subtree updates

meta-security: 1f18c623e9..de6712a806:
  Armin Kuster (8):
        cryfs: drop recipe
        trousers: set precise BSD license
        ibmtpm2tss:  set precise BSD license
        ibmswtpm2:  set precise BSD license
        opendnssec:  set precise BSD license
        checksec:  set precise BSD license
        isic:  set precise BSD license
        tpm-quote-tools: Update SRC_URI

  Christer Fletcher (1):
        dm-verity-img.bbclass: Expose --data-block-size for configuration

  Kai Kang (1):
        sssd: 2.5.1 -> 2.5.2

meta-raspberrypi: a6fa6b3aec..9eb4879cf4:
  Andrew Penner (1):
        rpi-cmdline: Support ethernet over USB

  Khem Raj (2):
        linux-raspberrypi: Update to 5.10.63
        raspberrypi-firmware: Update to latest

meta-openembedded: e4a3c66505..cff8331f96:
  Armin Kuster (21):
        python3-cycler: set precise BSD license
        python3-dill: set precise BSD license
        python3-ipython-genutils: set precise BSD license
        python3-traitlets: set precise BSD license
        python3-parallax: set precise BSD license
        python3-ipython:set precise BSD license
        python3-mpmath: set precise BSD license
        python3-sympy: set precise BSD license
        python3-sqlparse: set precise BSD license
        python3-webencodings: set precise BSD license
        python3-pyperclip:set precise BSD license
        python3-geojson: set precise BSD license
        python3-aenum: set precise BSD license
        python3-gnupg: set precise BSD license
        python3-kiwisolver: set precise BSD license
        python3-jdcal: set precise BSD license
        python3-send2trash: set precise BSD license
        python3-flask-bootstrap: Update LICENSES
        autossh: set precise BSD licenses
        jemalloc: set precise BSD license
        gpsd-machine-conf: set precise BSD license

  Bruce Ashfield (1):
        vboxguestdrivers: fix build against 5.14+

  Ed Tanous (1):
        Boost-url Move to latest version

  Khem Raj (57):
        gdm: Add polkit to required distro features
        python3-lxml: Inherit pkgconfig
        python3-icu: Inherit pkgconfig
        python3-h5py: Inherit pkgconfig
        python3-pyparted: Inherit pkgconfig
        python3-systemd: Inherit pkgconfig
        rp-pppoe: Add configure cached variable via recipe
        site: Remove local site files
        postfix: Inherit pkgconfig
        emacs: Inherit pkgconfig
        libgnt: Inherit pkgconfig
        libgnt: Inherit pkgconfig
        portaudio-v19: Inherit pkgconfig
        sshfs-fuse: Inherit pkgconfig
        appstream-glib: Inherit pkgconfig
        volume-key: Inherit pkgconfig
        kronosnet: Inherit pkgconfig
        rrdtool: Inherit pkgconfig
        libbytesize: Inherit pkgconfig
        dlt-daemon: Inherit pkgconfig
        libmypaint: Inherit pkgconfig
        libubox: Inherit pkgconfig
        xfsprogs: Inherit pkgconfig
        pavucontrol: Inherit pkgconfig
        blueman: Inherit pkgconfig
        mimic: Inherit pkgconfig
        libchamplain: Inherit pkgconfig
        gst-shark: Inherit pkgconfig
        zchunk: Inherit pkgconfig
        libvdpau: Inherit pkgconfig
        tigervnc: Inherit pkgconfig
        mpc: Inherit pkgconfig
        avro-c: Inherit pkgconfig
        udevil: Inherit pkgconfig
        remmina: Inherit pkgconfig
        transmission: Inherit pkgconfig
        libuvc: Inherit pkgconfig
        crda: Inherit pkgconfig
        wxwidgets: Inherit pkgconfig
        mdbus2: Inherit pkgconfig
        firewalld: Inherit pkgconfig
        renderdoc: Inherit pkgconfig
        fetchmail: Inherit pkgconfig
        ncmpc: Inherit pkgconfig
        yad: Inherit pkgconfig
        mscgen: Inherit pkgconfig
        libldb: Inherit pkgconfig
        pahole: Inherit missing pkgconfig
        gerbera: Inherit pkgconfig
        xfce4-datetime-setter: Inherit pkgconfig
        libblockdev: Inherit pkgconfig
        ntopng: Inherit pkgconfig
        mosquitto: Inherit pkgconfig
        samba: Inherit pkgconfig
        fio: Upgrade to 3.28
        rdma-core: Inherit pkgconfig
        postfix: Add missing dependency on m4

  Marek Vasut (1):
        dstat: Add missing python-six runtime dependency

  Matteo Croce (1):
        pahole: call python via env in the shebang

  Pascal Bach (1):
        poco: update to 1.11.0

  Peter Kjellerstedt (1):
        libiio: Make libiio-python3 depend on python3-core

  Pierre-Jean Texier (1):
        cppzmq: upgrade 4.8.0 -> 4.8.1

  Sakib Sajal (3):
        bats: source files from correct directory
        gd: upgrade 2.3.2 -> 2.3.3
        lmdb: replace tag with commit id in SRCREV

  Trevor Woerner (2):
        vk-gl-cts: allow the user to specify the target
        vk-gl-cts: fix soname linking

  Yi Zhao (2):
        samba: upgrade 4.14.5 -> 4.14.7
        net-snmp: remove perllocal.pod when enable packageconfig[perl]

  jan (1):
        netdata: Fixed the recipe.

  wangmy (3):
        byacc: upgrade 20200910 -> 20210808
        nghttp2: upgrade 1.44.0 -> 1.45.1
        apache2: upgrade 2.4.48 -> 2.4.49

  zangrc (5):
        python3-beautifulsoup4: upgrade 4.9.3 -> 4.10.0
        python3-bitarray: upgrade 2.3.3 -> 2.3.4
        python3-decorator: upgrade 5.0.9 -> 5.1.0
        python3-grpcio-tools: upgrade 1.39.0 -> 1.40.0
        python3-grpcio: upgrade 1.39.0 -> 1.40.0

  zhengruoqin (5):
        python3-openpyxl: upgrade 3.0.7 -> 3.0.8
        python3-pandas: upgrade 1.3.2 -> 1.3.3
        python3-pulsectl: upgrade 21.5.18 -> 21.9.1
        protobuf: upgrade 3.17.3 -> 3.18.0
        span-lite: upgrade 0.10.0 -> 0.10.1

poky: 359e1cb62f..06dcace68b:
  Alexander Kanavin (13):
        lttng: update 2.12 -> 2.13.0
        core-image-ptest-all: bump RAM requirement to 4G
        bitbake: bitbake: drop old rules for python warnings
        bitbake: bitbake: correct the collections vs collections.abc deprecation
        bitbake: bitbake: fix regexp deprecation warnings
        bitbake: bitbake: do not import imp in layerindexlib
        bitbake: bitbake: adjust parser error check for python 3.10 compatibility
        bitbake: bitbake: correct deprecation warning in process.py
        bitbake: bitbake: enable python warnings at the first opportunity
        meta: correct collections vs collections.abc deprecation
        wic: keep rootfs_size as integer
        cpan-base.bbclass: use raw string for regexp
        testimage: symlink the task log and qemu console log to tmp/log/oeqa

  Armin Kuster (2):
        apr: Security fix for CVE-2021-35940
        tar: ignore node-tar CVEs

  Bruce Ashfield (11):
        linux-yocto/5.13: update to v5.13.13
        linux-yocto/5.13: update to v5.13.15
        linux-yocto/5.10: update to v5.10.61
        linux-yocto/5.10: update to v5.10.63
        yocto-bsp/5.10: update to v5.10.63
        yocto-bsp/5.13: update to v5.13.15
        libc-headers: bump to v5.14
        linux-yocto: introduce 5.14 reference kernel
        systemtap: update to 4.5-latest
        conf/machine: bump qemu preferred versions to 5.14
        poky: set default kernel to 5.14

  Changqing Li (1):
        lttng-ust: fix do_compile error when PACKAGECONFIG examples is enabled

  Chanho Park (1):
        binutils: inherit pkgconfig to address libdebuginfod depdency

  Claudius Heine (1):
        rng-tools: add systemd-udev-settle wants to service

  Daniel Ammann (1):
        bitbake: fetch2/wget: Enable ftps

  Daniel Wagenknecht (2):
        mirrors.bbclass: provide additional rule for git repo fallbacks
        mirrors.bbclass: remove redundant server-specific mirrors

  Denys Dmytriyenko (1):
        readline: correct pkg-config dependency for termcap

  Hsia-Jun(Randy) Li (1):
        cross-canadian: make android pass target sys check

  Jon Mason (6):
        Update mailing list address
        README: update mailing list address
        dev-manual: update mailing list address
        core-image-sato: Fix runqemu error for qemuarmv5
        machine/qemuarm*: use virtio graphics
        testimage: remove aarch64 xorg exclusion

  Joshua Watt (17):
        Add SPDX licenses
        classes/package: Add extended packaged data
        classes/create-spdx: Add class
        classes/create-spdx: Change creator
        classes/create-spdx: Add SHA1 to index file
        classes/create-spdx: Add index to DEPLOYDIR
        classes/create-spdx: Add runtime dependency mapping
        classes/create-spdx: Add NOASSERTION for unknown debug sources
        classes/create-spdx: Fix another creator
        classes/create-spdx: Fix up license reporting
        classes/create-spdx: Speed up hash calculations
        classes/create-spdx: Fix file:// in downloadLocation
        classes/create-spdx: Add special exception for Public Domain license
        classes/create-spdx: Collect all task dependencies
        classes/create-spdx: Skip package processing for native recipes
        classes/create-spdx: Comment out placeholder license warning
        bitbake: cooker: Allow upstream for local hash equivalence server

  Kai Kang (2):
        perl: fix CVE-2021-36770
        rust-common.bbclass: make sure ccache exist

  Kevin Hao (1):
        meta-yocto-bsp: Update the default kernel to v5.14

  Khem Raj (3):
        vim: Add packageconfig for sound notification support
        site: Drop caching libIDL_cv_long_long_format
        site: Drop ORBit2 relared cached variables

  Konrad Weihmann (1):
        expat: pull from github releases

  Kristian Klausen (3):
        systemd: Add homed PACKAGECONFIG
        wic: Add extra-space argument
        systemd: Add tpm2 PACKAGECONFIG

  Mark Hatle (3):
        reproducible_build: Remove BUILD_REPRODUCIBLE_BINARIES checking
        externalsrc: Work with reproducible_build
        tcf-agent: Move to the latest master version

  Markus Volk (1):
        util-linux: disable raw

  Martin Jansa (3):
        default-distrovars.inc: Set BBINCLUDELOGS to empty to disable printing failed task output multiple times
        bitbake: bitbake.conf: fix vars_from_file() call
        qemu-native: add direct dependency on ninja-native and meson-native

  Michael Halstead (1):
        releases: update to include 3.3.3

  Michael Opdenacker (9):
        dev-manual: explicit that devpyshell is a task
        bitbake: bitbake-user-manual: replace "file name" by "filename"
        manuals: replace Freenode by Libera Chat as IRC host
        manuals: delete unmaintained history sections
        ref-manual: document UPSTREAM_CHECK_COMMITS and UPSTREAM_VERSION_UNKNOWN
        ref-manual: remove checkpkg task
        ref-manual: improve "devtool check-upgrade-status" details
        ref-manual: improve documentation for RECIPE_NO_UPDATE_REASON
        ref-manual: update "devtool check-upgrade-status" output

  Mingli Yu (6):
        coreutils: add pkgconfig for selinux
        findutils: add pkgconfig for selinux
        tar: add pkgconfig for selinux
        multilib.bbclass: add RDEPENDS related check back
        insane.bbclass: add FILERDEPENDS related check back
        python3: fix multilib qa issue

  Peter Bergin (1):
        systemd: add packageconfig for wheel-group

  Peter Kjellerstedt (2):
        common-licenses, licenses.conf: Remove duplicate licenses
        create-spdx.bbclass: Search all license directories for licenses

  Quentin Schulz (3):
        bitbake: doc: bitbake-user-manual-execution: remove mention to long-gone BBHASHDEPS variable
        conf/mips: mips16e: prepend override to MACHINEOVERRIDES
        bitbake: doc: bitbake-user-manual-fetching: S should be set to WORKDIR/git for git fetcher

  Randy MacLeod (1):
        tcmode-default: add rust to the default toolchains

  Ranjitsinh Rathod (1):
        rpm: Handle proper return value to avoid major issues

  Richard Purdie (67):
        oeqa/runtime/parselogs: Make DVD ata error apply to all qemux86 machines
        tcl: Exclude CVE-2021-35331 from checks
        xdg-utils: Add fix for CVE-2020-27748
        build-appliance-image: Update to master head revision
        utils: Drop unused variable staging_install from oe_libinstall
        utils: Drop obsolete oe_machinstall function
        flex: Add CVE-2019-6293 to exclusions for checks
        go: Exclude CVE-2021-29923 from report list
        bitbake: runqueue: Avoid deadlock avoidance task graph corruption
        bitbake: runqueue: Fix issues with multiconfig deferred task deadlock messages
        oeqa/oescripts: Fix after tar recipe changes
        pseudo: Update with fcntl and glibc 2.34 fixes
        bitbake: persist_data: Drop deprecated/unused function
        bitbake: parse_py: Drop deprecated function reference
        bitbake: build: Match markup to real function name
        bitbake: build: Handle SystemExit in python tasks correctly
        bitbake: process: Don't include logs in error message if piping them
        bitbake: build: Avoid duplicating logs in verbose mode
        bitbake: data_smart: Make ExpansionErrors more readable
        bitbake: build: Catch and error upon circular task references
        bitbake: data_smart: Improve error display for handled exceptions
        bitbake: fetch2: Add recursion guard
        bitbake: cookerdata: Improve missing core layer error message
        bitbake: cookerdata: Show error for no BBLAYERS in bblayers.conf
        bitbake: runqueue: Clean up task stats handling
        Revert "default-distrovars.inc: Set BBINCLUDELOGS to empty to disable printing failed task output multiple times"
        bitbake.conf: Ensure XZ_THREADS doesn't change sstate checksums
        sstate: Avoid problems with recipes using SRCPV when fetching sstate
        local.conf.sample: Update sstate mirror entry with new hash equivalence setting
        useradd: Ensure preinst data is expanded correctly in pkgdata
        package: Fix pkgdata determinism issues
        sstate: Ensure SDE is accounted for in package task timestamps
        bash: Ensure deterministic build
        sstatesig: Allow exclusion of the root directory for do_package
        bitbake: bitbake-worker: Improve error handling
        bitbake: runqueue/knotty: Improve UI handling of setscene task counting
        bitbake: fetch2/git: Avoid races over mirror tarball creation
        README: Update email address for Bruce
        bitbake: cookerdata: Show a readable error for invalid multiconfig name
        bitbake: fetch2/git: Use os.rename instead of mv
        bitbake: tests/fetch2: Fix quoting warning
        bitbake: data_smart: Don't add None to ExpansionError varlist
        bitbake: fetch2/svn: Allow peg-revision functionality to be disabled
        vim: Backport fix for CVE-2021-3770
        libgcrypt: Upgrade 1.9.3 -> 1.9.4
        sqlite3: Exclude CVE-2021-36690 from cve checks
        recipes: Add missing pkgconfig inherit
        lttng-tools: Add missing DEPENDS on bison-native
        cross: Drop unused do_install
        pybootchart: Avoid divide by zero
        bitbake: tests/fetch2: Use our own git server for dtc test repo
        scripts/oe-publish-sdk: Disable git gc to avoid build errors
        image/qemu: Add explict depends for qemu-helper addto_recipe_sysroot task
        siteinfo/autotools: Ensure task checksums reflect site files
        package_ipk/deb/rpm: Drop recursive do_build task dependencies
        reproducible_build/package_XXX: Ensure SDE task is in dependency chain
        populate_sdk_base/images: Drop use of 'meta' class and hence do_build dependencies
        buildtools-tarball/uninative-tarball/meta-ide-support: Drop useless meta class
        meta: Drop useless class
        staging: Mark deploy an sstate task
        sstate: Ensure deploy tasks don't pull in toolchains
        sstate: Avoid deploy_source_date_epoch sstate when unneeded
        ssate: Cleanup directtasks handling
        bitbake: build: Ensure python stdout/stderr is logged correctly
        bitbake: build: Make exception printing clearer
        bitbake: build: Fix log flushing race
        oeqa/selftest: Add tests for bitbake shell/python task output

  Robert P. J. Day (16):
        dev-manual: pass False to d.getVar() for devpyshell example
        ref-manual: add missing "${PN}-src" to default PACKAGES list
        dev-manual: small number of minor aesthetic tweaks
        dev-manual: various pedantic nitpickery
        dev-manual: drop "three" since there are four requirements
        ref-manual: update SYSROOT_DIRS_* variable entries
        README: update manual list and names, online docs URL
        image_types_wic.bbclass: alphabetize list of WICVARS
        systemd: '${systemd_unitdir}/system' => '${systemd_system_unitdir}'
        ref-manual: render options in monospace to show quotes properly
        ref-manual: remove mention of obsolete devtool "--any-recipe" option
        ref-manual: correct typo in "classes" section, "${BPN}/{PV}"
        ref-manual: add potential of parallelism to defn of "Task"
        ref-manual: couple minor tweaks to Chapter 1
        dev-manual: emphasize that new layers live outside of poky
        dev-manual: update output of "wic list images"

  Robert Yang (1):
        assimp: Remove it

  Ross Burton (40):
        lz4: remove redundant BSD license
        python3-numpy: remove redundant BSD license
        quota: remove BSD license
        nfs-utils: set precise BSD license
        dtc: set precise BSD license
        acpica: set precise BSD license
        libevent: set precise BSD license
        openssh: remove redundant BSD license
        python3-packaging: fix license statement
        iputils: set precise BSD license
        libx11-compose-data: set precise BSD license
        webkitgtk: set precise BSD license
        libwpe: set precise BSD license
        wpebackend-fdo: set precise BSD license
        common-licenses: add missing SPDX licences
        dev-manual/common-tasks: sync libxpm fragment with the recipe
        lsof: correct LICENSE
        selftest/python-async-test: set precise BSD license
        lsof: add upstream check
        xinetd: correct LICENSE
        oeqa/recipeutils: update for license change to python-async-test
        libxfont: set precise BSD license
        valgrind: set precise BSD license
        shadow-sysroot: sync license with shadow
        ovmf: set precise BSD license
        ppp: set precise BSD license
        ffmpeg: update LICENSE
        hdparm: set correct license
        recipetool/create_buildsys_python: treat BSD as BSD-3-Clause
        oeqa/selftest/recipetool: update for license changes
        create-spdx: transform license list into a dict for faster lookups
        create-spdx: remove redundant test
        create-spdx: embed unknown license texts
        create-spdx: don't duplicate license texts in each package
        create-spdx: handle CLOSED license
        ffmpeg: fix LICENSE
        avahi: remove obsolete intltool-native dependency
        shared-mime-info: use a more concise description
        libsoup-2.4: remove obsolete intltool dependency
        oeqa/target/ssh: don't assume target_dumper is set

  Sakib Sajal (1):
        go: upgrade 1.16.5 -> 1.16.7

  Saul Wold (2):
        classes/create-spdx: extend DocumentRef to include name
        create-spdx: remove trailing comma

  Scott Weaver (3):
        bitbake: bitbake: fetch2: fix premirror URI when downloadfilename defined
        bitbake: bitbake: tests/fetch: add downloadfilename tests
        bitbake: bitbake: tests/fetch: add and fix npm tests

  Steve Sakoman (1):
        connman: add CVE_PRODUCT

  Tom Rini (1):
        common-tasks: Add an example of using bbappends to add a file

  Trevor Woerner (1):
        hello-mod/hello.c: convert to module_init/module_exit

  Valentin Danaila (1):
        bitbake: fetch2/s3: allow to switch profile from environment variable

  Vyacheslav Yurkov (1):
        ref-manual: add overlayfs class

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I194b13991cbaac7ae9e20cc2b552b508ab879905
diff --git a/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb b/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb
deleted file mode 100644
index 74f32a4..0000000
--- a/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb
+++ /dev/null
@@ -1,10 +0,0 @@
-SUMMARY = "CryFS encrypts your files, so you can safely store them anywhere."
-HOMEDIR = "https://www.cryfs.org"
-
-LICENSE = "LGPL-3.0"
-FILE_CHK_SUM = "file://;md5=12345"
-
-SRC_URI = "https://github.com/${BPN}/${BPN}.git"
-SRCREV = "0f83a1ab7e5ca9f37f97bc57b20d3fab0f351d11"
-
-inherit cmake
diff --git a/meta-security/recipes-security/isic/isic_0.07.bb b/meta-security/recipes-security/isic/isic_0.07.bb
index fb6e904..28153e3 100644
--- a/meta-security/recipes-security/isic/isic_0.07.bb
+++ b/meta-security/recipes-security/isic/isic_0.07.bb
@@ -2,7 +2,7 @@
 DESCRIPTION = "ISIC is a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et. al.)"
 HOMEPAGE = "http://isic.sourceforge.net/"
 SECTION = "security"
-LICENSE = "BSD"
+LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=d41d8cd98f00b204e9800998ecf8427e"
 
 DEPENDS = "libnet"
diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb
index 8e36812..6c1bd46 100644
--- a/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb
+++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb
@@ -1,6 +1,6 @@
 SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones"
 
-LICENSE = "BSD"
+LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937"
 
 DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml "
diff --git a/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch b/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch
new file mode 100644
index 0000000..7a59df9
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch
@@ -0,0 +1,288 @@
+Backport patch to fix CVE-2021-3621.
+
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9]
+CVE: CVE-2021-3621
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 18 Jun 2021 13:17:19 +0200
+Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
+ user supplied command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+:relnote: A flaw was found in SSSD, where the sssctl command was
+vulnerable to shell command injection via the logs-fetch and
+cache-expire subcommands. This flaw allows an attacker to trick
+the root user into running a specially crafted sssctl command,
+such as via sudo, to gain root access. The highest threat from this
+vulnerability is to confidentiality, integrity, as well as system
+availability.
+This patch fixes a flaw by replacing system() with execvp().
+
+:fixes: CVE-2021-3621
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/tools/sssctl/sssctl.c      | 39 ++++++++++++++++-------
+ src/tools/sssctl/sssctl.h      |  2 +-
+ src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
+ src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
+ 4 files changed, 73 insertions(+), 57 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 2997dbf968..8adaf30910 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
+     return SSSCTL_PROMPT_ERROR;
+ }
+ 
+-errno_t sssctl_run_command(const char *command)
++errno_t sssctl_run_command(const char *const argv[])
+ {
+     int ret;
++    int wstatus;
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
++    DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
+ 
+-    ret = system(command);
++    ret = fork();
+     if (ret == -1) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
+         ERROR("Error while executing external command\n");
+         return EFAULT;
+-    } else if (WEXITSTATUS(ret) != 0) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
+-              command, WEXITSTATUS(ret));
++    }
++
++    if (ret == 0) {
++        /* cast is safe - see
++        https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
++        "The statement about argv[] and envp[] being constants ... "
++        */
++        execvp(argv[0], discard_const_p(char * const, argv));
+         ERROR("Error while executing external command\n");
+-        return EIO;
++        _exit(1);
++    } else {
++        if (waitpid(ret, &wstatus, 0) == -1) {
++            ERROR("Error while executing external command '%s'\n", argv[0]);
++            return EFAULT;
++        } else if (WEXITSTATUS(wstatus) != 0) {
++            ERROR("Command '%s' failed with [%d]\n",
++                  argv[0], WEXITSTATUS(wstatus));
++            return EIO;
++        }
+     }
+ 
+     return EOK;
+@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
+ #elif defined(HAVE_SERVICE)
+     switch (action) {
+     case SSSCTL_SVC_START:
+-        return sssctl_run_command(SERVICE_PATH" sssd start");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
+     case SSSCTL_SVC_STOP:
+-        return sssctl_run_command(SERVICE_PATH" sssd stop");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
+     case SSSCTL_SVC_RESTART:
+-        return sssctl_run_command(SERVICE_PATH" sssd restart");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
+     }
+ #endif
+ 
+diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
+index 0115b2457c..599ef65196 100644
+--- a/src/tools/sssctl/sssctl.h
++++ b/src/tools/sssctl/sssctl.h
+@@ -47,7 +47,7 @@ enum sssctl_prompt_result
+ sssctl_prompt(const char *message,
+               enum sssctl_prompt_result defval);
+ 
+-errno_t sssctl_run_command(const char *command);
++errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
+ bool sssctl_start_sssd(bool force);
+ bool sssctl_stop_sssd(bool force);
+ bool sssctl_restart_sssd(bool force);
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index 8d79b977fd..bf22913416 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
+         }
+     }
+ 
+-    ret = sssctl_run_command("sss_override user-export "
+-                             SSS_BACKUP_USER_OVERRIDES);
++    ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
++                                              SSS_BACKUP_USER_OVERRIDES, NULL});
+     if (ret != EOK) {
+         ERROR("Unable to export user overrides\n");
+         return ret;
+     }
+ 
+-    ret = sssctl_run_command("sss_override group-export "
+-                             SSS_BACKUP_GROUP_OVERRIDES);
++    ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
++                                              SSS_BACKUP_GROUP_OVERRIDES, NULL});
+     if (ret != EOK) {
+         ERROR("Unable to export group overrides\n");
+         return ret;
+@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override user-import "
+-                                 SSS_BACKUP_USER_OVERRIDES);
++        ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
++                                                  SSS_BACKUP_USER_OVERRIDES, NULL});
+         if (ret != EOK) {
+             ERROR("Unable to import user overrides\n");
+             return ret;
+@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override group-import "
+-                                 SSS_BACKUP_GROUP_OVERRIDES);
++        ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
++                                                  SSS_BACKUP_GROUP_OVERRIDES, NULL});
+         if (ret != EOK) {
+             ERROR("Unable to import group overrides\n");
+             return ret;
+@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
+                             void *pvt)
+ {
+     errno_t ret;
+-    char *cmd_args = NULL;
+-    const char *cachecmd = SSS_CACHE;
+-    char *cmd = NULL;
+-    int i;
+-
+-    if (cmdline->argc == 0) {
+-        ret = sssctl_run_command(cachecmd);
+-        goto done;
+-    }
+ 
+-    cmd_args = talloc_strdup(tool_ctx, "");
+-    if (cmd_args == NULL) {
+-        ret = ENOMEM;
+-        goto done;
++    const char **args = talloc_array_size(tool_ctx,
++                                          sizeof(char *),
++                                          cmdline->argc + 2);
++    if (!args) {
++        return ENOMEM;
+     }
++    memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
++    args[0] = SSS_CACHE;
++    args[cmdline->argc + 1] = NULL;
+ 
+-    for (i = 0; i < cmdline->argc; i++) {
+-        cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
+-        if (i != cmdline->argc - 1) {
+-            cmd_args = talloc_strdup_append(cmd_args, " ");
+-        }
+-    }
+-
+-    cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
+-    if (cmd == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+-    ret = sssctl_run_command(cmd);
+-
+-done:
+-    talloc_free(cmd_args);
+-    talloc_free(cmd);
++    ret = sssctl_run_command(args);
+ 
++    talloc_free(args);
+     return ret;
+ }
+diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
+index 9ff2be05b6..ebb2c4571c 100644
+--- a/src/tools/sssctl/sssctl_logs.c
++++ b/src/tools/sssctl/sssctl_logs.c
+@@ -31,6 +31,7 @@
+ #include <ldb.h>
+ #include <popt.h>
+ #include <stdio.h>
++#include <glob.h>
+ 
+ #include "util/util.h"
+ #include "tools/common/sss_process.h"
+@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ {
+     struct sssctl_logs_opts opts = {0};
+     errno_t ret;
++    glob_t globbuf;
+ 
+     /* Parse command line. */
+     struct poptOption options[] = {
+@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ 
+         sss_signal(SIGHUP);
+     } else {
++        globbuf.gl_offs = 4;
++        ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
++        if (ret != 0) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
++            return ret;
++        }
++        globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
++        globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
++        globbuf.gl_pathv[2] = discard_const_p(char, "--size");
++        globbuf.gl_pathv[3] = discard_const_p(char, "0");
++
+         PRINT("Truncating log files...\n");
+-        ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
++        ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
++        globfree(&globbuf);
+         if (ret != EOK) {
+             ERROR("Unable to truncate log files\n");
+             return ret;
+@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+                           void *pvt)
+ {
+     const char *file;
+-    const char *cmd;
+     errno_t ret;
++    glob_t globbuf;
+ 
+     /* Parse command line. */
+     ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
+@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+         return ret;
+     }
+ 
+-    cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
+-    if (cmd == NULL) {
+-        ERROR("Out of memory!");
++    globbuf.gl_offs = 3;
++    ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
++    if (ret != 0) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
++        return ret;
+     }
++    globbuf.gl_pathv[0] = discard_const_p(char, "tar");
++    globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
++    globbuf.gl_pathv[2] = discard_const_p(char, file);
+ 
+     PRINT("Archiving log files into %s...\n", file);
+-    ret = sssctl_run_command(cmd);
++    ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
++    globfree(&globbuf);
+     if (ret != EOK) {
+         ERROR("Unable to archive log files\n");
+         return ret;
diff --git a/meta-security/recipes-security/sssd/sssd_2.5.1.bb b/meta-security/recipes-security/sssd/sssd_2.5.2.bb
similarity index 97%
rename from meta-security/recipes-security/sssd/sssd_2.5.1.bb
rename to meta-security/recipes-security/sssd/sssd_2.5.2.bb
index 1c77480..76d6e03 100644
--- a/meta-security/recipes-security/sssd/sssd_2.5.1.bb
+++ b/meta-security/recipes-security/sssd/sssd_2.5.2.bb
@@ -23,9 +23,10 @@
            file://drop_ntpdate_chk.patch \
            file://fix-ldblibdir.patch \
            file://musl_fixup.patch \
+           file://CVE-2021-3621.patch \
            "
 
-SRC_URI[sha256sum] = "ce2f5d84a3f1750093318afd27f4fd75b1e3e75f7d80fc42d21a40cc54b58ea4"
+SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
 
 inherit autotools pkgconfig gettext python3-dir features_check systemd