diff --git a/poky/meta/classes/gio-module-cache.bbclass b/poky/meta/classes/gio-module-cache.bbclass
index e429bd3..0520c22 100644
--- a/poky/meta/classes/gio-module-cache.bbclass
+++ b/poky/meta/classes/gio-module-cache.bbclass
@@ -2,6 +2,7 @@
 inherit qemu
 
 GIO_MODULE_PACKAGES ??= "${PN}"
+GIO_MODULE_PACKAGES_class-nativesdk = ""
 
 gio_module_cache_common() {
 if [ "x$D" != "x" ]; then
diff --git a/poky/meta/classes/insane.bbclass b/poky/meta/classes/insane.bbclass
index fa15460..eb2d967 100644
--- a/poky/meta/classes/insane.bbclass
+++ b/poky/meta/classes/insane.bbclass
@@ -534,9 +534,9 @@
     if path.find(name + "/CONTROL/") != -1 or path.find(name + "/DEBIAN/") != -1:
         return
 
-    tmpdir = d.getVar('TMPDIR')
+    tmpdir = bytes(d.getVar('TMPDIR'), encoding="utf-8")
     with open(path, 'rb') as f:
-        file_content = f.read().decode('utf-8', errors='ignore')
+        file_content = f.read()
         if tmpdir in file_content:
             package_qa_add_message(messages, "buildpaths", "File %s in package contained reference to tmpdir" % package_qa_clean_path(path,d))
 
diff --git a/poky/meta/classes/mirrors.bbclass b/poky/meta/classes/mirrors.bbclass
index b331afc..ed53dfb 100644
--- a/poky/meta/classes/mirrors.bbclass
+++ b/poky/meta/classes/mirrors.bbclass
@@ -1,4 +1,5 @@
 MIRRORS += "\
+${DEBIAN_MIRROR}	http://snapshot.debian.org/archive/debian/20180310T215105Z/pool \n \
 ${DEBIAN_MIRROR}	http://snapshot.debian.org/archive/debian-archive/20120328T092752Z/debian/pool \n \
 ${DEBIAN_MIRROR}	http://snapshot.debian.org/archive/debian-archive/20110127T084257Z/debian/pool \n \
 ${DEBIAN_MIRROR}	http://snapshot.debian.org/archive/debian-archive/20090802T004153Z/debian/pool \n \
diff --git a/poky/meta/classes/rootfs-postcommands.bbclass b/poky/meta/classes/rootfs-postcommands.bbclass
index 5522209..221869e 100644
--- a/poky/meta/classes/rootfs-postcommands.bbclass
+++ b/poky/meta/classes/rootfs-postcommands.bbclass
@@ -112,14 +112,11 @@
 
 	# Also tweak the key location for dropbear in the same way.
 	if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
-		if [ -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
-			echo "DROPBEAR_RSAKEY_DIR=/etc/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
-		else
+		if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
 			echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
 		fi
 	fi
 
-
 	if ${@bb.utils.contains("DISTRO_FEATURES", "sysvinit", "true", "false", d)}; then
 		# Change the value of ROOTFS_READ_ONLY in /etc/default/rcS to yes
 		if [ -e ${IMAGE_ROOTFS}/etc/default/rcS ]; then
diff --git a/poky/meta/classes/sanity.bbclass b/poky/meta/classes/sanity.bbclass
index e0e57ce..4e8eae8 100644
--- a/poky/meta/classes/sanity.bbclass
+++ b/poky/meta/classes/sanity.bbclass
@@ -336,11 +336,11 @@
     return ""
 
 def get_filesystem_id(path):
-    status, result = oe.utils.getstatusoutput("stat -f -c '%s' '%s'" % ("%t", path))
-    if status == 0:
-        return result
-    else:
-        bb.warn("Can't get the filesystem id of: %s" % path)
+    import subprocess
+    try:
+        return subprocess.check_output(["stat", "-f", "-c", "%t", path]).decode('utf-8')
+    except subprocess.CalledProcessError:
+        bb.warn("Can't get filesystem id of: %s" % path)
         return None
 
 # Check that the path isn't located on nfs.
@@ -463,7 +463,7 @@
     import re, subprocess
 
     try:
-        result = subprocess.check_output(["patch", "--version"], stderr=subprocess.STDOUT, universal_newlines=True)
+        result = subprocess.check_output(["patch", "--version"], stderr=subprocess.STDOUT).decode('utf-8')
         version = re.search(r"[0-9.]+", result.splitlines()[0]).group()
         if LooseVersion(version) < LooseVersion("2.7"):
             return "Your version of patch is older than 2.7 and has bugs which will break builds. Please install a newer version of patch.\n"
@@ -476,9 +476,12 @@
 # Use a modified reproducer from http://savannah.gnu.org/bugs/?30612 to validate.
 def check_make_version(sanity_data):
     from distutils.version import LooseVersion
-    status, result = oe.utils.getstatusoutput("make --version")
-    if status != 0:
-        return "Unable to execute make --version, exit code %d\n" % status
+    import subprocess
+
+    try:
+        result = subprocess.check_output(['make', '--version'], stderr=subprocess.STDOUT).decode('utf-8')
+    except subprocess.CalledProcessError as e:
+        return "Unable to execute make --version, exit code %d\n%s\n" % (e.returncode, e.output)
     version = result.split()[2]
     if LooseVersion(version) == LooseVersion("3.82"):
         # Construct a test file
@@ -493,18 +496,18 @@
         f.close()
 
         # Check if make 3.82 has been patched
-        status,result = oe.utils.getstatusoutput("make -f makefile_test")
-
-        os.remove("makefile_test")
-        if os.path.exists("makefile_test_a.c"):
-            os.remove("makefile_test_a.c")
-        if os.path.exists("makefile_test_b.c"):
-            os.remove("makefile_test_b.c")
-        if os.path.exists("makefile_test.a"):
-            os.remove("makefile_test.a")
-
-        if status != 0:
+        try:
+            subprocess.check_call(['make', '-f', 'makefile_test'])
+        except subprocess.CalledProcessError as e:
             return "Your version of make 3.82 is broken. Please revert to 3.81 or install a patched version.\n"
+        finally:
+            os.remove("makefile_test")
+            if os.path.exists("makefile_test_a.c"):
+                os.remove("makefile_test_a.c")
+            if os.path.exists("makefile_test_b.c"):
+                os.remove("makefile_test_b.c")
+            if os.path.exists("makefile_test.a"):
+                os.remove("makefile_test.a")
     return None
 
 
@@ -512,9 +515,11 @@
 # but earlier versions do not; this needs to work properly for sstate
 def check_tar_version(sanity_data):
     from distutils.version import LooseVersion
-    status, result = oe.utils.getstatusoutput("tar --version")
-    if status != 0:
-        return "Unable to execute tar --version, exit code %d\n" % status
+    import subprocess
+    try:
+        result = subprocess.check_output(["tar", "--version"], stderr=subprocess.STDOUT).decode('utf-8')
+    except subprocess.CalledProcessError as e:
+        return "Unable to execute tar --version, exit code %d\n%s\n" % (e.returncode, e.output)
     version = result.split()[3]
     if LooseVersion(version) < LooseVersion("1.24"):
         return "Your version of tar is older than 1.24 and has bugs which will break builds. Please install a newer version of tar.\n"
@@ -525,9 +530,11 @@
 # The git fetcher also had workarounds for git < 1.7.9.2 which we've dropped
 def check_git_version(sanity_data):
     from distutils.version import LooseVersion
-    status, result = oe.utils.getstatusoutput("git --version 2> /dev/null")
-    if status != 0:
-        return "Unable to execute git --version, exit code %d\n" % status
+    import subprocess
+    try:
+        result = subprocess.check_output(["git", "--version"], stderr=subprocess.DEVNULL).decode('utf-8')
+    except subprocess.CalledProcessError as e:
+        return "Unable to execute git --version, exit code %d\n%s\n" % (e.returncode, e.output)
     version = result.split()[2]
     if LooseVersion(version) < LooseVersion("1.8.3.1"):
         return "Your version of git is older than 1.8.3.1 and has bugs which will break builds. Please install a newer version of git.\n"
@@ -535,13 +542,15 @@
 
 # Check the required perl modules which may not be installed by default
 def check_perl_modules(sanity_data):
+    import subprocess
     ret = ""
     modules = ( "Text::ParseWords", "Thread::Queue", "Data::Dumper" )
     errresult = ''
     for m in modules:
-        status, result = oe.utils.getstatusoutput("perl -e 'use %s'" % m)
-        if status != 0:
-            errresult += result
+        try:
+            subprocess.check_output(["perl", "-e", "use %s" % m])
+        except subprocess.CalledProcessError as e:
+            errresult += e.output
             ret += "%s " % m
     if ret:
         return "Required perl module(s) not found: %s\n\n%s\n" % (ret, errresult)
diff --git a/poky/meta/classes/staging.bbclass b/poky/meta/classes/staging.bbclass
index 3fcbc9f..939042e 100644
--- a/poky/meta/classes/staging.bbclass
+++ b/poky/meta/classes/staging.bbclass
@@ -383,8 +383,6 @@
     lock = bb.utils.lockfile(recipesysroot + "/sysroot.lock")
 
     fixme = {}
-    fixme[''] = []
-    fixme['native'] = []
     seendirs = set()
     postinsts = []
     multilibs = {}
@@ -471,7 +469,14 @@
         os.symlink(c + "." + taskhash, depdir + "/" + c)
 
         manifest, d2 = oe.sstatesig.find_sstate_manifest(c, setscenedeps[dep][2], "populate_sysroot", d, multilibs)
+        if d2 is not d:
+            # If we don't do this, the recipe sysroot will be placed in the wrong WORKDIR for multilibs
+            # We need a consistent WORKDIR for the image
+            d2.setVar("WORKDIR", d.getVar("WORKDIR"))
         destsysroot = d2.getVar("RECIPE_SYSROOT")
+        # We put allarch recipes into the default sysroot
+        if manifest and "allarch" in manifest:
+            destsysroot = d.getVar("RECIPE_SYSROOT")
 
         native = False
         if c.endswith("-native") or "-cross-" in c or "-crosssdk" in c:
@@ -479,12 +484,13 @@
 
         if manifest:
             newmanifest = collections.OrderedDict()
+            targetdir = destsysroot
             if native:
-                fm = fixme['native']
                 targetdir = recipesysrootnative
-            else:
-                fm = fixme['']
-                targetdir = destsysroot
+            if targetdir not in fixme:
+                fixme[targetdir] = []
+            fm = fixme[targetdir]
+
             with open(manifest, "r") as f:
                 manifests[dep] = manifest
                 for l in f:
@@ -542,12 +548,7 @@
     bb.note("Skipping as already exists in sysroot: %s" % str(msg_exists))
 
     for f in fixme:
-        if f == '':
-            staging_processfixme(fixme[f], recipesysroot, recipesysroot, recipesysrootnative, d)
-        elif f == 'native':
-            staging_processfixme(fixme[f], recipesysrootnative, recipesysroot, recipesysrootnative, d)
-        else:
-            staging_processfixme(fixme[f], multilibs[f].getVar("RECIPE_SYSROOT"), recipesysroot, recipesysrootnative, d)
+        staging_processfixme(fixme[f], f, recipesysroot, recipesysrootnative, d)
 
     for p in postinsts:
         subprocess.check_output(p, shell=True, stderr=subprocess.STDOUT)
diff --git a/poky/meta/classes/testimage.bbclass b/poky/meta/classes/testimage.bbclass
index 77291c2..9feb267 100644
--- a/poky/meta/classes/testimage.bbclass
+++ b/poky/meta/classes/testimage.bbclass
@@ -117,13 +117,6 @@
 }
 
 python do_testimage() {
-
-    testimage_sanity(d)
-
-    if (d.getVar('IMAGE_PKGTYPE') == 'rpm'
-       and 'dnf' in d.getVar('TEST_SUITES')):
-        create_rpm_index(d)
-
     testimage_main(d)
 }
 
@@ -159,6 +152,12 @@
         """
         raise RuntimeError
 
+    testimage_sanity(d)
+
+    if (d.getVar('IMAGE_PKGTYPE') == 'rpm'
+       and ('dnf' in d.getVar('TEST_SUITES') or 'auto' in d.getVar('TEST_SUITES'))):
+        create_rpm_index(d)
+
     logger = make_logger_bitbake_compatible(logging.getLogger("BitBake"))
     pn = d.getVar("PN")
 
@@ -260,10 +259,16 @@
     # Load tests before starting the target
     test_paths = get_runtime_paths(d)
     test_modules = d.getVar('TEST_SUITES').split()
+    if not test_modules:
+        bb.fatal('Empty test suite, please verify TEST_SUITES variable')
+
     tc.loadTests(test_paths, modules=test_modules)
 
-    if not getSuiteCases(tc.suites):
+    suitecases = getSuiteCases(tc.suites)
+    if not suitecases:
         bb.fatal('Empty test suite, please verify TEST_SUITES variable')
+    else:
+        bb.debug(2, 'test suites:\n\t%s' % '\n\t'.join([str(c) for c in suitecases]))
 
     package_extraction(d, tc.suites)
 
diff --git a/poky/meta/classes/utils.bbclass b/poky/meta/classes/utils.bbclass
index 4f016e3..3f4f51b 100644
--- a/poky/meta/classes/utils.bbclass
+++ b/poky/meta/classes/utils.bbclass
@@ -338,6 +338,8 @@
     variants = d.getVar("MULTILIB_VARIANTS") or ""
     for item in variants.split():
         localdata = get_multilib_datastore(item, d)
+        # We need WORKDIR to be consistent with the original datastore
+        localdata.setVar("WORKDIR", d.getVar("WORKDIR"))
         value = localdata.getVar(var) or ""
         if value != "":
             if need_split:
diff --git a/poky/meta/conf/bitbake.conf b/poky/meta/conf/bitbake.conf
index a21b728..ecc43a4 100644
--- a/poky/meta/conf/bitbake.conf
+++ b/poky/meta/conf/bitbake.conf
@@ -487,7 +487,7 @@
 "
 
 # Tools needed to run testimage runtime image testing
-HOSTTOOLS += "${@['', 'ip ping ps scp ssh stty'][bb.data.inherits_class('testimage', d)]}"
+HOSTTOOLS += "${@'ip ping ps scp ssh stty' if (bb.data.inherits_class('testimage', d) or d.getVar('TEST_IMAGE') == '1') else ''}"
 
 # Link to these if present
 HOSTTOOLS_NONFATAL += "aws ccache gcc-ar gpg ld.bfd ld.gold nc sftp socat ssh sudo"
@@ -587,9 +587,6 @@
 
 export LDFLAGS = "${TARGET_LDFLAGS}"
 export TARGET_LDFLAGS = "-Wl,-O1 ${TARGET_LINK_HASH_STYLE}"
-#export TARGET_LDFLAGS = "-L${STAGING_DIR_TARGET}${libdir} \
-#                         -Wl,-rpath-link,${STAGING_DIR_TARGET}${libdir} \
-#                         -Wl,-O1"
 
 # Pass parallel make options to the compile task
 EXTRA_OEMAKE_prepend_task-compile = "${PARALLEL_MAKE} "
@@ -664,7 +661,7 @@
 
 FETCHCMD_svn = "/usr/bin/env svn --non-interactive --trust-server-cert"
 FETCHCMD_cvs = "/usr/bin/env cvs"
-FETCHCMD_wget = "/usr/bin/env wget -t 2 -T 30 -nv --passive-ftp --no-check-certificate"
+FETCHCMD_wget = "/usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate"
 FETCHCMD_bzr = "/usr/bin/env bzr"
 FETCHCMD_hg = "/usr/bin/env hg"
 
diff --git a/poky/meta/conf/distro/include/yocto-uninative.inc b/poky/meta/conf/distro/include/yocto-uninative.inc
index a8e82cb..38080c6 100644
--- a/poky/meta/conf/distro/include/yocto-uninative.inc
+++ b/poky/meta/conf/distro/include/yocto-uninative.inc
@@ -8,6 +8,7 @@
 
 UNINATIVE_MAXGLIBCVERSION = "2.27"
 
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/1.9/"
-UNINATIVE_CHECKSUM[i686] ?= "83a4f927da81d9889ef0cbe5c12cb782e21c6cc11e6155600b94ff0c99576dce"
-UNINATIVE_CHECKSUM[x86_64] ?= "c26622a1f27dbf5b25de986b11584b5c5b2f322d9eb367f705a744f58a5561ec"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.2/"
+UNINATIVE_CHECKSUM[i686] ?= "036b60092fe4acfa1a321d110673030db20344a2d56f33a4d047f0279498bdad"
+UNINATIVE_CHECKSUM[x86_64] ?= "e3b77208169bf1ac4e89496f3cdbf27695f5b18a2694a908a793390f28b67f83"
+
diff --git a/poky/meta/conf/licenses.conf b/poky/meta/conf/licenses.conf
index 3e2d258..90c486e 100644
--- a/poky/meta/conf/licenses.conf
+++ b/poky/meta/conf/licenses.conf
@@ -16,7 +16,7 @@
 SRC_DISTRIBUTE_LICENSES += "CDDL-1.0 CECILL-1.0 CECILL-2.0 CECILL-B CECILL-C"
 SRC_DISTRIBUTE_LICENSES += "ClArtistic CPAL-1.0 CPL-1.0 CUA-OPL-1.0 DSSSL"
 SRC_DISTRIBUTE_LICENSES += "ECL-1.0 ECL-2.0 eCos-2.0 EDL-1.0 EFL-1.0 EFL-2.0"
-SRC_DISTRIBUTE_LICENSES += "Elfutils-Exception Entessa EPL-1.0 ErlPL-1.1"
+SRC_DISTRIBUTE_LICENSES += "Elfutils-Exception Entessa EPL-1.0 EPL-2.0 ErlPL-1.1"
 SRC_DISTRIBUTE_LICENSES += "EUDatagrid EUPL-1.0 EUPL-1.1 Fair Frameworx-1.0"
 SRC_DISTRIBUTE_LICENSES += "FreeType GFDL-1.1 GFDL-1.2 GFDL-1.3 GPL-1.0"
 SRC_DISTRIBUTE_LICENSES += "GPL-2.0 GPL-2.0-with-autoconf-exception"
diff --git a/poky/meta/conf/machine/qemux86-64.conf b/poky/meta/conf/machine/qemux86-64.conf
index fcc4459..2330c7d 100644
--- a/poky/meta/conf/machine/qemux86-64.conf
+++ b/poky/meta/conf/machine/qemux86-64.conf
@@ -33,5 +33,5 @@
 KERNEL_MODULE_PROBECONF += "uvesafb"
 module_conf_uvesafb = "options uvesafb mode_option=${UVESA_MODE}"
 
-WKS_FILE ?= "directdisk.wks"
+WKS_FILE ?= "qemux86-directdisk.wks"
 do_image_wic[depends] += "syslinux:do_populate_sysroot syslinux-native:do_populate_sysroot mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot"
diff --git a/poky/meta/conf/machine/qemux86.conf b/poky/meta/conf/machine/qemux86.conf
index c53f7a9..811e3ef 100644
--- a/poky/meta/conf/machine/qemux86.conf
+++ b/poky/meta/conf/machine/qemux86.conf
@@ -32,5 +32,5 @@
 KERNEL_MODULE_PROBECONF += "uvesafb"
 module_conf_uvesafb = "options uvesafb mode_option=${UVESA_MODE}"
 
-WKS_FILE ?= "directdisk.wks"
+WKS_FILE ?= "qemux86-directdisk.wks"
 do_image_wic[depends] += "syslinux:do_populate_sysroot syslinux-native:do_populate_sysroot mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot"
diff --git a/poky/meta/files/common-licenses/EPL-2.0 b/poky/meta/files/common-licenses/EPL-2.0
new file mode 100644
index 0000000..e48e096
--- /dev/null
+++ b/poky/meta/files/common-licenses/EPL-2.0
@@ -0,0 +1,277 @@
+Eclipse Public License - v 2.0
+
+    THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE
+    PUBLIC LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION
+    OF THE PROGRAM CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
+
+1. DEFINITIONS
+
+"Contribution" means:
+
+  a) in the case of the initial Contributor, the initial content
+     Distributed under this Agreement, and
+
+  b) in the case of each subsequent Contributor:
+     i) changes to the Program, and
+     ii) additions to the Program;
+  where such changes and/or additions to the Program originate from
+  and are Distributed by that particular Contributor. A Contribution
+  "originates" from a Contributor if it was added to the Program by
+  such Contributor itself or anyone acting on such Contributor's behalf.
+  Contributions do not include changes or additions to the Program that
+  are not Modified Works.
+
+"Contributor" means any person or entity that Distributes the Program.
+
+"Licensed Patents" mean patent claims licensable by a Contributor which
+are necessarily infringed by the use or sale of its Contribution alone
+or when combined with the Program.
+
+"Program" means the Contributions Distributed in accordance with this
+Agreement.
+
+"Recipient" means anyone who receives the Program under this Agreement
+or any Secondary License (as applicable), including Contributors.
+
+"Derivative Works" shall mean any work, whether in Source Code or other
+form, that is based on (or derived from) the Program and for which the
+editorial revisions, annotations, elaborations, or other modifications
+represent, as a whole, an original work of authorship.
+
+"Modified Works" shall mean any work in Source Code or other form that
+results from an addition to, deletion from, or modification of the
+contents of the Program, including, for purposes of clarity any new file
+in Source Code form that contains any contents of the Program. Modified
+Works shall not include works that contain only declarations,
+interfaces, types, classes, structures, or files of the Program solely
+in each case in order to link to, bind by name, or subclass the Program
+or Modified Works thereof.
+
+"Distribute" means the acts of a) distributing or b) making available
+in any manner that enables the transfer of a copy.
+
+"Source Code" means the form of a Program preferred for making
+modifications, including but not limited to software source code,
+documentation source, and configuration files.
+
+"Secondary License" means either the GNU General Public License,
+Version 2.0, or any later versions of that license, including any
+exceptions or additional permissions as identified by the initial
+Contributor.
+
+2. GRANT OF RIGHTS
+
+  a) Subject to the terms of this Agreement, each Contributor hereby
+  grants Recipient a non-exclusive, worldwide, royalty-free copyright
+  license to reproduce, prepare Derivative Works of, publicly display,
+  publicly perform, Distribute and sublicense the Contribution of such
+  Contributor, if any, and such Derivative Works.
+
+  b) Subject to the terms of this Agreement, each Contributor hereby
+  grants Recipient a non-exclusive, worldwide, royalty-free patent
+  license under Licensed Patents to make, use, sell, offer to sell,
+  import and otherwise transfer the Contribution of such Contributor,
+  if any, in Source Code or other form. This patent license shall
+  apply to the combination of the Contribution and the Program if, at
+  the time the Contribution is added by the Contributor, such addition
+  of the Contribution causes such combination to be covered by the
+  Licensed Patents. The patent license shall not apply to any other
+  combinations which include the Contribution. No hardware per se is
+  licensed hereunder.
+
+  c) Recipient understands that although each Contributor grants the
+  licenses to its Contributions set forth herein, no assurances are
+  provided by any Contributor that the Program does not infringe the
+  patent or other intellectual property rights of any other entity.
+  Each Contributor disclaims any liability to Recipient for claims
+  brought by any other entity based on infringement of intellectual
+  property rights or otherwise. As a condition to exercising the
+  rights and licenses granted hereunder, each Recipient hereby
+  assumes sole responsibility to secure any other intellectual
+  property rights needed, if any. For example, if a third party
+  patent license is required to allow Recipient to Distribute the
+  Program, it is Recipient's responsibility to acquire that license
+  before distributing the Program.
+
+  d) Each Contributor represents that to its knowledge it has
+  sufficient copyright rights in its Contribution, if any, to grant
+  the copyright license set forth in this Agreement.
+
+  e) Notwithstanding the terms of any Secondary License, no
+  Contributor makes additional grants to any Recipient (other than
+  those set forth in this Agreement) as a result of such Recipient's
+  receipt of the Program under the terms of a Secondary License
+  (if permitted under the terms of Section 3).
+
+3. REQUIREMENTS
+
+3.1 If a Contributor Distributes the Program in any form, then:
+
+  a) the Program must also be made available as Source Code, in
+  accordance with section 3.2, and the Contributor must accompany
+  the Program with a statement that the Source Code for the Program
+  is available under this Agreement, and informs Recipients how to
+  obtain it in a reasonable manner on or through a medium customarily
+  used for software exchange; and
+
+  b) the Contributor may Distribute the Program under a license
+  different than this Agreement, provided that such license:
+     i) effectively disclaims on behalf of all other Contributors all
+     warranties and conditions, express and implied, including
+     warranties or conditions of title and non-infringement, and
+     implied warranties or conditions of merchantability and fitness
+     for a particular purpose;
+
+     ii) effectively excludes on behalf of all other Contributors all
+     liability for damages, including direct, indirect, special,
+     incidental and consequential damages, such as lost profits;
+
+     iii) does not attempt to limit or alter the recipients' rights
+     in the Source Code under section 3.2; and
+
+     iv) requires any subsequent distribution of the Program by any
+     party to be under a license that satisfies the requirements
+     of this section 3.
+
+3.2 When the Program is Distributed as Source Code:
+
+  a) it must be made available under this Agreement, or if the
+  Program (i) is combined with other material in a separate file or
+  files made available under a Secondary License, and (ii) the initial
+  Contributor attached to the Source Code the notice described in
+  Exhibit A of this Agreement, then the Program may be made available
+  under the terms of such Secondary Licenses, and
+
+  b) a copy of this Agreement must be included with each copy of
+  the Program.
+
+3.3 Contributors may not remove or alter any copyright, patent,
+trademark, attribution notices, disclaimers of warranty, or limitations
+of liability ("notices") contained within the Program from any copy of
+the Program which they Distribute, provided that Contributors may add
+their own appropriate notices.
+
+4. COMMERCIAL DISTRIBUTION
+
+Commercial distributors of software may accept certain responsibilities
+with respect to end users, business partners and the like. While this
+license is intended to facilitate the commercial use of the Program,
+the Contributor who includes the Program in a commercial product
+offering should do so in a manner which does not create potential
+liability for other Contributors. Therefore, if a Contributor includes
+the Program in a commercial product offering, such Contributor
+("Commercial Contributor") hereby agrees to defend and indemnify every
+other Contributor ("Indemnified Contributor") against any losses,
+damages and costs (collectively "Losses") arising from claims, lawsuits
+and other legal actions brought by a third party against the Indemnified
+Contributor to the extent caused by the acts or omissions of such
+Commercial Contributor in connection with its distribution of the Program
+in a commercial product offering. The obligations in this section do not
+apply to any claims or Losses relating to any actual or alleged
+intellectual property infringement. In order to qualify, an Indemnified
+Contributor must: a) promptly notify the Commercial Contributor in
+writing of such claim, and b) allow the Commercial Contributor to control,
+and cooperate with the Commercial Contributor in, the defense and any
+related settlement negotiations. The Indemnified Contributor may
+participate in any such claim at its own expense.
+
+For example, a Contributor might include the Program in a commercial
+product offering, Product X. That Contributor is then a Commercial
+Contributor. If that Commercial Contributor then makes performance
+claims, or offers warranties related to Product X, those performance
+claims and warranties are such Commercial Contributor's responsibility
+alone. Under this section, the Commercial Contributor would have to
+defend claims against the other Contributors related to those performance
+claims and warranties, and if a court requires any other Contributor to
+pay any damages as a result, the Commercial Contributor must pay
+those damages.
+
+5. NO WARRANTY
+
+EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT
+PERMITTED BY APPLICABLE LAW, THE PROGRAM IS PROVIDED ON AN "AS IS"
+BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
+IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR CONDITIONS OF
+TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
+PURPOSE. Each Recipient is solely responsible for determining the
+appropriateness of using and distributing the Program and assumes all
+risks associated with its exercise of rights under this Agreement,
+including but not limited to the risks and costs of program errors,
+compliance with applicable laws, damage to or loss of data, programs
+or equipment, and unavailability or interruption of operations.
+
+6. DISCLAIMER OF LIABILITY
+
+EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, AND TO THE EXTENT
+PERMITTED BY APPLICABLE LAW, NEITHER RECIPIENT NOR ANY CONTRIBUTORS
+SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION LOST
+PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE
+EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+7. GENERAL
+
+If any provision of this Agreement is invalid or unenforceable under
+applicable law, it shall not affect the validity or enforceability of
+the remainder of the terms of this Agreement, and without further
+action by the parties hereto, such provision shall be reformed to the
+minimum extent necessary to make such provision valid and enforceable.
+
+If Recipient institutes patent litigation against any entity
+(including a cross-claim or counterclaim in a lawsuit) alleging that the
+Program itself (excluding combinations of the Program with other software
+or hardware) infringes such Recipient's patent(s), then such Recipient's
+rights granted under Section 2(b) shall terminate as of the date such
+litigation is filed.
+
+All Recipient's rights under this Agreement shall terminate if it
+fails to comply with any of the material terms or conditions of this
+Agreement and does not cure such failure in a reasonable period of
+time after becoming aware of such noncompliance. If all Recipient's
+rights under this Agreement terminate, Recipient agrees to cease use
+and distribution of the Program as soon as reasonably practicable.
+However, Recipient's obligations under this Agreement and any licenses
+granted by Recipient relating to the Program shall continue and survive.
+
+Everyone is permitted to copy and distribute copies of this Agreement,
+but in order to avoid inconsistency the Agreement is copyrighted and
+may only be modified in the following manner. The Agreement Steward
+reserves the right to publish new versions (including revisions) of
+this Agreement from time to time. No one other than the Agreement
+Steward has the right to modify this Agreement. The Eclipse Foundation
+is the initial Agreement Steward. The Eclipse Foundation may assign the
+responsibility to serve as the Agreement Steward to a suitable separate
+entity. Each new version of the Agreement will be given a distinguishing
+version number. The Program (including Contributions) may always be
+Distributed subject to the version of the Agreement under which it was
+received. In addition, after a new version of the Agreement is published,
+Contributor may elect to Distribute the Program (including its
+Contributions) under the new version.
+
+Except as expressly stated in Sections 2(a) and 2(b) above, Recipient
+receives no rights or licenses to the intellectual property of any
+Contributor under this Agreement, whether expressly, by implication,
+estoppel or otherwise. All rights in the Program not expressly granted
+under this Agreement are reserved. Nothing in this Agreement is intended
+to be enforceable by any entity that is not a Contributor or Recipient.
+No third-party beneficiary rights are created under this Agreement.
+
+Exhibit A - Form of Secondary Licenses Notice
+
+"This Source Code may also be made available under the following
+Secondary Licenses when the conditions for such availability set forth
+in the Eclipse Public License, v. 2.0 are satisfied: {name license(s),
+version(s), and exceptions or additional permissions here}."
+
+  Simply including a copy of this Agreement, including this Exhibit A
+  is not sufficient to license the Source Code under Secondary Licenses.
+
+  If it is not possible or desirable to put the notice in a particular
+  file, then You may include the notice in a location (such as a LICENSE
+  file in a relevant directory) where a recipient would be likely to
+  look for such a notice.
+
+  You may add additional accurate notices of copyright ownership.
diff --git a/poky/meta/lib/bblayers/create.py b/poky/meta/lib/bblayers/create.py
index 6a41fe0..c192316 100644
--- a/poky/meta/lib/bblayers/create.py
+++ b/poky/meta/lib/bblayers/create.py
@@ -53,7 +53,7 @@
         example_template = read_template('example.bb')
         example = os.path.join(layerdir, 'recipes-' + args.examplerecipe, args.examplerecipe)
         bb.utils.mkdirhier(example)
-        with open(os.path.join(example, args.examplerecipe + '.bb'), 'w') as fd:
+        with open(os.path.join(example, args.examplerecipe + '_%s.bb') % args.version, 'w') as fd:
             fd.write(example_template)
 
         logger.plain('Add your new layer with \'bitbake-layers add-layer %s\'' % args.layerdir)
@@ -63,4 +63,5 @@
         parser_create_layer.add_argument('layerdir', help='Layer directory to create')
         parser_create_layer.add_argument('--priority', '-p', default=6, help='Layer directory to create')
         parser_create_layer.add_argument('--example-recipe-name', '-e', dest='examplerecipe', default='example', help='Filename of the example recipe')
+        parser_create_layer.add_argument('--example-recipe-version', '-v', dest='version', default='0.1', help='Version number for the example recipe')
 
diff --git a/poky/meta/lib/oeqa/core/decorator/__init__.py b/poky/meta/lib/oeqa/core/decorator/__init__.py
index 855b6b9..14d7bfc 100644
--- a/poky/meta/lib/oeqa/core/decorator/__init__.py
+++ b/poky/meta/lib/oeqa/core/decorator/__init__.py
@@ -2,15 +2,15 @@
 # Released under the MIT license (see COPYING.MIT)
 
 from functools import wraps
-from abc import abstractmethod
+from abc import abstractmethod, ABCMeta
 
 decoratorClasses = set()
 
-def registerDecorator(obj):
-    decoratorClasses.add(obj)
-    return obj
+def registerDecorator(cls):
+    decoratorClasses.add(cls)
+    return cls
 
-class OETestDecorator(object):
+class OETestDecorator(object, metaclass=ABCMeta):
     case = None # Reference of OETestCase decorated
     attrs = None # Attributes to be loaded by decorator implementation
 
diff --git a/poky/meta/lib/oeqa/core/decorator/data.py b/poky/meta/lib/oeqa/core/decorator/data.py
index ff7bdd9..31c6dd6 100644
--- a/poky/meta/lib/oeqa/core/decorator/data.py
+++ b/poky/meta/lib/oeqa/core/decorator/data.py
@@ -61,10 +61,10 @@
 
     attrs = ('var', 'value', 'msg')
     def setUpDecorator(self):
-        msg = ('Checking if %r value is in %r to run '
+        msg = ('Checking if %r value contains %r to run '
               'the test' % (self.var, self.value))
         self.logger.debug(msg)
-        if not self.value in self.case.td.get(self.var):
+        if not self.value in (self.case.td.get(self.var) or ""):
             self.case.skipTest(self.msg)
 
 @registerDecorator
diff --git a/poky/meta/lib/oeqa/core/loader.py b/poky/meta/lib/oeqa/core/loader.py
index a4744de..98fc0f6 100644
--- a/poky/meta/lib/oeqa/core/loader.py
+++ b/poky/meta/lib/oeqa/core/loader.py
@@ -155,7 +155,16 @@
         class_name = case.__class__.__name__
         test_name = case._testMethodName
 
-        if self.modules:
+        # 'auto' is a reserved key word to run test cases automatically
+        # warn users if their test case belong to a module named 'auto'
+        if module_name_small == "auto":
+            bb.warn("'auto' is a reserved key word for TEST_SUITES. "
+                    "But test case '%s' is detected to belong to auto module. "
+                    "Please condier using a new name for your module." % str(case))
+
+        # check if case belongs to any specified module
+        # if 'auto' is specified, such check is skipped
+        if self.modules and not 'auto' in self.modules:
             module = None
             try:
                 module = self.modules[module_name_small]
@@ -245,7 +254,7 @@
         for tcName in testCaseNames:
             case = self._getTestCase(testCaseClass, tcName)
             # Filer by case id
-            if not (self.tests and not 'all' in self.tests
+            if not (self.tests and not 'auto' in self.tests
                     and not getCaseID(case) in self.tests):
                 self._handleTestCaseDecorators(case)
 
@@ -309,14 +318,14 @@
         module_name = module.__name__
 
         # Normal test modules are loaded if no modules were specified,
-        # if module is in the specified module list or if 'all' is in
+        # if module is in the specified module list or if 'auto' is in
         # module list.
         # Underscore modules are loaded only if specified in module list.
         load_module = True if not module_name.startswith('_') \
                               and (not self.modules \
                                    or module_name in self.modules \
                                    or module_name_small in self.modules \
-                                   or 'all' in self.modules) \
+                                   or 'auto' in self.modules) \
                            else False
 
         load_underscore = True if module_name.startswith('_') \
diff --git a/poky/meta/lib/oeqa/core/target/ssh.py b/poky/meta/lib/oeqa/core/target/ssh.py
index 151b99a..8ff1f6c 100644
--- a/poky/meta/lib/oeqa/core/target/ssh.py
+++ b/poky/meta/lib/oeqa/core/target/ssh.py
@@ -208,7 +208,7 @@
                 try:
                     if select.select([process.stdout], [], [], 5)[0] != []:
                         reader = codecs.getreader('utf-8')(process.stdout)
-                        data = reader.read(1024, 1024)
+                        data = reader.read(1024, 4096)
                         if not data:
                             process.stdout.close()
                             eof = True
diff --git a/poky/meta/lib/oeqa/runtime/cases/multilib.py b/poky/meta/lib/oeqa/runtime/cases/multilib.py
index 8c167f1..8902038 100644
--- a/poky/meta/lib/oeqa/runtime/cases/multilib.py
+++ b/poky/meta/lib/oeqa/runtime/cases/multilib.py
@@ -27,6 +27,8 @@
     @skipIfNotInDataVar('MULTILIBS', 'multilib:lib32',
                         "This isn't a multilib:lib32 image")
     @OETestDepends(['ssh.SSHTest.test_ssh'])
+    @OEHasPackage(['binutils'])
+    @OEHasPackage(['lib32-libc6'])
     def test_check_multilib_libc(self):
         """
         Check that a multilib image has both 32-bit and 64-bit libc in.
@@ -36,6 +38,6 @@
 
     @OETestID(279)
     @OETestDepends(['multilib.MultilibTest.test_check_multilib_libc'])
-    @OEHasPackage(['lib32-connman'])
+    @OEHasPackage(['lib32-connman', '!connman'])
     def test_file_connman(self):
         self.archtest("/usr/sbin/connmand", "ELF32")
diff --git a/poky/meta/lib/oeqa/runtime/cases/rpm.py b/poky/meta/lib/oeqa/runtime/cases/rpm.py
index 05b94c7..84c59a6 100644
--- a/poky/meta/lib/oeqa/runtime/cases/rpm.py
+++ b/poky/meta/lib/oeqa/runtime/cases/rpm.py
@@ -16,6 +16,7 @@
             cls.skipTest('Tests require image to be build from rpm')
 
     @OETestID(960)
+    @OEHasPackage(['rpm'])
     @OETestDepends(['ssh.SSHTest.test_ssh'])
     def test_rpm_help(self):
         status, output = self.target.run('rpm --help')
diff --git a/poky/meta/recipes-bsp/pcmciautils/pcmciautils.inc b/poky/meta/recipes-bsp/pcmciautils/pcmciautils.inc
index 0524980..26c6d75 100644
--- a/poky/meta/recipes-bsp/pcmciautils/pcmciautils.inc
+++ b/poky/meta/recipes-bsp/pcmciautils/pcmciautils.inc
@@ -5,7 +5,7 @@
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
 
-DEPENDS = "udev sysfsutils flex-native"
+DEPENDS = "udev sysfsutils flex-native bison-native"
 RDEPENDS_${PN} = "udev module-init-tools"
 
 SRC_URI = "${KERNELORG_MIRROR}/linux/utils/kernel/pcmcia/${BP}.tar.xz"
diff --git a/poky/meta/recipes-bsp/u-boot/files/0001-efi_loader-avoid-make-race-condition.patch b/poky/meta/recipes-bsp/u-boot/files/0001-efi_loader-avoid-make-race-condition.patch
new file mode 100644
index 0000000..da7e27c
--- /dev/null
+++ b/poky/meta/recipes-bsp/u-boot/files/0001-efi_loader-avoid-make-race-condition.patch
@@ -0,0 +1,51 @@
+From 5c2e24a9ed54dfee77d1844a080e998b4affe916 Mon Sep 17 00:00:00 2001
+From: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Date: Sat, 2 Jun 2018 19:00:41 +0200
+Subject: [PATCH] efi_loader: avoid make race condition
+
+When U-Boot is built with 'make -j' there is not guarantee that targets in
+directory arch/ are built before targets in directory lib/. The current
+build instruction for EFI binaries in lib/ rely on dependencies in arch/.
+If $(EFI_CRT0) or $(EFI_RELOC) is not yet built before trying to build
+%.efi an error
+    *** No rule to make target '%.efi'
+occurs.
+
+With the patch separate copies of $(EFI_CRT0) and $(EFI_RELOC) named
+efi_crt0.o and efi_reloc.o are built in lib/efi_loader and
+lib/efi_selftest.
+
+Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Signed-off-by: Alexander Graf <agraf@suse.de>
+
+Upstream-Status: Backport from 2018.07
+
+Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
+---
+ scripts/Makefile.lib | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
+index 8f19b2db56..f2f398c935 100644
+--- a/scripts/Makefile.lib
++++ b/scripts/Makefile.lib
+@@ -404,8 +404,14 @@ cmd_efi_ld = $(LD) -nostdlib -znocombreloc -T $(EFI_LDS_PATH) -shared \
+ 
+ EFI_LDS_PATH = $(srctree)/arch/$(ARCH)/lib/$(EFI_LDS)
+ 
+-$(obj)/%_efi.so: $(obj)/%.o arch/$(ARCH)/lib/$(EFI_CRT0) \
+-		arch/$(ARCH)/lib/$(EFI_RELOC)
++$(obj)/efi_crt0.o: $(srctree)/arch/$(ARCH)/lib/$(EFI_CRT0:.o=.S)
++	$(call if_changed_dep,as_o_S)
++
++$(obj)/efi_reloc.o: $(srctree)/arch/$(ARCH)/lib/$(EFI_RELOC:.o=.c) $(recordmcount_source) FORCE
++	$(call cmd,force_checksrc)
++	$(call if_changed_rule,cc_o_c)
++
++$(obj)/%_efi.so: $(obj)/%.o $(obj)/efi_crt0.o $(obj)/efi_reloc.o
+ 	$(call cmd,efi_ld)
+ 
+ # ACPI
+-- 
+2.17.1
+
diff --git a/poky/meta/recipes-bsp/u-boot/u-boot-common_2018.01.inc b/poky/meta/recipes-bsp/u-boot/u-boot-common_2018.01.inc
index d2073ea..11b82b7 100644
--- a/poky/meta/recipes-bsp/u-boot/u-boot-common_2018.01.inc
+++ b/poky/meta/recipes-bsp/u-boot/u-boot-common_2018.01.inc
@@ -11,6 +11,7 @@
 
 SRC_URI = "git://git.denx.de/u-boot.git \
     file://MPC8315ERDB-enable-DHCP.patch \
+    file://0001-efi_loader-avoid-make-race-condition.patch \
 "
 
 S = "${WORKDIR}/git"
diff --git a/poky/meta/recipes-bsp/u-boot/u-boot.inc b/poky/meta/recipes-bsp/u-boot/u-boot.inc
index c2bcf99..95c2f4d 100644
--- a/poky/meta/recipes-bsp/u-boot/u-boot.inc
+++ b/poky/meta/recipes-bsp/u-boot/u-boot.inc
@@ -7,8 +7,11 @@
 
 inherit uboot-config uboot-extlinux-config uboot-sign deploy
 
+DEPENDS += "swig-native python-native"
+
 EXTRA_OEMAKE = 'CROSS_COMPILE=${TARGET_PREFIX} CC="${TARGET_PREFIX}gcc ${TOOLCHAIN_OPTIONS}" V=1'
 EXTRA_OEMAKE += 'HOSTCC="${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_LDFLAGS}"'
+EXTRA_OEMAKE += 'PYTHON=nativepython STAGING_INCDIR=${STAGING_INCDIR_NATIVE} STAGING_LIBDIR=${STAGING_LIBDIR_NATIVE}'
 
 PACKAGECONFIG ??= "openssl"
 # u-boot will compile its own tools during the build, with specific
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch
deleted file mode 100644
index 436520f..0000000
--- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple.patch
+++ /dev/null
@@ -1,1025 +0,0 @@
-The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
-result in unauthenticated clients gaining access to the network.
-
-Backport a number of patches from upstream to fix this.
-
-CVE: CVE-2017-13077
-CVE: CVE-2017-13078
-CVE: CVE-2017-13079
-CVE: CVE-2017-13080
-CVE: CVE-2017-13081
-CVE: CVE-2017-13082
-CVE: CVE-2017-13086
-CVE: CVE-2017-13087
-CVE: CVE-2017-13088
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 14 Jul 2017 15:15:35 +0200
-Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
-
-Do not reinstall TK to the driver during Reassociation Response frame
-processing if the first attempt of setting the TK succeeded. This avoids
-issues related to clearing the TX/RX PN that could result in reusing
-same PN values for transmitted frames (e.g., due to CCM nonce reuse and
-also hitting replay protection on the receiver) and accepting replayed
-frames on RX side.
-
-This issue was introduced by the commit
-0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
-authenticator') which allowed wpa_ft_install_ptk() to be called multiple
-times with the same PTK. While the second configuration attempt is
-needed with some drivers, it must be done only if the first attempt
-failed.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/ap/ieee802_11.c  | 16 +++++++++++++---
- src/ap/wpa_auth.c    | 11 +++++++++++
- src/ap/wpa_auth.h    |  3 ++-
- src/ap/wpa_auth_ft.c | 10 ++++++++++
- src/ap/wpa_auth_i.h  |  1 +
- 5 files changed, 37 insertions(+), 4 deletions(-)
-
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index 4e04169..333035f 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
- {
- 	struct ieee80211_ht_capabilities ht_cap;
- 	struct ieee80211_vht_capabilities vht_cap;
-+	int set = 1;
- 
- 	/*
- 	 * Remove the STA entry to ensure the STA PS state gets cleared and
-@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd,
- 	 * FT-over-the-DS, where a station re-associates back to the same AP but
- 	 * skips the authentication flow, or if working with a driver that
- 	 * does not support full AP client state.
-+	 *
-+	 * Skip this if the STA has already completed FT reassociation and the
-+	 * TK has been configured since the TX/RX PN must not be reset to 0 for
-+	 * the same key.
- 	 */
--	if (!sta->added_unassoc)
-+	if (!sta->added_unassoc &&
-+	    (!(sta->flags & WLAN_STA_AUTHORIZED) ||
-+	     !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
- 		hostapd_drv_sta_remove(hapd, sta->addr);
-+		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
-+		set = 0;
-+	}
- 
- #ifdef CONFIG_IEEE80211N
- 	if (sta->flags & WLAN_STA_HT)
-@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd,
- 			    sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
- 			    sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
- 			    sta->vht_opmode, sta->p2p_ie ? 1 : 0,
--			    sta->added_unassoc)) {
-+			    set)) {
- 		hostapd_logger(hapd, sta->addr,
- 			       HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
- 			       "Could not %s STA to kernel driver",
--			       sta->added_unassoc ? "set" : "add");
-+			       set ? "set" : "add");
- 
- 		if (sta->added_unassoc) {
- 			hostapd_drv_sta_remove(hapd, sta->addr);
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index 3587086..707971d 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
- #else /* CONFIG_IEEE80211R */
- 		break;
- #endif /* CONFIG_IEEE80211R */
-+	case WPA_DRV_STA_REMOVED:
-+		sm->tk_already_set = FALSE;
-+		return 0;
- 	}
- 
- #ifdef CONFIG_IEEE80211R
-@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
- }
- 
- 
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
-+{
-+	if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
-+		return 0;
-+	return sm->tk_already_set;
-+}
-+
-+
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- 			     struct rsn_pmksa_cache_entry *entry)
- {
-diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
-index 0de8d97..97461b0 100644
---- a/src/ap/wpa_auth.h
-+++ b/src/ap/wpa_auth.h
-@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
- 		 u8 *data, size_t data_len);
- enum wpa_event {
- 	WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
--	WPA_REAUTH_EAPOL, WPA_ASSOC_FT
-+	WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED
- };
- void wpa_remove_ptk(struct wpa_state_machine *sm);
- int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
-@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
- int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
- int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
- int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- 			     struct rsn_pmksa_cache_entry *entry);
- struct rsn_pmksa_cache_entry *
-diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
-index 42242a5..e63b99a 100644
---- a/src/ap/wpa_auth_ft.c
-+++ b/src/ap/wpa_auth_ft.c
-@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
- 		return;
- 	}
- 
-+	if (sm->tk_already_set) {
-+		/* Must avoid TK reconfiguration to prevent clearing of TX/RX
-+		 * PN in the driver */
-+		wpa_printf(MSG_DEBUG,
-+			   "FT: Do not re-install same PTK to the driver");
-+		return;
-+	}
-+
- 	/* FIX: add STA entry to kernel/driver here? The set_key will fail
- 	 * most likely without this.. At the moment, STA entry is added only
- 	 * after association has been completed. This function will be called
-@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
- 
- 	/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
- 	sm->pairwise_set = TRUE;
-+	sm->tk_already_set = TRUE;
- }
- 
- 
-@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
- 
- 	sm->pairwise = pairwise;
- 	sm->PTK_valid = TRUE;
-+	sm->tk_already_set = FALSE;
- 	wpa_ft_install_ptk(sm);
- 
- 	buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
-diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
-index 72b7eb3..7fd8f05 100644
---- a/src/ap/wpa_auth_i.h
-+++ b/src/ap/wpa_auth_i.h
-@@ -65,6 +65,7 @@ struct wpa_state_machine {
- 	struct wpa_ptk PTK;
- 	Boolean PTK_valid;
- 	Boolean pairwise_set;
-+	Boolean tk_already_set;
- 	int keycount;
- 	Boolean Pair;
- 	struct wpa_key_replay_counter {
--- 
-2.7.4
-
-From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Wed, 12 Jul 2017 16:03:24 +0200
-Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
-
-Track the current GTK and IGTK that is in use and when receiving a
-(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
-not install the given key if it is already in use. This prevents an
-attacker from trying to trick the client into resetting or lowering the
-sequence counter associated to the group key.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h |  11 +++++
- src/rsn_supp/wpa.c      | 116 ++++++++++++++++++++++++++++++------------------
- src/rsn_supp/wpa_i.h    |   4 ++
- 3 files changed, 87 insertions(+), 44 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index af1d0f0..d200285 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -217,6 +217,17 @@ struct wpa_ptk {
- 	size_t tk_len;
- };
- 
-+struct wpa_gtk {
-+	u8 gtk[WPA_GTK_MAX_LEN];
-+	size_t gtk_len;
-+};
-+
-+#ifdef CONFIG_IEEE80211W
-+struct wpa_igtk {
-+	u8 igtk[WPA_IGTK_MAX_LEN];
-+	size_t igtk_len;
-+};
-+#endif /* CONFIG_IEEE80211W */
- 
- /* WPA IE version 1
-  * 00-50-f2:1 (OUI:OUI type)
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 3c47879..95bd7be 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- 	const u8 *_gtk = gd->gtk;
- 	u8 gtk_buf[32];
- 
-+	/* Detect possible key reinstallation */
-+	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
-+			gd->keyidx, gd->tx, gd->gtk_len);
-+		return 0;
-+	}
-+
- 	wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
- 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- 		"WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
-@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- 	}
- 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
- 
-+	sm->gtk.gtk_len = gd->gtk_len;
-+	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+
- 	return 0;
- }
- 
-@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- }
- 
- 
-+#ifdef CONFIG_IEEE80211W
-+static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
-+				       const struct wpa_igtk_kde *igtk)
-+{
-+	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
-+	u16 keyidx = WPA_GET_LE16(igtk->keyid);
-+
-+	/* Detect possible key reinstallation */
-+	if (sm->igtk.igtk_len == len &&
-+	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
-+			keyidx);
-+		return  0;
-+	}
-+
-+	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+		"WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
-+		keyidx, MAC2STR(igtk->pn));
-+	wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
-+	if (keyidx > 4095) {
-+		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+			"WPA: Invalid IGTK KeyID %d", keyidx);
-+		return -1;
-+	}
-+	if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-+			   broadcast_ether_addr,
-+			   keyidx, 0, igtk->pn, sizeof(igtk->pn),
-+			   igtk->igtk, len) < 0) {
-+		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+			"WPA: Failed to configure IGTK to the driver");
-+		return -1;
-+	}
-+
-+	sm->igtk.igtk_len = len;
-+	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+
-+	return 0;
-+}
-+#endif /* CONFIG_IEEE80211W */
-+
-+
- static int ieee80211w_set_keys(struct wpa_sm *sm,
- 			       struct wpa_eapol_ie_parse *ie)
- {
-@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- 	if (ie->igtk) {
- 		size_t len;
- 		const struct wpa_igtk_kde *igtk;
--		u16 keyidx;
-+
- 		len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- 		if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
- 			return -1;
-+
- 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
--		keyidx = WPA_GET_LE16(igtk->keyid);
--		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
--			"pn %02x%02x%02x%02x%02x%02x",
--			keyidx, MAC2STR(igtk->pn));
--		wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
--				igtk->igtk, len);
--		if (keyidx > 4095) {
--			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
--				"WPA: Invalid IGTK KeyID %d", keyidx);
--			return -1;
--		}
--		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
--				   broadcast_ether_addr,
--				   keyidx, 0, igtk->pn, sizeof(igtk->pn),
--				   igtk->igtk, len) < 0) {
--			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
--				"WPA: Failed to configure IGTK to the driver");
-+		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- 			return -1;
--		}
- 	}
- 
- 	return 0;
-@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
-  */
- void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- {
--	int clear_ptk = 1;
-+	int clear_keys = 1;
- 
- 	if (sm == NULL)
- 		return;
-@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- 		/* Prepare for the next transition */
- 		wpa_ft_prepare_auth_request(sm, NULL);
- 
--		clear_ptk = 0;
-+		clear_keys = 0;
- 	}
- #endif /* CONFIG_IEEE80211R */
- 
--	if (clear_ptk) {
-+	if (clear_keys) {
- 		/*
- 		 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
- 		 * this is not part of a Fast BSS Transition.
-@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- 		os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- 		sm->tptk_set = 0;
- 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- 	}
- 
- #ifdef CONFIG_TDLS
-@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- 	os_memset(sm->pmk, 0, sizeof(sm->pmk));
- 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
- 	os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
-@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- 		os_memset(&gd, 0, sizeof(gd));
- #ifdef CONFIG_IEEE80211W
- 	} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
--		struct wpa_igtk_kde igd;
--		u16 keyidx;
--
--		os_memset(&igd, 0, sizeof(igd));
--		keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
--		os_memcpy(igd.keyid, buf + 2, 2);
--		os_memcpy(igd.pn, buf + 4, 6);
--
--		keyidx = WPA_GET_LE16(igd.keyid);
--		os_memcpy(igd.igtk, buf + 10, keylen);
--
--		wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
--				igd.igtk, keylen);
--		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
--				   broadcast_ether_addr,
--				   keyidx, 0, igd.pn, sizeof(igd.pn),
--				   igd.igtk, keylen) < 0) {
--			wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
--				   "WNM mode");
--			os_memset(&igd, 0, sizeof(igd));
-+		const struct wpa_igtk_kde *igtk;
-+
-+		igtk = (const struct wpa_igtk_kde *) (buf + 2);
-+		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- 			return -1;
--		}
--		os_memset(&igd, 0, sizeof(igd));
- #endif /* CONFIG_IEEE80211W */
- 	} else {
- 		wpa_printf(MSG_DEBUG, "Unknown element id");
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index f653ba6..afc9e37 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -31,6 +31,10 @@ struct wpa_sm {
- 	u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
- 	int rx_replay_counter_set;
- 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
-+	struct wpa_gtk gtk;
-+#ifdef CONFIG_IEEE80211W
-+	struct wpa_igtk igtk;
-+#endif /* CONFIG_IEEE80211W */
- 
- 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
- 
--- 
-2.7.4
-
-From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:12:24 +0300
-Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
- Mode cases
-
-This extends the protection to track last configured GTK/IGTK value
-separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
-corner case where these two different mechanisms may get used when the
-GTK/IGTK has changed and tracking a single value is not sufficient to
-detect a possible key reconfiguration.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c   | 53 +++++++++++++++++++++++++++++++++++++---------------
- src/rsn_supp/wpa_i.h |  2 ++
- 2 files changed, 40 insertions(+), 15 deletions(-)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 95bd7be..7a2c68d 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -709,14 +709,17 @@ struct wpa_gtk_data {
- 
- static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- 				      const struct wpa_gtk_data *gd,
--				      const u8 *key_rsc)
-+				      const u8 *key_rsc, int wnm_sleep)
- {
- 	const u8 *_gtk = gd->gtk;
- 	u8 gtk_buf[32];
- 
- 	/* Detect possible key reinstallation */
--	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
--	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+	if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+	     os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
-+	    (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
-+	     os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+		       sm->gtk_wnm_sleep.gtk_len) == 0)) {
- 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- 			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
- 			gd->keyidx, gd->tx, gd->gtk_len);
-@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- 	}
- 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
- 
--	sm->gtk.gtk_len = gd->gtk_len;
--	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+	if (wnm_sleep) {
-+		sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
-+		os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+			  sm->gtk_wnm_sleep.gtk_len);
-+	} else {
-+		sm->gtk.gtk_len = gd->gtk_len;
-+		os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+	}
- 
- 	return 0;
- }
-@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- 	    (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
- 					       gtk_len, gtk_len,
- 					       &gd.key_rsc_len, &gd.alg) ||
--	     wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
-+	     wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
- 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- 			"RSN: Failed to install GTK");
- 		os_memset(&gd, 0, sizeof(gd));
-@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- 
- #ifdef CONFIG_IEEE80211W
- static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
--				       const struct wpa_igtk_kde *igtk)
-+				       const struct wpa_igtk_kde *igtk,
-+				       int wnm_sleep)
- {
- 	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- 	u16 keyidx = WPA_GET_LE16(igtk->keyid);
- 
- 	/* Detect possible key reinstallation */
--	if (sm->igtk.igtk_len == len &&
--	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+	if ((sm->igtk.igtk_len == len &&
-+	     os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
-+	    (sm->igtk_wnm_sleep.igtk_len == len &&
-+	     os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+		       sm->igtk_wnm_sleep.igtk_len) == 0)) {
- 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- 			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
- 			keyidx);
-@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
- 		return -1;
- 	}
- 
--	sm->igtk.igtk_len = len;
--	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+	if (wnm_sleep) {
-+		sm->igtk_wnm_sleep.igtk_len = len;
-+		os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+			  sm->igtk_wnm_sleep.igtk_len);
-+	} else {
-+		sm->igtk.igtk_len = len;
-+		os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+	}
- 
- 	return 0;
- }
-@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- 			return -1;
- 
- 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
--		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+		if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
- 			return -1;
- 	}
- 
-@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
- 	if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
- 		key_rsc = null_rsc;
- 
--	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
-+	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
- 	    wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
- 		goto failed;
- 	os_memset(&gd, 0, sizeof(gd));
-@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- 		sm->tptk_set = 0;
- 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- 		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+		os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- 		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+		os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- 	}
- 
-@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- 	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+	os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- 	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+	os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
-@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- 
- 		wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
- 				gd.gtk, gd.gtk_len);
--		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
-+		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
- 			os_memset(&gd, 0, sizeof(gd));
- 			wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
- 				   "WNM mode");
-@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- 		const struct wpa_igtk_kde *igtk;
- 
- 		igtk = (const struct wpa_igtk_kde *) (buf + 2);
--		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+		if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
- 			return -1;
- #endif /* CONFIG_IEEE80211W */
- 	} else {
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index afc9e37..9a54631 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -32,8 +32,10 @@ struct wpa_sm {
- 	int rx_replay_counter_set;
- 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
- 	struct wpa_gtk gtk;
-+	struct wpa_gtk gtk_wnm_sleep;
- #ifdef CONFIG_IEEE80211W
- 	struct wpa_igtk igtk;
-+	struct wpa_igtk igtk_wnm_sleep;
- #endif /* CONFIG_IEEE80211W */
- 
- 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
--- 
-2.7.4
-
-From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 29 Sep 2017 04:22:51 +0200
-Subject: [PATCH 4/8] Prevent installation of an all-zero TK
-
-Properly track whether a PTK has already been installed to the driver
-and the TK part cleared from memory. This prevents an attacker from
-trying to trick the client into installing an all-zero TK.
-
-This fixes the earlier fix in commit
-ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
-driver in EAPOL-Key 3/4 retry case') which did not take into account
-possibility of an extra message 1/4 showing up between retries of
-message 3/4.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h | 1 +
- src/rsn_supp/wpa.c      | 5 ++---
- src/rsn_supp/wpa_i.h    | 1 -
- 3 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index d200285..1021ccb 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -215,6 +215,7 @@ struct wpa_ptk {
- 	size_t kck_len;
- 	size_t kek_len;
- 	size_t tk_len;
-+	int installed; /* 1 if key has already been installed to driver */
- };
- 
- struct wpa_gtk {
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 7a2c68d..0550a41 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
- 		os_memset(buf, 0, sizeof(buf));
- 	}
- 	sm->tptk_set = 1;
--	sm->tk_to_set = 1;
- 
- 	kde = sm->assoc_wpa_ie;
- 	kde_len = sm->assoc_wpa_ie_len;
-@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
- 	enum wpa_alg alg;
- 	const u8 *key_rsc;
- 
--	if (!sm->tk_to_set) {
-+	if (sm->ptk.installed) {
- 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- 			"WPA: Do not re-install same PTK to the driver");
- 		return 0;
-@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
- 
- 	/* TK is not needed anymore in supplicant */
- 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
--	sm->tk_to_set = 0;
-+	sm->ptk.installed = 1;
- 
- 	if (sm->wpa_ptk_rekey) {
- 		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 9a54631..41f371f 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -24,7 +24,6 @@ struct wpa_sm {
- 	struct wpa_ptk ptk, tptk;
- 	int ptk_set, tptk_set;
- 	unsigned int msg_3_of_4_ok:1;
--	unsigned int tk_to_set:1;
- 	u8 snonce[WPA_NONCE_LEN];
- 	u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
- 	int renew_snonce;
--- 
-2.7.4
-
-From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:32:57 +0300
-Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce
-
-The Authenticator state machine path for PTK rekeying ended up bypassing
-the AUTHENTICATION2 state where a new ANonce is generated when going
-directly to the PTKSTART state since there is no need to try to
-determine the PMK again in such a case. This is far from ideal since the
-new PTK would depend on a new nonce only from the supplicant.
-
-Fix this by generating a new ANonce when moving to the PTKSTART state
-for the purpose of starting new 4-way handshake to rekey PTK.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/wpa_auth.c | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
-
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index 707971d..bf10cc1 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
- }
- 
- 
-+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
-+{
-+	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
-+		wpa_printf(MSG_ERROR,
-+			   "WPA: Failed to get random data for ANonce");
-+		sm->Disconnect = TRUE;
-+		return -1;
-+	}
-+	wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
-+		    WPA_NONCE_LEN);
-+	sm->TimeoutCtr = 0;
-+	return 0;
-+}
-+
-+
- SM_STATE(WPA_PTK, INITPMK)
- {
- 	u8 msk[2 * PMK_LEN];
-@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK)
- 		SM_ENTER(WPA_PTK, AUTHENTICATION);
- 	else if (sm->ReAuthenticationRequest)
- 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
--	else if (sm->PTKRequest)
--		SM_ENTER(WPA_PTK, PTKSTART);
--	else switch (sm->wpa_ptk_state) {
-+	else if (sm->PTKRequest) {
-+		if (wpa_auth_sm_ptk_update(sm) < 0)
-+			SM_ENTER(WPA_PTK, DISCONNECTED);
-+		else
-+			SM_ENTER(WPA_PTK, PTKSTART);
-+	} else switch (sm->wpa_ptk_state) {
- 	case WPA_PTK_INITIALIZE:
- 		break;
- 	case WPA_PTK_DISCONNECT:
--- 
-2.7.4
-
-From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:03:15 +0300
-Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
-
-Do not try to reconfigure the same TPK-TK to the driver after it has
-been successfully configured. This is an explicit check to avoid issues
-related to resetting the TX/RX packet number. There was already a check
-for this for TPK M2 (retries of that message are ignored completely), so
-that behavior does not get modified.
-
-For TPK M3, the TPK-TK could have been reconfigured, but that was
-followed by immediate teardown of the link due to an issue in updating
-the STA entry. Furthermore, for TDLS with any real security (i.e.,
-ignoring open/WEP), the TPK message exchange is protected on the AP path
-and simple replay attacks are not feasible.
-
-As an additional corner case, make sure the local nonce gets updated if
-the peer uses a very unlikely "random nonce" of all zeros.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
- 1 file changed, 36 insertions(+), 2 deletions(-)
-
-diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
-index e424168..9eb9738 100644
---- a/src/rsn_supp/tdls.c
-+++ b/src/rsn_supp/tdls.c
-@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
- 		u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
- 	} tpk;
- 	int tpk_set;
-+	int tk_set; /* TPK-TK configured to the driver */
- 	int tpk_success;
- 	int tpk_in_progress;
- 
-@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- 	u8 rsc[6];
- 	enum wpa_alg alg;
- 
-+	if (peer->tk_set) {
-+		/*
-+		 * This same TPK-TK has already been configured to the driver
-+		 * and this new configuration attempt (likely due to an
-+		 * unexpected retransmitted frame) would result in clearing
-+		 * the TX/RX sequence number which can break security, so must
-+		 * not allow that to happen.
-+		 */
-+		wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
-+			   " has already been configured to the driver - do not reconfigure",
-+			   MAC2STR(peer->addr));
-+		return -1;
-+	}
-+
- 	os_memset(rsc, 0, 6);
- 
- 	switch (peer->cipher) {
-@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- 		return -1;
- 	}
- 
-+	wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
-+		   MAC2STR(peer->addr));
- 	if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
- 			   rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
- 		wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
- 			   "driver");
- 		return -1;
- 	}
-+	peer->tk_set = 1;
- 	return 0;
- }
- 
-@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- 	peer->cipher = 0;
- 	peer->qos_info = 0;
- 	peer->wmm_capable = 0;
--	peer->tpk_set = peer->tpk_success = 0;
-+	peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
- 	peer->chan_switch_enabled = 0;
- 	os_memset(&peer->tpk, 0, sizeof(peer->tpk));
- 	os_memset(peer->inonce, 0, WPA_NONCE_LEN);
-@@ -1159,6 +1177,7 @@ skip_rsnie:
- 		wpa_tdls_peer_free(sm, peer);
- 		return -1;
- 	}
-+	peer->tk_set = 0; /* A new nonce results in a new TK */
- 	wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
- 		    peer->inonce, WPA_NONCE_LEN);
- 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
-@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
- }
- 
- 
-+static int tdls_nonce_set(const u8 *nonce)
-+{
-+	int i;
-+
-+	for (i = 0; i < WPA_NONCE_LEN; i++) {
-+		if (nonce[i])
-+			return 1;
-+	}
-+
-+	return 0;
-+}
-+
-+
- static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
- 				   const u8 *buf, size_t len)
- {
-@@ -2004,7 +2036,8 @@ skip_rsn:
- 	peer->rsnie_i_len = kde.rsn_ie_len;
- 	peer->cipher = cipher;
- 
--	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
-+	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
-+	    !tdls_nonce_set(peer->inonce)) {
- 		/*
- 		 * There is no point in updating the RNonce for every obtained
- 		 * TPK M1 frame (e.g., retransmission due to timeout) with the
-@@ -2020,6 +2053,7 @@ skip_rsn:
- 				"TDLS: Failed to get random data for responder nonce");
- 			goto error;
- 		}
-+		peer->tk_set = 0; /* A new nonce results in a new TK */
- 	}
- 
- #if 0
--- 
-2.7.4
-
-From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:25:02 +0300
-Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending
- request
-
-Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
-Mode Response if WNM-Sleep Mode has not been used') started ignoring the
-response when no WNM-Sleep Mode Request had been used during the
-association. This can be made tighter by clearing the used flag when
-successfully processing a response. This adds an additional layer of
-protection against unexpected retransmissions of the response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- wpa_supplicant/wnm_sta.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
-index 1b3409c..67a07ff 100644
---- a/wpa_supplicant/wnm_sta.c
-+++ b/wpa_supplicant/wnm_sta.c
-@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
- 
- 	if (!wpa_s->wnmsleep_used) {
- 		wpa_printf(MSG_DEBUG,
--			   "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
-+			   "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
- 		return;
- 	}
- 
-@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
- 		return;
- 	}
- 
-+	wpa_s->wnmsleep_used = 0;
-+
- 	if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
- 	    wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
- 		wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "
--- 
-2.7.4
-
-From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 12:06:37 +0300
-Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
-
-The driver is expected to not report a second association event without
-the station having explicitly request a new association. As such, this
-case should not be reachable. However, since reconfiguring the same
-pairwise or group keys to the driver could result in nonce reuse issues,
-be extra careful here and do an additional state check to avoid this
-even if the local driver ends up somehow accepting an unexpected
-Reassociation Response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c    | 3 +++
- src/rsn_supp/wpa_ft.c | 8 ++++++++
- src/rsn_supp/wpa_i.h  | 1 +
- 3 files changed, 12 insertions(+)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 0550a41..2a53c6f 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
- #ifdef CONFIG_TDLS
- 	wpa_tdls_disassoc(sm);
- #endif /* CONFIG_TDLS */
-+#ifdef CONFIG_IEEE80211R
-+	sm->ft_reassoc_completed = 0;
-+#endif /* CONFIG_IEEE80211R */
- 
- 	/* Keys are not needed in the WPA state machine anymore */
- 	wpa_sm_drop_sa(sm);
-diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
-index 205793e..d45bb45 100644
---- a/src/rsn_supp/wpa_ft.c
-+++ b/src/rsn_supp/wpa_ft.c
-@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
- 	u16 capab;
- 
- 	sm->ft_completed = 0;
-+	sm->ft_reassoc_completed = 0;
- 
- 	buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
- 		2 + sm->r0kh_id_len + ric_ies_len + 100;
-@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- 		return -1;
- 	}
- 
-+	if (sm->ft_reassoc_completed) {
-+		wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
-+		return 0;
-+	}
-+
- 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
- 		wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
- 		return -1;
-@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- 		return -1;
- 	}
- 
-+	sm->ft_reassoc_completed = 1;
-+
- 	if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
- 		return -1;
- 
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 41f371f..56f88dc 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -128,6 +128,7 @@ struct wpa_sm {
- 	size_t r0kh_id_len;
- 	u8 r1kh_id[FT_R1KH_ID_LEN];
- 	int ft_completed;
-+	int ft_reassoc_completed;
- 	int over_the_ds_in_progress;
- 	u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
- 	int set_ptk_after_assoc;
--- 
-2.7.4
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple1.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple1.patch
new file mode 100644
index 0000000..d4d49e7
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple1.patch
@@ -0,0 +1,191 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+
+Backport a number of patches from upstream to fix this.
+
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 14 Jul 2017 15:15:35 +0200
+Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
+
+Do not reinstall TK to the driver during Reassociation Response frame
+processing if the first attempt of setting the TK succeeded. This avoids
+issues related to clearing the TX/RX PN that could result in reusing
+same PN values for transmitted frames (e.g., due to CCM nonce reuse and
+also hitting replay protection on the receiver) and accepting replayed
+frames on RX side.
+
+This issue was introduced by the commit
+0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
+authenticator') which allowed wpa_ft_install_ptk() to be called multiple
+times with the same PTK. While the second configuration attempt is
+needed with some drivers, it must be done only if the first attempt
+failed.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/ap/ieee802_11.c  | 16 +++++++++++++---
+ src/ap/wpa_auth.c    | 11 +++++++++++
+ src/ap/wpa_auth.h    |  3 ++-
+ src/ap/wpa_auth_ft.c | 10 ++++++++++
+ src/ap/wpa_auth_i.h  |  1 +
+ 5 files changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index 4e04169..333035f 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
+ {
+ 	struct ieee80211_ht_capabilities ht_cap;
+ 	struct ieee80211_vht_capabilities vht_cap;
++	int set = 1;
+ 
+ 	/*
+ 	 * Remove the STA entry to ensure the STA PS state gets cleared and
+@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd,
+ 	 * FT-over-the-DS, where a station re-associates back to the same AP but
+ 	 * skips the authentication flow, or if working with a driver that
+ 	 * does not support full AP client state.
++	 *
++	 * Skip this if the STA has already completed FT reassociation and the
++	 * TK has been configured since the TX/RX PN must not be reset to 0 for
++	 * the same key.
+ 	 */
+-	if (!sta->added_unassoc)
++	if (!sta->added_unassoc &&
++	    (!(sta->flags & WLAN_STA_AUTHORIZED) ||
++	     !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
+ 		hostapd_drv_sta_remove(hapd, sta->addr);
++		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
++		set = 0;
++	}
+ 
+ #ifdef CONFIG_IEEE80211N
+ 	if (sta->flags & WLAN_STA_HT)
+@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd,
+ 			    sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
+ 			    sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
+ 			    sta->vht_opmode, sta->p2p_ie ? 1 : 0,
+-			    sta->added_unassoc)) {
++			    set)) {
+ 		hostapd_logger(hapd, sta->addr,
+ 			       HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
+ 			       "Could not %s STA to kernel driver",
+-			       sta->added_unassoc ? "set" : "add");
++			       set ? "set" : "add");
+ 
+ 		if (sta->added_unassoc) {
+ 			hostapd_drv_sta_remove(hapd, sta->addr);
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 3587086..707971d 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
+ #else /* CONFIG_IEEE80211R */
+ 		break;
+ #endif /* CONFIG_IEEE80211R */
++	case WPA_DRV_STA_REMOVED:
++		sm->tk_already_set = FALSE;
++		return 0;
+ 	}
+ 
+ #ifdef CONFIG_IEEE80211R
+@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
+ }
+ 
+ 
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
++{
++	if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
++		return 0;
++	return sm->tk_already_set;
++}
++
++
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+ 			     struct rsn_pmksa_cache_entry *entry)
+ {
+diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
+index 0de8d97..97461b0 100644
+--- a/src/ap/wpa_auth.h
++++ b/src/ap/wpa_auth.h
+@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
+ 		 u8 *data, size_t data_len);
+ enum wpa_event {
+ 	WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
+-	WPA_REAUTH_EAPOL, WPA_ASSOC_FT
++	WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED
+ };
+ void wpa_remove_ptk(struct wpa_state_machine *sm);
+ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
+@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
+ int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
+ int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
+ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+ 			     struct rsn_pmksa_cache_entry *entry);
+ struct rsn_pmksa_cache_entry *
+diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
+index 42242a5..e63b99a 100644
+--- a/src/ap/wpa_auth_ft.c
++++ b/src/ap/wpa_auth_ft.c
+@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
+ 		return;
+ 	}
+ 
++	if (sm->tk_already_set) {
++		/* Must avoid TK reconfiguration to prevent clearing of TX/RX
++		 * PN in the driver */
++		wpa_printf(MSG_DEBUG,
++			   "FT: Do not re-install same PTK to the driver");
++		return;
++	}
++
+ 	/* FIX: add STA entry to kernel/driver here? The set_key will fail
+ 	 * most likely without this.. At the moment, STA entry is added only
+ 	 * after association has been completed. This function will be called
+@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
+ 
+ 	/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
+ 	sm->pairwise_set = TRUE;
++	sm->tk_already_set = TRUE;
+ }
+ 
+ 
+@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
+ 
+ 	sm->pairwise = pairwise;
+ 	sm->PTK_valid = TRUE;
++	sm->tk_already_set = FALSE;
+ 	wpa_ft_install_ptk(sm);
+ 
+ 	buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
+index 72b7eb3..7fd8f05 100644
+--- a/src/ap/wpa_auth_i.h
++++ b/src/ap/wpa_auth_i.h
+@@ -65,6 +65,7 @@ struct wpa_state_machine {
+ 	struct wpa_ptk PTK;
+ 	Boolean PTK_valid;
+ 	Boolean pairwise_set;
++	Boolean tk_already_set;
+ 	int keycount;
+ 	Boolean Pair;
+ 	struct wpa_key_replay_counter {
+-- 
+2.7.4
\ No newline at end of file
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch
new file mode 100644
index 0000000..501bb4b
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch
@@ -0,0 +1,267 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+
+Backport a number of patches from upstream to fix this.
+
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Wed, 12 Jul 2017 16:03:24 +0200
+Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
+
+Track the current GTK and IGTK that is in use and when receiving a
+(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
+not install the given key if it is already in use. This prevents an
+attacker from trying to trick the client into resetting or lowering the
+sequence counter associated to the group key.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/common/wpa_common.h |  11 +++++
+ src/rsn_supp/wpa.c      | 116 ++++++++++++++++++++++++++++++------------------
+ src/rsn_supp/wpa_i.h    |   4 ++
+ 3 files changed, 87 insertions(+), 44 deletions(-)
+
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index af1d0f0..d200285 100644
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -217,6 +217,17 @@ struct wpa_ptk {
+ 	size_t tk_len;
+ };
+ 
++struct wpa_gtk {
++	u8 gtk[WPA_GTK_MAX_LEN];
++	size_t gtk_len;
++};
++
++#ifdef CONFIG_IEEE80211W
++struct wpa_igtk {
++	u8 igtk[WPA_IGTK_MAX_LEN];
++	size_t igtk_len;
++};
++#endif /* CONFIG_IEEE80211W */
+ 
+ /* WPA IE version 1
+  * 00-50-f2:1 (OUI:OUI type)
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 3c47879..95bd7be 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	const u8 *_gtk = gd->gtk;
+ 	u8 gtk_buf[32];
+ 
++	/* Detect possible key reinstallation */
++	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
++			gd->keyidx, gd->tx, gd->gtk_len);
++		return 0;
++	}
++
+ 	wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
+ 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 		"WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
+@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	}
+ 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ 
++	sm->gtk.gtk_len = gd->gtk_len;
++	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++
+ 	return 0;
+ }
+ 
+@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ }
+ 
+ 
++#ifdef CONFIG_IEEE80211W
++static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
++				       const struct wpa_igtk_kde *igtk)
++{
++	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
++	u16 keyidx = WPA_GET_LE16(igtk->keyid);
++
++	/* Detect possible key reinstallation */
++	if (sm->igtk.igtk_len == len &&
++	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
++			keyidx);
++		return  0;
++	}
++
++	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++		"WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
++		keyidx, MAC2STR(igtk->pn));
++	wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
++	if (keyidx > 4095) {
++		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++			"WPA: Invalid IGTK KeyID %d", keyidx);
++		return -1;
++	}
++	if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
++			   broadcast_ether_addr,
++			   keyidx, 0, igtk->pn, sizeof(igtk->pn),
++			   igtk->igtk, len) < 0) {
++		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++			"WPA: Failed to configure IGTK to the driver");
++		return -1;
++	}
++
++	sm->igtk.igtk_len = len;
++	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++
++	return 0;
++}
++#endif /* CONFIG_IEEE80211W */
++
++
+ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 			       struct wpa_eapol_ie_parse *ie)
+ {
+@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 	if (ie->igtk) {
+ 		size_t len;
+ 		const struct wpa_igtk_kde *igtk;
+-		u16 keyidx;
++
+ 		len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+ 		if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
+ 			return -1;
++
+ 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-		keyidx = WPA_GET_LE16(igtk->keyid);
+-		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
+-			"pn %02x%02x%02x%02x%02x%02x",
+-			keyidx, MAC2STR(igtk->pn));
+-		wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
+-				igtk->igtk, len);
+-		if (keyidx > 4095) {
+-			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-				"WPA: Invalid IGTK KeyID %d", keyidx);
+-			return -1;
+-		}
+-		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-				   broadcast_ether_addr,
+-				   keyidx, 0, igtk->pn, sizeof(igtk->pn),
+-				   igtk->igtk, len) < 0) {
+-			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-				"WPA: Failed to configure IGTK to the driver");
++		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+ 			return -1;
+-		}
+ 	}
+ 
+ 	return 0;
+@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
+  */
+ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ {
+-	int clear_ptk = 1;
++	int clear_keys = 1;
+ 
+ 	if (sm == NULL)
+ 		return;
+@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		/* Prepare for the next transition */
+ 		wpa_ft_prepare_auth_request(sm, NULL);
+ 
+-		clear_ptk = 0;
++		clear_keys = 0;
+ 	}
+ #endif /* CONFIG_IEEE80211R */
+ 
+-	if (clear_ptk) {
++	if (clear_keys) {
+ 		/*
+ 		 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
+ 		 * this is not part of a Fast BSS Transition.
+@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 		sm->tptk_set = 0;
+ 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+ 	}
+ 
+ #ifdef CONFIG_TDLS
+@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+ 	os_memset(sm->pmk, 0, sizeof(sm->pmk));
+ 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+ 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+ 	os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
+@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 		os_memset(&gd, 0, sizeof(gd));
+ #ifdef CONFIG_IEEE80211W
+ 	} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
+-		struct wpa_igtk_kde igd;
+-		u16 keyidx;
+-
+-		os_memset(&igd, 0, sizeof(igd));
+-		keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
+-		os_memcpy(igd.keyid, buf + 2, 2);
+-		os_memcpy(igd.pn, buf + 4, 6);
+-
+-		keyidx = WPA_GET_LE16(igd.keyid);
+-		os_memcpy(igd.igtk, buf + 10, keylen);
+-
+-		wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
+-				igd.igtk, keylen);
+-		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-				   broadcast_ether_addr,
+-				   keyidx, 0, igd.pn, sizeof(igd.pn),
+-				   igd.igtk, keylen) < 0) {
+-			wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
+-				   "WNM mode");
+-			os_memset(&igd, 0, sizeof(igd));
++		const struct wpa_igtk_kde *igtk;
++
++		igtk = (const struct wpa_igtk_kde *) (buf + 2);
++		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+ 			return -1;
+-		}
+-		os_memset(&igd, 0, sizeof(igd));
+ #endif /* CONFIG_IEEE80211W */
+ 	} else {
+ 		wpa_printf(MSG_DEBUG, "Unknown element id");
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index f653ba6..afc9e37 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -31,6 +31,10 @@ struct wpa_sm {
+ 	u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
+ 	int rx_replay_counter_set;
+ 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
++	struct wpa_gtk gtk;
++#ifdef CONFIG_IEEE80211W
++	struct wpa_igtk igtk;
++#endif /* CONFIG_IEEE80211W */
+ 
+ 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+ 
+-- 
+2.7.4
\ No newline at end of file
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple3.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple3.patch
new file mode 100644
index 0000000..2e22655
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple3.patch
@@ -0,0 +1,201 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+
+Backport a number of patches from upstream to fix this.
+
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Oct 2017 12:12:24 +0300
+Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
+ Mode cases
+
+This extends the protection to track last configured GTK/IGTK value
+separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
+corner case where these two different mechanisms may get used when the
+GTK/IGTK has changed and tracking a single value is not sufficient to
+detect a possible key reconfiguration.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/wpa.c   | 53 +++++++++++++++++++++++++++++++++++++---------------
+ src/rsn_supp/wpa_i.h |  2 ++
+ 2 files changed, 40 insertions(+), 15 deletions(-)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 95bd7be..7a2c68d 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -709,14 +709,17 @@ struct wpa_gtk_data {
+ 
+ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 				      const struct wpa_gtk_data *gd,
+-				      const u8 *key_rsc)
++				      const u8 *key_rsc, int wnm_sleep)
+ {
+ 	const u8 *_gtk = gd->gtk;
+ 	u8 gtk_buf[32];
+ 
+ 	/* Detect possible key reinstallation */
+-	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
+-	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++	if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++	     os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
++	    (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
++	     os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
++		       sm->gtk_wnm_sleep.gtk_len) == 0)) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
+ 			gd->keyidx, gd->tx, gd->gtk_len);
+@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 	}
+ 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ 
+-	sm->gtk.gtk_len = gd->gtk_len;
+-	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++	if (wnm_sleep) {
++		sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
++		os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
++			  sm->gtk_wnm_sleep.gtk_len);
++	} else {
++		sm->gtk.gtk_len = gd->gtk_len;
++		os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++	}
+ 
+ 	return 0;
+ }
+@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ 	    (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
+ 					       gtk_len, gtk_len,
+ 					       &gd.key_rsc_len, &gd.alg) ||
+-	     wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
++	     wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"RSN: Failed to install GTK");
+ 		os_memset(&gd, 0, sizeof(gd));
+@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ 
+ #ifdef CONFIG_IEEE80211W
+ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+-				       const struct wpa_igtk_kde *igtk)
++				       const struct wpa_igtk_kde *igtk,
++				       int wnm_sleep)
+ {
+ 	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+ 	u16 keyidx = WPA_GET_LE16(igtk->keyid);
+ 
+ 	/* Detect possible key reinstallation */
+-	if (sm->igtk.igtk_len == len &&
+-	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++	if ((sm->igtk.igtk_len == len &&
++	     os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
++	    (sm->igtk_wnm_sleep.igtk_len == len &&
++	     os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++		       sm->igtk_wnm_sleep.igtk_len) == 0)) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
+ 			keyidx);
+@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+ 		return -1;
+ 	}
+ 
+-	sm->igtk.igtk_len = len;
+-	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++	if (wnm_sleep) {
++		sm->igtk_wnm_sleep.igtk_len = len;
++		os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++			  sm->igtk_wnm_sleep.igtk_len);
++	} else {
++		sm->igtk.igtk_len = len;
++		os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++	}
+ 
+ 	return 0;
+ }
+@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 			return -1;
+ 
+ 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++		if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
+ 			return -1;
+ 	}
+ 
+@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
+ 	if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
+ 		key_rsc = null_rsc;
+ 
+-	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
++	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
+ 	    wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
+ 		goto failed;
+ 	os_memset(&gd, 0, sizeof(gd));
+@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ 		sm->tptk_set = 0;
+ 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ 		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++		os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+ 		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++		os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+ 	}
+ 
+@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+ 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ 	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++	os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+ 	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++	os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+ 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 
+ 		wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
+ 				gd.gtk, gd.gtk_len);
+-		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
++		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
+ 			os_memset(&gd, 0, sizeof(gd));
+ 			wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
+ 				   "WNM mode");
+@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+ 		const struct wpa_igtk_kde *igtk;
+ 
+ 		igtk = (const struct wpa_igtk_kde *) (buf + 2);
+-		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++		if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
+ 			return -1;
+ #endif /* CONFIG_IEEE80211W */
+ 	} else {
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index afc9e37..9a54631 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -32,8 +32,10 @@ struct wpa_sm {
+ 	int rx_replay_counter_set;
+ 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
+ 	struct wpa_gtk gtk;
++	struct wpa_gtk gtk_wnm_sleep;
+ #ifdef CONFIG_IEEE80211W
+ 	struct wpa_igtk igtk;
++	struct wpa_igtk igtk_wnm_sleep;
+ #endif /* CONFIG_IEEE80211W */
+ 
+ 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+-- 
+2.7.4
\ No newline at end of file
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch
new file mode 100644
index 0000000..6c19486
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple4.patch
@@ -0,0 +1,96 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+
+Backport a number of patches from upstream to fix this.
+
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 29 Sep 2017 04:22:51 +0200
+Subject: [PATCH 4/8] Prevent installation of an all-zero TK
+
+Properly track whether a PTK has already been installed to the driver
+and the TK part cleared from memory. This prevents an attacker from
+trying to trick the client into installing an all-zero TK.
+
+This fixes the earlier fix in commit
+ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
+driver in EAPOL-Key 3/4 retry case') which did not take into account
+possibility of an extra message 1/4 showing up between retries of
+message 3/4.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/common/wpa_common.h | 1 +
+ src/rsn_supp/wpa.c      | 5 ++---
+ src/rsn_supp/wpa_i.h    | 1 -
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index d200285..1021ccb 100644
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -215,6 +215,7 @@ struct wpa_ptk {
+ 	size_t kck_len;
+ 	size_t kek_len;
+ 	size_t tk_len;
++	int installed; /* 1 if key has already been installed to driver */
+ };
+ 
+ struct wpa_gtk {
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 7a2c68d..0550a41 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
+ 		os_memset(buf, 0, sizeof(buf));
+ 	}
+ 	sm->tptk_set = 1;
+-	sm->tk_to_set = 1;
+ 
+ 	kde = sm->assoc_wpa_ie;
+ 	kde_len = sm->assoc_wpa_ie_len;
+@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+ 	enum wpa_alg alg;
+ 	const u8 *key_rsc;
+ 
+-	if (!sm->tk_to_set) {
++	if (sm->ptk.installed) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Do not re-install same PTK to the driver");
+ 		return 0;
+@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+ 
+ 	/* TK is not needed anymore in supplicant */
+ 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
+-	sm->tk_to_set = 0;
++	sm->ptk.installed = 1;
+ 
+ 	if (sm->wpa_ptk_rekey) {
+ 		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 9a54631..41f371f 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -24,7 +24,6 @@ struct wpa_sm {
+ 	struct wpa_ptk ptk, tptk;
+ 	int ptk_set, tptk_set;
+ 	unsigned int msg_3_of_4_ok:1;
+-	unsigned int tk_to_set:1;
+ 	u8 snonce[WPA_NONCE_LEN];
+ 	u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
+ 	int renew_snonce;
+-- 
+2.7.4
\ No newline at end of file
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple5.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple5.patch
new file mode 100644
index 0000000..b262dca
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple5.patch
@@ -0,0 +1,81 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+
+Backport a number of patches from upstream to fix this.
+
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Oct 2017 12:32:57 +0300
+Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce
+
+The Authenticator state machine path for PTK rekeying ended up bypassing
+the AUTHENTICATION2 state where a new ANonce is generated when going
+directly to the PTKSTART state since there is no need to try to
+determine the PMK again in such a case. This is far from ideal since the
+new PTK would depend on a new nonce only from the supplicant.
+
+Fix this by generating a new ANonce when moving to the PTKSTART state
+for the purpose of starting new 4-way handshake to rekey PTK.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/wpa_auth.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 707971d..bf10cc1 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
+ }
+ 
+ 
++static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
++{
++	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
++		wpa_printf(MSG_ERROR,
++			   "WPA: Failed to get random data for ANonce");
++		sm->Disconnect = TRUE;
++		return -1;
++	}
++	wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
++		    WPA_NONCE_LEN);
++	sm->TimeoutCtr = 0;
++	return 0;
++}
++
++
+ SM_STATE(WPA_PTK, INITPMK)
+ {
+ 	u8 msk[2 * PMK_LEN];
+@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK)
+ 		SM_ENTER(WPA_PTK, AUTHENTICATION);
+ 	else if (sm->ReAuthenticationRequest)
+ 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
+-	else if (sm->PTKRequest)
+-		SM_ENTER(WPA_PTK, PTKSTART);
+-	else switch (sm->wpa_ptk_state) {
++	else if (sm->PTKRequest) {
++		if (wpa_auth_sm_ptk_update(sm) < 0)
++			SM_ENTER(WPA_PTK, DISCONNECTED);
++		else
++			SM_ENTER(WPA_PTK, PTKSTART);
++	} else switch (sm->wpa_ptk_state) {
+ 	case WPA_PTK_INITIALIZE:
+ 		break;
+ 	case WPA_PTK_DISCONNECT:
+-- 
+2.7.4
\ No newline at end of file
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch
new file mode 100644
index 0000000..15183f4
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple6.patch
@@ -0,0 +1,149 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+
+Backport a number of patches from upstream to fix this.
+
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 11:03:15 +0300
+Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
+
+Do not try to reconfigure the same TPK-TK to the driver after it has
+been successfully configured. This is an explicit check to avoid issues
+related to resetting the TX/RX packet number. There was already a check
+for this for TPK M2 (retries of that message are ignored completely), so
+that behavior does not get modified.
+
+For TPK M3, the TPK-TK could have been reconfigured, but that was
+followed by immediate teardown of the link due to an issue in updating
+the STA entry. Furthermore, for TDLS with any real security (i.e.,
+ignoring open/WEP), the TPK message exchange is protected on the AP path
+and simple replay attacks are not feasible.
+
+As an additional corner case, make sure the local nonce gets updated if
+the peer uses a very unlikely "random nonce" of all zeros.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
+index e424168..9eb9738 100644
+--- a/src/rsn_supp/tdls.c
++++ b/src/rsn_supp/tdls.c
+@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
+ 		u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
+ 	} tpk;
+ 	int tpk_set;
++	int tk_set; /* TPK-TK configured to the driver */
+ 	int tpk_success;
+ 	int tpk_in_progress;
+ 
+@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 	u8 rsc[6];
+ 	enum wpa_alg alg;
+ 
++	if (peer->tk_set) {
++		/*
++		 * This same TPK-TK has already been configured to the driver
++		 * and this new configuration attempt (likely due to an
++		 * unexpected retransmitted frame) would result in clearing
++		 * the TX/RX sequence number which can break security, so must
++		 * not allow that to happen.
++		 */
++		wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
++			   " has already been configured to the driver - do not reconfigure",
++			   MAC2STR(peer->addr));
++		return -1;
++	}
++
+ 	os_memset(rsc, 0, 6);
+ 
+ 	switch (peer->cipher) {
+@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 		return -1;
+ 	}
+ 
++	wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
++		   MAC2STR(peer->addr));
+ 	if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
+ 			   rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
+ 		wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
+ 			   "driver");
+ 		return -1;
+ 	}
++	peer->tk_set = 1;
+ 	return 0;
+ }
+ 
+@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+ 	peer->cipher = 0;
+ 	peer->qos_info = 0;
+ 	peer->wmm_capable = 0;
+-	peer->tpk_set = peer->tpk_success = 0;
++	peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
+ 	peer->chan_switch_enabled = 0;
+ 	os_memset(&peer->tpk, 0, sizeof(peer->tpk));
+ 	os_memset(peer->inonce, 0, WPA_NONCE_LEN);
+@@ -1159,6 +1177,7 @@ skip_rsnie:
+ 		wpa_tdls_peer_free(sm, peer);
+ 		return -1;
+ 	}
++	peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
+ 		    peer->inonce, WPA_NONCE_LEN);
+ 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
+ }
+ 
+ 
++static int tdls_nonce_set(const u8 *nonce)
++{
++	int i;
++
++	for (i = 0; i < WPA_NONCE_LEN; i++) {
++		if (nonce[i])
++			return 1;
++	}
++
++	return 0;
++}
++
++
+ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
+ 				   const u8 *buf, size_t len)
+ {
+@@ -2004,7 +2036,8 @@ skip_rsn:
+ 	peer->rsnie_i_len = kde.rsn_ie_len;
+ 	peer->cipher = cipher;
+ 
+-	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
++	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
++	    !tdls_nonce_set(peer->inonce)) {
+ 		/*
+ 		 * There is no point in updating the RNonce for every obtained
+ 		 * TPK M1 frame (e.g., retransmission due to timeout) with the
+@@ -2020,6 +2053,7 @@ skip_rsn:
+ 				"TDLS: Failed to get random data for responder nonce");
+ 			goto error;
+ 		}
++		peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	}
+ 
+ #if 0
+-- 
+2.7.4
\ No newline at end of file
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch
new file mode 100644
index 0000000..2e12bc7
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple7.patch
@@ -0,0 +1,60 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+
+Backport a number of patches from upstream to fix this.
+
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 11:25:02 +0300
+Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending
+ request
+
+Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
+Mode Response if WNM-Sleep Mode has not been used') started ignoring the
+response when no WNM-Sleep Mode Request had been used during the
+association. This can be made tighter by clearing the used flag when
+successfully processing a response. This adds an additional layer of
+protection against unexpected retransmissions of the response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ wpa_supplicant/wnm_sta.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
+index 1b3409c..67a07ff 100644
+--- a/wpa_supplicant/wnm_sta.c
++++ b/wpa_supplicant/wnm_sta.c
+@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
+ 
+ 	if (!wpa_s->wnmsleep_used) {
+ 		wpa_printf(MSG_DEBUG,
+-			   "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
++			   "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
+ 		return;
+ 	}
+ 
+@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
+ 		return;
+ 	}
+ 
++	wpa_s->wnmsleep_used = 0;
++
+ 	if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
+ 	    wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
+ 		wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "
+-- 
+2.7.4
\ No newline at end of file
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch
new file mode 100644
index 0000000..7f5390c
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple8.patch
@@ -0,0 +1,99 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+
+Backport a number of patches from upstream to fix this.
+
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 12:06:37 +0300
+Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
+
+The driver is expected to not report a second association event without
+the station having explicitly request a new association. As such, this
+case should not be reachable. However, since reconfiguring the same
+pairwise or group keys to the driver could result in nonce reuse issues,
+be extra careful here and do an additional state check to avoid this
+even if the local driver ends up somehow accepting an unexpected
+Reassociation Response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/wpa.c    | 3 +++
+ src/rsn_supp/wpa_ft.c | 8 ++++++++
+ src/rsn_supp/wpa_i.h  | 1 +
+ 3 files changed, 12 insertions(+)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 0550a41..2a53c6f 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
+ #ifdef CONFIG_TDLS
+ 	wpa_tdls_disassoc(sm);
+ #endif /* CONFIG_TDLS */
++#ifdef CONFIG_IEEE80211R
++	sm->ft_reassoc_completed = 0;
++#endif /* CONFIG_IEEE80211R */
+ 
+ 	/* Keys are not needed in the WPA state machine anymore */
+ 	wpa_sm_drop_sa(sm);
+diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
+index 205793e..d45bb45 100644
+--- a/src/rsn_supp/wpa_ft.c
++++ b/src/rsn_supp/wpa_ft.c
+@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
+ 	u16 capab;
+ 
+ 	sm->ft_completed = 0;
++	sm->ft_reassoc_completed = 0;
+ 
+ 	buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+ 		2 + sm->r0kh_id_len + ric_ies_len + 100;
+@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ 		return -1;
+ 	}
+ 
++	if (sm->ft_reassoc_completed) {
++		wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
++		return 0;
++	}
++
+ 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
+ 		wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
+ 		return -1;
+@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+ 		return -1;
+ 	}
+ 
++	sm->ft_reassoc_completed = 1;
++
+ 	if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
+ 		return -1;
+ 
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 41f371f..56f88dc 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -128,6 +128,7 @@ struct wpa_sm {
+ 	size_t r0kh_id_len;
+ 	u8 r1kh_id[FT_R1KH_ID_LEN];
+ 	int ft_completed;
++	int ft_reassoc_completed;
+ 	int over_the_ds_in_progress;
+ 	u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
+ 	int set_ptk_after_assoc;
+-- 
+2.7.4
\ No newline at end of file
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
index d6d4206..e684537 100644
--- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
@@ -24,7 +24,14 @@
            file://wpa_supplicant.conf \
            file://wpa_supplicant.conf-sane \
            file://99_wpa_supplicant \
-           file://key-replay-cve-multiple.patch \
+           file://key-replay-cve-multiple1.patch \
+           file://key-replay-cve-multiple2.patch \
+           file://key-replay-cve-multiple3.patch \
+           file://key-replay-cve-multiple4.patch \
+           file://key-replay-cve-multiple5.patch \
+           file://key-replay-cve-multiple6.patch \
+           file://key-replay-cve-multiple7.patch \
+           file://key-replay-cve-multiple8.patch \
           "
 SRC_URI[md5sum] = "091569eb4440b7d7f2b4276dbfc03c3c"
 SRC_URI[sha256sum] = "b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450"
diff --git a/poky/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch b/poky/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch
new file mode 100644
index 0000000..da6dfa8
--- /dev/null
+++ b/poky/meta/recipes-core/busybox/busybox/busybox-fix-lzma-segfaults.patch
@@ -0,0 +1,106 @@
+busybox-1.27.2: Fix lzma segfaults
+
+[No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871
+
+libarchive: check buffer index in lzma_decompress
+
+With specific defconfig busybox fails to check zip fileheader magic
+(archival/unzip.c) and uses (archival/libarchive/decompress_unlzma.c)
+for decompression which leads to segmentation fault. It prevents accessing into
+buffer, which is smaller than pos index. Patch includes multiple segmentation
+fault fixes.
+
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36986bb80289c1cd8d15a557e49207c9a42946b]
+bug: 10436 10871
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
+index a904087..29eee2a 100644
+--- a/archival/libarchive/decompress_unlzma.c
++++ b/archival/libarchive/decompress_unlzma.c
+@@ -11,6 +11,14 @@
+ #include "libbb.h"
+ #include "bb_archive.h"
+ 
++
++#if 0
++# define dbg(...) bb_error_msg(__VA_ARGS__)
++#else
++# define dbg(...) ((void)0)
++#endif
++
++
+ #if ENABLE_FEATURE_LZMA_FAST
+ #  define speed_inline ALWAYS_INLINE
+ #  define size_inline
+@@ -217,6 +225,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 	rc_t *rc;
+ 	int i;
+ 	uint8_t *buffer;
++	uint32_t buffer_size;
+ 	uint8_t previous_byte = 0;
+ 	size_t buffer_pos = 0, global_pos = 0;
+ 	int len = 0;
+@@ -246,7 +255,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 	if (header.dict_size == 0)
+ 		header.dict_size++;
+ 
+-	buffer = xmalloc(MIN(header.dst_size, header.dict_size));
++	buffer_size = MIN(header.dst_size, header.dict_size);
++	buffer = xmalloc(buffer_size);
+ 
+ 	{
+ 		int num_probs;
+@@ -341,8 +351,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 						state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
+ 
+ 						pos = buffer_pos - rep0;
+-						if ((int32_t)pos < 0)
++						if ((int32_t)pos < 0) {
+ 							pos += header.dict_size;
++							/* see unzip_bad_lzma_2.zip: */
++							if (pos >= buffer_size)
++								goto bad;
++						}
+ 						previous_byte = buffer[pos];
+ 						goto one_byte1;
+ #else
+@@ -417,6 +431,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 						for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
+ 							rep0 = (rep0 << 1) | rc_direct_bit(rc);
+ 						rep0 <<= LZMA_NUM_ALIGN_BITS;
++						if ((int32_t)rep0 < 0) {
++							dbg("%d rep0:%d", __LINE__, rep0);
++							goto bad;
++						}
+ 						prob3 = p + LZMA_ALIGN;
+ 					}
+ 					i2 = 1;
+@@ -450,8 +468,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+  IF_NOT_FEATURE_LZMA_FAST(string:)
+ 			do {
+ 				uint32_t pos = buffer_pos - rep0;
+-				if ((int32_t)pos < 0)
++				if ((int32_t)pos < 0) {
+ 					pos += header.dict_size;
++					/* more stringent test (see unzip_bad_lzma_1.zip): */
++					if (pos >= buffer_size)
++						goto bad;
++				}
+ 				previous_byte = buffer[pos];
+  IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
+ 				buffer[buffer_pos++] = previous_byte;
+@@ -478,6 +500,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
+ 		IF_DESKTOP(total_written += buffer_pos;)
+ 		if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) {
+  bad:
++			/* One of our users, bbunpack(), expects _us_ to emit
++			 * the error message (since it's the best place to give
++			 * potentially more detailed information).
++			 * Do not fail silently.
++			 */
++			bb_error_msg("corrupted data");
+ 			total_written = -1; /* failure */
+ 		}
+ 		rc_free(rc);
+ 
diff --git a/poky/meta/recipes-core/busybox/busybox/umount-ignore-c.patch b/poky/meta/recipes-core/busybox/busybox/umount-ignore-c.patch
new file mode 100644
index 0000000..9fe7998
--- /dev/null
+++ b/poky/meta/recipes-core/busybox/busybox/umount-ignore-c.patch
@@ -0,0 +1,40 @@
+Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=426134128112738c97a665170b21153ef0764b7d]
+
+From 95ea12791c8623bf825bc711ac7790306e7e1adb Mon Sep 17 00:00:00 2001
+From: Shawn Landden <slandden@gmail.com>
+Date: Mon, 8 Jan 2018 13:31:58 +0100
+Subject: [PATCH] umount: ignore -c
+Organization: O.S. Systems Software LTDA.
+
+"-c, --no-canonicalize: Do not canonicalize paths."
+
+As busybox doesn't canonicalize paths in the first place it is safe to ignore
+this option.
+
+See https://github.com/systemd/systemd/issues/7786
+
+Signed-off-by: Shawn Landden <slandden@gmail.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ util-linux/umount.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/util-linux/umount.c b/util-linux/umount.c
+index 0c50dc9ee..0425c5b76 100644
+--- a/util-linux/umount.c
++++ b/util-linux/umount.c
+@@ -68,8 +68,8 @@ static struct mntent *getmntent_r(FILE* stream, struct mntent* result,
+ }
+ #endif
+ 
+-/* ignored: -v -t -i */
+-#define OPTION_STRING           "fldnra" "vt:i"
++/* ignored: -c -v -t -i */
++#define OPTION_STRING           "fldnra" "cvt:i"
+ #define OPT_FORCE               (1 << 0) // Same as MNT_FORCE
+ #define OPT_LAZY                (1 << 1) // Same as MNT_DETACH
+ #define OPT_FREELOOP            (1 << 2)
+-- 
+2.18.0
+
diff --git a/poky/meta/recipes-core/busybox/busybox_1.27.2.bb b/poky/meta/recipes-core/busybox/busybox_1.27.2.bb
index 36a6342..1ce4823 100644
--- a/poky/meta/recipes-core/busybox/busybox_1.27.2.bb
+++ b/poky/meta/recipes-core/busybox/busybox_1.27.2.bb
@@ -45,6 +45,8 @@
            file://CVE-2011-5325.patch \
            file://CVE-2017-15873.patch \
            file://busybox-CVE-2017-16544.patch \
+           file://busybox-fix-lzma-segfaults.patch \
+           file://umount-ignore-c.patch \
 "
 SRC_URI_append_libc-musl = " file://musl.cfg "
 
diff --git a/poky/meta/recipes-core/coreutils/coreutils_8.29.bb b/poky/meta/recipes-core/coreutils/coreutils_8.29.bb
index 0b8acc5..4704f32 100644
--- a/poky/meta/recipes-core/coreutils/coreutils_8.29.bb
+++ b/poky/meta/recipes-core/coreutils/coreutils_8.29.bb
@@ -26,7 +26,7 @@
 
 EXTRA_OECONF_class-native = "--without-gmp"
 EXTRA_OECONF_class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
-EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch"
+EXTRA_OECONF_class-nativesdk = "--enable-install-program=arch,hostname"
 
 # acl and xattr are not default features
 #
diff --git a/poky/meta/recipes-core/dropbear/dropbear/init b/poky/meta/recipes-core/dropbear/dropbear/init
index f6e1c46..ffab7a2 100755
--- a/poky/meta/recipes-core/dropbear/dropbear/init
+++ b/poky/meta/recipes-core/dropbear/dropbear/init
@@ -17,8 +17,11 @@
 DESC="Dropbear SSH server"
 PIDFILE=/var/run/dropbear.pid
 
+# These values may be replaced by those from /etc/default/dropbear
+DROPBEAR_RSAKEY_DIR="/etc/dropbear"
 DROPBEAR_PORT=22
 DROPBEAR_EXTRA_ARGS=
+DROPBEAR_RSAKEY_ARGS=
 NO_START=0
 
 set -e
@@ -28,32 +31,19 @@
 test -x "$DAEMON" || exit 0
 test ! -h /var/service/dropbear || exit 0
 
-readonly_rootfs=0
-for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' </proc/mounts`; do
-  case $flag in
-   ro)
-     readonly_rootfs=1
-     ;;
-  esac
-done
-
-if [ $readonly_rootfs = "1" ]; then
-  mkdir -p /var/lib/dropbear
-  DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key"
-else
-  DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
-fi
-
 test -z "$DROPBEAR_BANNER" || \
   DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
 test -n "$DROPBEAR_RSAKEY" || \
-  DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
+  DROPBEAR_RSAKEY="${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key"
 
 gen_keys() {
     if [ -f "$DROPBEAR_RSAKEY" -a ! -s "$DROPBEAR_RSAKEY" ]; then
         rm $DROPBEAR_RSAKEY || true
     fi
-    test -f $DROPBEAR_RSAKEY || dropbearkey -t rsa -f $DROPBEAR_RSAKEY $DROPBEAR_RSAKEY_ARGS
+    if [ ! -f "$DROPBEAR_RSAKEY" ]; then
+        mkdir -p ${DROPBEAR_RSAKEY%/*}
+        dropbearkey -t rsa -f $DROPBEAR_RSAKEY $DROPBEAR_RSAKEY_ARGS
+    fi
 }
 
 case "$1" in
diff --git a/poky/meta/recipes-core/glibc/glibc-locale.inc b/poky/meta/recipes-core/glibc/glibc-locale.inc
index b3cb10b..e50e5cf 100644
--- a/poky/meta/recipes-core/glibc/glibc-locale.inc
+++ b/poky/meta/recipes-core/glibc/glibc-locale.inc
@@ -74,23 +74,22 @@
 do_install () {
 	mkdir -p ${D}${bindir} ${D}${datadir} ${D}${libdir}
 	if [ -n "$(ls ${LOCALETREESRC}/${bindir})" ]; then
-		cp -fpPR ${LOCALETREESRC}/${bindir}/* ${D}${bindir}
+		cp -R --no-dereference --preserve=mode,links ${LOCALETREESRC}/${bindir}/* ${D}${bindir}
 	fi
 	if [ -n "$(ls ${LOCALETREESRC}/${localedir})" ]; then
 		mkdir -p ${D}${localedir}
-		cp -fpPR ${LOCALETREESRC}/${localedir}/* ${D}${localedir}
+		cp -R --no-dereference --preserve=mode,links ${LOCALETREESRC}/${localedir}/* ${D}${localedir}
 	fi
 	if [ -e ${LOCALETREESRC}/${libdir}/gconv ]; then
-		cp -fpPR ${LOCALETREESRC}/${libdir}/gconv ${D}${libdir}
+		cp -R --no-dereference --preserve=mode,links ${LOCALETREESRC}/${libdir}/gconv ${D}${libdir}
 	fi
 	if [ -e ${LOCALETREESRC}/${datadir}/i18n ]; then
-		cp -fpPR ${LOCALETREESRC}/${datadir}/i18n ${D}${datadir}
+		cp -R --no-dereference --preserve=mode,links ${LOCALETREESRC}/${datadir}/i18n ${D}${datadir}
 	fi
 	if [ -e ${LOCALETREESRC}/${datadir}/locale ]; then
-		cp -fpPR ${LOCALETREESRC}/${datadir}/locale ${D}${datadir}
+		cp -R --no-dereference --preserve=mode,links ${LOCALETREESRC}/${datadir}/locale ${D}${datadir}
 	fi
-	chown root:root -R ${D}
-	cp -fpPR ${LOCALETREESRC}/SUPPORTED ${WORKDIR}
+	cp -R --no-dereference --preserve=mode,links ${LOCALETREESRC}/SUPPORTED ${WORKDIR}
 }
 
 inherit libc-package
diff --git a/poky/meta/recipes-core/glibc/glibc-package.inc b/poky/meta/recipes-core/glibc/glibc-package.inc
index 728bc53..c1d186a 100644
--- a/poky/meta/recipes-core/glibc/glibc-package.inc
+++ b/poky/meta/recipes-core/glibc/glibc-package.inc
@@ -137,7 +137,6 @@
 }
 
 do_install_armmultilib () {
-
 	oe_multilib_header bits/endian.h bits/fcntl.h bits/fenv.h bits/fp-fast.h bits/hwcap.h bits/ipc.h bits/link.h bits/wordsize.h
 	oe_multilib_header bits/local_lim.h bits/mman.h bits/msq.h bits/pthreadtypes.h bits/pthreadtypes-arch.h  bits/sem.h  bits/semaphore.h bits/setjmp.h
 	oe_multilib_header bits/shm.h bits/sigstack.h bits/stat.h bits/statfs.h bits/typesizes.h
diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2017-18269.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2017-18269.patch
new file mode 100644
index 0000000..d873c51
--- /dev/null
+++ b/poky/meta/recipes-core/glibc/glibc/CVE-2017-18269.patch
@@ -0,0 +1,178 @@
+From cd66c0e584c6d692bc8347b5e72723d02b8a8ada Mon Sep 17 00:00:00 2001
+From: Andrew Senkevich <andrew.n.senkevich@gmail.com>
+Date: Fri, 23 Mar 2018 16:19:45 +0100
+Subject: [PATCH] Fix i386 memmove issue (bug 22644).
+
+	[BZ #22644]
+	* sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed
+	branch conditions.
+	* string/test-memmove.c (do_test2): New testcase.
+
+Upstream-Status: Backport
+CVE: CVE-2017-18269
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ ChangeLog                                          |  8 +++
+ string/test-memmove.c                              | 58 ++++++++++++++++++++++
+ .../i386/i686/multiarch/memcpy-sse2-unaligned.S    | 12 ++---
+ 3 files changed, 72 insertions(+), 6 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 18ed09e..afdb766 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,11 @@
++2018-03-23  Andrew Senkevich  <andrew.senkevich@intel.com>
++	    Max Horn  <max@quendi.de>
++
++	[BZ #22644]
++	* sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: Fixed
++	branch conditions.
++	* string/test-memmove.c (do_test2): New testcase.
++
+ 2018-02-22  Andrew Waterman <andrew@sifive.com>
+ 
+ 	[BZ # 22884]
+diff --git a/string/test-memmove.c b/string/test-memmove.c
+index edc7a4c..64e3651 100644
+--- a/string/test-memmove.c
++++ b/string/test-memmove.c
+@@ -24,6 +24,7 @@
+ # define TEST_NAME "memmove"
+ #endif
+ #include "test-string.h"
++#include <support/test-driver.h>
+ 
+ char *simple_memmove (char *, const char *, size_t);
+ 
+@@ -245,6 +246,60 @@ do_random_tests (void)
+     }
+ }
+ 
++static void
++do_test2 (void)
++{
++  size_t size = 0x20000000;
++  uint32_t * large_buf;
++
++  large_buf = mmap ((void*) 0x70000000, size, PROT_READ | PROT_WRITE,
++		    MAP_PRIVATE | MAP_ANON, -1, 0);
++
++  if (large_buf == MAP_FAILED)
++    error (EXIT_UNSUPPORTED, errno, "Large mmap failed");
++
++  if ((uintptr_t) large_buf > 0x80000000 - 128
++      || 0x80000000 - (uintptr_t) large_buf > 0x20000000)
++    {
++      error (0, 0, "Large mmap allocated improperly");
++      ret = EXIT_UNSUPPORTED;
++      munmap ((void *) large_buf, size);
++      return;
++    }
++
++  size_t bytes_move = 0x80000000 - (uintptr_t) large_buf;
++  size_t arr_size = bytes_move / sizeof (uint32_t);
++  size_t i;
++
++  FOR_EACH_IMPL (impl, 0)
++    {
++      for (i = 0; i < arr_size; i++)
++        large_buf[i] = (uint32_t) i;
++
++      uint32_t * dst = &large_buf[33];
++
++#ifdef TEST_BCOPY
++      CALL (impl, (char *) large_buf, (char *) dst, bytes_move);
++#else
++      CALL (impl, (char *) dst, (char *) large_buf, bytes_move);
++#endif
++
++      for (i = 0; i < arr_size; i++)
++	{
++	  if (dst[i] != (uint32_t) i)
++	    {
++	      error (0, 0,
++		     "Wrong result in function %s dst \"%p\" src \"%p\" offset \"%zd\"",
++		     impl->name, dst, large_buf, i);
++	      ret = 1;
++	      break;
++	    }
++	}
++    }
++
++  munmap ((void *) large_buf, size);
++}
++
+ int
+ test_main (void)
+ {
+@@ -284,6 +339,9 @@ test_main (void)
+     }
+ 
+   do_random_tests ();
++
++  do_test2 ();
++
+   return ret;
+ }
+ 
+diff --git a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
+index 9c3bbe7..9aa17de 100644
+--- a/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
++++ b/sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S
+@@ -72,7 +72,7 @@ ENTRY (MEMCPY)
+ 	cmp	%edx, %eax
+ 
+ # ifdef USE_AS_MEMMOVE
+-	jg	L(check_forward)
++	ja	L(check_forward)
+ 
+ L(mm_len_0_or_more_backward):
+ /* Now do checks for lengths. We do [0..16], [16..32], [32..64], [64..128]
+@@ -81,7 +81,7 @@ L(mm_len_0_or_more_backward):
+ 	jbe	L(mm_len_0_16_bytes_backward)
+ 
+ 	cmpl	$32, %ecx
+-	jg	L(mm_len_32_or_more_backward)
++	ja	L(mm_len_32_or_more_backward)
+ 
+ /* Copy [0..32] and return.  */
+ 	movdqu	(%eax), %xmm0
+@@ -92,7 +92,7 @@ L(mm_len_0_or_more_backward):
+ 
+ L(mm_len_32_or_more_backward):
+ 	cmpl	$64, %ecx
+-	jg	L(mm_len_64_or_more_backward)
++	ja	L(mm_len_64_or_more_backward)
+ 
+ /* Copy [0..64] and return.  */
+ 	movdqu	(%eax), %xmm0
+@@ -107,7 +107,7 @@ L(mm_len_32_or_more_backward):
+ 
+ L(mm_len_64_or_more_backward):
+ 	cmpl	$128, %ecx
+-	jg	L(mm_len_128_or_more_backward)
++	ja	L(mm_len_128_or_more_backward)
+ 
+ /* Copy [0..128] and return.  */
+ 	movdqu	(%eax), %xmm0
+@@ -132,7 +132,7 @@ L(mm_len_128_or_more_backward):
+ 	add	%ecx, %eax
+ 	cmp	%edx, %eax
+ 	movl	SRC(%esp), %eax
+-	jle	L(forward)
++	jbe	L(forward)
+ 	PUSH (%esi)
+ 	PUSH (%edi)
+ 	PUSH (%ebx)
+@@ -269,7 +269,7 @@ L(check_forward):
+ 	add	%edx, %ecx
+ 	cmp	%eax, %ecx
+ 	movl	LEN(%esp), %ecx
+-	jle	L(forward)
++	jbe	L(forward)
+ 
+ /* Now do checks for lengths. We do [0..16], [0..32], [0..64], [0..128]
+ 	separately.  */
+-- 
+2.9.3
diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2018-11236.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11236.patch
new file mode 100644
index 0000000..e2bb40b
--- /dev/null
+++ b/poky/meta/recipes-core/glibc/glibc/CVE-2018-11236.patch
@@ -0,0 +1,164 @@
+From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001
+From: Paul Pluzhnikov <ppluzhnikov@google.com>
+Date: Tue, 8 May 2018 18:12:41 -0700
+Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack
+ buffer overflow when realpath() input length is close to SSIZE_MAX.
+
+2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #22786]
+	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
+	computation.
+	* stdlib/Makefile (test-bz22786): New test.
+	* stdlib/test-bz22786.c: New test.
+
+CVE: CVE-2018-11236
+Upstream-Status: Backport
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ ChangeLog             |  8 +++++
+ stdlib/Makefile       |  2 +-
+ stdlib/canonicalize.c |  2 +-
+ stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 100 insertions(+), 2 deletions(-)
+ create mode 100644 stdlib/test-bz22786.c
+
+diff --git a/ChangeLog b/ChangeLog
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,11 @@
++2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
++
++	[BZ #22786]
++	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
++	computation.
++	* stdlib/Makefile (test-bz22786): New test.
++	* stdlib/test-bz22786.c: New test.
++
+ 2018-03-23  Andrew Senkevich  <andrew.senkevich@intel.com>
+ 	    Max Horn  <max@quendi.de>
+ 
+diff --git a/stdlib/Makefile b/stdlib/Makefile
+index af1643c..1ddb1f9 100644
+--- a/stdlib/Makefile
++++ b/stdlib/Makefile
+@@ -84,7 +84,7 @@ tests		:= tst-strtol tst-strtod testmb testrand testsort testdiv   \
+ 		   tst-cxa_atexit tst-on_exit test-atexit-race 		    \
+ 		   test-at_quick_exit-race test-cxa_atexit-race             \
+ 		   test-on_exit-race test-dlclose-exit-race 		    \
+-		   tst-makecontext-align
++		   tst-makecontext-align test-bz22786
+ 
+ tests-internal	:= tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \
+ 		   tst-tls-atexit tst-tls-atexit-nodelete
+diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
+index 4135f3f..390fb43 100644
+--- a/stdlib/canonicalize.c
++++ b/stdlib/canonicalize.c
+@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
+ 		extra_buf = __alloca (path_max);
+ 
+ 	      len = strlen (end);
+-	      if ((long int) (n + len) >= path_max)
++	      if (path_max - n <= len)
+ 		{
+ 		  __set_errno (ENAMETOOLONG);
+ 		  goto error;
+diff --git a/stdlib/test-bz22786.c b/stdlib/test-bz22786.c
+new file mode 100644
+index 0000000..e7837f9
+--- /dev/null
++++ b/stdlib/test-bz22786.c
+@@ -0,0 +1,90 @@
++/* Bug 22786: test for buffer overflow in realpath.
++   Copyright (C) 2018 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++/* This file must be run from within a directory called "stdlib".  */
++
++#include <errno.h>
++#include <limits.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <support/test-driver.h>
++#include <libc-diag.h>
++
++static int
++do_test (void)
++{
++  const char dir[] = "bz22786";
++  const char lnk[] = "bz22786/symlink";
++
++  rmdir (dir);
++  if (mkdir (dir, 0755) != 0 && errno != EEXIST)
++    {
++      printf ("mkdir %s: %m\n", dir);
++      return EXIT_FAILURE;
++    }
++  if (symlink (".", lnk) != 0 && errno != EEXIST)
++    {
++      printf ("symlink (%s, %s): %m\n", dir, lnk);
++      return EXIT_FAILURE;
++    }
++
++  const size_t path_len = (size_t) INT_MAX + 1;
++
++  DIAG_PUSH_NEEDS_COMMENT;
++#if __GNUC_PREREQ (7, 0)
++  /* GCC 7 warns about too-large allocations; here we need such
++     allocation to succeed for the test to work.  */
++  DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than=");
++#endif
++  char *path = malloc (path_len);
++  DIAG_POP_NEEDS_COMMENT;
++
++  if (path == NULL)
++    {
++      printf ("malloc (%zu): %m\n", path_len);
++      return EXIT_UNSUPPORTED;
++    }
++
++  /* Construct very long path = "bz22786/symlink/aaaa....."  */
++  char *p = mempcpy (path, lnk, sizeof (lnk) - 1);
++  *(p++) = '/';
++  memset (p, 'a', path_len - (path - p) - 2);
++  p[path_len - (path - p) - 1] = '\0';
++
++  /* This call crashes before the fix for bz22786 on 32-bit platforms.  */
++  p = realpath (path, NULL);
++
++  if (p != NULL || errno != ENAMETOOLONG)
++    {
++      printf ("realpath: %s (%m)", p);
++      return EXIT_FAILURE;
++    }
++
++  /* Cleanup.  */
++  unlink (lnk);
++  rmdir (dir);
++
++  return 0;
++}
++
++#define TEST_FUNCTION do_test
++#include <support/test-driver.c>
+-- 
+2.9.3
diff --git a/poky/meta/recipes-core/glibc/glibc_2.27.bb b/poky/meta/recipes-core/glibc/glibc_2.27.bb
index c814798..22a9881 100644
--- a/poky/meta/recipes-core/glibc/glibc_2.27.bb
+++ b/poky/meta/recipes-core/glibc/glibc_2.27.bb
@@ -45,6 +45,8 @@
            file://0028-bits-siginfo-consts.h-enum-definition-for-TRAP_HWBKP.patch \
            file://0029-Replace-strncpy-with-memccpy-to-fix-Wstringop-trunca.patch \
            file://0030-plural_c_no_preprocessor_lines.patch \
+           file://CVE-2017-18269.patch \
+           file://CVE-2018-11236.patch \
 "
 
 NATIVESDKFIXES ?= ""
diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index db2f58d..1e78f4f 100644
--- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -22,7 +22,7 @@
 
 inherit core-image module-base setuptools3
 
-SRCREV ?= "14d62d5c14e3552f2aeabdbd80d1504bb2c6ed64"
+SRCREV ?= "2464dd404041a7a00b18e42950cbf4719180141d"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=sumo \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \
diff --git a/poky/meta/recipes-core/initrdscripts/files/init-install.sh b/poky/meta/recipes-core/initrdscripts/files/init-install.sh
index 28e8f09..e715796 100644
--- a/poky/meta/recipes-core/initrdscripts/files/init-install.sh
+++ b/poky/meta/recipes-core/initrdscripts/files/init-install.sh
@@ -302,6 +302,8 @@
     GRUBCFG="/boot/grub/grub.cfg"
     mkdir -p $(dirname $GRUBCFG)
     cat >$GRUBCFG <<_EOF
+timeout=5
+default=0
 menuentry "Linux" {
     search --no-floppy --fs-uuid $boot_uuid --set root
     linux /$kernel root=PARTUUID=$root_part_uuid $rootwait rw $5 $3 $4 quiet
diff --git a/poky/meta/recipes-core/initscripts/initscripts-1.0/mountnfs.sh b/poky/meta/recipes-core/initscripts/initscripts-1.0/mountnfs.sh
index fe6c196..be9f597 100755
--- a/poky/meta/recipes-core/initscripts/initscripts-1.0/mountnfs.sh
+++ b/poky/meta/recipes-core/initscripts/initscripts-1.0/mountnfs.sh
@@ -67,9 +67,12 @@
 then
 	if test -x /usr/sbin/rpcbind
 	then
-		echo -n "Starting rpcbind... "
-		start-stop-daemon --start --quiet --exec /usr/sbin/rpcbind
-		sleep 2
+		service rpcbind status > /dev/null
+		if [ $? != 0 ]; then
+			echo -n "Starting rpcbind..."
+			start-stop-daemon --start --quiet --exec /usr/sbin/rpcbind
+			sleep 2
+		fi
 	fi
 fi
 
diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.7.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.7.bb
index 2fb90a6..deb3488 100644
--- a/poky/meta/recipes-core/libxml/libxml2_2.9.7.bb
+++ b/poky/meta/recipes-core/libxml/libxml2_2.9.7.bb
@@ -44,7 +44,12 @@
 
 RDEPENDS_${PN}-python += "${@bb.utils.contains('PACKAGECONFIG', 'python', 'python3-core', '', d)}"
 
-RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-gconv-ebcdic-us glibc-gconv-ibm1141 glibc-gconv-iso8859-5"
+RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-gconv-ebcdic-us \
+                                           glibc-gconv-ibm1141 \
+                                           glibc-gconv-iso8859-5 \
+                                           glibc-gconv-euc-jp \
+                                           locale-base-en-us \
+                                         "
 
 export PYTHON_SITE_PACKAGES="${PYTHON_SITEPACKAGES_DIR}"
 
diff --git a/poky/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch b/poky/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
new file mode 100644
index 0000000..342fcc6
--- /dev/null
+++ b/poky/meta/recipes-core/ovmf/ovmf/0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch
@@ -0,0 +1,71 @@
+From 9fce4bab014b9aa618060eba13d6dd04b0fa1b70 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 2 Mar 2018 17:11:52 +0100
+Subject: [PATCH 1/4] BaseTools/header.makefile: add "-Wno-stringop-truncation"
+
+gcc-8 (which is part of Fedora 28) enables the new warning
+"-Wstringop-truncation" in "-Wall". This warning is documented in detail
+at <https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
+introduction says
+
+> Warn for calls to bounded string manipulation functions such as strncat,
+> strncpy, and stpncpy that may either truncate the copied string or leave
+> the destination unchanged.
+
+It breaks the BaseTools build with:
+
+> EfiUtilityMsgs.c: In function 'PrintMessage':
+> EfiUtilityMsgs.c:484:9: error: 'strncat' output may be truncated copying
+> between 0 and 511 bytes from a string of length 511
+> [-Werror=stringop-truncation]
+>          strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
+>          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+> EfiUtilityMsgs.c:469:9: error: 'strncat' output may be truncated copying
+> between 0 and 511 bytes from a string of length 511
+> [-Werror=stringop-truncation]
+>          strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
+>          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+> EfiUtilityMsgs.c:511:5: error: 'strncat' output may be truncated copying
+> between 0 and 511 bytes from a string of length 511
+> [-Werror=stringop-truncation]
+>      strncat (Line, Line2, MAX_LINE_LEN - strlen (Line) - 1);
+>      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The right way to fix the warning would be to implement string concat with
+snprintf(). However, Microsoft does not appear to support snprintf()
+before VS2015
+<https://stackoverflow.com/questions/2915672/snprintf-and-visual-studio-2010>,
+so we just have to shut up the warning. The strncat() calls flagged above
+are valid BTW.
+
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Cole Robinson <crobinso@redhat.com>
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <liming.gao@intel.com>
+---
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Backport
+
+ BaseTools/Source/C/Makefiles/header.makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: git/BaseTools/Source/C/Makefiles/header.makefile
+===================================================================
+--- git.orig/BaseTools/Source/C/Makefiles/header.makefile
++++ git/BaseTools/Source/C/Makefiles/header.makefile
+@@ -47,9 +47,9 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
+ BUILD_CPPFLAGS += $(INCLUDE) -O2
+ ifeq ($(DARWIN),Darwin)
+ # assume clang or clang compatible flags on OS X
+-BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
++BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-self-assign -Wno-unused-result -nostdlib -c -g
+ else
+-BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-unused-result -nostdlib -c -g
++BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-unused-result -nostdlib -c -g
+ endif
+ BUILD_LFLAGS = $(LDFLAGS)
+ BUILD_CXXFLAGS += -Wno-unused-result
diff --git a/poky/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch b/poky/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
new file mode 100644
index 0000000..a076665
--- /dev/null
+++ b/poky/meta/recipes-core/ovmf/ovmf/0002-BaseTools-header.makefile-add-Wno-restrict.patch
@@ -0,0 +1,102 @@
+From 86dbdac5a25bd23deb4a0e0a97b527407e02184d Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 2 Mar 2018 17:11:52 +0100
+Subject: [PATCH 2/4] BaseTools/header.makefile: add "-Wno-restrict"
+
+gcc-8 (which is part of Fedora 28) enables the new warning
+"-Wrestrict" in "-Wall". This warning is documented in detail
+at <https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
+introduction says
+
+> Warn when an object referenced by a restrict-qualified parameter (or, in
+> C++, a __restrict-qualified parameter) is aliased by another argument,
+> or when copies between such objects overlap.
+
+It breaks the BaseTools build (in the Brotli compression library) with:
+
+> In function 'ProcessCommandsInternal',
+>     inlined from 'ProcessCommands' at dec/decode.c:1828:10:
+> dec/decode.c:1781:9: error: 'memcpy' accessing between 17 and 2147483631
+> bytes at offsets 16 and 16 overlaps between 17 and 2147483631 bytes at
+> offset 16 [-Werror=restrict]
+>          memcpy(copy_dst + 16, copy_src + 16, (size_t)(i - 16));
+>          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+> In function 'ProcessCommandsInternal',
+>     inlined from 'SafeProcessCommands' at dec/decode.c:1833:10:
+> dec/decode.c:1781:9: error: 'memcpy' accessing between 17 and 2147483631
+> bytes at offsets 16 and 16 overlaps between 17 and 2147483631 bytes at
+> offset 16 [-Werror=restrict]
+>          memcpy(copy_dst + 16, copy_src + 16, (size_t)(i - 16));
+>          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Paolo Bonzini <pbonzini@redhat.com> analyzed the Brotli source in detail,
+and concluded that the warning is a false positive:
+
+> This seems safe to me, because it's preceded by:
+>
+>     uint8_t* copy_dst = &s->ringbuffer[pos];
+>     uint8_t* copy_src = &s->ringbuffer[src_start];
+>     int dst_end = pos + i;
+>     int src_end = src_start + i;
+>     if (src_end > pos && dst_end > src_start) {
+>       /* Regions intersect. */
+>       goto CommandPostWrapCopy;
+>     }
+>
+> If [src_start, src_start + i) and [pos, pos + i) don't intersect, then
+> neither do [src_start + 16, src_start + i) and [pos + 16, pos + i).
+>
+> The if seems okay:
+>
+>        (src_start + i > pos && pos + i > src_start)
+>
+> which can be rewritten to:
+>
+>        (pos < src_start + i && src_start < pos + i)
+>
+> Then the numbers are in one of these two orders:
+>
+>      pos <= src_start < pos + i <= src_start + i
+>      src_start <= pos < src_start + i <= pos + i
+>
+> These two would be allowed by the "if", but they can only happen if pos
+> == src_start so they degenerate to the same two orders above:
+>
+>      pos <= src_start < src_start + i <= pos + i
+>      src_start <= pos < pos + i <= src_start + i
+>
+> So it is a false positive in GCC.
+
+Disable the warning for now.
+
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Cole Robinson <crobinso@redhat.com>
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Reported-by: Cole Robinson <crobinso@redhat.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <liming.gao@intel.com>
+---
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Backport
+ BaseTools/Source/C/Makefiles/header.makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: git/BaseTools/Source/C/Makefiles/header.makefile
+===================================================================
+--- git.orig/BaseTools/Source/C/Makefiles/header.makefile
++++ git/BaseTools/Source/C/Makefiles/header.makefile
+@@ -47,9 +47,9 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
+ BUILD_CPPFLAGS += $(INCLUDE) -O2
+ ifeq ($(DARWIN),Darwin)
+ # assume clang or clang compatible flags on OS X
+-BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-self-assign -Wno-unused-result -nostdlib -c -g
++BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-self-assign -Wno-unused-result -nostdlib -c -g
+ else
+-BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-unused-result -nostdlib -c -g
++BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -c -g
+ endif
+ BUILD_LFLAGS = $(LDFLAGS)
+ BUILD_CXXFLAGS += -Wno-unused-result
diff --git a/poky/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch b/poky/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
new file mode 100644
index 0000000..920723e
--- /dev/null
+++ b/poky/meta/recipes-core/ovmf/ovmf/0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch
@@ -0,0 +1,53 @@
+From 6866325dd9c17412e555974dde41f9631224db52 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 7 Mar 2018 10:17:28 +0100
+Subject: [PATCH 3/4] BaseTools/header.makefile: revert gcc-8 "-Wno-xxx"
+ options on OSX
+
+I recently added the gcc-8 specific "-Wno-stringop-truncation" and
+"-Wno-restrict" options to BUILD_CFLAGS, both for "Darwin" (XCODE5 /
+clang, OSX) and otherwise (gcc, Linux / Cygwin).
+
+I also regression-tested the change with gcc-4.8 on Linux -- gcc-4.8 does
+not know either of the (gcc-8 specific) "-Wno-stringop-truncation" and
+"-Wno-restrict" options, yet the build completed fine (by GCC design).
+
+Regarding OSX, my expectation was that
+
+- XCODE5 / clang would either recognize these warnings options (because
+  clang does recognize most -W options of gcc),
+
+- or, similarly to gcc, clang would simply ignore the "-Wno-xxx" flags
+  that it didn't recognize.
+
+Neither is the case; the new flags have broken the BaseTools build on OSX.
+Revert them (for OSX only).
+
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Reported-by: Liming Gao <liming.gao@intel.com>
+Fixes: 1d212a83df0eaf32a6f5d4159beb2d77832e0231
+Fixes: 9222154ae7b3eef75ae88cdb56158256227cb929
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <liming.gao@intel.com>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+---
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Backport
+ BaseTools/Source/C/Makefiles/header.makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/BaseTools/Source/C/Makefiles/header.makefile
+===================================================================
+--- git.orig/BaseTools/Source/C/Makefiles/header.makefile
++++ git/BaseTools/Source/C/Makefiles/header.makefile
+@@ -47,7 +47,7 @@ INCLUDE = $(TOOL_INCLUDE) -I $(MAKEROOT)
+ BUILD_CPPFLAGS += $(INCLUDE) -O2
+ ifeq ($(DARWIN),Darwin)
+ # assume clang or clang compatible flags on OS X
+-BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-self-assign -Wno-unused-result -nostdlib -c -g
++BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -c -g
+ else
+ BUILD_CFLAGS += -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict -Wno-unused-result -nostdlib -c -g
+ endif
diff --git a/poky/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch b/poky/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
new file mode 100644
index 0000000..7ad7cdf
--- /dev/null
+++ b/poky/meta/recipes-core/ovmf/ovmf/0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch
@@ -0,0 +1,66 @@
+From dfb42a5bff78d9239a80731e337855234badef3e Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Fri, 2 Mar 2018 17:11:52 +0100
+Subject: [PATCH 4/4] BaseTools/GenVtf: silence false "stringop-overflow"
+ warning with memcpy()
+
+gcc-8 (which is part of Fedora 28) enables the new warning
+"-Wstringop-overflow" in "-Wall". This warning is documented in detail at
+<https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html>; the
+introduction says
+
+> Warn for calls to string manipulation functions such as memcpy and
+> strcpy that are determined to overflow the destination buffer.
+
+It breaks the BaseTools build with:
+
+> GenVtf.c: In function 'ConvertVersionInfo':
+> GenVtf.c:132:7: error: 'strncpy' specified bound depends on the length
+> of the source argument [-Werror=stringop-overflow=]
+>        strncpy (TemStr + 4 - Length, Str, Length);
+>        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+> GenVtf.c:130:14: note: length computed here
+>      Length = strlen(Str);
+>               ^~~~~~~~~~~
+
+It is a false positive because, while the bound equals the length of the
+source argument, the destination pointer is moved back towards the
+beginning of the destination buffer by the same amount (and this amount is
+range-checked first, so we can't precede the start of the dest buffer).
+
+Replace both strncpy() calls with memcpy().
+
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Cole Robinson <crobinso@redhat.com>
+Cc: Liming Gao <liming.gao@intel.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Yonghong Zhu <yonghong.zhu@intel.com>
+Reported-by: Cole Robinson <crobinso@redhat.com>
+Contributed-under: TianoCore Contribution Agreement 1.1
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <liming.gao@intel.com>
+---
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Upstream-Status: Backport
+ BaseTools/Source/C/GenVtf/GenVtf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/BaseTools/Source/C/GenVtf/GenVtf.c b/BaseTools/Source/C/GenVtf/GenVtf.c
+index 2ae9a7be2c..0cd33e71e9 100644
+--- a/BaseTools/Source/C/GenVtf/GenVtf.c
++++ b/BaseTools/Source/C/GenVtf/GenVtf.c
+@@ -129,9 +129,9 @@ Returns:
+   } else {
+     Length = strlen(Str);
+     if (Length < 4) {
+-      strncpy (TemStr + 4 - Length, Str, Length);
++      memcpy (TemStr + 4 - Length, Str, Length);
+     } else {
+-      strncpy (TemStr, Str + Length - 4, 4);
++      memcpy (TemStr, Str + Length - 4, 4);
+     }
+   
+     sscanf (
+-- 
+2.17.0
+
diff --git a/poky/meta/recipes-core/ovmf/ovmf_git.bb b/poky/meta/recipes-core/ovmf/ovmf_git.bb
index 8750b3c..e57fa09 100644
--- a/poky/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/poky/meta/recipes-core/ovmf/ovmf_git.bb
@@ -19,6 +19,10 @@
 	file://0004-ovmf-enable-long-path-file.patch \
 	file://VfrCompile-increase-path-length-limit.patch \
 	file://no-stack-protector-all-archs.patch \
+	file://0001-BaseTools-header.makefile-add-Wno-stringop-truncatio.patch \
+	file://0002-BaseTools-header.makefile-add-Wno-restrict.patch \
+	file://0003-BaseTools-header.makefile-revert-gcc-8-Wno-xxx-optio.patch \
+	file://0004-BaseTools-GenVtf-silence-false-stringop-overflow-war.patch \
         "
 UPSTREAM_VERSION_UNKNOWN = "1"
 
@@ -35,7 +39,7 @@
 
 inherit deploy
 
-PARALLEL_MAKE_class-native = ""
+PARALLEL_MAKE = ""
 
 S = "${WORKDIR}/git"
 
diff --git a/poky/meta/recipes-core/systemd/systemd_237.bb b/poky/meta/recipes-core/systemd/systemd_237.bb
index 2e6558d..a409b18 100644
--- a/poky/meta/recipes-core/systemd/systemd_237.bb
+++ b/poky/meta/recipes-core/systemd/systemd_237.bb
@@ -312,7 +312,7 @@
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /bin/nologin systemd-coredump;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'resolved', '--system -d / -M --shell /bin/nologin systemd-resolve;', '', d)}"
 USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}"
-GROUPADD_PARAM_${PN} = "-r lock; -r systemd-journal"
+GROUPADD_PARAM_${PN} = "-r systemd-journal"
 USERADD_PARAM_${PN}-extra-utils += "--system -d / -M --shell /bin/nologin systemd-bus-proxy;"
 
 FILES_${PN}-analyze = "${bindir}/systemd-analyze"
diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.30.inc b/poky/meta/recipes-devtools/binutils/binutils-2.30.inc
index 9c883ac..37243db 100644
--- a/poky/meta/recipes-devtools/binutils/binutils-2.30.inc
+++ b/poky/meta/recipes-devtools/binutils/binutils-2.30.inc
@@ -35,6 +35,18 @@
      file://0013-fix-the-incorrect-assembling-for-ppc-wait-mnemonic.patch \
      file://0014-Detect-64-bit-MIPS-targets.patch \
      file://0015-sync-with-OE-libtool-changes.patch \
+     file://CVE-2018-8945.patch \
+     file://CVE-2018-7643.patch \
+     file://CVE-2018-6872.patch \ 
+     file://CVE-2018-6759.patch \
+     file://CVE-2018-7642.patch \
+     file://CVE-2018-7208.patch \
+     file://CVE-2018-7569.patch \
+     file://CVE-2018-7568.patch \
+     file://CVE-2018-10373.patch \
+     file://CVE-2018-10372.patch \
+     file://CVE-2018-10535.patch \
+     file://CVE-2018-10534.patch \
 "
 S  = "${WORKDIR}/git"
 
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10372.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10372.patch
new file mode 100644
index 0000000..053e9d8
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10372.patch
@@ -0,0 +1,58 @@
+From 6aea08d9f3e3d6475a65454da488a0c51f5dc97d Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 17 Apr 2018 12:35:55 +0100
+Subject: [PATCH] Fix illegal memory access when parsing corrupt DWARF
+ information.
+
+	PR 23064
+	* dwarf.c (process_cu_tu_index): Test for a potential buffer
+	overrun before copying signature pointer.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-10372
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/dwarf.c   | 13 ++++++++++++-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
++++ git/binutils/dwarf.c
+@@ -9252,7 +9252,18 @@ process_cu_tu_index (struct dwarf_sectio
+ 		}
+ 
+ 	      if (!do_display)
+-		memcpy (&this_set[row - 1].signature, ph, sizeof (uint64_t));
++		{
++		  size_t num_copy = sizeof (uint64_t);
++
++		  /* PR 23064: Beware of buffer overflow.  */
++		  if (ph + num_copy < limit)
++		    memcpy (&this_set[row - 1].signature, ph, num_copy);
++		  else
++		    {
++		      warn (_("Signature (%p) extends beyond end of space in section\n"), ph);
++		      return 0;
++		    }
++		}
+ 
+ 	      prow = poffsets + (row - 1) * ncols * 4;
+ 	      /* PR 17531: file: b8ce60a8.  */
+Index: git/binutils/ChangeLog
+===================================================================
+--- git.orig/binutils/ChangeLog
++++ git/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2018-04-17  Nick Clifton  <nickc@redhat.com>
++
++       PR 23064
++       * dwarf.c (process_cu_tu_index): Test for a potential buffer
++       overrun before copying signature pointer.
++
+ 2018-01-27  Nick Clifton  <nickc@redhat.com>
+ 
+ 	Back to development.
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10373.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10373.patch
new file mode 100644
index 0000000..d547cf1
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10373.patch
@@ -0,0 +1,45 @@
+From 6327533b1fd29fa86f6bf34e61c332c010e3c689 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 17 Apr 2018 14:30:07 +0100
+Subject: [PATCH] Add a check for a NULL table pointer before attempting to
+ compute a DWARF filename.
+
+	PR 23065
+	* dwarf2.c (concat_filename): Check for a NULL table pointer.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-10373
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/dwarf2.c  | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -1565,7 +1565,7 @@ concat_filename (struct line_info_table
+ {
+   char *filename;
+ 
+-  if (file - 1 >= table->num_files)
++  if (table == NULL || file - 1 >= table->num_files)
+     {
+       /* FILE == 0 means unknown.  */
+       if (file)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2018-04-17  Nick Clifton  <nickc@redhat.com>
++
++       PR 23065
++       * dwarf2.c (concat_filename): Check for a NULL table pointer.
++
+ 2018-01-29  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22741
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10534.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10534.patch
new file mode 100644
index 0000000..6847020
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10534.patch
@@ -0,0 +1,3429 @@
+From aa4a8c2a2a67545e90c877162c53cc9de42dc8b4 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 24 Apr 2018 16:31:27 +0100
+Subject: [PATCH] Fix an illegal memory access when copying a PE format file
+ with corrupt debug information.
+
+	PR 23110
+	* peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Check for
+	a negative PE_DEBUG_DATA size before iterating over the debug data.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-10534
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog  |    6 +
+ bfd/peXXigen.c |    9 +
+ bfd/po/bfd.pot | 5631 ++++++++++++++++++++++++++------------------------------
+ 3 files changed, 2662 insertions(+), 2984 deletions(-)
+
+Index: git/bfd/peXXigen.c
+===================================================================
+--- git.orig/bfd/peXXigen.c
++++ git/bfd/peXXigen.c
+@@ -2991,6 +2991,15 @@ _bfd_XX_bfd_copy_private_bfd_data_common
+ 				  bfd_get_section_size (section) - (addr - section->vma));
+ 	      return FALSE;
+ 	    }
++	  /* PR 23110.  */
++	  else if (ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size < 0)
++	    {
++	      /* xgettext:c-format */
++	      _bfd_error_handler
++		(_("%pB: Data Directory size (%#lx) is negative"),
++		 obfd, ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size);
++	      return FALSE;
++	    }
+ 
+ 	  for (i = 0; i < ope->pe_opthdr.DataDirectory[PE_DEBUG_DATA].Size
+ 		 / sizeof (struct external_IMAGE_DEBUG_DIRECTORY); i++)
+Index: git/bfd/po/bfd.pot
+===================================================================
+--- git.orig/bfd/po/bfd.pot
++++ git/bfd/po/bfd.pot
+@@ -18,175 +18,214 @@ msgstr ""
+ "Content-Transfer-Encoding: 8bit\n"
+ "Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\n"
+ 
+-#: aout-adobe.c:126
+-#, c-format
+-msgid "%B: Unknown section type in a.out.adobe file: %x\n"
+-msgstr ""
+-
+ #: aout-cris.c:200
+ #, c-format
+-msgid "%B: Invalid relocation type exported: %d"
++msgid "%pB: unsupported relocation type exported: %#x"
+ msgstr ""
+ 
+ #: aout-cris.c:244
+ #, c-format
+-msgid "%B: Invalid relocation type imported: %d"
++msgid "%pB: unsupported relocation type imported: %#x"
+ msgstr ""
+ 
+ #: aout-cris.c:256
+ #, c-format
+-msgid "%B: Bad relocation record imported: %d"
++msgid "%pB: bad relocation record imported: %d"
+ msgstr ""
+ 
+-#: aoutx.h:1284 aoutx.h:1636 pdp11.c:1152 pdp11.c:1413
++#: aoutx.h:1264 aoutx.h:1617 pdp11.c:1138 pdp11.c:1399
+ #, c-format
+-msgid "%B: can not represent section `%A' in a.out object file format"
++msgid "%pB: can not represent section `%pA' in a.out object file format"
+ msgstr ""
+ 
+-#: aoutx.h:1600 pdp11.c:1385
++#: aoutx.h:1581 pdp11.c:1371
+ #, c-format
+ msgid ""
+-"%B: can not represent section for symbol `%s' in a.out object file format"
++"%pB: can not represent section for symbol `%s' in a.out object file format"
+ msgstr ""
+ 
+-#: aoutx.h:1603 vms-alpha.c:7853
++#: aoutx.h:1584 vms-alpha.c:7854
+ msgid "*unknown*"
+ msgstr ""
+ 
+-#: aoutx.h:2422 aoutx.h:2440
+-msgid "%B: attempt to write out unknown reloc type"
++#: aoutx.h:1720
++#, c-format
++msgid "%pB: invalid string offset %<PRIu64> >= %<PRIu64>"
+ msgstr ""
+ 
+-#: aoutx.h:4093 aoutx.h:4414
+-msgid "%P: %B: unexpected relocation type\n"
++#: aoutx.h:2411 aoutx.h:2429
++#, c-format
++msgid "%pB: attempt to write out unknown reloc type"
+ msgstr ""
+ 
+-#: aoutx.h:5440 pdp11.c:3708
++#: aoutx.h:4084
+ #, c-format
+-msgid "%B: relocatable link from %s to %s not supported"
++msgid "%pB: unsupported relocation type"
+ msgstr ""
+ 
+-#: archive.c:2305
+-msgid "Warning: writing archive was slow: rewriting timestamp\n"
++#. Unknown relocation.
++#: aoutx.h:4405 coff-alpha.c:601 coff-alpha.c:1514 coff-rs6000.c:2773
++#: coff-sh.c:504 coff-tic4x.c:184 coff-tic54x.c:279 elf-hppa.h:1040
++#: elf-hppa.h:1068 elf-m10200.c:226 elf-m10300.c:812 elf32-arc.c:519
++#: elf32-arm.c:1852 elf32-avr.c:959 elf32-bfin.c:1061 elf32-bfin.c:4698
++#: elf32-cr16.c:653 elf32-cr16.c:683 elf32-cr16c.c:186 elf32-cris.c:467
++#: elf32-crx.c:429 elf32-d10v.c:234 elf32-d30v.c:522 elf32-d30v.c:544
++#: elf32-dlx.c:548 elf32-epiphany.c:376 elf32-fr30.c:381 elf32-frv.c:2558
++#: elf32-frv.c:6262 elf32-ft32.c:306 elf32-h8300.c:302 elf32-i386.c:401
++#: elf32-ip2k.c:1245 elf32-iq2000.c:442 elf32-lm32.c:539 elf32-m32c.c:305
++#: elf32-m32r.c:1286 elf32-m32r.c:1311 elf32-m32r.c:2417 elf32-m68hc11.c:390
++#: elf32-m68hc12.c:510 elf32-m68k.c:352 elf32-mcore.c:354 elf32-mcore.c:440
++#: elf32-mep.c:389 elf32-metag.c:878 elf32-microblaze.c:692
++#: elf32-microblaze.c:969 elf32-mips.c:2229 elf32-moxie.c:137
++#: elf32-msp430.c:648 elf32-msp430.c:658 elf32-mt.c:241 elf32-nds32.c:2880
++#: elf32-nds32.c:2904 elf32-nds32.c:4423 elf32-nios2.c:3015 elf32-or1k.c:715
++#: elf32-pj.c:325 elf32-ppc.c:2061 elf32-ppc.c:2074 elf32-pru.c:420
++#: elf32-rl78.c:292 elf32-rx.c:314 elf32-rx.c:323 elf32-s390.c:347
++#: elf32-sh.c:438 elf32-spu.c:160 elf32-tic6x.c:1508 elf32-tic6x.c:1518
++#: elf32-tic6x.c:1537 elf32-tic6x.c:1547 elf32-tic6x.c:2642 elf32-tilepro.c:803
++#: elf32-v850.c:1899 elf32-v850.c:1921 elf32-v850.c:4270 elf32-vax.c:290
++#: elf32-visium.c:482 elf32-wasm32.c:106 elf32-xc16x.c:241 elf32-xgate.c:428
++#: elf32-xstormy16.c:395 elf32-xtensa.c:454 elf32-xtensa.c:488
++#: elf64-alpha.c:1112 elf64-alpha.c:4101 elf64-alpha.c:4249
++#: elf64-ia64-vms.c:254 elf64-ia64-vms.c:3440 elf64-mips.c:3623
++#: elf64-mips.c:3639 elf64-mmix.c:1264 elf64-ppc.c:2281 elf64-ppc.c:2555
++#: elf64-ppc.c:2564 elf64-s390.c:328 elf64-s390.c:378 elf64-x86-64.c:285
++#: elfn32-mips.c:3451 elfxx-ia64.c:325 elfxx-riscv.c:955 elfxx-sparc.c:589
++#: elfxx-sparc.c:639 elfxx-sparc.c:661 elfxx-tilegx.c:912 elfxx-tilegx.c:952
++#: /work/sources/binutils/current/bfd/elfnn-aarch64.c:2126
++#: /work/sources/binutils/current/bfd/elfnn-aarch64.c:2224 elf32-ia64.c:211
++#: elf32-ia64.c:3863 elf64-ia64.c:211 elf64-ia64.c:3863
++#, c-format
++msgid "%pB: unsupported relocation type %#x"
++msgstr ""
++
++#: aoutx.h:5432 pdp11.c:3694
++#, c-format
++msgid "%pB: relocatable link from %s to %s not supported"
++msgstr ""
++
++#: archive.c:2216
++msgid "warning: writing archive was slow: rewriting timestamp"
+ msgstr ""
+ 
+-#: archive.c:2421 linker.c:1410
+-msgid "%B: plugin needed to handle lto object"
++#: archive.c:2332 linker.c:1416
++#, c-format
++msgid "%pB: plugin needed to handle lto object"
+ msgstr ""
+ 
+-#: archive.c:2650
++#: archive.c:2561
+ msgid "Reading archive file mod timestamp"
+ msgstr ""
+ 
+-#: archive.c:2674
++#: archive.c:2585
+ msgid "Writing updated armap timestamp"
+ msgstr ""
+ 
++#: bfd.c:448
++msgid "no error"
++msgstr ""
++
++#: bfd.c:449
++msgid "system call error"
++msgstr ""
++
++#: bfd.c:450
++msgid "invalid bfd target"
++msgstr ""
++
++#: bfd.c:451
++msgid "file in wrong format"
++msgstr ""
++
++#: bfd.c:452
++msgid "archive object file in wrong format"
++msgstr ""
++
++#: bfd.c:453
++msgid "invalid operation"
++msgstr ""
++
+ #: bfd.c:454
+-msgid "No error"
++msgid "memory exhausted"
+ msgstr ""
+ 
+ #: bfd.c:455
+-msgid "System call error"
++msgid "no symbols"
+ msgstr ""
+ 
+ #: bfd.c:456
+-msgid "Invalid bfd target"
++msgid "archive has no index; run ranlib to add one"
+ msgstr ""
+ 
+ #: bfd.c:457
+-msgid "File in wrong format"
++msgid "no more archived files"
+ msgstr ""
+ 
+ #: bfd.c:458
+-msgid "Archive object file in wrong format"
++msgid "malformed archive"
+ msgstr ""
+ 
+ #: bfd.c:459
+-msgid "Invalid operation"
++msgid "DSO missing from command line"
+ msgstr ""
+ 
+ #: bfd.c:460
+-msgid "Memory exhausted"
++msgid "file format not recognized"
+ msgstr ""
+ 
+ #: bfd.c:461
+-msgid "No symbols"
++msgid "file format is ambiguous"
+ msgstr ""
+ 
+ #: bfd.c:462
+-msgid "Archive has no index; run ranlib to add one"
++msgid "section has no contents"
+ msgstr ""
+ 
+ #: bfd.c:463
+-msgid "No more archived files"
++msgid "nonrepresentable section on output"
+ msgstr ""
+ 
+ #: bfd.c:464
+-msgid "Malformed archive"
++msgid "symbol needs debug section which does not exist"
+ msgstr ""
+ 
+ #: bfd.c:465
+-msgid "DSO missing from command line"
++msgid "bad value"
+ msgstr ""
+ 
+ #: bfd.c:466
+-msgid "File format not recognized"
++msgid "file truncated"
+ msgstr ""
+ 
+ #: bfd.c:467
+-msgid "File format is ambiguous"
++msgid "file too big"
+ msgstr ""
+ 
+ #: bfd.c:468
+-msgid "Section has no contents"
+-msgstr ""
+-
+-#: bfd.c:469
+-msgid "Nonrepresentable section on output"
+-msgstr ""
+-
+-#: bfd.c:470
+-msgid "Symbol needs debug section which does not exist"
+-msgstr ""
+-
+-#: bfd.c:471
+-msgid "Bad value"
+-msgstr ""
+-
+-#: bfd.c:472
+-msgid "File truncated"
+-msgstr ""
+-
+-#: bfd.c:473
+-msgid "File too big"
+-msgstr ""
+-
+-#: bfd.c:474
+ #, c-format
+-msgid "Error reading %s: %s"
++msgid "error reading %s: %s"
+ msgstr ""
+ 
+-#: bfd.c:475
+-msgid "#<Invalid error code>"
++#: bfd.c:469
++msgid "#<invalid error code>"
+ msgstr ""
+ 
+-#: bfd.c:1442
++#: bfd.c:1416
+ #, c-format
+ msgid "BFD %s assertion fail %s:%d"
+ msgstr ""
+ 
+-#: bfd.c:1455
++#: bfd.c:1429
+ #, c-format
+ msgid "BFD %s internal error, aborting at %s:%d in %s\n"
+ msgstr ""
+ 
+-#: bfd.c:1460
++#: bfd.c:1434
+ #, c-format
+ msgid "BFD %s internal error, aborting at %s:%d\n"
+ msgstr ""
+ 
+-#: bfd.c:1462
++#: bfd.c:1436
+ msgid "Please report this bug.\n"
+ msgstr ""
+ 
+@@ -332,7 +371,7 @@ msgstr ""
+ msgid "private flags = %x:"
+ msgstr ""
+ 
+-#: coff-arm.c:2306 elf32-arm.c:14160
++#: coff-arm.c:2306 elf32-arm.c:14191
+ #, c-format
+ msgid " [floats passed in float registers]"
+ msgstr ""
+@@ -342,7 +381,7 @@ msgstr ""
+ msgid " [floats passed in integer registers]"
+ msgstr ""
+ 
+-#: coff-arm.c:2311 elf32-arm.c:14163
++#: coff-arm.c:2311 elf32-arm.c:14194
+ #, c-format
+ msgid " [position independent]"
+ msgstr ""
+@@ -2565,224 +2604,180 @@ msgstr ""
+ msgid "ip2k relaxer: switch table header corrupt."
+ msgstr ""
+ 
+-#: elf32-ip2k.c:1245
+-#, c-format
+-msgid "%B: invalid IP2K reloc number: %d"
+-msgstr ""
+-
+-#: elf32-ip2k.c:1298
+-#, c-format
+-msgid "ip2k linker: missing page instruction at %#Lx (dest = %#Lx)"
+-msgstr ""
+-
+-#: elf32-ip2k.c:1315
+-#, c-format
+-msgid "ip2k linker: redundant page instruction at %#Lx (dest = %#Lx)"
+-msgstr ""
+-
+-#: elf32-iq2000.c:441
++#: elf32-ip2k.c:1302
+ #, c-format
+-msgid "%B: invalid IQ2000 reloc number: %d"
++msgid "ip2k linker: missing page instruction at %#<PRIx64> (dest = %#<PRIx64>)"
+ msgstr ""
+ 
+-#: elf32-lm32.c:539
++#: elf32-ip2k.c:1321
+ #, c-format
+-msgid "%B: invalid LM32 reloc number: %d"
++msgid ""
++"ip2k linker: redundant page instruction at %#<PRIx64> (dest = %#<PRIx64>)"
+ msgstr ""
+ 
+-#: elf32-lm32.c:648 elf32-nios2.c:3133
++#: elf32-lm32.c:651 elf32-nios2.c:3141
+ msgid "global pointer relative relocation when _gp not defined"
+ msgstr ""
+ 
+-#: elf32-lm32.c:703 elf32-nios2.c:3570
++#: elf32-lm32.c:706 elf32-nios2.c:3578
+ msgid "global pointer relative address out of range"
+ msgstr ""
+ 
+-#: elf32-lm32.c:998
+-msgid "internal error: addend should be zero for R_LM32_16_GOT"
+-msgstr ""
+-
+-#: elf32-m32c.c:306
++#: elf32-lm32.c:1002 elf32-or1k.c:968
+ #, c-format
+-msgid "%B: invalid M32C reloc number: %d"
++msgid "internal error: addend should be zero for %s"
+ msgstr ""
+ 
+-#: elf32-m32r.c:1286
+-#, c-format
+-msgid "%B: invalid M32R reloc number: %d"
+-msgstr ""
+-
+-#: elf32-m32r.c:1458
++#: elf32-m32r.c:1471
+ msgid "SDA relocation when _SDA_BASE_ not defined"
+ msgstr ""
+ 
+-#: elf32-m32r.c:2971 elf32-microblaze.c:1064 elf32-microblaze.c:1112
++#: elf32-m32r.c:2984 elf32-microblaze.c:1101 elf32-microblaze.c:1149
+ #, c-format
+-msgid "%B: The target (%s) of an %s relocation is in the wrong section (%A)"
++msgid "%pB: the target (%s) of an %s relocation is in the wrong section (%pA)"
+ msgstr ""
+ 
+-#: elf32-m32r.c:3473
+-msgid "%B: Instruction set mismatch with previous modules"
++#: elf32-m32r.c:3487
++#, c-format
++msgid "%pB: instruction set mismatch with previous modules"
+ msgstr ""
+ 
+-#: elf32-m32r.c:3494 elf32-nds32.c:6037
++#: elf32-m32r.c:3508 elf32-nds32.c:6010
+ #, c-format
+ msgid "private flags = %lx"
+ msgstr ""
+ 
+-#: elf32-m32r.c:3499
++#: elf32-m32r.c:3513
+ #, c-format
+ msgid ": m32r instructions"
+ msgstr ""
+ 
+-#: elf32-m32r.c:3500
++#: elf32-m32r.c:3514
+ #, c-format
+ msgid ": m32rx instructions"
+ msgstr ""
+ 
+-#: elf32-m32r.c:3501
++#: elf32-m32r.c:3515
+ #, c-format
+ msgid ": m32r2 instructions"
+ msgstr ""
+ 
+-#: elf32-m68hc11.c:390
+-#, c-format
+-msgid "%B: invalid M68HC11 reloc number: %d"
+-msgstr ""
+-
+-#: elf32-m68hc12.c:510
+-#, c-format
+-msgid "%B: invalid M68HC12 reloc number: %d"
+-msgstr ""
+-
+-#: elf32-m68hc1x.c:1115
++#: elf32-m68hc1x.c:1116
+ #, c-format
+ msgid ""
+-"Reference to the far symbol `%s' using a wrong relocation may result in "
++"reference to the far symbol `%s' using a wrong relocation may result in "
+ "incorrect execution"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1149
++#: elf32-m68hc1x.c:1150
+ #, c-format
+ msgid ""
+ "XGATE address (%lx) is not within shared RAM(0xE000-0xFFFF), therefore you "
+ "must manually offset the address, and possibly manage the page, in your code."
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1167
++#: elf32-m68hc1x.c:1168
+ #, c-format
+ msgid ""
+ "banked address [%lx:%04lx] (%lx) is not in the same bank as current banked "
+ "address [%lx:%04lx] (%lx)"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1183
++#: elf32-m68hc1x.c:1184
+ #, c-format
+ msgid ""
+ "reference to a banked address [%lx:%04lx] in the normal address space at "
+ "%04lx"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1224
++#: elf32-m68hc1x.c:1225
+ #, c-format
+ msgid ""
+ "S12 address (%lx) is not within shared RAM(0x2000-0x4000), therefore you "
+ "must manually offset the address in your code"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1351
++#: elf32-m68hc1x.c:1352
++#, c-format
+ msgid ""
+-"%B: linking files compiled for 16-bit integers (-mshort) and others for 32-"
++"%pB: linking files compiled for 16-bit integers (-mshort) and others for 32-"
+ "bit integers"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1358
++#: elf32-m68hc1x.c:1359
++#, c-format
+ msgid ""
+-"%B: linking files compiled for 32-bit double (-fshort-double) and others for "
+-"64-bit double"
++"%pB: linking files compiled for 32-bit double (-fshort-double) and others "
++"for 64-bit double"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1367
+-msgid "%B: linking files compiled for HCS12 with others compiled for HC12"
++#: elf32-m68hc1x.c:1368
++#, c-format
++msgid "%pB: linking files compiled for HCS12 with others compiled for HC12"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1412 elf32-xgate.c:672
++#: elf32-m68hc1x.c:1413 elf32-xgate.c:675
+ #, c-format
+ msgid "[abi=32-bit int, "
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1414 elf32-xgate.c:674
++#: elf32-m68hc1x.c:1415 elf32-xgate.c:677
+ #, c-format
+ msgid "[abi=16-bit int, "
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1417 elf32-xgate.c:677
++#: elf32-m68hc1x.c:1418 elf32-xgate.c:680
+ #, c-format
+ msgid "64-bit double, "
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1419 elf32-xgate.c:679
++#: elf32-m68hc1x.c:1420 elf32-xgate.c:682
+ #, c-format
+ msgid "32-bit double, "
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1422
++#: elf32-m68hc1x.c:1423
+ #, c-format
+ msgid "cpu=HC11]"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1424
++#: elf32-m68hc1x.c:1425
+ #, c-format
+ msgid "cpu=HCS12]"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1426
++#: elf32-m68hc1x.c:1427
+ #, c-format
+ msgid "cpu=HC12]"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1429
++#: elf32-m68hc1x.c:1430
+ #, c-format
+ msgid " [memory=bank-model]"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1431
++#: elf32-m68hc1x.c:1432
+ #, c-format
+ msgid " [memory=flat]"
+ msgstr ""
+ 
+-#: elf32-m68hc1x.c:1434
++#: elf32-m68hc1x.c:1435
+ #, c-format
+ msgid " [XGATE RAM offsetting]"
+ msgstr ""
+ 
+-#: elf32-m68k.c:1214 elf32-m68k.c:1215 vms-alpha.c:7477 vms-alpha.c:7493
++#: elf32-m68k.c:1216 elf32-m68k.c:1217 vms-alpha.c:7478 vms-alpha.c:7494
+ msgid "unknown"
+ msgstr ""
+ 
+-#: elf32-m68k.c:1658
+-#, c-format
+-msgid "%B: GOT overflow: Number of relocations with 8-bit offset > %d"
+-msgstr ""
+-
+-#: elf32-m68k.c:1665
+-#, c-format
+-msgid "%B: GOT overflow: Number of relocations with 8- or 16-bit offset > %d"
+-msgstr ""
+-
+-#: elf32-mcore.c:100 elf32-mcore.c:455
++#: elf32-m68k.c:1660
+ #, c-format
+-msgid "%B: Relocation %s (%d) is not currently supported.\n"
++msgid "%pB: GOT overflow: number of relocations with 8-bit offset > %d"
+ msgstr ""
+ 
+-#: elf32-mcore.c:355
++#: elf32-m68k.c:1667
+ #, c-format
+-msgid "%B: unrecognised MCore reloc number: %d"
+-msgstr ""
+-
+-#: elf32-mcore.c:440
+-#, c-format
+-msgid "%B: Unknown relocation type %d\n"
++msgid "%pB: GOT overflow: number of relocations with 8- or 16-bit offset > %d"
+ msgstr ""
+ 
+ #. Pacify gcc -Wall.
+@@ -5936,124 +5931,128 @@ msgstr ""
+ #. XXX code yet to be written.
+ #: peicode.h:775
+ #, c-format
+-msgid "%B: Unhandled import type; %x"
++msgid "%pB: unhandled import type; %x"
+ msgstr ""
+ 
+ #: peicode.h:781
+ #, c-format
+-msgid "%B: Unrecognised import type; %x"
++msgid "%pB: unrecognized import type; %x"
+ msgstr ""
+ 
+ #: peicode.h:796
+ #, c-format
+-msgid "%B: Unrecognised import name type; %x"
++msgid "%pB: unrecognized import name type; %x"
+ msgstr ""
+ 
+-#: peicode.h:1217
++#: peicode.h:1211
+ #, c-format
+-msgid "%B: Unrecognised machine type (0x%x) in Import Library Format archive"
++msgid "%pB: unrecognised machine type (0x%x) in Import Library Format archive"
+ msgstr ""
+ 
+-#: peicode.h:1230
++#: peicode.h:1224
+ #, c-format
+ msgid ""
+-"%B: Recognised but unhandled machine type (0x%x) in Import Library Format "
++"%pB: recognised but unhandled machine type (0x%x) in Import Library Format "
+ "archive"
+ msgstr ""
+ 
+-#: peicode.h:1248
+-msgid "%B: size field is zero in Import Library Format header"
++#: peicode.h:1242
++#, c-format
++msgid "%pB: size field is zero in Import Library Format header"
+ msgstr ""
+ 
+-#: peicode.h:1280
+-msgid "%B: string not null terminated in ILF object file."
++#: peicode.h:1274
++#, c-format
++msgid "%pB: string not null terminated in ILF object file"
+ msgstr ""
+ 
+-#: peicode.h:1335
+-msgid "%B: Error: Debug Data ends beyond end of debug directory."
++#: peicode.h:1330
++#, c-format
++msgid "%pB: error: debug data ends beyond end of debug directory"
+ msgstr ""
+ 
+-#: ppcboot.c:393
++#: ppcboot.c:392
+ #, c-format
+ msgid ""
+ "\n"
+ "ppcboot header:\n"
+ msgstr ""
+ 
+-#: ppcboot.c:394
++#: ppcboot.c:393
+ #, c-format
+ msgid "Entry offset        = 0x%.8lx (%ld)\n"
+ msgstr ""
+ 
+-#: ppcboot.c:396
++#: ppcboot.c:395
+ #, c-format
+ msgid "Length              = 0x%.8lx (%ld)\n"
+ msgstr ""
+ 
+-#: ppcboot.c:400
++#: ppcboot.c:399
+ #, c-format
+ msgid "Flag field          = 0x%.2x\n"
+ msgstr ""
+ 
+-#: ppcboot.c:406
++#: ppcboot.c:405
+ #, c-format
+ msgid "Partition name      = \"%s\"\n"
+ msgstr ""
+ 
+-#: ppcboot.c:426
++#: ppcboot.c:425
+ #, c-format
+ msgid ""
+ "\n"
+ "Partition[%d] start  = { 0x%.2x, 0x%.2x, 0x%.2x, 0x%.2x }\n"
+ msgstr ""
+ 
+-#: ppcboot.c:433
++#: ppcboot.c:432
+ #, c-format
+ msgid "Partition[%d] end    = { 0x%.2x, 0x%.2x, 0x%.2x, 0x%.2x }\n"
+ msgstr ""
+ 
+-#: ppcboot.c:440
++#: ppcboot.c:439
+ #, c-format
+ msgid "Partition[%d] sector = 0x%.8lx (%ld)\n"
+ msgstr ""
+ 
+-#: ppcboot.c:444
++#: ppcboot.c:443
+ #, c-format
+ msgid "Partition[%d] length = 0x%.8lx (%ld)\n"
+ msgstr ""
+ 
+-#: reloc.c:8106
+-msgid "INPUT_SECTION_FLAGS are not supported.\n"
++#: reloc.c:8125
++msgid "INPUT_SECTION_FLAGS are not supported"
+ msgstr ""
+ 
+-#: reloc.c:8207
++#: reloc.c:8226
+ #, c-format
+-msgid "%X%P: %B(%A): error: relocation for offset %V has no value\n"
++msgid "%X%P: %pB(%pA): error: relocation for offset %V has no value\n"
+ msgstr ""
+ 
+-#: reloc.c:8283
++#: reloc.c:8302
+ #, c-format
+-msgid "%X%P: %B(%A): relocation \"%R\" is not supported\n"
++msgid "%X%P: %pB(%pA): relocation \"%pR\" is not supported\n"
+ msgstr ""
+ 
+-#: reloc.c:8292
++#: reloc.c:8311
+ #, c-format
+-msgid "%X%P: %B(%A): relocation \"%R\" returns an unrecognized value %x\n"
++msgid "%X%P: %pB(%pA): relocation \"%pR\" returns an unrecognized value %x\n"
+ msgstr ""
+ 
+-#: reloc.c:8354
++#: reloc.c:8373
+ #, c-format
+-msgid "%B: unrecognized relocation (%#x) in section `%A'"
++msgid "%pB: unrecognized relocation type %#x in section `%pA'"
+ msgstr ""
+ 
+ #. PR 21803: Suggest the most likely cause of this error.
+-#: reloc.c:8358
++#: reloc.c:8377
+ #, c-format
+-msgid "Is this version of the linker - %s - out of date ?"
++msgid "is this version of the linker - %s - out of date ?"
+ msgstr ""
+ 
+ #: rs6000-core.c:471
+-msgid "%B: warning core file truncated"
++#, c-format
++msgid "%pB: warning core file truncated"
+ msgstr ""
+ 
+ #: som.c:5478
+@@ -6069,91 +6068,91 @@ msgstr ""
+ 
+ #: srec.c:260
+ #, c-format
+-msgid "%B:%d: Unexpected character `%s' in S-record file\n"
++msgid "%pB:%d: unexpected character `%s' in S-record file"
+ msgstr ""
+ 
+ #: srec.c:488
+ #, c-format
+-msgid "%B:%d: byte count %d too small\n"
++msgid "%pB:%d: byte count %d too small"
+ msgstr ""
+ 
+ #: srec.c:581 srec.c:615
+ #, c-format
+-msgid "%B:%d: Bad checksum in S-record file\n"
++msgid "%pB:%d: bad checksum in S-record file"
+ msgstr ""
+ 
+ #: stabs.c:279
+ #, c-format
+-msgid "%B(%A+%#lx): Stabs entry has invalid string index."
++msgid "%pB(%pA+%#lx): stabs entry has invalid string index"
+ msgstr ""
+ 
+ #: syms.c:1079
+-msgid "Unsupported .stab relocation"
++msgid "unsupported .stab relocation"
+ msgstr ""
+ 
+ #: vms-alpha.c:479
+-msgid "Corrupt EIHD record - size is too small"
++msgid "corrupt EIHD record - size is too small"
+ msgstr ""
+ 
+ #: vms-alpha.c:660
+ #, c-format
+-msgid "Unable to read EIHS record at offset %#x"
++msgid "unable to read EIHS record at offset %#x"
+ msgstr ""
+ 
+-#: vms-alpha.c:1172
++#: vms-alpha.c:1173
+ #, c-format
+-msgid "Corrupt EGSD record: its size (%#x) is too small"
++msgid "corrupt EGSD record: its size (%#x) is too small"
+ msgstr ""
+ 
+-#: vms-alpha.c:1196
++#: vms-alpha.c:1197
+ #, c-format
+-msgid "Corrupt EGSD record: size (%#x) is larger than remaining space (%#x)"
++msgid "corrupt EGSD record: size (%#x) is larger than remaining space (%#x)"
+ msgstr ""
+ 
+-#: vms-alpha.c:1204
++#: vms-alpha.c:1205
+ #, c-format
+-msgid "Corrupt EGSD record: size (%#x) is too small"
++msgid "corrupt EGSD record: size (%#x) is too small"
+ msgstr ""
+ 
+-#: vms-alpha.c:1333 vms-alpha.c:1349 vms-alpha.c:1389
++#: vms-alpha.c:1334 vms-alpha.c:1350 vms-alpha.c:1390
+ #, c-format
+-msgid "Corrupt EGSD record: its psindx field is too big (%#lx)"
++msgid "corrupt EGSD record: its psindx field is too big (%#lx)"
+ msgstr ""
+ 
+-#: vms-alpha.c:1418
++#: vms-alpha.c:1419
+ #, c-format
+-msgid "Unknown EGSD subtype %d"
++msgid "unknown EGSD subtype %d"
+ msgstr ""
+ 
+-#: vms-alpha.c:1451
++#: vms-alpha.c:1452
+ #, c-format
+-msgid "Stack overflow (%d) in _bfd_vms_push"
++msgid "stack overflow (%d) in _bfd_vms_push"
+ msgstr ""
+ 
+-#: vms-alpha.c:1464
+-msgid "Stack underflow in _bfd_vms_pop"
++#: vms-alpha.c:1465
++msgid "stack underflow in _bfd_vms_pop"
+ msgstr ""
+ 
+ #. These names have not yet been added to this switch statement.
+-#: vms-alpha.c:1706
++#: vms-alpha.c:1707
+ #, c-format
+ msgid "unknown ETIR command %d"
+ msgstr ""
+ 
+-#: vms-alpha.c:1737
+-msgid "Corrupt vms value"
++#: vms-alpha.c:1738
++msgid "corrupt vms value"
+ msgstr ""
+ 
+-#: vms-alpha.c:1865
+-msgid "Corrupt ETIR record encountered"
++#: vms-alpha.c:1866
++msgid "corrupt ETIR record encountered"
+ msgstr ""
+ 
+-#: vms-alpha.c:1922
++#: vms-alpha.c:1923
+ #, c-format
+ msgid "bad section index in %s"
+ msgstr ""
+ 
+-#: vms-alpha.c:1935
++#: vms-alpha.c:1936
+ #, c-format
+ msgid "unsupported STA cmd %s"
+ msgstr ""
+@@ -6163,1961 +6162,1932 @@ msgstr ""
+ #. Rotate.
+ #. Redefine symbol to current location.
+ #. Define a literal.
+-#: vms-alpha.c:2115 vms-alpha.c:2146 vms-alpha.c:2237 vms-alpha.c:2395
++#: vms-alpha.c:2116 vms-alpha.c:2147 vms-alpha.c:2238 vms-alpha.c:2396
+ #, c-format
+ msgid "%s: not supported"
+ msgstr ""
+ 
+-#: vms-alpha.c:2121
++#: vms-alpha.c:2122
+ #, c-format
+ msgid "%s: not implemented"
+ msgstr ""
+ 
+-#: vms-alpha.c:2379
++#: vms-alpha.c:2380
+ #, c-format
+ msgid "invalid use of %s with contexts"
+ msgstr ""
+ 
+-#: vms-alpha.c:2413
++#: vms-alpha.c:2414
+ #, c-format
+ msgid "reserved cmd %d"
+ msgstr ""
+ 
+-#: vms-alpha.c:2497
+-msgid "Corrupt EEOM record - size is too small"
++#: vms-alpha.c:2498
++msgid "corrupt EEOM record - size is too small"
+ msgstr ""
+ 
+-#: vms-alpha.c:2506
+-msgid "Object module NOT error-free !\n"
++#: vms-alpha.c:2507
++msgid "object module not error-free !"
+ msgstr ""
+ 
+-#: vms-alpha.c:3830
++#: vms-alpha.c:3831
+ #, c-format
+-msgid "SEC_RELOC with no relocs in section %A"
++msgid "SEC_RELOC with no relocs in section %pA"
+ msgstr ""
+ 
+-#: vms-alpha.c:3882 vms-alpha.c:4095
++#: vms-alpha.c:3883 vms-alpha.c:4096
+ #, c-format
+-msgid "Size error in section %A"
++msgid "size error in section %pA"
+ msgstr ""
+ 
+-#: vms-alpha.c:4041
+-msgid "Spurious ALPHA_R_BSR reloc"
++#: vms-alpha.c:4042
++msgid "spurious ALPHA_R_BSR reloc"
+ msgstr ""
+ 
+-#: vms-alpha.c:4082
++#: vms-alpha.c:4083
+ #, c-format
+-msgid "Unhandled relocation %s"
++msgid "unhandled relocation %s"
+ msgstr ""
+ 
+-#: vms-alpha.c:4375
++#: vms-alpha.c:4376
+ #, c-format
+ msgid "unknown source command %d"
+ msgstr ""
+ 
+-#: vms-alpha.c:4436
+-msgid "DST__K_SET_LINUM_INCR not implemented"
+-msgstr ""
+-
+-#: vms-alpha.c:4442
+-msgid "DST__K_SET_LINUM_INCR_W not implemented"
+-msgstr ""
+-
+-#: vms-alpha.c:4448
+-msgid "DST__K_RESET_LINUM_INCR not implemented"
+-msgstr ""
+-
+-#: vms-alpha.c:4454
+-msgid "DST__K_BEG_STMT_MODE not implemented"
+-msgstr ""
+-
+-#: vms-alpha.c:4460
+-msgid "DST__K_END_STMT_MODE not implemented"
+-msgstr ""
+-
+-#: vms-alpha.c:4487
+-msgid "DST__K_SET_PC not implemented"
+-msgstr ""
+-
+-#: vms-alpha.c:4493
+-msgid "DST__K_SET_PC_W not implemented"
+-msgstr ""
+-
+-#: vms-alpha.c:4499
+-msgid "DST__K_SET_PC_L not implemented"
+-msgstr ""
+-
+-#: vms-alpha.c:4505
+-msgid "DST__K_SET_STMTNUM not implemented"
++#: vms-alpha.c:4437 vms-alpha.c:4443 vms-alpha.c:4449 vms-alpha.c:4455
++#: vms-alpha.c:4461 vms-alpha.c:4488 vms-alpha.c:4494 vms-alpha.c:4500
++#: vms-alpha.c:4506
++#, c-format
++msgid "%s not implemented"
+ msgstr ""
+ 
+-#: vms-alpha.c:4548
++#: vms-alpha.c:4549
+ #, c-format
+ msgid "unknown line command %d"
+ msgstr ""
+ 
+-#: vms-alpha.c:5008 vms-alpha.c:5026 vms-alpha.c:5041 vms-alpha.c:5057
+-#: vms-alpha.c:5070 vms-alpha.c:5082 vms-alpha.c:5095
++#: vms-alpha.c:5009 vms-alpha.c:5027 vms-alpha.c:5042 vms-alpha.c:5058
++#: vms-alpha.c:5071 vms-alpha.c:5083 vms-alpha.c:5096
+ #, c-format
+-msgid "Unknown reloc %s + %s"
++msgid "unknown reloc %s + %s"
+ msgstr ""
+ 
+-#: vms-alpha.c:5150
++#: vms-alpha.c:5151
+ #, c-format
+-msgid "Unknown reloc %s"
++msgid "unknown reloc %s"
+ msgstr ""
+ 
+-#: vms-alpha.c:5163
+-msgid "Invalid section index in ETIR"
++#: vms-alpha.c:5164
++msgid "invalid section index in ETIR"
+ msgstr ""
+ 
+-#: vms-alpha.c:5172
+-msgid "Relocation for non-REL psect"
++#: vms-alpha.c:5173
++msgid "relocation for non-REL psect"
+ msgstr ""
+ 
+-#: vms-alpha.c:5219
++#: vms-alpha.c:5220
+ #, c-format
+-msgid "Unknown symbol in command %s"
++msgid "unknown symbol in command %s"
+ msgstr ""
+ 
+-#: vms-alpha.c:5629
++#: vms-alpha.c:5630
+ #, c-format
+ msgid "reloc (%d) is *UNKNOWN*"
+ msgstr ""
+ 
+-#: vms-alpha.c:5745
++#: vms-alpha.c:5746
+ #, c-format
+ msgid "  EMH %u (len=%u): "
+ msgstr ""
+ 
+-#: vms-alpha.c:5750
++#: vms-alpha.c:5751
+ #, c-format
+ msgid "   Error: The length is less than the length of an EMH record\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5767
++#: vms-alpha.c:5768
+ #, c-format
+ msgid ""
+ "   Error: The record length is less than the size of an EMH_MHD record\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5770
++#: vms-alpha.c:5771
+ #, c-format
+ msgid "Module header\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5771
++#: vms-alpha.c:5772
+ #, c-format
+ msgid "   structure level: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5772
++#: vms-alpha.c:5773
+ #, c-format
+ msgid "   max record size: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5778
++#: vms-alpha.c:5779
+ #, c-format
+ msgid "   Error: The module name is missing\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5784
++#: vms-alpha.c:5785
+ #, c-format
+ msgid "   Error: The module name is too long\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5787
++#: vms-alpha.c:5788
+ #, c-format
+ msgid "   module name    : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5791
++#: vms-alpha.c:5792
+ #, c-format
+ msgid "   Error: The module version is missing\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5797
++#: vms-alpha.c:5798
+ #, c-format
+ msgid "   Error: The module version is too long\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5800
++#: vms-alpha.c:5801
+ #, c-format
+ msgid "   module version : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5803
++#: vms-alpha.c:5804
+ #, c-format
+ msgid "   Error: The compile date is truncated\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5805
++#: vms-alpha.c:5806
+ #, c-format
+ msgid "   compile date   : %.17s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5810
++#: vms-alpha.c:5811
+ #, c-format
+ msgid "Language Processor Name\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5811
++#: vms-alpha.c:5812
+ #, c-format
+ msgid "   language name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5815
++#: vms-alpha.c:5816
+ #, c-format
+ msgid "Source Files Header\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5816
++#: vms-alpha.c:5817
+ #, c-format
+ msgid "   file: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5820
++#: vms-alpha.c:5821
+ #, c-format
+ msgid "Title Text Header\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5821
++#: vms-alpha.c:5822
+ #, c-format
+ msgid "   title: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5825
++#: vms-alpha.c:5826
+ #, c-format
+ msgid "Copyright Header\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5826
++#: vms-alpha.c:5827
+ #, c-format
+ msgid "   copyright: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5830
++#: vms-alpha.c:5831
+ #, c-format
+ msgid "unhandled emh subtype %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5840
++#: vms-alpha.c:5841
+ #, c-format
+ msgid "  EEOM (len=%u):\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5845
++#: vms-alpha.c:5846
+ #, c-format
+ msgid "   Error: The length is less than the length of an EEOM record\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5849
++#: vms-alpha.c:5850
+ #, c-format
+ msgid "   number of cond linkage pairs: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5851
++#: vms-alpha.c:5852
+ #, c-format
+ msgid "   completion code: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5855
++#: vms-alpha.c:5856
+ #, c-format
+ msgid "   transfer addr flags: 0x%02x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5856
++#: vms-alpha.c:5857
+ #, c-format
+ msgid "   transfer addr psect: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5858
++#: vms-alpha.c:5859
+ #, c-format
+ msgid "   transfer address   : 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5867
++#: vms-alpha.c:5868
+ msgid " WEAK"
+ msgstr ""
+ 
+-#: vms-alpha.c:5869
++#: vms-alpha.c:5870
+ msgid " DEF"
+ msgstr ""
+ 
+-#: vms-alpha.c:5871
++#: vms-alpha.c:5872
+ msgid " UNI"
+ msgstr ""
+ 
+-#: vms-alpha.c:5873 vms-alpha.c:5894
++#: vms-alpha.c:5874 vms-alpha.c:5895
+ msgid " REL"
+ msgstr ""
+ 
+-#: vms-alpha.c:5875
++#: vms-alpha.c:5876
+ msgid " COMM"
+ msgstr ""
+ 
+-#: vms-alpha.c:5877
++#: vms-alpha.c:5878
+ msgid " VECEP"
+ msgstr ""
+ 
+-#: vms-alpha.c:5879
++#: vms-alpha.c:5880
+ msgid " NORM"
+ msgstr ""
+ 
+-#: vms-alpha.c:5881
++#: vms-alpha.c:5882
+ msgid " QVAL"
+ msgstr ""
+ 
+-#: vms-alpha.c:5888
++#: vms-alpha.c:5889
+ msgid " PIC"
+ msgstr ""
+ 
+-#: vms-alpha.c:5890
++#: vms-alpha.c:5891
+ msgid " LIB"
+ msgstr ""
+ 
+-#: vms-alpha.c:5892
++#: vms-alpha.c:5893
+ msgid " OVR"
+ msgstr ""
+ 
+-#: vms-alpha.c:5896
++#: vms-alpha.c:5897
+ msgid " GBL"
+ msgstr ""
+ 
+-#: vms-alpha.c:5898
++#: vms-alpha.c:5899
+ msgid " SHR"
+ msgstr ""
+ 
+-#: vms-alpha.c:5900
++#: vms-alpha.c:5901
+ msgid " EXE"
+ msgstr ""
+ 
+-#: vms-alpha.c:5902
++#: vms-alpha.c:5903
+ msgid " RD"
+ msgstr ""
+ 
+-#: vms-alpha.c:5904
++#: vms-alpha.c:5905
+ msgid " WRT"
+ msgstr ""
+ 
+-#: vms-alpha.c:5906
++#: vms-alpha.c:5907
+ msgid " VEC"
+ msgstr ""
+ 
+-#: vms-alpha.c:5908
++#: vms-alpha.c:5909
+ msgid " NOMOD"
+ msgstr ""
+ 
+-#: vms-alpha.c:5910
++#: vms-alpha.c:5911
+ msgid " COM"
+ msgstr ""
+ 
+-#: vms-alpha.c:5912
++#: vms-alpha.c:5913
+ msgid " 64B"
+ msgstr ""
+ 
+-#: vms-alpha.c:5921
++#: vms-alpha.c:5922
+ #, c-format
+ msgid "  EGSD (len=%u):\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5934
++#: vms-alpha.c:5935
+ #, c-format
+ msgid "  EGSD entry %2u (type: %u, len: %u): "
+ msgstr ""
+ 
+-#: vms-alpha.c:5940 vms-alpha.c:6191
++#: vms-alpha.c:5941 vms-alpha.c:6192
+ #, c-format
+ msgid "   Error: length larger than remaining space in record\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5952
++#: vms-alpha.c:5953
+ #, c-format
+ msgid "PSC - Program section definition\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5953 vms-alpha.c:5970
++#: vms-alpha.c:5954 vms-alpha.c:5971
+ #, c-format
+ msgid "   alignment  : 2**%u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5954 vms-alpha.c:5971
++#: vms-alpha.c:5955 vms-alpha.c:5972
+ #, c-format
+ msgid "   flags      : 0x%04x"
+ msgstr ""
+ 
+-#: vms-alpha.c:5958
++#: vms-alpha.c:5959
+ #, c-format
+ msgid "   alloc (len): %u (0x%08x)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5959 vms-alpha.c:6016 vms-alpha.c:6065
++#: vms-alpha.c:5960 vms-alpha.c:6017 vms-alpha.c:6066
+ #, c-format
+ msgid "   name       : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5969
++#: vms-alpha.c:5970
+ #, c-format
+ msgid "SPSC - Shared Image Program section def\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5975
++#: vms-alpha.c:5976
+ #, c-format
+ msgid "   alloc (len)   : %u (0x%08x)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5976
++#: vms-alpha.c:5977
+ #, c-format
+ msgid "   image offset  : 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5978
++#: vms-alpha.c:5979
+ #, c-format
+ msgid "   symvec offset : 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5980
++#: vms-alpha.c:5981
+ #, c-format
+ msgid "   name          : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5993
++#: vms-alpha.c:5994
+ #, c-format
+ msgid "SYM - Global symbol definition\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:5994 vms-alpha.c:6054 vms-alpha.c:6075 vms-alpha.c:6094
++#: vms-alpha.c:5995 vms-alpha.c:6055 vms-alpha.c:6076 vms-alpha.c:6095
+ #, c-format
+ msgid "   flags: 0x%04x"
+ msgstr ""
+ 
+-#: vms-alpha.c:5997
++#: vms-alpha.c:5998
+ #, c-format
+ msgid "   psect offset: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6001
++#: vms-alpha.c:6002
+ #, c-format
+ msgid "   code address: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6003
++#: vms-alpha.c:6004
+ #, c-format
+ msgid "   psect index for entry point : %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6006 vms-alpha.c:6082 vms-alpha.c:6101
++#: vms-alpha.c:6007 vms-alpha.c:6083 vms-alpha.c:6102
+ #, c-format
+ msgid "   psect index : %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6008 vms-alpha.c:6084 vms-alpha.c:6103
++#: vms-alpha.c:6009 vms-alpha.c:6085 vms-alpha.c:6104
+ #, c-format
+ msgid "   name        : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6015
++#: vms-alpha.c:6016
+ #, c-format
+ msgid "SYM - Global symbol reference\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6027
++#: vms-alpha.c:6028
+ #, c-format
+ msgid "IDC - Ident Consistency check\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6028
++#: vms-alpha.c:6029
+ #, c-format
+ msgid "   flags         : 0x%08x"
+ msgstr ""
+ 
+-#: vms-alpha.c:6032
++#: vms-alpha.c:6033
+ #, c-format
+ msgid "   id match      : %x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6034
++#: vms-alpha.c:6035
+ #, c-format
+ msgid "   error severity: %x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6037
++#: vms-alpha.c:6038
+ #, c-format
+ msgid "   entity name   : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6039
++#: vms-alpha.c:6040
+ #, c-format
+ msgid "   object name   : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6042
++#: vms-alpha.c:6043
+ #, c-format
+ msgid "   binary ident  : 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6045
++#: vms-alpha.c:6046
+ #, c-format
+ msgid "   ascii ident   : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6053
++#: vms-alpha.c:6054
+ #, c-format
+ msgid "SYMG - Universal symbol definition\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6057
++#: vms-alpha.c:6058
+ #, c-format
+ msgid "   symbol vector offset: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6059
++#: vms-alpha.c:6060
+ #, c-format
+ msgid "   entry point: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6061
++#: vms-alpha.c:6062
+ #, c-format
+ msgid "   proc descr : 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6063
++#: vms-alpha.c:6064
+ #, c-format
+ msgid "   psect index: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6074
++#: vms-alpha.c:6075
+ #, c-format
+ msgid "SYMV - Vectored symbol definition\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6078
++#: vms-alpha.c:6079
+ #, c-format
+ msgid "   vector      : 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6080 vms-alpha.c:6099
++#: vms-alpha.c:6081 vms-alpha.c:6100
+ #, c-format
+ msgid "   psect offset: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6093
++#: vms-alpha.c:6094
+ #, c-format
+ msgid "SYMM - Global symbol definition with version\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6097
++#: vms-alpha.c:6098
+ #, c-format
+ msgid "   version mask: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6108
++#: vms-alpha.c:6109
+ #, c-format
+ msgid "unhandled egsd entry type %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6143
++#: vms-alpha.c:6144
+ #, c-format
+ msgid "    linkage index: %u, replacement insn: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6147
++#: vms-alpha.c:6148
+ #, c-format
+ msgid "    psect idx 1: %u, offset 1: 0x%08x %08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6152
++#: vms-alpha.c:6153
+ #, c-format
+ msgid "    psect idx 2: %u, offset 2: 0x%08x %08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6158
++#: vms-alpha.c:6159
+ #, c-format
+ msgid "    psect idx 3: %u, offset 3: 0x%08x %08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6163
++#: vms-alpha.c:6164
+ #, c-format
+ msgid "    global name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6174
++#: vms-alpha.c:6175
+ #, c-format
+ msgid "  %s (len=%u+%u):\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6196
++#: vms-alpha.c:6197
+ #, c-format
+ msgid "   (type: %3u, size: 4+%3u): "
+ msgstr ""
+ 
+-#: vms-alpha.c:6200
++#: vms-alpha.c:6201
+ #, c-format
+ msgid "STA_GBL (stack global) %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6204
++#: vms-alpha.c:6205
+ #, c-format
+ msgid "STA_LW (stack longword) 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6208
++#: vms-alpha.c:6209
+ #, c-format
+ msgid "STA_QW (stack quadword) 0x%08x %08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6213
++#: vms-alpha.c:6214
+ #, c-format
+ msgid "STA_PQ (stack psect base + offset)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6215
++#: vms-alpha.c:6216
+ #, c-format
+ msgid "    psect: %u, offset: 0x%08x %08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6221
++#: vms-alpha.c:6222
+ #, c-format
+ msgid "STA_LI (stack literal)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6224
++#: vms-alpha.c:6225
+ #, c-format
+ msgid "STA_MOD (stack module)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6227
++#: vms-alpha.c:6228
+ #, c-format
+ msgid "STA_CKARG (compare procedure argument)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6231
++#: vms-alpha.c:6232
+ #, c-format
+ msgid "STO_B (store byte)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6234
++#: vms-alpha.c:6235
+ #, c-format
+ msgid "STO_W (store word)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6237
++#: vms-alpha.c:6238
+ #, c-format
+ msgid "STO_LW (store longword)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6240
++#: vms-alpha.c:6241
+ #, c-format
+ msgid "STO_QW (store quadword)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6246
++#: vms-alpha.c:6247
+ #, c-format
+ msgid "STO_IMMR (store immediate repeat) %u bytes\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6253
++#: vms-alpha.c:6254
+ #, c-format
+ msgid "STO_GBL (store global) %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6257
++#: vms-alpha.c:6258
+ #, c-format
+ msgid "STO_CA (store code address) %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6261
++#: vms-alpha.c:6262
+ #, c-format
+ msgid "STO_RB (store relative branch)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6264
++#: vms-alpha.c:6265
+ #, c-format
+ msgid "STO_AB (store absolute branch)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6267
++#: vms-alpha.c:6268
+ #, c-format
+ msgid "STO_OFF (store offset to psect)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6273
++#: vms-alpha.c:6274
+ #, c-format
+ msgid "STO_IMM (store immediate) %u bytes\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6280
++#: vms-alpha.c:6281
+ #, c-format
+ msgid "STO_GBL_LW (store global longword) %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6284
++#: vms-alpha.c:6285
+ #, c-format
+ msgid "STO_OFF (store LP with procedure signature)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6287
++#: vms-alpha.c:6288
+ #, c-format
+ msgid "STO_BR_GBL (store branch global) *todo*\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6290
++#: vms-alpha.c:6291
+ #, c-format
+ msgid "STO_BR_PS (store branch psect + offset) *todo*\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6294
++#: vms-alpha.c:6295
+ #, c-format
+ msgid "OPR_NOP (no-operation)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6297
++#: vms-alpha.c:6298
+ #, c-format
+ msgid "OPR_ADD (add)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6300
++#: vms-alpha.c:6301
+ #, c-format
+ msgid "OPR_SUB (subtract)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6303
++#: vms-alpha.c:6304
+ #, c-format
+ msgid "OPR_MUL (multiply)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6306
++#: vms-alpha.c:6307
+ #, c-format
+ msgid "OPR_DIV (divide)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6309
++#: vms-alpha.c:6310
+ #, c-format
+ msgid "OPR_AND (logical and)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6312
++#: vms-alpha.c:6313
+ #, c-format
+ msgid "OPR_IOR (logical inclusive or)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6315
++#: vms-alpha.c:6316
+ #, c-format
+ msgid "OPR_EOR (logical exclusive or)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6318
++#: vms-alpha.c:6319
+ #, c-format
+ msgid "OPR_NEG (negate)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6321
++#: vms-alpha.c:6322
+ #, c-format
+ msgid "OPR_COM (complement)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6324
++#: vms-alpha.c:6325
+ #, c-format
+ msgid "OPR_INSV (insert field)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6327
++#: vms-alpha.c:6328
+ #, c-format
+ msgid "OPR_ASH (arithmetic shift)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6330
++#: vms-alpha.c:6331
+ #, c-format
+ msgid "OPR_USH (unsigned shift)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6333
++#: vms-alpha.c:6334
+ #, c-format
+ msgid "OPR_ROT (rotate)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6336
++#: vms-alpha.c:6337
+ #, c-format
+ msgid "OPR_SEL (select)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6339
++#: vms-alpha.c:6340
+ #, c-format
+ msgid "OPR_REDEF (redefine symbol to curr location)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6342
++#: vms-alpha.c:6343
+ #, c-format
+ msgid "OPR_REDEF (define a literal)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6346
++#: vms-alpha.c:6347
+ #, c-format
+ msgid "STC_LP (store cond linkage pair)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6350
++#: vms-alpha.c:6351
+ #, c-format
+ msgid "STC_LP_PSB (store cond linkage pair + signature)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6352
++#: vms-alpha.c:6353
+ #, c-format
+ msgid "   linkage index: %u, procedure: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6355
++#: vms-alpha.c:6356
+ #, c-format
+ msgid "   signature: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6358
++#: vms-alpha.c:6359
+ #, c-format
+ msgid "STC_GBL (store cond global)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6360
++#: vms-alpha.c:6361
+ #, c-format
+ msgid "   linkage index: %u, global: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6364
++#: vms-alpha.c:6365
+ #, c-format
+ msgid "STC_GCA (store cond code address)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6366
++#: vms-alpha.c:6367
+ #, c-format
+ msgid "   linkage index: %u, procedure name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6370
++#: vms-alpha.c:6371
+ #, c-format
+ msgid "STC_PS (store cond psect + offset)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6373
++#: vms-alpha.c:6374
+ #, c-format
+ msgid "   linkage index: %u, psect: %u, offset: 0x%08x %08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6380
++#: vms-alpha.c:6381
+ #, c-format
+ msgid "STC_NOP_GBL (store cond NOP at global addr)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6384
++#: vms-alpha.c:6385
+ #, c-format
+ msgid "STC_NOP_PS (store cond NOP at psect + offset)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6388
++#: vms-alpha.c:6389
+ #, c-format
+ msgid "STC_BSR_GBL (store cond BSR at global addr)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6392
++#: vms-alpha.c:6393
+ #, c-format
+ msgid "STC_BSR_PS (store cond BSR at psect + offset)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6396
++#: vms-alpha.c:6397
+ #, c-format
+ msgid "STC_LDA_GBL (store cond LDA at global addr)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6400
++#: vms-alpha.c:6401
+ #, c-format
+ msgid "STC_LDA_PS (store cond LDA at psect + offset)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6404
++#: vms-alpha.c:6405
+ #, c-format
+ msgid "STC_BOH_GBL (store cond BOH at global addr)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6408
++#: vms-alpha.c:6409
+ #, c-format
+ msgid "STC_BOH_PS (store cond BOH at psect + offset)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6413
++#: vms-alpha.c:6414
+ #, c-format
+ msgid "STC_NBH_GBL (store cond or hint at global addr)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6417
++#: vms-alpha.c:6418
+ #, c-format
+ msgid "STC_NBH_PS (store cond or hint at psect + offset)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6421
++#: vms-alpha.c:6422
+ #, c-format
+ msgid "CTL_SETRB (set relocation base)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6427
++#: vms-alpha.c:6428
+ #, c-format
+ msgid "CTL_AUGRB (augment relocation base) %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6431
++#: vms-alpha.c:6432
+ #, c-format
+ msgid "CTL_DFLOC (define location)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6434
++#: vms-alpha.c:6435
+ #, c-format
+ msgid "CTL_STLOC (set location)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6437
++#: vms-alpha.c:6438
+ #, c-format
+ msgid "CTL_STKDL (stack defined location)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6440 vms-alpha.c:6864 vms-alpha.c:6990
++#: vms-alpha.c:6441 vms-alpha.c:6865 vms-alpha.c:6991
+ #, c-format
+ msgid "*unhandled*\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6470 vms-alpha.c:6509
++#: vms-alpha.c:6471 vms-alpha.c:6510
+ #, c-format
+ msgid "cannot read GST record length\n"
+ msgstr ""
+ 
+ #. Ill-formed.
+-#: vms-alpha.c:6491
++#: vms-alpha.c:6492
+ #, c-format
+ msgid "cannot find EMH in first GST record\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6517
++#: vms-alpha.c:6518
+ #, c-format
+ msgid "cannot read GST record header\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6530
++#: vms-alpha.c:6531
+ #, c-format
+ msgid " corrupted GST\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6538
++#: vms-alpha.c:6539
+ #, c-format
+ msgid "cannot read GST record\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6567
++#: vms-alpha.c:6568
+ #, c-format
+ msgid " unhandled EOBJ record type %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6591
++#: vms-alpha.c:6592
+ #, c-format
+ msgid "  bitcount: %u, base addr: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6605
++#: vms-alpha.c:6606
+ #, c-format
+ msgid "   bitmap: 0x%08x (count: %u):\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6612
++#: vms-alpha.c:6613
+ #, c-format
+ msgid " %08x"
+ msgstr ""
+ 
+-#: vms-alpha.c:6638
++#: vms-alpha.c:6639
+ #, c-format
+ msgid "  image %u (%u entries)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6644
++#: vms-alpha.c:6645
+ #, c-format
+ msgid "   offset: 0x%08x, val: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6666
++#: vms-alpha.c:6667
+ #, c-format
+ msgid "  image %u (%u entries), offsets:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6673
++#: vms-alpha.c:6674
+ #, c-format
+ msgid " 0x%08x"
+ msgstr ""
+ 
+ #. 64 bits.
+-#: vms-alpha.c:6795
++#: vms-alpha.c:6796
+ #, c-format
+ msgid "64 bits *unhandled*\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6800
++#: vms-alpha.c:6801
+ #, c-format
+ msgid "class: %u, dtype: %u, length: %u, pointer: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6811
++#: vms-alpha.c:6812
+ #, c-format
+ msgid "non-contiguous array of %s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6816
++#: vms-alpha.c:6817
+ #, c-format
+ msgid "dimct: %u, aflags: 0x%02x, digits: %u, scale: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6821
++#: vms-alpha.c:6822
+ #, c-format
+ msgid "arsize: %u, a0: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6825
++#: vms-alpha.c:6826
+ #, c-format
+ msgid "Strides:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6835
++#: vms-alpha.c:6836
+ #, c-format
+ msgid "Bounds:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6841
++#: vms-alpha.c:6842
+ #, c-format
+ msgid "[%u]: Lower: %u, upper: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6853
++#: vms-alpha.c:6854
+ #, c-format
+ msgid "unaligned bit-string of %s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6858
++#: vms-alpha.c:6859
+ #, c-format
+ msgid "base: %u, pos: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6879
++#: vms-alpha.c:6880
+ #, c-format
+ msgid "vflags: 0x%02x, value: 0x%08x "
+ msgstr ""
+ 
+-#: vms-alpha.c:6885
++#: vms-alpha.c:6886
+ #, c-format
+ msgid "(no value)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6888
++#: vms-alpha.c:6889
+ #, c-format
+ msgid "(not active)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6891
++#: vms-alpha.c:6892
+ #, c-format
+ msgid "(not allocated)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6894
++#: vms-alpha.c:6895
+ #, c-format
+ msgid "(descriptor)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6898
++#: vms-alpha.c:6899
+ #, c-format
+ msgid "(trailing value)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6901
++#: vms-alpha.c:6902
+ #, c-format
+ msgid "(value spec follows)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6904
++#: vms-alpha.c:6905
+ #, c-format
+ msgid "(at bit offset %u)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6908
++#: vms-alpha.c:6909
+ #, c-format
+ msgid "(reg: %u, disp: %u, indir: %u, kind: "
+ msgstr ""
+ 
+-#: vms-alpha.c:6915
++#: vms-alpha.c:6916
+ msgid "literal"
+ msgstr ""
+ 
+-#: vms-alpha.c:6918
++#: vms-alpha.c:6919
+ msgid "address"
+ msgstr ""
+ 
+-#: vms-alpha.c:6921
++#: vms-alpha.c:6922
+ msgid "desc"
+ msgstr ""
+ 
+-#: vms-alpha.c:6924
++#: vms-alpha.c:6925
+ msgid "reg"
+ msgstr ""
+ 
+-#: vms-alpha.c:6941
++#: vms-alpha.c:6942
+ #, c-format
+ msgid "len: %2u, kind: %2u "
+ msgstr ""
+ 
+-#: vms-alpha.c:6947
++#: vms-alpha.c:6948
+ #, c-format
+ msgid "atomic, type=0x%02x %s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6951
++#: vms-alpha.c:6952
+ #, c-format
+ msgid "indirect, defined at 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6955
++#: vms-alpha.c:6956
+ #, c-format
+ msgid "typed pointer\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6959
++#: vms-alpha.c:6960
+ #, c-format
+ msgid "pointer\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6967
++#: vms-alpha.c:6968
+ #, c-format
+ msgid "array, dim: %u, bitmap: "
+ msgstr ""
+ 
+-#: vms-alpha.c:6974
++#: vms-alpha.c:6975
+ #, c-format
+ msgid "array descriptor:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6981
++#: vms-alpha.c:6982
+ #, c-format
+ msgid "type spec for element:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:6983
++#: vms-alpha.c:6984
+ #, c-format
+ msgid "type spec for subscript %u:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7001
++#: vms-alpha.c:7002
+ #, c-format
+ msgid "Debug symbol table:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7012
++#: vms-alpha.c:7013
+ #, c-format
+ msgid "cannot read DST header\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7018
++#: vms-alpha.c:7019
+ #, c-format
+ msgid " type: %3u, len: %3u (at 0x%08x): "
+ msgstr ""
+ 
+-#: vms-alpha.c:7032
++#: vms-alpha.c:7033
+ #, c-format
+ msgid "cannot read DST symbol\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7075
++#: vms-alpha.c:7076
+ #, c-format
+ msgid "standard data: %s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7078 vms-alpha.c:7166
++#: vms-alpha.c:7079 vms-alpha.c:7167
+ #, c-format
+ msgid "    name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7085
++#: vms-alpha.c:7086
+ #, c-format
+ msgid "modbeg\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7087
++#: vms-alpha.c:7088
+ #, c-format
+ msgid "   flags: %d, language: %u, major: %u, minor: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7093 vms-alpha.c:7367
++#: vms-alpha.c:7094 vms-alpha.c:7368
+ #, c-format
+ msgid "   module name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7096
++#: vms-alpha.c:7097
+ #, c-format
+ msgid "   compiler   : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7101
++#: vms-alpha.c:7102
+ #, c-format
+ msgid "modend\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7108
++#: vms-alpha.c:7109
+ msgid "rtnbeg\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7110
++#: vms-alpha.c:7111
+ #, c-format
+ msgid "    flags: %u, address: 0x%08x, pd-address: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7115
++#: vms-alpha.c:7116
+ #, c-format
+ msgid "    routine name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7123
++#: vms-alpha.c:7124
+ #, c-format
+ msgid "rtnend: size 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7131
++#: vms-alpha.c:7132
+ #, c-format
+ msgid "prolog: bkpt address 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7140
++#: vms-alpha.c:7141
+ #, c-format
+ msgid "epilog: flags: %u, count: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7150
++#: vms-alpha.c:7151
+ #, c-format
+ msgid "blkbeg: address: 0x%08x, name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7159
++#: vms-alpha.c:7160
+ #, c-format
+ msgid "blkend: size: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7165
++#: vms-alpha.c:7166
+ #, c-format
+ msgid "typspec (len: %u)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7172
++#: vms-alpha.c:7173
+ #, c-format
+ msgid "septyp, name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7181
++#: vms-alpha.c:7182
+ #, c-format
+ msgid "recbeg: name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7183
++#: vms-alpha.c:7184
+ #, c-format
+ msgid "    len: %u bits\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7188
++#: vms-alpha.c:7189
+ #, c-format
+ msgid "recend\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7192
++#: vms-alpha.c:7193
+ #, c-format
+ msgid "enumbeg, len: %u, name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7196
++#: vms-alpha.c:7197
+ #, c-format
+ msgid "enumelt, name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7200
++#: vms-alpha.c:7201
+ #, c-format
+ msgid "enumend\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7205
++#: vms-alpha.c:7206
+ #, c-format
+ msgid "label, name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7207
++#: vms-alpha.c:7208
+ #, c-format
+ msgid "    address: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7217
++#: vms-alpha.c:7218
+ #, c-format
+ msgid "discontiguous range (nbr: %u)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7220
++#: vms-alpha.c:7221
+ #, c-format
+ msgid "    address: 0x%08x, size: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7230
++#: vms-alpha.c:7231
+ #, c-format
+ msgid "line num  (len: %u)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7247
++#: vms-alpha.c:7248
+ #, c-format
+ msgid "delta_pc_w %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7254
++#: vms-alpha.c:7255
+ #, c-format
+ msgid "incr_linum(b): +%u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7260
++#: vms-alpha.c:7261
+ #, c-format
+ msgid "incr_linum_w: +%u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7266
++#: vms-alpha.c:7267
+ #, c-format
+ msgid "incr_linum_l: +%u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7272
++#: vms-alpha.c:7273
+ #, c-format
+ msgid "set_line_num(w) %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7277
++#: vms-alpha.c:7278
+ #, c-format
+ msgid "set_line_num_b %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7282
++#: vms-alpha.c:7283
+ #, c-format
+ msgid "set_line_num_l %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7287
++#: vms-alpha.c:7288
+ #, c-format
+ msgid "set_abs_pc: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7291
++#: vms-alpha.c:7292
+ #, c-format
+ msgid "delta_pc_l: +0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7296
++#: vms-alpha.c:7297
+ #, c-format
+ msgid "term(b): 0x%02x"
+ msgstr ""
+ 
+-#: vms-alpha.c:7298
++#: vms-alpha.c:7299
+ #, c-format
+ msgid "        pc: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7303
++#: vms-alpha.c:7304
+ #, c-format
+ msgid "term_w: 0x%04x"
+ msgstr ""
+ 
+-#: vms-alpha.c:7305
++#: vms-alpha.c:7306
+ #, c-format
+ msgid "    pc: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7311
++#: vms-alpha.c:7312
+ #, c-format
+ msgid "delta pc +%-4d"
+ msgstr ""
+ 
+-#: vms-alpha.c:7315
++#: vms-alpha.c:7316
+ #, c-format
+ msgid "    pc: 0x%08x line: %5u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7320
++#: vms-alpha.c:7321
+ #, c-format
+ msgid "    *unhandled* cmd %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7335
++#: vms-alpha.c:7336
+ #, c-format
+ msgid "source (len: %u)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7350
++#: vms-alpha.c:7351
+ #, c-format
+ msgid "   declfile: len: %u, flags: %u, fileid: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7355
++#: vms-alpha.c:7356
+ #, c-format
+ msgid "   rms: cdt: 0x%08x %08x, ebk: 0x%08x, ffb: 0x%04x, rfo: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7364
++#: vms-alpha.c:7365
+ #, c-format
+ msgid "   filename   : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7373
++#: vms-alpha.c:7374
+ #, c-format
+ msgid "   setfile %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7378 vms-alpha.c:7383
++#: vms-alpha.c:7379 vms-alpha.c:7384
+ #, c-format
+ msgid "   setrec %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7388 vms-alpha.c:7393
++#: vms-alpha.c:7389 vms-alpha.c:7394
+ #, c-format
+ msgid "   setlnum %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7398 vms-alpha.c:7403
++#: vms-alpha.c:7399 vms-alpha.c:7404
+ #, c-format
+ msgid "   deflines %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7407
++#: vms-alpha.c:7408
+ #, c-format
+ msgid "   formfeed\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7411
++#: vms-alpha.c:7412
+ #, c-format
+ msgid "   *unhandled* cmd %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7423
++#: vms-alpha.c:7424
+ #, c-format
+ msgid "*unhandled* dst type %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7455
++#: vms-alpha.c:7456
+ #, c-format
+ msgid "cannot read EIHD\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7459
++#: vms-alpha.c:7460
+ #, c-format
+ msgid "EIHD: (size: %u, nbr blocks: %u)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7463
++#: vms-alpha.c:7464
+ #, c-format
+ msgid " majorid: %u, minorid: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7471
++#: vms-alpha.c:7472
+ msgid "executable"
+ msgstr ""
+ 
+-#: vms-alpha.c:7474
++#: vms-alpha.c:7475
+ msgid "linkable image"
+ msgstr ""
+ 
+-#: vms-alpha.c:7481
++#: vms-alpha.c:7482
+ #, c-format
+ msgid " image type: %u (%s)"
+ msgstr ""
+ 
+-#: vms-alpha.c:7487
++#: vms-alpha.c:7488
+ msgid "native"
+ msgstr ""
+ 
+-#: vms-alpha.c:7490
++#: vms-alpha.c:7491
+ msgid "CLI"
+ msgstr ""
+ 
+-#: vms-alpha.c:7497
++#: vms-alpha.c:7498
+ #, c-format
+ msgid ", subtype: %u (%s)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7504
++#: vms-alpha.c:7505
+ #, c-format
+ msgid " offsets: isd: %u, activ: %u, symdbg: %u, imgid: %u, patch: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7508
++#: vms-alpha.c:7509
+ #, c-format
+ msgid " fixup info rva: "
+ msgstr ""
+ 
+-#: vms-alpha.c:7510
++#: vms-alpha.c:7511
+ #, c-format
+ msgid ", symbol vector rva: "
+ msgstr ""
+ 
+-#: vms-alpha.c:7513
++#: vms-alpha.c:7514
+ #, c-format
+ msgid ""
+ "\n"
+ " version array off: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7518
++#: vms-alpha.c:7519
+ #, c-format
+ msgid " img I/O count: %u, nbr channels: %u, req pri: %08x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7524
++#: vms-alpha.c:7525
+ #, c-format
+ msgid " linker flags: %08x:"
+ msgstr ""
+ 
+-#: vms-alpha.c:7555
++#: vms-alpha.c:7556
+ #, c-format
+ msgid " ident: 0x%08x, sysver: 0x%08x, match ctrl: %u, symvect_size: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7561
++#: vms-alpha.c:7562
+ #, c-format
+ msgid " BPAGE: %u"
+ msgstr ""
+ 
+-#: vms-alpha.c:7568
++#: vms-alpha.c:7569
+ #, c-format
+ msgid ", ext fixup offset: %u, no_opt psect off: %u"
+ msgstr ""
+ 
+-#: vms-alpha.c:7571
++#: vms-alpha.c:7572
+ #, c-format
+ msgid ", alias: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7579
++#: vms-alpha.c:7580
+ #, c-format
+ msgid "system version array information:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7583
++#: vms-alpha.c:7584
+ #, c-format
+ msgid "cannot read EIHVN header\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7593
++#: vms-alpha.c:7594
+ #, c-format
+ msgid "cannot read EIHVN version\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7596
++#: vms-alpha.c:7597
+ #, c-format
+ msgid "   %02u "
+ msgstr ""
+ 
+-#: vms-alpha.c:7600
++#: vms-alpha.c:7601
+ msgid "BASE_IMAGE       "
+ msgstr ""
+ 
+-#: vms-alpha.c:7603
++#: vms-alpha.c:7604
+ msgid "MEMORY_MANAGEMENT"
+ msgstr ""
+ 
+-#: vms-alpha.c:7606
++#: vms-alpha.c:7607
+ msgid "IO               "
+ msgstr ""
+ 
+-#: vms-alpha.c:7609
++#: vms-alpha.c:7610
+ msgid "FILES_VOLUMES    "
+ msgstr ""
+ 
+-#: vms-alpha.c:7612
++#: vms-alpha.c:7613
+ msgid "PROCESS_SCHED    "
+ msgstr ""
+ 
+-#: vms-alpha.c:7615
++#: vms-alpha.c:7616
+ msgid "SYSGEN           "
+ msgstr ""
+ 
+-#: vms-alpha.c:7618
++#: vms-alpha.c:7619
+ msgid "CLUSTERS_LOCKMGR "
+ msgstr ""
+ 
+-#: vms-alpha.c:7621
++#: vms-alpha.c:7622
+ msgid "LOGICAL_NAMES    "
+ msgstr ""
+ 
+-#: vms-alpha.c:7624
++#: vms-alpha.c:7625
+ msgid "SECURITY         "
+ msgstr ""
+ 
+-#: vms-alpha.c:7627
++#: vms-alpha.c:7628
+ msgid "IMAGE_ACTIVATOR  "
+ msgstr ""
+ 
+-#: vms-alpha.c:7630
++#: vms-alpha.c:7631
+ msgid "NETWORKS         "
+ msgstr ""
+ 
+-#: vms-alpha.c:7633
++#: vms-alpha.c:7634
+ msgid "COUNTERS         "
+ msgstr ""
+ 
+-#: vms-alpha.c:7636
++#: vms-alpha.c:7637
+ msgid "STABLE           "
+ msgstr ""
+ 
+-#: vms-alpha.c:7639
++#: vms-alpha.c:7640
+ msgid "MISC             "
+ msgstr ""
+ 
+-#: vms-alpha.c:7642
++#: vms-alpha.c:7643
+ msgid "CPU              "
+ msgstr ""
+ 
+-#: vms-alpha.c:7645
++#: vms-alpha.c:7646
+ msgid "VOLATILE         "
+ msgstr ""
+ 
+-#: vms-alpha.c:7648
++#: vms-alpha.c:7649
+ msgid "SHELL            "
+ msgstr ""
+ 
+-#: vms-alpha.c:7651
++#: vms-alpha.c:7652
+ msgid "POSIX            "
+ msgstr ""
+ 
+-#: vms-alpha.c:7654
++#: vms-alpha.c:7655
+ msgid "MULTI_PROCESSING "
+ msgstr ""
+ 
+-#: vms-alpha.c:7657
++#: vms-alpha.c:7658
+ msgid "GALAXY           "
+ msgstr ""
+ 
+-#: vms-alpha.c:7660
++#: vms-alpha.c:7661
+ msgid "*unknown*        "
+ msgstr ""
+ 
+-#: vms-alpha.c:7676 vms-alpha.c:7951
++#: vms-alpha.c:7677 vms-alpha.c:7952
+ #, c-format
+ msgid "cannot read EIHA\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7679
++#: vms-alpha.c:7680
+ #, c-format
+ msgid "Image activation:  (size=%u)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7682
++#: vms-alpha.c:7683
+ #, c-format
+ msgid " First address : 0x%08x 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7686
++#: vms-alpha.c:7687
+ #, c-format
+ msgid " Second address: 0x%08x 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7690
++#: vms-alpha.c:7691
+ #, c-format
+ msgid " Third address : 0x%08x 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7694
++#: vms-alpha.c:7695
+ #, c-format
+ msgid " Fourth address: 0x%08x 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7698
++#: vms-alpha.c:7699
+ #, c-format
+ msgid " Shared image  : 0x%08x 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7709
++#: vms-alpha.c:7710
+ #, c-format
+ msgid "cannot read EIHI\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7713
++#: vms-alpha.c:7714
+ #, c-format
+ msgid "Image identification: (major: %u, minor: %u)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7716
++#: vms-alpha.c:7717
+ #, c-format
+ msgid " image name       : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7718
++#: vms-alpha.c:7719
+ #, c-format
+ msgid " link time        : %s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7720
++#: vms-alpha.c:7721
+ #, c-format
+ msgid " image ident      : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7722
++#: vms-alpha.c:7723
+ #, c-format
+ msgid " linker ident     : %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7724
++#: vms-alpha.c:7725
+ #, c-format
+ msgid " image build ident: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7734
++#: vms-alpha.c:7735
+ #, c-format
+ msgid "cannot read EIHS\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7738
++#: vms-alpha.c:7739
+ #, c-format
+ msgid "Image symbol & debug table: (major: %u, minor: %u)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7744
++#: vms-alpha.c:7745
+ #, c-format
+ msgid " debug symbol table : vbn: %u, size: %u (0x%x)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7749
++#: vms-alpha.c:7750
+ #, c-format
+ msgid " global symbol table: vbn: %u, records: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7754
++#: vms-alpha.c:7755
+ #, c-format
+ msgid " debug module table : vbn: %u, size: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7767
++#: vms-alpha.c:7768
+ #, c-format
+ msgid "cannot read EISD\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7778
++#: vms-alpha.c:7779
+ #, c-format
+ msgid ""
+ "Image section descriptor: (major: %u, minor: %u, size: %u, offset: %u)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7786
++#: vms-alpha.c:7787
+ #, c-format
+ msgid " section: base: 0x%08x%08x size: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7791
++#: vms-alpha.c:7792
+ #, c-format
+ msgid " flags: 0x%04x"
+ msgstr ""
+ 
+-#: vms-alpha.c:7829
++#: vms-alpha.c:7830
+ #, c-format
+ msgid " vbn: %u, pfc: %u, matchctl: %u type: %u ("
+ msgstr ""
+ 
+-#: vms-alpha.c:7835
++#: vms-alpha.c:7836
+ msgid "NORMAL"
+ msgstr ""
+ 
+-#: vms-alpha.c:7838
++#: vms-alpha.c:7839
+ msgid "SHRFXD"
+ msgstr ""
+ 
+-#: vms-alpha.c:7841
++#: vms-alpha.c:7842
+ msgid "PRVFXD"
+ msgstr ""
+ 
+-#: vms-alpha.c:7844
++#: vms-alpha.c:7845
+ msgid "SHRPIC"
+ msgstr ""
+ 
+-#: vms-alpha.c:7847
++#: vms-alpha.c:7848
+ msgid "PRVPIC"
+ msgstr ""
+ 
+-#: vms-alpha.c:7850
++#: vms-alpha.c:7851
+ msgid "USRSTACK"
+ msgstr ""
+ 
+-#: vms-alpha.c:7856
++#: vms-alpha.c:7857
+ msgid ")\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7859
++#: vms-alpha.c:7860
+ #, c-format
+ msgid " ident: 0x%08x, name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7869
++#: vms-alpha.c:7870
+ #, c-format
+ msgid "cannot read DMT\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7873
++#: vms-alpha.c:7874
+ #, c-format
+ msgid "Debug module table:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7882
++#: vms-alpha.c:7883
+ #, c-format
+ msgid "cannot read DMT header\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7888
++#: vms-alpha.c:7889
+ #, c-format
+ msgid " module offset: 0x%08x, size: 0x%08x, (%u psects)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7898
++#: vms-alpha.c:7899
+ #, c-format
+ msgid "cannot read DMT psect\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7902
++#: vms-alpha.c:7903
+ #, c-format
+ msgid "  psect start: 0x%08x, length: %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7915
++#: vms-alpha.c:7916
+ #, c-format
+ msgid "cannot read DST\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7925
++#: vms-alpha.c:7926
+ #, c-format
+ msgid "cannot read GST\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7929
++#: vms-alpha.c:7930
+ #, c-format
+ msgid "Global symbol table:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7958
++#: vms-alpha.c:7959
+ #, c-format
+ msgid "Image activator fixup: (major: %u, minor: %u)\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7962
++#: vms-alpha.c:7963
+ #, c-format
+ msgid "  iaflink : 0x%08x %08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7966
++#: vms-alpha.c:7967
+ #, c-format
+ msgid "  fixuplnk: 0x%08x %08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7969
++#: vms-alpha.c:7970
+ #, c-format
+ msgid "  size : %u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7971
++#: vms-alpha.c:7972
+ #, c-format
+ msgid "  flags: 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7976
++#: vms-alpha.c:7977
+ #, c-format
+ msgid "  qrelfixoff: %5u, lrelfixoff: %5u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7981
++#: vms-alpha.c:7982
+ #, c-format
+ msgid "  qdotadroff: %5u, ldotadroff: %5u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7986
++#: vms-alpha.c:7987
+ #, c-format
+ msgid "  codeadroff: %5u, lpfixoff  : %5u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7989
++#: vms-alpha.c:7990
+ #, c-format
+ msgid "  chgprtoff : %5u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7993
++#: vms-alpha.c:7994
+ #, c-format
+ msgid "  shlstoff  : %5u, shrimgcnt : %5u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7996
++#: vms-alpha.c:7997
+ #, c-format
+ msgid "  shlextra  : %5u, permctx   : %5u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:7999
++#: vms-alpha.c:8000
+ #, c-format
+ msgid "  base_va : 0x%08x\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8001
++#: vms-alpha.c:8002
+ #, c-format
+ msgid "  lppsbfixoff: %5u\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8009
++#: vms-alpha.c:8010
+ #, c-format
+ msgid " Shareable images:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8014
++#: vms-alpha.c:8015
+ #, c-format
+ msgid "  %u: size: %u, flags: 0x%02x, name: %.*s\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8021
++#: vms-alpha.c:8022
+ #, c-format
+ msgid " quad-word relocation fixups:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8026
++#: vms-alpha.c:8027
+ #, c-format
+ msgid " long-word relocation fixups:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8031
++#: vms-alpha.c:8032
+ #, c-format
+ msgid " quad-word .address reference fixups:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8036
++#: vms-alpha.c:8037
+ #, c-format
+ msgid " long-word .address reference fixups:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8041
++#: vms-alpha.c:8042
+ #, c-format
+ msgid " Code Address Reference Fixups:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8046
++#: vms-alpha.c:8047
+ #, c-format
+ msgid " Linkage Pairs Reference Fixups:\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8055
++#: vms-alpha.c:8056
+ #, c-format
+ msgid " Change Protection (%u entries):\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8061
++#: vms-alpha.c:8062
+ #, c-format
+ msgid "  base: 0x%08x %08x, size: 0x%08x, prot: 0x%08x "
+ msgstr ""
+ 
+ #. FIXME: we do not yet support relocatable link.  It is not obvious
+ #. how to do it for debug infos.
+-#: vms-alpha.c:8901
++#: vms-alpha.c:8902
+ msgid "%P: relocatable link is not supported\n"
+ msgstr ""
+ 
+-#: vms-alpha.c:8972
++#: vms-alpha.c:8973
+ #, c-format
+-msgid "%P: multiple entry points: in modules %B and %B\n"
++msgid "%P: multiple entry points: in modules %pB and %pB\n"
+ msgstr ""
+ 
+ #: vms-lib.c:1445
+@@ -8594,7 +8564,7 @@ msgstr ""
+ #: peigen.c:1906 peigen.c:2103 pepigen.c:1906 pepigen.c:2103 pex64igen.c:1906
+ #: pex64igen.c:2103
+ #, c-format
+-msgid "Warning, .pdata section size (%ld) is not a multiple of %d\n"
++msgid "warning, .pdata section size (%ld) is not a multiple of %d\n"
+ msgstr ""
+ 
+ #: peigen.c:1910 peigen.c:2107 pepigen.c:1910 pepigen.c:2107 pex64igen.c:1910
+@@ -8795,82 +8765,92 @@ msgid ""
+ "Characteristics 0x%x\n"
+ msgstr ""
+ 
+-#: peigen.c:2989 pepigen.c:2989 pex64igen.c:2989
++#: peigen.c:2990 pepigen.c:2990 pex64igen.c:2990
+ #, c-format
+-msgid "%B: Data Directory size (%lx) exceeds space left in section (%Lx)"
++msgid ""
++"%pB: Data Directory size (%lx) exceeds space left in section (%<PRIx64>)"
+ msgstr ""
+ 
+-#: peigen.c:3019 pepigen.c:3019 pex64igen.c:3019
+-msgid "Failed to update file offsets in debug directory"
++#: peigen.c:3021 pepigen.c:3021 pex64igen.c:3021
++msgid "failed to update file offsets in debug directory"
+ msgstr ""
+ 
+-#: peigen.c:3025 pepigen.c:3025 pex64igen.c:3025
+-msgid "%B: Failed to read debug data section"
++#: peigen.c:3027 pepigen.c:3027 pex64igen.c:3027
++#, c-format
++msgid "%pB: failed to read debug data section"
+ msgstr ""
+ 
+-#: peigen.c:3841 pepigen.c:3841 pex64igen.c:3841
++#: peigen.c:3843 pepigen.c:3843 pex64igen.c:3843
+ #, c-format
+ msgid ".rsrc merge failure: duplicate string resource: %d"
+ msgstr ""
+ 
+-#: peigen.c:3976 pepigen.c:3976 pex64igen.c:3976
++#: peigen.c:3978 pepigen.c:3978 pex64igen.c:3978
+ msgid ".rsrc merge failure: multiple non-default manifests"
+ msgstr ""
+ 
+-#: peigen.c:3994 pepigen.c:3994 pex64igen.c:3994
++#: peigen.c:3996 pepigen.c:3996 pex64igen.c:3996
+ msgid ".rsrc merge failure: a directory matches a leaf"
+ msgstr ""
+ 
+-#: peigen.c:4036 pepigen.c:4036 pex64igen.c:4036
++#: peigen.c:4038 pepigen.c:4038 pex64igen.c:4038
+ msgid ".rsrc merge failure: duplicate leaf"
+ msgstr ""
+ 
+-#: peigen.c:4038 pepigen.c:4038 pex64igen.c:4038
++#: peigen.c:4040 pepigen.c:4040 pex64igen.c:4040
+ #, c-format
+ msgid ".rsrc merge failure: duplicate leaf: %s"
+ msgstr ""
+ 
+-#: peigen.c:4104 pepigen.c:4104 pex64igen.c:4104
+-msgid ".rsrc merge failure: dirs with differing characteristics\n"
++#: peigen.c:4106 pepigen.c:4106 pex64igen.c:4106
++msgid ".rsrc merge failure: dirs with differing characteristics"
+ msgstr ""
+ 
+-#: peigen.c:4111 pepigen.c:4111 pex64igen.c:4111
+-msgid ".rsrc merge failure: differing directory versions\n"
++#: peigen.c:4113 pepigen.c:4113 pex64igen.c:4113
++msgid ".rsrc merge failure: differing directory versions"
+ msgstr ""
+ 
+ #. Corrupted .rsrc section - cannot merge.
+-#: peigen.c:4228 pepigen.c:4228 pex64igen.c:4228
+-msgid "%B: .rsrc merge failure: corrupt .rsrc section"
++#: peigen.c:4230 pepigen.c:4230 pex64igen.c:4230
++#, c-format
++msgid "%pB: .rsrc merge failure: corrupt .rsrc section"
+ msgstr ""
+ 
+-#: peigen.c:4236 pepigen.c:4236 pex64igen.c:4236
+-msgid "%B: .rsrc merge failure: unexpected .rsrc size"
++#: peigen.c:4238 pepigen.c:4238 pex64igen.c:4238
++#, c-format
++msgid "%pB: .rsrc merge failure: unexpected .rsrc size"
+ msgstr ""
+ 
+-#: peigen.c:4375 pepigen.c:4375 pex64igen.c:4375
+-msgid "%B: unable to fill in DataDictionary[1] because .idata$2 is missing"
++#: peigen.c:4377 pepigen.c:4377 pex64igen.c:4377
++#, c-format
++msgid "%pB: unable to fill in DataDictionary[1] because .idata$2 is missing"
+ msgstr ""
+ 
+-#: peigen.c:4395 pepigen.c:4395 pex64igen.c:4395
+-msgid "%B: unable to fill in DataDictionary[1] because .idata$4 is missing"
++#: peigen.c:4397 pepigen.c:4397 pex64igen.c:4397
++#, c-format
++msgid "%pB: unable to fill in DataDictionary[1] because .idata$4 is missing"
+ msgstr ""
+ 
+-#: peigen.c:4416 pepigen.c:4416 pex64igen.c:4416
+-msgid "%B: unable to fill in DataDictionary[12] because .idata$5 is missing"
++#: peigen.c:4418 pepigen.c:4418 pex64igen.c:4418
++#, c-format
++msgid "%pB: unable to fill in DataDictionary[12] because .idata$5 is missing"
+ msgstr ""
+ 
+-#: peigen.c:4436 pepigen.c:4436 pex64igen.c:4436
++#: peigen.c:4438 pepigen.c:4438 pex64igen.c:4438
++#, c-format
+ msgid ""
+-"%B: unable to fill in DataDictionary[PE_IMPORT_ADDRESS_TABLE (12)] because ."
++"%pB: unable to fill in DataDictionary[PE_IMPORT_ADDRESS_TABLE (12)] because ."
+ "idata$6 is missing"
+ msgstr ""
+ 
+-#: peigen.c:4478 pepigen.c:4478 pex64igen.c:4478
++#: peigen.c:4480 pepigen.c:4480 pex64igen.c:4480
++#, c-format
+ msgid ""
+-"%B: unable to fill in DataDictionary[PE_IMPORT_ADDRESS_TABLE(12)] because ."
++"%pB: unable to fill in DataDictionary[PE_IMPORT_ADDRESS_TABLE(12)] because ."
+ "idata$6 is missing"
+ msgstr ""
+ 
+-#: peigen.c:4503 pepigen.c:4503 pex64igen.c:4503
+-msgid "%B: unable to fill in DataDictionary[9] because __tls_used is missing"
++#: peigen.c:4505 pepigen.c:4505 pex64igen.c:4505
++#, c-format
++msgid "%pB: unable to fill in DataDictionary[9] because __tls_used is missing"
+ msgstr ""
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,5 +1,9 @@
+ 2018-04-24  Nick Clifton  <nickc@redhat.com>
+ 
++       PR 23110
++       * peXXigen.c (_bfd_XX_bfd_copy_private_bfd_data_common): Check for
++       a negative PE_DEBUG_DATA size before iterating over the debug data.
++
+        PR 23113
+        * elf.c (ignore_section_sym): Check for the output_section pointer
+        being NULL before dereferencing it.
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch
new file mode 100644
index 0000000..fa8fbd2
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-10535.patch
@@ -0,0 +1,61 @@
+From db0c309f4011ca94a4abc8458e27f3734dab92ac Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 24 Apr 2018 16:57:04 +0100
+Subject: [PATCH] Fix an illegal memory access when trying to copy an ELF
+ binary with corrupt section symbols.
+
+	PR 23113
+	* elf.c (ignore_section_sym): Check for the output_section pointer
+	being NULL before dereferencing it.
+
+Upstream-Status: Backport
+CVE: CVE-2018-10535
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 4 ++++
+ bfd/elf.c     | 9 ++++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -4021,15 +4021,22 @@ ignore_section_sym (bfd *abfd, asymbol *
+ {
+   elf_symbol_type *type_ptr;
+ 
++  if (sym == NULL)
++    return FALSE;
++
+   if ((sym->flags & BSF_SECTION_SYM) == 0)
+     return FALSE;
+ 
++  if (sym->section == NULL)
++    return TRUE;
++
+   type_ptr = elf_symbol_from (abfd, sym);
+   return ((type_ptr != NULL
+ 	   && type_ptr->internal_elf_sym.st_shndx != 0
+ 	   && bfd_is_abs_section (sym->section))
+ 	  || !(sym->section->owner == abfd
+-	       || (sym->section->output_section->owner == abfd
++	       || (sym->section->output_section != NULL
++		   && sym->section->output_section->owner == abfd
+ 		   && sym->section->output_offset == 0)
+ 	       || bfd_is_abs_section (sym->section)));
+ }
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2018-04-24  Nick Clifton  <nickc@redhat.com>
++
++       PR 23113
++       * elf.c (ignore_section_sym): Check for the output_section pointer
++       being NULL before dereferencing it.
++
+ 2018-04-17  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 23065
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch
new file mode 100644
index 0000000..fff4979
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-6759.patch
@@ -0,0 +1,108 @@
+From 64e234d417d5685a4aec0edc618114d9991c031b Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 6 Feb 2018 15:48:29 +0000
+Subject: [PATCH] Prevent attempts to call strncpy with a zero-length field by
+ chacking the size of debuglink sections.
+
+	PR 22794
+	* opncls.c (bfd_get_debug_link_info_1): Check the size of the
+	section before attempting to read it in.
+	(bfd_get_alt_debug_link_info): Likewise.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-6759
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  7 +++++++
+ bfd/opncls.c  | 22 +++++++++++++++++-----
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+Index: git/bfd/opncls.c
+===================================================================
+--- git.orig/bfd/opncls.c
++++ git/bfd/opncls.c
+@@ -1179,6 +1179,7 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+   bfd_byte *contents;
+   unsigned int crc_offset;
+   char *name;
++  bfd_size_type size;
+ 
+   BFD_ASSERT (abfd);
+   BFD_ASSERT (crc32_out);
+@@ -1188,6 +1189,12 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+   if (sect == NULL)
+     return NULL;
+ 
++  size = bfd_get_section_size (sect);
++
++  /* PR 22794: Make sure that the section has a reasonable size.  */
++  if (size < 8 || size >= bfd_get_size (abfd))
++    return NULL;
++
+   if (!bfd_malloc_and_get_section (abfd, sect, &contents))
+     {
+       if (contents != NULL)
+@@ -1197,10 +1204,10 @@ bfd_get_debug_link_info_1 (bfd *abfd, vo
+ 
+   /* CRC value is stored after the filename, aligned up to 4 bytes.  */
+   name = (char *) contents;
+-  /* PR 17597: avoid reading off the end of the buffer.  */
+-  crc_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
++  /* PR 17597: Avoid reading off the end of the buffer.  */
++  crc_offset = strnlen (name, size) + 1;
+   crc_offset = (crc_offset + 3) & ~3;
+-  if (crc_offset + 4 > bfd_get_section_size (sect))
++  if (crc_offset + 4 > size)
+     return NULL;
+ 
+   *crc32 = bfd_get_32 (abfd, contents + crc_offset);
+@@ -1261,6 +1268,7 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+   bfd_byte *contents;
+   unsigned int buildid_offset;
+   char *name;
++  bfd_size_type size;
+ 
+   BFD_ASSERT (abfd);
+   BFD_ASSERT (buildid_len);
+@@ -1271,6 +1279,10 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+   if (sect == NULL)
+     return NULL;
+ 
++  size = bfd_get_section_size (sect);
++  if (size < 8 || size >= bfd_get_size (abfd))
++    return NULL;
++
+   if (!bfd_malloc_and_get_section (abfd, sect, & contents))
+     {
+       if (contents != NULL)
+@@ -1280,11 +1292,11 @@ bfd_get_alt_debug_link_info (bfd * abfd,
+ 
+   /* BuildID value is stored after the filename.  */
+   name = (char *) contents;
+-  buildid_offset = strnlen (name, bfd_get_section_size (sect)) + 1;
++  buildid_offset = strnlen (name, size) + 1;
+   if (buildid_offset >= bfd_get_section_size (sect))
+     return NULL;
+ 
+-  *buildid_len = bfd_get_section_size (sect) - buildid_offset;
++  *buildid_len = size - buildid_offset;
+   *buildid_out = bfd_malloc (*buildid_len);
+   memcpy (*buildid_out, contents + buildid_offset, *buildid_len);
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,10 @@
++2018-02-06  Nick Clifton  <nickc@redhat.com>
++
++       PR 22794
++       * opncls.c (bfd_get_debug_link_info_1): Check the size of the
++       section before attempting to read it in.
++       (bfd_get_alt_debug_link_info): Likewise.
++
+ 2018-02-09  Nick Clifton  <nickc@redhat.com>
+ 
+        Import patch from mainline:
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-6872.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-6872.patch
new file mode 100644
index 0000000..2ef36c2
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-6872.patch
@@ -0,0 +1,50 @@
+From d895ef77ffc94e02e748856c2ab54f5bb8cc867e Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 9 Feb 2018 09:28:45 +0000
+Subject: [PATCH] Import patch from mainline to fix possible seg-fault whilst
+ parsing corrupt ELF notes with extravagent alignments.
+
+	PR 22788
+	* elf.c (elf_parse_notes): Reject notes with excessuively large
+	alignments.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-6872
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 9 +++++++++
+ bfd/elf.c     | 2 ++
+ 2 files changed, 11 insertions(+)
+
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -11020,6 +11020,8 @@ elf_parse_notes (bfd *abfd, char *buf, s
+      align is less than 4, we use 4 byte alignment.   */
+   if (align < 4)
+     align = 4;
++  if (align != 4 && align != 8)
++    return FALSE;
+ 
+   p = buf;
+   while (p < buf + size)
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,12 @@
++2018-02-09  Nick Clifton  <nickc@redhat.com>
++
++       Import patch from mainline:
++       2018-02-08  Nick Clifton  <nickc@redhat.com>
++
++       PR 22788
++       * elf.c (elf_parse_notes): Reject notes with excessuively large
++       alignments.
++
+ 2018-03-01  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22905
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch
new file mode 100644
index 0000000..8efefeb
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7208.patch
@@ -0,0 +1,47 @@
+From eb77f6a4621795367a39cdd30957903af9dbb815 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 27 Jan 2018 08:19:33 +1030
+Subject: [PATCH] PR22741, objcopy segfault on fuzzed COFF object
+
+	PR 22741
+	* coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
+	range before converting to a symbol table pointer.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE:  CVE-2018-7208
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/coffgen.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+Index: git/bfd/coffgen.c
+===================================================================
+--- git.orig/bfd/coffgen.c
++++ git/bfd/coffgen.c
+@@ -1555,7 +1555,8 @@ coff_pointerize_aux (bfd *abfd,
+     }
+   /* A negative tagndx is meaningless, but the SCO 3.2v4 cc can
+      generate one, so we must be careful to ignore it.  */
+-  if (auxent->u.auxent.x_sym.x_tagndx.l > 0)
++  if ((unsigned long) auxent->u.auxent.x_sym.x_tagndx.l
++      < obj_raw_syment_count (abfd))
+     {
+       auxent->u.auxent.x_sym.x_tagndx.p =
+ 	table_base + auxent->u.auxent.x_sym.x_tagndx.l;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2018-01-29  Alan Modra  <amodra@gmail.com>
++
++       PR 22741
++       * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
++       range before converting to a symbol table pointer.
++
+ 2018-02-28  Alan Modra  <amodra@gmail.com>
+ 
+        PR 22887
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7568.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7568.patch
new file mode 100644
index 0000000..815b32c
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7568.patch
@@ -0,0 +1,85 @@
+From eef104664efb52965d85a28bc3fc7c77e52e48e2 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 28 Feb 2018 10:13:54 +0000
+Subject: [PATCH] Fix potential integer overflow when reading corrupt dwarf1
+ debug information.
+
+	PR 22894
+	* dwarf1.c (parse_die): Check the length of form blocks before
+	advancing the data pointer.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-7568
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog |  6 ++++++
+ bfd/dwarf1.c  | 17 +++++++++++++++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+Index: git/bfd/dwarf1.c
+===================================================================
+--- git.orig/bfd/dwarf1.c
++++ git/bfd/dwarf1.c
+@@ -213,6 +213,7 @@ parse_die (bfd *	     abfd,
+   /* Then the attributes.  */
+   while (xptr + 2 <= aDiePtrEnd)
+     {
++      unsigned int   block_len;
+       unsigned short attr;
+ 
+       /* Parse the attribute based on its form.  This section
+@@ -255,12 +256,24 @@ parse_die (bfd *	     abfd,
+ 	  break;
+ 	case FORM_BLOCK2:
+ 	  if (xptr + 2 <= aDiePtrEnd)
+-	    xptr += bfd_get_16 (abfd, xptr);
++	    {
++	      block_len = bfd_get_16 (abfd, xptr);
++	      if (xptr + block_len > aDiePtrEnd
++		  || xptr + block_len < xptr)
++		return FALSE;
++	      xptr += block_len;
++	    }
+ 	  xptr += 2;
+ 	  break;
+ 	case FORM_BLOCK4:
+ 	  if (xptr + 4 <= aDiePtrEnd)
+-	    xptr += bfd_get_32 (abfd, xptr);
++	    {
++	      block_len = bfd_get_32 (abfd, xptr);
++	      if (xptr + block_len > aDiePtrEnd
++		  || xptr + block_len < xptr)
++		return FALSE;
++	      xptr += block_len;
++	    }
+ 	  xptr += 4;
+ 	  break;
+ 	case FORM_STRING:
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -4,7 +4,11 @@
+        * coffgen.c (coff_pointerize_aux): Ensure auxent tagndx is in
+        range before converting to a symbol table pointer.
+ 
+-2018-02-28  Alan Modra  <amodra@gmail.com>
++2018-02-28  Nick Clifton  <nickc@redhat.com>
++
++       PR 22894
++       * dwarf1.c (parse_die): Check the length of form blocks before
++       advancing the data pointer.
+ 
+        PR 22895
+        PR 22893
+@@ -14,6 +18,8 @@
+        size is invalid.
+        (read_attribute_value): Adjust invocations of read_n_bytes.
+ 
++2018-02-28  Alan Modra  <amodra@gmail.com>
++
+        PR 22887
+        * aoutx.h (swap_std_reloc_in): Correct r_index bound check.
+ 
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
new file mode 100644
index 0000000..96c0fd2
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7569.patch
@@ -0,0 +1,119 @@
+From 12c963421d045a127c413a0722062b9932c50aa9 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 28 Feb 2018 11:50:49 +0000
+Subject: [PATCH] Catch integer overflows/underflows when parsing corrupt DWARF
+ FORM blocks.
+
+	PR 22895
+	PR 22893
+	* dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
+	pointer.  Drop unused abfd parameter.  Check the size of the block
+	before initialising the data field.  Return the end pointer if the
+	size is invalid.
+	(read_attribute_value): Adjust invocations of read_n_bytes.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-7569
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog |  8 ++++++++
+ bfd/dwarf2.c  | 36 +++++++++++++++++++++---------------
+ 2 files changed, 29 insertions(+), 15 deletions(-)
+
+Index: git/bfd/dwarf2.c
+===================================================================
+--- git.orig/bfd/dwarf2.c
++++ git/bfd/dwarf2.c
+@@ -622,14 +622,24 @@ read_8_bytes (bfd *abfd, bfd_byte *buf,
+ }
+ 
+ static bfd_byte *
+-read_n_bytes (bfd *abfd ATTRIBUTE_UNUSED,
+-	      bfd_byte *buf,
+-	      bfd_byte *end,
+-	      unsigned int size ATTRIBUTE_UNUSED)
+-{
+-  if (buf + size > end)
+-    return NULL;
+-  return buf;
++read_n_bytes (bfd_byte *           buf,
++	      bfd_byte *           end,
++	      struct dwarf_block * block)
++{
++  unsigned int  size = block->size;
++  bfd_byte *    block_end = buf + size;
++
++  if (block_end > end || block_end < buf)
++    {
++      block->data = NULL;
++      block->size = 0;
++      return end;
++    }
++  else
++    {
++      block->data = buf;
++      return block_end;
++    }
+ }
+ 
+ /* Scans a NUL terminated string starting at BUF, returning a pointer to it.
+@@ -1127,8 +1137,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_2_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 2;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block4:
+@@ -1138,8 +1147,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_4_bytes (abfd, info_ptr, info_ptr_end);
+       info_ptr += 4;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data2:
+@@ -1179,8 +1187,7 @@ read_attribute_value (struct attribute *
+       blk->size = _bfd_safe_read_leb128 (abfd, info_ptr, &bytes_read,
+ 					 FALSE, info_ptr_end);
+       info_ptr += bytes_read;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_block1:
+@@ -1190,8 +1197,7 @@ read_attribute_value (struct attribute *
+ 	return NULL;
+       blk->size = read_1_byte (abfd, info_ptr, info_ptr_end);
+       info_ptr += 1;
+-      blk->data = read_n_bytes (abfd, info_ptr, info_ptr_end, blk->size);
+-      info_ptr += blk->size;
++      info_ptr = read_n_bytes (info_ptr, info_ptr_end, blk);
+       attr->u.blk = blk;
+       break;
+     case DW_FORM_data1:
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -6,6 +6,14 @@
+ 
+ 2018-02-28  Alan Modra  <amodra@gmail.com>
+ 
++       PR 22895
++       PR 22893
++       * dwarf2.c (read_n_bytes): Replace size parameter with dwarf_block
++       pointer.  Drop unused abfd parameter.  Check the size of the block
++       before initialising the data field.  Return the end pointer if the
++       size is invalid.
++       (read_attribute_value): Adjust invocations of read_n_bytes.
++
+        PR 22887
+        * aoutx.h (swap_std_reloc_in): Correct r_index bound check.
+ 
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7642.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7642.patch
new file mode 100644
index 0000000..9def46c
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7642.patch
@@ -0,0 +1,51 @@
+From 116acb2c268c89c89186673a7c92620d21825b25 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 28 Feb 2018 22:09:50 +1030
+Subject: [PATCH] PR22887, null pointer dereference in
+ aout_32_swap_std_reloc_out
+
+	PR 22887
+	* aoutx.h (swap_std_reloc_in): Correct r_index bound check.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-7642
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/aoutx.h   | 6 ++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+Index: git/bfd/aoutx.h
+===================================================================
+--- git.orig/bfd/aoutx.h
++++ git/bfd/aoutx.h
+@@ -2284,10 +2284,12 @@ NAME (aout, swap_std_reloc_in) (bfd *abf
+   if (r_baserel)
+     r_extern = 1;
+ 
+-  if (r_extern && r_index > symcount)
++  if (r_extern && r_index >= symcount)
+     {
+       /* We could arrange to return an error, but it might be useful
+-	 to see the file even if it is bad.  */
++	 to see the file even if it is bad.  FIXME: Of course this
++	 means that objdump -r *doesn't* see the actual reloc, and
++	 objcopy silently writes a different reloc.  */
+       r_extern = 0;
+       r_index = N_ABS;
+     }
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,8 @@
++2018-02-28  Alan Modra  <amodra@gmail.com>
++
++       PR 22887
++       * aoutx.h (swap_std_reloc_in): Correct r_index bound check.
++
+ 2018-02-06  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22794
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7643.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7643.patch
new file mode 100644
index 0000000..2a2dec3
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-7643.patch
@@ -0,0 +1,102 @@
+From d11ae95ea3403559f052903ab053f43ad7821e37 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 1 Mar 2018 16:14:08 +0000
+Subject: [PATCH] Prevent illegal memory accesses triggerd by intger overflow
+ when parsing corrupt DWARF information on a 32-bit host.
+
+	PR 22905
+	* dwarf.c (display_debug_ranges): Check that the offset loaded
+	from the range_entry structure is valid.
+
+Upstream-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-7643
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/ChangeLog |  6 ++++++
+ binutils/dwarf.c   | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+Index: git/binutils/dwarf.c
+===================================================================
+--- git.orig/binutils/dwarf.c
++++ git/binutils/dwarf.c
+@@ -387,6 +387,9 @@ read_uleb128 (unsigned char * data,
+     }								\
+   while (0)
+ 
++/* Read AMOUNT bytes from PTR and store them in VAL as an unsigned value.
++   Checks to make sure that the read will not reach or pass END
++   and that VAL is big enough to hold AMOUNT bytes.  */
+ #define SAFE_BYTE_GET(VAL, PTR, AMOUNT, END)	\
+   do						\
+     {						\
+@@ -415,6 +418,7 @@ read_uleb128 (unsigned char * data,
+     }						\
+   while (0)
+ 
++/* Like SAFE_BYTE_GET, but also increments PTR by AMOUNT.  */
+ #define SAFE_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END)	\
+   do							\
+     {							\
+@@ -423,6 +427,7 @@ read_uleb128 (unsigned char * data,
+     }							\
+   while (0)
+ 
++/* Like SAFE_BYTE_GET, but reads a signed value.  */
+ #define SAFE_SIGNED_BYTE_GET(VAL, PTR, AMOUNT, END)	\
+   do							\
+     {							\
+@@ -441,6 +446,7 @@ read_uleb128 (unsigned char * data,
+     }							\
+   while (0)
+ 
++/* Like SAFE_SIGNED_BYTE_GET, but also increments PTR by AMOUNT.  */
+ #define SAFE_SIGNED_BYTE_GET_AND_INC(VAL, PTR, AMOUNT, END)	\
+   do								\
+     {								\
+@@ -6543,6 +6549,7 @@ display_debug_ranges_list (unsigned char
+ 	break;
+       SAFE_SIGNED_BYTE_GET_AND_INC (end, start, pointer_size, finish);
+ 
++      
+       printf ("    %8.8lx ", offset);
+ 
+       if (begin == 0 && end == 0)
+@@ -6810,6 +6817,13 @@ display_debug_ranges (struct dwarf_secti
+ 	  continue;
+ 	}
+ 
++      if (next < section_begin || next >= finish)
++	{
++	  warn (_("Corrupt offset (%#8.8lx) in range entry %u\n"),
++		(unsigned long) offset, i);
++	  continue;
++	}
++
+       if (dwarf_check != 0 && i > 0)
+ 	{
+ 	  if (start < next)
+@@ -6825,6 +6839,7 @@ display_debug_ranges (struct dwarf_secti
+ 		    (unsigned long) (next - section_begin), section->name);
+ 	    }
+ 	}
++
+       start = next;
+       last_start = next;
+ 
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2018-03-01  Nick Clifton  <nickc@redhat.com>
++
++       PR 22905
++       * dwarf.c (display_debug_ranges): Check that the offset loaded
++       from the range_entry structure is valid.
++
+ 2018-05-08  Nick Clifton  <nickc@redhat.com>
+ 
+        PR 22809
diff --git a/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-8945.patch b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-8945.patch
new file mode 100644
index 0000000..6a43168
--- /dev/null
+++ b/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-8945.patch
@@ -0,0 +1,70 @@
+From 95a6d23566165208853a68d9cd3c6eedca840ec6 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Tue, 8 May 2018 12:51:06 +0100
+Subject: [PATCH] Prevent a memory exhaustion failure when running objdump on a
+ fuzzed input file with corrupt string and attribute sections.
+
+	PR 22809
+	* elf.c (bfd_elf_get_str_section): Check for an excessively large
+	string section.
+	* elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
+	attribute section is larger than the size of the file.
+
+Upsteram-Status: Backport
+Affects: Binutils <= 2.30
+CVE: CVE-2018-8945
+Signed-off-by: Armin kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog   | 8 ++++++++
+ bfd/elf-attrs.c | 9 +++++++++
+ bfd/elf.c       | 1 +
+ 3 files changed, 18 insertions(+)
+
+Index: git/bfd/elf-attrs.c
+===================================================================
+--- git.orig/bfd/elf-attrs.c
++++ git/bfd/elf-attrs.c
+@@ -438,6 +438,15 @@ _bfd_elf_parse_attributes (bfd *abfd, El
+   /* PR 17512: file: 2844a11d.  */
+   if (hdr->sh_size == 0)
+     return;
++  if (hdr->sh_size > bfd_get_file_size (abfd))
++    {
++      /* xgettext:c-format */
++      _bfd_error_handler (_("%pB: error: attribute section '%pA' too big: %#llx"),
++			  abfd, hdr->bfd_section, (long long) hdr->sh_size);
++      bfd_set_error (bfd_error_invalid_operation);
++      return;
++    }
++
+   contents = (bfd_byte *) bfd_malloc (hdr->sh_size + 1);
+   if (!contents)
+     return;
+Index: git/bfd/elf.c
+===================================================================
+--- git.orig/bfd/elf.c
++++ git/bfd/elf.c
+@@ -298,6 +298,7 @@ bfd_elf_get_str_section (bfd *abfd, unsi
+       /* Allocate and clear an extra byte at the end, to prevent crashes
+ 	 in case the string table is not terminated.  */
+       if (shstrtabsize + 1 <= 1
++	  || shstrtabsize > bfd_get_file_size (abfd)
+ 	  || bfd_seek (abfd, offset, SEEK_SET) != 0
+ 	  || (shstrtab = (bfd_byte *) bfd_alloc (abfd, shstrtabsize + 1)) == NULL)
+ 	shstrtab = NULL;
+Index: git/bfd/ChangeLog
+===================================================================
+--- git.orig/bfd/ChangeLog
++++ git/bfd/ChangeLog
+@@ -1,3 +1,11 @@
++2018-05-08  Nick Clifton  <nickc@redhat.com>
++
++       PR 22809
++       * elf.c (bfd_elf_get_str_section): Check for an excessively large
++       string section.
++       * elf-attrs.c (_bfd_elf_parse_attributes): Issue an error if the
++       attribute section is larger than the size of the file.
++
+ 2018-02-07  Alan Modra  <amodra@gmail.com>
+ 
+ 	Revert 2018-01-17  Alan Modra  <amodra@gmail.com>
diff --git a/poky/meta/recipes-devtools/chrpath/chrpath_0.16.bb b/poky/meta/recipes-devtools/chrpath/chrpath_0.16.bb
index b61eef9..8de8850 100644
--- a/poky/meta/recipes-devtools/chrpath/chrpath_0.16.bb
+++ b/poky/meta/recipes-devtools/chrpath/chrpath_0.16.bb
@@ -7,14 +7,12 @@
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552"
 
-SRC_URI = "https://alioth.debian.org/frs/download.php/file/3979/chrpath-0.16.tar.gz \
+SRC_URI = "${DEBIAN_MIRROR}/main/c/${BPN}/${BPN}_${PV}.orig.tar.gz \
            file://standarddoc.patch"
 
 SRC_URI[md5sum] = "2bf8d1d1ee345fc8a7915576f5649982"
 SRC_URI[sha256sum] = "bb0d4c54bac2990e1bdf8132f2c9477ae752859d523e141e72b3b11a12c26e7b"
 
-UPSTREAM_CHECK_URI = "http://alioth.debian.org/frs/?group_id=31052"
-
 inherit autotools
 
 # We don't have a staged chrpath-native for ensuring our binary is
diff --git a/poky/meta/recipes-devtools/gcc/gcc-7.3.inc b/poky/meta/recipes-devtools/gcc/gcc-7.3.inc
index 6dff694..d4aaca4 100644
--- a/poky/meta/recipes-devtools/gcc/gcc-7.3.inc
+++ b/poky/meta/recipes-devtools/gcc/gcc-7.3.inc
@@ -79,8 +79,8 @@
 BACKPORTS = "\
            file://0001-Fix-internal-compiler-error-in-testcase.patch \
            file://0001-PR-rtl-optimization-83030.patch \
-           file://0001-PR-c-80290-memory-hog-with-std-pair.patch \
            file://0001-Fix-ppc64le-build-Partial-backport-r256656.patch \
+           file://0001-PR-c-80290-memory-hog-with-std-pair.patch \
 "
 
 SRC_URI[md5sum] = "be2da21680f27624f3a87055c4ba5af2"
diff --git a/poky/meta/recipes-devtools/gcc/gcc-7.3/0001-Fix-ppc64le-build-Partial-backport-r256656.patch b/poky/meta/recipes-devtools/gcc/gcc-7.3/0001-Fix-ppc64le-build-Partial-backport-r256656.patch
index 5d8ffb7..cfb70e1 100644
--- a/poky/meta/recipes-devtools/gcc/gcc-7.3/0001-Fix-ppc64le-build-Partial-backport-r256656.patch
+++ b/poky/meta/recipes-devtools/gcc/gcc-7.3/0001-Fix-ppc64le-build-Partial-backport-r256656.patch
@@ -13,10 +13,7 @@
 	use of __builtin_vec_vsx_ld () built-in function, which operates
 	on unaligned pointer values.
 
-git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-6-branch@261621 138bc75d-0d04-0410-961f-82ee72b054a4
-
-
-git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-7-branch@262243 138bc75d-0d04-0410-961f-82ee72b054a4
+Upstream-Status: Backport
 Signed-off-by: Joel Stanley <joel@jms.id.au>
 ---
  libcpp/lex.c  |  2 +-
diff --git a/poky/meta/recipes-devtools/gcc/gcc-7.3/0001-PR-c-80290-memory-hog-with-std-pair.patch b/poky/meta/recipes-devtools/gcc/gcc-7.3/0001-PR-c-80290-memory-hog-with-std-pair.patch
index ba43af9..603a29a 100644
--- a/poky/meta/recipes-devtools/gcc/gcc-7.3/0001-PR-c-80290-memory-hog-with-std-pair.patch
+++ b/poky/meta/recipes-devtools/gcc/gcc-7.3/0001-PR-c-80290-memory-hog-with-std-pair.patch
@@ -7,7 +7,7 @@
 	check for a nested list argument.
 	(braced_init_depth): New.
 
-git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-7-branch@262204 138bc75d-0d04-0410-961f-82ee72b054a4
+Upstream-Status: Backport
 Signed-off-by: Joel Stanley <joel@jms.id.au>
 ---
  gcc/cp/pt.c      | 22 ++++++++++++++++++++++
diff --git a/poky/meta/recipes-devtools/go/go-1.10.inc b/poky/meta/recipes-devtools/go/go-1.10.inc
index 3a135bf..1df0fc5 100644
--- a/poky/meta/recipes-devtools/go/go-1.10.inc
+++ b/poky/meta/recipes-devtools/go/go-1.10.inc
@@ -1,7 +1,7 @@
 require go-common.inc
 
 GO_BASEVERSION = "1.10"
-GO_MINOR = ".2"
+GO_MINOR = ".3"
 PV .= "${GO_MINOR}"
 FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
 
@@ -20,5 +20,5 @@
 
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
 
-SRC_URI[main.md5sum] = "c63b35075bed693bbfc84d4a6262948a"
-SRC_URI[main.sha256sum] = "6264609c6b9cd8ed8e02ca84605d727ce1898d74efa79841660b2e3e985a98bd"
+SRC_URI[main.md5sum] = "d15dfb264105c5e84fbe33f4a4aa5021"
+SRC_URI[main.sha256sum] = "567b1cc66c9704d1c019c50bef946272e911ec6baf244310f87f4e678be155f2"
diff --git a/poky/meta/recipes-devtools/go/go-1.9.inc b/poky/meta/recipes-devtools/go/go-1.9.inc
index a942f6d..329cee0 100644
--- a/poky/meta/recipes-devtools/go/go-1.9.inc
+++ b/poky/meta/recipes-devtools/go/go-1.9.inc
@@ -1,7 +1,7 @@
 require go-common.inc
 
 GO_BASEVERSION = "1.9"
-GO_MINOR = ".6"
+GO_MINOR = ".7"
 PV .= "${GO_MINOR}"
 
 FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
@@ -22,5 +22,5 @@
 "
 SRC_URI_append_libc-musl = " file://set-external-linker.patch"
 
-SRC_URI[main.md5sum] = "52c1a3063291036597552d3fed0b2917"
-SRC_URI[main.sha256sum] = "36f4059be658f7f07091e27fe04bb9e97a0c4836eb446e4c5bac3c90ff9e5828"
+SRC_URI[main.md5sum] = "3c2cf876ed6612a022574a565206c6ea"
+SRC_URI[main.sha256sum] = "582814fa45e8ecb0859a208e517b48aa0ad951e3b36c7fff203d834e0ef27722"
diff --git a/poky/meta/recipes-devtools/python/python-scons-native_3.0.1.bb b/poky/meta/recipes-devtools/python/python-scons-native_3.0.1.bb
index dae89ab..68b63c9 100644
--- a/poky/meta/recipes-devtools/python/python-scons-native_3.0.1.bb
+++ b/poky/meta/recipes-devtools/python/python-scons-native_3.0.1.bb
@@ -4,5 +4,5 @@
 RDEPENDS_${PN} = ""
 
 do_install_append() {
-    create_wrapper ${D}${bindir}/scons SCONS_LIB_DIR='${STAGING_DIR_HOST}/${PYTHON_SITEPACKAGES_DIR}'
+    create_wrapper ${D}${bindir}/scons SCONS_LIB_DIR='${STAGING_DIR_HOST}/${PYTHON_SITEPACKAGES_DIR}' PYTHONNOUSERSITE='1'
 }
diff --git a/poky/meta/recipes-devtools/python/python3_3.5.5.bb b/poky/meta/recipes-devtools/python/python3_3.5.5.bb
index f893b84..4dae4fa 100644
--- a/poky/meta/recipes-devtools/python/python3_3.5.5.bb
+++ b/poky/meta/recipes-devtools/python/python3_3.5.5.bb
@@ -176,7 +176,7 @@
 }
 
 do_install_append_class-nativesdk () {
-	create_wrapper ${D}${bindir}/python${PYTHON_MAJMIN} TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo'
+	create_wrapper ${D}${bindir}/python${PYTHON_MAJMIN} TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo' PYTHONNOUSERSITE='1'
 }
 
 SSTATE_SCAN_FILES += "Makefile"
diff --git a/poky/meta/recipes-devtools/python/python_2.7.14.bb b/poky/meta/recipes-devtools/python/python_2.7.14.bb
index 41a8609..b923b92 100644
--- a/poky/meta/recipes-devtools/python/python_2.7.14.bb
+++ b/poky/meta/recipes-devtools/python/python_2.7.14.bb
@@ -130,7 +130,7 @@
 }
 
 do_install_append_class-nativesdk () {
-	create_wrapper ${D}${bindir}/python2.7 PYTHONHOME='${prefix}' TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo'
+	create_wrapper ${D}${bindir}/python2.7 PYTHONHOME='${prefix}' TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo' PYTHONNOUSERSITE='1'
 }
 
 SSTATE_SCAN_FILES += "Makefile"
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch
new file mode 100644
index 0000000..8622360
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch
@@ -0,0 +1,69 @@
+Upstream-Status: Backport
+
+https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html
+
+From dc21a9d2951f0a2a7e63633e2b5c68c54e4edc4b Mon Sep 17 00:00:00 2001
+From: Jeremy Puhlman <jpuhlman@mvista.com>
+Date: Thu, 14 Jun 2018 01:28:49 +0000
+Subject: [PATCH] CVE-2018-11806 QEMU: slirp: heap buffer overflow
+
+Subject: [Qemu-devel] [PATCH 1/2] slirp: correct size computation while concatenating mbuf
+Date:	Tue, 5 Jun 2018 23:38:35 +0530
+From: Prasad J Pandit <address@hidden>
+
+While reassembling incoming fragmented datagrams, 'm_cat' routine
+extends the 'mbuf' buffer, if it has insufficient room. It computes
+a wrong buffer size, which leads to overwriting adjacent heap buffer
+area. Correct this size computation in m_cat.
+
+Reported-by: ZDI Disclosures <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ slirp/mbuf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
+---
+ slirp/mbuf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/slirp/mbuf.c b/slirp/mbuf.c
+index 5ff2455..7fb4501 100644
+--- a/slirp/mbuf.c
++++ b/slirp/mbuf.c
+@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
+ 	 * If there's no room, realloc
+ 	 */
+ 	if (M_FREEROOM(m) < n->m_len)
+-		m_inc(m,m->m_size+MINCSIZE);
++               m_inc(m, m->m_len + n->m_len);
+ 
+ 	memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
+ 	m->m_len += n->m_len;
+@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
+ 
+         if (m->m_flags & M_EXT) {
+ 	  datasize = m->m_data - m->m_ext;
+-          m->m_ext = g_realloc(m->m_ext, size);
++          m->m_ext = g_realloc(m->m_ext, size + datasize);
+ 	  m->m_data = m->m_ext + datasize;
+         } else {
+ 	  char *dat;
+ 	  datasize = m->m_data - m->m_dat;
+-          dat = g_malloc(size);
++          dat = g_malloc(size + datasize);
+ 	  memcpy(dat, m->m_dat, m->m_size);
+ 
+ 	  m->m_ext = dat;
+@@ -171,7 +171,7 @@ m_inc(struct mbuf *m, int size)
+ 	  m->m_flags |= M_EXT;
+         }
+ 
+-        m->m_size = size;
++        m->m_size = size + datasize;
+ 
+ }
+ 
+-- 
+2.13.3
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/disable-grabs.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch
similarity index 86%
rename from poky/meta/recipes-devtools/qemu/qemu/disable-grabs.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch
index 7711789..add5d8b 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/disable-grabs.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch
@@ -1,3 +1,11 @@
+From 273e1af49d3e0a58bb9464369deb2652f243e649 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Wed, 18 Sep 2013 14:04:54 +0100
+Subject: [PATCH] sdl.c: allow user to disable pointer grabs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
 When the pointer enters the Qemu window it calls SDL_WM_GrabInput, which calls
 XGrabPointer in a busyloop until it returns GrabSuccess. However if there's already
 a pointer grab (screen is locked, a menu is open) then qemu will hang until the
@@ -12,22 +20,15 @@
 
 Upstream-Status: Pending
 Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 4b1988ecb01a178269ec0513a75f2ec620c7ef6a Mon Sep 17 00:00:00 2001
-From: Ross Burton <ross.burton@intel.com>
-Date: Wed, 18 Sep 2013 14:04:54 +0100
-Subject: [PATCH] sdl.c: allow user to disable pointer grabs
-
-Signed-off-by: Ross Burton <ross.burton@intel.com>
 Signed-off-by: Eric Bénard <eric@eukrea.com>
 ---
  ui/sdl.c | 12 ++++++++++--
  1 file changed, 10 insertions(+), 2 deletions(-)
 
-Index: qemu-2.11.1/ui/sdl.c
-===================================================================
---- qemu-2.11.1.orig/ui/sdl.c
-+++ qemu-2.11.1/ui/sdl.c
+diff --git a/ui/sdl.c b/ui/sdl.c
+index 7b71a9a..29ce1b9 100644
+--- a/ui/sdl.c
++++ b/ui/sdl.c
 @@ -63,6 +63,10 @@ static SDL_PixelFormat host_format;
  static int scaling_active = 0;
  static Notifier mouse_mode_notifier;
@@ -58,7 +59,7 @@
      gui_grab = 0;
      sdl_show_cursor();
      sdl_update_caption();
-@@ -986,6 +992,8 @@ void sdl_display_init(DisplayState *ds,
+@@ -986,6 +992,8 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
       * This requires SDL >= 1.2.14. */
      setenv("SDL_DISABLE_LOCK_KEYS", "1", 1);
  
diff --git a/poky/meta/recipes-devtools/qemu/qemu/wacom.patch b/poky/meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch
similarity index 87%
rename from poky/meta/recipes-devtools/qemu/qemu/wacom.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch
index cd06aa4..281803e 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/wacom.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch
@@ -1,19 +1,27 @@
+From a42726e017605ed3ca2b3fc2b1cc8d01ccf34730 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Thu, 27 Nov 2014 14:04:29 +0000
+Subject: [PATCH] qemu: Add missing wacom HID descriptor
+
 The USB wacom device is missing a HID descriptor which causes it
 to fail to operate with recent kernels (e.g. 3.17).
 
-This patch adds a HID desriptor to the device, based upon one from 
+This patch adds a HID desriptor to the device, based upon one from
 real wcom device.
 
 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 
 Upstream-Status: Submitted
 2014/11/27
+---
+ hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 93 insertions(+), 1 deletion(-)
 
-Index: qemu-2.1.0/hw/usb/dev-wacom.c
-===================================================================
---- qemu-2.1.0.orig/hw/usb/dev-wacom.c	2014-08-01 15:12:17.000000000 +0100
-+++ qemu-2.1.0/hw/usb/dev-wacom.c	2014-10-12 12:13:30.540306042 +0100
-@@ -68,6 +68,89 @@
+diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
+index bf70013..2f6e129 100644
+--- a/hw/usb/dev-wacom.c
++++ b/hw/usb/dev-wacom.c
+@@ -72,6 +72,89 @@ static const USBDescStrings desc_strings = {
      [STR_SERIALNUMBER]     = "1",
  };
  
@@ -103,7 +111,7 @@
  static const USBDescIface desc_iface_wacom = {
      .bInterfaceNumber              = 0,
      .bNumEndpoints                 = 1,
-@@ -85,7 +168,7 @@
+@@ -89,7 +172,7 @@ static const USBDescIface desc_iface_wacom = {
                  0x00,          /*  u8  country_code */
                  0x01,          /*  u8  num_descriptors */
                  0x22,          /*  u8  type: Report */
@@ -112,7 +120,7 @@
              },
          },
      },
-@@ -265,6 +350,15 @@
+@@ -269,6 +352,15 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p,
      }
  
      switch (request) {
diff --git a/poky/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile-v10.patch b/poky/meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
similarity index 65%
rename from poky/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile-v10.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
index e963982..dc07300 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile-v10.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
@@ -1,19 +1,23 @@
-From 4201a5791fc4798a45a9b9f881602d7bacb74ed1 Mon Sep 17 00:00:00 2001
+From fda1eee8bc717528d57f6ff454f72c5325043c31 Mon Sep 17 00:00:00 2001
 From: Juro Bystricky <juro.bystricky@intel.com>
 Date: Thu, 31 Aug 2017 11:06:56 -0700
-Subject: Add subpackage -ptest which runs all unit test cases for qemu.
+Subject: [PATCH] Add subpackage -ptest which runs all unit test cases for
+ qemu.
 
 Upstream-Status: Pending
 
 Signed-off-by: Kai Kang <kai.kang@windriver.com>
 
 Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+---
+ tests/Makefile.include | 8 ++++++++
+ 1 file changed, 8 insertions(+)
 
 diff --git a/tests/Makefile.include b/tests/Makefile.include
-index f08b741..3d1b3e9 100644
+index c002352..f557c26 100644
 --- a/tests/Makefile.include
 +++ b/tests/Makefile.include
-@@ -924,4 +924,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
+@@ -935,4 +935,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
  -include $(wildcard tests/*.d)
  -include $(wildcard tests/libqos/*.d)
  
diff --git a/poky/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch b/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch
similarity index 66%
rename from poky/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch
index c7425ab..4f28e16 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch
@@ -1,4 +1,8 @@
-qemu: Add addition environment space to boot loader qemu-system-mips 
+From ad70fdcaf75084da2e02474c61d1d441ca100ab2 Mon Sep 17 00:00:00 2001
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Fri, 28 Mar 2014 17:42:43 +0800
+Subject: [PATCH] qemu: Add addition environment space to boot loader
+ qemu-system-mips
 
 Upstream-Status: Inappropriate - OE uses deep paths
 
@@ -10,14 +14,14 @@
 Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
 Signed-off-by: Roy Li <rongqing.li@windriver.com>
 ---
- hw/mips/mips_malta.c    |    2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
+ hw/mips/mips_malta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
-index 9d521cc..17c0391 100644
+index ec6af4a..6e76166 100644
 --- a/hw/mips/mips_malta.c
 +++ b/hw/mips/mips_malta.c
-@@ -53,7 +53,7 @@
+@@ -61,7 +61,7 @@
  
  #define ENVP_ADDR		0x80002000l
  #define ENVP_NB_ENTRIES	 	16
@@ -26,6 +30,3 @@
  
  /* Hardware addresses */
  #define FLASH_ADDRESS 0x1e000000ULL
--- 
-1.7.10.4
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch b/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch
new file mode 100644
index 0000000..b9e0183
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch
@@ -0,0 +1,33 @@
+From e85ee3cc9988172662d6969af01f23fa8ffd5262 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Tue, 20 Oct 2015 22:19:08 +0100
+Subject: [PATCH] qemu: disable Valgrind
+
+There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ configure | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/configure b/configure
+index 0c6e757..c30fd45 100755
+--- a/configure
++++ b/configure
+@@ -4741,15 +4741,6 @@ fi
+ # check if we have valgrind/valgrind.h
+ 
+ valgrind_h=no
+-cat > $TMPC << EOF
+-#include <valgrind/valgrind.h>
+-int main(void) {
+-  return 0;
+-}
+-EOF
+-if compile_prog "" "" ; then
+-    valgrind_h=yes
+-fi
+ 
+ ########################################
+ # check if environ is declared
diff --git a/poky/meta/recipes-devtools/qemu/qemu/pathlimit.patch b/poky/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch
similarity index 78%
rename from poky/meta/recipes-devtools/qemu/qemu/pathlimit.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch
index 57ab981..9315f85 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/pathlimit.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch
@@ -1,3 +1,8 @@
+From c79c48a79710d0e2ef68062435596ac455cd9f71 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Wed, 9 Mar 2016 22:49:02 +0000
+Subject: [PATCH] qemu: Limit paths searched during user mode emulation
+
 By default qemu builds a complete list of directories within the user
 emulation sysroot (-L option). The OE sysroot directory is large and
 this is confusing, for example it indexes all pkgdata. In particular this
@@ -8,18 +13,21 @@
 reads and reduces memory usage and cleans up strace.
 
 It would also avoid the infinite directory traversal bug in [YOCTO #6996]
-although the code could still be vulnerable if it parsed those specific 
+although the code could still be vulnerable if it parsed those specific
 paths.
 
 RP
 2016/3/9
 Upstream-Status: Pending
+---
+ util/path.c | 44 ++++++++++++++++++++++----------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
 
-Index: qemu-2.5.0/util/path.c
-===================================================================
---- qemu-2.5.0.orig/util/path.c
-+++ qemu-2.5.0/util/path.c
-@@ -19,6 +19,7 @@ struct pathelem
+diff --git a/util/path.c b/util/path.c
+index 7f9fc27..a416cd4 100644
+--- a/util/path.c
++++ b/util/path.c
+@@ -15,6 +15,7 @@ struct pathelem
      char *name;
      /* Full path name, eg. /usr/gnemul/x86-linux/lib. */
      char *pathname;
@@ -27,7 +35,7 @@
      struct pathelem *parent;
      /* Children */
      unsigned int num_entries;
-@@ -49,6 +50,7 @@ static struct pathelem *new_entry(const
+@@ -45,6 +46,7 @@ static struct pathelem *new_entry(const char *root,
      new->name = g_strdup(name);
      new->pathname = g_strdup_printf("%s/%s", root, name);
      new->num_entries = 0;
@@ -35,7 +43,7 @@
      return new;
  }
  
-@@ -57,15 +59,16 @@ static struct pathelem *new_entry(const
+@@ -53,15 +55,16 @@ static struct pathelem *new_entry(const char *root,
  /* Not all systems provide this feature */
  #if defined(DT_DIR) && defined(DT_UNKNOWN) && defined(DT_LNK)
  # define dirent_type(dirent) ((dirent)->d_type)
@@ -55,7 +63,7 @@
      DIR *dir;
  
      if ((dir = opendir(path->pathname)) != NULL) {
-@@ -78,6 +81,11 @@ static struct pathelem *add_dir_maybe(st
+@@ -74,6 +77,11 @@ static struct pathelem *add_dir_maybe(struct pathelem *path)
          }
          closedir(dir);
      }
@@ -67,7 +75,7 @@
      return path;
  }
  
-@@ -93,26 +101,16 @@ static struct pathelem *add_entry(struct
+@@ -89,26 +97,16 @@ static struct pathelem *add_entry(struct pathelem *root, const char *name,
      e = &root->entries[root->num_entries-1];
  
      *e = new_entry(root->pathname, root, name);
@@ -97,7 +105,7 @@
  {
      unsigned int i, namelen;
  
-@@ -123,14 +121,18 @@ follow_path(const struct pathelem *curso
+@@ -119,14 +117,18 @@ follow_path(const struct pathelem *cursor, const char *name)
          return cursor->pathname;
  
      if (strneq(name, namelen, ".."))
@@ -119,7 +127,7 @@
  
      /* Not found */
      return NULL;
-@@ -164,8 +166,6 @@ void init_paths(const char *prefix)
+@@ -160,8 +162,6 @@ void init_paths(const char *prefix)
          g_free(base->name);
          g_free(base);
          base = NULL;
@@ -128,7 +136,7 @@
      }
  }
  
-@@ -177,5 +177,5 @@ const char *path(const char *name)
+@@ -173,5 +173,5 @@ const char *path(const char *name)
      if (!base || !name || name[0] != '/')
          return name;
  
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/poky/meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
new file mode 100644
index 0000000..ad52f37
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
@@ -0,0 +1,25 @@
+From 4b21a8db60c32f93df56e6111bb926c91680d6f2 Mon Sep 17 00:00:00 2001
+From: Stephen Arnold <sarnold@vctlabs.com>
+Date: Sun, 12 Jun 2016 18:09:56 -0700
+Subject: [PATCH] qemu-native: set ld.bfd, fix cflags, and set some environment
+
+Upstream-Status: Pending
+---
+ configure | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/configure b/configure
+index c30fd45..b5312f4 100755
+--- a/configure
++++ b/configure
+@@ -5115,10 +5115,6 @@ fi
+ if test "$gcov" = "yes" ; then
+   CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
+   LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
+-elif test "$fortify_source" = "yes" ; then
+-  CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
+-elif test "$debug" = "no"; then
+-  CFLAGS="-O2 $CFLAGS"
+ fi
+ 
+ ##########################################
diff --git a/poky/meta/recipes-devtools/qemu/qemu/chardev-connect-socket-to-a-spawned-command.patch b/poky/meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch
similarity index 92%
rename from poky/meta/recipes-devtools/qemu/qemu/chardev-connect-socket-to-a-spawned-command.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch
index 6e6bf95..f0c0fa1 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/chardev-connect-socket-to-a-spawned-command.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch
@@ -1,4 +1,4 @@
-From 3bb3100c22eb30146a69656480bdffeef8663575 Mon Sep 17 00:00:00 2001
+From 55c9510311b7481a0c8f3f71b3ce130cc25563f9 Mon Sep 17 00:00:00 2001
 From: Alistair Francis <alistair.francis@xilinx.com>
 Date: Thu, 21 Dec 2017 11:35:16 -0800
 Subject: [PATCH] chardev: connect socket to a spawned command
@@ -45,13 +45,13 @@
 
 Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
 ---
- chardev/char-socket.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++---
+ chardev/char-socket.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++
  chardev/char.c        |  3 ++
  qapi/char.json        |  5 +++
- 3 files changed, 90 insertions(+), 4 deletions(-)
+ 3 files changed, 107 insertions(+)
 
 diff --git a/chardev/char-socket.c b/chardev/char-socket.c
-index 53eda8ef00..f566107c35 100644
+index 53eda8e..6c63555 100644
 --- a/chardev/char-socket.c
 +++ b/chardev/char-socket.c
 @@ -852,6 +852,68 @@ static gboolean socket_reconnect_timeout(gpointer opaque)
@@ -123,7 +123,7 @@
  static void qmp_chardev_open_socket(Chardev *chr,
                                      ChardevBackend *backend,
                                      bool *be_opened,
-@@ -859,6 +921,9 @@
+@@ -859,6 +921,9 @@ static void qmp_chardev_open_socket(Chardev *chr,
  {
      SocketChardev *s = SOCKET_CHARDEV(chr);
      ChardevSocket *sock = backend->u.socket.data;
@@ -133,15 +133,14 @@
      bool do_nodelay     = sock->has_nodelay ? sock->nodelay : false;
      bool is_listen      = sock->has_server  ? sock->server  : true;
      bool is_telnet      = sock->has_telnet  ? sock->telnet  : false;
-@@ -925,7 +990,14 @@
+@@ -925,7 +990,14 @@ static void qmp_chardev_open_socket(Chardev *chr,
      } else if (reconnect > 0) {
          s->reconnect_time = reconnect;
      }
--
 +#ifndef _WIN32
 +    if (cmd) {
 +        chardev_open_socket_cmd(chr, cmd, errp);
-+
+ 
 +        /* everything ready (or failed permanently) before we return */
 +        *be_opened = true;
 +    } else
@@ -149,7 +148,7 @@
      if (s->reconnect_time) {
          sioc = qio_channel_socket_new();
          tcp_chr_set_client_ioc_name(chr, sioc);
-@@ -985,10 +1057,26 @@
+@@ -985,10 +1057,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
      const char *host = qemu_opt_get(opts, "host");
      const char *port = qemu_opt_get(opts, "port");
      const char *tls_creds = qemu_opt_get(opts, "tls-creds");
@@ -176,7 +175,7 @@
      if (!path) {
          if (!host) {
              error_setg(errp, "chardev: socket: no host given");
-@@ -1021,13 +1109,24 @@
+@@ -1021,13 +1109,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
      sock->has_reconnect = true;
      sock->reconnect = reconnect;
      sock->tls_creds = g_strdup(tls_creds);
@@ -202,21 +201,21 @@
          addr->type = SOCKET_ADDRESS_LEGACY_KIND_INET;
          addr->u.inet.data = g_new(InetSocketAddress, 1);
 diff --git a/chardev/char.c b/chardev/char.c
-index 2ae4f465ec..5d52cd5de5 100644
+index 2ae4f46..5d52cd5 100644
 --- a/chardev/char.c
 +++ b/chardev/char.c
-@@ -792,6 +792,9 @@ QemuOptsList qemu_chardev_opts = {
-         },{
+@@ -793,6 +793,9 @@ QemuOptsList qemu_chardev_opts = {
              .name = "path",
              .type = QEMU_OPT_STRING,
-+        },{
+         },{
 +            .name = "cmd",
 +            .type = QEMU_OPT_STRING,
-         },{
++        },{
              .name = "host",
              .type = QEMU_OPT_STRING,
+         },{
 diff --git a/qapi/char.json b/qapi/char.json
-index ae19dcd1ed..6de0f29bcd 100644
+index ae19dcd..6de0f29 100644
 --- a/qapi/char.json
 +++ b/qapi/char.json
 @@ -241,6 +241,10 @@
@@ -238,5 +237,3 @@
                                       '*tls-creds'  : 'str',
                                       '*server'    : 'bool',
                                       '*wait'      : 'bool',
--- 
-2.14.1
diff --git a/poky/meta/recipes-devtools/qemu/qemu/apic-fixup-fallthrough-to-PIC.patch b/poky/meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch
similarity index 80%
rename from poky/meta/recipes-devtools/qemu/qemu/apic-fixup-fallthrough-to-PIC.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch
index d6a3522..915bfda 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/apic-fixup-fallthrough-to-PIC.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch
@@ -1,7 +1,7 @@
-From bef93bb81588b5323a52d2e1886f2a77b64a976b Mon Sep 17 00:00:00 2001
+From 945f428016f278fa8e38bc8d153397c3195f85a5 Mon Sep 17 00:00:00 2001
 From: Mark Asselstine <mark.asselstine@windriver.com>
 Date: Tue, 26 Feb 2013 11:43:28 -0500
-Subject: [PATCH 03/18] apic: fixup fallthrough to PIC
+Subject: [PATCH] apic: fixup fallthrough to PIC
 
 Commit 0e21e12bb311c4c1095d0269dc2ef81196ccb60a [Don't route PIC
 interrupts through the local APIC if the local APIC config says so.]
@@ -28,11 +28,11 @@
  hw/intc/apic.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-Index: qemu-2.11.1/hw/intc/apic.c
-===================================================================
---- qemu-2.11.1.orig/hw/intc/apic.c
-+++ qemu-2.11.1/hw/intc/apic.c
-@@ -591,7 +591,7 @@ int apic_accept_pic_intr(DeviceState *de
+diff --git a/hw/intc/apic.c b/hw/intc/apic.c
+index fe15fb6..8352c39 100644
+--- a/hw/intc/apic.c
++++ b/hw/intc/apic.c
+@@ -591,7 +591,7 @@ int apic_accept_pic_intr(DeviceState *dev)
      APICCommonState *s = APIC(dev);
      uint32_t lvt0;
  
diff --git a/poky/meta/recipes-devtools/qemu/qemu/linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/poky/meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
similarity index 87%
rename from poky/meta/recipes-devtools/qemu/qemu/linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
index d2c5225..ceb3980 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
@@ -1,4 +1,4 @@
-From 4fa4aae4176ef6d8f4d4b8323d061e2433918a26 Mon Sep 17 00:00:00 2001
+From 4333b2b269d997a719e19f00d044105e17700be2 Mon Sep 17 00:00:00 2001
 From: Alistair Francis <alistair.francis@xilinx.com>
 Date: Wed, 17 Jan 2018 10:51:49 -0800
 Subject: [PATCH] linux-user: Fix webkitgtk hangs on 32-bit x86 target
@@ -18,10 +18,10 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/linux-user/main.c b/linux-user/main.c
-index 450eb3ce65..c7cc0a184e 100644
+index 146ee3e..1332b5c 100644
 --- a/linux-user/main.c
 +++ b/linux-user/main.c
-@@ -77,7 +77,7 @@ do {                                                                    \
+@@ -78,7 +78,7 @@ do {                                                                    \
        (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32))
  /* There are a number of places where we assign reserved_va to a variable
     of type abi_ulong and expect it to fit.  Avoid the last page.  */
@@ -30,6 +30,3 @@
  #  else
  #   define MAX_RESERVED_VA  (1ul << TARGET_VIRT_ADDR_SPACE_BITS)
  #  endif
--- 
-2.14.1
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/memfd.patch b/poky/meta/recipes-devtools/qemu/qemu/0011-memfd-fix-configure-test.patch
similarity index 88%
rename from poky/meta/recipes-devtools/qemu/qemu/memfd.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0011-memfd-fix-configure-test.patch
index 62e8d38..880cb98 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/memfd.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0011-memfd-fix-configure-test.patch
@@ -1,7 +1,4 @@
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From 75e5b70e6b5dcc4f2219992d7cffa462aa406af0 Mon Sep 17 00:00:00 2001
+From 0c8af3f651a125d636a71d93bafd35ff5240431a Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini <pbonzini@redhat.com>
 Date: Tue, 28 Nov 2017 11:51:27 +0100
 Subject: [PATCH] memfd: fix configure test
@@ -19,6 +16,8 @@
 page.
 
 Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 ---
  configure    | 2 +-
@@ -26,10 +25,10 @@
  2 files changed, 2 insertions(+), 4 deletions(-)
 
 diff --git a/configure b/configure
-index 9c8aa5a98b..99ccc1725a 100755
+index b5312f4..ec12f36 100755
 --- a/configure
 +++ b/configure
-@@ -3923,7 +3923,7 @@ fi
+@@ -3920,7 +3920,7 @@ fi
  # check if memfd is supported
  memfd=no
  cat > $TMPC << EOF
@@ -39,7 +38,7 @@
  int main(void)
  {
 diff --git a/util/memfd.c b/util/memfd.c
-index 4571d1aba8..412e94a405 100644
+index 4571d1a..412e94a 100644
 --- a/util/memfd.c
 +++ b/util/memfd.c
 @@ -31,9 +31,7 @@
@@ -53,5 +52,3 @@
  #include <sys/syscall.h>
  #include <asm/unistd.h>
  
--- 
-2.11.0
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch b/poky/meta/recipes-devtools/qemu/qemu/0012-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch
similarity index 93%
rename from poky/meta/recipes-devtools/qemu/qemu/0001-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0012-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch
index f90cae6..be92502 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0001-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0012-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch
@@ -1,4 +1,4 @@
-From a75a52d62418dafe462be4fe30485501d1010bb9 Mon Sep 17 00:00:00 2001
+From 7354b9b24c36ee712bb6e881d39504bf1b6a4c8b Mon Sep 17 00:00:00 2001
 From: Victor Kamensky <kamensky@cisco.com>
 Date: Fri, 23 Mar 2018 18:26:45 +0000
 Subject: [PATCH] arm/translate-a64: treat DISAS_UPDATE as variant of
@@ -43,10 +43,10 @@
  1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-index 31ff047..327513e 100644
+index 625ef2d..c381091 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
-@@ -13378,12 +13378,12 @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+@@ -11384,12 +11384,12 @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          case DISAS_UPDATE:
              gen_a64_set_pc_im(dc->pc);
              /* fall through */
@@ -62,6 +62,3 @@
          case DISAS_NORETURN:
          case DISAS_SWI:
              break;
--- 
-2.7.4
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch b/poky/meta/recipes-devtools/qemu/qemu/0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch
similarity index 96%
rename from poky/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch
index f8d7f66..d2bdf6b 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/check-PS2Queue-pointers-in-post_load-routine.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch
@@ -1,4 +1,4 @@
-From ee9a17d0e12143971a9676227cce953c0dbe52fb Mon Sep 17 00:00:00 2001
+From 065061dca34fa5b91be6dce9a87a8755d8826c78 Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Thu, 16 Nov 2017 13:21:55 +0530
 Subject: [PATCH] ps2: check PS2Queue pointers in post_load routine
@@ -58,6 +58,3 @@
      /* reset rptr/wptr/count */
      q->rptr = 0;
      q->wptr = size;
--- 
-2.7.4
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch b/poky/meta/recipes-devtools/qemu/qemu/0014-fix-libcap-header-issue-on-some-distro.patch
similarity index 88%
rename from poky/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0014-fix-libcap-header-issue-on-some-distro.patch
index cee6a67..b662a41 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0014-fix-libcap-header-issue-on-some-distro.patch
@@ -1,4 +1,7 @@
-fix libcap header issue on some distro
+From 47fdb0b6e2e393194a8c81544c647fdd997aec7f Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Tue, 12 Mar 2013 09:54:06 +0800
+Subject: [PATCH] fix libcap header issue on some distro
 
 1, When build qemu-native on SLED 11.2, there is an error:
 ...
@@ -52,13 +55,14 @@
 Upstream-Status: Pending
 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
 ---
- fsdev/virtfs-proxy-helper.c |    7 +++++--
+ fsdev/virtfs-proxy-helper.c | 7 +++++--
  1 file changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
+index 8e48500..6490030 100644
 --- a/fsdev/virtfs-proxy-helper.c
 +++ b/fsdev/virtfs-proxy-helper.c
-@@ -12,7 +12,6 @@
+@@ -13,7 +13,6 @@
  #include <sys/resource.h>
  #include <getopt.h>
  #include <syslog.h>
@@ -66,7 +70,7 @@
  #include <sys/fsuid.h>
  #include <sys/vfs.h>
  #include <sys/ioctl.h>
-@@ -26,7 +25,11 @@
+@@ -27,7 +26,11 @@
  #include "9p-iov-marshal.h"
  #include "hw/9pfs/9p-proxy.h"
  #include "fsdev/9p-iov-marshal.h"
@@ -79,6 +83,3 @@
  #define PROGNAME "virtfs-proxy-helper"
  
  #ifndef XFS_SUPER_MAGIC
--- 
-1.7.10.4
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch b/poky/meta/recipes-devtools/qemu/qemu/0015-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
similarity index 88%
rename from poky/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0015-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
index 6822132..a5621ca 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0015-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
@@ -1,4 +1,4 @@
-From 697a834c35d19447b7dcdb9e1d9434bc6ce17c21 Mon Sep 17 00:00:00 2001
+From db914e0f93a32b6731a636517002ecadc207718b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
 Date: Wed, 12 Aug 2015 15:11:30 -0500
 Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
@@ -19,10 +19,10 @@
  create mode 100644 custom_debug.h
 
 diff --git a/cpus.c b/cpus.c
-index a822ce3..7e4786e 100644
+index 114c29b..c3dd2e0 100644
 --- a/cpus.c
 +++ b/cpus.c
-@@ -1080,6 +1080,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
+@@ -1510,6 +1510,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
      return NULL;
  }
  
@@ -31,7 +31,7 @@
  static void qemu_cpu_kick_thread(CPUState *cpu)
  {
  #ifndef _WIN32
-@@ -1088,6 +1090,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
+@@ -1522,6 +1524,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
      err = pthread_kill(cpu->thread->thread, SIG_IPI);
      if (err) {
          fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
@@ -71,6 +71,3 @@
 +
 +	free(symbols);
 +}
--- 
-1.9.1
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/no-valgrind.patch b/poky/meta/recipes-devtools/qemu/qemu/no-valgrind.patch
deleted file mode 100644
index 91f7280..0000000
--- a/poky/meta/recipes-devtools/qemu/qemu/no-valgrind.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/configure b/configure
-index b3c4f51..4d3929e 100755
---- a/configure
-+++ b/configure
-@@ -4193,9 +4192,0 @@ valgrind_h=no
--cat > $TMPC << EOF
--#include <valgrind/valgrind.h>
--int main(void) {
--  return 0;
--}
--EOF
--if compile_prog "" "" ; then
--    valgrind_h=yes
--fi
diff --git a/poky/meta/recipes-devtools/qemu/qemu/qemu-2.5.0-cflags.patch b/poky/meta/recipes-devtools/qemu/qemu/qemu-2.5.0-cflags.patch
deleted file mode 100644
index eb99d14..0000000
--- a/poky/meta/recipes-devtools/qemu/qemu/qemu-2.5.0-cflags.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Upstream-Status: Pending
-
---- a/configure
-+++ b/configure
-@@ -4468,10 +4468,6 @@ fi
- if test "$gcov" = "yes" ; then
-   CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
-   LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
--elif test "$fortify_source" = "yes" ; then
--  CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
--elif test "$debug" = "no"; then
--  CFLAGS="-O2 $CFLAGS"
- fi
- 
- ##########################################
diff --git a/poky/meta/recipes-devtools/qemu/qemu_2.11.1.bb b/poky/meta/recipes-devtools/qemu/qemu_2.11.1.bb
index ab82c5f..7de21ac 100644
--- a/poky/meta/recipes-devtools/qemu/qemu_2.11.1.bb
+++ b/poky/meta/recipes-devtools/qemu/qemu_2.11.1.bb
@@ -9,27 +9,27 @@
 
 SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
            file://powerpc_rom.bin \
-           file://disable-grabs.patch \
-           file://wacom.patch \
-           file://add-ptest-in-makefile-v10.patch \
+           file://0001-sdl.c-allow-user-to-disable-pointer-grabs.patch \
+           file://0002-qemu-Add-missing-wacom-HID-descriptor.patch \
+           file://0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch \
            file://run-ptest \
-           file://qemu-enlarge-env-entry-size.patch \
-           file://no-valgrind.patch \
-           file://pathlimit.patch \
-           file://qemu-2.5.0-cflags.patch \
-           file://chardev-connect-socket-to-a-spawned-command.patch \
-           file://apic-fixup-fallthrough-to-PIC.patch \
-           file://linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
-           file://memfd.patch \
-           file://0001-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch \
-           file://check-PS2Queue-pointers-in-post_load-routine.patch \
+           file://0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch \
+           file://0005-qemu-disable-Valgrind.patch \
+           file://0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch \
+           file://0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch \
+           file://0008-chardev-connect-socket-to-a-spawned-command.patch \
+           file://0009-apic-fixup-fallthrough-to-PIC.patch \
+           file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
+           file://0011-memfd-fix-configure-test.patch \
+           file://0012-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch \
+           file://0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch \
+           file://0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
 
-
 SRC_URI_append_class-native = " \
-            file://fix-libcap-header-issue-on-some-distro.patch \
-            file://cpus.c-qemu_cpu_kick_thread_debugging.patch \
+            file://0014-fix-libcap-header-issue-on-some-distro.patch \
+            file://0015-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch \
             "
 
 SRC_URI[md5sum] = "61cf862b6007eba4ac98247776af2e27"
diff --git a/poky/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch b/poky/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
index 2be3cb5..4020a31 100644
--- a/poky/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
+++ b/poky/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch
@@ -1,4 +1,4 @@
-From a6f269f879221f2777169c5f7291322afe6b661b Mon Sep 17 00:00:00 2001
+From a89daa75ac970d8e247edc762d1181e9a5b0c5d0 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Tue, 17 Jan 2017 14:07:17 +0200
 Subject: [PATCH] When cross-installing, execute package scriptlets without
@@ -7,17 +7,42 @@
 This is triggered only when RPM_NO_CHROOT_FOR_SCRIPTS environment variable is defined.
 Otherwise they will trigger an explosion of failures, obviously.
 
+Amended 2018-07-03 by Olof Johansson <olofjn@axis.com>:
+
+  Remove leaking temporary scriptlet files
+
+  Since we tell dnf to run rpm with debug output, this will result in rpm not
+  cleaning up written temporary scriptlet files (same flag controls both
+  behaviors). This wouldn't have been a problem since we normally would use the
+  target sysroot also for temporary files, but we need to chroot out to be able
+  to actually run the rpm scriptlets (purpose of this patch), so the temporary
+  files are written to the host's /var/tmp/ directory, causing a gradual
+  resource leakage on the host system for every RPM based do_rootfs task
+  executed.
+
+  Signed-off-by: Olof Johansson <olofjn@axis.com>
+
 Upstream-Status: Inappropriate [oe-core specific]
 Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
 ---
- lib/rpmscript.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
+ lib/rpmscript.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
 
 diff --git a/lib/rpmscript.c b/lib/rpmscript.c
-index 98d3f420d..b95b5d606 100644
+index cc98c4885..f8bd3df04 100644
 --- a/lib/rpmscript.c
 +++ b/lib/rpmscript.c
-@@ -467,7 +467,13 @@ rpmRC rpmScriptRun(rpmScript script, int arg1, int arg2, FD_t scriptFd,
+@@ -394,8 +394,7 @@ exit:
+ 	Fclose(out);	/* XXX dup'd STDOUT_FILENO */
+ 
+     if (fn) {
+-	if (!rpmIsDebug())
+-	    unlink(fn);
++	unlink(fn);
+ 	free(fn);
+     }
+     free(mline);
+@@ -428,7 +427,13 @@ rpmRC rpmScriptRun(rpmScript script, int arg1, int arg2, FD_t scriptFd,
  
      if (rc != RPMRC_FAIL) {
  	if (script_type & RPMSCRIPTLET_EXEC) {
diff --git a/poky/meta/recipes-devtools/rpm/rpm_4.14.1.bb b/poky/meta/recipes-devtools/rpm/rpm_4.14.1.bb
index 6012922..1a03a0f 100644
--- a/poky/meta/recipes-devtools/rpm/rpm_4.14.1.bb
+++ b/poky/meta/recipes-devtools/rpm/rpm_4.14.1.bb
@@ -69,6 +69,7 @@
 # Disable dbus for native, so that rpm doesn't attempt to inhibit shutdown via session dbus even when plugins support is enabled.
 # Also disable plugins by default for native.
 EXTRA_OECONF_append_class-native = " --sysconfdir=/etc --localstatedir=/var --without-dbus --disable-plugins"
+EXTRA_OECONF_append_class-nativesdk = " --sysconfdir=/etc --localstatedir=/var --without-dbus --disable-plugins"
 
 BBCLASSEXTEND = "native nativesdk"
 
@@ -77,21 +78,22 @@
 
 # Direct rpm-native to read configuration from our sysroot, not the one it was compiled in
 # libmagic also has sysroot path contamination, so override it
-do_install_append_class-native() {
-        tools="\
-                ${bindir}/rpm \
-                ${bindir}/rpm2archive \
-                ${bindir}/rpm2cpio \
-                ${bindir}/rpmbuild \
-                ${bindir}/rpmdb \
-                ${bindir}/rpmgraph \
-                ${bindir}/rpmkeys \
-                ${bindir}/rpmsign \
-                ${bindir}/rpmspec \
-                ${libdir}/rpm/rpmdeps \
-        "
 
-        for tool in $tools; do
+WRAPPER_TOOLS = " \
+   ${bindir}/rpm \
+   ${bindir}/rpm2archive \
+   ${bindir}/rpm2cpio \
+   ${bindir}/rpmbuild \
+   ${bindir}/rpmdb \
+   ${bindir}/rpmgraph \
+   ${bindir}/rpmkeys \
+   ${bindir}/rpmsign \
+   ${bindir}/rpmspec \
+   ${libdir}/rpm/rpmdeps \
+"
+
+do_install_append_class-native() {
+        for tool in ${WRAPPER_TOOLS}; do
                 create_wrapper ${D}$tool \
                         RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \
                         RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE} \
@@ -100,6 +102,18 @@
         done
 }
 
+do_install_append_class-nativesdk() {
+        for tool in ${WRAPPER_TOOLS}; do
+                create_wrapper ${D}$tool \
+                        RPM_CONFIGDIR='`dirname $''realpath`'/${@os.path.relpath(d.getVar('libdir', True), d.getVar('bindir', True))}/rpm \
+                        RPM_ETCCONFIGDIR='$'{RPM_ETCCONFIGDIR-'`dirname $''realpath`'/${@os.path.relpath(d.getVar('sysconfdir', True), d.getVar('bindir', True))}/..} \
+                        MAGIC='`dirname $''realpath`'/${@os.path.relpath(d.getVar('datadir', True), d.getVar('bindir', True))}/misc/magic.mgc \
+                        RPM_NO_CHROOT_FOR_SCRIPTS=1
+        done
+
+        rm -rf ${D}/var
+}
+
 # Rpm's make install creates var/tmp which clashes with base-files packaging
 do_install_append_class-target() {
     rm -rf ${D}/var
diff --git a/poky/meta/recipes-extended/at/at_3.1.20.bb b/poky/meta/recipes-extended/at/at_3.1.20.bb
index 8fe3b43..b76e83d 100644
--- a/poky/meta/recipes-extended/at/at_3.1.20.bb
+++ b/poky/meta/recipes-extended/at/at_3.1.20.bb
@@ -8,6 +8,12 @@
 DEPENDS = "flex flex-native bison-native \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
+PACKAGECONFIG ?= "\
+    ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)} \
+"
+
+PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux,"
+
 RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_DEPS}', '', d)} \
 "
 
diff --git a/poky/meta/recipes-extended/bash/bash.inc b/poky/meta/recipes-extended/bash/bash.inc
index 9c2b065..2e7f261 100644
--- a/poky/meta/recipes-extended/bash/bash.inc
+++ b/poky/meta/recipes-extended/bash/bash.inc
@@ -7,7 +7,7 @@
 inherit autotools gettext texinfo update-alternatives ptest
 
 EXTRA_AUTORECONF += "--exclude=autoheader --exclude=aclocal"
-EXTRA_OECONF = "--enable-job-control --without-bash-malloc"
+EXTRA_OECONF = "--enable-job-control --without-bash-malloc bash_cv_wexitstatus_offset=8"
 
 # If NON_INTERACTIVE_LOGIN_SHELLS is defined, all login shells read the
 # startup files, even if they are not interactive.
diff --git a/poky/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch b/poky/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch
new file mode 100644
index 0000000..0a30544
--- /dev/null
+++ b/poky/meta/recipes-extended/cpio/cpio-2.12/0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch
@@ -0,0 +1,346 @@
+From ebf9a2d776474181936a720ce811d72bbd1da3b6 Mon Sep 17 00:00:00 2001
+From: Pavel Raiskup <praiskup@redhat.com>
+Date: Tue, 26 Jan 2016 23:17:54 +0100
+Subject: [PATCH] CVE-2016-2037 - 1 byte out-of-bounds write
+
+Ensure that cpio_safer_name_suffix always works with dynamically
+allocated buffer, and that it has size of at least 32 bytes.
+Then, any call to cpio_safer_name_suffix is safe (it requires at
+least 2 bytes in the buffer).
+
+Also ensure that c_namesize is always correctly initialized (by
+cpio_set_c_name) to avoid undefined behavior when reading
+file_hdr.c_namesize (previously happened for tar archives).
+
+References:
+http://www.mail-archive.com/bug-cpio@gnu.org/msg00545.html
+
+* src/copyin.c (query_rename): Drop the hack, as we now work with
+dynamically allocated buffer.  Use cpio_set_c_name.
+(create_defered_links_to_skipped): Use cpio_set_c_name rather than
+manual assignment.
+(read_name_from_file): New function to avoid C&P.
+(read_in_old_ascii, read_in_new_ascii, read_in_binary): Use
+read_name_from_file.
+(process_copy_in): Initialize file_hdr.c_namesize.
+* src/copyout.c (process_copy_out): Use cpio_set_c_name.
+* src/cpiohdr.h (cpio_set_c_name): New prototype.
+* src/tar.c (read_in_tar_header): Use cpio_set_c_name.
+* src/util.c (cpio_set_c_name): New function to set
+file_hdr->c_name and c_namesize from arbitrary string.
+(cpio_safer_name_suffix): Some docs fixes.
+* tests/inout.at: Also test copy-in, and try various formats.
+
+CVE: CVE-2016-2037
+
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b]
+
+Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
+---
+ src/copyin.c   | 68 +++++++++++++++++++---------------------------------------
+ src/copyout.c  | 13 +++++------
+ src/cpiohdr.h  |  1 +
+ src/tar.c      | 10 +++++----
+ src/util.c     | 32 ++++++++++++++++++++++++++-
+ tests/inout.at | 19 ++++++++++++++--
+ 6 files changed, 82 insertions(+), 61 deletions(-)
+
+diff --git a/src/copyin.c b/src/copyin.c
+index cde911e..972f8a6 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -76,28 +76,7 @@ query_rename(struct cpio_file_stat* file_hdr, FILE *tty_in, FILE *tty_out,
+       return -1;
+     }
+   else
+-  /* Debian hack: file_hrd.c_name is sometimes set to
+-     point to static memory by code in tar.c.  This
+-     causes a segfault.  This has been fixed and an
+-     additional check to ensure that the file name
+-     is not too long has been added.  (Reported by
+-     Horst Knobloch.)  This bug has been reported to
+-     "bug-gnu-utils@prep.ai.mit.edu". (99/1/6) -BEM */
+-    {
+-      if (archive_format != arf_tar && archive_format != arf_ustar)
+-	{
+-	  free (file_hdr->c_name);
+-	  file_hdr->c_name = xstrdup (new_name.ds_string);
+-	}
+-      else
+-	{
+-	  if (is_tar_filename_too_long (new_name.ds_string))
+-	    error (0, 0, _("%s: file name too long"),
+-		   new_name.ds_string);
+-	  else
+-	    strcpy (file_hdr->c_name, new_name.ds_string);
+-	}
+-    }
++    cpio_set_c_name (file_hdr, new_name.ds_string);
+   return 0;
+ }
+ 
+@@ -344,8 +323,7 @@ create_defered_links_to_skipped (struct cpio_file_stat *file_hdr,
+ 	    d_prev->next = d->next;
+ 	  else
+ 	    deferments = d->next;
+-	  free (file_hdr->c_name);
+-	  file_hdr->c_name = xstrdup(d->header.c_name);
++	  cpio_set_c_name (file_hdr, d->header.c_name);
+ 	  free_deferment (d);
+ 	  copyin_regular_file(file_hdr, in_file_des);
+ 	  return 0;
+@@ -1064,6 +1042,22 @@ read_in_header (struct cpio_file_stat *file_hdr, int in_des)
+     }
+ }
+ 
++static void
++read_name_from_file (struct cpio_file_stat *file_hdr, int fd, uintmax_t len)
++{
++  static char *tmp_filename;
++  static size_t buflen;
++
++  if (buflen < len)
++    {
++      buflen = len;
++      tmp_filename = xrealloc (tmp_filename, buflen);
++    }
++
++  tape_buffered_read (tmp_filename, fd, len);
++  cpio_set_c_name (file_hdr, tmp_filename);
++}
++
+ /* Fill in FILE_HDR by reading an old-format ASCII format cpio header from
+    file descriptor IN_DES, except for the magic number, which is
+    already filled in.  */
+@@ -1090,14 +1084,8 @@ read_in_old_ascii (struct cpio_file_stat *file_hdr, int in_des)
+   file_hdr->c_rdev_min = minor (dev);
+ 
+   file_hdr->c_mtime = FROM_OCTAL (ascii_header.c_mtime);
+-  file_hdr->c_namesize = FROM_OCTAL (ascii_header.c_namesize);
+   file_hdr->c_filesize = FROM_OCTAL (ascii_header.c_filesize);
+-  
+-  /* Read file name from input.  */
+-  if (file_hdr->c_name != NULL)
+-    free (file_hdr->c_name);
+-  file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize + 1);
+-  tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
++  read_name_from_file (file_hdr, in_des, FROM_OCTAL (ascii_header.c_namesize));
+ 
+   /* HP/UX cpio creates archives that look just like ordinary archives,
+      but for devices it sets major = 0, minor = 1, and puts the
+@@ -1152,14 +1140,8 @@ read_in_new_ascii (struct cpio_file_stat *file_hdr, int in_des)
+   file_hdr->c_dev_min = FROM_HEX (ascii_header.c_dev_min);
+   file_hdr->c_rdev_maj = FROM_HEX (ascii_header.c_rdev_maj);
+   file_hdr->c_rdev_min = FROM_HEX (ascii_header.c_rdev_min);
+-  file_hdr->c_namesize = FROM_HEX (ascii_header.c_namesize);
+   file_hdr->c_chksum = FROM_HEX (ascii_header.c_chksum);
+-  
+-  /* Read file name from input.  */
+-  if (file_hdr->c_name != NULL)
+-    free (file_hdr->c_name);
+-  file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
+-  tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
++  read_name_from_file (file_hdr, in_des, FROM_HEX (ascii_header.c_namesize));
+ 
+   /* In SVR4 ASCII format, the amount of space allocated for the header
+      is rounded up to the next long-word, so we might need to drop
+@@ -1207,16 +1189,9 @@ read_in_binary (struct cpio_file_stat *file_hdr,
+   file_hdr->c_rdev_min = minor (short_hdr->c_rdev);
+   file_hdr->c_mtime = (unsigned long) short_hdr->c_mtimes[0] << 16
+                       | short_hdr->c_mtimes[1];
+-
+-  file_hdr->c_namesize = short_hdr->c_namesize;
+   file_hdr->c_filesize = (unsigned long) short_hdr->c_filesizes[0] << 16
+                       | short_hdr->c_filesizes[1];
+-
+-  /* Read file name from input.  */
+-  if (file_hdr->c_name != NULL)
+-    free (file_hdr->c_name);
+-  file_hdr->c_name = (char *) xmalloc (file_hdr->c_namesize);
+-  tape_buffered_read (file_hdr->c_name, in_des, (long) file_hdr->c_namesize);
++  read_name_from_file (file_hdr, in_des, short_hdr->c_namesize);
+ 
+   /* In binary mode, the amount of space allocated in the header for
+      the filename is `c_namesize' rounded up to the next short-word,
+@@ -1297,6 +1272,7 @@ process_copy_in ()
+       read_pattern_file ();
+     }
+   file_hdr.c_name = NULL;
++  file_hdr.c_namesize = 0;
+ 
+   if (rename_batch_file)
+     {
+diff --git a/src/copyout.c b/src/copyout.c
+index 1f0987a..bb39559 100644
+--- a/src/copyout.c
++++ b/src/copyout.c
+@@ -660,8 +660,7 @@ process_copy_out ()
+ 	  cpio_safer_name_suffix (input_name.ds_string, false,
+ 				  !no_abs_paths_flag, true);
+ #ifndef HPUX_CDF
+-	  file_hdr.c_name = input_name.ds_string;
+-	  file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
++	  cpio_set_c_name (&file_hdr, input_name.ds_string);
+ #else
+ 	  if ( (archive_format != arf_tar) && (archive_format != arf_ustar) )
+ 	    {
+@@ -670,16 +669,15 @@ process_copy_out ()
+ 		 properly recreate the directory as hidden (in case the
+ 		 files of a directory go into the archive before the
+ 		 directory itself (e.g from "find ... -depth ... | cpio")).  */
+-	      file_hdr.c_name = add_cdf_double_slashes (input_name.ds_string);
+-	      file_hdr.c_namesize = strlen (file_hdr.c_name) + 1;
++              cpio_set_c_name (&file_hdr,
++                               add_cdf_double_slashes (input_name.ds_string));
+ 	    }
+ 	  else
+ 	    {
+ 	      /* We don't mark CDF's in tar files.  We assume the "hidden"
+ 		 directory will always go into the archive before any of
+ 		 its files.  */
+-	      file_hdr.c_name = input_name.ds_string;
+-	      file_hdr.c_namesize = strlen (input_name.ds_string) + 1;
++              cpio_set_c_name (&file_hdr, input_name.ds_string);
+ 	    }
+ #endif
+ 
+@@ -866,8 +864,7 @@ process_copy_out ()
+   file_hdr.c_chksum = 0;
+ 
+   file_hdr.c_filesize = 0;
+-  file_hdr.c_namesize = 11;
+-  file_hdr.c_name = CPIO_TRAILER_NAME;
++  cpio_set_c_name (&file_hdr, CPIO_TRAILER_NAME);
+   if (archive_format != arf_tar && archive_format != arf_ustar)
+     write_out_header (&file_hdr, out_file_des);
+   else
+diff --git a/src/cpiohdr.h b/src/cpiohdr.h
+index b29e6fb..f4c63be 100644
+--- a/src/cpiohdr.h
++++ b/src/cpiohdr.h
+@@ -129,5 +129,6 @@ struct cpio_file_stat /* Internal representation of a CPIO header */
+   char *c_tar_linkname;
+ };
+ 
++void cpio_set_c_name(struct cpio_file_stat *file_hdr, char *name);
+ 
+ #endif /* cpiohdr.h */
+diff --git a/src/tar.c b/src/tar.c
+index a2ce171..e41f89d 100644
+--- a/src/tar.c
++++ b/src/tar.c
+@@ -282,7 +282,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
+       if (null_block ((long *) &tar_rec, TARRECORDSIZE))
+ #endif
+ 	{
+-	  file_hdr->c_name = CPIO_TRAILER_NAME;
++	  cpio_set_c_name (file_hdr, CPIO_TRAILER_NAME);
+ 	  return;
+ 	}
+ #if 0
+@@ -316,9 +316,11 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
+ 	}
+ 
+       if (archive_format != arf_ustar)
+-	file_hdr->c_name = stash_tar_filename (NULL, tar_hdr->name);
++        cpio_set_c_name (file_hdr, stash_tar_filename (NULL, tar_hdr->name));
+       else
+-	file_hdr->c_name = stash_tar_filename (tar_hdr->prefix, tar_hdr->name);
++        cpio_set_c_name (file_hdr, stash_tar_filename (tar_hdr->prefix,
++                                                      tar_hdr->name));
++
+       file_hdr->c_nlink = 1;
+       file_hdr->c_mode = FROM_OCTAL (tar_hdr->mode);
+       file_hdr->c_mode = file_hdr->c_mode & 07777;
+@@ -398,7 +400,7 @@ read_in_tar_header (struct cpio_file_stat *file_hdr, int in_des)
+ 	case AREGTYPE:
+ 	  /* Old tar format; if the last char in filename is '/' then it is
+ 	     a directory, otherwise it's a regular file.  */
+-	  if (file_hdr->c_name[strlen (file_hdr->c_name) - 1] == '/')
++	  if (file_hdr->c_name[file_hdr->c_namesize - 1] == '/')
+ 	    file_hdr->c_mode |= CP_IFDIR;
+ 	  else
+ 	    file_hdr->c_mode |= CP_IFREG;
+diff --git a/src/util.c b/src/util.c
+index 6ff6032..4f3c073 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -1410,8 +1410,34 @@ set_file_times (int fd,
+     utime_error (name);
+ }
+ 
++
++void
++cpio_set_c_name (struct cpio_file_stat *file_hdr, char *name)
++{
++  static size_t buflen = 0;
++  size_t len = strlen (name) + 1;
++
++  if (buflen == 0)
++    {
++      buflen = len;
++      if (buflen < 32)
++        buflen = 32;
++      file_hdr->c_name = xmalloc (buflen);
++    }
++  else if (buflen < len)
++    {
++      buflen = len;
++      file_hdr->c_name = xrealloc (file_hdr->c_name, buflen);
++    }
++
++  file_hdr->c_namesize = len;
++  memmove (file_hdr->c_name, name, len);
++}
++
+ /* Do we have to ignore absolute paths, and if so, does the filename
+-   have an absolute path?  */
++   have an absolute path?  Before calling this function make sure that the
++   allocated NAME buffer has capacity at least 2 bytes. */
++
+ void
+ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+ 			bool strip_leading_dots)
+@@ -1426,6 +1452,10 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+ 	  ++p;
+       }
+   if (p != name)
++    /* The 'p' string is shortened version of 'name' with one exception;  when
++       the 'name' points to an empty string (buffer where name[0] == '\0') the
++       'p' then points to static string ".".  So caller needs to ensure there
++       are at least two bytes available in 'name' buffer so memmove succeeds. */
+     memmove (name, p, (size_t)(strlen (p) + 1));
+ }
+ 
+diff --git a/tests/inout.at b/tests/inout.at
+index 60c3716..730cbd2 100644
+--- a/tests/inout.at
++++ b/tests/inout.at
+@@ -35,7 +35,22 @@ while read NAME LENGTH
+ do
+ 	genfile --length $LENGTH > $NAME
+ 	echo $NAME
+-done < filelist |
+- cpio --quiet -o > archive])
++done < filelist > filelist_raw
++
++for format in bin odc newc crc tar ustar hpbin hpodc
++do
++    cpio --format=$format --quiet -o < filelist_raw > archive.$format
++    rm -rf output
++    mkdir output && cd output
++    cpio -i --quiet < ../archive.$format
++
++    while read file
++    do
++        test -f $file || echo "$file not found"
++    done < ../filelist_raw
++
++    cd ..
++done
++])
+ 
+ AT_CLEANUP
+-- 
+1.9.1
+
diff --git a/poky/meta/recipes-extended/cpio/cpio_2.12.bb b/poky/meta/recipes-extended/cpio/cpio_2.12.bb
index 405a90e..69d3698 100644
--- a/poky/meta/recipes-extended/cpio/cpio_2.12.bb
+++ b/poky/meta/recipes-extended/cpio/cpio_2.12.bb
@@ -1,12 +1,47 @@
-require cpio_v2.inc
-
+SUMMARY = "GNU cpio is a program to manage archives of files"
+DESCRIPTION = "GNU cpio is a tool for creating and extracting archives, or copying files from one place to \
+another. It handles a number of cpio formats as well as reading and writing tar files."
+HOMEPAGE = "http://www.gnu.org/software/cpio/"
+SECTION = "base"
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
 
 SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
            file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
            file://0001-Fix-CVE-2015-1197.patch \
+           file://0001-CVE-2016-2037-1-byte-out-of-bounds-write.patch \
            "
 
 SRC_URI[md5sum] = "fc207561a86b63862eea4b8300313e86"
 SRC_URI[sha256sum] = "08a35e92deb3c85d269a0059a27d4140a9667a6369459299d08c17f713a92e73"
+
+inherit autotools gettext texinfo
+
+EXTRA_OECONF += "DEFAULT_RMT_DIR=${base_sbindir}"
+
+do_install () {
+    autotools_do_install
+    if [ "${base_bindir}" != "${bindir}" ]; then
+        install -d ${D}${base_bindir}/
+        mv "${D}${bindir}/cpio" "${D}${base_bindir}/cpio"
+        rmdir ${D}${bindir}/
+    fi
+}
+
+PACKAGES =+ "${PN}-rmt"
+
+FILES_${PN}-rmt = "${base_sbindir}/rmt*"
+
+inherit update-alternatives
+
+ALTERNATIVE_PRIORITY = "100"
+
+ALTERNATIVE_${PN} = "cpio"
+ALTERNATIVE_${PN}-rmt = "rmt"
+
+ALTERNATIVE_LINK_NAME[cpio] = "${base_bindir}/cpio"
+
+ALTERNATIVE_PRIORITY[rmt] = "50"
+ALTERNATIVE_LINK_NAME[rmt] = "${base_sbindir}/rmt"
+
+BBCLASSEXTEND = "native"
diff --git a/poky/meta/recipes-extended/cpio/cpio_v2.inc b/poky/meta/recipes-extended/cpio/cpio_v2.inc
deleted file mode 100644
index 31adb71..0000000
--- a/poky/meta/recipes-extended/cpio/cpio_v2.inc
+++ /dev/null
@@ -1,43 +0,0 @@
-SUMMARY = "GNU cpio is a program to manage archives of files"
-DESCRIPTION = "GNU cpio is a tool for creating and extracting archives, or copying files from one place to \
-another. It handles a number of cpio formats as well as reading and writing tar files."
-HOMEPAGE = "http://www.gnu.org/software/cpio/"
-SECTION = "base"
-
-DEPENDS = "texinfo-native"
-
-SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
-    "
-
-inherit autotools gettext texinfo
-
-S = "${WORKDIR}/cpio-${PV}"
-
-EXTRA_OECONF += "DEFAULT_RMT_DIR=${base_sbindir}"
-
-do_install () {
-    autotools_do_install
-    if [ "${base_bindir}" != "${bindir}" ]; then
-        install -d ${D}${base_bindir}/
-        mv "${D}${bindir}/cpio" "${D}${base_bindir}/cpio"
-        rmdir ${D}${bindir}/
-    fi
-}
-
-PACKAGES =+ "${PN}-rmt"
-
-FILES_${PN}-rmt = "${base_sbindir}/rmt*"
-
-inherit update-alternatives
-
-ALTERNATIVE_PRIORITY = "100"
-
-ALTERNATIVE_${PN} = "cpio"
-ALTERNATIVE_${PN}-rmt = "rmt"
-
-ALTERNATIVE_LINK_NAME[cpio] = "${base_bindir}/cpio"
-
-ALTERNATIVE_PRIORITY[rmt] = "50"
-ALTERNATIVE_LINK_NAME[rmt] = "${base_sbindir}/rmt"
-
-BBCLASSEXTEND = "native"
diff --git a/poky/meta/recipes-extended/gawk/gawk_4.2.0.bb b/poky/meta/recipes-extended/gawk/gawk_4.2.1.bb
similarity index 82%
rename from poky/meta/recipes-extended/gawk/gawk_4.2.0.bb
rename to poky/meta/recipes-extended/gawk/gawk_4.2.1.bb
index 27f79a2..9663752 100644
--- a/poky/meta/recipes-extended/gawk/gawk_4.2.0.bb
+++ b/poky/meta/recipes-extended/gawk/gawk_4.2.1.bb
@@ -19,8 +19,8 @@
            file://run-ptest \
 "
 
-SRC_URI[md5sum] = "0b598c31bc703d66082bd958d4189980"
-SRC_URI[sha256sum] = "c88046c6e8396ee548bcb941e16def809b7b55b60a1044b5dd254094f347c7d9"
+SRC_URI[md5sum] = "0256724a0af50cb83ac92f833488673d"
+SRC_URI[sha256sum] = "2b23d51503b2df9a41aa6fddc6002ad7ebf2a386ac19dc1b6be0dd48b0acf6db"
 
 inherit autotools gettext texinfo update-alternatives
 
@@ -43,6 +43,8 @@
 	for i in `grep -vE "@|^$|#|Gt-dummy" ${S}/test/Maketests |awk -F: '{print $1}'` Maketests inclib.awk; \
 	  do cp ${S}/test/$i* ${D}${PTEST_PATH}/test; \
 	done
+	sed -i -e 's|/usr/local/bin|${bindir}|g' \
+	    -e 's|#!${base_bindir}/awk|#!${bindir}/awk|g' ${D}${PTEST_PATH}/test/*.awk
 }
 
 BBCLASSEXTEND = "native nativesdk"
diff --git a/poky/meta/recipes-extended/ltp/ltp_20180118.bb b/poky/meta/recipes-extended/ltp/ltp_20180118.bb
index 14fb41b..8754fcd 100644
--- a/poky/meta/recipes-extended/ltp/ltp_20180118.bb
+++ b/poky/meta/recipes-extended/ltp/ltp_20180118.bb
@@ -58,7 +58,7 @@
 
 PACKAGECONFIG[numa] = "--with-numa, --without-numa, numactl,"
 EXTRA_AUTORECONF += "-I ${S}/testcases/realtime/m4"
-EXTRA_OECONF = " --with-power-management-testsuite --with-realtime-testsuite "
+EXTRA_OECONF = " --with-power-management-testsuite --with-realtime-testsuite --with-open-posix-testsuite "
 # ltp network/rpc test cases ftbfs when libtirpc is found
 EXTRA_OECONF += " --without-tirpc "
 
diff --git a/poky/meta/recipes-extended/minicom/minicom_2.7.1.bb b/poky/meta/recipes-extended/minicom/minicom_2.7.1.bb
index e6afe2b..be0b48d 100644
--- a/poky/meta/recipes-extended/minicom/minicom_2.7.1.bb
+++ b/poky/meta/recipes-extended/minicom/minicom_2.7.1.bb
@@ -7,7 +7,7 @@
 LIC_FILES_CHKSUM = "file://COPYING;md5=420477abc567404debca0a2a1cb6b645 \
                     file://src/minicom.h;beginline=1;endline=12;md5=a58838cb709f0db517f4e42730c49e81"
 
-SRC_URI = "https://alioth.debian.org/frs/download.php/latestfile/3/${BP}.tar.gz \
+SRC_URI = "${DEBIAN_MIRROR}/main/m/${BPN}/${BPN}_${PV}.orig.tar.gz \
            file://allow.to.disable.lockdev.patch \
            file://0001-fix-minicom-h-v-return-value-is-not-0.patch \
            file://0001-Fix-build-issus-surfaced-due-to-musl.patch \
diff --git a/poky/meta/recipes-extended/shadow/files/CVE-2017-2616.patch b/poky/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
new file mode 100644
index 0000000..ee728f0
--- /dev/null
+++ b/poky/meta/recipes-extended/shadow/files/CVE-2017-2616.patch
@@ -0,0 +1,64 @@
+shadow-4.2.1: Fix CVE-2017-2616
+
+[No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943
+
+su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686]
+CVE: CVE-2017-2616
+bug: 855943
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+
+diff --git a/src/su.c b/src/su.c
+index 3704217..1efcd61 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
+ 				/* wake child when resumed */
+ 				kill (pid, SIGCONT);
+ 				stop = false;
++			} else {
++				pid_child = 0;
+ 			}
+ 		} while (!stop);
+ 	}
+ 
+-	if (0 != caught) {
++	if (0 != caught && 0 != pid_child) {
+ 		(void) fputs ("\n", stderr);
+ 		(void) fputs (_("Session terminated, terminating shell..."),
+ 		              stderr);
+ 		(void) kill (-pid_child, caught);
+ 
+ 		(void) signal (SIGALRM, kill_child);
++		(void) signal (SIGCHLD, catch_signals);
+ 		(void) alarm (2);
+ 
+-		(void) wait (&status);
++		sigemptyset (&ourset);
++		if ((sigaddset (&ourset, SIGALRM) != 0)
++		    || (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0)) {
++			fprintf (stderr, _("%s: signal masking malfunction\n"), Prog);
++			kill_child (0);
++		} else {
++			while (0 == waitpid (pid_child, &status, WNOHANG)) {
++				sigsuspend (&ourset);
++			}
++			pid_child = 0;
++			(void) sigprocmask (SIG_UNBLOCK, &ourset, NULL);
++		}
++
+ 		(void) fputs (_(" ...terminated.\n"), stderr);
+ 	}
+ 
diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd b/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd
index 9e3efa6..b769d92 100644
--- a/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd
+++ b/poky/meta/recipes-extended/shadow/files/pam.d/chpasswd
@@ -1,4 +1,6 @@
 # The PAM configuration file for the Shadow 'chpasswd' service
 #
 
+auth       sufficient   pam_rootok.so
+account    required     pam_permit.so
 password   include      common-password
diff --git a/poky/meta/recipes-extended/shadow/files/pam.d/newusers b/poky/meta/recipes-extended/shadow/files/pam.d/newusers
index 4aa3dde..4c59dfa 100644
--- a/poky/meta/recipes-extended/shadow/files/pam.d/newusers
+++ b/poky/meta/recipes-extended/shadow/files/pam.d/newusers
@@ -1,4 +1,6 @@
 # The PAM configuration file for the Shadow 'newusers' service
 #
 
+auth       sufficient   pam_rootok.so
+account    required     pam_permit.so
 password   include      common-password
diff --git a/poky/meta/recipes-extended/shadow/shadow.inc b/poky/meta/recipes-extended/shadow/shadow.inc
index 673207f..6efe4a9 100644
--- a/poky/meta/recipes-extended/shadow/shadow.inc
+++ b/poky/meta/recipes-extended/shadow/shadow.inc
@@ -8,7 +8,9 @@
 
 DEPENDS = "virtual/crypt"
 
-SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
+UPSTREAM_CHECK_URI = "https://github.com/shadow-maint/shadow/releases"
+
+SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
            file://shadow-4.1.3-dots-in-usernames.patch \
            file://usermod-fix-compilation-failure-with-subids-disabled.patch \
            file://fix-installation-failure-with-subids-disabled.patch \
@@ -16,6 +18,7 @@
            file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
            file://0001-useradd-copy-extended-attributes-of-home.patch \
            file://0001-shadow-CVE-2017-12424 \
+           file://CVE-2017-2616.patch \
            ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
            "
 
@@ -127,7 +130,8 @@
 	# Ensure that the image has as a /var/spool/mail dir so shadow can
 	# put mailboxes there if the user reconfigures shadow to its
 	# defaults (see sed below).
-	install -d ${D}${localstatedir}/spool/mail
+	install -m 0775 -d ${D}${localstatedir}/spool/mail
+	chown root:mail ${D}${localstatedir}/spool/mail
 
 	if [ -e ${WORKDIR}/pam.d ]; then
 		install -d ${D}${sysconfdir}/pam.d/
diff --git a/poky/meta/recipes-extended/sysklogd/sysklogd.inc b/poky/meta/recipes-extended/sysklogd/sysklogd.inc
index 1a537fa..fc4e67c 100644
--- a/poky/meta/recipes-extended/sysklogd/sysklogd.inc
+++ b/poky/meta/recipes-extended/sysklogd/sysklogd.inc
@@ -33,7 +33,7 @@
 
 INITSCRIPT_NAME = "syslog"
 CONFFILES_${PN} = "${sysconfdir}/syslog.conf"
-RCONFLICTS_${PN}-syslog = "rsyslog busybox-syslog syslog-ng"
+RCONFLICTS_${PN} = "rsyslog busybox-syslog syslog-ng"
 
 CFLAGS += "-DSYSV -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE"
 
diff --git a/poky/meta/recipes-extended/xinetd/xinetd/xinetd.service b/poky/meta/recipes-extended/xinetd/xinetd/xinetd.service
index d5fdc5b..6da92f2 100644
--- a/poky/meta/recipes-extended/xinetd/xinetd/xinetd.service
+++ b/poky/meta/recipes-extended/xinetd/xinetd/xinetd.service
@@ -3,11 +3,8 @@
 After=syslog.target network.target
 
 [Service]
-Type=forking
-PIDFile=/var/run/xinetd.pid
 EnvironmentFile=-/etc/sysconfig/xinetd
-ExecStart=@SBINDIR@/xinetd -stayalive -pidfile /var/run/xinetd.pid "$EXTRAOPTIONS"
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
+ExecStart=@SBINDIR@/xinetd -dontfork "$EXTRAOPTIONS"
 
 [Install]
 WantedBy=multi-user.target
diff --git a/poky/meta/recipes-kernel/cryptodev/cryptodev-module_1.9.bb b/poky/meta/recipes-kernel/cryptodev/cryptodev-module_1.9.bb
index ed6d0ec..6052650 100644
--- a/poky/meta/recipes-kernel/cryptodev/cryptodev-module_1.9.bb
+++ b/poky/meta/recipes-kernel/cryptodev/cryptodev-module_1.9.bb
@@ -10,6 +10,7 @@
 SRC_URI += " \
 file://0001-Disable-installing-header-file-provided-by-another-p.patch \
 file://0001-ioctl.c-Fix-build-with-linux-4.13.patch \
+file://0001-ioctl.c-Fix-build-with-linux-4.17.patch \
 "
 
 EXTRA_OEMAKE='KERNEL_DIR="${STAGING_KERNEL_DIR}" PREFIX="${D}"'
diff --git a/poky/meta/recipes-kernel/cryptodev/files/0001-ioctl.c-Fix-build-with-linux-4.17.patch b/poky/meta/recipes-kernel/cryptodev/files/0001-ioctl.c-Fix-build-with-linux-4.17.patch
new file mode 100644
index 0000000..5881d1c
--- /dev/null
+++ b/poky/meta/recipes-kernel/cryptodev/files/0001-ioctl.c-Fix-build-with-linux-4.17.patch
@@ -0,0 +1,43 @@
+From f60aa08c63fc02780554a0a12180a478ca27d49f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>
+Date: Wed, 23 May 2018 18:43:39 +0300
+Subject: [PATCH] ioctl.c: Fix build with linux 4.17
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since kernel 4.17-rc1, sys_* syscalls can no longer be called directly:
+819671ff849b ("syscalls: define and explain goal to not call syscalls in the kernel")
+
+Since cryptodev uses sys_close() - and this has been removed in commit:
+2ca2a09d6215 ("fs: add ksys_close() wrapper; remove in-kernel calls to sys_close()")
+cryptodev has to be updated to use the ksys_close() wrapper.
+
+Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
+
+Upstream-Status: Backport
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ ioctl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ioctl.c b/ioctl.c
+index d831b0c..2571034 100644
+--- a/ioctl.c
++++ b/ioctl.c
+@@ -828,7 +828,11 @@ cryptodev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg_)
+ 		fd = clonefd(filp);
+ 		ret = put_user(fd, p);
+ 		if (unlikely(ret)) {
++#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 17, 0))
+ 			sys_close(fd);
++#else
++			ksys_close(fd);
++#endif
+ 			return ret;
+ 		}
+ 		return ret;
+-- 
+2.7.4
+
diff --git a/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb b/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
index 8ccd8ce..4ccf9b0 100644
--- a/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
+++ b/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb
@@ -4,7 +4,7 @@
 
 DEPENDS = "git-native"
 
-SRCREV = "b46b1c4f0973bf1eb09cf1191f5f4e69bcd0475d"
+SRCREV = "8cd13500a27c0a6a911cc83c0349dec01ef66e27"
 PR = "r12"
 PV = "0.2+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/kexec/kexec-tools/kdump.service b/poky/meta/recipes-kernel/kexec/kexec-tools/kdump.service
index 4e65a46..013c5a6 100644
--- a/poky/meta/recipes-kernel/kexec/kexec-tools/kdump.service
+++ b/poky/meta/recipes-kernel/kexec/kexec-tools/kdump.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Reboot and dump vmcore via kexec
 DefaultDependencies=no
+After=basic.target
 
 [Service]
 Type=oneshot
diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_git.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_git.bb
index 8d6f2f2..cf7abb0 100644
--- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_git.bb
+++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_git.bb
@@ -14,6 +14,7 @@
     & Firmware-cavium \
     & Firmware-chelsio_firmware \
     & Firmware-cw1200 \
+    & Firmware-cypress \
     & Firmware-dib0700 \
     & Firmware-e100 \
     & Firmware-ene_firmware \
@@ -66,7 +67,7 @@
     file://LICENCE.adsp_sst;md5=615c45b91a5a4a9fe046d6ab9a2df728 \
     file://LICENCE.agere;md5=af0133de6b4a9b2522defd5f188afd31 \
     file://LICENSE.amdgpu;md5=0aa3c2f3e736af320a08a3aeeccecf29 \
-    file://LICENSE.amd-ucode;md5=3a0de451253cc1edbf30a3c621effee3 \
+    file://LICENSE.amd-ucode;md5=3c5399dc9148d7f0e1f41e34b69cf14f \
     file://LICENCE.atheros_firmware;md5=30a14c7823beedac9fa39c64fdd01a13 \
     file://LICENSE.atmel;md5=aa74ac0c60595dee4d4e239107ea77a3 \
     file://LICENCE.broadcom_bcm43xx;md5=3160c14df7228891b868060e1951dfbc \
@@ -74,6 +75,7 @@
     file://LICENCE.cavium;md5=c37aaffb1ebe5939b2580d073a95daea \
     file://LICENCE.chelsio_firmware;md5=819aa8c3fa453f1b258ed8d168a9d903 \
     file://LICENCE.cw1200;md5=f0f770864e7a8444a5c5aa9d12a3a7ed \
+    file://LICENCE.cypress;md5=48cd9436c763bf873961f9ed7b5c147b \
     file://LICENSE.dib0700;md5=f7411825c8a555a1a3e5eab9ca773431 \
     file://LICENCE.e100;md5=ec0f84136766df159a3ae6d02acdf5a8 \
     file://LICENCE.ene_firmware;md5=ed67f0f62f8f798130c296720b7d3921 \
@@ -118,7 +120,7 @@
     file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \
     file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
     file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \
-    file://WHENCE;md5=6f46986f4e913ef16b765c2319cc5141 \
+    file://WHENCE;md5=eaaf310bac02fee05ea1b334f58c5caf \
 "
 
 # These are not common licenses, set NO_GENERIC_LICENSE for them
@@ -135,6 +137,7 @@
 NO_GENERIC_LICENSE[Firmware-cavium] = "LICENCE.cavium"
 NO_GENERIC_LICENSE[Firmware-chelsio_firmware] = "LICENCE.chelsio_firmware"
 NO_GENERIC_LICENSE[Firmware-cw1200] = "LICENCE.cw1200"
+NO_GENERIC_LICENSE[Firmware-cypress] = "LICENCE.cypress"
 NO_GENERIC_LICENSE[Firmware-dib0700] = "LICENSE.dib0700"
 NO_GENERIC_LICENSE[Firmware-e100] = "LICENCE.e100"
 NO_GENERIC_LICENSE[Firmware-ene_firmware] = "LICENCE.ene_firmware"
@@ -181,7 +184,7 @@
 NO_GENERIC_LICENSE[Firmware-xc5000c] = "LICENCE.xc5000c"
 NO_GENERIC_LICENSE[WHENCE] = "WHENCE"
 
-SRCREV = "8fc2d4e55685bf73b6f7752383da9067404a74bb"
+SRCREV = "d1147327232ec4616a66ab898df84f9700c816c1"
 PE = "1"
 PV = "0.0+git${SRCPV}"
 
@@ -232,9 +235,41 @@
              ${PN}-ti-connectivity-license ${PN}-wl12xx ${PN}-wl18xx \
              ${PN}-vt6656-license ${PN}-vt6656 \
              ${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \
+             ${PN}-rtl8168 \
+             ${PN}-cypress-license \
              ${PN}-broadcom-license \
-             ${PN}-bcm4329 ${PN}-bcm4330 ${PN}-bcm4334 ${PN}-bcm43340 \
-             ${PN}-bcm43362 ${PN}-bcm4339 ${PN}-bcm43430 ${PN}-bcm4354 \
+             ${PN}-bcm-0bb4-0306 \
+             ${PN}-bcm43143 \
+             ${PN}-bcm43236b \
+             ${PN}-bcm43241b0 \
+             ${PN}-bcm43241b4 \
+             ${PN}-bcm43241b5 \
+             ${PN}-bcm43242a \
+             ${PN}-bcm4329 \
+             ${PN}-bcm4329-fullmac \
+             ${PN}-bcm4330 \
+             ${PN}-bcm4334 \
+             ${PN}-bcm43340 \
+             ${PN}-bcm4335 \
+             ${PN}-bcm43362 \
+             ${PN}-bcm4339 \
+             ${PN}-bcm43430 \
+             ${PN}-bcm43430a0 \
+             ${PN}-bcm43455 \
+             ${PN}-bcm4350 \
+             ${PN}-bcm4350c2 \
+             ${PN}-bcm4354 \
+             ${PN}-bcm4356 \
+             ${PN}-bcm4356-pcie \
+             ${PN}-bcm43569 \
+             ${PN}-bcm43570 \
+             ${PN}-bcm4358 \
+             ${PN}-bcm43602 \
+             ${PN}-bcm4366b \
+             ${PN}-bcm4371 \
+             ${PN}-bcm4373 \
+             ${PN}-bcm43xx \
+             ${PN}-bcm43xx-hdr \
              ${PN}-atheros-license ${PN}-ar9170 ${PN}-ath6k ${PN}-ath9k \
              ${PN}-gplv2-license ${PN}-carl9170 \
              ${PN}-ar3k-license ${PN}-ar3k ${PN}-ath10k-license ${PN}-ath10k ${PN}-qca \
@@ -440,6 +475,7 @@
 LICENSE_${PN}-rtl8723 = "Firmware-rtlwifi_firmware"
 LICENSE_${PN}-rtl8821 = "Firmware-rtlwifi_firmware"
 LICENSE_${PN}-rtl-license = "Firmware-rtlwifi_firmware"
+LICENSE_${PN}-rtl8168 = "WHENCE"
 
 FILES_${PN}-rtl-license = " \
   ${nonarch_base_libdir}/firmware/LICENCE.rtlwifi_firmware.txt \
@@ -462,6 +498,9 @@
 FILES_${PN}-rtl8821 = " \
   ${nonarch_base_libdir}/firmware/rtlwifi/rtl8821*.bin \
 "
+FILES_${PN}-rtl8168 = " \
+  ${nonarch_base_libdir}/firmware/rtl_nic/rtl8168*.fw \
+"
 
 RDEPENDS_${PN}-rtl8188 += "${PN}-rtl-license"
 RDEPENDS_${PN}-rtl8192ce += "${PN}-rtl-license"
@@ -469,6 +508,7 @@
 RDEPENDS_${PN}-rtl8192su = "${PN}-rtl-license"
 RDEPENDS_${PN}-rtl8723 += "${PN}-rtl-license"
 RDEPENDS_${PN}-rtl8821 += "${PN}-rtl-license"
+RDEPENDS_${PN}-rtl8168 += "${PN}-whence-license"
 
 # For ti-connectivity
 LICENSE_${PN}-wl12xx = "Firmware-ti-connectivity"
@@ -503,52 +543,126 @@
 
 # For broadcom
 
-LICENSE_${PN}-bcm4329 = "Firmware-broadcom_bcm43xx"
-LICENSE_${PN}-bcm4330 = "Firmware-broadcom_bcm43xx"
-LICENSE_${PN}-bcm4334 = "Firmware-broadcom_bcm43xx"
-LICENSE_${PN}-bcm43340 = "Firmware-broadcom_bcm43xx"
-LICENSE_${PN}-bcm43362 = "Firmware-broadcom_bcm43xx"
-LICENSE_${PN}-bcm4339 = "Firmware-broadcom_bcm43xx"
-LICENSE_${PN}-bcm43430 = "Firmware-broadcom_bcm43xx"
-LICENSE_${PN}-bcm4354 = "Firmware-broadcom_bcm43xx"
+# for i in `grep brcm WHENCE  | grep ^File | sed 's/File: brcm.//g'`; do pkg=`echo $i | sed 's/-[sp40].*//g; s/\.bin//g; s/brcmfmac/bcm/g; s/_hdr/-hdr/g; s/BCM/bcm-0bb4-0306/g'`; echo -e "             \${PN}-$pkg \\"; done  | sort -u
+
 LICENSE_${PN}-broadcom-license = "Firmware-broadcom_bcm43xx"
+FILES_${PN}-broadcom-license = "${nonarch_base_libdir}/firmware/LICENCE.broadcom_bcm43xx"
 
-FILES_${PN}-broadcom-license = " \
-  ${nonarch_base_libdir}/firmware/LICENCE.broadcom_bcm43xx \
-"
-FILES_${PN}-bcm4329 = " \
-  ${nonarch_base_libdir}/firmware/brcm/brcmfmac4329-sdio.bin \
-"
-FILES_${PN}-bcm4330 = " \
-  ${nonarch_base_libdir}/firmware/brcm/brcmfmac4330-sdio.bin \
-"
-FILES_${PN}-bcm4334 = " \
-  ${nonarch_base_libdir}/firmware/brcm/brcmfmac4334-sdio.bin \
-"
-FILES_${PN}-bcm43340 = " \
-  ${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.bin \
-"
-FILES_${PN}-bcm43362 = " \
-  ${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.bin \
-"
-FILES_${PN}-bcm4339 = " \
-  ${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin \
-"
-FILES_${PN}-bcm43430 = " \
-  ${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.bin \
-"
-FILES_${PN}-bcm4354 = " \
-  ${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin \
-"
+# for i in `grep brcm WHENCE  | grep ^File | sed 's/File: brcm.//g'`; do pkg=`echo $i | sed 's/-[sp40].*//g; s/\.bin//g; s/brcmfmac/bcm/g; s/_hdr/-hdr/g; s/BCM/bcm-0bb4-0306/g'`; echo "$i - $pkg"; echo -e "FILES_\${PN}-$pkg = \"\${nonarch_base_libdir}/firmware/brcm/$i\""; done | grep ^FILES
 
+FILES_${PN}-bcm43xx = "${nonarch_base_libdir}/firmware/brcm/bcm43xx-0.fw"
+FILES_${PN}-bcm43xx-hdr = "${nonarch_base_libdir}/firmware/brcm/bcm43xx_hdr-0.fw"
+FILES_${PN}-bcm4329-fullmac = "${nonarch_base_libdir}/firmware/brcm/bcm4329-fullmac-4.bin"
+FILES_${PN}-bcm43236b = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43236b.bin"
+FILES_${PN}-bcm4329 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4329-sdio.bin"
+FILES_${PN}-bcm4330 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4330-sdio.bin"
+FILES_${PN}-bcm4334 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4334-sdio.bin"
+FILES_${PN}-bcm4335 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4335-sdio.bin"
+FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin"
+FILES_${PN}-bcm43241b0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b0-sdio.bin"
+FILES_${PN}-bcm43241b4 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b4-sdio.bin"
+FILES_${PN}-bcm43241b5 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b5-sdio.bin"
+FILES_${PN}-bcm43242a = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43242a.bin"
+FILES_${PN}-bcm43143 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43143.bin \
+  ${nonarch_base_libdir}/firmware/brcm/brcmfmac43143-sdio.bin \
+"
+FILES_${PN}-bcm43430a0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430a0-sdio.bin"
+FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.bin"
+FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin"
+FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin"
+FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin"
+FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin"
+FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin"
+FILES_${PN}-bcm4358 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4358-pcie.bin"
+FILES_${PN}-bcm43602 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.bin \
+  ${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.ap.bin \
+"
+FILES_${PN}-bcm4366b = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4366b-pcie.bin"
+FILES_${PN}-bcm4371 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4371-pcie.bin"
+
+# for i in `grep brcm WHENCE  | grep ^File | sed 's/File: brcm.//g'`; do pkg=`echo $i | sed 's/-[sp40].*//g; s/\.bin//g; s/brcmfmac/bcm/g; s/_hdr/-hdr/g; s/BCM/bcm-0bb4-0306/g'`; echo -e "LICENSE_\${PN}-$pkg = \"Firmware-broadcom_bcm43xx\"\nRDEPENDS_\${PN}-$pkg += \"\${PN}-broadcom-license\""; done
+# Currently 1st one and last 6 have cypress LICENSE
+
+LICENSE_${PN}-bcm43xx = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43xx += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43xx-hdr = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43xx-hdr += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4329-fullmac = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4329-fullmac += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43236b = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43236b += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4329 = "Firmware-broadcom_bcm43xx"
 RDEPENDS_${PN}-bcm4329 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4330 = "Firmware-broadcom_bcm43xx"
 RDEPENDS_${PN}-bcm4330 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4334 = "Firmware-broadcom_bcm43xx"
 RDEPENDS_${PN}-bcm4334 += "${PN}-broadcom-license"
-RDEPENDS_${PN}-bcm43340 += "${PN}-broadcom-license"
-RDEPENDS_${PN}-bcm43362 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4335 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4335 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4339 = "Firmware-broadcom_bcm43xx"
 RDEPENDS_${PN}-bcm4339 += "${PN}-broadcom-license"
-RDEPENDS_${PN}-bcm43430 += "${PN}-broadcom-license"
-RDEPENDS_${PN}-bcm4354 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43241b0 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43241b0 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43241b4 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43241b4 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43241b5 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43241b5 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43242a = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43242a += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43143 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43143 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43430a0 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43430a0 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43455 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43455 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4350c2 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4350c2 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4350 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4350 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4356 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4356 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43569 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43569 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43570 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43570 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4358 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4358 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm43602 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm43602 += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4366b = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4366b += "${PN}-broadcom-license"
+LICENSE_${PN}-bcm4371 = "Firmware-broadcom_bcm43xx"
+RDEPENDS_${PN}-bcm4371 += "${PN}-broadcom-license"
+
+# For broadcom cypress
+
+LICENSE_${PN}-cypress-license = "Firmware-cypress"
+FILES_${PN}-cypress-license = "${nonarch_base_libdir}/firmware/LICENCE.cypress"
+
+FILES_${PN}-bcm-0bb4-0306 = "${nonarch_base_libdir}/firmware/brcm/BCM-0bb4-0306.hcd"
+FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.bin"
+FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.bin"
+FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.bin"
+FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin"
+FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.bin"
+FILES_${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \
+  ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \
+"
+
+LICENSE_${PN}-bcm-0bb4-0306 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm-0bb4-0306 += "${PN}-cypress-license"
+LICENSE_${PN}-bcm43340 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm43340 += "${PN}-cypress-license"
+LICENSE_${PN}-bcm43362 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm43362 += "${PN}-cypress-license"
+LICENSE_${PN}-bcm43430 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm43430 += "${PN}-cypress-license"
+LICENSE_${PN}-bcm4354 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm4354 += "${PN}-cypress-license"
+LICENSE_${PN}-bcm4356-pcie = "Firmware-cypress"
+RDEPENDS_${PN}-bcm4356-pcie += "${PN}-cypress-license"
+LICENSE_${PN}-bcm4373 = "Firmware-cypress"
+RDEPENDS_${PN}-bcm4373 += "${PN}-cypress-license"
 
 # For Broadcom bnx2-mips
 #
diff --git a/poky/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc b/poky/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc
index 9903c06..b5cf96d 100644
--- a/poky/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc
+++ b/poky/meta/recipes-kernel/linux-libc-headers/linux-libc-headers.inc
@@ -77,6 +77,10 @@
 	do_install_armmultilib
 }
 
+do_install_append_armeb () {
+	do_install_armmultilib
+}
+
 do_install_armmultilib () {
 	oe_multilib_header asm/auxvec.h asm/bitsperlong.h asm/byteorder.h asm/fcntl.h asm/hwcap.h asm/ioctls.h asm/kvm.h asm/kvm_para.h asm/mman.h asm/param.h asm/perf_regs.h asm/bpf_perf_event.h
 	oe_multilib_header asm/posix_types.h asm/ptrace.h  asm/setup.h  asm/sigcontext.h asm/siginfo.h asm/signal.h asm/stat.h  asm/statfs.h asm/swab.h  asm/types.h asm/unistd.h
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb
index 5edc0fa..cf6a733 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.12.bb
@@ -11,13 +11,13 @@
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "705d03507a0c10dcbf9cad3ff70f5d60b70f2d99"
-SRCREV_meta ?= "46171de19220c49d670544017cfbeffc1ec70e80"
+SRCREV_machine ?= "7ba09f891939cbf2c58801a7a4a740365896d6ba"
+SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.12.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "4.12.24"
+LINUX_VERSION ?= "4.12.26"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
index 81306a9..0067118 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
@@ -11,13 +11,13 @@
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "7272e9132fdaaf0dd78bc94e9f297aaf73452982"
-SRCREV_meta ?= "ea9330894eea727bd1655569b16f338976b72563"
+SRCREV_machine ?= "aeeb2d73f2a828a9c0b121b2aa3bb345009f5698"
+SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "4.14.30"
+LINUX_VERSION ?= "4.14.48"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.15.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.15.bb
index c5d3ee0..d166a40 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.15.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.15.bb
@@ -11,13 +11,13 @@
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "91084d030bc841c483c31e8664289c7940aa5506"
-SRCREV_meta ?= "939d935b0c992c6f1e51a7a1c9e4fbe6ef3c3174"
+SRCREV_machine ?= "e25dbfe95302eeaa1a03a828d05c09479574488a"
+SRCREV_meta ?= "45c256a5ca6f9478bce212fec19e2bc273472631"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.15;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "4.15.13"
+LINUX_VERSION ?= "4.15.18"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb
index 31307a6..9d5e158 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.12.bb
@@ -4,13 +4,13 @@
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "4.12.24"
+LINUX_VERSION ?= "4.12.26"
 
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine ?= "f9d67777b07ac97966186c1b56db78afe2a16f92"
-SRCREV_meta ?= "46171de19220c49d670544017cfbeffc1ec70e80"
+SRCREV_machine ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
+SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
index 34bee09..58945f2 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
@@ -4,7 +4,7 @@
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "4.14.30"
+LINUX_VERSION ?= "4.14.48"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
@@ -12,8 +12,8 @@
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine ?= "ad31896630f8bf6a459164263adc0a8faf984d9e"
-SRCREV_meta ?= "ea9330894eea727bd1655569b16f338976b72563"
+SRCREV_machine ?= "9e246607d5c23f8bb3b8800734b1707766e0b2b9"
+SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.15.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.15.bb
index 05b9ca3..5f9b3c7 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.15.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.15.bb
@@ -4,13 +4,13 @@
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "4.15.13"
+LINUX_VERSION ?= "4.15.18"
 
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine ?= "91084d030bc841c483c31e8664289c7940aa5506"
-SRCREV_meta ?= "939d935b0c992c6f1e51a7a1c9e4fbe6ef3c3174"
+SRCREV_machine ?= "e25dbfe95302eeaa1a03a828d05c09479574488a"
+SRCREV_meta ?= "45c256a5ca6f9478bce212fec19e2bc273472631"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb b/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb
index 8d56012..ac98ca8 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_4.12.bb
@@ -11,22 +11,22 @@
 KBRANCH_qemux86-64 ?= "standard/base"
 KBRANCH_qemumips64 ?= "standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "45824c60ca37f414a5ac5783e970338db9a5a2af"
-SRCREV_machine_qemuarm64 ?= "f9d67777b07ac97966186c1b56db78afe2a16f92"
-SRCREV_machine_qemumips ?= "66f741b0b3d093e6b6df0f44120913ef3a259e23"
-SRCREV_machine_qemuppc ?= "f9d67777b07ac97966186c1b56db78afe2a16f92"
-SRCREV_machine_qemux86 ?= "f9d67777b07ac97966186c1b56db78afe2a16f92"
-SRCREV_machine_qemux86-64 ?= "f9d67777b07ac97966186c1b56db78afe2a16f92"
-SRCREV_machine_qemumips64 ?= "c5d838c9e26bd657b49dfe28b115e5bc4b580850"
-SRCREV_machine ?= "f9d67777b07ac97966186c1b56db78afe2a16f92"
-SRCREV_meta ?= "46171de19220c49d670544017cfbeffc1ec70e80"
+SRCREV_machine_qemuarm ?= "86b02dd23be1e3b3449885b38ed1b876ebec31e8"
+SRCREV_machine_qemuarm64 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
+SRCREV_machine_qemumips ?= "67b93101c52504fd5077166c70baa296190e6166"
+SRCREV_machine_qemuppc ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
+SRCREV_machine_qemux86 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
+SRCREV_machine_qemux86-64 ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
+SRCREV_machine_qemumips64 ?= "38da8c72733da9619bbbddf14140204631faf488"
+SRCREV_machine ?= "bd8f931e213614bc5fdc6aeaa132d273caa002af"
+SRCREV_meta ?= "367bd3633d5a661035f90f0b8daa38e97da1a587"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.12.git;name=machine;branch=${KBRANCH}; \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}"
 
 DEPENDS += "openssl-native util-linux-native"
 
-LINUX_VERSION ?= "4.12.24"
+LINUX_VERSION ?= "4.12.26"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb b/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
index 16142f8..0449213 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
@@ -11,20 +11,20 @@
 KBRANCH_qemux86-64 ?= "v4.14/standard/base"
 KBRANCH_qemumips64 ?= "v4.14/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "d6268fc3460d3904fd49087f7a822efbaab9bfe8"
-SRCREV_machine_qemuarm64 ?= "c94189843b8ad62cafe9a307e7f7d60741690505"
-SRCREV_machine_qemumips ?= "4afd92347b2b35dc8e0006712f8fa00ac57f2a36"
-SRCREV_machine_qemuppc ?= "e8af5c9b65c5187d148ecd11bd7979489460ca64"
-SRCREV_machine_qemux86 ?= "74f6cd2b6976e37491779fcb1bc4966d3a61492c"
-SRCREV_machine_qemux86-64 ?= "74f6cd2b6976e37491779fcb1bc4966d3a61492c"
-SRCREV_machine_qemumips64 ?= "9863b327e770b42b8c18da3e0cfaf06e8f99ae97"
-SRCREV_machine ?= "74f6cd2b6976e37491779fcb1bc4966d3a61492c"
-SRCREV_meta ?= "ea9330894eea727bd1655569b16f338976b72563"
+SRCREV_machine_qemuarm ?= "363723ef50c06df54e146c8fe78faa962e96a8c8"
+SRCREV_machine_qemuarm64 ?= "798d15552a4d5d9355a300290ed6bf72106b7e96"
+SRCREV_machine_qemumips ?= "6c2433d7c51c3e78b1be2c7d1fbfe840b13d04df"
+SRCREV_machine_qemuppc ?= "c03babad17499489b20216576d608c94e7fddc5d"
+SRCREV_machine_qemux86 ?= "65d1c849534179bbfa494f77947f8be615e9871a"
+SRCREV_machine_qemux86-64 ?= "65d1c849534179bbfa494f77947f8be615e9871a"
+SRCREV_machine_qemumips64 ?= "59f70381cbde371e41206b7902390ae78558c310"
+SRCREV_machine ?= "65d1c849534179bbfa494f77947f8be615e9871a"
+SRCREV_meta ?= "94457657b8d621868672917d1c2631df4a4fadd8"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "4.14.30"
+LINUX_VERSION ?= "4.14.48"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_4.15.bb b/poky/meta/recipes-kernel/linux/linux-yocto_4.15.bb
index 70bd711..693670c 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_4.15.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_4.15.bb
@@ -11,20 +11,20 @@
 KBRANCH_qemux86-64 ?= "v4.15/standard/base"
 KBRANCH_qemumips64 ?= "v4.15/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "4b6902b42f47593928117b2ff0900cd965cf6443"
-SRCREV_machine_qemuarm64 ?= "91084d030bc841c483c31e8664289c7940aa5506"
-SRCREV_machine_qemumips ?= "19ba2d843750ff65d8fe590acdfc99aea6153945"
-SRCREV_machine_qemuppc ?= "91084d030bc841c483c31e8664289c7940aa5506"
-SRCREV_machine_qemux86 ?= "91084d030bc841c483c31e8664289c7940aa5506"
-SRCREV_machine_qemux86-64 ?= "91084d030bc841c483c31e8664289c7940aa5506"
-SRCREV_machine_qemumips64 ?= "97000c3f4664643bac7828bbdc048f7ec216cc31"
-SRCREV_machine ?= "91084d030bc841c483c31e8664289c7940aa5506"
-SRCREV_meta ?= "939d935b0c992c6f1e51a7a1c9e4fbe6ef3c3174"
+SRCREV_machine_qemuarm ?= "d16b10fb69974f1804a02f2678f40d22c80526cf"
+SRCREV_machine_qemuarm64 ?= "e25dbfe95302eeaa1a03a828d05c09479574488a"
+SRCREV_machine_qemumips ?= "182eaefab712f4360126e044c758e75d763d05c4"
+SRCREV_machine_qemuppc ?= "e25dbfe95302eeaa1a03a828d05c09479574488a"
+SRCREV_machine_qemux86 ?= "e25dbfe95302eeaa1a03a828d05c09479574488a"
+SRCREV_machine_qemux86-64 ?= "e25dbfe95302eeaa1a03a828d05c09479574488a"
+SRCREV_machine_qemumips64 ?= "ce3876a091477260fcb1197e3c6565dfbf9c6e80"
+SRCREV_machine ?= "e25dbfe95302eeaa1a03a828d05c09479574488a"
+SRCREV_meta ?= "45c256a5ca6f9478bce212fec19e2bc273472631"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.15;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "4.15.13"
+LINUX_VERSION ?= "4.15.18"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules_2.10.5.bb b/poky/meta/recipes-kernel/lttng/lttng-modules_2.10.6.bb
similarity index 89%
rename from poky/meta/recipes-kernel/lttng/lttng-modules_2.10.5.bb
rename to poky/meta/recipes-kernel/lttng/lttng-modules_2.10.6.bb
index 370b78a..6146966 100644
--- a/poky/meta/recipes-kernel/lttng/lttng-modules_2.10.5.bb
+++ b/poky/meta/recipes-kernel/lttng/lttng-modules_2.10.6.bb
@@ -16,8 +16,8 @@
            file://BUILD_RUNTIME_BUG_ON-vs-gcc7.patch \
 "
 
-SRC_URI[md5sum] = "4aaabaafd15d9455c83972e26ccfbca7"
-SRC_URI[sha256sum] = "b8dbbbee45a673c381f51b99c555e36655c3c2c7a5477aab927591cc7f003a1f"
+SRC_URI[md5sum] = "8110099f4615fc89a74ffe9189b56cfc"
+SRC_URI[sha256sum] = "04a080c81743eb29d181bac29ceb0c15819a2f4210793f2cc9958d885435029f"
 
 export INSTALL_MOD_DIR="kernel/lttng-modules"
 
diff --git a/poky/meta/recipes-kernel/perf/perf.bb b/poky/meta/recipes-kernel/perf/perf.bb
index 51f5597..90bbed2 100644
--- a/poky/meta/recipes-kernel/perf/perf.bb
+++ b/poky/meta/recipes-kernel/perf/perf.bb
@@ -97,6 +97,13 @@
     'infodir=${@os.path.relpath(infodir, prefix)}' \
 "
 
+# During do_configure, we might run a 'make clean'. That often breaks
+# when done in parallel, so disable parallelism for do_configure. Note
+# that it has to be done this way rather than by passing -j1, since
+# perf's build system by default ignores any -j argument, but does
+# honour a JOBS variable.
+EXTRA_OEMAKE_append_task-configure = " JOBS=1"
+
 PERF_SRC ?= "Makefile \
              include \
              tools/arch \
diff --git a/poky/meta/recipes-multimedia/lame/lame_3.100.bb b/poky/meta/recipes-multimedia/lame/lame_3.100.bb
index ff6ac7e..7f8996f 100644
--- a/poky/meta/recipes-multimedia/lame/lame_3.100.bb
+++ b/poky/meta/recipes-multimedia/lame/lame_3.100.bb
@@ -3,14 +3,12 @@
 BUGTRACKER = "http://sourceforge.net/tracker/?group_id=290&atid=100290"
 SECTION = "console/utils"
 LICENSE = "LGPLv2+"
-LICENSE_FLAGS = "commercial"
-
-DEPENDS = "ncurses gettext-native"
-
 LIC_FILES_CHKSUM = "file://COPYING;md5=c46bda00ffbb0ba1dac22f8d087f54d9 \
                     file://include/lame.h;beginline=1;endline=20;md5=a2258182c593c398d15a48262130a92b \
 "
 
+DEPENDS = "ncurses gettext-native"
+
 SRC_URI = "${SOURCEFORGE_MIRROR}/lame/lame-${PV}.tar.gz \
            file://no-gtk1.patch \
            "
diff --git a/poky/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch b/poky/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch
new file mode 100644
index 0000000..7252298
--- /dev/null
+++ b/poky/meta/recipes-multimedia/libtiff/files/CVE-2018-10963.patch
@@ -0,0 +1,39 @@
+From de144fd228e4be8aa484c3caf3d814b6fa88c6d9 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 12 May 2018 14:24:15 +0200
+Subject: [PATCH] TIFFWriteDirectorySec: avoid assertion. Fixes
+ http://bugzilla.maptools.org/show_bug.cgi?id=2795.
+ CVE-2018-10963
+
+---
+CVE: CVE-2018-10963
+
+Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/de144f...]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+---
+ libtiff/tif_dirwrite.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c
+index 2430de6..c15a28d 100644
+--- a/libtiff/tif_dirwrite.c
++++ b/libtiff/tif_dirwrite.c
+@@ -695,8 +695,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64* pdiroff)
+ 								}
+ 								break;
+ 							default:
+-								assert(0);   /* we should never get here */
+-								break;
++								TIFFErrorExt(tif->tif_clientdata,module,
++								            "Cannot write tag %d (%s)",
++								            TIFFFieldTag(o),
++                                                                            o->field_name ? o->field_name : "unknown");
++								goto bad;
+ 						}
+ 					}
+ 				}
+-- 
+1.7.9.5
+
diff --git a/poky/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch b/poky/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch
new file mode 100644
index 0000000..2c11f93
--- /dev/null
+++ b/poky/meta/recipes-multimedia/libtiff/files/CVE-2018-7456.patch
@@ -0,0 +1,178 @@
+From be4c85b16e8801a16eec25e80eb9f3dd6a96731b Mon Sep 17 00:00:00 2001
+From: Hugo Lefeuvre <hle@debian.org>
+Date: Sun, 8 Apr 2018 14:07:08 -0400
+Subject: [PATCH] Fix NULL pointer dereference in TIFFPrintDirectory
+
+The TIFFPrintDirectory function relies on the following assumptions,
+supposed to be guaranteed by the specification:
+
+(a) A Transfer Function field is only present if the TIFF file has
+    photometric type < 3.
+
+(b) If SamplesPerPixel > Color Channels, then the ExtraSamples field
+    has count SamplesPerPixel - (Color Channels) and contains
+    information about supplementary channels.
+
+While respect of (a) and (b) are essential for the well functioning of
+TIFFPrintDirectory, no checks are realized neither by the callee nor
+by TIFFPrintDirectory itself. Hence, following scenarios might happen
+and trigger the NULL pointer dereference:
+
+(1) TIFF File of photometric type 4 or more has illegal Transfer
+    Function field.
+
+(2) TIFF File has photometric type 3 or less and defines a
+    SamplesPerPixel field such that SamplesPerPixel > Color Channels
+    without defining all extra samples in the ExtraSamples fields.
+
+In this patch, we address both issues with respect of the following
+principles:
+
+(A) In the case of (1), the defined transfer table should be printed
+    safely even if it isn't 'legal'. This allows us to avoid expensive
+    checks in TIFFPrintDirectory. Also, it is quite possible that
+    an alternative photometric type would be developed (not part of the
+    standard) and would allow definition of Transfer Table. We want
+    libtiff to be able to handle this scenario out of the box.
+
+(B) In the case of (2), the transfer table should be printed at its
+    right size, that is if TIFF file has photometric type Palette
+    then the transfer table should have one row and not three, even
+    if two extra samples are declared.
+
+In order to fulfill (A) we simply add a new 'i < 3' end condition to
+the broken TIFFPrintDirectory loop. This makes sure that in any case
+where (b) would be respected but not (a), everything stays fine.
+
+(B) is fulfilled by the loop condition
+'i < td->td_samplesperpixel - td->td_extrasamples'. This is enough as
+long as (b) is respected.
+
+Naturally, we also make sure (b) is respected. This is done in the
+TIFFReadDirectory function by making sure any non-color channel is
+counted in ExtraSamples.
+
+This commit addresses CVE-2018-7456.
+
+---
+CVE: CVE-2018-7456
+
+Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/be4c85b...]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+---
+ libtiff/tif_dirread.c |   62 +++++++++++++++++++++++++++++++++++++++++++++++++
+ libtiff/tif_print.c   |    2 +-
+ 2 files changed, 63 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c
+index 6baa7b3..af5b84a 100644
+--- a/libtiff/tif_dirread.c
++++ b/libtiff/tif_dirread.c
+@@ -165,6 +165,7 @@ static int TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32 nstrips, uin
+ static int TIFFFetchSubjectDistance(TIFF*, TIFFDirEntry*);
+ static void ChopUpSingleUncompressedStrip(TIFF*);
+ static uint64 TIFFReadUInt64(const uint8 *value);
++static int _TIFFGetMaxColorChannels(uint16 photometric);
+ 
+ static int _TIFFFillStrilesInternal( TIFF *tif, int loadStripByteCount );
+ 
+@@ -3505,6 +3506,35 @@ static void TIFFReadDirEntryOutputErr(TIFF* tif, enum TIFFReadDirEntryErr err, c
+ }
+ 
+ /*
++ * Return the maximum number of color channels specified for a given photometric
++ * type. 0 is returned if photometric type isn't supported or no default value
++ * is defined by the specification.
++ */
++static int _TIFFGetMaxColorChannels( uint16 photometric )
++{
++    switch (photometric) {
++	case PHOTOMETRIC_PALETTE:
++	case PHOTOMETRIC_MINISWHITE:
++	case PHOTOMETRIC_MINISBLACK:
++            return 1;
++	case PHOTOMETRIC_YCBCR:
++	case PHOTOMETRIC_RGB:
++	case PHOTOMETRIC_CIELAB:
++            return 3;
++	case PHOTOMETRIC_SEPARATED:
++	case PHOTOMETRIC_MASK:
++            return 4;
++	case PHOTOMETRIC_LOGL:
++	case PHOTOMETRIC_LOGLUV:
++	case PHOTOMETRIC_CFA:
++	case PHOTOMETRIC_ITULAB:
++	case PHOTOMETRIC_ICCLAB:
++	default:
++            return 0;
++    }
++}
++
++/*
+  * Read the next TIFF directory from a file and convert it to the internal
+  * format. We read directories sequentially.
+  */
+@@ -3520,6 +3550,7 @@ TIFFReadDirectory(TIFF* tif)
+ 	uint32 fii=FAILED_FII;
+         toff_t nextdiroff;
+     int bitspersample_read = FALSE;
++        int color_channels;
+ 
+ 	tif->tif_diroff=tif->tif_nextdiroff;
+ 	if (!TIFFCheckDirOffset(tif,tif->tif_nextdiroff))
+@@ -4024,6 +4055,37 @@ TIFFReadDirectory(TIFF* tif)
+ 			}
+ 		}
+ 	}
++
++	/*
++	 * Make sure all non-color channels are extrasamples.
++	 * If it's not the case, define them as such.
++	 */
++        color_channels = _TIFFGetMaxColorChannels(tif->tif_dir.td_photometric);
++        if (color_channels && tif->tif_dir.td_samplesperpixel - tif->tif_dir.td_extrasamples > color_channels) {
++                uint16 old_extrasamples;
++                uint16 *new_sampleinfo;
++
++                TIFFWarningExt(tif->tif_clientdata,module, "Sum of Photometric type-related "
++                    "color channels and ExtraSamples doesn't match SamplesPerPixel. "
++                    "Defining non-color channels as ExtraSamples.");
++
++                old_extrasamples = tif->tif_dir.td_extrasamples;
++                tif->tif_dir.td_extrasamples = (tif->tif_dir.td_samplesperpixel - color_channels);
++
++                // sampleinfo should contain information relative to these new extra samples
++                new_sampleinfo = (uint16*) _TIFFcalloc(tif->tif_dir.td_extrasamples, sizeof(uint16));
++                if (!new_sampleinfo) {
++                    TIFFErrorExt(tif->tif_clientdata, module, "Failed to allocate memory for "
++                                "temporary new sampleinfo array (%d 16 bit elements)",
++                                tif->tif_dir.td_extrasamples);
++                    goto bad;
++                }
++
++                memcpy(new_sampleinfo, tif->tif_dir.td_sampleinfo, old_extrasamples * sizeof(uint16));
++                _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples);
++                _TIFFfree(new_sampleinfo);
++        }
++
+ 	/*
+ 	 * Verify Palette image has a Colormap.
+ 	 */
+diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c
+index 8deceb2..1d86adb 100644
+--- a/libtiff/tif_print.c
++++ b/libtiff/tif_print.c
+@@ -544,7 +544,7 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags)
+ 				uint16 i;
+ 				fprintf(fd, "    %2ld: %5u",
+ 				    l, td->td_transferfunction[0][l]);
+-				for (i = 1; i < td->td_samplesperpixel; i++)
++				for (i = 1; i < td->td_samplesperpixel - td->td_extrasamples && i < 3; i++)
+ 					fprintf(fd, " %5u",
+ 					    td->td_transferfunction[i][l]);
+ 				fputc('\n', fd);
+-- 
+1.7.9.5
+
diff --git a/poky/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch b/poky/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch
new file mode 100644
index 0000000..962646d
--- /dev/null
+++ b/poky/meta/recipes-multimedia/libtiff/files/CVE-2018-8905.patch
@@ -0,0 +1,61 @@
+From 58a898cb4459055bb488ca815c23b880c242a27d Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sat, 12 May 2018 15:32:31 +0200
+Subject: [PATCH] LZWDecodeCompat(): fix potential index-out-of-bounds write.
+ Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2780 /
+ CVE-2018-8905
+
+The fix consists in using the similar code LZWDecode() to validate we
+don't write outside of the output buffer.
+
+---
+CVE: CVE-2018-8905
+
+Upstream-Status: Backport [gitlab.com/libtiff/libtiff/commit/58a898...]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+---
+ libtiff/tif_lzw.c |   18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/libtiff/tif_lzw.c b/libtiff/tif_lzw.c
+index 4ccb443..94d85e3 100644
+--- a/libtiff/tif_lzw.c
++++ b/libtiff/tif_lzw.c
+@@ -602,6 +602,7 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ 	char *tp;
+ 	unsigned char *bp;
+ 	int code, nbits;
++	int len;
+ 	long nextbits, nextdata, nbitsmask;
+ 	code_t *codep, *free_entp, *maxcodep, *oldcodep;
+ 
+@@ -753,13 +754,18 @@ LZWDecodeCompat(TIFF* tif, uint8* op0, tmsize_t occ0, uint16 s)
+ 				}  while (--occ);
+ 				break;
+ 			}
+-			assert(occ >= codep->length);
+-			op += codep->length;
+-			occ -= codep->length;
+-			tp = op;
++			len = codep->length;
++			tp = op + len;
+ 			do {
+-				*--tp = codep->value;
+-			} while( (codep = codep->next) != NULL );
++				int t;
++				--tp;
++				t = codep->value;
++				codep = codep->next;
++				*tp = (char)t;
++			} while (codep && tp > op);
++			assert(occ >= len);
++			op += len;
++			occ -= len;
+ 		} else {
+ 			*op++ = (char)code;
+ 			occ--;
+-- 
+1.7.9.5
+
diff --git a/poky/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb b/poky/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
index 8c3bba5..fa64d11 100644
--- a/poky/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
+++ b/poky/meta/recipes-multimedia/libtiff/tiff_4.0.9.bb
@@ -9,6 +9,9 @@
            file://CVE-2017-9935.patch \
            file://CVE-2017-18013.patch \
            file://CVE-2018-5784.patch \
+           file://CVE-2018-10963.patch \
+           file://CVE-2018-8905.patch \
+           file://CVE-2018-7456.patch \
           "
 
 SRC_URI[md5sum] = "54bad211279cc93eb4fca31ba9bfdc79"
diff --git a/poky/meta/recipes-multimedia/mpg123/mpg123_1.25.10.bb b/poky/meta/recipes-multimedia/mpg123/mpg123_1.25.10.bb
index 929069a..ff2b7d8 100644
--- a/poky/meta/recipes-multimedia/mpg123/mpg123_1.25.10.bb
+++ b/poky/meta/recipes-multimedia/mpg123/mpg123_1.25.10.bb
@@ -7,7 +7,6 @@
 SECTION = "multimedia"
 
 LICENSE = "LGPLv2.1"
-LICENSE_FLAGS = "commercial"
 LIC_FILES_CHKSUM = "file://COPYING;md5=1e86753638d3cf2512528b99079bc4f3"
 
 SRC_URI = "https://www.mpg123.de/download/${BP}.tar.bz2"
diff --git a/poky/meta/recipes-support/attr/ea-acl.inc b/poky/meta/recipes-support/attr/ea-acl.inc
index 1339ecc..9336ffc 100644
--- a/poky/meta/recipes-support/attr/ea-acl.inc
+++ b/poky/meta/recipes-support/attr/ea-acl.inc
@@ -7,6 +7,9 @@
 
 inherit autotools-brokensep gettext
 
+# When upstream is using automake properly, this can be removed
+CLEANBROKEN = "1"
+
 # the package comes with a custom config.h.in, it cannot be
 # overwritten by autoheader
 EXTRA_AUTORECONF += "--exclude=autoheader"
diff --git a/poky/meta/recipes-support/bmap-tools/bmap-tools_3.4.bb b/poky/meta/recipes-support/bmap-tools/bmap-tools_3.4.bb
index 9d8191f..2aae9a3 100644
--- a/poky/meta/recipes-support/bmap-tools/bmap-tools_3.4.bb
+++ b/poky/meta/recipes-support/bmap-tools/bmap-tools_3.4.bb
@@ -16,7 +16,7 @@
 
 UPSTREAM_CHECK_URI = "https://github.com/intel/${BPN}/releases"
 
-RDEPENDS_${PN} = "python3-core python3-compression python3-mmap python3-setuptools"
+RDEPENDS_${PN} = "python3-core python3-compression python3-mmap python3-setuptools python3-fcntl"
 
 inherit python3native
 inherit setuptools3
diff --git a/poky/meta/recipes-support/curl/curl_7.60.0.bb b/poky/meta/recipes-support/curl/curl_7.61.0.bb
similarity index 95%
rename from poky/meta/recipes-support/curl/curl_7.60.0.bb
rename to poky/meta/recipes-support/curl/curl_7.61.0.bb
index fe04fa6..d118c3f 100644
--- a/poky/meta/recipes-support/curl/curl_7.60.0.bb
+++ b/poky/meta/recipes-support/curl/curl_7.61.0.bb
@@ -9,8 +9,8 @@
            file://0001-replace-krb5-config-with-pkg-config.patch \
 "
 
-SRC_URI[md5sum] = "bd2aabf78ded6a9aec8a54532fd6b5d7"
-SRC_URI[sha256sum] = "897dfb2204bd99be328279f88f55b7c61592216b0542fcbe995c60aa92871e9b"
+SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a"
+SRC_URI[sha256sum] = "5f6f336921cf5b84de56afbd08dfb70adeef2303751ffb3e570c936c6d656c9c"
 
 CVE_PRODUCT = "libcurl"
 inherit autotools pkgconfig binconfig multilib_header
diff --git a/poky/meta/recipes-support/gnutls/gnutls.inc b/poky/meta/recipes-support/gnutls/gnutls.inc
index 7bcb913..98ec8d9 100644
--- a/poky/meta/recipes-support/gnutls/gnutls.inc
+++ b/poky/meta/recipes-support/gnutls/gnutls.inc
@@ -17,7 +17,7 @@
 
 SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 
-SRC_URI = "ftp://ftp.gnutls.org/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz"
+SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz"
 
 inherit autotools texinfo binconfig pkgconfig gettext lib_package gtk-doc
 
diff --git a/poky/meta/recipes-support/iso-codes/iso-codes_3.77.bb b/poky/meta/recipes-support/iso-codes/iso-codes_3.77.bb
index bd613ac..52e56ca 100644
--- a/poky/meta/recipes-support/iso-codes/iso-codes_3.77.bb
+++ b/poky/meta/recipes-support/iso-codes/iso-codes_3.77.bb
@@ -2,14 +2,15 @@
 LICENSE = "LGPLv2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
 
-SRC_URI = "https://pkg-isocodes.alioth.debian.org/downloads/iso-codes-${PV}.tar.xz"
-SRC_URI[md5sum] = "9d0d06cfb4634428b300845edcd7140a"
-SRC_URI[sha256sum] = "21cd73a4c6f95d9474ebfcffd4e065223857720f24858e564f4409b19f7f0d90"
+SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http"
+SRCREV = "0a932d3e1e6d9058a6ef874c8ff1dc4a193bc030"
 
 # inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which
 # are inhibited by allarch
 DEPENDS = "gettext-native"
 
+S = "${WORKDIR}/git"
+
 inherit allarch autotools
 
 FILES_${PN} += "${datadir}/xml/"
diff --git a/poky/meta/recipes-support/nettle/nettle_3.4.bb b/poky/meta/recipes-support/nettle/nettle_3.4.bb
index 7a3cc65..ca8450e 100644
--- a/poky/meta/recipes-support/nettle/nettle_3.4.bb
+++ b/poky/meta/recipes-support/nettle/nettle_3.4.bb
@@ -25,7 +25,7 @@
 
 UPSTREAM_CHECK_REGEX = "nettle-(?P<pver>\d+(\.\d+)+)\.tar"
 
-inherit autotools ptest
+inherit autotools ptest multilib_header
 
 EXTRA_AUTORECONF += "--exclude=aclocal"
 
@@ -35,6 +35,10 @@
         oe_runmake buildtest
 }
 
+do_install_append() {
+    oe_multilib_header nettle/nettle-stdint.h nettle/version.h
+}
+
 do_install_ptest() {
         install -d ${D}${PTEST_PATH}/testsuite/
         install ${S}/testsuite/gold-bug.txt ${D}${PTEST_PATH}/testsuite/
diff --git a/poky/meta/recipes-support/popt/popt_1.16.bb b/poky/meta/recipes-support/popt/popt_1.16.bb
index 478288f..377d108 100644
--- a/poky/meta/recipes-support/popt/popt_1.16.bb
+++ b/poky/meta/recipes-support/popt/popt_1.16.bb
@@ -8,7 +8,7 @@
 
 DEPENDS = "virtual/libiconv"
 
-SRC_URI = "http://rpm5.org/files/popt/popt-${PV}.tar.gz \
+SRC_URI = "https://fossies.org/linux/misc/popt-${PV}.tar.gz \
            file://pkgconfig_fix.patch \
            file://popt_fix_for_automake-1.12.patch \
            file://disable_tests.patch \
diff --git a/poky/meta/recipes-support/shared-mime-info/shared-mime-info.inc b/poky/meta/recipes-support/shared-mime-info/shared-mime-info.inc
index 1f51225..344da7e 100644
--- a/poky/meta/recipes-support/shared-mime-info/shared-mime-info.inc
+++ b/poky/meta/recipes-support/shared-mime-info/shared-mime-info.inc
@@ -2,7 +2,7 @@
 HOMEPAGE = "http://freedesktop.org/wiki/Software/shared-mime-info"
 SECTION = "base"
 
-LICENSE = "LGPLv2+"
+LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
 DEPENDS = "libxml2 intltool-native glib-2.0 shared-mime-info-native"
diff --git a/poky/meta/recipes-support/sqlite/sqlite3.inc b/poky/meta/recipes-support/sqlite/sqlite3.inc
index 95ec89c..30847b9 100644
--- a/poky/meta/recipes-support/sqlite/sqlite3.inc
+++ b/poky/meta/recipes-support/sqlite/sqlite3.inc
@@ -37,10 +37,12 @@
 
 # pread() is in POSIX.1-2001 so any reasonable system must surely support it
 BUILD_CFLAGS += "-DUSE_PREAD"
+BUILDSDK_CFLAGS += "-DUSE_PREAD"
 TARGET_CFLAGS += "-DUSE_PREAD"
 
 # Provide column meta-data API
 BUILD_CFLAGS += "-DSQLITE_ENABLE_COLUMN_METADATA"
+BUILDSDK_CFLAGS += "-DSQLITE_ENABLE_COLUMN_METADATA"
 TARGET_CFLAGS += "-DSQLITE_ENABLE_COLUMN_METADATA"
 
 PACKAGES = "lib${BPN} lib${BPN}-dev lib${BPN}-doc ${PN}-dbg lib${BPN}-staticdev ${PN}"
diff --git a/poky/meta/site/powerpc64-linux b/poky/meta/site/powerpc64-linux
index d64e230..820a4b8 100644
--- a/poky/meta/site/powerpc64-linux
+++ b/poky/meta/site/powerpc64-linux
@@ -37,3 +37,5 @@
 # apr
 apr_cv_tcp_nodelay_with_cork=${apr_cv_tcp_nodelay_with_cork=yes}
 
+# cvs
+cvs_cv_func_printf_ptr=${cvs_cv_func_printf_ptr=yes}