diff --git a/poky/meta/classes/archiver.bbclass b/poky/meta/classes/archiver.bbclass
index 31c9b7e..d68add9 100644
--- a/poky/meta/classes/archiver.bbclass
+++ b/poky/meta/classes/archiver.bbclass
@@ -267,6 +267,14 @@
         create_tarball(d, srcdir, 'configured', ar_outdir)
 }
 
+def exclude_useless_paths(tarinfo):
+    if tarinfo.isdir():
+        if tarinfo.name.endswith('/temp') or tarinfo.name.endswith('/patches') or tarinfo.name.endswith('/.pc'):
+            return None
+        elif tarinfo.name == 'temp' or tarinfo.name == 'patches' or tarinfo.name == '.pc':
+            return None
+    return tarinfo
+
 def create_tarball(d, srcdir, suffix, ar_outdir):
     """
     create the tarball from srcdir
@@ -291,7 +299,7 @@
 
     bb.note('Creating %s' % tarname)
     tar = tarfile.open(tarname, 'w:gz')
-    tar.add(srcdir, arcname=os.path.basename(srcdir))
+    tar.add(srcdir, arcname=os.path.basename(srcdir), filter=exclude_useless_paths)
     tar.close()
 
 # creating .diff.gz between source.orig and source
diff --git a/poky/meta/classes/base.bbclass b/poky/meta/classes/base.bbclass
index abb4ead..2a6a6cb 100644
--- a/poky/meta/classes/base.bbclass
+++ b/poky/meta/classes/base.bbclass
@@ -303,7 +303,9 @@
 			if [ "${CLEANBROKEN}" != "1" -a \( -e Makefile -o -e makefile -o -e GNUmakefile \) ]; then
 				oe_runmake clean
 			fi
-			find ${B} -ignore_readdir_race -name \*.la -delete
+			# -ignore_readdir_race does not work correctly with -delete;
+			# use xargs to avoid spurious build failures
+			find ${B} -ignore_readdir_race -name \*.la -type f -print0 | xargs -0 rm -f
 		fi
 	fi
 	if [ -n "${CONFIGURESTAMPFILE}" ]; then
diff --git a/poky/meta/classes/crosssdk.bbclass b/poky/meta/classes/crosssdk.bbclass
index ddb98d2..03b0c60 100644
--- a/poky/meta/classes/crosssdk.bbclass
+++ b/poky/meta/classes/crosssdk.bbclass
@@ -21,10 +21,10 @@
 TARGET_CC_ARCH = "${SDK_CC_ARCH}"
 TARGET_LD_ARCH = "${SDK_LD_ARCH}"
 TARGET_AS_ARCH = "${SDK_AS_ARCH}"
-TARGET_CPPFLAGS = "${BUILD_CPPFLAGS}"
-TARGET_CFLAGS = "${BUILD_CFLAGS}"
-TARGET_CXXFLAGS = "${BUILD_CXXFLAGS}"
-TARGET_LDFLAGS = "${BUILD_LDFLAGS}"
+TARGET_CPPFLAGS = ""
+TARGET_CFLAGS = ""
+TARGET_CXXFLAGS = ""
+TARGET_LDFLAGS = ""
 TARGET_FPU = ""
 
 
diff --git a/poky/meta/files/common-licenses/FreeType b/poky/meta/files/common-licenses/FreeType
index b7d4d11..3666649 100644
--- a/poky/meta/files/common-licenses/FreeType
+++ b/poky/meta/files/common-licenses/FreeType
@@ -48,7 +48,7 @@
   encourage you to use the following text:
 
    """  
-    Portions of this software are copyright � <year> The FreeType
+    Portions of this software are copyright © <year> The FreeType
     Project (www.freetype.org).  All rights reserved.
    """
 
@@ -163,7 +163,7 @@
 
   Our home page can be found at
 
-    http://www.freetype.org
+    https://www.freetype.org
 
 
 --- end of FTL.TXT ---
diff --git a/poky/meta/lib/oeqa/selftest/cases/recipetool.py b/poky/meta/lib/oeqa/selftest/cases/recipetool.py
index 754ea94..437eb2a 100644
--- a/poky/meta/lib/oeqa/selftest/cases/recipetool.py
+++ b/poky/meta/lib/oeqa/selftest/cases/recipetool.py
@@ -431,12 +431,12 @@
         temprecipe = os.path.join(self.tempdir, 'recipe')
         os.makedirs(temprecipe)
         recipefile = os.path.join(temprecipe, 'navit_0.5.0.bb')
-        srcuri = 'http://downloads.sourceforge.net/project/navit/v0.5.0/navit-0.5.0.tar.gz'
+        srcuri = 'http://downloads.yoctoproject.org/mirror/sources/navit-0.5.0.tar.gz'
         result = runCmd('recipetool create -o %s %s' % (temprecipe, srcuri))
         self.assertTrue(os.path.isfile(recipefile))
         checkvars = {}
         checkvars['LICENSE'] = set(['Unknown', 'GPLv2', 'LGPLv2'])
-        checkvars['SRC_URI'] = 'http://downloads.sourceforge.net/project/navit/v${PV}/navit-${PV}.tar.gz'
+        checkvars['SRC_URI'] = 'http://downloads.yoctoproject.org/mirror/sources/navit-${PV}.tar.gz'
         checkvars['SRC_URI[md5sum]'] = '242f398e979a6b8c0f3c802b63435b68'
         checkvars['SRC_URI[sha256sum]'] = '13353481d7fc01a4f64e385dda460b51496366bba0fd2cc85a89a0747910e94d'
         checkvars['DEPENDS'] = set(['freetype', 'zlib', 'openssl', 'glib-2.0', 'virtual/libgl', 'virtual/egl', 'gtk+', 'libpng', 'libsdl', 'freeglut', 'dbus-glib'])
diff --git a/poky/meta/lib/oeqa/selftest/cases/wic.py b/poky/meta/lib/oeqa/selftest/cases/wic.py
index b84466d..baf3af6 100644
--- a/poky/meta/lib/oeqa/selftest/cases/wic.py
+++ b/poky/meta/lib/oeqa/selftest/cases/wic.py
@@ -64,13 +64,13 @@
 class Wic(OESelftestTestCase):
     """Wic test class."""
 
-    resultdir = "/var/tmp/wic.oe-selftest/"
     image_is_ready = False
     native_sysroot = None
     wicenv_cache = {}
 
     def setUpLocal(self):
         """This code is executed before each test method."""
+        self.resultdir = self.builddir + "/wic-tmp/"
         super(Wic, self).setUpLocal()
         if not self.native_sysroot:
             Wic.native_sysroot = get_bb_var('STAGING_DIR_NATIVE', 'wic-tools')
@@ -191,7 +191,7 @@
                  'MACHINE_FEATURES_append = " efi"\n'\
                  'DEPENDS_pn-core-image-minimal += "syslinux"\n'
         self.append_config(config)
-        bitbake('core-image-minimal')
+        bitbake('core-image-minimal core-image-minimal-initramfs')
         self.remove_config(config)
         cmd = "wic create mkhybridiso --image-name core-image-minimal -o %s" % self.resultdir
         self.assertEqual(0, runCmd(cmd).status)
@@ -691,9 +691,7 @@
 
         # verify partition size with wic
         res = runCmd("parted -m %s unit mib p 2>/dev/null" % wicimg,
-                     ignore_status=True,
                      native_sysroot=self.native_sysroot)
-        self.assertEqual(0, res.status)
 
         # parse parted output which looks like this:
         # BYT;\n
diff --git a/poky/meta/recipes-connectivity/dhcp/dhcp.inc b/poky/meta/recipes-connectivity/dhcp/dhcp.inc
index e943707..44e946c 100644
--- a/poky/meta/recipes-connectivity/dhcp/dhcp.inc
+++ b/poky/meta/recipes-connectivity/dhcp/dhcp.inc
@@ -10,7 +10,7 @@
 LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=4;md5=c5c64d696107f84b56fe337d14da1753"
 
-DEPENDS = "openssl bind"
+DEPENDS = "openssl"
 
 SRC_URI = "http://ftp.isc.org/isc/dhcp/${PV}/dhcp-${PV}.tar.gz \
            file://init-relay file://default-relay \
@@ -48,7 +48,6 @@
                 --with-srv6-lease-file=${localstatedir}/lib/dhcp/dhcpd6.leases \
                 --with-cli-lease-file=${localstatedir}/lib/dhcp/dhclient.leases \
                 --with-cli6-lease-file=${localstatedir}/lib/dhcp/dhclient6.leases \
-                --with-libbind=${STAGING_LIBDIR}/ \
                 --enable-paranoia --disable-static \
                 --with-randomdev=/dev/random \
                "
diff --git a/poky/meta/recipes-connectivity/dhcp/dhcp/0008-tweak-to-support-external-bind.patch b/poky/meta/recipes-connectivity/dhcp/dhcp/0008-tweak-to-support-external-bind.patch
index 006d18a..a20b5f9 100644
--- a/poky/meta/recipes-connectivity/dhcp/dhcp/0008-tweak-to-support-external-bind.patch
+++ b/poky/meta/recipes-connectivity/dhcp/dhcp/0008-tweak-to-support-external-bind.patch
@@ -20,10 +20,10 @@
  server/tests/Makefile.am | 2 +-
  8 files changed, 8 insertions(+), 8 deletions(-)
 
-diff --git a/client/Makefile.am b/client/Makefile.am
-index 4730bb3..84d8131 100644
---- a/client/Makefile.am
-+++ b/client/Makefile.am
+Index: dhcp-4.3.6/client/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/client/Makefile.am
++++ dhcp-4.3.6/client/Makefile.am
 @@ -4,7 +4,7 @@
  # production code. Sadly, we are not there yet.
  SUBDIRS = . tests
@@ -33,10 +33,10 @@
  
  AM_CPPFLAGS = -DCLIENT_PATH='"PATH=$(sbindir):/sbin:/bin:/usr/sbin:/usr/bin"' \
  	      -DLOCALSTATEDIR='"$(localstatedir)"' -I$(top_srcdir)/includes
-diff --git a/client/tests/Makefile.am b/client/tests/Makefile.am
-index 5031d0c..a8dfd26 100644
---- a/client/tests/Makefile.am
-+++ b/client/tests/Makefile.am
+Index: dhcp-4.3.6/client/tests/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/client/tests/Makefile.am
++++ dhcp-4.3.6/client/tests/Makefile.am
 @@ -1,6 +1,6 @@
  SUBDIRS = .
  
@@ -45,10 +45,10 @@
  
  AM_CPPFLAGS = $(ATF_CFLAGS) -DUNIT_TEST -I$(top_srcdir)/includes
  AM_CPPFLAGS += -I@BINDDIR@/include -I$(top_srcdir)
-diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am
-index f6a43e4..2f98d22 100644
---- a/common/tests/Makefile.am
-+++ b/common/tests/Makefile.am
+Index: dhcp-4.3.6/common/tests/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/common/tests/Makefile.am
++++ dhcp-4.3.6/common/tests/Makefile.am
 @@ -1,6 +1,6 @@
  SUBDIRS = .
  
@@ -57,40 +57,40 @@
  
  AM_CPPFLAGS = $(ATF_CFLAGS) -I$(top_srcdir)/includes
  
-diff --git a/dhcpctl/Makefile.am b/dhcpctl/Makefile.am
-index ba8dd8b..9b2486e 100644
---- a/dhcpctl/Makefile.am
-+++ b/dhcpctl/Makefile.am
+Index: dhcp-4.3.6/dhcpctl/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/dhcpctl/Makefile.am
++++ dhcp-4.3.6/dhcpctl/Makefile.am
 @@ -1,4 +1,4 @@
 -BINDLIBDIR = @BINDDIR@/lib
 +BINDLIBDIR = @BINDDIR@
  
  AM_CPPFLAGS = -I$(top_srcdir)/includes -I$(top_srcdir)
  
-diff --git a/omapip/Makefile.am b/omapip/Makefile.am
-index dd1afa0..e4a8599 100644
---- a/omapip/Makefile.am
-+++ b/omapip/Makefile.am
+Index: dhcp-4.3.6/omapip/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/omapip/Makefile.am
++++ dhcp-4.3.6/omapip/Makefile.am
 @@ -1,4 +1,4 @@
 -BINDLIBDIR = @BINDDIR@/lib
 +BINDLIBDIR = @BINDDIR@
  AM_CPPFLAGS = -I$(top_srcdir)/includes
  
- lib_LIBRARIES = libomapi.a
-diff --git a/relay/Makefile.am b/relay/Makefile.am
-index 6d652f6..b3bf578 100644
---- a/relay/Makefile.am
-+++ b/relay/Makefile.am
+ lib_LTLIBRARIES = libomapi.la
+Index: dhcp-4.3.6/relay/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/relay/Makefile.am
++++ dhcp-4.3.6/relay/Makefile.am
 @@ -1,4 +1,4 @@
 -BINDLIBDIR = @BINDDIR@/lib
 +BINDLIBDIR = @BINDDIR@
  
  AM_CPPFLAGS = -DLOCALSTATEDIR='"@localstatedir@"' -I$(top_srcdir)/includes
  
-diff --git a/server/Makefile.am b/server/Makefile.am
-index 3990b9c..b5d8c2d 100644
---- a/server/Makefile.am
-+++ b/server/Makefile.am
+Index: dhcp-4.3.6/server/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/server/Makefile.am
++++ dhcp-4.3.6/server/Makefile.am
 @@ -4,7 +4,7 @@
  # production code. Sadly, we are not there yet.
  SUBDIRS = . tests
@@ -100,10 +100,10 @@
  
  AM_CPPFLAGS = -I$(top_srcdir) -DLOCALSTATEDIR='"@localstatedir@"' -I$(top_srcdir)/includes
  
-diff --git a/server/tests/Makefile.am b/server/tests/Makefile.am
-index a87c5e7..9821081 100644
---- a/server/tests/Makefile.am
-+++ b/server/tests/Makefile.am
+Index: dhcp-4.3.6/server/tests/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/server/tests/Makefile.am
++++ dhcp-4.3.6/server/tests/Makefile.am
 @@ -1,6 +1,6 @@
  SUBDIRS = .
  
@@ -112,6 +112,3 @@
  
  AM_CPPFLAGS = $(ATF_CFLAGS) -DUNIT_TEST -I$(top_srcdir)/includes
  AM_CPPFLAGS += -I@BINDDIR@/include -I$(top_srcdir)
--- 
-1.8.3.1
-
diff --git a/poky/meta/recipes-connectivity/dhcp/dhcp/0010-build-shared-libs.patch b/poky/meta/recipes-connectivity/dhcp/dhcp/0010-build-shared-libs.patch
index f128731..898b1fc 100644
--- a/poky/meta/recipes-connectivity/dhcp/dhcp/0010-build-shared-libs.patch
+++ b/poky/meta/recipes-connectivity/dhcp/dhcp/0010-build-shared-libs.patch
@@ -23,11 +23,11 @@
  server/tests/Makefile.am |  7 +++----
  8 files changed, 26 insertions(+), 43 deletions(-)
 
-diff --git a/client/Makefile.am b/client/Makefile.am
-index 84d8131..e776bf0 100644
---- a/client/Makefile.am
-+++ b/client/Makefile.am
-@@ -15,7 +15,7 @@ dhclient_SOURCES = $(srcdir)/clparse.c $(srcdir)/dhclient.c $(srcdir)/dhc6.c \
+Index: dhcp-4.3.6/client/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/client/Makefile.am
++++ dhcp-4.3.6/client/Makefile.am
+@@ -15,7 +15,7 @@ dhclient_SOURCES = $(srcdir)/clparse.c $
  		   scripts/bsdos scripts/freebsd scripts/linux scripts/macos \
  		   scripts/netbsd scripts/nextstep scripts/openbsd \
  		   scripts/solaris scripts/openwrt
@@ -37,11 +37,11 @@
 +		  -L$(BINDLIBDIR) -lirs -ldns -lisccfg -lisc
  man_MANS = dhclient.8 dhclient-script.8 dhclient.conf.5 dhclient.leases.5
  EXTRA_DIST = $(man_MANS)
-diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am
-index 2f98d22..8745e88 100644
---- a/common/tests/Makefile.am
-+++ b/common/tests/Makefile.am
-@@ -15,26 +15,23 @@ ATF_TESTS += alloc_unittest dns_unittest misc_unittest ns_name_unittest
+Index: dhcp-4.3.6/common/tests/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/common/tests/Makefile.am
++++ dhcp-4.3.6/common/tests/Makefile.am
+@@ -15,26 +15,23 @@ ATF_TESTS += alloc_unittest dns_unittest
  alloc_unittest_SOURCES = test_alloc.c $(top_srcdir)/tests/t_api_dhcp.c
  alloc_unittest_LDADD = $(ATF_LDFLAGS)
  alloc_unittest_LDADD += ../libdhcp.a  \
@@ -73,11 +73,11 @@
  
  check: $(ATF_TESTS)
  	@if test $(top_srcdir) != ${top_builddir}; then \
-diff --git a/configure.ac b/configure.ac
-index 8e9f509..bfe988a 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -47,16 +47,8 @@ AM_CONDITIONAL(CROSS_COMPILING, test "$cross_compiling" = "yes")
+Index: dhcp-4.3.6/configure.ac
+===================================================================
+--- dhcp-4.3.6.orig/configure.ac
++++ dhcp-4.3.6/configure.ac
+@@ -47,16 +47,8 @@ AM_CONDITIONAL(CROSS_COMPILING, test "$c
  # Use this to define _GNU_SOURCE to pull in the IPv6 Advanced Socket API.
  AC_USE_SYSTEM_EXTENSIONS
  
@@ -96,11 +96,11 @@
  
  AC_CONFIG_HEADERS([includes/config.h])
  
-diff --git a/dhcpctl/Makefile.am b/dhcpctl/Makefile.am
-index 9b2486e..784cdf7 100644
---- a/dhcpctl/Makefile.am
-+++ b/dhcpctl/Makefile.am
-@@ -3,19 +3,17 @@ BINDLIBDIR = @BINDDIR@
+Index: dhcp-4.3.6/dhcpctl/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/dhcpctl/Makefile.am
++++ dhcp-4.3.6/dhcpctl/Makefile.am
+@@ -3,19 +3,17 @@ BINDLIBDIR = @BINDDIR@/lib
  AM_CPPFLAGS = -I$(top_srcdir)/includes -I$(top_srcdir)
  
  bin_PROGRAMS = omshell
@@ -126,12 +126,12 @@
 -               $(BINDLIBDIR)/libisccfg.a $(BINDLIBDIR)/libisc.a
 +cltest_LDADD = libdhcpctl.la ../common/libdhcp.a ../omapip/libomapi.la \
 +	       -L$(BINDLIBDIR) -lirs -ldns -lisccfg -lisc
-diff --git a/omapip/Makefile.am b/omapip/Makefile.am
-index e4a8599..c0c7a1e 100644
---- a/omapip/Makefile.am
-+++ b/omapip/Makefile.am
+Index: dhcp-4.3.6/omapip/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/omapip/Makefile.am
++++ dhcp-4.3.6/omapip/Makefile.am
 @@ -1,10 +1,10 @@
- BINDLIBDIR = @BINDDIR@
+ BINDLIBDIR = @BINDDIR@/lib
  AM_CPPFLAGS = -I$(top_srcdir)/includes
  
 -lib_LIBRARIES = libomapi.a
@@ -151,11 +151,11 @@
 -		$(BINDLIBDIR)/libisccfg.a $(BINDLIBDIR)/libisc.a
 +svtest_LDADD = libomapi.la -L$(BINDLIBDIR) -lirs -ldns -lisccfg -lisc
  
-diff --git a/relay/Makefile.am b/relay/Makefile.am
-index b3bf578..f47009f 100644
---- a/relay/Makefile.am
-+++ b/relay/Makefile.am
-@@ -4,9 +4,8 @@ AM_CPPFLAGS = -DLOCALSTATEDIR='"@localstatedir@"' -I$(top_srcdir)/includes
+Index: dhcp-4.3.6/relay/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/relay/Makefile.am
++++ dhcp-4.3.6/relay/Makefile.am
+@@ -4,9 +4,8 @@ AM_CPPFLAGS = -DLOCALSTATEDIR='"@localst
  
  sbin_PROGRAMS = dhcrelay
  dhcrelay_SOURCES = dhcrelay.c
@@ -167,11 +167,11 @@
  man_MANS = dhcrelay.8
  EXTRA_DIST = $(man_MANS)
  
-diff --git a/server/Makefile.am b/server/Makefile.am
-index b5d8c2d..d7f876d 100644
---- a/server/Makefile.am
-+++ b/server/Makefile.am
-@@ -15,10 +15,9 @@ dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c confpars.c db.c class.c failover.c \
+Index: dhcp-4.3.6/server/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/server/Makefile.am
++++ dhcp-4.3.6/server/Makefile.am
+@@ -15,10 +15,9 @@ dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c c
  		dhcpv6.c mdb6.c ldap.c ldap_casa.c leasechain.c ldap_krb_helper.c
  
  dhcpd_CFLAGS = $(LDAP_CFLAGS)
@@ -185,11 +185,11 @@
  
  man_MANS = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5
  EXTRA_DIST = $(man_MANS)
-diff --git a/server/tests/Makefile.am b/server/tests/Makefile.am
-index 9821081..de95872 100644
---- a/server/tests/Makefile.am
-+++ b/server/tests/Makefile.am
-@@ -19,10 +19,9 @@ DHCPSRC = ../dhcp.c ../bootp.c ../confpars.c ../db.c ../class.c      \
+Index: dhcp-4.3.6/server/tests/Makefile.am
+===================================================================
+--- dhcp-4.3.6.orig/server/tests/Makefile.am
++++ dhcp-4.3.6/server/tests/Makefile.am
+@@ -19,10 +19,9 @@ DHCPSRC = ../dhcp.c ../bootp.c ../confpa
            ../ddns.c ../dhcpleasequery.c ../dhcpv6.c ../mdb6.c        \
            ../ldap.c ../ldap_casa.c ../dhcpd.c ../leasechain.c
  
@@ -203,6 +203,3 @@
  
  ATF_TESTS =
  if HAVE_ATF
--- 
-1.8.3.1
-
diff --git a/poky/meta/recipes-connectivity/dhcp/dhcp_4.3.6.bb b/poky/meta/recipes-connectivity/dhcp/dhcp_4.3.6.bb
index cc13549..8b30579 100644
--- a/poky/meta/recipes-connectivity/dhcp/dhcp_4.3.6.bb
+++ b/poky/meta/recipes-connectivity/dhcp/dhcp_4.3.6.bb
@@ -7,7 +7,6 @@
             file://0005-dhcp-client-fix-invoke-dhclient-script-failed-on-Rea.patch \
             file://0006-site.h-enable-gentle-shutdown.patch \
             file://0007-Add-configure-argument-to-make-the-libxml2-dependenc.patch \
-            file://0008-tweak-to-support-external-bind.patch \
             file://0009-remove-dhclient-script-bash-dependency.patch \
             file://0010-build-shared-libs.patch \
             file://0011-Moved-the-call-to-isc_app_ctxstart-to-not-get-signal.patch \
@@ -15,8 +14,22 @@
             file://CVE-2017-3144.patch \
            "
 
+# use internal libisc libraries which are based on bind 9.9.11 - there
+# is a bug in bind 9.10.x (normally supplied by OE) that prevents
+# dhcpd/dhclient from shutting down cleanly on sigterm and from running
+# in the background
+#
+# [https://bugzilla.yoctoproject.org/show_bug.cgi?id=12744]
+#
+# remove "ext-bind" and
+# also set PARALLEL_MAKE = "" 
+# [ Yocto 12744 ]
+#
+SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'ext-bind', 'file://0008-tweak-to-support-external-bind.patch', '', d)}"
+
 SRC_URI[md5sum] = "afa6e9b3eb7539ea048421a82c668adc"
 SRC_URI[sha256sum] = "a41eaf6364f1377fe065d35671d9cf82bbbc8f21207819b2b9f33f652aec6f1b"
 
-PACKAGECONFIG ?= ""
+PACKAGECONFIG ?= "ext-bind"
 PACKAGECONFIG[bind-httpstats] = "--with-libxml2,--without-libxml2,libxml2"
+PACKAGECONFIG[ext-bind] = "--with-libbind=${STAGING_LIBDIR}, --without-libbind, bind"
diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index 1e78f4f..6cb679a 100644
--- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -77,7 +77,7 @@
 	echo "# export ALL_PROXY=https://proxy.example.com:8080" >> ${IMAGE_ROOTFS}/home/builder/.bashrc
 	echo "# export ALL_PROXY=socks://socks.example.com:1080" >> ${IMAGE_ROOTFS}/home/builder/.bashrc
 
-	chown -R builder.builder ${IMAGE_ROOTFS}/home/builder/poky
+	chown -R builder:builder ${IMAGE_ROOTFS}/home/builder/poky
 	chmod -R ug+rw ${IMAGE_ROOTFS}/home/builder/poky
 
 	# Assume we will need CDROM to install guest additions
@@ -105,8 +105,8 @@
 	   pip3_install_params="${pip3_install_params} --proxy ${http_proxy}"
 	fi
 	pip3 install ${pip3_install_params}
-	chown -R builder.builder ${IMAGE_ROOTFS}/home/builder/.local
-	chown -R builder.builder ${IMAGE_ROOTFS}/home/builder/.cache
+	chown -R builder:builder ${IMAGE_ROOTFS}/home/builder/.local
+	chown -R builder:builder ${IMAGE_ROOTFS}/home/builder/.cache
 }
 
 IMAGE_PREPROCESS_COMMAND += "do_populate_poky_src; "
diff --git a/poky/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh b/poky/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh
index 35316ec..3cf3243 100755
--- a/poky/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh
+++ b/poky/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh
@@ -37,7 +37,7 @@
 	}
 	EXEC="
 	${EXEC}
-	chown ${TUSER}.${TGROUP} $1 || echo \"Failed to set owner -${TUSER}- for -$1-.\" >/dev/tty0 2>&1;
+	chown ${TUSER}:${TGROUP} $1 || echo \"Failed to set owner -${TUSER}- for -$1-.\" >/dev/tty0 2>&1;
 	chmod ${TMODE} $1 || echo \"Failed to set mode -${TMODE}- for -$1-.\" >/dev/tty0 2>&1 "
 
 	test "$VOLATILE_ENABLE_CACHE" = yes && echo "$EXEC" >> /etc/volatile.cache.build
@@ -60,7 +60,7 @@
 mk_dir() {
 	EXEC="
 	mkdir -p \"$1\";
-	chown ${TUSER}.${TGROUP} $1 || echo \"Failed to set owner -${TUSER}- for -$1-.\" >/dev/tty0 2>&1;
+	chown ${TUSER}:${TGROUP} $1 || echo \"Failed to set owner -${TUSER}- for -$1-.\" >/dev/tty0 2>&1;
 	chmod ${TMODE} $1 || echo \"Failed to set mode -${TMODE}- for -$1-.\" >/dev/tty0 2>&1 "
 
 	test "$VOLATILE_ENABLE_CACHE" = yes && echo "$EXEC" >> /etc/volatile.cache.build
diff --git a/poky/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb b/poky/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
index ad65819..89b1b69 100644
--- a/poky/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
+++ b/poky/meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb
@@ -104,6 +104,6 @@
 	install -d ${D}${sysconfdir}/default/volatiles
 	install -m 0644 ${WORKDIR}/01_bootlogd ${D}${sysconfdir}/default/volatiles
 
-	chown root.shutdown ${D}${base_sbindir}/halt ${D}${base_sbindir}/shutdown
+	chown root:shutdown ${D}${base_sbindir}/halt ${D}${base_sbindir}/shutdown
 	chmod o-x,u+s ${D}${base_sbindir}/halt ${D}${base_sbindir}/shutdown
 }
diff --git a/poky/meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch b/poky/meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch
new file mode 100644
index 0000000..cc9e2c1
--- /dev/null
+++ b/poky/meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch
@@ -0,0 +1,39 @@
+Upstream-Status: Backport [https://sourceforge.net/p/infozip/bugs/53/]
+CVE: CVE-2018-18384
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+--- unzip60/list.c	
++++ unzip60/list.c	
+@@ -97,7 +97,7 @@ int list_files(__G)    /* return PK-type
+ {
+     int do_this_file=FALSE, cfactor, error, error_in_archive=PK_COOL;
+ #ifndef WINDLL
+-    char sgn, cfactorstr[10];
++    char sgn, cfactorstr[1+10+1+1];	/* <sgn><int>%NUL */
+     int longhdr=(uO.vflag>1);
+ #endif
+     int date_format;
+@@ -389,9 +389,9 @@ int list_files(__G)    /* return PK-type
+             }
+ #else /* !WINDLL */
+             if (cfactor == 100)
+-                sprintf(cfactorstr, LoadFarString(CompFactor100));
++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
+             else
+-                sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
++                snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
+             if (longhdr)
+                 Info(slide, 0, ((char *)slide, LoadFarString(LongHdrStats),
+                   FmZofft(G.crec.ucsize, "8", "u"), methbuf,
+@@ -471,9 +471,9 @@ int list_files(__G)    /* return PK-type
+ 
+ #else /* !WINDLL */
+         if (cfactor == 100)
+-            sprintf(cfactorstr, LoadFarString(CompFactor100));
++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactor100));
+         else
+-            sprintf(cfactorstr, LoadFarString(CompFactorStr), sgn, cfactor);
++            snprintf(cfactorstr, sizeof(cfactorstr), LoadFarString(CompFactorStr), sgn, cfactor);
+         if (longhdr) {
+             Info(slide, 0, ((char *)slide, LoadFarString(LongFileTrailer),
+               FmZofft(tot_ucsize, "8", "u"), FmZofft(tot_csize, "8", "u"),
diff --git a/poky/meta/recipes-extended/unzip/unzip_6.0.bb b/poky/meta/recipes-extended/unzip/unzip_6.0.bb
index a47491e..f6a4cb6 100644
--- a/poky/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/poky/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -21,6 +21,7 @@
 	file://19-cve-2016-9844-zipinfo-buffer-overflow.patch \
 	file://symlink.patch \
 	file://0001-unzip-fix-CVE-2018-1000035.patch \
+	file://CVE-2018-18384.patch \
 "
 UPSTREAM_VERSION_UNKNOWN = "1"
 
diff --git a/poky/meta/recipes-graphics/xorg-lib/pixman_0.34.0.bb b/poky/meta/recipes-graphics/xorg-lib/pixman_0.34.0.bb
index c4ca621..c290fa4 100644
--- a/poky/meta/recipes-graphics/xorg-lib/pixman_0.34.0.bb
+++ b/poky/meta/recipes-graphics/xorg-lib/pixman_0.34.0.bb
@@ -12,7 +12,7 @@
 
 LICENSE = "MIT & MIT-style & PD"
 LIC_FILES_CHKSUM = "file://COPYING;md5=14096c769ae0cbb5fcb94ec468be11b3 \
-                    file://pixman/pixman-matrix.c;endline=25;md5=ba6e8769bfaaee2c41698755af04c4be \
+                    file://pixman/pixman-matrix.c;endline=21;md5=4a018dff3e4e25302724c88ff95c2456 \
                     file://pixman/pixman-arm-neon-asm.h;endline=24;md5=9a9cc1e51abbf1da58f4d9528ec9d49b \
                    "
 DEPENDS += "zlib libpng"
diff --git a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
index 12d71cb..0c90f8d 100644
--- a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
+++ b/poky/meta/recipes-support/apr/apr-util_1.6.1.bb
@@ -7,7 +7,7 @@
 
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=158aa0b1efe0c12f23d4b007ddb9a5db \
-                    file://include/apu_version.h;endline=17;md5=806685a84e71f10c80144c48eb35df42"
+                    file://include/apu_version.h;endline=15;md5=823b3d1a7225df8f7b68a69c3c2b4c71"
 
 SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \
            file://configfix.patch \
diff --git a/poky/meta/recipes-support/apr/apr_1.6.3.bb b/poky/meta/recipes-support/apr/apr_1.6.3.bb
index 87b8787..7563a38 100644
--- a/poky/meta/recipes-support/apr/apr_1.6.3.bb
+++ b/poky/meta/recipes-support/apr/apr_1.6.3.bb
@@ -5,7 +5,7 @@
 
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=4dfd4cd216828c8cae5de5a12f3844c8 \
-                    file://include/apr_lib.h;endline=17;md5=ee42fa7575dc40580a9e01c1b75fae96"
+                    file://include/apr_lib.h;endline=15;md5=823b3d1a7225df8f7b68a69c3c2b4c71"
 
 BBCLASSEXTEND = "native nativesdk"
 
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2018-16839.patch b/poky/meta/recipes-support/curl/curl/CVE-2018-16839.patch
new file mode 100644
index 0000000..bf972d2
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/CVE-2018-16839.patch
@@ -0,0 +1,35 @@
+From 55b90532f9190dce40a325b3312d014c66dc3ae1 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 1 Nov 2018 15:27:35 +0800
+Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check
+
+CVE-2018-16839
+Reported-by: Harry Sintonen
+Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit
+/f3a24d7916b9173c69a3e0ee790102993833d6c5?diff=unified]
+
+CVE: CVE-2018-16839
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ lib/vauth/cleartext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
+index 5d61ce6..1367143 100644
+--- a/lib/vauth/cleartext.c
++++ b/lib/vauth/cleartext.c
+@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
+   plen = strlen(passwdp);
+ 
+   /* Compute binary message length. Check for overflows. */
+-  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
++  if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+     return CURLE_OUT_OF_MEMORY;
+   plainlen = 2 * ulen + plen + 2;
+ 
+-- 
+2.7.4
+
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2018-16840.patch b/poky/meta/recipes-support/curl/curl/CVE-2018-16840.patch
new file mode 100644
index 0000000..3d086c4
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/CVE-2018-16840.patch
@@ -0,0 +1,43 @@
+From 3c2846bec008e03d456e181d9ab55686da83f140 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 1 Nov 2018 15:33:35 +0800
+Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid
+ use-after-free
+
+Regression from b46cfbc (7.59.0)
+CVE-2018-16840
+Reported-by: Brian Carpenter (Geeknik Labs)
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/
+81d135d67155c5295b1033679c606165d4e28f3f]
+
+CVE: CVE-2018-16840
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ lib/url.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 27b2c1e..7ef7c20 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -320,10 +320,12 @@ CURLcode Curl_close(struct Curl_easy *data)
+        and detach this handle from there. */
+     curl_multi_remove_handle(data->multi, data);
+ 
+-  if(data->multi_easy)
++  if(data->multi_easy) {
+     /* when curl_easy_perform() is used, it creates its own multi handle to
+        use and this is the one */
+     curl_multi_cleanup(data->multi_easy);
++    data->multi_easy = NULL;
++  }
+ 
+   /* Destroy the timeout list that is held in the easy handle. It is
+      /normally/ done by curl_multi_remove_handle() but this is "just in
+-- 
+2.7.4
+
diff --git a/poky/meta/recipes-support/curl/curl/CVE-2018-16842.patch b/poky/meta/recipes-support/curl/curl/CVE-2018-16842.patch
new file mode 100644
index 0000000..82e7557
--- /dev/null
+++ b/poky/meta/recipes-support/curl/curl/CVE-2018-16842.patch
@@ -0,0 +1,35 @@
+From 0e4a6058b130f07cfa52fde8a3cb6f2abfe4c700 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 1 Nov 2018 15:30:56 +0800
+Subject: [PATCH] voutf: fix bad arethmetic when outputting warnings to stderr
+
+CVE-2018-16842
+Reported-by: Brian Carpenter
+Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit
+/d530e92f59ae9bb2d47066c3c460b25d2ffeb211]
+
+CVE: CVE-2018-16842
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/tool_msgs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tool_msgs.c b/src/tool_msgs.c
+index 9cce806..05bec39 100644
+--- a/src/tool_msgs.c
++++ b/src/tool_msgs.c
+@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config,
+         (void)fwrite(ptr, cut + 1, 1, config->errors);
+         fputs("\n", config->errors);
+         ptr += cut + 1; /* skip the space too */
+-        len -= cut;
++        len -= cut + 1;
+       }
+       else {
+         fputs(ptr, config->errors);
+-- 
+2.7.4
+
diff --git a/poky/meta/recipes-support/curl/curl_7.61.0.bb b/poky/meta/recipes-support/curl/curl_7.61.0.bb
index 31d5d9b..2078379 100644
--- a/poky/meta/recipes-support/curl/curl_7.61.0.bb
+++ b/poky/meta/recipes-support/curl/curl_7.61.0.bb
@@ -8,6 +8,9 @@
 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://0001-replace-krb5-config-with-pkg-config.patch \
            file://CVE-2018-14618.patch \
+           file://CVE-2018-16839.patch \
+           file://CVE-2018-16840.patch \
+           file://CVE-2018-16842.patch \
 "
 
 SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a"
diff --git a/poky/meta/recipes-support/gnupg/gnupg/relocate.patch b/poky/meta/recipes-support/gnupg/gnupg/relocate.patch
new file mode 100644
index 0000000..87ec409
--- /dev/null
+++ b/poky/meta/recipes-support/gnupg/gnupg/relocate.patch
@@ -0,0 +1,81 @@
+Allow the environment to override where gnupg looks for its own files. Useful in native builds.
+
+Upstream-Status: Inappropriate [OE-specific]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/common/homedir.c b/common/homedir.c
+index e9e75d01e..19140aa0d 100644
+--- a/common/homedir.c
++++ b/common/homedir.c
+@@ -760,7 +760,7 @@ gnupg_socketdir (void)
+   if (!name)
+     {
+       unsigned int dummy;
+-      name = _gnupg_socketdir_internal (0, &dummy);
++      name = getenv("GNUPG_SOCKETDIR") ?: _gnupg_socketdir_internal (0, &dummy);
+     }
+ 
+   return name;
+@@ -786,7 +786,7 @@ gnupg_sysconfdir (void)
+     }
+   return name;
+ #else /*!HAVE_W32_SYSTEM*/
+-  return GNUPG_SYSCONFDIR;
++  return getenv("GNUPG_SYSCONFDIR") ?: GNUPG_SYSCONFDIR;
+ #endif /*!HAVE_W32_SYSTEM*/
+ }
+ 
+@@ -815,7 +815,7 @@ gnupg_bindir (void)
+   else
+     return rdir;
+ #else /*!HAVE_W32_SYSTEM*/
+-  return GNUPG_BINDIR;
++  return getenv("GNUPG_BINDIR") ?: GNUPG_BINDIR;
+ #endif /*!HAVE_W32_SYSTEM*/
+ }
+ 
+@@ -828,7 +828,7 @@ gnupg_libexecdir (void)
+ #ifdef HAVE_W32_SYSTEM
+   return gnupg_bindir ();
+ #else /*!HAVE_W32_SYSTEM*/
+-  return GNUPG_LIBEXECDIR;
++  return getenv("GNUPG_LIBEXECDIR") ?: GNUPG_LIBEXECDIR;
+ #endif /*!HAVE_W32_SYSTEM*/
+ }
+ 
+@@ -842,7 +842,7 @@ gnupg_libdir (void)
+     name = xstrconcat (w32_rootdir (), DIRSEP_S "lib" DIRSEP_S "gnupg", NULL);
+   return name;
+ #else /*!HAVE_W32_SYSTEM*/
+-  return GNUPG_LIBDIR;
++  return getenv("GNUPG_LIBDIR") ?: GNUPG_LIBDIR;
+ #endif /*!HAVE_W32_SYSTEM*/
+ }
+ 
+@@ -856,7 +856,7 @@ gnupg_datadir (void)
+     name = xstrconcat (w32_rootdir (), DIRSEP_S "share" DIRSEP_S "gnupg", NULL);
+   return name;
+ #else /*!HAVE_W32_SYSTEM*/
+-  return GNUPG_DATADIR;
++  return getenv("GNUPG_DATADIR") ?: GNUPG_DATADIR;
+ #endif /*!HAVE_W32_SYSTEM*/
+ }
+ 
+@@ -872,7 +872,7 @@ gnupg_localedir (void)
+                        NULL);
+   return name;
+ #else /*!HAVE_W32_SYSTEM*/
+-  return LOCALEDIR;
++  return getenv("LOCALEDIR") ?: LOCALEDIR;
+ #endif /*!HAVE_W32_SYSTEM*/
+ }
+ 
+@@ -940,7 +940,7 @@ gnupg_cachedir (void)
+     }
+   return dir;
+ #else /*!HAVE_W32_SYSTEM*/
+-  return GNUPG_LOCALSTATEDIR "/cache/" PACKAGE_NAME;
++  return getenv("GNUPG_LOCALSTATEDIR") ?: GNUPG_LOCALSTATEDIR "/cache/" PACKAGE_NAME;
+ #endif /*!HAVE_W32_SYSTEM*/
+ }
+ 
diff --git a/poky/meta/recipes-support/gnupg/gnupg_2.2.4.bb b/poky/meta/recipes-support/gnupg/gnupg_2.2.4.bb
index d777fcb..5a3688a 100644
--- a/poky/meta/recipes-support/gnupg/gnupg_2.2.4.bb
+++ b/poky/meta/recipes-support/gnupg/gnupg_2.2.4.bb
@@ -17,7 +17,8 @@
            file://CVE-2018-12020.patch \
            file://CVE-2018-9234.patch \
           "
-SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch"
+SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
+                                file://relocate.patch"
 
 
 SRC_URI[md5sum] = "709e5af5bba84d251c520222e720972f"
@@ -45,6 +46,10 @@
 	ln -sf gpgv2 ${D}${bindir}/gpgv
 }
 
+do_install_append_class-native() {
+	create_wrapper ${D}${bindir}/gpg2 GNUPG_BINDIR=${STAGING_BINDIR_NATIVE}
+}
+
 PACKAGECONFIG ??= "gnutls"
 PACKAGECONFIG[gnutls] = "--enable-gnutls, --disable-gnutls, gnutls"
 PACKAGECONFIG[sqlite3] = "--enable-sqlite, --disable-sqlite, sqlite3"