518 files changed, 28814 insertions, 3232 deletions

diff --git a/README.OE-Core b/README.OE-Core
index 521916cd4f..2f2127fb03 100644
--- a/README.OE-Core
+++ b/README.OE-Core
@@ -6,24 +6,24 @@ of OpenEmbedded. It is distro-less (can build a functional image with
 DISTRO = "nodistro") and contains only emulated machine support.
 
 For information about OpenEmbedded, see the OpenEmbedded website:
-    http://www.openembedded.org/
+    https://www.openembedded.org/
 
 The Yocto Project has extensive documentation about OE including a reference manual
 which can be found at:
-    http://yoctoproject.org/documentation
+    https://docs.yoctoproject.org/
 
 
 Contributing
 ------------
 
 Please refer to
-http://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded
+https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded
 for guidelines on how to submit patches.
 
 Mailing list:
 
-    http://lists.openembedded.org/mailman/listinfo/openembedded-core
+    https://lists.openembedded.org/g/openembedded-core
 
 Source code:
 
-    http://git.openembedded.org/openembedded-core/
+    https://git.openembedded.org/openembedded-core/
diff --git a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb
index 07b83276fb..8a27e3a791 100644
--- a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb
+++ b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb
@@ -11,7 +11,7 @@ SRCREV = "1a3e1343761b30750bed70e0fd688f6d3c7b3717"
 PV = "0.1+git${SRCPV}"
 PR = "r2"
 
-SRC_URI = "git://git.yoctoproject.org/dbus-wait"
+SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master"
 UPSTREAM_CHECK_COMMITS = "1"
 RECIPE_NO_UPDATE_REASON = "This recipe is used to test devtool upgrade feature"
 
diff --git a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded
index 32ec4b14fa..fbe90d6c6b 100644
--- a/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded
+++ b/meta-selftest/recipes-test/devtool/devtool-upgrade-test2_git.bb.upgraded
@@ -10,7 +10,7 @@ DEPENDS = "dbus"
 SRCREV = "6cc6077a36fe2648a5f993fe7c16c9632f946517"
 PV = "0.1+git${SRCPV}"
 
-SRC_URI = "git://git.yoctoproject.org/dbus-wait"
+SRC_URI = "git://git.yoctoproject.org/dbus-wait;branch=master"
 UPSTREAM_CHECK_COMMITS = "1"
 RECIPE_NO_UPDATE_REASON = "This recipe is used to test devtool upgrade feature"
 
diff --git a/meta-selftest/recipes-test/git-submodule-test/git-submodule-test.bb b/meta-selftest/recipes-test/git-submodule-test/git-submodule-test.bb
index 9429564df4..cc5d7eae5a 100644
--- a/meta-selftest/recipes-test/git-submodule-test/git-submodule-test.bb
+++ b/meta-selftest/recipes-test/git-submodule-test/git-submodule-test.bb
@@ -5,5 +5,5 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda
 
 INHIBIT_DEFAULT_DEPS = "1"
 
-SRC_URI = "gitsm://git.yoctoproject.org/git-submodule-test"
+SRC_URI = "gitsm://git.yoctoproject.org/git-submodule-test;branch=master"
 SRCREV = "a2885dd7d25380d23627e7544b7bbb55014b16ee"
diff --git a/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb b/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb
new file mode 100644
index 0000000000..f1b6c55833
--- /dev/null
+++ b/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb
@@ -0,0 +1,16 @@
+SUMMARY = "Test recipe for git repo initialization"
+HOMEPAGE = "https://git.yoctoproject.org/git/matchbox-panel-2"
+LICENSE = "GPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+PATCHTOOL="git"
+
+SRC_URI = "git://git.yoctoproject.org/git/matchbox-panel-2;branch=master;protocol=https \
+           file://0001-testpatch.patch \
+          "
+
+SRCREV = "f82ca3f42510fb3ef10f598b393eb373a2c34ca7"
+
+S = "${WORKDIR}/git"
diff --git a/meta-selftest/recipes-test/gitrepotest/gitrepotest/0001-testpatch.patch b/meta-selftest/recipes-test/gitrepotest/gitrepotest/0001-testpatch.patch
new file mode 100644
index 0000000000..bccda17ee9
--- /dev/null
+++ b/meta-selftest/recipes-test/gitrepotest/gitrepotest/0001-testpatch.patch
@@ -0,0 +1,9 @@
+diff --git a/Makefile.am b/Makefile.am
+index 432a9b4..bbf7c74 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,3 +1,4 @@
++## This is useless comment to test if patch works
+ ACLOCAL_AMFLAGS = -I m4
+ 
+ SUBDIRS = matchbox-panel applets data po
diff --git a/meta/classes/archiver.bbclass b/meta/classes/archiver.bbclass
index a3962306b1..dd31dc0cd8 100644
--- a/meta/classes/archiver.bbclass
+++ b/meta/classes/archiver.bbclass
@@ -281,7 +281,10 @@ python do_ar_configured() {
         # ${STAGING_DATADIR}/aclocal/libtool.m4, so we can't re-run the
         # do_configure, we archive the already configured ${S} to
         # instead of.
-        elif pn != 'libtool-native':
+        # The kernel class functions require it to be on work-shared, we
+        # don't unpack, patch, configure again, just archive the already
+        # configured ${S}
+        elif not (pn == 'libtool-native' or is_work_shared(d)):
             def runTask(task):
                 prefuncs = d.getVarFlag(task, 'prefuncs') or ''
                 for func in prefuncs.split():
@@ -483,6 +486,9 @@ python do_unpack_and_patch() {
         src_orig = '%s.orig' % src
         oe.path.copytree(src, src_orig)
 
+    if bb.data.inherits_class('dos2unix', d):
+        bb.build.exec_func('do_convert_crlf_to_lf', d)
+
     # Make sure gcc and kernel sources are patched only once
     if not (d.getVar('SRC_URI') == "" or is_work_shared(d)):
         bb.build.exec_func('do_patch', d)
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index 49af61c9c5..b2cf9aa28a 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -960,23 +960,19 @@ def write_latest_srcrev(d, pkghistdir):
                         value = value.replace('"', '').strip()
                         old_tag_srcrevs[key] = value
         with open(srcrevfile, 'w') as f:
-            orig_srcrev = d.getVar('SRCREV', False) or 'INVALID'
-            if orig_srcrev != 'INVALID':
-                f.write('# SRCREV = "%s"\n' % orig_srcrev)
-            if len(srcrevs) > 1:
-                for name, srcrev in sorted(srcrevs.items()):
-                    orig_srcrev = d.getVar('SRCREV_%s' % name, False)
-                    if orig_srcrev:
-                        f.write('# SRCREV_%s = "%s"\n' % (name, orig_srcrev))
-                    f.write('SRCREV_%s = "%s"\n' % (name, srcrev))
-            else:
-                f.write('SRCREV = "%s"\n' % next(iter(srcrevs.values())))
-            if len(tag_srcrevs) > 0:
-                for name, srcrev in sorted(tag_srcrevs.items()):
-                    f.write('# tag_%s = "%s"\n' % (name, srcrev))
-                    if name in old_tag_srcrevs and old_tag_srcrevs[name] != srcrev:
-                        pkg = d.getVar('PN')
-                        bb.warn("Revision for tag %s in package %s was changed since last build (from %s to %s)" % (name, pkg, old_tag_srcrevs[name], srcrev))
+            for name, srcrev in sorted(srcrevs.items()):
+                suffix = "_" + name
+                if name == "default":
+                    suffix = ""
+                orig_srcrev = d.getVar('SRCREV%s' % suffix, False)
+                if orig_srcrev:
+                    f.write('# SRCREV%s = "%s"\n' % (suffix, orig_srcrev))
+                f.write('SRCREV%s = "%s"\n' % (suffix, srcrev))
+            for name, srcrev in sorted(tag_srcrevs.items()):
+                f.write('# tag_%s = "%s"\n' % (name, srcrev))
+                if name in old_tag_srcrevs and old_tag_srcrevs[name] != srcrev:
+                    pkg = d.getVar('PN')
+                    bb.warn("Revision for tag %s in package %s was changed since last build (from %s to %s)" % (name, pkg, old_tag_srcrevs[name], srcrev))
 
     else:
         if os.path.exists(srcrevfile):
diff --git a/meta/classes/cross-canadian.bbclass b/meta/classes/cross-canadian.bbclass
index f5c9f61595..3fc9cac442 100644
--- a/meta/classes/cross-canadian.bbclass
+++ b/meta/classes/cross-canadian.bbclass
@@ -155,7 +155,7 @@ libexecdir = "${exec_prefix}/libexec/${TARGET_ARCH}${TARGET_VENDOR}-${TARGET_OS}
 
 FILES_${PN} = "${prefix}"
 
-export PKG_CONFIG_DIR = "${STAGING_DIR_HOST}${layout_libdir}/pkgconfig"
+export PKG_CONFIG_DIR = "${STAGING_DIR_HOST}${exec_prefix}/lib/pkgconfig"
 export PKG_CONFIG_SYSROOT_DIR = "${STAGING_DIR_HOST}"
 
 do_populate_sysroot[stamp-extra-info] = ""
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 112ee3379d..a95e810605 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -20,7 +20,7 @@
 # the only method to check against CVEs. Running this tool
 # doesn't guarantee your packages are free of CVEs.
 
-# The product name that the CVE database uses.  Defaults to BPN, but may need to
+# The product name that the CVE database uses defaults to BPN, but may need to
 # be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
 CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
@@ -56,11 +56,11 @@ CVE_CHECK_WHITELIST ?= ""
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 
-# Layers to be included 
+# Layers to be included
 CVE_CHECK_LAYER_INCLUDELIST ??= ""
 
 
-# set to "alphabetical" for version using single alphabetical character as increament release
+# set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
 python cve_save_summary_handler () {
@@ -110,6 +110,7 @@ python do_cve_check () {
 }
 
 addtask cve_check before do_build after do_fetch
+do_cve_check[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
 do_cve_check[depends] = "cve-update-db-native:do_fetch"
 do_cve_check[nostamp] = "1"
 
@@ -142,6 +143,7 @@ python cve_check_write_rootfs_manifest () {
         manifest_name = d.getVar("CVE_CHECK_MANIFEST")
         cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
 
+        bb.utils.mkdirhier(os.path.dirname(manifest_name))
         shutil.copyfile(cve_tmp_file, manifest_name)
 
         if manifest_name and os.path.exists(manifest_name):
@@ -166,9 +168,12 @@ def get_patches_cves(d):
     pn = d.getVar("PN")
     cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
 
-    # Matches last CVE-1234-211432 in the file name, also if written
-    # with small letters. Not supporting multiple CVE id's in a single
-    # file name.
+    # Matches the last "CVE-YYYY-ID" in the file name, also if written
+    # in lowercase. Possible to have multiple CVE IDs in a single
+    # file name, but only the last one will be detected from the file name.
+    # However, patch files contents addressing multiple CVE IDs are supported
+    # (cve_match regular expression)
+
     cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
 
     patched_cves = set()
@@ -230,7 +235,7 @@ def check_cves(d, patched_cves):
         return ([], [], [])
     pv = d.getVar("CVE_VERSION").split("+git")[0]
 
-    # If the recipe has been whitlisted we return empty lists
+    # If the recipe has been whitelisted we return empty lists
     if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split():
         bb.note("Recipe has been whitelisted, skipping check")
         return ([], [], [])
@@ -355,7 +360,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
     if include_layers and layer not in include_layers:
         return
 
-    nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
+    nvd_link = "https://nvd.nist.gov/vuln/detail/"
     write_string = ""
     unpatched_cves = []
     bb.utils.mkdirhier(os.path.dirname(cve_file))
diff --git a/meta/classes/devupstream.bbclass b/meta/classes/devupstream.bbclass
index 7780c5482c..97e137cb40 100644
--- a/meta/classes/devupstream.bbclass
+++ b/meta/classes/devupstream.bbclass
@@ -4,7 +4,7 @@
 #
 # Usage:
 # BBCLASSEXTEND = "devupstream:target"
-# SRC_URI_class-devupstream = "git://git.example.com/example"
+# SRC_URI_class-devupstream = "git://git.example.com/example;branch=master"
 # SRCREV_class-devupstream = "abcdef"
 #
 # If the first entry in SRC_URI is a git: URL then S is rewritten to
diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index 3d6b80bee2..9fe9d36f76 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -109,6 +109,15 @@ python () {
             if local_srcuri and task in fetch_tasks:
                 continue
             bb.build.deltask(task, d)
+            if bb.data.inherits_class('reproducible_build', d) and task == 'do_unpack':
+                # The reproducible_build's create_source_date_epoch_stamp function must
+                # be run after the source is available and before the
+                # do_deploy_source_date_epoch task.  In the normal case, it's attached
+                # to do_unpack as a postfuncs, but since we removed do_unpack (above)
+                # we need to move the function elsewhere.  The easiest thing to do is
+                # move it into the prefuncs of the do_deploy_source_date_epoch task.
+                # This is safe, as externalsrc runs with the source already unpacked.
+                d.prependVarFlag('do_deploy_source_date_epoch', 'prefuncs', 'create_source_date_epoch_stamp ')
 
         d.prependVarFlag('do_compile', 'prefuncs', "externalsrc_compile_prefunc ")
         d.prependVarFlag('do_configure', 'prefuncs', "externalsrc_configure_prefunc ")
diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
index 8028691405..cee577d5da 100644
--- a/meta/classes/image_types.bbclass
+++ b/meta/classes/image_types.bbclass
@@ -225,7 +225,7 @@ EXTRA_IMAGECMD_jffs2 ?= "--pad ${JFFS2_ENDIANNESS} --eraseblock=${JFFS2_ERASEBLO
 EXTRA_IMAGECMD_ext2 ?= "-i 4096"
 EXTRA_IMAGECMD_ext3 ?= "-i 4096"
 EXTRA_IMAGECMD_ext4 ?= "-i 4096"
-EXTRA_IMAGECMD_btrfs ?= "-n 4096"
+EXTRA_IMAGECMD_btrfs ?= "-n 4096 --shrink"
 EXTRA_IMAGECMD_f2fs ?= ""
 
 do_image_cpio[depends] += "cpio-native:do_populate_sysroot"
diff --git a/meta/classes/kernel-yocto.bbclass b/meta/classes/kernel-yocto.bbclass
index d38b60f519..8878573f6f 100644
--- a/meta/classes/kernel-yocto.bbclass
+++ b/meta/classes/kernel-yocto.bbclass
@@ -341,6 +341,21 @@ do_kernel_checkout() {
 			fi
 		fi
 		cd ${S}
+
+		# convert any remote branches to local tracking ones
+		for i in `git branch -a --no-color | grep remotes | grep -v HEAD`; do
+			b=`echo $i | cut -d' ' -f2 | sed 's%remotes/origin/%%'`;
+			git show-ref --quiet --verify -- "refs/heads/$b"
+			if [ $? -ne 0 ]; then
+				git branch $b $i > /dev/null
+			fi
+		done
+
+		# Create a working tree copy of the kernel by checking out a branch
+		machine_branch="${@ get_machine_branch(d, "${KBRANCH}" )}"
+
+		# checkout and clobber any unimportant files
+		git checkout -f ${machine_branch}
 	else
 		# case: we have no git repository at all. 
 		# To support low bandwidth options for building the kernel, we'll just 
@@ -362,21 +377,6 @@ do_kernel_checkout() {
 		git commit -q -m "baseline commit: creating repo for ${PN}-${PV}"
 		git clean -d -f
 	fi
-
-	# convert any remote branches to local tracking ones
-	for i in `git branch -a --no-color | grep remotes | grep -v HEAD`; do
-		b=`echo $i | cut -d' ' -f2 | sed 's%remotes/origin/%%'`;
-		git show-ref --quiet --verify -- "refs/heads/$b"
-		if [ $? -ne 0 ]; then
-			git branch $b $i > /dev/null
-		fi
-	done
-
-	# Create a working tree copy of the kernel by checking out a branch
-	machine_branch="${@ get_machine_branch(d, "${KBRANCH}" )}"
-
-	# checkout and clobber any unimportant files
-	git checkout -f ${machine_branch}
 }
 do_kernel_checkout[dirs] = "${S} ${WORKDIR}"
 
diff --git a/meta/classes/license.bbclass b/meta/classes/license.bbclass
index f7978e266b..0d0faa28d7 100644
--- a/meta/classes/license.bbclass
+++ b/meta/classes/license.bbclass
@@ -31,7 +31,7 @@ python do_populate_lic() {
             f.write("%s: %s\n" % (key, info[key]))
 }
 
-PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '')).split())}"
+PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '') + ' ' + d.getVar('COREBASE') + '/meta/COPYING').split())}"
 # it would be better to copy them in do_install_append, but find_license_filesa is python
 python perform_packagecopy_prepend () {
     enabled = oe.data.typed_value('LICENSE_CREATE_PACKAGE', d)
diff --git a/meta/classes/mirrors.bbclass b/meta/classes/mirrors.bbclass
index 87bba41472..8a2c153d9b 100644
--- a/meta/classes/mirrors.bbclass
+++ b/meta/classes/mirrors.bbclass
@@ -62,6 +62,8 @@ ftp://.*/.*     http://sources.openembedded.org/ \n \
 npm://.*/?.*    http://sources.openembedded.org/ \n \
 ${CPAN_MIRROR}  http://cpan.metacpan.org/ \n \
 ${CPAN_MIRROR}  http://search.cpan.org/CPAN/ \n \
+https?$://downloads.yoctoproject.org/releases/uninative/ https://mirrors.kernel.org/yocto/uninative/ \n \
+https?://downloads.yoctoproject.org/mirror/sources/ https://mirrors.kernel.org/yocto-sources/ \
 "
 
 # Use MIRRORS to provide git repo fallbacks using the https protocol, for cases
diff --git a/meta/classes/multilib.bbclass b/meta/classes/multilib.bbclass
index 9f726e4537..2ef75c0d16 100644
--- a/meta/classes/multilib.bbclass
+++ b/meta/classes/multilib.bbclass
@@ -105,7 +105,6 @@ python __anonymous () {
         d.setVar("LINGUAS_INSTALL", "")
         # FIXME, we need to map this to something, not delete it!
         d.setVar("PACKAGE_INSTALL_ATTEMPTONLY", "")
-        bb.build.deltask('do_populate_sdk', d)
         bb.build.deltask('do_populate_sdk_ext', d)
         return
 }
diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass
index e3f0a7060b..5e51b89184 100644
--- a/meta/classes/package.bbclass
+++ b/meta/classes/package.bbclass
@@ -2079,12 +2079,12 @@ python package_do_pkgconfig () {
     for pkg in packages.split():
         pkgconfig_provided[pkg] = []
         pkgconfig_needed[pkg] = []
-        for file in pkgfiles[pkg]:
+        for file in sorted(pkgfiles[pkg]):
                 m = pc_re.match(file)
                 if m:
                     pd = bb.data.init()
                     name = m.group(1)
-                    pkgconfig_provided[pkg].append(name)
+                    pkgconfig_provided[pkg].append(os.path.basename(name))
                     if not os.access(file, os.R_OK):
                         continue
                     with open(file, 'r') as f:
@@ -2107,7 +2107,7 @@ python package_do_pkgconfig () {
         pkgs_file = os.path.join(shlibswork_dir, pkg + ".pclist")
         if pkgconfig_provided[pkg] != []:
             with open(pkgs_file, 'w') as f:
-                for p in pkgconfig_provided[pkg]:
+                for p in sorted(pkgconfig_provided[pkg]):
                     f.write('%s\n' % p)
 
     # Go from least to most specific since the last one found wins
diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
index 600b3ac90c..67d6007e11 100644
--- a/meta/classes/package_ipk.bbclass
+++ b/meta/classes/package_ipk.bbclass
@@ -230,8 +230,8 @@ def ipk_write_pkg(pkg, d):
                                 shell=True)
 
         if d.getVar('IPK_SIGN_PACKAGES') == '1':
-            ipkver = "%s-%s" % (d.getVar('PKGV'), d.getVar('PKGR'))
-            ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, d.getVar('PACKAGE_ARCH'))
+            ipkver = "%s-%s" % (localdata.getVar('PKGV'), localdata.getVar('PKGR'))
+            ipk_to_sign = "%s/%s_%s_%s.ipk" % (pkgoutdir, pkgname, ipkver, localdata.getVar('PACKAGE_ARCH'))
             sign_ipk(d, ipk_to_sign)
 
     finally:
diff --git a/meta/classes/patch.bbclass b/meta/classes/patch.bbclass
index cd491a563d..72bb1eb946 100644
--- a/meta/classes/patch.bbclass
+++ b/meta/classes/patch.bbclass
@@ -131,6 +131,9 @@ python patch_do_patch() {
             patchdir = parm["patchdir"]
             if not os.path.isabs(patchdir):
                 patchdir = os.path.join(s, patchdir)
+            if not os.path.isdir(patchdir):
+                bb.fatal("Target directory '%s' not found, patchdir '%s' is incorrect in patch file '%s'" %
+                    (patchdir, parm["patchdir"], parm['patchname']))
         else:
             patchdir = s
 
@@ -147,12 +150,12 @@ python patch_do_patch() {
             patchset.Import({"file":local, "strippath": parm['striplevel']}, True)
         except Exception as exc:
             bb.utils.remove(process_tmpdir, True)
-            bb.fatal(str(exc))
+            bb.fatal("Importing patch '%s' with striplevel '%s'\n%s" % (parm['patchname'], parm['striplevel'], str(exc)))
         try:
             resolver.Resolve()
         except bb.BBHandledException as e:
             bb.utils.remove(process_tmpdir, True)
-            bb.fatal(str(e))
+            bb.fatal("Applying patch '%s' on target directory '%s'\n%s" % (parm['patchname'], patchdir, str(e)))
 
     bb.utils.remove(process_tmpdir, True)
     del os.environ['TMPDIR']
diff --git a/meta/classes/populate_sdk_base.bbclass b/meta/classes/populate_sdk_base.bbclass
index 33ba3fc3c1..76757a3a9d 100644
--- a/meta/classes/populate_sdk_base.bbclass
+++ b/meta/classes/populate_sdk_base.bbclass
@@ -66,7 +66,7 @@ python () {
 
 SDK_RDEPENDS = "${TOOLCHAIN_TARGET_TASK} ${TOOLCHAIN_HOST_TASK}"
 SDK_DEPENDS = "virtual/fakeroot-native ${SDK_ARCHIVE_DEPENDS} cross-localedef-native nativesdk-qemuwrapper-cross ${@' '.join(["%s-qemuwrapper-cross" % m for m in d.getVar("MULTILIB_VARIANTS").split()])} qemuwrapper-cross"
-PATH_prepend = "${STAGING_DIR_HOST}${SDKPATHNATIVE}${bindir}/crossscripts:${@":".join(all_multilib_tune_values(d, 'STAGING_BINDIR_CROSS').split())}:"
+PATH_prepend = "${WORKDIR}/recipe-sysroot/${SDKPATHNATIVE}${bindir}/crossscripts:${@":".join(all_multilib_tune_values(d, 'STAGING_BINDIR_CROSS').split())}:"
 SDK_DEPENDS += "nativesdk-glibc-locale"
 
 # We want the MULTIARCH_TARGET_SYS to point to the TUNE_PKGARCH, not PACKAGE_ARCH as it
@@ -90,6 +90,8 @@ SDK_HOST_MANIFEST = "${SDKDEPLOYDIR}/${TOOLCHAIN_OUTPUTNAME}.host.manifest"
 SDK_EXT_TARGET_MANIFEST = "${SDK_DEPLOY}/${TOOLCHAINEXT_OUTPUTNAME}.target.manifest"
 SDK_EXT_HOST_MANIFEST = "${SDK_DEPLOY}/${TOOLCHAINEXT_OUTPUTNAME}.host.manifest"
 
+SDK_PRUNE_SYSROOT_DIRS ?= "/dev"
+
 python write_target_sdk_manifest () {
     from oe.sdk import sdk_list_installed_packages
     from oe.utils import format_pkg_list
@@ -101,6 +103,12 @@ python write_target_sdk_manifest () {
         output.write(format_pkg_list(pkgs, 'ver'))
 }
 
+sdk_prune_dirs () {
+    for d in ${SDK_PRUNE_SYSROOT_DIRS}; do
+        rm -rf ${SDK_OUTPUT}${SDKTARGETSYSROOT}$d
+    done
+}
+
 python write_sdk_test_data() {
     from oe.data import export2json
     testdata = "%s/%s.testdata.json" % (d.getVar('SDKDEPLOYDIR'), d.getVar('TOOLCHAIN_OUTPUTNAME'))
@@ -120,8 +128,9 @@ python write_host_sdk_manifest () {
 }
 
 POPULATE_SDK_POST_TARGET_COMMAND_append = " write_sdk_test_data ; "
-POPULATE_SDK_POST_TARGET_COMMAND_append_task-populate-sdk  = " write_target_sdk_manifest ; "
+POPULATE_SDK_POST_TARGET_COMMAND_append_task-populate-sdk  = " write_target_sdk_manifest; sdk_prune_dirs; "
 POPULATE_SDK_POST_HOST_COMMAND_append_task-populate-sdk = " write_host_sdk_manifest; "
+
 SDK_PACKAGING_COMMAND = "${@'${SDK_PACKAGING_FUNC};' if '${SDK_PACKAGING_FUNC}' else ''}"
 SDK_POSTPROCESS_COMMAND = " create_sdk_files; check_sdk_sysroots; archive_sdk; ${SDK_PACKAGING_COMMAND} "
 
@@ -280,6 +289,7 @@ EOF
 	# substitute variables
 	sed -i -e 's#@SDK_ARCH@#${SDK_ARCH}#g' \
 		-e 's#@SDKPATH@#${SDKPATH}#g' \
+		-e 's#@SDKPATHINSTALL@#${SDKPATHINSTALL}#g' \
 		-e 's#@SDKEXTPATH@#${SDKEXTPATH}#g' \
 		-e 's#@OLDEST_KERNEL@#${SDK_OLDEST_KERNEL}#g' \
 		-e 's#@REAL_MULTIMACH_TARGET_SYS@#${REAL_MULTIMACH_TARGET_SYS}#g' \
diff --git a/meta/classes/reproducible_build.bbclass b/meta/classes/reproducible_build.bbclass
index 1277764fab..62655c2a5b 100644
--- a/meta/classes/reproducible_build.bbclass
+++ b/meta/classes/reproducible_build.bbclass
@@ -90,11 +90,14 @@ python create_source_date_epoch_stamp() {
 }
 
 def get_source_date_epoch_value(d):
-    cached = d.getVar('__CACHED_SOURCE_DATE_EPOCH')
-    if cached:
+    epochfile = d.getVar('SDE_FILE')
+    cached, efile = d.getVar('__CACHED_SOURCE_DATE_EPOCH') or (None, None)
+    if cached and efile == epochfile:
         return cached
 
-    epochfile = d.getVar('SDE_FILE')
+    if cached and epochfile != efile:
+        bb.debug(1, "Epoch file changed from %s to %s" % (efile, epochfile))
+
     source_date_epoch = int(d.getVar('SOURCE_DATE_EPOCH_FALLBACK'))
     try:
         with open(epochfile, 'r') as f:
@@ -112,7 +115,7 @@ def get_source_date_epoch_value(d):
     except FileNotFoundError:
         bb.debug(1, "Cannot find %s. SOURCE_DATE_EPOCH will default to %d" % (epochfile, source_date_epoch))
 
-    d.setVar('__CACHED_SOURCE_DATE_EPOCH', str(source_date_epoch))
+    d.setVar('__CACHED_SOURCE_DATE_EPOCH', (str(source_date_epoch), epochfile))
     return str(source_date_epoch)
 
 export SOURCE_DATE_EPOCH ?= "${@get_source_date_epoch_value(d)}"
diff --git a/meta/classes/rm_work.bbclass b/meta/classes/rm_work.bbclass
index 01c2ab1c78..2d5a56c238 100644
--- a/meta/classes/rm_work.bbclass
+++ b/meta/classes/rm_work.bbclass
@@ -73,7 +73,7 @@ do_rm_work () {
             # sstate version since otherwise we'd need to leave 'plaindirs' around
             # such as 'packages' and 'packages-split' and these can be large. No end
             # of chain tasks depend directly on do_package anymore.
-            rm -f $i;
+            rm -f -- $i;
             ;;
         *_setscene*)
             # Skip stamps which are already setscene versions
@@ -90,7 +90,7 @@ do_rm_work () {
                     ;;
                 esac
             done
-            rm -f $i
+            rm -f -- $i
         esac
     done
 
@@ -100,9 +100,9 @@ do_rm_work () {
         # Retain only logs and other files in temp, safely ignore
         # failures of removing pseudo folers on NFS2/3 server.
         if [ $dir = 'pseudo' ]; then
-            rm -rf $dir 2> /dev/null || true
+            rm -rf -- $dir 2> /dev/null || true
         elif ! echo "$excludes" | grep -q -w "$dir"; then
-            rm -rf $dir
+            rm -rf -- $dir
         fi
     done
 }
diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
index e66ed5938b..87b5751e24 100644
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -60,7 +60,7 @@ python () {
 }
 
 systemd_create_users () {
-	for conffile in ${IMAGE_ROOTFS}/usr/lib/sysusers.d/systemd.conf ${IMAGE_ROOTFS}/usr/lib/sysusers.d/systemd-remote.conf; do
+	for conffile in ${IMAGE_ROOTFS}/usr/lib/sysusers.d/*.conf; do
 		[ -e $conffile ] || continue
 		grep -v "^#" $conffile | sed -e '/^$/d' | while read type name id comment; do
 		if [ "$type" = "u" ]; then
diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index a2ac4eeb80..c8a42dc8bf 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -395,7 +395,7 @@ def check_connectivity(d):
                 msg += "    Please ensure your host's network is configured correctly.\n"
                 msg += "    If your ISP or network is blocking the above URL,\n"
                 msg += "    try with another domain name, for example by setting:\n"
-                msg += "    CONNECTIVITY_CHECK_URIS = \"https://www.yoctoproject.org/\""
+                msg += "    CONNECTIVITY_CHECK_URIS = \"https://www.example.com/\""
                 msg += "    You could also set BB_NO_NETWORK = \"1\" to disable network\n"
                 msg += "    access if all required sources are on local disk.\n"
             retval = msg
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 2b5d94dd1f..de6e7fa960 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -20,7 +20,7 @@ def generate_sstatefn(spec, hash, taskname, siginfo, d):
         components = spec.split(":")
         # Fields 0,5,6 are mandatory, 1 is most useful, 2,3,4 are just for information
         # 7 is for the separators
-        avail = (254 - len(hash + "_" + taskname + extension) - len(components[0]) - len(components[1]) - len(components[5]) - len(components[6]) - 7) // 3
+        avail = (limit - len(hash + "_" + taskname + extension) - len(components[0]) - len(components[1]) - len(components[5]) - len(components[6]) - 7) // 3
         components[2] = components[2][:avail]
         components[3] = components[3][:avail]
         components[4] = components[4][:avail]
@@ -123,8 +123,6 @@ SSTATE_HASHEQUIV_REPORT_TASKDATA[doc] = "Report additional useful data to the \
 python () {
     if bb.data.inherits_class('native', d):
         d.setVar('SSTATE_PKGARCH', d.getVar('BUILD_ARCH', False))
-        if d.getVar("PN") == "pseudo-native":
-            d.appendVar('SSTATE_PKGARCH', '_${ORIGNATIVELSBSTRING}')
     elif bb.data.inherits_class('crosssdk', d):
         d.setVar('SSTATE_PKGARCH', d.expand("${BUILD_ARCH}_${SDK_ARCH}_${SDK_OS}"))
     elif bb.data.inherits_class('cross', d):
@@ -707,6 +705,7 @@ def sstate_package(ss, d):
             pass
         except OSError as e:
             # Handle read-only file systems gracefully
+            import errno
             if e.errno != errno.EROFS:
                 raise e
 
@@ -732,6 +731,7 @@ def pstaging_fetch(sstatefetch, d):
     localdata.setVar('FILESPATH', dldir)
     localdata.setVar('DL_DIR', dldir)
     localdata.setVar('PREMIRRORS', mirrors)
+    localdata.setVar('SRCPV', d.getVar('SRCPV'))
 
     # if BB_NO_NETWORK is set but we also have SSTATE_MIRROR_ALLOW_NETWORK,
     # we'll want to allow network access for the current set of fetches.
@@ -756,6 +756,9 @@ def pstaging_fetch(sstatefetch, d):
         except bb.fetch2.BBFetchException:
             pass
 
+pstaging_fetch[vardepsexclude] += "SRCPV"
+
+
 def sstate_setscene(d):
     shared_state = sstate_state_fromvars(d)
     accelerate = sstate_installpkg(shared_state, d)
@@ -797,7 +800,7 @@ sstate_task_postfunc[dirs] = "${WORKDIR}"
 sstate_create_package () {
 	# Exit early if it already exists
 	if [ -e ${SSTATE_PKG} ]; then
-		[ ! -w ${SSTATE_PKG} ] || touch ${SSTATE_PKG}
+		touch ${SSTATE_PKG} 2>/dev/null || true
 		return
 	fi
 
@@ -824,14 +827,18 @@ sstate_create_package () {
 	fi
 	chmod 0664 $TFILE
 	# Skip if it was already created by some other process
-	if [ ! -e ${SSTATE_PKG} ]; then
+	if [ -h ${SSTATE_PKG} ] && [ ! -e ${SSTATE_PKG} ]; then
+		# There is a symbolic link, but it links to nothing.
+		# Forcefully replace it with the new file.
+		ln -f $TFILE ${SSTATE_PKG} || true
+	elif [ ! -e ${SSTATE_PKG} ]; then
 		# Move into place using ln to attempt an atomic op.
 		# Abort if it already exists
-		ln $TFILE ${SSTATE_PKG} && rm $TFILE
+		ln $TFILE ${SSTATE_PKG} || true
 	else
-		rm $TFILE
+		touch ${SSTATE_PKG} 2>/dev/null || true
 	fi
-	[ ! -w ${SSTATE_PKG} ] || touch ${SSTATE_PKG}
+	rm $TFILE
 }
 
 python sstate_sign_package () {
@@ -860,12 +867,12 @@ python sstate_report_unihash() {
 #
 sstate_unpack_package () {
 	tar -xvzf ${SSTATE_PKG}
-	# update .siginfo atime on local/NFS mirror
-	[ -O ${SSTATE_PKG}.siginfo ] && [ -w ${SSTATE_PKG}.siginfo ] && [ -h ${SSTATE_PKG}.siginfo ] && touch -a ${SSTATE_PKG}.siginfo
-	# Use "! -w ||" to return true for read only files
-	[ ! -w ${SSTATE_PKG} ] || touch --no-dereference ${SSTATE_PKG}
-	[ ! -w ${SSTATE_PKG}.sig ] || [ ! -e ${SSTATE_PKG}.sig ] || touch --no-dereference ${SSTATE_PKG}.sig
-	[ ! -w ${SSTATE_PKG}.siginfo ] || [ ! -e ${SSTATE_PKG}.siginfo ] || touch --no-dereference ${SSTATE_PKG}.siginfo
+	# update .siginfo atime on local/NFS mirror if it is a symbolic link
+	[ ! -h ${SSTATE_PKG}.siginfo ] || [ ! -e ${SSTATE_PKG}.siginfo ] || touch -a ${SSTATE_PKG}.siginfo 2>/dev/null || true
+	# update each symbolic link instead of any referenced file
+	touch --no-dereference ${SSTATE_PKG} 2>/dev/null || true
+	[ ! -e ${SSTATE_PKG}.sig ] || touch --no-dereference ${SSTATE_PKG}.sig 2>/dev/null || true
+	[ ! -e ${SSTATE_PKG}.siginfo ] || touch --no-dereference ${SSTATE_PKG}.siginfo 2>/dev/null || true
 }
 
 BB_HASHCHECK_FUNCTION = "sstate_checkhashes"
@@ -943,7 +950,7 @@ def sstate_checkhashes(sq_data, d, siginfo=False, currentcount=0, summary=True,
 
             localdata2 = bb.data.createCopy(localdata)
             srcuri = "file://" + sstatefile
-            localdata.setVar('SRC_URI', srcuri)
+            localdata2.setVar('SRC_URI', srcuri)
             bb.debug(2, "SState: Attempting to fetch %s" % srcuri)
 
             try:
@@ -1020,6 +1027,7 @@ def sstate_checkhashes(sq_data, d, siginfo=False, currentcount=0, summary=True,
         bb.parse.siggen.checkhashes(sq_data, missed, found, d)
 
     return found
+setscene_depvalid[vardepsexclude] = "SSTATE_EXCLUDEDEPS_SYSROOT"
 
 BB_SETSCENE_DEPVALID = "setscene_depvalid"
 
@@ -1153,6 +1161,7 @@ python sstate_eventhandler() {
                 pass
             except OSError as e:
                 # Handle read-only file systems gracefully
+                import errno
                 if e.errno != errno.EROFS:
                     raise e
 
diff --git a/meta/classes/terminal.bbclass b/meta/classes/terminal.bbclass
index 6059ae95e0..a564ee7494 100644
--- a/meta/classes/terminal.bbclass
+++ b/meta/classes/terminal.bbclass
@@ -26,6 +26,9 @@ def emit_terminal_func(command, envdata, d):
     bb.utils.mkdirhier(os.path.dirname(runfile))
 
     with open(runfile, 'w') as script:
+        # Override the shell shell_trap_code specifies.
+        # If our shell is bash, we might well face silent death.
+        script.write("#!/bin/bash\n")
         script.write(bb.build.shell_trap_code())
         bb.data.emit_func(cmd_func, script, envdata)
         script.write(cmd_func)
@@ -37,7 +40,7 @@ def emit_terminal_func(command, envdata, d):
 def oe_terminal(command, title, d):
     import oe.data
     import oe.terminal
-
+    
     envdata = bb.data.init()
 
     for v in os.environ:
diff --git a/meta/classes/testimage.bbclass b/meta/classes/testimage.bbclass
index e613759503..538ec4fc8a 100644
--- a/meta/classes/testimage.bbclass
+++ b/meta/classes/testimage.bbclass
@@ -230,9 +230,10 @@ def testimage_main(d):
 
     tdname = "%s.testdata.json" % image_name
     try:
-        td = json.load(open(tdname, "r"))
-    except (FileNotFoundError) as err:
-         bb.fatal('File %s Not Found. Have you built the image with INHERIT+="testimage" in the conf/local.conf?' % tdname)
+        with open(tdname, "r") as f:
+            td = json.load(f)
+    except FileNotFoundError as err:
+        bb.fatal('File %s not found (%s).\nHave you built the image with INHERIT += "testimage" in the conf/local.conf?' % (tdname, err))
 
     # Some variables need to be updates (mostly paths) with the
     # ones of the current environment because some tests require them.
diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
index ba48f24b10..fca9de2934 100644
--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -131,6 +131,20 @@ concat_dtb_helper() {
 		elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e "$deployed_uboot_dtb_binary" ]; then
 			cd ${DEPLOYDIR}
 			cat ${UBOOT_NODTB_IMAGE} $deployed_uboot_dtb_binary | tee ${B}/${CONFIG_B_PATH}/${UBOOT_BINARY} > ${UBOOT_IMAGE}
+
+			if [ -n "${UBOOT_CONFIG}" ]
+			then
+				for config in ${UBOOT_MACHINE}; do
+					i=$(expr $i + 1);
+					for type in ${UBOOT_CONFIG}; do
+						j=$(expr $j + 1);
+						if [ $j -eq $i ]
+						then
+							cp ${UBOOT_IMAGE} ${B}/${CONFIG_B_PATH}/u-boot-$type.${UBOOT_SUFFIX}
+						fi
+					done
+				done
+			fi
 		else
 			bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available."
 		fi
@@ -205,7 +219,7 @@ install_helper() {
 	fi
 }
 
-# Install SPL dtb and u-boot nodtb to datadir, 
+# Install SPL dtb and u-boot nodtb to datadir,
 install_spl_helper() {
 	if [ -f "${SPL_DIR}/${SPL_DTB_BINARY}" ]; then
 		install -Dm 0644 ${SPL_DIR}/${SPL_DTB_BINARY} ${D}${datadir}/${SPL_DTB_IMAGE}
diff --git a/meta/classes/uninative.bbclass b/meta/classes/uninative.bbclass
index 1e19917a97..4412d7c567 100644
--- a/meta/classes/uninative.bbclass
+++ b/meta/classes/uninative.bbclass
@@ -2,7 +2,7 @@ UNINATIVE_LOADER ?= "${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux/lib/
 UNINATIVE_STAGING_DIR ?= "${STAGING_DIR}"
 
 UNINATIVE_URL ?= "unset"
-UNINATIVE_TARBALL ?= "${BUILD_ARCH}-nativesdk-libc.tar.xz"
+UNINATIVE_TARBALL ?= "${BUILD_ARCH}-nativesdk-libc-${UNINATIVE_VERSION}.tar.xz"
 # Example checksums
 #UNINATIVE_CHECKSUM[aarch64] = "dead"
 #UNINATIVE_CHECKSUM[i686] = "dead"
@@ -100,7 +100,7 @@ ${UNINATIVE_STAGING_DIR}-uninative/relocate_sdk.py \
   ${UNINATIVE_LOADER} \
   ${UNINATIVE_LOADER} \
   ${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux/${bindir_native}/patchelf-uninative \
-  ${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux${base_libdir_native}/libc*.so" % chksum)
+  ${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux${base_libdir_native}/libc*.so*" % chksum)
         subprocess.check_output(cmd, shell=True)
 
         with open(loaderchksum, "w") as f:
diff --git a/meta/classes/utils.bbclass b/meta/classes/utils.bbclass
index 120bcc64a6..072ea1f63c 100644
--- a/meta/classes/utils.bbclass
+++ b/meta/classes/utils.bbclass
@@ -214,7 +214,7 @@ create_cmdline_wrapper () {
 #!/bin/bash
 realpath=\`readlink -fn \$0\`
 realdir=\`dirname \$realpath\`
-exec -a \`dirname \$realpath\`/$cmdname \`dirname \$realpath\`/$cmdname.real $cmdoptions "\$@"
+exec -a \$realdir/$cmdname \$realdir/$cmdname.real $cmdoptions "\$@"
 END
 	chmod +x $cmd
 }
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 385fc7dd55..d0b92a996a 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -422,8 +422,10 @@ PKGDATA_DIR = "${TMPDIR}/pkgdata/${MACHINE}"
 
 SDK_NAME_PREFIX ?= "oecore"
 SDK_NAME = "${SDK_NAME_PREFIX}-${SDK_ARCH}-${TUNE_PKGARCH}"
-SDKPATH = "/usr/local/${SDK_NAME_PREFIX}-${SDK_ARCH}"
+SDKPATH = "/usr/local/oe-sdk-hardcoded-buildpath"
 SDKPATHNATIVE = "${SDKPATH}/sysroots/${SDK_SYS}"
+# The path to default to installing the SDK to
+SDKPATHINSTALL = "/usr/local/${SDK_NAME_PREFIX}-${SDK_ARCH}"
 
 ##################################################################
 # Kernel info.
@@ -638,7 +640,7 @@ APACHE_MIRROR = "https://archive.apache.org/dist"
 DEBIAN_MIRROR = "http://ftp.debian.org/debian/pool"
 GENTOO_MIRROR = "http://distfiles.gentoo.org/distfiles"
 GNOME_GIT = "git://gitlab.gnome.org/GNOME"
-GNOME_MIRROR = "https://ftp.gnome.org/pub/GNOME/sources"
+GNOME_MIRROR = "https://download.gnome.org/sources/"
 GNU_MIRROR = "https://ftp.gnu.org/gnu"
 GNUPG_MIRROR = "https://www.gnupg.org/ftp/gcrypt"
 GPE_MIRROR = "http://gpe.linuxtogo.org/download/source"
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 561386b706..0b8bec312b 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -43,3 +43,12 @@ CVE_CHECK_WHITELIST += "CVE-2010-4756"
 # CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
 # exposing this interface in an exploitable way
 CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511"
+
+# db
+# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
+# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
+CVE_CHECK_WHITELIST += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
+CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
+CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
+CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
diff --git a/meta/conf/distro/include/default-distrovars.inc b/meta/conf/distro/include/default-distrovars.inc
index 433d4b6651..038acc1504 100644
--- a/meta/conf/distro/include/default-distrovars.inc
+++ b/meta/conf/distro/include/default-distrovars.inc
@@ -47,5 +47,5 @@ KERNEL_IMAGETYPES ??= "${KERNEL_IMAGETYPE}"
 # The CONNECTIVITY_CHECK_URIS are used to test whether we can succesfully
 # fetch from the network (and warn you if not). To disable the test set
 # the variable to be empty.
-# Git example url: git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master
-CONNECTIVITY_CHECK_URIS ?= "https://www.example.com/"
+# Git example url: git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master;branch=master
+CONNECTIVITY_CHECK_URIS ?= "https://yoctoproject.org/connectivity.html"
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 6276331857..5064ee6b79 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -4,7 +4,7 @@
 #
 # Please submit any patches against recipes in meta to the
 # OE-Core mail list (openembedded-core@lists.openembedded.org)
-# For recipes in meta-yocto please use the Poky list (poky@yoctoproject.org)
+# For recipes in meta-yocto please use the Poky list (poky@lists.yoctoproject.org)
 #
 # If you have problems with or questions about a particular recipe, feel
 # free to contact the maintainer directly (cc:ing the appropriate mailing list
@@ -191,7 +191,7 @@ RECIPE_MAINTAINER_pn-gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} = "Khem Raj <r
 RECIPE_MAINTAINER_pn-gcc-crosssdk-${SDK_SYS} = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER_pn-gcc-runtime = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER_pn-gcc-sanitizers = "Khem Raj <raj.khem@gmail.com>"
-RECIPE_MAINTAINER_pn-gcc-source-10.2.0 = "Khem Raj <raj.khem@gmail.com>"
+RECIPE_MAINTAINER_pn-gcc-source-10.3.0 = "Khem Raj <raj.khem@gmail.com>"
 RECIPE_MAINTAINER_pn-gconf = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER_pn-gcr = "Alexander Kanavin <alex.kanavin@gmail.com>"
 RECIPE_MAINTAINER_pn-gdb = "Khem Raj <raj.khem@gmail.com>"
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 740cca0ecf..bfe05ce1eb 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,10 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.33"
+UNINATIVE_MAXGLIBCVERSION = "2.35"
+UNINATIVE_VERSION = "3.5"
 
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.2/"
-UNINATIVE_CHECKSUM[aarch64] ?= "4f0872cdca2775b637a8a99815ca5c8dd42146abe903a24a50ee0448358c764b"
-UNINATIVE_CHECKSUM[i686] ?= "e2eeab92e67263db37d9bb6d4c58579abd1f47ff4cded3171bde572fece124b2"
-UNINATIVE_CHECKSUM[x86_64] ?= "3ee8c7d55e2d4c7ae3887cddb97219f97b94efddfeee2e24923c0cb0e8ce84c6"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
+UNINATIVE_CHECKSUM[aarch64] ?= "6de0771bd21e0fcb5e80388e5b561a8023b24083bcbf46e056a089982aff75d7"
+UNINATIVE_CHECKSUM[i686] ?= "8c8745becbfa1c341bae839c7eab56ddf17ce36c303bcd73d3b2f2f788b631c2"
+UNINATIVE_CHECKSUM[x86_64] ?= "e8047a5748e6f266165da141eb6d08b23674f30e477b0e5505b6403d50fbc4b2"
diff --git a/meta/conf/machine/include/arm/arch-armv8-5a.inc b/meta/conf/machine/include/arm/arch-armv8-5a.inc
new file mode 100644
index 0000000000..44c3b5bd22
--- /dev/null
+++ b/meta/conf/machine/include/arm/arch-armv8-5a.inc
@@ -0,0 +1,19 @@
+DEFAULTTUNE ?= "armv8-5a"
+
+TUNEVALID[armv8-5a] = "Enable instructions for ARMv8.5-a"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'armv8-5a', ' -march=armv8.5-a', '', d)}"
+# TUNE crypto will be handled by arch-armv8a.inc below
+MACHINEOVERRIDES =. "${@bb.utils.contains('TUNE_FEATURES', 'armv8-5a', 'armv8-5a:', '', d)}"
+
+require conf/machine/include/arm/arch-armv8a.inc
+
+# Little Endian base configs
+AVAILTUNES += "armv8-5a armv8-5a-crypto"
+ARMPKGARCH_tune-armv8-5a                    ?= "armv8-5a"
+ARMPKGARCH_tune-armv8-5a-crypto             ?= "armv8-5a"
+TUNE_FEATURES_tune-armv8-5a                  = "aarch64 armv8-5a"
+TUNE_FEATURES_tune-armv8-5a-crypto           = "${TUNE_FEATURES_tune-armv8-5a} crypto"
+PACKAGE_EXTRA_ARCHS_tune-armv8-5a            = "${PACKAGE_EXTRA_ARCHS_tune-armv8a} armv8-5a"
+PACKAGE_EXTRA_ARCHS_tune-armv8-5a-crypto     = "${PACKAGE_EXTRA_ARCHS_tune-armv8-5a} armv8-5a-crypto"
+BASE_LIB_tune-armv8-5a                       = "lib64"
+BASE_LIB_tune-armv8-5a-crypto                = "lib64"
diff --git a/meta/conf/machine/include/arm/armv9a/tune-neoversen2.inc b/meta/conf/machine/include/arm/armv9a/tune-neoversen2.inc
new file mode 100644
index 0000000000..dedabcf46e
--- /dev/null
+++ b/meta/conf/machine/include/arm/armv9a/tune-neoversen2.inc
@@ -0,0 +1,22 @@
+#
+# Tune Settings for Neoverse-N2
+#
+DEFAULTTUNE ?= "neoversen2"
+
+TUNEVALID[neoversen2] = "Enable Neoverse-N2 specific processor optimizations"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'neoversen2', ' -mcpu=neoverse-n2', '', d)}"
+
+# Even though the Neoverse N2 core implemnts the Arm v9.0-A architecture,
+# but the support of it in GCC is based on the Arm v8.5-A architecture.
+require conf/machine/include/arm/arch-armv8-5a.inc
+
+# Little Endian base configs
+AVAILTUNES                                         += "neoversen2 neoversen2-crypto"
+ARMPKGARCH_tune-neoversen2                          = "neoversen2"
+ARMPKGARCH_tune-neoversen2-crypto                   = "neoversen2-crypto"
+TUNE_FEATURES_tune-neoversen2                       = "${TUNE_FEATURES_tune-armv8-5a} neoversen2"
+TUNE_FEATURES_tune-neoversen2-crypto                = "${TUNE_FEATURES_tune-neoversen2} crypto"
+PACKAGE_EXTRA_ARCHS_tune-neoversen2                 = "${PACKAGE_EXTRA_ARCHS_tune-armv8-5a} neoversen2"
+PACKAGE_EXTRA_ARCHS_tune-neoversen2-crypto          = "${PACKAGE_EXTRA_ARCHS_tune-armv8-5a-crypto} neoversen2 neoversen2-crypto"
+BASE_LIB_tune-neoversen2                            = "lib64"
+BASE_LIB_tune-neoversen2-crypto                     = "lib64"
diff --git a/meta/conf/machine/include/tune-cortexa72.inc b/meta/conf/machine/include/tune-cortexa72.inc
index b3f68ab6e3..efb71ee0a1 100644
--- a/meta/conf/machine/include/tune-cortexa72.inc
+++ b/meta/conf/machine/include/tune-cortexa72.inc
@@ -6,8 +6,12 @@ TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'cortexa72', ' -mcpu=corte
 require conf/machine/include/arm/arch-armv8a.inc
 
 # Little Endian base configs
-AVAILTUNES += "cortexa72"
+AVAILTUNES += "cortexa72 cortexa72-crypto"
 ARMPKGARCH_tune-cortexa72             = "cortexa72"
-TUNE_FEATURES_tune-cortexa72          = "${TUNE_FEATURES_tune-armv8a-crc-crypto} cortexa72"
-PACKAGE_EXTRA_ARCHS_tune-cortexa72    = "${PACKAGE_EXTRA_ARCHS_tune-armv8a-crc-crypto} cortexa72"
-BASE_LIB_tune-cortexa72               = "lib64"
+ARMPKGARCH_tune-cortexa72-crypto      = "cortexa72"
+TUNE_FEATURES_tune-cortexa72          = "${TUNE_FEATURES_tune-armv8a-crc} cortexa72"
+TUNE_FEATURES_tune-cortexa72-crypto   = "${TUNE_FEATURES_tune-cortexa72} crypto"
+PACKAGE_EXTRA_ARCHS_tune-cortexa72        = "${PACKAGE_EXTRA_ARCHS_tune-armv8-crc} cortexa72"
+PACKAGE_EXTRA_ARCHS_tune-cortexa72-crypto = "${PACKAGE_EXTRA_ARCHS_tune-armv8a-crc-crypto} cortexa72 cortexa72-crypto"
+BASE_LIB_tune-cortexa72            = "lib64"
+BASE_LIB_tune-cortexa72-crypto     = "lib64"
diff --git a/meta/conf/multilib.conf b/meta/conf/multilib.conf
index d231107f8b..e9767c73b6 100644
--- a/meta/conf/multilib.conf
+++ b/meta/conf/multilib.conf
@@ -11,6 +11,8 @@ STAGING_DIR_TARGET = "${WORKDIR}/${MLPREFIX}recipe-sysroot"
 RECIPE_SYSROOT = "${WORKDIR}/${MLPREFIX}recipe-sysroot"
 RECIPE_SYSROOT_class-native = "${WORKDIR}/recipe-sysroot"
 
+PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/${MLPREFIX}recipe-sysroot"
+
 INHERIT += "multilib_global"
 
 BBCLASSEXTEND_append = " ${MULTILIBS}"
diff --git a/meta/files/toolchain-shar-extract.sh b/meta/files/toolchain-shar-extract.sh
index dd9342758b..4386b985bb 100644
--- a/meta/files/toolchain-shar-extract.sh
+++ b/meta/files/toolchain-shar-extract.sh
@@ -56,7 +56,8 @@ if ! xz -V > /dev/null 2>&1; then
 	exit 1
 fi
 
-DEFAULT_INSTALL_DIR="@SDKPATH@"
+SDK_BUILD_PATH="@SDKPATH@"
+DEFAULT_INSTALL_DIR="@SDKPATHINSTALL@"
 SUDO_EXEC=""
 EXTRA_TAR_OPTIONS=""
 target_sdk_dir=""
diff --git a/meta/files/toolchain-shar-relocate.sh b/meta/files/toolchain-shar-relocate.sh
index 5433741296..cee9adbf39 100644
--- a/meta/files/toolchain-shar-relocate.sh
+++ b/meta/files/toolchain-shar-relocate.sh
@@ -5,7 +5,7 @@ fi
 
 # fix dynamic loader paths in all ELF SDK binaries
 native_sysroot=$($SUDO_EXEC cat $env_setup_script |grep 'OECORE_NATIVE_SYSROOT='|cut -d'=' -f2|tr -d '"')
-dl_path=$($SUDO_EXEC find $native_sysroot/lib -name "ld-linux*")
+dl_path=$($SUDO_EXEC find $native_sysroot/lib -maxdepth 1 -name "ld-linux*")
 if [ "$dl_path" = "" ] ; then
 	echo "SDK could not be set up. Relocate script unable to find ld-linux.so. Abort!"
 	exit 1
@@ -61,7 +61,7 @@ done | xargs -n100 file | grep ":.*\(ASCII\|script\|source\).*text" | \
              -e "$target_sdk_dir/post-relocate-setup" \
              -e "$target_sdk_dir/${0##*/}" | \
     xargs -n100 $SUDO_EXEC sed -i \
-        -e "s:$DEFAULT_INSTALL_DIR:$target_sdk_dir:g" \
+        -e "s:$SDK_BUILD_PATH:$target_sdk_dir:g" \
         -e "s:^#! */usr/bin/perl.*:#! /usr/bin/env perl:g" \
         -e "s: /usr/bin/perl: /usr/bin/env perl:g"
 
@@ -72,7 +72,7 @@ fi
 
 # change all symlinks pointing to @SDKPATH@
 for l in $($SUDO_EXEC find $native_sysroot -type l); do
-	$SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$DEFAULT_INSTALL_DIR:$target_sdk_dir:") $l
+	$SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$SDK_BUILD_PATH:$target_sdk_dir:") $l
 	if [ $? -ne 0 ]; then
 		echo "Failed to setup symlinks. Relocate script failed. Abort!"
 		exit 1
diff --git a/meta/lib/oe/patch.py b/meta/lib/oe/patch.py
index fccbedb519..9034fcae03 100644
--- a/meta/lib/oe/patch.py
+++ b/meta/lib/oe/patch.py
@@ -4,6 +4,7 @@
 
 import oe.path
 import oe.types
+import subprocess
 
 class NotFoundError(bb.BBHandledException):
     def __init__(self, path):
@@ -25,7 +26,6 @@ class CmdError(bb.BBHandledException):
 
 def runcmd(args, dir = None):
     import pipes
-    import subprocess
 
     if dir:
         olddir = os.path.abspath(os.curdir)
@@ -56,6 +56,7 @@ def runcmd(args, dir = None):
         if dir:
             os.chdir(olddir)
 
+
 class PatchError(Exception):
     def __init__(self, msg):
         self.msg = msg
@@ -298,6 +299,24 @@ class GitApplyTree(PatchTree):
         PatchTree.__init__(self, dir, d)
         self.commituser = d.getVar('PATCH_GIT_USER_NAME')
         self.commitemail = d.getVar('PATCH_GIT_USER_EMAIL')
+        if not self._isInitialized():
+            self._initRepo()
+
+    def _isInitialized(self):
+        cmd = "git rev-parse --show-toplevel"
+        try:
+            output = runcmd(cmd.split(), self.dir).strip()
+        except CmdError as err:
+            ## runcmd returned non-zero which most likely means 128
+            ## Not a git directory
+            return False
+        ## Make sure repo is in builddir to not break top-level git repos
+        return os.path.samefile(output, self.dir)
+
+    def _initRepo(self):
+        runcmd("git init".split(), self.dir)
+        runcmd("git add .".split(), self.dir)
+        runcmd("git commit -a --allow-empty -m bitbake_patching_started".split(), self.dir)
 
     @staticmethod
     def extractPatchHeader(patchfile):
diff --git a/meta/lib/oe/reproducible.py b/meta/lib/oe/reproducible.py
index 204b9bd734..0938e4cb39 100644
--- a/meta/lib/oe/reproducible.py
+++ b/meta/lib/oe/reproducible.py
@@ -41,7 +41,7 @@ def find_git_folder(d, sourcedir):
     for root, dirs, files in os.walk(workdir, topdown=True):
         dirs[:] = [d for d in dirs if d not in exclude]
         if '.git' in dirs:
-            return root
+            return os.path.join(root, ".git")
 
     bb.warn("Failed to find a git repository in WORKDIR: %s" % workdir)
     return None
diff --git a/meta/lib/oe/sdk.py b/meta/lib/oe/sdk.py
index 37b59afd1a..27347667e8 100644
--- a/meta/lib/oe/sdk.py
+++ b/meta/lib/oe/sdk.py
@@ -115,6 +115,10 @@ def sdk_list_installed_packages(d, target, rootfs_dir=None):
 
         rootfs_dir = [sdk_output, os.path.join(sdk_output, target_path)][target is True]
 
+    if target is False:
+        ipkgconf_sdk_target = d.getVar("IPKGCONF_SDK")
+        d.setVar("IPKGCONF_TARGET", ipkgconf_sdk_target)
+
     img_type = d.getVar('IMAGE_PKGTYPE')
     import importlib
     cls = importlib.import_module('oe.package_manager.' + img_type)
diff --git a/meta/lib/oe/utils.py b/meta/lib/oe/utils.py
index a84039f585..2a8771dc28 100644
--- a/meta/lib/oe/utils.py
+++ b/meta/lib/oe/utils.py
@@ -480,7 +480,8 @@ class ThreadedWorker(Thread):
             try:
                 func(self, *args, **kargs)
             except Exception as e:
-                print(e)
+                # Eat all exceptions
+                bb.mainlogger.debug("Worker task raised %s" % e, exc_info=e)
             finally:
                 self.tasks.task_done()
 
diff --git a/meta/lib/oeqa/manual/eclipse-plugin.json b/meta/lib/oeqa/manual/eclipse-plugin.json
index d77d0e673b..6c110d0656 100644
--- a/meta/lib/oeqa/manual/eclipse-plugin.json
+++ b/meta/lib/oeqa/manual/eclipse-plugin.json
@@ -44,7 +44,7 @@
                     "expected_results": ""
                 },
                 "2": {
-                    "action": "wget  autobuilder.yoctoproject.org/pub/releases//machines/qemu/qemux86/qemu (ex:core-image-sato-sdk-qemux86-date-rootfs-tar-bz2) \nsource /opt/poky/version/environment-setup-i585-poky-linux  \n\nExtract qemu with runqemu-extract-sdk /home/user/file(ex.core-image-sato-sdk-qemux86.bz2) \n/home/user/qemux86-sato-sdk  \n\n",
+                    "action": "wget  https://downloads.yoctoproject.org/releases/yocto/yocto-$VERSION/machines/qemu/qemux86/ (ex:core-image-sato-sdk-qemux86-date-rootfs-tar-bz2) \nsource /opt/poky/version/environment-setup-i585-poky-linux  \n\nExtract qemu with runqemu-extract-sdk /home/user/file(ex.core-image-sato-sdk-qemux86.bz2) \n/home/user/qemux86-sato-sdk  \n\n",
                     "expected_results": " Qemu can be lauched normally."
                 },
                 "3": {
@@ -60,7 +60,7 @@
                     "expected_results": ""
                 },
                 "6": {
-                    "action": "(d) QEMU: \nSelect this option if you will be using the QEMU emulator. Specify the Kernel matching the QEMU architecture you are using. \n      wget  autobuilder.yoctoproject.org/pub/releases//machines/qemu/qemux86/bzImage-qemux86.bin \n      e.g: /home/$USER/yocto/adt-installer/download_image/bzImage-qemux86.bin  \n\n",
+                    "action": "(d) QEMU: \nSelect this option if you will be using the QEMU emulator. Specify the Kernel matching the QEMU architecture you are using. \n      wget  https://downloads.yoctoproject.org/releases/yocto/yocto-$VERSION/machines/qemu/qemux86/bzImage-qemux86.bin \n      e.g: /home/$USER/yocto/adt-installer/download_image/bzImage-qemux86.bin  \n\n",
                     "expected_results": ""
                 },	
                 "7": {
@@ -247,7 +247,7 @@
             "execution": {
                 "1": {
                     "action": "Clone eclipse-poky source.   \n    \n    - git clone git://git.yoctoproject.org/eclipse-poky  \n\n",
-                    "expected_results": "Eclipse plugin is successfully installed  \n\nDocumentation is there. For example if you have release yocto-2.0.1 you will found on   http://autobuilder.yoctoproject.org/pub/releases/yocto-2.0.1/eclipse-plugin/mars/  archive with documentation like org.yocto.doc-development-$date.zip  \n  \n"
+                    "expected_results": "Eclipse plugin is successfully installed  \n\nDocumentation is there. For example if you have release yocto-2.0.1 you will found on   https://downloads.yoctoproject.org/releases/yocto/yocto-2.0.1/eclipse-plugin/mars/  archive with documentation like org.yocto.doc-development-$date.zip  \n  \n"
                 },
                 "2": {
                     "action": "Checkout correct tag.  \n\n    - git checkout <eclipse-version>/<yocto-version> \n\n",
diff --git a/meta/lib/oeqa/manual/toaster-managed-mode.json b/meta/lib/oeqa/manual/toaster-managed-mode.json
index 12374c7c64..9566d9d10e 100644
--- a/meta/lib/oeqa/manual/toaster-managed-mode.json
+++ b/meta/lib/oeqa/manual/toaster-managed-mode.json
@@ -136,7 +136,7 @@
           "expected_results": ""
         },
         "3": {
-          "action": "Check that default values are as follows: \n\tDISTRO - poky \n\tIMAGE_FSTYPES - ext3 jffs2 tar.bz2 \n\tIMAGE_INSTALL_append - \"Not set\" \n\tPACKAGE_CLASES - package_rpm \n        SSTATE_DIR  - /homeDirectory/poky/sstate-cache \n\n",
+          "action": "Check that default values are as follows: \n\tDISTRO - poky \n\tIMAGE_FSTYPES - ext3 jffs2 tar.bz2 \n\tIMAGE_INSTALL_append - \"Not set\" \n\tPACKAGE_CLASSES - package_rpm \n        SSTATE_DIR  - /homeDirectory/poky/sstate-cache \n\n",
           "expected_results": ""
         },
         "4": {
diff --git a/meta/lib/oeqa/runtime/cases/date.py b/meta/lib/oeqa/runtime/cases/date.py
index e14322911d..bd6537400e 100644
--- a/meta/lib/oeqa/runtime/cases/date.py
+++ b/meta/lib/oeqa/runtime/cases/date.py
@@ -28,14 +28,13 @@ class DateTest(OERuntimeTestCase):
         self.assertEqual(status, 0, msg=msg)
         oldDate = output
 
-        sampleDate = '"2016-08-09 10:00:00"'
-        (status, output) = self.target.run("date -s %s" % sampleDate)
+        sampleTimestamp = 1488800000
+        (status, output) = self.target.run("date -s @%d" % sampleTimestamp)
         self.assertEqual(status, 0, msg='Date set failed, output: %s' % output)
 
-        (status, output) = self.target.run("date -R")
-        p = re.match('Tue, 09 Aug 2016 10:00:.. \+0000', output)
+        (status, output) = self.target.run('date +"%s"')
         msg = 'The date was not set correctly, output: %s' % output
-        self.assertTrue(p, msg=msg)
+        self.assertTrue(int(output) - sampleTimestamp < 300, msg=msg)
 
         (status, output) = self.target.run('date -s "%s"' % oldDate)
         msg = 'Failed to reset date, output: %s' % output
diff --git a/meta/lib/oeqa/runtime/cases/parselogs.py b/meta/lib/oeqa/runtime/cases/parselogs.py
index 1bb0425521..c842f95c34 100644
--- a/meta/lib/oeqa/runtime/cases/parselogs.py
+++ b/meta/lib/oeqa/runtime/cases/parselogs.py
@@ -90,6 +90,7 @@ qemux86_common = [
     "glamor initialization failed",
     "blk_update_request: I/O error, dev fd0, sector 0 op 0x0:(READ)",
     "floppy: error",
+    'failed to IDENTIFY (I/O error, err_mask=0x4)',
 ] + common_errors
 
 ignore_errors = {
@@ -121,7 +122,7 @@ ignore_errors = {
         'synth uevent: /devices/vio: failed to send uevent',
         'PCI 0000:00 Cannot reserve Legacy IO [io  0x10000-0x10fff]',
         ] + common_errors,
-    'qemuarm' : [
+    'qemuarmv5' : [
         'mmci-pl18x: probe of fpga:05 failed with error -22',
         'mmci-pl18x: probe of fpga:0b failed with error -22',
         'Failed to load module "glx"',
@@ -135,6 +136,7 @@ ignore_errors = {
         'OF: amba_device_add() failed (-19) for /amba/fpga/sci@a000',
         'Failed to initialize \'/amba/timer@101e3000\': -22',
         'jitterentropy: Initialization failed with host not compliant with requirements: 2',
+        'clcd-pl11x: probe of 10120000.display failed with error -2',
         ] + common_errors,
     'qemuarm64' : [
         'Fatal server error:',
@@ -300,7 +302,7 @@ class ParseLogsTest(OERuntimeTestCase):
         grepcmd = 'grep '
         grepcmd += '-Ei "'
         for error in errors:
-            grepcmd += '\<' + error + '\>' + '|'
+            grepcmd += r'\<' + error + r'\>' + '|'
         grepcmd = grepcmd[:-1]
         grepcmd += '" ' + str(log) + " | grep -Eiv \'"
 
@@ -311,13 +313,13 @@ class ParseLogsTest(OERuntimeTestCase):
             errorlist = ignore_errors['default']
 
         for ignore_error in errorlist:
-            ignore_error = ignore_error.replace('(', '\(')
-            ignore_error = ignore_error.replace(')', '\)')
+            ignore_error = ignore_error.replace('(', r'\(')
+            ignore_error = ignore_error.replace(')', r'\)')
             ignore_error = ignore_error.replace("'", '.')
-            ignore_error = ignore_error.replace('?', '\?')
-            ignore_error = ignore_error.replace('[', '\[')
-            ignore_error = ignore_error.replace(']', '\]')
-            ignore_error = ignore_error.replace('*', '\*')
+            ignore_error = ignore_error.replace('?', r'\?')
+            ignore_error = ignore_error.replace('[', r'\[')
+            ignore_error = ignore_error.replace(']', r'\]')
+            ignore_error = ignore_error.replace('*', r'\*')
             ignore_error = ignore_error.replace('0-9', '[0-9]')
             grepcmd += ignore_error + '|'
         grepcmd = grepcmd[:-1]
diff --git a/meta/lib/oeqa/runtime/cases/ptest.py b/meta/lib/oeqa/runtime/cases/ptest.py
index 0800f3c27f..00742da2b5 100644
--- a/meta/lib/oeqa/runtime/cases/ptest.py
+++ b/meta/lib/oeqa/runtime/cases/ptest.py
@@ -57,7 +57,7 @@ class PtestRunnerTest(OERuntimeTestCase):
         ptest_dirs = [ '/usr/lib' ]
         if not libdir in ptest_dirs:
             ptest_dirs.append(libdir)
-        status, output = self.target.run('ptest-runner -d \"{}\"'.format(' '.join(ptest_dirs)), 0)
+        status, output = self.target.run('ptest-runner -t 450 -d \"{}\"'.format(' '.join(ptest_dirs)), 0)
         os.makedirs(ptest_log_dir)
         with open(ptest_runner_log, 'w') as f:
             f.write(output)
diff --git a/meta/lib/oeqa/selftest/cases/bbtests.py b/meta/lib/oeqa/selftest/cases/bbtests.py
index 79390acc0d..4187cb840a 100644
--- a/meta/lib/oeqa/selftest/cases/bbtests.py
+++ b/meta/lib/oeqa/selftest/cases/bbtests.py
@@ -83,8 +83,10 @@ class BitbakeTests(OESelftestTestCase):
 
     def test_force_task_1(self):
         # test 1 from bug 5875
+        import uuid
         test_recipe = 'zlib'
-        test_data = "Microsoft Made No Profit From Anyone's Zunes Yo"
+        # Need to use uuid otherwise hash equivlance would change the workflow
+        test_data = "Microsoft Made No Profit From Anyone's Zunes Yo %s" % uuid.uuid1()
         bb_vars = get_bb_vars(['D', 'PKGDEST', 'mandir'], test_recipe)
         image_dir = bb_vars['D']
         pkgsplit_dir = bb_vars['PKGDEST']
@@ -161,7 +163,7 @@ SSTATE_DIR = \"${TOPDIR}/download-selftest\"
 """)
         self.track_for_cleanup(os.path.join(self.builddir, "download-selftest"))
 
-        data = 'SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz;downloadfilename=test-aspell.tar.gz"'
+        data = 'SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/aspell-${PV}.tar.gz;downloadfilename=test-aspell.tar.gz"'
         self.write_recipeinc('aspell', data)
         result = bitbake('-f -c fetch aspell', ignore_status=True)
         self.delete_recipeinc('aspell')
@@ -298,3 +300,32 @@ INHERIT_remove = \"report-error\"
 
         test_recipe_summary_after = get_bb_var('SUMMARY', test_recipe)
         self.assertEqual(expected_recipe_summary, test_recipe_summary_after)
+
+    def test_git_patchtool(self):
+        """ PATCHTOOL=git should work with non-git sources like tarballs
+            test recipe for the test must NOT containt git:// repository in SRC_URI
+        """
+        test_recipe = "man-db"
+        self.write_recipeinc(test_recipe, 'PATCHTOOL=\"git\"')
+        src = get_bb_var("SRC_URI",test_recipe)
+        gitscm = re.search("git://", src)
+        self.assertFalse(gitscm, "test_git_patchtool pre-condition failed: {} test recipe contains git repo!".format(test_recipe))
+        result = bitbake('{} -c patch'.format(test_recipe), ignore_status=False)
+        fatal = re.search("fatal: not a git repository (or any of the parent directories)", result.output)
+        self.assertFalse(fatal, "Failed to patch using PATCHTOOL=\"git\"")
+        self.delete_recipeinc(test_recipe)
+        bitbake('-cclean {}'.format(test_recipe))
+
+    def test_git_patchtool2(self):
+        """ Test if PATCHTOOL=git works with git repo and doesn't reinitialize it
+        """
+        test_recipe = "gitrepotest"
+        src = get_bb_var("SRC_URI",test_recipe)
+        gitscm = re.search("git://", src)
+        self.assertTrue(gitscm, "test_git_patchtool pre-condition failed: {} test recipe doesn't contains git repo!".format(test_recipe))
+        result = bitbake('{} -c patch'.format(test_recipe), ignore_status=False)
+        srcdir = get_bb_var('S', test_recipe)
+        result = runCmd("git log", cwd = srcdir)
+        self.assertFalse("bitbake_patching_started" in result.output, msg = "Repository has been reinitialized. {}".format(srcdir))
+        self.delete_recipeinc(test_recipe)
+        bitbake('-cclean {}'.format(test_recipe))
diff --git a/meta/lib/oeqa/selftest/cases/devtool.py b/meta/lib/oeqa/selftest/cases/devtool.py
index 3385546e8e..7ac1fcfbeb 100644
--- a/meta/lib/oeqa/selftest/cases/devtool.py
+++ b/meta/lib/oeqa/selftest/cases/devtool.py
@@ -340,7 +340,7 @@ class DevtoolAddTests(DevtoolBase):
         checkvars['LIC_FILES_CHKSUM'] = 'file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263'
         checkvars['S'] = '${WORKDIR}/git'
         checkvars['PV'] = '0.1+git${SRCPV}'
-        checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/dbus-wait;protocol=https'
+        checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/dbus-wait;protocol=https;branch=master'
         checkvars['SRCREV'] = srcrev
         checkvars['DEPENDS'] = set(['dbus'])
         self._test_recipe_contents(recipefile, checkvars, [])
@@ -442,6 +442,7 @@ class DevtoolAddTests(DevtoolBase):
         tempdir = tempfile.mkdtemp(prefix='devtoolqa')
         self.track_for_cleanup(tempdir)
         url = 'gitsm://git.yoctoproject.org/mraa'
+        url_branch = '%s;branch=master' % url
         checkrev = 'ae127b19a50aa54255e4330ccfdd9a5d058e581d'
         testrecipe = 'mraa'
         srcdir = os.path.join(tempdir, testrecipe)
@@ -462,7 +463,7 @@ class DevtoolAddTests(DevtoolBase):
         checkvars = {}
         checkvars['S'] = '${WORKDIR}/git'
         checkvars['PV'] = '1.0+git${SRCPV}'
-        checkvars['SRC_URI'] = url
+        checkvars['SRC_URI'] = url_branch
         checkvars['SRCREV'] = '${AUTOREV}'
         self._test_recipe_contents(recipefile, checkvars, [])
         # Try with revision and version specified
@@ -481,7 +482,7 @@ class DevtoolAddTests(DevtoolBase):
         checkvars = {}
         checkvars['S'] = '${WORKDIR}/git'
         checkvars['PV'] = '1.5+git${SRCPV}'
-        checkvars['SRC_URI'] = url
+        checkvars['SRC_URI'] = url_branch
         checkvars['SRCREV'] = checkrev
         self._test_recipe_contents(recipefile, checkvars, [])
 
@@ -904,7 +905,7 @@ class DevtoolUpdateTests(DevtoolBase):
         self._check_repo_status(os.path.dirname(recipefile), expected_status)
 
         result = runCmd('git diff %s' % os.path.basename(recipefile), cwd=os.path.dirname(recipefile))
-        addlines = ['SRCREV = ".*"', 'SRC_URI = "git://git.infradead.org/mtd-utils.git"']
+        addlines = ['SRCREV = ".*"', 'SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master"']
         srcurilines = src_uri.split()
         srcurilines[0] = 'SRC_URI = "' + srcurilines[0]
         srcurilines.append('"')
diff --git a/meta/lib/oeqa/selftest/cases/fetch.py b/meta/lib/oeqa/selftest/cases/fetch.py
index cd15f65129..d2f0c38ef4 100644
--- a/meta/lib/oeqa/selftest/cases/fetch.py
+++ b/meta/lib/oeqa/selftest/cases/fetch.py
@@ -99,7 +99,7 @@ class Dependencies(OESelftestTestCase):
 
             r = """
             LICENSE="CLOSED"
-            SRC_URI="git://example.com/repo"
+            SRC_URI="git://example.com/repo;branch=master"
             """
             f = self.write_recipe(textwrap.dedent(r), tempdir)
             d = tinfoil.parse_recipe_file(f)
diff --git a/meta/lib/oeqa/selftest/cases/glibc.py b/meta/lib/oeqa/selftest/cases/glibc.py
index c687f6ef93..cf8c92887b 100644
--- a/meta/lib/oeqa/selftest/cases/glibc.py
+++ b/meta/lib/oeqa/selftest/cases/glibc.py
@@ -33,7 +33,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase):
 
         ptestsuite = "glibc-user" if ssh is None else "glibc"
         self.ptest_section(ptestsuite)
-        with open(os.path.join(builddir, "tests.sum"), "r") as f:
+        with open(os.path.join(builddir, "tests.sum"), "r",  errors='replace') as f:
             for test, result in parse_values(f):
                 self.ptest_result(ptestsuite, test, result)
 
diff --git a/meta/lib/oeqa/selftest/cases/gotoolchain.py b/meta/lib/oeqa/selftest/cases/gotoolchain.py
index 4fc3605f42..c809d7c9b1 100644
--- a/meta/lib/oeqa/selftest/cases/gotoolchain.py
+++ b/meta/lib/oeqa/selftest/cases/gotoolchain.py
@@ -43,6 +43,12 @@ class oeGoToolchainSelfTest(OESelftestTestCase):
 
     @classmethod
     def tearDownClass(cls):
+        # Go creates file which are readonly
+        for dirpath, dirnames, filenames in os.walk(cls.tmpdir_SDKQA):
+            for filename in filenames + dirnames:
+                f = os.path.join(dirpath, filename)
+                if not os.path.islink(f):
+                    os.chmod(f, 0o775)
         shutil.rmtree(cls.tmpdir_SDKQA, ignore_errors=True)
         super(oeGoToolchainSelfTest, cls).tearDownClass()
 
diff --git a/meta/lib/oeqa/selftest/cases/recipetool.py b/meta/lib/oeqa/selftest/cases/recipetool.py
index 9d56e9e1e3..4f283cdc03 100644
--- a/meta/lib/oeqa/selftest/cases/recipetool.py
+++ b/meta/lib/oeqa/selftest/cases/recipetool.py
@@ -357,7 +357,7 @@ class RecipetoolTests(RecipetoolBase):
         tempsrc = os.path.join(self.tempdir, 'srctree')
         os.makedirs(tempsrc)
         recipefile = os.path.join(self.tempdir, 'libmatchbox.bb')
-        srcuri = 'git://git.yoctoproject.org/libmatchbox'
+        srcuri = 'git://git.yoctoproject.org/libmatchbox;branch=master'
         result = runCmd(['recipetool', 'create', '-o', recipefile, srcuri + ";rev=9f7cf8895ae2d39c465c04cc78e918c157420269", '-x', tempsrc])
         self.assertTrue(os.path.isfile(recipefile), 'recipetool did not create recipe file; output:\n%s' % result.output)
         checkvars = {}
@@ -375,7 +375,7 @@ class RecipetoolTests(RecipetoolBase):
         temprecipe = os.path.join(self.tempdir, 'recipe')
         os.makedirs(temprecipe)
         pv = '1.7.3.0'
-        srcuri = 'http://www.dest-unreach.org/socat/download/socat-%s.tar.bz2' % pv
+        srcuri = 'http://www.dest-unreach.org/socat/download/Archive/socat-%s.tar.bz2' % pv
         result = runCmd('recipetool create %s -o %s' % (srcuri, temprecipe))
         dirlist = os.listdir(temprecipe)
         if len(dirlist) > 1:
@@ -447,7 +447,7 @@ class RecipetoolTests(RecipetoolBase):
         self.assertTrue(os.path.isfile(recipefile))
         checkvars = {}
         checkvars['LICENSE'] = set(['Apache-2.0'])
-        checkvars['SRC_URI'] = 'git://github.com/mesonbuild/meson;protocol=https'
+        checkvars['SRC_URI'] = 'git://github.com/mesonbuild/meson;protocol=https;branch=master'
         inherits = ['setuptools3']
         self._test_recipe_contents(recipefile, checkvars, inherits)
 
@@ -514,7 +514,7 @@ class RecipetoolTests(RecipetoolBase):
         self.assertTrue(os.path.isfile(recipefile))
         checkvars = {}
         checkvars['LICENSE'] = set(['GPLv2'])
-        checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/matchbox-terminal;protocol=http'
+        checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/matchbox-terminal;protocol=http;branch=master'
         inherits = ['pkgconfig', 'autotools']
         self._test_recipe_contents(recipefile, checkvars, inherits)
 
diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py
index a62757399b..546dc91120 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -114,8 +114,9 @@ def compare_file(reference, test, diffutils_sysroot):
     result.status = SAME
     return result
 
-def run_diffoscope(a_dir, b_dir, html_dir, **kwargs):
-    return runCmd(['diffoscope', '--no-default-limits', '--exclude-directory-metadata', 'yes', '--html-dir', html_dir, a_dir, b_dir],
+def run_diffoscope(a_dir, b_dir, html_dir, max_report_size=0, **kwargs):
+    return runCmd(['diffoscope', '--no-default-limits', '--max-report-size', str(max_report_size),
+                   '--exclude-directory-metadata', 'yes', '--html-dir', html_dir, a_dir, b_dir],
                 **kwargs)
 
 class DiffoscopeTests(OESelftestTestCase):
@@ -145,6 +146,9 @@ class ReproducibleTests(OESelftestTestCase):
 
     package_classes = ['deb', 'ipk', 'rpm']
 
+    # Maximum report size, in bytes
+    max_report_size = 250 * 1024 * 1024
+
     # targets are the things we want to test the reproducibility of
     targets = ['core-image-minimal', 'core-image-sato', 'core-image-full-cmdline', 'core-image-weston', 'world']
     # sstate targets are things to pull from sstate to potentially cut build/debugging time
@@ -321,7 +325,7 @@ class ReproducibleTests(OESelftestTestCase):
                 # Copy jquery to improve the diffoscope output usability
                 self.copy_file(os.path.join(jquery_sysroot, 'usr/share/javascript/jquery/jquery.min.js'), os.path.join(package_html_dir, 'jquery.js'))
 
-                run_diffoscope('reproducibleA', 'reproducibleB', package_html_dir,
+                run_diffoscope('reproducibleA', 'reproducibleB', package_html_dir, max_report_size=self.max_report_size,
                         native_sysroot=diffoscope_sysroot, ignore_status=True, cwd=package_dir)
 
         if fails:
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
index b20c5b427b..f9649339e5 100644
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -185,6 +185,10 @@ class TestImage(OESelftestTestCase):
             self.skipTest('virgl isn\'t working with Debian 9')
         if distro and distro == 'centos-7':
             self.skipTest('virgl isn\'t working with Centos 7')
+        if distro and distro == 'centos-8':
+            self.skipTest('virgl isn\'t working with Centos 8')
+        if distro and distro == 'fedora-34':
+            self.skipTest('virgl isn\'t working with Fedora 34')
         if distro and distro == 'opensuseleap-15.0':
             self.skipTest('virgl isn\'t working with Opensuse 15.0')
 
@@ -228,6 +232,9 @@ class TestImage(OESelftestTestCase):
             dripath = subprocess.check_output("pkg-config --variable=dridriverdir dri", shell=True)
         except subprocess.CalledProcessError as e:
             self.skipTest("Could not determine the path to dri drivers on the host via pkg-config.\nPlease install Mesa development files (particularly, dri.pc) on the host machine.")
+        distro = oe.lsb.distro_identifier()
+        if distro and distro == 'fedora-34':
+            self.skipTest('virgl isn\'t working with Fedora 34')
         qemu_distrofeatures = get_bb_var('DISTRO_FEATURES', 'qemu-system-native')
         features = 'INHERIT += "testimage"\n'
         if 'opengl' not in qemu_distrofeatures:
diff --git a/meta/lib/oeqa/selftest/cases/sstatetests.py b/meta/lib/oeqa/selftest/cases/sstatetests.py
index c46e8ba489..e2fe38be87 100644
--- a/meta/lib/oeqa/selftest/cases/sstatetests.py
+++ b/meta/lib/oeqa/selftest/cases/sstatetests.py
@@ -39,7 +39,7 @@ class SStateTests(SStateBase):
 
         recipefile = os.path.join(tempdir, "recipes-test", "dbus-wait-test", 'dbus-wait-test_git.bb')
         os.makedirs(os.path.dirname(recipefile))
-        srcuri = 'git://' + srcdir + ';protocol=file'
+        srcuri = 'git://' + srcdir + ';protocol=file;branch=master'
         result = runCmd(['recipetool', 'create', '-o', recipefile, srcuri])
         self.assertTrue(os.path.isfile(recipefile), 'recipetool did not create recipe file; output:\n%s' % result.output)
 
diff --git a/meta/lib/oeqa/utils/buildproject.py b/meta/lib/oeqa/utils/buildproject.py
index e6d80cc8dc..dfb9661868 100644
--- a/meta/lib/oeqa/utils/buildproject.py
+++ b/meta/lib/oeqa/utils/buildproject.py
@@ -18,6 +18,7 @@ class BuildProject(metaclass=ABCMeta):
     def __init__(self, uri, foldername=None, tmpdir=None, dl_dir=None):
         self.uri = uri
         self.archive = os.path.basename(uri)
+        self.tempdirobj = None
         if not tmpdir:
             self.tempdirobj = tempfile.TemporaryDirectory(prefix='buildproject-')
             tmpdir = self.tempdirobj.name
@@ -57,6 +58,8 @@ class BuildProject(metaclass=ABCMeta):
         return self._run('cd %s; make install %s' % (self.targetdir, install_args))
 
     def clean(self):
+        if self.tempdirobj:
+            self.tempdirobj.cleanup()
         if not self.needclean:
              return
         self._run('rm -rf %s' % self.targetdir)
diff --git a/meta/lib/oeqa/utils/qemurunner.py b/meta/lib/oeqa/utils/qemurunner.py
index a0f17d557b..d6d47cfabb 100644
--- a/meta/lib/oeqa/utils/qemurunner.py
+++ b/meta/lib/oeqa/utils/qemurunner.py
@@ -235,7 +235,7 @@ class QemuRunner:
             r = os.fdopen(r)
             x = r.read()
             os.killpg(os.getpgid(self.runqemu.pid), signal.SIGTERM)
-            sys.exit(0)
+            os._exit(0)
 
         self.logger.debug("runqemu started, pid is %s" % self.runqemu.pid)
         self.logger.debug("waiting at most %s seconds for qemu pid (%s)" %
diff --git a/meta/lib/oeqa/utils/targetbuild.py b/meta/lib/oeqa/utils/targetbuild.py
index 1055810ca3..09738add1d 100644
--- a/meta/lib/oeqa/utils/targetbuild.py
+++ b/meta/lib/oeqa/utils/targetbuild.py
@@ -19,6 +19,7 @@ class BuildProject(metaclass=ABCMeta):
         self.d = d
         self.uri = uri
         self.archive = os.path.basename(uri)
+        self.tempdirobj = None
         if not tmpdir:
             tmpdir = self.d.getVar('WORKDIR')
             if not tmpdir:
@@ -71,9 +72,10 @@ class BuildProject(metaclass=ABCMeta):
         return self._run('cd %s; make install %s' % (self.targetdir, install_args))
 
     def clean(self):
+        if self.tempdirobj:
+            self.tempdirobj.cleanup()
         self._run('rm -rf %s' % self.targetdir)
         subprocess.check_call('rm -f %s' % self.localarchive, shell=True)
-        pass
 
 class TargetBuildProject(BuildProject):
 
diff --git a/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb b/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
index 5d6f200a73..e9dfa0770e 100644
--- a/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
+++ b/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb
@@ -10,7 +10,7 @@ DEPENDS = "efivar popt"
 
 COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
 
-SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https \
+SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https;branch=master \
            file://0001-remove-extra-decl.patch \
            file://97668ae0bce776a36ea2001dea63d376be8274ac.patch \
           "
diff --git a/meta/recipes-bsp/efivar/efivar_37.bb b/meta/recipes-bsp/efivar/efivar_37.bb
index 5bf121ff6e..fa1fe1ecdf 100644
--- a/meta/recipes-bsp/efivar/efivar_37.bb
+++ b/meta/recipes-bsp/efivar/efivar_37.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6626bb1e20189cfa95f2c508ba286393"
 
 COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
 
-SRC_URI = "git://github.com/rhinstaller/efivar.git \
+SRC_URI = "git://github.com/rhinstaller/efivar.git;branch=master;protocol=https \
            file://determinism.patch \
            file://no-werror.patch"
 SRCREV = "c1d6b10e1ed4ba2be07f385eae5bceb694478a10"
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
new file mode 100644
index 0000000000..dae26fd8bb
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch
@@ -0,0 +1,49 @@
+From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Fri, 3 Dec 2021 16:13:28 +0800
+Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg
+
+The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating
+configuration by grub-mkconfig) has inadvertently discarded umask for
+creating grub.cfg in the process of running grub-mkconfig. The resulting
+wrong permission (0644) would allow unprivileged users to read GRUB
+configuration file content. This presents a low confidentiality risk
+as grub.cfg may contain non-secured plain-text passwords.
+
+This patch restores the missing umask and sets the creation file mode
+to 0600 preventing unprivileged access.
+
+Fixes: CVE-2021-3981
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3981
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ util/grub-mkconfig.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index c3ea7612e..62335d027 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
++    oldumask=$(umask)
++    umask 077
+     cat ${grub_cfg}.new > ${grub_cfg}
++    umask $oldumask
+     rm -f ${grub_cfg}.new
+   fi
+ fi
+-- 
+2.31.1
+
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 3c6b434c2d..a70754e346 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -20,6 +20,7 @@ SRC_URI = "https://alpha.gnu.org/gnu/grub/grub-${REALPV}.tar.xz \
            file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
            file://determinism.patch \
            file://0001-RISC-V-Restore-the-typcast-to-long.patch \
+           file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \
 "
 
 SRC_URI[sha256sum] = "2c87f1f21e2ab50043e6cd9163c08f1b6c3a6171556bf23ff9ed65b074145484"
diff --git a/meta/recipes-bsp/opensbi/opensbi_0.9.bb b/meta/recipes-bsp/opensbi/opensbi_0.9.bb
index cb1c3f2ebf..e01491c9b7 100644
--- a/meta/recipes-bsp/opensbi/opensbi_0.9.bb
+++ b/meta/recipes-bsp/opensbi/opensbi_0.9.bb
@@ -9,7 +9,7 @@ require opensbi-payloads.inc
 inherit autotools-brokensep deploy
 
 SRCREV = "234ed8e427f4d92903123199f6590d144e0d9351"
-SRC_URI = "git://github.com/riscv/opensbi.git;branch=master \
+SRC_URI = "git://github.com/riscv/opensbi.git;branch=master;protocol=https \
            file://0001-Makefile-Don-t-specify-mabi-or-march.patch \
           "
 
diff --git a/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb b/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb
index 613e3161fb..8234b86162 100644
--- a/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb
+++ b/meta/recipes-bsp/u-boot/libubootenv_0.3.1.bb
@@ -10,7 +10,7 @@ LICENSE = "LGPL-2.1"
 LIC_FILES_CHKSUM = "file://Licenses/lgpl-2.1.txt;md5=4fbd65380cdd255951079008b364516c"
 SECTION = "libs"
 
-SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https"
+SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https;branch=master"
 SRCREV = "824551ac77bab1d0f7ae34d7a7c77b155240e754"
 
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 993478a73b..17c6140216 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,7 +14,7 @@ PE = "1"
 # repo during parse
 SRCREV = "c4fddedc48f336eabc4ce3f74940e6aa372de18c"
 
-SRC_URI = "git://git.denx.de/u-boot.git \
+SRC_URI = "git://git.denx.de/u-boot.git;branch=master \
            file://0001-add-valid-fdt-check.patch \
            file://CVE-2021-27097-1.patch \
            file://CVE-2021-27097-2.patch \
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index a07cdbd03c..69ac35ee07 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
            file://initscript.patch \
            file://0001-Fix-opening-etc-resolv.conf-error.patch \
            file://handle-hup.patch \
+           file://local-ping.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/local-ping.patch b/meta/recipes-connectivity/avahi/files/local-ping.patch
new file mode 100644
index 0000000000..29c192d296
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/local-ping.patch
@@ -0,0 +1,153 @@
+CVE: CVE-2021-36217
+CVE: CVE-2021-3502
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 9d31939e55280a733d930b15ac9e4dda4497680c Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+Date: Mon, 8 Feb 2021 11:04:43 +0200
+Subject: [PATCH] Fix NULL pointer crashes from #175
+
+avahi-daemon is crashing when running "ping .local".
+The crash is due to failing assertion from NULL pointer.
+Add missing NULL pointer checks to fix it.
+
+Introduced in #175 - merge commit 8f75a045709a780c8cf92a6a21e9d35b593bdecd
+---
+ avahi-core/browse-dns-server.c   | 5 ++++-
+ avahi-core/browse-domain.c       | 5 ++++-
+ avahi-core/browse-service-type.c | 3 +++
+ avahi-core/browse-service.c      | 3 +++
+ avahi-core/browse.c              | 3 +++
+ avahi-core/resolve-address.c     | 5 ++++-
+ avahi-core/resolve-host-name.c   | 5 ++++-
+ avahi-core/resolve-service.c     | 5 ++++-
+ 8 files changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/avahi-core/browse-dns-server.c b/avahi-core/browse-dns-server.c
+index 049752e9..c2d914fa 100644
+--- a/avahi-core/browse-dns-server.c
++++ b/avahi-core/browse-dns-server.c
+@@ -343,7 +343,10 @@ AvahiSDNSServerBrowser *avahi_s_dns_server_browser_new(
+         AvahiSDNSServerBrowser* b;
+ 
+         b = avahi_s_dns_server_browser_prepare(server, interface, protocol, domain, type, aprotocol, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_dns_server_browser_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/browse-domain.c b/avahi-core/browse-domain.c
+index f145d56a..06fa70c0 100644
+--- a/avahi-core/browse-domain.c
++++ b/avahi-core/browse-domain.c
+@@ -253,7 +253,10 @@ AvahiSDomainBrowser *avahi_s_domain_browser_new(
+         AvahiSDomainBrowser *b;
+ 
+         b = avahi_s_domain_browser_prepare(server, interface, protocol, domain, type, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_domain_browser_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/browse-service-type.c b/avahi-core/browse-service-type.c
+index fdd22dcd..b1fc7af8 100644
+--- a/avahi-core/browse-service-type.c
++++ b/avahi-core/browse-service-type.c
+@@ -171,6 +171,9 @@ AvahiSServiceTypeBrowser *avahi_s_service_type_browser_new(
+         AvahiSServiceTypeBrowser *b;
+ 
+         b = avahi_s_service_type_browser_prepare(server, interface, protocol, domain, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_service_type_browser_start(b);
+ 
+         return b;
+diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c
+index 5531360c..63e0275a 100644
+--- a/avahi-core/browse-service.c
++++ b/avahi-core/browse-service.c
+@@ -184,6 +184,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_new(
+         AvahiSServiceBrowser *b;
+ 
+         b = avahi_s_service_browser_prepare(server, interface, protocol, service_type, domain, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_service_browser_start(b);
+ 
+         return b;
+diff --git a/avahi-core/browse.c b/avahi-core/browse.c
+index 2941e579..e8a915e9 100644
+--- a/avahi-core/browse.c
++++ b/avahi-core/browse.c
+@@ -634,6 +634,9 @@ AvahiSRecordBrowser *avahi_s_record_browser_new(
+         AvahiSRecordBrowser *b;
+ 
+         b = avahi_s_record_browser_prepare(server, interface, protocol, key, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_record_browser_start_query(b);
+ 
+         return b;
+diff --git a/avahi-core/resolve-address.c b/avahi-core/resolve-address.c
+index ac0b29b1..e61dd242 100644
+--- a/avahi-core/resolve-address.c
++++ b/avahi-core/resolve-address.c
+@@ -286,7 +286,10 @@ AvahiSAddressResolver *avahi_s_address_resolver_new(
+         AvahiSAddressResolver *b;
+ 
+         b = avahi_s_address_resolver_prepare(server, interface, protocol, address, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_address_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/resolve-host-name.c b/avahi-core/resolve-host-name.c
+index 808b0e72..4e8e5973 100644
+--- a/avahi-core/resolve-host-name.c
++++ b/avahi-core/resolve-host-name.c
+@@ -318,7 +318,10 @@ AvahiSHostNameResolver *avahi_s_host_name_resolver_new(
+         AvahiSHostNameResolver *b;
+ 
+         b = avahi_s_host_name_resolver_prepare(server, interface, protocol, host_name, aprotocol, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_host_name_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
++}
+diff --git a/avahi-core/resolve-service.c b/avahi-core/resolve-service.c
+index 66bf3cae..43771763 100644
+--- a/avahi-core/resolve-service.c
++++ b/avahi-core/resolve-service.c
+@@ -519,7 +519,10 @@ AvahiSServiceResolver *avahi_s_service_resolver_new(
+         AvahiSServiceResolver *b;
+ 
+         b = avahi_s_service_resolver_prepare(server, interface, protocol, name, type, domain, aprotocol, flags, callback, userdata);
++        if (!b)
++            return NULL;
++
+         avahi_s_service_resolver_start(b);
+ 
+         return b;
+-}
+\ No newline at end of file
++}
diff --git a/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-1.patch b/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-1.patch
new file mode 100644
index 0000000000..f63c333264
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-1.patch
@@ -0,0 +1,76 @@
+From 011e9418ce9bb25675de6ac8d47536efedeeb312 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Fri, 24 Sep 2021 09:35:11 +0200
+Subject: [PATCH] Disable lame-ttl cache
+
+The lame-ttl cache is implemented in ADB as per-server locked
+linked-list "indexed" with <qname,qtype>.  This list has to be walked
+every time there's a new query or new record added into the lame cache.
+Determined attacker can use this to degrade performance of the resolver.
+
+Resolver testing has shown that disabling the lame cache has little
+impact on the resolver performance and it's a minimal viable defense
+against this kind of attack.
+
+CVE: CVE-2021-25219
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/8fe18c0566c41228a568157287f5a44f96d37662]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ bin/named/config.c    | 2 +-
+ bin/named/server.c    | 7 +++++--
+ doc/arm/reference.rst | 6 +++---
+ 3 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index fa8473db7c..b6453b814e 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -151,7 +151,7 @@ options {\n\
+ 	fetches-per-server 0;\n\
+ 	fetches-per-zone 0;\n\
+ 	glue-cache yes;\n\
+-	lame-ttl 600;\n"
++	lame-ttl 0;\n"
+ #ifdef HAVE_LMDB
+ 			    "	lmdb-mapsize 32M;\n"
+ #endif /* ifdef HAVE_LMDB */
+diff --git a/bin/named/server.c b/bin/named/server.c
+index 638703e8c2..35ad6a0b7f 100644
+--- a/bin/named/server.c
++++ b/bin/named/server.c
+@@ -4806,8 +4806,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
+ 	result = named_config_get(maps, "lame-ttl", &obj);
+ 	INSIST(result == ISC_R_SUCCESS);
+ 	lame_ttl = cfg_obj_asduration(obj);
+-	if (lame_ttl > 1800) {
+-		lame_ttl = 1800;
++	if (lame_ttl > 0) {
++		cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
++			    "disabling lame cache despite lame-ttl > 0 as it "
++			    "may cause performance issues");
++		lame_ttl = 0;
+ 	}
+ 	dns_resolver_setlamettl(view->resolver, lame_ttl);
+ 
+diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
+index 3bc4439745..fea854f3d1 100644
+--- a/doc/arm/reference.rst
++++ b/doc/arm/reference.rst
+@@ -3358,9 +3358,9 @@ Tuning
+ ^^^^^^
+ 
+ ``lame-ttl``
+-   This sets the number of seconds to cache a lame server indication. 0
+-   disables caching. (This is **NOT** recommended.) The default is
+-   ``600`` (10 minutes) and the maximum value is ``1800`` (30 minutes).
++   This is always set to 0. More information is available in the
++   `security advisory for CVE-2021-25219
++   <https://kb.isc.org/docs/cve-2021-25219>`_.
+ 
+ ``servfail-ttl``
+    This sets the number of seconds to cache a SERVFAIL response due to DNSSEC
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-2.patch b/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-2.patch
new file mode 100644
index 0000000000..1217f7f186
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.16.16/CVE-2021-25219-2.patch
@@ -0,0 +1,65 @@
+From 117cf776a7add27ac6d236b4062258da0d068486 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>
+Date: Mon, 15 Nov 2021 16:26:52 +0800
+Subject: [PATCH] Enable lame response detection even with disabled lame cache
+
+Previously, when lame cache would be disabled by setting lame-ttl to 0,
+it would also disable lame answer detection.  In this commit, we enable
+the lame response detection even when the lame cache is disabled.  This
+enables stopping answer processing early rather than going through the
+whole answer processing flow.
+
+CVE: CVE-2021-25219
+
+Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/e4931584a34bdd0a0d18e4d918fb853bf5296787]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ lib/dns/resolver.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 50fadc0..9291bd4 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -10217,25 +10217,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
+  */
+ static isc_result_t
+ rctx_lameserver(respctx_t *rctx) {
+-	isc_result_t result;
++	isc_result_t result = ISC_R_SUCCESS;
+ 	fetchctx_t *fctx = rctx->fctx;
+ 	resquery_t *query = rctx->query;
+ 
+-	if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) ||
+-	    !is_lame(fctx, query->rmessage))
+-	{
++	if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
+ 		return (ISC_R_SUCCESS);
+ 	}
+ 
+ 	inc_stats(fctx->res, dns_resstatscounter_lame);
+ 	log_lame(fctx, query->addrinfo);
+-	result = dns_adb_marklame(fctx->adb, query->addrinfo, &fctx->name,
+-				  fctx->type, rctx->now + fctx->res->lame_ttl);
+-	if (result != ISC_R_SUCCESS) {
+-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+-			      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+-			      "could not mark server as lame: %s",
+-			      isc_result_totext(result));
++	if (fctx->res->lame_ttl != 0) {
++		result = dns_adb_marklame(fctx->adb, query->addrinfo,
++					  &fctx->name, fctx->type,
++					  rctx->now + fctx->res->lame_ttl);
++		if (result != ISC_R_SUCCESS) {
++			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
++				      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
++				      "could not mark server as lame: %s",
++				      isc_result_totext(result));
++		}
+ 	}
+ 	rctx->broken_server = DNS_R_LAME;
+ 	rctx->next_server = true;
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/bind/bind_9.16.16.bb b/meta/recipes-connectivity/bind/bind_9.16.16.bb
index 27aa6221ba..4bfdeca9ce 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.16.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.16.bb
@@ -18,6 +18,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
            file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
            file://0001-avoid-start-failure-with-bind-user.patch \
+           file://CVE-2021-25219-1.patch \
+           file://CVE-2021-25219-2.patch \
            "
 
 SRC_URI[sha256sum] = "6c913902adf878e7dc5e229cea94faefc9d40f44775a30213edd08860f761d7b"
@@ -26,6 +28,10 @@ UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.16 follow the ESV versions divisible by 4
 UPSTREAM_CHECK_REGEX = "(?P<pver>9.(16|20|24|28)(\.\d+)+(-P\d+)*)/"
 
+# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
+# so the issue doesn't affect us.
+CVE_CHECK_WHITELIST += "CVE-2019-6470"
+
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
 
 # PACKAGECONFIGs readline and libedit should NOT be set at same time
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index a7b628ce1b..22e0f33610 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -52,6 +52,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
            ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \
            file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
            file://0001-test-gatt-Fix-hung-issue.patch \
+           file://0001-adapter-Fix-storing-discoverable-setting.patch \
+           file://0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch \
            "
 S = "${WORKDIR}/bluez-${PV}"
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-adapter-Fix-storing-discoverable-setting.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-adapter-Fix-storing-discoverable-setting.patch
new file mode 100644
index 0000000000..c2a5edd226
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-adapter-Fix-storing-discoverable-setting.patch
@@ -0,0 +1,100 @@
+From b497b5942a8beb8f89ca1c359c54ad67ec843055 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 24 Jun 2021 16:32:04 -0700
+Subject: [PATCH] adapter: Fix storing discoverable setting
+
+discoverable setting shall only be store when changed via Discoverable
+property and not when discovery client set it as that be considered
+temporary just for the lifetime of the discovery.
+
+Upstream-Status: Backport
+(https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=b497b5942a8beb8f89ca1c359c54ad67ec843055)
+
+CVE: CVE-2021-3658
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+---
+ src/adapter.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/adapter.c b/src/adapter.c
+index 12e4ff5c0..663b778e4 100644
+--- a/src/adapter.c
++++ b/src/adapter.c
+@@ -560,7 +560,11 @@ static void settings_changed(struct btd_adapter *adapter, uint32_t settings)
+ 	if (changed_mask & MGMT_SETTING_DISCOVERABLE) {
+ 		g_dbus_emit_property_changed(dbus_conn, adapter->path,
+ 					ADAPTER_INTERFACE, "Discoverable");
+-		store_adapter_info(adapter);
++		/* Only persist discoverable setting if it was not set
++		 * temporarily by discovery.
++		 */
++		if (!adapter->discovery_discoverable)
++			store_adapter_info(adapter);
+ 		btd_adv_manager_refresh(adapter->adv_manager);
+ 	}
+ 
+@@ -2162,8 +2166,6 @@ static bool filters_equal(struct mgmt_cp_start_service_discovery *a,
+ static int update_discovery_filter(struct btd_adapter *adapter)
+ {
+ 	struct mgmt_cp_start_service_discovery *sd_cp;
+-	GSList *l;
+-
+ 
+ 	DBG("");
+ 
+@@ -2173,17 +2175,24 @@ static int update_discovery_filter(struct btd_adapter *adapter)
+ 		return -ENOMEM;
+ 	}
+ 
+-	for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
+-		struct discovery_client *client = l->data;
++	/* Only attempt to overwrite current discoverable setting when not
++	 * discoverable.
++	 */
++	if (!(adapter->current_settings & MGMT_OP_SET_DISCOVERABLE)) {
++		GSList *l;
+ 
+-		if (!client->discovery_filter)
+-			continue;
++		for (l = adapter->discovery_list; l; l = g_slist_next(l)) {
++			struct discovery_client *client = l->data;
+ 
+-		if (client->discovery_filter->discoverable)
+-			break;
+-	}
++			if (!client->discovery_filter)
++				continue;
+ 
+-	set_discovery_discoverable(adapter, l ? true : false);
++			if (client->discovery_filter->discoverable) {
++				set_discovery_discoverable(adapter, true);
++				break;
++			}
++		}
++	}
+ 
+ 	/*
+ 	 * If filters are equal, then don't update scan, except for when
+@@ -2216,8 +2225,7 @@ static int discovery_stop(struct discovery_client *client)
+ 		return 0;
+ 	}
+ 
+-	if (adapter->discovery_discoverable)
+-		set_discovery_discoverable(adapter, false);
++	set_discovery_discoverable(adapter, false);
+ 
+ 	/*
+ 	 * In the idle phase of a discovery, there is no need to stop it
+@@ -6913,6 +6921,7 @@ static void adapter_stop(struct btd_adapter *adapter)
+ 	g_free(adapter->current_discovery_filter);
+ 	adapter->current_discovery_filter = NULL;
+ 
++	set_discovery_discoverable(adapter, false);
+ 	adapter->discovering = false;
+ 
+ 	while (adapter->connections) {
+-- 
+2.33.0
+
diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
new file mode 100644
index 0000000000..422fd211ca
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/0001-shared-gatt-server-Fix-not-properly-checking-for-sec.patch
@@ -0,0 +1,113 @@
+From 00da0fb4972cf59e1c075f313da81ea549cb8738 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 2 Mar 2021 11:38:33 -0800
+Subject: [PATCH] shared/gatt-server: Fix not properly checking for secure
+ flags
+
+When passing the mask to check_permissions all valid permissions for
+the operation must be set including BT_ATT_PERM_SECURE flags.
+
+Upstream-Status: Backport
+(https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738)
+
+CVE: CVE-2021-0129
+
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+---
+ src/shared/att-types.h   |  8 ++++++++
+ src/shared/gatt-server.c | 25 +++++++------------------
+ 2 files changed, 15 insertions(+), 18 deletions(-)
+
+diff --git a/src/shared/att-types.h b/src/shared/att-types.h
+index 7108b4e94..3adc05d9e 100644
+--- a/src/shared/att-types.h
++++ b/src/shared/att-types.h
+@@ -129,6 +129,14 @@ struct bt_att_pdu_error_rsp {
+ #define BT_ATT_PERM_WRITE_SECURE	0x0200
+ #define BT_ATT_PERM_SECURE		(BT_ATT_PERM_READ_SECURE | \
+ 					BT_ATT_PERM_WRITE_SECURE)
++#define BT_ATT_PERM_READ_MASK		(BT_ATT_PERM_READ | \
++					BT_ATT_PERM_READ_AUTHEN | \
++					BT_ATT_PERM_READ_ENCRYPT | \
++					BT_ATT_PERM_READ_SECURE)
++#define BT_ATT_PERM_WRITE_MASK		(BT_ATT_PERM_WRITE | \
++					BT_ATT_PERM_WRITE_AUTHEN | \
++					BT_ATT_PERM_WRITE_ENCRYPT | \
++					BT_ATT_PERM_WRITE_SECURE)
+ 
+ /* GATT Characteristic Properties Bitfield values */
+ #define BT_GATT_CHRC_PROP_BROADCAST			0x01
+diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
+index b5f7de7dc..970c35f94 100644
+--- a/src/shared/gatt-server.c
++++ b/src/shared/gatt-server.c
+@@ -444,9 +444,7 @@ static void process_read_by_type(struct async_read_op *op)
+ 		return;
+ 	}
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -811,9 +809,7 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
+ 				(opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
+ 				handle);
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-						BT_ATT_PERM_WRITE_AUTHEN |
+-						BT_ATT_PERM_WRITE_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -913,9 +909,7 @@ static void handle_read_req(struct bt_att_chan *chan,
+ 			opcode == BT_ATT_OP_READ_BLOB_REQ ? "Blob " : "",
+ 			handle);
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -1051,9 +1045,8 @@ static void read_multiple_complete_cb(struct gatt_db_attribute *attr, int err,
+ 		goto error;
+ 	}
+ 
+-	ecode = check_permissions(data->server, next_attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(data->server, next_attr,
++						BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -1129,9 +1122,7 @@ static void read_multiple_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 		goto error;
+ 	}
+ 
+-	ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ |
+-						BT_ATT_PERM_READ_AUTHEN |
+-						BT_ATT_PERM_READ_ENCRYPT);
++	ecode = check_permissions(data->server, attr, BT_ATT_PERM_READ_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+@@ -1308,9 +1299,7 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
+ 	util_debug(server->debug_callback, server->debug_data,
+ 				"Prep Write Req - handle: 0x%04x", handle);
+ 
+-	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE |
+-						BT_ATT_PERM_WRITE_AUTHEN |
+-						BT_ATT_PERM_WRITE_ENCRYPT);
++	ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
+ 	if (ecode)
+ 		goto error;
+ 
+-- 
+2.31.1
+
diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
index af986c4eab..e4eeb3c726 100644
--- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
+++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
@@ -10,7 +10,7 @@ DEPENDS = "gtk+3 dbus-glib dbus-glib-native intltool-native gettext-native"
 
 # 0.7 tag
 SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143"
-SRC_URI = "git://github.com/connectivity/connman-gnome.git \
+SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protocol=https \
            file://0001-Removed-icon-from-connman-gnome-about-applet.patch \
            file://null_check_for_ipv4_config.patch \
            file://images/ \
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index 776bbfbff2..bd1dfd5b01 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
 
 inherit autotools pkgconfig systemd update-rc.d update-alternatives
 
+CVE_PRODUCT = "connman connection_manager"
+
 DEPENDS  = "dbus glib-2.0 ppp"
 
 EXTRA_OECONF += "\
diff --git a/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
new file mode 100644
index 0000000000..f05c696929
--- /dev/null
+++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
@@ -0,0 +1,67 @@
+From 98ccabf68e5b3f0a177bd1925581753d10041448 Mon Sep 17 00:00:00 2001
+From: Simon Josefsson <simon@josefsson.org>
+Date: Wed, 1 Sep 2021 09:09:50 +0200
+Subject: [PATCH] ftp: check that PASV/LSPV addresses match.
+
+* NEWS: Mention change.
+* ftp/ftp.c (initconn): Validate returned addresses.
+
+CVE: CVE-2021-40491
+
+Upstream-Status: Backport
+[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ftp/ftp.c | 21 +++++++++++++++++++++
+ 1 files changed, 21 insertions(+)
+
+diff --git a/ftp/ftp.c b/ftp/ftp.c
+index d21dbdd..7513539 100644
+--- a/ftp/ftp.c
++++ b/ftp/ftp.c
+@@ -1365,6 +1365,13 @@ initconn (void)
+ 		  uint32_t *pu32 = (uint32_t *) &data_addr_sa4->sin_addr.s_addr;
+ 		  pu32[0] = htonl ( (h[0] << 24) | (h[1] << 16) | (h[2] << 8) | h[3]);
+ 		}
++		if (data_addr_sa4->sin_addr.s_addr
++		    != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++		  {
++		    printf ("Passive mode address mismatch.\n");
++		    (void) command ("ABOR");	/* Cancel any open connection.  */
++		    goto bad;
++		  }
+ 	    } /* LPSV IPv4 */
+ 	  else /* IPv6 */
+ 	    {
+@@ -1395,6 +1402,13 @@ initconn (void)
+ 		  pu32[2] = htonl ( (h[8] << 24) | (h[9] << 16) | (h[10] << 8) | h[11]);
+ 		  pu32[3] = htonl ( (h[12] << 24) | (h[13] << 16) | (h[14] << 8) | h[15]);
+ 		}
++		if (data_addr_sa6->sin6_addr.s6_addr
++		    != ((struct sockaddr_in6 *) &hisctladdr)->sin6_addr.s6_addr)
++		  {
++		    printf ("Passive mode address mismatch.\n");
++		    (void) command ("ABOR");	/* Cancel any open connection.  */
++		    goto bad;
++		  }
+ 	    } /* LPSV IPv6 */
+ 	}
+       else /* !EPSV && !LPSV */
+@@ -1415,6 +1429,13 @@ initconn (void)
+ 			 | ((a2 & 0xff) << 8) | (a3 & 0xff) );
+ 	      data_addr_sa4->sin_port =
+ 		  htons (((p0 & 0xff) << 8) | (p1 & 0xff));
++	      if (data_addr_sa4->sin_addr.s_addr
++		  != ((struct sockaddr_in *) &hisctladdr)->sin_addr.s_addr)
++		{
++		  printf ("Passive mode address mismatch.\n");
++		  (void) command ("ABOR");	/* Cancel any open connection.  */
++		  goto bad;
++		}
+ 	    } /* PASV */
+ 	  else
+ 	    {
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.0.bb b/meta/recipes-connectivity/inetutils/inetutils_2.0.bb
index a4d05b0542..d299bc359e 100644
--- a/meta/recipes-connectivity/inetutils/inetutils_2.0.bb
+++ b/meta/recipes-connectivity/inetutils/inetutils_2.0.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \
            file://tftpd.xinetd.inetutils \
            file://inetutils-1.9-PATH_PROCNET_DEV.patch \
            file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \
+           file://CVE-2021-40491.patch \
 "
 
 SRC_URI[md5sum] = "5e1018502cd131ed8e42339f6b5c98aa"
diff --git a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
index 9a83898e52..5213b28345 100644
--- a/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
+++ b/meta/recipes-connectivity/libnss-mdns/libnss-mdns_0.14.1.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1"
 
 DEPENDS = "avahi"
 
-SRC_URI = "git://github.com/lathiat/nss-mdns \
+SRC_URI = "git://github.com/lathiat/nss-mdns;branch=master;protocol=https \
            "
 
 SRCREV = "41c9c5e78f287ed4b41ac438c1873fa71bfa70ae"
diff --git a/meta/recipes-connectivity/libuv/libuv_1.41.0.bb b/meta/recipes-connectivity/libuv/libuv_1.41.0.bb
index 4987331dc8..e15d338941 100644
--- a/meta/recipes-connectivity/libuv/libuv_1.41.0.bb
+++ b/meta/recipes-connectivity/libuv/libuv_1.41.0.bb
@@ -6,7 +6,7 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=a68902a430e32200263d182d44924d47"
 
 SRCREV = "1dff88e5161cba5c59276d2070d2e304e4dcb242"
-SRC_URI = "git://github.com/libuv/libuv;branch=v1.x"
+SRC_URI = "git://github.com/libuv/libuv;branch=v1.x;protocol=https"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
index f170cf4650..781b9216c5 100644
--- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
+++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb
@@ -4,11 +4,12 @@ DESCRIPTION = "Mobile Broadband Service Provider Database stores service provide
 SECTION = "network"
 LICENSE = "PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04"
-SRCREV = "90f3fe28aa25135b7e4a54a7816388913bfd4a2a"
-PV = "20201225"
+
+SRCREV = "4cbb44a9fe26aa6f0b28beb79f9488b37c097b5e"
+PV = "20220315"
 PE = "1"
 
-SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https"
+SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main"
 S = "${WORKDIR}/git"
 
 inherit autotools
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
new file mode 100644
index 0000000000..9ca7c2f202
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
@@ -0,0 +1,49 @@
+From 1f0707e8e78ef290fd0f229df3fcd2236f29db89 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 28 Oct 2021 11:11:05 +0800
+Subject: [PATCH] upstream: need initgroups() before setresgid(); reported by
+ anton@,
+
+ok deraadt@
+
+OpenBSD-Commit-ID: 6aa003ee658b316960d94078f2a16edbc25087ce
+
+CVE: CVE-2021-41617
+Upstream-Status: [Backport]
+https://github.com/openssh/openssh-portable/commit/f3cbe43e28fe71427d41cfe3a17125b972710455
+https://github.com/openssh/openssh-portable/commit/bf944e3794eff5413f2df1ef37cddf96918c6bde
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ misc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/misc.c b/misc.c
+index d988ce3..33eca1c 100644
+--- a/misc.c
++++ b/misc.c
+@@ -56,6 +56,7 @@
+ #ifdef HAVE_PATHS_H
+ # include <paths.h>
+ #include <pwd.h>
++#include <grp.h>
+ #endif
+ #ifdef SSH_TUN_OPENBSD
+ #include <net/if.h>
+@@ -2629,6 +2630,13 @@ subprocess(const char *tag, const char *command,
+ 		}
+ 		closefrom(STDERR_FILENO + 1);
+ 
++		if (geteuid() == 0 &&
++		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
++			error("%s: initgroups(%s, %u): %s", tag,
++			    pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++			_exit(1);
++		}
++
+ 		if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
+ 			error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
+ 			    strerror(errno));
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/openssh/openssh_8.5p1.bb b/meta/recipes-connectivity/openssh/openssh_8.5p1.bb
index c6de519884..9a5f37bc39 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.5p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.5p1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
            file://sshd_check_keys \
            file://add-test-support-for-busybox.patch \
+           file://CVE-2021-41617.patch \
            "
 SRC_URI[sha256sum] = "f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25"
 
diff --git a/meta/recipes-connectivity/openssl/openssl/reproducibility.patch b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch
new file mode 100644
index 0000000000..8accbc9df2
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch
@@ -0,0 +1,22 @@
+Using localtime() means the output can depend on the timezone of the build machine.
+Using gmtime() is safer. For complete reproducibility use SOURCE_DATE_EPOCH if set.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Pending [should be suitable]
+
+Index: openssl-3.0.1/apps/progs.pl
+===================================================================
+--- openssl-3.0.1.orig/apps/progs.pl
++++ openssl-3.0.1/apps/progs.pl
+@@ -21,7 +21,10 @@ die "Unrecognised option, must be -C or
+ my %commands     = ();
+ my $cmdre        = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/;
+ my $apps_openssl = shift @ARGV;
+-my $YEAR         = [localtime()]->[5] + 1900;
++my $YEAR         = [gmtime()]->[5] + 1900;
++if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
++    $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH})]->[5] + 1900;
++}
+ 
+ # because the program apps/openssl has object files as sources, and
+ # they then have the corresponding C files as source, we need to chain
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb
index e518cb6a02..df13abf54e 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
            file://reproducible.patch \
+           file://reproducibility.patch \
            "
 
 SRC_URI_append_class-nativesdk = " \
@@ -28,7 +29,7 @@ SRC_URI_append_riscv32 = " \
            file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \
            "
 
-SRC_URI[sha256sum] = "892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5"
+SRC_URI[sha256sum] = "40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -203,6 +204,7 @@ do_install_ptest () {
 	install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
 
 	install -d ${D}${PTEST_PATH}/engines
+	install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
 	install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
 
         # seems to be needed with perl 5.32.1
diff --git a/meta/recipes-connectivity/socat/socat_1.7.4.1.bb b/meta/recipes-connectivity/socat/socat_1.7.4.1.bb
index 5a13af91bc..0a1b65a8ca 100644
--- a/meta/recipes-connectivity/socat/socat_1.7.4.1.bb
+++ b/meta/recipes-connectivity/socat/socat_1.7.4.1.bb
@@ -9,7 +9,7 @@ LICENSE = "GPL-2.0-with-OpenSSL-exception"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
                     file://README;beginline=257;endline=287;md5=82520b052f322ac2b5b3dfdc7c7eea86"
 
-SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
+SRC_URI = "http://www.dest-unreach.org/socat/download/Archive/socat-${PV}.tar.bz2 \
 "
 
 SRC_URI[md5sum] = "36cad050ecf4981ab044c3fbd75c643f"
diff --git a/meta/recipes-core/busybox/busybox-inittab_1.33.0.bb b/meta/recipes-core/busybox/busybox-inittab_1.33.2.bb
index 3804f4f7b2..3804f4f7b2 100644
--- a/meta/recipes-core/busybox/busybox-inittab_1.33.0.bb
+++ b/meta/recipes-core/busybox/busybox-inittab_1.33.2.bb
diff --git a/meta/recipes-core/busybox/busybox/0001-awk-fix-CVEs.patch b/meta/recipes-core/busybox/busybox/0001-awk-fix-CVEs.patch
new file mode 100644
index 0000000000..c07b53ebfd
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-awk-fix-CVEs.patch
@@ -0,0 +1,3266 @@
+From cf542caeed195af05fa6205341f829ccee53f8c2 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Tue, 4 Jan 2022 17:48:03 -0800
+Subject: [PATCH] awk: fix CVEs
+
+The awk CVEs is hard to be separated, thus we use the following method
+to format the current patch.
+git rev-list --reverse 1_33_2..1_34_1 -- editors/awk.c | xargs git cherry-pick
+git reset HEAD~66 && git add . && git commit
+
+CVE: CVE-2021-42378
+CVE: CVE-2021-42379
+CVE: CVE-2021-42380
+CVE: CVE-2021-42381
+CVE: CVE-2021-42382
+CVE: CVE-2021-42383
+CVE: CVE-2021-42384
+CVE: CVE-2021-42385
+CVE: CVE-2021-42386
+
+Upstream-Status: Backport
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ editors/awk.c          | 2060 +++++++++++++++++++++++-----------------
+ testsuite/awk.tests    |   62 +-
+ testsuite/printf.tests |    5 +
+ 3 files changed, 1264 insertions(+), 863 deletions(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index 2c15f9e4e..f6314ac72 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -66,6 +66,8 @@
+ #endif
+ #ifndef debug_printf_parse
+ # define debug_printf_parse(...) (fprintf(stderr, __VA_ARGS__))
++#else
++# define debug_parse_print_tc(...) ((void)0)
+ #endif
+ 
+ 
+@@ -91,7 +93,6 @@ enum {
+ };
+ 
+ #define	MAXVARFMT       240
+-#define	MINNVBLOCK      64
+ 
+ /* variable flags */
+ #define	VF_NUMBER       0x0001	/* 1 = primary type is number */
+@@ -101,7 +102,7 @@ enum {
+ #define	VF_USER         0x0200	/* 1 = user input (may be numeric string) */
+ #define	VF_SPECIAL      0x0400	/* 1 = requires extra handling when changed */
+ #define	VF_WALK         0x0800	/* 1 = variable has alloc'd x.walker list */
+-#define	VF_FSTR         0x1000	/* 1 = var::string points to fstring buffer */
++#define	VF_FSTR         0x1000	/* 1 = don't free() var::string (not malloced, or is owned by something else) */
+ #define	VF_CHILD        0x2000	/* 1 = function arg; x.parent points to source */
+ #define	VF_DIRTY        0x4000	/* 1 = variable was set explicitly */
+ 
+@@ -118,8 +119,8 @@ typedef struct walker_list {
+ /* Variable */
+ typedef struct var_s {
+ 	unsigned type;            /* flags */
+-	double number;
+ 	char *string;
++	double number;
+ 	union {
+ 		int aidx;               /* func arg idx (for compilation stage) */
+ 		struct xhash_s *array;  /* array ptr */
+@@ -138,6 +139,7 @@ typedef struct chain_s {
+ /* Function */
+ typedef struct func_s {
+ 	unsigned nargs;
++	smallint defined;
+ 	struct chain_s body;
+ } func;
+ 
+@@ -177,7 +179,7 @@ typedef struct node_s {
+ 		struct node_s *n;
+ 		var *v;
+ 		int aidx;
+-		char *new_progname;
++		const char *new_progname;
+ 		regex_t *re;
+ 	} l;
+ 	union {
+@@ -190,91 +192,120 @@ typedef struct node_s {
+ 	} a;
+ } node;
+ 
+-/* Block of temporary variables */
+-typedef struct nvblock_s {
+-	int size;
+-	var *pos;
+-	struct nvblock_s *prev;
+-	struct nvblock_s *next;
+-	var nv[];
+-} nvblock;
+-
+ typedef struct tsplitter_s {
+ 	node n;
+ 	regex_t re[2];
+ } tsplitter;
+ 
+ /* simple token classes */
+-/* Order and hex values are very important!!!  See next_token() */
+-#define	TC_SEQSTART	(1 << 0)		/* ( */
+-#define	TC_SEQTERM	(1 << 1)		/* ) */
+-#define	TC_REGEXP	(1 << 2)		/* /.../ */
+-#define	TC_OUTRDR	(1 << 3)		/* | > >> */
+-#define	TC_UOPPOST	(1 << 4)		/* unary postfix operator */
+-#define	TC_UOPPRE1	(1 << 5)		/* unary prefix operator */
+-#define	TC_BINOPX	(1 << 6)		/* two-opnd operator */
+-#define	TC_IN		(1 << 7)
+-#define	TC_COMMA	(1 << 8)
+-#define	TC_PIPE		(1 << 9)		/* input redirection pipe */
+-#define	TC_UOPPRE2	(1 << 10)		/* unary prefix operator */
+-#define	TC_ARRTERM	(1 << 11)		/* ] */
+-#define	TC_GRPSTART	(1 << 12)		/* { */
+-#define	TC_GRPTERM	(1 << 13)		/* } */
+-#define	TC_SEMICOL	(1 << 14)
+-#define	TC_NEWLINE	(1 << 15)
+-#define	TC_STATX	(1 << 16)		/* ctl statement (for, next...) */
+-#define	TC_WHILE	(1 << 17)
+-#define	TC_ELSE		(1 << 18)
+-#define	TC_BUILTIN	(1 << 19)
++/* order and hex values are very important!!!  See next_token() */
++#define TC_LPAREN       (1 << 0)        /* ( */
++#define TC_RPAREN       (1 << 1)        /* ) */
++#define TC_REGEXP       (1 << 2)        /* /.../ */
++#define TC_OUTRDR       (1 << 3)        /* | > >> */
++#define TC_UOPPOST      (1 << 4)        /* unary postfix operator ++ -- */
++#define TC_UOPPRE1      (1 << 5)        /* unary prefix operator ++ -- $ */
++#define TC_BINOPX       (1 << 6)        /* two-opnd operator */
++#define TC_IN           (1 << 7)        /* 'in' */
++#define TC_COMMA        (1 << 8)        /* , */
++#define TC_PIPE         (1 << 9)        /* input redirection pipe | */
++#define TC_UOPPRE2      (1 << 10)       /* unary prefix operator + - ! */
++#define TC_ARRTERM      (1 << 11)       /* ] */
++#define TC_LBRACE       (1 << 12)       /* { */
++#define TC_RBRACE       (1 << 13)       /* } */
++#define TC_SEMICOL      (1 << 14)       /* ; */
++#define TC_NEWLINE      (1 << 15)
++#define TC_STATX        (1 << 16)       /* ctl statement (for, next...) */
++#define TC_WHILE        (1 << 17)       /* 'while' */
++#define TC_ELSE         (1 << 18)       /* 'else' */
++#define TC_BUILTIN      (1 << 19)
+ /* This costs ~50 bytes of code.
+  * A separate class to support deprecated "length" form. If we don't need that
+  * (i.e. if we demand that only "length()" with () is valid), then TC_LENGTH
+  * can be merged with TC_BUILTIN:
+  */
+-#define	TC_LENGTH	(1 << 20)
+-#define	TC_GETLINE	(1 << 21)
+-#define	TC_FUNCDECL	(1 << 22)		/* 'function' 'func' */
+-#define	TC_BEGIN	(1 << 23)
+-#define	TC_END		(1 << 24)
+-#define	TC_EOF		(1 << 25)
+-#define	TC_VARIABLE	(1 << 26)
+-#define	TC_ARRAY	(1 << 27)
+-#define	TC_FUNCTION	(1 << 28)
+-#define	TC_STRING	(1 << 29)
+-#define	TC_NUMBER	(1 << 30)
+-
+-#define	TC_UOPPRE  (TC_UOPPRE1 | TC_UOPPRE2)
+-
+-/* combined token classes */
+-#define	TC_BINOP   (TC_BINOPX | TC_COMMA | TC_PIPE | TC_IN)
+-//#define	TC_UNARYOP (TC_UOPPRE | TC_UOPPOST)
+-#define	TC_OPERAND (TC_VARIABLE | TC_ARRAY | TC_FUNCTION \
+-                   | TC_BUILTIN | TC_LENGTH | TC_GETLINE \
+-                   | TC_SEQSTART | TC_STRING | TC_NUMBER)
+-
+-#define	TC_STATEMNT (TC_STATX | TC_WHILE)
+-#define	TC_OPTERM  (TC_SEMICOL | TC_NEWLINE)
++#define TC_LENGTH       (1 << 20)       /* 'length' */
++#define TC_GETLINE      (1 << 21)       /* 'getline' */
++#define TC_FUNCDECL     (1 << 22)       /* 'function' 'func' */
++#define TC_BEGIN        (1 << 23)       /* 'BEGIN' */
++#define TC_END          (1 << 24)       /* 'END' */
++#define TC_EOF          (1 << 25)
++#define TC_VARIABLE     (1 << 26)       /* name */
++#define TC_ARRAY        (1 << 27)       /* name[ */
++#define TC_FUNCTION     (1 << 28)       /* name( */
++#define TC_STRING       (1 << 29)       /* "..." */
++#define TC_NUMBER       (1 << 30)
++
++#ifndef debug_parse_print_tc
++static void debug_parse_print_tc(uint32_t n)
++{
++	if (n & TC_LPAREN  ) debug_printf_parse(" LPAREN"  );
++	if (n & TC_RPAREN  ) debug_printf_parse(" RPAREN"  );
++	if (n & TC_REGEXP  ) debug_printf_parse(" REGEXP"  );
++	if (n & TC_OUTRDR  ) debug_printf_parse(" OUTRDR"  );
++	if (n & TC_UOPPOST ) debug_printf_parse(" UOPPOST" );
++	if (n & TC_UOPPRE1 ) debug_printf_parse(" UOPPRE1" );
++	if (n & TC_BINOPX  ) debug_printf_parse(" BINOPX"  );
++	if (n & TC_IN      ) debug_printf_parse(" IN"      );
++	if (n & TC_COMMA   ) debug_printf_parse(" COMMA"   );
++	if (n & TC_PIPE    ) debug_printf_parse(" PIPE"    );
++	if (n & TC_UOPPRE2 ) debug_printf_parse(" UOPPRE2" );
++	if (n & TC_ARRTERM ) debug_printf_parse(" ARRTERM" );
++	if (n & TC_LBRACE  ) debug_printf_parse(" LBRACE"  );
++	if (n & TC_RBRACE  ) debug_printf_parse(" RBRACE"  );
++	if (n & TC_SEMICOL ) debug_printf_parse(" SEMICOL" );
++	if (n & TC_NEWLINE ) debug_printf_parse(" NEWLINE" );
++	if (n & TC_STATX   ) debug_printf_parse(" STATX"   );
++	if (n & TC_WHILE   ) debug_printf_parse(" WHILE"   );
++	if (n & TC_ELSE    ) debug_printf_parse(" ELSE"    );
++	if (n & TC_BUILTIN ) debug_printf_parse(" BUILTIN" );
++	if (n & TC_LENGTH  ) debug_printf_parse(" LENGTH"  );
++	if (n & TC_GETLINE ) debug_printf_parse(" GETLINE" );
++	if (n & TC_FUNCDECL) debug_printf_parse(" FUNCDECL");
++	if (n & TC_BEGIN   ) debug_printf_parse(" BEGIN"   );
++	if (n & TC_END     ) debug_printf_parse(" END"     );
++	if (n & TC_EOF     ) debug_printf_parse(" EOF"     );
++	if (n & TC_VARIABLE) debug_printf_parse(" VARIABLE");
++	if (n & TC_ARRAY   ) debug_printf_parse(" ARRAY"   );
++	if (n & TC_FUNCTION) debug_printf_parse(" FUNCTION");
++	if (n & TC_STRING  ) debug_printf_parse(" STRING"  );
++	if (n & TC_NUMBER  ) debug_printf_parse(" NUMBER"  );
++}
++#endif
++
++/* combined token classes ("token [class] sets") */
++#define	TS_UOPPRE   (TC_UOPPRE1 | TC_UOPPRE2)
++
++#define	TS_BINOP    (TC_BINOPX | TC_COMMA | TC_PIPE | TC_IN)
++//#define TS_UNARYOP (TS_UOPPRE | TC_UOPPOST)
++#define	TS_OPERAND  (TC_VARIABLE | TC_ARRAY | TC_FUNCTION \
++                    | TC_BUILTIN | TC_LENGTH | TC_GETLINE \
++                    | TC_LPAREN | TC_STRING | TC_NUMBER)
++
++#define	TS_LVALUE   (TC_VARIABLE | TC_ARRAY)
++#define	TS_STATEMNT (TC_STATX | TC_WHILE)
+ 
+ /* word tokens, cannot mean something else if not expected */
+-#define	TC_WORD    (TC_IN | TC_STATEMNT | TC_ELSE \
+-                   | TC_BUILTIN | TC_LENGTH | TC_GETLINE \
+-                   | TC_FUNCDECL | TC_BEGIN | TC_END)
++#define	TS_WORD     (TC_IN | TS_STATEMNT | TC_ELSE \
++                    | TC_BUILTIN | TC_LENGTH | TC_GETLINE \
++                    | TC_FUNCDECL | TC_BEGIN | TC_END)
+ 
+ /* discard newlines after these */
+-#define	TC_NOTERM  (TC_COMMA | TC_GRPSTART | TC_GRPTERM \
+-                   | TC_BINOP | TC_OPTERM)
++#define	TS_NOTERM   (TS_BINOP | TC_COMMA | TC_LBRACE | TC_RBRACE \
++                    | TC_SEMICOL | TC_NEWLINE)
+ 
+ /* what can expression begin with */
+-#define	TC_OPSEQ   (TC_OPERAND | TC_UOPPRE | TC_REGEXP)
++#define	TS_OPSEQ    (TS_OPERAND | TS_UOPPRE | TC_REGEXP)
+ /* what can group begin with */
+-#define	TC_GRPSEQ  (TC_OPSEQ | TC_OPTERM | TC_STATEMNT | TC_GRPSTART)
++#define	TS_GRPSEQ   (TS_OPSEQ | TS_STATEMNT \
++                    | TC_SEMICOL | TC_NEWLINE | TC_LBRACE)
+ 
+-/* if previous token class is CONCAT1 and next is CONCAT2, concatenation */
++/* if previous token class is CONCAT_L and next is CONCAT_R, concatenation */
+ /* operator is inserted between them */
+-#define	TC_CONCAT1 (TC_VARIABLE | TC_ARRTERM | TC_SEQTERM \
++#define	TS_CONCAT_L (TC_VARIABLE | TC_ARRTERM | TC_RPAREN \
+                    | TC_STRING | TC_NUMBER | TC_UOPPOST \
+                    | TC_LENGTH)
+-#define	TC_CONCAT2 (TC_OPERAND | TC_UOPPRE)
++#define	TS_CONCAT_R (TS_OPERAND | TS_UOPPRE)
+ 
+ #define	OF_RES1     0x010000
+ #define	OF_RES2     0x020000
+@@ -284,13 +315,12 @@ typedef struct tsplitter_s {
+ #define	OF_CHECKED  0x200000
+ #define	OF_REQUIRED 0x400000
+ 
+-
+ /* combined operator flags */
+ #define	xx	0
+ #define	xV	OF_RES2
+ #define	xS	(OF_RES2 | OF_STR2)
+ #define	Vx	OF_RES1
+-#define	Rx	(OF_RES1 | OF_NUM1 | OF_REQUIRED)
++#define	Rx	OF_REQUIRED
+ #define	VV	(OF_RES1 | OF_RES2)
+ #define	Nx	(OF_RES1 | OF_NUM1)
+ #define	NV	(OF_RES1 | OF_NUM1 | OF_RES2)
+@@ -302,8 +332,7 @@ typedef struct tsplitter_s {
+ #define	OPNMASK   0x007F
+ 
+ /* operator priority is a highest byte (even: r->l, odd: l->r grouping)
+- * For builtins it has different meaning: n n s3 s2 s1 v3 v2 v1,
+- * n - min. number of args, vN - resolve Nth arg to var, sN - resolve to string
++ * (for builtins it has different meaning)
+  */
+ #undef P
+ #undef PRIMASK
+@@ -313,10 +342,8 @@ typedef struct tsplitter_s {
+ #define PRIMASK2  0x7E000000
+ 
+ /* Operation classes */
+-
+ #define	SHIFT_TIL_THIS	0x0600
+ #define	RECUR_FROM_THIS	0x1000
+-
+ enum {
+ 	OC_DELETE = 0x0100,     OC_EXEC = 0x0200,       OC_NEWSOURCE = 0x0300,
+ 	OC_PRINT = 0x0400,      OC_PRINTF = 0x0500,     OC_WALKINIT = 0x0600,
+@@ -358,8 +385,8 @@ enum {
+ #define NTCC    '\377'
+ 
+ static const char tokenlist[] ALIGN1 =
+-	"\1("         NTC                                   /* TC_SEQSTART */
+-	"\1)"         NTC                                   /* TC_SEQTERM */
++	"\1("         NTC                                   /* TC_LPAREN */
++	"\1)"         NTC                                   /* TC_RPAREN */
+ 	"\1/"         NTC                                   /* TC_REGEXP */
+ 	"\2>>"        "\1>"         "\1|"       NTC         /* TC_OUTRDR */
+ 	"\2++"        "\2--"        NTC                     /* TC_UOPPOST */
+@@ -376,8 +403,8 @@ static const char tokenlist[] ALIGN1 =
+ 	"\1|"         NTC                                   /* TC_PIPE */
+ 	"\1+"         "\1-"         "\1!"       NTC         /* TC_UOPPRE2 */
+ 	"\1]"         NTC                                   /* TC_ARRTERM */
+-	"\1{"         NTC                                   /* TC_GRPSTART */
+-	"\1}"         NTC                                   /* TC_GRPTERM */
++	"\1{"         NTC                                   /* TC_LBRACE */
++	"\1}"         NTC                                   /* TC_RBRACE */
+ 	"\1;"         NTC                                   /* TC_SEMICOL */
+ 	"\1\n"        NTC                                   /* TC_NEWLINE */
+ 	"\2if"        "\2do"        "\3for"     "\5break"   /* TC_STATX */
+@@ -391,7 +418,7 @@ static const char tokenlist[] ALIGN1 =
+ 	"\5close"     "\6system"    "\6fflush"  "\5atan2"
+ 	"\3cos"       "\3exp"       "\3int"     "\3log"
+ 	"\4rand"      "\3sin"       "\4sqrt"    "\5srand"
+-	"\6gensub"    "\4gsub"      "\5index"	/* "\6length" was here */
++	"\6gensub"    "\4gsub"      "\5index"   /* "\6length" was here */
+ 	"\5match"     "\5split"     "\7sprintf" "\3sub"
+ 	"\6substr"    "\7systime"   "\10strftime" "\6mktime"
+ 	"\7tolower"   "\7toupper"   NTC
+@@ -403,25 +430,32 @@ static const char tokenlist[] ALIGN1 =
+ 	/* compiler adds trailing "\0" */
+ 	;
+ 
+-#define OC_B  OC_BUILTIN
+-
+ static const uint32_t tokeninfo[] ALIGN4 = {
+ 	0,
+ 	0,
+-	OC_REGEXP,
++#define TI_REGEXP OC_REGEXP
++	TI_REGEXP,
+ 	xS|'a',                  xS|'w',                  xS|'|',
+ 	OC_UNARY|xV|P(9)|'p',    OC_UNARY|xV|P(9)|'m',
+-	OC_UNARY|xV|P(9)|'P',    OC_UNARY|xV|P(9)|'M',    OC_FIELD|xV|P(5),
++#define TI_PREINC (OC_UNARY|xV|P(9)|'P')
++#define TI_PREDEC (OC_UNARY|xV|P(9)|'M')
++	TI_PREINC,               TI_PREDEC,               OC_FIELD|xV|P(5),
+ 	OC_COMPARE|VV|P(39)|5,   OC_MOVE|VV|P(74),        OC_REPLACE|NV|P(74)|'+', OC_REPLACE|NV|P(74)|'-',
+ 	OC_REPLACE|NV|P(74)|'*', OC_REPLACE|NV|P(74)|'/', OC_REPLACE|NV|P(74)|'%', OC_REPLACE|NV|P(74)|'&',
+ 	OC_BINARY|NV|P(29)|'+',  OC_BINARY|NV|P(29)|'-',  OC_REPLACE|NV|P(74)|'&', OC_BINARY|NV|P(15)|'&',
+ 	OC_BINARY|NV|P(25)|'/',  OC_BINARY|NV|P(25)|'%',  OC_BINARY|NV|P(15)|'&',  OC_BINARY|NV|P(25)|'*',
+ 	OC_COMPARE|VV|P(39)|4,   OC_COMPARE|VV|P(39)|3,   OC_COMPARE|VV|P(39)|0,   OC_COMPARE|VV|P(39)|1,
+-	OC_COMPARE|VV|P(39)|2,   OC_MATCH|Sx|P(45)|'!',   OC_MATCH|Sx|P(45)|'~',   OC_LAND|Vx|P(55),
+-	OC_LOR|Vx|P(59),         OC_TERNARY|Vx|P(64)|'?', OC_COLON|xx|P(67)|':',
+-	OC_IN|SV|P(49), /* TC_IN */
+-	OC_COMMA|SS|P(80),
+-	OC_PGETLINE|SV|P(37),
++#define TI_LESS     (OC_COMPARE|VV|P(39)|2)
++	TI_LESS,                 OC_MATCH|Sx|P(45)|'!',   OC_MATCH|Sx|P(45)|'~',   OC_LAND|Vx|P(55),
++#define TI_TERNARY  (OC_TERNARY|Vx|P(64)|'?')
++#define TI_COLON    (OC_COLON|xx|P(67)|':')
++	OC_LOR|Vx|P(59),         TI_TERNARY,              TI_COLON,
++#define TI_IN       (OC_IN|SV|P(49))
++	TI_IN,
++#define TI_COMMA    (OC_COMMA|SS|P(80))
++	TI_COMMA,
++#define TI_PGETLINE (OC_PGETLINE|SV|P(37))
++	TI_PGETLINE,
+ 	OC_UNARY|xV|P(19)|'+',   OC_UNARY|xV|P(19)|'-',   OC_UNARY|xV|P(19)|'!',
+ 	0, /* ] */
+ 	0,
+@@ -434,20 +468,45 @@ static const uint32_t tokeninfo[] ALIGN4 = {
+ 	OC_RETURN|Vx, OC_EXIT|Nx,
+ 	ST_WHILE,
+ 	0, /* else */
+-	OC_B|B_an|P(0x83), OC_B|B_co|P(0x41), OC_B|B_ls|P(0x83), OC_B|B_or|P(0x83),
+-	OC_B|B_rs|P(0x83), OC_B|B_xo|P(0x83),
+-	OC_FBLTIN|Sx|F_cl, OC_FBLTIN|Sx|F_sy, OC_FBLTIN|Sx|F_ff, OC_B|B_a2|P(0x83),
+-	OC_FBLTIN|Nx|F_co, OC_FBLTIN|Nx|F_ex, OC_FBLTIN|Nx|F_in, OC_FBLTIN|Nx|F_lg,
+-	OC_FBLTIN|F_rn,    OC_FBLTIN|Nx|F_si, OC_FBLTIN|Nx|F_sq, OC_FBLTIN|Nx|F_sr,
+-	OC_B|B_ge|P(0xd6), OC_B|B_gs|P(0xb6), OC_B|B_ix|P(0x9b), /* OC_FBLTIN|Sx|F_le, was here */
+-	OC_B|B_ma|P(0x89), OC_B|B_sp|P(0x8b), OC_SPRINTF,        OC_B|B_su|P(0xb6),
+-	OC_B|B_ss|P(0x8f), OC_FBLTIN|F_ti,    OC_B|B_ti|P(0x0b), OC_B|B_mt|P(0x0b),
+-	OC_B|B_lo|P(0x49), OC_B|B_up|P(0x49),
+-	OC_FBLTIN|Sx|F_le, /* TC_LENGTH */
+-	OC_GETLINE|SV|P(0),
+-	0,                 0,
+-	0,
+-	0 /* TC_END */
++// OC_B's are builtins with enforced minimum number of arguments (two upper bits).
++//  Highest byte bit pattern: nn s3s2s1 v3v2v1
++//  nn - min. number of args, sN - resolve Nth arg to string, vN - resolve to var
++// OC_F's are builtins with zero or one argument.
++//  |Rx| enforces that arg is present for: system, close, cos, sin, exp, int, log, sqrt
++//  Check for no args is present in builtins' code (not in this table): rand, systime
++//  Have one _optional_ arg: fflush, srand, length
++#define OC_B   OC_BUILTIN
++#define OC_F   OC_FBLTIN
++#define A1     P(0x40) /*one arg*/
++#define A2     P(0x80) /*two args*/
++#define A3     P(0xc0) /*three args*/
++#define __v    P(1)
++#define _vv    P(3)
++#define __s__v P(9)
++#define __s_vv P(0x0b)
++#define __svvv P(0x0f)
++#define _ss_vv P(0x1b)
++#define _s_vv_ P(0x16)
++#define ss_vv_ P(0x36)
++	OC_B|B_an|_vv|A2,   OC_B|B_co|__v|A1,   OC_B|B_ls|_vv|A2,   OC_B|B_or|_vv|A2,   // and    compl   lshift   or
++	OC_B|B_rs|_vv|A2,   OC_B|B_xo|_vv|A2,                                           // rshift xor
++	OC_F|F_cl|Sx|Rx,    OC_F|F_sy|Sx|Rx,    OC_F|F_ff|Sx,       OC_B|B_a2|_vv|A2,   // close  system  fflush   atan2
++	OC_F|F_co|Nx|Rx,    OC_F|F_ex|Nx|Rx,    OC_F|F_in|Nx|Rx,    OC_F|F_lg|Nx|Rx,    // cos    exp     int      log
++	OC_F|F_rn,          OC_F|F_si|Nx|Rx,    OC_F|F_sq|Nx|Rx,    OC_F|F_sr|Nx,       // rand   sin     sqrt     srand
++	OC_B|B_ge|_s_vv_|A3,OC_B|B_gs|ss_vv_|A2,OC_B|B_ix|_ss_vv|A2,                    // gensub gsub    index  /*length was here*/
++	OC_B|B_ma|__s__v|A2,OC_B|B_sp|__s_vv|A2,OC_SPRINTF,         OC_B|B_su|ss_vv_|A2,// match  split   sprintf  sub
++	OC_B|B_ss|__svvv|A2,OC_F|F_ti,          OC_B|B_ti|__s_vv,   OC_B|B_mt|__s_vv,   // substr systime strftime mktime
++	OC_B|B_lo|__s__v|A1,OC_B|B_up|__s__v|A1,                                        // tolower toupper
++	OC_F|F_le|Sx,   // length
++	OC_GETLINE|SV,  // getline
++	0, 0, // func function
++	0, // BEGIN
++	0  // END
++#undef A1
++#undef A2
++#undef A3
++#undef OC_B
++#undef OC_F
+ };
+ 
+ /* internal variable names and their initial values       */
+@@ -488,21 +547,29 @@ struct globals {
+ 	chain *seq;
+ 	node *break_ptr, *continue_ptr;
+ 	rstream *iF;
+-	xhash *vhash, *ahash, *fdhash, *fnhash;
++	xhash *ahash;  /* argument names, used only while parsing function bodies */
++	xhash *fnhash; /* function names, used only in parsing stage */
++	xhash *vhash;  /* variables and arrays */
++	//xhash *fdhash; /* file objects, used only in execution stage */
++	//we are reusing ahash as fdhash, via define (see later)
+ 	const char *g_progname;
+ 	int g_lineno;
+ 	int nfields;
+ 	int maxfields; /* used in fsrealloc() only */
+ 	var *Fields;
+-	nvblock *g_cb;
+ 	char *g_pos;
+-	char *g_buf;
++	char g_saved_ch;
+ 	smallint icase;
+ 	smallint exiting;
+ 	smallint nextrec;
+ 	smallint nextfile;
+ 	smallint is_f0_split;
+ 	smallint t_rollback;
++
++	/* former statics from various functions */
++	smallint next_token__concat_inserted;
++	uint32_t next_token__save_tclass;
++	uint32_t next_token__save_info;
+ };
+ struct globals2 {
+ 	uint32_t t_info; /* often used */
+@@ -515,32 +582,35 @@ struct globals2 {
+ 	/* former statics from various functions */
+ 	char *split_f0__fstrings;
+ 
+-	uint32_t next_token__save_tclass;
+-	uint32_t next_token__save_info;
+-	uint32_t next_token__ltclass;
+-	smallint next_token__concat_inserted;
+-
+-	smallint next_input_file__files_happen;
+ 	rstream next_input_file__rsm;
++	smallint next_input_file__files_happen;
++
++	smalluint exitcode;
+ 
+-	var *evaluate__fnargs;
+ 	unsigned evaluate__seed;
++	var *evaluate__fnargs;
+ 	regex_t evaluate__sreg;
+ 
+-	var ptest__v;
++	var ptest__tmpvar;
++	var awk_printf__tmpvar;
++	var as_regex__tmpvar;
++	var exit__tmpvar;
++	var main__tmpvar;
+ 
+ 	tsplitter exec_builtin__tspl;
+ 
+ 	/* biggest and least used members go last */
+ 	tsplitter fsplitter, rsplitter;
++
++	char g_buf[MAXVARFMT + 1];
+ };
+ #define G1 (ptr_to_globals[-1])
+ #define G (*(struct globals2 *)ptr_to_globals)
+ /* For debug. nm --size-sort awk.o | grep -vi ' [tr] ' */
+-/*char G1size[sizeof(G1)]; - 0x74 */
+-/*char Gsize[sizeof(G)]; - 0x1c4 */
++//char G1size[sizeof(G1)]; // 0x70
++//char Gsize[sizeof(G)]; // 0x2f8
+ /* Trying to keep most of members accessible with short offsets: */
+-/*char Gofs_seed[offsetof(struct globals2, evaluate__seed)]; - 0x90 */
++//char Gofs_seed[offsetof(struct globals2, evaluate__seed)]; // 0x7c
+ #define t_double     (G1.t_double    )
+ #define beginseq     (G1.beginseq    )
+ #define mainseq      (G1.mainseq     )
+@@ -549,18 +619,20 @@ struct globals2 {
+ #define break_ptr    (G1.break_ptr   )
+ #define continue_ptr (G1.continue_ptr)
+ #define iF           (G1.iF          )
+-#define vhash        (G1.vhash       )
+ #define ahash        (G1.ahash       )
+-#define fdhash       (G1.fdhash      )
+ #define fnhash       (G1.fnhash      )
++#define vhash        (G1.vhash       )
++#define fdhash       ahash
++//^^^^^^^^^^^^^^^^^^ ahash is cleared after every function parsing,
++// and ends up empty after parsing phase. Thus, we can simply reuse it
++// for fdhash in execution stage.
+ #define g_progname   (G1.g_progname  )
+ #define g_lineno     (G1.g_lineno    )
+ #define nfields      (G1.nfields     )
+ #define maxfields    (G1.maxfields   )
+ #define Fields       (G1.Fields      )
+-#define g_cb         (G1.g_cb        )
+ #define g_pos        (G1.g_pos       )
+-#define g_buf        (G1.g_buf       )
++#define g_saved_ch   (G1.g_saved_ch  )
+ #define icase        (G1.icase       )
+ #define exiting      (G1.exiting     )
+ #define nextrec      (G1.nextrec     )
+@@ -574,25 +646,13 @@ struct globals2 {
+ #define intvar       (G.intvar      )
+ #define fsplitter    (G.fsplitter   )
+ #define rsplitter    (G.rsplitter   )
++#define g_buf        (G.g_buf       )
+ #define INIT_G() do { \
+ 	SET_PTR_TO_GLOBALS((char*)xzalloc(sizeof(G1)+sizeof(G)) + sizeof(G1)); \
+-	G.next_token__ltclass = TC_OPTERM; \
++	t_tclass = TC_NEWLINE; \
+ 	G.evaluate__seed = 1; \
+ } while (0)
+ 
+-
+-/* function prototypes */
+-static void handle_special(var *);
+-static node *parse_expr(uint32_t);
+-static void chain_group(void);
+-static var *evaluate(node *, var *);
+-static rstream *next_input_file(void);
+-static int fmt_num(char *, int, const char *, double, int);
+-static int awk_exit(int) NORETURN;
+-
+-/* ---- error handling ---- */
+-
+-static const char EMSG_INTERNAL_ERROR[] ALIGN1 = "Internal error";
+ static const char EMSG_UNEXP_EOS[] ALIGN1 = "Unexpected end of string";
+ static const char EMSG_UNEXP_TOKEN[] ALIGN1 = "Unexpected token";
+ static const char EMSG_DIV_BY_ZERO[] ALIGN1 = "Division by zero";
+@@ -604,10 +664,7 @@ static const char EMSG_UNDEF_FUNC[] ALIGN1 = "Call to undefined function";
+ static const char EMSG_NO_MATH[] ALIGN1 = "Math support is not compiled in";
+ static const char EMSG_NEGATIVE_FIELD[] ALIGN1 = "Access to negative field";
+ 
+-static void zero_out_var(var *vp)
+-{
+-	memset(vp, 0, sizeof(*vp));
+-}
++static int awk_exit(void) NORETURN;
+ 
+ static void syntax_error(const char *message) NORETURN;
+ static void syntax_error(const char *message)
+@@ -638,12 +695,40 @@ static xhash *hash_init(void)
+ 	return newhash;
+ }
+ 
++static void hash_clear(xhash *hash)
++{
++	unsigned i;
++	hash_item *hi, *thi;
++
++	for (i = 0; i < hash->csize; i++) {
++		hi = hash->items[i];
++		while (hi) {
++			thi = hi;
++			hi = hi->next;
++//FIXME: this assumes that it's a hash of *variables*:
++			free(thi->data.v.string);
++			free(thi);
++		}
++		hash->items[i] = NULL;
++	}
++	hash->glen = hash->nel = 0;
++}
++
++#if 0 //UNUSED
++static void hash_free(xhash *hash)
++{
++	hash_clear(hash);
++	free(hash->items);
++	free(hash);
++}
++#endif
++
+ /* find item in hash, return ptr to data, NULL if not found */
+-static void *hash_search(xhash *hash, const char *name)
++static NOINLINE void *hash_search3(xhash *hash, const char *name, unsigned idx)
+ {
+ 	hash_item *hi;
+ 
+-	hi = hash->items[hashidx(name) % hash->csize];
++	hi = hash->items[idx % hash->csize];
+ 	while (hi) {
+ 		if (strcmp(hi->name, name) == 0)
+ 			return &hi->data;
+@@ -652,6 +737,11 @@ static void *hash_search(xhash *hash, const char *name)
+ 	return NULL;
+ }
+ 
++static void *hash_search(xhash *hash, const char *name)
++{
++	return hash_search3(hash, name,	hashidx(name));
++}
++
+ /* grow hash if it becomes too big */
+ static void hash_rebuild(xhash *hash)
+ {
+@@ -687,16 +777,17 @@ static void *hash_find(xhash *hash, const char *name)
+ 	unsigned idx;
+ 	int l;
+ 
+-	hi = hash_search(hash, name);
++	idx = hashidx(name);
++	hi = hash_search3(hash, name, idx);
+ 	if (!hi) {
+-		if (++hash->nel / hash->csize > 10)
++		if (++hash->nel > hash->csize * 8)
+ 			hash_rebuild(hash);
+ 
+ 		l = strlen(name) + 1;
+ 		hi = xzalloc(sizeof(*hi) + l);
+ 		strcpy(hi->name, name);
+ 
+-		idx = hashidx(name) % hash->csize;
++		idx = idx % hash->csize;
+ 		hi->next = hash->items[idx];
+ 		hash->items[idx] = hi;
+ 		hash->glen += l;
+@@ -731,7 +822,7 @@ static void hash_remove(xhash *hash, const char *name)
+ 
+ static char *skip_spaces(char *p)
+ {
+-	while (1) {
++	for (;;) {
+ 		if (*p == '\\' && p[1] == '\n') {
+ 			p++;
+ 			t_lineno++;
+@@ -747,8 +838,10 @@ static char *skip_spaces(char *p)
+ static char *nextword(char **s)
+ {
+ 	char *p = *s;
+-	while (*(*s)++ != '\0')
++	char *q = p;
++	while (*q++ != '\0')
+ 		continue;
++	*s = q;
+ 	return p;
+ }
+ 
+@@ -811,10 +904,27 @@ static double my_strtod(char **pp)
+ 
+ /* -------- working with variables (set/get/copy/etc) -------- */
+ 
+-static xhash *iamarray(var *v)
++static void fmt_num(const char *format, double n)
+ {
+-	var *a = v;
++	if (n == (long long)n) {
++		snprintf(g_buf, MAXVARFMT, "%lld", (long long)n);
++	} else {
++		const char *s = format;
++		char c;
++
++		do { c = *s; } while (c && *++s);
++		if (strchr("diouxX", c)) {
++			snprintf(g_buf, MAXVARFMT, format, (int)n);
++		} else if (strchr("eEfFgGaA", c)) {
++			snprintf(g_buf, MAXVARFMT, format, n);
++		} else {
++			syntax_error(EMSG_INV_FMT);
++		}
++	}
++}
+ 
++static xhash *iamarray(var *a)
++{
+ 	while (a->type & VF_CHILD)
+ 		a = a->x.parent;
+ 
+@@ -825,23 +935,7 @@ static xhash *iamarray(var *v)
+ 	return a->x.array;
+ }
+ 
+-static void clear_array(xhash *array)
+-{
+-	unsigned i;
+-	hash_item *hi, *thi;
+-
+-	for (i = 0; i < array->csize; i++) {
+-		hi = array->items[i];
+-		while (hi) {
+-			thi = hi;
+-			hi = hi->next;
+-			free(thi->data.v.string);
+-			free(thi);
+-		}
+-		array->items[i] = NULL;
+-	}
+-	array->glen = array->nel = 0;
+-}
++#define clear_array(array) hash_clear(array)
+ 
+ /* clear a variable */
+ static var *clrvar(var *v)
+@@ -855,6 +949,8 @@ static var *clrvar(var *v)
+ 	return v;
+ }
+ 
++static void handle_special(var *);
++
+ /* assign string value to variable */
+ static var *setvar_p(var *v, char *value)
+ {
+@@ -901,7 +997,7 @@ static const char *getvar_s(var *v)
+ {
+ 	/* if v is numeric and has no cached string, convert it to string */
+ 	if ((v->type & (VF_NUMBER | VF_CACHED)) == VF_NUMBER) {
+-		fmt_num(g_buf, MAXVARFMT, getvar_s(intvar[CONVFMT]), v->number, TRUE);
++		fmt_num(getvar_s(intvar[CONVFMT]), v->number);
+ 		v->string = xstrdup(g_buf);
+ 		v->type |= VF_CACHED;
+ 	}
+@@ -920,6 +1016,7 @@ static double getvar_i(var *v)
+ 			v->number = my_strtod(&s);
+ 			debug_printf_eval("%f (s:'%s')\n", v->number, s);
+ 			if (v->type & VF_USER) {
++//TODO: skip_spaces() also skips backslash+newline, is it intended here?
+ 				s = skip_spaces(s);
+ 				if (*s != '\0')
+ 					v->type &= ~VF_USER;
+@@ -981,94 +1078,28 @@ static int istrue(var *v)
+ 	return (v->string && v->string[0]);
+ }
+ 
+-/* temporary variables allocator. Last allocated should be first freed */
+-static var *nvalloc(int n)
+-{
+-	nvblock *pb = NULL;
+-	var *v, *r;
+-	int size;
+-
+-	while (g_cb) {
+-		pb = g_cb;
+-		if ((g_cb->pos - g_cb->nv) + n <= g_cb->size)
+-			break;
+-		g_cb = g_cb->next;
+-	}
+-
+-	if (!g_cb) {
+-		size = (n <= MINNVBLOCK) ? MINNVBLOCK : n;
+-		g_cb = xzalloc(sizeof(nvblock) + size * sizeof(var));
+-		g_cb->size = size;
+-		g_cb->pos = g_cb->nv;
+-		g_cb->prev = pb;
+-		/*g_cb->next = NULL; - xzalloc did it */
+-		if (pb)
+-			pb->next = g_cb;
+-	}
+-
+-	v = r = g_cb->pos;
+-	g_cb->pos += n;
+-
+-	while (v < g_cb->pos) {
+-		v->type = 0;
+-		v->string = NULL;
+-		v++;
+-	}
+-
+-	return r;
+-}
+-
+-static void nvfree(var *v)
+-{
+-	var *p;
+-
+-	if (v < g_cb->nv || v >= g_cb->pos)
+-		syntax_error(EMSG_INTERNAL_ERROR);
+-
+-	for (p = v; p < g_cb->pos; p++) {
+-		if ((p->type & (VF_ARRAY | VF_CHILD)) == VF_ARRAY) {
+-			clear_array(iamarray(p));
+-			free(p->x.array->items);
+-			free(p->x.array);
+-		}
+-		if (p->type & VF_WALK) {
+-			walker_list *n;
+-			walker_list *w = p->x.walker;
+-			debug_printf_walker("nvfree: freeing walker @%p\n", &p->x.walker);
+-			p->x.walker = NULL;
+-			while (w) {
+-				n = w->prev;
+-				debug_printf_walker(" free(%p)\n", w);
+-				free(w);
+-				w = n;
+-			}
+-		}
+-		clrvar(p);
+-	}
+-
+-	g_cb->pos = v;
+-	while (g_cb->prev && g_cb->pos == g_cb->nv) {
+-		g_cb = g_cb->prev;
+-	}
+-}
+-
+ /* ------- awk program text parsing ------- */
+ 
+-/* Parse next token pointed by global pos, place results into global ttt.
+- * If token isn't expected, give away. Return token class
++/* Parse next token pointed by global pos, place results into global t_XYZ variables.
++ * If token isn't expected, print error message and die.
++ * Return token class (also store it in t_tclass).
+  */
+ static uint32_t next_token(uint32_t expected)
+ {
+-#define concat_inserted (G.next_token__concat_inserted)
+-#define save_tclass     (G.next_token__save_tclass)
+-#define save_info       (G.next_token__save_info)
+-/* Initialized to TC_OPTERM: */
+-#define ltclass         (G.next_token__ltclass)
++#define concat_inserted (G1.next_token__concat_inserted)
++#define save_tclass     (G1.next_token__save_tclass)
++#define save_info       (G1.next_token__save_info)
+ 
+-	char *p, *s;
++	char *p;
+ 	const char *tl;
+-	uint32_t tc;
+ 	const uint32_t *ti;
++	uint32_t tc, last_token_class;
++
++	last_token_class = t_tclass; /* t_tclass is initialized to TC_NEWLINE */
++
++	debug_printf_parse("%s() expected(%x):", __func__, expected);
++	debug_parse_print_tc(expected);
++	debug_printf_parse("\n");
+ 
+ 	if (t_rollback) {
+ 		debug_printf_parse("%s: using rolled-back token\n", __func__);
+@@ -1080,6 +1111,10 @@ static uint32_t next_token(uint32_t expected)
+ 		t_info = save_info;
+ 	} else {
+ 		p = g_pos;
++		if (g_saved_ch != '\0') {
++			*p = g_saved_ch;
++			g_saved_ch = '\0';
++		}
+  readnext:
+ 		p = skip_spaces(p);
+ 		g_lineno = t_lineno;
+@@ -1087,15 +1122,12 @@ static uint32_t next_token(uint32_t expected)
+ 			while (*p != '\n' && *p != '\0')
+ 				p++;
+ 
+-		if (*p == '\n')
+-			t_lineno++;
+-
+ 		if (*p == '\0') {
+ 			tc = TC_EOF;
+ 			debug_printf_parse("%s: token found: TC_EOF\n", __func__);
+ 		} else if (*p == '\"') {
+ 			/* it's a string */
+-			t_string = s = ++p;
++			char *s = t_string = ++p;
+ 			while (*p != '\"') {
+ 				char *pp;
+ 				if (*p == '\0' || *p == '\n')
+@@ -1110,7 +1142,7 @@ static uint32_t next_token(uint32_t expected)
+ 			debug_printf_parse("%s: token found:'%s' TC_STRING\n", __func__, t_string);
+ 		} else if ((expected & TC_REGEXP) && *p == '/') {
+ 			/* it's regexp */
+-			t_string = s = ++p;
++			char *s	= t_string = ++p;
+ 			while (*p != '/') {
+ 				if (*p == '\0' || *p == '\n')
+ 					syntax_error(EMSG_UNEXP_EOS);
+@@ -1141,6 +1173,11 @@ static uint32_t next_token(uint32_t expected)
+ 			tc = TC_NUMBER;
+ 			debug_printf_parse("%s: token found:%f TC_NUMBER\n", __func__, t_double);
+ 		} else {
++			char *end_of_name;
++
++			if (*p == '\n')
++				t_lineno++;
++
+ 			/* search for something known */
+ 			tl = tokenlist;
+ 			tc = 0x00000001;
+@@ -1155,9 +1192,9 @@ static uint32_t next_token(uint32_t expected)
+ 				 * token matches,
+ 				 * and it's not a longer word,
+ 				 */
+-				if ((tc & (expected | TC_WORD | TC_NEWLINE))
++				if ((tc & (expected | TS_WORD | TC_NEWLINE))
+ 				 && strncmp(p, tl, l) == 0
+-				 && !((tc & TC_WORD) && isalnum_(p[l]))
++				 && !((tc & TS_WORD) && isalnum_(p[l]))
+ 				) {
+ 					/* then this is what we are looking for */
+ 					t_info = *ti;
+@@ -1174,67 +1211,94 @@ static uint32_t next_token(uint32_t expected)
+ 			if (!isalnum_(*p))
+ 				syntax_error(EMSG_UNEXP_TOKEN); /* no */
+ 			/* yes */
+-			t_string = --p;
+-			while (isalnum_(*++p)) {
+-				p[-1] = *p;
+-			}
+-			p[-1] = '\0';
+-			tc = TC_VARIABLE;
+-			/* also consume whitespace between functionname and bracket */
+-			if (!(expected & TC_VARIABLE) || (expected & TC_ARRAY))
++			t_string = p;
++			while (isalnum_(*p))
++				p++;
++			end_of_name = p;
++
++			if (last_token_class == TC_FUNCDECL)
++				/* eat space in "function FUNC (...) {...}" declaration */
+ 				p = skip_spaces(p);
++			else if (expected & TC_ARRAY) {
++				/* eat space between array name and [ */
++				char *s = skip_spaces(p);
++				if (*s == '[') /* array ref, not just a name? */
++					p = s;
++			}
++			/* else: do NOT consume whitespace after variable name!
++			 * gawk allows definition "function FUNC (p) {...}" - note space,
++			 * but disallows the call "FUNC (p)" because it isn't one -
++			 * expression "v (a)" should NOT be parsed as TC_FUNCTION:
++			 * it is a valid concatenation if "v" is a variable,
++			 * not a function name (and type of name is not known at parse time).
++			 */
++
+ 			if (*p == '(') {
++				p++;
+ 				tc = TC_FUNCTION;
+ 				debug_printf_parse("%s: token found:'%s' TC_FUNCTION\n", __func__, t_string);
++			} else if (*p == '[') {
++				p++;
++				tc = TC_ARRAY;
++				debug_printf_parse("%s: token found:'%s' TC_ARRAY\n", __func__, t_string);
+ 			} else {
+-				if (*p == '[') {
+-					p++;
+-					tc = TC_ARRAY;
+-					debug_printf_parse("%s: token found:'%s' TC_ARRAY\n", __func__, t_string);
+-				} else
+-					debug_printf_parse("%s: token found:'%s' TC_VARIABLE\n", __func__, t_string);
++				tc = TC_VARIABLE;
++				debug_printf_parse("%s: token found:'%s' TC_VARIABLE\n", __func__, t_string);
++				if (end_of_name == p) {
++					/* there is no space for trailing NUL in t_string!
++					 * We need to save the char we are going to NUL.
++					 * (we'll use it in future call to next_token())
++					 */
++					g_saved_ch = *end_of_name;
++// especially pathological example is V="abc"; V.2 - it's V concatenated to .2
++// (it evaluates to "abc0.2"). Because of this case, we can't simply cache
++// '.' and analyze it later: we also have to *store it back* in next
++// next_token(), in order to give my_strtod() the undamaged ".2" string.
++				}
+ 			}
++			*end_of_name = '\0'; /* terminate t_string */
+ 		}
+  token_found:
+ 		g_pos = p;
+ 
+ 		/* skipping newlines in some cases */
+-		if ((ltclass & TC_NOTERM) && (tc & TC_NEWLINE))
++		if ((last_token_class & TS_NOTERM) && (tc & TC_NEWLINE))
+ 			goto readnext;
+ 
+ 		/* insert concatenation operator when needed */
+-		debug_printf_parse("%s: %x %x %x concat_inserted?\n", __func__,
+-			(ltclass & TC_CONCAT1), (tc & TC_CONCAT2), (expected & TC_BINOP));
+-		if ((ltclass & TC_CONCAT1) && (tc & TC_CONCAT2) && (expected & TC_BINOP)
+-		 && !(ltclass == TC_LENGTH && tc == TC_SEQSTART) /* but not for "length(..." */
++		debug_printf_parse("%s: concat_inserted if all nonzero: %x %x %x %x\n", __func__,
++			(last_token_class & TS_CONCAT_L), (tc & TS_CONCAT_R), (expected & TS_BINOP),
++			!(last_token_class == TC_LENGTH && tc == TC_LPAREN));
++		if ((last_token_class & TS_CONCAT_L) && (tc & TS_CONCAT_R) && (expected & TS_BINOP)
++		 && !(last_token_class == TC_LENGTH && tc == TC_LPAREN) /* but not for "length(..." */
+ 		) {
+ 			concat_inserted = TRUE;
+ 			save_tclass = tc;
+ 			save_info = t_info;
+-			tc = TC_BINOP;
++			tc = TC_BINOPX;
+ 			t_info = OC_CONCAT | SS | P(35);
+ 		}
+ 
+-		debug_printf_parse("%s: t_tclass=tc=%x\n", __func__, t_tclass);
+ 		t_tclass = tc;
++		debug_printf_parse("%s: t_tclass=tc=%x\n", __func__, tc);
+ 	}
+-	ltclass = t_tclass;
+-
+ 	/* Are we ready for this? */
+-	if (!(ltclass & expected)) {
+-		syntax_error((ltclass & (TC_NEWLINE | TC_EOF)) ?
++	if (!(t_tclass & expected)) {
++		syntax_error((last_token_class & (TC_NEWLINE | TC_EOF)) ?
+ 				EMSG_UNEXP_EOS : EMSG_UNEXP_TOKEN);
+ 	}
+ 
+-	debug_printf_parse("%s: returning, ltclass:%x t_double:%f\n", __func__, ltclass, t_double);
+-	return ltclass;
++	debug_printf_parse("%s: returning, t_double:%f t_tclass:", __func__, t_double);
++	debug_parse_print_tc(t_tclass);
++	debug_printf_parse("\n");
++
++	return t_tclass;
+ #undef concat_inserted
+ #undef save_tclass
+ #undef save_info
+-#undef ltclass
+ }
+ 
+-static void rollback_token(void)
++static ALWAYS_INLINE void rollback_token(void)
+ {
+ 	t_rollback = TRUE;
+ }
+@@ -1251,169 +1315,188 @@ static node *new_node(uint32_t info)
+ 
+ static void mk_re_node(const char *s, node *n, regex_t *re)
+ {
+-	n->info = OC_REGEXP;
++	n->info = TI_REGEXP;
+ 	n->l.re = re;
+ 	n->r.ire = re + 1;
+ 	xregcomp(re, s, REG_EXTENDED);
+ 	xregcomp(re + 1, s, REG_EXTENDED | REG_ICASE);
+ }
+ 
+-static node *condition(void)
++static node *parse_expr(uint32_t);
++
++static node *parse_lrparen_list(void)
+ {
+-	next_token(TC_SEQSTART);
+-	return parse_expr(TC_SEQTERM);
++	next_token(TC_LPAREN);
++	return parse_expr(TC_RPAREN);
+ }
+ 
+ /* parse expression terminated by given argument, return ptr
+  * to built subtree. Terminator is eaten by parse_expr */
+-static node *parse_expr(uint32_t iexp)
++static node *parse_expr(uint32_t term_tc)
+ {
+ 	node sn;
+ 	node *cn = &sn;
+ 	node *vn, *glptr;
+-	uint32_t tc, xtc;
++	uint32_t tc, expected_tc;
+ 	var *v;
+ 
+-	debug_printf_parse("%s(%x)\n", __func__, iexp);
++	debug_printf_parse("%s() term_tc(%x):", __func__, term_tc);
++	debug_parse_print_tc(term_tc);
++	debug_printf_parse("\n");
+ 
+ 	sn.info = PRIMASK;
+ 	sn.r.n = sn.a.n = glptr = NULL;
+-	xtc = TC_OPERAND | TC_UOPPRE | TC_REGEXP | iexp;
++	expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP | term_tc;
+ 
+-	while (!((tc = next_token(xtc)) & iexp)) {
++	while (!((tc = next_token(expected_tc)) & term_tc)) {
+ 
+-		if (glptr && (t_info == (OC_COMPARE | VV | P(39) | 2))) {
++		if (glptr && (t_info == TI_LESS)) {
+ 			/* input redirection (<) attached to glptr node */
+ 			debug_printf_parse("%s: input redir\n", __func__);
+ 			cn = glptr->l.n = new_node(OC_CONCAT | SS | P(37));
+ 			cn->a.n = glptr;
+-			xtc = TC_OPERAND | TC_UOPPRE;
++			expected_tc = TS_OPERAND | TS_UOPPRE;
+ 			glptr = NULL;
+-
+-		} else if (tc & (TC_BINOP | TC_UOPPOST)) {
+-			debug_printf_parse("%s: TC_BINOP | TC_UOPPOST tc:%x\n", __func__, tc);
++			continue;
++		}
++		if (tc & (TS_BINOP | TC_UOPPOST)) {
++			debug_printf_parse("%s: TS_BINOP | TC_UOPPOST tc:%x\n", __func__, tc);
+ 			/* for binary and postfix-unary operators, jump back over
+ 			 * previous operators with higher priority */
+ 			vn = cn;
+ 			while (((t_info & PRIMASK) > (vn->a.n->info & PRIMASK2))
+-			    || ((t_info == vn->info) && ((t_info & OPCLSMASK) == OC_COLON))
++			    || ((t_info == vn->info) && t_info == TI_COLON)
+ 			) {
+ 				vn = vn->a.n;
+ 				if (!vn->a.n) syntax_error(EMSG_UNEXP_TOKEN);
+ 			}
+-			if ((t_info & OPCLSMASK) == OC_TERNARY)
++			if (t_info == TI_TERNARY)
++//TODO: why?
+ 				t_info += P(6);
+ 			cn = vn->a.n->r.n = new_node(t_info);
+ 			cn->a.n = vn->a.n;
+-			if (tc & TC_BINOP) {
++			if (tc & TS_BINOP) {
+ 				cn->l.n = vn;
+-				xtc = TC_OPERAND | TC_UOPPRE | TC_REGEXP;
+-				if ((t_info & OPCLSMASK) == OC_PGETLINE) {
++//FIXME: this is the place to detect and reject assignments to non-lvalues.
++//Currently we allow "assignments" to consts and temporaries, nonsense like this:
++// awk 'BEGIN { "qwe" = 1 }'
++// awk 'BEGIN { 7 *= 7 }'
++// awk 'BEGIN { length("qwe") = 1 }'
++// awk 'BEGIN { (1+1) += 3 }'
++				expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP;
++				if (t_info == TI_PGETLINE) {
+ 					/* it's a pipe */
+ 					next_token(TC_GETLINE);
+ 					/* give maximum priority to this pipe */
+ 					cn->info &= ~PRIMASK;
+-					xtc = TC_OPERAND | TC_UOPPRE | TC_BINOP | iexp;
++					expected_tc = TS_OPERAND | TS_UOPPRE | TS_BINOP | term_tc;
+ 				}
+ 			} else {
+ 				cn->r.n = vn;
+-				xtc = TC_OPERAND | TC_UOPPRE | TC_BINOP | iexp;
++				expected_tc = TS_OPERAND | TS_UOPPRE | TS_BINOP | term_tc;
+ 			}
+ 			vn->a.n = cn;
++			continue;
++		}
+ 
+-		} else {
+-			debug_printf_parse("%s: other\n", __func__);
+-			/* for operands and prefix-unary operators, attach them
+-			 * to last node */
+-			vn = cn;
+-			cn = vn->r.n = new_node(t_info);
+-			cn->a.n = vn;
+-			xtc = TC_OPERAND | TC_UOPPRE | TC_REGEXP;
+-			if (tc & (TC_OPERAND | TC_REGEXP)) {
+-				debug_printf_parse("%s: TC_OPERAND | TC_REGEXP\n", __func__);
+-				xtc = TC_UOPPRE | TC_UOPPOST | TC_BINOP | TC_OPERAND | iexp;
+-				/* one should be very careful with switch on tclass -
+-				 * only simple tclasses should be used! */
+-				switch (tc) {
+-				case TC_VARIABLE:
+-				case TC_ARRAY:
+-					debug_printf_parse("%s: TC_VARIABLE | TC_ARRAY\n", __func__);
+-					cn->info = OC_VAR;
+-					v = hash_search(ahash, t_string);
+-					if (v != NULL) {
+-						cn->info = OC_FNARG;
+-						cn->l.aidx = v->x.aidx;
+-					} else {
+-						cn->l.v = newvar(t_string);
+-					}
+-					if (tc & TC_ARRAY) {
+-						cn->info |= xS;
+-						cn->r.n = parse_expr(TC_ARRTERM);
+-					}
+-					break;
++		debug_printf_parse("%s: other, t_info:%x\n", __func__, t_info);
++		/* for operands and prefix-unary operators, attach them
++		 * to last node */
++		vn = cn;
++		cn = vn->r.n = new_node(t_info);
++		cn->a.n = vn;
+ 
+-				case TC_NUMBER:
+-				case TC_STRING:
+-					debug_printf_parse("%s: TC_NUMBER | TC_STRING\n", __func__);
+-					cn->info = OC_VAR;
+-					v = cn->l.v = xzalloc(sizeof(var));
+-					if (tc & TC_NUMBER)
+-						setvar_i(v, t_double);
+-					else {
+-						setvar_s(v, t_string);
+-						xtc &= ~TC_UOPPOST; /* "str"++ is not allowed */
+-					}
+-					break;
++		expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP;
++		if (t_info == TI_PREINC || t_info == TI_PREDEC)
++			expected_tc = TS_LVALUE | TC_UOPPRE1;
+ 
+-				case TC_REGEXP:
+-					debug_printf_parse("%s: TC_REGEXP\n", __func__);
+-					mk_re_node(t_string, cn, xzalloc(sizeof(regex_t)*2));
+-					break;
++		if (!(tc & (TS_OPERAND | TC_REGEXP)))
++			continue;
+ 
+-				case TC_FUNCTION:
+-					debug_printf_parse("%s: TC_FUNCTION\n", __func__);
+-					cn->info = OC_FUNC;
+-					cn->r.f = newfunc(t_string);
+-					cn->l.n = condition();
+-					break;
++		debug_printf_parse("%s: TS_OPERAND | TC_REGEXP\n", __func__);
++		expected_tc = TS_UOPPRE | TC_UOPPOST | TS_BINOP | TS_OPERAND | term_tc;
++		/* one should be very careful with switch on tclass -
++		 * only simple tclasses should be used (TC_xyz, not TS_xyz) */
++		switch (tc) {
++		case TC_VARIABLE:
++		case TC_ARRAY:
++			debug_printf_parse("%s: TC_VARIABLE | TC_ARRAY\n", __func__);
++			cn->info = OC_VAR;
++			v = hash_search(ahash, t_string);
++			if (v != NULL) {
++				cn->info = OC_FNARG;
++				cn->l.aidx = v->x.aidx;
++			} else {
++				cn->l.v = newvar(t_string);
++			}
++			if (tc & TC_ARRAY) {
++				cn->info |= xS;
++				cn->r.n = parse_expr(TC_ARRTERM);
++			}
++			break;
+ 
+-				case TC_SEQSTART:
+-					debug_printf_parse("%s: TC_SEQSTART\n", __func__);
+-					cn = vn->r.n = parse_expr(TC_SEQTERM);
+-					if (!cn)
+-						syntax_error("Empty sequence");
+-					cn->a.n = vn;
+-					break;
++		case TC_NUMBER:
++		case TC_STRING:
++			debug_printf_parse("%s: TC_NUMBER | TC_STRING\n", __func__);
++			cn->info = OC_VAR;
++			v = cn->l.v = xzalloc(sizeof(var));
++			if (tc & TC_NUMBER)
++				setvar_i(v, t_double);
++			else {
++				setvar_s(v, t_string);
++				expected_tc &= ~TC_UOPPOST; /* "str"++ is not allowed */
++			}
++			break;
+ 
+-				case TC_GETLINE:
+-					debug_printf_parse("%s: TC_GETLINE\n", __func__);
+-					glptr = cn;
+-					xtc = TC_OPERAND | TC_UOPPRE | TC_BINOP | iexp;
+-					break;
++		case TC_REGEXP:
++			debug_printf_parse("%s: TC_REGEXP\n", __func__);
++			mk_re_node(t_string, cn, xzalloc(sizeof(regex_t)*2));
++			break;
+ 
+-				case TC_BUILTIN:
+-					debug_printf_parse("%s: TC_BUILTIN\n", __func__);
+-					cn->l.n = condition();
+-					break;
++		case TC_FUNCTION:
++			debug_printf_parse("%s: TC_FUNCTION\n", __func__);
++			cn->info = OC_FUNC;
++			cn->r.f = newfunc(t_string);
++			cn->l.n = parse_expr(TC_RPAREN);
++			break;
+ 
+-				case TC_LENGTH:
+-					debug_printf_parse("%s: TC_LENGTH\n", __func__);
+-					next_token(TC_SEQSTART /* length(...) */
+-						| TC_OPTERM    /* length; (or newline)*/
+-						| TC_GRPTERM   /* length } */
+-						| TC_BINOPX    /* length <op> NUM */
+-						| TC_COMMA     /* print length, 1 */
+-					);
+-					rollback_token();
+-					if (t_tclass & TC_SEQSTART) {
+-						/* It was a "(" token. Handle just like TC_BUILTIN */
+-						cn->l.n = condition();
+-					}
+-					break;
+-				}
++		case TC_LPAREN:
++			debug_printf_parse("%s: TC_LPAREN\n", __func__);
++			cn = vn->r.n = parse_expr(TC_RPAREN);
++			if (!cn)
++				syntax_error("Empty sequence");
++			cn->a.n = vn;
++			break;
++
++		case TC_GETLINE:
++			debug_printf_parse("%s: TC_GETLINE\n", __func__);
++			glptr = cn;
++			expected_tc = TS_OPERAND | TS_UOPPRE | TS_BINOP | term_tc;
++			break;
++
++		case TC_BUILTIN:
++			debug_printf_parse("%s: TC_BUILTIN\n", __func__);
++			cn->l.n = parse_lrparen_list();
++			break;
++
++		case TC_LENGTH:
++			debug_printf_parse("%s: TC_LENGTH\n", __func__);
++			tc = next_token(TC_LPAREN /* length(...) */
++				| TC_SEMICOL   /* length; */
++				| TC_NEWLINE   /* length<newline> */
++				| TC_RBRACE    /* length } */
++				| TC_BINOPX    /* length <op> NUM */
++				| TC_COMMA     /* print length, 1 */
++			);
++			if (tc != TC_LPAREN)
++				rollback_token();
++			else {
++				/* It was a "(" token. Handle just like TC_BUILTIN */
++				cn->l.n = parse_expr(TC_RPAREN);
+ 			}
++			break;
+ 		}
+-	}
++	} /* while() */
+ 
+ 	debug_printf_parse("%s() returns %p\n", __func__, sn.r.n);
+ 	return sn.r.n;
+@@ -1430,7 +1513,7 @@ static node *chain_node(uint32_t info)
+ 	if (seq->programname != g_progname) {
+ 		seq->programname = g_progname;
+ 		n = chain_node(OC_NEWSOURCE);
+-		n->l.new_progname = xstrdup(g_progname);
++		n->l.new_progname = g_progname;
+ 	}
+ 
+ 	n = seq->last;
+@@ -1446,14 +1529,16 @@ static void chain_expr(uint32_t info)
+ 
+ 	n = chain_node(info);
+ 
+-	n->l.n = parse_expr(TC_OPTERM | TC_GRPTERM);
++	n->l.n = parse_expr(TC_SEMICOL | TC_NEWLINE | TC_RBRACE);
+ 	if ((info & OF_REQUIRED) && !n->l.n)
+ 		syntax_error(EMSG_TOO_FEW_ARGS);
+ 
+-	if (t_tclass & TC_GRPTERM)
++	if (t_tclass & TC_RBRACE)
+ 		rollback_token();
+ }
+ 
++static void chain_group(void);
++
+ static node *chain_loop(node *nn)
+ {
+ 	node *n, *n2, *save_brk, *save_cont;
+@@ -1477,207 +1562,284 @@ static node *chain_loop(node *nn)
+ 	return n;
+ }
+ 
++static void chain_until_rbrace(void)
++{
++	uint32_t tc;
++	while ((tc = next_token(TS_GRPSEQ | TC_RBRACE)) != TC_RBRACE) {
++		debug_printf_parse("%s: !TC_RBRACE\n", __func__);
++		if (tc == TC_NEWLINE)
++			continue;
++		rollback_token();
++		chain_group();
++	}
++	debug_printf_parse("%s: TC_RBRACE\n", __func__);
++}
++
+ /* parse group and attach it to chain */
+ static void chain_group(void)
+ {
+-	uint32_t c;
++	uint32_t tc;
+ 	node *n, *n2, *n3;
+ 
+ 	do {
+-		c = next_token(TC_GRPSEQ);
+-	} while (c & TC_NEWLINE);
+-
+-	if (c & TC_GRPSTART) {
+-		debug_printf_parse("%s: TC_GRPSTART\n", __func__);
+-		while (next_token(TC_GRPSEQ | TC_GRPTERM) != TC_GRPTERM) {
+-			debug_printf_parse("%s: !TC_GRPTERM\n", __func__);
+-			if (t_tclass & TC_NEWLINE)
+-				continue;
+-			rollback_token();
+-			chain_group();
+-		}
+-		debug_printf_parse("%s: TC_GRPTERM\n", __func__);
+-	} else if (c & (TC_OPSEQ | TC_OPTERM)) {
+-		debug_printf_parse("%s: TC_OPSEQ | TC_OPTERM\n", __func__);
++		tc = next_token(TS_GRPSEQ);
++	} while (tc == TC_NEWLINE);
++
++	if (tc == TC_LBRACE) {
++		debug_printf_parse("%s: TC_LBRACE\n", __func__);
++		chain_until_rbrace();
++		return;
++	}
++	if (tc & (TS_OPSEQ | TC_SEMICOL)) {
++		debug_printf_parse("%s: TS_OPSEQ | TC_SEMICOL\n", __func__);
+ 		rollback_token();
+ 		chain_expr(OC_EXEC | Vx);
+-	} else {
+-		/* TC_STATEMNT */
+-		debug_printf_parse("%s: TC_STATEMNT(?)\n", __func__);
+-		switch (t_info & OPCLSMASK) {
+-		case ST_IF:
+-			debug_printf_parse("%s: ST_IF\n", __func__);
+-			n = chain_node(OC_BR | Vx);
+-			n->l.n = condition();
++		return;
++	}
++
++	/* TS_STATEMNT */
++	debug_printf_parse("%s: TS_STATEMNT(?)\n", __func__);
++	switch (t_info & OPCLSMASK) {
++	case ST_IF:
++		debug_printf_parse("%s: ST_IF\n", __func__);
++		n = chain_node(OC_BR | Vx);
++		n->l.n = parse_lrparen_list();
++		chain_group();
++		n2 = chain_node(OC_EXEC);
++		n->r.n = seq->last;
++		if (next_token(TS_GRPSEQ | TC_RBRACE | TC_ELSE) == TC_ELSE) {
+ 			chain_group();
+-			n2 = chain_node(OC_EXEC);
+-			n->r.n = seq->last;
+-			if (next_token(TC_GRPSEQ | TC_GRPTERM | TC_ELSE) == TC_ELSE) {
+-				chain_group();
+-				n2->a.n = seq->last;
+-			} else {
+-				rollback_token();
+-			}
+-			break;
++			n2->a.n = seq->last;
++		} else {
++			rollback_token();
++		}
++		break;
+ 
+-		case ST_WHILE:
+-			debug_printf_parse("%s: ST_WHILE\n", __func__);
+-			n2 = condition();
+-			n = chain_loop(NULL);
+-			n->l.n = n2;
+-			break;
++	case ST_WHILE:
++		debug_printf_parse("%s: ST_WHILE\n", __func__);
++		n2 = parse_lrparen_list();
++		n = chain_loop(NULL);
++		n->l.n = n2;
++		break;
+ 
+-		case ST_DO:
+-			debug_printf_parse("%s: ST_DO\n", __func__);
+-			n2 = chain_node(OC_EXEC);
+-			n = chain_loop(NULL);
+-			n2->a.n = n->a.n;
+-			next_token(TC_WHILE);
+-			n->l.n = condition();
+-			break;
++	case ST_DO:
++		debug_printf_parse("%s: ST_DO\n", __func__);
++		n2 = chain_node(OC_EXEC);
++		n = chain_loop(NULL);
++		n2->a.n = n->a.n;
++		next_token(TC_WHILE);
++		n->l.n = parse_lrparen_list();
++		break;
+ 
+-		case ST_FOR:
+-			debug_printf_parse("%s: ST_FOR\n", __func__);
+-			next_token(TC_SEQSTART);
+-			n2 = parse_expr(TC_SEMICOL | TC_SEQTERM);
+-			if (t_tclass & TC_SEQTERM) {	/* for-in */
+-				if (!n2 || (n2->info & OPCLSMASK) != OC_IN)
+-					syntax_error(EMSG_UNEXP_TOKEN);
+-				n = chain_node(OC_WALKINIT | VV);
+-				n->l.n = n2->l.n;
+-				n->r.n = n2->r.n;
+-				n = chain_loop(NULL);
+-				n->info = OC_WALKNEXT | Vx;
+-				n->l.n = n2->l.n;
+-			} else {			/* for (;;) */
+-				n = chain_node(OC_EXEC | Vx);
+-				n->l.n = n2;
+-				n2 = parse_expr(TC_SEMICOL);
+-				n3 = parse_expr(TC_SEQTERM);
+-				n = chain_loop(n3);
+-				n->l.n = n2;
+-				if (!n2)
+-					n->info = OC_EXEC;
+-			}
+-			break;
++	case ST_FOR:
++		debug_printf_parse("%s: ST_FOR\n", __func__);
++		next_token(TC_LPAREN);
++		n2 = parse_expr(TC_SEMICOL | TC_RPAREN);
++		if (t_tclass & TC_RPAREN) {	/* for (I in ARRAY) */
++			if (!n2 || n2->info != TI_IN)
++				syntax_error(EMSG_UNEXP_TOKEN);
++			n = chain_node(OC_WALKINIT | VV);
++			n->l.n = n2->l.n;
++			n->r.n = n2->r.n;
++			n = chain_loop(NULL);
++			n->info = OC_WALKNEXT | Vx;
++			n->l.n = n2->l.n;
++		} else {			/* for (;;) */
++			n = chain_node(OC_EXEC | Vx);
++			n->l.n = n2;
++			n2 = parse_expr(TC_SEMICOL);
++			n3 = parse_expr(TC_RPAREN);
++			n = chain_loop(n3);
++			n->l.n = n2;
++			if (!n2)
++				n->info = OC_EXEC;
++		}
++		break;
+ 
+-		case OC_PRINT:
+-		case OC_PRINTF:
+-			debug_printf_parse("%s: OC_PRINT[F]\n", __func__);
+-			n = chain_node(t_info);
+-			n->l.n = parse_expr(TC_OPTERM | TC_OUTRDR | TC_GRPTERM);
+-			if (t_tclass & TC_OUTRDR) {
+-				n->info |= t_info;
+-				n->r.n = parse_expr(TC_OPTERM | TC_GRPTERM);
+-			}
+-			if (t_tclass & TC_GRPTERM)
+-				rollback_token();
+-			break;
++	case OC_PRINT:
++	case OC_PRINTF:
++		debug_printf_parse("%s: OC_PRINT[F]\n", __func__);
++		n = chain_node(t_info);
++		n->l.n = parse_expr(TC_SEMICOL | TC_NEWLINE | TC_OUTRDR | TC_RBRACE);
++		if (t_tclass & TC_OUTRDR) {
++			n->info |= t_info;
++			n->r.n = parse_expr(TC_SEMICOL | TC_NEWLINE | TC_RBRACE);
++		}
++		if (t_tclass & TC_RBRACE)
++			rollback_token();
++		break;
+ 
+-		case OC_BREAK:
+-			debug_printf_parse("%s: OC_BREAK\n", __func__);
+-			n = chain_node(OC_EXEC);
+-			n->a.n = break_ptr;
+-			chain_expr(t_info);
+-			break;
++	case OC_BREAK:
++		debug_printf_parse("%s: OC_BREAK\n", __func__);
++		n = chain_node(OC_EXEC);
++		if (!break_ptr)
++			syntax_error("'break' not in a loop");
++		n->a.n = break_ptr;
++		chain_expr(t_info);
++		break;
+ 
+-		case OC_CONTINUE:
+-			debug_printf_parse("%s: OC_CONTINUE\n", __func__);
+-			n = chain_node(OC_EXEC);
+-			n->a.n = continue_ptr;
+-			chain_expr(t_info);
+-			break;
++	case OC_CONTINUE:
++		debug_printf_parse("%s: OC_CONTINUE\n", __func__);
++		n = chain_node(OC_EXEC);
++		if (!continue_ptr)
++			syntax_error("'continue' not in a loop");
++		n->a.n = continue_ptr;
++		chain_expr(t_info);
++		break;
+ 
+-		/* delete, next, nextfile, return, exit */
+-		default:
+-			debug_printf_parse("%s: default\n", __func__);
+-			chain_expr(t_info);
+-		}
++	/* delete, next, nextfile, return, exit */
++	default:
++		debug_printf_parse("%s: default\n", __func__);
++		chain_expr(t_info);
+ 	}
+ }
+ 
+ static void parse_program(char *p)
+ {
+-	uint32_t tclass;
+-	node *cn;
+-	func *f;
+-	var *v;
++	debug_printf_parse("%s()\n", __func__);
+ 
+ 	g_pos = p;
+ 	t_lineno = 1;
+-	while ((tclass = next_token(TC_EOF | TC_OPSEQ | TC_GRPSTART |
+-			TC_OPTERM | TC_BEGIN | TC_END | TC_FUNCDECL)) != TC_EOF) {
++	for (;;) {
++		uint32_t tclass;
+ 
+-		if (tclass & TC_OPTERM) {
+-			debug_printf_parse("%s: TC_OPTERM\n", __func__);
++		tclass = next_token(TS_OPSEQ | TC_LBRACE | TC_BEGIN | TC_END | TC_FUNCDECL
++			| TC_EOF | TC_NEWLINE /* but not TC_SEMICOL */);
++ got_tok:
++		if (tclass == TC_EOF) {
++			debug_printf_parse("%s: TC_EOF\n", __func__);
++			break;
++		}
++		if (tclass == TC_NEWLINE) {
++			debug_printf_parse("%s: TC_NEWLINE\n", __func__);
+ 			continue;
+ 		}
+-
+-		seq = &mainseq;
+-		if (tclass & TC_BEGIN) {
++		if (tclass == TC_BEGIN) {
+ 			debug_printf_parse("%s: TC_BEGIN\n", __func__);
+ 			seq = &beginseq;
+-			chain_group();
+-		} else if (tclass & TC_END) {
++			/* ensure there is no newline between BEGIN and { */
++			next_token(TC_LBRACE);
++			chain_until_rbrace();
++			goto next_tok;
++		}
++		if (tclass == TC_END) {
+ 			debug_printf_parse("%s: TC_END\n", __func__);
+ 			seq = &endseq;
+-			chain_group();
+-		} else if (tclass & TC_FUNCDECL) {
++			/* ensure there is no newline between END and { */
++			next_token(TC_LBRACE);
++			chain_until_rbrace();
++			goto next_tok;
++		}
++		if (tclass == TC_FUNCDECL) {
++			func *f;
++
+ 			debug_printf_parse("%s: TC_FUNCDECL\n", __func__);
+ 			next_token(TC_FUNCTION);
+-			g_pos++;
+ 			f = newfunc(t_string);
+-			f->body.first = NULL;
+-			f->nargs = 0;
+-			/* Match func arg list: a comma sep list of >= 0 args, and a close paren */
+-			while (next_token(TC_VARIABLE | TC_SEQTERM | TC_COMMA)) {
+-				/* Either an empty arg list, or trailing comma from prev iter
+-				 * must be followed by an arg */
+-				if (f->nargs == 0 && t_tclass == TC_SEQTERM)
+-					break;
+-
+-				/* TC_SEQSTART/TC_COMMA must be followed by TC_VARIABLE */
+-				if (t_tclass != TC_VARIABLE)
++			if (f->defined)
++				syntax_error("Duplicate function");
++			f->defined = 1;
++			//f->body.first = NULL; - already is
++			//f->nargs = 0; - already is
++			/* func arg list: comma sep list of args, and a close paren */
++			for (;;) {
++				var *v;
++				if (next_token(TC_VARIABLE | TC_RPAREN) == TC_RPAREN) {
++					if (f->nargs == 0)
++						break; /* func() is ok */
++					/* func(a,) is not ok */
+ 					syntax_error(EMSG_UNEXP_TOKEN);
+-
++				}
+ 				v = findvar(ahash, t_string);
+ 				v->x.aidx = f->nargs++;
+-
+ 				/* Arg followed either by end of arg list or 1 comma */
+-				if (next_token(TC_COMMA | TC_SEQTERM) & TC_SEQTERM)
++				if (next_token(TC_COMMA | TC_RPAREN) == TC_RPAREN)
+ 					break;
+-				if (t_tclass != TC_COMMA)
+-					syntax_error(EMSG_UNEXP_TOKEN);
++				/* it was a comma, we ate it */
+ 			}
+ 			seq = &f->body;
+-			chain_group();
+-			clear_array(ahash);
+-		} else if (tclass & TC_OPSEQ) {
+-			debug_printf_parse("%s: TC_OPSEQ\n", __func__);
++			/* ensure there is { after "func F(...)" - but newlines are allowed */
++			while (next_token(TC_LBRACE | TC_NEWLINE) == TC_NEWLINE)
++				continue;
++			chain_until_rbrace();
++			hash_clear(ahash);
++			goto next_tok;
++		}
++		seq = &mainseq;
++		if (tclass & TS_OPSEQ) {
++			node *cn;
++
++			debug_printf_parse("%s: TS_OPSEQ\n", __func__);
+ 			rollback_token();
+ 			cn = chain_node(OC_TEST);
+-			cn->l.n = parse_expr(TC_OPTERM | TC_EOF | TC_GRPSTART);
+-			if (t_tclass & TC_GRPSTART) {
+-				debug_printf_parse("%s: TC_GRPSTART\n", __func__);
+-				rollback_token();
+-				chain_group();
++			cn->l.n = parse_expr(TC_SEMICOL | TC_NEWLINE | TC_EOF | TC_LBRACE);
++			if (t_tclass == TC_LBRACE) {
++				debug_printf_parse("%s: TC_LBRACE\n", __func__);
++				chain_until_rbrace();
+ 			} else {
+-				debug_printf_parse("%s: !TC_GRPSTART\n", __func__);
++				/* no action, assume default "{ print }" */
++				debug_printf_parse("%s: !TC_LBRACE\n", __func__);
+ 				chain_node(OC_PRINT);
+ 			}
+ 			cn->r.n = mainseq.last;
+-		} else /* if (tclass & TC_GRPSTART) */ {
+-			debug_printf_parse("%s: TC_GRPSTART(?)\n", __func__);
+-			rollback_token();
+-			chain_group();
++			goto next_tok;
+ 		}
+-	}
+-	debug_printf_parse("%s: TC_EOF\n", __func__);
++		/* tclass == TC_LBRACE */
++		debug_printf_parse("%s: TC_LBRACE(?)\n", __func__);
++		chain_until_rbrace();
++ next_tok:
++		/* Same as next_token() at the top of the loop, + TC_SEMICOL */
++		tclass = next_token(TS_OPSEQ | TC_LBRACE | TC_BEGIN | TC_END | TC_FUNCDECL
++			| TC_EOF | TC_NEWLINE | TC_SEMICOL);
++		/* gawk allows many newlines, but does not allow more than one semicolon:
++		 *  BEGIN {...}<newline>;<newline>;
++		 * would complain "each rule must have a pattern or an action part".
++		 * Same message for
++		 *  ; BEGIN {...}
++		 */
++		if (tclass != TC_SEMICOL)
++			goto got_tok; /* use this token */
++		/* else: loop back - ate the semicolon, get and use _next_ token */
++	} /* for (;;) */
+ }
+ 
+-
+ /* -------- program execution part -------- */
+ 
++/* temporary variables allocator */
++static var *nvalloc(int sz)
++{
++	return xzalloc(sz * sizeof(var));
++}
++
++static void nvfree(var *v, int sz)
++{
++	var *p = v;
++
++	while (--sz >= 0) {
++		if ((p->type & (VF_ARRAY | VF_CHILD)) == VF_ARRAY) {
++			clear_array(iamarray(p));
++			free(p->x.array->items);
++			free(p->x.array);
++		}
++		if (p->type & VF_WALK) {
++			walker_list *n;
++			walker_list *w = p->x.walker;
++			debug_printf_walker("nvfree: freeing walker @%p\n", &p->x.walker);
++			p->x.walker = NULL;
++			while (w) {
++				n = w->prev;
++				debug_printf_walker(" free(%p)\n", w);
++				free(w);
++				w = n;
++			}
++		}
++		clrvar(p);
++		p++;
++	}
++
++	free(v);
++}
++
+ static node *mk_splitter(const char *s, tsplitter *spl)
+ {
+ 	regex_t *re, *ire;
+@@ -1686,7 +1848,7 @@ static node *mk_splitter(const char *s, tsplitter *spl)
+ 	re = &spl->re[0];
+ 	ire = &spl->re[1];
+ 	n = &spl->n;
+-	if ((n->info & OPCLSMASK) == OC_REGEXP) {
++	if (n->info == TI_REGEXP) {
+ 		regfree(re);
+ 		regfree(ire); // TODO: nuke ire, use re+1?
+ 	}
+@@ -1699,21 +1861,28 @@ static node *mk_splitter(const char *s, tsplitter *spl)
+ 	return n;
+ }
+ 
+-/* use node as a regular expression. Supplied with node ptr and regex_t
++static var *evaluate(node *, var *);
++
++/* Use node as a regular expression. Supplied with node ptr and regex_t
+  * storage space. Return ptr to regex (if result points to preg, it should
+- * be later regfree'd manually
++ * be later regfree'd manually).
+  */
+ static regex_t *as_regex(node *op, regex_t *preg)
+ {
+ 	int cflags;
+-	var *v;
+ 	const char *s;
+ 
+-	if ((op->info & OPCLSMASK) == OC_REGEXP) {
++	if (op->info == TI_REGEXP) {
+ 		return icase ? op->r.ire : op->l.re;
+ 	}
+-	v = nvalloc(1);
+-	s = getvar_s(evaluate(op, v));
++
++	//tmpvar = nvalloc(1);
++#define TMPVAR (&G.as_regex__tmpvar)
++	// We use a single "static" tmpvar (instead of on-stack or malloced one)
++	// to decrease memory consumption in deeply-recursive awk programs.
++	// The rule to work safely is to never call evaluate() while our static
++	// TMPVAR's value is still needed.
++	s = getvar_s(evaluate(op, TMPVAR));
+ 
+ 	cflags = icase ? REG_EXTENDED | REG_ICASE : REG_EXTENDED;
+ 	/* Testcase where REG_EXTENDED fails (unpaired '{'):
+@@ -1725,7 +1894,8 @@ static regex_t *as_regex(node *op, regex_t *preg)
+ 		cflags &= ~REG_EXTENDED;
+ 		xregcomp(preg, s, cflags);
+ 	}
+-	nvfree(v);
++	//nvfree(tmpvar, 1);
++#undef TMPVAR
+ 	return preg;
+ }
+ 
+@@ -1745,12 +1915,22 @@ static char* qrealloc(char *b, int n, int *size)
+ /* resize field storage space */
+ static void fsrealloc(int size)
+ {
+-	int i;
++	int i, newsize;
+ 
+ 	if (size >= maxfields) {
++		/* Sanity cap, easier than catering for overflows */
++		if (size > 0xffffff)
++			bb_die_memory_exhausted();
++
+ 		i = maxfields;
+ 		maxfields = size + 16;
+-		Fields = xrealloc(Fields, maxfields * sizeof(Fields[0]));
++
++		newsize = maxfields * sizeof(Fields[0]);
++		debug_printf_eval("fsrealloc: xrealloc(%p, %u)\n", Fields, newsize);
++		Fields = xrealloc(Fields, newsize);
++		debug_printf_eval("fsrealloc: Fields=%p..%p\n", Fields, (char*)Fields + newsize - 1);
++		/* ^^^ did Fields[] move? debug aid for L.v getting "upstaged" by R.v in evaluate() */
++
+ 		for (; i < maxfields; i++) {
+ 			Fields[i].type = VF_SPECIAL;
+ 			Fields[i].string = NULL;
+@@ -1802,13 +1982,13 @@ static int awk_split(const char *s, node *spl, char **slist)
+ 		c[2] = '\n';
+ 
+ 	n = 0;
+-	if ((spl->info & OPCLSMASK) == OC_REGEXP) {  /* regex split */
++	if (spl->info == TI_REGEXP) {  /* regex split */
+ 		if (!*s)
+ 			return n; /* "": zero fields */
+ 		n++; /* at least one field will be there */
+ 		do {
+ 			int l;
+-			regmatch_t pmatch[2]; // TODO: why [2]? [1] is enough...
++			regmatch_t pmatch[1];
+ 
+ 			l = strcspn(s, c+2); /* len till next NUL or \n */
+ 			if (regexec1_nonempty(icase ? spl->r.ire : spl->l.re, s, pmatch) == 0
+@@ -1969,7 +2149,7 @@ static node *nextarg(node **pn)
+ 	node *n;
+ 
+ 	n = *pn;
+-	if (n && (n->info & OPCLSMASK) == OC_COMMA) {
++	if (n && n->info == TI_COMMA) {
+ 		*pn = n->r.n;
+ 		n = n->l.n;
+ 	} else {
+@@ -2000,8 +2180,7 @@ static void hashwalk_init(var *v, xhash *array)
+ 	for (i = 0; i < array->csize; i++) {
+ 		hi = array->items[i];
+ 		while (hi) {
+-			strcpy(w->end, hi->name);
+-			nextword(&w->end);
++			w->end = stpcpy(w->end, hi->name) + 1;
+ 			hi = hi->next;
+ 		}
+ 	}
+@@ -2027,15 +2206,18 @@ static int hashwalk_next(var *v)
+ /* evaluate node, return 1 when result is true, 0 otherwise */
+ static int ptest(node *pattern)
+ {
+-	/* ptest__v is "static": to save stack space? */
+-	return istrue(evaluate(pattern, &G.ptest__v));
++	// We use a single "static" tmpvar (instead of on-stack or malloced one)
++	// to decrease memory consumption in deeply-recursive awk programs.
++	// The rule to work safely is to never call evaluate() while our static
++	// TMPVAR's value is still needed.
++	return istrue(evaluate(pattern, &G.ptest__tmpvar));
+ }
+ 
+ /* read next record from stream rsm into a variable v */
+ static int awk_getline(rstream *rsm, var *v)
+ {
+ 	char *b;
+-	regmatch_t pmatch[2]; // TODO: why [2]? [1] is enough...
++	regmatch_t pmatch[1];
+ 	int size, a, p, pp = 0;
+ 	int fd, so, eo, r, rp;
+ 	char c, *m, *s;
+@@ -2061,7 +2243,7 @@ static int awk_getline(rstream *rsm, var *v)
+ 		so = eo = p;
+ 		r = 1;
+ 		if (p > 0) {
+-			if ((rsplitter.n.info & OPCLSMASK) == OC_REGEXP) {
++			if (rsplitter.n.info == TI_REGEXP) {
+ 				if (regexec(icase ? rsplitter.n.r.ire : rsplitter.n.l.re,
+ 							b, 1, pmatch, 0) == 0) {
+ 					so = pmatch[0].rm_so;
+@@ -2133,82 +2315,126 @@ static int awk_getline(rstream *rsm, var *v)
+ 	return r;
+ }
+ 
+-static int fmt_num(char *b, int size, const char *format, double n, int int_as_int)
+-{
+-	int r = 0;
+-	char c;
+-	const char *s = format;
+-
+-	if (int_as_int && n == (long long)n) {
+-		r = snprintf(b, size, "%lld", (long long)n);
+-	} else {
+-		do { c = *s; } while (c && *++s);
+-		if (strchr("diouxX", c)) {
+-			r = snprintf(b, size, format, (int)n);
+-		} else if (strchr("eEfgG", c)) {
+-			r = snprintf(b, size, format, n);
+-		} else {
+-			syntax_error(EMSG_INV_FMT);
+-		}
+-	}
+-	return r;
+-}
+-
+ /* formatted output into an allocated buffer, return ptr to buffer */
+-static char *awk_printf(node *n)
++#if !ENABLE_FEATURE_AWK_GNU_EXTENSIONS
++# define awk_printf(a, b) awk_printf(a)
++#endif
++static char *awk_printf(node *n, size_t *len)
+ {
+-	char *b = NULL;
+-	char *fmt, *s, *f;
+-	const char *s1;
+-	int i, j, incr, bsize;
+-	char c, c1;
+-	var *v, *arg;
+-
+-	v = nvalloc(1);
+-	fmt = f = xstrdup(getvar_s(evaluate(nextarg(&n), v)));
+-
++	char *b;
++	char *fmt, *f;
++	size_t i;
++
++	//tmpvar = nvalloc(1);
++#define TMPVAR (&G.awk_printf__tmpvar)
++	// We use a single "static" tmpvar (instead of on-stack or malloced one)
++	// to decrease memory consumption in deeply-recursive awk programs.
++	// The rule to work safely is to never call evaluate() while our static
++	// TMPVAR's value is still needed.
++	fmt = f = xstrdup(getvar_s(evaluate(nextarg(&n), TMPVAR)));
++	// ^^^^^^^^^ here we immediately strdup() the value, so the later call
++	// to evaluate() potentially recursing into another awk_printf() can't
++	// mangle the value.
++
++	b = NULL;
+ 	i = 0;
+-	while (*f) {
++	while (1) { /* "print one format spec" loop */
++		char *s;
++		char c;
++		char sv;
++		var *arg;
++		size_t slen;
++
++		/* Find end of the next format spec, or end of line */
+ 		s = f;
+-		while (*f && (*f != '%' || *++f == '%'))
+-			f++;
+-		while (*f && !isalpha(*f)) {
+-			if (*f == '*')
+-				syntax_error("%*x formats are not supported");
++		while (1) {
++			c = *f;
++			if (!c) /* no percent chars found at all */
++				goto nul;
+ 			f++;
++			if (c == '%')
++				break;
+ 		}
+-
+-		incr = (f - s) + MAXVARFMT;
+-		b = qrealloc(b, incr + i, &bsize);
++		/* we are past % in "....%..." */
+ 		c = *f;
+-		if (c != '\0')
++		if (!c) /* "....%" */
++			goto nul;
++		if (c == '%') { /* "....%%...." */
++			slen = f - s;
++			s = xstrndup(s, slen);
+ 			f++;
+-		c1 = *f;
++			goto append; /* print "....%" part verbatim */
++		}
++		while (1) {
++			if (isalpha(c))
++				break;
++			if (c == '*')
++				syntax_error("%*x formats are not supported");
++			c = *++f;
++			if (!c) { /* "....%...." and no letter found after % */
++				/* Example: awk 'BEGIN { printf "^^^%^^^\n"; }' */
++ nul:
++				slen = f - s;
++				goto tail; /* print remaining string, exit loop */
++			}
++		}
++		/* we are at A in "....%...A..." */
++
++		arg = evaluate(nextarg(&n), TMPVAR);
++
++		/* Result can be arbitrarily long. Example:
++		 *  printf "%99999s", "BOOM"
++		 */
++		sv = *++f;
+ 		*f = '\0';
+-		arg = evaluate(nextarg(&n), v);
+-
+-		j = i;
+-		if (c == 'c' || !c) {
+-			i += sprintf(b+i, s, is_numeric(arg) ?
+-					(char)getvar_i(arg) : *getvar_s(arg));
+-		} else if (c == 's') {
+-			s1 = getvar_s(arg);
+-			b = qrealloc(b, incr+i+strlen(s1), &bsize);
+-			i += sprintf(b+i, s, s1);
++		if (c == 'c') {
++			char cc = is_numeric(arg) ? getvar_i(arg) : *getvar_s(arg);
++			char *r = xasprintf(s, cc ? cc : '^' /* else strlen will be wrong */);
++			slen = strlen(r);
++			if (cc == '\0') /* if cc is NUL, re-format the string with it */
++				sprintf(r, s, cc);
++			s = r;
+ 		} else {
+-			i += fmt_num(b+i, incr, s, getvar_i(arg), FALSE);
++			if (c == 's') {
++				s = xasprintf(s, getvar_s(arg));
++			} else {
++				double d = getvar_i(arg);
++				if (strchr("diouxX", c)) {
++//TODO: make it wider here (%x -> %llx etc)?
++					s = xasprintf(s, (int)d);
++				} else if (strchr("eEfFgGaA", c)) {
++					s = xasprintf(s, d);
++				} else {
++//TODO: GNU Awk 5.0.1: printf "%W" prints "%W", does not error out
++					syntax_error(EMSG_INV_FMT);
++				}
++			}
++			slen = strlen(s);
+ 		}
+-		*f = c1;
+-
+-		/* if there was an error while sprintf, return value is negative */
+-		if (i < j)
+-			i = j;
++		*f = sv;
++ append:
++		if (i == 0) {
++			b = s;
++			i = slen;
++			continue;
++		}
++ tail:
++		b = xrealloc(b, i + slen + 1);
++		strcpy(b + i, s);
++		i += slen;
++		if (!c) /* s is NOT allocated and this is the last part of string? */
++			break;
++		free(s);
+ 	}
+ 
+ 	free(fmt);
+-	nvfree(v);
+-	b = xrealloc(b, i + 1);
+-	b[i] = '\0';
++	//nvfree(tmpvar, 1);
++#undef TMPVAR
++
++#if ENABLE_FEATURE_AWK_GNU_EXTENSIONS
++	if (len)
++		*len = i;
++#endif
+ 	return b;
+ }
+ 
+@@ -2338,33 +2564,59 @@ static NOINLINE int do_mktime(const char *ds)
+ 	return mktime(&then);
+ }
+ 
++/* Reduce stack usage in exec_builtin() by keeping match() code separate */
++static NOINLINE var *do_match(node *an1, const char *as0)
++{
++	regmatch_t pmatch[1];
++	regex_t sreg, *re;
++	int n, start, len;
++
++	re = as_regex(an1, &sreg);
++	n = regexec(re, as0, 1, pmatch, 0);
++	if (re == &sreg)
++		regfree(re);
++	start = 0;
++	len = -1;
++	if (n == 0) {
++		start = pmatch[0].rm_so + 1;
++		len = pmatch[0].rm_eo - pmatch[0].rm_so;
++	}
++	setvar_i(newvar("RLENGTH"), len);
++	return setvar_i(newvar("RSTART"), start);
++}
++
++/* Reduce stack usage in evaluate() by keeping builtins' code separate */
+ static NOINLINE var *exec_builtin(node *op, var *res)
+ {
+ #define tspl (G.exec_builtin__tspl)
+ 
+-	var *tv;
++	var *tmpvars;
+ 	node *an[4];
+ 	var *av[4];
+ 	const char *as[4];
+-	regmatch_t pmatch[2];
+-	regex_t sreg, *re;
+ 	node *spl;
+ 	uint32_t isr, info;
+ 	int nargs;
+ 	time_t tt;
+ 	int i, l, ll, n;
+ 
+-	tv = nvalloc(4);
++	tmpvars = nvalloc(4);
++#define TMPVAR0 (tmpvars)
++#define TMPVAR1 (tmpvars + 1)
++#define TMPVAR2 (tmpvars + 2)
++#define TMPVAR3 (tmpvars + 3)
++#define TMPVAR(i) (tmpvars + (i))
+ 	isr = info = op->info;
+ 	op = op->l.n;
+ 
+ 	av[2] = av[3] = NULL;
+ 	for (i = 0; i < 4 && op; i++) {
+ 		an[i] = nextarg(&op);
+-		if (isr & 0x09000000)
+-			av[i] = evaluate(an[i], &tv[i]);
+-		if (isr & 0x08000000)
+-			as[i] = getvar_s(av[i]);
++		if (isr & 0x09000000) {
++			av[i] = evaluate(an[i], TMPVAR(i));
++			if (isr & 0x08000000)
++				as[i] = getvar_s(av[i]);
++		}
+ 		isr >>= 1;
+ 	}
+ 
+@@ -2386,8 +2638,8 @@ static NOINLINE var *exec_builtin(node *op, var *res)
+ 		char *s, *s1;
+ 
+ 		if (nargs > 2) {
+-			spl = (an[2]->info & OPCLSMASK) == OC_REGEXP ?
+-				an[2] : mk_splitter(getvar_s(evaluate(an[2], &tv[2])), &tspl);
++			spl = (an[2]->info == TI_REGEXP) ? an[2]
++				: mk_splitter(getvar_s(evaluate(an[2], TMPVAR2)), &tspl);
+ 		} else {
+ 			spl = &fsplitter.n;
+ 		}
+@@ -2501,20 +2753,7 @@ static NOINLINE var *exec_builtin(node *op, var *res)
+ 		break;
+ 
+ 	case B_ma:
+-		re = as_regex(an[1], &sreg);
+-		n = regexec(re, as[0], 1, pmatch, 0);
+-		if (n == 0) {
+-			pmatch[0].rm_so++;
+-			pmatch[0].rm_eo++;
+-		} else {
+-			pmatch[0].rm_so = 0;
+-			pmatch[0].rm_eo = -1;
+-		}
+-		setvar_i(newvar("RSTART"), pmatch[0].rm_so);
+-		setvar_i(newvar("RLENGTH"), pmatch[0].rm_eo - pmatch[0].rm_so);
+-		setvar_i(res, pmatch[0].rm_so);
+-		if (re == &sreg)
+-			regfree(re);
++		res = do_match(an[1], as[0]);
+ 		break;
+ 
+ 	case B_ge:
+@@ -2530,14 +2769,79 @@ static NOINLINE var *exec_builtin(node *op, var *res)
+ 		break;
+ 	}
+ 
+-	nvfree(tv);
++	nvfree(tmpvars, 4);
++#undef TMPVAR0
++#undef TMPVAR1
++#undef TMPVAR2
++#undef TMPVAR3
++#undef TMPVAR
++
+ 	return res;
+ #undef tspl
+ }
+ 
++/* if expr looks like "var=value", perform assignment and return 1,
++ * otherwise return 0 */
++static int is_assignment(const char *expr)
++{
++	char *exprc, *val;
++
++	val = (char*)endofname(expr);
++	if (val == (char*)expr || *val != '=') {
++		return FALSE;
++	}
++
++	exprc = xstrdup(expr);
++	val = exprc + (val - expr);
++	*val++ = '\0';
++
++	unescape_string_in_place(val);
++	setvar_u(newvar(exprc), val);
++	free(exprc);
++	return TRUE;
++}
++
++/* switch to next input file */
++static rstream *next_input_file(void)
++{
++#define rsm          (G.next_input_file__rsm)
++#define files_happen (G.next_input_file__files_happen)
++
++	const char *fname, *ind;
++
++	if (rsm.F)
++		fclose(rsm.F);
++	rsm.F = NULL;
++	rsm.pos = rsm.adv = 0;
++
++	for (;;) {
++		if (getvar_i(intvar[ARGIND])+1 >= getvar_i(intvar[ARGC])) {
++			if (files_happen)
++				return NULL;
++			fname = "-";
++			rsm.F = stdin;
++			break;
++		}
++		ind = getvar_s(incvar(intvar[ARGIND]));
++		fname = getvar_s(findvar(iamarray(intvar[ARGV]), ind));
++		if (fname && *fname && !is_assignment(fname)) {
++			rsm.F = xfopen_stdin(fname);
++			break;
++		}
++	}
++
++	files_happen = TRUE;
++	setvar_s(intvar[FILENAME], fname);
++	return &rsm;
++#undef rsm
++#undef files_happen
++}
++
+ /*
+  * Evaluate node - the heart of the program. Supplied with subtree
+- * and place where to store result. returns ptr to result.
++ * and "res" variable to assign the result to if we evaluate an expression.
++ * If node refers to e.g. a variable or a field, no assignment happens.
++ * Return ptr to the result (which may or may not be the "res" variable!)
+  */
+ #define XC(n) ((n) >> 8)
+ 
+@@ -2549,14 +2853,16 @@ static var *evaluate(node *op, var *res)
+ #define seed   (G.evaluate__seed)
+ #define sreg   (G.evaluate__sreg)
+ 
+-	var *v1;
++	var *tmpvars;
+ 
+ 	if (!op)
+ 		return setvar_s(res, NULL);
+ 
+ 	debug_printf_eval("entered %s()\n", __func__);
+ 
+-	v1 = nvalloc(2);
++	tmpvars = nvalloc(2);
++#define TMPVAR0 (tmpvars)
++#define TMPVAR1 (tmpvars + 1)
+ 
+ 	while (op) {
+ 		struct {
+@@ -2578,48 +2884,35 @@ static var *evaluate(node *op, var *res)
+ 		op1 = op->l.n;
+ 		debug_printf_eval("opinfo:%08x opn:%08x\n", opinfo, opn);
+ 
+-		/* "delete" is special:
+-		 * "delete array[var--]" must evaluate index expr only once,
+-		 * must not evaluate it in "execute inevitable things" part.
+-		 */
+-		if (XC(opinfo & OPCLSMASK) == XC(OC_DELETE)) {
+-			uint32_t info = op1->info & OPCLSMASK;
+-			var *v;
+-
+-			debug_printf_eval("DELETE\n");
+-			if (info == OC_VAR) {
+-				v = op1->l.v;
+-			} else if (info == OC_FNARG) {
+-				v = &fnargs[op1->l.aidx];
+-			} else {
+-				syntax_error(EMSG_NOT_ARRAY);
++		/* execute inevitable things */
++		if (opinfo & OF_RES1) {
++			if ((opinfo & OF_REQUIRED) && !op1)
++				syntax_error(EMSG_TOO_FEW_ARGS);
++			L.v = evaluate(op1, TMPVAR0);
++			if (opinfo & OF_STR1) {
++				L.s = getvar_s(L.v);
++				debug_printf_eval("L.s:'%s'\n", L.s);
+ 			}
+-			if (op1->r.n) { /* array ref? */
+-				const char *s;
+-				s = getvar_s(evaluate(op1->r.n, v1));
+-				hash_remove(iamarray(v), s);
+-			} else {
+-				clear_array(iamarray(v));
++			if (opinfo & OF_NUM1) {
++				L_d = getvar_i(L.v);
++				debug_printf_eval("L_d:%f\n", L_d);
+ 			}
+-			goto next;
+ 		}
+-
+-		/* execute inevitable things */
+-		if (opinfo & OF_RES1)
+-			L.v = evaluate(op1, v1);
+-		if (opinfo & OF_RES2)
+-			R.v = evaluate(op->r.n, v1+1);
+-		if (opinfo & OF_STR1) {
+-			L.s = getvar_s(L.v);
+-			debug_printf_eval("L.s:'%s'\n", L.s);
+-		}
+-		if (opinfo & OF_STR2) {
+-			R.s = getvar_s(R.v);
+-			debug_printf_eval("R.s:'%s'\n", R.s);
+-		}
+-		if (opinfo & OF_NUM1) {
+-			L_d = getvar_i(L.v);
+-			debug_printf_eval("L_d:%f\n", L_d);
++		/* NB: Must get string/numeric values of L (done above)
++		 * _before_ evaluate()'ing R.v: if both L and R are $NNNs,
++		 * and right one is large, then L.v points to Fields[NNN1],
++		 * second evaluate() reallocates and moves (!) Fields[],
++		 * R.v points to Fields[NNN2] but L.v now points to freed mem!
++		 * (Seen trying to evaluate "$444 $44444")
++		 */
++		if (opinfo & OF_RES2) {
++			R.v = evaluate(op->r.n, TMPVAR1);
++			//TODO: L.v may be invalid now, set L.v to NULL to catch bugs?
++			//L.v = NULL;
++			if (opinfo & OF_STR2) {
++				R.s = getvar_s(R.v);
++				debug_printf_eval("R.s:'%s'\n", R.s);
++			}
+ 		}
+ 
+ 		debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK));
+@@ -2629,7 +2922,8 @@ static var *evaluate(node *op, var *res)
+ 
+ 		/* test pattern */
+ 		case XC( OC_TEST ):
+-			if ((op1->info & OPCLSMASK) == OC_COMMA) {
++			debug_printf_eval("TEST\n");
++			if (op1->info == TI_COMMA) {
+ 				/* it's range pattern */
+ 				if ((opinfo & OF_CHECKED) || ptest(op1->l.n)) {
+ 					op->info |= OF_CHECKED;
+@@ -2646,25 +2940,32 @@ static var *evaluate(node *op, var *res)
+ 
+ 		/* just evaluate an expression, also used as unconditional jump */
+ 		case XC( OC_EXEC ):
++			debug_printf_eval("EXEC\n");
+ 			break;
+ 
+ 		/* branch, used in if-else and various loops */
+ 		case XC( OC_BR ):
++			debug_printf_eval("BR\n");
+ 			op = istrue(L.v) ? op->a.n : op->r.n;
+ 			break;
+ 
+ 		/* initialize for-in loop */
+ 		case XC( OC_WALKINIT ):
++			debug_printf_eval("WALKINIT\n");
+ 			hashwalk_init(L.v, iamarray(R.v));
+ 			break;
+ 
+ 		/* get next array item */
+ 		case XC( OC_WALKNEXT ):
++			debug_printf_eval("WALKNEXT\n");
+ 			op = hashwalk_next(L.v) ? op->a.n : op->r.n;
+ 			break;
+ 
+ 		case XC( OC_PRINT ):
+-		case XC( OC_PRINTF ): {
++			debug_printf_eval("PRINT /\n");
++		case XC( OC_PRINTF ):
++			debug_printf_eval("PRINTF\n");
++		{
+ 			FILE *F = stdout;
+ 
+ 			if (op->r.n) {
+@@ -2682,55 +2983,94 @@ static var *evaluate(node *op, var *res)
+ 				F = rsm->F;
+ 			}
+ 
++			/* Can't just check 'opinfo == OC_PRINT' here, parser ORs
++			 * additional bits to opinfos of print/printf with redirects
++			 */
+ 			if ((opinfo & OPCLSMASK) == OC_PRINT) {
+ 				if (!op1) {
+ 					fputs(getvar_s(intvar[F0]), F);
+ 				} else {
+-					while (op1) {
+-						var *v = evaluate(nextarg(&op1), v1);
++					for (;;) {
++						var *v = evaluate(nextarg(&op1), TMPVAR0);
+ 						if (v->type & VF_NUMBER) {
+-							fmt_num(g_buf, MAXVARFMT, getvar_s(intvar[OFMT]),
+-									getvar_i(v), TRUE);
++							fmt_num(getvar_s(intvar[OFMT]),
++									getvar_i(v));
+ 							fputs(g_buf, F);
+ 						} else {
+ 							fputs(getvar_s(v), F);
+ 						}
+-
+-						if (op1)
+-							fputs(getvar_s(intvar[OFS]), F);
++						if (!op1)
++							break;
++						fputs(getvar_s(intvar[OFS]), F);
+ 					}
+ 				}
+ 				fputs(getvar_s(intvar[ORS]), F);
+-
+-			} else {	/* OC_PRINTF */
+-				char *s = awk_printf(op1);
++			} else {	/* PRINTF */
++				IF_FEATURE_AWK_GNU_EXTENSIONS(size_t len;)
++				char *s = awk_printf(op1, &len);
++#if ENABLE_FEATURE_AWK_GNU_EXTENSIONS
++				fwrite(s, len, 1, F);
++#else
+ 				fputs(s, F);
++#endif
+ 				free(s);
+ 			}
+ 			fflush(F);
+ 			break;
+ 		}
+ 
+-		/* case XC( OC_DELETE ): - moved to happen before arg evaluation */
++		case XC( OC_DELETE ):
++			debug_printf_eval("DELETE\n");
++		{
++			/* "delete" is special:
++			 * "delete array[var--]" must evaluate index expr only once.
++			 */
++			uint32_t info = op1->info & OPCLSMASK;
++			var *v;
++
++			if (info == OC_VAR) {
++				v = op1->l.v;
++			} else if (info == OC_FNARG) {
++				v = &fnargs[op1->l.aidx];
++			} else {
++				syntax_error(EMSG_NOT_ARRAY);
++			}
++			if (op1->r.n) { /* array ref? */
++				const char *s;
++				s = getvar_s(evaluate(op1->r.n, TMPVAR0));
++				hash_remove(iamarray(v), s);
++			} else {
++				clear_array(iamarray(v));
++			}
++			break;
++		}
+ 
+ 		case XC( OC_NEWSOURCE ):
++			debug_printf_eval("NEWSOURCE\n");
+ 			g_progname = op->l.new_progname;
+ 			break;
+ 
+ 		case XC( OC_RETURN ):
++			debug_printf_eval("RETURN\n");
+ 			copyvar(res, L.v);
+ 			break;
+ 
+ 		case XC( OC_NEXTFILE ):
++			debug_printf_eval("NEXTFILE\n");
+ 			nextfile = TRUE;
+ 		case XC( OC_NEXT ):
++			debug_printf_eval("NEXT\n");
+ 			nextrec = TRUE;
+ 		case XC( OC_DONE ):
++			debug_printf_eval("DONE\n");
+ 			clrvar(res);
+ 			break;
+ 
+ 		case XC( OC_EXIT ):
+-			awk_exit(L_d);
++			debug_printf_eval("EXIT\n");
++			if (op1)
++				G.exitcode = (int)L_d;
++			awk_exit();
+ 
+ 		/* -- recursive node type -- */
+ 
+@@ -2749,15 +3089,18 @@ static var *evaluate(node *op, var *res)
+ 			break;
+ 
+ 		case XC( OC_IN ):
++			debug_printf_eval("IN\n");
+ 			setvar_i(res, hash_search(iamarray(R.v), L.s) ? 1 : 0);
+ 			break;
+ 
+ 		case XC( OC_REGEXP ):
++			debug_printf_eval("REGEXP\n");
+ 			op1 = op;
+ 			L.s = getvar_s(intvar[F0]);
+ 			goto re_cont;
+ 
+ 		case XC( OC_MATCH ):
++			debug_printf_eval("MATCH\n");
+ 			op1 = op->r.n;
+  re_cont:
+ 			{
+@@ -2772,61 +3115,80 @@ static var *evaluate(node *op, var *res)
+ 		case XC( OC_MOVE ):
+ 			debug_printf_eval("MOVE\n");
+ 			/* if source is a temporary string, jusk relink it to dest */
+-//Disabled: if R.v is numeric but happens to have cached R.v->string,
+-//then L.v ends up being a string, which is wrong
+-//			if (R.v == v1+1 && R.v->string) {
+-//				res = setvar_p(L.v, R.v->string);
+-//				R.v->string = NULL;
+-//			} else {
++			if (R.v == TMPVAR1
++			 && !(R.v->type & VF_NUMBER)
++				/* Why check !NUMBER? if R.v is a number but has cached R.v->string,
++				 * L.v ends up a string, which is wrong */
++			 /*&& R.v->string - always not NULL (right?) */
++			) {
++				res = setvar_p(L.v, R.v->string); /* avoids strdup */
++				R.v->string = NULL;
++			} else {
+ 				res = copyvar(L.v, R.v);
+-//			}
++			}
+ 			break;
+ 
+ 		case XC( OC_TERNARY ):
+-			if ((op->r.n->info & OPCLSMASK) != OC_COLON)
++			debug_printf_eval("TERNARY\n");
++			if (op->r.n->info != TI_COLON)
+ 				syntax_error(EMSG_POSSIBLE_ERROR);
+ 			res = evaluate(istrue(L.v) ? op->r.n->l.n : op->r.n->r.n, res);
+ 			break;
+ 
+ 		case XC( OC_FUNC ): {
+-			var *vbeg, *v;
++			var *argvars, *sv_fnargs;
+ 			const char *sv_progname;
++			int nargs, i;
+ 
+-			/* The body might be empty, still has to eval the args */
+-			if (!op->r.n->info && !op->r.f->body.first)
++			debug_printf_eval("FUNC\n");
++
++			if (!op->r.f->defined)
+ 				syntax_error(EMSG_UNDEF_FUNC);
+ 
+-			vbeg = v = nvalloc(op->r.f->nargs + 1);
++			/* The body might be empty, still has to eval the args */
++			nargs = op->r.f->nargs;
++			argvars = nvalloc(nargs);
++			i = 0;
+ 			while (op1) {
+-				var *arg = evaluate(nextarg(&op1), v1);
+-				copyvar(v, arg);
+-				v->type |= VF_CHILD;
+-				v->x.parent = arg;
+-				if (++v - vbeg >= op->r.f->nargs)
+-					break;
++				var *arg = evaluate(nextarg(&op1), TMPVAR0);
++				if (i == nargs) {
++					/* call with more arguments than function takes.
++					 * (gawk warns: "warning: function 'f' called with more arguments than declared").
++					 * They are still evaluated, but discarded: */
++					clrvar(arg);
++					continue;
++				}
++				copyvar(&argvars[i], arg);
++				argvars[i].type |= VF_CHILD;
++				argvars[i].x.parent = arg;
++				i++;
+ 			}
+ 
+-			v = fnargs;
+-			fnargs = vbeg;
++			sv_fnargs = fnargs;
+ 			sv_progname = g_progname;
+ 
++			fnargs = argvars;
+ 			res = evaluate(op->r.f->body.first, res);
++			nvfree(argvars, nargs);
+ 
+ 			g_progname = sv_progname;
+-			nvfree(fnargs);
+-			fnargs = v;
++			fnargs = sv_fnargs;
+ 
+ 			break;
+ 		}
+ 
+ 		case XC( OC_GETLINE ):
+-		case XC( OC_PGETLINE ): {
++			debug_printf_eval("GETLINE /\n");
++		case XC( OC_PGETLINE ):
++			debug_printf_eval("PGETLINE\n");
++		{
+ 			rstream *rsm;
+ 			int i;
+ 
+ 			if (op1) {
+ 				rsm = newfile(L.s);
+ 				if (!rsm->F) {
++					/* NB: can't use "opinfo == TI_PGETLINE", would break "cmd" | getline */
+ 					if ((opinfo & OPCLSMASK) == OC_PGETLINE) {
+ 						rsm->F = popen(L.s, "r");
+ 						rsm->is_pipe = TRUE;
+@@ -2861,16 +3223,34 @@ static var *evaluate(node *op, var *res)
+ 		/* simple builtins */
+ 		case XC( OC_FBLTIN ): {
+ 			double R_d = R_d; /* for compiler */
++			debug_printf_eval("FBLTIN\n");
++
++			if (op1 && op1->info == TI_COMMA)
++				/* Simple builtins take one arg maximum */
++				syntax_error("Too many arguments");
+ 
+ 			switch (opn) {
+ 			case F_in:
+ 				R_d = (long long)L_d;
+ 				break;
+ 
+-			case F_rn:
+-				R_d = (double)rand() / (double)RAND_MAX;
++			case F_rn: /*rand*/
++				if (op1)
++					syntax_error("Too many arguments");
++			{
++#if RAND_MAX >= 0x7fffffff
++				uint32_t u = ((uint32_t)rand() << 16) ^ rand();
++				uint64_t v = ((uint64_t)rand() << 32) | u;
++				/* the above shift+or is optimized out on 32-bit arches */
++# if RAND_MAX > 0x7fffffff
++				v &= 0x7fffffffffffffffULL;
++# endif
++				R_d = (double)v / 0x8000000000000000ULL;
++#else
++# error Not implemented for this value of RAND_MAX
++#endif
+ 				break;
+-
++			}
+ 			case F_co:
+ 				if (ENABLE_FEATURE_AWK_LIBM) {
+ 					R_d = cos(L_d);
+@@ -2910,7 +3290,9 @@ static var *evaluate(node *op, var *res)
+ 				srand(seed);
+ 				break;
+ 
+-			case F_ti:
++			case F_ti: /*systime*/
++				if (op1)
++					syntax_error("Too many arguments");
+ 				R_d = time(NULL);
+ 				break;
+ 
+@@ -2949,7 +3331,7 @@ static var *evaluate(node *op, var *res)
+ 				rstream *rsm;
+ 				int err = 0;
+ 				rsm = (rstream *)hash_search(fdhash, L.s);
+-				debug_printf_eval("OC_FBLTIN F_cl rsm:%p\n", rsm);
++				debug_printf_eval("OC_FBLTIN close: op1:%p s:'%s' rsm:%p\n", op1, L.s, rsm);
+ 				if (rsm) {
+ 					debug_printf_eval("OC_FBLTIN F_cl "
+ 						"rsm->is_pipe:%d, ->F:%p\n",
+@@ -2960,6 +3342,11 @@ static var *evaluate(node *op, var *res)
+ 					 */
+ 					if (rsm->F)
+ 						err = rsm->is_pipe ? pclose(rsm->F) : fclose(rsm->F);
++//TODO: fix this case:
++// $ awk 'BEGIN { print close(""); print ERRNO }'
++// -1
++// close of redirection that was never opened
++// (we print 0, 0)
+ 					free(rsm->buffer);
+ 					hash_remove(fdhash, L.s);
+ 				}
+@@ -2974,14 +3361,18 @@ static var *evaluate(node *op, var *res)
+ 		}
+ 
+ 		case XC( OC_BUILTIN ):
++			debug_printf_eval("BUILTIN\n");
+ 			res = exec_builtin(op, res);
+ 			break;
+ 
+ 		case XC( OC_SPRINTF ):
+-			setvar_p(res, awk_printf(op1));
++			debug_printf_eval("SPRINTF\n");
++			setvar_p(res, awk_printf(op1, NULL));
+ 			break;
+ 
+-		case XC( OC_UNARY ): {
++		case XC( OC_UNARY ):
++			debug_printf_eval("UNARY\n");
++		{
+ 			double Ld, R_d;
+ 
+ 			Ld = R_d = getvar_i(R.v);
+@@ -3011,7 +3402,9 @@ static var *evaluate(node *op, var *res)
+ 			break;
+ 		}
+ 
+-		case XC( OC_FIELD ): {
++		case XC( OC_FIELD ):
++			debug_printf_eval("FIELD\n");
++		{
+ 			int i = (int)getvar_i(R.v);
+ 			if (i < 0)
+ 				syntax_error(EMSG_NEGATIVE_FIELD);
+@@ -3028,26 +3421,33 @@ static var *evaluate(node *op, var *res)
+ 
+ 		/* concatenation (" ") and index joining (",") */
+ 		case XC( OC_CONCAT ):
++			debug_printf_eval("CONCAT /\n");
+ 		case XC( OC_COMMA ): {
+ 			const char *sep = "";
+-			if ((opinfo & OPCLSMASK) == OC_COMMA)
++			debug_printf_eval("COMMA\n");
++			if (opinfo == TI_COMMA)
+ 				sep = getvar_s(intvar[SUBSEP]);
+ 			setvar_p(res, xasprintf("%s%s%s", L.s, sep, R.s));
+ 			break;
+ 		}
+ 
+ 		case XC( OC_LAND ):
++			debug_printf_eval("LAND\n");
+ 			setvar_i(res, istrue(L.v) ? ptest(op->r.n) : 0);
+ 			break;
+ 
+ 		case XC( OC_LOR ):
++			debug_printf_eval("LOR\n");
+ 			setvar_i(res, istrue(L.v) ? 1 : ptest(op->r.n));
+ 			break;
+ 
+ 		case XC( OC_BINARY ):
+-		case XC( OC_REPLACE ): {
++			debug_printf_eval("BINARY /\n");
++		case XC( OC_REPLACE ):
++			debug_printf_eval("REPLACE\n");
++		{
+ 			double R_d = getvar_i(R.v);
+-			debug_printf_eval("BINARY/REPLACE: R_d:%f opn:%c\n", R_d, opn);
++			debug_printf_eval("R_d:%f opn:%c\n", R_d, opn);
+ 			switch (opn) {
+ 			case '+':
+ 				L_d += R_d;
+@@ -3083,6 +3483,7 @@ static var *evaluate(node *op, var *res)
+ 		case XC( OC_COMPARE ): {
+ 			int i = i; /* for compiler */
+ 			double Ld;
++			debug_printf_eval("COMPARE\n");
+ 
+ 			if (is_numeric(L.v) && is_numeric(R.v)) {
+ 				Ld = getvar_i(L.v) - getvar_i(R.v);
+@@ -3109,7 +3510,7 @@ static var *evaluate(node *op, var *res)
+ 		default:
+ 			syntax_error(EMSG_POSSIBLE_ERROR);
+ 		} /* switch */
+- next:
++
+ 		if ((opinfo & OPCLSMASK) <= SHIFT_TIL_THIS)
+ 			op = op->a.n;
+ 		if ((opinfo & OPCLSMASK) >= RECUR_FROM_THIS)
+@@ -3118,7 +3519,10 @@ static var *evaluate(node *op, var *res)
+ 			break;
+ 	} /* while (op) */
+ 
+-	nvfree(v1);
++	nvfree(tmpvars, 2);
++#undef TMPVAR0
++#undef TMPVAR1
++
+ 	debug_printf_eval("returning from %s(): %p\n", __func__, res);
+ 	return res;
+ #undef fnargs
+@@ -3126,25 +3530,21 @@ static var *evaluate(node *op, var *res)
+ #undef sreg
+ }
+ 
+-
+ /* -------- main & co. -------- */
+ 
+-static int awk_exit(int r)
++static int awk_exit(void)
+ {
+-	var tv;
+ 	unsigned i;
+-	hash_item *hi;
+-
+-	zero_out_var(&tv);
+ 
+ 	if (!exiting) {
+ 		exiting = TRUE;
+ 		nextrec = FALSE;
+-		evaluate(endseq.first, &tv);
++		evaluate(endseq.first, &G.exit__tmpvar);
+ 	}
+ 
+ 	/* waiting for children */
+ 	for (i = 0; i < fdhash->csize; i++) {
++		hash_item *hi;
+ 		hi = fdhash->items[i];
+ 		while (hi) {
+ 			if (hi->data.rs.F && hi->data.rs.is_pipe)
+@@ -3153,65 +3553,7 @@ static int awk_exit(int r)
+ 		}
+ 	}
+ 
+-	exit(r);
+-}
+-
+-/* if expr looks like "var=value", perform assignment and return 1,
+- * otherwise return 0 */
+-static int is_assignment(const char *expr)
+-{
+-	char *exprc, *val;
+-
+-	if (!isalnum_(*expr) || (val = strchr(expr, '=')) == NULL) {
+-		return FALSE;
+-	}
+-
+-	exprc = xstrdup(expr);
+-	val = exprc + (val - expr);
+-	*val++ = '\0';
+-
+-	unescape_string_in_place(val);
+-	setvar_u(newvar(exprc), val);
+-	free(exprc);
+-	return TRUE;
+-}
+-
+-/* switch to next input file */
+-static rstream *next_input_file(void)
+-{
+-#define rsm          (G.next_input_file__rsm)
+-#define files_happen (G.next_input_file__files_happen)
+-
+-	FILE *F;
+-	const char *fname, *ind;
+-
+-	if (rsm.F)
+-		fclose(rsm.F);
+-	rsm.F = NULL;
+-	rsm.pos = rsm.adv = 0;
+-
+-	for (;;) {
+-		if (getvar_i(intvar[ARGIND])+1 >= getvar_i(intvar[ARGC])) {
+-			if (files_happen)
+-				return NULL;
+-			fname = "-";
+-			F = stdin;
+-			break;
+-		}
+-		ind = getvar_s(incvar(intvar[ARGIND]));
+-		fname = getvar_s(findvar(iamarray(intvar[ARGV]), ind));
+-		if (fname && *fname && !is_assignment(fname)) {
+-			F = xfopen_stdin(fname);
+-			break;
+-		}
+-	}
+-
+-	files_happen = TRUE;
+-	setvar_s(intvar[FILENAME], fname);
+-	rsm.F = F;
+-	return &rsm;
+-#undef rsm
+-#undef files_happen
++	exit(G.exitcode);
+ }
+ 
+ int awk_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+@@ -3224,12 +3566,7 @@ int awk_main(int argc UNUSED_PARAM, char **argv)
+ #if ENABLE_FEATURE_AWK_GNU_EXTENSIONS
+ 	llist_t *list_e = NULL;
+ #endif
+-	int i, j;
+-	var *v;
+-	var tv;
+-	char **envp;
+-	char *vnames = (char *)vNames; /* cheat */
+-	char *vvalues = (char *)vValues;
++	int i;
+ 
+ 	INIT_G();
+ 
+@@ -3238,48 +3575,43 @@ int awk_main(int argc UNUSED_PARAM, char **argv)
+ 	if (ENABLE_LOCALE_SUPPORT)
+ 		setlocale(LC_NUMERIC, "C");
+ 
+-	zero_out_var(&tv);
+-
+-	/* allocate global buffer */
+-	g_buf = xmalloc(MAXVARFMT + 1);
+-
+-	vhash = hash_init();
+-	ahash = hash_init();
+-	fdhash = hash_init();
+-	fnhash = hash_init();
+-
+ 	/* initialize variables */
+-	for (i = 0; *vnames; i++) {
+-		intvar[i] = v = newvar(nextword(&vnames));
+-		if (*vvalues != '\377')
+-			setvar_s(v, nextword(&vvalues));
+-		else
+-			setvar_i(v, 0);
+-
+-		if (*vnames == '*') {
+-			v->type |= VF_SPECIAL;
+-			vnames++;
++	vhash = hash_init();
++	{
++		char *vnames = (char *)vNames; /* cheat */
++		char *vvalues = (char *)vValues;
++		for (i = 0; *vnames; i++) {
++			var *v;
++			intvar[i] = v = newvar(nextword(&vnames));
++			if (*vvalues != '\377')
++				setvar_s(v, nextword(&vvalues));
++			else
++				setvar_i(v, 0);
++
++			if (*vnames == '*') {
++				v->type |= VF_SPECIAL;
++				vnames++;
++			}
+ 		}
+ 	}
+ 
+ 	handle_special(intvar[FS]);
+ 	handle_special(intvar[RS]);
+ 
+-	newfile("/dev/stdin")->F = stdin;
+-	newfile("/dev/stdout")->F = stdout;
+-	newfile("/dev/stderr")->F = stderr;
+-
+ 	/* Huh, people report that sometimes environ is NULL. Oh well. */
+-	if (environ) for (envp = environ; *envp; envp++) {
+-		/* environ is writable, thus we don't strdup it needlessly */
+-		char *s = *envp;
+-		char *s1 = strchr(s, '=');
+-		if (s1) {
+-			*s1 = '\0';
+-			/* Both findvar and setvar_u take const char*
+-			 * as 2nd arg -> environment is not trashed */
+-			setvar_u(findvar(iamarray(intvar[ENVIRON]), s), s1 + 1);
+-			*s1 = '=';
++	if (environ) {
++		char **envp;
++		for (envp = environ; *envp; envp++) {
++			/* environ is writable, thus we don't strdup it needlessly */
++			char *s = *envp;
++			char *s1 = strchr(s, '=');
++			if (s1) {
++				*s1 = '\0';
++				/* Both findvar and setvar_u take const char*
++				 * as 2nd arg -> environment is not trashed */
++				setvar_u(findvar(iamarray(intvar[ENVIRON]), s), s1 + 1);
++				*s1 = '=';
++			}
+ 		}
+ 	}
+ 	opt = getopt32(argv, OPTSTR_AWK, &opt_F, &list_v, &list_f, IF_FEATURE_AWK_GNU_EXTENSIONS(&list_e,) NULL);
+@@ -3295,20 +3627,19 @@ int awk_main(int argc UNUSED_PARAM, char **argv)
+ 		if (!is_assignment(llist_pop(&list_v)))
+ 			bb_show_usage();
+ 	}
++
++	/* Parse all supplied programs */
++	fnhash = hash_init();
++	ahash = hash_init();
+ 	while (list_f) {
+-		char *s = NULL;
+-		FILE *from_file;
++		int fd;
++		char *s;
+ 
+ 		g_progname = llist_pop(&list_f);
+-		from_file = xfopen_stdin(g_progname);
+-		/* one byte is reserved for some trick in next_token */
+-		for (i = j = 1; j > 0; i += j) {
+-			s = xrealloc(s, i + 4096);
+-			j = fread(s + i, 1, 4094, from_file);
+-		}
+-		s[i] = '\0';
+-		fclose(from_file);
+-		parse_program(s + 1);
++		fd = xopen_stdin(g_progname);
++		s = xmalloc_read(fd, NULL); /* it's NUL-terminated */
++		close(fd);
++		parse_program(s);
+ 		free(s);
+ 	}
+ 	g_progname = "cmd. line";
+@@ -3317,11 +3648,23 @@ int awk_main(int argc UNUSED_PARAM, char **argv)
+ 		parse_program(llist_pop(&list_e));
+ 	}
+ #endif
++//FIXME: preserve order of -e and -f
++//TODO: implement -i LIBRARY and -E FILE too, they are easy-ish
+ 	if (!(opt & (OPT_f | OPT_e))) {
+ 		if (!*argv)
+ 			bb_show_usage();
+ 		parse_program(*argv++);
+ 	}
++	/* Free unused parse structures */
++	//hash_free(fnhash); // ~250 bytes when empty, used only for function names
++	//^^^^^^^^^^^^^^^^^ does not work, hash_clear() inside SEGVs
++	// (IOW: hash_clear() assumes it's a hash of variables. fnhash is not).
++	free(fnhash->items);
++	free(fnhash);
++	fnhash = NULL; // debug
++	//hash_free(ahash); // empty after parsing, will reuse as fdhash instead of freeing
++
++	/* Parsing done, on to executing */
+ 
+ 	/* fill in ARGV array */
+ 	setari_u(intvar[ARGV], 0, "awk");
+@@ -3330,9 +3673,14 @@ int awk_main(int argc UNUSED_PARAM, char **argv)
+ 		setari_u(intvar[ARGV], ++i, *argv++);
+ 	setvar_i(intvar[ARGC], i + 1);
+ 
+-	evaluate(beginseq.first, &tv);
++	//fdhash = ahash; // done via define
++	newfile("/dev/stdin")->F = stdin;
++	newfile("/dev/stdout")->F = stdout;
++	newfile("/dev/stderr")->F = stderr;
++
++	evaluate(beginseq.first, &G.main__tmpvar);
+ 	if (!mainseq.first && !endseq.first)
+-		awk_exit(EXIT_SUCCESS);
++		awk_exit();
+ 
+ 	/* input file could already be opened in BEGIN block */
+ 	if (!iF)
+@@ -3347,7 +3695,7 @@ int awk_main(int argc UNUSED_PARAM, char **argv)
+ 			nextrec = FALSE;
+ 			incvar(intvar[NR]);
+ 			incvar(intvar[FNR]);
+-			evaluate(mainseq.first, &tv);
++			evaluate(mainseq.first, &G.main__tmpvar);
+ 
+ 			if (nextfile)
+ 				break;
+@@ -3359,6 +3707,6 @@ int awk_main(int argc UNUSED_PARAM, char **argv)
+ 		iF = next_input_file();
+ 	}
+ 
+-	awk_exit(EXIT_SUCCESS);
++	awk_exit();
+ 	/*return 0;*/
+ }
+diff --git a/testsuite/awk.tests b/testsuite/awk.tests
+index 92c83d719..4a7a01245 100755
+--- a/testsuite/awk.tests
++++ b/testsuite/awk.tests
+@@ -44,6 +44,16 @@ testing "awk handles empty function f(arg){}" \
+ 	"L1\n\nL2\n\n" \
+ 	"" ""
+ 
++prg='
++function empty_fun(){}
++END {empty_fun()
++  print "Ok"
++}'
++testing "awk handles empty function f(){}" \
++	"awk '$prg'" \
++	"Ok\n" \
++	"" ""
++
+ prg='
+ function outer_fun() {
+   return 1
+@@ -71,6 +81,23 @@ testing "awk properly handles undefined function" \
+ 	"L1\n\nawk: cmd. line:5: Call to undefined function\n" \
+ 	"" ""
+ 
++prg='
++BEGIN {
++  v=1
++  a=2
++  print v (a)
++}'
++testing "awk 'v (a)' is not a function call, it is a concatenation" \
++	"awk '$prg' 2>&1" \
++	"12\n" \
++	"" ""
++
++prg='func f(){print"F"};func g(){print"G"};BEGIN{f(g(),g())}'
++testing "awk unused function args are evaluated" \
++	"awk '$prg' 2>&1" \
++	"G\nG\nF\n" \
++	"" ""
++
+ 
+ optional DESKTOP
+ testing "awk hex const 1" "awk '{ print or(0xffffffff,1) }'" "4294967295\n" "" "\n"
+@@ -352,19 +379,14 @@ testing "awk -e and ARGC" \
+ 	""
+ SKIP=
+ 
+-# The examples are in fact not valid awk programs (break/continue
+-# can only be used inside loops).
+-# But we do accept them outside of loops.
+-# We had a bug with misparsing "break ; else" sequence.
+-# Test that *that* bug is fixed, using simplest possible scripts:
+ testing "awk break" \
+ 	"awk -f - 2>&1; echo \$?" \
+-	"0\n" \
++	"awk: -:1: 'break' not in a loop\n1\n" \
+ 	"" \
+ 	'BEGIN { if (1) break; else a = 1 }'
+ testing "awk continue" \
+ 	"awk -f - 2>&1; echo \$?" \
+-	"0\n" \
++	"awk: -:1: 'continue' not in a loop\n1\n" \
+ 	"" \
+ 	'BEGIN { if (1) continue; else a = 1 }'
+ 
+@@ -383,6 +405,11 @@ testing "awk errors on missing delete arg" \
+ 	"awk -e '{delete}' 2>&1" "awk: cmd. line:1: Too few arguments\n" "" ""
+ SKIP=
+ 
++optional FEATURE_AWK_GNU_EXTENSIONS
++testing "awk printf('%c') can output NUL" \
++	"awk '{printf(\"hello%c null\n\", 0)}'" "hello\0 null\n" "" "\n"
++SKIP=
++
+ # testing "description" "command" "result" "infile" "stdin"
+ testing 'awk negative field access' \
+ 	'awk 2>&1 -- '\''{ $(-1) }'\' \
+@@ -413,4 +440,25 @@ testing 'awk $NF is empty' \
+ 	'' \
+ 	'a=====123='
+ 
++testing "awk exit N propagates through END's exit" \
++	"awk 'BEGIN { exit 42 } END { exit }'; echo \$?" \
++	"42\n" \
++	'' ''
++
++testing "awk print + redirect" \
++	"awk 'BEGIN { print \"STDERR %s\" >\"/dev/stderr\" }' 2>&1" \
++	"STDERR %s\n" \
++	'' ''
++
++testing "awk \"cmd\" | getline" \
++	"awk 'BEGIN { \"echo HELLO\" | getline; print }'" \
++	"HELLO\n" \
++	'' ''
++
++# printf %% should print one % (had a bug where it didn't)
++testing 'awk printf %% prints one %' \
++	"awk 'BEGIN { printf \"%%\n\" }'" \
++	"%\n" \
++	'' ''
++
+ exit $FAILCOUNT
+diff --git a/testsuite/printf.tests b/testsuite/printf.tests
+index 34a65926e..050edef71 100755
+--- a/testsuite/printf.tests
++++ b/testsuite/printf.tests
+@@ -79,6 +79,11 @@ testing "printf understands %Ld" \
+ 	"-5\n""0\n" \
+ 	"" ""
+ 
++testing "printf understands %%" \
++	"${bb}printf '%%\n' 2>&1; echo \$?" \
++	"%\n""0\n" \
++	"" ""
++
+ testing "printf handles positive numbers for %d" \
+ 	"${bb}printf '%d\n' 3 +3 '   3' '   +3' 2>&1; echo \$?" \
+ 	"3\n"\
+-- 
+2.33.0
+
diff --git a/meta/recipes-core/busybox/busybox/0002-man-fix-segfault-in-man-1.patch b/meta/recipes-core/busybox/busybox/0002-man-fix-segfault-in-man-1.patch
new file mode 100644
index 0000000000..4a930b7b6f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0002-man-fix-segfault-in-man-1.patch
@@ -0,0 +1,30 @@
+From 4975cace9bf96bfde174f8bb5cc4068d2ea294d4 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 15 Jun 2021 14:47:46 +0200
+Subject: [PATCH] man: fix segfault in "man 1"
+
+function                                             old     new   delta
+man_main                                             942     954     +12
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport [4d4fc5ca5ee4f]
+CVE: CVE-2021-42373
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ miscutils/man.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/miscutils/man.c b/miscutils/man.c
+index 722f6641e..d319e8bba 100644
+--- a/miscutils/man.c
++++ b/miscutils/man.c
+@@ -324,7 +324,7 @@ int man_main(int argc UNUSED_PARAM, char **argv)
+ 
+ 	/* is 1st ARG a SECTION? */
+ 	sec_list = conf_sec_list;
+-	if (is_section_name(conf_sec_list, *argv)) {
++	if (is_section_name(conf_sec_list, *argv) && argv[1]) {
+ 		/* yes */
+ 		sec_list = *argv++;
+ 	}
diff --git a/meta/recipes-core/busybox/busybox_1.33.1.bb b/meta/recipes-core/busybox/busybox_1.33.2.bb
index 4002d6a5c6..4a0d3b4556 100644
--- a/meta/recipes-core/busybox/busybox_1.33.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.33.2.bb
@@ -48,7 +48,9 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
            file://0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch \
            file://0001-mktemp-add-tmpdir-option.patch \
+           file://0001-awk-fix-CVEs.patch \
+           file://0002-man-fix-segfault-in-man-1.patch \
            "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
-SRC_URI[tarball.sha256sum] = "12cec6bd2b16d8a9446dd16130f2b92982f1819f6e1c5f5887b6db03f5660d28"
+SRC_URI[tarball.sha256sum] = "6843ba7977081e735fa0fdb05893e3c002c8c5ad7c9c80da206e603cc0ac47e7"
diff --git a/meta/recipes-core/dbus-wait/dbus-wait_git.bb b/meta/recipes-core/dbus-wait/dbus-wait_git.bb
index 677768d35a..b39f7523c0 100644
--- a/meta/recipes-core/dbus-wait/dbus-wait_git.bb
+++ b/meta/recipes-core/dbus-wait/dbus-wait_git.bb
@@ -11,7 +11,7 @@ SRCREV = "6cc6077a36fe2648a5f993fe7c16c9632f946517"
 PV = "0.1+git${SRCPV}"
 PR = "r2"
 
-SRC_URI = "git://git.yoctoproject.org/${BPN}"
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master"
 UPSTREAM_CHECK_COMMITS = "1"
 
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-core/expat/expat/CVE-2021-45960.patch b/meta/recipes-core/expat/expat/CVE-2021-45960.patch
new file mode 100644
index 0000000000..523449e22c
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2021-45960.patch
@@ -0,0 +1,65 @@
+From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 27 Dec 2021 20:15:02 +0100
+Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function
+ storeAtts (CVE-2021-45960)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/534/commits/0adcb34c49bee5b19bd29b16a578c510c23597ea
+
+CVE: CVE-2021-45960
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d730f41c3..b47c31b05 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+   if (nPrefixes) {
+     int j; /* hash table index */
+     unsigned long version = parser->m_nsAttsVersion;
+-    int nsAttsSize = (int)1 << parser->m_nsAttsPower;
++
++    /* Detect and prevent invalid shift */
++    if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
++      return XML_ERROR_NO_MEMORY;
++    }
++
++    unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
+     unsigned char oldNsAttsPower = parser->m_nsAttsPower;
+     /* size of hash table must be at least 2 * (# of prefixed attributes) */
+     if ((nPrefixes << 1)
+@@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+         ;
+       if (parser->m_nsAttsPower < 3)
+         parser->m_nsAttsPower = 3;
+-      nsAttsSize = (int)1 << parser->m_nsAttsPower;
++
++      /* Detect and prevent invalid shift */
++      if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
++        /* Restore actual size of memory in m_nsAtts */
++        parser->m_nsAttsPower = oldNsAttsPower;
++        return XML_ERROR_NO_MEMORY;
++      }
++
++      nsAttsSize = 1u << parser->m_nsAttsPower;
++
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
++        /* Restore actual size of memory in m_nsAtts */
++        parser->m_nsAttsPower = oldNsAttsPower;
++        return XML_ERROR_NO_MEMORY;
++      }
++#endif
++
+       temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
+                                nsAttsSize * sizeof(NS_ATT));
+       if (! temp) {
diff --git a/meta/recipes-core/expat/expat/CVE-2021-46143.patch b/meta/recipes-core/expat/expat/CVE-2021-46143.patch
new file mode 100644
index 0000000000..b1a726d9a8
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2021-46143.patch
@@ -0,0 +1,49 @@
+From 85ae9a2d7d0e9358f356b33977b842df8ebaec2b Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 25 Dec 2021 20:52:08 +0100
+Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function
+ doProlog (CVE-2021-46143)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/538/commits/85ae9a2d7d0e9358f356b33977b842df8ebaec2b
+
+CVE: CVE-2021-46143
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ expat/lib/xmlparse.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index b47c31b0..8f243126 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+       if (parser->m_prologState.level >= parser->m_groupSize) {
+         if (parser->m_groupSize) {
+           {
++            /* Detect and prevent integer overflow */
++            if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
++              return XML_ERROR_NO_MEMORY;
++            }
++
+             char *const new_connector = (char *)REALLOC(
+                 parser, parser->m_groupConnector, parser->m_groupSize *= 2);
+             if (new_connector == NULL) {
+@@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+           }
+ 
+           if (dtd->scaffIndex) {
++            /* Detect and prevent integer overflow.
++             * The preprocessor guard addresses the "always false" warning
++             * from -Wtype-limits on platforms where
++             * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++            if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
++              return XML_ERROR_NO_MEMORY;
++            }
++#endif
++
+             int *const new_scaff_index = (int *)REALLOC(
+                 parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
+             if (new_scaff_index == NULL)
diff --git a/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch b/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
new file mode 100644
index 0000000000..e569fbc7ab
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-22822-27.patch
@@ -0,0 +1,257 @@
+From 9f93e8036e842329863bf20395b8fb8f73834d9e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 30 Dec 2021 22:46:03 +0100
+Subject: [PATCH] lib: Prevent integer overflow at multiple places
+ (CVE-2022-22822 to CVE-2022-22827)
+
+The involved functions are:
+- addBinding (CVE-2022-22822)
+- build_model (CVE-2022-22823)
+- defineAttribute (CVE-2022-22824)
+- lookup (CVE-2022-22825)
+- nextScaffoldPart (CVE-2022-22826)
+- storeAtts (CVE-2022-22827)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
+
+CVE: CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 153 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 151 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 8f243126..575e73ee 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ 
+   /* get the attributes from the tokenizer */
+   n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
++
++  /* Detect and prevent integer overflow */
++  if (n > INT_MAX - nDefaultAtts) {
++    return XML_ERROR_NO_MEMORY;
++  }
++
+   if (n + nDefaultAtts > parser->m_attsSize) {
+     int oldAttsSize = parser->m_attsSize;
+     ATTRIBUTE *temp;
+ #ifdef XML_ATTR_INFO
+     XML_AttrInfo *temp2;
+ #endif
++
++    /* Detect and prevent integer overflow */
++    if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
++        || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
++      return XML_ERROR_NO_MEMORY;
++    }
++
+     parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
++
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
++      parser->m_attsSize = oldAttsSize;
++      return XML_ERROR_NO_MEMORY;
++    }
++#endif
++
+     temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
+                                 parser->m_attsSize * sizeof(ATTRIBUTE));
+     if (temp == NULL) {
+@@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+     }
+     parser->m_atts = temp;
+ #ifdef XML_ATTR_INFO
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#  if UINT_MAX >= SIZE_MAX
++    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
++      parser->m_attsSize = oldAttsSize;
++      return XML_ERROR_NO_MEMORY;
++    }
++#  endif
++
+     temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
+                                     parser->m_attsSize * sizeof(XML_AttrInfo));
+     if (temp2 == NULL) {
+@@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+   tagNamePtr->prefixLen = prefixLen;
+   for (i = 0; localPart[i++];)
+     ; /* i includes null terminator */
++
++  /* Detect and prevent integer overflow */
++  if (binding->uriLen > INT_MAX - prefixLen
++      || i > INT_MAX - (binding->uriLen + prefixLen)) {
++    return XML_ERROR_NO_MEMORY;
++  }
++
+   n = i + binding->uriLen + prefixLen;
+   if (n > binding->uriAlloc) {
+     TAG *p;
++
++    /* Detect and prevent integer overflow */
++    if (n > INT_MAX - EXPAND_SPARE) {
++      return XML_ERROR_NO_MEMORY;
++    }
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++      return XML_ERROR_NO_MEMORY;
++    }
++#endif
++
+     uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
+     if (! uri)
+       return XML_ERROR_NO_MEMORY;
+@@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+   if (parser->m_freeBindingList) {
+     b = parser->m_freeBindingList;
+     if (len > b->uriAlloc) {
++      /* Detect and prevent integer overflow */
++      if (len > INT_MAX - EXPAND_SPARE) {
++        return XML_ERROR_NO_MEMORY;
++      }
++
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++        return XML_ERROR_NO_MEMORY;
++      }
++#endif
++
+       XML_Char *temp = (XML_Char *)REALLOC(
+           parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
+       if (temp == NULL)
+@@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+     b = (BINDING *)MALLOC(parser, sizeof(BINDING));
+     if (! b)
+       return XML_ERROR_NO_MEMORY;
++
++    /* Detect and prevent integer overflow */
++    if (len > INT_MAX - EXPAND_SPARE) {
++      return XML_ERROR_NO_MEMORY;
++    }
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
++      return XML_ERROR_NO_MEMORY;
++    }
++#endif
++
+     b->uri
+         = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
+     if (! b->uri) {
+@@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+       }
+     } else {
+       DEFAULT_ATTRIBUTE *temp;
++
++      /* Detect and prevent integer overflow */
++      if (type->allocDefaultAtts > INT_MAX / 2) {
++        return 0;
++      }
++
+       int count = type->allocDefaultAtts * 2;
++
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
++        return 0;
++      }
++#endif
++
+       temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
+                                           (count * sizeof(DEFAULT_ATTRIBUTE)));
+       if (temp == NULL)
+@@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
+     /* check for overflow (table is half full) */
+     if (table->used >> (table->power - 1)) {
+       unsigned char newPower = table->power + 1;
++
++      /* Detect and prevent invalid shift */
++      if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
++        return NULL;
++      }
++
+       size_t newSize = (size_t)1 << newPower;
+       unsigned long newMask = (unsigned long)newSize - 1;
++
++      /* Detect and prevent integer overflow */
++      if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
++        return NULL;
++      }
++
+       size_t tsize = newSize * sizeof(NAMED *);
+       NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
+       if (! newV)
+@@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) {
+   if (dtd->scaffCount >= dtd->scaffSize) {
+     CONTENT_SCAFFOLD *temp;
+     if (dtd->scaffold) {
++      /* Detect and prevent integer overflow */
++      if (dtd->scaffSize > UINT_MAX / 2u) {
++        return -1;
++      }
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
++        return -1;
++      }
++#endif
++
+       temp = (CONTENT_SCAFFOLD *)REALLOC(
+           parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
+       if (temp == NULL)
+@@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) {
+   XML_Content *ret;
+   XML_Content *cpos;
+   XML_Char *str;
+-  int allocsize = (dtd->scaffCount * sizeof(XML_Content)
+-                   + (dtd->contentStringLen * sizeof(XML_Char)));
++
++  /* Detect and prevent integer overflow.
++   * The preprocessor guard addresses the "always false" warning
++   * from -Wtype-limits on platforms where
++   * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++  if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
++    return NULL;
++  }
++  if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
++    return NULL;
++  }
++#endif
++  if (dtd->scaffCount * sizeof(XML_Content)
++      > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
++    return NULL;
++  }
++
++  const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
++                            + (dtd->contentStringLen * sizeof(XML_Char)));
+ 
+   ret = (XML_Content *)MALLOC(parser, allocsize);
+   if (! ret)
diff --git a/meta/recipes-core/expat/expat/CVE-2022-23852.patch b/meta/recipes-core/expat/expat/CVE-2022-23852.patch
new file mode 100644
index 0000000000..41425c108b
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-23852.patch
@@ -0,0 +1,33 @@
+From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 22 Jan 2022 17:48:00 +0100
+Subject: [PATCH] lib: Detect and prevent integer overflow in XML_GetBuffer
+ (CVE-2022-23852)
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40
+
+CVE: CVE-2022-23852
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index d54af683..5ce31402 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
+     keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+     if (keep > XML_CONTEXT_BYTES)
+       keep = XML_CONTEXT_BYTES;
++    /* Detect and prevent integer overflow */
++    if (keep > INT_MAX - neededSize) {
++      parser->m_errorCode = XML_ERROR_NO_MEMORY;
++      return NULL;
++    }
+     neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+     if (neededSize
diff --git a/meta/recipes-core/expat/expat/CVE-2022-23990.patch b/meta/recipes-core/expat/expat/CVE-2022-23990.patch
new file mode 100644
index 0000000000..c599517b3e
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-23990.patch
@@ -0,0 +1,49 @@
+From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 26 Jan 2022 02:36:43 +0100
+Subject: [PATCH] lib: Prevent integer overflow in doProlog (CVE-2022-23990)
+
+The change from "int nameLen" to "size_t nameLen"
+addresses the overflow on "nameLen++" in code
+"for (; name[nameLen++];)" right above the second
+change in the patch.
+
+Upstream-Status: Backport:
+https://github.com/libexpat/libexpat/pull/551/commits/ede41d1e186ed2aba88a06e84cac839b770af3a1
+
+CVE: CVE-2022-23990
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ lib/xmlparse.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 5ce31402..d1d17005 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+       if (dtd->in_eldecl) {
+         ELEMENT_TYPE *el;
+         const XML_Char *name;
+-        int nameLen;
++        size_t nameLen;
+         const char *nxt
+             = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
+         int myindex = nextScaffoldPart(parser);
+@@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+         nameLen = 0;
+         for (; name[nameLen++];)
+           ;
+-        dtd->contentStringLen += nameLen;
++
++        /* Detect and prevent integer overflow */
++        if (nameLen > UINT_MAX - dtd->contentStringLen) {
++          return XML_ERROR_NO_MEMORY;
++        }
++
++        dtd->contentStringLen += (unsigned)nameLen;
+         if (parser->m_elementDeclHandler)
+           handleDefault = XML_FALSE;
+       }
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25235.patch b/meta/recipes-core/expat/expat/CVE-2022-25235.patch
new file mode 100644
index 0000000000..9febeae609
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25235.patch
@@ -0,0 +1,261 @@
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/306b721]
+CVE: CVE-2022-25235
+
+The commit is a merge commit, and this patch is created by:
+
+$ git show -m -p --stat 306b72134f157bbfd1637b20a22cabf4acfa136a
+
+Remove modification for expat/Changes which fails to be applied.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+commit 306b72134f157bbfd1637b20a22cabf4acfa136a (from 2cc97e875ef84da4bcf55156c83599116f7523b4)
+Merge: 2cc97e87 c16300f0
+Author: Sebastian Pipping <sebastian@pipping.org>
+Date:   Fri Feb 18 20:12:32 2022 +0100
+
+    Merge pull request #562 from libexpat/utf8-security
+    
+    [CVE-2022-25235] lib: Protect against malformed encoding (e.g. malformed UTF-8)
+---
+ expat/Changes           |   7 ++++
+ expat/lib/xmltok.c      |   5 ---
+ expat/lib/xmltok_impl.c |  18 ++++----
+ expat/tests/runtests.c  | 109 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 127 insertions(+), 12 deletions(-)
+
+diff --git a/lib/xmltok.c b/lib/xmltok.c
+index a72200e8..3bddf125 100644
+--- a/lib/xmltok.c
++++ b/lib/xmltok.c
+@@ -98,11 +98,6 @@
+         + ((((byte)[1]) & 3) << 1) + ((((byte)[2]) >> 5) & 1)]                 \
+    & (1u << (((byte)[2]) & 0x1F)))
+ 
+-#define UTF8_GET_NAMING(pages, p, n)                                           \
+-  ((n) == 2                                                                    \
+-       ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p))                   \
+-       : ((n) == 3 ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) : 0))
+-
+ /* Detection of invalid UTF-8 sequences is based on Table 3.1B
+    of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/
+    with the additional restriction of not allowing the Unicode
+diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
+index 0430591b..84ff35f9 100644
+--- a/lib/xmltok_impl.c
++++ b/lib/xmltok_impl.c
+@@ -69,7 +69,7 @@
+   case BT_LEAD##n:                                                             \
+     if (end - ptr < n)                                                         \
+       return XML_TOK_PARTIAL_CHAR;                                             \
+-    if (! IS_NAME_CHAR(enc, ptr, n)) {                                         \
++    if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) {         \
+       *nextTokPtr = ptr;                                                       \
+       return XML_TOK_INVALID;                                                  \
+     }                                                                          \
+@@ -98,7 +98,7 @@
+   case BT_LEAD##n:                                                             \
+     if (end - ptr < n)                                                         \
+       return XML_TOK_PARTIAL_CHAR;                                             \
+-    if (! IS_NMSTRT_CHAR(enc, ptr, n)) {                                       \
++    if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) {       \
+       *nextTokPtr = ptr;                                                       \
+       return XML_TOK_INVALID;                                                  \
+     }                                                                          \
+@@ -1142,6 +1142,10 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
+   case BT_LEAD##n:                                                             \
+     if (end - ptr < n)                                                         \
+       return XML_TOK_PARTIAL_CHAR;                                             \
++    if (IS_INVALID_CHAR(enc, ptr, n)) {                                        \
++      *nextTokPtr = ptr;                                                       \
++      return XML_TOK_INVALID;                                                  \
++    }                                                                          \
+     if (IS_NMSTRT_CHAR(enc, ptr, n)) {                                         \
+       ptr += n;                                                                \
+       tok = XML_TOK_NAME;                                                      \
+@@ -1270,7 +1274,7 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr, const char *end,
+     switch (BYTE_TYPE(enc, ptr)) {
+ #  define LEAD_CASE(n)                                                         \
+   case BT_LEAD##n:                                                             \
+-    ptr += n;                                                                  \
++    ptr += n; /* NOTE: The encoding has already been validated. */             \
+     break;
+       LEAD_CASE(2)
+       LEAD_CASE(3)
+@@ -1339,7 +1343,7 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr, const char *end,
+     switch (BYTE_TYPE(enc, ptr)) {
+ #  define LEAD_CASE(n)                                                         \
+   case BT_LEAD##n:                                                             \
+-    ptr += n;                                                                  \
++    ptr += n; /* NOTE: The encoding has already been validated. */             \
+     break;
+       LEAD_CASE(2)
+       LEAD_CASE(3)
+@@ -1518,7 +1522,7 @@ PREFIX(getAtts)(const ENCODING *enc, const char *ptr, int attsMax,
+       state = inName;                                                          \
+     }
+ #  define LEAD_CASE(n)                                                         \
+-  case BT_LEAD##n:                                                             \
++  case BT_LEAD##n: /* NOTE: The encoding has already been validated. */        \
+     START_NAME ptr += (n - MINBPC(enc));                                       \
+     break;
+       LEAD_CASE(2)
+@@ -1730,7 +1734,7 @@ PREFIX(nameLength)(const ENCODING *enc, const char *ptr) {
+     switch (BYTE_TYPE(enc, ptr)) {
+ #  define LEAD_CASE(n)                                                         \
+   case BT_LEAD##n:                                                             \
+-    ptr += n;                                                                  \
++    ptr += n; /* NOTE: The encoding has already been validated. */             \
+     break;
+       LEAD_CASE(2)
+       LEAD_CASE(3)
+@@ -1775,7 +1779,7 @@ PREFIX(updatePosition)(const ENCODING *enc, const char *ptr, const char *end,
+     switch (BYTE_TYPE(enc, ptr)) {
+ #  define LEAD_CASE(n)                                                         \
+   case BT_LEAD##n:                                                             \
+-    ptr += n;                                                                  \
++    ptr += n; /* NOTE: The encoding has already been validated. */             \
+     pos->columnNumber++;                                                       \
+     break;
+       LEAD_CASE(2)
+diff --git a/tests/runtests.c b/tests/runtests.c
+index bc5344b1..9b155b82 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -5998,6 +5998,105 @@ START_TEST(test_utf8_in_cdata_section_2) {
+ }
+ END_TEST
+ 
++START_TEST(test_utf8_in_start_tags) {
++  struct test_case {
++    bool goodName;
++    bool goodNameStart;
++    const char *tagName;
++  };
++
++  // The idea with the tests below is this:
++  // We want to cover 1-, 2- and 3-byte sequences, 4-byte sequences
++  // go to isNever and are hence not a concern.
++  //
++  // We start with a character that is a valid name character
++  // (or even name-start character, see XML 1.0r4 spec) and then we flip
++  // single bits at places where (1) the result leaves the UTF-8 encoding space
++  // and (2) we stay in the same n-byte sequence family.
++  //
++  // The flipped bits are highlighted in angle brackets in comments,
++  // e.g. "[<1>011 1001]" means we had [0011 1001] but we now flipped
++  // the most significant bit to 1 to leave UTF-8 encoding space.
++  struct test_case cases[] = {
++      // 1-byte UTF-8: [0xxx xxxx]
++      {true, true, "\x3A"},   // [0011 1010] = ASCII colon ':'
++      {false, false, "\xBA"}, // [<1>011 1010]
++      {true, false, "\x39"},  // [0011 1001] = ASCII nine '9'
++      {false, false, "\xB9"}, // [<1>011 1001]
++
++      // 2-byte UTF-8: [110x xxxx] [10xx xxxx]
++      {true, true, "\xDB\xA5"},   // [1101 1011] [1010 0101] =
++                                  // Arabic small waw U+06E5
++      {false, false, "\x9B\xA5"}, // [1<0>01 1011] [1010 0101]
++      {false, false, "\xDB\x25"}, // [1101 1011] [<0>010 0101]
++      {false, false, "\xDB\xE5"}, // [1101 1011] [1<1>10 0101]
++      {true, false, "\xCC\x81"},  // [1100 1100] [1000 0001] =
++                                  // combining char U+0301
++      {false, false, "\x8C\x81"}, // [1<0>00 1100] [1000 0001]
++      {false, false, "\xCC\x01"}, // [1100 1100] [<0>000 0001]
++      {false, false, "\xCC\xC1"}, // [1100 1100] [1<1>00 0001]
++
++      // 3-byte UTF-8: [1110 xxxx] [10xx xxxx] [10xxxxxx]
++      {true, true, "\xE0\xA4\x85"},   // [1110 0000] [1010 0100] [1000 0101] =
++                                      // Devanagari Letter A U+0905
++      {false, false, "\xA0\xA4\x85"}, // [1<0>10 0000] [1010 0100] [1000 0101]
++      {false, false, "\xE0\x24\x85"}, // [1110 0000] [<0>010 0100] [1000 0101]
++      {false, false, "\xE0\xE4\x85"}, // [1110 0000] [1<1>10 0100] [1000 0101]
++      {false, false, "\xE0\xA4\x05"}, // [1110 0000] [1010 0100] [<0>000 0101]
++      {false, false, "\xE0\xA4\xC5"}, // [1110 0000] [1010 0100] [1<1>00 0101]
++      {true, false, "\xE0\xA4\x81"},  // [1110 0000] [1010 0100] [1000 0001] =
++                                      // combining char U+0901
++      {false, false, "\xA0\xA4\x81"}, // [1<0>10 0000] [1010 0100] [1000 0001]
++      {false, false, "\xE0\x24\x81"}, // [1110 0000] [<0>010 0100] [1000 0001]
++      {false, false, "\xE0\xE4\x81"}, // [1110 0000] [1<1>10 0100] [1000 0001]
++      {false, false, "\xE0\xA4\x01"}, // [1110 0000] [1010 0100] [<0>000 0001]
++      {false, false, "\xE0\xA4\xC1"}, // [1110 0000] [1010 0100] [1<1>00 0001]
++  };
++  const bool atNameStart[] = {true, false};
++
++  size_t i = 0;
++  char doc[1024];
++  size_t failCount = 0;
++
++  for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
++    size_t j = 0;
++    for (; j < sizeof(atNameStart) / sizeof(atNameStart[0]); j++) {
++      const bool expectedSuccess
++          = atNameStart[j] ? cases[i].goodNameStart : cases[i].goodName;
++      sprintf(doc, "<%s%s><!--", atNameStart[j] ? "" : "a", cases[i].tagName);
++      XML_Parser parser = XML_ParserCreate(NULL);
++
++      const enum XML_Status status
++          = XML_Parse(parser, doc, (int)strlen(doc), /*isFinal=*/XML_FALSE);
++
++      bool success = true;
++      if ((status == XML_STATUS_OK) != expectedSuccess) {
++        success = false;
++      }
++      if ((status == XML_STATUS_ERROR)
++          && (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)) {
++        success = false;
++      }
++
++      if (! success) {
++        fprintf(
++            stderr,
++            "FAIL case %2u (%sat name start, %u-byte sequence, error code %d)\n",
++            (unsigned)i + 1u, atNameStart[j] ? "    " : "not ",
++            (unsigned)strlen(cases[i].tagName), XML_GetErrorCode(parser));
++        failCount++;
++      }
++
++      XML_ParserFree(parser);
++    }
++  }
++
++  if (failCount > 0) {
++    fail("UTF-8 regression detected");
++  }
++}
++END_TEST
++
+ /* Test trailing spaces in elements are accepted */
+ static void XMLCALL
+ record_element_end_handler(void *userData, const XML_Char *name) {
+@@ -6175,6 +6274,14 @@ START_TEST(test_bad_doctype) {
+ }
+ END_TEST
+ 
++START_TEST(test_bad_doctype_utf8) {
++  const char *text = "<!DOCTYPE \xDB\x25"
++                     "doc><doc/>"; // [1101 1011] [<0>010 0101]
++  expect_failure(text, XML_ERROR_INVALID_TOKEN,
++                 "Invalid UTF-8 in DOCTYPE not faulted");
++}
++END_TEST
++
+ START_TEST(test_bad_doctype_utf16) {
+   const char text[] =
+       /* <!DOCTYPE doc [ \x06f2 ]><doc/>
+@@ -11870,6 +11977,7 @@ make_suite(void) {
+   tcase_add_test(tc_basic, test_ext_entity_utf8_non_bom);
+   tcase_add_test(tc_basic, test_utf8_in_cdata_section);
+   tcase_add_test(tc_basic, test_utf8_in_cdata_section_2);
++  tcase_add_test(tc_basic, test_utf8_in_start_tags);
+   tcase_add_test(tc_basic, test_trailing_spaces_in_elements);
+   tcase_add_test(tc_basic, test_utf16_attribute);
+   tcase_add_test(tc_basic, test_utf16_second_attr);
+@@ -11878,6 +11986,7 @@ make_suite(void) {
+   tcase_add_test(tc_basic, test_bad_attr_desc_keyword);
+   tcase_add_test(tc_basic, test_bad_attr_desc_keyword_utf16);
+   tcase_add_test(tc_basic, test_bad_doctype);
++  tcase_add_test(tc_basic, test_bad_doctype_utf8);
+   tcase_add_test(tc_basic, test_bad_doctype_utf16);
+   tcase_add_test(tc_basic, test_bad_doctype_plus);
+   tcase_add_test(tc_basic, test_bad_doctype_star);
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25236-1.patch b/meta/recipes-core/expat/expat/CVE-2022-25236-1.patch
new file mode 100644
index 0000000000..ab53d99c8f
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25236-1.patch
@@ -0,0 +1,116 @@
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2cc97e87]
+CVE: CVE-2022-25236
+
+The commit is a merge commit, and this patch is created by:
+
+$ git diff -p --stat 2cc97e87~ 2cc97e87
+
+Remove modification for expat/Changes which fails to be applied.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+commit 2cc97e875ef84da4bcf55156c83599116f7523b4 (from d477fdd284468f2ab822024e75702f2c1b254f42)
+Merge: d477fdd2 e4d7e497
+Author: Sebastian Pipping <sebastian@pipping.org>
+Date:   Fri Feb 18 18:01:27 2022 +0100
+
+    Merge pull request #561 from libexpat/namesep-security
+    
+    [CVE-2022-25236] lib: Protect against insertion of namesep characters into namespace URIs
+
+---
+ expat/Changes          | 16 ++++++++++++++++
+ expat/lib/xmlparse.c   | 17 +++++++++++++----
+ expat/tests/runtests.c | 30 ++++++++++++++++++++++++++++++
+ 3 files changed, 59 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 7376aab1..c98e2e9f 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
+ 
+ XML_Parser XMLCALL
+ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
+-  XML_Char tmp[2];
+-  *tmp = nsSep;
++  XML_Char tmp[2] = {nsSep, 0};
+   return XML_ParserCreate_MM(encodingName, NULL, tmp);
+ }
+ 
+@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+      would be otherwise.
+   */
+   if (parser->m_ns) {
+-    XML_Char tmp[2];
+-    *tmp = parser->m_namespaceSeparator;
++    XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+     parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
+   } else {
+     parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
+@@ -3761,6 +3759,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+     if (! mustBeXML && isXMLNS
+         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+       isXMLNS = XML_FALSE;
++
++    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
++    //       we have to at least make sure that the XML processor on top of
++    //       Expat (that is splitting tag names by namespace separator into
++    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
++    //       by an attacker putting additional namespace separator characters
++    //       into namespace declarations.  That would be ambiguous and not to
++    //       be expected.
++    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++      return XML_ERROR_SYNTAX;
++    }
+   }
+   isXML = isXML && len == xmlLen;
+   isXMLNS = isXMLNS && len == xmlnsLen;
+diff --git a/tests/runtests.c b/tests/runtests.c
+index d07203f2..bc5344b1 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -7220,6 +7220,35 @@ START_TEST(test_ns_double_colon_doctype) {
+ }
+ END_TEST
+ 
++START_TEST(test_ns_separator_in_uri) {
++  struct test_case {
++    enum XML_Status expectedStatus;
++    const char *doc;
++  };
++  struct test_case cases[] = {
++      {XML_STATUS_OK, "<doc xmlns='one_two' />"},
++      {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />"},
++  };
++
++  size_t i = 0;
++  size_t failCount = 0;
++  for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
++    XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
++    XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
++    if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
++                  /*isFinal*/ XML_TRUE)
++        != cases[i].expectedStatus) {
++      failCount++;
++    }
++    XML_ParserFree(parser);
++  }
++
++  if (failCount) {
++    fail("Namespace separator handling is broken");
++  }
++}
++END_TEST
++
+ /* Control variable; the number of times duff_allocator() will successfully
+  * allocate */
+ #define ALLOC_ALWAYS_SUCCEED (-1)
+@@ -11905,6 +11934,7 @@ make_suite(void) {
+   tcase_add_test(tc_namespace, test_ns_utf16_doctype);
+   tcase_add_test(tc_namespace, test_ns_invalid_doctype);
+   tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
++  tcase_add_test(tc_namespace, test_ns_separator_in_uri);
+ 
+   suite_add_tcase(s, tc_misc);
+   tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25236-2.patch b/meta/recipes-core/expat/expat/CVE-2022-25236-2.patch
new file mode 100644
index 0000000000..0f14c9631b
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25236-2.patch
@@ -0,0 +1,232 @@
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/f178826b]
+CVE: CVE-2022-25236
+
+The commit is a merge commit, and this patch is created by:
+
+$ git show -m -p --stat f178826b
+
+Remove changes for expat/Changes and reference.html which fail to be applied.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+commit f178826bb1e9c8ee23202f1be55ad4ac7b649e84 (from c99e0e7f2b15b48848038992ecbb4480f957cfe9)
+Merge: c99e0e7f 9579f7ea
+Author: Sebastian Pipping <sebastian@pipping.org>
+Date:   Fri Mar 4 18:43:39 2022 +0100
+
+    Merge pull request #577 from libexpat/namesep
+    
+    lib: Relax fix to CVE-2022-25236 with regard to RFC 3986 URI characters (fixes #572)
+---
+ expat/Changes            |  16 ++++++
+ expat/doc/reference.html |   8 +++
+ expat/lib/expat.h        |  11 ++++
+ expat/lib/xmlparse.c     | 139 ++++++++++++++++++++++++++++++++++++++++++++---
+ expat/tests/runtests.c   |   8 ++-
+ 5 files changed, 171 insertions(+), 11 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 5ab493f7..181fc960 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -239,6 +239,17 @@ XML_ParserCreate(const XML_Char *encoding);
+    and the local part will be concatenated without any separator.
+    It is a programming error to use the separator '\0' with namespace
+    triplets (see XML_SetReturnNSTriplet).
++   If a namespace separator is chosen that can be part of a URI or
++   part of an XML name, splitting an expanded name back into its
++   1, 2 or 3 original parts on application level in the element handler
++   may end up vulnerable, so these are advised against;  sane choices for
++   a namespace separator are e.g. '\n' (line feed) and '|' (pipe).
++
++   Note that Expat does not validate namespace URIs (beyond encoding)
++   against RFC 3986 today (and is not required to do so with regard to
++   the XML 1.0 namespaces specification) but it may start doing that
++   in future releases.  Before that, an application using Expat must
++   be ready to receive namespace URIs containing non-URI characters.
+ */
+ XMLPARSEAPI(XML_Parser)
+ XML_ParserCreateNS(const XML_Char *encoding, XML_Char namespaceSeparator);
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 59da19c8..6fe2cf1e 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3705,6 +3705,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+   return XML_ERROR_NONE;
+ }
+ 
++static XML_Bool
++is_rfc3986_uri_char(XML_Char candidate) {
++  // For the RFC 3986 ANBF grammar see
++  // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
++
++  switch (candidate) {
++  // From rule "ALPHA" (uppercase half)
++  case 'A':
++  case 'B':
++  case 'C':
++  case 'D':
++  case 'E':
++  case 'F':
++  case 'G':
++  case 'H':
++  case 'I':
++  case 'J':
++  case 'K':
++  case 'L':
++  case 'M':
++  case 'N':
++  case 'O':
++  case 'P':
++  case 'Q':
++  case 'R':
++  case 'S':
++  case 'T':
++  case 'U':
++  case 'V':
++  case 'W':
++  case 'X':
++  case 'Y':
++  case 'Z':
++
++  // From rule "ALPHA" (lowercase half)
++  case 'a':
++  case 'b':
++  case 'c':
++  case 'd':
++  case 'e':
++  case 'f':
++  case 'g':
++  case 'h':
++  case 'i':
++  case 'j':
++  case 'k':
++  case 'l':
++  case 'm':
++  case 'n':
++  case 'o':
++  case 'p':
++  case 'q':
++  case 'r':
++  case 's':
++  case 't':
++  case 'u':
++  case 'v':
++  case 'w':
++  case 'x':
++  case 'y':
++  case 'z':
++
++  // From rule "DIGIT"
++  case '0':
++  case '1':
++  case '2':
++  case '3':
++  case '4':
++  case '5':
++  case '6':
++  case '7':
++  case '8':
++  case '9':
++
++  // From rule "pct-encoded"
++  case '%':
++
++  // From rule "unreserved"
++  case '-':
++  case '.':
++  case '_':
++  case '~':
++
++  // From rule "gen-delims"
++  case ':':
++  case '/':
++  case '?':
++  case '#':
++  case '[':
++  case ']':
++  case '@':
++
++  // From rule "sub-delims"
++  case '!':
++  case '$':
++  case '&':
++  case '\'':
++  case '(':
++  case ')':
++  case '*':
++  case '+':
++  case ',':
++  case ';':
++  case '=':
++    return XML_TRUE;
++
++  default:
++    return XML_FALSE;
++  }
++}
++
+ /* addBinding() overwrites the value of prefix->binding without checking.
+    Therefore one must keep track of the old value outside of addBinding().
+ */
+@@ -3763,14 +3874,26 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+       isXMLNS = XML_FALSE;
+ 
+-    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+-    //       we have to at least make sure that the XML processor on top of
+-    //       Expat (that is splitting tag names by namespace separator into
+-    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+-    //       by an attacker putting additional namespace separator characters
+-    //       into namespace declarations.  That would be ambiguous and not to
+-    //       be expected.
+-    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++    // NOTE: While Expat does not validate namespace URIs against RFC 3986
++    //       today (and is not REQUIRED to do so with regard to the XML 1.0
++    //       namespaces specification) we have to at least make sure, that
++    //       the application on top of Expat (that is likely splitting expanded
++    //       element names ("qualified names") of form
++    //       "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
++    //       in its element handler code) cannot be confused by an attacker
++    //       putting additional namespace separator characters into namespace
++    //       declarations.  That would be ambiguous and not to be expected.
++    //
++    //       While the HTML API docs of function XML_ParserCreateNS have been
++    //       advising against use of a namespace separator character that can
++    //       appear in a URI for >20 years now, some widespread applications
++    //       are using URI characters (':' (colon) in particular) for a
++    //       namespace separator, in practice.  To keep these applications
++    //       functional, we only reject namespaces URIs containing the
++    //       application-chosen namespace separator if the chosen separator
++    //       is a non-URI character with regard to RFC 3986.
++    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
++        && ! is_rfc3986_uri_char(uri[len])) {
+       return XML_ERROR_SYNTAX;
+     }
+   }
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 60da868e..712706c4 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -7406,16 +7406,18 @@ START_TEST(test_ns_separator_in_uri) {
+   struct test_case {
+     enum XML_Status expectedStatus;
+     const char *doc;
++    XML_Char namesep;
+   };
+   struct test_case cases[] = {
+-      {XML_STATUS_OK, "<doc xmlns='one_two' />"},
+-      {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />"},
++      {XML_STATUS_OK, "<doc xmlns='one_two' />", XCS('\n')},
++      {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />", XCS('\n')},
++      {XML_STATUS_OK, "<doc xmlns='one:two' />", XCS(':')},
+   };
+ 
+   size_t i = 0;
+   size_t failCount = 0;
+   for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
+-    XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
++    XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep);
+     XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
+     if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
+                   /*isFinal*/ XML_TRUE)
diff --git a/meta/recipes-core/expat/expat_2.2.10.bb b/meta/recipes-core/expat/expat_2.2.10.bb
index a54d832e52..f99fa7edb6 100644
--- a/meta/recipes-core/expat/expat_2.2.10.bb
+++ b/meta/recipes-core/expat/expat_2.2.10.bb
@@ -6,11 +6,23 @@ LICENSE = "MIT"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=9e2ce3b3c4c0f2670883a23bbd7c37a9"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
+VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
+
+SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2  \
            file://libtool-tag.patch \
-	   file://run-ptest \
-	   file://0001-Add-output-of-tests-result.patch \
-	  "
+           file://run-ptest \
+           file://0001-Add-output-of-tests-result.patch \
+           file://CVE-2022-22822-27.patch \
+           file://CVE-2021-45960.patch \
+           file://CVE-2021-46143.patch \
+           file://CVE-2022-23852.patch \
+           file://CVE-2022-23990.patch \
+           file://CVE-2022-25235.patch \
+           file://CVE-2022-25236-1.patch \
+           file://CVE-2022-25236-2.patch \
+           "
+
+UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
 
 SRC_URI[sha256sum] = "b2c160f1b60e92da69de8e12333096aeb0c3bf692d41c60794de278af72135a5"
 
diff --git a/meta/recipes-core/fts/fts_1.2.7.bb b/meta/recipes-core/fts/fts_1.2.7.bb
index ea820cb0c3..d3b0f31eda 100644
--- a/meta/recipes-core/fts/fts_1.2.7.bb
+++ b/meta/recipes-core/fts/fts_1.2.7.bb
@@ -10,7 +10,7 @@ SECTION = "libs"
 
 SRCREV = "0bde52df588e8969879a2cae51c3a4774ec62472"
 
-SRC_URI = "git://github.com/pullmoll/musl-fts.git"
+SRC_URI = "git://github.com/pullmoll/musl-fts.git;branch=master;protocol=https"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta/recipes-core/glibc/cross-localedef-native_2.33.bb b/meta/recipes-core/glibc/cross-localedef-native_2.33.bb
index ec59c6ba10..22d3f96c09 100644
--- a/meta/recipes-core/glibc/cross-localedef-native_2.33.bb
+++ b/meta/recipes-core/glibc/cross-localedef-native_2.33.bb
@@ -20,7 +20,7 @@ inherit native
 FILESEXTRAPATHS =. "${FILE_DIRNAME}/${PN}:${FILE_DIRNAME}/glibc:"
 
 SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
-           git://github.com/kraj/localedef;branch=master;name=localedef;destsuffix=git/localedef \
+           git://github.com/kraj/localedef;branch=master;name=localedef;destsuffix=git/localedef;protocol=https \
            \
            file://0001-localedef-Add-hardlink-resolver-from-util-linux.patch \
            file://0002-localedef-fix-ups-hardlink-to-make-it-compile.patch \
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 3a95173175..e1eefdee49 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.33/master"
 PV = "2.33"
-SRCREV_glibc ?= "9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3"
+SRCREV_glibc ?= "3e2a15c666e40e5ee740e5079c56d83469280323"
 SRCREV_localedef ?= "bd644c9e6f3e20c5504da1488448173c69c56c28"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc/0001-nptl-Remove-private-futex-optimization-BZ-27304.patch b/meta/recipes-core/glibc/glibc/0001-nptl-Remove-private-futex-optimization-BZ-27304.patch
deleted file mode 100644
index 39fde5b785..0000000000
--- a/meta/recipes-core/glibc/glibc/0001-nptl-Remove-private-futex-optimization-BZ-27304.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From c4ad832276f4dadfa40904109b26a521468f66bc Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Thu, 4 Feb 2021 15:00:20 +0100
-Subject: [PATCH] nptl: Remove private futex optimization [BZ #27304]
-
-It is effectively used, unexcept for pthread_cond_destroy, where we do
-not want it; see bug 27304.  The internal locks do not support a
-process-shared mode.
-
-This fixes commit dc6cfdc934db9997c33728082d63552b9eee4563 ("nptl:
-Move pthread_cond_destroy implementation into libc").
-
-Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
-
-Upstream-Status: Backport [https://sourceware.org/bugzilla/show_bug.cgi?id=27304]
-Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
----
- sysdeps/nptl/lowlevellock-futex.h | 14 +-------------
- 1 file changed, 1 insertion(+), 13 deletions(-)
-
-diff --git a/sysdeps/nptl/lowlevellock-futex.h b/sysdeps/nptl/lowlevellock-futex.h
-index ecb729da6b..ca96397a4a 100644
---- a/sysdeps/nptl/lowlevellock-futex.h
-+++ b/sysdeps/nptl/lowlevellock-futex.h
-@@ -50,20 +50,8 @@
- #define LLL_SHARED	FUTEX_PRIVATE_FLAG
- 
- #ifndef __ASSEMBLER__
--
--# if IS_IN (libc) || IS_IN (rtld)
--/* In libc.so or ld.so all futexes are private.  */
--#  define __lll_private_flag(fl, private)			\
--  ({								\
--    /* Prevent warnings in callers of this macro.  */		\
--    int __lll_private_flag_priv __attribute__ ((unused));	\
--    __lll_private_flag_priv = (private);			\
--    ((fl) | FUTEX_PRIVATE_FLAG);				\
--  })
--# else
--#  define __lll_private_flag(fl, private) \
-+# define __lll_private_flag(fl, private) \
-   (((fl) | FUTEX_PRIVATE_FLAG) ^ (private))
--# endif
- 
- # define lll_futex_syscall(nargs, futexp, op, ...)                      \
-   ({                                                                    \
--- 
-2.27.0
-
diff --git a/meta/recipes-core/glibc/glibc/0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch b/meta/recipes-core/glibc/glibc/0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch
deleted file mode 100644
index 3cb60b2e55..0000000000
--- a/meta/recipes-core/glibc/glibc/0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From b1971f6f1331d738d1d6b376b4741668a7546125 Mon Sep 17 00:00:00 2001
-From: "H.J. Lu" <hjl.tools@gmail.com>
-Date: Tue, 2 Feb 2021 13:45:58 -0800
-Subject: [PATCH] x86: Require full ISA support for x86-64 level marker [BZ #27318]
-
-Since -march=sandybridge enables ISAs in x86-64 ISA level v3, the v3
-marker is set on libc.so.  We couldn't set the needed ISA marker to v2
-since this libc won't run on all v2 machines.  Technically, the v3 marker
-is correct.  But the resulting libc.so won't run on Sandy Brigde, which
-is a v2 machine, even when libc is compiled with -march=sandybridge:
-
-$ ./elf/ld.so ./libc.so
-./libc.so: (p) CPU ISA level is lower than required: needed: 7; got: 3
-
-Instead, we require full ISA support for x86-64 level marker and disable
-x86-64 level marker for -march=sandybridge which enables ISAs between v2
-and v3.
-
-Upstream-Status: Submitted [https://sourceware.org/pipermail/libc-alpha/2021-February/122297.html]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
-
- sysdeps/x86/configure    |  7 ++++++-
- sysdeps/x86/configure.ac |  2 +-
- sysdeps/x86/isa-level.c  | 21 ++++++++++++++++++++-
- 3 files changed, 27 insertions(+), 3 deletions(-)
-
-diff --git a/sysdeps/x86/configure b/sysdeps/x86/configure
-index 5e32dc62b3..5b20646843 100644
---- a/sysdeps/x86/configure
-+++ b/sysdeps/x86/configure
-@@ -133,7 +133,12 @@ if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -nostartfiles -nostdlib -r -o conftest c
-   $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-   test $ac_status = 0; }; }; then
-   count=`LC_ALL=C $READELF -n conftest | grep NT_GNU_PROPERTY_TYPE_0 | wc -l`
--  if test "$count" = 1; then
-+  if test "$count" = 1 && { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -DINCLUDE_X86_ISA_LEVEL -S -o conftest.s $srcdir/sysdeps/x86/isa-level.c'
-+  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
-+  (eval $ac_try) 2>&5
-+  ac_status=$?
-+  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-+  test $ac_status = 0; }; }; then
-     libc_cv_include_x86_isa_level=yes
-   fi
- fi
-diff --git a/sysdeps/x86/configure.ac b/sysdeps/x86/configure.ac
-index f94088f377..54ecd33d2c 100644
---- a/sysdeps/x86/configure.ac
-+++ b/sysdeps/x86/configure.ac
-@@ -100,7 +100,7 @@ EOF
- libc_cv_include_x86_isa_level=no
- if AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS -nostartfiles -nostdlib -r -o conftest conftest1.S conftest2.S); then
-   count=`LC_ALL=C $READELF -n conftest | grep NT_GNU_PROPERTY_TYPE_0 | wc -l`
--  if test "$count" = 1; then
-+  if test "$count" = 1 && AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS -DINCLUDE_X86_ISA_LEVEL -S -o conftest.s $srcdir/sysdeps/x86/isa-level.c); then
-     libc_cv_include_x86_isa_level=yes
-   fi
- fi
-diff --git a/sysdeps/x86/isa-level.c b/sysdeps/x86/isa-level.c
-index aaf524cb56..7f83449061 100644
---- a/sysdeps/x86/isa-level.c
-+++ b/sysdeps/x86/isa-level.c
-@@ -25,12 +25,17 @@
-    License along with the GNU C Library; if not, see
-    <https://www.gnu.org/licenses/>.  */
- 
--#include <elf.h>
-+#ifdef _LIBC
-+# include <elf.h>
-+#endif
- 
- /* ELF program property for x86 ISA level.  */
- #ifdef INCLUDE_X86_ISA_LEVEL
- # if defined __x86_64__ || defined __FXSR__ || !defined _SOFT_FLOAT \
-      || defined  __MMX__ || defined __SSE__ || defined __SSE2__
-+#  if !defined __SSE__ || !defined __SSE2__
-+#   error "Missing ISAs for x86-64 ISA level baseline"
-+#  endif
- #  define ISA_BASELINE	GNU_PROPERTY_X86_ISA_1_BASELINE
- # else
- #  define ISA_BASELINE	0
-@@ -40,6 +45,11 @@
-      || (defined __x86_64__ && defined __LAHF_SAHF__) \
-      || defined __POPCNT__ || defined __SSE3__ \
-      || defined __SSSE3__ || defined __SSE4_1__ || defined __SSE4_2__
-+#  if !defined __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16 \
-+     || !defined __POPCNT__ || !defined __SSE3__ \
-+     || !defined __SSSE3__ || !defined __SSE4_1__ || !defined __SSE4_2__
-+#   error "Missing ISAs for x86-64 ISA level v2"
-+#  endif
- #  define ISA_V2	GNU_PROPERTY_X86_ISA_1_V2
- # else
- #  define ISA_V2	0
-@@ -48,6 +58,10 @@
- # if defined __AVX__ || defined __AVX2__ || defined __F16C__ \
-      || defined __FMA__ || defined __LZCNT__ || defined __MOVBE__ \
-      || defined __XSAVE__
-+# if !defined __AVX__ || !defined __AVX2__ || !defined __F16C__ \
-+     || !defined __FMA__ || !defined __LZCNT__
-+#   error "Missing ISAs for x86-64 ISA level v3"
-+#  endif
- #  define ISA_V3	GNU_PROPERTY_X86_ISA_1_V3
- # else
- #  define ISA_V3	0
-@@ -55,6 +69,11 @@
- 
- # if defined __AVX512F__ || defined __AVX512BW__ || defined __AVX512CD__ \
-      || defined __AVX512DQ__ || defined __AVX512VL__
-+#  if !defined __AVX512F__ || !defined __AVX512BW__ \
-+      || !defined __AVX512CD__ || !defined __AVX512DQ__ \
-+      || !defined __AVX512VL__
-+#   error "Missing ISAs for x86-64 ISA level v4"
-+#  endif
- #  define ISA_V4	GNU_PROPERTY_X86_ISA_1_V4
- # else
- #  define ISA_V4	0
diff --git a/meta/recipes-core/glibc/glibc/0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch b/meta/recipes-core/glibc/glibc/0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch
deleted file mode 100644
index e904b28a05..0000000000
--- a/meta/recipes-core/glibc/glibc/0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 044e603b698093cf48f6e6229e0b66acf05227e4 Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Fri, 19 Feb 2021 13:29:00 +0100
-Subject: [PATCH] string: Work around GCC PR 98512 in rawmemchr
-
-Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=044e603b698093cf48f6e6229e0b66acf05227e4]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- string/rawmemchr.c | 26 +++++++++++++++-----------
- 1 file changed, 15 insertions(+), 11 deletions(-)
-
-diff --git a/string/rawmemchr.c b/string/rawmemchr.c
-index 59bbeeaa42..b8523118e5 100644
---- a/string/rawmemchr.c
-+++ b/string/rawmemchr.c
-@@ -22,24 +22,28 @@
- # define RAWMEMCHR __rawmemchr
- #endif
- 
--/* Find the first occurrence of C in S.  */
--void *
--RAWMEMCHR (const void *s, int c)
--{
--  DIAG_PUSH_NEEDS_COMMENT;
-+/* The pragmata should be nested inside RAWMEMCHR below, but that
-+   triggers GCC PR 98512.  */
-+DIAG_PUSH_NEEDS_COMMENT;
- #if __GNUC_PREREQ (7, 0)
--  /* GCC 8 warns about the size passed to memchr being larger than
--     PTRDIFF_MAX; the use of SIZE_MAX is deliberate here.  */
--  DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-overflow=");
-+/* GCC 8 warns about the size passed to memchr being larger than
-+   PTRDIFF_MAX; the use of SIZE_MAX is deliberate here.  */
-+DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-overflow=");
- #endif
- #if __GNUC_PREREQ (11, 0)
--  /* Likewise GCC 11, with a different warning option.  */
--  DIAG_IGNORE_NEEDS_COMMENT (11, "-Wstringop-overread");
-+/* Likewise GCC 11, with a different warning option.  */
-+DIAG_IGNORE_NEEDS_COMMENT (11, "-Wstringop-overread");
- #endif
-+
-+/* Find the first occurrence of C in S.  */
-+void *
-+RAWMEMCHR (const void *s, int c)
-+{
-   if (c != '\0')
-     return memchr (s, c, (size_t)-1);
--  DIAG_POP_NEEDS_COMMENT;
-   return (char *)s + strlen (s);
- }
- libc_hidden_def (__rawmemchr)
- weak_alias (__rawmemchr, rawmemchr)
-+
-+DIAG_POP_NEEDS_COMMENT;
--- 
-2.30.1
-
diff --git a/meta/recipes-core/glibc/glibc/0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch b/meta/recipes-core/glibc/glibc/0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch
deleted file mode 100644
index 3a004e227f..0000000000
--- a/meta/recipes-core/glibc/glibc/0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From 750b00a1ddae220403fd892a6fd4e0791ffd154a Mon Sep 17 00:00:00 2001
-From: "H.J. Lu" <hjl.tools@gmail.com>
-Date: Fri, 18 Sep 2020 07:55:14 -0700
-Subject: [PATCH] x86: Handle _SC_LEVEL1_ICACHE_LINESIZE [BZ #27444]
-
-    x86: Move x86 processor cache info to cpu_features
-
-missed _SC_LEVEL1_ICACHE_LINESIZE.
-
-1. Add level1_icache_linesize to struct cpu_features.
-2. Initialize level1_icache_linesize by calling handle_intel,
-handle_zhaoxin and handle_amd with _SC_LEVEL1_ICACHE_LINESIZE.
-3. Return level1_icache_linesize for _SC_LEVEL1_ICACHE_LINESIZE.
-
-Upstream-Status: Backport [https://sourceware.org/bugzilla/show_bug.cgi?id=27444]
-Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
----
- sysdeps/x86/Makefile                          |  8 +++
- sysdeps/x86/cacheinfo.c                       |  3 +
- sysdeps/x86/dl-cacheinfo.h                    |  6 ++
- sysdeps/x86/include/cpu-features.h            |  2 +
- .../x86/tst-sysconf-cache-linesize-static.c   |  1 +
- sysdeps/x86/tst-sysconf-cache-linesize.c      | 57 +++++++++++++++++++
- 6 files changed, 77 insertions(+)
- create mode 100644 sysdeps/x86/tst-sysconf-cache-linesize-static.c
- create mode 100644 sysdeps/x86/tst-sysconf-cache-linesize.c
-
-diff --git a/sysdeps/x86/Makefile b/sysdeps/x86/Makefile
-index dd82674342..d231263051 100644
---- a/sysdeps/x86/Makefile
-+++ b/sysdeps/x86/Makefile
-@@ -208,3 +208,11 @@ $(objpfx)check-cet.out: $(..)sysdeps/x86/check-cet.awk \
- generated += check-cet.out
- endif
- endif
-+
-+ifeq ($(subdir),posix)
-+tests += \
-+  tst-sysconf-cache-linesize \
-+  tst-sysconf-cache-linesize-static
-+tests-static += \
-+  tst-sysconf-cache-linesize-static
-+endif
-diff --git a/sysdeps/x86/cacheinfo.c b/sysdeps/x86/cacheinfo.c
-index 7b8df45e3b..5ea4723ca6 100644
---- a/sysdeps/x86/cacheinfo.c
-+++ b/sysdeps/x86/cacheinfo.c
-@@ -32,6 +32,9 @@ __cache_sysconf (int name)
-     case _SC_LEVEL1_ICACHE_SIZE:
-       return cpu_features->level1_icache_size;
- 
-+    case _SC_LEVEL1_ICACHE_LINESIZE:
-+      return cpu_features->level1_icache_linesize;
-+
-     case _SC_LEVEL1_DCACHE_SIZE:
-       return cpu_features->level1_dcache_size;
- 
-diff --git a/sysdeps/x86/dl-cacheinfo.h b/sysdeps/x86/dl-cacheinfo.h
-index a31fa0783a..7cd00b92f1 100644
---- a/sysdeps/x86/dl-cacheinfo.h
-+++ b/sysdeps/x86/dl-cacheinfo.h
-@@ -707,6 +707,7 @@ dl_init_cacheinfo (struct cpu_features *cpu_features)
-   long int core;
-   unsigned int threads = 0;
-   unsigned long int level1_icache_size = -1;
-+  unsigned long int level1_icache_linesize = -1;
-   unsigned long int level1_dcache_size = -1;
-   unsigned long int level1_dcache_assoc = -1;
-   unsigned long int level1_dcache_linesize = -1;
-@@ -726,6 +727,8 @@ dl_init_cacheinfo (struct cpu_features *cpu_features)
- 
-       level1_icache_size
- 	= handle_intel (_SC_LEVEL1_ICACHE_SIZE, cpu_features);
-+      level1_icache_linesize
-+	= handle_intel (_SC_LEVEL1_ICACHE_LINESIZE, cpu_features);
-       level1_dcache_size = data;
-       level1_dcache_assoc
- 	= handle_intel (_SC_LEVEL1_DCACHE_ASSOC, cpu_features);
-@@ -753,6 +756,7 @@ dl_init_cacheinfo (struct cpu_features *cpu_features)
-       shared = handle_zhaoxin (_SC_LEVEL3_CACHE_SIZE);
- 
-       level1_icache_size = handle_zhaoxin (_SC_LEVEL1_ICACHE_SIZE);
-+      level1_icache_linesize = handle_zhaoxin (_SC_LEVEL1_ICACHE_LINESIZE);
-       level1_dcache_size = data;
-       level1_dcache_assoc = handle_zhaoxin (_SC_LEVEL1_DCACHE_ASSOC);
-       level1_dcache_linesize = handle_zhaoxin (_SC_LEVEL1_DCACHE_LINESIZE);
-@@ -772,6 +776,7 @@ dl_init_cacheinfo (struct cpu_features *cpu_features)
-       shared = handle_amd (_SC_LEVEL3_CACHE_SIZE);
- 
-       level1_icache_size = handle_amd (_SC_LEVEL1_ICACHE_SIZE);
-+      level1_icache_linesize = handle_amd (_SC_LEVEL1_ICACHE_LINESIZE);
-       level1_dcache_size = data;
-       level1_dcache_assoc = handle_amd (_SC_LEVEL1_DCACHE_ASSOC);
-       level1_dcache_linesize = handle_amd (_SC_LEVEL1_DCACHE_LINESIZE);
-@@ -833,6 +838,7 @@ dl_init_cacheinfo (struct cpu_features *cpu_features)
-     }
- 
-   cpu_features->level1_icache_size = level1_icache_size;
-+  cpu_features->level1_icache_linesize = level1_icache_linesize;
-   cpu_features->level1_dcache_size = level1_dcache_size;
-   cpu_features->level1_dcache_assoc = level1_dcache_assoc;
-   cpu_features->level1_dcache_linesize = level1_dcache_linesize;
-diff --git a/sysdeps/x86/include/cpu-features.h b/sysdeps/x86/include/cpu-features.h
-index 624736b40e..39a3f4f311 100644
---- a/sysdeps/x86/include/cpu-features.h
-+++ b/sysdeps/x86/include/cpu-features.h
-@@ -874,6 +874,8 @@ struct cpu_features
-   unsigned long int rep_stosb_threshold;
-   /* _SC_LEVEL1_ICACHE_SIZE.  */
-   unsigned long int level1_icache_size;
-+  /* _SC_LEVEL1_ICACHE_LINESIZE.  */
-+  unsigned long int level1_icache_linesize;
-   /* _SC_LEVEL1_DCACHE_SIZE.  */
-   unsigned long int level1_dcache_size;
-   /* _SC_LEVEL1_DCACHE_ASSOC.  */
-diff --git a/sysdeps/x86/tst-sysconf-cache-linesize-static.c b/sysdeps/x86/tst-sysconf-cache-linesize-static.c
-new file mode 100644
-index 0000000000..152ae68821
---- /dev/null
-+++ b/sysdeps/x86/tst-sysconf-cache-linesize-static.c
-@@ -0,0 +1 @@
-+#include "tst-sysconf-cache-linesize.c"
-diff --git a/sysdeps/x86/tst-sysconf-cache-linesize.c b/sysdeps/x86/tst-sysconf-cache-linesize.c
-new file mode 100644
-index 0000000000..642dbde5d2
---- /dev/null
-+++ b/sysdeps/x86/tst-sysconf-cache-linesize.c
-@@ -0,0 +1,57 @@
-+/* Test system cache line sizes.
-+   Copyright (C) 2021 Free Software Foundation, Inc.
-+   This file is part of the GNU C Library.
-+
-+   The GNU C Library is free software; you can redistribute it and/or
-+   modify it under the terms of the GNU Lesser General Public
-+   License as published by the Free Software Foundation; either
-+   version 2.1 of the License, or (at your option) any later version.
-+
-+   The GNU C Library is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+   Lesser General Public License for more details.
-+
-+   You should have received a copy of the GNU Lesser General Public
-+   License along with the GNU C Library; if not, see
-+   <https://www.gnu.org/licenses/>.  */
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <unistd.h>
-+#include <array_length.h>
-+
-+static struct
-+{
-+  const char *name;
-+  int _SC_val;
-+} sc_options[] =
-+  {
-+#define N(name) { "_SC_"#name, _SC_##name }
-+    N (LEVEL1_ICACHE_LINESIZE),
-+    N (LEVEL1_DCACHE_LINESIZE),
-+    N (LEVEL2_CACHE_LINESIZE)
-+  };
-+
-+static int
-+do_test (void)
-+{
-+  int result = EXIT_SUCCESS;
-+
-+  for (int i = 0; i < array_length (sc_options); ++i)
-+    {
-+      long int scret = sysconf (sc_options[i]._SC_val);
-+      if (scret < 0)
-+	{
-+	  printf ("sysconf (%s) returned < 0 (%ld)\n",
-+		  sc_options[i].name, scret);
-+	  result = EXIT_FAILURE;
-+	}
-+      else
-+	printf ("sysconf (%s): %ld\n", sc_options[i].name, scret);
-+    }
-+
-+  return result;
-+}
-+
-+#include <support/test-driver.c>
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27318-revert.patch b/meta/recipes-core/glibc/glibc/CVE-2021-27318-revert.patch
new file mode 100644
index 0000000000..2f08a90dd0
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-27318-revert.patch
@@ -0,0 +1,174 @@
+Since the full ISA set used in an ELF binary is unknown to compiler,
+an x86-64 ISA level marker indicates the minimum, not maximum, ISA set
+required to run such an ELF binary.  We never guarantee a library with
+an x86-64 ISA level v3 marker doesn't contain other ISAs beyond x86-64
+ISA level v3, like AVX VNNI.  We check the x86-64 ISA level marker for
+the minimum ISA set.  Since -march=sandybridge enables only some ISAs
+in x86-64 ISA level v3, we should set the needed ISA marker to v2.
+Otherwise, libc is compiled with -march=sandybridge will fail to run on
+Sandy Bridge:
+
+$ ./elf/ld.so ./libc.so
+./libc.so: (p) CPU ISA level is lower than required: needed: 7; got: 3
+
+Set the minimum, instead of maximum, x86-64 ISA level marker should have
+no impact on the b-hwcaps directory assignment logic in ldconfig nor
+ld.so.
+
+(cherry picked from commit 339bf918ea4830fb35614632e96f3aab3237adce)
+---
+ config.h.in              |  6 ++++++
+ sysdeps/x86/configure    | 28 ++++++++++++++++++++++++++++
+ sysdeps/x86/configure.ac | 16 ++++++++++++++++
+ sysdeps/x86/isa-level.c  | 25 ++++++++++++++-----------
+ 4 files changed, 64 insertions(+), 11 deletions(-)
+
+diff --git a/config.h.in b/config.h.in
+--- a/config.h.in	2021-10-16 03:28:49.447573081 -0700
++++ b/config.h.in	2021-10-16 03:29:38.626741181 -0700
+@@ -275,4 +275,10 @@
+ /* Define if x86 ISA level should be included in shared libraries.  */
+ #undef INCLUDE_X86_ISA_LEVEL
+ 
++/* Define if -msahf is enabled by default on x86.  */
++#undef HAVE_X86_LAHF_SAHF
++
++/* Define if -mmovbe is enabled by default on x86.  */
++#undef HAVE_X86_MOVBE
++
+ #endif
+diff --git a/sysdeps/x86/configure b/sysdeps/x86/configure
+--- a/sysdeps/x86/configure	2021-10-16 03:28:49.587570713 -0700
++++ b/sysdeps/x86/configure	2021-10-16 03:29:39.330729277 -0700
+@@ -126,6 +126,8 @@ cat > conftest2.S <<EOF
+ 4:
+ EOF
+ libc_cv_include_x86_isa_level=no
++libc_cv_have_x86_lahf_sahf=no
++libc_cv_have_x86_movbe=no
+ if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -nostartfiles -nostdlib -r -o conftest conftest1.S conftest2.S'
+   { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
+   (eval $ac_try) 2>&5
+@@ -135,6 +137,24 @@ if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS
+   count=`LC_ALL=C $READELF -n conftest | grep NT_GNU_PROPERTY_TYPE_0 | wc -l`
+   if test "$count" = 1; then
+     libc_cv_include_x86_isa_level=yes
++    cat > conftest.c <<EOF
++EOF
++    if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -fverbose-asm -S -o - conftest.c'
++  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
++  (eval $ac_try) 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; } | grep -q "\-msahf"; then
++      libc_cv_have_x86_lahf_sahf=yes
++    fi
++    if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -fverbose-asm -S -o - conftest.c'
++  { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
++  (eval $ac_try) 2>&5
++  ac_status=$?
++  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }; } | grep -q "\-mmovbe"; then
++      libc_cv_have_x86_movbe=yes
++    fi
+   fi
+ fi
+ rm -f conftest*
+@@ -145,5 +165,13 @@ if test $libc_cv_include_x86_isa_level =
+   $as_echo "#define INCLUDE_X86_ISA_LEVEL 1" >>confdefs.h
+ 
+ fi
++if test $libc_cv_have_x86_lahf_sahf = yes; then
++  $as_echo "#define HAVE_X86_LAHF_SAHF 1" >>confdefs.h
++
++fi
++if test $libc_cv_have_x86_movbe = yes; then
++  $as_echo "#define HAVE_X86_MOVBE 1" >>confdefs.h
++
++fi
+ config_vars="$config_vars
+ enable-x86-isa-level = $libc_cv_include_x86_isa_level"
+diff --git a/sysdeps/x86/configure.ac b/sysdeps/x86/configure.ac
+--- a/sysdeps/x86/configure.ac	2021-10-16 03:28:49.587570713 -0700
++++ b/sysdeps/x86/configure.ac	2021-10-16 03:29:40.038717306 -0700
+@@ -98,14 +98,30 @@ cat > conftest2.S <<EOF
+ 4:
+ EOF
+ libc_cv_include_x86_isa_level=no
++libc_cv_have_x86_lahf_sahf=no
++libc_cv_have_x86_movbe=no
+ if AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS -nostartfiles -nostdlib -r -o conftest conftest1.S conftest2.S); then
+   count=`LC_ALL=C $READELF -n conftest | grep NT_GNU_PROPERTY_TYPE_0 | wc -l`
+   if test "$count" = 1; then
+     libc_cv_include_x86_isa_level=yes
++    cat > conftest.c <<EOF
++EOF
++    if AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS -fverbose-asm -S -o - conftest.c) | grep -q "\-msahf"; then
++      libc_cv_have_x86_lahf_sahf=yes
++    fi
++    if AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS -fverbose-asm -S -o - conftest.c) | grep -q "\-mmovbe"; then
++      libc_cv_have_x86_movbe=yes
++    fi
+   fi
+ fi
+ rm -f conftest*])
+ if test $libc_cv_include_x86_isa_level = yes; then
+   AC_DEFINE(INCLUDE_X86_ISA_LEVEL)
+ fi
++if test $libc_cv_have_x86_lahf_sahf = yes; then
++  AC_DEFINE(HAVE_X86_LAHF_SAHF)
++fi
++if test $libc_cv_have_x86_movbe = yes; then
++  AC_DEFINE(HAVE_X86_MOVBE)
++fi
+ LIBC_CONFIG_VAR([enable-x86-isa-level], [$libc_cv_include_x86_isa_level])
+diff --git a/sysdeps/x86/isa-level.c b/sysdeps/x86/isa-level.c
+--- a/sysdeps/x86/isa-level.c	2021-10-16 03:28:49.587570713 -0700
++++ b/sysdeps/x86/isa-level.c	2021-10-16 03:29:40.766704997 -0700
+@@ -29,32 +29,35 @@
+ 
+ /* ELF program property for x86 ISA level.  */
+ #ifdef INCLUDE_X86_ISA_LEVEL
+-# if defined __x86_64__ || defined __FXSR__ || !defined _SOFT_FLOAT \
+-     || defined  __MMX__ || defined __SSE__ || defined __SSE2__
++# if defined __SSE__ && defined __SSE2__
++/* NB: ISAs, excluding MMX, in x86-64 ISA level baseline are used.  */
+ #  define ISA_BASELINE	GNU_PROPERTY_X86_ISA_1_BASELINE
+ # else
+ #  define ISA_BASELINE	0
+ # endif
+ 
+-# if defined __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16 \
+-     || (defined __x86_64__ && defined __LAHF_SAHF__) \
+-     || defined __POPCNT__ || defined __SSE3__ \
+-     || defined __SSSE3__ || defined __SSE4_1__ || defined __SSE4_2__
++# if ISA_BASELINE && defined __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16 \
++     && defined HAVE_X86_LAHF_SAHF && defined __POPCNT__ \
++     && defined __SSE3__ && defined __SSSE3__ && defined __SSE4_1__ \
++     && defined __SSE4_2__
++/* NB: ISAs in x86-64 ISA level v2 are used.  */
+ #  define ISA_V2	GNU_PROPERTY_X86_ISA_1_V2
+ # else
+ #  define ISA_V2	0
+ # endif
+ 
+-# if defined __AVX__ || defined __AVX2__ || defined __F16C__ \
+-     || defined __FMA__ || defined __LZCNT__ || defined __MOVBE__ \
+-     || defined __XSAVE__
++# if ISA_V2 && defined __AVX__ && defined __AVX2__ && defined __F16C__ \
++     && defined __FMA__ && defined __LZCNT__ && defined HAVE_X86_MOVBE
++/* NB: ISAs in x86-64 ISA level v3 are used.  */
+ #  define ISA_V3	GNU_PROPERTY_X86_ISA_1_V3
+ # else
+ #  define ISA_V3	0
+ # endif
+ 
+-# if defined __AVX512F__ || defined __AVX512BW__ || defined __AVX512CD__ \
+-     || defined __AVX512DQ__ || defined __AVX512VL__
++# if ISA_V3 && defined __AVX512F__ && defined __AVX512BW__ \
++     && defined __AVX512CD__ && defined __AVX512DQ__ \
++     && defined __AVX512VL__
++/* NB: ISAs in x86-64 ISA level v4 are used.  */
+ #  define ISA_V4	GNU_PROPERTY_X86_ISA_1_V4
+ # else
+ #  define ISA_V4	0
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
deleted file mode 100644
index 26c5c0d2a9..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00 2001
-From: DJ Delorie <dj@redhat.com>
-Date: Thu, 25 Feb 2021 16:08:21 -0500
-Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ #27462]
-
-In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
-was fixed, but this led to an occasional double-free.  This patch
-tracks the "live" allocation better.
-
-Tested manually by a third party.
-
-Related: RHBZ 1927877
-
-Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
-Reviewed-by: Carlos O'Donell <carlos@redhat.com>
-
-Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673]
-
-CVE: CVE-2021-27645
-
-Reviewed-by: Carlos O'Donell <carlos@redhat.com>
-Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
----
- nscd/netgroupcache.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
-index dba6ceec1b..ad2daddafd 100644
---- a/nscd/netgroupcache.c
-+++ b/nscd/netgroupcache.c
-@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- 					     : NULL);
- 				    ndomain = (ndomain ? newbuf + ndomaindiff
- 					       : NULL);
--				    buffer = newbuf;
-+				    *tofreep = buffer = newbuf;
- 				  }
- 
- 				nhost = memcpy (buffer + bufused,
-@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
- 		    else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
- 		      {
- 			buflen *= 2;
--			buffer = xrealloc (buffer, buflen);
-+			*tofreep = buffer = xrealloc (buffer, buflen);
- 		      }
- 		    else if (status == NSS_STATUS_RETURN
- 			     || status == NSS_STATUS_NOTFOUND
--- 
-2.27.0
-
diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb
index 75a1f36d6b..a1e9eb3a16 100644
--- a/meta/recipes-core/glibc/glibc_2.33.bb
+++ b/meta/recipes-core/glibc/glibc_2.33.bb
@@ -56,11 +56,6 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0028-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch \
            file://0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch \
            file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
-           file://0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch \
-           file://0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch \
-           file://0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch \
-           file://CVE-2021-27645.patch \
-           file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \
            "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
@@ -93,7 +88,7 @@ EXTRA_OECONF = "--enable-kernel=${OLDEST_KERNEL} \
 
 EXTRA_OECONF += "${@get_libc_fpu_setting(bb, d)}"
 
-EXTRA_OECONF_append_x86 = " --enable-cet"
+EXTRA_OECONF_append_x86 = " ${@bb.utils.contains_any('TUNE_FEATURES', 'i586 c3', '--disable-cet', '--enable-cet', d)}"
 EXTRA_OECONF_append_x86-64 = " --enable-cet"
 
 PACKAGECONFIG ??= "nscd"
diff --git a/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch b/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
index 52986e61c7..d1835c7a10 100644
--- a/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
+++ b/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
@@ -400,7 +400,7 @@ Index: ldconfig-native-2.12.1/ldconfig.c
    return 0;
  }
  
-+#define REPORT_BUGS_TO "mailing list : poky@yoctoproject.org"
++#define REPORT_BUGS_TO "mailing list : poky@lists.yoctoproject.org"
  /* Print bug-reporting information in the help message.  */
  static char *
  more_help (int key, const char *text, void *input)
diff --git a/meta/recipes-core/ifupdown/ifupdown_0.8.36.bb b/meta/recipes-core/ifupdown/ifupdown_0.8.36.bb
index 0daf50acab..afc3196620 100644
--- a/meta/recipes-core/ifupdown/ifupdown_0.8.36.bb
+++ b/meta/recipes-core/ifupdown/ifupdown_0.8.36.bb
@@ -7,7 +7,7 @@ the file /etc/network/interfaces."
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
 
-SRC_URI = "git://salsa.debian.org/debian/ifupdown.git;protocol=https \
+SRC_URI = "git://salsa.debian.org/debian/ifupdown.git;protocol=https;branch=master \
            file://defn2-c-man-don-t-rely-on-dpkg-architecture-to-set-a.patch \
            file://99_network \
            file://0001-Define-FNM_EXTMATCH-for-musl.patch \
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index fe1715f2e3..5631cd8ae6 100644
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx"
 
 inherit core-image setuptools3
 
-SRCREV ?= "96e8fcd6a24fd732e010607be347cbb3348ef725"
+SRCREV ?= "2954fa87a4d325f1a3c722d6fb8bf13b17f9e7a0"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=hardknott \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \
diff --git a/meta/recipes-core/initrdscripts/initramfs-framework/finish b/meta/recipes-core/initrdscripts/initramfs-framework/finish
index 717383ebac..f08a920867 100755
--- a/meta/recipes-core/initrdscripts/initramfs-framework/finish
+++ b/meta/recipes-core/initrdscripts/initramfs-framework/finish
@@ -12,6 +12,18 @@ finish_run() {
 			fatal "ERROR: There's no '/dev' on rootfs."
 		fi
 
+		# Unmount anything that was automounted by busybox via mdev-mount.sh.
+		# We're about to switch_root, and leaving anything mounted will prevent
+		# the next rootfs from modifying the block device.  Ignore ROOT_DISK,
+		# if it was set by setup-live, because it'll be mounted over loopback
+		# to ROOTFS_DIR.
+		local dev
+		for dev in /run/media/*; do
+			if mountpoint -q "${dev}" && [ "${dev##*/}" != "${ROOT_DISK}" ]; then
+				umount -f "${dev}" || debug "Failed to unmount ${dev}"
+			fi
+		done
+
 		info "Switching root to '$ROOTFS_DIR'..."
 
 		debug "Moving /dev, /proc and /sys onto rootfs..."
diff --git a/meta/recipes-core/initrdscripts/initramfs-framework/setup-live b/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
index 4c79f41285..7e92f93322 100644
--- a/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
+++ b/meta/recipes-core/initrdscripts/initramfs-framework/setup-live
@@ -1,4 +1,4 @@
-#/bin/sh
+#!/bin/sh
 # Copyright (C) 2011 O.S. Systems Software LTDA.
 # Licensed on MIT
 
diff --git a/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb b/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb
index c53a0c03ae..fe24215b46 100644
--- a/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb
+++ b/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb
@@ -31,7 +31,7 @@ do_install() {
     install -m 0755 ${WORKDIR}/rootfs ${D}/init.d/90-rootfs
     install -m 0755 ${WORKDIR}/finish ${D}/init.d/99-finish
 
-	# exec
+    # exec
     install -m 0755 ${WORKDIR}/exec ${D}/init.d/89-exec
 
     # mdev
diff --git a/meta/recipes-core/initscripts/init-system-helpers_1.60.bb b/meta/recipes-core/initscripts/init-system-helpers_1.60.bb
index 33977e66c1..98f45e1355 100644
--- a/meta/recipes-core/initscripts/init-system-helpers_1.60.bb
+++ b/meta/recipes-core/initscripts/init-system-helpers_1.60.bb
@@ -17,7 +17,7 @@ LICENSE = "BSD-3-Clause & GPLv2"
 LIC_FILES_CHKSUM = "file://debian/copyright;md5=ee2b1830fcfead84d07bc060ec43e072"
 
 SRCREV = "dbd9197569c0935029acd5c9b02b84c68fd937ee"
-SRC_URI = "git://salsa.debian.org/debian/init-system-helpers.git;protocol=https"
+SRC_URI = "git://salsa.debian.org/debian/init-system-helpers.git;protocol=https;branch=master"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta/recipes-core/initscripts/initscripts_1.0.bb b/meta/recipes-core/initscripts/initscripts_1.0.bb
index 5e994f2b7f..65f9c0ae8d 100644
--- a/meta/recipes-core/initscripts/initscripts_1.0.bb
+++ b/meta/recipes-core/initscripts/initscripts_1.0.bb
@@ -106,7 +106,8 @@ do_install () {
 	install -m 0755    ${WORKDIR}/save-rtc.sh	${D}${sysconfdir}/init.d
 	install -m 0644    ${WORKDIR}/volatiles		${D}${sysconfdir}/default/volatiles/00_core
 	if [ ${@ oe.types.boolean('${VOLATILE_LOG_DIR}') } = True ]; then
-		echo "l root root 0755 /var/log /var/volatile/log" >> ${D}${sysconfdir}/default/volatiles/00_core
+		sed -i -e '\@^d root root 0755 /var/volatile/log none$@ a\l root root 0755 /var/log /var/volatile/log' \
+			${D}${sysconfdir}/default/volatiles/00_core
 	fi
 	install -m 0755    ${WORKDIR}/dmesg.sh		${D}${sysconfdir}/init.d
 	install -m 0644    ${WORKDIR}/logrotate-dmesg.conf ${D}${sysconfdir}/
diff --git a/meta/recipes-core/libxcrypt/libxcrypt.inc b/meta/recipes-core/libxcrypt/libxcrypt.inc
index b5ca863d54..8008ba2d38 100644
--- a/meta/recipes-core/libxcrypt/libxcrypt.inc
+++ b/meta/recipes-core/libxcrypt/libxcrypt.inc
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSING;md5=bd5d9777dfe7076c4f2928f12fed226a \
 
 inherit autotools pkgconfig
 
-SRC_URI = "git://github.com/besser82/libxcrypt.git;branch=${SRCBRANCH} \
+SRC_URI = "git://github.com/besser82/libxcrypt.git;branch=${SRCBRANCH};protocol=https \
            file://0001-configure.ac-do-not-use-compute-symver-floor.patch \
            "
 SRCREV = "94d84f92ca123d851586016c4678eb1f21c19029"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
new file mode 100644
index 0000000000..eefecb9adb
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308-fix-regression.patch
@@ -0,0 +1,99 @@
+From 646fe48d1c8a74310c409ddf81fe7df6700052af Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 22 Feb 2022 11:51:08 +0100
+Subject: [PATCH] Fix --without-valid build
+
+Regressed in commit 652dd12a.
+---
+ valid.c | 58 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 29 insertions(+), 29 deletions(-)
+---
+
+From https://github.com/GNOME/libxml2.git
+ commit 646fe48d1c8a74310c409ddf81fe7df6700052af
+
+CVE: CVE-2022-23308
+Upstream-status: Backport
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+diff --git a/valid.c b/valid.c
+index 8e596f1d..9684683a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -479,35 +479,6 @@ nodeVPop(xmlValidCtxtPtr ctxt)
+     return (ret);
+ }
+ 
+-/**
+- * xmlValidNormalizeString:
+- * @str: a string
+- *
+- * Normalize a string in-place.
+- */
+-static void
+-xmlValidNormalizeString(xmlChar *str) {
+-    xmlChar *dst;
+-    const xmlChar *src;
+-
+-    if (str == NULL)
+-        return;
+-    src = str;
+-    dst = str;
+-
+-    while (*src == 0x20) src++;
+-    while (*src != 0) {
+-	if (*src == 0x20) {
+-	    while (*src == 0x20) src++;
+-	    if (*src != 0)
+-		*dst++ = 0x20;
+-	} else {
+-	    *dst++ = *src++;
+-	}
+-    }
+-    *dst = 0;
+-}
+-
+ #ifdef DEBUG_VALID_ALGO
+ static void
+ xmlValidPrintNode(xmlNodePtr cur) {
+@@ -2636,6 +2607,35 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
+ 	    (xmlDictOwns(dict, (const xmlChar *)(str)) == 0)))	\
+ 	    xmlFree((char *)(str));
+ 
++/**
++ * xmlValidNormalizeString:
++ * @str: a string
++ *
++ * Normalize a string in-place.
++ */
++static void
++xmlValidNormalizeString(xmlChar *str) {
++    xmlChar *dst;
++    const xmlChar *src;
++
++    if (str == NULL)
++        return;
++    src = str;
++    dst = str;
++
++    while (*src == 0x20) src++;
++    while (*src != 0) {
++	if (*src == 0x20) {
++	    while (*src == 0x20) src++;
++	    if (*src != 0)
++		*dst++ = 0x20;
++	} else {
++	    *dst++ = *src++;
++	}
++    }
++    *dst = 0;
++}
++
+ static int
+ xmlIsStreaming(xmlValidCtxtPtr ctxt) {
+     xmlParserCtxtPtr pctxt;
+-- 
+2.35.1
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
new file mode 100644
index 0000000000..708a98b45a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-23308.patch
@@ -0,0 +1,209 @@
+From 652dd12a858989b14eed4e84e453059cd3ba340e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 8 Feb 2022 03:29:24 +0100
+Subject: [PATCH] [CVE-2022-23308] Use-after-free of ID and IDREF attributes
+
+If a document is parsed with XML_PARSE_DTDVALID and without
+XML_PARSE_NOENT, the value of ID attributes has to be normalized after
+potentially expanding entities in xmlRemoveID. Otherwise, later calls
+to xmlGetID can return a pointer to previously freed memory.
+
+ID attributes which are empty or contain only whitespace after
+entity expansion are affected in a similar way. This is fixed by
+not storing such attributes in the ID table.
+
+The test to detect streaming mode when validating against a DTD was
+broken. In connection with the defects above, this could result in a
+use-after-free when using the xmlReader interface with validation.
+Fix detection of streaming mode to avoid similar issues. (This changes
+the expected result of a test case. But as far as I can tell, using the
+XML reader with XIncludes referencing the root document never worked
+properly, anyway.)
+
+All of these issues can result in denial of service. Using xmlReader
+with validation could result in disclosure of memory via the error
+channel, typically stderr. The security impact of xmlGetID returning
+a pointer to freed memory depends on the application. The typical use
+case of calling xmlGetID on an unmodified document is not affected.
+---
+ result/XInclude/ns1.xml.rdr |  2 +-
+ valid.c                     | 88 +++++++++++++++++++++++--------------
+ 2 files changed, 56 insertions(+), 34 deletions(-)
+ ---
+ 
+From https://github.com/GNOME/libxml2.git
+ commit 652dd12a858989b14eed4e84e453059cd3ba340e
+
+Remove patch to ns1.xml.rdr which does not exist in version 2.9.10.
+
+CVE: CVE-2022-23308
+Upstream-status: Backport
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+diff --git a/valid.c b/valid.c
+index 5ee391c0..8e596f1d 100644
+--- a/valid.c
++++ b/valid.c
+@@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt)
+     return (ret);
+ }
+ 
++/**
++ * xmlValidNormalizeString:
++ * @str: a string
++ *
++ * Normalize a string in-place.
++ */
++static void
++xmlValidNormalizeString(xmlChar *str) {
++    xmlChar *dst;
++    const xmlChar *src;
++
++    if (str == NULL)
++        return;
++    src = str;
++    dst = str;
++
++    while (*src == 0x20) src++;
++    while (*src != 0) {
++	if (*src == 0x20) {
++	    while (*src == 0x20) src++;
++	    if (*src != 0)
++		*dst++ = 0x20;
++	} else {
++	    *dst++ = *src++;
++	}
++    }
++    *dst = 0;
++}
++
+ #ifdef DEBUG_VALID_ALGO
+ static void
+ xmlValidPrintNode(xmlNodePtr cur) {
+@@ -2607,6 +2636,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) {
+ 	    (xmlDictOwns(dict, (const xmlChar *)(str)) == 0)))	\
+ 	    xmlFree((char *)(str));
+ 
++static int
++xmlIsStreaming(xmlValidCtxtPtr ctxt) {
++    xmlParserCtxtPtr pctxt;
++
++    if (ctxt == NULL)
++        return(0);
++    /*
++     * These magic values are also abused to detect whether we're validating
++     * while parsing a document. In this case, userData points to the parser
++     * context.
++     */
++    if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) &&
++        (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1))
++        return(0);
++    pctxt = ctxt->userData;
++    return(pctxt->parseMode == XML_PARSE_READER);
++}
++
+ /**
+  * xmlFreeID:
+  * @not:  A id
+@@ -2650,7 +2697,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+     if (doc == NULL) {
+ 	return(NULL);
+     }
+-    if (value == NULL) {
++    if ((value == NULL) || (value[0] == 0)) {
+ 	return(NULL);
+     }
+     if (attr == NULL) {
+@@ -2681,7 +2728,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+      */
+     ret->value = xmlStrdup(value);
+     ret->doc = doc;
+-    if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
++    if (xmlIsStreaming(ctxt)) {
+ 	/*
+ 	 * Operating in streaming mode, attr is gonna disappear
+ 	 */
+@@ -2820,6 +2867,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
+     ID = xmlNodeListGetString(doc, attr->children, 1);
+     if (ID == NULL)
+         return(-1);
++    xmlValidNormalizeString(ID);
+ 
+     id = xmlHashLookup(table, ID);
+     if (id == NULL || id->attr != attr) {
+@@ -3009,7 +3057,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+      * fill the structure.
+      */
+     ret->value = xmlStrdup(value);
+-    if ((ctxt != NULL) && (ctxt->vstateNr != 0)) {
++    if (xmlIsStreaming(ctxt)) {
+ 	/*
+ 	 * Operating in streaming mode, attr is gonna disappear
+ 	 */
+@@ -4028,8 +4076,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ 	     xmlNodePtr elem, const xmlChar *name, const xmlChar *value) {
+-    xmlChar *ret, *dst;
+-    const xmlChar *src;
++    xmlChar *ret;
+     xmlAttributePtr attrDecl = NULL;
+     int extsubset = 0;
+ 
+@@ -4070,19 +4117,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+     ret = xmlStrdup(value);
+     if (ret == NULL)
+ 	return(NULL);
+-    src = value;
+-    dst = ret;
+-    while (*src == 0x20) src++;
+-    while (*src != 0) {
+-	if (*src == 0x20) {
+-	    while (*src == 0x20) src++;
+-	    if (*src != 0)
+-		*dst++ = 0x20;
+-	} else {
+-	    *dst++ = *src++;
+-	}
+-    }
+-    *dst = 0;
++    xmlValidNormalizeString(ret);
+     if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) {
+ 	xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE,
+ "standalone: %s on %s value had to be normalized based on external subset declaration\n",
+@@ -4114,8 +4149,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ xmlChar *
+ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+ 			        const xmlChar *name, const xmlChar *value) {
+-    xmlChar *ret, *dst;
+-    const xmlChar *src;
++    xmlChar *ret;
+     xmlAttributePtr attrDecl = NULL;
+ 
+     if (doc == NULL) return(NULL);
+@@ -4145,19 +4179,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+     ret = xmlStrdup(value);
+     if (ret == NULL)
+ 	return(NULL);
+-    src = value;
+-    dst = ret;
+-    while (*src == 0x20) src++;
+-    while (*src != 0) {
+-	if (*src == 0x20) {
+-	    while (*src == 0x20) src++;
+-	    if (*src != 0)
+-		*dst++ = 0x20;
+-	} else {
+-	    *dst++ = *src++;
+-	}
+-    }
+-    *dst = 0;
++    xmlValidNormalizeString(ret);
+     return(ret);
+ }
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index ce4f9a3340..778312f662 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -30,6 +30,8 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://CVE-2021-3518-0002.patch \
            file://CVE-2021-3537.patch \
            file://CVE-2021-3541.patch \
+           file://CVE-2022-23308.patch \
+           file://CVE-2022-23308-fix-regression.patch \
            "
 
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
@@ -47,7 +49,7 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
 
 inherit autotools pkgconfig binconfig-disabled ptest
 
-inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3native', '', d)}
+inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3targetconfig', '', d)}
 
 RDEPENDS_${PN}-ptest += "make ${@bb.utils.contains('PACKAGECONFIG', 'python', 'libgcc python3-core python3-logging python3-shell  python3-stringold python3-threading python3-unittest ${PN}-python', '', d)}"
 
diff --git a/meta/recipes-core/musl/libucontext_git.bb b/meta/recipes-core/musl/libucontext_git.bb
index 11affebb49..87946b7ec3 100644
--- a/meta/recipes-core/musl/libucontext_git.bb
+++ b/meta/recipes-core/musl/libucontext_git.bb
@@ -10,7 +10,7 @@ DEPENDS = ""
 
 PV = "0.10+${SRCPV}"
 SRCREV = "19fa1bbfc26efb92147b5e85cc0ca02a0e837561"
-SRC_URI = "git://github.com/kaniini/libucontext \
+SRC_URI = "git://github.com/kaniini/libucontext;branch=master;protocol=https \
 "
 
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-core/musl/musl-obstack.bb b/meta/recipes-core/musl/musl-obstack.bb
index 3003935fe5..74de48c2cd 100644
--- a/meta/recipes-core/musl/musl-obstack.bb
+++ b/meta/recipes-core/musl/musl-obstack.bb
@@ -10,7 +10,7 @@ SECTION = "libs"
 
 PV = "1.1"
 SRCREV = "d2ad66b0df44a4b784956f7f7f2717131ddc05f4"
-SRC_URI = "git://github.com/pullmoll/musl-obstack"
+SRC_URI = "git://github.com/pullmoll/musl-obstack;branch=master;protocol=https"
 
 UPSTREAM_CHECK_COMMITS = "1"
 
diff --git a/meta/recipes-core/musl/musl-utils.bb b/meta/recipes-core/musl/musl-utils.bb
index dd0ce33061..c30509469c 100644
--- a/meta/recipes-core/musl/musl-utils.bb
+++ b/meta/recipes-core/musl/musl-utils.bb
@@ -11,7 +11,7 @@ SECTION = "utils"
 PV = "20170421"
 
 SRCREV = "fb5630138ccabbbc14a19d372096a04e42573c7d"
-SRC_URI = "git://github.com/boltlinux/musl-utils"
+SRC_URI = "git://github.com/boltlinux/musl-utils;branch=master;protocol=https"
 
 UPSTREAM_CHECK_COMMITS = "1"
 
diff --git a/meta/recipes-core/musl/musl_git.bb b/meta/recipes-core/musl/musl_git.bb
index e6f9e2441e..a241a2fbbd 100644
--- a/meta/recipes-core/musl/musl_git.bb
+++ b/meta/recipes-core/musl/musl_git.bb
@@ -12,7 +12,7 @@ PV = "${BASEVER}+git${SRCPV}"
 
 # mirror is at git://github.com/kraj/musl.git
 
-SRC_URI = "git://git.musl-libc.org/musl \
+SRC_URI = "git://git.musl-libc.org/musl;branch=master \
            file://0001-Make-dynamic-linker-a-relative-symlink-to-libc.patch \
            file://0002-ldso-Use-syslibdir-and-libdir-as-default-pathes-to-l.patch \
           "
diff --git a/meta/recipes-core/ncurses/files/CVE-2021-39537.patch b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch
new file mode 100644
index 0000000000..d63bf57e8d
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2021-39537.patch
@@ -0,0 +1,65 @@
+From e83ecbd26252bac163fc4377ef30edbd4acb0bad Mon Sep 17 00:00:00 2001
+From: Sven Joachim <svenjoac@gmx.de>
+Date: Mon, 1 Jun 2020 08:03:52 +0200
+Subject: [PATCH] Import upstream patch 20200531
+
+20200531
+	+ correct configure version-check/warnng for g++ to allow for 10.x
+	+ re-enable "bel" in konsole-base (report by Nia Huang)
+	+ add linux-s entry (patch by Alexandre Montaron).
+	+ drop long-obsolete convert_configure.pl
+	+ add test/test_parm.c, for checking tparm changes.
+	+ improve parameter-checking for tparm, adding function _nc_tiparm() to
+	  handle the most-used case, which accepts only numeric parameters
+	  (report/testcase by "puppet-meteor").
+	+ use a more conservative estimate of the buffer-size in lib_tparm.c's
+	  save_text() and save_number(), in case the sprintf() function
+	  passes-through unexpected characters from a format specifier
+	  (report/testcase by "puppet-meteor").
+	+ add a check for end-of-string in cvtchar to handle a malformed
+	  string in infotocap (report/testcase by "puppet-meteor").
+
+CVE: CVE-2021-39537
+
+Upstream-Status: Backport [https://github.com/mirror/ncurses/commit/790a85dbd4a81d5f5d8dd02a44d84f01512ef443]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ ncurses/tinfo/captoinfo.c        |   11 +-
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/ncurses/tinfo/captoinfo.c b/ncurses/tinfo/captoinfo.c
+index 8b3b83d1..9362105a 100644
+--- a/ncurses/tinfo/captoinfo.c
++++ b/ncurses/tinfo/captoinfo.c
+@@ -98,7 +98,7 @@
+ #include <ctype.h>
+ #include <tic.h>
+ 
+-MODULE_ID("$Id: captoinfo.c,v 1.98 2020/02/02 23:34:34 tom Exp $")
++MODULE_ID("$Id: captoinfo.c,v 1.99 2020/05/25 21:28:29 tom Exp $")
+ 
+ #if 0
+ #define DEBUG_THIS(p) DEBUG(9, p)
+@@ -216,12 +216,15 @@ cvtchar(register const char *sp)
+ 	}
+ 	break;
+     case '^':
++	len = 2;
+ 	c = UChar(*++sp);
+-	if (c == '?')
++	if (c == '?') {
+ 	    c = 127;
+-	else
++	} else if (c == '\0') {
++	    len = 1;
++	} else {
+ 	    c &= 0x1f;
+-	len = 2;
++	}
+ 	break;
+     default:
+ 	c = UChar(*sp);
+-- 
+2.17.1
+
diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index ef59bc3b0a..9c74d2ec36 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config ${bindir}/ncursesw5-config \
 inherit autotools binconfig-disabled multilib_header pkgconfig
 
 # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
-SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https"
+SRC_URI = "git://salsa.debian.org/debian/ncurses.git;protocol=https;branch=master"
 
 EXTRA_AUTORECONF = "-I m4"
 
diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb
index e7d7396a20..598c51b00b 100644
--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -3,6 +3,7 @@ require ncurses.inc
 SRC_URI += "file://0001-tic-hang.patch \
            file://0002-configure-reproducible.patch \
            file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
+           file://CVE-2021-39537.patch \
            "
 # commit id corresponds to the revision in package version
 SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
diff --git a/meta/recipes-core/netbase/netbase_6.2.bb b/meta/recipes-core/netbase/netbase_6.2.bb
index a54d2e7764..ad7e9becde 100644
--- a/meta/recipes-core/netbase/netbase_6.2.bb
+++ b/meta/recipes-core/netbase/netbase_6.2.bb
@@ -6,11 +6,12 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://debian/copyright;md5=3dd6192d306f582dee7687da3d8748ab"
 PE = "1"
 
-SRC_URI = "${DEBIAN_MIRROR}/main/n/${BPN}/${BPN}_${PV}.tar.xz"
+SRC_URI = "git://salsa.debian.org/md/netbase.git;protocol=https;branch=master"
+SRCREV = "1c892c96a078ef28ec1a94681b3a0da7a3d545f7"
 
 inherit allarch
 
-SRC_URI[sha256sum] = "309a24146a06347d654b261e9e07a82fab844b173674a42e223803dd8258541e"
+S = "${WORKDIR}/git"
 
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netbase/"
 
diff --git a/meta/recipes-core/os-release/os-release.bb b/meta/recipes-core/os-release/os-release.bb
index a29d678125..33f75e39b8 100644
--- a/meta/recipes-core/os-release/os-release.bb
+++ b/meta/recipes-core/os-release/os-release.bb
@@ -12,7 +12,9 @@ do_configure[noexec] = "1"
 
 # Other valid fields: BUILD_ID ID_LIKE ANSI_COLOR CPE_NAME
 #                     HOME_URL SUPPORT_URL BUG_REPORT_URL
-OS_RELEASE_FIELDS = "ID ID_LIKE NAME VERSION VERSION_ID PRETTY_NAME"
+OS_RELEASE_FIELDS = "\
+    ID ID_LIKE NAME VERSION VERSION_ID PRETTY_NAME DISTRO_CODENAME \
+"
 OS_RELEASE_UNQUOTED_FIELDS = "ID VERSION_ID VARIANT_ID"
 
 ID = "${DISTRO}"
diff --git a/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch b/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch
new file mode 100644
index 0000000000..d658123b81
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-Fix-VLA-parameter-warning.patch
@@ -0,0 +1,51 @@
+From 498627ebda6271b59920f43a0b9b6187edeb7b09 Mon Sep 17 00:00:00 2001
+From: Adrian Herrera <adr.her.arc.95@gmail.com>
+Date: Mon, 22 Mar 2021 21:06:47 +0000
+Subject: [PATCH] Fix VLA parameter warning
+
+Make VLA buffer types consistent in declarations and definitions.
+Resolves build crash when using -Werror due to "vla-parameter" warning.
+
+Upstream-Status: Submitted [https://github.com/google/brotli/pull/893]
+Signed-off-by: Adrian Herrera <adr.her.arc.95@gmail.com>
+---
+ c/dec/decode.c | 6 ++++--
+ c/enc/encode.c | 5 +++--
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
+index 114c505..bb6f1ab 100644
+--- a/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
++++ b/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
+@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands(
+ }
+ 
+ BrotliDecoderResult BrotliDecoderDecompress(
+-    size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size,
+-    uint8_t* decoded_buffer) {
++    size_t encoded_size,
++    const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
++    size_t* decoded_size,
++    uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) {
+   BrotliDecoderState s;
+   BrotliDecoderResult result;
+   size_t total_out = 0;
+diff --git a/c/enc/encode.c b/c/enc/encode.c
+index 68548ef..ab0a490 100644
+--- a/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
++++ c/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
+@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream(
+ 
+ BROTLI_BOOL BrotliEncoderCompress(
+     int quality, int lgwin, BrotliEncoderMode mode, size_t input_size,
+-    const uint8_t* input_buffer, size_t* encoded_size,
+-    uint8_t* encoded_buffer) {
++    const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)],
++    size_t* encoded_size,
++    uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) {
+   BrotliEncoderState* s;
+   size_t out_size = *encoded_size;
+   const uint8_t* input_start = input_buffer;
+-- 
+2.31.1
+
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 896b3b6320..9a1bfbd69c 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -17,6 +17,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
            file://0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch \
            file://0004-ovmf-Update-to-latest.patch \
            file://zero.patch \
+           file://0001-Fix-VLA-parameter-warning.patch \
            "
 
 PV = "edk2-stable202102"
diff --git a/meta/recipes-core/psplash/psplash_git.bb b/meta/recipes-core/psplash/psplash_git.bb
index 59e1e3f194..e1236475fc 100644
--- a/meta/recipes-core/psplash/psplash_git.bb
+++ b/meta/recipes-core/psplash/psplash_git.bb
@@ -10,7 +10,7 @@ SRCREV = "0a902f7cd875ccf018456451be369f05fa55f962"
 PV = "0.1+git${SRCPV}"
 PR = "r15"
 
-SRC_URI = "git://git.yoctoproject.org/${BPN} \
+SRC_URI = "git://git.yoctoproject.org/${BPN};branch=master \
            file://psplash-init \
            file://psplash-start.service \
            file://psplash-systemd.service \
diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc
index 7d3b3064ba..b11ab112af 100644
--- a/meta/recipes-core/systemd/systemd.inc
+++ b/meta/recipes-core/systemd/systemd.inc
@@ -16,6 +16,6 @@ LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
 
 SRCREV = "17472dca0160cbe7b807ca648475fd70d0d62fe5"
 SRCBRANCH = "v247-stable"
-SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}"
+SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=https;branch=${SRCBRANCH}"
 
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch b/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
new file mode 100644
index 0000000000..0ab8174441
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
@@ -0,0 +1,72 @@
+From b00674347337b7531c92fdb65590ab253bb57538 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9)
+(cherry picked from commit 764b74113e36ac5219a4b82a05f311b5a92136ce)
+(cherry picked from commit 4a1c5f34bd3e1daed4490e9d97918e504d19733b)
+
+CVE: CVE-2021-33910
+Upstream-Status: Backport [b00674347337b7531c92fdb65590ab253bb57538]
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
+index 5f595af944..9b6cacde87 100644
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -378,12 +378,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+ 
+ int unit_name_path_escape(const char *f, char **ret) {
+-        char *p, *s;
++        _cleanup_free_ char *p = NULL;
++        char *s;
+ 
+         assert(f);
+         assert(ret);
+ 
+-        p = strdupa(f);
++        p = strdup(f);
+         if (!p)
+                 return -ENOMEM;
+ 
+@@ -395,13 +396,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+                 if (!path_is_normalized(p))
+                         return -EINVAL;
+ 
+-                /* Truncate trailing slashes */
++                /* Truncate trailing slashes and skip leading slashes */
+                 delete_trailing_chars(p, "/");
+-
+-                /* Truncate leading slashes */
+-                p = skip_leading_chars(p, "/");
+-
+-                s = unit_name_escape(p);
++                s = unit_name_escape(skip_leading_chars(p, "/"));
+         }
+         if (!s)
+                 return -ENOMEM;
+-- 
+2.33.0
+
diff --git a/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch b/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch
new file mode 100644
index 0000000000..ff877d9175
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch
@@ -0,0 +1,172 @@
+From ac6c7f2d2389c5c0ae90554a58f1c75f60cc8e5a Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 00:48:23 +0900
+Subject: [PATCH] sd-dhcp-client: check error earlier and reduce indentation
+
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/libsystemd-network/sd-dhcp-client.c | 128 ++++++++++++------------
+ 1 file changed, 64 insertions(+), 64 deletions(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index d472fcd941..86bc3c6181 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1770,21 +1770,21 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+         case DHCP_STATE_SELECTING:
+ 
+                 r = client_handle_offer(client, message, len);
+-                if (r >= 0) {
++                if (r == -ENOMSG)
++                        return 0; /* invalid message, let's ignore it */
++                if (r < 0)
++                        goto error;
+ 
+-                        client->state = DHCP_STATE_REQUESTING;
+-                        client->attempt = 0;
++                client->state = DHCP_STATE_REQUESTING;
++                client->attempt = 0;
+ 
+-                        r = event_reset_time(client->event, &client->timeout_resend,
+-                                             clock_boottime_or_monotonic(),
+-                                             0, 0,
+-                                             client_timeout_resend, client,
+-                                             client->event_priority, "dhcp4-resend-timer", true);
+-                        if (r < 0)
+-                                goto error;
+-                } else if (r == -ENOMSG)
+-                        /* invalid message, let's ignore it */
+-                        return 0;
++                r = event_reset_time(client->event, &client->timeout_resend,
++                                     clock_boottime_or_monotonic(),
++                                     0, 0,
++                                     client_timeout_resend, client,
++                                     client->event_priority, "dhcp4-resend-timer", true);
++                if (r < 0)
++                        goto error;
+ 
+                 break;
+ 
+@@ -1794,47 +1794,9 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+         case DHCP_STATE_REBINDING:
+ 
+                 r = client_handle_ack(client, message, len);
+-                if (r >= 0) {
+-                        client->start_delay = 0;
+-                        (void) event_source_disable(client->timeout_resend);
+-                        client->receive_message =
+-                                sd_event_source_unref(client->receive_message);
+-                        client->fd = safe_close(client->fd);
+-
+-                        if (IN_SET(client->state, DHCP_STATE_REQUESTING,
+-                                   DHCP_STATE_REBOOTING))
+-                                notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
+-                        else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
+-                                notify_event = r;
+-
+-                        client->state = DHCP_STATE_BOUND;
+-                        client->attempt = 0;
+-
+-                        client->last_addr = client->lease->address;
+-
+-                        r = client_set_lease_timeouts(client);
+-                        if (r < 0) {
+-                                log_dhcp_client(client, "could not set lease timeouts");
+-                                goto error;
+-                        }
+-
+-                        r = dhcp_network_bind_udp_socket(client->ifindex, client->lease->address, client->port, client->ip_service_type);
+-                        if (r < 0) {
+-                                log_dhcp_client(client, "could not bind UDP socket");
+-                                goto error;
+-                        }
+-
+-                        client->fd = r;
+-
+-                        client_initialize_io_events(client, client_receive_message_udp);
+-
+-                        if (notify_event) {
+-                                client_notify(client, notify_event);
+-                                if (client->state == DHCP_STATE_STOPPED)
+-                                        return 0;
+-                        }
+-
+-                } else if (r == -EADDRNOTAVAIL) {
++                if (r == -ENOMSG)
++                        return 0; /* invalid message, let's ignore it */
++                if (r == -EADDRNOTAVAIL) {
+                         /* got a NAK, let's restart the client */
+                         client_notify(client, SD_DHCP_CLIENT_EVENT_EXPIRED);
+ 
+@@ -1853,21 +1815,59 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+                                                     RESTART_AFTER_NAK_MIN_USEC, RESTART_AFTER_NAK_MAX_USEC);
+ 
+                         return 0;
+-                } else if (r == -ENOMSG)
+-                        /* invalid message, let's ignore it */
+-                        return 0;
++                }
++                if (r < 0)
++                        goto error;
++
++                client->start_delay = 0;
++                (void) event_source_disable(client->timeout_resend);
++                client->receive_message = sd_event_source_unref(client->receive_message);
++                client->fd = safe_close(client->fd);
++
++                if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
++                        notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
++                else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
++                        notify_event = r;
++
++                client->state = DHCP_STATE_BOUND;
++                client->attempt = 0;
++
++                client->last_addr = client->lease->address;
++
++                r = client_set_lease_timeouts(client);
++                if (r < 0) {
++                        log_dhcp_client(client, "could not set lease timeouts");
++                        goto error;
++                }
++
++                r = dhcp_network_bind_udp_socket(client->ifindex, client->lease->address, client->port, client->ip_service_type);
++                if (r < 0) {
++                        log_dhcp_client(client, "could not bind UDP socket");
++                        goto error;
++                }
++
++                client->fd = r;
++
++                client_initialize_io_events(client, client_receive_message_udp);
++
++                if (notify_event) {
++                        client_notify(client, notify_event);
++                        if (client->state == DHCP_STATE_STOPPED)
++                                return 0;
++                }
+ 
+                 break;
+ 
+         case DHCP_STATE_BOUND:
+                 r = client_handle_forcerenew(client, message, len);
+-                if (r >= 0) {
+-                        r = client_timeout_t1(NULL, 0, client);
+-                        if (r < 0)
+-                                goto error;
+-                } else if (r == -ENOMSG)
+-                        /* invalid message, let's ignore it */
+-                        return 0;
++                if (r == -ENOMSG)
++                        return 0; /* invalid message, let's ignore it */
++                if (r < 0)
++                        goto error;
++
++                r = client_timeout_t1(NULL, 0, client);
++                if (r < 0)
++                        goto error;
+ 
+                 break;
+ 
diff --git a/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch b/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch
new file mode 100644
index 0000000000..41d0c7b1e4
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0002-sd-dhcp-client-shorten-code-a-bit.patch
@@ -0,0 +1,66 @@
+From 875f3773e383d99e7d43020f02acad7681a05914 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 00:51:52 +0900
+Subject: [PATCH] sd-dhcp-client: shorten code a bit
+
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/libsystemd-network/sd-dhcp-client.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index 86bc3c6181..ef3a7d2c6b 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1760,7 +1760,7 @@ static int client_set_lease_timeouts(sd_dhcp_client *client) {
+ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, int len) {
+         DHCP_CLIENT_DONT_DESTROY(client);
+         char time_string[FORMAT_TIMESPAN_MAX];
+-        int r = 0, notify_event = 0;
++        int r, notify_event = 0;
+ 
+         assert(client);
+         assert(client->event);
+@@ -1783,9 +1783,6 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+                                      0, 0,
+                                      client_timeout_resend, client,
+                                      client->event_priority, "dhcp4-resend-timer", true);
+-                if (r < 0)
+-                        goto error;
+-
+                 break;
+ 
+         case DHCP_STATE_REBOOTING:
+@@ -1813,7 +1810,6 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+ 
+                         client->start_delay = CLAMP(client->start_delay * 2,
+                                                     RESTART_AFTER_NAK_MIN_USEC, RESTART_AFTER_NAK_MAX_USEC);
+-
+                         return 0;
+                 }
+                 if (r < 0)
+@@ -1866,19 +1862,18 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+                         goto error;
+ 
+                 r = client_timeout_t1(NULL, 0, client);
+-                if (r < 0)
+-                        goto error;
+-
+                 break;
+ 
+         case DHCP_STATE_INIT:
+         case DHCP_STATE_INIT_REBOOT:
+-
++                r = 0;
+                 break;
+ 
+         case DHCP_STATE_STOPPED:
+                 r = -EINVAL;
+                 goto error;
++        default:
++                assert_not_reached("invalid state");
+         }
+ 
+ error:
diff --git a/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch b/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch
new file mode 100644
index 0000000000..07c7da8c21
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch
@@ -0,0 +1,69 @@
+From 0ad3b0fffe622bffbe9f380c3e4cb99b0961bef5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:14:12 +0900
+Subject: [PATCH] sd-dhcp-client: logs when dhcp client unexpectedly gains a
+ new lease
+
+Previously, such situation is handled silently.
+
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/libsystemd-network/sd-dhcp-client.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index ef3a7d2c6b..04a75c6966 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1760,7 +1760,7 @@ static int client_set_lease_timeouts(sd_dhcp_client *client) {
+ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, int len) {
+         DHCP_CLIENT_DONT_DESTROY(client);
+         char time_string[FORMAT_TIMESPAN_MAX];
+-        int r, notify_event = 0;
++        int r, notify_event;
+ 
+         assert(client);
+         assert(client->event);
+@@ -1815,16 +1815,16 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+                 if (r < 0)
+                         goto error;
+ 
++                if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
++                        notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
++                else
++                        notify_event = r;
++
+                 client->start_delay = 0;
+                 (void) event_source_disable(client->timeout_resend);
+                 client->receive_message = sd_event_source_unref(client->receive_message);
+                 client->fd = safe_close(client->fd);
+ 
+-                if (IN_SET(client->state, DHCP_STATE_REQUESTING, DHCP_STATE_REBOOTING))
+-                        notify_event = SD_DHCP_CLIENT_EVENT_IP_ACQUIRE;
+-                else if (r != SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
+-                        notify_event = r;
+-
+                 client->state = DHCP_STATE_BOUND;
+                 client->attempt = 0;
+ 
+@@ -1846,12 +1846,13 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+ 
+                 client_initialize_io_events(client, client_receive_message_udp);
+ 
+-                if (notify_event) {
++                if (IN_SET(client->state, DHCP_STATE_RENEWING, DHCP_STATE_REBINDING) &&
++                    notify_event == SD_DHCP_CLIENT_EVENT_IP_ACQUIRE)
++                        /* FIXME: hmm, maybe this is a bug... */
++                        log_dhcp_client(client, "client_handle_ack() returned SD_DHCP_CLIENT_EVENT_IP_ACQUIRE while DHCP client is %s the address, skipping callback.",
++                                        client->state == DHCP_STATE_RENEWING ? "renewing" : "rebinding");
++                else
+                         client_notify(client, notify_event);
+-                        if (client->state == DHCP_STATE_STOPPED)
+-                                return 0;
+-                }
+-
+                 break;
+ 
+         case DHCP_STATE_BOUND:
diff --git a/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch b/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch
new file mode 100644
index 0000000000..c65fb45ab9
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch
@@ -0,0 +1,42 @@
+From ae18277a6cfd04af8a914780f04a867254ab2341 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+
+Fixes #16774.
+
+Upstream-Status: Backport
+CVE: CVE-2020-13529
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
+index 04a75c6966..54eb3a2ab0 100644
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1536,9 +1536,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
+         if (r != DHCP_FORCERENEW)
+                 return -ENOMSG;
+ 
++#if 0
+         log_dhcp_client(client, "FORCERENEW");
+ 
+         return 0;
++#else
++        /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
++         * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
++         * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
++        log_dhcp_client(client, "Received FORCERENEW, ignoring.");
++        return -ENOMSG;
++#endif
+ }
+ 
+ static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {
diff --git a/meta/recipes-core/systemd/systemd_247.6.bb b/meta/recipes-core/systemd/systemd_247.6.bb
index 32afa159ec..e79c79a7fd 100644
--- a/meta/recipes-core/systemd/systemd_247.6.bb
+++ b/meta/recipes-core/systemd/systemd_247.6.bb
@@ -27,6 +27,11 @@ SRC_URI += "file://touchscreen.rules \
            file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \
            file://0027-proc-dont-trigger-mount-error-with-invalid-options-o.patch \
            file://0001-analyze-resolve-executable-path-if-it-is-relative.patch \
+           file://0001-sd-dhcp-client-check-error-earlier-and-reduce-indent.patch \
+           file://0002-sd-dhcp-client-shorten-code-a-bit.patch \
+           file://0003-sd-dhcp-client-logs-when-dhcp-client-unexpectedly-ga.patch \
+           file://0004-sd-dhcp-client-tentatively-ignore-FORCERENEW-command.patch \
+           file://0001-basic-unit-name-do-not-use-strdupa-on-a-path.patch \
            "
 
 # patches needed by musl
diff --git a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
index 75632d9434..daee5c224b 100644
--- a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
+++ b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
@@ -6,8 +6,8 @@ SECTION = "base"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://update-rc.d;beginline=5;endline=15;md5=d40a07c27f535425934bb5001f2037d9"
 
-SRC_URI = "git://git.yoctoproject.org/update-rc.d"
-SRCREV = "4b150b25b38de688d25cde2b2d22c268ed65a748"
+SRC_URI = "git://git.yoctoproject.org/update-rc.d;branch=master"
+SRCREV = "8636cf478d426b568c1be11dbd9346f67e03adac"
 
 UPSTREAM_CHECK_COMMITS = "1"
 
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index 6b47f417aa..b21d6d46d2 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -36,5 +36,6 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
            file://display_testname_for_subtest.patch \
            file://avoid_parallel_tests.patch \
            file://Automake-use-EXTRA_LTLIBRARIES-instead-of-noinst_LTL.patch \
+           file://CVE-2021-37600.patch \
            "
 SRC_URI[sha256sum] = "f7516ba9d8689343594356f0e5e1a5f0da34adfbc89023437735872bb5024c5f"
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch b/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
new file mode 100644
index 0000000000..11934eee8d
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
@@ -0,0 +1,38 @@
+From 1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 27 Jul 2021 11:58:31 +0200
+Subject: [PATCH] sys-utils/ipcutils: be careful when call calloc() for uint64
+ nmembs
+
+Fix: https://github.com/karelzak/util-linux/issues/1395
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2021-37600
+
+after version 2.37.1
+https://github.com/karelzak/util-linux.git 1c9143d0c1d...
+unmodified
+
+Upstream-Status: Backport
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ sys-utils/ipcutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/ipcutils.c b/sys-utils/ipcutils.c
+index e784c4d..18868cf 100644
+--- a/sys-utils/ipcutils.c
++++ b/sys-utils/ipcutils.c
+@@ -218,7 +218,7 @@ static void get_sem_elements(struct sem_data *p)
+ {
+ 	size_t i;
+ 
+-	if (!p || !p->sem_nsems || p->sem_perm.id < 0)
++	if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX || p->sem_perm.id < 0)
+ 		return;
+ 
+ 	p->elements = xcalloc(p->sem_nsems, sizeof(struct sem_elem));
+-- 
+2.7.4
+
diff --git a/meta/recipes-core/util-linux/util-linux_2.36.2.bb b/meta/recipes-core/util-linux/util-linux_2.36.2.bb
index c79cf782d1..82cc8a3dbf 100644
--- a/meta/recipes-core/util-linux/util-linux_2.36.2.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.36.2.bb
@@ -73,7 +73,7 @@ EXTRA_OECONF = "\
     \
     --disable-bfs --disable-chfn-chsh --disable-login \
     --disable-makeinstall-chown --disable-minix --disable-newgrp \
-    --disable-use-tty-group --disable-vipw \
+    --disable-use-tty-group --disable-vipw --disable-raw \
     \
     --without-udev \
     \
diff --git a/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch b/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
new file mode 100644
index 0000000000..5cb6183641
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2018-25032.patch
@@ -0,0 +1,347 @@
+CVE: CVE-2018-25032
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 5c44459c3b28a9bd3283aaceab7c615f8020c531 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Tue, 17 Apr 2018 22:09:22 -0700
+Subject: [PATCH] Fix a bug that can crash deflate on some input when using
+ Z_FIXED.
+
+This bug was reported by Danilo Ramos of Eideticom, Inc. It has
+lain in wait 13 years before being found! The bug was introduced
+in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
+option forces the use of fixed Huffman codes. For rare inputs with
+a large number of distant matches, the pending buffer into which
+the compressed data is written can overwrite the distance symbol
+table which it overlays. That results in corrupted output due to
+invalid distances, and can result in out-of-bound accesses,
+crashing the application.
+
+The fix here combines the distance buffer and literal/length
+buffers into a single symbol buffer. Now three bytes of pending
+buffer space are opened up for each literal or length/distance
+pair consumed, instead of the previous two bytes. This assures
+that the pending buffer cannot overwrite the symbol table, since
+the maximum fixed code compressed length/distance is 31 bits, and
+since there are four bytes of pending space for every three bytes
+of symbol space.
+---
+ deflate.c | 74 ++++++++++++++++++++++++++++++++++++++++---------------
+ deflate.h | 25 +++++++++----------
+ trees.c   | 50 +++++++++++--------------------------
+ 3 files changed, 79 insertions(+), 70 deletions(-)
+
+diff --git a/deflate.c b/deflate.c
+index 425babc00..19cba873a 100644
+--- a/deflate.c
++++ b/deflate.c
+@@ -255,11 +255,6 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+     int wrap = 1;
+     static const char my_version[] = ZLIB_VERSION;
+ 
+-    ushf *overlay;
+-    /* We overlay pending_buf and d_buf+l_buf. This works since the average
+-     * output size for (length,distance) codes is <= 24 bits.
+-     */
+-
+     if (version == Z_NULL || version[0] != my_version[0] ||
+         stream_size != sizeof(z_stream)) {
+         return Z_VERSION_ERROR;
+@@ -329,9 +324,47 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+ 
+     s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
+ 
+-    overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
+-    s->pending_buf = (uchf *) overlay;
+-    s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
++    /* We overlay pending_buf and sym_buf. This works since the average size
++     * for length/distance pairs over any compressed block is assured to be 31
++     * bits or less.
++     *
++     * Analysis: The longest fixed codes are a length code of 8 bits plus 5
++     * extra bits, for lengths 131 to 257. The longest fixed distance codes are
++     * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest
++     * possible fixed-codes length/distance pair is then 31 bits total.
++     *
++     * sym_buf starts one-fourth of the way into pending_buf. So there are
++     * three bytes in sym_buf for every four bytes in pending_buf. Each symbol
++     * in sym_buf is three bytes -- two for the distance and one for the
++     * literal/length. As each symbol is consumed, the pointer to the next
++     * sym_buf value to read moves forward three bytes. From that symbol, up to
++     * 31 bits are written to pending_buf. The closest the written pending_buf
++     * bits gets to the next sym_buf symbol to read is just before the last
++     * code is written. At that time, 31*(n-2) bits have been written, just
++     * after 24*(n-2) bits have been consumed from sym_buf. sym_buf starts at
++     * 8*n bits into pending_buf. (Note that the symbol buffer fills when n-1
++     * symbols are written.) The closest the writing gets to what is unread is
++     * then n+14 bits. Here n is lit_bufsize, which is 16384 by default, and
++     * can range from 128 to 32768.
++     *
++     * Therefore, at a minimum, there are 142 bits of space between what is
++     * written and what is read in the overlain buffers, so the symbols cannot
++     * be overwritten by the compressed data. That space is actually 139 bits,
++     * due to the three-bit fixed-code block header.
++     *
++     * That covers the case where either Z_FIXED is specified, forcing fixed
++     * codes, or when the use of fixed codes is chosen, because that choice
++     * results in a smaller compressed block than dynamic codes. That latter
++     * condition then assures that the above analysis also covers all dynamic
++     * blocks. A dynamic-code block will only be chosen to be emitted if it has
++     * fewer bits than a fixed-code block would for the same set of symbols.
++     * Therefore its average symbol length is assured to be less than 31. So
++     * the compressed data for a dynamic block also cannot overwrite the
++     * symbols from which it is being constructed.
++     */
++
++    s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4);
++    s->pending_buf_size = (ulg)s->lit_bufsize * 4;
+ 
+     if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||
+         s->pending_buf == Z_NULL) {
+@@ -340,8 +373,12 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+         deflateEnd (strm);
+         return Z_MEM_ERROR;
+     }
+-    s->d_buf = overlay + s->lit_bufsize/sizeof(ush);
+-    s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize;
++    s->sym_buf = s->pending_buf + s->lit_bufsize;
++    s->sym_end = (s->lit_bufsize - 1) * 3;
++    /* We avoid equality with lit_bufsize*3 because of wraparound at 64K
++     * on 16 bit machines and because stored blocks are restricted to
++     * 64K-1 bytes.
++     */
+ 
+     s->level = level;
+     s->strategy = strategy;
+@@ -552,7 +589,7 @@ int ZEXPORT deflatePrime (strm, bits, value)
+ 
+     if (deflateStateCheck(strm)) return Z_STREAM_ERROR;
+     s = strm->state;
+-    if ((Bytef *)(s->d_buf) < s->pending_out + ((Buf_size + 7) >> 3))
++    if (s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))
+         return Z_BUF_ERROR;
+     do {
+         put = Buf_size - s->bi_valid;
+@@ -1113,7 +1150,6 @@ int ZEXPORT deflateCopy (dest, source)
+ #else
+     deflate_state *ds;
+     deflate_state *ss;
+-    ushf *overlay;
+ 
+ 
+     if (deflateStateCheck(source) || dest == Z_NULL) {
+@@ -1133,8 +1169,7 @@ int ZEXPORT deflateCopy (dest, source)
+     ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));
+     ds->prev   = (Posf *)  ZALLOC(dest, ds->w_size, sizeof(Pos));
+     ds->head   = (Posf *)  ZALLOC(dest, ds->hash_size, sizeof(Pos));
+-    overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2);
+-    ds->pending_buf = (uchf *) overlay;
++    ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4);
+ 
+     if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||
+         ds->pending_buf == Z_NULL) {
+@@ -1148,8 +1183,7 @@ int ZEXPORT deflateCopy (dest, source)
+     zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);
+ 
+     ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);
+-    ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush);
+-    ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize;
++    ds->sym_buf = ds->pending_buf + ds->lit_bufsize;
+ 
+     ds->l_desc.dyn_tree = ds->dyn_ltree;
+     ds->d_desc.dyn_tree = ds->dyn_dtree;
+@@ -1925,7 +1959,7 @@ local block_state deflate_fast(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2056,7 +2090,7 @@ local block_state deflate_slow(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2131,7 +2165,7 @@ local block_state deflate_rle(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+@@ -2170,7 +2204,7 @@ local block_state deflate_huff(s, flush)
+         FLUSH_BLOCK(s, 1);
+         return finish_done;
+     }
+-    if (s->last_lit)
++    if (s->sym_next)
+         FLUSH_BLOCK(s, 0);
+     return block_done;
+ }
+diff --git a/deflate.h b/deflate.h
+index 23ecdd312..d4cf1a98b 100644
+--- a/deflate.h
++++ b/deflate.h
+@@ -217,7 +217,7 @@ typedef struct internal_state {
+     /* Depth of each subtree used as tie breaker for trees of equal frequency
+      */
+ 
+-    uchf *l_buf;          /* buffer for literals or lengths */
++    uchf *sym_buf;        /* buffer for distances and literals/lengths */
+ 
+     uInt  lit_bufsize;
+     /* Size of match buffer for literals/lengths.  There are 4 reasons for
+@@ -239,13 +239,8 @@ typedef struct internal_state {
+      *   - I can't count above 4
+      */
+ 
+-    uInt last_lit;      /* running index in l_buf */
+-
+-    ushf *d_buf;
+-    /* Buffer for distances. To simplify the code, d_buf and l_buf have
+-     * the same number of elements. To use different lengths, an extra flag
+-     * array would be necessary.
+-     */
++    uInt sym_next;      /* running index in sym_buf */
++    uInt sym_end;       /* symbol table full when sym_next reaches this */
+ 
+     ulg opt_len;        /* bit length of current block with optimal trees */
+     ulg static_len;     /* bit length of current block with static trees */
+@@ -325,20 +320,22 @@ void ZLIB_INTERNAL _tr_stored_block OF((deflate_state *s, charf *buf,
+ 
+ # define _tr_tally_lit(s, c, flush) \
+   { uch cc = (c); \
+-    s->d_buf[s->last_lit] = 0; \
+-    s->l_buf[s->last_lit++] = cc; \
++    s->sym_buf[s->sym_next++] = 0; \
++    s->sym_buf[s->sym_next++] = 0; \
++    s->sym_buf[s->sym_next++] = cc; \
+     s->dyn_ltree[cc].Freq++; \
+-    flush = (s->last_lit == s->lit_bufsize-1); \
++    flush = (s->sym_next == s->sym_end); \
+    }
+ # define _tr_tally_dist(s, distance, length, flush) \
+   { uch len = (uch)(length); \
+     ush dist = (ush)(distance); \
+-    s->d_buf[s->last_lit] = dist; \
+-    s->l_buf[s->last_lit++] = len; \
++    s->sym_buf[s->sym_next++] = dist; \
++    s->sym_buf[s->sym_next++] = dist >> 8; \
++    s->sym_buf[s->sym_next++] = len; \
+     dist--; \
+     s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
+     s->dyn_dtree[d_code(dist)].Freq++; \
+-    flush = (s->last_lit == s->lit_bufsize-1); \
++    flush = (s->sym_next == s->sym_end); \
+   }
+ #else
+ # define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
+diff --git a/trees.c b/trees.c
+index 4f4a65011..decaeb7c3 100644
+--- a/trees.c
++++ b/trees.c
+@@ -416,7 +416,7 @@ local void init_block(s)
+ 
+     s->dyn_ltree[END_BLOCK].Freq = 1;
+     s->opt_len = s->static_len = 0L;
+-    s->last_lit = s->matches = 0;
++    s->sym_next = s->matches = 0;
+ }
+ 
+ #define SMALLEST 1
+@@ -948,7 +948,7 @@ void ZLIB_INTERNAL _tr_flush_block(s, buf, stored_len, last)
+ 
+         Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ",
+                 opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,
+-                s->last_lit));
++                s->sym_next / 3));
+ 
+         if (static_lenb <= opt_lenb) opt_lenb = static_lenb;
+ 
+@@ -1017,8 +1017,9 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+     unsigned dist;  /* distance of matched string */
+     unsigned lc;    /* match length-MIN_MATCH or unmatched char (if dist==0) */
+ {
+-    s->d_buf[s->last_lit] = (ush)dist;
+-    s->l_buf[s->last_lit++] = (uch)lc;
++    s->sym_buf[s->sym_next++] = dist;
++    s->sym_buf[s->sym_next++] = dist >> 8;
++    s->sym_buf[s->sym_next++] = lc;
+     if (dist == 0) {
+         /* lc is the unmatched char */
+         s->dyn_ltree[lc].Freq++;
+@@ -1033,30 +1034,7 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
+         s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
+         s->dyn_dtree[d_code(dist)].Freq++;
+     }
+-
+-#ifdef TRUNCATE_BLOCK
+-    /* Try to guess if it is profitable to stop the current block here */
+-    if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
+-        /* Compute an upper bound for the compressed length */
+-        ulg out_length = (ulg)s->last_lit*8L;
+-        ulg in_length = (ulg)((long)s->strstart - s->block_start);
+-        int dcode;
+-        for (dcode = 0; dcode < D_CODES; dcode++) {
+-            out_length += (ulg)s->dyn_dtree[dcode].Freq *
+-                (5L+extra_dbits[dcode]);
+-        }
+-        out_length >>= 3;
+-        Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ",
+-               s->last_lit, in_length, out_length,
+-               100L - out_length*100L/in_length));
+-        if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
+-    }
+-#endif
+-    return (s->last_lit == s->lit_bufsize-1);
+-    /* We avoid equality with lit_bufsize because of wraparound at 64K
+-     * on 16 bit machines and because stored blocks are restricted to
+-     * 64K-1 bytes.
+-     */
++    return (s->sym_next == s->sym_end);
+ }
+ 
+ /* ===========================================================================
+@@ -1069,13 +1047,14 @@ local void compress_block(s, ltree, dtree)
+ {
+     unsigned dist;      /* distance of matched string */
+     int lc;             /* match length or unmatched char (if dist == 0) */
+-    unsigned lx = 0;    /* running index in l_buf */
++    unsigned sx = 0;    /* running index in sym_buf */
+     unsigned code;      /* the code to send */
+     int extra;          /* number of extra bits to send */
+ 
+-    if (s->last_lit != 0) do {
+-        dist = s->d_buf[lx];
+-        lc = s->l_buf[lx++];
++    if (s->sym_next != 0) do {
++        dist = s->sym_buf[sx++] & 0xff;
++        dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8;
++        lc = s->sym_buf[sx++];
+         if (dist == 0) {
+             send_code(s, lc, ltree); /* send a literal byte */
+             Tracecv(isgraph(lc), (stderr," '%c' ", lc));
+@@ -1100,11 +1079,10 @@ local void compress_block(s, ltree, dtree)
+             }
+         } /* literal or match pair ? */
+ 
+-        /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
+-        Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx,
+-               "pendingBuf overflow");
++        /* Check that the overlay between pending_buf and sym_buf is ok: */
++        Assert(s->pending < s->lit_bufsize + sx, "pendingBuf overflow");
+ 
+-    } while (lx < s->last_lit);
++    } while (sx < s->sym_next);
+ 
+     send_code(s, END_BLOCK, ltree);
+ }
diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb b/meta/recipes-core/zlib/zlib_1.2.11.bb
index ef9431ae47..bc42cd64e9 100644
--- a/meta/recipes-core/zlib/zlib_1.2.11.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
            file://ldflags-tests.patch \
+           file://CVE-2018-25032.patch \
            file://run-ptest \
            "
 UPSTREAM_CHECK_URI = "http://zlib.net/"
diff --git a/meta/recipes-devtools/binutils/binutils-2.36.inc b/meta/recipes-devtools/binutils/binutils-2.36.inc
index 9d770db5a8..fa28358c2d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.36.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.36.inc
@@ -24,7 +24,7 @@ BRANCH ?= "binutils-2_36-branch"
 
 UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
 
-SRCREV ?= "7651a4871c225925ffdfda0a8c91a6ed370cd9a1"
+SRCREV ?= "a281816c8aeb12619d34eec8959a43dfa5c6b4ec"
 BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${BRANCH};protocol=git"
 SRC_URI = "\
      ${BINUTILS_GIT_URI} \
@@ -41,8 +41,9 @@ SRC_URI = "\
      file://0014-Fix-rpath-in-libtool-when-sysroot-is-enabled.patch \
      file://0015-sync-with-OE-libtool-changes.patch \
      file://0016-Check-for-clang-before-checking-gcc-version.patch \
-     file://0001-CVE-2021-20197.patch \
-     file://0002-CVE-2021-20197.patch \
-     file://0003-CVE-2021-20197.patch \
+     file://0017-CVE-2021-3530.patch \
+     file://0018-CVE-2021-3530.patch \
+     file://0001-CVE-2021-42574.patch \
+     file://0001-CVE-2021-45078.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-20197.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-20197.patch
deleted file mode 100644
index 2b4eaba26d..0000000000
--- a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-20197.patch
+++ /dev/null
@@ -1,201 +0,0 @@
-From 8e03235147a9e774d3ba084e93c2da1aa94d1cec Mon Sep 17 00:00:00 2001
-From: Siddhesh Poyarekar <siddhesh@gotplt.org>
-Date: Mon, 22 Feb 2021 20:45:50 +0530
-Subject: [PATCH] binutils: Avoid renaming over existing files
-
-Renaming over existing files needs additional care to restore
-permissions and ownership, which may not always succeed.
-Additionally, other properties of the file such as extended attributes
-may be lost, making the operation flaky.
-
-For predictable results, resort to rename() only if the file does not
-exist, otherwise copy the file contents into the existing file.  This
-ensures that no additional tricks are needed to retain file
-properties.
-
-This also allows dropping of the redundant set_times on the tmpfile in
-objcopy/strip since now we no longer rename over existing files.
-
-binutils/
-
-	* ar.c (write_archive): Adjust call to SMART_RENAME.
-	* arsup.c (ar_save): Likewise.
-	* objcopy (strip_main): Don't set times on temporary file and
-	adjust call to SMART_RENAME.
-	(copy_main): Likewise.
-	* rename.c [!S_ISLNK]: Remove definitions.
-	(try_preserve_permissions): Remove function.
-	(smart_rename): Replace PRESERVE_DATES argument with
-	TARGET_STAT.  Use rename system call only if TO does not exist.
-	* bucomm.h (smart_rename): Adjust declaration.
-
-(cherry picked from commit 3685de750e6a091663a0abe42528cad29e960e35)
-
-Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8e03235147a9e774d3ba084e93c2da1aa94d1cec]
-CVE: CVE-2021-20197
-Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
----
- binutils/ar.c      |  2 +-
- binutils/arsup.c   |  2 +-
- binutils/bucomm.h  |  3 ++-
- binutils/objcopy.c |  8 ++-----
- binutils/rename.c  | 55 +++++++++-------------------------------------
- 6 files changed, 29 insertions(+), 54 deletions(-)
-
-diff --git a/binutils/ar.c b/binutils/ar.c
-index 45a34e3a6cf..3a91708b51c 100644
---- a/binutils/ar.c
-+++ b/binutils/ar.c
-@@ -1308,7 +1308,7 @@ write_archive (bfd *iarch)
-   /* We don't care if this fails; we might be creating the archive.  */
-   bfd_close (iarch);
- 
--  if (smart_rename (new_name, old_name, 0) != 0)
-+  if (smart_rename (new_name, old_name, NULL) != 0)
-     xexit (1);
-   free (old_name);
-   free (new_name);
-diff --git a/binutils/arsup.c b/binutils/arsup.c
-index 5403a0c5d74..0a1f63f6456 100644
---- a/binutils/arsup.c
-+++ b/binutils/arsup.c
-@@ -351,7 +351,7 @@ ar_save (void)
- 
-       bfd_close (obfd);
- 
--      smart_rename (ofilename, real_name, 0);
-+      smart_rename (ofilename, real_name, NULL);
-       obfd = 0;
-       free (ofilename);
-     }
-diff --git a/binutils/bucomm.h b/binutils/bucomm.h
-index 91f6a5b228f..aa7e33d8cd1 100644
---- a/binutils/bucomm.h
-+++ b/binutils/bucomm.h
-@@ -71,7 +71,8 @@ extern void print_version (const char *);
- /* In rename.c.  */
- extern void set_times (const char *, const struct stat *);
- 
--extern int smart_rename (const char *, const char *, int);
-+extern int smart_rename (const char *, const char *, struct stat *);
-+
- 
- /* In libiberty.  */
- void *xmalloc (size_t);
-diff --git a/binutils/objcopy.c b/binutils/objcopy.c
-index eab3b6db585..07a872b5a80 100644
---- a/binutils/objcopy.c
-+++ b/binutils/objcopy.c
-@@ -4861,12 +4861,10 @@ strip_main (int argc, char *argv[])
- 		 output_target, NULL);
-       if (status == 0)
- 	{
--	  if (preserve_dates)
--	    set_times (tmpname, &statbuf);
- 	  if (output_file != tmpname)
- 	    status = (smart_rename (tmpname,
- 				    output_file ? output_file : argv[i],
--				    preserve_dates) != 0);
-+				    preserve_dates ? &statbuf : NULL) != 0);
- 	  if (status == 0)
- 	    status = hold_status;
- 	}
-@@ -5931,11 +5929,9 @@ copy_main (int argc, char *argv[])
- 	     output_target, input_arch);
-   if (status == 0)
-     {
--      if (preserve_dates)
--	set_times (tmpname, &statbuf);
-       if (tmpname != output_filename)
- 	status = (smart_rename (tmpname, input_filename,
--				preserve_dates) != 0);
-+				preserve_dates ? &statbuf : NULL) != 0);
-     }
-   else
-     unlink_if_ordinary (tmpname);
-diff --git a/binutils/rename.c b/binutils/rename.c
-index 65ad5bf52c4..f471b45fd3f 100644
---- a/binutils/rename.c
-+++ b/binutils/rename.c
-@@ -122,20 +122,13 @@ set_times (const char *destination, const struct stat *statbuf)
-     non_fatal (_("%s: cannot set time: %s"), destination, strerror (errno));
- }
- 
--#ifndef S_ISLNK
--#ifdef S_IFLNK
--#define S_ISLNK(m) (((m) & S_IFMT) == S_IFLNK)
--#else
--#define S_ISLNK(m) 0
--#define lstat stat
--#endif
--#endif
--
--/* Rename FROM to TO, copying if TO is a link.
--   Return 0 if ok, -1 if error.  */
-+/* Rename FROM to TO, copying if TO exists.  TARGET_STAT has the file status
-+   that, if non-NULL, is used to fix up timestamps after rename.  Return 0 if
-+   ok, -1 if error.  */
- 
- int
--smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNUSED)
-+smart_rename (const char *from, const char *to,
-+	      struct stat *target_stat ATTRIBUTE_UNUSED)
- {
-   bfd_boolean exists;
-   struct stat s;
-@@ -158,38 +151,10 @@ smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNU
-       unlink (from);
-     }
- #else
--  /* Use rename only if TO is not a symbolic link and has
--     only one hard link, and we have permission to write to it.  */
--  if (! exists
--      || (!S_ISLNK (s.st_mode)
--	  && S_ISREG (s.st_mode)
--	  && (s.st_mode & S_IWUSR)
--	  && s.st_nlink == 1)
--      )
-+  /* Avoid a full copy and use rename if TO does not exist.  */
-+  if (!exists)
-     {
--      ret = rename (from, to);
--      if (ret == 0)
--	{
--	  if (exists)
--	    {
--	      /* Try to preserve the permission bits and ownership of
--		 TO.  First get the mode right except for the setuid
--		 bit.  Then change the ownership.  Then fix the setuid
--		 bit.  We do the chmod before the chown because if the
--		 chown succeeds, and we are a normal user, we won't be
--		 able to do the chmod afterward.  We don't bother to
--		 fix the setuid bit first because that might introduce
--		 a fleeting security problem, and because the chown
--		 will clear the setuid bit anyhow.  We only fix the
--		 setuid bit if the chown succeeds, because we don't
--		 want to introduce an unexpected setuid file owned by
--		 the user running objcopy.  */
--	      chmod (to, s.st_mode & 0777);
--	      if (chown (to, s.st_uid, s.st_gid) >= 0)
--		chmod (to, s.st_mode & 07777);
--	    }
--	}
--      else
-+      if ((ret = rename (from, to)) != 0)
- 	{
- 	  /* We have to clean up here.  */
- 	  non_fatal (_("unable to rename '%s'; reason: %s"), to, strerror (errno));
-@@ -202,8 +167,8 @@ smart_rename (const char *from, const char *to, int preserve_dates ATTRIBUTE_UNU
-       if (ret != 0)
- 	non_fatal (_("unable to copy file '%s'; reason: %s"), to, strerror (errno));
- 
--      if (preserve_dates)
--	set_times (to, &s);
-+      if (target_stat != NULL)
-+	set_times (to, target_stat);
-       unlink (from);
-     }
- #endif /* _WIN32 && !__CYGWIN32__ */
--- 
-2.31.1
-
diff --git a/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-42574.patch b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-42574.patch
new file mode 100644
index 0000000000..6adc438b5c
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-CVE-2021-42574.patch
@@ -0,0 +1,2006 @@
+From b3aa80b45c4f46029efeb204bb9f2d2c4278a0e5 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 9 Nov 2021 13:25:42 +0000
+Subject: [PATCH] Add --unicode option to control how unicode characters are
+ handled by display tools.
+
+	* nm.c: Add --unicode option to control how unicode characters are
+	handled.
+	* objdump.c: Likewise.
+	* readelf.c: Likewise.
+	* strings.c: Likewise.
+	* binutils.texi: Document the new feature.
+	* NEWS: Document the new feature.
+	* testsuite/binutils-all/unicode.exp: New file.
+	* testsuite/binutils-all/nm.hex.unicode
+	* testsuite/binutils-all/strings.escape.unicode
+	* testsuite/binutils-all/objdump.highlight.unicode
+	* testsuite/binutils-all/readelf.invalid.unicode
+
+CVE: CVE-2021-42574
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=b3aa80b45c4f46029efeb204bb9f2d2c4278a0e5]
+
+Signed-off-by: pgowda <pgowda.cve@gmail.com>
+---
+ binutils/ChangeLog         |  15 +
+ binutils/NEWS              |   9 +
+ binutils/doc/binutils.texi |  78 ++++
+ binutils/nm.c              | 228 ++++++++++-
+ binutils/objdump.c         | 235 ++++++++++--
+ binutils/readelf.c         | 190 +++++++++-
+ binutils/strings.c         | 757 ++++++++++++++++++++++++++++++++++---
+ 7 files changed, 1409 insertions(+), 103 deletions(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+--- a/binutils/ChangeLog	2021-12-23 03:23:38.425843662 -0800
++++ b/binutils/ChangeLog	2021-12-23 03:30:31.094968942 -0800
+@@ -1,3 +1,18 @@
++2021-11-09  Nick Clifton  <nickc@redhat.com>
++
++	* nm.c: Add --unicode option to control how unicode characters are
++	handled.
++	* objdump.c: Likewise.
++	* readelf.c: Likewise.
++	* strings.c: Likewise.
++	* binutils.texi: Document the new feature.
++	* NEWS: Document the new feature.
++	* testsuite/binutils-all/unicode.exp: New file.
++	* testsuite/binutils-all/nm.hex.unicode
++	* testsuite/binutils-all/strings.escape.unicode
++	* testsuite/binutils-all/objdump.highlight.unicode
++	* testsuite/binutils-all/readelf.invalid.unicode
++
+ 2021-04-15  Alan Modra  <amodra@gmail.com>
+ 
+ 	PR 27456
+diff --git a/binutils/doc/binutils.texi b/binutils/doc/binutils.texi
+--- a/binutils/doc/binutils.texi	2021-12-23 03:23:38.441843395 -0800
++++ b/binutils/doc/binutils.texi	2021-12-23 03:30:31.094968942 -0800
+@@ -805,6 +805,7 @@ nm [@option{-A}|@option{-o}|@option{--pr
+    [@option{-s}|@option{--print-armap}] [@option{-t} @var{radix}|@option{--radix=}@var{radix}]
+    [@option{-u}|@option{--undefined-only}] [@option{-V}|@option{--version}]
+    [@option{-X 32_64}] [@option{--defined-only}] [@option{--no-demangle}]
++   [@option{-U} @var{method}] [@option{--unicode=}@var{method}]
+    [@option{--plugin} @var{name}]
+    [@option{--no-recurse-limit}|@option{--recurse-limit}]]
+    [@option{--size-sort}] [@option{--special-syms}]
+@@ -1114,6 +1115,21 @@ Use @var{radix} as the radix for printin
+ @cindex undefined symbols
+ Display only undefined symbols (those external to each object file).
+ 
++@item -U @var{[d|i|l|e|x|h]}
++@itemx --unicode=@var{[default|invalid|locale|escape|hex|highlight]}
++Controls the display of UTF-8 encoded mulibyte characters in strings.
++The default (@option{--unicode=default}) is to give them no special
++treatment.  The @option{--unicode=locale} option displays the sequence
++in the current locale, which may or may not support them.  The options
++@option{--unicode=hex} and @option{--unicode=invalid} display them as
++hex byte sequences enclosed by either angle brackets or curly braces.
++
++The @option{--unicode=escape} option displays them as escape sequences
++(@var{\uxxxx}) and the @option{--unicode=highlight} option displays
++them as escape sequences highlighted in red (if supported by the
++output device).  The colouring is intended to draw attention to the
++presence of unicode sequences where they might not be expected.
++
+ @item -V
+ @itemx --version
+ Show the version number of @command{nm} and exit.
+@@ -2210,6 +2226,7 @@ objdump [@option{-a}|@option{--archive-h
+         [@option{--prefix-strip=}@var{level}]
+         [@option{--insn-width=}@var{width}]
+         [@option{--visualize-jumps[=color|=extended-color|=off]}
++        [@option{-U} @var{method}] [@option{--unicode=}@var{method}]
+         [@option{-V}|@option{--version}]
+         [@option{-H}|@option{--help}]
+         @var{objfile}@dots{}
+@@ -2877,6 +2894,21 @@ When displaying symbols include those wh
+ special in some way and which would not normally be of interest to the
+ user.
+ 
++@item -U @var{[d|i|l|e|x|h]}
++@itemx --unicode=@var{[default|invalid|locale|escape|hex|highlight]}
++Controls the display of UTF-8 encoded mulibyte characters in strings.
++The default (@option{--unicode=default}) is to give them no special
++treatment.  The @option{--unicode=locale} option displays the sequence
++in the current locale, which may or may not support them.  The options
++@option{--unicode=hex} and @option{--unicode=invalid} display them as
++hex byte sequences enclosed by either angle brackets or curly braces.
++
++The @option{--unicode=escape} option displays them as escape sequences
++(@var{\uxxxx}) and the @option{--unicode=highlight} option displays
++them as escape sequences highlighted in red (if supported by the
++output device).  The colouring is intended to draw attention to the
++presence of unicode sequences where they might not be expected.
++
+ @item -V
+ @itemx --version
+ Print the version number of @command{objdump} and exit.
+@@ -3153,6 +3185,7 @@ strings [@option{-afovV}] [@option{-}@va
+         [@option{-n} @var{min-len}] [@option{--bytes=}@var{min-len}]
+         [@option{-t} @var{radix}] [@option{--radix=}@var{radix}]
+         [@option{-e} @var{encoding}] [@option{--encoding=}@var{encoding}]
++        [@option{-U} @var{method}] [@option{--unicode=}@var{method}]
+         [@option{-}] [@option{--all}] [@option{--print-file-name}]
+         [@option{-T} @var{bfdname}] [@option{--target=}@var{bfdname}]
+         [@option{-w}] [@option{--include-all-whitespace}]
+@@ -3244,6 +3277,28 @@ single-8-bit-byte characters, @samp{b} =
+ littleendian.  Useful for finding wide character strings. (@samp{l}
+ and @samp{b} apply to, for example, Unicode UTF-16/UCS-2 encodings).
+ 
++@item -U @var{[d|i|l|e|x|h]}
++@itemx --unicode=@var{[default|invalid|locale|escape|hex|highlight]}
++Controls the display of UTF-8 encoded mulibyte characters in strings.
++The default (@option{--unicode=default}) is to give them no special
++treatment, and instead rely upon the setting of the
++@option{--encoding} option.  The other values for this option
++automatically enable @option{--encoding=S}.
++
++The @option{--unicode=invalid} option treats them as non-graphic
++characters and hence not part of a valid string.  All the remaining
++options treat them as valid string characters.
++
++The @option{--unicode=locale} option displays them in the current
++locale, which may or may not support UTF-8 encoding.  The
++@option{--unicode=hex} option displays them as hex byte sequences
++enclosed between @var{<>} characters.  The @option{--unicode=escape}
++option displays them as escape sequences (@var{\uxxxx}) and the
++@option{--unicode=highlight} option displays them as escape sequences
++highlighted in red (if supported by the output device).  The colouring
++is intended to draw attention to the presence of unicode sequences
++where they might not be expected.
++
+ @item -T @var{bfdname}
+ @itemx --target=@var{bfdname}
+ @cindex object code format
+@@ -4740,6 +4795,7 @@ readelf [@option{-a}|@option{--all}]
+         [@option{--dyn-syms}|@option{--lto-syms}]
+         [@option{--demangle@var{=style}}|@option{--no-demangle}]
+         [@option{--recurse-limit}|@option{--no-recurse-limit}]
++        [@option{-U} @var{method}|@option{--unicode=}@var{method}]
+         [@option{-n}|@option{--notes}]
+         [@option{-r}|@option{--relocs}]
+         [@option{-u}|@option{--unwind}]
+@@ -4887,6 +4943,28 @@ necessary in order to demangle truly com
+ that if the recursion limit is disabled then stack exhaustion is
+ possible and any bug reports about such an event will be rejected.
+ 
++@item -U @var{[d|i|l|e|x|h]}
++@itemx --unicode=[default|invalid|locale|escape|hex|highlight]
++Controls the display of non-ASCII characters in identifier names.
++The default (@option{--unicode=locale} or @option{--unicode=default}) is
++to treat them as multibyte characters and display them in the current
++locale.  All other versions of this option treat the bytes as UTF-8
++encoded values and attempt to interpret them.  If they cannot be
++interpreted or if the @option{--unicode=invalid} option is used then
++they are displayed as a sequence of hex bytes, encloses in curly
++parethesis characters.
++
++Using the @option{--unicode=escape} option will display the characters
++as as unicode escape sequences (@var{\uxxxx}).  Using the
++@option{--unicode=hex} will display the characters as hex byte
++sequences enclosed between angle brackets.
++
++Using the @option{--unicode=highlight} will display the characters as 
++unicode escape sequences but it will also highlighted them in red,
++assuming that colouring is supported by the output device.  The
++colouring is intended to draw attention to the presence of unicode
++sequences when they might not be expected.
++
+ @item -e
+ @itemx --headers
+ Display all the headers in the file.  Equivalent to @option{-h -l -S}.
+diff --git a/binutils/NEWS b/binutils/NEWS
+--- a/binutils/NEWS	2021-12-23 03:23:38.433843528 -0800
++++ b/binutils/NEWS	2021-12-23 03:30:31.094968942 -0800
+@@ -1,5 +1,14 @@
+ -*- text -*-
+ 
++* Tools which display symbols or strings (readelf, strings, nm, objdump)
++  have a new command line option which controls how unicode characters are
++  handled.  By default they are treated as normal for the tool.  Using
++  --unicode=locale will display them according to the current locale.
++  Using --unicode=hex will display them as hex byte values, whilst
++  --unicode=escape will display them as escape sequences.  In addition
++  using --unicode=highlight will display them as unicode escape sequences
++  highlighted in red (if supported by the output device).
++
+ Changes in 2.36:
+ 
+ * Update elfedit and readelf with LAM_U48 and LAM_U57 support.
+diff --git a/binutils/nm.c b/binutils/nm.c
+--- a/binutils/nm.c	2021-12-23 03:23:38.441843395 -0800
++++ b/binutils/nm.c	2021-12-23 03:30:31.098968875 -0800
+@@ -38,6 +38,11 @@
+ #include "bucomm.h"
+ #include "plugin-api.h"
+ #include "plugin.h"
++#include "safe-ctype.h"
++
++#ifndef streq
++#define streq(a,b) (strcmp ((a),(b)) == 0)
++#endif
+ 
+ /* When sorting by size, we use this structure to hold the size and a
+    pointer to the minisymbol.  */
+@@ -192,6 +197,18 @@ static const char *plugin_target = NULL;
+ static bfd *lineno_cache_bfd;
+ static bfd *lineno_cache_rel_bfd;
+ 
++typedef enum unicode_display_type
++{
++  unicode_default = 0,
++  unicode_locale,
++  unicode_escape,
++  unicode_hex,
++  unicode_highlight,
++  unicode_invalid
++} unicode_display_type;
++
++static unicode_display_type unicode_display = unicode_default;
++
+ enum long_option_values
+ {
+   OPTION_TARGET = 200,
+@@ -234,6 +251,7 @@ static struct option long_options[] =
+   {"target", required_argument, 0, OPTION_TARGET},
+   {"defined-only", no_argument, &defined_only, 1},
+   {"undefined-only", no_argument, &undefined_only, 1},
++  {"unicode", required_argument, NULL, 'U'},
+   {"version", no_argument, &show_version, 1},
+   {"with-symbol-versions", no_argument, NULL,
+    OPTION_WITH_SYMBOL_VERSIONS},
+@@ -285,6 +303,8 @@ usage (FILE *stream, int status)
+   -t, --radix=RADIX      Use RADIX for printing symbol values\n\
+       --target=BFDNAME   Specify the target object format as BFDNAME\n\
+   -u, --undefined-only   Display only undefined symbols\n\
++  -U {d|s|i|x|e|h}       Specify how to treat UTF-8 encoded unicode characters\n\
++      --unicode={default|show|invalid|hex|escape|highlight}\n\
+       --with-symbol-versions  Display version strings after symbol names\n\
+   -X 32_64               (ignored)\n\
+   @FILE                  Read options from FILE\n\
+@@ -399,6 +419,188 @@ get_coff_symbol_type (const struct inter
+     fatal ("%s", xstrerror (errno));
+   return bufp;
+ }
++
++/* Convert a potential UTF-8 encoded sequence in IN into characters in OUT.
++   The conversion format is controlled by the unicode_display variable.
++   Returns the number of characters added to OUT.
++   Returns the number of bytes consumed from IN in CONSUMED.
++   Always consumes at least one byte and displays at least one character.  */
++
++static unsigned int
++display_utf8 (const unsigned char * in, char * out, unsigned int * consumed)
++{
++  char *        orig_out = out;
++  unsigned int  nchars = 0;
++  unsigned int j;
++
++  if (unicode_display == unicode_default)
++    goto invalid;
++
++  if (in[0] < 0xc0)
++    goto invalid;
++
++  if ((in[1] & 0xc0) != 0x80)
++    goto invalid;
++
++  if ((in[0] & 0x20) == 0)
++    {
++      nchars = 2;
++      goto valid;
++    }
++
++  if ((in[2] & 0xc0) != 0x80)
++    goto invalid;
++
++  if ((in[0] & 0x10) == 0)
++    {
++      nchars = 3;
++      goto valid;
++    }
++
++  if ((in[3] & 0xc0) != 0x80)
++    goto invalid;
++
++  nchars = 4;
++
++ valid:
++  switch (unicode_display)
++    {
++    case unicode_locale:
++      /* Copy the bytes into the output buffer as is.  */
++      memcpy (out, in, nchars);
++      out += nchars;
++      break;
++
++    case unicode_invalid:
++    case unicode_hex:
++      out += sprintf (out, "%c", unicode_display == unicode_hex ? '<' : '{');
++      out += sprintf (out, "0x");
++      for (j = 0; j < nchars; j++)
++	out += sprintf (out, "%02x", in [j]);
++      out += sprintf (out, "%c", unicode_display == unicode_hex ? '>' : '}');
++      break;
++
++    case unicode_highlight:
++      if (isatty (1))
++	out += sprintf (out, "\x1B[31;47m"); /* Red.  */
++      /* Fall through.  */
++    case unicode_escape:
++      switch (nchars)
++	{
++	case 2:
++	  out += sprintf (out, "\\u%02x%02x",
++		  ((in[0] & 0x1c) >> 2),
++		  ((in[0] & 0x03) << 6) | (in[1] & 0x3f));
++	  break;
++
++	case 3:
++	  out += sprintf (out, "\\u%02x%02x",
++		  ((in[0] & 0x0f) << 4) | ((in[1] & 0x3c) >> 2),
++		  ((in[1] & 0x03) << 6) | ((in[2] & 0x3f)));
++	  break;
++
++	case 4:
++	  out += sprintf (out, "\\u%02x%02x%02x",
++		  ((in[0] & 0x07) << 6) | ((in[1] & 0x3c) >> 2),
++		  ((in[1] & 0x03) << 6) | ((in[2] & 0x3c) >> 2),
++		  ((in[2] & 0x03) << 6) | ((in[3] & 0x3f)));
++	  break;
++	default:
++	  /* URG.  */
++	  break;
++	}
++
++      if (unicode_display == unicode_highlight && isatty (1))
++	out += sprintf (out, "\033[0m"); /* Default colour.  */
++      break;
++
++    default:
++      /* URG */
++      break;
++    }
++
++  * consumed = nchars;
++  return out - orig_out;
++
++ invalid:
++  /* Not a valid UTF-8 sequence.  */
++  *out = *in;
++  * consumed = 1;
++  return 1;
++}
++
++/* Convert any UTF-8 encoded characters in NAME into the form specified by
++   unicode_display.  Also converts control characters.  Returns a static
++   buffer if conversion was necessary.
++   Code stolen from objdump.c:sanitize_string().  */
++
++static const char *
++convert_utf8 (const char * in)
++{
++  static char *  buffer = NULL;
++  static size_t  buffer_len = 0;
++  const char *   original = in;
++  char *         out;
++
++  /* Paranoia.  */
++  if (in == NULL)
++    return "";
++
++  /* See if any conversion is necessary.
++     In the majority of cases it will not be needed.  */
++  do
++    {
++      unsigned char c = *in++;
++
++      if (c == 0)
++	return original;
++
++      if (ISCNTRL (c))
++	break;
++
++      if (unicode_display != unicode_default && c >= 0xc0)
++	break;
++    }
++  while (1);
++
++  /* Copy the input, translating as needed.  */
++  in = original;
++  if (buffer_len < (strlen (in) * 9))
++    {
++      free ((void *) buffer);
++      buffer_len = strlen (in) * 9;
++      buffer = xmalloc (buffer_len + 1);
++    }
++
++  out = buffer;
++  do
++    {
++      unsigned char c = *in++;
++
++      if (c == 0)
++	break;
++
++      if (ISCNTRL (c))
++	{
++	  *out++ = '^';
++	  *out++ = c + 0x40;
++	}
++      else if (unicode_display != unicode_default && c >= 0xc0)
++	{
++	  unsigned int num_consumed;
++
++	  out += display_utf8 ((const unsigned char *)(in - 1), out, & num_consumed);
++	  in += num_consumed - 1;
++	}
++      else
++	*out++ = c;
++    }
++  while (1);
++
++  *out = 0;
++  return buffer;
++}
++
+ 
+ /* Print symbol name NAME, read from ABFD, with printf format FORM,
+    demangling it if requested.  */
+@@ -418,6 +620,11 @@ print_symname (const char *form, struct
+ 	name = alloc;
+     }
+ 
++  if (unicode_display != unicode_default)
++    {
++      name = convert_utf8 (name);
++    }
++
+   if (info != NULL && info->elfinfo)
+     {
+       const char *version_string;
+@@ -1738,7 +1945,7 @@ main (int argc, char **argv)
+     fatal (_("fatal error: libbfd ABI mismatch"));
+   set_default_bfd_target ();
+ 
+-  while ((c = getopt_long (argc, argv, "aABCDef:gHhlnopPrSst:uvVvX:",
++  while ((c = getopt_long (argc, argv, "aABCDef:gHhlnopPrSst:uU:vVvX:",
+ 			   long_options, (int *) 0)) != EOF)
+     {
+       switch (c)
+@@ -1828,6 +2035,24 @@ main (int argc, char **argv)
+ 	case 'u':
+ 	  undefined_only = 1;
+ 	  break;
++
++	case 'U':
++	  if (streq (optarg, "default") || streq (optarg, "d"))
++	    unicode_display = unicode_default;
++	  else if (streq (optarg, "locale") || streq (optarg, "l"))
++	    unicode_display = unicode_locale;
++	  else if (streq (optarg, "escape") || streq (optarg, "e"))
++	    unicode_display = unicode_escape;
++	  else if (streq (optarg, "invalid") || streq (optarg, "i"))
++	    unicode_display = unicode_invalid;
++	  else if (streq (optarg, "hex") || streq (optarg, "x"))
++	    unicode_display = unicode_hex;
++	  else if (streq (optarg, "highlight") || streq (optarg, "h"))
++	    unicode_display = unicode_highlight;
++	  else
++	    fatal (_("invalid argument to -U/--unicode: %s"), optarg);
++	  break;
++
+ 	case 'V':
+ 	  show_version = 1;
+ 	  break;
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+--- a/binutils/objdump.c	2021-12-23 03:23:38.445843329 -0800
++++ b/binutils/objdump.c	2021-12-23 03:30:31.098968875 -0800
+@@ -205,6 +205,19 @@ static const struct objdump_private_desc
+ 
+ /* The list of detected jumps inside a function.  */
+ static struct jump_info *detected_jumps = NULL;
++
++typedef enum unicode_display_type
++{
++  unicode_default = 0,
++  unicode_locale,
++  unicode_escape,
++  unicode_hex,
++  unicode_highlight,
++  unicode_invalid
++} unicode_display_type;
++
++static unicode_display_type unicode_display = unicode_default;
++
+ 
+ static void usage (FILE *, int) ATTRIBUTE_NORETURN;
+ static void
+@@ -274,6 +287,8 @@ usage (FILE *stream, int status)
+       --recurse-limit            Enable a limit on recursion whilst demangling.  [Default]\n\
+       --no-recurse-limit         Disable a limit on recursion whilst demangling\n\
+   -w, --wide                     Format output for more than 80 columns\n\
++  -U[d|l|i|x|e|h]                Controls the display of UTF-8 unicode characters\n\
++  --unicode=[default|locale|invalid|hex|escape|highlight]\n\
+   -z, --disassemble-zeroes       Do not skip blocks of zeroes when disassembling\n\
+       --start-address=ADDR       Only process data whose address is >= ADDR\n\
+       --stop-address=ADDR        Only process data whose address is < ADDR\n\
+@@ -348,17 +363,23 @@ static struct option long_options[]=
+ {
+   {"adjust-vma", required_argument, NULL, OPTION_ADJUST_VMA},
+   {"all-headers", no_argument, NULL, 'x'},
+-  {"private-headers", no_argument, NULL, 'p'},
+-  {"private", required_argument, NULL, 'P'},
+   {"architecture", required_argument, NULL, 'm'},
+   {"archive-headers", no_argument, NULL, 'a'},
++#ifdef ENABLE_LIBCTF
++  {"ctf", required_argument, NULL, OPTION_CTF},
++  {"ctf-parent", required_argument, NULL, OPTION_CTF_PARENT},
++#endif
+   {"debugging", no_argument, NULL, 'g'},
+   {"debugging-tags", no_argument, NULL, 'e'},
+   {"demangle", optional_argument, NULL, 'C'},
+   {"disassemble", optional_argument, NULL, 'd'},
+   {"disassemble-all", no_argument, NULL, 'D'},
+-  {"disassembler-options", required_argument, NULL, 'M'},
+   {"disassemble-zeroes", no_argument, NULL, 'z'},
++  {"disassembler-options", required_argument, NULL, 'M'},
++  {"dwarf", optional_argument, NULL, OPTION_DWARF},
++  {"dwarf-check", no_argument, 0, OPTION_DWARF_CHECK},
++  {"dwarf-depth", required_argument, 0, OPTION_DWARF_DEPTH},
++  {"dwarf-start", required_argument, 0, OPTION_DWARF_START},
+   {"dynamic-reloc", no_argument, NULL, 'R'},
+   {"dynamic-syms", no_argument, NULL, 'T'},
+   {"endian", required_argument, NULL, OPTION_ENDIAN},
+@@ -368,15 +389,22 @@ static struct option long_options[]=
+   {"full-contents", no_argument, NULL, 's'},
+   {"headers", no_argument, NULL, 'h'},
+   {"help", no_argument, NULL, 'H'},
++  {"include", required_argument, NULL, 'I'},
+   {"info", no_argument, NULL, 'i'},
++  {"inlines", no_argument, 0, OPTION_INLINES},
++  {"insn-width", required_argument, NULL, OPTION_INSN_WIDTH},
+   {"line-numbers", no_argument, NULL, 'l'},
+-  {"no-show-raw-insn", no_argument, &show_raw_insn, -1},
+   {"no-addresses", no_argument, &no_addresses, 1},
++  {"no-recurse-limit", no_argument, NULL, OPTION_NO_RECURSE_LIMIT},
++  {"no-recursion-limit", no_argument, NULL, OPTION_NO_RECURSE_LIMIT},
++  {"no-show-raw-insn", no_argument, &show_raw_insn, -1},
++  {"prefix", required_argument, NULL, OPTION_PREFIX},
+   {"prefix-addresses", no_argument, &prefix_addresses, 1},
++  {"prefix-strip", required_argument, NULL, OPTION_PREFIX_STRIP},
++  {"private", required_argument, NULL, 'P'},
++  {"private-headers", no_argument, NULL, 'p'},
+   {"recurse-limit", no_argument, NULL, OPTION_RECURSE_LIMIT},
+   {"recursion-limit", no_argument, NULL, OPTION_RECURSE_LIMIT},
+-  {"no-recurse-limit", no_argument, NULL, OPTION_NO_RECURSE_LIMIT},
+-  {"no-recursion-limit", no_argument, NULL, OPTION_NO_RECURSE_LIMIT},
+   {"reloc", no_argument, NULL, 'r'},
+   {"section", required_argument, NULL, 'j'},
+   {"section-headers", no_argument, NULL, 'h'},
+@@ -384,28 +412,16 @@ static struct option long_options[]=
+   {"source", no_argument, NULL, 'S'},
+   {"source-comment", optional_argument, NULL, OPTION_SOURCE_COMMENT},
+   {"special-syms", no_argument, &dump_special_syms, 1},
+-  {"include", required_argument, NULL, 'I'},
+-  {"dwarf", optional_argument, NULL, OPTION_DWARF},
+-#ifdef ENABLE_LIBCTF
+-  {"ctf", required_argument, NULL, OPTION_CTF},
+-  {"ctf-parent", required_argument, NULL, OPTION_CTF_PARENT},
+-#endif
+   {"stabs", no_argument, NULL, 'G'},
+   {"start-address", required_argument, NULL, OPTION_START_ADDRESS},
+   {"stop-address", required_argument, NULL, OPTION_STOP_ADDRESS},
+   {"syms", no_argument, NULL, 't'},
+   {"target", required_argument, NULL, 'b'},
++  {"unicode", required_argument, NULL, 'U'},
+   {"version", no_argument, NULL, 'V'},
+-  {"wide", no_argument, NULL, 'w'},
+-  {"prefix", required_argument, NULL, OPTION_PREFIX},
+-  {"prefix-strip", required_argument, NULL, OPTION_PREFIX_STRIP},
+-  {"insn-width", required_argument, NULL, OPTION_INSN_WIDTH},
+-  {"dwarf-depth", required_argument, 0, OPTION_DWARF_DEPTH},
+-  {"dwarf-start", required_argument, 0, OPTION_DWARF_START},
+-  {"dwarf-check", no_argument, 0, OPTION_DWARF_CHECK},
+-  {"inlines", no_argument, 0, OPTION_INLINES},
+   {"visualize-jumps", optional_argument, 0, OPTION_VISUALIZE_JUMPS},
+-  {0, no_argument, 0, 0}
++  {"wide", no_argument, NULL, 'w'},
++  {NULL, no_argument, NULL, 0}
+ };
+ 
+ static void
+@@ -415,9 +431,121 @@ nonfatal (const char *msg)
+   exit_status = 1;
+ }
+ 
++/* Convert a potential UTF-8 encoded sequence in IN into characters in OUT.
++   The conversion format is controlled by the unicode_display variable.
++   Returns the number of characters added to OUT.
++   Returns the number of bytes consumed from IN in CONSUMED.
++   Always consumes at least one byte and displays at least one character.  */
++   
++static unsigned int
++display_utf8 (const unsigned char * in, char * out, unsigned int * consumed)
++{
++  char *        orig_out = out;
++  unsigned int  nchars = 0;
++  unsigned int j;
++
++  if (unicode_display == unicode_default)
++    goto invalid;
++
++  if (in[0] < 0xc0)
++    goto invalid;
++
++  if ((in[1] & 0xc0) != 0x80)
++    goto invalid;
++
++  if ((in[0] & 0x20) == 0)
++    {
++      nchars = 2;
++      goto valid;
++    }
++
++  if ((in[2] & 0xc0) != 0x80)
++    goto invalid;
++
++  if ((in[0] & 0x10) == 0)
++    {
++      nchars = 3;
++      goto valid;
++    }
++
++  if ((in[3] & 0xc0) != 0x80)
++    goto invalid;
++
++  nchars = 4;
++
++ valid:
++  switch (unicode_display)
++    {
++    case unicode_locale:
++      /* Copy the bytes into the output buffer as is.  */
++      memcpy (out, in, nchars);
++      out += nchars;
++      break;
++
++    case unicode_invalid:
++    case unicode_hex:
++      out += sprintf (out, "%c", unicode_display == unicode_hex ? '<' : '{');
++      out += sprintf (out, "0x");
++      for (j = 0; j < nchars; j++)
++	out += sprintf (out, "%02x", in [j]);
++      out += sprintf (out, "%c", unicode_display == unicode_hex ? '>' : '}');
++      break;
++      
++    case unicode_highlight:
++      if (isatty (1))
++	out += sprintf (out, "\x1B[31;47m"); /* Red.  */
++      /* Fall through.  */
++    case unicode_escape:
++      switch (nchars)
++	{
++	case 2:
++	  out += sprintf (out, "\\u%02x%02x",
++		  ((in[0] & 0x1c) >> 2), 
++		  ((in[0] & 0x03) << 6) | (in[1] & 0x3f));
++	  break;
++
++	case 3:
++	  out += sprintf (out, "\\u%02x%02x",
++		  ((in[0] & 0x0f) << 4) | ((in[1] & 0x3c) >> 2),
++		  ((in[1] & 0x03) << 6) | ((in[2] & 0x3f)));
++	  break;
++
++	case 4:
++	  out += sprintf (out, "\\u%02x%02x%02x",
++		  ((in[0] & 0x07) << 6) | ((in[1] & 0x3c) >> 2),
++		  ((in[1] & 0x03) << 6) | ((in[2] & 0x3c) >> 2),
++		  ((in[2] & 0x03) << 6) | ((in[3] & 0x3f)));
++	  break;
++	default:
++	  /* URG.  */
++	  break;
++	}
++
++      if (unicode_display == unicode_highlight && isatty (1))
++	out += sprintf (out, "\033[0m"); /* Default colour.  */
++      break;
++
++    default:
++      /* URG */
++      break;
++    }
++
++  * consumed = nchars;
++  return out - orig_out;
++
++ invalid:
++  /* Not a valid UTF-8 sequence.  */
++  *out = *in;
++  * consumed = 1;
++  return 1;
++}
++
+ /* Returns a version of IN with any control characters
+    replaced by escape sequences.  Uses a static buffer
+-   if necessary.  */
++   if necessary.
++
++   If unicode display is enabled, then also handles the
++   conversion of unicode characters.  */
+ 
+ static const char *
+ sanitize_string (const char * in)
+@@ -435,40 +563,50 @@ sanitize_string (const char * in)
+      of cases it will not be needed.  */
+   do
+     {
+-      char c = *in++;
++      unsigned char c = *in++;
+ 
+       if (c == 0)
+ 	return original;
+ 
+       if (ISCNTRL (c))
+ 	break;
++
++      if (unicode_display != unicode_default && c >= 0xc0)
++	break;
+     }
+   while (1);
+ 
+   /* Copy the input, translating as needed.  */
+   in = original;
+-  if (buffer_len < (strlen (in) * 2))
++  if (buffer_len < (strlen (in) * 9))
+     {
+       free ((void *) buffer);
+-      buffer_len = strlen (in) * 2;
++      buffer_len = strlen (in) * 9;
+       buffer = xmalloc (buffer_len + 1);
+     }
+ 
+   out = buffer;
+   do
+     {
+-      char c = *in++;
++      unsigned char c = *in++;
+ 
+       if (c == 0)
+ 	break;
+ 
+-      if (!ISCNTRL (c))
+-	*out++ = c;
+-      else
++      if (ISCNTRL (c))
+ 	{
+ 	  *out++ = '^';
+ 	  *out++ = c + 0x40;
+ 	}
++      else if (unicode_display != unicode_default && c >= 0xc0)
++	{
++	  unsigned int num_consumed;
++
++	  out += display_utf8 ((const unsigned char *)(in - 1), out, & num_consumed);
++	  in += num_consumed - 1;
++	}
++      else
++	*out++ = c;
+     }
+   while (1);
+ 
+@@ -4481,6 +4619,24 @@ dump_symbols (bfd *abfd ATTRIBUTE_UNUSED
+ 		  free (alloc);
+ 		}
+ 	    }
++	  else if (unicode_display != unicode_default
++		   && name != NULL && *name != '\0')
++	    {
++	      const char * sanitized_name;
++
++	      /* If we want to sanitize the name, we do it here, and
++		 temporarily clobber it while calling bfd_print_symbol.
++		 FIXME: This is a gross hack.  */
++	      sanitized_name = sanitize_string (name);
++	      if (sanitized_name != name)
++		(*current)->name = sanitized_name;
++	      else
++		sanitized_name = NULL;
++	      bfd_print_symbol (cur_bfd, stdout, *current,
++				bfd_print_symbol_all);
++	      if (sanitized_name != NULL)
++		(*current)->name = name;
++	    }
+ 	  else
+ 	    bfd_print_symbol (cur_bfd, stdout, *current,
+ 			      bfd_print_symbol_all);
+@@ -5162,7 +5318,7 @@ main (int argc, char **argv)
+   set_default_bfd_target ();
+ 
+   while ((c = getopt_long (argc, argv,
+-			   "pP:ib:m:M:VvCdDlfFaHhrRtTxsSI:j:wE:zgeGW::",
++			   "pP:ib:m:U:M:VvCdDlfFaHhrRtTxsSI:j:wE:zgeGW::",
+ 			   long_options, (int *) 0))
+ 	 != EOF)
+     {
+@@ -5441,6 +5597,23 @@ main (int argc, char **argv)
+ 	  seenflag = TRUE;
+ 	  break;
+ 
++	case 'U':
++	  if (streq (optarg, "default") || streq (optarg, "d"))
++	    unicode_display = unicode_default;
++	  else if (streq (optarg, "locale") || streq (optarg, "l"))
++	    unicode_display = unicode_locale;
++	  else if (streq (optarg, "escape") || streq (optarg, "e"))
++	    unicode_display = unicode_escape;
++	  else if (streq (optarg, "invalid") || streq (optarg, "i"))
++	    unicode_display = unicode_invalid;
++	  else if (streq (optarg, "hex") || streq (optarg, "x"))
++	    unicode_display = unicode_hex;
++	  else if (streq (optarg, "highlight") || streq (optarg, "h"))
++	    unicode_display = unicode_highlight;
++	  else
++	    fatal (_("invalid argument to -U/--unicode: %s"), optarg);
++	  break;
++
+ 	case 'H':
+ 	  usage (stdout, 0);
+ 	  /* No need to set seenflag or to break - usage() does not return.  */
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+--- a/binutils/readelf.c	2021-12-23 03:23:42.065783023 -0800
++++ b/binutils/readelf.c	2021-12-23 03:30:36.582877519 -0800
+@@ -321,6 +321,19 @@ typedef enum print_mode
+ }
+ print_mode;
+ 
++typedef enum unicode_display_type
++{
++  unicode_default = 0,
++  unicode_locale,
++  unicode_escape,
++  unicode_hex,
++  unicode_highlight,
++  unicode_invalid
++} unicode_display_type;
++
++static unicode_display_type unicode_display = unicode_default;
++
++  
+ /* Versioned symbol info.  */
+ enum versioned_symbol_info
+ {
+@@ -613,11 +626,18 @@ print_symbol (signed int width, const ch
+       if (c == 0)
+ 	break;
+ 
+-      /* Do not print control characters directly as they can affect terminal
+-	 settings.  Such characters usually appear in the names generated
+-	 by the assembler for local labels.  */
+-      if (ISCNTRL (c))
++      if (ISPRINT (c))
++	{
++	  putchar (c);
++	  width_remaining --;
++	  num_printed ++;
++	}
++      else if (ISCNTRL (c))
+ 	{
++	  /* Do not print control characters directly as they can affect terminal
++	     settings.  Such characters usually appear in the names generated
++	     by the assembler for local labels.  */
++
+ 	  if (width_remaining < 2)
+ 	    break;
+ 
+@@ -625,11 +645,137 @@ print_symbol (signed int width, const ch
+ 	  width_remaining -= 2;
+ 	  num_printed += 2;
+ 	}
+-      else if (ISPRINT (c))
++      else if (c == 0x7f)
+ 	{
+-	  putchar (c);
+-	  width_remaining --;
+-	  num_printed ++;
++	  if (width_remaining < 5)
++	    break;
++	  printf ("<DEL>");
++	  width_remaining -= 5;
++	  num_printed += 5;
++	}
++      else if (unicode_display != unicode_locale
++	       && unicode_display != unicode_default)
++	{
++	  /* Display unicode characters as something else.  */
++	  unsigned char bytes[4];
++	  bfd_boolean   is_utf8;
++	  unsigned int  nbytes;
++
++	  bytes[0] = c;
++
++	  if (bytes[0] < 0xc0)
++	    {
++	      nbytes = 1;
++	      is_utf8 = FALSE;
++	    }
++	  else
++	    {
++	      bytes[1] = *symbol++;
++
++	      if ((bytes[1] & 0xc0) != 0x80)
++		{
++		  is_utf8 = FALSE;
++		  /* Do not consume this character.  It may only
++		     be the first byte in the sequence that was
++		     corrupt.  */
++		  --symbol;
++		  nbytes = 1;
++		}
++	      else if ((bytes[0] & 0x20) == 0)
++		{
++		  is_utf8 = TRUE;
++		  nbytes = 2;
++		}
++	      else
++		{
++		  bytes[2] = *symbol++;
++
++		  if ((bytes[2] & 0xc0) != 0x80)
++		    {
++		      is_utf8 = FALSE;
++		      symbol -= 2;
++		      nbytes = 1;
++		    }
++		  else if ((bytes[0] & 0x10) == 0)
++		    {
++		      is_utf8 = TRUE;
++		      nbytes = 3;
++		    }
++		  else
++		    {
++		      bytes[3] = *symbol++;
++
++		      nbytes = 4;
++
++		      if ((bytes[3] & 0xc0) != 0x80)
++			{
++			  is_utf8 = FALSE;
++			  symbol -= 3;
++			  nbytes = 1;
++			}
++		      else
++			is_utf8 = TRUE;
++		    }
++		}
++	    }
++
++	  if (unicode_display == unicode_invalid)
++	    is_utf8 = FALSE;
++
++	  if (unicode_display == unicode_hex || ! is_utf8)
++	    {
++	      unsigned int i;
++
++	      if (width_remaining < (nbytes * 2) + 2)
++		break;
++	  
++	      putchar (is_utf8 ? '<' : '{');
++	      printf ("0x");
++	      for (i = 0; i < nbytes; i++)
++		printf ("%02x", bytes[i]);
++	      putchar (is_utf8 ? '>' : '}');
++	    }
++	  else
++	    {
++	      if (unicode_display == unicode_highlight && isatty (1))
++		printf ("\x1B[31;47m"); /* Red.  */
++	      
++	      switch (nbytes)
++		{
++		case 2:
++		  if (width_remaining < 6)
++		    break;
++		  printf ("\\u%02x%02x",
++			  (bytes[0] & 0x1c) >> 2, 
++			  ((bytes[0] & 0x03) << 6) | (bytes[1] & 0x3f));
++		  break;
++		case 3:
++		  if (width_remaining < 6)
++		    break;
++		  printf ("\\u%02x%02x",
++			  ((bytes[0] & 0x0f) << 4) | ((bytes[1] & 0x3c) >> 2),
++			  ((bytes[1] & 0x03) << 6) | (bytes[2] & 0x3f));
++		  break;
++		case 4:
++		  if (width_remaining < 8)
++		    break;
++		  printf ("\\u%02x%02x%02x",
++			  ((bytes[0] & 0x07) << 6) | ((bytes[1] & 0x3c) >> 2),
++			  ((bytes[1] & 0x03) << 6) | ((bytes[2] & 0x3c) >> 2),
++			  ((bytes[2] & 0x03) << 6) | (bytes[3] & 0x3f));
++		  
++		  break;
++		default:
++		  /* URG.  */
++		  break;
++		}
++
++	      if (unicode_display == unicode_highlight && isatty (1))
++		printf ("\033[0m"); /* Default colour.  */
++	    }
++	  
++	  if (bytes[nbytes - 1] == 0)
++	    break;
+ 	}
+       else
+ 	{
+@@ -4556,6 +4702,7 @@ static struct option options[] =
+   {"syms",	       no_argument, 0, 's'},
+   {"silent-truncation",no_argument, 0, 'T'},
+   {"section-details",  no_argument, 0, 't'},
++  {"unicode",          required_argument, NULL, 'U'},
+   {"unwind",	       no_argument, 0, 'u'},
+   {"version-info",     no_argument, 0, 'V'},
+   {"version",	       no_argument, 0, 'v'},
+@@ -4609,6 +4756,11 @@ usage (FILE * stream)
+      --no-demangle       Do not demangle low-level symbol names.  (This is the default)\n\
+      --recurse-limit     Enable a demangling recursion limit.  (This is the default)\n\
+      --no-recurse-limit  Disable a demangling recursion limit\n\
++     -U[dlexhi] --unicode=[default|locale|escape|hex|highlight|invalid]\n\
++                         Display unicode characters as determined by the current locale\n\
++                          (default), escape sequences, \"<hex sequences>\", highlighted\n\
++                          escape sequences, or treat them as invalid and display as\n\
++                          \"{hex sequences}\"\n\
+   -n --notes             Display the core notes (if present)\n\
+   -r --relocs            Display the relocations (if present)\n\
+   -u --unwind            Display the unwind info (if present)\n\
+@@ -4749,7 +4901,7 @@ parse_args (struct dump_data *dumpdata,
+     usage (stderr);
+ 
+   while ((c = getopt_long
+-	  (argc, argv, "ACDHILNR:STVWacdeghi:lnp:rstuvw::x:z", options, NULL)) != EOF)
++	  (argc, argv, "ACDHILNR:STU:VWacdeghi:lnp:rstuvw::x:z", options, NULL)) != EOF)
+     {
+       switch (c)
+ 	{
+@@ -4943,6 +5095,24 @@ parse_args (struct dump_data *dumpdata,
+ 	case OPTION_WITH_SYMBOL_VERSIONS:
+ 	  /* Ignored for backward compatibility.  */
+ 	  break;
++	case 'U':
++	  if (optarg == NULL)
++	    error (_("Missing arg to -U/--unicode")); /* Can this happen ?  */
++	  else if (streq (optarg, "default") || streq (optarg, "d"))
++	    unicode_display = unicode_default;
++	  else if (streq (optarg, "locale") || streq (optarg, "l"))
++	    unicode_display = unicode_locale;
++	  else if (streq (optarg, "escape") || streq (optarg, "e"))
++	    unicode_display = unicode_escape;
++	  else if (streq (optarg, "invalid") || streq (optarg, "i"))
++	    unicode_display = unicode_invalid;
++	  else if (streq (optarg, "hex") || streq (optarg, "x"))
++	    unicode_display = unicode_hex;
++	  else if (streq (optarg, "highlight") || streq (optarg, "h"))
++	    unicode_display = unicode_highlight;
++	  else
++	    error (_("invalid argument to -U/--unicode: %s"), optarg);
++	  break;
+ 
+ 	default:
+ 	  /* xgettext:c-format */
+diff --git a/binutils/strings.c b/binutils/strings.c
+--- a/binutils/strings.c	2021-12-23 03:23:38.485842662 -0800
++++ b/binutils/strings.c	2021-12-23 03:30:36.586877452 -0800
+@@ -55,6 +55,19 @@
+    -T {bfdname}
+ 		Specify a non-default object file format.
+ 
++  --unicode={default|locale|invalid|hex|escape|highlight}
++  -u {d|l|i|x|e|h}
++		Determine how to handle UTF-8 unicode characters.  The default
++		is no special treatment.  All other versions of this option
++		only apply if the encoding is valid and enabling the option
++		implies --encoding=S.
++		The 'locale' option displays the characters according to the
++		current locale.  The 'invalid' option treats them as
++		non-string characters.  The 'hex' option displays them as hex
++		byte sequences.  The 'escape' option displays them as escape
++		sequences and the 'highlight' option displays them as
++		coloured escape sequences.
++
+   --output-separator=sep_string
+   -s sep_string	String used to separate parsed strings in output.
+ 		Default is newline.
+@@ -76,6 +89,22 @@
+ #include "safe-ctype.h"
+ #include "bucomm.h"
+ 
++#ifndef streq
++#define streq(a,b) (strcmp ((a),(b)) == 0)
++#endif
++
++typedef enum unicode_display_type
++{
++  unicode_default = 0,
++  unicode_locale,
++  unicode_escape,
++  unicode_hex,
++  unicode_highlight,
++  unicode_invalid
++} unicode_display_type;
++
++static unicode_display_type unicode_display = unicode_default;
++
+ #define STRING_ISGRAPHIC(c) \
+       (   (c) >= 0 \
+        && (c) <= 255 \
+@@ -94,7 +123,7 @@ extern int errno;
+ static int address_radix;
+ 
+ /* Minimum length of sequence of graphic chars to trigger output.  */
+-static int string_min;
++static unsigned int string_min;
+ 
+ /* Whether or not we include all whitespace as a graphic char.   */
+ static bfd_boolean include_all_whitespace;
+@@ -121,21 +150,22 @@ static char *output_separator;
+ static struct option long_options[] =
+ {
+   {"all", no_argument, NULL, 'a'},
++  {"bytes", required_argument, NULL, 'n'},
+   {"data", no_argument, NULL, 'd'},
++  {"encoding", required_argument, NULL, 'e'},
++  {"help", no_argument, NULL, 'h'},
++  {"include-all-whitespace", no_argument, NULL, 'w'},
++  {"output-separator", required_argument, NULL, 's'},
+   {"print-file-name", no_argument, NULL, 'f'},
+-  {"bytes", required_argument, NULL, 'n'},
+   {"radix", required_argument, NULL, 't'},
+-  {"include-all-whitespace", no_argument, NULL, 'w'},
+-  {"encoding", required_argument, NULL, 'e'},
+   {"target", required_argument, NULL, 'T'},
+-  {"output-separator", required_argument, NULL, 's'},
+-  {"help", no_argument, NULL, 'h'},
++  {"unicode", required_argument, NULL, 'U'},
+   {"version", no_argument, NULL, 'v'},
+   {NULL, 0, NULL, 0}
+ };
+ 
+ static bfd_boolean strings_file (char *);
+-static void print_strings (const char *, FILE *, file_ptr, int, int, char *);
++static void print_strings (const char *, FILE *, file_ptr, int, char *);
+ static void usage (FILE *, int) ATTRIBUTE_NORETURN;
+ 
+ int main (int, char **);
+@@ -173,7 +203,7 @@ main (int argc, char **argv)
+   encoding = 's';
+   output_separator = NULL;
+ 
+-  while ((optc = getopt_long (argc, argv, "adfhHn:wot:e:T:s:Vv0123456789",
++  while ((optc = getopt_long (argc, argv, "adfhHn:wot:e:T:s:U:Vv0123456789",
+ 			      long_options, (int *) 0)) != EOF)
+     {
+       switch (optc)
+@@ -244,7 +274,24 @@ main (int argc, char **argv)
+ 
+ 	case 's':
+ 	  output_separator = optarg;
+-          break;
++	  break;
++
++	case 'U':
++	  if (streq (optarg, "default") || streq (optarg, "d"))
++	    unicode_display = unicode_default;
++	  else if (streq (optarg, "locale") || streq (optarg, "l"))
++	    unicode_display = unicode_locale;
++	  else if (streq (optarg, "escape") || streq (optarg, "e"))
++	    unicode_display = unicode_escape;
++	  else if (streq (optarg, "invalid") || streq (optarg, "i"))
++	    unicode_display = unicode_invalid;
++	  else if (streq (optarg, "hex") || streq (optarg, "x"))
++	    unicode_display = unicode_hex;
++	  else if (streq (optarg, "highlight") || streq (optarg, "h"))
++	    unicode_display = unicode_highlight;
++	  else
++	    fatal (_("invalid argument to -U/--unicode: %s"), optarg);
++	  break;
+ 
+ 	case 'V':
+ 	case 'v':
+@@ -260,6 +307,9 @@ main (int argc, char **argv)
+ 	}
+     }
+ 
++  if (unicode_display != unicode_default)
++    encoding = 'S';
++
+   if (numeric_opt != 0)
+     {
+       string_min = (int) strtoul (argv[numeric_opt - 1] + 1, &s, 0);
+@@ -295,14 +345,14 @@ main (int argc, char **argv)
+     {
+       datasection_only = FALSE;
+       SET_BINARY (fileno (stdin));
+-      print_strings ("{standard input}", stdin, 0, 0, 0, (char *) NULL);
++      print_strings ("{standard input}", stdin, 0, 0, (char *) NULL);
+       files_given = TRUE;
+     }
+   else
+     {
+       for (; optind < argc; ++optind)
+ 	{
+-	  if (strcmp (argv[optind], "-") == 0)
++	  if (streq (argv[optind], "-"))
+ 	    datasection_only = FALSE;
+ 	  else
+ 	    {
+@@ -344,7 +394,7 @@ strings_a_section (bfd *abfd, asection *
+     }
+ 
+   *got_a_section = TRUE;
+-  print_strings (filename, NULL, sect->filepos, 0, sectsize, (char *) mem);
++  print_strings (filename, NULL, sect->filepos, sectsize, (char *) mem);
+   free (mem);
+ }
+ 
+@@ -429,7 +479,7 @@ strings_file (char *file)
+ 	  return FALSE;
+ 	}
+ 
+-      print_strings (file, stream, (file_ptr) 0, 0, 0, (char *) 0);
++      print_strings (file, stream, (file_ptr) 0, 0, (char *) NULL);
+ 
+       if (fclose (stream) == EOF)
+ 	{
+@@ -553,11 +603,632 @@ unget_part_char (long c, file_ptr *addre
+ 	}
+     }
+ }
++
++
++static void
++print_filename_and_address (const char * filename, file_ptr address)
++{
++  if (print_filenames)
++    printf ("%s: ", filename);
++
++  if (! print_addresses)
++    return;
++
++  switch (address_radix)
++    {
++    case 8:
++      if (sizeof (address) > sizeof (long))
++	{
++#ifndef __MSVCRT__
++	  printf ("%7llo ", (unsigned long long) address);
++#else
++	  printf ("%7I64o ", (unsigned long long) address);
++#endif
++	}
++      else
++	printf ("%7lo ", (unsigned long) address);
++      break;
++
++    case 10:
++      if (sizeof (address) > sizeof (long))
++	{
++#ifndef __MSVCRT__
++	  printf ("%7llu ", (unsigned long long) address);
++#else
++	  printf ("%7I64d ", (unsigned long long) address);
++#endif
++	}
++      else
++	printf ("%7ld ", (long) address);
++      break;
++
++    case 16:
++      if (sizeof (address) > sizeof (long))
++	{
++#ifndef __MSVCRT__
++	  printf ("%7llx ", (unsigned long long) address);
++#else
++	  printf ("%7I64x ", (unsigned long long) address);
++#endif
++	}
++      else
++	printf ("%7lx ", (unsigned long) address);
++      break;
++    }
++}
++
++/* Return non-zero if the bytes starting at BUFFER form a valid UTF-8 encoding.
++   If the encoding is valid then returns the number of bytes it uses.  */
++
++static unsigned int
++is_valid_utf8 (const unsigned char * buffer, unsigned long buflen)
++{
++  if (buffer[0] < 0xc0)
++    return 0;
++
++  if (buflen < 2)
++    return 0;
++
++  if ((buffer[1] & 0xc0) != 0x80)
++    return 0;
++
++  if ((buffer[0] & 0x20) == 0)
++    return 2;
++
++  if (buflen < 3)
++    return 0;
++
++  if ((buffer[2] & 0xc0) != 0x80)
++    return 0;
++
++  if ((buffer[0] & 0x10) == 0)
++    return 3;
++
++  if (buflen < 4)
++    return 0;
++
++  if ((buffer[3] & 0xc0) != 0x80)
++    return 0;
++
++  return 4;
++}
++
++/* Display a UTF-8 encoded character in BUFFER according to the setting
++   of unicode_display.  The character is known to be valid.
++   Returns the number of bytes consumed.  */
++
++static unsigned int
++display_utf8_char (const unsigned char * buffer)
++{
++  unsigned int j;
++  unsigned int utf8_len;
++
++  switch (buffer[0] & 0x30)
++    {
++    case 0x00:
++    case 0x10:
++      utf8_len = 2;
++      break;
++    case 0x20:
++      utf8_len = 3;
++      break;
++    default:
++      utf8_len = 4;
++    }
++
++  switch (unicode_display)
++    {
++    default:
++      fprintf (stderr, "ICE: unexpected unicode display type\n");
++      break;
++
++    case unicode_escape:
++    case unicode_highlight:
++      if (unicode_display == unicode_highlight && isatty (1))
++	printf ("\x1B[31;47m"); /* Red.  */
++
++      switch (utf8_len)
++	{
++	case 2:
++	  printf ("\\u%02x%02x",
++		  ((buffer[0] & 0x1c) >> 2),
++		  ((buffer[0] & 0x03) << 6) | (buffer[1] & 0x3f));
++	  break;
++
++	case 3:
++	  printf ("\\u%02x%02x",
++		  ((buffer[0] & 0x0f) << 4) | ((buffer[1] & 0x3c) >> 2),
++		  ((buffer[1] & 0x03) << 6) | ((buffer[2] & 0x3f)));
++	  break;
++
++	case 4:
++	  printf ("\\u%02x%02x%02x",
++		  ((buffer[0] & 0x07) << 6) | ((buffer[1] & 0x3c) >> 2),
++		  ((buffer[1] & 0x03) << 6) | ((buffer[2] & 0x3c) >> 2),
++		  ((buffer[2] & 0x03) << 6) | ((buffer[3] & 0x3f)));
++	  break;
++	default:
++	  /* URG.  */
++	  break;
++	}
++
++      if (unicode_display == unicode_highlight && isatty (1))
++	printf ("\033[0m"); /* Default colour.  */
++      break;
++
++    case unicode_hex:
++      putchar ('<');
++      printf ("0x");
++      for (j = 0; j < utf8_len; j++)
++	printf ("%02x", buffer [j]);
++      putchar ('>');
++      break;
++
++    case unicode_locale:
++      printf ("%.1s", buffer);
++      break;
++    }
++
++  return utf8_len;
++}
++
++/* Display strings in BUFFER.  Treat any UTF-8 encoded characters encountered
++   according to the setting of the unicode_display variable.  The buffer
++   contains BUFLEN bytes.
++
++   Display the characters as if they started at ADDRESS and are contained in
++   FILENAME.  */
++
++static void
++print_unicode_buffer (const char *            filename,
++		      file_ptr                address,
++		      const unsigned char *   buffer,
++		      unsigned long           buflen)
++{
++  /* Paranoia checks...  */
++  if (filename == NULL
++      || buffer == NULL
++      || unicode_display == unicode_default
++      || encoding != 'S'
++      || encoding_bytes != 1)
++    {
++      fprintf (stderr, "ICE: bad arguments to print_unicode_buffer\n");
++      return;
++    }
++
++  if (buflen == 0)
++    return;
++
++  /* We must only display strings that are at least string_min *characters*
++     long.  So we scan the buffer in two stages.  First we locate the start
++     of a potential string.  Then we walk along it until we have found
++     string_min characters.  Then we go back to the start point and start
++     displaying characters according to the unicode_display setting.  */
++
++  unsigned long start_point = 0;
++  unsigned long i = 0;
++  unsigned int char_len = 1;
++  unsigned int num_found = 0;
++
++  for (i = 0; i < buflen; i += char_len)
++    {
++      int c = buffer[i];
++
++      char_len = 1;
++
++      /* Find the first potential character of a string.  */
++      if (! STRING_ISGRAPHIC (c))
++	{
++	  num_found = 0;
++	  continue;
++	}
++
++      if (c > 126)
++	{
++	  if (c < 0xc0)
++	    {
++	      num_found = 0;
++	      continue;
++	    }
++
++	  if ((char_len = is_valid_utf8 (buffer + i, buflen - i)) == 0)
++	    {
++	      char_len = 1;
++	      num_found = 0;
++	      continue;
++	    }
++
++	  if (unicode_display == unicode_invalid)
++	    {
++	      /* We have found a valid UTF-8 character, but we treat it as non-graphic.  */
++	      num_found = 0;
++	      continue;
++	    }
++	}
++
++      if (num_found == 0)
++	/* We have found a potential starting point for a string.  */
++	start_point = i;
++
++      ++ num_found;
++
++      if (num_found >= string_min)
++	break;
++    }
++
++  if (num_found < string_min)
++    return;
++
++  print_filename_and_address (filename, address + start_point);
++
++  /* We have found string_min characters.  Display them and any
++     more that follow.  */
++  for (i = start_point; i < buflen; i += char_len)
++    {
++      int c = buffer[i];
++
++      char_len = 1;
++
++      if (! STRING_ISGRAPHIC (c))
++	break;
++      else if (c < 127)
++	putchar (c);
++      else if (! is_valid_utf8 (buffer + i, buflen - i))
++	break;
++      else if (unicode_display == unicode_invalid)
++	break;
++      else
++	char_len = display_utf8_char (buffer + i);
++    }
++
++  if (output_separator)
++    fputs (output_separator, stdout);
++  else
++    putchar ('\n');
++
++  /* FIXME: Using tail recursion here is lazy programming...  */
++  print_unicode_buffer (filename, address + i, buffer + i, buflen - i);
++}
++
++static int
++get_unicode_byte (FILE *          stream,
++		  unsigned char * putback,
++		  unsigned int *  num_putback,
++		  unsigned int *  num_read)
++{
++  if (* num_putback > 0)
++    {
++      * num_putback = * num_putback - 1;
++      return putback [* num_putback];
++    }
++
++  * num_read = * num_read + 1;
++
++#if defined(HAVE_GETC_UNLOCKED) && HAVE_DECL_GETC_UNLOCKED
++  return getc_unlocked (stream);
++#else
++  return getc (stream);
++#endif
++}
++
++/* Helper function for print_unicode_stream.  */
++
++static void
++print_unicode_stream_body (const char *     filename,
++			   file_ptr         address,
++			   FILE *           stream,
++			   unsigned char *  putback_buf,
++			   unsigned int     num_putback,
++			   unsigned char *  print_buf)
++{
++  /* It would be nice if we could just read the stream into a buffer
++     and then process if with print_unicode_buffer.  But the input
++     might be huge or it might time-locked (eg stdin).  So instead
++     we go one byte at a time...  */
++
++  file_ptr start_point   = 0;
++  unsigned int num_read  = 0;
++  unsigned int num_chars = 0;
++  unsigned int num_print = 0;
++  int c;
++
++  /* Find a series of string_min characters.  Put them into print_buf.  */
++  do
++    {
++      if (num_chars >= string_min)
++	break;
++
++      c = get_unicode_byte (stream, putback_buf, & num_putback, & num_read);
++      if (c == EOF)
++	break;
++
++      if (! STRING_ISGRAPHIC (c))
++	{
++	  num_chars = num_print = 0;
++	  continue;
++	}
++
++      if (num_chars == 0)
++	start_point = num_read - 1;
++
++      if (c < 127)
++	{
++	  print_buf[num_print] = c;
++	  num_chars ++;
++	  num_print ++;
++	  continue;
++	}
++
++      if (c < 0xc0)
++	{
++	  num_chars = num_print = 0;
++	  continue;
++	}
++
++      /* We *might* have a UTF-8 sequence.  Time to start peeking.  */
++      char utf8[4];
++
++      utf8[0] = c;
++      c = get_unicode_byte (stream, putback_buf, & num_putback, & num_read);
++      if (c == EOF)
++	break;
++      utf8[1] = c;
++
++      if ((utf8[1] & 0xc0) != 0x80)
++	{
++	  /* Invalid UTF-8.  */
++	  putback_buf[num_putback++] = utf8[1];
++	  num_chars = num_print = 0;
++	  continue;
++	}
++      else if ((utf8[0] & 0x20) == 0)
++	{
++	  /* A valid 2-byte UTF-8 encoding.  */
++	  if (unicode_display == unicode_invalid)
++	    {
++	      putback_buf[num_putback++] = utf8[1];
++	      num_chars = num_print = 0;
++	    }
++	  else
++	    {
++	      print_buf[num_print ++] = utf8[0];
++	      print_buf[num_print ++] = utf8[1];
++	      num_chars ++;
++	    }
++	  continue;
++	}
++
++      c = get_unicode_byte (stream, putback_buf, & num_putback, & num_read);
++      if (c == EOF)
++	break;
++      utf8[2] = c;
++
++      if ((utf8[2] & 0xc0) != 0x80)
++	{
++	  /* Invalid UTF-8.  */
++	  putback_buf[num_putback++] = utf8[2];
++	  putback_buf[num_putback++] = utf8[1];
++	  num_chars = num_print = 0;
++	  continue;
++	}
++      else if ((utf8[0] & 0x10) == 0)
++	{
++	  /* A valid 3-byte UTF-8 encoding.  */
++	  if (unicode_display == unicode_invalid)
++	    {
++	      putback_buf[num_putback++] = utf8[2];
++	      putback_buf[num_putback++] = utf8[1];
++	      num_chars = num_print = 0;
++	    }
++	  else
++	    {
++	      print_buf[num_print ++] = utf8[0];
++	      print_buf[num_print ++] = utf8[1];
++	      print_buf[num_print ++] = utf8[2];
++	      num_chars ++;
++	    }
++	  continue;
++	}
++
++      c = get_unicode_byte (stream, putback_buf, & num_putback, & num_read);
++      if (c == EOF)
++	break;
++      utf8[3] = c;
++
++      if ((utf8[3] & 0xc0) != 0x80)
++	{
++	  /* Invalid UTF-8.  */
++	  putback_buf[num_putback++] = utf8[3];
++	  putback_buf[num_putback++] = utf8[2];
++	  putback_buf[num_putback++] = utf8[1];
++	  num_chars = num_print = 0;
++	}
++      /* We have a valid 4-byte UTF-8 encoding.  */
++      else if (unicode_display == unicode_invalid)
++	{
++	  putback_buf[num_putback++] = utf8[3];
++	  putback_buf[num_putback++] = utf8[1];
++	  putback_buf[num_putback++] = utf8[2];
++	  num_chars = num_print = 0;
++	}
++      else
++	{
++	  print_buf[num_print ++] = utf8[0];
++	  print_buf[num_print ++] = utf8[1];
++	  print_buf[num_print ++] = utf8[2];
++	  print_buf[num_print ++] = utf8[3];
++	  num_chars ++;
++	}
++    }
++  while (1);
++
++  if (num_chars >= string_min)
++    {
++      /* We know that we have string_min valid characters in print_buf,
++	 and there may be more to come in the stream.  Start displaying
++	 them.  */
++
++      print_filename_and_address (filename, address + start_point);
++
++      unsigned int i;
++      for (i = 0; i < num_print;)
++	{
++	  if (print_buf[i] < 127)
++	    putchar (print_buf[i++]);
++	  else
++	    i += display_utf8_char (print_buf + i);
++	}
++
++      /* OK so now we have to start read unchecked bytes.  */
++
++      /* Find a series of string_min characters.  Put them into print_buf.  */
++      do
++	{
++	  c = get_unicode_byte (stream, putback_buf, & num_putback, & num_read);
++	  if (c == EOF)
++	    break;
++
++	  if (! STRING_ISGRAPHIC (c))
++	    break;
++
++	  if (c < 127)
++	    {
++	      putchar (c);
++	      continue;
++	    }
++
++	  if (c < 0xc0)
++	    break;
++
++	  /* We *might* have a UTF-8 sequence.  Time to start peeking.  */
++	  unsigned char utf8[4];
++
++	  utf8[0] = c;
++	  c = get_unicode_byte (stream, putback_buf, & num_putback, & num_read);
++	  if (c == EOF)
++	    break;
++	  utf8[1] = c;
++
++	  if ((utf8[1] & 0xc0) != 0x80)
++	    {
++	      /* Invalid UTF-8.  */
++	      putback_buf[num_putback++] = utf8[1];
++	      break;
++	    }
++	  else if ((utf8[0] & 0x20) == 0)
++	    {
++	      /* Valid 2-byte UTF-8.  */
++	      if (unicode_display == unicode_invalid)
++		{
++		  putback_buf[num_putback++] = utf8[1];
++		  break;
++		}
++	      else
++		{
++		  (void) display_utf8_char (utf8);
++		  continue;
++		}
++	    }
++
++	  c = get_unicode_byte (stream, putback_buf, & num_putback, & num_read);
++	  if (c == EOF)
++	    break;
++	  utf8[2] = c;
++
++	  if ((utf8[2] & 0xc0) != 0x80)
++	    {
++	      /* Invalid UTF-8.  */
++	      putback_buf[num_putback++] = utf8[2];
++	      putback_buf[num_putback++] = utf8[1];
++	      break;
++	    }
++	  else if ((utf8[0] & 0x10) == 0)
++	    {
++	      /* Valid 3-byte UTF-8.  */
++	      if (unicode_display == unicode_invalid)
++		{
++		  putback_buf[num_putback++] = utf8[2];
++		  putback_buf[num_putback++] = utf8[1];
++		  break;
++		}
++	      else
++		{
++		  (void) display_utf8_char (utf8);
++		  continue;
++		}
++	    }
++
++	  c = get_unicode_byte (stream, putback_buf, & num_putback, & num_read);
++	  if (c == EOF)
++	    break;
++	  utf8[3] = c;
++
++	  if ((utf8[3] & 0xc0) != 0x80)
++	    {
++	      /* Invalid UTF-8.  */
++	      putback_buf[num_putback++] = utf8[3]