subtree updates

poky: ddb298ce89..fc25449687:
  Alex Kiernan (1):
        rust: Upgrade 1.68.1 -> 1.68.2

  Alexander Kanavin (5):
        selftest/distrodata: clean up exception lists in recipe maintainers test
        dhcpcd: use git instead of tarballs
        perl: patch out build paths from native binaries
        libgcrypt: update 1.10.1 -> 1.10.2
        rpm: update 4.18.0 -> 4.18.1

  Andrew Jeffery (1):
        Revert "ipk: Decode byte data to string in manifest handling"

  Archana Polampalli (1):
        git: ignore CVE-2023-25815

  Arslan Ahmad (1):
        kernel-fitimage: Fix the default dtb config check

  Bruce Ashfield (9):
        kernel: improve initramfs bundle processing time
        yocto-bsps: update to v5.15.106
        linux-yocto/5.15: update to v5.15.109
        linux-yocto/5.15: update to v5.15.110
        linux-yocto/5.15: update to v5.15.111
        linux-yocto/5.15: update to v5.15.112
        linux-yocto/5.15: update to v5.15.113
        kernel: don't force PAHOLE=false
        linux-yocto: move build / debug dependencies to .inc

  Chen Qi (1):
        staging.bbclass: do not add extend_recipe_sysroot to prefuncs of prepare_recipe_sysroot

  Chi Xu (1):
        expect: Add ptest support

  Daniel Ammann (1):
        overview-manual: concepts.rst: Fix a typo

  Deepthi Hemraj (1):
        binutils: stable 2.40 branch updates

  Denys Dmytriyenko (1):
        xz: upgrade 5.4.2 -> 5.4.3

  Dmitry Baryshkov (1):
        linux-firmware: upgrade 20230210 -> 20230404

  Eero Aaltonen (1):
        avahi: fix D-Bus introspection

  Enrico Jörns (1):
        package_manager/ipk: fix config path generation in _create_custom_config()

  Jan Vermaete (1):
        cve-update-nvd2-native: added the missing http import

  Joe Slater (1):
        ghostscript: fix CVE-2023-28879

  Johannes Schrimpf (1):
        python3targetconfig.bbclass: Extend PYTHONPATH instead of overwriting

  Kai Kang (1):
        libnotify: remove dependency dbus

  Khem Raj (10):
        cargo: Fix build on musl/riscv
        gawk: Disable known ptest fails on musl
        gawk: Remove redundant patch
        gawk: Add skipped.txt to emit test to ignore
        libxml2: Disable icu tests on musl
        quilt: Fix merge.test race condition
        piglit: Fix c++11-narrowing warnings in tests
        cpio: Run ptests under ptest user
        go: Upgrade 1.20.1 -> 1.20.4
        go: Use -no-pie to build target cgo

  Lee Chee Yang (3):
        release-notes-4.2: update known issues and Repositories/Downloads
        migration-guides: add release-notes for 4.1.4
        migration-guides: add release notes for 4.2.1

  Lorenzo Arena (1):
        conf: add nice level to the hash config ignred variables

  Luca Ceresoli (2):
        ref-manual: classes: kernel: remove incorrect sentence opening
        ref-manual: classes: kernel: document automatic defconfig usage

  Markus Volk (1):
        gtk4: update 4.10.0 -> 4.10.3

  Martin Jansa (7):
        populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override
        populate_sdk_ext.bbclass: redirect stderr to stdout so that both end in LOGFILE
        populate_sdk_base.bbclass: respect MLPREFIX for ptest-pkgs's ptest-runner
        binutils: package static libs from gprofng
        go.bbclass: don't use test to check output from ls
        image-live.bbclass: respect IMAGE_MACHINE_SUFFIX
        rpm: drop unused 0001-Rip-out-partial-support-for-unused-MD2-and-RIPEMD160.patch

  Martin Siegumfeldt (1):
        systemd-systemctl: fix instance template WantedBy symlink construction

  Michael Halstead (2):
        uninative: Upgrade to 3.10 to support gcc 13
        uninative: Upgrade to 4.0 to include latest gcc 13.1.1

  Michael Opdenacker (2):
        migration-guides: release-notes-4.2: add doc improvement highlights
        releases.svg: fix and explain duration of Hardknott 3.3

  Mikko Rapeli (1):
        qemurunner: avoid leaking server_socket

  Ming Liu (1):
        weston: add xwayland to DEPENDS for PACKAGECONFIG xwayland

  Otavio Salvador (1):
        mesa: 23.0.2 -> 23.0.3

  Pablo Saavedra (1):
        gstreamer1.0: upgrade 1.22.0 -> 1.22.2

  Paul Gortmaker (1):
        scripts: fix buildstats diff/summary hard bound to host python3

  Pavel Zhukov (1):
        lib/terminal.py: Add urxvt terminal

  Pawan Badganchi (1):
        tiff: Add fix for CVE-2022-4645

  Peter Bergin (1):
        update-alternatives.bbclass: fix old override syntax

  Peter Kjellerstedt (3):
        license.bbclass: Include LICENSE in the output when it fails to parse
        musl: Correct SRC_URI
        xf86-video-intel: Use the HTTPS protocol to fetch the Git repositories

  Piotr Łobacz (1):
        libarchive: Enable acls, xattr for native as well as target

  Qiu Tingting (2):
        e2fsprogs: fix ptest bug for second running
        e2fsprogs: Fix error SRCDIR when using usrmerge DISTRO_FEATURES

  Randy MacLeod (1):
        vim: upgrade 9.0.1429 -> 9.0.1527

  Ranjitsinh Rathod (2):
        libbsd: Add correct license for all packages
        kmscube: Correct DEPENDS to avoid overwrite

  Richard Purdie (8):
        qemu: Add fix for powerpc instruction fallback issue
        qemu: Update ppc instruction fix to match revised upstream version
        glib-networking: Add test retry to avoid failures
        glib-networking: Correct glib error handling in test patch
        maintainers.inc: Fix email address typo
        maintainers.inc: Move repo to unassigned
        recipes: Default to https git protocol where possible
        selftest/reproducible: Allow native/cross reuse in test

  Ross Burton (5):
        connman: backport fix for CVE-2023-28488
        cpio: fix appending to archives larger than 2GB
        machine/qemuarm*: don't explicitly set vmalloc
        gdb: fix crashes when debugging threads with Arm Pointer Authentication enabled
        meta: depend on autoconf-archive-native, not autoconf-archive

  Steve Sakoman (3):
        Revert "xserver-xorg: backport fix for CVE-2023-1393"
        poky.conf: bump version for 4.2.1 release
        build-appliance-image: Update to mickledore head revision

  Sudip Mukherjee (4):
        libxfixes: Upgrade to v6.0.1
        xwininfo: upgrade to v1.1.6
        xinput: upgrade to v1.6.4
        libxi: upgrade to v1.8.1

  Thomas Roos (3):
        oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set
        oeqa/selftest/cases/devtool.py: skip all tests require folder a git repo
        oeqa: adding selftest-hello and use it to speed up tests

  Tim Orling (1):
        libmodule-build-perl: upgrade 0.4232 -> 0.4234

  Tom Hochstein (1):
        piglit: Add missing glslang dependencies

  Ulrich Ölmann (1):
        ref-manual: classes.rst: fix typo

  Upgrade Helper (1):
        waffle: upgrade 1.7.0 -> 1.7.2

  Virendra Thakur (1):
        qemu: Whitelist CVE-2023-0664

  Wang Mingyu (18):
        apr: upgrade 1.7.2 -> 1.7.3
        bind: upgrade 9.18.12 -> 9.18.13
        cracklib: upgrade 2.9.10 -> 2.9.11
        libhandy: upgrade 1.8.1 -> 1.8.2
        libpcap: upgrade 1.10.3 -> 1.10.4
        libsdl2: upgrade 2.26.3 -> 2.26.5
        mpg123: upgrade 1.31.2 -> 1.31.3
        man-pages: upgrade 6.03 -> 6.04
        mtools: upgrade 4.0.42 -> 4.0.43
        pango: upgrade 1.50.13 -> 1.50.14
        ruby: upgrade 3.2.1 -> 3.2.2
        texinfo: upgrade 7.0.2 -> 7.0.3
        wpebackend-fdo: upgrade 1.14.0 -> 1.14.2
        xserver-xorg: upgrade 21.1.7 -> 21.1.8
        xwayland: upgrade 22.1.8 -> 23.1.1
        vala: upgrade 0.56.4 -> 0.56.6
        mesa: upgrade 23.0.0 -> 23.0.2
        iso-codes: upgrade 4.13.0 -> 4.15.0

  Xiangyu Chen (1):
        sysstat: Fix CVE-2023-33204

  Yoann Congal (1):
        cve-extra-exclusions: linux-yocto: ignore fixed CVE-2023-1652 & CVE-2023-1829

  Zhixiong Chi (1):
        libpam: Fix the xtests/tst-pam_motd[1|3] failures

  bkylerussell@gmail.com (1):
        kernel-devsrc: depend on python3-core instead of python3

  hen Qi (1):
        unfs3: fix symlink time setting issue

  nikhil (1):
        tiff: Remove unused patch from tiff

meta-raspberrypi: bf948e0aa8..aa0aed9a08:
  Florin Sarbu (1):
        udev-rules-rpi: Use 99-com.rules directly from upstream

  Martin Jansa (3):
        rpi-libcamera-apps: fix flags used in aarch64 builds
        rpi-libcamera-apps: fix version generation on hosts with older python
        rpi-libcamera-apps: bump to latest SRCREV and set PV

meta-openembedded: 2d89a469e5..9286582126:
  Alexander Amelkin (1):
        ipmitool: Update links

  Arsalan H. Awan (1):
        meta-networking/licenses/netperf: remove unused license

  Bartosz Golaszewski (2):
        python3-gpiod: add missing run-time dependencies
        libgpiod: install the libgpiosim header

  Bergin, Peter (1):
        freediameter: fix typo and old overide syntax

  Bhargav Das (2):
        tslib: Add native & nativestdk package support
        pointercal: Add native & nativestdk package support

  Changqing Li (1):
        redis: upgrade 6.2.11 -> 6.2.12

  Chen Qi (1):
        frr: add CVE_PRODUCT

  Jasper Orschulko (1):
        python3-gcovr: Add missing runtime dependency

  Joe Slater (1):
        bats: use baselib

  Khem Raj (48):
        fwupd: Do not emit build time paths into generated headers
        libcereal: Fix TMPDIR leaking into debug_str section
        libtimezonemap: Point to a working SRC_URI
        unixODBC: Update SRC_URI to use updated location of tarball
        unicode-ucd: Update license URI to reflect renamed license
        libx86: Point to working SRC_URI
        ctapi-common: Point to working SRC_URI locations
        netkit-ftp: Update to debian patch 34
        nicstat: Use SOURCEFORGE_MIRROR in SRC_URI
        rp-pppoe: Point SRC_URI to valid location
        ttf-mplus: Point to valid download location for SRC_URI
        ttf-lklug: Point SRC_URI to a working location
        radiusclient-ng: Point SRC_URI to archive.ubuntu.com
        httpfs2: Do not use S during compile/install tasks
        p910nd: Switch to using github for SRC_URI
        mosh: Point SRC_URI to https://mosh.org/
        debootstrap: Update SRC_URI to point to valid URL
        debootstrap: Use DEBIAN_MIRROR for SRC_URI
        ttf-gentium: Switch to debian archive mirror for SRC_URI
        nfacct: Update SRC_URI to point to valid URL
        libencode-perl: Remove buildpaths from generated .exh files
        enca: Remove buildpaths from target scripts
        libirecovery: Add missing build dependency on readline
        fftw: Remove hardcoded sysroot into binaries
        lmdb: Pass CFLAGS to Makefile
        php: Remove buildpaths from scripts and generated headers
        uw-imap: Pass CFLAGS from environment
        libmad: Add a patch to pass cflags to build
        libpeas: Fix reference to TMPDIR in tests
        lirc: Define SH_PATH=/bin/sh
        mce-inject: Pass CFLAGS to make
        nbdkit: Remove buildpaths from binaries
        mpv: Remove references to builddir from mpv binary
        libnice: Remove buildpaths from binaries
        curlpp: Remove references to buildpaths e.g. TMPDIR
        unbound: Remove references to buildpaths
        uml-utilities: Fix references to TMPDIR
        openct: Fix buildpaths being emitted into generated types.h
        minifi-cpp: Remove references to buildpaths in generated files
        freerdp: Fix reference to TMPDIR in libfreerdp2.so
        nautilus: Fix buildpath QA errors
        cgdb: Fix buildpaths emitted into cgdb binary
        ibus: Point python interpreter to target location
        gimp: Fix buildpaths in binaries and scripts
        libgphoto2: Edit out sysroot from CC variable in configure
        vlan: Pass CFLAGS via CCFLAGS
        sgpio: Pass CFLAGS to make
        x265: Pass --debug-prefix-map to nasm

  Markus Volk (1):
        polkit: update SRC_URI

  Martin Jansa (16):
        lirc: fix do_install with multilib
        dleyna-{server,renderer}: fix dev-so QA issue with multilib
        libreport: add dependency on libarchive
        libxmlb: add missing dependency on glib-2.0 and xz
        geoclue: fix build without gobject-introspection-data
        appstream: fix build without gobject-introspection-data
        ostree: fix build without gobject-introspection-data
        rdfind: fix build with -Werror=return-type
        spice-gtk: respect gobject-introspection-data
        cpulimit: fix do_install with multilib
        libnfs: fix installed-vs-shipped issues with multilib
        btrfsmaintenance: install to ${datadir}/${BPN}
        libtomcrypt: pass LIBPATH to fix installed-vs-shipped with multilib
        nanopb: fix installed-vs-shipped with multilib
        nv-codec-headers: fix installed-vs-shipped with multilib
        zfs: fix installation paths for multilib

  Ming Liu (2):
        libusbgx: drop hard-coded /usr/bin,/etc
        libusbgx: check scripts in /etc/usbgx.d

  Mingli Yu (2):
        php: Link with libatomic on rv64
        minicoredumper: correct the sysvinit service file attribute

  Peter Marko (1):
        ntp: whitelist CVE-2019-11331

  Petr Gotthard (1):
        gensio: fix QA issue: non -staticdev package with .a libraries

  Valeria Petrov (1):
        apache2: upgrade 2.4.56 -> 2.4.57

  Virendra Thakur (2):
        p7zip: fix for CVE-2018-5996
        p7zip: Fix for CVE-2016-9296

  Wang Mingyu (6):
        redis: upgrade 7.0.10 -> 7.0.11
        hdf5: Fix install conflict when enable multilib.
        php: upgrade 8.2.4 -> 8.2.5
        postgresql: upgrade 15.2 -> 15.3
        php: upgrade 8.2.5 -> 8.2.6
        nautilus: upgrade 44.0 -> 44.1

  Yogita Urade (1):
        dlt-daemon: fix CVE-2023-26257

  schitrod=cisco.com@lists.openembedded.org (1):
        gnulib: Update recipe name to 2018-12-18

meta-security: 53c5cc794f..d7db0a3bd1:
  Peter Hoyes (1):
        meta-parsec/layer.conf: Insert addpylib declaration

meta-arm: 0b5724266a..8db460fa5d:
  Abdellatif El Khlifi (2):
        kas: corstone1000: set branches to mickledore
        arm-bsp/u-boot: corstone1000: upgrade NVMXIP support

  Emekcan Aras (3):
        arm-bsp/trusted-firmware-m: Align Capsule Update with GPT changes
        arm-bsp/wic: corstone1000: Fix and limit the partition size for corstone1000
        arm-bsp/u-boot: corstone1000: enable PSCI reset

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Id8a293d03f6c2320ff407a7aaed4416038ba04ed

19 files changed, 593 insertions, 68 deletions

diff --git a/poky/meta/recipes-extended/bzip2/bzip2_1.0.8.bb b/poky/meta/recipes-extended/bzip2/bzip2_1.0.8.bb
index 78138d1543..4e3a06f240 100644
--- a/poky/meta/recipes-extended/bzip2/bzip2_1.0.8.bb
+++ b/poky/meta/recipes-extended/bzip2/bzip2_1.0.8.bb
@@ -22,7 +22,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;beginline=4;endline=37;md5=600af43c50f1fcb82e
 "
 
 SRC_URI = "https://sourceware.org/pub/${BPN}/${BPN}-${PV}.tar.gz \
-           git://sourceware.org/git/bzip2-tests.git;name=bzip2-tests;branch=master \
+           git://sourceware.org/git/bzip2-tests.git;name=bzip2-tests;branch=master;protocol=https \
            file://configure.ac;subdir=${BP} \
            file://Makefile.am;subdir=${BP} \
            file://run-ptest \
diff --git a/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Fix-appending-to-archives-bigger-than-2G.patch b/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Fix-appending-to-archives-bigger-than-2G.patch
new file mode 100644
index 0000000000..fefd5b2894
--- /dev/null
+++ b/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Fix-appending-to-archives-bigger-than-2G.patch
@@ -0,0 +1,312 @@
+From 0987d63384f0419b4b14aecdc6a61729b75ce86a Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Fri, 28 Apr 2023 15:23:46 +0300
+Subject: [PATCH] Fix appending to archives bigger than 2G
+
+* src/extern.h (last_header_start): Change type to off_t.
+* src/global.c: Likewise.
+* src/util.c (prepare_append): Use off_t for file offsets.
+
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ src/extern.h | 11 ++++-----
+ src/global.c |  2 +-
+ src/util.c   | 66 ++++++++++++++++++++++++++--------------------------
+ 3 files changed, 39 insertions(+), 40 deletions(-)
+
+diff --git a/src/extern.h b/src/extern.h
+index df7d0ce..6afbdd2 100644
+--- a/src/extern.h
++++ b/src/extern.h
+@@ -68,7 +68,7 @@ extern int ignore_dirnlink_option;
+ 
+ extern bool to_stdout_option;
+ 
+-extern int last_header_start;
++extern off_t last_header_start;
+ extern int copy_matching_files;
+ extern int numeric_uid;
+ extern char *pattern_file_name;
+@@ -128,7 +128,7 @@ void field_width_error (const char *filename, const char *fieldname,
+ 
+ /* copypass.c */
+ void process_copy_pass (void);
+-int link_to_maj_min_ino (char *file_name, int st_dev_maj, 
++int link_to_maj_min_ino (char *file_name, int st_dev_maj,
+ 			 int st_dev_min, ino_t st_ino);
+ int link_to_name (char const *link_name, char const *link_target);
+ 
+@@ -176,7 +176,7 @@ void copy_files_tape_to_disk (int in_des, int out_des, off_t num_bytes);
+ void copy_files_disk_to_tape (int in_des, int out_des, off_t num_bytes, char *filename);
+ void copy_files_disk_to_disk (int in_des, int out_des, off_t num_bytes, char *filename);
+ void warn_if_file_changed (char *file_name, off_t old_file_size,
+-                           time_t old_file_mtime);
++			   time_t old_file_mtime);
+ void create_all_directories (char const *name);
+ void prepare_append (int out_file_des);
+ char *find_inode_file (ino_t node_num,
+@@ -190,7 +190,7 @@ void set_new_media_message (char *message);
+ #ifdef HPUX_CDF
+ char *add_cdf_double_slashes (char *filename);
+ #endif
+-void write_nuls_to_file (off_t num_bytes, int out_des, 
++void write_nuls_to_file (off_t num_bytes, int out_des,
+ 			 void (*writer) (char *in_buf,
+ 					 int out_des, off_t num_bytes));
+ #define DISK_IO_BLOCK_SIZE	512
+@@ -234,6 +234,5 @@ void delay_set_stat (char const *file_name, struct stat *st,
+ 		     mode_t invert_permissions);
+ int repair_delayed_set_stat (struct cpio_file_stat *file_hdr);
+ void apply_delayed_set_stat (void);
+-     
+-int arf_stores_inode_p (enum archive_format arf);
+ 
++int arf_stores_inode_p (enum archive_format arf);
+diff --git a/src/global.c b/src/global.c
+index d33516f..7c4bca8 100644
+--- a/src/global.c
++++ b/src/global.c
+@@ -113,7 +113,7 @@ int debug_flag = false;
+ 
+ /* File position of last header read.  Only used during -A to determine
+    where the old TRAILER!!! record started.  */
+-int last_header_start = 0;
++off_t last_header_start = 0;
+ 
+ /* With -i; if true, copy only files that match any of the given patterns;
+    if false, copy only files that do not match any of the patterns. (-f) */
+diff --git a/src/util.c b/src/util.c
+index a38333a..7415e10 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -59,8 +59,8 @@ tape_empty_output_buffer (int out_des)
+   static long output_bytes_before_lseek = 0;
+ 
+   /* Some tape drivers seem to have a signed internal seek pointer and
+-     they lose if it overflows and becomes negative (e.g. when writing 
+-     tapes > 2Gb).  Doing an lseek (des, 0, SEEK_SET) seems to reset the 
++     they lose if it overflows and becomes negative (e.g. when writing
++     tapes > 2Gb).  Doing an lseek (des, 0, SEEK_SET) seems to reset the
+      seek pointer and prevent it from overflowing.  */
+   if (output_is_special
+      && ( (output_bytes_before_lseek += output_size) >= 1073741824L) )
+@@ -104,7 +104,7 @@ static ssize_t sparse_write (int fildes, char *buf, size_t nbyte, bool flush);
+    descriptor OUT_DES and reset `output_size' and `out_buff'.
+    If `swapping_halfwords' or `swapping_bytes' is set,
+    do the appropriate swapping first.  Our callers have
+-   to make sure to only set these flags if `output_size' 
++   to make sure to only set these flags if `output_size'
+    is appropriate (a multiple of 4 for `swapping_halfwords',
+    2 for `swapping_bytes').  The fact that DISK_IO_BLOCK_SIZE
+    must always be a multiple of 4 helps us (and our callers)
+@@ -186,8 +186,8 @@ tape_fill_input_buffer (int in_des, int num_bytes)
+ {
+ #ifdef BROKEN_LONG_TAPE_DRIVER
+   /* Some tape drivers seem to have a signed internal seek pointer and
+-     they lose if it overflows and becomes negative (e.g. when writing 
+-     tapes > 4Gb).  Doing an lseek (des, 0, SEEK_SET) seems to reset the 
++     they lose if it overflows and becomes negative (e.g. when writing
++     tapes > 4Gb).  Doing an lseek (des, 0, SEEK_SET) seems to reset the
+      seek pointer and prevent it from overflowing.  */
+   if (input_is_special
+       && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) )
+@@ -330,8 +330,8 @@ tape_buffered_peek (char *peek_buf, int in_des, int num_bytes)
+ 
+ #ifdef BROKEN_LONG_TAPE_DRIVER
+   /* Some tape drivers seem to have a signed internal seek pointer and
+-     they lose if it overflows and becomes negative (e.g. when writing 
+-     tapes > 4Gb).  Doing an lseek (des, 0, SEEK_SET) seems to reset the 
++     they lose if it overflows and becomes negative (e.g. when writing
++     tapes > 4Gb).  Doing an lseek (des, 0, SEEK_SET) seems to reset the
+      seek pointer and prevent it from overflowing.  */
+   if (input_is_special
+       && ( (input_bytes_before_lseek += num_bytes) >= 1073741824L) )
+@@ -402,7 +402,7 @@ tape_toss_input (int in_des, off_t num_bytes)
+ 
+       if (crc_i_flag && only_verify_crc_flag)
+ 	{
+- 	  int k;
++	  int k;
+ 	  for (k = 0; k < space_left; ++k)
+ 	    crc += in_buff[k] & 0xff;
+ 	}
+@@ -414,14 +414,14 @@ tape_toss_input (int in_des, off_t num_bytes)
+ }
+ 
+ void
+-write_nuls_to_file (off_t num_bytes, int out_des, 
+-                    void (*writer) (char *in_buf, int out_des, off_t num_bytes))
++write_nuls_to_file (off_t num_bytes, int out_des,
++		    void (*writer) (char *in_buf, int out_des, off_t num_bytes))
+ {
+   off_t	blocks;
+   off_t	extra_bytes;
+   off_t	i;
+   static char zeros_512[512];
+-  
++
+   blocks = num_bytes / sizeof zeros_512;
+   extra_bytes = num_bytes % sizeof zeros_512;
+   for (i = 0; i < blocks; ++i)
+@@ -601,7 +601,7 @@ create_all_directories (char const *name)
+   char *dir;
+ 
+   dir = dir_name (name);
+-  
++
+   if (dir == NULL)
+     error (PAXEXIT_FAILURE, 0, _("virtual memory exhausted"));
+ 
+@@ -635,9 +635,9 @@ create_all_directories (char const *name)
+ void
+ prepare_append (int out_file_des)
+ {
+-  int start_of_header;
+-  int start_of_block;
+-  int useful_bytes_in_block;
++  off_t start_of_header;
++  off_t start_of_block;
++  size_t useful_bytes_in_block;
+   char *tmp_buf;
+ 
+   start_of_header = last_header_start;
+@@ -695,8 +695,8 @@ inode_val_compare (const void *val1, const void *val2)
+   const struct inode_val *ival1 = val1;
+   const struct inode_val *ival2 = val2;
+   return ival1->inode == ival2->inode
+-         && ival1->major_num == ival2->major_num
+-         && ival1->minor_num == ival2->minor_num;
++	 && ival1->major_num == ival2->major_num
++	 && ival1->minor_num == ival2->minor_num;
+ }
+ 
+ static struct inode_val *
+@@ -704,10 +704,10 @@ find_inode_val (ino_t node_num, unsigned long major_num,
+ 		 unsigned long minor_num)
+ {
+   struct inode_val sample;
+-  
++
+   if (!hash_table)
+     return NULL;
+-  
++
+   sample.inode = node_num;
+   sample.major_num = major_num;
+   sample.minor_num = minor_num;
+@@ -732,7 +732,7 @@ add_inode (ino_t node_num, char *file_name, unsigned long major_num,
+ {
+   struct inode_val *temp;
+   struct inode_val *e = NULL;
+-  
++
+   /* Create new inode record.  */
+   temp = (struct inode_val *) xmalloc (sizeof (struct inode_val));
+   temp->inode = node_num;
+@@ -1003,7 +1003,7 @@ buf_all_zeros (char *buf, int bufsize)
+ 
+ /* Write NBYTE bytes from BUF to file descriptor FILDES, trying to
+    create holes instead of writing blockfuls of zeros.
+-   
++
+    Return the number of bytes written (including bytes in zero
+    regions) on success, -1 on error.
+ 
+@@ -1023,7 +1023,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
+ 
+   enum { begin, in_zeros, not_in_zeros } state =
+ 			   delayed_seek_count ? in_zeros : begin;
+-  
++
+   while (nbytes)
+     {
+       size_t rest = nbytes;
+@@ -1038,7 +1038,7 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
+ 	      if (state == not_in_zeros)
+ 		{
+ 		  ssize_t bytes = buf - start_ptr + rest;
+-		  
++
+ 		  n = write (fildes, start_ptr, bytes);
+ 		  if (n == -1)
+ 		    return -1;
+@@ -1087,8 +1087,8 @@ sparse_write (int fildes, char *buf, size_t nbytes, bool flush)
+       if (n != 1)
+ 	return n;
+       delayed_seek_count = 0;
+-    }      
+-  
++    }
++
+   return nwritten + seek_count;
+ }
+ 
+@@ -1226,7 +1226,7 @@ set_perms (int fd, struct cpio_file_stat *header)
+   if (!no_chown_flag)
+     {
+       uid_t uid = CPIO_UID (header->c_uid);
+-      gid_t gid = CPIO_GID (header->c_gid); 
++      gid_t gid = CPIO_GID (header->c_gid);
+       if ((fchown_or_chown (fd, header->c_name, uid, gid) < 0)
+ 	  && errno != EPERM)
+ 	chown_error_details (header->c_name, uid, gid);
+@@ -1243,13 +1243,13 @@ set_file_times (int fd,
+ 		const char *name, unsigned long atime, unsigned long mtime)
+ {
+   struct timespec ts[2];
+-  
++
+   memset (&ts, 0, sizeof ts);
+ 
+   ts[0].tv_sec = atime;
+   ts[1].tv_sec = mtime;
+ 
+-  /* Silently ignore EROFS because reading the file won't have upset its 
++  /* Silently ignore EROFS because reading the file won't have upset its
+      timestamp if it's on a read-only filesystem. */
+   if (fdutimens (fd, name, ts) < 0 && errno != EROFS)
+     utime_error (name);
+@@ -1301,7 +1301,7 @@ cpio_safer_name_suffix (char *name, bool link_target, bool absolute_names,
+ 
+ /* This is a simplified form of delayed set_stat used by GNU tar.
+    With the time, both forms will merge and pass to paxutils
+-   
++
+    List of directories whose statuses we need to extract after we've
+    finished extracting their subsidiary files.  If you consider each
+    contiguous subsequence of elements of the form [D]?[^D]*, where [D]
+@@ -1419,7 +1419,7 @@ cpio_mkdir (struct cpio_file_stat *file_hdr, int *setstat_delayed)
+ {
+   int rc;
+   mode_t mode = file_hdr->c_mode;
+-  
++
+   if (!(file_hdr->c_mode & S_IWUSR))
+     {
+       rc = mkdir (file_hdr->c_name, mode | S_IWUSR);
+@@ -1442,10 +1442,10 @@ cpio_create_dir (struct cpio_file_stat *file_hdr, int existing_dir)
+ {
+   int res;			/* Result of various function calls.  */
+   int setstat_delayed = 0;
+-  
++
+   if (to_stdout_option)
+     return 0;
+-  
++
+   /* Strip any trailing `/'s off the filename; tar puts
+      them on.  We might as well do it here in case anybody
+      else does too, since they cause strange things to happen.  */
+@@ -1534,7 +1534,7 @@ arf_stores_inode_p (enum archive_format arf)
+     }
+   return 1;
+ }
+-  
++
+ void
+ cpio_file_stat_init (struct cpio_file_stat *file_hdr)
+ {
+-- 
+2.34.1
+
diff --git a/poky/meta/recipes-extended/cpio/cpio-2.13/run-ptest b/poky/meta/recipes-extended/cpio/cpio-2.13/run-ptest
index f027574e86..f35a756d6b 100644..100755
--- a/poky/meta/recipes-extended/cpio/cpio-2.13/run-ptest
+++ b/poky/meta/recipes-extended/cpio/cpio-2.13/run-ptest
@@ -1,10 +1,3 @@
 #!/bin/sh
 
-# Define cpio test work dir
-WORKDIR=@PTEST_PATH@/tests/
-
-# Run test
-cd ${WORKDIR}
-./atconfig ./atlocal ./testsuite
-
-./testsuite 2>&1 | grep -E '[0-9]{1,3}: ' | sed -e 's/^.....//' -e '/[ok]$/s/^/PASS: /;/FAILED (.*)/s/^/FAIL: /;/skipped (.*)/s/^/SKIP: /;/expected failure/ s/^/PASS: /;/UNEXPECTED PASS/s/^/FAIL: /' -e 's/ok$//g' -e 's/FAILED.*//g' -e 's/skipped.*//g' -e 's/expected failure.*//g' -e 's/UNEXPECTED PASS.*//g'
+su -c ./test.sh ptest
diff --git a/poky/meta/recipes-extended/cpio/cpio-2.13/test.sh b/poky/meta/recipes-extended/cpio/cpio-2.13/test.sh
new file mode 100644
index 0000000000..f027574e86
--- /dev/null
+++ b/poky/meta/recipes-extended/cpio/cpio-2.13/test.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Define cpio test work dir
+WORKDIR=@PTEST_PATH@/tests/
+
+# Run test
+cd ${WORKDIR}
+./atconfig ./atlocal ./testsuite
+
+./testsuite 2>&1 | grep -E '[0-9]{1,3}: ' | sed -e 's/^.....//' -e '/[ok]$/s/^/PASS: /;/FAILED (.*)/s/^/FAIL: /;/skipped (.*)/s/^/SKIP: /;/expected failure/ s/^/PASS: /;/UNEXPECTED PASS/s/^/FAIL: /' -e 's/ok$//g' -e 's/FAILED.*//g' -e 's/skipped.*//g' -e 's/expected failure.*//g' -e 's/UNEXPECTED PASS.*//g'
diff --git a/poky/meta/recipes-extended/cpio/cpio_2.13.bb b/poky/meta/recipes-extended/cpio/cpio_2.13.bb
index df5e09cae8..400c6b2f90 100644
--- a/poky/meta/recipes-extended/cpio/cpio_2.13.bb
+++ b/poky/meta/recipes-extended/cpio/cpio_2.13.bb
@@ -13,7 +13,9 @@ SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \
            file://CVE-2021-38185.patch \
            file://0001-Use-__alignof__-with-clang.patch \
            file://0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch \
+           file://0001-Fix-appending-to-archives-bigger-than-2G.patch \
            file://run-ptest \
+           file://test.sh \
            "
 
 SRC_URI[md5sum] = "389c5452d667c23b5eceb206f5000810"
@@ -57,9 +59,24 @@ do_install_ptest() {
     install --mode=755 ${B}/tests/atlocal ${D}${PTEST_PATH}/tests/
     install --mode=755 ${B}/tests/genfile ${D}${PTEST_PATH}/tests/
     install --mode=755 ${S}/tests/testsuite ${D}${PTEST_PATH}/tests/
-    sed -i "s#@PTEST_PATH@#${PTEST_PATH}#g" ${D}${PTEST_PATH}/run-ptest
+    install --mode=755 ${WORKDIR}/test.sh ${D}${PTEST_PATH}/test.sh
+    sed -i "s#@PTEST_PATH@#${PTEST_PATH}#g" ${D}${PTEST_PATH}/test.sh
 }
 
+# ptest.bbclass currently chowns the ptest directory explicitly, so we need to
+# change permission after that has happened so the ptest user can write a
+# temporary directory.
+do_install_ptest_base:append() {
+    chgrp -R ptest ${D}${PTEST_PATH}/
+    chmod -R g+w ${D}${PTEST_PATH}/
+}
+
+# The tests need to run as a non-root user, so pull in the ptest user
+DEPENDS:append:class-target = "${@bb.utils.contains('PTEST_ENABLED', '1', ' ptest-runner', '', d)}"
+PACKAGE_WRITE_DEPS += "ptest-runner"
+
+RDEPENDS:${PN}-ptest += "ptest-runner"
+
 PACKAGES =+ "${PN}-rmt"
 
 FILES:${PN}-rmt = "${sbindir}/rmt*"
diff --git a/poky/meta/recipes-extended/cracklib/cracklib_2.9.10.bb b/poky/meta/recipes-extended/cracklib/cracklib_2.9.11.bb
index 8197cdad9e..34ef2b65a1 100644
--- a/poky/meta/recipes-extended/cracklib/cracklib_2.9.10.bb
+++ b/poky/meta/recipes-extended/cracklib/cracklib_2.9.11.bb
@@ -13,7 +13,7 @@ SRC_URI = "git://github.com/cracklib/cracklib;protocol=https;branch=main \
            file://0001-packlib.c-support-dictionary-byte-order-dependent.patch \
            "
 
-SRCREV = "e74c539344d024709ee76e2920b0af7f9a5c5556"
+SRCREV = "4cf5125250c6325ef0a2dc085eabff875227edc3"
 S = "${WORKDIR}/git/src"
 
 inherit autotools gettext
diff --git a/poky/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch b/poky/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch
deleted file mode 100644
index ffae55058b..0000000000
--- a/poky/meta/recipes-extended/gawk/gawk/remove-sensitive-tests.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 354d24baf7c51977d22ff61ad42e6a2cbd4dc8ac Mon Sep 17 00:00:00 2001
-From: Ross Burton <ross.burton@arm.com>
-Date: Tue, 21 Dec 2021 17:09:12 +0000
-Subject: [PATCH] gawk: remove load-sensitive tests
-
-These tests require an unloaded host as otherwise timing sensitive tests can fail
-https://bugzilla.yoctoproject.org/show_bug.cgi?id=14371
-
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
----
- test/Maketests | 10 ----------
- 1 file changed, 10 deletions(-)
-
-diff --git a/test/Maketests b/test/Maketests
-index 3a667af..f117697 100644
---- a/test/Maketests
-+++ b/test/Maketests
-@@ -2137,11 +2137,6 @@ symtab12:
- 	@-AWKPATH="$(srcdir)" $(AWK) -f $@.awk  >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@
- 	@-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@
- 
--timeout:
--	@echo $@ $(ZOS_FAIL)
--	@-AWKPATH="$(srcdir)" $(AWK) -f $@.awk  >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@
--	@-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@
--
- typedregex1:
- 	@echo $@
- 	@-AWKPATH="$(srcdir)" $(AWK) -f $@.awk  >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@
-@@ -2371,11 +2366,6 @@ rwarray:
- 	@-AWKPATH="$(srcdir)" $(AWK) -f $@.awk  < "$(srcdir)"/$@.in >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@
- 	@-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@
- 
--time:
--	@echo $@
--	@-AWKPATH="$(srcdir)" $(AWK) -f $@.awk  >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@
--	@-$(CMP) "$(srcdir)"/$@.ok _$@ && rm -f _$@
--
- mpfrbigint:
- 	@echo $@
- 	@-AWKPATH="$(srcdir)" $(AWK) -f $@.awk  -M >_$@ 2>&1 || echo EXIT CODE: $$? >>_$@
diff --git a/poky/meta/recipes-extended/gawk/gawk/run-ptest b/poky/meta/recipes-extended/gawk/gawk/run-ptest
index 2675650600..f4ef3e7bd4 100644
--- a/poky/meta/recipes-extended/gawk/gawk/run-ptest
+++ b/poky/meta/recipes-extended/gawk/gawk/run-ptest
@@ -3,6 +3,11 @@
 cd test
 for i in `grep -E "^[a-z0-9_-]*:$" Maketests |awk -F: '{print $1}'`; do
   unset LANG
+  grep -q "^$i$" skipped.txt
+  if [ $? -eq 0 ]; then
+    echo "SKIP: $i"
+    continue
+  fi
   srcdir=`pwd` AWKPROG=gawk AWK=gawk CMP=cmp make -f Maketests $i >$i.tmp 2>&1
   if [ -e _$i ]; then
     cat _$i
diff --git a/poky/meta/recipes-extended/gawk/gawk_5.2.1.bb b/poky/meta/recipes-extended/gawk/gawk_5.2.1.bb
index e381bad148..768c8eb364 100644
--- a/poky/meta/recipes-extended/gawk/gawk_5.2.1.bb
+++ b/poky/meta/recipes-extended/gawk/gawk_5.2.1.bb
@@ -16,7 +16,6 @@ PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
 PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr"
 
 SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \
-           file://remove-sensitive-tests.patch \
            file://run-ptest \
            "
 
@@ -60,10 +59,29 @@ do_install_ptest() {
 	# https://bugzilla.yoctoproject.org/show_bug.cgi?id=14371
 	rm -f ${D}${PTEST_PATH}/test/time.*
 	rm -f ${D}${PTEST_PATH}/test/timeout.*
+	for t in time timeout; do
+		echo $t >> ${D}${PTEST_PATH}/test/skipped.txt
+	done
+}
+
+do_install_ptest:append:libc-musl() {
+	# Reported  https://lists.gnu.org/archive/html/bug-gawk/2021-02/msg00005.html
+	rm -f ${D}${PTEST_PATH}/test/clos1way6.*
+	# Needs en_US.UTF-8 but then does not work with musl
+	rm -f ${D}${PTEST_PATH}/test/backsmalls1.*
+	# Needs en_US.UTF-8 but then does not work with musl
+	rm -f ${D}${PTEST_PATH}/test/commas.*
+	# The below two need LANG=C inside the make rule for musl
+	rm -f ${D}${PTEST_PATH}/test/rebt8b1.*
+	rm -f ${D}${PTEST_PATH}/test/regx8bit.*
+	for t in clos1way6 backsmalls1 commas rebt8b1 regx8bit; do
+		echo $t >> ${D}${PTEST_PATH}/test/skipped.txt
+	done
 }
 
-RDEPENDS:${PN}-ptest += "make"
+RDEPENDS:${PN}-ptest += "make locale-base-en-us"
 
-RDEPENDS:${PN}-ptest:append:libc-glibc = " locale-base-en-us locale-base-en-us.iso-8859-1"
+RDEPENDS:${PN}-ptest:append:libc-glibc = " locale-base-en-us.iso-8859-1"
+RDEPENDS:${PN}-ptest:append:libc-musl = " musl-locales"
 
 BBCLASSEXTEND = "native nativesdk"
diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch b/poky/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch
new file mode 100644
index 0000000000..604b927521
--- /dev/null
+++ b/poky/meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch
@@ -0,0 +1,60 @@
+From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Fri, 24 Mar 2023 13:19:57 +0000
+Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding
+
+Bug #706494 "Buffer Overflow in s_xBCPE_process"
+
+As described in detail in the bug report, if the write buffer is filled
+to one byte less than full, and we then try to write an escaped
+character, we overrun the buffer because we don't check before
+writing two bytes to it.
+
+This just checks if we have two bytes before starting to write an
+escaped character and exits if we don't (replacing the consumed byte
+of the input).
+
+Up for further discussion; why do we even permit a BCP encoding filter
+anyway ? I think we should remove this, at least when SAFER is true.
+---
+CVE: CVE-2023-28879
+
+Upstream-Status: Backport [see text]
+
+git://git.ghostscript.com/ghostpdl
+cherry-pick
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com.
+
+---
+ base/sbcp.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/base/sbcp.c b/base/sbcp.c
+index 979ae0992..47fc233ec 100644
+--- a/base/sbcp.c
++++ b/base/sbcp.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2021 Artifex Software, Inc.
++/* Copyright (C) 2001-2023 Artifex Software, Inc.
+    All Rights Reserved.
+ 
+    This software is provided AS-IS with no warranty, either express or
+@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr,
+         byte ch = *++p;
+ 
+         if (ch <= 31 && escaped[ch]) {
++            /* Make sure we have space to store two characters in the write buffer,
++             * if we don't then exit without consuming the input character, we'll process
++             * that on the next time round.
++             */
++            if (pw->limit - q < 2) {
++                p--;
++                break;
++            }
+             if (p == rlimit) {
+                 p--;
+                 break;
+-- 
+2.25.1
+
diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/poky/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
index 56a93632e2..86ecdbe24a 100644
--- a/poky/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
+++ b/poky/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
@@ -34,6 +34,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://avoid-host-contamination.patch \
                 file://mkdir-p.patch \
                 file://cross-compile.patch \
+                file://cve-2023-28879.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
diff --git a/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index f447035b67..aafede3da8 100644
--- a/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -7,11 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d499814247adaee08d88080841cb5665"
 
 DEPENDS = "e2fsprogs-native"
 
-PACKAGECONFIG ?= "zlib bz2 xz zstd"
-
-PACKAGECONFIG:append:class-target = "\
-	${@bb.utils.filter('DISTRO_FEATURES', 'acl xattr', d)} \
-"
+PACKAGECONFIG ?= "zlib bz2 xz zstd ${@bb.utils.filter('DISTRO_FEATURES', 'acl xattr', d)}"
 
 DEPENDS_BZIP2 = "bzip2-replacement-native"
 DEPENDS_BZIP2:class-target = "bzip2"
diff --git a/poky/meta/recipes-extended/man-pages/man-pages_6.03.bb b/poky/meta/recipes-extended/man-pages/man-pages_6.04.bb
index bc02597ef7..fee57e3fbd 100644
--- a/poky/meta/recipes-extended/man-pages/man-pages_6.03.bb
+++ b/poky/meta/recipes-extended/man-pages/man-pages_6.04.bb
@@ -4,7 +4,7 @@ SECTION = "console/utils"
 HOMEPAGE = "http://www.kernel.org/pub/linux/docs/man-pages"
 LICENSE = "GPL-2.0-or-later & GPL-2.0-only & GPL-1.0-or-later & BSD-2-Clause & BSD-3-Clause & BSD-4-Clause & MIT"
 
-LIC_FILES_CHKSUM = "file://README;md5=0fdad39ebaa973a50785f79f0f59f87f \
+LIC_FILES_CHKSUM = "file://README;md5=5b7d7488344f5af8841dc13aaec49cdf \
                     file://LICENSES/BSD-2-Clause.txt;md5=d0f280d1058e77e66264a9b9e10e6c89 \
                     file://LICENSES/BSD-3-Clause.txt;md5=71f739ef75581cae312e8c711bcdab16 \
                     file://LICENSES/BSD-4-Clause-UC.txt;md5=1da3cf8ad50cd8d5d1de3cfc53196d01 \
@@ -16,7 +16,7 @@ LIC_FILES_CHKSUM = "file://README;md5=0fdad39ebaa973a50785f79f0f59f87f \
                     "
 SRC_URI = "${KERNELORG_MIRROR}/linux/docs/${BPN}/${BP}.tar.gz"
 
-SRC_URI[sha256sum] = "76eca045b42a90dd25d094c46d97ac90187bc0f1bfca358bb5dae5c4337acbb0"
+SRC_URI[sha256sum] = "590623b99bf1f8ee958483c35cc0aaef2363e42998c4d927d1f705890d15d51e"
 
 inherit manpages
 
diff --git a/poky/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch b/poky/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
new file mode 100644
index 0000000000..94dcb04f0a
--- /dev/null
+++ b/poky/meta/recipes-extended/pam/libpam/0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch
@@ -0,0 +1,108 @@
+From 42404548721c653317c911c83d885e2fc7fbca70 Mon Sep 17 00:00:00 2001
+From: Per Jessen <per@jessen.ch>
+Date: Fri, 22 Apr 2022 18:15:36 +0200
+Subject: [PATCH] pam_motd: do not rely on all filesystems providing a filetype
+
+When using scandir() to look for MOTD files to display, we wrongly
+relied on all filesystems providing a filetype.  This is a fix to divert
+to lstat() when we have no filetype.  To maintain MT safety, it isn't
+possible to use lstat() in the scandir() filter function, so all of the
+filtering has been moved to an additional loop after scanning all the
+motd dirs.
+Also, remove superfluous alphasort from scandir(), we are doing
+a qsort() later.
+
+Resolves: https://github.com/linux-pam/linux-pam/issues/455
+
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/42404548721c653317c911c83d885e2fc7fbca70]
+
+Signed-off-by: Per Jessen <per@jessen.ch>
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ modules/pam_motd/pam_motd.c | 49 ++++++++++++++++++++++++++++++-------
+ 1 file changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
+index 6ac8cba2..5ca486e4 100644
+--- a/modules/pam_motd/pam_motd.c
++++ b/modules/pam_motd/pam_motd.c
+@@ -166,11 +166,6 @@ static int compare_strings(const void *a, const void *b)
+     }
+ }
+ 
+-static int filter_dirents(const struct dirent *d)
+-{
+-    return (d->d_type == DT_REG || d->d_type == DT_LNK);
+-}
+-
+ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
+ 	char **motd_dir_path_split, unsigned int num_motd_dirs, int report_missing)
+ {
+@@ -199,8 +194,7 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
+ 
+     for (i = 0; i < num_motd_dirs; i++) {
+ 	int rv;
+-	rv = scandir(motd_dir_path_split[i], &(dirscans[i]),
+-		filter_dirents, alphasort);
++	rv = scandir(motd_dir_path_split[i], &(dirscans[i]), NULL, NULL);
+ 	if (rv < 0) {
+ 	    if (errno != ENOENT || report_missing) {
+ 		pam_syslog(pamh, LOG_ERR, "error scanning directory %s: %m",
+@@ -215,6 +209,41 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
+     if (dirscans_size_total == 0)
+         goto out;
+ 
++    /* filter out unwanted names, directories, and complement data with lstat() */
++    for (i = 0; i < num_motd_dirs; i++) {
++	struct dirent **d = dirscans[i];
++	for (unsigned int j = 0; j < dirscans_sizes[i]; j++) {
++	    int rc;
++	    char *fullpath;
++	    struct stat s;
++
++	    switch(d[j]->d_type) {    /* the filetype determines how to proceed */
++	    case DT_REG:              /* regular files and     */
++	    case DT_LNK:              /* symlinks              */
++		continue;             /* are good.             */
++	    case DT_UNKNOWN:   /* for file systems that do not provide */
++			       /* a filetype, we use lstat()           */
++		if (join_dir_strings(&fullpath, motd_dir_path_split[i],
++				     d[j]->d_name) <= 0)
++		    break;
++		rc = lstat(fullpath, &s);
++		_pam_drop(fullpath);  /* free the memory alloc'ed by join_dir_strings */
++		if (rc != 0)          /* if the lstat() somehow failed */
++		    break;
++
++		if (S_ISREG(s.st_mode) ||          /* regular files and  */
++		    S_ISLNK(s.st_mode)) continue;  /* symlinks are good  */
++		break;
++	    case DT_DIR:          /* We don't want directories     */
++	    default:              /* nor anything else             */
++		break;
++	    }
++	    _pam_drop(d[j]);  /* free memory                   */
++	    d[j] = NULL;      /* indicate this one was dropped */
++	    dirscans_size_total--;
++	}
++    }
++
+     /* Allocate space for all file names found in the directories, including duplicates. */
+     if ((dirnames_all = calloc(dirscans_size_total, sizeof(*dirnames_all))) == NULL) {
+ 	pam_syslog(pamh, LOG_CRIT, "failed to allocate dirname array");
+@@ -225,8 +254,10 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
+ 	unsigned int j;
+ 
+ 	for (j = 0; j < dirscans_sizes[i]; j++) {
+-	    dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
+-	    i_dirnames++;
++	    if (NULL != dirscans[i][j]) {
++	        dirnames_all[i_dirnames] = dirscans[i][j]->d_name;
++	        i_dirnames++;
++	    }
+ 	}
+     }
+ 
+-- 
+2.39.0
+
diff --git a/poky/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch b/poky/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch
new file mode 100644
index 0000000000..a7b51f3217
--- /dev/null
+++ b/poky/meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch
@@ -0,0 +1,46 @@
+From 0764cb56df4a5afdf04980c9eb6735f789f5aa42 Mon Sep 17 00:00:00 2001
+From: Pavel Kopylov <pkopylov@cloudlinux.com>
+Date: Wed, 17 May 2023 11:33:45 +0200
+Subject: [PATCH] Fix an overflow which is still possible for some values.
+
+CVE: CVE-2023-33204
+Upstream-Status: Backport [https://github.com/sysstat/sysstat/commit/954ff2e2673c]
+
+Backport Changes:
+Adopt additional changes as per following merge commit of pull request:
+https://github.com/sysstat/sysstat/commit/6f8dc568e6ab
+
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
+---
+ common.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/common.c b/common.c
+index a3d31a5..138920c 100644
+--- a/common.c
++++ b/common.c
+@@ -447,15 +447,17 @@ int check_dir(char *dirname)
+ void check_overflow(unsigned int val1, unsigned int val2,
+ 		    unsigned int val3)
+ {
+-	if ((unsigned long long) val1 * (unsigned long long) val2 *
+-	    (unsigned long long) val3 > UINT_MAX) {
++	if ((val1 != 0) && (val2 != 0) && (val3 != 0) &&
++		(((unsigned long long)UINT_MAX / (unsigned long long)val1 <
++		(unsigned long long)val2) ||
++		((unsigned long long)UINT_MAX / ((unsigned long long)val1 *
++		(unsigned long long)val2) < (unsigned long long)val3))) {
+ #ifdef DEBUG
+-		fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n",
+-			__FUNCTION__, (unsigned long long) val1 * (unsigned long long) val2 *
+-			(unsigned long long) val3);
++		fprintf(stderr, "%s: Overflow detected (%u,%u,%u). Aborting...\n",
++			__FUNCTION__, val1, val2, val3);
+ #endif
+ 	exit(4);
+-		}
++	}
+ }
+ 
+ #ifndef SOURCE_SADC
diff --git a/poky/meta/recipes-extended/sysstat/sysstat_12.6.2.bb b/poky/meta/recipes-extended/sysstat/sysstat_12.6.2.bb
index f9e5778e76..b5014eaefb 100644
--- a/poky/meta/recipes-extended/sysstat/sysstat_12.6.2.bb
+++ b/poky/meta/recipes-extended/sysstat/sysstat_12.6.2.bb
@@ -2,6 +2,8 @@ require sysstat.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=a23a74b3f4caf9616230789d94217acb"
 
-SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch"
+SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch \
+            file://CVE-2023-33204.patch \
+            "
 
 SRC_URI[sha256sum] = "3e77134aedaa6fc57d9745da67edfd8990e19adee71ac47196229261c563fb48"
diff --git a/poky/meta/recipes-extended/texinfo/texinfo_7.0.2.bb b/poky/meta/recipes-extended/texinfo/texinfo_7.0.3.bb
index da455df4bb..b149177b72 100644
--- a/poky/meta/recipes-extended/texinfo/texinfo_7.0.2.bb
+++ b/poky/meta/recipes-extended/texinfo/texinfo_7.0.3.bb
@@ -35,7 +35,7 @@ SRC_URI = "${GNU_MIRROR}/texinfo/${BP}.tar.gz \
            ${TARGET_PATCH} \
            "
 
-SRC_URI[sha256sum] = "a9c646bc4f6bb31843f129f8408a3a627334575faf7b22ebc416be5cb1570553"
+SRC_URI[sha256sum] = "3cc5706fb086b895e1dc2b407aade9f95a3a233ff856273e2b659b089f117683"
 
 tex_texinfo = "texmf/tex/texinfo"
 
diff --git a/poky/meta/recipes-extended/wget/wget.inc b/poky/meta/recipes-extended/wget/wget.inc
index 58cb5ca73d..d31756dbc8 100644
--- a/poky/meta/recipes-extended/wget/wget.inc
+++ b/poky/meta/recipes-extended/wget/wget.inc
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c678957b0c8e964aa6c70fd77641a71e"
 
 inherit autotools gettext texinfo update-alternatives pkgconfig
 
-DEPENDS += "autoconf-archive"
+DEPENDS += "autoconf-archive-native"
 
 EXTRA_OECONF = "--without-libgnutls-prefix --without-libssl-prefix \
                 --disable-rpath"
diff --git a/poky/meta/recipes-extended/xz/xz_5.4.2.bb b/poky/meta/recipes-extended/xz/xz_5.4.3.bb
index 87f9602bf6..e1cdac3014 100644
--- a/poky/meta/recipes-extended/xz/xz_5.4.2.bb
+++ b/poky/meta/recipes-extended/xz/xz_5.4.3.bb
@@ -25,7 +25,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
                     "
 
 SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz"
-SRC_URI[sha256sum] = "87947679abcf77cc509d8d1b474218fd16b72281e2797360e909deaee1ac9d05"
+SRC_URI[sha256sum] = "1c382e0bc2e4e0af58398a903dd62fff7e510171d2de47a1ebe06d1528e9b7e9"
 UPSTREAM_CHECK_REGEX = "xz-(?P<pver>\d+(\.\d+)+)\.tar"
 
 CACHED_CONFIGUREVARS += "gl_cv_posix_shell=/bin/sh"