bin/named/client.c
-+++ b/bin/named/client.c
-@@ -402,12 +402,10 @@ tcpconn_detach(ns_client_t *client) {
- static void
- mark_tcp_active(ns_client_t *client, bool active) {
- 	if (active && !client->tcpactive) {
--		isc_atomic_xadd(&client->interface->ntcpactive, 1);
-+		isc_refcount_increment0(&client->interface->ntcpactive, NULL);
- 		client->tcpactive = active;
- 	} else if (!active && client->tcpactive) {
--		uint32_t old =
--			isc_atomic_xadd(&client->interface->ntcpactive, -1);
--		INSIST(old > 0);
-+		isc_refcount_decrement(&client->interface->ntcpactive, NULL);
- 		client->tcpactive = active;
- 	}
- }
-@@ -554,7 +552,7 @@ exit_check(ns_client_t *client) {
- 		if (client->mortal && TCP_CLIENT(client) &&
- 		    client->newstate != NS_CLIENTSTATE_FREED &&
- 		    !ns_g_clienttest &&
--		    isc_atomic_xadd(&client->interface->ntcpaccepting, 0) == 0)
-+		    isc_refcount_current(&client->interface->ntcpaccepting) == 0)
- 		{
- 			/* Nobody else is accepting */
- 			client->mortal = false;
-@@ -3328,7 +3326,6 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- 	isc_result_t result;
- 	ns_client_t *client = event->ev_arg;
- 	isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
--	uint32_t old;
- 
- 	REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
- 	REQUIRE(NS_CLIENT_VALID(client));
-@@ -3348,8 +3345,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
- 	INSIST(client->naccepts == 1);
- 	client->naccepts--;
- 
--	old = isc_atomic_xadd(&client->interface->ntcpaccepting, -1);
--	INSIST(old > 0);
-+	isc_refcount_decrement(&client->interface->ntcpaccepting, NULL);
- 
- 	/*
- 	 * We must take ownership of the new socket before the exit
-@@ -3480,8 +3476,8 @@ client_accept(ns_client_t *client) {
- 		 * quota is tcp-clients plus the number of listening
- 		 * interfaces plus 1.)
- 		 */
--		exit = (isc_atomic_xadd(&client->interface->ntcpactive, 0) >
--			(client->tcpactive ? 1 : 0));
-+		exit = (isc_refcount_current(&client->interface->ntcpactive) >
-+			(client->tcpactive ? 1U : 0U));
- 		if (exit) {
- 			client->newstate = NS_CLIENTSTATE_INACTIVE;
- 			(void)exit_check(client);
-@@ -3539,7 +3535,7 @@ client_accept(ns_client_t *client) {
- 	 * listening for connections itself to prevent the interface
- 	 * going dead.
- 	 */
--	isc_atomic_xadd(&client->interface->ntcpaccepting, 1);
-+	isc_refcount_increment0(&client->interface->ntcpaccepting, NULL);
- }
- 
- static void
-diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
-index 3535ef22a8..6e10f210fd 100644
---- a/bin/named/include/named/interfacemgr.h
-+++ b/bin/named/include/named/interfacemgr.h
-@@ -45,6 +45,7 @@
- #include <isc/magic.h>
- #include <isc/mem.h>
- #include <isc/socket.h>
-+#include <isc/refcount.h>
- 
- #include <dns/result.h>
- 
-@@ -75,11 +76,11 @@ struct ns_interface {
- 						/*%< UDP dispatchers. */
- 	isc_socket_t *		tcpsocket;	/*%< TCP socket. */
- 	isc_dscp_t		dscp;		/*%< "listen-on" DSCP value */
--	int32_t			ntcpaccepting;	/*%< Number of clients
-+	isc_refcount_t		ntcpaccepting;	/*%< Number of clients
- 						     ready to accept new
- 						     TCP connections on this
- 						     interface */
--	int32_t			ntcpactive;	/*%< Number of clients
-+	isc_refcount_t		ntcpactive;	/*%< Number of clients
- 						     servicing TCP queries
- 						     (whether accepting or
- 						     connected) */
-diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
-index d9f6df5802..135533be6b 100644
---- a/bin/named/interfacemgr.c
-+++ b/bin/named/interfacemgr.c
-@@ -386,8 +386,8 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
- 	 * connections will be handled in parallel even though there is
- 	 * only one client initially.
- 	 */
--	ifp->ntcpaccepting = 0;
--	ifp->ntcpactive = 0;
-+	isc_refcount_init(&ifp->ntcpaccepting, 0);
-+	isc_refcount_init(&ifp->ntcpactive, 0);
- 
- 	ifp->nudpdispatch = 0;
- 
-@@ -618,6 +618,9 @@ ns_interface_destroy(ns_interface_t *ifp) {
- 
- 	ns_interfacemgr_detach(&ifp->mgr);
- 
-+	isc_refcount_destroy(&ifp->ntcpactive);
-+	isc_refcount_destroy(&ifp->ntcpaccepting);
-+
- 	ifp->magic = 0;
- 	isc_mem_put(mctx, ifp, sizeof(*ifp));
- }
--- 
-2.20.1
-
diff --git a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
index 37e210e6da..38d07cae39 100644
--- a/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
+++ b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch
@@ -1,4 +1,4 @@
-From 9473d29843579802e96b0293a3e953fed93de82c Mon Sep 17 00:00:00 2001
+From 5ae30329f168c1e8d2e0c3831988a4f3e9096e39 Mon Sep 17 00:00:00 2001
 From: Paul Gortmaker <paul.gortmaker@windriver.com>
 Date: Tue, 9 Jun 2015 11:22:00 -0400
 Subject: [PATCH] bind: ensure searching for json headers searches sysroot
@@ -27,20 +27,21 @@ to make use of the combination some day.
 
 Upstream-Status: Inappropriate [OE Specific]
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
 ---
- configure.in | 2 +-
+ configure.ac | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-Index: bind-9.11.3/configure.in
-===================================================================
---- bind-9.11.3.orig/configure.in
-+++ bind-9.11.3/configure.in
-@@ -2574,7 +2574,7 @@ case "$use_libjson" in
- 		libjson_libs=""
- 		;;
- 	auto|yes)
--		for d in /usr /usr/local /opt/local
-+		for d in "${STAGING_INCDIR}"
- 		do
- 			if test -f "${d}/include/json/json.h"
- 			then
+diff --git a/configure.ac b/configure.ac
+index 2ab8ddd..92fe983 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -761,7 +761,7 @@ AS_CASE([$with_lmdb],
+ 	[no],[],
+ 	[auto|yes], [PKG_CHECK_MODULES([LMDB], [lmdb],
+ 				       [ac_lib_lmdb_found=yes],
+-				       [for ac_lib_lmdb_path in /usr /usr/local /opt /opt/local; do
++				       [for ac_lib_lmdb_path in "${STAGING_INCDIR}"; do
+ 						AX_LIB_LMDB([$ac_lib_lmdb_path],
+ 							    [ac_lib_lmdb_found=yes
+ 							     break])
diff --git a/meta/recipes-connectivity/bind/bind/conf.patch b/meta/recipes-connectivity/bind/bind/conf.patch
index aad345f9fc..aa3642acec 100644
--- a/meta/recipes-connectivity/bind/bind/conf.patch
+++ b/meta/recipes-connectivity/bind/bind/conf.patch
@@ -276,7 +276,7 @@ diff -urN bind-9.3.1.orig/init.d bind-9.3.1/init.d
 +
 +	modprobe capability >/dev/null 2>&1 || true
 +	if [ ! -f /etc/bind/rndc.key ]; then
-+	    /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
++	    /usr/sbin/rndc-confgen -a -b 512
 +	    chmod 0640 /etc/bind/rndc.key
 +	fi
 +	if [ -f /var/run/named/named.pid ]; then
diff --git a/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh
index ef915c0ae5..633e29c0e6 100644
--- a/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh
+++ b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh
@@ -2,7 +2,7 @@
 
 if [ ! -s /etc/bind/rndc.key ]; then
     echo -n "Generating /etc/bind/rndc.key:"
-    /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
+    /usr/sbin/rndc-confgen -a -b 512
     chown root:bind /etc/bind/rndc.key
     chmod 0640 /etc/bind/rndc.key
 fi
diff --git a/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb b/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
deleted file mode 100644
index 3e2412dfa4..0000000000
--- a/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
+++ /dev/null
@@ -1,145 +0,0 @@
-SUMMARY = "ISC Internet Domain Name Server"
-HOMEPAGE = "http://www.isc.org/sw/bind/"
-SECTION = "console/network"
-
-LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=8f17f64e47e83b60cd920a1e4b54419e"
-
-DEPENDS = "openssl libcap zlib"
-
-SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
-           file://conf.patch \
-           file://named.service \
-           file://bind9 \
-           file://generate-rndc-key.sh \
-           file://make-etc-initd-bind-stop-work.patch \
-           file://init.d-add-support-for-read-only-rootfs.patch \
-           file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
-           file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \
-           file://0001-lib-dns-gen.c-fix-too-long-error.patch \
-           file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
-           file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
-           file://0001-avoid-start-failure-with-bind-user.patch \
-           file://0001-bind-fix-CVE-2019-6471.patch \
-           file://0001-fix-enforcement-of-tcp-clients-v1.patch \
-           file://0002-tcp-clients-could-still-be-exceeded-v2.patch \
-           file://0003-use-reference-counter-for-pipeline-groups-v3.patch \
-           file://0004-better-tcpquota-accounting-and-client-mortality-chec.patch \
-           file://0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch \
-           file://0006-restore-allowance-for-tcp-clients-interfaces.patch \
-           file://0007-Replace-atomic-operations-in-bin-named-client.c-with.patch \
-"
-
-SRC_URI[md5sum] = "8ddab4b61fa4516fe404679c74e37960"
-SRC_URI[sha256sum] = "7e8c08192bcbaeb6e9f2391a70e67583b027b90e8c4bc1605da6eb126edde434"
-
-UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
-# stay at 9.11 until 9.16, from 9.16 follow the ESV versions divisible by 4
-UPSTREAM_CHECK_REGEX = "(?P<pver>9.(11|16|20|24|28)(\.\d+)+(-P\d+)*)/"
-
-inherit autotools update-rc.d systemd useradd pkgconfig multilib_script
-
-MULTILIB_SCRIPTS = "${PN}:${bindir}/bind9-config ${PN}:${bindir}/isc-config.sh"
-
-# PACKAGECONFIGs readline and libedit should NOT be set at same time
-PACKAGECONFIG ?= "readline"
-PACKAGECONFIG[httpstats] = "--with-libxml2=${STAGING_DIR_HOST}${prefix},--without-libxml2,libxml2"
-PACKAGECONFIG[readline] = "--with-readline=-lreadline,,readline"
-PACKAGECONFIG[libedit] = "--with-readline=-ledit,,libedit"
-PACKAGECONFIG[urandom] = "--with-randomdev=/dev/urandom,--with-randomdev=/dev/random,,"
-PACKAGECONFIG[python3] = "--with-python=yes --with-python-install-dir=${PYTHON_SITEPACKAGES_DIR} , --without-python, python3-ply-native,"
-
-ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}"
-EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
-                 --disable-devpoll --enable-epoll --with-gost=no \
-                 --with-gssapi=no --with-ecdsa=yes --with-eddsa=no \
-                 --with-lmdb=no \
-                 --sysconfdir=${sysconfdir}/bind \
-                 --with-openssl=${STAGING_DIR_HOST}${prefix} \
-               "
-
-inherit ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native distutils3-base', '', d)}
-
-# dhcp needs .la so keep them
-REMOVE_LIBTOOL_LA = "0"
-
-USERADD_PACKAGES = "${PN}"
-USERADD_PARAM_${PN} = "--system --home ${localstatedir}/cache/bind --no-create-home \
-                       --user-group bind"
-
-INITSCRIPT_NAME = "bind"
-INITSCRIPT_PARAMS = "defaults"
-
-SYSTEMD_SERVICE_${PN} = "named.service"
-
-do_install_prepend() {
-	# clean host path in isc-config.sh before the hardlink created
-	# by "make install":
-	#   bind9-config -> isc-config.sh
-	sed -i -e "s,${STAGING_LIBDIR},${libdir}," ${B}/isc-config.sh
-}
-
-do_install_append() {
-
-	rmdir "${D}${localstatedir}/run"
-	rmdir --ignore-fail-on-non-empty "${D}${localstatedir}"
-	install -d -o bind "${D}${localstatedir}/cache/bind"
-	install -d "${D}${sysconfdir}/bind"
-	install -d "${D}${sysconfdir}/init.d"
-	install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/"
-	install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind"
-        if ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'true', 'false', d)}; then
-		sed -i -e '1s,#!.*python3,#! /usr/bin/python3,' \
-		${D}${sbindir}/dnssec-coverage \
-		${D}${sbindir}/dnssec-checkds \
-		${D}${sbindir}/dnssec-keymgr
-	fi
-
-	# Install systemd related files
-	install -d ${D}${sbindir}
-	install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir}
-	install -d ${D}${systemd_unitdir}/system
-	install -m 0644 ${WORKDIR}/named.service ${D}${systemd_unitdir}/system
-	sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
-	       -e 's,@SBINDIR@,${sbindir},g' \
-	       ${D}${systemd_unitdir}/system/named.service
-
-	install -d ${D}${sysconfdir}/default
-	install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default
-
-	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-		install -d ${D}${sysconfdir}/tmpfiles.d
-		echo "d /run/named 0755 bind bind - -" > ${D}${sysconfdir}/tmpfiles.d/bind.conf
-	fi
-}
-
-CONFFILES_${PN} = " \
-	${sysconfdir}/bind/named.conf \
-	${sysconfdir}/bind/named.conf.local \
-	${sysconfdir}/bind/named.conf.options \
-	${sysconfdir}/bind/db.0 \
-	${sysconfdir}/bind/db.127 \
-	${sysconfdir}/bind/db.empty \
-	${sysconfdir}/bind/db.local \
-	${sysconfdir}/bind/db.root \
-	"
-
-ALTERNATIVE_${PN}-utils = "nslookup"
-ALTERNATIVE_LINK_NAME[nslookup] = "${bindir}/nslookup"
-ALTERNATIVE_PRIORITY = "100"
-
-PACKAGE_BEFORE_PN += "${PN}-utils"
-FILES_${PN}-utils = "${bindir}/host ${bindir}/dig ${bindir}/mdig ${bindir}/nslookup ${bindir}/nsupdate"
-FILES_${PN}-dev += "${bindir}/isc-config.h"
-FILES_${PN} += "${sbindir}/generate-rndc-key.sh"
-
-PACKAGE_BEFORE_PN += "${PN}-libs"
-FILES_${PN}-libs = "${libdir}/*.so*"
-FILES_${PN}-staticdev += "${libdir}/*.la"
-
-PACKAGE_BEFORE_PN += "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3-bind', '', d)}"
-FILES_python3-bind = "${sbindir}/dnssec-coverage ${sbindir}/dnssec-checkds \
-                ${sbindir}/dnssec-keymgr ${PYTHON_SITEPACKAGES_DIR}"
-
-RDEPENDS_${PN}-dev = ""
-RDEPENDS_python3-bind = "python3-core python3-ply"
diff --git a/meta/recipes-connectivity/bind/bind_9.18.25.bb b/meta/recipes-connectivity/bind/bind_9.18.25.bb
new file mode 100644
index 0000000000..cc35604aba
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind_9.18.25.bb
@@ -0,0 +1,113 @@
+SUMMARY = "ISC Internet Domain Name Server"
+HOMEPAGE = "https://www.isc.org/bind/"
+DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system"
+SECTION = "console/network"
+
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c7a0b6d9a1b692a5da9af9d503671f43"
+
+DEPENDS = "openssl libcap zlib libuv"
+
+SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
+           file://conf.patch \
+           file://named.service \
+           file://bind9 \
+           file://generate-rndc-key.sh \
+           file://make-etc-initd-bind-stop-work.patch \
+           file://init.d-add-support-for-read-only-rootfs.patch \
+           file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
+           file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
+           file://0001-avoid-start-failure-with-bind-user.patch \
+           "
+
+SRC_URI[sha256sum] = "5a4a70432a33d009f0e6e9dbb328aae7a5e27507e98e28bf3c0c6b250ccb2ab3"
+
+UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
+# follow the ESV versions divisible by 2
+UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
+
+# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
+# so the issue doesn't affect us.
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
+
+inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
+
+# PACKAGECONFIGs readline and libedit should NOT be set at same time
+PACKAGECONFIG ?= "readline"
+PACKAGECONFIG[httpstats] = "--with-libxml2=${STAGING_DIR_HOST}${prefix},--without-libxml2,libxml2"
+PACKAGECONFIG[readline] = "--with-readline=readline,,readline"
+PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit"
+PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2"
+
+EXTRA_OECONF = " --disable-auto-validation \
+                 --with-gssapi=no --with-lmdb=no --with-zlib \
+                 --sysconfdir=${sysconfdir}/bind \
+                 --with-openssl=${STAGING_DIR_HOST}${prefix} \
+               "
+LDFLAGS:append = " -lz"
+
+# dhcp needs .la so keep them
+REMOVE_LIBTOOL_LA = "0"
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM:${PN} = "--system --home ${localstatedir}/cache/bind --no-create-home \
+                       --user-group bind"
+
+INITSCRIPT_NAME = "bind"
+INITSCRIPT_PARAMS = "defaults"
+
+SYSTEMD_SERVICE:${PN} = "named.service"
+
+do_install:append() {
+
+	install -d -o bind "${D}${localstatedir}/cache/bind"
+	install -d "${D}${sysconfdir}/bind"
+	install -d "${D}${sysconfdir}/init.d"
+	install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/"
+	install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind"
+
+	# Install systemd related files
+	install -d ${D}${sbindir}
+	install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir}
+	install -d ${D}${systemd_system_unitdir}
+	install -m 0644 ${WORKDIR}/named.service ${D}${systemd_system_unitdir}
+	sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
+	       -e 's,@SBINDIR@,${sbindir},g' \
+	       ${D}${systemd_system_unitdir}/named.service
+
+	install -d ${D}${sysconfdir}/default
+	install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default
+
+	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+		install -d ${D}${sysconfdir}/tmpfiles.d
+		echo "d /run/named 0755 bind bind - -" > ${D}${sysconfdir}/tmpfiles.d/bind.conf
+	fi
+}
+
+CONFFILES:${PN} = " \
+	${sysconfdir}/bind/named.conf \
+	${sysconfdir}/bind/named.conf.local \
+	${sysconfdir}/bind/named.conf.options \
+	${sysconfdir}/bind/db.0 \
+	${sysconfdir}/bind/db.127 \
+	${sysconfdir}/bind/db.empty \
+	${sysconfdir}/bind/db.local \
+	${sysconfdir}/bind/db.root \
+	"
+
+ALTERNATIVE:${PN}-utils = "nslookup"
+ALTERNATIVE_LINK_NAME[nslookup] = "${bindir}/nslookup"
+ALTERNATIVE_PRIORITY = "100"
+
+PACKAGE_BEFORE_PN += "${PN}-utils"
+FILES:${PN}-utils = "${bindir}/host ${bindir}/dig ${bindir}/mdig ${bindir}/nslookup ${bindir}/nsupdate"
+FILES:${PN}-dev += "${bindir}/isc-config.h"
+FILES:${PN} += "${sbindir}/generate-rndc-key.sh"
+
+PACKAGE_BEFORE_PN += "${PN}-libs"
+# special arrangement below due to
+# https://github.com/isc-projects/bind9/commit/0e25af628cd776f98c04fc4cc59048f5448f6c88
+FILES_SOLIBSDEV = "${libdir}/*[!0-9].so ${libdir}/libbind9.so"
+FILES:${PN}-libs = "${libdir}/named/*.so* ${libdir}/*-${PV}.so"
+
+DEV_PKG_DEPENDENCY = ""
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 1702323288..a31d7076ba 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -2,15 +2,16 @@ SUMMARY = "Linux Bluetooth Stack Userland V5"
 DESCRIPTION = "Linux Bluetooth stack V5 userland components.  These include a system configurations, daemons, tools and system libraries."
 HOMEPAGE = "http://www.bluez.org"
 SECTION = "libs"
-LICENSE = "GPLv2+ & LGPLv2.1+"
+LICENSE = "GPL-2.0-or-later & LGPL-2.1-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
                     file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \
-                    file://src/main.c;beginline=1;endline=24;md5=9bc54b93cd7e17bf03f52513f39f926e"
+                    file://src/main.c;beginline=1;endline=24;md5=0ad83ca0dc37ab08af448777c581e7ac"
 DEPENDS = "dbus glib-2.0"
+RDEPENDS:${PN} += "dbus"
 PROVIDES += "bluez-hcidump"
-RPROVIDES_${PN} += "bluez-hcidump"
+RPROVIDES:${PN} += "bluez-hcidump"
 
-RCONFLICTS_${PN} = "bluez4"
+RCONFLICTS:${PN} = "bluez4"
 
 PACKAGECONFIG ??= "obex-profiles \
     readline \
@@ -42,36 +43,35 @@ PACKAGECONFIG[sixaxis] = "--enable-sixaxis,--disable-sixaxis"
 PACKAGECONFIG[tools] = "--enable-tools,--disable-tools"
 PACKAGECONFIG[threads] = "--enable-threads,--disable-threads"
 PACKAGECONFIG[deprecated] = "--enable-deprecated,--disable-deprecated"
-PACKAGECONFIG[mesh] = "--enable-mesh,--disable-mesh, json-c ell"
-PACKAGECONFIG[btpclient] = "--enable-btpclient,--disable-btpclient, ell"
+PACKAGECONFIG[mesh] = "--enable-mesh --enable-external-ell,--disable-mesh, json-c ell"
+PACKAGECONFIG[btpclient] = "--enable-btpclient --enable-external-ell,--disable-btpclient, ell"
 PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,udev"
-
-SRC_URI = "\
-    ${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
-    file://out-of-tree.patch \
-    file://init \
-    file://run-ptest \
-    ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
-    file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
-    file://0001-test-gatt-Fix-hung-issue.patch \
-    file://0001-Makefile.am-Fix-a-race-issue-for-tools.patch \
-    file://CVE-2018-10910.patch \
-    file://gcc9-fixes.patch \
-    file://0001-tools-Fix-build-after-y2038-changes-in-glibc.patch \
-    file://0001-tools-btpclient.c-include-signal.h.patch \
-"
+PACKAGECONFIG[manpages] = "--enable-manpages,--disable-manpages,python3-docutils-native"
+
+SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
+           file://init \
+           file://run-ptest \
+           ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
+           file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
+           file://0001-test-gatt-Fix-hung-issue.patch \
+           file://0004-src-shared-util.c-include-linux-limits.h.patch \
+           "
 S = "${WORKDIR}/bluez-${PV}"
 
 CVE_PRODUCT = "bluez"
 
-inherit autotools pkgconfig systemd update-rc.d distro_features_check ptest gobject-introspection-data
+inherit autotools pkgconfig systemd update-rc.d ptest gobject-introspection-data
 
 EXTRA_OECONF = "\
   --enable-test \
   --enable-datafiles \
   --enable-library \
+  --enable-pie  \
+  --without-zsh-completion-dir \
 "
 
+CFLAGS += "-DFIRMWARE_DIR=\\"${nonarch_base_libdir}/firmware\\""
+
 # bluez5 builds a large number of useful utilities but does not
 # install them.  Specify which ones we want put into ${PN}-noinst-tools.
 NOINST_TOOLS_READLINE ??= ""
@@ -83,18 +83,10 @@ NOINST_TOOLS = " \
     ${@bb.utils.contains('PACKAGECONFIG', 'tools', '${NOINST_TOOLS_BT}', '', d)} \
 "
 
-do_install_append() {
+do_install:append() {
 	install -d ${D}${INIT_D_DIR}
 	install -m 0755 ${WORKDIR}/init ${D}${INIT_D_DIR}/bluetooth
 
-	install -d ${D}${sysconfdir}/bluetooth/
-	if [ -f ${S}/profiles/network/network.conf ]; then
-		install -m 0644 ${S}/profiles/network/network.conf ${D}/${sysconfdir}/bluetooth/
-	fi
-	if [ -f ${S}/profiles/input/input.conf ]; then
-		install -m 0644 ${S}/profiles/input/input.conf ${D}/${sysconfdir}/bluetooth/
-	fi
-
 	if [ -f ${D}/${sysconfdir}/init.d/bluetooth ]; then
 		sed -i -e 's#@LIBEXECDIR@#${libexecdir}#g' ${D}/${sysconfdir}/init.d/bluetooth
 	fi
@@ -111,25 +103,25 @@ do_install_append() {
 
 PACKAGES =+ "${PN}-testtools ${PN}-obex ${PN}-noinst-tools"
 
-FILES_${PN} += " \
+FILES:${PN} += " \
     ${libdir}/bluetooth/plugins/*.so \
     ${systemd_unitdir}/ ${datadir}/dbus-1 \
     ${libdir}/cups \
 "
-FILES_${PN}-dev += " \
+FILES:${PN}-dev += " \
     ${libdir}/bluetooth/plugins/*.la \
 "
 
-FILES_${PN}-obex = "${libexecdir}/bluetooth/obexd \
+FILES:${PN}-obex = "${libexecdir}/bluetooth/obexd \
                     ${exec_prefix}/lib/systemd/user/obex.service \
                     ${systemd_system_unitdir}/obex.service \
                     ${sysconfdir}/systemd/system/multi-user.target.wants/obex.service \
                     ${datadir}/dbus-1/services/org.bluez.obex.service \
                     ${sysconfdir}/dbus-1/system.d/obexd.conf \
                    "
-SYSTEMD_SERVICE_${PN}-obex = "obex.service"
+SYSTEMD_SERVICE:${PN}-obex = "obex.service"
 
-FILES_${PN}-testtools = "${libdir}/bluez/test/*"
+FILES:${PN}-testtools = "${libdir}/bluez/test/*"
 
 def get_noinst_tools_paths (d, bb, tools):
     s = list()
@@ -139,14 +131,14 @@ def get_noinst_tools_paths (d, bb, tools):
         s.append("%s/%s" % (bindir, f))
     return "\n".join(s)
 
-FILES_${PN}-noinst-tools = "${@get_noinst_tools_paths(d, bb, d.getVar('NOINST_TOOLS'))}"
+FILES:${PN}-noinst-tools = "${@get_noinst_tools_paths(d, bb, d.getVar('NOINST_TOOLS'))}"
 
-RDEPENDS_${PN}-testtools += "python3-core python3-dbus"
-RDEPENDS_${PN}-testtools += "${@bb.utils.contains('GI_DATA_ENABLED', 'True', 'python3-pygobject', '', d)}"
+RDEPENDS:${PN}-testtools += "python3-core python3-dbus"
+RDEPENDS:${PN}-testtools += "${@bb.utils.contains('GI_DATA_ENABLED', 'True', 'python3-pygobject', '', d)}"
 
-SYSTEMD_SERVICE_${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'bluetooth.service', '', d)}"
+SYSTEMD_SERVICE:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'bluetooth.service', '', d)}"
 INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME_${PN} = "bluetooth"
+INITSCRIPT_NAME:${PN} = "bluetooth"
 
 do_compile_ptest() {
 	oe_runmake buildtests
@@ -157,4 +149,4 @@ do_install_ptest() {
 	rm -f ${D}${PTEST_PATH}/unit/*.o
 }
 
-RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-gconv-utf-16"
+RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-gconv-utf-16"
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
index da7140922d..618ed734a9 100644
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
@@ -1,4 +1,4 @@
-From 99ccdbe155028c4c789803a429072675b87d0c3a Mon Sep 17 00:00:00 2001
+From f74eb97c9fb3c0ee2895742e773ac6a3c41c999c Mon Sep 17 00:00:00 2001
 From: Giovanni Campagna <gcampagna-cNUdlRotFMnNLxjTenLetw@public.gmane.org>
 Date: Sat, 12 Oct 2013 17:45:25 +0200
 Subject: [PATCH] Allow using obexd without systemd in the user session
@@ -17,22 +17,22 @@ http://thread.gmane.org/gmane.linux.bluez.kernel/38725/focus=38843
 Signed-off-by: Javier Viguera <javier.viguera@digi.com>
 
 ---
- Makefile.obexd                                                  | 4 ++--
- obexd/src/{org.bluez.obex.service => org.bluez.obex.service.in} | 2 +-
+ Makefile.obexd                                                | 4 ++--
+ .../src/{org.bluez.obex.service => org.bluez.obex.service.in} | 2 +-
  2 files changed, 3 insertions(+), 3 deletions(-)
  rename obexd/src/{org.bluez.obex.service => org.bluez.obex.service.in} (76%)
 
 diff --git a/Makefile.obexd b/Makefile.obexd
-index c462692..0325f66 100644
+index de59d29..73004a3 100644
 --- a/Makefile.obexd
 +++ b/Makefile.obexd
 @@ -1,12 +1,12 @@
  if SYSTEMD
- systemduserunitdir = @SYSTEMD_USERUNITDIR@
+ systemduserunitdir = $(SYSTEMD_USERUNITDIR)
  systemduserunit_DATA = obexd/src/obex.service
 +endif
  
- dbussessionbusdir = @DBUS_SESSIONBUSDIR@
+ dbussessionbusdir = $(DBUS_SESSIONBUSDIR)
  dbussessionbus_DATA = obexd/src/org.bluez.obex.service
 -endif
  
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-Makefile.am-Fix-a-race-issue-for-tools.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-Makefile.am-Fix-a-race-issue-for-tools.patch
deleted file mode 100644
index b6cb978393..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-Makefile.am-Fix-a-race-issue-for-tools.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 117c41242c01e057295aed80ed973c6dc7e35fe2 Mon Sep 17 00:00:00 2001
-From: Ross Burton <ross.burton@intel.com>
-Date: Tue, 8 Oct 2019 11:01:56 +0100
-Subject: [PATCH BlueZ] Makefile.am: add missing mkdir in rules generation
-
-In parallel out-of-tree builds it's possible that tools/*.rules are
-generated before the target directory has been implicitly created. Solve this by
-creating the directory before writing into it.
----
- Makefile.am | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/Makefile.am b/Makefile.am
-index 2ac28b23d..e7bcd2366 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -589,6 +589,7 @@ src/builtin.h: src/genbuiltin $(builtin_sources)
- 	$(AM_V_GEN)$(srcdir)/src/genbuiltin $(builtin_modules) > $@
- 
- tools/%.rules:
-+	$(AM_V_at)$(MKDIR_P) tools
- 	$(AM_V_GEN)cp $(srcdir)/$(subst 97-,,$@) $@
- 
- $(lib_libbluetooth_la_OBJECTS): $(local_headers)
--- 
-2.20.1
-
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch
index e90b6a546f..b1e93dbe19 100644
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch
@@ -1,4 +1,4 @@
-From 61e741654cc2eb167bca212a3bb2ba8f3ba280c1 Mon Sep 17 00:00:00 2001
+From fb583a57f9f4ab956a09e9bb96d89aa13553bf21 Mon Sep 17 00:00:00 2001
 From: Mingli Yu <Mingli.Yu@windriver.com>
 Date: Fri, 24 Aug 2018 12:04:03 +0800
 Subject: [PATCH] test-gatt: Fix hung issue
@@ -21,15 +21,16 @@ no action.
 Upstream-Status: Submitted [https://marc.info/?l=linux-bluetooth&m=153508881804635&w=2]
 
 Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+
 ---
  unit/test-gatt.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/unit/test-gatt.c b/unit/test-gatt.c
-index c7e28f8..b57373b 100644
+index 5e06d4e..4864d36 100644
 --- a/unit/test-gatt.c
 +++ b/unit/test-gatt.c
-@@ -4463,7 +4463,7 @@ int main(int argc, char *argv[])
+@@ -4546,7 +4546,7 @@ int main(int argc, char *argv[])
  			test_server, service_db_1, NULL,
  			raw_pdu(0x03, 0x00, 0x02),
  			raw_pdu(0xbf, 0x00),
@@ -38,6 +39,3 @@ index c7e28f8..b57373b 100644
  
  	define_test_server("/robustness/unkown-command",
  			test_server, service_db_1, NULL,
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
index 24ddae6b63..881494a354 100644
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch
@@ -1,19 +1,20 @@
-From 4bdf0f96dcaa945fd29f26d56e5b36d8c23e4c8b Mon Sep 17 00:00:00 2001
+From 738e73b386352fd90f1f26cc1ee75427cf4dc23b Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Fri, 1 Apr 2016 17:07:34 +0300
 Subject: [PATCH] tests: add a target for building tests without running them
 
 Upstream-Status: Inappropriate [oe specific]
 Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+
 ---
  Makefile.am | 3 +++
  1 file changed, 3 insertions(+)
 
 diff --git a/Makefile.am b/Makefile.am
-index 1a48a71..ba3b92f 100644
+index e738eb3..dab17dd 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -425,6 +425,9 @@ endif
+@@ -710,6 +710,9 @@ endif
  TESTS = $(unit_tests)
  AM_TESTS_ENVIRONMENT = MALLOC_CHECK_=3 MALLOC_PERTURB_=69
  
@@ -23,6 +24,3 @@ index 1a48a71..ba3b92f 100644
  if DBUS_RUN_SESSION
  AM_TESTS_ENVIRONMENT += dbus-run-session --
  endif
--- 
-2.8.0.rc3
-
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-tools-Fix-build-after-y2038-changes-in-glibc.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-tools-Fix-build-after-y2038-changes-in-glibc.patch
deleted file mode 100644
index 9ca20ae53b..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-tools-Fix-build-after-y2038-changes-in-glibc.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From f36f71f60b1e68c0f12e615b9b128d089ec3dd19 Mon Sep 17 00:00:00 2001
-From: Bastien Nocera <hadess@hadess.net>
-Date: Fri, 7 Jun 2019 09:51:33 +0200
-Subject: [PATCH] tools: Fix build after y2038 changes in glibc
-
-The 32-bit SIOCGSTAMP has been deprecated. Use the deprecated name
-to fix the build.
-
-Upstream-Status: backport commit f36f71f60b1e68c0f12e615b9b128d089ec3dd19
-
-Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
-
----
- tools/l2test.c | 6 +++++-
- tools/rctest.c | 6 +++++-
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/tools/l2test.c b/tools/l2test.c
-index e755ac881..e787c2ce2 100644
---- a/tools/l2test.c
-+++ b/tools/l2test.c
-@@ -55,6 +55,10 @@
- #define BREDR_DEFAULT_PSM	0x1011
- #define LE_DEFAULT_PSM		0x0080
- 
-+#ifndef SIOCGSTAMP_OLD
-+#define SIOCGSTAMP_OLD SIOCGSTAMP
-+#endif
-+
- /* Test modes */
- enum {
- 	SEND,
-@@ -907,7 +911,7 @@ static void recv_mode(int sk)
- 			if (timestamp) {
- 				struct timeval tv;
- 
--				if (ioctl(sk, SIOCGSTAMP, &tv) < 0) {
-+				if (ioctl(sk, SIOCGSTAMP_OLD, &tv) < 0) {
- 					timestamp = 0;
- 					memset(ts, 0, sizeof(ts));
- 				} else {
-diff --git a/tools/rctest.c b/tools/rctest.c
-index 94490f462..bc8ed875d 100644
---- a/tools/rctest.c
-+++ b/tools/rctest.c
-@@ -50,6 +50,10 @@
- 
- #include "src/shared/util.h"
- 
-+#ifndef SIOCGSTAMP_OLD
-+#define SIOCGSTAMP_OLD SIOCGSTAMP
-+#endif
-+
- /* Test modes */
- enum {
- 	SEND,
-@@ -505,7 +509,7 @@ static void recv_mode(int sk)
- 			if (timestamp) {
- 				struct timeval tv;
- 
--				if (ioctl(sk, SIOCGSTAMP, &tv) < 0) {
-+				if (ioctl(sk, SIOCGSTAMP_OLD, &tv) < 0) {
- 					timestamp = 0;
- 					memset(ts, 0, sizeof(ts));
- 				} else {
--- 
-2.19.1
-
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-tools-btpclient.c-include-signal.h.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-tools-btpclient.c-include-signal.h.patch
deleted file mode 100644
index 620aaabc68..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/0001-tools-btpclient.c-include-signal.h.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 0b1766514f6847c7367fce07f19a750ec74c11a6 Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Thu, 26 Sep 2019 16:19:34 +0800
-Subject: [PATCH] tools/btpclient.c: include signal.h
-
-Fix compile failure when configure --enable-btpclient:
-btpclient.c:2834:7: error: 'SIGINT' undeclared (first use in this function)
-
-Upstream-Status: Backport [A subset of the full fix that went upstream]
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
----
- tools/btpclient.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tools/btpclient.c b/tools/btpclient.c
-index b217df5..aece7fe 100644
---- a/tools/btpclient.c
-+++ b/tools/btpclient.c
-@@ -29,6 +29,7 @@
- #include <stdlib.h>
- #include <assert.h>
- #include <getopt.h>
-+#include <signal.h>
- 
- #include <ell/ell.h>
- 
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch b/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch
new file mode 100644
index 0000000000..516d859069
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch
@@ -0,0 +1,27 @@
+From b53df61b41088b68c127ac76cc71683ac3453b9d Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Mon, 12 Dec 2022 13:10:19 +0100
+Subject: [PATCH] src/shared/util.c: include linux/limits.h
+
+MAX_INPUT is defined in that file. This matters on non-glibc
+systems such as those using musl.
+
+Upstream-Status: Submitted [to linux-bluetooth@vger.kernel.org,luiz.von.dentz@intel.com,frederic.danis@collabora.com]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+
+---
+ src/shared/util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/shared/util.c b/src/shared/util.c
+index c0c2c4a..036dc0d 100644
+--- a/src/shared/util.c
++++ b/src/shared/util.c
+@@ -23,6 +23,7 @@
+ #include <unistd.h>
+ #include <dirent.h>
+ #include <limits.h>
++#include <linux/limits.h>
+ #include <string.h>
+ 
+ #ifdef HAVE_SYS_RANDOM_H
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2018-10910.patch b/meta/recipes-connectivity/bluez5/bluez5/CVE-2018-10910.patch
deleted file mode 100644
index 2a78077443..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/CVE-2018-10910.patch
+++ /dev/null
@@ -1,505 +0,0 @@
-From 977321f2c7f974ea68a3d90df296c66189a3f254 Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Fri, 21 Jun 2019 17:57:35 +0900
-Subject: [PATCH] CVE-2018-10910
-
-A bug in Bluez may allow for the Bluetooth Discoverable state being set to on
-when no Bluetooth agent is registered with the system. This situation could
-lead to the unauthorized pairing of certain Bluetooth devices without any
-form of authentication.
-
-CVE: CVE-2018-10910
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-Subject:    [PATCH BlueZ 1/4] client: Add discoverable-timeout command
-From:       Luiz Augusto von Dentz <luiz.dentz () gmail ! com>
-Date:       2018-07-25 10:20:32
-Message-ID: 20180725102035.19439-1-luiz.dentz () gmail ! com
-[Download RAW message or body]
-
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-
-This adds discoverable-timeout command which can be used to get/set
-DiscoverableTimeout property:
-
-[bluetooth]# discoverable-timeout 180
-Changing discoverable-timeout 180 succeeded
----
- client/main.c       |  82 +++++++++++++++++++++++++++++++++-
- doc/adapter-api.txt |   6 +++
- src/adapter.c       | 125 ++++++++++++++++++++++++++++++++++++++++++++++------
- 3 files changed, 198 insertions(+), 15 deletions(-)
-
-diff --git a/client/main.c b/client/main.c
-index 87323d8..1a66a3a 100644
---- a/client/main.c
-+++ b/client/main.c
-@@ -877,6 +877,7 @@ static void cmd_show(int argc, char *argv[])
- 	print_property(proxy, "Class");
- 	print_property(proxy, "Powered");
- 	print_property(proxy, "Discoverable");
-+	print_property(proxy, "DiscoverableTimeout");
- 	print_property(proxy, "Pairable");
- 	print_uuids(proxy);
- 	print_property(proxy, "Modalias");
-@@ -1061,6 +1062,47 @@ static void cmd_discoverable(int argc, char *argv[])
- 	return bt_shell_noninteractive_quit(EXIT_FAILURE);
- }
- 
-+static void cmd_discoverable_timeout(int argc, char *argv[])
-+{
-+	uint32_t value;
-+	char *endptr = NULL;
-+	char *str;
-+
-+	if (argc < 2) {
-+		DBusMessageIter iter;
-+
-+		if (!g_dbus_proxy_get_property(default_ctrl->proxy,
-+					"DiscoverableTimeout", &iter)) {
-+			bt_shell_printf("Unable to get DiscoverableTimeout\n");
-+			return bt_shell_noninteractive_quit(EXIT_FAILURE);
-+		}
-+
-+		dbus_message_iter_get_basic(&iter, &value);
-+
-+		bt_shell_printf("DiscoverableTimeout: %d seconds\n", value);
-+
-+		return;
-+	}
-+
-+	value = strtol(argv[1], &endptr, 0);
-+	if (!endptr || *endptr != '\0' || value > UINT32_MAX) {
-+		bt_shell_printf("Invalid argument\n");
-+		return bt_shell_noninteractive_quit(EXIT_FAILURE);
-+	}
-+
-+	str = g_strdup_printf("discoverable-timeout %d", value);
-+
-+	if (g_dbus_proxy_set_property_basic(default_ctrl->proxy,
-+					"DiscoverableTimeout",
-+					DBUS_TYPE_UINT32, &value,
-+					generic_callback, str, g_free))
-+		return;
-+
-+	g_free(str);
-+
-+	return bt_shell_noninteractive_quit(EXIT_FAILURE);
-+}
-+
- static void cmd_agent(int argc, char *argv[])
- {
- 	dbus_bool_t enable;
-@@ -1124,6 +1166,7 @@ static struct set_discovery_filter_args {
- 	char **uuids;
- 	size_t uuids_len;
- 	dbus_bool_t duplicate;
-+	dbus_bool_t discoverable;
- 	bool set;
- } filter = {
- 	.rssi = DISTANCE_VAL_INVALID,
-@@ -1163,6 +1206,11 @@ static void set_discovery_filter_setup(DBusMessageIter *iter, void *user_data)
- 						DBUS_TYPE_BOOLEAN,
- 						&args->duplicate);
- 
-+	if (args->discoverable)
-+		g_dbus_dict_append_entry(&dict, "Discoverable",
-+						DBUS_TYPE_BOOLEAN,
-+						&args->discoverable);
-+
- 	dbus_message_iter_close_container(iter, &dict);
- }
- 
-@@ -1320,6 +1368,26 @@ static void cmd_scan_filter_duplicate_data(int argc, char *argv[])
- 	filter.set = false;
- }
- 
-+static void cmd_scan_filter_discoverable(int argc, char *argv[])
-+{
-+	if (argc < 2 || !strlen(argv[1])) {
-+		bt_shell_printf("Discoverable: %s\n",
-+				filter.discoverable ? "on" : "off");
-+		return bt_shell_noninteractive_quit(EXIT_SUCCESS);
-+	}
-+
-+	if (!strcmp(argv[1], "on"))
-+		filter.discoverable = true;
-+	else if (!strcmp(argv[1], "off"))
-+		filter.discoverable = false;
-+	else {
-+		bt_shell_printf("Invalid option: %s\n", argv[1]);
-+		return bt_shell_noninteractive_quit(EXIT_FAILURE);
-+	}
-+
-+	filter.set = false;
-+}
-+
- static void filter_clear_uuids(void)
- {
- 	g_strfreev(filter.uuids);
-@@ -1348,6 +1416,11 @@ static void filter_clear_duplicate(void)
- 	filter.duplicate = false;
- }
- 
-+static void filter_clear_discoverable(void)
-+{
-+	filter.discoverable = false;
-+}
-+
- struct clear_entry {
- 	const char *name;
- 	void (*clear) (void);
-@@ -1359,6 +1432,7 @@ static const struct clear_entry filter_clear[] = {
- 	{ "pathloss", filter_clear_pathloss },
- 	{ "transport", filter_clear_transport },
- 	{ "duplicate-data", filter_clear_duplicate },
-+	{ "discoverable", filter_clear_discoverable },
- 	{}
- };
- 
-@@ -2468,7 +2542,11 @@ static const struct bt_shell_menu scan_menu = {
- 	{ "duplicate-data", "[on/off]", cmd_scan_filter_duplicate_data,
- 				"Set/Get duplicate data filter",
- 				NULL },
--	{ "clear", "[uuids/rssi/pathloss/transport/duplicate-data]",
-+	{ "discoverable", "[on/off]", cmd_scan_filter_discoverable,
-+				"Set/Get discoverable filter",
-+				NULL },
-+	{ "clear",
-+		"[uuids/rssi/pathloss/transport/duplicate-data/discoverable]",
- 				cmd_scan_filter_clear,
- 				"Clears discovery filter.",
- 				filter_clear_generator },
-@@ -2549,6 +2627,8 @@ static const struct bt_shell_menu main_menu = {
- 	{ "discoverable", "<on/off>", cmd_discoverable,
- 					"Set controller discoverable mode",
- 							NULL },
-+	{ "discoverable-timeout", "[value]", cmd_discoverable_timeout,
-+					"Set discoverable timeout", NULL },
- 	{ "agent",        "<on/off/capability>", cmd_agent,
- 				"Enable/disable agent with given capability",
- 							capability_generator},
-diff --git a/doc/adapter-api.txt b/doc/adapter-api.txt
-index d14d0ca..4791af2 100644
---- a/doc/adapter-api.txt
-+++ b/doc/adapter-api.txt
-@@ -113,6 +113,12 @@ Methods		void StartDiscovery()
- 				generated for either ManufacturerData and
- 				ServiceData everytime they are discovered.
- 
-+			bool Discoverable (Default: false)
-+
-+				Make adapter discoverable while discovering,
-+				if the adapter is already discoverable this
-+				setting this filter won't do anything.
-+
- 			When discovery filter is set, Device objects will be
- 			created as new devices with matching criteria are
- 			discovered regardless of they are connectable or
-diff --git a/src/adapter.c b/src/adapter.c
-index af340fd..822bd34 100644
---- a/src/adapter.c
-+++ b/src/adapter.c
-@@ -157,6 +157,7 @@ struct discovery_filter {
- 	int16_t rssi;
- 	GSList *uuids;
- 	bool duplicate;
-+	bool discoverable;
- };
- 
- struct watch_client {
-@@ -196,6 +197,7 @@ struct btd_adapter {
- 	char *name;			/* controller device name */
- 	char *short_name;		/* controller short name */
- 	uint32_t supported_settings;	/* controller supported settings */
-+	uint32_t pending_settings;	/* pending controller settings */
- 	uint32_t current_settings;	/* current controller settings */
- 
- 	char *path;			/* adapter object path */
-@@ -213,6 +215,7 @@ struct btd_adapter {
- 
- 	bool discovering;		/* discovering property state */
- 	bool filtered_discovery;	/* we are doing filtered discovery */
-+	bool filtered_discoverable;	/* we are doing filtered discovery */
- 	bool no_scan_restart_delay;	/* when this flag is set, restart scan
- 					 * without delay */
- 	uint8_t discovery_type;		/* current active discovery type */
-@@ -509,8 +512,10 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
- 	changed_mask = adapter->current_settings ^ settings;
- 
- 	adapter->current_settings = settings;
-+	adapter->pending_settings &= ~changed_mask;
- 
- 	DBG("Changed settings: 0x%08x", changed_mask);
-+	DBG("Pending settings: 0x%08x", adapter->pending_settings);
- 
- 	if (changed_mask & MGMT_SETTING_POWERED) {
- 	        g_dbus_emit_property_changed(dbus_conn, adapter->path,
-@@ -596,10 +601,31 @@ static bool set_mode(struct btd_adapter *adapter, uint16_t opcode,
- 							uint8_t mode)
- {
- 	struct mgmt_mode cp;
-+	uint32_t setting = 0;
- 
- 	memset(&cp, 0, sizeof(cp));
- 	cp.val = mode;
- 
-+	switch (mode) {
-+	case MGMT_OP_SET_POWERED:
-+		setting = MGMT_SETTING_POWERED;
-+		break;
-+	case MGMT_OP_SET_CONNECTABLE:
-+		setting = MGMT_SETTING_CONNECTABLE;
-+		break;
-+	case MGMT_OP_SET_FAST_CONNECTABLE:
-+		setting = MGMT_SETTING_FAST_CONNECTABLE;
-+		break;
-+	case MGMT_OP_SET_DISCOVERABLE:
-+		setting = MGMT_SETTING_DISCOVERABLE;
-+		break;
-+	case MGMT_OP_SET_BONDABLE:
-+		setting = MGMT_SETTING_DISCOVERABLE;
-+		break;
-+	}
-+
-+	adapter->pending_settings |= setting;
-+
- 	DBG("sending set mode command for index %u", adapter->dev_id);
- 
- 	if (mgmt_send(adapter->mgmt, opcode,
-@@ -1818,7 +1844,17 @@ static void discovery_free(void *user_data)
- 	g_free(client);
- }
- 
--static void discovery_remove(struct watch_client *client)
-+static bool set_filtered_discoverable(struct btd_adapter *adapter, bool enable)
-+{
-+	if (adapter->filtered_discoverable == enable)
-+		return true;
-+
-+	adapter->filtered_discoverable = enable;
-+
-+	return set_discoverable(adapter, enable, 0);
-+}
-+
-+static void discovery_remove(struct watch_client *client, bool exit)
- {
- 	struct btd_adapter *adapter = client->adapter;
- 
-@@ -1830,7 +1866,27 @@ static void discovery_remove(struct watch_client *client)
- 	adapter->discovery_list = g_slist_remove(adapter->discovery_list,
- 								client);
- 
--	discovery_free(client);
-+	if (adapter->filtered_discoverable &&
-+			client->discovery_filter->discoverable) {
-+		GSList *l;
-+
-+		for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
-+			struct watch_client *client = l->data;
-+
-+			if (client->discovery_filter->discoverable)
-+				break;
-+		}
-+
-+		/* Disable filtered discoverable if there are no clients */
-+		if (!l)
-+			set_filtered_discoverable(adapter, false);
-+	}
-+
-+	if (!exit && client->discovery_filter)
-+		adapter->set_filter_list = g_slist_prepend(
-+					adapter->set_filter_list, client);
-+	else
-+		discovery_free(client);
- 
- 	/*
- 	 * If there are other client discoveries in progress, then leave
-@@ -1859,8 +1915,11 @@ static void stop_discovery_complete(uint8_t status, uint16_t length,
- 		goto done;
- 	}
- 
--	if (client->msg)
-+	if (client->msg) {
- 		g_dbus_send_reply(dbus_conn, client->msg, DBUS_TYPE_INVALID);
-+		dbus_message_unref(client->msg);
-+		client->msg = NULL;
-+	}
- 
- 	adapter->discovery_type = 0x00;
- 	adapter->discovery_enable = 0x00;
-@@ -1873,7 +1932,7 @@ static void stop_discovery_complete(uint8_t status, uint16_t length,
- 	trigger_passive_scanning(adapter);
- 
- done:
--	discovery_remove(client);
-+	discovery_remove(client, false);
- }
- 
- static int compare_sender(gconstpointer a, gconstpointer b)
-@@ -2094,14 +2153,14 @@ static int update_discovery_filter(struct btd_adapter *adapter)
- 	return -EINPROGRESS;
- }
- 
--static int discovery_stop(struct watch_client *client)
-+static int discovery_stop(struct watch_client *client, bool exit)
- {
- 	struct btd_adapter *adapter = client->adapter;
- 	struct mgmt_cp_stop_discovery cp;
- 
- 	/* Check if there are more client discovering */
- 	if (g_slist_next(adapter->discovery_list)) {
--		discovery_remove(client);
-+		discovery_remove(client, exit);
- 		update_discovery_filter(adapter);
- 		return 0;
- 	}
-@@ -2111,7 +2170,7 @@ static int discovery_stop(struct watch_client *client)
- 	 * and so it is enough to send out the signal and just return.
- 	 */
- 	if (adapter->discovery_enable == 0x00) {
--		discovery_remove(client);
-+		discovery_remove(client, exit);
- 		adapter->discovering = false;
- 		g_dbus_emit_property_changed(dbus_conn, adapter->path,
- 					ADAPTER_INTERFACE, "Discovering");
-@@ -2136,7 +2195,7 @@ static void discovery_disconnect(DBusConnection *conn, void *user_data)
- 
- 	DBG("owner %s", client->owner);
- 
--	discovery_stop(client);
-+	discovery_stop(client, true);
- }
- 
- /*
-@@ -2200,6 +2259,15 @@ static DBusMessage *start_discovery(DBusConnection *conn,
- 					     adapter->set_filter_list, client);
- 		adapter->discovery_list = g_slist_prepend(
- 					      adapter->discovery_list, client);
-+
-+		/* Reset discoverable filter if already set */
-+		if (adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)
-+			goto done;
-+
-+		/* Set discoverable if filter requires and it*/
-+		if (client->discovery_filter->discoverable)
-+			set_filtered_discoverable(adapter, true);
-+
- 		goto done;
- 	}
- 
-@@ -2324,6 +2392,17 @@ static bool parse_duplicate_data(DBusMessageIter *value,
- 	return true;
- }
- 
-+static bool parse_discoverable(DBusMessageIter *value,
-+					struct discovery_filter *filter)
-+{
-+	if (dbus_message_iter_get_arg_type(value) != DBUS_TYPE_BOOLEAN)
-+		return false;
-+
-+	dbus_message_iter_get_basic(value, &filter->discoverable);
-+
-+	return true;
-+}
-+
- struct filter_parser {
- 	const char *name;
- 	bool (*func)(DBusMessageIter *iter, struct discovery_filter *filter);
-@@ -2333,6 +2412,7 @@ struct filter_parser {
- 	{ "Pathloss", parse_pathloss },
- 	{ "Transport", parse_transport },
- 	{ "DuplicateData", parse_duplicate_data },
-+	{ "Discoverable", parse_discoverable },
- 	{ }
- };
- 
-@@ -2372,6 +2452,7 @@ static bool parse_discovery_filter_dict(struct btd_adapter *adapter,
- 	(*filter)->rssi = DISTANCE_VAL_INVALID;
- 	(*filter)->type = get_scan_type(adapter);
- 	(*filter)->duplicate = false;
-+	(*filter)->discoverable = false;
- 
- 	dbus_message_iter_init(msg, &iter);
- 	if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_ARRAY ||
-@@ -2417,8 +2498,10 @@ static bool parse_discovery_filter_dict(struct btd_adapter *adapter,
- 		goto invalid_args;
- 
- 	DBG("filtered discovery params: transport: %d rssi: %d pathloss: %d "
--		" duplicate data: %s ", (*filter)->type, (*filter)->rssi,
--		(*filter)->pathloss, (*filter)->duplicate ? "true" : "false");
-+		" duplicate data: %s discoverable %s", (*filter)->type,
-+		(*filter)->rssi, (*filter)->pathloss,
-+		(*filter)->duplicate ? "true" : "false",
-+		(*filter)->discoverable ? "true" : "false");
- 
- 	return true;
- 
-@@ -2510,7 +2593,7 @@ static DBusMessage *stop_discovery(DBusConnection *conn,
- 	if (client->msg)
- 		return btd_error_busy(msg);
- 
--	err = discovery_stop(client);
-+	err = discovery_stop(client, false);
- 	switch (err) {
- 	case 0:
- 		return dbus_message_new_method_return(msg);
-@@ -2739,13 +2822,15 @@ static void property_set_mode(struct btd_adapter *adapter, uint32_t setting,
- 	else
- 		current_enable = FALSE;
- 
--	if (enable == current_enable) {
-+	if (enable == current_enable || adapter->pending_settings & setting) {
- 		g_dbus_pending_property_success(id);
- 		return;
- 	}
- 
- 	mode = (enable == TRUE) ? 0x01 : 0x00;
- 
-+	adapter->pending_settings |= setting;
-+
- 	switch (setting) {
- 	case MGMT_SETTING_POWERED:
- 		opcode = MGMT_OP_SET_POWERED;
-@@ -2798,7 +2883,7 @@ static void property_set_mode(struct btd_adapter *adapter, uint32_t setting,
- 	data->id = id;
- 
- 	if (mgmt_send(adapter->mgmt, opcode, adapter->dev_id, len, param,
--				property_set_mode_complete, data, g_free) > 0)
-+			property_set_mode_complete, data, g_free) > 0)
- 		return;
- 
- 	g_free(data);
-@@ -2875,6 +2960,7 @@ static void property_set_discoverable_timeout(
- 				GDBusPendingPropertySet id, void *user_data)
- {
- 	struct btd_adapter *adapter = user_data;
-+	bool enabled;
- 	dbus_uint32_t value;
- 
- 	dbus_message_iter_get_basic(iter, &value);
-@@ -2888,8 +2974,19 @@ static void property_set_discoverable_timeout(
- 	g_dbus_emit_property_changed(dbus_conn, adapter->path,
- 				ADAPTER_INTERFACE, "DiscoverableTimeout");
- 
-+	if (adapter->pending_settings & MGMT_SETTING_DISCOVERABLE) {
-+		if (adapter->current_settings & MGMT_SETTING_DISCOVERABLE)
-+			enabled = false;
-+		else
-+			enabled = true;
-+	} else {
-+		if (adapter->current_settings & MGMT_SETTING_DISCOVERABLE)
-+			enabled = true;
-+		else
-+			enabled = false;
-+	}
- 
--	if (adapter->current_settings & MGMT_SETTING_DISCOVERABLE)
-+	if (enabled)
- 		set_discoverable(adapter, 0x01, adapter->discoverable_timeout);
- }
- 
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/bluez5/bluez5/gcc9-fixes.patch b/meta/recipes-connectivity/bluez5/bluez5/gcc9-fixes.patch
deleted file mode 100644
index ca678e601e..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/gcc9-fixes.patch
+++ /dev/null
@@ -1,301 +0,0 @@
-Backported commit from upstream master branch (post 5.50 release), which
-resolves assertion failures in several unit tests.
-
-https://git.kernel.org/pub/scm/bluetooth/bluez.git/patch/?id=0be5246170
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/unit/test-avctp.c b/unit/test-avctp.c
-index 3bc3569..24de663 100644
---- a/unit/test-avctp.c
-+++ b/unit/test-avctp.c
-@@ -43,7 +43,7 @@
- 
- struct test_pdu {
- 	bool valid;
--	const uint8_t *data;
-+	uint8_t *data;
- 	size_t size;
- };
- 
-@@ -66,7 +66,7 @@ struct context {
- #define raw_pdu(args...)					\
- 	{							\
- 		.valid = true,					\
--		.data = data(args),				\
-+		.data = g_memdup(data(args), sizeof(data(args))), \
- 		.size = sizeof(data(args)),			\
- 	}
- 
-@@ -91,6 +91,11 @@ static void test_debug(const char *str, void *user_data)
- static void test_free(gconstpointer user_data)
- {
- 	const struct test_data *data = user_data;
-+	struct test_pdu *pdu;
-+	int i;
-+
-+	for (i = 0; (pdu = &data->pdu_list[i]) && pdu->valid; i++)
-+		g_free(pdu->data);
- 
- 	g_free(data->test_name);
- 	g_free(data->pdu_list);
-diff --git a/unit/test-avdtp.c b/unit/test-avdtp.c
-index dd8aed7..e2c951a 100644
---- a/unit/test-avdtp.c
-+++ b/unit/test-avdtp.c
-@@ -47,7 +47,7 @@
- struct test_pdu {
- 	bool valid;
- 	bool fragmented;
--	const uint8_t *data;
-+	uint8_t *data;
- 	size_t size;
- };
- 
-@@ -61,7 +61,7 @@ struct test_data {
- #define raw_pdu(args...) \
- 	{							\
- 		.valid = true,					\
--		.data = data(args),				\
-+		.data = g_memdup(data(args), sizeof(data(args))), \
- 		.size = sizeof(data(args)),			\
- 	}
- 
-@@ -69,7 +69,7 @@ struct test_data {
- 	{							\
- 		.valid = true,					\
- 		.fragmented = true,				\
--		.data = data(args),				\
-+		.data = g_memdup(data(args), sizeof(data(args))), \
- 		.size = sizeof(data(args)),			\
- 	}
- 
-@@ -81,7 +81,7 @@ struct test_data {
- 		static struct test_data data;				\
- 		data.test_name = g_strdup(name);			\
- 		data.pdu_list = g_memdup(pdus, sizeof(pdus));		\
--		tester_add(name, &data, NULL, function, NULL);		\
-+		tester_add(name, &data, NULL, function, NULL);	\
- 	} while (0)
- 
- struct context {
-@@ -109,6 +109,11 @@ static void test_debug(const char *str, void *user_data)
- static void test_free(gconstpointer user_data)
- {
- 	const struct test_data *data = user_data;
-+	struct test_pdu *pdu;
-+	int i;
-+
-+	for (i = 0; (pdu = &data->pdu_list[i]) && pdu->valid; i++)
-+		g_free(pdu->data);
- 
- 	g_free(data->test_name);
- 	g_free(data->pdu_list);
-diff --git a/unit/test-avrcp.c b/unit/test-avrcp.c
-index 01307e6..f1aa353 100644
---- a/unit/test-avrcp.c
-+++ b/unit/test-avrcp.c
-@@ -49,7 +49,7 @@ struct test_pdu {
- 	bool fragmented;
- 	bool continuing;
- 	bool browse;
--	const uint8_t *data;
-+	uint8_t *data;
- 	size_t size;
- };
- 
-@@ -74,7 +74,7 @@ struct context {
- #define raw_pdu(args...)					\
- 	{							\
- 		.valid = true,					\
--		.data = data(args),				\
-+		.data = g_memdup(data(args), sizeof(data(args))), \
- 		.size = sizeof(data(args)),			\
- 	}
- 
-@@ -82,7 +82,7 @@ struct context {
- 	{							\
- 		.valid = true,					\
- 		.browse = true,					\
--		.data = data(args),				\
-+		.data = g_memdup(data(args), sizeof(data(args))), \
- 		.size = sizeof(data(args)),			\
- 	}
- 
-@@ -90,7 +90,7 @@ struct context {
- 	{							\
- 		.valid = true,					\
- 		.fragmented = true,				\
--		.data = data(args),				\
-+		.data = g_memdup(data(args), sizeof(data(args))), \
- 		.size = sizeof(data(args)),			\
- 	}
- 
-@@ -98,7 +98,7 @@ struct context {
- 	{							\
- 		.valid = true,					\
- 		.continuing = true,				\
--		.data = data(args),				\
-+		.data = g_memdup(data(args), sizeof(data(args))), \
- 		.size = sizeof(data(args)),			\
- 	}
- 
-@@ -123,6 +123,11 @@ static void test_debug(const char *str, void *user_data)
- static void test_free(gconstpointer user_data)
- {
- 	const struct test_data *data = user_data;
-+	struct test_pdu *pdu;
-+	int i;
-+
-+	for (i = 0; (pdu = &data->pdu_list[i]) && pdu->valid; i++)
-+		g_free(pdu->data);
- 
- 	g_free(data->test_name);
- 	g_free(data->pdu_list);
-diff --git a/unit/test-gatt.c b/unit/test-gatt.c
-index c7e28f8..d49f7a0 100644
---- a/unit/test-gatt.c
-+++ b/unit/test-gatt.c
-@@ -48,7 +48,7 @@
- 
- struct test_pdu {
- 	bool valid;
--	const uint8_t *data;
-+	uint8_t *data;
- 	size_t size;
- };
- 
-@@ -86,7 +86,7 @@ struct context {
- #define raw_pdu(args...)					\
- 	{							\
- 		.valid = true,					\
--		.data = data(args),				\
-+		.data = g_memdup(data(args), sizeof(data(args))), \
- 		.size = sizeof(data(args)),			\
- 	}
- 
-@@ -306,6 +306,11 @@ static bt_uuid_t uuid_char_128 = {
- static void test_free(gconstpointer user_data)
- {
- 	const struct test_data *data = user_data;
-+	struct test_pdu *pdu;
-+	int i;
-+
-+	for (i = 0; (pdu = &data->pdu_list[i]) && pdu->valid; i++)
-+		g_free(pdu->data);
- 
- 	g_free(data->test_name);
- 	g_free(data->pdu_list);
-@@ -1911,6 +1916,8 @@ static void test_server(gconstpointer data)
- 	g_assert_cmpint(len, ==, pdu.size);
- 
- 	util_hexdump('<', pdu.data, len, test_debug, "GATT: ");
-+
-+	g_free(pdu.data);
- }
- 
- static void test_search_primary(gconstpointer data)
-diff --git a/unit/test-hfp.c b/unit/test-hfp.c
-index f2b9622..890eee6 100644
---- a/unit/test-hfp.c
-+++ b/unit/test-hfp.c
-@@ -43,7 +43,7 @@ struct context {
- 
- struct test_pdu {
- 	bool valid;
--	const uint8_t *data;
-+	uint8_t *data;
- 	size_t size;
- 	enum hfp_gw_cmd_type type;
- 	bool fragmented;
-@@ -63,7 +63,7 @@ struct test_data {
- #define raw_pdu(args...)					\
- 	{							\
- 		.valid = true,					\
--		.data = data(args),				\
-+		.data = g_memdup(data(args), sizeof(data(args))), \
- 		.size = sizeof(data(args)),			\
- 	}
- 
-@@ -75,7 +75,7 @@ struct test_data {
- #define type_pdu(cmd_type, args...)				\
- 	{							\
- 		.valid = true,					\
--		.data = data(args),				\
-+		.data = g_memdup(data(args), sizeof(data(args))), \
- 		.size = sizeof(data(args)),			\
- 		.type = cmd_type,				\
- 	}
-@@ -83,7 +83,7 @@ struct test_data {
- #define frg_pdu(args...)					\
- 	{							\
- 		.valid = true,					\
--		.data = data(args),				\
-+		.data = g_memdup(data(args), sizeof(data(args))), \
- 		.size = sizeof(data(args)),			\
- 		.fragmented = true,				\
- 	}
-@@ -119,6 +119,11 @@ struct test_data {
- static void test_free(gconstpointer user_data)
- {
- 	const struct test_data *data = user_data;
-+	struct test_pdu *pdu;
-+	int i;
-+
-+	for (i = 0; (pdu = &data->pdu_list[i]) && pdu->valid; i++)
-+		g_free(pdu->data);
- 
- 	g_free(data->test_name);
- 	g_free(data->pdu_list);
-diff --git a/unit/test-hog.c b/unit/test-hog.c
-index d117968..25bdb42 100644
---- a/unit/test-hog.c
-+++ b/unit/test-hog.c
-@@ -68,11 +68,11 @@ struct context {
- 
- #define data(args...) ((const unsigned char[]) { args })
- 
--#define raw_pdu(args...)    \
--{      \
--	.valid = true,		\
--	.data = data(args), \
--	.size = sizeof(data(args)),\
-+#define raw_pdu(args...)					\
-+{								\
-+	.valid = true,						\
-+	.data = g_memdup(data(args), sizeof(data(args))),	\
-+	.size = sizeof(data(args)),				\
- }
- 
- #define false_pdu()	\
-diff --git a/unit/test-sdp.c b/unit/test-sdp.c
-index ac921a9..c71ee1f 100644
---- a/unit/test-sdp.c
-+++ b/unit/test-sdp.c
-@@ -59,14 +59,14 @@ struct test_data {
- #define raw_pdu(args...) \
- 	{							\
- 		.valid = true,					\
--		.raw_data = raw_data(args),			\
-+		.raw_data = g_memdup(raw_data(args), sizeof(raw_data(args))), \
- 		.raw_size = sizeof(raw_data(args)),		\
- 	}
- 
- #define raw_pdu_cont(cont, args...) \
- 	{							\
- 		.valid = true,					\
--		.raw_data = raw_data(args),			\
-+		.raw_data = g_memdup(raw_data(args), sizeof(raw_data(args))), \
- 		.raw_size = sizeof(raw_data(args)),		\
- 		.cont_len = cont,				\
- 	}
-@@ -103,7 +103,7 @@ struct test_data_de {
- #define define_test_de_attr(name, input, exp) \
- 	do {								\
- 		static struct test_data_de data;			\
--		data.input_data = input;				\
-+		data.input_data = g_memdup(input, sizeof(input));	\
- 		data.input_size = sizeof(input);			\
- 		data.expected = exp;					\
- 		tester_add("/sdp/DE/ATTR/" name, &data,	NULL,		\
diff --git a/meta/recipes-connectivity/bluez5/bluez5/out-of-tree.patch b/meta/recipes-connectivity/bluez5/bluez5/out-of-tree.patch
deleted file mode 100644
index 76ed779258..0000000000
--- a/meta/recipes-connectivity/bluez5/bluez5/out-of-tree.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From ed55b49a226ca3909f52416be2ae5ce1c5ca2cb2 Mon Sep 17 00:00:00 2001
-From: Ross Burton <ross.burton@intel.com>
-Date: Fri, 22 Apr 2016 15:40:37 +0100
-Subject: [PATCH] Makefile.obexd: add missing mkdir in builtin.h generation
-
-In parallel out-of-tree builds it's possible that obexd/src/builtin.h is
-generated before the target directory has been implicitly created. Solve this by
-creating the directory before writing into it.
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
----
- Makefile.obexd | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/Makefile.obexd b/Makefile.obexd
-index 2e33cbc..c8286f0 100644
---- a/Makefile.obexd
-+++ b/Makefile.obexd
-@@ -105,2 +105,3 @@ obexd/src/plugin.$(OBJEXT): obexd/src/builtin.h
- obexd/src/builtin.h: obexd/src/genbuiltin $(obexd_builtin_sources)
-+	$(AM_V_at)$(MKDIR_P) $(dir $@)
- 	$(AM_V_GEN)$(srcdir)/obexd/src/genbuiltin $(obexd_builtin_modules) > $@
--- 
-2.8.0.rc3
-
diff --git a/meta/recipes-connectivity/bluez5/bluez5/run-ptest b/meta/recipes-connectivity/bluez5/bluez5/run-ptest
index 21df00c327..0335e68e48 100644
--- a/meta/recipes-connectivity/bluez5/bluez5/run-ptest
+++ b/meta/recipes-connectivity/bluez5/bluez5/run-ptest
@@ -6,7 +6,7 @@ failed=0
 all=0
 
 for f in test-*; do
-    "./$f"
+    "./$f" -q
     case "$?" in
         0)
             echo "PASS: $f"
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.50.bb b/meta/recipes-connectivity/bluez5/bluez5_5.72.bb
index 4e443e5fb0..9fda960ea7 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.50.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.72.bb
@@ -1,7 +1,8 @@
 require bluez5.inc
 
-SRC_URI[md5sum] = "8e35c67c81a55d3ad4c9f22280dae178"
-SRC_URI[sha256sum] = "5ffcaae18bbb6155f1591be8c24898dc12f062075a40b538b745bfd477481911"
+SRC_URI[sha256sum] = "499d7fa345a996c1bb650f5c6749e1d929111fa6ece0be0e98687fee6124536e"
+
+CVE_STATUS[CVE-2020-24490] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes"
 
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
diff --git a/meta/recipes-connectivity/connman/connman-conf.bb b/meta/recipes-connectivity/connman/connman-conf.bb
index 9a519ec866..a1a0e08faa 100644
--- a/meta/recipes-connectivity/connman/connman-conf.bb
+++ b/meta/recipes-connectivity/connman/connman-conf.bb
@@ -1,36 +1,21 @@
-SUMMARY = "Connman config to setup wired interface on qemu machines"
-DESCRIPTION = "This is the ConnMan configuration to set up a Wired \
-network interface for a qemu machine."
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+SUMMARY = "Connman config to ignore wired interface on qemu machines"
+DESCRIPTION = "This is the ConnMan configuration to avoid touching wired \
+network interface inside qemu machines."
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
 
-inherit systemd
 
-SRC_URI_append_qemuall = " file://wired.config \
-                           file://wired-setup \
-                           file://wired-connection.service \
-"
-PR = "r2"
+SRC_URI = "file://main.conf \
+          "
 
 S = "${WORKDIR}"
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
-FILES_${PN} = "${localstatedir}/* ${datadir}/*"
+FILES:${PN} = "${sysconfdir}/*"
 
-do_install() {
-    #Configure Wired network interface in case of qemu* machines
-    if test -e ${WORKDIR}/wired.config &&
-       test -e ${WORKDIR}/wired-setup &&
-       test -e ${WORKDIR}/wired-connection.service; then
-        install -d ${D}${localstatedir}/lib/connman
-        install -m 0644 ${WORKDIR}/wired.config ${D}${localstatedir}/lib/connman
-        install -d ${D}${datadir}/connman
-        install -m 0755 ${WORKDIR}/wired-setup ${D}${datadir}/connman
-        install -d ${D}${systemd_system_unitdir}
-        install -m 0644 ${WORKDIR}/wired-connection.service ${D}${systemd_system_unitdir}
-        sed -i -e 's|@SCRIPTDIR@|${datadir}/connman|g' ${D}${systemd_system_unitdir}/wired-connection.service
-    fi
+# Kernel IP-Config is perfectly capable of setting up networking passed in via ip=
+do_install:append:qemuall() {
+    mkdir -p ${D}${sysconfdir}/connman
+    cp ${S}/main.conf ${D}${sysconfdir}/connman/main.conf
 }
-
-SYSTEMD_SERVICE_${PN}_qemuall = "wired-connection.service"
diff --git a/meta/recipes-connectivity/connman/connman-conf/main.conf b/meta/recipes-connectivity/connman/connman-conf/main.conf
new file mode 100644
index 0000000000..3c9dd396f6
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman-conf/main.conf
@@ -0,0 +1,2 @@
+[General]
+NetworkInterfaceBlacklist = eth,en
diff --git a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-connection.service b/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-connection.service
deleted file mode 100644
index 48adfc08ac..0000000000
--- a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-connection.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Setup a wired interface
-Before=connman.service
-
-[Service]
-Type=oneshot
-ExecStart=@SCRIPTDIR@/wired-setup
-
-[Install]
-WantedBy=network.target
diff --git a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-setup b/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-setup
deleted file mode 100644
index c46899ef32..0000000000
--- a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired-setup
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-
-CONFIGF=/var/lib/connman/wired.config
-
-# Extract wired network config from /proc/cmdline
-NET_CONF=`cat /proc/cmdline |sed -ne 's/^.*ip=\([^ ]*\):\([^ ]*\):\([^ ]*\):\([^ ]*\).*$/\1\/\4\/\3/p'`
-
-# Check if eth0 is already set via kernel cmdline
-if [ "x$NET_CONF" = "x" ]; then
-	# Wired interface is not configured via kernel cmdline
-	# Remove connman config file template
-	rm -f ${CONFIGF}
-else
-	# Setup a connman config accordingly
-	sed -i -e "s|^IPv4 =.*|IPv4 = ${NET_CONF}|" ${CONFIGF}
-fi
diff --git a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired.config b/meta/recipes-connectivity/connman/connman-conf/qemuall/wired.config
deleted file mode 100644
index 42998ce897..0000000000
--- a/meta/recipes-connectivity/connman/connman-conf/qemuall/wired.config
+++ /dev/null
@@ -1,9 +0,0 @@
-[global]
-Name = Wired
-Description = Wired network configuration
-
-[service_ethernet]
-Type = ethernet
-IPv4 =
-MAC = 52:54:00:12:34:56
-Nameservers = 8.8.8.8
diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
index a56bd3751f..fcd154b4b0 100644
--- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
+++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
@@ -1,7 +1,7 @@
 SUMMARY = "GTK+ frontend for the ConnMan network connection manager"
 HOMEPAGE = "http://connman.net/"
 SECTION = "libs/network"
-LICENSE = "GPLv2 & LGPLv2.1"
+LICENSE = "GPL-2.0-only & LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
                     file://properties/main.c;beginline=1;endline=20;md5=50c77c81871308b033ab7a1504626afb \
                     file://common/connman-dbus.c;beginline=1;endline=20;md5=de6b485c0e717a0236402d220187717a"
@@ -10,21 +10,21 @@ DEPENDS = "gtk+3 dbus-glib dbus-glib-native intltool-native gettext-native"
 
 # 0.7 tag
 SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143"
-SRC_URI = "git://github.com/connectivity/connman-gnome.git \
+SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protocol=https \
            file://0001-Removed-icon-from-connman-gnome-about-applet.patch \
            file://null_check_for_ipv4_config.patch \
-           file://images/* \
+           file://images/ \
            file://connman-gnome-fix-dbus-interface-name.patch \
            file://0001-Port-to-Gtk3.patch \
           "
 
 S = "${WORKDIR}/git"
 
-inherit autotools-brokensep gtk-icon-cache pkgconfig distro_features_check
+inherit autotools-brokensep gtk-icon-cache pkgconfig features_check
 ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}"
 
-RDEPENDS_${PN} = "connman"
+RDEPENDS:${PN} = "connman"
 
-do_install_append() {
+do_install:append() {
     install -m 0644 ${WORKDIR}/images/* ${D}/usr/share/icons/hicolor/22x22/apps/
 }
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index fb38ab4fc1..7487ca0d0c 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -9,15 +9,15 @@ configuration methods, like DHCP and domain name resolving, are \
 implemented using plug-ins."
 HOMEPAGE = "http://connman.net/"
 BUGTRACKER = "https://01.org/jira/browse/CM"
-LICENSE  = "GPLv2"
+LICENSE  = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
                     file://src/main.c;beginline=1;endline=20;md5=486a279a6ab0c8d152bcda3a5b5edc36"
 
 inherit autotools pkgconfig systemd update-rc.d update-alternatives
 
-DEPENDS  = "dbus glib-2.0 ppp readline"
+CVE_PRODUCT = "connman connection_manager"
 
-INC_PR = "r20"
+DEPENDS  = "dbus glib-2.0 ppp"
 
 EXTRA_OECONF += "\
     ac_cv_path_WPASUPPLICANT=${sbindir}/wpa_supplicant \
@@ -27,23 +27,29 @@ EXTRA_OECONF += "\
     --enable-ethernet \
     --enable-tools \
     --disable-polkit \
-    --enable-client \
+    --runstatedir=/run \
 "
+# For smooth operation it would be best to start only one wireless daemon at a time.
+# If wpa-supplicant is running, connman will use it preferentially.
+# Select either wpa-supplicant or iwd
+WIRELESS_DAEMON ??= "wpa-supplicant"
 
-PACKAGECONFIG ??= "wispr \
-                   ${@bb.utils.filter('DISTRO_FEATURES', '3g systemd wifi', d)} \
+PACKAGECONFIG ??= "wispr iptables client\
+                   ${@bb.utils.filter('DISTRO_FEATURES', '3g systemd', d)} \
                    ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez', '', d)} \
-                   iptables \
+                   ${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'wifi ${WIRELESS_DAEMON}', '', d)} \
 "
 
 # If you want ConnMan to support VPN, add following statement into
 # local.conf or distro config
-# PACKAGECONFIG_append_pn-connman = " openvpn vpnc l2tp pptp"
+# PACKAGECONFIG:append:pn-connman = " openvpn vpnc l2tp pptp"
 
-PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/ --with-tmpfilesdir=${sysconfdir}/tmpfiles.d/,--with-systemdunitdir='' --with-tmpfilesdir=''"
-PACKAGECONFIG[wifi] = "--enable-wifi, --disable-wifi, wpa-supplicant, wpa-supplicant"
+PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_system_unitdir}/ --with-tmpfilesdir=${sysconfdir}/tmpfiles.d/,--with-systemdunitdir='' --with-tmpfilesdir=''"
+PACKAGECONFIG[wifi] = "--enable-wifi, --disable-wifi"
 PACKAGECONFIG[bluez] = "--enable-bluetooth, --disable-bluetooth, bluez5, bluez5"
 PACKAGECONFIG[3g] = "--enable-ofono, --disable-ofono, ofono, ofono"
+PACKAGECONFIG[wpa-supplicant] = ",,wpa-supplicant,wpa-supplicant"
+PACKAGECONFIG[iwd] = "--enable-iwd,--disable-iwd,,iwd"
 PACKAGECONFIG[tist] = "--enable-tist,--disable-tist,"
 PACKAGECONFIG[openvpn] = "--enable-openvpn --with-openvpn=${sbindir}/openvpn,--disable-openvpn,,openvpn"
 PACKAGECONFIG[vpnc] = "--enable-vpnc --with-vpnc=${sbindir}/vpnc,--disable-vpnc,,vpnc"
@@ -51,9 +57,11 @@ PACKAGECONFIG[l2tp] = "--enable-l2tp --with-l2tp=${sbindir}/xl2tpd,--disable-l2t
 PACKAGECONFIG[pptp] = "--enable-pptp --with-pptp=${sbindir}/pptp,--disable-pptp,,pptp-linux"
 # WISPr support for logging into hotspots, requires TLS
 PACKAGECONFIG[wispr] = "--enable-wispr,--disable-wispr,gnutls,"
-PACKAGECONFIG[nftables] = "--with-firewall=nftables ,,libmnl libnftnl,,kernel-module-nf-tables-ipv4 kernel-module-nft-chain-nat-ipv4 kernel-module-nft-chain-route-ipv4 kernel-module-nft-meta kernel-module-nft-masq-ipv4 kernel-module-nft-nat"
+PACKAGECONFIG[nftables] = "--with-firewall=nftables ,,libmnl libnftnl,,kernel-module-nf-tables kernel-module-nft-chain-nat-ipv4 kernel-module-nft-chain-route-ipv4 kernel-module-nft-masq-ipv4 kernel-module-nft-nat"
 PACKAGECONFIG[iptables] = "--with-firewall=iptables ,,iptables,iptables"
 PACKAGECONFIG[nfc] = "--enable-neard, --disable-neard, neard, neard"
+PACKAGECONFIG[client] = "--enable-client,--disable-client,readline"
+PACKAGECONFIG[wireguard] = "--enable-wireguard,--disable-wireguard,libmnl"
 
 INITSCRIPT_NAME = "connman"
 INITSCRIPT_PARAMS = "start 05 5 2 3 . stop 22 0 1 6 ."
@@ -66,16 +74,16 @@ python __anonymous () {
     d.setVar('SYSTEMD_PACKAGES', systemd_packages)
 }
 
-SYSTEMD_SERVICE_${PN} = "connman.service"
-SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service"
-SYSTEMD_SERVICE_${PN}-wait-online = "connman-wait-online.service"
+SYSTEMD_SERVICE:${PN} = "connman.service"
+SYSTEMD_SERVICE:${PN}-vpn = "connman-vpn.service"
+SYSTEMD_SERVICE:${PN}-wait-online = "connman-wait-online.service"
 
 ALTERNATIVE_PRIORITY = "100"
-ALTERNATIVE_${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','resolv-conf','',d)}"
+ALTERNATIVE:${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','resolv-conf','',d)}"
 ALTERNATIVE_TARGET[resolv-conf] = "${@bb.utils.contains('DISTRO_FEATURES','systemd','${sysconfdir}/resolv-conf.connman','',d)}"
 ALTERNATIVE_LINK_NAME[resolv-conf] = "${@bb.utils.contains('DISTRO_FEATURES','systemd','${sysconfdir}/resolv.conf','',d)}"
 
-do_install_append() {
+do_install:append() {
 	if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
 		install -d ${D}${sysconfdir}/init.d
 		install -m 0755 ${WORKDIR}/connman ${D}${sysconfdir}/init.d/connman
@@ -87,7 +95,6 @@ do_install_append() {
 	if [ -e ${B}/tools/wispr ]; then
 		install -m 0755 ${B}/tools/wispr ${D}${bindir}
 	fi
-	install -m 0755 ${B}/client/connmanctl ${D}${bindir}
 
 	# We don't need to package an empty directory
 	rmdir --ignore-fail-on-non-empty ${D}${libdir}/connman/scripts
@@ -103,7 +110,7 @@ do_install_append() {
 }
 
 # These used to be plugins, but now they are core
-RPROVIDES_${PN} = "\
+RPROVIDES:${PN} = "\
 	connman-plugin-loopback \
 	connman-plugin-ethernet \
 	${@bb.utils.contains('PACKAGECONFIG', 'bluetooth','connman-plugin-bluetooth', '', d)} \
@@ -111,7 +118,7 @@ RPROVIDES_${PN} = "\
 	${@bb.utils.contains('PACKAGECONFIG', '3g','connman-plugin-ofono', '', d)} \
 	"
 
-RDEPENDS_${PN} = "\
+RDEPENDS:${PN} = "\
 	dbus \
 	"
 
@@ -122,11 +129,11 @@ def add_rdepends(bb, d, file, pkg, depmap, multilib_prefix, add_insane_skip):
     if plugintype in depmap:
         rdepends = map(lambda x: multilib_prefix + x, \
                        depmap[plugintype].split())
-        d.setVar("RDEPENDS_%s" % pkg, " ".join(rdepends))
+        d.setVar("RDEPENDS:%s" % pkg, " ".join(rdepends))
     if add_insane_skip:
-        d.appendVar("INSANE_SKIP_%s" % pkg, "dev-so")
+        d.appendVar("INSANE_SKIP:%s" % pkg, "dev-so")
 
-python populate_packages_prepend() {
+python populate_packages:prepend() {
     depmap = dict(pppd="ppp")
     multilib_prefix = (d.getVar("MLPREFIX") or "")
 
@@ -147,71 +154,72 @@ python populate_packages_prepend() {
 
 PACKAGES =+ "${PN}-tools ${PN}-tests ${PN}-client"
 
-FILES_${PN}-tools = "${bindir}/wispr"
-RDEPENDS_${PN}-tools ="${PN}"
+FILES:${PN}-tools = "${bindir}/wispr"
+RDEPENDS:${PN}-tools ="${PN}"
 
-FILES_${PN}-tests = "${bindir}/*-test"
+FILES:${PN}-tests = "${bindir}/*-test"
 
-FILES_${PN}-client = "${bindir}/connmanctl"
-RDEPENDS_${PN}-client ="${PN}"
+FILES:${PN}-client = "${bindir}/connmanctl"
+RDEPENDS:${PN}-client ="${PN}"
 
-FILES_${PN} = "${bindir}/* ${sbindir}/* ${libexecdir}/* ${libdir}/lib*.so.* \
+FILES:${PN} = "${bindir}/* ${sbindir}/* ${libexecdir}/* ${libdir}/lib*.so.* \
             ${libdir}/connman/plugins \
             ${sysconfdir} ${sharedstatedir} ${localstatedir} ${datadir} \
             ${base_bindir}/* ${base_sbindir}/* ${base_libdir}/*.so* ${datadir}/${PN} \
             ${datadir}/dbus-1/system-services/* \
             ${sysconfdir}/tmpfiles.d/connman_resolvconf.conf"
 
-FILES_${PN}-dev += "${libdir}/connman/*/*.la"
+FILES:${PN}-dev += "${libdir}/connman/*/*.la"
 
 PACKAGES =+ "${PN}-vpn ${PN}-wait-online"
 
-SUMMARY_${PN}-vpn = "A daemon for managing VPN connections within embedded devices"
-DESCRIPTION_${PN}-vpn = "The ConnMan VPN provides a daemon for \
+SUMMARY:${PN}-vpn = "A daemon for managing VPN connections within embedded devices"
+DESCRIPTION:${PN}-vpn = "The ConnMan VPN provides a daemon for \
 managing VPN connections within embedded devices running the Linux \
 operating system.  The connman-vpnd handles all the VPN connections \
 and starts/stops VPN client processes when necessary. The connman-vpnd \
 provides a DBus API for managing VPN connections. All the different \
 VPN technogies are implemented using plug-ins."
-FILES_${PN}-vpn += "${sbindir}/connman-vpnd \
+FILES:${PN}-vpn += "${sbindir}/connman-vpnd \
                     ${sysconfdir}/dbus-1/system.d/connman-vpn-dbus.conf \
                     ${datadir}/dbus-1/system-services/net.connman.vpn.service \
-                    ${systemd_unitdir}/system/connman-vpn.service"
+                    ${systemd_system_unitdir}/connman-vpn.service"
 
-SUMMARY_${PN}-wait-online = "A program that will return once ConnMan has connected to a network"
-DESCRIPTION_${PN}-wait-online = "A service that can be enabled so that \
+SUMMARY:${PN}-wait-online = "A program that will return once ConnMan has connected to a network"
+DESCRIPTION:${PN}-wait-online = "A service that can be enabled so that \
 the system waits until a network connection is established."
-FILES_${PN}-wait-online += "${sbindir}/connmand-wait-online \
-                            ${systemd_unitdir}/system/connman-wait-online.service"
+FILES:${PN}-wait-online += "${sbindir}/connmand-wait-online \
+                            ${systemd_system_unitdir}/connman-wait-online.service"
 
-SUMMARY_${PN}-plugin-vpn-openvpn = "An OpenVPN plugin for ConnMan VPN"
-DESCRIPTION_${PN}-plugin-vpn-openvpn = "The ConnMan OpenVPN plugin uses openvpn client \
+SUMMARY:${PN}-plugin-vpn-openvpn = "An OpenVPN plugin for ConnMan VPN"
+DESCRIPTION:${PN}-plugin-vpn-openvpn = "The ConnMan OpenVPN plugin uses openvpn client \
 to create a VPN connection to OpenVPN server."
-FILES_${PN}-plugin-vpn-openvpn += "${libdir}/connman/scripts/openvpn-script \
+FILES:${PN}-plugin-vpn-openvpn += "${libdir}/connman/scripts/openvpn-script \
                                    ${libdir}/connman/plugins-vpn/openvpn.so"
-RDEPENDS_${PN}-plugin-vpn-openvpn += "${PN}-vpn"
-RRECOMMENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','openvpn','${PN}-plugin-vpn-openvpn', '', d)}"
+RDEPENDS:${PN}-plugin-vpn-openvpn += "${PN}-vpn"
+RRECOMMENDS:${PN} += "${@bb.utils.contains('PACKAGECONFIG','openvpn','${PN}-plugin-vpn-openvpn', '', d)}"
 
-SUMMARY_${PN}-plugin-vpn-vpnc = "A vpnc plugin for ConnMan VPN"
-DESCRIPTION_${PN}-plugin-vpn-vpnc = "The ConnMan vpnc plugin uses vpnc client \
+SUMMARY:${PN}-plugin-vpn-vpnc = "A vpnc plugin for ConnMan VPN"
+DESCRIPTION:${PN}-plugin-vpn-vpnc = "The ConnMan vpnc plugin uses vpnc client \
 to create a VPN connection to Cisco3000 VPN Concentrator."
-FILES_${PN}-plugin-vpn-vpnc += "${libdir}/connman/scripts/openconnect-script \
-                                ${libdir}/connman/plugins-vpn/vpnc.so"
-RDEPENDS_${PN}-plugin-vpn-vpnc += "${PN}-vpn"
-RRECOMMENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','vpnc','${PN}-plugin-vpn-vpnc', '', d)}"
-
-SUMMARY_${PN}-plugin-vpn-l2tp = "A L2TP plugin for ConnMan VPN"
-DESCRIPTION_${PN}-plugin-vpn-l2tp = "The ConnMan L2TP plugin uses xl2tpd daemon \
+FILES:${PN}-plugin-vpn-vpnc += "${libdir}/connman/scripts/openconnect-script \
+                                ${libdir}/connman/plugins-vpn/vpnc.so \
+                                ${libdir}/connman/scripts/vpn-script"
+RDEPENDS:${PN}-plugin-vpn-vpnc += "${PN}-vpn"
+RRECOMMENDS:${PN} += "${@bb.utils.contains('PACKAGECONFIG','vpnc','${PN}-plugin-vpn-vpnc', '', d)}"
+
+SUMMARY:${PN}-plugin-vpn-l2tp = "A L2TP plugin for ConnMan VPN"
+DESCRIPTION:${PN}-plugin-vpn-l2tp = "The ConnMan L2TP plugin uses xl2tpd daemon \
 to create a VPN connection to L2TP server."
-FILES_${PN}-plugin-vpn-l2tp += "${libdir}/connman/scripts/libppp-plugin.so* \
+FILES:${PN}-plugin-vpn-l2tp += "${libdir}/connman/scripts/libppp-plugin.so* \
                                 ${libdir}/connman/plugins-vpn/l2tp.so"
-RDEPENDS_${PN}-plugin-vpn-l2tp += "${PN}-vpn"
-RRECOMMENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','l2tp','${PN}-plugin-vpn-l2tp', '', d)}"
+RDEPENDS:${PN}-plugin-vpn-l2tp += "${PN}-vpn"
+RRECOMMENDS:${PN} += "${@bb.utils.contains('PACKAGECONFIG','l2tp','${PN}-plugin-vpn-l2tp', '', d)}"
 
-SUMMARY_${PN}-plugin-vpn-pptp = "A PPTP plugin for ConnMan VPN"
-DESCRIPTION_${PN}-plugin-vpn-pptp = "The ConnMan PPTP plugin uses pptp-linux client \
+SUMMARY:${PN}-plugin-vpn-pptp = "A PPTP plugin for ConnMan VPN"
+DESCRIPTION:${PN}-plugin-vpn-pptp = "The ConnMan PPTP plugin uses pptp-linux client \
 to create a VPN connection to PPTP server."
-FILES_${PN}-plugin-vpn-pptp += "${libdir}/connman/scripts/libppp-plugin.so* \
+FILES:${PN}-plugin-vpn-pptp += "${libdir}/connman/scripts/libppp-plugin.so* \
                                 ${libdir}/connman/plugins-vpn/pptp.so"
-RDEPENDS_${PN}-plugin-vpn-pptp += "${PN}-vpn"
-RRECOMMENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','pptp','${PN}-plugin-vpn-pptp', '', d)}"
+RDEPENDS:${PN}-plugin-vpn-pptp += "${PN}-vpn"
+RRECOMMENDS:${PN} += "${@bb.utils.contains('PACKAGECONFIG','pptp','${PN}-plugin-vpn-pptp', '', d)}"
diff --git a/meta/recipes-connectivity/connman/connman/0001-gweb-fix-segfault-with-musl-v1.1.21.patch b/meta/recipes-connectivity/connman/connman/0001-gweb-fix-segfault-with-musl-v1.1.21.patch
deleted file mode 100644
index 30f1432cd3..0000000000
--- a/meta/recipes-connectivity/connman/connman/0001-gweb-fix-segfault-with-musl-v1.1.21.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From f0a8c69971b30ea7ca255bb885fdd1179fa5d298 Mon Sep 17 00:00:00 2001
-From: Nicola Lunghi <nick83ola@gmail.com>
-Date: Thu, 23 May 2019 07:55:25 +0100
-Subject: [PATCH] gweb: fix segfault with musl v1.1.21
-
-In musl > v1.1.21 freeaddrinfo() implementation changed and
-was causing a segmentation fault on recent Yocto using musl.
-
-See this commit:
-
- https://git.musl-libc.org/cgit/musl/commit/src/network/freeaddrinfo.c?id=d1395c43c019aec6b855cf3c656bf47c8a719e7f
-
-Upstream-Status: Submitted
----
- gweb/gweb.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/gweb/gweb.c b/gweb/gweb.c
-index 393afe0a..12fcb1d8 100644
---- a/gweb/gweb.c
-+++ b/gweb/gweb.c
-@@ -1274,7 +1274,8 @@ static bool is_ip_address(const char *host)
- 	addr = NULL;
- 
- 	result = getaddrinfo(host, NULL, &hints, &addr);
--	freeaddrinfo(addr);
-+	if(!result)
-+		freeaddrinfo(addr);
- 
- 	return result == 0;
- }
--- 
-2.19.1
-
diff --git a/meta/recipes-connectivity/connman/connman/0001-src-log.c-Include-libgen.h-for-basename-API.patch b/meta/recipes-connectivity/connman/connman/0001-src-log.c-Include-libgen.h-for-basename-API.patch
new file mode 100644
index 0000000000..8012606db7
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/0001-src-log.c-Include-libgen.h-for-basename-API.patch
@@ -0,0 +1,55 @@
+From cbba6638986c2de763981bf6fc59df6a86fed44f Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 1 Jan 2024 17:42:21 -0800
+Subject: [PATCH v2] src/log.c: Include libgen.h for basename API
+
+Use POSIX version of basename. This comes to front with latest musl
+which dropped the declaration from string.h [1] it fails to build with
+clang-17+ because it treats implicit function declaration as error.
+
+Fix it by applying the basename on a copy of string since posix version
+may modify the input string.
+
+[1] https://git.musl-libc.org/cgit/musl/commit/?id=725e17ed6dff4d0cd22487bb64470881e86a92e7
+
+Upstream-Status: Submitted [https://lore.kernel.org/connman/20240102015917.3732089-1-raj.khem@gmail.com/T/#u]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+
+ src/log.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/log.c b/src/log.c
+index 554b046..2df3af7 100644
+--- a/src/log.c
++++ b/src/log.c
+@@ -24,6 +24,7 @@
+ #endif
+ 
+ #include <stdio.h>
++#include <libgen.h>
+ #include <unistd.h>
+ #include <stdarg.h>
+ #include <stdlib.h>
+@@ -196,6 +197,7 @@ int __connman_log_init(const char *program, const char *debug,
+ 		const char *program_name, const char *program_version)
+ {
+ 	static char path[PATH_MAX];
++	char* tmp = strdup(program);
+ 	int option = LOG_NDELAY | LOG_PID;
+ 
+ 	program_exec = program;
+@@ -212,8 +214,8 @@ int __connman_log_init(const char *program, const char *debug,
+ 	if (backtrace)
+ 		signal_setup(signal_handler);
+ 
+-	openlog(basename(program), option, LOG_DAEMON);
+-
++	openlog(basename(tmp), option, LOG_DAEMON);
++	free(tmp);
+ 	syslog(LOG_INFO, "%s version %s", program_name, program_version);
+ 
+ 	return 0;
+-- 
+2.43.0
+
diff --git a/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch b/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch
new file mode 100644
index 0000000000..9e5ac8da15
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch
@@ -0,0 +1,152 @@
+From af55a6a414d32c12f9ef3cab778385a361e1ad6d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Eivind=20N=C3=A6ss?= <eivnaes@yahoo.com>
+Date: Sat, 25 Mar 2023 20:51:52 +0000
+Subject: [PATCH] vpn: Adding support for latest pppd 2.5.0 release
+
+The API has gone through a significant overhaul, and this change fixes any compile issues.
+1) Fixes to configure.ac itself
+2) Cleanup in pppd plugin itself
+
+Adding a libppp-compat.h file to mask for any differences in the version.
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a48864a2e5d2a725dfc6eef567108bc13b43857f]
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+
+---
+ scripts/libppp-compat.h | 127 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 127 insertions(+)
+ create mode 100644 scripts/libppp-compat.h
+
+diff --git a/scripts/libppp-compat.h b/scripts/libppp-compat.h
+new file mode 100644
+index 0000000..eee1d09
+--- /dev/null
++++ b/scripts/libppp-compat.h
+@@ -0,0 +1,127 @@
++/* Copyright (C) Eivind Naess, eivnaes@yahoo.com */
++/* SPDX-License-Identifier: GPL-2.0-or-later */
++
++#ifndef __LIBPPP_COMPAT_H__
++#define __LIBPPP_COMPAT_H__
++
++/* Define USE_EAPTLS compile with EAP TLS support against older pppd headers,
++ * pppd >= 2.5.0 use PPP_WITH_EAPTLS and is defined in pppdconf.h */
++#define USE_EAPTLS 1
++
++/* Define INET6 to compile with IPv6 support against older pppd headers,
++ * pppd >= 2.5.0 use PPP_WITH_IPV6CP and is defined in pppdconf.h */
++#define INET6 1
++
++/* PPP < 2.5.0 defines and exports VERSION which overlaps with current package VERSION define.
++ * this silly macro magic is to work around that. */
++#undef VERSION
++#include <pppd/pppd.h>
++
++#ifndef PPPD_VERSION
++#define PPPD_VERSION VERSION
++#endif
++
++#include <pppd/fsm.h>
++#include <pppd/ccp.h>
++#include <pppd/eui64.h>
++#include <pppd/ipcp.h>
++#include <pppd/ipv6cp.h>
++#include <pppd/eap.h>
++#include <pppd/upap.h>
++
++#ifdef HAVE_PPPD_CHAP_H
++#include <pppd/chap.h>
++#endif
++
++#ifdef HAVE_PPPD_CHAP_NEW_H
++#include <pppd/chap-new.h>
++#endif
++
++#ifdef HAVE_PPPD_CHAP_MS_H
++#include <pppd/chap_ms.h>
++#endif
++
++#ifndef PPP_PROTO_CHAP
++#define PPP_PROTO_CHAP 0xc223
++#endif 
++
++#ifndef PPP_PROTO_EAP
++#define PPP_PROTO_EAP  0xc227
++#endif
++
++
++#if WITH_PPP_VERSION < PPP_VERSION(2,5,0)
++
++static inline bool
++debug_on (void)
++{
++	return debug;
++}
++
++static inline const char
++*ppp_ipparam (void)
++{
++	return ipparam;
++}
++
++static inline int
++ppp_ifunit (void)
++{
++	return ifunit;
++}
++
++static inline const char *
++ppp_ifname (void)
++{
++	return ifname;
++}
++
++static inline int
++ppp_get_mtu (int idx)
++{
++	return netif_get_mtu(idx);
++}
++
++typedef enum ppp_notify
++{
++    NF_PID_CHANGE,
++    NF_PHASE_CHANGE,
++    NF_EXIT,
++    NF_SIGNALED,
++    NF_IP_UP,
++    NF_IP_DOWN,
++    NF_IPV6_UP,
++    NF_IPV6_DOWN,
++    NF_AUTH_UP,
++    NF_LINK_DOWN,
++    NF_FORK,
++    NF_MAX_NOTIFY
++} ppp_notify_t;
++
++typedef void (ppp_notify_fn) (void *ctx, int arg);
++
++static inline void
++ppp_add_notify (ppp_notify_t type, ppp_notify_fn *func, void *ctx)
++{
++	struct notifier **list[NF_MAX_NOTIFY] = {
++		[NF_PID_CHANGE  ] = &pidchange,
++		[NF_PHASE_CHANGE] = &phasechange,
++		[NF_EXIT        ] = &exitnotify,
++		[NF_SIGNALED    ] = &sigreceived,
++		[NF_IP_UP       ] = &ip_up_notifier,
++		[NF_IP_DOWN     ] = &ip_down_notifier,
++		[NF_IPV6_UP     ] = &ipv6_up_notifier,
++		[NF_IPV6_DOWN   ] = &ipv6_down_notifier,
++		[NF_AUTH_UP     ] = &auth_up_notifier,
++		[NF_LINK_DOWN   ] = &link_down_notifier,
++		[NF_FORK        ] = &fork_notifier,
++	};
++
++	struct notifier **notify = list[type];
++	if (notify) {
++		add_notifier(notify, func, ctx);
++	}
++}
++
++#endif /* #if WITH_PPP_VERSION < PPP_VERSION(2,5,0) */
++#endif /* #if__LIBPPP_COMPAT_H__ */
diff --git a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
index 639ccfa2a2..aefdd3aa06 100644
--- a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
+++ b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
@@ -1,7 +1,7 @@
-From 10b0d16d04b811b1ccd1f9b0cfe757bce8d876a1 Mon Sep 17 00:00:00 2001
+From 01974865e4d331eeaf25248bee1bb96539c450d9 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Mon, 6 Apr 2015 23:02:21 -0700
-Subject: [PATCH 2/3] resolve: musl does not implement res_ninit
+Subject: [PATCH] resolve: musl does not implement res_ninit
 
 ported from
 http://git.alpinelinux.org/cgit/aports/plain/testing/connman/libresolv.patch
@@ -9,23 +9,16 @@ http://git.alpinelinux.org/cgit/aports/plain/testing/connman/libresolv.patch
 Upstream-Status: Pending
 
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
 ---
- gweb/gresolv.c | 33 ++++++++++++---------------------
- 1 file changed, 12 insertions(+), 21 deletions(-)
+ gweb/gresolv.c | 34 +++++++++++++---------------------
+ 1 file changed, 13 insertions(+), 21 deletions(-)
 
 diff --git a/gweb/gresolv.c b/gweb/gresolv.c
-index 5cf7a9a..3ad8e70 100644
+index 954e7cf..2a9bc51 100644
 --- a/gweb/gresolv.c
 +++ b/gweb/gresolv.c
-@@ -36,6 +36,7 @@
- #include <arpa/inet.h>
- #include <arpa/nameser.h>
- #include <net/if.h>
-+#include <ctype.h>
- 
- #include "gresolv.h"
- 
-@@ -875,8 +875,6 @@ GResolv *g_resolv_new(int index)
+@@ -878,8 +879,6 @@ GResolv *g_resolv_new(int index)
  	resolv->index = index;
  	resolv->nameserver_list = NULL;
  
@@ -34,7 +27,7 @@ index 5cf7a9a..3ad8e70 100644
  	return resolv;
  }
  
-@@ -916,8 +914,6 @@ void g_resolv_unref(GResolv *resolv)
+@@ -919,8 +918,6 @@ void g_resolv_unref(GResolv *resolv)
  
  	flush_nameservers(resolv);
  
@@ -43,7 +36,7 @@ index 5cf7a9a..3ad8e70 100644
  	g_free(resolv);
  }
  
-@@ -1020,24 +1016,19 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
+@@ -1023,24 +1020,19 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
  	debug(resolv, "hostname %s", hostname);
  
  	if (!resolv->nameserver_list) {
@@ -80,6 +73,3 @@ index 5cf7a9a..3ad8e70 100644
  		}
  
  		if (!resolv->nameserver_list)
--- 
-2.5.1
-
diff --git a/meta/recipes-connectivity/connman/connman/connman b/meta/recipes-connectivity/connman/connman/connman
index c64fa0d715..a021fd4655 100644
--- a/meta/recipes-connectivity/connman/connman/connman
+++ b/meta/recipes-connectivity/connman/connman/connman
@@ -10,49 +10,11 @@ fi
 
 set -e
 
-nfsroot=0
-
-exec 9<&0 < /proc/mounts
-while read dev mtpt fstype rest; do
-	if test $mtpt = "/" ; then
-		case $fstype in
-		    nfs | nfs4)
-			nfsroot=1
-			break
-			;;
-		    *)
-			;;
-		esac
-	fi
-done
-
 do_start() {
-	EXTRA_PARAM=""
-	if test $nfsroot -eq 1 ; then
-	    NET_DEVS=`cat /proc/net/dev | sed -ne 's/^\([a-zA-Z0-9 ]*\):.*$/\1/p'`
-	    NET_ADDR=`cat /proc/cmdline | sed -ne 's/^.*ip=\([^ :]*\).*$/\1/p'`
-
-	    if [ ! -z "$NET_ADDR" ]; then
-		if [ "$NET_ADDR" = dhcp ]; then
-		    ethn=`ifconfig | grep "^eth" | sed -e "s/\(eth[0-9]\)\(.*\)/\1/"`
-		    if [ ! -z "$ethn" ]; then
-			EXTRA_PARAM="-I $ethn"
-		    fi
-		else
-		    for i in $NET_DEVS; do
-			ADDR=`ifconfig $i | sed 's/addr://g' | sed -ne 's/^.*inet \([0-9.]*\) .*$/\1/p'`
-			if [ "$NET_ADDR" = "$ADDR" ]; then
-			    EXTRA_PARAM="-I $i"
-			    break
-			fi
-		    done
-		fi
-	    fi
-	fi
 	if [ -f @DATADIR@/connman/wired-setup ] ; then
 		. @DATADIR@/connman/wired-setup
 	fi
-	$DAEMON $EXTRA_PARAM
+	$DAEMON
 }
 
 do_stop() {
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb
deleted file mode 100644
index 00852bf0d6..0000000000
--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-require connman.inc
-
-SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
-            file://0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch \
-            file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \
-            file://0001-gweb-fix-segfault-with-musl-v1.1.21.patch \
-            file://connman \
-            file://no-version-scripts.patch \
-"
-
-SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
-
-SRC_URI[md5sum] = "75012084f14fb63a84b116e66c6e94fb"
-SRC_URI[sha256sum] = "6ce29b3eb0bb16a7387bc609c39455fd13064bdcde5a4d185fab3a0c71946e16"
-
-RRECOMMENDS_${PN} = "connman-conf"
-RCONFLICTS_${PN} = "networkmanager"
diff --git a/meta/recipes-connectivity/connman/connman_1.42.bb b/meta/recipes-connectivity/connman/connman_1.42.bb
new file mode 100644
index 0000000000..91ab9895ac
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman_1.42.bb
@@ -0,0 +1,17 @@
+require connman.inc
+
+SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
+           file://0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch \
+           file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \
+           file://connman \
+           file://no-version-scripts.patch \
+           file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \
+           file://0001-src-log.c-Include-libgen.h-for-basename-API.patch \
+           "
+
+SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
+
+SRC_URI[sha256sum] = "a3e6bae46fc081ef2e9dae3caa4f7649de892c3de622c20283ac0ca81423c2aa"
+
+RRECOMMENDS:${PN} = "connman-conf"
+RCONFLICTS:${PN} = "networkmanager"
diff --git a/meta/recipes-connectivity/dhcp/dhcp.inc b/meta/recipes-connectivity/dhcp/dhcp.inc
deleted file mode 100644
index c4697beaf1..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp.inc
+++ /dev/null
@@ -1,148 +0,0 @@
-SECTION = "console/network"
-SUMMARY = "Internet Software Consortium DHCP package"
-DESCRIPTION = "DHCP (Dynamic Host Configuration Protocol) is a protocol \
-which allows individual devices on an IP network to get their own \
-network configuration information from a server.  DHCP helps make it \
-easier to administer devices."
-
-HOMEPAGE = "http://www.isc.org/"
-
-LICENSE = "ISC"
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=4;md5=004a4db50a1e20972e924a8618747c01"
-
-DEPENDS = "openssl bind"
-
-SRC_URI = "http://ftp.isc.org/isc/dhcp/${PV}/dhcp-${PV}.tar.gz \
-           file://init-relay file://default-relay \
-           file://init-server file://default-server \
-           file://dhclient.conf file://dhcpd.conf \
-           file://dhclient-systemd-wrapper \
-           file://dhclient.service \
-           file://dhcpd.service file://dhcrelay.service \
-           file://dhcpd6.service \
-           "
-UPSTREAM_CHECK_URI = "http://ftp.isc.org/isc/dhcp/"
-UPSTREAM_CHECK_REGEX = "(?P<pver>\d+\.\d+\.(\d+?))/"
-
-inherit autotools-brokensep systemd useradd update-rc.d
-
-USERADD_PACKAGES = "${PN}-server"
-USERADD_PARAM_${PN}-server = "--system --no-create-home --home-dir /var/run/${BPN} --shell /bin/false --user-group ${BPN}"
-
-SYSTEMD_PACKAGES = "${PN}-server ${PN}-relay ${PN}-client"
-SYSTEMD_SERVICE_${PN}-server = "dhcpd.service dhcpd6.service"
-SYSTEMD_AUTO_ENABLE_${PN}-server = "disable"
-
-SYSTEMD_SERVICE_${PN}-relay = "dhcrelay.service"
-SYSTEMD_AUTO_ENABLE_${PN}-relay = "disable"
-
-SYSTEMD_SERVICE_${PN}-client = "dhclient.service"
-SYSTEMD_AUTO_ENABLE_${PN}-client = "disable"
-
-INITSCRIPT_PACKAGES = "dhcp-server"
-INITSCRIPT_NAME_dhcp-server = "dhcp-server"
-INITSCRIPT_PARAMS_dhcp-server = "defaults"
-
-CFLAGS += "-D_GNU_SOURCE"
-EXTRA_OECONF = "--with-srv-lease-file=${localstatedir}/lib/dhcp/dhcpd.leases \
-                --with-srv6-lease-file=${localstatedir}/lib/dhcp/dhcpd6.leases \
-                --with-cli-lease-file=${localstatedir}/lib/dhcp/dhclient.leases \
-                --with-cli6-lease-file=${localstatedir}/lib/dhcp/dhclient6.leases \
-                --enable-paranoia --disable-static \
-                --with-randomdev=/dev/random \
-                --with-libbind=${STAGING_DIR_HOST} \
-		--enable-libtool \
-               "
-
-#Enable shared libs per dhcp README
-do_configure_prepend () {
-	cp configure.ac+lt configure.ac
-}
-
-do_install_append () {
-	install -d ${D}${sysconfdir}/init.d
-	install -d ${D}${sysconfdir}/default
-	install -d ${D}${sysconfdir}/dhcp
-	install -m 0755 ${WORKDIR}/init-relay ${D}${sysconfdir}/init.d/dhcp-relay
-	install -m 0644 ${WORKDIR}/default-relay ${D}${sysconfdir}/default/dhcp-relay
-	install -m 0755 ${WORKDIR}/init-server ${D}${sysconfdir}/init.d/dhcp-server
-	install -m 0644 ${WORKDIR}/default-server ${D}${sysconfdir}/default/dhcp-server
-
-	rm -f ${D}${sysconfdir}/dhclient.conf*
-	rm -f ${D}${sysconfdir}/dhcpd.conf*
-	install -m 0644 ${WORKDIR}/dhclient.conf ${D}${sysconfdir}/dhcp/dhclient.conf
-	install -m 0644 ${WORKDIR}/dhcpd.conf ${D}${sysconfdir}/dhcp/dhcpd.conf
-
-	install -d ${D}${base_sbindir}/
-	if [ "${sbindir}" != "${base_sbindir}" ]; then
-		mv ${D}${sbindir}/dhclient ${D}${base_sbindir}/
-	fi
-	install -m 0755 ${S}/client/scripts/linux ${D}${base_sbindir}/dhclient-script
-
-	# Install systemd unit files
-	install -d ${D}${systemd_unitdir}/system
-	install -m 0644 ${WORKDIR}/dhcpd.service ${D}${systemd_unitdir}/system
-	install -m 0644 ${WORKDIR}/dhcpd6.service ${D}${systemd_unitdir}/system
-	install -m 0644 ${WORKDIR}/dhcrelay.service ${D}${systemd_unitdir}/system
-	sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/dhcpd*.service ${D}${systemd_unitdir}/system/dhcrelay.service
-	sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' ${D}${systemd_unitdir}/system/dhcpd*.service
-	sed -i -e 's,@base_bindir@,${base_bindir},g' ${D}${systemd_unitdir}/system/dhcpd*.service
-	sed -i -e 's,@localstatedir@,${localstatedir},g' ${D}${systemd_unitdir}/system/dhcpd*.service
-	sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' ${D}${systemd_unitdir}/system/dhcrelay.service
-
-	install -d ${D}${base_sbindir}
-	install -m 0755 ${WORKDIR}/dhclient-systemd-wrapper ${D}${base_sbindir}/dhclient-systemd-wrapper
-	install -m 0644 ${WORKDIR}/dhclient.service ${D}${systemd_unitdir}/system
-	sed -i -e 's,@SYSCONFDIR@,${sysconfdir},g' ${D}${systemd_unitdir}/system/dhclient.service
-	sed -i -e 's,@BASE_SBINDIR@,${base_sbindir},g' ${D}${systemd_unitdir}/system/dhclient.service
-}
-
-PACKAGES += "dhcp-libs dhcp-server dhcp-server-config dhcp-client dhcp-relay dhcp-omshell"
-
-PACKAGES_remove = "${PN}"
-RDEPENDS_${PN}-dev = ""
-RDEPENDS_${PN}-staticdev = ""
-FILES_${PN}-libs = "${libdir}/libdhcpctl.so.0* ${libdir}/libomapi.so.0* ${libdir}/libdhcp.so.0*"
-
-FILES_${PN}-server = "${sbindir}/dhcpd ${sysconfdir}/init.d/dhcp-server"
-RRECOMMENDS_${PN}-server = "dhcp-server-config"
-
-FILES_${PN}-server-config = "${sysconfdir}/default/dhcp-server ${sysconfdir}/dhcp/dhcpd.conf"
-
-FILES_${PN}-relay = "${sbindir}/dhcrelay ${sysconfdir}/init.d/dhcp-relay ${sysconfdir}/default/dhcp-relay"
-
-FILES_${PN}-client = "${base_sbindir}/dhclient \
-                      ${base_sbindir}/dhclient-script \
-                      ${sysconfdir}/dhcp/dhclient.conf \
-                      ${base_sbindir}/dhclient-systemd-wrapper \
-                     "
-
-FILES_${PN}-omshell = "${bindir}/omshell"
-
-pkg_postinst_dhcp-server() {
-    mkdir -p $D/${localstatedir}/lib/dhcp
-    touch $D/${localstatedir}/lib/dhcp/dhcpd.leases
-    touch $D/${localstatedir}/lib/dhcp/dhcpd6.leases
-}
-
-pkg_postinst_dhcp-client() {
-    mkdir -p $D/${localstatedir}/lib/dhcp
-}
-
-pkg_postrm_dhcp-server() {
-    rm -f $D/${localstatedir}/lib/dhcp/dhcpd.leases
-    rm -f $D/${localstatedir}/lib/dhcp/dhcpd6.leases
-
-    if ! rmdir $D/${localstatedir}/lib/dhcp 2>/dev/null; then
-        echo "Not removing ${localstatedir}/lib/dhcp as it is non-empty."
-    fi
-}
-
-pkg_postrm_dhcp-client() {
-    rm -f $D/${localstatedir}/lib/dhcp/dhclient.leases
-    rm -f $D/${localstatedir}/lib/dhcp/dhclient6.leases
-
-    if ! rmdir $D/${localstatedir}/lib/dhcp 2>/dev/null; then
-        echo "Not removing ${localstatedir}/lib/dhcp as it is non-empty."
-    fi
-}
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0001-Fix-a-NSUPDATE-compiling-issue.patch b/meta/recipes-connectivity/dhcp/dhcp/0001-Fix-a-NSUPDATE-compiling-issue.patch
deleted file mode 100644
index f12a112fcf..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0001-Fix-a-NSUPDATE-compiling-issue.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From a59cb98a473caa2afd64d7ae368480b6e9f91b3f Mon Sep 17 00:00:00 2001
-From: Ming Liu <liu.ming50@gmail.com>
-Date: Tue, 14 May 2019 11:07:15 +0200
-Subject: [PATCH] Fix a NSUPDATE compiling issue
-
-Upstream-Status: Pending [Patch sent to: https://gitlab.isc.org/isc-projects/dhcp/issues/16]
-
-A following error was observed when NSUPDATE is not defined:
-| omapip/isclib.c: In function 'dns_client_init':
-| omapip/isclib.c:356:18: error: 'dhcp_context_t {aka struct dhcp_context}' has no member named 'dnsclient'
-|   if (dhcp_gbl_ctx.dnsclient == NULL) {
-|                   ^
-| omapip/isclib.c:363:24: error: 'dhcp_context_t {aka struct dhcp_context}' has no member named 'dnsclient'
-|            &dhcp_gbl_ctx.dnsclient,
-|                         ^
-| omapip/isclib.c:364:24: error: 'dhcp_context_t {aka struct dhcp_context}' has no member named 'use_local4'
-|            (dhcp_gbl_ctx.use_local4 ?
-|                         ^
-| omapip/isclib.c:365:25: error: 'dhcp_context_t {aka struct dhcp_context}' has no member named 'local4_sockaddr'
-|             &dhcp_gbl_ctx.local4_sockaddr
-|                          ^
-| omapip/isclib.c:367:24: error: 'dhcp_context_t {aka struct dhcp_context}' has no member named 'use_local6'
-|            (dhcp_gbl_ctx.use_local6 ?
-|                         ^
-| omapip/isclib.c:368:25: error: 'dhcp_context_t {aka struct dhcp_context}' has no member named 'local6_sockaddr'
-|             &dhcp_gbl_ctx.local6_sockaddr
-
-Fix it by adding NSUPDATE conditional checking.
-
-Signed-off-by: Ming Liu <liu.ming50@gmail.com>
----
- includes/omapip/isclib.h | 2 ++
- omapip/isclib.c          | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
-index 538b927..6c20584 100644
---- a/includes/omapip/isclib.h
-+++ b/includes/omapip/isclib.h
-@@ -141,6 +141,8 @@ void isclib_cleanup(void);
- void dhcp_signal_handler(int signal);
- extern int shutdown_signal;
- 
-+#if defined (NSUPDATE)
- isc_result_t dns_client_init();
-+#endif
- 
- #endif /* ISCLIB_H */
-diff --git a/omapip/isclib.c b/omapip/isclib.c
-index db3b895..ce4b4a1 100644
---- a/omapip/isclib.c
-+++ b/omapip/isclib.c
-@@ -351,6 +351,7 @@ void dhcp_signal_handler(int signal) {
- 	}
- }
- 
-+#if defined (NSUPDATE)
- isc_result_t dns_client_init() {
- 	isc_result_t result;
- 	if (dhcp_gbl_ctx.dnsclient == NULL) {
-@@ -387,3 +388,4 @@ isc_result_t dns_client_init() {
- 
- 	return ISC_R_SUCCESS;
- }
-+#endif
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.patch b/meta/recipes-connectivity/dhcp/dhcp/0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.patch
deleted file mode 100644
index d1b57f0bb4..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 7cc29144535a622fc671dc86eb1da65b0473a7c4 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 15 Aug 2017 16:14:22 +0800
-Subject: [PATCH 01/11] define macro _PATH_DHCPD_CONF and _PATH_DHCLIENT_CONF
-
-Upstream-Status: Inappropriate [OE specific]
-
-Rebase to 4.3.6
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- includes/site.h | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-Index: dhcp-4.4.1/includes/site.h
-===================================================================
---- dhcp-4.4.1.orig/includes/site.h
-+++ dhcp-4.4.1/includes/site.h
-@@ -148,7 +148,8 @@
- /* Define this if you want the dhcpd.conf file to go somewhere other than
-    the default location.   By default, it goes in /etc/dhcpd.conf. */
- 
--/* #define _PATH_DHCPD_CONF	"/etc/dhcpd.conf" */
-+#define _PATH_DHCPD_CONF	"/etc/dhcp/dhcpd.conf"
-+#define _PATH_DHCLIENT_CONF	"/etc/dhcp/dhclient.conf"
- 
- /* Network API definitions.   You do not need to choose one of these - if
-    you don't choose, one will be chosen for you in your system's config
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0001-master-Added-includes-of-new-BIND9-compatibility-hea.patch b/meta/recipes-connectivity/dhcp/dhcp/0001-master-Added-includes-of-new-BIND9-compatibility-hea.patch
deleted file mode 100644
index 1bc1422475..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0001-master-Added-includes-of-new-BIND9-compatibility-hea.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 8194daabfd590f17825f0c61e9534bee5c99cc86 Mon Sep 17 00:00:00 2001
-From: Thomas Markwalder <tmark@isc.org>
-Date: Fri, 14 Sep 2018 13:41:41 -0400
-Subject: [master] Added includes of new BIND9 compatibility headers
-
-    Merges in rt48072.
-
-Upstream-Status: Backport
-Signed-off-by: Adrian Bunk <bunk@stusta.de>
-
-diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
-index 75a87ff6..538b927f 100644
---- a/includes/omapip/isclib.h
-+++ b/includes/omapip/isclib.h
-@@ -48,6 +48,9 @@
- #include <string.h>
- #include <netdb.h>
- 
-+#include <isc/boolean.h>
-+#include <isc/int.h>
-+
- #include <isc/buffer.h>
- #include <isc/lex.h>
- #include <isc/lib.h>
-diff --git a/includes/omapip/result.h b/includes/omapip/result.h
-index 91243e1b..860298f6 100644
---- a/includes/omapip/result.h
-+++ b/includes/omapip/result.h
-@@ -26,6 +26,7 @@
- #ifndef DHCP_RESULT_H
- #define DHCP_RESULT_H 1
- 
-+#include <isc/boolean.h>
- #include <isc/lang.h>
- #include <isc/resultclass.h>
- #include <isc/types.h>
-diff --git a/server/dhcpv6.c b/server/dhcpv6.c
-index a7110f98..cde4f617 100644
---- a/server/dhcpv6.c
-+++ b/server/dhcpv6.c
-@@ -1034,7 +1034,8 @@ void check_pool6_threshold(struct reply_state *reply,
- 				  shared_name,
- 				  inet_ntop(AF_INET6, &lease->addr,
- 					    tmp_addr, sizeof(tmp_addr)),
--				  used, count);
-+				  (long long unsigned)(used),
-+				  (long long unsigned)(count));
- 		}
- 		return;
- 	}
-@@ -1066,7 +1067,8 @@ void check_pool6_threshold(struct reply_state *reply,
- 		  "address: %s; high threshold %d%% %llu/%llu.",
- 		  shared_name,
- 		  inet_ntop(AF_INET6, &lease->addr, tmp_addr, sizeof(tmp_addr)),
--		  poolhigh, used, count);
-+		  poolhigh, (long long unsigned)(used),
-+		  (long long unsigned)(count));
- 
- 	/* handle the low threshold now, if we don't
- 	 * have one we default to 0. */
-@@ -1436,12 +1438,15 @@ pick_v6_address(struct reply_state *reply)
- 		log_debug("Unable to pick client address: "
- 			  "no addresses available  - shared network %s: "
- 			  " 2^64-1 < total, %llu active,  %llu abandoned",
--			  shared_name, active - abandoned, abandoned);
-+			  shared_name, (long long unsigned)(active - abandoned),
-+			  (long long unsigned)(abandoned));
- 	} else {
- 		log_debug("Unable to pick client address: "
- 			  "no addresses available  - shared network %s: "
- 			  "%llu total, %llu active,  %llu abandoned",
--			  shared_name, total, active - abandoned, abandoned);
-+			  shared_name, (long long unsigned)(total),
-+			  (long long unsigned)(active - abandoned),
-+		          (long long unsigned)(abandoned));
- 	}
- 
- 	return ISC_R_NORESOURCES;
-
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0001-workaround-busybox-limitation-in-linux-dhclient-script.patch b/meta/recipes-connectivity/dhcp/dhcp/0001-workaround-busybox-limitation-in-linux-dhclient-script.patch
deleted file mode 100644
index 2359381b93..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0001-workaround-busybox-limitation-in-linux-dhclient-script.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From eec0503cfc36f63d777f5cb3f2719cecedcb8468 Mon Sep 17 00:00:00 2001
-From: Haris Okanovic <haris.okanovic@ni.com>
-Date: Mon, 7 Jan 2019 13:22:09 -0600
-Subject: [PATCH] Workaround busybox limitation in Linux dhclient-script
-
-Busybox is a lightweight implementation of coreutils commonly used on
-space-constrained embedded Linux distributions. It's implementation of
-chown and chmod doesn't provide a "--reference" option added to
-client/scripts/linux as of commit 9261cb14. This change works around
-that limitation by using stat to read ownership and permissions flags
-and simple chown/chmod calls supported in both coreutils and busybox.
-
-    modified:   client/scripts/linux
-
-Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
-Upstream-Status: Pending [ISC-Bugs #48771]
----
- client/scripts/linux | 17 +++++++++++++----
- 1 file changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/client/scripts/linux b/client/scripts/linux
-index 0c429697..2435a44b 100755
---- a/client/scripts/linux
-+++ b/client/scripts/linux
-@@ -32,6 +32,17 @@
- # if your system holds ip tool in a non-standard location.
- ip=/sbin/ip
- 
-+chown_chmod_by_reference() {
-+    local reference_file="$1"
-+    local target_file="$2"
-+
-+    local owner=$(stat -c "%u:%g" "$reference_file")
-+    local perm=$(stat -c "%a" "$reference_file")
-+
-+    chown "$owner" "$target_file"
-+    chmod "$perm" "$target_file"
-+}
-+
- # update /etc/resolv.conf based on received values
- # This updated version mostly follows Debian script by Andrew Pollock et al.
- make_resolv_conf() {
-@@ -74,8 +85,7 @@ make_resolv_conf() {
-         fi
- 
- 	if [ -f /etc/resolv.conf ]; then
--	    chown --reference=/etc/resolv.conf $new_resolv_conf
--	    chmod --reference=/etc/resolv.conf $new_resolv_conf
-+	    chown_chmod_by_reference /etc/resolv.conf $new_resolv_conf
- 	fi
-         mv -f $new_resolv_conf /etc/resolv.conf
-     # DHCPv6
-@@ -101,8 +111,7 @@ make_resolv_conf() {
-         fi
- 
- 	if [ -f /etc/resolv.conf ]; then
--            chown --reference=/etc/resolv.conf $new_resolv_conf
--            chmod --reference=/etc/resolv.conf $new_resolv_conf
-+	    chown_chmod_by_reference /etc/resolv.conf $new_resolv_conf
- 	fi
-         mv -f $new_resolv_conf /etc/resolv.conf
-     fi
--- 
-2.20.0
-
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0002-dhclient-dbus.patch b/meta/recipes-connectivity/dhcp/dhcp/0002-dhclient-dbus.patch
deleted file mode 100644
index 101c33f677..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0002-dhclient-dbus.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From be7540d31c356e80ee02e90e8bf162b7ac6e5ba5 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 15 Aug 2017 14:56:56 +0800
-Subject: [PATCH 02/11] dhclient dbus
-
-Upstream-Status: Inappropriate [distribution]
-
-Rebase to 4.3.6
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- client/scripts/bsdos   | 5 +++++
- client/scripts/freebsd | 5 +++++
- client/scripts/linux   | 5 +++++
- client/scripts/netbsd  | 5 +++++
- client/scripts/openbsd | 5 +++++
- client/scripts/solaris | 5 +++++
- 6 files changed, 30 insertions(+)
-
-diff --git a/client/scripts/bsdos b/client/scripts/bsdos
-index d69d0d8..095b143 100755
---- a/client/scripts/bsdos
-+++ b/client/scripts/bsdos
-@@ -45,6 +45,11 @@ exit_with_hooks() {
-     . /etc/dhclient-exit-hooks
-   fi
- # probably should do something with exit status of the local script
-+  if [ x$dhc_dbus != x -a $exit_status -eq 0 ]; then
-+    dbus-send --system --dest=com.redhat.dhcp \
-+      --type=method_call /com/redhat/dhcp/$interface com.redhat.dhcp.set \
-+      'string:'"`env | grep -Ev '^(PATH|SHLVL|_|PWD|dhc_dbus)\='`"
-+  fi
-   exit $exit_status
- }
- 
-diff --git a/client/scripts/freebsd b/client/scripts/freebsd
-index 8f3e2a2..ad7fb44 100755
---- a/client/scripts/freebsd
-+++ b/client/scripts/freebsd
-@@ -89,6 +89,11 @@ exit_with_hooks() {
-     . /etc/dhclient-exit-hooks
-   fi
- # probably should do something with exit status of the local script
-+  if [ x$dhc_dbus != x -a $exit_status -eq 0 ]; then
-+    dbus-send --system --dest=com.redhat.dhcp \
-+      --type=method_call /com/redhat/dhcp/$interface com.redhat.dhcp.set \
-+      'string:'"`env | grep -Ev '^(PATH|SHLVL|_|PWD|dhc_dbus)\='`"
-+  fi
-   exit $exit_status
- }
- 
-diff --git a/client/scripts/linux b/client/scripts/linux
-index 5fb1612..3d447b6 100755
---- a/client/scripts/linux
-+++ b/client/scripts/linux
-@@ -174,6 +174,11 @@ exit_with_hooks() {
-         exit_status=$?
-     fi
- 
-+    if [ x$dhc_dbus != x -a $exit_status -eq 0 ]; then
-+        dbus-send --system --dest=com.redhat.dhcp \
-+           --type=method_call /com/redhat/dhcp/$interface com.redhat.dhcp.set \
-+           'string:'"`env | grep -Ev '^(PATH|SHLVL|_|PWD|dhc_dbus)\='`"
-+    fi
-     exit $exit_status
- }
- 
-diff --git a/client/scripts/netbsd b/client/scripts/netbsd
-index 07383b7..aaba8e8 100755
---- a/client/scripts/netbsd
-+++ b/client/scripts/netbsd
-@@ -45,6 +45,11 @@ exit_with_hooks() {
-     . /etc/dhclient-exit-hooks
-   fi
- # probably should do something with exit status of the local script
-+  if [ x$dhc_dbus != x -a $exit_status -eq 0 ]; then
-+    dbus-send --system --dest=com.redhat.dhcp \
-+      --type=method_call /com/redhat/dhcp/$interface com.redhat.dhcp.set \
-+      'string:'"`env | grep -Ev '^(PATH|SHLVL|_|PWD|dhc_dbus)\='`"
-+  fi
-   exit $exit_status
- }
- 
-diff --git a/client/scripts/openbsd b/client/scripts/openbsd
-index e7f4746..56b980c 100644
---- a/client/scripts/openbsd
-+++ b/client/scripts/openbsd
-@@ -45,6 +45,11 @@ exit_with_hooks() {
-     . /etc/dhclient-exit-hooks
-   fi
- # probably should do something with exit status of the local script
-+  if [ x$dhc_dbus != x -a $exit_status -eq 0 ]; then
-+    dbus-send --system --dest=com.redhat.dhcp \
-+      --type=method_call /com/redhat/dhcp/$interface com.redhat.dhcp.set \
-+      'string:'"`env | grep -Ev '^(PATH|SHLVL|_|PWD|dhc_dbus)\='`"
-+  fi
-   exit $exit_status
- }
- 
-diff --git a/client/scripts/solaris b/client/scripts/solaris
-index af553b9..4a2aa69 100755
---- a/client/scripts/solaris
-+++ b/client/scripts/solaris
-@@ -26,6 +26,11 @@ exit_with_hooks() {
-     . /etc/dhclient-exit-hooks
-   fi
- # probably should do something with exit status of the local script
-+  if [ x$dhc_dbus != x -a $exit_status -eq 0 ]; then
-+    dbus-send --system --dest=com.redhat.dhcp \
-+      --type=method_call /com/redhat/dhcp/$interface com.redhat.dhcp.set \
-+      'string:'"`env | grep -Ev '^(PATH|SHLVL|_|PWD|dhc_dbus)\='`"
-+  fi
-   exit $exit_status
- }
- 
--- 
-1.8.3.1
-
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0003-link-with-lcrypto.patch b/meta/recipes-connectivity/dhcp/dhcp/0003-link-with-lcrypto.patch
deleted file mode 100644
index 5b35933a54..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0003-link-with-lcrypto.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From d80bd792323dbd56269309f85b4506eb6b1b60e9 Mon Sep 17 00:00:00 2001
-From: Andrei Gherzan <andrei@gherzan.ro>
-Date: Tue, 15 Aug 2017 15:05:47 +0800
-Subject: [PATCH 03/11] link with lcrypto
-
-From 4.2.0 final release, -lcrypto check was removed and we compile
-static libraries
-from bind that are linked to libcrypto. This is why i added a patch in
-order to add
--lcrypto to LIBS.
-
-Upstream-Status: Pending
-Signed-off-by: Andrei Gherzan <andrei@gherzan.ro>
-
-Rebase to 4.3.6
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- configure.ac | 4 ++++
- 1 file changed, 4 insertions(+)
-
-Index: dhcp-4.4.1/configure.ac
-===================================================================
---- dhcp-4.4.1.orig/configure.ac
-+++ dhcp-4.4.1/configure.ac
-@@ -612,6 +612,10 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]],
- # Look for optional headers.
- AC_CHECK_HEADERS(sys/socket.h net/if_dl.h net/if6.h regex.h)
- 
-+# find an MD5 library
-+AC_SEARCH_LIBS(MD5_Init, [crypto])
-+AC_SEARCH_LIBS(MD5Init, [crypto])
-+
- # Solaris needs some libraries for functions
- AC_SEARCH_LIBS(socket, [socket])
- AC_SEARCH_LIBS(inet_ntoa, [nsl])
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0004-Fix-out-of-tree-builds.patch b/meta/recipes-connectivity/dhcp/dhcp/0004-Fix-out-of-tree-builds.patch
deleted file mode 100644
index b71c93dd6d..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0004-Fix-out-of-tree-builds.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From cccec0344d68dac4100b6f260ee24e7c2da9dfda Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 15 Aug 2017 15:08:22 +0800
-Subject: [PATCH 04/11] Fix out of tree builds
-
-Upstream-Status: Pending
-
-RP 2013/03/21
-
-Rebase to 4.3.6
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- client/Makefile.am  | 4 ++--
- common/Makefile.am  | 3 ++-
- dhcpctl/Makefile.am | 2 ++
- omapip/Makefile.am  | 1 +
- relay/Makefile.am   | 2 +-
- server/Makefile.am  | 2 +-
- 6 files changed, 9 insertions(+), 5 deletions(-)
-
-Index: dhcp-4.4.1/common/Makefile.am
-===================================================================
---- dhcp-4.4.1.orig/common/Makefile.am
-+++ dhcp-4.4.1/common/Makefile.am
-@@ -1,4 +1,5 @@
--AM_CPPFLAGS = -I$(top_srcdir) -DLOCALSTATEDIR='"@localstatedir@"'
-+AM_CPPFLAGS = -I$(top_srcdir)/includes -I$(top_srcdir) -DLOCALSTATEDIR='"@localstatedir@"'
-+
- AM_CFLAGS = $(LDAP_CFLAGS)
- 
- lib_LIBRARIES = libdhcp.a
-Index: dhcp-4.4.1/dhcpctl/Makefile.am
-===================================================================
---- dhcp-4.4.1.orig/dhcpctl/Makefile.am
-+++ dhcp-4.4.1/dhcpctl/Makefile.am
-@@ -3,6 +3,8 @@ BINDLIBDNSDIR=@BINDLIBDNSDIR@
- BINDLIBISCCFGDIR=@BINDLIBISCCFGDIR@
- BINDLIBISCDIR=@BINDLIBISCDIR@
- 
-+AM_CPPFLAGS = -I$(top_srcdir)/includes -I$(top_srcdir)
-+
- bin_PROGRAMS = omshell
- lib_LIBRARIES = libdhcpctl.a
- noinst_PROGRAMS = cltest
-Index: dhcp-4.4.1/server/Makefile.am
-===================================================================
---- dhcp-4.4.1.orig/server/Makefile.am
-+++ dhcp-4.4.1/server/Makefile.am
-@@ -4,7 +4,7 @@
- # production code. Sadly, we are not there yet.
- SUBDIRS = . tests
- 
--AM_CPPFLAGS = -I.. -DLOCALSTATEDIR='"@localstatedir@"'
-+AM_CPPFLAGS = -I$(top_srcdir) -DLOCALSTATEDIR='"@localstatedir@"' -I$(top_srcdir)/includes
- 
- dist_sysconf_DATA = dhcpd.conf.example
- sbin_PROGRAMS = dhcpd
-Index: dhcp-4.4.1/client/Makefile.am
-===================================================================
---- dhcp-4.4.1.orig/client/Makefile.am
-+++ dhcp-4.4.1/client/Makefile.am
-@@ -5,7 +5,7 @@
- SUBDIRS = . tests
- 
- AM_CPPFLAGS = -DCLIENT_PATH='"PATH=$(sbindir):/sbin:/bin:/usr/sbin:/usr/bin"'
--AM_CPPFLAGS += -DLOCALSTATEDIR='"$(localstatedir)"'
-+AM_CPPFLAGS += -DLOCALSTATEDIR='"$(localstatedir)"' -I$(top_srcdir)/includes
- 
- dist_sysconf_DATA = dhclient.conf.example
- sbin_PROGRAMS = dhclient
-Index: dhcp-4.4.1/omapip/Makefile.am
-===================================================================
---- dhcp-4.4.1.orig/omapip/Makefile.am
-+++ dhcp-4.4.1/omapip/Makefile.am
-@@ -2,6 +2,7 @@ BINDLIBIRSDIR=@BINDLIBIRSDIR@
- BINDLIBDNSDIR=@BINDLIBDNSDIR@
- BINDLIBISCCFGDIR=@BINDLIBISCCFGDIR@
- BINDLIBISCDIR=@BINDLIBISCDIR@
-+AM_CPPFLAGS = -I$(top_srcdir)/includes
- 
- lib_LIBRARIES = libomapi.a
- noinst_PROGRAMS = svtest
-Index: dhcp-4.4.1/relay/Makefile.am
-===================================================================
---- dhcp-4.4.1.orig/relay/Makefile.am
-+++ dhcp-4.4.1/relay/Makefile.am
-@@ -1,4 +1,4 @@
--AM_CPPFLAGS = -DLOCALSTATEDIR='"@localstatedir@"'
-+AM_CPPFLAGS = -DLOCALSTATEDIR='"@localstatedir@"' -I$(top_srcdir)/includes
- 
- sbin_PROGRAMS = dhcrelay
- dhcrelay_SOURCES = dhcrelay.c
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0005-dhcp-client-fix-invoke-dhclient-script-failed-on-Rea.patch b/meta/recipes-connectivity/dhcp/dhcp/0005-dhcp-client-fix-invoke-dhclient-script-failed-on-Rea.patch
deleted file mode 100644
index dd56381b1d..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0005-dhcp-client-fix-invoke-dhclient-script-failed-on-Rea.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 2e8ff0e4f6d39e346ea86b8c514ab4ccc78fa359 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 15 Aug 2017 15:24:14 +0800
-Subject: [PATCH 05/11] dhcp-client: fix invoke dhclient-script failed on
- Read-only file system
-
-In read-only file system, '/etc' is on the readonly partition,
-and '/etc/resolv.conf' is symlinked to a separate writable
-partition.
-
-In this situation, we create temp files 'resolv.conf.dhclient-new'
-in /tmp dir.
-
-Upstream-Status: Pending
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- client/scripts/linux | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/client/scripts/linux b/client/scripts/linux
-index 3d447b6..3122a75 100755
---- a/client/scripts/linux
-+++ b/client/scripts/linux
-@@ -40,7 +40,7 @@ make_resolv_conf() {
-     # DHCPv4
-     if [ -n "$new_domain_search" ] || [ -n "$new_domain_name" ] ||
-        [ -n "$new_domain_name_servers" ]; then
--        new_resolv_conf=/etc/resolv.conf.dhclient-new
-+        new_resolv_conf=/tmp/resolv.conf.dhclient-new
-         rm -f $new_resolv_conf
- 
-         if [ -n "$new_domain_name" ]; then
--- 
-1.8.3.1
-
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0007-Add-configure-argument-to-make-the-libxml2-dependenc.patch b/meta/recipes-connectivity/dhcp/dhcp/0007-Add-configure-argument-to-make-the-libxml2-dependenc.patch
deleted file mode 100644
index feb0754fff..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0007-Add-configure-argument-to-make-the-libxml2-dependenc.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 7107511fd209f08f9a96f8938041ae48f3295895 Mon Sep 17 00:00:00 2001
-From: Christopher Larson <chris_larson@mentor.com>
-Date: Tue, 15 Aug 2017 16:17:49 +0800
-Subject: [PATCH 07/11] Add configure argument to make the libxml2 dependency
- explicit and determinisitic.
-
-Upstream-Status: Pending
-
-Signed-off-by: Christopher Larson <chris_larson@mentor.com>
-
-Rebase to 4.3.6
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- configure.ac | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-Index: dhcp-4.4.1/configure.ac
-===================================================================
---- dhcp-4.4.1.orig/configure.ac
-+++ dhcp-4.4.1/configure.ac
-@@ -642,6 +642,17 @@ if test "$have_nanosleep" = "rt"; then
- 	LIBS="-lrt $LIBS"
- fi
- 
-+AC_ARG_WITH(libxml2,
-+	AS_HELP_STRING([--with-libxml2], [link against libxml2. this is needed if bind was built with xml2 support enabled]),
-+	with_libxml2="$withval", with_libxml2="no")
-+
-+if test x$with_libxml2 != xno; then
-+	AC_SEARCH_LIBS(xmlTextWriterStartElement, [xml2],
-+		[if test x$with_libxml2 != xauto; then
-+			AC_MSG_FAILURE([*** Cannot find xmlTextWriterStartElement with -lxml2 and libxml2 was requested])
-+		fi])
-+fi
-+
- # check for /dev/random (declares HAVE_DEV_RANDOM)
- AC_MSG_CHECKING(for random device)
- AC_ARG_WITH(randomdev,
-Index: dhcp-4.4.1/configure.ac+lt
-===================================================================
---- dhcp-4.4.1.orig/configure.ac+lt
-+++ dhcp-4.4.1/configure.ac+lt
-@@ -909,6 +909,18 @@ elif test "$want_libtool" = "yes" -a "$u
- fi
- AM_CONDITIONAL(INSTALL_BIND, test "$want_install_bind" = "yes")
- 
-+AC_ARG_WITH(libxml2,
-+	AS_HELP_STRING([--with-libxml2], [link against libxml2. this is needed if bind was built with xml2 support enabled]),
-+	with_libxml2="$withval", with_libxml2="no")
-+
-+if test x$with_libxml2 != xno; then
-+	AC_SEARCH_LIBS(xmlTextWriterStartElement, [xml2],,
-+		[if test x$with_libxml2 != xauto; then
-+			AC_MSG_FAILURE([*** Cannot find xmlTextWriterStartElement with -lxml2 and libxml2 was requested])
-+		fi])
-+fi
-+
-+
- # OpenLDAP support.
- AC_ARG_WITH(ldap,
-     AS_HELP_STRING([--with-ldap],[enable OpenLDAP support in dhcpd (default is no)]),
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0009-remove-dhclient-script-bash-dependency.patch b/meta/recipes-connectivity/dhcp/dhcp/0009-remove-dhclient-script-bash-dependency.patch
deleted file mode 100644
index 912b6d6312..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0009-remove-dhclient-script-bash-dependency.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From f3f8b7726e50e24ef3edf5fa5a17e31d39118d7e Mon Sep 17 00:00:00 2001
-From: Andre McCurdy <armccurdy@gmail.com>
-Date: Tue, 15 Aug 2017 15:49:31 +0800
-Subject: [PATCH 09/11] remove dhclient-script bash dependency
-
-Upstream-Status: Inappropriate [OE specific]
-
-Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
-
-Rebase to 4.3.6
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- client/scripts/linux | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/client/scripts/linux b/client/scripts/linux
-index 3122a75..1712d7d 100755
---- a/client/scripts/linux
-+++ b/client/scripts/linux
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/bin/sh
- # dhclient-script for Linux. Dan Halbert, March, 1997.
- # Updated for Linux 2.[12] by Brian J. Murrell, January 1999.
- # No guarantees about this. I'm a novice at the details of Linux
--- 
-1.8.3.1
-
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0012-dhcp-correct-the-intention-for-xml2-lib-search.patch b/meta/recipes-connectivity/dhcp/dhcp/0012-dhcp-correct-the-intention-for-xml2-lib-search.patch
deleted file mode 100644
index 39ba65fbc4..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0012-dhcp-correct-the-intention-for-xml2-lib-search.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 501543b3ef715488a142e3d301ff2733aa33eec7 Mon Sep 17 00:00:00 2001
-From: Awais Belal <awais_belal@mentor.com>
-Date: Wed, 25 Oct 2017 21:00:05 +0500
-Subject: [PATCH] dhcp: correct the intention for xml2 lib search
-
-A missing case breaks the build when libxml2 is
-required and found appropriately. The third argument
-to the function AC_SEARCH_LIB is action-if-found which
-was mistakenly been used for the case where the library
-is not found and hence breaks the configure phase
-where it shoud actually pass.
-We now pass on silently when action-if-found is
-executed.
-
-Upstream-Status: Pending
-
-Signed-off-by: Awais Belal <awais_belal@mentor.com>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: dhcp-4.4.1/configure.ac
-===================================================================
---- dhcp-4.4.1.orig/configure.ac
-+++ dhcp-4.4.1/configure.ac
-@@ -647,7 +647,7 @@ AC_ARG_WITH(libxml2,
- 	with_libxml2="$withval", with_libxml2="no")
- 
- if test x$with_libxml2 != xno; then
--	AC_SEARCH_LIBS(xmlTextWriterStartElement, [xml2],
-+	AC_SEARCH_LIBS(xmlTextWriterStartElement, [xml2],,
- 		[if test x$with_libxml2 != xauto; then
- 			AC_MSG_FAILURE([*** Cannot find xmlTextWriterStartElement with -lxml2 and libxml2 was requested])
- 		fi])
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0013-fixup_use_libbind.patch b/meta/recipes-connectivity/dhcp/dhcp/0013-fixup_use_libbind.patch
deleted file mode 100644
index fcec010bd0..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp/0013-fixup_use_libbind.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-lib and include path is hardcoded for use_libbind 
-
-use libdir and includedir vars
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: dhcp-4.4.1/configure.ac+lt
-===================================================================
---- dhcp-4.4.1.orig/configure.ac+lt
-+++ dhcp-4.4.1/configure.ac+lt
-@@ -801,22 +801,22 @@ no)
- 	if test ! -d "$use_libbind"; then
- 		AC_MSG_ERROR([Cannot find bind directory at $use_libbind])
- 	fi
--	if test ! -d "$use_libbind/include" -o \
--	        ! -f "$use_libbind/include/isc/buffer.h"
-+	if test ! -d "$use_libbind/$includedir" -o \
-+	        ! -f "$use_libbind/$includedir/isc/buffer.h"
- 	then
--		AC_MSG_ERROR([Cannot find bind includes at $use_libbind/include])
-+		AC_MSG_ERROR([Cannot find bind includes at $use_libbind/$includedir])
- 	fi
--	if test	! -d "$use_libbind/lib" -o \
--	        \( ! -f "$use_libbind/lib/libisc.a" -a \
--		   ! -f	"$use_libbind/lib/libisc.la" \)
-+	if test	! -d "$use_libbind/$libdir" -o \
-+	        \( ! -f "$use_libbind/$libdir/libisc.a" -a \
-+		   ! -f	"$use_libbind/$libdir/libisc.la" \)
- 	then
--		AC_MSG_ERROR([Cannot find bind libraries at $use_libbind/lib])
-+		AC_MSG_ERROR([Cannot find bind libraries at $use_libbind/$libdir])
- 	fi
- 	BINDDIR="$use_libbind"
--	BINDLIBIRSDIR="$BINDDIR/lib"
--	BINDLIBDNSDIR="$BINDDIR/lib"
--	BINDLIBISCCFGDIR="$BINDDIR/lib"
--	BINDLIBISCDIR="$BINDDIR/lib"	
-+	BINDLIBIRSDIR="$BINDDIR/$libdir"
-+	BINDLIBDNSDIR="$BINDDIR/$libdir"
-+	BINDLIBISCCFGDIR="$BINDDIR/$libdir"
-+	BINDLIBISCDIR="$BINDDIR/$libdir"
- 	DISTCHECK_LIBBIND_CONFIGURE_FLAG="--with-libbind=$use_libbind"
- 	;;
- esac
-@@ -856,14 +856,14 @@ AC_ARG_ENABLE(libtool,
- 
- if test "$use_libbind" != "no"; then
- 	if test "$want_libtool" = "yes" -a \
--	        ! -f "$use_libbind/lib/libisc.la"
-+	        ! -f "$use_libbind/$libdir/libisc.la"
- 	then
--		AC_MSG_ERROR([Cannot find dynamic libraries at $use_libbind/lib])
-+		AC_MSG_ERROR([Cannot find dynamic libraries at $use_libbind/$libdir])
- 	fi
- 	if test "$want_libtool" = "no" -a \
--	        ! -f "$use_libbind/lib/libisc.a"
-+	        ! -f "$use_libbind/$libdir/libisc.a"
- 	then
--		AC_MSG_ERROR([Cannot find static libraries at $use_libbind/lib])
-+		AC_MSG_ERROR([Cannot find static libraries at $use_libbind/$libdir])
- 	fi
- fi
- 
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb
deleted file mode 100644
index 020777b8f2..0000000000
--- a/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb
+++ /dev/null
@@ -1,23 +0,0 @@
-require dhcp.inc
-
-SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.patch \
-            file://0002-dhclient-dbus.patch \
-            file://0003-link-with-lcrypto.patch \
-            file://0004-Fix-out-of-tree-builds.patch \
-            file://0005-dhcp-client-fix-invoke-dhclient-script-failed-on-Rea.patch \
-            file://0007-Add-configure-argument-to-make-the-libxml2-dependenc.patch \
-            file://0009-remove-dhclient-script-bash-dependency.patch \
-            file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
-            file://0013-fixup_use_libbind.patch \
-            file://0001-master-Added-includes-of-new-BIND9-compatibility-hea.patch \
-            file://0001-Fix-a-NSUPDATE-compiling-issue.patch \
-            file://0001-workaround-busybox-limitation-in-linux-dhclient-script.patch \
-"
-
-SRC_URI[md5sum] = "18c7f4dcbb0a63df25098216d47b1ede"
-SRC_URI[sha256sum] = "2a22508922ab367b4af4664a0472dc220cc9603482cf3c16d9aff14f3a76b608"
-
-LDFLAGS_append = " -pthread"
-
-PACKAGECONFIG ?= ""
-PACKAGECONFIG[bind-httpstats] = "--with-libxml2,--without-libxml2,libxml2"
diff --git a/meta/recipes-connectivity/dhcp/files/default-relay b/meta/recipes-connectivity/dhcp/files/default-relay
deleted file mode 100644
index 7961f014be..0000000000
--- a/meta/recipes-connectivity/dhcp/files/default-relay
+++ /dev/null
@@ -1,12 +0,0 @@
-# Defaults for dhcp-relay initscript
-# sourced by /etc/init.d/dhcp-relay
-
-# What servers should the DHCP relay forward requests to?
-# e.g: SERVERS="192.168.0.1"
-SERVERS=""
-
-# On what interfaces should the DHCP relay (dhrelay) serve DHCP requests?
-INTERFACES=""
-
-# Additional options that are passed to the DHCP relay daemon?
-OPTIONS=""
diff --git a/meta/recipes-connectivity/dhcp/files/default-server b/meta/recipes-connectivity/dhcp/files/default-server
deleted file mode 100644
index 0385d16992..0000000000
--- a/meta/recipes-connectivity/dhcp/files/default-server
+++ /dev/null
@@ -1,7 +0,0 @@
-# Defaults for dhcp initscript
-# sourced by /etc/init.d/dhcp-server
-# installed at /etc/default/dhcp-server by the maintainer scripts
-
-# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
-#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
-INTERFACES=""
diff --git a/meta/recipes-connectivity/dhcp/files/dhclient-systemd-wrapper b/meta/recipes-connectivity/dhcp/files/dhclient-systemd-wrapper
deleted file mode 100644
index 7d0e224a1d..0000000000
--- a/meta/recipes-connectivity/dhcp/files/dhclient-systemd-wrapper
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/sh
-
-# In case the interface is used for nfs, skip it.
-nfsroot=0
-interfaces=""
-exec 9<&0 < /proc/mounts
-while read dev mtpt fstype rest; do
-    if test $mtpt = "/" ; then
-        case $fstype in
-            nfs | nfs4)
-                nfsroot=1
-                nfs_addr=`echo $rest | sed -e 's/^.*addr=\([0-9.]*\).*$/\1/'`
-                break
-                ;;
-            *)
-                ;;
-        esac
-    fi
-done
-exec 0<&9 9<&-
-
-if [ $nfsroot -eq 0 ]; then
-    interfaces="$INTERFACES"
-else
-    if [ -x /bin/ip -o -x /sbin/ip ] ; then
-	nfs_iface=`ip route get $nfs_addr | grep dev | sed -e 's/^.*dev \([-a-z0-9.]*\).*$/\1/'`
-    fi
-    for i in $INTERFACES; do
-	if test "x$i" = "x$nfs_iface"; then
-            echo "dhclient skipping nfsroot interface $i"
-	else
-	    interfaces="$interfaces $i"
-	fi
-    done
-fi
-
-if test "x$interfaces" != "x"; then
-    /sbin/dhclient -d -cf /etc/dhcp/dhclient.conf -q -lf /var/lib/dhcp/dhclient.leases $interfaces
-fi
diff --git a/meta/recipes-connectivity/dhcp/files/dhclient.conf b/meta/recipes-connectivity/dhcp/files/dhclient.conf
deleted file mode 100644
index 0e6dcf96c2..0000000000
--- a/meta/recipes-connectivity/dhcp/files/dhclient.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-# Configuration file for /sbin/dhclient, which is included in Debian's
-#	dhcp3-client package.
-#
-# This is a sample configuration file for dhclient. See dhclient.conf's
-#	man page for more information about the syntax of this file
-#	and a more comprehensive list of the parameters understood by
-#	dhclient.
-#
-# Normally, if the DHCP server provides reasonable information and does
-#	not leave anything out (like the domain name, for example), then
-#	few changes must be made to this file, if any.
-#
-
-#send host-name "andare.fugue.com";
-#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
-#send dhcp-lease-time 3600;
-#supersede domain-name "fugue.com home.vix.com";
-#prepend domain-name-servers 127.0.0.1;
-request subnet-mask, broadcast-address, time-offset, routers,
-	domain-name, domain-name-servers, host-name,
-	netbios-name-servers, netbios-scope;
-#require subnet-mask, domain-name-servers;
-#timeout 60;
-#retry 60;
-#reboot 10;
-#select-timeout 5;
-#initial-interval 2;
-#script "/etc/dhcp3/dhclient-script";
-#media "-link0 -link1 -link2", "link0 link1";
-#reject 192.33.137.209;
-
-#alias {
-#  interface "eth0";
-#  fixed-address 192.5.5.213;
-#  option subnet-mask 255.255.255.255;
-#}
-
-#lease {
-#  interface "eth0";
-#  fixed-address 192.33.137.200;
-#  medium "link0 link1";
-#  option host-name "andare.swiftmedia.com";
-#  option subnet-mask 255.255.255.0;
-#  option broadcast-address 192.33.137.255;
-#  option routers 192.33.137.250;
-#  option domain-name-servers 127.0.0.1;
-#  renew 2 2000/1/12 00:00:01;
-#  rebind 2 2000/1/12 00:00:01;
-#  expire 2 2000/1/12 00:00:01;
-#}
diff --git a/meta/recipes-connectivity/dhcp/files/dhclient.service b/meta/recipes-connectivity/dhcp/files/dhclient.service
deleted file mode 100644
index 9ddb4d1dfe..0000000000
--- a/meta/recipes-connectivity/dhcp/files/dhclient.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Dynamic Host Configuration Protocol (DHCP)
-Wants=network.target
-Before=network.target
-After=systemd-udevd.service
-
-[Service]
-EnvironmentFile=-@SYSCONFDIR@/default/dhcp-client
-ExecStart=@BASE_SBINDIR@/dhclient-systemd-wrapper
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/dhcp/files/dhcpd.conf b/meta/recipes-connectivity/dhcp/files/dhcpd.conf
deleted file mode 100644
index 0001c0f00e..0000000000
--- a/meta/recipes-connectivity/dhcp/files/dhcpd.conf
+++ /dev/null
@@ -1,108 +0,0 @@
-#
-# Sample configuration file for ISC dhcpd for Debian
-#
-# $Id: dhcpd.conf,v 1.1.1.1 2002/05/21 00:07:44 peloy Exp $
-#
-
-# The ddns-updates-style parameter controls whether or not the server will
-# attempt to do a DNS update when a lease is confirmed. We default to the
-# behavior of the version 2 packages ('none', since DHCP v2 didn't
-# have support for DDNS.)
-ddns-update-style none;
-
-# option definitions common to all supported networks...
-option domain-name "example.org";
-option domain-name-servers ns1.example.org, ns2.example.org;
-
-default-lease-time 600;
-max-lease-time 7200;
-
-# If this DHCP server is the official DHCP server for the local
-# network, the authoritative directive should be uncommented.
-#authoritative;
-
-# Use this to send dhcp log messages to a different log file (you also
-# have to hack syslog.conf to complete the redirection).
-log-facility local7;
-
-# No service will be given on this subnet, but declaring it helps the 
-# DHCP server to understand the network topology.
-
-#subnet 10.152.187.0 netmask 255.255.255.0 {
-#}
-
-# This is a very basic subnet declaration.
-
-#subnet 10.254.239.0 netmask 255.255.255.224 {
-#  range 10.254.239.10 10.254.239.20;
-#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
-#}
-
-# This declaration allows BOOTP clients to get dynamic addresses,
-# which we don't really recommend.
-
-#subnet 10.254.239.32 netmask 255.255.255.224 {
-#  range dynamic-bootp 10.254.239.40 10.254.239.60;
-#  option broadcast-address 10.254.239.31;
-#  option routers rtr-239-32-1.example.org;
-#}
-
-# A slightly different configuration for an internal subnet.
-#subnet 10.5.5.0 netmask 255.255.255.224 {
-#  range 10.5.5.26 10.5.5.30;
-#  option domain-name-servers ns1.internal.example.org;
-#  option domain-name "internal.example.org";
-#  option routers 10.5.5.1;
-#  option broadcast-address 10.5.5.31;
-#  default-lease-time 600;
-#  max-lease-time 7200;
-#}
-
-# Hosts which require special configuration options can be listed in
-# host statements.   If no address is specified, the address will be
-# allocated dynamically (if possible), but the host-specific information
-# will still come from the host declaration.
-
-#host passacaglia {
-#  hardware ethernet 0:0:c0:5d:bd:95;
-#  filename "vmunix.passacaglia";
-#  server-name "toccata.fugue.com";
-#}
-
-# Fixed IP addresses can also be specified for hosts.   These addresses
-# should not also be listed as being available for dynamic assignment.
-# Hosts for which fixed IP addresses have been specified can boot using
-# BOOTP or DHCP.   Hosts for which no fixed address is specified can only
-# be booted with DHCP, unless there is an address range on the subnet
-# to which a BOOTP client is connected which has the dynamic-bootp flag
-# set.
-#host fantasia {
-#  hardware ethernet 08:00:07:26:c0:a5;
-#  fixed-address fantasia.fugue.com;
-#}
-
-# You can declare a class of clients and then do address allocation
-# based on that.   The example below shows a case where all clients
-# in a certain class get addresses on the 10.17.224/24 subnet, and all
-# other clients get addresses on the 10.0.29/24 subnet.
-
-#class "foo" {
-#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
-#}
-
-#shared-network 224-29 {
-#  subnet 10.17.224.0 netmask 255.255.255.0 {
-#    option routers rtr-224.example.org;
-#  }
-#  subnet 10.0.29.0 netmask 255.255.255.0 {
-#    option routers rtr-29.example.org;
-#  }
-#  pool {
-#    allow members of "foo";
-#    range 10.17.224.10 10.17.224.250;
-#  }
-#  pool {
-#    deny members of "foo";
-#    range 10.0.29.10 10.0.29.230;
-#  }
-#}
diff --git a/meta/recipes-connectivity/dhcp/files/dhcpd.service b/meta/recipes-connectivity/dhcp/files/dhcpd.service
deleted file mode 100644
index ae4f93eca5..0000000000
--- a/meta/recipes-connectivity/dhcp/files/dhcpd.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=DHCPv4 Server Daemon
-Documentation=man:dhcpd(8) man:dhcpd.conf(5)
-After=network.target
-After=time-sync.target
-
-[Service]
-PIDFile=@localstatedir@/run/dhcpd.pid
-EnvironmentFile=@SYSCONFDIR@/default/dhcp-server
-EnvironmentFile=-@SYSCONFDIR@/sysconfig/dhcp-server
-ExecStartPre=@base_bindir@/touch @localstatedir@/lib/dhcp/dhcpd.leases
-ExecStart=@SBINDIR@/dhcpd -f -cf @SYSCONFDIR@/dhcp/dhcpd.conf -pf @localstatedir@/run/dhcpd.pid $DHCPDARGS -q $INTERFACES
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/dhcp/files/dhcpd6.service b/meta/recipes-connectivity/dhcp/files/dhcpd6.service
deleted file mode 100644
index 52a6224dc2..0000000000
--- a/meta/recipes-connectivity/dhcp/files/dhcpd6.service
+++ /dev/null
@@ -1,15 +0,0 @@
-[Unit]
-Description=DHCPv6 Server Daemon
-Documentation=man:dhcpd(8) man:dhcpd.conf(5)
-After=network.target
-After=time-sync.target
-
-[Service]
-PIDFile=@localstatedir@/run/dhcpd6.pid
-EnvironmentFile=@SYSCONFDIR@/default/dhcp-server
-EnvironmentFile=-@SYSCONFDIR@/sysconfig/dhcpd6
-ExecStartPre=@base_bindir@/touch @localstatedir@/lib/dhcp/dhcpd6.leases
-ExecStart=@SBINDIR@/dhcpd -f -6 -cf @SYSCONFDIR@/dhcp/dhcpd6.conf -pf @localstatedir@/run/dhcpd6.pid $DHCPDARGS -q $INTERFACES
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/dhcp/files/dhcrelay.service b/meta/recipes-connectivity/dhcp/files/dhcrelay.service
deleted file mode 100644
index 15ff927d34..0000000000
--- a/meta/recipes-connectivity/dhcp/files/dhcrelay.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=DHCP Relay Agent Daemon
-After=network.target
-
-[Service]
-EnvironmentFile=@SYSCONFDIR@/default/dhcp-relay
-ExecStart=@SBINDIR@/dhcrelay -d --no-pid -q $SERVERS
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/dhcp/files/init-relay b/meta/recipes-connectivity/dhcp/files/init-relay
deleted file mode 100644
index 019a7e84cf..0000000000
--- a/meta/recipes-connectivity/dhcp/files/init-relay
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/sh
-#
-# $Id: dhcp3-relay,v 1.1 2004/04/16 15:41:08 ml Exp $
-#
-
-# It is not safe to start if we don't have a default configuration...
-if [ ! -f /etc/default/dhcp-relay ]; then
-	echo "/etc/default/dhcp-relay does not exist! - Aborting..."
-	echo "create this file to fix the problem."
-	exit 1
-fi
-
-# Read init script configuration (interfaces the daemon should listen on
-# and the DHCP server we should forward requests to.)
-. /etc/default/dhcp-relay
-
-# Build command line for interfaces (will be passed to dhrelay below.)
-IFCMD=""
-if test "$INTERFACES" != ""; then
-	for I in $INTERFACES; do
-		IFCMD=${IFCMD}"-i "${I}" "
-	done
-fi
-
-DHCRELAYPID=/var/run/dhcrelay.pid
-
-case "$1" in
-	start)
-		start-stop-daemon -S -x /usr/sbin/dhcrelay -- -q $OPTIONS $IFCMD $SERVERS
-		;;
-	stop)
-		start-stop-daemon -K -x /usr/sbin/dhcrelay
-		;;
-	restart | force-reload)
-		$0 stop
-		sleep 2
-		$0 start
-		;;
-	*)
-		echo "Usage: /etc/init.d/dhcp-relay {start|stop|restart|force-reload}"
-		exit 1 
-esac
-
-exit 0
diff --git a/meta/recipes-connectivity/dhcp/files/init-server b/meta/recipes-connectivity/dhcp/files/init-server
deleted file mode 100644
index 5e693adf78..0000000000
--- a/meta/recipes-connectivity/dhcp/files/init-server
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/sh
-#
-# $Id: dhcp3-server.init.d,v 1.4 2003/07/13 19:12:41 mdz Exp $
-#
-
-test -f /usr/sbin/dhcpd || exit 0
-
-# It is not safe to start if we don't have a default configuration...
-if [ ! -f /etc/default/dhcp-server ]; then
-	echo "/etc/default/dhcp-server does not exist! - Aborting..."
-	exit 0
-fi
-
-# Read init script configuration (so far only interfaces the daemon
-# should listen on.)
-. /etc/default/dhcp-server
-
-case "$1" in
-	start)
-		echo -n "Starting DHCP server: "
-		test -d /var/lib/dhcp/ || mkdir -p /var/lib/dhcp/
-		test -f /var/lib/dhcp/dhcpd.leases || touch /var/lib/dhcp/dhcpd.leases	
-		start-stop-daemon -S -x /usr/sbin/dhcpd -- -q $INTERFACES -user dhcp -group dhcp
-		echo "."
-		;;
-	stop)
-		echo -n "Stopping DHCP server: dhcpd3"
-		start-stop-daemon -K -x /usr/sbin/dhcpd
-		echo "."
-		;;
-	restart | force-reload)
-		$0 stop
-		sleep 2
-		$0 start
-		if [ "$?" != "0" ]; then
-			exit 1
-		fi
-		;;
-	*)
-		echo "Usage: /etc/init.d/dhcp-server {start|stop|restart|force-reload}"
-		exit 1 
-esac
-
-exit 0
diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
new file mode 100644
index 0000000000..6bde9b1f51
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb
@@ -0,0 +1,61 @@
+SECTION = "console/network"
+SUMMARY = "dhcpcd - a DHCP client"
+DESCRIPTION = "dhcpcd runs on your machine and silently configures your \
+               computer to work on the attached networks without trouble \
+               and mostly without configuration."
+
+HOMEPAGE = "http://roy.marples.name/projects/dhcpcd/"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ba9c7e534853aaf3de76c905b2410ffd"
+
+SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=master \
+           file://0001-remove-INCLUDEDIR-to-prevent-build-issues.patch \
+           file://0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch \
+           file://dhcpcd.service \
+           file://dhcpcd@.service \
+           file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \
+           "
+
+SRCREV = "1c8ae59836fa87b4c63c598087f0460ec20ed862"
+S = "${WORKDIR}/git"
+
+inherit pkgconfig autotools-brokensep systemd useradd
+
+SYSTEMD_SERVICE:${PN} = "dhcpcd.service"
+
+PACKAGECONFIG ?= "udev ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
+
+PACKAGECONFIG[udev] = "--with-udev,--without-udev,udev,udev"
+PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6"
+# ntp conflicts with chrony
+PACKAGECONFIG[ntp] = "--with-hook=ntp, , ,ntp"
+PACKAGECONFIG[chrony] = "--with-hook=ntp, , ,chrony"
+PACKAGECONFIG[ypbind] = "--with-eghook=yp, , ,ypbind-mt"
+
+# add option to override DBDIR location
+DBDIR ?= "${localstatedir}/lib/${BPN}"
+
+EXTRA_OECONF = "--enable-ipv4 \
+                --dbdir=${DBDIR} \
+                --sbindir=${base_sbindir} \
+                --runstatedir=/run \
+                --enable-privsep \
+                --privsepuser=dhcpcd \
+                --with-hooks \
+                --with-eghooks \
+               "
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM:${PN} = "--system -d ${DBDIR} -M -s /bin/false -U dhcpcd"
+
+do_install:append () {
+    # install systemd unit files
+    install -d ${D}${systemd_system_unitdir}
+    install -m 0644 ${WORKDIR}/dhcpcd*.service ${D}${systemd_system_unitdir}
+
+    chmod 700 ${D}${DBDIR}
+    chown dhcpcd:dhcpcd ${D}${DBDIR}
+}
+
+FILES:${PN}-dbg += "${libdir}/dhcpcd/dev/.debug"
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
new file mode 100644
index 0000000000..8d1ed6671a
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch
@@ -0,0 +1,82 @@
+From 02acc4d875ee81e6fd19ef66d69c9f55b4b4a7e7 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Wed, 9 Nov 2022 16:33:18 +0800
+Subject: [PATCH] 20-resolv.conf: improve the sitation of working with systemd
+
+systemd's resolvconf implementation ignores the protocol part.
+See https://github.com/systemd/systemd/issues/25032.
+
+When using 'dhcp server + dns server + dhcpcd + systemd', we
+get an integration issue, that is dhcpcd runs 'resolvconf -d eth0.ra',
+yet systemd's resolvconf treats it as eth0. This will delete the
+DNS information set by 'resolvconf -a eth0.dhcp'.
+
+Fortunately, 20-resolv.conf has the ability to build the resolv.conf
+file contents itself. We can just pass the generated contents to
+systemd's resolvconf. This way, the DNS information is not incorrectly
+deleted. Also, it does not cause behavior regression for dhcpcd
+in other cases.
+
+Upstream-Status: Inappropriate [OE Specific]
+This patch has been rejected by dhcpcd upstream.
+See details in https://github.com/NetworkConfiguration/dhcpcd/pull/152
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ hooks/20-resolv.conf | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/hooks/20-resolv.conf b/hooks/20-resolv.conf
+index 7c29e276..becc019f 100644
+--- a/hooks/20-resolv.conf
++++ b/hooks/20-resolv.conf
+@@ -11,8 +11,12 @@ nocarrier_roaming_dir="$state_dir/roaming"
+ NL="
+ "
+ : ${resolvconf:=resolvconf}
++resolvconf_from_systemd=false
+ if command -v "$resolvconf" >/dev/null 2>&1; then
+ 	have_resolvconf=true
++	if [ $(basename $(readlink -f $(which $resolvconf))) = resolvectl ]; then
++		resolvconf_from_systemd=true
++	fi
+ else
+ 	have_resolvconf=false
+ fi
+@@ -69,8 +73,13 @@ build_resolv_conf()
+ 	else
+ 		echo "# /etc/resolv.conf.tail can replace this line" >> "$cf"
+ 	fi
+-	if change_file /etc/resolv.conf "$cf"; then
+-		chmod 644 /etc/resolv.conf
++	if $resolvconf_from_systemd; then
++		[ -n "$ifmetric" ] && export IF_METRIC="$ifmetric"
++		"$resolvconf" -a "$ifname" <"$cf"
++	else
++		if change_file /etc/resolv.conf "$cf"; then
++			chmod 644 /etc/resolv.conf
++		fi
+ 	fi
+ 	rm -f "$cf"
+ }
+@@ -170,7 +179,7 @@ add_resolv_conf()
+ 	for x in ${new_domain_name_servers}; do
+ 		conf="${conf}nameserver $x$NL"
+ 	done
+-	if $have_resolvconf; then
++	if $have_resolvconf && ! $resolvconf_from_systemd; then
+ 		[ -n "$ifmetric" ] && export IF_METRIC="$ifmetric"
+ 		printf %s "$conf" | "$resolvconf" -a "$ifname"
+ 		return $?
+@@ -186,7 +195,7 @@ add_resolv_conf()
+ 
+ remove_resolv_conf()
+ {
+-	if $have_resolvconf; then
++	if $have_resolvconf && ($if_down || ! $resolvconf_from_systemd); then
+ 		"$resolvconf" -d "$ifname" -f
+ 	else
+ 		if [ -e "$resolv_conf_dir/$ifname" ]; then
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch
new file mode 100644
index 0000000000..461d04bd1d
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch
@@ -0,0 +1,44 @@
+From 5d5ba8a2b8010db6bee68bd712f829cb737c9ac1 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Fri, 10 Mar 2023 03:48:46 +0000
+Subject: [PATCH] dhcpcd.8: Fix conflict error when enable multilib.
+
+Error: Transaction test error:
+ file /usr/share/man/man8/dhcpcd.8 conflicts between attempted
+ installs of dhcpcd-doc-9.4.1-r0.cortexa57 and
+ lib32-dhcpcd-doc-9.4.1-r0.armv7ahf_neon
+
+The differences between the two files are as follows:
+@@ -821,7 +821,7 @@
+ If you always use the same options, put them here.
+ .It Pa /usr/libexec/dhcpcd-run-hooks
+ Bourne shell script that is run to configure or de-configure an interface.
+-.It Pa /usr/lib64/dhcpcd/dev
++.It Pa /usr/lib/dhcpcd/dev
+ Linux
+ .Pa /dev
+ management modules.
+
+It is just a man file, there is no necessary to manage multiple
+versions.
+
+Upstream-Status: Inappropriate [oe specific]
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+
+---
+ src/dhcpcd.8.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dhcpcd.8.in b/src/dhcpcd.8.in
+index 93232840..09930a31 100644
+--- a/src/dhcpcd.8.in
++++ b/src/dhcpcd.8.in
+@@ -824,7 +824,7 @@ Configuration file for dhcpcd.
+ If you always use the same options, put them here.
+ .It Pa @SCRIPT@
+ Bourne shell script that is run to configure or de-configure an interface.
+-.It Pa @LIBDIR@/dhcpcd/dev
++.It Pa /usr/<libdir>/dhcpcd/dev
+ Linux
+ .Pa /dev
+ management modules.
diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch b/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch
new file mode 100644
index 0000000000..c54942be4b
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch
@@ -0,0 +1,43 @@
+From ec9fc4e6086e1dbe0ac2f94a8a088a571596a581 Mon Sep 17 00:00:00 2001
+From: Stefano Cappa <stefano.cappa.ks89@gmail.com>
+Date: Sun, 13 Jan 2019 01:50:52 +0100
+Subject: [PATCH] remove INCLUDEDIR to prevent build issues
+
+Upstream-Status: Pending
+
+Signed-off-by: Stefano Cappa <stefano.cappa.ks89@gmail.com>
+
+---
+ configure | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/configure b/configure
+index 5237b0e2..7220718b 100755
+--- a/configure
++++ b/configure
+@@ -26,7 +26,6 @@ BUILD=
+ HOST=
+ HOSTCC=
+ TARGET=
+-INCLUDEDIR=
+ DEBUG=
+ FORK=
+ STATIC=
+@@ -86,7 +85,6 @@ for x do
+ 	--mandir) MANDIR=$var;;
+ 	--datadir) DATADIR=$var;;
+ 	--with-ccopts|CFLAGS) CFLAGS=$var;;
+-	-I|--includedir) INCLUDEDIR="$INCLUDEDIR${INCLUDEDIR:+ }-I$var";;
+ 	CC) CC=$var;;
+ 	CPPFLAGS) CPPFLAGS=$var;;
+ 	PKG_CONFIG) PKG_CONFIG=$var;;
+@@ -343,9 +341,6 @@ if [ -n "$CPPFLAGS" ]; then
+ 	echo "CPPFLAGS=" >>$CONFIG_MK
+ 	echo "CPPFLAGS+=	$CPPFLAGS" >>$CONFIG_MK
+ fi
+-if [ -n "$INCLUDEDIR" ]; then
+-	echo "CPPFLAGS+=	$INCLUDEDIR" >>$CONFIG_MK
+-fi
+ if [ -n "$LDFLAGS" ]; then
+ 	echo "LDFLAGS=" >>$CONFIG_MK
+ 	echo "LDFLAGS+=	$LDFLAGS" >>$CONFIG_MK
diff --git a/meta/recipes-connectivity/dhcpcd/files/dhcpcd.service b/meta/recipes-connectivity/dhcpcd/files/dhcpcd.service
new file mode 100644
index 0000000000..6c967ddaf0
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/dhcpcd.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=A minimalistic network configuration daemon with DHCPv4, rdisc and DHCPv6 support
+Wants=network.target
+Before=network.target
+Conflicts=connman.service
+
+[Service]
+ExecStart=/sbin/dhcpcd -q --nobackground
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/dhcpcd/files/dhcpcd@.service b/meta/recipes-connectivity/dhcpcd/files/dhcpcd@.service
new file mode 100644
index 0000000000..845b83b9e5
--- /dev/null
+++ b/meta/recipes-connectivity/dhcpcd/files/dhcpcd@.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=dhcpcd on %I
+Wants=network.target
+Before=network.target
+BindsTo=sys-subsystem-net-devices-%i.device
+After=sys-subsystem-net-devices-%i.device
+Conflicts=connman.service
+
+[Service]
+Type=forking
+PIDFile=/run/dhcpcd/%I.pid
+ExecStart=/sbin/dhcpcd -q %I
+ExecStop=/sbin/dhcpcd -x %I
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-rcp-fix-to-work-with-large-files.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-rcp-fix-to-work-with-large-files.patch
deleted file mode 100644
index d4764f5867..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/0001-rcp-fix-to-work-with-large-files.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Upstream-Status: Pending
-
-Subject: rcp: fix to work with large files
-
-When we copy file by rcp command, if the file > 2GB, it will fail.
-The cause is that it used incorrect data type on file size in sink() of rcp.
-
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- src/rcp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/rcp.c b/src/rcp.c
-index 21f55b6..bafa35f 100644
---- a/src/rcp.c
-+++ b/src/rcp.c
-@@ -876,9 +876,9 @@ sink (int argc, char *argv[])
-   enum
-   { YES, NO, DISPLAYED } wrerr;
-   BUF *bp;
--  off_t i, j;
-+  off_t i, j, size;
-   int amt, count, exists, first, mask, mode, ofd, omode;
--  int setimes, size, targisdir, wrerrno;
-+  int setimes, targisdir, wrerrno;
-   char ch, *cp, *np, *targ, *vect[1], buf[BUFSIZ];
-   const char *why;
- 
--- 
-1.9.1
-
diff --git a/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch b/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch
deleted file mode 100644
index a91913cb51..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-tftpd: Fix abort on error path
-
-When trying to fetch a non existent file, the app crashes with:
-
-*** buffer overflow detected ***: 
-Aborted
-
-
-Upstream-Status: Submitted [https://www.mail-archive.com/bug-inetutils@gnu.org/msg03036.html https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91205]
-Signed-off-by: Ricardo Ribalda Delgado <ricardo@ribalda.com>
-diff --git a/src/tftpd.c b/src/tftpd.c
-index 56002a0..144012f 100644
---- a/src/tftpd.c
-+++ b/src/tftpd.c
-@@ -864,9 +864,8 @@ nak (int error)
-       pe->e_msg = strerror (error - 100);
-       tp->th_code = EUNDEF;	/* set 'undef' errorcode */
-     }
--  strcpy (tp->th_msg, pe->e_msg);
-   length = strlen (pe->e_msg);
--  tp->th_msg[length] = '\0';
-+  memcpy(tp->th_msg, pe->e_msg, length + 1);
-   length += 5;
-   if (sendto (peer, buf, length, 0, (struct sockaddr *) &from, fromlen) != length)
-     syslog (LOG_ERR, "nak: %m\n");
diff --git a/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch b/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch
deleted file mode 100644
index 24c134fcac..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-Upstream: http://www.mail-archive.com/bug-inetutils@gnu.org/msg02103.html
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- ping/ping_common.h | 20 ++++++++++++++++++++
- 1 file changed, 20 insertions(+)
-
-diff --git a/ping/ping_common.h b/ping/ping_common.h
-index 1dfd1b5..3bfbd12 100644
---- a/ping/ping_common.h
-+++ b/ping/ping_common.h
-@@ -17,10 +17,14 @@
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see `http://www.gnu.org/licenses/'. */
- 
-+#include <config.h>
-+
- #include <netinet/in_systm.h>
- #include <netinet/in.h>
- #include <netinet/ip.h>
-+#ifdef HAVE_IPV6
- #include <netinet/icmp6.h>
-+#endif
- #include <icmp.h>
- #include <error.h>
- #include <progname.h>
-@@ -62,7 +66,12 @@ struct ping_stat
-    want to follow the traditional behaviour of ping.  */
- #define DEFAULT_PING_COUNT 0
- 
-+#ifdef HAVE_IPV6
- #define PING_HEADER_LEN (USE_IPV6 ? sizeof (struct icmp6_hdr) : ICMP_MINLEN)
-+#else
-+#define PING_HEADER_LEN (ICMP_MINLEN)
-+#endif
-+
- #define PING_TIMING(s)  ((s) >= sizeof (struct timeval))
- #define PING_DATALEN    (64 - PING_HEADER_LEN)  /* default data length */
- 
-@@ -74,13 +83,20 @@ struct ping_stat
-   (t).tv_usec = ((i)%PING_PRECISION)*(1000000/PING_PRECISION) ;\
- } while (0)
- 
-+#ifdef HAVE_IPV6
- /* FIXME: Adjust IPv6 case for options and their consumption.  */
- #define _PING_BUFLEN(p, u) ((u)? ((p)->ping_datalen + sizeof (struct icmp6_hdr)) : \
- 				   (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN))
- 
-+#else
-+#define _PING_BUFLEN(p, u) (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN)
-+#endif
-+
-+#ifdef HAVE_IPV6
- typedef int (*ping_efp6) (int code, void *closure, struct sockaddr_in6 * dest,
- 			  struct sockaddr_in6 * from, struct icmp6_hdr * icmp,
- 			  int datalen);
-+#endif
- 
- typedef int (*ping_efp) (int code,
- 			 void *closure,
-@@ -89,13 +105,17 @@ typedef int (*ping_efp) (int code,
- 			 struct ip * ip, icmphdr_t * icmp, int datalen);
- 
- union event {
-+#ifdef HAVE_IPV6
-   ping_efp6 handler6;
-+#endif
-   ping_efp handler;
- };
- 
- union ping_address {
-   struct sockaddr_in ping_sockaddr;
-+#ifdef HAVE_IPV6
-   struct sockaddr_in6 ping_sockaddr6;
-+#endif
- };
- 
- typedef struct ping_data PING;
--- 
-2.8.3
-
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch
deleted file mode 100644
index 3da4e9f55a..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 552a7d64ad4a7188a9b7cd89933ae7caf7ebfe90 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier at gentoo.org>
-Date: Thu, 18 Nov 2010 16:59:14 -0500
-Subject: [PATCH gnulib] printf-parse: pull in features.h for __GLIBC__
-
-Upstream-Status: Pending
-
-Signed-off-by: Mike Frysinger <vapier at gentoo.org>
----
- lib/printf-parse.h |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/lib/printf-parse.h b/lib/printf-parse.h
-index 67a4a2a..3bd6152 100644
---- a/lib/printf-parse.h
-+++ b/lib/printf-parse.h
-@@ -25,6 +25,9 @@
- 
- #include "printf-args.h"
- 
-+#ifdef HAVE_FEATURES_H
-+# include <features.h>	/* for __GLIBC__ */
-+#endif
- 
- /* Flags */
- #define FLAG_GROUP       1      /* ' flag */
--- 
-1.7.3.2
-
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch
deleted file mode 100644
index b13bb9229f..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Upstream-Status: Pending
-
---- inetutils-1.8/lib/wchar.in.h
-+++ inetutils-1.8/lib/wchar.in.h
-@@ -70,6 +70,9 @@
- /* The include_next requires a split double-inclusion guard.  */
- #if @HAVE_WCHAR_H@
- # @INCLUDE_NEXT@ @NEXT_WCHAR_H@
-+#else
-+# include <stddef.h>
-+# define MB_CUR_MAX 1
- #endif
- 
- #undef _GL_ALREADY_INCLUDING_WCHAR_H
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch
deleted file mode 100644
index 2592989a90..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-inetutils: define PATH_PROCNET_DEV if not already defined
-
-this prevents the following compilation error :
-system/linux.c:401:15: error: 'PATH_PROCNET_DEV' undeclared (first use in this function)
-
-this patch comes from :
- http://repository.timesys.com/buildsources/i/inetutils/inetutils-1.9/
-
-Upstream-Status: Inappropriate [not author]
-
-Signed-of-by: Eric Bénard <eric@eukrea.com>
----
-diff -Naur inetutils-1.9.orig/ifconfig/system/linux.c inetutils-1.9/ifconfig/system/linux.c
---- inetutils-1.9.orig/ifconfig/system/linux.c	2012-01-04 16:31:36.000000000 -0500
-+++ inetutils-1.9/ifconfig/system/linux.c	2012-01-04 16:40:53.000000000 -0500
-@@ -49,6 +49,10 @@
- #include "../ifconfig.h"
- 
- 
-+#ifndef PATH_PROCNET_DEV
-+  #define PATH_PROCNET_DEV "/proc/net/dev"
-+#endif
-+
- /* ARPHRD stuff.  */
- 
- static void
diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch
deleted file mode 100644
index ff3abd86aa..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Only check security/pam_appl.h which is provided by package libpam when pam is
-enabled.
-
-Upstream-Status: Pending
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
----
-diff --git a/configure.ac b/configure.ac
-index b35e672..e78a751 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -195,6 +195,19 @@ fi
- 
- # See if we have libpam.a.  Investigate PAM versus Linux-PAM.
- if test "$with_pam" = yes ; then
-+  AC_CHECK_HEADERS([security/pam_appl.h], [], [], [
-+#include <sys/types.h>
-+#ifdef HAVE_NETINET_IN_SYSTM_H
-+# include <netinet/in_systm.h>
-+#endif
-+#include <netinet/in.h>
-+#ifdef HAVE_NETINET_IP_H
-+# include <netinet/ip.h>
-+#endif
-+#ifdef HAVE_SYS_PARAM_H
-+# include <sys/param.h>
-+#endif
-+])
-   AC_CHECK_LIB(dl, dlopen, LIBDL=-ldl)
-   AC_CHECK_LIB(pam, pam_authenticate, LIBPAM=-lpam)
-   if test "$ac_cv_lib_pam_pam_authenticate" = yes ; then
-@@ -587,7 +600,7 @@ AC_HEADER_DIRENT
- AC_CHECK_HEADERS([arpa/nameser.h errno.h fcntl.h features.h \
- 		  glob.h memory.h netinet/ether.h netinet/in_systm.h \
- 		  netinet/ip.h netinet/ip_icmp.h netinet/ip_var.h \
--		  security/pam_appl.h shadow.h \
-+		  shadow.h \
- 		  stdarg.h stdlib.h string.h stropts.h sys/tty.h \
- 		  sys/utsname.h sys/ptyvar.h sys/msgbuf.h sys/filio.h \
- 		  sys/ioctl_compat.h sys/cdefs.h sys/stream.h sys/mkdev.h \
diff --git a/meta/recipes-connectivity/inetutils/inetutils/version.patch b/meta/recipes-connectivity/inetutils/inetutils/version.patch
deleted file mode 100644
index 532a0e5c08..0000000000
--- a/meta/recipes-connectivity/inetutils/inetutils/version.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Upstream-Status: Pending
-
-remove m4_esyscmd function
-
-Signed-off-by: Chunrong Guo <b40290@freescale.com>
---- inetutils-1.9.1/configure.ac	2012-01-06 22:05:05.000000000 +0800
-+++ inetutils-1.9.1/configure.ac	2012-11-12 14:01:11.732957019 +0800
-@@ -20,8 +20,7 @@
- 
- AC_PREREQ(2.59)
- 
--AC_INIT([GNU inetutils],
-- m4_esyscmd([build-aux/git-version-gen .tarball-version 's/inetutils-/v/;s/_/./g']),
-+AC_INIT([GNU inetutils],[1.9.4],
-  [bug-inetutils@gnu.org])
- 
- AC_CONFIG_SRCDIR([src/inetd.c])
diff --git a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
index 684fbe09e1..0f1a0736bd 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_1.9.4.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb
@@ -1,3 +1,4 @@
+SUMMARY = "The GNU inetutils are a collection of common networking utilities and servers."
 DESCRIPTION = "The GNU inetutils are a collection of common \
 networking utilities and servers including ftp, ftpd, rcp, \
 rexec, rlogin, rlogind, rsh, rshd, syslog, syslogd, talk, \
@@ -6,34 +7,23 @@ HOMEPAGE = "http://www.gnu.org/software/inetutils"
 SECTION = "net"
 DEPENDS = "ncurses netbase readline virtual/crypt"
 
-LICENSE = "GPLv3"
+LICENSE = "GPL-3.0-only"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=0c7051aef9219dc7237f206c5c4179a7"
 
-SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.gz \
-           file://version.patch \
-           file://inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch \
-           file://inetutils-1.8-0003-wchar.patch \
-           file://rexec.xinetd.inetutils  \
+SRC_URI[sha256sum] = "87697d60a31e10b5cb86a9f0651e1ec7bee98320d048c0739431aac3d5764fb6"
+SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
+           file://rexec.xinetd.inetutils \
            file://rlogin.xinetd.inetutils \
            file://rsh.xinetd.inetutils \
            file://telnet.xinetd.inetutils \
            file://tftpd.xinetd.inetutils \
-           file://inetutils-1.9-PATH_PROCNET_DEV.patch \
-           file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
-           file://0001-rcp-fix-to-work-with-large-files.patch \
-           file://fix-buffer-fortify-tfpt.patch \
-"
-
-SRC_URI[md5sum] = "04852c26c47cc8c6b825f2b74f191f52"
-SRC_URI[sha256sum] = "be8f75eff936b8e41b112462db51adf689715658a1b09e0d6b05d11ec92cc616"
+           "
 
 inherit autotools gettext update-alternatives texinfo
 
 acpaths = "-I ./m4"
 
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', '', 'file://fix-disable-ipv6.patch', d)}"
-
 PACKAGECONFIG ??= "ftp uucpd \
                    ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
                    ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6 ping6', '', d)} \
@@ -45,24 +35,36 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6 gl_cv_socket_ipv6=no,"
 PACKAGECONFIG[ping6] = "--enable-ping6,--disable-ping6,"
 
 EXTRA_OECONF = "--with-ncurses-include-dir=${STAGING_INCDIR} \
-        inetutils_cv_path_login=${base_bindir}/login \
         --with-libreadline-prefix=${STAGING_LIBDIR} \
         --enable-rpath=no \
-"
+        --with-path-login=${base_bindir}/login \
+        --with-path-cp=${base_bindir}/cp \
+        --with-path-uucico=${libexecdir}/uuico \
+        --with-path-procnet-dev=/proc/net/dev \
+        "
+
+EXTRA_OECONF:append:libc-musl = " --with-path-utmpx=/dev/null/utmpx --with-path-wtmpx=/dev/null/wtmpx"
 
 # These are horrible for security, disable them
-EXTRA_OECONF_append = " --disable-rsh --disable-rshd --disable-rcp \
+EXTRA_OECONF:append = " --disable-rsh --disable-rshd --disable-rcp \
         --disable-rlogin --disable-rlogind --disable-rexec --disable-rexecd"
 
-do_configure_prepend () {
+# The configure script guesses many paths in cross builds, check for this happening
+do_configure_cross_check() {
+    if grep "may be incorrect because of cross-compilation" ${B}/config.log; then
+        bberror Default path values used, these must be set explicitly
+    fi
+}
+do_configure[postfuncs] += "do_configure_cross_check"
+
+# The --with-path options are not actually options, so this check needs to be silenced
+ERROR_QA:remove = "unknown-configure-option"
+
+do_configure:prepend () {
     export HELP2MAN='true'
-    cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${S}/build-aux/config.rpath
-    install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.guess ${S}
-    install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.sub ${S}
-    rm -f ${S}/glob/configure*
 }
 
-do_install_append () {
+do_install:append () {
     install -m 0755 -d ${D}${base_sbindir}
     install -m 0755 -d ${D}${sbindir}
     install -m 0755 -d ${D}${sysconfdir}/xinetd.d
@@ -70,6 +72,7 @@ do_install_append () {
          install -m 0755 -d ${D}${base_bindir}
          mv ${D}${bindir}/ping* ${D}${base_bindir}/
          mv ${D}${bindir}/hostname ${D}${base_bindir}/
+         mv ${D}${bindir}/dnsdomainname ${D}${base_bindir}/
     fi
     mv ${D}${bindir}/ifconfig ${D}${base_sbindir}/
     mv ${D}${libexecdir}/syslogd ${D}${base_sbindir}/
@@ -117,94 +120,99 @@ PACKAGES =+ "${PN}-tftpd-dbg ${PN}-telnetd-dbg ${PN}-rshd-dbg"
 NOAUTOPACKAGEDEBUG = "1"
 
 ALTERNATIVE_PRIORITY = "79"
-ALTERNATIVE_${PN} = "whois"
+ALTERNATIVE:${PN} = "whois dnsdomainname"
 ALTERNATIVE_LINK_NAME[uucpd]  = "${sbindir}/in.uucpd"
+ALTERNATIVE_LINK_NAME[dnsdomainname]  = "${base_bindir}/dnsdomainname"
 
 ALTERNATIVE_PRIORITY_${PN}-logger = "60"
-ALTERNATIVE_${PN}-logger = "logger"
-ALTERNATIVE_${PN}-syslogd = "syslogd"
+ALTERNATIVE:${PN}-logger = "logger"
+ALTERNATIVE:${PN}-syslogd = "syslogd"
 ALTERNATIVE_LINK_NAME[syslogd]  = "${base_sbindir}/syslogd"
 
-ALTERNATIVE_${PN}-ftp = "ftp"
-ALTERNATIVE_${PN}-ftpd = "ftpd"
-ALTERNATIVE_${PN}-tftp = "tftp"
-ALTERNATIVE_${PN}-tftpd = "tftpd"
+ALTERNATIVE:${PN}-ftp = "ftp"
+ALTERNATIVE:${PN}-ftpd = "ftpd"
+ALTERNATIVE:${PN}-tftp = "tftp"
+ALTERNATIVE:${PN}-tftpd = "tftpd"
 ALTERNATIVE_LINK_NAME[tftpd] = "${sbindir}/tftpd"
 ALTERNATIVE_TARGET[tftpd]  = "${sbindir}/in.tftpd"
 
-ALTERNATIVE_${PN}-telnet = "telnet"
-ALTERNATIVE_${PN}-telnetd = "telnetd"
+ALTERNATIVE:${PN}-telnet = "telnet"
+ALTERNATIVE:${PN}-telnetd = "telnetd"
 ALTERNATIVE_LINK_NAME[telnetd] = "${sbindir}/telnetd"
 ALTERNATIVE_TARGET[telnetd] = "${sbindir}/in.telnetd"
 
-ALTERNATIVE_${PN}-inetd= "inetd"
-ALTERNATIVE_${PN}-traceroute = "traceroute"
+ALTERNATIVE:${PN}-inetd= "inetd"
+ALTERNATIVE:${PN}-traceroute = "traceroute"
 
-ALTERNATIVE_${PN}-hostname = "hostname"
+ALTERNATIVE:${PN}-hostname = "hostname"
 ALTERNATIVE_LINK_NAME[hostname]  = "${base_bindir}/hostname"
 
-ALTERNATIVE_${PN}-doc = "hostname.1 dnsdomainname.1 logger.1 syslogd.8"
+ALTERNATIVE:${PN}-doc = "hostname.1 dnsdomainname.1 logger.1 syslogd.8 \
+                         tftpd.8 tftp.1 telnetd.8"
 ALTERNATIVE_LINK_NAME[hostname.1] = "${mandir}/man1/hostname.1"
 ALTERNATIVE_LINK_NAME[dnsdomainname.1] = "${mandir}/man1/dnsdomainname.1"
 ALTERNATIVE_LINK_NAME[logger.1] = "${mandir}/man1/logger.1"
 ALTERNATIVE_LINK_NAME[syslogd.8] = "${mandir}/man8/syslogd.8"
+ALTERNATIVE_LINK_NAME[telnetd.8] = "${mandir}/man8/telnetd.8"
+ALTERNATIVE_LINK_NAME[tftpd.8] = "${mandir}/man8/tftpd.8"
+ALTERNATIVE_LINK_NAME[tftp.1] = "${mandir}/man1/tftp.1"
 
-ALTERNATIVE_${PN}-ifconfig = "ifconfig"
+ALTERNATIVE:${PN}-ifconfig = "ifconfig"
 ALTERNATIVE_LINK_NAME[ifconfig]  = "${base_sbindir}/ifconfig"
 
-ALTERNATIVE_${PN}-ping = "ping"
+ALTERNATIVE:${PN}-ping = "ping"
 ALTERNATIVE_LINK_NAME[ping]   = "${base_bindir}/ping"
 
-ALTERNATIVE_${PN}-ping6 = "${@bb.utils.filter('PACKAGECONFIG', 'ping6', d)}"
+ALTERNATIVE:${PN}-ping6 = "${@bb.utils.filter('PACKAGECONFIG', 'ping6', d)}"
 ALTERNATIVE_LINK_NAME[ping6]  = "${base_bindir}/ping6"
 
 
-FILES_${PN}-dbg += "${base_bindir}/.debug ${base_sbindir}/.debug ${bindir}/.debug ${sbindir}/.debug"
-FILES_${PN}-ping = "${base_bindir}/ping.${BPN}"
-FILES_${PN}-ping6 = "${base_bindir}/ping6.${BPN}"
-FILES_${PN}-hostname = "${base_bindir}/hostname.${BPN}"
-FILES_${PN}-ifconfig = "${base_sbindir}/ifconfig.${BPN}"
-FILES_${PN}-traceroute = "${bindir}/traceroute.${BPN}"
-FILES_${PN}-logger = "${bindir}/logger.${BPN}"
+FILES:${PN}-dbg += "${base_bindir}/.debug ${base_sbindir}/.debug ${bindir}/.debug ${sbindir}/.debug"
+FILES:${PN}-ping = "${base_bindir}/ping.${BPN}"
+FILES:${PN}-ping6 = "${base_bindir}/ping6.${BPN}"
+FILES:${PN}-hostname = "${base_bindir}/hostname.${BPN}"
+FILES:${PN}-ifconfig = "${base_sbindir}/ifconfig.${BPN}"
+FILES:${PN}-traceroute = "${bindir}/traceroute.${BPN}"
+FILES:${PN}-logger = "${bindir}/logger.${BPN}"
 
-FILES_${PN}-syslogd = "${base_sbindir}/syslogd.${BPN}"
-RCONFLICTS_${PN}-syslogd = "rsyslog busybox-syslog sysklogd syslog-ng"
+FILES:${PN}-syslogd = "${base_sbindir}/syslogd.${BPN}"
+RCONFLICTS:${PN}-syslogd = "rsyslog busybox-syslog sysklogd syslog-ng"
 
-FILES_${PN}-ftp = "${bindir}/ftp.${BPN}"
+FILES:${PN}-ftp = "${bindir}/ftp.${BPN}"
 
-FILES_${PN}-tftp = "${bindir}/tftp.${BPN}"
-FILES_${PN}-telnet = "${bindir}/telnet.${BPN}"
+FILES:${PN}-tftp = "${bindir}/tftp.${BPN}"
+FILES:${PN}-telnet = "${bindir}/telnet.${BPN}"
 
 # We make us of RCONFLICTS / RPROVIDES here rather than using the normal
 # alternatives method as this leads to packaging QA issues when using
 # musl as that library does not provide what these applications need to
 # build.
-FILES_${PN}-rsh = "${bindir}/rsh ${bindir}/rlogin ${bindir}/rexec ${bindir}/rcp"
-RCONFLICTS_${PN}-rsh += "netkit-rsh-client"
-RPROVIDES_${PN}-rsh = "rsh"
+FILES:${PN}-rsh = "${bindir}/rsh ${bindir}/rlogin ${bindir}/rexec ${bindir}/rcp"
+RCONFLICTS:${PN}-rsh += "netkit-rsh-client"
+RPROVIDES:${PN}-rsh = "rsh"
 
-FILES_${PN}-rshd = "${sbindir}/in.rshd ${sbindir}/in.rlogind ${sbindir}/in.rexecd \
+FILES:${PN}-rshd = "${sbindir}/in.rshd ${sbindir}/in.rlogind ${sbindir}/in.rexecd \
                     ${sysconfdir}/xinetd.d/rsh ${sysconfdir}/xinetd.d/rlogin ${sysconfdir}/xinetd.d/rexec"
-FILES_${PN}-rshd-dbg = "${sbindir}/.debug/in.rshd ${sbindir}/.debug/in.rlogind ${sbindir}/.debug/in.rexecd"
-RDEPENDS_${PN}-rshd += "xinetd tcp-wrappers"
-RCONFLICTS_${PN}-rshd += "netkit-rshd-server"
-RPROVIDES_${PN}-rshd = "rshd"
+FILES:${PN}-rshd-dbg = "${sbindir}/.debug/in.rshd ${sbindir}/.debug/in.rlogind ${sbindir}/.debug/in.rexecd"
+RDEPENDS:${PN}-rshd += "xinetd tcp-wrappers"
+RCONFLICTS:${PN}-rshd += "netkit-rshd-server"
+RPROVIDES:${PN}-rshd = "rshd"
 
-FILES_${PN}-ftpd = "${bindir}/ftpd.${BPN}"
-FILES_${PN}-ftpd-dbg = "${bindir}/.debug/ftpd.${BPN}"
-RDEPENDS_${PN}-ftpd += "xinetd"
+FILES:${PN}-ftpd = "${bindir}/ftpd.${BPN}"
+FILES:${PN}-ftpd-dbg = "${bindir}/.debug/ftpd.${BPN}"
+RDEPENDS:${PN}-ftpd += "xinetd"
 
-FILES_${PN}-tftpd = "${sbindir}/in.tftpd ${sysconfdir}/xinetd.d/tftpd"
-FILES_${PN}-tftpd-dbg = "${sbindir}/.debug/in.tftpd"
-RCONFLICTS_${PN}-tftpd += "netkit-tftpd"
-RDEPENDS_${PN}-tftpd += "xinetd"
+FILES:${PN}-tftpd = "${sbindir}/in.tftpd ${sysconfdir}/xinetd.d/tftpd"
+FILES:${PN}-tftpd-dbg = "${sbindir}/.debug/in.tftpd"
+RCONFLICTS:${PN}-tftpd += "netkit-tftpd"
+RDEPENDS:${PN}-tftpd += "xinetd"
 
-FILES_${PN}-telnetd = "${sbindir}/in.telnetd ${sysconfdir}/xinetd.d/telnet"
-FILES_${PN}-telnetd-dbg = "${sbindir}/.debug/in.telnetd"
-RCONFLICTS_${PN}-telnetd += "netkit-telnet"
-RPROVIDES_${PN}-telnetd = "telnetd"
-RDEPENDS_${PN}-telnetd += "xinetd"
+FILES:${PN}-telnetd = "${sbindir}/in.telnetd ${sysconfdir}/xinetd.d/telnet"
+FILES:${PN}-telnetd-dbg = "${sbindir}/.debug/in.telnetd"
+RCONFLICTS:${PN}-telnetd += "netkit-telnet"
+RPROVIDES:${PN}-telnetd = "telnetd"
+RDEPENDS:${PN}-telnetd += "xinetd"
 
-FILES_${PN}-inetd = "${bindir}/inetd.${BPN}"
+FILES:${PN}-inetd = "${bindir}/inetd.${BPN}"
 
-RDEPENDS_${PN} = "xinetd"
+RDEPENDS:${PN} = "xinetd"
diff --git a/meta/recipes-connectivity/iproute2/iproute2.inc b/meta/recipes-connectivity/iproute2/iproute2.inc
deleted file mode 100644
index fc31b8444e..0000000000
--- a/meta/recipes-connectivity/iproute2/iproute2.inc
+++ /dev/null
@@ -1,69 +0,0 @@
-SUMMARY = "TCP / IP networking and traffic control utilities"
-DESCRIPTION = "Iproute2 is a collection of utilities for controlling \
-TCP / IP networking and traffic control in Linux.  Of the utilities ip \
-and tc are the most important.  ip controls IPv4 and IPv6 \
-configuration and tc stands for traffic control."
-HOMEPAGE = "http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2"
-SECTION = "base"
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
-                    file://ip/ip.c;beginline=3;endline=8;md5=689d691d0410a4b64d3899f8d6e31817"
-
-DEPENDS = "flex-native bison-native iptables libcap"
-
-inherit update-alternatives bash-completion pkgconfig
-
-CLEANBROKEN = "1"
-
-PACKAGECONFIG ??= "tipc elf"
-PACKAGECONFIG[tipc] = ",,libmnl,"
-PACKAGECONFIG[elf] = ",,elfutils,"
-
-EXTRA_OEMAKE = "CC='${CC}' KERNEL_INCLUDE=${STAGING_INCDIR} DOCDIR=${docdir}/iproute2 SUBDIRS='lib tc ip bridge misc genl \
-                ${@bb.utils.contains('PACKAGECONFIG', 'tipc', 'tipc', '', d)}' SBINDIR='${base_sbindir}' LIBDIR='${libdir}'"
-
-do_configure_append () {
-    sh configure ${STAGING_INCDIR}
-    # Explicitly disable ATM support
-    sed -i -e '/TC_CONFIG_ATM/d' config.mk
-}
-
-do_install () {
-    oe_runmake DESTDIR=${D} install
-    mv ${D}${base_sbindir}/ip ${D}${base_sbindir}/ip.iproute2
-    install -d ${D}${datadir}
-    mv ${D}/share/* ${D}${datadir}/ || true
-    rm ${D}/share -rf || true
-}
-
-# The .so files in iproute2-tc are modules, not traditional libraries
-INSANE_SKIP_${PN}-tc = "dev-so"
-
-PACKAGES =+ "${PN}-tc \
-             ${PN}-lnstat \
-             ${PN}-ifstat \
-             ${PN}-genl \
-             ${PN}-rtacct \
-             ${PN}-nstat \
-             ${PN}-ss \
-             ${@bb.utils.contains('PACKAGECONFIG', 'tipc', '${PN}-tipc', '', d)}"
-FILES_${PN}-tc = "${base_sbindir}/tc* \
-                  ${libdir}/tc/*.so"
-FILES_${PN}-lnstat = "${base_sbindir}/lnstat \
-                      ${base_sbindir}/ctstat \
-                      ${base_sbindir}/rtstat"
-FILES_${PN}-ifstat = "${base_sbindir}/ifstat"
-FILES_${PN}-genl = "${base_sbindir}/genl"
-FILES_${PN}-rtacct = "${base_sbindir}/rtacct"
-FILES_${PN}-nstat = "${base_sbindir}/nstat"
-FILES_${PN}-ss = "${base_sbindir}/ss"
-FILES_${PN}-tipc = "${base_sbindir}/tipc"
-
-ALTERNATIVE_${PN} = "ip"
-ALTERNATIVE_TARGET[ip] = "${base_sbindir}/ip.${BPN}"
-ALTERNATIVE_LINK_NAME[ip] = "${base_sbindir}/ip"
-ALTERNATIVE_PRIORITY = "100"
-
-ALTERNATIVE_${PN}-tc = "tc"
-ALTERNATIVE_LINK_NAME[tc] = "${base_sbindir}/tc"
-ALTERNATIVE_PRIORITY_${PN}-tc = "100"
diff --git a/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch b/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch
index 50c4bfb0f2..74e3de1ce9 100644
--- a/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch
+++ b/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch
@@ -1,4 +1,4 @@
-From b7d96340c55afb7023ded0041107c63dbd886196 Mon Sep 17 00:00:00 2001
+From c25f8d1f7a6203dfeb10b39f80ffd314bb84a58d Mon Sep 17 00:00:00 2001
 From: Baruch Siach <baruch@tkos.co.il>
 Date: Thu, 22 Dec 2016 15:26:30 +0200
 Subject: [PATCH] libc-compat.h: add musl workaround
@@ -14,15 +14,16 @@ https://git.buildroot.net/buildroot/tree/package/iproute2/0001-Add-the-musl-work
 
 Signed-off-by: Baruch Siach <baruch@tkos.co.il>
 Signed-off-by: Maxin B. John <maxin.john@intel.com>
+
 ---
  include/uapi/linux/libc-compat.h | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h
-index f38571d..30f0b67 100644
+index a159991..22198fa 100644
 --- a/include/uapi/linux/libc-compat.h
 +++ b/include/uapi/linux/libc-compat.h
-@@ -49,10 +49,12 @@
+@@ -50,10 +50,12 @@
  #define _LIBC_COMPAT_H
  
  /* We have included glibc headers... */
@@ -36,6 +37,3 @@ index f38571d..30f0b67 100644
  
  /* GLIBC headers included first so don't define anything
   * that would already be defined. */
--- 
-2.4.0
-
diff --git a/meta/recipes-connectivity/iproute2/iproute2_5.3.0.bb b/meta/recipes-connectivity/iproute2/iproute2_5.3.0.bb
deleted file mode 100644
index 8a86cbf78c..0000000000
--- a/meta/recipes-connectivity/iproute2/iproute2_5.3.0.bb
+++ /dev/null
@@ -1,12 +0,0 @@
-require iproute2.inc
-
-SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \
-           file://0001-libc-compat.h-add-musl-workaround.patch \
-          "
-
-SRC_URI[md5sum] = "227404413c8d6db649d6188ead1e5a6e"
-SRC_URI[sha256sum] = "cb1c1e45993a3bd2438543fd4332d70f1726a6e6ff97dc613a8258c993117b3f"
-
-# CFLAGS are computed in Makefile and reference CCOPTS
-#
-EXTRA_OEMAKE_append = " CCOPTS='${CFLAGS}'"
diff --git a/meta/recipes-connectivity/iproute2/iproute2_6.7.0.bb b/meta/recipes-connectivity/iproute2/iproute2_6.7.0.bb
new file mode 100644
index 0000000000..8c460adf73
--- /dev/null
+++ b/meta/recipes-connectivity/iproute2/iproute2_6.7.0.bb
@@ -0,0 +1,106 @@
+SUMMARY = "TCP / IP networking and traffic control utilities"
+DESCRIPTION = "Iproute2 is a collection of utilities for controlling \
+TCP / IP networking and traffic control in Linux.  Of the utilities ip \
+and tc are the most important.  ip controls IPv4 and IPv6 \
+configuration and tc stands for traffic control."
+HOMEPAGE = "http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2"
+SECTION = "base"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
+                    "
+
+DEPENDS = "flex-native bison-native iptables libcap"
+
+SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \
+           file://0001-libc-compat.h-add-musl-workaround.patch \
+           "
+
+SRC_URI[sha256sum] = "ff942dd9828d7d1f867f61fe72ce433078c31e5d8e4a78e20f02cb5892e8841d"
+
+inherit update-alternatives bash-completion pkgconfig
+
+PACKAGECONFIG ??= "tipc elf devlink"
+PACKAGECONFIG[tipc] = ",,libmnl,"
+PACKAGECONFIG[elf] = ",,elfutils,"
+PACKAGECONFIG[devlink] = ",,libmnl,"
+PACKAGECONFIG[rdma] = ",,libmnl,"
+PACKAGECONFIG[selinux] = ",,libselinux"
+
+IPROUTE2_MAKE_SUBDIRS = "lib tc ip bridge misc genl ${@bb.utils.filter('PACKAGECONFIG', 'devlink tipc rdma', d)}"
+
+# CFLAGS are computed in Makefile and reference CCOPTS
+#
+EXTRA_OEMAKE = "\
+    CC='${CC}' \
+    KERNEL_INCLUDE=${STAGING_INCDIR} \
+    DOCDIR=${docdir}/iproute2 \
+    SUBDIRS='${IPROUTE2_MAKE_SUBDIRS}' \
+    SBINDIR='${base_sbindir}' \
+    CONF_USR_DIR='${libdir}/iproute2' \
+    LIBDIR='${libdir}' \
+    CCOPTS='${CFLAGS}' \
+"
+
+do_configure:append () {
+    sh configure ${STAGING_INCDIR}
+    # Explicitly disable ATM support
+    sed -i -e '/TC_CONFIG_ATM/d' config.mk
+}
+
+do_install () {
+    oe_runmake DESTDIR=${D} install
+    mv ${D}${base_sbindir}/ip ${D}${base_sbindir}/ip.iproute2
+    install -d ${D}${datadir}
+    mv ${D}/share/* ${D}${datadir}/ || true
+    rm ${D}/share -rf || true
+}
+
+# The .so files in iproute2-tc are modules, not traditional libraries
+INSANE_SKIP:${PN}-tc = "dev-so"
+
+IPROUTE2_PACKAGES =+ "\
+    ${PN}-bridge \
+    ${PN}-devlink \
+    ${PN}-genl \
+    ${PN}-ifstat \
+    ${PN}-ip \
+    ${PN}-lnstat \
+    ${PN}-nstat \
+    ${PN}-routel \
+    ${PN}-rtacct \
+    ${PN}-ss \
+    ${PN}-tc \
+    ${PN}-tipc \
+    ${PN}-rdma \
+"
+
+PACKAGE_BEFORE_PN = "${IPROUTE2_PACKAGES}"
+RDEPENDS:${PN} += "${PN}-ip"
+
+FILES:${PN}-tc = "${base_sbindir}/tc* \
+                  ${libdir}/tc/*.so"
+FILES:${PN}-lnstat = "${base_sbindir}/lnstat \
+                      ${base_sbindir}/ctstat \
+                      ${base_sbindir}/rtstat"
+FILES:${PN}-ifstat = "${base_sbindir}/ifstat"
+FILES:${PN}-ip = "${base_sbindir}/ip.* ${libdir}/iproute2"
+FILES:${PN}-genl = "${base_sbindir}/genl"
+FILES:${PN}-rtacct = "${base_sbindir}/rtacct"
+FILES:${PN}-nstat = "${base_sbindir}/nstat"
+FILES:${PN}-ss = "${base_sbindir}/ss"
+FILES:${PN}-tipc = "${base_sbindir}/tipc"
+FILES:${PN}-devlink = "${base_sbindir}/devlink"
+FILES:${PN}-rdma = "${base_sbindir}/rdma"
+FILES:${PN}-routel = "${base_sbindir}/routel"
+FILES:${PN}-bridge = "${base_sbindir}/bridge"
+
+RDEPENDS:${PN}-routel = "python3-core"
+
+ALTERNATIVE:${PN}-ip = "ip"
+ALTERNATIVE_TARGET[ip] = "${base_sbindir}/ip.${BPN}"
+ALTERNATIVE_LINK_NAME[ip] = "${base_sbindir}/ip"
+ALTERNATIVE_PRIORITY = "100"
+
+ALTERNATIVE:${PN}-tc = "tc"
+ALTERNATIVE_LINK_NAME[tc] = "${base_sbindir}/tc"
+ALTERNATIVE_PRIORITY_${PN}-tc = "100"
diff --git a/meta/recipes-connectivity/iw/iw/separate-objdir.patch b/meta/recipes-connectivity/iw/iw/separate-objdir.patch
index eb01a5a14e..179fd90124 100644
--- a/meta/recipes-connectivity/iw/iw/separate-objdir.patch
+++ b/meta/recipes-connectivity/iw/iw/separate-objdir.patch
@@ -1,3 +1,6 @@
+From ff9f0a631c99fb6e2677c02bf572a5e69c70f5cf Mon Sep 17 00:00:00 2001
+From: Changhyeok Bae <changhyeok.bae@gmail.com>
+Date: Mon, 27 Jan 2020 22:48:03 +0100
 Subject: [PATCH] Support separation of SRCDIR and OBJDIR
 
 Typical use of VPATH to locate the sources.
@@ -11,12 +14,12 @@ Signed-off-by: Maxin B. John <maxin.john@intel.com>
  1 file changed, 6 insertions(+), 2 deletions(-)
 
 diff --git a/Makefile b/Makefile
-index 33aaf6a..9030796 100644
+index 90f2251..714cdb9 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -1,5 +1,9 @@
  MAKEFLAGS += --no-print-directory
-
+ 
 +SRCDIR ?= $(dir $(lastword $(MAKEFILE_LIST)))
 +OBJDIR ?= $(PWD)
 +VPATH = $(SRCDIR)
@@ -24,19 +27,24 @@ index 33aaf6a..9030796 100644
  PREFIX ?= /usr
  SBINDIR ?= $(PREFIX)/sbin
  MANDIR ?= $(PREFIX)/share/man
-@@ -103,11 +107,11 @@ VERSION_OBJS := $(filter-out version.o, $(OBJS))
+@@ -92,7 +96,7 @@ all: $(ALL)
  version.c: version.sh $(patsubst %.o,%.c,$(VERSION_OBJS)) nl80211.h iw.h Makefile \
  		$(wildcard .git/index .git/refs/tags)
  	@$(NQ) ' GEN ' $@
 -	$(Q)./version.sh $@
 +	$(Q)cd $(SRCDIR) && ./version.sh $(OBJDIR)/$@
-
- %.o: %.c iw.h nl80211.h
+ 
+ nl80211-commands.inc: nl80211.h
+ 	@$(NQ) ' GEN ' $@
+@@ -100,7 +104,7 @@ nl80211-commands.inc: nl80211.h
+ 
+ %.o: %.c iw.h nl80211.h nl80211-commands.inc
  	@$(NQ) ' CC  ' $@
 -	$(Q)$(CC) $(CFLAGS) $(CPPFLAGS) -c -o $@ $<
 +	$(Q)$(CC) -I$(SRCDIR) $(CFLAGS) $(CPPFLAGS) -c -o $@ $<
-
+ 
  ifeq ($(IW_ANDROID_BUILD),)
  iw:	$(OBJS)
---
-2.20.1 (Apple Git-117)
+-- 
+2.23.0
+
diff --git a/meta/recipes-connectivity/iw/iw_5.3.bb b/meta/recipes-connectivity/iw/iw_6.7.bb
index f7f13f5a30..b46b54bc93 100644
--- a/meta/recipes-connectivity/iw/iw_5.3.bb
+++ b/meta/recipes-connectivity/iw/iw_6.7.bb
@@ -2,7 +2,7 @@ SUMMARY = "nl80211 based CLI configuration utility for wireless devices"
 DESCRIPTION = "iw is a new nl80211 based CLI configuration utility for \
 wireless devices. It supports almost all new drivers that have been added \
 to the kernel recently. "
-HOMEPAGE = "http://wireless.kernel.org/en/users/Documentation/iw"
+HOMEPAGE = "https://wireless.wiki.kernel.org/en/users/documentation/iw"
 SECTION = "base"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=878618a5c4af25e9b93ef0be1a93f774"
@@ -14,8 +14,7 @@ SRC_URI = "http://www.kernel.org/pub/software/network/iw/${BP}.tar.gz \
            file://separate-objdir.patch \
 "
 
-SRC_URI[md5sum] = "6d4d1c0ee34f3a7bda0e6aafcd7aaf31"
-SRC_URI[sha256sum] = "175abbfce86348c0b70e778c13a94c0bfc9abc7a506d2bd608261583aeedf64a"
+SRC_URI[sha256sum] = "b3ef3fa85fa1177b11d3e97d6d38cdfe10ee250ca31482b581f3bd0fc79cb015"
 
 inherit pkgconfig
 
diff --git a/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch b/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch
new file mode 100644
index 0000000000..8a5bd00302
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/0001-kea-fix-reproducible-build-failure.patch
@@ -0,0 +1,62 @@
+From f9bcfed5a1d44d9211c5f6eba403a9898c8c9057 Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Tue, 8 Aug 2023 19:03:13 +0100
+Subject: [PATCH] kea: fix reproducible build failure
+
+New version of Kea has started using path of build-dir instead of
+src-dir which results in reproducible builds failure.
+Use src-dir as is used in v2.2.0
+
+Upstream-Status: Pending
+https://gitlab.isc.org/isc-projects/kea/-/issues/3007
+
+Upstream has confirmed the patch will not be accepted but discussions
+with upstream is still going on, we might have a proper solution later.
+
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+---
+ src/bin/admin/kea-admin.in | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/bin/admin/kea-admin.in b/src/bin/admin/kea-admin.in
+index 034a0ee..8ab11ab 100644
+--- a/src/bin/admin/kea-admin.in
++++ b/src/bin/admin/kea-admin.in
+@@ -51,14 +51,14 @@ dump_qry=""
+ if test -f "@datarootdir@/@PACKAGE_NAME@/scripts/admin-utils.sh"; then
+     . "@datarootdir@/@PACKAGE_NAME@/scripts/admin-utils.sh"
+ else
+-    . "@abs_top_builddir@/src/bin/admin/admin-utils.sh"
++    . "@abs_top_srcdir@/src/bin/admin/admin-utils.sh"
+ fi
+ 
+ # Find the installed kea-lfc if available. Fallback to sources otherwise.
+ if test -x "@sbindir@/kea-lfc"; then
+     kea_lfc="@sbindir@/kea-lfc"
+ else
+-    kea_lfc="@abs_top_builddir@/src/bin/lfc/kea-lfc"
++    kea_lfc="@abs_top_srcdir@/src/bin/lfc/kea-lfc"
+ fi
+ 
+ # Prints out usage version.
+@@ -355,7 +355,7 @@ mysql_upgrade() {
+     # Check if there are any files in it
+     num_files=$(find "${upgrade_scripts_dir}" -name 'upgrade*.sh' -type f | wc -l)
+     if [ "$num_files" -eq 0 ]; then
+-        upgrade_scripts_dir=@abs_top_builddir@/src/share/database/scripts/mysql
++        upgrade_scripts_dir=@abs_top_srcdir@/src/share/database/scripts/mysql
+ 
+         # Check if the scripts directory exists at all.
+         if [ ! -d ${upgrade_scripts_dir} ]; then
+@@ -405,7 +405,7 @@ pgsql_upgrade() {
+     # Check if there are any files in it
+     num_files=$(find "${upgrade_scripts_dir}" -name 'upgrade*.sh' -type f | wc -l)
+     if [ "$num_files" -eq 0 ]; then
+-        upgrade_scripts_dir=@abs_top_builddir@/src/share/database/scripts/pgsql
++        upgrade_scripts_dir=@abs_top_srcdir@/src/share/database/scripts/pgsql
+ 
+         # Check if the scripts directory exists at all.
+         if [ ! -d ${upgrade_scripts_dir} ]; then
+-- 
+2.39.2
+
diff --git a/meta/recipes-connectivity/kea/files/0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch b/meta/recipes-connectivity/kea/files/0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch
new file mode 100644
index 0000000000..94fbd12737
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch
@@ -0,0 +1,28 @@
+From 841924e1fe8db2bff3eab8d37634ef08f86c00ec Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex.kanavin@gmail.com>
+Date: Tue, 10 Nov 2020 15:57:03 +0000
+Subject: [PATCH] src/lib/log/logger_unittest_support.cc: do not write build
+ path into binary
+
+This breaks reproducibility and is needed only in unit testing.
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+
+---
+ src/lib/log/logger_unittest_support.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/log/logger_unittest_support.cc b/src/lib/log/logger_unittest_support.cc
+index fc01c6e..f46d17e 100644
+--- a/src/lib/log/logger_unittest_support.cc
++++ b/src/lib/log/logger_unittest_support.cc
+@@ -84,7 +84,7 @@ void initLogger(isc::log::Severity severity, int dbglevel) {
+     const char* localfile = getenv("KEA_LOGGER_LOCALMSG");
+ 
+     // Set a directory for creating lockfiles when running tests
+-    setenv("KEA_LOCKFILE_DIR", TOP_BUILDDIR, 0);
++    //setenv("KEA_LOCKFILE_DIR", TOP_BUILDDIR, 0);
+ 
+     // Initialize logging
+     initLogger(root, severity, dbglevel, localfile);
diff --git a/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch
new file mode 100644
index 0000000000..5b135b3aee
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch
@@ -0,0 +1,58 @@
+From 06ebd1b2ced426c420ed162980eca194f9f918ae Mon Sep 17 00:00:00 2001
+From: Kai Kang <kai.kang@windriver.com>
+Date: Tue, 22 Sep 2020 15:02:33 +0800
+Subject: [PATCH] There are conflict of config files between kea and lib32-kea:
+
+| Error: Transaction test error:
+|  file /etc/kea/kea-ctrl-agent.conf conflicts between attempted installs of
+     lib32-kea-1.7.10-r0.core2_32 and kea-1.7.10-r0.core2_64
+|  file /etc/kea/kea-dhcp4.conf conflicts between attempted installs of
+     lib32-kea-1.7.10-r0.core2_32 and kea-1.7.10-r0.core2_64
+
+Because they are all commented out, replace the expanded libdir path with
+'$libdir' in the config files to avoid conflict.
+
+Upstream-Status: Submitted [https://gitlab.isc.org/isc-projects/kea/-/issues/2602]
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+---
+ src/bin/keactrl/kea-ctrl-agent.conf.pre | 3 ++-
+ src/bin/keactrl/kea-dhcp4.conf.pre      | 4 ++--
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/bin/keactrl/kea-ctrl-agent.conf.pre b/src/bin/keactrl/kea-ctrl-agent.conf.pre
+index e6ae8b8..50a3092 100644
+--- a/src/bin/keactrl/kea-ctrl-agent.conf.pre
++++ b/src/bin/keactrl/kea-ctrl-agent.conf.pre
+@@ -51,7 +51,8 @@
+     // Agent will fail to start.
+     "hooks-libraries": [
+ //  {
+-//      "library": "@libdir@/kea/hooks/control-agent-commands.so",
++//      // Replace $libdir with real library path /usr/lib or /usr/lib64
++//      "library": "$libdir/kea/hooks/control-agent-commands.so",
+ //      "parameters": {
+ //          "param1": "foo"
+ //      }
+diff --git a/src/bin/keactrl/kea-dhcp4.conf.pre b/src/bin/keactrl/kea-dhcp4.conf.pre
+index 6edb8a1..b2a7385 100644
+--- a/src/bin/keactrl/kea-dhcp4.conf.pre
++++ b/src/bin/keactrl/kea-dhcp4.conf.pre
+@@ -255,7 +255,7 @@
+     //       // of all devices serviced by Kea, including their identifiers
+     //       // (like MAC address), their location in the network, times
+     //       // when they were active etc.
+-    //       "library": "@libdir@/kea/hooks/libdhcp_legal_log.so",
++    //       "library": "$libdir/kea/hooks/libdhcp_legal_log.so",
+     //       "parameters": {
+     //           "path": "/var/lib/kea",
+     //           "base-name": "kea-forensic4"
+@@ -272,7 +272,7 @@
+     //       // of specific options or perhaps even a combination of several
+     //       // options and fields to uniquely identify a client. Those scenarios
+     //       // are addressed by the Flexible Identifiers hook application.
+-    //       "library": "@libdir@/kea/hooks/libdhcp_flex_id.so",
++    //       "library": "$libdir/kea/hooks/libdhcp_flex_id.so",
+     //       "parameters": {
+     //           "identifier-expression": "relay4[2].hex"
+     //       }
diff --git a/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch b/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch
new file mode 100644
index 0000000000..63a6a2805b
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch
@@ -0,0 +1,29 @@
+From c878a356712606549f7f188b62f7d1cae08a176e Mon Sep 17 00:00:00 2001
+From: Armin kuster <akuster808@gmail.com>
+Date: Wed, 14 Oct 2020 22:48:31 -0700
+Subject: [PATCH] Busybox does not support ps -p so use pgrep
+
+Upstream-Status: Inappropriate [embedded specific]
+Based on changes from Diego Sueiro <Diego.Sueiro@arm.com>
+
+Signed-off-by: Armin kuster <akuster808@gmail.com>
+
+---
+ src/bin/keactrl/keactrl.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/bin/keactrl/keactrl.in b/src/bin/keactrl/keactrl.in
+index 450e997..c353ca9 100644
+--- a/src/bin/keactrl/keactrl.in
++++ b/src/bin/keactrl/keactrl.in
+@@ -149,8 +149,8 @@ check_running() {
+     # Get the PID from the PID file (if it exists)
+     get_pid_from_file "${proc_name}"
+     if [ ${_pid} -gt 0 ]; then
+-        # Use ps to check if PID is alive
+-        if ps -p ${_pid} 1>/dev/null; then
++        # Use pgrep and grep to check if PID is alive
++        if pgrep -v 1 | grep ${_pid} 1>/dev/null; then
+             # No error, so PID IS ALIVE
+             _running=1
+         fi
diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns-server b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns-server
new file mode 100644
index 0000000000..50fe40d439
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns-server
@@ -0,0 +1,46 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          kea-dhcp-ddns-server
+# Required-Start:    $local_fs $network $remote_fs $syslog
+# Required-Stop:     $local_fs $network $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: ISC KEA DHCP IPv6 Server
+### END INIT INFO
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="kea-dhcp-ddns-server"
+NAME=kea-dhcp-ddns
+DAEMON=/usr/sbin/keactrl
+DAEMON_ARGS=" -s dhcp_ddns"
+
+set -e
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Source function library.
+. /etc/init.d/functions
+
+case "$1" in
+  start)
+        echo -n "Starting $DESC: "
+        start-stop-daemon -S -b -n $NAME -x $DAEMON -- start $DAEMON_ARGS
+        echo "done."
+        ;;
+  stop)
+        echo -n "Stopping $DESC: "
+        kpid=`pidof $NAME`
+        kill $kpid
+        echo "done."
+        ;;
+  restart|force-reload)
+        #
+        $0 stop
+        $0 start
+        ;;
+  *)
+        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
+        exit 1
+        ;;
+esac
diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
new file mode 100644
index 0000000000..f6059d73cb
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Kea DHCP-DDNS Server
+Wants=network-online.target
+After=network-online.target
+After=time-sync.target
+
+[Service]
+ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/
+ExecStart=@SBINDIR@/kea-dhcp-ddns -c @SYSCONFDIR@/kea/kea-dhcp-ddns.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp4-server b/meta/recipes-connectivity/kea/files/kea-dhcp4-server
new file mode 100644
index 0000000000..e83e51025d
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/kea-dhcp4-server
@@ -0,0 +1,46 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          kea-dhcp4-server
+# Required-Start:    $local_fs $network $remote_fs $syslog
+# Required-Stop:     $local_fs $network $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: ISC KEA DHCP IPv6 Server
+### END INIT INFO
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="kea-dhcp4-server"
+NAME=kea-dhcp4
+DAEMON=/usr/sbin/keactrl
+DAEMON_ARGS=" -s dhcp4"
+
+set -e
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Source function library.
+. /etc/init.d/functions
+
+case "$1" in
+  start)
+        echo -n "Starting $DESC: "
+        start-stop-daemon -S -b -n $NAME -x $DAEMON -- start $DAEMON_ARGS
+        echo "done."
+        ;;
+  stop)
+        echo -n "Stopping $DESC: "
+        kpid=`pidof $NAME`
+        kill $kpid
+        echo "done."
+        ;;
+  restart|force-reload)
+        #
+        $0 stop
+        $0 start
+        ;;
+  *)
+        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
+        exit 1
+        ;;
+esac
diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp4.service b/meta/recipes-connectivity/kea/files/kea-dhcp4.service
new file mode 100644
index 0000000000..b851ea71c5
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/kea-dhcp4.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Kea DHCPv4 Server
+Wants=network-online.target
+After=network-online.target
+After=time-sync.target
+
+[Service]
+ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/
+ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/lib/kea
+ExecStart=@SBINDIR@/kea-dhcp4 -c @SYSCONFDIR@/kea/kea-dhcp4.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp6-server b/meta/recipes-connectivity/kea/files/kea-dhcp6-server
new file mode 100644
index 0000000000..10f2d22641
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/kea-dhcp6-server
@@ -0,0 +1,47 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          kea-dhcp6-server
+# Required-Start:    $local_fs $network $remote_fs $syslog
+# Required-Stop:     $local_fs $network $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: ISC KEA DHCP IPv6 Server
+### END INIT INFO
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="kea-dhcp6-server"
+NAME=kea-dhcp6
+DAEMON=/usr/sbin/keactrl
+DAEMON_ARGS=" -s dhcp6"
+
+set -e
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Source function library.
+. /etc/init.d/functions
+
+case "$1" in
+  start)
+        echo -n "Starting $DESC: "
+        start-stop-daemon -S -b -n $NAME -x $DAEMON -- start $DAEMON_ARGS
+        echo "done."
+        ;;
+  stop)
+        echo -n "Stopping $DESC: "
+        kpid=`pidof $NAME`
+        kill $kpid
+        echo "done."
+        ;;
+  restart|force-reload)
+        #
+        $0 stop
+        $0 start
+        ;;
+  *)
+        echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
+        exit 1
+        ;;
+esac
diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp6.service b/meta/recipes-connectivity/kea/files/kea-dhcp6.service
new file mode 100644
index 0000000000..0f9f0ef8d9
--- /dev/null
+++ b/meta/recipes-connectivity/kea/files/kea-dhcp6.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Kea DHCPv6 Server
+Wants=network-online.target
+After=network-online.target
+After=time-sync.target
+
+[Service]
+ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/
+ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/lib/kea
+ExecStart=@SBINDIR@/kea-dhcp6 -c @SYSCONFDIR@/kea/kea-dhcp6.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/kea/kea_2.4.1.bb b/meta/recipes-connectivity/kea/kea_2.4.1.bb
new file mode 100644
index 0000000000..c3aa4dc8f0
--- /dev/null
+++ b/meta/recipes-connectivity/kea/kea_2.4.1.bb
@@ -0,0 +1,78 @@
+SUMMARY = "ISC Kea DHCP Server"
+DESCRIPTION = "Kea is the next generation of DHCP software developed by ISC. It supports both DHCPv4 and DHCPv6 protocols along with their extensions, e.g. prefix delegation and dynamic updates to DNS."
+HOMEPAGE = "http://kea.isc.org"
+SECTION = "connectivity"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=ea061fa0188838072c4248c1318ec131"
+
+DEPENDS = "boost log4cplus openssl"
+
+SRC_URI = "http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \
+           file://kea-dhcp4.service \
+           file://kea-dhcp6.service \
+           file://kea-dhcp-ddns.service \
+           file://kea-dhcp4-server \
+           file://kea-dhcp6-server \
+           file://kea-dhcp-ddns-server \
+           file://fix-multilib-conflict.patch \
+           file://fix_pid_keactrl.patch \
+           file://0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch \
+           file://0001-kea-fix-reproducible-build-failure.patch \
+           "
+SRC_URI[sha256sum] = "815c61f5c271caa4a1db31dd656eb50a7f6ea973da3690f7c8581408e180131a"
+
+inherit autotools systemd update-rc.d upstream-version-is-even
+
+INITSCRIPT_NAME = "kea-dhcp4-server"
+INITSCRIPT_PARAMS = "defaults 30"
+
+SYSTEMD_SERVICE:${PN} = "kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+DEBUG_OPTIMIZATION:remove:mips = " -Og"
+DEBUG_OPTIMIZATION:append:mips = " -O"
+BUILD_OPTIMIZATION:remove:mips = " -Og"
+BUILD_OPTIMIZATION:append:mips = " -O"
+
+DEBUG_OPTIMIZATION:remove:mipsel = " -Og"
+DEBUG_OPTIMIZATION:append:mipsel = " -O"
+BUILD_OPTIMIZATION:remove:mipsel = " -Og"
+BUILD_OPTIMIZATION:append:mipsel = " -O"
+
+EXTRA_OECONF = "--with-boost-libs=-lboost_system \
+                --with-log4cplus=${STAGING_DIR_TARGET}${prefix} \
+                --with-openssl=${STAGING_DIR_TARGET}${prefix}"
+
+do_configure:prepend() {
+    # replace abs_top_builddir to avoid introducing the build path
+    # don't expand the abs_top_builddir on the target as the abs_top_builddir is meanlingless on the target
+    find ${S} -type f -name *.sh.in | xargs sed -i  "s:@abs_top_builddir@:@abs_top_builddir_placeholder@:g"
+    sed -i "s:@abs_top_srcdir@:@abs_top_srcdir_placeholder@:g" ${S}/src/bin/admin/kea-admin.in
+}
+
+# patch out build host paths for reproducibility
+do_compile:prepend:class-target() {
+        sed -i -e "s,${WORKDIR},,g" ${B}/config.report
+}
+
+do_install:append() {
+    install -d ${D}${sysconfdir}/init.d
+    install -d ${D}${systemd_system_unitdir}
+
+    install -m 0644 ${WORKDIR}/kea-dhcp*service ${D}${systemd_system_unitdir}
+    install -m 0755 ${WORKDIR}/kea-*-server ${D}${sysconfdir}/init.d
+    sed -i -e 's,@SBINDIR@,${sbindir},g' -e 's,@BASE_BINDIR@,${base_bindir},g' \
+           -e 's,@LOCALSTATEDIR@,${localstatedir},g' -e 's,@SYSCONFDIR@,${sysconfdir},g' \
+           ${D}${systemd_system_unitdir}/kea-dhcp*service ${D}${sbindir}/keactrl
+}
+
+do_install:append() {
+    rm -rf "${D}${localstatedir}"
+}
+
+CONFFILES:${PN} = "${sysconfdir}/kea/keactrl.conf"
+
+FILES:${PN}-staticdev += "${libdir}/kea/hooks/*.a ${libdir}/hooks/*.a"
+FILES:${PN} += "${libdir}/hooks/*.so"
+
+PARALLEL_MAKEINST = ""
diff --git a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.10.bb b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.10.bb
deleted file mode 100644
index 953505971a..0000000000
--- a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.10.bb
+++ /dev/null
@@ -1,46 +0,0 @@
-SUMMARY = "Name Service Switch module for Multicast DNS (zeroconf) name resolution"
-HOMEPAGE = "http://0pointer.de/lennart/projects/nss-mdns/"
-SECTION = "libs"
-
-LICENSE = "LGPLv2.1+"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1"
-
-DEPENDS = "avahi"
-PR = "r7"
-
-SRC_URI = "http://0pointer.de/lennart/projects/nss-mdns/nss-mdns-${PV}.tar.gz \
-           "
-
-SRC_URI[md5sum] = "03938f17646efbb50aa70ba5f99f51d7"
-SRC_URI[sha256sum] = "1e683c2e7c3921814706d62fbbd3e9cbf493a75fa00255e0e715508d8134fa6d"
-
-S = "${WORKDIR}/nss-mdns-${PV}"
-
-localstatedir = "/"
-
-inherit autotools
-
-COMPATIBLE_HOST_libc-musl = 'null'
-
-EXTRA_OECONF = "--libdir=${base_libdir} --disable-lynx --enable-avahi"
-
-# suppress warning, but don't bother with autonamer
-LEAD_SONAME = "libnss_mdns.so"
-DEBIANNAME_${PN} = "libnss-mdns"
-
-RDEPENDS_${PN} = "avahi-daemon"
-
-pkg_postinst_${PN} () {
-	sed '
-		/^hosts:/ !b
-		/\<mdns\(4\|6\)\?\(_minimal\)\?\>/ b
-		s/\([[:blank:]]\+\)dns\>/\1mdns4_minimal [NOTFOUND=return] dns/g
-		' -i $D${sysconfdir}/nsswitch.conf
-}
-
-pkg_prerm_${PN} () {
-	sed '
-		/^hosts:/ !b
-		s/[[:blank:]]\+mdns\(4\|6\)\?\(_minimal\( \[NOTFOUND=return\]\)\?\)\?//g
-		' -i $D${sysconfdir}/nsswitch.conf
-}
diff --git a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb
new file mode 100644
index 0000000000..0db609fc47
--- /dev/null
+++ b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.15.1.bb
@@ -0,0 +1,39 @@
+SUMMARY = "Name Service Switch module for Multicast DNS (zeroconf) name resolution"
+HOMEPAGE = "https://github.com/lathiat/nss-mdns"
+DESCRIPTION = "nss-mdns is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) providing host name resolution via Multicast DNS (aka Zeroconf, aka Apple Rendezvous, aka Apple Bonjour), effectively allowing name resolution by common Unix/Linux programs in the ad-hoc mDNS domain .local."
+SECTION = "libs"
+
+LICENSE = "LGPL-2.1-or-later"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1"
+
+DEPENDS = "avahi"
+
+SRC_URI = "git://github.com/lathiat/nss-mdns;branch=master;protocol=https \
+           "
+
+SRCREV = "4b3cfe818bf72d99a02b8ca8b8813cb2d6b40633"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig
+
+COMPATIBLE_HOST:libc-musl = 'null'
+
+EXTRA_OECONF = "--libdir=${base_libdir}"
+
+RDEPENDS:${PN} = "avahi-daemon"
+
+pkg_postinst:${PN} () {
+	sed '
+		/^hosts:/ !b
+		/\<mdns\(4\|6\)\?\(_minimal\)\?\>/ b
+		s/\([[:blank:]]\+\)dns\>/\1mdns4_minimal [NOTFOUND=return] dns/g
+		' -i $D${sysconfdir}/nsswitch.conf
+}
+
+pkg_prerm:${PN} () {
+	sed '
+		/^hosts:/ !b
+		s/[[:blank:]]\+mdns\(4\|6\)\?\(_minimal\( \[NOTFOUND=return\]\)\?\)\?//g
+		' -i $D${sysconfdir}/nsswitch.conf
+}
diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.9.1.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
index 35bb5650b3..166654e280 100644
--- a/meta/recipes-connectivity/libpcap/libpcap_1.9.1.bb
+++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb
@@ -10,10 +10,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \
                     file://pcap.h;beginline=1;endline=32;md5=39af3510e011f34b8872f120b1dc31d2"
 DEPENDS = "flex-native bison-native"
 
-SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
-           "
-SRC_URI[md5sum] = "21af603d9a591c7d96a6457021d84e6c"
-SRC_URI[sha256sum] = "635237637c5b619bcceba91900666b64d56ecb7be63f298f601ec786ce087094"
+SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz"
+SRC_URI[sha256sum] = "ed19a0383fad72e3ad435fd239d7cd80d64916b87269550159d20e47160ebe5f"
 
 inherit autotools binconfig-disabled pkgconfig
 
@@ -21,10 +19,11 @@ BINCONFIG = "${bindir}/pcap-config"
 
 # Explicitly disable dag support. We don't have recipe for it and if enabled here,
 # configure script poisons the include dirs with /usr/local/include even when the
-# support hasn't been detected.
+# support hasn't been detected. Do the same thing for DPDK.
 EXTRA_OECONF = " \
                  --with-pcap=linux \
                  --without-dag \
+                 --without-dpdk \
                  "
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
@@ -36,9 +35,9 @@ PACKAGECONFIG[dbus] = "--enable-dbus,--disable-dbus,dbus"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
 PACKAGECONFIG[libnl] = "--with-libnl,--without-libnl,libnl"
 
-do_configure_prepend () {
+do_configure:prepend () {
     #remove hardcoded references to /usr/include
     sed 's|\([ "^'\''I]\+\)/usr/include/|\1${STAGING_INCDIR}/|g' -i ${S}/configure.ac
 }
 
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-connectivity/libuv/libuv_1.48.0.bb b/meta/recipes-connectivity/libuv/libuv_1.48.0.bb
new file mode 100644
index 0000000000..87a2c22a7c
--- /dev/null
+++ b/meta/recipes-connectivity/libuv/libuv_1.48.0.bb
@@ -0,0 +1,22 @@
+SUMMARY = "A multi-platform support library with a focus on asynchronous I/O"
+HOMEPAGE = "https://github.com/libuv/libuv"
+DESCRIPTION = "libuv is a multi-platform support library with a focus on asynchronous I/O. It was primarily developed for use by Node.js, but it's also used by Luvit, Julia, pyuv, and others."
+BUGTRACKER = "https://github.com/libuv/libuv/issues"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=74b6f2f7818a4e3a80d03556f71b129b \
+                    file://LICENSE-extra;md5=f9307417749e19bd1d6d68a394b49324"
+
+SRCREV = "e9f29cb984231524e3931aa0ae2c5dae1a32884e"
+SRC_URI = "git://github.com/libuv/libuv.git;branch=v1.x;protocol=https"
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
+
+S = "${WORKDIR}/git"
+
+inherit autotools
+
+do_configure() {
+    ${S}/autogen.sh || bbnote "${PN} failed to autogen.sh"
+    oe_runconf
+}
+
+BBCLASSEXTEND = "native"
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
index 0b0bbab168..a4030b7b32 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -1,13 +1,15 @@
 SUMMARY = "Mobile Broadband Service Provider Database"
 HOMEPAGE = "http://live.gnome.org/NetworkManager/MobileBroadband/ServiceProviders"
+DESCRIPTION = "Mobile Broadband Service Provider Database stores service provider specific information. When this Database is available the information can be fetched there"
 SECTION = "network"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "22b49d86fb7aded2c195a9d49e5924da696b3228"
-PV = "20190618"
+
+SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe"
+PV = "20230416"
 PE = "1"
 
-SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https"
+SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main"
 S = "${WORKDIR}/git"
 
 inherit autotools
diff --git a/meta/recipes-connectivity/neard/neard_0.16.bb b/meta/recipes-connectivity/neard/neard_0.19.bb
index 7c124a3c0b..a98f436b98 100644
--- a/meta/recipes-connectivity/neard/neard_0.16.bb
+++ b/meta/recipes-connectivity/neard/neard_0.19.bb
@@ -1,33 +1,34 @@
 SUMMARY = "Linux NFC daemon"
 DESCRIPTION = "A daemon for the Linux Near Field Communication stack"
 HOMEPAGE = "http://01.org/linux-nfc"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
+                    file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
+                   "
 
-DEPENDS = "dbus glib-2.0 libnl"
+DEPENDS = "dbus glib-2.0 libnl autoconf-archive-native"
 
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BP}.tar.xz \
+SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=https;branch=master \
            file://neard.in \
            file://Makefile.am-fix-parallel-issue.patch \
            file://Makefile.am-do-not-ship-version.h.patch \
            file://0001-Add-header-dependency-to-nciattach.o.patch \
           "
-SRC_URI[md5sum] = "5c691fb7872856dc0d909c298bc8cb41"
-SRC_URI[sha256sum] = "eae3b11c541a988ec11ca94b7deab01080cd5b58cfef3ced6ceac9b6e6e65b36"
 
-LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
- file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
- "
+SRCREV = "a1dc8a75cba999728e154a0f811ab9dd50c809f7"
+
+S = "${WORKDIR}/git"
 
 inherit autotools pkgconfig systemd update-rc.d
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
 
-PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_unitdir}/system/ --with-systemduserunitdir=${systemd_unitdir}/user/,--disable-systemd"
+PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_system_unitdir}/ --with-systemduserunitdir=${systemd_unitdir}/user/,--disable-systemd"
 
 EXTRA_OECONF += "--enable-tools"
 
 # This would copy neard start-stop shell and test scripts
-do_install_append() {
+do_install:append() {
 	if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
 		install -d ${D}${sysconfdir}/init.d/
 		sed "s:@installpath@:${libexecdir}/nfc:" ${WORKDIR}/neard.in \
@@ -36,10 +37,10 @@ do_install_append() {
 	fi
 }
 
-RDEPENDS_${PN} = "dbus"
+RDEPENDS:${PN} = "dbus"
 
 # Bluez & Wifi are not mandatory except for handover
-RRECOMMENDS_${PN} = "\
+RRECOMMENDS:${PN} = "\
                      ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez5', '', d)} \
                      ${@bb.utils.contains('DISTRO_FEATURES', 'wifi','wpa-supplicant', '', d)} \
                     "
@@ -47,4 +48,4 @@ RRECOMMENDS_${PN} = "\
 INITSCRIPT_NAME = "neard"
 INITSCRIPT_PARAMS = "defaults 64"
 
-SYSTEMD_SERVICE_${PN} = "neard.service"
+SYSTEMD_SERVICE:${PN} = "neard.service"
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Don-t-build-tools-with-CC_FOR_BUILD.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Don-t-build-tools-with-CC_FOR_BUILD.patch
deleted file mode 100644
index 23bc3eaf72..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Don-t-build-tools-with-CC_FOR_BUILD.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 79019d976584c598f8d0a9d8de43c989946f974b Mon Sep 17 00:00:00 2001
-From: Pascal Bach <pascal.bach@siemens.com>
-Date: Wed, 13 Feb 2019 09:28:07 +0100
-Subject: [PATCH] Don't build tools with CC_FOR_BUILD
-
-The tools are intended for the target not for the host.
-
-Upstream-Status: Pending
-
-Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
----
- tools/locktest/Makefile.am | 1 -
- tools/rpcgen/Makefile.am   | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/tools/locktest/Makefile.am b/tools/locktest/Makefile.am
-index 3156815..87d0bac 100644
---- a/tools/locktest/Makefile.am
-+++ b/tools/locktest/Makefile.am
-@@ -1,6 +1,5 @@
- ## Process this file with automake to produce Makefile.in
- 
--CC=$(CC_FOR_BUILD)
- LIBTOOL = @LIBTOOL@ --tag=CC
- 
- noinst_PROGRAMS = testlk
-diff --git a/tools/rpcgen/Makefile.am b/tools/rpcgen/Makefile.am
-index 8a9ec89..3e092c9 100644
---- a/tools/rpcgen/Makefile.am
-+++ b/tools/rpcgen/Makefile.am
-@@ -1,6 +1,5 @@
- ## Process this file with automake to produce Makefile.in
- 
--CC=$(CC_FOR_BUILD)
- LIBTOOL = @LIBTOOL@ --tag=CC
- 
- noinst_PROGRAMS = rpcgen
--- 
-2.11.0
-
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Fix-include-order-between-config.h-and-stat.h.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Fix-include-order-between-config.h-and-stat.h.patch
deleted file mode 100644
index 7b0f93535f..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Fix-include-order-between-config.h-and-stat.h.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From 2fbc62e2a13fc22b6ae4910e295a2c10fb790486 Mon Sep 17 00:00:00 2001
-From: Zoltan Karcagi <zkr7432@gmail.com>
-Date: Mon, 12 Aug 2019 13:27:16 -0400
-Subject: [PATCH] Fix include order between config.h and stat.h
-
-At least on Arch linux ARM, the definition of struct stat in stat.h depends
-on __USE_FILE_OFFSET64. This symbol comes from config.h when defined,
-therefore config.h must always be included before stat.h. Fix all
-occurrences where the order is wrong by moving config.h to the top.
-
-This fixes the client side error "Stale file handle" when mounting from
-a server running Arch Linux ARM.
-
-Signed-off-by: Zoltan Karcagi <zkr7432@gmail.com>
-Signed-off-by: Steve Dickson <steved@redhat.com>
-
-Upstream-Status: Backport
-[http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=2fbc62e2a13fc22b6ae4910e295a2c10fb790486]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- support/misc/nfsd_path.c         | 5 ++++-
- support/misc/xstat.c             | 5 ++++-
- support/nfs/conffile.c           | 8 +++++++-
- utils/blkmapd/device-discovery.c | 8 ++++----
- utils/idmapd/idmapd.c            | 8 ++++----
- 5 files changed, 23 insertions(+), 11 deletions(-)
-
-diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c
-index 84e4802..f078a66 100644
---- a/support/misc/nfsd_path.c
-+++ b/support/misc/nfsd_path.c
-@@ -1,3 +1,7 @@
-+#ifdef HAVE_CONFIG_H
-+#include <config.h>
-+#endif
-+
- #include <errno.h>
- #include <sys/types.h>
- #include <sys/stat.h>
-@@ -5,7 +9,6 @@
- #include <stdlib.h>
- #include <unistd.h>
- 
--#include "config.h"
- #include "conffile.h"
- #include "xmalloc.h"
- #include "xlog.h"
-diff --git a/support/misc/xstat.c b/support/misc/xstat.c
-index fa04788..4c997ee 100644
---- a/support/misc/xstat.c
-+++ b/support/misc/xstat.c
-@@ -1,3 +1,7 @@
-+#ifdef HAVE_CONFIG_H
-+#include <config.h>
-+#endif
-+
- #include <errno.h>
- #include <sys/types.h>
- #include <fcntl.h>
-@@ -5,7 +9,6 @@
- #include <sys/sysmacros.h>
- #include <unistd.h>
- 
--#include "config.h"
- #include "xstat.h"
- 
- #ifdef HAVE_FSTATAT
-diff --git a/support/nfs/conffile.c b/support/nfs/conffile.c
-index b6400be..6ba8a35 100644
---- a/support/nfs/conffile.c
-+++ b/support/nfs/conffile.c
-@@ -500,7 +500,7 @@ conf_readfile(const char *path)
- 
- 	if ((stat (path, &sb) == 0) || (errno != ENOENT)) {
- 		char *new_conf_addr = NULL;
--		size_t sz = sb.st_size;
-+		off_t sz;
- 		int fd = open (path, O_RDONLY, 0);
- 
- 		if (fd == -1) {
-@@ -517,6 +517,11 @@ conf_readfile(const char *path)
- 
- 		/* only after we have the lock, check the file size ready to read it */
- 		sz = lseek(fd, 0, SEEK_END);
-+		if (sz < 0) {
-+			xlog_warn("conf_readfile: unable to determine file size: %s",
-+				  strerror(errno));
-+			goto fail;
-+		}
- 		lseek(fd, 0, SEEK_SET);
- 
- 		new_conf_addr = malloc(sz+1);
-@@ -2162,6 +2167,7 @@ conf_write(const char *filename, const char *section, const char *arg,
- 	ret = 0;
- 
- cleanup:
-+	flush_outqueue(&inqueue, NULL);
- 	flush_outqueue(&outqueue, NULL);
- 
- 	if (buff)
-diff --git a/utils/blkmapd/device-discovery.c b/utils/blkmapd/device-discovery.c
-index e811703..f5f9b10 100644
---- a/utils/blkmapd/device-discovery.c
-+++ b/utils/blkmapd/device-discovery.c
-@@ -26,6 +26,10 @@
-  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-  */
- 
-+#ifdef HAVE_CONFIG_H
-+#include "config.h"
-+#endif /* HAVE_CONFIG_H */
-+
- #include <sys/sysmacros.h>
- #include <sys/types.h>
- #include <sys/stat.h>
-@@ -51,10 +55,6 @@
- #include <errno.h>
- #include <libdevmapper.h>
- 
--#ifdef HAVE_CONFIG_H
--#include "config.h"
--#endif /* HAVE_CONFIG_H */
--
- #include "device-discovery.h"
- #include "xcommon.h"
- #include "nfslib.h"
-diff --git a/utils/idmapd/idmapd.c b/utils/idmapd/idmapd.c
-index 62e37b8..267acea 100644
---- a/utils/idmapd/idmapd.c
-+++ b/utils/idmapd/idmapd.c
-@@ -34,6 +34,10 @@
-  *  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-  */
- 
-+#ifdef HAVE_CONFIG_H
-+#include "config.h"
-+#endif /* HAVE_CONFIG_H */
-+
- #include <sys/types.h>
- #include <sys/time.h>
- #include <sys/inotify.h>
-@@ -62,10 +66,6 @@
- #include <libgen.h>
- #include <nfsidmap.h>
- 
--#ifdef HAVE_CONFIG_H
--#include "config.h"
--#endif /* HAVE_CONFIG_H */
--
- #include "xlog.h"
- #include "conffile.h"
- #include "queue.h"
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch
index fcb0e99b33..7603eb680d 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch
@@ -19,7 +19,7 @@ As there is already one source file named file.c
 as support/nsm/file.c in support/nsm/Makefile.am,
 so rename ../support/misc/file.c to ../support/misc/misc.c.
 
-Upstream-Status: Submitted[https://marc.info/?l=linux-nfs&m=154502780423058&w=2]
+Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=154502780423058&w=2]
 
 Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
 
@@ -28,10 +28,10 @@ Rebase it.
 Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
 ---
  support/misc/Makefile.am |   2 +-
- support/misc/file.c      | 111 ---------------------------------------------------------------------------------------------------------------
+ support/misc/file.c      | 115 ---------------------------------------------------------------------------------------------------------------
  support/misc/misc.c      | 111 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  support/nsm/Makefile.am  |   2 +-
- 4 files changed, 113 insertions(+), 113 deletions(-)
+ 4 files changed, 113 insertions(+), 117 deletions(-)
 
 diff --git a/support/misc/Makefile.am b/support/misc/Makefile.am
 index f9993e3..8b0e9db 100644
@@ -48,10 +48,10 @@ index f9993e3..8b0e9db 100644
  MAINTAINERCLEANFILES = Makefile.in
 diff --git a/support/misc/file.c b/support/misc/file.c
 deleted file mode 100644
-index e7c3819..0000000
+index 06f6bb2..0000000
 --- a/support/misc/file.c
 +++ /dev/null
-@@ -1,111 +0,0 @@
+@@ -1,115 +0,0 @@
 -/*
 - * Copyright 2009 Oracle.  All rights reserved.
 - * Copyright 2017 Red Hat, Inc.  All rights reserved.
@@ -72,6 +72,10 @@ index e7c3819..0000000
 - * along with nfs-utils.  If not, see <http://www.gnu.org/licenses/>.
 - */
 -
+-#ifdef HAVE_CONFIG_H
+-#include <config.h>
+-#endif
+-
 -#include <sys/stat.h>
 -
 -#include <string.h>
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-cacheio-use-intmax_t-for-formatted-IO.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-cacheio-use-intmax_t-for-formatted-IO.patch
deleted file mode 100644
index bafff5b9c0..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-cacheio-use-intmax_t-for-formatted-IO.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From ac32b813f5d6f9a2de944015cf9bb98d68e0203a Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sat, 1 Dec 2018 10:02:12 -0800
-Subject: [PATCH] cacheio: use intmax_t for formatted IO
-
-time_t is not same size on x32 ABI (ILP32)
-
-Upstream-Status: Pending
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- support/nfs/cacheio.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/support/nfs/cacheio.c b/support/nfs/cacheio.c
-index 9dc4cf1..2086a95 100644
---- a/support/nfs/cacheio.c
-+++ b/support/nfs/cacheio.c
-@@ -17,6 +17,7 @@
- 
- #include <nfslib.h>
- #include <stdio.h>
-+#include <inttypes.h>
- #include <stdio_ext.h>
- #include <string.h>
- #include <ctype.h>
-@@ -234,7 +235,7 @@ cache_flush(int force)
- 	    stb.st_mtime > now)
- 		stb.st_mtime = time(0);
- 	
--	sprintf(stime, "%ld\n", stb.st_mtime);
-+	sprintf(stime, "%jd\n", (intmax_t)stb.st_mtime);
- 	for (c=0; cachelist[c]; c++) {
- 		int fd;
- 		sprintf(path, "/proc/net/rpc/%s/flush", cachelist[c]);
--- 
-2.19.2
-
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-configure.ac-Do-not-fatalize-Wmissing-prototypes.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-configure.ac-Do-not-fatalize-Wmissing-prototypes.patch
deleted file mode 100644
index d14f0789ff..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-configure.ac-Do-not-fatalize-Wmissing-prototypes.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 66471fbf7106917da7a1536b18a0a77d07479779 Mon Sep 17 00:00:00 2001
-From: Mingli Yu <Mingli.Yu@windriver.com>
-Date: Mon, 17 Dec 2018 15:29:47 +0800
-Subject: [PATCH] configure.ac: Do not fatalize -Wmissing-prototypes
-
-There comes below error when run "make -C tests/nsm_client nsm_client"
-| nlm_sm_inter_svc.c:20:1: error: no previous prototype for 'nlm_sm_prog_3' [-Werror=missing-prototypes]
-
-It is because rpcgen doesn't generate -Wmissing-prototypes
-free code for nlm_sm_inter_svc.c with below logic
-in tests/nsm_client/Makefile.am
-[snip]
-GENFILES_SVC    = nlm_sm_inter_svc.c
-[snip]
-$(GENFILES_SVC): %_svc.c: %.x $(RPCGEN)
-        test -f $@ && rm -rf $@ || true
-        $(RPCGEN) -m -o $@ $<
-
-So add the logic not to fatalize -Wmissing-prototypes.
-
-Upstream-Status: Submitted[https://marc.info/?l=linux-nfs&m=154503260323936&w=2]
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 50002b4..aebff01 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -582,7 +582,7 @@ my_am_cflags="\
-  -Wall \
-  -Wextra \
-  $rpcgen_cflags \
-- -Werror=missing-prototypes \
-+ -Wmissing-prototypes \
-  -Werror=missing-declarations \
-  -Werror=format=2 \
-  -Werror=undef \
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch
new file mode 100644
index 0000000000..351407ddcd
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch
@@ -0,0 +1,36 @@
+From 9efa7a0d37665d9bb0f46d2407883a5ab42c2b84 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 24 Jul 2023 20:39:16 -0700
+Subject: [PATCH] locktest: Makefile.am: Do not use build flags
+
+Using CFLAGS_FOR_BUILD etc. here means it is using wrong flags
+when thse flags are speficied different than target flags which
+is common when cross-building. It can pass wrong paths to linker
+and it would find incompatible libraries during link since they
+are from host system and target maybe not same as build host.
+
+Fixes subtle errors like
+| aarch64-yoe-linux-ld.lld: error: /mnt/b/yoe/master/build/tmp/work/cortexa72-cortexa53-crypto-yoe-linux/nfs-utils/2.6.3-r0/recipe-sysroot-native/usr/lib/libsqlite3.so is incompatible with elf64-littleaarch64
+
+Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=169025681008001&w=2]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ tools/locktest/Makefile.am | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/tools/locktest/Makefile.am b/tools/locktest/Makefile.am
+index e8914655..2fd36971 100644
+--- a/tools/locktest/Makefile.am
++++ b/tools/locktest/Makefile.am
+@@ -2,8 +2,5 @@
+ 
+ noinst_PROGRAMS = testlk
+ testlk_SOURCES = testlk.c
+-testlk_CFLAGS=$(CFLAGS_FOR_BUILD)
+-testlk_CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+-testlk_LDFLAGS=$(LDFLAGS_FOR_BUILD)
+ 
+ MAINTAINERCLEANFILES = Makefile.in
+-- 
+2.41.0
+
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch
new file mode 100644
index 0000000000..57d4660571
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch
@@ -0,0 +1,34 @@
+From 45597a58e98f351b18db8444292b1cf6dd0cd810 Mon Sep 17 00:00:00 2001
+From: Robert Yang <liezhi.yang@windriver.com>
+Date: Sat, 9 Dec 2023 23:34:08 -0800
+Subject: [PATCH] reexport.h: Include unistd.h to compile with musl
+
+Fixed error when compile with musl
+reexport.c: In function 'reexpdb_init':
+reexport.c:62:17: error: implicit declaration of function 'sleep' [-Werror=implicit-function-declaration]
+   62 |                 sleep(1);
+
+
+Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=170254661824522&w=2]
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+ support/reexport/reexport.h | 1 +
+ 1 files changed, 1 insertions(+)
+
+diff --git a/support/reexport/reexport.h b/support/reexport/reexport.h
+index 85fd59c..02f8684 100644
+--- a/support/reexport/reexport.h
++++ b/support/reexport/reexport.h
+@@ -1,6 +1,8 @@
+ #ifndef REEXPORT_H
+ #define REEXPORT_H
+ 
++#include <unistd.h>
++
+ #include "nfslib.h"
+ 
+ enum {
+-- 
+2.42.0
+
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch
new file mode 100644
index 0000000000..7d903e04bc
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch
@@ -0,0 +1,53 @@
+From e2e9251dbeb452f5382179023d8ae18b511167a1 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 25 Jul 2023 23:47:08 -0700
+Subject: [PATCH] tools/locktest: Use intmax_t to print off_t
+
+off_t could be 64bit on 32bit architectures which means using %z printf
+modifier is not enough to print it and compiler will complain about
+format mismatch
+
+Fixes
+| testlk.c:84:66: error: format '%zd' expects argument of type 'signed size_t', but argument 4 has type '__off64_t' {aka 'long long int'} [-Werror=format=]
+|    84 |                         printf("%s: conflicting lock by %d on (%zd;%zd)\n",
+|       |                                                                ~~^
+|       |                                                                  |
+|       |                                                                  int
+|       |                                                                %lld
+|    85 |                                 fname, fl.l_pid, fl.l_start, fl.l_len);
+|       |                                                  ~~~~~~~~~~
+|       |                                                    |
+|       |                                                    __off64_t {aka long long int}
+
+Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=169035457128067&w=2]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ tools/locktest/testlk.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/locktest/testlk.c b/tools/locktest/testlk.c
+index ea51f788..9d4c88c4 100644
+--- a/tools/locktest/testlk.c
++++ b/tools/locktest/testlk.c
+@@ -2,6 +2,7 @@
+ #include <config.h>
+ #endif
+ 
++#include <stdint.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <unistd.h>
+@@ -81,8 +82,8 @@ main(int argc, char **argv)
+ 		if (fl.l_type == F_UNLCK) {
+ 			printf("%s: no conflicting lock\n", fname);
+ 		} else {
+-			printf("%s: conflicting lock by %d on (%zd;%zd)\n",
+-				fname, fl.l_pid, fl.l_start, fl.l_len);
++			printf("%s: conflicting lock by %d on (%jd;%jd)\n",
++				fname, fl.l_pid, (intmax_t)fl.l_start, (intmax_t)fl.l_len);
+ 		}
+ 		return 0;
+ 	}
+-- 
+2.41.0
+
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-format-string.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-format-string.patch
deleted file mode 100644
index 1d693e4142..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-format-string.patch
+++ /dev/null
@@ -1,183 +0,0 @@
-Clang comes up with more printf format warnings
-Correcting “format string is not a string literal” warning
-requires us to declare that parameter is a printf style 
-format using the attribute flag
-
-Upstream-Status: Pending
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
-Index: nfs-utils-2.3.3/support/include/xcommon.h
-===================================================================
---- nfs-utils-2.3.3.orig/support/include/xcommon.h
-+++ nfs-utils-2.3.3/support/include/xcommon.h
-@@ -27,7 +27,7 @@
- 
- /* Functions in sundries.c that are used in mount.c and umount.c  */ 
- char *canonicalize (const char *path);
--void nfs_error (const char *fmt, ...);
-+void nfs_error (const char *fmt, ...) __attribute__((__format__ (__printf__, 1, 2)));
- void *xmalloc (size_t size);
- void *xrealloc(void *p, size_t size);
- void xfree(void *);
-@@ -36,9 +36,9 @@ char *xstrndup (const char *s, int n);
- char *xstrconcat2 (const char *, const char *);
- char *xstrconcat3 (const char *, const char *, const char *);
- char *xstrconcat4 (const char *, const char *, const char *, const char *);
--void die (int errcode, const char *fmt, ...);
-+void die (int errcode, const char *fmt, ...) __attribute__((__format__ (__printf__, 2, 3)));
- 
--extern void die(int err, const char *fmt, ...);
-+extern void die(int err, const char *fmt, ...) __attribute__((__format__ (__printf__, 2, 3)));
- extern void (*at_die)(void);
- 
- /* exit status - bits below are ORed */
-Index: nfs-utils-2.3.3/support/include/xlog.h
-===================================================================
---- nfs-utils-2.3.3.orig/support/include/xlog.h
-+++ nfs-utils-2.3.3/support/include/xlog.h
-@@ -43,10 +43,10 @@ void			xlog_config(int fac, int on);
- void			xlog_sconfig(char *, int on);
- void			xlog_from_conffile(char *);
- int			xlog_enabled(int fac);
--void			xlog(int fac, const char *fmt, ...);
--void			xlog_warn(const char *fmt, ...);
--void			xlog_err(const char *fmt, ...);
--void			xlog_errno(int err, const char *fmt, ...);
--void			xlog_backend(int fac, const char *fmt, va_list args);
-+void			xlog(int fac, const char *fmt, ...) __attribute__((__format__ (__printf__, 2, 3)));
-+void			xlog_warn(const char *fmt, ...) __attribute__((__format__ (__printf__, 1, 2)));
-+void			xlog_err(const char *fmt, ...) __attribute__((__format__ (__printf__, 1, 2)));
-+void			xlog_errno(int err, const char *fmt, ...) __attribute__((__format__ (__printf__, 2, 3)));
-+void			xlog_backend(int fac, const char *fmt, va_list args) __attribute__((__format__ (__printf__, 2, 0)));
- 
- #endif /* XLOG_H */
-Index: nfs-utils-2.3.3/support/nfs/xcommon.c
-===================================================================
---- nfs-utils-2.3.3.orig/support/nfs/xcommon.c
-+++ nfs-utils-2.3.3/support/nfs/xcommon.c
-@@ -93,7 +93,10 @@ nfs_error (const char *fmt, ...) {
- 
-      fmt2 = xstrconcat2 (fmt, "\n");
-      va_start (args, fmt);
-+#pragma clang diagnostic push
-+#pragma clang diagnostic ignored "-Wformat-nonliteral"
-      vfprintf (stderr, fmt2, args);
-+#pragma clang diagnostic pop
-      va_end (args);
-      free (fmt2);
- }
-Index: nfs-utils-2.3.3/utils/exportfs/exportfs.c
-===================================================================
---- nfs-utils-2.3.3.orig/utils/exportfs/exportfs.c
-+++ nfs-utils-2.3.3/utils/exportfs/exportfs.c
-@@ -644,6 +644,7 @@ out:
- 	return result;
- }
- 
-+__attribute__((__format__ (__printf__, 2, 3)))
- static char
- dumpopt(char c, char *fmt, ...)
- {
-Index: nfs-utils-2.3.3/utils/statd/statd.c
-===================================================================
---- nfs-utils-2.3.3.orig/utils/statd/statd.c
-+++ nfs-utils-2.3.3/utils/statd/statd.c
-@@ -136,7 +136,7 @@ static void log_modes(void)
- 	strcat(buf, "TI-RPC ");
- #endif
- 
--	xlog_warn(buf);
-+	xlog_warn("%s", buf);
- }
- 
- /*
-Index: nfs-utils-2.3.3/support/nfs/svc_create.c
-===================================================================
---- nfs-utils-2.3.3.orig/support/nfs/svc_create.c
-+++ nfs-utils-2.3.3/support/nfs/svc_create.c
-@@ -184,7 +184,7 @@ svc_create_sock(const struct sockaddr *s
- 		type = SOCK_STREAM;
- 		break;
- 	default:
--		xlog(D_GENERAL, "%s: Unrecognized bind address semantics: %u",
-+		xlog(D_GENERAL, "%s: Unrecognized bind address semantics: %lu",
- 			__func__, nconf->nc_semantics);
- 		return -1;
- 	}
-Index: nfs-utils-2.3.3/support/nsm/rpc.c
-===================================================================
---- nfs-utils-2.3.3.orig/support/nsm/rpc.c
-+++ nfs-utils-2.3.3/support/nsm/rpc.c
-@@ -182,7 +182,7 @@ nsm_xmit_getport(const int sock, const s
- 	uint32_t xid;
- 	XDR xdr;
- 
--	xlog(D_CALL, "Sending PMAP_GETPORT for %u, %u, udp", program, version);
-+	xlog(D_CALL, "Sending PMAP_GETPORT for %lu, %lu, udp", program, version);
- 
- 	nsm_init_xdrmem(msgbuf, NSM_MAXMSGSIZE, &xdr);
- 	xid = nsm_init_rpc_header(PMAPPROG, PMAPVERS,
-Index: nfs-utils-2.3.3/utils/mountd/cache.c
-===================================================================
---- nfs-utils-2.3.3.orig/utils/mountd/cache.c
-+++ nfs-utils-2.3.3/utils/mountd/cache.c
-@@ -968,8 +968,7 @@ lookup_export(char *dom, char *path, str
- 			} else if (found_type == i && found->m_warned == 0) {
- 				xlog(L_WARNING, "%s exported to both %s and %s, "
- 				     "arbitrarily choosing options from first",
--				     path, found->m_client->m_hostname, exp->m_client->m_hostname,
--				     dom);
-+				     path, found->m_client->m_hostname, exp->m_client->m_hostname);
- 				found->m_warned = 1;
- 			}
- 		}
-Index: nfs-utils-2.3.3/utils/mountd/mountd.c
-===================================================================
---- nfs-utils-2.3.3.orig/utils/mountd/mountd.c
-+++ nfs-utils-2.3.3/utils/mountd/mountd.c
-@@ -213,7 +213,7 @@ static void
- sig_hup (int sig)
- {
- 	/* don't exit on SIGHUP */
--	xlog (L_NOTICE, "Received SIGHUP... Ignoring.\n", sig);
-+	xlog (L_NOTICE, "Received SIGHUP(%d)... Ignoring.\n", sig);
- 	return;
- }
- 
-Index: nfs-utils-2.3.3/utils/statd/rmtcall.c
-===================================================================
---- nfs-utils-2.3.3.orig/utils/statd/rmtcall.c
-+++ nfs-utils-2.3.3/utils/statd/rmtcall.c
-@@ -247,7 +247,7 @@ process_reply(FD_SET_TYPE *rfds)
- 		xlog_warn("%s: service %d not registered on localhost",
- 			__func__, NL_MY_PROG(lp));
- 	} else {
--		xlog(D_GENERAL, "%s: Callback to %s (for %d) succeeded",
-+		xlog(D_GENERAL, "%s: Callback to %s (for %s) succeeded",
- 			__func__, NL_MY_NAME(lp), NL_MON_NAME(lp));
- 	}
- 	nlist_free(&notify, lp);
-Index: nfs-utils-2.3.3/utils/statd/svc_run.c
-===================================================================
---- nfs-utils-2.3.3.orig/utils/statd/svc_run.c
-+++ nfs-utils-2.3.3/utils/statd/svc_run.c
-@@ -53,6 +53,7 @@
- 
- #include <errno.h>
- #include <time.h>
-+#include <inttypes.h>
- #include "statd.h"
- #include "notlist.h"
- 
-@@ -104,8 +105,8 @@ my_svc_run(int sockfd)
- 
- 			tv.tv_sec  = NL_WHEN(notify) - now;
- 			tv.tv_usec = 0;
--			xlog(D_GENERAL, "Waiting for reply... (timeo %d)",
--							tv.tv_sec);
-+			xlog(D_GENERAL, "Waiting for reply... (timeo %jd)",
-+							(intmax_t)tv.tv_sec);
- 			selret = select(FD_SETSIZE, &readfds,
- 				(void *) 0, (void *) 0, &tv);
- 		} else {
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch
new file mode 100644
index 0000000000..fde99b599e
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/clang-warnings.patch
@@ -0,0 +1,36 @@
+From 1ab0c326405c6daa06f1a7eb4b0b60bf4e0584c2 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 31 Dec 2019 08:15:34 -0800
+Subject: [PATCH] Detect warning options during configure
+
+Certain options maybe compiler specific therefore its better
+to detect them before use.
+
+nfs_error copies the format string and appends newline to it
+but compiler can forget that it was format string since its not
+same fmt string that was passed. Ignore the warning
+
+Wdiscarded-qualifiers is gcc specific and this is no longer needed
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+---
+ support/nfs/xcommon.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/support/nfs/xcommon.c b/support/nfs/xcommon.c
+index 3989f0b..e080423 100644
+--- a/support/nfs/xcommon.c
++++ b/support/nfs/xcommon.c
+@@ -98,7 +98,10 @@ nfs_error (const char *fmt, ...) {
+ 
+      fmt2 = xstrconcat2 (fmt, "\n");
+      va_start (args, fmt);
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wformat-nonliteral"
+      vfprintf (stderr, fmt2, args);
++#pragma GCC diagnostic pop
+      va_end (args);
+      free (fmt2);
+ }
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
index c01415de84..ebfe64b9ce 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service
@@ -12,6 +12,7 @@ ConditionPathExists=@SYSCONFDIR@/exports
 EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
 ExecStart=@SBINDIR@/rpc.mountd -F $MOUNTD_OPTS
 LimitNOFILE=@HIGH_RLIMIT_NOFILE@
+StateDirectory=nfs
 
 [Install]
 WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
index 6481377d80..15ceee04d0 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service
@@ -17,8 +17,8 @@ ExecStop=@SBINDIR@/rpc.nfsd 0
 ExecStopPost=@SBINDIR@/exportfs -au
 ExecStopPost=@SBINDIR@/exportfs -f
 ExecReload=@SBINDIR@/exportfs -r
-StandardError=syslog
 RemainAfterExit=yes
+StateDirectory=nfs
 
 [Install]
 WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
index 4fa64e1998..b519194121 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service
@@ -4,11 +4,13 @@ DefaultDependencies=no
 Conflicts=umount.target
 Requires=nss-lookup.target rpcbind.service
 After=network.target nss-lookup.target rpcbind.service
+ConditionPathExists=@SYSCONFDIR@/exports
 
 [Service]
 EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf
 ExecStart=@SBINDIR@/rpc.statd -F $STATD_OPTS
 LimitNOFILE=@HIGH_RLIMIT_NOFILE@
+StateDirectory=nfs
 
 [Install]
 WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-musl-res_querydomain.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-musl-res_querydomain.patch
deleted file mode 100644
index 921f5edc82..0000000000
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-utils-musl-res_querydomain.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From caa19231196d73541445728e6813c8fa70345acb Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Tue, 26 Jun 2018 15:59:00 +0800
-Subject: [PATCH] nfs-utils: 2.1.1 -> 2.3.1
-
-Fixed:
-configure: error: res_querydomain needed
-
-Upstream-Status: Pending [https://github.com/alpinelinux/aports/blob/master/main/nfs-utils/musl-configure_ac.patch]
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
-
----
- configure.ac | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 50002b4..dcadb23 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -582,10 +582,10 @@ my_am_cflags="\
-  -Wall \
-  -Wextra \
-  $rpcgen_cflags \
-- -Werror=missing-prototypes \
-- -Werror=missing-declarations \
-+ -Wmissing-prototypes \
-+ -Wmissing-declarations \
-  -Werror=format=2 \
-- -Werror=undef \
-+ -Wundef \
-  -Werror=missing-include-dirs \
-  -Werror=strict-aliasing=2 \
-  -Werror=init-self \
-@@ -614,10 +614,9 @@ AC_DEFUN([CHECK_CCSUPPORT], [
- 
- CHECK_CCSUPPORT([-Werror=format-overflow=2], [flg1])
- CHECK_CCSUPPORT([-Werror=int-conversion], [flg2])
--CHECK_CCSUPPORT([-Werror=incompatible-pointer-types], [flg3])
- CHECK_CCSUPPORT([-Werror=misleading-indentation], [flg4])
- 
--AC_SUBST([AM_CFLAGS], ["$my_am_cflags $flg1 $flg2 $flg3 $flg4"])
-+AC_SUBST([AM_CFLAGS], ["$my_am_cflags $flg1 $flg2 $flg4"])
- 
- # Make sure that $ACLOCAL_FLAGS are used during a rebuild
- AC_SUBST([ACLOCAL_AMFLAGS], ["-I $ac_macro_dir \$(ACLOCAL_FLAGS)"])
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.4.1.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb
index eb32bccb57..2f2644f9a8 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.4.1.bb
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb
@@ -4,18 +4,18 @@ NFS server and related tools."
 HOMEPAGE = "http://nfs.sourceforge.net/"
 SECTION = "console/network"
 
-LICENSE = "MIT & GPLv2+ & BSD"
+LICENSE = "MIT & GPL-2.0-or-later & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=95f3a93a5c3c7888de623b46ea085a84"
 
 # util-linux for libblkid
 DEPENDS = "libcap libevent util-linux sqlite3 libtirpc"
-RDEPENDS_${PN} = "${PN}-client"
-RRECOMMENDS_${PN} = "kernel-module-nfsd"
+RDEPENDS:${PN} = "${PN}-client"
+RRECOMMENDS:${PN} = "kernel-module-nfsd"
 
 inherit useradd
 
 USERADD_PACKAGES = "${PN}-client"
-USERADD_PARAM_${PN}-client = "--system  --home-dir /var/lib/nfs \
+USERADD_PARAM:${PN}-client = "--system  --home-dir /var/lib/nfs \
 			      --shell /bin/false --user-group rpcuser"
 
 SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.xz \
@@ -28,17 +28,13 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x
            file://proc-fs-nfsd.mount \
            file://nfs-utils-debianize-start-statd.patch \
            file://bugfix-adjust-statd-service-name.patch \
-           file://0001-cacheio-use-intmax_t-for-formatted-IO.patch \
-           file://clang-format-string.patch \
            file://0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch \
-           file://0001-Don-t-build-tools-with-CC_FOR_BUILD.patch \
-           file://0001-Fix-include-order-between-config.h-and-stat.h.patch \
-"
-SRC_URI_append_libc-glibc = " file://0001-configure.ac-Do-not-fatalize-Wmissing-prototypes.patch"
-SRC_URI_append_libc-musl = " file://nfs-utils-musl-res_querydomain.patch"
-
-SRC_URI[md5sum] = "161efe469ec1b06f1c750bd87f8ba6dd"
-SRC_URI[sha256sum] = "85274ada94479b1beba9f8eeffd19f477c53a6710b9998d1192c807854087736"
+           file://clang-warnings.patch \
+           file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \
+           file://0001-tools-locktest-Use-intmax_t-to-print-off_t.patch \
+           file://0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch \
+           "
+SRC_URI[sha256sum] = "01b3b0fb9c7d0bbabf5114c736542030748c788ec2fd9734744201e9b0a1119d"
 
 # Only kernel-module-nfsd is required here (but can be built-in)  - the nfsd module will
 # pull in the remainder of the dependencies.
@@ -46,14 +42,14 @@ SRC_URI[sha256sum] = "85274ada94479b1beba9f8eeffd19f477c53a6710b9998d1192c807854
 INITSCRIPT_PACKAGES = "${PN} ${PN}-client"
 INITSCRIPT_NAME = "nfsserver"
 INITSCRIPT_PARAMS = "defaults"
-INITSCRIPT_NAME_${PN}-client = "nfscommon"
-INITSCRIPT_PARAMS_${PN}-client = "defaults 19 21"
+INITSCRIPT_NAME:${PN}-client = "nfscommon"
+INITSCRIPT_PARAMS:${PN}-client = "defaults 19 21"
 
 inherit autotools-brokensep update-rc.d systemd pkgconfig
 
 SYSTEMD_PACKAGES = "${PN} ${PN}-client"
-SYSTEMD_SERVICE_${PN} = "nfs-server.service nfs-mountd.service"
-SYSTEMD_SERVICE_${PN}-client = "nfs-statd.service"
+SYSTEMD_SERVICE:${PN} = "nfs-server.service nfs-mountd.service"
+SYSTEMD_SERVICE:${PN}-client = "nfs-statd.service"
 
 # --enable-uuid is need for cross-compiling
 EXTRA_OECONF = "--with-statduser=rpcuser \
@@ -63,61 +59,68 @@ EXTRA_OECONF = "--with-statduser=rpcuser \
                 --disable-gss \
                 --disable-nfsdcltrack \
                 --with-statdpath=/var/lib/nfs/statd \
+                --with-rpcgen=${HOSTTOOLS_DIR}/rpcgen \
                "
 
-CFLAGS += "-Wno-error=format-overflow"
+LDFLAGS:append = " -lsqlite3 -levent"
 
 PACKAGECONFIG ??= "tcp-wrappers \
     ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
 "
-PACKAGECONFIG_remove_libc-musl = "tcp-wrappers"
+PACKAGECONFIG:remove:libc-musl = "tcp-wrappers"
 PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,--without-tcp-wrappers,tcp-wrappers"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
 # libdevmapper is available in meta-oe
-PACKAGECONFIG[nfsv41] = "--enable-nfsv41,--disable-nfsv41,libdevmapper"
-# keyutils is available in meta-security
-PACKAGECONFIG[nfsv4] = "--enable-nfsv4,--disable-nfsv4,keyutils"
+PACKAGECONFIG[nfsv41] = "--enable-nfsv41,--disable-nfsv41,libdevmapper,libdevmapper"
+# keyutils is available in meta-oe
+PACKAGECONFIG[nfsv4] = "--enable-nfsv4,--disable-nfsv4,keyutils,python3-core"
 
-PACKAGES =+ "${PN}-client ${PN}-mount ${PN}-stats"
+PACKAGES =+ "${PN}-client ${PN}-mount ${PN}-stats ${PN}-rpcctl"
 
-CONFFILES_${PN}-client += "${localstatedir}/lib/nfs/etab \
+CONFFILES:${PN}-client += "${localstatedir}/lib/nfs/etab \
 			   ${localstatedir}/lib/nfs/rmtab \
 			   ${localstatedir}/lib/nfs/xtab \
 			   ${localstatedir}/lib/nfs/statd/state \
 			   ${sysconfdir}/nfsmount.conf"
 
-FILES_${PN}-client = "${sbindir}/*statd \
+FILES:${PN}-client = "${sbindir}/*statd \
+		      ${libdir}/libnfsidmap.so.* \
 		      ${sbindir}/rpc.idmapd ${sbindir}/sm-notify \
 		      ${sbindir}/showmount ${sbindir}/nfsstat \
 		      ${localstatedir}/lib/nfs \
 		      ${sysconfdir}/nfs-utils.conf \
 		      ${sysconfdir}/nfsmount.conf \
 		      ${sysconfdir}/init.d/nfscommon \
-		      ${systemd_unitdir}/system/nfs-statd.service"
-RDEPENDS_${PN}-client = "${PN}-mount rpcbind"
+		      ${systemd_system_unitdir}/nfs-statd.service"
+RDEPENDS:${PN}-client = "${PN}-mount rpcbind"
+
+FILES:${PN}-mount = "${base_sbindir}/*mount.nfs*"
 
-FILES_${PN}-mount = "${base_sbindir}/*mount.nfs*"
+FILES:${PN}-stats = "${sbindir}/mountstats ${sbindir}/nfsiostat ${sbindir}/nfsdclnts"
+RDEPENDS:${PN}-stats = "python3-core"
 
-FILES_${PN}-stats = "${sbindir}/mountstats ${sbindir}/nfsiostat"
-RDEPENDS_${PN}-stats = "python3-core"
+FILES:${PN}-rpcctl = "${sbindir}/rpcctl"
+RDEPENDS:${PN}-rpcctl = "python3-core"
 
-FILES_${PN} += "${systemd_unitdir}"
+FILES:${PN}-staticdev += "${libdir}/libnfsidmap/*.a"
 
-do_configure_prepend() {
-        sed -i -e 's,sbindir = /sbin,sbindir = ${base_sbindir},g' \
-            ${S}/utils/mount/Makefile.am
+FILES:${PN} += "${systemd_unitdir} ${libdir}/libnfsidmap/ ${nonarch_libdir}/modprobe.d"
+
+do_configure:prepend() {
+	sed -i -e 's,sbindir = /sbin,sbindir = ${base_sbindir},g' \
+		${S}/utils/mount/Makefile.am
 }
 
 # Make clean needed because the package comes with
 # precompiled 64-bit objects that break the build
-do_compile_prepend() {
+do_compile:prepend() {
 	make clean
 }
 
 # Works on systemd only
 HIGH_RLIMIT_NOFILE ??= "4096"
 
-do_install_append () {
+do_install:append () {
 	install -d ${D}${sysconfdir}/init.d
 	install -m 0755 ${WORKDIR}/nfsserver ${D}${sysconfdir}/init.d/nfsserver
 	install -m 0755 ${WORKDIR}/nfscommon ${D}${sysconfdir}/init.d/nfscommon
@@ -125,18 +128,18 @@ do_install_append () {
 	install -m 0755 ${WORKDIR}/nfs-utils.conf ${D}${sysconfdir}
 	install -m 0755 ${S}/utils/mount/nfsmount.conf ${D}${sysconfdir}
 
-	install -d ${D}${systemd_unitdir}/system
-	install -m 0644 ${WORKDIR}/nfs-server.service ${D}${systemd_unitdir}/system/
-	install -m 0644 ${WORKDIR}/nfs-mountd.service ${D}${systemd_unitdir}/system/
-	install -m 0644 ${WORKDIR}/nfs-statd.service ${D}${systemd_unitdir}/system/
+	install -d ${D}${systemd_system_unitdir}
+	install -m 0644 ${WORKDIR}/nfs-server.service ${D}${systemd_system_unitdir}/
+	install -m 0644 ${WORKDIR}/nfs-mountd.service ${D}${systemd_system_unitdir}/
+	install -m 0644 ${WORKDIR}/nfs-statd.service ${D}${systemd_system_unitdir}/
 	sed -i -e 's,@SBINDIR@,${sbindir},g' \
 		-e 's,@SYSCONFDIR@,${sysconfdir},g' \
 		-e 's,@HIGH_RLIMIT_NOFILE@,${HIGH_RLIMIT_NOFILE},g' \
-		${D}${systemd_unitdir}/system/*.service
+		${D}${systemd_system_unitdir}/*.service
 	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-	    install -m 0644 ${WORKDIR}/proc-fs-nfsd.mount ${D}${systemd_unitdir}/system/
-	    install -d ${D}${systemd_unitdir}/system/sysinit.target.wants/
-	    ln -sf ../proc-fs-nfsd.mount ${D}${systemd_unitdir}/system/sysinit.target.wants/proc-fs-nfsd.mount
+		install -m 0644 ${WORKDIR}/proc-fs-nfsd.mount ${D}${systemd_system_unitdir}/
+		install -d ${D}${systemd_system_unitdir}/sysinit.target.wants/
+		ln -sf ../proc-fs-nfsd.mount ${D}${systemd_system_unitdir}/sysinit.target.wants/proc-fs-nfsd.mount
 	fi
 
 	# kernel code as of 3.8 hard-codes this path as a default
@@ -146,7 +149,6 @@ do_install_append () {
 	chown -R rpcuser:rpcuser ${D}${localstatedir}/lib/nfs/statd
 	chmod 0644 ${D}${localstatedir}/lib/nfs/statd/state
 
-        # Make python tools use python 3
-        sed -i -e '1s,#!.*python.*,#!${bindir}/python3,' ${D}${sbindir}/mountstats ${D}${sbindir}/nfsiostat
-
+	# Make python tools use python 3
+	sed -i -e '1s,#!.*python.*,#!${bindir}/python3,' ${D}${sbindir}/mountstats ${D}${sbindir}/nfsiostat
 }
diff --git a/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch b/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch
new file mode 100644
index 0000000000..3655b3fd66
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch
@@ -0,0 +1,28 @@
+From 76e4054801350ebd4a44057379431a33d460ad0f Mon Sep 17 00:00:00 2001
+From: Martin Jansa <Martin.Jansa@gmail.com>
+Date: Wed, 21 Apr 2021 11:01:34 +0000
+Subject: [PATCH] mbim: Fix build with ell-0.39 by restoring unlikely macro
+ from ell/util.h
+
+Upstream-Status: Pending
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ drivers/mbimmodem/mbim-private.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/mbimmodem/mbim-private.h b/drivers/mbimmodem/mbim-private.h
+index 51693eae..d917312c 100644
+--- a/drivers/mbimmodem/mbim-private.h
++++ b/drivers/mbimmodem/mbim-private.h
+@@ -30,6 +30,10 @@
+   __result; })
+ #endif
+ 
++/* used to be part of ell/util.h before 0.39:
++   https://git.kernel.org/pub/scm/libs/ell/ell.git/commit/?id=2a682421b06e41c45098217a686157f576847021 */
++#define unlikely(x) __builtin_expect(!!(x), 0)
++
+ enum mbim_control_message {
+ 	MBIM_OPEN_MSG = 0x1,
+ 	MBIM_CLOSE_MSG = 0x2,
diff --git a/meta/recipes-connectivity/ofono/ofono_1.31.bb b/meta/recipes-connectivity/ofono/ofono_2.4.bb
index 7d0976ad7f..dae5cc3c25 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.31.bb
+++ b/meta/recipes-connectivity/ofono/ofono_2.4.bb
@@ -2,7 +2,7 @@ SUMMARY = "open source telephony"
 DESCRIPTION = "oFono is a stack for mobile telephony devices on Linux. oFono supports speaking to telephony devices through specific drivers, or with generic AT commands."
 HOMEPAGE = "http://www.ofono.org"
 BUGTRACKER = "https://01.org/jira/browse/OF"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \
                     file://src/ofono.h;beginline=1;endline=20;md5=3ce17d5978ef3445def265b98899c2ee"
 DEPENDS = "dbus glib-2.0 udev mobile-broadband-provider-info ell"
@@ -11,40 +11,45 @@ SRC_URI = "\
     ${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
     file://ofono \
     file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \
+    file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \
 "
-SRC_URI[md5sum] = "1c26340e3c6ed132cc812595081bb3dc"
-SRC_URI[sha256sum] = "a15c5d28096c10eb30e47a68b6dc2e7c4a5a99d7f4cfedf0b69624f33d859e9b"
+SRC_URI[sha256sum] = "93580adc1afd1890dc516efb069de0c5cdfef014415256ddfb28ab172df2d11d"
 
 inherit autotools pkgconfig update-rc.d systemd gobject-introspection-data
 
 INITSCRIPT_NAME = "ofono"
 INITSCRIPT_PARAMS = "defaults 22"
-SYSTEMD_SERVICE_${PN} = "ofono.service"
+SYSTEMD_SERVICE:${PN} = "ofono.service"
 
 PACKAGECONFIG ??= "\
     ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
     ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez', '', d)} \
 "
-PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/,--with-systemdunitdir="
+PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_system_unitdir}/,--with-systemdunitdir="
 PACKAGECONFIG[bluez] = "--enable-bluetooth, --disable-bluetooth, bluez5"
 
 EXTRA_OECONF += "--enable-test --enable-external-ell"
 
-do_install_append() {
-  install -d ${D}${sysconfdir}/init.d/
-  install -m 0755 ${WORKDIR}/ofono ${D}${sysconfdir}/init.d/ofono
+do_configure:prepend() {
+    bbnote "Removing bundled ell from ${S}/ell to prevent including it"
+    rm -rf ${S}/ell
+}
+
+do_install:append() {
+    install -d ${D}${sysconfdir}/init.d/
+    install -m 0755 ${WORKDIR}/ofono ${D}${sysconfdir}/init.d/ofono
 }
 
 PACKAGES =+ "${PN}-tests"
 
-FILES_${PN} += "${systemd_unitdir}"
-FILES_${PN}-tests = "${libdir}/${BPN}/test"
+FILES:${PN} += "${systemd_unitdir}"
+FILES:${PN}-tests = "${libdir}/${BPN}/test"
 
-RDEPENDS_${PN} += "dbus"
-RDEPENDS_${PN}-tests = "\
+RDEPENDS:${PN} += "dbus"
+RDEPENDS:${PN}-tests = "\
     python3-core \
     python3-dbus \
     ${@bb.utils.contains('GI_DATA_ENABLED', 'True', 'python3-pygobject', '', d)} \
 "
 
-RRECOMMENDS_${PN} += "kernel-module-tun mobile-broadband-provider-info"
+RRECOMMENDS:${PN} += "kernel-module-tun mobile-broadband-provider-info"
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
new file mode 100644
index 0000000000..8763f30f4b
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch
@@ -0,0 +1,61 @@
+From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Mon, 11 Sep 2023 09:55:21 +0100
+Subject: [PATCH] regress/banner.sh: log input and output files on error
+
+Some test environments like yocto with qemu are seeing these
+tests failing. There may be additional error messages in the
+stderr of ssh cloent command. busybox cmp shows this error when
+first input file has less new line characters then second
+input file:
+
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+
+Logging the full banner.out will show what other error messages
+are captured in addition of the expected banner.
+
+Full log of a failing banner test runs is:
+
+run test banner.sh ...
+test banner: missing banner file
+test banner: size 0
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+banner size 0 mismatch
+test banner: size 10
+test banner: size 100
+cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in
+banner size 100 mismatch
+test banner: size 1000
+test banner: size 10000
+test banner: size 100000
+test banner: suppress banner (-q)
+FAIL:  banner
+return value: 1
+
+See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178
+
+Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437]
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+---
+ regress/banner.sh | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/regress/banner.sh b/regress/banner.sh
+index a84feb5a..de84957a 100644
+--- a/regress/banner.sh
++++ b/regress/banner.sh
+@@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do
+ 	verbose "test $tid: size $s"
+ 	( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+ 		cmp $OBJ/banner.in $OBJ/banner.out ) || \
+-		fail "banner size $s mismatch"
++		( verbose "Contents of $OBJ/banner.in:"; cat $OBJ/banner.in; \
++		  verbose "Contents of $OBJ/banner.out:"; cat $OBJ/banner.out; \
++		  fail "banner size $s mismatch" )
+ done
+ 
+ trace "test suppress banner (-q)"
+-- 
+2.34.1
+
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
new file mode 100644
index 0000000000..f079d936a4
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
@@ -0,0 +1,96 @@
+From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001
+From: Matt Jolly <Matt.Jolly@footclan.ninja>
+Date: Thu, 2 Feb 2023 21:05:40 +1100
+Subject: [PATCH] systemd: Add optional support for systemd `sd_notify`
+
+This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org>
+patch based on Jakub Jelen's <jjelen@redhat.com> original patch
+
+Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56]
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ configure.ac | 24 ++++++++++++++++++++++++
+ sshd.c       | 13 +++++++++++++
+ 2 files changed, 37 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 82e8bb7..d1145d3 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS])
+ AC_SUBST([K5LIBS])
+ AC_SUBST([CHANNELLIBS])
+ 
++# Check whether user wants systemd support
++SYSTEMD_MSG="no"
++AC_ARG_WITH(systemd,
++	[  --with-systemd          Enable systemd support],
++	[ if test "x$withval" != "xno" ; then
++		AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
++		if test "$PKGCONFIG" != "no"; then
++			AC_MSG_CHECKING([for libsystemd])
++			if $PKGCONFIG --exists libsystemd; then
++				SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
++				SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
++				CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
++				SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
++				AC_MSG_RESULT([yes])
++				AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
++				SYSTEMD_MSG="yes"
++			else
++				AC_MSG_RESULT([no])
++			fi
++		fi
++	fi ]
++)
++
+ # Looking for programs, paths and files
+ 
+ PRIVSEP_PATH=/var/empty
+@@ -5688,6 +5711,7 @@ echo "                   libldns support: $LDNS_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
+ echo "           Solaris project support: $SP_MSG"
+ echo "         Solaris privilege support: $SPP_MSG"
++echo "                   systemd support: $SYSTEMD_MSG"
+ echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
+ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+ echo "                  BSD Auth support: $BSD_AUTH_MSG"
+diff --git a/sshd.c b/sshd.c
+index b4f2b97..6820a41 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -88,6 +88,10 @@
+ #include <prot.h>
+ #endif
+ 
++#ifdef HAVE_SYSTEMD
++#include <systemd/sd-daemon.h>
++#endif
++
+ #include "xmalloc.h"
+ #include "ssh.h"
+ #include "ssh2.h"
+@@ -308,6 +312,10 @@ static void
+ sighup_restart(void)
+ {
+ 	logit("Received SIGHUP; restarting.");
++#ifdef HAVE_SYSTEMD
++	/* Signal systemd that we are reloading */
++	sd_notify(0, "RELOADING=1");
++#endif
+ 	if (options.pid_file != NULL)
+ 		unlink(options.pid_file);
+ 	platform_pre_restart();
+@@ -2093,6 +2101,11 @@ main(int ac, char **av)
+ 			}
+ 		}
+ 
++#ifdef HAVE_SYSTEMD
++		/* Signal systemd that we are ready to accept connections */
++		sd_notify(0, "READY=1");
++#endif
++
+ 		/* Accept a connection and return in a forked child */
+ 		server_accept_loop(&sock_in, &sock_out,
+ 		    &newsock, config_s);
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch
deleted file mode 100644
index 3265be3485..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 2014fad3d28090b59d2f8a0971166c06e5fa6da6 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Fri, 18 Oct 2019 14:56:58 +0800
-Subject: [PATCH] upstream: fix integer overflow in XMSS private key parsing.
-
-Reported by Adam Zabrocki via SecuriTeam's SSH program.
-
-Note that this code is experimental and not compiled by default.
-
-ok markus@
-
-OpenBSD-Commit-ID: cd0361896d15e8a1bac495ac583ff065ffca2be1
-
-Signed-off-by: "djm@openbsd.org" <djm@openbsd.org>
-
-Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a]
-CVE: CVE-2019-16905
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- sshkey-xmss.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/sshkey-xmss.c b/sshkey-xmss.c
-index aaae702..c57681a 100644
---- a/sshkey-xmss.c
-+++ b/sshkey-xmss.c
-@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
- 		goto out;
- 	}
- 	/* check that an appropriate amount of auth data is present */
--	if (sshbuf_len(encoded) < encrypted_len + authlen) {
-+	if (sshbuf_len(encoded) < authlen ||
-+	    sshbuf_len(encoded) - authlen < encrypted_len) {
- 		r = SSH_ERR_INVALID_FORMAT;
- 		goto out;
- 	}
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest
index daf62cca5b..b2244d725a 100755
--- a/meta/recipes-connectivity/openssh/openssh/run-ptest
+++ b/meta/recipes-connectivity/openssh/openssh/run-ptest
@@ -1,10 +1,25 @@
 #!/bin/sh
 
 export TEST_SHELL=sh
+export SKIP_UNIT=1
 
 cd regress
+
+# copied from openssh-portable/.github/run_test.sh
+output_failed_logs() {
+    for i in failed*.log; do
+        if [ -f "$i" ]; then
+            echo -------------------------------------------------------------------------
+            echo LOGFILE $i
+            cat $i
+            echo -------------------------------------------------------------------------
+        fi
+    done
+}
+trap output_failed_logs 0
+
 sed -i "/\t\tagent-ptrace /d" Makefile
-make -k .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \
+make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="" tests \
         | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g'
 
 SSHAGENT=`which ssh-agent`
diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config
index e0d023803e..cb2774a163 100644
--- a/meta/recipes-connectivity/openssh/openssh/ssh_config
+++ b/meta/recipes-connectivity/openssh/openssh/ssh_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $
+#	$OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -17,11 +17,11 @@
 # list of available options, their meanings and defaults, please see the
 # ssh_config(5) man page.
 
-Host *
-  ForwardAgent yes
-  ForwardX11 yes
-#   RhostsRSAAuthentication no
-#   RSAAuthentication yes
+Include /etc/ssh/ssh_config.d/*.conf
+
+# Host *
+#   ForwardAgent no
+#   ForwardX11 no
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   GSSAPIAuthentication no
@@ -36,7 +36,6 @@ Host *
 #   IdentityFile ~/.ssh/id_ecdsa
 #   IdentityFile ~/.ssh/id_ed25519
 #   Port 22
-#   Protocol 2
 #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
 #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
 #   EscapeChar ~
@@ -46,3 +45,4 @@ Host *
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
+#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service
new file mode 100644
index 0000000000..2a997b656a
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenSSH server daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+
+[Service]
+Environment="SSHD_OPTS="
+EnvironmentFile=-/etc/default/ssh
+ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
+ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
+ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=42s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 12c39b26b5..8d76d62309 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,5 +1,6 @@
 [Unit]
 Conflicts=sshd.service
+Wants=sshdgenkeys.service
 
 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service
index 9d83dfb2bb..9d9965e624 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd@.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service
@@ -1,13 +1,10 @@
 [Unit]
 Description=OpenSSH Per-Connection Daemon
-Wants=sshdgenkeys.service
 After=sshdgenkeys.service
 
 [Service]
 Environment="SSHD_OPTS="
 EnvironmentFile=-/etc/default/ssh
 ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 StandardInput=socket
-StandardError=syslog
 KillMode=process
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
index 1931dc7153..606d1894b5 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys
@@ -6,6 +6,7 @@ generate_key() {
     local DIR="$(dirname "$FILE")"
 
     mkdir -p "$DIR"
+    rm -f ${FILE}.tmp
     ssh-keygen -q -f "${FILE}.tmp" -N '' -t $TYPE
 
     # Atomically rename file public key
@@ -56,8 +57,7 @@ while true ; do
     esac
 done
 
-HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}")
-[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key"
+HOST_KEYS=$(sshd -G -f "${sshd_config}" | grep -i '^hostkey ' | cut -f2 -d' ')
 
 for key in ${HOST_KEYS} ; do
     [ -f $key ] && continue
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_config b/meta/recipes-connectivity/openssh/openssh/sshd_config
index 15f061b570..e9eaf93157 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd_config
+++ b/meta/recipes-connectivity/openssh/openssh/sshd_config
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
+#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -10,6 +10,8 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 
+Include /etc/ssh/sshd_config.d/*.conf
+
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
@@ -57,9 +59,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
+# Change to yes to enable keyboard-interactive authentication (beware issues
+# with some PAM modules and threads)
+KbdInteractiveAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -73,13 +75,13 @@ ChallengeResponseAuthentication no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
+# PAM authentication via KbdInteractiveAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 #UsePAM no
 
 #AllowAgentForwarding yes
@@ -92,7 +94,6 @@ ChallengeResponseAuthentication no
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
 #PermitUserEnvironment no
 Compression no
 ClientAliveInterval 15
diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
index 603c33787f..fd81793d51 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
@@ -6,3 +6,4 @@ RequiresMountsFor=/var /run
 ExecStart=@LIBEXECDIR@/sshd_check_keys
 Type=oneshot
 RemainAfterExit=yes
+Nice=10
diff --git a/meta/recipes-connectivity/openssh/openssh_8.0p1.bb b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
index 2ffbc9a95f..d1468c59fc 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.0p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
@@ -5,8 +5,8 @@ Ssh (Secure Shell) is a program for logging into a remote machine \
 and for executing commands on a remote machine."
 HOMEPAGE = "http://www.openssh.com/"
 SECTION = "console/network"
-LICENSE = "BSD & ISC & MIT"
-LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"
+LICENSE = "BSD-2-Clause & BSD-3-Clause & ISC & MIT"
+LIC_FILES_CHKSUM = "file://LICENCE;md5=072979064e691d342002f43cd89c0394"
 
 DEPENDS = "zlib openssl virtual/crypt"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
@@ -16,6 +16,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://ssh_config \
            file://init \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+           file://sshd.service \
            file://sshd.socket \
            file://sshd@.service \
            file://sshdgenkeys.service \
@@ -24,25 +25,46 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
            file://sshd_check_keys \
            file://add-test-support-for-busybox.patch \
-           file://0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch \
+           file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
+           file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \
            "
-SRC_URI[md5sum] = "bf050f002fe510e1daecd39044e1122d"
-SRC_URI[sha256sum] = "bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68"
+SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd"
+
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
+
+# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
+# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
+
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
 
 PAM_SRC_URI = "file://sshd"
 
-inherit useradd update-rc.d update-alternatives systemd
+inherit manpages useradd update-rc.d update-alternatives systemd
 
 USERADD_PACKAGES = "${PN}-sshd"
-USERADD_PARAM_${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
+USERADD_PARAM:${PN}-sshd = "--system --no-create-home --home-dir /var/run/sshd --shell /bin/false --user-group sshd"
 INITSCRIPT_PACKAGES = "${PN}-sshd"
-INITSCRIPT_NAME_${PN}-sshd = "sshd"
-INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
+INITSCRIPT_NAME:${PN}-sshd = "sshd"
+INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9"
 
 SYSTEMD_PACKAGES = "${PN}-sshd"
-SYSTEMD_SERVICE_${PN}-sshd = "sshd.socket"
-
-inherit autotools-brokensep ptest
+SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
+
+inherit autotools-brokensep ptest pkgconfig
+DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+# systemd-sshd-socket-mode means installing sshd.socket
+# and systemd-sshd-service-mode corresponding to sshd.service
+PACKAGECONFIG ??= "systemd-sshd-socket-mode"
+PACKAGECONFIG[fido2] = "--with-security-key-builtin,--disable-security-key,libfido2"
+PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5"
+PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns"
+PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
+PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat"
+PACKAGECONFIG[systemd-sshd-socket-mode] = ""
+PACKAGECONFIG[systemd-sshd-service-mode] = ""
 
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
@@ -54,10 +76,18 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
                 --sysconfdir=${sysconfdir}/ssh \
                 --with-xauth=${bindir}/xauth \
                 --disable-strip \
+                ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \
                 "
 
-# musl doesn't implement wtmp/utmp
-EXTRA_OECONF_append_libc-musl = " --disable-wtmp"
+# musl doesn't implement wtmp/utmp and logwtmp
+EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog"
+
+# Work around ICE on mips/mips64 starting in 9.6p1
+EXTRA_OECONF:append:mips = " --without-hardening"
+EXTRA_OECONF:append:mips64 = " --without-hardening"
+
+# Work around ICE on powerpc64le starting in 9.6p1
+EXTRA_OECONF:append:powerpc64le = " --without-hardening"
 
 # Since we do not depend on libbsd, we do not want configure to use it
 # just because it finds libutil.h.  But, specifying --disable-libutil
@@ -70,20 +100,17 @@ CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
 # We don't want to depend on libblockfile
 CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
 
-do_configure_prepend () {
+do_configure:prepend () {
 	export LD="${CC}"
 	install -m 0644 ${WORKDIR}/sshd_config ${B}/
 	install -m 0644 ${WORKDIR}/ssh_config ${B}/
 }
 
 do_compile_ptest() {
-        # skip regress/unittests/ binaries: this will silently skip
-        # unittests in run-ptests which is good because they are so slow.
-        oe_runmake regress/modpipe regress/setuid-allowed regress/netcat \
-                   regress/check-perm regress/mkdtemp
+	oe_runmake regress-binaries regress-unit-binaries
 }
 
-do_install_append () {
+do_install:append () {
 	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
 		install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
 		sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
@@ -109,15 +136,25 @@ do_install_append () {
 	echo "HostKey /var/run/ssh/ssh_host_ecdsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 	echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
 
-	install -d ${D}${systemd_unitdir}/system
-	install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_unitdir}/system
-	install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_unitdir}/system
-	install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_unitdir}/system
+	install -d ${D}${systemd_system_unitdir}
+	if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then
+	    install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir}
+	    install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir}
+	    sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
+		    -e 's,@SBINDIR@,${sbindir},g' \
+		    -e 's,@BINDIR@,${bindir},g' \
+		    -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
+            ${D}${systemd_system_unitdir}/sshd.socket
+	fi
+	if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','true','false',d)}; then
+	    install -c -m 0644 ${WORKDIR}/sshd.service ${D}${systemd_system_unitdir}
+	fi
+	install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir}
 	sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
 		-e 's,@SBINDIR@,${sbindir},g' \
 		-e 's,@BINDIR@,${bindir},g' \
 		-e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
-		${D}${systemd_unitdir}/system/sshd.socket ${D}${systemd_unitdir}/system/*.service
+		${D}${systemd_system_unitdir}/*.service
 
 	sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \
 		${D}${sysconfdir}/init.d/sshd
@@ -128,38 +165,38 @@ do_install_append () {
 do_install_ptest () {
 	sed -i -e "s|^SFTPSERVER=.*|SFTPSERVER=${libexecdir}/sftp-server|" regress/test-exec.sh
 	cp -r regress ${D}${PTEST_PATH}
+	cp config.h ${D}${PTEST_PATH}
 }
 
-ALLOW_EMPTY_${PN} = "1"
+ALLOW_EMPTY:${PN} = "1"
 
 PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
-FILES_${PN}-scp = "${bindir}/scp.${BPN}"
-FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
-FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system"
-FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
-FILES_${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
-FILES_${PN}-sftp = "${bindir}/sftp"
-FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
-FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
-FILES_${PN}-keygen = "${bindir}/ssh-keygen"
-
-RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
-RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
-RRECOMMENDS_${PN}-sshd_append_class-target = " rng-tools"
+FILES:${PN}-scp = "${bindir}/scp.${BPN}"
+FILES:${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
+FILES:${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_system_unitdir}"
+FILES:${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
+FILES:${PN}-sshd += "${libexecdir}/${BPN}/sshd_check_keys"
+FILES:${PN}-sftp = "${bindir}/sftp"
+FILES:${PN}-sftp-server = "${libexecdir}/sftp-server"
+FILES:${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
+FILES:${PN}-keygen = "${bindir}/ssh-keygen"
+
+RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server"
+RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
 # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies
-RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils"
+RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed coreutils openssl-bin"
 
-RPROVIDES_${PN}-ssh = "ssh"
-RPROVIDES_${PN}-sshd = "sshd"
+RPROVIDES:${PN}-ssh = "ssh"
+RPROVIDES:${PN}-sshd = "sshd"
 
-RCONFLICTS_${PN} = "dropbear"
-RCONFLICTS_${PN}-sshd = "dropbear"
+RCONFLICTS:${PN} = "dropbear"
+RCONFLICTS:${PN}-sshd = "dropbear"
 
-CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
-CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
+CONFFILES:${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
+CONFFILES:${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
 
 ALTERNATIVE_PRIORITY = "90"
-ALTERNATIVE_${PN}-scp = "scp"
-ALTERNATIVE_${PN}-ssh = "ssh"
+ALTERNATIVE:${PN}-scp = "scp"
+ALTERNATIVE:${PN}-ssh = "ssh"
 
 BBCLASSEXTEND += "nativesdk"
diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
index b9cc24a7ac..6f23490c87 100644
--- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1 +1,5 @@
 export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
+export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
+export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
+export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
+export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
new file mode 100644
index 0000000000..aa2e5bb800
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -0,0 +1,374 @@
+From 5ba65051fea0513db0d997f0ab7cafb9826ed74a Mon Sep 17 00:00:00 2001
+From: William Lyu <William.Lyu@windriver.com>
+Date: Fri, 20 Oct 2023 16:22:37 -0400
+Subject: [PATCH] Added handshake history reporting when test fails
+
+Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
+
+Signed-off-by: William Lyu <William.Lyu@windriver.com>
+---
+ test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++----------
+ test/helpers/handshake.h |  70 +++++++++++++++++++-
+ test/ssl_test.c          |  44 +++++++++++++
+ 3 files changed, 218 insertions(+), 35 deletions(-)
+
+diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
+index e0422469e4..ae2ad59dd4 100644
+--- a/test/helpers/handshake.c
++++ b/test/helpers/handshake.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -24,6 +24,102 @@
+ #include <netinet/sctp.h>
+ #endif
+
++/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
++/* Maps string names to various enumeration type */
++typedef struct {
++    const char *name;
++    int value;
++} enum_name_map;
++
++static const enum_name_map connect_phase_names[] = {
++    {"Handshake", HANDSHAKE},
++    {"RenegAppData", RENEG_APPLICATION_DATA},
++    {"RenegSetup", RENEG_SETUP},
++    {"RenegHandshake", RENEG_HANDSHAKE},
++    {"AppData", APPLICATION_DATA},
++    {"Shutdown", SHUTDOWN},
++    {"ConnectionDone", CONNECTION_DONE}
++};
++
++static const enum_name_map peer_status_names[] = {
++    {"PeerSuccess", PEER_SUCCESS},
++    {"PeerRetry", PEER_RETRY},
++    {"PeerError", PEER_ERROR},
++    {"PeerWaiting", PEER_WAITING},
++    {"PeerTestFail", PEER_TEST_FAILURE}
++};
++
++static const enum_name_map handshake_status_names[] = {
++    {"HandshakeSuccess", HANDSHAKE_SUCCESS},
++    {"ClientError", CLIENT_ERROR},
++    {"ServerError", SERVER_ERROR},
++    {"InternalError", INTERNAL_ERROR},
++    {"HandshakeRetry", HANDSHAKE_RETRY}
++};
++
++/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
++static const char *enum_name(const enum_name_map *enums, size_t num_enums,
++                             int value)
++{
++    size_t i;
++    for (i = 0; i < num_enums; i++) {
++        if (enums[i].value == value) {
++            return enums[i].name;
++        }
++    }
++    return "InvalidValue";
++}
++
++const char *handshake_connect_phase_name(connect_phase_t phase)
++{
++    return enum_name(connect_phase_names, OSSL_NELEM(connect_phase_names),
++                     (int)phase);
++}
++
++const char *handshake_status_name(handshake_status_t handshake_status)
++{
++    return enum_name(handshake_status_names, OSSL_NELEM(handshake_status_names),
++                     (int)handshake_status);
++}
++
++const char *handshake_peer_status_name(peer_status_t peer_status)
++{
++    return enum_name(peer_status_names, OSSL_NELEM(peer_status_names),
++                     (int)peer_status);
++}
++
++static void save_loop_history(HANDSHAKE_HISTORY *history,
++                              connect_phase_t phase,
++                              handshake_status_t handshake_status,
++                              peer_status_t server_status,
++                              peer_status_t client_status,
++                              int client_turn_count,
++                              int is_client_turn)
++{
++    HANDSHAKE_HISTORY_ENTRY *new_entry = NULL;
++
++    /*
++     * Create a new history entry for a handshake loop with statuses given in
++     * the arguments. Potentially evicting the oldest entry when the
++     * ring buffer is full.
++     */
++    ++(history->last_idx);
++    history->last_idx &= MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
++
++    new_entry = &((history->entries)[history->last_idx]);
++    new_entry->phase = phase;
++    new_entry->handshake_status = handshake_status;
++    new_entry->server_status = server_status;
++    new_entry->client_status = client_status;
++    new_entry->client_turn_count = client_turn_count;
++    new_entry->is_client_turn = is_client_turn;
++
++    /* Evict the oldest handshake loop entry when the ring buffer is full. */
++    if (history->entry_count < MAX_HANDSHAKE_HISTORY_ENTRY) {
++        ++(history->entry_count);
++    }
++}
++
+ HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
+ {
+     HANDSHAKE_RESULT *ret;
+@@ -719,15 +815,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
+         SSL_set_post_handshake_auth(client, 1);
+ }
+
+-/* The status for each connection phase. */
+-typedef enum {
+-    PEER_SUCCESS,
+-    PEER_RETRY,
+-    PEER_ERROR,
+-    PEER_WAITING,
+-    PEER_TEST_FAILURE
+-} peer_status_t;
+-
+ /* An SSL object and associated read-write buffers. */
+ typedef struct peer_st {
+     SSL *ssl;
+@@ -1074,17 +1161,6 @@ static void do_shutdown_step(PEER *peer)
+     }
+ }
+
+-typedef enum {
+-    HANDSHAKE,
+-    RENEG_APPLICATION_DATA,
+-    RENEG_SETUP,
+-    RENEG_HANDSHAKE,
+-    APPLICATION_DATA,
+-    SHUTDOWN,
+-    CONNECTION_DONE
+-} connect_phase_t;
+-
+-
+ static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
+ {
+     switch (test_ctx->handshake_mode) {
+@@ -1162,19 +1238,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
+     }
+ }
+
+-typedef enum {
+-    /* Both parties succeeded. */
+-    HANDSHAKE_SUCCESS,
+-    /* Client errored. */
+-    CLIENT_ERROR,
+-    /* Server errored. */
+-    SERVER_ERROR,
+-    /* Peers are in inconsistent state. */
+-    INTERNAL_ERROR,
+-    /* One or both peers not done. */
+-    HANDSHAKE_RETRY
+-} handshake_status_t;
+-
+ /*
+  * Determine the handshake outcome.
+  * last_status: the status of the peer to have acted last.
+@@ -1539,6 +1602,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+
+     start = time(NULL);
+
++    save_loop_history(&(ret->history),
++                      phase, status, server.status, client.status,
++                      client_turn_count, client_turn);
++
+     /*
+      * Half-duplex handshake loop.
+      * Client and server speak to each other synchronously in the same process.
+@@ -1560,6 +1627,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+                                       0 /* server went last */);
+         }
+
++        save_loop_history(&(ret->history),
++                          phase, status, server.status, client.status,
++                          client_turn_count, client_turn);
++
+         switch (status) {
+         case HANDSHAKE_SUCCESS:
+             client_turn_count = 0;
+diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
+index 78b03f9f4b..b9967c2623 100644
+--- a/test/helpers/handshake.h
++++ b/test/helpers/handshake.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -12,6 +12,11 @@
+
+ #include "ssl_test_ctx.h"
+
++#define MAX_HANDSHAKE_HISTORY_ENTRY_BIT 4
++#define MAX_HANDSHAKE_HISTORY_ENTRY (1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT)
++#define MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK \
++    ((1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT) - 1)
++
+ typedef struct ctx_data_st {
+     unsigned char *npn_protocols;
+     size_t npn_protocols_len;
+@@ -22,6 +27,63 @@ typedef struct ctx_data_st {
+     char *session_ticket_app_data;
+ } CTX_DATA;
+
++typedef enum {
++    HANDSHAKE,
++    RENEG_APPLICATION_DATA,
++    RENEG_SETUP,
++    RENEG_HANDSHAKE,
++    APPLICATION_DATA,
++    SHUTDOWN,
++    CONNECTION_DONE
++} connect_phase_t;
++
++/* The status for each connection phase. */
++typedef enum {
++    PEER_SUCCESS,
++    PEER_RETRY,
++    PEER_ERROR,
++    PEER_WAITING,
++    PEER_TEST_FAILURE
++} peer_status_t;
++
++typedef enum {
++    /* Both parties succeeded. */
++    HANDSHAKE_SUCCESS,
++    /* Client errored. */
++    CLIENT_ERROR,
++    /* Server errored. */
++    SERVER_ERROR,
++    /* Peers are in inconsistent state. */
++    INTERNAL_ERROR,
++    /* One or both peers not done. */
++    HANDSHAKE_RETRY
++} handshake_status_t;
++
++/* Stores the various status information in a handshake loop. */
++typedef struct handshake_history_entry_st {
++    connect_phase_t phase;
++    handshake_status_t handshake_status;
++    peer_status_t server_status;
++    peer_status_t client_status;
++    int client_turn_count;
++    int is_client_turn;
++} HANDSHAKE_HISTORY_ENTRY;
++
++typedef struct handshake_history_st {
++    /* Implemented using ring buffer. */
++    /*
++     * The valid entries are |entries[last_idx]|, |entries[last_idx-1]|,
++     * ..., etc., going up to |entry_count| number of entries. Note that when
++     * the index into the array |entries| becomes < 0, we wrap around to
++     * the end of |entries|.
++     */
++    HANDSHAKE_HISTORY_ENTRY entries[MAX_HANDSHAKE_HISTORY_ENTRY];
++    /* The number of valid entries in |entries| array. */
++    size_t entry_count;
++    /* The index of the last valid entry in the |entries| array. */
++    size_t last_idx;
++} HANDSHAKE_HISTORY;
++
+ typedef struct handshake_result {
+     ssl_test_result_t result;
+     /* These alerts are in the 2-byte format returned by the info_callback. */
+@@ -77,6 +139,8 @@ typedef struct handshake_result {
+     char *cipher;
+     /* session ticket application data */
+     char *result_session_ticket_app_data;
++    /* handshake loop history */
++    HANDSHAKE_HISTORY history;
+ } HANDSHAKE_RESULT;
+
+ HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
+@@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
+                                     CTX_DATA *server2_ctx_data,
+                                     CTX_DATA *client_ctx_data);
+
++const char *handshake_connect_phase_name(connect_phase_t phase);
++const char *handshake_status_name(handshake_status_t handshake_status);
++const char *handshake_peer_status_name(peer_status_t peer_status);
++
+ #endif  /* OSSL_TEST_HANDSHAKE_HELPER_H */
+diff --git a/test/ssl_test.c b/test/ssl_test.c
+index ea608518f9..9d6b093c81 100644
+--- a/test/ssl_test.c
++++ b/test/ssl_test.c
+@@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
+ /* Currently the section names are of the form test-<number>, e.g. test-15. */
+ #define MAX_TESTCASE_NAME_LENGTH 100
+
++static void print_handshake_history(const HANDSHAKE_HISTORY *history)
++{
++    size_t first_idx;
++    size_t i;
++    size_t cur_idx;
++    const HANDSHAKE_HISTORY_ENTRY *cur_entry;
++    const char header_template[] = "|%14s|%16s|%16s|%16s|%17s|%14s|";
++    const char body_template[]   = "|%14s|%16s|%16s|%16s|%17d|%14s|";
++
++    TEST_info("The following is the server/client state "
++              "in the most recent %d handshake loops.",
++              MAX_HANDSHAKE_HISTORY_ENTRY);
++
++    TEST_note("=================================================="
++              "==================================================");
++    TEST_note(header_template,
++              "phase", "handshake status", "server status",
++              "client status", "client turn count", "is client turn");
++    TEST_note("+--------------+----------------+----------------"
++              "+----------------+-----------------+--------------+");
++
++    first_idx = (history->last_idx - history->entry_count + 1) &
++                MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
++    for (i = 0; i < history->entry_count; ++i) {
++        cur_idx = (first_idx + i) & MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
++        cur_entry = &(history->entries)[cur_idx];
++        TEST_note(body_template,
++                  handshake_connect_phase_name(cur_entry->phase),
++                  handshake_status_name(cur_entry->handshake_status),
++                  handshake_peer_status_name(cur_entry->server_status),
++                  handshake_peer_status_name(cur_entry->client_status),
++                  cur_entry->client_turn_count,
++                  cur_entry->is_client_turn ? "true" : "false");
++    }
++    TEST_note("=================================================="
++              "==================================================");
++}
++
+ static const char *print_alert(int alert)
+ {
+     return alert ? SSL_alert_desc_string_long(alert) : "no alert";
+@@ -388,6 +426,12 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+         ret &= check_client_sign_type(result, test_ctx);
+         ret &= check_client_ca_names(result, test_ctx);
+     }
++
++    /* Print handshake loop history if any check fails. */
++    if (!ret) {
++        print_handshake_history(&(result->history));
++    }
++
+     return ret;
+ }
+
+--
+2.25.1
+
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
new file mode 100644
index 0000000000..502a7aaf32
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -0,0 +1,39 @@
+From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Tue, 30 May 2023 09:11:27 -0700
+Subject: [PATCH] Configure: do not tweak mips cflags
+
+This conflicts with mips machine definitons from yocto,
+e.g.
+| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+
+Refreshed for openssl-3.1.1
+Signed-off-by: Tim Orling <tim.orling@konsulko.com>
+---
+ Configure | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/Configure b/Configure
+index 4569952..adf019b 100755
+--- a/Configure
++++ b/Configure
+@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+         push @{$config{shared_ldflag}}, "-mno-cygwin";
+         }
+ 
+-if ($target =~ /linux.*-mips/ && !$disabled{asm}
+-        && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+-        # minimally required architecture flags for assembly modules
+-        my $value;
+-        $value = '-mips2' if ($target =~ /mips32/);
+-        $value = '-mips3' if ($target =~ /mips64/);
+-        unshift @{$config{cflags}}, $value;
+-        unshift @{$config{cxxflags}}, $value if $config{CXX};
+-}
+-
+ # If threads aren't disabled, check how possible they are
+ unless ($disabled{threads}) {
+     if ($auto_threads) {
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index 949c788344..bafdbaa46f 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -1,4 +1,4 @@
-From 3e1d00481093e10775eaf69d619c45b32a4aa7dc Mon Sep 17 00:00:00 2001
+From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <martin@geanix.com>
 Date: Tue, 6 Nov 2018 14:50:47 +0100
 Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler
@@ -21,20 +21,24 @@ https://patchwork.openembedded.org/patch/147229/
 Upstream-Status: Inappropriate [OE specific]
 Signed-off-by: Martin Hundebøll <martin@geanix.com>
 
-
 Update to fix buildpaths qa issue for '-fmacro-prefix-map'.
 
 Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+Update to fix buildpaths qa issue for '-ffile-prefix-map'.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
 ---
- Configurations/unix-Makefile.tmpl | 10 +++++++++-
+ Configurations/unix-Makefile.tmpl | 12 +++++++++++-
  crypto/build.info                 |  2 +-
- 2 files changed, 10 insertions(+), 2 deletions(-)
+ 2 files changed, 12 insertions(+), 2 deletions(-)
 
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 16af4d2087..54c162784c 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
+===================================================================
+--- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl
++++ openssl-3.0.4/Configurations/unix-Makefile.tmpl
+@@ -472,13 +472,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl
                           '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
  BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
  
@@ -49,6 +53,7 @@ index 16af4d2087..54c162784c 100644
 +CFLAGS_Q={- for (@{$config{CFLAGS}}) {
 +              s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
 +              s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
++              s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
 +            }
 +            join(' ', @{$config{CFLAGS}}) -}
 +
@@ -58,19 +63,16 @@ index 16af4d2087..54c162784c 100644
  PERLASM_SCHEME= {- $target{perlasm_scheme} -}
  
  # For x86 assembler: Set PROCESSOR to 386 if you want to support
-diff --git a/crypto/build.info b/crypto/build.info
-index b515b7318e..8c9cee2a09 100644
---- a/crypto/build.info
-+++ b/crypto/build.info
-@@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
-         ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
+Index: openssl-3.0.4/crypto/build.info
+===================================================================
+--- openssl-3.0.4.orig/crypto/build.info
++++ openssl-3.0.4/crypto/build.info
+@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
  
+ DEPEND[info.o]=buildinf.h
  DEPEND[cversion.o]=buildinf.h
 -GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
 +GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)"
- DEPEND[buildinf.h]=../configdata.pm
  
- GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
--- 
-2.19.1
-
+ GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
+ GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch b/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch
deleted file mode 100644
index d8d9651b64..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a9401b2289656c5a36dd1b0ecebf0d23e291ce70 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 2 Oct 2018 23:58:24 +0800
-Subject: [PATCH] skip test_symbol_presence
-
-We cannot skip `01-test_symbol_presence.t' by configuring option `no-shared'
-as INSTALL told us the shared libraries will not be built.
-
-[INSTALL snip]
- Notes on shared libraries
- -------------------------
-
- For most systems the OpenSSL Configure script knows what is needed to
- build shared libraries for libcrypto and libssl. On these systems
- the shared libraries will be created by default. This can be suppressed and
- only static libraries created by using the "no-shared" option. On systems
- where OpenSSL does not know how to build shared libraries the "no-shared"
- option will be forced and only static libraries will be created.
-[INSTALL snip]
-
-Hence directly modification the case to skip it.
-
-Upstream-Status: Inappropriate [OE Specific]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- test/recipes/01-test_symbol_presence.t | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
-index 7f2a2d7..0b93745 100644
---- a/test/recipes/01-test_symbol_presence.t
-+++ b/test/recipes/01-test_symbol_presence.t
-@@ -14,8 +14,7 @@ use OpenSSL::Test::Utils;
- 
- setup("test_symbol_presence");
- 
--plan skip_all => "Only useful when building shared libraries"
--    if disabled("shared");
-+plan skip_all => "The case needs debug symbols then we just disable it";
- 
- my @libnames = ("crypto", "ssl");
- my $testcount = scalar @libnames;
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
new file mode 100644
index 0000000000..8772f716d5
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
@@ -0,0 +1,120 @@
+From e9d7083e241670332e0443da0f0d4ffb52829f08 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 5 Mar 2024 15:43:53 +0000
+Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
+
+In TLSv1.3 we create a new session object for each ticket that we send.
+We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
+use then the new session will be added to the session cache. However, if
+early data is not in use (and therefore anti-replay protection is being
+used), then multiple threads could be resuming from the same session
+simultaneously. If this happens and a problem occurs on one of the threads,
+then the original session object could be marked as not_resumable. When we
+duplicate the session object this not_resumable status gets copied into the
+new session object. The new session object is then added to the session
+cache even though it is not_resumable.
+
+Subsequently, another bug means that the session_id_length is set to 0 for
+sessions that are marked as not_resumable - even though that session is
+still in the cache. Once this happens the session can never be removed from
+the cache. When that object gets to be the session cache tail object the
+cache never shrinks again and grows indefinitely.
+
+CVE-2024-2511
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24043)
+
+CVE: CVE-2024-2511
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ssl/ssl_lib.c            |  5 +++--
+ ssl/ssl_sess.c           | 28 ++++++++++++++++++++++------
+ ssl/statem/statem_srvr.c |  5 ++---
+ 3 files changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 4afb43bc86e54..c51529ddab5bb 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -4457,9 +4457,10 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode)
+ 
+     /*
+      * If the session_id_length is 0, we are not supposed to cache it, and it
+-     * would be rather hard to do anyway :-)
++     * would be rather hard to do anyway :-). Also if the session has already
++     * been marked as not_resumable we should not cache it for later reuse.
+      */
+-    if (s->session->session_id_length == 0)
++    if (s->session->session_id_length == 0 || s->session->not_resumable)
+         return;
+ 
+     /*
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index 3dcc4d81e5bc6..1fa6d17c46863 100644
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -127,16 +127,11 @@ SSL_SESSION *SSL_SESSION_new(void)
+     return ss;
+ }
+ 
+-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+-{
+-    return ssl_session_dup(src, 1);
+-}
+-
+ /*
+  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+  * ticket == 0 then no ticket information is duplicated, otherwise it is.
+  */
+-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
+ {
+     SSL_SESSION *dest;
+ 
+@@ -265,6 +260,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+     return NULL;
+ }
+ 
++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
++{
++    return ssl_session_dup_intern(src, 1);
++}
++
++/*
++ * Used internally when duplicating a session which might be already shared.
++ * We will have resumed the original session. Subsequently we might have marked
++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
++ * resume from.
++ */
++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++{
++    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
++
++    if (sess != NULL)
++        sess->not_resumable = 0;
++
++    return sess;
++}
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+ {
+     if (len)
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index 853af8c0aa9f9..d5f0ab091dacc 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -2445,9 +2445,8 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
+      * so the following won't overwrite an ID that we're supposed
+      * to send back.
+      */
+-    if (s->session->not_resumable ||
+-        (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
+-         && !s->hit))
++    if (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
++            && !s->hit)
+         s->session->session_id_length = 0;
+ 
+     if (usetls13) {
diff --git a/meta/recipes-connectivity/openssl/openssl/afalg.patch b/meta/recipes-connectivity/openssl/openssl/afalg.patch
deleted file mode 100644
index b7c0e9697f..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/afalg.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Don't refuse to build afalgeng if cross-compiling or the host kernel is too old.
-
-Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688]
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/Configure b/Configure
-index 3baa8ce..9ef52ed 100755
---- a/Configure
-+++ b/Configure
-@@ -1550,20 +1550,7 @@ unless ($disabled{"crypto-mdebug-backtrace"})
- unless ($disabled{afalgeng}) {
-     $config{afalgeng}="";
-     if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
--        my $minver = 4*10000 + 1*100 + 0;
--        if ($config{CROSS_COMPILE} eq "") {
--            my $verstr = `uname -r`;
--            my ($ma, $mi1, $mi2) = split("\\.", $verstr);
--            ($mi2) = $mi2 =~ /(\d+)/;
--            my $ver = $ma*10000 + $mi1*100 + $mi2;
--            if ($ver < $minver) {
--                disable('too-old-kernel', 'afalgeng');
--            } else {
--                push @{$config{engdirs}}, "afalg";
--            }
--        } else {
--            disable('cross-compiling', 'afalgeng');
--        }
-+        push @{$config{engdirs}}, "afalg";
-     } else {
-         disable('not-linux', 'afalgeng');
-     }
diff --git a/meta/recipes-connectivity/openssl/openssl/bti.patch b/meta/recipes-connectivity/openssl/openssl/bti.patch
new file mode 100644
index 0000000000..748576c30c
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/bti.patch
@@ -0,0 +1,58 @@
+From ba8a599395f8b770c76316b5f5b0f3838567014f Mon Sep 17 00:00:00 2001
+From: Tom Cosgrove <tom.cosgrove@arm.com>
+Date: Tue, 26 Mar 2024 13:18:00 +0000
+Subject: [PATCH] aarch64: fix BTI in bsaes assembly code
+
+In Arm systems where BTI is enabled but the Crypto extensions are not (more
+likely in FVPs than in real hardware), the bit-sliced assembler code will
+be used. However, this wasn't annotated with BTI instructions when BTI was
+enabled, so the moment libssl jumps into this code it (correctly) aborts.
+
+Solve this by adding the missing BTI landing pads.
+
+Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/23982]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ crypto/aes/asm/bsaes-armv8.pl | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl
+index b3c97e439f..c3c5ff3e05 100644
+--- a/crypto/aes/asm/bsaes-armv8.pl
++++ b/crypto/aes/asm/bsaes-armv8.pl
+@@ -1018,6 +1018,7 @@ _bsaes_key_convert:
+ //   Initialisation vector overwritten with last quadword of ciphertext
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_cbc_encrypt:
++        AARCH64_VALID_CALL_TARGET
+         cmp     x2, #128
+         bhs     .Lcbc_do_bsaes
+         b       AES_cbc_encrypt
+@@ -1270,7 +1271,7 @@ ossl_bsaes_cbc_encrypt:
+ //   Output text filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_ctr32_encrypt_blocks:
+-
++        AARCH64_VALID_CALL_TARGET
+         cmp     x2, #8                      // use plain AES for
+         blo     .Lctr_enc_short             // small sizes
+ 
+@@ -1476,6 +1477,7 @@ ossl_bsaes_ctr32_encrypt_blocks:
+ //   Output ciphertext filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_xts_encrypt:
++        AARCH64_VALID_CALL_TARGET
+         // Stack layout:
+         // sp ->
+         //        nrounds*128-96 bytes: key schedule
+@@ -1921,6 +1923,7 @@ ossl_bsaes_xts_encrypt:
+ //   Output plaintext filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_xts_decrypt:
++        AARCH64_VALID_CALL_TARGET
+         // Stack layout:
+         // sp ->
+         //        nrounds*128-96 bytes: key schedule
+-- 
+2.34.1
+
diff --git a/meta/recipes-connectivity/openssl/openssl/run-ptest b/meta/recipes-connectivity/openssl/openssl/run-ptest
index 3fb22471f8..c89ec5afa1 100644
--- a/meta/recipes-connectivity/openssl/openssl/run-ptest
+++ b/meta/recipes-connectivity/openssl/openssl/run-ptest
@@ -9,4 +9,4 @@ export TOP=.
 # OPENSSL_ENGINES is relative from the test binaries
 export OPENSSL_ENGINES=../engines
 
-perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;'
+{ HARNESS_JOBS=4 perl ./test/run_tests.pl $* || echo "FAIL: openssl" ; } | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g'
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
deleted file mode 100644
index 8819e19ec4..0000000000
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
+++ /dev/null
@@ -1,204 +0,0 @@
-SUMMARY = "Secure Socket Layer"
-DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
-HOMEPAGE = "http://www.openssl.org/"
-BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
-SECTION = "libs/network"
-
-# "openssl" here actually means both OpenSSL and SSLeay licenses apply
-# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped)
-LICENSE = "openssl"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8"
-
-DEPENDS = "hostperl-runtime-native"
-
-SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
-           file://run-ptest \
-           file://0001-skip-test_symbol_presence.patch \
-           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
-           file://afalg.patch \
-           "
-
-SRC_URI_append_class-nativesdk = " \
-           file://environment.d-openssl.sh \
-           "
-
-SRC_URI[md5sum] = "3be209000dbc7e1b95bcdf47980a3baa"
-SRC_URI[sha256sum] = "1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2"
-
-inherit lib_package multilib_header multilib_script ptest
-MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-
-PACKAGECONFIG ?= ""
-PACKAGECONFIG_class-native = ""
-PACKAGECONFIG_class-nativesdk = ""
-
-PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux"
-
-B = "${WORKDIR}/build"
-do_configure[cleandirs] = "${B}"
-
-#| ./libcrypto.so: undefined reference to `getcontext'
-#| ./libcrypto.so: undefined reference to `setcontext'
-#| ./libcrypto.so: undefined reference to `makecontext'
-EXTRA_OECONF_append_libc-musl = " no-async"
-EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm"
-
-# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
-# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
-EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom"
-EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom"
-
-# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
-CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-
-do_configure () {
-	os=${HOST_OS}
-	case $os in
-	linux-gnueabi |\
-	linux-gnuspe |\
-	linux-musleabi |\
-	linux-muslspe |\
-	linux-musl )
-		os=linux
-		;;
-	*)
-		;;
-	esac
-	target="$os-${HOST_ARCH}"
-	case $target in
-	linux-arm*)
-		target=linux-armv4
-		;;
-	linux-aarch64*)
-		target=linux-aarch64
-		;;
-	linux-i?86 | linux-viac3)
-		target=linux-x86
-		;;
-	linux-gnux32-x86_64 | linux-muslx32-x86_64 )
-		target=linux-x32
-		;;
-	linux-gnu64-x86_64)
-		target=linux-x86_64
-		;;
-	linux-mips | linux-mipsel)
-		# specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
-		target="linux-mips32 ${TARGET_CC_ARCH}"
-		;;
-	linux-gnun32-mips*)
-		target=linux-mips64
-		;;
-	linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
-		target=linux64-mips64
-		;;
-	linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
-		target=linux-generic32
-		;;
-	linux-powerpc)
-		target=linux-ppc
-		;;
-	linux-powerpc64)
-		target=linux-ppc64
-		;;
-	linux-riscv32)
-		target=linux-generic32
-		;;
-	linux-riscv64)
-		target=linux-generic64
-		;;
-	linux-sparc | linux-supersparc)
-		target=linux-sparcv9
-		;;
-	esac
-
-	useprefix=${prefix}
-	if [ "x$useprefix" = "x" ]; then
-		useprefix=/
-	fi
-	# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
-	# environment variables set by bitbake. Adjust the environment variables instead.
-	PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
-	perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
-	perl ${B}/configdata.pm --dump
-}
-
-do_install () {
-	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
-
-	oe_multilib_header openssl/opensslconf.h
-
-	# Create SSL structure for packages such as ca-certificates which
-	# contain hard-coded paths to /etc/ssl. Debian does the same.
-	install -d ${D}${sysconfdir}/ssl
-	mv ${D}${libdir}/ssl-1.1/certs \
-	   ${D}${libdir}/ssl-1.1/private \
-	   ${D}${libdir}/ssl-1.1/openssl.cnf \
-	   ${D}${sysconfdir}/ssl/
-
-	# Although absolute symlinks would be OK for the target, they become
-	# invalid if native or nativesdk are relocated from sstate.
-	ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs
-	ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private
-	ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf
-}
-
-do_install_append_class-native () {
-	create_wrapper ${D}${bindir}/openssl \
-	    OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
-	    SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
-	    SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
-	    OPENSSL_ENGINES=${libdir}/engines-1.1
-}
-
-do_install_append_class-nativesdk () {
-	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
-	install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
-	sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
-}
-
-PTEST_BUILD_HOST_FILES += "configdata.pm"
-PTEST_BUILD_HOST_PATTERN = "perl_version ="
-do_install_ptest () {
-	# Prune the build tree
-	rm -f ${B}/fuzz/*.* ${B}/test/*.*
-
-	cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
-	cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
-
-	# For test_shlibload
-	ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
-	ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
-
-	install -d ${D}${PTEST_PATH}/apps
-	ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
-	install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
-	install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
-
-	install -d ${D}${PTEST_PATH}/engines
-	install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
-}
-
-# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
-# package RRECOMMENDS on this package. This will enable the configuration
-# file to be installed for both the openssl-bin package and the libcrypto
-# package since the openssl-bin package depends on the libcrypto package.
-
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"
-
-FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
-FILES_libssl = "${libdir}/libssl${SOLIBS}"
-FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
-FILES_${PN}-engines = "${libdir}/engines-1.1"
-FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
-FILES_${PN} =+ "${libdir}/ssl-1.1/*"
-FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
-
-CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
-
-RRECOMMENDS_libcrypto += "openssl-conf"
-RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash"
-
-BBCLASSEXTEND = "native nativesdk"
-
-CVE_PRODUCT = "openssl:openssl"
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb
new file mode 100644
index 0000000000..d37b68abbb
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb
@@ -0,0 +1,264 @@
+SUMMARY = "Secure Socket Layer"
+DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
+HOMEPAGE = "http://www.openssl.org/"
+BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
+SECTION = "libs/network"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
+
+SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+           file://run-ptest \
+           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
+           file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://0001-Added-handshake-history-reporting-when-test-fails.patch \
+           file://bti.patch \
+           file://CVE-2024-2511.patch \
+           "
+
+SRC_URI:append:class-nativesdk = " \
+           file://environment.d-openssl.sh \
+           "
+
+SRC_URI[sha256sum] = "83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39"
+
+inherit lib_package multilib_header multilib_script ptest perlnative manpages
+MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
+
+PACKAGECONFIG ?= ""
+PACKAGECONFIG:class-native = ""
+PACKAGECONFIG:class-nativesdk = ""
+
+PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
+PACKAGECONFIG[no-tls1] = "no-tls1"
+PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
+PACKAGECONFIG[manpages] = ""
+
+B = "${WORKDIR}/build"
+do_configure[cleandirs] = "${B}"
+
+#| ./libcrypto.so: undefined reference to `getcontext'
+#| ./libcrypto.so: undefined reference to `setcontext'
+#| ./libcrypto.so: undefined reference to `makecontext'
+EXTRA_OECONF:append:libc-musl = " no-async"
+EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
+
+# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
+# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
+EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
+EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
+
+# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
+CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+
+# This allows disabling deprecated or undesirable crypto algorithms.
+# The default is to trust upstream choices.
+DEPRECATED_CRYPTO_FLAGS ?= ""
+
+do_configure () {
+	# When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
+	# the issue really clear that perl isn't functional due to symbol mismatch issues.
+	cat <<- EOF > ${WORKDIR}/perltest
+	#!/usr/bin/env perl
+	use POSIX;
+	EOF
+	chmod a+x ${WORKDIR}/perltest
+	${WORKDIR}/perltest
+
+	os=${HOST_OS}
+	case $os in
+	linux-gnueabi |\
+	linux-gnuspe |\
+	linux-musleabi |\
+	linux-muslspe |\
+	linux-musl )
+		os=linux
+		;;
+	*)
+		;;
+	esac
+	target="$os-${HOST_ARCH}"
+	case $target in
+	linux-arc | linux-microblaze*)
+		target=linux-latomic
+		;;
+	linux-arm*)
+		target=linux-armv4
+		;;
+	linux-aarch64*)
+		target=linux-aarch64
+		;;
+	linux-i?86 | linux-viac3)
+		target=linux-x86
+		;;
+	linux-gnux32-x86_64 | linux-muslx32-x86_64 )
+		target=linux-x32
+		;;
+	linux-gnu64-x86_64)
+		target=linux-x86_64
+		;;
+	linux-loongarch64)
+		target=linux64-loongarch64
+		;;
+	linux-mips | linux-mipsel)
+		# specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
+		target="linux-mips32 ${TARGET_CC_ARCH}"
+		;;
+	linux-gnun32-mips*)
+		target=linux-mips64
+		;;
+	linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
+		target=linux64-mips64
+		;;
+	linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
+		target=linux-generic32
+		;;
+	linux-powerpc)
+		target=linux-ppc
+		;;
+	linux-powerpc64)
+		target=linux-ppc64
+		;;
+	linux-powerpc64le)
+		target=linux-ppc64le
+		;;
+	linux-riscv32)
+		target=linux32-riscv32
+		;;
+	linux-riscv64)
+		target=linux64-riscv64
+		;;
+	linux-sparc | linux-supersparc)
+		target=linux-sparcv9
+		;;
+	mingw32-x86_64)
+		target=mingw64
+		;;
+	esac
+
+	useprefix=${prefix}
+	if [ "x$useprefix" = "x" ]; then
+		useprefix=/
+	fi
+	# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
+	# environment variables set by bitbake. Adjust the environment variables instead.
+	PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
+	test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
+	HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
+	perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
+	perl ${B}/configdata.pm --dump
+}
+
+do_install () {
+	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)}
+
+	oe_multilib_header openssl/opensslconf.h
+	oe_multilib_header openssl/configuration.h
+
+	# Create SSL structure for packages such as ca-certificates which
+	# contain hard-coded paths to /etc/ssl. Debian does the same.
+	install -d ${D}${sysconfdir}/ssl
+	mv ${D}${libdir}/ssl-3/certs \
+	   ${D}${libdir}/ssl-3/private \
+	   ${D}${libdir}/ssl-3/openssl.cnf \
+	   ${D}${sysconfdir}/ssl/
+
+	# Although absolute symlinks would be OK for the target, they become
+	# invalid if native or nativesdk are relocated from sstate.
+	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
+	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
+	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+}
+
+do_install:append:class-native () {
+	create_wrapper ${D}${bindir}/openssl \
+	    OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
+	    SSL_CERT_DIR=${libdir}/ssl-3/certs \
+	    SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
+	    OPENSSL_ENGINES=${libdir}/engines-3 \
+	    OPENSSL_MODULES=${libdir}/ossl-modules
+}
+
+do_install:append:class-nativesdk () {
+	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
+	install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+	sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+}
+
+PTEST_BUILD_HOST_FILES += "configdata.pm"
+PTEST_BUILD_HOST_PATTERN = "perl_version ="
+do_install_ptest () {
+	install -d ${D}${PTEST_PATH}/test
+	install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
+	install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test
+	install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
+
+	# Prune the build tree
+	rm -f ${B}/fuzz/*.* ${B}/test/*.*
+
+	cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
+	sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm
+	cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
+
+	# For test_shlibload
+	ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
+	ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
+
+	install -d ${D}${PTEST_PATH}/apps
+	ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
+	install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
+	install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
+
+	install -d ${D}${PTEST_PATH}/engines
+	install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
+	install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
+	install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
+
+	install -d ${D}${PTEST_PATH}/providers
+	install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
+
+	install -d ${D}${PTEST_PATH}/Configurations
+	cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
+
+	# seems to be needed with perl 5.32.1
+	install -d ${D}${PTEST_PATH}/util/perl/recipes
+	cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
+
+	sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl
+}
+
+# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
+# package RRECOMMENDS on this package. This will enable the configuration
+# file to be installed for both the openssl-bin package and the libcrypto
+# package since the openssl-bin package depends on the libcrypto package.
+
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
+
+FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES:libssl = "${libdir}/libssl${SOLIBS}"
+FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
+                      ${libdir}/ssl-3/openssl.cnf* \
+                      "
+FILES:${PN}-engines = "${libdir}/engines-3"
+# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
+FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
+FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
+FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
+
+CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+
+RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
+RDEPENDS:${PN}-misc = "perl"
+RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"
+
+RDEPENDS:${PN}-bin += "openssl-conf"
+
+BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT = "openssl:openssl"
+
+CVE_VERSION_SUFFIX = "alphabetical"
+
diff --git a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
index b5f68951d7..099c58bfc7 100644
--- a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
+++ b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb
@@ -1,8 +1,8 @@
 SUMMARY = "Enables PPP dial-in through a serial connection"
 SECTION = "console/network"
+DESCRIPTION = "PPP dail-in provides a point to point protocol (PPP), so that other computers can dial up to it and access connected networks."
 DEPENDS = "ppp"
-RDEPENDS_${PN} = "ppp"
-PR = "r8"
+RDEPENDS:${PN} = "ppp"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
@@ -22,6 +22,6 @@ do_install() {
 }
 
 USERADD_PACKAGES = "${PN}"
-USERADD_PARAM_${PN} = "--system --home /dev/null \
+USERADD_PARAM:${PN} = "--system --home /dev/null \
                        --no-create-home --shell ${sbindir}/ppp-dialin \
                        --no-user-group --gid nogroup ppp"
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-Fix-build-with-musl.patch b/meta/recipes-connectivity/ppp/ppp/0001-Fix-build-with-musl.patch
deleted file mode 100644
index 763e374488..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/0001-Fix-build-with-musl.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From 52a1e41d7541b2c936285844c59bd1be21797860 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Fri, 29 May 2015 14:57:05 -0700
-Subject: [PATCH] Fix build with musl
-
-There are several assumption about glibc
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
-Upstream-Status: Pending
-
- include/net/ppp_defs.h                  | 2 ++
- pppd/Makefile.linux                     | 2 +-
- pppd/magic.h                            | 6 +++---
- pppd/plugins/rp-pppoe/config.h          | 5 ++++-
- pppd/plugins/rp-pppoe/plugin.c          | 1 -
- pppd/plugins/rp-pppoe/pppoe-discovery.c | 8 ++++----
- pppd/plugins/rp-pppoe/pppoe.h           | 2 +-
- pppd/sys-linux.c                        | 3 ++-
- 8 files changed, 17 insertions(+), 12 deletions(-)
-
-diff --git a/include/net/ppp_defs.h b/include/net/ppp_defs.h
-index b06eda5..dafa36c 100644
---- a/include/net/ppp_defs.h
-+++ b/include/net/ppp_defs.h
-@@ -38,6 +38,8 @@
- #ifndef _PPP_DEFS_H_
- #define _PPP_DEFS_H_
- 
-+#include <sys/time.h>
-+
- /*
-  * The basic PPP frame.
-  */
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 8ab2102..d7e2564 100644
---- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -126,7 +126,7 @@ LIBS	+= -lcrypt
- #endif
- 
- ifdef USE_LIBUTIL
--CFLAGS	+= -DHAVE_LOGWTMP=1
-+#CFLAGS	+= -DHAVE_LOGWTMP=1
- LIBS	+= -lutil
- endif
- 
-diff --git a/pppd/magic.h b/pppd/magic.h
-index c81213b..9d399e3 100644
---- a/pppd/magic.h
-+++ b/pppd/magic.h
-@@ -42,8 +42,8 @@
-  * $Id: magic.h,v 1.5 2003/06/11 23:56:26 paulus Exp $
-  */
- 
--void magic_init __P((void));	/* Initialize the magic number generator */
--u_int32_t magic __P((void));	/* Returns the next magic number */
-+void magic_init (void);	/* Initialize the magic number generator */
-+u_int32_t magic (void);	/* Returns the next magic number */
- 
- /* Fill buffer with random bytes */
--void random_bytes __P((unsigned char *buf, int len));
-+void random_bytes (unsigned char *buf, int len);
-diff --git a/pppd/plugins/rp-pppoe/config.h b/pppd/plugins/rp-pppoe/config.h
-index 5703087..fff032e 100644
---- a/pppd/plugins/rp-pppoe/config.h
-+++ b/pppd/plugins/rp-pppoe/config.h
-@@ -78,8 +78,9 @@
- #define HAVE_NET_IF_ARP_H 1
- 
- /* Define if you have the <net/ethernet.h> header file.  */
-+#ifdef __GLIBC__
- #define HAVE_NET_ETHERNET_H 1
--
-+#endif
- /* Define if you have the <net/if.h> header file.  */
- #define HAVE_NET_IF_H 1
- 
-@@ -102,7 +103,9 @@
- #define HAVE_NETPACKET_PACKET_H 1
- 
- /* Define if you have the <sys/cdefs.h> header file.  */
-+#ifdef __GLIBC__
- #define HAVE_SYS_CDEFS_H 1
-+#endif
- 
- /* Define if you have the <sys/dlpi.h> header file.  */
- /* #undef HAVE_SYS_DLPI_H */
-diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index a8c2bb4..ca34d79 100644
---- a/pppd/plugins/rp-pppoe/plugin.c
-+++ b/pppd/plugins/rp-pppoe/plugin.c
-@@ -46,7 +46,6 @@ static char const RCSID[] =
- #include <unistd.h>
- #include <fcntl.h>
- #include <signal.h>
--#include <net/ethernet.h>
- #include <net/if_arp.h>
- #include <linux/ppp_defs.h>
- #include <linux/if_pppox.h>
-diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-index 3d3bf4e..d42f619 100644
---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
-+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-@@ -27,10 +27,6 @@
- #include <linux/if_packet.h>
- #endif
- 
--#ifdef HAVE_NET_ETHERNET_H
--#include <net/ethernet.h>
--#endif
--
- #ifdef HAVE_ASM_TYPES_H
- #include <asm/types.h>
- #endif
-@@ -47,6 +43,10 @@
- #include <net/if_arp.h>
- #endif
- 
-+#ifndef __GLIBC__
-+#define error(x...) fprintf(stderr, x)
-+#endif
-+
- char *xstrdup(const char *s);
- void usage(void);
- 
-diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
-index 9ab2eee..75b9004 100644
---- a/pppd/plugins/rp-pppoe/pppoe.h
-+++ b/pppd/plugins/rp-pppoe/pppoe.h
-@@ -92,7 +92,7 @@ typedef unsigned long UINT32_t;
- #ifdef HAVE_SYS_SOCKET_H
- #include <sys/socket.h>
- #endif
--#ifndef HAVE_SYS_DLPI_H
-+#if !defined HAVE_SYS_DLPI_H && defined HAVE_NET_ETHERNET_H
- #include <netinet/if_ether.h>
- #endif
- #endif
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index a105505..49b0273 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -112,7 +112,7 @@
- #include <linux/types.h>
- #include <linux/if.h>
- #include <linux/if_arp.h>
--#include <linux/route.h>
-+/* #include <linux/route.h> */
- #include <linux/if_ether.h>
- #endif
- #include <netinet/in.h>
-@@ -145,6 +145,7 @@
- #endif
- 
- #ifdef INET6
-+#include <net/route.h>
- #ifndef _LINUX_IN6_H
- /*
-  *    This is in linux/include/net/ipv6.h.
--- 
-2.1.4
-
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-ppp-Fix-compilation-errors-in-Makefile.patch b/meta/recipes-connectivity/ppp/ppp/0001-ppp-Fix-compilation-errors-in-Makefile.patch
deleted file mode 100644
index ea4969b366..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/0001-ppp-Fix-compilation-errors-in-Makefile.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From ba0f6058d1f25b2b60fc31ab2656bf12a71ffdab Mon Sep 17 00:00:00 2001
-From: Lu Chong <Chong.Lu@windriver.com>
-Date: Tue, 5 Nov 2013 17:32:56 +0800
-Subject: [PATCH] ppp: Fix compilation errors in Makefile
-
-Make can't exit while compilation error occurs in subdir for plugins building.
-
-Upstream-Status: Pending
-
-Signed-off-by: Lu Chong <Chong.Lu@windriver.com>
----
- pppd/plugins/Makefile.linux          |    1 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
-index 0a7ec7b..2a2c15a 100644
---- a/pppd/plugins/Makefile.linux
-+++ b/pppd/plugins/Makefile.linux
-@@ -20,7 +20,7 @@ include .depend
- endif
- 
- all:	$(PLUGINS)
--	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done
-+	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit 1; done
- 
- %.so: %.c
- 	$(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
--- 
-1.7.9.5
-
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-ppp-Remove-unneeded-include.patch b/meta/recipes-connectivity/ppp/ppp/0001-ppp-Remove-unneeded-include.patch
deleted file mode 100644
index a32f89fbc8..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/0001-ppp-Remove-unneeded-include.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-commit cd90fd147844a0cfec101f1e2db7a3c59d236621
-Author: Jussi Kukkonen <jussi.kukkonen@intel.com>
-Date:   Wed Dec 28 14:11:22 2016 +0200
-
-pppol2tp plugin: Remove unneeded include
-
-The include is not required and will break compile on musl libc with
-    
-| In file included from pppol2tp.c:34:0:
-| /usr/include/linux/if.h:97:2: error: expected identifier before numeric constant
-|   IFF_LOWER_UP   = 1<<16, /* __volatile__ */
-
-Patch originally from Khem Raj.
-
-Upstream-Status: Pending [https://github.com/paulusmack/ppp/issues/73]
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
-
-diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c
-index 9643b96..458316b 100644
---- a/pppd/plugins/pppol2tp/openl2tp.c
-+++ b/pppd/plugins/pppol2tp/openl2tp.c
-@@ -47,7 +47,6 @@
- #include <linux/if_ether.h>
- #include <linux/ppp_defs.h>
- #include <linux/if_ppp.h>
--#include <linux/if_pppox.h>
- #include <linux/if_pppol2tp.h>
- 
- #include "l2tp_event.h"
-diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c
-index 0e28606..4f6d98c 100644
---- a/pppd/plugins/pppol2tp/pppol2tp.c
-+++ b/pppd/plugins/pppol2tp/pppol2tp.c
-@@ -46,7 +46,6 @@
- #include <linux/if_ether.h>
- #include <linux/ppp_defs.h>
- #include <linux/if_ppp.h>
--#include <linux/if_pppox.h>
- #include <linux/if_pppol2tp.h>
- 
- /* should be added to system's socket.h... */
----
-
diff --git a/meta/recipes-connectivity/ppp/ppp/0001-pppoe-include-netinet-in.h-before-linux-in.h.patch b/meta/recipes-connectivity/ppp/ppp/0001-pppoe-include-netinet-in.h-before-linux-in.h.patch
deleted file mode 100644
index 9362d12648..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/0001-pppoe-include-netinet-in.h-before-linux-in.h.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 50a2997b256e0e0ef7a46fae133f56f60fce539c Mon Sep 17 00:00:00 2001
-From: Lubomir Rintel <lkundrak@v3.sk>
-Date: Mon, 9 Jan 2017 13:34:23 +0000
-Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h
-
-This fixes builds with newer kernels. Basically, <netinet/in.h> needs to be
-included before <linux/in.h> otherwise the earlier, unaware of the latter,
-tries to redefine symbols and structures. Also, <linux/if_pppox.h> doesn't work
-alone anymore, since it pulls the headers in the wrong order, so we better
-include <netinet/in.h> early.
-
-Upstream-Status: Backport
-[https://github.com/paulusmack/ppp/commit/50a2997b256e0e0ef7a46fae133f56f60fce539c]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- pppd/plugins/rp-pppoe/pppoe.h | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
-index 9ab2eee..c4aaa6e 100644
---- a/pppd/plugins/rp-pppoe/pppoe.h
-+++ b/pppd/plugins/rp-pppoe/pppoe.h
-@@ -47,6 +47,10 @@
- #include <sys/socket.h>
- #endif
- 
-+/* This has to be included before Linux 4.8's linux/in.h
-+ * gets dragged in. */
-+#include <netinet/in.h>
-+
- /* Ugly header files on some Linux boxes... */
- #if defined(HAVE_LINUX_IF_H)
- #include <linux/if.h>
-@@ -84,8 +88,6 @@ typedef unsigned long UINT32_t;
- #include <linux/if_ether.h>
- #endif
- 
--#include <netinet/in.h>
--
- #ifdef HAVE_NETINET_IF_ETHER_H
- #include <sys/types.h>
- 
-@@ -98,7 +100,6 @@ typedef unsigned long UINT32_t;
- #endif
- 
- 
--
- /* Ethernet frame types according to RFC 2516 */
- #define ETH_PPPOE_DISCOVERY 0x8863
- #define ETH_PPPOE_SESSION   0x8864
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/ppp/ppp/cifdefroute.patch b/meta/recipes-connectivity/ppp/ppp/cifdefroute.patch
deleted file mode 100644
index 7dd69d8f4d..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/cifdefroute.patch
+++ /dev/null
@@ -1,297 +0,0 @@
-This patch comes from OpenEmbedded.
-The original patch is from Debian / SuSE to implement replacedefaultroute
-Rebased it to fit ppp-2.4.5. Dongxiao Xu <dongxiao.xu@intel.com>
-
-Upstream-Status: Inappropriate [debian/suse patches]
-
-Index: ppp-2.4.7/pppd/ipcp.c
-===================================================================
---- ppp-2.4.7.orig/pppd/ipcp.c
-+++ ppp-2.4.7/pppd/ipcp.c
-@@ -198,6 +198,16 @@ static option_t ipcp_option_list[] = {
-       "disable defaultroute option", OPT_ALIAS | OPT_A2CLR,
-       &ipcp_wantoptions[0].default_route },
- 
-+#ifdef __linux__
-+    { "replacedefaultroute", o_bool,
-+                               &ipcp_wantoptions[0].replace_default_route,
-+      "Replace default route", 1
-+    },
-+    { "noreplacedefaultroute", o_bool,
-+                               &ipcp_allowoptions[0].replace_default_route,
-+      "Never replace default route", OPT_A2COPY,
-+                               &ipcp_wantoptions[0].replace_default_route },
-+#endif
-     { "proxyarp", o_bool, &ipcp_wantoptions[0].proxy_arp,
-       "Add proxy ARP entry", OPT_ENABLE|1, &ipcp_allowoptions[0].proxy_arp },
-     { "noproxyarp", o_bool, &ipcp_allowoptions[0].proxy_arp,
-@@ -271,7 +281,7 @@ struct protent ipcp_protent = {
-     ip_active_pkt
- };
- 
--static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t));
-+static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t, bool));
- static void ipcp_script __P((char *, int));	/* Run an up/down script */
- static void ipcp_script_done __P((void *));
- 
-@@ -1761,7 +1771,12 @@ ip_demand_conf(u)
-     if (!sifnpmode(u, PPP_IP, NPMODE_QUEUE))
- 	return 0;
-     if (wo->default_route)
-+#ifndef __linux__
- 	if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr))
-+#else
-+	if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr,
-+                                            wo->replace_default_route))
-+#endif
- 	    default_route_set[u] = 1;
-     if (wo->proxy_arp)
- 	if (sifproxyarp(u, wo->hisaddr))
-@@ -1849,7 +1864,8 @@ ipcp_up(f)
-      */
-     if (demand) {
- 	if (go->ouraddr != wo->ouraddr || ho->hisaddr != wo->hisaddr) {
--	    ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr);
-+	    ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr, 
-+				      wo->replace_default_route);
- 	    if (go->ouraddr != wo->ouraddr) {
- 		warn("Local IP address changed to %I", go->ouraddr);
- 		script_setenv("OLDIPLOCAL", ip_ntoa(wo->ouraddr), 0);
-@@ -1874,7 +1890,12 @@ ipcp_up(f)
- 
- 	    /* assign a default route through the interface if required */
- 	    if (ipcp_wantoptions[f->unit].default_route) 
-+#ifndef __linux__
- 		if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr))
-+#else
-+		if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr,
-+					     wo->replace_default_route))
-+#endif
- 		    default_route_set[f->unit] = 1;
- 
- 	    /* Make a proxy ARP entry if requested. */
-@@ -1924,7 +1945,12 @@ ipcp_up(f)
- 
- 	/* assign a default route through the interface if required */
- 	if (ipcp_wantoptions[f->unit].default_route) 
-+#ifndef __linux__
- 	    if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr))
-+#else
-+	    if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr,
-+					 wo->replace_default_route))
-+#endif
- 		default_route_set[f->unit] = 1;
- 
- 	/* Make a proxy ARP entry if requested. */
-@@ -2002,7 +2028,7 @@ ipcp_down(f)
- 	sifnpmode(f->unit, PPP_IP, NPMODE_DROP);
- 	sifdown(f->unit);
- 	ipcp_clear_addrs(f->unit, ipcp_gotoptions[f->unit].ouraddr,
--			 ipcp_hisoptions[f->unit].hisaddr);
-+			 ipcp_hisoptions[f->unit].hisaddr, 0);
-     }
- 
-     /* Execute the ip-down script */
-@@ -2018,12 +2044,21 @@ ipcp_down(f)
-  * proxy arp entries, etc.
-  */
- static void
--ipcp_clear_addrs(unit, ouraddr, hisaddr)
-+ipcp_clear_addrs(unit, ouraddr, hisaddr, replacedefaultroute)
-     int unit;
-     u_int32_t ouraddr;  /* local address */
-     u_int32_t hisaddr;  /* remote address */
-+    bool replacedefaultroute;
- {
--    if (proxy_arp_set[unit]) {
-+    /* If replacedefaultroute, sifdefaultroute will be called soon
-+     * with replacedefaultroute set and that will overwrite the current
-+     * default route. This is the case only when doing demand, otherwise
-+     * during demand, this cifdefaultroute would restore the old default
-+     * route which is not what we want in this case. In the non-demand
-+     * case, we'll delete the default route and restore the old if there
-+     * is one saved by an sifdefaultroute with replacedefaultroute.
-+     */
-+    if (!replacedefaultroute && default_route_set[unit]) {
- 	cifproxyarp(unit, hisaddr);
- 	proxy_arp_set[unit] = 0;
-     }
-Index: ppp-2.4.7/pppd/ipcp.h
-===================================================================
---- ppp-2.4.7.orig/pppd/ipcp.h
-+++ ppp-2.4.7/pppd/ipcp.h
-@@ -70,6 +70,7 @@ typedef struct ipcp_options {
-     bool old_addrs;		/* Use old (IP-Addresses) option? */
-     bool req_addr;		/* Ask peer to send IP address? */
-     bool default_route;		/* Assign default route through interface? */
-+    bool replace_default_route; /* Replace default route through interface? */
-     bool proxy_arp;		/* Make proxy ARP entry for peer? */
-     bool neg_vj;		/* Van Jacobson Compression? */
-     bool old_vj;		/* use old (short) form of VJ option? */
-Index: ppp-2.4.7/pppd/pppd.8
-===================================================================
---- ppp-2.4.7.orig/pppd/pppd.8
-+++ ppp-2.4.7/pppd/pppd.8
-@@ -121,6 +121,13 @@ the gateway, when IPCP negotiation is su
- This entry is removed when the PPP connection is broken.  This option
- is privileged if the \fInodefaultroute\fR option has been specified.
- .TP
-+.B replacedefaultroute
-+This option is a flag to the defaultroute option. If defaultroute is
-+set and this flag is also set, pppd replaces an existing default route
-+with the new default route.
-+
-+
-+.TP
- .B disconnect \fIscript
- Execute the command specified by \fIscript\fR, by passing it to a
- shell, after
-@@ -734,7 +741,12 @@ disable both forms of hardware flow cont
- .TP
- .B nodefaultroute
- Disable the \fIdefaultroute\fR option.  The system administrator who
--wishes to prevent users from creating default routes with pppd
-+wishes to prevent users from adding a default route with pppd
-+can do so by placing this option in the /etc/ppp/options file.
-+.TP
-+.B noreplacedefaultroute
-+Disable the \fIreplacedefaultroute\fR option. The system administrator who
-+wishes to prevent users from replacing a default route with pppd
- can do so by placing this option in the /etc/ppp/options file.
- .TP
- .B nodeflate
-Index: ppp-2.4.7/pppd/pppd.h
-===================================================================
---- ppp-2.4.7.orig/pppd/pppd.h
-+++ ppp-2.4.7/pppd/pppd.h
-@@ -665,7 +665,11 @@ int  sif6addr __P((int, eui64_t, eui64_t
- int  cif6addr __P((int, eui64_t, eui64_t));
- 				/* Remove an IPv6 address from i/f */
- #endif
-+#ifndef __linux__
- int  sifdefaultroute __P((int, u_int32_t, u_int32_t));
-+#else
-+int  sifdefaultroute __P((int, u_int32_t, u_int32_t, bool replace_default_rt));
-+#endif
- 				/* Create default route through i/f */
- int  cifdefaultroute __P((int, u_int32_t, u_int32_t));
- 				/* Delete default route through i/f */
-Index: ppp-2.4.7/pppd/sys-linux.c
-===================================================================
---- ppp-2.4.7.orig/pppd/sys-linux.c
-+++ ppp-2.4.7/pppd/sys-linux.c
-@@ -207,6 +207,8 @@ static unsigned char inbuf[512]; /* buff
- static int	if_is_up;	/* Interface has been marked up */
- static int	if6_is_up;	/* Interface has been marked up for IPv6, to help differentiate */
- static int	have_default_route;	/* Gateway for default route added */
-+static struct rtentry old_def_rt;       /* Old default route */
-+static int       default_rt_repl_rest;  /* replace and restore old default rt */
- static u_int32_t proxy_arp_addr;	/* Addr for proxy arp entry added */
- static char proxy_arp_dev[16];		/* Device for proxy arp entry */
- static u_int32_t our_old_addr;		/* for detecting address changes */
-@@ -1545,6 +1547,9 @@ static int read_route_table(struct rtent
- 	p = NULL;
-     }
- 
-+    SET_SA_FAMILY (rt->rt_dst,     AF_INET);
-+    SET_SA_FAMILY (rt->rt_gateway, AF_INET);
-+
-     SIN_ADDR(rt->rt_dst) = strtoul(cols[route_dest_col], NULL, 16);
-     SIN_ADDR(rt->rt_gateway) = strtoul(cols[route_gw_col], NULL, 16);
-     SIN_ADDR(rt->rt_genmask) = strtoul(cols[route_mask_col], NULL, 16);
-@@ -1614,20 +1619,51 @@ int have_route_to(u_int32_t addr)
- /********************************************************************
-  *
-  * sifdefaultroute - assign a default route through the address given.
-- */
--
--int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
--{
--    struct rtentry rt;
--
--    if (defaultroute_exists(&rt) && strcmp(rt.rt_dev, ifname) != 0) {
--	if (rt.rt_flags & RTF_GATEWAY)
--	    error("not replacing existing default route via %I",
--		  SIN_ADDR(rt.rt_gateway));
--	else
--	    error("not replacing existing default route through %s",
--		  rt.rt_dev);
--	return 0;
-+ *
-+ * If the global default_rt_repl_rest flag is set, then this function
-+ * already replaced the original system defaultroute with some other
-+ * route and it should just replace the current defaultroute with
-+ * another one, without saving the current route. Use: demand mode,
-+ * when pppd sets first a defaultroute it it's temporary ppp0 addresses
-+ * and then changes the temporary addresses to the addresses for the real
-+ * ppp connection when it has come up.
-+ */
-+
-+int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway, bool replace)
-+{
-+    struct rtentry rt, tmp_rt;
-+    struct rtentry *del_rt = NULL;
-+
-+    if (default_rt_repl_rest) {
-+	/* We have already reclaced the original defaultroute, if we
-+         * are called again, we will delete the current default route
-+         * and set the new default route in this function.  
-+         * - this is normally only the case the doing demand: */
-+	if (defaultroute_exists( &tmp_rt ))
-+		del_rt = &tmp_rt;
-+    } else if ( defaultroute_exists( &old_def_rt                ) &&
-+	                     strcmp(  old_def_rt.rt_dev, ifname ) != 0) {
-+	/* We did not yet replace an existing default route, let's
-+	 * check if we should save and replace a default route:
-+         */
-+	u_int32_t old_gateway = SIN_ADDR(old_def_rt.rt_gateway);
-+	if (old_gateway != gateway) {
-+	    if (!replace) {
-+	        error("not replacing default route to %s [%I]",
-+			old_def_rt.rt_dev, old_gateway);
-+		return 0;
-+	    } else {
-+		// we need to copy rt_dev because we need it permanent too:
-+		char * tmp_dev = malloc(strlen(old_def_rt.rt_dev)+1);
-+		strcpy(tmp_dev, old_def_rt.rt_dev);
-+		old_def_rt.rt_dev = tmp_dev;
-+
-+		notice("replacing old default route to %s [%I]",
-+			old_def_rt.rt_dev, old_gateway);
-+	        default_rt_repl_rest = 1;
-+		del_rt = &old_def_rt;
-+	    }
-+	}
-     }
- 
-     memset (&rt, 0, sizeof (rt));
-@@ -1646,6 +1682,12 @@ int sifdefaultroute (int unit, u_int32_t
- 	    error("default route ioctl(SIOCADDRT): %m");
- 	return 0;
-     }
-+    if (default_rt_repl_rest && del_rt)
-+        if (ioctl(sock_fd, SIOCDELRT, del_rt) < 0) {
-+	    if ( ! ok_error ( errno ))
-+	        error("del old default route ioctl(SIOCDELRT): %m(%d)", errno);
-+	    return 0;
-+        }
- 
-     have_default_route = 1;
-     return 1;
-@@ -1681,6 +1723,16 @@ int cifdefaultroute (int unit, u_int32_t
- 	    return 0;
- 	}
-     }
-+    if (default_rt_repl_rest) {
-+	notice("restoring old default route to %s [%I]",
-+			old_def_rt.rt_dev, SIN_ADDR(old_def_rt.rt_gateway));
-+        if (ioctl(sock_fd, SIOCADDRT, &old_def_rt) < 0) {
-+	    if ( ! ok_error ( errno ))
-+	        error("restore default route ioctl(SIOCADDRT): %m(%d)", errno);
-+	    return 0;
-+        }
-+        default_rt_repl_rest = 0;
-+    }
- 
-     return 1;
- }
diff --git a/meta/recipes-connectivity/ppp/ppp/copts.patch b/meta/recipes-connectivity/ppp/ppp/copts.patch
deleted file mode 100644
index 53ff06e03e..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/copts.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-ppp: use build system CFLAGS when compiling
-
-Upstream-Status: Pending
-
-Override the hard-coded COPTS make variables with
-CFLAGS.  Add COPTS into one Makefile that did not
-use it.
-
-Signed-off-by: Joe Slater <jslater@windriver.com>
-
---- a/pppd/plugins/radius/Makefile.linux
-+++ b/pppd/plugins/radius/Makefile.linux
-@@ -12,7 +12,7 @@ VERSION = $(shell awk -F '"' '/VERSION/ 
- INSTALL	= install
- 
- PLUGIN=radius.so radattr.so radrealms.so
--CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
-+CFLAGS=-I. -I../.. -I../../../include $(COPTS) -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
- 
- # Uncomment the next line to include support for Microsoft's
- # MS-CHAP authentication protocol.
diff --git a/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch b/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch
deleted file mode 100644
index c5a0be86f5..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-ppp: Buffer overflow in radius plugin
-
-From: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;bug=782450
-
-Upstream-Status: Backport
-CVE: CVE-2015-3310
-
-On systems with more than 65535 processes running, pppd aborts when
-sending a "start" accounting message to the RADIUS server because of a
-buffer overflow in rc_mksid.
-
-The process id is used in rc_mksid to generate a pseudo-unique string,
-assuming that the hex representation of the pid will be at most 4
-characters (FFFF). __sprintf_chk(), used when compiling with
-optimization levels greater than 0 and FORTIFY_SOURCE, detects the
-buffer overflow and makes pppd crash.
-
-The following patch fixes the problem.
-
---- ppp-2.4.6.orig/pppd/plugins/radius/util.c
-+++ ppp-2.4.6/pppd/plugins/radius/util.c
-@@ -77,7 +77,7 @@ rc_mksid (void)
-   static unsigned short int cnt = 0;
-   sprintf (buf, "%08lX%04X%02hX",
- 	   (unsigned long int) time (NULL),
--	   (unsigned int) getpid (),
-+	   (unsigned int) getpid () % 65535,
- 	   cnt & 0xFF);
-   cnt++;
-   return buf;
diff --git a/meta/recipes-connectivity/ppp/ppp/makefile-remove-hard-usr-reference.patch b/meta/recipes-connectivity/ppp/ppp/makefile-remove-hard-usr-reference.patch
deleted file mode 100644
index 8a69396cc7..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/makefile-remove-hard-usr-reference.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-The patch comes from OpenEmbedded.
-Rebased for ppp-2.4.5. Dongxiao Xu <dongxiao.xu@intel.com>
-
-Updated from OE-Classic to include the pcap hunk.
-Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
-
-Upstream-Status: Inappropriate [configuration]
-
-Index: ppp-2.4.7/pppd/Makefile.linux
-===================================================================
---- ppp-2.4.7.orig/pppd/Makefile.linux
-+++ ppp-2.4.7/pppd/Makefile.linux
-@@ -120,10 +120,10 @@ CFLAGS   += -DHAS_SHADOW
- #LIBS     += -lshadow $(LIBS)
- endif
- 
--ifneq ($(wildcard /usr/include/crypt.h),)
-+#ifneq ($(wildcard /usr/include/crypt.h),)
- CFLAGS  += -DHAVE_CRYPT_H=1
- LIBS	+= -lcrypt
--endif
-+#endif
- 
- ifdef USE_LIBUTIL
- CFLAGS	+= -DHAVE_LOGWTMP=1
-@@ -177,10 +177,10 @@ LIBS	+= -ldl
- endif
- 
- ifdef FILTER
--ifneq ($(wildcard /usr/include/pcap-bpf.h),)
-+#ifneq ($(wildcard /usr/include/pcap-bpf.h),)
- LIBS    += -lpcap
- CFLAGS  += -DPPP_FILTER
--endif
-+#endif
- endif
- 
- ifdef HAVE_INET6
diff --git a/meta/recipes-connectivity/ppp/ppp/makefile.patch b/meta/recipes-connectivity/ppp/ppp/makefile.patch
deleted file mode 100644
index 2d09baf5d0..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/makefile.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-The patch comes from OpenEmbedded
-Rebased for ppp-2.4.5. Dongxiao Xu <dongxiao.xu@intel.com>
-
-Upstream-Status: Inappropriate [configuration]
-
-diff -ruN ppp-2.4.5-orig/chat/Makefile.linux ppp-2.4.5/chat/Makefile.linux
---- ppp-2.4.5-orig/chat/Makefile.linux	2010-06-30 15:51:12.050166398 +0800
-+++ ppp-2.4.5/chat/Makefile.linux	2010-06-30 15:51:30.450118446 +0800
-@@ -25,7 +25,7 @@
- 
- install: chat
- 	mkdir -p $(BINDIR) $(MANDIR)
--	$(INSTALL) -s -c chat $(BINDIR)
-+	$(INSTALL) -c chat $(BINDIR)
- 	$(INSTALL) -c -m 644 chat.8 $(MANDIR)
- 
- clean:
-diff -ruN ppp-2.4.5-orig/pppd/Makefile.linux ppp-2.4.5/pppd/Makefile.linux
---- ppp-2.4.5-orig/pppd/Makefile.linux	2010-06-30 15:51:12.043682063 +0800
-+++ ppp-2.4.5/pppd/Makefile.linux	2010-06-30 15:52:11.214170607 +0800
-@@ -99,7 +99,7 @@
- CFLAGS	+= -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include
- LIBS	+= -lsrp -L/usr/local/ssl/lib -lcrypto
- TARGETS	+= srp-entry
--EXTRAINSTALL = $(INSTALL) -s -c -m 555 srp-entry $(BINDIR)/srp-entry
-+EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
- MANPAGES += srp-entry.8
- EXTRACLEAN += srp-entry.o
- NEEDDES=y
-@@ -200,7 +200,7 @@
- install: pppd
- 	mkdir -p $(BINDIR) $(MANDIR)
- 	$(EXTRAINSTALL)
--	$(INSTALL) -s -c -m 555 pppd $(BINDIR)/pppd
-+	$(INSTALL) -c -m 555 pppd $(BINDIR)/pppd
- 	if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \
- 	  chmod o-rx,u+s $(BINDIR)/pppd; fi
- 	$(INSTALL) -c -m 444 pppd.8 $(MANDIR)
-diff -ruN ppp-2.4.5-orig/pppd/plugins/radius/Makefile.linux ppp-2.4.5/pppd/plugins/radius/Makefile.linux
---- ppp-2.4.5-orig/pppd/plugins/radius/Makefile.linux	2010-06-30 15:51:12.047676187 +0800
-+++ ppp-2.4.5/pppd/plugins/radius/Makefile.linux	2010-06-30 15:53:47.750182267 +0800
-@@ -36,11 +36,11 @@
- 
- install: all
- 	$(INSTALL) -d -m 755 $(LIBDIR)
--	$(INSTALL) -s -c -m 755 radius.so $(LIBDIR)
--	$(INSTALL) -s -c -m 755 radattr.so $(LIBDIR)
--	$(INSTALL) -s -c -m 755 radrealms.so $(LIBDIR)
--	$(INSTALL) -c -m 444 pppd-radius.8 $(MANDIR)
--	$(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR)
-+	$(INSTALL) -c -m 755 radius.so $(LIBDIR)
-+	$(INSTALL) -c -m 755 radattr.so $(LIBDIR)
-+	$(INSTALL) -c -m 755 radrealms.so $(LIBDIR)
-+	$(INSTALL) -m 444 pppd-radius.8 $(MANDIR)
-+	$(INSTALL) -m 444 pppd-radattr.8 $(MANDIR)
- 
- radius.so: radius.o libradiusclient.a
- 	$(CC) -o radius.so -shared radius.o libradiusclient.a
-diff -ruN ppp-2.4.5-orig/pppd/plugins/rp-pppoe/Makefile.linux ppp-2.4.5/pppd/plugins/rp-pppoe/Makefile.linux
---- ppp-2.4.5-orig/pppd/plugins/rp-pppoe/Makefile.linux	2010-06-30 15:51:12.047676187 +0800
-+++ ppp-2.4.5/pppd/plugins/rp-pppoe/Makefile.linux	2010-06-30 15:53:15.454486877 +0800
-@@ -43,9 +43,9 @@
- 
- install: all
- 	$(INSTALL) -d -m 755 $(LIBDIR)
--	$(INSTALL) -s -c -m 4550 rp-pppoe.so $(LIBDIR)
-+	$(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR)
- 	$(INSTALL) -d -m 755 $(BINDIR)
--	$(INSTALL) -s -c -m 555 pppoe-discovery $(BINDIR)
-+	$(INSTALL) -c -m 555 pppoe-discovery $(BINDIR)
- 
- clean:
- 	rm -f *.o *.so pppoe-discovery
-diff -ruN ppp-2.4.5-orig/pppdump/Makefile.linux ppp-2.4.5/pppdump/Makefile.linux
---- ppp-2.4.5-orig/pppdump/Makefile.linux	2010-06-30 15:51:12.058183383 +0800
-+++ ppp-2.4.5/pppdump/Makefile.linux	2010-06-30 15:52:25.762183537 +0800
-@@ -17,5 +17,5 @@
- 
- install:
- 	mkdir -p $(BINDIR) $(MANDIR)
--	$(INSTALL) -s -c pppdump $(BINDIR)
-+	$(INSTALL) -c pppdump $(BINDIR)
- 	$(INSTALL) -c -m 444 pppdump.8 $(MANDIR)
-diff -ruN ppp-2.4.5-orig/pppstats/Makefile.linux ppp-2.4.5/pppstats/Makefile.linux
---- ppp-2.4.5-orig/pppstats/Makefile.linux	2010-06-30 15:51:12.058183383 +0800
-+++ ppp-2.4.5/pppstats/Makefile.linux	2010-06-30 15:52:42.486341081 +0800
-@@ -22,7 +22,7 @@
- 
- install: pppstats
- 	-mkdir -p $(MANDIR)
--	$(INSTALL) -s -c pppstats $(BINDIR)
-+	$(INSTALL) -c pppstats $(BINDIR)
- 	$(INSTALL) -c -m 444 pppstats.8 $(MANDIR)
- 
- pppstats: $(PPPSTATSRCS)
diff --git a/meta/recipes-connectivity/ppp/ppp/ppp-2.4.7-DES-openssl.patch b/meta/recipes-connectivity/ppp/ppp/ppp-2.4.7-DES-openssl.patch
deleted file mode 100644
index e53f240543..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/ppp-2.4.7-DES-openssl.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-Used openssl for the DES instead of the libcrypt / glibc
-
-Upstream-Status: Pending
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
-Index: ppp-2.4.7/pppd/Makefile.linux
-===================================================================
---- ppp-2.4.7.orig/pppd/Makefile.linux
-+++ ppp-2.4.7/pppd/Makefile.linux
-@@ -38,7 +38,7 @@ LIBS =
- # Uncomment the next 2 lines to include support for Microsoft's
- # MS-CHAP authentication protocol.  Also, edit plugins/radius/Makefile.linux.
- CHAPMS=y
--USE_CRYPT=y
-+#USE_CRYPT=y
- # Don't use MSLANMAN unless you really know what you're doing.
- #MSLANMAN=y
- # Uncomment the next line to include support for MPPE.  CHAPMS (above) must
-@@ -132,7 +132,7 @@ endif
- 
- ifdef NEEDDES
- ifndef USE_CRYPT
--LIBS     += -ldes $(LIBS)
-+LIBS     += -lcrypto
- else
- CFLAGS   += -DUSE_CRYPT=1
- endif
-Index: ppp-2.4.7/pppd/pppcrypt.c
-===================================================================
---- ppp-2.4.7.orig/pppd/pppcrypt.c
-+++ ppp-2.4.7/pppd/pppcrypt.c
-@@ -64,7 +64,7 @@ u_char *des_key;	/* OUT 64 bit DES key w
- 	des_key[7] = Get7Bits(key, 49);
- 
- #ifndef USE_CRYPT
--	des_set_odd_parity((des_cblock *)des_key);
-+	DES_set_odd_parity((DES_cblock *)des_key);
- #endif
- }
- 
-@@ -158,25 +158,25 @@ u_char *clear;	/* OUT 8 octets */
- }
- 
- #else /* USE_CRYPT */
--static des_key_schedule	key_schedule;
-+static DES_key_schedule	key_schedule;
- 
- bool
- DesSetkey(key)
- u_char *key;
- {
--	des_cblock des_key;
-+	DES_cblock des_key;
- 	MakeKey(key, des_key);
--	des_set_key(&des_key, key_schedule);
-+	DES_set_key(&des_key, &key_schedule);
- 	return (1);
- }
- 
- bool
--DesEncrypt(clear, key, cipher)
-+DesEncrypt(clear, cipher)
- u_char *clear;	/* IN  8 octets */
- u_char *cipher;	/* OUT 8 octets */
- {
--	des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher,
--	    key_schedule, 1);
-+	DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher,
-+	    &key_schedule, 1);
- 	return (1);
- }
- 
-@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear)
- u_char *cipher;	/* IN  8 octets */
- u_char *clear;	/* OUT 8 octets */
- {
--	des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear,
--	    key_schedule, 0);
-+	DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear,
-+	    &key_schedule, 0);
- 	return (1);
- }
- 
diff --git a/meta/recipes-connectivity/ppp/ppp/pppd-resolv-varrun.patch b/meta/recipes-connectivity/ppp/ppp/pppd-resolv-varrun.patch
deleted file mode 100644
index a72414ff8a..0000000000
--- a/meta/recipes-connectivity/ppp/ppp/pppd-resolv-varrun.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-The patch comes from OpenEmbedded
-Rebased for ppp-2.4.5. Dongxiao Xu <dongxiao.xu@intel.com>
-
-Upstream-Status: Inappropriate [embedded specific]
-
-diff -ruN ppp-2.4.5-orig/pppd/ipcp.c ppp-2.4.5/pppd/ipcp.c
---- ppp-2.4.5-orig/pppd/ipcp.c	2010-06-30 15:51:12.050166398 +0800
-+++ ppp-2.4.5/pppd/ipcp.c	2010-06-30 17:02:33.930393283 +0800
-@@ -55,6 +55,8 @@
- #include <sys/socket.h>
- #include <netinet/in.h>
- #include <arpa/inet.h>
-+#include <sys/stat.h>
-+#include <unistd.h>
- 
- #include "pppd.h"
- #include "fsm.h"
-@@ -2095,6 +2097,14 @@
-     u_int32_t peerdns1, peerdns2;
- {
-     FILE *f;
-+    struct stat dirinfo;
-+
-+    if(stat(_PATH_OUTDIR, &dirinfo)) {
-+        if(mkdir(_PATH_OUTDIR, 0775)) {
-+            error("Failed to create directory %s: %m", _PATH_OUTDIR);
-+            return;
-+        }
-+    }
- 
-     f = fopen(_PATH_RESOLV, "w");
-     if (f == NULL) {
-diff -ruN ppp-2.4.5-orig/pppd/pathnames.h ppp-2.4.5/pppd/pathnames.h
---- ppp-2.4.5-orig/pppd/pathnames.h	2010-06-30 15:51:12.043682063 +0800
-+++ ppp-2.4.5/pppd/pathnames.h	2010-06-30 17:03:20.594371055 +0800
-@@ -30,7 +30,8 @@
- #define _PATH_TTYOPT	 _ROOT_PATH "/etc/ppp/options."
- #define _PATH_CONNERRS	 _ROOT_PATH "/etc/ppp/connect-errors"
- #define _PATH_PEERFILES	 _ROOT_PATH "/etc/ppp/peers/"
--#define _PATH_RESOLV	 _ROOT_PATH "/etc/ppp/resolv.conf"
-+#define _PATH_OUTDIR	_ROOT_PATH _PATH_VARRUN "/ppp"
-+#define _PATH_RESOLV	_PATH_OUTDIR "/resolv.conf"
- 
- #define _PATH_USEROPT	 ".ppprc"
- #define	_PATH_PSEUDONYM	 ".ppp_pseudonym"
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb b/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
deleted file mode 100644
index 644cde4562..0000000000
--- a/meta/recipes-connectivity/ppp/ppp_2.4.7.bb
+++ /dev/null
@@ -1,106 +0,0 @@
-SUMMARY = "Point-to-Point Protocol (PPP) support"
-DESCRIPTION = "ppp (Paul's PPP Package) is an open source package which implements \
-the Point-to-Point Protocol (PPP) on Linux and Solaris systems."
-SECTION = "console/network"
-HOMEPAGE = "http://samba.org/ppp/"
-BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs"
-DEPENDS = "libpcap openssl virtual/crypt"
-LICENSE = "BSD & GPLv2+ & LGPLv2+ & PD"
-LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \
-                    file://pppd/plugins/passprompt.c;beginline=1;endline=10;md5=3bcbcdbf0e369c9a3e0b8c8275b065d8 \
-                    file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \
-                    file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2"
-
-SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
-           file://makefile.patch \
-           file://cifdefroute.patch \
-           file://pppd-resolv-varrun.patch \
-           file://makefile-remove-hard-usr-reference.patch \
-           file://pon \
-           file://poff \
-           file://init \
-           file://ip-up \
-           file://ip-down \
-           file://08setupdns \
-           file://92removedns \
-           file://copts.patch \
-           file://pap \
-           file://ppp_on_boot \
-           file://provider \
-           file://0001-ppp-Fix-compilation-errors-in-Makefile.patch \
-           file://ppp@.service \
-           file://fix-CVE-2015-3310.patch \
-           file://0001-pppoe-include-netinet-in.h-before-linux-in.h.patch \
-           file://0001-ppp-Remove-unneeded-include.patch \
-           file://ppp-2.4.7-DES-openssl.patch \
-"
-
-SRC_URI_append_libc-musl = "\
-           file://0001-Fix-build-with-musl.patch \
-"
-SRC_URI[md5sum] = "78818f40e6d33a1d1de68a1551f6595a"
-SRC_URI[sha256sum] = "02e0a3dd3e4799e33103f70ec7df75348c8540966ee7c948e4ed8a42bbccfb30"
-
-inherit autotools-brokensep systemd
-
-TARGET_CC_ARCH += " ${LDFLAGS}"
-EXTRA_OEMAKE = "STRIPPROG=${STRIP} MANDIR=${D}${datadir}/man/man8 INCDIR=${D}${includedir} LIBDIR=${D}${libdir}/pppd/${PV} BINDIR=${D}${sbindir}"
-EXTRA_OECONF = "--disable-strip"
-
-# Package Makefile computes CFLAGS, referencing COPTS.
-# Typically hard-coded to '-O2 -g' in the Makefile's.
-#
-EXTRA_OEMAKE += ' COPTS="${CFLAGS} -I${STAGING_INCDIR}/openssl -I${S}/include"'
-
-do_configure () {
-	oe_runconf
-}
-
-do_install_append () {
-	make install-etcppp ETCDIR=${D}/${sysconfdir}/ppp
-	mkdir -p ${D}${bindir}/ ${D}${sysconfdir}/init.d
-	mkdir -p ${D}${sysconfdir}/ppp/ip-up.d/
-	mkdir -p ${D}${sysconfdir}/ppp/ip-down.d/
-	install -m 0755 ${WORKDIR}/pon ${D}${bindir}/pon
-	install -m 0755 ${WORKDIR}/poff ${D}${bindir}/poff
-	install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/ppp
-	install -m 0755 ${WORKDIR}/ip-up ${D}${sysconfdir}/ppp/
-	install -m 0755 ${WORKDIR}/ip-down ${D}${sysconfdir}/ppp/
-	install -m 0755 ${WORKDIR}/08setupdns ${D}${sysconfdir}/ppp/ip-up.d/
-	install -m 0755 ${WORKDIR}/92removedns ${D}${sysconfdir}/ppp/ip-down.d/
-	mkdir -p ${D}${sysconfdir}/chatscripts
-	mkdir -p ${D}${sysconfdir}/ppp/peers
-	install -m 0755 ${WORKDIR}/pap ${D}${sysconfdir}/chatscripts
-	install -m 0755 ${WORKDIR}/ppp_on_boot ${D}${sysconfdir}/ppp/ppp_on_boot
-	install -m 0755 ${WORKDIR}/provider ${D}${sysconfdir}/ppp/peers/provider
-	install -d ${D}${systemd_unitdir}/system
-	install -m 0644 ${WORKDIR}/ppp@.service ${D}${systemd_unitdir}/system
-	sed -i -e 's,@SBINDIR@,${sbindir},g' \
-	       ${D}${systemd_unitdir}/system/ppp@.service
-	rm -rf ${D}/${mandir}/man8/man8
-	chmod u+s ${D}${sbindir}/pppd
-}
-
-do_install_append_libc-musl () {
-	install -Dm 0644 ${S}/include/net/ppp_defs.h ${D}${includedir}/net/ppp_defs.h
-}
-
-CONFFILES_${PN} = "${sysconfdir}/ppp/pap-secrets ${sysconfdir}/ppp/chap-secrets ${sysconfdir}/ppp/options"
-PACKAGES =+ "${PN}-oa ${PN}-oe ${PN}-radius ${PN}-winbind ${PN}-minconn ${PN}-password ${PN}-l2tp ${PN}-tools"
-FILES_${PN}        = "${sysconfdir} ${bindir} ${sbindir}/chat ${sbindir}/pppd ${systemd_unitdir}/system/ppp@.service"
-FILES_${PN}-oa       = "${libdir}/pppd/${PV}/pppoatm.so"
-FILES_${PN}-oe       = "${sbindir}/pppoe-discovery ${libdir}/pppd/${PV}/rp-pppoe.so"
-FILES_${PN}-radius   = "${libdir}/pppd/${PV}/radius.so ${libdir}/pppd/${PV}/radattr.so ${libdir}/pppd/${PV}/radrealms.so"
-FILES_${PN}-winbind  = "${libdir}/pppd/${PV}/winbind.so"
-FILES_${PN}-minconn  = "${libdir}/pppd/${PV}/minconn.so"
-FILES_${PN}-password = "${libdir}/pppd/${PV}/pass*.so"
-FILES_${PN}-l2tp     = "${libdir}/pppd/${PV}/*l2tp.so"
-FILES_${PN}-tools    = "${sbindir}/pppstats ${sbindir}/pppdump"
-SUMMARY_${PN}-oa       = "Plugin for PPP for PPP-over-ATM support"
-SUMMARY_${PN}-oe       = "Plugin for PPP for PPP-over-Ethernet support"
-SUMMARY_${PN}-radius   = "Plugin for PPP for RADIUS support"
-SUMMARY_${PN}-winbind  = "Plugin for PPP to authenticate against Samba or Windows"
-SUMMARY_${PN}-minconn  = "Plugin for PPP to set a delay before the idle timeout applies"
-SUMMARY_${PN}-password = "Plugin for PPP to get passwords via a pipe"
-SUMMARY_${PN}-l2tp     = "Plugin for PPP for l2tp support"
-SUMMARY_${PN}-tools    = "Additional tools for the PPP package"
diff --git a/meta/recipes-connectivity/ppp/ppp_2.5.0.bb b/meta/recipes-connectivity/ppp/ppp_2.5.0.bb
new file mode 100644
index 0000000000..4b052f8ed9
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp_2.5.0.bb
@@ -0,0 +1,75 @@
+SUMMARY = "Point-to-Point Protocol (PPP) support"
+DESCRIPTION = "ppp (Paul's PPP Package) is an open source package which implements \
+the Point-to-Point Protocol (PPP) on Linux and Solaris systems."
+SECTION = "console/network"
+HOMEPAGE = "http://samba.org/ppp/"
+BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs"
+DEPENDS = "libpcap openssl virtual/crypt"
+LICENSE = "BSD-3-Clause & BSD-3-Clause-Attribution & GPL-2.0-or-later & LGPL-2.0-or-later & PD"
+LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \
+                    file://pppd/plugins/passprompt.c;beginline=1;endline=10;md5=3bcbcdbf0e369c9a3e0b8c8275b065d8 \
+                    file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \
+                    file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2"
+
+SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
+           file://pon \
+           file://poff \
+           file://init \
+           file://ip-up \
+           file://ip-down \
+           file://08setupdns \
+           file://92removedns \
+           file://pap \
+           file://ppp_on_boot \
+           file://provider \
+           file://ppp@.service \
+           "
+
+SRC_URI[sha256sum] = "5cae0e8075f8a1755f16ca290eb44e6b3545d3f292af4da65ecffe897de636ff"
+
+inherit autotools systemd
+
+EXTRA_OECONF += "--with-openssl=${STAGING_EXECPREFIXDIR}"
+
+do_install:append () {
+	mkdir -p ${D}${bindir}/ ${D}${sysconfdir}/init.d
+	mkdir -p ${D}${sysconfdir}/ppp/ip-up.d/
+	mkdir -p ${D}${sysconfdir}/ppp/ip-down.d/
+	install -m 0755 ${WORKDIR}/pon ${D}${bindir}/pon
+	install -m 0755 ${WORKDIR}/poff ${D}${bindir}/poff
+	install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/ppp
+	install -m 0755 ${WORKDIR}/ip-up ${D}${sysconfdir}/ppp/
+	install -m 0755 ${WORKDIR}/ip-down ${D}${sysconfdir}/ppp/
+	install -m 0755 ${WORKDIR}/08setupdns ${D}${sysconfdir}/ppp/ip-up.d/
+	install -m 0755 ${WORKDIR}/92removedns ${D}${sysconfdir}/ppp/ip-down.d/
+	mkdir -p ${D}${sysconfdir}/chatscripts
+	mkdir -p ${D}${sysconfdir}/ppp/peers
+	install -m 0755 ${WORKDIR}/pap ${D}${sysconfdir}/chatscripts
+	install -m 0755 ${WORKDIR}/ppp_on_boot ${D}${sysconfdir}/ppp/ppp_on_boot
+	install -m 0755 ${WORKDIR}/provider ${D}${sysconfdir}/ppp/peers/provider
+	install -d ${D}${systemd_system_unitdir}
+	install -m 0644 ${WORKDIR}/ppp@.service ${D}${systemd_system_unitdir}
+	sed -i -e 's,@SBINDIR@,${sbindir},g' \
+	       ${D}${systemd_system_unitdir}/ppp@.service
+}
+
+CONFFILES:${PN} = "${sysconfdir}/ppp/pap-secrets ${sysconfdir}/ppp/chap-secrets ${sysconfdir}/ppp/options"
+PACKAGES =+ "${PN}-oa ${PN}-oe ${PN}-radius ${PN}-winbind ${PN}-minconn ${PN}-password ${PN}-l2tp ${PN}-tools"
+FILES:${PN}        = "${sysconfdir} ${bindir} ${sbindir}/chat ${sbindir}/pppd ${systemd_system_unitdir}/ppp@.service"
+FILES:${PN}-oa       = "${libdir}/pppd/${PV}/pppoatm.so"
+FILES:${PN}-oe       = "${sbindir}/pppoe-discovery ${libdir}/pppd/${PV}/*pppoe.so"
+FILES:${PN}-radius   = "${libdir}/pppd/${PV}/radius.so ${libdir}/pppd/${PV}/radattr.so ${libdir}/pppd/${PV}/radrealms.so"
+FILES:${PN}-winbind  = "${libdir}/pppd/${PV}/winbind.so"
+FILES:${PN}-minconn  = "${libdir}/pppd/${PV}/minconn.so"
+FILES:${PN}-password = "${libdir}/pppd/${PV}/pass*.so"
+FILES:${PN}-l2tp     = "${libdir}/pppd/${PV}/*l2tp.so"
+FILES:${PN}-tools    = "${sbindir}/pppstats ${sbindir}/pppdump"
+SUMMARY:${PN}-oa       = "Plugin for PPP for PPP-over-ATM support"
+SUMMARY:${PN}-oe       = "Plugin for PPP for PPP-over-Ethernet support"
+SUMMARY:${PN}-radius   = "Plugin for PPP for RADIUS support"
+SUMMARY:${PN}-winbind  = "Plugin for PPP to authenticate against Samba or Windows"
+SUMMARY:${PN}-minconn  = "Plugin for PPP to set a delay before the idle timeout applies"
+SUMMARY:${PN}-password = "Plugin for PPP to get passwords via a pipe"
+SUMMARY:${PN}-l2tp     = "Plugin for PPP for l2tp support"
+SUMMARY:${PN}-tools    = "Additional tools for the PPP package"
+
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch b/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch
new file mode 100644
index 0000000000..ab32f26754
--- /dev/null
+++ b/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch
@@ -0,0 +1,37 @@
+From 6bf2bb136a0b3961339369bc08e58b661fba0edb Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Thu, 17 Nov 2022 17:26:30 +0800
+Subject: [PATCH] avoid using -m option for readlink
+
+Use a more widely used option '-f' instead of '-m' here to
+avoid dependency on coreutils.
+
+Looking at the git history of the resolvconf repo, the '-m'
+is deliberately used. And it wants to depend on coreutils.
+But in case of OE, the existence of /etc is ensured, and busybox
+readlink provides '-f' option, so we can just use '-f'. In this
+way, the coreutils dependency is not necessary any more.
+
+Upstream-Status: Inappropriate [OE Specific]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ etc/resolvconf/update.d/libc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/etc/resolvconf/update.d/libc b/etc/resolvconf/update.d/libc
+index 1c4f6bc..f75d22c 100755
+--- a/etc/resolvconf/update.d/libc
++++ b/etc/resolvconf/update.d/libc
+@@ -57,7 +57,7 @@ fi
+ report_warning() { echo "$0: Warning: $*" >&2 ; }
+ 
+ resolv_conf_is_symlinked_to_dynamic_file() {
+-	[ -L ${ETC}/resolv.conf ] && [ "$(readlink -m ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ]
++	[ -L ${ETC}/resolv.conf ] && [ "$(readlink -f ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ]
+ }
+ 
+ if ! resolv_conf_is_symlinked_to_dynamic_file ; then
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch b/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch
deleted file mode 100644
index 1aead07869..0000000000
--- a/meta/recipes-connectivity/resolvconf/resolvconf/fix-path-for-busybox.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-
-busybox installs readlink into /usr/bin, so ensure /usr/bin
-is in the path.
-
-Upstream-Status: Submitted
-Signed-off-by: Saul Wold <sgw@linux.intel.com>
-
-Index: resolvconf-1.76/etc/resolvconf/update.d/libc
-===================================================================
---- resolvconf-1.76.orig/etc/resolvconf/update.d/libc
-+++ resolvconf-1.76/etc/resolvconf/update.d/libc
-@@ -16,7 +16,7 @@
- #
- 
- set -e
--PATH=/sbin:/bin
-+PATH=/sbin:/bin:/usr/bin
- 
- [ -x /lib/resolvconf/list-records ] || exit 1
- 
diff --git a/meta/recipes-connectivity/resolvconf/resolvconf_1.79.bb b/meta/recipes-connectivity/resolvconf/resolvconf_1.92.bb
index 8550177288..226cb7ee77 100644
--- a/meta/recipes-connectivity/resolvconf/resolvconf_1.79.bb
+++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.92.bb
@@ -5,26 +5,24 @@ itself up as the intermediary between programs that supply \
 nameserver information and programs that need nameserver \
 information."
 SECTION = "console/network"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
-AUTHOR = "Thomas Hood"
 HOMEPAGE = "http://packages.debian.org/resolvconf"
-RDEPENDS_${PN} = "bash"
+RDEPENDS:${PN} = "bash sed util-linux-flock"
 
-SRC_URI = "http://snapshot.debian.org/archive/debian/20160520T044340Z/pool/main/r/${BPN}/${BPN}_1.79.tar.xz \
-           file://fix-path-for-busybox.patch \
+SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=unstable \
            file://99_resolvconf \
-          "
+           file://0001-avoid-using-m-option-for-readlink.patch \
+           "
 
-SRC_URI[md5sum] = "aab2382020fc518f06a06e924c56d300"
-SRC_URI[sha256sum] = "8e2843cd4162b706f0481b3c281657728cbc2822e50a64fff79b79bd8aa870a0"
+SRCREV = "86047276c80705c51859a19f0c472102e0822f34"
+
+S = "${WORKDIR}/git"
 
 # the package is taken from snapshots.debian.org; that source is static and goes stale
 # so we check the latest upstream from a directory that does get updated
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/r/resolvconf/"
 
-inherit allarch
-
 do_compile () {
 	:
 }
@@ -39,12 +37,14 @@ do_install () {
 	fi
 	install -d ${D}${base_libdir}/${BPN}
 	install -d ${D}${sysconfdir}/${BPN}
+	install -d ${D}${nonarch_base_libdir}/${BPN}
 	ln -snf ${localstatedir}/run/${BPN} ${D}${sysconfdir}/${BPN}/run
 	install -d ${D}${sysconfdir} ${D}${base_sbindir}
 	install -d ${D}${mandir}/man8 ${D}${docdir}/${P}
-	cp -pPR etc/* ${D}${sysconfdir}/
+	cp -pPR etc/resolvconf ${D}${sysconfdir}/
 	chown -R root:root ${D}${sysconfdir}/
 	install -m 0755 bin/resolvconf ${D}${base_sbindir}/
+	install -m 0755 bin/normalize-resolvconf ${D}${nonarch_base_libdir}/${BPN}
 	install -m 0755 bin/list-records ${D}${base_libdir}/${BPN}
 	install -d ${D}/${sysconfdir}/network/if-up.d
 	install -m 0755 debian/resolvconf.000resolvconf.if-up ${D}/${sysconfdir}/network/if-up.d/000resolvconf
@@ -54,7 +54,7 @@ do_install () {
 	install -m 0644 man/resolvconf.8 ${D}${mandir}/man8/
 }
 
-pkg_postinst_${PN} () {
+pkg_postinst:${PN} () {
 	if [ -z "$D" ]; then
 		if command -v systemd-tmpfiles >/dev/null; then
 			systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/resolvconf.conf
@@ -64,4 +64,4 @@ pkg_postinst_${PN} () {
 	fi
 }
 
-FILES_${PN} += "${base_libdir}/${BPN}"
+FILES:${PN} += "${base_libdir}/${BPN} ${nonarch_base_libdir}/${BPN}"
diff --git a/meta/recipes-connectivity/slirp/libslirp_git.bb b/meta/recipes-connectivity/slirp/libslirp_git.bb
new file mode 100644
index 0000000000..334b786b9b
--- /dev/null
+++ b/meta/recipes-connectivity/slirp/libslirp_git.bb
@@ -0,0 +1,18 @@
+SUMMARY = "A general purpose TCP-IP emulator"
+DESCRIPTION = "A general purpose TCP-IP emulator used by virtual machine hypervisors to provide virtual networking services."
+HOMEPAGE = "https://gitlab.freedesktop.org/slirp/libslirp"
+LICENSE = "BSD-3-Clause & MIT"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=bca0186b14e6b05e338e729f106db727"
+
+SRC_URI = "git://gitlab.freedesktop.org/slirp/libslirp.git;protocol=https;branch=master"
+SRCREV = "3ad1710a96678fe79066b1469cead4058713a1d9"
+PV = "4.7.0"
+S = "${WORKDIR}/git"
+
+DEPENDS = " \
+    glib-2.0 \
+"
+
+inherit meson pkgconfig
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch b/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch
new file mode 100644
index 0000000000..9051ae1abe
--- /dev/null
+++ b/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch
@@ -0,0 +1,62 @@
+From 4f887cc665c9a48b83e20ef4abe57afa7e365e0e Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@eng.windriver.com>
+Date: Tue, 5 Dec 2023 23:02:22 -0800
+Subject: [PATCH v2] fix compile procan.c failed
+
+1. Compile socat failed if out of tree build (build dir != source dir)
+...
+gcc -c -D CC="gcc" -o procan.o procan.c
+cc1: fatal error: procan.c: No such file or directory
+...
+Explicitly add $srcdir to makefile rule
+
+2. Compile socat failed if multiple words in $(CC), such as CC="gcc -m64"
+...
+from ../socat-1.8.0.0/procan.c:10:
+../socat-1.8.0.0/sysincludes.h:18:10: fatal error: inttypes.h: No such file or directory
+   18 | #include <inttypes.h>   /* uint16_t */
+...
+
+In commit [Procan: print umask, CC, and couple more new infos][1],
+it defeines marcro CC in C source, the space in CC will break
+C source compile. Use first word of $(CC) to defeine marco CC
+
+[1] https://repo.or.cz/socat.git/commit/cd5673dbd0786c94e0b3ace7e35fab14c01e3185
+
+Upstream-Status: Submitted [socat@dest-unreach.org]
+Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com>
+---
+ Makefile.in | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index c01b1a4..48dad69 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -109,8 +109,8 @@ depend: $(CFILES) $(HFILES)
+ socat: socat.o libxio.a
+ 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ socat.o libxio.a $(CLIBS)
+ 
+-procan.o: procan.c
+-	$(CC) $(CFLAGS) -c -D CC=\"$(CC)\" -o $@ procan.c
++procan.o: $(srcdir)/procan.c
++	$(CC) $(CFLAGS) -c -D CC=\"$(firstword $(CC))\" -o $@ $(srcdir)/procan.c
+ 
+ PROCAN_OBJS=procan_main.o procan.o procan-cdefs.o hostan.o error.o sycls.o sysutils.o utils.o vsnprintf_r.o snprinterr.o
+ procan: $(PROCAN_OBJS)
+@@ -132,9 +132,9 @@ install: progs $(srcdir)/doc/socat.1
+ 	mkdir -p $(DESTDIR)$(BINDEST)
+ 	$(INSTALL) -m 755 socat $(DESTDIR)$(BINDEST)/socat1
+ 	ln -sf socat1 $(DESTDIR)$(BINDEST)/socat
+-	$(INSTALL) -m 755 socat-chain.sh  $(DESTDIR)$(BINDEST)
+-	$(INSTALL) -m 755 socat-mux.sh    $(DESTDIR)$(BINDEST)
+-	$(INSTALL) -m 755 socat-broker.sh $(DESTDIR)$(BINDEST)
++	$(INSTALL) -m 755 $(srcdir)/socat-chain.sh  $(DESTDIR)$(BINDEST)
++	$(INSTALL) -m 755 $(srcdir)/socat-mux.sh    $(DESTDIR)$(BINDEST)
++	$(INSTALL) -m 755 $(srcdir)/socat-broker.sh $(DESTDIR)$(BINDEST)
+ 	$(INSTALL) -m 755 procan $(DESTDIR)$(BINDEST)
+ 	$(INSTALL) -m 755 filan $(DESTDIR)$(BINDEST)
+ 	mkdir -p $(DESTDIR)$(MANDEST)/man1
+-- 
+2.42.0
+
diff --git a/meta/recipes-connectivity/socat/socat_1.7.3.3.bb b/meta/recipes-connectivity/socat/socat_1.8.0.0.bb
index 1dbbe5cd55..912605c95c 100644
--- a/meta/recipes-connectivity/socat/socat_1.7.3.3.bb
+++ b/meta/recipes-connectivity/socat/socat_1.8.0.0.bb
@@ -5,17 +5,15 @@ HOMEPAGE = "http://www.dest-unreach.org/socat/"
 
 SECTION = "console/network"
 
-DEPENDS = "openssl"
-
 LICENSE = "GPL-2.0-with-OpenSSL-exception"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-                    file://README;beginline=257;endline=287;md5=338c05eadd013872abb1d6e198e10a3f"
+                    file://README;beginline=241;endline=271;md5=338c05eadd013872abb1d6e198e10a3f"
 
 SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
+           file://0001-fix-compile-procan.c-failed.patch \
 "
 
-SRC_URI[md5sum] = "b2a032a47b8b89a18485697fa975154f"
-SRC_URI[sha256sum] = "0dd63ffe498168a4aac41d307594c5076ff307aa0ac04b141f8f1cec6594d04a"
+SRC_URI[sha256sum] = "e1de683dd22ee0e3a6c6bbff269abe18ab0c9d7eb650204f125155b9005faca7"
 
 inherit autotools
 
@@ -31,20 +29,23 @@ TERMBITS_SHIFTS ?= "sc_cv_sys_crdly_shift=9 \
                     sc_cv_sys_tabdly_shift=11 \
                     sc_cv_sys_csize_shift=4"
 
-TERMBITS_SHIFTS_powerpc = "sc_cv_sys_crdly_shift=12 \
+TERMBITS_SHIFTS:powerpc = "sc_cv_sys_crdly_shift=12 \
                            sc_cv_sys_tabdly_shift=10 \
                            sc_cv_sys_csize_shift=8"
 
-TERMBITS_SHIFTS_powerpc64 = "sc_cv_sys_crdly_shift=12 \
+TERMBITS_SHIFTS:powerpc64 = "sc_cv_sys_crdly_shift=12 \
                              sc_cv_sys_tabdly_shift=10 \
                              sc_cv_sys_csize_shift=8"
 
-PACKAGECONFIG_class-target ??= "tcp-wrappers readline"
-PACKAGECONFIG ??= "readline"
+PACKAGECONFIG:class-target ??= "tcp-wrappers readline openssl"
+PACKAGECONFIG ??= "readline openssl"
 PACKAGECONFIG[tcp-wrappers] = "--enable-libwrap,--disable-libwrap,tcp-wrappers"
 PACKAGECONFIG[readline] = "--enable-readline,--disable-readline,readline"
+PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl"
+
+CFLAGS += "-fcommon"
 
-do_install_prepend () {
+do_install:prepend () {
     mkdir -p ${D}${bindir}
     install -d ${D}${bindir} ${D}${mandir}/man1
 }
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
new file mode 100644
index 0000000000..30443c9438
--- /dev/null
+++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/dropbear_rsa_host_key
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
new file mode 100644
index 0000000000..86c2104ec8
--- /dev/null
+++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key
@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRJR6iZxr/NTqQN9NOwV+WPtu42r2eF
+rJ0xsnlqw5bpmfz6aDR8RQvVHUZjRGQfR/RXPbQ5x+bjjdm176TuXNhHAAAAqAoE27MKBN
+uzAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBElHqJnGv81OpA30
+07BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2E
+cAAAAgLiHv/IWhxwosz9BiNILOOPlXaueL5hVTBKUJkpOi48sAAAANcm9vdEBxZW11bWlw
+cwECAw==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
new file mode 100644
index 0000000000..a358aeb88a
--- /dev/null
+++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ecdsa_key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBElHqJnGv81OpA3007BX5Y+27javZ4WsnTGyeWrDlumZ/PpoNHxFC9UdRmNEZB9H9Fc9tDnH5uON2bXvpO5c2Ec= root@qemupregen
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key
new file mode 100644
index 0000000000..00ed9adae2
--- /dev/null
+++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDHSFTAbJ3OTd1r1E8G5JleCmsJEpQHmdTGtMcYqwWbbwAAAJChFtV0oRbV
+dAAAAAtzc2gtZWQyNTUxOQAAACDHSFTAbJ3OTd1r1E8G5JleCmsJEpQHmdTGtMcYqwWbbw
+AAAEA8UiUsygsTbP0HkDi5leXpQaVXihDyCHeitkBCItJGhcdIVMBsnc5N3WvUTwbkmV4K
+awkSlAeZ1Ma0xxirBZtvAAAADXJvb3RAcWVtdW1pcHM=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub
new file mode 100644
index 0000000000..cc0e2f43ed
--- /dev/null
+++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdIVMBsnc5N3WvUTwbkmV4KawkSlAeZ1Ma0xxirBZtv root@qemupregen
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key
new file mode 100644
index 0000000000..a8e4406ba3
--- /dev/null
+++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key
@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEA2Q6dzF1xziCQCFq+e+Fv6w0607gNlyKnkhuoRq8G7/HEqXU2eEtC
+i3AMUrAP8k7s9kP5vI5CyfSgFuC9MxDV2YL2bsmvRxBSKgg6KbNxkoTaFBqyqHopuWQca8
+KRahvzt5dh9fsmeqamIwgMWKTSwtDHcsbyt84nmO2Z2ZrNXobgueMIj+HiJVgmWn86FQFL
+EoONAA+qb4SciPsxvmTlaQ/DMAh3llVo/IMLD9oyAyAI2kbHNnZttlYv5TmY7ICd3yCW8z
+PXrxNcEF3Qs1d68gVJxLjLKTlYGzJW2J+RwY+1DJZ0w4lozeQiZXTXVtzcJB0tm2DcvQMz
+kqyARmncSUwcPbEClEW6Y2xQnLeSHjexzlCCndiUbBTeG5iRl4OL6DN40iI9Lw2VROtj2Y
+59n9PCfaoUs08dsgJLaNrDbRHrCRLSdZJ6OQFiC/nAx/t4e4+wdUgNOqLyJqomdNdaLXPq
+tzr9ssrcY5j1DmmwKtzfTI5VM9LRQo+REIiUCNTFAAAFiFh232tYdt9rAAAAB3NzaC1yc2
+EAAAGBANkOncxdcc4gkAhavnvhb+sNOtO4DZcip5IbqEavBu/xxKl1NnhLQotwDFKwD/JO
+7PZD+byOQsn0oBbgvTMQ1dmC9m7Jr0cQUioIOimzcZKE2hQasqh6KblkHGvCkWob87eXYf
+X7JnqmpiMIDFik0sLQx3LG8rfOJ5jtmdmazV6G4LnjCI/h4iVYJlp/OhUBSxKDjQAPqm+E
+nIj7Mb5k5WkPwzAId5ZVaPyDCw/aMgMgCNpGxzZ2bbZWL+U5mOyAnd8glvMz168TXBBd0L
+NXevIFScS4yyk5WBsyVtifkcGPtQyWdMOJaM3kImV011bc3CQdLZtg3L0DM5KsgEZp3ElM
+HD2xApRFumNsUJy3kh43sc5Qgp3YlGwU3huYkZeDi+gzeNIiPS8NlUTrY9mOfZ/Twn2qFL
+NPHbICS2jaw20R6wkS0nWSejkBYgv5wMf7eHuPsHVIDTqi8iaqJnTXWi1z6rc6/bLK3GOY
+9Q5psCrc30yOVTPS0UKPkRCIlAjUxQAAAAMBAAEAAAGAGIj+bUtiwdoMbeVUAszIydkE/U
+mgv6S7LFjT/KlsL1M017LYJWDcdMaFnhMouksRngSxBg9OnWV5cxyURmFwytVy5bMGjRHb
+N8UWTgBqphU+UWdzKngkn0AhtkyYA1aFhgsml5d8EgEkZnFSc/KtoDfZU7AJX519/FtfOK
+m27Shx3pE7Nohh97avHyuidR1gTwdvuMIMke57g0BhrxPYmredaKCMZAHjjCeD6JbRcGj+
+ly3I9u8MF8BGSbLpBlLDUFCwP8G5CdmMua8bPJYhPSRqMLQhclI7hc6FaYk+gZV9B74Iv/
+SAxcCwI97dNbE0IAsbbWoUdoKGpAYQ5gOdhu5ioqZwKWjNjB3Xx48mq8xtmIR9HEnYzEnk
+b/tDWNRWrGkvNK7vpLvnbsSSKBqOAbMzmQdJxogTgjE5doSmu2/krIMR6KUcUox2ZrR8Ot
+JM6bXyNFBviiXmYvw/SZTDrVJu8BPMu5EMS5pBl8jPFBGI/ePk4qg7lWAJeQ89ThtBAAAA
+wQDEU4HjomWwJsn9UWdoodXTV5aPY9B1OPkmYnRPtsjSAcXgtBzUXMEOsmXODOK3aQjsE0
+jQKpWDAUcUf6KKZKRehxUN4MlwujCG9czn65S6B8BsP1YUfZQjpNyub8vDBfeKzlxKBEEM
+lb4iBT+LEGkihK13H5CbqRg1GDAThZzwrV4pj3S40zgyHhn8JjK4x4djEY6NwkWH8E2DgD
+8vYG/FKh5E/VIZtCgtAHa4QNAgGB4VMRn1VpSJzxjCxb1wancAAADBAPT7F34WYEI3Vc52
+p1U5rPa6dZtg5QM14V0+KtMlb3frd0/F+JVj4t6COQ8J9pkOuD0YjOYJuFXIWAAYIjCdWt
+cbTi/sSERawOWxrgSwJo2vjt5izrBQtr3N8tiB6KDGa5sdgJl5XzJ0SsdStfBbyhcJO4RV
+p9lc+X8OsUfFsClmyIs45vlxBRH06DP6/zmYCAmqvlrfZJKqlpKAEWDDObRy/3+mSNhZ0J
+BdmncASiASRlPPIoIHznyA1COUn6+TnwAAAMEA4tH89Dez2JauyPVeCyHAC680vrBKjmMx
+WYdpq2Xzd/LNl2L9oc0IEZzerLTuaCh6qsbbk2wWj1nrYXvefz/xUtDR427tvRXckcsWhP
+2HYohdYBkwTpp9QuscIV76GdwbTImuNEzvABH1hpTG6DSzqeyf/EVmSq07nptJIs5lpU49
+tW2aWraSvswHR9xfts1U79w9f4BNDy1rTmfuLERTRNF/T9CIFsk9tArLUNT64mhHtoEs8F
+9AyGuq6v49bN0bAAAADXJvb3RAcWVtdW1pcHMBAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub
new file mode 100644
index 0000000000..9eb8c3838f
--- /dev/null
+++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys/openssh/ssh_host_rsa_key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZDp3MXXHOIJAIWr574W/rDTrTuA2XIqeSG6hGrwbv8cSpdTZ4S0KLcAxSsA/yTuz2Q/m8jkLJ9KAW4L0zENXZgvZuya9HEFIqCDops3GShNoUGrKoeim5ZBxrwpFqG/O3l2H1+yZ6pqYjCAxYpNLC0MdyxvK3zieY7ZnZms1ehuC54wiP4eIlWCZafzoVAUsSg40AD6pvhJyI+zG+ZOVpD8MwCHeWVWj8gwsP2jIDIAjaRsc2dm22Vi/lOZjsgJ3fIJbzM9evE1wQXdCzV3ryBUnEuMspOVgbMlbYn5HBj7UMlnTDiWjN5CJldNdW3NwkHS2bYNy9AzOSrIBGadxJTBw9sQKURbpjbFCct5IeN7HOUIKd2JRsFN4bmJGXg4voM3jSIj0vDZVE62PZjn2f08J9qhSzTx2yAkto2sNtEesJEtJ1kno5AWIL+cDH+3h7j7B1SA06ovImqiZ011otc+q3Ov2yytxjmPUOabAq3N9MjlUz0tFCj5EQiJQI1MU= root@qemupregen
diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
new file mode 100644
index 0000000000..ddd10e6eeb
--- /dev/null
+++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb
@@ -0,0 +1,19 @@
+SUMMARY = "Pre generated host keys mainly for speeding up our qemu tests"
+
+SRC_URI = "file://dropbear_rsa_host_key \
+           file://openssh"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+do_install () {
+	install -d ${D}${sysconfdir}/dropbear
+	install ${WORKDIR}/dropbear_rsa_host_key -m 0600 ${D}${sysconfdir}/dropbear/
+
+	install -d ${D}${sysconfdir}/ssh
+	install ${WORKDIR}/openssh/* ${D}${sysconfdir}/ssh/
+	chmod 0600 ${D}${sysconfdir}/ssh/*
+	chmod 0644 ${D}${sysconfdir}/ssh/*.pub
+}
\ No newline at end of file
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
deleted file mode 100644
index 7b0713cf6d..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect indication
-of disconnection in certain situations because source address validation is
-mishandled. This is a denial of service that should have been prevented by PMF
-(aka management frame protection). The attacker must send a crafted 802.11 frame
-from a location that is within the 802.11 communications range.
-
-CVE: CVE-2019-16275
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 8c07fa9eda13e835f3f968b2e1c9a8be3a851ff9 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Thu, 29 Aug 2019 11:52:04 +0300
-Subject: [PATCH] AP: Silently ignore management frame from unexpected source
- address
-
-Do not process any received Management frames with unexpected/invalid SA
-so that we do not add any state for unexpected STA addresses or end up
-sending out frames to unexpected destination. This prevents unexpected
-sequences where an unprotected frame might end up causing the AP to send
-out a response to another device and that other device processing the
-unexpected response.
-
-In particular, this prevents some potential denial of service cases
-where the unexpected response frame from the AP might result in a
-connected station dropping its association.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/drv_callbacks.c | 13 +++++++++++++
- src/ap/ieee802_11.c    | 12 ++++++++++++
- 2 files changed, 25 insertions(+)
-
-diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c
-index 31587685fe3b..34ca379edc3d 100644
---- a/src/ap/drv_callbacks.c
-+++ b/src/ap/drv_callbacks.c
-@@ -131,6 +131,19 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr,
- 			   "hostapd_notif_assoc: Skip event with no address");
- 		return -1;
- 	}
-+
-+	if (is_multicast_ether_addr(addr) ||
-+	    is_zero_ether_addr(addr) ||
-+	    os_memcmp(addr, hapd->own_addr, ETH_ALEN) == 0) {
-+		/* Do not process any frames with unexpected/invalid SA so that
-+		 * we do not add any state for unexpected STA addresses or end
-+		 * up sending out frames to unexpected destination. */
-+		wpa_printf(MSG_DEBUG, "%s: Invalid SA=" MACSTR
-+			   " in received indication - ignore this indication silently",
-+			   __func__, MAC2STR(addr));
-+		return 0;
-+	}
-+
- 	random_add_randomness(addr, ETH_ALEN);
- 
- 	hostapd_logger(hapd, addr, HOSTAPD_MODULE_IEEE80211,
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index c85a28db44b7..e7065372e158 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -4626,6 +4626,18 @@ int ieee802_11_mgmt(struct hostapd_data *hapd, const u8 *buf, size_t len,
- 	fc = le_to_host16(mgmt->frame_control);
- 	stype = WLAN_FC_GET_STYPE(fc);
- 
-+	if (is_multicast_ether_addr(mgmt->sa) ||
-+	    is_zero_ether_addr(mgmt->sa) ||
-+	    os_memcmp(mgmt->sa, hapd->own_addr, ETH_ALEN) == 0) {
-+		/* Do not process any frames with unexpected/invalid SA so that
-+		 * we do not add any state for unexpected STA addresses or end
-+		 * up sending out frames to unexpected destination. */
-+		wpa_printf(MSG_DEBUG, "MGMT: Invalid SA=" MACSTR
-+			   " in received frame - ignore this frame silently",
-+			   MAC2STR(mgmt->sa));
-+		return 0;
-+	}
-+
- 	if (stype == WLAN_FC_STYPE_BEACON) {
- 		handle_beacon(hapd, mgmt, len, fi);
- 		return 1;
--- 
-2.20.1
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
new file mode 100644
index 0000000000..c04c608bde
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch
@@ -0,0 +1,33 @@
+From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001
+From: Alex Kiernan <alexk@zuma.ai>
+Date: Thu, 21 Apr 2022 10:15:29 +0100
+Subject: [PATCH] Install wpa_passphrase when not disabled
+
+As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
+built, its not installed during `make install`.
+
+Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
+Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html]
+---
+ wpa_supplicant/Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index 0bab313f2355..12787c0c7d0f 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: %
+ 
+ install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL))
+ 	$(MAKE) -C ../src install
++ifndef CONFIG_NO_WPA_PASSPHRASE
++	install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase
++endif
+ ifdef CONFIG_BUILD_WPA_CLIENT_SO
+ 	install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so
+ 	install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h
+-- 
+2.35.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
new file mode 100644
index 0000000000..620560d3c7
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
@@ -0,0 +1,213 @@
+From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used (default)
+ * 2 = require Phase 2 authentication in all cases
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2023-52160
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]
+
+Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
+
+---
+ src/eap_peer/eap_config.h          |  8 ++++++
+ src/eap_peer/eap_peap.c            | 40 +++++++++++++++++++++++++++---
+ src/eap_peer/eap_tls_common.c      |  6 +++++
+ src/eap_peer/eap_tls_common.h      |  5 ++++
+ wpa_supplicant/wpa_supplicant.conf |  7 ++++++
+ 5 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
+index 3238f74..047eec2 100644
+--- a/src/eap_peer/eap_config.h
++++ b/src/eap_peer/eap_config.h
+@@ -469,6 +469,14 @@ struct eap_peer_config {
+ 	 * 1 = use cryptobinding if server supports it
+ 	 * 2 = require cryptobinding
+ 	 *
++	 * phase2_auth option can be used to control Phase 2 (i.e., within TLS
++	 * tunnel) behavior for PEAP:
++	 * 0 = do not require Phase 2 authentication
++	 * 1 = require Phase 2 authentication when client certificate
++	 *  (private_key/client_cert) is no used and TLS session resumption was
++	 *  not used (default)
++	 * 2 = require Phase 2 authentication in all cases
++	 *
+ 	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
+ 	 * uuid=Device_UUID
+ 	 *
+diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
+index 12e30df..6080697 100644
+--- a/src/eap_peer/eap_peap.c
++++ b/src/eap_peer/eap_peap.c
+@@ -67,6 +67,7 @@ struct eap_peap_data {
+ 	u8 cmk[20];
+ 	int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
+ 		  * is enabled. */
++	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
+ };
+ 
+ 
+@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
+ 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+ 	}
+ 
++	if (os_strstr(phase1, "phase2_auth=0")) {
++		data->phase2_auth = NO_AUTH;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Do not require Phase 2 authentication");
++	} else if (os_strstr(phase1, "phase2_auth=1")) {
++		data->phase2_auth = FOR_INITIAL;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for initial connection");
++	} else if (os_strstr(phase1, "phase2_auth=2")) {
++		data->phase2_auth = ALWAYS;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for all cases");
++	}
+ #ifdef EAP_TNC
+ 	if (os_strstr(phase1, "tnc=soh2")) {
+ 		data->soh = 2;
+@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
+ 	data->force_peap_version = -1;
+ 	data->peap_outer_success = 2;
+ 	data->crypto_binding = OPTIONAL_BINDING;
++	data->phase2_auth = FOR_INITIAL;
+ 
+ 	if (config && config->phase1)
+ 		eap_peap_parse_phase1(data, config->phase1);
+@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
+ }
+ 
+ 
++static bool peap_phase2_sufficient(struct eap_sm *sm,
++				   struct eap_peap_data *data)
++{
++	if ((data->phase2_auth == ALWAYS ||
++	     (data->phase2_auth == FOR_INITIAL &&
++	      !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
++	      !data->ssl.client_cert_conf) ||
++	     data->phase2_eap_started) &&
++	    !data->phase2_eap_success)
++		return false;
++	return true;
++}
++
++
+ /**
+  * eap_tlv_process - Process a received EAP-TLV message and generate a response
+  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
+@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
+ 					   " - force failed Phase 2");
+ 				resp_status = EAP_TLV_RESULT_FAILURE;
+ 				ret->decision = DECISION_FAIL;
++			} else if (!peap_phase2_sufficient(sm, data)) {
++				wpa_printf(MSG_INFO,
++					   "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
++				resp_status = EAP_TLV_RESULT_FAILURE;
++				ret->decision = DECISION_FAIL;
+ 			} else {
+ 				resp_status = EAP_TLV_RESULT_SUCCESS;
+ 				ret->decision = DECISION_UNCOND_SUCC;
+@@ -887,8 +921,7 @@ continue_req:
+ 			/* EAP-Success within TLS tunnel is used to indicate
+ 			 * shutdown of the TLS channel. The authentication has
+ 			 * been completed. */
+-			if (data->phase2_eap_started &&
+-			    !data->phase2_eap_success) {
++			if (!peap_phase2_sufficient(sm, data)) {
+ 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
+ 					   "Success used to indicate success, "
+ 					   "but Phase 2 EAP was not yet "
+@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
+ static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
+ {
+ 	struct eap_peap_data *data = priv;
++
+ 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
+-		data->phase2_success;
++		data->phase2_success && data->phase2_auth != ALWAYS;
+ }
+ 
+ 
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index c1837db..a53eeb1 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
+ 
+ 	sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+ 
++	if (!phase2)
++		data->client_cert_conf = params->client_cert ||
++			params->client_cert_blob ||
++			params->private_key ||
++			params->private_key_blob;
++
+ 	return 0;
+ }
+ 
+diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
+index 9ac0012..3348634 100644
+--- a/src/eap_peer/eap_tls_common.h
++++ b/src/eap_peer/eap_tls_common.h
+@@ -79,6 +79,11 @@ struct eap_ssl_data {
+ 	 * tls_v13 - Whether TLS v1.3 or newer is used
+ 	 */
+ 	int tls_v13;
++
++	/**
++	 * client_cert_conf: Whether client certificate has been configured
++	 */
++	bool client_cert_conf;
+ };
+ 
+ 
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index 6619d6b..d63f73c 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1321,6 +1321,13 @@ fast_reauth=1
+ #	 * 0 = do not use cryptobinding (default)
+ #	 * 1 = use cryptobinding if server supports it
+ #	 * 2 = require cryptobinding
++#	'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
++#	tunnel) behavior for PEAP:
++#	 * 0 = do not require Phase 2 authentication
++#	 * 1 = require Phase 2 authentication when client certificate
++#	   (private_key/client_cert) is no used and TLS session resumption was
++#	   not used (default)
++#	 * 2 = require Phase 2 authentication in all cases
+ #	EAP-WSC (WPS) uses following options: pin=<Device Password> or
+ #	pbc=1.
+ #
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
new file mode 100644
index 0000000000..6e930fc98d
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch
@@ -0,0 +1,73 @@
+From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <geomatsi@gmail.com>
+Date: Tue, 22 Feb 2022 11:52:19 +0300
+Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and
+ wpa_passphrase
+
+Commit a41a29192e5d ("build: Pull common fragments into a build.rules
+file") introduced a regression into wpa_supplicant build process. The
+build target libwpa_client.so is not built regardless of whether the
+option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because
+this config option is used before it is imported from the configuration
+file. Moving its use after including build.rules does not help: the
+variable ALL is processed by build.rules and further changes are not
+applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work
+as expected: wpa_passphrase is always built regardless of whether the
+option is set or not.
+
+Re-enable these options by adding both build targets to _all
+dependencies.
+
+Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file")
+Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
+Upstream-Status: Backport
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alexk@gmail.com>
+---
+ wpa_supplicant/Makefile | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index cb66defac7c8..c456825ae75f 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -1,24 +1,29 @@
+ BINALL=wpa_supplicant wpa_cli
+ 
+-ifndef CONFIG_NO_WPA_PASSPHRASE
+-BINALL += wpa_passphrase
+-endif
+-
+ ALL = $(BINALL)
+ ALL += systemd/wpa_supplicant.service
+ ALL += systemd/wpa_supplicant@.service
+ ALL += systemd/wpa_supplicant-nl80211@.service
+ ALL += systemd/wpa_supplicant-wired@.service
+ ALL += dbus/fi.w1.wpa_supplicant1.service
+-ifdef CONFIG_BUILD_WPA_CLIENT_SO
+-ALL += libwpa_client.so
+-endif
+ 
+ EXTRA_TARGETS=dynamic_eap_methods
+ 
+ CONFIG_FILE=.config
+ include ../src/build.rules
+ 
++ifdef CONFIG_BUILD_WPA_CLIENT_SO
++# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO
++# being set in the config which is read by build.rules
++_all: libwpa_client.so
++endif
++
++ifndef CONFIG_NO_WPA_PASSPHRASE
++# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE
++# being set in the config which is read by build.rules
++_all: wpa_passphrase
++endif
++
+ ifdef LIBS
+ # If LIBS is set with some global build system defaults, clone those for
+ # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well.
+-- 
+2.35.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
deleted file mode 100644
index a476cf040e..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 94c401733a5a3d294cc412671166e6adfb409f53 Mon Sep 17 00:00:00 2001
-From: Joshua DeWeese <jdeweese@hennypenny.com>
-Date: Wed, 30 Jan 2019 16:19:47 -0500
-Subject: [PATCH] replace systemd install Alias with WantedBy
-
-According to the systemd documentation "WantedBy=foo.service in a
-service bar.service is mostly equivalent to
-Alias=foo.service.wants/bar.service in the same file." However,
-this is not really the intended purpose of install Aliases.
-
-Upstream-Status: Submitted [hostap@lists.infradead.org]
-
-Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com>
----
- wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in | 2 +-
- wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in   | 2 +-
- wpa_supplicant/systemd/wpa_supplicant.service.arg.in         | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-index 03ac507..da69a87 100644
---- a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
- ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-nl80211-%I.conf -Dnl80211 -i%I
- 
- [Install]
--Alias=multi-user.target.wants/wpa_supplicant-nl80211@%i.service
-+WantedBy=multi-user.target
-diff --git a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-index c8a744d..ca3054b 100644
---- a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
- ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-%I.conf -Dwired -i%I
- 
- [Install]
--Alias=multi-user.target.wants/wpa_supplicant-wired@%i.service
-+WantedBy=multi-user.target
-diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-index 7788b38..55d2b9c 100644
---- a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-+++ b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
-@@ -12,4 +12,4 @@ Type=simple
- ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I
- 
- [Install]
--Alias=multi-user.target.wants/wpa_supplicant@%i.service
-+WantedBy=multi-user.target
--- 
-2.7.4
-
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
new file mode 100644
index 0000000000..53b0fcdf53
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch
@@ -0,0 +1,26 @@
+From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Thu, 3 Mar 2022 13:26:42 +0200
+Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean'
+
+Fixes: 0430bc8267b4 ("build: Add a common-clean target")
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+Upstream-Status: Backport
+Signed-off-by: Alex Kiernan <alexk@zuma.ai>
+Signed-off-by: Alex Kiernan <alexk@gmail.com>
+---
+ wpa_supplicant/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index c456825ae75f..4b4688931b1d 100644
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -2077,3 +2077,4 @@ clean: common-clean
+ 	rm -f libwpa_client.a
+ 	rm -f libwpa_client.so
+ 	rm -f libwpa_test1 libwpa_test2
++	rm -f wpa_passphrase
+-- 
+2.35.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig
deleted file mode 100644
index f04e398fdb..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/defconfig
+++ /dev/null
@@ -1,552 +0,0 @@
-# Example wpa_supplicant build time configuration
-#
-# This file lists the configuration options that are used when building the
-# hostapd binary. All lines starting with # are ignored. Configuration option
-# lines must be commented out complete, if they are not to be included, i.e.,
-# just setting VARIABLE=n is not disabling that variable.
-#
-# This file is included in Makefile, so variables like CFLAGS and LIBS can also
-# be modified from here. In most cases, these lines should use += in order not
-# to override previous values of the variables.
-
-
-# Uncomment following two lines and fix the paths if you have installed OpenSSL
-# or GnuTLS in non-default location
-#CFLAGS += -I/usr/local/openssl/include
-#LIBS += -L/usr/local/openssl/lib
-
-# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
-# the kerberos files are not in the default include path. Following line can be
-# used to fix build issues on such systems (krb5.h not found).
-#CFLAGS += -I/usr/include/kerberos
-
-# Example configuration for various cross-compilation platforms
-
-#### sveasoft (e.g., for Linksys WRT54G) ######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS += -I../src/include -I../../src/router/openssl/include
-#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl
-###############################################################################
-
-#### openwrt (e.g., for Linksys WRT54G) #######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \
-#	-I../WRT54GS/release/src/include
-#LIBS = -lssl
-###############################################################################
-
-
-# Driver interface for Host AP driver
-CONFIG_DRIVER_HOSTAP=y
-
-# Driver interface for Agere driver
-#CONFIG_DRIVER_HERMES=y
-# Change include directories to match with the local setup
-#CFLAGS += -I../../hcf -I../../include -I../../include/hcf
-#CFLAGS += -I../../include/wireless
-
-# Driver interface for madwifi driver
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_MADWIFI=y
-# Set include directory to the madwifi source tree
-#CFLAGS += -I../../madwifi
-
-# Driver interface for ndiswrapper
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_NDISWRAPPER=y
-
-# Driver interface for Atmel driver
-# CONFIG_DRIVER_ATMEL=y
-
-# Driver interface for old Broadcom driver
-# Please note that the newer Broadcom driver ("hybrid Linux driver") supports
-# Linux wireless extensions and does not need (or even work) with the old
-# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver.
-#CONFIG_DRIVER_BROADCOM=y
-# Example path for wlioctl.h; change to match your configuration
-#CFLAGS += -I/opt/WRT54GS/release/src/include
-
-# Driver interface for Intel ipw2100/2200 driver
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_IPW=y
-
-# Driver interface for Ralink driver
-#CONFIG_DRIVER_RALINK=y
-
-# Driver interface for generic Linux wireless extensions
-# Note: WEXT is deprecated in the current Linux kernel version and no new
-# functionality is added to it. nl80211-based interface is the new
-# replacement for WEXT and its use allows wpa_supplicant to properly control
-# the driver to improve existing functionality like roaming and to support new
-# functionality.
-CONFIG_DRIVER_WEXT=y
-
-# Driver interface for Linux drivers using the nl80211 kernel interface
-CONFIG_DRIVER_NL80211=y
-
-# driver_nl80211.c requires libnl. If you are compiling it yourself
-# you may need to point hostapd to your version of libnl.
-#
-#CFLAGS += -I$<path to libnl include files>
-#LIBS += -L$<path to libnl library files>
-
-# Use libnl v2.0 (or 3.0) libraries.
-#CONFIG_LIBNL20=y
-
-# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
-CONFIG_LIBNL32=y
-
-
-# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
-#CONFIG_DRIVER_BSD=y
-#CFLAGS += -I/usr/local/include
-#LIBS += -L/usr/local/lib
-#LIBS_p += -L/usr/local/lib
-#LIBS_c += -L/usr/local/lib
-
-# Driver interface for Windows NDIS
-#CONFIG_DRIVER_NDIS=y
-#CFLAGS += -I/usr/include/w32api/ddk
-#LIBS += -L/usr/local/lib
-# For native build using mingw
-#CONFIG_NATIVE_WINDOWS=y
-# Additional directories for cross-compilation on Linux host for mingw target
-#CFLAGS += -I/opt/mingw/mingw32/include/ddk
-#LIBS += -L/opt/mingw/mingw32/lib
-#CC=mingw32-gcc
-# By default, driver_ndis uses WinPcap for low-level operations. This can be
-# replaced with the following option which replaces WinPcap calls with NDISUIO.
-# However, this requires that WZC is disabled (net stop wzcsvc) before starting
-# wpa_supplicant.
-# CONFIG_USE_NDISUIO=y
-
-# Driver interface for development testing
-#CONFIG_DRIVER_TEST=y
-
-# Driver interface for wired Ethernet drivers
-CONFIG_DRIVER_WIRED=y
-
-# Driver interface for the Broadcom RoboSwitch family
-#CONFIG_DRIVER_ROBOSWITCH=y
-
-# Driver interface for no driver (e.g., WPS ER only)
-#CONFIG_DRIVER_NONE=y
-
-# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
-# included)
-CONFIG_IEEE8021X_EAPOL=y
-
-# EAP-MD5
-CONFIG_EAP_MD5=y
-
-# EAP-MSCHAPv2
-CONFIG_EAP_MSCHAPV2=y
-
-# EAP-TLS
-CONFIG_EAP_TLS=y
-
-# EAL-PEAP
-CONFIG_EAP_PEAP=y
-
-# EAP-TTLS
-CONFIG_EAP_TTLS=y
-
-# EAP-FAST
-# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
-# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
-# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
-#CONFIG_EAP_FAST=y
-
-# EAP-GTC
-CONFIG_EAP_GTC=y
-
-# EAP-OTP
-CONFIG_EAP_OTP=y
-
-# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
-#CONFIG_EAP_SIM=y
-
-# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
-#CONFIG_EAP_PSK=y
-
-# EAP-pwd (secure authentication using only a password)
-#CONFIG_EAP_PWD=y
-
-# EAP-PAX
-#CONFIG_EAP_PAX=y
-
-# LEAP
-CONFIG_EAP_LEAP=y
-
-# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
-#CONFIG_EAP_AKA=y
-
-# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
-# This requires CONFIG_EAP_AKA to be enabled, too.
-#CONFIG_EAP_AKA_PRIME=y
-
-# Enable USIM simulator (Milenage) for EAP-AKA
-#CONFIG_USIM_SIMULATOR=y
-
-# EAP-SAKE
-#CONFIG_EAP_SAKE=y
-
-# EAP-GPSK
-#CONFIG_EAP_GPSK=y
-# Include support for optional SHA256 cipher suite in EAP-GPSK
-#CONFIG_EAP_GPSK_SHA256=y
-
-# EAP-TNC and related Trusted Network Connect support (experimental)
-#CONFIG_EAP_TNC=y
-
-# Wi-Fi Protected Setup (WPS)
-CONFIG_WPS=y
-# Enable WSC 2.0 support
-#CONFIG_WPS2=y
-# Enable WPS external registrar functionality
-#CONFIG_WPS_ER=y
-# Disable credentials for an open network by default when acting as a WPS
-# registrar.
-#CONFIG_WPS_REG_DISABLE_OPEN=y
-# Enable WPS support with NFC config method
-#CONFIG_WPS_NFC=y
-
-# EAP-IKEv2
-#CONFIG_EAP_IKEV2=y
-
-# EAP-EKE
-#CONFIG_EAP_EKE=y
-
-# PKCS#12 (PFX) support (used to read private key and certificate file from
-# a file that usually has extension .p12 or .pfx)
-CONFIG_PKCS12=y
-
-# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
-# engine.
-CONFIG_SMARTCARD=y
-
-# PC/SC interface for smartcards (USIM, GSM SIM)
-# Enable this if EAP-SIM or EAP-AKA is included
-#CONFIG_PCSC=y
-
-# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
-#CONFIG_HT_OVERRIDES=y
-
-# Support VHT overrides (disable VHT, mask MCS rates, etc.)
-#CONFIG_VHT_OVERRIDES=y
-
-# Development testing
-#CONFIG_EAPOL_TEST=y
-
-# Select control interface backend for external programs, e.g, wpa_cli:
-# unix = UNIX domain sockets (default for Linux/*BSD)
-# udp = UDP sockets using localhost (127.0.0.1)
-# named_pipe = Windows Named Pipe (default for Windows)
-# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
-# y = use default (backwards compatibility)
-# If this option is commented out, control interface is not included in the
-# build.
-CONFIG_CTRL_IFACE=y
-
-# Include support for GNU Readline and History Libraries in wpa_cli.
-# When building a wpa_cli binary for distribution, please note that these
-# libraries are licensed under GPL and as such, BSD license may not apply for
-# the resulting binary.
-#CONFIG_READLINE=y
-
-# Include internal line edit mode in wpa_cli. This can be used as a replacement
-# for GNU Readline to provide limited command line editing and history support.
-#CONFIG_WPA_CLI_EDIT=y
-
-# Remove debugging code that is printing out debug message to stdout.
-# This can be used to reduce the size of the wpa_supplicant considerably
-# if debugging code is not needed. The size reduction can be around 35%
-# (e.g., 90 kB).
-#CONFIG_NO_STDOUT_DEBUG=y
-
-# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
-# 35-50 kB in code size.
-#CONFIG_NO_WPA=y
-
-# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
-# This option can be used to reduce code size by removing support for
-# converting ASCII passphrases into PSK. If this functionality is removed, the
-# PSK can only be configured as the 64-octet hexstring (e.g., from
-# wpa_passphrase). This saves about 0.5 kB in code size.
-#CONFIG_NO_WPA_PASSPHRASE=y
-
-# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
-# This can be used if ap_scan=1 mode is never enabled.
-#CONFIG_NO_SCAN_PROCESSING=y
-
-# Select configuration backend:
-# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
-#	path is given on command line, not here; this option is just used to
-#	select the backend that allows configuration files to be used)
-# winreg = Windows registry (see win_example.reg for an example)
-CONFIG_BACKEND=file
-
-# Remove configuration write functionality (i.e., to allow the configuration
-# file to be updated based on runtime configuration changes). The runtime
-# configuration can still be changed, the changes are just not going to be
-# persistent over restarts. This option can be used to reduce code size by
-# about 3.5 kB.
-#CONFIG_NO_CONFIG_WRITE=y
-
-# Remove support for configuration blobs to reduce code size by about 1.5 kB.
-#CONFIG_NO_CONFIG_BLOBS=y
-
-# Select program entry point implementation:
-# main = UNIX/POSIX like main() function (default)
-# main_winsvc = Windows service (read parameters from registry)
-# main_none = Very basic example (development use only)
-#CONFIG_MAIN=main
-
-# Select wrapper for operatins system and C library specific functions
-# unix = UNIX/POSIX like systems (default)
-# win32 = Windows systems
-# none = Empty template
-#CONFIG_OS=unix
-
-# Select event loop implementation
-# eloop = select() loop (default)
-# eloop_win = Windows events and WaitForMultipleObject() loop
-#CONFIG_ELOOP=eloop
-
-# Should we use poll instead of select? Select is used by default.
-#CONFIG_ELOOP_POLL=y
-
-# Select layer 2 packet implementation
-# linux = Linux packet socket (default)
-# pcap = libpcap/libdnet/WinPcap
-# freebsd = FreeBSD libpcap
-# winpcap = WinPcap with receive thread
-# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
-# none = Empty template
-#CONFIG_L2_PACKET=linux
-
-# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
-CONFIG_PEERKEY=y
-
-# IEEE 802.11w (management frame protection), also known as PMF
-# Driver support is also needed for IEEE 802.11w.
-#CONFIG_IEEE80211W=y
-
-# Select TLS implementation
-# openssl = OpenSSL (default)
-# gnutls = GnuTLS
-# internal = Internal TLSv1 implementation (experimental)
-# none = Empty template
-#CONFIG_TLS=openssl
-
-# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
-# can be enabled to get a stronger construction of messages when block ciphers
-# are used. It should be noted that some existing TLS v1.0 -based
-# implementation may not be compatible with TLS v1.1 message (ClientHello is
-# sent prior to negotiating which version will be used)
-#CONFIG_TLSV11=y
-
-# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
-# can be enabled to enable use of stronger crypto algorithms. It should be
-# noted that some existing TLS v1.0 -based implementation may not be compatible
-# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
-# will be used)
-#CONFIG_TLSV12=y
-
-# If CONFIG_TLS=internal is used, additional library and include paths are
-# needed for LibTomMath. Alternatively, an integrated, minimal version of
-# LibTomMath can be used. See beginning of libtommath.c for details on benefits
-# and drawbacks of this option.
-#CONFIG_INTERNAL_LIBTOMMATH=y
-#ifndef CONFIG_INTERNAL_LIBTOMMATH
-#LTM_PATH=/usr/src/libtommath-0.39
-#CFLAGS += -I$(LTM_PATH)
-#LIBS += -L$(LTM_PATH)
-#LIBS_p += -L$(LTM_PATH)
-#endif
-# At the cost of about 4 kB of additional binary size, the internal LibTomMath
-# can be configured to include faster routines for exptmod, sqr, and div to
-# speed up DH and RSA calculation considerably
-#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
-
-# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
-# This is only for Windows builds and requires WMI-related header files and
-# WbemUuid.Lib from Platform SDK even when building with MinGW.
-#CONFIG_NDIS_EVENTS_INTEGRATED=y
-#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
-
-# Add support for old DBus control interface
-# (fi.epitest.hostap.WPASupplicant)
-#CONFIG_CTRL_IFACE_DBUS=y
-
-# Add support for new DBus control interface
-# (fi.w1.hostap.wpa_supplicant1)
-CONFIG_CTRL_IFACE_DBUS_NEW=y
-
-# Add introspection support for new DBus control interface
-#CONFIG_CTRL_IFACE_DBUS_INTRO=y
-
-# Add support for loading EAP methods dynamically as shared libraries.
-# When this option is enabled, each EAP method can be either included
-# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
-# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
-# be loaded in the beginning of the wpa_supplicant configuration file
-# (see load_dynamic_eap parameter in the example file) before being used in
-# the network blocks.
-#
-# Note that some shared parts of EAP methods are included in the main program
-# and in order to be able to use dynamic EAP methods using these parts, the
-# main program must have been build with the EAP method enabled (=y or =dyn).
-# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
-# unless at least one of them was included in the main build to force inclusion
-# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
-# in the main build to be able to load these methods dynamically.
-#
-# Please also note that using dynamic libraries will increase the total binary
-# size. Thus, it may not be the best option for targets that have limited
-# amount of memory/flash.
-#CONFIG_DYNAMIC_EAP_METHODS=y
-
-# IEEE Std 802.11r-2008 (Fast BSS Transition)
-#CONFIG_IEEE80211R=y
-
-# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
-#CONFIG_DEBUG_FILE=y
-
-# Send debug messages to syslog instead of stdout
-#CONFIG_DEBUG_SYSLOG=y
-# Set syslog facility for debug messages
-#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
-
-# Add support for sending all debug messages (regardless of debug verbosity)
-# to the Linux kernel tracing facility. This helps debug the entire stack by
-# making it easy to record everything happening from the driver up into the
-# same file, e.g., using trace-cmd.
-#CONFIG_DEBUG_LINUX_TRACING=y
-
-# Enable privilege separation (see README 'Privilege separation' for details)
-#CONFIG_PRIVSEP=y
-
-# Enable mitigation against certain attacks against TKIP by delaying Michael
-# MIC error reports by a random amount of time between 0 and 60 seconds
-#CONFIG_DELAYED_MIC_ERROR_REPORT=y
-
-# Enable tracing code for developer debugging
-# This tracks use of memory allocations and other registrations and reports
-# incorrect use with a backtrace of call (or allocation) location.
-#CONFIG_WPA_TRACE=y
-# For BSD, uncomment these.
-#LIBS += -lexecinfo
-#LIBS_p += -lexecinfo
-#LIBS_c += -lexecinfo
-
-# Use libbfd to get more details for developer debugging
-# This enables use of libbfd to get more detailed symbols for the backtraces
-# generated by CONFIG_WPA_TRACE=y.
-#CONFIG_WPA_TRACE_BFD=y
-# For BSD, uncomment these.
-#LIBS += -lbfd -liberty -lz
-#LIBS_p += -lbfd -liberty -lz
-#LIBS_c += -lbfd -liberty -lz
-
-CONFIG_TLS = %ssl%
-CONFIG_CTRL_IFACE_DBUS=y
-CONFIG_CTRL_IFACE_DBUS_NEW=y
-
-# wpa_supplicant depends on strong random number generation being available
-# from the operating system. os_get_random() function is used to fetch random
-# data when needed, e.g., for key generation. On Linux and BSD systems, this
-# works by reading /dev/urandom. It should be noted that the OS entropy pool
-# needs to be properly initialized before wpa_supplicant is started. This is
-# important especially on embedded devices that do not have a hardware random
-# number generator and may by default start up with minimal entropy available
-# for random number generation.
-#
-# As a safety net, wpa_supplicant is by default trying to internally collect
-# additional entropy for generating random data to mix in with the data fetched
-# from the OS. This by itself is not considered to be very strong, but it may
-# help in cases where the system pool is not initialized properly. However, it
-# is very strongly recommended that the system pool is initialized with enough
-# entropy either by using hardware assisted random number generator or by
-# storing state over device reboots.
-#
-# wpa_supplicant can be configured to maintain its own entropy store over
-# restarts to enhance random number generation. This is not perfect, but it is
-# much more secure than using the same sequence of random numbers after every
-# reboot. This can be enabled with -e<entropy file> command line option. The
-# specified file needs to be readable and writable by wpa_supplicant.
-#
-# If the os_get_random() is known to provide strong random data (e.g., on
-# Linux/BSD, the board in question is known to have reliable source of random
-# data from /dev/urandom), the internal wpa_supplicant random pool can be
-# disabled. This will save some in binary size and CPU use. However, this
-# should only be considered for builds that are known to be used on devices
-# that meet the requirements described above.
-#CONFIG_NO_RANDOM_POOL=y
-
-# IEEE 802.11n (High Throughput) support (mainly for AP mode)
-#CONFIG_IEEE80211N=y
-
-# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
-# (depends on CONFIG_IEEE80211N)
-#CONFIG_IEEE80211AC=y
-
-# Wireless Network Management (IEEE Std 802.11v-2011)
-# Note: This is experimental and not complete implementation.
-#CONFIG_WNM=y
-
-# Interworking (IEEE 802.11u)
-# This can be used to enable functionality to improve interworking with
-# external networks (GAS/ANQP to learn more about the networks and network
-# selection based on available credentials).
-#CONFIG_INTERWORKING=y
-
-# Hotspot 2.0
-#CONFIG_HS20=y
-
-# Disable roaming in wpa_supplicant
-#CONFIG_NO_ROAMING=y
-
-# AP mode operations with wpa_supplicant
-# This can be used for controlling AP mode operations with wpa_supplicant. It
-# should be noted that this is mainly aimed at simple cases like
-# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
-# external RADIUS server can be supported with hostapd.
-CONFIG_AP=y
-
-CONFIG_BGSCAN_SIMPLE=y
-
-# P2P (Wi-Fi Direct)
-# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
-# more information on P2P operations.
-#CONFIG_P2P=y
-
-# Enable TDLS support
-#CONFIG_TDLS=y
-
-# Wi-Fi Direct
-# This can be used to enable Wi-Fi Direct extensions for P2P using an external
-# program to control the additional information exchanges in the messages.
-#CONFIG_WIFI_DISPLAY=y
-
-# Autoscan
-# This can be used to enable automatic scan support in wpa_supplicant.
-# See wpa_supplicant.conf for more information on autoscan usage.
-#
-# Enabling directly a module will enable autoscan support.
-# For exponential module:
-CONFIG_AUTOSCAN_EXPONENTIAL=y
-# For periodic module:
-#CONFIG_AUTOSCAN_PERIODIC=y
-
-# Password (and passphrase, etc.) backend for external storage
-# These optional mechanisms can be used to add support for storing passwords
-# and other secrets in external (to wpa_supplicant) location. This allows, for
-# example, operating system specific key storage to be used
-#
-# External password backend for testing purposes (developer use)
-#CONFIG_EXT_PASSWORD_TEST=y
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
new file mode 100644
index 0000000000..22028ce957
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -0,0 +1,138 @@
+SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
+DESCRIPTION = "wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver."
+HOMEPAGE = "http://w1.fi/wpa_supplicant/"
+BUGTRACKER = "http://w1.fi/security/"
+SECTION = "network"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \
+                    file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \
+                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705"
+
+DEPENDS = "dbus libnl"
+
+SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
+           file://wpa-supplicant.sh \
+           file://wpa_supplicant.conf \
+           file://wpa_supplicant.conf-sane \
+           file://99_wpa_supplicant \
+           file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \
+           file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \
+           file://0001-Install-wpa_passphrase-when-not-disabled.patch \
+           file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \
+           "
+SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
+
+S = "${WORKDIR}/wpa_supplicant-${PV}"
+
+inherit pkgconfig systemd
+
+PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
+PACKAGECONFIG[openssl] = ",,openssl"
+
+CVE_PRODUCT = "wpa_supplicant"
+
+EXTRA_OEMAKE = "'LIBDIR=${libdir}' 'INCDIR=${includedir}' 'BINDIR=${sbindir}'"
+
+do_configure () {
+	${MAKE} -C wpa_supplicant clean
+	sed -e '/^CONFIG_TLS=/d' <wpa_supplicant/defconfig >wpa_supplicant/.config
+
+	if ${@ bb.utils.contains('PACKAGECONFIG', 'openssl', 'true', 'false', d) }; then
+		echo 'CONFIG_TLS=openssl' >>wpa_supplicant/.config
+	elif ${@ bb.utils.contains('PACKAGECONFIG', 'gnutls', 'true', 'false', d) }; then
+		echo 'CONFIG_TLS=gnutls' >>wpa_supplicant/.config
+        sed -i -e 's/\(^CONFIG_DPP=\)/#\1/' \
+               -e 's/\(^CONFIG_EAP_PWD=\)/#\1/' \
+               -e 's/\(^CONFIG_SAE=\)/#\1/' wpa_supplicant/.config
+	fi
+
+	# For rebuild
+	rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d
+}
+
+do_compile () {
+	oe_runmake -C wpa_supplicant
+	if [ -z "${DISABLE_STATIC}" ]; then
+		oe_runmake -C wpa_supplicant libwpa_client.a
+	fi
+}
+
+do_install () {
+	oe_runmake -C wpa_supplicant DESTDIR="${D}" install
+
+	install -d ${D}${docdir}/wpa_supplicant
+	install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
+
+	install -d ${D}${sysconfdir}
+	install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
+
+	install -d ${D}${sysconfdir}/network/if-pre-up.d/
+	install -d ${D}${sysconfdir}/network/if-post-down.d/
+	install -d ${D}${sysconfdir}/network/if-down.d/
+	install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
+	ln -sf ../if-pre-up.d/wpa-supplicant ${D}${sysconfdir}/network/if-post-down.d/wpa-supplicant
+
+	install -d ${D}/${sysconfdir}/dbus-1/system.d
+	install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d
+	install -d ${D}/${datadir}/dbus-1/system-services
+	install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services
+
+	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+		install -d ${D}/${systemd_system_unitdir}
+		install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_system_unitdir}
+	fi
+
+	install -d ${D}/etc/default/volatiles
+	install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
+
+	install -d ${D}${includedir}
+	install -m 0644 ${S}/src/common/wpa_ctrl.h ${D}${includedir}
+
+	if [ -z "${DISABLE_STATIC}" ]; then
+		install -d ${D}${libdir}
+		install -m 0644 wpa_supplicant/libwpa_client.a ${D}${libdir}
+	fi
+}
+
+pkg_postinst:${PN} () {
+	# If we're offline, we don't need to do this.
+	if [ "x$D" = "x" ]; then
+		killall -q -HUP dbus-daemon || true
+	fi
+}
+
+PACKAGE_BEFORE_PN += "${PN}-passphrase ${PN}-cli"
+PACKAGES =+ "${PN}-lib"
+PACKAGES += "${PN}-plugins"
+ALLOW_EMPTY:${PN}-plugins = "1"
+
+PACKAGES_DYNAMIC += "^${PN}-plugin-.*$"
+NOAUTOPACKAGEDEBUG = "1"
+
+FILES:${PN}-passphrase = "${sbindir}/wpa_passphrase"
+FILES:${PN}-cli = "${sbindir}/wpa_cli"
+FILES:${PN}-lib = "${libdir}/libwpa_client*${SOLIBSDEV}"
+FILES:${PN} += "${datadir}/dbus-1/system-services/* ${systemd_system_unitdir}/*"
+FILES:${PN}-dbg += "${sbindir}/.debug ${libdir}/.debug"
+
+CONFFILES:${PN} += "${sysconfdir}/wpa_supplicant.conf"
+
+RRECOMMENDS:${PN} = "${PN}-passphrase ${PN}-cli ${PN}-plugins"
+
+SYSTEMD_SERVICE:${PN} = "wpa_supplicant.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+python split_wpa_supplicant_libs () {
+    libdir = d.expand('${libdir}/wpa_supplicant')
+    dbglibdir = os.path.join(libdir, '.debug')
+
+    split_packages = do_split_packages(d, libdir, r'^(.*)\.so', '${PN}-plugin-%s', 'wpa_supplicant %s plugin', prepend=True)
+    split_dbg_packages = do_split_packages(d, dbglibdir, r'^(.*)\.so', '${PN}-plugin-%s-dbg', 'wpa_supplicant %s plugin - Debugging files', prepend=True, extra_depends='${PN}-dbg')
+
+    if split_packages:
+        pn = d.getVar('PN')
+        d.setVar('RRECOMMENDS:' + pn + '-plugins', ' '.join(split_packages))
+        d.appendVar('RRECOMMENDS:' + pn + '-dbg', ' ' + ' '.join(split_dbg_packages))
+}
+PACKAGESPLITFUNCS += "split_wpa_supplicant_libs"
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
deleted file mode 100644
index 3e92427bb0..0000000000
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ /dev/null
@@ -1,110 +0,0 @@
-SUMMARY = "Client for Wi-Fi Protected Access (WPA)"
-HOMEPAGE = "http://w1.fi/wpa_supplicant/"
-BUGTRACKER = "http://w1.fi/security/"
-SECTION = "network"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://COPYING;md5=279b4f5abb9c153c285221855ddb78cc \
-                    file://README;beginline=1;endline=56;md5=e7d3dbb01f75f0b9799e192731d1e1ff \
-                    file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=0a8b56d3543498b742b9c0e94cc2d18b"
-DEPENDS = "dbus libnl"
-RRECOMMENDS_${PN} = "wpa-supplicant-passphrase wpa-supplicant-cli"
-
-PACKAGECONFIG ??= "gnutls"
-PACKAGECONFIG[gnutls] = ",,gnutls libgcrypt"
-PACKAGECONFIG[openssl] = ",,openssl"
-
-inherit pkgconfig systemd
-
-SYSTEMD_SERVICE_${PN} = "wpa_supplicant.service wpa_supplicant-nl80211@.service wpa_supplicant-wired@.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz  \
-           file://defconfig \
-           file://wpa-supplicant.sh \
-           file://wpa_supplicant.conf \
-           file://wpa_supplicant.conf-sane \
-           file://99_wpa_supplicant \
-           file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
-		   file://0001-AP-Silently-ignore-management-frame-from-unexpected-.patch \
-          "
-SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
-SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
-
-CVE_PRODUCT = "wpa_supplicant"
-
-S = "${WORKDIR}/wpa_supplicant-${PV}"
-
-PACKAGES_prepend = "wpa-supplicant-passphrase wpa-supplicant-cli "
-FILES_wpa-supplicant-passphrase = "${bindir}/wpa_passphrase"
-FILES_wpa-supplicant-cli = "${sbindir}/wpa_cli"
-FILES_${PN} += "${datadir}/dbus-1/system-services/*"
-CONFFILES_${PN} += "${sysconfdir}/wpa_supplicant.conf"
-
-do_configure () {
-	${MAKE} -C wpa_supplicant clean
-	install -m 0755 ${WORKDIR}/defconfig wpa_supplicant/.config
-	
-	if echo "${PACKAGECONFIG}" | grep -qw "openssl"; then
-        	ssl=openssl
-	elif echo "${PACKAGECONFIG}" | grep -qw "gnutls"; then
-        	ssl=gnutls
-	fi
-	if [ -n "$ssl" ]; then
-        	sed -i "s/%ssl%/$ssl/" wpa_supplicant/.config
-	fi
-
-	# For rebuild
-	rm -f wpa_supplicant/*.d wpa_supplicant/dbus/*.d
-}
-
-export EXTRA_CFLAGS = "${CFLAGS}"
-export BINDIR = "${sbindir}"
-
-do_compile () {
-	unset CFLAGS CPPFLAGS CXXFLAGS
-	sed -e "s:CFLAGS\ =.*:& \$(EXTRA_CFLAGS):g" -i ${S}/src/lib.rules
-	oe_runmake -C wpa_supplicant
-}
-
-do_install () {
-	install -d ${D}${sbindir}
-	install -m 755 wpa_supplicant/wpa_supplicant ${D}${sbindir}
-	install -m 755 wpa_supplicant/wpa_cli        ${D}${sbindir}
-
-	install -d ${D}${bindir}
-	install -m 755 wpa_supplicant/wpa_passphrase ${D}${bindir}
-
-	install -d ${D}${docdir}/wpa_supplicant
-	install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant
-
-	install -d ${D}${sysconfdir}
-	install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf
-
-	install -d ${D}${sysconfdir}/network/if-pre-up.d/
-	install -d ${D}${sysconfdir}/network/if-post-down.d/
-	install -d ${D}${sysconfdir}/network/if-down.d/
-	install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant
-	cd ${D}${sysconfdir}/network/ && \
-	ln -sf ../if-pre-up.d/wpa-supplicant if-post-down.d/wpa-supplicant
-
-	install -d ${D}/${sysconfdir}/dbus-1/system.d
-	install -m 644 ${S}/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ${D}/${sysconfdir}/dbus-1/system.d
-	install -d ${D}/${datadir}/dbus-1/system-services
-	install -m 644 ${S}/wpa_supplicant/dbus/*.service ${D}/${datadir}/dbus-1/system-services
-
-	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-		install -d ${D}/${systemd_unitdir}/system
-		install -m 644 ${S}/wpa_supplicant/systemd/*.service ${D}/${systemd_unitdir}/system
-	fi
-
-	install -d ${D}/etc/default/volatiles
-	install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles
-}
-
-pkg_postinst_wpa-supplicant () {
-	# If we're offline, we don't need to do this.
-	if [ "x$D" = "x" ]; then
-		killall -q -HUP dbus-daemon || true
-	fi
-
-}