Squashed 'yocto-poky/' changes from 7b86c77..c8a4ed9

b1f23d1 build-appliance-image: Update to jethro head revision
7fe17a2 qemu: Security fix CVE-2016-2198
50700a7 qemu: Security fix CVE-2016-2197
1f0e615 libgcrypt: Security fix CVE-2015-7511
dc5f155 uclibc: Security fix CVE-2016-2225
ef13511 uclibc: Security fix CVE-2016-2224
ae57ea0 libbsd: Security fix CVE-2016-2090
eb9666a glibc: Security fix CVE-2015-7547
5b12268 build-appliance-image: Update to jethro head revision
a3a374a curl: Secuirty fix CVE-2016-0755
f4341a9 curl: Security fix CVE-2016-0754
35f4306 nettle: Security fix CVE-2015-8804
3e8a07b nettle: Security fix CVE-2015-8803 and CVE-2015-8805
5ffc326 socat: Security fix CVE-2016-2217
5cc5f99 libpng: Security fix CVE-2015-8472
21a816c libpng: Security fix CVE-2015-8126
6a0fbfa foomatic-filters: Security fixes CVE-2015-8327
d57aaf7 foomatic-filters: Security fix CVE-2015-8560
941874a build-appliance-image: Update to jethro head revision
d74a3cb cross-localedef-native: add ABI breaking glibc patch
12fae23 build-appliance-image: Update to jethro head revision
67ac9d6 e2fsprogs: Ensure we use the right mke2fs.conf when restoring from sstate
5812fc9 build-appliance-image: Update to jethro head revision
3de2492 ref-manual: Updated host package install requirements CentOS
79de8cf toaster-manual: Updated the "Installation" to have TOASTER_DIR information
a23d262 toaster-manual: Updated instructions for production setup.
b6def81 linux-yocto: Update SRCREV for genericx86* for 4.1, fixes CVE-2016-0728
db0f8ac linux-yocto: Update SRCREV for genericx86* for 3.19, fixes CVE-2016-0728
c8122a0 linux-yocto: Update SRCREV for genericx86* for 3.14, fixes CVE-2016-0728
cdeb241 meta-yocto-bsp: Remove uvesafb (v86d) from generic x86 features
52cd219 yocto-bsp: Set SRCREV meta/machine revisions to AUTOREV
a88d6cb yocto-bsp: Set KTYPE to user selected base branch
4e74b36 yocto-bsp: Avoid duplication of user patches ({{=machine}}-user-patches.scc)
6680773 yocto-bsp: Default kernel version to 4.1 on x86_64
4c075e7 piglit: don't use /tmp to write generated sources to
ee52ac6 gen-lockedsig-cache: fix bad destination path joining
e9f95df linux-yocto: Update SRCREV for qemux86* for 4.1, fixes CVE-2016-0728
e63bab1 linux-yocto: Update SRCREV for qemux86* for 3.19, fixes CVE-2016-0728
64a4920 linux-yocto: Update SRCREV for qemux86* for 3.14, fixes CVE-2016-0728
5b043da libpng12: update URL that no longer exists
655c8a5 libpng: update URL that no longer exists
96fda8c busybox: fix build of last applet
ae037d9 ghostscript: add dependency for pnglibconf.h
26eb877 gcr: Require x11 DISTRO_FEATURE
e632cdb uClibc: enable utmp for shadow compatibility
e8c9613 git: Security fix CVE-2015-7545
108ea6d glibc-locale: fix QA warning
9a88c1d grub: Security fix CVE-2015-8370
443b09a gdk-pixbuf: Security fix CVE-2015-7674
6c91068 librsvg: Security fix CVE-2015-7558
9fd2349 bind: Security fix CVE-2015-8461
5a40d9f bind: Security fix CVE-2015-8000
1bbf183 libxml2: Security fix CVE-2015-8710
2ec6d1d libxml2: Security fix CVE-2015-8241
55aafb5 dpkg: Security fix CVE-2015-0860
029948b tzdata: update to 2016a
2bcf141 tzcode: update to 2016a
cc3a391 kernel-yocto: fix checkout bare-cloned kernel repositories
049be17 libpcre: bug fixes include security
5e94ac7 qemu: Security fix CVE-2015-7295
7ee1828 qemu: Security fix CVE-2016-1568
ca6ec2e qemu: Security fix CVE-2015-8345
b55a677 qemu: Security fix CVE-2015-7512
4922f47 qemu: Security fix CVE-2015-7504
3ec0e95 qemu: Security fix CVE-2015-8504
942ce53 openssl: Security fix CVE-2016-0701
ce8ae1c openssl: Security fix CVE-2015-3197
080e027 tiff: Security fix CVE-2015-8784
c6ae9c1 tiff: Security fix CVE-2015-8781
049b7db bind: CVE-2015-8704 and CVE-2015-8705
d632a92 rpmresolve.c: Fix unfreed pointers that keep DB opened
5b993ed openssh: CVE-2016-1907
27ee5b4 glibc: CVE-2015-8776
a4134af glibc: CVE-2015-9761
e10ec6f glibc: CVE-2015-8779
a5a965d glibc: CVE-2015-8777.patch
2fb7ee2 bitbake: toaster: make runbuilds loop
b9ad87b nativesdk-buildtools-perl-dummy: Bump PR
0a1c63a nativesdk-buildtools-perl-dummy: properly set PACKAGE_ARCH
d4b400e nativesdk-buildtools-perl-dummy: fix rebuilding when SDKMACHINE changes
8c8c4ed Revert "gstreamer1.0-plugins-good.inc: add gudev back to PACKAGECONFIG"
b832202 Revert "gstreamer: Deal with merge conflict which breaks systemd builds"
dd0ba9e build-appliance-image: Update to jethro head revision
325d205 gstreamer: Deal with merge conflict which breaks systemd builds
53b114b build-appliance-image: Update to jethro head revision
02be35d poky.conf: Bump version for 2.0.1 jethro release
f5551f8 ref-manual: Updated the list of supported image types.
aa179ae dev-manual: Added three new wic option descriptions.
20007c8 dev-manual: Added the --overhead-factor wic option description.
2dd7f46 dev-manual: Added the --extra-space wic option description.
81cc737 dev-manual: Added wic --notable option description.
2b1dce5 dev-manual:
a6f5293 kernel/kernel-arch: Explicitly mapping between i386/x86_64 and x86 for kernel ARCH
e79a538 openssh: update to 7.1p2
b171076 devtool: reset: do clean for multiple recipes at once with -a
255115f devtool: sdk-update: fix error checking
3f69105 devtool: sdk-update: fix metadata update step
5ba94af devtool: sdk-update: fix not using updateserver config file option
d03d145 classes/populate_sdk_ext: disable signature warnings
00ff950 classes/populate_sdk_ext: fix cascading from preparation failure
22446c6 scripts/oe-publish-sdk: add missing call to git update-server-info
8597a61 devtool: use cp instead of shutil.copytree
95cc641 buildhistory: fix not recording SDK information
84d48ac recipetool: create: fix error when extracting source to a specified directory
4369329 recipetool: create: detect when specified URL returns a web page
4c3191f recipetool: create: prevent attempting to unpack entire DL_DIR
caca77e recipetool: create: fix do_install handling for makefile-only software
383159e recipetool: create: avoid traceback on fetch error
be40baa recipetool: create: handle https://....git URLs
a897bfd devtool: sdk-update: fix traceback without update server set
9c4b61e classes/populate_sdk_ext: error out of install if buildtools install fails
4c07dd2 gstreamer1.0-plugins-good.inc: add gudev back to PACKAGECONFIG
83b72d8 linux-yocto: Update Genericx86* BSP to 4.1.15 kernel
44639bd libaio: don't disable linking to the system libraries
a0be9bd linux-yocto/4.1: update to v4.1.15
53f0290 libxml2: security fix CVE-2015-5312
f4b0c49 libxml2: security fix CVE-2015-8242
fb409c9 libxml2: security fix CVE-2015-7500
55d097a libxml2: security fix CVE-2015-7499
8e6b2d6 libxml2: security fix CVE-2015-7497
332eb1d libxml2: security fix CVE-2015-7498
cbc4e83 libxml2: security fix CVE-2015-8035
c4b71e1 libxml2: security fix CVE-2015-7942
fdea03d libxml2: security fix CVE-2015-8317
6fc1109 libxml2: security fix CVE-2015-7941
9eb4ce0 openssl: fix for CVE-2015-3195
6880f82 openssl: fix for CVE-2015-3194
7dcaa84 openssl: fix for CVE-2015-3193
435139b logrotate: do not move binary logrotate to /usr/bin
5f49c0a cairo: fix license for cairo-script-interpreter
a29ec81 glibc: Fix ld.so / prelink interface for ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA
b1e980f gcc: Update default Power GCC settings to use secure-plt
ed82690 prelink: Fix various prelink issues on IA32, ARM, and MIPS.
9a620da autotools: Allow recipe-individual configure scripts
f828071 toolchain-scripts.bbclass: unset command_not_found_handle
49858bd devtool: upgrade: fetch remote repository before checking out new revision
d213452 devtool: upgrade: remove erroneous error when not renaming recipe
fec97f6 devtool: upgrade: fix updating PV and SRCREV
3b4f659 devtool: upgrade: fix removing other recipes from workspace on reset
61a7de0 devtool: include do_patch in SRCTREECOVEREDTASKS
82c0072 toolchain-shar-extract.sh: do not allow $ in paths for ext SDK
f181e72 scripts/gen-lockedsig-cache: improve output
4b5d4ca toolchain-shar-extract.sh: proper fix for additional env setup scripts
d2ea8f1 toolchain-shar-relocate: don't assume last state of env_setup_script is good
02ef437 populate_sdk_ext.bbclass: Be more permissive on the name of the buildtools
3653b17 classes/populate_sdk_ext: fail if SDK_ARCH != BUILD_ARCH
8879571 classes/populate_sdk_ext: tweak reporting of workspace exclusion
eeda3c6 classes/populate_sdk_ext: make it clear when SDK installation has failed
dee9fbe classes/populate_sdk_ext: tidy up preparation log file writing
d001d46 classes/license: fix intermittent license collection warning
777451c classes/metadata_scm: fix git errors showing up on non-git repositories
cb0ca72 oeqa/selftest/layerappend: fix test if build directory is not inside COREBASE
8970ad6 oeqa/selftest/devtool: fix test if build directory is not inside COREBASE
4f7fdd0 classes/distrodata: split SRC_URI properly before determining type
3b7df55 uninative.bbclass: Choose the correct loader based on BUILD_ARCH
f3d7c3f openssl: sanity check that the bignum module is present
96b1b5c glibc: Backported a patch to fix glibc's bug(18589)
7aecb57 directfb.inc: force bfd linker for armv7a
75ca2c8 texinfo: don't create dependency on INHERIT variable
02c7b3f package_manager.py: define info_dir and status_file when OPKGLIBDIR isn't the default
003c94f libsdl2: require GLES when building Wayland support
ad6db01 gst-plugins-bad: add PACKAGECONFIGs for voamrwbenc, voaacenc, resindvd
f0d87fe gstreamer1.0-plugins-good: fix PACKAGECONFIG for gudev and add one for v4l2 and libv4l2
35f34a6 gstreamer1.0-plugins-bad: fix dependencies for uvch264 PACKAGECONFIG
3b77e20 gstreamer1.0-plugins-{base,good}: update PACKAGECONFIGs
e2d4412 libunwind: fix build for qemuarm
ef69078 guile, mailx, gcc, opensp, gstreamer1.0-libav, libunwind: disable thumb where it fails for qemuarm
4700e40 icu: force arm mode
743ee04 libxcb: Add a workaround for gcc5 bug on mips
8a3deca bitbake: fetch: use orig localpath when calling orig method
0073b23 yocto-bsp: Typo on the file extension
71dbbcd bsp-guide: Updated the license statement.
41f1026 dev-manual: Correction to the KVM stuff in the runqemu commands.
38e3c6e mega-manual: Added four new figures for GUI example.
b99ec28 poky.ent: Fixed POKYVERSION variable.
c670dc7 yocto-project-qs, ref-manual, poky.ent: CentOS Package updates
b968190 dev-manual: Updated runqemu command options list
1278753 toaster-manual: Removed SDKMACHINE from the json file example.
7b25b70 ref-manual: Updated list of supported distros.
d9423fb ref-manual: Updated the GCC 5 migration section for 2.0
347347a bitbake: lib/bb/utils: improve edit_bblayers_conf() handling of bblayers.conf formatting
5935783 bitbake: lib/bb/utils: fix error in edit_metadata() when deleting first line
7fdad70 rpcbind: Security Advisory - rpcbind - CVE-2015-7236
0cb2fa5 subversion: fix CVE-2015-3187
5b52e9b subversion: fix CVE-2015-3184
59bdde4 linux-firmware: rtl8192cx: Add latest available firmware
8ad2bcc init-install-efi: fix script for gummiboot loader
c3087bd init-install-efi: fix script for eMMC installation
d2bf9fb pulseaudio: Fix HDMI profile selection
0556c58 allarch: Force TARGET_*FLAGS variable values
e683dac libsndfile: fix CVE-2014-9756
092757e libxslt: CVE-2015-7995
dab5555 unzip: rename patch to reflect CVE fix
1753d4a readline: rename patch to contain CVE reference
9dd3422 libarchive: rename patch to reflect CVE
1401976 binutils: Fix octeon3 disassembly patch
a54a0db opkg: add cache filename length fixes
fc45dea build-appliance-image: Update to jethro head revision
e14498b meta-yocto/distro: Updated SANITY_TESTED_DISTROS.
01bba74 meta-yocto/distro: Updated SANITY_TESTED_DISTROS.
e1aa897 build-appliance-image: Update to jethro head revision
96cab33 unzip: CVE-2015-7696, CVE-2015-7697
1b2a942 vte: fix DoS from malicious escape sequence (CVE-2012-2738)
370a291 build-appliance-image: Update to jethro head revision
00911c9 linux-yocto_4.1: Update SRCREV for genericx86*
c86957a glibc: Allow 64 bit atomics for x86
b02c5f6 local.conf.sample: Disable image-prelink by default
1630dbb ref-manual: Applied a correction to the GCC 5 migration 2.0 section.
37677d6 ref-manual: Updated ADT Installer Extras
a79e303 kernel-dev: Added cross-reference to .config information
e03b19b ref-manual: Applied review updates to 2.0 migration section.
a0791c1 bitbake: toasterui: Create per-build logs
290534d bitbake: build/utils: Add BB_TASK_IONICE_LEVEL support
3ebf761 bitbake: cooker: Ensure BB_CONSOLE remains correct over server resets
5b19b71 bitbake: bb/ui: Use getSetVariable command for BB_CONSOLELOG
acc7b4d bitbake: command: Add getSetVariable command
c8051c5 bitbake: bitbake-user-manual: Added new description for BB_TASK_IONICE_LEVEL
183290a bitbake: bitbake-user-manual: Added BBTARGETS variable description.
66d3c35 bitbake: toaster: templates Add meaningful title tags
5724b2a perl: Remove errornous extra path-specs for Module::Build based modules
884cf7a perl: Correct path for vendorlib, vendorarch, sitelib and sitearch
2d0c499 perl: fix Perl5 module builds
24cfcc4 runqemu-export-rootfs: update location of unfsd binary
da386d3 gtk-icon-cache: pass the native libdir to the intercept
63a0311 connman: Move wired-setup to ${datadir}
1c3c76d useradd-staticids.bbclass: Do not require trailing colons
8a0d8ee toaster manual: Updated the set up and use chapter
f19b52c ref-manual: Updates to the 1.8 to 2.0 Migration section.
b73da6b toaster-manual: Added new Toaster functionality descriptions.
947e156 ref-manual: Updated the rootfs*.bbclass description.
62e200e bitbake: toaster: orm Fix restrictive LogMessage message length
78f935d bitbake: toaster: Remove all navigation when not in build mode
c5f147b bitbake: toaster: Run tests in build mode
1d17109 bitbake: toaster: Hide builds for non-cli projects in analysis mode
a580479 bitbake: toaster: Hide top bar buttons in analysis mode
1ec2ec3 bitbake: toaster: Show mode-appropriate landing page
bbac0f0 bitbake: toaster: Add BUILD_MODE flag to context
851f0d8 bitbake: toaster: add get_or_create_targets API
dcd9cd0 bitbake: fetcher: svn: Add support for checkout to a custom path
4ab7202 bitbake: cooker: preserve pre and post configs
fdfdfc8 oeqa/utils/decorators: fix missing keyword arguments on decorators
a2d5b7a classes/gtk-icon-cache: don't pass STAGING_LIBDIR_NATIVE to intercepts
5171329 intercepts/update_icon_cache: use STAGING_DIR_NATIVE from environment
d18d902 lib/oe/rootfs: tell intercepts where the native sysroot is
9336e1f subversion: add explicit dependency on file-replacement-native for native builds
19358d0 rpm: add explicit dependency on file-replacement-native for native builds
698c3de file: don't replace host file when built natively
83a2bde sanity: check that the host has file installed
43c46e9 bitbake: add file-native to ASSUME_PROVIDED
2925cd9 Revert "runqemu-export-rootfs: update location of unfsd binary"
d023d99 populate_sdk_base: Ensure PKGDATA_DIR exists
9b956c4 Perl: Use CC version not $Config(gccversion)
0f75740 wic/utils/oe/misc.py: Preserve PATH when running native tools
273bcb4 mtools_4.0.18.bb: Use create_wrapper() for mcopy
031d464 scripts/oe-pkgdata-util: Fix variable name in error handling
d8d4ce7 Add 850 codepage to uninative-tarball
c1d5e89 e2fsprogs: backport a patch to fix filetype for hardlink
426a9b7 oeqa/selftest: Added testcase decorators.
835525c runqemu-ifup: Check if the tap interface is set up correctly
b13c0be qemurunner: Show the output of runqemu script
9846275 runqemu-internal: Enable support for use virtio devices.
304c956 linux-yocto{, -rt}: Enable support for virtio drivers in qemu machines.
eebcbe1 runqemu: Enable support for kvm without vhost in x86 and x86_64
135d094 prserv.bbclass: remove it since it is null
c509c78 initscripts/sysfs.sh: Mount devtmpfs on /dev/ if needed
022f8cc image-mklibs.bbclass: update i586 TARGET_ARCH test to i*86
d492a70 base.bbclass: considering multilib when setting LICENSE_EXCLUSION
54b7471 gcc-target.inc: Add support for executable thats may have a suffix
0d69a171 cairo: backport fix for compatibility with OpenGL ES 2.0
64b5e3e mesa-demos: fix deadlock in sharedtex_mt
dc8495f bzip2: fix bunzip2 -qt returns 0 for corrupt archives
5bf1430 gnome-desktop: add xkeyboard-config dependency
48443cc gtk+3: Do not try to initialize GL without libgl
59fdbae classes/insane: rename invalid-pkgconfig QA check to invalid-packageconfig
73e1d33 uclibc: Implement syncfs and AT_EMPTY_PATH for all and O_PATH for arm
2e4575d systemd: Fix build with uclibc
40911f4 libtirpc: Fix a bug exposed by uclibc
d90d3e8 libpam: Fix build with uclibc
32c8625 coreutils: Do not use host paths in getloadavg.m4
20b7d87 coreutils-6.9: Add missing dependency on virtual/libiconv
8bb6436 uclibc: Fix build with gcc5
e5e8fce libtirpc: Refresh uclibc patches
fd66dd1 rpcbind: Fix build with uclibc
369c536 scripts/oe-publish-sdk: create directory before making git repo
8a555fe rootfs.py: add more info to the warning message
787253f package signing: automatically export public keys
579e254 package_manager: fail if signed feeds are enabled for ipk or dpkg
835e755 Add new bbclass for package feed signing
822844d sign_rpm.bbclass: make RPM_GPG_NAME a mandatory setting
48d60fc sign_rpm.bbclass: be more verbose in case of error
dbb9af6 package_manager: support GPG_PATH variable
b682fca sign_rpm.bbclass: introduce GPG_PATH variable
8ccbc26 apr: remove conflict with ccache
5e42593 linux-yocto: nf_tables: Add nf_tables feature
1c2fdd9 linux-yocto/3.19: fix ARM boot with gcc5.x
3bab714 linux-yocto: skip kernel meta data branches when finding machine branch
1561d0d kern-tools: avoid duplicate .scc file processing
47dcee2 linux-yocto/4.1: drm/i915: Fix the VBT child device parsing for BSW
380f2c6 linux-yocto: axxia configuration updates
505a826 build-appliance-image: Update to jethro head revision
7d30d67 ref-manual: Updated the allarch class description.
a8674ae ref-manual: Updated the MACHINE_ESSENTIAL_EXTRA_RRECOMMENDS variable
e7c8c79 ref-manual: Added the 1.8 to 2.0 migration section.
cd48ccc dev-manual: Added notes to clarify use of pkg-config
dc9e4cb ref-manual: Added correct class name as part of pkgconfig description
5bc8fa6 ref-manual: Fixed typo in 1.6 migration section for BitBake
2fe3809 ref-manual, dev-manual: Applied feedback to edit several classes
359b7fb ref-manual: Added three PACKAGE_FEED_* variable descriptions
2f4e90c toaster-manual: Updated the json file example bits to be current
66653cb ref-manual: Updated the image-swab.bbclass description
d66cf20 toaster-manual: New section on PREFERRED_VERSION
4b9daa8 ref-manual: Added many new class descriptions.
ae0d508 toaster-manual: Added note for creating virtual environment
98d7d24 toaster-manual: Updates to example toasterconf.json file
b263a3e dev-manual: Added CentOS packages to enable runtime tests on QEMU
9abc72c adt-manual: Fixed PMS typo
2e7d650 ref-manual: Updates to clarify Fetcher URL directory parameters
7facee6 toaster-manual: Updated the section for setting up virtual env.
10970a6 dev-manual: Added package requirements for runtime QEMU testing
acacf6b ref-manual: Added linuxloader.bbclass reference description.
8fc90a7 Makefile: Updated the make file to not create toaster-manual pdf
0889848 dev-manual: Updated devtool build --help example
1944d28 documentation: Updated files to support 2.0 release.
8d2a6f0 toaster-manual: Removed "dizzy" and replaced with "jethro"
3bff581 ref-manual: Added descriptions for 5 new variables and 2 tasks.
a87268e dev-manual: Updated the Marking Packages information.
1c7f462 ref-manual: Added oe-seltest package requirements sections.
3d82046 adt-manual: Updated the build toolchain section with more detail.
54b4aff adt-manual: Updated some hard-coded distro values
196210f dev-manual: Updated the multilib example.
3930f04 ref-manual: Updated the EXCLUDE_FROM_SHLIBS description
0d1c86b ref-manual: Updated EXCLUDE_FROM_SHLIBS description.
eea7521 ref-manual: Updated distrodata.bbclass example
2eaf843 ref-manual: Added new description for PACKAGE_EXCLUDE_COMPLEMENTARY
97298fb dev-manual: Fixed typo in path for wic plugins
05d8101 ref-manual: Added new EXCLUDE_FROM_SHLIB variable
316d432 ref-manual: Added new variable description for SKIP_FILEDEPS
a1b25e6 yocto-project-qs, ref-manual: Replaced "yum" with "dnf"
d284fba ref-manual: Added cross-reference phrase to some variables
5a226f7 dev-manual: Changed multilib example
6ca549f dev-manual: Added note about building out Autotools projects
92b26ad archiver.bbclass: Fixes and improves archiver class for kernel and gcc packages
2d00803 oeqa/selftest: improve config writing and cleanup
1881564 oeqa/selftest/wic: remove numbers from test names
2ac34d2 oeqa/selftest: clean up selftest.inc in teardown
a66ed33 oeqa/selftest/wic: fix cleaning
b67b1a4 oeqa/selftest/wic: corrected testcase decorator for test18_iso_image
e191120 oeqa/selftest: verify that devtool can use plugins in other layers
b8a9728 oeqa/selftest/buildoptions: Use the correct script for cleaning the workdir
94decbc oeqa/selftest/bbtests: Updated bitbake TCs
322c324 oeqa/selftest/bbtests: clean up local DL_DIR/SSTATE_DIR safely
cf311a7 oeqa/utils/ftools: From functions that expect data, check if None
900639c oeqa/utils/ftools: Ignore the exception if file does not exist
2e91cbd oeqa/selftest/manifest.py: Test support for manifests
c9bef34 useradd_base.bbclass: Do not warn without a reason
accb59e qemu: disable Valgrind
ac1bc7d i2c-tools: fix inverted RDEPENDS
35c043b rpm: remove spurious build dependencies
41cbfd7 gcc-5.2: Fix various _FOR_BUILD and related variables
a27da70 sudo: fix file permission for /etc/pam.d/sudo
abeaed9 openssh: fix file permission for /etc/pam.d/sshd
96a5cfd sanity.bbclass: expand warning when chmod fails
409e6e0 populate SDK: prepare calling of bb.utils for exceptions
db55d31 devtool: handle virtual providers
8578bc1 libc-package: Fix localedef multilib dependency issues
0942aff toolchain-shar-extract.sh: print full-length title underline
9630fc1 classes/populate_sdk_ext: detect and warn if running in OE environment
254ff38 classes/populate_sdk_ext: add note to env setup script
9a81ba7 classes/populate_sdk_ext: prevent image construction from executing on install
ec5ec35 classes/populate_sdk_ext: consistent indentation
b8f7042 oeqa/runtime: Fix setUp and tearDown methods
3327401 oetest: Add tearDownLocal class
3b7853a test-empty-image: rename from core-image-empty
5febb1d scripts/gen-lockedsig-cache: fix race with temp file creation
3b5d6ff image-live: make SYSLINUX_ROOT changable in image recipes
5009966 toolchain-shar-extract.sh: provide proper path for env_setup_script
ae7703f classes/base: provide hints on PACKAGECONFIG error
5a02ec2 devtool: extract: fix error handling
3aac110 metadata_scm: rewrite git hash logic
59668f2 linux-yocto-custom: fix typo in Upstream-Status tag
c52dcb0 grub-efi, gummiboot: Emit correct path in startup.nsh
f9d29ab coreutils: fix for native and nativesdk
b1a7405 gcc-4.x: fix wrong warning when using the universal zero initializer {0}
402723e tzdata: reinstate changes reverted in 2014c upgrade
3770461 build-compare: drop PATCHTOOL setting
4846260 common-licenses: use correct GFDL-1.1 license text
a9053ac bitbake: toaster: Add tests for error message display on the build dashboard
2517987 bitbake: toaster: Modify "New build" button behaviour for cli builds project
56d4c84 bitbake: toaster: Clean up template code
d96cedf bitbake: toaster: More linting of tests
7c8877e bitbake: toaster: Show tooltip next to cli builds project name in all builds
7670234 bitbake: toaster: Hide tabs and add info popups for command line builds
da4c614 bitbake: toaster: Make the builds view the project page for "command line builds"
ef6fc2b bitbake: toaster: Replace "Run again" button with help text for cli builds
7467b68 bitbake: toaster: Exclude "command line builds" project from projects typeahead
b5624c7 bitbake: toaster: Show 'not applicable' for default project machine and release
3c4c984 bitbake: toaster: Reorganise and lint tests
3ba43f2 bitbake: fetch2/hg: Include missing errno import
6fa3fec bitbake: cooker: normalize build targets
5effe8f bitbake: toaster: Allow any text input to machine configuration variable
320d05e bitbake: toaster: exit or return depending on the mode
2e2e40c bitbake: toaster: set TOASTER_MANAGED variable
a73895e bitbake: toaster: get rid of SRCFILE
779539c bitbake: toaster: use path to the script to guess config path
eb8b2b9 bitbake: toaster: Guard against builds with no targets
65e8bde bitbake: toaster: Remove Toaster exceptions section of build dashboard
93f0b61 bitbake: toaster: Record critical errors
069a611 bitbake: toaster: Test that exception isn't thrown by project page
026e981 bitbake: toaster: Check whether buildrequest exists before using it
1feeb8e bitbake: toaster: Always run bldcontrol migrations
ae82d77 bitbake: toaster: buildinfohelper Detect command line builds
596c219 bitbake: toaster: Disable add layer button when input is empty
24e5a17 bitbake: toaster: Have 'Version' next to recipe name
c895838 bitbake: toaster: Improve directory structure layout
2f52ef4 bitbake: toaster: importlayer Update property names for importlayer api calls
556c0ea lib/oe/image.py: Fix dependency handling for compressed types
d302c98 bitbake: toaster: Fix missing tooltips from layers on project configuration page
7e5464b bitbake: toaster: Fix broken test case
2e375e6 bitbake: toaster: exclude recipes with empty names
fa3e82d bitbake: toaster: delete recipe if it can't be saved
82675fc bitbake: toaster: Remove project name from latest project builds
6aeaca1 bitbake: toaster: test get_alldeps API
0fb6be0 bitbake: toaster: fix orm tests
dea679a bitbake: toaster: fix NameError
6e0c0fd bitbake: toaster: use get_alldeps in layerdetails renderer
bd2ec77 bitbake: toaster: implement API to get full list of deps
05594f8 bash: Disable custom memory allocator
adbbab7 icu: fix install race
b1d0aab webkitgtk, gcr, libsecret: force ARM mode
67d6500 gtk+3: gtk3-demo needs libgl
f385ed1 lib/oe/distro_check: Remove '_proxy' on dict values used by urllib.open
4bf7b7d cups: fix non-deterministic xinetd behaviour
32dbf71 cronie: clean up bugtracker info
6396d6a irda-utils: clean up bugtracker info
8d5878b screen: fix CVE-2015-6806
acdc2db kbd: provide a workaround for build failures
67959b9 machine/qemu: Fix OpenGL/GLX support with xserver-xorg.
fedff4f busybox.inc: remove redundant @DATADIR@ replacement
78b9d2d insane.bbclass: remove misleading path in warning
8995a30 iptables: only check libnetfilter-conntrack when libnfnetlink is enabled
e35c404 bitbake: toaster: Don't descend into directories for cached_layers
d9528d9 toasterconf: update meta-yocto to jethro and drop dizzy
2d6701f bitbake: toaster: Update JS unit tests
ab896df bitbake: toaster: Fix stale layer state buttons
41a5f82 bitbake: toaster: tables Add the recipe filter back into the Recipe table
2bebcd4 bitbake: toaster: Fix typo in returning pk list of layer versions in current project
d6d680d bitbake: toaster: layerdetails update build recipe button class name
7794b57 bitbake: toaster: Hide "Download build log" button if log doesn't exist
8c69539 bitbake: toaster: fix naming for clone directory
41286f4 bitbake: toaster: buildinfohelper Skip packages we have no build info about
97d0006 bitbake: toaster: buildinfohelper associate build data with built_recipe
0dcc963 bitbake: toaster: remove bashisms so script works in dash as well
8068aa3 bitbake: toaster: get rid of interactivity in bldcontrol
7d7823e bitbake: toaster: check for configuration file and exit if not found
315989c bitbake: toaster: remove layer and build dir interactive questions
489d5ff bitbake: toaster: removed superuser question from startup
c7d1dab bitbake: toaster: orm Machines filter don't pass self in as parameter
dd957fe bitbake: toaster: Rationalise mimetype guessing to fix artifact downloads
ce9011a bitbake: toaster: Use Python's mimetypes module
466bbec bitbake: toaster: display warnings for bad "IMAGE_FSTYPES" values
8b7d846 bitbake: toaster: Set default columns in recipes tables
9daf6ef bitbake: toaster: Comment out broken sorting and filters
b661f53 bitbake: toaster: Don't HTTP cache ToasterTable responses
a3742a0 bitbake: toaster: Don't add new history entries when table data loads
fa68ae0 bitbake: toaster: use meaningful logging levels
bd8b27b bitbake: toaster: ignore ReachableStamps event
ceeb52a linux-yocto: Update SRCREV for genericx86* BSPs
7766265 os-release: fix do_compile() when RPM signing is enabled
9a02df0 readline: actually apply readline63-003 (aka CVE-2014-2524)
a856580 rpm: fix return without value in patch
49bf4b1 Revert "qemu-native: Enable temporary debug info as default."
ad8c021 linux-yocto/4.1: drm/i915 backports
48e5579 oeqa/utils/qemurunner: Add support for Unicode from qemu
1f99452 report-error.bbclass: Support Unicode reports
b25af33 udev: add PROVIDES = "libgudev"
a0d9d2d lib/oe/image.py: Add image generation for companion debug filesystem
8ee9a93 package_manager.py: sort output of OpkgPkgsList().list
37c54af ThunderX: Add initial tune file
a0e7311 tzdata: update to 2015g
931dda4 tzcode: update to 2015g
8cacd22 recipetool: create: fix change in path structure if --extract-to path exists
e961688 devtool: update-recipe: avoid updating patches that have not changed
07fc8c2 oe-selftest: wic: fix LocalSetup
eac61f3 build-appliance-image: Update to jethro head revision
c9bdcf5 oeqa/runexported: Replaced optionparser with argparse.
038ae3f systemd: remove glib-2.0 build dependency
0516cd2 webkitgtk: Add some PACKAGECONFIG options.
dff30d2 fontcache: allow to pass extra parameters and environment to fc-cache
d5ce2f5 webkitgtk: Use ON/OFF for cmake switches.
ebd5035 testimage: Added IO commands to dumps
b73a35e distro-alias.inc: Updated for jethro 2.0 release
b7f9cde build-appliance-image: Update to jethro head revision
cf8ad8d toaster: Special case the openembedded-core layer to avoid duplicates
20b888b build-appliance-image: Update to jethro head revision
8fb5a5a bitbake: bitbake/lib: Update version to 1.28.0
0eca7ff build-appliance-image: Update to jethro head revision
34fede6 poky.conf: Bump version for 2.0 jethro release
a7329e1 Revert "oeqa/runtime: Added one runtime testcase in connman."
c2e78e3 qemu: Drop BROKEN usage
e788961 smart:cache.py: getPackages() matches name + arch
f3e57ba devtool: modify: use correct local files directory name
7cb0765 xuser-account: Take over xuser specific D-Bus policy
cdaa8fd bluez5: Use upstream D-Bus policy
e4a4961 ptest: run-ptest not required to run do_install_ptest
12cd705 distrodata: Take account proxies on distrodata tasks
f047ee8 devtool: update-recipe: enable var history tracking
979de77 lib/oeqa/selftest/yoctobsp: Basic tests for yocto-bsp script
e20d8b8 scripts/lib/bsp/engine: Indent the karch properties when stored into a file
f2933cc yocto-bsp: Update templates to 4.1 kernel
8283a57 scrips/lib/bsp/engine: List properties to stdout when output parameter is omitted
b355a5e scripts/yocto-bsp: Exit successfully when asking for help
ad9ee3d meta-yocto-bsp: bump to linux-yocto 4.1 for the non-x86 BSPs
cdc57f6 bitbake: siggen: Make it clear why nostamp tasks signatures don't match
1630f0a bitbake: runqueue: Add handling of virtual/xxx provider mappings
0b96e6f bitbake: taskdata: Add a function to return the virtual/ mapping data
40fae32 bitbake: cookerdata: Rename BBPKGS -> BBTARGETS
1e467b3 bitbake: bitbake-worker: Guard against multiprocessing corruption of event data
e5b9c2a oeqa/selftest/wic: Use SetupLocal instead of Setup
4266cc9 kernel.bbclass: fix the bug of checking the existing sections in do_strip()
ec1146e linux-yocto_{3.14,3.19,4.1}: qemuarm enable virtio drivers
2ea0e4c runqemu-internal: qemuarm enable usage of virtio devices
a23239a gnome-doc-utils: xslt - don't install Makefiles
f671163 apr-utils: cleanup buildpaths for target stuffs
f68d739 apr: cleanup buildpaths from target stuffs
a7ac905 curl: cleanup buildpaths from curl-config
833bfd3 dropbear: fix key generation when systemd is in use and rootfs is readonly
d592abd image.bbclass: tweak the key location for dropbear when rootfs is readonly
299806d openssh: fix sshd key generation when systemd is in use and rootfs is readonly
006497e image.bbclass: when building a readonly rootfs, tweak ssh settings regardless of init system in use
f1e2515 lttng-tools: Drop KERNELDIR reference
381a7bd meta-ide-support: No need to mark as nostamp anymore
ab9d2bb adt-installer: No need to mark as nostamp
d8ab563 distutils3: Avoid MACHINE specific checksums
a0d6322 gstreamer-omx: Improve variable expansion of ${S}
c71bd57 bitbake.conf: Exclude sstate-outputdirs flag from checksums
f02cbc6 deploy: Mark deploy tasks as MACHINE specific
a0435bf layer.conf: Add SIGGEN exclusion for oprofile kernel dependency
f4a8917 layer.conf: Improve siggen exclusion to handle virtual/libc
6fe4fd2 multilib_global: Add handling of SIGGEN variables for multilib
2c19695 lib/oe/sstate: Add tasks_resolved handler for virtual/xxx mappings
ff17f14 oeqa/selftest/sstatetests: Add test that MACHINE doesn't change target sigs
d822764 meta-selftest: Add qemux86copy machine
6cfc7c0 oeqa/selftest/sstatetests: Add check for same sigs for SDKMACHINE
5dbd061 multilib.conf: Ensure MACHINE doesn't change target sigs
71fdb36 gcc-multilib-config: Ensure SDK_ARCH doesn't change target sigs
c9ea0c6 lib/oe/package_manager: Handle empty package list in opkg case
ec504e0 oeqa/utils/decorators: Append the testname without the full path
8fe5b48 kern-tools: fix multi-layer patch application
b054506 linux-yocto/4.1: braswell bug fixes
c6c093b linux-yocto/4.1: update to 4.1.8 -stable
a502a2d linux-yocto-rt/4.1: integrate axxia BSP
38f0ffa meta: fix build with gettext 0.16.1
56c0fdf hostap-utils: Use C99 stddefs in defining local typedefs
34707c2 linux-yocto-custom: Update for newer kernel
df09a6f oetest: Change logic of a failed test
7a6cb2e cwautomacros: cleanup buildpath in autogen.sh
1222eb1 oeqa/runexported: Fix a problem with ssh_target_log existing in folder.
cb93670 qemurunner: Sanitize output from qemu and qemu pid
ba0f6ca oeqa/testimage: Add ability to run single test from suite.
3e40688 recipes-extended: remove duplicate recipe and .wks
6f2047a runqemu-internal: Make sure two serial ports always exist
385a5e8 cross-canadian.bbclass: big-endian ARM is also gnueabi.
7c96fcf openssl: fix ptest failures
d9ce095 python-async: inherit setuptools
adb6987 util-linux: add runuser PAM config files to fix runuser error
9549f57 oeqa/decorators: Fixed a problem with decorator logs link.
790b6c7 oeqa/selftest/wic: Added testcase decorator to all testcases + fixed minor typos.
ffd4bd6 toolchain-shar-extract: Correct environment-setup script names for multilib
249b810 lsb: add lsbinitscripts and util-linux rdepends
c7548b5 systemd: add PACKAGECONFIG for qrencode
3b04553 opkg: create opkg.lock in /run instead of /var/run
c275627 toolchain-shar-relocate.sh: make it faster
434665d populate_sdk_base: Simplify postprocess commands
5bfcd13 classes/meta: Add DISTRO_FEATURES check for gtk+/gtk3+
5b629a9 devtool: modify: make bitbake use local files from srctree
e9bae50 devtool: better support for local source files
a74fa38 devtool: file mover function that creates target dir
109c09b devtool: update_recipe: refactor patch generation
c976028 devtool: update-recipe: add new patches in correct order
2f8440b oe-selftest: devtool: add method for checking repo status
0a9f59e oe-selftest: devtool: add method for checking srctree repo
afb0142 oe-selftest: devtool: add setup() method
31c3078 oe.patch.GitApplyTree: add paths argument to extractPatches
d5e2dd4 recipeutils: implement get_recipe_local_files()
4bc3f09 bitbake: toaster: move clones into subdirectory
9e1516d bitbake: toaster: make clone directory name unique
552fd83 bitbake: toaster: fix reimporting module
55dc927 bitbake: toaster: fix bug in resetting git repository
6939340 bitbake: toaster: use git reset --hard instead of rebase
3d73dfa bitbake: toaster: don't use --single-branch when cloning
226e7da bitbake: utils: only add layer once in edit_bblayers_conf()
d48b7ef bitbake: toaster: display most recent builds for projects
f902dc6 bitbake: toaster: orm remove the complicated querying on the ORM
fe29297 bitbake: Revert "bitbake: toaster: don't re-create Target objects"
e6d967d bitbake: toaster: buildinfohelper Create a copy of the built layer and recipe
17fe16b bitbake: toaster: tables show all recipes in the layerdetails even duplicates
aed6d2e bitbake: toaster: Prioroitise the layer more generic vcs reference over the sha
922503f bitbake: toaster: Create a relationship between build information and toaster layers
0bc0a44 bitbake: toaster: Special case the openembedded-core layer to avoid duplicates
e68f63a bitbake: toaster: Add test cases for new Image customisation features
d98c771 bitbake: toaster: Add Image customisation frontend feature
37948cc bitbake: toaster: Add ToasterTables for Image customisation feature
a3ff4b2 bitbake: toaster: Add new ReST API for Image Customisation feature
28153ac bitbake: toaster: Fix indentation of jsunittests view
60f3ddb bitbake: toaster: implement decorator for REST responses
a7f43bd bitbake: toaster: add toggle for enabling image customisation feeature
3ff6401 bitbake: toaster: Add CustomImageRecipe model
8948d04 bitbake: toaster: ToasterTable remove unused class definition
c1157cf bitbake: toaster: add nocache option to the ToasterTable widget
1cafc39 bitbake: toaster: widgets ToasterTable Add more info to search field exception
c71bbad bitbake: toaster: widgets ToasterTable add logger to notify when cache hit
934f8d7 bitbake: toaster: create custom layer and recipes for Image customisation
340b398 bitbake: toaster: tables Move the title and name into the widget
e1851fe bitbake: toaster: make a workaround for old style index
f78f902 bitbake: prserv/serv.py: Better messaging when starting/stopping the server with port=0
134b267 bitbake: prserv/serv: Close the DB connection out of class destructor
caf422c multilib: Add TARGET_VENDOR to saved variables list
3af9f06 oeqa/sdk/gcc: Fix makefile test
00f0d2b gdk-pixbuf: Only apply native cleaning in normal task, not setscene
452237b runqemu-export-rootfs: update location of unfsd binary
aa1253f runqemu: don't complain about conflicting machines if they are equal
994915b oeqa/testimage: Remove absolute path to oeqa from json
f8da3b6 iproute2: fix the configure process
218d9f4 gcc-multilib-config: Expand ccargs variable
be13cdb Empty image: core-image-empty recipe
2bbec56 Empty image:rootfs.py:handle empty PACKAGE_INSTALL
4562f3f gstreamer1.0-plugins-bad: change glimagesink rank to marginal
677a463 linux-yocto/4.1: rt update to 4.1.x-rt8
cdd9c4c linux-yocto/4.1: common-pc-drivers: add CONFIG_PATA_SCH
9028d93 ltp: replace 'inline' with 'static inline' for gcc 5.x
5942dfe waffle: Fix build with musl
cfa3ed0 cups: fix pam configuration file's permission
8227d49 busybox: Use CC instead of bare LD to be the Linker
a3c4817 busybox: Use UTMPX instead of legacy UTMP
ea031f0 distrodata: handle recipes with empty or absent SRC_URI in checkpkg()
5cc44fe recipeutils.py: don't hardcode the upstream version as 1.0 when SRC_URI is empty or absent
320500e oeqa/parselogs: Updated log parser whitelist.
adeba9a connman: Don't use a blanket "allow" D-Bus policy
907c8a7 connman: Depend on xuser-account unconditionally
1b146c5 byacc: add missing patch header
5fd3089 sstate: run recipe-provided hooks outside of ${B}
3fb464f oeqa/decorators: Add timestamp to decorator logs.
5f371e5 image types: add hdddirect
ca52ca0 packagegroup-core-standalone-sdk-target: ensure libatomic is in SDK
6d68ba9 glibc/mmc-utils: Rename 'BRANCH' variable to 'SRCBRANCH' for clearness
c5aab3f sanity.bbclass: show warning when chmod fails
5702a19 systemd: apply persistent storage udev rules also for /dev/hd*
cb24cbb rpm: search for gpg if gpg2 is not found
217cccd openssl: Add mapping for nios2
3408d0d qemurunner: Handle qemu start failure correctly
79e3418 gcc-runtime: Add multilib C++ header mapping
09af262 oeqa/oetest: Fix SDK command execution
5d4f39f mulitlib: Ensure SDKTARGETSYSROOT is set correctly
c356961 gtk-icon-cache/pixbufcache: don't set GDK_PIXBUF_MODULEDIR
4a36842 librsvg: tell configure where gdk-pixbuf-query-loaders is
8a12632 gdk-pixbuf: move gdk-pixbuf-query-loaders to $libdir for multilib safety
b070778 gdk-pixbuf: move gdk-pixbuf-pixdata to gdk-pixbuf-dev
7fb583a multilib: Drop populate_sdk variable manipulation
eb7b1a5 package_manager.py: make rpm install mutilib pkgs corectly
5a51fb2 bitbake: prserv/serv: Start/Stop daemon using ip instead of host
2687b24 gdk-pixbuf: Avoid rebuild failures
94184a0 systemd: fix tmpfiles location when multilib in use
179ee77 p11-kit: configure without trust-paths
c7624b4 oe-pkgdata-util: avoid returning skipped packages
dd11f5c toolchain-shar-extract.sh: remove checkbashism
99fc786 archiver: stamp-base is dead, remove it
ce7bc12 gcc-shared-source: Set empty SRC_URI
47ef201 libgcc.inc: package baremetal multilib libraries
aff7e72 meta-selftest: add error recipe and error-image
261e68c libksba: fix pkgconfig patch
3235a64 systemd: disable problematic GCC 5.2 optimizations
6e7ed5e Revert "systemd: disable problematic GCC 5.2 optimizations"
9673278 oeqa/selftest/archiver: Test that archiver filters on recipe name
6807327 oeqa/utils/dump: Add default commands and directory
5d31e94 webkitgtk: add REQUIRED_DISTRO_FEATURES
8733b53 oeqa/runexported: Removed DEPLOY_DIR as mandatory.
f1e7fb0 oeqa/oetest: Remove bb as requirement for oetest.
d70c5cb gcc-5.2: disable isl
66dca4b kmod: Change SRCREV to fix return code in error path
61e77c7 oeqa/runtime/parselogs.py: Fix dmesg log retrieve in sato
dd26efb insane.bbclass: make package_qa_clean_path return a relative path
bdbd8b4 devtool: upgrade: use shutil.move instead of os.rename
346784b devtool: runqemu: avoid recipe parse
85d8b4a devtool: second fix for running from a different directory
6363a95 guile: cleanup buildpaths and add RDEPENDS on pkgconfig
6d1447b gmp: Use __gnu_inline__ attribute in 4.2.1
42dc902 pseudo_1.7.4.bb: fix f*open()
9f66aa1 bitbake: toaster: start script warning text formatting small improvement
c6eaef0 bitbake: tinfoil: remove logging handler at shutdown
fb26ea3 bitbake: toaster: remove time from builds in progress
15b482b bitbake: toaster: Add fake entry to Target_File for filesystem root
767fe69 bitbake: toaster: layerdetails Fix back button tab behaviour
4c0320f bitbake: toaster: UI test improvements
4c5af77 bitbake: toaster: support selenium testing from mac OS X
e6c4970 bitbake: toaster: add 2 UI tests
f6a70ad bitbake: toaster: change UI to show tasks
08000eb bitbake: toaster: don't re-create Target objects
ea37358 bitbake: toaster: store task name in Target objects
524ddd8 oeqa/utils/qemurunner.py: Remove duplicate message on LoggingThread start
376ce71 oeqa/utils/qemurunner.py: Fix HIGH CPU usage on LoggingThread
6c0066c devtool: add search command
0613301 devtool: add basic means of running runqemu within the extensible SDK
c4181c6 devtool / recipetool: add handling for binary-only packages
76084cd devtool: build-image: delete bbappend at end of build
ef197f9 devtool: build-image: improve image recipe handling
8f67bb7 devtool: build-image: tell user where to find output files
afb9340 devtool: build-image: fix recipe/package terminology
d736518 devtool: add: move important "recipe created" message to the end
3bd0f33 devtool: add: set up fetched source as a git repository by default
e759b0b devtool: better handling for recipes that don't unpack source
a34f733 devtool: fix extracting source for work-shared recipes
5bc437b devtool: show proper error when extracting source for recipes with disabled unpack task
210d959 recipetool: create: fix handling of URIs containing #
a35ad72 recipetool: create: fix creating empty shell functions
30c7e7a devtool: add: properly handle separate build directory
99fc284 devtool / lib/oe/recipeutils: ensure we can parse without bbappends
5d1a117 devtool: add: ensure --color=never turns off recipetool colour output
ae788fb devtool: check that source tree still exists
99cd79d scripts/contrib: add devtool stress tester
e0b9a96 lib/oe/patch: fix for git am not cleaning up after itself
8fb70c6 classes/externalsrc: fix setting of deps varflag as a string
586291f classes/externalsrc: scale back warning to a plain note
72810f9 toolchain-shar-extract.sh: show progress when extracting SDK
0dc9299 classes/populate_sdk_ext: drop work-config.inc
3a08728 classes/populate_sdk_ext: allow custom configuration for extensible SDK
b853dde classes/populate_sdk_ext: fix missing environment settings if running installer with sh
374e1fe lib/oe/recipeutils: properly split unexpanded variable values
7fb3fb9 linux-yocto/4.1: hid, bluetooth, aufs and yaffs2 updates
9241ec5 image_types.bbclass: Don't try to create ubi symlink twice
266e417 oeqa/selftest: buildoptions.py Removed unused imports
329d09f systemd: disable problematic GCC 5.2 optimizations
554c817 libgpg-error: Add support for nios2
84e1100 pixman: Fix missing FE_DIVBYZERO on nios2
9baffc1 libtool: Fix nios2 support
ba1e0ee linux-yocto: depend on libgcc for nios2
8efff24 kernel-arch: Add nios2 to valid archs
4d9af35 siteinfo: Add nios2-linux
76a8c74 insane: Add nios2 support
6adffd0 autotools: fix traversal bug in aclocal copying
6a02bbd python3-debugger: Adds pkgutils dependency to pdb
a7dd758 python3-debugger: fix importlib dependency
0e5a911 libsdl: depends on libglu when both x11 and opengl
d762ea1 lttng-tools: sessiond: disable: match app event by name
c8a7d76 testimage.bbclass: Fix break introduced with SIGTERM handling
7d166a6 sysstat: Include needed headers explicitly
d36384e connman: Fix build with musl
0df9b98 quota: Replace using -I= with STAGING_INCDIR
433a7a0 opkg: Include stdio.h for FILE definition
5aadabf syslinux: Dont bypass gcc driver for dependency generation options
05b9a0c gnu-efi, syslinux: Support gcc < 4.7
cdfd96e gummiboot: Fix build warnings seen with gcc5
0141652 qt4: Fix kmap2qmap build with clang
6b73a05 xz: Correctly specify GPL-3.0 with autoconf exception
a96069d insane.bbclass: drop extra line-feed in pkgname check
10fb575 insane.bbclass: show PN and relative path in package_qa_check_host_user
5624889 package.bbclass: add summary line to installed-vs-shipped QA check
d6e40e8 initramfs-framework: better error reporting for invalid root boot parameter
288a9ff initramfs-framework: fix "support dropping into shell on failure"
5ff7e8d qt4: remove already merged patch
9578b09 gdk-pixbuf: remove redundant libx11 DEPENDS line
fe70aa4 runqemu-internal: For qemumicroblaze use the QEMU provided device tree
9aaf7e3 runqemu-internal: Fix qemu networking for qemuzynq an qemumicroblaze
be493ba libpcre: Allow building 16 and 32bit libpcre versions
f32a6e1 oe-git-proxy: Allow socks4 as protocol in $ALL_PROXY
18309f0 oe-git-proxy: Correct the parsing of a port in $ALL_PROXY
c035f35 oe-git-proxy: Allow explicit IP addresses in $NO_PROXY
bbe06b4 oeqa/testimage: Enhance -v switch in testimage
e0b38f2 wic-image-minimal: add dependency to .wks
dd7726f wic: fix partition size calculation
219d73a wic: use ext4 in wic-image-minimal.wks
ce2cb45 wic: add dependencies to wic-image-minimal recipe
a66f586 testimage.bbclass: Don't require an image manifest
39c11d8 gstreamer1.0: Fix basesink drop buffer error
5f13793 grep: fix install if bindir == base_bindir
b17c02f gzip: fix install if bindir == base_bindir
b6f8ea1 cpio: fix install if bindir == base_bindir
fe0cdab tar: fix install if bindir == base_bindir
c6b52f3 bind: fix too long error from gen
81d65df ccache: fix file name too long
cdbe5c9 bitbake.conf: update APACHE_MIRROR
12772c8 linux-yocto/4.1: hid-core: Avoid uninitialized buffer access
88b11e6 kern-tools: optimize patching peformance
0864782 linux-yocto/4.1: aufs, yaffs2 and driver fixes

git-subtree-dir: yocto-poky
git-subtree-split: c8a4ed9a63de6124c8a3cceb80c7db48f12f7aea
diff --git a/meta/recipes-connectivity/avahi/avahi-ui_0.6.31.bb b/meta/recipes-connectivity/avahi/avahi-ui_0.6.31.bb
index eea4d70..0d42b90 100644
--- a/meta/recipes-connectivity/avahi/avahi-ui_0.6.31.bb
+++ b/meta/recipes-connectivity/avahi/avahi-ui_0.6.31.bb
@@ -6,7 +6,8 @@
 
 require avahi.inc
 
-inherit python-dir pythonnative
+inherit python-dir pythonnative distro_features_check
+ANY_OF_DISTRO_FEATURES = "${GTK2DISTROFEATURES}"
 
 PACKAGECONFIG ??= "python"
 PACKAGECONFIG[python] = "--enable-python,--disable-python,python-native python"
diff --git a/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch b/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch
new file mode 100644
index 0000000..1ed858c
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/0001-lib-dns-gen.c-fix-too-long-error.patch
@@ -0,0 +1,34 @@
+From 5bc3167a8b714ec0c4a3f1c7f3b9411296ec0a23 Mon Sep 17 00:00:00 2001
+From: Robert Yang <liezhi.yang@windriver.com>
+Date: Wed, 16 Sep 2015 20:23:47 -0700
+Subject: [PATCH] lib/dns/gen.c: fix too long error
+
+The 512 is a little short when build in deep dir, and cause "too long"
+error, use PATH_MAX if defined.
+
+Upstream-Status: Pending
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+ lib/dns/gen.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/dns/gen.c b/lib/dns/gen.c
+index 51a0435..3d7214f 100644
+--- a/lib/dns/gen.c
++++ b/lib/dns/gen.c
+@@ -148,7 +148,11 @@ static const char copyright[] =
+ #define TYPECLASSBUF (TYPECLASSLEN + 1)
+ #define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d"
+ #define ATTRIBUTESIZE 256
++#ifdef PATH_MAX
++#define DIRNAMESIZE PATH_MAX
++#else
+ #define DIRNAMESIZE 512
++#endif
+ 
+ static struct cc {
+ 	struct cc *next;
+-- 
+1.7.9.5
+
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
new file mode 100644
index 0000000..e1c8052
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
@@ -0,0 +1,278 @@
+From 8259daad7242ab2af8731681177ef7e948a15ece Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Mon, 16 Nov 2015 13:12:20 +1100
+Subject: [PATCH] 4260.   [security]      Insufficient testing when parsing a
+ message allowed                         records with an incorrect class to be
+ be accepted,                         triggering a REQUIRE failure when those
+ records                         were subsequently cached. (CVE-2015-8000) [RT
+ #4098]
+
+(cherry picked from commit c8821d124c532e0a65752b378f924d4259499fd3)
+(cherry picked from commit 3a4c24c4a52d4a2d21d2decbde3d4e514e27d51c)
+
+
+Upstream-Status: Backport
+
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=8259daad7242ab2af8731681177ef7e948a15ece
+
+CVE: CVE-2015-8000
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGES                       |  5 +++++
+ bin/tests/system/start.pl     |  5 ++++-
+ doc/arm/notes.xml             |  9 +++++++++
+ lib/dns/include/dns/message.h | 13 +++++++++++--
+ lib/dns/message.c             | 45 ++++++++++++++++++++++++++++++++++++++-----
+ lib/dns/resolver.c            |  9 +++++++++
+ lib/dns/xfrin.c               |  2 ++
+ 7 files changed, 80 insertions(+), 8 deletions(-)
+
+Index: bind-9.10.2-P4/bin/tests/system/start.pl
+===================================================================
+--- bind-9.10.2-P4.orig/bin/tests/system/start.pl
++++ bind-9.10.2-P4/bin/tests/system/start.pl
+@@ -68,6 +68,7 @@ my $NAMED = $ENV{'NAMED'};
+ my $LWRESD = $ENV{'LWRESD'};
+ my $DIG = $ENV{'DIG'};
+ my $PERL = $ENV{'PERL'};
++my $PYTHON = $ENV{'PYTHON'};
+ 
+ # Start the server(s)
+ 
+@@ -213,7 +214,9 @@ sub start_server {
+ 		$pid_file = "lwresd.pid";
+ 	} elsif ($server =~ /^ans/) {
+ 		$cleanup_files = "{ans.run}";
+-                if (-e "$testdir/$server/ans.pl") {
++                if (-e "$testdir/$server/ans.py") {
++                        $command = "$PYTHON ans.py 10.53.0.$' 5300";
++                } elsif (-e "$testdir/$server/ans.pl") {
+                         $command = "$PERL ans.pl";
+                 } else {
+                         $command = "$PERL $topdir/ans.pl 10.53.0.$'";
+Index: bind-9.10.2-P4/doc/arm/notes.xml
+===================================================================
+--- bind-9.10.2-P4.orig/doc/arm/notes.xml
++++ bind-9.10.2-P4/doc/arm/notes.xml
+@@ -62,6 +62,15 @@
+     <itemizedlist>
+       <listitem>
+ 	<para>
++	  Insufficient testing when parsing a message allowed
++	  records with an incorrect class to be be accepted,
++	  triggering a REQUIRE failure when those records
++	  were subsequently cached.  This flaw is disclosed
++	  in CVE-2015-8000. [RT #4098]
++	</para>
++      </listitem>
++      <listitem>
++	<para>
+ 	  An incorrect boundary check in the OPENPGPKEY rdatatype
+ 	  could trigger an assertion failure. This flaw is disclosed
+ 	  in CVE-2015-5986. [RT #40286]
+Index: bind-9.10.2-P4/lib/dns/include/dns/message.h
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/include/dns/message.h
++++ bind-9.10.2-P4/lib/dns/include/dns/message.h
+@@ -15,8 +15,6 @@
+  * PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
+-/* $Id$ */
+-
+ #ifndef DNS_MESSAGE_H
+ #define DNS_MESSAGE_H 1
+ 
+@@ -221,6 +219,8 @@ struct dns_message {
+ 	unsigned int			free_saved : 1;
+ 	unsigned int			sitok : 1;
+ 	unsigned int			sitbad : 1;
++	unsigned int			tkey : 1;
++	unsigned int			rdclass_set : 1;
+ 
+ 	unsigned int			opt_reserved;
+ 	unsigned int			sig_reserved;
+@@ -1400,6 +1400,15 @@ dns_message_buildopt(dns_message_t *msg,
+  * \li	 other.
+  */
+ 
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
++/*%<
++ * Set the expected class of records in the response.
++ *
++ * Requires:
++ * \li   msg be a valid message with parsing intent.
++ */
++
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* DNS_MESSAGE_H */
+Index: bind-9.10.2-P4/lib/dns/message.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/message.c
++++ bind-9.10.2-P4/lib/dns/message.c
+@@ -439,6 +439,8 @@ msginit(dns_message_t *m) {
+ 	m->free_saved = 0;
+ 	m->sitok = 0;
+ 	m->sitbad = 0;
++	m->tkey = 0;
++	m->rdclass_set = 0;
+ 	m->querytsig = NULL;
+ }
+ 
+@@ -1091,13 +1093,19 @@ getquestions(isc_buffer_t *source, dns_m
+ 		 * If this class is different than the one we already read,
+ 		 * this is an error.
+ 		 */
+-		if (msg->state == DNS_SECTION_ANY) {
+-			msg->state = DNS_SECTION_QUESTION;
++		if (msg->rdclass_set == 0) {
+ 			msg->rdclass = rdclass;
++			msg->rdclass_set = 1;
+ 		} else if (msg->rdclass != rdclass)
+ 			DO_FORMERR;
+ 
+ 		/*
++		 * Is this a TKEY query?
++		 */
++		if (rdtype == dns_rdatatype_tkey)
++			msg->tkey = 1;
++
++		/*
+ 		 * Can't ask the same question twice.
+ 		 */
+ 		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
+@@ -1241,12 +1249,12 @@ getsection(isc_buffer_t *source, dns_mes
+ 		 * If there was no question section, we may not yet have
+ 		 * established a class.  Do so now.
+ 		 */
+-		if (msg->state == DNS_SECTION_ANY &&
++		if (msg->rdclass_set == 0 &&
+ 		    rdtype != dns_rdatatype_opt &&	/* class is UDP SIZE */
+ 		    rdtype != dns_rdatatype_tsig &&	/* class is ANY */
+ 		    rdtype != dns_rdatatype_tkey) {	/* class is undefined */
+ 			msg->rdclass = rdclass;
+-			msg->state = DNS_SECTION_QUESTION;
++			msg->rdclass_set = 1;
+ 		}
+ 
+ 		/*
+@@ -1256,7 +1264,7 @@ getsection(isc_buffer_t *source, dns_mes
+ 		if (msg->opcode != dns_opcode_update
+ 		    && rdtype != dns_rdatatype_tsig
+ 		    && rdtype != dns_rdatatype_opt
+-		    && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
++		    && rdtype != dns_rdatatype_key /* in a TKEY query */
+ 		    && rdtype != dns_rdatatype_sig /* SIG(0) */
+ 		    && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
+ 		    && msg->rdclass != dns_rdataclass_any
+@@ -1264,6 +1272,16 @@ getsection(isc_buffer_t *source, dns_mes
+ 			DO_FORMERR;
+ 
+ 		/*
++		 * If this is not a TKEY query/response then the KEY
++		 * record's class needs to match.
++		 */
++		if (msg->opcode != dns_opcode_update && !msg->tkey &&
++		    rdtype == dns_rdatatype_key &&
++		    msg->rdclass != dns_rdataclass_any &&
++		    msg->rdclass != rdclass)
++			DO_FORMERR;
++
++		/*
+ 		 * Special type handling for TSIG, OPT, and TKEY.
+ 		 */
+ 		if (rdtype == dns_rdatatype_tsig) {
+@@ -1377,6 +1395,10 @@ getsection(isc_buffer_t *source, dns_mes
+ 				skip_name_search = ISC_TRUE;
+ 				skip_type_search = ISC_TRUE;
+ 				issigzero = ISC_TRUE;
++			} else {
++				if (msg->rdclass != dns_rdataclass_any &&
++				    msg->rdclass != rdclass)
++					DO_FORMERR;
+ 			}
+ 		} else
+ 			covers = 0;
+@@ -1625,6 +1647,7 @@ dns_message_parse(dns_message_t *msg, is
+ 	msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
+ 
+ 	msg->header_ok = 1;
++	msg->state = DNS_SECTION_QUESTION;
+ 
+ 	/*
+ 	 * -1 means no EDNS.
+@@ -3706,3 +3729,15 @@ dns_message_buildopt(dns_message_t *mess
+ 		dns_message_puttemprdatalist(message, &rdatalist);
+ 	return (result);
+ }
++
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
++
++	REQUIRE(DNS_MESSAGE_VALID(msg));
++	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
++	REQUIRE(msg->state == DNS_SECTION_ANY);
++	REQUIRE(msg->rdclass_set == 0);
++
++	msg->rdclass = rdclass;
++	msg->rdclass_set = 1;
++}
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
++++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -7309,6 +7309,8 @@ resquery_response(isc_task_t *task, isc_
+ 			goto done;
+ 	}
+ 
++	dns_message_setclass(message, fctx->res->rdclass);
++
+ 	if ((options & DNS_FETCHOPT_TCP) == 0) {
+ 		if ((options & DNS_FETCHOPT_NOEDNS0) == 0)
+ 			dns_adb_setudpsize(fctx->adb, query->addrinfo,
+@@ -7391,6 +7393,13 @@ resquery_response(isc_task_t *task, isc_
+ 				 &dns_master_style_comment,
+ 				 ISC_LOG_DEBUG(10),
+ 				 fctx->res->mctx);
++
++	if (message->rdclass != fctx->res->rdclass) {
++		resend = ISC_TRUE;
++		FCTXTRACE("bad class");
++		goto done;
++	}
++
+ 	/*
+ 	 * Process receive opt record.
+ 	 */
+Index: bind-9.10.2-P4/lib/dns/xfrin.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/xfrin.c
++++ bind-9.10.2-P4/lib/dns/xfrin.c
+@@ -1225,6 +1225,8 @@ xfrin_recv_done(isc_task_t *task, isc_ev
+ 	msg->tsigctx = xfr->tsigctx;
+ 	xfr->tsigctx = NULL;
+ 
++	dns_message_setclass(msg, xfr->rdclass);
++
+ 	if (xfr->nmsg > 0)
+ 		msg->tcp_continuation = 1;
+ 
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,4 +1,9 @@
+-	--- 9.10.2-P4 released ---
++4260.  [security]      Insufficient testing when parsing a message allowed
++                       records with an incorrect class to be be accepted,
++                       triggering a REQUIRE failure when those records
++                       were subsequently cached. (CVE-2015-8000) [RT #4098]
++
++    --- 9.10.2-P4 released ---
+ 
+ 4170.	[security]	An incorrect boundary check in the OPENPGPKEY
+ 			rdatatype could trigger an assertion failure.
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch
new file mode 100644
index 0000000..88e9c83
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch
@@ -0,0 +1,44 @@
+From adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 25 Jun 2015 18:36:27 +1000
+Subject: [PATCH] 4146.   [bug]           Address reference leak that could
+ prevent a clean                         shutdown. [RT #37125]
+
+Upstream-Status: Backport
+
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d
+
+CVE: CVE-2015-8461
+Signed-off-by:  Armin Kuster <akuster@mvista.com>
+---
+ CHANGES            | 3 +++
+ lib/dns/resolver.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,6 @@
++4146.  [bug]           Address reference leak that could prevent a clean
++                       shutdown. [RT #37125]
++
+ 4260.  [security]      Insufficient testing when parsing a message allowed
+                        records with an incorrect class to be be accepted,
+                        triggering a REQUIRE failure when those records
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
++++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -1649,6 +1649,11 @@ fctx_query(fetchctx_t *fctx, dns_adbaddr
+ 	if (query->dispatch != NULL)
+ 		dns_dispatch_detach(&query->dispatch);
+ 
++	LOCK(&res->buckets[fctx->bucketnum].lock);
++	INSIST(fctx->references > 1);
++	fctx->references--;
++	UNLOCK(&res->buckets[fctx->bucketnum].lock);
++
+  cleanup_query:
+ 	if (query->connects == 0) {
+ 		query->magic = 0;
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-8704.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-8704.patch
new file mode 100644
index 0000000..d5bf740
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-8704.patch
@@ -0,0 +1,28 @@
+a buffer size check can cause denial of service under certain circumstances 
+
+[security]
+The following flaw in BIND was reported by ISC:
+
+A buffer size check used to guard against overflow could cause named to exit with an INSIST failure In apl_42.c.
+
+A server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8704
+
+[The patch is taken from BIND 9.10.3:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8704]
+
+Signed-off-by: Derek Straka <derek@asterius.io>
+diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c
+index bedd38e..28eb7f2 100644
+--- a/lib/dns/rdata/in_1/apl_42.c
++++ b/lib/dns/rdata/in_1/apl_42.c
+@@ -116,7 +116,7 @@ totext_in_apl(ARGS_TOTEXT) {
+	isc_uint8_t len;
+	isc_boolean_t neg;
+	unsigned char buf[16];
+-	char txt[sizeof(" !64000")];
++	char txt[sizeof(" !64000:")];
+	const char *sep = "";
+	int n;
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-8705.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-8705.patch
new file mode 100644
index 0000000..c4a052d
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-8705.patch
@@ -0,0 +1,44 @@
+a crash or assertion failure can during format processing 
+
+[security]
+The following flaw in BIND was reported by ISC:
+
+In versions of BIND 9.10, errors can occur when OPT pseudo-RR data or ECS options are formatted to text. In 9.10.3 through 9.10.3-P2, the issue may result in a REQUIRE assertion failure in buffer.c.
+
+This issue can affect both authoritative and recursive servers if they are performing debug logging. (It may also crash related tools which use the same code, such as dig or delv.)
+
+A server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8705
+
+[The patch is taken from BIND 9.10.3:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8705]
+
+Signed-off-by: Derek Straka <derek@asterius.io>
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index ea7b93a..810c58e 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -3310,9 +3310,19 @@
+ 			} else if (optcode == DNS_OPT_SIT) {
+ 				ADD_STRING(target, "; SIT");
+ 			} else if (optcode == DNS_OPT_CLIENT_SUBNET) {
++				isc_buffer_t ecsbuf;
+ 				ADD_STRING(target, "; CLIENT-SUBNET: ");
+-				render_ecs(&optbuf, target);
+-				ADD_STRING(target, "\n");
++				isc_buffer_init(&ecsbuf,
++							isc_buffer_current(&optbuf),
++							optlen);
++				isc_buffer_add(&ecsbuf, optlen);
++				result = render_ecs(&ecsbuf, target);
++				if (result == ISC_R_NOSPACE)
++					return (result);
++				if (result == ISC_R_SUCCESS) {
++					isc_buffer_forward(&optbuf, optlen);
++                                        ADD_STRING(target, "\n");
++                }
+ 				continue;
+ 			} else if (optcode == DNS_OPT_EXPIRE) {
+ 				if (optlen == 4) {
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index efae289..19f87d7 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -20,6 +20,11 @@
            file://0001-build-use-pkg-config-to-find-libxml2.patch \
            file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
            file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \
+           file://0001-lib-dns-gen.c-fix-too-long-error.patch \
+           file://CVE-2015-8704.patch \
+           file://CVE-2015-8705.patch \
+           file://CVE-2015-8000.patch \
+           file://CVE-2015-8461.patch \
            "
 
 SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"
diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc
index 039c443..df42c88 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -18,7 +18,6 @@
 
 SRC_URI = "\
     ${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
-    file://bluetooth.conf \
 "
 S = "${WORKDIR}/bluez-${PV}"
 
@@ -53,8 +52,8 @@
 	if [ -f ${S}/profiles/input/input.conf ]; then
 	    install -m 0644 ${S}/profiles/input/input.conf ${D}/${sysconfdir}/bluetooth/
 	fi
-	# at_console doesn't really work with the current state of OE, so punch some more holes so people can actually use BT
-	install -m 0644 ${WORKDIR}/bluetooth.conf ${D}/${sysconfdir}/dbus-1/system.d/
+
+	install -m 0644 ${S}/src/bluetooth.conf ${D}/${sysconfdir}/dbus-1/system.d/
 
 	# Install desired tools that upstream leaves in build area
         for f in ${NOINST_TOOLS} ; do
diff --git a/meta/recipes-connectivity/bluez5/bluez5/bluetooth.conf b/meta/recipes-connectivity/bluez5/bluez5/bluetooth.conf
deleted file mode 100644
index 26845bb..0000000
--- a/meta/recipes-connectivity/bluez5/bluez5/bluetooth.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-<!-- This configuration file specifies the required security policies
-     for Bluetooth core daemon to work. -->
-
-<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-
-  <!-- ../system.conf have denied everything, so we just punch some holes -->
-
-  <policy context="default">
-    <allow own="org.bluez"/>
-    <allow send_destination="org.bluez"/>
-    <allow send_interface="org.bluez.Agent1"/>
-    <allow send_type="method_call"/>
-  </policy>
-
-</busconfig>
diff --git a/meta/recipes-connectivity/connman/connman-conf.bb b/meta/recipes-connectivity/connman/connman-conf.bb
index bd4c28d..9254ed7 100644
--- a/meta/recipes-connectivity/connman/connman-conf.bb
+++ b/meta/recipes-connectivity/connman/connman-conf.bb
@@ -13,14 +13,14 @@
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
-FILES_${PN} = "${localstatedir}/* ${libdir}/*"
+FILES_${PN} = "${localstatedir}/* ${datadir}/*"
 
 do_install() {
     #Configure Wired network interface in case of qemu* machines
     if test -e ${WORKDIR}/wired.config && test -e ${WORKDIR}/wired-setup; then
         install -d ${D}${localstatedir}/lib/connman
         install -m 0644 ${WORKDIR}/wired.config ${D}${localstatedir}/lib/connman
-        install -d ${D}${libdir}/connman
-        install -m 0755 ${WORKDIR}/wired-setup ${D}${libdir}/connman
+        install -d ${D}${datadir}/connman
+        install -m 0755 ${WORKDIR}/wired-setup ${D}${datadir}/connman
     fi
 }
diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
index f5575d2..7b875f0 100644
--- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
+++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
@@ -6,7 +6,7 @@
                     file://properties/main.c;beginline=1;endline=20;md5=50c77c81871308b033ab7a1504626afb \
                     file://common/connman-dbus.c;beginline=1;endline=20;md5=de6b485c0e717a0236402d220187717a"
 
-DEPENDS = "gtk+ dbus-glib intltool-native"
+DEPENDS = "gtk+ dbus-glib intltool-native gettext-native"
 
 # 0.7 tag
 SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143"
@@ -19,7 +19,8 @@
 
 S = "${WORKDIR}/git"
 
-inherit autotools-brokensep gtk-icon-cache pkgconfig
+inherit autotools-brokensep gtk-icon-cache pkgconfig distro_features_check
+ANY_OF_DISTRO_FEATURES = "${GTK2DISTROFEATURES}"
 
 RDEPENDS_${PN} = "connman"
 
diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index 17dc4b9..afdb3f2 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -30,6 +30,7 @@
     --disable-polkit \
     --enable-client \
 "
+CFLAGS += "-D_GNU_SOURCE"
 
 PACKAGECONFIG ??= "wispr \
                    ${@bb.utils.contains('DISTRO_FEATURES', 'systemd','systemd', '', d)} \
@@ -67,15 +68,9 @@
 
 SYSTEMD_SERVICE_${PN} = "connman.service"
 SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service"
-SYSTEMD_WIRED_SETUP = "ExecStartPre=-${libdir}/connman/wired-setup"
+SYSTEMD_WIRED_SETUP = "ExecStartPre=-${datadir}/connman/wired-setup"
 
-# This allows *everyone* to access ConnMan over DBus, without any access
-# control.  Really the at_console flag should work, which would mean that
-# both this and the xuser patch can be dropped.
 do_compile_append() {
-	sed -i -e s:deny:allow:g ${S}/src/connman-dbus.conf
-	sed -i -e s:deny:allow:g ${S}/vpn/vpn-dbus.conf
-
 	sed -i "s#ExecStart=#${SYSTEMD_WIRED_SETUP}\nExecStart=#" ${B}/src/connman.service
 }
 
@@ -83,7 +78,7 @@
 	if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
 		install -d ${D}${sysconfdir}/init.d
 		install -m 0755 ${WORKDIR}/connman ${D}${sysconfdir}/init.d/connman
-		sed -i s%@LIBDIR@%${libdir}% ${D}${sysconfdir}/init.d/connman
+		sed -i s%@DATADIR@%${datadir}% ${D}${sysconfdir}/init.d/connman
 	fi
 
 	install -d ${D}${bindir}
@@ -112,7 +107,6 @@
 
 RDEPENDS_${PN} = "\
 	dbus \
-	${@base_conditional('ROOTLESS_X', '1', 'xuser-account', '', d)} \
 	"
 
 PACKAGES_DYNAMIC += "^${PN}-plugin-.*"
diff --git a/meta/recipes-connectivity/connman/connman/0001-Detect-backtrace-API-availability-before-using-it.patch b/meta/recipes-connectivity/connman/connman/0001-Detect-backtrace-API-availability-before-using-it.patch
new file mode 100644
index 0000000..5dc6fd6
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/0001-Detect-backtrace-API-availability-before-using-it.patch
@@ -0,0 +1,55 @@
+From 00d4447395725abaa651e12ed40095081e04011e Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 13 Sep 2015 13:22:01 -0700
+Subject: [PATCH 1/3] Detect backtrace() API availability before using it
+
+C libraries besides glibc do not have backtrace() implemented
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ configure.ac | 2 ++
+ src/log.c    | 5 ++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 69c0eeb..90099f2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -171,6 +171,8 @@ fi
+ AM_CONDITIONAL(PPTP, test "${enable_pptp}" != "no")
+ AM_CONDITIONAL(PPTP_BUILTIN, test "${enable_pptp}" = "builtin")
+ 
++AC_CHECK_HEADERS([execinfo.h])
++
+ AC_CHECK_HEADERS(resolv.h, dummy=yes,
+ 	AC_MSG_ERROR(resolver header files are required))
+ AC_CHECK_LIB(resolv, ns_initparse, dummy=yes, [
+diff --git a/src/log.c b/src/log.c
+index a693bd0..5b40c1f 100644
+--- a/src/log.c
++++ b/src/log.c
+@@ -30,7 +30,6 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <syslog.h>
+-#include <execinfo.h>
+ #include <dlfcn.h>
+ 
+ #include "connman.h"
+@@ -215,9 +214,9 @@ static void print_backtrace(unsigned int offset)
+ static void signal_handler(int signo)
+ {
+ 	connman_error("Aborting (signal %d) [%s]", signo, program_exec);
+-
++#ifdef HAVE_EXECINFO_H
+ 	print_backtrace(2);
+-
++#endif /* HAVE_EXECINFO_H */
+ 	exit(EXIT_FAILURE);
+ }
+ 
+-- 
+2.5.1
+
diff --git a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
new file mode 100644
index 0000000..0593427
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch
@@ -0,0 +1,77 @@
+From 10b0d16d04b811b1ccd1f9b0cfe757bce8d876a1 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 6 Apr 2015 23:02:21 -0700
+Subject: [PATCH 2/3] resolve: musl does not implement res_ninit
+
+ported from
+http://git.alpinelinux.org/cgit/aports/plain/testing/connman/libresolv.patch
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ gweb/gresolv.c | 33 ++++++++++++---------------------
+ 1 file changed, 12 insertions(+), 21 deletions(-)
+
+diff --git a/gweb/gresolv.c b/gweb/gresolv.c
+index 5cf7a9a..3ad8e70 100644
+--- a/gweb/gresolv.c
++++ b/gweb/gresolv.c
+@@ -875,8 +875,6 @@ GResolv *g_resolv_new(int index)
+ 	resolv->index = index;
+ 	resolv->nameserver_list = NULL;
+ 
+-	res_ninit(&resolv->res);
+-
+ 	return resolv;
+ }
+ 
+@@ -916,8 +914,6 @@ void g_resolv_unref(GResolv *resolv)
+ 
+ 	flush_nameservers(resolv);
+ 
+-	res_nclose(&resolv->res);
+-
+ 	g_free(resolv);
+ }
+ 
+@@ -1020,24 +1016,19 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname,
+ 	debug(resolv, "hostname %s", hostname);
+ 
+ 	if (!resolv->nameserver_list) {
+-		int i;
+-
+-		for (i = 0; i < resolv->res.nscount; i++) {
+-			char buf[100];
+-			int family = resolv->res.nsaddr_list[i].sin_family;
+-			void *sa_addr = &resolv->res.nsaddr_list[i].sin_addr;
+-
+-			if (family != AF_INET &&
+-					resolv->res._u._ext.nsaddrs[i]) {
+-				family = AF_INET6;
+-				sa_addr = &resolv->res._u._ext.nsaddrs[i]->sin6_addr;
++		FILE *f = fopen("/etc/resolv.conf", "r");
++		if (f) {
++			char line[256], *s;
++			int i;
++			while (fgets(line, sizeof(line), f)) {
++				if (strncmp(line, "nameserver", 10) || !isspace(line[10]))
++					continue;
++				for (s = &line[11]; isspace(s[0]); s++);
++				for (i = 0; s[i] && !isspace(s[i]); i++);
++				s[i] = 0;
++				g_resolv_add_nameserver(resolv, s, 53, 0);
+ 			}
+-
+-			if (family != AF_INET && family != AF_INET6)
+-				continue;
+-
+-			if (inet_ntop(family, sa_addr, buf, sizeof(buf)))
+-				g_resolv_add_nameserver(resolv, buf, 53, 0);
++			fclose(f);
+ 		}
+ 
+ 		if (!resolv->nameserver_list)
+-- 
+2.5.1
+
diff --git a/meta/recipes-connectivity/connman/connman/0003-Fix-header-inclusions-for-musl.patch b/meta/recipes-connectivity/connman/connman/0003-Fix-header-inclusions-for-musl.patch
new file mode 100644
index 0000000..6327aa2
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/0003-Fix-header-inclusions-for-musl.patch
@@ -0,0 +1,85 @@
+From 67645a01a2f3f52625d8dd77f2811a9e213e1b7d Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 13 Sep 2015 13:28:20 -0700
+Subject: [PATCH] Fix header inclusions for musl
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ gweb/gresolv.c        | 1 +
+ plugins/wifi.c        | 3 +--
+ src/tethering.c       | 2 --
+ tools/dhcp-test.c     | 1 -
+ tools/dnsproxy-test.c | 1 +
+ 5 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/gweb/gresolv.c b/gweb/gresolv.c
+index 3ad8e70..61d6fe8 100644
+--- a/gweb/gresolv.c
++++ b/gweb/gresolv.c
+@@ -28,6 +28,7 @@
+ #include <stdarg.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <stdio.h>
+ #include <resolv.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+diff --git a/plugins/wifi.c b/plugins/wifi.c
+index dfe849f..99cff3f 100644
+--- a/plugins/wifi.c
++++ b/plugins/wifi.c
+@@ -30,9 +30,8 @@
+ #include <string.h>
+ #include <sys/ioctl.h>
+ #include <sys/socket.h>
+-#include <linux/if_arp.h>
+-#include <linux/wireless.h>
+ #include <net/ethernet.h>
++#include <linux/wireless.h>
+ 
+ #ifndef IFF_LOWER_UP
+ #define IFF_LOWER_UP	0x10000
+diff --git a/src/tethering.c b/src/tethering.c
+index ceeec74..c44cb36 100644
+--- a/src/tethering.c
++++ b/src/tethering.c
+@@ -31,10 +31,8 @@
+ #include <stdio.h>
+ #include <sys/ioctl.h>
+ #include <net/if.h>
+-#include <linux/sockios.h>
+ #include <string.h>
+ #include <fcntl.h>
+-#include <linux/if_tun.h>
+ #include <netinet/in.h>
+ #include <linux/if_bridge.h>
+ 
+diff --git a/tools/dhcp-test.c b/tools/dhcp-test.c
+index c34e10a..eae66fc 100644
+--- a/tools/dhcp-test.c
++++ b/tools/dhcp-test.c
+@@ -33,7 +33,6 @@
+ #include <arpa/inet.h>
+ #include <net/route.h>
+ #include <net/ethernet.h>
+-#include <linux/if_arp.h>
+ 
+ #include <gdhcp/gdhcp.h>
+ 
+diff --git a/tools/dnsproxy-test.c b/tools/dnsproxy-test.c
+index 551cae9..226ba86 100644
+--- a/tools/dnsproxy-test.c
++++ b/tools/dnsproxy-test.c
+@@ -27,6 +27,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <stdio.h>
+ #include <arpa/inet.h>
+ #include <netinet/in.h>
+ #include <sys/types.h>
+-- 
+2.5.1
+
diff --git a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch b/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
deleted file mode 100644
index 707b3ca..0000000
--- a/meta/recipes-connectivity/connman/connman/add_xuser_dbus_permission.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Because Poky doesn't support at_console we need to special-case the session
-user.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/src/connman-dbus.conf b/src/connman-dbus.conf
-index 98a773e..466809c 100644
---- a/src/connman-dbus.conf
-+++ b/src/connman-dbus.conf
-@@ -8,6 +8,9 @@
-         <allow send_interface="net.connman.Counter"/>
-         <allow send_interface="net.connman.Notification"/>
-     </policy>
-+    <policy user="xuser">
-+        <allow send_destination="net.connman"/>
-+    </policy>
-     <policy at_console="true">
-         <allow send_destination="net.connman"/>
-     </policy>
diff --git a/meta/recipes-connectivity/connman/connman/connman b/meta/recipes-connectivity/connman/connman/connman
index bf7a94a..c64fa0d 100644
--- a/meta/recipes-connectivity/connman/connman/connman
+++ b/meta/recipes-connectivity/connman/connman/connman
@@ -49,8 +49,8 @@
 		fi
 	    fi
 	fi
-	if [ -f @LIBDIR@/connman/wired-setup ] ; then
-		. @LIBDIR@/connman/wired-setup
+	if [ -f @DATADIR@/connman/wired-setup ] ; then
+		. @DATADIR@/connman/wired-setup
 	fi
 	$DAEMON $EXTRA_PARAM
 }
diff --git a/meta/recipes-connectivity/connman/connman_1.30.bb b/meta/recipes-connectivity/connman/connman_1.30.bb
index 8c47353..7d65ac9 100644
--- a/meta/recipes-connectivity/connman/connman_1.30.bb
+++ b/meta/recipes-connectivity/connman/connman_1.30.bb
@@ -2,7 +2,9 @@
 
 SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
             file://0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch \
-            file://add_xuser_dbus_permission.patch \
+            file://0001-Detect-backtrace-API-availability-before-using-it.patch \
+            file://0002-resolve-musl-does-not-implement-res_ninit.patch \
+            file://0003-Fix-header-inclusions-for-musl.patch \
             file://connman \
             "
 SRC_URI[md5sum] = "4a3efdbd6796922db9c6f66da57887fa"
diff --git a/meta/recipes-connectivity/iproute2/iproute2.inc b/meta/recipes-connectivity/iproute2/iproute2.inc
index a53a4e6..29f9062 100644
--- a/meta/recipes-connectivity/iproute2/iproute2.inc
+++ b/meta/recipes-connectivity/iproute2/iproute2.inc
@@ -15,6 +15,12 @@
 
 EXTRA_OEMAKE = "CC='${CC}' KERNEL_INCLUDE=${STAGING_INCDIR} DOCDIR=${docdir}/iproute2 SUBDIRS='lib tc ip' SBINDIR='${base_sbindir}' LIBDIR='${libdir}'"
 
+do_configure_append () {
+    sh configure ${STAGING_INCDIR}
+    # Explicitly disable ATM support
+    sed -i -e '/TC_CONFIG_ATM/d' Config
+}
+
 do_install () {
     oe_runmake DESTDIR=${D} install
     mv ${D}${base_sbindir}/ip ${D}${base_sbindir}/ip.iproute2
diff --git a/meta/recipes-connectivity/irda-utils/irda-utils_0.9.18.bb b/meta/recipes-connectivity/irda-utils/irda-utils_0.9.18.bb
index 8ac3b18..bd2f815 100644
--- a/meta/recipes-connectivity/irda-utils/irda-utils_0.9.18.bb
+++ b/meta/recipes-connectivity/irda-utils/irda-utils_0.9.18.bb
@@ -3,7 +3,7 @@
 IrDA allows communication over Infrared with other devices \
 such as phones and laptops."
 HOMEPAGE = "http://irda.sourceforge.net/"
-BUGTRACKER = "irda-users@lists.sourceforge.net"
+BUGTRACKER = "http://sourceforge.net/p/irda/bugs/"
 SECTION = "base"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://irdadump/COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch
new file mode 100644
index 0000000..9fac69c
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_2.patch
@@ -0,0 +1,65 @@
+From f98a09cacff7baad8748c9aa217afd155a4d493f Mon Sep 17 00:00:00 2001
+From: "mmcc@openbsd.org" <mmcc@openbsd.org>
+Date: Tue, 20 Oct 2015 03:36:35 +0000
+Subject: [PATCH] upstream commit
+
+Replace a function-local allocation with stack memory.
+
+ok djm@
+
+Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e
+Upstream-Status: Backport
+CVE: CVE-2016-1907
+
+[YOCTO #8935]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ clientloop.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index 87ceb3d..1e05cba 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */
++/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -311,11 +311,10 @@ client_x11_get_proto(const char *display, const char *xauth_path,
+ 	static char proto[512], data[512];
+ 	FILE *f;
+ 	int got_data = 0, generated = 0, do_unlink = 0, i;
+-	char *xauthdir, *xauthfile;
++	char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
+ 	struct stat st;
+ 	u_int now, x11_timeout_real;
+ 
+-	xauthdir = xauthfile = NULL;
+ 	*_proto = proto;
+ 	*_data = data;
+ 	proto[0] = data[0] = '\0';
+@@ -343,8 +342,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
+ 			display = xdisplay;
+ 		}
+ 		if (trusted == 0) {
+-			xauthdir = xmalloc(PATH_MAX);
+-			xauthfile = xmalloc(PATH_MAX);
+ 			mktemp_proto(xauthdir, PATH_MAX);
+ 			/*
+ 			 * The authentication cookie should briefly outlive
+@@ -407,8 +404,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
+ 		unlink(xauthfile);
+ 		rmdir(xauthdir);
+ 	}
+-	free(xauthdir);
+-	free(xauthfile);
+ 
+ 	/*
+ 	 * If we didn't get authentication data, just make up some
+-- 
+1.9.1
+
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch
new file mode 100644
index 0000000..3dfc51a
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_3.patch
@@ -0,0 +1,329 @@
+From ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 13 Jan 2016 23:04:47 +0000
+Subject: [PATCH] upstream commit
+
+eliminate fallback from untrusted X11 forwarding to trusted
+ forwarding when the X server disables the SECURITY extension; Reported by
+ Thomas Hoger; ok deraadt@
+
+Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
+Upstream-Status: Backport
+CVE: CVE-2016-1907
+
+[YOCTO #8935]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ clientloop.c | 114 ++++++++++++++++++++++++++++++++++++-----------------------
+ clientloop.h |   4 +--
+ mux.c        |  22 ++++++------
+ ssh.c        |  23 +++++-------
+ 4 files changed, 93 insertions(+), 70 deletions(-)
+
+Index: openssh-7.1p2/clientloop.c
+===================================================================
+--- openssh-7.1p2.orig/clientloop.c
++++ openssh-7.1p2/clientloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.c,v 1.276 2015/10/20 03:36:35 mmcc Exp $ */
++/* $OpenBSD: clientloop.c,v 1.279 2016/01/13 23:04:47 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -288,6 +288,9 @@ client_x11_display_valid(const char *dis
+ {
+ 	size_t i, dlen;
+ 
++	if (display == NULL)
++		return 0;
++
+ 	dlen = strlen(display);
+ 	for (i = 0; i < dlen; i++) {
+ 		if (!isalnum((u_char)display[i]) &&
+@@ -301,34 +304,33 @@ client_x11_display_valid(const char *dis
+ 
+ #define SSH_X11_PROTO		"MIT-MAGIC-COOKIE-1"
+ #define X11_TIMEOUT_SLACK	60
+-void
++int
+ client_x11_get_proto(const char *display, const char *xauth_path,
+     u_int trusted, u_int timeout, char **_proto, char **_data)
+ {
+-	char cmd[1024];
+-	char line[512];
+-	char xdisplay[512];
++	char cmd[1024], line[512], xdisplay[512];
++	char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
+ 	static char proto[512], data[512];
+ 	FILE *f;
+-	int got_data = 0, generated = 0, do_unlink = 0, i;
+-	char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
++	int got_data = 0, generated = 0, do_unlink = 0, i, r;
+ 	struct stat st;
+ 	u_int now, x11_timeout_real;
+ 
+ 	*_proto = proto;
+ 	*_data = data;
+-	proto[0] = data[0] = '\0';
++	proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
+ 
+-	if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
+-		debug("No xauth program.");
+-	} else if (!client_x11_display_valid(display)) {
+-		logit("DISPLAY '%s' invalid, falling back to fake xauth data",
++	if (!client_x11_display_valid(display)) {
++		logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
+ 		    display);
+-	} else {
+-		if (display == NULL) {
+-			debug("x11_get_proto: DISPLAY not set");
+-			return;
+-		}
++		return -1;
++	}
++	if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
++		debug("No xauth program.");
++		xauth_path = NULL;
++	}
++
++	if (xauth_path != NULL) {
+ 		/*
+ 		 * Handle FamilyLocal case where $DISPLAY does
+ 		 * not match an authorization entry.  For this we
+@@ -337,43 +339,60 @@ client_x11_get_proto(const char *display
+ 		 *      is not perfect.
+ 		 */
+ 		if (strncmp(display, "localhost:", 10) == 0) {
+-			snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
+-			    display + 10);
++			if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
++			    display + 10)) < 0 ||
++			    (size_t)r >= sizeof(xdisplay)) {
++				error("%s: display name too long", __func__);
++				return -1;
++			}
+ 			display = xdisplay;
+ 		}
+ 		if (trusted == 0) {
+-			mktemp_proto(xauthdir, PATH_MAX);
+ 			/*
++			 * Generate an untrusted X11 auth cookie.
++			 *
+ 			 * The authentication cookie should briefly outlive
+ 			 * ssh's willingness to forward X11 connections to
+ 			 * avoid nasty fail-open behaviour in the X server.
+ 			 */
++			mktemp_proto(xauthdir, sizeof(xauthdir));
++			if (mkdtemp(xauthdir) == NULL) {
++				error("%s: mkdtemp: %s",
++				    __func__, strerror(errno));
++				return -1;
++			}
++			do_unlink = 1;
++			if ((r = snprintf(xauthfile, sizeof(xauthfile),
++			    "%s/xauthfile", xauthdir)) < 0 ||
++			    (size_t)r >= sizeof(xauthfile)) {
++				error("%s: xauthfile path too long", __func__);
++				unlink(xauthfile);
++				rmdir(xauthdir);
++				return -1;
++			}
++
+ 			if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
+ 				x11_timeout_real = UINT_MAX;
+ 			else
+ 				x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
+-			if (mkdtemp(xauthdir) != NULL) {
+-				do_unlink = 1;
+-				snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
+-				    xauthdir);
+-				snprintf(cmd, sizeof(cmd),
+-				    "%s -f %s generate %s " SSH_X11_PROTO
+-				    " untrusted timeout %u 2>" _PATH_DEVNULL,
+-				    xauth_path, xauthfile, display,
+-				    x11_timeout_real);
+-				debug2("x11_get_proto: %s", cmd);
+-				if (x11_refuse_time == 0) {
+-					now = monotime() + 1;
+-					if (UINT_MAX - timeout < now)
+-						x11_refuse_time = UINT_MAX;
+-					else
+-						x11_refuse_time = now + timeout;
+-					channel_set_x11_refuse_time(
+-					    x11_refuse_time);
+-				}
+-				if (system(cmd) == 0)
+-					generated = 1;
++			if ((r = snprintf(cmd, sizeof(cmd),
++			    "%s -f %s generate %s " SSH_X11_PROTO
++			    " untrusted timeout %u 2>" _PATH_DEVNULL,
++			    xauth_path, xauthfile, display,
++			    x11_timeout_real)) < 0 ||
++			    (size_t)r >= sizeof(cmd))
++				fatal("%s: cmd too long", __func__);
++			debug2("%s: %s", __func__, cmd);
++			if (x11_refuse_time == 0) {
++				now = monotime() + 1;
++				if (UINT_MAX - timeout < now)
++					x11_refuse_time = UINT_MAX;
++				else
++					x11_refuse_time = now + timeout;
++				channel_set_x11_refuse_time(x11_refuse_time);
+ 			}
++			if (system(cmd) == 0)
++				generated = 1;
+ 		}
+ 
+ 		/*
+@@ -395,9 +414,7 @@ client_x11_get_proto(const char *display
+ 				got_data = 1;
+ 			if (f)
+ 				pclose(f);
+-		} else
+-			error("Warning: untrusted X11 forwarding setup failed: "
+-			    "xauth key data not generated");
++		}
+ 	}
+ 
+ 	if (do_unlink) {
+@@ -405,6 +422,13 @@ client_x11_get_proto(const char *display
+ 		rmdir(xauthdir);
+ 	}
+ 
++	/* Don't fall back to fake X11 data for untrusted forwarding */
++	if (!trusted && !got_data) {
++		error("Warning: untrusted X11 forwarding setup failed: "
++		    "xauth key data not generated");
++		return -1;
++	}
++
+ 	/*
+ 	 * If we didn't get authentication data, just make up some
+ 	 * data.  The forwarding code will check the validity of the
+@@ -427,6 +451,8 @@ client_x11_get_proto(const char *display
+ 			rnd >>= 8;
+ 		}
+ 	}
++
++	return 0;
+ }
+ 
+ /*
+Index: openssh-7.1p2/clientloop.h
+===================================================================
+--- openssh-7.1p2.orig/clientloop.h
++++ openssh-7.1p2/clientloop.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */
++/* $OpenBSD: clientloop.h,v 1.32 2016/01/13 23:04:47 djm Exp $ */
+ 
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+@@ -39,7 +39,7 @@
+ 
+ /* Client side main loop for the interactive session. */
+ int	 client_loop(int, int, int);
+-void	 client_x11_get_proto(const char *, const char *, u_int, u_int,
++int	 client_x11_get_proto(const char *, const char *, u_int, u_int,
+ 	    char **, char **);
+ void	 client_global_request_reply_fwd(int, u_int32_t, void *);
+ void	 client_session2_setup(int, int, int, const char *, struct termios *,
+Index: openssh-7.1p2/mux.c
+===================================================================
+--- openssh-7.1p2.orig/mux.c
++++ openssh-7.1p2/mux.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */
++/* $OpenBSD: mux.c,v 1.58 2016/01/13 23:04:47 djm Exp $ */
+ /*
+  * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
+  *
+@@ -1354,16 +1354,18 @@ mux_session_confirm(int id, int success,
+ 		char *proto, *data;
+ 
+ 		/* Get reasonable local authentication information. */
+-		client_x11_get_proto(display, options.xauth_location,
++		if (client_x11_get_proto(display, options.xauth_location,
+ 		    options.forward_x11_trusted, options.forward_x11_timeout,
+-		    &proto, &data);
+-		/* Request forwarding with authentication spoofing. */
+-		debug("Requesting X11 forwarding with authentication "
+-		    "spoofing.");
+-		x11_request_forwarding_with_spoofing(id, display, proto,
+-		    data, 1);
+-		client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN);
+-		/* XXX exit_on_forward_failure */
++		    &proto, &data) == 0) {
++			/* Request forwarding with authentication spoofing. */
++			debug("Requesting X11 forwarding with authentication "
++			    "spoofing.");
++			x11_request_forwarding_with_spoofing(id, display, proto,
++			    data, 1);
++			/* XXX exit_on_forward_failure */
++			client_expect_confirm(id, "X11 forwarding",
++			    CONFIRM_WARN);
++		}
+ 	}
+ 
+ 	if (cctx->want_agent_fwd && options.forward_agent) {
+Index: openssh-7.1p2/ssh.c
+===================================================================
+--- openssh-7.1p2.orig/ssh.c
++++ openssh-7.1p2/ssh.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh.c,v 1.420 2015/07/30 00:01:34 djm Exp $ */
++/* $OpenBSD: ssh.c,v 1.433 2016/01/13 23:04:47 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1604,6 +1604,7 @@ ssh_session(void)
+ 	struct winsize ws;
+ 	char *cp;
+ 	const char *display;
++	char *proto = NULL, *data = NULL;
+ 
+ 	/* Enable compression if requested. */
+ 	if (options.compression) {
+@@ -1674,13 +1675,9 @@ ssh_session(void)
+ 	display = getenv("DISPLAY");
+ 	if (display == NULL && options.forward_x11)
+ 		debug("X11 forwarding requested but DISPLAY not set");
+-	if (options.forward_x11 && display != NULL) {
+-		char *proto, *data;
+-		/* Get reasonable local authentication information. */
+-		client_x11_get_proto(display, options.xauth_location,
+-		    options.forward_x11_trusted,
+-		    options.forward_x11_timeout,
+-		    &proto, &data);
++	if (options.forward_x11 && client_x11_get_proto(display,
++	    options.xauth_location, options.forward_x11_trusted,
++	    options.forward_x11_timeout, &proto, &data) == 0) {
+ 		/* Request forwarding with authentication spoofing. */
+ 		debug("Requesting X11 forwarding with authentication "
+ 		    "spoofing.");
+@@ -1770,6 +1767,7 @@ ssh_session2_setup(int id, int success,
+ 	extern char **environ;
+ 	const char *display;
+ 	int interactive = tty_flag;
++	char *proto = NULL, *data = NULL;
+ 
+ 	if (!success)
+ 		return; /* No need for error message, channels code sens one */
+@@ -1777,12 +1775,9 @@ ssh_session2_setup(int id, int success,
+ 	display = getenv("DISPLAY");
+ 	if (display == NULL && options.forward_x11)
+ 		debug("X11 forwarding requested but DISPLAY not set");
+-	if (options.forward_x11 && display != NULL) {
+-		char *proto, *data;
+-		/* Get reasonable local authentication information. */
+-		client_x11_get_proto(display, options.xauth_location,
+-		    options.forward_x11_trusted,
+-		    options.forward_x11_timeout, &proto, &data);
++	if (options.forward_x11 && client_x11_get_proto(display,
++	    options.xauth_location, options.forward_x11_trusted,
++	    options.forward_x11_timeout, &proto, &data) == 0) {
+ 		/* Request forwarding with authentication spoofing. */
+ 		debug("Requesting X11 forwarding with authentication "
+ 		    "spoofing.");
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch
new file mode 100644
index 0000000..f3d132e
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2016-1907_upstream_commit.patch
@@ -0,0 +1,33 @@
+From d77148e3a3ef6c29b26ec74331455394581aa257 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 8 Nov 2015 21:59:11 +0000
+Subject: [PATCH] upstream commit
+
+fix OOB read in packet code caused by missing return
+ statement found by Ben Hawkes; ok markus@ deraadt@
+
+Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
+
+Upstream-Status: Backport
+CVE: CVE-2016-1907
+
+[YOCTO #8935]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ packet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: openssh-7.1p2/packet.c
+===================================================================
+--- openssh-7.1p2.orig/packet.c
++++ openssh-7.1p2/packet.c
+@@ -1855,6 +1855,7 @@ ssh_packet_process_incoming(struct ssh *
+ 		if (len >= state->packet_discard) {
+ 			if ((r = ssh_packet_stop_discard(ssh)) != 0)
+ 				return r;
++			return SSH_ERR_CONN_CORRUPT;
+ 		}
+ 		state->packet_discard -= len;
+ 		return 0;
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service
index bb2d68e..9d83dfb 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd@.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service
@@ -4,7 +4,9 @@
 After=sshdgenkeys.service
 
 [Service]
-ExecStart=-@SBINDIR@/sshd -i
+Environment="SSHD_OPTS="
+EnvironmentFile=-/etc/default/ssh
+ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS
 ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 StandardInput=socket
 StandardError=syslog
diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
index d65086f..148e6ad 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
@@ -1,11 +1,22 @@
 [Unit]
 Description=OpenSSH Key Generation
-ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
-ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
-ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
-ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+RequiresMountsFor=/var /run
+ConditionPathExists=!/var/run/ssh/ssh_host_rsa_key
+ConditionPathExists=!/var/run/ssh/ssh_host_dsa_key
+ConditionPathExists=!/var/run/ssh/ssh_host_ecdsa_key
+ConditionPathExists=!/var/run/ssh/ssh_host_ed25519_key
+ConditionPathExists=!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=!/etc/ssh/ssh_host_ed25519_key
 
 [Service]
-ExecStart=@BINDIR@/ssh-keygen -A
+Environment="SYSCONFDIR=/etc/ssh"
+EnvironmentFile=-/etc/default/ssh
+ExecStart=@BASE_BINDIR@/mkdir -p $SYSCONFDIR
+ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' -t rsa
+ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' -t dsa
+ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' -t ecdsa
+ExecStart=@BINDIR@/ssh-keygen -q -f ${SYSCONFDIR}/ssh_host_ed25519_key -N '' -t ed25519
 Type=oneshot
 RemainAfterExit=yes
diff --git a/meta/recipes-connectivity/openssh/openssh_7.1p1.bb b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
similarity index 93%
rename from meta/recipes-connectivity/openssh/openssh_7.1p1.bb
rename to meta/recipes-connectivity/openssh/openssh_7.1p2.bb
index eeeb4b4..714c391 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.1p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.1p2.bb
@@ -20,12 +20,15 @@
            file://sshdgenkeys.service \
            file://volatiles.99_sshd \
            file://add-test-support-for-busybox.patch \
-           file://run-ptest"
+           file://run-ptest \
+           file://CVE-2016-1907_upstream_commit.patch \
+           file://CVE-2016-1907_2.patch \
+           file://CVE-2016-1907_3.patch "
 
 PAM_SRC_URI = "file://sshd"
 
-SRC_URI[md5sum] = "8709736bc8a8c253bc4eeb4829888ca5"
-SRC_URI[sha256sum] = "fc0a6d2d1d063d5c66dffd952493d0cda256cad204f681de0f84ef85b2ad8428"
+SRC_URI[md5sum] = "4d8547670e2a220d5ef805ad9e47acf2"
+SRC_URI[sha256sum] = "dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd"
 
 inherit useradd update-rc.d update-alternatives systemd
 
@@ -87,7 +90,7 @@
 
 do_install_append () {
 	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then
-		install -D -m 0755 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
+		install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
 		sed -i -e 's:#UsePAM no:UsePAM yes:' ${WORKDIR}/sshd_config ${D}${sysconfdir}/ssh/sshd_config
 	fi
 
diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index 53dcfd9..8af423f 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -118,7 +118,7 @@
         linux-*-mips64)
                target=linux-mips
                 ;;
-	linux-microblaze*)
+	linux-microblaze*|linux-nios2*)
 		target=linux-generic32
 		;;
 	linux-powerpc)
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch b/meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch
new file mode 100644
index 0000000..39a2e5a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Add-test-for-CVE-2015-3194.patch
@@ -0,0 +1,66 @@
+From 00456fded43eadd4bb94bf675ae4ea5d158a764f Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Wed, 4 Nov 2015 13:30:03 +0000
+Subject: [PATCH] Add test for CVE-2015-3194
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+
+This patch was imported from 
+https://git.openssl.org/?p=openssl.git;a=commit;h=00456fded43eadd4bb94bf675ae4ea5d158a764f
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ test/certs/pss1.pem | 21 +++++++++++++++++++++
+ test/tx509          |  7 +++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 test/certs/pss1.pem
+
+diff --git a/test/certs/pss1.pem b/test/certs/pss1.pem
+new file mode 100644
+index 0000000..29da71d
+--- /dev/null
++++ b/test/certs/pss1.pem
+@@ -0,0 +1,21 @@
++-----BEGIN CERTIFICATE-----
++MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI
++AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD
++VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz
++NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj
++ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH
++qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL
++IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT
++IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k
++dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq
++QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa
++5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2
++4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB
++Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii
++BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb
++xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn
++plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY
++DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p
++NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ
++lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8=
++-----END CERTIFICATE-----
+diff --git a/test/tx509 b/test/tx509
+index 0ce3b52..77f5cac 100644
+--- a/test/tx509
++++ b/test/tx509
+@@ -74,5 +74,12 @@ if [ $? != 0 ]; then exit 1; fi
+ cmp x509-f.p x509-ff.p3
+ if [ $? != 0 ]; then exit 1; fi
+ 
++echo "Parsing test certificates"
++
++$cmd -in certs/pss1.pem -text -noout >/dev/null
++if [ $? != 0 ]; then exit 1; fi
++
++echo OK
++
+ /bin/rm -f x509-f.* x509-ff.* x509-fff.*
+ exit 0
+-- 
+2.3.5
+
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
new file mode 100644
index 0000000..125016a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch
@@ -0,0 +1,101 @@
+From d73cc256c8e256c32ed959456101b73ba9842f72 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Tue, 1 Dec 2015 09:00:32 +0100
+Subject: [PATCH] bn/asm/x86_64-mont5.pl: fix carry propagating bug
+ (CVE-2015-3193).
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(cherry picked from commit e7c078db57908cbf16074c68034977565ffaf107)
+
+Upstream-Status: Backport
+
+This patch was imported from 
+https://git.openssl.org/?p=openssl.git;a=commit;h=d73cc256c8e256c32ed959456101b73ba9842f72
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/bn/asm/x86_64-mont5.pl | 22 +++++++++++++++++++---
+ crypto/bn/bntest.c            | 18 ++++++++++++++++++
+ 2 files changed, 37 insertions(+), 3 deletions(-)
+
+Index: openssl-1.0.2d/crypto/bn/asm/x86_64-mont5.pl
+===================================================================
+--- openssl-1.0.2d.orig/crypto/bn/asm/x86_64-mont5.pl
++++ openssl-1.0.2d/crypto/bn/asm/x86_64-mont5.pl
+@@ -1779,6 +1779,15 @@ sqr8x_reduction:
+ .align	32
+ .L8x_tail_done:
+ 	add	(%rdx),%r8		# can this overflow?
++	adc	\$0,%r9
++	adc	\$0,%r10
++	adc	\$0,%r11
++	adc	\$0,%r12
++	adc	\$0,%r13
++	adc	\$0,%r14
++	adc	\$0,%r15		# can't overflow, because we
++					# started with "overhung" part
++					# of multiplication
+ 	xor	%rax,%rax
+ 
+ 	neg	$carry
+@@ -3125,6 +3134,15 @@ sqrx8x_reduction:
+ .align	32
+ .Lsqrx8x_tail_done:
+ 	add	24+8(%rsp),%r8		# can this overflow?
++	adc	\$0,%r9
++	adc	\$0,%r10
++	adc	\$0,%r11
++	adc	\$0,%r12
++	adc	\$0,%r13
++	adc	\$0,%r14
++	adc	\$0,%r15		# can't overflow, because we
++					# started with "overhung" part
++					# of multiplication
+ 	mov	$carry,%rax		# xor	%rax,%rax
+ 
+ 	sub	16+8(%rsp),$carry	# mov 16(%rsp),%cf
+@@ -3168,13 +3186,11 @@ my ($rptr,$nptr)=("%rdx","%rbp");
+ my @ri=map("%r$_",(10..13));
+ my @ni=map("%r$_",(14..15));
+ $code.=<<___;
+-	xor	%rbx,%rbx
++	xor	%ebx,%ebx
+ 	sub	%r15,%rsi		# compare top-most words
+ 	adc	%rbx,%rbx
+ 	mov	%rcx,%r10		# -$num
+-	.byte	0x67
+ 	or	%rbx,%rax
+-	.byte	0x67
+ 	mov	%rcx,%r9		# -$num
+ 	xor	\$1,%rax
+ 	sar	\$3+2,%rcx		# cf=0
+Index: openssl-1.0.2d/crypto/bn/bntest.c
+===================================================================
+--- openssl-1.0.2d.orig/crypto/bn/bntest.c
++++ openssl-1.0.2d/crypto/bn/bntest.c
+@@ -1027,6 +1027,24 @@ int test_mod_exp_mont_consttime(BIO *bp,
+             return 0;
+         }
+     }
++
++    /* Regression test for carry propagation bug in sqr8x_reduction */
++    BN_hex2bn(&a, "050505050505");
++    BN_hex2bn(&b, "02");
++    BN_hex2bn(&c,
++        "4141414141414141414141274141414141414141414141414141414141414141"
++        "4141414141414141414141414141414141414141414141414141414141414141"
++        "4141414141414141414141800000000000000000000000000000000000000000"
++        "0000000000000000000000000000000000000000000000000000000000000000"
++        "0000000000000000000000000000000000000000000000000000000000000000"
++        "0000000000000000000000000000000000000000000000000000000001");
++    BN_mod_exp(d, a, b, c, ctx);
++    BN_mul(e, a, a, ctx);
++    if (BN_cmp(d, e)) {
++        fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
++        return 0;
++    }
++
+     BN_free(a);
+     BN_free(b);
+     BN_free(c);
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch
new file mode 100644
index 0000000..13d4891
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-1-Add-PSS-parameter-check.patch
@@ -0,0 +1,45 @@
+From c394a488942387246653833359a5c94b5832674e Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Fri, 2 Oct 2015 12:35:19 +0100
+Subject: [PATCH] Add PSS parameter check.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoid seg fault by checking mgf1 parameter is not NULL. This can be
+triggered during certificate verification so could be a DoS attack
+against a client or a server enabling client authentication.
+
+Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
+
+CVE-2015-3194
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+
+This patch was imported from 
+https://git.openssl.org/?p=openssl.git;a=commit;h=c394a488942387246653833359a5c94b5832674e
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/rsa/rsa_ameth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
+index ca3922e..4e06218 100644
+--- a/crypto/rsa/rsa_ameth.c
++++ b/crypto/rsa/rsa_ameth.c
+@@ -268,7 +268,7 @@ static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg)
+ {
+     const unsigned char *p;
+     int plen;
+-    if (alg == NULL)
++    if (alg == NULL || alg->parameter == NULL)
+         return NULL;
+     if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
+         return NULL;
+-- 
+2.3.5
+
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
new file mode 100644
index 0000000..6fc4d0e
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
@@ -0,0 +1,66 @@
+From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Tue, 10 Nov 2015 19:03:07 +0000
+Subject: [PATCH] Fix leak with ASN.1 combine.
+
+When parsing a combined structure pass a flag to the decode routine
+so on error a pointer to the parent structure is not zeroed as
+this will leak any additional components in the parent.
+
+This can leak memory in any application parsing PKCS#7 or CMS structures.
+
+CVE-2015-3195.
+
+Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
+libFuzzer.
+
+PR#4131
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+
+This patch was imported from
+https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da5766243ed55d55948637d
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ crypto/asn1/tasn_dec.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
+index febf605..9256049 100644
+--- a/crypto/asn1/tasn_dec.c
++++ b/crypto/asn1/tasn_dec.c
+@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+     int otag;
+     int ret = 0;
+     ASN1_VALUE **pchptr, *ptmpval;
++    int combine = aclass & ASN1_TFLG_COMBINE;
++    aclass &= ~ASN1_TFLG_COMBINE;
+     if (!pval)
+         return 0;
+     if (aux && aux->asn1_cb)
+@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+  auxerr:
+     ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+  err:
+-    ASN1_item_ex_free(pval, it);
++    if (combine == 0)
++        ASN1_item_ex_free(pval, it);
+     if (errtt)
+         ERR_add_error_data(4, "Field=", errtt->field_name,
+                            ", Type=", it->sname);
+@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+     } else {
+         /* Nothing special */
+         ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+-                               -1, 0, opt, ctx);
++                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+         if (!ret) {
+             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+             goto err;
+-- 
+2.3.5
+
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
new file mode 100644
index 0000000..dd288c9
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3197.patch
@@ -0,0 +1,63 @@
+From d81a1600588b726c2bdccda7efad3cc7a87d6245 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <openssl-users@dukhovni.org>
+Date: Wed, 30 Dec 2015 22:44:51 -0500
+Subject: [PATCH] Better SSLv2 cipher-suite enforcement
+
+Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com>
+
+CVE-2015-3197
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+
+Upstream-Status: Backport
+https://github.com/openssl/openssl/commit/d81a1600588b726c2bdccda7efad3cc7a87d6245
+
+CVE: CVE-2015-3197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ssl/s2_srvr.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.2d/ssl/s2_srvr.c
+===================================================================
+--- openssl-1.0.2d.orig/ssl/s2_srvr.c
++++ openssl-1.0.2d/ssl/s2_srvr.c
+@@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s)
+         }
+ 
+         cp = ssl2_get_cipher_by_char(p);
+-        if (cp == NULL) {
++        if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) {
+             ssl2_return_error(s, SSL2_PE_NO_CIPHER);
+             SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH);
+             return (-1);
+@@ -687,8 +687,12 @@ static int get_client_hello(SSL *s)
+             prio = cs;
+             allow = cl;
+         }
++
++        /* Generate list of SSLv2 ciphers shared between client and server */
+         for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) {
+-            if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) {
++            const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z);
++            if ((cp->algorithm_ssl & SSL_SSLV2) == 0 ||
++                sk_SSL_CIPHER_find(allow, cp) < 0) {
+                 (void)sk_SSL_CIPHER_delete(prio, z);
+                 z--;
+             }
+@@ -697,6 +701,13 @@ static int get_client_hello(SSL *s)
+             sk_SSL_CIPHER_free(s->session->ciphers);
+             s->session->ciphers = prio;
+         }
++
++        /* Make sure we have at least one cipher in common */
++        if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) {
++            ssl2_return_error(s, SSL2_PE_NO_CIPHER);
++            SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH);
++            return -1;
++        }
+         /*
+          * s->session->ciphers should now have a list of ciphers that are on
+          * both the client and server. This list is ordered by the order the
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch
new file mode 100644
index 0000000..cf2d9a7
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_1.patch
@@ -0,0 +1,102 @@
+From 878e2c5b13010329c203f309ed0c8f2113f85648 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Mon, 18 Jan 2016 11:31:58 +0000
+Subject: [PATCH] Prevent small subgroup attacks on DH/DHE
+
+Historically OpenSSL only ever generated DH parameters based on "safe"
+primes. More recently (in version 1.0.2) support was provided for
+generating X9.42 style parameter files such as those required for RFC
+5114 support. The primes used in such files may not be "safe". Where an
+application is using DH configured with parameters based on primes that
+are not "safe" then an attacker could use this fact to find a peer's
+private DH exponent. This attack requires that the attacker complete
+multiple handshakes in which the peer uses the same DH exponent.
+
+A simple mitigation is to ensure that y^q (mod p) == 1
+
+CVE-2016-0701 (fix part 1 of 2)
+
+Issue reported by Antonio Sanso.
+
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+
+Upstream-Status: Backport
+
+https://github.com/openssl/openssl/commit/878e2c5b13010329c203f309ed0c8f2113f85648
+
+CVE: CVE-2016-0701
+Signed-of-by: Armin Kuster <akuster@mvisa.com>
+
+---
+ crypto/dh/dh.h       |  1 +
+ crypto/dh/dh_check.c | 35 +++++++++++++++++++++++++----------
+ 2 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/crypto/dh/dh.h b/crypto/dh/dh.h
+index b177673..5498a9d 100644
+--- a/crypto/dh/dh.h
++++ b/crypto/dh/dh.h
+@@ -174,6 +174,7 @@ struct dh_st {
+ /* DH_check_pub_key error codes */
+ # define DH_CHECK_PUBKEY_TOO_SMALL       0x01
+ # define DH_CHECK_PUBKEY_TOO_LARGE       0x02
++# define DH_CHECK_PUBKEY_INVALID         0x03
+ 
+ /*
+  * primes p where (p-1)/2 is prime too are called "safe"; we define this for
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 347467c..5adedc0 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -151,23 +151,38 @@ int DH_check(const DH *dh, int *ret)
+ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+ {
+     int ok = 0;
+-    BIGNUM *q = NULL;
++    BIGNUM *tmp = NULL;
++    BN_CTX *ctx = NULL;
+ 
+     *ret = 0;
+-    q = BN_new();
+-    if (q == NULL)
++    ctx = BN_CTX_new();
++    if (ctx == NULL)
+         goto err;
+-    BN_set_word(q, 1);
+-    if (BN_cmp(pub_key, q) <= 0)
++    BN_CTX_start(ctx);
++    tmp = BN_CTX_get(ctx);
++    if (tmp == NULL)
++        goto err;
++    BN_set_word(tmp, 1);
++    if (BN_cmp(pub_key, tmp) <= 0)
+         *ret |= DH_CHECK_PUBKEY_TOO_SMALL;
+-    BN_copy(q, dh->p);
+-    BN_sub_word(q, 1);
+-    if (BN_cmp(pub_key, q) >= 0)
++    BN_copy(tmp, dh->p);
++    BN_sub_word(tmp, 1);
++    if (BN_cmp(pub_key, tmp) >= 0)
+         *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
+ 
++    if (dh->q != NULL) {
++        /* Check pub_key^q == 1 mod p */
++        if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx))
++            goto err;
++        if (!BN_is_one(tmp))
++            *ret |= DH_CHECK_PUBKEY_INVALID;
++    }
++
+     ok = 1;
+  err:
+-    if (q != NULL)
+-        BN_free(q);
++    if (ctx != NULL) {
++        BN_CTX_end(ctx);
++        BN_CTX_free(ctx);
++    }
+     return (ok);
+ }
+-- 
+2.3.5
+
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_2.patch
new file mode 100644
index 0000000..05caf0a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2016-0701_2.patch
@@ -0,0 +1,156 @@
+From c5b831f21d0d29d1e517d139d9d101763f60c9a2 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 17 Dec 2015 02:57:20 +0000
+Subject: [PATCH] Always generate DH keys for ephemeral DH cipher suites
+
+Modified version of the commit ffaef3f15 in the master branch by Stephen
+Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always
+generates a new DH key for every handshake regardless.
+
+CVE-2016-0701 (fix part 2 or 2)
+
+Issue reported by Antonio Sanso
+
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+
+Upstream-Status: Backport
+
+https://github.com/openssl/openssl/commit/c5b831f21d0d29d1e517d139d9d101763f60c9a2
+
+CVE: CVE-2016-0701 #2
+Signed-of-by: Armin Kuster <akuster@mvisa.com>
+
+---
+ doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 29 +++++------------------------
+ ssl/s3_lib.c                            | 14 --------------
+ ssl/s3_srvr.c                           | 17 +++--------------
+ ssl/ssl.h                               |  2 +-
+ 4 files changed, 9 insertions(+), 53 deletions(-)
+
+Index: openssl-1.0.2d/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
+===================================================================
+--- openssl-1.0.2d.orig/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
++++ openssl-1.0.2d/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
+@@ -48,25 +48,8 @@ even if he gets hold of the normal (cert
+ only used for signing.
+ 
+ In order to perform a DH key exchange the server must use a DH group
+-(DH parameters) and generate a DH key.
+-The server will always generate a new DH key during the negotiation
+-if either the DH parameters are supplied via callback or the
+-SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both).
+-It will  immediately create a DH key if DH parameters are supplied via
+-SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set.
+-In this case,
+-it may happen that a key is generated on initialization without later
+-being needed, while on the other hand the computer time during the
+-negotiation is being saved.
+-
+-If "strong" primes were used to generate the DH parameters, it is not strictly
+-necessary to generate a new key for each handshake but it does improve forward
+-secrecy. If it is not assured that "strong" primes were used,
+-SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup
+-attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the
+-computer time needed during negotiation, but it is not very large, so
+-application authors/users should consider always enabling this option.
+-The option is required to implement perfect forward secrecy (PFS).
++(DH parameters) and generate a DH key. The server will always generate
++a new DH key during the negotiation.
+ 
+ As generating DH parameters is extremely time consuming, an application
+ should not generate the parameters on the fly but supply the parameters.
+@@ -93,10 +76,9 @@ can supply the DH parameters via a callb
+ Previous versions of the callback used B<is_export> and B<keylength>
+ parameters to control parameter generation for export and non-export
+ cipher suites. Modern servers that do not support export ciphersuites
+-are advised to either use SSL_CTX_set_tmp_dh() in combination with
+-SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore
+-B<keylength> and B<is_export> and simply supply at least 2048-bit
+-parameters in the callback.
++are advised to either use SSL_CTX_set_tmp_dh() or alternatively, use
++the callback but ignore B<keylength> and B<is_export> and simply
++supply at least 2048-bit parameters in the callback.
+ 
+ =head1 EXAMPLES
+ 
+@@ -128,7 +110,6 @@ partly left out.)
+  if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) {
+    /* Error. */
+  }
+- SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+  ...
+ 
+ =head1 RETURN VALUES
+Index: openssl-1.0.2d/ssl/s3_lib.c
+===================================================================
+--- openssl-1.0.2d.orig/ssl/s3_lib.c
++++ openssl-1.0.2d/ssl/s3_lib.c
+@@ -3206,13 +3206,6 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
+                 SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
+                 return (ret);
+             }
+-            if (!(s->options & SSL_OP_SINGLE_DH_USE)) {
+-                if (!DH_generate_key(dh)) {
+-                    DH_free(dh);
+-                    SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
+-                    return (ret);
+-                }
+-            }
+             if (s->cert->dh_tmp != NULL)
+                 DH_free(s->cert->dh_tmp);
+             s->cert->dh_tmp = dh;
+@@ -3710,13 +3703,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd
+                 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB);
+                 return 0;
+             }
+-            if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) {
+-                if (!DH_generate_key(new)) {
+-                    SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB);
+-                    DH_free(new);
+-                    return 0;
+-                }
+-            }
+             if (cert->dh_tmp != NULL)
+                 DH_free(cert->dh_tmp);
+             cert->dh_tmp = new;
+Index: openssl-1.0.2d/ssl/s3_srvr.c
+===================================================================
+--- openssl-1.0.2d.orig/ssl/s3_srvr.c
++++ openssl-1.0.2d/ssl/s3_srvr.c
+@@ -1684,20 +1684,9 @@ int ssl3_send_server_key_exchange(SSL *s
+             }
+ 
+             s->s3->tmp.dh = dh;
+-            if ((dhp->pub_key == NULL ||
+-                 dhp->priv_key == NULL ||
+-                 (s->options & SSL_OP_SINGLE_DH_USE))) {
+-                if (!DH_generate_key(dh)) {
+-                    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
+-                    goto err;
+-                }
+-            } else {
+-                dh->pub_key = BN_dup(dhp->pub_key);
+-                dh->priv_key = BN_dup(dhp->priv_key);
+-                if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) {
+-                    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
+-                    goto err;
+-                }
++            if (!DH_generate_key(dh)) {
++                SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
++                goto err;
+             }
+             r[0] = dh->p;
+             r[1] = dh->g;
+Index: openssl-1.0.2d/ssl/ssl.h
+===================================================================
+--- openssl-1.0.2d.orig/ssl/ssl.h
++++ openssl-1.0.2d/ssl/ssl.h
+@@ -625,7 +625,7 @@ struct ssl_session_st {
+ # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        0x00040000L
+ /* If set, always create a new key when using tmp_ecdh parameters */
+ # define SSL_OP_SINGLE_ECDH_USE                          0x00080000L
+-/* If set, always create a new key when using tmp_dh parameters */
++/* Does nothing: retained for compatibility */
+ # define SSL_OP_SINGLE_DH_USE                            0x00100000L
+ /* Does nothing: retained for compatibiity */
+ # define SSL_OP_EPHEMERAL_RSA                            0x0
diff --git a/meta/recipes-connectivity/openssl/openssl/ptest_makefile_deps.patch b/meta/recipes-connectivity/openssl/openssl/ptest_makefile_deps.patch
new file mode 100644
index 0000000..4202e61
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/ptest_makefile_deps.patch
@@ -0,0 +1,248 @@
+Additional Makefile dependencies removal for test targets
+
+Removing the dependency check for test targets as these tests are
+causing a number of failures and "noise" during ptest execution.
+
+Upstream-Status: Inappropriate [config]
+
+Signed-off-by: Maxin B. John <maxin.john@intel.com>
+
+diff -Naur openssl-1.0.2d-orig/test/Makefile openssl-1.0.2d/test/Makefile
+--- openssl-1.0.2d-orig/test/Makefile	2015-09-28 12:50:41.530022979 +0300
++++ openssl-1.0.2d/test/Makefile	2015-09-28 12:57:45.930717240 +0300
+@@ -155,67 +155,67 @@
+ 	( $(MAKE) $$i && echo "PASS: $$i" ) || echo "FAIL: $$i"; \
+ 	done)
+ 
+-test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt
++test_evp:
+ 	../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt
+ 
+-test_evp_extra: $(EVPEXTRATEST)$(EXE_EXT)
++test_evp_extra:
+ 	../util/shlib_wrap.sh ./$(EVPEXTRATEST)
+ 
+-test_des: $(DESTEST)$(EXE_EXT)
++test_des:
+ 	../util/shlib_wrap.sh ./$(DESTEST)
+ 
+-test_idea: $(IDEATEST)$(EXE_EXT)
++test_idea:
+ 	../util/shlib_wrap.sh ./$(IDEATEST)
+ 
+-test_sha: $(SHATEST)$(EXE_EXT) $(SHA1TEST)$(EXE_EXT) $(SHA256TEST)$(EXE_EXT) $(SHA512TEST)$(EXE_EXT)
++test_sha:
+ 	../util/shlib_wrap.sh ./$(SHATEST)
+ 	../util/shlib_wrap.sh ./$(SHA1TEST)
+ 	../util/shlib_wrap.sh ./$(SHA256TEST)
+ 	../util/shlib_wrap.sh ./$(SHA512TEST)
+ 
+-test_mdc2: $(MDC2TEST)$(EXE_EXT)
++test_mdc2:
+ 	../util/shlib_wrap.sh ./$(MDC2TEST)
+ 
+-test_md5: $(MD5TEST)$(EXE_EXT)
++test_md5:
+ 	../util/shlib_wrap.sh ./$(MD5TEST)
+ 
+-test_md4: $(MD4TEST)$(EXE_EXT)
++test_md4:
+ 	../util/shlib_wrap.sh ./$(MD4TEST)
+ 
+-test_hmac: $(HMACTEST)$(EXE_EXT)
++test_hmac:
+ 	../util/shlib_wrap.sh ./$(HMACTEST)
+ 
+-test_wp: $(WPTEST)$(EXE_EXT)
++test_wp:
+ 	../util/shlib_wrap.sh ./$(WPTEST)
+ 
+-test_md2: $(MD2TEST)$(EXE_EXT)
++test_md2:
+ 	../util/shlib_wrap.sh ./$(MD2TEST)
+ 
+-test_rmd: $(RMDTEST)$(EXE_EXT)
++test_rmd:
+ 	../util/shlib_wrap.sh ./$(RMDTEST)
+ 
+-test_bf: $(BFTEST)$(EXE_EXT)
++test_bf:
+ 	../util/shlib_wrap.sh ./$(BFTEST)
+ 
+-test_cast: $(CASTTEST)$(EXE_EXT)
++test_cast:
+ 	../util/shlib_wrap.sh ./$(CASTTEST)
+ 
+-test_rc2: $(RC2TEST)$(EXE_EXT)
++test_rc2:
+ 	../util/shlib_wrap.sh ./$(RC2TEST)
+ 
+-test_rc4: $(RC4TEST)$(EXE_EXT)
++test_rc4:
+ 	../util/shlib_wrap.sh ./$(RC4TEST)
+ 
+-test_rc5: $(RC5TEST)$(EXE_EXT)
++test_rc5:
+ 	../util/shlib_wrap.sh ./$(RC5TEST)
+ 
+-test_rand: $(RANDTEST)$(EXE_EXT)
++test_rand:
+ 	../util/shlib_wrap.sh ./$(RANDTEST)
+ 
+-test_enc: ../apps/openssl$(EXE_EXT) testenc
++test_enc:
+ 	@sh ./testenc
+ 
+-test_x509: ../apps/openssl$(EXE_EXT) tx509 testx509.pem v3-cert1.pem v3-cert2.pem
++test_x509:
+ 	echo test normal x509v1 certificate
+ 	sh ./tx509 2>/dev/null
+ 	echo test first x509v3 certificate
+@@ -223,25 +223,25 @@
+ 	echo test second x509v3 certificate
+ 	sh ./tx509 v3-cert2.pem 2>/dev/null
+ 
+-test_rsa: ../apps/openssl$(EXE_EXT) trsa testrsa.pem
++test_rsa:
+ 	@sh ./trsa 2>/dev/null
+ 	../util/shlib_wrap.sh ./$(RSATEST)
+ 
+-test_crl: ../apps/openssl$(EXE_EXT) tcrl testcrl.pem
++test_crl:
+ 	@sh ./tcrl 2>/dev/null
+ 
+-test_sid: ../apps/openssl$(EXE_EXT) tsid testsid.pem
++test_sid:
+ 	@sh ./tsid 2>/dev/null
+ 
+-test_req: ../apps/openssl$(EXE_EXT) treq testreq.pem testreq2.pem
++test_req:
+ 	@sh ./treq 2>/dev/null
+ 	@sh ./treq testreq2.pem 2>/dev/null
+ 
+-test_pkcs7: ../apps/openssl$(EXE_EXT) tpkcs7 tpkcs7d testp7.pem pkcs7-1.pem
++test_pkcs7:
+ 	@sh ./tpkcs7 2>/dev/null
+ 	@sh ./tpkcs7d 2>/dev/null
+ 
+-test_bn: $(BNTEST)$(EXE_EXT) $(EXPTEST)$(EXE_EXT) bctest
++test_bn:
+ 	@echo starting big number library test, could take a while...
+ 	@../util/shlib_wrap.sh ./$(BNTEST) >tmp.bntest
+ 	@echo quit >>tmp.bntest
+@@ -250,33 +250,33 @@
+ 	@echo 'test a^b%c implementations'
+ 	../util/shlib_wrap.sh ./$(EXPTEST)
+ 
+-test_ec: $(ECTEST)$(EXE_EXT)
++test_ec:
+ 	@echo 'test elliptic curves'
+ 	../util/shlib_wrap.sh ./$(ECTEST)
+ 
+-test_ecdsa: $(ECDSATEST)$(EXE_EXT)
++test_ecdsa:
+ 	@echo 'test ecdsa'
+ 	../util/shlib_wrap.sh ./$(ECDSATEST)
+ 
+-test_ecdh: $(ECDHTEST)$(EXE_EXT)
++test_ecdh:
+ 	@echo 'test ecdh'
+ 	../util/shlib_wrap.sh ./$(ECDHTEST)
+ 
+-test_verify: ../apps/openssl$(EXE_EXT)
++test_verify:
+ 	@echo "The following command should have some OK's and some failures"
+ 	@echo "There are definitly a few expired certificates"
+ 	../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem
+ 
+-test_dh: $(DHTEST)$(EXE_EXT)
++test_dh:
+ 	@echo "Generate a set of DH parameters"
+ 	../util/shlib_wrap.sh ./$(DHTEST)
+ 
+-test_dsa: $(DSATEST)$(EXE_EXT)
++test_dsa:
+ 	@echo "Generate a set of DSA parameters"
+ 	../util/shlib_wrap.sh ./$(DSATEST)
+ 	../util/shlib_wrap.sh ./$(DSATEST) -app2_1
+ 
+-test_gen testreq.pem: ../apps/openssl$(EXE_EXT) testgen test.cnf
++test_gen testreq.pem:
+ 	@echo "Generate and verify a certificate request"
+ 	@sh ./testgen
+ 
+@@ -288,13 +288,11 @@
+ 	@cat certCA.ss certU.ss > intP1.ss
+ 	@cat certCA.ss certU.ss certP1.ss > intP2.ss
+ 
+-test_engine:  $(ENGINETEST)$(EXE_EXT)
++test_engine:
+ 	@echo "Manipulate the ENGINE structures"
+ 	../util/shlib_wrap.sh ./$(ENGINETEST)
+ 
+-test_ssl: keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \
+-		intP1.ss intP2.ss $(SSLTEST)$(EXE_EXT) testssl testsslproxy \
+-		../apps/server2.pem serverinfo.pem
++test_ssl:
+ 	@echo "test SSL protocol"
+ 	@if [ -n "$(FIPSCANLIB)" ]; then \
+ 	  sh ./testfipsssl keyU.ss certU.ss certCA.ss; \
+@@ -304,7 +302,7 @@
+ 	@sh ./testsslproxy keyP1.ss certP1.ss intP1.ss
+ 	@sh ./testsslproxy keyP2.ss certP2.ss intP2.ss
+ 
+-test_ca: ../apps/openssl$(EXE_EXT) testca CAss.cnf Uss.cnf
++test_ca:
+ 	@if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then \
+ 	  echo "skipping CA.sh test -- requires RSA"; \
+ 	else \
+@@ -312,11 +310,11 @@
+ 	  sh ./testca; \
+ 	fi
+ 
+-test_aes: #$(AESTEST)
++test_aes:
+ #	@echo "test Rijndael"
+ #	../util/shlib_wrap.sh ./$(AESTEST)
+ 
+-test_tsa: ../apps/openssl$(EXE_EXT) testtsa CAtsa.cnf ../util/shlib_wrap.sh
++test_tsa:
+ 	@if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then \
+ 	  echo "skipping testtsa test -- requires RSA"; \
+ 	else \
+@@ -331,7 +329,7 @@
+ 	@echo "Test JPAKE"
+ 	../util/shlib_wrap.sh ./$(JPAKETEST)
+ 
+-test_cms: ../apps/openssl$(EXE_EXT) cms-test.pl smcont.txt
++test_cms:
+ 	@echo "CMS consistency test"
+ 	$(PERL) cms-test.pl
+ 
+@@ -339,22 +337,22 @@
+ 	@echo "Test SRP"
+ 	../util/shlib_wrap.sh ./srptest
+ 
+-test_ocsp: ../apps/openssl$(EXE_EXT) tocsp
++test_ocsp:
+ 	@echo "Test OCSP"
+ 	@sh ./tocsp
+ 
+-test_v3name: $(V3NAMETEST)$(EXE_EXT)
++test_v3name:
+ 	@echo "Test X509v3_check_*"
+ 	../util/shlib_wrap.sh ./$(V3NAMETEST)
+ 
+ test_heartbeat:
+ 	../util/shlib_wrap.sh ./$(HEARTBEATTEST)
+ 
+-test_constant_time: $(CONSTTIMETEST)$(EXE_EXT)
++test_constant_time:
+ 	@echo "Test constant time utilites"
+ 	../util/shlib_wrap.sh ./$(CONSTTIMETEST)
+ 
+-test_verify_extra: $(VERIFYEXTRATEST)$(EXE_EXT)
++test_verify_extra:
+ 	@echo $(START) $@
+ 	../util/shlib_wrap.sh ./$(VERIFYEXTRATEST)
+ 
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
index 32d8dce..8defa5b 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
@@ -36,6 +36,14 @@
             file://run-ptest \
             file://crypto_use_bigint_in_x86-64_perl.patch \
             file://openssl-1.0.2a-x32-asm.patch \
+            file://ptest_makefile_deps.patch  \
+            file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \
+            file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
+            file://0001-Add-test-for-CVE-2015-3194.patch \
+            file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
+            file://CVE-2015-3197.patch \
+            file://CVE-2016-0701_1.patch \
+            file://CVE-2016-0701_2.patch \
            "
 
 SRC_URI[md5sum] = "38dd619b2e77cbac69b99f52a053d25a"
@@ -55,3 +63,13 @@
 do_configure_prepend() {
   cp ${WORKDIR}/find.pl ${S}/util/find.pl
 }
+
+# The crypto_use_bigint patch means that perl's bignum module needs to be
+# installed, but some distributions (for example Fedora 23) don't ship it by
+# default.  As the resulting error is very misleading check for bignum before
+# building.
+do_configure_prepend() {
+	if ! perl -Mbigint -e true; then
+		bbfatal "The perl module 'bignum' was not found but this is required to build openssl.  Please install this module (often packaged as perl-bignum) and re-run bitbake."
+	fi
+}
diff --git a/meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch b/meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch
new file mode 100644
index 0000000..0cd4179
--- /dev/null
+++ b/meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch
@@ -0,0 +1,372 @@
+Upstream-Status: Backport
+
+http://www.dest-unreach.org/socat/download/socat-1.7.3.1.patch 
+
+CVE: CVE-2016-2217
+[Yocto # 9024]
+Singed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: socat-1.7.3.0/CHANGES
+===================================================================
+--- socat-1.7.3.0.orig/CHANGES
++++ socat-1.7.3.0/CHANGES
+@@ -1,8 +1,39 @@
+ 
++####################### V 1.7.3.1:
++
++security:
++	Socat security advisory 8
++	A stack overflow in vulnerability was found that can be triggered when
++	command line arguments (complete address specifications, host names,
++	file names) are longer than 512 bytes.
++	Successful exploitation might allow an attacker to execute arbitrary
++	code with the privileges of the socat process.
++	This vulnerability can only be exploited when an attacker is able to
++	inject data into socat's command line.
++	A vulnerable scenario would be a CGI script that reads data from clients
++	and uses (parts of) this data as hostname for a Socat invocation.
++	Test: NESTEDOVFL
++	Credits to Takumi Akiyama for finding and reporting this issue.
++
++	Socat security advisory 7
++	MSVR-1499
++	In the OpenSSL address implementation the hard coded 1024 bit DH p
++	parameter was not prime. The effective cryptographic strength of a key
++	exchange using these parameters was weaker than the one one could get by
++	using a prime p. Moreover, since there is no indication of how these
++	parameters were chosen, the existence of a trapdoor that makes possible
++	for an eavesdropper to recover the shared secret from a key exchange
++	that uses them cannot be ruled out.
++	Futhermore, 1024bit is not considered sufficiently secure.
++	Fix: generated a new 2048bit prime.
++	Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
++	Research (MSVR) for finding and reporting this issue.
++
+ ####################### V 1.7.3.0:
+ 
+ security:
+-	(CVE Id pending)
++	Socat security advisory 6
++	CVE-2015-1379: Possible DoS with fork
+ 	Fixed problems with signal handling caused by use of not async signal
+ 	safe functions in signal handlers that could freeze socat, allowing
+ 	denial of service attacks.
+@@ -240,6 +271,7 @@ docu:
+ ####################### V 1.7.2.3:
+ 
+ security:
++	Socat security advisory 5
+ 	CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
+ 	overflow with data from command line (see socat-secadv5.txt)
+ 	Credits to Florian Weimer of the Red Hat Product Security Team
+@@ -247,6 +279,7 @@ security:
+ ####################### V 1.7.2.2:
+ 
+ security:
++	Socat security advisory 4
+ 	CVE-2013-3571:
+ 	after refusing a client connection due to bad source address or source
+ 	port socat shutdown() the socket but did not close() it, resulting in
+@@ -258,6 +291,7 @@ security:
+ ####################### V 1.7.2.1:
+ 
+ security:
++	Socat security advisory 3
+ 	CVE-2012-0219:
+ 	fixed a possible heap buffer overflow in the readline address. This bug
+ 	could be exploited when all of the following conditions were met:
+@@ -391,6 +425,7 @@ docu:
+ ####################### V 1.7.1.3:
+ 
+ security:
++	Socat security advisory 2
+ 	CVE-2010-2799:
+ 	fixed a stack overflow vulnerability that occurred when command
+ 	line arguments (whole addresses, host names, file names) were longer
+@@ -892,6 +927,7 @@ further corrections:
+ ####################### V 1.4.0.3:
+ 
+ security:
++	Socat security advisory 1
+ 	CVE-2004-1484:
+ 	fix to a syslog() based format string vulnerability that can lead to
+ 	remote code execution. See advisory socat-adv-1.txt
+Index: socat-1.7.3.0/VERSION
+===================================================================
+--- socat-1.7.3.0.orig/VERSION
++++ socat-1.7.3.0/VERSION
+@@ -1 +1 @@
+-"1.7.3.0"
++"1.7.3.1"
+Index: socat-1.7.3.0/nestlex.c
+===================================================================
+--- socat-1.7.3.0.orig/nestlex.c
++++ socat-1.7.3.0/nestlex.c
+@@ -1,5 +1,5 @@
+ /* source: nestlex.c */
+-/* Copyright Gerhard Rieger 2006-2010 */
++/* Copyright Gerhard Rieger */
+ /* Published under the GNU General Public License V.2, see file COPYING */
+ 
+ /* a function for lexical scanning of nested character patterns */
+@@ -9,6 +9,17 @@
+ 
+ #include "sysincludes.h"
+ 
++static int _nestlex(const char **addr,
++		    char **token,
++		    ptrdiff_t *len,
++		    const char *ends[],
++		    const char *hquotes[],
++		    const char *squotes[],
++		    const char *nests[],
++		    bool dropquotes,
++		    bool c_esc,
++		    bool html_esc
++		    );
+ 
+ /* sub: scan a string and copy its value to output string
+    end scanning when an unescaped, unnested string from ends array is found
+@@ -33,6 +44,22 @@ int nestlex(const char **addr,	/* input
+ 	    bool c_esc,		/* solve C char escapes: \n \t \0 etc */
+ 	    bool html_esc	/* solve HTML char escapes: %0d %08 etc */
+ 	    ) {
++   return
++      _nestlex(addr, token, (ptrdiff_t *)len, ends, hquotes, squotes, nests,
++	       dropquotes, c_esc, html_esc);
++}
++
++static int _nestlex(const char **addr,
++		    char **token,
++		    ptrdiff_t *len,
++		    const char *ends[],
++		    const char *hquotes[],
++		    const char *squotes[],
++		    const char *nests[],
++		    bool dropquotes,
++		    bool c_esc,
++		    bool html_esc
++		    ) {
+    const char *in = *addr;	/* pointer into input string */
+    const char **endx;	/* loops over end patterns */
+    const char **quotx;	/* loops over quote patterns */
+@@ -77,16 +104,18 @@ int nestlex(const char **addr,	/* input
+ 		  if (--*len <= 0) { *addr = in; *token = out; return -1; }
+ 	       }
+ 	    }
+-	    /* we call nestlex recursively */
++	    /* we call _nestlex recursively */
+ 	    endnest[0] = *quotx;
+ 	    endnest[1] = NULL;
+ 	    result =
+-	       nestlex(&in, &out, len, endnest, NULL/*hquotes*/,
++	       _nestlex(&in, &out, len, endnest, NULL/*hquotes*/,
+ 		       NULL/*squotes*/, NULL/*nests*/,
+ 		       false, c_esc, html_esc);
+ 	    if (result == 0 && dropquotes) {
+ 	       /* we strip this quote */
+ 	       in += strlen(*quotx);
++	    } else if (result < 0) {
++	       *addr = in; *token = out; return result;
+ 	    } else {
+ 	       /* we copy the trailing quote */
+ 	       for (i = strlen(*quotx); i > 0; --i) {
+@@ -110,7 +139,7 @@ int nestlex(const char **addr,	/* input
+ 	 if (!strncmp(in, *quotx, strlen(*quotx))) {
+ 	    /* this quote pattern matches */
+ 	    /* we strip this quote */
+-	    /* we call nestlex recursively */
++	    /* we call _nestlex recursively */
+ 	    const char *endnest[2];
+ 	    if (dropquotes) {
+ 	       /* we strip this quote */
+@@ -124,13 +153,15 @@ int nestlex(const char **addr,	/* input
+ 	    endnest[0] = *quotx;
+ 	    endnest[1] = NULL;
+ 	    result =
+-	       nestlex(&in, &out, len, endnest, hquotes,
++	       _nestlex(&in, &out, len, endnest, hquotes,
+ 		       squotes, nests,
+ 		       false, c_esc, html_esc);
+ 
+ 	    if (result == 0 && dropquotes) {
+ 	       /* we strip the trailing quote */
+ 	       in += strlen(*quotx);
++	    } else if (result < 0) {
++	       *addr = in; *token = out; return result;
+ 	    } else {
+ 	       /* we copy the trailing quote */
+ 	       for (i = strlen(*quotx); i > 0; --i) {
+@@ -162,7 +193,7 @@ int nestlex(const char **addr,	/* input
+ 	    }
+ 
+ 	    result =
+-	       nestlex(&in, &out, len, endnest, hquotes, squotes, nests,
++	       _nestlex(&in, &out, len, endnest, hquotes, squotes, nests,
+ 		       false, c_esc, html_esc);
+ 	    if (result == 0) {
+ 	       /* copy endnest */
+@@ -175,6 +206,8 @@ int nestlex(const char **addr,	/* input
+ 		  }
+ 		  --i;
+ 	       }
++	    } else if (result < 0) {
++	       *addr = in; *token = out; return result;
+ 	    }
+ 	    break;
+ 	 }
+@@ -211,7 +244,7 @@ int nestlex(const char **addr,	/* input
+ 	 }
+ 	 *out++ = c;
+ 	 --*len;
+-	 if (*len == 0) {
++	 if (*len <= 0) {
+ 	    *addr = in;
+ 	    *token = out;
+ 	    return -1;	/* output overflow */
+@@ -222,7 +255,7 @@ int nestlex(const char **addr,	/* input
+       /* just a simple char */
+       *out++ = c;
+       --*len;
+-      if (*len == 0) {
++      if (*len <= 0) {
+ 	 *addr = in;
+ 	 *token = out;
+ 	 return -1;	/* output overflow */
+Index: socat-1.7.3.0/nestlex.h
+===================================================================
+--- socat-1.7.3.0.orig/nestlex.h
++++ socat-1.7.3.0/nestlex.h
+@@ -1,5 +1,5 @@
+ /* source: nestlex.h */
+-/* Copyright Gerhard Rieger 2006 */
++/* Copyright Gerhard Rieger */
+ /* Published under the GNU General Public License V.2, see file COPYING */
+ 
+ #ifndef __nestlex_h_included
+Index: socat-1.7.3.0/socat.spec
+===================================================================
+--- socat-1.7.3.0.orig/socat.spec
++++ socat-1.7.3.0/socat.spec
+@@ -1,6 +1,6 @@
+ 
+ %define majorver 1.7
+-%define minorver 3.0
++%define minorver 3.1
+ 
+ Summary: socat - multipurpose relay
+ Name: socat
+Index: socat-1.7.3.0/test.sh
+===================================================================
+--- socat-1.7.3.0.orig/test.sh
++++ socat-1.7.3.0/test.sh
+@@ -2266,8 +2266,8 @@ gentestcert () {
+ gentestdsacert () {
+     local name="$1"
+     if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
+-    openssl dsaparam -out $name-dsa.pem 512 >/dev/null 2>&1
+-    openssl dhparam -dsaparam -out $name-dh.pem 512 >/dev/null 2>&1
++    openssl dsaparam -out $name-dsa.pem 1024 >/dev/null 2>&1
++    openssl dhparam -dsaparam -out $name-dh.pem 1024 >/dev/null 2>&1
+     openssl req -newkey dsa:$name-dsa.pem -keyout $name.key -nodes -x509 -config $TESTCERT_CONF -out $name.crt -days 3653 >/dev/null 2>&1
+     cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem
+ }
+@@ -10973,6 +10973,42 @@ CMD0="$TRACE $SOCAT $opts OPENSSL:localh
+ printf "test $F_n $TEST... " $N
+ $CMD0 </dev/null 1>&0 2>"${te}0"
+ rc0=$?
++if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
++    $PRINTF "$OK\n"
++    numOK=$((numOK+1))
++else
++    $PRINTF "$FAILED\n"
++    echo "$CMD0"
++    cat "${te}0"
++    numFAIL=$((numFAIL+1))
++    listFAIL="$listFAIL $N"
++fi
++fi # NUMCOND
++ ;;
++esac
++PORT=$((PORT+1))
++N=$((N+1))
++
++# socat up to 1.7.3.0 had a stack overflow vulnerability that occurred when
++# command line arguments (whole addresses, host names, file names) were longer
++# than 512 bytes and specially crafted.
++NAME=NESTEDOVFL
++case "$TESTS" in
++*%$N%*|*%functions%*|*%bugs%*|*%security%*|*%exec%*|*%$NAME%*)
++TEST="$NAME: stack overflow on overly long nested arg"
++# provide a long host name to TCP-CONNECT and check socats exit code
++if ! eval $NUMCOND; then :; else
++tf="$td/test$N.stdout"
++te="$td/test$N.stderr"
++tdiff="$td/test$N.diff"
++da="test$N $(date) $RANDOM"
++# prepare long data - perl might not be installed
++rm -f "$td/test$N.dat"
++i=0; while [ $i -lt 64 ]; do  echo -n "AAAAAAAAAAAAAAAA" >>"$td/test$N.dat"; i=$((i+1)); done
++CMD0="$TRACE $SOCAT $opts EXEC:[$(cat "$td/test$N.dat")] STDIO"
++printf "test $F_n $TEST... " $N
++$CMD0 </dev/null 1>&0 2>"${te}0"
++rc0=$?
+ if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
+     $PRINTF "$OK\n"
+     numOK=$((numOK+1))
+Index: socat-1.7.3.0/xio-openssl.c
+===================================================================
+--- socat-1.7.3.0.orig/xio-openssl.c
++++ socat-1.7.3.0/xio-openssl.c
+@@ -912,20 +912,27 @@ int
+    }
+ 
+    {
+-      static unsigned char dh1024_p[] = {
+-	 0xCC,0x17,0xF2,0xDC,0x96,0xDF,0x59,0xA4,0x46,0xC5,0x3E,0x0E,
+-	 0xB8,0x26,0x55,0x0C,0xE3,0x88,0xC1,0xCE,0xA7,0xBC,0xB3,0xBF,
+-	 0x16,0x94,0xD8,0xA9,0x45,0xA2,0xCE,0xA9,0x5B,0x22,0x25,0x5F,
+-	 0x92,0x59,0x94,0x1C,0x22,0xBF,0xCB,0xC8,0xC8,0x57,0xCB,0xBF,
+-	 0xBC,0x0E,0xE8,0x40,0xF9,0x87,0x03,0xBF,0x60,0x9B,0x08,0xC6,
+-	 0x8E,0x99,0xC6,0x05,0xFC,0x00,0xD6,0x6D,0x90,0xA8,0xF5,0xF8,
+-	 0xD3,0x8D,0x43,0xC8,0x8F,0x7A,0xBD,0xBB,0x28,0xAC,0x04,0x69,
+-	 0x4A,0x0B,0x86,0x73,0x37,0xF0,0x6D,0x4F,0x04,0xF6,0xF5,0xAF,
+-	 0xBF,0xAB,0x8E,0xCE,0x75,0x53,0x4D,0x7F,0x7D,0x17,0x78,0x0E,
+-	 0x12,0x46,0x4A,0xAF,0x95,0x99,0xEF,0xBC,0xA6,0xC5,0x41,0x77,
+-	 0x43,0x7A,0xB9,0xEC,0x8E,0x07,0x3C,0x6D,
++      static unsigned char dh2048_p[] = {
++	 0x00,0xdc,0x21,0x64,0x56,0xbd,0x9c,0xb2,0xac,0xbe,0xc9,0x98,0xef,0x95,0x3e,
++	 0x26,0xfa,0xb5,0x57,0xbc,0xd9,0xe6,0x75,0xc0,0x43,0xa2,0x1c,0x7a,0x85,0xdf,
++	 0x34,0xab,0x57,0xa8,0xf6,0xbc,0xf6,0x84,0x7d,0x05,0x69,0x04,0x83,0x4c,0xd5,
++	 0x56,0xd3,0x85,0x09,0x0a,0x08,0xff,0xb5,0x37,0xa1,0xa3,0x8a,0x37,0x04,0x46,
++	 0xd2,0x93,0x31,0x96,0xf4,0xe4,0x0d,0x9f,0xbd,0x3e,0x7f,0x9e,0x4d,0xaf,0x08,
++	 0xe2,0xe8,0x03,0x94,0x73,0xc4,0xdc,0x06,0x87,0xbb,0x6d,0xae,0x66,0x2d,0x18,
++	 0x1f,0xd8,0x47,0x06,0x5c,0xcf,0x8a,0xb5,0x00,0x51,0x57,0x9b,0xea,0x1e,0xd8,
++	 0xdb,0x8e,0x3c,0x1f,0xd3,0x2f,0xba,0x1f,0x5f,0x3d,0x15,0xc1,0x3b,0x2c,0x82,
++	 0x42,0xc8,0x8c,0x87,0x79,0x5b,0x38,0x86,0x3a,0xeb,0xfd,0x81,0xa9,0xba,0xf7,
++	 0x26,0x5b,0x93,0xc5,0x3e,0x03,0x30,0x4b,0x00,0x5c,0xb6,0x23,0x3e,0xea,0x94,
++	 0xc3,0xb4,0x71,0xc7,0x6e,0x64,0x3b,0xf8,0x92,0x65,0xad,0x60,0x6c,0xd4,0x7b,
++	 0xa9,0x67,0x26,0x04,0xa8,0x0a,0xb2,0x06,0xeb,0xe0,0x7d,0x90,0xdd,0xdd,0xf5,
++	 0xcf,0xb4,0x11,0x7c,0xab,0xc1,0xa3,0x84,0xbe,0x27,0x77,0xc7,0xde,0x20,0x57,
++	 0x66,0x47,0xa7,0x35,0xfe,0x0d,0x6a,0x1c,0x52,0xb8,0x58,0xbf,0x26,0x33,0x81,
++	 0x5e,0xb7,0xa9,0xc0,0xee,0x58,0x11,0x74,0x86,0x19,0x08,0x89,0x1c,0x37,0x0d,
++	 0x52,0x47,0x70,0x75,0x8b,0xa8,0x8b,0x30,0x11,0x71,0x36,0x62,0xf0,0x73,0x41,
++	 0xee,0x34,0x9d,0x0a,0x2b,0x67,0x4e,0x6a,0xa3,0xe2,0x99,0x92,0x1b,0xf5,0x32,
++	 0x73,0x63
+       };
+-      static unsigned char dh1024_g[] = {
++      static unsigned char dh2048_g[] = {
+ 	 0x02,
+       };
+       DH *dh;
+@@ -938,8 +945,8 @@ int
+ 	 }
+ 	 Error("DH_new() failed");
+       } else {
+-	 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+-	 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
++	 dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
++	 dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+ 	 if ((dh->p == NULL) || (dh->g == NULL)) {
+ 	    while (err = ERR_get_error()) {
+ 	       Warn1("BN_bin2bn(): %s",
diff --git a/meta/recipes-connectivity/socat/socat_1.7.3.0.bb b/meta/recipes-connectivity/socat/socat_1.7.3.0.bb
index b58e0a7..6d76d0f 100644
--- a/meta/recipes-connectivity/socat/socat_1.7.3.0.bb
+++ b/meta/recipes-connectivity/socat/socat_1.7.3.0.bb
@@ -14,6 +14,7 @@
 
 SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
            file://Makefile.in-fix-for-parallel-build.patch \
+           file://CVE-2016-2217.patch \
 "
 
 SRC_URI[md5sum] = "b607edb65bc6c57f4a43f06247504274"