Diffstat (limited to 'external')
-rw-r--r--external/meta-clang/COPYING.MIT17
-rw-r--r--external/meta-clang/README.md113
-rw-r--r--external/meta-clang/_config.yml1
-rw-r--r--external/meta-clang/classes/clang.bbclass52
-rw-r--r--external/meta-clang/classes/cmake-native.bbclass47
-rw-r--r--external/meta-clang/classes/scan-build.bbclass58
-rw-r--r--external/meta-clang/conf/layer.conf23
-rw-r--r--external/meta-clang/conf/nonclangable.conf160
-rw-r--r--external/meta-clang/dynamic-layers/openembedded-layer/recipes-kernel/kernel-selftest/kernel-selftest.bbappend1
-rw-r--r--external/meta-clang/recipes-bsp/systemd-boot/systemd-boot_%.bbappend4
-rw-r--r--external/meta-clang/recipes-connectivity/openssh/openssh_%.bbappend3
-rw-r--r--external/meta-clang/recipes-core/busybox/busybox_%.bbappend1
-rw-r--r--external/meta-clang/recipes-core/glib-2.0/glib-2.0_%.bbappend1
-rw-r--r--external/meta-clang/recipes-core/meta/meta-environment.bbappend16
-rw-r--r--external/meta-clang/recipes-core/musl/musl_%.bbappend1
-rw-r--r--external/meta-clang/recipes-core/ncurses/ncurses_%.bbappend1
-rw-r--r--external/meta-clang/recipes-core/packagegroups/nativesdk-packagegroup-sdk-host.bbappend3
-rw-r--r--external/meta-clang/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bbappend6
-rw-r--r--external/meta-clang/recipes-core/packagegroups/packagegroup-cross-canadian.bbappend5
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang-cross-canadian_git.bb33
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang-cross_git.bb32
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang-crosssdk_git.bb30
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang.inc21
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0001-clang-driver-Use-lib-for-ldso-on-OE.patch56
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0001-compiler-rt-support-a-new-embedded-linux-target.patch326
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0001-libcxxabi-Find-libunwind-headers-when-LIBCXXABI_LIBU.patch68
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0001-lldb-Include-limits.h-for-PATH_MAX-definition.patch28
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0001-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch91
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0002-clang-Driver-tools.cpp-Add-lssp_nonshared-on-musl.patch34
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0002-compiler-rt-Simplify-cross-compilation.-Don-t-use-na.patch46
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0002-lldb-Add-lxml2-to-linker-cmdline-of-xml-is-found.patch40
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0002-llvm-allow-env-override-of-exe-path.patch37
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0003-clang-musl-ppc-does-not-support-128-bit-long-double.patch27
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0003-compiler-rt-Disable-tsan-on-OE-glibc.patch42
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0003-llvm-Disable-calls-to-_finite-and-other-glibc-only-f.patch65
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0004-clang-Prepend-trailing-to-sysroot.patch41
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0004-compiler-rt-cmake-mips-Do-not-specify-target-with-OE.patch44
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0005-clang-Look-inside-the-target-sysroot-for-compiler-ru.patch44
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0006-clang-Define-releative-gcc-installation-dir.patch32
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0007-clang-Fix-ldso-for-musl-on-x86-and-x32-architectures.patch44
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0008-clang-scan-view-needs-python-2.x.patch27
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0009-clang-Enable-SSP-and-PIE-by-default.patch284
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang/0020-clang-link-libgcc_eh-when-using-compiler-rt.patch24
-rw-r--r--external/meta-clang/recipes-devtools/clang/clang_git.bb150
-rw-r--r--external/meta-clang/recipes-devtools/clang/common-source.inc11
-rw-r--r--external/meta-clang/recipes-devtools/clang/common.inc71
-rw-r--r--external/meta-clang/recipes-devtools/clang/compiler-rt_git.bb96
-rw-r--r--external/meta-clang/recipes-devtools/clang/libcxx_git.bb81
-rw-r--r--external/meta-clang/recipes-devtools/clang/lldb_git.bb57
-rw-r--r--external/meta-clang/recipes-devtools/clang/llvm-common.bb22
-rw-r--r--external/meta-clang/recipes-devtools/clang/llvm-common/llvm-config39
-rw-r--r--external/meta-clang/recipes-devtools/clang/llvm-project-source.bb10
-rw-r--r--external/meta-clang/recipes-devtools/clang/llvm-project-source.inc20
-rw-r--r--external/meta-clang/recipes-devtools/clang/nativesdk-clang-glue.bb27
-rw-r--r--external/meta-clang/recipes-devtools/clang/openmp_git.bb40
-rw-r--r--external/meta-clang/recipes-extended/mdadm/mdadm_%.bbappend6
-rw-r--r--external/meta-clang/recipes-gnome/gcr/gcr_%.bbappend4
-rw-r--r--external/meta-clang/recipes-graphics/mesa/mesa_%.bbappend5
-rw-r--r--external/meta-clang/recipes-kernel/perf/perf.bbappend1
-rw-r--r--external/meta-clang/recipes-multimedia/libvorbis/libvorbis_%.bbappend4
-rw-r--r--external/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch61
-rw-r--r--external/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb1
-rw-r--r--external/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_2.6.10.bb (renamed from external/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_2.6.6.bb)4
-rw-r--r--external/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc2
-rw-r--r--external/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-Sync-our-copy-of-the-timezone-library-with-IANA-rele.patch1164
-rw-r--r--external/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-Update-time-zone-data-files-to-tzdata-release-2018f.patch6452
-rw-r--r--external/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_10.10.bb10
-rw-r--r--external/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_10.5.bb12
-rw-r--r--external/meta-openembedded/meta-oe/recipes-devtools/libedit/libedit_20180525-3.1.bb2
-rw-r--r--external/meta-openembedded/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch32
-rw-r--r--external/meta-openembedded/meta-oe/recipes-devtools/lua/lua_5.3.4.bb1
-rw-r--r--external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch194
-rw-r--r--external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch153
-rw-r--r--external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch53
-rw-r--r--external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit_0.115.bb3
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.34.bb46
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch8
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch (renamed from external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch)12
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch (renamed from external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch)10
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch (renamed from external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch)23
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch (renamed from external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch)6
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch (renamed from external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.3-fix-race-issue-of-dir-install.patch)6
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch (renamed from external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/configure-allow-to-disable-selinux-support.patch)8
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch (renamed from external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch)8
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2018-11763.patch512
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch27
-rw-r--r--external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.41.bb (renamed from external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.34.bb)202
-rw-r--r--[-rwxr-xr-x]external/meta-openembedded/meta-webserver/recipes-httpd/apache2/files/init0
-rw-r--r--external/meta-qt5/recipes-qt/qt5/qtbase_git.bb6
-rw-r--r--external/meta-spdxscanner/README.md63
-rw-r--r--external/meta-spdxscanner/classes/dosocs-host.bbclass262
-rw-r--r--external/meta-spdxscanner/classes/dosocs.bbclass302
-rw-r--r--external/meta-spdxscanner/classes/fossdriver-host.bbclass241
-rw-r--r--external/meta-spdxscanner/classes/fossology-rest.bbclass499
-rw-r--r--external/meta-spdxscanner/classes/scancode-tk.bbclass139
-rw-r--r--external/meta-spdxscanner/classes/spdx-common.bbclass221
-rw-r--r--external/meta-spdxscanner/conf/include/security_flags.inc1
-rw-r--r--external/meta-spdxscanner/conf/layer.conf2
-rw-r--r--external/meta-spdxscanner/conf/lid-scan.conf3
-rw-r--r--external/meta-spdxscanner/conf/spdx-dosocs.conf5
-rw-r--r--external/meta-spdxscanner/recipes-devtools/file/file/0001-magic.py-modified-for-dosocs2.patch501
-rw-r--r--external/meta-spdxscanner/recipes-devtools/file/file_%.bbappend3
-rw-r--r--external/meta-spdxscanner/recipes-devtools/fossology/fossology-nomos-native_git.bb29
-rw-r--r--external/meta-spdxscanner/recipes-devtools/fossology/fossology-nomos/0001-Add-rpath-to-fix-error-as-following.patch28
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/files/0001-Delete-the-version-limit-for-dosocs2.patch25
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/files/0001-Deleted-version-limit-for-dosocs2.patch25
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/files/0001-setup-py-delete-the-depends-install.patch34
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python-futures/python-futures_%.bbappend1
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python-lid_git.bb25
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python-nltk_3.0.3.bb22
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python-whatthepatch_0.0.5.bb22
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-docopt_0.6.2.bb17
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2-init_git.bb49
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-a-error-as-fowllowing.patch27
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-a-magic-error-as-following.patch26
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-bugs-because-python-from-2.x-to-3.x.patch142
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2_git.bb36
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-jinja2_%.bbappend3
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-lid_git.bb25
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-magic-5.25/0001-Modified-the-magic.py-for-dosocs2-to-fix-the-error-a.patch504
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-magic_5.25.bb27
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-markupsafe_%.bbappend1
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-nltk_3.0.3.bb22
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-psycopg2-native_2.6.1.bb23
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-six_1.10.0.bb13
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-sphinx-native_1.6.6.bb18
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-sqlalchemy_%.bbappend3
-rw-r--r--external/meta-spdxscanner/recipes-devtools/python/python3-whatthepatch_0.0.5.bb22
-rw-r--r--external/meta-spdxscanner/recipes-devtools/scancode-toolkit/scancode-toolkit-native_3.1.1.bb40
-rw-r--r--external/meta-spdxscanner/recipes-extended/glib-2.0/glib-2.0_%.bbappend1
-rw-r--r--external/meta-spdxscanner/recipes-extended/perl/perl_%.bbappend1
-rw-r--r--external/meta-spdxscanner/recipes-support/postgresql/files/0001-Use-pkg-config-for-libxml2-detection.patch43
-rw-r--r--external/meta-spdxscanner/recipes-support/postgresql/postgresql-native_9.4.11.bb91
-rw-r--r--external/meta-updater-qemux86-64/.gitlab-ci.yml68
-rw-r--r--external/meta-updater-qemux86-64/README.md5
-rw-r--r--external/meta-updater-qemux86-64/conf/layer.conf2
-rw-r--r--external/meta-updater-qemux86-64/recipes-bsp/u-boot/u-boot_%.bbappend4
-rw-r--r--external/meta-updater-raspberrypi/.gitlab-ci.yml58
-rw-r--r--external/meta-updater-raspberrypi/README.md24
-rw-r--r--external/meta-updater-raspberrypi/conf/layer.conf3
-rw-r--r--external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0001-Add-rpi4-uart0-dtb-overlay.patch59
-rw-r--r--external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi/audio.patch13
-rw-r--r--external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend11
-rwxr-xr-xexternal/meta-updater-raspberrypi/scripts/flash-image.sh17
-rw-r--r--external/meta-updater/.gitignore1
-rw-r--r--external/meta-updater/.gitlab-ci.yml24
-rw-r--r--external/meta-updater/CONTRIBUTING.adoc16
-rw-r--r--external/meta-updater/README.adoc289
-rw-r--r--external/meta-updater/classes/image_repo_manifest.bbclass2
-rw-r--r--external/meta-updater/classes/image_types_ostree.bbclass92
-rw-r--r--external/meta-updater/classes/image_types_ota.bbclass3
-rw-r--r--external/meta-updater/classes/sota.bbclass33
-rw-r--r--external/meta-updater/classes/sota_bleeding.inc1
-rw-r--r--external/meta-updater/classes/sota_m3ulcb.bbclass7
-rw-r--r--external/meta-updater/classes/sota_raspberrypi.bbclass34
-rw-r--r--external/meta-updater/classes/sota_sanity.bbclass47
-rw-r--r--external/meta-updater/classes/target_version_example.bbclass2
-rw-r--r--external/meta-updater/conf/distro/poky-sota-systemd.conf2
-rw-r--r--external/meta-updater/conf/distro/poky-sota.conf2
-rw-r--r--external/meta-updater/conf/distro/sota.conf.inc3
-rw-r--r--external/meta-updater/conf/include/bblayers/sota_raspberrypi3-64.inc1
-rw-r--r--external/meta-updater/conf/include/bblayers/sota_raspberrypi4-64.inc3
-rw-r--r--external/meta-updater/conf/include/bblayers/sota_raspberrypi4.inc3
-rw-r--r--external/meta-updater/conf/layer.conf11
-rw-r--r--external/meta-updater/conf/local.conf.base.append18
-rw-r--r--external/meta-updater/conf/local.conf.nonostree.append11
-rw-r--r--external/meta-updater/conf/local.conf.systemd.append (renamed from external/meta-updater/conf/local.conf.sample.append)20
-rw-r--r--external/meta-updater/lib/oeqa/selftest/cases/testutils.py21
-rw-r--r--external/meta-updater/lib/oeqa/selftest/cases/updater_qemux86_64.py80
-rw-r--r--external/meta-updater/lib/oeqa/selftest/cases/updater_raspberrypi.py16
-rw-r--r--external/meta-updater/recipes-connectivity/connman/connman_1.35.bbappend6
-rw-r--r--external/meta-updater/recipes-connectivity/connman/files/0001-tmpfiles-script-do-not-create-the-resolv.conf-symlin.patch22
-rw-r--r--external/meta-updater/recipes-connectivity/networkd-dhcp-conf/files/clean-connman-symlink.service11
-rw-r--r--external/meta-updater/recipes-connectivity/networkd-dhcp-conf/files/resolvconf-clean14
-rw-r--r--external/meta-updater/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb26
-rw-r--r--external/meta-updater/recipes-connectivity/zabbix/zabbix_%.bbappend20
-rw-r--r--external/meta-updater/recipes-core/images/initramfs-ostree-image.bb7
-rw-r--r--external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb60
-rw-r--r--external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb12
-rw-r--r--external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov.bb9
-rw-r--r--external/meta-updater/recipes-sota/aktualizr/aktualizr-hwid.bb24
-rw-r--r--external/meta-updater/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb28
-rw-r--r--external/meta-updater/recipes-sota/aktualizr/aktualizr-shared-prov.bb11
-rw-r--r--external/meta-updater/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb10
-rw-r--r--external/meta-updater/recipes-sota/aktualizr/aktualizr_git.bb64
-rw-r--r--external/meta-updater/recipes-sota/aktualizr/files/aktualizr-secondary.service3
-rw-r--r--external/meta-updater/recipes-sota/aktualizr/files/aktualizr.service3
-rw-r--r--external/meta-updater/recipes-sota/config/aktualizr-virtualsec.bb27
-rw-r--r--external/meta-updater/recipes-sota/config/files/30-virtualsec.toml3
-rw-r--r--external/meta-updater/recipes-sota/config/files/virtualsec.json14
-rwxr-xr-xexternal/meta-updater/recipes-sota/ostree/files/touch-ostree21
-rw-r--r--external/meta-updater/recipes-sota/ostree/ostree-booted_1.0.bb15
-rw-r--r--external/meta-updater/recipes-test/demo-config/files/30-fake-pacman.toml2
-rw-r--r--external/meta-updater/recipes-test/demo-config/files/30-pacman-config.toml2
-rw-r--r--external/meta-updater/recipes-test/demo-config/primary-config.bb3
-rw-r--r--external/meta-updater/recipes-test/demo-config/secondary-config.bb33
-rw-r--r--external/meta-updater/recipes-test/demo-config/shared-conf.inc4
-rw-r--r--external/meta-updater/recipes-test/demo-network-config/files/25-dhcp-server.network4
-rw-r--r--external/meta-updater/recipes-test/demo-network-config/network-config.inc9
-rw-r--r--external/meta-updater/recipes-test/demo-network-config/primary-network-config.bb10
-rw-r--r--external/meta-updater/recipes-test/demo-network-config/secondary-network-config.bb12
-rw-r--r--external/meta-updater/recipes-test/images/secondary-image.bb1
-rw-r--r--external/meta-updater/scripts/ci/Dockerfile.bitbake32
-rw-r--r--external/meta-updater/scripts/ci/Jenkinsfile.bleeding87
-rw-r--r--external/meta-updater/scripts/ci/Jenkinsfile.bleeding-selftest91
-rw-r--r--external/meta-updater/scripts/ci/README.adoc14
-rwxr-xr-xexternal/meta-updater/scripts/ci/build.sh3
-rwxr-xr-xexternal/meta-updater/scripts/ci/configure.sh40
-rwxr-xr-xexternal/meta-updater/scripts/ci/oe-selftest.sh14
-rwxr-xr-xexternal/meta-updater/scripts/envsetup.sh35
-rwxr-xr-xexternal/meta-updater/scripts/find_aktualizr_dependencies.sh1
-rw-r--r--external/meta-updater/scripts/qemucommand.py108
-rwxr-xr-xexternal/meta-updater/scripts/run-qemu-ota36
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-cpu_x86-Do-not-cache-microcode-version.patch59
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt/0002-qemu-Don-t-cache-microcode-version.patch155
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p1.patch894
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch116
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch63
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch56
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch56
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch99
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch43
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch41
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch49
-rw-r--r--external/meta-virtualization/recipes-extended/libvirt/libvirt_4.7.0.bb11
-rwxr-xr-xexternal/poky/bitbake/bin/bitbake-worker8
-rw-r--r--external/poky/bitbake/lib/bb/cookerdata.py6
-rw-r--r--external/poky/bitbake/lib/bb/fetch2/__init__.py7
-rw-r--r--external/poky/bitbake/lib/bb/runqueue.py2
-rw-r--r--external/poky/bitbake/lib/bb/tests/fetch.py4
-rw-r--r--external/poky/bitbake/lib/bb/utils.py2
-rw-r--r--external/poky/documentation/Makefile5
-rw-r--r--external/poky/documentation/bsp-guide/bsp-guide.xml7
-rw-r--r--external/poky/documentation/dev-manual/dev-manual.xml7
-rw-r--r--external/poky/documentation/kernel-dev/kernel-dev.xml12
-rw-r--r--external/poky/documentation/mega-manual/mega-manual.xml7
-rw-r--r--external/poky/documentation/overview-manual/overview-manual.xml7
-rw-r--r--external/poky/documentation/poky.ent16
-rw-r--r--external/poky/documentation/profile-manual/profile-manual.xml7
-rw-r--r--external/poky/documentation/ref-manual/ref-manual.xml7
-rw-r--r--external/poky/documentation/sdk-manual/sdk-manual.xml7
-rw-r--r--external/poky/documentation/toaster-manual/toaster-manual.xml7
-rw-r--r--external/poky/documentation/tools/mega-manual.sed48
-rw-r--r--external/poky/meta-poky/conf/distro/poky.conf2
-rw-r--r--external/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend20
-rw-r--r--external/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.18.bbappend20
-rw-r--r--external/poky/meta/classes/cve-check.bbclass181
-rw-r--r--external/poky/meta/classes/kernel.bbclass2
-rw-r--r--external/poky/meta/conf/distro/include/maintainers.inc1
-rw-r--r--external/poky/meta/conf/distro/include/yocto-uninative.inc10
-rw-r--r--external/poky/meta/conf/machine/include/arm/arch-arm64.inc2
-rw-r--r--external/poky/meta/lib/oe/buildhistory_analysis.py2
-rw-r--r--external/poky/meta/lib/oe/package_manager.py41
-rw-r--r--external/poky/meta/lib/oe/rootfs.py2
-rw-r--r--external/poky/meta/lib/oe/sdk.py4
-rw-r--r--external/poky/meta/lib/oeqa/selftest/context.py1
-rw-r--r--external/poky/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch72
-rw-r--r--external/poky/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb (renamed from external/poky/meta/recipes-connectivity/bind/bind_9.11.4.bb)8
-rw-r--r--external/poky/meta/recipes-connectivity/dhcp/dhcp/0001-master-Added-includes-of-new-BIND9-compatibility-hea.patch79
-rw-r--r--external/poky/meta/recipes-connectivity/dhcp/dhcp/0008-tweak-to-support-external-bind.patch117
-rw-r--r--external/poky/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb1
-rw-r--r--external/poky/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch127
-rw-r--r--external/poky/meta/recipes-core/dbus/dbus_1.12.10.bb1
-rw-r--r--external/poky/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch47
-rw-r--r--external/poky/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb1
-rw-r--r--external/poky/meta/recipes-core/glibc/glibc-locale.inc3
-rw-r--r--external/poky/meta/recipes-core/glibc/glibc-mtrace.inc3
-rw-r--r--external/poky/meta/recipes-core/glibc/glibc-scripts.inc3
-rw-r--r--external/poky/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch910
-rw-r--r--external/poky/meta/recipes-core/glibc/glibc/CVE-2019-6488.patch274
-rw-r--r--external/poky/meta/recipes-core/glibc/glibc/CVE-2019-7309.patch207
-rw-r--r--external/poky/meta/recipes-core/glibc/glibc_2.28.bb2
-rw-r--r--external/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb2
-rw-r--r--external/poky/meta/recipes-core/meta/cve-update-db-native.bb185
-rw-r--r--external/poky/meta/recipes-devtools/binutils/binutils-2.31.inc6
-rw-r--r--external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch180
-rw-r--r--external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch74
-rw-r--r--external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch35
-rw-r--r--external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch49
-rw-r--r--external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch39
-rw-r--r--external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch33
-rw-r--r--external/poky/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb62
-rw-r--r--external/poky/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch50
-rw-r--r--external/poky/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch215
-rw-r--r--external/poky/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch135
-rw-r--r--external/poky/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch52
-rw-r--r--external/poky/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch51
-rw-r--r--external/poky/meta/recipes-devtools/elfutils/elfutils_0.175.bb2
-rw-r--r--external/poky/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch65
-rw-r--r--external/poky/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch154
-rw-r--r--external/poky/meta/recipes-devtools/gcc/gcc-8.2.inc1
-rw-r--r--external/poky/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch44
-rw-r--r--external/poky/meta/recipes-devtools/go/go-1.11.inc6
-rw-r--r--external/poky/meta/recipes-devtools/json-c/json-c_0.13.1.bb2
-rw-r--r--external/poky/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch97
-rw-r--r--external/poky/meta/recipes-devtools/libcomps/libcomps_git.bb1
-rw-r--r--external/poky/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch93
-rw-r--r--external/poky/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch80
-rw-r--r--external/poky/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch44
-rw-r--r--external/poky/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch113
-rw-r--r--external/poky/meta/recipes-devtools/patch/patch_2.7.6.bb4
-rw-r--r--external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch183
-rw-r--r--external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18312.patchbin0 -> 2125 bytes
-rw-r--r--external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18313.patch60
-rw-r--r--external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18314.patch271
-rw-r--r--external/poky/meta/recipes-devtools/perl/perl_5.24.4.bb4
-rw-r--r--external/poky/meta/recipes-devtools/python/python/bpo-30458-cve-2019-9740.patch219
-rw-r--r--external/poky/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch127
-rw-r--r--external/poky/meta/recipes-devtools/python/python3/CVE-2018-14647.patch95
-rw-r--r--external/poky/meta/recipes-devtools/python/python3/CVE-2018-20406.patch217
-rw-r--r--external/poky/meta/recipes-devtools/python/python3/CVE-2018-20852.patch129
-rw-r--r--external/poky/meta/recipes-devtools/python/python3/CVE-2019-9636.patch154
-rw-r--r--external/poky/meta/recipes-devtools/python/python3/CVE-2019-9740.patch155
-rw-r--r--external/poky/meta/recipes-devtools/python/python3_3.5.6.bb5
-rw-r--r--external/poky/meta/recipes-devtools/python/python_2.7.16.bb2
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch49
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch95
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch19
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch336
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch2
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch52
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch50
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch39
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch41
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch215
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu_3.0.0.bb9
-rw-r--r--external/poky/meta/recipes-extended/libsolv/libsolv/0003-Fix-Dereference-of-null-pointer.patch33
-rw-r--r--external/poky/meta/recipes-extended/libsolv/libsolv/0004-Fix-Add-va_end-before-return.patch36
-rw-r--r--external/poky/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch158
-rw-r--r--external/poky/meta/recipes-extended/libsolv/libsolv/0006-Fix-testsolv-segfault.patch41
-rw-r--r--external/poky/meta/recipes-extended/libsolv/libsolv/0007-Fix-testsolv-segfaults.patch47
-rw-r--r--external/poky/meta/recipes-extended/libsolv/libsolv/0008-Fix-Be-sure-that-NONBLOCK-is-set.patch37
-rw-r--r--external/poky/meta/recipes-extended/libsolv/libsolv/0009-Don-t-set-values-that-are-never-read.patch113
-rw-r--r--external/poky/meta/recipes-extended/libsolv/libsolv_0.6.35.bb7
-rw-r--r--external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch170
-rw-r--r--external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch98
-rw-r--r--external/poky/meta/recipes-extended/sudo/sudo_1.8.23.bb2
-rw-r--r--external/poky/meta/recipes-extended/tar/tar/CVE-2018-20482.patch405
-rw-r--r--external/poky/meta/recipes-extended/tar/tar_1.30.bb1
-rw-r--r--external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch33
-rw-r--r--external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch356
-rw-r--r--external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch121
-rw-r--r--external/poky/meta/recipes-extended/unzip/unzip_6.0.bb3
-rw-r--r--external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch73
-rw-r--r--external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch127
-rw-r--r--external/poky/meta/recipes-extended/wget/wget_1.19.5.bb2
-rw-r--r--external/poky/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch38
-rw-r--r--external/poky/meta/recipes-graphics/pango/pango_1.42.4.bb4
-rw-r--r--external/poky/meta/recipes-kernel/linux/kernel-devsrc.bb9
-rw-r--r--external/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb6
-rw-r--r--external/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb6
-rw-r--r--external/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb20
-rw-r--r--external/poky/meta/recipes-support/atk/at-spi2-core_2.28.0.bb2
-rw-r--r--external/poky/meta/recipes-support/curl/curl/CVE-2018-16890.patch50
-rw-r--r--external/poky/meta/recipes-support/curl/curl/CVE-2019-3822.patch47
-rw-r--r--external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch55
-rw-r--r--external/poky/meta/recipes-support/curl/curl/CVE-2019-5482.patch68
-rw-r--r--external/poky/meta/recipes-support/curl/curl_7.61.0.bb4
-rw-r--r--external/poky/meta/recipes-support/gnupg/gnupg/0001-Woverride-init-is-not-needed-with-gcc-9.patch31
-rw-r--r--external/poky/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch6
-rw-r--r--external/poky/meta/recipes-support/gnupg/gnupg/relocate.patch2
-rw-r--r--external/poky/meta/recipes-support/gnupg/gnupg_2.2.12.bb3
-rw-r--r--external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p1.patch39
-rw-r--r--external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p2.patch871
-rw-r--r--external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p3.patch36
-rw-r--r--external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3836.patch35
-rw-r--r--external/poky/meta/recipes-support/gnutls/gnutls_3.6.4.bb4
-rw-r--r--external/poky/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch176
-rw-r--r--external/poky/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch330
-rw-r--r--external/poky/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb2
-rw-r--r--external/poky/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch161
-rw-r--r--external/poky/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb1
-rw-r--r--external/poky/meta/recipes-support/libxslt/files/CVE-2019-13117.patch33
-rw-r--r--external/poky/meta/recipes-support/libxslt/files/CVE-2019-13118.patch76
-rw-r--r--external/poky/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch128
-rw-r--r--external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb5
-rw-r--r--external/poky/meta/recipes-support/sqlite/files/CVE-2019-8457.patch126
-rw-r--r--external/poky/meta/recipes-support/sqlite/sqlite3_3.23.1.bb1
378 files changed, 17073 insertions, 12753 deletions
diff --git a/external/meta-clang/COPYING.MIT b/external/meta-clang/COPYING.MIT
new file mode 100644
index 00000000..fb950dc6
--- /dev/null
+++ b/external/meta-clang/COPYING.MIT
@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/external/meta-clang/README.md b/external/meta-clang/README.md
new file mode 100644
index 00000000..986f77c3
--- /dev/null
+++ b/external/meta-clang/README.md
@@ -0,0 +1,113 @@
+# meta-clang (a C language family frontend and LLVM compiler backend)
+
+This layer provides [clang/llvm](http://clang.llvm.org/) as alternative to your system
+C/C++ compiler for OpenEmbedded based distributions along with gcc
+
+# Getting Started
+
+```shell
+git clone git://github.com/openembedded/openembedded-core.git
+cd openembeeded-core
+git clone git://github.com/openembedded/bitbake.git
+git clone git://github.com/kraj/meta-clang.git
+
+$ . ./oe-init-build-env
+```
+
+Edit conf/bblayers.conf to add meta-clang to layer mix e.g.
+
+```python
+BBLAYERS ?= " \
+ /home/kraj/openembedded-core/meta-clang \
+ /home/kraj/openembedded-core/meta \
+ "
+```
+
+# Default Compiler Switch
+
+Note that by default gcc will remain the system compiler, however if you wish
+clang to be the default compiler then set
+
+```python
+TOOLCHAIN ?= "clang"
+```
+
+in local.conf, this would now switch to using clang as default compiler systemwide
+you can select clang per package too by writing bbappends for them containing
+
+```python
+TOOLCHAIN = "clang"
+```
+
+# Default C++ Standard Library Switch
+
+Note that by default libstdc++ will remain the default C++ standard library, however if you wish
+libc++ to be the default one then set
+
+```python
+TARGET_CXXFLAGS_append_toolchain-clang ?= " -stdlib=libc++ "
+```
+
+in local.conf.
+You can select libc++ per package too by writing bbappends for them containing
+
+```python
+TARGET_CXXFLAGS_append_toolchain-clang = " -stdlib=libc++ "
+```
+
+# Building
+
+Below we build for qemuarm machine as an example
+
+```shell
+$ MACHINE=qemux86 bitbake core-image-minimal
+```
+# Running
+
+```shell
+$ runqemu qemux86
+```
+
+# Limitations
+
+Few components do not build with clang, if you have a component to add to that list
+simply add it to conf/nonclangable.inc e.g.
+
+```shell
+TOOLCHAIN_pn-<recipe> = "gcc"
+```
+
+and OE will start using gcc to cross compile that recipe.
+
+And if a component does not build with libc++, you can add it to conf/nonclangable.inc e.g.
+
+```shell
+TARGET_CXXFLAGS_remove_pn-<recipe>_toolchain-clang = " -stdlib=libc++ "
+```
+
+# Dependencies
+
+```
+URI: git://github.com/openembedded/openembedded-core.git
+branch: master
+revision: HEAD
+
+URI: git://github.com/openembedded/bitbake.git
+branch: master
+revision: HEAD
+```
+
+Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-clang]' in the subject'
+
+When sending single patches, please use something like:
+
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-clang][PATCH'
+
+You are encouraged to fork the mirror on [github](https://github.com/kraj/meta-clang/)
+to share your patches, this is preferred for patch sets consisting of more than
+one patch. Other services like gitorious, repo.or.cz or self hosted setups are
+of course accepted as well, 'git fetch <remote>' works the same on all of them.
+We recommend github because it is free, easy to use, has been proven to be reliable
+and has a really good web GUI.
+
+Layer Maintainer: [Khem Raj](<mailto:raj.khem@gmail.com>)
diff --git a/external/meta-clang/_config.yml b/external/meta-clang/_config.yml
new file mode 100644
index 00000000..c4192631
--- /dev/null
+++ b/external/meta-clang/_config.yml
@@ -0,0 +1 @@
+theme: jekyll-theme-cayman
\ No newline at end of file
diff --git a/external/meta-clang/classes/clang.bbclass b/external/meta-clang/classes/clang.bbclass
new file mode 100644
index 00000000..4d20ff07
--- /dev/null
+++ b/external/meta-clang/classes/clang.bbclass
@@ -0,0 +1,52 @@
+# Add the necessary override
+CC_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
+CXX_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang++ ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
+CPP_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS} -E"
+CCLD_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
+RANLIB_toolchain-clang = "${HOST_PREFIX}ranlib"
+AR_toolchain-clang = "${HOST_PREFIX}ar"
+NM_toolchain-clang = "${HOST_PREFIX}nm"
+
+THUMB_TUNE_CCARGS_remove_toolchain-clang = "-mthumb-interwork"
+TUNE_CCARGS_remove_toolchain-clang = "-meb"
+TUNE_CCARGS_remove_toolchain-clang = "-mel"
+TUNE_CCARGS_append_toolchain-clang = "${@bb.utils.contains("TUNE_FEATURES", "bigendian", " -mbig-endian", " -mlittle-endian", d)}"
+
+TUNE_CCARGS_remove_toolchain-clang_powerpc = "-mhard-float"
+TUNE_CCARGS_remove_toolchain-clang_powerpc = "-mno-spe"
+
+TUNE_CCARGS_append_toolchain-clang = " --rtlib=compiler-rt -Wno-error=unused-command-line-argument -Qunused-arguments"
+
+TOOLCHAIN_OPTIONS_append_toolchain-clang_class-nativesdk_x86-64 = " -Wl,-dynamic-linker,${base_libdir}/ld-linux-x86-64.so.2"
+TOOLCHAIN_OPTIONS_append_toolchain-clang_class-nativesdk_x86 = " -Wl,-dynamic-linker,${base_libdir}/ld-linux.so.2"
+
+# choose between 'gcc' 'clang' an empty '' can be used as well
+TOOLCHAIN ??= "gcc"
+
+TOOLCHAIN_class-native = "gcc"
+TOOLCHAIN_class-nativesdk = "gcc"
+TOOLCHAIN_class-cross-canadian = "gcc"
+TOOLCHAIN_class-crosssdk = "gcc"
+TOOLCHAIN_class-cross = "gcc"
+
+# -fmacro-prefix-map does not exist in clang 7.x
+DEBUG_PREFIX_MAP_toolchain-clang = " "
+
+OVERRIDES =. "${@['', 'toolchain-${TOOLCHAIN}:']['${TOOLCHAIN}' != '']}"
+OVERRIDES[vardepsexclude] += "TOOLCHAIN"
+
+#DEPENDS_append_toolchain-clang_class-target = " clang-cross-${TARGET_ARCH} "
+#DEPENDS_remove_toolchain-clang_allarch = "clang-cross-${TARGET_ARCH}"
+
+def clang_dep_prepend(d):
+ if not d.getVar('INHIBIT_DEFAULT_DEPS', False):
+ if not oe.utils.inherits(d, 'allarch') :
+ return " clang-cross-${TARGET_ARCH} compiler-rt libcxx"
+ return ""
+
+BASEDEPENDS_remove_toolchain-clang_class-target = "virtual/${TARGET_PREFIX}gcc"
+BASEDEPENDS_append_toolchain-clang_class-target = "${@clang_dep_prepend(d)}"
+
+PREFERRED_PROVIDER_libunwind = "libunwind"
+PREFERRED_PROVIDER_libunwind_mipsarch = "libunwind"
+PREFERRED_PROVIDER_libunwind_toolchain-clang = "libcxx"
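Review bot: `DEBUG_PREFIX_MAP_toolchain-clang = " "` empties the whole variable, although the comment above it names only `-fmacro-prefix-map` as missing in clang 7.x. If the base value also carries `-fdebug-prefix-map=` entries (not visible in this hunk), clang builds lose them too. Absolute build-host paths then end up in debug info, which hurts reproducibility and leaks workdir paths into shipped artifacts. clang accepts `-fdebug-prefix-map`, so the override could keep those entries and drop only the macro one, with the comment updated to say so.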
diff --git a/external/meta-clang/classes/cmake-native.bbclass b/external/meta-clang/classes/cmake-native.bbclass
new file mode 100644
index 00000000..911476e1
--- /dev/null
+++ b/external/meta-clang/classes/cmake-native.bbclass
@@ -0,0 +1,47 @@
+# We need to unset CCACHE otherwise cmake gets too confused
+CCACHE = ""
+
+# Native C/C++ compiler (without cpu arch/tune arguments)
+OECMAKE_NATIVE_C_COMPILER ?= "`echo ${BUILD_CC} | sed 's/^\([^ ]*\).*/\1/'`"
+OECMAKE_NATIVE_CXX_COMPILER ?= "`echo ${BUILD_CXX} | sed 's/^\([^ ]*\).*/\1/'`"
+OECMAKE_NATIVE_AR ?= "${BUILD_AR}"
+
+# Native compiler flags
+OECMAKE_NATIVE_C_FLAGS ?= "${BUILD_CC_ARCH} ${BUILD_CFLAGS}"
+OECMAKE_NATIVE_CXX_FLAGS ?= "${BUILD_CC_ARCH} ${BUILD_CXXFLAGS}"
+OECMAKE_NATIVE_C_FLAGS_RELEASE ?= "-DNDEBUG"
+OECMAKE_NATIVE_CXX_FLAGS_RELEASE ?= "-DNDEBUG"
+OECMAKE_NATIVE_C_LINK_FLAGS ?= "${BUILD_CC_ARCH} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS}"
+OECMAKE_NATIVE_CXX_LINK_FLAGS ?= "${BUILD_CC_ARCH} ${BUILD_CXXFLAGS} ${BUILD_LDFLAGS}"
+BUILD_CXXFLAGS += "${BUILD_CC_ARCH}"
+BUILD_CFLAGS += "${BUILD_CC_ARCH}"
+
+do_generate_native_toolchain_file() {
+ cat > ${WORKDIR}/toolchain-native.cmake <<EOF
+set( CMAKE_SYSTEM_NAME `echo ${BUILD_OS} | sed -e 's/^./\u&/' -e 's/^\(Linux\).*/\1/'` )
+set( CMAKE_SYSTEM_PROCESSOR ${BUILD_ARCH} )
+set( CMAKE_C_COMPILER ${OECMAKE_NATIVE_C_COMPILER} )
+set( CMAKE_CXX_COMPILER ${OECMAKE_NATIVE_CXX_COMPILER} )
+set( CMAKE_ASM_COMPILER ${OECMAKE_NATIVE_C_COMPILER} )
+set( CMAKE_AR ${OECMAKE_NATIVE_AR} CACHE FILEPATH "Archiver" )
+set( CMAKE_C_FLAGS "${OECMAKE_NATIVE_C_FLAGS}" CACHE STRING "CFLAGS" )
+set( CMAKE_CXX_FLAGS "${OECMAKE_NATIVE_CXX_FLAGS}" CACHE STRING "CXXFLAGS" )
+set( CMAKE_ASM_FLAGS "${OECMAKE_NATIVE_C_FLAGS}" CACHE STRING "ASM FLAGS" )
+set( CMAKE_C_FLAGS_RELEASE "${OECMAKE_NATIVE_C_FLAGS_RELEASE}" CACHE STRING "Additional CFLAGS for release" )
+set( CMAKE_CXX_FLAGS_RELEASE "${OECMAKE_NATIVE_CXX_FLAGS_RELEASE}" CACHE STRING "Additional CXXFLAGS for release" )
+set( CMAKE_ASM_FLAGS_RELEASE "${OECMAKE_NATIVE_C_FLAGS_RELEASE}" CACHE STRING "Additional ASM FLAGS for release" )
+set( CMAKE_C_LINK_FLAGS "${OECMAKE_NATIVE_C_LINK_FLAGS}" CACHE STRING "LDFLAGS" )
+set( CMAKE_CXX_LINK_FLAGS "${OECMAKE_NATIVE_CXX_LINK_FLAGS}" CACHE STRING "LDFLAGS" )
+
+set( CMAKE_FIND_ROOT_PATH ${STAGING_DIR_NATIVE} )
+set( CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY )
+set( CMAKE_FIND_ROOT_PATH_MODE_PROGRAM BOTH )
+set( CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY )
+set( CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY )
+
+# Use native cmake modules
+list(APPEND CMAKE_MODULE_PATH "${STAGING_DATADIR_NATIVE}/cmake/Modules/")
+EOF
+}
+
+addtask generate_native_toolchain_file after do_patch before do_configure
diff --git a/external/meta-clang/classes/scan-build.bbclass b/external/meta-clang/classes/scan-build.bbclass
new file mode 100644
index 00000000..e0de56bb
--- /dev/null
+++ b/external/meta-clang/classes/scan-build.bbclass
@@ -0,0 +1,58 @@
+# Copyright (C) 2018 Khem Raj <raj.khem@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+CFLAGS =+ "${TARGET_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
+CXXFLAGS =+ "${TARGET_CC_ARCH} ${TOOLCHAIN_OPTIONS}"
+
+#EXTRA_ANALYZER_OPTIONS ?= "-analyze-headers"
+CLANG_SCAN_ENABLED ??= "1"
+#CLANG_SCAN_SERVER_IP ??= "127.0.0.1"
+CLANG_SCAN_SERVER_IP ??= "10.0.0.10"
+CLANG_SCAN_PORT ??= "8181"
+SCAN_RESULTS_DIR ?= "${TMPDIR}/static-scan/${PN}"
+
+scanbuild_munge_cc_cxx() {
+ cc="`echo ${CC} | cut -f1 -d " "`"
+ cxx="`echo ${CXX} | cut -f1 -d " "`"
+ export CC="${cc}"
+ export CXX="${cxx}"
+}
+
+do_configure[prefuncs] += "scanbuild_munge_cc_cxx"
+
+do_scanbuild() {
+ cc="`echo ${CC} | cut -f1 -d " "`"
+ cxx="`echo ${CXX} | cut -f1 -d " "`"
+ #mk="scan-build --use-cc=${cc} --use-c++=${cxx} --analyzer-target=${HOST_SYS} --html-title="${BP}" -o ${SCAN_RESULTS_DIR} ${EXTRA_ANALYZER_OPTIONS} make"
+ #export MAKE="${mk}"
+ export CC="${cc}"
+ export CXX="${cxx}"
+ scan-build --use-cc=${cc} --use-c++=${cxx} --analyzer-target=${HOST_SYS} --html-title="${BP}" -o ${SCAN_RESULTS_DIR} ${EXTRA_ANALYZER_OPTIONS} ${MAKE} ${EXTRA_OEMAKE}
+}
+
+do_scanview() {
+ bbplain "================================================================"
+ bbplain "Stating scan-view server at: http://${CLANG_SCAN_SERVER_IP}:${CLANG_SCAN_PORT}"
+ bbplain "Use Ctrl-C to exit"
+ bbplain "================================================================"
+ scan-view --host ${CLANG_SCAN_SERVER_IP} --port ${CLANG_SCAN_PORT} --allow-all-hosts ${SCAN_RESULTS_DIR}/*/
+}
+
+do_scanview[depends] += "${PN}:do_scanbuild"
+do_scanbuild[cleandirs] += "${SCAN_RESULTS_DIR}"
+do_scanbuild[dirs] += "${B}"
+do_scanview[dirs] += "${SCAN_RESULTS_DIR}"
+#do_build[recrdeptask] += "do_scanbuild"
+
+do_scanbuild[doc] = "Build and scan static analysis data using clang"
+do_scanview[doc] = "Start a webserver to visualize static analysis data"
+
+addtask scanbuild after do_configure before do_compile
+addtask scanview
+
+python () {
+ # Remove scanbuild task when scanning is not enabled
+ if not(d.getVar('CLANG_SCAN_ENABLED') == "1"):
+ for i in ['do_scanbuild', 'do_scanview']:
+ bb.build.deltask(i, d)
+}
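Review bot: `do_scanview` serves the analysis reports on a non-loopback default, `CLANG_SCAN_SERVER_IP ??= "10.0.0.10"`, and always passes `--allow-all-hosts`, so anyone who can reach that address can browse the reports and the source excerpts they contain. The safer default is the commented-out one, `CLANG_SCAN_SERVER_IP ??= "127.0.0.1"`, with `--allow-all-hosts` moved behind an opt-in variable that defaults to empty. `CLANG_SCAN_ENABLED ??= "1"` also registers both tasks for every recipe that inherits the class; defaulting it to "0" would make the exposure a deliberate choice. The banner string reads "Stating" where "Starting" is meant.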
diff --git a/external/meta-clang/conf/layer.conf b/external/meta-clang/conf/layer.conf
new file mode 100644
index 00000000..a5c666fc
--- /dev/null
+++ b/external/meta-clang/conf/layer.conf
@@ -0,0 +1,23 @@
+# We have a conf and classes directory, append to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have a recipes directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "clang-layer"
+BBFILE_PATTERN_clang-layer := "^${LAYERDIR}/"
+BBFILE_PRIORITY_clang-layer = "7"
+LAYERSERIES_COMPAT_clang-layer = "sumo thud"
+
+BBFILES_DYNAMIC += " \
+ openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bb \
+ openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bbappend \
+"
+
+#PREFERRED_PROVIDER_gcc-cross-initial-${TARGET_ARCH}_forcevariable = "clang-cross"
+#PREFERRED_PROVIDER_virtual/${TARGET_PREFIX}gcc-initial_forcevariable = "clang-cross"
+PREFERRED_PROVIDER_libgcc-initial = "libgcc-initial"
+
+INHERIT += "clang"
+
+require conf/nonclangable.conf
diff --git a/external/meta-clang/conf/nonclangable.conf b/external/meta-clang/conf/nonclangable.conf
new file mode 100644
index 00000000..54aa4114
--- /dev/null
+++ b/external/meta-clang/conf/nonclangable.conf
@@ -0,0 +1,160 @@
+TOOLCHAIN_pn-aspell = "gcc"
+TOOLCHAIN_pn-cpufrequtils = "gcc"
+# crash embeds version of gdb which is not buildable with clang
+TOOLCHAIN_pn-crash = "gcc"
+TOOLCHAIN_pn-elfutils = "gcc"
+# /mnt/a/yoe/build/tmp/work/cortexa7t2hf-neon-vfpv4-yoe-linux-gnueabi/firefox/60.1.0esr-r0/recipe-sysroot-native/usr/lib/clang/7.0.1/include/arm_neon.h:433:1: error: unknown type name 'inline'
+# __ai uint8x16_t vabdq_u8(uint8x16_t __p0, uint8x16_t __p1) {
+TOOLCHAIN_pn-firefox = "gcc"
+TOOLCHAIN_pn-gcc = "gcc"
+TOOLCHAIN_pn-gcc-runtime = "gcc"
+TOOLCHAIN_pn-gcc-sanitizers = "gcc"
+TOOLCHAIN_pn-glibc = "gcc"
+TOOLCHAIN_pn-glibc-initial = "gcc"
+TOOLCHAIN_pn-glibc-locale = "gcc"
+TOOLCHAIN_pn-glibc-mtrace = "gcc"
+TOOLCHAIN_pn-glibc-scripts = "gcc"
+TOOLCHAIN_pn-grub = "gcc"
+TOOLCHAIN_pn-grub-efi = "gcc"
+# VLAs
+#| control.c:286:19: error: fields must have a constant size: 'variable length array in structure' extension will never be supported
+#| __u32 buffer[cam->max_response_quads];
+#| ^
+#| 1 error generated.
+TOOLCHAIN_pn-libdc1394 = "gcc"
+TOOLCHAIN_pn-libgcc = "gcc"
+TOOLCHAIN_pn-libgcc-initial = "gcc"
+TOOLCHAIN_pn-libgfortran = "gcc"
+TOOLCHAIN_pn-libssp-nonshared = "gcc"
+#| cargo:warning=/mnt/a/yoe/build/tmp/work/cortexa7t2hf-neon-vfpv4-yoe-linux-gnueabi/libstd-rs/1.27.1-r0/re
+#cipe-sysroot/usr/include/bits/stdlib.h:90:3: error: "Assumed value of MB_LEN_MAX wrong"
+#| cargo:warning=# error "Assumed value of MB_LEN_MAX wrong"
+#| cargo:warning= ^
+TOOLCHAIN_pn-libstd-rs = "gcc"
+# clang does not have 64bit atomics on mips32
+TOOLCHAIN_pn-mesa_mips = "gcc"
+TOOLCHAIN_pn-mesa_mipsel = "gcc"
+TOOLCHAIN_pn-openjdk-8 = "gcc"
+TOOLCHAIN_pn-openjre-8 = "gcc"
+TOOLCHAIN_pn-piglit = "gcc"
+TOOLCHAIN_pn-prelink = "gcc"
+TOOLCHAIN_pn-polkit = "gcc"
+# has dpkg source which does not compile
+TOOLCHAIN_pn-start-stop-daemon = "gcc"
+TOOLCHAIN_pn-syslinux = "gcc"
+TOOLCHAIN_pn-systemtap = "gcc"
+# v4l-utils uses nested functions
+TOOLCHAIN_pn-v4l-utils = "gcc"
+TOOLCHAIN_pn-valgrind = "gcc"
+# uses C++ which clang does not like
+TOOLCHAIN_pn-wvstreams = "gcc"
+TOOLCHAIN_pn-wvdial = "gcc"
+#| ../../mpfr-3.1.4/src/mul.c:324:11: error: invalid output constraint '=h' in asm
+#| umul_ppmm (tmp[1], tmp[0], MPFR_MANT (b)[0], MPFR_MANT (c)[0]);
+TOOLCHAIN_pn-mpfr_mips = "gcc"
+TOOLCHAIN_pn-mpfr_mips64 = "gcc"
+#
+#../../lib/libicui18n.so: undefined reference to `__atomic_fetch_sub_4'
+#../../lib/libicui18n.so: undefined reference to `__atomic_load_4'
+#../../lib/libicui18n.so: undefined reference to `__atomic_store_4'
+#../../lib/libicui18n.so: undefined reference to `__atomic_fetch_add_4'
+#
+TOOLCHAIN_pn-icu_armv4 = "gcc"
+TOOLCHAIN_pn-icu_armv5 = "gcc"
+
+#../../libgcrypt-1.6.5/mpi/mpih-div.c:98:3: error: invalid use of a cast in a inline asm context requiring an l-value: remove the cast or build with -fheinous-gnu-extensions
+TOOLCHAIN_pn-libgcrypt_mips64 = "gcc"
+
+#| ../../pixman-0.34.0/test/utils-prng.c:131:29: error: cannot convert between vector type '__attribute__((__vector_size__(16 * sizeof(char)))) char' (vector of 16 'char' values) and vector type 'uint8x16' (vector of 16 'uint8_t' values) as implicit conversion would cause truncation
+#| randdata.vb |= (t.vb >= const_C0#);
+#| ^
+# also see http://lists.llvm.org/pipermail/llvm-dev/2016-October/105997.html
+TOOLCHAIN_pn-pixman = "gcc"
+
+#| ./ports/linux/pseudo_wrappers.c:80:14: error: use of unknown builtin '__builtin_apply' [-Wimplicit-function-declaration]
+#| void *res = __builtin_apply((void (*)()) real_syscall, __builtin_apply_args(), sizeof(long) * 7);
+#| ^
+#| ./ports/linux/pseudo_wrappers.c:80:57: error: use of unknown builtin '__builtin_apply_args' [-Wimplicit-function-declaration]
+#| void *res = __builtin_apply((void (*)()) real_syscall, __builtin_apply_args(), sizeof(long) * 7);
+
+TOOLCHAIN_pn-pseudo = "gcc"
+#| ../../pulseaudio-10.0/src/pulsecore/mix_neon.c../../pulseaudio-10.0/src/pulsecore/sconv_neon.c:49::27: error: unknown register name 'q0' in asm
+#| : "memory", "cc", "q0" /* clobber list */
+#| ^
+TOOLCHAIN_pn-pulseaudio_aarch64 = "gcc"
+# mix_neon.c:179:9: error: invalid operand in inline asm: 'vld1.s32 ${0:h}, [$2]
+# vld1.s32 ${1:h}, [$3] '
+TOOLCHAIN_pn-pulseaudio_armv7ve = "gcc"
+TOOLCHAIN_pn-pulseaudio_armv7a = "gcc"
+
+# clang++ 6.0 crashes during link phase of a shared library
+TOOLCHAIN_pn-wpewebkit = "gcc"
+
+# x264 causes a infinite loop when compiling 1 source file
+#
+TOOLCHAIN_pn-x264_x86 = "gcc"
+
+#| /usr/src/debug/qemu/2.6.0-r1/qemu-2.6.0/util/bitmap.c:191: undefined reference to `__atomic_fetch_or_4'
+#| /usr/src/debug/qemu/2.6.0-r1/qemu-2.6.0/util/bitmap.c:210: undefined reference to `__atomic_fetch_or_4'
+#| libqemuutil.a(bitmap.o): In function `bitmap_test_and_clear_atomic':
+#| /usr/src/debug/qemu/2.6.0-r1/qemu-2.6.0/util/bitmap.c:250: undefined reference to `__atomic_fetch_and_4'
+#| /usr/src/debug/qemu/2.6.0-r1/qemu-2.6.0/util/bitmap.c:262: undefined reference to `__atomic_exchange_4'
+#| /usr/src/debug/qemu/2.6.0-r1/qemu-2.6.0/util/bitmap.c:273: undefined reference to `__atomic_fetch_and_4'
+# We need to link in with -latomic which comes from gcc-runtime anyway so just keep using gcc
+# to compile qemu for target
+TOOLCHAIN_pn-qemu_arm = "gcc"
+
+# llvm-profdata fails see
+# | error: Could not read profile code.profd: No such file or directory
+TOOLCHAIN_pn-python3 = "gcc"
+
+#| ./dsp/v4f_IIR2.h:554:12: error: no matching function for call to 'v4f_map'
+#| a[5] = v4f_map<__builtin_cosf> (f);
+#| ^~~~~~~~~~~~~~~~~~~~~~~
+TOOLCHAIN_pn-caps = "gcc"
+
+CFLAGS_append_pn-liboil_toolchain-clang_x86-64 = " -fheinous-gnu-extensions "
+
+#io_getevents.c:25:141: error: invalid use of a cast in a inline asm context requiring an l-value: remove the cast or build with -fheinous-gnu-extensions
+#io_syscall5(int, __io_getevents_0_4, io_getevents, io_context_t, ctx, long, min_nr, long, nr, struct io_event *, events, struct timespec *, timeout)
+CFLAGS_append_pn-libaio_toolchain-clang_mips = " -fheinous-gnu-extensions"
+
+#| error: unknown warning option '-Wimplicit-fallthrough=0'; did you mean '-Wimplicit-fallthrough'? [-Werror,-Wunknown-warning-option]
+CFLAGS_append_pn-mdadm_toolchain-clang = " -Wno-error=unknown-warning-option"
+
+#../libffi-3.2.1/src/arm/sysv.S:363:2: error: invalid instruction, did you mean: fldmiax?
+# fldmiadgt ip, {d0-d7}
+CFLAGS_append_pn-libffi_toolchain-clang = " -no-integrated-as"
+# ../db-5.3.28/src/mutex/mut_tas.c:150:34: error: unknown directive
+#<inline asm>:9:2: note: instantiated into assembly here
+# .force_thumb
+# ^
+CFLAGS_append_pn-db_toolchain-clang = " -no-integrated-as"
+
+# Disable internal assembler for armv7 since it uses gnu assmebly syntax
+# which should be preprocessed via gcc/compiler
+#
+CFLAGS_append_pn-openssl_toolchain-clang_armv7ve = " -no-integrated-as"
+CFLAGS_append_pn-openssl_toolchain-clang_armv7a = " -no-integrated-as"
+CFLAGS_append_pn-userland_toolchain-clang = " -no-integrated-as"
+
+# regtest.cc:374:39: error: invalid suffix on literal; C++11 requires a
+# space between literal and identifier [-Wreserved-user-defined-literal]
+#| snprintf_func (buf, sizeof(buf), "%"Q"u", x);
+#| ^
+CXXFLAGS_append_pn-xdelta3_toolchain-clang = " -Wno-error=reserved-user-defined-literal"
+
+#memcached.c:6280:2: error: embedding a directive within macro arguments has undefined behavior [-Werror,-Wembedded-directive]
+CPPFLAGS_append_pn-memcached_toolchain-clang = " -Wno-error=embedded-directive"
+
+#| /tmp/mcp2515-578c41.s: Assembler messages:
+#| /tmp/mcp2515-578c41.s:1525: Error: r13 not allowed here -- `sub.w sp,r1,#8'
+#| /tmp/mcp2515-578c41.s:1821: Error: r13 not allowed here -- `sub.w sp,r6,#8'
+#| clang-7: error: assembler command failed with exit code 1 (use -v to see invocation)
+TUNE_CCARGS_remove_pn-upm_toolchain-clang = "-no-integrated-as"
+TUNE_CCARGS_remove_pn-omxplayer_toolchain-clang = "-no-integrated-as"
+
+#| /usr/src/debug/ruby/2.5.1-r0/build/../ruby-2.5.1/process.c:7073: undefined reference to `__mulodi4'
+#| clang-7: error: linker command failed with exit code 1 (use -v to see invocation)
+LDFLAGS_append_pn-ruby_toolchain-clang = " -rtlib=compiler-rt"
+LDFLAGS_append_pn-m4_toolchain-clang = " -rtlib=compiler-rt"
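Review bot: Several `TOOLCHAIN_pn-* = "gcc"` entries (aspell, cpufrequtils, elfutils, grub, polkit, valgrind and others) carry no reason. The reasons that are given cite different compiler versions (clang++ 6.0, a clang/7.0.1 include path, clang-7), so it is hard to tell which exceptions still hold for the release pinned in clang.inc. A one-line comment per entry with the failing clang version and error, in the form already used for pixman and pseudo, would let them be retired later. README.md in this commit also points users at `conf/nonclangable.inc`, while the file added here and the `require` in layer.conf use `nonclangable.conf`.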
diff --git a/external/meta-clang/dynamic-layers/openembedded-layer/recipes-kernel/kernel-selftest/kernel-selftest.bbappend b/external/meta-clang/dynamic-layers/openembedded-layer/recipes-kernel/kernel-selftest/kernel-selftest.bbappend
new file mode 100644
index 00000000..53409624
--- /dev/null
+++ b/external/meta-clang/dynamic-layers/openembedded-layer/recipes-kernel/kernel-selftest/kernel-selftest.bbappend
@@ -0,0 +1 @@
+DEPENDS_append = " clang-native"
diff --git a/external/meta-clang/recipes-bsp/systemd-boot/systemd-boot_%.bbappend b/external/meta-clang/recipes-bsp/systemd-boot/systemd-boot_%.bbappend
new file mode 100644
index 00000000..d5e4bcc5
--- /dev/null
+++ b/external/meta-clang/recipes-bsp/systemd-boot/systemd-boot_%.bbappend
@@ -0,0 +1,4 @@
+do_configure_append_toolchain-clang() {
+ export EFI_CC="${CC}"
+ sed -i -e "s#O0#O#g" ${S}/src/boot/efi/meson.build
+}
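Review bot: The `sed` expression `s#O0#O#g` in `do_configure_append_toolchain-clang` rewrites every occurrence of `O0` in meson.build, not only the optimisation flag, so an unrelated identifier or path containing those characters would be altered silently. Matching the flag itself, `sed -i -e "s#-O0#-O#g" ${S}/src/boot/efi/meson.build`, narrows the edit. A short comment stating why the optimisation level has to change for clang would help whoever revisits this on the next systemd update.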
diff --git a/external/meta-clang/recipes-connectivity/openssh/openssh_%.bbappend b/external/meta-clang/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 00000000..88966e5d
--- /dev/null
+++ b/external/meta-clang/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,3 @@
+do_configure_prepend() {
+ sed -i -e '/-ftrapv/d' ${S}/configure.ac
+}
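Review bot: `do_configure_prepend` deletes every `-ftrapv` line from configure.ac for all toolchains, because the function carries no `toolchain-clang` override, unlike the systemd-boot append in this commit. `-ftrapv` makes signed-integer overflow trap, so gcc builds of openssh would lose that hardening probe as a side effect of adding this layer. Scope it as `do_configure_prepend_toolchain-clang() {` and add a comment naming the clang failure that motivates the removal.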
diff --git a/external/meta-clang/recipes-core/busybox/busybox_%.bbappend b/external/meta-clang/recipes-core/busybox/busybox_%.bbappend
new file mode 100644
index 00000000..d7b9ca1d
--- /dev/null
+++ b/external/meta-clang/recipes-core/busybox/busybox_%.bbappend
@@ -0,0 +1 @@
+ARM_INSTRUCTION_SET_toolchain-clang = "arm"
diff --git a/external/meta-clang/recipes-core/glib-2.0/glib-2.0_%.bbappend b/external/meta-clang/recipes-core/glib-2.0/glib-2.0_%.bbappend
new file mode 100644
index 00000000..4a0f94af
--- /dev/null
+++ b/external/meta-clang/recipes-core/glib-2.0/glib-2.0_%.bbappend
@@ -0,0 +1 @@
+CFLAGS_append_libc-musl = " -Wno-format-nonliteral"
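Review bot: `CFLAGS_append_libc-musl = " -Wno-format-nonliteral"` has no `toolchain-clang` override, so it also applies to gcc builds of glib on musl. That warning is the diagnostic for non-literal format strings, so it is worth disabling no more widely than needed. `CFLAGS_append_libc-musl_toolchain-clang = " -Wno-format-nonliteral"` keeps it to the clang case, assuming that is the configuration that fails. A comment quoting the error would document the reason.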
diff --git a/external/meta-clang/recipes-core/meta/meta-environment.bbappend b/external/meta-clang/recipes-core/meta/meta-environment.bbappend
new file mode 100644
index 00000000..734a9e65
--- /dev/null
+++ b/external/meta-clang/recipes-core/meta/meta-environment.bbappend
@@ -0,0 +1,16 @@
+export TARGET_CLANGCC_ARCH = "${TARGET_CC_ARCH}"
+TARGET_CLANGCC_ARCH_remove = "-mthumb-interwork"
+TARGET_CLANGCC_ARCH_remove = "-mmusl"
+TARGET_CLANGCC_ARCH_remove = "-muclibc"
+TARGET_CLANGCC_ARCH_remove = "-meb"
+TARGET_CLANGCC_ARCH_remove = "-mel"
+TARGET_CLANGCC_ARCH_append = "${@bb.utils.contains("TUNE_FEATURES", "bigendian", " -mbig-endian", " -mlittle-endian", d)}"
+TARGET_CLANGCC_ARCH_remove_powerpc = "-mhard-float"
+TARGET_CLANGCC_ARCH_remove_powerpc = "-mno-spe"
+
+create_sdk_files_append() {
+ script=${SDK_OUTPUT}/${SDKPATH}/environment-setup-${REAL_MULTIMACH_TARGET_SYS}
+ echo 'export CLANGCC="${TARGET_PREFIX}clang ${TARGET_CLANGCC_ARCH} --sysroot=$SDKTARGETSYSROOT"' >> $script
+ echo 'export CLANGCXX="${TARGET_PREFIX}clang++ ${TARGET_CLANGCC_ARCH} --sysroot=$SDKTARGETSYSROOT"' >> $script
+ echo 'export CLANGCPP="${TARGET_PREFIX}clang -E ${TARGET_CLANGCC_ARCH} --sysroot=$SDKTARGETSYSROOT"' >> $script
+}
diff --git a/external/meta-clang/recipes-core/musl/musl_%.bbappend b/external/meta-clang/recipes-core/musl/musl_%.bbappend
new file mode 100644
index 00000000..c8b9878e
--- /dev/null
+++ b/external/meta-clang/recipes-core/musl/musl_%.bbappend
@@ -0,0 +1 @@
+DEPENDS_append_toolchain-clang = " clang-cross-${TARGET_ARCH}"
diff --git a/external/meta-clang/recipes-core/ncurses/ncurses_%.bbappend b/external/meta-clang/recipes-core/ncurses/ncurses_%.bbappend
new file mode 100644
index 00000000..096d5bcb
--- /dev/null
+++ b/external/meta-clang/recipes-core/ncurses/ncurses_%.bbappend
@@ -0,0 +1 @@
+CACHED_CONFIGUREVARS_append_toolchain-clang = " cf_cv_prog_CC_c_o=yes cf_cv_prog_CXX_c_o=yes"
diff --git a/external/meta-clang/recipes-core/packagegroups/nativesdk-packagegroup-sdk-host.bbappend b/external/meta-clang/recipes-core/packagegroups/nativesdk-packagegroup-sdk-host.bbappend
new file mode 100644
index 00000000..a8e81aa5
--- /dev/null
+++ b/external/meta-clang/recipes-core/packagegroups/nativesdk-packagegroup-sdk-host.bbappend
@@ -0,0 +1,3 @@
+NATIVESDKCLANG ?= "nativesdk-clang"
+
+RDEPENDS_${PN} += "${NATIVESDKCLANG}"
diff --git a/external/meta-clang/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bbappend b/external/meta-clang/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bbappend
new file mode 100644
index 00000000..dd0f83c6
--- /dev/null
+++ b/external/meta-clang/recipes-core/packagegroups/packagegroup-core-standalone-sdk-target.bbappend
@@ -0,0 +1,6 @@
+RRECOMMENDS_${PN} += "\
+ libcxx-dev \
+ libcxx-staticdev \
+ compiler-rt-dev \
+ compiler-rt-staticdev \
+"
diff --git a/external/meta-clang/recipes-core/packagegroups/packagegroup-cross-canadian.bbappend b/external/meta-clang/recipes-core/packagegroups/packagegroup-cross-canadian.bbappend
new file mode 100644
index 00000000..2618d20d
--- /dev/null
+++ b/external/meta-clang/recipes-core/packagegroups/packagegroup-cross-canadian.bbappend
@@ -0,0 +1,5 @@
+CLANGCROSSCANADIAN ?= "clang-cross-canadian-${TRANSLATED_TARGET_ARCH}"
+CLANGCROSSCANADIAN_riscv64 = ""
+RDEPENDS_${PN} += "\
+ ${@all_multilib_tune_values(d, 'CLANGCROSSCANADIAN')} \
+"
diff --git a/external/meta-clang/recipes-devtools/clang/clang-cross-canadian_git.bb b/external/meta-clang/recipes-devtools/clang/clang-cross-canadian_git.bb
new file mode 100644
index 00000000..69a7e1fa
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang-cross-canadian_git.bb
@@ -0,0 +1,33 @@
+# Copyright (C) 2014 Khem Raj <raj.khem@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+DESCRIPTION = "Clang/LLVM based C/C++ compiler (cross-canadian for ${TARGET_ARCH} target)"
+HOMEPAGE = "http://clang.llvm.org/"
+LICENSE = "NCSA"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/NCSA;md5=1b5fdec70ee13ad8a91667f16c1959d7"
+SECTION = "devel"
+
+PN = "clang-cross-canadian-${TRANSLATED_TARGET_ARCH}"
+
+require clang.inc
+require common-source.inc
+inherit cross-canadian
+
+DEPENDS += "nativesdk-clang binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} virtual/${HOST_PREFIX}binutils-crosssdk virtual/nativesdk-libc"
+# We have to point gcc at a sysroot but we don't need to rebuild if this changes
+# e.g. we switch between different machines with different tunes.
+EXTRA_OECONF_PATHS[vardepsexclude] = "TUNE_PKGARCH"
+TARGET_ARCH[vardepsexclude] = "TUNE_ARCH"
+
+do_install() {
+ install -d ${D}${bindir}
+ for tool in clang clang++ llvm-profdata llvm-ar llvm-ranlib llvm-nm
+ do
+ ln -sf ../$tool ${D}${bindir}/${TARGET_PREFIX}$tool
+ done
+}
+SSTATE_SCAN_FILES += "*-clang *-clang++ *-llvm-profdata *-llvm-ar \
+ *-llvm-ranlib *-llvm-nm"
+do_install_append() {
+ cross_canadian_bindirlinks
+}
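Review bot: The `do_install` symlink loop and the matching `SSTATE_SCAN_FILES` list are repeated verbatim in clang-cross_git.bb and clang-crosssdk_git.bb later in this commit, so a tool added to one recipe can be missed in the others. Moving both into a shared include that the three recipes `require` would keep them in step. `ln -sf ../$tool` also creates each link without checking that the target exists, so a renamed or missing tool yields a dangling symlink that is only noticed when it is used. The comment "We have to point gcc at a sysroot" appears to be carried over from a gcc recipe and could name clang instead.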
diff --git a/external/meta-clang/recipes-devtools/clang/clang-cross_git.bb b/external/meta-clang/recipes-devtools/clang/clang-cross_git.bb
new file mode 100644
index 00000000..22f177f3
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang-cross_git.bb
@@ -0,0 +1,32 @@
+# Copyright (C) 2014 Khem Raj <raj.khem@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+DESCRIPTION = "Cross compiler wrappers for LLVM based C/C++ compiler"
+HOMEPAGE = "http://clang.llvm.org/"
+LICENSE = "NCSA"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/NCSA;md5=1b5fdec70ee13ad8a91667f16c1959d7"
+SECTION = "devel"
+
+PN = "clang-cross-${TARGET_ARCH}"
+
+require clang.inc
+require common-source.inc
+inherit cross
+DEPENDS += "clang-native binutils-cross-${TARGET_ARCH}"
+
+do_install() {
+ install -d ${D}${bindir}
+ for tool in clang clang++ llvm-profdata llvm-ar llvm-ranlib llvm-nm
+ do
+ ln -sf ../$tool ${D}${bindir}/${TARGET_PREFIX}$tool
+ done
+}
+
+SYSROOT_PREPROCESS_FUNCS += "clangcross_sysroot_preprocess"
+
+clangcross_sysroot_preprocess () {
+ sysroot_stage_dir ${D}${bindir} ${SYSROOT_DESTDIR}${bindir}
+}
+SSTATE_SCAN_FILES += "*-clang *-clang++ *-llvm-profdata *-llvm-ar \
+ *-llvm-ranlib *-llvm-nm"
+PACKAGES = ""
diff --git a/external/meta-clang/recipes-devtools/clang/clang-crosssdk_git.bb b/external/meta-clang/recipes-devtools/clang/clang-crosssdk_git.bb
new file mode 100644
index 00000000..ac1dd63a
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang-crosssdk_git.bb
@@ -0,0 +1,30 @@
+# Copyright (C) 2014 Khem Raj <raj.khem@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+DESCRIPTION = "SDK Cross compiler wrappers for LLVM based C/C++ compiler"
+HOMEPAGE = "http://clang.llvm.org/"
+LICENSE = "NCSA"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/NCSA;md5=1b5fdec70ee13ad8a91667f16c1959d7"
+SECTION = "devel"
+
+PN = "clang-crosssdk-${TARGET_ARCH}"
+
+require clang.inc
+require common-source.inc
+inherit crosssdk
+DEPENDS += "clang-native nativesdk-clang-glue virtual/${TARGET_PREFIX}binutils-crosssdk virtual/nativesdk-libc"
+
+do_install() {
+ install -d ${D}${bindir}
+ for tool in clang clang++ llvm-profdata llvm-ar llvm-ranlib llvm-nm
+ do
+ ln -sf ../$tool ${D}${bindir}/${TARGET_PREFIX}$tool
+ done
+}
+SSTATE_SCAN_FILES += "*-clang *-clang++ *-llvm-profdata *-llvm-ar \
+ *-llvm-ranlib *-llvm-nm"
+sysroot_stage_all () {
+ sysroot_stage_dir ${D}${bindir} ${SYSROOT_DESTDIR}${bindir}
+}
+
+PACKAGES = ""
diff --git a/external/meta-clang/recipes-devtools/clang/clang.inc b/external/meta-clang/recipes-devtools/clang/clang.inc
new file mode 100644
index 00000000..e8cf3f26
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang.inc
@@ -0,0 +1,21 @@
+LLVM_RELEASE = ""
+LLVM_DIR = "llvm${LLVM_RELEASE}"
+
+LLVM_GIT ?= "git://github.com/llvm"
+LLVM_GIT_PROTOCOL ?= "https"
+
+MAJOR_VER = "7"
+MINOR_VER = "1"
+PATCH_VER = "0"
+
+SRCREV ?= "4856a9330ee01d30e9e11b6c2f991662b4c04b07"
+
+PV = "${MAJOR_VER}.${MINOR_VER}.${PATCH_VER}"
+BRANCH = "release/${MAJOR_VER}.x"
+
+LLVMMD5SUM = "c520ed40e11887bb1d24d86f7f5b1f05"
+CLANGMD5SUM = "444af0e124949f07f791f12c928e5994"
+LLDMD5SUM = "f4941ace8ddb3d6cf177fff94966319a"
+LLDBMD5SUM = "b6320ed0b0d00ae661dd94f277bbf024"
+
+require common.inc
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0001-clang-driver-Use-lib-for-ldso-on-OE.patch b/external/meta-clang/recipes-devtools/clang/clang/0001-clang-driver-Use-lib-for-ldso-on-OE.patch
new file mode 100644
index 00000000..2b06da25
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0001-clang-driver-Use-lib-for-ldso-on-OE.patch
@@ -0,0 +1,56 @@
+From 06033c7fa2d575a9a68b377f5ce9324433c23806 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 21 May 2016 21:52:36 -0700
+Subject: [PATCH 1/8] clang: driver: Use /lib for ldso on OE
+
+OE does not follow the default base_libdir
+that clang has, therefore adjust it for OE
+it wont be able to support multilib since
+in multilib case OE switches the base libdir
+for 64bit to /lib64 instead of /lib
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/Driver/ToolChains/Linux.cpp | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/Driver/ToolChains/Linux.cpp b/lib/Driver/ToolChains/Linux.cpp
+index f8f3623918..e662b6b262 100644
+--- a/lib/Driver/ToolChains/Linux.cpp
++++ b/lib/Driver/ToolChains/Linux.cpp
+@@ -566,12 +566,12 @@ std::string Linux::getDynamicLinker(const ArgList &Args) const {
+ Loader = "ld.so.1";
+ break;
+ case llvm::Triple::ppc64:
+- LibDir = "lib64";
++ LibDir = "lib";
+ Loader =
+ (tools::ppc::hasPPCAbiArg(Args, "elfv2")) ? "ld64.so.2" : "ld64.so.1";
+ break;
+ case llvm::Triple::ppc64le:
+- LibDir = "lib64";
++ LibDir = "lib";
+ Loader =
+ (tools::ppc::hasPPCAbiArg(Args, "elfv1")) ? "ld64.so.1" : "ld64.so.2";
+ break;
+@@ -593,7 +593,7 @@ std::string Linux::getDynamicLinker(const ArgList &Args) const {
+ Loader = "ld-linux.so.2";
+ break;
+ case llvm::Triple::sparcv9:
+- LibDir = "lib64";
++ LibDir = "lib";
+ Loader = "ld-linux.so.2";
+ break;
+ case llvm::Triple::systemz:
+@@ -607,7 +607,7 @@ std::string Linux::getDynamicLinker(const ArgList &Args) const {
+ case llvm::Triple::x86_64: {
+ bool X32 = Triple.getEnvironment() == llvm::Triple::GNUX32;
+
+- LibDir = X32 ? "libx32" : "lib64";
++ LibDir = "lib";
+ Loader = X32 ? "ld-linux-x32.so.2" : "ld-linux-x86-64.so.2";
+ break;
+ }
+--
+2.18.0
+
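Review bot: The `x86_64` case now sets `LibDir = "lib"` for X32 too, while `Loader` still switches on `X32`, so the x32 and 64-bit loaders both resolve under `/lib`. Together with the ppc64, ppc64le and sparcv9 changes this applies to every build of the driver, not only when the target is OE. The description admits multilib stops working, but the code does not record it; a comment at the first changed case, e.g. `// OE: base_libdir is /lib for 64-bit targets; multilib (/lib64) is not supported with this patch`, would keep the reason next to the code. `getDynamicLinker` starts and ends outside these hunks. The patch header also lacks an `Upstream-Status:` line, which OE layers normally expect, and the same holds for the other patch files visible in this commit.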
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0001-compiler-rt-support-a-new-embedded-linux-target.patch b/external/meta-clang/recipes-devtools/clang/clang/0001-compiler-rt-support-a-new-embedded-linux-target.patch
new file mode 100644
index 00000000..8b0c9feb
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0001-compiler-rt-support-a-new-embedded-linux-target.patch
@@ -0,0 +1,326 @@
+From 8b0d5d19e8ebec9b6508b51701cb0c64069091cb Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 19 Apr 2015 15:16:23 -0700
+Subject: [PATCH 1/4] compiler-rt: support a new embedded linux target
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/builtins/int_util.c | 3 +-
+ make/platform/clang_linux_embedded.mk | 286 ++++++++++++++++++
+ .../clang_linux_embedded_test_input.c | 0
+ 3 files changed, 287 insertions(+), 2 deletions(-)
+ create mode 100644 make/platform/clang_linux_embedded.mk
+ create mode 100644 make/platform/clang_linux_embedded_test_input.c
+
+diff --git a/lib/builtins/int_util.c b/lib/builtins/int_util.c
+index de87410db..0d5b56fe1 100644
+--- a/lib/builtins/int_util.c
++++ b/lib/builtins/int_util.c
+@@ -58,8 +58,7 @@ void compilerrt_abort_impl(const char *file, int line, const char *function) {
+ #else
+
+ /* Get the system definition of abort() */
+-#include <stdlib.h>
+-
++extern void abort (void) __attribute__ ((__noreturn__));
+ #ifndef _WIN32
+ __attribute__((weak))
+ __attribute__((visibility("hidden")))
+diff --git a/make/platform/clang_linux_embedded.mk b/make/platform/clang_linux_embedded.mk
+new file mode 100644
+index 000000000..d0a890075
+--- /dev/null
++++ b/make/platform/clang_linux_embedded.mk
+@@ -0,0 +1,286 @@
++# These are the functions which clang needs when it is targeting a previous
++# version of the OS. The issue is that the backend may use functions which were
++# not present in the libgcc that shipped on the platform. In such cases, we link
++# with a version of the library which contains private_extern definitions of all
++# the extra functions which might be referenced.
++
++Description := Static runtime libraries for embedded clang/Linux
++
++# A function that ensures we don't try to build for architectures that we
++# don't have working toolchains for.
++CheckArches = \
++ $(shell \
++ result=""; \
++ for arch in $(1); do \
++ if $(CC) -arch $$arch -c \
++ -integrated-as \
++ $(ProjSrcRoot)/make/platform/clang_linux_embedded_test_input.c \
++ -o /dev/null > /dev/null 2> /dev/null; then \
++ result="$$result$$arch "; \
++ else \
++ printf 1>&2 \
++ "warning: clang_linux_embedded.mk: dropping arch '$$arch' from lib '$(2)'\n"; \
++ fi; \
++ done; \
++ echo $$result)
++
++XCRun = \
++ $(shell \
++ result=`xcrun -find $(1) 2> /dev/null`; \
++ if [ "$$?" != "0" ]; then result=$(1); fi; \
++ echo $$result)
++
++###
++
++CC := $(call XCRun,clang)
++AR := $(call XCRun,ar)
++RANLIB := $(call XCRun,ranlib)
++STRIP := $(call XCRun,strip)
++LIPO := $(call XCRun,lipo)
++DSYMUTIL := $(call XCRun,dsymutil)
++Configs :=
++UniversalArchs :=
++
++# Soft-float version of the runtime. No floating-point instructions will be used
++# and the ABI (out of necessity) passes floating values in normal registers:
++# non-VFP variant of the AAPCS.
++UniversalArchs.soft_static := $(call CheckArches,arm armv7m armv7em armv7,soft_static)
++Configs += $(if $(UniversalArchs.soft_static),soft_static)
++
++# Hard-float version of the runtime. On ARM VFP instructions and registers are
++# allowed, and floating point values get passed in them. VFP variant of the
++# AAPCS.
++UniversalArchs.hard_static := $(call CheckArches,armv7em armv7 i386 x86_64,hard_static)
++Configs += $(if $(UniversalArchs.hard_static),hard_static)
++
++UniversalArchs.soft_pic := $(call CheckArches,armv6m armv7m armv7em armv7,soft_pic)
++Configs += $(if $(UniversalArchs.soft_pic),soft_pic)
++
++UniversalArchs.hard_pic := $(call CheckArches,armv7em armv7 i386 x86_64,hard_pic)
++Configs += $(if $(UniversalArchs.hard_pic),hard_pic)
++
++CFLAGS := -Wall -Werror -Oz -fomit-frame-pointer -ffreestanding
++
++PIC_CFLAGS := -fPIC
++STATIC_CFLAGS := -static
++
++CFLAGS_SOFT := -mfloat-abi=soft
++CFLAGS_HARD := -mfloat-abi=hard
++
++CFLAGS_I386 := -march=pentium
++
++CFLAGS.soft_static := $(CFLAGS) $(STATIC_CFLAGS) $(CFLAGS_SOFT)
++CFLAGS.hard_static := $(CFLAGS) $(STATIC_CFLAGS) $(CFLAGS_HARD)
++CFLAGS.soft_pic := $(CFLAGS) $(PIC_CFLAGS) $(CFLAGS_SOFT)
++CFLAGS.hard_pic := $(CFLAGS) $(PIC_CFLAGS) $(CFLAGS_HARD)
++
++CFLAGS.soft_static.armv7 := $(CFLAGS.soft_static) $(CFLAGS_ARMV7)
++CFLAGS.hard_static.armv7 := $(CFLAGS.hard_static) $(CFLAGS_ARMV7)
++CFLAGS.soft_pic.armv7 := $(CFLAGS.soft_pic) $(CFLAGS_ARMV7)
++CFLAGS.hard_pic.armv7 := $(CFLAGS.hard_pic) $(CFLAGS_ARMV7)
++
++# x86 platforms ignore -mfloat-abi options and complain about doing so. Despite
++# this they're hard-float.
++CFLAGS.hard_static.i386 := $(CFLAGS) $(STATIC_CFLAGS) $(CFLAGS_I386)
++CFLAGS.hard_pic.i386 := $(CFLAGS) $(PIC_CFLAGS) $(CFLAGS_I386)
++CFLAGS.hard_static.x86_64 := $(CFLAGS) $(STATIC_CFLAGS)
++CFLAGS.hard_pic.x86_64 := $(CFLAGS) $(PIC_CFLAGS)
++
++# Functions not wanted:
++# + eprintf is obsolete anyway
++# + *vfp: designed for Thumb1 CPUs with VFPv2
++
++COMMON_FUNCTIONS := \
++ absvdi2 \
++ absvsi2 \
++ addvdi3 \
++ addvsi3 \
++ ashldi3 \
++ ashrdi3 \
++ bswapdi2 \
++ bswapsi2 \
++ clzdi2 \
++ clzsi2 \
++ cmpdi2 \
++ ctzdi2 \
++ ctzsi2 \
++ divdc3 \
++ divdi3 \
++ divsc3 \
++ divmodsi4 \
++ udivmodsi4 \
++ do_global_dtors \
++ ffsdi2 \
++ fixdfdi \
++ fixsfdi \
++ fixunsdfdi \
++ fixunsdfsi \
++ fixunssfdi \
++ fixunssfsi \
++ floatdidf \
++ floatdisf \
++ floatundidf \
++ floatundisf \
++ gcc_bcmp \
++ lshrdi3 \
++ moddi3 \
++ muldc3 \
++ muldi3 \
++ mulsc3 \
++ mulvdi3 \
++ mulvsi3 \
++ negdi2 \
++ negvdi2 \
++ negvsi2 \
++ paritydi2 \
++ paritysi2 \
++ popcountdi2 \
++ popcountsi2 \
++ powidf2 \
++ powisf2 \
++ subvdi3 \
++ subvsi3 \
++ ucmpdi2 \
++ udiv_w_sdiv \
++ udivdi3 \
++ udivmoddi4 \
++ umoddi3 \
++ adddf3 \
++ addsf3 \
++ cmpdf2 \
++ cmpsf2 \
++ div0 \
++ divdf3 \
++ divsf3 \
++ divsi3 \
++ extendsfdf2 \
++ ffssi2 \
++ fixdfsi \
++ fixsfsi \
++ floatsidf \
++ floatsisf \
++ floatunsidf \
++ floatunsisf \
++ comparedf2 \
++ comparesf2 \
++ modsi3 \
++ muldf3 \
++ mulsf3 \
++ negdf2 \
++ negsf2 \
++ subdf3 \
++ subsf3 \
++ truncdfsf2 \
++ udivsi3 \
++ umodsi3 \
++ unorddf2 \
++ unordsf2
++
++ARM_FUNCTIONS := \
++ aeabi_cdcmpeq \
++ aeabi_cdrcmple \
++ aeabi_cfcmpeq \
++ aeabi_cfrcmple \
++ aeabi_dcmpeq \
++ aeabi_dcmpge \
++ aeabi_dcmpgt \
++ aeabi_dcmple \
++ aeabi_dcmplt \
++ aeabi_drsub \
++ aeabi_fcmpeq \
++ aeabi_fcmpge \
++ aeabi_fcmpgt \
++ aeabi_fcmple \
++ aeabi_fcmplt \
++ aeabi_frsub \
++ aeabi_idivmod \
++ aeabi_uidivmod \
++
++# ARM Assembly implementation which requires Thumb2 (i.e. won't work on v6M).
++THUMB2_FUNCTIONS := \
++ switch16 \
++ switch32 \
++ switch8 \
++ switchu8 \
++ sync_fetch_and_add_4 \
++ sync_fetch_and_sub_4 \
++ sync_fetch_and_and_4 \
++ sync_fetch_and_or_4 \
++ sync_fetch_and_xor_4 \
++ sync_fetch_and_nand_4 \
++ sync_fetch_and_max_4 \
++ sync_fetch_and_umax_4 \
++ sync_fetch_and_min_4 \
++ sync_fetch_and_umin_4 \
++ sync_fetch_and_add_8 \
++ sync_fetch_and_sub_8 \
++ sync_fetch_and_and_8 \
++ sync_fetch_and_or_8 \
++ sync_fetch_and_xor_8 \
++ sync_fetch_and_nand_8 \
++ sync_fetch_and_max_8 \
++ sync_fetch_and_umax_8 \
++ sync_fetch_and_min_8 \
++ sync_fetch_and_umin_8
++
++I386_FUNCTIONS := \
++ i686.get_pc_thunk.eax \
++ i686.get_pc_thunk.ebp \
++ i686.get_pc_thunk.ebx \
++ i686.get_pc_thunk.ecx \
++ i686.get_pc_thunk.edi \
++ i686.get_pc_thunk.edx \
++ i686.get_pc_thunk.esi
++
++# FIXME: Currently, compiler-rt is missing implementations for a number of the
++# functions. Filter them out for now.
++MISSING_FUNCTIONS := \
++ cmpdf2 cmpsf2 div0 \
++ ffssi2 \
++ udiv_w_sdiv unorddf2 unordsf2 bswapdi2 \
++ bswapsi2 \
++ gcc_bcmp \
++ do_global_dtors \
++ i686.get_pc_thunk.eax i686.get_pc_thunk.ebp i686.get_pc_thunk.ebx \
++ i686.get_pc_thunk.ecx i686.get_pc_thunk.edi i686.get_pc_thunk.edx \
++ i686.get_pc_thunk.esi \
++ aeabi_cdcmpeq aeabi_cdrcmple aeabi_cfcmpeq aeabi_cfrcmple aeabi_dcmpeq \
++ aeabi_dcmpge aeabi_dcmpgt aeabi_dcmple aeabi_dcmplt aeabi_drsub \
++ aeabi_fcmpeq \ aeabi_fcmpge aeabi_fcmpgt aeabi_fcmple aeabi_fcmplt \
++ aeabi_frsub aeabi_idivmod aeabi_uidivmod
++
++FUNCTIONS_ARMV6M := $(COMMON_FUNCTIONS) $(ARM_FUNCTIONS)
++FUNCTIONS_ARM_ALL := $(COMMON_FUNCTIONS) $(ARM_FUNCTIONS) $(THUMB2_FUNCTIONS)
++FUNCTIONS_I386 := $(COMMON_FUNCTIONS) $(I386_FUNCTIONS)
++FUNCTIONS_X86_64 := $(COMMON_FUNCTIONS)
++
++FUNCTIONS_ARMV6M := \
++ $(filter-out $(MISSING_FUNCTIONS),$(FUNCTIONS_ARMV6M))
++FUNCTIONS_ARM_ALL := \
++ $(filter-out $(MISSING_FUNCTIONS),$(FUNCTIONS_ARM_ALL))
++FUNCTIONS_I386 := \
++ $(filter-out $(MISSING_FUNCTIONS),$(FUNCTIONS_I386))
++FUNCTIONS_X86_64 := \
++ $(filter-out $(MISSING_FUNCTIONS),$(FUNCTIONS_X86_64))
++
++FUNCTIONS.soft_static.armv6m := $(FUNCTIONS_ARMV6M)
++FUNCTIONS.soft_pic.armv6m := $(FUNCTIONS_ARMV6M)
++
++FUNCTIONS.soft_static.armv7m := $(FUNCTIONS_ARM_ALL)
++FUNCTIONS.soft_pic.armv7m := $(FUNCTIONS_ARM_ALL)
++
++FUNCTIONS.soft_static.armv7em := $(FUNCTIONS_ARM_ALL)
++FUNCTIONS.hard_static.armv7em := $(FUNCTIONS_ARM_ALL)
++FUNCTIONS.soft_pic.armv7em := $(FUNCTIONS_ARM_ALL)
++FUNCTIONS.hard_pic.armv7em := $(FUNCTIONS_ARM_ALL)
++
++FUNCTIONS.soft_static.armv7 := $(FUNCTIONS_ARM_ALL)
++FUNCTIONS.hard_static.armv7 := $(FUNCTIONS_ARM_ALL)
++FUNCTIONS.soft_pic.armv7 := $(FUNCTIONS_ARM_ALL)
++FUNCTIONS.hard_pic.armv7 := $(FUNCTIONS_ARM_ALL)
++
++FUNCTIONS.hard_static.i386 := $(FUNCTIONS_I386)
++FUNCTIONS.hard_pic.i386 := $(FUNCTIONS_I386)
++
++FUNCTIONS.hard_static.x86_64 := $(FUNCTIONS_X86_64)
++FUNCTIONS.hard_pic.x86_64 := $(FUNCTIONS_X86_64)
+diff --git a/make/platform/clang_linux_embedded_test_input.c b/make/platform/clang_linux_embedded_test_input.c
+new file mode 100644
+index 000000000..e69de29bb
+--
+2.20.1
+
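Review bot: `UniversalArchs.soft_static` is probed with `arm armv7m armv7em armv7`, but the table at the end defines `FUNCTIONS.soft_static.armv6m` and has no entry for `arm`. If `arm` passes `CheckArches` it has no function list in this file, and armv6m is never built for that config. The soft_pic line uses `armv6m`, which suggests the intended line is `UniversalArchs.soft_static := $(call CheckArches,armv6m armv7m armv7em armv7,soft_static)`. Two smaller things in the same file: `$(CFLAGS_ARMV7)` is referenced four times and never assigned here, and `MISSING_FUNCTIONS` has a stray mid-line backslash in `aeabi_fcmpeq \ aeabi_fcmpge`, which probably leaves a literal `\` word in the list.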
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0001-libcxxabi-Find-libunwind-headers-when-LIBCXXABI_LIBU.patch b/external/meta-clang/recipes-devtools/clang/clang/0001-libcxxabi-Find-libunwind-headers-when-LIBCXXABI_LIBU.patch
new file mode 100644
index 00000000..297b56d1
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0001-libcxxabi-Find-libunwind-headers-when-LIBCXXABI_LIBU.patch
@@ -0,0 +1,68 @@
+From a122717a9bc31e0ab44197e743aa466711c4bf79 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 27 Aug 2017 10:37:49 -0700
+Subject: [PATCH] libcxxabi: Find libunwind headers when
+ LIBCXXABI_LIBUNWIND_INCLUDES is set
+
+Currently, when LIBCXXABI_LIBUNWIND_INCLUDES is set via CMake arguments
+then it ends up not searching the specified dir and unwind.h is not found
+especially for ARM targets
+
+This patch makes the searching synthesized directories and then set
+LIBCXXABI_LIBUNWIND_INCLUDES if its there in environment
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ CMakeLists.txt | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index d6648ed..12c02f2 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -434,15 +434,10 @@ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${LIBCXXABI_C_FLAGS}")
+ # Setup Source Code
+ #===============================================================================
+
+-set(LIBCXXABI_LIBUNWIND_INCLUDES "${LIBCXXABI_LIBUNWIND_INCLUDES}" CACHE PATH
+- "Specify path to libunwind includes." FORCE)
+-set(LIBCXXABI_LIBUNWIND_PATH "${LIBCXXABI_LIBUNWIND_PATH}" CACHE PATH
+- "Specify path to libunwind source." FORCE)
+-
+ include_directories(include)
+ if (LIBCXXABI_USE_LLVM_UNWINDER OR LLVM_NATIVE_ARCH MATCHES ARM)
+ find_path(
+- LIBCXXABI_LIBUNWIND_INCLUDES_INTERNAL
++ LIBCXXABI_LIBUNWIND_INCLUDES
+ libunwind.h
+ PATHS ${LIBCXXABI_LIBUNWIND_INCLUDES}
+ ${LIBCXXABI_LIBUNWIND_PATH}/include
+@@ -454,15 +449,21 @@ if (LIBCXXABI_USE_LLVM_UNWINDER OR LLVM_NATIVE_ARCH MATCHES ARM)
+ NO_CMAKE_FIND_ROOT_PATH
+ )
+
+- if (LIBCXXABI_LIBUNWIND_INCLUDES_INTERNAL STREQUAL "LIBCXXABI_LIBUNWIND_INCLUDES_INTERNAL-NOTFOUND")
+- set(LIBCXXABI_LIBUNWIND_INCLUDES_INTERNAL "")
++ if (LIBCXXABI_LIBUNWIND_INCLUDES STREQUAL "LIBCXXABI_LIBUNWIND_INCLUDES-NOTFOUND")
++ set(LIBCXXABI_LIBUNWIND_INCLUDES "")
+ endif()
+
+- if (NOT LIBCXXABI_LIBUNWIND_INCLUDES_INTERNAL STREQUAL "")
+- include_directories("${LIBCXXABI_LIBUNWIND_INCLUDES_INTERNAL}")
++ if (NOT LIBCXXABI_LIBUNWIND_INCLUDES STREQUAL "")
++ include_directories("${LIBCXXABI_LIBUNWIND_INCLUDES}")
+ endif()
+ endif()
+
++set(LIBCXXABI_LIBUNWIND_INCLUDES "${LIBCXXABI_LIBUNWIND_INCLUDES}" CACHE PATH
++ "Specify path to libunwind includes." FORCE)
++set(LIBCXXABI_LIBUNWIND_PATH "${LIBCXXABI_LIBUNWIND_PATH}" CACHE PATH
++ "Specify path to libunwind source." FORCE)
++
++
+ # Add source code. This also contains all of the logic for deciding linker flags
+ # soname, etc...
+ add_subdirectory(src)
+--
+2.18.0
+
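Review bot: A user-supplied `LIBCXXABI_LIBUNWIND_INCLUDES` now reaches `include_directories` without any check that `libunwind.h` is actually in it. This follows from `find_path` writing into that variable itself: a value passed with `-D` is already a cache entry, and `find_path` does not search when its result variable is set. A check after the `find_path` call, `if (LIBCXXABI_LIBUNWIND_INCLUDES AND NOT EXISTS "${LIBCXXABI_LIBUNWIND_INCLUDES}/libunwind.h")` followed by a `message(WARNING ...)`, would make a wrong path visible at configure time instead of as a missing-header error later. The variable also still appears in its own `PATHS` list, which deserves a comment saying it is kept only as a search hint.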
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0001-lldb-Include-limits.h-for-PATH_MAX-definition.patch b/external/meta-clang/recipes-devtools/clang/clang/0001-lldb-Include-limits.h-for-PATH_MAX-definition.patch
new file mode 100644
index 00000000..1c42931f
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0001-lldb-Include-limits.h-for-PATH_MAX-definition.patch
@@ -0,0 +1,28 @@
+From ff8d7137ed4d62e9db6d31581822a2ce06d5cbc6 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 18 May 2017 23:12:34 -0700
+Subject: [PATCH 1/2] lldb: Include limits.h for PATH_MAX definition
+
+Helps compiling on musl targets
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ source/Utility/FileSpec.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source/Utility/FileSpec.cpp b/source/Utility/FileSpec.cpp
+index b6952f7e3..2cedf5d90 100644
+--- a/source/Utility/FileSpec.cpp
++++ b/source/Utility/FileSpec.cpp
+@@ -29,7 +29,7 @@
+ #include <assert.h> // for assert
+ #include <stdio.h> // for size_t, NULL, snpr...
+ #include <string.h> // for strcmp
+-
++#include <limits.h> // for PATH_MAX
+ using namespace lldb;
+ using namespace lldb_private;
+
+--
+2.20.1
+
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0001-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch b/external/meta-clang/recipes-devtools/clang/clang/0001-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch
new file mode 100644
index 00000000..de8da745
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0001-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch
@@ -0,0 +1,91 @@
+From fc9904be5d4ee1d1e92a1ff86b01218fbf91b12f Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 21 May 2016 00:33:20 +0000
+Subject: [PATCH 1/3] llvm: TargetLibraryInfo: Undefine libc functions if they
+ are macros
+
+musl defines some functions as macros and not inline functions
+if this is the case then make sure to undefine them
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ include/llvm/Analysis/TargetLibraryInfo.def | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/include/llvm/Analysis/TargetLibraryInfo.def b/include/llvm/Analysis/TargetLibraryInfo.def
+index f94debba9c5..e92dbc98c55 100644
+--- a/include/llvm/Analysis/TargetLibraryInfo.def
++++ b/include/llvm/Analysis/TargetLibraryInfo.def
+@@ -707,6 +707,9 @@ TLI_DEFINE_STRING_INTERNAL("fmodl")
+ TLI_DEFINE_ENUM_INTERNAL(fopen)
+ TLI_DEFINE_STRING_INTERNAL("fopen")
+ /// FILE *fopen64(const char *filename, const char *opentype)
++#ifdef fopen64
++#undef fopen64
++#endif
+ TLI_DEFINE_ENUM_INTERNAL(fopen64)
+ TLI_DEFINE_STRING_INTERNAL("fopen64")
+ /// int fprintf(FILE *stream, const char *format, ...);
+@@ -751,6 +754,9 @@ TLI_DEFINE_STRING_INTERNAL("fseek")
+ /// int fseeko(FILE *stream, off_t offset, int whence);
+ TLI_DEFINE_ENUM_INTERNAL(fseeko)
+ TLI_DEFINE_STRING_INTERNAL("fseeko")
++#ifdef fseeko64
++#undef fseeko64
++#endif
+ /// int fseeko64(FILE *stream, off64_t offset, int whence)
+ TLI_DEFINE_ENUM_INTERNAL(fseeko64)
+ TLI_DEFINE_STRING_INTERNAL("fseeko64")
+@@ -761,6 +767,9 @@ TLI_DEFINE_STRING_INTERNAL("fsetpos")
+ TLI_DEFINE_ENUM_INTERNAL(fstat)
+ TLI_DEFINE_STRING_INTERNAL("fstat")
+ /// int fstat64(int filedes, struct stat64 *buf)
++#ifdef fstat64
++#undef fstat64
++#endif
+ TLI_DEFINE_ENUM_INTERNAL(fstat64)
+ TLI_DEFINE_STRING_INTERNAL("fstat64")
+ /// int fstatvfs(int fildes, struct statvfs *buf);
+@@ -776,6 +785,9 @@ TLI_DEFINE_STRING_INTERNAL("ftell")
+ TLI_DEFINE_ENUM_INTERNAL(ftello)
+ TLI_DEFINE_STRING_INTERNAL("ftello")
+ /// off64_t ftello64(FILE *stream)
++#ifdef ftello64
++#undef ftello64
++#endif
+ TLI_DEFINE_ENUM_INTERNAL(ftello64)
+ TLI_DEFINE_STRING_INTERNAL("ftello64")
+ /// int ftrylockfile(FILE *file);
+@@ -902,6 +914,9 @@ TLI_DEFINE_STRING_INTERNAL("logl")
+ TLI_DEFINE_ENUM_INTERNAL(lstat)
+ TLI_DEFINE_STRING_INTERNAL("lstat")
+ /// int lstat64(const char *path, struct stat64 *buf);
++#ifdef lstat64
++#undef lstat64
++#endif
+ TLI_DEFINE_ENUM_INTERNAL(lstat64)
+ TLI_DEFINE_STRING_INTERNAL("lstat64")
+ /// void *malloc(size_t size);
+@@ -1127,6 +1142,9 @@ TLI_DEFINE_STRING_INTERNAL("sscanf")
+ TLI_DEFINE_ENUM_INTERNAL(stat)
+ TLI_DEFINE_STRING_INTERNAL("stat")
+ /// int stat64(const char *path, struct stat64 *buf);
++#ifdef stat64
++#undef stat64
++#endif
+ TLI_DEFINE_ENUM_INTERNAL(stat64)
+ TLI_DEFINE_STRING_INTERNAL("stat64")
+ /// int statvfs(const char *path, struct statvfs *buf);
+@@ -1256,6 +1274,9 @@ TLI_DEFINE_STRING_INTERNAL("times")
+ TLI_DEFINE_ENUM_INTERNAL(tmpfile)
+ TLI_DEFINE_STRING_INTERNAL("tmpfile")
+ /// FILE *tmpfile64(void)
++#ifdef tmpfile64
++#undef tmpfile64
++#endif
+ TLI_DEFINE_ENUM_INTERNAL(tmpfile64)
+ TLI_DEFINE_STRING_INTERNAL("tmpfile64")
+ /// int toascii(int c);
+--
+2.18.0
+
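Review bot: Only seven of the `*64` names get an `#undef` here, while the TargetLibraryInfo.cpp patch in this same commit also groups `fstatvfs64`, `open64` and `statvfs64` with them. If musl defines those three as macros too, their `TLI_DEFINE_ENUM_INTERNAL` lines would still be rewritten by the preprocessor, so it is worth checking the musl headers and adding the same guard. The `fseeko64` guard sits above the `///` prototype comment whereas the other six sit below it. Since `#undef` of an undefined name is allowed, each guard can shrink to a single line such as `#undef fopen64`, and a one-line comment saying the undefs exist for musl would explain them to the next reader.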
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0002-clang-Driver-tools.cpp-Add-lssp_nonshared-on-musl.patch b/external/meta-clang/recipes-devtools/clang/clang/0002-clang-Driver-tools.cpp-Add-lssp_nonshared-on-musl.patch
new file mode 100644
index 00000000..f73b1c0f
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0002-clang-Driver-tools.cpp-Add-lssp_nonshared-on-musl.patch
@@ -0,0 +1,34 @@
+From fc628b03a5ac41a446fd2dfea0ecbe03331e54d8 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 19 May 2016 21:11:06 -0700
+Subject: [PATCH 2/8] clang: Driver/tools.cpp: Add -lssp_nonshared on musl
+
+musl driver will need to add ssp_nonshared for stack_check_local
+on the linker cmdline when using stack protector commands on
+compiler cmdline
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/Driver/ToolChains/Gnu.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/Driver/ToolChains/Gnu.cpp b/lib/Driver/ToolChains/Gnu.cpp
+index 3755673250..766c650b3c 100644
+--- a/lib/Driver/ToolChains/Gnu.cpp
++++ b/lib/Driver/ToolChains/Gnu.cpp
+@@ -503,6 +503,12 @@ void tools::gnutools::Linker::ConstructJob(Compilation &C, const JobAction &JA,
+ if (IsIAMCU)
+ CmdArgs.push_back("-lgloss");
+
++ if (ToolChain.getTriple().isMusl() &&
++ (Args.hasArg(options::OPT_fstack_protector) ||
++ Args.hasArg(options::OPT_fstack_protector_strong) ||
++ Args.hasArg(options::OPT_fstack_protector_all))) {
++ CmdArgs.push_back("-lssp_nonshared");
++ }
+ if (Args.hasArg(options::OPT_static))
+ CmdArgs.push_back("--end-group");
+ else
+--
+2.18.0
+
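Review bot: The added condition uses `Args.hasArg`, which is true if the flag appears anywhere on the command line, so `-fstack-protector` followed by `-fno-stack-protector` still adds `-lssp_nonshared`. In the other direction, a configuration where the protector is enabled by default without an explicit flag gets no library at all; if that can occur for this toolchain it should show up as an unresolved `__stack_chk_fail_local` at link time, which is worth confirming. Resolving the last flag with `getLastArg`, as sketched below, handles the first case. `ConstructJob` starts and ends outside the hunk, so whether this code sits inside the `-nostdlib` guard cannot be seen here.

```cpp
// … unchanged: -lgloss handling above …
if (ToolChain.getTriple().isMusl()) {
  // Last flag wins, so a trailing -fno-stack-protector suppresses the library.
  const Arg *SSP = Args.getLastArg(options::OPT_fno_stack_protector,
                                   options::OPT_fstack_protector,
                                   options::OPT_fstack_protector_strong,
                                   options::OPT_fstack_protector_all);
  if (SSP && !SSP->getOption().matches(options::OPT_fno_stack_protector))
    CmdArgs.push_back("-lssp_nonshared");
}
```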
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0002-compiler-rt-Simplify-cross-compilation.-Don-t-use-na.patch b/external/meta-clang/recipes-devtools/clang/clang/0002-compiler-rt-Simplify-cross-compilation.-Don-t-use-na.patch
new file mode 100644
index 00000000..2ff903b1
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0002-compiler-rt-Simplify-cross-compilation.-Don-t-use-na.patch
@@ -0,0 +1,46 @@
+From 5ee148af76169aa327bfa0bfc1c2618a68e873fb Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 19 May 2016 23:11:45 -0700
+Subject: [PATCH 2/4] compiler-rt: Simplify cross-compilation. Don't use
+ native-compiled llvm-config.
+
+ Note: AddLLVM.cmake does not expose the LLVM source directory.
+ So if you want to run the test suite, you need to either:
+
+ 1) set LLVM_MAIN_SRC_DIR explicitly (to find lit.py)
+ 2) change AddLLVM.cmake to point to an installed 'lit'.
+ 3) add_subdirectory(compiler-rt/test) from clang instead of compiler-rt.
+
+https://us.codeaurora.org/patches/quic/llvm/50683/compiler-rt-cross-compilation.patch
+
+Signed-off-by: Greg Fitzgerald <gregf@codeaurora.org>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ CMakeLists.txt | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 86ca2b3ef..07d894c8a 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -63,7 +63,16 @@ set(COMPILER_RT_BAREMETAL_BUILD OFF CACHE BOOLEAN
+ "Build for a bare-metal target.")
+
+ if (COMPILER_RT_STANDALONE_BUILD)
+- load_llvm_config()
++ find_package(LLVM REQUIRED)
++ list(APPEND CMAKE_MODULE_PATH "${LLVM_CMAKE_DIR}")
++
++ # Variables that AddLLVM.cmake depends on (included by AddCompilerRT)
++ set(LLVM_TOOLS_BINARY_DIR "${LLVM_INSTALL_PREFIX}/bin")
++ set(LLVM_LIBRARY_DIR "${LLVM_INSTALL_PREFIX}/lib")
++
++ set(LLVM_LIBRARY_OUTPUT_INTDIR
++ ${CMAKE_BINARY_DIR}/${CMAKE_CFG_INTDIR}/lib${LLVM_LIBDIR_SUFFIX})
++
+ if (TARGET intrinsics_gen)
+ # Loading the llvm config causes this target to be imported so place it
+ # under the appropriate folder in an IDE.
+--
+2.20.1
+
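Review bot: `find_package(LLVM REQUIRED)` accepts whichever LLVM package CMake finds first, which in a cross build can be a host installation rather than the one in the target sysroot. `LLVM_TOOLS_BINARY_DIR` and `LLVM_LIBRARY_DIR` are then derived from that prefix. Writing `find_package(LLVM REQUIRED CONFIG)` and adding a comment that the recipe must pass `LLVM_DIR` would make the origin of the tools explicit. A `message(STATUS "Using LLVM from ${LLVM_INSTALL_PREFIX}")` after the call would also put the chosen prefix in the build log.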
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0002-lldb-Add-lxml2-to-linker-cmdline-of-xml-is-found.patch b/external/meta-clang/recipes-devtools/clang/clang/0002-lldb-Add-lxml2-to-linker-cmdline-of-xml-is-found.patch
new file mode 100644
index 00000000..c331e7a7
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0002-lldb-Add-lxml2-to-linker-cmdline-of-xml-is-found.patch
@@ -0,0 +1,40 @@
+From fa140ec90e72da40d49301e674c84854fdac804b Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 22 May 2017 17:36:16 -0700
+Subject: [PATCH 2/2] lldb: Add -lxml2 to linker cmdline of xml is found
+
+When cross compiling for systems where static libs
+for libxml are not available cmake's detection mechanism
+resort to linking with libxml.so but doesnt use -lxml2
+liblldbHost.a however requires libxml on linker
+cmdline _after_ itself so its use of symbols from libxml2
+can be resolved. Here check for libxml2 being detected and
+add it if its found.
+
+Fixes
+
+| ../../../../lib/liblldbHost.a(XML.cpp.o): In function `lldb_private::XMLDocument::Clear()':
+| /usr/src/debug/lldb/5.0.0+gitAUTOINC+69edad7913_08d6b47db9_cf6c5b3386-r0/git/tools/lldb/source/Host/common/XML.cpp:29: undefined reference to `xmlFreeDoc'
+| /usr/src/debug/lldb/5.0.0+gitAUTOINC+69edad7913_08d6b47db9_cf6c5b3386-r0/git/tools/lldb/source/Host/common/XML.cpp:29: undefined reference to `xmlFreeDoc'
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ source/Host/CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source/Host/CMakeLists.txt b/source/Host/CMakeLists.txt
+index 5a92447ed..22ce6eee4 100644
+--- a/source/Host/CMakeLists.txt
++++ b/source/Host/CMakeLists.txt
+@@ -149,7 +149,7 @@ if (APPLE)
+ list(APPEND EXTRA_LIBS xml2)
+ else ()
+ if (LIBXML2_FOUND)
+- list(APPEND EXTRA_LIBS ${LIBXML2_LIBRARIES})
++ list(APPEND EXTRA_LIBS xml2)
+ endif()
+ endif ()
+ if (HAVE_LIBDL)
+--
+2.20.1
+
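Review bot: Replacing `${LIBXML2_LIBRARIES}` with the bare name `xml2` drops the path that the `LIBXML2_FOUND` detection produced, so the linker takes the first `libxml2` on its search path, which need not be the one whose headers were found. The description says the aim is link order, but the code does not record that. A comment above the line, e.g. `# OE: bare name so -lxml2 follows liblldbHost.a on the link line; relies on the sysroot search path`, would make the dependency on the search path explicit.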
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0002-llvm-allow-env-override-of-exe-path.patch b/external/meta-clang/recipes-devtools/clang/clang/0002-llvm-allow-env-override-of-exe-path.patch
new file mode 100644
index 00000000..fa49e677
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0002-llvm-allow-env-override-of-exe-path.patch
@@ -0,0 +1,37 @@
+From c65c0af4a5721e3c0dfcc56c15ef3310a54e0008 Mon Sep 17 00:00:00 2001
+From: Martin Kelly <mkelly@xevo.com>
+Date: Fri, 19 May 2017 00:22:57 -0700
+Subject: [PATCH 2/3] llvm: allow env override of exe path
+
+When using a native llvm-config from inside a sysroot, we need llvm-config to
+return the libraries, include directories, etc. from inside the sysroot rather
+than from the native sysroot. Thus provide an env override for calling
+llvm-config from a target sysroot.
+
+Signed-off-by: Martin Kelly <mkelly@xevo.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ tools/llvm-config/llvm-config.cpp | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/llvm-config/llvm-config.cpp b/tools/llvm-config/llvm-config.cpp
+index 892adc3b9dd..38f190ecbd1 100644
+--- a/tools/llvm-config/llvm-config.cpp
++++ b/tools/llvm-config/llvm-config.cpp
+@@ -226,6 +226,13 @@ Typical components:\n\
+
+ /// Compute the path to the main executable.
+ std::string GetExecutablePath(const char *Argv0) {
++ // Hack for Yocto: we need to override the root path when we are using
++ // llvm-config from within a target sysroot.
++ const char *Sysroot = std::getenv("YOCTO_ALTERNATE_EXE_PATH");
++ if (Sysroot != nullptr) {
++ return Sysroot;
++ }
++
+ // This just needs to be some symbol in the binary; C++ doesn't
+ // allow taking the address of ::main however.
+ void *P = (void *)(intptr_t)GetExecutablePath;
+--
+2.18.0
+
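Review bot: `GetExecutablePath` now returns `YOCTO_ALTERNATE_EXE_PATH` verbatim whenever it is set, including when it is empty, so every path llvm-config reports follows whatever the calling environment contains. Guarding with `if (Sysroot != nullptr && *Sysroot != '\0')` avoids the empty case. The local is named `Sysroot` although it holds an executable path, so `ExePathOverride` would read better, and the comment should say the variable is meant to be set only by the build system. The hunk does not show the include list, so confirm `<cstdlib>` is included for `std::getenv`.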
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0003-clang-musl-ppc-does-not-support-128-bit-long-double.patch b/external/meta-clang/recipes-devtools/clang/clang/0003-clang-musl-ppc-does-not-support-128-bit-long-double.patch
new file mode 100644
index 00000000..868fc3b6
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0003-clang-musl-ppc-does-not-support-128-bit-long-double.patch
@@ -0,0 +1,27 @@
+From 48fa180df65f7ee63a85dd69fd2c1382609c5e95 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 10 May 2016 02:00:11 -0700
+Subject: [PATCH 3/8] clang: musl/ppc does not support 128-bit long double
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/Basic/Targets/PPC.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Basic/Targets/PPC.h b/lib/Basic/Targets/PPC.h
+index 439c73a0e3..8da698ee21 100644
+--- a/lib/Basic/Targets/PPC.h
++++ b/lib/Basic/Targets/PPC.h
+@@ -328,7 +328,8 @@ public:
+ break;
+ }
+
+- if (getTriple().getOS() == llvm::Triple::FreeBSD) {
++ if (getTriple().getOS() == llvm::Triple::FreeBSD
++ || getTriple().isMusl()) {
+ LongDoubleWidth = LongDoubleAlign = 64;
+ LongDoubleFormat = &llvm::APFloat::IEEEdouble();
+ }
+--
+2.18.0
+
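Review bot: The new `isMusl()` clause has no comment and the patch description is empty, so the reason for changing the `long double` ABI exists only in the subject line. A comment above the condition, such as `// musl on PowerPC uses 64-bit IEEE double for long double, as FreeBSD does`, would carry it into the code. The enclosing class and method begin outside the hunk, so which PPC targets this covers cannot be confirmed from here.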
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0003-compiler-rt-Disable-tsan-on-OE-glibc.patch b/external/meta-clang/recipes-devtools/clang/clang/0003-compiler-rt-Disable-tsan-on-OE-glibc.patch
new file mode 100644
index 00000000..8f45c2b8
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0003-compiler-rt-Disable-tsan-on-OE-glibc.patch
@@ -0,0 +1,42 @@
+From c7d41a6e4dd61733530d2f44c377b91e13004b71 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 18 Jul 2016 08:05:02 +0000
+Subject: [PATCH 3/4] compiler-rt: Disable tsan on OE/glibc
+
+It does not build see
+http://lists.llvm.org/pipermail/llvm-dev/2016-July/102235.html
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ cmake/config-ix.cmake | 2 +-
+ test/sanitizer_common/CMakeLists.txt | 1 -
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/cmake/config-ix.cmake b/cmake/config-ix.cmake
+index f3935ffd6..2c651b756 100644
+--- a/cmake/config-ix.cmake
++++ b/cmake/config-ix.cmake
+@@ -564,7 +564,7 @@ else()
+ endif()
+
+ if (COMPILER_RT_HAS_SANITIZER_COMMON AND TSAN_SUPPORTED_ARCH AND
+- OS_NAME MATCHES "Darwin|Linux|FreeBSD|Android|NetBSD")
++ OS_NAME MATCHES "Darwin|FreeBSD|Android|NetBSD")
+ set(COMPILER_RT_HAS_TSAN TRUE)
+ else()
+ set(COMPILER_RT_HAS_TSAN FALSE)
+diff --git a/test/sanitizer_common/CMakeLists.txt b/test/sanitizer_common/CMakeLists.txt
+index 4e2c80390..990315f11 100644
+--- a/test/sanitizer_common/CMakeLists.txt
++++ b/test/sanitizer_common/CMakeLists.txt
+@@ -8,7 +8,6 @@ if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux|FreeBSD|NetBSD|SunOS")
+ list(APPEND SUPPORTED_TOOLS asan)
+ endif()
+ if(CMAKE_SYSTEM_NAME MATCHES "NetBSD" OR (CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT ANDROID))
+- list(APPEND SUPPORTED_TOOLS tsan)
+ list(APPEND SUPPORTED_TOOLS msan)
+ list(APPEND SUPPORTED_TOOLS ubsan)
+ endif()
+--
+2.20.1
+
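Review bot: Dropping `Linux` from the `OS_NAME MATCHES` list in `config-ix.cmake` sets `COMPILER_RT_HAS_TSAN` to FALSE for every Linux target, which is broader than the "OE/glibc" in the subject. The second hunk removes tsan from the sanitizer_common test tools in the same way. Neither edit leaves a trace in the CMake files, so a later reader sees only that ThreadSanitizer is missing. A comment at both places, e.g. `# OE: tsan disabled on Linux, see http://lists.llvm.org/pipermail/llvm-dev/2016-July/102235.html`, would record why. Since the cited build failure dates from 2016, it is worth re-checking whether it still applies to the release this layer pins.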
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0003-llvm-Disable-calls-to-_finite-and-other-glibc-only-f.patch b/external/meta-clang/recipes-devtools/clang/clang/0003-llvm-Disable-calls-to-_finite-and-other-glibc-only-f.patch
new file mode 100644
index 00000000..9f665e36
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0003-llvm-Disable-calls-to-_finite-and-other-glibc-only-f.patch
@@ -0,0 +1,65 @@
+From cb1b6f021d2ce82d7d0084758b7efaa3917640f5 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 26 Aug 2018 22:43:19 -0700
+Subject: [PATCH 3/3] llvm: Disable calls to *_finite and other glibc-only
+ functions on Musl.
+
+glibc's finite lib calls are generated when possible.
+However, they are not supported on Musl/linux. This change also
+disables other functions not available on Musl.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/Analysis/TargetLibraryInfo.cpp | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/lib/Analysis/TargetLibraryInfo.cpp b/lib/Analysis/TargetLibraryInfo.cpp
+index 102135fbf31..5bc4d2b47f5 100644
+--- a/lib/Analysis/TargetLibraryInfo.cpp
++++ b/lib/Analysis/TargetLibraryInfo.cpp
+@@ -415,27 +415,28 @@ static void initialize(TargetLibraryInfoImpl &TLI, const Triple &T,
+
+ // The following functions are available on Linux,
+ // but Android uses bionic instead of glibc.
+- if (!T.isOSLinux() || T.isAndroid()) {
++ if (!T.isOSLinux() || T.isAndroid() || T.isMusl()) {
+ TLI.setUnavailable(LibFunc_dunder_strdup);
+ TLI.setUnavailable(LibFunc_dunder_strtok_r);
+ TLI.setUnavailable(LibFunc_dunder_isoc99_scanf);
+ TLI.setUnavailable(LibFunc_dunder_isoc99_sscanf);
+ TLI.setUnavailable(LibFunc_under_IO_getc);
+ TLI.setUnavailable(LibFunc_under_IO_putc);
+- // But, Android has memalign.
+- if (!T.isAndroid())
++ // But, Android/Musl has memalign.
++ if (!T.isAndroid() || !T.isMusl() )
+ TLI.setUnavailable(LibFunc_memalign);
+- TLI.setUnavailable(LibFunc_fopen64);
+- TLI.setUnavailable(LibFunc_fseeko64);
+- TLI.setUnavailable(LibFunc_fstat64);
+- TLI.setUnavailable(LibFunc_fstatvfs64);
+- TLI.setUnavailable(LibFunc_ftello64);
+- TLI.setUnavailable(LibFunc_lstat64);
+- TLI.setUnavailable(LibFunc_open64);
+- TLI.setUnavailable(LibFunc_stat64);
+- TLI.setUnavailable(LibFunc_statvfs64);
+- TLI.setUnavailable(LibFunc_tmpfile64);
+-
++ if (!T.isMusl()) {
++ TLI.setUnavailable(LibFunc_fopen64);
++ TLI.setUnavailable(LibFunc_fseeko64);
++ TLI.setUnavailable(LibFunc_fstat64);
++ TLI.setUnavailable(LibFunc_fstatvfs64);
++ TLI.setUnavailable(LibFunc_ftello64);
++ TLI.setUnavailable(LibFunc_lstat64);
++ TLI.setUnavailable(LibFunc_open64);
++ TLI.setUnavailable(LibFunc_stat64);
++ TLI.setUnavailable(LibFunc_statvfs64);
++ TLI.setUnavailable(LibFunc_tmpfile64);
++ }
+ // Relaxed math functions are included in math-finite.h on Linux (GLIBC).
+ TLI.setUnavailable(LibFunc_acos_finite);
+ TLI.setUnavailable(LibFunc_acosf_finite);
+--
+2.18.0
+
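Review bot: The new guard `if (!T.isAndroid() || !T.isMusl() )` is true for every triple, since a target cannot have both the Android and a musl environment, so `LibFunc_memalign` is now marked unavailable on Android and on musl as well, contradicting the comment directly above it. The condition should be `if (!T.isAndroid() && !T.isMusl())`. The nested `if (!T.isMusl())` around the `*64` functions also needs a one-line comment explaining why musl keeps them (presumably because musl exposes the LFS64 names), as the commit message only speaks of disabling functions. `initialize()` starts and ends outside the hunk.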
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0004-clang-Prepend-trailing-to-sysroot.patch b/external/meta-clang/recipes-devtools/clang/clang/0004-clang-Prepend-trailing-to-sysroot.patch
new file mode 100644
index 00000000..03c6babf
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0004-clang-Prepend-trailing-to-sysroot.patch
@@ -0,0 +1,41 @@
+From 4764d8f8b613631de2e3c9a3614427d07c599017 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 16 Mar 2017 09:02:13 -0700
+Subject: [PATCH 4/8] clang: Prepend trailing '/' to sysroot
+
+This is needed to handle a case where clang
+isntall and target sysroot are perilously same
+
+e.g.
+
+sysroot = /mnt/clang/recipe-sysroot
+clang install = /mnt/clang/recipe-sysroot-native
+
+in this case it will mistakenly assume that
+clang is installed under the same sysroot dir
+and it will try to add relative ../lib paths
+to linker steps which would then be wrong
+since they will become relative to clang
+installation and not sysroot
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/Driver/ToolChains/Linux.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Driver/ToolChains/Linux.cpp b/lib/Driver/ToolChains/Linux.cpp
+index e662b6b262..5bca972cc2 100644
+--- a/lib/Driver/ToolChains/Linux.cpp
++++ b/lib/Driver/ToolChains/Linux.cpp
+@@ -211,7 +211,7 @@ Linux::Linux(const Driver &D, const llvm::Triple &Triple, const ArgList &Args)
+ GCCInstallation.init(Triple, Args);
+ Multilibs = GCCInstallation.getMultilibs();
+ llvm::Triple::ArchType Arch = Triple.getArch();
+- std::string SysRoot = computeSysRoot();
++ std::string SysRoot = computeSysRoot() + "/";
+
+ // Cross-compiling binutils and GCC installations (vanilla and openSUSE at
+ // least) put various tools in a triple-prefixed directory off of the parent
+--
+2.18.0
+
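Review bot: `computeSysRoot() + "/"` also turns an empty sysroot into `"/"`, so a build run without a sysroot (stock clang can return an empty string here) would treat the filesystem root as its sysroot in later `SysRoot` comparisons and concatenations. Appending only when needed keeps that case intact: `std::string SysRoot = computeSysRoot();` followed by `if (!SysRoot.empty() && SysRoot.back() != '/') SysRoot += "/";`. A short comment naming the `recipe-sysroot` / `recipe-sysroot-native` prefix collision from the commit message would explain the slash to the next reader. The constructor body continues outside the hunk, so the affected uses are not visible here.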
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0004-compiler-rt-cmake-mips-Do-not-specify-target-with-OE.patch b/external/meta-clang/recipes-devtools/clang/clang/0004-compiler-rt-cmake-mips-Do-not-specify-target-with-OE.patch
new file mode 100644
index 00000000..0356e2a6
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0004-compiler-rt-cmake-mips-Do-not-specify-target-with-OE.patch
@@ -0,0 +1,44 @@
+From b29deaeb42a8f56bb5dd72b5a8c3e2c755a6bb9e Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 11 Feb 2017 17:54:33 +0000
+Subject: [PATCH 4/4] compiler-rt: cmake/mips: Do not specify --target with OE
+
+OE already specifies cross compiler correctly, adding this additional
+--target confuses the clang driver and it resorts to invoke host assembler
+when using -no-integrated-as
+
+Fixes errors e.g.
+| Assembler messages:
+|
+| Fatal error: invalid -march= option: `mips32r2'
+|
+| clang-4.0: error: assembler command failed with exit code 1
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ cmake/base-config-ix.cmake | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/cmake/base-config-ix.cmake b/cmake/base-config-ix.cmake
+index 91fe2494b..789b80628 100644
+--- a/cmake/base-config-ix.cmake
++++ b/cmake/base-config-ix.cmake
+@@ -191,11 +191,11 @@ macro(test_targets)
+ # clang's default CPU's. In the 64-bit case, we must also specify the ABI
+ # since the default ABI differs between gcc and clang.
+ # FIXME: Ideally, we would build the N32 library too.
+- test_target_arch(mipsel "" "-mips32r2" "--target=mipsel-linux-gnu")
+- test_target_arch(mips64el "" "-mips64r2" "--target=mips64el-linux-gnu" "-mabi=64")
++ test_target_arch(mipsel "" "-mips32r2")
++ test_target_arch(mips64el "" "-mips64r2" "-mabi=64")
+ elseif("${COMPILER_RT_DEFAULT_TARGET_ARCH}" MATCHES "mips")
+- test_target_arch(mips "" "-mips32r2" "--target=mips-linux-gnu")
+- test_target_arch(mips64 "" "-mips64r2" "--target=mips64-linux-gnu" "-mabi=64")
++ test_target_arch(mips "" "-mips32r2")
++ test_target_arch(mips64 "" "-mips64r2" "-mabi=64")
+ elseif("${COMPILER_RT_DEFAULT_TARGET_ARCH}" MATCHES "arm")
+ if(WIN32)
+ test_target_arch(arm "" "" "")
+--
+2.20.1
+
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0005-clang-Look-inside-the-target-sysroot-for-compiler-ru.patch b/external/meta-clang/recipes-devtools/clang/clang/0005-clang-Look-inside-the-target-sysroot-for-compiler-ru.patch
new file mode 100644
index 00000000..8425f8d8
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0005-clang-Look-inside-the-target-sysroot-for-compiler-ru.patch
@@ -0,0 +1,44 @@
+From e02d9f3e1c724a4161709952a3ef59f81432fc06 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 16 Mar 2017 19:06:26 -0700
+Subject: [PATCH 5/8] clang: Look inside the target sysroot for compiler
+ runtime
+
+In OE compiler-rt and libc++ are built and staged into target
+sysroot and not into resourcedir which is relative to clang
+driver installation where the libraries are not instlled
+
+Specific to cross compiling the way yocto/OE works
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/Driver/ToolChain.cpp | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Driver/ToolChain.cpp b/lib/Driver/ToolChain.cpp
+index cf3db34688..dae3178380 100644
+--- a/lib/Driver/ToolChain.cpp
++++ b/lib/Driver/ToolChain.cpp
+@@ -13,6 +13,7 @@
+ #include "ToolChains/Clang.h"
+ #include "clang/Basic/ObjCRuntime.h"
+ #include "clang/Basic/Sanitizers.h"
++#include "clang/Basic/Version.h"
+ #include "clang/Basic/VirtualFileSystem.h"
+ #include "clang/Config/config.h"
+ #include "clang/Driver/Action.h"
+@@ -343,7 +344,10 @@ StringRef ToolChain::getOSLibName() const {
+ }
+
+ std::string ToolChain::getCompilerRTPath() const {
+- SmallString<128> Path(getDriver().ResourceDir);
++ SmallString<128> Path(getDriver().SysRoot);
++ StringRef ClangLibdirSuffix(CLANG_LIBDIR_SUFFIX);
++ llvm::sys::path::append(Path, "/usr/", Twine("lib") + ClangLibdirSuffix, "clang",
++ CLANG_VERSION_STRING);
+ if (Triple.isOSUnknown()) {
+ llvm::sys::path::append(Path, "lib");
+ } else {
+--
+2.18.0
+
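Review bot: `getCompilerRTPath()` now builds its path from `getDriver().SysRoot` unconditionally, so when the driver runs without a sysroot the lookup resolves to `/usr/lib<suffix>/clang/<version>` on the build host instead of the compiler's own resource directory. In that case the link either fails to find the runtime or silently picks up whatever compiler-rt the host has installed, which is a reproducibility and provenance problem for native builds made from the same sources. Falling back to `ResourceDir` when `SysRoot` is empty keeps the OE cross case and the stock behaviour side by side. The function body continues outside the hunk.

```cpp
std::string ToolChain::getCompilerRTPath() const {
  SmallString<128> Path;
  if (getDriver().SysRoot.empty()) {
    // No sysroot given: keep the stock lookup relative to the driver install.
    Path = getDriver().ResourceDir;
  } else {
    // OE stages compiler-rt into the target sysroot, not the resource dir.
    Path = getDriver().SysRoot;
    StringRef ClangLibdirSuffix(CLANG_LIBDIR_SUFFIX);
    llvm::sys::path::append(Path, "/usr/", Twine("lib") + ClangLibdirSuffix,
                            "clang", CLANG_VERSION_STRING);
  }
  // … unchanged: Triple.isOSUnknown() / OS library sub-directory handling …
```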
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0006-clang-Define-releative-gcc-installation-dir.patch b/external/meta-clang/recipes-devtools/clang/clang/0006-clang-Define-releative-gcc-installation-dir.patch
new file mode 100644
index 00000000..b611dd50
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0006-clang-Define-releative-gcc-installation-dir.patch
@@ -0,0 +1,32 @@
+From e6232d22df73b80ced3784fd85166ebe24e6c31b Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 21 May 2017 15:38:25 -0700
+Subject: [PATCH 6/8] clang: Define / releative gcc installation dir
+
+This is required for OE gcc installation to work.
+Without this its not able to find the paths for libgcc
+and other standard headers and libraries from gcc
+installation in OE
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/Driver/ToolChains/Gnu.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/Driver/ToolChains/Gnu.cpp b/lib/Driver/ToolChains/Gnu.cpp
+index 766c650b3c..777526e063 100644
+--- a/lib/Driver/ToolChains/Gnu.cpp
++++ b/lib/Driver/ToolChains/Gnu.cpp
+@@ -2190,6 +2190,9 @@ void Generic_GCC::GCCInstallationDetector::ScanLibDirForGCCTriple(
+ {"gcc-cross/" + CandidateTriple.str(), "../..",
+ TargetTriple.getOS() != llvm::Triple::Solaris},
+
++ // OE cross-compilers path structures
++ {"/" + CandidateTriple.str(), "..", true},
++
+ // The Freescale PPC SDK has the gcc libraries in
+ // <sysroot>/usr/lib/<triple>/x.y.z so have a look there as well. Only do
+ // this on Freescale triples, though, since some systems put a *lot* of
+--
+2.18.0
+
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0007-clang-Fix-ldso-for-musl-on-x86-and-x32-architectures.patch b/external/meta-clang/recipes-devtools/clang/clang/0007-clang-Fix-ldso-for-musl-on-x86-and-x32-architectures.patch
new file mode 100644
index 00000000..b456a59d
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0007-clang-Fix-ldso-for-musl-on-x86-and-x32-architectures.patch
@@ -0,0 +1,44 @@
+From 5840f5a6756f8f67dbba1b47015e75c8c3264b2b Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 16 Aug 2017 15:16:15 -0700
+Subject: [PATCH 7/8] clang: Fix ldso for musl on x86 and x32 architectures
+
+x32 linker is called ld-musl-x32.so.1 and x86 linker
+is called ld-musl-i386.so.1, Currently, linker for
+x86 is returned as ld-musl-i586.so.1, when default
+arch is i586, which is not the right thing
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ lib/Driver/ToolChains/Linux.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/Driver/ToolChains/Linux.cpp b/lib/Driver/ToolChains/Linux.cpp
+index 5bca972cc2..2ca285679c 100644
+--- a/lib/Driver/ToolChains/Linux.cpp
++++ b/lib/Driver/ToolChains/Linux.cpp
+@@ -492,6 +492,7 @@ std::string Linux::getDynamicLinker(const ArgList &Args) const {
+ if (Triple.isMusl()) {
+ std::string ArchName;
+ bool IsArm = false;
++ bool isX32 = false;
+
+ switch (Arch) {
+ case llvm::Triple::arm:
+@@ -504,6 +505,13 @@ std::string Linux::getDynamicLinker(const ArgList &Args) const {
+ ArchName = "armeb";
+ IsArm = true;
+ break;
++ case llvm::Triple::x86:
++ ArchName = "i386";
++ break;
++ case llvm::Triple::x86_64:
++ isX32 = Triple.getEnvironment() == llvm::Triple::GNUX32;
++ ArchName = isX32 ? "x32" : Triple.getArchName().str();
++ break;
+ default:
+ ArchName = Triple.getArchName().str();
+ }
+--
+2.18.0
+
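Review bot: The `x32` selection in the new `case llvm::Triple::x86_64:` cannot fire as written, because the switch sits inside `if (Triple.isMusl())` and a triple whose environment is musl does not also compare equal to `llvm::Triple::GNUX32`. `isX32` therefore stays false and `ArchName` is always the plain arch name, so unless this tree's `isMusl()` accepts GNUX32 (not visible here) the loader name `ld-musl-x32.so.1` from the commit message is never produced. The branch should either key off a signal that is actually set for musl x32 targets or be reduced to the default with a comment saying x32 is unhandled. The local would also read better as `IsX32`, matching `IsArm` beside it; `getDynamicLinker` continues outside the hunk.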
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0008-clang-scan-view-needs-python-2.x.patch b/external/meta-clang/recipes-devtools/clang/clang/0008-clang-scan-view-needs-python-2.x.patch
new file mode 100644
index 00000000..c55b309e
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0008-clang-scan-view-needs-python-2.x.patch
@@ -0,0 +1,27 @@
+From 846e59787ec12b6cd817640151d1f23d3b78d6b5 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 15 May 2018 10:28:43 -0700
+Subject: [PATCH 8/8] clang: scan-view needs python 2.x
+
+Some distributions e.g. archlinux have switched to pointing
+python to python3, therefore its better to be specific about
+python version needed.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ tools/scan-view/bin/scan-view | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/scan-view/bin/scan-view b/tools/scan-view/bin/scan-view
+index 1b6e8ba90d..7c5867d1be 100755
+--- a/tools/scan-view/bin/scan-view
++++ b/tools/scan-view/bin/scan-view
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python2
+
+ """The clang static analyzer results viewer.
+ """
+--
+2.18.0
+
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0009-clang-Enable-SSP-and-PIE-by-default.patch b/external/meta-clang/recipes-devtools/clang/clang/0009-clang-Enable-SSP-and-PIE-by-default.patch
new file mode 100644
index 00000000..d7b61bb1
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0009-clang-Enable-SSP-and-PIE-by-default.patch
@@ -0,0 +1,284 @@
+From 594abc54ce652e0490860c96038513cfb576bb92 Mon Sep 17 00:00:00 2001
+From: Evangelos Foutras <evangelos@foutrelis.com>
+Date: Thu, 20 Sep 2018 06:20:28 +0300
+Subject: [PATCH 9/9] clang: Enable SSP and PIE by default
+
+This is a minimal set of changes needed to make clang use SSP and PIE by
+default on Arch Linux. Tests that were easy to adjust have been changed
+accordingly; only test/Driver/linux-ld.c has been marked as "expected
+failure" due to the number of changes it would require (mostly replacing
+crtbegin.o with crtbeginS.o).
+
+Doing so is needed in order to align clang with the new default GCC
+behavior in Arch which generates PIE executables by default and also
+defaults to -fstack-protector-strong. It is not meant to be a long term
+solution, but a simple temporary fix.
+
+Hopefully these changes will be obsoleted by the introduction upstream
+of a compile-time option (https://bugs.llvm.org/show_bug.cgi?id=13410)
+---
+ lib/Driver/ToolChains/Linux.cpp | 14 ++++++++++++--
+ lib/Driver/ToolChains/Linux.h | 1 +
+ test/Driver/clang-offload-bundler.c | 2 +-
+ test/Driver/cross-linux.c | 16 ++++++++--------
+ test/Driver/env.c | 2 +-
+ test/Driver/fsanitize.c | 14 +++++++-------
+ test/Driver/gcc-toolchain.cpp | 2 +-
+ test/Driver/hexagon-toolchain-elf.c | 2 +-
+ test/Driver/linux-as.c | 4 ++--
+ test/Driver/linux-ld.c | 2 ++
+ test/Driver/riscv32-toolchain.c | 4 ++--
+ test/Driver/stack-protector.c | 4 ++--
+ 12 files changed, 40 insertions(+), 27 deletions(-)
+
+diff --git a/lib/Driver/ToolChains/Linux.cpp b/lib/Driver/ToolChains/Linux.cpp
+index 2ca285679c..22f1a1da6d 100644
+--- a/lib/Driver/ToolChains/Linux.cpp
++++ b/lib/Driver/ToolChains/Linux.cpp
+@@ -911,8 +911,18 @@ void Linux::AddIAMCUIncludeArgs(const ArgList &DriverArgs,
+ }
+
+ bool Linux::isPIEDefault() const {
+- return (getTriple().isAndroid() && !getTriple().isAndroidVersionLT(16)) ||
+- getTriple().isMusl() || getSanitizerArgs().requiresPIE();
++ const bool IsMips = getTriple().isMIPS();
++ const bool IsAndroid = getTriple().isAndroid();
++
++ if (IsMips || IsAndroid)
++ return (getTriple().isAndroid() && !getTriple().isAndroidVersionLT(16)) ||
++ getTriple().isMusl() || getSanitizerArgs().requiresPIE();
++
++ return true;
++}
++
++unsigned Linux::GetDefaultStackProtectorLevel(bool KernelOrKext) const {
++ return 2;
+ }
+
+ SanitizerMask Linux::getSupportedSanitizers() const {
+diff --git a/lib/Driver/ToolChains/Linux.h b/lib/Driver/ToolChains/Linux.h
+index 22dbbecf6b..ba0d5587e0 100644
+--- a/lib/Driver/ToolChains/Linux.h
++++ b/lib/Driver/ToolChains/Linux.h
+@@ -38,6 +38,7 @@ public:
+ void AddIAMCUIncludeArgs(const llvm::opt::ArgList &DriverArgs,
+ llvm::opt::ArgStringList &CC1Args) const override;
+ bool isPIEDefault() const override;
++ unsigned GetDefaultStackProtectorLevel(bool KernelOrKext) const override;
+ SanitizerMask getSupportedSanitizers() const override;
+ void addProfileRTLibs(const llvm::opt::ArgList &Args,
+ llvm::opt::ArgStringList &CmdArgs) const override;
+diff --git a/test/Driver/clang-offload-bundler.c b/test/Driver/clang-offload-bundler.c
+index adf13f59d4..fd2f6e5d8c 100644
+--- a/test/Driver/clang-offload-bundler.c
++++ b/test/Driver/clang-offload-bundler.c
+@@ -115,7 +115,7 @@
+ // CK-TEXTI: // __CLANG_OFFLOAD_BUNDLE____END__ openmp-x86_64-pc-linux-gnu
+
+ // CK-TEXTLL: ; __CLANG_OFFLOAD_BUNDLE____START__ host-powerpc64le-ibm-linux-gnu
+-// CK-TEXTLL: @A = global i32 0
++// CK-TEXTLL: @A = {{(dso_local )?}}global i32 0
+ // CK-TEXTLL: define {{.*}}@test_func()
+ // CK-TEXTLL: ; __CLANG_OFFLOAD_BUNDLE____END__ host-powerpc64le-ibm-linux-gnu
+ // CK-TEXTLL: ; __CLANG_OFFLOAD_BUNDLE____START__ openmp-powerpc64le-ibm-linux-gnu
+diff --git a/test/Driver/cross-linux.c b/test/Driver/cross-linux.c
+index a5ea832e77..1949c05a60 100644
+--- a/test/Driver/cross-linux.c
++++ b/test/Driver/cross-linux.c
+@@ -42,8 +42,8 @@
+ // CHECK-MULTI32-I386: "{{.*}}/Inputs/multilib_32bit_linux_tree/usr/lib/gcc/i386-unknown-linux/4.6.0/../../../../i386-unknown-linux/bin{{/|\\\\}}ld"
+ // CHECK-MULTI32-I386: "--sysroot=[[sysroot:.*/Inputs/basic_linux_tree]]"
+ // CHECK-MULTI32-I386: "-m" "elf_i386"
+-// CHECK-MULTI32-I386: "crti.o" "[[gcc_install:.*/Inputs/multilib_32bit_linux_tree/usr/lib/gcc/i386-unknown-linux/4.6.0]]{{/|\\\\}}crtbegin.o"
+-// CHECK-MULTI32-I386: "-L[[gcc_install]]"
++// CHECK-MULTI32-I386: "crti.o" "crtbeginS.o"
++// CHECK-MULTI32-I386: "-L[[gcc_install:.*/Inputs/multilib_32bit_linux_tree/usr/lib/gcc/i386-unknown-linux/4.6.0]]"
+ // CHECK-MULTI32-I386: "-L[[gcc_install]]/../../../../i386-unknown-linux/lib/../lib32"
+ // CHECK-MULTI32-I386: "-L[[gcc_install]]/../../../../i386-unknown-linux/lib"
+ // CHECK-MULTI32-I386: "-L[[sysroot]]/lib"
+@@ -59,8 +59,8 @@
+ // CHECK-MULTI32-X86-64: "{{.*}}/Inputs/multilib_32bit_linux_tree/usr/lib/gcc/i386-unknown-linux/4.6.0/../../../../i386-unknown-linux/bin{{/|\\\\}}ld"
+ // CHECK-MULTI32-X86-64: "--sysroot=[[sysroot:.*/Inputs/basic_linux_tree]]"
+ // CHECK-MULTI32-X86-64: "-m" "elf_x86_64"
+-// CHECK-MULTI32-X86-64: "crti.o" "[[gcc_install:.*/Inputs/multilib_32bit_linux_tree/usr/lib/gcc/i386-unknown-linux/4.6.0]]/64{{/|\\\\}}crtbegin.o"
+-// CHECK-MULTI32-X86-64: "-L[[gcc_install]]/64"
++// CHECK-MULTI32-X86-64: "crti.o" "crtbeginS.o"
++// CHECK-MULTI32-X86-64: "-L[[gcc_install:.*/Inputs/multilib_32bit_linux_tree/usr/lib/gcc/i386-unknown-linux/4.6.0]]/64"
+ // CHECK-MULTI32-X86-64: "-L[[gcc_install]]/../../../../i386-unknown-linux/lib/../lib64"
+ // CHECK-MULTI32-X86-64: "-L[[gcc_install]]"
+ // CHECK-MULTI32-X86-64: "-L[[gcc_install]]/../../../../i386-unknown-linux/lib"
+@@ -77,8 +77,8 @@
+ // CHECK-MULTI64-I386: "{{.*}}/Inputs/multilib_64bit_linux_tree/usr/lib/gcc/x86_64-unknown-linux/4.6.0/../../../../x86_64-unknown-linux/bin{{/|\\\\}}ld"
+ // CHECK-MULTI64-I386: "--sysroot=[[sysroot:.*/Inputs/basic_linux_tree]]"
+ // CHECK-MULTI64-I386: "-m" "elf_i386"
+-// CHECK-MULTI64-I386: "crti.o" "[[gcc_install:.*/Inputs/multilib_64bit_linux_tree/usr/lib/gcc/x86_64-unknown-linux/4.6.0]]/32{{/|\\\\}}crtbegin.o"
+-// CHECK-MULTI64-I386: "-L[[gcc_install]]/32"
++// CHECK-MULTI64-I386: "crti.o" "crtbeginS.o"
++// CHECK-MULTI64-I386: "-L[[gcc_install:.*/Inputs/multilib_64bit_linux_tree/usr/lib/gcc/x86_64-unknown-linux/4.6.0]]/32"
+ // CHECK-MULTI64-I386: "-L[[gcc_install]]/../../../../x86_64-unknown-linux/lib/../lib32"
+ // CHECK-MULTI64-I386: "-L[[gcc_install]]"
+ // CHECK-MULTI64-I386: "-L[[gcc_install]]/../../../../x86_64-unknown-linux/lib"
+@@ -95,8 +95,8 @@
+ // CHECK-MULTI64-X86-64: "{{.*}}/Inputs/multilib_64bit_linux_tree/usr/lib/gcc/x86_64-unknown-linux/4.6.0/../../../../x86_64-unknown-linux/bin{{/|\\\\}}ld"
+ // CHECK-MULTI64-X86-64: "--sysroot=[[sysroot:.*/Inputs/basic_linux_tree]]"
+ // CHECK-MULTI64-X86-64: "-m" "elf_x86_64"
+-// CHECK-MULTI64-X86-64: "crti.o" "[[gcc_install:.*/Inputs/multilib_64bit_linux_tree/usr/lib/gcc/x86_64-unknown-linux/4.6.0]]{{/|\\\\}}crtbegin.o"
+-// CHECK-MULTI64-X86-64: "-L[[gcc_install]]"
++// CHECK-MULTI64-X86-64: "crti.o" "crtbeginS.o"
++// CHECK-MULTI64-X86-64: "-L[[gcc_install:.*/Inputs/multilib_64bit_linux_tree/usr/lib/gcc/x86_64-unknown-linux/4.6.0]]"
+ // CHECK-MULTI64-X86-64: "-L[[gcc_install]]/../../../../x86_64-unknown-linux/lib/../lib64"
+ // CHECK-MULTI64-X86-64: "-L[[gcc_install]]/../../../../x86_64-unknown-linux/lib"
+ // CHECK-MULTI64-X86-64: "-L[[sysroot]]/lib"
+diff --git a/test/Driver/env.c b/test/Driver/env.c
+index 0371bc91c4..ea89f52512 100644
+--- a/test/Driver/env.c
++++ b/test/Driver/env.c
+@@ -20,7 +20,7 @@
+ //
+ // CHECK-LD-32-NOT: warning:
+ // CHECK-LD-32: "{{.*}}ld{{(.exe)?}}" "--sysroot=[[SYSROOT:[^"]+]]"
+-// CHECK-LD-32: "{{.*}}/usr/lib/gcc/i386-unknown-linux/4.6.0{{/|\\\\}}crtbegin.o"
++// CHECK-LD-32: "crtbeginS.o"
+ // CHECK-LD-32: "-L[[SYSROOT]]/usr/lib/gcc/i386-unknown-linux/4.6.0"
+ // CHECK-LD-32: "-L[[SYSROOT]]/usr/lib/gcc/i386-unknown-linux/4.6.0/../../../../i386-unknown-linux/lib"
+ // CHECK-LD-32: "-L[[SYSROOT]]/usr/lib/gcc/i386-unknown-linux/4.6.0/../../.."
+diff --git a/test/Driver/fsanitize.c b/test/Driver/fsanitize.c
+index 304e759302..c157f9fc48 100644
+--- a/test/Driver/fsanitize.c
++++ b/test/Driver/fsanitize.c
+@@ -238,15 +238,15 @@
+ // RUN: %clang -target x86_64-linux-gnu -fsanitize=vptr -fno-sanitize=vptr -fsanitize=undefined,address %s -### 2>&1
+ // OK
+
+-// RUN: %clang -target x86_64-linux-gnu -fsanitize=thread %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-PIE
+-// RUN: %clang -target x86_64-linux-gnu -fsanitize=memory %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-PIE
++// RUN: %clang -target x86_64-linux-gnu -fsanitize=thread %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PIE
++// RUN: %clang -target x86_64-linux-gnu -fsanitize=memory %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PIE
+ // RUN: %clang -target x86_64-unknown-freebsd -fsanitize=memory %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PIE
+ // RUN: %clang -target aarch64-linux-gnu -fsanitize=memory %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PIE
+ // RUN: %clang -target arm-linux-androideabi -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PIC-NO-PIE
+ // RUN: %clang -target arm-linux-androideabi24 -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PIE
+ // RUN: %clang -target aarch64-linux-android -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PIE
+-// RUN: %clang -target x86_64-linux-gnu -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-PIE
+-// RUN: %clang -target i386-linux-gnu -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-NO-PIE
++// RUN: %clang -target x86_64-linux-gnu -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PIE
++// RUN: %clang -target i386-linux-gnu -fsanitize=address %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-PIE
+
+ // CHECK-NO-PIE-NOT: "-pie"
+ // CHECK-NO-PIE: "-mrelocation-model" "static"
+@@ -585,12 +585,12 @@
+ // RUN: %clang -fno-sanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=NOSP
+ // NOSP-NOT: "-fsanitize=safe-stack"
+
+-// RUN: %clang -target x86_64-linux-gnu -fsanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=NO-SP
++// RUN: %clang -target x86_64-linux-gnu -fsanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=SP
+ // RUN: %clang -target x86_64-linux-gnu -fsanitize=address,safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=SP-ASAN
+ // RUN: %clang -target x86_64-linux-gnu -fstack-protector -fsanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=SP
+ // RUN: %clang -target x86_64-linux-gnu -fsanitize=safe-stack -fstack-protector-all -### %s 2>&1 | FileCheck %s -check-prefix=SP
+-// RUN: %clang -target arm-linux-androideabi -fsanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=NO-SP
+-// RUN: %clang -target aarch64-linux-android -fsanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=NO-SP
++// RUN: %clang -target arm-linux-androideabi -fsanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=SP
++// RUN: %clang -target aarch64-linux-android -fsanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=SP
+ // RUN: %clang -target i386-contiki-unknown -fsanitize=safe-stack -### %s 2>&1 | FileCheck %s -check-prefix=NO-SP
+ // NO-SP-NOT: stack-protector
+ // NO-SP: "-fsanitize=safe-stack"
+diff --git a/test/Driver/gcc-toolchain.cpp b/test/Driver/gcc-toolchain.cpp
+index ca96757a2b..ae1c25e989 100644
+--- a/test/Driver/gcc-toolchain.cpp
++++ b/test/Driver/gcc-toolchain.cpp
+@@ -24,6 +24,6 @@
+ // the same precise formatting of the path as the '-internal-system' flags
+ // above, so we just blanket wildcard match the 'crtbegin.o'.
+ // CHECK: "{{[^"]*}}ld{{(.exe)?}}"
+-// CHECK: "{{[^"]*}}/usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5{{/|\\\\}}crtbegin.o"
++// CHECK: "crtbeginS.o"
+ // CHECK: "-L[[TOOLCHAIN]]/usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5"
+ // CHECK: "-L[[TOOLCHAIN]]/usr/lib/i386-linux-gnu/gcc/i686-linux-gnu/4.5/../../../.."
+diff --git a/test/Driver/hexagon-toolchain-elf.c b/test/Driver/hexagon-toolchain-elf.c
+index 8f4c320ce4..a4d9ae502b 100644
+--- a/test/Driver/hexagon-toolchain-elf.c
++++ b/test/Driver/hexagon-toolchain-elf.c
+@@ -457,7 +457,7 @@
+ // RUN: %s 2>&1 \
+ // RUN: | FileCheck -check-prefix=CHECK042 %s
+ // CHECK042: "-cc1"
+-// CHECK042: "-mrelocation-model" "static"
++// CHECK042: "-mrelocation-model" "pic"
+ // CHECK042: "-mllvm" "-hexagon-small-data-threshold=8"
+ // CHECK042-NEXT: llvm-mc
+ // CHECK042: "-gpsize=8"
+diff --git a/test/Driver/linux-as.c b/test/Driver/linux-as.c
+index 68cf403d97..92b556db73 100644
+--- a/test/Driver/linux-as.c
++++ b/test/Driver/linux-as.c
+@@ -133,7 +133,7 @@
+ // CHECK-PPC-NO-MCPU-NOT: as{{.*}} "-mcpu=invalid-cpu"
+ //
+ // RUN: %clang -target sparc64-linux -mcpu=invalid-cpu -### \
+-// RUN: -no-integrated-as -c %s 2>&1 \
++// RUN: -no-integrated-as -fno-pic -c %s 2>&1 \
+ // RUN: | FileCheck -check-prefix=CHECK-SPARCV9 %s
+ // CHECK-SPARCV9: as
+ // CHECK-SPARCV9: -64
+@@ -142,7 +142,7 @@
+ // CHECK-SPARCV9: -o
+ //
+ // RUN: %clang -target sparc64-linux -mcpu=invalid-cpu -### \
+-// RUN: -no-integrated-as -fpic -c %s 2>&1 \
++// RUN: -no-integrated-as -c %s 2>&1 \
+ // RUN: | FileCheck -check-prefix=CHECK-SPARCV9PIC %s
+ // CHECK-SPARCV9PIC: as
+ // CHECK-SPARCV9PIC: -64
+diff --git a/test/Driver/linux-ld.c b/test/Driver/linux-ld.c
+index 787013931a..cba173b354 100644
+--- a/test/Driver/linux-ld.c
++++ b/test/Driver/linux-ld.c
+@@ -1,3 +1,5 @@
++// XFAIL: linux
++
+ // General tests that ld invocations on Linux targets sane. Note that we use
+ // sysroot to make these tests independent of the host system.
+ //
+diff --git a/test/Driver/riscv32-toolchain.c b/test/Driver/riscv32-toolchain.c
+index 1e0c750a3f..563493a33b 100644
+--- a/test/Driver/riscv32-toolchain.c
++++ b/test/Driver/riscv32-toolchain.c
+@@ -44,7 +44,7 @@
+ // C-RV32-LINUX-MULTI-ILP32: "--sysroot={{.*}}/Inputs/multilib_riscv_linux_sdk/sysroot"
+ // C-RV32-LINUX-MULTI-ILP32: "-m" "elf32lriscv"
+ // C-RV32-LINUX-MULTI-ILP32: "-dynamic-linker" "/lib/ld-linux-riscv32-ilp32.so.1"
+-// C-RV32-LINUX-MULTI-ILP32: "{{.*}}/Inputs/multilib_riscv_linux_sdk/lib/gcc/riscv64-unknown-linux-gnu/7.2.0/lib32/ilp32{{/|\\\\}}crtbegin.o"
++// C-RV32-LINUX-MULTI-ILP32: "crtbeginS.o"
+ // C-RV32-LINUX-MULTI-ILP32: "-L{{.*}}/Inputs/multilib_riscv_linux_sdk/lib/gcc/riscv64-unknown-linux-gnu/7.2.0/lib32/ilp32"
+ // C-RV32-LINUX-MULTI-ILP32: "-L{{.*}}/Inputs/multilib_riscv_linux_sdk/sysroot/lib32/ilp32"
+ // C-RV32-LINUX-MULTI-ILP32: "-L{{.*}}/Inputs/multilib_riscv_linux_sdk/sysroot/usr/lib32/ilp32"
+@@ -59,7 +59,7 @@
+ // C-RV32-LINUX-MULTI-ILP32D: "--sysroot={{.*}}/Inputs/multilib_riscv_linux_sdk/sysroot"
+ // C-RV32-LINUX-MULTI-ILP32D: "-m" "elf32lriscv"
+ // C-RV32-LINUX-MULTI-ILP32D: "-dynamic-linker" "/lib/ld-linux-riscv32-ilp32d.so.1"
+-// C-RV32-LINUX-MULTI-ILP32D: "{{.*}}/Inputs/multilib_riscv_linux_sdk/lib/gcc/riscv64-unknown-linux-gnu/7.2.0/lib32/ilp32d{{/|\\\\}}crtbegin.o"
++// C-RV32-LINUX-MULTI-ILP32D: "crtbeginS.o"
+ // C-RV32-LINUX-MULTI-ILP32D: "-L{{.*}}/Inputs/multilib_riscv_linux_sdk/lib/gcc/riscv64-unknown-linux-gnu/7.2.0/lib32/ilp32d"
+ // C-RV32-LINUX-MULTI-ILP32D: "-L{{.*}}/Inputs/multilib_riscv_linux_sdk/sysroot/lib32/ilp32d"
+ // C-RV32-LINUX-MULTI-ILP32D: "-L{{.*}}/Inputs/multilib_riscv_linux_sdk/sysroot/usr/lib32/ilp32d"
+diff --git a/test/Driver/stack-protector.c b/test/Driver/stack-protector.c
+index a3e40b50ee..dfffe0d6cf 100644
+--- a/test/Driver/stack-protector.c
++++ b/test/Driver/stack-protector.c
+@@ -3,11 +3,11 @@
+ // NOSSP-NOT: "-stack-protector-buffer-size"
+
+ // RUN: %clang -target i386-unknown-linux -fstack-protector -### %s 2>&1 | FileCheck %s -check-prefix=SSP
+-// SSP: "-stack-protector" "1"
++// SSP: "-stack-protector" "2"
+ // SSP-NOT: "-stack-protector-buffer-size"
+
+ // RUN: %clang -target i386-unknown-linux -fstack-protector --param ssp-buffer-size=16 -### %s 2>&1 | FileCheck %s -check-prefix=SSP-BUF
+-// SSP-BUF: "-stack-protector" "1"
++// SSP-BUF: "-stack-protector" "2"
+ // SSP-BUF: "-stack-protector-buffer-size" "16"
+
+ // RUN: %clang -target i386-pc-openbsd -### %s 2>&1 | FileCheck %s -check-prefix=OPENBSD
+--
+2.19.2
+
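Review bot: `Linux::GetDefaultStackProtectorLevel` returns a bare `2` and ignores `KernelOrKext`, so the hardening level is an unexplained magic number; `return LangOptions::SSPStrong;` (assuming LangOptions.h is reachable from Linux.cpp) would state the intent. `isPIEDefault` exempts MIPS and Android from the new default without a comment saying why, and its inner expression calls `getTriple().isAndroid()` again instead of using `IsAndroid`. Separately, `// XFAIL: linux` on test/Driver/linux-ld.c leaves the link line this change alters (`crtbeginS.o`, `-pie`) unchecked on Linux hosts, so a later regression that drops PIE from the defaults would not be caught. Updating that file's expectations, as was done for cross-linux.c, would keep the coverage.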
diff --git a/external/meta-clang/recipes-devtools/clang/clang/0020-clang-link-libgcc_eh-when-using-compiler-rt.patch b/external/meta-clang/recipes-devtools/clang/clang/0020-clang-link-libgcc_eh-when-using-compiler-rt.patch
new file mode 100644
index 00000000..d9eac9a6
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang/0020-clang-link-libgcc_eh-when-using-compiler-rt.patch
@@ -0,0 +1,24 @@
+From 98e1067695596c4c4a91f4c58e2a6f6aaeb56a0c Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 21 Sep 2019 08:57:36 -0700
+Subject: [PATCH] clang: link libgcc_eh when using compiler-rt
+
+we still need libgcc unwinder
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ clang/lib/Driver/ToolChains/CommonArgs.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/clang/lib/Driver/ToolChains/CommonArgs.cpp b/clang/lib/Driver/ToolChains/CommonArgs.cpp
+index 1e093b25b90..4b81ae2b50a 100644
+--- a/clang/lib/Driver/ToolChains/CommonArgs.cpp
++++ b/clang/lib/Driver/ToolChains/CommonArgs.cpp
+@@ -1162,6 +1162,7 @@ void tools::AddRunTimeLibs(const ToolChain &TC, const Driver &D,
+ switch (RLT) {
+ case ToolChain::RLT_CompilerRT:
+ CmdArgs.push_back(TC.getCompilerRTArgString(Args, "builtins"));
++ CmdArgs.push_back("-lgcc_eh");
+ break;
+ case ToolChain::RLT_Libgcc:
+ // Make sure libgcc is not used under MSVC environment by default
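Review bot: The added `CmdArgs.push_back("-lgcc_eh");` runs for every link that selects `RLT_CompilerRT`, with no check of the target or of whether a static libgcc_eh is present in the sysroot. Such links fail where it is absent, and elsewhere they pull the GCC unwinder into binaries that were asked to use compiler-rt. A guard such as `if (TC.getTriple().isOSLinux())` and a comment like `// OE: compiler-rt builtins carry no unwinder, fall back to libgcc's` would make the scope and the reason explicit. The rest of `AddRunTimeLibs` is outside the hunk, so any existing unwinder handling is not visible here.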
diff --git a/external/meta-clang/recipes-devtools/clang/clang_git.bb b/external/meta-clang/recipes-devtools/clang/clang_git.bb
new file mode 100644
index 00000000..b3b82724
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/clang_git.bb
@@ -0,0 +1,150 @@
+# Copyright (C) 2014 Khem Raj <raj.khem@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+DESCRIPTION = "LLVM based C/C++ compiler"
+HOMEPAGE = "http://clang.llvm.org/"
+SECTION = "devel"
+
+require clang.inc
+require common-source.inc
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit cmake cmake-native
+
+OECMAKE_FIND_ROOT_PATH_MODE_PROGRAM = "BOTH"
+
+def get_clang_arch(bb, d, arch_var):
+ import re
+ a = d.getVar(arch_var, True)
+ if re.match('(i.86|athlon|x86.64)$', a): return 'X86'
+ elif re.match('arm$', a): return 'ARM'
+ elif re.match('armeb$', a): return 'ARM'
+ elif re.match('aarch64$', a): return 'AArch64'
+ elif re.match('aarch64_be$', a): return 'AArch64'
+ elif re.match('mips(isa|)(32|64|)(r6|)(el|)$', a): return 'Mips'
+ elif re.match('p(pc|owerpc)(|64)', a): return 'PowerPC'
+ elif re.match('riscv(32|64)$', a): return 'RISCV'
+ else:
+ bb.error("cannot map '%s' to a supported llvm architecture" % a)
+ return ""
+
+def get_clang_host_arch(bb, d):
+ return get_clang_arch(bb, d, 'HOST_ARCH')
+
+def get_clang_target_arch(bb, d):
+ return get_clang_arch(bb, d, 'TARGET_ARCH')
+
+PACKAGECONFIG ??= "compiler-rt libcplusplus shared-libs"
+PACKAGECONFIG_class-native = ""
+PACKAGECONFIG_class-nativesdk = "compiler-rt libcplusplus"
+
+PACKAGECONFIG[compiler-rt] = "-DCLANG_DEFAULT_RTLIB=compiler-rt,,compiler-rt"
+PACKAGECONFIG[libcplusplus] = "-DCLANG_DEFAULT_CXX_STDLIB=libc++,,libcxx"
+PACKAGECONFIG[shared-libs] = "-DLLVM_BUILD_LLVM_DYLIB=ON -DLLVM_LINK_LLVM_DYLIB=ON,,,"
+
+#
+# Default to build all OE-Core supported target arches (user overridable).
+#
+LLVM_TARGETS_TO_BUILD ?= "AArch64;ARM;BPF;Mips;PowerPC;X86"
+LLVM_TARGETS_TO_BUILD_append = ";${@get_clang_host_arch(bb, d)};${@get_clang_target_arch(bb, d)}"
+
+LLVM_TARGETS_TO_BUILD_TARGET ?= ""
+LLVM_TARGETS_TO_BUILD_TARGET_append ?= ";${@get_clang_target_arch(bb, d)}"
+EXTRA_OECMAKE += "-DLLVM_ENABLE_ASSERTIONS=OFF \
+ -DLLVM_ENABLE_EXPENSIVE_CHECKS=OFF \
+ -DLLVM_ENABLE_PIC=ON \
+ -DLLVM_BINDINGS_LIST='' \
+ -DLLVM_ENABLE_FFI=ON \
+ -DFFI_INCLUDE_DIR=$(pkg-config --variable=includedir libffi) \
+ -DLLVM_OPTIMIZED_TABLEGEN=ON \
+ -DLLVM_ENABLE_RTTI=ON \
+ -DLLVM_ENABLE_EH=ON \
+ -DLLVM_BUILD_EXTERNAL_COMPILER_RT=ON \
+ -DCMAKE_SYSTEM_NAME=Linux \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DBUILD_SHARED_LIBS=OFF \
+ -DLLVM_ENABLE_PROJECTS='clang;lld' \
+ -G Ninja ${S}/llvm \
+"
+
+EXTRA_OECMAKE_append_class-native = "\
+ -DLLVM_TARGETS_TO_BUILD='${LLVM_TARGETS_TO_BUILD}' \
+"
+EXTRA_OECMAKE_append_class-nativesdk = "\
+ -DCMAKE_CROSSCOMPILING:BOOL=ON \
+ -DCROSS_TOOLCHAIN_FLAGS_NATIVE='-DCMAKE_TOOLCHAIN_FILE=${WORKDIR}/toolchain-native.cmake' \
+ -DLLVM_TARGETS_TO_BUILD='${LLVM_TARGETS_TO_BUILD}' \
+ -DLLVM_TABLEGEN=${STAGING_BINDIR_NATIVE}/llvm-tblgen \
+ -DCLANG_TABLEGEN=${STAGING_BINDIR_NATIVE}/clang-tblgen \
+"
+EXTRA_OECMAKE_append_class-target = "\
+ -DCMAKE_CROSSCOMPILING:BOOL=ON \
+ -DLLVM_TABLEGEN=${STAGING_BINDIR_NATIVE}/llvm-tblgen \
+ -DCLANG_TABLEGEN=${STAGING_BINDIR_NATIVE}/clang-tblgen \
+ -DLLVM_TARGETS_TO_BUILD='${LLVM_TARGETS_TO_BUILD_TARGET}' \
+ -DLLVM_TARGET_ARCH=${@get_clang_target_arch(bb, d)} \
+ -DLLVM_DEFAULT_TARGET_TRIPLE=${TARGET_SYS} \
+"
+
+DEPENDS = "zlib libffi libxml2 ninja-native"
+DEPENDS_append_class-nativesdk = " clang-native virtual/${TARGET_PREFIX}binutils-crosssdk virtual/${TARGET_PREFIX}gcc-crosssdk virtual/${TARGET_PREFIX}g++-crosssdk"
+DEPENDS_append_class-target = " clang-cross-${TARGET_ARCH} ${@bb.utils.contains('TOOLCHAIN', 'gcc', 'virtual/${TARGET_PREFIX}gcc virtual/${TARGET_PREFIX}g++', '', d)}"
+
+RRECOMMENDS_${PN} = "binutils"
+
+do_compile() {
+ ninja ${PARALLEL_MAKE}
+}
+
+do_install() {
+ DESTDIR=${D} ninja ${PARALLEL_MAKE} install
+}
+
+do_install_append_class-native () {
+ install -Dm 0755 ${B}/bin/clang-tblgen ${D}${bindir}/clang-tblgen
+ for f in `find ${D}${bindir} -executable -type f -not -type l`; do
+ test -n "`file $f|grep -i ELF`" && ${STRIP} $f
+ echo "stripped $f"
+ done
+}
+
+do_install_append_class-nativesdk () {
+ install -Dm 0755 ${B}/bin/clang-tblgen ${D}${bindir}/clang-tblgen
+ for f in `find ${D}${bindir} -executable -type f -not -type l`; do
+ test -n "`file $f|grep -i ELF`" && ${STRIP} $f
+ done
+ rm -rf ${D}${datadir}/llvm/cmake
+ rm -rf ${D}${datadir}/llvm
+}
+
+PACKAGE_DEBUG_SPLIT_STYLE_class-nativesdk = "debug-without-src"
+
+PACKAGES =+ "${PN}-libllvm"
+
+BBCLASSEXTEND = "native nativesdk"
+
+FILES_${PN} += "\
+ ${libdir}/BugpointPasses.so \
+ ${libdir}/LLVMHello.so \
+ ${libdir}/TestPlugin.so \
+ ${datadir}/scan-* \
+ ${datadir}/opt-viewer/ \
+"
+
+FILES_${PN}-libllvm += "\
+ ${libdir}/libLLVM-${MAJOR_VER}.${MINOR_VER}.so \
+ ${libdir}/libLLVM-${MAJOR_VER}.so \
+ ${libdir}/libLLVM-${MAJOR_VER}.${MINOR_VER}svn.so \
+"
+
+FILES_${PN}-dev += "\
+ ${datadir}/llvm/cmake \
+ ${libdir}/cmake \
+"
+
+INSANE_SKIP_${PN} += "already-stripped"
+INSANE_SKIP_${PN}-dev += "dev-elf"
+
+#Avoid SSTATE_SCAN_COMMAND running sed over llvm-config.
+SSTATE_SCAN_FILES_remove = "*-config"
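Review bot: `get_clang_arch` logs `bb.error(...)` and returns `""` for an unmapped architecture, so the build carries on with an empty element appended to `LLVM_TARGETS_TO_BUILD` and an empty `-DLLVM_TARGET_ARCH=` on the target class. Failing early is clearer: replace the fallback with `bb.fatal("cannot map '%s' to a supported llvm architecture" % a)`, or raise `bb.parse.SkipRecipe(...)` if a parse-time abort is too strong for unsupported machines. The function also passes the result of `d.getVar(arch_var, True)` straight to `re.match`, which raises a `TypeError` if the variable is unset; a guard like `if not a:` before the chain would cover that. Separately, `LLVM_TARGETS_TO_BUILD_TARGET_append ?=` mixes `_append` with a conditional assignment, which is probably meant to be a plain `_append =`.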
diff --git a/external/meta-clang/recipes-devtools/clang/common-source.inc b/external/meta-clang/recipes-devtools/clang/common-source.inc
new file mode 100644
index 00000000..e7fb06fb
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/common-source.inc
@@ -0,0 +1,11 @@
+do_fetch() {
+ :
+}
+do_fetch[noexec] = "1"
+deltask do_unpack
+deltask do_patch
+
+SRC_URI = ""
+
+do_configure[depends] += "llvm-project-source-${PV}:do_patch"
+do_populate_lic[depends] += "llvm-project-source-${PV}:do_unpack"
diff --git a/external/meta-clang/recipes-devtools/clang/common.inc b/external/meta-clang/recipes-devtools/clang/common.inc
new file mode 100644
index 00000000..52f30c6d
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/common.inc
@@ -0,0 +1,71 @@
+FILESEXTRAPATHS =. "${FILE_DIRNAME}/clang:"
+
+LIC_FILES_CHKSUM = "file://llvm/LICENSE.TXT;md5=${LLVMMD5SUM} \
+ file://clang/LICENSE.TXT;md5=${CLANGMD5SUM} \
+"
+LICENSE = "NCSA"
+
+BASEURI ??= "${LLVM_GIT}/llvm-project;protocol=${LLVM_GIT_PROTOCOL};branch=${BRANCH}"
+SRC_URI = "\
+ ${BASEURI} \
+ ${LLVMPATCHES} \
+ ${CLANGPATCHES} \
+ ${COMPILERRTPATCHES} \
+ ${LIBCXXABIPATCHES} \
+ ${LIBCXXPATCHES} \
+ ${LLDBPATCHES} \
+"
+
+# llvm patches
+#
+LLVMPATCHES = "\
+ file://0001-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch;patchdir=llvm \
+ file://0002-llvm-allow-env-override-of-exe-path.patch;patchdir=llvm \
+ file://0003-llvm-Disable-calls-to-_finite-and-other-glibc-only-f.patch;patchdir=llvm \
+"
+# Fallback to no-PIE if not set
+GCCPIE ??= ""
+
+# Clang patches
+CLANGPATCHES = "\
+ file://0001-clang-driver-Use-lib-for-ldso-on-OE.patch;patchdir=clang \
+ file://0002-clang-Driver-tools.cpp-Add-lssp_nonshared-on-musl.patch;patchdir=clang \
+ file://0003-clang-musl-ppc-does-not-support-128-bit-long-double.patch;patchdir=clang \
+ file://0004-clang-Prepend-trailing-to-sysroot.patch;patchdir=clang \
+ file://0005-clang-Look-inside-the-target-sysroot-for-compiler-ru.patch;patchdir=clang \
+ file://0006-clang-Define-releative-gcc-installation-dir.patch;patchdir=clang \
+ file://0007-clang-Fix-ldso-for-musl-on-x86-and-x32-architectures.patch;patchdir=clang \
+ file://0008-clang-scan-view-needs-python-2.x.patch;patchdir=clang \
+ file://0020-clang-link-libgcc_eh-when-using-compiler-rt.patch \
+"
+CLANGPATCHES += "${@'file://0009-clang-Enable-SSP-and-PIE-by-default.patch;patchdir=clang' if '${GCCPIE}' else ''}"
+
+# compiler-rt patches
+COMPILERRTPATCHES = "\
+ file://0001-compiler-rt-support-a-new-embedded-linux-target.patch;patchdir=compiler-rt \
+ file://0002-compiler-rt-Simplify-cross-compilation.-Don-t-use-na.patch;patchdir=compiler-rt \
+ file://0003-compiler-rt-Disable-tsan-on-OE-glibc.patch;patchdir=compiler-rt \
+ file://0004-compiler-rt-cmake-mips-Do-not-specify-target-with-OE.patch;patchdir=compiler-rt \
+"
+# libcxxabi patches
+LIBCXXABIPATCHES ="\
+ file://0001-libcxxabi-Find-libunwind-headers-when-LIBCXXABI_LIBU.patch;patchdir=libcxxabi \
+"
+
+# libc++ patches
+LIBCXXPATCHES = "\
+"
+
+# lldb patches
+LLDBPATCHES = "\
+ file://0001-lldb-Include-limits.h-for-PATH_MAX-definition.patch;patchdir=lldb \
+ file://0002-lldb-Add-lxml2-to-linker-cmdline-of-xml-is-found.patch;patchdir=lldb \
+"
+
+S = "${TMPDIR}/work-shared/llvm-project-source-${PV}-${PR}/git"
+B = "${WORKDIR}/llvm-project-source-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
+
+# We need to ensure that for the shared work directory, the do_patch signatures match
+# The real WORKDIR location isn't a dependency for the shared workdir.
+src_patches[vardepsexclude] = "WORKDIR"
+should_apply[vardepsexclude] += "PN"
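Review bot: The SSP/PIE-by-default patch (`0009-clang-Enable-SSP-and-PIE-by-default.patch`) is only added to `CLANGPATCHES` when `GCCPIE` is non-empty, and `GCCPIE ??= ""` makes the unhardened case the silent default for any distro that never sets it. A comment above the line would make that visible, for example `# SSP/PIE defaults are patched in only when GCCPIE is set; otherwise clang keeps upstream defaults`. The inline Python also splices the expanded value into a quoted literal (`'${GCCPIE}'`), which breaks if the value ever contains a quote; `if d.getVar('GCCPIE', True) else ''` reads the variable directly. Note too that `0020-clang-link-libgcc_eh-when-using-compiler-rt.patch` is the only entry without `;patchdir=`; that matches its repo-rooted paths but deserves a short comment so it is not "fixed" later.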
diff --git a/external/meta-clang/recipes-devtools/clang/compiler-rt_git.bb b/external/meta-clang/recipes-devtools/clang/compiler-rt_git.bb
new file mode 100644
index 00000000..05de71f4
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/compiler-rt_git.bb
@@ -0,0 +1,96 @@
+# Copyright (C) 2015 Khem Raj <raj.khem@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+DESCRIPTION = "LLVM based C/C++ compiler Runtime"
+HOMEPAGE = "http://compiler-rt.llvm.org/"
+LICENSE = "MIT | NCSA"
+SECTION = "base"
+
+require clang.inc
+require common-source.inc
+
+inherit cmake pkgconfig pythonnative
+
+
+LIC_FILES_CHKSUM = "file://compiler-rt/LICENSE.TXT;md5=92bfbe70fc44c6e5efc6403a31180ed7; \
+"
+
+BASEDEPENDS_remove_toolchain-clang_class-target = "compiler-rt"
+BASEDEPENDS_remove_toolchain-clang_class-target = "libcxx"
+TARGET_CXXFLAGS_remove_toolchain-clang = " -stdlib=libc++ "
+TUNE_CCARGS_remove = "-no-integrated-as --rtlib=compiler-rt"
+DEPENDS += "ninja-native"
+DEPENDS_append_class-nativesdk = " clang-native"
+
+THUMB_TUNE_CCARGS = ""
+#TUNE_CCARGS += "-nostdlib"
+
+HF = "${@ bb.utils.contains('TUNE_CCARGS_MFLOAT', 'hard', 'hf', '', d)}"
+HF[vardepvalue] = "${HF}"
+EXTRA_OECMAKE += "-DCOMPILER_RT_STANDALONE_BUILD=ON \
+ -DCOMPILER_RT_DEFAULT_TARGET_TRIPLE=${HOST_ARCH}${HF}${HOST_VENDOR}-${HOST_OS} \
+ -DCOMPILER_RT_BUILD_XRAY=OFF \
+ -G Ninja ${S}/compiler-rt \
+"
+EXTRA_OECMAKE_append_class-target = "\
+ -DCMAKE_AR=${STAGING_BINDIR_TOOLCHAIN}/${TARGET_PREFIX}llvm-ar \
+ -DCMAKE_NM=${STAGING_BINDIR_TOOLCHAIN}/${TARGET_PREFIX}llvm-nm \
+ -DCMAKE_RANLIB=${STAGING_BINDIR_TOOLCHAIN}/${TARGET_PREFIX}llvm-ranlib \
+"
+EXTRA_OECMAKE_append_class-nativesdk = "\
+ -DLLVM_TABLEGEN=${STAGING_BINDIR_NATIVE}/llvm-tblgen \
+ -DCLANG_TABLEGEN=${STAGING_BINDIR_NATIVE}/clang-tblgen \
+"
+
+EXTRA_OECMAKE_append_libc-musl = " -DCOMPILER_RT_BUILD_SANITIZERS=OFF -DCOMPILER_RT_BUILD_XRAY=OFF "
+EXTRA_OECMAKE_append_mipsarch = "-DCOMPILER_RT_BUILD_SANITIZERS=OFF -DCOMPILER_RT_BUILD_XRAY=OFF "
+
+do_compile() {
+ ninja ${PARALLEL_MAKE}
+}
+
+do_install() {
+ DESTDIR=${D} ninja ${PARALLEL_MAKE} install
+}
+
+
+do_install_append () {
+ if [ -d ${D}${libdir}/linux ]; then
+ for f in `find ${D}${libdir}/linux -maxdepth 1 -type f`
+ do
+ install -D -m 0644 $f ${D}${libdir}/clang/${MAJOR_VER}.${MINOR_VER}.${PATCH_VER}/lib/linux/`basename $f`
+ rm $f
+ done
+ rmdir ${D}${libdir}/linux
+ fi
+ for f in `find ${D}${exec_prefix} -maxdepth 1 -name '*.txt' -type f`
+ do
+ install -D -m 0644 $f ${D}${libdir}/clang/${MAJOR_VER}.${MINOR_VER}.${PATCH_VER}/`basename $f`
+ rm $f
+ done
+}
+
+FILES_SOLIBSDEV = ""
+FILES_${PN} += "${libdir}/clang/${MAJOR_VER}.${MINOR_VER}.${PATCH_VER}/lib/linux/lib*${SOLIBSDEV} \
+ ${libdir}/clang/${MAJOR_VER}.${MINOR_VER}.${PATCH_VER}/*.txt"
+FILES_${PN}-staticdev += "${libdir}/clang/${MAJOR_VER}.${MINOR_VER}.${PATCH_VER}/lib/linux/*.a"
+FILES_${PN}-dev += "${datadir} ${libdir}/clang/${MAJOR_VER}.${MINOR_VER}.${PATCH_VER}/lib/linux/*.syms"
+INSANE_SKIP_${PN} = "dev-so"
+
+#PROVIDES_append_class-target = "\
+# virtual/${TARGET_PREFIX}compilerlibs \
+# libgcc \
+# libgcc-initial \
+# libgcc-dev \
+# libgcc-initial-dev \
+# "
+#
+
+RDEPENDS_${PN}-dev += "${PN}-staticdev"
+
+BBCLASSEXTEND = "native nativesdk"
+
+ALLOW_EMPTY_${PN} = "1"
+ALLOW_EMPTY_${PN}-dev = "1"
+
+TOOLCHAIN = "clang"
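Review bot: `EXTRA_OECMAKE_append_mipsarch = "-DCOMPILER_RT_BUILD_SANITIZERS=OFF ...` has no leading space, and `_append` inserts none, so the first flag is only separated from the previous value by whatever whitespace that value happens to end with. The musl line just above has the space; the mips line should match: `EXTRA_OECMAKE_append_mipsarch = " -DCOMPILER_RT_BUILD_SANITIZERS=OFF -DCOMPILER_RT_BUILD_XRAY=OFF "`. Both overrides turn the sanitizer runtimes off without saying why, so a one-line comment (`# sanitizer runtimes are not built for musl/mips here; ASan/UBSan images are unavailable on these targets`) would help anyone expecting instrumented builds there. `LIC_FILES_CHKSUM` also ends its only entry with a stray `;` after the md5 value.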
diff --git a/external/meta-clang/recipes-devtools/clang/libcxx_git.bb b/external/meta-clang/recipes-devtools/clang/libcxx_git.bb
new file mode 100644
index 00000000..b879df13
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/libcxx_git.bb
@@ -0,0 +1,81 @@
+# Copyright (C) 2015 Khem Raj <raj.khem@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+DESCRIPTION = "libc++ is a new implementation of the C++ standard library, targeting C++11"
+HOMEPAGE = "http://libcxx.llvm.org/"
+LICENSE = "MIT | NCSA"
+SECTION = "base"
+
+require clang.inc
+require common-source.inc
+
+inherit cmake pythonnative
+
+DEPENDS += "ninja-native"
+BASEDEPENDS_remove_toolchain-clang = "libcxx"
+TARGET_CXXFLAGS_remove_toolchain-clang = " -stdlib=libc++ "
+
+PACKAGECONFIG ??= "unwind"
+PACKAGECONFIG_powerpc = ""
+PACKAGECONFIG_mipsarch = ""
+PACKAGECONFIG_riscv64 = ""
+PACKAGECONFIG[unwind] = "-DLIBCXXABI_USE_LLVM_UNWINDER=ON -DLIBCXXABI_LIBUNWIND_INCLUDES=${S}/projects/libunwind/include, -DLIBCXXABI_USE_LLVM_UNWINDER=OFF,"
+
+PROVIDES += "${@bb.utils.contains('PACKAGECONFIG', 'unwind', 'libunwind', '', d)}"
+
+LIC_FILES_CHKSUM = "file://libcxx/LICENSE.TXT;md5=7b3a0e1b99822669d630011defe9bfd9; \
+ file://libcxxabi/LICENSE.TXT;md5=3600117b7c18121ab04c53e4615dc36e \
+ file://libunwind/LICENSE.TXT;md5=7ea986af7f70eaea5a297dd2744c79a5 \
+"
+THUMB_TUNE_CCARGS = ""
+#TUNE_CCARGS += "-nostdlib"
+
+EXTRA_OECMAKE += "\
+ -DLIBCXX_CXX_ABI=libcxxabi \
+ -DLLVM_BUILD_EXTERNAL_COMPILER_RT=ON \
+ -DCXX_SUPPORTS_CXX11=ON \
+ -DLIBCXXABI_LIBCXX_INCLUDES=${S}/libcxx/include \
+ -DLIBCXX_CXX_ABI_INCLUDE_PATHS=${S}/libcxxabi/include \
+ -DLIBCXX_CXX_ABI_LIBRARY_PATH=${B}/lib \
+ -DLLVM_ENABLE_PROJECTS='libcxx;libcxxabi;libunwind' \
+ -G Ninja \
+ ${S}/llvm \
+"
+
+EXTRA_OECMAKE_append_class-target = "\
+ -DCMAKE_AR=${STAGING_BINDIR_TOOLCHAIN}/${TARGET_PREFIX}llvm-ar \
+ -DCMAKE_NM=${STAGING_BINDIR_TOOLCHAIN}/${TARGET_PREFIX}llvm-nm \
+ -DCMAKE_RANLIB=${STAGING_BINDIR_TOOLCHAIN}/${TARGET_PREFIX}llvm-ranlib \
+"
+
+EXTRA_OECMAKE_append_class-native = " -DLIBCXX_ENABLE_ABI_LINKER_SCRIPT=OFF"
+EXTRA_OECMAKE_append_class-nativesdk = " -DLIBCXX_ENABLE_ABI_LINKER_SCRIPT=OFF"
+EXTRA_OECMAKE_append_libc-musl = " -DLIBCXX_HAS_MUSL_LIBC=ON "
+
+do_compile() {
+
+ ninja -v ${PARALLEL_MAKE} cxxabi
+ ninja -v ${PARALLEL_MAKE} cxx
+ if ${@bb.utils.contains('PACKAGECONFIG', 'unwind', 'true', 'false', d)}; then
+ ninja -v ${PARALLEL_MAKE} unwind
+ fi
+
+}
+
+do_install() {
+ DESTDIR=${D} ninja ${PARALLEL_MAKE} install-cxxabi
+ DESTDIR=${D} ninja ${PARALLEL_MAKE} install-cxx
+ if ${@bb.utils.contains('PACKAGECONFIG', 'unwind', 'true', 'false', d)}; then
+ DESTDIR=${D} ninja ${PARALLEL_MAKE} install-unwind
+ fi
+}
+
+PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'unwind', 'libunwind', '', d)}"
+FILES_libunwind += "${libdir}/libunwind.so.*"
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN}-dev += "${PN}-staticdev"
+
+BBCLASSEXTEND = "native nativesdk"
+TOOLCHAIN = "clang"
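Review bot: `PACKAGECONFIG[unwind]` passes `-DLIBCXXABI_LIBUNWIND_INCLUDES=${S}/projects/libunwind/include`, but the rest of this recipe uses the monorepo layout (`${S}/libcxx/include`, `${S}/libcxxabi/include`, `file://libunwind/LICENSE.TXT`). The `projects/` path therefore looks like a leftover from the old checkout layout and probably does not exist under `${S}`; `-DLIBCXXABI_LIBUNWIND_INCLUDES=${S}/libunwind/include` would be consistent with the other paths. Worth confirming against the unpacked source tree, since a wrong include path may only fail when the unwinder headers are actually needed.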
diff --git a/external/meta-clang/recipes-devtools/clang/lldb_git.bb b/external/meta-clang/recipes-devtools/clang/lldb_git.bb
new file mode 100644
index 00000000..7c4be42f
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/lldb_git.bb
@@ -0,0 +1,57 @@
+# Copyright (C) 2017 Kai Ruhnau <kai.ruhnau@target-sg.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+DESCRIPTION = "Next generation, high-performance debugger"
+HOMEPAGE = "http://lldb.llvm.org/"
+LICENSE = "MIT | NCSA"
+SECTION = "devel"
+
+DEPENDS += "clang-native zlib libxml2 ninja-native"
+
+require clang.inc
+require common-source.inc
+
+inherit cmake pkgconfig
+
+LIC_FILES_CHKSUM = "file://llvm/LICENSE.TXT;md5=${LLVMMD5SUM}; \
+ file://clang/LICENSE.TXT;md5=${CLANGMD5SUM}; \
+ file://lldb/LICENSE.TXT;md5=${LLDBMD5SUM}; \
+"
+
+OECMAKE_FIND_ROOT_PATH_MODE_PROGRAM = "BOTH"
+
+EXTRA_OECMAKE="\
+ -DCMAKE_CROSSCOMPILING=1 \
+ -DLLVM_ENABLE_CXX11=ON \
+ -DLLVM_BUILD_LLVM_DYLIB=ON \
+ -DBUILD_SHARED_LIBS=OFF \
+ -DLLVM_BUILD_LLVM_DYLIB=ON \
+ -DLLVM_ENABLE_PIC=ON \
+ -DLLDB_DISABLE_LIBEDIT=1 \
+ -DLLDB_DISABLE_CURSES=1 \
+ -DLLDB_DISABLE_PYTHON=1 \
+ -DLLVM_ENABLE_TERMINFO=0 \
+ -DLLVM_TABLEGEN=${STAGING_BINDIR_NATIVE}/llvm-tblgen \
+ -DCLANG_TABLEGEN=${STAGING_BINDIR_NATIVE}/clang-tblgen \
+ -DLLVM_HOST_TRIPLE=${TARGET_SYS} \
+ -DLLDB_TEST_USE_CUSTOM_C_COMPILER=ON \
+ -DLLDB_TEST_USE_CUSTOM_CXX_COMPILER=ON \
+ -DLLDB_TEST_C_COMPILER='${CC}' \
+ -DLLDB_TEST_CXX_COMPILER='${CXX}' \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DLLVM_ENABLE_PROJECTS='clang;lldb' \
+ -G Ninja ${S}/llvm \
+"
+
+EXTRA_OEMAKE = "VERBOSE=1"
+
+do_compile() {
+ ninja ${PARALLEL_MAKE} lldb
+}
+
+do_install() {
+ DESTDIR=${D} ninja ${PARALLEL_MAKE} tools/lldb/install
+}
+
+INSANE_SKIP_${PN}-dbg = "libdir"
+INSANE_SKIP_${PN} = "libdir"
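Review bot: `-DLLVM_BUILD_LLVM_DYLIB=ON` appears twice in `EXTRA_OECMAKE`, and `EXTRA_OEMAKE = "VERBOSE=1"` has no effect because `do_compile` and `do_install` call `ninja` directly. Drop the duplicate flag and the unused variable, or pass `-v` to ninja as libcxx_git.bb does if verbose output is wanted. `EXTRA_OECMAKE=` is also a plain assignment after `require clang.inc`, so anything that include adds to the variable would be discarded; that file is not visible here, so it is worth checking whether `+=` was intended.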
diff --git a/external/meta-clang/recipes-devtools/clang/llvm-common.bb b/external/meta-clang/recipes-devtools/clang/llvm-common.bb
new file mode 100644
index 00000000..f17f01c2
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/llvm-common.bb
@@ -0,0 +1,22 @@
+SUMMARY = "Helper script for OE's llvm support"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://llvm-config"
+
+S = "${WORKDIR}"
+
+ALLOW_EMPTY_${PN} = "1"
+SYSROOT_PREPROCESS_FUNCS_append_class-target = " llvm_common_sysroot_preprocess"
+
+llvm_common_sysroot_preprocess() {
+ install -d ${SYSROOT_DESTDIR}${bindir_crossscripts}/
+ install -m 0755 ${WORKDIR}/llvm-config ${SYSROOT_DESTDIR}${bindir_crossscripts}/
+}
+
+do_install_class-native() {
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/llvm-config ${D}${bindir}
+}
+
+BBCLASSEXTEND = "native"
diff --git a/external/meta-clang/recipes-devtools/clang/llvm-common/llvm-config b/external/meta-clang/recipes-devtools/clang/llvm-common/llvm-config
new file mode 100644
index 00000000..4462896a
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/llvm-common/llvm-config
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Wrapper script for llvm-config. Supplies the right environment variables
+# for the target and delegates to the native llvm-config for anything else. This
+# is needed because arguments like --ldflags, --cxxflags, etc. are set by the
+# native compile rather than the target compile.
+#
+
+SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
+NEXT_LLVM_CONFIG="$(which -a llvm-config | sed -n 2p)"
+export YOCTO_ALTERNATE_EXE_PATH="$(readlink -f "$SCRIPT_DIR/../llvm-config")"
+
+if [[ $# == 0 ]]; then
+ exec "$NEXT_LLVM_CONFIG"
+fi
+
+if [[ $1 == "--libs" ]]; then
+ exec "$NEXT_LLVM_CONFIG" $@
+fi
+
+for arg in "$@"; do
+ case "$arg" in
+ --cppflags)
+ echo $TARGET_CPPFLAGS
+ ;;
+ --cflags)
+ echo $TARGET_CFLAGS
+ ;;
+ --cxxflags)
+ echo $TARGET_CXXFLAGS
+ ;;
+ --ldflags)
+ echo $TARGET_LDFLAGS
+ ;;
+ *)
+ echo "$("$NEXT_LLVM_CONFIG" "$arg")"
+ ;;
+ esac
+done
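Review bot: `NEXT_LLVM_CONFIG` is taken as the second `llvm-config` that `which -a` finds on `PATH` and is never checked, so when only the wrapper is on `PATH` the script goes on to `exec ""`, and which binary it delegates to depends purely on `PATH` order. A guard right after the assignment makes the failure explicit: `[ -n "$NEXT_LLVM_CONFIG" ] || { echo "llvm-config wrapper: no native llvm-config on PATH" >&2; exit 1; }`. In the `--libs` branch `$@` is unquoted, so arguments are re-split and glob-expanded; it should be `exec "$NEXT_LLVM_CONFIG" "$@"`. The `echo $TARGET_CFLAGS` style lines are also unquoted, which is harmless for flag lists but will expand any glob characters in them.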
diff --git a/external/meta-clang/recipes-devtools/clang/llvm-project-source.bb b/external/meta-clang/recipes-devtools/clang/llvm-project-source.bb
new file mode 100644
index 00000000..78664c57
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/llvm-project-source.bb
@@ -0,0 +1,10 @@
+# Copyright (C) 2018 Khem Raj <raj.khem@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMMARY = "This is the canonical git mirror of the LLVM subversion repository."
+HOMEPAGE = "https://github.com/llvm/llvm-project"
+
+require llvm-project-source.inc
+require clang.inc
+
+EXCLUDE_FROM_WORLD = "1"
diff --git a/external/meta-clang/recipes-devtools/clang/llvm-project-source.inc b/external/meta-clang/recipes-devtools/clang/llvm-project-source.inc
new file mode 100644
index 00000000..f6c552d8
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/llvm-project-source.inc
@@ -0,0 +1,20 @@
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+deltask do_populate_lic
+RM_WORK_EXCLUDE += "${PN}"
+
+inherit nopackages
+
+PN = "llvm-project-source-${PV}"
+
+WORKDIR = "${TMPDIR}/work-shared/llvm-project-source-${PV}-${PR}"
+SSTATE_SWSPEC = "sstate:llvm-project-source::${PV}:${PR}::${SSTATE_VERSION}:"
+
+STAMP = "${STAMPS_DIR}/work-shared/llvm-project-source-${PV}-${PR}"
+STAMPCLEAN = "${STAMPS_DIR}/work-shared/llvm-project-source-${PV}-*"
+
+INHIBIT_DEFAULT_DEPS = "1"
+DEPENDS = ""
+PACKAGES = ""
diff --git a/external/meta-clang/recipes-devtools/clang/nativesdk-clang-glue.bb b/external/meta-clang/recipes-devtools/clang/nativesdk-clang-glue.bb
new file mode 100644
index 00000000..6824bcb5
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/nativesdk-clang-glue.bb
@@ -0,0 +1,27 @@
+# Copyright (C) 2014 Khem Raj <raj.khem@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+DESCRIPTION = "SDK Cross compiler wrappers for LLVM based C/C++ compiler"
+HOMEPAGE = "http://clang.llvm.org/"
+LICENSE = "NCSA"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/NCSA;md5=1b5fdec70ee13ad8a91667f16c1959d7"
+SECTION = "devel"
+
+require clang.inc
+require common-source.inc
+inherit nativesdk
+DEPENDS += "nativesdk-clang"
+
+do_install() {
+ install -d ${D}${prefix_nativesdk}
+ cd ${D}${prefix_nativesdk}
+ ln -s ..${libdir} .
+ ln -s ..${includedir} .
+}
+
+sysroot_stage_all () {
+ sysroot_stage_dir ${D} ${SYSROOT_DESTDIR}
+}
+
+FILES_${PN} += "${prefix_nativesdk}"
+FILES_${PN}-dbg = ""
diff --git a/external/meta-clang/recipes-devtools/clang/openmp_git.bb b/external/meta-clang/recipes-devtools/clang/openmp_git.bb
new file mode 100644
index 00000000..30bc3071
--- /dev/null
+++ b/external/meta-clang/recipes-devtools/clang/openmp_git.bb
@@ -0,0 +1,40 @@
+# Copyright (C) 2017 Khem Raj <raj.khem@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+DESCRIPTION = "LLVM based C/C++ compiler Runtime"
+HOMEPAGE = "http://openmp.llvm.org/"
+LICENSE = "MIT | NCSA"
+SECTION = "base"
+
+require clang.inc
+require common-source.inc
+
+DEPENDS += "ninja-native"
+
+RPROVIDES_${PN} += "libgomp"
+RPROVIDES_${PN}-dev += "libgomp-dev"
+
+TOOLCHAIN = "clang"
+
+LIC_FILES_CHKSUM = "file://openmp/LICENSE.txt;md5=5dcbca021bcb2fbc22186bc7a8a159e6"
+
+BASEDEPENDS_remove_toolchain-clang_class-target = "compiler-rt"
+BASEDEPENDS_remove_toolchain-clang_class-target = "libcxx"
+
+inherit cmake pkgconfig perlnative
+
+EXTRA_OECMAKE = "-G Ninja ${S}/openmp"
+
+THUMB_TUNE_CCARGS = ""
+
+do_compile() {
+ ninja ${PARALLEL_MAKE}
+}
+
+do_install() {
+ DESTDIR=${D} ninja ${PARALLEL_MAKE} install
+}
+
+FILES_SOLIBSDEV = ""
+FILES_${PN} += "${libdir}/lib*${SOLIBSDEV}"
+INSANE_SKIP_${PN} = "dev-so"
diff --git a/external/meta-clang/recipes-extended/mdadm/mdadm_%.bbappend b/external/meta-clang/recipes-extended/mdadm/mdadm_%.bbappend
new file mode 100644
index 00000000..903836e5
--- /dev/null
+++ b/external/meta-clang/recipes-extended/mdadm/mdadm_%.bbappend
@@ -0,0 +1,6 @@
+# Fix errors like
+# | super-intel.c:1673:23: error: taking address of packed member 'size_high' of class or structure 'imsm_dev' may result in an unaligned pointer value [-Werror,-Waddress-of-packed-member]
+# | &dev->size_low, &dev->size_high);
+# | ^~~~~~~~~~~~~~
+
+CFLAGS_append_toolchain-clang = " -Wno-error=address-of-packed-member"
diff --git a/external/meta-clang/recipes-gnome/gcr/gcr_%.bbappend b/external/meta-clang/recipes-gnome/gcr/gcr_%.bbappend
new file mode 100644
index 00000000..4432748d
--- /dev/null
+++ b/external/meta-clang/recipes-gnome/gcr/gcr_%.bbappend
@@ -0,0 +1,4 @@
+# qemu crashes when built with hardening flags
+#
+GI_DATA_ENABLED_toolchain-clang = "False"
+
diff --git a/external/meta-clang/recipes-graphics/mesa/mesa_%.bbappend b/external/meta-clang/recipes-graphics/mesa/mesa_%.bbappend
new file mode 100644
index 00000000..fadc95ce
--- /dev/null
+++ b/external/meta-clang/recipes-graphics/mesa/mesa_%.bbappend
@@ -0,0 +1,5 @@
+LDFLAGS_append_toolchain-clang = " -latomic -lm"
+DEPENDS_append_toolchain-clang = " libatomic-ops"
+
+EXTRA_OECONF_append_toolchain-clang_x86 = " --disable-asm"
+EXTRA_OECONF_append_toolchain-clang_x86-64 = " --disable-asm"
diff --git a/external/meta-clang/recipes-kernel/perf/perf.bbappend b/external/meta-clang/recipes-kernel/perf/perf.bbappend
new file mode 100644
index 00000000..df46b9cd
--- /dev/null
+++ b/external/meta-clang/recipes-kernel/perf/perf.bbappend
@@ -0,0 +1 @@
+DEPENDS_append_toolchain-clang_class-target = " clang-cross-${TARGET_ARCH}"
diff --git a/external/meta-clang/recipes-multimedia/libvorbis/libvorbis_%.bbappend b/external/meta-clang/recipes-multimedia/libvorbis/libvorbis_%.bbappend
new file mode 100644
index 00000000..c6fe98c2
--- /dev/null
+++ b/external/meta-clang/recipes-multimedia/libvorbis/libvorbis_%.bbappend
@@ -0,0 +1,4 @@
+# | clang-7: error: unknown argument: '-mfused-madd'
+do_configure_prepend_toolchain-clang() {
+ sed -i -e "s/-mfused-madd//g" ${S}/configure.ac
+}
diff --git a/external/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch b/external/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch
new file mode 100644
index 00000000..919f2b00
--- /dev/null
+++ b/external/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch
@@ -0,0 +1,61 @@
+From c45443a0d3e16b92622bea6b589e5930e8f0d815 Mon Sep 17 00:00:00 2001
+From: Peiran Hong <peiran.hong@windriver.com>
+Date: Fri, 13 Sep 2019 17:02:57 -0400
+Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check.
+
+---
+ netdissect.h | 12 ++++++++++++
+ print-aoe.c | 1 +
+ 2 files changed, 13 insertions(+)
+
+diff --git a/netdissect.h b/netdissect.h
+index 089b0406..cd05fdb9 100644
+--- a/netdissect.h
++++ b/netdissect.h
+@@ -69,6 +69,11 @@ typedef struct {
+ typedef unsigned char nd_uint8_t;
+ typedef signed char nd_int8_t;
+
++/*
++ * Use this for MAC addresses.
++ */
++#define MAC_ADDR_LEN 6 /* length of MAC addresses */
++
+ /* snprintf et al */
+
+ #include <stdarg.h>
+@@ -309,12 +314,19 @@ struct netdissect_options {
+ ((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \
+ (uintptr_t)&(var) <= (uintptr_t)ndo->ndo_snapend - (l)))
+
++#define ND_TTEST_LEN(p, l) \
++ (IS_NOT_NEGATIVE(l) && \
++ ((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \
++ (uintptr_t)(p) <= (uintptr_t)ndo->ndo_snapend - (l)))
++
+ /* True if "var" was captured */
+ #define ND_TTEST(var) ND_TTEST2(var, sizeof(var))
+
+ /* Bail if "l" bytes of "var" were not captured */
+ #define ND_TCHECK2(var, l) if (!ND_TTEST2(var, l)) goto trunc
+
++#define ND_TCHECK_LEN(p, l) if (!ND_TTEST_LEN(p, l)) goto trunc
++
+ /* Bail if "var" was not captured */
+ #define ND_TCHECK(var) ND_TCHECK2(var, sizeof(var))
+
+diff --git a/print-aoe.c b/print-aoe.c
+index 97e93df2..ac097a04 100644
+--- a/print-aoe.c
++++ b/print-aoe.c
+@@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo,
+ goto invalid;
+ /* addresses */
+ for (i = 0; i < nmacs; i++) {
++ ND_TCHECK_LEN(cp, MAC_ADDR_LEN);
+ ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp)));
+ cp += ETHER_ADDR_LEN;
+ }
+--
+2.21.0
+
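Review bot: The bounds check added in `aoev1_reserve_print` tests `MAC_ADDR_LEN` bytes while the loop advances `cp` by `ETHER_ADDR_LEN`, so the check and the read only agree because both constants happen to be 6. Writing `ND_TCHECK_LEN(cp, ETHER_ADDR_LEN);` keeps the guard in step with the advance and makes the new `MAC_ADDR_LEN` define in netdissect.h unnecessary. `ND_TTEST_LEN` depends on `IS_NOT_NEGATIVE` and `ND_TCHECK_LEN` on a `trunc` label in the function; neither is visible in these hunks, so confirm both exist in the 4.9.2 tree. The patch header also carries no `Upstream-Status:`, `CVE:` or `Signed-off-by:` line, which makes the backport harder to trace to the upstream fix.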
diff --git a/external/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb b/external/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb
index d38540e3..14e90b09 100644
--- a/external/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb
+++ b/external/meta-openembedded/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb
@@ -10,6 +10,7 @@ SRC_URI = " \
file://unnecessary-to-check-libpcap.patch \
file://add-ptest.patch \
file://run-ptest \
+ file://0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch \
"
SRC_URI[md5sum] = "9bbc1ee33dab61302411b02dd0515576"
diff --git a/external/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_2.6.6.bb b/external/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_2.6.10.bb
index 4699f679..1bda9ed4 100644
--- a/external/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_2.6.6.bb
+++ b/external/meta-openembedded/meta-networking/recipes-support/wireshark/wireshark_2.6.10.bb
@@ -14,8 +14,8 @@ SRC_URI = "https://1.as.dl.wireshark.org/src/all-versions/${BP}.tar.xz \
UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src"
-SRC_URI[md5sum] = "b30ba5b9b48ed2ff91c0ce357d33b46b"
-SRC_URI[sha256sum] = "487933ea075bdbb25d8df06017d9c4f49fc20eb7f6ec80af086718ed5550e863"
+SRC_URI[md5sum] = "4fd0cd96d990eab0e708339a5e0dc207"
+SRC_URI[sha256sum] = "b8fc32244352437db727a4517371dddfa9ffbf0057cfb58265588876b42b6c7e"
PE = "1"
diff --git a/external/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc b/external/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc
index 4f7784be..f51667d9 100644
--- a/external/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/external/meta-openembedded/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -4,7 +4,7 @@ SECTION = "libs"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe"
-SRC_URI = "https://downloads.mariadb.org/f/${BP}/source/${BP}.tar.gz \
+SRC_URI = "http://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
file://fix-cmake-module-path.patch \
file://remove-bad-path.patch \
file://fix-mysqlclient-r-version.patch \
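Review bot: The new `SRC_URI` fetches the tarball over plain `http://` where the removed line used `https://`, so the download loses transport protection and its integrity rests entirely on the recipe's `SRC_URI` checksums, which are not part of this hunk. If the archive host serves TLS, keep the scheme: `SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \`. Either way, confirm that the versioned recipe pins a `sha256sum` for this tarball and not only an md5.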
diff --git a/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-Sync-our-copy-of-the-timezone-library-with-IANA-rele.patch b/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-Sync-our-copy-of-the-timezone-library-with-IANA-rele.patch
deleted file mode 100644
index 6d8c46e7..00000000
--- a/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-Sync-our-copy-of-the-timezone-library-with-IANA-rele.patch
+++ /dev/null
@@ -1,1164 +0,0 @@
-From 12bfb778ce688fc662a6cb35f6298734fcf4856f Mon Sep 17 00:00:00 2001
-From: Tom Lane <tgl@sss.pgh.pa.us>
-Date: Fri, 19 Oct 2018 19:36:34 -0400
-Subject: [PATCH] Sync our copy of the timezone library with IANA release
- tzcode2018f.
-
-About half of this is purely cosmetic changes to reduce the diff between
-our code and theirs, like inserting "const" markers where they have them.
-
-The other half is tracking actual code changes in zic.c and localtime.c.
-I don't think any of these represent near-term compatibility hazards, but
-it seems best to stay up to date.
-
-I also fixed longstanding bugs in our code for producing the
-known_abbrevs.txt list, which by chance hadn't been exposed before,
-but which resulted in some garbage output after applying the upstream
-changes in zic.c. Notably, because upstream removed their old phony
-transitions at the Big Bang, it's now necessary to cope with TZif files
-containing no DST transition times at all.
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- src/timezone/README | 2 +-
- src/timezone/localtime.c | 126 ++++++++++++------
- src/timezone/pgtz.h | 10 +-
- src/timezone/private.h | 3 +
- src/timezone/strftime.c | 10 +-
- src/timezone/tzfile.h | 7 +-
- src/timezone/zic.c | 330 ++++++++++++++++++++++++++---------------------
- 7 files changed, 291 insertions(+), 197 deletions(-)
-
-Index: postgresql-10.5/src/timezone/README
-===================================================================
---- postgresql-10.5.orig/src/timezone/README
-+++ postgresql-10.5/src/timezone/README
-@@ -55,7 +55,7 @@ match properly on the old version.
- Time Zone code
- ==============
-
--The code in this directory is currently synced with tzcode release 2018e.
-+The code in this directory is currently synced with tzcode release 2018f.
- There are many cosmetic (and not so cosmetic) differences from the
- original tzcode library, but diffs in the upstream version should usually
- be propagated to our version. Here are some notes about that.
-Index: postgresql-10.5/src/timezone/localtime.c
-===================================================================
---- postgresql-10.5.orig/src/timezone/localtime.c
-+++ postgresql-10.5/src/timezone/localtime.c
-@@ -1,3 +1,5 @@
-+/* Convert timestamp from pg_time_t to struct pg_tm. */
-+
- /*
- * This file is in the public domain, so clarified as of
- * 1996-06-05 by Arthur David Olson.
-@@ -117,7 +119,7 @@ init_ttinfo(struct ttinfo *s, int32 gmto
- }
-
- static int32
--detzcode(const char *codep)
-+detzcode(const char *const codep)
- {
- int32 result;
- int i;
-@@ -143,7 +145,7 @@ detzcode(const char *codep)
- }
-
- static int64
--detzcode64(const char *codep)
-+detzcode64(const char *const codep)
- {
- uint64 result;
- int i;
-@@ -258,8 +260,13 @@ tzloadbody(char const *name, char *canon
- int32 charcnt = detzcode(up->tzhead.tzh_charcnt);
- char const *p = up->buf + tzheadsize;
-
-+ /*
-+ * Although tzfile(5) currently requires typecnt to be nonzero,
-+ * support future formats that may allow zero typecnt in files that
-+ * have a TZ string and no transitions.
-+ */
- if (!(0 <= leapcnt && leapcnt < TZ_MAX_LEAPS
-- && 0 < typecnt && typecnt < TZ_MAX_TYPES
-+ && 0 <= typecnt && typecnt < TZ_MAX_TYPES
- && 0 <= timecnt && timecnt < TZ_MAX_TIMES
- && 0 <= charcnt && charcnt < TZ_MAX_CHARS
- && (ttisstdcnt == typecnt || ttisstdcnt == 0)
-@@ -416,8 +423,7 @@ tzloadbody(char const *name, char *canon
- struct state *ts = &lsp->u.st;
-
- up->buf[nread - 1] = '\0';
-- if (tzparse(&up->buf[1], ts, false)
-- && ts->typecnt == 2)
-+ if (tzparse(&up->buf[1], ts, false))
- {
- /*
- * Attempt to reuse existing abbreviations. Without this,
-@@ -430,7 +436,7 @@ tzloadbody(char const *name, char *canon
- int gotabbr = 0;
- int charcnt = sp->charcnt;
-
-- for (i = 0; i < 2; i++)
-+ for (i = 0; i < ts->typecnt; i++)
- {
- char *tsabbr = ts->chars + ts->ttis[i].tt_abbrind;
- int j;
-@@ -455,7 +461,7 @@ tzloadbody(char const *name, char *canon
- }
- }
- }
-- if (gotabbr == 2)
-+ if (gotabbr == ts->typecnt)
- {
- sp->charcnt = charcnt;
-
-@@ -470,7 +476,8 @@ tzloadbody(char const *name, char *canon
- sp->timecnt--;
-
- for (i = 0; i < ts->timecnt; i++)
-- if (sp->ats[sp->timecnt - 1] < ts->ats[i])
-+ if (sp->timecnt == 0
-+ || sp->ats[sp->timecnt - 1] < ts->ats[i])
- break;
- while (i < ts->timecnt
- && sp->timecnt < TZ_MAX_TIMES)
-@@ -481,11 +488,13 @@ tzloadbody(char const *name, char *canon
- sp->timecnt++;
- i++;
- }
-- sp->ttis[sp->typecnt++] = ts->ttis[0];
-- sp->ttis[sp->typecnt++] = ts->ttis[1];
-+ for (i = 0; i < ts->typecnt; i++)
-+ sp->ttis[sp->typecnt++] = ts->ttis[i];
- }
- }
- }
-+ if (sp->typecnt == 0)
-+ return EINVAL;
- if (sp->timecnt > 1)
- {
- for (i = 1; i < sp->timecnt; ++i)
-@@ -507,6 +516,18 @@ tzloadbody(char const *name, char *canon
- }
-
- /*
-+ * Infer sp->defaulttype from the data. Although this default type is
-+ * always zero for data from recent tzdb releases, things are trickier for
-+ * data from tzdb 2018e or earlier.
-+ *
-+ * The first set of heuristics work around bugs in 32-bit data generated
-+ * by tzdb 2013c or earlier. The workaround is for zones like
-+ * Australia/Macquarie where timestamps before the first transition have a
-+ * time type that is not the earliest standard-time type. See:
-+ * https://mm.icann.org/pipermail/tz/2013-May/019368.html
-+ */
-+
-+ /*
- * If type 0 is unused in transitions, it's the type to use for early
- * times.
- */
-@@ -529,6 +550,11 @@ tzloadbody(char const *name, char *canon
- }
-
- /*
-+ * The next heuristics are for data generated by tzdb 2018e or earlier,
-+ * for zones like EST5EDT where the first transition is to DST.
-+ */
-+
-+ /*
- * If no result yet, find the first standard type. If there is none, punt
- * to type zero.
- */
-@@ -542,7 +568,14 @@ tzloadbody(char const *name, char *canon
- break;
- }
- }
-+
-+ /*
-+ * A simple 'sp->defaulttype = 0;' would suffice here if we didn't have to
-+ * worry about 2018e-or-earlier data. Even simpler would be to remove the
-+ * defaulttype member and just use 0 in its place.
-+ */
- sp->defaulttype = i;
-+
- return 0;
- }
-
-@@ -601,10 +634,11 @@ static const int year_lengths[2] = {
- };
-
- /*
-- * Given a pointer into a time zone string, scan until a character that is not
-- * a valid character in a zone name is found. Return a pointer to that
-- * character.
-+ * Given a pointer into a timezone string, scan until a character that is not
-+ * a valid character in a time zone abbreviation is found.
-+ * Return a pointer to that character.
- */
-+
- static const char *
- getzname(const char *strp)
- {
-@@ -617,15 +651,17 @@ getzname(const char *strp)
- }
-
- /*
-- * Given a pointer into an extended time zone string, scan until the ending
-- * delimiter of the zone name is located. Return a pointer to the delimiter.
-+ * Given a pointer into an extended timezone string, scan until the ending
-+ * delimiter of the time zone abbreviation is located.
-+ * Return a pointer to the delimiter.
- *
- * As with getzname above, the legal character set is actually quite
- * restricted, with other characters producing undefined results.
- * We don't do any checking here; checking is done later in common-case code.
- */
-+
- static const char *
--getqzname(const char *strp, int delim)
-+getqzname(const char *strp, const int delim)
- {
- int c;
-
-@@ -635,13 +671,14 @@ getqzname(const char *strp, int delim)
- }
-
- /*
-- * Given a pointer into a time zone string, extract a number from that string.
-+ * Given a pointer into a timezone string, extract a number from that string.
- * Check that the number is within a specified range; if it is not, return
- * NULL.
- * Otherwise, return a pointer to the first character not part of the number.
- */
-+
- static const char *
--getnum(const char *strp, int *nump, int min, int max)
-+getnum(const char *strp, int *const nump, const int min, const int max)
- {
- char c;
- int num;
-@@ -663,14 +700,15 @@ getnum(const char *strp, int *nump, int
- }
-
- /*
-- * Given a pointer into a time zone string, extract a number of seconds,
-+ * Given a pointer into a timezone string, extract a number of seconds,
- * in hh[:mm[:ss]] form, from the string.
- * If any error occurs, return NULL.
- * Otherwise, return a pointer to the first character not part of the number
- * of seconds.
- */
-+
- static const char *
--getsecs(const char *strp, int32 *secsp)
-+getsecs(const char *strp, int32 *const secsp)
- {
- int num;
-
-@@ -704,13 +742,14 @@ getsecs(const char *strp, int32 *secsp)
- }
-
- /*
-- * Given a pointer into a time zone string, extract an offset, in
-+ * Given a pointer into a timezone string, extract an offset, in
- * [+-]hh[:mm[:ss]] form, from the string.
- * If any error occurs, return NULL.
- * Otherwise, return a pointer to the first character not part of the time.
- */
-+
- static const char *
--getoffset(const char *strp, int32 *offsetp)
-+getoffset(const char *strp, int32 *const offsetp)
- {
- bool neg = false;
-
-@@ -730,13 +769,14 @@ getoffset(const char *strp, int32 *offse
- }
-
- /*
-- * Given a pointer into a time zone string, extract a rule in the form
-+ * Given a pointer into a timezone string, extract a rule in the form
- * date[/time]. See POSIX section 8 for the format of "date" and "time".
- * If a valid rule is not found, return NULL.
- * Otherwise, return a pointer to the first character not part of the rule.
- */
-+
- static const char *
--getrule(const char *strp, struct rule *rulep)
-+getrule(const char *strp, struct rule *const rulep)
- {
- if (*strp == 'J')
- {
-@@ -795,9 +835,10 @@ getrule(const char *strp, struct rule *r
- * Given a year, a rule, and the offset from UT at the time that rule takes
- * effect, calculate the year-relative time that rule takes effect.
- */
-+
- static int32
--transtime(int year, const struct rule *rulep,
-- int32 offset)
-+transtime(const int year, const struct rule *const rulep,
-+ const int32 offset)
- {
- bool leapyear;
- int32 value;
-@@ -981,7 +1022,7 @@ tzparse(const char *name, struct state *
- {
- dstname = name;
- name = getzname(name);
-- dstlen = name - dstname; /* length of DST zone name */
-+ dstlen = name - dstname; /* length of DST abbr. */
- }
- if (!dstlen)
- return false;
-@@ -1023,8 +1064,8 @@ tzparse(const char *name, struct state *
- /*
- * Two transitions per year, from EPOCH_YEAR forward.
- */
-- init_ttinfo(&sp->ttis[0], -dstoffset, true, stdlen + 1);
-- init_ttinfo(&sp->ttis[1], -stdoffset, false, 0);
-+ init_ttinfo(&sp->ttis[0], -stdoffset, false, 0);
-+ init_ttinfo(&sp->ttis[1], -dstoffset, true, stdlen + 1);
- sp->defaulttype = 0;
- timecnt = 0;
- janfirst = 0;
-@@ -1073,19 +1114,15 @@ tzparse(const char *name, struct state *
- if (!increment_overflow_time
- (&sp->ats[timecnt],
- janoffset + starttime))
-- sp->types[timecnt++] = reversed;
-- else if (janoffset)
-- sp->defaulttype = reversed;
-+ sp->types[timecnt++] = !reversed;
- sp->ats[timecnt] = janfirst;
- if (!increment_overflow_time
- (&sp->ats[timecnt],
- janoffset + endtime))
- {
-- sp->types[timecnt++] = !reversed;
-+ sp->types[timecnt++] = reversed;
- yearlim = year + YEARSPERREPEAT + 1;
- }
-- else if (janoffset)
-- sp->defaulttype = !reversed;
- }
- if (increment_overflow_time
- (&janfirst, janoffset + yearsecs))
-@@ -1094,7 +1131,10 @@ tzparse(const char *name, struct state *
- }
- sp->timecnt = timecnt;
- if (!timecnt)
-+ {
-+ sp->ttis[0] = sp->ttis[1];
- sp->typecnt = 1; /* Perpetual DST. */
-+ }
- else if (YEARSPERREPEAT < year - yearbeg)
- sp->goback = sp->goahead = true;
- }
-@@ -1163,7 +1203,6 @@ tzparse(const char *name, struct state *
- * otherwise, add the standard time offset to the
- * transition time.
- */
--
- /*
- * Transitions from DST to DDST will effectively disappear
- * since POSIX provides for only one DST offset.
-@@ -1217,7 +1256,7 @@ tzparse(const char *name, struct state *
- }
-
- static void
--gmtload(struct state *sp)
-+gmtload(struct state *const sp)
- {
- if (tzload(gmt, NULL, sp, true) != 0)
- tzparse(gmt, sp, true);
-@@ -1232,7 +1271,7 @@ gmtload(struct state *sp)
- */
- static struct pg_tm *
- localsub(struct state const *sp, pg_time_t const *timep,
-- struct pg_tm *tmp)
-+ struct pg_tm *const tmp)
- {
- const struct ttinfo *ttisp;
- int i;
-@@ -1300,6 +1339,11 @@ localsub(struct state const *sp, pg_time
- }
- ttisp = &sp->ttis[i];
-
-+ /*
-+ * To get (wrong) behavior that's compatible with System V Release 2.0
-+ * you'd replace the statement below with t += ttisp->tt_gmtoff;
-+ * timesub(&t, 0L, sp, tmp);
-+ */
- result = timesub(&t, ttisp->tt_gmtoff, sp, tmp);
- if (result)
- {
-@@ -1322,8 +1366,10 @@ pg_localtime(const pg_time_t *timep, con
- *
- * Except we have a private "struct state" for GMT, so no sp is passed in.
- */
-+
- static struct pg_tm *
--gmtsub(pg_time_t const *timep, int32 offset, struct pg_tm *tmp)
-+gmtsub(pg_time_t const *timep, int32 offset,
-+ struct pg_tm *tmp)
- {
- struct pg_tm *result;
-
-@@ -1337,6 +1383,7 @@ gmtsub(pg_time_t const *timep, int32 off
- gmt_is_set = true;
- gmtload(gmtptr);
- }
-+
- result = timesub(timep, offset, gmtptr, tmp);
-
- /*
-@@ -1361,6 +1408,7 @@ pg_gmtime(const pg_time_t *timep)
- * Return the number of leap years through the end of the given year
- * where, to make the math easy, the answer for year zero is defined as zero.
- */
-+
- static int
- leaps_thru_end_of_nonneg(int y)
- {
-Index: postgresql-10.5/src/timezone/pgtz.h
-===================================================================
---- postgresql-10.5.orig/src/timezone/pgtz.h
-+++ postgresql-10.5/src/timezone/pgtz.h
-@@ -49,10 +49,16 @@ struct state
- pg_time_t ats[TZ_MAX_TIMES];
- unsigned char types[TZ_MAX_TIMES];
- struct ttinfo ttis[TZ_MAX_TYPES];
-- char chars[BIGGEST(BIGGEST(TZ_MAX_CHARS + 1, 3 /* sizeof gmt */ ),
-+ char chars[BIGGEST(BIGGEST(TZ_MAX_CHARS + 1, 4 /* sizeof gmt */ ),
- (2 * (TZ_STRLEN_MAX + 1)))];
- struct lsinfo lsis[TZ_MAX_LEAPS];
-- int defaulttype; /* for early times or if no transitions */
-+
-+ /*
-+ * The time type to use for early times or if no transitions. It is always
-+ * zero for recent tzdb releases. It might be nonzero for data from tzdb
-+ * 2018e or earlier.
-+ */
-+ int defaulttype;
- };
-
-
-Index: postgresql-10.5/src/timezone/private.h
-===================================================================
---- postgresql-10.5.orig/src/timezone/private.h
-+++ postgresql-10.5/src/timezone/private.h
-@@ -1,4 +1,7 @@
-+/* Private header for tzdb code. */
-+
- #ifndef PRIVATE_H
-+
- #define PRIVATE_H
-
- /*
-Index: postgresql-10.5/src/timezone/strftime.c
-===================================================================
---- postgresql-10.5.orig/src/timezone/strftime.c
-+++ postgresql-10.5/src/timezone/strftime.c
-@@ -1,4 +1,4 @@
--/* Convert a broken-down timestamp to a string. */
-+/* Convert a broken-down timestamp to a string. */
-
- /*
- * Copyright 1989 The Regents of the University of California.
-@@ -115,7 +115,7 @@ static char *_add(const char *, char *,
- static char *_conv(int, const char *, char *, const char *);
- static char *_fmt(const char *, const struct pg_tm *, char *, const char *,
- enum warn *);
--static char *_yconv(int, int, bool, bool, char *, const char *);
-+static char *_yconv(int, int, bool, bool, char *, char const *);
-
-
- size_t
-@@ -441,7 +441,8 @@ _fmt(const char *format, const struct pg
-
- /*
- * C99 and later say that %Z must be replaced by the empty
-- * string if the time zone is not determinable.
-+ * string if the time zone abbreviation is not
-+ * determinable.
- */
- continue;
- case 'z':
-@@ -519,6 +520,7 @@ _add(const char *str, char *pt, const ch
- * same output as %Y, and that %Y contains at least 4 bytes,
- * with more only if necessary.
- */
-+
- static char *
- _yconv(int a, int b, bool convert_top, bool convert_yy,
- char *pt, const char *ptlim)
-@@ -526,7 +528,7 @@ _yconv(int a, int b, bool convert_top, b
- int lead;
- int trail;
-
--#define DIVISOR 100
-+#define DIVISOR 100
- trail = a % DIVISOR + b % DIVISOR;
- lead = a / DIVISOR + b / DIVISOR + trail / DIVISOR;
- trail %= DIVISOR;
-Index: postgresql-10.5/src/timezone/tzfile.h
-===================================================================
---- postgresql-10.5.orig/src/timezone/tzfile.h
-+++ postgresql-10.5/src/timezone/tzfile.h
-@@ -1,4 +1,7 @@
-+/* Layout and location of TZif files. */
-+
- #ifndef TZFILE_H
-+
- #define TZFILE_H
-
- /*
-@@ -21,14 +24,14 @@
- * Information about time zone files.
- */
-
--#define TZDEFAULT "localtime"
-+#define TZDEFAULT "/etc/localtime"
- #define TZDEFRULES "posixrules"
-
- /*
- * Each file begins with. . .
- */
-
--#define TZ_MAGIC "TZif"
-+#define TZ_MAGIC "TZif"
-
- struct tzhead
- {
-Index: postgresql-10.5/src/timezone/zic.c
-===================================================================
---- postgresql-10.5.orig/src/timezone/zic.c
-+++ postgresql-10.5/src/timezone/zic.c
-@@ -1,3 +1,5 @@
-+/* Compile .zi time zone data into TZif binary files. */
-+
- /*
- * This file is in the public domain, so clarified as of
- * 2006-07-17 by Arthur David Olson.
-@@ -130,8 +132,7 @@ static void adjleap(void);
- static void associate(void);
- static void dolink(const char *, const char *, bool);
- static char **getfields(char *buf);
--static zic_t gethms(const char *string, const char *errstring,
-- bool);
-+static zic_t gethms(const char *string, const char *errstring);
- static zic_t getstdoff(char *, bool *);
- static void infile(const char *filename);
- static void inleap(char **fields, int nfields);
-@@ -162,7 +163,7 @@ enum
- PERCENT_Z_LEN_BOUND = sizeof "+995959" - 1};
-
- /* If true, work around a bug in Qt 5.6.1 and earlier, which mishandles
-- tz binary files whose POSIX-TZ-style strings contain '<'; see
-+ TZif files whose POSIX-TZ-style strings contain '<'; see
- QTBUG-53071 <https://bugreports.qt.io/browse/QTBUG-53071>. This
- workaround will no longer be needed when Qt 5.6.1 and earlier are
- obsolete, say in the year 2021. */
-@@ -211,7 +212,7 @@ static int typecnt;
- #define ZF_RULE 3
- #define ZF_FORMAT 4
- #define ZF_TILYEAR 5
--#define ZF_TILMONTH 6
-+#define ZF_TILMONTH 6
- #define ZF_TILDAY 7
- #define ZF_TILTIME 8
- #define ZONE_MINFIELDS 5
-@@ -224,12 +225,12 @@ static int typecnt;
- #define ZFC_GMTOFF 0
- #define ZFC_RULE 1
- #define ZFC_FORMAT 2
--#define ZFC_TILYEAR 3
-+#define ZFC_TILYEAR 3
- #define ZFC_TILMONTH 4
- #define ZFC_TILDAY 5
--#define ZFC_TILTIME 6
--#define ZONEC_MINFIELDS 3
--#define ZONEC_MAXFIELDS 7
-+#define ZFC_TILTIME 6
-+#define ZONEC_MINFIELDS 3
-+#define ZONEC_MAXFIELDS 7
-
- /*
- * Which files are which on a Rule line.
-@@ -244,7 +245,7 @@ static int typecnt;
- #define RF_TOD 7
- #define RF_STDOFF 8
- #define RF_ABBRVAR 9
--#define RULE_FIELDS 10
-+#define RULE_FIELDS 10
-
- /*
- * Which fields are which on a Link line.
-@@ -252,7 +253,7 @@ static int typecnt;
-
- #define LF_FROM 1
- #define LF_TO 2
--#define LINK_FIELDS 3
-+#define LINK_FIELDS 3
-
- /*
- * Which fields are which on a Leap line.
-@@ -264,7 +265,7 @@ static int typecnt;
- #define LP_TIME 4
- #define LP_CORR 5
- #define LP_ROLL 6
--#define LEAP_FIELDS 7
-+#define LEAP_FIELDS 7
-
- /*
- * Year synonyms.
-@@ -998,48 +999,6 @@ dolink(char const *fromfield, char const
- static zic_t const min_time = MINVAL(zic_t, TIME_T_BITS_IN_FILE);
- static zic_t const max_time = MAXVAL(zic_t, TIME_T_BITS_IN_FILE);
-
--/*
-- * Estimated time of the Big Bang, in seconds since the POSIX epoch.
-- * rounded downward to the negation of a power of two that is
-- * comfortably outside the error bounds.
-- *
-- * For the time of the Big Bang, see:
-- *
-- * Ade PAR, Aghanim N, Armitage-Caplan C et al. Planck 2013 results.
-- * I. Overview of products and scientific results.
-- * arXiv:1303.5062 2013-03-20 20:10:01 UTC
-- * <https://arxiv.org/pdf/1303.5062v1> [PDF]
-- *
-- * Page 36, Table 9, row Age/Gyr, column Planck+WP+highL+BAO 68% limits
-- * gives the value 13.798 plus-or-minus 0.037 billion years.
-- * Multiplying this by 1000000000 and then by 31557600 (the number of
-- * seconds in an astronomical year) gives a value that is comfortably
-- * less than 2**59, so BIG_BANG is - 2**59.
-- *
-- * BIG_BANG is approximate, and may change in future versions.
-- * Please do not rely on its exact value.
-- */
--
--#ifndef BIG_BANG
--#define BIG_BANG (- (((zic_t) 1) << 59))
--#endif
--
--/* If true, work around GNOME bug 730332
-- <https://bugzilla.gnome.org/show_bug.cgi?id=730332>
-- by refusing to output time stamps before BIG_BANG.
-- Such time stamps are physically suspect anyway.
--
-- The GNOME bug is scheduled to be fixed in GNOME 3.22, and if so
-- this workaround will no longer be needed when GNOME 3.21 and
-- earlier are obsolete, say in the year 2021. */
--enum
--{
--WORK_AROUND_GNOME_BUG_730332 = true};
--
--static const zic_t early_time = (WORK_AROUND_GNOME_BUG_730332
-- ? BIG_BANG
-- : MINVAL(zic_t, TIME_T_BITS_IN_FILE));
--
- /* Return true if NAME is a directory. */
- static bool
- itsdir(char const *name)
-@@ -1281,8 +1240,9 @@ infile(const char *name)
- * A null string maps to zero.
- * Call error with errstring and return zero on errors.
- */
-+
- static zic_t
--gethms(char const *string, char const *errstring, bool signable)
-+gethms(char const *string, char const *errstring)
- {
- /* PG: make hh be int not zic_t to avoid sscanf portability issues */
- int hh;
-@@ -1299,9 +1259,7 @@ gethms(char const *string, char const *e
-
- if (string == NULL || *string == '\0')
- return 0;
-- if (!signable)
-- sign = 1;
-- else if (*string == '-')
-+ if (*string == '-')
- {
- sign = -1;
- ++string;
-@@ -1384,7 +1342,7 @@ getstdoff(char *field, bool *isdst)
- break;
- }
- }
-- stdoff = gethms(field, _("invalid saved time"), true);
-+ stdoff = gethms(field, _("invalid saved time"));
- *isdst = dst < 0 ? stdoff != 0 : dst;
- return stdoff;
- }
-@@ -1399,10 +1357,29 @@ inrule(char **fields, int nfields)
- error(_("wrong number of fields on Rule line"));
- return;
- }
-- if (*fields[RF_NAME] == '\0')
-+ switch (*fields[RF_NAME])
- {
-- error(_("nameless rule"));
-- return;
-+ case '\0':
-+ case ' ':
-+ case '\f':
-+ case '\n':
-+ case '\r':
-+ case '\t':
-+ case '\v':
-+ case '+':
-+ case '-':
-+ case '0':
-+ case '1':
-+ case '2':
-+ case '3':
-+ case '4':
-+ case '5':
-+ case '6':
-+ case '7':
-+ case '8':
-+ case '9':
-+ error(_("Invalid rule name \"%s\""), fields[RF_NAME]);
-+ return;
- }
- r.r_filename = filename;
- r.r_linenum = linenum;
-@@ -1507,7 +1484,7 @@ inzsub(char **fields, int nfields, bool
- }
- z.z_filename = filename;
- z.z_linenum = linenum;
-- z.z_gmtoff = gethms(fields[i_gmtoff], _("invalid UT offset"), true);
-+ z.z_gmtoff = gethms(fields[i_gmtoff], _("invalid UT offset"));
- if ((cp = strchr(fields[i_format], '%')) != NULL)
- {
- if ((*++cp != 's' && *cp != 'z') || strchr(cp, '%')
-@@ -1649,7 +1626,7 @@ inleap(char **fields, int nfields)
- return;
- }
- t = dayoff * SECSPERDAY;
-- tod = gethms(fields[LP_TIME], _("invalid time of day"), false);
-+ tod = gethms(fields[LP_TIME], _("invalid time of day"));
- cp = fields[LP_CORR];
- {
- bool positive;
-@@ -1757,7 +1734,7 @@ rulesub(struct rule *rp, const char *loy
- break;
- }
- }
-- rp->r_tod = gethms(dp, _("invalid time of day"), false);
-+ rp->r_tod = gethms(dp, _("invalid time of day"));
- free(dp);
-
- /*
-@@ -1942,7 +1919,43 @@ is32(const zic_t x)
- }
-
- static void
--writezone(const char *const name, const char *const string, char version)
-+swaptypes(int i, int j)
-+{
-+ {
-+ zic_t t = gmtoffs[i];
-+
-+ gmtoffs[i] = gmtoffs[j];
-+ gmtoffs[j] = t;
-+ }
-+ {
-+ char t = isdsts[i];
-+
-+ isdsts[i] = isdsts[j];
-+ isdsts[j] = t;
-+ }
-+ {
-+ unsigned char t = abbrinds[i];
-+
-+ abbrinds[i] = abbrinds[j];
-+ abbrinds[j] = t;
-+ }
-+ {
-+ bool t = ttisstds[i];
-+
-+ ttisstds[i] = ttisstds[j];
-+ ttisstds[j] = t;
-+ }
-+ {
-+ bool t = ttisgmts[i];
-+
-+ ttisgmts[i] = ttisgmts[j];
-+ ttisgmts[j] = t;
-+ }
-+}
-+
-+static void
-+writezone(const char *const name, const char *const string, char version,
-+ int defaulttype)
- {
- FILE *fp;
- ptrdiff_t i,
-@@ -1977,14 +1990,12 @@ writezone(const char *const name, const
-
- toi = 0;
- fromi = 0;
-- while (fromi < timecnt && attypes[fromi].at < early_time)
-- ++fromi;
- for (; fromi < timecnt; ++fromi)
- {
-- if (toi > 1 && ((attypes[fromi].at +
-- gmtoffs[attypes[toi - 1].type]) <=
-- (attypes[toi - 1].at +
-- gmtoffs[attypes[toi - 2].type])))
-+ if (toi != 0 && ((attypes[fromi].at +
-+ gmtoffs[attypes[toi - 1].type]) <=
-+ (attypes[toi - 1].at + gmtoffs[toi == 1 ? 0
-+ : attypes[toi - 2].type])))
- {
- attypes[toi - 1].type =
- attypes[fromi].type;
-@@ -2019,8 +2030,8 @@ writezone(const char *const name, const
- }
-
- /*
-- * Work around QTBUG-53071 for time stamps less than y2038_boundary - 1,
-- * by inserting a no-op transition at time y2038_boundary - 1. This works
-+ * Work around QTBUG-53071 for timestamps less than y2038_boundary - 1, by
-+ * inserting a no-op transition at time y2038_boundary - 1. This works
- * only for timestamps before the boundary, which should be good enough in
- * practice as QTBUG-53071 should be long-dead by 2038.
- */
-@@ -2116,7 +2127,8 @@ writezone(const char *const name, const
- int thisleapi,
- thisleapcnt,
- thisleaplim;
-- int writetype[TZ_MAX_TYPES];
-+ int old0;
-+ char omittype[TZ_MAX_TYPES];
- int typemap[TZ_MAX_TYPES];
- int thistypecnt;
- char thischars[TZ_MAX_CHARS];
-@@ -2144,28 +2156,19 @@ writezone(const char *const name, const
- error(_("too many transition times"));
- thistimelim = thistimei + thistimecnt;
- thisleaplim = thisleapi + thisleapcnt;
-- for (i = 0; i < typecnt; ++i)
-- writetype[i] = thistimecnt == timecnt;
-- if (thistimecnt == 0)
-- {
-- /*
-- * No transition times fall in the current (32- or 64-bit) window.
-- */
-- if (typecnt != 0)
-- writetype[typecnt - 1] = true;
-- }
-- else
-- {
-- for (i = thistimei - 1; i < thistimelim; ++i)
-- if (i >= 0)
-- writetype[types[i]] = true;
-+ memset(omittype, true, typecnt);
-+ omittype[defaulttype] = false;
-+ for (i = thistimei; i < thistimelim; i++)
-+ omittype[types[i]] = false;
-+
-+ /*
-+ * Reorder types to make DEFAULTTYPE type 0. Use TYPEMAP to swap OLD0
-+ * and DEFAULTTYPE so that DEFAULTTYPE appears as type 0 in the output
-+ * instead of OLD0. TYPEMAP also omits unused types.
-+ */
-+ old0 = strlen(omittype);
-+ swaptypes(old0, defaulttype);
-
-- /*
-- * For America/Godthab and Antarctica/Palmer
-- */
-- if (thistimei == 0)
-- writetype[0] = true;
-- }
- #ifndef LEAVE_SOME_PRE_2011_SYSTEMS_IN_THE_LURCH
-
- /*
-@@ -2187,8 +2190,8 @@ writezone(const char *const name, const
- mrudst = types[i];
- else
- mrustd = types[i];
-- for (i = 0; i < typecnt; ++i)
-- if (writetype[i])
-+ for (i = old0; i < typecnt; i++)
-+ if (!omittype[i])
- {
- if (isdsts[i])
- hidst = i;
-@@ -2205,7 +2208,7 @@ writezone(const char *const name, const
- ttisstds[mrudst],
- ttisgmts[mrudst]);
- isdsts[mrudst] = 1;
-- writetype[type] = true;
-+ omittype[type] = false;
- }
- if (histd >= 0 && mrustd >= 0 && histd != mrustd &&
- gmtoffs[histd] != gmtoffs[mrustd])
-@@ -2217,22 +2220,26 @@ writezone(const char *const name, const
- ttisstds[mrustd],
- ttisgmts[mrustd]);
- isdsts[mrustd] = 0;
-- writetype[type] = true;
-+ omittype[type] = false;
- }
- }
- #endif /* !defined
- * LEAVE_SOME_PRE_2011_SYSTEMS_IN_THE_LURCH */
- thistypecnt = 0;
-- for (i = 0; i < typecnt; ++i)
-- typemap[i] = writetype[i] ? thistypecnt++ : -1;
-+ for (i = old0; i < typecnt; i++)
-+ if (!omittype[i])
-+ typemap[i == old0 ? defaulttype
-+ : i == defaulttype ? old0 : i]
-+ = thistypecnt++;
-+
- for (i = 0; i < sizeof indmap / sizeof indmap[0]; ++i)
- indmap[i] = -1;
- thischarcnt = 0;
-- for (i = 0; i < typecnt; ++i)
-+ for (i = old0; i < typecnt; i++)
- {
- char *thisabbr;
-
-- if (!writetype[i])
-+ if (omittype[i])
- continue;
- if (indmap[abbrinds[i]] >= 0)
- continue;
-@@ -2267,23 +2274,16 @@ writezone(const char *const name, const
- DO(tzh_typecnt);
- DO(tzh_charcnt);
- #undef DO
-- for (i = thistimei; i < thistimelim; ++i)
-- if (pass == 1)
-
-- /*
-- * Output an INT32_MIN "transition" if appropriate; see above.
-- */
-- puttzcode(((ats[i] < PG_INT32_MIN) ?
-- PG_INT32_MIN : ats[i]), fp);
-- else
-+ /* PG: print current timezone abbreviations if requested */
-+ if (print_abbrevs && pass == 2)
-+ {
-+ /* Print "type" data for periods ending after print_cutoff */
-+ for (i = thistimei; i < thistimelim; ++i)
- {
-- puttzcode64(ats[i], fp);
--
-- /* Print current timezone abbreviations if requested */
-- if (print_abbrevs &&
-- (i == thistimelim - 1 || ats[i + 1] > print_cutoff))
-+ if (i == thistimelim - 1 || ats[i + 1] > print_cutoff)
- {
-- unsigned char tm = typemap[types[i]];
-+ unsigned char tm = types[i];
- char *thisabbrev = &thischars[indmap[abbrinds[tm]]];
-
- /* filter out assorted junk entries */
-@@ -2295,6 +2295,32 @@ writezone(const char *const name, const
- isdsts[tm] ? "\tD" : "");
- }
- }
-+ /* Print the default type if we have no transitions at all */
-+ if (thistimei >= thistimelim)
-+ {
-+ unsigned char tm = defaulttype;
-+ char *thisabbrev = &thischars[indmap[abbrinds[tm]]];
-+
-+ /* filter out assorted junk entries */
-+ if (strcmp(thisabbrev, GRANDPARENTED) != 0 &&
-+ strcmp(thisabbrev, "zzz") != 0)
-+ fprintf(stdout, "%s\t" INT64_FORMAT "%s\n",
-+ thisabbrev,
-+ gmtoffs[tm],
-+ isdsts[tm] ? "\tD" : "");
-+ }
-+ }
-+
-+ for (i = thistimei; i < thistimelim; ++i)
-+ if (pass == 1)
-+
-+ /*
-+ * Output an INT32_MIN "transition" if appropriate; see above.
-+ */
-+ puttzcode(((ats[i] < PG_INT32_MIN) ?
-+ PG_INT32_MIN : ats[i]), fp);
-+ else
-+ puttzcode64(ats[i], fp);
- for (i = thistimei; i < thistimelim; ++i)
- {
- unsigned char uc;
-@@ -2302,8 +2328,8 @@ writezone(const char *const name, const
- uc = typemap[types[i]];
- fwrite(&uc, sizeof uc, 1, fp);
- }
-- for (i = 0; i < typecnt; ++i)
-- if (writetype[i])
-+ for (i = old0; i < typecnt; i++)
-+ if (!omittype[i])
- {
- puttzcode(gmtoffs[i], fp);
- putc(isdsts[i], fp);
-@@ -2346,12 +2372,13 @@ writezone(const char *const name, const
- puttzcode64(todo, fp);
- puttzcode(corr[i], fp);
- }
-- for (i = 0; i < typecnt; ++i)
-- if (writetype[i])
-+ for (i = old0; i < typecnt; i++)
-+ if (!omittype[i])
- putc(ttisstds[i], fp);
-- for (i = 0; i < typecnt; ++i)
-- if (writetype[i])
-+ for (i = old0; i < typecnt; i++)
-+ if (!omittype[i])
- putc(ttisgmts[i], fp);
-+ swaptypes(old0, defaulttype);
- }
- fprintf(fp, "\n%s\n", string);
- close_file(fp, directory, name);
-@@ -2757,6 +2784,7 @@ outzone(const struct zone *zpfirst, ptrd
- zic_t one = 1;
- zic_t y2038_boundary = one << 31;
- zic_t max_year0;
-+ int defaulttype = -1;
-
- max_abbr_len = 2 + max_format_len + max_abbrvar_len;
- max_envvar_len = 2 * max_abbr_len + 5 * 9;
-@@ -2880,9 +2908,9 @@ outzone(const struct zone *zpfirst, ptrd
- */
- stdoff = 0;
- zp = &zpfirst[i];
-- usestart = i > 0 && (zp - 1)->z_untiltime > early_time;
-+ usestart = i > 0 && (zp - 1)->z_untiltime > min_time;
- useuntil = i < (zonecount - 1);
-- if (useuntil && zp->z_untiltime <= early_time)
-+ if (useuntil && zp->z_untiltime <= min_time)
- continue;
- gmtoff = zp->z_gmtoff;
- eat(zp->z_filename, zp->z_linenum);
-@@ -2901,7 +2929,7 @@ outzone(const struct zone *zpfirst, ptrd
- usestart = false;
- }
- else
-- addtt(early_time, type);
-+ defaulttype = type;
- }
- else
- for (year = min_year; year <= max_year; ++year)
-@@ -3032,6 +3060,8 @@ outzone(const struct zone *zpfirst, ptrd
- offset = oadd(zp->z_gmtoff, rp->r_stdoff);
- type = addtype(offset, ab, rp->r_isdst,
- rp->r_todisstd, rp->r_todisgmt);
-+ if (defaulttype < 0 && !rp->r_isdst)
-+ defaulttype = type;
- if (rp->r_hiyear == ZIC_MAX
- && !(0 <= lastatmax
- && ktime < attypes[lastatmax].at))
-@@ -3050,11 +3080,15 @@ outzone(const struct zone *zpfirst, ptrd
- if (*startbuf == '\0')
- error(_("cannot determine time zone abbreviation to use just after until time"));
- else
-- addtt(starttime,
-- addtype(startoff, startbuf,
-- startoff != zp->z_gmtoff,
-- startttisstd,
-- startttisgmt));
-+ {
-+ bool isdst = startoff != zp->z_gmtoff;
-+
-+ type = addtype(startoff, startbuf, isdst,
-+ startttisstd, startttisgmt);
-+ if (defaulttype < 0 && !isdst)
-+ defaulttype = type;
-+ addtt(starttime, type);
-+ }
- }
-
- /*
-@@ -3071,6 +3105,8 @@ outzone(const struct zone *zpfirst, ptrd
- starttime = tadd(starttime, -gmtoff);
- }
- }
-+ if (defaulttype < 0)
-+ defaulttype = 0;
- if (0 <= lastatmax)
- attypes[lastatmax].dontmerge = true;
- if (do_extend)
-@@ -3100,7 +3136,7 @@ outzone(const struct zone *zpfirst, ptrd
- attypes[timecnt - 1].dontmerge = true;
- }
- }
-- writezone(zpfirst->z_name, envvar, version);
-+ writezone(zpfirst->z_name, envvar, version, defaulttype);
- free(startbuf);
- free(ab);
- free(envvar);
-@@ -3109,21 +3145,6 @@ outzone(const struct zone *zpfirst, ptrd
- static void
- addtt(zic_t starttime, int type)
- {
-- if (starttime <= early_time
-- || (timecnt == 1 && attypes[0].at < early_time))
-- {
-- gmtoffs[0] = gmtoffs[type];
-- isdsts[0] = isdsts[type];
-- ttisstds[0] = ttisstds[type];
-- ttisgmts[0] = ttisgmts[type];
-- if (abbrinds[type] != 0)
-- strcpy(chars, &chars[abbrinds[type]]);
-- abbrinds[0] = 0;
-- charcnt = strlen(chars) + 1;
-- typecnt = 1;
-- timecnt = 0;
-- type = 0;
-- }
- attypes = growalloc(attypes, sizeof *attypes, timecnt, &timecnt_alloc);
- attypes[timecnt].at = starttime;
- attypes[timecnt].dontmerge = false;
-@@ -3361,7 +3382,7 @@ is_alpha(char a)
- }
-
- /* If A is an uppercase character in the C locale, return its lowercase
-- * counterpart. Otherwise, return A. */
-+ counterpart. Otherwise, return A. */
- static char
- lowerit(char a)
- {
-@@ -3628,6 +3649,18 @@ rpytime(const struct rule *rp, zic_t wan
- dayoff = 0;
- m = TM_JANUARY;
- y = EPOCH_YEAR;
-+ if (y < wantedy)
-+ {
-+ wantedy -= y;
-+ dayoff = (wantedy / YEARSPERREPEAT) * (SECSPERREPEAT / SECSPERDAY);
-+ wantedy %= YEARSPERREPEAT;
-+ wantedy += y;
-+ }
-+ else if (wantedy < 0)
-+ {
-+ dayoff = (wantedy / YEARSPERREPEAT) * (SECSPERREPEAT / SECSPERDAY);
-+ wantedy %= YEARSPERREPEAT;
-+ }
- while (wantedy != y)
- {
- if (wantedy > y)
-@@ -3706,7 +3739,6 @@ will not work with pre-2004 versions of
- if (dayoff > max_time / SECSPERDAY)
- return max_time;
- t = (zic_t) dayoff * SECSPERDAY;
--
- return tadd(t, rp->r_tod);
- }
-
diff --git a/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-Update-time-zone-data-files-to-tzdata-release-2018f.patch b/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-Update-time-zone-data-files-to-tzdata-release-2018f.patch
deleted file mode 100644
index 41e763c5..00000000
--- a/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/files/0001-Update-time-zone-data-files-to-tzdata-release-2018f.patch
+++ /dev/null
@@ -1,6452 +0,0 @@
-From 13877d30f2ec93f6043937f76af207dcc614a4e7 Mon Sep 17 00:00:00 2001
-From: Tom Lane <tgl@sss.pgh.pa.us>
-Date: Fri, 19 Oct 2018 17:01:34 -0400
-Subject: [PATCH] Update time zone data files to tzdata release 2018f.
-
-DST law changes in Chile, Fiji, and Russia (Volgograd).
-Historical corrections for China, Japan, Macau, and North Korea.
-
-Note: like the previous tzdata update, this involves a depressingly
-large amount of semantically-meaningless churn in tzdata.zi. That
-is a consequence of upstream's data compression method assigning
-unstable abbreviations to DST rulesets. I complained about that
-to them last time, and this version now uses an assignment method
-that pays some heed to not changing abbreviations unnecessarily.
-So hopefully, that'll be better going forward.
-
-Upstream-Status: Backport
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- src/timezone/data/tzdata.zi | 5273 +++++++++++++++++++-------------------
- src/timezone/known_abbrevs.txt | 1 +
- src/timezone/tznames/America.txt | 3 +
- src/timezone/tznames/Asia.txt | 4 +
- src/timezone/tznames/Default | 3 +
- src/timezone/tznames/Pacific.txt | 3 +
- 6 files changed, 2660 insertions(+), 2627 deletions(-)
-
-diff --git a/src/timezone/data/tzdata.zi b/src/timezone/data/tzdata.zi
-index c470112..6d98902 100644
---- a/src/timezone/data/tzdata.zi
-+++ b/src/timezone/data/tzdata.zi
-@@ -1,36 +1,36 @@
--# version 2018e
-+# version 2018f
- # This zic input file is in the public domain.
--R A 1916 o - Jun 14 23s 1 S
--R A 1916 1919 - O Sun>=1 23s 0 -
--R A 1917 o - Mar 24 23s 1 S
--R A 1918 o - Mar 9 23s 1 S
--R A 1919 o - Mar 1 23s 1 S
--R A 1920 o - F 14 23s 1 S
--R A 1920 o - O 23 23s 0 -
--R A 1921 o - Mar 14 23s 1 S
--R A 1921 o - Jun 21 23s 0 -
--R A 1939 o - S 11 23s 1 S
--R A 1939 o - N 19 1 0 -
--R A 1944 1945 - Ap M>=1 2 1 S
--R A 1944 o - O 8 2 0 -
--R A 1945 o - S 16 1 0 -
--R A 1971 o - Ap 25 23s 1 S
--R A 1971 o - S 26 23s 0 -
--R A 1977 o - May 6 0 1 S
--R A 1977 o - O 21 0 0 -
--R A 1978 o - Mar 24 1 1 S
--R A 1978 o - S 22 3 0 -
--R A 1980 o - Ap 25 0 1 S
--R A 1980 o - O 31 2 0 -
-+R d 1916 o - Jun 14 23s 1 S
-+R d 1916 1919 - O Sun>=1 23s 0 -
-+R d 1917 o - Mar 24 23s 1 S
-+R d 1918 o - Mar 9 23s 1 S
-+R d 1919 o - Mar 1 23s 1 S
-+R d 1920 o - F 14 23s 1 S
-+R d 1920 o - O 23 23s 0 -
-+R d 1921 o - Mar 14 23s 1 S
-+R d 1921 o - Jun 21 23s 0 -
-+R d 1939 o - S 11 23s 1 S
-+R d 1939 o - N 19 1 0 -
-+R d 1944 1945 - Ap M>=1 2 1 S
-+R d 1944 o - O 8 2 0 -
-+R d 1945 o - S 16 1 0 -
-+R d 1971 o - Ap 25 23s 1 S
-+R d 1971 o - S 26 23s 0 -
-+R d 1977 o - May 6 0 1 S
-+R d 1977 o - O 21 0 0 -
-+R d 1978 o - Mar 24 1 1 S
-+R d 1978 o - S 22 3 0 -
-+R d 1980 o - Ap 25 0 1 S
-+R d 1980 o - O 31 2 0 -
- Z Africa/Algiers 0:12:12 - LMT 1891 Mar 15 0:1
- 0:9:21 - PMT 1911 Mar 11
--0 A WE%sT 1940 F 25 2
--1 A CE%sT 1946 O 7
-+0 d WE%sT 1940 F 25 2
-+1 d CE%sT 1946 O 7
- 0 - WET 1956 Ja 29
- 1 - CET 1963 Ap 14
--0 A WE%sT 1977 O 21
--1 A CE%sT 1979 O 26
--0 A WE%sT 1981 May
-+0 d WE%sT 1977 O 21
-+1 d CE%sT 1979 O 26
-+0 d WE%sT 1981 May
- 1 - CET
- Z Atlantic/Cape_Verde -1:34:4 - LMT 1912 Ja 1 2u
- -2 - -02 1942 S
-@@ -52,44 +52,44 @@ Li Africa/Abidjan Africa/Lome
- Li Africa/Abidjan Africa/Nouakchott
- Li Africa/Abidjan Africa/Ouagadougou
- Li Africa/Abidjan Atlantic/St_Helena
--R B 1940 o - Jul 15 0 1 S
--R B 1940 o - O 1 0 0 -
--R B 1941 o - Ap 15 0 1 S
--R B 1941 o - S 16 0 0 -
--R B 1942 1944 - Ap 1 0 1 S
--R B 1942 o - O 27 0 0 -
--R B 1943 1945 - N 1 0 0 -
--R B 1945 o - Ap 16 0 1 S
--R B 1957 o - May 10 0 1 S
--R B 1957 1958 - O 1 0 0 -
--R B 1958 o - May 1 0 1 S
--R B 1959 1981 - May 1 1 1 S
--R B 1959 1965 - S 30 3 0 -
--R B 1966 1994 - O 1 3 0 -
--R B 1982 o - Jul 25 1 1 S
--R B 1983 o - Jul 12 1 1 S
--R B 1984 1988 - May 1 1 1 S
--R B 1989 o - May 6 1 1 S
--R B 1990 1994 - May 1 1 1 S
--R B 1995 2010 - Ap lastF 0s 1 S
--R B 1995 2005 - S lastTh 24 0 -
--R B 2006 o - S 21 24 0 -
--R B 2007 o - S Th>=1 24 0 -
--R B 2008 o - Au lastTh 24 0 -
--R B 2009 o - Au 20 24 0 -
--R B 2010 o - Au 10 24 0 -
--R B 2010 o - S 9 24 1 S
--R B 2010 o - S lastTh 24 0 -
--R B 2014 o - May 15 24 1 S
--R B 2014 o - Jun 26 24 0 -
--R B 2014 o - Jul 31 24 1 S
--R B 2014 o - S lastTh 24 0 -
-+R K 1940 o - Jul 15 0 1 S
-+R K 1940 o - O 1 0 0 -
-+R K 1941 o - Ap 15 0 1 S
-+R K 1941 o - S 16 0 0 -
-+R K 1942 1944 - Ap 1 0 1 S
-+R K 1942 o - O 27 0 0 -
-+R K 1943 1945 - N 1 0 0 -
-+R K 1945 o - Ap 16 0 1 S
-+R K 1957 o - May 10 0 1 S
-+R K 1957 1958 - O 1 0 0 -
-+R K 1958 o - May 1 0 1 S
-+R K 1959 1981 - May 1 1 1 S
-+R K 1959 1965 - S 30 3 0 -
-+R K 1966 1994 - O 1 3 0 -
-+R K 1982 o - Jul 25 1 1 S
-+R K 1983 o - Jul 12 1 1 S
-+R K 1984 1988 - May 1 1 1 S
-+R K 1989 o - May 6 1 1 S
-+R K 1990 1994 - May 1 1 1 S
-+R K 1995 2010 - Ap lastF 0s 1 S
-+R K 1995 2005 - S lastTh 24 0 -
-+R K 2006 o - S 21 24 0 -
-+R K 2007 o - S Th>=1 24 0 -
-+R K 2008 o - Au lastTh 24 0 -
-+R K 2009 o - Au 20 24 0 -
-+R K 2010 o - Au 10 24 0 -
-+R K 2010 o - S 9 24 1 S
-+R K 2010 o - S lastTh 24 0 -
-+R K 2014 o - May 15 24 1 S
-+R K 2014 o - Jun 26 24 0 -
-+R K 2014 o - Jul 31 24 1 S
-+R K 2014 o - S lastTh 24 0 -
- Z Africa/Cairo 2:5:9 - LMT 1900 O
--2 B EE%sT
--R C 1920 1942 - S 1 0 0:20 -
--R C 1920 1942 - D 31 0 0 -
-+2 K EE%sT
-+R GH 1920 1942 - S 1 0 0:20 -
-+R GH 1920 1942 - D 31 0 0 -
- Z Africa/Accra -0:0:52 - LMT 1918
--0 C GMT/+0020
-+0 GH GMT/+0020
- Z Africa/Bissau -1:2:20 - LMT 1912 Ja 1 1u
- -1 - -01 1975
- 0 - GMT
-@@ -111,99 +111,99 @@ Z Africa/Monrovia -0:43:8 - LMT 1882
- -0:43:8 - MMT 1919 Mar
- -0:44:30 - MMT 1972 Ja 7
- 0 - GMT
--R D 1951 o - O 14 2 1 S
--R D 1952 o - Ja 1 0 0 -
--R D 1953 o - O 9 2 1 S
--R D 1954 o - Ja 1 0 0 -
--R D 1955 o - S 30 0 1 S
--R D 1956 o - Ja 1 0 0 -
--R D 1982 1984 - Ap 1 0 1 S
--R D 1982 1985 - O 1 0 0 -
--R D 1985 o - Ap 6 0 1 S
--R D 1986 o - Ap 4 0 1 S
--R D 1986 o - O 3 0 0 -
--R D 1987 1989 - Ap 1 0 1 S
--R D 1987 1989 - O 1 0 0 -
--R D 1997 o - Ap 4 0 1 S
--R D 1997 o - O 4 0 0 -
--R D 2013 o - Mar lastF 1 1 S
--R D 2013 o - O lastF 2 0 -
-+R L 1951 o - O 14 2 1 S
-+R L 1952 o - Ja 1 0 0 -
-+R L 1953 o - O 9 2 1 S
-+R L 1954 o - Ja 1 0 0 -
-+R L 1955 o - S 30 0 1 S
-+R L 1956 o - Ja 1 0 0 -
-+R L 1982 1984 - Ap 1 0 1 S
-+R L 1982 1985 - O 1 0 0 -
-+R L 1985 o - Ap 6 0 1 S
-+R L 1986 o - Ap 4 0 1 S
-+R L 1986 o - O 3 0 0 -
-+R L 1987 1989 - Ap 1 0 1 S
-+R L 1987 1989 - O 1 0 0 -
-+R L 1997 o - Ap 4 0 1 S
-+R L 1997 o - O 4 0 0 -
-+R L 2013 o - Mar lastF 1 1 S
-+R L 2013 o - O lastF 2 0 -
- Z Africa/Tripoli 0:52:44 - LMT 1920
--1 D CE%sT 1959
-+1 L CE%sT 1959
- 2 - EET 1982
--1 D CE%sT 1990 May 4
-+1 L CE%sT 1990 May 4
- 2 - EET 1996 S 30
--1 D CE%sT 1997 O 4
-+1 L CE%sT 1997 O 4
- 2 - EET 2012 N 10 2
--1 D CE%sT 2013 O 25 2
-+1 L CE%sT 2013 O 25 2
- 2 - EET
--R E 1982 o - O 10 0 1 -
--R E 1983 o - Mar 21 0 0 -
--R E 2008 o - O lastSun 2 1 -
--R E 2009 o - Mar lastSun 2 0 -
-+R MU 1982 o - O 10 0 1 -
-+R MU 1983 o - Mar 21 0 0 -
-+R MU 2008 o - O lastSun 2 1 -
-+R MU 2009 o - Mar lastSun 2 0 -
- Z Indian/Mauritius 3:50 - LMT 1907
--4 E +04/+05
--R F 1939 o - S 12 0 1 S
--R F 1939 o - N 19 0 0 -
--R F 1940 o - F 25 0 1 S
--R F 1945 o - N 18 0 0 -
--R F 1950 o - Jun 11 0 1 S
--R F 1950 o - O 29 0 0 -
--R F 1967 o - Jun 3 12 1 S
--R F 1967 o - O 1 0 0 -
--R F 1974 o - Jun 24 0 1 S
--R F 1974 o - S 1 0 0 -
--R F 1976 1977 - May 1 0 1 S
--R F 1976 o - Au 1 0 0 -
--R F 1977 o - S 28 0 0 -
--R F 1978 o - Jun 1 0 1 S
--R F 1978 o - Au 4 0 0 -
--R F 2008 o - Jun 1 0 1 S
--R F 2008 o - S 1 0 0 -
--R F 2009 o - Jun 1 0 1 S
--R F 2009 o - Au 21 0 0 -
--R F 2010 o - May 2 0 1 S
--R F 2010 o - Au 8 0 0 -
--R F 2011 o - Ap 3 0 1 S
--R F 2011 o - Jul 31 0 0 -
--R F 2012 2013 - Ap lastSun 2 1 S
--R F 2012 o - Jul 20 3 0 -
--R F 2012 o - Au 20 2 1 S
--R F 2012 o - S 30 3 0 -
--R F 2013 o - Jul 7 3 0 -
--R F 2013 o - Au 10 2 1 S
--R F 2013 ma - O lastSun 3 0 -
--R F 2014 2021 - Mar lastSun 2 1 S
--R F 2014 o - Jun 28 3 0 -
--R F 2014 o - Au 2 2 1 S
--R F 2015 o - Jun 14 3 0 -
--R F 2015 o - Jul 19 2 1 S
--R F 2016 o - Jun 5 3 0 -
--R F 2016 o - Jul 10 2 1 S
--R F 2017 o - May 21 3 0 -
--R F 2017 o - Jul 2 2 1 S
--R F 2018 o - May 13 3 0 -
--R F 2018 o - Jun 17 2 1 S
--R F 2019 o - May 5 3 0 -
--R F 2019 o - Jun 9 2 1 S
--R F 2020 o - Ap 19 3 0 -
--R F 2020 o - May 24 2 1 S
--R F 2021 o - Ap 11 3 0 -
--R F 2021 o - May 16 2 1 S
--R F 2022 o - May 8 2 1 S
--R F 2023 o - Ap 23 2 1 S
--R F 2024 o - Ap 14 2 1 S
--R F 2025 o - Ap 6 2 1 S
--R F 2026 ma - Mar lastSun 2 1 S
--R F 2036 o - O 19 3 0 -
--R F 2037 o - O 4 3 0 -
-+4 MU +04/+05
-+R M 1939 o - S 12 0 1 S
-+R M 1939 o - N 19 0 0 -
-+R M 1940 o - F 25 0 1 S
-+R M 1945 o - N 18 0 0 -
-+R M 1950 o - Jun 11 0 1 S
-+R M 1950 o - O 29 0 0 -
-+R M 1967 o - Jun 3 12 1 S
-+R M 1967 o - O 1 0 0 -
-+R M 1974 o - Jun 24 0 1 S
-+R M 1974 o - S 1 0 0 -
-+R M 1976 1977 - May 1 0 1 S
-+R M 1976 o - Au 1 0 0 -
-+R M 1977 o - S 28 0 0 -
-+R M 1978 o - Jun 1 0 1 S
-+R M 1978 o - Au 4 0 0 -
-+R M 2008 o - Jun 1 0 1 S
-+R M 2008 o - S 1 0 0 -
-+R M 2009 o - Jun 1 0 1 S
-+R M 2009 o - Au 21 0 0 -
-+R M 2010 o - May 2 0 1 S
-+R M 2010 o - Au 8 0 0 -
-+R M 2011 o - Ap 3 0 1 S
-+R M 2011 o - Jul 31 0 0 -
-+R M 2012 2013 - Ap lastSun 2 1 S
-+R M 2012 o - Jul 20 3 0 -
-+R M 2012 o - Au 20 2 1 S
-+R M 2012 o - S 30 3 0 -
-+R M 2013 o - Jul 7 3 0 -
-+R M 2013 o - Au 10 2 1 S
-+R M 2013 ma - O lastSun 3 0 -
-+R M 2014 2021 - Mar lastSun 2 1 S
-+R M 2014 o - Jun 28 3 0 -
-+R M 2014 o - Au 2 2 1 S
-+R M 2015 o - Jun 14 3 0 -
-+R M 2015 o - Jul 19 2 1 S
-+R M 2016 o - Jun 5 3 0 -
-+R M 2016 o - Jul 10 2 1 S
-+R M 2017 o - May 21 3 0 -
-+R M 2017 o - Jul 2 2 1 S
-+R M 2018 o - May 13 3 0 -
-+R M 2018 o - Jun 17 2 1 S
-+R M 2019 o - May 5 3 0 -
-+R M 2019 o - Jun 9 2 1 S
-+R M 2020 o - Ap 19 3 0 -
-+R M 2020 o - May 24 2 1 S
-+R M 2021 o - Ap 11 3 0 -
-+R M 2021 o - May 16 2 1 S
-+R M 2022 o - May 8 2 1 S
-+R M 2023 o - Ap 23 2 1 S
-+R M 2024 o - Ap 14 2 1 S
-+R M 2025 o - Ap 6 2 1 S
-+R M 2026 ma - Mar lastSun 2 1 S
-+R M 2036 o - O 19 3 0 -
-+R M 2037 o - O 4 3 0 -
- Z Africa/Casablanca -0:30:20 - LMT 1913 O 26
--0 F WE%sT 1984 Mar 16
-+0 M WE%sT 1984 Mar 16
- 1 - CET 1986
--0 F WE%sT
-+0 M WE%sT
- Z Africa/El_Aaiun -0:52:48 - LMT 1934
- -1 - -01 1976 Ap 14
--0 F WE%sT
-+0 M WE%sT
- Z Africa/Maputo 2:10:20 - LMT 1903 Mar
- 2 - CAT
- Li Africa/Maputo Africa/Blantyre
-@@ -213,15 +213,15 @@ Li Africa/Maputo Africa/Harare
- Li Africa/Maputo Africa/Kigali
- Li Africa/Maputo Africa/Lubumbashi
- Li Africa/Maputo Africa/Lusaka
--R G 1994 o - Mar 21 0 -1 WAT
--R G 1994 2017 - S Sun>=1 2 0 CAT
--R G 1995 2017 - Ap Sun>=1 2 -1 WAT
-+R NA 1994 o - Mar 21 0 -1 WAT
-+R NA 1994 2017 - S Sun>=1 2 0 CAT
-+R NA 1995 2017 - Ap Sun>=1 2 -1 WAT
- Z Africa/Windhoek 1:8:24 - LMT 1892 F 8
- 1:30 - +0130 1903 Mar
- 2 - SAST 1942 S 20 2
- 2 1 SAST 1943 Mar 21 2
- 2 - SAST 1990 Mar 21
--2 G %s
-+2 NA %s
- Z Africa/Lagos 0:13:36 - LMT 1919 S
- 1 - WAT
- Li Africa/Lagos Africa/Bangui
-@@ -241,52 +241,52 @@ Z Africa/Sao_Tome 0:26:56 - LMT 1884
- 1 - WAT
- Z Indian/Mahe 3:41:48 - LMT 1906 Jun
- 4 - +04
--R H 1942 1943 - S Sun>=15 2 1 -
--R H 1943 1944 - Mar Sun>=15 2 0 -
-+R SA 1942 1943 - S Sun>=15 2 1 -
-+R SA 1943 1944 - Mar Sun>=15 2 0 -
- Z Africa/Johannesburg 1:52 - LMT 1892 F 8
- 1:30 - SAST 1903 Mar
--2 H SAST
-+2 SA SAST
- Li Africa/Johannesburg Africa/Maseru
- Li Africa/Johannesburg Africa/Mbabane
--R I 1970 o - May 1 0 1 S
--R I 1970 1985 - O 15 0 0 -
--R I 1971 o - Ap 30 0 1 S
--R I 1972 1985 - Ap lastSun 0 1 S
-+R SD 1970 o - May 1 0 1 S
-+R SD 1970 1985 - O 15 0 0 -
-+R SD 1971 o - Ap 30 0 1 S
-+R SD 1972 1985 - Ap lastSun 0 1 S
- Z Africa/Khartoum 2:10:8 - LMT 1931
--2 I CA%sT 2000 Ja 15 12
-+2 SD CA%sT 2000 Ja 15 12
- 3 - EAT 2017 N
- 2 - CAT
- Z Africa/Juba 2:6:28 - LMT 1931
--2 I CA%sT 2000 Ja 15 12
-+2 SD CA%sT 2000 Ja 15 12
- 3 - EAT
--R J 1939 o - Ap 15 23s 1 S
--R J 1939 o - N 18 23s 0 -
--R J 1940 o - F 25 23s 1 S
--R J 1941 o - O 6 0 0 -
--R J 1942 o - Mar 9 0 1 S
--R J 1942 o - N 2 3 0 -
--R J 1943 o - Mar 29 2 1 S
--R J 1943 o - Ap 17 2 0 -
--R J 1943 o - Ap 25 2 1 S
--R J 1943 o - O 4 2 0 -
--R J 1944 1945 - Ap M>=1 2 1 S
--R J 1944 o - O 8 0 0 -
--R J 1945 o - S 16 0 0 -
--R J 1977 o - Ap 30 0s 1 S
--R J 1977 o - S 24 0s 0 -
--R J 1978 o - May 1 0s 1 S
--R J 1978 o - O 1 0s 0 -
--R J 1988 o - Jun 1 0s 1 S
--R J 1988 1990 - S lastSun 0s 0 -
--R J 1989 o - Mar 26 0s 1 S
--R J 1990 o - May 1 0s 1 S
--R J 2005 o - May 1 0s 1 S
--R J 2005 o - S 30 1s 0 -
--R J 2006 2008 - Mar lastSun 2s 1 S
--R J 2006 2008 - O lastSun 2s 0 -
-+R n 1939 o - Ap 15 23s 1 S
-+R n 1939 o - N 18 23s 0 -
-+R n 1940 o - F 25 23s 1 S
-+R n 1941 o - O 6 0 0 -
-+R n 1942 o - Mar 9 0 1 S
-+R n 1942 o - N 2 3 0 -
-+R n 1943 o - Mar 29 2 1 S
-+R n 1943 o - Ap 17 2 0 -
-+R n 1943 o - Ap 25 2 1 S
-+R n 1943 o - O 4 2 0 -
-+R n 1944 1945 - Ap M>=1 2 1 S
-+R n 1944 o - O 8 0 0 -
-+R n 1945 o - S 16 0 0 -
-+R n 1977 o - Ap 30 0s 1 S
-+R n 1977 o - S 24 0s 0 -
-+R n 1978 o - May 1 0s 1 S
-+R n 1978 o - O 1 0s 0 -
-+R n 1988 o - Jun 1 0s 1 S
-+R n 1988 1990 - S lastSun 0s 0 -
-+R n 1989 o - Mar 26 0s 1 S
-+R n 1990 o - May 1 0s 1 S
-+R n 2005 o - May 1 0s 1 S
-+R n 2005 o - S 30 1s 0 -
-+R n 2006 2008 - Mar lastSun 2s 1 S
-+R n 2006 2008 - O lastSun 2s 0 -
- Z Africa/Tunis 0:40:44 - LMT 1881 May 12
- 0:9:21 - PMT 1911 Mar 11
--1 J CE%sT
-+1 n CE%sT
- Z Antarctica/Casey 0 - -00 1969
- 8 - +08 2009 O 18 2
- 11 - +11 2010 Mar 5 2
-@@ -314,10 +314,10 @@ Z Antarctica/DumontDUrville 0 - -00 1947
- 10 - +10
- Z Antarctica/Syowa 0 - -00 1957 Ja 29
- 3 - +03
--R K 2005 ma - Mar lastSun 1u 2 +02
--R K 2004 ma - O lastSun 1u 0 +00
-+R Tr 2005 ma - Mar lastSun 1u 2 +02
-+R Tr 2004 ma - O lastSun 1u 0 +00
- Z Antarctica/Troll 0 - -00 2005 F 12
--0 K %s
-+0 Tr %s
- Z Antarctica/Vostok 0 - -00 1957 D 16
- 6 - +06
- Z Antarctica/Rothera 0 - -00 1976 D
-@@ -325,33 +325,33 @@ Z Antarctica/Rothera 0 - -00 1976 D
- Z Asia/Kabul 4:36:48 - LMT 1890
- 4 - +04 1945
- 4:30 - +0430
--R L 2011 o - Mar lastSun 2s 1 -
--R L 2011 o - O lastSun 2s 0 -
-+R AM 2011 o - Mar lastSun 2s 1 -
-+R AM 2011 o - O lastSun 2s 0 -
- Z Asia/Yerevan 2:58 - LMT 1924 May 2
- 3 - +03 1957 Mar
--4 M +04/+05 1991 Mar 31 2s
--3 M +03/+04 1995 S 24 2s
-+4 R +04/+05 1991 Mar 31 2s
-+3 R +03/+04 1995 S 24 2s
- 4 - +04 1997
--4 M +04/+05 2011
--4 L +04/+05
--R N 1997 2015 - Mar lastSun 4 1 -
--R N 1997 2015 - O lastSun 5 0 -
-+4 R +04/+05 2011
-+4 AM +04/+05
-+R AZ 1997 2015 - Mar lastSun 4 1 -
-+R AZ 1997 2015 - O lastSun 5 0 -
- Z Asia/Baku 3:19:24 - LMT 1924 May 2
- 3 - +03 1957 Mar
--4 M +04/+05 1991 Mar 31 2s
--3 M +03/+04 1992 S lastSun 2s
-+4 R +04/+05 1991 Mar 31 2s
-+3 R +03/+04 1992 S lastSun 2s
- 4 - +04 1996
--4 O +04/+05 1997
--4 N +04/+05
--R P 2009 o - Jun 19 23 1 -
--R P 2009 o - D 31 24 0 -
-+4 E +04/+05 1997
-+4 AZ +04/+05
-+R BD 2009 o - Jun 19 23 1 -
-+R BD 2009 o - D 31 24 0 -
- Z Asia/Dhaka 6:1:40 - LMT 1890
- 5:53:20 - HMT 1941 O
- 6:30 - +0630 1942 May 15
- 5:30 - +0530 1942 S
- 6:30 - +0630 1951 S 30
- 6 - +06 2009
--6 P +06/+07
-+6 BD +06/+07
- Z Asia/Thimphu 5:58:36 - LMT 1947 Au 15
- 5:30 - +0530 1987 O
- 6 - +06
-@@ -366,103 +366,127 @@ Z Asia/Yangon 6:24:47 - LMT 1880
- 6:30 - +0630 1942 May
- 9 - +09 1945 May 3
- 6:30 - +0630
--R Q 1940 o - Jun 3 0 1 D
--R Q 1940 1941 - O 1 0 0 S
--R Q 1941 o - Mar 16 0 1 D
--R R 1986 o - May 4 0 1 D
--R R 1986 1991 - S Sun>=11 0 0 S
--R R 1987 1991 - Ap Sun>=10 0 1 D
-+R Sh 1940 o - Jun 1 0 1 D
-+R Sh 1940 o - O 12 24 0 S
-+R Sh 1941 o - Mar 15 0 1 D
-+R Sh 1941 o - N 1 24 0 S
-+R Sh 1942 o - Ja 31 0 1 D
-+R Sh 1945 o - S 1 24 0 S
-+R Sh 1946 o - May 15 0 1 D
-+R Sh 1946 o - S 30 24 0 S
-+R Sh 1947 o - Ap 15 0 1 D
-+R Sh 1947 o - O 31 24 0 S
-+R Sh 1948 1949 - May 1 0 1 D
-+R Sh 1948 1949 - S 30 24 0 S
-+R CN 1986 o - May 4 2 1 D
-+R CN 1986 1991 - S Sun>=11 2 0 S
-+R CN 1987 1991 - Ap Sun>=11 2 1 D
- Z Asia/Shanghai 8:5:43 - LMT 1901
--8 Q C%sT 1949
--8 R C%sT
-+8 Sh C%sT 1949 May 28
-+8 CN C%sT
- Z Asia/Urumqi 5:50:20 - LMT 1928
- 6 - +06
--R S 1941 o - Ap 1 3:30 1 S
--R S 1941 o - S 30 3:30 0 -
--R S 1946 o - Ap 20 3:30 1 S
--R S 1946 o - D 1 3:30 0 -
--R S 1947 o - Ap 13 3:30 1 S
--R S 1947 o - D 30 3:30 0 -
--R S 1948 o - May 2 3:30 1 S
--R S 1948 1951 - O lastSun 3:30 0 -
--R S 1952 o - O 25 3:30 0 -
--R S 1949 1953 - Ap Sun>=1 3:30 1 S
--R S 1953 o - N 1 3:30 0 -
--R S 1954 1964 - Mar Sun>=18 3:30 1 S
--R S 1954 o - O 31 3:30 0 -
--R S 1955 1964 - N Sun>=1 3:30 0 -
--R S 1965 1976 - Ap Sun>=16 3:30 1 S
--R S 1965 1976 - O Sun>=16 3:30 0 -
--R S 1973 o - D 30 3:30 1 S
--R S 1979 o - May Sun>=8 3:30 1 S
--R S 1979 o - O Sun>=16 3:30 0 -
-+R HK 1941 o - Ap 1 3:30 1 S
-+R HK 1941 o - S 30 3:30 0 -
-+R HK 1946 o - Ap 20 3:30 1 S
-+R HK 1946 o - D 1 3:30 0 -
-+R HK 1947 o - Ap 13 3:30 1 S
-+R HK 1947 o - D 30 3:30 0 -
-+R HK 1948 o - May 2 3:30 1 S
-+R HK 1948 1951 - O lastSun 3:30 0 -
-+R HK 1952 o - O 25 3:30 0 -
-+R HK 1949 1953 - Ap Sun>=1 3:30 1 S
-+R HK 1953 o - N 1 3:30 0 -
-+R HK 1954 1964 - Mar Sun>=18 3:30 1 S
-+R HK 1954 o - O 31 3:30 0 -
-+R HK 1955 1964 - N Sun>=1 3:30 0 -
-+R HK 1965 1976 - Ap Sun>=16 3:30 1 S
-+R HK 1965 1976 - O Sun>=16 3:30 0 -
-+R HK 1973 o - D 30 3:30 1 S
-+R HK 1979 o - May Sun>=8 3:30 1 S
-+R HK 1979 o - O Sun>=16 3:30 0 -
- Z Asia/Hong_Kong 7:36:42 - LMT 1904 O 30
--8 S HK%sT 1941 D 25
-+8 HK HK%sT 1941 D 25
- 9 - JST 1945 S 15
--8 S HK%sT
--R T 1946 o - May 15 0 1 D
--R T 1946 o - O 1 0 0 S
--R T 1947 o - Ap 15 0 1 D
--R T 1947 o - N 1 0 0 S
--R T 1948 1951 - May 1 0 1 D
--R T 1948 1951 - O 1 0 0 S
--R T 1952 o - Mar 1 0 1 D
--R T 1952 1954 - N 1 0 0 S
--R T 1953 1959 - Ap 1 0 1 D
--R T 1955 1961 - O 1 0 0 S
--R T 1960 1961 - Jun 1 0 1 D
--R T 1974 1975 - Ap 1 0 1 D
--R T 1974 1975 - O 1 0 0 S
--R T 1979 o - Jul 1 0 1 D
--R T 1979 o - O 1 0 0 S
-+8 HK HK%sT
-+R f 1946 o - May 15 0 1 D
-+R f 1946 o - O 1 0 0 S
-+R f 1947 o - Ap 15 0 1 D
-+R f 1947 o - N 1 0 0 S
-+R f 1948 1951 - May 1 0 1 D
-+R f 1948 1951 - O 1 0 0 S
-+R f 1952 o - Mar 1 0 1 D
-+R f 1952 1954 - N 1 0 0 S
-+R f 1953 1959 - Ap 1 0 1 D
-+R f 1955 1961 - O 1 0 0 S
-+R f 1960 1961 - Jun 1 0 1 D
-+R f 1974 1975 - Ap 1 0 1 D
-+R f 1974 1975 - O 1 0 0 S
-+R f 1979 o - Jul 1 0 1 D
-+R f 1979 o - O 1 0 0 S
- Z Asia/Taipei 8:6 - LMT 1896
- 8 - CST 1937 O
- 9 - JST 1945 S 21 1
--8 T C%sT
--R U 1961 1962 - Mar Sun>=16 3:30 1 D
--R U 1961 1964 - N Sun>=1 3:30 0 S
--R U 1963 o - Mar Sun>=16 0 1 D
--R U 1964 o - Mar Sun>=16 3:30 1 D
--R U 1965 o - Mar Sun>=16 0 1 D
--R U 1965 o - O 31 0 0 S
--R U 1966 1971 - Ap Sun>=16 3:30 1 D
--R U 1966 1971 - O Sun>=16 3:30 0 S
--R U 1972 1974 - Ap Sun>=15 0 1 D
--R U 1972 1973 - O Sun>=15 0 0 S
--R U 1974 1977 - O Sun>=15 3:30 0 S
--R U 1975 1977 - Ap Sun>=15 3:30 1 D
--R U 1978 1980 - Ap Sun>=15 0 1 D
--R U 1978 1980 - O Sun>=15 0 0 S
--Z Asia/Macau 7:34:20 - LMT 1911 D 31 16u
--8 U C%sT
--R V 1975 o - Ap 13 0 1 S
--R V 1975 o - O 12 0 0 -
--R V 1976 o - May 15 0 1 S
--R V 1976 o - O 11 0 0 -
--R V 1977 1980 - Ap Sun>=1 0 1 S
--R V 1977 o - S 25 0 0 -
--R V 1978 o - O 2 0 0 -
--R V 1979 1997 - S lastSun 0 0 -
--R V 1981 1998 - Mar lastSun 0 1 S
-+8 f C%sT
-+R _ 1942 1943 - Ap 30 23 1 -
-+R _ 1942 o - N 17 23 0 -
-+R _ 1943 o - S 30 23 0 S
-+R _ 1946 o - Ap 30 23s 1 D
-+R _ 1946 o - S 30 23s 0 S
-+R _ 1947 o - Ap 19 23s 1 D
-+R _ 1947 o - N 30 23s 0 S
-+R _ 1948 o - May 2 23s 1 D
-+R _ 1948 o - O 31 23s 0 S
-+R _ 1949 1950 - Ap Sat>=1 23s 1 D
-+R _ 1949 1950 - O lastSat 23s 0 S
-+R _ 1951 o - Mar 31 23s 1 D
-+R _ 1951 o - O 28 23s 0 S
-+R _ 1952 1953 - Ap Sat>=1 23s 1 D
-+R _ 1952 o - N 1 23s 0 S
-+R _ 1953 1954 - O lastSat 23s 0 S
-+R _ 1954 1956 - Mar Sat>=17 23s 1 D
-+R _ 1955 o - N 5 23s 0 S
-+R _ 1956 1964 - N Sun>=1 3:30 0 S
-+R _ 1957 1964 - Mar Sun>=18 3:30 1 D
-+R _ 1965 1973 - Ap Sun>=16 3:30 1 D
-+R _ 1965 1966 - O Sun>=16 2:30 0 S
-+R _ 1967 1976 - O Sun>=16 3:30 0 S
-+R _ 1973 o - D 30 3:30 1 D
-+R _ 1975 1976 - Ap Sun>=16 3:30 1 D
-+R _ 1979 o - May 13 3:30 1 D
-+R _ 1979 o - O Sun>=16 3:30 0 S
-+Z Asia/Macau 7:34:10 - LMT 1904 O 30
-+8 - CST 1941 D 21 23
-+9 _ +09/+10 1945 S 30 24
-+8 _ C%sT
-+R CY 1975 o - Ap 13 0 1 S
-+R CY 1975 o - O 12 0 0 -
-+R CY 1976 o - May 15 0 1 S
-+R CY 1976 o - O 11 0 0 -
-+R CY 1977 1980 - Ap Sun>=1 0 1 S
-+R CY 1977 o - S 25 0 0 -
-+R CY 1978 o - O 2 0 0 -
-+R CY 1979 1997 - S lastSun 0 0 -
-+R CY 1981 1998 - Mar lastSun 0 1 S
- Z Asia/Nicosia 2:13:28 - LMT 1921 N 14
--2 V EE%sT 1998 S
--2 O EE%sT
-+2 CY EE%sT 1998 S
-+2 E EE%sT
- Z Asia/Famagusta 2:15:48 - LMT 1921 N 14
--2 V EE%sT 1998 S
--2 O EE%sT 2016 S 8
-+2 CY EE%sT 1998 S
-+2 E EE%sT 2016 S 8
- 3 - +03 2017 O 29 1u
--2 O EE%sT
-+2 E EE%sT
- Li Asia/Nicosia Europe/Nicosia
- Z Asia/Tbilisi 2:59:11 - LMT 1880
- 2:59:11 - TBMT 1924 May 2
- 3 - +03 1957 Mar
--4 M +04/+05 1991 Mar 31 2s
--3 M +03/+04 1992
--3 W +03/+04 1994 S lastSun
--4 W +04/+05 1996 O lastSun
-+4 R +04/+05 1991 Mar 31 2s
-+3 R +03/+04 1992
-+3 e +03/+04 1994 S lastSun
-+4 e +04/+05 1996 O lastSun
- 4 1 +05 1997 Mar lastSun
--4 W +04/+05 2004 Jun 27
--3 M +03/+04 2005 Mar lastSun 2
-+4 e +04/+05 2004 Jun 27
-+3 R +03/+04 2005 Mar lastSun 2
- 4 - +04
- Z Asia/Dili 8:22:20 - LMT 1912
- 8 - +08 1942 F 21 23
-@@ -504,72 +528,72 @@ Z Asia/Jayapura 9:22:48 - LMT 1932 N
- 9 - +09 1944 S
- 9:30 - +0930 1964
- 9 - WIT
--R X 1978 1980 - Mar 21 0 1 -
--R X 1978 o - O 21 0 0 -
--R X 1979 o - S 19 0 0 -
--R X 1980 o - S 23 0 0 -
--R X 1991 o - May 3 0 1 -
--R X 1992 1995 - Mar 22 0 1 -
--R X 1991 1995 - S 22 0 0 -
--R X 1996 o - Mar 21 0 1 -
--R X 1996 o - S 21 0 0 -
--R X 1997 1999 - Mar 22 0 1 -
--R X 1997 1999 - S 22 0 0 -
--R X 2000 o - Mar 21 0 1 -
--R X 2000 o - S 21 0 0 -
--R X 2001 2003 - Mar 22 0 1 -
--R X 2001 2003 - S 22 0 0 -
--R X 2004 o - Mar 21 0 1 -
--R X 2004 o - S 21 0 0 -
--R X 2005 o - Mar 22 0 1 -
--R X 2005 o - S 22 0 0 -
--R X 2008 o - Mar 21 0 1 -
--R X 2008 o - S 21 0 0 -
--R X 2009 2011 - Mar 22 0 1 -
--R X 2009 2011 - S 22 0 0 -
--R X 2012 o - Mar 21 0 1 -
--R X 2012 o - S 21 0 0 -
--R X 2013 2015 - Mar 22 0 1 -
--R X 2013 2015 - S 22 0 0 -
--R X 2016 o - Mar 21 0 1 -
--R X 2016 o - S 21 0 0 -
--R X 2017 2019 - Mar 22 0 1 -
--R X 2017 2019 - S 22 0 0 -
--R X 2020 o - Mar 21 0 1 -
--R X 2020 o - S 21 0 0 -
--R X 2021 2023 - Mar 22 0 1 -
--R X 2021 2023 - S 22 0 0 -
--R X 2024 o - Mar 21 0 1 -
--R X 2024 o - S 21 0 0 -
--R X 2025 2027 - Mar 22 0 1 -
--R X 2025 2027 - S 22 0 0 -
--R X 2028 2029 - Mar 21 0 1 -
--R X 2028 2029 - S 21 0 0 -
--R X 2030 2031 - Mar 22 0 1 -
--R X 2030 2031 - S 22 0 0 -
--R X 2032 2033 - Mar 21 0 1 -
--R X 2032 2033 - S 21 0 0 -
--R X 2034 2035 - Mar 22 0 1 -
--R X 2034 2035 - S 22 0 0 -
--R X 2036 ma - Mar 21 0 1 -
--R X 2036 ma - S 21 0 0 -
-+R i 1978 1980 - Mar 21 0 1 -
-+R i 1978 o - O 21 0 0 -
-+R i 1979 o - S 19 0 0 -
-+R i 1980 o - S 23 0 0 -
-+R i 1991 o - May 3 0 1 -
-+R i 1992 1995 - Mar 22 0 1 -
-+R i 1991 1995 - S 22 0 0 -
-+R i 1996 o - Mar 21 0 1 -
-+R i 1996 o - S 21 0 0 -
-+R i 1997 1999 - Mar 22 0 1 -
-+R i 1997 1999 - S 22 0 0 -
-+R i 2000 o - Mar 21 0 1 -
-+R i 2000 o - S 21 0 0 -
-+R i 2001 2003 - Mar 22 0 1 -
-+R i 2001 2003 - S 22 0 0 -
-+R i 2004 o - Mar 21 0 1 -
-+R i 2004 o - S 21 0 0 -
-+R i 2005 o - Mar 22 0 1 -
-+R i 2005 o - S 22 0 0 -
-+R i 2008 o - Mar 21 0 1 -
-+R i 2008 o - S 21 0 0 -
-+R i 2009 2011 - Mar 22 0 1 -
-+R i 2009 2011 - S 22 0 0 -
-+R i 2012 o - Mar 21 0 1 -
-+R i 2012 o - S 21 0 0 -
-+R i 2013 2015 - Mar 22 0 1 -
-+R i 2013 2015 - S 22 0 0 -
-+R i 2016 o - Mar 21 0 1 -
-+R i 2016 o - S 21 0 0 -
-+R i 2017 2019 - Mar 22 0 1 -
-+R i 2017 2019 - S 22 0 0 -
-+R i 2020 o - Mar 21 0 1 -
-+R i 2020 o - S 21 0 0 -
-+R i 2021 2023 - Mar 22 0 1 -
-+R i 2021 2023 - S 22 0 0 -
-+R i 2024 o - Mar 21 0 1 -
-+R i 2024 o - S 21 0 0 -
-+R i 2025 2027 - Mar 22 0 1 -
-+R i 2025 2027 - S 22 0 0 -
-+R i 2028 2029 - Mar 21 0 1 -
-+R i 2028 2029 - S 21 0 0 -
-+R i 2030 2031 - Mar 22 0 1 -
-+R i 2030 2031 - S 22 0 0 -
-+R i 2032 2033 - Mar 21 0 1 -
-+R i 2032 2033 - S 21 0 0 -
-+R i 2034 2035 - Mar 22 0 1 -
-+R i 2034 2035 - S 22 0 0 -
-+R i 2036 ma - Mar 21 0 1 -
-+R i 2036 ma - S 21 0 0 -
- Z Asia/Tehran 3:25:44 - LMT 1916
- 3:25:44 - TMT 1946
- 3:30 - +0330 1977 N
--4 X +04/+05 1979
--3:30 X +0330/+0430
--R Y 1982 o - May 1 0 1 -
--R Y 1982 1984 - O 1 0 0 -
--R Y 1983 o - Mar 31 0 1 -
--R Y 1984 1985 - Ap 1 0 1 -
--R Y 1985 1990 - S lastSun 1s 0 -
--R Y 1986 1990 - Mar lastSun 1s 1 -
--R Y 1991 2007 - Ap 1 3s 1 -
--R Y 1991 2007 - O 1 3s 0 -
-+4 i +04/+05 1979
-+3:30 i +0330/+0430
-+R IQ 1982 o - May 1 0 1 -
-+R IQ 1982 1984 - O 1 0 0 -
-+R IQ 1983 o - Mar 31 0 1 -
-+R IQ 1984 1985 - Ap 1 0 1 -
-+R IQ 1985 1990 - S lastSun 1s 0 -
-+R IQ 1986 1990 - Mar lastSun 1s 1 -
-+R IQ 1991 2007 - Ap 1 3s 1 -
-+R IQ 1991 2007 - O 1 3s 0 -
- Z Asia/Baghdad 2:57:40 - LMT 1890
- 2:57:36 - BMT 1918
- 3 - +03 1982 May
--3 Y +03/+04
-+3 IQ +03/+04
- R Z 1940 o - Jun 1 0 1 D
- R Z 1942 1944 - N 1 0 0 S
- R Z 1943 o - Ap 1 2 1 D
-@@ -659,163 +683,163 @@ R Z 2013 ma - O lastSun 2 0 S
- Z Asia/Jerusalem 2:20:54 - LMT 1880
- 2:20:40 - JMT 1918
- 2 Z I%sT
--R a 1948 o - May Sat>=1 24 1 D
--R a 1948 1951 - S Sun>=9 0 0 S
--R a 1949 o - Ap Sat>=1 24 1 D
--R a 1950 1951 - May Sat>=1 24 1 D
-+R JP 1948 o - May Sat>=1 24 1 D
-+R JP 1948 1951 - S Sat>=8 25 0 S
-+R JP 1949 o - Ap Sat>=1 24 1 D
-+R JP 1950 1951 - May Sat>=1 24 1 D
- Z Asia/Tokyo 9:18:59 - LMT 1887 D 31 15u
--9 a J%sT
--R b 1973 o - Jun 6 0 1 S
--R b 1973 1975 - O 1 0 0 -
--R b 1974 1977 - May 1 0 1 S
--R b 1976 o - N 1 0 0 -
--R b 1977 o - O 1 0 0 -
--R b 1978 o - Ap 30 0 1 S
--R b 1978 o - S 30 0 0 -
--R b 1985 o - Ap 1 0 1 S
--R b 1985 o - O 1 0 0 -
--R b 1986 1988 - Ap F>=1 0 1 S
--R b 1986 1990 - O F>=1 0 0 -
--R b 1989 o - May 8 0 1 S
--R b 1990 o - Ap 27 0 1 S
--R b 1991 o - Ap 17 0 1 S
--R b 1991 o - S 27 0 0 -
--R b 1992 o - Ap 10 0 1 S
--R b 1992 1993 - O F>=1 0 0 -
--R b 1993 1998 - Ap F>=1 0 1 S
--R b 1994 o - S F>=15 0 0 -
--R b 1995 1998 - S F>=15 0s 0 -
--R b 1999 o - Jul 1 0s 1 S
--R b 1999 2002 - S lastF 0s 0 -
--R b 2000 2001 - Mar lastTh 0s 1 S
--R b 2002 2012 - Mar lastTh 24 1 S
--R b 2003 o - O 24 0s 0 -
--R b 2004 o - O 15 0s 0 -
--R b 2005 o - S lastF 0s 0 -
--R b 2006 2011 - O lastF 0s 0 -
--R b 2013 o - D 20 0 0 -
--R b 2014 ma - Mar lastTh 24 1 S
--R b 2014 ma - O lastF 0s 0 -
-+9 JP J%sT
-+R J 1973 o - Jun 6 0 1 S
-+R J 1973 1975 - O 1 0 0 -
-+R J 1974 1977 - May 1 0 1 S
-+R J 1976 o - N 1 0 0 -
-+R J 1977 o - O 1 0 0 -
-+R J 1978 o - Ap 30 0 1 S
-+R J 1978 o - S 30 0 0 -
-+R J 1985 o - Ap 1 0 1 S
-+R J 1985 o - O 1 0 0 -
-+R J 1986 1988 - Ap F>=1 0 1 S
-+R J 1986 1990 - O F>=1 0 0 -
-+R J 1989 o - May 8 0 1 S
-+R J 1990 o - Ap 27 0 1 S
-+R J 1991 o - Ap 17 0 1 S
-+R J 1991 o - S 27 0 0 -
-+R J 1992 o - Ap 10 0 1 S
-+R J 1992 1993 - O F>=1 0 0 -
-+R J 1993 1998 - Ap F>=1 0 1 S
-+R J 1994 o - S F>=15 0 0 -
-+R J 1995 1998 - S F>=15 0s 0 -
-+R J 1999 o - Jul 1 0s 1 S
-+R J 1999 2002 - S lastF 0s 0 -
-+R J 2000 2001 - Mar lastTh 0s 1 S
-+R J 2002 2012 - Mar lastTh 24 1 S
-+R J 2003 o - O 24 0s 0 -
-+R J 2004 o - O 15 0s 0 -
-+R J 2005 o - S lastF 0s 0 -
-+R J 2006 2011 - O lastF 0s 0 -
-+R J 2013 o - D 20 0 0 -
-+R J 2014 ma - Mar lastTh 24 1 S
-+R J 2014 ma - O lastF 0s 0 -
- Z Asia/Amman 2:23:44 - LMT 1931
--2 b EE%sT
-+2 J EE%sT
- Z Asia/Almaty 5:7:48 - LMT 1924 May 2
- 5 - +05 1930 Jun 21
--6 M +06/+07 1991 Mar 31 2s
--5 M +05/+06 1992 Ja 19 2s
--6 M +06/+07 2004 O 31 2s
-+6 R +06/+07 1991 Mar 31 2s
-+5 R +05/+06 1992 Ja 19 2s
-+6 R +06/+07 2004 O 31 2s
- 6 - +06
- Z Asia/Qyzylorda 4:21:52 - LMT 1924 May 2
- 4 - +04 1930 Jun 21
- 5 - +05 1981 Ap
- 5 1 +06 1981 O
- 6 - +06 1982 Ap
--5 M +05/+06 1991 Mar 31 2s
--4 M +04/+05 1991 S 29 2s
--5 M +05/+06 1992 Ja 19 2s
--6 M +06/+07 1992 Mar 29 2s
--5 M +05/+06 2004 O 31 2s
-+5 R +05/+06 1991 Mar 31 2s
-+4 R +04/+05 1991 S 29 2s
-+5 R +05/+06 1992 Ja 19 2s
-+6 R +06/+07 1992 Mar 29 2s
-+5 R +05/+06 2004 O 31 2s
- 6 - +06
- Z Asia/Aqtobe 3:48:40 - LMT 1924 May 2
- 4 - +04 1930 Jun 21
- 5 - +05 1981 Ap
- 5 1 +06 1981 O
- 6 - +06 1982 Ap
--5 M +05/+06 1991 Mar 31 2s
--4 M +04/+05 1992 Ja 19 2s
--5 M +05/+06 2004 O 31 2s
-+5 R +05/+06 1991 Mar 31 2s
-+4 R +04/+05 1992 Ja 19 2s
-+5 R +05/+06 2004 O 31 2s
- 5 - +05
- Z Asia/Aqtau 3:21:4 - LMT 1924 May 2
- 4 - +04 1930 Jun 21
- 5 - +05 1981 O
- 6 - +06 1982 Ap
--5 M +05/+06 1991 Mar 31 2s
--4 M +04/+05 1992 Ja 19 2s
--5 M +05/+06 1994 S 25 2s
--4 M +04/+05 2004 O 31 2s
-+5 R +05/+06 1991 Mar 31 2s
-+4 R +04/+05 1992 Ja 19 2s
-+5 R +05/+06 1994 S 25 2s
-+4 R +04/+05 2004 O 31 2s
- 5 - +05
- Z Asia/Atyrau 3:27:44 - LMT 1924 May 2
- 3 - +03 1930 Jun 21
- 5 - +05 1981 O
- 6 - +06 1982 Ap
--5 M +05/+06 1991 Mar 31 2s
--4 M +04/+05 1992 Ja 19 2s
--5 M +05/+06 1999 Mar 28 2s
--4 M +04/+05 2004 O 31 2s
-+5 R +05/+06 1991 Mar 31 2s
-+4 R +04/+05 1992 Ja 19 2s
-+5 R +05/+06 1999 Mar 28 2s
-+4 R +04/+05 2004 O 31 2s
- 5 - +05
- Z Asia/Oral 3:25:24 - LMT 1924 May 2
- 3 - +03 1930 Jun 21
- 5 - +05 1981 Ap
- 5 1 +06 1981 O
- 6 - +06 1982 Ap
--5 M +05/+06 1989 Mar 26 2s
--4 M +04/+05 1992 Ja 19 2s
--5 M +05/+06 1992 Mar 29 2s
--4 M +04/+05 2004 O 31 2s
-+5 R +05/+06 1989 Mar 26 2s
-+4 R +04/+05 1992 Ja 19 2s
-+5 R +05/+06 1992 Mar 29 2s
-+4 R +04/+05 2004 O 31 2s
- 5 - +05
--R c 1992 1996 - Ap Sun>=7 0s 1 -
--R c 1992 1996 - S lastSun 0 0 -
--R c 1997 2005 - Mar lastSun 2:30 1 -
--R c 1997 2004 - O lastSun 2:30 0 -
-+R KG 1992 1996 - Ap Sun>=7 0s 1 -
-+R KG 1992 1996 - S lastSun 0 0 -
-+R KG 1997 2005 - Mar lastSun 2:30 1 -
-+R KG 1997 2004 - O lastSun 2:30 0 -
- Z Asia/Bishkek 4:58:24 - LMT 1924 May 2
- 5 - +05 1930 Jun 21
--6 M +06/+07 1991 Mar 31 2s
--5 M +05/+06 1991 Au 31 2
--5 c +05/+06 2005 Au 12
-+6 R +06/+07 1991 Mar 31 2s
-+5 R +05/+06 1991 Au 31 2
-+5 KG +05/+06 2005 Au 12
- 6 - +06
--R d 1948 o - Jun 1 0 1 D
--R d 1948 o - S 13 0 0 S
--R d 1949 o - Ap 3 0 1 D
--R d 1949 1951 - S Sun>=8 0 0 S
--R d 1950 o - Ap 1 0 1 D
--R d 1951 o - May 6 0 1 D
--R d 1955 o - May 5 0 1 D
--R d 1955 o - S 9 0 0 S
--R d 1956 o - May 20 0 1 D
--R d 1956 o - S 30 0 0 S
--R d 1957 1960 - May Sun>=1 0 1 D
--R d 1957 1960 - S Sun>=18 0 0 S
--R d 1987 1988 - May Sun>=8 2 1 D
--R d 1987 1988 - O Sun>=8 3 0 S
-+R KR 1948 o - Jun 1 0 1 D
-+R KR 1948 o - S 13 0 0 S
-+R KR 1949 o - Ap 3 0 1 D
-+R KR 1949 1951 - S Sun>=8 0 0 S
-+R KR 1950 o - Ap 1 0 1 D
-+R KR 1951 o - May 6 0 1 D
-+R KR 1955 o - May 5 0 1 D
-+R KR 1955 o - S 9 0 0 S
-+R KR 1956 o - May 20 0 1 D
-+R KR 1956 o - S 30 0 0 S
-+R KR 1957 1960 - May Sun>=1 0 1 D
-+R KR 1957 1960 - S Sun>=18 0 0 S
-+R KR 1987 1988 - May Sun>=8 2 1 D
-+R KR 1987 1988 - O Sun>=8 3 0 S
- Z Asia/Seoul 8:27:52 - LMT 1908 Ap
- 8:30 - KST 1912
- 9 - JST 1945 S 8
- 9 - KST 1954 Mar 21
--8:30 d K%sT 1961 Au 10
--9 d K%sT
-+8:30 KR K%sT 1961 Au 10
-+9 KR K%sT
- Z Asia/Pyongyang 8:23 - LMT 1908 Ap
- 8:30 - KST 1912
- 9 - JST 1945 Au 24
- 9 - KST 2015 Au 15
--8:30 - KST 2018 May 5
-+8:30 - KST 2018 May 4 23:30
- 9 - KST
--R e 1920 o - Mar 28 0 1 S
--R e 1920 o - O 25 0 0 -
--R e 1921 o - Ap 3 0 1 S
--R e 1921 o - O 3 0 0 -
--R e 1922 o - Mar 26 0 1 S
--R e 1922 o - O 8 0 0 -
--R e 1923 o - Ap 22 0 1 S
--R e 1923 o - S 16 0 0 -
--R e 1957 1961 - May 1 0 1 S
--R e 1957 1961 - O 1 0 0 -
--R e 1972 o - Jun 22 0 1 S
--R e 1972 1977 - O 1 0 0 -
--R e 1973 1977 - May 1 0 1 S
--R e 1978 o - Ap 30 0 1 S
--R e 1978 o - S 30 0 0 -
--R e 1984 1987 - May 1 0 1 S
--R e 1984 1991 - O 16 0 0 -
--R e 1988 o - Jun 1 0 1 S
--R e 1989 o - May 10 0 1 S
--R e 1990 1992 - May 1 0 1 S
--R e 1992 o - O 4 0 0 -
--R e 1993 ma - Mar lastSun 0 1 S
--R e 1993 1998 - S lastSun 0 0 -
--R e 1999 ma - O lastSun 0 0 -
-+R l 1920 o - Mar 28 0 1 S
-+R l 1920 o - O 25 0 0 -
-+R l 1921 o - Ap 3 0 1 S
-+R l 1921 o - O 3 0 0 -
-+R l 1922 o - Mar 26 0 1 S
-+R l 1922 o - O 8 0 0 -
-+R l 1923 o - Ap 22 0 1 S
-+R l 1923 o - S 16 0 0 -
-+R l 1957 1961 - May 1 0 1 S
-+R l 1957 1961 - O 1 0 0 -
-+R l 1972 o - Jun 22 0 1 S
-+R l 1972 1977 - O 1 0 0 -
-+R l 1973 1977 - May 1 0 1 S
-+R l 1978 o - Ap 30 0 1 S
-+R l 1978 o - S 30 0 0 -
-+R l 1984 1987 - May 1 0 1 S
-+R l 1984 1991 - O 16 0 0 -
-+R l 1988 o - Jun 1 0 1 S
-+R l 1989 o - May 10 0 1 S
-+R l 1990 1992 - May 1 0 1 S
-+R l 1992 o - O 4 0 0 -
-+R l 1993 ma - Mar lastSun 0 1 S
-+R l 1993 1998 - S lastSun 0 0 -
-+R l 1999 ma - O lastSun 0 0 -
- Z Asia/Beirut 2:22 - LMT 1880
--2 e EE%sT
--R f 1935 1941 - S 14 0 0:20 -
--R f 1935 1941 - D 14 0 0 -
-+2 l EE%sT
-+R NB 1935 1941 - S 14 0 0:20 -
-+R NB 1935 1941 - D 14 0 0 -
- Z Asia/Kuala_Lumpur 6:46:46 - LMT 1901
- 6:55:25 - SMT 1905 Jun
- 7 - +07 1933
-@@ -827,98 +851,98 @@ Z Asia/Kuala_Lumpur 6:46:46 - LMT 1901
- 8 - +08
- Z Asia/Kuching 7:21:20 - LMT 1926 Mar
- 7:30 - +0730 1933
--8 f +08/+0820 1942 F 16
-+8 NB +08/+0820 1942 F 16
- 9 - +09 1945 S 12
- 8 - +08
- Z Indian/Maldives 4:54 - LMT 1880
- 4:54 - MMT 1960
- 5 - +05
--R g 1983 1984 - Ap 1 0 1 -
--R g 1983 o - O 1 0 0 -
--R g 1985 1998 - Mar lastSun 0 1 -
--R g 1984 1998 - S lastSun 0 0 -
--R g 2001 o - Ap lastSat 2 1 -
--R g 2001 2006 - S lastSat 2 0 -
--R g 2002 2006 - Mar lastSat 2 1 -
--R g 2015 2016 - Mar lastSat 2 1 -
--R g 2015 2016 - S lastSat 0 0 -
-+R X 1983 1984 - Ap 1 0 1 -
-+R X 1983 o - O 1 0 0 -
-+R X 1985 1998 - Mar lastSun 0 1 -
-+R X 1984 1998 - S lastSun 0 0 -
-+R X 2001 o - Ap lastSat 2 1 -
-+R X 2001 2006 - S lastSat 2 0 -
-+R X 2002 2006 - Mar lastSat 2 1 -
-+R X 2015 2016 - Mar lastSat 2 1 -
-+R X 2015 2016 - S lastSat 0 0 -
- Z Asia/Hovd 6:6:36 - LMT 1905 Au
- 6 - +06 1978
--7 g +07/+08
-+7 X +07/+08
- Z Asia/Ulaanbaatar 7:7:32 - LMT 1905 Au
- 7 - +07 1978
--8 g +08/+09
-+8 X +08/+09
- Z Asia/Choibalsan 7:38 - LMT 1905 Au
- 7 - +07 1978
- 8 - +08 1983 Ap
--9 g +09/+10 2008 Mar 31
--8 g +08/+09
-+9 X +09/+10 2008 Mar 31
-+8 X +08/+09
- Z Asia/Kathmandu 5:41:16 - LMT 1920
- 5:30 - +0530 1986
- 5:45 - +0545
--R h 2002 o - Ap Sun>=2 0 1 S
--R h 2002 o - O Sun>=2 0 0 -
--R h 2008 o - Jun 1 0 1 S
--R h 2008 2009 - N 1 0 0 -
--R h 2009 o - Ap 15 0 1 S
-+R PK 2002 o - Ap Sun>=2 0 1 S
-+R PK 2002 o - O Sun>=2 0 0 -
-+R PK 2008 o - Jun 1 0 1 S
-+R PK 2008 2009 - N 1 0 0 -
-+R PK 2009 o - Ap 15 0 1 S
- Z Asia/Karachi 4:28:12 - LMT 1907
- 5:30 - +0530 1942 S
- 5:30 1 +0630 1945 O 15
- 5:30 - +0530 1951 S 30
- 5 - +05 1971 Mar 26
--5 h PK%sT
--R i 1999 2005 - Ap F>=15 0 1 S
--R i 1999 2003 - O F>=15 0 0 -
--R i 2004 o - O 1 1 0 -
--R i 2005 o - O 4 2 0 -
--R i 2006 2007 - Ap 1 0 1 S
--R i 2006 o - S 22 0 0 -
--R i 2007 o - S Th>=8 2 0 -
--R i 2008 2009 - Mar lastF 0 1 S
--R i 2008 o - S 1 0 0 -
--R i 2009 o - S F>=1 1 0 -
--R i 2010 o - Mar 26 0 1 S
--R i 2010 o - Au 11 0 0 -
--R i 2011 o - Ap 1 0:1 1 S
--R i 2011 o - Au 1 0 0 -
--R i 2011 o - Au 30 0 1 S
--R i 2011 o - S 30 0 0 -
--R i 2012 2014 - Mar lastTh 24 1 S
--R i 2012 o - S 21 1 0 -
--R i 2013 o - S F>=21 0 0 -
--R i 2014 2015 - O F>=21 0 0 -
--R i 2015 o - Mar lastF 24 1 S
--R i 2016 ma - Mar Sat>=22 1 1 S
--R i 2016 ma - O lastSat 1 0 -
-+5 PK PK%sT
-+R P 1999 2005 - Ap F>=15 0 1 S
-+R P 1999 2003 - O F>=15 0 0 -
-+R P 2004 o - O 1 1 0 -
-+R P 2005 o - O 4 2 0 -
-+R P 2006 2007 - Ap 1 0 1 S
-+R P 2006 o - S 22 0 0 -
-+R P 2007 o - S Th>=8 2 0 -
-+R P 2008 2009 - Mar lastF 0 1 S
-+R P 2008 o - S 1 0 0 -
-+R P 2009 o - S F>=1 1 0 -
-+R P 2010 o - Mar 26 0 1 S
-+R P 2010 o - Au 11 0 0 -
-+R P 2011 o - Ap 1 0:1 1 S
-+R P 2011 o - Au 1 0 0 -
-+R P 2011 o - Au 30 0 1 S
-+R P 2011 o - S 30 0 0 -
-+R P 2012 2014 - Mar lastTh 24 1 S
-+R P 2012 o - S 21 1 0 -
-+R P 2013 o - S F>=21 0 0 -
-+R P 2014 2015 - O F>=21 0 0 -
-+R P 2015 o - Mar lastF 24 1 S
-+R P 2016 ma - Mar Sat>=22 1 1 S
-+R P 2016 ma - O lastSat 1 0 -
- Z Asia/Gaza 2:17:52 - LMT 1900 O
- 2 Z EET/EEST 1948 May 15
--2 B EE%sT 1967 Jun 5
-+2 K EE%sT 1967 Jun 5
- 2 Z I%sT 1996
--2 b EE%sT 1999
--2 i EE%sT 2008 Au 29
-+2 J EE%sT 1999
-+2 P EE%sT 2008 Au 29
- 2 - EET 2008 S
--2 i EE%sT 2010
-+2 P EE%sT 2010
- 2 - EET 2010 Mar 27 0:1
--2 i EE%sT 2011 Au
-+2 P EE%sT 2011 Au
- 2 - EET 2012
--2 i EE%sT
-+2 P EE%sT
- Z Asia/Hebron 2:20:23 - LMT 1900 O
- 2 Z EET/EEST 1948 May 15
--2 B EE%sT 1967 Jun 5
-+2 K EE%sT 1967 Jun 5
- 2 Z I%sT 1996
--2 b EE%sT 1999
--2 i EE%sT
--R j 1936 o - N 1 0 1 -
--R j 1937 o - F 1 0 0 -
--R j 1954 o - Ap 12 0 1 -
--R j 1954 o - Jul 1 0 0 -
--R j 1978 o - Mar 22 0 1 -
--R j 1978 o - S 21 0 0 -
-+2 J EE%sT 1999
-+2 P EE%sT
-+R PH 1936 o - N 1 0 1 D
-+R PH 1937 o - F 1 0 0 S
-+R PH 1954 o - Ap 12 0 1 D
-+R PH 1954 o - Jul 1 0 0 S
-+R PH 1978 o - Mar 22 0 1 D
-+R PH 1978 o - S 21 0 0 S
- Z Asia/Manila -15:56 - LMT 1844 D 31
- 8:4 - LMT 1899 May 11
--8 j +08/+09 1942 May
--9 - +09 1944 N
--8 j +08/+09
-+8 PH P%sT 1942 May
-+9 - JST 1944 N
-+8 PH P%sT
- Z Asia/Qatar 3:26:8 - LMT 1920
- 4 - +04 1972 Jun
- 3 - +03
-@@ -945,52 +969,52 @@ Z Asia/Colombo 5:19:24 - LMT 1880
- 6:30 - +0630 1996 O 26 0:30
- 6 - +06 2006 Ap 15 0:30
- 5:30 - +0530
--R k 1920 1923 - Ap Sun>=15 2 1 S
--R k 1920 1923 - O Sun>=1 2 0 -
--R k 1962 o - Ap 29 2 1 S
--R k 1962 o - O 1 2 0 -
--R k 1963 1965 - May 1 2 1 S
--R k 1963 o - S 30 2 0 -
--R k 1964 o - O 1 2 0 -
--R k 1965 o - S 30 2 0 -
--R k 1966 o - Ap 24 2 1 S
--R k 1966 1976 - O 1 2 0 -
--R k 1967 1978 - May 1 2 1 S
--R k 1977 1978 - S 1 2 0 -
--R k 1983 1984 - Ap 9 2 1 S
--R k 1983 1984 - O 1 2 0 -
--R k 1986 o - F 16 2 1 S
--R k 1986 o - O 9 2 0 -
--R k 1987 o - Mar 1 2 1 S
--R k 1987 1988 - O 31 2 0 -
--R k 1988 o - Mar 15 2 1 S
--R k 1989 o - Mar 31 2 1 S
--R k 1989 o - O 1 2 0 -
--R k 1990 o - Ap 1 2 1 S
--R k 1990 o - S 30 2 0 -
--R k 1991 o - Ap 1 0 1 S
--R k 1991 1992 - O 1 0 0 -
--R k 1992 o - Ap 8 0 1 S
--R k 1993 o - Mar 26 0 1 S
--R k 1993 o - S 25 0 0 -
--R k 1994 1996 - Ap 1 0 1 S
--R k 1994 2005 - O 1 0 0 -
--R k 1997 1998 - Mar lastM 0 1 S
--R k 1999 2006 - Ap 1 0 1 S
--R k 2006 o - S 22 0 0 -
--R k 2007 o - Mar lastF 0 1 S
--R k 2007 o - N F>=1 0 0 -
--R k 2008 o - Ap F>=1 0 1 S
--R k 2008 o - N 1 0 0 -
--R k 2009 o - Mar lastF 0 1 S
--R k 2010 2011 - Ap F>=1 0 1 S
--R k 2012 ma - Mar lastF 0 1 S
--R k 2009 ma - O lastF 0 0 -
-+R S 1920 1923 - Ap Sun>=15 2 1 S
-+R S 1920 1923 - O Sun>=1 2 0 -
-+R S 1962 o - Ap 29 2 1 S
-+R S 1962 o - O 1 2 0 -
-+R S 1963 1965 - May 1 2 1 S
-+R S 1963 o - S 30 2 0 -
-+R S 1964 o - O 1 2 0 -
-+R S 1965 o - S 30 2 0 -
-+R S 1966 o - Ap 24 2 1 S
-+R S 1966 1976 - O 1 2 0 -
-+R S 1967 1978 - May 1 2 1 S
-+R S 1977 1978 - S 1 2 0 -
-+R S 1983 1984 - Ap 9 2 1 S
-+R S 1983 1984 - O 1 2 0 -
-+R S 1986 o - F 16 2 1 S
-+R S 1986 o - O 9 2 0 -
-+R S 1987 o - Mar 1 2 1 S
-+R S 1987 1988 - O 31 2 0 -
-+R S 1988 o - Mar 15 2 1 S
-+R S 1989 o - Mar 31 2 1 S
-+R S 1989 o - O 1 2 0 -
-+R S 1990 o - Ap 1 2 1 S
-+R S 1990 o - S 30 2 0 -
-+R S 1991 o - Ap 1 0 1 S
-+R S 1991 1992 - O 1 0 0 -
-+R S 1992 o - Ap 8 0 1 S
-+R S 1993 o - Mar 26 0 1 S
-+R S 1993 o - S 25 0 0 -
-+R S 1994 1996 - Ap 1 0 1 S
-+R S 1994 2005 - O 1 0 0 -
-+R S 1997 1998 - Mar lastM 0 1 S
-+R S 1999 2006 - Ap 1 0 1 S
-+R S 2006 o - S 22 0 0 -
-+R S 2007 o - Mar lastF 0 1 S
-+R S 2007 o - N F>=1 0 0 -
-+R S 2008 o - Ap F>=1 0 1 S
-+R S 2008 o - N 1 0 0 -
-+R S 2009 o - Mar lastF 0 1 S
-+R S 2010 2011 - Ap F>=1 0 1 S
-+R S 2012 ma - Mar lastF 0 1 S
-+R S 2009 ma - O lastF 0 0 -
- Z Asia/Damascus 2:25:12 - LMT 1920
--2 k EE%sT
-+2 S EE%sT
- Z Asia/Dushanbe 4:35:12 - LMT 1924 May 2
- 5 - +05 1930 Jun 21
--6 M +06/+07 1991 Mar 31 2s
-+6 R +06/+07 1991 Mar 31 2s
- 5 1 +05/+06 1991 S 9 2s
- 5 - +05
- Z Asia/Bangkok 6:42:4 - LMT 1880
-@@ -1000,8 +1024,8 @@ Li Asia/Bangkok Asia/Phnom_Penh
- Li Asia/Bangkok Asia/Vientiane
- Z Asia/Ashgabat 3:53:32 - LMT 1924 May 2
- 4 - +04 1930 Jun 21
--5 M +05/+06 1991 Mar 31 2
--4 M +04/+05 1992 Ja 19 2
-+5 R +05/+06 1991 Mar 31 2
-+4 R +04/+05 1992 Ja 19 2
- 5 - +05
- Z Asia/Dubai 3:41:12 - LMT 1920
- 4 - +04
-@@ -1011,12 +1035,12 @@ Z Asia/Samarkand 4:27:53 - LMT 1924 May 2
- 5 - +05 1981 Ap
- 5 1 +06 1981 O
- 6 - +06 1982 Ap
--5 M +05/+06 1992
-+5 R +05/+06 1992
- 5 - +05
- Z Asia/Tashkent 4:37:11 - LMT 1924 May 2
- 5 - +05 1930 Jun 21
--6 M +06/+07 1991 Mar 31 2
--5 M +05/+06 1992
-+6 R +06/+07 1991 Mar 31 2
-+5 R +05/+06 1992
- 5 - +05
- Z Asia/Ho_Chi_Minh 7:6:40 - LMT 1906 Jul
- 7:6:30 - PLMT 1911 May
-@@ -1028,176 +1052,176 @@ Z Asia/Ho_Chi_Minh 7:6:40 - LMT 1906 Jul
- 7 - +07 1959 D 31 23
- 8 - +08 1975 Jun 13
- 7 - +07
--R l 1917 o - Ja 1 0:1 1 D
--R l 1917 o - Mar 25 2 0 S
--R l 1942 o - Ja 1 2 1 D
--R l 1942 o - Mar 29 2 0 S
--R l 1942 o - S 27 2 1 D
--R l 1943 1944 - Mar lastSun 2 0 S
--R l 1943 o - O 3 2 1 D
-+R AU 1917 o - Ja 1 0:1 1 D
-+R AU 1917 o - Mar 25 2 0 S
-+R AU 1942 o - Ja 1 2 1 D
-+R AU 1942 o - Mar 29 2 0 S
-+R AU 1942 o - S 27 2 1 D
-+R AU 1943 1944 - Mar lastSun 2 0 S
-+R AU 1943 o - O 3 2 1 D
- Z Australia/Darwin 8:43:20 - LMT 1895 F
- 9 - ACST 1899 May
--9:30 l AC%sT
--R m 1974 o - O lastSun 2s 1 D
--R m 1975 o - Mar Sun>=1 2s 0 S
--R m 1983 o - O lastSun 2s 1 D
--R m 1984 o - Mar Sun>=1 2s 0 S
--R m 1991 o - N 17 2s 1 D
--R m 1992 o - Mar Sun>=1 2s 0 S
--R m 2006 o - D 3 2s 1 D
--R m 2007 2009 - Mar lastSun 2s 0 S
--R m 2007 2008 - O lastSun 2s 1 D
-+9:30 AU AC%sT
-+R AW 1974 o - O lastSun 2s 1 D
-+R AW 1975 o - Mar Sun>=1 2s 0 S
-+R AW 1983 o - O lastSun 2s 1 D
-+R AW 1984 o - Mar Sun>=1 2s 0 S
-+R AW 1991 o - N 17 2s 1 D
-+R AW 1992 o - Mar Sun>=1 2s 0 S
-+R AW 2006 o - D 3 2s 1 D
-+R AW 2007 2009 - Mar lastSun 2s 0 S
-+R AW 2007 2008 - O lastSun 2s 1 D
- Z Australia/Perth 7:43:24 - LMT 1895 D
--8 l AW%sT 1943 Jul
--8 m AW%sT
-+8 AU AW%sT 1943 Jul
-+8 AW AW%sT
- Z Australia/Eucla 8:35:28 - LMT 1895 D
--8:45 l +0845/+0945 1943 Jul
--8:45 m +0845/+0945
--R n 1971 o - O lastSun 2s 1 D
--R n 1972 o - F lastSun 2s 0 S
--R n 1989 1991 - O lastSun 2s 1 D
--R n 1990 1992 - Mar Sun>=1 2s 0 S
--R o 1992 1993 - O lastSun 2s 1 D
--R o 1993 1994 - Mar Sun>=1 2s 0 S
-+8:45 AU +0845/+0945 1943 Jul
-+8:45 AW +0845/+0945
-+R AQ 1971 o - O lastSun 2s 1 D
-+R AQ 1972 o - F lastSun 2s 0 S
-+R AQ 1989 1991 - O lastSun 2s 1 D
-+R AQ 1990 1992 - Mar Sun>=1 2s 0 S
-+R Ho 1992 1993 - O lastSun 2s 1 D
-+R Ho 1993 1994 - Mar Sun>=1 2s 0 S
- Z Australia/Brisbane 10:12:8 - LMT 1895
--10 l AE%sT 1971
--10 n AE%sT
-+10 AU AE%sT 1971
-+10 AQ AE%sT
- Z Australia/Lindeman 9:55:56 - LMT 1895
--10 l AE%sT 1971
--10 n AE%sT 1992 Jul
--10 o AE%sT
--R p 1971 1985 - O lastSun 2s 1 D
--R p 1986 o - O 19 2s 1 D
--R p 1987 2007 - O lastSun 2s 1 D
--R p 1972 o - F 27 2s 0 S
--R p 1973 1985 - Mar Sun>=1 2s 0 S
--R p 1986 1990 - Mar Sun>=15 2s 0 S
--R p 1991 o - Mar 3 2s 0 S
--R p 1992 o - Mar 22 2s 0 S
--R p 1993 o - Mar 7 2s 0 S
--R p 1994 o - Mar 20 2s 0 S
--R p 1995 2005 - Mar lastSun 2s 0 S
--R p 2006 o - Ap 2 2s 0 S
--R p 2007 o - Mar lastSun 2s 0 S
--R p 2008 ma - Ap Sun>=1 2s 0 S
--R p 2008 ma - O Sun>=1 2s 1 D
-+10 AU AE%sT 1971
-+10 AQ AE%sT 1992 Jul
-+10 Ho AE%sT
-+R AS 1971 1985 - O lastSun 2s 1 D
-+R AS 1986 o - O 19 2s 1 D
-+R AS 1987 2007 - O lastSun 2s 1 D
-+R AS 1972 o - F 27 2s 0 S
-+R AS 1973 1985 - Mar Sun>=1 2s 0 S
-+R AS 1986 1990 - Mar Sun>=15 2s 0 S
-+R AS 1991 o - Mar 3 2s 0 S
-+R AS 1992 o - Mar 22 2s 0 S
-+R AS 1993 o - Mar 7 2s 0 S
-+R AS 1994 o - Mar 20 2s 0 S
-+R AS 1995 2005 - Mar lastSun 2s 0 S
-+R AS 2006 o - Ap 2 2s 0 S
-+R AS 2007 o - Mar lastSun 2s 0 S
-+R AS 2008 ma - Ap Sun>=1 2s 0 S
-+R AS 2008 ma - O Sun>=1 2s 1 D
- Z Australia/Adelaide 9:14:20 - LMT 1895 F
- 9 - ACST 1899 May
--9:30 l AC%sT 1971
--9:30 p AC%sT
--R q 1967 o - O Sun>=1 2s 1 D
--R q 1968 o - Mar lastSun 2s 0 S
--R q 1968 1985 - O lastSun 2s 1 D
--R q 1969 1971 - Mar Sun>=8 2s 0 S
--R q 1972 o - F lastSun 2s 0 S
--R q 1973 1981 - Mar Sun>=1 2s 0 S
--R q 1982 1983 - Mar lastSun 2s 0 S
--R q 1984 1986 - Mar Sun>=1 2s 0 S
--R q 1986 o - O Sun>=15 2s 1 D
--R q 1987 1990 - Mar Sun>=15 2s 0 S
--R q 1987 o - O Sun>=22 2s 1 D
--R q 1988 1990 - O lastSun 2s 1 D
--R q 1991 1999 - O Sun>=1 2s 1 D
--R q 1991 2005 - Mar lastSun 2s 0 S
--R q 2000 o - Au lastSun 2s 1 D
--R q 2001 ma - O Sun>=1 2s 1 D
--R q 2006 o - Ap Sun>=1 2s 0 S
--R q 2007 o - Mar lastSun 2s 0 S
--R q 2008 ma - Ap Sun>=1 2s 0 S
-+9:30 AU AC%sT 1971
-+9:30 AS AC%sT
-+R AT 1967 o - O Sun>=1 2s 1 D
-+R AT 1968 o - Mar lastSun 2s 0 S
-+R AT 1968 1985 - O lastSun 2s 1 D
-+R AT 1969 1971 - Mar Sun>=8 2s 0 S
-+R AT 1972 o - F lastSun 2s 0 S
-+R AT 1973 1981 - Mar Sun>=1 2s 0 S
-+R AT 1982 1983 - Mar lastSun 2s 0 S
-+R AT 1984 1986 - Mar Sun>=1 2s 0 S
-+R AT 1986 o - O Sun>=15 2s 1 D
-+R AT 1987 1990 - Mar Sun>=15 2s 0 S
-+R AT 1987 o - O Sun>=22 2s 1 D
-+R AT 1988 1990 - O lastSun 2s 1 D
-+R AT 1991 1999 - O Sun>=1 2s 1 D
-+R AT 1991 2005 - Mar lastSun 2s 0 S
-+R AT 2000 o - Au lastSun 2s 1 D
-+R AT 2001 ma - O Sun>=1 2s 1 D
-+R AT 2006 o - Ap Sun>=1 2s 0 S
-+R AT 2007 o - Mar lastSun 2s 0 S
-+R AT 2008 ma - Ap Sun>=1 2s 0 S
- Z Australia/Hobart 9:49:16 - LMT 1895 S
- 10 - AEST 1916 O 1 2
- 10 1 AEDT 1917 F
--10 l AE%sT 1967
--10 q AE%sT
-+10 AU AE%sT 1967
-+10 AT AE%sT
- Z Australia/Currie 9:35:28 - LMT 1895 S
- 10 - AEST 1916 O 1 2
- 10 1 AEDT 1917 F
--10 l AE%sT 1971 Jul
--10 q AE%sT
--R r 1971 1985 - O lastSun 2s 1 D
--R r 1972 o - F lastSun 2s 0 S
--R r 1973 1985 - Mar Sun>=1 2s 0 S
--R r 1986 1990 - Mar Sun>=15 2s 0 S
--R r 1986 1987 - O Sun>=15 2s 1 D
--R r 1988 1999 - O lastSun 2s 1 D
--R r 1991 1994 - Mar Sun>=1 2s 0 S
--R r 1995 2005 - Mar lastSun 2s 0 S
--R r 2000 o - Au lastSun 2s 1 D
--R r 2001 2007 - O lastSun 2s 1 D
--R r 2006 o - Ap Sun>=1 2s 0 S
--R r 2007 o - Mar lastSun 2s 0 S
--R r 2008 ma - Ap Sun>=1 2s 0 S
--R r 2008 ma - O Sun>=1 2s 1 D
-+10 AU AE%sT 1971 Jul
-+10 AT AE%sT
-+R AV 1971 1985 - O lastSun 2s 1 D
-+R AV 1972 o - F lastSun 2s 0 S
-+R AV 1973 1985 - Mar Sun>=1 2s 0 S
-+R AV 1986 1990 - Mar Sun>=15 2s 0 S
-+R AV 1986 1987 - O Sun>=15 2s 1 D
-+R AV 1988 1999 - O lastSun 2s 1 D
-+R AV 1991 1994 - Mar Sun>=1 2s 0 S
-+R AV 1995 2005 - Mar lastSun 2s 0 S
-+R AV 2000 o - Au lastSun 2s 1 D
-+R AV 2001 2007 - O lastSun 2s 1 D
-+R AV 2006 o - Ap Sun>=1 2s 0 S
-+R AV 2007 o - Mar lastSun 2s 0 S
-+R AV 2008 ma - Ap Sun>=1 2s 0 S
-+R AV 2008 ma - O Sun>=1 2s 1 D
- Z Australia/Melbourne 9:39:52 - LMT 1895 F
--10 l AE%sT 1971
--10 r AE%sT
--R s 1971 1985 - O lastSun 2s 1 D
--R s 1972 o - F 27 2s 0 S
--R s 1973 1981 - Mar Sun>=1 2s 0 S
--R s 1982 o - Ap Sun>=1 2s 0 S
--R s 1983 1985 - Mar Sun>=1 2s 0 S
--R s 1986 1989 - Mar Sun>=15 2s 0 S
--R s 1986 o - O 19 2s 1 D
--R s 1987 1999 - O lastSun 2s 1 D
--R s 1990 1995 - Mar Sun>=1 2s 0 S
--R s 1996 2005 - Mar lastSun 2s 0 S
--R s 2000 o - Au lastSun 2s 1 D
--R s 2001 2007 - O lastSun 2s 1 D
--R s 2006 o - Ap Sun>=1 2s 0 S
--R s 2007 o - Mar lastSun 2s 0 S
--R s 2008 ma - Ap Sun>=1 2s 0 S
--R s 2008 ma - O Sun>=1 2s 1 D
-+10 AU AE%sT 1971
-+10 AV AE%sT
-+R AN 1971 1985 - O lastSun 2s 1 D
-+R AN 1972 o - F 27 2s 0 S
-+R AN 1973 1981 - Mar Sun>=1 2s 0 S
-+R AN 1982 o - Ap Sun>=1 2s 0 S
-+R AN 1983 1985 - Mar Sun>=1 2s 0 S
-+R AN 1986 1989 - Mar Sun>=15 2s 0 S
-+R AN 1986 o - O 19 2s 1 D
-+R AN 1987 1999 - O lastSun 2s 1 D
-+R AN 1990 1995 - Mar Sun>=1 2s 0 S
-+R AN 1996 2005 - Mar lastSun 2s 0 S
-+R AN 2000 o - Au lastSun 2s 1 D
-+R AN 2001 2007 - O lastSun 2s 1 D
-+R AN 2006 o - Ap Sun>=1 2s 0 S
-+R AN 2007 o - Mar lastSun 2s 0 S
-+R AN 2008 ma - Ap Sun>=1 2s 0 S
-+R AN 2008 ma - O Sun>=1 2s 1 D
- Z Australia/Sydney 10:4:52 - LMT 1895 F
--10 l AE%sT 1971
--10 s AE%sT
-+10 AU AE%sT 1971
-+10 AN AE%sT
- Z Australia/Broken_Hill 9:25:48 - LMT 1895 F
- 10 - AEST 1896 Au 23
- 9 - ACST 1899 May
--9:30 l AC%sT 1971
--9:30 s AC%sT 2000
--9:30 p AC%sT
--R t 1981 1984 - O lastSun 2 1 -
--R t 1982 1985 - Mar Sun>=1 2 0 -
--R t 1985 o - O lastSun 2 0:30 -
--R t 1986 1989 - Mar Sun>=15 2 0 -
--R t 1986 o - O 19 2 0:30 -
--R t 1987 1999 - O lastSun 2 0:30 -
--R t 1990 1995 - Mar Sun>=1 2 0 -
--R t 1996 2005 - Mar lastSun 2 0 -
--R t 2000 o - Au lastSun 2 0:30 -
--R t 2001 2007 - O lastSun 2 0:30 -
--R t 2006 o - Ap Sun>=1 2 0 -
--R t 2007 o - Mar lastSun 2 0 -
--R t 2008 ma - Ap Sun>=1 2 0 -
--R t 2008 ma - O Sun>=1 2 0:30 -
-+9:30 AU AC%sT 1971
-+9:30 AN AC%sT 2000
-+9:30 AS AC%sT
-+R LH 1981 1984 - O lastSun 2 1 -
-+R LH 1982 1985 - Mar Sun>=1 2 0 -
-+R LH 1985 o - O lastSun 2 0:30 -
-+R LH 1986 1989 - Mar Sun>=15 2 0 -
-+R LH 1986 o - O 19 2 0:30 -
-+R LH 1987 1999 - O lastSun 2 0:30 -
-+R LH 1990 1995 - Mar Sun>=1 2 0 -
-+R LH 1996 2005 - Mar lastSun 2 0 -
-+R LH 2000 o - Au lastSun 2 0:30 -
-+R LH 2001 2007 - O lastSun 2 0:30 -
-+R LH 2006 o - Ap Sun>=1 2 0 -
-+R LH 2007 o - Mar lastSun 2 0 -
-+R LH 2008 ma - Ap Sun>=1 2 0 -
-+R LH 2008 ma - O Sun>=1 2 0:30 -
- Z Australia/Lord_Howe 10:36:20 - LMT 1895 F
- 10 - AEST 1981 Mar
--10:30 t +1030/+1130 1985 Jul
--10:30 t +1030/+11
-+10:30 LH +1030/+1130 1985 Jul
-+10:30 LH +1030/+11
- Z Antarctica/Macquarie 0 - -00 1899 N
- 10 - AEST 1916 O 1 2
- 10 1 AEDT 1917 F
--10 l AE%sT 1919 Ap 1 0s
-+10 AU AE%sT 1919 Ap 1 0s
- 0 - -00 1948 Mar 25
--10 l AE%sT 1967
--10 q AE%sT 2010 Ap 4 3
-+10 AU AE%sT 1967
-+10 AT AE%sT 2010 Ap 4 3
- 11 - +11
- Z Indian/Christmas 7:2:52 - LMT 1895 F
- 7 - +07
- Z Indian/Cocos 6:27:40 - LMT 1900
- 6:30 - +0630
--R u 1998 1999 - N Sun>=1 2 1 -
--R u 1999 2000 - F lastSun 3 0 -
--R u 2009 o - N 29 2 1 -
--R u 2010 o - Mar lastSun 3 0 -
--R u 2010 2013 - O Sun>=21 2 1 -
--R u 2011 o - Mar Sun>=1 3 0 -
--R u 2012 2013 - Ja Sun>=18 3 0 -
--R u 2014 o - Ja Sun>=18 2 0 -
--R u 2014 ma - N Sun>=1 2 1 -
--R u 2015 ma - Ja Sun>=14 3 0 -
-+R FJ 1998 1999 - N Sun>=1 2 1 -
-+R FJ 1999 2000 - F lastSun 3 0 -
-+R FJ 2009 o - N 29 2 1 -
-+R FJ 2010 o - Mar lastSun 3 0 -
-+R FJ 2010 2013 - O Sun>=21 2 1 -
-+R FJ 2011 o - Mar Sun>=1 3 0 -
-+R FJ 2012 2013 - Ja Sun>=18 3 0 -
-+R FJ 2014 o - Ja Sun>=18 2 0 -
-+R FJ 2014 ma - N Sun>=1 2 1 -
-+R FJ 2015 ma - Ja Sun>=13 3 0 -
- Z Pacific/Fiji 11:55:44 - LMT 1915 O 26
--12 u +12/+13
-+12 FJ +12/+13
- Z Pacific/Gambier -8:59:48 - LMT 1912 O
- -9 - -09
- Z Pacific/Marquesas -9:18 - LMT 1912 O
-@@ -1239,50 +1263,50 @@ Z Pacific/Nauru 11:7:40 - LMT 1921 Ja 15
- 9 - +09 1944 Au 15
- 11:30 - +1130 1979 May
- 12 - +12
--R v 1977 1978 - D Sun>=1 0 1 -
--R v 1978 1979 - F 27 0 0 -
--R v 1996 o - D 1 2s 1 -
--R v 1997 o - Mar 2 2s 0 -
-+R NC 1977 1978 - D Sun>=1 0 1 -
-+R NC 1978 1979 - F 27 0 0 -
-+R NC 1996 o - D 1 2s 1 -
-+R NC 1997 o - Mar 2 2s 0 -
- Z Pacific/Noumea 11:5:48 - LMT 1912 Ja 13
--11 v +11/+12
--R w 1927 o - N 6 2 1 S
--R w 1928 o - Mar 4 2 0 M
--R w 1928 1933 - O Sun>=8 2 0:30 S
--R w 1929 1933 - Mar Sun>=15 2 0 M
--R w 1934 1940 - Ap lastSun 2 0 M
--R w 1934 1940 - S lastSun 2 0:30 S
--R w 1946 o - Ja 1 0 0 S
--R w 1974 o - N Sun>=1 2s 1 D
--R x 1974 o - N Sun>=1 2:45s 1 -
--R w 1975 o - F lastSun 2s 0 S
--R x 1975 o - F lastSun 2:45s 0 -
--R w 1975 1988 - O lastSun 2s 1 D
--R x 1975 1988 - O lastSun 2:45s 1 -
--R w 1976 1989 - Mar Sun>=1 2s 0 S
--R x 1976 1989 - Mar Sun>=1 2:45s 0 -
--R w 1989 o - O Sun>=8 2s 1 D
--R x 1989 o - O Sun>=8 2:45s 1 -
--R w 1990 2006 - O Sun>=1 2s 1 D
--R x 1990 2006 - O Sun>=1 2:45s 1 -
--R w 1990 2007 - Mar Sun>=15 2s 0 S
--R x 1990 2007 - Mar Sun>=15 2:45s 0 -
--R w 2007 ma - S lastSun 2s 1 D
--R x 2007 ma - S lastSun 2:45s 1 -
--R w 2008 ma - Ap Sun>=1 2s 0 S
--R x 2008 ma - Ap Sun>=1 2:45s 0 -
-+11 NC +11/+12
-+R NZ 1927 o - N 6 2 1 S
-+R NZ 1928 o - Mar 4 2 0 M
-+R NZ 1928 1933 - O Sun>=8 2 0:30 S
-+R NZ 1929 1933 - Mar Sun>=15 2 0 M
-+R NZ 1934 1940 - Ap lastSun 2 0 M
-+R NZ 1934 1940 - S lastSun 2 0:30 S
-+R NZ 1946 o - Ja 1 0 0 S
-+R NZ 1974 o - N Sun>=1 2s 1 D
-+R k 1974 o - N Sun>=1 2:45s 1 -
-+R NZ 1975 o - F lastSun 2s 0 S
-+R k 1975 o - F lastSun 2:45s 0 -
-+R NZ 1975 1988 - O lastSun 2s 1 D
-+R k 1975 1988 - O lastSun 2:45s 1 -
-+R NZ 1976 1989 - Mar Sun>=1 2s 0 S
-+R k 1976 1989 - Mar Sun>=1 2:45s 0 -
-+R NZ 1989 o - O Sun>=8 2s 1 D
-+R k 1989 o - O Sun>=8 2:45s 1 -
-+R NZ 1990 2006 - O Sun>=1 2s 1 D
-+R k 1990 2006 - O Sun>=1 2:45s 1 -
-+R NZ 1990 2007 - Mar Sun>=15 2s 0 S
-+R k 1990 2007 - Mar Sun>=15 2:45s 0 -
-+R NZ 2007 ma - S lastSun 2s 1 D
-+R k 2007 ma - S lastSun 2:45s 1 -
-+R NZ 2008 ma - Ap Sun>=1 2s 0 S
-+R k 2008 ma - Ap Sun>=1 2:45s 0 -
- Z Pacific/Auckland 11:39:4 - LMT 1868 N 2
--11:30 w NZ%sT 1946
--12 w NZ%sT
-+11:30 NZ NZ%sT 1946
-+12 NZ NZ%sT
- Z Pacific/Chatham 12:13:48 - LMT 1868 N 2
- 12:15 - +1215 1946
--12:45 x +1245/+1345
-+12:45 k +1245/+1345
- Li Pacific/Auckland Antarctica/McMurdo
--R y 1978 o - N 12 0 0:30 -
--R y 1979 1991 - Mar Sun>=1 0 0 -
--R y 1979 1990 - O lastSun 0 0:30 -
-+R CK 1978 o - N 12 0 0:30 -
-+R CK 1979 1991 - Mar Sun>=1 0 0 -
-+R CK 1979 1990 - O lastSun 0 0:30 -
- Z Pacific/Rarotonga -10:39:4 - LMT 1901
- -10:30 - -1030 1978 N 12
---10 y -10/-0930
-+-10 CK -10/-0930
- Z Pacific/Niue -11:19:40 - LMT 1901
- -11:20 - -1120 1951
- -11:30 - -1130 1978 O
-@@ -1311,570 +1335,570 @@ Z Pacific/Pago_Pago 12:37:12 - LMT 1892 Jul 5
- -11:22:48 - LMT 1911
- -11 - SST
- Li Pacific/Pago_Pago Pacific/Midway
--R z 2010 o - S lastSun 0 1 -
--R z 2011 o - Ap Sat>=1 4 0 -
--R z 2011 o - S lastSat 3 1 -
--R z 2012 ma - Ap Sun>=1 4 0 -
--R z 2012 ma - S lastSun 3 1 -
-+R WS 2010 o - S lastSun 0 1 -
-+R WS 2011 o - Ap Sat>=1 4 0 -
-+R WS 2011 o - S lastSat 3 1 -
-+R WS 2012 ma - Ap Sun>=1 4 0 -
-+R WS 2012 ma - S lastSun 3 1 -
- Z Pacific/Apia 12:33:4 - LMT 1892 Jul 5
- -11:26:56 - LMT 1911
- -11:30 - -1130 1950
---11 z -11/-10 2011 D 29 24
--13 z +13/+14
-+-11 WS -11/-10 2011 D 29 24
-+13 WS +13/+14
- Z Pacific/Guadalcanal 10:39:48 - LMT 1912 O
- 11 - +11
- Z Pacific/Fakaofo -11:24:56 - LMT 1901
- -11 - -11 2011 D 30
- 13 - +13
--R ! 1999 o - O 7 2s 1 -
--R ! 2000 o - Mar 19 2s 0 -
--R ! 2000 2001 - N Sun>=1 2 1 -
--R ! 2001 2002 - Ja lastSun 2 0 -
--R ! 2016 o - N Sun>=1 2 1 -
--R ! 2017 o - Ja Sun>=15 3 0 -
-+R TO 1999 o - O 7 2s 1 -
-+R TO 2000 o - Mar 19 2s 0 -
-+R TO 2000 2001 - N Sun>=1 2 1 -
-+R TO 2001 2002 - Ja lastSun 2 0 -
-+R TO 2016 o - N Sun>=1 2 1 -
-+R TO 2017 o - Ja Sun>=15 3 0 -
- Z Pacific/Tongatapu 12:19:20 - LMT 1901
- 12:20 - +1220 1941
- 13 - +13 1999
--13 ! +13/+14
-+13 TO +13/+14
- Z Pacific/Funafuti 11:56:52 - LMT 1901
- 12 - +12
- Z Pacific/Wake 11:6:28 - LMT 1901
- 12 - +12
--R $ 1983 o - S 25 0 1 -
--R $ 1984 1991 - Mar Sun>=23 0 0 -
--R $ 1984 o - O 23 0 1 -
--R $ 1985 1991 - S Sun>=23 0 1 -
--R $ 1992 1993 - Ja Sun>=23 0 0 -
--R $ 1992 o - O Sun>=23 0 1 -
-+R VU 1983 o - S 25 0 1 -
-+R VU 1984 1991 - Mar Sun>=23 0 0 -
-+R VU 1984 o - O 23 0 1 -
-+R VU 1985 1991 - S Sun>=23 0 1 -
-+R VU 1992 1993 - Ja Sun>=23 0 0 -
-+R VU 1992 o - O Sun>=23 0 1 -
- Z Pacific/Efate 11:13:16 - LMT 1912 Ja 13
--11 $ +11/+12
-+11 VU +11/+12
- Z Pacific/Wallis 12:15:20 - LMT 1901
- 12 - +12
--R % 1916 o - May 21 2s 1 BST
--R % 1916 o - O 1 2s 0 GMT
--R % 1917 o - Ap 8 2s 1 BST
--R % 1917 o - S 17 2s 0 GMT
--R % 1918 o - Mar 24 2s 1 BST
--R % 1918 o - S 30 2s 0 GMT
--R % 1919 o - Mar 30 2s 1 BST
--R % 1919 o - S 29 2s 0 GMT
--R % 1920 o - Mar 28 2s 1 BST
--R % 1920 o - O 25 2s 0 GMT
--R % 1921 o - Ap 3 2s 1 BST
--R % 1921 o - O 3 2s 0 GMT
--R % 1922 o - Mar 26 2s 1 BST
--R % 1922 o - O 8 2s 0 GMT
--R % 1923 o - Ap Sun>=16 2s 1 BST
--R % 1923 1924 - S Sun>=16 2s 0 GMT
--R % 1924 o - Ap Sun>=9 2s 1 BST
--R % 1925 1926 - Ap Sun>=16 2s 1 BST
--R % 1925 1938 - O Sun>=2 2s 0 GMT
--R % 1927 o - Ap Sun>=9 2s 1 BST
--R % 1928 1929 - Ap Sun>=16 2s 1 BST
--R % 1930 o - Ap Sun>=9 2s 1 BST
--R % 1931 1932 - Ap Sun>=16 2s 1 BST
--R % 1933 o - Ap Sun>=9 2s 1 BST
--R % 1934 o - Ap Sun>=16 2s 1 BST
--R % 1935 o - Ap Sun>=9 2s 1 BST
--R % 1936 1937 - Ap Sun>=16 2s 1 BST
--R % 1938 o - Ap Sun>=9 2s 1 BST
--R % 1939 o - Ap Sun>=16 2s 1 BST
--R % 1939 o - N Sun>=16 2s 0 GMT
--R % 1940 o - F Sun>=23 2s 1 BST
--R % 1941 o - May Sun>=2 1s 2 BDST
--R % 1941 1943 - Au Sun>=9 1s 1 BST
--R % 1942 1944 - Ap Sun>=2 1s 2 BDST
--R % 1944 o - S Sun>=16 1s 1 BST
--R % 1945 o - Ap M>=2 1s 2 BDST
--R % 1945 o - Jul Sun>=9 1s 1 BST
--R % 1945 1946 - O Sun>=2 2s 0 GMT
--R % 1946 o - Ap Sun>=9 2s 1 BST
--R % 1947 o - Mar 16 2s 1 BST
--R % 1947 o - Ap 13 1s 2 BDST
--R % 1947 o - Au 10 1s 1 BST
--R % 1947 o - N 2 2s 0 GMT
--R % 1948 o - Mar 14 2s 1 BST
--R % 1948 o - O 31 2s 0 GMT
--R % 1949 o - Ap 3 2s 1 BST
--R % 1949 o - O 30 2s 0 GMT
--R % 1950 1952 - Ap Sun>=14 2s 1 BST
--R % 1950 1952 - O Sun>=21 2s 0 GMT
--R % 1953 o - Ap Sun>=16 2s 1 BST
--R % 1953 1960 - O Sun>=2 2s 0 GMT
--R % 1954 o - Ap Sun>=9 2s 1 BST
--R % 1955 1956 - Ap Sun>=16 2s 1 BST
--R % 1957 o - Ap Sun>=9 2s 1 BST
--R % 1958 1959 - Ap Sun>=16 2s 1 BST
--R % 1960 o - Ap Sun>=9 2s 1 BST
--R % 1961 1963 - Mar lastSun 2s 1 BST
--R % 1961 1968 - O Sun>=23 2s 0 GMT
--R % 1964 1967 - Mar Sun>=19 2s 1 BST
--R % 1968 o - F 18 2s 1 BST
--R % 1972 1980 - Mar Sun>=16 2s 1 BST
--R % 1972 1980 - O Sun>=23 2s 0 GMT
--R % 1981 1995 - Mar lastSun 1u 1 BST
--R % 1981 1989 - O Sun>=23 1u 0 GMT
--R % 1990 1995 - O Sun>=22 1u 0 GMT
-+R G 1916 o - May 21 2s 1 BST
-+R G 1916 o - O 1 2s 0 GMT
-+R G 1917 o - Ap 8 2s 1 BST
-+R G 1917 o - S 17 2s 0 GMT
-+R G 1918 o - Mar 24 2s 1 BST
-+R G 1918 o - S 30 2s 0 GMT
-+R G 1919 o - Mar 30 2s 1 BST
-+R G 1919 o - S 29 2s 0 GMT
-+R G 1920 o - Mar 28 2s 1 BST
-+R G 1920 o - O 25 2s 0 GMT
-+R G 1921 o - Ap 3 2s 1 BST
-+R G 1921 o - O 3 2s 0 GMT
-+R G 1922 o - Mar 26 2s 1 BST
-+R G 1922 o - O 8 2s 0 GMT
-+R G 1923 o - Ap Sun>=16 2s 1 BST
-+R G 1923 1924 - S Sun>=16 2s 0 GMT
-+R G 1924 o - Ap Sun>=9 2s 1 BST
-+R G 1925 1926 - Ap Sun>=16 2s 1 BST
-+R G 1925 1938 - O Sun>=2 2s 0 GMT
-+R G 1927 o - Ap Sun>=9 2s 1 BST
-+R G 1928 1929 - Ap Sun>=16 2s 1 BST
-+R G 1930 o - Ap Sun>=9 2s 1 BST
-+R G 1931 1932 - Ap Sun>=16 2s 1 BST
-+R G 1933 o - Ap Sun>=9 2s 1 BST
-+R G 1934 o - Ap Sun>=16 2s 1 BST
-+R G 1935 o - Ap Sun>=9 2s 1 BST
-+R G 1936 1937 - Ap Sun>=16 2s 1 BST
-+R G 1938 o - Ap Sun>=9 2s 1 BST
-+R G 1939 o - Ap Sun>=16 2s 1 BST
-+R G 1939 o - N Sun>=16 2s 0 GMT
-+R G 1940 o - F Sun>=23 2s 1 BST
-+R G 1941 o - May Sun>=2 1s 2 BDST
-+R G 1941 1943 - Au Sun>=9 1s 1 BST
-+R G 1942 1944 - Ap Sun>=2 1s 2 BDST
-+R G 1944 o - S Sun>=16 1s 1 BST
-+R G 1945 o - Ap M>=2 1s 2 BDST
-+R G 1945 o - Jul Sun>=9 1s 1 BST
-+R G 1945 1946 - O Sun>=2 2s 0 GMT
-+R G 1946 o - Ap Sun>=9 2s 1 BST
-+R G 1947 o - Mar 16 2s 1 BST
-+R G 1947 o - Ap 13 1s 2 BDST
-+R G 1947 o - Au 10 1s 1 BST
-+R G 1947 o - N 2 2s 0 GMT
-+R G 1948 o - Mar 14 2s 1 BST
-+R G 1948 o - O 31 2s 0 GMT
-+R G 1949 o - Ap 3 2s 1 BST
-+R G 1949 o - O 30 2s 0 GMT
-+R G 1950 1952 - Ap Sun>=14 2s 1 BST
-+R G 1950 1952 - O Sun>=21 2s 0 GMT
-+R G 1953 o - Ap Sun>=16 2s 1 BST
-+R G 1953 1960 - O Sun>=2 2s 0 GMT
-+R G 1954 o - Ap Sun>=9 2s 1 BST
-+R G 1955 1956 - Ap Sun>=16 2s 1 BST
-+R G 1957 o - Ap Sun>=9 2s 1 BST
-+R G 1958 1959 - Ap Sun>=16 2s 1 BST
-+R G 1960 o - Ap Sun>=9 2s 1 BST
-+R G 1961 1963 - Mar lastSun 2s 1 BST
-+R G 1961 1968 - O Sun>=23 2s 0 GMT
-+R G 1964 1967 - Mar Sun>=19 2s 1 BST
-+R G 1968 o - F 18 2s 1 BST
-+R G 1972 1980 - Mar Sun>=16 2s 1 BST
-+R G 1972 1980 - O Sun>=23 2s 0 GMT
-+R G 1981 1995 - Mar lastSun 1u 1 BST
-+R G 1981 1989 - O Sun>=23 1u 0 GMT
-+R G 1990 1995 - O Sun>=22 1u 0 GMT
- Z Europe/London -0:1:15 - LMT 1847 D 1 0s
--0 % %s 1968 O 27
-+0 G %s 1968 O 27
- 1 - BST 1971 O 31 2u
--0 % %s 1996
--0 O GMT/BST
-+0 G %s 1996
-+0 E GMT/BST
- Li Europe/London Europe/Jersey
- Li Europe/London Europe/Guernsey
- Li Europe/London Europe/Isle_of_Man
--R & 1971 o - O 31 2u -1 -
--R & 1972 1980 - Mar Sun>=16 2u 0 -
--R & 1972 1980 - O Sun>=23 2u -1 -
--R & 1981 ma - Mar lastSun 1u 0 -
--R & 1981 1989 - O Sun>=23 1u -1 -
--R & 1990 1995 - O Sun>=22 1u -1 -
--R & 1996 ma - O lastSun 1u -1 -
-+R IE 1971 o - O 31 2u -1 -
-+R IE 1972 1980 - Mar Sun>=16 2u 0 -
-+R IE 1972 1980 - O Sun>=23 2u -1 -
-+R IE 1981 ma - Mar lastSun 1u 0 -
-+R IE 1981 1989 - O Sun>=23 1u -1 -
-+R IE 1990 1995 - O Sun>=22 1u -1 -
-+R IE 1996 ma - O lastSun 1u -1 -
- Z Europe/Dublin -0:25 - LMT 1880 Au 2
- -0:25:21 - DMT 1916 May 21 2s
- -0:25:21 1 IST 1916 O 1 2s
--0 % %s 1921 D 6
--0 % GMT/IST 1940 F 25 2s
-+0 G %s 1921 D 6
-+0 G GMT/IST 1940 F 25 2s
- 0 1 IST 1946 O 6 2s
- 0 - GMT 1947 Mar 16 2s
- 0 1 IST 1947 N 2 2s
- 0 - GMT 1948 Ap 18 2s
--0 % GMT/IST 1968 O 27
--1 & IST/GMT
--R O 1977 1980 - Ap Sun>=1 1u 1 S
--R O 1977 o - S lastSun 1u 0 -
--R O 1978 o - O 1 1u 0 -
--R O 1979 1995 - S lastSun 1u 0 -
--R O 1981 ma - Mar lastSun 1u 1 S
--R O 1996 ma - O lastSun 1u 0 -
--R ' 1977 1980 - Ap Sun>=1 1s 1 S
--R ' 1977 o - S lastSun 1s 0 -
--R ' 1978 o - O 1 1s 0 -
--R ' 1979 1995 - S lastSun 1s 0 -
--R ' 1981 ma - Mar lastSun 1s 1 S
--R ' 1996 ma - O lastSun 1s 0 -
--R ( 1916 o - Ap 30 23 1 S
--R ( 1916 o - O 1 1 0 -
--R ( 1917 1918 - Ap M>=15 2s 1 S
--R ( 1917 1918 - S M>=15 2s 0 -
--R ( 1940 o - Ap 1 2s 1 S
--R ( 1942 o - N 2 2s 0 -
--R ( 1943 o - Mar 29 2s 1 S
--R ( 1943 o - O 4 2s 0 -
--R ( 1944 1945 - Ap M>=1 2s 1 S
--R ( 1944 o - O 2 2s 0 -
--R ( 1945 o - S 16 2s 0 -
--R ( 1977 1980 - Ap Sun>=1 2s 1 S
--R ( 1977 o - S lastSun 2s 0 -
--R ( 1978 o - O 1 2s 0 -
--R ( 1979 1995 - S lastSun 2s 0 -
--R ( 1981 ma - Mar lastSun 2s 1 S
--R ( 1996 ma - O lastSun 2s 0 -
--R W 1977 1980 - Ap Sun>=1 0 1 S
--R W 1977 o - S lastSun 0 0 -
--R W 1978 o - O 1 0 0 -
--R W 1979 1995 - S lastSun 0 0 -
--R W 1981 ma - Mar lastSun 0 1 S
--R W 1996 ma - O lastSun 0 0 -
--R M 1917 o - Jul 1 23 1 MST
--R M 1917 o - D 28 0 0 MMT
--R M 1918 o - May 31 22 2 MDST
--R M 1918 o - S 16 1 1 MST
--R M 1919 o - May 31 23 2 MDST
--R M 1919 o - Jul 1 0u 1 MSD
--R M 1919 o - Au 16 0 0 MSK
--R M 1921 o - F 14 23 1 MSD
--R M 1921 o - Mar 20 23 2 +05
--R M 1921 o - S 1 0 1 MSD
--R M 1921 o - O 1 0 0 -
--R M 1981 1984 - Ap 1 0 1 S
--R M 1981 1983 - O 1 0 0 -
--R M 1984 1995 - S lastSun 2s 0 -
--R M 1985 2010 - Mar lastSun 2s 1 S
--R M 1996 2010 - O lastSun 2s 0 -
--Z WET 0 O WE%sT
--Z CET 1 ( CE%sT
--Z MET 1 ( ME%sT
--Z EET 2 O EE%sT
--R ) 1940 o - Jun 16 0 1 S
--R ) 1942 o - N 2 3 0 -
--R ) 1943 o - Mar 29 2 1 S
--R ) 1943 o - Ap 10 3 0 -
--R ) 1974 o - May 4 0 1 S
--R ) 1974 o - O 2 0 0 -
--R ) 1975 o - May 1 0 1 S
--R ) 1975 o - O 2 0 0 -
--R ) 1976 o - May 2 0 1 S
--R ) 1976 o - O 3 0 0 -
--R ) 1977 o - May 8 0 1 S
--R ) 1977 o - O 2 0 0 -
--R ) 1978 o - May 6 0 1 S
--R ) 1978 o - O 1 0 0 -
--R ) 1979 o - May 5 0 1 S
--R ) 1979 o - S 30 0 0 -
--R ) 1980 o - May 3 0 1 S
--R ) 1980 o - O 4 0 0 -
--R ) 1981 o - Ap 26 0 1 S
--R ) 1981 o - S 27 0 0 -
--R ) 1982 o - May 2 0 1 S
--R ) 1982 o - O 3 0 0 -
--R ) 1983 o - Ap 18 0 1 S
--R ) 1983 o - O 1 0 0 -
--R ) 1984 o - Ap 1 0 1 S
-+0 G GMT/IST 1968 O 27
-+1 IE IST/GMT
-+R E 1977 1980 - Ap Sun>=1 1u 1 S
-+R E 1977 o - S lastSun 1u 0 -
-+R E 1978 o - O 1 1u 0 -
-+R E 1979 1995 - S lastSun 1u 0 -
-+R E 1981 ma - Mar lastSun 1u 1 S
-+R E 1996 ma - O lastSun 1u 0 -
-+R W- 1977 1980 - Ap Sun>=1 1s 1 S
-+R W- 1977 o - S lastSun 1s 0 -
-+R W- 1978 o - O 1 1s 0 -
-+R W- 1979 1995 - S lastSun 1s 0 -
-+R W- 1981 ma - Mar lastSun 1s 1 S
-+R W- 1996 ma - O lastSun 1s 0 -
-+R c 1916 o - Ap 30 23 1 S
-+R c 1916 o - O 1 1 0 -
-+R c 1917 1918 - Ap M>=15 2s 1 S
-+R c 1917 1918 - S M>=15 2s 0 -
-+R c 1940 o - Ap 1 2s 1 S
-+R c 1942 o - N 2 2s 0 -
-+R c 1943 o - Mar 29 2s 1 S
-+R c 1943 o - O 4 2s 0 -
-+R c 1944 1945 - Ap M>=1 2s 1 S
-+R c 1944 o - O 2 2s 0 -
-+R c 1945 o - S 16 2s 0 -
-+R c 1977 1980 - Ap Sun>=1 2s 1 S
-+R c 1977 o - S lastSun 2s 0 -
-+R c 1978 o - O 1 2s 0 -
-+R c 1979 1995 - S lastSun 2s 0 -
-+R c 1981 ma - Mar lastSun 2s 1 S
-+R c 1996 ma - O lastSun 2s 0 -
-+R e 1977 1980 - Ap Sun>=1 0 1 S
-+R e 1977 o - S lastSun 0 0 -
-+R e 1978 o - O 1 0 0 -
-+R e 1979 1995 - S lastSun 0 0 -
-+R e 1981 ma - Mar lastSun 0 1 S
-+R e 1996 ma - O lastSun 0 0 -
-+R R 1917 o - Jul 1 23 1 MST
-+R R 1917 o - D 28 0 0 MMT
-+R R 1918 o - May 31 22 2 MDST
-+R R 1918 o - S 16 1 1 MST
-+R R 1919 o - May 31 23 2 MDST
-+R R 1919 o - Jul 1 0u 1 MSD
-+R R 1919 o - Au 16 0 0 MSK
-+R R 1921 o - F 14 23 1 MSD
-+R R 1921 o - Mar 20 23 2 +05
-+R R 1921 o - S 1 0 1 MSD
-+R R 1921 o - O 1 0 0 -
-+R R 1981 1984 - Ap 1 0 1 S
-+R R 1981 1983 - O 1 0 0 -
-+R R 1984 1995 - S lastSun 2s 0 -
-+R R 1985 2010 - Mar lastSun 2s 1 S
-+R R 1996 2010 - O lastSun 2s 0 -
-+Z WET 0 E WE%sT
-+Z CET 1 c CE%sT
-+Z MET 1 c ME%sT
-+Z EET 2 E EE%sT
-+R q 1940 o - Jun 16 0 1 S
-+R q 1942 o - N 2 3 0 -
-+R q 1943 o - Mar 29 2 1 S
-+R q 1943 o - Ap 10 3 0 -
-+R q 1974 o - May 4 0 1 S
-+R q 1974 o - O 2 0 0 -
-+R q 1975 o - May 1 0 1 S
-+R q 1975 o - O 2 0 0 -
-+R q 1976 o - May 2 0 1 S
-+R q 1976 o - O 3 0 0 -
-+R q 1977 o - May 8 0 1 S
-+R q 1977 o - O 2 0 0 -
-+R q 1978 o - May 6 0 1 S
-+R q 1978 o - O 1 0 0 -
-+R q 1979 o - May 5 0 1 S
-+R q 1979 o - S 30 0 0 -
-+R q 1980 o - May 3 0 1 S
-+R q 1980 o - O 4 0 0 -
-+R q 1981 o - Ap 26 0 1 S
-+R q 1981 o - S 27 0 0 -
-+R q 1982 o - May 2 0 1 S
-+R q 1982 o - O 3 0 0 -
-+R q 1983 o - Ap 18 0 1 S
-+R q 1983 o - O 1 0 0 -
-+R q 1984 o - Ap 1 0 1 S
- Z Europe/Tirane 1:19:20 - LMT 1914
- 1 - CET 1940 Jun 16
--1 ) CE%sT 1984 Jul
--1 O CE%sT
-+1 q CE%sT 1984 Jul
-+1 E CE%sT
- Z Europe/Andorra 0:6:4 - LMT 1901
- 0 - WET 1946 S 30
- 1 - CET 1985 Mar 31 2
--1 O CE%sT
--R * 1920 o - Ap 5 2s 1 S
--R * 1920 o - S 13 2s 0 -
--R * 1946 o - Ap 14 2s 1 S
--R * 1946 1948 - O Sun>=1 2s 0 -
--R * 1947 o - Ap 6 2s 1 S
--R * 1948 o - Ap 18 2s 1 S
--R * 1980 o - Ap 6 0 1 S
--R * 1980 o - S 28 0 0 -
-+1 E CE%sT
-+R a 1920 o - Ap 5 2s 1 S
-+R a 1920 o - S 13 2s 0 -
-+R a 1946 o - Ap 14 2s 1 S
-+R a 1946 1948 - O Sun>=1 2s 0 -
-+R a 1947 o - Ap 6 2s 1 S
-+R a 1948 o - Ap 18 2s 1 S
-+R a 1980 o - Ap 6 0 1 S
-+R a 1980 o - S 28 0 0 -
- Z Europe/Vienna 1:5:21 - LMT 1893 Ap
--1 ( CE%sT 1920
--1 * CE%sT 1940 Ap 1 2s
--1 ( CE%sT 1945 Ap 2 2s
-+1 c CE%sT 1920
-+1 a CE%sT 1940 Ap 1 2s
-+1 c CE%sT 1945 Ap 2 2s
- 1 1 CEST 1945 Ap 12 2s
- 1 - CET 1946
--1 * CE%sT 1981
--1 O CE%sT
-+1 a CE%sT 1981
-+1 E CE%sT
- Z Europe/Minsk 1:50:16 - LMT 1880
- 1:50 - MMT 1924 May 2
- 2 - EET 1930 Jun 21
- 3 - MSK 1941 Jun 28
--1 ( CE%sT 1944 Jul 3
--3 M MSK/MSD 1990
-+1 c CE%sT 1944 Jul 3
-+3 R MSK/MSD 1990
- 3 - MSK 1991 Mar 31 2s
--2 M EE%sT 2011 Mar 27 2s
-+2 R EE%sT 2011 Mar 27 2s
- 3 - +03
--R + 1918 o - Mar 9 0s 1 S
--R + 1918 1919 - O Sat>=1 23s 0 -
--R + 1919 o - Mar 1 23s 1 S
--R + 1920 o - F 14 23s 1 S
--R + 1920 o - O 23 23s 0 -
--R + 1921 o - Mar 14 23s 1 S
--R + 1921 o - O 25 23s 0 -
--R + 1922 o - Mar 25 23s 1 S
--R + 1922 1927 - O Sat>=1 23s 0 -
--R + 1923 o - Ap 21 23s 1 S
--R + 1924 o - Mar 29 23s 1 S
--R + 1925 o - Ap 4 23s 1 S
--R + 1926 o - Ap 17 23s 1 S
--R + 1927 o - Ap 9 23s 1 S
--R + 1928 o - Ap 14 23s 1 S
--R + 1928 1938 - O Sun>=2 2s 0 -
--R + 1929 o - Ap 21 2s 1 S
--R + 1930 o - Ap 13 2s 1 S
--R + 1931 o - Ap 19 2s 1 S
--R + 1932 o - Ap 3 2s 1 S
--R + 1933 o - Mar 26 2s 1 S
--R + 1934 o - Ap 8 2s 1 S
--R + 1935 o - Mar 31 2s 1 S
--R + 1936 o - Ap 19 2s 1 S
--R + 1937 o - Ap 4 2s 1 S
--R + 1938 o - Mar 27 2s 1 S
--R + 1939 o - Ap 16 2s 1 S
--R + 1939 o - N 19 2s 0 -
--R + 1940 o - F 25 2s 1 S
--R + 1944 o - S 17 2s 0 -
--R + 1945 o - Ap 2 2s 1 S
--R + 1945 o - S 16 2s 0 -
--R + 1946 o - May 19 2s 1 S
--R + 1946 o - O 7 2s 0 -
-+R b 1918 o - Mar 9 0s 1 S
-+R b 1918 1919 - O Sat>=1 23s 0 -
-+R b 1919 o - Mar 1 23s 1 S
-+R b 1920 o - F 14 23s 1 S
-+R b 1920 o - O 23 23s 0 -
-+R b 1921 o - Mar 14 23s 1 S
-+R b 1921 o - O 25 23s 0 -
-+R b 1922 o - Mar 25 23s 1 S
-+R b 1922 1927 - O Sat>=1 23s 0 -
-+R b 1923 o - Ap 21 23s 1 S
-+R b 1924 o - Mar 29 23s 1 S
-+R b 1925 o - Ap 4 23s 1 S
-+R b 1926 o - Ap 17 23s 1 S
-+R b 1927 o - Ap 9 23s 1 S
-+R b 1928 o - Ap 14 23s 1 S
-+R b 1928 1938 - O Sun>=2 2s 0 -
-+R b 1929 o - Ap 21 2s 1 S
-+R b 1930 o - Ap 13 2s 1 S
-+R b 1931 o - Ap 19 2s 1 S
-+R b 1932 o - Ap 3 2s 1 S
-+R b 1933 o - Mar 26 2s 1 S
-+R b 1934 o - Ap 8 2s 1 S
-+R b 1935 o - Mar 31 2s 1 S
-+R b 1936 o - Ap 19 2s 1 S
-+R b 1937 o - Ap 4 2s 1 S
-+R b 1938 o - Mar 27 2s 1 S
-+R b 1939 o - Ap 16 2s 1 S
-+R b 1939 o - N 19 2s 0 -
-+R b 1940 o - F 25 2s 1 S
-+R b 1944 o - S 17 2s 0 -
-+R b 1945 o - Ap 2 2s 1 S
-+R b 1945 o - S 16 2s 0 -
-+R b 1946 o - May 19 2s 1 S
-+R b 1946 o - O 7 2s 0 -
- Z Europe/Brussels 0:17:30 - LMT 1880
- 0:17:30 - BMT 1892 May 1 12
- 0 - WET 1914 N 8
- 1 - CET 1916 May
--1 ( CE%sT 1918 N 11 11u
--0 + WE%sT 1940 May 20 2s
--1 ( CE%sT 1944 S 3
--1 + CE%sT 1977
--1 O CE%sT
--R , 1979 o - Mar 31 23 1 S
--R , 1979 o - O 1 1 0 -
--R , 1980 1982 - Ap Sat>=1 23 1 S
--R , 1980 o - S 29 1 0 -
--R , 1981 o - S 27 2 0 -
-+1 c CE%sT 1918 N 11 11u
-+0 b WE%sT 1940 May 20 2s
-+1 c CE%sT 1944 S 3
-+1 b CE%sT 1977
-+1 E CE%sT
-+R BG 1979 o - Mar 31 23 1 S
-+R BG 1979 o - O 1 1 0 -
-+R BG 1980 1982 - Ap Sat>=1 23 1 S
-+R BG 1980 o - S 29 1 0 -
-+R BG 1981 o - S 27 2 0 -
- Z Europe/Sofia 1:33:16 - LMT 1880
- 1:56:56 - IMT 1894 N 30
- 2 - EET 1942 N 2 3
--1 ( CE%sT 1945
-+1 c CE%sT 1945
- 1 - CET 1945 Ap 2 3
- 2 - EET 1979 Mar 31 23
--2 , EE%sT 1982 S 26 3
--2 ( EE%sT 1991
--2 W EE%sT 1997
--2 O EE%sT
--R . 1945 o - Ap M>=1 2s 1 S
--R . 1945 o - O 1 2s 0 -
--R . 1946 o - May 6 2s 1 S
--R . 1946 1949 - O Sun>=1 2s 0 -
--R . 1947 1948 - Ap Sun>=15 2s 1 S
--R . 1949 o - Ap 9 2s 1 S
-+2 BG EE%sT 1982 S 26 3
-+2 c EE%sT 1991
-+2 e EE%sT 1997
-+2 E EE%sT
-+R CZ 1945 o - Ap M>=1 2s 1 S
-+R CZ 1945 o - O 1 2s 0 -
-+R CZ 1946 o - May 6 2s 1 S
-+R CZ 1946 1949 - O Sun>=1 2s 0 -
-+R CZ 1947 1948 - Ap Sun>=15 2s 1 S
-+R CZ 1949 o - Ap 9 2s 1 S
- Z Europe/Prague 0:57:44 - LMT 1850
- 0:57:44 - PMT 1891 O
--1 ( CE%sT 1945 May 9
--1 . CE%sT 1946 D 1 3
-+1 c CE%sT 1945 May 9
-+1 CZ CE%sT 1946 D 1 3
- 1 -1 GMT 1947 F 23 2
--1 . CE%sT 1979
--1 O CE%sT
--R / 1916 o - May 14 23 1 S
--R / 1916 o - S 30 23 0 -
--R / 1940 o - May 15 0 1 S
--R / 1945 o - Ap 2 2s 1 S
--R / 1945 o - Au 15 2s 0 -
--R / 1946 o - May 1 2s 1 S
--R / 1946 o - S 1 2s 0 -
--R / 1947 o - May 4 2s 1 S
--R / 1947 o - Au 10 2s 0 -
--R / 1948 o - May 9 2s 1 S
--R / 1948 o - Au 8 2s 0 -
-+1 CZ CE%sT 1979
-+1 E CE%sT
-+R D 1916 o - May 14 23 1 S
-+R D 1916 o - S 30 23 0 -
-+R D 1940 o - May 15 0 1 S
-+R D 1945 o - Ap 2 2s 1 S
-+R D 1945 o - Au 15 2s 0 -
-+R D 1946 o - May 1 2s 1 S
-+R D 1946 o - S 1 2s 0 -
-+R D 1947 o - May 4 2s 1 S
-+R D 1947 o - Au 10 2s 0 -
-+R D 1948 o - May 9 2s 1 S
-+R D 1948 o - Au 8 2s 0 -
- Z Europe/Copenhagen 0:50:20 - LMT 1890
- 0:50:20 - CMT 1894
--1 / CE%sT 1942 N 2 2s
--1 ( CE%sT 1945 Ap 2 2
--1 / CE%sT 1980
--1 O CE%sT
-+1 D CE%sT 1942 N 2 2s
-+1 c CE%sT 1945 Ap 2 2
-+1 D CE%sT 1980
-+1 E CE%sT
- Z Atlantic/Faroe -0:27:4 - LMT 1908 Ja 11
- 0 - WET 1981
--0 O WE%sT
--R : 1991 1992 - Mar lastSun 2 1 D
--R : 1991 1992 - S lastSun 2 0 S
--R : 1993 2006 - Ap Sun>=1 2 1 D
--R : 1993 2006 - O lastSun 2 0 S
--R : 2007 ma - Mar Sun>=8 2 1 D
--R : 2007 ma - N Sun>=1 2 0 S
-+0 E WE%sT
-+R Th 1991 1992 - Mar lastSun 2 1 D
-+R Th 1991 1992 - S lastSun 2 0 S
-+R Th 1993 2006 - Ap Sun>=1 2 1 D
-+R Th 1993 2006 - O lastSun 2 0 S
-+R Th 2007 ma - Mar Sun>=8 2 1 D
-+R Th 2007 ma - N Sun>=1 2 0 S
- Z America/Danmarkshavn -1:14:40 - LMT 1916 Jul 28
- -3 - -03 1980 Ap 6 2
---3 O -03/-02 1996
-+-3 E -03/-02 1996
- 0 - GMT
- Z America/Scoresbysund -1:27:52 - LMT 1916 Jul 28
- -2 - -02 1980 Ap 6 2
---2 ( -02/-01 1981 Mar 29
---1 O -01/+00
-+-2 c -02/-01 1981 Mar 29
-+-1 E -01/+00
- Z America/Godthab -3:26:56 - LMT 1916 Jul 28
- -3 - -03 1980 Ap 6 2
---3 O -03/-02
-+-3 E -03/-02
- Z America/Thule -4:35:8 - LMT 1916 Jul 28
---4 : A%sT
-+-4 Th A%sT
- Z Europe/Tallinn 1:39 - LMT 1880
- 1:39 - TMT 1918 F
--1 ( CE%sT 1919 Jul
-+1 c CE%sT 1919 Jul
- 1:39 - TMT 1921 May
- 2 - EET 1940 Au 6
- 3 - MSK 1941 S 15
--1 ( CE%sT 1944 S 22
--3 M MSK/MSD 1989 Mar 26 2s
-+1 c CE%sT 1944 S 22
-+3 R MSK/MSD 1989 Mar 26 2s
- 2 1 EEST 1989 S 24 2s
--2 ( EE%sT 1998 S 22
--2 O EE%sT 1999 O 31 4
-+2 c EE%sT 1998 S 22
-+2 E EE%sT 1999 O 31 4
- 2 - EET 2002 F 21
--2 O EE%sT
--R ; 1942 o - Ap 2 24 1 S
--R ; 1942 o - O 4 1 0 -
--R ; 1981 1982 - Mar lastSun 2 1 S
--R ; 1981 1982 - S lastSun 3 0 -
-+2 E EE%sT
-+R FI 1942 o - Ap 2 24 1 S
-+R FI 1942 o - O 4 1 0 -
-+R FI 1981 1982 - Mar lastSun 2 1 S
-+R FI 1981 1982 - S lastSun 3 0 -
- Z Europe/Helsinki 1:39:49 - LMT 1878 May 31
- 1:39:49 - HMT 1921 May
--2 ; EE%sT 1983
--2 O EE%sT
-+2 FI EE%sT 1983
-+2 E EE%sT
- Li Europe/Helsinki Europe/Mariehamn
--R < 1916 o - Jun 14 23s 1 S
--R < 1916 1919 - O Sun>=1 23s 0 -
--R < 1917 o - Mar 24 23s 1 S
--R < 1918 o - Mar 9 23s 1 S
--R < 1919 o - Mar 1 23s 1 S
--R < 1920 o - F 14 23s 1 S
--R < 1920 o - O 23 23s 0 -
--R < 1921 o - Mar 14 23s 1 S
--R < 1921 o - O 25 23s 0 -
--R < 1922 o - Mar 25 23s 1 S
--R < 1922 1938 - O Sat>=1 23s 0 -
--R < 1923 o - May 26 23s 1 S
--R < 1924 o - Mar 29 23s 1 S
--R < 1925 o - Ap 4 23s 1 S
--R < 1926 o - Ap 17 23s 1 S
--R < 1927 o - Ap 9 23s 1 S
--R < 1928 o - Ap 14 23s 1 S
--R < 1929 o - Ap 20 23s 1 S
--R < 1930 o - Ap 12 23s 1 S
--R < 1931 o - Ap 18 23s 1 S
--R < 1932 o - Ap 2 23s 1 S
--R < 1933 o - Mar 25 23s 1 S
--R < 1934 o - Ap 7 23s 1 S
--R < 1935 o - Mar 30 23s 1 S
--R < 1936 o - Ap 18 23s 1 S
--R < 1937 o - Ap 3 23s 1 S
--R < 1938 o - Mar 26 23s 1 S
--R < 1939 o - Ap 15 23s 1 S
--R < 1939 o - N 18 23s 0 -
--R < 1940 o - F 25 2 1 S
--R < 1941 o - May 5 0 2 M
--R < 1941 o - O 6 0 1 S
--R < 1942 o - Mar 9 0 2 M
--R < 1942 o - N 2 3 1 S
--R < 1943 o - Mar 29 2 2 M
--R < 1943 o - O 4 3 1 S
--R < 1944 o - Ap 3 2 2 M
--R < 1944 o - O 8 1 1 S
--R < 1945 o - Ap 2 2 2 M
--R < 1945 o - S 16 3 0 -
--R < 1976 o - Mar 28 1 1 S
--R < 1976 o - S 26 1 0 -
-+R F 1916 o - Jun 14 23s 1 S
-+R F 1916 1919 - O Sun>=1 23s 0 -
-+R F 1917 o - Mar 24 23s 1 S
-+R F 1918 o - Mar 9 23s 1 S
-+R F 1919 o - Mar 1 23s 1 S
-+R F 1920 o - F 14 23s 1 S
-+R F 1920 o - O 23 23s 0 -
-+R F 1921 o - Mar 14 23s 1 S
-+R F 1921 o - O 25 23s 0 -
-+R F 1922 o - Mar 25 23s 1 S
-+R F 1922 1938 - O Sat>=1 23s 0 -
-+R F 1923 o - May 26 23s 1 S
-+R F 1924 o - Mar 29 23s 1 S
-+R F 1925 o - Ap 4 23s 1 S
-+R F 1926 o - Ap 17 23s 1 S
-+R F 1927 o - Ap 9 23s 1 S
-+R F 1928 o - Ap 14 23s 1 S
-+R F 1929 o - Ap 20 23s 1 S
-+R F 1930 o - Ap 12 23s 1 S
-+R F 1931 o - Ap 18 23s 1 S
-+R F 1932 o - Ap 2 23s 1 S
-+R F 1933 o - Mar 25 23s 1 S
-+R F 1934 o - Ap 7 23s 1 S
-+R F 1935 o - Mar 30 23s 1 S
-+R F 1936 o - Ap 18 23s 1 S
-+R F 1937 o - Ap 3 23s 1 S
-+R F 1938 o - Mar 26 23s 1 S
-+R F 1939 o - Ap 15 23s 1 S
-+R F 1939 o - N 18 23s 0 -
-+R F 1940 o - F 25 2 1 S
-+R F 1941 o - May 5 0 2 M
-+R F 1941 o - O 6 0 1 S
-+R F 1942 o - Mar 9 0 2 M
-+R F 1942 o - N 2 3 1 S
-+R F 1943 o - Mar 29 2 2 M
-+R F 1943 o - O 4 3 1 S
-+R F 1944 o - Ap 3 2 2 M
-+R F 1944 o - O 8 1 1 S
-+R F 1945 o - Ap 2 2 2 M
-+R F 1945 o - S 16 3 0 -
-+R F 1976 o - Mar 28 1 1 S
-+R F 1976 o - S 26 1 0 -
- Z Europe/Paris 0:9:21 - LMT 1891 Mar 15 0:1
- 0:9:21 - PMT 1911 Mar 11 0:1
--0 < WE%sT 1940 Jun 14 23
--1 ( CE%sT 1944 Au 25
--0 < WE%sT 1945 S 16 3
--1 < CE%sT 1977
--1 O CE%sT
--R = 1946 o - Ap 14 2s 1 S
--R = 1946 o - O 7 2s 0 -
--R = 1947 1949 - O Sun>=1 2s 0 -
--R = 1947 o - Ap 6 3s 1 S
--R = 1947 o - May 11 2s 2 M
--R = 1947 o - Jun 29 3 1 S
--R = 1948 o - Ap 18 2s 1 S
--R = 1949 o - Ap 10 2s 1 S
--R > 1945 o - May 24 2 2 M
--R > 1945 o - S 24 3 1 S
--R > 1945 o - N 18 2s 0 -
-+0 F WE%sT 1940 Jun 14 23
-+1 c CE%sT 1944 Au 25
-+0 F WE%sT 1945 S 16 3
-+1 F CE%sT 1977
-+1 E CE%sT
-+R DE 1946 o - Ap 14 2s 1 S
-+R DE 1946 o - O 7 2s 0 -
-+R DE 1947 1949 - O Sun>=1 2s 0 -
-+R DE 1947 o - Ap 6 3s 1 S
-+R DE 1947 o - May 11 2s 2 M
-+R DE 1947 o - Jun 29 3 1 S
-+R DE 1948 o - Ap 18 2s 1 S
-+R DE 1949 o - Ap 10 2s 1 S
-+R So 1945 o - May 24 2 2 M
-+R So 1945 o - S 24 3 1 S
-+R So 1945 o - N 18 2s 0 -
- Z Europe/Berlin 0:53:28 - LMT 1893 Ap
--1 ( CE%sT 1945 May 24 2
--1 > CE%sT 1946
--1 = CE%sT 1980
--1 O CE%sT
-+1 c CE%sT 1945 May 24 2
-+1 So CE%sT 1946
-+1 DE CE%sT 1980
-+1 E CE%sT
- Li Europe/Zurich Europe/Busingen
- Z Europe/Gibraltar -0:21:24 - LMT 1880 Au 2 0s
--0 % %s 1957 Ap 14 2
-+0 G %s 1957 Ap 14 2
- 1 - CET 1982
--1 O CE%sT
--R ? 1932 o - Jul 7 0 1 S
--R ? 1932 o - S 1 0 0 -
--R ? 1941 o - Ap 7 0 1 S
--R ? 1942 o - N 2 3 0 -
--R ? 1943 o - Mar 30 0 1 S
--R ? 1943 o - O 4 0 0 -
--R ? 1952 o - Jul 1 0 1 S
--R ? 1952 o - N 2 0 0 -
--R ? 1975 o - Ap 12 0s 1 S
--R ? 1975 o - N 26 0s 0 -
--R ? 1976 o - Ap 11 2s 1 S
--R ? 1976 o - O 10 2s 0 -
--R ? 1977 1978 - Ap Sun>=1 2s 1 S
--R ? 1977 o - S 26 2s 0 -
--R ? 1978 o - S 24 4 0 -
--R ? 1979 o - Ap 1 9 1 S
--R ? 1979 o - S 29 2 0 -
--R ? 1980 o - Ap 1 0 1 S
--R ? 1980 o - S 28 0 0 -
-+1 E CE%sT
-+R g 1932 o - Jul 7 0 1 S
-+R g 1932 o - S 1 0 0 -
-+R g 1941 o - Ap 7 0 1 S
-+R g 1942 o - N 2 3 0 -
-+R g 1943 o - Mar 30 0 1 S
-+R g 1943 o - O 4 0 0 -
-+R g 1952 o - Jul 1 0 1 S
-+R g 1952 o - N 2 0 0 -
-+R g 1975 o - Ap 12 0s 1 S
-+R g 1975 o - N 26 0s 0 -
-+R g 1976 o - Ap 11 2s 1 S
-+R g 1976 o - O 10 2s 0 -
-+R g 1977 1978 - Ap Sun>=1 2s 1 S
-+R g 1977 o - S 26 2s 0 -
-+R g 1978 o - S 24 4 0 -
-+R g 1979 o - Ap 1 9 1 S
-+R g 1979 o - S 29 2 0 -
-+R g 1980 o - Ap 1 0 1 S
-+R g 1980 o - S 28 0 0 -
- Z Europe/Athens 1:34:52 - LMT 1895 S 14
- 1:34:52 - AMT 1916 Jul 28 0:1
--2 ? EE%sT 1941 Ap 30
--1 ? CE%sT 1944 Ap 4
--2 ? EE%sT 1981
--2 O EE%sT
--R @ 1918 o - Ap 1 3 1 S
--R @ 1918 o - S 16 3 0 -
--R @ 1919 o - Ap 15 3 1 S
--R @ 1919 o - N 24 3 0 -
--R @ 1945 o - May 1 23 1 S
--R @ 1945 o - N 1 0 0 -
--R @ 1946 o - Mar 31 2s 1 S
--R @ 1946 1949 - O Sun>=1 2s 0 -
--R @ 1947 1949 - Ap Sun>=4 2s 1 S
--R @ 1950 o - Ap 17 2s 1 S
--R @ 1950 o - O 23 2s 0 -
--R @ 1954 1955 - May 23 0 1 S
--R @ 1954 1955 - O 3 0 0 -
--R @ 1956 o - Jun Sun>=1 0 1 S
--R @ 1956 o - S lastSun 0 0 -
--R @ 1957 o - Jun Sun>=1 1 1 S
--R @ 1957 o - S lastSun 3 0 -
--R @ 1980 o - Ap 6 1 1 S
-+2 g EE%sT 1941 Ap 30
-+1 g CE%sT 1944 Ap 4
-+2 g EE%sT 1981
-+2 E EE%sT
-+R h 1918 o - Ap 1 3 1 S
-+R h 1918 o - S 16 3 0 -
-+R h 1919 o - Ap 15 3 1 S
-+R h 1919 o - N 24 3 0 -
-+R h 1945 o - May 1 23 1 S
-+R h 1945 o - N 1 0 0 -
-+R h 1946 o - Mar 31 2s 1 S
-+R h 1946 1949 - O Sun>=1 2s 0 -
-+R h 1947 1949 - Ap Sun>=4 2s 1 S
-+R h 1950 o - Ap 17 2s 1 S
-+R h 1950 o - O 23 2s 0 -
-+R h 1954 1955 - May 23 0 1 S
-+R h 1954 1955 - O 3 0 0 -
-+R h 1956 o - Jun Sun>=1 0 1 S
-+R h 1956 o - S lastSun 0 0 -
-+R h 1957 o - Jun Sun>=1 1 1 S
-+R h 1957 o - S lastSun 3 0 -
-+R h 1980 o - Ap 6 1 1 S
- Z Europe/Budapest 1:16:20 - LMT 1890 O
--1 ( CE%sT 1918
--1 @ CE%sT 1941 Ap 8
--1 ( CE%sT 1945
--1 @ CE%sT 1980 S 28 2s
--1 O CE%sT
--R [ 1917 1919 - F 19 23 1 -
--R [ 1917 o - O 21 1 0 -
--R [ 1918 1919 - N 16 1 0 -
--R [ 1921 o - Mar 19 23 1 -
--R [ 1921 o - Jun 23 1 0 -
--R [ 1939 o - Ap 29 23 1 -
--R [ 1939 o - O 29 2 0 -
--R [ 1940 o - F 25 2 1 -
--R [ 1940 1941 - N Sun>=2 1s 0 -
--R [ 1941 1942 - Mar Sun>=2 1s 1 -
--R [ 1943 1946 - Mar Sun>=1 1s 1 -
--R [ 1942 1948 - O Sun>=22 1s 0 -
--R [ 1947 1967 - Ap Sun>=1 1s 1 -
--R [ 1949 o - O 30 1s 0 -
--R [ 1950 1966 - O Sun>=22 1s 0 -
--R [ 1967 o - O 29 1s 0 -
-+1 c CE%sT 1918
-+1 h CE%sT 1941 Ap 8
-+1 c CE%sT 1945
-+1 h CE%sT 1980 S 28 2s
-+1 E CE%sT
-+R w 1917 1919 - F 19 23 1 -
-+R w 1917 o - O 21 1 0 -
-+R w 1918 1919 - N 16 1 0 -
-+R w 1921 o - Mar 19 23 1 -
-+R w 1921 o - Jun 23 1 0 -
-+R w 1939 o - Ap 29 23 1 -
-+R w 1939 o - O 29 2 0 -
-+R w 1940 o - F 25 2 1 -
-+R w 1940 1941 - N Sun>=2 1s 0 -
-+R w 1941 1942 - Mar Sun>=2 1s 1 -
-+R w 1943 1946 - Mar Sun>=1 1s 1 -
-+R w 1942 1948 - O Sun>=22 1s 0 -
-+R w 1947 1967 - Ap Sun>=1 1s 1 -
-+R w 1949 o - O 30 1s 0 -
-+R w 1950 1966 - O Sun>=22 1s 0 -
-+R w 1967 o - O 29 1s 0 -
- Z Atlantic/Reykjavik -1:28 - LMT 1908
---1 [ -01/+00 1968 Ap 7 1s
-+-1 w -01/+00 1968 Ap 7 1s
- 0 - GMT
--R \ 1916 o - Jun 3 24 1 S
--R \ 1916 1917 - S 30 24 0 -
--R \ 1917 o - Mar 31 24 1 S
--R \ 1918 o - Mar 9 24 1 S
--R \ 1918 o - O 6 24 0 -
--R \ 1919 o - Mar 1 24 1 S
--R \ 1919 o - O 4 24 0 -
--R \ 1920 o - Mar 20 24 1 S
--R \ 1920 o - S 18 24 0 -
--R \ 1940 o - Jun 14 24 1 S
--R \ 1942 o - N 2 2s 0 -
--R \ 1943 o - Mar 29 2s 1 S
--R \ 1943 o - O 4 2s 0 -
--R \ 1944 o - Ap 2 2s 1 S
--R \ 1944 o - S 17 2s 0 -
--R \ 1945 o - Ap 2 2 1 S
--R \ 1945 o - S 15 1 0 -
--R \ 1946 o - Mar 17 2s 1 S
--R \ 1946 o - O 6 2s 0 -
--R \ 1947 o - Mar 16 0s 1 S
--R \ 1947 o - O 5 0s 0 -
--R \ 1948 o - F 29 2s 1 S
--R \ 1948 o - O 3 2s 0 -
--R \ 1966 1968 - May Sun>=22 0s 1 S
--R \ 1966 o - S 24 24 0 -
--R \ 1967 1969 - S Sun>=22 0s 0 -
--R \ 1969 o - Jun 1 0s 1 S
--R \ 1970 o - May 31 0s 1 S
--R \ 1970 o - S lastSun 0s 0 -
--R \ 1971 1972 - May Sun>=22 0s 1 S
--R \ 1971 o - S lastSun 0s 0 -
--R \ 1972 o - O 1 0s 0 -
--R \ 1973 o - Jun 3 0s 1 S
--R \ 1973 1974 - S lastSun 0s 0 -
--R \ 1974 o - May 26 0s 1 S
--R \ 1975 o - Jun 1 0s 1 S
--R \ 1975 1977 - S lastSun 0s 0 -
--R \ 1976 o - May 30 0s 1 S
--R \ 1977 1979 - May Sun>=22 0s 1 S
--R \ 1978 o - O 1 0s 0 -
--R \ 1979 o - S 30 0s 0 -
-+R I 1916 o - Jun 3 24 1 S
-+R I 1916 1917 - S 30 24 0 -
-+R I 1917 o - Mar 31 24 1 S
-+R I 1918 o - Mar 9 24 1 S
-+R I 1918 o - O 6 24 0 -
-+R I 1919 o - Mar 1 24 1 S
-+R I 1919 o - O 4 24 0 -
-+R I 1920 o - Mar 20 24 1 S
-+R I 1920 o - S 18 24 0 -
-+R I 1940 o - Jun 14 24 1 S
-+R I 1942 o - N 2 2s 0 -
-+R I 1943 o - Mar 29 2s 1 S
-+R I 1943 o - O 4 2s 0 -
-+R I 1944 o - Ap 2 2s 1 S
-+R I 1944 o - S 17 2s 0 -
-+R I 1945 o - Ap 2 2 1 S
-+R I 1945 o - S 15 1 0 -
-+R I 1946 o - Mar 17 2s 1 S
-+R I 1946 o - O 6 2s 0 -
-+R I 1947 o - Mar 16 0s 1 S
-+R I 1947 o - O 5 0s 0 -
-+R I 1948 o - F 29 2s 1 S
-+R I 1948 o - O 3 2s 0 -
-+R I 1966 1968 - May Sun>=22 0s 1 S
-+R I 1966 o - S 24 24 0 -
-+R I 1967 1969 - S Sun>=22 0s 0 -
-+R I 1969 o - Jun 1 0s 1 S
-+R I 1970 o - May 31 0s 1 S
-+R I 1970 o - S lastSun 0s 0 -
-+R I 1971 1972 - May Sun>=22 0s 1 S
-+R I 1971 o - S lastSun 0s 0 -
-+R I 1972 o - O 1 0s 0 -
-+R I 1973 o - Jun 3 0s 1 S
-+R I 1973 1974 - S lastSun 0s 0 -
-+R I 1974 o - May 26 0s 1 S
-+R I 1975 o - Jun 1 0s 1 S
-+R I 1975 1977 - S lastSun 0s 0 -
-+R I 1976 o - May 30 0s 1 S
-+R I 1977 1979 - May Sun>=22 0s 1 S
-+R I 1978 o - O 1 0s 0 -
-+R I 1979 o - S 30 0s 0 -
- Z Europe/Rome 0:49:56 - LMT 1866 S 22
- 0:49:56 - RMT 1893 O 31 23:49:56
--1 \ CE%sT 1943 S 10
--1 ( CE%sT 1944 Jun 4
--1 \ CE%sT 1980
--1 O CE%sT
-+1 I CE%sT 1943 S 10
-+1 c CE%sT 1944 Jun 4
-+1 I CE%sT 1980
-+1 E CE%sT
- Li Europe/Rome Europe/Vatican
- Li Europe/Rome Europe/San_Marino
--R ] 1989 1996 - Mar lastSun 2s 1 S
--R ] 1989 1996 - S lastSun 2s 0 -
-+R LV 1989 1996 - Mar lastSun 2s 1 S
-+R LV 1989 1996 - S lastSun 2s 0 -
- Z Europe/Riga 1:36:34 - LMT 1880
- 1:36:34 - RMT 1918 Ap 15 2
- 1:36:34 1 LST 1918 S 16 3
-@@ -1883,13 +1907,13 @@ Z Europe/Riga 1:36:34 - LMT 1880
- 1:36:34 - RMT 1926 May 11
- 2 - EET 1940 Au 5
- 3 - MSK 1941 Jul
--1 ( CE%sT 1944 O 13
--3 M MSK/MSD 1989 Mar lastSun 2s
-+1 c CE%sT 1944 O 13
-+3 R MSK/MSD 1989 Mar lastSun 2s
- 2 1 EEST 1989 S lastSun 2s
--2 ] EE%sT 1997 Ja 21
--2 O EE%sT 2000 F 29
-+2 LV EE%sT 1997 Ja 21
-+2 E EE%sT 2000 F 29
- 2 - EET 2001 Ja 2
--2 O EE%sT
-+2 E EE%sT
- Li Europe/Zurich Europe/Vaduz
- Z Europe/Vilnius 1:41:16 - LMT 1880
- 1:24 - WMT 1917
-@@ -1898,783 +1922,776 @@ Z Europe/Vilnius 1:41:16 - LMT 1880
- 2 - EET 1920 O 9
- 1 - CET 1940 Au 3
- 3 - MSK 1941 Jun 24
--1 ( CE%sT 1944 Au
--3 M MSK/MSD 1989 Mar 26 2s
--2 M EE%sT 1991 S 29 2s
--2 ( EE%sT 1998
-+1 c CE%sT 1944 Au
-+3 R MSK/MSD 1989 Mar 26 2s
-+2 R EE%sT 1991 S 29 2s
-+2 c EE%sT 1998
- 2 - EET 1998 Mar 29 1u
--1 O CE%sT 1999 O 31 1u
-+1 E CE%sT 1999 O 31 1u
- 2 - EET 2003
--2 O EE%sT
--R ^ 1916 o - May 14 23 1 S
--R ^ 1916 o - O 1 1 0 -
--R ^ 1917 o - Ap 28 23 1 S
--R ^ 1917 o - S 17 1 0 -
--R ^ 1918 o - Ap M>=15 2s 1 S
--R ^ 1918 o - S M>=15 2s 0 -
--R ^ 1919 o - Mar 1 23 1 S
--R ^ 1919 o - O 5 3 0 -
--R ^ 1920 o - F 14 23 1 S
--R ^ 1920 o - O 24 2 0 -
--R ^ 1921 o - Mar 14 23 1 S
--R ^ 1921 o - O 26 2 0 -
--R ^ 1922 o - Mar 25 23 1 S
--R ^ 1922 o - O Sun>=2 1 0 -
--R ^ 1923 o - Ap 21 23 1 S
--R ^ 1923 o - O Sun>=2 2 0 -
--R ^ 1924 o - Mar 29 23 1 S
--R ^ 1924 1928 - O Sun>=2 1 0 -
--R ^ 1925 o - Ap 5 23 1 S
--R ^ 1926 o - Ap 17 23 1 S
--R ^ 1927 o - Ap 9 23 1 S
--R ^ 1928 o - Ap 14 23 1 S
--R ^ 1929 o - Ap 20 23 1 S
-+2 E EE%sT
-+R LX 1916 o - May 14 23 1 S
-+R LX 1916 o - O 1 1 0 -
-+R LX 1917 o - Ap 28 23 1 S
-+R LX 1917 o - S 17 1 0 -
-+R LX 1918 o - Ap M>=15 2s 1 S
-+R LX 1918 o - S M>=15 2s 0 -
-+R LX 1919 o - Mar 1 23 1 S
-+R LX 1919 o - O 5 3 0 -
-+R LX 1920 o - F 14 23 1 S
-+R LX 1920 o - O 24 2 0 -
-+R LX 1921 o - Mar 14 23 1 S
-+R LX 1921 o - O 26 2 0 -
-+R LX 1922 o - Mar 25 23 1 S
-+R LX 1922 o - O Sun>=2 1 0 -
-+R LX 1923 o - Ap 21 23 1 S
-+R LX 1923 o - O Sun>=2 2 0 -
-+R LX 1924 o - Mar 29 23 1 S
-+R LX 1924 1928 - O Sun>=2 1 0 -
-+R LX 1925 o - Ap 5 23 1 S
-+R LX 1926 o - Ap 17 23 1 S
-+R LX 1927 o - Ap 9 23 1 S
-+R LX 1928 o - Ap 14 23 1 S
-+R LX 1929 o - Ap 20 23 1 S
- Z Europe/Luxembourg 0:24:36 - LMT 1904 Jun
--1 ^ CE%sT 1918 N 25
--0 ^ WE%sT 1929 O 6 2s
--0 + WE%sT 1940 May 14 3
--1 ( WE%sT 1944 S 18 3
--1 + CE%sT 1977
--1 O CE%sT
--R _ 1973 o - Mar 31 0s 1 S
--R _ 1973 o - S 29 0s 0 -
--R _ 1974 o - Ap 21 0s 1 S
--R _ 1974 o - S 16 0s 0 -
--R _ 1975 1979 - Ap Sun>=15 2 1 S
--R _ 1975 1980 - S Sun>=15 2 0 -
--R _ 1980 o - Mar 31 2 1 S
-+1 LX CE%sT 1918 N 25
-+0 LX WE%sT 1929 O 6 2s
-+0 b WE%sT 1940 May 14 3
-+1 c WE%sT 1944 S 18 3
-+1 b CE%sT 1977
-+1 E CE%sT
-+R MT 1973 o - Mar 31 0s 1 S
-+R MT 1973 o - S 29 0s 0 -
-+R MT 1974 o - Ap 21 0s 1 S
-+R MT 1974 o - S 16 0s 0 -
-+R MT 1975 1979 - Ap Sun>=15 2 1 S
-+R MT 1975 1980 - S Sun>=15 2 0 -
-+R MT 1980 o - Mar 31 2 1 S
- Z Europe/Malta 0:58:4 - LMT 1893 N 2 0s
--1 \ CE%sT 1973 Mar 31
--1 _ CE%sT 1981
--1 O CE%sT
--R ` 1997 ma - Mar lastSun 2 1 S
--R ` 1997 ma - O lastSun 3 0 -
-+1 I CE%sT 1973 Mar 31
-+1 MT CE%sT 1981
-+1 E CE%sT
-+R MD 1997 ma - Mar lastSun 2 1 S
-+R MD 1997 ma - O lastSun 3 0 -
- Z Europe/Chisinau 1:55:20 - LMT 1880
- 1:55 - CMT 1918 F 15
- 1:44:24 - BMT 1931 Jul 24
--2 { EE%sT 1940 Au 15
-+2 z EE%sT 1940 Au 15
- 2 1 EEST 1941 Jul 17
--1 ( CE%sT 1944 Au 24
--3 M MSK/MSD 1990 May 6 2
--2 M EE%sT 1992
--2 W EE%sT 1997
--2 ` EE%sT
-+1 c CE%sT 1944 Au 24
-+3 R MSK/MSD 1990 May 6 2
-+2 R EE%sT 1992
-+2 e EE%sT 1997
-+2 MD EE%sT
- Z Europe/Monaco 0:29:32 - LMT 1891 Mar 15
- 0:9:21 - PMT 1911 Mar 11
--0 < WE%sT 1945 S 16 3
--1 < CE%sT 1977
--1 O CE%sT
--R | 1916 o - May 1 0 1 NST
--R | 1916 o - O 1 0 0 AMT
--R | 1917 o - Ap 16 2s 1 NST
--R | 1917 o - S 17 2s 0 AMT
--R | 1918 1921 - Ap M>=1 2s 1 NST
--R | 1918 1921 - S lastM 2s 0 AMT
--R | 1922 o - Mar lastSun 2s 1 NST
--R | 1922 1936 - O Sun>=2 2s 0 AMT
--R | 1923 o - Jun F>=1 2s 1 NST
--R | 1924 o - Mar lastSun 2s 1 NST
--R | 1925 o - Jun F>=1 2s 1 NST
--R | 1926 1931 - May 15 2s 1 NST
--R | 1932 o - May 22 2s 1 NST
--R | 1933 1936 - May 15 2s 1 NST
--R | 1937 o - May 22 2s 1 NST
--R | 1937 o - Jul 1 0 1 S
--R | 1937 1939 - O Sun>=2 2s 0 -
--R | 1938 1939 - May 15 2s 1 S
--R | 1945 o - Ap 2 2s 1 S
--R | 1945 o - S 16 2s 0 -
-+0 F WE%sT 1945 S 16 3
-+1 F CE%sT 1977
-+1 E CE%sT
-+R N 1916 o - May 1 0 1 NST
-+R N 1916 o - O 1 0 0 AMT
-+R N 1917 o - Ap 16 2s 1 NST
-+R N 1917 o - S 17 2s 0 AMT
-+R N 1918 1921 - Ap M>=1 2s 1 NST
-+R N 1918 1921 - S lastM 2s 0 AMT
-+R N 1922 o - Mar lastSun 2s 1 NST
-+R N 1922 1936 - O Sun>=2 2s 0 AMT
-+R N 1923 o - Jun F>=1 2s 1 NST
-+R N 1924 o - Mar lastSun 2s 1 NST
-+R N 1925 o - Jun F>=1 2s 1 NST
-+R N 1926 1931 - May 15 2s 1 NST
-+R N 1932 o - May 22 2s 1 NST
-+R N 1933 1936 - May 15 2s 1 NST
-+R N 1937 o - May 22 2s 1 NST
-+R N 1937 o - Jul 1 0 1 S
-+R N 1937 1939 - O Sun>=2 2s 0 -
-+R N 1938 1939 - May 15 2s 1 S
-+R N 1945 o - Ap 2 2s 1 S
-+R N 1945 o - S 16 2s 0 -
- Z Europe/Amsterdam 0:19:32 - LMT 1835
--0:19:32 | %s 1937 Jul
--0:20 | +0020/+0120 1940 May 16
--1 ( CE%sT 1945 Ap 2 2
--1 | CE%sT 1977
--1 O CE%sT
--R } 1916 o - May 22 1 1 S
--R } 1916 o - S 30 0 0 -
--R } 1945 o - Ap 2 2s 1 S
--R } 1945 o - O 1 2s 0 -
--R } 1959 1964 - Mar Sun>=15 2s 1 S
--R } 1959 1965 - S Sun>=15 2s 0 -
--R } 1965 o - Ap 25 2s 1 S
-+0:19:32 N %s 1937 Jul
-+0:20 N +0020/+0120 1940 May 16
-+1 c CE%sT 1945 Ap 2 2
-+1 N CE%sT 1977
-+1 E CE%sT
-+R NO 1916 o - May 22 1 1 S
-+R NO 1916 o - S 30 0 0 -
-+R NO 1945 o - Ap 2 2s 1 S
-+R NO 1945 o - O 1 2s 0 -
-+R NO 1959 1964 - Mar Sun>=15 2s 1 S
-+R NO 1959 1965 - S Sun>=15 2s 0 -
-+R NO 1965 o - Ap 25 2s 1 S
- Z Europe/Oslo 0:43 - LMT 1895
--1 } CE%sT 1940 Au 10 23
--1 ( CE%sT 1945 Ap 2 2
--1 } CE%sT 1980
--1 O CE%sT
-+1 NO CE%sT 1940 Au 10 23
-+1 c CE%sT 1945 Ap 2 2
-+1 NO CE%sT 1980
-+1 E CE%sT
- Li Europe/Oslo Arctic/Longyearbyen
--R ~ 1918 1919 - S 16 2s 0 -
--R ~ 1919 o - Ap 15 2s 1 S
--R ~ 1944 o - Ap 3 2s 1 S
--R ~ 1944 o - O 4 2 0 -
--R ~ 1945 o - Ap 29 0 1 S
--R ~ 1945 o - N 1 0 0 -
--R ~ 1946 o - Ap 14 0s 1 S
--R ~ 1946 o - O 7 2s 0 -
--R ~ 1947 o - May 4 2s 1 S
--R ~ 1947 1949 - O Sun>=1 2s 0 -
--R ~ 1948 o - Ap 18 2s 1 S
--R ~ 1949 o - Ap 10 2s 1 S
--R ~ 1957 o - Jun 2 1s 1 S
--R ~ 1957 1958 - S lastSun 1s 0 -
--R ~ 1958 o - Mar 30 1s 1 S
--R ~ 1959 o - May 31 1s 1 S
--R ~ 1959 1961 - O Sun>=1 1s 0 -
--R ~ 1960 o - Ap 3 1s 1 S
--R ~ 1961 1964 - May lastSun 1s 1 S
--R ~ 1962 1964 - S lastSun 1s 0 -
-+R O 1918 1919 - S 16 2s 0 -
-+R O 1919 o - Ap 15 2s 1 S
-+R O 1944 o - Ap 3 2s 1 S
-+R O 1944 o - O 4 2 0 -
-+R O 1945 o - Ap 29 0 1 S
-+R O 1945 o - N 1 0 0 -
-+R O 1946 o - Ap 14 0s 1 S
-+R O 1946 o - O 7 2s 0 -
-+R O 1947 o - May 4 2s 1 S
-+R O 1947 1949 - O Sun>=1 2s 0 -
-+R O 1948 o - Ap 18 2s 1 S
-+R O 1949 o - Ap 10 2s 1 S
-+R O 1957 o - Jun 2 1s 1 S
-+R O 1957 1958 - S lastSun 1s 0 -
-+R O 1958 o - Mar 30 1s 1 S
-+R O 1959 o - May 31 1s 1 S
-+R O 1959 1961 - O Sun>=1 1s 0 -
-+R O 1960 o - Ap 3 1s 1 S
-+R O 1961 1964 - May lastSun 1s 1 S
-+R O 1962 1964 - S lastSun 1s 0 -
- Z Europe/Warsaw 1:24 - LMT 1880
- 1:24 - WMT 1915 Au 5
--1 ( CE%sT 1918 S 16 3
--2 ~ EE%sT 1922 Jun
--1 ~ CE%sT 1940 Jun 23 2
--1 ( CE%sT 1944 O
--1 ~ CE%sT 1977
--1 ' CE%sT 1988
--1 O CE%sT
--R AA 1916 o - Jun 17 23 1 S
--R AA 1916 o - N 1 1 0 -
--R AA 1917 o - F 28 23s 1 S
--R AA 1917 1921 - O 14 23s 0 -
--R AA 1918 o - Mar 1 23s 1 S
--R AA 1919 o - F 28 23s 1 S
--R AA 1920 o - F 29 23s 1 S
--R AA 1921 o - F 28 23s 1 S
--R AA 1924 o - Ap 16 23s 1 S
--R AA 1924 o - O 14 23s 0 -
--R AA 1926 o - Ap 17 23s 1 S
--R AA 1926 1929 - O Sat>=1 23s 0 -
--R AA 1927 o - Ap 9 23s 1 S
--R AA 1928 o - Ap 14 23s 1 S
--R AA 1929 o - Ap 20 23s 1 S
--R AA 1931 o - Ap 18 23s 1 S
--R AA 1931 1932 - O Sat>=1 23s 0 -
--R AA 1932 o - Ap 2 23s 1 S
--R AA 1934 o - Ap 7 23s 1 S
--R AA 1934 1938 - O Sat>=1 23s 0 -
--R AA 1935 o - Mar 30 23s 1 S
--R AA 1936 o - Ap 18 23s 1 S
--R AA 1937 o - Ap 3 23s 1 S
--R AA 1938 o - Mar 26 23s 1 S
--R AA 1939 o - Ap 15 23s 1 S
--R AA 1939 o - N 18 23s 0 -
--R AA 1940 o - F 24 23s 1 S
--R AA 1940 1941 - O 5 23s 0 -
--R AA 1941 o - Ap 5 23s 1 S
--R AA 1942 1945 - Mar Sat>=8 23s 1 S
--R AA 1942 o - Ap 25 22s 2 M
--R AA 1942 o - Au 15 22s 1 S
--R AA 1942 1945 - O Sat>=24 23s 0 -
--R AA 1943 o - Ap 17 22s 2 M
--R AA 1943 1945 - Au Sat>=25 22s 1 S
--R AA 1944 1945 - Ap Sat>=21 22s 2 M
--R AA 1946 o - Ap Sat>=1 23s 1 S
--R AA 1946 o - O Sat>=1 23s 0 -
--R AA 1947 1949 - Ap Sun>=1 2s 1 S
--R AA 1947 1949 - O Sun>=1 2s 0 -
--R AA 1951 1965 - Ap Sun>=1 2s 1 S
--R AA 1951 1965 - O Sun>=1 2s 0 -
--R AA 1977 o - Mar 27 0s 1 S
--R AA 1977 o - S 25 0s 0 -
--R AA 1978 1979 - Ap Sun>=1 0s 1 S
--R AA 1978 o - O 1 0s 0 -
--R AA 1979 1982 - S lastSun 1s 0 -
--R AA 1980 o - Mar lastSun 0s 1 S
--R AA 1981 1982 - Mar lastSun 1s 1 S
--R AA 1983 o - Mar lastSun 2s 1 S
-+1 c CE%sT 1918 S 16 3
-+2 O EE%sT 1922 Jun
-+1 O CE%sT 1940 Jun 23 2
-+1 c CE%sT 1944 O
-+1 O CE%sT 1977
-+1 W- CE%sT 1988
-+1 E CE%sT
-+R p 1916 o - Jun 17 23 1 S
-+R p 1916 o - N 1 1 0 -
-+R p 1917 o - F 28 23s 1 S
-+R p 1917 1921 - O 14 23s 0 -
-+R p 1918 o - Mar 1 23s 1 S
-+R p 1919 o - F 28 23s 1 S
-+R p 1920 o - F 29 23s 1 S
-+R p 1921 o - F 28 23s 1 S
-+R p 1924 o - Ap 16 23s 1 S
-+R p 1924 o - O 14 23s 0 -
-+R p 1926 o - Ap 17 23s 1 S
-+R p 1926 1929 - O Sat>=1 23s 0 -
-+R p 1927 o - Ap 9 23s 1 S
-+R p 1928 o - Ap 14 23s 1 S
-+R p 1929 o - Ap 20 23s 1 S
-+R p 1931 o - Ap 18 23s 1 S
-+R p 1931 1932 - O Sat>=1 23s 0 -
-+R p 1932 o - Ap 2 23s 1 S
-+R p 1934 o - Ap 7 23s 1 S
-+R p 1934 1938 - O Sat>=1 23s 0 -
-+R p 1935 o - Mar 30 23s 1 S
-+R p 1936 o - Ap 18 23s 1 S
-+R p 1937 o - Ap 3 23s 1 S
-+R p 1938 o - Mar 26 23s 1 S
-+R p 1939 o - Ap 15 23s 1 S
-+R p 1939 o - N 18 23s 0 -
-+R p 1940 o - F 24 23s 1 S
-+R p 1940 1941 - O 5 23s 0 -
-+R p 1941 o - Ap 5 23s 1 S
-+R p 1942 1945 - Mar Sat>=8 23s 1 S
-+R p 1942 o - Ap 25 22s 2 M
-+R p 1942 o - Au 15 22s 1 S
-+R p 1942 1945 - O Sat>=24 23s 0 -
-+R p 1943 o - Ap 17 22s 2 M
-+R p 1943 1945 - Au Sat>=25 22s 1 S
-+R p 1944 1945 - Ap Sat>=21 22s 2 M
-+R p 1946 o - Ap Sat>=1 23s 1 S
-+R p 1946 o - O Sat>=1 23s 0 -
-+R p 1947 1949 - Ap Sun>=1 2s 1 S
-+R p 1947 1949 - O Sun>=1 2s 0 -
-+R p 1951 1965 - Ap Sun>=1 2s 1 S
-+R p 1951 1965 - O Sun>=1 2s 0 -
-+R p 1977 o - Mar 27 0s 1 S
-+R p 1977 o - S 25 0s 0 -
-+R p 1978 1979 - Ap Sun>=1 0s 1 S
-+R p 1978 o - O 1 0s 0 -
-+R p 1979 1982 - S lastSun 1s 0 -
-+R p 1980 o - Mar lastSun 0s 1 S
-+R p 1981 1982 - Mar lastSun 1s 1 S
-+R p 1983 o - Mar lastSun 2s 1 S
- Z Europe/Lisbon -0:36:45 - LMT 1884
- -0:36:45 - LMT 1912 Ja 1 0u
--0 AA WE%sT 1966 Ap 3 2
-+0 p WE%sT 1966 Ap 3 2
- 1 - CET 1976 S 26 1
--0 AA WE%sT 1983 S 25 1s
--0 ' WE%sT 1992 S 27 1s
--1 O CE%sT 1996 Mar 31 1u
--0 O WE%sT
-+0 p WE%sT 1983 S 25 1s
-+0 W- WE%sT 1992 S 27 1s
-+1 E CE%sT 1996 Mar 31 1u
-+0 E WE%sT
- Z Atlantic/Azores -1:42:40 - LMT 1884
- -1:54:32 - HMT 1912 Ja 1 2u
---2 AA -02/-01 1942 Ap 25 22s
---2 AA +00 1942 Au 15 22s
---2 AA -02/-01 1943 Ap 17 22s
---2 AA +00 1943 Au 28 22s
---2 AA -02/-01 1944 Ap 22 22s
---2 AA +00 1944 Au 26 22s
---2 AA -02/-01 1945 Ap 21 22s
---2 AA +00 1945 Au 25 22s
---2 AA -02/-01 1966 Ap 3 2
---1 AA -01/+00 1983 S 25 1s
---1 ' -01/+00 1992 S 27 1s
--0 O WE%sT 1993 Mar 28 1u
---1 O -01/+00
-+-2 p -02/-01 1942 Ap 25 22s
-+-2 p +00 1942 Au 15 22s
-+-2 p -02/-01 1943 Ap 17 22s
-+-2 p +00 1943 Au 28 22s
-+-2 p -02/-01 1944 Ap 22 22s
-+-2 p +00 1944 Au 26 22s
-+-2 p -02/-01 1945 Ap 21 22s
-+-2 p +00 1945 Au 25 22s
-+-2 p -02/-01 1966 Ap 3 2
-+-1 p -01/+00 1983 S 25 1s
-+-1 W- -01/+00 1992 S 27 1s
-+0 E WE%sT 1993 Mar 28 1u
-+-1 E -01/+00
- Z Atlantic/Madeira -1:7:36 - LMT 1884
- -1:7:36 - FMT 1912 Ja 1 1u
---1 AA -01/+00 1942 Ap 25 22s
---1 AA +01 1942 Au 15 22s
---1 AA -01/+00 1943 Ap 17 22s
---1 AA +01 1943 Au 28 22s
---1 AA -01/+00 1944 Ap 22 22s
---1 AA +01 1944 Au 26 22s
---1 AA -01/+00 1945 Ap 21 22s
---1 AA +01 1945 Au 25 22s
---1 AA -01/+00 1966 Ap 3 2
--0 AA WE%sT 1983 S 25 1s
--0 O WE%sT
--R { 1932 o - May 21 0s 1 S
--R { 1932 1939 - O Sun>=1 0s 0 -
--R { 1933 1939 - Ap Sun>=2 0s 1 S
--R { 1979 o - May 27 0 1 S
--R { 1979 o - S lastSun 0 0 -
--R { 1980 o - Ap 5 23 1 S
--R { 1980 o - S lastSun 1 0 -
--R { 1991 1993 - Mar lastSun 0s 1 S
--R { 1991 1993 - S lastSun 0s 0 -
-+-1 p -01/+00 1942 Ap 25 22s
-+-1 p +01 1942 Au 15 22s
-+-1 p -01/+00 1943 Ap 17 22s
-+-1 p +01 1943 Au 28 22s
-+-1 p -01/+00 1944 Ap 22 22s
-+-1 p +01 1944 Au 26 22s
-+-1 p -01/+00 1945 Ap 21 22s
-+-1 p +01 1945 Au 25 22s
-+-1 p -01/+00 1966 Ap 3 2
-+0 p WE%sT 1983 S 25 1s
-+0 E WE%sT
-+R z 1932 o - May 21 0s 1 S
-+R z 1932 1939 - O Sun>=1 0s 0 -
-+R z 1933 1939 - Ap Sun>=2 0s 1 S
-+R z 1979 o - May 27 0 1 S
-+R z 1979 o - S lastSun 0 0 -
-+R z 1980 o - Ap 5 23 1 S
-+R z 1980 o - S lastSun 1 0 -
-+R z 1991 1993 - Mar lastSun 0s 1 S
-+R z 1991 1993 - S lastSun 0s 0 -
- Z Europe/Bucharest 1:44:24 - LMT 1891 O
- 1:44:24 - BMT 1931 Jul 24
--2 { EE%sT 1981 Mar 29 2s
--2 ( EE%sT 1991
--2 { EE%sT 1994
--2 W EE%sT 1997
--2 O EE%sT
-+2 z EE%sT 1981 Mar 29 2s
-+2 c EE%sT 1991
-+2 z EE%sT 1994
-+2 e EE%sT 1997
-+2 E EE%sT
- Z Europe/Kaliningrad 1:22 - LMT 1893 Ap
--1 ( CE%sT 1945
--2 ~ CE%sT 1946
--3 M MSK/MSD 1989 Mar 26 2s
--2 M EE%sT 2011 Mar 27 2s
-+1 c CE%sT 1945
-+2 O CE%sT 1946
-+3 R MSK/MSD 1989 Mar 26 2s
-+2 R EE%sT 2011 Mar 27 2s
- 3 - +03 2014 O 26 2s
- 2 - EET
- Z Europe/Moscow 2:30:17 - LMT 1880
- 2:30:17 - MMT 1916 Jul 3
--2:31:19 M %s 1919 Jul 1 0u
--3 M %s 1921 O
--3 M MSK/MSD 1922 O
-+2:31:19 R %s 1919 Jul 1 0u
-+3 R %s 1921 O
-+3 R MSK/MSD 1922 O
- 2 - EET 1930 Jun 21
--3 M MSK/MSD 1991 Mar 31 2s
--2 M EE%sT 1992 Ja 19 2s
--3 M MSK/MSD 2011 Mar 27 2s
-+3 R MSK/MSD 1991 Mar 31 2s
-+2 R EE%sT 1992 Ja 19 2s
-+3 R MSK/MSD 2011 Mar 27 2s
- 4 - MSK 2014 O 26 2s
- 3 - MSK
- Z Europe/Simferopol 2:16:24 - LMT 1880
- 2:16 - SMT 1924 May 2
- 2 - EET 1930 Jun 21
- 3 - MSK 1941 N
--1 ( CE%sT 1944 Ap 13
--3 M MSK/MSD 1990
-+1 c CE%sT 1944 Ap 13
-+3 R MSK/MSD 1990
- 3 - MSK 1990 Jul 1 2
- 2 - EET 1992
--2 W EE%sT 1994 May
--3 W MSK/MSD 1996 Mar 31 0s
-+2 e EE%sT 1994 May
-+3 e MSK/MSD 1996 Mar 31 0s
- 3 1 MSD 1996 O 27 3s
--3 M MSK/MSD 1997
-+3 R MSK/MSD 1997
- 3 - MSK 1997 Mar lastSun 1u
--2 O EE%sT 2014 Mar 30 2
-+2 E EE%sT 2014 Mar 30 2
- 4 - MSK 2014 O 26 2s
- 3 - MSK
- Z Europe/Astrakhan 3:12:12 - LMT 1924 May
- 3 - +03 1930 Jun 21
--4 M +04/+05 1989 Mar 26 2s
--3 M +03/+04 1991 Mar 31 2s
-+4 R +04/+05 1989 Mar 26 2s
-+3 R +03/+04 1991 Mar 31 2s
- 4 - +04 1992 Mar 29 2s
--3 M +03/+04 2011 Mar 27 2s
-+3 R +03/+04 2011 Mar 27 2s
- 4 - +04 2014 O 26 2s
- 3 - +03 2016 Mar 27 2s
- 4 - +04
- Z Europe/Volgograd 2:57:40 - LMT 1920 Ja 3
- 3 - +03 1930 Jun 21
- 4 - +04 1961 N 11
--4 M +04/+05 1988 Mar 27 2s
--3 M +03/+04 1991 Mar 31 2s
-+4 R +04/+05 1988 Mar 27 2s
-+3 R +03/+04 1991 Mar 31 2s
- 4 - +04 1992 Mar 29 2s
--3 M +03/+04 2011 Mar 27 2s
-+3 R +03/+04 2011 Mar 27 2s
- 4 - +04 2014 O 26 2s
--3 - +03
-+3 - +03 2018 O 28 2s
-+4 - +04
- Z Europe/Saratov 3:4:18 - LMT 1919 Jul 1 0u
- 3 - +03 1930 Jun 21
--4 M +04/+05 1988 Mar 27 2s
--3 M +03/+04 1991 Mar 31 2s
-+4 R +04/+05 1988 Mar 27 2s
-+3 R +03/+04 1991 Mar 31 2s
- 4 - +04 1992 Mar 29 2s
--3 M +03/+04 2011 Mar 27 2s
-+3 R +03/+04 2011 Mar 27 2s
- 4 - +04 2014 O 26 2s
- 3 - +03 2016 D 4 2s
- 4 - +04
- Z Europe/Kirov 3:18:48 - LMT 1919 Jul 1 0u
- 3 - +03 1930 Jun 21
--4 M +04/+05 1989 Mar 26 2s
--3 M +03/+04 1991 Mar 31 2s
-+4 R +04/+05 1989 Mar 26 2s
-+3 R +03/+04 1991 Mar 31 2s
- 4 - +04 1992 Mar 29 2s
--3 M +03/+04 2011 Mar 27 2s
-+3 R +03/+04 2011 Mar 27 2s
- 4 - +04 2014 O 26 2s
- 3 - +03
- Z Europe/Samara 3:20:20 - LMT 1919 Jul 1 0u
- 3 - +03 1930 Jun 21
- 4 - +04 1935 Ja 27
--4 M +04/+05 1989 Mar 26 2s
--3 M +03/+04 1991 Mar 31 2s
--2 M +02/+03 1991 S 29 2s
-+4 R +04/+05 1989 Mar 26 2s
-+3 R +03/+04 1991 Mar 31 2s
-+2 R +02/+03 1991 S 29 2s
- 3 - +03 1991 O 20 3
--4 M +04/+05 2010 Mar 28 2s
--3 M +03/+04 2011 Mar 27 2s
-+4 R +04/+05 2010 Mar 28 2s
-+3 R +03/+04 2011 Mar 27 2s
- 4 - +04
- Z Europe/Ulyanovsk 3:13:36 - LMT 1919 Jul 1 0u
- 3 - +03 1930 Jun 21
--4 M +04/+05 1989 Mar 26 2s
--3 M +03/+04 1991 Mar 31 2s
--2 M +02/+03 1992 Ja 19 2s
--3 M +03/+04 2011 Mar 27 2s
-+4 R +04/+05 1989 Mar 26 2s
-+3 R +03/+04 1991 Mar 31 2s
-+2 R +02/+03 1992 Ja 19 2s
-+3 R +03/+04 2011 Mar 27 2s
- 4 - +04 2014 O 26 2s
- 3 - +03 2016 Mar 27 2s
- 4 - +04
- Z Asia/Yekaterinburg 4:2:33 - LMT 1916 Jul 3
- 3:45:5 - PMT 1919 Jul 15 4
- 4 - +04 1930 Jun 21
--5 M +05/+06 1991 Mar 31 2s
--4 M +04/+05 1992 Ja 19 2s
--5 M +05/+06 2011 Mar 27 2s
-+5 R +05/+06 1991 Mar 31 2s
-+4 R +04/+05 1992 Ja 19 2s
-+5 R +05/+06 2011 Mar 27 2s
- 6 - +06 2014 O 26 2s
- 5 - +05
- Z Asia/Omsk 4:53:30 - LMT 1919 N 14
- 5 - +05 1930 Jun 21
--6 M +06/+07 1991 Mar 31 2s
--5 M +05/+06 1992 Ja 19 2s
--6 M +06/+07 2011 Mar 27 2s
-+6 R +06/+07 1991 Mar 31 2s
-+5 R +05/+06 1992 Ja 19 2s
-+6 R +06/+07 2011 Mar 27 2s
- 7 - +07 2014 O 26 2s
- 6 - +06
- Z Asia/Barnaul 5:35 - LMT 1919 D 10
- 6 - +06 1930 Jun 21
--7 M +07/+08 1991 Mar 31 2s
--6 M +06/+07 1992 Ja 19 2s
--7 M +07/+08 1995 May 28
--6 M +06/+07 2011 Mar 27 2s
-+7 R +07/+08 1991 Mar 31 2s
-+6 R +06/+07 1992 Ja 19 2s
-+7 R +07/+08 1995 May 28
-+6 R +06/+07 2011 Mar 27 2s
- 7 - +07 2014 O 26 2s
- 6 - +06 2016 Mar 27 2s
- 7 - +07
- Z Asia/Novosibirsk 5:31:40 - LMT 1919 D 14 6
- 6 - +06 1930 Jun 21
--7 M +07/+08 1991 Mar 31 2s
--6 M +06/+07 1992 Ja 19 2s
--7 M +07/+08 1993 May 23
--6 M +06/+07 2011 Mar 27 2s
-+7 R +07/+08 1991 Mar 31 2s
-+6 R +06/+07 1992 Ja 19 2s
-+7 R +07/+08 1993 May 23
-+6 R +06/+07 2011 Mar 27 2s
- 7 - +07 2014 O 26 2s
- 6 - +06 2016 Jul 24 2s
- 7 - +07
- Z Asia/Tomsk 5:39:51 - LMT 1919 D 22
- 6 - +06 1930 Jun 21
--7 M +07/+08 1991 Mar 31 2s
--6 M +06/+07 1992 Ja 19 2s
--7 M +07/+08 2002 May 1 3
--6 M +06/+07 2011 Mar 27 2s
-+7 R +07/+08 1991 Mar 31 2s
-+6 R +06/+07 1992 Ja 19 2s
-+7 R +07/+08 2002 May 1 3
-+6 R +06/+07 2011 Mar 27 2s
- 7 - +07 2014 O 26 2s
- 6 - +06 2016 May 29 2s
- 7 - +07
- Z Asia/Novokuznetsk 5:48:48 - LMT 1924 May
- 6 - +06 1930 Jun 21
--7 M +07/+08 1991 Mar 31 2s
--6 M +06/+07 1992 Ja 19 2s
--7 M +07/+08 2010 Mar 28 2s
--6 M +06/+07 2011 Mar 27 2s
-+7 R +07/+08 1991 Mar 31 2s
-+6 R +06/+07 1992 Ja 19 2s
-+7 R +07/+08 2010 Mar 28 2s
-+6 R +06/+07 2011 Mar 27 2s
- 7 - +07
- Z Asia/Krasnoyarsk 6:11:26 - LMT 1920 Ja 6
- 6 - +06 1930 Jun 21
--7 M +07/+08 1991 Mar 31 2s
--6 M +06/+07 1992 Ja 19 2s
--7 M +07/+08 2011 Mar 27 2s
-+7 R +07/+08 1991 Mar 31 2s
-+6 R +06/+07 1992 Ja 19 2s
-+7 R +07/+08 2011 Mar 27 2s
- 8 - +08 2014 O 26 2s
- 7 - +07
- Z Asia/Irkutsk 6:57:5 - LMT 1880
- 6:57:5 - IMT 1920 Ja 25
- 7 - +07 1930 Jun 21
--8 M +08/+09 1991 Mar 31 2s
--7 M +07/+08 1992 Ja 19 2s
--8 M +08/+09 2011 Mar 27 2s
-+8 R +08/+09 1991 Mar 31 2s
-+7 R +07/+08 1992 Ja 19 2s
-+8 R +08/+09 2011 Mar 27 2s
- 9 - +09 2014 O 26 2s
- 8 - +08
- Z Asia/Chita 7:33:52 - LMT 1919 D 15
- 8 - +08 1930 Jun 21
--9 M +09/+10 1991 Mar 31 2s
--8 M +08/+09 1992 Ja 19 2s
--9 M +09/+10 2011 Mar 27 2s
-+9 R +09/+10 1991 Mar 31 2s
-+8 R +08/+09 1992 Ja 19 2s
-+9 R +09/+10 2011 Mar 27 2s
- 10 - +10 2014 O 26 2s
- 8 - +08 2016 Mar 27 2
- 9 - +09
- Z Asia/Yakutsk 8:38:58 - LMT 1919 D 15
- 8 - +08 1930 Jun 21
--9 M +09/+10 1991 Mar 31 2s
--8 M +08/+09 1992 Ja 19 2s
--9 M +09/+10 2011 Mar 27 2s
-+9 R +09/+10 1991 Mar 31 2s
-+8 R +08/+09 1992 Ja 19 2s
-+9 R +09/+10 2011 Mar 27 2s
- 10 - +10 2014 O 26 2s
- 9 - +09
- Z Asia/Vladivostok 8:47:31 - LMT 1922 N 15
- 9 - +09 1930 Jun 21
--10 M +10/+11 1991 Mar 31 2s
--9 M +09/+10 1992 Ja 19 2s
--10 M +10/+11 2011 Mar 27 2s
-+10 R +10/+11 1991 Mar 31 2s
-+9 R +09/+10 1992 Ja 19 2s
-+10 R +10/+11 2011 Mar 27 2s
- 11 - +11 2014 O 26 2s
- 10 - +10
- Z Asia/Khandyga 9:2:13 - LMT 1919 D 15
- 8 - +08 1930 Jun 21
--9 M +09/+10 1991 Mar 31 2s
--8 M +08/+09 1992 Ja 19 2s
--9 M +09/+10 2004
--10 M +10/+11 2011 Mar 27 2s
-+9 R +09/+10 1991 Mar 31 2s
-+8 R +08/+09 1992 Ja 19 2s
-+9 R +09/+10 2004
-+10 R +10/+11 2011 Mar 27 2s
- 11 - +11 2011 S 13 0s
- 10 - +10 2014 O 26 2s
- 9 - +09
- Z Asia/Sakhalin 9:30:48 - LMT 1905 Au 23
- 9 - +09 1945 Au 25
--11 M +11/+12 1991 Mar 31 2s
--10 M +10/+11 1992 Ja 19 2s
--11 M +11/+12 1997 Mar lastSun 2s
--10 M +10/+11 2011 Mar 27 2s
-+11 R +11/+12 1991 Mar 31 2s
-+10 R +10/+11 1992 Ja 19 2s
-+11 R +11/+12 1997 Mar lastSun 2s
-+10 R +10/+11 2011 Mar 27 2s
- 11 - +11 2014 O 26 2s
- 10 - +10 2016 Mar 27 2s
- 11 - +11
- Z Asia/Magadan 10:3:12 - LMT 1924 May 2
- 10 - +10 1930 Jun 21
--11 M +11/+12 1991 Mar 31 2s
--10 M +10/+11 1992 Ja 19 2s
--11 M +11/+12 2011 Mar 27 2s
-+11 R +11/+12 1991 Mar 31 2s
-+10 R +10/+11 1992 Ja 19 2s
-+11 R +11/+12 2011 Mar 27 2s
- 12 - +12 2014 O 26 2s
- 10 - +10 2016 Ap 24 2s
- 11 - +11
- Z Asia/Srednekolymsk 10:14:52 - LMT 1924 May 2
- 10 - +10 1930 Jun 21
--11 M +11/+12 1991 Mar 31 2s
--10 M +10/+11 1992 Ja 19 2s
--11 M +11/+12 2011 Mar 27 2s
-+11 R +11/+12 1991 Mar 31 2s
-+10 R +10/+11 1992 Ja 19 2s
-+11 R +11/+12 2011 Mar 27 2s
- 12 - +12 2014 O 26 2s
- 11 - +11
- Z Asia/Ust-Nera 9:32:54 - LMT 1919 D 15
- 8 - +08 1930 Jun 21
--9 M +09/+10 1981 Ap
--11 M +11/+12 1991 Mar 31 2s
--10 M +10/+11 1992 Ja 19 2s
--11 M +11/+12 2011 Mar 27 2s
-+9 R +09/+10 1981 Ap
-+11 R +11/+12 1991 Mar 31 2s
-+10 R +10/+11 1992 Ja 19 2s
-+11 R +11/+12 2011 Mar 27 2s
- 12 - +12 2011 S 13 0s
- 11 - +11 2014 O 26 2s
- 10 - +10
- Z Asia/Kamchatka 10:34:36 - LMT 1922 N 10
- 11 - +11 1930 Jun 21
--12 M +12/+13 1991 Mar 31 2s
--11 M +11/+12 1992 Ja 19 2s
--12 M +12/+13 2010 Mar 28 2s
--11 M +11/+12 2011 Mar 27 2s
-+12 R +12/+13 1991 Mar 31 2s
-+11 R +11/+12 1992 Ja 19 2s
-+12 R +12/+13 2010 Mar 28 2s
-+11 R +11/+12 2011 Mar 27 2s
- 12 - +12
- Z Asia/Anadyr 11:49:56 - LMT 1924 May 2
- 12 - +12 1930 Jun 21
--13 M +13/+14 1982 Ap 1 0s
--12 M +12/+13 1991 Mar 31 2s
--11 M +11/+12 1992 Ja 19 2s
--12 M +12/+13 2010 Mar 28 2s
--11 M +11/+12 2011 Mar 27 2s
-+13 R +13/+14 1982 Ap 1 0s
-+12 R +12/+13 1991 Mar 31 2s
-+11 R +11/+12 1992 Ja 19 2s
-+12 R +12/+13 2010 Mar 28 2s
-+11 R +11/+12 2011 Mar 27 2s
- 12 - +12
- Z Europe/Belgrade 1:22 - LMT 1884
- 1 - CET 1941 Ap 18 23
--1 ( CE%sT 1945
-+1 c CE%sT 1945
- 1 - CET 1945 May 8 2s
- 1 1 CEST 1945 S 16 2s
- 1 - CET 1982 N 27
--1 O CE%sT
-+1 E CE%sT
- Li Europe/Belgrade Europe/Ljubljana
- Li Europe/Belgrade Europe/Podgorica
- Li Europe/Belgrade Europe/Sarajevo
- Li Europe/Belgrade Europe/Skopje
- Li Europe/Belgrade Europe/Zagreb
- Li Europe/Prague Europe/Bratislava
--R AB 1918 o - Ap 15 23 1 S
--R AB 1918 1919 - O 6 24s 0 -
--R AB 1919 o - Ap 6 23 1 S
--R AB 1924 o - Ap 16 23 1 S
--R AB 1924 o - O 4 24s 0 -
--R AB 1926 o - Ap 17 23 1 S
--R AB 1926 1929 - O Sat>=1 24s 0 -
--R AB 1927 o - Ap 9 23 1 S
--R AB 1928 o - Ap 15 0 1 S
--R AB 1929 o - Ap 20 23 1 S
--R AB 1937 o - Jun 16 23 1 S
--R AB 1937 o - O 2 24s 0 -
--R AB 1938 o - Ap 2 23 1 S
--R AB 1938 o - Ap 30 23 2 M
--R AB 1938 o - O 2 24 1 S
--R AB 1939 o - O 7 24s 0 -
--R AB 1942 o - May 2 23 1 S
--R AB 1942 o - S 1 1 0 -
--R AB 1943 1946 - Ap Sat>=13 23 1 S
--R AB 1943 1944 - O Sun>=1 1 0 -
--R AB 1945 1946 - S lastSun 1 0 -
--R AB 1949 o - Ap 30 23 1 S
--R AB 1949 o - O 2 1 0 -
--R AB 1974 1975 - Ap Sat>=12 23 1 S
--R AB 1974 1975 - O Sun>=1 1 0 -
--R AB 1976 o - Mar 27 23 1 S
--R AB 1976 1977 - S lastSun 1 0 -
--R AB 1977 o - Ap 2 23 1 S
--R AB 1978 o - Ap 2 2s 1 S
--R AB 1978 o - O 1 2s 0 -
--R AC 1967 o - Jun 3 12 1 S
--R AC 1967 o - O 1 0 0 -
--R AC 1974 o - Jun 24 0 1 S
--R AC 1974 o - S 1 0 0 -
--R AC 1976 1977 - May 1 0 1 S
--R AC 1976 o - Au 1 0 0 -
--R AC 1977 o - S 28 0 0 -
--R AC 1978 o - Jun 1 0 1 S
--R AC 1978 o - Au 4 0 0 -
-+R s 1918 o - Ap 15 23 1 S
-+R s 1918 1919 - O 6 24s 0 -
-+R s 1919 o - Ap 6 23 1 S
-+R s 1924 o - Ap 16 23 1 S
-+R s 1924 o - O 4 24s 0 -
-+R s 1926 o - Ap 17 23 1 S
-+R s 1926 1929 - O Sat>=1 24s 0 -
-+R s 1927 o - Ap 9 23 1 S
-+R s 1928 o - Ap 15 0 1 S
-+R s 1929 o - Ap 20 23 1 S
-+R s 1937 o - Jun 16 23 1 S
-+R s 1937 o - O 2 24s 0 -
-+R s 1938 o - Ap 2 23 1 S
-+R s 1938 o - Ap 30 23 2 M
-+R s 1938 o - O 2 24 1 S
-+R s 1939 o - O 7 24s 0 -
-+R s 1942 o - May 2 23 1 S
-+R s 1942 o - S 1 1 0 -
-+R s 1943 1946 - Ap Sat>=13 23 1 S
-+R s 1943 1944 - O Sun>=1 1 0 -
-+R s 1945 1946 - S lastSun 1 0 -
-+R s 1949 o - Ap 30 23 1 S
-+R s 1949 o - O 2 1 0 -
-+R s 1974 1975 - Ap Sat>=12 23 1 S
-+R s 1974 1975 - O Sun>=1 1 0 -
-+R s 1976 o - Mar 27 23 1 S
-+R s 1976 1977 - S lastSun 1 0 -
-+R s 1977 o - Ap 2 23 1 S
-+R s 1978 o - Ap 2 2s 1 S
-+R s 1978 o - O 1 2s 0 -
- Z Europe/Madrid -0:14:44 - LMT 1900 D 31 23:45:16
--0 AB WE%sT 1940 Mar 16 23
--1 AB CE%sT 1979
--1 O CE%sT
-+0 s WE%sT 1940 Mar 16 23
-+1 s CE%sT 1979
-+1 E CE%sT
- Z Africa/Ceuta -0:21:16 - LMT 1900 D 31 23:38:44
- 0 - WET 1918 May 6 23
- 0 1 WEST 1918 O 7 23
- 0 - WET 1924
--0 AB WE%sT 1929
--0 AC WE%sT 1984 Mar 16
-+0 s WE%sT 1929
-+0 - WET 1967
-+0 M WE%sT 1984 Mar 16
- 1 - CET 1986
--1 O CE%sT
-+1 E CE%sT
- Z Atlantic/Canary -1:1:36 - LMT 1922 Mar
- -1 - -01 1946 S 30 1
- 0 - WET 1980 Ap 6 0s
- 0 1 WEST 1980 S 28 1u
--0 O WE%sT
-+0 E WE%sT
- Z Europe/Stockholm 1:12:12 - LMT 1879
- 1:0:14 - SET 1900
- 1 - CET 1916 May 14 23
- 1 1 CEST 1916 O 1 1
- 1 - CET 1980
--1 O CE%sT
--R AD 1941 1942 - May M>=1 1 1 S
--R AD 1941 1942 - O M>=1 2 0 -
-+1 E CE%sT
-+R CH 1941 1942 - May M>=1 1 1 S
-+R CH 1941 1942 - O M>=1 2 0 -
- Z Europe/Zurich 0:34:8 - LMT 1853 Jul 16
- 0:29:46 - BMT 1894 Jun
--1 AD CE%sT 1981
--1 O CE%sT
--R AE 1916 o - May 1 0 1 S
--R AE 1916 o - O 1 0 0 -
--R AE 1920 o - Mar 28 0 1 S
--R AE 1920 o - O 25 0 0 -
--R AE 1921 o - Ap 3 0 1 S
--R AE 1921 o - O 3 0 0 -
--R AE 1922 o - Mar 26 0 1 S
--R AE 1922 o - O 8 0 0 -
--R AE 1924 o - May 13 0 1 S
--R AE 1924 1925 - O 1 0 0 -
--R AE 1925 o - May 1 0 1 S
--R AE 1940 o - Jun 30 0 1 S
--R AE 1940 o - O 5 0 0 -
--R AE 1940 o - D 1 0 1 S
--R AE 1941 o - S 21 0 0 -
--R AE 1942 o - Ap 1 0 1 S
--R AE 1942 o - N 1 0 0 -
--R AE 1945 o - Ap 2 0 1 S
--R AE 1945 o - O 8 0 0 -
--R AE 1946 o - Jun 1 0 1 S
--R AE 1946 o - O 1 0 0 -
--R AE 1947 1948 - Ap Sun>=16 0 1 S
--R AE 1947 1950 - O Sun>=2 0 0 -
--R AE 1949 o - Ap 10 0 1 S
--R AE 1950 o - Ap 19 0 1 S
--R AE 1951 o - Ap 22 0 1 S
--R AE 1951 o - O 8 0 0 -
--R AE 1962 o - Jul 15 0 1 S
--R AE 1962 o - O 8 0 0 -
--R AE 1964 o - May 15 0 1 S
--R AE 1964 o - O 1 0 0 -
--R AE 1970 1972 - May Sun>=2 0 1 S
--R AE 1970 1972 - O Sun>=2 0 0 -
--R AE 1973 o - Jun 3 1 1 S
--R AE 1973 o - N 4 3 0 -
--R AE 1974 o - Mar 31 2 1 S
--R AE 1974 o - N 3 5 0 -
--R AE 1975 o - Mar 30 0 1 S
--R AE 1975 1976 - O lastSun 0 0 -
--R AE 1976 o - Jun 1 0 1 S
--R AE 1977 1978 - Ap Sun>=1 0 1 S
--R AE 1977 o - O 16 0 0 -
--R AE 1979 1980 - Ap Sun>=1 3 1 S
--R AE 1979 1982 - O M>=11 0 0 -
--R AE 1981 1982 - Mar lastSun 3 1 S
--R AE 1983 o - Jul 31 0 1 S
--R AE 1983 o - O 2 0 0 -
--R AE 1985 o - Ap 20 0 1 S
--R AE 1985 o - S 28 0 0 -
--R AE 1986 1993 - Mar lastSun 1s 1 S
--R AE 1986 1995 - S lastSun 1s 0 -
--R AE 1994 o - Mar 20 1s 1 S
--R AE 1995 2006 - Mar lastSun 1s 1 S
--R AE 1996 2006 - O lastSun 1s 0 -
-+1 CH CE%sT 1981
-+1 E CE%sT
-+R T 1916 o - May 1 0 1 S
-+R T 1916 o - O 1 0 0 -
-+R T 1920 o - Mar 28 0 1 S
-+R T 1920 o - O 25 0 0 -
-+R T 1921 o - Ap 3 0 1 S
-+R T 1921 o - O 3 0 0 -
-+R T 1922 o - Mar 26 0 1 S
-+R T 1922 o - O 8 0 0 -
-+R T 1924 o - May 13 0 1 S
-+R T 1924 1925 - O 1 0 0 -
-+R T 1925 o - May 1 0 1 S
-+R T 1940 o - Jun 30 0 1 S
-+R T 1940 o - O 5 0 0 -
-+R T 1940 o - D 1 0 1 S
-+R T 1941 o - S 21 0 0 -
-+R T 1942 o - Ap 1 0 1 S
-+R T 1942 o - N 1 0 0 -
-+R T 1945 o - Ap 2 0 1 S
-+R T 1945 o - O 8 0 0 -
-+R T 1946 o - Jun 1 0 1 S
-+R T 1946 o - O 1 0 0 -
-+R T 1947 1948 - Ap Sun>=16 0 1 S
-+R T 1947 1950 - O Sun>=2 0 0 -
-+R T 1949 o - Ap 10 0 1 S
-+R T 1950 o - Ap 19 0 1 S
-+R T 1951 o - Ap 22 0 1 S
-+R T 1951 o - O 8 0 0 -
-+R T 1962 o - Jul 15 0 1 S
-+R T 1962 o - O 8 0 0 -
-+R T 1964 o - May 15 0 1 S
-+R T 1964 o - O 1 0 0 -
-+R T 1970 1972 - May Sun>=2 0 1 S
-+R T 1970 1972 - O Sun>=2 0 0 -
-+R T 1973 o - Jun 3 1 1 S
-+R T 1973 o - N 4 3 0 -
-+R T 1974 o - Mar 31 2 1 S
-+R T 1974 o - N 3 5 0 -
-+R T 1975 o - Mar 30 0 1 S
-+R T 1975 1976 - O lastSun 0 0 -
-+R T 1976 o - Jun 1 0 1 S
-+R T 1977 1978 - Ap Sun>=1 0 1 S
-+R T 1977 o - O 16 0 0 -
-+R T 1979 1980 - Ap Sun>=1 3 1 S
-+R T 1979 1982 - O M>=11 0 0 -
-+R T 1981 1982 - Mar lastSun 3 1 S
-+R T 1983 o - Jul 31 0 1 S
-+R T 1983 o - O 2 0 0 -
-+R T 1985 o - Ap 20 0 1 S
-+R T 1985 o - S 28 0 0 -
-+R T 1986 1993 - Mar lastSun 1s 1 S
-+R T 1986 1995 - S lastSun 1s 0 -
-+R T 1994 o - Mar 20 1s 1 S
-+R T 1995 2006 - Mar lastSun 1s 1 S
-+R T 1996 2006 - O lastSun 1s 0 -
- Z Europe/Istanbul 1:55:52 - LMT 1880
- 1:56:56 - IMT 1910 O
--2 AE EE%sT 1978 O 15
--3 AE +03/+04 1985 Ap 20
--2 AE EE%sT 2007
--2 O EE%sT 2011 Mar 27 1u
-+2 T EE%sT 1978 O 15
-+3 T +03/+04 1985 Ap 20
-+2 T EE%sT 2007
-+2 E EE%sT 2011 Mar 27 1u
- 2 - EET 2011 Mar 28 1u
--2 O EE%sT 2014 Mar 30 1u
-+2 E EE%sT 2014 Mar 30 1u
- 2 - EET 2014 Mar 31 1u
--2 O EE%sT 2015 O 25 1u
-+2 E EE%sT 2015 O 25 1u
- 2 1 EEST 2015 N 8 1u
--2 O EE%sT 2016 S 7
-+2 E EE%sT 2016 S 7
- 3 - +03
- Li Europe/Istanbul Asia/Istanbul
- Z Europe/Kiev 2:2:4 - LMT 1880
- 2:2:4 - KMT 1924 May 2
- 2 - EET 1930 Jun 21
- 3 - MSK 1941 S 20
--1 ( CE%sT 1943 N 6
--3 M MSK/MSD 1990 Jul 1 2
-+1 c CE%sT 1943 N 6
-+3 R MSK/MSD 1990 Jul 1 2
- 2 1 EEST 1991 S 29 3
--2 W EE%sT 1995
--2 O EE%sT
-+2 e EE%sT 1995
-+2 E EE%sT
- Z Europe/Uzhgorod 1:29:12 - LMT 1890 O
- 1 - CET 1940
--1 ( CE%sT 1944 O
-+1 c CE%sT 1944 O
- 1 1 CEST 1944 O 26
- 1 - CET 1945 Jun 29
--3 M MSK/MSD 1990
-+3 R MSK/MSD 1990
- 3 - MSK 1990 Jul 1 2
- 1 - CET 1991 Mar 31 3
- 2 - EET 1992
--2 W EE%sT 1995
--2 O EE%sT
-+2 e EE%sT 1995
-+2 E EE%sT
- Z Europe/Zaporozhye 2:20:40 - LMT 1880
- 2:20 - +0220 1924 May 2
- 2 - EET 1930 Jun 21
- 3 - MSK 1941 Au 25
--1 ( CE%sT 1943 O 25
--3 M MSK/MSD 1991 Mar 31 2
--2 W EE%sT 1995
--2 O EE%sT
--R AF 1918 1919 - Mar lastSun 2 1 D
--R AF 1918 1919 - O lastSun 2 0 S
--R AF 1942 o - F 9 2 1 W
--R AF 1945 o - Au 14 23u 1 P
--R AF 1945 o - S lastSun 2 0 S
--R AF 1967 2006 - O lastSun 2 0 S
--R AF 1967 1973 - Ap lastSun 2 1 D
--R AF 1974 o - Ja 6 2 1 D
--R AF 1975 o - F 23 2 1 D
--R AF 1976 1986 - Ap lastSun 2 1 D
--R AF 1987 2006 - Ap Sun>=1 2 1 D
--R AF 2007 ma - Mar Sun>=8 2 1 D
--R AF 2007 ma - N Sun>=1 2 0 S
-+1 c CE%sT 1943 O 25
-+3 R MSK/MSD 1991 Mar 31 2
-+2 e EE%sT 1995
-+2 E EE%sT
-+R u 1918 1919 - Mar lastSun 2 1 D
-+R u 1918 1919 - O lastSun 2 0 S
-+R u 1942 o - F 9 2 1 W
-+R u 1945 o - Au 14 23u 1 P
-+R u 1945 o - S lastSun 2 0 S
-+R u 1967 2006 - O lastSun 2 0 S
-+R u 1967 1973 - Ap lastSun 2 1 D
-+R u 1974 o - Ja 6 2 1 D
-+R u 1975 o - F 23 2 1 D
-+R u 1976 1986 - Ap lastSun 2 1 D
-+R u 1987 2006 - Ap Sun>=1 2 1 D
-+R u 2007 ma - Mar Sun>=8 2 1 D
-+R u 2007 ma - N Sun>=1 2 0 S
- Z EST -5 - EST
- Z MST -7 - MST
- Z HST -10 - HST
--Z EST5EDT -5 AF E%sT
--Z CST6CDT -6 AF C%sT
--Z MST7MDT -7 AF M%sT
--Z PST8PDT -8 AF P%sT
--R AG 1920 o - Mar lastSun 2 1 D
--R AG 1920 o - O lastSun 2 0 S
--R AG 1921 1966 - Ap lastSun 2 1 D
--R AG 1921 1954 - S lastSun 2 0 S
--R AG 1955 1966 - O lastSun 2 0 S
-+Z EST5EDT -5 u E%sT
-+Z CST6CDT -6 u C%sT
-+Z MST7MDT -7 u M%sT
-+Z PST8PDT -8 u P%sT
-+R NY 1920 o - Mar lastSun 2 1 D
-+R NY 1920 o - O lastSun 2 0 S
-+R NY 1921 1966 - Ap lastSun 2 1 D
-+R NY 1921 1954 - S lastSun 2 0 S
-+R NY 1955 1966 - O lastSun 2 0 S
- Z America/New_York -4:56:2 - LMT 1883 N 18 12:3:58
---5 AF E%sT 1920
---5 AG E%sT 1942
---5 AF E%sT 1946
---5 AG E%sT 1967
---5 AF E%sT
--R AH 1920 o - Jun 13 2 1 D
--R AH 1920 1921 - O lastSun 2 0 S
--R AH 1921 o - Mar lastSun 2 1 D
--R AH 1922 1966 - Ap lastSun 2 1 D
--R AH 1922 1954 - S lastSun 2 0 S
--R AH 1955 1966 - O lastSun 2 0 S
-+-5 u E%sT 1920
-+-5 NY E%sT 1942
-+-5 u E%sT 1946
-+-5 NY E%sT 1967
-+-5 u E%sT
-+R Ch 1920 o - Jun 13 2 1 D
-+R Ch 1920 1921 - O lastSun 2 0 S
-+R Ch 1921 o - Mar lastSun 2 1 D
-+R Ch 1922 1966 - Ap lastSun 2 1 D
-+R Ch 1922 1954 - S lastSun 2 0 S
-+R Ch 1955 1966 - O lastSun 2 0 S
- Z America/Chicago -5:50:36 - LMT 1883 N 18 12:9:24
---6 AF C%sT 1920
---6 AH C%sT 1936 Mar 1 2
-+-6 u C%sT 1920
-+-6 Ch C%sT 1936 Mar 1 2
- -5 - EST 1936 N 15 2
---6 AH C%sT 1942
---6 AF C%sT 1946
---6 AH C%sT 1967
---6 AF C%sT
-+-6 Ch C%sT 1942
-+-6 u C%sT 1946
-+-6 Ch C%sT 1967
-+-6 u C%sT
- Z America/North_Dakota/Center -6:45:12 - LMT 1883 N 18 12:14:48
---7 AF M%sT 1992 O 25 2
---6 AF C%sT
-+-7 u M%sT 1992 O 25 2
-+-6 u C%sT
- Z America/North_Dakota/New_Salem -6:45:39 - LMT 1883 N 18 12:14:21
---7 AF M%sT 2003 O 26 2
---6 AF C%sT
-+-7 u M%sT 2003 O 26 2
-+-6 u C%sT
- Z America/North_Dakota/Beulah -6:47:7 - LMT 1883 N 18 12:12:53
---7 AF M%sT 2010 N 7 2
---6 AF C%sT
--R AI 1920 1921 - Mar lastSun 2 1 D
--R AI 1920 o - O lastSun 2 0 S
--R AI 1921 o - May 22 2 0 S
--R AI 1965 1966 - Ap lastSun 2 1 D
--R AI 1965 1966 - O lastSun 2 0 S
-+-7 u M%sT 2010 N 7 2
-+-6 u C%sT
-+R De 1920 1921 - Mar lastSun 2 1 D
-+R De 1920 o - O lastSun 2 0 S
-+R De 1921 o - May 22 2 0 S
-+R De 1965 1966 - Ap lastSun 2 1 D
-+R De 1965 1966 - O lastSun 2 0 S
- Z America/Denver -6:59:56 - LMT 1883 N 18 12:0:4
---7 AF M%sT 1920
---7 AI M%sT 1942
---7 AF M%sT 1946
---7 AI M%sT 1967
---7 AF M%sT
--R AJ 1948 o - Mar 14 2:1 1 D
--R AJ 1949 o - Ja 1 2 0 S
--R AJ 1950 1966 - Ap lastSun 1 1 D
--R AJ 1950 1961 - S lastSun 2 0 S
--R AJ 1962 1966 - O lastSun 2 0 S
-+-7 u M%sT 1920
-+-7 De M%sT 1942
-+-7 u M%sT 1946
-+-7 De M%sT 1967
-+-7 u M%sT
-+R CA 1948 o - Mar 14 2:1 1 D
-+R CA 1949 o - Ja 1 2 0 S
-+R CA 1950 1966 - Ap lastSun 1 1 D
-+R CA 1950 1961 - S lastSun 2 0 S
-+R CA 1962 1966 - O lastSun 2 0 S
- Z America/Los_Angeles -7:52:58 - LMT 1883 N 18 12:7:2
---8 AF P%sT 1946
---8 AJ P%sT 1967
---8 AF P%sT
-+-8 u P%sT 1946
-+-8 CA P%sT 1967
-+-8 u P%sT
- Z America/Juneau 15:2:19 - LMT 1867 O 19 15:33:32
- -8:57:41 - LMT 1900 Au 20 12
- -8 - PST 1942
---8 AF P%sT 1946
-+-8 u P%sT 1946
- -8 - PST 1969
---8 AF P%sT 1980 Ap 27 2
---9 AF Y%sT 1980 O 26 2
---8 AF P%sT 1983 O 30 2
---9 AF Y%sT 1983 N 30
---9 AF AK%sT
-+-8 u P%sT 1980 Ap 27 2
-+-9 u Y%sT 1980 O 26 2
-+-8 u P%sT 1983 O 30 2
-+-9 u Y%sT 1983 N 30
-+-9 u AK%sT
- Z America/Sitka 14:58:47 - LMT 1867 O 19 15:30
- -9:1:13 - LMT 1900 Au 20 12
- -8 - PST 1942
---8 AF P%sT 1946
-+-8 u P%sT 1946
- -8 - PST 1969
---8 AF P%sT 1983 O 30 2
---9 AF Y%sT 1983 N 30
---9 AF AK%sT
-+-8 u P%sT 1983 O 30 2
-+-9 u Y%sT 1983 N 30
-+-9 u AK%sT
- Z America/Metlakatla 15:13:42 - LMT 1867 O 19 15:44:55
- -8:46:18 - LMT 1900 Au 20 12
- -8 - PST 1942
---8 AF P%sT 1946
-+-8 u P%sT 1946
- -8 - PST 1969
---8 AF P%sT 1983 O 30 2
-+-8 u P%sT 1983 O 30 2
- -8 - PST 2015 N 1 2
---9 AF AK%sT
-+-9 u AK%sT
- Z America/Yakutat 14:41:5 - LMT 1867 O 19 15:12:18
- -9:18:55 - LMT 1900 Au 20 12
- -9 - YST 1942
---9 AF Y%sT 1946
-+-9 u Y%sT 1946
- -9 - YST 1969
---9 AF Y%sT 1983 N 30
---9 AF AK%sT
-+-9 u Y%sT 1983 N 30
-+-9 u AK%sT
- Z America/Anchorage 14:0:24 - LMT 1867 O 19 14:31:37
- -9:59:36 - LMT 1900 Au 20 12
- -10 - AST 1942
---10 AF A%sT 1967 Ap
-+-10 u A%sT 1967 Ap
- -10 - AHST 1969
---10 AF AH%sT 1983 O 30 2
---9 AF Y%sT 1983 N 30
---9 AF AK%sT
-+-10 u AH%sT 1983 O 30 2
-+-9 u Y%sT 1983 N 30
-+-9 u AK%sT
- Z America/Nome 12:58:22 - LMT 1867 O 19 13:29:35
- -11:1:38 - LMT 1900 Au 20 12
- -11 - NST 1942
---11 AF N%sT 1946
-+-11 u N%sT 1946
- -11 - NST 1967 Ap
- -11 - BST 1969
---11 AF B%sT 1983 O 30 2
---9 AF Y%sT 1983 N 30
---9 AF AK%sT
-+-11 u B%sT 1983 O 30 2
-+-9 u Y%sT 1983 N 30
-+-9 u AK%sT
- Z America/Adak 12:13:22 - LMT 1867 O 19 12:44:35
- -11:46:38 - LMT 1900 Au 20 12
- -11 - NST 1942
---11 AF N%sT 1946
-+-11 u N%sT 1946
- -11 - NST 1967 Ap
- -11 - BST 1969
---11 AF B%sT 1983 O 30 2
---10 AF AH%sT 1983 N 30
---10 AF H%sT
-+-11 u B%sT 1983 O 30 2
-+-10 u AH%sT 1983 N 30
-+-10 u H%sT
- Z Pacific/Honolulu -10:31:26 - LMT 1896 Ja 13 12
- -10:30 - HST 1933 Ap 30 2
- -10:30 1 HDT 1933 May 21 12
-@@ -2683,531 +2700,531 @@ Z Pacific/Honolulu -10:31:26 - LMT 1896 Ja 13 12
- -10:30 - HST 1947 Jun 8 2
- -10 - HST
- Z America/Phoenix -7:28:18 - LMT 1883 N 18 11:31:42
---7 AF M%sT 1944 Ja 1 0:1
-+-7 u M%sT 1944 Ja 1 0:1
- -7 - MST 1944 Ap 1 0:1
---7 AF M%sT 1944 O 1 0:1
-+-7 u M%sT 1944 O 1 0:1
- -7 - MST 1967
---7 AF M%sT 1968 Mar 21
-+-7 u M%sT 1968 Mar 21
- -7 - MST
- Z America/Boise -7:44:49 - LMT 1883 N 18 12:15:11
---8 AF P%sT 1923 May 13 2
---7 AF M%sT 1974
-+-8 u P%sT 1923 May 13 2
-+-7 u M%sT 1974
- -7 - MST 1974 F 3 2
---7 AF M%sT
--R AK 1941 o - Jun 22 2 1 D
--R AK 1941 1954 - S lastSun 2 0 S
--R AK 1946 1954 - Ap lastSun 2 1 D
-+-7 u M%sT
-+R In 1941 o - Jun 22 2 1 D
-+R In 1941 1954 - S lastSun 2 0 S
-+R In 1946 1954 - Ap lastSun 2 1 D
- Z America/Indiana/Indianapolis -5:44:38 - LMT 1883 N 18 12:15:22
---6 AF C%sT 1920
---6 AK C%sT 1942
---6 AF C%sT 1946
---6 AK C%sT 1955 Ap 24 2
-+-6 u C%sT 1920
-+-6 In C%sT 1942
-+-6 u C%sT 1946
-+-6 In C%sT 1955 Ap 24 2
- -5 - EST 1957 S 29 2
- -6 - CST 1958 Ap 27 2
- -5 - EST 1969
---5 AF E%sT 1971
-+-5 u E%sT 1971
- -5 - EST 2006
---5 AF E%sT
--R AL 1951 o - Ap lastSun 2 1 D
--R AL 1951 o - S lastSun 2 0 S
--R AL 1954 1960 - Ap lastSun 2 1 D
--R AL 1954 1960 - S lastSun 2 0 S
-+-5 u E%sT
-+R Ma 1951 o - Ap lastSun 2 1 D
-+R Ma 1951 o - S lastSun 2 0 S
-+R Ma 1954 1960 - Ap lastSun 2 1 D
-+R Ma 1954 1960 - S lastSun 2 0 S
- Z America/Indiana/Marengo -5:45:23 - LMT 1883 N 18 12:14:37
---6 AF C%sT 1951
---6 AL C%sT 1961 Ap 30 2
-+-6 u C%sT 1951
-+-6 Ma C%sT 1961 Ap 30 2
- -5 - EST 1969
---5 AF E%sT 1974 Ja 6 2
-+-5 u E%sT 1974 Ja 6 2
- -6 1 CDT 1974 O 27 2
---5 AF E%sT 1976
-+-5 u E%sT 1976
- -5 - EST 2006
---5 AF E%sT
--R AM 1946 o - Ap lastSun 2 1 D
--R AM 1946 o - S lastSun 2 0 S
--R AM 1953 1954 - Ap lastSun 2 1 D
--R AM 1953 1959 - S lastSun 2 0 S
--R AM 1955 o - May 1 0 1 D
--R AM 1956 1963 - Ap lastSun 2 1 D
--R AM 1960 o - O lastSun 2 0 S
--R AM 1961 o - S lastSun 2 0 S
--R AM 1962 1963 - O lastSun 2 0 S
-+-5 u E%sT
-+R V 1946 o - Ap lastSun 2 1 D
-+R V 1946 o - S lastSun 2 0 S
-+R V 1953 1954 - Ap lastSun 2 1 D
-+R V 1953 1959 - S lastSun 2 0 S
-+R V 1955 o - May 1 0 1 D
-+R V 1956 1963 - Ap lastSun 2 1 D
-+R V 1960 o - O lastSun 2 0 S
-+R V 1961 o - S lastSun 2 0 S
-+R V 1962 1963 - O lastSun 2 0 S
- Z America/Indiana/Vincennes -5:50:7 - LMT 1883 N 18 12:9:53
---6 AF C%sT 1946
---6 AM C%sT 1964 Ap 26 2
-+-6 u C%sT 1946
-+-6 V C%sT 1964 Ap 26 2
- -5 - EST 1969
---5 AF E%sT 1971
-+-5 u E%sT 1971
- -5 - EST 2006 Ap 2 2
---6 AF C%sT 2007 N 4 2
---5 AF E%sT
--R AN 1946 o - Ap lastSun 2 1 D
--R AN 1946 o - S lastSun 2 0 S
--R AN 1953 1954 - Ap lastSun 2 1 D
--R AN 1953 1959 - S lastSun 2 0 S
--R AN 1955 o - May 1 0 1 D
--R AN 1956 1963 - Ap lastSun 2 1 D
--R AN 1960 o - O lastSun 2 0 S
--R AN 1961 o - S lastSun 2 0 S
--R AN 1962 1963 - O lastSun 2 0 S
-+-6 u C%sT 2007 N 4 2
-+-5 u E%sT
-+R Pe 1946 o - Ap lastSun 2 1 D
-+R Pe 1946 o - S lastSun 2 0 S
-+R Pe 1953 1954 - Ap lastSun 2 1 D
-+R Pe 1953 1959 - S lastSun 2 0 S
-+R Pe 1955 o - May 1 0 1 D
-+R Pe 1956 1963 - Ap lastSun 2 1 D
-+R Pe 1960 o - O lastSun 2 0 S
-+R Pe 1961 o - S lastSun 2 0 S
-+R Pe 1962 1963 - O lastSun 2 0 S
- Z America/Indiana/Tell_City -5:47:3 - LMT 1883 N 18 12:12:57
---6 AF C%sT 1946
---6 AN C%sT 1964 Ap 26 2
-+-6 u C%sT 1946
-+-6 Pe C%sT 1964 Ap 26 2
- -5 - EST 1969
---5 AF E%sT 1971
-+-5 u E%sT 1971
- -5 - EST 2006 Ap 2 2
---6 AF C%sT
--R AO 1955 o - May 1 0 1 D
--R AO 1955 1960 - S lastSun 2 0 S
--R AO 1956 1964 - Ap lastSun 2 1 D
--R AO 1961 1964 - O lastSun 2 0 S
-+-6 u C%sT
-+R Pi 1955 o - May 1 0 1 D
-+R Pi 1955 1960 - S lastSun 2 0 S
-+R Pi 1956 1964 - Ap lastSun 2 1 D
-+R Pi 1961 1964 - O lastSun 2 0 S
- Z America/Indiana/Petersburg -5:49:7 - LMT 1883 N 18 12:10:53
---6 AF C%sT 1955
---6 AO C%sT 1965 Ap 25 2
-+-6 u C%sT 1955
-+-6 Pi C%sT 1965 Ap 25 2
- -5 - EST 1966 O 30 2
---6 AF C%sT 1977 O 30 2
-+-6 u C%sT 1977 O 30 2
- -5 - EST 2006 Ap 2 2
---6 AF C%sT 2007 N 4 2
---5 AF E%sT
--R AP 1947 1961 - Ap lastSun 2 1 D
--R AP 1947 1954 - S lastSun 2 0 S
--R AP 1955 1956 - O lastSun 2 0 S
--R AP 1957 1958 - S lastSun 2 0 S
--R AP 1959 1961 - O lastSun 2 0 S
-+-6 u C%sT 2007 N 4 2
-+-5 u E%sT
-+R St 1947 1961 - Ap lastSun 2 1 D
-+R St 1947 1954 - S lastSun 2 0 S
-+R St 1955 1956 - O lastSun 2 0 S
-+R St 1957 1958 - S lastSun 2 0 S
-+R St 1959 1961 - O lastSun 2 0 S
- Z America/Indiana/Knox -5:46:30 - LMT 1883 N 18 12:13:30
---6 AF C%sT 1947
---6 AP C%sT 1962 Ap 29 2
-+-6 u C%sT 1947
-+-6 St C%sT 1962 Ap 29 2
- -5 - EST 1963 O 27 2
---6 AF C%sT 1991 O 27 2
-+-6 u C%sT 1991 O 27 2
- -5 - EST 2006 Ap 2 2
---6 AF C%sT
--R AQ 1946 1960 - Ap lastSun 2 1 D
--R AQ 1946 1954 - S lastSun 2 0 S
--R AQ 1955 1956 - O lastSun 2 0 S
--R AQ 1957 1960 - S lastSun 2 0 S
-+-6 u C%sT
-+R Pu 1946 1960 - Ap lastSun 2 1 D
-+R Pu 1946 1954 - S lastSun 2 0 S
-+R Pu 1955 1956 - O lastSun 2 0 S
-+R Pu 1957 1960 - S lastSun 2 0 S
- Z America/Indiana/Winamac -5:46:25 - LMT 1883 N 18 12:13:35
---6 AF C%sT 1946
---6 AQ C%sT 1961 Ap 30 2
-+-6 u C%sT 1946
-+-6 Pu C%sT 1961 Ap 30 2
- -5 - EST 1969
---5 AF E%sT 1971
-+-5 u E%sT 1971
- -5 - EST 2006 Ap 2 2
---6 AF C%sT 2007 Mar 11 2
---5 AF E%sT
-+-6 u C%sT 2007 Mar 11 2
-+-5 u E%sT
- Z America/Indiana/Vevay -5:40:16 - LMT 1883 N 18 12:19:44
---6 AF C%sT 1954 Ap 25 2
-+-6 u C%sT 1954 Ap 25 2
- -5 - EST 1969
---5 AF E%sT 1973
-+-5 u E%sT 1973
- -5 - EST 2006
---5 AF E%sT
--R AR 1921 o - May 1 2 1 D
--R AR 1921 o - S 1 2 0 S
--R AR 1941 1961 - Ap lastSun 2 1 D
--R AR 1941 o - S lastSun 2 0 S
--R AR 1946 o - Jun 2 2 0 S
--R AR 1950 1955 - S lastSun 2 0 S
--R AR 1956 1960 - O lastSun 2 0 S
-+-5 u E%sT
-+R v 1921 o - May 1 2 1 D
-+R v 1921 o - S 1 2 0 S
-+R v 1941 1961 - Ap lastSun 2 1 D
-+R v 1941 o - S lastSun 2 0 S
-+R v 1946 o - Jun 2 2 0 S
-+R v 1950 1955 - S lastSun 2 0 S
-+R v 1956 1960 - O lastSun 2 0 S
- Z America/Kentucky/Louisville -5:43:2 - LMT 1883 N 18 12:16:58
---6 AF C%sT 1921
---6 AR C%sT 1942
---6 AF C%sT 1946
---6 AR C%sT 1961 Jul 23 2
-+-6 u C%sT 1921
-+-6 v C%sT 1942
-+-6 u C%sT 1946
-+-6 v C%sT 1961 Jul 23 2
- -5 - EST 1968
---5 AF E%sT 1974 Ja 6 2
-+-5 u E%sT 1974 Ja 6 2
- -6 1 CDT 1974 O 27 2
---5 AF E%sT
-+-5 u E%sT
- Z America/Kentucky/Monticello -5:39:24 - LMT 1883 N 18 12:20:36
---6 AF C%sT 1946
-+-6 u C%sT 1946
- -6 - CST 1968
---6 AF C%sT 2000 O 29 2
---5 AF E%sT
--R AS 1948 o - Ap lastSun 2 1 D
--R AS 1948 o - S lastSun 2 0 S
-+-6 u C%sT 2000 O 29 2
-+-5 u E%sT
-+R Dt 1948 o - Ap lastSun 2 1 D
-+R Dt 1948 o - S lastSun 2 0 S
- Z America/Detroit -5:32:11 - LMT 1905
- -6 - CST 1915 May 15 2
- -5 - EST 1942
---5 AF E%sT 1946
---5 AS E%sT 1973
---5 AF E%sT 1975
-+-5 u E%sT 1946
-+-5 Dt E%sT 1973
-+-5 u E%sT 1975
- -5 - EST 1975 Ap 27 2
---5 AF E%sT
--R AT 1946 o - Ap lastSun 2 1 D
--R AT 1946 o - S lastSun 2 0 S
--R AT 1966 o - Ap lastSun 2 1 D
--R AT 1966 o - O lastSun 2 0 S
-+-5 u E%sT
-+R Me 1946 o - Ap lastSun 2 1 D
-+R Me 1946 o - S lastSun 2 0 S
-+R Me 1966 o - Ap lastSun 2 1 D
-+R Me 1966 o - O lastSun 2 0 S
- Z America/Menominee -5:50:27 - LMT 1885 S 18 12
---6 AF C%sT 1946
---6 AT C%sT 1969 Ap 27 2
-+-6 u C%sT 1946
-+-6 Me C%sT 1969 Ap 27 2
- -5 - EST 1973 Ap 29 2
---6 AF C%sT
--R AU 1918 o - Ap 14 2 1 D
--R AU 1918 o - O 27 2 0 S
--R AU 1942 o - F 9 2 1 W
--R AU 1945 o - Au 14 23u 1 P
--R AU 1945 o - S 30 2 0 S
--R AU 1974 1986 - Ap lastSun 2 1 D
--R AU 1974 2006 - O lastSun 2 0 S
--R AU 1987 2006 - Ap Sun>=1 2 1 D
--R AU 2007 ma - Mar Sun>=8 2 1 D
--R AU 2007 ma - N Sun>=1 2 0 S
--R AV 1917 o - Ap 8 2 1 D
--R AV 1917 o - S 17 2 0 S
--R AV 1919 o - May 5 23 1 D
--R AV 1919 o - Au 12 23 0 S
--R AV 1920 1935 - May Sun>=1 23 1 D
--R AV 1920 1935 - O lastSun 23 0 S
--R AV 1936 1941 - May M>=9 0 1 D
--R AV 1936 1941 - O M>=2 0 0 S
--R AV 1946 1950 - May Sun>=8 2 1 D
--R AV 1946 1950 - O Sun>=2 2 0 S
--R AV 1951 1986 - Ap lastSun 2 1 D
--R AV 1951 1959 - S lastSun 2 0 S
--R AV 1960 1986 - O lastSun 2 0 S
--R AV 1987 o - Ap Sun>=1 0:1 1 D
--R AV 1987 2006 - O lastSun 0:1 0 S
--R AV 1988 o - Ap Sun>=1 0:1 2 DD
--R AV 1989 2006 - Ap Sun>=1 0:1 1 D
--R AV 2007 2011 - Mar Sun>=8 0:1 1 D
--R AV 2007 2010 - N Sun>=1 0:1 0 S
-+-6 u C%sT
-+R C 1918 o - Ap 14 2 1 D
-+R C 1918 o - O 27 2 0 S
-+R C 1942 o - F 9 2 1 W
-+R C 1945 o - Au 14 23u 1 P
-+R C 1945 o - S 30 2 0 S
-+R C 1974 1986 - Ap lastSun 2 1 D
-+R C 1974 2006 - O lastSun 2 0 S
-+R C 1987 2006 - Ap Sun>=1 2 1 D
-+R C 2007 ma - Mar Sun>=8 2 1 D
-+R C 2007 ma - N Sun>=1 2 0 S
-+R j 1917 o - Ap 8 2 1 D
-+R j 1917 o - S 17 2 0 S
-+R j 1919 o - May 5 23 1 D
-+R j 1919 o - Au 12 23 0 S
-+R j 1920 1935 - May Sun>=1 23 1 D
-+R j 1920 1935 - O lastSun 23 0 S
-+R j 1936 1941 - May M>=9 0 1 D
-+R j 1936 1941 - O M>=2 0 0 S
-+R j 1946 1950 - May Sun>=8 2 1 D
-+R j 1946 1950 - O Sun>=2 2 0 S
-+R j 1951 1986 - Ap lastSun 2 1 D
-+R j 1951 1959 - S lastSun 2 0 S
-+R j 1960 1986 - O lastSun 2 0 S
-+R j 1987 o - Ap Sun>=1 0:1 1 D
-+R j 1987 2006 - O lastSun 0:1 0 S
-+R j 1988 o - Ap Sun>=1 0:1 2 DD
-+R j 1989 2006 - Ap Sun>=1 0:1 1 D
-+R j 2007 2011 - Mar Sun>=8 0:1 1 D
-+R j 2007 2010 - N Sun>=1 0:1 0 S
- Z America/St_Johns -3:30:52 - LMT 1884
---3:30:52 AV N%sT 1918
---3:30:52 AU N%sT 1919
---3:30:52 AV N%sT 1935 Mar 30
---3:30 AV N%sT 1942 May 11
---3:30 AU N%sT 1946
---3:30 AV N%sT 2011 N
---3:30 AU N%sT
-+-3:30:52 j N%sT 1918
-+-3:30:52 C N%sT 1919
-+-3:30:52 j N%sT 1935 Mar 30
-+-3:30 j N%sT 1942 May 11
-+-3:30 C N%sT 1946
-+-3:30 j N%sT 2011 N
-+-3:30 C N%sT
- Z America/Goose_Bay -4:1:40 - LMT 1884
- -3:30:52 - NST 1918
---3:30:52 AU N%sT 1919
-+-3:30:52 C N%sT 1919
- -3:30:52 - NST 1935 Mar 30
- -3:30 - NST 1936
---3:30 AV N%sT 1942 May 11
---3:30 AU N%sT 1946
---3:30 AV N%sT 1966 Mar 15 2
---4 AV A%sT 2011 N
---4 AU A%sT
--R AW 1916 o - Ap 1 0 1 D
--R AW 1916 o - O 1 0 0 S
--R AW 1920 o - May 9 0 1 D
--R AW 1920 o - Au 29 0 0 S
--R AW 1921 o - May 6 0 1 D
--R AW 1921 1922 - S 5 0 0 S
--R AW 1922 o - Ap 30 0 1 D
--R AW 1923 1925 - May Sun>=1 0 1 D
--R AW 1923 o - S 4 0 0 S
--R AW 1924 o - S 15 0 0 S
--R AW 1925 o - S 28 0 0 S
--R AW 1926 o - May 16 0 1 D
--R AW 1926 o - S 13 0 0 S
--R AW 1927 o - May 1 0 1 D
--R AW 1927 o - S 26 0 0 S
--R AW 1928 1931 - May Sun>=8 0 1 D
--R AW 1928 o - S 9 0 0 S
--R AW 1929 o - S 3 0 0 S
--R AW 1930 o - S 15 0 0 S
--R AW 1931 1932 - S M>=24 0 0 S
--R AW 1932 o - May 1 0 1 D
--R AW 1933 o - Ap 30 0 1 D
--R AW 1933 o - O 2 0 0 S
--R AW 1934 o - May 20 0 1 D
--R AW 1934 o - S 16 0 0 S
--R AW 1935 o - Jun 2 0 1 D
--R AW 1935 o - S 30 0 0 S
--R AW 1936 o - Jun 1 0 1 D
--R AW 1936 o - S 14 0 0 S
--R AW 1937 1938 - May Sun>=1 0 1 D
--R AW 1937 1941 - S M>=24 0 0 S
--R AW 1939 o - May 28 0 1 D
--R AW 1940 1941 - May Sun>=1 0 1 D
--R AW 1946 1949 - Ap lastSun 2 1 D
--R AW 1946 1949 - S lastSun 2 0 S
--R AW 1951 1954 - Ap lastSun 2 1 D
--R AW 1951 1954 - S lastSun 2 0 S
--R AW 1956 1959 - Ap lastSun 2 1 D
--R AW 1956 1959 - S lastSun 2 0 S
--R AW 1962 1973 - Ap lastSun 2 1 D
--R AW 1962 1973 - O lastSun 2 0 S
-+-3:30 j N%sT 1942 May 11
-+-3:30 C N%sT 1946
-+-3:30 j N%sT 1966 Mar 15 2
-+-4 j A%sT 2011 N
-+-4 C A%sT
-+R H 1916 o - Ap 1 0 1 D
-+R H 1916 o - O 1 0 0 S
-+R H 1920 o - May 9 0 1 D
-+R H 1920 o - Au 29 0 0 S
-+R H 1921 o - May 6 0 1 D
-+R H 1921 1922 - S 5 0 0 S
-+R H 1922 o - Ap 30 0 1 D
-+R H 1923 1925 - May Sun>=1 0 1 D
-+R H 1923 o - S 4 0 0 S
-+R H 1924 o - S 15 0 0 S
-+R H 1925 o - S 28 0 0 S
-+R H 1926 o - May 16 0 1 D
-+R H 1926 o - S 13 0 0 S
-+R H 1927 o - May 1 0 1 D
-+R H 1927 o - S 26 0 0 S
-+R H 1928 1931 - May Sun>=8 0 1 D
-+R H 1928 o - S 9 0 0 S
-+R H 1929 o - S 3 0 0 S
-+R H 1930 o - S 15 0 0 S
-+R H 1931 1932 - S M>=24 0 0 S
-+R H 1932 o - May 1 0 1 D
-+R H 1933 o - Ap 30 0 1 D
-+R H 1933 o - O 2 0 0 S
-+R H 1934 o - May 20 0 1 D
-+R H 1934 o - S 16 0 0 S
-+R H 1935 o - Jun 2 0 1 D
-+R H 1935 o - S 30 0 0 S
-+R H 1936 o - Jun 1 0 1 D
-+R H 1936 o - S 14 0 0 S
-+R H 1937 1938 - May Sun>=1 0 1 D
-+R H 1937 1941 - S M>=24 0 0 S
-+R H 1939 o - May 28 0 1 D
-+R H 1940 1941 - May Sun>=1 0 1 D
-+R H 1946 1949 - Ap lastSun 2 1 D
-+R H 1946 1949 - S lastSun 2 0 S
-+R H 1951 1954 - Ap lastSun 2 1 D
-+R H 1951 1954 - S lastSun 2 0 S
-+R H 1956 1959 - Ap lastSun 2 1 D
-+R H 1956 1959 - S lastSun 2 0 S
-+R H 1962 1973 - Ap lastSun 2 1 D
-+R H 1962 1973 - O lastSun 2 0 S
- Z America/Halifax -4:14:24 - LMT 1902 Jun 15
---4 AW A%sT 1918
---4 AU A%sT 1919
---4 AW A%sT 1942 F 9 2s
---4 AU A%sT 1946
---4 AW A%sT 1974
---4 AU A%sT
-+-4 H A%sT 1918
-+-4 C A%sT 1919
-+-4 H A%sT 1942 F 9 2s
-+-4 C A%sT 1946
-+-4 H A%sT 1974
-+-4 C A%sT
- Z America/Glace_Bay -3:59:48 - LMT 1902 Jun 15
---4 AU A%sT 1953
---4 AW A%sT 1954
-+-4 C A%sT 1953
-+-4 H A%sT 1954
- -4 - AST 1972
---4 AW A%sT 1974
---4 AU A%sT
--R AX 1933 1935 - Jun Sun>=8 1 1 D
--R AX 1933 1935 - S Sun>=8 1 0 S
--R AX 1936 1938 - Jun Sun>=1 1 1 D
--R AX 1936 1938 - S Sun>=1 1 0 S
--R AX 1939 o - May 27 1 1 D
--R AX 1939 1941 - S Sat>=21 1 0 S
--R AX 1940 o - May 19 1 1 D
--R AX 1941 o - May 4 1 1 D
--R AX 1946 1972 - Ap lastSun 2 1 D
--R AX 1946 1956 - S lastSun 2 0 S
--R AX 1957 1972 - O lastSun 2 0 S
--R AX 1993 2006 - Ap Sun>=1 0:1 1 D
--R AX 1993 2006 - O lastSun 0:1 0 S
-+-4 H A%sT 1974
-+-4 C A%sT
-+R o 1933 1935 - Jun Sun>=8 1 1 D
-+R o 1933 1935 - S Sun>=8 1 0 S
-+R o 1936 1938 - Jun Sun>=1 1 1 D
-+R o 1936 1938 - S Sun>=1 1 0 S
-+R o 1939 o - May 27 1 1 D
-+R o 1939 1941 - S Sat>=21 1 0 S
-+R o 1940 o - May 19 1 1 D
-+R o 1941 o - May 4 1 1 D
-+R o 1946 1972 - Ap lastSun 2 1 D
-+R o 1946 1956 - S lastSun 2 0 S
-+R o 1957 1972 - O lastSun 2 0 S
-+R o 1993 2006 - Ap Sun>=1 0:1 1 D
-+R o 1993 2006 - O lastSun 0:1 0 S
- Z America/Moncton -4:19:8 - LMT 1883 D 9
- -5 - EST 1902 Jun 15
---4 AU A%sT 1933
---4 AX A%sT 1942
---4 AU A%sT 1946
---4 AX A%sT 1973
---4 AU A%sT 1993
---4 AX A%sT 2007
---4 AU A%sT
-+-4 C A%sT 1933
-+-4 o A%sT 1942
-+-4 C A%sT 1946
-+-4 o A%sT 1973
-+-4 C A%sT 1993
-+-4 o A%sT 2007
-+-4 C A%sT
- Z America/Blanc-Sablon -3:48:28 - LMT 1884
---4 AU A%sT 1970
-+-4 C A%sT 1970
- -4 - AST
--R AY 1919 o - Mar 30 23:30 1 D
--R AY 1919 o - O 26 0 0 S
--R AY 1920 o - May 2 2 1 D
--R AY 1920 o - S 26 0 0 S
--R AY 1921 o - May 15 2 1 D
--R AY 1921 o - S 15 2 0 S
--R AY 1922 1923 - May Sun>=8 2 1 D
--R AY 1922 1926 - S Sun>=15 2 0 S
--R AY 1924 1927 - May Sun>=1 2 1 D
--R AY 1927 1932 - S lastSun 2 0 S
--R AY 1928 1931 - Ap lastSun 2 1 D
--R AY 1932 o - May 1 2 1 D
--R AY 1933 1940 - Ap lastSun 2 1 D
--R AY 1933 o - O 1 2 0 S
--R AY 1934 1939 - S lastSun 2 0 S
--R AY 1945 1946 - S lastSun 2 0 S
--R AY 1946 o - Ap lastSun 2 1 D
--R AY 1947 1949 - Ap lastSun 0 1 D
--R AY 1947 1948 - S lastSun 0 0 S
--R AY 1949 o - N lastSun 0 0 S
--R AY 1950 1973 - Ap lastSun 2 1 D
--R AY 1950 o - N lastSun 2 0 S
--R AY 1951 1956 - S lastSun 2 0 S
--R AY 1957 1973 - O lastSun 2 0 S
-+R t 1919 o - Mar 30 23:30 1 D
-+R t 1919 o - O 26 0 0 S
-+R t 1920 o - May 2 2 1 D
-+R t 1920 o - S 26 0 0 S
-+R t 1921 o - May 15 2 1 D
-+R t 1921 o - S 15 2 0 S
-+R t 1922 1923 - May Sun>=8 2 1 D
-+R t 1922 1926 - S Sun>=15 2 0 S
-+R t 1924 1927 - May Sun>=1 2 1 D
-+R t 1927 1932 - S lastSun 2 0 S
-+R t 1928 1931 - Ap lastSun 2 1 D
-+R t 1932 o - May 1 2 1 D
-+R t 1933 1940 - Ap lastSun 2 1 D
-+R t 1933 o - O 1 2 0 S
-+R t 1934 1939 - S lastSun 2 0 S
-+R t 1945 1946 - S lastSun 2 0 S
-+R t 1946 o - Ap lastSun 2 1 D
-+R t 1947 1949 - Ap lastSun 0 1 D
-+R t 1947 1948 - S lastSun 0 0 S
-+R t 1949 o - N lastSun 0 0 S
-+R t 1950 1973 - Ap lastSun 2 1 D
-+R t 1950 o - N lastSun 2 0 S
-+R t 1951 1956 - S lastSun 2 0 S
-+R t 1957 1973 - O lastSun 2 0 S
- Z America/Toronto -5:17:32 - LMT 1895
---5 AU E%sT 1919
---5 AY E%sT 1942 F 9 2s
---5 AU E%sT 1946
---5 AY E%sT 1974
---5 AU E%sT
-+-5 C E%sT 1919
-+-5 t E%sT 1942 F 9 2s
-+-5 C E%sT 1946
-+-5 t E%sT 1974
-+-5 C E%sT
- Z America/Thunder_Bay -5:57 - LMT 1895
- -6 - CST 1910
- -5 - EST 1942
---5 AU E%sT 1970
---5 AY E%sT 1973
-+-5 C E%sT 1970
-+-5 t E%sT 1973
- -5 - EST 1974
---5 AU E%sT
-+-5 C E%sT
- Z America/Nipigon -5:53:4 - LMT 1895
---5 AU E%sT 1940 S 29
-+-5 C E%sT 1940 S 29
- -5 1 EDT 1942 F 9 2s
---5 AU E%sT
-+-5 C E%sT
- Z America/Rainy_River -6:18:16 - LMT 1895
---6 AU C%sT 1940 S 29
-+-6 C C%sT 1940 S 29
- -6 1 CDT 1942 F 9 2s
---6 AU C%sT
-+-6 C C%sT
- Z America/Atikokan -6:6:28 - LMT 1895
---6 AU C%sT 1940 S 29
-+-6 C C%sT 1940 S 29
- -6 1 CDT 1942 F 9 2s
---6 AU C%sT 1945 S 30 2
-+-6 C C%sT 1945 S 30 2
- -5 - EST
--R AZ 1916 o - Ap 23 0 1 D
--R AZ 1916 o - S 17 0 0 S
--R AZ 1918 o - Ap 14 2 1 D
--R AZ 1918 o - O 27 2 0 S
--R AZ 1937 o - May 16 2 1 D
--R AZ 1937 o - S 26 2 0 S
--R AZ 1942 o - F 9 2 1 W
--R AZ 1945 o - Au 14 23u 1 P
--R AZ 1945 o - S lastSun 2 0 S
--R AZ 1946 o - May 12 2 1 D
--R AZ 1946 o - O 13 2 0 S
--R AZ 1947 1949 - Ap lastSun 2 1 D
--R AZ 1947 1949 - S lastSun 2 0 S
--R AZ 1950 o - May 1 2 1 D
--R AZ 1950 o - S 30 2 0 S
--R AZ 1951 1960 - Ap lastSun 2 1 D
--R AZ 1951 1958 - S lastSun 2 0 S
--R AZ 1959 o - O lastSun 2 0 S
--R AZ 1960 o - S lastSun 2 0 S
--R AZ 1963 o - Ap lastSun 2 1 D
--R AZ 1963 o - S 22 2 0 S
--R AZ 1966 1986 - Ap lastSun 2s 1 D
--R AZ 1966 2005 - O lastSun 2s 0 S
--R AZ 1987 2005 - Ap Sun>=1 2s 1 D
-+R W 1916 o - Ap 23 0 1 D
-+R W 1916 o - S 17 0 0 S
-+R W 1918 o - Ap 14 2 1 D
-+R W 1918 o - O 27 2 0 S
-+R W 1937 o - May 16 2 1 D
-+R W 1937 o - S 26 2 0 S
-+R W 1942 o - F 9 2 1 W
-+R W 1945 o - Au 14 23u 1 P
-+R W 1945 o - S lastSun 2 0 S
-+R W 1946 o - May 12 2 1 D
-+R W 1946 o - O 13 2 0 S
-+R W 1947 1949 - Ap lastSun 2 1 D
-+R W 1947 1949 - S lastSun 2 0 S
-+R W 1950 o - May 1 2 1 D
-+R W 1950 o - S 30 2 0 S
-+R W 1951 1960 - Ap lastSun 2 1 D
-+R W 1951 1958 - S lastSun 2 0 S
-+R W 1959 o - O lastSun 2 0 S
-+R W 1960 o - S lastSun 2 0 S
-+R W 1963 o - Ap lastSun 2 1 D
-+R W 1963 o - S 22 2 0 S
-+R W 1966 1986 - Ap lastSun 2s 1 D
-+R W 1966 2005 - O lastSun 2s 0 S
-+R W 1987 2005 - Ap Sun>=1 2s 1 D
- Z America/Winnipeg -6:28:36 - LMT 1887 Jul 16
---6 AZ C%sT 2006
---6 AU C%sT
--R Aa 1918 o - Ap 14 2 1 D
--R Aa 1918 o - O 27 2 0 S
--R Aa 1930 1934 - May Sun>=1 0 1 D
--R Aa 1930 1934 - O Sun>=1 0 0 S
--R Aa 1937 1941 - Ap Sun>=8 0 1 D
--R Aa 1937 o - O Sun>=8 0 0 S
--R Aa 1938 o - O Sun>=1 0 0 S
--R Aa 1939 1941 - O Sun>=8 0 0 S
--R Aa 1942 o - F 9 2 1 W
--R Aa 1945 o - Au 14 23u 1 P
--R Aa 1945 o - S lastSun 2 0 S
--R Aa 1946 o - Ap Sun>=8 2 1 D
--R Aa 1946 o - O Sun>=8 2 0 S
--R Aa 1947 1957 - Ap lastSun 2 1 D
--R Aa 1947 1957 - S lastSun 2 0 S
--R Aa 1959 o - Ap lastSun 2 1 D
--R Aa 1959 o - O lastSun 2 0 S
--R Ab 1957 o - Ap lastSun 2 1 D
--R Ab 1957 o - O lastSun 2 0 S
--R Ab 1959 1961 - Ap lastSun 2 1 D
--R Ab 1959 o - O lastSun 2 0 S
--R Ab 1960 1961 - S lastSun 2 0 S
-+-6 W C%sT 2006
-+-6 C C%sT
-+R r 1918 o - Ap 14 2 1 D
-+R r 1918 o - O 27 2 0 S
-+R r 1930 1934 - May Sun>=1 0 1 D
-+R r 1930 1934 - O Sun>=1 0 0 S
-+R r 1937 1941 - Ap Sun>=8 0 1 D
-+R r 1937 o - O Sun>=8 0 0 S
-+R r 1938 o - O Sun>=1 0 0 S
-+R r 1939 1941 - O Sun>=8 0 0 S
-+R r 1942 o - F 9 2 1 W
-+R r 1945 o - Au 14 23u 1 P
-+R r 1945 o - S lastSun 2 0 S
-+R r 1946 o - Ap Sun>=8 2 1 D
-+R r 1946 o - O Sun>=8 2 0 S
-+R r 1947 1957 - Ap lastSun 2 1 D
-+R r 1947 1957 - S lastSun 2 0 S
-+R r 1959 o - Ap lastSun 2 1 D
-+R r 1959 o - O lastSun 2 0 S
-+R Sw 1957 o - Ap lastSun 2 1 D
-+R Sw 1957 o - O lastSun 2 0 S
-+R Sw 1959 1961 - Ap lastSun 2 1 D
-+R Sw 1959 o - O lastSun 2 0 S
-+R Sw 1960 1961 - S lastSun 2 0 S
- Z America/Regina -6:58:36 - LMT 1905 S
---7 Aa M%sT 1960 Ap lastSun 2
-+-7 r M%sT 1960 Ap lastSun 2
- -6 - CST
- Z America/Swift_Current -7:11:20 - LMT 1905 S
---7 AU M%sT 1946 Ap lastSun 2
---7 Aa M%sT 1950
---7 Ab M%sT 1972 Ap lastSun 2
-+-7 C M%sT 1946 Ap lastSun 2
-+-7 r M%sT 1950
-+-7 Sw M%sT 1972 Ap lastSun 2
- -6 - CST
--R Ac 1918 1919 - Ap Sun>=8 2 1 D
--R Ac 1918 o - O 27 2 0 S
--R Ac 1919 o - May 27 2 0 S
--R Ac 1920 1923 - Ap lastSun 2 1 D
--R Ac 1920 o - O lastSun 2 0 S
--R Ac 1921 1923 - S lastSun 2 0 S
--R Ac 1942 o - F 9 2 1 W
--R Ac 1945 o - Au 14 23u 1 P
--R Ac 1945 o - S lastSun 2 0 S
--R Ac 1947 o - Ap lastSun 2 1 D
--R Ac 1947 o - S lastSun 2 0 S
--R Ac 1967 o - Ap lastSun 2 1 D
--R Ac 1967 o - O lastSun 2 0 S
--R Ac 1969 o - Ap lastSun 2 1 D
--R Ac 1969 o - O lastSun 2 0 S
--R Ac 1972 1986 - Ap lastSun 2 1 D
--R Ac 1972 2006 - O lastSun 2 0 S
-+R Ed 1918 1919 - Ap Sun>=8 2 1 D
-+R Ed 1918 o - O 27 2 0 S
-+R Ed 1919 o - May 27 2 0 S
-+R Ed 1920 1923 - Ap lastSun 2 1 D
-+R Ed 1920 o - O lastSun 2 0 S
-+R Ed 1921 1923 - S lastSun 2 0 S
-+R Ed 1942 o - F 9 2 1 W
-+R Ed 1945 o - Au 14 23u 1 P
-+R Ed 1945 o - S lastSun 2 0 S
-+R Ed 1947 o - Ap lastSun 2 1 D
-+R Ed 1947 o - S lastSun 2 0 S
-+R Ed 1967 o - Ap lastSun 2 1 D
-+R Ed 1967 o - O lastSun 2 0 S
-+R Ed 1969 o - Ap lastSun 2 1 D
-+R Ed 1969 o - O lastSun 2 0 S
-+R Ed 1972 1986 - Ap lastSun 2 1 D
-+R Ed 1972 2006 - O lastSun 2 0 S
- Z America/Edmonton -7:33:52 - LMT 1906 S
---7 Ac M%sT 1987
---7 AU M%sT
--R Ad 1918 o - Ap 14 2 1 D
--R Ad 1918 o - O 27 2 0 S
--R Ad 1942 o - F 9 2 1 W
--R Ad 1945 o - Au 14 23u 1 P
--R Ad 1945 o - S 30 2 0 S
--R Ad 1946 1986 - Ap lastSun 2 1 D
--R Ad 1946 o - O 13 2 0 S
--R Ad 1947 1961 - S lastSun 2 0 S
--R Ad 1962 2006 - O lastSun 2 0 S
-+-7 Ed M%sT 1987
-+-7 C M%sT
-+R Va 1918 o - Ap 14 2 1 D
-+R Va 1918 o - O 27 2 0 S
-+R Va 1942 o - F 9 2 1 W
-+R Va 1945 o - Au 14 23u 1 P
-+R Va 1945 o - S 30 2 0 S
-+R Va 1946 1986 - Ap lastSun 2 1 D
-+R Va 1946 o - O 13 2 0 S
-+R Va 1947 1961 - S lastSun 2 0 S
-+R Va 1962 2006 - O lastSun 2 0 S
- Z America/Vancouver -8:12:28 - LMT 1884
---8 Ad P%sT 1987
---8 AU P%sT
-+-8 Va P%sT 1987
-+-8 C P%sT
- Z America/Dawson_Creek -8:0:56 - LMT 1884
---8 AU P%sT 1947
---8 Ad P%sT 1972 Au 30 2
-+-8 C P%sT 1947
-+-8 Va P%sT 1972 Au 30 2
- -7 - MST
- Z America/Fort_Nelson -8:10:47 - LMT 1884
---8 Ad P%sT 1946
-+-8 Va P%sT 1946
- -8 - PST 1947
---8 Ad P%sT 1987
---8 AU P%sT 2015 Mar 8 2
-+-8 Va P%sT 1987
-+-8 C P%sT 2015 Mar 8 2
- -7 - MST
- Z America/Creston -7:46:4 - LMT 1884
- -7 - MST 1916 O
- -8 - PST 1918 Jun 2
- -7 - MST
--R Ae 1918 o - Ap 14 2 1 D
--R Ae 1918 o - O 27 2 0 S
--R Ae 1919 o - May 25 2 1 D
--R Ae 1919 o - N 1 0 0 S
--R Ae 1942 o - F 9 2 1 W
--R Ae 1945 o - Au 14 23u 1 P
--R Ae 1945 o - S 30 2 0 S
--R Ae 1965 o - Ap lastSun 0 2 DD
--R Ae 1965 o - O lastSun 2 0 S
--R Ae 1980 1986 - Ap lastSun 2 1 D
--R Ae 1980 2006 - O lastSun 2 0 S
--R Ae 1987 2006 - Ap Sun>=1 2 1 D
-+R Y 1918 o - Ap 14 2 1 D
-+R Y 1918 o - O 27 2 0 S
-+R Y 1919 o - May 25 2 1 D
-+R Y 1919 o - N 1 0 0 S
-+R Y 1942 o - F 9 2 1 W
-+R Y 1945 o - Au 14 23u 1 P
-+R Y 1945 o - S 30 2 0 S
-+R Y 1965 o - Ap lastSun 0 2 DD
-+R Y 1965 o - O lastSun 2 0 S
-+R Y 1980 1986 - Ap lastSun 2 1 D
-+R Y 1980 2006 - O lastSun 2 0 S
-+R Y 1987 2006 - Ap Sun>=1 2 1 D
- Z America/Pangnirtung 0 - -00 1921
---4 Ae A%sT 1995 Ap Sun>=1 2
---5 AU E%sT 1999 O 31 2
---6 AU C%sT 2000 O 29 2
---5 AU E%sT
-+-4 Y A%sT 1995 Ap Sun>=1 2
-+-5 C E%sT 1999 O 31 2
-+-6 C C%sT 2000 O 29 2
-+-5 C E%sT
- Z America/Iqaluit 0 - -00 1942 Au
---5 Ae E%sT 1999 O 31 2
---6 AU C%sT 2000 O 29 2
---5 AU E%sT
-+-5 Y E%sT 1999 O 31 2
-+-6 C C%sT 2000 O 29 2
-+-5 C E%sT
- Z America/Resolute 0 - -00 1947 Au 31
---6 Ae C%sT 2000 O 29 2
-+-6 Y C%sT 2000 O 29 2
- -5 - EST 2001 Ap 1 3
---6 AU C%sT 2006 O 29 2
-+-6 C C%sT 2006 O 29 2
- -5 - EST 2007 Mar 11 3
---6 AU C%sT
-+-6 C C%sT
- Z America/Rankin_Inlet 0 - -00 1957
---6 Ae C%sT 2000 O 29 2
-+-6 Y C%sT 2000 O 29 2
- -5 - EST 2001 Ap 1 3
---6 AU C%sT
-+-6 C C%sT
- Z America/Cambridge_Bay 0 - -00 1920
---7 Ae M%sT 1999 O 31 2
---6 AU C%sT 2000 O 29 2
-+-7 Y M%sT 1999 O 31 2
-+-6 C C%sT 2000 O 29 2
- -5 - EST 2000 N 5
- -6 - CST 2001 Ap 1 3
---7 AU M%sT
-+-7 C M%sT
- Z America/Yellowknife 0 - -00 1935
---7 Ae M%sT 1980
---7 AU M%sT
-+-7 Y M%sT 1980
-+-7 C M%sT
- Z America/Inuvik 0 - -00 1953
---8 Ae P%sT 1979 Ap lastSun 2
---7 Ae M%sT 1980
---7 AU M%sT
-+-8 Y P%sT 1979 Ap lastSun 2
-+-7 Y M%sT 1980
-+-7 C M%sT
- Z America/Whitehorse -9:0:12 - LMT 1900 Au 20
---9 Ae Y%sT 1967 May 28
---8 Ae P%sT 1980
---8 AU P%sT
-+-9 Y Y%sT 1967 May 28
-+-8 Y P%sT 1980
-+-8 C P%sT
- Z America/Dawson -9:17:40 - LMT 1900 Au 20
---9 Ae Y%sT 1973 O 28
---8 Ae P%sT 1980
---8 AU P%sT
--R Af 1939 o - F 5 0 1 D
--R Af 1939 o - Jun 25 0 0 S
--R Af 1940 o - D 9 0 1 D
--R Af 1941 o - Ap 1 0 0 S
--R Af 1943 o - D 16 0 1 W
--R Af 1944 o - May 1 0 0 S
--R Af 1950 o - F 12 0 1 D
--R Af 1950 o - Jul 30 0 0 S
--R Af 1996 2000 - Ap Sun>=1 2 1 D
--R Af 1996 2000 - O lastSun 2 0 S
--R Af 2001 o - May Sun>=1 2 1 D
--R Af 2001 o - S lastSun 2 0 S
--R Af 2002 ma - Ap Sun>=1 2 1 D
--R Af 2002 ma - O lastSun 2 0 S
-+-9 Y Y%sT 1973 O 28
-+-8 Y P%sT 1980
-+-8 C P%sT
-+R m 1939 o - F 5 0 1 D
-+R m 1939 o - Jun 25 0 0 S
-+R m 1940 o - D 9 0 1 D
-+R m 1941 o - Ap 1 0 0 S
-+R m 1943 o - D 16 0 1 W
-+R m 1944 o - May 1 0 0 S
-+R m 1950 o - F 12 0 1 D
-+R m 1950 o - Jul 30 0 0 S
-+R m 1996 2000 - Ap Sun>=1 2 1 D
-+R m 1996 2000 - O lastSun 2 0 S
-+R m 2001 o - May Sun>=1 2 1 D
-+R m 2001 o - S lastSun 2 0 S
-+R m 2002 ma - Ap Sun>=1 2 1 D
-+R m 2002 ma - O lastSun 2 0 S
- Z America/Cancun -5:47:4 - LMT 1922 Ja 1 0:12:56
- -6 - CST 1981 D 23
---5 Af E%sT 1998 Au 2 2
---6 Af C%sT 2015 F 1 2
-+-5 m E%sT 1998 Au 2 2
-+-6 m C%sT 2015 F 1 2
- -5 - EST
- Z America/Merida -5:58:28 - LMT 1922 Ja 1 0:1:32
- -6 - CST 1981 D 23
- -5 - EST 1982 D 2
---6 Af C%sT
-+-6 m C%sT
- Z America/Matamoros -6:40 - LMT 1921 D 31 23:20
- -6 - CST 1988
---6 AF C%sT 1989
---6 Af C%sT 2010
---6 AF C%sT
-+-6 u C%sT 1989
-+-6 m C%sT 2010
-+-6 u C%sT
- Z America/Monterrey -6:41:16 - LMT 1921 D 31 23:18:44
- -6 - CST 1988
---6 AF C%sT 1989
---6 Af C%sT
-+-6 u C%sT 1989
-+-6 m C%sT
- Z America/Mexico_City -6:36:36 - LMT 1922 Ja 1 0:23:24
- -7 - MST 1927 Jun 10 23
- -6 - CST 1930 N 15
- -7 - MST 1931 May 1 23
- -6 - CST 1931 O
- -7 - MST 1932 Ap
---6 Af C%sT 2001 S 30 2
-+-6 m C%sT 2001 S 30 2
- -6 - CST 2002 F 20
---6 Af C%sT
-+-6 m C%sT
- Z America/Ojinaga -6:57:40 - LMT 1922 Ja 1 0:2:20
- -7 - MST 1927 Jun 10 23
- -6 - CST 1930 N 15
-@@ -3215,10 +3232,10 @@ Z America/Ojinaga -6:57:40 - LMT 1922 Ja 1 0:2:20
- -6 - CST 1931 O
- -7 - MST 1932 Ap
- -6 - CST 1996
---6 Af C%sT 1998
-+-6 m C%sT 1998
- -6 - CST 1998 Ap Sun>=1 3
---7 Af M%sT 2010
---7 AF M%sT
-+-7 m M%sT 2010
-+-7 u M%sT
- Z America/Chihuahua -7:4:20 - LMT 1921 D 31 23:55:40
- -7 - MST 1927 Jun 10 23
- -6 - CST 1930 N 15
-@@ -3226,9 +3243,9 @@ Z America/Chihuahua -7:4:20 - LMT 1921 D 31 23:55:40
- -6 - CST 1931 O
- -7 - MST 1932 Ap
- -6 - CST 1996
---6 Af C%sT 1998
-+-6 m C%sT 1998
- -6 - CST 1998 Ap Sun>=1 3
---7 Af M%sT
-+-7 m M%sT
- Z America/Hermosillo -7:23:52 - LMT 1921 D 31 23:36:8
- -7 - MST 1927 Jun 10 23
- -6 - CST 1930 N 15
-@@ -3238,7 +3255,7 @@ Z America/Hermosillo -7:23:52 - LMT 1921 D 31 23:36:8
- -6 - CST 1942 Ap 24
- -7 - MST 1949 Ja 14
- -8 - PST 1970
---7 Af M%sT 1999
-+-7 m M%sT 1999
- -7 - MST
- Z America/Mazatlan -7:5:40 - LMT 1921 D 31 23:54:20
- -7 - MST 1927 Jun 10 23
-@@ -3249,7 +3266,7 @@ Z America/Mazatlan -7:5:40 - LMT 1921 D 31 23:54:20
- -6 - CST 1942 Ap 24
- -7 - MST 1949 Ja 14
- -8 - PST 1970
---7 Af M%sT
-+-7 m M%sT
- Z America/Bahia_Banderas -7:1 - LMT 1921 D 31 23:59
- -7 - MST 1927 Jun 10 23
- -6 - CST 1930 N 15
-@@ -3259,8 +3276,8 @@ Z America/Bahia_Banderas -7:1 - LMT 1921 D 31 23:59
- -6 - CST 1942 Ap 24
- -7 - MST 1949 Ja 14
- -8 - PST 1970
---7 Af M%sT 2010 Ap 4 2
---6 Af C%sT
-+-7 m M%sT 2010 Ap 4 2
-+-6 m C%sT
- Z America/Tijuana -7:48:4 - LMT 1922 Ja 1 0:11:56
- -7 - MST 1924
- -8 - PST 1927 Jun 10 23
-@@ -3273,315 +3290,315 @@ Z America/Tijuana -7:48:4 - LMT 1922 Ja 1 0:11:56
- -8 - PST 1948 Ap 5
- -8 1 PDT 1949 Ja 14
- -8 - PST 1954
---8 AJ P%sT 1961
-+-8 CA P%sT 1961
- -8 - PST 1976
---8 AF P%sT 1996
---8 Af P%sT 2001
---8 AF P%sT 2002 F 20
---8 Af P%sT 2010
---8 AF P%sT
--R Ag 1964 1975 - O lastSun 2 0 S
--R Ag 1964 1975 - Ap lastSun 2 1 D
-+-8 u P%sT 1996
-+-8 m P%sT 2001
-+-8 u P%sT 2002 F 20
-+-8 m P%sT 2010
-+-8 u P%sT
-+R BS 1964 1975 - O lastSun 2 0 S
-+R BS 1964 1975 - Ap lastSun 2 1 D
- Z America/Nassau -5:9:30 - LMT 1912 Mar 2
---5 Ag E%sT 1976
---5 AF E%sT
--R Ah 1977 o - Jun 12 2 1 D
--R Ah 1977 1978 - O Sun>=1 2 0 S
--R Ah 1978 1980 - Ap Sun>=15 2 1 D
--R Ah 1979 o - S 30 2 0 S
--R Ah 1980 o - S 25 2 0 S
-+-5 BS E%sT 1976
-+-5 u E%sT
-+R BB 1977 o - Jun 12 2 1 D
-+R BB 1977 1978 - O Sun>=1 2 0 S
-+R BB 1978 1980 - Ap Sun>=15 2 1 D
-+R BB 1979 o - S 30 2 0 S
-+R BB 1980 o - S 25 2 0 S
- Z America/Barbados -3:58:29 - LMT 1924
- -3:58:29 - BMT 1932
---4 Ah A%sT
--R Ai 1918 1942 - O Sun>=2 0 0:30 -0530
--R Ai 1919 1943 - F Sun>=9 0 0 CST
--R Ai 1973 o - D 5 0 1 CDT
--R Ai 1974 o - F 9 0 0 CST
--R Ai 1982 o - D 18 0 1 CDT
--R Ai 1983 o - F 12 0 0 CST
-+-4 BB A%sT
-+R BZ 1918 1942 - O Sun>=2 0 0:30 -0530
-+R BZ 1919 1943 - F Sun>=9 0 0 CST
-+R BZ 1973 o - D 5 0 1 CDT
-+R BZ 1974 o - F 9 0 0 CST
-+R BZ 1982 o - D 18 0 1 CDT
-+R BZ 1983 o - F 12 0 0 CST
- Z America/Belize -5:52:48 - LMT 1912 Ap
---6 Ai %s
-+-6 BZ %s
- Z Atlantic/Bermuda -4:19:18 - LMT 1930 Ja 1 2
- -4 - AST 1974 Ap 28 2
---4 AU A%sT 1976
---4 AF A%sT
--R Aj 1979 1980 - F lastSun 0 1 D
--R Aj 1979 1980 - Jun Sun>=1 0 0 S
--R Aj 1991 1992 - Ja Sat>=15 0 1 D
--R Aj 1991 o - Jul 1 0 0 S
--R Aj 1992 o - Mar 15 0 0 S
-+-4 C A%sT 1976
-+-4 u A%sT
-+R CR 1979 1980 - F lastSun 0 1 D
-+R CR 1979 1980 - Jun Sun>=1 0 0 S
-+R CR 1991 1992 - Ja Sat>=15 0 1 D
-+R CR 1991 o - Jul 1 0 0 S
-+R CR 1992 o - Mar 15 0 0 S
- Z America/Costa_Rica -5:36:13 - LMT 1890
- -5:36:13 - SJMT 1921 Ja 15
---6 Aj C%sT
--R Ak 1928 o - Jun 10 0 1 D
--R Ak 1928 o - O 10 0 0 S
--R Ak 1940 1942 - Jun Sun>=1 0 1 D
--R Ak 1940 1942 - S Sun>=1 0 0 S
--R Ak 1945 1946 - Jun Sun>=1 0 1 D
--R Ak 1945 1946 - S Sun>=1 0 0 S
--R Ak 1965 o - Jun 1 0 1 D
--R Ak 1965 o - S 30 0 0 S
--R Ak 1966 o - May 29 0 1 D
--R Ak 1966 o - O 2 0 0 S
--R Ak 1967 o - Ap 8 0 1 D
--R Ak 1967 1968 - S Sun>=8 0 0 S
--R Ak 1968 o - Ap 14 0 1 D
--R Ak 1969 1977 - Ap lastSun 0 1 D
--R Ak 1969 1971 - O lastSun 0 0 S
--R Ak 1972 1974 - O 8 0 0 S
--R Ak 1975 1977 - O lastSun 0 0 S
--R Ak 1978 o - May 7 0 1 D
--R Ak 1978 1990 - O Sun>=8 0 0 S
--R Ak 1979 1980 - Mar Sun>=15 0 1 D
--R Ak 1981 1985 - May Sun>=5 0 1 D
--R Ak 1986 1989 - Mar Sun>=14 0 1 D
--R Ak 1990 1997 - Ap Sun>=1 0 1 D
--R Ak 1991 1995 - O Sun>=8 0s 0 S
--R Ak 1996 o - O 6 0s 0 S
--R Ak 1997 o - O 12 0s 0 S
--R Ak 1998 1999 - Mar lastSun 0s 1 D
--R Ak 1998 2003 - O lastSun 0s 0 S
--R Ak 2000 2003 - Ap Sun>=1 0s 1 D
--R Ak 2004 o - Mar lastSun 0s 1 D
--R Ak 2006 2010 - O lastSun 0s 0 S
--R Ak 2007 o - Mar Sun>=8 0s 1 D
--R Ak 2008 o - Mar Sun>=15 0s 1 D
--R Ak 2009 2010 - Mar Sun>=8 0s 1 D
--R Ak 2011 o - Mar Sun>=15 0s 1 D
--R Ak 2011 o - N 13 0s 0 S
--R Ak 2012 o - Ap 1 0s 1 D
--R Ak 2012 ma - N Sun>=1 0s 0 S
--R Ak 2013 ma - Mar Sun>=8 0s 1 D
-+-6 CR C%sT
-+R Q 1928 o - Jun 10 0 1 D
-+R Q 1928 o - O 10 0 0 S
-+R Q 1940 1942 - Jun Sun>=1 0 1 D
-+R Q 1940 1942 - S Sun>=1 0 0 S
-+R Q 1945 1946 - Jun Sun>=1 0 1 D
-+R Q 1945 1946 - S Sun>=1 0 0 S
-+R Q 1965 o - Jun 1 0 1 D
-+R Q 1965 o - S 30 0 0 S
-+R Q 1966 o - May 29 0 1 D
-+R Q 1966 o - O 2 0 0 S
-+R Q 1967 o - Ap 8 0 1 D
-+R Q 1967 1968 - S Sun>=8 0 0 S
-+R Q 1968 o - Ap 14 0 1 D
-+R Q 1969 1977 - Ap lastSun 0 1 D
-+R Q 1969 1971 - O lastSun 0 0 S
-+R Q 1972 1974 - O 8 0 0 S
-+R Q 1975 1977 - O lastSun 0 0 S
-+R Q 1978 o - May 7 0 1 D
-+R Q 1978 1990 - O Sun>=8 0 0 S
-+R Q 1979 1980 - Mar Sun>=15 0 1 D
-+R Q 1981 1985 - May Sun>=5 0 1 D
-+R Q 1986 1989 - Mar Sun>=14 0 1 D
-+R Q 1990 1997 - Ap Sun>=1 0 1 D
-+R Q 1991 1995 - O Sun>=8 0s 0 S
-+R Q 1996 o - O 6 0s 0 S
-+R Q 1997 o - O 12 0s 0 S
-+R Q 1998 1999 - Mar lastSun 0s 1 D
-+R Q 1998 2003 - O lastSun 0s 0 S
-+R Q 2000 2003 - Ap Sun>=1 0s 1 D
-+R Q 2004 o - Mar lastSun 0s 1 D
-+R Q 2006 2010 - O lastSun 0s 0 S
-+R Q 2007 o - Mar Sun>=8 0s 1 D
-+R Q 2008 o - Mar Sun>=15 0s 1 D
-+R Q 2009 2010 - Mar Sun>=8 0s 1 D
-+R Q 2011 o - Mar Sun>=15 0s 1 D
-+R Q 2011 o - N 13 0s 0 S
-+R Q 2012 o - Ap 1 0s 1 D
-+R Q 2012 ma - N Sun>=1 0s 0 S
-+R Q 2013 ma - Mar Sun>=8 0s 1 D
- Z America/Havana -5:29:28 - LMT 1890
- -5:29:36 - HMT 1925 Jul 19 12
---5 Ak C%sT
--R Al 1966 o - O 30 0 1 EDT
--R Al 1967 o - F 28 0 0 EST
--R Al 1969 1973 - O lastSun 0 0:30 -0430
--R Al 1970 o - F 21 0 0 EST
--R Al 1971 o - Ja 20 0 0 EST
--R Al 1972 1974 - Ja 21 0 0 EST
-+-5 Q C%sT
-+R DO 1966 o - O 30 0 1 EDT
-+R DO 1967 o - F 28 0 0 EST
-+R DO 1969 1973 - O lastSun 0 0:30 -0430
-+R DO 1970 o - F 21 0 0 EST
-+R DO 1971 o - Ja 20 0 0 EST
-+R DO 1972 1974 - Ja 21 0 0 EST
- Z America/Santo_Domingo -4:39:36 - LMT 1890
- -4:40 - SDMT 1933 Ap 1 12
---5 Al %s 1974 O 27
-+-5 DO %s 1974 O 27
- -4 - AST 2000 O 29 2
---5 AF E%sT 2000 D 3 1
-+-5 u E%sT 2000 D 3 1
- -4 - AST
--R Am 1987 1988 - May Sun>=1 0 1 D
--R Am 1987 1988 - S lastSun 0 0 S
-+R SV 1987 1988 - May Sun>=1 0 1 D
-+R SV 1987 1988 - S lastSun 0 0 S
- Z America/El_Salvador -5:56:48 - LMT 1921
---6 Am C%sT
--R An 1973 o - N 25 0 1 D
--R An 1974 o - F 24 0 0 S
--R An 1983 o - May 21 0 1 D
--R An 1983 o - S 22 0 0 S
--R An 1991 o - Mar 23 0 1 D
--R An 1991 o - S 7 0 0 S
--R An 2006 o - Ap 30 0 1 D
--R An 2006 o - O 1 0 0 S
-+-6 SV C%sT
-+R GT 1973 o - N 25 0 1 D
-+R GT 1974 o - F 24 0 0 S
-+R GT 1983 o - May 21 0 1 D
-+R GT 1983 o - S 22 0 0 S
-+R GT 1991 o - Mar 23 0 1 D
-+R GT 1991 o - S 7 0 0 S
-+R GT 2006 o - Ap 30 0 1 D
-+R GT 2006 o - O 1 0 0 S
- Z America/Guatemala -6:2:4 - LMT 1918 O 5
---6 An C%sT
--R Ao 1983 o - May 8 0 1 D
--R Ao 1984 1987 - Ap lastSun 0 1 D
--R Ao 1983 1987 - O lastSun 0 0 S
--R Ao 1988 1997 - Ap Sun>=1 1s 1 D
--R Ao 1988 1997 - O lastSun 1s 0 S
--R Ao 2005 2006 - Ap Sun>=1 0 1 D
--R Ao 2005 2006 - O lastSun 0 0 S
--R Ao 2012 2015 - Mar Sun>=8 2 1 D
--R Ao 2012 2015 - N Sun>=1 2 0 S
--R Ao 2017 ma - Mar Sun>=8 2 1 D
--R Ao 2017 ma - N Sun>=1 2 0 S
-+-6 GT C%sT
-+R HT 1983 o - May 8 0 1 D
-+R HT 1984 1987 - Ap lastSun 0 1 D
-+R HT 1983 1987 - O lastSun 0 0 S
-+R HT 1988 1997 - Ap Sun>=1 1s 1 D
-+R HT 1988 1997 - O lastSun 1s 0 S
-+R HT 2005 2006 - Ap Sun>=1 0 1 D
-+R HT 2005 2006 - O lastSun 0 0 S
-+R HT 2012 2015 - Mar Sun>=8 2 1 D
-+R HT 2012 2015 - N Sun>=1 2 0 S
-+R HT 2017 ma - Mar Sun>=8 2 1 D
-+R HT 2017 ma - N Sun>=1 2 0 S
- Z America/Port-au-Prince -4:49:20 - LMT 1890
- -4:49 - PPMT 1917 Ja 24 12
---5 Ao E%sT
--R Ap 1987 1988 - May Sun>=1 0 1 D
--R Ap 1987 1988 - S lastSun 0 0 S
--R Ap 2006 o - May Sun>=1 0 1 D
--R Ap 2006 o - Au M>=1 0 0 S
-+-5 HT E%sT
-+R HN 1987 1988 - May Sun>=1 0 1 D
-+R HN 1987 1988 - S lastSun 0 0 S
-+R HN 2006 o - May Sun>=1 0 1 D
-+R HN 2006 o - Au M>=1 0 0 S
- Z America/Tegucigalpa -5:48:52 - LMT 1921 Ap
---6 Ap C%sT
-+-6 HN C%sT
- Z America/Jamaica -5:7:10 - LMT 1890
- -5:7:10 - KMT 1912 F
- -5 - EST 1974
---5 AF E%sT 1984
-+-5 u E%sT 1984
- -5 - EST
- Z America/Martinique -4:4:20 - LMT 1890
- -4:4:20 - FFMT 1911 May
- -4 - AST 1980 Ap 6
- -4 1 ADT 1980 S 28
- -4 - AST
--R Aq 1979 1980 - Mar Sun>=16 0 1 D
--R Aq 1979 1980 - Jun M>=23 0 0 S
--R Aq 2005 o - Ap 10 0 1 D
--R Aq 2005 o - O Sun>=1 0 0 S
--R Aq 2006 o - Ap 30 2 1 D
--R Aq 2006 o - O Sun>=1 1 0 S
-+R NI 1979 1980 - Mar Sun>=16 0 1 D
-+R NI 1979 1980 - Jun M>=23 0 0 S
-+R NI 2005 o - Ap 10 0 1 D
-+R NI 2005 o - O Sun>=1 0 0 S
-+R NI 2006 o - Ap 30 2 1 D
-+R NI 2006 o - O Sun>=1 1 0 S
- Z America/Managua -5:45:8 - LMT 1890
- -5:45:12 - MMT 1934 Jun 23
- -6 - CST 1973 May
- -5 - EST 1975 F 16
---6 Aq C%sT 1992 Ja 1 4
-+-6 NI C%sT 1992 Ja 1 4
- -5 - EST 1992 S 24
- -6 - CST 1993
- -5 - EST 1997
---6 Aq C%sT
-+-6 NI C%sT
- Z America/Panama -5:18:8 - LMT 1890
- -5:19:36 - CMT 1908 Ap 22
- -5 - EST
- Li America/Panama America/Cayman
- Z America/Puerto_Rico -4:24:25 - LMT 1899 Mar 28 12
- -4 - AST 1942 May 3
---4 AF A%sT 1946
-+-4 u A%sT 1946
- -4 - AST
- Z America/Miquelon -3:44:40 - LMT 1911 May 15
- -4 - AST 1980 May
- -3 - -03 1987
---3 AU -03/-02
-+-3 C -03/-02
- Z America/Grand_Turk -4:44:32 - LMT 1890
- -5:7:10 - KMT 1912 F
- -5 - EST 1979
---5 AF E%sT 2015 N Sun>=1 2
-+-5 u E%sT 2015 N Sun>=1 2
- -4 - AST 2018 Mar 11 3
---5 AF E%sT
--R Ar 1930 o - D 1 0 1 -
--R Ar 1931 o - Ap 1 0 0 -
--R Ar 1931 o - O 15 0 1 -
--R Ar 1932 1940 - Mar 1 0 0 -
--R Ar 1932 1939 - N 1 0 1 -
--R Ar 1940 o - Jul 1 0 1 -
--R Ar 1941 o - Jun 15 0 0 -
--R Ar 1941 o - O 15 0 1 -
--R Ar 1943 o - Au 1 0 0 -
--R Ar 1943 o - O 15 0 1 -
--R Ar 1946 o - Mar 1 0 0 -
--R Ar 1946 o - O 1 0 1 -
--R Ar 1963 o - O 1 0 0 -
--R Ar 1963 o - D 15 0 1 -
--R Ar 1964 1966 - Mar 1 0 0 -
--R Ar 1964 1966 - O 15 0 1 -
--R Ar 1967 o - Ap 2 0 0 -
--R Ar 1967 1968 - O Sun>=1 0 1 -
--R Ar 1968 1969 - Ap Sun>=1 0 0 -
--R Ar 1974 o - Ja 23 0 1 -
--R Ar 1974 o - May 1 0 0 -
--R Ar 1988 o - D 1 0 1 -
--R Ar 1989 1993 - Mar Sun>=1 0 0 -
--R Ar 1989 1992 - O Sun>=15 0 1 -
--R Ar 1999 o - O Sun>=1 0 1 -
--R Ar 2000 o - Mar 3 0 0 -
--R Ar 2007 o - D 30 0 1 -
--R Ar 2008 2009 - Mar Sun>=15 0 0 -
--R Ar 2008 o - O Sun>=15 0 1 -
-+-5 u E%sT
-+R A 1930 o - D 1 0 1 -
-+R A 1931 o - Ap 1 0 0 -
-+R A 1931 o - O 15 0 1 -
-+R A 1932 1940 - Mar 1 0 0 -
-+R A 1932 1939 - N 1 0 1 -
-+R A 1940 o - Jul 1 0 1 -
-+R A 1941 o - Jun 15 0 0 -
-+R A 1941 o - O 15 0 1 -
-+R A 1943 o - Au 1 0 0 -
-+R A 1943 o - O 15 0 1 -
-+R A 1946 o - Mar 1 0 0 -
-+R A 1946 o - O 1 0 1 -
-+R A 1963 o - O 1 0 0 -
-+R A 1963 o - D 15 0 1 -
-+R A 1964 1966 - Mar 1 0 0 -
-+R A 1964 1966 - O 15 0 1 -
-+R A 1967 o - Ap 2 0 0 -
-+R A 1967 1968 - O Sun>=1 0 1 -
-+R A 1968 1969 - Ap Sun>=1 0 0 -
-+R A 1974 o - Ja 23 0 1 -
-+R A 1974 o - May 1 0 0 -
-+R A 1988 o - D 1 0 1 -
-+R A 1989 1993 - Mar Sun>=1 0 0 -
-+R A 1989 1992 - O Sun>=15 0 1 -
-+R A 1999 o - O Sun>=1 0 1 -
-+R A 2000 o - Mar 3 0 0 -
-+R A 2007 o - D 30 0 1 -
-+R A 2008 2009 - Mar Sun>=15 0 0 -
-+R A 2008 o - O Sun>=15 0 1 -
- Z America/Argentina/Buenos_Aires -3:53:48 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1999 O 3
---4 Ar -04/-03 2000 Mar 3
---3 Ar -03/-02
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1999 O 3
-+-4 A -04/-03 2000 Mar 3
-+-3 A -03/-02
- Z America/Argentina/Cordoba -4:16:48 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1991 Mar 3
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1991 Mar 3
- -4 - -04 1991 O 20
---3 Ar -03/-02 1999 O 3
---4 Ar -04/-03 2000 Mar 3
---3 Ar -03/-02
-+-3 A -03/-02 1999 O 3
-+-4 A -04/-03 2000 Mar 3
-+-3 A -03/-02
- Z America/Argentina/Salta -4:21:40 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1991 Mar 3
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1991 Mar 3
- -4 - -04 1991 O 20
---3 Ar -03/-02 1999 O 3
---4 Ar -04/-03 2000 Mar 3
---3 Ar -03/-02 2008 O 18
-+-3 A -03/-02 1999 O 3
-+-4 A -04/-03 2000 Mar 3
-+-3 A -03/-02 2008 O 18
- -3 - -03
- Z America/Argentina/Tucuman -4:20:52 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1991 Mar 3
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1991 Mar 3
- -4 - -04 1991 O 20
---3 Ar -03/-02 1999 O 3
---4 Ar -04/-03 2000 Mar 3
-+-3 A -03/-02 1999 O 3
-+-4 A -04/-03 2000 Mar 3
- -3 - -03 2004 Jun
- -4 - -04 2004 Jun 13
---3 Ar -03/-02
-+-3 A -03/-02
- Z America/Argentina/La_Rioja -4:27:24 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1991 Mar
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1991 Mar
- -4 - -04 1991 May 7
---3 Ar -03/-02 1999 O 3
---4 Ar -04/-03 2000 Mar 3
-+-3 A -03/-02 1999 O 3
-+-4 A -04/-03 2000 Mar 3
- -3 - -03 2004 Jun
- -4 - -04 2004 Jun 20
---3 Ar -03/-02 2008 O 18
-+-3 A -03/-02 2008 O 18
- -3 - -03
- Z America/Argentina/San_Juan -4:34:4 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1991 Mar
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1991 Mar
- -4 - -04 1991 May 7
---3 Ar -03/-02 1999 O 3
---4 Ar -04/-03 2000 Mar 3
-+-3 A -03/-02 1999 O 3
-+-4 A -04/-03 2000 Mar 3
- -3 - -03 2004 May 31
- -4 - -04 2004 Jul 25
---3 Ar -03/-02 2008 O 18
-+-3 A -03/-02 2008 O 18
- -3 - -03
- Z America/Argentina/Jujuy -4:21:12 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1990 Mar 4
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1990 Mar 4
- -4 - -04 1990 O 28
- -4 1 -03 1991 Mar 17
- -4 - -04 1991 O 6
- -3 1 -02 1992
---3 Ar -03/-02 1999 O 3
---4 Ar -04/-03 2000 Mar 3
---3 Ar -03/-02 2008 O 18
-+-3 A -03/-02 1999 O 3
-+-4 A -04/-03 2000 Mar 3
-+-3 A -03/-02 2008 O 18
- -3 - -03
- Z America/Argentina/Catamarca -4:23:8 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1991 Mar 3
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1991 Mar 3
- -4 - -04 1991 O 20
---3 Ar -03/-02 1999 O 3
---4 Ar -04/-03 2000 Mar 3
-+-3 A -03/-02 1999 O 3
-+-4 A -04/-03 2000 Mar 3
- -3 - -03 2004 Jun
- -4 - -04 2004 Jun 20
---3 Ar -03/-02 2008 O 18
-+-3 A -03/-02 2008 O 18
- -3 - -03
- Z America/Argentina/Mendoza -4:35:16 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1990 Mar 4
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1990 Mar 4
- -4 - -04 1990 O 15
- -4 1 -03 1991 Mar
- -4 - -04 1991 O 15
- -4 1 -03 1992 Mar
- -4 - -04 1992 O 18
---3 Ar -03/-02 1999 O 3
---4 Ar -04/-03 2000 Mar 3
-+-3 A -03/-02 1999 O 3
-+-4 A -04/-03 2000 Mar 3
- -3 - -03 2004 May 23
- -4 - -04 2004 S 26
---3 Ar -03/-02 2008 O 18
-+-3 A -03/-02 2008 O 18
- -3 - -03
--R As 2008 2009 - Mar Sun>=8 0 0 -
--R As 2007 2008 - O Sun>=8 0 1 -
-+R Sa 2008 2009 - Mar Sun>=8 0 0 -
-+R Sa 2007 2008 - O Sun>=8 0 1 -
- Z America/Argentina/San_Luis -4:25:24 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1990
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1990
- -3 1 -02 1990 Mar 14
- -4 - -04 1990 O 15
- -4 1 -03 1991 Mar
-@@ -3590,286 +3607,288 @@ Z America/Argentina/San_Luis -4:25:24 - LMT 1894 O 31
- -4 1 -03 2000 Mar 3
- -3 - -03 2004 May 31
- -4 - -04 2004 Jul 25
---3 Ar -03/-02 2008 Ja 21
---4 As -04/-03 2009 O 11
-+-3 A -03/-02 2008 Ja 21
-+-4 Sa -04/-03 2009 O 11
- -3 - -03
- Z America/Argentina/Rio_Gallegos -4:36:52 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1999 O 3
---4 Ar -04/-03 2000 Mar 3
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1999 O 3
-+-4 A -04/-03 2000 Mar 3
- -3 - -03 2004 Jun
- -4 - -04 2004 Jun 20
---3 Ar -03/-02 2008 O 18
-+-3 A -03/-02 2008 O 18
- -3 - -03
- Z America/Argentina/Ushuaia -4:33:12 - LMT 1894 O 31
- -4:16:48 - CMT 1920 May
- -4 - -04 1930 D
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1999 O 3
---4 Ar -04/-03 2000 Mar 3
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1999 O 3
-+-4 A -04/-03 2000 Mar 3
- -3 - -03 2004 May 30
- -4 - -04 2004 Jun 20
---3 Ar -03/-02 2008 O 18
-+-3 A -03/-02 2008 O 18
- -3 - -03
- Li America/Curacao America/Aruba
- Z America/La_Paz -4:32:36 - LMT 1890
- -4:32:36 - CMT 1931 O 15
- -4:32:36 1 BST 1932 Mar 21
- -4 - -04
--R At 1931 o - O 3 11 1 -
--R At 1932 1933 - Ap 1 0 0 -
--R At 1932 o - O 3 0 1 -
--R At 1949 1952 - D 1 0 1 -
--R At 1950 o - Ap 16 1 0 -
--R At 1951 1952 - Ap 1 0 0 -
--R At 1953 o - Mar 1 0 0 -
--R At 1963 o - D 9 0 1 -
--R At 1964 o - Mar 1 0 0 -
--R At 1965 o - Ja 31 0 1 -
--R At 1965 o - Mar 31 0 0 -
--R At 1965 o - D 1 0 1 -
--R At 1966 1968 - Mar 1 0 0 -
--R At 1966 1967 - N 1 0 1 -
--R At 1985 o - N 2 0 1 -
--R At 1986 o - Mar 15 0 0 -
--R At 1986 o - O 25 0 1 -
--R At 1987 o - F 14 0 0 -
--R At 1987 o - O 25 0 1 -
--R At 1988 o - F 7 0 0 -
--R At 1988 o - O 16 0 1 -
--R At 1989 o - Ja 29 0 0 -
--R At 1989 o - O 15 0 1 -
--R At 1990 o - F 11 0 0 -
--R At 1990 o - O 21 0 1 -
--R At 1991 o - F 17 0 0 -
--R At 1991 o - O 20 0 1 -
--R At 1992 o - F 9 0 0 -
--R At 1992 o - O 25 0 1 -
--R At 1993 o - Ja 31 0 0 -
--R At 1993 1995 - O Sun>=11 0 1 -
--R At 1994 1995 - F Sun>=15 0 0 -
--R At 1996 o - F 11 0 0 -
--R At 1996 o - O 6 0 1 -
--R At 1997 o - F 16 0 0 -
--R At 1997 o - O 6 0 1 -
--R At 1998 o - Mar 1 0 0 -
--R At 1998 o - O 11 0 1 -
--R At 1999 o - F 21 0 0 -
--R At 1999 o - O 3 0 1 -
--R At 2000 o - F 27 0 0 -
--R At 2000 2001 - O Sun>=8 0 1 -
--R At 2001 2006 - F Sun>=15 0 0 -
--R At 2002 o - N 3 0 1 -
--R At 2003 o - O 19 0 1 -
--R At 2004 o - N 2 0 1 -
--R At 2005 o - O 16 0 1 -
--R At 2006 o - N 5 0 1 -
--R At 2007 o - F 25 0 0 -
--R At 2007 o - O Sun>=8 0 1 -
--R At 2008 2017 - O Sun>=15 0 1 -
--R At 2008 2011 - F Sun>=15 0 0 -
--R At 2012 o - F Sun>=22 0 0 -
--R At 2013 2014 - F Sun>=15 0 0 -
--R At 2015 o - F Sun>=22 0 0 -
--R At 2016 2022 - F Sun>=15 0 0 -
--R At 2018 ma - N Sun>=1 0 1 -
--R At 2023 o - F Sun>=22 0 0 -
--R At 2024 2025 - F Sun>=15 0 0 -
--R At 2026 o - F Sun>=22 0 0 -
--R At 2027 2033 - F Sun>=15 0 0 -
--R At 2034 o - F Sun>=22 0 0 -
--R At 2035 2036 - F Sun>=15 0 0 -
--R At 2037 o - F Sun>=22 0 0 -
--R At 2038 ma - F Sun>=15 0 0 -
-+R B 1931 o - O 3 11 1 -
-+R B 1932 1933 - Ap 1 0 0 -
-+R B 1932 o - O 3 0 1 -
-+R B 1949 1952 - D 1 0 1 -
-+R B 1950 o - Ap 16 1 0 -
-+R B 1951 1952 - Ap 1 0 0 -
-+R B 1953 o - Mar 1 0 0 -
-+R B 1963 o - D 9 0 1 -
-+R B 1964 o - Mar 1 0 0 -
-+R B 1965 o - Ja 31 0 1 -
-+R B 1965 o - Mar 31 0 0 -
-+R B 1965 o - D 1 0 1 -
-+R B 1966 1968 - Mar 1 0 0 -
-+R B 1966 1967 - N 1 0 1 -
-+R B 1985 o - N 2 0 1 -
-+R B 1986 o - Mar 15 0 0 -
-+R B 1986 o - O 25 0 1 -
-+R B 1987 o - F 14 0 0 -
-+R B 1987 o - O 25 0 1 -
-+R B 1988 o - F 7 0 0 -
-+R B 1988 o - O 16 0 1 -
-+R B 1989 o - Ja 29 0 0 -
-+R B 1989 o - O 15 0 1 -
-+R B 1990 o - F 11 0 0 -
-+R B 1990 o - O 21 0 1 -
-+R B 1991 o - F 17 0 0 -
-+R B 1991 o - O 20 0 1 -
-+R B 1992 o - F 9 0 0 -
-+R B 1992 o - O 25 0 1 -
-+R B 1993 o - Ja 31 0 0 -
-+R B 1993 1995 - O Sun>=11 0 1 -
-+R B 1994 1995 - F Sun>=15 0 0 -
-+R B 1996 o - F 11 0 0 -
-+R B 1996 o - O 6 0 1 -
-+R B 1997 o - F 16 0 0 -
-+R B 1997 o - O 6 0 1 -
-+R B 1998 o - Mar 1 0 0 -
-+R B 1998 o - O 11 0 1 -
-+R B 1999 o - F 21 0 0 -
-+R B 1999 o - O 3 0 1 -
-+R B 2000 o - F 27 0 0 -
-+R B 2000 2001 - O Sun>=8 0 1 -
-+R B 2001 2006 - F Sun>=15 0 0 -
-+R B 2002 o - N 3 0 1 -
-+R B 2003 o - O 19 0 1 -
-+R B 2004 o - N 2 0 1 -
-+R B 2005 o - O 16 0 1 -
-+R B 2006 o - N 5 0 1 -
-+R B 2007 o - F 25 0 0 -
-+R B 2007 o - O Sun>=8 0 1 -
-+R B 2008 2017 - O Sun>=15 0 1 -
-+R B 2008 2011 - F Sun>=15 0 0 -
-+R B 2012 o - F Sun>=22 0 0 -
-+R B 2013 2014 - F Sun>=15 0 0 -
-+R B 2015 o - F Sun>=22 0 0 -
-+R B 2016 2022 - F Sun>=15 0 0 -
-+R B 2018 ma - N Sun>=1 0 1 -
-+R B 2023 o - F Sun>=22 0 0 -
-+R B 2024 2025 - F Sun>=15 0 0 -
-+R B 2026 o - F Sun>=22 0 0 -
-+R B 2027 2033 - F Sun>=15 0 0 -
-+R B 2034 o - F Sun>=22 0 0 -
-+R B 2035 2036 - F Sun>=15 0 0 -
-+R B 2037 o - F Sun>=22 0 0 -
-+R B 2038 ma - F Sun>=15 0 0 -
- Z America/Noronha -2:9:40 - LMT 1914
---2 At -02/-01 1990 S 17
-+-2 B -02/-01 1990 S 17
- -2 - -02 1999 S 30
---2 At -02/-01 2000 O 15
-+-2 B -02/-01 2000 O 15
- -2 - -02 2001 S 13
---2 At -02/-01 2002 O
-+-2 B -02/-01 2002 O
- -2 - -02
- Z America/Belem -3:13:56 - LMT 1914
---3 At -03/-02 1988 S 12
-+-3 B -03/-02 1988 S 12
- -3 - -03
- Z America/Santarem -3:38:48 - LMT 1914
---4 At -04/-03 1988 S 12
-+-4 B -04/-03 1988 S 12
- -4 - -04 2008 Jun 24
- -3 - -03
- Z America/Fortaleza -2:34 - LMT 1914
---3 At -03/-02 1990 S 17
-+-3 B -03/-02 1990 S 17
- -3 - -03 1999 S 30
---3 At -03/-02 2000 O 22
-+-3 B -03/-02 2000 O 22
- -3 - -03 2001 S 13
---3 At -03/-02 2002 O
-+-3 B -03/-02 2002 O
- -3 - -03
- Z America/Recife -2:19:36 - LMT 1914
---3 At -03/-02 1990 S 17
-+-3 B -03/-02 1990 S 17
- -3 - -03 1999 S 30
---3 At -03/-02 2000 O 15
-+-3 B -03/-02 2000 O 15
- -3 - -03 2001 S 13
---3 At -03/-02 2002 O
-+-3 B -03/-02 2002 O
- -3 - -03
- Z America/Araguaina -3:12:48 - LMT 1914
---3 At -03/-02 1990 S 17
-+-3 B -03/-02 1990 S 17
- -3 - -03 1995 S 14
---3 At -03/-02 2003 S 24
-+-3 B -03/-02 2003 S 24
- -3 - -03 2012 O 21
---3 At -03/-02 2013 S
-+-3 B -03/-02 2013 S
- -3 - -03
- Z America/Maceio -2:22:52 - LMT 1914
---3 At -03/-02 1990 S 17
-+-3 B -03/-02 1990 S 17
- -3 - -03 1995 O 13
---3 At -03/-02 1996 S 4
-+-3 B -03/-02 1996 S 4
- -3 - -03 1999 S 30
---3 At -03/-02 2000 O 22
-+-3 B -03/-02 2000 O 22
- -3 - -03 2001 S 13
---3 At -03/-02 2002 O
-+-3 B -03/-02 2002 O
- -3 - -03
- Z America/Bahia -2:34:4 - LMT 1914
---3 At -03/-02 2003 S 24
-+-3 B -03/-02 2003 S 24
- -3 - -03 2011 O 16
---3 At -03/-02 2012 O 21
-+-3 B -03/-02 2012 O 21
- -3 - -03
- Z America/Sao_Paulo -3:6:28 - LMT 1914
---3 At -03/-02 1963 O 23
-+-3 B -03/-02 1963 O 23
- -3 1 -02 1964
---3 At -03/-02
-+-3 B -03/-02
- Z America/Campo_Grande -3:38:28 - LMT 1914
---4 At -04/-03
-+-4 B -04/-03
- Z America/Cuiaba -3:44:20 - LMT 1914
---4 At -04/-03 2003 S 24
-+-4 B -04/-03 2003 S 24
- -4 - -04 2004 O
---4 At -04/-03
-+-4 B -04/-03
- Z America/Porto_Velho -4:15:36 - LMT 1914
---4 At -04/-03 1988 S 12
-+-4 B -04/-03 1988 S 12
- -4 - -04
- Z America/Boa_Vista -4:2:40 - LMT 1914
---4 At -04/-03 1988 S 12
-+-4 B -04/-03 1988 S 12
- -4 - -04 1999 S 30
---4 At -04/-03 2000 O 15
-+-4 B -04/-03 2000 O 15
- -4 - -04
- Z America/Manaus -4:0:4 - LMT 1914
---4 At -04/-03 1988 S 12
-+-4 B -04/-03 1988 S 12
- -4 - -04 1993 S 28
---4 At -04/-03 1994 S 22
-+-4 B -04/-03 1994 S 22
- -4 - -04
- Z America/Eirunepe -4:39:28 - LMT 1914
---5 At -05/-04 1988 S 12
-+-5 B -05/-04 1988 S 12
- -5 - -05 1993 S 28
---5 At -05/-04 1994 S 22
-+-5 B -05/-04 1994 S 22
- -5 - -05 2008 Jun 24
- -4 - -04 2013 N 10
- -5 - -05
- Z America/Rio_Branco -4:31:12 - LMT 1914
---5 At -05/-04 1988 S 12
-+-5 B -05/-04 1988 S 12
- -5 - -05 2008 Jun 24
- -4 - -04 2013 N 10
- -5 - -05
--R Au 1927 1931 - S 1 0 1 -
--R Au 1928 1932 - Ap 1 0 0 -
--R Au 1968 o - N 3 4u 1 -
--R Au 1969 o - Mar 30 3u 0 -
--R Au 1969 o - N 23 4u 1 -
--R Au 1970 o - Mar 29 3u 0 -
--R Au 1971 o - Mar 14 3u 0 -
--R Au 1970 1972 - O Sun>=9 4u 1 -
--R Au 1972 1986 - Mar Sun>=9 3u 0 -
--R Au 1973 o - S 30 4u 1 -
--R Au 1974 1987 - O Sun>=9 4u 1 -
--R Au 1987 o - Ap 12 3u 0 -
--R Au 1988 1990 - Mar Sun>=9 3u 0 -
--R Au 1988 1989 - O Sun>=9 4u 1 -
--R Au 1990 o - S 16 4u 1 -
--R Au 1991 1996 - Mar Sun>=9 3u 0 -
--R Au 1991 1997 - O Sun>=9 4u 1 -
--R Au 1997 o - Mar 30 3u 0 -
--R Au 1998 o - Mar Sun>=9 3u 0 -
--R Au 1998 o - S 27 4u 1 -
--R Au 1999 o - Ap 4 3u 0 -
--R Au 1999 2010 - O Sun>=9 4u 1 -
--R Au 2000 2007 - Mar Sun>=9 3u 0 -
--R Au 2008 o - Mar 30 3u 0 -
--R Au 2009 o - Mar Sun>=9 3u 0 -
--R Au 2010 o - Ap Sun>=1 3u 0 -
--R Au 2011 o - May Sun>=2 3u 0 -
--R Au 2011 o - Au Sun>=16 4u 1 -
--R Au 2012 2014 - Ap Sun>=23 3u 0 -
--R Au 2012 2014 - S Sun>=2 4u 1 -
--R Au 2016 ma - May Sun>=9 3u 0 -
--R Au 2016 ma - Au Sun>=9 4u 1 -
-+R x 1927 1931 - S 1 0 1 -
-+R x 1928 1932 - Ap 1 0 0 -
-+R x 1968 o - N 3 4u 1 -
-+R x 1969 o - Mar 30 3u 0 -
-+R x 1969 o - N 23 4u 1 -
-+R x 1970 o - Mar 29 3u 0 -
-+R x 1971 o - Mar 14 3u 0 -
-+R x 1970 1972 - O Sun>=9 4u 1 -
-+R x 1972 1986 - Mar Sun>=9 3u 0 -
-+R x 1973 o - S 30 4u 1 -
-+R x 1974 1987 - O Sun>=9 4u 1 -
-+R x 1987 o - Ap 12 3u 0 -
-+R x 1988 1990 - Mar Sun>=9 3u 0 -
-+R x 1988 1989 - O Sun>=9 4u 1 -
-+R x 1990 o - S 16 4u 1 -
-+R x 1991 1996 - Mar Sun>=9 3u 0 -
-+R x 1991 1997 - O Sun>=9 4u 1 -
-+R x 1997 o - Mar 30 3u 0 -
-+R x 1998 o - Mar Sun>=9 3u 0 -
-+R x 1998 o - S 27 4u 1 -
-+R x 1999 o - Ap 4 3u 0 -
-+R x 1999 2010 - O Sun>=9 4u 1 -
-+R x 2000 2007 - Mar Sun>=9 3u 0 -
-+R x 2008 o - Mar 30 3u 0 -
-+R x 2009 o - Mar Sun>=9 3u 0 -
-+R x 2010 o - Ap Sun>=1 3u 0 -
-+R x 2011 o - May Sun>=2 3u 0 -
-+R x 2011 o - Au Sun>=16 4u 1 -
-+R x 2012 2014 - Ap Sun>=23 3u 0 -
-+R x 2012 2014 - S Sun>=2 4u 1 -
-+R x 2016 2018 - May Sun>=9 3u 0 -
-+R x 2016 2018 - Au Sun>=9 4u 1 -
-+R x 2019 ma - Ap Sun>=2 3u 0 -
-+R x 2019 ma - S Sun>=2 4u 1 -
- Z America/Santiago -4:42:46 - LMT 1890
- -4:42:46 - SMT 1910 Ja 10
- -5 - -05 1916 Jul
- -4:42:46 - SMT 1918 S 10
- -4 - -04 1919 Jul
- -4:42:46 - SMT 1927 S
---5 Au -05/-04 1932 S
-+-5 x -05/-04 1932 S
- -4 - -04 1942 Jun
- -5 - -05 1942 Au
- -4 - -04 1946 Jul 15
- -4 1 -03 1946 S
- -4 - -04 1947 Ap
- -5 - -05 1947 May 21 23
---4 Au -04/-03
-+-4 x -04/-03
- Z America/Punta_Arenas -4:43:40 - LMT 1890
- -4:42:46 - SMT 1910 Ja 10
- -5 - -05 1916 Jul
- -4:42:46 - SMT 1918 S 10
- -4 - -04 1919 Jul
- -4:42:46 - SMT 1927 S
---5 Au -05/-04 1932 S
-+-5 x -05/-04 1932 S
- -4 - -04 1942 Jun
- -5 - -05 1942 Au
- -4 - -04 1947 Ap
- -5 - -05 1947 May 21 23
---4 Au -04/-03 2016 D 4
-+-4 x -04/-03 2016 D 4
- -3 - -03
- Z Pacific/Easter -7:17:28 - LMT 1890
- -7:17:28 - EMT 1932 S
---7 Au -07/-06 1982 Mar 14 3u
---6 Au -06/-05
-+-7 x -07/-06 1982 Mar 14 3u
-+-6 x -06/-05
- Z Antarctica/Palmer 0 - -00 1965
---4 Ar -04/-03 1969 O 5
---3 Ar -03/-02 1982 May
---4 Au -04/-03 2016 D 4
-+-4 A -04/-03 1969 O 5
-+-3 A -03/-02 1982 May
-+-4 x -04/-03 2016 D 4
- -3 - -03
--R Av 1992 o - May 3 0 1 -
--R Av 1993 o - Ap 4 0 0 -
-+R CO 1992 o - May 3 0 1 -
-+R CO 1993 o - Ap 4 0 0 -
- Z America/Bogota -4:56:16 - LMT 1884 Mar 13
- -4:56:16 - BMT 1914 N 23
---5 Av -05/-04
-+-5 CO -05/-04
- Z America/Curacao -4:35:47 - LMT 1912 F 12
- -4:30 - -0430 1965
- -4 - AST
- Li America/Curacao America/Lower_Princes
- Li America/Curacao America/Kralendijk
--R Aw 1992 o - N 28 0 1 -
--R Aw 1993 o - F 5 0 0 -
-+R EC 1992 o - N 28 0 1 -
-+R EC 1993 o - F 5 0 0 -
- Z America/Guayaquil -5:19:20 - LMT 1890
- -5:14 - QMT 1931
---5 Aw -05/-04
-+-5 EC -05/-04
- Z Pacific/Galapagos -5:58:24 - LMT 1931
- -5 - -05 1986
---6 Aw -06/-05
--R Ax 1937 1938 - S lastSun 0 1 -
--R Ax 1938 1942 - Mar Sun>=19 0 0 -
--R Ax 1939 o - O 1 0 1 -
--R Ax 1940 1942 - S lastSun 0 1 -
--R Ax 1943 o - Ja 1 0 0 -
--R Ax 1983 o - S lastSun 0 1 -
--R Ax 1984 1985 - Ap lastSun 0 0 -
--R Ax 1984 o - S 16 0 1 -
--R Ax 1985 2000 - S Sun>=9 0 1 -
--R Ax 1986 2000 - Ap Sun>=16 0 0 -
--R Ax 2001 2010 - Ap Sun>=15 2 0 -
--R Ax 2001 2010 - S Sun>=1 2 1 -
-+-6 EC -06/-05
-+R FK 1937 1938 - S lastSun 0 1 -
-+R FK 1938 1942 - Mar Sun>=19 0 0 -
-+R FK 1939 o - O 1 0 1 -
-+R FK 1940 1942 - S lastSun 0 1 -
-+R FK 1943 o - Ja 1 0 0 -
-+R FK 1983 o - S lastSun 0 1 -
-+R FK 1984 1985 - Ap lastSun 0 0 -
-+R FK 1984 o - S 16 0 1 -
-+R FK 1985 2000 - S Sun>=9 0 1 -
-+R FK 1986 2000 - Ap Sun>=16 0 0 -
-+R FK 2001 2010 - Ap Sun>=15 2 0 -
-+R FK 2001 2010 - S Sun>=1 2 1 -
- Z Atlantic/Stanley -3:51:24 - LMT 1890
- -3:51:24 - SMT 1912 Mar 12
---4 Ax -04/-03 1983 May
---3 Ax -03/-02 1985 S 15
---4 Ax -04/-03 2010 S 5 2
-+-4 FK -04/-03 1983 May
-+-3 FK -03/-02 1985 S 15
-+-4 FK -04/-03 2010 S 5 2
- -3 - -03
- Z America/Cayenne -3:29:20 - LMT 1911 Jul
- -4 - -04 1967 O
-@@ -3878,46 +3897,46 @@ Z America/Guyana -3:52:40 - LMT 1915 Mar
- -3:45 - -0345 1975 Jul 31
- -3 - -03 1991
- -4 - -04
--R Ay 1975 1988 - O 1 0 1 -
--R Ay 1975 1978 - Mar 1 0 0 -
--R Ay 1979 1991 - Ap 1 0 0 -
--R Ay 1989 o - O 22 0 1 -
--R Ay 1990 o - O 1 0 1 -
--R Ay 1991 o - O 6 0 1 -
--R Ay 1992 o - Mar 1 0 0 -
--R Ay 1992 o - O 5 0 1 -
--R Ay 1993 o - Mar 31 0 0 -
--R Ay 1993 1995 - O 1 0 1 -
--R Ay 1994 1995 - F lastSun 0 0 -
--R Ay 1996 o - Mar 1 0 0 -
--R Ay 1996 2001 - O Sun>=1 0 1 -
--R Ay 1997 o - F lastSun 0 0 -
--R Ay 1998 2001 - Mar Sun>=1 0 0 -
--R Ay 2002 2004 - Ap Sun>=1 0 0 -
--R Ay 2002 2003 - S Sun>=1 0 1 -
--R Ay 2004 2009 - O Sun>=15 0 1 -
--R Ay 2005 2009 - Mar Sun>=8 0 0 -
--R Ay 2010 ma - O Sun>=1 0 1 -
--R Ay 2010 2012 - Ap Sun>=8 0 0 -
--R Ay 2013 ma - Mar Sun>=22 0 0 -
-+R y 1975 1988 - O 1 0 1 -
-+R y 1975 1978 - Mar 1 0 0 -
-+R y 1979 1991 - Ap 1 0 0 -
-+R y 1989 o - O 22 0 1 -
-+R y 1990 o - O 1 0 1 -
-+R y 1991 o - O 6 0 1 -
-+R y 1992 o - Mar 1 0 0 -
-+R y 1992 o - O 5 0 1 -
-+R y 1993 o - Mar 31 0 0 -
-+R y 1993 1995 - O 1 0 1 -
-+R y 1994 1995 - F lastSun 0 0 -
-+R y 1996 o - Mar 1 0 0 -
-+R y 1996 2001 - O Sun>=1 0 1 -
-+R y 1997 o - F lastSun 0 0 -
-+R y 1998 2001 - Mar Sun>=1 0 0 -
-+R y 2002 2004 - Ap Sun>=1 0 0 -
-+R y 2002 2003 - S Sun>=1 0 1 -
-+R y 2004 2009 - O Sun>=15 0 1 -
-+R y 2005 2009 - Mar Sun>=8 0 0 -
-+R y 2010 ma - O Sun>=1 0 1 -
-+R y 2010 2012 - Ap Sun>=8 0 0 -
-+R y 2013 ma - Mar Sun>=22 0 0 -
- Z America/Asuncion -3:50:40 - LMT 1890
- -3:50:40 - AMT 1931 O 10
- -4 - -04 1972 O
- -3 - -03 1974 Ap
---4 Ay -04/-03
--R Az 1938 o - Ja 1 0 1 -
--R Az 1938 o - Ap 1 0 0 -
--R Az 1938 1939 - S lastSun 0 1 -
--R Az 1939 1940 - Mar Sun>=24 0 0 -
--R Az 1986 1987 - Ja 1 0 1 -
--R Az 1986 1987 - Ap 1 0 0 -
--R Az 1990 o - Ja 1 0 1 -
--R Az 1990 o - Ap 1 0 0 -
--R Az 1994 o - Ja 1 0 1 -
--R Az 1994 o - Ap 1 0 0 -
-+-4 y -04/-03
-+R PE 1938 o - Ja 1 0 1 -
-+R PE 1938 o - Ap 1 0 0 -
-+R PE 1938 1939 - S lastSun 0 1 -
-+R PE 1939 1940 - Mar Sun>=24 0 0 -
-+R PE 1986 1987 - Ja 1 0 1 -
-+R PE 1986 1987 - Ap 1 0 0 -
-+R PE 1990 o - Ja 1 0 1 -
-+R PE 1990 o - Ap 1 0 0 -
-+R PE 1994 o - Ja 1 0 1 -
-+R PE 1994 o - Ap 1 0 0 -
- Z America/Lima -5:8:12 - LMT 1890
- -5:8:36 - LMT 1908 Jul 28
---5 Az -05/-04
-+-5 PE -05/-04
- Z Atlantic/South_Georgia -2:26:8 - LMT 1890
- -2 - -02
- Z America/Paramaribo -3:40:40 - LMT 1911
-@@ -3940,65 +3959,65 @@ Li America/Port_of_Spain America/St_Lucia
- Li America/Port_of_Spain America/St_Thomas
- Li America/Port_of_Spain America/St_Vincent
- Li America/Port_of_Spain America/Tortola
--R A! 1923 1925 - O 1 0 0:30 -
--R A! 1924 1926 - Ap 1 0 0 -
--R A! 1933 1938 - O lastSun 0 0:30 -
--R A! 1934 1941 - Mar lastSat 24 0 -
--R A! 1939 o - O 1 0 0:30 -
--R A! 1940 o - O 27 0 0:30 -
--R A! 1941 o - Au 1 0 0:30 -
--R A! 1942 o - D 14 0 0:30 -
--R A! 1943 o - Mar 14 0 0 -
--R A! 1959 o - May 24 0 0:30 -
--R A! 1959 o - N 15 0 0 -
--R A! 1960 o - Ja 17 0 1 -
--R A! 1960 o - Mar 6 0 0 -
--R A! 1965 o - Ap 4 0 1 -
--R A! 1965 o - S 26 0 0 -
--R A! 1968 o - May 27 0 0:30 -
--R A! 1968 o - D 1 0 0 -
--R A! 1970 o - Ap 25 0 1 -
--R A! 1970 o - Jun 14 0 0 -
--R A! 1972 o - Ap 23 0 1 -
--R A! 1972 o - Jul 16 0 0 -
--R A! 1974 o - Ja 13 0 1:30 -
--R A! 1974 o - Mar 10 0 0:30 -
--R A! 1974 o - S 1 0 0 -
--R A! 1974 o - D 22 0 1 -
--R A! 1975 o - Mar 30 0 0 -
--R A! 1976 o - D 19 0 1 -
--R A! 1977 o - Mar 6 0 0 -
--R A! 1977 o - D 4 0 1 -
--R A! 1978 1979 - Mar Sun>=1 0 0 -
--R A! 1978 o - D 17 0 1 -
--R A! 1979 o - Ap 29 0 1 -
--R A! 1980 o - Mar 16 0 0 -
--R A! 1987 o - D 14 0 1 -
--R A! 1988 o - F 28 0 0 -
--R A! 1988 o - D 11 0 1 -
--R A! 1989 o - Mar 5 0 0 -
--R A! 1989 o - O 29 0 1 -
--R A! 1990 o - F 25 0 0 -
--R A! 1990 1991 - O Sun>=21 0 1 -
--R A! 1991 1992 - Mar Sun>=1 0 0 -
--R A! 1992 o - O 18 0 1 -
--R A! 1993 o - F 28 0 0 -
--R A! 2004 o - S 19 0 1 -
--R A! 2005 o - Mar 27 2 0 -
--R A! 2005 o - O 9 2 1 -
--R A! 2006 2015 - Mar Sun>=8 2 0 -
--R A! 2006 2014 - O Sun>=1 2 1 -
-+R U 1923 1925 - O 1 0 0:30 -
-+R U 1924 1926 - Ap 1 0 0 -
-+R U 1933 1938 - O lastSun 0 0:30 -
-+R U 1934 1941 - Mar lastSat 24 0 -
-+R U 1939 o - O 1 0 0:30 -
-+R U 1940 o - O 27 0 0:30 -
-+R U 1941 o - Au 1 0 0:30 -
-+R U 1942 o - D 14 0 0:30 -
-+R U 1943 o - Mar 14 0 0 -
-+R U 1959 o - May 24 0 0:30 -
-+R U 1959 o - N 15 0 0 -
-+R U 1960 o - Ja 17 0 1 -
-+R U 1960 o - Mar 6 0 0 -
-+R U 1965 o - Ap 4 0 1 -
-+R U 1965 o - S 26 0 0 -
-+R U 1968 o - May 27 0 0:30 -
-+R U 1968 o - D 1 0 0 -
-+R U 1970 o - Ap 25 0 1 -
-+R U 1970 o - Jun 14 0 0 -
-+R U 1972 o - Ap 23 0 1 -
-+R U 1972 o - Jul 16 0 0 -
-+R U 1974 o - Ja 13 0 1:30 -
-+R U 1974 o - Mar 10 0 0:30 -
-+R U 1974 o - S 1 0 0 -
-+R U 1974 o - D 22 0 1 -
-+R U 1975 o - Mar 30 0 0 -
-+R U 1976 o - D 19 0 1 -
-+R U 1977 o - Mar 6 0 0 -
-+R U 1977 o - D 4 0 1 -
-+R U 1978 1979 - Mar Sun>=1 0 0 -
-+R U 1978 o - D 17 0 1 -
-+R U 1979 o - Ap 29 0 1 -
-+R U 1980 o - Mar 16 0 0 -
-+R U 1987 o - D 14 0 1 -
-+R U 1988 o - F 28 0 0 -
-+R U 1988 o - D 11 0 1 -
-+R U 1989 o - Mar 5 0 0 -
-+R U 1989 o - O 29 0 1 -
-+R U 1990 o - F 25 0 0 -
-+R U 1990 1991 - O Sun>=21 0 1 -
-+R U 1991 1992 - Mar Sun>=1 0 0 -
-+R U 1992 o - O 18 0 1 -
-+R U 1993 o - F 28 0 0 -
-+R U 2004 o - S 19 0 1 -
-+R U 2005 o - Mar 27 2 0 -
-+R U 2005 o - O 9 2 1 -
-+R U 2006 2015 - Mar Sun>=8 2 0 -
-+R U 2006 2014 - O Sun>=1 2 1 -
- Z America/Montevideo -3:44:51 - LMT 1908 Jun 10
- -3:44:51 - MMT 1920 May
- -4 - -04 1923 O
---3:30 A! -0330/-03 1942 D 14
---3 A! -03/-0230 1960
---3 A! -03/-02 1968
---3 A! -03/-0230 1970
---3 A! -03/-02 1974
---3 A! -03/-0130 1974 Mar 10
---3 A! -03/-0230 1974 D 22
---3 A! -03/-02
-+-3:30 U -0330/-03 1942 D 14
-+-3 U -03/-0230 1960
-+-3 U -03/-02 1968
-+-3 U -03/-0230 1970
-+-3 U -03/-02 1974
-+-3 U -03/-0130 1974 Mar 10
-+-3 U -03/-0230 1974 D 22
-+-3 U -03/-02
- Z America/Caracas -4:27:44 - LMT 1890
- -4:27:40 - CMT 1912 F 12
- -4:30 - -0430 1965
-diff --git a/src/timezone/known_abbrevs.txt b/src/timezone/known_abbrevs.txt
-index 67d2f0b..2ae443a 100644
---- a/src/timezone/known_abbrevs.txt
-+++ b/src/timezone/known_abbrevs.txt
-@@ -92,6 +92,7 @@ NZST 43200
- PDT -25200 D
- PKT 18000
- PST -28800
-+PST 28800
- SAST 7200
- SST -39600
- UCT 0
-diff --git a/src/timezone/tznames/America.txt b/src/timezone/tznames/America.txt
-index 1c5eb1f..2594c37 100644
---- a/src/timezone/tznames/America.txt
-+++ b/src/timezone/tznames/America.txt
-@@ -237,6 +237,9 @@ PDT -25200 D # Pacific Daylight Time
- PET -18000 # Peru Time (obsolete)
- PMDT -7200 D # Pierre & Miquelon Daylight Time (obsolete)
- PMST -10800 # Pierre & Miquelon Standard Time (obsolete)
-+# CONFLICT! PST is not unique
-+# Other timezones:
-+# - PST: Philippine Standard Time
- PST -28800 # Pacific Standard Time
- # (America/Dawson)
- # (America/Los_Angeles)
-diff --git a/src/timezone/tznames/Asia.txt b/src/timezone/tznames/Asia.txt
-index e1fa931..1133339 100644
---- a/src/timezone/tznames/Asia.txt
-+++ b/src/timezone/tznames/Asia.txt
-@@ -158,6 +158,10 @@ PKT 18000 # Pakistan Time
- # (Asia/Karachi)
- PKST 21600 D # Pakistan Summer Time
- # (Asia/Karachi)
-+# CONFLICT! PST is not unique
-+# Other timezones:
-+# - PST: Pacific Standard Time (America)
-+PST 28800 # Philippine Standard Time
- QYZT 21600 # Kizilorda Time (obsolete)
- SAKST Asia/Sakhalin # Sakhalin Summer Time (obsolete)
- SAKT Asia/Sakhalin # Sakhalin Time (obsolete)
-diff --git a/src/timezone/tznames/Default b/src/timezone/tznames/Default
-index 3826096..1532413 100644
---- a/src/timezone/tznames/Default
-+++ b/src/timezone/tznames/Default
-@@ -181,6 +181,9 @@ PDT -25200 D # Pacific Daylight Time
- # (America/Whitehorse)
- PMDT -7200 D # Pierre & Miquelon Daylight Time (obsolete)
- PMST -10800 # Pierre & Miquelon Standard Time (obsolete)
-+# CONFLICT! PST is not unique
-+# Other timezones:
-+# - PST: Philippine Standard Time
- PST -28800 # Pacific Standard Time
- # (America/Dawson)
- # (America/Los_Angeles)
-diff --git a/src/timezone/tznames/Pacific.txt b/src/timezone/tznames/Pacific.txt
-index c86248b..c30008c 100644
---- a/src/timezone/tznames/Pacific.txt
-+++ b/src/timezone/tznames/Pacific.txt
-@@ -52,6 +52,9 @@ NZST 43200 # New Zealand Standard Time
- PGT 36000 # Papua New Guinea Time (obsolete)
- PHOT Pacific/Enderbury # Phoenix Islands Time (Kiribati) (obsolete)
- PONT 39600 # Ponape Time (Micronesia) (obsolete)
-+# CONFLICT! PST is not unique
-+# Other timezones:
-+# - PST: Philippine Standard Time
- PST -28800 # Pacific Standard Time
- # (America/Dawson)
- # (America/Los_Angeles)
---
-2.7.4
-
diff --git a/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_10.10.bb b/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_10.10.bb
new file mode 100644
index 00000000..8be794c3
--- /dev/null
+++ b/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_10.10.bb
@@ -0,0 +1,10 @@
+require postgresql.inc
+
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=87da2b84884860b71f5f24ab37e7da78"
+
+SRC_URI += "\
+ file://not-check-libperl.patch \
+"
+
+SRC_URI[md5sum] = "3dac8187636fa8237802bef85be78023"
+SRC_URI[sha256sum] = "ad4f9b8575f98ed6091bf9bb2cb16f0e52795a5f66546c1f499ca5c69b21f253"
diff --git a/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_10.5.bb b/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_10.5.bb
deleted file mode 100644
index 1a02f154..00000000
--- a/external/meta-openembedded/meta-oe/recipes-dbs/postgresql/postgresql_10.5.bb
+++ /dev/null
@@ -1,12 +0,0 @@
-require postgresql.inc
-
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=6dc95e63aa4d72502ff8193dfe2ddd38"
-
-SRC_URI += "\
- file://not-check-libperl.patch \
- file://0001-Update-time-zone-data-files-to-tzdata-release-2018f.patch \
- file://0001-Sync-our-copy-of-the-timezone-library-with-IANA-rele.patch \
-"
-
-SRC_URI[md5sum] = "a5fe5fdff2d6c28f65601398be0950df"
-SRC_URI[sha256sum] = "6c8e616c91a45142b85c0aeb1f29ebba4a361309e86469e0fb4617b6a73c4011"
diff --git a/external/meta-openembedded/meta-oe/recipes-devtools/libedit/libedit_20180525-3.1.bb b/external/meta-openembedded/meta-oe/recipes-devtools/libedit/libedit_20180525-3.1.bb
index 8cc0e959..60f4f5a2 100644
--- a/external/meta-openembedded/meta-oe/recipes-devtools/libedit/libedit_20180525-3.1.bb
+++ b/external/meta-openembedded/meta-oe/recipes-devtools/libedit/libedit_20180525-3.1.bb
@@ -19,3 +19,5 @@ SRC_URI[md5sum] = "97679319742f45d6cdcd6075511b14ac"
SRC_URI[sha256sum] = "c41bea8fd140fb57ba67a98ec1d8ae0b8ffa82f4aba9c35a87e5a9499e653116"
S = "${WORKDIR}/${BPN}-${PV}"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/external/meta-openembedded/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch b/external/meta-openembedded/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch
new file mode 100644
index 00000000..cfe48af5
--- /dev/null
+++ b/external/meta-openembedded/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch
@@ -0,0 +1,32 @@
+CVE-2019-6706: use-after-free in lua_upvaluejoin function
+
+Upstream-Status: Backport
+http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
+CVE: CVE-2019-6706
+Affects < 5.3.5
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: lua-5.3.4/src/lapi.c
+===================================================================
+--- lua-5.3.4.orig/src/lapi.c
++++ lua-5.3.4/src/lapi.c
+@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
+
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+ int fidx2, int n2) {
+- LClosure *f1;
+- UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
++ UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
+ UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
++ if (*up1 == *up2) return; /* Already joined */
++ (*up2)->refcount++;
++ if (upisopen(*up2)) (*up2)->u.open.touched = 1;
++ luaC_upvalbarrier(L, *up2);
+ luaC_upvdeccount(L, *up1);
+ *up1 = *up2;
+- (*up1)->refcount++;
+- if (upisopen(*up1)) (*up1)->u.open.touched = 1;
+- luaC_upvalbarrier(L, *up1);
+ }
+
+
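Review bot: The reordered body of lua_upvaluejoin has no comment saying why the reference on `*up2` is now taken before `luaC_upvdeccount(L, *up1)`, and `/* Already joined */` reads as an optimisation rather than part of the fix. Judging from the header's use-after-free description, the hazard is both indices resolving to the same UpVal, so I would add above the increment `/* take the new reference before dropping the old one: a self-join must not release the UpVal */`. Upstream-Status cites a mailing-list thread rather than a commit, so it is worth confirming that this body matches what Lua 5.3.5 shipped.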
diff --git a/external/meta-openembedded/meta-oe/recipes-devtools/lua/lua_5.3.4.bb b/external/meta-openembedded/meta-oe/recipes-devtools/lua/lua_5.3.4.bb
index 8f4e8fe6..978c2033 100644
--- a/external/meta-openembedded/meta-oe/recipes-devtools/lua/lua_5.3.4.bb
+++ b/external/meta-openembedded/meta-oe/recipes-devtools/lua/lua_5.3.4.bb
@@ -7,6 +7,7 @@ HOMEPAGE = "http://www.lua.org/"
DEPENDS = "readline"
SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
file://lua.pc.in \
+ file://CVE-2019-6706.patch \
"
SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', \
'http://www.lua.org/tests/lua-${PV}-tests.tar.gz;name=tarballtest \
diff --git a/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch b/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch
new file mode 100644
index 00000000..32ea0bac
--- /dev/null
+++ b/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch
@@ -0,0 +1,194 @@
+From cd80aa29c85745ca073cf0581ccdcf2f80aa30db Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 3 Dec 2018 10:28:58 +0100
+Subject: [PATCH 1/3] Allow negative uids/gids in PolkitUnixUser and Group
+ objects
+
+(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
+there should be no users with such number, see
+https://systemd.io/UIDS-GIDS#special-linux-uids.
+
+(uid_t) -1 is used as the default value in class initialization.
+
+When a user or group above INT32_MAX is created, the numeric uid or
+gid wraps around to negative when the value is assigned to gint, and
+polkit gets confused. Let's accept such gids, except for -1.
+
+A nicer fix would be to change the underlying type to e.g. uint32 to
+not have negative values. But this cannot be done without breaking the
+API, so likely new functions will have to be added (a
+polkit_unix_user_new variant that takes a unsigned, and the same for
+_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
+require a bigger patch.
+
+Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
+
+CVE: CVE-2018-19788
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/polkit/polkit/commit/2cb40c4d5feeaa09325522bd7d97910f1b59e379]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ src/polkit/polkitunixgroup.c | 15 +++++++++++----
+ src/polkit/polkitunixprocess.c | 12 ++++++++----
+ src/polkit/polkitunixuser.c | 13 ++++++++++---
+ 3 files changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c
+index c57a1aa..309f689 100644
+--- a/src/polkit/polkitunixgroup.c
++++ b/src/polkit/polkitunixgroup.c
+@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
+ static void
+ polkit_unix_group_init (PolkitUnixGroup *unix_group)
+ {
++ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
+ }
+
+ static void
+@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object,
+ GParamSpec *pspec)
+ {
+ PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
++ gint val;
+
+ switch (prop_id)
+ {
+ case PROP_GID:
+- unix_group->gid = g_value_get_int (value);
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ unix_group->gid = val;
+ break;
+
+ default:
+@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
+ g_param_spec_int ("gid",
+ "Group ID",
+ "The UNIX group ID",
+- 0,
++ G_MININT,
+ G_MAXINT,
+- 0,
++ -1,
+ G_PARAM_CONSTRUCT |
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_NAME |
+@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
+ */
+ void
+ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+- gint gid)
++ gint gid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
++ g_return_if_fail (gid != -1);
+ group->gid = gid;
+ }
+
+@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+ PolkitIdentity *
+ polkit_unix_group_new (gint gid)
+ {
++ g_return_val_if_fail (gid != -1, NULL);
++
+ return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
+ "gid", gid,
+ NULL));
+diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
+index 972b777..b02b258 100644
+--- a/src/polkit/polkitunixprocess.c
++++ b/src/polkit/polkitunixprocess.c
+@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject *object,
+ polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+ break;
+
+- case PROP_UID:
+- polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
++ case PROP_UID: {
++ gint val;
++
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ polkit_unix_process_set_uid (unix_process, val);
+ break;
++ }
+
+ case PROP_START_TIME:
+ polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
+ g_param_spec_int ("uid",
+ "User ID",
+ "The UNIX user ID",
+- -1,
++ G_MININT,
+ G_MAXINT,
+ -1,
+ G_PARAM_CONSTRUCT |
+@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
+ gint uid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
+- g_return_if_fail (uid >= -1);
+ process->uid = uid;
+ }
+
+diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c
+index 8bfd3a1..234a697 100644
+--- a/src/polkit/polkitunixuser.c
++++ b/src/polkit/polkitunixuser.c
+@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
+ static void
+ polkit_unix_user_init (PolkitUnixUser *unix_user)
+ {
++ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */
+ unix_user->name = NULL;
+ }
+
+@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object,
+ GParamSpec *pspec)
+ {
+ PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
++ gint val;
+
+ switch (prop_id)
+ {
+ case PROP_UID:
+- unix_user->uid = g_value_get_int (value);
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ unix_user->uid = val;
+ break;
+
+ default:
+@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
+ g_param_spec_int ("uid",
+ "User ID",
+ "The UNIX user ID",
+- 0,
++ G_MININT,
+ G_MAXINT,
+- 0,
++ -1,
+ G_PARAM_CONSTRUCT |
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_NAME |
+@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+ gint uid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_USER (user));
++ g_return_if_fail (uid != -1);
+ user->uid = uid;
+ }
+
+@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+ PolkitIdentity *
+ polkit_unix_user_new (gint uid)
+ {
++ g_return_val_if_fail (uid != -1, NULL);
++
+ return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
+ "uid", uid,
+ NULL));
+--
+2.22.0.vfs.1.1.57.gbaf16c8
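Review bot: The `uid` property in polkit_unix_process_class_init keeps `-1` as its default together with `G_PARAM_CONSTRUCT`, while the new `PROP_UID` branch of polkit_unix_process_set_property now runs `g_return_if_fail (val != -1)`. GObject applies a construct property's default when the caller supplies none, so creating a PolkitUnixProcess without a uid would log a critical each time, even though the description calls -1 the "unset" placeholder. The same pairing appears in the PolkitUnixUser and PolkitUnixGroup hunks, where the default moves from `0` to `-1`. For the process object I would pass the value straight through, `polkit_unix_process_set_uid (unix_process, g_value_get_int (value));`, and leave the rejection of -1 to the user and group setters. This is PATCH 1/3, so a later patch in the series may already do that; it is not visible here, and the touched functions extend beyond their inner hunks.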
diff --git a/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch b/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
new file mode 100644
index 00000000..097dfd92
--- /dev/null
+++ b/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
@@ -0,0 +1,153 @@
+From 17f18d9f81d99b014c680e7e50198d7f190b804e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 3 Dec 2018 11:20:34 +0100
+Subject: [PATCH 2/3] tests: add tests for high uids
+
+CVE: CVE-2018-19788
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/polkit/polkit/commit/b534a10727455409acd54018a9c91000e7626126]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ test/data/etc/group | 1 +
+ test/data/etc/passwd | 2 +
+ .../etc/polkit-1/rules.d/10-testing.rules | 21 ++++++
+ .../test-polkitbackendjsauthority.c | 72 +++++++++++++++++++
+ 4 files changed, 96 insertions(+)
+
+diff --git a/test/data/etc/group b/test/data/etc/group
+index 12ef328..b9acab9 100644
+--- a/test/data/etc/group
++++ b/test/data/etc/group
+@@ -5,3 +5,4 @@ john:x:500:
+ jane:x:501:
+ sally:x:502:
+ henry:x:503:
++highuid2:x:4000000000:
+diff --git a/test/data/etc/passwd b/test/data/etc/passwd
+index 8544feb..5cf14a5 100644
+--- a/test/data/etc/passwd
++++ b/test/data/etc/passwd
+@@ -3,3 +3,5 @@ john:x:500:500:John Done:/home/john:/bin/bash
+ jane:x:501:501:Jane Smith:/home/jane:/bin/bash
+ sally:x:502:502:Sally Derp:/home/sally:/bin/bash
+ henry:x:503:503:Henry Herp:/home/henry:/bin/bash
++highuid1:x:2147483648:2147483648:The first high uid:/home/highuid1:/sbin/nologin
++highuid2:x:4000000000:4000000000:An example high uid:/home/example:/sbin/nologin
+diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules
+index 446e622..98bf062 100644
+--- a/test/data/etc/polkit-1/rules.d/10-testing.rules
++++ b/test/data/etc/polkit-1/rules.d/10-testing.rules
+@@ -53,6 +53,27 @@ polkit.addRule(function(action, subject) {
+ }
+ });
+
++polkit.addRule(function(action, subject) {
++ if (action.id == "net.company.john_action") {
++ if (subject.user == "john") {
++ return polkit.Result.YES;
++ } else {
++ return polkit.Result.NO;
++ }
++ }
++});
++
++polkit.addRule(function(action, subject) {
++ if (action.id == "net.company.highuid2_action") {
++ if (subject.user == "highuid2") {
++ return polkit.Result.YES;
++ } else {
++ return polkit.Result.NO;
++ }
++ }
++});
++
++
+ // ---------------------------------------------------------------------
+ // variables
+
+diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c
+index b484a26..71aad23 100644
+--- a/test/polkitbackend/test-polkitbackendjsauthority.c
++++ b/test/polkitbackend/test-polkitbackendjsauthority.c
+@@ -330,6 +330,78 @@ static const RulesTestCase rules_test_cases[] = {
+ NULL,
+ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
+ },
++
++ {
++ /* highuid1 is not a member of group 'users', see test/data/etc/group */
++ "group_membership_with_non_member(highuid22)",
++ "net.company.group.only_group_users",
++ "unix-user:highuid2",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
++
++ {
++ /* highuid2 is not a member of group 'users', see test/data/etc/group */
++ "group_membership_with_non_member(highuid21)",
++ "net.company.group.only_group_users",
++ "unix-user:highuid2",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
++
++ {
++ /* highuid1 is not a member of group 'users', see test/data/etc/group */
++ "group_membership_with_non_member(highuid24)",
++ "net.company.group.only_group_users",
++ "unix-user:2147483648",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
++
++ {
++ /* highuid2 is not a member of group 'users', see test/data/etc/group */
++ "group_membership_with_non_member(highuid23)",
++ "net.company.group.only_group_users",
++ "unix-user:4000000000",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
++
++ {
++ /* john is authorized to do this, see 10-testing.rules */
++ "john_action",
++ "net.company.john_action",
++ "unix-user:john",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
++ },
++
++ {
++ /* only john is authorized to do this, see 10-testing.rules */
++ "jane_action",
++ "net.company.john_action",
++ "unix-user:jane",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
++
++ {
++ /* highuid2 is authorized to do this, see 10-testing.rules */
++ "highuid2_action",
++ "net.company.highuid2_action",
++ "unix-user:highuid2",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
++ },
++
++ {
++ /* only highuid2 is authorized to do this, see 10-testing.rules */
++ "highuid1_action",
++ "net.company.highuid2_action",
++ "unix-user:highuid1",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
+ };
+
+ /* ---------------------------------------------------------------------------------------------------- */
+--
+2.22.0.vfs.1.1.57.gbaf16c8
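Review bot: The first added group-membership case in test-polkitbackendjsauthority.c is commented as covering highuid1 and named `group_membership_with_non_member(highuid22)`, but its subject is `"unix-user:highuid2"`. It therefore repeats the following `highuid21` case, and highuid1 is never resolved by name against `net.company.group.only_group_users`. If one by-name case per account was intended, the subject should read `"unix-user:highuid1"`; 2147483648 is the first uid that no longer fits a signed 32-bit int, so it is the boundary most worth pinning. As this is a verbatim backport, the correction probably belongs upstream, with the duplication recorded in the patch header until then. The `rules_test_cases` array begins outside the inner hunk.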
diff --git a/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch b/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch
new file mode 100644
index 00000000..b97a6b06
--- /dev/null
+++ b/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch
@@ -0,0 +1,53 @@
+From 0fd5884a943a92aa076fa3276bd83f502dcb934e Mon Sep 17 00:00:00 2001
+From: Matthew Leeds <matthew.leeds@endlessm.com>
+Date: Tue, 11 Dec 2018 12:04:26 -0800
+Subject: [PATCH 3/3] Allow uid of -1 for a PolkitUnixProcess
+
+Commit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and
+PolkitUnixProcess to allow negative values for their uid/gid properties,
+since these are values above INT_MAX which wrap around but are still
+valid, with the exception of -1 which is not valid. However,
+PolkitUnixProcess allows a uid of -1 to be passed to
+polkit_unix_process_new_for_owner() which means polkit is expected to
+figure out the uid on its own (this happens in the _constructed
+function). So this commit removes the check in
+polkit_unix_process_set_property() so that new_for_owner() can be used
+as documented without producing a critical error message.
+
+This does not affect the protection against CVE-2018-19788 which is
+based on creating a user with a UID up to but not including 4294967295
+(-1).
+
+CVE: CVE-2018-19788
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/polkit/polkit/commit/c05472b86222a72505adc5eec460493980224ef8]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ src/polkit/polkitunixprocess.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
+index b02b258..e2a3c03 100644
+--- a/src/polkit/polkitunixprocess.c
++++ b/src/polkit/polkitunixprocess.c
+@@ -159,14 +159,9 @@ polkit_unix_process_set_property (GObject *object,
+ polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+ break;
+
+- case PROP_UID: {
+- gint val;
+-
+- val = g_value_get_int (value);
+- g_return_if_fail (val != -1);
+- polkit_unix_process_set_uid (unix_process, val);
++ case PROP_UID:
++ polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
+ break;
+- }
+
+ case PROP_START_TIME:
+ polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
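Review bot: The rewritten `case PROP_UID:` in polkit_unix_process_set_property() now lets -1 through without a comment, while the PolkitUnixUser setters patched in p1 reject it with `g_return_if_fail (uid != -1)`. To someone auditing the CVE-2018-19788 fix later, that asymmetry reads like a missed check. I would add a comment above the call, for example `/* -1 is accepted on purpose: it tells the _constructed handler to look the uid up, see polkit_unix_process_new_for_owner() */`. Whether a failed lookup can leave -1 in `process->uid` for later readers is not visible here, since the function body and the `_constructed` code lie outside the hunk; that is worth confirming before relying on the description's claim that the protection is unaffected.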
diff --git a/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit_0.115.bb b/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit_0.115.bb
index 8d592054..1587cc0e 100644
--- a/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit_0.115.bb
+++ b/external/meta-openembedded/meta-oe/recipes-extended/polkit/polkit_0.115.bb
@@ -24,6 +24,9 @@ SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.
file://0001-make-netgroup-support-configurable.patch \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://CVE-2019-6133.patch \
+ file://CVE-2018-19788_p1.patch \
+ file://CVE-2018-19788_p2.patch \
+ file://CVE-2018-19788_p3.patch \
"
SRC_URI[md5sum] = "f03b055d6ae5fc8eac76838c7d83d082"
SRC_URI[sha256sum] = "2f87ecdabfbd415c6306673ceadc59846f059b18ef2fce42bac63fe283f12131"
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.34.bb b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.34.bb
deleted file mode 100644
index 4cc38454..00000000
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.34.bb
+++ /dev/null
@@ -1,46 +0,0 @@
-DESCRIPTION = "The Apache HTTP Server is a powerful, efficient, and \
-extensible web server."
-SUMMARY = "Apache HTTP Server"
-HOMEPAGE = "http://httpd.apache.org/"
-DEPENDS = "expat-native pcre-native apr-native apr-util-native"
-SECTION = "net"
-LICENSE = "Apache-2.0"
-
-inherit autotools pkgconfig native
-
-SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
- file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
- file://CVE-2018-11763.patch \
- "
-
-S = "${WORKDIR}/httpd-${PV}"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=d52d0fd0bc788f068e647116c01ddfcd"
-SRC_URI[md5sum] = "818adca52f3be187fe45d6822755be95"
-SRC_URI[sha256sum] = "fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0"
-
-EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
- --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \
- --prefix=${prefix} --datadir=${datadir}/apache2 \
- "
-
-do_install () {
- install -d ${D}${bindir} ${D}${libdir}
- cp server/gen_test_char ${D}${bindir}
- install -m 755 support/apxs ${D}${bindir}/
- install -m 755 httpd ${D}${bindir}/
- install -d ${D}${datadir}/apache2/build
- cp ${S}/build/*.mk ${D}${datadir}/apache2/build
- cp build/*.mk ${D}${datadir}/apache2/build
- cp ${S}/build/instdso.sh ${D}${datadir}/apache2/build
-
- install -d ${D}${includedir}/apache2
- cp ${S}/include/* ${D}${includedir}/apache2
- cp include/* ${D}${includedir}/apache2
- cp ${S}/os/unix/os.h ${D}${includedir}/apache2
- cp ${S}/os/unix/unixd.h ${D}${includedir}/apache2
-
- cp support/envvars-std ${D}${bindir}/envvars
- chmod 755 ${D}${bindir}/envvars
-}
-
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch
index da38a8cf..6c028645 100644
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch
+++ b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0001-configure-use-pkg-config-for-PCRE-detection.patch
@@ -1,4 +1,4 @@
-From 419181e242892ded050f5a375a709b9588fb581d Mon Sep 17 00:00:00 2001
+From d2cedfa3394365689a3f7c8cfe8e0dd56b29bed9 Mon Sep 17 00:00:00 2001
From: Koen Kooi <koen.kooi@linaro.org>
Date: Tue, 17 Jun 2014 09:10:57 +0200
Subject: [PATCH] configure: use pkg-config for PCRE detection
@@ -6,13 +6,12 @@ Subject: [PATCH] configure: use pkg-config for PCRE detection
Upstream-Status: Pending
Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
-
---
configure.in | 27 +++++----------------------
1 file changed, 5 insertions(+), 22 deletions(-)
diff --git a/configure.in b/configure.in
-index be7bd25..54dfd0d 100644
+index 9feaceb..dc6ea15 100644
--- a/configure.in
+++ b/configure.in
@@ -215,28 +215,11 @@ fi
@@ -49,3 +48,6 @@ index be7bd25..54dfd0d 100644
APACHE_SUBST(PCRE_LIBS)
AC_MSG_NOTICE([])
+--
+2.7.4
+
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch
index ae4ff0c5..85fe6ae4 100644
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-corelimit.patch
+++ b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch
@@ -1,7 +1,8 @@
-From 55ebb07cc57854cbfb372c3a688365039b809bc8 Mon Sep 17 00:00:00 2001
+From 7df207ad4d0dcda2ad36e5642296e0dec7e13647 Mon Sep 17 00:00:00 2001
From: Paul Eggleton <paul.eggleton@linux.intel.com>
Date: Tue, 17 Jul 2012 11:27:39 +0100
-Subject: [PATCH] apache2: add from OE-Classic, update to version 2.4.2 and fix
+Subject: [PATCH] apache2: bump up the core size limit if CoreDumpDirectory
+ is configured
Bump up the core size limit if CoreDumpDirectory is
configured.
@@ -16,10 +17,10 @@ Note: upstreaming was discussed but there are competing desires;
1 file changed, 19 insertions(+)
diff --git a/server/core.c b/server/core.c
-index 4af0816..4fd2b9f 100644
+index eacb54f..7aa841f 100644
--- a/server/core.c
+++ b/server/core.c
-@@ -4940,6 +4940,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
+@@ -4965,6 +4965,25 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
}
apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper,
apr_pool_cleanup_null);
@@ -45,3 +46,6 @@ index 4af0816..4fd2b9f 100644
return OK;
}
+--
+2.7.4
+
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch
index 843226c0..081a02ba 100644
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.4-export.patch
+++ b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch
@@ -1,7 +1,8 @@
-From a5627edbcc88cd50caaa42ca051ac7ed3d870172 Mon Sep 17 00:00:00 2001
+From ddd560024a6d526187fd126f306b59533ca3f7e2 Mon Sep 17 00:00:00 2001
From: Paul Eggleton <paul.eggleton@linux.intel.com>
Date: Tue, 17 Jul 2012 11:27:39 +0100
-Subject: [PATCH] apache2: add from OE-Classic, update to version 2.4.2 and fix
+Subject: [PATCH] apache2: do not export apr/apr-util symbols when using
+ shared libapr
There is no need to "suck in" the apr/apr-util symbols when using
a shared libapr{,util}, it just bloats the symbol table; so don't.
@@ -15,7 +16,7 @@ Note: EXPORT_DIRS change is conditional on using shared apr
1 file changed, 3 deletions(-)
diff --git a/server/Makefile.in b/server/Makefile.in
-index cb11684..0d48924 100644
+index 1fa3344..f635d76 100644
--- a/server/Makefile.in
+++ b/server/Makefile.in
@@ -60,9 +60,6 @@ export_files:
@@ -28,3 +29,6 @@ index cb11684..0d48924 100644
) | sed -e s,//,/,g | sort -u > $@
exports.c: export_files
+--
+2.7.4
+
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch
index 015034c7..78a04d9a 100644
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.1-selinux.patch
+++ b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch
@@ -1,4 +1,4 @@
-From 33c0f2d88ccfe02777f183eb785bb2b891aff168 Mon Sep 17 00:00:00 2001
+From dfa834ebd449df299f54e98f0fb3a7bb4008fb03 Mon Sep 17 00:00:00 2001
From: Paul Eggleton <paul.eggleton@linux.intel.com>
Date: Tue, 17 Jul 2012 11:27:39 +0100
Subject: [PATCH] Log the SELinux context at startup.
@@ -15,10 +15,10 @@ Note: unlikely to be any interest in this upstream
2 files changed, 31 insertions(+)
diff --git a/configure.in b/configure.in
-index 761e836..d828512 100644
+index dc6ea15..caa6f54 100644
--- a/configure.in
+++ b/configure.in
-@@ -483,6 +483,11 @@ getloadavg
+@@ -466,6 +466,11 @@ getloadavg
dnl confirm that a void pointer is large enough to store a long integer
APACHE_CHECK_VOID_PTR_LEN
@@ -31,7 +31,7 @@ index 761e836..d828512 100644
[AC_TRY_RUN(#define _GNU_SOURCE
#include <unistd.h>
diff --git a/server/core.c b/server/core.c
-index 4fd2b9f..c61304a 100644
+index 7aa841f..79f34db 100644
--- a/server/core.c
+++ b/server/core.c
@@ -59,6 +59,10 @@
@@ -45,7 +45,7 @@ index 4fd2b9f..c61304a 100644
/* LimitRequestBody handling */
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
-@@ -4959,6 +4963,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
+@@ -4984,6 +4988,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
}
#endif
@@ -53,18 +53,18 @@ index 4fd2b9f..c61304a 100644
+ {
+ static int already_warned = 0;
+ int is_enabled = is_selinux_enabled() > 0;
-+
++
+ if (is_enabled && !already_warned) {
+ security_context_t con;
-+
++
+ if (getcon(&con) == 0) {
-+
++
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ "SELinux policy enabled; "
+ "httpd running as context %s", con);
-+
++
+ already_warned = 1;
-+
++
+ freecon(con);
+ }
+ }
@@ -74,3 +74,6 @@ index 4fd2b9f..c61304a 100644
return OK;
}
+--
+2.7.4
+
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch
index 020f1d79..47320a9e 100644
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/replace-lynx-to-curl-in-apachectl-script.patch
+++ b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0005-replace-lynx-to-curl-in-apachectl-script.patch
@@ -1,4 +1,4 @@
-From 94a9e2241ea27e75babbfdeb38043b13049e23b0 Mon Sep 17 00:00:00 2001
+From 7db1b650bb4b01a5194a34cd7573f915656a595b Mon Sep 17 00:00:00 2001
From: Yulong Pei <Yulong.pei@windriver.com>
Date: Thu, 1 Sep 2011 01:03:14 +0800
Subject: [PATCH] replace lynx to curl in apachectl script
@@ -6,7 +6,6 @@ Subject: [PATCH] replace lynx to curl in apachectl script
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Yulong Pei <Yulong.pei@windriver.com>
-
---
support/apachectl.in | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
@@ -48,3 +47,6 @@ index 3281c2e..6ab4ba5 100644
;;
*)
$HTTPD "$@"
+--
+2.7.4
+
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.3-fix-race-issue-of-dir-install.patch b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch
index 2262e9f8..227d0406 100644
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/httpd-2.4.3-fix-race-issue-of-dir-install.patch
+++ b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0006-apache2-fix-the-race-issue-of-parallel-installation.patch
@@ -1,4 +1,4 @@
-From 3b079a9df7582e305246fd805837d87a2c4ef534 Mon Sep 17 00:00:00 2001
+From 4f4d7d6b88b6e440263ebeb22dfb40c52bb30fd8 Mon Sep 17 00:00:00 2001
From: Zhenhua Luo <zhenhua.luo@freescale.com>
Date: Fri, 25 Jan 2013 18:10:50 +0800
Subject: [PATCH] apache2: fix the race issue of parallel installation
@@ -13,7 +13,6 @@ fix following race issue when do parallel install
| make[1]: *** Waiting for unfinished jobs....
Signed-off-by: Zhenhua Luo <zhenhua.luo@freescale.com>
-
---
build/mkdir.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
@@ -31,3 +30,6 @@ index e2d5bb6..dde5ae0 100755
fi
pathcomp="$pathcomp/"
done
+--
+2.7.4
+
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/configure-allow-to-disable-selinux-support.patch b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch
index a6ccfb6a..fed6b501 100644
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/configure-allow-to-disable-selinux-support.patch
+++ b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch
@@ -1,4 +1,4 @@
-From 166cbc02f72d13d5e7bf08ac2351c0f07e1ff4b9 Mon Sep 17 00:00:00 2001
+From 964ef2c1af74984602f46e7db938d3b95b148385 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Mon, 1 Dec 2014 02:08:27 -0500
Subject: [PATCH] apache2: allow to disable selinux support
@@ -6,13 +6,12 @@ Subject: [PATCH] apache2: allow to disable selinux support
Upstream-Status: Pending
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
-
---
configure.in | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/configure.in b/configure.in
-index 54dfd0d..377e062 100644
+index caa6f54..eab2090 100644
--- a/configure.in
+++ b/configure.in
@@ -466,10 +466,16 @@ getloadavg
@@ -36,3 +35,6 @@ index 54dfd0d..377e062 100644
AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
[AC_TRY_RUN(#define _GNU_SOURCE
+--
+2.7.4
+
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch
index 5476d4f3..82e9e8c3 100644
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/server-makefile.patch
+++ b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0008-apache2-do-not-use-relative-path-for-gen_test_char.patch
@@ -1,6 +1,7 @@
-From aa02bbfd8f16871db5563a95fa94dd170964949f Mon Sep 17 00:00:00 2001
+From b62c4cd2295c98b2ebe12641e5f01590bd96ae94 Mon Sep 17 00:00:00 2001
From: Paul Eggleton <paul.eggleton@linux.intel.com>
Date: Tue, 17 Jul 2012 11:27:39 +0100
+Subject: [PATCH] apache2: do not use relative path for gen_test_char
Upstream-Status: Inappropriate [embedded specific]
@@ -9,7 +10,7 @@ Upstream-Status: Inappropriate [embedded specific]
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/Makefile.in b/server/Makefile.in
-index 1fa3344..cb11684 100644
+index f635d76..0d48924 100644
--- a/server/Makefile.in
+++ b/server/Makefile.in
@@ -29,7 +29,7 @@ gen_test_char: $(gen_test_char_OBJECTS)
@@ -21,3 +22,6 @@ index 1fa3344..cb11684 100644
util.lo: test_char.h
+--
+2.7.4
+
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2018-11763.patch b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2018-11763.patch
deleted file mode 100644
index a2c5b2e0..00000000
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/CVE-2018-11763.patch
+++ /dev/null
@@ -1,512 +0,0 @@
-From 484aba5048e3457dc1d15189f1910d007b1a4a76 Mon Sep 17 00:00:00 2001
-From: Jim Jagielski <jim@apache.org>
-Date: Wed, 12 Sep 2018 20:38:02 +0000
-Subject: [PATCH] Merge r1840010 from trunk:
-
-On the trunk:
-
-mod_http2: connection IO event handling reworked. Instead of reacting on
- incoming bytes, the state machine now acts on incoming frames that are
- affecting it. This reduces state transitions.
-
-
-Submitted by: icing
-Reviewed by: icing, ylavic, jim
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1840757 13f79535-47bb-0310-9956-ffa450edef68
-CVE: CVE-2018-11763
-Upstream-Status: Backport [https://github.com/apache/httpd/commit/484aba5048e3457dc1d15189f1910d007b1a4a76]
-
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
----
- modules/http2/h2_session.c | 238 +++++++++++++++++++++++--------------
- modules/http2/h2_session.h | 7 +-
- modules/http2/h2_version.h | 4 +-
- 3 files changed, 158 insertions(+), 97 deletions(-)
-
-diff --git a/modules/http2/h2_session.c b/modules/http2/h2_session.c
-index 805d6774dc..a1b31d2b30 100644
---- a/modules/http2/h2_session.c
-+++ b/modules/http2/h2_session.c
-@@ -235,6 +235,7 @@ static int on_data_chunk_recv_cb(nghttp2_session *ngh2, uint8_t flags,
- stream = h2_session_stream_get(session, stream_id);
- if (stream) {
- status = h2_stream_recv_DATA(stream, flags, data, len);
-+ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, "stream data rcvd");
- }
- else {
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c, APLOGNO(03064)
-@@ -317,9 +318,9 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
- }
-
- /**
-- * nghttp2 session has received a complete frame. Most, it uses
-- * for processing of internal state. HEADER and DATA frames however
-- * we need to handle ourself.
-+ * nghttp2 session has received a complete frame. Most are used by nghttp2
-+ * for processing of internal state. Some, like HEADER and DATA frames,
-+ * we need to act on.
- */
- static int on_frame_recv_cb(nghttp2_session *ng2s,
- const nghttp2_frame *frame,
-@@ -378,6 +379,9 @@ static int on_frame_recv_cb(nghttp2_session *ng2s,
- "h2_stream(%ld-%d): WINDOW_UPDATE incr=%d",
- session->id, (int)frame->hd.stream_id,
- frame->window_update.window_size_increment);
-+ if (nghttp2_session_want_write(session->ngh2)) {
-+ dispatch_event(session, H2_SESSION_EV_FRAME_RCVD, 0, "window update");
-+ }
- break;
- case NGHTTP2_RST_STREAM:
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c, APLOGNO(03067)
-@@ -404,6 +408,12 @@ static int on_frame_recv_cb(nghttp2_session *ng2s,
- frame->goaway.error_code, NULL);
- }
- break;
-+ case NGHTTP2_SETTINGS:
-+ if (APLOGctrace2(session->c)) {
-+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, session->c,
-+ H2_SSSN_MSG(session, "SETTINGS, len=%ld"), (long)frame->hd.length);
-+ }
-+ break;
- default:
- if (APLOGctrace2(session->c)) {
- char buffer[256];
-@@ -415,7 +425,40 @@ static int on_frame_recv_cb(nghttp2_session *ng2s,
- }
- break;
- }
-- return (APR_SUCCESS == rv)? 0 : NGHTTP2_ERR_PROTO;
-+
-+ if (session->state == H2_SESSION_ST_IDLE) {
-+ /* We received a frame, but session is in state IDLE. That means the frame
-+ * did not really progress any of the (possibly) open streams. It was a meta
-+ * frame, e.g. SETTINGS/WINDOW_UPDATE/unknown/etc.
-+ * Remember: IDLE means we cannot send because either there are no streams open or
-+ * all open streams are blocked on exhausted WINDOWs for outgoing data.
-+ * The more frames we receive that do not change this, the less interested we
-+ * become in serving this connection. This is expressed in increasing "idle_delays".
-+ * Eventually, the connection will timeout and we'll close it. */
-+ session->idle_frames = H2MIN(session->idle_frames + 1, session->frames_received);
-+ ap_log_cerror( APLOG_MARK, APLOG_TRACE2, 0, session->c,
-+ H2_SSSN_MSG(session, "session has %ld idle frames"),
-+ (long)session->idle_frames);
-+ if (session->idle_frames > 10) {
-+ apr_size_t busy_frames = H2MAX(session->frames_received - session->idle_frames, 1);
-+ int idle_ratio = (int)(session->idle_frames / busy_frames);
-+ if (idle_ratio > 100) {
-+ session->idle_delay = apr_time_from_msec(H2MIN(1000, idle_ratio));
-+ }
-+ else if (idle_ratio > 10) {
-+ session->idle_delay = apr_time_from_msec(10);
-+ }
-+ else if (idle_ratio > 1) {
-+ session->idle_delay = apr_time_from_msec(1);
-+ }
-+ else {
-+ session->idle_delay = 0;
-+ }
-+ }
-+ }
-+
-+ if (APR_SUCCESS != rv) return NGHTTP2_ERR_PROTO;
-+ return 0;
- }
-
- static int h2_session_continue_data(h2_session *session) {
-@@ -1603,23 +1646,57 @@ static void update_child_status(h2_session *session, int status, const char *msg
-
- static void transit(h2_session *session, const char *action, h2_session_state nstate)
- {
-+ apr_time_t timeout;
-+ int ostate, loglvl;
-+ const char *s;
-+
- if (session->state != nstate) {
-- int loglvl = APLOG_DEBUG;
-- if ((session->state == H2_SESSION_ST_BUSY && nstate == H2_SESSION_ST_WAIT)
-- || (session->state == H2_SESSION_ST_WAIT && nstate == H2_SESSION_ST_BUSY)){
-+ ostate = session->state;
-+ session->state = nstate;
-+
-+ loglvl = APLOG_DEBUG;
-+ if ((ostate == H2_SESSION_ST_BUSY && nstate == H2_SESSION_ST_WAIT)
-+ || (ostate == H2_SESSION_ST_WAIT && nstate == H2_SESSION_ST_BUSY)){
- loglvl = APLOG_TRACE1;
- }
- ap_log_cerror(APLOG_MARK, loglvl, 0, session->c,
- H2_SSSN_LOG(APLOGNO(03078), session,
- "transit [%s] -- %s --> [%s]"),
-- h2_session_state_str(session->state), action,
-+ h2_session_state_str(ostate), action,
- h2_session_state_str(nstate));
-- session->state = nstate;
-+
- switch (session->state) {
- case H2_SESSION_ST_IDLE:
-- update_child_status(session, (session->open_streams == 0?
-- SERVER_BUSY_KEEPALIVE
-- : SERVER_BUSY_READ), "idle");
-+ if (!session->remote.emitted_count) {
-+ /* on fresh connections, with async mpm, do not return
-+ * to mpm for a second. This gives the first request a better
-+ * chance to arrive (und connection leaving IDLE state).
-+ * If we return to mpm right away, this connection has the
-+ * same chance of being cleaned up by the mpm as connections
-+ * that already served requests - not fair. */
-+ session->idle_sync_until = apr_time_now() + apr_time_from_sec(1);
-+ s = "timeout";
-+ timeout = H2MAX(session->s->timeout, session->s->keep_alive_timeout);
-+ update_child_status(session, SERVER_BUSY_READ, "idle");
-+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c,
-+ H2_SSSN_LOG("", session, "enter idle, timeout = %d sec"),
-+ (int)apr_time_sec(H2MAX(session->s->timeout, session->s->keep_alive_timeout)));
-+ }
-+ else if (session->open_streams) {
-+ s = "timeout";
-+ timeout = session->s->keep_alive_timeout;
-+ update_child_status(session, SERVER_BUSY_KEEPALIVE, "idle");
-+ }
-+ else {
-+ /* normal keepalive setup */
-+ s = "keepalive";
-+ timeout = session->s->keep_alive_timeout;
-+ update_child_status(session, SERVER_BUSY_KEEPALIVE, "idle");
-+ }
-+ session->idle_until = apr_time_now() + timeout;
-+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c,
-+ H2_SSSN_LOG("", session, "enter idle, %s = %d sec"),
-+ s, (int)apr_time_sec(timeout));
- break;
- case H2_SESSION_ST_DONE:
- update_child_status(session, SERVER_CLOSING, "done");
-@@ -1726,8 +1803,6 @@ static void h2_session_ev_no_io(h2_session *session, int arg, const char *msg)
- * This means we only wait for WINDOW_UPDATE from the
- * client and can block on READ. */
- transit(session, "no io (flow wait)", H2_SESSION_ST_IDLE);
-- session->idle_until = apr_time_now() + session->s->timeout;
-- session->keep_sync_until = session->idle_until;
- /* Make sure we have flushed all previously written output
- * so that the client will react. */
- if (h2_conn_io_flush(&session->io) != APR_SUCCESS) {
-@@ -1738,12 +1813,7 @@ static void h2_session_ev_no_io(h2_session *session, int arg, const char *msg)
- }
- else if (session->local.accepting) {
- /* When we have no streams, but accept new, switch to idle */
-- apr_time_t now = apr_time_now();
- transit(session, "no io (keepalive)", H2_SESSION_ST_IDLE);
-- session->idle_until = (session->remote.emitted_count?
-- session->s->keep_alive_timeout :
-- session->s->timeout) + now;
-- session->keep_sync_until = now + apr_time_from_sec(1);
- }
- else {
- /* We are no longer accepting new streams and there are
-@@ -1758,12 +1828,25 @@ static void h2_session_ev_no_io(h2_session *session, int arg, const char *msg)
- }
- }
-
--static void h2_session_ev_data_read(h2_session *session, int arg, const char *msg)
-+static void h2_session_ev_frame_rcvd(h2_session *session, int arg, const char *msg)
-+{
-+ switch (session->state) {
-+ case H2_SESSION_ST_IDLE:
-+ case H2_SESSION_ST_WAIT:
-+ transit(session, "frame received", H2_SESSION_ST_BUSY);
-+ break;
-+ default:
-+ /* nop */
-+ break;
-+ }
-+}
-+
-+static void h2_session_ev_stream_change(h2_session *session, int arg, const char *msg)
- {
- switch (session->state) {
- case H2_SESSION_ST_IDLE:
- case H2_SESSION_ST_WAIT:
-- transit(session, "data read", H2_SESSION_ST_BUSY);
-+ transit(session, "stream change", H2_SESSION_ST_BUSY);
- break;
- default:
- /* nop */
-@@ -1803,16 +1886,6 @@ static void h2_session_ev_pre_close(h2_session *session, int arg, const char *ms
- static void ev_stream_open(h2_session *session, h2_stream *stream)
- {
- h2_iq_append(session->in_process, stream->id);
-- switch (session->state) {
-- case H2_SESSION_ST_IDLE:
-- if (session->open_streams == 1) {
-- /* enter timeout, since we have a stream again */
-- session->idle_until = (session->s->timeout + apr_time_now());
-- }
-- break;
-- default:
-- break;
-- }
- }
-
- static void ev_stream_closed(h2_session *session, h2_stream *stream)
-@@ -1825,11 +1898,6 @@ static void ev_stream_closed(h2_session *session, h2_stream *stream)
- }
- switch (session->state) {
- case H2_SESSION_ST_IDLE:
-- if (session->open_streams == 0) {
-- /* enter keepalive timeout, since we no longer have streams */
-- session->idle_until = (session->s->keep_alive_timeout
-- + apr_time_now());
-- }
- break;
- default:
- break;
-@@ -1887,6 +1955,7 @@ static void on_stream_state_enter(void *ctx, h2_stream *stream)
- default:
- break;
- }
-+ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, "stream state change");
- }
-
- static void on_stream_event(void *ctx, h2_stream *stream,
-@@ -1945,8 +2014,8 @@ static void dispatch_event(h2_session *session, h2_session_event_t ev,
- case H2_SESSION_EV_NO_IO:
- h2_session_ev_no_io(session, arg, msg);
- break;
-- case H2_SESSION_EV_DATA_READ:
-- h2_session_ev_data_read(session, arg, msg);
-+ case H2_SESSION_EV_FRAME_RCVD:
-+ h2_session_ev_frame_rcvd(session, arg, msg);
- break;
- case H2_SESSION_EV_NGH2_DONE:
- h2_session_ev_ngh2_done(session, arg, msg);
-@@ -1957,6 +2026,9 @@ static void dispatch_event(h2_session *session, h2_session_event_t ev,
- case H2_SESSION_EV_PRE_CLOSE:
- h2_session_ev_pre_close(session, arg, msg);
- break;
-+ case H2_SESSION_EV_STREAM_CHANGE:
-+ h2_session_ev_stream_change(session, arg, msg);
-+ break;
- default:
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c,
- H2_SSSN_MSG(session, "unknown event %d"), ev);
-@@ -1990,13 +2062,15 @@ apr_status_t h2_session_process(h2_session *session, int async)
- apr_status_t status = APR_SUCCESS;
- conn_rec *c = session->c;
- int rv, mpm_state, trace = APLOGctrace3(c);
--
-+ apr_time_t now;
-+
- if (trace) {
- ap_log_cerror( APLOG_MARK, APLOG_TRACE3, status, c,
- H2_SSSN_MSG(session, "process start, async=%d"), async);
- }
-
- while (session->state != H2_SESSION_ST_DONE) {
-+ now = apr_time_now();
- session->have_read = session->have_written = 0;
-
- if (session->local.accepting
-@@ -2034,39 +2108,42 @@ apr_status_t h2_session_process(h2_session *session, int async)
- break;
-
- case H2_SESSION_ST_IDLE:
-- /* We trust our connection into the default timeout/keepalive
-- * handling of the core filters/mpm iff:
-- * - keep_sync_until is not set
-- * - we have an async mpm
-- * - we have no open streams to process
-- * - we are not sitting on a Upgrade: request
-- * - we already have seen at least one request
-- */
-- if (!session->keep_sync_until && async && !session->open_streams
-- && !session->r && session->remote.emitted_count) {
-+ if (session->idle_until && (apr_time_now() + session->idle_delay) > session->idle_until) {
-+ ap_log_cerror( APLOG_MARK, APLOG_TRACE1, status, c,
-+ H2_SSSN_MSG(session, "idle, timeout reached, closing"));
-+ if (session->idle_delay) {
-+ apr_table_setn(session->c->notes, "short-lingering-close", "1");
-+ }
-+ dispatch_event(session, H2_SESSION_EV_CONN_TIMEOUT, 0, "timeout");
-+ goto out;
-+ }
-+
-+ if (session->idle_delay) {
-+ /* we are less interested in spending time on this connection */
-+ ap_log_cerror( APLOG_MARK, APLOG_TRACE2, status, c,
-+ H2_SSSN_MSG(session, "session is idle (%ld ms), idle wait %ld sec left"),
-+ (long)apr_time_as_msec(session->idle_delay),
-+ (long)apr_time_sec(session->idle_until - now));
-+ apr_sleep(session->idle_delay);
-+ session->idle_delay = 0;
-+ }
-+
-+ h2_conn_io_flush(&session->io);
-+ if (async && !session->r && (now > session->idle_sync_until)) {
- if (trace) {
- ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c,
- H2_SSSN_MSG(session,
- "nonblock read, %d streams open"),
- session->open_streams);
- }
-- h2_conn_io_flush(&session->io);
- status = h2_session_read(session, 0);
-
- if (status == APR_SUCCESS) {
- session->have_read = 1;
-- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL);
- }
-- else if (APR_STATUS_IS_EAGAIN(status)
-- || APR_STATUS_IS_TIMEUP(status)) {
-- if (apr_time_now() > session->idle_until) {
-- dispatch_event(session,
-- H2_SESSION_EV_CONN_TIMEOUT, 0, NULL);
-- }
-- else {
-- status = APR_EAGAIN;
-- goto out;
-- }
-+ else if (APR_STATUS_IS_EAGAIN(status) || APR_STATUS_IS_TIMEUP(status)) {
-+ status = APR_EAGAIN;
-+ goto out;
- }
- else {
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, c,
-@@ -2078,7 +2155,6 @@ apr_status_t h2_session_process(h2_session *session, int async)
- }
- else {
- /* make certain, we send everything before we idle */
-- h2_conn_io_flush(&session->io);
- if (trace) {
- ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c,
- H2_SSSN_MSG(session,
-@@ -2090,7 +2166,6 @@ apr_status_t h2_session_process(h2_session *session, int async)
- */
- status = h2_mplx_idle(session->mplx);
- if (status == APR_EAGAIN) {
-- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL);
- break;
- }
- else if (status != APR_SUCCESS) {
-@@ -2101,33 +2176,11 @@ apr_status_t h2_session_process(h2_session *session, int async)
- status = h2_session_read(session, 1);
- if (status == APR_SUCCESS) {
- session->have_read = 1;
-- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL);
- }
- else if (status == APR_EAGAIN) {
- /* nothing to read */
- }
- else if (APR_STATUS_IS_TIMEUP(status)) {
-- apr_time_t now = apr_time_now();
-- if (now > session->keep_sync_until) {
-- /* if we are on an async mpm, now is the time that
-- * we may dare to pass control to it. */
-- session->keep_sync_until = 0;
-- }
-- if (now > session->idle_until) {
-- if (trace) {
-- ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c,
-- H2_SSSN_MSG(session,
-- "keepalive timeout"));
-- }
-- dispatch_event(session,
-- H2_SESSION_EV_CONN_TIMEOUT, 0, "timeout");
-- }
-- else if (trace) {
-- ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c,
-- H2_SSSN_MSG(session,
-- "keepalive, %f sec left"),
-- (session->idle_until - now) / 1000000.0f);
-- }
- /* continue reading handling */
- }
- else if (APR_STATUS_IS_ECONNABORTED(status)
-@@ -2145,6 +2198,18 @@ apr_status_t h2_session_process(h2_session *session, int async)
- dispatch_event(session, H2_SESSION_EV_CONN_ERROR, 0, "error");
- }
- }
-+ if (nghttp2_session_want_write(session->ngh2)) {
-+ ap_update_child_status(session->c->sbh, SERVER_BUSY_WRITE, NULL);
-+ status = h2_session_send(session);
-+ if (status == APR_SUCCESS) {
-+ status = h2_conn_io_flush(&session->io);
-+ }
-+ if (status != APR_SUCCESS) {
-+ dispatch_event(session, H2_SESSION_EV_CONN_ERROR,
-+ H2_ERR_INTERNAL_ERROR, "writing");
-+ break;
-+ }
-+ }
- break;
-
- case H2_SESSION_ST_BUSY:
-@@ -2154,7 +2219,6 @@ apr_status_t h2_session_process(h2_session *session, int async)
- status = h2_session_read(session, 0);
- if (status == APR_SUCCESS) {
- session->have_read = 1;
-- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL);
- }
- else if (status == APR_EAGAIN) {
- /* nothing to read */
-@@ -2218,7 +2282,7 @@ apr_status_t h2_session_process(h2_session *session, int async)
- session->iowait);
- if (status == APR_SUCCESS) {
- session->wait_us = 0;
-- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL);
-+ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, NULL);
- }
- else if (APR_STATUS_IS_TIMEUP(status)) {
- /* go back to checking all inputs again */
-diff --git a/modules/http2/h2_session.h b/modules/http2/h2_session.h
-index 486938b009..df2a862445 100644
---- a/modules/http2/h2_session.h
-+++ b/modules/http2/h2_session.h
-@@ -66,10 +66,11 @@ typedef enum {
- H2_SESSION_EV_PROTO_ERROR, /* protocol error */
- H2_SESSION_EV_CONN_TIMEOUT, /* connection timeout */
- H2_SESSION_EV_NO_IO, /* nothing has been read or written */
-- H2_SESSION_EV_DATA_READ, /* connection data has been read */
-+ H2_SESSION_EV_FRAME_RCVD, /* a frame has been received */
- H2_SESSION_EV_NGH2_DONE, /* nghttp2 wants neither read nor write anything */
- H2_SESSION_EV_MPM_STOPPING, /* the process is stopping */
- H2_SESSION_EV_PRE_CLOSE, /* connection will close after this */
-+ H2_SESSION_EV_STREAM_CHANGE, /* a stream (state/input/output) changed */
- } h2_session_event_t;
-
- typedef struct h2_session {
-@@ -118,7 +119,9 @@ typedef struct h2_session {
- apr_size_t max_stream_mem; /* max buffer memory for a single stream */
-
- apr_time_t idle_until; /* Time we shut down due to sheer boredom */
-- apr_time_t keep_sync_until; /* Time we sync wait until passing to async mpm */
-+ apr_time_t idle_sync_until; /* Time we sync wait until keepalive handling kicks in */
-+ apr_size_t idle_frames; /* number of rcvd frames that kept session in idle state */
-+ apr_interval_time_t idle_delay; /* Time we delay processing rcvd frames in idle state */
-
- apr_bucket_brigade *bbtmp; /* brigade for keeping temporary data */
- struct apr_thread_cond_t *iowait; /* our cond when trywaiting for data */
-diff --git a/modules/http2/h2_version.h b/modules/http2/h2_version.h
-index 5c53abd575..2ac718fc0f 100644
---- a/modules/http2/h2_version.h
-+++ b/modules/http2/h2_version.h
-@@ -27,7 +27,7 @@
- * @macro
- * Version number of the http2 module as c string
- */
--#define MOD_HTTP2_VERSION "1.10.20"
-+#define MOD_HTTP2_VERSION "1.11.0"
-
- /**
- * @macro
-@@ -35,7 +35,7 @@
- * release. This is a 24 bit number with 8 bits for major number, 8 bits
- * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
- */
--#define MOD_HTTP2_VERSION_NUM 0x010a14
-+#define MOD_HTTP2_VERSION_NUM 0x010b00
-
-
- #endif /* mod_h2_h2_version_h */
---
-2.17.1
-
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch
deleted file mode 100644
index a2bc6e02..00000000
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/apache-configure_perlbin.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 5412077c398dec74321388fe6e593a44c4c80de6 Mon Sep 17 00:00:00 2001
-From: echo <fei.geng@windriver.com>
-Date: Tue, 28 Apr 2009 03:11:06 +0000
-Subject: [PATCH] Fix perl install directory to /usr/bin
-
-Upstream-Status: Inappropriate [configuration]
-
----
- configure.in | 5 +----
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index d828512..be7bd25 100644
---- a/configure.in
-+++ b/configure.in
-@@ -855,10 +855,7 @@ AC_DEFINE_UNQUOTED(SERVER_CONFIG_FILE, "${rel_sysconfdir}/${progname}.conf",
- AC_DEFINE_UNQUOTED(AP_TYPES_CONFIG_FILE, "${rel_sysconfdir}/mime.types",
- [Location of the MIME types config file, relative to the Apache root directory])
-
--perlbin=`$ac_aux_dir/PrintPath perl`
--if test "x$perlbin" = "x"; then
-- perlbin="/replace/with/path/to/perl/interpreter"
--fi
-+perlbin='/usr/bin/perl'
- AC_SUBST(perlbin)
-
- dnl If we are running on BSD/OS, we need to use the BSD .include syntax.
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.34.bb b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.41.bb
index a87e3847..543d1246 100644
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.34.bb
+++ b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.41.bb
@@ -2,89 +2,98 @@ DESCRIPTION = "The Apache HTTP Server is a powerful, efficient, and \
extensible web server."
SUMMARY = "Apache HTTP Server"
HOMEPAGE = "http://httpd.apache.org/"
-DEPENDS = "libtool-native apache2-native openssl expat pcre apr apr-util"
SECTION = "net"
LICENSE = "Apache-2.0"
SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
- file://server-makefile.patch \
- file://httpd-2.4.1-corelimit.patch \
- file://httpd-2.4.4-export.patch \
- file://httpd-2.4.1-selinux.patch \
- file://apache-configure_perlbin.patch \
- file://replace-lynx-to-curl-in-apachectl-script.patch \
- file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
- file://configure-allow-to-disable-selinux-support.patch \
- file://CVE-2018-11763.patch \
+ file://0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch \
+ file://0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch \
+ file://0004-apache2-log-the-SELinux-context-at-startup.patch \
+ file://0005-replace-lynx-to-curl-in-apachectl-script.patch \
+ file://0006-apache2-fix-the-race-issue-of-parallel-installation.patch \
+ file://0007-apache2-allow-to-disable-selinux-support.patch \
+ "
+
+SRC_URI_append_class-target = " \
+ file://0008-apache2-do-not-use-relative-path-for-gen_test_char.patch \
file://init \
file://apache2-volatile.conf \
file://apache2.service \
file://volatiles.04_apache2 \
- "
+ "
LIC_FILES_CHKSUM = "file://LICENSE;md5=d52d0fd0bc788f068e647116c01ddfcd"
-SRC_URI[md5sum] = "818adca52f3be187fe45d6822755be95"
-SRC_URI[sha256sum] = "fa53c95631febb08a9de41fd2864cfff815cf62d9306723ab0d4b8d7aa1638f0"
+SRC_URI[md5sum] = "dfc674f8f454e3bc2d4ccd73ad3b5f1e"
+SRC_URI[sha256sum] = "133d48298fe5315ae9366a0ec66282fa4040efa5d566174481077ade7d18ea40"
S = "${WORKDIR}/httpd-${PV}"
inherit autotools update-rc.d pkgconfig systemd update-alternatives
-ALTERNATIVE_${PN}-doc = "htpasswd.1"
-ALTERNATIVE_LINK_NAME[htpasswd.1] = "${mandir}/man1/htpasswd.1"
+DEPENDS = "openssl expat pcre apr apr-util apache2-native "
-SYSTEMD_SERVICE_${PN} = "apache2.service"
-SYSTEMD_AUTO_ENABLE_${PN} = "disable"
+CVE_PRODUCT = "http_server"
SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice"
+PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,libselinux"
+PACKAGECONFIG[openldap] = "--enable-ldap --enable-authnz-ldap,--disable-ldap --disable-authnz-ldap,openldap"
+PACKAGECONFIG[zlib] = "--enable-deflate,,zlib,zlib"
+
CFLAGS_append = " -DPATH_MAX=4096"
-CFLAGS_prepend = "-I${STAGING_INCDIR}/openssl "
-EXTRA_OECONF = "--enable-ssl \
- --with-ssl=${STAGING_LIBDIR}/.. \
- --with-expat=${STAGING_LIBDIR}/.. \
- --with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
- --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \
- --enable-info \
- --enable-rewrite \
- --with-dbm=sdbm \
- --with-berkeley-db=no \
- --localstatedir=/var/${BPN} \
- --with-gdbm=no \
- --with-ndbm=no \
+
+EXTRA_OECONF_class-target = "\
+ --enable-layout=Debian \
+ --prefix=${base_prefix} \
+ --exec_prefix=${exec_prefix} \
--includedir=${includedir}/${BPN} \
- --datadir=${datadir}/${BPN} \
--sysconfdir=${sysconfdir}/${BPN} \
+ --datadir=${datadir}/${BPN} \
+ --libdir=${libdir} \
--libexecdir=${libdir}/${BPN}/modules \
- ap_cv_void_ptr_lt_long=no \
+ --localstatedir=${localstatedir} \
+ --enable-ssl \
+ --with-dbm=sdbm \
+ --with-gdbm=no \
+ --with-ndbm=no \
+ --with-berkeley-db=no \
+ --enable-info \
+ --enable-rewrite \
--enable-mpms-shared \
+ ap_cv_void_ptr_lt_long=no \
ac_cv_have_threadsafe_pollset=no \
- --enable-layout=Debian \
- --prefix=${base_prefix}/"
+ "
-PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,libselinux"
-PACKAGECONFIG[openldap] = "--enable-ldap --enable-authnz-ldap,--disable-ldap --disable-authnz-ldap,openldap"
-PACKAGECONFIG[zlib] = "--enable-deflate --with-z=${STAGING_LIBDIR},,zlib,zlib"
+EXTRA_OECONF_class-native = "\
+ --prefix=${prefix} \
+ --includedir=${includedir}/${BPN} \
+ --sysconfdir=${sysconfdir}/${BPN} \
+ --datadir=${datadir}/${BPN} \
+ --libdir=${libdir} \
+ --libexecdir=${libdir}/${BPN}/modules \
+ --localstatedir=${localstatedir} \
+ "
do_configure_prepend() {
- sed -i -e 's:$''{prefix}/usr/lib/cgi-bin:$''{libdir}/cgi-bin:g' ${S}/config.layout
+ sed -i -e 's:$''{prefix}/usr/lib/cgi-bin:$''{libdir}/cgi-bin:g' ${S}/config.layout
}
-do_install_append() {
+do_install_append_class-target() {
install -d ${D}/${sysconfdir}/init.d
+
cat ${WORKDIR}/init | \
sed -e 's,/usr/sbin/,${sbindir}/,g' \
-e 's,/usr/bin/,${bindir}/,g' \
- -e 's,/usr/lib,${libdir}/,g' \
+ -e 's,/usr/lib/,${libdir}/,g' \
-e 's,/etc/,${sysconfdir}/,g' \
-e 's,/usr/,${prefix}/,g' > ${D}/${sysconfdir}/init.d/${BPN}
+
chmod 755 ${D}/${sysconfdir}/init.d/${BPN}
- # remove the goofy original files...
+
+ # Remove the goofy original files...
rm -rf ${D}/${sysconfdir}/${BPN}/original
- # Expat should be found in the staging area via DEPENDS...
- rm -f ${D}/${libdir}/libexpat.*
install -d ${D}${sysconfdir}/${BPN}/conf.d
install -d ${D}${sysconfdir}/${BPN}/modules.d
@@ -93,44 +102,58 @@ do_install_append() {
printf "\nIncludeOptional ${sysconfdir}/${BPN}/conf.d/*.conf" >> ${D}/${sysconfdir}/${BPN}/httpd.conf
printf "\nIncludeOptional ${sysconfdir}/${BPN}/modules.d/*.load" >> ${D}/${sysconfdir}/${BPN}/httpd.conf
printf "\nIncludeOptional ${sysconfdir}/${BPN}/modules.d/*.conf\n\n" >> ${D}/${sysconfdir}/${BPN}/httpd.conf
- # match with that is in init script
+
+ # Match with that is in init script
printf "\nPidFile /run/httpd.pid" >> ${D}/${sysconfdir}/${BPN}/httpd.conf
+
# Set 'ServerName' to fix error messages when restart apache service
sed -i 's/^#ServerName www.example.com/ServerName localhost/' ${D}/${sysconfdir}/${BPN}/httpd.conf
+ sed -i 's/^ServerRoot/#ServerRoot/' ${D}/${sysconfdir}/${BPN}/httpd.conf
+
+ sed -i -e 's,${STAGING_DIR_TARGET},,g' \
+ -e 's,${DEBUG_PREFIX_MAP},,g' \
+ -e 's,-fdebug-prefix-map[^ ]*,,g; s,-fmacro-prefix-map[^ ]*,,g' \
+ -e 's,${HOSTTOOLS_DIR}/,,g' \
+ -e 's,APU_INCLUDEDIR = .*,APU_INCLUDEDIR = ,g' \
+ -e 's,APU_CONFIG = .*,APU_CONFIG = ,g' ${D}${datadir}/apache2/build/config_vars.mk
+
+ sed -i -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
+ -e 's,${DEBUG_PREFIX_MAP},,g' \
+ -e 's,${RECIPE_SYSROOT},,g' \
+ -e 's,-fdebug-prefix-map[^ ]*,,g; s,-fmacro-prefix-map[^ ]*,,g' \
+ -e 's,APU_INCLUDEDIR = .*,APU_INCLUDEDIR = ,g' \
+ -e 's,".*/configure","configure",g' ${D}${datadir}/apache2/build/config.nice
+
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/tmpfiles.d/
install -m 0644 ${WORKDIR}/apache2-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
+
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/apache2.service ${D}${systemd_unitdir}/system
+ sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/apache2.service
+ sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' ${D}${systemd_unitdir}/system/apache2.service
elif ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/default/volatiles
install -m 0644 ${WORKDIR}/volatiles.04_apache2 ${D}${sysconfdir}/default/volatiles/04_apache2
fi
- install -d ${D}${systemd_unitdir}/system
- install -m 0644 ${WORKDIR}/apache2.service ${D}${systemd_unitdir}/system
- sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/apache2.service
- sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' ${D}${systemd_unitdir}/system/apache2.service
-
+ rm -rf ${D}${localstatedir}
chown -R root:root ${D}
}
-do_install_append_class-target() {
- sed -i -e 's,${STAGING_DIR_HOST},,g' \
- -e 's,APU_INCLUDEDIR = .*,APU_INCLUDEDIR = ,g' \
- -e 's,APU_CONFIG = .*,APU_CONFIG = ,g' ${D}${datadir}/apache2/build/config_vars.mk
-
- sed -i -e 's,${STAGING_DIR_HOST},,g' \
- -e 's,".*/configure","configure",g' ${D}${datadir}/apache2/build/config.nice
- rm -rf ${D}${localstatedir}/run
+do_install_append_class-native() {
+ install -d ${D}${bindir} ${D}${libdir}
+ install -m 755 server/gen_test_char ${D}${bindir}
}
-SYSROOT_PREPROCESS_FUNCS += "apache_sysroot_preprocess"
+SYSROOT_PREPROCESS_FUNCS_append_class-target = " apache_sysroot_preprocess"
-apache_sysroot_preprocess () {
- install -d ${SYSROOT_DESTDIR}${bindir_crossscripts}/
- install -m 755 ${D}${bindir}/apxs ${SYSROOT_DESTDIR}${bindir_crossscripts}/
- install -d ${SYSROOT_DESTDIR}${sbindir}/
- install -m 755 ${D}${sbindir}/apachectl ${SYSROOT_DESTDIR}${sbindir}/
+apache_sysroot_preprocess() {
+ install -d ${SYSROOT_DESTDIR}${bindir_crossscripts}
+ install -m 755 ${D}${bindir}/apxs ${SYSROOT_DESTDIR}${bindir_crossscripts}
+ install -d ${SYSROOT_DESTDIR}${sbindir}
+ install -m 755 ${D}${sbindir}/apachectl ${SYSROOT_DESTDIR}${sbindir}
sed -i 's!my $installbuilddir = .*!my $installbuilddir = "${STAGING_DIR_HOST}/${datadir}/${BPN}/build";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs
sed -i 's!my $libtool = .*!my $libtool = "${STAGING_BINDIR_CROSS}/${HOST_SYS}-libtool";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs
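Review bot: `rm -rf ${D}${localstatedir}` now strips everything under the state directory from the package, where the old code removed only `${localstatedir}/run`. Runtime log and run directories therefore depend entirely on the tmpfiles.d or volatiles entry installed in the `if`/`elif` just above. When DISTRO_FEATURES contains neither `systemd` nor `sysvinit`, neither file is installed, and httpd would presumably start without the directories it writes to; the contents of apache2-volatile.conf and volatiles.04_apache2 are not visible here, so this needs confirming. At minimum the line deserves a comment such as `# /var is recreated at boot by tmpfiles.d or volatiles; nothing under ${localstatedir} is packaged`. do_install_append_class-target begins in the previous hunk.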
@@ -143,52 +166,38 @@ apache_sysroot_preprocess () {
sed -i 's!--sysroot=[^ ]*!--sysroot=${STAGING_DIR_HOST}!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk
}
-#
-# implications - used by update-rc.d scripts
-#
+# Implications - used by update-rc.d scripts
INITSCRIPT_NAME = "apache2"
INITSCRIPT_PARAMS = "defaults 91 20"
-LEAD_SONAME = "libapr-1.so.0"
+
+SYSTEMD_SERVICE_${PN} = "apache2.service"
+SYSTEMD_AUTO_ENABLE_${PN} = "enable"
+
+ALTERNATIVE_${PN}-doc = "htpasswd.1"
+ALTERNATIVE_LINK_NAME[htpasswd.1] = "${mandir}/man1/htpasswd.1"
PACKAGES = "${PN}-scripts ${PN}-doc ${PN}-dev ${PN}-dbg ${PN}"
CONFFILES_${PN} = "${sysconfdir}/${BPN}/httpd.conf \
${sysconfdir}/${BPN}/magic \
- ${sysconfdir}/${BPN}/mime.types \
- ${sysconfdir}/init.d/${BPN} "
+ ${sysconfdir}/${BPN}/mime.types"
-# we override here rather than append so that .so links are
+# We override here rather than append so that .so links are
# included in the runtime package rather than here (-dev)
-# and to get build, icons, error into the -dev package
-FILES_${PN}-dev = "${datadir}/${BPN}/build \
- ${datadir}/${BPN}/icons \
+# and to get icons, error into the -dev package
+FILES_${PN}-dev = "${datadir}/${BPN}/icons \
${datadir}/${BPN}/error \
- ${bindir}/apr-config ${bindir}/apu-config \
- ${libdir}/apr*.exp \
${includedir}/${BPN} \
- ${libdir}/*.la \
- ${libdir}/*.a \
- ${bindir}/apxs \
- "
-
-
-# manual to manual
-FILES_${PN}-doc += " ${datadir}/${BPN}/manual"
+ "
FILES_${PN}-scripts += "${bindir}/dbmmanage"
-#
-# override this too - here is the default, less datadir
-#
-FILES_${PN} = "${bindir} ${sbindir} ${libexecdir} ${libdir}/lib*.so.* ${sysconfdir} \
- ${sharedstatedir} ${localstatedir} /bin /sbin /lib/*.so* \
- ${libdir}/${BPN}"
-
-# we want htdocs and cgi-bin to go with the binary
-FILES_${PN} += "${datadir}/${BPN}/htdocs ${datadir}/${BPN}/cgi-bin"
+# Override this too - here is the default, less datadir
+FILES_${PN} = "${bindir} ${sbindir} ${libexecdir} ${libdir} \
+ ${sysconfdir} ${libdir}/${BPN}"
-#make sure the lone .so links also get wrapped in the base package
-FILES_${PN} += "${libdir}/lib*.so ${libdir}/pkgconfig/*"
+# We want htdocs and cgi-bin to go with the binary
+FILES_${PN} += "${datadir}/${BPN}/ ${libdir}/cgi-bin"
FILES_${PN}-dbg += "${libdir}/${BPN}/modules/.debug"
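Review bot: `SYSTEMD_AUTO_ENABLE_${PN}` changes from `"disable"` to `"enable"`, so a systemd image that pulls in this package now starts a network-listening httpd at boot with the packaged httpd.conf, where it previously had to be enabled explicitly. If that default is intended, it should be stated next to the variable, for example `# httpd starts at boot by default; set SYSTEMD_AUTO_ENABLE_${PN} = "disable" in a bbappend for images that only need it on demand`. Otherwise keeping `"disable"` preserves the smaller default attack surface. In the same hunk `FILES_${PN}` now takes all of `${libdir}` and `CONFFILES_${PN}` no longer lists the init script, so local edits to `${sysconfdir}/init.d/${BPN}` will presumably be overwritten on package upgrade.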
@@ -196,5 +205,4 @@ RDEPENDS_${PN} += "openssl libgcc"
RDEPENDS_${PN}-scripts += "perl ${PN}"
RDEPENDS_${PN}-dev = "perl"
-FILES_${PN} += "${libdir}/cgi-bin"
-FILES_${PN} += "${datadir}/${BPN}/"
+BBCLASSEXTEND = "native"
diff --git a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/files/init b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/files/init
index 758d133b..758d133b 100755..100644
--- a/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/files/init
+++ b/external/meta-openembedded/meta-webserver/recipes-httpd/apache2/files/init
diff --git a/external/meta-qt5/recipes-qt/qt5/qtbase_git.bb b/external/meta-qt5/recipes-qt/qt5/qtbase_git.bb
index ca8de801..8ab1746a 100644
--- a/external/meta-qt5/recipes-qt/qt5/qtbase_git.bb
+++ b/external/meta-qt5/recipes-qt/qt5/qtbase_git.bb
@@ -64,10 +64,10 @@ QT_CONFIG_FLAGS_GOLD_x86 = "-no-use-gold-linker"
LDFLAGS_append_x86 = "${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', ' -fuse-ld=bfd ', '', d)}"
# separate some parts of PACKAGECONFIG which are often changed
-PACKAGECONFIG_GL ?= "${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'gl', '', d)}"
+PACKAGECONFIG_GL ?= "${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'gl', 'no-opengl', d)}"
PACKAGECONFIG_FB ?= "${@bb.utils.contains('DISTRO_FEATURES', 'directfb', 'directfb', '', d)}"
PACKAGECONFIG_X11 ?= "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'xcb xinput2 glib xkb xkbcommon-evdev', '', d)}"
-PACKAGECONFIG_KDE ?= "${@bb.utils.contains('DISTRO_FEATURES', 'kde', 'sm cups fontconfig kms gbm libinput', '', d)}"
+PACKAGECONFIG_KDE ?= "${@bb.utils.contains('DISTRO_FEATURES', 'kde', 'sm cups fontconfig kms gbm libinput sql-sqlite openssl', '', d)}"
PACKAGECONFIG_FONTS ?= ""
PACKAGECONFIG_SYSTEM ?= "jpeg libpng zlib"
PACKAGECONFIG_DISTRO ?= ""
@@ -75,7 +75,7 @@ PACKAGECONFIG_DISTRO ?= ""
PACKAGECONFIG_RELEASE ?= "release"
# This is in qt5.inc, because qtwebkit-examples are using it to enable ca-certificates dependency
# PACKAGECONFIG_OPENSSL ?= "openssl"
-PACKAGECONFIG_DEFAULT ?= "dbus udev evdev widgets tools libs freetype tests \
+PACKAGECONFIG_DEFAULT ?= "accessibility dbus udev evdev widgets tools libs freetype tests \
${@bb.utils.contains('SELECTED_OPTIMIZATION', '-Os', 'optimize-size ltcg', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'qt5-static', 'static', '', d)} \
"
diff --git a/external/meta-spdxscanner/README.md b/external/meta-spdxscanner/README.md
index 799bba1f..a41f8216 100644
--- a/external/meta-spdxscanner/README.md
+++ b/external/meta-spdxscanner/README.md
@@ -1,52 +1,79 @@
+# This repository has been moved to http://git.yoctoproject.org/cgit/cgit.cgi/meta-spdxscanner/.
+
# meta-spdxscanner
meta-spdxscanner supports the following SPDX create tools.
-1. fossdriver (recommend)
-2. DoSOCSv2 (Not recommended)
+1. fossology REST API (Can work with fossology after 3.5.0)
+2. fossdriver (Can work with fossology)
+3. scancode-toolkit
+4. DoSOCSv2 (Scanner comes from fossology 3.4.0)
+
+# This layer supplys invoking scanners as following:
+
+1. fossology REST API
+- openembedded-core
-# This layer depends on:
+2. fossdriver
+- openembedded-core
+3. scancode-toolkit
+- openembedded-core
+
+4. DoSOCSv2
- openembedded-core
- meta-openembedded/meta-oe
- meta-openembedded/meta-python
# How to use
-1. fossdriver-host.bbclass(recommend)
+1. fossology-rest.bbclass
+- inherit the folowing class in your conf/local.conf for all of recipes or
+ in some recipes which you want.
+
+```
+ INHERIT += "fossology-rest"
+ TOKEN = "eyJ0eXAiO..."
+ FOSSOLOGY_SERVER = "http://xx.xx.xx.xx:8081/repo" //Optional,by default, it is http://127.0.0.1:8081/repo
+ FOLDER_NAME = "xxxx" //Optional,by default, it is the top folder "Software Repository"(folderId=1).
+```
+Note
+- If you want to use fossology-rest.bbclass, you have to make sure that fossology server on your host and make sure it works well.
+ Please reference to https://hub.docker.com/r/fossology/fossology/.
+- TOKEN can be created on fossology server after login by "Admin"->"Users"->"Edit user account"->"Create a new token".
+- If you don't want to create spdx files for *-native, please use meta-spdxscanner/classes/nopackages.bbclass instead of oe-core.
+
+2. fossdriver-host.bbclass
- inherit the folowing class in your conf/local.conf for all of recipes or
in some recipes which you want.
```
INHERIT += "fossdriver-host"
- SPDX_DEPLOY_DIR = "${SPDX_DEST_DIR}"
```
Note
- If you want to use fossdriver-host.bbclass, you have to make sure that fossology server and fossdriver has been installed on your host and make sure it works well.
Please reference to https://hub.docker.com/r/fossology/fossology/ and https://github.com/fossology/fossdriver.
- Please use meta-spdxscanner/classes/nopackages.bbclass instead of oe-core. Because there is no necessary to create spdx files for *-native.
-2. dosocs-host.bbclass (Not recommended)
+3. scancode.bbclass
- inherit the folowing class in your conf/local.conf for all of recipes or
in some recipes which you want.
```
- INHERIT += "dosocs-host"
- SPDX_DEPLOY_DIR = "${SPDX_DEST_DIR}"
+ INHERIT += "scancode-tk"
```
-
Note
- - If you want to use dosocs-host.bbclass, you have to make sure that DoSOCSv2 has been installed on your host and it works wekk.
- Please reference to https://github.com/DoSOCSv2/DoSOCSv2.
- - To make DoSOCSv2 support multi task, Add PostgreSQL configuration for DoSOCSv2.
-
-3. dosocs.bbclass (Not recommended)
+- If you want to use scancode.bbclass, There is no need to install anything on your host.
+- To aviod loop dependence,please use meta-spdxscanner/classes/nopackages.bbclass instead the file comes from oe-core.
+
+
+4. dosocs.bbclass
- inherit the folowing class in your conf/local.conf for all of recipes or
in some recipes which you want.
```
INHERIT += "dosocs"
- SPDX_DEPLOY_DIR = "${SPDX_DEST_DIR}"
```
-
-Note
- - Default, DoSOCSv2 uses SQLite for database, so dosocs.bbclass doesn't support multi tasks of do_spdx.
+Note
+- There is no necessary to install any OSS on host.
+- Please use meta-spdxscanner/classes/nopackages.bbclass instead of oe-core. Because there is no necessary to create spdx files for *-native.
+- Default, DoSOCSv2 uses SQLite for database, so dosocs.bbclass doesn't support multi tasks of do_spdx.
diff --git a/external/meta-spdxscanner/classes/dosocs-host.bbclass b/external/meta-spdxscanner/classes/dosocs-host.bbclass
deleted file mode 100644
index a6ed6917..00000000
--- a/external/meta-spdxscanner/classes/dosocs-host.bbclass
+++ /dev/null
@@ -1,262 +0,0 @@
-# This class integrates real-time license scanning, generation of SPDX standard
-# output and verifiying license info during the building process.
-# It is a combination of efforts from the OE-Core, SPDX and DoSOCSv2 projects.
-#
-# For more information on DoSOCSv2:
-# https://github.com/DoSOCSv2
-#
-# For more information on SPDX:
-# http://www.spdx.org
-#
-# Note:
-# 1) Make sure DoSOCSv2 has beed installed in your host
-# 2) By default,spdx files will be output to the path which is defined as[SPDX_DEPLOY_DIR]
-# in ./meta/conf/spdx-dosocs.conf.
-
-SPDXSSTATEDIR = "${WORKDIR}/spdx_sstate_dir"
-LICENSELISTVERSION = "2.6"
-CREATOR_TOOL = "meta-spdxscanner"
-# If ${S} isn't actually the top-level source directory, set SPDX_S to point at
-# the real top-level directory.
-
-SPDX_S ?= "${S}"
-
-python do_spdx () {
- import os, sys
- import json
-
- import shutil
-
- pn = d.getVar('PN')
- workdir_tmp = d.getVar('WORKDIR')
-
- ## It's no necessary to get spdx files for *-native
- if pn.find("-native") != -1 or pn.find("binutils-cross") != -1:
- return None
-
- # Forcibly expand the sysroot paths as we're about to change WORKDIR
- d.setVar('RECIPE_SYSROOT', d.getVar('RECIPE_SYSROOT'))
- d.setVar('RECIPE_SYSROOT_NATIVE', d.getVar('RECIPE_SYSROOT_NATIVE'))
-
- ## gcc and kernel is too big to get spdx file.
- if ('gcc') in d.getVar('PN', True):
- #invoke_dosocs2("/yocto/work002/fnst/leimh/community/gcc-7.3.0/","/yocto/work001/gcc-7.3.spdx",(d.getVar('WORKDIR', True) or ""))
- return None
- if bb.data.inherits_class('kernel', d):
- #invoke_dosocs2("/yocto/work002/fnst/leimh/community/linux-4.14.44","/yocto/work001/linux-4.14.44.spdx",(d.getVar('WORKDIR', True) or ""))
- return None
-
- bb.note('Archiving the configured source...')
- # "gcc-source-${PV}" recipes don't have "do_configure"
- # task, so we need to run "do_preconfigure" instead
- if pn.startswith("gcc-source-"):
- d.setVar('WORKDIR', d.getVar('ARCHIVER_WORKDIR'))
- bb.build.exec_func('do_preconfigure', d)
-
- # Change the WORKDIR to make do_configure run in another dir.
- d.setVar('WORKDIR', d.getVar('SPDX_TEMP_DIR'))
- #if bb.data.inherits_class('kernel-yocto', d):
- # bb.build.exec_func('do_kernel_configme', d)
- #if bb.data.inherits_class('cmake', d):
- # bb.build.exec_func('do_generate_toolchain_file', d)
- bb.build.exec_func('do_unpack', d)
-
- d.setVar('WORKDIR', workdir_tmp)
- info = {}
- info['workdir'] = (d.getVar('WORKDIR', True) or "")
- info['pn'] = (d.getVar( 'PN', True ) or "")
- info['pv'] = (d.getVar( 'PV', True ) or "")
- info['package_download_location'] = (d.getVar( 'SRC_URI', True ) or "")
- if info['package_download_location'] != "":
- info['package_download_location'] = info['package_download_location'].split()[0]
- info['spdx_version'] = (d.getVar('SPDX_VERSION', True) or '')
- info['data_license'] = (d.getVar('DATA_LICENSE', True) or '')
- info['creator'] = {}
- info['creator']['Tool'] = (d.getVar('CREATOR_TOOL', True) or '')
- info['license_list_version'] = (d.getVar('LICENSELISTVERSION', True) or '')
- info['package_homepage'] = (d.getVar('HOMEPAGE', True) or "")
- info['package_summary'] = (d.getVar('SUMMARY', True) or "")
- info['package_summary'] = info['package_summary'].replace("\n","")
- info['package_summary'] = info['package_summary'].replace("'"," ")
- info['package_contains'] = (d.getVar('CONTAINED', True) or "")
- info['package_static_link'] = (d.getVar('STATIC_LINK', True) or "")
-
- spdx_sstate_dir = (d.getVar('SPDXSSTATEDIR', True) or "")
- manifest_dir = (d.getVar('SPDX_DEPLOY_DIR', True) or "")
- info['outfile'] = os.path.join(manifest_dir, info['pn'] + "-" + info['pv'] + ".spdx" )
- sstatefile = os.path.join(spdx_sstate_dir,
- info['pn'] + "-" + info['pv'] + ".spdx" )
-
- ## get everything from cache. use it to decide if
- ## something needs to be rerun
- if not os.path.exists( spdx_sstate_dir ):
- bb.utils.mkdirhier( spdx_sstate_dir )
-
- d.setVar('WORKDIR', d.getVar('SPDX_TEMP_DIR', True))
- info['sourcedir'] = (d.getVar('SPDX_S', True) or "")
- cur_ver_code = get_ver_code( info['sourcedir'] ).split()[0]
- cache_cur = False
- if os.path.exists( sstatefile ):
- ## cache for this package exists. read it in
- cached_spdx = get_cached_spdx( sstatefile )
- if cached_spdx:
- cached_spdx = cached_spdx.split()[0]
- if (cached_spdx == cur_ver_code):
- bb.warn(info['pn'] + "'s ver code same as cache's. do nothing")
- cache_cur = True
- create_manifest(info,sstatefile)
- if not cache_cur:
- git_path = "%s/.git" % info['sourcedir']
- if os.path.exists(git_path):
- remove_dir_tree(git_path)
-
- ## Get spdx file
- #bb.warn(' run_dosocs2 ...... ')
- invoke_dosocs2(info['sourcedir'],sstatefile,info['workdir'])
- if get_cached_spdx( sstatefile ) != None:
- write_cached_spdx( info,sstatefile,cur_ver_code )
- ## CREATE MANIFEST(write to outfile )
- create_manifest(info,sstatefile)
- else:
- bb.warn('Can\'t get the spdx file ' + info['pn'] + '. Please check your dosocs2.')
- d.setVar('WORKDIR', info['workdir'])
-}
-
-addtask spdx after do_patch before do_configure
-
-def invoke_dosocs2( OSS_src_dir, spdx_file, workdir):
- import subprocess
- import string
- import json
- import codecs
-
-
- dosocs2_cmd = "/usr/local/bin/dosocs2"
- dosocs2_oneshot_cmd = dosocs2_cmd + " oneshot " + OSS_src_dir
- print(dosocs2_oneshot_cmd)
- try:
- dosocs2_output = subprocess.check_output(dosocs2_oneshot_cmd,
- stderr=subprocess.STDOUT,
- shell=True)
- except subprocess.CalledProcessError as e:
- bb.warn("Could not invoke dosocs2 oneshot Command "
- "'%s' returned %d:\n%s" % (dosocs2_oneshot_cmd, e.returncode, e.output))
- return None
- dosocs2_output = dosocs2_output.decode('utf-8')
-
- f = codecs.open(spdx_file,'w','utf-8')
- f.write(dosocs2_output)
-
-def create_manifest(info,sstatefile):
- import shutil
- shutil.copyfile(sstatefile,info['outfile'])
-
-def get_cached_spdx( sstatefile ):
- import subprocess
-
- if not os.path.exists( sstatefile ):
- return None
-
- try:
- output = subprocess.check_output(['grep', "PackageVerificationCode", sstatefile])
- except subprocess.CalledProcessError as e:
- bb.error("Index creation command '%s' failed with return code %d:\n%s" % (e.cmd, e.returncode, e.output))
- return None
- cached_spdx_info=output.decode('utf-8').split(': ')
- return cached_spdx_info[1]
-
-## Add necessary information into spdx file
-def write_cached_spdx( info,sstatefile, ver_code ):
- import subprocess
-
- def sed_replace(dest_sed_cmd,key_word,replace_info):
- dest_sed_cmd = dest_sed_cmd + "-e 's#^" + key_word + ".*#" + \
- key_word + replace_info + "#' "
- return dest_sed_cmd
-
- def sed_insert(dest_sed_cmd,key_word,new_line):
- dest_sed_cmd = dest_sed_cmd + "-e '/^" + key_word \
- + r"/a\\" + new_line + "' "
- return dest_sed_cmd
-
- ## Document level information
- sed_cmd = r"sed -i -e 's#\r$##g' "
- spdx_DocumentComment = "<text>SPDX for " + info['pn'] + " version " \
- + info['pv'] + "</text>"
- sed_cmd = sed_replace(sed_cmd,"DocumentComment",spdx_DocumentComment)
-
- ## Creator information
- sed_cmd = sed_replace(sed_cmd,"Creator: ",info['creator']['Tool'])
- sed_cmd = sed_replace(sed_cmd,"LicenseListVersion: ",info['license_list_version'])
-
- ## Package level information
- sed_cmd = sed_replace(sed_cmd,"PackageName: ",info['pn'])
- sed_cmd = sed_insert(sed_cmd,"PackageName: ", "PackageVersion: " + info['pv'])
- sed_cmd = sed_replace(sed_cmd,"PackageDownloadLocation: ",info['package_download_location'])
- sed_cmd = sed_replace(sed_cmd,"PackageHomePage: ",info['package_homepage'])
- sed_cmd = sed_replace(sed_cmd,"PackageSummary: ","<text>" + info['package_summary'] + "</text>")
- sed_cmd = sed_insert(sed_cmd,"PackageVerificationCode: ",ver_code)
- sed_cmd = sed_replace(sed_cmd,"PackageDescription: ",
- "<text>" + info['pn'] + " version " + info['pv'] + "</text>")
- for contain in info['package_contains'].split( ):
- sed_cmd = sed_insert(sed_cmd,"PackageComment:"," \\n\\n## Relationships\\nRelationship: " + info['pn'] + " CONTAINS " + contain)
- for static_link in info['package_static_link'].split( ):
- sed_cmd = sed_insert(sed_cmd,"PackageComment:"," \\n\\n## Relationships\\nRelationship: " + info['pn'] + " STATIC_LINK " + static_link)
- sed_cmd = sed_cmd + sstatefile
-
- subprocess.call("%s" % sed_cmd, shell=True)
-
-def remove_dir_tree( dir_name ):
- import shutil
- try:
- shutil.rmtree( dir_name )
- except:
- pass
-
-def remove_file( file_name ):
- try:
- os.remove( file_name )
- except OSError as e:
- pass
-
-def list_files( dir ):
- for root, subFolders, files in os.walk( dir ):
- for f in files:
- rel_root = os.path.relpath( root, dir )
- yield rel_root, f
- return
-
-def hash_file( file_name ):
- """
- Return the hex string representation of the SHA1 checksum of the filename
- """
- try:
- import hashlib
- except ImportError:
- return None
-
- sha1 = hashlib.sha1()
- with open( file_name, "rb" ) as f:
- for line in f:
- sha1.update(line)
- return sha1.hexdigest()
-
-def hash_string( data ):
- import hashlib
- sha1 = hashlib.sha1()
- sha1.update( data.encode('utf-8') )
- return sha1.hexdigest()
-
-def get_ver_code( dirname ):
- chksums = []
- for f_dir, f in list_files( dirname ):
- try:
- stats = os.stat(os.path.join(dirname,f_dir,f))
- except OSError as e:
- bb.warn( "Stat failed" + str(e) + "\n")
- continue
- chksums.append(hash_file(os.path.join(dirname,f_dir,f)))
- ver_code_string = ''.join( chksums ).lower()
- ver_code = hash_string( ver_code_string )
- return ver_code
-
diff --git a/external/meta-spdxscanner/classes/dosocs.bbclass b/external/meta-spdxscanner/classes/dosocs.bbclass
deleted file mode 100644
index 755e8260..00000000
--- a/external/meta-spdxscanner/classes/dosocs.bbclass
+++ /dev/null
@@ -1,302 +0,0 @@
-# This class integrates real-time license scanning, generation of SPDX standard
-# output and verifiying license info during the building process.
-# It is a combination of efforts from the OE-Core, SPDX and DoSOCSv2 projects.
-#
-# For more information on DoSOCSv2:
-# https://github.com/DoSOCSv2
-#
-# For more information on SPDX:
-# http://www.spdx.org
-#
-# Note:
-# 1) Make sure DoSOCSv2 has beed installed in your host
-# 2) By default,spdx files will be output to the path which is defined as[SPDX_DEPLOY_DIR]
-# in ./meta/conf/spdx-dosocs.conf.
-
-PYTHON_INHERIT = "${@bb.utils.contains('PN', '-native', '', 'python3-dir', d)}"
-PYTHON_INHERIT .= "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native', '', d)}"
-
-inherit ${PYTHON_INHERIT} python3-dir
-
-PYTHON = "${@bb.utils.contains('PN', '-native', '${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN}', '', d)}"
-EXTRANATIVEPATH += "${PYTHON_PN}-native"
-
-# python-config and other scripts are using distutils modules
-# which we patch to access these variables
-export STAGING_INCDIR
-export STAGING_LIBDIR
-
-# autoconf macros will use their internal default preference otherwise
-export PYTHON
-
-do_spdx[depends] += "python3-dosocs2-init-native:do_dosocs2_init"
-do_spdx[depends] += "python3-dosocs2-native:do_populate_sysroot"
-
-SPDXSSTATEDIR = "${WORKDIR}/spdx_sstate_dir"
-
-# If ${S} isn't actually the top-level source directory, set SPDX_S to point at
-# the real top-level directory.
-
-SPDX_S ?= "${S}"
-
-python do_spdx () {
- import os, sys
- import json
-
- pn = d.getVar("PN")
- depends = d.getVar("DEPENDS")
- ## It's no necessary to get spdx files for *-native
- if pn.find("-native") == -1 and pn.find("binutils-cross") == -1:
- PYTHON = "${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN}"
- os.environ['PYTHON'] = PYTHON
- depends = "%s python3-dosocs2-init-native" % depends
- d.setVar("DEPENDS", depends)
- else:
- return None
-
- ## gcc and kernel is too big to get spdx file.
- if ('gcc' or 'linux-yocto') in d.getVar('PN', True):
- return None
-
- info = {}
- info['workdir'] = (d.getVar('WORKDIR', True) or "")
- info['pn'] = (d.getVar( 'PN', True ) or "")
- info['pv'] = (d.getVar( 'PV', True ) or "")
- info['package_download_location'] = (d.getVar( 'SRC_URI', True ) or "")
- if info['package_download_location'] != "":
- info['package_download_location'] = info['package_download_location'].split()[0]
- info['spdx_version'] = (d.getVar('SPDX_VERSION', True) or '')
- info['data_license'] = (d.getVar('DATA_LICENSE', True) or '')
- info['creator'] = {}
- info['creator']['Tool'] = (d.getVar('CREATOR_TOOL', True) or '')
- info['license_list_version'] = (d.getVar('LICENSELISTVERSION', True) or '')
- info['package_homepage'] = (d.getVar('HOMEPAGE', True) or "")
- info['package_summary'] = (d.getVar('SUMMARY', True) or "")
- info['package_summary'] = info['package_summary'].replace("\n","")
- info['package_summary'] = info['package_summary'].replace("'"," ")
- info['package_contains'] = (d.getVar('CONTAINED', True) or "")
- info['package_static_link'] = (d.getVar('STATIC_LINK', True) or "")
-
- spdx_sstate_dir = (d.getVar('SPDXSSTATEDIR', True) or "")
- manifest_dir = (d.getVar('SPDX_DEPLOY_DIR', True) or "")
- info['outfile'] = os.path.join(manifest_dir, info['pn'] + "-" + info['pv'] + ".spdx" )
- sstatefile = os.path.join(spdx_sstate_dir,
- info['pn'] + "-" + info['pv'] + ".spdx" )
-
- ## get everything from cache. use it to decide if
- ## something needs to be rerun
- if not os.path.exists( spdx_sstate_dir ):
- bb.utils.mkdirhier( spdx_sstate_dir )
-
- d.setVar('WORKDIR', d.getVar('SPDX_TEMP_DIR', True))
- info['sourcedir'] = (d.getVar('SPDX_S', True) or "")
- cur_ver_code = get_ver_code( info['sourcedir'] ).split()[0]
- cache_cur = False
- if os.path.exists( sstatefile ):
- ## cache for this package exists. read it in
- cached_spdx = get_cached_spdx( sstatefile )
- if cached_spdx:
- cached_spdx = cached_spdx.split()[0]
- if (cached_spdx == cur_ver_code):
- bb.warn(info['pn'] + "'s ver code same as cache's. do nothing")
- cache_cur = True
- create_manifest(info,sstatefile)
- if not cache_cur:
- git_path = "%s/.git" % info['sourcedir']
- if os.path.exists(git_path):
- remove_dir_tree(git_path)
-
- ## Get spdx file
- #bb.warn(' run_dosocs2 ...... ')
- invoke_dosocs2(info['sourcedir'],sstatefile)
- if get_cached_spdx( sstatefile ) != None:
- write_cached_spdx( info,sstatefile,cur_ver_code )
- ## CREATE MANIFEST(write to outfile )
- create_manifest(info,sstatefile)
- else:
- bb.warn('Can\'t get the spdx file ' + info['pn'] + '. Please check your dosocs2.')
- d.setVar('WORKDIR', info['workdir'])
-}
-#python () {
-# deps = ' python3-dosocs2-native:do_dosocs2_init'
-# d.appendVarFlag('do_spdx', 'depends', deps)
-#}
-
-## Get the src after do_patch.
-python do_get_spdx_s() {
- import shutil
-
- pn = d.getVar('PN')
- ## It's no necessary to get spdx files for *-native
- if d.getVar('PN', True) == d.getVar('BPN', True) + "-native":
- return None
-
- ## gcc and kernel is too big to get spdx file.
- if ('gcc' or 'linux-yocto') in d.getVar('PN', True):
- return None
-
- # Forcibly expand the sysroot paths as we're about to change WORKDIR
- d.setVar('RECIPE_SYSROOT', d.getVar('RECIPE_SYSROOT'))
- d.setVar('RECIPE_SYSROOT_NATIVE', d.getVar('RECIPE_SYSROOT_NATIVE'))
-
- bb.note('Archiving the configured source...')
- pn = d.getVar('PN')
- # "gcc-source-${PV}" recipes don't have "do_configure"
- # task, so we need to run "do_preconfigure" instead
- if pn.startswith("gcc-source-"):
- d.setVar('WORKDIR', d.getVar('ARCHIVER_WORKDIR'))
- bb.build.exec_func('do_preconfigure', d)
-
- # Change the WORKDIR to make do_configure run in another dir.
- d.setVar('WORKDIR', d.getVar('SPDX_TEMP_DIR'))
- #if bb.data.inherits_class('kernel-yocto', d):
- # bb.build.exec_func('do_kernel_configme', d)
- #if bb.data.inherits_class('cmake', d):
- # bb.build.exec_func('do_generate_toolchain_file', d)
- bb.build.exec_func('do_unpack', d)
-}
-
-python () {
- pn = d.getVar("PN")
- depends = d.getVar("DEPENDS")
-
- if pn.find("-native") == -1 and pn.find("binutils-cross") == -1:
- depends = "%s python3-dosocs2-native" % depends
- d.setVar("DEPENDS", depends)
- bb.build.addtask('do_get_spdx_s','do_configure','do_patch', d)
- bb.build.addtask('do_spdx','do_package', 'do_get_spdx_s', d)
-}
-#addtask get_spdx_s after do_patch before do_configure
-#addtask spdx after do_get_spdx_s before do_package
-
-def invoke_dosocs2( OSS_src_dir, spdx_file):
- import subprocess
- import string
- import json
- import codecs
-
- path = os.getenv('PATH')
- dosocs2_cmd = bb.utils.which(os.getenv('PATH'), "dosocs2")
- dosocs2_oneshot_cmd = dosocs2_cmd + " oneshot " + OSS_src_dir
- print(dosocs2_oneshot_cmd)
- try:
- dosocs2_output = subprocess.check_output(dosocs2_oneshot_cmd,
- stderr=subprocess.STDOUT,
- shell=True)
- except subprocess.CalledProcessError as e:
- bb.fatal("Could not invoke dosocs2 oneshot Command "
- "'%s' returned %d:\n%s" % (dosocs2_oneshot_cmd, e.returncode, e.output))
- dosocs2_output = dosocs2_output.decode('utf-8')
-
- f = codecs.open(spdx_file,'w','utf-8')
- f.write(dosocs2_output)
-
-def create_manifest(info,sstatefile):
- import shutil
- shutil.copyfile(sstatefile,info['outfile'])
-
-def get_cached_spdx( sstatefile ):
- import subprocess
-
- if not os.path.exists( sstatefile ):
- return None
-
- try:
- output = subprocess.check_output(['grep', "PackageVerificationCode", sstatefile])
- except subprocess.CalledProcessError as e:
- bb.error("Index creation command '%s' failed with return code %d:\n%s" % (e.cmd, e.returncode, e.output))
- return None
- cached_spdx_info=output.decode('utf-8').split(': ')
- return cached_spdx_info[1]
-
-## Add necessary information into spdx file
-def write_cached_spdx( info,sstatefile, ver_code ):
- import subprocess
-
- def sed_replace(dest_sed_cmd,key_word,replace_info):
- dest_sed_cmd = dest_sed_cmd + "-e 's#^" + key_word + ".*#" + \
- key_word + replace_info + "#' "
- return dest_sed_cmd
-
- def sed_insert(dest_sed_cmd,key_word,new_line):
- dest_sed_cmd = dest_sed_cmd + "-e '/^" + key_word \
- + r"/a\\" + new_line + "' "
- return dest_sed_cmd
-
- ## Document level information
- sed_cmd = r"sed -i -e 's#\r$##g' "
- spdx_DocumentComment = "<text>SPDX for " + info['pn'] + " version " \
- + info['pv'] + "</text>"
- sed_cmd = sed_replace(sed_cmd,"DocumentComment",spdx_DocumentComment)
-
- ## Package level information
- sed_cmd = sed_replace(sed_cmd,"PackageName: ",info['pn'])
- sed_cmd = sed_insert(sed_cmd,"PackageVersion: ",info['pv'])
- sed_cmd = sed_replace(sed_cmd,"PackageDownloadLocation: ",info['package_download_location'])
- sed_cmd = sed_replace(sed_cmd,"PackageChecksum: ","PackageHomePage: " + info['package_homepage'])
- sed_cmd = sed_replace(sed_cmd,"PackageSummary: ","<text>" + info['package_summary'] + "</text>")
- sed_cmd = sed_replace(sed_cmd,"PackageVerificationCode: ",ver_code)
- sed_cmd = sed_replace(sed_cmd,"PackageDescription: ",
- "<text>" + info['pn'] + " version " + info['pv'] + "</text>")
- for contain in info['package_contains'].split( ):
- sed_cmd = sed_insert(sed_cmd,"PackageComment:"," \\n\\n## Relationships\\nRelationship: " + info['pn'] + " CONTAINS " + contain)
- for static_link in info['package_static_link'].split( ):
- sed_cmd = sed_insert(sed_cmd,"PackageComment:"," \\n\\n## Relationships\\nRelationship: " + info['pn'] + " STATIC_LINK " + static_link)
- sed_cmd = sed_cmd + sstatefile
-
- subprocess.call("%s" % sed_cmd, shell=True)
-
-def remove_dir_tree( dir_name ):
- import shutil
- try:
- shutil.rmtree( dir_name )
- except:
- pass
-
-def remove_file( file_name ):
- try:
- os.remove( file_name )
- except OSError as e:
- pass
-
-def list_files( dir ):
- for root, subFolders, files in os.walk( dir ):
- for f in files:
- rel_root = os.path.relpath( root, dir )
- yield rel_root, f
- return
-
-def hash_file( file_name ):
- """
- Return the hex string representation of the SHA1 checksum of the filename
- """
- try:
- import hashlib
- except ImportError:
- return None
-
- sha1 = hashlib.sha1()
- with open( file_name, "rb" ) as f:
- for line in f:
- sha1.update(line)
- return sha1.hexdigest()
-
-def hash_string( data ):
- import hashlib
- sha1 = hashlib.sha1()
- sha1.update( data.encode('utf-8') )
- return sha1.hexdigest()
-
-def get_ver_code( dirname ):
- chksums = []
- for f_dir, f in list_files( dirname ):
- try:
- stats = os.stat(os.path.join(dirname,f_dir,f))
- except OSError as e:
- bb.warn( "Stat failed" + str(e) + "\n")
- continue
- chksums.append(hash_file(os.path.join(dirname,f_dir,f)))
- ver_code_string = ''.join( chksums ).lower()
- ver_code = hash_string( ver_code_string )
- return ver_code
-
diff --git a/external/meta-spdxscanner/classes/fossdriver-host.bbclass b/external/meta-spdxscanner/classes/fossdriver-host.bbclass
index a279eab1..0b168a60 100644
--- a/external/meta-spdxscanner/classes/fossdriver-host.bbclass
+++ b/external/meta-spdxscanner/classes/fossdriver-host.bbclass
@@ -1,40 +1,23 @@
# This class integrates real-time license scanning, generation of SPDX standard
# output and verifiying license info during the building process.
-# It is a combination of efforts from the OE-Core, SPDX and DoSOCSv2 projects.
+# It is a combination of efforts from the OE-Core, SPDX and fossology projects.
#
-# For more information on DoSOCSv2:
-# https://github.com/DoSOCSv2
+# For more information on fossology REST API:
+# https://www.fossology.org/get-started/basic-rest-api-calls/
#
# For more information on SPDX:
# http://www.spdx.org
#
# Note:
-# 1) Make sure fossdriver has beed installed in your host
-# 2) By default,spdx files will be output to the path which is defined as[SPDX_DEPLOY_DIR]
-# in ./meta/conf/spdx-dosocs.conf.
-
-
-SPDXEPENDENCY += "${PATCHTOOL}-native:do_populate_sysroot"
-SPDXEPENDENCY += " wget-native:do_populate_sysroot"
-SPDXEPENDENCY += " subversion-native:do_populate_sysroot"
-SPDXEPENDENCY += " git-native:do_populate_sysroot"
-SPDXEPENDENCY += " lz4-native:do_populate_sysroot"
-SPDXEPENDENCY += " lzip-native:do_populate_sysroot"
-SPDXEPENDENCY += " xz-native:do_populate_sysroot"
-SPDXEPENDENCY += " unzip-native:do_populate_sysroot"
-SPDXEPENDENCY += " xz-native:do_populate_sysroot"
-SPDXEPENDENCY += " nodejs-native:do_populate_sysroot"
-SPDXEPENDENCY += " quilt-native:do_populate_sysroot"
-SPDXEPENDENCY += " tar-native:do_populate_sysroot"
-
-SPDX_TOPDIR ?= "${WORKDIR}/spdx_sstate_dir"
-SPDX_OUTDIR = "${SPDX_TOPDIR}/${TARGET_SYS}/${PF}/"
-SPDX_WORKDIR = "${WORKDIR}/spdx_temp/"
+# 1) Make sure fossology (after 3.5.0)(https://hub.docker.com/r/fossology/fossology/) has beed started on your host
+# 2) spdx files will be output to the path which is defined as[SPDX_DEPLOY_DIR].
+# By default, SPDX_DEPLOY_DIR is tmp/deploy/
+# 3) Added TOKEN has been set in conf/local.conf
+#
-do_spdx[dirs] = "${WORKDIR}"
+inherit spdx-common
-LICENSELISTVERSION = "2.6"
-CREATOR_TOOL = "meta-spdxscanner"
+CREATOR_TOOL = "fossdriver-host.bbclass in meta-spdxscanner"
# If ${S} isn't actually the top-level source directory, set SPDX_S to point at
# the real top-level directory.
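Review bot: Note 3 in the new header, `# 3) Added TOKEN has been set in conf/local.conf`, names a variable that none of the visible hunks of this class read. It may belong to the REST-based class instead, so it should either be dropped here or reworded to say which class consumes it. If the token stays in conf/local.conf, the comment should add that it is presumably a credential for the fossology server and that the file must be kept out of version control, for example `# 3) TOKEN (fossology API token) is set in conf/local.conf; do not commit that file`. The header also still carries the typos `verifiying` and `beed`.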
@@ -55,8 +38,6 @@ python do_spdx () {
# so avoid archiving source here.
if pn.startswith('glibc-locale'):
return
- if (d.getVar('BPN') == "linux-yocto"):
- return
if (d.getVar('PN') == "libtool-cross"):
return
if (d.getVar('PN') == "libgcc-initial"):
@@ -64,6 +45,9 @@ python do_spdx () {
if (d.getVar('PN') == "shadow-sysroot"):
return
+ if d.getVar('BPN') in ['gcc', 'libgcc']:
+ bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
+ return
# We just archive gcc-source for all the gcc related recipes
if d.getVar('BPN') in ['gcc', 'libgcc']:
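Review bot: The added early return for `BPN` in `['gcc', 'libgcc']` makes the unchanged branch directly below it (`# We just archive gcc-source for all the gcc related recipes`) unreachable, because it tests the same condition. Either delete that branch in this commit or narrow the new guard so the two do not overlap. The branch body lies outside this hunk, so what is being lost is not visible here. The debug text is also hard to read, and `bb.debug(1, 'spdx: scanning %s is known to fail, skipping' % pn)` would state the reason plainly.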
@@ -103,6 +87,9 @@ python do_spdx () {
info['modified'] = "true"
manifest_dir = (d.getVar('SPDX_DEPLOY_DIR', True) or "")
+ if not os.path.exists( manifest_dir ):
+ bb.utils.mkdirhier( manifest_dir )
+
info['outfile'] = os.path.join(manifest_dir, info['pn'] + "-" + info['pv'] + ".spdx" )
sstatefile = os.path.join(spdx_outdir, info['pn'] + "-" + info['pv'] + ".spdx" )
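Review bot: The `os.path.exists` test in front of `bb.utils.mkdirhier( manifest_dir )` is redundant, since mkdirhier already tolerates an existing directory. With many recipes running do_spdx in parallel against one deploy directory, the check-then-create form only adds a window between the two calls, so a plain `bb.utils.mkdirhier(manifest_dir)` is enough. Separately, `manifest_dir` falls back to `""` when `SPDX_DEPLOY_DIR` is unset, and `info['outfile']` then becomes a path relative to the task's current directory. A guard such as `if not manifest_dir: bb.fatal('SPDX_DEPLOY_DIR is not set')` would make that misconfiguration visible.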
@@ -122,8 +109,12 @@ python do_spdx () {
for f_dir, f in list_files(spdx_temp_dir):
temp_file = os.path.join(spdx_temp_dir,f_dir,f)
shutil.copy(temp_file, temp_dir)
- shutil.rmtree(spdx_temp_dir)
+
d.setVar('WORKDIR', spdx_workdir)
+ info['sourcedir'] = spdx_workdir
+ git_path = "%s/git/.git" % info['sourcedir']
+ if os.path.exists(git_path):
+ remove_dir_tree(git_path)
tar_name = spdx_create_tarball(d, d.getVar('WORKDIR'), 'patched', spdx_outdir)
## get everything from cache. use it to decide if
## something needs to be rerun
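Review bot: The new cleanup only removes `"%s/git/.git" % info['sourcedir']`, so it covers a single git checkout unpacked into the default `git/` subdirectory. A recipe that unpacks elsewhere or fetches several repositories keeps its `.git` metadata, which then goes into the tarball built by `spdx_create_tarball` and on to the scanner. Walking `spdx_workdir` and removing every directory named `.git` would cover those cases. The same hunk drops `shutil.rmtree(spdx_temp_dir)`; if `spdx_temp_dir` lies under `spdx_workdir` (its definition is outside this hunk), the task logs are now archived and scanned as well, which is worth confirming. `remove_dir_tree` is deleted from this file later in the same diff, so the call depends on `spdx-common` providing it.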
@@ -142,76 +133,21 @@ python do_spdx () {
create_manifest(info,sstatefile)
else:
bb.warn('Can\'t get the spdx file ' + info['pn'] + '. Please check your.')
+ remove_file(tar_name)
}
-addtask do_spdx before do_unpack after do_fetch
-
-def spdx_create_tarball(d, srcdir, suffix, ar_outdir):
- """
- create the tarball from srcdir
- """
- import tarfile, shutil
- # Make sure we are only creating a single tarball for gcc sources
- #if (d.getVar('SRC_URI') == ""):
- # return
-
- # For the kernel archive, srcdir may just be a link to the
- # work-shared location. Use os.path.realpath to make sure
- # that we archive the actual directory and not just the link.
- srcdir = os.path.realpath(srcdir)
-
- bb.utils.mkdirhier(ar_outdir)
- if suffix:
- filename = '%s-%s.tar.gz' % (d.getVar('PF'), suffix)
- else:
- filename = '%s.tar.gz' % d.getVar('PF')
- tarname = os.path.join(ar_outdir, filename)
-
- bb.note('Creating %s' % tarname)
- tar = tarfile.open(tarname, 'w:gz')
- tar.add(srcdir, arcname=os.path.basename(srcdir))
- tar.close()
- shutil.rmtree(srcdir)
- return tarname
-
-# Run do_unpack and do_patch
-def spdx_get_src(d):
- import shutil
- spdx_workdir = d.getVar('SPDX_WORKDIR')
- spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
- pn = d.getVar('PN')
-
- # We just archive gcc-source for all the gcc related recipes
- if d.getVar('BPN') in ['gcc', 'libgcc']:
- bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
- return
-
- # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
- if not is_work_shared(d):
- # Change the WORKDIR to make do_unpack do_patch run in another dir.
- d.setVar('WORKDIR', spdx_workdir)
- # Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
- d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
-
- # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
- # possibly requiring of the following tasks (such as some recipes's
- # do_patch required 'B' existed).
- bb.utils.mkdirhier(d.getVar('B'))
-
- bb.build.exec_func('do_unpack', d)
-
- # Make sure gcc and kernel sources are patched only once
- if not (d.getVar('SRC_URI') == "" or is_work_shared(d)):
- bb.build.exec_func('do_patch', d)
- # Some userland has no source.
- if not os.path.exists( spdx_workdir ):
- bb.utils.mkdirhier(spdx_workdir)
def invoke_fossdriver(tar_file, spdx_file):
import os
import time
delaytime = 20
+ import logging
+
+ logger = logging.getLogger()
+ logger.setLevel(logging.INFO)
+ logging.basicConfig(level=logging.INFO)
+
(work_dir, tar_file) = os.path.split(tar_file)
os.chdir(work_dir)
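Review bot: The added `logger = logging.getLogger()` followed by `logger.setLevel(logging.INFO)` changes the root logger of the whole process running the task, not just the output of this function, and the level is never restored. The following `logging.basicConfig(level=logging.INFO)` does nothing if the root logger already has handlers, which is likely inside a BitBake worker. If the aim is to see the scanner library's progress messages, set the level on that library's own named logger and leave the root alone. A comment such as `# raise log level so upload/scan progress appears in the task log` would record the intent. `import logging` would also read better next to the other imports above `delaytime = 20`; the rest of invoke_fossdriver lies outside this hunk.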
@@ -238,7 +174,7 @@ def invoke_fossdriver(tar_file, spdx_file):
i = 0
while i < 10:
if (Scanners(server, tar_file, "Software Repository").run() != True):
- bb.warn("%s scanner failed, try again!" % tar_file)
+ bb.warn("%s Scanners failed, try again!" % tar_file)
time.sleep(delaytime)
i+= 1
else:
@@ -270,123 +206,4 @@ def invoke_fossdriver(tar_file, spdx_file):
bb.warn("%s SPDXTV failed, Please check your fossology server." % tar_file)
return False
-def create_manifest(info,sstatefile):
- import shutil
- shutil.copyfile(sstatefile,info['outfile'])
-
-def get_cached_spdx( sstatefile ):
- import subprocess
-
- if not os.path.exists( sstatefile ):
- return None
-
- try:
- output = subprocess.check_output(['grep', "PackageVerificationCode", sstatefile])
- except subprocess.CalledProcessError as e:
- bb.error("Index creation command '%s' failed with return code %d:\n%s" % (e.cmd, e.returncode, e.output))
- return None
- cached_spdx_info=output.decode('utf-8').split(': ')
- return cached_spdx_info[1]
-
-## Add necessary information into spdx file
-def write_cached_spdx( info,sstatefile, ver_code ):
- import subprocess
-
- def sed_replace(dest_sed_cmd,key_word,replace_info):
- dest_sed_cmd = dest_sed_cmd + "-e 's#^" + key_word + ".*#" + \
- key_word + replace_info + "#' "
- return dest_sed_cmd
-
- def sed_insert(dest_sed_cmd,key_word,new_line):
- dest_sed_cmd = dest_sed_cmd + "-e '/^" + key_word \
- + r"/a\\" + new_line + "' "
- return dest_sed_cmd
-
- ## Document level information
- sed_cmd = r"sed -i -e 's#\r$##g' "
- spdx_DocumentComment = "<text>SPDX for " + info['pn'] + " version " \
- + info['pv'] + "</text>"
- sed_cmd = sed_replace(sed_cmd,"DocumentComment",spdx_DocumentComment)
-
- ## Creator information
- sed_cmd = sed_replace(sed_cmd,"Creator: ",info['creator']['Tool'])
-
- ## Package level information
- sed_cmd = sed_replace(sed_cmd, "PackageName: ", info['pn'])
- sed_cmd = sed_insert(sed_cmd, "PackageName: ", "PackageVersion: " + info['pv'])
- sed_cmd = sed_replace(sed_cmd, "PackageDownloadLocation: ",info['package_download_location'])
- sed_cmd = sed_insert(sed_cmd, "PackageDownloadLocation: ", "PackageHomePage: " + info['package_homepage'])
- sed_cmd = sed_insert(sed_cmd, "PackageDownloadLocation: ", "PackageSummary: " + "<text>" + info['package_summary'] + "</text>")
- sed_cmd = sed_insert(sed_cmd, "PackageDownloadLocation: ", "modification record : " + info['modified'])
- sed_cmd = sed_replace(sed_cmd, "PackageVerificationCode: ",ver_code)
- sed_cmd = sed_insert(sed_cmd, "PackageVerificationCode: ", "PackageDescription: " +
- "<text>" + info['pn'] + " version " + info['pv'] + "</text>")
- for contain in info['package_contains'].split( ):
- sed_cmd = sed_insert(sed_cmd, "PackageComment:"," \\n\\n## Relationships\\nRelationship: " + info['pn'] + " CONTAINS " + contain)
- for static_link in info['package_static_link'].split( ):
- sed_cmd = sed_insert(sed_cmd, "PackageComment:"," \\n\\n## Relationships\\nRelationship: " + info['pn'] + " STATIC_LINK " + static_link)
- sed_cmd = sed_cmd + sstatefile
-
- subprocess.call("%s" % sed_cmd, shell=True)
-
-def is_work_shared(d):
- pn = d.getVar('PN')
- return bb.data.inherits_class('kernel', d) or pn.startswith('gcc-source')
-
-def remove_dir_tree(dir_name):
- import shutil
- try:
- shutil.rmtree(dir_name)
- except:
- pass
-
-def remove_file(file_name):
- try:
- os.remove(file_name)
- except OSError as e:
- pass
-
-def list_files(dir ):
- for root, subFolders, files in os.walk(dir):
- for f in files:
- rel_root = os.path.relpath(root, dir)
- yield rel_root, f
- return
-
-def hash_file(file_name):
- """
- Return the hex string representation of the SHA1 checksum of the filename
- """
- try:
- import hashlib
- except ImportError:
- return None
-
- sha1 = hashlib.sha1()
- with open( file_name, "rb" ) as f:
- for line in f:
- sha1.update(line)
- return sha1.hexdigest()
-
-def hash_string(data):
- import hashlib
- sha1 = hashlib.sha1()
- sha1.update(data.encode('utf-8'))
- return sha1.hexdigest()
-
-def get_ver_code(dirname):
- chksums = []
- for f_dir, f in list_files(dirname):
- try:
- stats = os.stat(os.path.join(dirname,f_dir,f))
- except OSError as e:
- bb.warn( "Stat failed" + str(e) + "\n")
- continue
- chksums.append(hash_file(os.path.join(dirname,f_dir,f)))
- ver_code_string = ''.join(chksums).lower()
- ver_code = hash_string(ver_code_string)
- return ver_code
-
-do_spdx[depends] = "${SPDXEPENDENCY}"
-
EXPORT_FUNCTIONS do_spdx
diff --git a/external/meta-spdxscanner/classes/fossology-rest.bbclass b/external/meta-spdxscanner/classes/fossology-rest.bbclass
new file mode 100644
index 00000000..d253853d
--- /dev/null
+++ b/external/meta-spdxscanner/classes/fossology-rest.bbclass
@@ -0,0 +1,499 @@
+# This class integrates real-time license scanning, generation of SPDX standard
+# output and verifiying license info during the building process.
+# It is a combination of efforts from the OE-Core, SPDX and DoSOCSv2 projects.
+#
+# For more information on DoSOCSv2:
+# https://github.com/DoSOCSv2
+#
+# For more information on SPDX:
+# http://www.spdx.org
+#
+# Note:
+# 1) Make sure fossdriver has beed installed in your host
+# 2) By default,spdx files will be output to the path which is defined as[SPDX_DEPLOY_DIR]
+# in ./meta/conf/spdx-dosocs.conf.
+inherit spdx-common
+FOSSOLOGY_SERVER ?= "http://127.0.0.1:8081/repo"
+
+#upload OSS into No.1 folder of fossology
+FOLDER_ID = "1"
+
+HOSTTOOLS_NONFATAL += "curl"
+
+CREATOR_TOOL = "fossology-rest.bbclass in meta-spdxscanner"
+
+# If ${S} isn't actually the top-level source directory, set SPDX_S to point at
+# the real top-level directory.
+SPDX_S ?= "${S}"
+
+python do_spdx () {
+ import os, sys, shutil
+
+ pn = d.getVar('PN')
+ assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
+ if pn in assume_provided:
+ for p in d.getVar("PROVIDES").split():
+ if p != pn:
+ pn = p
+ break
+ if d.getVar('BPN') in ['gcc', 'libgcc']:
+ bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
+ return
+ # The following: do_fetch, do_unpack and do_patch tasks have been deleted,
+ # so avoid archiving do_spdx here.
+ if pn.startswith('glibc-locale'):
+ return
+ if (d.getVar('PN') == "libtool-cross"):
+ return
+ if (d.getVar('PN') == "libgcc-initial"):
+ return
+ if (d.getVar('PN') == "shadow-sysroot"):
+ return
+
+ spdx_outdir = d.getVar('SPDX_OUTDIR')
+ spdx_workdir = d.getVar('SPDX_WORKDIR')
+ spdx_temp_dir = os.path.join(spdx_workdir, "temp")
+ temp_dir = os.path.join(d.getVar('WORKDIR'), "temp")
+
+ info = {}
+ info['workdir'] = (d.getVar('WORKDIR', True) or "")
+ info['pn'] = (d.getVar( 'PN', True ) or "")
+ info['pv'] = (d.getVar( 'PV', True ) or "")
+ info['package_download_location'] = (d.getVar( 'SRC_URI', True ) or "")
+ if info['package_download_location'] != "":
+ info['package_download_location'] = info['package_download_location'].split()[0]
+ info['spdx_version'] = (d.getVar('SPDX_VERSION', True) or '')
+ info['data_license'] = (d.getVar('DATA_LICENSE', True) or '')
+ info['creator'] = {}
+ info['creator']['Tool'] = (d.getVar('CREATOR_TOOL', True) or '')
+ info['license_list_version'] = (d.getVar('LICENSELISTVERSION', True) or '')
+ info['package_homepage'] = (d.getVar('HOMEPAGE', True) or "")
+ info['package_summary'] = (d.getVar('SUMMARY', True) or "")
+ info['package_summary'] = info['package_summary'].replace("\n","")
+ info['package_summary'] = info['package_summary'].replace("'"," ")
+ info['package_contains'] = (d.getVar('CONTAINED', True) or "")
+ info['package_static_link'] = (d.getVar('STATIC_LINK', True) or "")
+ info['modified'] = "false"
+ info['token'] = (d.getVar('TOKEN', True) or "")
+
+ srcuri = d.getVar("SRC_URI", False).split()
+ length = len("file://")
+ for item in srcuri:
+ if item.startswith("file://"):
+ item = item[length:]
+ if item.endswith(".patch") or item.endswith(".diff"):
+ info['modified'] = "true"
+
+ manifest_dir = (d.getVar('SPDX_DEPLOY_DIR', True) or "")
+ if not os.path.exists( manifest_dir ):
+ bb.utils.mkdirhier( manifest_dir )
+
+ info['outfile'] = os.path.join(manifest_dir, info['pn'] + "-" + info['pv'] + ".spdx" )
+ sstatefile = os.path.join(spdx_outdir, info['pn'] + "-" + info['pv'] + ".spdx" )
+
+ # if spdx has been exist
+ if os.path.exists(info['outfile']):
+ bb.note(info['pn'] + "spdx file has been exist, do nothing")
+ return
+ if os.path.exists( sstatefile ):
+ bb.note(info['pn'] + "spdx file has been exist, do nothing")
+ create_manifest(info,sstatefile)
+ return
+
+ spdx_get_src(d)
+
+ bb.note('SPDX: Archiving the patched source...')
+ if os.path.isdir(spdx_temp_dir):
+ for f_dir, f in list_files(spdx_temp_dir):
+ temp_file = os.path.join(spdx_temp_dir,f_dir,f)
+ shutil.copy(temp_file, temp_dir)
+ # shutil.rmtree(spdx_temp_dir)
+ d.setVar('WORKDIR', spdx_workdir)
+ info['sourcedir'] = spdx_workdir
+ git_path = "%s/git/.git" % info['sourcedir']
+ if os.path.exists(git_path):
+ remove_dir_tree(git_path)
+ tar_name = spdx_create_tarball(d, d.getVar('WORKDIR'), 'patched', spdx_outdir)
+
+ ## get everything from cache. use it to decide if
+ ## something needs to be rerun
+ if not os.path.exists(spdx_outdir):
+ bb.utils.mkdirhier(spdx_outdir)
+ cur_ver_code = get_ver_code(spdx_workdir).split()[0]
+ ## Get spdx file
+ bb.note(' run fossology rest api ...... ')
+ if not os.path.isfile(tar_name):
+ bb.warn(info['pn'] + "has no source, do nothing")
+ return
+ folder_id = get_folder_id(d)
+ if invoke_rest_api(d, tar_name, sstatefile, folder_id) == False:
+ bb.warn(info['pn'] + ": Get spdx file fail, please check fossology server.")
+ remove_file(tar_name)
+ return False
+ if get_cached_spdx(sstatefile) != None:
+ write_cached_spdx( info,sstatefile,cur_ver_code )
+ ## CREATE MANIFEST(write to outfile )
+ create_manifest(info,sstatefile)
+ else:
+ bb.warn(info['pn'] + ': Can\'t get the spdx file ' + '. Please check fossology server.')
+ remove_file(tar_name)
+}
+
+def get_folder_id_by_name(d, folder_name):
+ import os
+ import subprocess
+ import json
+
+ server_url = (d.getVar('FOSSOLOGY_SERVER', True) or "")
+ if server_url == "":
+ bb.note("Please set fossology server URL by setting FOSSOLOGY_SERVER!\n")
+ raise OSError(errno.ENOENT, "No setting of FOSSOLOGY_SERVER")
+
+ token = (d.getVar('TOKEN', True) or "")
+ if token == "":
+ bb.note("Please set token of fossology server by setting TOKEN!\n" + srcPath)
+ raise OSError(errno.ENOENT, "No setting of TOKEN comes from fossology server.")
+
+ rest_api_cmd = "curl -k -s -S -X GET " + server_url + "/api/v1/folders" \
+ + " -H \"Authorization: Bearer " + token + "\"" \
+ + " --noproxy 127.0.0.1"
+ bb.note("Invoke rest_api_cmd = " + rest_api_cmd )
+ try:
+ all_folder = subprocess.check_output(rest_api_cmd, stderr=subprocess.STDOUT, shell=True)
+ except subprocess.CalledProcessError as e:
+ bb.error(d.getVar('PN', True) + ": Get folder list failed: \n%s" % e.output.decode("utf-8"))
+ return False
+ all_folder = str(all_folder, encoding = "utf-8")
+ bb.note("all_folder list= " + all_folder)
+ all_folder = json.loads(all_folder)
+ bb.note("len of all_folder = ")
+ bb.note(str(len(all_folder)))
+ if len(all_folder) == 0:
+ bb.note("Can not get folder list.")
+ return False
+ bb.note("all_folder[0][name] = ")
+ bb.note(all_folder[0]["name"])
+ for i in range(0, len(all_folder)):
+ if all_folder[i]["name"] == folder_name:
+ bb.note("Find " + folder_name + "in fossology server ")
+ return all_folder[i]["id"]
+ return False
+
+def create_folder(d, folder_name):
+ import os
+ import subprocess
+
+ server_url = (d.getVar('FOSSOLOGY_SERVER', True) or "")
+ if server_url == "":
+ bb.note("Please set fossology server URL by setting FOSSOLOGY_SERVER!\n")
+ raise OSError(errno.ENOENT, "No setting of FOSSOLOGY_SERVER")
+
+ token = (d.getVar('TOKEN', True) or "")
+ if token == "":
+ bb.note("Please set token of fossology server by setting TOKEN!\n" + srcPath)
+ raise OSError(errno.ENOENT, "No setting of TOKEN comes from fossology server.")
+
+ rest_api_cmd = "curl -k -s -S -X POST " + server_url + "/api/v1/folders" \
+ + " -H \'parentFolder: 1\'" \
+ + " -H \'folderName: " + folder_name + "\'" \
+ + " -H \"Authorization: Bearer " + token + "\"" \
+ + " --noproxy 127.0.0.1"
+ bb.note("Invoke rest_api_cmd = " + rest_api_cmd)
+ try:
+ add_folder = subprocess.check_output(rest_api_cmd, stderr=subprocess.STDOUT, shell=True)
+ except subprocess.CalledProcessError as e:
+ bb.error(d.getVar('PN', True) + ": Added folder failed: \n%s" % e.output.decode("utf-8"))
+ return False
+
+ add_folder = str(add_folder, encoding = "utf-8")
+ bb.note("add_folder = ")
+ bb.note(add_folder)
+ add_folder = eval(add_folder)
+ if str(add_folder["code"]) == "201":
+ bb.note("add_folder = " + folder_name)
+ return add_folder["message"]
+ elif str(add_folder["code"]) == "200":
+ bb.note("Folder : " + folder_name + "has been created.")
+ return get_folder_id_by_name(d, folder_name)
+ else:
+ bb.error(d.getVar('PN', True) + ": Added folder failed, please check your fossology server.")
+ return False
+
+def get_folder_id(d):
+
+ if d.getVar('FOLDER_NAME', False):
+ folder_name = d.getVar('FOLDER_NAME')
+ folder_id = create_folder(d, folder_name)
+ else:
+ folder_id = (d.getVar('FOLDER_ID', True) or "1")
+
+ bb.note("Folder Id = " + str(folder_id))
+ return str(folder_id)
+
+def has_upload(d, tar_file, folder_id):
+ import os
+ import subprocess
+
+ (work_dir, file_name) = os.path.split(tar_file)
+
+ server_url = (d.getVar('FOSSOLOGY_SERVER', True) or "")
+ if server_url == "":
+ bb.note("Please set fossology server URL by setting FOSSOLOGY_SERVER!\n")
+ raise OSError(errno.ENOENT, "No setting of FOSSOLOGY_SERVER")
+
+ token = (d.getVar('TOKEN', True) or "")
+ if token == "":
+ bb.note("Please set token of fossology server by setting TOKEN!\n" + srcPath)
+ raise OSError(errno.ENOENT, "No setting of TOKEN comes from fossology server.")
+
+ rest_api_cmd = "curl -k -s -S -X GET " + server_url + "/api/v1/uploads" \
+ + " -H \"Authorization: Bearer " + token + "\"" \
+ + " --noproxy 127.0.0.1"
+ bb.note("Invoke rest_api_cmd = " + rest_api_cmd )
+
+ try:
+ upload_output = subprocess.check_output(rest_api_cmd, stderr=subprocess.STDOUT, shell=True)
+ except subprocess.CalledProcessError as e:
+ bb.error("curl failed: \n%s" % e.output.decode("utf-8"))
+ return False
+
+ upload_output = str(upload_output, encoding = "utf-8")
+ upload_output = eval(upload_output)
+ bb.note("upload_output = ")
+ print(upload_output)
+ bb.note("len of upload_output = ")
+ bb.note(str(len(upload_output)))
+ if len(upload_output) == 0:
+ bb.note("The upload of fossology is 0.")
+ return False
+ bb.note("upload_output[0][uploadname] = ")
+ bb.note(upload_output[0]["uploadname"])
+ bb.note("len of upload_output = ")
+ bb.note(str(len(upload_output)))
+ for i in range(0, len(upload_output)):
+ if upload_output[i]["uploadname"] == file_name and str(upload_output[i]["folderid"]) == str(folder_id):
+ bb.warn("Find " + file_name + " in fossology server \"Software Repository\" folder. So, will not upload again.")
+ return upload_output[i]["id"]
+ return False
+
+def upload(d, tar_file, folder):
+ import os
+ import subprocess
+ delaytime = 50
+ i = 0
+
+ server_url = (d.getVar('FOSSOLOGY_SERVER', True) or "")
+ if server_url == "":
+ bb.note("Please set fossology server URL by setting FOSSOLOGY_SERVER!\n")
+ raise OSError(errno.ENOENT, "No setting of FOSSOLOGY_SERVER")
+
+ token = (d.getVar('TOKEN', True) or "")
+ if token == "":
+ bb.note("Please set token of fossology server by setting TOKEN!\n" + srcPath)
+ raise OSError(errno.ENOENT, "No setting of TOKEN comes from fossology server.")
+
+ rest_api_cmd = "curl -k -s -S -X POST " + server_url + "/api/v1/uploads" \
+ + " -H \"folderId: " + folder + "\"" \
+ + " -H \"Authorization: Bearer " + token + "\"" \
+ + " -H \'uploadDescription: created by REST\'" \
+ + " -H \'public: public\'" \
+ + " -H \'Content-Type: multipart/form-data\'" \
+ + " -F \'fileInput=@\"" + tar_file + "\";type=application/octet-stream\'" \
+ + " --noproxy 127.0.0.1"
+ bb.note("Upload : Invoke rest_api_cmd = " + rest_api_cmd )
+ while i < 10:
+ time.sleep(delaytime)
+ try:
+ upload = subprocess.check_output(rest_api_cmd, stderr=subprocess.STDOUT, shell=True)
+ except subprocess.CalledProcessError as e:
+ bb.error(d.getVar('PN', True) + ": Upload failed: \n%s" % e.output.decode("utf-8"))
+ return False
+ upload = str(upload, encoding = "utf-8")
+ bb.note("Upload = ")
+ bb.note(upload)
+ upload = eval(upload)
+ if str(upload["code"]) == "201":
+ return upload["message"]
+ i += 1
+ bb.warn(d.getVar('PN', True) + ": Upload is fail, please check your fossology server.")
+ return False
+
+def analysis(d, folder_id, upload_id):
+ import os
+ import subprocess
+ delaytime = 50
+ i = 0
+
+ server_url = (d.getVar('FOSSOLOGY_SERVER', True) or "")
+ if server_url == "":
+ bb.note("Please set fossology server URL by setting FOSSOLOGY_SERVER!\n")
+ raise OSError(errno.ENOENT, "No setting of FOSSOLOGY_SERVER")
+
+ token = (d.getVar('TOKEN', True) or "")
+ if token == "":
+ bb.note("Please set token of fossology server by setting TOKEN!\n" + srcPath)
+ raise OSError(errno.ENOENT, "No setting of TOKEN comes from fossology server.")
+
+ rest_api_cmd = "curl -k -s -S -X POST " + server_url + "/api/v1/jobs" \
+ + " -H \"folderId: " + str(folder_id) + "\"" \
+ + " -H \"uploadId: " + str(upload_id) + "\"" \
+ + " -H \"Authorization: Bearer " + token + "\"" \
+ + " -H \'Content-Type: application/json\'" \
+ + " --data \'{\"analysis\": {\"bucket\": true,\"copyright_email_author\": true,\"ecc\": true, \"keyword\": true,\"mime\": true,\"monk\": true,\"nomos\": true,\"package\": true},\"decider\": {\"nomos_monk\": true,\"bulk_reused\": true,\"new_scanner\": true}}\'" \
+ + " --noproxy 127.0.0.1"
+ bb.note("Analysis : Invoke rest_api_cmd = " + rest_api_cmd )
+ while i < 10:
+ try:
+ time.sleep(delaytime)
+ analysis = subprocess.check_output(rest_api_cmd, stderr=subprocess.STDOUT, shell=True)
+ except subprocess.CalledProcessError as e:
+ bb.error("Analysis failed: \n%s" % e.output.decode("utf-8"))
+ return False
+ time.sleep(delaytime)
+ analysis = str(analysis, encoding = "utf-8")
+ bb.note("analysis = ")
+ bb.note(analysis)
+ analysis = eval(analysis)
+ if str(analysis["code"]) == "201":
+ return analysis["message"]
+ elif str(analysis["code"]) == "404":
+ bb.warn(d.getVar('PN', True) + ": analysis is still not complete.")
+ time.sleep(delaytime*2)
+ else:
+ return False
+ i += 1
+ bb.warn(d.getVar('PN', True) + ": Analysis is fail, will try again.")
+ bb.warn(d.getVar('PN', True) + ": Analysis is fail, please check your fossology server.")
+ return False
+
+def trigger(d, folder_id, upload_id):
+ import os
+ import subprocess
+ delaytime = 50
+ i = 0
+
+ server_url = (d.getVar('FOSSOLOGY_SERVER', True) or "")
+ if server_url == "":
+ bb.note("Please set fossology server URL by setting FOSSOLOGY_SERVER!\n")
+ raise OSError(errno.ENOENT, "No setting of FOSSOLOGY_SERVER")
+
+ token = (d.getVar('TOKEN', True) or "")
+ if token == "":
+ bb.note("Please set token of fossology server by setting TOKEN!\n" + srcPath)
+ raise OSError(errno.ENOENT, "No setting of TOKEN comes from fossology server.")
+
+ rest_api_cmd = "curl -k -s -S -X GET " + server_url + "/api/v1/report" \
+ + " -H \"Authorization: Bearer " + token + "\"" \
+ + " -H \"uploadId: " + str(upload_id) + "\"" \
+ + " -H \'reportFormat: spdx2tv\'" \
+ + " --noproxy 127.0.0.1"
+ bb.note("trigger : Invoke rest_api_cmd = " + rest_api_cmd )
+ while i < 10:
+ time.sleep(delaytime)
+ try:
+ trigger = subprocess.check_output(rest_api_cmd, stderr=subprocess.STDOUT, shell=True)
+ except subprocess.CalledProcessError as e:
+ bb.error(d.getVar('PN', True) + ": Trigger failed: \n%s" % e.output.decode("utf-8"))
+ return False
+ time.sleep(delaytime)
+ trigger = str(trigger, encoding = "utf-8")
+ trigger = eval(trigger)
+ bb.note("trigger id = ")
+ bb.note(str(trigger["message"]))
+ if str(trigger["code"]) == "201":
+ return trigger["message"].split("/")[-1]
+ i += 1
+ time.sleep(delaytime * 2)
+ bb.warn(d.getVar('PN', True) + ": Trigger is fail, will try again.")
+ bb.warn(d.getVar('PN', True) + ": Trigger is fail, please check your fossology server.")
+ return False
+
+def get_spdx(d, report_id, spdx_file):
+ import os
+ import subprocess
+ import time
+ delaytime = 50
+ complete = False
+ i = 0
+
+ server_url = (d.getVar('FOSSOLOGY_SERVER', True) or "")
+ if server_url == "":
+ bb.note("Please set fossology server URL by setting FOSSOLOGY_SERVER!\n")
+ raise OSError(errno.ENOENT, "No setting of FOSSOLOGY_SERVER")
+
+ token = (d.getVar('TOKEN', True) or "")
+ if token == "":
+ bb.note("Please set token of fossology server by setting TOKEN!\n" + srcPath)
+ raise OSError(errno.ENOENT, "No setting of TOKEN comes from fossology server.")
+ rest_api_cmd = "curl -k -s -S -X GET " + server_url + "/api/v1/report/" + report_id \
+ + " -H \'accept: text/plain\'" \
+ + " -H \"Authorization: Bearer " + token + "\"" \
+ + " --noproxy 127.0.0.1"
+ bb.note("get_spdx : Invoke rest_api_cmd = " + rest_api_cmd )
+ while i < 10:
+ time.sleep(delaytime)
+ file = open(spdx_file,'wt')
+ try:
+ p = subprocess.Popen(rest_api_cmd, shell=True, universal_newlines=True, stdout=file).wait()
+ except subprocess.CalledProcessError as e:
+ bb.error("Get spdx failed: \n%s. Please check fossology server." % e.output.decode("utf-8"))
+ file.close()
+ os.remove(spdx_file)
+ return False
+ file.flush()
+ time.sleep(delaytime)
+ file.close()
+ file = open(spdx_file,'r+')
+ first_line = file.readline()
+ if "SPDXVersion" in first_line:
+ line = file.readline()
+ while line:
+ if "LicenseID:" in line:
+ complete = True
+ break
+ line = file.readline()
+ file.close()
+ if complete == False:
+ bb.warn("license info not complete, try agin.")
+ else:
+ return True
+ else:
+ bb.warn(d.getVar('PN', True) + ": Get the first line is " + first_line + ". Try agin")
+
+ file.close()
+ os.remove(spdx_file)
+ i += 1
+ delaytime = delaytime + 20
+ time.sleep(delaytime)
+
+ file.close()
+ bb.warn(d.getVar('PN', True) + ": Get spdx failed, Please check your fossology server.")
+
+def invoke_rest_api(d, tar_file, spdx_file, folder_id):
+ import os
+ import time
+ i = 0
+
+ bb.note("invoke fossology REST API : tar_file = %s " % tar_file)
+ upload_id = has_upload(d, tar_file, folder_id)
+ if upload_id == False:
+ bb.note("This OSS has not been scanned. So upload it to fossology server.")
+ upload_id = upload(d, tar_file, folder_id)
+ if upload_id == False:
+ return False
+
+ if analysis(d, folder_id, upload_id) == False:
+ return False
+ while i < 10:
+ i += 1
+ report_id = trigger(d, folder_id, upload_id)
+ if report_id == False:
+ return False
+ spdx2tv = get_spdx(d, report_id, spdx_file)
+ if spdx2tv == False:
+ bb.warn(d.getVar('PN', True) + ": get_spdx is unnormal. Will try again!")
+ else:
+ return True
+
+ bb.warn("get_spdx of %s is unnormal. Please confirm!")
+ return False
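Review bot: The HTTP response body is passed to `eval()` in create_folder, has_upload, upload, analysis and trigger (`add_folder = eval(add_folder)` and the four matching lines), so whatever answers the request is executed as Python inside the BitBake task. Every request also uses `curl -k`, so an https `FOSSOLOGY_SERVER` is not authenticated either. get_folder_id_by_name in this same file already parses its response with `json.loads(all_folder)`; the other five should do the same, e.g. `add_folder = json.loads(add_folder)` with `import json` added in each function, which also accepts JSON `true`/`false`/`null` that `eval` would reject. Separately, each `bb.note("Invoke rest_api_cmd = " + rest_api_cmd)` writes the `Authorization: Bearer` token into the task log; log the endpoint only. The commands are also concatenated from `FOLDER_NAME`, `TOKEN` and the tarball path and run with `shell=True`; passing an argument list to `subprocess.check_output` without `shell=True` and dropping `-k` would remove the quoting and certificate problems.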
diff --git a/external/meta-spdxscanner/classes/scancode-tk.bbclass b/external/meta-spdxscanner/classes/scancode-tk.bbclass
new file mode 100644
index 00000000..0dc244f9
--- /dev/null
+++ b/external/meta-spdxscanner/classes/scancode-tk.bbclass
@@ -0,0 +1,139 @@
+# This class integrates real-time license scanning, generation of SPDX standard
+# output and verifiying license info during the building process.
+# It is a combination of efforts from the OE-Core, SPDX and ScanCode projects.
+#
+# For more information on ScanCode:
+# https://github.com/nexB/scancode-toolkit
+#
+# For more information on SPDX:
+# http://www.spdx.org
+#
+# Note:
+# 1) By default,spdx files will be output to the path which is defined as[SPDX_DEPLOY_DIR]
+# 2) By default, SPDX_DEPLOY_DIR is tmp/deploy
+#
+
+inherit spdx-common
+
+SPDXEPENDENCY += "scancode-toolkit-native:do_populate_sysroot"
+
+CREATOR_TOOL = "scancode-tk.bbclass in meta-spdxscanner"
+
+python do_spdx(){
+ import os, sys, json, shutil
+ pn = d.getVar('PN')
+ assume_provided = (d.getVar("ASSUME_PROVIDED") or "").split()
+ if pn in assume_provided:
+ for p in d.getVar("PROVIDES").split():
+ if p != pn:
+ pn = p
+ break
+ if d.getVar('BPN') in ['gcc', 'libgcc']:
+ bb.debug(1, 'spdx: There is bug in scan of %s is, do nothing' % pn)
+ return
+ # glibc-locale: do_fetch, do_unpack and do_patch tasks have been deleted,
+ # so avoid archiving source here.
+ if pn.startswith('glibc-locale'):
+ return
+ if (d.getVar('PN') == "libtool-cross"):
+ return
+ if (d.getVar('PN') == "libgcc-initial"):
+ return
+ if (d.getVar('PN') == "shadow-sysroot"):
+ return
+
+ spdx_outdir = d.getVar('SPDX_OUTDIR')
+ spdx_workdir = d.getVar('SPDX_WORKDIR')
+ spdx_temp_dir = os.path.join(spdx_workdir, "temp")
+ temp_dir = os.path.join(d.getVar('WORKDIR'), "temp")
+
+ info = {}
+ info['workdir'] = (d.getVar('WORKDIR', True) or "")
+ info['pn'] = (d.getVar( 'PN', True ) or "")
+ info['pv'] = (d.getVar( 'PV', True ) or "")
+ info['package_download_location'] = (d.getVar( 'SRC_URI', True ) or "")
+ if info['package_download_location'] != "":
+ info['package_download_location'] = info['package_download_location'].split()[0]
+ info['spdx_version'] = (d.getVar('SPDX_VERSION', True) or '')
+ info['data_license'] = (d.getVar('DATA_LICENSE', True) or '')
+ info['creator'] = {}
+ info['creator']['Tool'] = (d.getVar('CREATOR_TOOL', True) or '')
+ info['license_list_version'] = (d.getVar('LICENSELISTVERSION', True) or '')
+ info['package_homepage'] = (d.getVar('HOMEPAGE', True) or "")
+ info['package_summary'] = (d.getVar('SUMMARY', True) or "")
+ info['package_summary'] = info['package_summary'].replace("\n","")
+ info['package_summary'] = info['package_summary'].replace("'"," ")
+ info['package_contains'] = (d.getVar('CONTAINED', True) or "")
+ info['package_static_link'] = (d.getVar('STATIC_LINK', True) or "")
+ info['modified'] = "false"
+ srcuri = d.getVar("SRC_URI", False).split()
+ length = len("file://")
+ for item in srcuri:
+ if item.startswith("file://"):
+ item = item[length:]
+ if item.endswith(".patch") or item.endswith(".diff"):
+ info['modified'] = "true"
+
+ manifest_dir = (d.getVar('SPDX_DEPLOY_DIR', True) or "")
+ if not os.path.exists( manifest_dir ):
+ bb.utils.mkdirhier( manifest_dir )
+ info['outfile'] = os.path.join(manifest_dir, info['pn'] + "-" + info['pv'] + ".spdx" )
+ sstatefile = os.path.join(spdx_outdir, info['pn'] + "-" + info['pv'] + ".spdx" )
+ # if spdx has been exist
+ if os.path.exists(info['outfile']):
+ bb.note(info['pn'] + "spdx file has been exist, do nothing")
+ return
+ if os.path.exists( sstatefile ):
+ bb.note(info['pn'] + "spdx file has been exist, do nothing")
+ create_manifest(info,sstatefile)
+ return
+ spdx_get_src(d)
+
+ bb.note('SPDX: Archiving the patched source...')
+ if os.path.isdir(spdx_temp_dir):
+ for f_dir, f in list_files(spdx_temp_dir):
+ temp_file = os.path.join(spdx_temp_dir,f_dir,f)
+ shutil.copy(temp_file, temp_dir)
+ #shutil.rmtree(spdx_temp_dir)
+ if not os.path.exists(spdx_outdir):
+ bb.utils.mkdirhier(spdx_outdir)
+ cur_ver_code = get_ver_code(spdx_workdir).split()[0]
+ ## Get spdx file
+ bb.note(' run scanCode ...... ')
+ d.setVar('WORKDIR', d.getVar('SPDX_WORKDIR', True))
+ info['sourcedir'] = spdx_workdir
+ git_path = "%s/git/.git" % info['sourcedir']
+ if os.path.exists(git_path):
+ remove_dir_tree(git_path)
+ invoke_scancode(info['sourcedir'],sstatefile)
+ bb.warn("source dir = " + info['sourcedir'])
+ if get_cached_spdx(sstatefile) != None:
+ write_cached_spdx( info,sstatefile,cur_ver_code )
+ ## CREATE MANIFEST(write to outfile )
+ create_manifest(info,sstatefile)
+ else:
+ bb.warn('Can\'t get the spdx file ' + info['pn'] + '. Please check your.')
+}
+
+def invoke_scancode( OSS_src_dir, spdx_file):
+ import subprocess
+ import string
+ import json
+ import codecs
+ import logging
+
+ logger = logging.getLogger()
+ logger.setLevel(logging.INFO)
+ logging.basicConfig(level=logging.INFO)
+
+ path = os.getenv('PATH')
+ scancode_cmd = bb.utils.which(os.getenv('PATH'), "scancode")
+ scancode_cmd = scancode_cmd + " -lpci --spdx-tv " + spdx_file + " " + OSS_src_dir
+ print(scancode_cmd)
+ try:
+ subprocess.check_output(scancode_cmd,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ except subprocess.CalledProcessError as e:
+ bb.fatal("Could not invoke scancode Command "
+ "'%s' returned %d:\n%s" % (scancode_cmd, e.returncode, e.output))
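Review bot: invoke_scancode builds the scancode command by string concatenation and runs it with `shell=True`, so `spdx_file` and `OSS_src_dir` are word-split or interpreted by the shell if the work directory contains spaces or metacharacters. The result of `bb.utils.which()` is also used without checking that scancode was found (it appears to return an empty value in that case, which would leave the command starting with ` -lpci`). Passing a list avoids both: `if not scancode_cmd: bb.fatal("scancode not found in PATH")` followed by `subprocess.check_output([scancode_cmd, "-lpci", "--spdx-tv", spdx_file, OSS_src_dir], stderr=subprocess.STDOUT)`. The function also changes the root logger level and imports `string`, `json` and `codecs` without using them; those lines and the unused `path` assignment can be removed.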
diff --git a/external/meta-spdxscanner/classes/spdx-common.bbclass b/external/meta-spdxscanner/classes/spdx-common.bbclass
new file mode 100644
index 00000000..0dcd7938
--- /dev/null
+++ b/external/meta-spdxscanner/classes/spdx-common.bbclass
@@ -0,0 +1,221 @@
+# This class supplys common functions.
+
+
+SPDXEPENDENCY += "${PATCHTOOL}-native:do_populate_sysroot"
+SPDXEPENDENCY += " wget-native:do_populate_sysroot"
+SPDXEPENDENCY += " subversion-native:do_populate_sysroot"
+SPDXEPENDENCY += " git-native:do_populate_sysroot"
+SPDXEPENDENCY += " lz4-native:do_populate_sysroot"
+SPDXEPENDENCY += " lzip-native:do_populate_sysroot"
+SPDXEPENDENCY += " xz-native:do_populate_sysroot"
+SPDXEPENDENCY += " unzip-native:do_populate_sysroot"
+SPDXEPENDENCY += " xz-native:do_populate_sysroot"
+SPDXEPENDENCY += " quilt-native:do_populate_sysroot"
+SPDXEPENDENCY += " tar-native:do_populate_sysroot"
+
+SPDX_DEPLOY_DIR ??= "${DEPLOY_DIR}/spdx"
+SPDX_TOPDIR ?= "${WORKDIR}/spdx_sstate_dir"
+SPDX_OUTDIR = "${SPDX_TOPDIR}/${TARGET_SYS}/${PF}/"
+SPDX_WORKDIR = "${WORKDIR}/spdx_temp/"
+
+do_spdx[dirs] = "${WORKDIR}"
+
+LICENSELISTVERSION = "2.6"
+
+# If ${S} isn't actually the top-level source directory, set SPDX_S to point at
+# the real top-level directory.
+SPDX_S ?= "${S}"
+
+addtask do_spdx before do_configure after do_patch
+
+def spdx_create_tarball(d, srcdir, suffix, ar_outdir):
+ """
+ create the tarball from srcdir
+ """
+ import tarfile, shutil
+
+ # Make sure we are only creating a single tarball for gcc sources
+ #if (d.getVar('SRC_URI') == ""):
+ # return
+ # For the kernel archive, srcdir may just be a link to the
+ # work-shared location. Use os.path.realpath to make sure
+ # that we archive the actual directory and not just the link.
+ srcdir = os.path.realpath(srcdir)
+
+ bb.utils.mkdirhier(ar_outdir)
+ if suffix:
+ filename = '%s-%s.tar.gz' % (d.getVar('PF'), suffix)
+ else:
+ filename = '%s.tar.gz' % d.getVar('PF')
+ tarname = os.path.join(ar_outdir, filename)
+
+ bb.note('Creating %s' % tarname)
+ tar = tarfile.open(tarname, 'w:gz')
+ tar.add(srcdir, arcname=os.path.basename(srcdir))
+ tar.close()
+ #shutil.rmtree(srcdir)
+ return tarname
+
+# Run do_unpack and do_patch
+def spdx_get_src(d):
+ import shutil
+ spdx_workdir = d.getVar('SPDX_WORKDIR')
+ spdx_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
+ pn = d.getVar('PN')
+
+ # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
+ if not is_work_shared(d):
+ # Change the WORKDIR to make do_unpack do_patch run in another dir.
+ d.setVar('WORKDIR', spdx_workdir)
+ # Restore the original path to recipe's native sysroot (it's relative to WORKDIR).
+ d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
+
+ # The changed 'WORKDIR' also caused 'B' changed, create dir 'B' for the
+ # possibly requiring of the following tasks (such as some recipes's
+ # do_patch required 'B' existed).
+ bb.utils.mkdirhier(d.getVar('B'))
+
+ bb.build.exec_func('do_unpack', d)
+ # Copy source of kernel to spdx_workdir
+ if is_work_shared(d):
+ d.setVar('WORKDIR', spdx_workdir)
+ d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native)
+ src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR')
+ bb.utils.mkdirhier(src_dir)
+ if bb.data.inherits_class('kernel',d):
+ share_src = d.getVar('STAGING_KERNEL_DIR')
+ cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/"
+ cmd_copy_kernel_result = os.popen(cmd_copy_share).read()
+ bb.note("cmd_copy_kernel_result = " + cmd_copy_kernel_result)
+
+ git_path = src_dir + "/.git"
+ if os.path.exists(git_path):
+ remove_dir_tree(git_path)
+
+ # Make sure gcc and kernel sources are patched only once
+ if not (d.getVar('SRC_URI') == "" or is_work_shared(d)):
+ bb.build.exec_func('do_patch', d)
+
+ # Some userland has no source.
+ if not os.path.exists( spdx_workdir ):
+ bb.utils.mkdirhier(spdx_workdir)
+
+def create_manifest(info,sstatefile):
+ import shutil
+ shutil.copyfile(sstatefile,info['outfile'])
+
+def get_cached_spdx( sstatefile ):
+ import subprocess
+
+ if not os.path.exists( sstatefile ):
+ return None
+
+ try:
+ output = subprocess.check_output(['grep', "PackageVerificationCode", sstatefile])
+ except subprocess.CalledProcessError as e:
+ bb.error("Index creation command '%s' failed with return code %d:\n%s" % (e.cmd, e.returncode, e.output))
+ return None
+ cached_spdx_info=output.decode('utf-8').split(': ')
+ return cached_spdx_info[1]
+
+## Add necessary information into spdx file
+def write_cached_spdx( info,sstatefile, ver_code ):
+ import subprocess
+
+ def sed_replace(dest_sed_cmd,key_word,replace_info):
+ dest_sed_cmd = dest_sed_cmd + "-e 's#^" + key_word + ".*#" + \
+ key_word + replace_info + "#' "
+ return dest_sed_cmd
+
+ def sed_insert(dest_sed_cmd,key_word,new_line):
+ dest_sed_cmd = dest_sed_cmd + "-e '/^" + key_word \
+ + r"/a\\" + new_line + "' "
+ return dest_sed_cmd
+
+ ## Document level information
+ sed_cmd = r"sed -i -e 's#\r$##' "
+ spdx_DocumentComment = "<text>SPDX for " + info['pn'] + " version " \
+ + info['pv'] + "</text>"
+ sed_cmd = sed_replace(sed_cmd,"DocumentComment",spdx_DocumentComment)
+
+ ## Creator information
+ sed_cmd = sed_replace(sed_cmd,"Creator: Tool: ",info['creator']['Tool'])
+
+ ## Package level information
+ sed_cmd = sed_replace(sed_cmd, "PackageName: ", info['pn'])
+ sed_cmd = sed_insert(sed_cmd, "PackageName: ", "PackageVersion: " + info['pv'])
+ sed_cmd = sed_replace(sed_cmd, "PackageDownloadLocation: ",info['package_download_location'])
+ sed_cmd = sed_insert(sed_cmd, "PackageDownloadLocation: ", "PackageHomePage: " + info['package_homepage'])
+ sed_cmd = sed_insert(sed_cmd, "PackageDownloadLocation: ", "PackageSummary: " + "<text>" + info['package_summary'] + "</text>")
+ sed_cmd = sed_insert(sed_cmd, "PackageCopyrightText: ", "PackageComment: <text>\\nModificationRecord: " + info['modified'] + "\\n</text>")
+ sed_cmd = sed_replace(sed_cmd, "PackageVerificationCode: ",ver_code)
+ sed_cmd = sed_insert(sed_cmd, "PackageVerificationCode: ", "PackageDescription: " +
+ "<text>" + info['pn'] + " version " + info['pv'] + "</text>")
+ for contain in info['package_contains'].split( ):
+ sed_cmd = sed_insert(sed_cmd, "PackageComment:"," \\n\\n## Relationships\\nRelationship: " + info['pn'] + " CONTAINS " + contain)
+ for static_link in info['package_static_link'].split( ):
+ sed_cmd = sed_insert(sed_cmd, "PackageComment:"," \\n\\n## Relationships\\nRelationship: " + info['pn'] + " STATIC_LINK " + static_link)
+ sed_cmd = sed_cmd + sstatefile
+
+ subprocess.call("%s" % sed_cmd, shell=True)
+
+def is_work_shared(d):
+ pn = d.getVar('PN')
+ return bb.data.inherits_class('kernel', d) or pn.startswith('gcc-source')
+
+def remove_dir_tree(dir_name):
+ import shutil
+ try:
+ shutil.rmtree(dir_name)
+ except:
+ pass
+
+def remove_file(file_name):
+ try:
+ os.remove(file_name)
+ except OSError as e:
+ pass
+
+def list_files(dir ):
+ for root, subFolders, files in os.walk(dir):
+ for f in files:
+ rel_root = os.path.relpath(root, dir)
+ yield rel_root, f
+ return
+
+def hash_file(file_name):
+ """
+ Return the hex string representation of the SHA1 checksum of the filename
+ """
+ try:
+ import hashlib
+ except ImportError:
+ return None
+
+ sha1 = hashlib.sha1()
+ with open( file_name, "rb" ) as f:
+ for line in f:
+ sha1.update(line)
+ return sha1.hexdigest()
+
+def hash_string(data):
+ import hashlib
+ sha1 = hashlib.sha1()
+ sha1.update(data.encode('utf-8'))
+ return sha1.hexdigest()
+
+def get_ver_code(dirname):
+ chksums = []
+ for f_dir, f in list_files(dirname):
+ try:
+ stats = os.stat(os.path.join(dirname,f_dir,f))
+ except OSError as e:
+ bb.warn( "Stat failed" + str(e) + "\n")
+ continue
+ chksums.append(hash_file(os.path.join(dirname,f_dir,f)))
+ ver_code_string = ''.join(chksums).lower()
+ ver_code = hash_string(ver_code_string)
+ return ver_code
+
+do_spdx[depends] = "${SPDXEPENDENCY}"
+
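Review bot: get_ver_code concatenates the per-file SHA1 values in whatever order `os.walk` yields them, so the `PackageVerificationCode` written into the SPDX file depends on directory traversal order as well as on file contents; the SPDX definition of the verification code sorts the file checksums before hashing. Adding `chksums.sort()` before `ver_code_string = ''.join(chksums).lower()` makes the value reproducible across hosts and comparable with other SPDX tools. Separately, write_cached_spdx assembles a `sed -i` command from `HOMEPAGE`, `SRC_URI`, `SUMMARY` and the output path, runs it with `shell=True` and ignores the exit status, so a `'`, `#` or `&` in one of those values silently corrupts or skips the edit (only the summary has `'` replaced, and that happens in the callers). Doing the substitutions in Python on the file contents, or at least checking the return value of `subprocess.call`, would make such failures visible. remove_dir_tree's bare `except: pass` hides failures in the same way when `.git` cannot be removed before the tarball is created; `except OSError` with a `bb.warn` would be safer.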
diff --git a/external/meta-spdxscanner/conf/include/security_flags.inc b/external/meta-spdxscanner/conf/include/security_flags.inc
deleted file mode 100644
index 8c5fbea1..00000000
--- a/external/meta-spdxscanner/conf/include/security_flags.inc
+++ /dev/null
@@ -1 +0,0 @@
-SECURITY_CFLAGS_pn-fossology-nomos = "${SECURITY_NO_PIE_CFLAGS}"
diff --git a/external/meta-spdxscanner/conf/layer.conf b/external/meta-spdxscanner/conf/layer.conf
index 120dc274..f1c4329a 100644
--- a/external/meta-spdxscanner/conf/layer.conf
+++ b/external/meta-spdxscanner/conf/layer.conf
@@ -9,4 +9,4 @@ BBFILE_COLLECTIONS += "spdxscanner"
BBFILE_PATTERN_spdxscanner = "^${LAYERDIR}/"
BBFILE_PRIORITY_spdxscanner = "6"
-LAYERSERIES_COMPAT_spdxscanner = "sumo thud warrior master"
+LAYERSERIES_COMPAT_spdxscanner = "sumo thud warrior zeus master"
diff --git a/external/meta-spdxscanner/conf/lid-scan.conf b/external/meta-spdxscanner/conf/lid-scan.conf
deleted file mode 100644
index 14263800..00000000
--- a/external/meta-spdxscanner/conf/lid-scan.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-LID_TEMP_DIR ?= "${WORKDIR}/spdx_temp"
-LID_DEPLOY_DIR ?= "/home/yocto/lid_scans"
-
diff --git a/external/meta-spdxscanner/conf/spdx-dosocs.conf b/external/meta-spdxscanner/conf/spdx-dosocs.conf
deleted file mode 100644
index 55fbd0a5..00000000
--- a/external/meta-spdxscanner/conf/spdx-dosocs.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-SPDX_TEMP_DIR ?= "${WORKDIR}/spdx_temp"
-SPDX_DEPLOY_DIR ?= "/home/yocto/spdx_scans"
-
-ASSUME_PROVIDED_remove = "file-native"
-
diff --git a/external/meta-spdxscanner/recipes-devtools/file/file/0001-magic.py-modified-for-dosocs2.patch b/external/meta-spdxscanner/recipes-devtools/file/file/0001-magic.py-modified-for-dosocs2.patch
deleted file mode 100644
index 0d2bb40c..00000000
--- a/external/meta-spdxscanner/recipes-devtools/file/file/0001-magic.py-modified-for-dosocs2.patch
+++ /dev/null
@@ -1,501 +0,0 @@
-From e983220202c3c7fcc36ba2719ed2cdaa33e3d38c Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Wed, 15 Feb 2017 11:46:05 +0900
-Subject: [PATCH] magic.py: modified for dosocs2
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- python/magic.py | 462 ++++++++++++++++++++++++++++++++------------------------
- 1 file changed, 262 insertions(+), 200 deletions(-)
-
-diff --git a/python/magic.py b/python/magic.py
-index a17e8da..c6142a7 100644
---- a/python/magic.py
-+++ b/python/magic.py
-@@ -1,221 +1,283 @@
--#!/usr/bin/env python
--'''
--Python bindings for libmagic
--'''
-+"""
-+magic is a wrapper around the libmagic file identification library.
-
--import ctypes
-+See README for more information.
-
--from ctypes import *
--from ctypes.util import find_library
-+Usage:
-
-+>>> import magic
-+>>> magic.from_file("testdata/test.pdf")
-+'PDF document, version 1.2'
-+>>> magic.from_file("testdata/test.pdf", mime=True)
-+'application/pdf'
-+>>> magic.from_buffer(open("testdata/test.pdf").read(1024))
-+'PDF document, version 1.2'
-+>>>
-
--def _init():
-- """
-- Loads the shared library through ctypes and returns a library
-- L{ctypes.CDLL} instance
-- """
-- return ctypes.cdll.LoadLibrary(find_library('magic'))
--
--_libraries = {}
--_libraries['magic'] = _init()
--
--# Flag constants for open and setflags
--MAGIC_NONE = NONE = 0
--MAGIC_DEBUG = DEBUG = 1
--MAGIC_SYMLINK = SYMLINK = 2
--MAGIC_COMPRESS = COMPRESS = 4
--MAGIC_DEVICES = DEVICES = 8
--MAGIC_MIME_TYPE = MIME_TYPE = 16
--MAGIC_CONTINUE = CONTINUE = 32
--MAGIC_CHECK = CHECK = 64
--MAGIC_PRESERVE_ATIME = PRESERVE_ATIME = 128
--MAGIC_RAW = RAW = 256
--MAGIC_ERROR = ERROR = 512
--MAGIC_MIME_ENCODING = MIME_ENCODING = 1024
--MAGIC_MIME = MIME = 1040
--MAGIC_APPLE = APPLE = 2048
--
--MAGIC_NO_CHECK_COMPRESS = NO_CHECK_COMPRESS = 4096
--MAGIC_NO_CHECK_TAR = NO_CHECK_TAR = 8192
--MAGIC_NO_CHECK_SOFT = NO_CHECK_SOFT = 16384
--MAGIC_NO_CHECK_APPTYPE = NO_CHECK_APPTYPE = 32768
--MAGIC_NO_CHECK_ELF = NO_CHECK_ELF = 65536
--MAGIC_NO_CHECK_TEXT = NO_CHECK_TEXT = 131072
--MAGIC_NO_CHECK_CDF = NO_CHECK_CDF = 262144
--MAGIC_NO_CHECK_TOKENS = NO_CHECK_TOKENS = 1048576
--MAGIC_NO_CHECK_ENCODING = NO_CHECK_ENCODING = 2097152
--
--MAGIC_NO_CHECK_BUILTIN = NO_CHECK_BUILTIN = 4173824
--
--
--class magic_set(Structure):
-- pass
--magic_set._fields_ = []
--magic_t = POINTER(magic_set)
--
--_open = _libraries['magic'].magic_open
--_open.restype = magic_t
--_open.argtypes = [c_int]
--
--_close = _libraries['magic'].magic_close
--_close.restype = None
--_close.argtypes = [magic_t]
--
--_file = _libraries['magic'].magic_file
--_file.restype = c_char_p
--_file.argtypes = [magic_t, c_char_p]
--
--_descriptor = _libraries['magic'].magic_descriptor
--_descriptor.restype = c_char_p
--_descriptor.argtypes = [magic_t, c_int]
--
--_buffer = _libraries['magic'].magic_buffer
--_buffer.restype = c_char_p
--_buffer.argtypes = [magic_t, c_void_p, c_size_t]
--
--_error = _libraries['magic'].magic_error
--_error.restype = c_char_p
--_error.argtypes = [magic_t]
--
--_setflags = _libraries['magic'].magic_setflags
--_setflags.restype = c_int
--_setflags.argtypes = [magic_t, c_int]
--
--_load = _libraries['magic'].magic_load
--_load.restype = c_int
--_load.argtypes = [magic_t, c_char_p]
--
--_compile = _libraries['magic'].magic_compile
--_compile.restype = c_int
--_compile.argtypes = [magic_t, c_char_p]
--
--_check = _libraries['magic'].magic_check
--_check.restype = c_int
--_check.argtypes = [magic_t, c_char_p]
--
--_list = _libraries['magic'].magic_list
--_list.restype = c_int
--_list.argtypes = [magic_t, c_char_p]
--
--_errno = _libraries['magic'].magic_errno
--_errno.restype = c_int
--_errno.argtypes = [magic_t]
--
--
--class Magic(object):
-- def __init__(self, ms):
-- self._magic_t = ms
--
-- def close(self):
-- """
-- Closes the magic database and deallocates any resources used.
-- """
-- _close(self._magic_t)
-
-- def file(self, filename):
-- """
-- Returns a textual description of the contents of the argument passed
-- as a filename or None if an error occurred and the MAGIC_ERROR flag
-- is set. A call to errno() will return the numeric error code.
-- """
-- try: # attempt python3 approach first
-- if isinstance(filename, bytes):
-- bi = filename
-- else:
-- bi = bytes(filename, 'utf-8')
-- return str(_file(self._magic_t, bi), 'utf-8')
-- except:
-- return _file(self._magic_t, filename.encode('utf-8'))
--
-- def descriptor(self, fd):
-- """
-- Like the file method, but the argument is a file descriptor.
-- """
-- return _descriptor(self._magic_t, fd)
-+"""
-
-- def buffer(self, buf):
-- """
-- Returns a textual description of the contents of the argument passed
-- as a buffer or None if an error occurred and the MAGIC_ERROR flag
-- is set. A call to errno() will return the numeric error code.
-- """
-- try: # attempt python3 approach first
-- return str(_buffer(self._magic_t, buf, len(buf)), 'utf-8')
-- except:
-- return _buffer(self._magic_t, buf, len(buf))
-+import sys
-+import glob
-+import os.path
-+import ctypes
-+import ctypes.util
-+import threading
-
-- def error(self):
-- """
-- Returns a textual explanation of the last error or None
-- if there was no error.
-- """
-- try: # attempt python3 approach first
-- return str(_error(self._magic_t), 'utf-8')
-- except:
-- return _error(self._magic_t)
-+from ctypes import c_char_p, c_int, c_size_t, c_void_p
-
-- def setflags(self, flags):
-- """
-- Set flags on the magic object which determine how magic checking
-- behaves; a bitwise OR of the flags described in libmagic(3), but
-- without the MAGIC_ prefix.
-
-- Returns -1 on systems that don't support utime(2) or utimes(2)
-- when PRESERVE_ATIME is set.
-- """
-- return _setflags(self._magic_t, flags)
-+class MagicException(Exception):
-+ def __init__(self, message):
-+ super(MagicException, self).__init__(message)
-+ self.message = message
-
-- def load(self, filename=None):
-- """
-- Must be called to load entries in the colon separated list of database
-- files passed as argument or the default database file if no argument
-- before any magic queries can be performed.
-
-- Returns 0 on success and -1 on failure.
-- """
-- return _load(self._magic_t, filename)
-+class Magic:
-+ """
-+ Magic is a wrapper around the libmagic C library.
-
-- def compile(self, dbs):
-- """
-- Compile entries in the colon separated list of database files
-- passed as argument or the default database file if no argument.
-- Returns 0 on success and -1 on failure.
-- The compiled files created are named from the basename(1) of each file
-- argument with ".mgc" appended to it.
-- """
-- return _compile(self._magic_t, dbs)
-+ """
-
-- def check(self, dbs):
-- """
-- Check the validity of entries in the colon separated list of
-- database files passed as argument or the default database file
-- if no argument.
-- Returns 0 on success and -1 on failure.
-+ def __init__(self, mime=False, magic_file=None, mime_encoding=False,
-+ keep_going=False, uncompress=False):
- """
-- return _check(self._magic_t, dbs)
-+ Create a new libmagic wrapper.
-
-- def list(self, dbs):
-+ mime - if True, mimetypes are returned instead of textual descriptions
-+ mime_encoding - if True, codec is returned
-+ magic_file - use a mime database other than the system default
-+ keep_going - don't stop at the first match, keep going
-+ uncompress - Try to look inside compressed files.
- """
-- Check the validity of entries in the colon separated list of
-- database files passed as argument or the default database file
-- if no argument.
-- Returns 0 on success and -1 on failure.
-- """
-- return _list(self._magic_t, dbs)
--
-- def errno(self):
-+ self.flags = MAGIC_NONE
-+ if mime:
-+ self.flags |= MAGIC_MIME
-+ elif mime_encoding:
-+ self.flags |= MAGIC_MIME_ENCODING
-+ if keep_going:
-+ self.flags |= MAGIC_CONTINUE
-+
-+ if uncompress:
-+ self.flags |= MAGIC_COMPRESS
-+
-+ self.cookie = magic_open(self.flags)
-+ self.lock = threading.Lock()
-+
-+ magic_load(self.cookie, magic_file)
-+
-+ def from_buffer(self, buf):
- """
-- Returns a numeric error code. If return value is 0, an internal
-- magic error occurred. If return value is non-zero, the value is
-- an OS error code. Use the errno module or os.strerror() can be used
-- to provide detailed error information.
-+ Identify the contents of `buf`
- """
-- return _errno(self._magic_t)
--
-+ with self.lock:
-+ try:
-+ return magic_buffer(self.cookie, buf)
-+ except MagicException as e:
-+ return self._handle509Bug(e)
-+
-+ def from_file(self, filename):
-+ # raise FileNotFoundException or IOError if the file does not exist
-+ with open(filename):
-+ pass
-+ with self.lock:
-+ try:
-+ return magic_file(self.cookie, filename)
-+ except MagicException as e:
-+ return self._handle509Bug(e)
-+
-+ def _handle509Bug(self, e):
-+ # libmagic 5.09 has a bug where it might fail to identify the
-+ # mimetype of a file and returns null from magic_file (and
-+ # likely _buffer), but also does not return an error message.
-+ if e.message is None and (self.flags & MAGIC_MIME):
-+ return "application/octet-stream"
-+
-+ def __del__(self):
-+ # no _thread_check here because there can be no other
-+ # references to this object at this point.
-+
-+ # during shutdown magic_close may have been cleared already so
-+ # make sure it exists before using it.
-+
-+ # the self.cookie check should be unnecessary and was an
-+ # incorrect fix for a threading problem, however I'm leaving
-+ # it in because it's harmless and I'm slightly afraid to
-+ # remove it.
-+ if self.cookie and magic_close:
-+ magic_close(self.cookie)
-+ self.cookie = None
-+
-+_instances = {}
-+
-+def _get_magic_type(mime):
-+ i = _instances.get(mime)
-+ if i is None:
-+ i = _instances[mime] = Magic(mime=mime)
-+ return i
-+
-+def from_file(filename, mime=False):
-+ """"
-+ Accepts a filename and returns the detected filetype. Return
-+ value is the mimetype if mime=True, otherwise a human readable
-+ name.
-+
-+ >>> magic.from_file("testdata/test.pdf", mime=True)
-+ 'application/pdf'
-+ """
-+ m = _get_magic_type(mime)
-+ return m.from_file(filename)
-
--def open(flags):
-+def from_buffer(buffer, mime=False):
- """
-- Returns a magic object on success and None on failure.
-- Flags argument as for setflags.
-+ Accepts a binary string and returns the detected filetype. Return
-+ value is the mimetype if mime=True, otherwise a human readable
-+ name.
-+
-+ >>> magic.from_buffer(open("testdata/test.pdf").read(1024))
-+ 'PDF document, version 1.2'
- """
-- return Magic(_open(flags))
-+ m = _get_magic_type(mime)
-+ return m.from_buffer(buffer)
-+
-+
-+
-+
-+libmagic = None
-+# Let's try to find magic or magic1
-+dll = ctypes.util.find_library('magic') or ctypes.util.find_library('magic1') or ctypes.util.find_library('cygmagic-1')
-+
-+# This is necessary because find_library returns None if it doesn't find the library
-+if dll:
-+ libmagic = ctypes.CDLL(dll)
-+
-+if not libmagic or not libmagic._name:
-+ windows_dlls = ['magic1.dll','cygmagic-1.dll']
-+ platform_to_lib = {'darwin': ['/opt/local/lib/libmagic.dylib',
-+ '/usr/local/lib/libmagic.dylib'] +
-+ # Assumes there will only be one version installed
-+ glob.glob('/usr/local/Cellar/libmagic/*/lib/libmagic.dylib'),
-+ 'win32': windows_dlls,
-+ 'cygwin': windows_dlls }
-+ for dll in platform_to_lib.get(sys.platform, []):
-+ try:
-+ libmagic = ctypes.CDLL(dll)
-+ break
-+ except OSError:
-+ pass
-+
-+if not libmagic or not libmagic._name:
-+ # It is better to raise an ImportError since we are importing magic module
-+ raise ImportError('failed to find libmagic. Check your installation')
-+
-+magic_t = ctypes.c_void_p
-+
-+def errorcheck_null(result, func, args):
-+ if result is None:
-+ err = magic_error(args[0])
-+ raise MagicException(err)
-+ else:
-+ return result
-+
-+def errorcheck_negative_one(result, func, args):
-+ if result is -1:
-+ err = magic_error(args[0])
-+ raise MagicException(err)
-+ else:
-+ return result
-+
-+
-+def coerce_filename(filename):
-+ if filename is None:
-+ return None
-+
-+ # ctypes will implicitly convert unicode strings to bytes with
-+ # .encode('ascii'). If you use the filesystem encoding
-+ # then you'll get inconsistent behavior (crashes) depending on the user's
-+ # LANG environment variable
-+ is_unicode = (sys.version_info[0] <= 2 and
-+ isinstance(filename, unicode)) or \
-+ (sys.version_info[0] >= 3 and
-+ isinstance(filename, str))
-+ if is_unicode:
-+ return filename.encode('utf-8')
-+ else:
-+ return filename
-+
-+magic_open = libmagic.magic_open
-+magic_open.restype = magic_t
-+magic_open.argtypes = [c_int]
-+
-+magic_close = libmagic.magic_close
-+magic_close.restype = None
-+magic_close.argtypes = [magic_t]
-+
-+magic_error = libmagic.magic_error
-+magic_error.restype = c_char_p
-+magic_error.argtypes = [magic_t]
-+
-+magic_errno = libmagic.magic_errno
-+magic_errno.restype = c_int
-+magic_errno.argtypes = [magic_t]
-+
-+_magic_file = libmagic.magic_file
-+_magic_file.restype = c_char_p
-+_magic_file.argtypes = [magic_t, c_char_p]
-+_magic_file.errcheck = errorcheck_null
-+
-+def magic_file(cookie, filename):
-+ return _magic_file(cookie, coerce_filename(filename))
-+
-+_magic_buffer = libmagic.magic_buffer
-+_magic_buffer.restype = c_char_p
-+_magic_buffer.argtypes = [magic_t, c_void_p, c_size_t]
-+_magic_buffer.errcheck = errorcheck_null
-+
-+def magic_buffer(cookie, buf):
-+ return _magic_buffer(cookie, buf, len(buf))
-+
-+
-+_magic_load = libmagic.magic_load
-+_magic_load.restype = c_int
-+_magic_load.argtypes = [magic_t, c_char_p]
-+_magic_load.errcheck = errorcheck_negative_one
-+
-+def magic_load(cookie, filename):
-+ return _magic_load(cookie, coerce_filename(filename))
-+
-+magic_setflags = libmagic.magic_setflags
-+magic_setflags.restype = c_int
-+magic_setflags.argtypes = [magic_t, c_int]
-+
-+magic_check = libmagic.magic_check
-+magic_check.restype = c_int
-+magic_check.argtypes = [magic_t, c_char_p]
-+
-+magic_compile = libmagic.magic_compile
-+magic_compile.restype = c_int
-+magic_compile.argtypes = [magic_t, c_char_p]
-+
-+
-+
-+MAGIC_NONE = 0x000000 # No flags
-+MAGIC_DEBUG = 0x000001 # Turn on debugging
-+MAGIC_SYMLINK = 0x000002 # Follow symlinks
-+MAGIC_COMPRESS = 0x000004 # Check inside compressed files
-+MAGIC_DEVICES = 0x000008 # Look at the contents of devices
-+MAGIC_MIME = 0x000010 # Return a mime string
-+MAGIC_MIME_ENCODING = 0x000400 # Return the MIME encoding
-+MAGIC_CONTINUE = 0x000020 # Return all matches
-+MAGIC_CHECK = 0x000040 # Print warnings to stderr
-+MAGIC_PRESERVE_ATIME = 0x000080 # Restore access time on exit
-+MAGIC_RAW = 0x000100 # Don't translate unprintable chars
-+MAGIC_ERROR = 0x000200 # Handle ENOENT etc as real errors
-+
-+MAGIC_NO_CHECK_COMPRESS = 0x001000 # Don't check for compressed files
-+MAGIC_NO_CHECK_TAR = 0x002000 # Don't check for tar files
-+MAGIC_NO_CHECK_SOFT = 0x004000 # Don't check magic entries
-+MAGIC_NO_CHECK_APPTYPE = 0x008000 # Don't check application type
-+MAGIC_NO_CHECK_ELF = 0x010000 # Don't check for elf details
-+MAGIC_NO_CHECK_ASCII = 0x020000 # Don't check for ascii files
-+MAGIC_NO_CHECK_TROFF = 0x040000 # Don't check ascii/troff
-+MAGIC_NO_CHECK_FORTRAN = 0x080000 # Don't check ascii/fortran
-+MAGIC_NO_CHECK_TOKENS = 0x100000 # Don't check ascii/tokens
---
-1.8.4.2
-
diff --git a/external/meta-spdxscanner/recipes-devtools/file/file_%.bbappend b/external/meta-spdxscanner/recipes-devtools/file/file_%.bbappend
deleted file mode 100644
index 8bb8199a..00000000
--- a/external/meta-spdxscanner/recipes-devtools/file/file_%.bbappend
+++ /dev/null
@@ -1,3 +0,0 @@
-SRC_URI_native += " 0001-magic.py-modified-for-dosocs2.patch \
- "
-
diff --git a/external/meta-spdxscanner/recipes-devtools/fossology/fossology-nomos-native_git.bb b/external/meta-spdxscanner/recipes-devtools/fossology/fossology-nomos-native_git.bb
deleted file mode 100644
index e034a341..00000000
--- a/external/meta-spdxscanner/recipes-devtools/fossology/fossology-nomos-native_git.bb
+++ /dev/null
@@ -1,29 +0,0 @@
-DESCRIPTION = "SPDX 2.0 document creation and storage"
-HOMEPAGE = "https://github.com/DoSOCSv2/DoSOCSv2"
-SECTION = "devel/python"
-LICENSE = "GPLv2"
-
-LIC_FILES_CHKSUM = "file://GenCodeCopyright;md5=7296ec131dbd040718b64fb843d63048"
-DEPENDS = "glib-2.0-native libpcre-native"
-
-SRCREV = "34467fd530b832f08c095936a72c22c40fa13278"
-BRANCH = "release/${PV}/master"
-SRC_URI = "git://github.com/fossology/fossology.git \
- file://0001-Add-rpath-to-fix-error-as-following.patch \
- "
-
-S = "${WORKDIR}/git/src/nomos/agent"
-
-inherit native
-
-do_compile() {
- cp ${S}/Makefile.sa ${S}/Makefile -f
- make
-}
-
-do_install() {
- oe_runmake install \
- DESTDIR="${D}" \
- PREFIX="${prefix}" \
- SBINDIR="${D}${sbindir}"
-}
diff --git a/external/meta-spdxscanner/recipes-devtools/fossology/fossology-nomos/0001-Add-rpath-to-fix-error-as-following.patch b/external/meta-spdxscanner/recipes-devtools/fossology/fossology-nomos/0001-Add-rpath-to-fix-error-as-following.patch
deleted file mode 100644
index 4052b1c8..00000000
--- a/external/meta-spdxscanner/recipes-devtools/fossology/fossology-nomos/0001-Add-rpath-to-fix-error-as-following.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From b81cced8566406c85b38a1c3c71858982a3dd4a5 Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Wed, 1 Mar 2017 10:23:03 +0900
-Subject: [PATCH] Add rpath to fix error as following:
-
-/usr/bin/ld: warning: libpcre.so.1, needed by tmp/sysroots/x86_64-linux/usr/lib/libglib-2.0.so, not found (try using -rpath or -rpath-link)
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- Makefile.sa | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile.sa b/Makefile.sa
-index 24a16ca..f39bdd6 100644
---- a/Makefile.sa
-+++ b/Makefile.sa
-@@ -26,7 +26,7 @@ all: encode nomos
- debug: nomos-gl
-
- nomos: nomos.o $(OBJS) $(GENOBJS)
-- $(CC) nomos.o $(OBJS) $(GENOBJS) $(CFLAGS_LOCAL) -o $(EXE)
-+ $(CC) nomos.o $(OBJS) $(GENOBJS) $(CFLAGS_LOCAL) -o $(EXE) -Wl,-rpath,${libdir}
-
- nomos.o: nomos.c $(HDRS) $(DB) $(REPO) $(AGENTLIB) $(VARS)
- $(CC) -c $< $(CFLAGS_LOCAL) $(DEFS)
---
-1.8.4.2
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/files/0001-Delete-the-version-limit-for-dosocs2.patch b/external/meta-spdxscanner/recipes-devtools/python/files/0001-Delete-the-version-limit-for-dosocs2.patch
deleted file mode 100644
index 5773b8b6..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/files/0001-Delete-the-version-limit-for-dosocs2.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 3e3bef6aff2563e4bb206c1169b783a1c61308e5 Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Fri, 25 Aug 2017 03:03:06 +0900
-Subject: [PATCH] Delete the version limit for dosocs2.
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- setup.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/setup.py b/setup.py
-index b35863f..1bae161 100644
---- a/setup.py
-+++ b/setup.py
-@@ -1,6 +1,6 @@
- from setuptools import setup
-
--_dosocs2_version = '0.16.1'
-+_dosocs2_version = ''
-
- install_requires=[
- ]
---
-2.7.4
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/files/0001-Deleted-version-limit-for-dosocs2.patch b/external/meta-spdxscanner/recipes-devtools/python/files/0001-Deleted-version-limit-for-dosocs2.patch
deleted file mode 100644
index 4daab5ea..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/files/0001-Deleted-version-limit-for-dosocs2.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From f9b27dee4dc01dafec111957a1ad411f20bcb644 Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Fri, 25 Aug 2017 03:17:19 +0900
-Subject: [PATCH] Deleted version limit for dosocs2.
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- setup.py | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/setup.py b/setup.py
-index b35863f..9be6cd7 100644
---- a/setup.py
-+++ b/setup.py
-@@ -10,7 +10,6 @@ tests_require=[
-
- setup(
- name='dosocs2',
-- version=_dosocs2_version,
- description='SPDX 2.0 document creation and storage',
- long_description='',
- url='https://github.com/DoSOCSv2/DoSOCSv2',
---
-2.7.4
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/files/0001-setup-py-delete-the-depends-install.patch b/external/meta-spdxscanner/recipes-devtools/python/files/0001-setup-py-delete-the-depends-install.patch
deleted file mode 100644
index 41f6bb2c..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/files/0001-setup-py-delete-the-depends-install.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d282ba074625922d12615af676ac1f0e922db88f Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Wed, 15 Feb 2017 23:23:53 +0900
-Subject: [PATCH] setup.py: delete the depends install
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- setup.py | 7 -------
- 1 file changed, 7 deletions(-)
-
-diff --git a/setup.py b/setup.py
-index 527b161..b35863f 100644
---- a/setup.py
-+++ b/setup.py
-@@ -3,16 +3,9 @@ from setuptools import setup
- _dosocs2_version = '0.16.1'
-
- install_requires=[
-- 'jinja2',
-- 'python-magic',
-- 'docopt',
-- 'SQLAlchemy',
-- 'psycopg2'
- ]
-
- tests_require=[
-- 'pytest',
-- 'mock'
- ]
-
- setup(
---
-1.8.4.2
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python-futures/python-futures_%.bbappend b/external/meta-spdxscanner/recipes-devtools/python/python-futures/python-futures_%.bbappend
deleted file mode 100644
index d3267ac4..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python-futures/python-futures_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-BBCLASSEXTEND = "native"
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python-lid_git.bb b/external/meta-spdxscanner/recipes-devtools/python/python-lid_git.bb
deleted file mode 100644
index 1897f467..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python-lid_git.bb
+++ /dev/null
@@ -1,25 +0,0 @@
-DESCRIPTION = "Identify OS licenses and OS license text in source code."
-HOMEPAGE = "https://source.codeaurora.org/external/qostg/lid/"
-SECTION = "devel/python"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3dd6f349067c9c1c473ae3f54efeb2e0"
-
-SRC_URI = "git://source.codeaurora.org/external/qostg/lid;protocol=https \
- "
-
-S = "${WORKDIR}/git"
-
-SRCREV = "d4ec360b51f34e8e73dcad7b0539fc0029eb7a20"
-BRANCH = "master"
-PV = "1"
-
-inherit distutils pythonnative setuptools python-dir
-
-DEPENDS += "python-pyyaml-native \
- python-future-native \
- python-nltk-native \
- python-six-native \
- python-chardet \
- "
-
-BBCLASSEXTEND = "native"
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python-nltk_3.0.3.bb b/external/meta-spdxscanner/recipes-devtools/python/python-nltk_3.0.3.bb
deleted file mode 100644
index 0c9e5d2c..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python-nltk_3.0.3.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "Natural Language Toolkit"
-DESCRIPTION = "NLTK is a leading platform for building Python programs \
-to work with human language data."
-HOMEPAGE = "http://www.nltk.org/"
-SECTION = "libs"
-
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=dda944de6d6a9ad8f6bb436dffdade1b"
-
-SRC_URI = "https://pypi.python.org/packages/source/n/nltk/nltk-${PV}.tar.gz \
- "
-
-SRC_URI[md5sum] = "7bda53f59051337554d243bef904a5e9"
-SRC_URI[sha256sum] = "28d6175984445b9cdcc719f36701f034320edbecb78b69a37d1edc876843ea93"
-
-inherit distutils pythonnative setuptools python-dir
-
-S="${WORKDIR}/nltk-3.0.3"
-
-BBCLASSEXTEND = "native"
-
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python-whatthepatch_0.0.5.bb b/external/meta-spdxscanner/recipes-devtools/python/python-whatthepatch_0.0.5.bb
deleted file mode 100644
index b9ba7c6a..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python-whatthepatch_0.0.5.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "A patch parsing library"
-DESCRIPTION = "What The Patch!? is a library for parsing patch files. \
-Its only purpose is to read a patch file and get it into some usable form by other programs."
-HOMEPAGE = "https://pypi.python.org/pypi/whatthepatch"
-SECTION = "libs"
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://setup.py;md5=a6377e466f612f442bbc6bb2e91eee5d"
-
-SRC_URI = "https://pypi.python.org/packages/64/1e/7a63cba8a0d70245b9ab1c03694dabe36476fa65ee546e6dff6c8660434c/whatthepatch-0.0.5.tar.gz \
- "
-
-SRC_URI[md5sum] = "80d7c24de99ca9501f07b42e88d6f7c1"
-SRC_URI[sha256sum] = "494a2ec6c05b80f9ed1bd773f5ac9411298e1af6f0385f179840b5d60d001aa6"
-
-S="${WORKDIR}/whatthepatch-0.0.5"
-PYTHON_INHERIT = "${@bb.utils.contains('PACKAGECONFIG', 'python2', 'pythonnative', '', d)}"
-PYTHON_INHERIT = "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native', '', d)}"
-
-inherit distutils ${PYTHON_INHERIT} setuptools python-dir
-
-BBCLASSEXTEND = "native"
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-docopt_0.6.2.bb b/external/meta-spdxscanner/recipes-devtools/python/python3-docopt_0.6.2.bb
deleted file mode 100644
index 2b1dd0a8..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-docopt_0.6.2.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-DESCRIPTION = "Pythonic command line arguments parser, that will make you smile http://docopt.org"
-HOMEPAGE = "http://docopt.org"
-SECTION = "devel/python"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=09b77fb74986791a3d4a0e746a37d88f"
-
-SRC_NAME = "docopt"
-SRC_URI = "https://github.com/docopt/docopt/archive/${PV}.tar.gz;downloadfilename=${SRC_NAME}-${PV}.tar.gz"
-
-S = "${WORKDIR}/${SRC_NAME}-${PV}/"
-
-SRC_URI[md5sum] = "a6c44155426fd0f7def8b2551d02fef6"
-SRC_URI[sha256sum] = "2113eed1e7fbbcd43fb7ee6a977fb02d0b482753586c9dc1a8e3b7d541426e99"
-
-inherit setuptools3 python3-dir
-
-BBCLASSEXTEND = "native"
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2-init_git.bb b/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2-init_git.bb
deleted file mode 100644
index 200f5963..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2-init_git.bb
+++ /dev/null
@@ -1,49 +0,0 @@
-DESCRIPTION = "SPDX 2.0 document creation and storage"
-HOMEPAGE = "https://github.com/DoSOCSv2/DoSOCSv2"
-SECTION = "devel/python"
-LICENSE = "GPLv2"
-
-SRCREV = "97140a1fc2905ca646220dace1692e0ede475e3e"
-BRANCH = "master"
-PV = "0.16.1"
-
-addtask do_dosocs2_init before do_populate_sysroot
-
-do_dosocs2_init[depends] += "python3-dosocs2-native:do_populate_sysroot"
-
-DEPENDS = "python3-dosocs2-native"
-
-BBCLASSEXTEND = "native"
-
-inherit distutils3 python3native setuptools3 python3-dir
-
-python do_dosocs2_init() {
-
- import os
- import subprocess
- import bb
- import oe.utils
- import oe.path
- import string
-
- path = os.getenv('PATH')
- dosocs2_cmd = bb.utils.which(os.getenv('PATH'), "dosocs2")
- dosocs2_init_cmd = dosocs2_cmd + " dbinit --no-confirm"
- #dosocs2_init_cmd = dosocs2_cmd + " --help"
- bb.note("lmh test PATH = %s " % path)
- bb.note("lmh test dosocs2_init_cmd = %s " % dosocs2_init_cmd)
- try:
- complementary_pkgs = subprocess.check_output(dosocs2_init_cmd,
- stderr=subprocess.STDOUT,
- shell=True)
- return
- except subprocess.CalledProcessError as e:
- bb.fatal("Could not invoke dosocs2 dbinit Command "
- "'%s' returned %d:\n%s" % (dosocs2_init_cmd, e.returncode, e.output))
-}
-deltask do_fetch
-deltask do_unpack
-deltask do_patch
-deltask do_configure
-deltask do_compile
-deltask do_install
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-a-error-as-fowllowing.patch b/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-a-error-as-fowllowing.patch
deleted file mode 100644
index 870201d4..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-a-error-as-fowllowing.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 957574355fe80e0dfb86d7318cdd105e472294a4 Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Sun, 12 Nov 2017 00:37:10 +0900
-Subject: [PATCH] Fix a error as fowllowing:
-
-" TypeError: cannot use a string pattern on a bytes-like object"
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- dosocs2/scanners/nomos.py | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/dosocs2/scanners/nomos.py b/dosocs2/scanners/nomos.py
-index e4f2901..ebdde74 100644
---- a/dosocs2/scanners/nomos.py
-+++ b/dosocs2/scanners/nomos.py
-@@ -34,6 +34,7 @@ class Nomos(scannerbase.FileLicenseScanner):
- return ''
-
- def _get_licenses(self, file, nomos_output):
-+ nomos_output = nomos_output.decode('utf-8')
- parsed_output = [
- Nomos.Evidence(*item)
- for item in re.findall(self.search_pattern, nomos_output)
---
-2.7.4
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-a-magic-error-as-following.patch b/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-a-magic-error-as-following.patch
deleted file mode 100644
index 4b1e3977..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-a-magic-error-as-following.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From c4ae0f2eb4a2a03329089419fe6f1b0cd05548f9 Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Mon, 13 Nov 2017 15:43:51 +0900
-Subject: [PATCH] Fix a magic error as following:
-
-could not find any valid magic files!
----
- dosocs2/util.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dosocs2/util.py b/dosocs2/util.py
-index aba864c..200688e 100644
---- a/dosocs2/util.py
-+++ b/dosocs2/util.py
-@@ -30,7 +30,7 @@ import uuid
- import zipfile
-
- import magic
--
-+magic = magic.Magic(magic_file="path_to_magic_file")
-
- def bool_from_str(s):
- if s.lower() == 'true':
---
-2.7.4
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-bugs-because-python-from-2.x-to-3.x.patch b/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-bugs-because-python-from-2.x-to-3.x.patch
deleted file mode 100644
index f648d501..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2/0001-Fix-bugs-because-python-from-2.x-to-3.x.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From dbea8f1cf03b986ce98d50faa39f8721048b280e Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Thu, 26 Oct 2017 16:08:39 +0900
-Subject: [PATCH] Fix bugs because python from 2.x to 3.x.
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- dosocs2/render.py | 4 ++--
- dosocs2/scannerbase.py | 6 +++---
- dosocs2/spdxdb.py | 2 +-
- dosocs2/util.py | 30 +++++++++++++++---------------
- 4 files changed, 21 insertions(+), 21 deletions(-)
-
-diff --git a/dosocs2/render.py b/dosocs2/render.py
-index 7118e3d..434bb5b 100644
---- a/dosocs2/render.py
-+++ b/dosocs2/render.py
-@@ -54,7 +54,7 @@ def get_row(conn, query):
-
-
- def get_rows(conn, query):
-- return list(sorted(dict(**row) for row in conn.execute(query)))
-+ return list(dict(**row) for row in conn.execute(query))
-
-
- def render_template(templatefile, context):
-@@ -77,7 +77,7 @@ def render_document(conn, docid, template_file):
- query = queries.relationships(document['document_namespace_id'], package['id_string'])
- package['relationships'] = get_rows(conn, query)
- package['files'] = get_rows(conn, queries.documents_files(docid, package['package_id']))
-- for file in sorted(package['files']):
-+ for file in package['files']:
- file['license_info'] = get_rows(conn, queries.files_licenses(file['file_id']))
- file['contributors'] = get_rows(conn, queries.file_contributors(file['file_id']))
- file['annotations'] = get_rows(conn, queries.annotations(docid, file['id_string']))
-diff --git a/dosocs2/scannerbase.py b/dosocs2/scannerbase.py
-index d7a38b6..a54dce7 100644
---- a/dosocs2/scannerbase.py
-+++ b/dosocs2/scannerbase.py
-@@ -274,8 +274,8 @@ class FileLicenseScanner(Scanner):
-
- Return the new or existing license object in any case.
- '''
-- transtable = string.maketrans('()[]<>', '------')
-- short_name = string.translate(short_name, transtable)
-+ transtable = str.maketrans('()[]<>', '------')
-+ short_name = str.translate(short_name, transtable)
- existing_license = FileLicenseScanner.lookup_license(conn, short_name)
- if existing_license is not None:
- return existing_license
-@@ -311,7 +311,7 @@ class FileLicenseScanner(Scanner):
-
- def store_results(self, processed_files):
- licenses_to_add = []
-- for (file, licenses_extracted) in processed_files.iteritems():
-+ for (file, licenses_extracted) in processed_files.items():
- licenses = []
- for license_name in licenses_extracted:
- license_kwargs = {
-diff --git a/dosocs2/spdxdb.py b/dosocs2/spdxdb.py
-index a8d3fd6..b8aef5f 100644
---- a/dosocs2/spdxdb.py
-+++ b/dosocs2/spdxdb.py
-@@ -135,7 +135,7 @@ def register_package(conn, package_root, name=None, version=None, comment=None,
- package['package_id'] = insert(conn, db.packages, package)
- # Create packages_files rows
- row_params = []
-- for (file_path, file_sha256) in hashes.iteritems():
-+ for (file_path, file_sha256) in hashes.items():
- fileobj = register_file(conn, file_path, known_sha256=file_sha256)
- package_file_params = {
- 'package_id': package['package_id'],
-diff --git a/dosocs2/util.py b/dosocs2/util.py
-index 5670f67..aba864c 100644
---- a/dosocs2/util.py
-+++ b/dosocs2/util.py
-@@ -43,23 +43,23 @@ def bool_from_str(s):
-
- def is_source(magic_string):
- return (
-- ' source' in magic_string and ' text' in magic_string or
-- ' script' in magic_string and ' text' in magic_string or
-- ' program' in magic_string and ' text' in magic_string or
-- ' shell script' in magic_string or
-- ' text executable' in magic_string or
-- 'HTML' in magic_string and 'text' in magic_string or
-- 'XML' in magic_string and 'text' in magic_string
-+ b' source' in magic_string and b' text' in magic_string or
-+ b' script' in magic_string and b' text' in magic_string or
-+ b' program' in magic_string and b' text' in magic_string or
-+ b' shell script' in magic_string or
-+ b' text executable' in magic_string or
-+ b'HTML' in magic_string and b'text' in magic_string or
-+ b'XML' in magic_string and b'text' in magic_string
- )
-
-
- def is_binary(magic_string):
- return (
-- ' executable' in magic_string or
-- ' relocatable' in magic_string or
-- ' shared object' in magic_string or
-- ' dynamically linked' in magic_string or
-- ' ar archive' in magic_string
-+ b' executable' in magic_string or
-+ b' relocatable' in magic_string or
-+ b' shared object' in magic_string or
-+ b' dynamically linked' in magic_string or
-+ b' ar archive' in magic_string
- )
-
-
-@@ -70,7 +70,7 @@ def spdx_filetype(filename):
- return 'SOURCE'
- if is_binary(magic_string):
- return 'BINARY'
-- if 'archive' in magic_string:
-+ if b'archive' in magic_string:
- return 'ARCHIVE'
- return 'OTHER'
-
-@@ -158,7 +158,7 @@ def gen_ver_code(hashes, excluded_hashes=None):
- excluded_hashes = set()
- hashes_less_excluded = (h for h in hashes if h not in excluded_hashes)
- hashblob = ''.join(sorted(hashes_less_excluded))
-- return hashlib.sha256(hashblob).hexdigest()
-+ return hashlib.sha256((hashblob).encode('utf-8')).hexdigest()
-
-
- def get_dir_hashes(path, excluded_hashes=None):
-@@ -184,7 +184,7 @@ def get_dir_hashes(path, excluded_hashes=None):
- and hashes.get(abspath) not in excluded_hashes
- )
- rel_listing_hashes = (
-- hashlib.sha256(relpath).hexdigest()
-+ hashlib.sha256((relpath).encode('utf-8')).hexdigest()
- for relpath in sorted(relative_listing)
- )
- return (gen_ver_code(hashes.values(), excluded_hashes),
---
-2.7.4
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2_git.bb b/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2_git.bb
deleted file mode 100644
index 75d43955..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-dosocs2_git.bb
+++ /dev/null
@@ -1,36 +0,0 @@
-DESCRIPTION = "SPDX 2.0 document creation and storage"
-HOMEPAGE = "https://github.com/DoSOCSv2/DoSOCSv2"
-SECTION = "devel/python"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-SRC_URI = "git://github.com/DoSOCSv2/DoSOCSv2.git;branch=dev \
- file://0001-setup-py-delete-the-depends-install.patch \
- file://0001-Fix-bugs-because-python-from-2.x-to-3.x.patch \
- file://0001-Fix-a-error-as-fowllowing.patch \
- file://0001-Fix-a-magic-error-as-following.patch \
- "
-
-S = "${WORKDIR}/git"
-
-SRCREV = "aa84166694913bf1d2cce416f1c2bff120c3ba3b"
-BRANCH = "dev"
-PV = "0.16.1"
-
-inherit distutils3 python3native setuptools3 python3-dir
-
-DEPENDS += "python3-jinja2-native \
- python3-psycopg2-native \
- python3-docopt-native \
- python3-sqlalchemy-native \
- file-native \
- fossology-nomos-native \
- python3-markupsafe-native \
- python3-magic-native "
-
-do_install_append() {
- sed -i "s|scanner_nomos_path = /usr/local/|scanner_nomos_path = ${STAGING_DIR_NATIVE}/usr/|g" ${D}${PYTHON_SITEPACKAGES_DIR}/dosocs2/configtools.py
- sed -i "s,path_to_magic_file,${STAGING_DATADIR_NATIVE}/misc/magic," ${D}${STAGING_LIBDIR}/${PYTHON_DIR}/site-packages/dosocs2/util.py
-}
-
-BBCLASSEXTEND = "native"
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-jinja2_%.bbappend b/external/meta-spdxscanner/recipes-devtools/python/python3-jinja2_%.bbappend
deleted file mode 100644
index 3eecfad0..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-jinja2_%.bbappend
+++ /dev/null
@@ -1,3 +0,0 @@
-BBCLASSEXTEND = "native"
-
-RDEPENDS_${PN} = "python3-sphinx python3-markupsafe"
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-lid_git.bb b/external/meta-spdxscanner/recipes-devtools/python/python3-lid_git.bb
deleted file mode 100644
index c93e86d8..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-lid_git.bb
+++ /dev/null
@@ -1,25 +0,0 @@
-DESCRIPTION = "Identify OS licenses and OS license text in source code."
-HOMEPAGE = "https://source.codeaurora.org/external/qostg/lid/"
-SECTION = "devel/python"
-LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3dd6f349067c9c1c473ae3f54efeb2e0"
-
-SRC_URI = "git://source.codeaurora.org/external/qostg/lid;protocol=https \
- "
-
-S = "${WORKDIR}/git"
-
-SRCREV = "d4ec360b51f34e8e73dcad7b0539fc0029eb7a20"
-BRANCH = "master"
-PV = "0.16.1"
-
-inherit distutils pythonnative setuptools python-dir
-
-DEPENDS += "python-pyyaml-native \
- python-future-native \
- python-nltk-native \
- python-six-native \
- python-chardet-native \
- "
-
-BBCLASSEXTEND = "native"
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-magic-5.25/0001-Modified-the-magic.py-for-dosocs2-to-fix-the-error-a.patch b/external/meta-spdxscanner/recipes-devtools/python/python3-magic-5.25/0001-Modified-the-magic.py-for-dosocs2-to-fix-the-error-a.patch
deleted file mode 100644
index 1383df4e..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-magic-5.25/0001-Modified-the-magic.py-for-dosocs2-to-fix-the-error-a.patch
+++ /dev/null
@@ -1,504 +0,0 @@
-From ef5ad90f3aba98ae3e222f6b076377701997585b Mon Sep 17 00:00:00 2001
-From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
-Date: Fri, 5 May 2017 02:23:24 +0900
-Subject: [PATCH] Modified the magic.py for dosocs2 to fix the error as
- fowllowing.
-
-AttributeError: 'module' object has no attribute 'from_file'
-
-Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
----
- magic.py | 462 ++++++++++++++++++++++++++++++++------------------------
- 1 file changed, 262 insertions(+), 200 deletions(-)
-
-diff --git a/magic.py b/magic.py
-index a17e8da..c6142a7 100644
---- a/magic.py
-+++ b/magic.py
-@@ -1,221 +1,283 @@
--#!/usr/bin/env python
--'''
--Python bindings for libmagic
--'''
-+"""
-+magic is a wrapper around the libmagic file identification library.
-
--import ctypes
-+See README for more information.
-
--from ctypes import *
--from ctypes.util import find_library
-+Usage:
-
-+>>> import magic
-+>>> magic.from_file("testdata/test.pdf")
-+'PDF document, version 1.2'
-+>>> magic.from_file("testdata/test.pdf", mime=True)
-+'application/pdf'
-+>>> magic.from_buffer(open("testdata/test.pdf").read(1024))
-+'PDF document, version 1.2'
-+>>>
-
--def _init():
-- """
-- Loads the shared library through ctypes and returns a library
-- L{ctypes.CDLL} instance
-- """
-- return ctypes.cdll.LoadLibrary(find_library('magic'))
--
--_libraries = {}
--_libraries['magic'] = _init()
--
--# Flag constants for open and setflags
--MAGIC_NONE = NONE = 0
--MAGIC_DEBUG = DEBUG = 1
--MAGIC_SYMLINK = SYMLINK = 2
--MAGIC_COMPRESS = COMPRESS = 4
--MAGIC_DEVICES = DEVICES = 8
--MAGIC_MIME_TYPE = MIME_TYPE = 16
--MAGIC_CONTINUE = CONTINUE = 32
--MAGIC_CHECK = CHECK = 64
--MAGIC_PRESERVE_ATIME = PRESERVE_ATIME = 128
--MAGIC_RAW = RAW = 256
--MAGIC_ERROR = ERROR = 512
--MAGIC_MIME_ENCODING = MIME_ENCODING = 1024
--MAGIC_MIME = MIME = 1040
--MAGIC_APPLE = APPLE = 2048
--
--MAGIC_NO_CHECK_COMPRESS = NO_CHECK_COMPRESS = 4096
--MAGIC_NO_CHECK_TAR = NO_CHECK_TAR = 8192
--MAGIC_NO_CHECK_SOFT = NO_CHECK_SOFT = 16384
--MAGIC_NO_CHECK_APPTYPE = NO_CHECK_APPTYPE = 32768
--MAGIC_NO_CHECK_ELF = NO_CHECK_ELF = 65536
--MAGIC_NO_CHECK_TEXT = NO_CHECK_TEXT = 131072
--MAGIC_NO_CHECK_CDF = NO_CHECK_CDF = 262144
--MAGIC_NO_CHECK_TOKENS = NO_CHECK_TOKENS = 1048576
--MAGIC_NO_CHECK_ENCODING = NO_CHECK_ENCODING = 2097152
--
--MAGIC_NO_CHECK_BUILTIN = NO_CHECK_BUILTIN = 4173824
--
--
--class magic_set(Structure):
-- pass
--magic_set._fields_ = []
--magic_t = POINTER(magic_set)
--
--_open = _libraries['magic'].magic_open
--_open.restype = magic_t
--_open.argtypes = [c_int]
--
--_close = _libraries['magic'].magic_close
--_close.restype = None
--_close.argtypes = [magic_t]
--
--_file = _libraries['magic'].magic_file
--_file.restype = c_char_p
--_file.argtypes = [magic_t, c_char_p]
--
--_descriptor = _libraries['magic'].magic_descriptor
--_descriptor.restype = c_char_p
--_descriptor.argtypes = [magic_t, c_int]
--
--_buffer = _libraries['magic'].magic_buffer
--_buffer.restype = c_char_p
--_buffer.argtypes = [magic_t, c_void_p, c_size_t]
--
--_error = _libraries['magic'].magic_error
--_error.restype = c_char_p
--_error.argtypes = [magic_t]
--
--_setflags = _libraries['magic'].magic_setflags
--_setflags.restype = c_int
--_setflags.argtypes = [magic_t, c_int]
--
--_load = _libraries['magic'].magic_load
--_load.restype = c_int
--_load.argtypes = [magic_t, c_char_p]
--
--_compile = _libraries['magic'].magic_compile
--_compile.restype = c_int
--_compile.argtypes = [magic_t, c_char_p]
--
--_check = _libraries['magic'].magic_check
--_check.restype = c_int
--_check.argtypes = [magic_t, c_char_p]
--
--_list = _libraries['magic'].magic_list
--_list.restype = c_int
--_list.argtypes = [magic_t, c_char_p]
--
--_errno = _libraries['magic'].magic_errno
--_errno.restype = c_int
--_errno.argtypes = [magic_t]
--
--
--class Magic(object):
-- def __init__(self, ms):
-- self._magic_t = ms
--
-- def close(self):
-- """
-- Closes the magic database and deallocates any resources used.
-- """
-- _close(self._magic_t)
-
-- def file(self, filename):
-- """
-- Returns a textual description of the contents of the argument passed
-- as a filename or None if an error occurred and the MAGIC_ERROR flag
-- is set. A call to errno() will return the numeric error code.
-- """
-- try: # attempt python3 approach first
-- if isinstance(filename, bytes):
-- bi = filename
-- else:
-- bi = bytes(filename, 'utf-8')
-- return str(_file(self._magic_t, bi), 'utf-8')
-- except:
-- return _file(self._magic_t, filename.encode('utf-8'))
--
-- def descriptor(self, fd):
-- """
-- Like the file method, but the argument is a file descriptor.
-- """
-- return _descriptor(self._magic_t, fd)
-+"""
-
-- def buffer(self, buf):
-- """
-- Returns a textual description of the contents of the argument passed
-- as a buffer or None if an error occurred and the MAGIC_ERROR flag
-- is set. A call to errno() will return the numeric error code.
-- """
-- try: # attempt python3 approach first
-- return str(_buffer(self._magic_t, buf, len(buf)), 'utf-8')
-- except:
-- return _buffer(self._magic_t, buf, len(buf))
-+import sys
-+import glob
-+import os.path
-+import ctypes
-+import ctypes.util
-+import threading
-
-- def error(self):
-- """
-- Returns a textual explanation of the last error or None
-- if there was no error.
-- """
-- try: # attempt python3 approach first
-- return str(_error(self._magic_t), 'utf-8')
-- except:
-- return _error(self._magic_t)
-+from ctypes import c_char_p, c_int, c_size_t, c_void_p
-
-- def setflags(self, flags):
-- """
-- Set flags on the magic object which determine how magic checking
-- behaves; a bitwise OR of the flags described in libmagic(3), but
-- without the MAGIC_ prefix.
-
-- Returns -1 on systems that don't support utime(2) or utimes(2)
-- when PRESERVE_ATIME is set.
-- """
-- return _setflags(self._magic_t, flags)
-+class MagicException(Exception):
-+ def __init__(self, message):
-+ super(MagicException, self).__init__(message)
-+ self.message = message
-
-- def load(self, filename=None):
-- """
-- Must be called to load entries in the colon separated list of database
-- files passed as argument or the default database file if no argument
-- before any magic queries can be performed.
-
-- Returns 0 on success and -1 on failure.
-- """
-- return _load(self._magic_t, filename)
-+class Magic:
-+ """
-+ Magic is a wrapper around the libmagic C library.
-
-- def compile(self, dbs):
-- """
-- Compile entries in the colon separated list of database files
-- passed as argument or the default database file if no argument.
-- Returns 0 on success and -1 on failure.
-- The compiled files created are named from the basename(1) of each file
-- argument with ".mgc" appended to it.
-- """
-- return _compile(self._magic_t, dbs)
-+ """
-
-- def check(self, dbs):
-- """
-- Check the validity of entries in the colon separated list of
-- database files passed as argument or the default database file
-- if no argument.
-- Returns 0 on success and -1 on failure.
-+ def __init__(self, mime=False, magic_file=None, mime_encoding=False,
-+ keep_going=False, uncompress=False):
- """
-- return _check(self._magic_t, dbs)
-+ Create a new libmagic wrapper.
-
-- def list(self, dbs):
-+ mime - if True, mimetypes are returned instead of textual descriptions
-+ mime_encoding - if True, codec is returned
-+ magic_file - use a mime database other than the system default
-+ keep_going - don't stop at the first match, keep going
-+ uncompress - Try to look inside compressed files.
- """
-- Check the validity of entries in the colon separated list of
-- database files passed as argument or the default database file
-- if no argument.
-- Returns 0 on success and -1 on failure.
-- """
-- return _list(self._magic_t, dbs)
--
-- def errno(self):
-+ self.flags = MAGIC_NONE
-+ if mime:
-+ self.flags |= MAGIC_MIME
-+ elif mime_encoding:
-+ self.flags |= MAGIC_MIME_ENCODING
-+ if keep_going:
-+ self.flags |= MAGIC_CONTINUE
-+
-+ if uncompress:
-+ self.flags |= MAGIC_COMPRESS
-+
-+ self.cookie = magic_open(self.flags)
-+ self.lock = threading.Lock()
-+
-+ magic_load(self.cookie, magic_file)
-+
-+ def from_buffer(self, buf):
- """
-- Returns a numeric error code. If return value is 0, an internal
-- magic error occurred. If return value is non-zero, the value is
-- an OS error code. Use the errno module or os.strerror() can be used
-- to provide detailed error information.
-+ Identify the contents of `buf`
- """
-- return _errno(self._magic_t)
--
-+ with self.lock:
-+ try:
-+ return magic_buffer(self.cookie, buf)
-+ except MagicException as e:
-+ return self._handle509Bug(e)
-+
-+ def from_file(self, filename):
-+ # raise FileNotFoundException or IOError if the file does not exist
-+ with open(filename):
-+ pass
-+ with self.lock:
-+ try:
-+ return magic_file(self.cookie, filename)
-+ except MagicException as e:
-+ return self._handle509Bug(e)
-+
-+ def _handle509Bug(self, e):
-+ # libmagic 5.09 has a bug where it might fail to identify the
-+ # mimetype of a file and returns null from magic_file (and
-+ # likely _buffer), but also does not return an error message.
-+ if e.message is None and (self.flags & MAGIC_MIME):
-+ return "application/octet-stream"
-+
-+ def __del__(self):
-+ # no _thread_check here because there can be no other
-+ # references to this object at this point.
-+
-+ # during shutdown magic_close may have been cleared already so
-+ # make sure it exists before using it.
-+
-+ # the self.cookie check should be unnecessary and was an
-+ # incorrect fix for a threading problem, however I'm leaving
-+ # it in because it's harmless and I'm slightly afraid to
-+ # remove it.
-+ if self.cookie and magic_close:
-+ magic_close(self.cookie)
-+ self.cookie = None
-+
-+_instances = {}
-+
-+def _get_magic_type(mime):
-+ i = _instances.get(mime)
-+ if i is None:
-+ i = _instances[mime] = Magic(mime=mime)
-+ return i
-+
-+def from_file(filename, mime=False):
-+ """"
-+ Accepts a filename and returns the detected filetype. Return
-+ value is the mimetype if mime=True, otherwise a human readable
-+ name.
-+
-+ >>> magic.from_file("testdata/test.pdf", mime=True)
-+ 'application/pdf'
-+ """
-+ m = _get_magic_type(mime)
-+ return m.from_file(filename)
-
--def open(flags):
-+def from_buffer(buffer, mime=False):
- """
-- Returns a magic object on success and None on failure.
-- Flags argument as for setflags.
-+ Accepts a binary string and returns the detected filetype. Return
-+ value is the mimetype if mime=True, otherwise a human readable
-+ name.
-+
-+ >>> magic.from_buffer(open("testdata/test.pdf").read(1024))
-+ 'PDF document, version 1.2'
- """
-- return Magic(_open(flags))
-+ m = _get_magic_type(mime)
-+ return m.from_buffer(buffer)
-+
-+
-+
-+
-+libmagic = None
-+# Let's try to find magic or magic1
-+dll = ctypes.util.find_library('magic') or ctypes.util.find_library('magic1') or ctypes.util.find_library('cygmagic-1')
-+
-+# This is necessary because find_library returns None if it doesn't find the library
-+if dll:
-+ libmagic = ctypes.CDLL(dll)
-+
-+if not libmagic or not libmagic._name:
-+ windows_dlls = ['magic1.dll','cygmagic-1.dll']
-+ platform_to_lib = {'darwin': ['/opt/local/lib/libmagic.dylib',
-+ '/usr/local/lib/libmagic.dylib'] +
-+ # Assumes there will only be one version installed
-+ glob.glob('/usr/local/Cellar/libmagic/*/lib/libmagic.dylib'),
-+ 'win32': windows_dlls,
-+ 'cygwin': windows_dlls }
-+ for dll in platform_to_lib.get(sys.platform, []):
-+ try:
-+ libmagic = ctypes.CDLL(dll)
-+ break
-+ except OSError:
-+ pass
-+
-+if not libmagic or not libmagic._name:
-+ # It is better to raise an ImportError since we are importing magic module
-+ raise ImportError('failed to find libmagic. Check your installation')
-+
-+magic_t = ctypes.c_void_p
-+
-+def errorcheck_null(result, func, args):
-+ if result is None:
-+ err = magic_error(args[0])
-+ raise MagicException(err)
-+ else:
-+ return result
-+
-+def errorcheck_negative_one(result, func, args):
-+ if result is -1:
-+ err = magic_error(args[0])
-+ raise MagicException(err)
-+ else:
-+ return result
-+
-+
-+def coerce_filename(filename):
-+ if filename is None:
-+ return None
-+
-+ # ctypes will implicitly convert unicode strings to bytes with
-+ # .encode('ascii'). If you use the filesystem encoding
-+ # then you'll get inconsistent behavior (crashes) depending on the user's
-+ # LANG environment variable
-+ is_unicode = (sys.version_info[0] <= 2 and
-+ isinstance(filename, unicode)) or \
-+ (sys.version_info[0] >= 3 and
-+ isinstance(filename, str))
-+ if is_unicode:
-+ return filename.encode('utf-8')
-+ else:
-+ return filename
-+
-+magic_open = libmagic.magic_open
-+magic_open.restype = magic_t
-+magic_open.argtypes = [c_int]
-+
-+magic_close = libmagic.magic_close
-+magic_close.restype = None
-+magic_close.argtypes = [magic_t]
-+
-+magic_error = libmagic.magic_error
-+magic_error.restype = c_char_p
-+magic_error.argtypes = [magic_t]
-+
-+magic_errno = libmagic.magic_errno
-+magic_errno.restype = c_int
-+magic_errno.argtypes = [magic_t]
-+
-+_magic_file = libmagic.magic_file
-+_magic_file.restype = c_char_p
-+_magic_file.argtypes = [magic_t, c_char_p]
-+_magic_file.errcheck = errorcheck_null
-+
-+def magic_file(cookie, filename):
-+ return _magic_file(cookie, coerce_filename(filename))
-+
-+_magic_buffer = libmagic.magic_buffer
-+_magic_buffer.restype = c_char_p
-+_magic_buffer.argtypes = [magic_t, c_void_p, c_size_t]
-+_magic_buffer.errcheck = errorcheck_null
-+
-+def magic_buffer(cookie, buf):
-+ return _magic_buffer(cookie, buf, len(buf))
-+
-+
-+_magic_load = libmagic.magic_load
-+_magic_load.restype = c_int
-+_magic_load.argtypes = [magic_t, c_char_p]
-+_magic_load.errcheck = errorcheck_negative_one
-+
-+def magic_load(cookie, filename):
-+ return _magic_load(cookie, coerce_filename(filename))
-+
-+magic_setflags = libmagic.magic_setflags
-+magic_setflags.restype = c_int
-+magic_setflags.argtypes = [magic_t, c_int]
-+
-+magic_check = libmagic.magic_check
-+magic_check.restype = c_int
-+magic_check.argtypes = [magic_t, c_char_p]
-+
-+magic_compile = libmagic.magic_compile
-+magic_compile.restype = c_int
-+magic_compile.argtypes = [magic_t, c_char_p]
-+
-+
-+
-+MAGIC_NONE = 0x000000 # No flags
-+MAGIC_DEBUG = 0x000001 # Turn on debugging
-+MAGIC_SYMLINK = 0x000002 # Follow symlinks
-+MAGIC_COMPRESS = 0x000004 # Check inside compressed files
-+MAGIC_DEVICES = 0x000008 # Look at the contents of devices
-+MAGIC_MIME = 0x000010 # Return a mime string
-+MAGIC_MIME_ENCODING = 0x000400 # Return the MIME encoding
-+MAGIC_CONTINUE = 0x000020 # Return all matches
-+MAGIC_CHECK = 0x000040 # Print warnings to stderr
-+MAGIC_PRESERVE_ATIME = 0x000080 # Restore access time on exit
-+MAGIC_RAW = 0x000100 # Don't translate unprintable chars
-+MAGIC_ERROR = 0x000200 # Handle ENOENT etc as real errors
-+
-+MAGIC_NO_CHECK_COMPRESS = 0x001000 # Don't check for compressed files
-+MAGIC_NO_CHECK_TAR = 0x002000 # Don't check for tar files
-+MAGIC_NO_CHECK_SOFT = 0x004000 # Don't check magic entries
-+MAGIC_NO_CHECK_APPTYPE = 0x008000 # Don't check application type
-+MAGIC_NO_CHECK_ELF = 0x010000 # Don't check for elf details
-+MAGIC_NO_CHECK_ASCII = 0x020000 # Don't check for ascii files
-+MAGIC_NO_CHECK_TROFF = 0x040000 # Don't check ascii/troff
-+MAGIC_NO_CHECK_FORTRAN = 0x080000 # Don't check ascii/fortran
-+MAGIC_NO_CHECK_TOKENS = 0x100000 # Don't check ascii/tokens
---
-1.8.4.2
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-magic_5.25.bb b/external/meta-spdxscanner/recipes-devtools/python/python3-magic_5.25.bb
deleted file mode 100644
index edc815c5..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-magic_5.25.bb
+++ /dev/null
@@ -1,27 +0,0 @@
-SUMMARY = "File classification tool: python-magic"
-DESCRIPTION = "File attempts to classify files depending \
-on their contents and prints a description if a match is found."
-HOMEPAGE = "http://www.darwinsys.com/file/"
-SECTION = "console/utils"
-
-# two clause BSD
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://setup.py;md5=1cf0577ca152455b257b815fcc8517de"
-
-SRC_URI = "ftp://ftp.astron.com/pub/file/file-${PV}.tar.gz \
- file://0001-Modified-the-magic.py-for-dosocs2-to-fix-the-error-a.patch \
- "
-
-SRC_URI[md5sum] = "e6a972d4e10d9e76407a432f4a63cd4c"
-SRC_URI[sha256sum] = "3735381563f69fb4239470b8c51b876a80425348b8285a7cded8b61d6b890eca"
-
-S="${WORKDIR}/file-${PV}/python"
-
-inherit setuptools3 python3-dir
-
-BBCLASSEXTEND = "native"
-
-do_install_append(){
- install -d ${D}${datadir}/misc/
- install -m 644 ${WORKDIR}/file-${PV}/magic/Magdir/magic ${D}${datadir}/misc/magic
-}
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-markupsafe_%.bbappend b/external/meta-spdxscanner/recipes-devtools/python/python3-markupsafe_%.bbappend
deleted file mode 100644
index d3267ac4..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-markupsafe_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-BBCLASSEXTEND = "native"
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-nltk_3.0.3.bb b/external/meta-spdxscanner/recipes-devtools/python/python3-nltk_3.0.3.bb
deleted file mode 100644
index 0c9e5d2c..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-nltk_3.0.3.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "Natural Language Toolkit"
-DESCRIPTION = "NLTK is a leading platform for building Python programs \
-to work with human language data."
-HOMEPAGE = "http://www.nltk.org/"
-SECTION = "libs"
-
-LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=dda944de6d6a9ad8f6bb436dffdade1b"
-
-SRC_URI = "https://pypi.python.org/packages/source/n/nltk/nltk-${PV}.tar.gz \
- "
-
-SRC_URI[md5sum] = "7bda53f59051337554d243bef904a5e9"
-SRC_URI[sha256sum] = "28d6175984445b9cdcc719f36701f034320edbecb78b69a37d1edc876843ea93"
-
-inherit distutils pythonnative setuptools python-dir
-
-S="${WORKDIR}/nltk-3.0.3"
-
-BBCLASSEXTEND = "native"
-
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-psycopg2-native_2.6.1.bb b/external/meta-spdxscanner/recipes-devtools/python/python3-psycopg2-native_2.6.1.bb
deleted file mode 100644
index 9f7f7b04..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-psycopg2-native_2.6.1.bb
+++ /dev/null
@@ -1,23 +0,0 @@
-DESCRIPTION = "Python-PostgreSQL Database Adapter"
-HOMEPAGE = "http://initd.org/psycopg/"
-SECTION = "devel/python"
-LICENSE = "GPLv3+"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=2c9872d13fa571e7ba6de95055da1fe2"
-
-PR = "r0"
-SRCNAME = "psycopg2"
-
-DEPENDS += "postgresql-native"
-
-inherit native python3native
-
-SRC_URI = "https://pypi.python.org/packages/source/p/${SRCNAME}/${SRCNAME}-${PV}.tar.gz \
- "
-
-SRC_URI[md5sum] = "842b44f8c95517ed5b792081a2370da1"
-SRC_URI[sha256sum] = "6acf9abbbe757ef75dc2ecd9d91ba749547941abaffbe69ff2086a9e37d4904c"
-
-S = "${WORKDIR}/${SRCNAME}-${PV}"
-
-inherit distutils3
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-six_1.10.0.bb b/external/meta-spdxscanner/recipes-devtools/python/python3-six_1.10.0.bb
deleted file mode 100644
index 5fd29182..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-six_1.10.0.bb
+++ /dev/null
@@ -1,13 +0,0 @@
-SUMMARY = "python3 compatibility library"
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=6f00d4a50713fa859858dd9abaa35b21"
-
-SRC_URI[md5sum] = "34eed507548117b2ab523ab14b2f8b55"
-SRC_URI[sha256sum] = "105f8d68616f8248e24bf0e9372ef04d3cc10104f1980f54d57b2ce73a5ad56a"
-
-RDEPENDS_${PN} += "${PYTHON_PN}-io"
-
-inherit pypi setuptools3 distutils3 python3native python3-dir
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-sphinx-native_1.6.6.bb b/external/meta-spdxscanner/recipes-devtools/python/python3-sphinx-native_1.6.6.bb
deleted file mode 100644
index 1fd2507b..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-sphinx-native_1.6.6.bb
+++ /dev/null
@@ -1,18 +0,0 @@
-DESCRIPTION = "Python documentation generator"
-HOMEPAGE = "http://sphinx-doc.org/"
-SECTION = "devel/python"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=d5575c977f2e4659ece47f731f2b8319"
-
-PR = "r0"
-SRCNAME = "sphinx"
-
-SRC_URI = "https://github.com/sphinx-doc/sphinx/archive/${PV}.tar.gz"
-
-SRC_URI[md5sum] = "567457f488771643ea4d8adffacc6b2a"
-SRC_URI[sha256sum] = "1ce2041ef4538eba0dc8394a5add4a97fbfa54f026322ae4a7e6fb2c2ea51ae7"
-
-S = "${WORKDIR}/${SRCNAME}-${PV}"
-
-inherit setuptools3 native python3native
-
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-sqlalchemy_%.bbappend b/external/meta-spdxscanner/recipes-devtools/python/python3-sqlalchemy_%.bbappend
deleted file mode 100644
index c5e10df5..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-sqlalchemy_%.bbappend
+++ /dev/null
@@ -1,3 +0,0 @@
-BBCLASSEXTEND = "native"
-
-RDEPENDS_${PN}_remove = "python3-numbers python3-misc"
diff --git a/external/meta-spdxscanner/recipes-devtools/python/python3-whatthepatch_0.0.5.bb b/external/meta-spdxscanner/recipes-devtools/python/python3-whatthepatch_0.0.5.bb
deleted file mode 100644
index c0b76821..00000000
--- a/external/meta-spdxscanner/recipes-devtools/python/python3-whatthepatch_0.0.5.bb
+++ /dev/null
@@ -1,22 +0,0 @@
-SUMMARY = "A patch parsing library"
-DESCRIPTION = "What The Patch!? is a library for parsing patch files. \
-Its only purpose is to read a patch file and get it into some usable form by other programs."
-HOMEPAGE = "https://pypi.python.org/pypi/whatthepatch"
-SECTION = "libs"
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://setup.py;md5=a6377e466f612f442bbc6bb2e91eee5d"
-
-SRC_URI = "https://pypi.python.org/packages/64/1e/7a63cba8a0d70245b9ab1c03694dabe36476fa65ee546e6dff6c8660434c/whatthepatch-0.0.5.tar.gz \
- "
-
-SRC_URI[md5sum] = "80d7c24de99ca9501f07b42e88d6f7c1"
-SRC_URI[sha256sum] = "494a2ec6c05b80f9ed1bd773f5ac9411298e1af6f0385f179840b5d60d001aa6"
-
-S="${WORKDIR}/whatthepatch-0.0.5"
-
-inherit distutils3 python3native setuptools3 python3-dir
-
-BBCLASSEXTEND = "native"
-
-
diff --git a/external/meta-spdxscanner/recipes-devtools/scancode-toolkit/scancode-toolkit-native_3.1.1.bb b/external/meta-spdxscanner/recipes-devtools/scancode-toolkit/scancode-toolkit-native_3.1.1.bb
new file mode 100644
index 00000000..8f6f4667
--- /dev/null
+++ b/external/meta-spdxscanner/recipes-devtools/scancode-toolkit/scancode-toolkit-native_3.1.1.bb
@@ -0,0 +1,40 @@
+SUMMARY = "ScanCode toolkit"
+DESCRIPTION = "A typical software project often reuses hundreds of third-party \
+packages. License and origin information is not always easy to find and not \
+normalized: ScanCode discovers and normalizes this data for you."
+HOMEPAGE = "https://github.com/nexB/scancode-toolkit"
+SECTION = "devel"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://NOTICE;md5=8aedb84647f637c585e71f8f2e96e5c8"
+
+EXTRANATIVEPATH_remove = "python-native"
+
+inherit setuptools pypi distutils native
+
+DEPENDS = "python-setuptools-native xz-native zlib-native libxml2-native \
+ libxslt-native bzip2-native \
+ "
+
+SRC_URI = "git://github.com/nexB/scancode-toolkit;branch=master \
+ "
+
+SRCREV = "1af5ac8449cbb1ce98a0b461a6d9a5ad42a5d248"
+
+
+S = "${WORKDIR}/git"
+
+do_configure(){
+ ./scancode --help
+}
+
+do_install_append(){
+ install -d ${D}${bindir}/bin
+ install -d ${D}${bindir}/include
+ install -d ${D}${bindir}/local
+
+ install ${S}/scancode ${D}${bindir}/
+ install ${S}/bin/* ${D}${bindir}/bin/
+ mv ${S}/include/* ${D}${bindir}/include/
+}
+
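Review bot: The `mv ${S}/include/* ${D}${bindir}/include/` line in `do_install_append` moves files out of the unpacked source tree, so a second run of do_install without a fresh unpack finds `${S}/include` empty and the `mv` fails. Copying instead, `cp -r ${S}/include/* ${D}${bindir}/include/`, keeps the task repeatable. `do_configure` runs `./scancode --help`, which executes the upstream launcher during the build. If that launcher bootstraps its own environment (not visible here), whatever it installs falls outside the SRCREV pin, so it is worth confirming the step works with networking disabled. The fetch uses plain `git://`; the pinned SRCREV limits what can be substituted, but adding `;protocol=https` to SRC_URI avoids the unauthenticated transport.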
diff --git a/external/meta-spdxscanner/recipes-extended/glib-2.0/glib-2.0_%.bbappend b/external/meta-spdxscanner/recipes-extended/glib-2.0/glib-2.0_%.bbappend
deleted file mode 100644
index fdc10279..00000000
--- a/external/meta-spdxscanner/recipes-extended/glib-2.0/glib-2.0_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-STATIC_LINK = "${@bb.utils.contains('PACKAGECONFIG', 'system-pcre', 'system-pcre', '', d)}"
diff --git a/external/meta-spdxscanner/recipes-extended/perl/perl_%.bbappend b/external/meta-spdxscanner/recipes-extended/perl/perl_%.bbappend
deleted file mode 100644
index 0042c866..00000000
--- a/external/meta-spdxscanner/recipes-extended/perl/perl_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-CONTAINED=" File-Path-2.12 "
diff --git a/external/meta-spdxscanner/recipes-support/postgresql/files/0001-Use-pkg-config-for-libxml2-detection.patch b/external/meta-spdxscanner/recipes-support/postgresql/files/0001-Use-pkg-config-for-libxml2-detection.patch
deleted file mode 100644
index d08ec6af..00000000
--- a/external/meta-spdxscanner/recipes-support/postgresql/files/0001-Use-pkg-config-for-libxml2-detection.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From d52e330be895bb8c5f0fb3e2884766acbd942a85 Mon Sep 17 00:00:00 2001
-From: Philip Balister <philip@balister.org>
-Date: Tue, 1 Jul 2014 09:40:44 -0400
-Subject: [PATCH] Use pkg-config for libxml2 detection.
-
-Upstream-Status: Inappropriate [configuration]
-
-xml2-config does not work. Use pkgconfig to set CPPFLAGS and LIBS.
-
-Signed-off-by: Philip Balister <philip@balister.org>
----
- configure.in | 15 ++-------------
- 1 file changed, 2 insertions(+), 13 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index f8bf466..1f4fabf 100644
---- a/configure.in
-+++ b/configure.in
-@@ -734,19 +734,8 @@ PGAC_ARG_BOOL(with, libxml, no, [build with XML support],
- [AC_DEFINE([USE_LIBXML], 1, [Define to 1 to build with XML support. (--with-libxml)])])
-
- if test "$with_libxml" = yes ; then
-- AC_CHECK_PROGS(XML2_CONFIG, xml2-config)
-- if test -n "$XML2_CONFIG"; then
-- for pgac_option in `$XML2_CONFIG --cflags`; do
-- case $pgac_option in
-- -I*|-D*) CPPFLAGS="$CPPFLAGS $pgac_option";;
-- esac
-- done
-- for pgac_option in `$XML2_CONFIG --libs`; do
-- case $pgac_option in
-- -L*) LDFLAGS="$LDFLAGS $pgac_option";;
-- esac
-- done
-- fi
-+ CPPFLAGS="$CPPFLAGS `pkg-config --short-errors --print-errors --cflags "libxml-2.0" 2>&1`"
-+ LIBS="`pkg-config --short-errors --print-errors --libs "libxml-2.0" 2>&1` $LIBS"
- fi
-
- AC_SUBST(with_libxml)
---
-1.8.3.1
-
diff --git a/external/meta-spdxscanner/recipes-support/postgresql/postgresql-native_9.4.11.bb b/external/meta-spdxscanner/recipes-support/postgresql/postgresql-native_9.4.11.bb
deleted file mode 100644
index 0bd69908..00000000
--- a/external/meta-spdxscanner/recipes-support/postgresql/postgresql-native_9.4.11.bb
+++ /dev/null
@@ -1,91 +0,0 @@
-SUMMARY = "PostgreSQL is a powerful, open source relational database system."
-DESCRIPTION = "\
- PostgreSQL is an advanced Object-Relational database management system \
- (DBMS) that supports almost all SQL constructs (including \
- transactions, subselects and user-defined types and functions). The \
- postgresql package includes the client programs and libraries that \
- you'll need to access a PostgreSQL DBMS server. These PostgreSQL \
- client programs are programs that directly manipulate the internal \
- structure of PostgreSQL databases on a PostgreSQL server. These client \
- programs can be located on the same machine with the PostgreSQL \
- server, or may be on a remote machine which accesses a PostgreSQL \
- server over a network connection. This package contains the docs \
- in HTML for the whole package, as well as command-line utilities for \
- managing PostgreSQL databases on a PostgreSQL server. \
- \
- If you want to manipulate a PostgreSQL database on a local or remote \
- PostgreSQL server, you need this package. You also need to install \
- this package if you're installing the postgresql-server package. \
-"
-HOMEPAGE = "http://www.postgresql.com"
-LICENSE = "BSD"
-DEPENDS = "tcl-native libxml2-native libxslt-native perl-native"
-
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=81b69ddb31a8be66baafd14a90146ee2"
-
-SRC_URI[md5sum] = "2fee03f2034034dbfcb3321a0bb0f829"
-SRC_URI[sha256sum] = "e3eb51d045c180b03d2de1f0c3af9356e10be49448e966ca01dfc2c6d1cc9d23"
-
-SRC_URI = "http://ftp.postgresql.org/pub/source/v${PV}/${BP}.tar.bz2 \
- file://0001-Use-pkg-config-for-libxml2-detection.patch \
-"
-
-LEAD_SONAME = "libpq.so"
-
-# LDFLAGS for shared libraries
-export LDFLAGS_SL = "${LDFLAGS}"
-
-inherit autotools-brokensep pkgconfig perlnative native python3-dir
-
-CFLAGS += "-I${STAGING_INCDIR}/${PYTHON_DIR} -I${STAGING_INCDIR}/tcl8.6"
-
-EXTRA_OECONF = " --with-tclconfig=${STAGING_LIBDIR_NATIVE} \
- --with-includes=${STAGING_INCDIR_NATIVE}/tcl${TCL_VER} \
-"
-
-EXTRA_OECONF_append = " \
- --with-tcl --with-openssl --with-perl \
- --with-libxml --with-libxslt \
- ${COMMON_CONFIGURE_FLAGS} \
-"
-
-do_configure_append() {
- test -d build_py3 || mkdir build_py3
- cd build_py3
- ../configure --host=${HOST_SYS} \
- --build=${BUILD_SYS} \
- --target=${TARGET_SYS} \
- ${COMMON_CONFIGURE_FLAGS}
- cd ${S}
-}
-
-do_compile_append() {
- oe_runmake -C contrib all
- cd build_py3
- #cp ${S}/src/pl/plpython/*.o ${S}/build_py3/src/pl/plpython
- oe_runmake -C src/backend/ submake-errcodes
- oe_runmake -C src/pl/plpython
-}
-
-# server needs to configure user and group
-usernum = "28"
-groupnum = "28"
-USERADD_PACKAGES = "${PN}"
-USERADD_PARAM_${PN} = "-M -g postgres -o -r -d ${localstatedir}/lib/${BPN} \
- -s /bin/bash -c 'PostgreSQL Server' -u ${usernum} postgres"
-GROUPADD_PARAM_${PN} = "-g ${groupnum} -o -r postgres"
-
-do_install_append() {
- # Follow Deian, some files belong to /usr/bin
- install -d ${D}${bindir}
- oe_runmake -C ${S}/contrib install DESTDIR=${D}
- install -m 0644 ${S}/src/pl/plpython/plpython3u* \
- ${D}${datadir}/${MAJOR_VER}/extension/
- #install -m 0755 ${S}/build_py3/src/pl/plpython/plpython3.so ${D}${libdir}/${MAJOR_VER}/lib
-
- # Remove the the absolute path to sysroot
- sed -i -e "s|${STAGING_LIBDIR}|${libdir}|" \
- ${D}${libdir}/pkgconfig/*.pc
-}
-
-SSTATE_SCAN_FILES += "Makefile.global"
diff --git a/external/meta-updater-qemux86-64/.gitlab-ci.yml b/external/meta-updater-qemux86-64/.gitlab-ci.yml
new file mode 100644
index 00000000..7aa2d2b1
--- /dev/null
+++ b/external/meta-updater-qemux86-64/.gitlab-ci.yml
@@ -0,0 +1,68 @@
+stages:
+ - docker
+ - checkout
+ - test
+ - trigger
+
+variables:
+ BITBAKE_IMAGE: ${METAUPDATER_REGISTRY_IMAGE}:ci-master-bitbake
+ BITBAKE_CHECKOUT_IMAGE: ${METAUPDATER_REGISTRY_IMAGE}:ci-master-checkout
+
+include:
+ - project: 'olp/edge/ota/connect/client/meta-updater'
+ ref: 'master'
+ file: 'scripts/ci/gitlab/docker.yml'
+ - project: 'olp/edge/ota/connect/client/meta-updater'
+ ref: 'master'
+ file: 'scripts/ci/gitlab/checkout.yml'
+ - project: 'olp/edge/ota/connect/client/meta-updater'
+ ref: 'master'
+ file: 'scripts/ci/gitlab/tests.yml'
+
+Docker setup:
+ extends: .bb_docker_remote
+
+ stage: docker
+ except:
+ - pushes
+
+Checkout:
+ extends: .bb_checkout
+
+ stage: checkout
+ variables:
+ MANIFEST: thud
+ CURRENT_PROJECT: meta-updater-qemux86-64
+ except:
+ - pushes
+
+Build core-image-minimal (qemu):
+ extends: .bitbake
+
+ stage: test
+ variables:
+ TEST_BUILD_DIR: 'build-core-image-minimal-qemux86_64'
+ BITBAKE_TARGETS: 'core-image-minimal'
+ except:
+ - pushes
+
+Oe-selftest qemux86_64:
+ extends: .oe-selftest
+
+ stage: test
+ variables:
+ TEST_BUILD_DIR: 'build-oe-qemux86_64'
+ OE_SELFTESTS: 'updater_native updater_qemux86_64'
+ except:
+ - pushes
+
+# -- otf
+
+trigger-otf-on-pr:
+ stage: trigger
+ when: always
+ except:
+ - pushes
+ script:
+ - apk add --no-cache curl
+ - curl -X POST -F "token=$CI_JOB_TOKEN" -F "ref=master" -F "variables[BITBAKE_JOB_ONLY]=true" -F "variables[BITBAKE_ENV]=thud" -F "variables[PROJECT_NAME]=meta-updater-qemux86-64" -F "variables[PROJECT_SHA]=$CI_COMMIT_SHA" https://main.gitlab.in.here.com/api/v4/projects/163/trigger/pipeline
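Review bot: The three `include:` entries take their job templates from `ref: 'master'` of another project, so the jobs that run in this pipeline can change without any commit in this repository. Pinning `ref` to a tag or commit SHA would make such changes reviewable. The same includes are added in external/meta-updater-raspberrypi/.gitlab-ci.yml. In `trigger-otf-on-pr`, `curl` is called without `--fail`, so an HTTP error from the trigger API still leaves the job green; `curl --fail -X POST …` would surface it. The same trigger line is added to external/meta-updater/.gitlab-ci.yml.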
diff --git a/external/meta-updater-qemux86-64/README.md b/external/meta-updater-qemux86-64/README.md
index 95ffe0ca..4aa25d05 100644
--- a/external/meta-updater-qemux86-64/README.md
+++ b/external/meta-updater-qemux86-64/README.md
@@ -1,3 +1,6 @@
-# BSP layer for testing OSTree with QEMU on x86_64 host
+# BSP layer for updating QEMU x86-64 guests with OSTree
OSTree bootloader integration for qemu-x86-64. Add it to BBLAYERS when using [meta-updater](https://github.com/advancedtelematic/meta-updater) with [QEMU](https://www.qemu.org).
+
+For more documentation on using this layer and [HERE OTA Connect](https://connect.ota.here.com/), please see the [OTA Connect documentation portal](https://docs.ota.here.com/), in particular the guide on [building a QEMU image](https://docs.ota.here.com/ota-client/latest/build-qemu.html).
+
diff --git a/external/meta-updater-qemux86-64/conf/layer.conf b/external/meta-updater-qemux86-64/conf/layer.conf
index 8920f552..91249fa3 100644
--- a/external/meta-updater-qemux86-64/conf/layer.conf
+++ b/external/meta-updater-qemux86-64/conf/layer.conf
@@ -8,4 +8,6 @@ BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
BBFILE_COLLECTIONS += "updater-qemux86-64"
BBFILE_PATTERN_updater-qemux86-64 = "^${LAYERDIR}/"
BBFILE_PRIORITY_updater-qemux86-64 = "7"
+
+LAYERDEPENDS_updater-qemux86-64 = "sota"
LAYERSERIES_COMPAT_updater-qemux86-64 = "thud"
diff --git a/external/meta-updater-qemux86-64/recipes-bsp/u-boot/u-boot_%.bbappend b/external/meta-updater-qemux86-64/recipes-bsp/u-boot/u-boot_%.bbappend
index 677f8683..74fa95a9 100644
--- a/external/meta-updater-qemux86-64/recipes-bsp/u-boot/u-boot_%.bbappend
+++ b/external/meta-updater-qemux86-64/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -9,7 +9,7 @@ SRC_URI +=" \
# fix after default security flags in poky
TOOLCHAIN_OPTIONS_append = "${SECURITY_NOPIE_CFLAGS}"
-do_compile_prepend() {
+do_compile_prepend_qemux86-64 () {
export BUILD_ROM=y
}
-UBOOT_SUFFIX = "rom"
+UBOOT_SUFFIX_qemux86-64 = "rom"
diff --git a/external/meta-updater-raspberrypi/.gitlab-ci.yml b/external/meta-updater-raspberrypi/.gitlab-ci.yml
new file mode 100644
index 00000000..eb097fb6
--- /dev/null
+++ b/external/meta-updater-raspberrypi/.gitlab-ci.yml
@@ -0,0 +1,58 @@
+stages:
+ - docker
+ - checkout
+ - test
+
+variables:
+ # bitbake variables
+ BITBAKE_IMAGE: ${METAUPDATER_REGISTRY_IMAGE}:ci-master-bitbake
+ BITBAKE_CHECKOUT_IMAGE: ${METAUPDATER_REGISTRY_IMAGE}:ci-master-checkout
+
+include:
+ - project: 'olp/edge/ota/connect/client/meta-updater'
+ ref: 'master'
+ file: 'scripts/ci/gitlab/docker.yml'
+ - project: 'olp/edge/ota/connect/client/meta-updater'
+ ref: 'master'
+ file: 'scripts/ci/gitlab/checkout.yml'
+ - project: 'olp/edge/ota/connect/client/meta-updater'
+ ref: 'master'
+ file: 'scripts/ci/gitlab/tests.yml'
+
+Docker setup:
+ extends: .bb_docker_remote
+
+ stage: docker
+ except:
+ - pushes
+
+Checkout:
+ extends: .bb_checkout
+
+ stage: checkout
+ variables:
+ MANIFEST: thud
+ CURRENT_PROJECT: meta-updater-raspberrypi
+ except:
+ - pushes
+
+Build core-image-minimal (rpi):
+ extends: .bitbake
+
+ stage: test
+ variables:
+ TEST_BUILD_DIR: 'build-core-image-minimal-rpi'
+ BITBAKE_TARGETS: 'core-image-minimal'
+ TEST_MACHINE: 'raspberrypi3'
+ except:
+ - pushes
+
+Oe-selftest rpi:
+ extends: .oe-selftest
+
+ stage: test
+ variables:
+ TEST_BUILD_DIR: 'build-oe-rpi'
+ OE_SELFTESTS: 'updater_raspberrypi'
+ except:
+ - pushes
diff --git a/external/meta-updater-raspberrypi/README.md b/external/meta-updater-raspberrypi/README.md
index 3623a212..29ea2989 100644
--- a/external/meta-updater-raspberrypi/README.md
+++ b/external/meta-updater-raspberrypi/README.md
@@ -1,7 +1,25 @@
-# BSP layer for updating Raspberrypi with OSTree
+# BSP layer for updating Raspberry Pi with OSTree
-* OSTree bootloader integration for Raspberry Pi. Add it to BBLAYERS when using [meta-updater](https://github.com/advancedtelematic/meta-updater) with [Raspberry Pi](https://github.com/agherzan/meta-raspberrypi).
-* Wi-Fi enablement for Raspberry Pi
+OSTree bootloader integration for Raspberry Pi. Add it to BBLAYERS when using [meta-updater](https://github.com/advancedtelematic/meta-updater) with [Raspberry Pi](https://github.com/agherzan/meta-raspberrypi).
+
+For more documentation on using this layer and [HERE OTA Connect](https://connect.ota.here.com/), please see the [OTA Connect documentation portal](https://docs.ota.here.com/), in particular the guide on [building a Raspberry Pi image](https://docs.ota.here.com/ota-client/latest/build-raspberry.html).
+
+## Device tree configuration
+
+The Raspberry Pi firmware allows customization of the device tree with special entries in `/boot/config.txt`:
+<https://www.raspberrypi.org/documentation/configuration/device-tree.md>.
+
+This is not supported in this form when using meta-updater, as the device tree and eventual overlays are managed separately via u-boot and ostree.
+
+Thus, you will have to make the necessary changes directly in yocto and either:
+
+- patch the kernel sources to modify source dts
+- patch the kernel sources to add overlay sources and add the corresponding binaries in `KERNEL_DEVICETREE`
+- use a customized complete dtb and declare it with `EXTERNAL_KERNEL_DEVICETREE`
+
+You can see examples of the first two approaches in [the linux-raspberrypi bbappend](recipes-kernel/linux/linux-raspberrypi_%.bbappend).
+
+## Wi-Fi enablement for Raspberry Pi
| Name | Default | Description |
|---|---|---|
diff --git a/external/meta-updater-raspberrypi/conf/layer.conf b/external/meta-updater-raspberrypi/conf/layer.conf
index 6ae8c76e..6d3859bb 100644
--- a/external/meta-updater-raspberrypi/conf/layer.conf
+++ b/external/meta-updater-raspberrypi/conf/layer.conf
@@ -9,6 +9,9 @@ BBFILE_COLLECTIONS += "updater-raspberrypi"
BBFILE_PATTERN_updater-raspberrypi = "^${LAYERDIR}/"
BBFILE_PRIORITY_updater-raspberrypi = "7"
+LAYERDEPENDS_updater-raspberrypi = "sota"
+LAYERDEPENDS_updater-raspberrypi += "meta-python"
+LAYERDEPENDS_updater-raspberrypi += "raspberrypi"
LAYERSERIES_COMPAT_updater-raspberrypi = "thud"
RPI_WIFI_ENABLE ?= "0"
diff --git a/external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0001-Add-rpi4-uart0-dtb-overlay.patch b/external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0001-Add-rpi4-uart0-dtb-overlay.patch
new file mode 100644
index 00000000..32731940
--- /dev/null
+++ b/external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi/0001-Add-rpi4-uart0-dtb-overlay.patch
@@ -0,0 +1,59 @@
+From cea75af3d1cc86ea8dec19cfe3c817b7c7869037 Mon Sep 17 00:00:00 2001
+From: lbonn <bonnans.l@gmail.com>
+Date: Fri, 13 Sep 2019 12:46:31 +0200
+Subject: [PATCH] Add rpi4 uart0 dtb overlay
+
+---
+ arch/arm/boot/dts/overlays/Makefile | 2 ++
+ .../boot/dts/overlays/uart0-rpi4-overlay.dts | 26 +++++++++++++++++++
+ 2 files changed, 28 insertions(+)
+ create mode 100644 arch/arm/boot/dts/overlays/uart0-rpi4-overlay.dts
+
+diff --git a/arch/arm/boot/dts/overlays/Makefile b/arch/arm/boot/dts/overlays/Makefile
+index 6b4af500f51c..634a2f252b17 100644
+--- a/arch/arm/boot/dts/overlays/Makefile
++++ b/arch/arm/boot/dts/overlays/Makefile
+@@ -185,6 +185,8 @@ dtbo-$(CONFIG_ARCH_BCM2835) += \
+ w1-gpio-pullup.dtbo \
+ wittypi.dtbo
+
++dtbo-$(CONFIG_ARCH_BCM2835) += uart0-rpi4.dtbo
++
+ targets += dtbs dtbs_install
+ targets += $(dtbo-y)
+
+diff --git a/arch/arm/boot/dts/overlays/uart0-rpi4-overlay.dts b/arch/arm/boot/dts/overlays/uart0-rpi4-overlay.dts
+new file mode 100644
+index 000000000000..048ec5755f6a
+--- /dev/null
++++ b/arch/arm/boot/dts/overlays/uart0-rpi4-overlay.dts
+@@ -0,0 +1,26 @@
++/dts-v1/;
++/plugin/;
++
++/{
++ compatible = "brcm,bcm2835";
++
++ fragment@0 {
++ target = <&uart0>;
++ __overlay__ {
++ pinctrl-names = "default";
++ pinctrl-0 = <&uart0_pins>;
++ status = "okay";
++ };
++ };
++
++ fragment@1 {
++ target = <&gpio>;
++ __overlay__ {
++ uart0_pins: uart0_pins {
++ brcm,pins = <30 31 32 33>;
++ brcm,function = <7>;
++ brcm,pull = <2 0 0 2>;
++ };
++ };
++ };
++};
+--
+2.20.1
+
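Review bot: The header of this kernel patch has no `Upstream-Status:` tag and no `Signed-off-by:` line, which OpenEmbedded patch conventions expect so that a later maintainer can tell whether the change was offered to the kernel tree. Adding an `Upstream-Status:` line (the value is the author's call) and a sign-off below the subject would cover it. audio.patch, added in the same commit, has no header at all and would benefit from a one-line description of why the audio node is switched to `status = "okay"`.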
diff --git a/external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi/audio.patch b/external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi/audio.patch
new file mode 100644
index 00000000..cfa1b65a
--- /dev/null
+++ b/external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi/audio.patch
@@ -0,0 +1,13 @@
+diff --git a/arch/arm/boot/dts/bcm2708-rpi.dtsi b/arch/arm/boot/dts/bcm2708-rpi.dtsi
+index 6a82591c51d1..783b7306b861 100644
+--- a/arch/arm/boot/dts/bcm2708-rpi.dtsi
++++ b/arch/arm/boot/dts/bcm2708-rpi.dtsi
+@@ -65,7 +65,7 @@
+ audio: audio {
+ compatible = "brcm,bcm2835-audio";
+ brcm,pwm-channels = <8>;
+- status = "disabled";
++ status = "okay";
+ };
+
+ /* External sound card */
diff --git a/external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend b/external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend
index e2e7e60b..1587fbe5 100644
--- a/external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend
+++ b/external/meta-updater-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend
@@ -1,5 +1,16 @@
FILESEXTRAPATHS_prepend := "${THISDIR}/${BPN}:"
+# dtoverlays and dtparam definitions in rpi's config.txt are ignored when using
+# ostree integration. You will have to patch existing dts or add overlays in
+# your layer to achieve the same results.
+# As a common example, here is a patch to enable audio support.
+#
+# see README.md and https://github.com/advancedtelematic/meta-updater-raspberrypi/issues/23 for
+# more details
+SRC_URI_append = " ${@oe.utils.conditional('ENABLE_AUDIO', '1', 'file://audio.patch', '', d)}"
+
+SRC_URI_append_raspberrypi4 = " file://0001-Add-rpi4-uart0-dtb-overlay.patch"
+
do_configure_append_sota() {
# ramblk for inird
kernel_configure_variable BLK_DEV_RAM y
diff --git a/external/meta-updater-raspberrypi/scripts/flash-image.sh b/external/meta-updater-raspberrypi/scripts/flash-image.sh
index ef59eb37..aa4187b3 100755
--- a/external/meta-updater-raspberrypi/scripts/flash-image.sh
+++ b/external/meta-updater-raspberrypi/scripts/flash-image.sh
@@ -51,15 +51,12 @@ if [ -z "$1" ]; then
echo " Usage: ./flash-configured-image.sh device [imagefile [force]]"
echo ""
echo ""
- echo " device : The device name to flash. Must be a removable device."
+ echo " device : The device name to flash. Should be a removable device."
echo " Example: sdb"
echo ""
echo " imagefile : An image file generated by bitbake (optional)."
echo " Default: ./tmp/deploy/images/raspberrypi3/core-image-minimal-raspberrypi3.wic"
echo ""
- echo " force : 1 to skip the check if device is removeable."
- echo " Default: 0"
- echo ""
echo " The following utilities are prerequisites:"
echo ""
echo " dd"
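Review bot: The usage line kept as context at the top of this hunk still advertises `device [imagefile [force]]`, although the `force` description is removed here and the argument is no longer read further down. The synopsis should be reduced to `device [imagefile]`. A third argument is now silently ignored, which a caller of the old interface may not notice. The usage block starts and ends outside the hunk.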
@@ -75,22 +72,12 @@ set -euo pipefail
DEVICE_TO_FLASH=$1
IMAGE_TO_FLASH="${2-./tmp/deploy/images/raspberrypi3/core-image-minimal-raspberrypi3.wic}"
-FORCE_WRITE=${3-0}
-DEVICE_IS_REMOVABLE=$(cat "/sys/block/$DEVICE_TO_FLASH/removable")
-
-if [[ $FORCE_WRITE != "1" && $DEVICE_IS_REMOVABLE != "1" ]]; then
- echo ""
- echo " For safety, this script will only flash removable block devices."
- echo ""
- echo " This check is implemented by reading /sys/block/$DEVICE_TO_FLASH/removable."
- echo ""
- exit 1
-fi
echo " "
echo " Writing image file: $IMAGE_TO_FLASH "
echo " to device : $DEVICE_TO_FLASH "
echo " "
+echo "Please double-check the device name!"
if ask "Do you want to continue?" N; then
echo " "
else
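Review bot: With the removable check gone, nothing between reading `$1` and the confirmation prompt inspects the target, so a mistyped name that happens to be a fixed system disk is caught only if the operator notices it in the echo. A non-fatal warning would keep the new flexibility while still flagging the risky case, for example `[[ $(cat "/sys/block/$DEVICE_TO_FLASH/removable") == 1 ]] || echo " WARNING: $DEVICE_TO_FLASH is not reported as removable"` placed before the prompt. Printing the device size next to the name would also give the operator something to check against. The `if ask … else` block continues outside the hunk.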
diff --git a/external/meta-updater/.gitignore b/external/meta-updater/.gitignore
index 8d35cb32..147f1629 100644
--- a/external/meta-updater/.gitignore
+++ b/external/meta-updater/.gitignore
@@ -1,2 +1,3 @@
__pycache__
*.pyc
+.idea/
diff --git a/external/meta-updater/.gitlab-ci.yml b/external/meta-updater/.gitlab-ci.yml
index 6ad00ea3..f0c08db7 100644
--- a/external/meta-updater/.gitlab-ci.yml
+++ b/external/meta-updater/.gitlab-ci.yml
@@ -2,6 +2,7 @@ stages:
- docker
- checkout
- test
+ - trigger
variables:
BITBAKE_IMAGE: ${CI_REGISTRY_IMAGE}:ci-master-bitbake
@@ -45,6 +46,17 @@ Build core-image-minimal:
except:
- pushes
+Build core-image-minimal (rpi):
+ extends: .bitbake
+
+ stage: test
+ variables:
+ TEST_BUILD_DIR: 'build-core-image-minimal-rpi'
+ BITBAKE_TARGETS: 'core-image-minimal'
+ TEST_MACHINE: 'raspberrypi3'
+ except:
+ - pushes
+
Oe-selftest qemux86_64:
extends: .oe-selftest
@@ -89,3 +101,15 @@ Ptest qemux86_64:
only:
variables:
- $OE_PTEST
+
+# -- otf
+
+trigger-otf-on-pr:
+ stage: trigger
+ when: always
+ except:
+ - pushes
+ - schedules
+ script:
+ - apk add --no-cache curl
+ - curl -X POST -F "token=$CI_JOB_TOKEN" -F "ref=master" -F "variables[BITBAKE_JOB_ONLY]=true" -F "variables[BITBAKE_ENV]=thud" -F "variables[PROJECT_NAME]=meta-updater" -F "variables[PROJECT_SHA]=$CI_COMMIT_SHA" https://main.gitlab.in.here.com/api/v4/projects/163/trigger/pipeline
diff --git a/external/meta-updater/CONTRIBUTING.adoc b/external/meta-updater/CONTRIBUTING.adoc
index 0b404382..24916ccd 100644
--- a/external/meta-updater/CONTRIBUTING.adoc
+++ b/external/meta-updater/CONTRIBUTING.adoc
@@ -1,17 +1,9 @@
= Contributing
+:aktualizr-docsroot: https://github.com/advancedtelematic/aktualizr/tree/master/docs/ota-client-guide/modules/ROOT/pages/
-We welcome pull requests from anyone. The master branch is the primary branch for development, and if you wish to add new functionality, it probably belongs there. We attempt to maintain recent previous branches and welcome bug fixes and backports for those. Currently, the actively maintained branches are:
+We welcome pull requests from anyone. The master branch is the primary branch for development, and if you wish to add new functionality, it probably belongs there. We attempt to maintain recent release branches and welcome bug fixes and backports for those. Please see the xref:{aktualizr-docsroot}yocto-release-branches.adoc[release branches] documentation for the current list of supported branches.
-* thud
-* sumo
-* rocko
-
-Previously, some older branches were also regularly supported, and while they should still be stable, they have not been updated or actively maintained for a while. These branches include:
-
-* pyro
-* morty
-
-If you are developing with meta-updater, it may be helpful to read the README and other documentation for link:README.adoc[this repo], https://github.com/advancedtelematic/aktualizr[aktualizr], and the https://github.com/advancedtelematic/updater-repo/[updater-repo], particularly the sections about development and debugging.
+If you are developing with meta-updater, it may be helpful to read the README and other documentation for xref:README.adoc[this repo], https://github.com/advancedtelematic/aktualizr[aktualizr], and the link:https://github.com/advancedtelematic/updater-repo/[updater-repo], particularly the sections about development and debugging.
== Developer Certificate of Origin (DCO)
@@ -23,7 +15,7 @@ New pull requests will automatically be checked by the https://probot.github.io/
* OTA-enabled build succeeds for at least one platform, the resulting image boots, and an update can be installed. This check is absolutely necessary for every pull request unless it only touches documentation.
* If your change touches platform code (like `classes/sota_<platform>.bbclass`), please check building and updating on this particular platform.
-* oe-selftest succeeds. To test meta-updater, run `oe-selftest -r updater` from a build directory with `MACHINE` set to `qemux86-64`. See the link:README.adoc#qa-with-oe-selftest[relevant section of the README] for more details.
+* oe-selftest succeeds. To test meta-updater, run `oe-selftest -r updater` from a build directory with `MACHINE` set to `qemux86-64`. See the link:{aktualizr-docsroot}meta-updater-testing.adoc#qa-with-oe-selftest[relevant section of the README] for more details.
* Updates are forwards- and backwards-compatible. You should be able to update an OTA-enabled build before the change is applied to the version with change applied and vice versa. One should pay double attention to the compatibility when bootloader code is affected.
* The patch/branch should be based on the latest version of the target branch. This may mean that rebasing is necessary if other PRs are merged before yours is approved.
diff --git a/external/meta-updater/README.adoc b/external/meta-updater/README.adoc
index b047f914..1f18af6b 100644
--- a/external/meta-updater/README.adoc
+++ b/external/meta-updater/README.adoc
@@ -1,25 +1,20 @@
= meta-updater
:toc: macro
:toc-title:
+:devguide-docsroot: https://docs.ota.here.com/ota-client/latest/
+:getstarted-docsroot: https://docs.ota.here.com/getstarted/dev/
-This layer enables over-the-air updates (OTA) with https://github.com/ostreedev/ostree[OSTree] and https://github.com/advancedtelematic/aktualizr[Aktualizr].
+Meta-updater is a link:https://www.yoctoproject.org/software-overview/layers/[Yocto layer] that enables over-the-air updates (OTA) with https://github.com/ostreedev/ostree[OSTree] and https://github.com/advancedtelematic/aktualizr[Aktualizr] -- the default client for link:https://www.here.com/products/automotive/ota-technology[HERE OTA Connect].
https://github.com/ostreedev/ostree[OSTree] is a tool for atomic full file system upgrades with rollback capability. OSTree has several advantages over traditional dual-bank systems, but the most important one is that it minimizes network bandwidth and data storage footprint by sharing files with the same contents across file system deployments.
-https://github.com/advancedtelematic/aktualizr[Aktualizr] (and https://github.com/advancedtelematic/rvi_sota_client[RVI SOTA client]) add authentication and provisioning capabilities to OTA and are integrated with OSTree. You can connect with these open-source applications or sign up for a free account at https://connect.ota.here.com/[HERE OTA Connect] to get started.
+https://github.com/advancedtelematic/aktualizr[Aktualizr] implements https://uptane.github.io/uptane-standard/uptane-standard.html[Uptane], supports device authentication and provisioning, and is integrated with OSTree. You can connect aktualizr to your own server solution or sign up for a free account at https://connect.ota.here.com/[HERE OTA Connect] to get started.
-[discrete]
-== Table of Contents
-
-toc::[]
-
-== Build
+== Quickstart
-=== Quickstart
+If you don't already have a Yocto project that you want to add OTA to, you can use the xref:{getstarted-docsroot}get-started.html[HERE OTA Connect Quickstart] project to rapidly get up and running on a xref:{getstarted-docsroot}raspberry-pi.html[Raspberry Pi] or with xref:{getstarted-docsroot}qemuvirtualbox.html[QEMU]. It takes a standard https://www.yoctoproject.org/tools-resources/projects/poky[poky] distribution, and adds OTA and OSTree capabilities.
-If you don't already have a Yocto project that you want to add OTA to, you can use the https://docs.atsgarage.com/quickstarts/raspberry-pi.html[HERE OTA Connect Quickstart] project to rapidly get up and running on a Raspberry Pi. It takes a standard https://www.yoctoproject.org/tools-resources/projects/poky[poky] distribution, and adds OTA and OSTree capabilities.
-
-=== Dependencies
+== Dependencies
In addition to the link:https://www.yoctoproject.org/docs/current/ref-manual/ref-manual.html#required-packages-for-the-build-host[standard Yocto dependencies], meta-updater generally requires a few additional dependencies, depending on your use case and target platform. To install these additional packages on Debian/Ubuntu, run this:
@@ -33,247 +28,49 @@ To build for https://github.com/advancedtelematic/meta-updater-minnowboard[Minno
sudo apt install ovmf
....
-=== Adding meta-updater capabilities to your build
-
-If you already have a Yocto-based project and you want to add atomic filesystem updates to it, you just need to do three things:
-
-1. Clone the `meta-updater` layer and add it to your https://www.yoctoproject.org/docs/current/ref-manual/ref-manual.html#structure-build-conf-bblayers.conf[bblayers.conf].
-2. Clone BSP integration layer (`meta-updater-$\{PLATFORM}`, e.g. https://github.com/advancedtelematic/meta-updater-raspberrypi[meta-updater-raspberrypi]) and add it to your `conf/bblayers.conf`. If your board isn't supported yet, you could write a BSP integration for it yourself. See the <<Adding support for your board>> section for the details.
-3. Set up your https://www.yoctoproject.org/docs/current/ref-manual/ref-manual.html#var-DISTRO[distro]. If you are using "poky", the default distro in Yocto, you can change it in your `conf/local.conf` to "poky-sota". Alternatively, if you are using your own or third party distro configuration, you can add `INHERIT += " sota"` to it, thus combining capabilities of your distro with meta-updater features.
-
-You can then build your image as usual, with bitbake. After building the root file system, bitbake will then create an https://ostree.readthedocs.io/en/latest/manual/adapting-existing/[OSTree-enabled version] of it, commit it to your local OSTree repo and (optionally) push it to a remote server. Additionally, a live disk image will be created (normally named `$\{IMAGE_NAME}.-sdimg-ota` e.g. `core-image-raspberrypi3.rpi-sdimg-ota`). You can control this behaviour through <<sota-related-variables-in-localconf,variables in your local.conf>>.
-
-=== Build in AGL
-
-With AGL you can just add agl-sota feature while configuring your build environment:
-
-....
-source meta-agl/scripts/aglsetup.sh -m porter agl-demo agl-appfw-smack agl-devel agl-sota
-....
-
-You can then run:
-
-....
-bitbake agl-demo-platform
-....
-
-and get as a result an `ostree_repo` folder in your images directory (`tmp/deploy/images/$\{MACHINE}/ostree_repo`). It will contain:
-
-* your OSTree repository, with the rootfs committed as an OSTree deployment,
-* an `ota-ext4` bootstrap image, which is an OSTree physical sysroot as a burnable filesystem image, and optionally
-* some machine-dependent live images (e.g. `.wic` for Raspberry Pi or `.porter-sdimg-ota` Renesas Porter board).
-
-Although `aglsetup.sh` hooks provide reasonable defaults for SOTA-related variables, you may want to tune some of them.
-
-=== Build problems
-
-Ubuntu users that encounter an error due to missing `Python.h` should install `libpython2.7-dev` on their host machine.
-
-== Supported boards
-
-Currently supported platforms are
-
-* https://github.com/advancedtelematic/meta-updater-raspberrypi[Raspberry Pi3]
-* https://github.com/advancedtelematic/meta-updater-minnowboard[Minnowboard]
-* https://github.com/advancedtelematic/meta-updater-qemux86-64[Native QEMU emulation]
-
-=== Adding support for your board
-
-If your board isn't supported yet, you can add board integration code yourself. The main purpose of this code is to provide a bootloader that will be able to use https://ostree.readthedocs.io/en/latest/manual/atomic-upgrades/[OSTree's boot directory]. In the meta-updater integration layers we have written so far, the basic steps are:
-
-1. Make the board boot into http://www.denx.de/wiki/U-Boot[U-Boot]
-2. Make U-boot import variables from /boot/loader/uEnv.txt and load the kernel with initramfs and kernel command line arguments according to what is set in this file.
-
-You may take a look into https://github.com/advancedtelematic/meta-updater-minnowboard[Minnowboard] or https://github.com/advancedtelematic/meta-updater-raspberrypi[Raspberry Pi] integration layers for examples.
-
-Although we have focused on U-Boot and GRUB so far, other bootloaders can be configured to work with OSTree as well.
-
-Your images will also need network connectivity to be able to reach an actual OTA backend. Our 'poky-sota' distribution does not mandate or install a default network manager but our supported platforms use the `virtual/network-configuration` recipe, which can be used as a starting example.
-
-== SOTA-related variables in local.conf
-
-* `OSTREE_REPO` - path to your OSTree repository. Defaults to `$\{DEPLOY_DIR_IMAGE}/ostree_repo`
-* `OSTREE_OSNAME` - OS deployment name on your target device. For more information about deployments and osnames see the https://ostree.readthedocs.io/en/latest/manual/deployment/[OSTree documentation]. Defaults to "poky".
-* `OSTREE_COMMIT_BODY` - Message attached to OSTree commit. Empty by default.
-* `OSTREE_COMMIT_SUBJECT` - Commit subject used by OSTree. Defaults to `Commit-id: ${IMAGE_NAME}`
-* `OSTREE_UPDATE_SUMMARY` - Set this to '1' to update summary of OSTree repository on each commit. '0' by default.
-* `OSTREE_DEPLOY_DEVICETREE` - Set this to '1' to include devicetree(s) to boot
-* `GARAGE_SIGN_AUTOVERSION` - Set this to '1' to automatically fetch the last version of the garage tools installed by the aktualizr-native. Otherwise use the fixed version specified in the recipe.
-* `INITRAMFS_IMAGE` - initramfs/initrd image that is used as a proxy while booting into OSTree deployment. Do not change this setting unless you are sure that your initramfs can serve as such a proxy.
-* `SOTA_PACKED_CREDENTIALS` - when set, your ostree commit will be pushed to a remote repo as a bitbake step. This should be the path to a zipped credentials file in https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[the format accepted by garage-push].
-* `SOTA_DEPLOY_CREDENTIALS` - when set to '1' (default value), deploys credentials to the built image. Override it in `local.conf` to built a generic image that can be provisioned manually after the build.
-* `SOTA_CLIENT_PROV` - which provisioning method to use. Valid options are `aktualizr-shared-prov`, `aktualizr-device-prov`, and `aktualizr-device-prov-hsm`. For more information on these provisioning methods, see the https://docs.ota.here.com/client-config/client-provisioning-methods.html[OTA Connect documentation]. The default is `aktualizr-shared-prov`. This can also be set to an empty string to avoid using a provisioning recipe.
-* `SOTA_CLIENT_FEATURES` - extensions to aktualizr. The only valid options are `hsm` (to build with HSM support) and `secondary-network` (to set up a simulated 'in-vehicle' network with support for a primary node with a DHCP server and a secondary node with a DHCP client).
-* `SOTA_SECONDARY_CONFIG` - a file containing JSON configuration for secondaries. It will be installed into `/etc/sota/ecus` on the device and automatically provided to aktualizr. See link:https://github.com/advancedtelematic/aktualizr/blob/master/docs/posix-secondaries-bitbaking.adoc[here] for more details.
-* `SOTA_HARDWARE_ID` - a custom hardware ID that will be written to the aktualizr config. Defaults to MACHINE if not set.
-* `SOTA_MAIN_DTB` - base device tree to use with the kernel. Used together with FIT images. You can change it, and the device tree will also be changed after the update.
-* `SOTA_DT_OVERLAYS` - whitespace-separated list of used device tree overlays for FIT image. This list is OSTree-updateable as well.
-* `SOTA_EXTRA_CONF_FRAGS` - extra https://lxr.missinglinkelectronics.com/uboot/doc/uImage.FIT/overlay-fdt-boot.txt[configuration fragments] for FIT image.
-* `RESOURCE_xxx_pn-aktualizr` - controls maximum resource usage of the aktualizr service, when `aktualizr-resource-control` is installed on the image. See <<aktualizr service resource control>> for details.
-* `SOTA_POLLING_SEC` - sets polling interval for aktualizr to check for updates if aktualizr-polling-sec is included in the image.
-
-== Usage
-
-=== OSTree
-
-OSTree used to include a simple HTTP server as part of the ostree binary, but this has been removed in more recent versions. However, OSTree repositories are self-contained directories, and can be trivially served over the network using any HTTP server. For example, you could use Python's SimpleHTTPServer:
-
-....
-cd tmp/deploy/images/qemux86-64/ostree_repo
-python -m SimpleHTTPServer <port> # port defaults to 8000
-....
-
-You can then run ostree from inside your device by adding your repo:
-
-....
-# This behaves like adding a Git remote; you can name it anything
-ostree remote add --no-gpg-verify my-remote http://<your-ip>:<port>
-
-# If OSTREE_BRANCHNAME is set in local.conf, that will be the name of the
-# branch. If not set, it defaults to the value of MACHINE (e.g. qemux86-64).
-ostree pull my-remote <branch>
-
-# poky is the OS name as set in OSTREE_OSNAME
-ostree admin deploy --os=poky my-remote:<branch>
-....
-
-After restarting, you will boot into the newly deployed OS image.
-
-For example, on the raspberry pi you can try this sequence:
-
-....
-# add remote
-ostree remote add --no-gpg-verify agl-snapshot https://download.automotivelinux.org/AGL/snapshots/master/latest/raspberrypi3/deploy/images/raspberrypi3/ostree_repo/ agl-ota
-
-# pull
-ostree pull agl-snapshot agl-ota
-
-# deploy
-ostree admin deploy --os=agl agl-snapshot:agl-ota
-....
-
-=== garage-push
-
-The https://github.com/advancedtelematic/aktualizr[aktualizr repo] contains a tool, garage-push, which lets you push the changes in OSTree repository generated by bitbake process. It communicates with an http server capable of querying files with HEAD requests and uploading them with POST requests. In particular, this can be used with https://connect.ota.here.com/[HERE OTA Connect]. garage-push is used as follows:
-
-....
-garage-push --repo=/path/to/ostree-repo --ref=mybranch --credentials=/path/to/credentials.zip
-....
-
-You can set `SOTA_PACKED_CREDENTIALS` in your `local.conf` to automatically synchronize your build results with a remote server. Credentials are stored in an archive as described in the https://github.com/advancedtelematic/aktualizr/blob/master/docs/credentials.adoc[aktualizr documentation].
-
-=== aktualizr configuration
-
-https://github.com/advancedtelematic/aktualizr[Aktualizr] supports a variety of https://github.com/advancedtelematic/aktualizr/blob/master/docs/configuration.adoc[configuration options via a configuration file and the command line]. There are two primary ways to control aktualizr's configuration from meta-updater.
-
-First, you can set `SOTA_CLIENT_PROV` to control which provisioning recipe is used. Each recipe installs an appropriate `sota.toml` file from aktualizr according to the provisioning needs. See the <<sota-related-variables-in-localconf,SOTA-related variables in local.conf>> section for more information.
-
-Second, you can write recipes to install additional config files with customized options. A few recipes already exist to address common needs and provide an example:
-
-* link:recipes-sota/config/aktualizr-auto-reboot.bb[aktualizr-auto-reboot.bb] configures aktualizr to automatically reboot after new updates are installed in order to apply the updates immediately. This is only relevant for package managers (such as OSTree) that require a reboot to complete the installation process. If this is not enabled, you will need to reboot the system through other means.
-* link:recipes-sota/config/aktualizr-disable-send-ip.bb[aktualizr-disable-send-ip.bb] disables the reporting of networking information to the server. This is enabled by default and supported by https://connect.ota.here.com/[HERE OTA Connect]. However, if you are using a different server that does not support this feature, you may want to disable it in aktualizr.
-* link:recipes-sota/config/aktualizr-log-debug.bb[aktualizr-log-debug.bb] sets the log level of aktualizr to 0 (trace). The default is 2 (info). This recipe is intended for development and debugging purposes.
-
-To use these recipes, you will need to add them to your image with a line such as `IMAGE_INSTALL_append = " aktualizr-log-debug "` in your `local.conf`.
-
-=== aktualizr service resource control
-
-With systemd based images, it is possible to set resource policies for the aktualizr service. The main use case is to provide a safeguard against resource exhaustion during an unforeseen failure scenario.
-
-To enable it, install `aktualizr-resource-control` on the target image and optionally override the default resource limits set in link:recipes-sota/aktualizr/aktualizr_git.bb[aktualizr_git.bb], from your `local.conf`.
-
-For example:
-
-....
-IMAGE_INSTALL_append += " aktualizr-resource-control "
-RESOURCE_CPU_WEIGHT_pn-aktualizr = "50"
-....
-
-== Development configuration
-
-There are a few settings that can be controlled in `local.conf` to simplify the development process:
-
-[options="header"]
-|======================
-| Option | Effect
-| `require classes/sota_bleeding.inc` | Build the latest head (by default, using the master branch) of Aktualizr
-| `BRANCH_pn-aktualizr = "mybranch"`
-
-`BRANCH_pn-aktualizr-native = "mybranch"` | Build `mybranch` of Aktualizr. Note that both of these need to be set. This is normally used in conjunction with `require classes/sota_bleeding.inc`
-| `SRCREV_pn-aktualizr = "1004efa3f86cef90c012b34620992b5762b741e3"`
-
-`SRCREV_pn-aktualizr-native = "1004efa3f86cef90c012b34620992b5762b741e3"` | Build the specified revision of Aktualizr. Note that both of these need to be set. This can be used in conjunction with `BRANCH_pn-aktualizr` and `BRANCH_pn-aktualizr-native` but will conflict with `require classes/sota_bleeding.inc`
-| `TOOLCHAIN_HOST_TASK_append = " nativesdk-cmake "` | Use with `bitbake -c populate_sdk core-image-minimal` to build an SDK. See the https://github.com/advancedtelematic/aktualizr#developing-against-an-openembedded-system[aktualizr repo] for more information.
-|======================
-
-=== Overriding target version
-*Warning: overriding target version is a dangerous operation, make sure you understand this section completely before doing it.*
-
-Every time you build an image with `SOTA_PACKED_CREDENTIALS` set, a new entry in your Uptane metadata is created and you can see it in the OTA Garage UI if you're using one. Normally this version will be equal to OSTree hash of your root file system. If you want it to be different though you can override is using one of two methods:
-
-1. Set `GARAGE_TARGET_VERSION` variable in your `local.conf`.
-2. Write a recipe or a bbclass to write the desired version to `${STAGING_DATADIR_NATIVE}/target_version`. An example of such bbclass can be found in `classes/target_version_example.bbclass`.
-
-Please note that [target name, target version] pairs are expected to be unique in the system. If you build a new target with the same target version as a previously built one, the old package will be overwritten on the update server. It can have unpredictable effect on devices that have this version installed, and it is not guaranteed that information will be reported correctly for such devices or that you will be able to update them (we're doing our best though). The easiest way to avoid problems is to make sure that your overriding version is as unique as an OSTree commit hash.
-
-== QA with oe-selftest
+[discrete]
+== Table of Contents
-This layer relies on the test framework oe-selftest for quality assurance. Currently, you will need to run this in a build directory with `MACHINE` set to `qemux86-64`. Follow the steps below to run the tests:
+The following documentation focuses on tasks that involve the meta-updater layer. If you want to get an idea of the overall developer workflow in OTA Connect, see the link:{devguide-docsroot}index.html[OTA Connect Developer Guide].
-1. Append the line below to `conf/local.conf` to disable the warning about supported operating systems:
+* xref:{devguide-docsroot}supported-boards.html[Supported boards]
+
-```
-SANITY_TESTED_DISTROS = ""
-```
-
-2. If your image does not already include an ssh daemon such as dropbear or openssh, add this line to `conf/local.conf` as well:
+Find out if your board is supported and learn about the minimum hardware requirements.
+
-```
-IMAGE_INSTALL_append = " dropbear "
-```
-
-3. Some tests require that `SOTA_PACKED_CREDENTIALS` is set in your `conf/local.conf`. See the <<sota-related-variables-in-localconf,SOTA-related variables in local.conf>> section.
-
-4. To be able to build an image for the GRUB tests, you will need to install the ovmf package as described in the <<Dependencies,dependencies>>.
-
-5. Run oe-selftest:
+* xref:{devguide-docsroot}build-agl.html[Build an Automotive Grade Linux image]
+
-```
-oe-selftest -r updater_native updater_qemux86_64 updater_minnowboard updater_raspberrypi updater_qemux86_64_ptest
-```
-
-For more information about oe-selftest, including details about how to run individual test modules or classes, please refer to the https://wiki.yoctoproject.org/wiki/Oe-selftest[Yocto Project wiki].
-
-== Aktualizr test suite with ptest
-
-The meta-updater layer includes support for running parts of the aktualizr test suite on deployed devices through link:https://wiki.yoctoproject.org/wiki/Ptest[Yocto's ptest functionality]. Since it adds significant build time cost, it is currently disabled by default. To enable it, add the following to your `conf/local.conf`:
-
-```
-PTEST_ENABLED_pn-aktualizr = "1"
-IMAGE_INSTALL_append += " aktualizr-ptest ptest-runner "
-```
-
-Be aware that it will add several hundreds of MB to the generated file system.
-
-The aktualizr tests will now be part of the deployed ptest suite, which can be run by calling `ptest-runner`. Alternatively, the required files and run script can be found in `/usr/lib/aktualizr/ptest`.
-
-== Manual provisoning
-
-As described in <<sota-related-variables-in-localconf,SOTA-related variables in local.conf>> section you can set `SOTA_DEPLOY_CREDENTIALS` to `0` to prevent deploying credentials to the built `wic` image. In this case you get a generic image that you can use e.g. on a production line to flash a series of devices. The cost of this approach is that this image is half-baked and should be provisioned before it can connect to the backend.
-
-Provisioning procedure depends on your provisioning recipe, i.e. the value of `SOTA_CLIENT_PROV` (equal to `aktualizr-shared-prov` by default):
-
-* For `aktualizr-shared-prov` put your `credentials.zip` to `/var/sota/sota_provisioning_credentials.zip` on the filesystem of a running device. If you have the filesystem of our device mounted to your build machine, prefix all paths with `/ostree/deploy/poky` as in `/ostree/deploy/poky/var/sota/sota_provisioning_credentials.zip`.
-* For `aktualizr-device-prov`
-** put URL to the backend server (together with protocol prefix and port number) at `/var/sota/gateway.url`. If you're using HERE OTA Connect, you can find the URL in the `autoprov.url` file in your credentials archive.
-** put client certificate, private key and root CA certificate (for the *server*, not for the *device*) at `/var/sota/import/client.pem`, `/var/sota/import/pkey.pem` and `/var/sota/import/root.crt` respectively.
-* For `aktualizr-device-prov-hsm`
-** put URL to the server backend (together with protocol prefix and port number) at `/var/sota/gateway.url`. If you're using HERE OTA Connect, you can find the URL in the `autoprov.url` file in your credentials archive.
-** put root CA certificate (for the *server*, not for the *device*) at `/var/sota/import/root.crt`.
-** put client certificate and private key to slots 1 and 2 of the PKCS#11-compatible device.
+Learn how to use this layer as part of AGL.
++
+* xref:{devguide-docsroot}add-ota-functonality-existing-yocto-project.html[Add OTA functionality to an existing Yocto project]
++
+Learn how to add this layer to your own Yocto project.
++
+* xref:{devguide-docsroot}build-configuration.html[SOTA-related variables in local.conf]
++
+Learn how to configure OTA-related functionality when building images, including how to install custom versions of aktualizr.
++
+* xref:{devguide-docsroot}recommended-clientconfig.html[Recommended configuration]
++
+Learn how to optimize your build for development or production.
++
+* xref:{devguide-docsroot}client-provisioning-methods.html[Provisoning methods]
++
+Learn more about the methods for provisioning devices. For more detail, you may also want to read about how to xref:{devguide-docsroot}enable-device-cred-provisioning.html[enable device credential provisioning] or how to xref:{devguide-docsroot}simulate-device-cred-provtest.html[simulate it for testing].
++
+* xref:{devguide-docsroot}meta-updater-usage.html[Advanced usage]
++
+Learn about the `garage-push` and `garage-sign` utilities, aktualizr configuration recipes, and service resource control.
++
+* xref:{devguide-docsroot}meta-updater-testing.html[Testing with oe-selftest and ptest]
++
+Learn how to use the `oe-selftest` framework for quality assurance and how to run the aktualizr test suite via ptest.
++
+* xref:{devguide-docsroot}troubleshooting.html[Troubleshooting]
++
+Get help on common problems.
== License
-This code is licensed under the link:COPYING.MIT[MIT license], a copy of which can be found in this repository. All code is copyright HERE Europe B.V., 2016-2019.
+This code is licensed under the link:COPYING.MIT[MIT license], a copy of which can be found in this repository. All code is copyright HERE Europe B.V., 2016-2020.
We require that contributors accept the terms of Linux Foundation's link:https://developercertificate.org/[Developer Certificate of Origin]. Please see the https://github.com/advancedtelematic/aktualizr/blob/master/CONTRIBUTING.md[contribution instructions of aktualizr] for more information.
diff --git a/external/meta-updater/classes/image_repo_manifest.bbclass b/external/meta-updater/classes/image_repo_manifest.bbclass
index c2e7056d..72dc28fe 100644
--- a/external/meta-updater/classes/image_repo_manifest.bbclass
+++ b/external/meta-updater/classes/image_repo_manifest.bbclass
@@ -9,8 +9,6 @@
# For more information, see:
# https://web.archive.org/web/20161224194009/https://wiki.cyanogenmod.org/w/Doc:_Using_manifests
-HOSTTOOLS_NONFATAL += " repo "
-
# Write build information to target filesystem
buildinfo_manifest () {
if [ $(which repo) ]; then
diff --git a/external/meta-updater/classes/image_types_ostree.bbclass b/external/meta-updater/classes/image_types_ostree.bbclass
index 56d4d76c..533d338b 100644
--- a/external/meta-updater/classes/image_types_ostree.bbclass
+++ b/external/meta-updater/classes/image_types_ostree.bbclass
@@ -5,6 +5,7 @@ OSTREE_KERNEL ??= "${KERNEL_IMAGETYPE}"
OSTREE_ROOTFS ??= "${WORKDIR}/ostree-rootfs"
OSTREE_COMMIT_SUBJECT ??= "Commit-id: ${IMAGE_NAME}"
OSTREE_COMMIT_BODY ??= ""
+OSTREE_COMMIT_VERSION ??= "${DISTRO_VERSION}"
OSTREE_UPDATE_SUMMARY ??= "0"
OSTREE_DEPLOY_DEVICETREE ??= "0"
@@ -13,11 +14,11 @@ BUILD_OSTREE_TARBALL ??= "1"
SYSTEMD_USED = "${@oe.utils.ifelse(d.getVar('VIRTUAL-RUNTIME_init_manager') == 'systemd', 'true', '')}"
IMAGE_CMD_TAR = "tar --xattrs --xattrs-include=*"
-CONVERSION_CMD_tar = "touch ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}; ${IMAGE_CMD_TAR} --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.tar -C ${OTA_IMAGE_ROOTFS} . || [ $? -eq 1 ]"
+CONVERSION_CMD_tar = "touch ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}; ${IMAGE_CMD_TAR} --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.tar -C ${TAR_IMAGE_ROOTFS} . || [ $? -eq 1 ]"
CONVERSIONTYPES_append = " tar"
REQUIRED_DISTRO_FEATURES = "usrmerge"
-OTA_IMAGE_ROOTFS_task-image-ostree = "${OSTREE_ROOTFS}"
+TAR_IMAGE_ROOTFS_task-image-ostree = "${OSTREE_ROOTFS}"
do_image_ostree[dirs] = "${OSTREE_ROOTFS}"
do_image_ostree[cleandirs] = "${OSTREE_ROOTFS}"
do_image_ostree[depends] = "coreutils-native:do_populate_sysroot virtual/kernel:do_deploy ${INITRAMFS_IMAGE}:do_image_complete"
@@ -78,15 +79,15 @@ IMAGE_CMD_ostree () {
if [ "$(ls -A $dir)" ]; then
bbwarn "Data in /$dir directory is not preserved by OSTree. Consider moving it under /usr"
fi
-
- if [ -n "${SYSTEMD_USED}" ]; then
- echo "d /var/rootdirs/${dir} 0755 root root -" >>${tmpfiles_conf}
- else
- echo "mkdir -p /var/rootdirs/${dir}; chown 755 /var/rootdirs/${dir}" >>${tmpfiles_conf}
- fi
rm -rf ${dir}
- ln -sf var/rootdirs/${dir} ${dir}
fi
+
+ if [ -n "${SYSTEMD_USED}" ]; then
+ echo "d /var/rootdirs/${dir} 0755 root root -" >>${tmpfiles_conf}
+ else
+ echo "mkdir -p /var/rootdirs/${dir}; chown 755 /var/rootdirs/${dir}" >>${tmpfiles_conf}
+ fi
+ ln -sf var/rootdirs/${dir} ${dir}
done
if [ -d root ] && [ ! -L root ]; then
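Review bot: The non-systemd branch re-added in this hunk writes `chown 755 /var/rootdirs/${dir}`, which sets the directory's owner to uid 755 instead of its mode. The systemd branch beside it asks for mode 0755 owned by root, so `chmod` looks intended: `echo "mkdir -p /var/rootdirs/${dir}; chmod 755 /var/rootdirs/${dir}" >>${tmpfiles_conf}`. The same pattern recurs in the next hunk (@@ -95,15 +96,40 @@) for `/var/roothome`, `/var/usrlocal` and its subdirectories. It matters most for `/var/roothome`: the commit tightens the systemd entry to 0700, but `chown 700 /var/roothome` leaves the mode at whatever `mkdir -p` produced and gives root's home to uid 700, so on non-systemd images the tightening presumably never takes effect. IMAGE_CMD_ostree starts and ends outside this hunk.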
@@ -95,15 +96,40 @@ IMAGE_CMD_ostree () {
fi
if [ -n "${SYSTEMD_USED}" ]; then
- echo "d /var/roothome 0755 root root -" >>${tmpfiles_conf}
+ echo "d /var/roothome 0700 root root -" >>${tmpfiles_conf}
else
- echo "mkdir -p /var/roothome; chown 755 /var/roothome" >>${tmpfiles_conf}
+ echo "mkdir -p /var/roothome; chown 700 /var/roothome" >>${tmpfiles_conf}
fi
rm -rf root
ln -sf var/roothome root
fi
+ if [ -d usr/local ] && [ ! -L usr/local ]; then
+ if [ "$(ls -A usr/local)" ]; then
+ bbfatal "Data in /usr/local directory is not preserved by OSTree."
+ fi
+ rm -rf usr/local
+ fi
+
+ if [ -n "${SYSTEMD_USED}" ]; then
+ echo "d /var/usrlocal 0755 root root -" >>${tmpfiles_conf}
+ else
+ echo "mkdir -p /var/usrlocal; chown 755 /var/usrlocal" >>${tmpfiles_conf}
+ fi
+
+ dirs="bin etc games include lib man sbin share src"
+
+ for dir in ${dirs}; do
+ if [ -n "${SYSTEMD_USED}" ]; then
+ echo "d /var/usrlocal/${dir} 0755 root root -" >>${tmpfiles_conf}
+ else
+ echo "mkdir -p /var/usrlocal/${dir}; chown 755 /var/usrlocal/${dir}" >>${tmpfiles_conf}
+ fi
+ done
+
+ ln -sf ../var/usrlocal usr/local
+
if [ "${KERNEL_IMAGETYPE}" = "fitImage" ]; then
# this is a hack for ostree not to override init= in kernel cmdline -
# make it think that the initramfs is present (while it is in FIT image)
@@ -143,7 +169,9 @@ IMAGE_CMD_ostreecommit () {
--skip-if-unchanged \
--branch=${OSTREE_BRANCHNAME} \
--subject="${OSTREE_COMMIT_SUBJECT}" \
- --body="${OSTREE_COMMIT_BODY}"
+ --body="${OSTREE_COMMIT_BODY}" \
+ --add-metadata-string=version="${OSTREE_COMMIT_VERSION}" \
+ --bind-ref="${OSTREE_BRANCHNAME}-${IMAGE_BASENAME}"
if [ "${OSTREE_UPDATE_SUMMARY}" = "1" ]; then
ostree --repo=${OSTREE_REPO} summary -u
@@ -160,13 +188,20 @@ IMAGE_CMD_ostreecommit () {
IMAGE_TYPEDEP_ostreepush = "ostreecommit"
do_image_ostreepush[depends] += "aktualizr-native:do_populate_sysroot ca-certificates-native:do_populate_sysroot"
IMAGE_CMD_ostreepush () {
- # Print warnings if credetials are not set or if the file has not been found.
+ # send a copy of the repo manifest to backend if available
+ local SEND_MANIFEST=""
+ # check if garage-push supports the --repo-manifest option before trying
+ if $(garage-push --help | grep -q '^\s*--repo-manifest') && [ -f ${IMAGE_ROOTFS}${sysconfdir}/manifest.xml ]; then
+ SEND_MANIFEST="--repo-manifest ${IMAGE_ROOTFS}${sysconfdir}/manifest.xml"
+ fi
+
if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
if [ -e ${SOTA_PACKED_CREDENTIALS} ]; then
garage-push -vv --repo=${OSTREE_REPO} \
--ref=${OSTREE_BRANCHNAME} \
--credentials=${SOTA_PACKED_CREDENTIALS} \
- --cacert=${STAGING_ETCDIR_NATIVE}/ssl/certs/ca-certificates.crt
+ --cacert=${STAGING_ETCDIR_NATIVE}/ssl/certs/ca-certificates.crt \
+ $SEND_MANIFEST
else
bbwarn "SOTA_PACKED_CREDENTIALS file does not exist."
fi
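Review bot: The repo manifest is now uploaded whenever `${IMAGE_ROOTFS}${sysconfdir}/manifest.xml` exists and garage-push accepts `--repo-manifest`, with no variable to switch it off. A repo manifest normally lists source repository URLs and revisions, so builds that push to a hosted backend would share that by default. Gating it on an opt-in setting (for example a placeholder name such as `SOTA_SEND_REPO_MANIFEST`, to be chosen by the maintainers) would make that a deliberate choice. On style, the `$( … )` around the probe is unnecessary and runs the pipeline's empty output as a command; `if garage-push --help | grep -q '^\s*--repo-manifest' && [ -f "${IMAGE_ROOTFS}${sysconfdir}/manifest.xml" ]; then` tests the exit status directly. IMAGE_CMD_ostreepush continues past the end of this hunk.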
@@ -203,19 +238,29 @@ IMAGE_CMD_garagesign () {
target_version=${ostree_target_hash}
if [ -n "${GARAGE_TARGET_VERSION}" ]; then
target_version=${GARAGE_TARGET_VERSION}
- bbwarn "Target version is overriden with GARAGE_TARGET_VERSION variable. It is a dangerous operation, make sure you've read the respective secion in meta-updater/README.adoc"
+ bbwarn "Target version is overriden with GARAGE_TARGET_VERSION variable. This is a dangerous operation! See https://docs.ota.here.com/ota-client/latest/build-configuration.html#_overriding_target_version"
elif [ -e "${STAGING_DATADIR_NATIVE}/target_version" ]; then
target_version=$(cat "${STAGING_DATADIR_NATIVE}/target_version")
- bbwarn "Target version is overriden with target_version file. It is a dangerous operation, make sure you've read the respective secion in meta-updater/README.adoc"
+ bbwarn "Target version is overriden with target_version file. This is a dangerous operation! See https://docs.ota.here.com/ota-client/latest/build-configuration.html#_overriding_target_version"
fi
# Push may fail due to race condition when multiple build machines try to push simultaneously
# in which case targets.json should be pulled again and the whole procedure repeated
push_success=0
- target_url=""
- if [ -n "${GARAGE_TARGET_URL}" ]; then
- target_url='--url ${GARAGE_TARGET_URL}'
- fi
+ target_url=""
+ if [ -n "${GARAGE_TARGET_URL}" ]; then
+ target_url="--url ${GARAGE_TARGET_URL}"
+ fi
+ target_expiry=""
+ if [ -n "${GARAGE_TARGET_EXPIRES}" ] && [ -n "${GARAGE_TARGET_EXPIRE_AFTER}" ]; then
+ bbfatal "Both GARAGE_TARGET_EXPIRES and GARAGE_TARGET_EXPIRE_AFTER are set. Only one can be set at a time."
+ elif [ -n "${GARAGE_TARGET_EXPIRES}" ]; then
+ target_expiry="--expires ${GARAGE_TARGET_EXPIRES}"
+ elif [ -n "${GARAGE_TARGET_EXPIRE_AFTER}" ]; then
+ target_expiry="--expire-after ${GARAGE_TARGET_EXPIRE_AFTER}"
+ else
+ target_expiry="--expire-after 1M"
+ fi
for push_retries in $( seq 3 ); do
garage-sign targets pull --repo tufrepo \
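Review bot: The fallback `target_expiry="--expire-after 1M"` is hard-coded in the task body without a comment. A build that sets neither `GARAGE_TARGET_EXPIRES` nor `GARAGE_TARGET_EXPIRE_AFTER` therefore signs targets metadata that, going by the option name, lapses after one month, and nothing here tells the integrator. I would add a comment above the `if`/`elif` chain such as `# Neither variable set: sign with a one-month expiry; targets metadata must be re-signed before it lapses`. The default could also be mentioned next to the new variables in sota.bbclass. IMAGE_CMD_garagesign starts before this hunk and continues after it.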
@@ -229,8 +274,15 @@ IMAGE_CMD_garagesign () {
${target_url} \
--sha256 ${ostree_target_hash} \
--hardwareids ${SOTA_HARDWARE_ID}
+ if [ -n "${GARAGE_CUSTOMIZE_TARGET}" ]; then
+ bbplain "Running command(${GARAGE_CUSTOMIZE_TARGET}) to customize target"
+ ${GARAGE_CUSTOMIZE_TARGET} \
+ ${GARAGE_SIGN_REPO}/tufrepo/roles/unsigned/targets.json \
+ ${GARAGE_TARGET_NAME}-${target_version}
+ fi
garage-sign targets sign --repo tufrepo \
--home-dir ${GARAGE_SIGN_REPO} \
+ ${target_expiry} \
--key-name=targets
errcode=0
garage-sign targets push --repo tufrepo \
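Review bot: `${GARAGE_CUSTOMIZE_TARGET}` is expanded unquoted and run on `roles/unsigned/targets.json` immediately before `garage-sign targets sign`, so whatever it writes is signed with the targets key, yet the hook's contract is not documented in the hunk. A comment above the added `if` would help, for example `# Optional hook, called as <cmd> <unsigned targets.json> <name>-<version>; its edits are signed below, so it must be a trusted build-host script`. The hook also sits inside the `for push_retries` loop, so it can run up to three times and should be safe to repeat. Quoting its two arguments, as in `"${GARAGE_SIGN_REPO}/tufrepo/roles/unsigned/targets.json"`, would keep paths containing spaces intact. The loop and the enclosing function start outside this hunk.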
diff --git a/external/meta-updater/classes/image_types_ota.bbclass b/external/meta-updater/classes/image_types_ota.bbclass
index 12375ec1..857161af 100644
--- a/external/meta-updater/classes/image_types_ota.bbclass
+++ b/external/meta-updater/classes/image_types_ota.bbclass
@@ -38,13 +38,14 @@ calculate_size () {
}
OTA_SYSROOT = "${WORKDIR}/ota-sysroot"
-OTA_IMAGE_ROOTFS_task-image-ota = "${OTA_SYSROOT}"
+TAR_IMAGE_ROOTFS_task-image-ota = "${OTA_SYSROOT}"
IMAGE_TYPEDEP_ota = "ostreecommit"
do_image_ota[dirs] = "${OTA_SYSROOT}"
do_image_ota[cleandirs] = "${OTA_SYSROOT}"
do_image_ota[depends] = "${@'grub:do_populate_sysroot' if d.getVar('OSTREE_BOOTLOADER') == 'grub' else ''} \
${@'virtual/bootloader:do_deploy' if d.getVar('OSTREE_BOOTLOADER') == 'u-boot' else ''}"
IMAGE_CMD_ota () {
+ export OSTREE_BOOT_PARTITION=${OSTREE_BOOT_PARTITION}
ostree admin --sysroot=${OTA_SYSROOT} init-fs ${OTA_SYSROOT}
ostree admin --sysroot=${OTA_SYSROOT} os-init ${OSTREE_OSNAME}
mkdir -p ${OTA_SYSROOT}/boot/loader.0
diff --git a/external/meta-updater/classes/sota.bbclass b/external/meta-updater/classes/sota.bbclass
index bf27b6dd..c248cfc0 100644
--- a/external/meta-updater/classes/sota.bbclass
+++ b/external/meta-updater/classes/sota.bbclass
@@ -1,28 +1,12 @@
DISTROOVERRIDES .= "${@bb.utils.contains('DISTRO_FEATURES', 'sota', ':sota', '', d)}"
-HOSTTOOLS_NONFATAL += "java"
-
SOTA_CLIENT ??= "aktualizr"
SOTA_CLIENT_PROV ??= "aktualizr-shared-prov"
SOTA_DEPLOY_CREDENTIALS ?= "1"
SOTA_HARDWARE_ID ??= "${MACHINE}"
-# Translate old provisioning recipe names into the new versions.
-python () {
- prov = d.getVar("SOTA_CLIENT_PROV")
- if prov == "aktualizr-auto-prov":
- bb.warn('aktualizr-auto-prov is deprecated. Please use aktualizr-shared-prov instead.')
- d.setVar("SOTA_CLIENT_PROV", "aktualizr-shared-prov")
- elif prov == "aktualizr-ca-implicit-prov":
- bb.warn('aktualizr-ca-implicit-prov is deprecated. Please use aktualizr-device-prov instead.')
- d.setVar("SOTA_CLIENT_PROV", "aktualizr-device-prov")
- elif prov == "aktualizr-hsm-prov":
- bb.warn('aktualizr-hsm-prov is deprecated. Please use aktualizr-device-prov-hsm instead.')
- d.setVar("SOTA_CLIENT_PROV", "aktualizr-device-prov-hsm")
-}
-
IMAGE_INSTALL_append_sota = " ostree os-release ${SOTA_CLIENT} ${SOTA_CLIENT_PROV}"
-IMAGE_CLASSES += " image_types_ostree image_types_ota"
+IMAGE_CLASSES += " image_types_ostree image_types_ota image_repo_manifest"
IMAGE_FSTYPES += "${@bb.utils.contains('DISTRO_FEATURES', 'sota', 'ostreepush garagesign garagecheck ota-ext4 wic', ' ', d)}"
IMAGE_FSTYPES += "${@bb.utils.contains('BUILD_OSTREE_TARBALL', '1', 'ostree.tar.bz2', ' ', d)}"
@@ -38,11 +22,11 @@ EXTRA_IMAGEDEPENDS_append_sota = " parted-native mtools-native dosfstools-native
INITRAMFS_FSTYPES ?= "${@oe.utils.ifelse(d.getVar('OSTREE_BOOTLOADER') == 'u-boot', 'cpio.gz.u-boot', 'cpio.gz')}"
# Please redefine OSTREE_REPO in order to have a persistent OSTree repo
-export OSTREE_REPO ?= "${DEPLOY_DIR_IMAGE}/ostree_repo"
-export OSTREE_BRANCHNAME ?= "${SOTA_HARDWARE_ID}"
-export OSTREE_OSNAME ?= "poky"
-export OSTREE_BOOTLOADER ??= 'u-boot'
-export OSTREE_BOOT_PARTITION ??= "/boot"
+OSTREE_REPO ?= "${DEPLOY_DIR_IMAGE}/ostree_repo"
+OSTREE_BRANCHNAME ?= "${SOTA_HARDWARE_ID}"
+OSTREE_OSNAME ?= "poky"
+OSTREE_BOOTLOADER ??= 'u-boot'
+OSTREE_BOOT_PARTITION ??= "/boot"
INITRAMFS_IMAGE ?= "initramfs-ostree-image"
@@ -51,6 +35,9 @@ GARAGE_SIGN_KEYNAME ?= "garage-key"
GARAGE_TARGET_NAME ?= "${OSTREE_BRANCHNAME}"
GARAGE_TARGET_VERSION ?= ""
GARAGE_TARGET_URL ?= ""
+GARAGE_TARGET_EXPIRES ?= ""
+GARAGE_TARGET_EXPIRE_AFTER ?= ""
+GARAGE_CUSTOMIZE_TARGET ?= ""
SOTA_MACHINE ??="none"
SOTA_MACHINE_rpi ?= "raspberrypi"
@@ -63,4 +50,4 @@ SOTA_MACHINE_am335x-evm ?= "am335x-evm-wifi"
SOTA_OVERRIDES_BLACKLIST = "ostree ota"
SOTA_REQUIRED_VARIABLES = "OSTREE_REPO OSTREE_BRANCHNAME OSTREE_OSNAME OSTREE_BOOTLOADER OSTREE_BOOT_PARTITION GARAGE_SIGN_REPO GARAGE_TARGET_NAME"
-inherit sota_sanity sota_${SOTA_MACHINE} image_repo_manifest
+inherit sota_sanity sota_${SOTA_MACHINE}
diff --git a/external/meta-updater/classes/sota_bleeding.inc b/external/meta-updater/classes/sota_bleeding.inc
index fc5947de..77d004bf 100644
--- a/external/meta-updater/classes/sota_bleeding.inc
+++ b/external/meta-updater/classes/sota_bleeding.inc
@@ -1 +1,2 @@
SRCREV_pn-aktualizr ?= "${AUTOREV}"
+SRCREV_pn-aktualizr-native ?= "${AUTOREV}"
diff --git a/external/meta-updater/classes/sota_m3ulcb.bbclass b/external/meta-updater/classes/sota_m3ulcb.bbclass
index b93cc407..e7fa9c2f 100644
--- a/external/meta-updater/classes/sota_m3ulcb.bbclass
+++ b/external/meta-updater/classes/sota_m3ulcb.bbclass
@@ -1,11 +1,12 @@
# Commit united image to OSTree, not just uImage
OSTREE_KERNEL = "Image"
-EXTRA_IMAGEDEPENDS_append_sota = " m3ulcb-ota-bootfiles"
-IMAGE_BOOT_FILES_sota += "m3ulcb-ota-bootfiles/*"
+EXTRA_IMAGEDEPENDS_append_sota = " renesas-ota-bootfiles"
+IMAGE_BOOT_FILES_sota += "renesas-ota-bootfiles/*"
OSTREE_BOOTLOADER ?= "u-boot"
-UBOOT_MACHINE_sota = "m3ulcb_defconfig"
+
+UBOOT_MACHINE_sota = "${@d.getVar('SOC_FAMILY').split(':')[1]}_ulcb_defconfig"
PREFERRED_RPROVIDER_virtual/network-configuration ?= "connman"
IMAGE_INSTALL_append_sota = " virtual/network-configuration "
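Review bot: The new `UBOOT_MACHINE_sota` line evaluates `d.getVar('SOC_FAMILY').split(':')[1]` with no guard. Parsing this class therefore raises AttributeError when SOC_FAMILY is unset and IndexError when it holds a single field. The old value was the fixed string `m3ulcb_defconfig`, so a machine that inherits this class without a two-field SOC_FAMILY now fails with a Python traceback instead of a readable message. I would state the contract above the assignment, for example `# SOC_FAMILY must look like "<family>:<soc>"; the second field selects the U-Boot defconfig`. I would also move the lookup into a small helper that calls `bb.fatal` with that explanation when the field is missing.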
diff --git a/external/meta-updater/classes/sota_raspberrypi.bbclass b/external/meta-updater/classes/sota_raspberrypi.bbclass
index 69f09fd5..c901a70e 100644
--- a/external/meta-updater/classes/sota_raspberrypi.bbclass
+++ b/external/meta-updater/classes/sota_raspberrypi.bbclass
@@ -16,25 +16,55 @@ DEV_MATCH_DIRECTIVE_pn-networkd-dhcp-conf = "Driver=smsc95xx lan78xx"
IMAGE_INSTALL_append_sota = " virtual/network-configuration "
PREFERRED_PROVIDER_virtual/bootloader_sota ?= "u-boot"
-UBOOT_ENTRYPOINT_sota ?= "0x00008000"
+UBOOT_ENTRYPOINT_sota ?= "0x00080000"
IMAGE_FSTYPES_remove_sota = "rpi-sdimg"
OSTREE_BOOTLOADER ?= "u-boot"
+def make_dtb_boot_files(d):
+ # Generate IMAGE_BOOT_FILES entries for device tree files listed in
+ # KERNEL_DEVICETREE.
+ #
+ # This function was taken from conf/machine/include/rpi-base.inc in
+ # meta-raspberrypi
+ alldtbs = d.getVar('KERNEL_DEVICETREE')
+ imgtyp = d.getVar('KERNEL_IMAGETYPE')
+
+ def transform(dtb):
+ base = os.path.basename(dtb)
+ if dtb.endswith('dtb'):
+ return base
+ elif dtb.endswith('dtbo'):
+ return '{};{}'.format(base, dtb)
+
+ return ' '.join([transform(dtb) for dtb in alldtbs.split(' ') if dtb])
+
+IMAGE_BOOT_FILES_sota = "bcm2835-bootfiles/* \
+ u-boot.bin;${SDIMG_KERNELIMAGE} \
+ "
+
# OSTree puts its own boot.scr to bcm2835-bootfiles
-IMAGE_BOOT_FILES_sota = "bcm2835-bootfiles/* u-boot.bin;${SDIMG_KERNELIMAGE}"
+# raspberrypi4 needs dtb in /boot partition so that they can be read by the
+# firmware
+IMAGE_BOOT_FILES_append_sota_raspberrypi4 = "${@make_dtb_boot_files(d)}"
# Just the overlays that will be used should be listed
KERNEL_DEVICETREE_raspberrypi2_sota ?= " bcm2709-rpi-2-b.dtb "
KERNEL_DEVICETREE_raspberrypi3_sota ?= " bcm2710-rpi-3-b.dtb overlays/vc4-kms-v3d.dtbo overlays/rpi-ft5406.dtbo"
KERNEL_DEVICETREE_raspberrypi3-64_sota ?= " broadcom/bcm2710-rpi-3-b.dtb overlays/vc4-kms-v3d.dtbo overlays/vc4-fkms-v3d.dtbo overlays/rpi-ft5406.dtbo"
+KERNEL_DEVICETREE_raspberrypi4_sota ?= " bcm2711-rpi-4-b.dtb overlays/vc4-fkms-v3d.dtbo overlays/uart0-rpi4.dtbo"
+KERNEL_DEVICETREE_raspberrypi4-64_sota ?= " broadcom/bcm2711-rpi-4-b.dtb overlays/vc4-fkms-v3d.dtbo overlays/uart0-rpi4.dtbo"
SOTA_MAIN_DTB_raspberrypi2 ?= "bcm2709-rpi-2-b.dtb"
SOTA_MAIN_DTB_raspberrypi3 ?= "bcm2710-rpi-3-b.dtb"
SOTA_MAIN_DTB_raspberrypi3-64 ?= "broadcom_bcm2710-rpi-3-b.dtb"
+SOTA_MAIN_DTB_raspberrypi4_sota ?= "bcm2711-rpi-4-b.dtb"
+SOTA_MAIN_DTB_raspberrypi4-64_sota ?= "broadcom_bcm2711-rpi-4-b.dtb"
SOTA_DT_OVERLAYS_raspberrypi3 ?= "vc4-kms-v3d.dtbo rpi-ft5406.dtbo"
SOTA_DT_OVERLAYS_raspberrypi3-64 ?= "vc4-kms-v3d.dtbo vc4-fkms-v3d.dtbo rpi-ft5406.dtbo"
+SOTA_DT_OVERLAYS_raspberrypi4 ?= "vc4-fkms-v3d.dtbo uart0-rpi4.dtbo"
+SOTA_DT_OVERLAYS_raspberrypi4-64 ?= "vc4-fkms-v3d.dtbo uart0-rpi4.dtbo"
# Kernel args normally provided by RPi's internal bootloader. Non-updateable
OSTREE_KERNEL_ARGS_sota ?= " 8250.nr_uarts=1 bcm2708_fb.fbwidth=656 bcm2708_fb.fbheight=614 bcm2708_fb.fbswap=1 vc_mem.mem_base=0x3ec00000 vc_mem.mem_size=0x40000000 dwc_otg.lpm_enable=0 console=ttyS0,115200 usbhid.mousepoll=0 "
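Review bot: In `make_dtb_boot_files`, the inner `transform` returns None for any KERNEL_DEVICETREE entry that ends in neither `dtb` nor `dtbo`, and `' '.join(...)` then fails with a TypeError at parse time. `alldtbs.split(' ')` also fails if KERNEL_DEVICETREE is unset. Reading the variable as `alldtbs = d.getVar('KERNEL_DEVICETREE') or ''` and dropping or rejecting unrecognised entries before the join would make the failure explicit. Separately, `SOTA_MAIN_DTB_raspberrypi4_sota` and `SOTA_MAIN_DTB_raspberrypi4-64_sota` carry a `_sota` suffix that the raspberrypi2/3 lines beside them do not. If that is unintentional, the names should match their siblings so the same override rules apply.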
diff --git a/external/meta-updater/classes/sota_sanity.bbclass b/external/meta-updater/classes/sota_sanity.bbclass
index 8e80acbf..74973eb5 100644
--- a/external/meta-updater/classes/sota_sanity.bbclass
+++ b/external/meta-updater/classes/sota_sanity.bbclass
@@ -10,6 +10,52 @@ def sota_check_required_variables(status, d):
if not d.getVar(var):
status.addresult("%s should be set in your local.conf.\n" % var)
+def sota_check_variables_validity(status, d):
+ import re
+ import os.path
+
+ if d.getVar("OSTREE_BRANCHNAME") and re.match("^[a-zA-Z0-9._-]*$", d.getVar("OSTREE_BRANCHNAME")) is None:
+ status.addresult("OSTREE_BRANCHNAME Should only contain characters from the character set [a-zA-Z0-9._-].\n")
+ if d.getVar("SOTA_HARDWARE_ID") and re.match("^[a-zA-Z0-9._-]*$", d.getVar("SOTA_HARDWARE_ID")) is None:
+ status.addresult("SOTA_HARDWARE_ID Should only contain characters from the character set [a-zA-Z0-9._-].\n")
+ if d.getVar("SOTA_CLIENT_FEATURES") is not None:
+ for feat in d.getVar("SOTA_CLIENT_FEATURES").split(' '):
+ if feat not in ("hsm", "serialcan", "ubootenv", ""):
+ status.addresult("SOTA_CLIENT_FEATURES should only include hsm, serialcan and bootenv.\n")
+ break
+ if d.getVar("SOTA_CLIENT_PROV") is not None:
+ prov = d.getVar("SOTA_CLIENT_PROV").strip()
+ if prov not in ("aktualizr-shared-prov", "aktualizr-device-prov", "aktualizr-device-prov-hsm", ""):
+ status.addresult("Valid options for SOTA_CLIENT_PROV are aktualizr-shared-prov, aktualizr-device-prov and aktualizr-device-prov-hsm.\n")
+ if prov == "aktualizr-auto-prov":
+ bb.warn('aktualizr-auto-prov is deprecated. Please use aktualizr-shared-prov instead.')
+ elif prov == "aktualizr-ca-implicit-prov":
+ bb.warn('aktualizr-ca-implicit-prov is deprecated. Please use aktualizr-device-prov instead.')
+ elif prov == "aktualizr-hsm-prov":
+ bb.warn('aktualizr-hsm-prov is deprecated. Please use aktualizr-device-prov-hsm instead.')
+ if d.getVar("GARAGE_TARGET_URL") and re.match("^(https?|ftp|file)://.+$", d.getVar("GARAGE_TARGET_URL")) is None:
+ status.addresult("GARAGE_TARGET_URL is set to a bad url.\n")
+ if d.getVar("SOTA_POLLING_SEC") and re.match("^[1-9]\d*|0$", d.getVar("SOTA_POLLING_SEC")) is None:
+ status.addresult("SOTA_POLLING_SEC should be an integer.\n")
+ config = d.getVar("SOTA_SECONDARY_CONFIG")
+ if config is not None and config != "":
+ path = os.path.abspath(config)
+ if not os.path.exists(path):
+ status.addresult("SOTA_SECONDARY_CONFIG is not set correctly. The file containing JSON configuration for secondaries does not exist.\n")
+ credentials = d.getVar("SOTA_PACKED_CREDENTIALS")
+ if credentials is not None and credentials != "":
+ path = os.path.abspath(credentials)
+ if not os.path.exists(path):
+ status.addresult("SOTA_PACKED_CREDENTIALS is not set correctly. The zipped credentials file does not exist.\n")
+ if d.getVar("OSTREE_UPDATE_SUMMARY") and d.getVar("OSTREE_UPDATE_SUMMARY") not in ("0", "1", ""):
+ status.addresult("OSTREE_UPDATE_SUMMARY should be set to 0 or 1.\n")
+ if d.getVar("OSTREE_DEPLOY_DEVICETREE") and d.getVar("OSTREE_DEPLOY_DEVICETREE") not in ("0", "1", ""):
+ status.addresult("OSTREE_DEPLOY_DEVICETREE should be set to 0 or 1.\n")
+ if d.getVar("GARAGE_SIGN_AUTOVERSION") and d.getVar("GARAGE_SIGN_AUTOVERSION") not in ("0", "1", ""):
+ status.addresult("GARAGE_SIGN_AUTOVERSION should be set to 0 or 1.\n")
+ if d.getVar("SOTA_DEPLOY_CREDENTIALS") and d.getVar("SOTA_DEPLOY_CREDENTIALS") not in ("0", "1", ""):
+ status.addresult("SOTA_DEPLOY_CREDENTIALS should be set to 0 or 1.\n")
+
def sota_raise_sanity_error(msg, d):
if d.getVar("SANITY_USE_EVENTS") == "1":
bb.event.fire(bb.event.SanityCheckFailed(msg), d)
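Review bot: The SOTA_POLLING_SEC check in `sota_check_variables_validity` uses `re.match("^[1-9]\d*|0$", ...)`, where the alternation splits the anchors. Any value that merely starts with a non-zero digit, such as `5abc`, is accepted as an integer. Grouping the alternatives and using a raw string fixes it: `re.match(r"^(?:[1-9]\d*|0)$", d.getVar("SOTA_POLLING_SEC"))`. The SOTA_CLIENT_FEATURES error text names `bootenv` while the accepted tuple contains `ubootenv`, so the message should read `hsm, serialcan and ubootenv`. The deprecated provisioning names are not in the accepted tuple either, so they now produce the sanity error as well as the `bb.warn`; if a hard failure is intended, the warning branches are redundant.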
@@ -34,6 +80,7 @@ def sota_check_sanity(sanity_data):
sota_check_overrides(status, sanity_data)
sota_check_required_variables(status, sanity_data)
+ sota_check_variables_validity(status, sanity_data)
if status.messages != "":
sota_raise_sanity_error(sanity_data.expand(status.messages), sanity_data)
diff --git a/external/meta-updater/classes/target_version_example.bbclass b/external/meta-updater/classes/target_version_example.bbclass
index ef119fb2..c0b5aec3 100644
--- a/external/meta-updater/classes/target_version_example.bbclass
+++ b/external/meta-updater/classes/target_version_example.bbclass
@@ -1,7 +1,5 @@
# Writes target version to be used by garage-sign
-HOSTTOOLS += " git "
-
deploy_target_version () {
version=$(git --git-dir=${METADIR}/.repo/manifests/.git/ rev-parse HEAD)
echo -n ${version} > ${STAGING_DATADIR_NATIVE}/target_version
diff --git a/external/meta-updater/conf/distro/poky-sota-systemd.conf b/external/meta-updater/conf/distro/poky-sota-systemd.conf
index b30b322b..0dc50b0e 100644
--- a/external/meta-updater/conf/distro/poky-sota-systemd.conf
+++ b/external/meta-updater/conf/distro/poky-sota-systemd.conf
@@ -2,7 +2,7 @@ require conf/distro/poky.conf
require conf/distro/sota.conf.inc
-DISTRO = "poky-sota"
+DISTRO = "poky-sota-systemd"
DISTRO_NAME = "OTA-enabled Linux"
DISTRO_VERSION = "1.0"
DISTRO_CODENAME = "sota"
diff --git a/external/meta-updater/conf/distro/poky-sota.conf b/external/meta-updater/conf/distro/poky-sota.conf
index 3fb1d204..bfac90f8 100644
--- a/external/meta-updater/conf/distro/poky-sota.conf
+++ b/external/meta-updater/conf/distro/poky-sota.conf
@@ -5,3 +5,5 @@ DISTRO = "poky-sota"
DISTRO_NAME = "OTA-enabled Linux"
DISTRO_VERSION = "1.0"
DISTRO_CODENAME = "sota"
+
+IMAGE_INSTALL_append_sota = " ostree-booted"
diff --git a/external/meta-updater/conf/distro/sota.conf.inc b/external/meta-updater/conf/distro/sota.conf.inc
index f6111bfc..1d5f8df1 100644
--- a/external/meta-updater/conf/distro/sota.conf.inc
+++ b/external/meta-updater/conf/distro/sota.conf.inc
@@ -16,4 +16,5 @@ INHERIT += "reproducible_build_simple"
export SOURCE_DATE_EPOCH ?= "0"
REPRODUCIBLE_TIMESTAMP_ROOTFS ?= "0"
-HOSTTOOLS_append = " sync sha256sum"
+HOSTTOOLS += "git sync sha256sum"
+HOSTTOOLS_NONFATAL += "java repo python"
diff --git a/external/meta-updater/conf/include/bblayers/sota_raspberrypi3-64.inc b/external/meta-updater/conf/include/bblayers/sota_raspberrypi3-64.inc
index ea420bad..03f8f44b 100644
--- a/external/meta-updater/conf/include/bblayers/sota_raspberrypi3-64.inc
+++ b/external/meta-updater/conf/include/bblayers/sota_raspberrypi3-64.inc
@@ -1,2 +1,3 @@
+BBLAYERS += "${METADIR}/meta-openembedded/meta-python"
BBLAYERS += "${METADIR}/meta-updater-raspberrypi"
BBLAYERS += "${METADIR}/meta-raspberrypi"
diff --git a/external/meta-updater/conf/include/bblayers/sota_raspberrypi4-64.inc b/external/meta-updater/conf/include/bblayers/sota_raspberrypi4-64.inc
new file mode 100644
index 00000000..7e320af2
--- /dev/null
+++ b/external/meta-updater/conf/include/bblayers/sota_raspberrypi4-64.inc
@@ -0,0 +1,3 @@
+BBLAYERS += "${METADIR}/meta-updater-raspberrypi"
+BBLAYERS += "${METADIR}/meta-raspberrypi"
+BBLAYERS += "${METADIR}/meta-openembedded/meta-networking"
diff --git a/external/meta-updater/conf/include/bblayers/sota_raspberrypi4.inc b/external/meta-updater/conf/include/bblayers/sota_raspberrypi4.inc
new file mode 100644
index 00000000..7e320af2
--- /dev/null
+++ b/external/meta-updater/conf/include/bblayers/sota_raspberrypi4.inc
@@ -0,0 +1,3 @@
+BBLAYERS += "${METADIR}/meta-updater-raspberrypi"
+BBLAYERS += "${METADIR}/meta-raspberrypi"
+BBLAYERS += "${METADIR}/meta-openembedded/meta-networking"
diff --git a/external/meta-updater/conf/layer.conf b/external/meta-updater/conf/layer.conf
index 627a1b8a..39ea749f 100644
--- a/external/meta-updater/conf/layer.conf
+++ b/external/meta-updater/conf/layer.conf
@@ -9,5 +9,14 @@ BBFILE_COLLECTIONS += "sota"
BBFILE_PATTERN_sota = "^${LAYERDIR}/"
BBFILE_PRIORITY_sota = "7"
-LAYERDEPENDS_sota = "filesystems-layer"
+LAYERDEPENDS_sota = "openembedded-layer"
+LAYERDEPENDS_sota += "filesystems-layer"
LAYERSERIES_COMPAT_sota = "thud"
+
+SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \
+ aktualizr-device-prov->aktualizr \
+ aktualizr-device-prov-hsm->aktualizr \
+ aktualizr-shared-prov->aktualizr \
+ aktualizr-shared-prov-creds->aktualizr \
+ aktualizr-uboot-env-rollback->aktualizr \
+"
diff --git a/external/meta-updater/conf/local.conf.base.append b/external/meta-updater/conf/local.conf.base.append
new file mode 100644
index 00000000..36b2f59f
--- /dev/null
+++ b/external/meta-updater/conf/local.conf.base.append
@@ -0,0 +1,18 @@
+#
+# meta-updater configuration, see README.adoc and aktualizr's
+# documentation for more options and detailed documentation
+#
+
+MACHINE = "##MACHINE##"
+DISTRO = "##DISTRO##"
+
+# General SOTA setup
+#SOTA_CLIENT_PROV = "aktualizr-shared-prov"
+#SOTA_PACKED_CREDENTIALS = "/path/to/credentials.zip"
+
+# Uncomment this line to start an ssh server at boot automatically
+#IMAGE_FEATURES += "ssh-server-dropbear"
+
+# Uncomment this line to set the log level of aktualizr to 'debug' (from 'info'
+# by default)
+#IMAGE_INSTALL_append += " aktualizr-log-debug"
diff --git a/external/meta-updater/conf/local.conf.nonostree.append b/external/meta-updater/conf/local.conf.nonostree.append
new file mode 100644
index 00000000..0e63e988
--- /dev/null
+++ b/external/meta-updater/conf/local.conf.nonostree.append
@@ -0,0 +1,11 @@
+
+DISTRO_FEATURES_append = " systemd"
+VIRTUAL-RUNTIME_init_manager = "systemd"
+
+PREFERRED_RPROVIDER_virtual/network-configuration ??= "networkd-dhcp-conf"
+
+SOTA_DEPLOY_CREDENTIALS ?= "1"
+PACKAGECONFIG_pn-aktualizr = ""
+
+IMAGE_INSTALL_append += "aktualizr"
+IMAGE_INSTALL_append += "aktualizr-shared-prov"
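Review bot: The two `IMAGE_INSTALL_append += "..."` lines combine the `_append` override with the `+=` operator, a mix that only yields a correctly separated list because `+=` happens to insert a space. The spacing is also inconsistent across the commit: `"aktualizr"` here, `" aktualizr-shared-prov"` in the selftest configuration in updater_qemux86_64.py, and the commented template line in local.conf.base.append. A single assignment with an explicit leading space is easier to reason about: `IMAGE_INSTALL_append = " aktualizr aktualizr-shared-prov"`. The same form should be used at the other sites. A short comment above `SOTA_DEPLOY_CREDENTIALS ?= "1"` saying what ends up in the image would also help, since this file is copied into users' local.conf.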
diff --git a/external/meta-updater/conf/local.conf.sample.append b/external/meta-updater/conf/local.conf.systemd.append
index 4588ec3a..12e0182a 100644
--- a/external/meta-updater/conf/local.conf.sample.append
+++ b/external/meta-updater/conf/local.conf.systemd.append
@@ -1,23 +1,3 @@
-
-#
-# meta-updater configuration, see README.adoc and aktualizr's
-# documentation for more options and detailed documentation
-#
-
-MACHINE = "##MACHINE##"
-DISTRO = "poky-sota-systemd"
-
-# General SOTA setup
-#SOTA_CLIENT_PROV = "aktualizr-auto-prov"
-#SOTA_PACKED_CREDENTIALS = "/path/to/credentials.zip"
-
-# Uncomment this line to start an ssh server at boot automatically
-#IMAGE_FEATURES += "ssh-server-dropbear"
-
-# Uncomment this line to set the log level of aktualizr to 'debug' (from 'info'
-# by default)
-#IMAGE_INSTALL_append += " aktualizr-log-debug"
-
# Store systemd logs in persistent storage
#
# It greatly helps diagnosing issues on testing devices but should be
diff --git a/external/meta-updater/lib/oeqa/selftest/cases/testutils.py b/external/meta-updater/lib/oeqa/selftest/cases/testutils.py
index 8d618a68..3abfa5eb 100644
--- a/external/meta-updater/lib/oeqa/selftest/cases/testutils.py
+++ b/external/meta-updater/lib/oeqa/selftest/cases/testutils.py
@@ -33,6 +33,7 @@ def qemu_boot_image(imagename, **kwargs):
# subdirectory.
args.dir = 'tmp/deploy/images'
args.efi = kwargs.get('efi', False)
+ args.bootloader = kwargs.get('bootloader', None)
args.machine = kwargs.get('machine', None)
args.mem = kwargs.get('mem', '128M')
qemu_use_kvm = get_bb_var("QEMU_USE_KVM")
@@ -48,6 +49,7 @@ def qemu_boot_image(imagename, **kwargs):
args.overlay = kwargs.get('overlay', None)
args.dry_run = kwargs.get('dry_run', False)
args.secondary_network = kwargs.get('secondary_network', False)
+ args.uboot_enable = kwargs.get('uboot_enable', 'yes')
qemu = QemuCommand(args)
cmdline = qemu.command_line()
@@ -119,20 +121,29 @@ def verifyNotProvisioned(testInst, machine):
'Device already provisioned!? ' + stderr.decode() + stdout.decode())
-def verifyProvisioned(testInst, machine):
+def verifyProvisioned(testInst, machine, hwid=''):
# Verify that device HAS provisioned.
+ # First loop while waiting for the device to boot.
ran_ok = False
for delay in [5, 5, 5, 5, 10, 10, 10, 10]:
stdout, stderr, retcode = testInst.qemu_command('aktualizr-info')
- if retcode == 0 and stderr == b'' and stdout.decode().find('Fetched metadata: yes') >= 0:
+ if retcode == 0 and stderr == b'':
ran_ok = True
break
sleep(delay)
testInst.assertTrue(ran_ok, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
-
+ # Then wait for aktualizr to provision.
+ if stdout.decode().find('Fetched metadata: yes') < 0:
+ stdout, stderr, retcode = testInst.qemu_command('aktualizr-info --wait-until-provisioned')
+ testInst.assertFalse(retcode, 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
+ testInst.assertEqual(stderr, b'', 'aktualizr-info failed: ' + stderr.decode() + stdout.decode())
testInst.assertIn(b'Device ID: ', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode())
- testInst.assertIn(b'Primary ecu hardware ID: ' + machine.encode(), stdout,
- 'Provisioning failed: ' + stderr.decode() + stdout.decode())
+ if hwid == '':
+ testInst.assertIn(b'Primary ECU hardware ID: ' + machine.encode(), stdout,
+ 'Provisioning failed: ' + stderr.decode() + stdout.decode())
+ else:
+ testInst.assertIn(b'Primary ECU hardware ID: ' + hwid.encode(), stdout,
+ 'Provisioning failed: ' + stderr.decode() + stdout.decode())
testInst.assertIn(b'Fetched metadata: yes', stdout, 'Provisioning failed: ' + stderr.decode() + stdout.decode())
p = re.compile(r'Device ID: ([a-z0-9-]*)\n')
m = p.search(stdout.decode())
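Review bot: The new `if hwid == '':` / `else:` pair in `verifyProvisioned` repeats the same `assertIn` call with only the expected identifier changed. Computing the identifier once reads better: `expected_hwid = hwid or machine`, followed by a single `testInst.assertIn(b'Primary ECU hardware ID: ' + expected_hwid.encode(), stdout, ...)`. The blocking `aktualizr-info --wait-until-provisioned` call is also issued without an explicit timeout, while `get_info` in updater_qemux86_64.py passes `timeout=620` for the same command. Whether `qemu_command` has a suitable default is not visible here, so it is worth confirming that a device which never provisions fails the test rather than stalling it. The function continues past the end of this hunk.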
diff --git a/external/meta-updater/lib/oeqa/selftest/cases/updater_qemux86_64.py b/external/meta-updater/lib/oeqa/selftest/cases/updater_qemux86_64.py
index 2b4726cb..08220f4e 100644
--- a/external/meta-updater/lib/oeqa/selftest/cases/updater_qemux86_64.py
+++ b/external/meta-updater/lib/oeqa/selftest/cases/updater_qemux86_64.py
@@ -85,6 +85,7 @@ class SharedCredProvTests(OESelftestTestCase):
self.append_config('MACHINE = "qemux86-64"')
self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "')
self.append_config('IMAGE_FSTYPES_remove = "ostreepush garagesign garagecheck"')
+ self.append_config('SOTA_HARDWARE_ID = "plain_reibekuchen_314"')
self.qemu, self.s = qemu_launch(machine='qemux86-64')
def tearDownLocal(self):
@@ -107,7 +108,34 @@ class SharedCredProvTests(OESelftestTestCase):
self.assertEqual(value, machine,
'MACHINE does not match hostname: ' + machine + ', ' + value)
- verifyProvisioned(self, machine)
+ hwid = get_bb_var('SOTA_HARDWARE_ID')
+ verifyProvisioned(self, machine, hwid)
+
+
+class SharedCredProvTestsNonOSTree(SharedCredProvTests):
+
+ def setUpLocal(self):
+ layer = "meta-updater-qemux86-64"
+ result = runCmd('bitbake-layers show-layers')
+ if re.search(layer, result.output) is None:
+ self.meta_qemu = metadir() + layer
+ runCmd('bitbake-layers add-layer "%s"' % self.meta_qemu)
+ else:
+ self.meta_qemu = None
+ self.append_config('MACHINE = "qemux86-64"')
+ self.append_config('SOTA_CLIENT_PROV = ""')
+ self.append_config('IMAGE_FSTYPES_remove = "ostreepush garagesign garagecheck"')
+ self.append_config('SOTA_HARDWARE_ID = "plain_reibekuchen_314"')
+
+ self.append_config('DISTRO = "poky"')
+ self.append_config('DISTRO_FEATURES_append = " systemd"')
+ self.append_config('VIRTUAL-RUNTIME_init_manager = "systemd"')
+ self.append_config('PREFERRED_RPROVIDER_virtual/network-configuration ??= "networkd-dhcp-conf"')
+ self.append_config('PACKAGECONFIG_pn-aktualizr = ""')
+ self.append_config('SOTA_DEPLOY_CREDENTIALS = "1"')
+ self.append_config('IMAGE_INSTALL_append += "aktualizr"')
+ self.append_config('IMAGE_INSTALL_append += " aktualizr-shared-prov"')
+ self.qemu, self.s = qemu_launch(machine='qemux86-64', uboot_enable='no')
class ManualControlTests(OESelftestTestCase):
@@ -358,17 +386,7 @@ class IpSecondaryTests(OESelftestTestCase):
self._test_ctx.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "')
def is_ecu_registered(self, ecu_id):
- max_number_of_tries = 40
- try_counter = 0
-
- # aktualizr-info is not always able to load ECU serials from DB
- # so, let's run it a few times until it actually succeeds
- while try_counter < max_number_of_tries:
- device_status = self.get_info()
- try_counter += 1
- if device_status.find("load ECU serials") == -1:
- break
- sleep(1)
+ device_status = self.get_info()
if not ((device_status.find(ecu_id[0]) != -1) and (device_status.find(ecu_id[1]) != -1)):
return False
@@ -377,7 +395,7 @@ class IpSecondaryTests(OESelftestTestCase):
return not_reg_start == -1 or (device_status.find(ecu_id[1], not_reg_start) == -1)
def get_info(self):
- stdout, stderr, retcode = self.send_command('aktualizr-info')
+ stdout, stderr, retcode = self.send_command('aktualizr-info --wait-until-provisioned', timeout=620)
self._test_ctx.assertEqual(retcode, 0, 'Unable to run aktualizr-info: {}'.format(stderr))
return stdout
@@ -473,4 +491,40 @@ class ResourceControlTests(OESelftestTestCase):
stdout, stderr, retcode = self.qemu_command('systemctl --no-pager show --property=ExecMainStatus aktualizr')
self.assertIn(b'ExecMainStatus=0', stdout, 'Aktualizr did not restart')
+
+class NonSystemdTests(OESelftestTestCase):
+ def setUpLocal(self):
+ layer = "meta-updater-qemux86-64"
+ result = runCmd('bitbake-layers show-layers')
+ if re.search(layer, result.output) is None:
+ self.meta_qemu = metadir() + layer
+ runCmd('bitbake-layers add-layer "%s"' % self.meta_qemu)
+ else:
+ self.meta_qemu = None
+ self.append_config('MACHINE = "qemux86-64"')
+ self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "')
+ self.append_config('IMAGE_FSTYPES_remove = "ostreepush garagesign garagecheck"')
+ self.append_config('DISTRO = "poky-sota"')
+ self.append_config('IMAGE_INSTALL_remove += " aktualizr-resource-control"')
+ self.qemu, self.s = qemu_launch(machine='qemux86-64')
+
+ def tearDownLocal(self):
+ qemu_terminate(self.s)
+ if self.meta_qemu:
+ runCmd('bitbake-layers remove-layer "%s"' % self.meta_qemu, ignore_status=True)
+
+ def qemu_command(self, command):
+ return qemu_send_command(self.qemu.ssh_port, command)
+
+ def test_provisioning(self):
+ print('Checking if systemd is not installed...')
+ stdout, stderr, retcode = self.qemu_command('systemctl')
+ self.assertTrue(retcode != 0, 'systemd is installed while it is not supposed to: ' + str(stdout))
+
+ stdout, stderr, retcode = self.qemu_command('aktualizr --run-mode once')
+ self.assertEqual(retcode, 0, 'Failed to run aktualizr: ' + str(stdout) + str(stderr))
+
+ machine = get_bb_var('MACHINE', 'core-image-minimal')
+ verifyProvisioned(self, machine)
+
# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/external/meta-updater/lib/oeqa/selftest/cases/updater_raspberrypi.py b/external/meta-updater/lib/oeqa/selftest/cases/updater_raspberrypi.py
index 26d5c4c6..25c5f12e 100644
--- a/external/meta-updater/lib/oeqa/selftest/cases/updater_raspberrypi.py
+++ b/external/meta-updater/lib/oeqa/selftest/cases/updater_raspberrypi.py
@@ -35,26 +35,10 @@ class RpiTests(OESelftestTestCase):
else:
self.meta_upd_rpi = None
- # This is trickier that I would've thought. The fundamental problem is
- # that the qemu layer changes the u-boot file extension to .rom, but
- # raspberrypi still expects .bin. To prevent this, the qemu layer must
- # be temporarily removed if it is present. It has to be removed by name
- # without the complete path, but to add it back when we are done, we
- # need the full path.
- p = re.compile(r'meta-updater-qemux86-64\s*(\S*meta-updater-qemux86-64)\s')
- m = p.search(result.output)
- if m and m.lastindex > 0:
- self.meta_qemu = m.group(1)
- runCmd('bitbake-layers remove-layer meta-updater-qemux86-64')
- else:
- self.meta_qemu = None
-
self.append_config('MACHINE = "raspberrypi3"')
self.append_config('SOTA_CLIENT_PROV = " aktualizr-shared-prov "')
def tearDownLocal(self):
- if self.meta_qemu:
- runCmd('bitbake-layers add-layer "%s"' % self.meta_qemu, ignore_status=True)
if self.meta_upd_rpi:
runCmd('bitbake-layers remove-layer "%s"' % self.meta_upd_rpi, ignore_status=True)
if self.meta_rpi:
diff --git a/external/meta-updater/recipes-connectivity/connman/connman_1.35.bbappend b/external/meta-updater/recipes-connectivity/connman/connman_1.35.bbappend
new file mode 100644
index 00000000..08ec8326
--- /dev/null
+++ b/external/meta-updater/recipes-connectivity/connman/connman_1.35.bbappend
@@ -0,0 +1,6 @@
+RPROVIDES_${PN} += "virtual/network-configuration"
+
+# patch to not create the resolv.conf symlink at run-time, as it's already
+# handled in the recipe and messes up with ostree
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI += "file://0001-tmpfiles-script-do-not-create-the-resolv.conf-symlin.patch"
diff --git a/external/meta-updater/recipes-connectivity/connman/files/0001-tmpfiles-script-do-not-create-the-resolv.conf-symlin.patch b/external/meta-updater/recipes-connectivity/connman/files/0001-tmpfiles-script-do-not-create-the-resolv.conf-symlin.patch
new file mode 100644
index 00000000..9b4a78c9
--- /dev/null
+++ b/external/meta-updater/recipes-connectivity/connman/files/0001-tmpfiles-script-do-not-create-the-resolv.conf-symlin.patch
@@ -0,0 +1,22 @@
+From 9e724a61f015304c9d72d829a66178d20e3fa980 Mon Sep 17 00:00:00 2001
+From: Laurent Bonnans <laurent.bonnans@here.com>
+Date: Wed, 31 Jul 2019 18:15:47 +0200
+Subject: [PATCH] tmpfiles script: do not create the resolv.conf symlink
+
+It's handled by yocto in our case
+
+Signed-off-by: Laurent Bonnans <laurent.bonnans@here.com>
+---
+ scripts/connman_resolvconf.conf.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/scripts/connman_resolvconf.conf.in b/scripts/connman_resolvconf.conf.in
+index 2d61dfe1..8a7d3071 100644
+--- a/scripts/connman_resolvconf.conf.in
++++ b/scripts/connman_resolvconf.conf.in
+@@ -1,2 +1 @@
+ d @runstatedir@/connman - - - -
+-L+ /etc/resolv.conf - - - - @runstatedir@/connman/resolv.conf
+--
+2.20.1
+
diff --git a/external/meta-updater/recipes-connectivity/networkd-dhcp-conf/files/clean-connman-symlink.service b/external/meta-updater/recipes-connectivity/networkd-dhcp-conf/files/clean-connman-symlink.service
new file mode 100644
index 00000000..8af82637
--- /dev/null
+++ b/external/meta-updater/recipes-connectivity/networkd-dhcp-conf/files/clean-connman-symlink.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Clean up bogus symlinked resolv.conf
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/resolvconf-clean
+
+[Install]
+WantedBy=multi-user.target
diff --git a/external/meta-updater/recipes-connectivity/networkd-dhcp-conf/files/resolvconf-clean b/external/meta-updater/recipes-connectivity/networkd-dhcp-conf/files/resolvconf-clean
new file mode 100644
index 00000000..89c7e905
--- /dev/null
+++ b/external/meta-updater/recipes-connectivity/networkd-dhcp-conf/files/resolvconf-clean
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -e
+
+if [ ! -L /etc/resolv.conf ]; then
+ exit 0
+fi
+
+# 'readlink -f' will fail if the symlink doesn't resolve to an existing path
+if readlink /etc/resolv.conf | grep -q connman; then
+ echo "Replacing resolv.conf symlink: $(readlink /etc/resolv.conf) to /etc/resolv-conf.systemd"
+ rm /etc/resolv.conf
+ ln -s /etc/resolv-conf.systemd /etc/resolv.conf
+fi
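Review bot: The replacement at the end of the script runs `rm /etc/resolv.conf` and `ln -s ...` as separate commands under `set -e`. If the `ln` fails, the unit exits with the old link already removed and no resolv.conf in place. A single `ln -sf /etc/resolv-conf.systemd /etc/resolv.conf` narrows that window and drops the separate `rm`. The `grep -q connman` test matches the substring anywhere in the link target. Matching the specific path the connman tmpfiles entry creates would avoid rewriting an unrelated link whose target happens to contain that word.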
diff --git a/external/meta-updater/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb b/external/meta-updater/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
index 0700ac6e..40a39582 100644
--- a/external/meta-updater/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
+++ b/external/meta-updater/recipes-connectivity/networkd-dhcp-conf/networkd-dhcp-conf.bb
@@ -4,25 +4,41 @@ interfaces through systemd-networkd"
LICENSE = "MPL-2.0"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
-inherit allarch systemd
+inherit systemd
RPROVIDES_${PN} = "virtual/network-configuration"
-SRC_URI_append = " file://20-wired-dhcp.network"
+SRC_URI = " \
+ file://20-wired-dhcp.network \
+ file://resolvconf-clean \
+ file://clean-connman-symlink.service \
+ "
PR = "r1"
-RDEPENDS_${PN} = "systemd"
+REQUIRED_DISTRO_FEATURES_${PN} = "systemd"
+RCONFLICTS_${PN} = "connman"
S = "${WORKDIR}"
PACKAGE_ARCH = "${MACHINE_ARCH}"
-FILES_${PN} = "${systemd_unitdir}/network/*"
+FILES_${PN} = " \
+ ${systemd_unitdir}/network/* \
+ ${sbindir}/resolvconf-clean \
+ ${systemd_unitdir}/system/clean-connman-symlink.service \
+ "
+
+SYSTEMD_SERVICE_${PN} = "clean-connman-symlink.service"
DEV_MATCH_DIRECTIVE ?= "Name=en*"
do_install() {
install -d ${D}/${systemd_unitdir}/network
- install -m 0644 ${WORKDIR}/20-wired-dhcp.network ${D}/${systemd_unitdir}/network
+ install -m 0644 ${WORKDIR}/20-wired-dhcp.network ${D}${systemd_unitdir}/network
sed -i -e 's|@MATCH_DIRECTIVE@|${DEV_MATCH_DIRECTIVE}|g' ${D}${systemd_unitdir}/network/20-wired-dhcp.network
+
+ install -d ${D}${sbindir}
+ install -m 0755 ${WORKDIR}/resolvconf-clean ${D}${sbindir}/resolvconf-clean
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/clean-connman-symlink.service ${D}${systemd_unitdir}/system/clean-connman-symlink.service
}
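Review bot: `REQUIRED_DISTRO_FEATURES_${PN} = "systemd"` replaces the `RDEPENDS_${PN} = "systemd"` line, but it is unlikely to enforce anything as written. REQUIRED_DISTRO_FEATURES is a recipe-level variable that is only checked when the recipe inherits `distro_features_check`, and the visible inherit line lists only `systemd`. The recipe header above this hunk is not shown, so this needs confirming against the full file. If the check is wanted, use `inherit systemd distro_features_check` together with `REQUIRED_DISTRO_FEATURES = "systemd"`. Otherwise the recipe has lost its runtime dependency on systemd with no build-time guard replacing it, while it now installs a systemd unit.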
diff --git a/external/meta-updater/recipes-connectivity/zabbix/zabbix_%.bbappend b/external/meta-updater/recipes-connectivity/zabbix/zabbix_%.bbappend
new file mode 100644
index 00000000..c6a69b5b
--- /dev/null
+++ b/external/meta-updater/recipes-connectivity/zabbix/zabbix_%.bbappend
@@ -0,0 +1,20 @@
+
+do_install_append() {
+
+ # Set the zabbix Server
+ if [ ! -z ${SOTA_COMM_CONF_ZABBIX_SERVER} ]; then
+ sed -i "s/Server=\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/Server=${SOTA_COMM_CONF_ZABBIX_SERVER}/g" ${D}${sysconfdir}/zabbix_agentd.conf
+ if ! grep -Fxq "Server=${SOTA_COMM_CONF_ZABBIX_SERVER}" ${D}${sysconfdir}/zabbix_agentd.conf; then
+ echo -e '\nServer='${SOTA_COMM_CONF_ZABBIX_SERVER} >> ${D}${sysconfdir}/zabbix_agentd.conf
+ fi
+ fi
+
+ # Set ServerActive
+ if [ ! -z ${SOTA_COMM_CONF_ZABBIX_SERVERACTIVE} ]; then
+ sed -i "s/ServerActive=\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/ServerActive=${SOTA_COMM_CONF_ZABBIX_SERVERACTIVE}/g" ${D}${sysconfdir}/zabbix_agentd.conf
+ if ! grep -Fxq "ServerActive=${SOTA_COMM_CONF_ZABBIX_SERVERACTIVE}" ${D}${sysconfdir}/zabbix_agentd.conf; then
+ echo -e '\nServerActive='${SOTA_COMM_CONF_ZABBIX_SERVERACTIVE} >> ${D}${sysconfdir}/zabbix_agentd.conf
+ fi
+
+ fi
+}
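Review bot: In `do_install_append`, both variables are pasted unquoted into `[ ! -z ... ]` and into a `/`-delimited sed replacement. A value containing a space breaks the test, and a value containing `/` or `&` (for example a CIDR range) corrupts or aborts the substitution. These settings decide which hosts the agent accepts connections from and reports to, so a malformed result should fail the build, not leave a half-edited zabbix_agentd.conf. I would quote the test as `if [ -n "${SOTA_COMM_CONF_ZABBIX_SERVER}" ]; then`, switch sed to a delimiter that cannot occur in the value, and replace `echo -e` with `printf '\nServer=%s\n' "${SOTA_COMM_CONF_ZABBIX_SERVER}"`, since `echo -e` is not portable across `/bin/sh` implementations. The same three changes apply to the ServerActive block. The sed pattern also only rewrites dotted-quad addresses, so the fallback append is the path taken whenever the shipped file uses a hostname.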
diff --git a/external/meta-updater/recipes-core/images/initramfs-ostree-image.bb b/external/meta-updater/recipes-core/images/initramfs-ostree-image.bb
index e77499e2..936c59a0 100644
--- a/external/meta-updater/recipes-core/images/initramfs-ostree-image.bb
+++ b/external/meta-updater/recipes-core/images/initramfs-ostree-image.bb
@@ -13,8 +13,13 @@ IMAGE_LINGUAS = ""
LICENSE = "MIT"
+IMAGE_CLASSES_remove = "image_repo_manifest"
+
IMAGE_FSTYPES = "${INITRAMFS_FSTYPES}"
+# Avoid circular dependencies
+EXTRA_IMAGEDEPENDS = ""
+
inherit core-image
IMAGE_ROOTFS_SIZE = "8192"
@@ -25,5 +30,3 @@ IMAGE_ROOTFS_EXTRA_SPACE = "0"
IMAGE_OVERHEAD_FACTOR = "1.0"
BAD_RECOMMENDATIONS += "busybox-syslog"
-
-
diff --git a/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb b/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
deleted file mode 100644
index 6e02a501..00000000
--- a/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-creds.bb
+++ /dev/null
@@ -1,60 +0,0 @@
-SUMMARY = "Credentials for device provisioning with fleet CA certificate"
-HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
-SECTION = "base"
-LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
-
-inherit allarch
-
-# WARNING: it is NOT a production solution. The secure way to provision devices
-# is to create certificate request directly on the device (either with HSM/TPM
-# or with software) and then sign it with a CA stored on a disconnected machine.
-
-DEPENDS = "aktualizr aktualizr-native"
-ALLOW_EMPTY_${PN} = "1"
-
-SRC_URI = " \
- file://ca.cnf \
- "
-
-require credentials.inc
-
-export SOTA_CACERT_PATH
-export SOTA_CAKEY_PATH
-
-do_install() {
- if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
- if [ -z ${SOTA_CACERT_PATH} ]; then
- SOTA_CACERT_PATH=${DEPLOY_DIR_IMAGE}/CA/cacert.pem
- SOTA_CAKEY_PATH=${DEPLOY_DIR_IMAGE}/CA/ca.private.pem
- mkdir -p ${DEPLOY_DIR_IMAGE}/CA
- bbwarn "SOTA_CACERT_PATH is not specified, use default one at ${SOTA_CACERT_PATH}"
-
- if [ ! -f ${SOTA_CACERT_PATH} ]; then
- bbwarn "${SOTA_CACERT_PATH} does not exist, generate a new CA"
- SOTA_CACERT_DIR_PATH="$(dirname "${SOTA_CACERT_PATH}")"
- openssl genrsa -out ${SOTA_CACERT_DIR_PATH}/ca.private.pem 4096
- openssl req -key ${SOTA_CACERT_DIR_PATH}/ca.private.pem -new -x509 -days 7300 -out ${SOTA_CACERT_PATH} -subj "/C=DE/ST=Berlin/O=Reis und Kichererbsen e.V/commonName=meta-updater" -batch -config ${WORKDIR}/ca.cnf -extensions cacert
- bbwarn "${SOTA_CACERT_PATH} has been created, you'll need to upload it to the server"
- fi
- fi
-
- if [ -z ${SOTA_CAKEY_PATH} ]; then
- bbfatal "SOTA_CAKEY_PATH should be set when using device credential provisioning"
- fi
-
- install -m 0700 -d ${D}${localstatedir}/sota
- aktualizr-cert-provider --credentials ${SOTA_PACKED_CREDENTIALS} \
- --fleet-ca ${SOTA_CACERT_PATH} \
- --fleet-ca-key ${SOTA_CAKEY_PATH} \
- --root-ca \
- --server-url \
- --local ${D} \
- --config ${STAGING_DIR_HOST}${libdir}/sota/sota-device-cred.toml
- fi
-}
-
-FILES_${PN} = " \
- ${localstatedir}/sota/*"
-
-# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb b/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
index c3cd593b..8f28c03b 100644
--- a/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
+++ b/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov-hsm.bb
@@ -7,14 +7,16 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
inherit allarch
-DEPENDS = "aktualizr aktualizr-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds softhsm-testtoken' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
+# We need to get the config files from the aktualizr-host-tools package built by
+# the aktualizr (target) recipe.
+DEPENDS = "aktualizr"
-SRC_URI = ""
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
PV = "1.0"
-PR = "6"
+PR = "7"
-require credentials.inc
+SRC_URI = ""
do_install() {
install -m 0700 -d ${D}${libdir}/sota/conf.d
diff --git a/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov.bb b/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov.bb
index d5795324..55f398d6 100644
--- a/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov.bb
+++ b/external/meta-updater/recipes-sota/aktualizr/aktualizr-device-prov.bb
@@ -7,13 +7,16 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
inherit allarch
-DEPENDS = "aktualizr aktualizr-native openssl-native"
-RDEPENDS_${PN}_append = "${@' aktualizr-device-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
+# We need to get the config files from the aktualizr-host-tools package built by
+# the aktualizr (target) recipe.
+DEPENDS = "aktualizr"
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
PV = "1.0"
PR = "1"
-require credentials.inc
+SRC_URI = ""
do_install() {
install -m 0700 -d ${D}${libdir}/sota/conf.d
diff --git a/external/meta-updater/recipes-sota/aktualizr/aktualizr-hwid.bb b/external/meta-updater/recipes-sota/aktualizr/aktualizr-hwid.bb
new file mode 100644
index 00000000..fd3e3953
--- /dev/null
+++ b/external/meta-updater/recipes-sota/aktualizr/aktualizr-hwid.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Aktualizr hwid configuration"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+# Because of the dependency on MACHINE.
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+SRC_URI = ""
+
+do_install() {
+ install -m 0700 -d ${D}${libdir}/sota/conf.d
+ if [ -n "${SOTA_HARDWARE_ID}" ]; then
+ printf "[provision]\nprimary_ecu_hardware_id = ${SOTA_HARDWARE_ID}\n" > ${D}${libdir}/sota/conf.d/40-hardware-id.toml
+ fi
+}
+
+FILES_${PN} = " \
+ ${libdir}/sota/conf.d \
+ ${libdir}/sota/conf.d/40-hardware-id.toml \
+ "
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
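Review bot: In do_install, `${SOTA_HARDWARE_ID}` is expanded inside the printf format string, so a `%` or backslash in the hardware id would be interpreted as a directive instead of being written out. Passing it as an argument keeps the value literal: `printf '[provision]\nprimary_ecu_hardware_id = %s\n' "${SOTA_HARDWARE_ID}" > ${D}${libdir}/sota/conf.d/40-hardware-id.toml`. When the variable is empty no file is written although FILES_${PN} lists it; a one-line comment saying the package then intentionally holds only the empty conf.d directory would help.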
diff --git a/external/meta-updater/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb b/external/meta-updater/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb
index dbb5fde5..9c6f0dd4 100644
--- a/external/meta-updater/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb
+++ b/external/meta-updater/recipes-sota/aktualizr/aktualizr-shared-prov-creds.bb
@@ -6,22 +6,32 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
inherit allarch
-DEPENDS = "aktualizr-native zip-native"
+DEPENDS = "zip-native"
ALLOW_EMPTY_${PN} = "1"
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
+PV = "1.0"
+PR = "1"
+
+SRC_URI = ""
+
require credentials.inc
do_install() {
if [ -n "${SOTA_PACKED_CREDENTIALS}" ]; then
install -m 0700 -d ${D}${localstatedir}/sota
- cp "${SOTA_PACKED_CREDENTIALS}" ${D}${localstatedir}/sota/sota_provisioning_credentials.zip
- # Device should not be able to push data to treehub
- zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip treehub.json
- # Device has no use for the API Gateway. Remove if present. See:
- # https://github.com/advancedtelematic/ota-plus-server/pull/1913/
- if unzip -l ${D}${localstatedir}/sota/sota_provisioning_credentials.zip api_gateway.url > /dev/null; then
- zip -d ${D}${localstatedir}/sota/sota_provisioning_credentials.zip api_gateway.url
- fi
+ # root.json contains the root metadata for bootstrapping the Uptane metadata verification process.
+ # autoprov.url has the URL to the device gateway on the server, which is where we send most of our requests.
+ # autoprov_credentials.p12 contains the shared provisioning credentials.
+ for var in root.json autoprov.url autoprov_credentials.p12; do
+ if unzip -l "${SOTA_PACKED_CREDENTIALS}" $var > /dev/null; then
+ unzip "${SOTA_PACKED_CREDENTIALS}" $var -d ${T}
+ zip -mj -q ${D}${localstatedir}/sota/sota_provisioning_credentials.zip ${T}/$var
+ else
+ bbwarn "$var is missing from credentials.zip"
+ fi
+ done
fi
}
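Review bot: The loop extracts `autoprov_credentials.p12` in cleartext into `${T}` and relies on `zip -m` to delete it afterwards, so a failure between the two commands leaves the provisioning credential in the task's temp directory. A later run can then stop at unzip's overwrite prompt. `unzip -o -q "${SOTA_PACKED_CREDENTIALS}" "$var" -d "${T}"` with an `rm -f "${T}/$var"` after the zip step would make this deterministic. A missing member is only a `bbwarn`; for `autoprov_credentials.p12` that presumably yields an image that cannot provision, so `bbfatal` may be the better choice for that entry.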
diff --git a/external/meta-updater/recipes-sota/aktualizr/aktualizr-shared-prov.bb b/external/meta-updater/recipes-sota/aktualizr/aktualizr-shared-prov.bb
index d3d6f165..2ee47a16 100644
--- a/external/meta-updater/recipes-sota/aktualizr/aktualizr-shared-prov.bb
+++ b/external/meta-updater/recipes-sota/aktualizr/aktualizr-shared-prov.bb
@@ -7,15 +7,18 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
inherit allarch
-DEPENDS = "aktualizr-native zip-native"
+# We need to get the config files from the aktualizr-host-tools package built by
+# the aktualizr (target) recipe.
+DEPENDS = "aktualizr"
RDEPENDS_${PN}_append = "${@' aktualizr-shared-prov-creds' if d.getVar('SOTA_DEPLOY_CREDENTIALS') == '1' else ''}"
+
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
PV = "1.0"
PR = "6"
SRC_URI = ""
-require credentials.inc
-
do_install() {
if [ -n "${SOTA_AUTOPROVISION_CREDENTIALS}" ]; then
bbwarn "SOTA_AUTOPROVISION_CREDENTIALS are ignored. Please use SOTA_PACKED_CREDENTIALS"
@@ -31,7 +34,7 @@ do_install() {
fi
install -m 0700 -d ${D}${libdir}/sota/conf.d
- install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota-shared-cred.toml \
+ install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-shared-cred.toml \
${D}${libdir}/sota/conf.d/20-sota-shared-cred.toml
}
diff --git a/external/meta-updater/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb b/external/meta-updater/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
index 860f225c..2895e5c4 100644
--- a/external/meta-updater/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
+++ b/external/meta-updater/recipes-sota/aktualizr/aktualizr-uboot-env-rollback.bb
@@ -6,14 +6,18 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
inherit allarch
-DEPENDS = "aktualizr-native"
-RDEPENDS_${PN} = "aktualizr"
+DEPENDS = "aktualizr"
+
+# If the config file from aktualizr used here is changed, you will need to bump
+# the version here because of SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS!
+PV = "1.0"
+PR = "1"
SRC_URI = ""
do_install() {
install -m 0700 -d ${D}${libdir}/sota/conf.d
- install -m 0644 ${STAGING_DIR_NATIVE}${libdir}/sota/sota-uboot-env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml
+ install -m 0644 ${STAGING_DIR_HOST}${libdir}/sota/sota-uboot-env.toml ${D}${libdir}/sota/conf.d/30-rollback.toml
}
FILES_${PN} = " \
diff --git a/external/meta-updater/recipes-sota/aktualizr/aktualizr_git.bb b/external/meta-updater/recipes-sota/aktualizr/aktualizr_git.bb
index 5de341e4..20dd4237 100644
--- a/external/meta-updater/recipes-sota/aktualizr/aktualizr_git.bb
+++ b/external/meta-updater/recipes-sota/aktualizr/aktualizr_git.bb
@@ -3,35 +3,36 @@ DESCRIPTION = "SOTA Client application written in C++"
HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
SECTION = "base"
LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=9741c346eef56131163e13b9db1241b3"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=815ca599c9df247a0c7f619bab123dad"
DEPENDS = "boost curl openssl libarchive libsodium sqlite3 asn1c-native"
DEPENDS_append = "${@bb.utils.contains('PTEST_ENABLED', '1', ' coreutils-native net-tools-native ostree-native aktualizr-native ', '', d)}"
-RDEPENDS_${PN}_class-target = "aktualizr-configs lshw"
-RDEPENDS_${PN}-host-tools = "aktualizr aktualizr-repo aktualizr-cert-provider ${@bb.utils.contains('PACKAGECONFIG', 'sota-tools', 'garage-deploy garage-push', '', d)}"
+RDEPENDS_${PN}_class-target = "${PN}-configs ${PN}-hwid lshw"
+RDEPENDS_${PN}-host-tools = "aktualizr aktualizr-cert-provider ${@bb.utils.contains('PACKAGECONFIG', 'sota-tools', 'garage-deploy garage-push', '', d)}"
RDEPENDS_${PN}-ptest += "bash cmake curl python3-misc python3-modules openssl-bin sqlite3 valgrind"
+PRIVATE_LIBS_${PN}-ptest = "libaktualizr.so libaktualizr_secondary.so"
+
PV = "1.0+git${SRCPV}"
PR = "7"
-GARAGE_SIGN_PV = "0.7.0-3-gf5ba640"
+GARAGE_SIGN_PV = "0.7.0-87-g905dc3c"
SRC_URI = " \
- gitsm://github.com/advancedtelematic/aktualizr;branch=${BRANCH} \
+ gitsm://github.com/advancedtelematic/aktualizr;branch=${BRANCH};name=aktualizr \
file://run-ptest \
file://aktualizr.service \
file://aktualizr-secondary.service \
file://aktualizr-serialcan.service \
file://10-resource-control.conf \
- ${@ d.expand("https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/cli-${GARAGE_SIGN_PV}.tgz;unpack=0") if d.getVar('GARAGE_SIGN_AUTOVERSION') != '1' else ''} \
+ ${@ d.expand("https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/cli-${GARAGE_SIGN_PV}.tgz;unpack=0;name=garagesign") if d.getVar('GARAGE_SIGN_AUTOVERSION') != '1' else ''} \
"
-# for garage-sign archive
-SRC_URI[md5sum] = "e104ccd4f32e52571a5fc0e5042db050"
-SRC_URI[sha256sum] = "c590be1a57523bfe097af82279eda5c97cf40ae47fb27162cf33c469702c8a9b"
+SRC_URI[garagesign.md5sum] = "064b408c60676dcf282aa9209bff7dac"
+SRC_URI[garagesign.sha256sum] = "75c9b3cf24eb31dacb127d3b3d073359082e2b4ee4eeb27d75e792664800ba82"
-SRCREV = "9c592cf9d8dfcd995d47753f2be7bd1a2b56c7da"
+SRCREV = "f90e8996e826d130976a7b7f1835947b7e631025"
BRANCH ?= "master"
S = "${WORKDIR}/git"
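Review bot: The garage-sign tarball is pinned only when `GARAGE_SIGN_AUTOVERSION` is not `'1'`; with it set, the `name=garagesign` entry drops out of SRC_URI and the sha256 below no longer covers whatever the build then uses. How the archive is obtained in that mode is not visible in this hunk, so a comment above SRC_URI such as `# GARAGE_SIGN_AUTOVERSION = "1" bypasses the pinned, checksummed archive` would make the trade-off explicit. The `garagesign.md5sum` line adds no integrity guarantee beyond the sha256sum and could probably be dropped.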
@@ -46,17 +47,17 @@ SYSTEMD_PACKAGES = "${PN} ${PN}-secondary"
SYSTEMD_SERVICE_${PN} = "aktualizr.service"
SYSTEMD_SERVICE_${PN}-secondary = "aktualizr-secondary.service"
-EXTRA_OECMAKE = "-DCMAKE_BUILD_TYPE=Release -DAKTUALIZR_VERSION=${PV} ${@bb.utils.contains('PTEST_ENABLED', '1', '-DTESTSUITE_VALGRIND=on', '', d)}"
+EXTRA_OECMAKE = "-DCMAKE_BUILD_TYPE=Release ${@bb.utils.contains('PTEST_ENABLED', '1', '-DTESTSUITE_VALGRIND=on', '', d)}"
GARAGE_SIGN_OPS = "${@ d.expand('-DGARAGE_SIGN_ARCHIVE=${WORKDIR}/cli-${GARAGE_SIGN_PV}.tgz') if d.getVar('GARAGE_SIGN_AUTOVERSION') != '1' else ''}"
+PKCS11_ENGINE_PATH = "${libdir}/engines-1.1/pkcs11.so"
-PACKAGECONFIG ?= "ostree ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} ${@bb.utils.filter('SOTA_CLIENT_FEATURES', 'hsm serialcan ubootenv', d)}"
+PACKAGECONFIG ?= "ostree ${@bb.utils.filter('SOTA_CLIENT_FEATURES', 'hsm serialcan ubootenv', d)}"
PACKAGECONFIG_class-native = "sota-tools"
PACKAGECONFIG[warning-as-error] = "-DWARNING_AS_ERROR=ON,-DWARNING_AS_ERROR=OFF,"
PACKAGECONFIG[ostree] = "-DBUILD_OSTREE=ON,-DBUILD_OSTREE=OFF,ostree,"
-PACKAGECONFIG[hsm] = "-DBUILD_P11=ON,-DBUILD_P11=OFF,libp11,"
+PACKAGECONFIG[hsm] = "-DBUILD_P11=ON -DPKCS11_ENGINE_PATH=${PKCS11_ENGINE_PATH},-DBUILD_P11=OFF,libp11,"
PACKAGECONFIG[sota-tools] = "-DBUILD_SOTA_TOOLS=ON ${GARAGE_SIGN_OPS},-DBUILD_SOTA_TOOLS=OFF,glib-2.0,"
-PACKAGECONFIG[systemd] = "-DBUILD_SYSTEMD=ON,-DBUILD_SYSTEMD=OFF,systemd,"
PACKAGECONFIG[load-tests] = "-DBUILD_LOAD_TESTS=ON,-DBUILD_LOAD_TESTS=OFF,"
PACKAGECONFIG[serialcan] = ",,,slcand-start"
PACKAGECONFIG[ubootenv] = ",,,u-boot-fw-utils aktualizr-uboot-env-rollback"
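Review bot: `PKCS11_ENGINE_PATH` hard-codes the `engines-1.1` directory, which ties the hsm PACKAGECONFIG to one OpenSSL engine layout. If the engine is installed elsewhere, the mismatch would presumably only surface on the device when the HSM is first used. A comment above the assignment, such as `# Must match where pkcs11.so is installed for the OpenSSL version in use`, would flag this for whoever next bumps OpenSSL.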
@@ -70,6 +71,14 @@ RESOURCE_CPU_WEIGHT = "100"
RESOURCE_MEMORY_HIGH = "100M"
RESOURCE_MEMORY_MAX = "80%"
+do_configure_prepend() {
+ # CMake has trouble finding yocto's git when cross-compiling, let's do this step manually
+ cd ${S}
+ if [ ! -f VERSION ]; then
+ ./scripts/get_version.sh > VERSION
+ fi
+}
+
do_compile_ptest() {
cmake_runcmake_build --target build_tests "${PARALLEL_MAKE}"
}
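Review bot: In do_configure_prepend the redirection creates `VERSION` before `get_version.sh` runs, so a failing script aborts the task but leaves an empty file behind, and the `[ ! -f VERSION ]` guard then skips regeneration on every later run. Writing to a temporary name first avoids that: `./scripts/get_version.sh > VERSION.tmp && mv VERSION.tmp VERSION`. The previous hunk drops `-DAKTUALIZR_VERSION=${PV}` from EXTRA_OECMAKE, so this file is presumably now the only source of the version string.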
@@ -79,9 +88,6 @@ do_install_ptest() {
cp -r ${B}/ ${D}/${PTEST_PATH}/build
cp -r ${S}/ ${D}/${PTEST_PATH}/src
- # remove huge external unused repository
- rm -rf ${D}/${PTEST_PATH}/src/partial/extern/RIOT
-
# remove huge build artifacts
find ${D}/${PTEST_PATH}/build/src -name "*.a" -delete
@@ -102,10 +108,6 @@ do_install_append () {
install -m 0700 -d ${D}${libdir}/sota/conf.d
install -m 0700 -d ${D}${sysconfdir}/sota/conf.d
- if [ -n "${SOTA_HARDWARE_ID}" ]; then
- printf "[provision]\nprimary_ecu_hardware_id = ${SOTA_HARDWARE_ID}\n" > ${D}${libdir}/sota/conf.d/40-hardware-id.toml
- fi
-
install -m 0755 -d ${D}${systemd_unitdir}/system
aktualizr_service=${@bb.utils.contains('SOTA_CLIENT_FEATURES', 'serialcan', '${WORKDIR}/aktualizr-serialcan.service', '${WORKDIR}/aktualizr.service', d)}
install -m 0644 ${aktualizr_service} ${D}${systemd_unitdir}/system/aktualizr.service
@@ -137,7 +139,7 @@ python split_hosttools_packages () {
PACKAGES_DYNAMIC = "^aktualizr-.* ^garage-.*"
-PACKAGES =+ "${PN}-resource-control ${PN}-examples ${PN}-secondary ${PN}-configs ${PN}-host-tools"
+PACKAGES =+ "${PN}-host-tools ${PN}-lib ${PN}-resource-control ${PN}-configs ${PN}-secondary ${PN}-secondary-lib ${PN}-sotatools-lib"
ALLOW_EMPTY_${PN}-host-tools = "1"
@@ -147,6 +149,10 @@ FILES_${PN} = " \
${systemd_unitdir}/system/aktualizr.service \
"
+FILES_${PN}-lib = " \
+ ${libdir}/libaktualizr.so \
+ "
+
FILES_${PN}-resource-control = " \
${systemd_system_unitdir}/aktualizr.service.d/10-resource-control.conf \
"
@@ -156,16 +162,22 @@ FILES_${PN}-configs = " \
${libdir}/sota/* \
"
-FILES_${PN}-examples = " \
- ${bindir}/hmi-stub \
- "
-
FILES_${PN}-secondary = " \
${bindir}/aktualizr-secondary \
${libdir}/sota/sota-secondary.toml \
${systemd_unitdir}/system/aktualizr-secondary.service \
"
+FILES_${PN}-secondary-lib = " \
+ ${libdir}/libaktualizr_secondary.so \
+ "
+
+FILES_${PN}-sotatools-lib = " \
+ ${libdir}/libsota_tools.so \
+ "
+
+FILES_${PN}-dev = ""
+
BBCLASSEXTEND = "native"
# vim:set ts=4 sw=4 sts=4 expandtab:
diff --git a/external/meta-updater/recipes-sota/aktualizr/files/aktualizr-secondary.service b/external/meta-updater/recipes-sota/aktualizr/files/aktualizr-secondary.service
index b577ae8b..fb610f9b 100644
--- a/external/meta-updater/recipes-sota/aktualizr/files/aktualizr-secondary.service
+++ b/external/meta-updater/recipes-sota/aktualizr/files/aktualizr-secondary.service
@@ -1,6 +1,7 @@
[Unit]
Description=Aktualizr SOTA Client (UPTANE Secondary)
-After=network.target
+After=network-online.target
+Wants=network-online.target
[Service]
RestartSec=10
diff --git a/external/meta-updater/recipes-sota/aktualizr/files/aktualizr.service b/external/meta-updater/recipes-sota/aktualizr/files/aktualizr.service
index 726809e8..3d807a1f 100644
--- a/external/meta-updater/recipes-sota/aktualizr/files/aktualizr.service
+++ b/external/meta-updater/recipes-sota/aktualizr/files/aktualizr.service
@@ -1,6 +1,7 @@
[Unit]
Description=Aktualizr SOTA Client
-After=network.target
+After=network-online.target nss-lookup.target
+Wants=network-online.target
[Service]
RestartSec=10
diff --git a/external/meta-updater/recipes-sota/config/aktualizr-virtualsec.bb b/external/meta-updater/recipes-sota/config/aktualizr-virtualsec.bb
new file mode 100644
index 00000000..b7d55aaa
--- /dev/null
+++ b/external/meta-updater/recipes-sota/config/aktualizr-virtualsec.bb
@@ -0,0 +1,27 @@
+SUMMARY = "Example virtual secondary in aktualizr"
+DESCRIPTION = "Creates an example virtual secondary to be used to update an arbitrary file on the primary"
+HOMEPAGE = "https://github.com/advancedtelematic/aktualizr"
+SECTION = "base"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+
+inherit allarch
+
+SRC_URI = " \
+ file://30-virtualsec.toml \
+ file://virtualsec.json \
+ "
+
+do_install_append () {
+ install -m 0700 -d ${D}${libdir}/sota/conf.d
+ install -m 0644 ${WORKDIR}/30-virtualsec.toml ${D}${libdir}/sota/conf.d/30-virtualsec.toml
+ install -m 0644 ${WORKDIR}/virtualsec.json ${D}${libdir}/sota/virtualsec.json
+}
+
+FILES_${PN} = " \
+ ${libdir}/sota/conf.d/30-virtualsec.toml \
+ ${libdir}/sota/virtualsec.json \
+ "
+
+# vim:set ts=4 sw=4 sts=4 expandtab:
+
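Review bot: do_install_append installs virtualsec.json under `${libdir}/sota`, but 30-virtualsec.toml in this commit points at the fixed path `/usr/lib/sota/virtualsec.json`, so the two disagree whenever `libdir` is not `/usr/lib`. Templating the path as other recipes here do would keep them in step: `secondary_config_file = "@LIBDIR@/sota/virtualsec.json"` in the toml and `sed -i -e 's|@LIBDIR@|${libdir}|g' ${D}${libdir}/sota/conf.d/30-virtualsec.toml` after the install. The JSON also names `sec.private` under `/var/sota/external-config`; a comment in the recipe saying what creates that key and with which permissions would be useful.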
diff --git a/external/meta-updater/recipes-sota/config/files/30-virtualsec.toml b/external/meta-updater/recipes-sota/config/files/30-virtualsec.toml
new file mode 100644
index 00000000..987f692d
--- /dev/null
+++ b/external/meta-updater/recipes-sota/config/files/30-virtualsec.toml
@@ -0,0 +1,3 @@
+[uptane]
+secondary_config_file = "/usr/lib/sota/virtualsec.json"
+
diff --git a/external/meta-updater/recipes-sota/config/files/virtualsec.json b/external/meta-updater/recipes-sota/config/files/virtualsec.json
new file mode 100644
index 00000000..dcdcdba7
--- /dev/null
+++ b/external/meta-updater/recipes-sota/config/files/virtualsec.json
@@ -0,0 +1,14 @@
+{
+ "virtual": [
+ {
+ "partial_verifying": "false",
+ "ecu_hardware_id": "external-config",
+ "full_client_dir": "/var/sota/external-config",
+ "ecu_private_key": "sec.private",
+ "ecu_public_key": "sec.public",
+ "firmware_path": "/var/sota/external-config/config.txt",
+ "target_name_path": "/var/sota/external-config/target_name",
+ "metadata_path": "/var/sota/external-config/metadata"
+ }
+ ]
+}
diff --git a/external/meta-updater/recipes-sota/ostree/files/touch-ostree b/external/meta-updater/recipes-sota/ostree/files/touch-ostree
new file mode 100755
index 00000000..28cb6723
--- /dev/null
+++ b/external/meta-updater/recipes-sota/ostree/files/touch-ostree
@@ -0,0 +1,21 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: touch-ostree
+# Required-Start: $network $remote_fs
+# Required-Stop: $network $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Indicate OSTree boot
+### END INIT INFO
+
+case "$1" in
+ start)
+ touch /run/ostree-booted
+ ;;
+ stop)
+ ;;
+ *)
+ echo "Usage: /etc/init.d/touch-ostree {start|stop}"
+ exit 1
+ ;;
+esac
diff --git a/external/meta-updater/recipes-sota/ostree/ostree-booted_1.0.bb b/external/meta-updater/recipes-sota/ostree/ostree-booted_1.0.bb
new file mode 100644
index 00000000..d74cf247
--- /dev/null
+++ b/external/meta-updater/recipes-sota/ostree/ostree-booted_1.0.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Indicate an OSTree boot"
+DESCRIPTION = "Indicate an OSTree boot"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
+SRC_URI = "file://touch-ostree"
+
+inherit allarch update-rc.d
+
+INITSCRIPT_NAME = "touch-ostree"
+INITSCRIPT_PARAMS = "start 8 2 3 4 5 . stop 20 0 1 6 ."
+
+do_install() {
+ install -d ${D}${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/touch-ostree ${D}${sysconfdir}/init.d/touch-ostree
+}
diff --git a/external/meta-updater/recipes-test/demo-config/files/30-fake-pacman.toml b/external/meta-updater/recipes-test/demo-config/files/30-fake-pacman.toml
deleted file mode 100644
index 3fb5cf2c..00000000
--- a/external/meta-updater/recipes-test/demo-config/files/30-fake-pacman.toml
+++ /dev/null
@@ -1,2 +0,0 @@
-[pacman]
-type = "fake"
diff --git a/external/meta-updater/recipes-test/demo-config/files/30-pacman-config.toml b/external/meta-updater/recipes-test/demo-config/files/30-pacman-config.toml
new file mode 100644
index 00000000..750cf5c7
--- /dev/null
+++ b/external/meta-updater/recipes-test/demo-config/files/30-pacman-config.toml
@@ -0,0 +1,2 @@
+[pacman]
+type = @UPDATE_TYPE@
diff --git a/external/meta-updater/recipes-test/demo-config/primary-config.bb b/external/meta-updater/recipes-test/demo-config/primary-config.bb
index 27cb553e..5c8abb54 100644
--- a/external/meta-updater/recipes-test/demo-config/primary-config.bb
+++ b/external/meta-updater/recipes-test/demo-config/primary-config.bb
@@ -4,11 +4,14 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
require shared-conf.inc
+inherit allarch
+
PRIMARY_SECONDARIES ?= "${SECONDARY_IP}:${SECONDARY_PORT}"
SRC_URI = "\
file://30-secondary-config.toml \
file://ip_secondary_config.json \
+ ${@('file://' + d.getVar('SOTA_SECONDARY_CONFIG')) if d.getVar('SOTA_SECONDARY_CONFIG') else ''} \
"
def get_secondary_addrs(d):
diff --git a/external/meta-updater/recipes-test/demo-config/secondary-config.bb b/external/meta-updater/recipes-test/demo-config/secondary-config.bb
index 9411646b..638f0aea 100644
--- a/external/meta-updater/recipes-test/demo-config/secondary-config.bb
+++ b/external/meta-updater/recipes-test/demo-config/secondary-config.bb
@@ -4,36 +4,55 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7
require shared-conf.inc
+# Because of the dependency on MACHINE.
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
SECONDARY_SERIAL_ID ?= ""
SOTA_HARDWARE_ID ?= "${MACHINE}-sndry"
SECONDARY_HARDWARE_ID ?= "${SOTA_HARDWARE_ID}"
+SECONDARY_UPDATE_TYPE ?= "ostree"
+
+UPDATE_TYPE = "${SECONDARY_UPDATE_TYPE}"
+python () {
+ update_type = d.getVar('UPDATE_TYPE')
+ if update_type not in [ 'ostree', 'file']:
+ bb.fatal('Unsupported type of an update specified for secondary: SECONDARY_UPDATE_TYPE = {}\n'
+ 'Supported update types are: ostree and file'
+ .format(update_type))
+
+ if update_type == 'file':
+ d.setVar('UPDATE_TYPE', 'none')
+}
SRC_URI = "\
- file://30-fake-pacman.toml \
+ file://30-pacman-config.toml \
file://35-network-config.toml \
file://45-id-config.toml \
"
+
do_install () {
install -m 0700 -d ${D}${libdir}/sota/conf.d
- install -m 0644 ${WORKDIR}/30-fake-pacman.toml ${D}/${libdir}/sota/conf.d/30-fake-pacman.toml
- install -m 0644 ${WORKDIR}/35-network-config.toml ${D}/${libdir}/sota/conf.d/35-network-config.toml
+ install -m 0644 ${WORKDIR}/30-pacman-config.toml ${D}${libdir}/sota/conf.d/30-pacman-config.toml
+ sed -i -e 's|@UPDATE_TYPE@|${UPDATE_TYPE}|g' ${D}${libdir}/sota/conf.d/30-pacman-config.toml
+
+ install -m 0644 ${WORKDIR}/35-network-config.toml ${D}${libdir}/sota/conf.d/35-network-config.toml
sed -i -e 's|@PORT@|${SECONDARY_PORT}|g' \
-e 's|@PRIMARY_IP@|${PRIMARY_IP}|g' \
-e 's|@PRIMARY_PORT@|${PRIMARY_PORT}|g' \
- ${D}/${libdir}/sota/conf.d/35-network-config.toml
+ ${D}${libdir}/sota/conf.d/35-network-config.toml
- install -m 0644 ${WORKDIR}/45-id-config.toml ${D}/${libdir}/sota/conf.d/45-id-config.toml
+ install -m 0644 ${WORKDIR}/45-id-config.toml ${D}${libdir}/sota/conf.d/45-id-config.toml
sed -i -e 's|@SERIAL@|${SECONDARY_SERIAL_ID}|g' \
-e 's|@HWID@|${SECONDARY_HARDWARE_ID}|g' \
- ${D}/${libdir}/sota/conf.d/45-id-config.toml
+ ${D}${libdir}/sota/conf.d/45-id-config.toml
}
FILES_${PN} = " \
${libdir}/sota/conf.d \
- ${libdir}/sota/conf.d/30-fake-pacman.toml \
+ ${libdir}/sota/conf.d/30-pacman-config.toml \
${libdir}/sota/conf.d/35-network-config.toml \
${libdir}/sota/conf.d/45-id-config.toml \
"
diff --git a/external/meta-updater/recipes-test/demo-config/shared-conf.inc b/external/meta-updater/recipes-test/demo-config/shared-conf.inc
index c5ab5987..55234068 100644
--- a/external/meta-updater/recipes-test/demo-config/shared-conf.inc
+++ b/external/meta-updater/recipes-test/demo-config/shared-conf.inc
@@ -1,5 +1,5 @@
-SECONDARY_IP ?= "10.0.3.2"
+SECONDARY_IP ?= "192.168.254.2"
SECONDARY_PORT ?= "9050"
-PRIMARY_IP ?= "10.0.3.1"
+PRIMARY_IP ?= "192.168.254.1"
PRIMARY_PORT ?= "9040"
PRIMARY_WAIT_TIMEOUT ?= "240"
diff --git a/external/meta-updater/recipes-test/demo-network-config/files/25-dhcp-server.network b/external/meta-updater/recipes-test/demo-network-config/files/25-dhcp-server.network
index 4766f9ae..03bb3023 100644
--- a/external/meta-updater/recipes-test/demo-network-config/files/25-dhcp-server.network
+++ b/external/meta-updater/recipes-test/demo-network-config/files/25-dhcp-server.network
@@ -4,9 +4,9 @@ Name=enp0s4
[Network]
Description=Private internal network between aktualizr Primary and Secondary nodes
DHCPServer=yes
-Address=10.0.3.1/24
+Address=192.168.254.1/24
IPForward=yes
IPMasquerade=yes
[DHCPServer]
-PoolOffset=10 \ No newline at end of file
+PoolOffset=10
diff --git a/external/meta-updater/recipes-test/demo-network-config/network-config.inc b/external/meta-updater/recipes-test/demo-network-config/network-config.inc
index ed623d46..b023f514 100644
--- a/external/meta-updater/recipes-test/demo-network-config/network-config.inc
+++ b/external/meta-updater/recipes-test/demo-network-config/network-config.inc
@@ -2,15 +2,18 @@ SRC_URI_append = "\
file://26-${CONF_TYPE}-client.network \
"
+# Because of the dependency on MACHINE.
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
SECONDARY_INTERFACE ?= "${@ 'eth0' if d.getVar('MACHINE') == 'raspberrypi3' else 'enp0s5'}"
do_install_append() {
bbnote "Network configuration type to be applied: ${CONF_TYPE}"
- install -d ${D}/usr/lib/systemd/network
- install -m 0644 ${WORKDIR}/26-${CONF_TYPE}-client.network ${D}/usr/lib/systemd/network/
+ install -d ${D}${libdir}/systemd/network
+ install -m 0644 ${WORKDIR}/26-${CONF_TYPE}-client.network ${D}${libdir}/systemd/network/
sed -i -e 's|@ADDR@|${IP_ADDR}|g' \
-e 's|@IFNAME@|${SECONDARY_INTERFACE}|g' \
- ${D}/usr/lib/systemd/network/26-${CONF_TYPE}-client.network
+ ${D}${libdir}/systemd/network/26-${CONF_TYPE}-client.network
}
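Review bot: Installing to `${D}${libdir}/systemd/network` makes the path follow `libdir`, but systemd-networkd's search path does not. On a configuration where `libdir` is, for example, `/usr/lib64`, the .network file would land where it is presumably never read. Another recipe in this same commit installs to `${D}${systemd_unitdir}/network`, and using that here would be consistent: `install -d ${D}${systemd_unitdir}/network`. The same applies to the do_install and `FILES_${PN}` lines in primary-network-config.bb and secondary-network-config.bb.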
diff --git a/external/meta-updater/recipes-test/demo-network-config/primary-network-config.bb b/external/meta-updater/recipes-test/demo-network-config/primary-network-config.bb
index d840a951..7ee873f4 100644
--- a/external/meta-updater/recipes-test/demo-network-config/primary-network-config.bb
+++ b/external/meta-updater/recipes-test/demo-network-config/primary-network-config.bb
@@ -2,22 +2,20 @@ DESCRIPTION = "Sample network configuration for an Uptane Primary"
LICENSE = "MPL-2.0"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
-inherit allarch
-
SRC_URI = "\
file://27-dhcp-client-external.network \
"
-FILES_${PN} = "/usr/lib/systemd/network"
+FILES_${PN} = "${libdir}/systemd/network"
PR = "1"
do_install() {
- install -d ${D}/usr/lib/systemd/network
- install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}/usr/lib/systemd/network/
+ install -d ${D}${libdir}/systemd/network
+ install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}${libdir}/systemd/network/
}
-PRIMARY_IP ?= "10.0.3.1"
+PRIMARY_IP ?= "192.168.254.1"
IP_ADDR = "${PRIMARY_IP}"
CONF_TYPE ?= "${@ 'multihomed' if d.getVar('MACHINE') == 'raspberrypi3' and d.getVar('RPI_WIFI_ENABLE') != '1' else 'static'}"
diff --git a/external/meta-updater/recipes-test/demo-network-config/secondary-network-config.bb b/external/meta-updater/recipes-test/demo-network-config/secondary-network-config.bb
index b1d70f1f..b268cd38 100644
--- a/external/meta-updater/recipes-test/demo-network-config/secondary-network-config.bb
+++ b/external/meta-updater/recipes-test/demo-network-config/secondary-network-config.bb
@@ -2,8 +2,6 @@ DESCRIPTION = "Sample network configuration for an Uptane Secondary"
LICENSE = "MPL-2.0"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MPL-2.0;md5=815ca599c9df247a0c7f619bab123dad"
-inherit allarch
-
# TODO: It configures the 'user' interface in NAT mode and provides an access to public Inet via it
# which is not desired for Secondary. It cannot be just removed since we get SSH access to Secondary
# VM via this interface. So, the task is to configure the interface in such way that it does provide access
@@ -12,18 +10,18 @@ SRC_URI = "\
file://27-dhcp-client-external.network \
"
-FILES_${PN} = "/usr/lib/systemd/network"
+FILES_${PN} = "${libdir}/systemd/network"
PR = "1"
do_install() {
- install -d ${D}/usr/lib/systemd/network
- install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}/usr/lib/systemd/network/
+ install -d ${D}${libdir}/systemd/network
+ install -m 0644 ${WORKDIR}/27-dhcp-client-external.network ${D}${libdir}/systemd/network/
}
-SECONDARY_IP ?= "10.0.3.2"
+SECONDARY_IP ?= "192.168.254.2"
IP_ADDR = "${SECONDARY_IP}"
-CONF_TYPE = "static"
+CONF_TYPE ?= "${@ 'multihomed' if d.getVar('MACHINE') == 'raspberrypi3' and d.getVar('RPI_WIFI_ENABLE') != '1' else 'static'}"
require network-config.inc
diff --git a/external/meta-updater/recipes-test/images/secondary-image.bb b/external/meta-updater/recipes-test/images/secondary-image.bb
index 27d1e3f9..7db2c684 100644
--- a/external/meta-updater/recipes-test/images/secondary-image.bb
+++ b/external/meta-updater/recipes-test/images/secondary-image.bb
@@ -14,7 +14,6 @@ IMAGE_INSTALL_remove = " \
aktualizr-shared-prov \
aktualizr-shared-prov-creds \
aktualizr-device-prov \
- aktualizr-device-prov-creds \
aktualizr-device-prov-hsm \
aktualizr-uboot-env-rollback \
virtual/network-configuration \
diff --git a/external/meta-updater/scripts/ci/Dockerfile.bitbake b/external/meta-updater/scripts/ci/Dockerfile.bitbake
index c91f94c3..51eaa570 100644
--- a/external/meta-updater/scripts/ci/Dockerfile.bitbake
+++ b/external/meta-updater/scripts/ci/Dockerfile.bitbake
@@ -1,15 +1,17 @@
-FROM debian:stable
+FROM debian:stretch
LABEL Description="Image for bitbaking"
-RUN sed -i 's#deb http://deb.debian.org/debian stable main#deb http://deb.debian.org/debian stable main contrib#g' /etc/apt/sources.list
-RUN sed -i 's#deb http://deb.debian.org/debian stable-updates main#deb http://deb.debian.org/debian stable-updates main contrib#g' /etc/apt/sources.list
-RUN apt-get update -q && apt-get install -qy \
+RUN sed -i 's#deb http://deb.debian.org/debian stretch main#deb http://deb.debian.org/debian stretch main contrib#g' /etc/apt/sources.list
+RUN sed -i 's#deb http://deb.debian.org/debian stretch-updates main#deb http://deb.debian.org/debian stretch-updates main contrib#g' /etc/apt/sources.list
+RUN apt-get update -q && apt-get install --no-install-suggests --no-install-recommends -qy \
+ awscli \
build-essential \
bzip2 \
chrpath \
cpio \
default-jre \
diffstat \
+ file \
gawk \
gcc-multilib \
git-core \
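Review bot: `FROM debian:stretch` still names a mutable tag, so two builds of this CI image can start from different base layers without any change in the repository. Pinning the digest next to the tag makes the base reproducible and reviewable, e.g. `FROM debian:stretch@sha256:<digest of the vetted image>` (placeholder, to be taken from the registry). The `apt-get install` command edited here would also benefit from `&& rm -rf /var/lib/apt/lists/*` after the last package, which sits in the next hunk.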
@@ -17,26 +19,40 @@ RUN apt-get update -q && apt-get install -qy \
iproute \
libpython-dev \
libsdl1.2-dev \
+ libvirt-clients \
+ libvirt-daemon-system \
locales \
ovmf \
+ openssh-client \
procps \
python \
python3 \
python3-pexpect \
- qemu \
+ qemu-kvm \
socat \
+ sudo \
texinfo \
unzip \
wget \
xterm \
xz-utils
-ARG uid=1000
-ARG gid=1000
+ARG uid=4321
+ARG gid=4321
RUN groupadd -g $gid bitbake
-RUN useradd -m -u $uid -g $gid bitbake
+RUN useradd -m -u $uid -g $gid -s /bin/bash bitbake
RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen
ENV LC_ALL="en_US.UTF-8"
ENV LANG="en_US.UTF-8"
ENV LANGUAGE="en_US.UTF-8"
+
+# script to mirror kvm group id with host
+RUN echo "bitbake ALL=NOPASSWD: /usr/local/bin/setup_kvm.sh" >> /etc/sudoers
+COPY ./docker/setup_kvm.sh /usr/local/bin/setup_kvm.sh
+
+# other ci scripts
+RUN mkdir /scripts
+COPY configure.sh build.sh oe-selftest.sh /scripts/
+
+USER "bitbake"
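Review bot: The sudoers rule makes `/usr/local/bin/setup_kvm.sh` root-equivalent for everything the `bitbake` user runs in the container, yet this hunk neither fixes the script's mode nor limits its arguments, and it appends to `/etc/sudoers` without a syntax check. `COPY` takes the file mode from the build context, so a group- or world-writable checkout carries over; add `RUN chmod 0755 /usr/local/bin/setup_kvm.sh` after the `COPY`. A validated drop-in is safer than editing the main file: `RUN echo 'bitbake ALL=(root) NOPASSWD: /usr/local/bin/setup_kvm.sh ""' > /etc/sudoers.d/bitbake && chmod 0440 /etc/sudoers.d/bitbake && visudo -cf /etc/sudoers.d/bitbake`. The trailing `""` forbids arguments, since the rule as written accepts any; drop it only if the script needs them. The script itself is not shown in this diff, so whether it trusts caller-controlled environment or paths still needs checking.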
diff --git a/external/meta-updater/scripts/ci/Jenkinsfile.bleeding b/external/meta-updater/scripts/ci/Jenkinsfile.bleeding
deleted file mode 100644
index 6d340fde..00000000
--- a/external/meta-updater/scripts/ci/Jenkinsfile.bleeding
+++ /dev/null
@@ -1,87 +0,0 @@
-// This CI setup checks out aktualizr, meta-updater and updater-repo and builds
-// master branches whenever a change is pushed to any of these
-
-// define these for docker image creation
-node {
- // might cause some problems:
- // https://stackoverflow.com/questions/44805076/setting-build-args-for-dockerfile-agent-using-a-jenkins-declarative-pipeline
- JENKINS_UID = sh(returnStdout: true, script: 'id -u').trim()
- JENKINS_GID = sh(returnStdout: true, script: 'id -g').trim()
-}
-
-pipeline {
- agent any
- environment {
- TEST_AKTUALIZR_REMOTE = 'aktualizr'
- TEST_AKTUALIZR_DIR = 'aktualizr'
- TEST_AKTUALIZR_BRANCH = 'master'
- TEST_BITBAKE_COMMON_DIR = "/opt/jenkins/bitbake-common"
- }
- stages {
- stage('checkout') {
- steps {
-
- checkout([$class: 'GitSCM',
- userRemoteConfigs: [
- [url: 'https://github.com/advancedtelematic/aktualizr', name: 'aktualizr']
- ],
- branches: [[name: 'refs/heads/master']],
- extensions: [
- [$class: 'DisableRemotePoll'],
- [$class: 'PruneStaleBranch'],
- [$class: 'RelativeTargetDirectory',
- relativeTargetDir: 'aktualizr'
- ]
- ],
- ])
-
- checkout([$class: 'RepoScm',
- manifestRepositoryUrl: 'https://github.com/advancedtelematic/updater-repo',
- manifestBranch: null,
- manifestFile: 'master.xml',
- manifestGroup: null,
- mirrorDir: null,
- jobs: 0,
- depth: 0,
- localManifest: null,
- destinationDir: 'updater-repo',
- repoUrl: null,
- currentBranch: false,
- resetFirst: true,
- quiet: false,
- trace: false,
- showAllChanges: false,
- ])
-
- // ignore bitbake build directories in docker
- sh 'echo \'build*\' > .dockerignore'
-
- // override meta-updater commit with currently tested branch
- sh '''
- META_UPDATER_COMMIT=$(git rev-parse HEAD)
- cd updater-repo/meta-updater
- git checkout $META_UPDATER_COMMIT
- '''
- }
- }
- stage('build-core-image-minimal') {
- agent {
- dockerfile {
- filename 'scripts/ci/Dockerfile.bitbake'
- args '-v /opt/jenkins/bitbake-common:/opt/jenkins/bitbake-common'
- additionalBuildArgs "--build-arg uid=${JENKINS_UID} --build-arg gid=${JENKINS_GID}"
- reuseNode true
- }
- }
- environment {
- TEST_AKTUALIZR_CREDENTIALS = credentials('garage-credentials')
- }
- steps {
- sh 'scripts/ci/configure.sh'
-
- sh 'scripts/ci/build.sh core-image-minimal'
- }
- }
- }
-}
-// vim: set ft=groovy tabstop=2 shiftwidth=2 expandtab:
diff --git a/external/meta-updater/scripts/ci/Jenkinsfile.bleeding-selftest b/external/meta-updater/scripts/ci/Jenkinsfile.bleeding-selftest
deleted file mode 100644
index 8c2d1de6..00000000
--- a/external/meta-updater/scripts/ci/Jenkinsfile.bleeding-selftest
+++ /dev/null
@@ -1,91 +0,0 @@
-// This CI setup checks out aktualizr, meta-updater and updater-repo and builds
-// master branches whenever a change is pushed to any of these
-
-// define these for docker image creation
-node {
- // might cause some problems:
- // https://stackoverflow.com/questions/44805076/setting-build-args-for-dockerfile-agent-using-a-jenkins-declarative-pipeline
- JENKINS_UID = sh(returnStdout: true, script: 'id -u').trim()
- JENKINS_GID = sh(returnStdout: true, script: 'id -g').trim()
-}
-
-pipeline {
- agent {
- node { label 'bitbake' }
- }
- environment {
- TEST_AKTUALIZR_REMOTE = 'aktualizr'
- TEST_AKTUALIZR_DIR = 'aktualizr'
- TEST_AKTUALIZR_BRANCH = 'master'
- TEST_BITBAKE_COMMON_DIR = "/opt/jenkins/bitbake-common"
- }
- stages {
- stage('checkout') {
- steps {
-
- checkout([$class: 'GitSCM',
- userRemoteConfigs: [
- [url: 'https://github.com/advancedtelematic/aktualizr', name: 'aktualizr']
- ],
- branches: [[name: 'refs/heads/master']],
- extensions: [
- [$class: 'DisableRemotePoll'],
- [$class: 'PruneStaleBranch'],
- [$class: 'RelativeTargetDirectory',
- relativeTargetDir: 'aktualizr'
- ]
- ],
- ])
-
- checkout([$class: 'RepoScm',
- manifestRepositoryUrl: 'https://github.com/advancedtelematic/updater-repo',
- manifestBranch: null,
- manifestFile: 'master.xml',
- manifestGroup: null,
- mirrorDir: null,
- jobs: 0,
- depth: 0,
- localManifest: null,
- destinationDir: 'updater-repo',
- repoUrl: null,
- currentBranch: false,
- resetFirst: true,
- quiet: false,
- trace: false,
- showAllChanges: false,
- ])
-
- // ignore bitbake build directories in docker
- sh 'echo \'build*\' > .dockerignore'
-
- // override meta-updater commit with currently tested branch
- sh '''
- META_UPDATER_COMMIT=$(git rev-parse HEAD)
- cd updater-repo/meta-updater
- git checkout $META_UPDATER_COMMIT
- '''
- }
- }
- stage('build-core-image-minimal+oe-selftest') {
- agent {
- dockerfile {
- filename 'scripts/ci/Dockerfile.bitbake'
- args '-v /opt/jenkins/bitbake-common:/opt/jenkins/bitbake-common'
- additionalBuildArgs "--build-arg uid=${JENKINS_UID} --build-arg gid=${JENKINS_GID}"
- reuseNode true
- }
- }
- environment {
- TEST_AKTUALIZR_CREDENTIALS = credentials('garage-credentials')
- }
- steps {
- sh 'scripts/ci/configure.sh'
-
- sh 'scripts/ci/build.sh core-image-minimal'
-
- sh 'scripts/ci/oe-selftest.sh'
- }
- }
- }
-}
-// vim: set ft=groovy tabstop=2 shiftwidth=2 expandtab:
diff --git a/external/meta-updater/scripts/ci/README.adoc b/external/meta-updater/scripts/ci/README.adoc
deleted file mode 100644
index 222982b1..00000000
--- a/external/meta-updater/scripts/ci/README.adoc
+++ /dev/null
@@ -1,14 +0,0 @@
-= Jenkins setup for running meta-updater CI
-
-As bitbake is quite resource-hungry, there are some special steps that are
-needed to run Jenkins CI tasks:
-
-- docker should be installed and the `jenkins` unix user should belong to
- the `docker` group
-- `/opt/jenkins` should exist and have `jenkins:jenkins` permissions, it
- will be mapped as a volume on the same location in the docker build
- container
-
-Note that for nodes running Jenkins slaves as a docker container, the
-`/opt/jenkins` directory must exist on the host system as well, with
-permissions matching the user and groupd ids in Jenkins' docker
diff --git a/external/meta-updater/scripts/ci/build.sh b/external/meta-updater/scripts/ci/build.sh
index 62354289..9fbae989 100755
--- a/external/meta-updater/scripts/ci/build.sh
+++ b/external/meta-updater/scripts/ci/build.sh
@@ -12,7 +12,10 @@ IMAGE_NAME=${1:-core-image-minimal}
(
set +euo pipefail
set +x
+METADIR=$(realpath "$TEST_REPO_DIR")
+export METADIR
. "${TEST_REPO_DIR}/meta-updater/scripts/envsetup.sh" "${TEST_MACHINE}" "${TEST_BUILD_DIR}"
+set -x
bitbake "${IMAGE_NAME}"
)
diff --git a/external/meta-updater/scripts/ci/configure.sh b/external/meta-updater/scripts/ci/configure.sh
index 960a0cc9..ae78f066 100755
--- a/external/meta-updater/scripts/ci/configure.sh
+++ b/external/meta-updater/scripts/ci/configure.sh
@@ -8,9 +8,19 @@ TEST_BUILD_DIR=${TEST_BUILD_DIR:-build}
TEST_REPO_DIR=${TEST_REPO_DIR:-updater-repo}
TEST_BITBAKE_COMMON_DIR=${TEST_BITBAKE_COMMON_DIR:-}
-TEST_AKTUALIZR_DIR=${TEST_AKTUALIZR_DIR:-.}
-TEST_AKTUALIZR_BRANCH=${TEST_AKTUALIZR_BRANCH:-master}
-TEST_AKTUALIZR_REV=${TEST_AKTUALIZR_REV:-$(GIT_DIR="$TEST_AKTUALIZR_DIR/.git" git rev-parse "$TEST_AKTUALIZR_REMOTE/$TEST_AKTUALIZR_BRANCH")}
+TEST_AKTUALIZR_REMOTE=${TEST_AKTUALIZR_REMOTE:-}
+TEST_AKTUALIZR_TAG=${TEST_AKTUALIZR_TAG:-}
+if [ -n "$TEST_AKTUALIZR_REMOTE" ]; then
+ if [ -n "$TEST_AKTUALIZR_TAG" ]; then
+ TEST_AKTUALIZR_BRANCH=""
+ TEST_AKTUALIZR_REV=""
+ else
+ TEST_AKTUALIZR_DIR=${TEST_AKTUALIZR_DIR:-.}
+ TEST_AKTUALIZR_BRANCH=${TEST_AKTUALIZR_BRANCH:-master}
+ TEST_AKTUALIZR_REV=${TEST_AKTUALIZR_REV:-$(GIT_DIR="$TEST_AKTUALIZR_DIR/.git" git rev-parse "$TEST_AKTUALIZR_REMOTE/$TEST_AKTUALIZR_BRANCH")}
+ fi
+fi
+
TEST_AKTUALIZR_CREDENTIALS=${TEST_AKTUALIZR_CREDENTIALS:-}
# move existing conf directory to backup, before generating a new one
@@ -21,6 +31,8 @@ mv "$TEST_BUILD_DIR/conf" "$TEST_BUILD_DIR/conf.old" || true
set +euo pipefail
set +x
echo ">> Running envsetup.sh"
+METADIR=$(realpath "$TEST_REPO_DIR")
+export METADIR
. "$TEST_REPO_DIR/meta-updater/scripts/envsetup.sh" "$TEST_MACHINE" "$TEST_BUILD_DIR"
)
@@ -31,19 +43,30 @@ SITE_CONF="$TEST_BUILD_DIR/conf/site.conf"
echo ">> Set common bitbake config options"
cat << EOF > "$SITE_CONF"
SANITY_TESTED_DISTROS = ""
-SSTATE_MIRRORS ?= "file://.* https://bitbake-cache.atsgarage.com/PATH;downloadfilename=PATH"
IMAGE_FEATURES += "ssh-server-openssh"
EOF
-echo ">> Set aktualizr branch in bitbake's config"
-cat << EOF >> "$SITE_CONF"
+if [ -n "$TEST_AKTUALIZR_REMOTE" ]; then
+ echo ">> Set aktualizr branch in bitbake's config"
+ if [ -n "$TEST_AKTUALIZR_TAG" ]; then
+ # tag case
+ cat << EOF >> "$SITE_CONF"
+SRCREV_pn-aktualizr = ""
+SRCREV_pn-aktualizr-native = ""
+BRANCH_pn-aktualizr = ";nobranch=1;tag=$TEST_AKTUALIZR_TAG"
+BRANCH_pn-aktualizr-native = "\${BRANCH_pn-aktualizr}"
+EOF
+ else
+ # branch case
+ cat << EOF >> "$SITE_CONF"
SRCREV_pn-aktualizr = "$TEST_AKTUALIZR_REV"
SRCREV_pn-aktualizr-native = "\${SRCREV_pn-aktualizr}"
BRANCH_pn-aktualizr = "$TEST_AKTUALIZR_BRANCH"
BRANCH_pn-aktualizr-native = "\${BRANCH_pn-aktualizr}"
-
EOF
+ fi
+fi
if [[ -n $TEST_AKTUALIZR_CREDENTIALS ]]; then
echo ">> Set aktualizr credentials"
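Review bot: `$TEST_AKTUALIZR_TAG` is written into `site.conf` unvalidated in the tag branch (`BRANCH_pn-aktualizr = ";nobranch=1;tag=$TEST_AKTUALIZR_TAG"`), so a value containing `"` or `;` changes the generated BitBake configuration or appends further fetcher parameters. The value comes from the CI environment, so reject anything that is not a plain ref name before the heredoc, e.g. `[[ "$TEST_AKTUALIZR_TAG" =~ ^[A-Za-z0-9._/-]+$ ]] || { echo "invalid TEST_AKTUALIZR_TAG" >&2; exit 1; }`. The same branch sets `SRCREV_pn-aktualizr = ""`, which presumably makes the build follow whatever the tag points to at fetch time; resolving the tag to a commit and writing that into `SRCREV` would keep the build pinned. `$TEST_AKTUALIZR_BRANCH` in the branch case is interpolated the same way and deserves the same check.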
@@ -63,3 +86,6 @@ SSTATE_DIR = "$SSTATE_DIR"
DL_DIR = "$DL_DIR"
EOF
fi
+
+echo -e ">> Final configuration (site.conf):\\n"
+cat "$SITE_CONF"
diff --git a/external/meta-updater/scripts/ci/oe-selftest.sh b/external/meta-updater/scripts/ci/oe-selftest.sh
index 3124cce1..d441d027 100755
--- a/external/meta-updater/scripts/ci/oe-selftest.sh
+++ b/external/meta-updater/scripts/ci/oe-selftest.sh
@@ -12,7 +12,19 @@ TEST_REPO_DIR=${TEST_REPO_DIR:-updater-repo}
(
set +euo pipefail
set +x
+METADIR=$(realpath "$TEST_REPO_DIR")
+export METADIR
. "${TEST_REPO_DIR}/meta-updater/scripts/envsetup.sh" "${TEST_MACHINE}" "${TEST_BUILD_DIR}"
-oe-selftest -r updater
+set -x
+
+# work poky around bug on sumo and thud
+# see https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=d3a94e5b9b3c107cf54d5639071cc6609c002f67
+mkdir -p "tmp/log"
+
+# This is apparently required here now as well.
+git config --global user.email "meta-updater-ci@example.org"
+git config --global user.name "meta-updater-ci"
+
+oe-selftest -r "$@"
)
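Review bot: `oe-selftest -r "$@"` is given no test name when the script is called without arguments, whereas the old line always ran `updater`, so callers that were not updated lose the default. `oe-selftest -r "${@:-updater}"` keeps it. `git config --global` also rewrites the invoking user's `~/.gitconfig` when the script runs outside the CI container; exporting `GIT_AUTHOR_NAME`, `GIT_AUTHOR_EMAIL`, `GIT_COMMITTER_NAME` and `GIT_COMMITTER_EMAIL` inside the subshell would confine the identity to this run. The comment `# work poky around bug on sumo and thud` should read `# work around poky bug on sumo and thud`.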
diff --git a/external/meta-updater/scripts/envsetup.sh b/external/meta-updater/scripts/envsetup.sh
index 5827bc2a..a7ee877d 100755
--- a/external/meta-updater/scripts/envsetup.sh
+++ b/external/meta-updater/scripts/envsetup.sh
@@ -3,15 +3,26 @@
SCRIPT="envsetup.sh"
MACHINE="$1"
BUILDDIR="build"
+DISTRO="poky-sota-systemd"
+BASE_CONF="local.conf.base.append"
-[[ "$#" -lt 1 ]] && { echo "Usage: ${SCRIPT} <machine> [builddir]"; return 1; }
-[[ "$#" -eq 2 ]] && { BUILDDIR="$2"; }
+# A definition of a dictionary with a list of configuration files that must be appended
+# to resulting conf/local.conf file for each particular distribution.
+declare -A supported_distros=(
+ ["poky-sota-systemd"]="local.conf.systemd.append"
+ ["poky-sota"]="local.conf.base.append"
+ ["poky"]="local.conf.systemd.append local.conf.nonostree.append"
+)
+
+[[ "$#" -lt 1 ]] && { echo "Usage: ${SCRIPT} <machine> [builddir] [distro=< poky-sota-systemd | poky-sota | poky >]"; return 1; }
+[[ "$#" -ge 2 ]] && { BUILDDIR="$2"; }
+[[ "$#" -eq 3 ]] && { DISTRO="$3"; }
# detect if this script is sourced: see http://stackoverflow.com/a/38128348/6255594
SOURCED=0
-if [ -n "$ZSH_EVAL_CONTEXT" ]; then
+if [[ -n "$ZSH_EVAL_CONTEXT" ]]; then
[[ "$ZSH_EVAL_CONTEXT" =~ :file$ ]] && { SOURCED=1; SOURCEDIR=$(cd "$(dirname -- "$0")" && pwd -P); }
-elif [ -n "$BASH_VERSION" ]; then
+elif [[ -n "$BASH_VERSION" ]]; then
[[ "$0" != "${BASH_SOURCE[0]}" ]] && { SOURCED=1; SOURCEDIR=$(cd "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P); }
fi
@@ -24,13 +35,23 @@ fi
METADIR=${METADIR:-${SOURCEDIR}/../..}
if [[ ! -f "${BUILDDIR}/conf/local.conf" ]]; then
+ declare -a DISTRO_CONFIGS=${supported_distros[$DISTRO]}
+ [[ -n ${DISTRO_CONFIGS[@]} ]] && { echo "Using (${DISTRO_CONFIGS[*]}) for the specified distro '$DISTRO'"; } || { echo "The specified distro $DISTRO is not supported"; return 1; }
+
source "$METADIR/poky/oe-init-build-env" "$BUILDDIR"
echo "METADIR := \"\${@os.path.abspath('${METADIR}')}\"" >> conf/bblayers.conf
cat "${METADIR}/meta-updater/conf/include/bblayers/sota.inc" >> conf/bblayers.conf
cat "${METADIR}/meta-updater/conf/include/bblayers/sota_${MACHINE}.inc" >> conf/bblayers.conf
-
- sed "s/##MACHINE##/$MACHINE/g" "${METADIR}/meta-updater/conf/local.conf.sample.append" >> conf/local.conf
+ sed -e "s/##MACHINE##/$MACHINE/g" \
+ -e "s/##DISTRO##/$DISTRO/g" \
+ "${METADIR}/meta-updater/conf/$BASE_CONF" >> conf/local.conf
+
+ for config in ${DISTRO_CONFIGS[@]}; do
+ if [[ "$BASE_CONF" != "$config" ]]; then
+ cat "${METADIR}/meta-updater/conf/$config" >> conf/local.conf
+ fi
+ done
else
source "$METADIR/poky/oe-init-build-env" "$BUILDDIR"
-fi
+fi \ No newline at end of file
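Review bot: `declare -a DISTRO_CONFIGS=${supported_distros[$DISTRO]}` stores the whole space-separated list as one array element, and the hunk only works because `[[ -n ${DISTRO_CONFIGS[@]} ]]` and `for config in ${DISTRO_CONFIGS[@]}` then depend on that single element and on unquoted word splitting. That is fragile in bash and does not split in zsh, which the `ZSH_EVAL_CONTEXT` branch in the previous hunk still caters for. In bash, `read -r -a DISTRO_CONFIGS <<< "${supported_distros[$DISTRO]:-}"`, `[[ ${#DISTRO_CONFIGS[@]} -gt 0 ]]` and `for config in "${DISTRO_CONFIGS[@]}"` say what is meant. `$MACHINE` still goes into the `sed` expression unescaped and, unlike `$DISTRO`, is not checked against a list, so a value containing `/` or `&` alters the substitution. The change also drops the file's final newline.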
diff --git a/external/meta-updater/scripts/find_aktualizr_dependencies.sh b/external/meta-updater/scripts/find_aktualizr_dependencies.sh
index 493df800..fcb2f97e 100755
--- a/external/meta-updater/scripts/find_aktualizr_dependencies.sh
+++ b/external/meta-updater/scripts/find_aktualizr_dependencies.sh
@@ -13,7 +13,6 @@ ${parentdir}/find_dependencies.py aktualizr
${parentdir}/find_dependencies.py aktualizr-shared-prov
${parentdir}/find_dependencies.py aktualizr-shared-prov-creds
${parentdir}/find_dependencies.py aktualizr-device-prov
-${parentdir}/find_dependencies.py aktualizr-device-prov-creds
${parentdir}/find_dependencies.py aktualizr-device-prov-hsm
${parentdir}/find_dependencies.py aktualizr-auto-reboot
${parentdir}/find_dependencies.py aktualizr-disable-send-ip
diff --git a/external/meta-updater/scripts/qemucommand.py b/external/meta-updater/scripts/qemucommand.py
index 3045b454..30929acc 100644
--- a/external/meta-updater/scripts/qemucommand.py
+++ b/external/meta-updater/scripts/qemucommand.py
@@ -1,7 +1,8 @@
-from os.path import exists, join, realpath, abspath
+from os.path import exists, isdir, join, realpath, abspath
from os import listdir
import random
import socket
+from shutil import copyfile
from subprocess import check_output
EXTENSIONS = {
@@ -39,29 +40,84 @@ def random_mac():
class QemuCommand(object):
def __init__(self, args):
+ self.enable_u_boot = True
+ self.dry_run = args.dry_run
+ self.overlay = args.overlay
+ self.host_fwd = None
+ self.kernel = None
+ self.drive_interface = "ide"
+
+ if hasattr(args, 'uboot_enable'):
+ self.enable_u_boot = args.uboot_enable.lower() in ("yes", "true", "1")
+
+ # Rise an exception if U-Boot is disabled and overlay option is used
+ if not self.enable_u_boot and self.overlay:
+ raise EnvironmentError("An overlay option is currently supported only with U-Boot loader!")
+
+ # If booting with u-boot is disabled we use "ext4" root fs instead of custom one "ota-ext4"
+ if not self.enable_u_boot:
+ self.drive_interface = "virtio"
+ EXTENSIONS['qemux86-64'] = 'ext4'
+
if args.machine:
self.machine = args.machine
else:
+ if not isdir(args.dir):
+ raise ValueError("Directory %s does not exist, please specify a --machine or a valid images directory" % args.dir)
machines = listdir(args.dir)
if len(machines) == 1:
self.machine = machines[0]
else:
raise ValueError("Could not autodetect machine type. More than one entry in %s. Maybe --machine qemux86-64?" % args.dir)
+
+ # If using an overlay with U-Boot, copy the rom when we create the
+ # overlay so that we can keep it around just in case.
if args.efi:
self.bios = 'OVMF.fd'
+ elif self.enable_u_boot:
+ uboot_path = abspath(join(args.dir, self.machine, 'u-boot-qemux86-64.rom'))
+ if self.overlay:
+ new_uboot_path = self.overlay + '.u-boot.rom'
+ if not exists(self.overlay):
+ if not exists(uboot_path):
+ raise ValueError("U-Boot image %s does not exist" % uboot_path)
+ if not exists(new_uboot_path):
+ if self.dry_run:
+ print("cp %s %s" % (uboot_path, new_uboot_path))
+ else:
+ copyfile(uboot_path, new_uboot_path)
+ uboot_path = new_uboot_path
+ if not exists(uboot_path) and not (self.dry_run and not exists(self.overlay)):
+ raise ValueError("U-Boot image %s does not exist" % uboot_path)
+ self.bios = uboot_path
else:
- uboot = abspath(join(args.dir, self.machine, 'u-boot-qemux86-64.rom'))
- if not exists(uboot):
- raise ValueError("U-Boot image %s does not exist" % uboot)
- self.bios = uboot
+ self.kernel = abspath(join(args.dir, self.machine, 'bzImage-qemux86-64.bin'))
+
+ # If using an overlay, we need to keep the "backing" image around, as
+ # bitbake will often clean it up, and the overlay silently depends on
+ # the hardcoded path. The easiest solution is to keep the file and use
+ # a relative path to it.
if exists(args.imagename):
- image = args.imagename
+ image = realpath(args.imagename)
else:
ext = EXTENSIONS.get(self.machine, 'wic')
image = join(args.dir, self.machine, '%s-%s.%s' % (args.imagename, self.machine, ext))
- self.image = realpath(image)
- if not exists(self.image):
+ if self.overlay:
+ new_image_path = self.overlay + '.img'
+ if not exists(self.overlay):
+ if not exists(image):
+ raise ValueError("OS image %s does not exist" % image)
+ if not exists(new_image_path):
+ if self.dry_run:
+ print("cp %s %s" % (image, new_image_path))
+ else:
+ copyfile(image, new_image_path)
+ self.image = new_image_path
+ else:
+ self.image = realpath(image)
+ if not exists(self.image) and not (self.dry_run and not exists(self.overlay)):
raise ValueError("OS image %s does not exist" % self.image)
+
if args.mac:
self.mac_address = args.mac
else:
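Review bot: Both new existence checks end in `not (self.dry_run and not exists(self.overlay))`, which evaluates `exists(self.overlay)` even when no overlay was requested. Assuming `--overlay` defaults to `None`, a dry run with a missing U-Boot ROM or OS image then fails with a `TypeError` instead of the intended `ValueError`. Guarding the overlay term fixes both places: `not (self.dry_run and self.overlay and not exists(self.overlay))`. The overlay/U-Boot conflict raises `EnvironmentError`, which the `except ValueError` in `run-qemu-ota` does not catch, so the user gets a traceback; `ValueError` would match the other argument errors here. `EXTENSIONS['qemux86-64'] = 'ext4'` also mutates the module-level table from inside `__init__`, which continues past this hunk.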
@@ -84,28 +140,34 @@ class QemuCommand(object):
self.gui = not args.no_gui
self.gdb = args.gdb
self.pcap = args.pcap
- self.overlay = args.overlay
self.secondary_network = args.secondary_network
+ # Append additional port forwarding to QEMU command line.
+ if hasattr(args, 'host_forward'):
+ self.host_fwd = args.host_forward
+
def command_line(self):
netuser = 'user,hostfwd=tcp:0.0.0.0:%d-:22,restrict=off' % self.ssh_port
if self.gdb:
netuser += ',hostfwd=tcp:0.0.0.0:2159-:2159'
+ if self.host_fwd:
+ netuser += ",hostfwd=" + self.host_fwd
+
cmdline = [
"qemu-system-x86_64",
- "-bios", self.bios
]
+ if self.enable_u_boot:
+ cmdline += ["-bios", self.bios]
+ else:
+ cmdline += ["-kernel", self.kernel]
+
if not self.overlay:
- cmdline += ["-drive", "file=%s,if=ide,format=raw,snapshot=on" % self.image]
+ cmdline += ["-drive", "file=%s,if=%s,format=raw,snapshot=on" % (self.image, self.drive_interface)]
cmdline += [
"-serial", "tcp:127.0.0.1:%d,server,nowait" % self.serial_port,
"-m", self.mem,
- "-usb",
"-object", "rng-random,id=rng0,filename=/dev/urandom",
"-device", "virtio-rng-pci,rng=rng0",
- "-device", "usb-tablet",
- "-show-cursor",
- "-vga", "std",
"-net", netuser,
"-net", "nic,macaddr=%s" % self.mac_address
]
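Review bot: `netuser += ",hostfwd=" + self.host_fwd` appends the `--host-forward` value verbatim to the `-net user,...` option string, so a comma in the value adds arbitrary further options to the user-mode network backend. Checking the value against the documented shape keeps it to a single forward, e.g. `if not re.match(r'^(tcp|udp):[0-9.]*:\d+-[0-9.]*:\d+$', self.host_fwd): raise ValueError("invalid --host-forward value")`, which needs `import re` at the top of the file. The forwards built here, like the existing SSH one, bind `0.0.0.0` and so expose the guest's services on every host interface; `127.0.0.1` would be the safer default for test images. `command_line` continues past this hunk.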
@@ -117,15 +179,27 @@ class QemuCommand(object):
'-device', 'e1000,netdev=vlan1,mac='+random_mac(),
]
if self.gui:
- cmdline += ["-serial", "stdio"]
+ cmdline += [
+ "-usb",
+ "-device", "usb-tablet",
+ "-show-cursor",
+ "-vga", "std"
+ ]
else:
- cmdline.append('-nographic')
+ cmdline += [
+ "-nographic",
+ "-monitor", "null",
+ ]
if self.kvm:
cmdline += ['-enable-kvm', '-cpu', 'host']
else:
cmdline += ['-cpu', 'Haswell']
if self.overlay:
cmdline.append(self.overlay)
+
+ # If booting with u-boot is disabled, add kernel command line arguments through qemu -append option
+ if not self.enable_u_boot:
+ cmdline += ["-append", "root=/dev/vda rw highres=off console=ttyS0 ip=dhcp"]
return cmdline
def img_command_line(self):
diff --git a/external/meta-updater/scripts/run-qemu-ota b/external/meta-updater/scripts/run-qemu-ota
index de632970..59301a43 100755
--- a/external/meta-updater/scripts/run-qemu-ota
+++ b/external/meta-updater/scripts/run-qemu-ota
@@ -2,7 +2,7 @@
from argparse import ArgumentParser
from subprocess import Popen
-from os.path import exists
+from os.path import exists, dirname
import sys
from qemucommand import QemuCommand
@@ -13,6 +13,9 @@ def main():
parser = ArgumentParser(description='Run meta-updater image in qemu')
parser.add_argument('imagename', default='core-image-minimal', nargs='?',
help="Either the name of the bitbake image target, or a path to the image to run")
+ parser.add_argument('--uboot-enable', default='yes',
+ help='(yes/no). Determines whether or not to use U-Boot loader for running image, '
+ 'if yes then u-boot binary file will be passed as -bios option into QEMU cmd line.')
parser.add_argument('mac', default=None, nargs='?')
parser.add_argument('--dir', default=DEFAULT_DIR,
help='Path to build directory containing the image and u-boot-qemux86-64.rom')
@@ -20,6 +23,7 @@ def main():
help='Boot using UEFI rather than U-Boot. This requires the image to be built with ' +
'OSTREE_BOOTLOADER = "grub" and OVMF.fd firmware to be installed (try "apt install ovmf")',
action='store_true')
+ parser.add_argument('--bootloader', default=None, help="Path to bootloader, e.g. a u-boot ROM")
parser.add_argument('--machine', default=None, help="Target MACHINE")
kvm_group = parser.add_argument_group()
kvm_group.add_argument('--force-kvm', help='Force use of KVM (default is to autodetect)',
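Review bot: The new `--bootloader` option is parsed, but in the `qemucommand.py` lines shown in this commit `QemuCommand.__init__` never reads `args.bootloader`; the U-Boot path is still built from `args.dir` and `self.machine`. As it stands, a user who passes `--bootloader` silently gets the default ROM. Either use it where `uboot_path` is computed, e.g. `uboot_path = abspath(args.bootloader or join(args.dir, self.machine, 'u-boot-qemux86-64.rom'))`, or leave the option out until it is wired up. `main` starts and ends outside this hunk.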
@@ -38,28 +42,44 @@ def main():
help='Give the image a second network card connected to a virtual network. ' +
'This can be used to test Uptane Primary/Secondary communication.')
parser.add_argument('-n', '--dry-run', help='Print qemu command line rather then run it', action='store_true')
+ parser.add_argument('--host-forward',
+ help='Redirect incoming TCP or UDP connections to the host port. '
+ 'Example forwarding guest port 10050 to the host port 10555:'
+ '--host-forward="tcp:0.0.0.0:10556-:10050". '
+ 'For more details please refer to QEMU man page, option <hostfwd>. '
+ 'https://manpages.debian.org/testing/qemu-system-x86/qemu-system-x86_64.1.en.html')
args = parser.parse_args()
+
+ if args.overlay and not exists(args.overlay) and dirname(args.overlay) and not dirname(args.overlay) == '.':
+ print('Error: please provide a file name in the current working directory. ' +
+ 'Overlays do not work properly with other directories.')
+ sys.exit(1)
+ if args.overlay and exists(args.overlay) and args.imagename != parser.get_default('imagename'):
+ # qemu-img amend -o <filename> might work, but it has not yet been done
+ # successfully.
+ print('Warning: cannot change backing image of overlay after it has been created.')
+
try:
qemu_command = QemuCommand(args)
except ValueError as e:
print(e.message)
sys.exit(1)
- print("Launching %s with mac address %s" % (args.imagename, qemu_command.mac_address))
- print("To connect via SSH:")
- print(" ssh -o StrictHostKeyChecking=no root@localhost -p %d" % qemu_command.ssh_port)
- print("To connect to the serial console:")
- print(" nc localhost %d" % qemu_command.serial_port)
-
cmdline = qemu_command.command_line()
if args.overlay and not exists(args.overlay):
- print("Image file %s does not yet exist, creating." % args.overlay)
+ print("Overlay file %s does not yet exist, creating." % args.overlay)
img_cmdline = qemu_command.img_command_line()
if args.dry_run:
print(" ".join(img_cmdline))
else:
Popen(img_cmdline).wait()
+ print("Launching %s with mac address %s" % (args.imagename, qemu_command.mac_address))
+ print("To connect via SSH:")
+ print(" ssh -o StrictHostKeyChecking=no root@localhost -p %d" % qemu_command.ssh_port)
+ print("To connect to the serial console:")
+ print(" nc localhost %d" % qemu_command.serial_port)
+
if args.dry_run:
print(" ".join(cmdline))
else:
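Review bot: The `--host-forward` help text contradicts itself and recommends a wide bind: it names host port 10555 but the example uses 10556, the adjacent string literals join into `...10555:--host-forward=...` with no space, and the example listens on `0.0.0.0`. Suggested wording is `'Example forwarding guest port 10050 to host port 10555: '` followed by `'--host-forward="tcp:127.0.0.1:10555-:10050". '`, so that copying the example does not publish a guest port on every host interface. In the context lines, `print(e.message)` relies on an attribute that exceptions do not have on Python 3; `print(e)` works on both. `main` continues past this hunk.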
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-cpu_x86-Do-not-cache-microcode-version.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-cpu_x86-Do-not-cache-microcode-version.patch
new file mode 100644
index 00000000..4413d5fb
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0001-cpu_x86-Do-not-cache-microcode-version.patch
@@ -0,0 +1,59 @@
+From 33998cdd47300fc3ca6cb8f85714c149440b9c8b Mon Sep 17 00:00:00 2001
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Fri, 5 Apr 2019 11:33:32 +0200
+Subject: [PATCH 01/11] cpu_x86: Do not cache microcode version
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The microcode version checks are used to invalidate cached CPU data we
+get from QEMU. To minimize /proc/cpuinfo parsing the microcode version
+was only read when libvirtd started and cached for the daemon's
+lifetime. However, the CPU microcode can change anytime (updating the
+microcode package can automatically upload it to the CPU) and we need to
+stop caching it to avoid using stale CPU model data.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit be46f613261d3b655a1f15afd635087e68a9c39b)
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/cpu/cpu_x86.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c
+index cb27550..ce48ca6 100644
+--- a/src/cpu/cpu_x86.c
++++ b/src/cpu/cpu_x86.c
+@@ -163,7 +163,6 @@ struct _virCPUx86Map {
+ };
+
+ static virCPUx86MapPtr cpuMap;
+-static unsigned int microcodeVersion;
+
+ int virCPUx86DriverOnceInit(void);
+ VIR_ONCE_GLOBAL_INIT(virCPUx86Driver);
+@@ -1331,8 +1330,6 @@ virCPUx86DriverOnceInit(void)
+ if (!(cpuMap = virCPUx86LoadMap()))
+ return -1;
+
+- microcodeVersion = virHostCPUGetMicrocodeVersion();
+-
+ return 0;
+ }
+
+@@ -2372,7 +2369,7 @@ virCPUx86GetHost(virCPUDefPtr cpu,
+ goto cleanup;
+
+ ret = x86DecodeCPUData(cpu, cpuData, models);
+- cpu->microcodeVersion = microcodeVersion;
++ cpu->microcodeVersion = virHostCPUGetMicrocodeVersion();
+
+ cleanup:
+ virCPUx86DataFree(cpuData);
+--
+2.7.4
+
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/0002-qemu-Don-t-cache-microcode-version.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0002-qemu-Don-t-cache-microcode-version.patch
new file mode 100644
index 00000000..6d0f2986
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/0002-qemu-Don-t-cache-microcode-version.patch
@@ -0,0 +1,155 @@
+From d606ac113007901522dab6c4b3979686d43eaa87 Mon Sep 17 00:00:00 2001
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Fri, 12 Apr 2019 21:21:05 +0200
+Subject: [PATCH 02/11] qemu: Don't cache microcode version
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+My earlier commit be46f61326 was incomplete. It removed caching of
+microcode version in the CPU driver, which means the capabilities XML
+will see the correct microcode version. But it is also cached in the
+QEMU capabilities cache where it is used to detect whether we need to
+reprobe QEMU. By missing the second place, the original commit
+be46f61326 made the situation even worse since libvirt would report
+correct microcode version while still using the old host CPU model
+(visible in domain capabilities XML).
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+(cherry picked from commit 673c62a3b7855a0685d8f116e227c402720b9ee9)
+
+Conflicts:
+ src/qemu/qemu_capabilities.c
+ - virQEMUCapsCacheLookupByArch refactoring (commits
+ 7948ad4129a and 1a3de67001c) are missing
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/qemu/qemu_capabilities.c | 12 ++++++++----
+ src/qemu/qemu_capabilities.h | 3 +--
+ src/qemu/qemu_driver.c | 9 +--------
+ tests/testutilsqemu.c | 2 +-
+ 4 files changed, 11 insertions(+), 15 deletions(-)
+
+diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
+index a075677..eaf369f 100644
+--- a/src/qemu/qemu_capabilities.c
++++ b/src/qemu/qemu_capabilities.c
+@@ -4700,7 +4700,7 @@ virQEMUCapsNewData(const char *binary,
+ priv->libDir,
+ priv->runUid,
+ priv->runGid,
+- priv->microcodeVersion,
++ virHostCPUGetMicrocodeVersion(),
+ priv->kernelVersion);
+ }
+
+@@ -4783,8 +4783,7 @@ virFileCachePtr
+ virQEMUCapsCacheNew(const char *libDir,
+ const char *cacheDir,
+ uid_t runUid,
+- gid_t runGid,
+- unsigned int microcodeVersion)
++ gid_t runGid)
+ {
+ char *capsCacheDir = NULL;
+ virFileCachePtr cache = NULL;
+@@ -4808,7 +4807,6 @@ virQEMUCapsCacheNew(const char *libDir,
+
+ priv->runUid = runUid;
+ priv->runGid = runGid;
+- priv->microcodeVersion = microcodeVersion;
+
+ if (uname(&uts) == 0 &&
+ virAsprintf(&priv->kernelVersion, "%s %s", uts.release, uts.version) < 0)
+@@ -4829,8 +4827,11 @@ virQEMUCapsPtr
+ virQEMUCapsCacheLookup(virFileCachePtr cache,
+ const char *binary)
+ {
++ virQEMUCapsCachePrivPtr priv = virFileCacheGetPriv(cache);
+ virQEMUCapsPtr ret = NULL;
+
++ priv->microcodeVersion = virHostCPUGetMicrocodeVersion();
++
+ ret = virFileCacheLookup(cache, binary);
+
+ VIR_DEBUG("Returning caps %p for %s", ret, binary);
+@@ -4876,10 +4877,13 @@ virQEMUCapsPtr
+ virQEMUCapsCacheLookupByArch(virFileCachePtr cache,
+ virArch arch)
+ {
++ virQEMUCapsCachePrivPtr priv = virFileCacheGetPriv(cache);
+ virQEMUCapsPtr ret = NULL;
+ virArch target;
+ struct virQEMUCapsSearchData data = { .arch = arch };
+
++ priv->microcodeVersion = virHostCPUGetMicrocodeVersion();
++
+ ret = virFileCacheLookupByFunc(cache, virQEMUCapsCompareArch, &data);
+ if (!ret) {
+ /* If the first attempt at finding capabilities has failed, try
+diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
+index 3d3a978..956babc 100644
+--- a/src/qemu/qemu_capabilities.h
++++ b/src/qemu/qemu_capabilities.h
+@@ -574,8 +574,7 @@ void virQEMUCapsFilterByMachineType(virQEMUCapsPtr qemuCaps,
+ virFileCachePtr virQEMUCapsCacheNew(const char *libDir,
+ const char *cacheDir,
+ uid_t uid,
+- gid_t gid,
+- unsigned int microcodeVersion);
++ gid_t gid);
+ virQEMUCapsPtr virQEMUCapsCacheLookup(virFileCachePtr cache,
+ const char *binary);
+ virQEMUCapsPtr virQEMUCapsCacheLookupCopy(virFileCachePtr cache,
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index a0f7c71..75f8699 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -592,8 +592,6 @@ qemuStateInitialize(bool privileged,
+ char *hugepagePath = NULL;
+ char *memoryBackingPath = NULL;
+ size_t i;
+- virCPUDefPtr hostCPU = NULL;
+- unsigned int microcodeVersion = 0;
+
+ if (VIR_ALLOC(qemu_driver) < 0)
+ return -1;
+@@ -813,15 +811,10 @@ qemuStateInitialize(bool privileged,
+ run_gid = cfg->group;
+ }
+
+- if ((hostCPU = virCPUProbeHost(virArchFromHost())))
+- microcodeVersion = hostCPU->microcodeVersion;
+- virCPUDefFree(hostCPU);
+-
+ qemu_driver->qemuCapsCache = virQEMUCapsCacheNew(cfg->libDir,
+ cfg->cacheDir,
+ run_uid,
+- run_gid,
+- microcodeVersion);
++ run_gid);
+ if (!qemu_driver->qemuCapsCache)
+ goto error;
+
+diff --git a/tests/testutilsqemu.c b/tests/testutilsqemu.c
+index 8438613..4e53f03 100644
+--- a/tests/testutilsqemu.c
++++ b/tests/testutilsqemu.c
+@@ -707,7 +707,7 @@ int qemuTestDriverInit(virQEMUDriver *driver)
+
+ /* Using /dev/null for libDir and cacheDir automatically produces errors
+ * upon attempt to use any of them */
+- driver->qemuCapsCache = virQEMUCapsCacheNew("/dev/null", "/dev/null", 0, 0, 0);
++ driver->qemuCapsCache = virQEMUCapsCacheNew("/dev/null", "/dev/null", 0, 0);
+ if (!driver->qemuCapsCache)
+ goto error;
+
+--
+2.7.4
+
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p1.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p1.patch
new file mode 100644
index 00000000..45f51d4a
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p1.patch
@@ -0,0 +1,894 @@
+From b15a3c9f9bd24d12082b5a6ea505eb3ea48137cb Mon Sep 17 00:00:00 2001
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Fri, 5 Apr 2019 11:19:30 +0200
+Subject: [PATCH 03/11] cputest: Add data for Intel(R) Xeon(R) CPU E3-1225 v5
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit 5cd9db3ac11e88846cbcf95fad9f6fae9d880dee)
+
+CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+
+Conflicts:
+ tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
+ tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
+ - intel-pt feature is missing
+ - stibp feature is missing
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport
+
+CVE: CVE-2018-12126
+CVE: CVE-2018-12127
+CVE: CVE-2018-12130
+CVE: CVE-2019-11091
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ tests/cputest.c | 1 +
+ .../x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml | 7 +
+ .../x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 8 +
+ .../x86_64-cpuid-Xeon-E3-1225-v5-guest.xml | 26 +
+ .../x86_64-cpuid-Xeon-E3-1225-v5-host.xml | 27 +
+ .../x86_64-cpuid-Xeon-E3-1225-v5-json.xml | 10 +
+ .../cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json | 652 +++++++++++++++++++++
+ tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig | 4 +
+ tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml | 47 ++
+ 9 files changed, 782 insertions(+)
+ create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml
+ create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
+ create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
+ create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
+ create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
+ create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json
+ create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig
+ create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml
+
+diff --git a/tests/cputest.c b/tests/cputest.c
+index baf2b3c..fbb2a86 100644
+--- a/tests/cputest.c
++++ b/tests/cputest.c
+@@ -1190,6 +1190,7 @@ mymain(void)
+ DO_TEST_CPUID(VIR_ARCH_X86_64, "Phenom-B95", JSON_HOST);
+ DO_TEST_CPUID(VIR_ARCH_X86_64, "Ryzen-7-1800X-Eight-Core", JSON_HOST);
+ DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-5110", JSON_NONE);
++ DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E3-1225-v5", JSON_MODELS);
+ DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E3-1245-v5", JSON_MODELS);
+ DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E5-2609-v3", JSON_MODELS);
+ DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E5-2623-v4", JSON_MODELS);
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml
+new file mode 100644
+index 0000000..ce51903
+--- /dev/null
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml
+@@ -0,0 +1,7 @@
++<!-- Features disabled by QEMU -->
++<cpudata arch='x86'>
++ <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x0800c1fc' edx='0xb0600000'/>
++ <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x02000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000008' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x80000007' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000100'/>
++</cpudata>
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
+new file mode 100644
+index 0000000..0deca9f
+--- /dev/null
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
+@@ -0,0 +1,8 @@
++<!-- Features enabled by QEMU -->
++<cpudata arch='x86'>
++ <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0xf7fa3203' edx='0x0f8bfbff'/>
++ <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x00000004' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000000'/>
++ <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000007' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/>
++</cpudata>
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
+new file mode 100644
+index 0000000..993db80
+--- /dev/null
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
+@@ -0,0 +1,26 @@
++<cpu mode='custom' match='exact'>
++ <model fallback='forbid'>Skylake-Client-IBRS</model>
++ <vendor>Intel</vendor>
++ <feature policy='require' name='ds'/>
++ <feature policy='require' name='acpi'/>
++ <feature policy='require' name='ss'/>
++ <feature policy='require' name='ht'/>
++ <feature policy='require' name='tm'/>
++ <feature policy='require' name='pbe'/>
++ <feature policy='require' name='dtes64'/>
++ <feature policy='require' name='monitor'/>
++ <feature policy='require' name='ds_cpl'/>
++ <feature policy='require' name='vmx'/>
++ <feature policy='require' name='smx'/>
++ <feature policy='require' name='est'/>
++ <feature policy='require' name='tm2'/>
++ <feature policy='require' name='xtpr'/>
++ <feature policy='require' name='pdcm'/>
++ <feature policy='require' name='osxsave'/>
++ <feature policy='require' name='tsc_adjust'/>
++ <feature policy='require' name='clflushopt'/>
++ <feature policy='require' name='ssbd'/>
++ <feature policy='require' name='xsaves'/>
++ <feature policy='require' name='pdpe1gb'/>
++ <feature policy='require' name='invtsc'/>
++</cpu>
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
+new file mode 100644
+index 0000000..074a39b
+--- /dev/null
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
+@@ -0,0 +1,27 @@
++<cpu>
++ <arch>x86_64</arch>
++ <model>Skylake-Client-IBRS</model>
++ <vendor>Intel</vendor>
++ <feature name='ds'/>
++ <feature name='acpi'/>
++ <feature name='ss'/>
++ <feature name='ht'/>
++ <feature name='tm'/>
++ <feature name='pbe'/>
++ <feature name='dtes64'/>
++ <feature name='monitor'/>
++ <feature name='ds_cpl'/>
++ <feature name='vmx'/>
++ <feature name='smx'/>
++ <feature name='est'/>
++ <feature name='tm2'/>
++ <feature name='xtpr'/>
++ <feature name='pdcm'/>
++ <feature name='osxsave'/>
++ <feature name='tsc_adjust'/>
++ <feature name='clflushopt'/>
++ <feature name='ssbd'/>
++ <feature name='xsaves'/>
++ <feature name='pdpe1gb'/>
++ <feature name='invtsc'/>
++</cpu>
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
+new file mode 100644
+index 0000000..1984bd4
+--- /dev/null
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
+@@ -0,0 +1,10 @@
++<cpu mode='custom' match='exact'>
++ <model fallback='forbid'>Skylake-Client-IBRS</model>
++ <vendor>Intel</vendor>
++ <feature policy='require' name='ss'/>
++ <feature policy='require' name='hypervisor'/>
++ <feature policy='require' name='tsc_adjust'/>
++ <feature policy='require' name='clflushopt'/>
++ <feature policy='require' name='ssbd'/>
++ <feature policy='require' name='pdpe1gb'/>
++</cpu>
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json
+new file mode 100644
+index 0000000..0847475
+--- /dev/null
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json
+@@ -0,0 +1,652 @@
++{
++ "return": {
++ "model": {
++ "name": "base",
++ "props": {
++ "phys-bits": 0,
++ "core-id": -1,
++ "xlevel": 2147483656,
++ "cmov": true,
++ "ia64": false,
++ "aes": true,
++ "mmx": true,
++ "rdpid": false,
++ "arat": true,
++ "gfni": false,
++ "pause-filter": false,
++ "xsavec": true,
++ "intel-pt": false,
++ "osxsave": false,
++ "hv-frequencies": false,
++ "tsc-frequency": 0,
++ "xd": true,
++ "hv-vendor-id": "",
++ "kvm-asyncpf": true,
++ "kvm_asyncpf": true,
++ "perfctr_core": false,
++ "perfctr-core": false,
++ "mpx": true,
++ "pbe": false,
++ "decodeassists": false,
++ "avx512cd": false,
++ "sse4_1": true,
++ "sse4.1": true,
++ "sse4-1": true,
++ "family": 6,
++ "legacy-cache": true,
++ "vmware-cpuid-freq": true,
++ "avx512f": false,
++ "msr": true,
++ "mce": true,
++ "mca": true,
++ "hv-runtime": false,
++ "xcrypt": false,
++ "thread-id": -1,
++ "min-level": 13,
++ "xgetbv1": true,
++ "cid": false,
++ "hv-relaxed": false,
++ "hv-crash": false,
++ "ds": false,
++ "fxsr": true,
++ "xsaveopt": true,
++ "xtpr": false,
++ "avx512vl": false,
++ "avx512-vpopcntdq": false,
++ "phe": false,
++ "extapic": false,
++ "3dnowprefetch": true,
++ "avx512vbmi2": false,
++ "cr8legacy": false,
++ "stibp": true,
++ "cpuid-0xb": true,
++ "xcrypt-en": false,
++ "kvm_pv_eoi": true,
++ "apic-id": 4294967295,
++ "pn": false,
++ "dca": false,
++ "vendor": "GenuineIntel",
++ "pku": false,
++ "smx": false,
++ "cmp_legacy": false,
++ "cmp-legacy": false,
++ "node-id": -1,
++ "avx512-4fmaps": false,
++ "vmcb_clean": false,
++ "vmcb-clean": false,
++ "3dnowext": false,
++ "hle": true,
++ "npt": false,
++ "memory": "/machine/unattached/system[0]",
++ "clwb": false,
++ "lbrv": false,
++ "adx": true,
++ "ss": true,
++ "pni": true,
++ "svm_lock": false,
++ "svm-lock": false,
++ "pfthreshold": false,
++ "smep": true,
++ "smap": true,
++ "x2apic": true,
++ "avx512vbmi": false,
++ "avx512vnni": false,
++ "hv-stimer": false,
++ "i64": true,
++ "flushbyasid": false,
++ "f16c": true,
++ "ace2-en": false,
++ "pat": true,
++ "pae": true,
++ "sse": true,
++ "phe-en": false,
++ "kvm_nopiodelay": true,
++ "kvm-nopiodelay": true,
++ "tm": false,
++ "kvmclock-stable-bit": true,
++ "hypervisor": true,
++ "socket-id": -1,
++ "pcommit": false,
++ "syscall": true,
++ "level": 13,
++ "avx512dq": false,
++ "svm": false,
++ "full-cpuid-auto-level": true,
++ "hv-reset": false,
++ "invtsc": false,
++ "sse3": true,
++ "sse2": true,
++ "ssbd": true,
++ "est": false,
++ "avx512ifma": false,
++ "tm2": false,
++ "kvm-pv-eoi": true,
++ "cx8": true,
++ "kvm_mmu": false,
++ "kvm-mmu": false,
++ "sse4_2": true,
++ "sse4.2": true,
++ "sse4-2": true,
++ "pge": true,
++ "fill-mtrr-mask": true,
++ "avx512bitalg": false,
++ "nodeid_msr": false,
++ "pdcm": false,
++ "movbe": true,
++ "model": 94,
++ "nrip_save": false,
++ "nrip-save": false,
++ "kvm_pv_unhalt": true,
++ "ssse3": true,
++ "sse4a": false,
++ "invpcid": true,
++ "pdpe1gb": true,
++ "tsc-deadline": true,
++ "fma": true,
++ "cx16": true,
++ "de": true,
++ "enforce": false,
++ "stepping": 3,
++ "xsave": true,
++ "clflush": true,
++ "skinit": false,
++ "tsc": true,
++ "tce": false,
++ "fpu": true,
++ "ibs": false,
++ "ds_cpl": false,
++ "ds-cpl": false,
++ "host-phys-bits": true,
++ "fma4": false,
++ "la57": false,
++ "osvw": false,
++ "check": true,
++ "hv-spinlocks": -1,
++ "pmu": false,
++ "pmm": false,
++ "apic": true,
++ "spec-ctrl": true,
++ "min-xlevel2": 0,
++ "tsc-adjust": true,
++ "tsc_adjust": true,
++ "kvm-steal-time": true,
++ "kvm_steal_time": true,
++ "kvmclock": true,
++ "l3-cache": true,
++ "lwp": false,
++ "ibpb": false,
++ "xop": false,
++ "avx": true,
++ "ospke": false,
++ "ace2": false,
++ "avx512bw": false,
++ "acpi": false,
++ "hv-vapic": false,
++ "fsgsbase": true,
++ "ht": false,
++ "nx": true,
++ "pclmulqdq": true,
++ "mmxext": false,
++ "vaes": false,
++ "popcnt": true,
++ "xsaves": false,
++ "tcg-cpuid": true,
++ "lm": true,
++ "umip": false,
++ "pse": true,
++ "avx2": true,
++ "sep": true,
++ "pclmuldq": true,
++ "virt-ssbd": false,
++ "x-hv-max-vps": -1,
++ "nodeid-msr": false,
++ "md-clear": true,
++ "kvm": true,
++ "misalignsse": false,
++ "min-xlevel": 2147483656,
++ "kvm-pv-unhalt": true,
++ "bmi2": true,
++ "bmi1": true,
++ "realized": false,
++ "tsc_scale": false,
++ "tsc-scale": false,
++ "topoext": false,
++ "hv-vpindex": false,
++ "xlevel2": 0,
++ "clflushopt": true,
++ "kvm-no-smi-migration": false,
++ "monitor": false,
++ "avx512er": false,
++ "pmm-en": false,
++ "pcid": true,
++ "3dnow": false,
++ "erms": true,
++ "lahf-lm": true,
++ "lahf_lm": true,
++ "vpclmulqdq": false,
++ "fxsr-opt": false,
++ "hv-synic": false,
++ "xstore": false,
++ "fxsr_opt": false,
++ "kvm-hint-dedicated": false,
++ "rtm": true,
++ "lmce": true,
++ "hv-time": false,
++ "perfctr-nb": false,
++ "perfctr_nb": false,
++ "ffxsr": false,
++ "rdrand": true,
++ "rdseed": true,
++ "avx512-4vnniw": false,
++ "vmx": false,
++ "vme": true,
++ "dtes64": false,
++ "mtrr": true,
++ "rdtscp": true,
++ "pse36": true,
++ "kvm-pv-tlb-flush": false,
++ "tbm": false,
++ "wdt": false,
++ "pause_filter": false,
++ "sha-ni": false,
++ "model-id": "Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz",
++ "abm": true,
++ "avx512pf": false,
++ "xstore-en": false
++ }
++ }
++ },
++ "id": "model-expansion"
++}
++
++{
++ "return": [
++ {
++ "name": "max",
++ "typename": "max-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": false
++ },
++ {
++ "name": "host",
++ "typename": "host-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": false
++ },
++ {
++ "name": "base",
++ "typename": "base-x86_64-cpu",
++ "unavailable-features": [],
++ "static": true,
++ "migration-safe": true
++ },
++ {
++ "name": "qemu64",
++ "typename": "qemu64-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "qemu32",
++ "typename": "qemu32-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "phenom",
++ "typename": "phenom-x86_64-cpu",
++ "unavailable-features": [
++ "mmxext",
++ "fxsr-opt",
++ "3dnowext",
++ "3dnow",
++ "sse4a",
++ "npt"
++ ],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "pentium3",
++ "typename": "pentium3-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "pentium2",
++ "typename": "pentium2-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "pentium",
++ "typename": "pentium-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "n270",
++ "typename": "n270-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "kvm64",
++ "typename": "kvm64-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "kvm32",
++ "typename": "kvm32-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "cpu64-rhel6",
++ "typename": "cpu64-rhel6-x86_64-cpu",
++ "unavailable-features": [
++ "sse4a"
++ ],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "coreduo",
++ "typename": "coreduo-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "core2duo",
++ "typename": "core2duo-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "athlon",
++ "typename": "athlon-x86_64-cpu",
++ "unavailable-features": [
++ "mmxext",
++ "3dnowext",
++ "3dnow"
++ ],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Westmere",
++ "typename": "Westmere-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Westmere-IBRS",
++ "typename": "Westmere-IBRS-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Skylake-Server",
++ "typename": "Skylake-Server-x86_64-cpu",
++ "unavailable-features": [
++ "avx512f",
++ "avx512dq",
++ "clwb",
++ "avx512cd",
++ "avx512bw",
++ "avx512vl",
++ "avx512f",
++ "avx512f",
++ "avx512f"
++ ],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Skylake-Server-IBRS",
++ "typename": "Skylake-Server-IBRS-x86_64-cpu",
++ "unavailable-features": [
++ "avx512f",
++ "avx512dq",
++ "clwb",
++ "avx512cd",
++ "avx512bw",
++ "avx512vl",
++ "avx512f",
++ "avx512f",
++ "avx512f"
++ ],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Skylake-Client",
++ "typename": "Skylake-Client-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Skylake-Client-IBRS",
++ "typename": "Skylake-Client-IBRS-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "SandyBridge",
++ "typename": "SandyBridge-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "SandyBridge-IBRS",
++ "typename": "SandyBridge-IBRS-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Penryn",
++ "typename": "Penryn-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Opteron_G5",
++ "typename": "Opteron_G5-x86_64-cpu",
++ "unavailable-features": [
++ "sse4a",
++ "misalignsse",
++ "xop",
++ "fma4",
++ "tbm"
++ ],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Opteron_G4",
++ "typename": "Opteron_G4-x86_64-cpu",
++ "unavailable-features": [
++ "sse4a",
++ "misalignsse",
++ "xop",
++ "fma4"
++ ],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Opteron_G3",
++ "typename": "Opteron_G3-x86_64-cpu",
++ "unavailable-features": [
++ "sse4a",
++ "misalignsse"
++ ],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Opteron_G2",
++ "typename": "Opteron_G2-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Opteron_G1",
++ "typename": "Opteron_G1-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Nehalem",
++ "typename": "Nehalem-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Nehalem-IBRS",
++ "typename": "Nehalem-IBRS-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "IvyBridge",
++ "typename": "IvyBridge-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "IvyBridge-IBRS",
++ "typename": "IvyBridge-IBRS-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Haswell",
++ "typename": "Haswell-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Haswell-noTSX",
++ "typename": "Haswell-noTSX-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Haswell-noTSX-IBRS",
++ "typename": "Haswell-noTSX-IBRS-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Haswell-IBRS",
++ "typename": "Haswell-IBRS-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "EPYC",
++ "typename": "EPYC-x86_64-cpu",
++ "unavailable-features": [
++ "sha-ni",
++ "mmxext",
++ "fxsr-opt",
++ "cr8legacy",
++ "sse4a",
++ "misalignsse",
++ "osvw"
++ ],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "EPYC-IBPB",
++ "typename": "EPYC-IBPB-x86_64-cpu",
++ "unavailable-features": [
++ "sha-ni",
++ "mmxext",
++ "fxsr-opt",
++ "cr8legacy",
++ "sse4a",
++ "misalignsse",
++ "osvw",
++ "ibpb"
++ ],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Conroe",
++ "typename": "Conroe-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Broadwell",
++ "typename": "Broadwell-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Broadwell-noTSX",
++ "typename": "Broadwell-noTSX-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Broadwell-noTSX-IBRS",
++ "typename": "Broadwell-noTSX-IBRS-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "Broadwell-IBRS",
++ "typename": "Broadwell-IBRS-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ },
++ {
++ "name": "486",
++ "typename": "486-x86_64-cpu",
++ "unavailable-features": [],
++ "static": false,
++ "migration-safe": true
++ }
++ ],
++ "id": "definitions"
++}
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig
+new file mode 100644
+index 0000000..7e57c2d
+--- /dev/null
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig
+@@ -0,0 +1,4 @@
++0506e3
++family: 6 (0x06)
++model: 94 (0x5e)
++stepping: 3 (0x03)
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml
+new file mode 100644
+index 0000000..437429d
+--- /dev/null
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml
+@@ -0,0 +1,47 @@
++<!-- Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz -->
++<cpudata arch='x86'>
++ <cpuid eax_in='0x00000000' ecx_in='0x00' eax='0x00000016' ebx='0x756e6547' ecx='0x6c65746e' edx='0x49656e69'/>
++ <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x000506e3' ebx='0x06100800' ecx='0x7ffafbff' edx='0xbfebfbff'/>
++ <cpuid eax_in='0x00000002' ecx_in='0x00' eax='0x76036301' ebx='0x00f0b6ff' ecx='0x00000000' edx='0x00c30000'/>
++ <cpuid eax_in='0x00000003' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x00000004' ecx_in='0x00' eax='0x1c004121' ebx='0x01c0003f' ecx='0x0000003f' edx='0x00000000'/>
++ <cpuid eax_in='0x00000004' ecx_in='0x01' eax='0x1c004122' ebx='0x01c0003f' ecx='0x0000003f' edx='0x00000000'/>
++ <cpuid eax_in='0x00000004' ecx_in='0x02' eax='0x1c004143' ebx='0x00c0003f' ecx='0x000003ff' edx='0x00000000'/>
++ <cpuid eax_in='0x00000004' ecx_in='0x03' eax='0x1c03c163' ebx='0x03c0003f' ecx='0x00001fff' edx='0x00000006'/>
++ <cpuid eax_in='0x00000005' ecx_in='0x00' eax='0x00000040' ebx='0x00000040' ecx='0x00000003' edx='0x00142120'/>
++ <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x000027f7' ebx='0x00000002' ecx='0x00000009' edx='0x00000000'/>
++ <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x029c6fbf' ecx='0x00000000' edx='0x9c002400'/>
++ <cpuid eax_in='0x00000008' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x00000009' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x0000000a' ecx_in='0x00' eax='0x07300804' ebx='0x00000000' ecx='0x00000000' edx='0x00000603'/>
++ <cpuid eax_in='0x0000000b' ecx_in='0x00' eax='0x00000001' ebx='0x00000001' ecx='0x00000100' edx='0x00000006'/>
++ <cpuid eax_in='0x0000000b' ecx_in='0x01' eax='0x00000004' ebx='0x00000004' ecx='0x00000201' edx='0x00000006'/>
++ <cpuid eax_in='0x0000000c' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x0000000d' ecx_in='0x00' eax='0x0000001f' ebx='0x00000440' ecx='0x00000440' edx='0x00000000'/>
++ <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x0000000f' ebx='0x000003c0' ecx='0x00000100' edx='0x00000000'/>
++ <cpuid eax_in='0x0000000d' ecx_in='0x02' eax='0x00000100' ebx='0x00000240' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x0000000d' ecx_in='0x03' eax='0x00000040' ebx='0x000003c0' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x0000000d' ecx_in='0x04' eax='0x00000040' ebx='0x00000400' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x0000000d' ecx_in='0x08' eax='0x00000080' ebx='0x00000000' ecx='0x00000001' edx='0x00000000'/>
++ <cpuid eax_in='0x0000000e' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x0000000f' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x00000010' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x00000011' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x00000012' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x00000013' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x00000014' ecx_in='0x00' eax='0x00000001' ebx='0x0000000f' ecx='0x00000007' edx='0x00000000'/>
++ <cpuid eax_in='0x00000014' ecx_in='0x01' eax='0x02490002' ebx='0x003f3fff' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x00000015' ecx_in='0x00' eax='0x00000002' ebx='0x00000114' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x00000016' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/>
++ <cpuid eax_in='0x80000000' ecx_in='0x00' eax='0x80000008' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/>
++ <cpuid eax_in='0x80000002' ecx_in='0x00' eax='0x65746e49' ebx='0x2952286c' ecx='0x6f655820' edx='0x2952286e'/>
++ <cpuid eax_in='0x80000003' ecx_in='0x00' eax='0x55504320' ebx='0x2d334520' ecx='0x35323231' edx='0x20357620'/>
++ <cpuid eax_in='0x80000004' ecx_in='0x00' eax='0x2e332040' ebx='0x48473033' ecx='0x0000007a' edx='0x00000000'/>
++ <cpuid eax_in='0x80000005' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x80000006' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x01006040' edx='0x00000000'/>
++ <cpuid eax_in='0x80000007' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000100'/>
++ <cpuid eax_in='0x80000008' ecx_in='0x00' eax='0x00003027' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
++ <cpuid eax_in='0x80860000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/>
++ <cpuid eax_in='0xc0000000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/>
++</cpudata>
+--
+2.7.4
+
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch
new file mode 100644
index 00000000..b39e8662
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch
@@ -0,0 +1,116 @@
+From c811c618c114c4a6493ede602bdca22d33c1972a Mon Sep 17 00:00:00 2001
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Tue, 9 Apr 2019 12:35:52 +0200
+Subject: [PATCH 04/11] cpu_map: Define md-clear CPUID bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+
+The bit is set when microcode provides the mechanism to invoke a flush
+of various exploitable CPU buffers by invoking the VERW instruction.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 538d873571d7a682852dc1d70e5f4478f4d64e85)
+
+Conflicts:
+ src/cpu_map/x86_features.xml
+ - missing pconfig feature
+
+ tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml
+ tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml
+ - test data missing downstream
+
+ tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
+ tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
+ - intel-pt feature is missing
+ - stibp feature is missing
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport
+
+CVE: CVE-2018-12126
+CVE: CVE-2018-12127
+CVE: CVE-2018-12130
+CVE: CVE-2019-11091
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/cpu_map/x86_features.xml | 3 +++
+ tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 2 +-
+ tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml | 1 +
+ tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml | 1 +
+ tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml | 1 +
+ 5 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/cpu_map/x86_features.xml b/src/cpu_map/x86_features.xml
+index 109c653..c8ae540 100644
+--- a/src/cpu_map/x86_features.xml
++++ b/src/cpu_map/x86_features.xml
+@@ -290,6 +290,9 @@
+ <feature name='avx512-4fmaps'>
+ <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000008'/>
+ </feature>
++ <feature name='md-clear'> <!-- md_clear -->
++ <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000400'/>
++ </feature>
+ <feature name='spec-ctrl'>
+ <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
+ </feature>
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
+index 0deca9f..74763a4 100644
+--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
+@@ -2,7 +2,7 @@
+ <cpudata arch='x86'>
+ <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0xf7fa3203' edx='0x0f8bfbff'/>
+ <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x00000004' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+- <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000000'/>
++ <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000400'/>
+ <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000007' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
+ <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/>
+ </cpudata>
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
+index 993db80..29c1fdb 100644
+--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
+@@ -19,6 +19,7 @@
+ <feature policy='require' name='osxsave'/>
+ <feature policy='require' name='tsc_adjust'/>
+ <feature policy='require' name='clflushopt'/>
++ <feature policy='require' name='md-clear'/>
+ <feature policy='require' name='ssbd'/>
+ <feature policy='require' name='xsaves'/>
+ <feature policy='require' name='pdpe1gb'/>
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
+index 074a39b..2003ca9 100644
+--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
+@@ -20,6 +20,7 @@
+ <feature name='osxsave'/>
+ <feature name='tsc_adjust'/>
+ <feature name='clflushopt'/>
++ <feature name='md-clear'/>
+ <feature name='ssbd'/>
+ <feature name='xsaves'/>
+ <feature name='pdpe1gb'/>
+diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
+index 1984bd4..d6529c5 100644
+--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
++++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
+@@ -5,6 +5,7 @@
+ <feature policy='require' name='hypervisor'/>
+ <feature policy='require' name='tsc_adjust'/>
+ <feature policy='require' name='clflushopt'/>
++ <feature policy='require' name='md-clear'/>
+ <feature policy='require' name='ssbd'/>
+ <feature policy='require' name='pdpe1gb'/>
+ </cpu>
+--
+2.7.4
+
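Review bot: The new `md-clear` entry in src/cpu_map/x86_features.xml is documented only by `<!-- md_clear -->`, which gives the kernel's spelling of the flag but not what the bit means. A comment such as `<!-- md_clear: CPUID.(EAX=7,ECX=0):EDX[10], VERW flushes CPU buffers (MDS mitigation) -->` would make the `edx='0x00000400'` mask self-explanatory. The visible hunks only define the feature and update the Xeon-E3-1225-v5 test expectations; none of them adds `md-clear` to a CPU model definition. Guests configured with a named model therefore presumably need the feature requested explicitly before they see the bit, which is worth stating wherever this backport is documented.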
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch
new file mode 100644
index 00000000..11c1c5df
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch
@@ -0,0 +1,63 @@
+From dfd22fc50f8f268b9810d2ef21adada021f740eb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 30 Apr 2019 17:26:13 +0100
+Subject: [PATCH 05/11] admin: reject clients unless their UID matches the
+ current UID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The admin protocol RPC messages are only intended for use by the user
+running the daemon. As such they should not be allowed for any client
+UID that does not match the server UID.
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7)
+
+Upstream-Status: Backport
+CVE: CVE-2019-10132
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
+index b78ff90..9f25813 100644
+--- a/src/admin/admin_server_dispatch.c
++++ b/src/admin/admin_server_dispatch.c
+@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
+ void *opaque)
+ {
+ struct daemonAdmClientPrivate *priv;
++ uid_t clientuid;
++ gid_t clientgid;
++ pid_t clientpid;
++ unsigned long long timestamp;
++
++ if (virNetServerClientGetUNIXIdentity(client,
++ &clientuid,
++ &clientgid,
++ &clientpid,
++ &timestamp) < 0)
++ return NULL;
++
++ VIR_DEBUG("New client pid %lld uid %lld",
++ (long long)clientpid,
++ (long long)clientuid);
++
++ if (geteuid() != clientuid) {
++ virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
++ (long long)clientpid,
++ (long long)clientuid);
++ return NULL;
++ }
+
+ if (VIR_ALLOC(priv) < 0)
+ return NULL;
+--
+2.7.4
+
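Review bot: `client` is still declared `ATTRIBUTE_UNUSED` in the `remoteAdmClientNew` signature shown as hunk context, although the added code now passes it to `virNetServerClientGetUNIXIdentity()`. The annotation is stale and misleads a reader about whether the peer identity is consulted. Dropping it (`remoteAdmClientNew(virNetServerClientPtr client,`) would keep the signature honest, though for a backport this may be better raised upstream than changed here. The first `return NULL` appears to rely on `virNetServerClientGetUNIXIdentity()` having reported its own error, which this hunk does not show; a comment such as `/* identity lookup failure is treated as a rejection (fail closed) */` would record the intent. The function body continues outside the hunk.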
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch
new file mode 100644
index 00000000..860c1e53
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch
@@ -0,0 +1,56 @@
+From 54005b84b0165b62b2ef88c7df229bddbaa29e76 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 30 Apr 2019 16:51:37 +0100
+Subject: [PATCH 06/11] locking: restrict sockets to mode 0600
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virtlockd daemon's only intended client is the libvirtd daemon. As
+such it should never allow clients from other user accounts to connect.
+The code already enforces this and drops clients from other UIDs, but
+we can get earlier (and thus stronger) protection against DoS by setting
+the socket permissions to 0600
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1)
+
+Upstream-Status: Backport
+CVE: CVE-2019-10132
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/locking/virtlockd-admin.socket.in | 1 +
+ src/locking/virtlockd.socket.in | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
+index 2a7500f..f674c49 100644
+--- a/src/locking/virtlockd-admin.socket.in
++++ b/src/locking/virtlockd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
+ Service=virtlockd.service
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in
+index 45e0f20..d701b27 100644
+--- a/src/locking/virtlockd.socket.in
++++ b/src/locking/virtlockd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+--
+2.7.4
+
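Review bot: The added `SocketMode=0600` lines only affect sockets that systemd creates from these units, and neither the patch header nor the unit files say so. On an image where virtlockd is started without socket activation, the socket mode would come from the daemon's own code, which is not part of this diff, so that path needs confirming separately. A comment above each added line, e.g. `# Owner-only access; applies to systemd-created sockets only`, would make the scope explicit. The same applies to the two virtlogd units in CVE-2019-10132_p3.patch.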
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch
new file mode 100644
index 00000000..ddd0740e
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch
@@ -0,0 +1,56 @@
+From 030fdf57255f97289a407529194bf26c77548acb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 30 Apr 2019 17:27:41 +0100
+Subject: [PATCH 07/11] logging: restrict sockets to mode 0600
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virtlogd daemon's only intended client is the libvirtd daemon. As
+such it should never allow clients from other user accounts to connect.
+The code already enforces this and drops clients from other UIDs, but
+we can get earlier (and thus stronger) protection against DoS by setting
+the socket permissions to 0600
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f)
+
+Upstream-Status: Backport
+CVE: CVE-2019-10132
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/logging/virtlogd-admin.socket.in | 1 +
+ src/logging/virtlogd.socket.in | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in
+index 595e6c4..5c41dfe 100644
+--- a/src/logging/virtlogd-admin.socket.in
++++ b/src/logging/virtlogd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
+ Service=virtlogd.service
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in
+index 22b9360..ae48cda 100644
+--- a/src/logging/virtlogd.socket.in
++++ b/src/logging/virtlogd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+--
+2.7.4
+
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch
new file mode 100644
index 00000000..118ece4c
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch
@@ -0,0 +1,99 @@
+From 3352c8af264a7b9b741208790ecca0bbc6733f42 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 08:47:42 +0200
+Subject: [PATCH 08/11] api: disallow virDomainSaveImageGetXMLDesc on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainSaveImageGetXMLDesc API is taking a path parameter,
+which can point to any path on the system. This file will then be
+read and parsed by libvirtd running with root privileges.
+
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10161
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit aed6a032cead4386472afb24b16196579e239580)
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+
+Conflicts:
+ src/libvirt-domain.c
+ src/remote/remote_protocol.x
+
+Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
+alias for VIR_DOMAIN_XML_SECURE is not backported.
+Just skip the commit since we now disallow the whole API on read-only
+connections, regardless of the flag.
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-10161
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/libvirt-domain.c | 11 ++---------
+ src/qemu/qemu_driver.c | 2 +-
+ src/remote/remote_protocol.x | 3 +--
+ 3 files changed, 4 insertions(+), 12 deletions(-)
+
+Index: libvirt-4.7.0/src/libvirt-domain.c
+===================================================================
+--- libvirt-4.7.0.orig/src/libvirt-domain.c
++++ libvirt-4.7.0/src/libvirt-domain.c
+@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn
+ * previously by virDomainSave() or virDomainSaveFlags().
+ *
+ * No security-sensitive data will be included unless @flags contains
+- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
+- * connections. For this API, @flags should not contain either
+- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
++ * VIR_DOMAIN_XML_SECURE.
+ *
+ * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
+ * error. The caller must free() the returned value.
+@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectP
+
+ virCheckConnectReturn(conn, NULL);
+ virCheckNonNullArgGoto(file, error);
+-
+- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+- virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+- _("virDomainSaveImageGetXMLDesc with secure flag"));
+- goto error;
+- }
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->domainSaveImageGetXMLDesc) {
+ char *ret;
+Index: libvirt-4.7.0/src/qemu/qemu_driver.c
+===================================================================
+--- libvirt-4.7.0.orig/src/qemu/qemu_driver.c
++++ libvirt-4.7.0/src/qemu/qemu_driver.c
+@@ -6791,7 +6791,7 @@ qemuDomainSaveImageGetXMLDesc(virConnect
+ if (fd < 0)
+ goto cleanup;
+
+- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
+ goto cleanup;
+
+ ret = qemuDomainDefFormatXML(driver, def, flags);
+Index: libvirt-4.7.0/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-4.7.0.orig/src/remote/remote_protocol.x
++++ libvirt-4.7.0/src/remote/remote_protocol.x
+@@ -5226,8 +5226,7 @@ enum remote_procedure {
+ /**
+ * @generate: both
+ * @priority: high
+- * @acl: domain:read
+- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++ * @acl: domain:write
+ */
+ REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
+
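Review bot: The `remote_protocol.x` hunk replaces both ACL annotations with `@acl: domain:write`, which also removes the separate `domain:read_secure:VIR_DOMAIN_XML_SECURE` check. The call in `qemu_driver.c` correspondingly becomes `virDomainSaveImageGetXMLDescEnsureACL(conn, def)` without `flags`. Under fine-grained access control this appears to mean `domain:write` alone is enough to request secure XML. The header lists `remote_protocol.x` among the conflicting files, so this should be checked against upstream and stated in the patch description. The doc comment in `src/libvirt-domain.c` also loses the read-only statement and the guidance on `VIR_DOMAIN_XML_INACTIVE`/`VIR_DOMAIN_XML_UPDATE_CPU`; adding ` * This API is rejected on read-only connections.` would make it match the new `virCheckReadOnlyGoto(conn->flags, error);`.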
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch
new file mode 100644
index 00000000..12ab5436
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch
@@ -0,0 +1,43 @@
+From 6da721ea37bf3624ff9922637cfa657d2dcb20f9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 09:14:53 +0200
+Subject: [PATCH 09/11] api: disallow virDomainManagedSaveDefineXML on
+ read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainManagedSaveDefineXML can be used to alter the domain's
+config used for managedsave or even execute arbitrary emulator binaries.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10166
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a)
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-10166
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 270e10e..5c764aa 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -9482,6 +9482,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,
+
+ virCheckDomainReturn(domain, -1);
+ conn = domain->conn;
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->domainManagedSaveDefineXML) {
+ int ret;
+--
+2.7.4
+
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch
new file mode 100644
index 00000000..576f46c7
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch
@@ -0,0 +1,41 @@
+From 5441f05a42a90779b0df86518286bf527e94aafb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 09:16:14 +0200
+Subject: [PATCH 10/11] api: disallow virConnectGetDomainCapabilities on
+ read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This API can be used to execute arbitrary emulators.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10167
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26)
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-10167
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 5c764aa..9862a5d 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -11274,6 +11274,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
+ virResetLastError();
+
+ virCheckConnectReturn(conn, NULL);
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->connectGetDomainCapabilities) {
+ char *ret;
+--
+2.7.4
+
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch
new file mode 100644
index 00000000..16f1a6d9
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch
@@ -0,0 +1,49 @@
+From f5ace9c05d59b70d4899199a187cb32ec6f600d8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 09:17:39 +0200
+Subject: [PATCH 11/11] api: disallow virConnect*HypervisorCPU on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These APIs can be used to execute arbitrary emulators.
+Forbid them on read-only connections.
+
+Fixes: CVE-2019-10168
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291)
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-10168
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/libvirt-host.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libvirt-host.c b/src/libvirt-host.c
+index e20d6ee..2978825 100644
+--- a/src/libvirt-host.c
++++ b/src/libvirt-host.c
+@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
+
+ virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
+ virCheckNonNullArgGoto(xmlCPU, error);
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->connectCompareHypervisorCPU) {
+ int ret;
+@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
+
+ virCheckConnectReturn(conn, NULL);
+ virCheckNonNullArgGoto(xmlCPUs, error);
++ virCheckReadOnlyGoto(conn->flags, error);
+
+ if (conn->driver->connectBaselineHypervisorCPU) {
+ char *cpu;
+--
+2.7.4
+
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt_4.7.0.bb b/external/meta-virtualization/recipes-extended/libvirt/libvirt_4.7.0.bb
index 270dc725..1d3b48e8 100644
--- a/external/meta-virtualization/recipes-extended/libvirt/libvirt_4.7.0.bb
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt_4.7.0.bb
@@ -37,6 +37,17 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch \
file://lxc_monitor-Avoid-AB-BA-lock-race.patch \
file://CVE-2019-3840.patch \
+ file://0001-cpu_x86-Do-not-cache-microcode-version.patch \
+ file://0002-qemu-Don-t-cache-microcode-version.patch \
+ file://CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p1.patch \
+ file://CVE-2018-12126_CVE-2018-12127_CVE-2018-12130_CVE-2019-11091_p2.patch \
+ file://CVE-2019-10132_p1.patch \
+ file://CVE-2019-10132_p2.patch \
+ file://CVE-2019-10132_p3.patch \
+ file://CVE-2019-10161.patch \
+ file://CVE-2019-10166.patch \
+ file://CVE-2019-10167.patch \
+ file://CVE-2019-10168.patch \
"
SRC_URI[libvirt.md5sum] = "38da6c33250dcbc0a6d68de5c758262b"
diff --git a/external/poky/bitbake/bin/bitbake-worker b/external/poky/bitbake/bin/bitbake-worker
index e925054b..0e669054 100755
--- a/external/poky/bitbake/bin/bitbake-worker
+++ b/external/poky/bitbake/bin/bitbake-worker
@@ -192,9 +192,6 @@ def fork_off_task(cfg, data, databuilder, workerdata, fn, task, taskname, append
global worker_pipe_lock
pipein.close()
- signal.signal(signal.SIGTERM, sigterm_handler)
- # Let SIGHUP exit as SIGTERM
- signal.signal(signal.SIGHUP, sigterm_handler)
bb.utils.signal_on_parent_exit("SIGTERM")
# Save out the PID so that the event can include it the
@@ -209,6 +206,11 @@ def fork_off_task(cfg, data, databuilder, workerdata, fn, task, taskname, append
# This ensures signals sent to the controlling terminal like Ctrl+C
# don't stop the child processes.
os.setsid()
+
+ signal.signal(signal.SIGTERM, sigterm_handler)
+ # Let SIGHUP exit as SIGTERM
+ signal.signal(signal.SIGHUP, sigterm_handler)
+
# No stdin
newsi = os.open(os.devnull, os.O_RDWR)
os.dup2(newsi, sys.stdin.fileno())
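Review bot: With the handlers moved below `os.setsid()`, `bb.utils.signal_on_parent_exit("SIGTERM")` now runs before `sigterm_handler` is installed. A SIGTERM delivered in that window is handled by whatever disposition the child inherited rather than by `sigterm_handler`. Whether that matters depends on the lines between the two hunks, which are not shown, and `fork_off_task` continues outside both hunks. The ordering is now significant but unexplained, so the added block should carry a comment along the lines of `# Installed after setsid() deliberately: <reason from the commit message>`.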
diff --git a/external/poky/bitbake/lib/bb/cookerdata.py b/external/poky/bitbake/lib/bb/cookerdata.py
index 5df66e61..d9887c71 100644
--- a/external/poky/bitbake/lib/bb/cookerdata.py
+++ b/external/poky/bitbake/lib/bb/cookerdata.py
@@ -26,6 +26,7 @@ import logging
import os
import re
import sys
+import hashlib
from functools import wraps
import bb
from bb import data
@@ -279,6 +280,7 @@ class CookerDataBuilder(object):
self.mcdata = {}
def parseBaseConfiguration(self):
+ data_hash = hashlib.sha256()
try:
bb.parse.init_parser(self.basedata)
self.data = self.parseConfigurationFiles(self.prefiles, self.postfiles)
@@ -302,7 +304,7 @@ class CookerDataBuilder(object):
bb.event.fire(bb.event.ConfigParsed(), self.data)
bb.parse.init_parser(self.data)
- self.data_hash = self.data.get_hash()
+ data_hash.update(self.data.get_hash().encode('utf-8'))
self.mcdata[''] = self.data
multiconfig = (self.data.getVar("BBMULTICONFIG") or "").split()
@@ -310,9 +312,11 @@ class CookerDataBuilder(object):
mcdata = self.parseConfigurationFiles(self.prefiles, self.postfiles, config)
bb.event.fire(bb.event.ConfigParsed(), mcdata)
self.mcdata[config] = mcdata
+ data_hash.update(mcdata.get_hash().encode('utf-8'))
if multiconfig:
bb.event.fire(bb.event.MultiConfigParsed(self.mcdata), self.data)
+ self.data_hash = data_hash.hexdigest()
except (SyntaxError, bb.BBHandledException):
raise bb.BBHandledException
except bb.data_smart.ExpansionError as e:
diff --git a/external/poky/bitbake/lib/bb/fetch2/__init__.py b/external/poky/bitbake/lib/bb/fetch2/__init__.py
index 709372e1..03e56471 100644
--- a/external/poky/bitbake/lib/bb/fetch2/__init__.py
+++ b/external/poky/bitbake/lib/bb/fetch2/__init__.py
@@ -966,7 +966,8 @@ def rename_bad_checksum(ud, suffix):
new_localpath = "%s_bad-checksum_%s" % (ud.localpath, suffix)
bb.warn("Renaming %s to %s" % (ud.localpath, new_localpath))
- bb.utils.movefile(ud.localpath, new_localpath)
+ if not bb.utils.movefile(ud.localpath, new_localpath):
+ bb.warn("Renaming %s to %s failed, grep movefile in log.do_fetch to see why" % (ud.localpath, new_localpath))
def try_mirror_url(fetch, origud, ud, ld, check = False):
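Review bot: When `bb.utils.movefile()` fails, the added branch only warns, so the file that failed checksum verification stays at `ud.localpath` under its original name. The callers are outside this hunk, so it needs confirming that none of them can later treat that file as a valid download. If that cannot be ruled out, removing the file on failure (`bb.utils.remove(ud.localpath)`) would be safer than leaving it in place.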
@@ -1596,7 +1597,7 @@ class Fetch(object):
fn = d.getVar('FILE')
mc = d.getVar('__BBMULTICONFIG') or ""
if cache and fn and mc + fn in urldata_cache:
- self.ud = urldata_cache[mc + fn]
+ self.ud = urldata_cache[mc + fn + str(id(d))]
for url in urls:
if url not in self.ud:
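Review bot: The membership test still uses the old key: `if cache and fn and mc + fn in urldata_cache:` checks `mc + fn`, while the lookup on the next line and the store in the following hunk use `mc + fn + str(id(d))`. If nothing else writes `mc + fn` keys the test is never true and the cache is never hit; if something does, the lookup can raise `KeyError`. The test should use the same key, `if cache and fn and mc + fn + str(id(d)) in urldata_cache:`. Separately, `id(d)` can be reused once a datastore object is freed, so a stale entry could in principle be returned for a different `d`. The enclosing method starts outside the hunk.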
@@ -1608,7 +1609,7 @@ class Fetch(object):
pass
if fn and cache:
- urldata_cache[mc + fn] = self.ud
+ urldata_cache[mc + fn + str(id(d))] = self.ud
def localpath(self, url):
if url not in self.urls:
diff --git a/external/poky/bitbake/lib/bb/runqueue.py b/external/poky/bitbake/lib/bb/runqueue.py
index 383c1832..0f2fdcee 100644
--- a/external/poky/bitbake/lib/bb/runqueue.py
+++ b/external/poky/bitbake/lib/bb/runqueue.py
@@ -2109,8 +2109,8 @@ class RunQueueExecuteTasks(RunQueueExecute):
deps = self.rqdata.runtaskentries[revdep].depends
provides = self.rqdata.dataCaches[mc].fn_provides[taskfn]
taskhash = self.rqdata.runtaskentries[revdep].hash
- taskdepdata[revdep] = [pn, taskname, fn, deps, provides, taskhash]
deps = self.filtermcdeps(task, deps)
+ taskdepdata[revdep] = [pn, taskname, fn, deps, provides, taskhash]
for revdep2 in deps:
if revdep2 not in taskdepdata:
additional.append(revdep2)
diff --git a/external/poky/bitbake/lib/bb/tests/fetch.py b/external/poky/bitbake/lib/bb/tests/fetch.py
index 9c71207f..57376c44 100644
--- a/external/poky/bitbake/lib/bb/tests/fetch.py
+++ b/external/poky/bitbake/lib/bb/tests/fetch.py
@@ -1128,8 +1128,8 @@ class FetchLatestVersionTest(FetcherTest):
# packages with valid UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX
("cups", "http://www.cups.org/software/1.7.2/cups-1.7.2-source.tar.bz2", "https://github.com/apple/cups/releases", "(?P<name>cups\-)(?P<pver>((\d+[\.\-_]*)+))\-source\.tar\.gz")
: "2.0.0",
- ("db", "http://download.oracle.com/berkeley-db/db-5.3.21.tar.gz", "http://www.oracle.com/technetwork/products/berkeleydb/downloads/index-082944.html", "http://download.oracle.com/otn/berkeley-db/(?P<name>db-)(?P<pver>((\d+[\.\-_]*)+))\.tar\.gz")
- : "6.1.19",
+ ("db", "http://download.oracle.com/berkeley-db/db-5.3.21.tar.gz", "http://ftp.debian.org/debian/pool/main/d/db5.3/", "(?P<name>db5\.3_)(?P<pver>\d+(\.\d+)+).+\.orig\.tar\.xz")
+ : "5.3.10",
}
@skipIfNoNetwork()
diff --git a/external/poky/bitbake/lib/bb/utils.py b/external/poky/bitbake/lib/bb/utils.py
index 215c18cf..f5bd816c 100644
--- a/external/poky/bitbake/lib/bb/utils.py
+++ b/external/poky/bitbake/lib/bb/utils.py
@@ -796,7 +796,7 @@ def movefile(src, dest, newmtime = None, sstat = None):
os.rename(src, destpath)
renamefailed = 0
except Exception as e:
- if e[0] != errno.EXDEV:
+ if e.errno != errno.EXDEV:
# Some random error.
print("movefile: Failed to move", src, "to", dest, e)
return None
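Review bot: The handler catches `Exception`, but only `OSError` and its subclasses carry `.errno`. Any other exception raised in the `try` body now becomes an `AttributeError` inside the handler instead of reaching the `print`/`return None` path. Reading the code defensively keeps the existing fallback for every exception type: `if getattr(e, 'errno', None) != errno.EXDEV:`. The `try` and the rest of `movefile` start outside the hunk.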
diff --git a/external/poky/documentation/Makefile b/external/poky/documentation/Makefile
index 093422f6..0566a0f3 100644
--- a/external/poky/documentation/Makefile
+++ b/external/poky/documentation/Makefile
@@ -83,6 +83,11 @@
# example publishes the 1.2 version of the PDF and HTML YP Development Tasks Manual
# for the 'denzil' branch.
#
+# IN MEMORIAM: This comment is to remember Scott Rifenbark (scottrif), whom we lost
+# in January, 2020. Scott was the primary technical writer for the Yocto Project for
+# over 9 years. In that time, he contributed many thousands of patches, built this
+# documentation tree, and enabled tens of thousands of developers to succeed with
+# embedded Linux. He ran this Makefile many thousands of times. Godspeed, Dude.
ifeq ($(DOC),brief-yoctoprojectqs)
XSLTOPTS = --stringparam html.stylesheet brief-yoctoprojectqs-style.css \
diff --git a/external/poky/documentation/bsp-guide/bsp-guide.xml b/external/poky/documentation/bsp-guide/bsp-guide.xml
index 7c608ebd..b7a5ba67 100644
--- a/external/poky/documentation/bsp-guide/bsp-guide.xml
+++ b/external/poky/documentation/bsp-guide/bsp-guide.xml
@@ -138,9 +138,14 @@
</revision>
<revision>
<revnumber>2.6.3</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>August 2019</date>
<revremark>Released with the Yocto Project 2.6.3 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.6.4</revnumber>
+ <date>November 2019</date>
+ <revremark>Released with the Yocto Project 2.6.4 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/external/poky/documentation/dev-manual/dev-manual.xml b/external/poky/documentation/dev-manual/dev-manual.xml
index e9fd35ea..3ec921f6 100644
--- a/external/poky/documentation/dev-manual/dev-manual.xml
+++ b/external/poky/documentation/dev-manual/dev-manual.xml
@@ -123,9 +123,14 @@
</revision>
<revision>
<revnumber>2.6.3</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>August 2019</date>
<revremark>Released with the Yocto Project 2.6.3 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.6.4</revnumber>
+ <date>November 2019</date>
+ <revremark>Released with the Yocto Project 2.6.4 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/external/poky/documentation/kernel-dev/kernel-dev.xml b/external/poky/documentation/kernel-dev/kernel-dev.xml
index 870dc75f..6f3e5895 100644
--- a/external/poky/documentation/kernel-dev/kernel-dev.xml
+++ b/external/poky/documentation/kernel-dev/kernel-dev.xml
@@ -103,9 +103,19 @@
</revision>
<revision>
<revnumber>2.6.2</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>April 2019</date>
<revremark>Released with the Yocto Project 2.6.2 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.6.3</revnumber>
+ <date>August 2019</date>
+ <revremark>Released with the Yocto Project 2.6.3 Release.</revremark>
+ </revision>
+ <revision>
+ <revnumber>2.6.4</revnumber>
+ <date>November 2019</date>
+ <revremark>Released with the Yocto Project 2.6.4 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/external/poky/documentation/mega-manual/mega-manual.xml b/external/poky/documentation/mega-manual/mega-manual.xml
index 561f8acc..300246c9 100644
--- a/external/poky/documentation/mega-manual/mega-manual.xml
+++ b/external/poky/documentation/mega-manual/mega-manual.xml
@@ -92,9 +92,14 @@
</revision>
<revision>
<revnumber>2.6.3</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>August 2019</date>
<revremark>Released with the Yocto Project 2.6.3 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.6.4</revnumber>
+ <date>November 2019</date>
+ <revremark>Released with the Yocto Project 2.6.4 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/external/poky/documentation/overview-manual/overview-manual.xml b/external/poky/documentation/overview-manual/overview-manual.xml
index 8e7be426..e79867ec 100644
--- a/external/poky/documentation/overview-manual/overview-manual.xml
+++ b/external/poky/documentation/overview-manual/overview-manual.xml
@@ -53,9 +53,14 @@
</revision>
<revision>
<revnumber>2.6.3</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>August 2019</date>
<revremark>Released with the Yocto Project 2.6.3 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.6.4</revnumber>
+ <date>November 2019</date>
+ <revremark>Released with the Yocto Project 2.6.4 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/external/poky/documentation/poky.ent b/external/poky/documentation/poky.ent
index cb7f3082..34f8c114 100644
--- a/external/poky/documentation/poky.ent
+++ b/external/poky/documentation/poky.ent
@@ -1,17 +1,17 @@
-<!ENTITY DISTRO "2.6.3">
-<!ENTITY DISTRO_COMPRESSED "263">
+<!ENTITY DISTRO "2.6.4">
+<!ENTITY DISTRO_COMPRESSED "264">
<!ENTITY DISTRO_NAME_NO_CAP "thud">
<!ENTITY DISTRO_NAME "Thud">
<!ENTITY DISTRO_NAME_NO_CAP_MINUS_ONE "sumo">
<!ENTITY DISTRO_NAME_MINUS_ONE "Sumo">
-<!ENTITY YOCTO_DOC_VERSION "2.6.3">
-<!ENTITY YOCTO_DOC_VERSION_MINUS_ONE "2.5.3">
-<!ENTITY DISTRO_REL_TAG "yocto-2.6.3">
+<!ENTITY YOCTO_DOC_VERSION "2.6.4">
+<!ENTITY YOCTO_DOC_VERSION_MINUS_ONE "2.5.4">
+<!ENTITY DISTRO_REL_TAG "yocto-2.6.4">
<!ENTITY METAINTELVERSION "10.1">
-<!ENTITY REL_MONTH_YEAR "July 2019">
+<!ENTITY REL_MONTH_YEAR "November 2019">
<!ENTITY META_INTEL_REL_TAG "&METAINTELVERSION;-&DISTRO_NAME_NO_CAP;-&YOCTO_DOC_VERSION;">
-<!ENTITY POKYVERSION "20.0.3">
-<!ENTITY POKYVERSION_COMPRESSED "2003">
+<!ENTITY POKYVERSION "20.0.4">
+<!ENTITY POKYVERSION_COMPRESSED "2004">
<!ENTITY YOCTO_POKY "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;">
<!ENTITY COPYRIGHT_YEAR "2010-2019">
<!ENTITY YOCTO_DL_URL "http://downloads.yoctoproject.org">
diff --git a/external/poky/documentation/profile-manual/profile-manual.xml b/external/poky/documentation/profile-manual/profile-manual.xml
index d2c84cce..02d989ff 100644
--- a/external/poky/documentation/profile-manual/profile-manual.xml
+++ b/external/poky/documentation/profile-manual/profile-manual.xml
@@ -108,9 +108,14 @@
</revision>
<revision>
<revnumber>2.6.3</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>August 2019</date>
<revremark>Released with the Yocto Project 2.6.3 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.6.4</revnumber>
+ <date>November 2019</date>
+ <revremark>Released with the Yocto Project 2.6.4 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/external/poky/documentation/ref-manual/ref-manual.xml b/external/poky/documentation/ref-manual/ref-manual.xml
index 3f980677..104bbb9e 100644
--- a/external/poky/documentation/ref-manual/ref-manual.xml
+++ b/external/poky/documentation/ref-manual/ref-manual.xml
@@ -139,9 +139,14 @@
</revision>
<revision>
<revnumber>2.6.3</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>August 2019</date>
<revremark>Released with the Yocto Project 2.6.3 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.6.4</revnumber>
+ <date>November 2019</date>
+ <revremark>Released with the Yocto Project 2.6.4 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/external/poky/documentation/sdk-manual/sdk-manual.xml b/external/poky/documentation/sdk-manual/sdk-manual.xml
index 4d4df8ed..d4f615f7 100644
--- a/external/poky/documentation/sdk-manual/sdk-manual.xml
+++ b/external/poky/documentation/sdk-manual/sdk-manual.xml
@@ -73,9 +73,14 @@
</revision>
<revision>
<revnumber>2.6.3</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>August 2019</date>
<revremark>Released with the Yocto Project 2.6.3 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.6.4</revnumber>
+ <date>November 2019</date>
+ <revremark>Released with the Yocto Project 2.6.4 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/external/poky/documentation/toaster-manual/toaster-manual.xml b/external/poky/documentation/toaster-manual/toaster-manual.xml
index e80e9d97..15f1702e 100644
--- a/external/poky/documentation/toaster-manual/toaster-manual.xml
+++ b/external/poky/documentation/toaster-manual/toaster-manual.xml
@@ -83,9 +83,14 @@
</revision>
<revision>
<revnumber>2.6.3</revnumber>
- <date>&REL_MONTH_YEAR;</date>
+ <date>August 2019</date>
<revremark>Released with the Yocto Project 2.6.3 Release.</revremark>
</revision>
+ <revision>
+ <revnumber>2.6.4</revnumber>
+ <date>November 2019</date>
+ <revremark>Released with the Yocto Project 2.6.4 Release.</revremark>
+ </revision>
</revhistory>
<copyright>
diff --git a/external/poky/documentation/tools/mega-manual.sed b/external/poky/documentation/tools/mega-manual.sed
index 9906a3d7..34c2ada6 100644
--- a/external/poky/documentation/tools/mega-manual.sed
+++ b/external/poky/documentation/tools/mega-manual.sed
@@ -2,39 +2,39 @@
# This style is for manual folders like "yocto-project-qs" and "poky-ref-manual".
# This is the old way that did it. Can't do that now that we have "bitbake-user-manual" strings
# in the mega-manual.
-# s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/[a-z]*-[a-z]*-[a-z]*/[a-z]*-[a-z]*-[a-z]*.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/yocto-project-qs/yocto-project-qs.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/poky-ref-manual/poky-ref-manual.html#@"link" href="#@g
+# s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/[a-z]*-[a-z]*-[a-z]*/[a-z]*-[a-z]*-[a-z]*.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/yocto-project-qs/yocto-project-qs.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/poky-ref-manual/poky-ref-manual.html#@"link" href="#@g
# Processes all other manuals (<word>-<word> style) except for the BitBake User Manual because
# it is not included in the mega-manual.
# This style is for manual folders that use two word, which is the standard now (e.g. "ref-manual").
# This was the one-liner that worked before we introduced the BitBake User Manual, which is
# not in the mega-manual.
-# s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/[a-z]*-[a-z]*/[a-z]*-[a-z]*.html#@"link" href="#@g
+# s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/[a-z]*-[a-z]*/[a-z]*-[a-z]*.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/sdk-manual/sdk-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/bsp-guide/bsp-guide.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/dev-manual/dev-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/overview-manual/overview-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/brief-yoctoprojectqs/brief-yoctoprojectqs.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/kernel-dev/kernel-dev.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/profile-manual/profile-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/ref-manual/ref-manual.html#@"link" href="#@g
-s@"ulink" href="http://www.yoctoproject.org/docs/2.6.3/toaster-manual/toaster-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/sdk-manual/sdk-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/bsp-guide/bsp-guide.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/dev-manual/dev-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/overview-manual/overview-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/brief-yoctoprojectqs/brief-yoctoprojectqs.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/kernel-dev/kernel-dev.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/profile-manual/profile-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/ref-manual/ref-manual.html#@"link" href="#@g
+s@"ulink" href="http://www.yoctoproject.org/docs/2.6.4/toaster-manual/toaster-manual.html#@"link" href="#@g
# Process cases where just an external manual is referenced without an id anchor
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.3/brief-yoctoprojectqs/brief-yoctoprojectqs.html" target="_top">Yocto Project Quick Build</a>@Yocto Project Quick Build@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.3/yocto-project-qs/yocto-project-qs.html" target="_top">Yocto Project Quick Start</a>@Yocto Project Quick Start@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.3/dev-manual/dev-manual.html" target="_top">Yocto Project Development Tasks Manual</a>@Yocto Project Development Tasks Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.3/overview-manual/overview-manual.html" target="_top">Yocto Project Overview and Concepts Manual</a>@Yocto project Overview and Concepts Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.3/sdk-manual/sdk-manual.html" target="_top">Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</a>@Yocto Project Application Development and the Extensible Software Development Kit (eSDK)@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.3/bsp-guide/bsp-guide.html" target="_top">Yocto Project Board Support Package (BSP) Developer's Guide</a>@Yocto Project Board Support Package (BSP) Developer's Guide@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.3/profile-manual/profile-manual.html" target="_top">Yocto Project Profiling and Tracing Manual</a>@Yocto Project Profiling and Tracing Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.3/kernel-dev/kernel-dev.html" target="_top">Yocto Project Linux Kernel Development Manual</a>@Yocto Project Linux Kernel Development Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.3/ref-manual/ref-manual.html" target="_top">Yocto Project Reference Manual</a>@Yocto Project Reference Manual@g
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.3/toaster-manual/toaster-manual.html" target="_top">Toaster User Manual</a>@Toaster User Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.4/brief-yoctoprojectqs/brief-yoctoprojectqs.html" target="_top">Yocto Project Quick Build</a>@Yocto Project Quick Build@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.4/yocto-project-qs/yocto-project-qs.html" target="_top">Yocto Project Quick Start</a>@Yocto Project Quick Start@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.4/dev-manual/dev-manual.html" target="_top">Yocto Project Development Tasks Manual</a>@Yocto Project Development Tasks Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.4/overview-manual/overview-manual.html" target="_top">Yocto Project Overview and Concepts Manual</a>@Yocto project Overview and Concepts Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.4/sdk-manual/sdk-manual.html" target="_top">Yocto Project Application Development and the Extensible Software Development Kit (eSDK)</a>@Yocto Project Application Development and the Extensible Software Development Kit (eSDK)@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.4/bsp-guide/bsp-guide.html" target="_top">Yocto Project Board Support Package (BSP) Developer's Guide</a>@Yocto Project Board Support Package (BSP) Developer's Guide@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.4/profile-manual/profile-manual.html" target="_top">Yocto Project Profiling and Tracing Manual</a>@Yocto Project Profiling and Tracing Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.4/kernel-dev/kernel-dev.html" target="_top">Yocto Project Linux Kernel Development Manual</a>@Yocto Project Linux Kernel Development Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.4/ref-manual/ref-manual.html" target="_top">Yocto Project Reference Manual</a>@Yocto Project Reference Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.4/toaster-manual/toaster-manual.html" target="_top">Toaster User Manual</a>@Toaster User Manual@g
# Process a single, rouge occurrence of a linked reference to the Mega-Manual.
-s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.3/mega-manual/mega-manual.html" target="_top">Yocto Project Mega-Manual</a>@Yocto Project Mega-Manual@g
+s@<a class="ulink" href="http://www.yoctoproject.org/docs/2.6.4/mega-manual/mega-manual.html" target="_top">Yocto Project Mega-Manual</a>@Yocto Project Mega-Manual@g
diff --git a/external/poky/meta-poky/conf/distro/poky.conf b/external/poky/meta-poky/conf/distro/poky.conf
index 6f0dba79..2d060e3f 100644
--- a/external/poky/meta-poky/conf/distro/poky.conf
+++ b/external/poky/meta-poky/conf/distro/poky.conf
@@ -1,6 +1,6 @@
DISTRO = "poky"
DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "2.6.3"
+DISTRO_VERSION = "2.6.4"
DISTRO_CODENAME = "thud"
SDK_VENDOR = "-pokysdk"
SDK_VERSION := "${@'${DISTRO_VERSION}'.replace('snapshot-${DATE}','snapshot')}"
diff --git a/external/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend b/external/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend
index 502485a9..bbe6eae5 100644
--- a/external/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend
+++ b/external/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.14.bbappend
@@ -8,11 +8,11 @@ KMACHINE_genericx86 ?= "common-pc"
KMACHINE_genericx86-64 ?= "common-pc-64"
KMACHINE_beaglebone-yocto ?= "beaglebone"
-SRCREV_machine_genericx86 ?= "2c5caa7e84311f2a0097974a697ac1f59030530e"
-SRCREV_machine_genericx86-64 ?= "2c5caa7e84311f2a0097974a697ac1f59030530e"
-SRCREV_machine_edgerouter ?= "e06bfa18c727bd0e6e10cf26d9f161e4c791f52b"
-SRCREV_machine_beaglebone-yocto ?= "b8805de77dcf8f59d8368fee4921c146c1300a6a"
-SRCREV_machine_mpc8315e-rdb ?= "f88e87360b10f8fbd853a7d412982e6620f3f96d"
+SRCREV_machine_genericx86 ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce"
+SRCREV_machine_genericx86-64 ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce"
+SRCREV_machine_edgerouter ?= "16d624ede7ca9f71331b626685435ffee022dd32"
+SRCREV_machine_beaglebone-yocto ?= "2e7b9777f352f70e2e9a82d8c403d3ea88d0bde3"
+SRCREV_machine_mpc8315e-rdb ?= "9ff346785bdf42767b4002c41f5692f0a98b7480"
COMPATIBLE_MACHINE_genericx86 = "genericx86"
COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
@@ -20,8 +20,8 @@ COMPATIBLE_MACHINE_edgerouter = "edgerouter"
COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb"
-LINUX_VERSION_genericx86 = "4.14.76"
-LINUX_VERSION_genericx86-64 = "4.14.76"
-LINUX_VERSION_edgerouter = "4.14.71"
-LINUX_VERSION_beaglebone-yocto = "4.14.71"
-LINUX_VERSION_mpc8315e-rdb = "4.14.71"
+LINUX_VERSION_genericx86 = "4.14.154"
+LINUX_VERSION_genericx86-64 = "4.14.154"
+LINUX_VERSION_edgerouter = "4.14.154"
+LINUX_VERSION_beaglebone-yocto = "4.14.154"
+LINUX_VERSION_mpc8315e-rdb = "4.14.154"
diff --git a/external/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.18.bbappend b/external/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.18.bbappend
index 7f15843f..11b35cc1 100644
--- a/external/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.18.bbappend
+++ b/external/poky/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.18.bbappend
@@ -8,11 +8,11 @@ KMACHINE_genericx86 ?= "common-pc"
KMACHINE_genericx86-64 ?= "common-pc-64"
KMACHINE_beaglebone-yocto ?= "beaglebone"
-SRCREV_machine_genericx86 ?= "db2d813869a0501782469ecdb17e277a501c9f57"
-SRCREV_machine_genericx86-64 ?= "db2d813869a0501782469ecdb17e277a501c9f57"
-SRCREV_machine_edgerouter ?= "28e7781d57a59227bf1c08c7f3dbdfee16aa0dc2"
-SRCREV_machine_beaglebone-yocto ?= "28e7781d57a59227bf1c08c7f3dbdfee16aa0dc2"
-SRCREV_machine_mpc8315e-rdb ?= "99071a599d8650b069fb8135866fca203f375350"
+SRCREV_machine_genericx86 ?= "b24d9d2146d4ce4ef3ad7251b936f35c69dcf0c4"
+SRCREV_machine_genericx86-64 ?= "b24d9d2146d4ce4ef3ad7251b936f35c69dcf0c4"
+SRCREV_machine_edgerouter ?= "b24d9d2146d4ce4ef3ad7251b936f35c69dcf0c4"
+SRCREV_machine_beaglebone-yocto ?= "b24d9d2146d4ce4ef3ad7251b936f35c69dcf0c4"
+SRCREV_machine_mpc8315e-rdb ?= "0802dc980cbc8bdb156d6fe305e7b88e6b602634"
COMPATIBLE_MACHINE_genericx86 = "genericx86"
COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
@@ -20,8 +20,8 @@ COMPATIBLE_MACHINE_edgerouter = "edgerouter"
COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
COMPATIBLE_MACHINE_mpc8315e-rdb = "mpc8315e-rdb"
-LINUX_VERSION_genericx86 = "4.18.22"
-LINUX_VERSION_genericx86-64 = "4.18.22"
-LINUX_VERSION_edgerouter = "4.18.25"
-LINUX_VERSION_beaglebone-yocto = "4.18.25"
-LINUX_VERSION_mpc8315e-rdb = "4.18.25"
+LINUX_VERSION_genericx86 = "4.18.35"
+LINUX_VERSION_genericx86-64 = "4.18.35"
+LINUX_VERSION_edgerouter = "4.18.35"
+LINUX_VERSION_beaglebone-yocto = "4.18.35"
+LINUX_VERSION_mpc8315e-rdb = "4.18.35"
diff --git a/external/poky/meta/classes/cve-check.bbclass b/external/poky/meta/classes/cve-check.bbclass
index 743bc08a..19ed5548 100644
--- a/external/poky/meta/classes/cve-check.bbclass
+++ b/external/poky/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -37,39 +37,39 @@ CVE_CHECK_COPY_FILES ??= "1"
CVE_CHECK_CREATE_MANIFEST ??= "1"
# Whitelist for packages (PN)
-CVE_CHECK_PN_WHITELIST = "\
- glibc-locale \
-"
+CVE_CHECK_PN_WHITELIST ?= ""
-# Whitelist for CVE and version of package
-CVE_CHECK_CVE_WHITELIST = "{\
- 'CVE-2014-2524': ('6.3','5.2',), \
-}"
+# Whitelist for CVE. If a CVE is found, then it is considered patched.
+# The value is a string containing space separated CVE values:
+#
+# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
+#
+CVE_CHECK_WHITELIST ?= ""
python do_cve_check () {
"""
Check recipe for patched and unpatched CVEs
"""
- if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
+ if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
patched_cves = get_patches_cves(d)
patched, unpatched = check_cves(d, patched_cves)
if patched or unpatched:
cve_data = get_cve_info(d, patched + unpatched)
cve_write_data(d, patched, unpatched, cve_data)
else:
- bb.note("Failed to update CVE database, skipping CVE check")
+ bb.note("No CVE database found, skipping CVE check")
+
}
-addtask cve_check after do_unpack before do_build
-do_cve_check[depends] = "cve-check-tool-native:do_populate_sysroot cve-check-tool-native:do_populate_cve_db"
+addtask cve_check before do_build
+do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
do_cve_check[nostamp] = "1"
python cve_check_cleanup () {
"""
Delete the file used to gather all the CVE information.
"""
-
bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE"))
}
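Review bot: When `CVE_CHECK_DB_FILE` does not exist, `do_cve_check` reports it only through `bb.note("No CVE database found, skipping CVE check")`, so a build that inherits this class can finish with no CVE report. Note-level messages normally end up only in the task log, which leaves nothing prominent to show that the scan never ran. Raising the message to `bb.warn("No CVE database found, skipping CVE check")` would make a skipped scan visible to whoever reads the build output.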
@@ -163,89 +163,121 @@ def get_patches_cves(d):
def check_cves(d, patched_cves):
"""
- Run cve-check-tool looking for patched and unpatched CVEs.
+ Connect to the NVD database and find unpatched cves.
"""
+ from distutils.version import LooseVersion
- import ast, csv, tempfile, subprocess, io
-
- cves_patched = []
cves_unpatched = []
- bpn = d.getVar("CVE_PRODUCT")
+ # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
+ products = d.getVar("CVE_PRODUCT").split()
# If this has been unset then we're not scanning for CVEs here (for example, image recipes)
- if not bpn:
+ if not products:
return ([], [])
pv = d.getVar("CVE_VERSION").split("+git")[0]
- cves = " ".join(patched_cves)
- cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
- cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
- cve_cmd = "cve-check-tool"
- cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
# If the recipe has been whitlisted we return empty lists
if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
bb.note("Recipe has been whitelisted, skipping check")
return ([], [])
- try:
- # Write the faux CSV file to be used with cve-check-tool
- fd, faux = tempfile.mkstemp(prefix="cve-faux-")
- with os.fdopen(fd, "w") as f:
- for pn in bpn.split():
- f.write("%s,%s,%s,\n" % (pn, pv, cves))
- cmd.append(faux)
-
- output = subprocess.check_output(cmd).decode("utf-8")
- bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output))
- except subprocess.CalledProcessError as e:
- bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output))
- finally:
- os.remove(faux)
-
- for row in csv.reader(io.StringIO(output)):
- # Third row has the unpatched CVEs
- if row[2]:
- for cve in row[2].split():
- # Skip if the CVE has been whitlisted for the current version
- if pv in cve_whitelist.get(cve,[]):
- bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve))
+ old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
+ if old_cve_whitelist:
+ bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
+ cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
+
+ import sqlite3
+ db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
+ conn = sqlite3.connect(db_file, uri=True)
+
+ # For each of the known product names (e.g. curl has CPEs using curl and libcurl)...
+ for product in products:
+ if ":" in product:
+ vendor, product = product.split(":", 1)
+ else:
+ vendor = "%"
+
+ # Find all relevant CVE IDs.
+ for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
+ cve = cverow[0]
+
+ if cve in cve_whitelist:
+ bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
+ # TODO: this should be in the report as 'whitelisted'
+ patched_cves.add(cve)
+ continue
+ elif cve in patched_cves:
+ bb.note("%s has been patched" % (cve))
+ continue
+
+ vulnerable = False
+ for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
+ (_, _, _, version_start, operator_start, version_end, operator_end) = row
+ #bb.debug(2, "Evaluating row " + str(row))
+
+ if (operator_start == '=' and pv == version_start):
+ vulnerable = True
else:
+ if operator_start:
+ try:
+ vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
+ vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+ except:
+ bb.warn("%s: Failed to compare %s %s %s for %s" %
+ (product, pv, operator_start, version_start, cve))
+ vulnerable_start = False
+ else:
+ vulnerable_start = False
+
+ if operator_end:
+ try:
+ vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
+ vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+ except:
+ bb.warn("%s: Failed to compare %s %s %s for %s" %
+ (product, pv, operator_end, version_end, cve))
+ vulnerable_end = False
+ else:
+ vulnerable_end = False
+
+ if operator_start and operator_end:
+ vulnerable = vulnerable_start and vulnerable_end
+ else:
+ vulnerable = vulnerable_start or vulnerable_end
+
+ if vulnerable:
+ bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
cves_unpatched.append(cve)
- bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve))
- # Fourth row has patched CVEs
- if row[3]:
- for cve in row[3].split():
- cves_patched.append(cve)
- bb.debug(2, "%s-%s is patched for %s" % (bpn, pv, cve))
+ break
+
+ if not vulnerable:
+ bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
+ # TODO: not patched but not vulnerable
+ patched_cves.add(cve)
+
+ conn.close()
- return (cves_patched, cves_unpatched)
+ return (list(patched_cves), cves_unpatched)
def get_cve_info(d, cves):
"""
- Get CVE information from the database used by cve-check-tool.
-
- Unfortunately the only way to get CVE info is set the output to
- html (hard to parse) or query directly the database.
+ Get CVE information from the database.
"""
- try:
- import sqlite3
- except ImportError:
- from pysqlite2 import dbapi2 as sqlite3
+ import sqlite3
cve_data = {}
- db_file = d.getVar("CVE_CHECK_DB_FILE")
- placeholder = ",".join("?" * len(cves))
- query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholder
- conn = sqlite3.connect(db_file)
- cur = conn.cursor()
- for row in cur.execute(query, tuple(cves)):
- cve_data[row[0]] = {}
- cve_data[row[0]]["summary"] = row[1]
- cve_data[row[0]]["score"] = row[2]
- cve_data[row[0]]["modified"] = row[3]
- cve_data[row[0]]["vector"] = row[4]
- conn.close()
+ conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
+ for cve in cves:
+ for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
+ cve_data[row[0]] = {}
+ cve_data[row[0]]["summary"] = row[1]
+ cve_data[row[0]]["scorev2"] = row[2]
+ cve_data[row[0]]["scorev3"] = row[3]
+ cve_data[row[0]]["modified"] = row[4]
+ cve_data[row[0]]["vector"] = row[5]
+
+ conn.close()
return cve_data
def cve_write_data(d, patched, unpatched, cve_data):
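Review bot: In `check_cves`, a failed `LooseVersion` comparison is caught by a bare `except:` that sets `vulnerable_start` or `vulnerable_end` to `False`, so unless another row matches, the CVE falls through to `patched_cves.add(cve)` and is reported as patched. A version the comparator cannot handle should fail closed instead: catch `except Exception:`, keep the `bb.warn`, and set `vulnerable_start = True` (likewise `vulnerable_end = True`) so the CVE lands in `cves_unpatched`. The same `patched_cves.add(cve)` in the not-vulnerable branch also affects recipes with several entries in `CVE_PRODUCT`: once the first product marks a CVE as not vulnerable, the next product hits `elif cve in patched_cves` and skips its own version check. A CVE that matches under two products is also appended to `cves_unpatched` twice. `get_cve_info` opens the database without the `mode=ro` URI that `check_cves` uses; `sqlite3.connect(d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro"), uri=True)` would keep both paths read-only.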
@@ -270,7 +302,8 @@ def cve_write_data(d, patched, unpatched, cve_data):
unpatched_cves.append(cve)
write_string += "CVE STATUS: Unpatched\n"
write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
- write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"]
+ write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
+ write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
diff --git a/external/poky/meta/classes/kernel.bbclass b/external/poky/meta/classes/kernel.bbclass
index bd185e25..c72d1fe7 100644
--- a/external/poky/meta/classes/kernel.bbclass
+++ b/external/poky/meta/classes/kernel.bbclass
@@ -451,7 +451,7 @@ do_shared_workdir () {
cp .config $kerneldir/
mkdir -p $kerneldir/include/config
cp include/config/kernel.release $kerneldir/include/config/kernel.release
- if [ -e certs/signing_key.pem ]; then
+ if [ -e certs/signing_key.x509 ]; then
# The signing_key.* files are stored in the certs/ dir in
# newer Linux kernels
mkdir -p $kerneldir/certs
diff --git a/external/poky/meta/conf/distro/include/maintainers.inc b/external/poky/meta/conf/distro/include/maintainers.inc
index 672f0677..c027901f 100644
--- a/external/poky/meta/conf/distro/include/maintainers.inc
+++ b/external/poky/meta/conf/distro/include/maintainers.inc
@@ -116,6 +116,7 @@ RECIPE_MAINTAINER_pn-cryptodev-tests = "Robert Yang <liezhi.yang@windriver.com>"
RECIPE_MAINTAINER_pn-cups = "Chen Qi <Qi.Chen@windriver.com>"
RECIPE_MAINTAINER_pn-curl = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER_pn-cve-check-tool = "Ross Burton <ross.burton@intel.com>"
+RECIPE_MAINTAINER_pn-cve-update-db-native = "Ross Burton <ross.burton@intel.com>"
RECIPE_MAINTAINER_pn-cwautomacros = "Ross Burton <ross.burton@intel.com>"
RECIPE_MAINTAINER_pn-db = "Mark Hatle <mark.hatle@windriver.com>"
RECIPE_MAINTAINER_pn-dbus = "Chen Qi <Qi.Chen@windriver.com>"
diff --git a/external/poky/meta/conf/distro/include/yocto-uninative.inc b/external/poky/meta/conf/distro/include/yocto-uninative.inc
index df243468..ad75d3e2 100644
--- a/external/poky/meta/conf/distro/include/yocto-uninative.inc
+++ b/external/poky/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@
# to the distro running on the build machine.
#
-UNINATIVE_MAXGLIBCVERSION = "2.29"
+UNINATIVE_MAXGLIBCVERSION = "2.30"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.6/"
-UNINATIVE_CHECKSUM[aarch64] ?= "a37118fc8b423f48146120707b81dd15017512c3e8ef9e6ca2cb3a033f4f4046"
-UNINATIVE_CHECKSUM[i686] ?= "3234fc3ded810225071f23a0e9a99f4f8c2480059945a848eff076ce78122ade"
-UNINATIVE_CHECKSUM[x86_64] ?= "133387753a9acf3e1b788103c59fac91e968e2ee331d7a4b9498e926ada7be57"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.7/"
+UNINATIVE_CHECKSUM[aarch64] ?= "e76a45886ee8a0b3904b761c17ac8ff91edf9811ee455f1832d10763ba794dfc"
+UNINATIVE_CHECKSUM[i686] ?= "810d027dfb1c7675226afbcec07808770516c969ee7378f6d8240281083f8924"
+UNINATIVE_CHECKSUM[x86_64] ?= "9498d8bba047499999a7310ac2576d0796461184965351a56f6d32c888a1f216"
diff --git a/external/poky/meta/conf/machine/include/arm/arch-arm64.inc b/external/poky/meta/conf/machine/include/arm/arch-arm64.inc
index 5f90763f..53f45668 100644
--- a/external/poky/meta/conf/machine/include/arm/arch-arm64.inc
+++ b/external/poky/meta/conf/machine/include/arm/arch-arm64.inc
@@ -4,7 +4,7 @@ require conf/machine/include/arm/arch-armv7ve.inc
TUNEVALID[aarch64] = "Enable instructions for aarch64"
-MACHINEOVERRIDES .= "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', ':aarch64', '' ,d)}"
+MACHINEOVERRIDES =. "${@bb.utils.contains('TUNE_FEATURES', 'aarch64', 'aarch64:', '' ,d)}"
# Little Endian base configs
AVAILTUNES += "aarch64 aarch64_be"
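Review bot: The switch from `.=` with `':aarch64'` to `=.` with `'aarch64:'` moves `aarch64` from the end of `MACHINEOVERRIDES` to the front, and nothing on the line says why the position matters. Later entries in the override list take precedence, so this makes `aarch64` lower priority than the machine-specific overrides. A one-line comment above the assignment, e.g. `# Prepend: machine-specific overrides must win over the generic aarch64 override`, would stop a later cleanup from moving it back.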
diff --git a/external/poky/meta/lib/oe/buildhistory_analysis.py b/external/poky/meta/lib/oe/buildhistory_analysis.py
index ad7fceb8..d3cde4f6 100644
--- a/external/poky/meta/lib/oe/buildhistory_analysis.py
+++ b/external/poky/meta/lib/oe/buildhistory_analysis.py
@@ -127,7 +127,7 @@ class ChangeRecord:
removed = list(set(aitems) - set(bitems))
added = list(set(bitems) - set(aitems))
- if not removed and not added:
+ if not removed and not added and self.fieldname in ['RPROVIDES', 'RDEPENDS', 'RRECOMMENDS', 'RSUGGESTS', 'RREPLACES', 'RCONFLICTS']:
depvera = bb.utils.explode_dep_versions2(self.oldvalue, sort=False)
depverb = bb.utils.explode_dep_versions2(self.newvalue, sort=False)
for i, j in zip(depvera.items(), depverb.items()):
diff --git a/external/poky/meta/lib/oe/package_manager.py b/external/poky/meta/lib/oe/package_manager.py
index 7d880481..882e7c42 100644
--- a/external/poky/meta/lib/oe/package_manager.py
+++ b/external/poky/meta/lib/oe/package_manager.py
@@ -1329,8 +1329,6 @@ class OpkgPM(OpkgDpkgPM):
cmd = "%s %s" % (self.opkg_cmd, self.opkg_args)
for exclude in (self.d.getVar("PACKAGE_EXCLUDE") or "").split():
cmd += " --add-exclude %s" % exclude
- for bad_recommendation in (self.d.getVar("BAD_RECOMMENDATIONS") or "").split():
- cmd += " --add-ignore-recommends %s" % bad_recommendation
cmd += " install "
cmd += " ".join(pkgs)
@@ -1399,6 +1397,45 @@ class OpkgPM(OpkgDpkgPM):
def list_installed(self):
return OpkgPkgsList(self.d, self.target_rootfs, self.config_file).list_pkgs()
+ def handle_bad_recommendations(self):
+ bad_recommendations = self.d.getVar("BAD_RECOMMENDATIONS") or ""
+ if bad_recommendations.strip() == "":
+ return
+
+ status_file = os.path.join(self.opkg_dir, "status")
+
+ # If status file existed, it means the bad recommendations has already
+ # been handled
+ if os.path.exists(status_file):
+ return
+
+ cmd = "%s %s info " % (self.opkg_cmd, self.opkg_args)
+
+ with open(status_file, "w+") as status:
+ for pkg in bad_recommendations.split():
+ pkg_info = cmd + pkg
+
+ try:
+ output = subprocess.check_output(pkg_info.split(), stderr=subprocess.STDOUT).strip().decode("utf-8")
+ except subprocess.CalledProcessError as e:
+ bb.fatal("Cannot get package info. Command '%s' "
+ "returned %d:\n%s" % (pkg_info, e.returncode, e.output.decode("utf-8")))
+
+ if output == "":
+ bb.note("Ignored bad recommendation: '%s' is "
+ "not a package" % pkg)
+ continue
+
+ for line in output.split('\n'):
+ if line.startswith("Status:"):
+ status.write("Status: deinstall hold not-installed\n")
+ else:
+ status.write(line + "\n")
+
+ # Append a blank line after each package entry to ensure that it
+ # is separated from the following entry
+ status.write("\n")
+
def dummy_install(self, pkgs):
"""
The following function dummy installs pkgs and returns the log of output.
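Review bot: `handle_bad_recommendations` creates the status file with `open(status_file, "w+")` before the first `opkg info` call, so a `bb.fatal` part-way through the loop leaves a partial file behind. The `os.path.exists(status_file)` guard at the top would then treat that partial file as "already handled" on a later call against the same directory; whether the directory is ever reused is not visible in this hunk. Collecting the entries in memory and writing the file once after every query has succeeded avoids this, and `"w"` is enough because the file is never read back. The method also has no docstring; it should state that it pre-seeds the opkg status file with `deinstall hold not-installed` entries and is a no-op when `BAD_RECOMMENDATIONS` is empty or the status file already exists.

```python
    def handle_bad_recommendations(self):
        # … unchanged: BAD_RECOMMENDATIONS lookup, status_file guard, cmd …
        entries = []
        for pkg in bad_recommendations.split():
            # … unchanged: opkg info call, bb.fatal on error, empty-output skip …
            for line in output.split('\n'):
                if line.startswith("Status:"):
                    entries.append("Status: deinstall hold not-installed\n")
                else:
                    entries.append(line + "\n")
            # Blank line keeps this entry separated from the next one
            entries.append("\n")

        # Written only after every query succeeded, so a failed run leaves no file behind
        with open(status_file, "w") as status:
            status.writelines(entries)
```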
diff --git a/external/poky/meta/lib/oe/rootfs.py b/external/poky/meta/lib/oe/rootfs.py
index aa9fb2e0..e5512d09 100644
--- a/external/poky/meta/lib/oe/rootfs.py
+++ b/external/poky/meta/lib/oe/rootfs.py
@@ -879,6 +879,8 @@ class OpkgRootfs(DpkgOpkgRootfs):
self.pm.update()
+ self.pm.handle_bad_recommendations()
+
if self.progress_reporter:
self.progress_reporter.next_stage()
diff --git a/external/poky/meta/lib/oe/sdk.py b/external/poky/meta/lib/oe/sdk.py
index 153b07d7..ef81f8cf 100644
--- a/external/poky/meta/lib/oe/sdk.py
+++ b/external/poky/meta/lib/oe/sdk.py
@@ -84,10 +84,6 @@ class Sdk(object, metaclass=ABCMeta):
bb.warn("cannot remove SDK dir: %s" % path)
def install_locales(self, pm):
- # This is only relevant for glibc
- if self.d.getVar("TCLIBC") != "glibc":
- return
-
linguas = self.d.getVar("SDKIMAGE_LINGUAS")
if linguas:
import fnmatch
diff --git a/external/poky/meta/lib/oeqa/selftest/context.py b/external/poky/meta/lib/oeqa/selftest/context.py
index c5212903..c56e53dc 100644
--- a/external/poky/meta/lib/oeqa/selftest/context.py
+++ b/external/poky/meta/lib/oeqa/selftest/context.py
@@ -108,6 +108,7 @@ class OESelftestTestContextExecutor(OETestContextExecutor):
logdir = os.environ.get("BUILDDIR")
if 'LOG_DIR' in bbvars:
logdir = bbvars['LOG_DIR']
+ bb.utils.mkdirhier(logdir)
args.output_log = logdir + '/%s-results-%s.log' % (self.name, args.test_start_time)
super(OESelftestTestContextExecutor, self)._process_args(logger, args)
diff --git a/external/poky/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch b/external/poky/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
deleted file mode 100644
index 7a2ba7ea..00000000
--- a/external/poky/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Upstream-Status: Backport [https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740]
-
-CVE: CVE-2018-5740
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
-
-diff --git a/CHANGES b/CHANGES
-index 750b600..3d8d655 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,9 @@
-+ --- 9.11.4-P1 released ---
-+
-+4997. [security] named could crash during recursive processing
-+ of DNAME records when "deny-answer-aliases" was
-+ in use. (CVE-2018-5740) [GL #387]
-+
- --- 9.11.4 released ---
-
- --- 9.11.4rc2 released ---
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index 8f674a2..41d1385 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
- unsigned int nlabels;
- dns_fixedname_t fixed;
- dns_name_t prefix;
-+ int order;
-
- REQUIRE(rdataset != NULL);
- REQUIRE(rdataset->type == dns_rdatatype_cname ||
-@@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
- tname = &cname.cname;
- break;
- case dns_rdatatype_dname:
-+ if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
-+ dns_namereln_subdomain)
-+ {
-+ return (ISC_TRUE);
-+ }
- result = dns_rdata_tostruct(&rdata, &dname, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_name_init(&prefix, NULL);
- tname = dns_fixedname_initname(&fixed);
-- nlabels = dns_name_countlabels(qname) -
-- dns_name_countlabels(rname);
-+ nlabels = dns_name_countlabels(rname);
- dns_name_split(qname, nlabels, &prefix, NULL);
- result = dns_name_concatenate(&prefix, &dname.dname, tname,
- NULL);
-- if (result == DNS_R_NAMETOOLONG)
-+ if (result == DNS_R_NAMETOOLONG) {
-+ if (chainingp != NULL) {
-+ *chainingp = ISC_TRUE;
-+ }
- return (ISC_TRUE);
-+ }
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- break;
- default:
-@@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) {
- }
- if ((ardataset->type == dns_rdatatype_cname ||
- ardataset->type == dns_rdatatype_dname) &&
-- !is_answertarget_allowed(fctx, qname, aname, ardataset,
-+ type != ardataset->type &&
-+ type != dns_rdatatype_any &&
-+ !is_answertarget_allowed(fctx, qname, aname, ardataset,
- NULL))
- {
- return (DNS_R_SERVFAIL);
diff --git a/external/poky/meta/recipes-connectivity/bind/bind_9.11.4.bb b/external/poky/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
index cb4a21a9..432bad01 100644
--- a/external/poky/meta/recipes-connectivity/bind/bind_9.11.4.bb
+++ b/external/poky/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.isc.org/sw/bind/"
SECTION = "console/network"
LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=6ba7c9fe0c888a943c79c93e6de744fb"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=8f17f64e47e83b60cd920a1e4b54419e"
DEPENDS = "openssl libcap zlib"
@@ -20,14 +20,14 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
file://0001-avoid-start-failure-with-bind-user.patch \
- file://CVE-2018-5740.patch \
"
-SRC_URI[md5sum] = "9b4834d78f30cdb796ce437262272a36"
-SRC_URI[sha256sum] = "595070b031f869f8939656b5a5d11b121211967f15f6afeafa895df745279617"
+SRC_URI[md5sum] = "8ddab4b61fa4516fe404679c74e37960"
+SRC_URI[sha256sum] = "7e8c08192bcbaeb6e9f2391a70e67583b027b90e8c4bc1605da6eb126edde434"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/"
+RECIPE_NO_UPDATE_REASON = "9.11 is LTS 2021"
inherit autotools update-rc.d systemd useradd pkgconfig multilib_script
diff --git a/external/poky/meta/recipes-connectivity/dhcp/dhcp/0001-master-Added-includes-of-new-BIND9-compatibility-hea.patch b/external/poky/meta/recipes-connectivity/dhcp/dhcp/0001-master-Added-includes-of-new-BIND9-compatibility-hea.patch
new file mode 100644
index 00000000..1bc14224
--- /dev/null
+++ b/external/poky/meta/recipes-connectivity/dhcp/dhcp/0001-master-Added-includes-of-new-BIND9-compatibility-hea.patch
@@ -0,0 +1,79 @@
+From 8194daabfd590f17825f0c61e9534bee5c99cc86 Mon Sep 17 00:00:00 2001
+From: Thomas Markwalder <tmark@isc.org>
+Date: Fri, 14 Sep 2018 13:41:41 -0400
+Subject: [master] Added includes of new BIND9 compatibility headers
+
+ Merges in rt48072.
+
+Upstream-Status: Backport
+Signed-off-by: Adrian Bunk <bunk@stusta.de>
+
+diff --git a/includes/omapip/isclib.h b/includes/omapip/isclib.h
+index 75a87ff6..538b927f 100644
+--- a/includes/omapip/isclib.h
++++ b/includes/omapip/isclib.h
+@@ -48,6 +48,9 @@
+ #include <string.h>
+ #include <netdb.h>
+
++#include <isc/boolean.h>
++#include <isc/int.h>
++
+ #include <isc/buffer.h>
+ #include <isc/lex.h>
+ #include <isc/lib.h>
+diff --git a/includes/omapip/result.h b/includes/omapip/result.h
+index 91243e1b..860298f6 100644
+--- a/includes/omapip/result.h
++++ b/includes/omapip/result.h
+@@ -26,6 +26,7 @@
+ #ifndef DHCP_RESULT_H
+ #define DHCP_RESULT_H 1
+
++#include <isc/boolean.h>
+ #include <isc/lang.h>
+ #include <isc/resultclass.h>
+ #include <isc/types.h>
+diff --git a/server/dhcpv6.c b/server/dhcpv6.c
+index a7110f98..cde4f617 100644
+--- a/server/dhcpv6.c
++++ b/server/dhcpv6.c
+@@ -1034,7 +1034,8 @@ void check_pool6_threshold(struct reply_state *reply,
+ shared_name,
+ inet_ntop(AF_INET6, &lease->addr,
+ tmp_addr, sizeof(tmp_addr)),
+- used, count);
++ (long long unsigned)(used),
++ (long long unsigned)(count));
+ }
+ return;
+ }
+@@ -1066,7 +1067,8 @@ void check_pool6_threshold(struct reply_state *reply,
+ "address: %s; high threshold %d%% %llu/%llu.",
+ shared_name,
+ inet_ntop(AF_INET6, &lease->addr, tmp_addr, sizeof(tmp_addr)),
+- poolhigh, used, count);
++ poolhigh, (long long unsigned)(used),
++ (long long unsigned)(count));
+
+ /* handle the low threshold now, if we don't
+ * have one we default to 0. */
+@@ -1436,12 +1438,15 @@ pick_v6_address(struct reply_state *reply)
+ log_debug("Unable to pick client address: "
+ "no addresses available - shared network %s: "
+ " 2^64-1 < total, %llu active, %llu abandoned",
+- shared_name, active - abandoned, abandoned);
++ shared_name, (long long unsigned)(active - abandoned),
++ (long long unsigned)(abandoned));
+ } else {
+ log_debug("Unable to pick client address: "
+ "no addresses available - shared network %s: "
+ "%llu total, %llu active, %llu abandoned",
+- shared_name, total, active - abandoned, abandoned);
++ shared_name, (long long unsigned)(total),
++ (long long unsigned)(active - abandoned),
++ (long long unsigned)(abandoned));
+ }
+
+ return ISC_R_NORESOURCES;
+
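Review bot: The patch header says `Upstream-Status: Backport` with no reference to the upstream commit, so the only trace to the origin is the hash on the `From` line and the opaque "Merges in rt48072". The usual form is `Upstream-Status: Backport [<upstream commit URL>]`, which lets a later reviewer confirm the backport matches upstream. The subject mentions only the new includes, while the patch also changes the `%llu` arguments in `server/dhcpv6.c` to `(long long unsigned)` casts, and the header could say so. The added `<isc/boolean.h>` and `<isc/int.h>` presumably come from the external bind (bumped to 9.11.5-P4 in this commit), so a line stating that dependency would help whoever next updates either recipe.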
diff --git a/external/poky/meta/recipes-connectivity/dhcp/dhcp/0008-tweak-to-support-external-bind.patch b/external/poky/meta/recipes-connectivity/dhcp/dhcp/0008-tweak-to-support-external-bind.patch
deleted file mode 100644
index 006d18ae..00000000
--- a/external/poky/meta/recipes-connectivity/dhcp/dhcp/0008-tweak-to-support-external-bind.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 92875f5cc44914515e50c11c503a09cec90497b2 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Sat, 11 Jun 2016 22:51:44 -0400
-Subject: [PATCH 08/11] tweak to support external bind
-
-Tweak the external bind to oe-core's sysroot rather than
-external bind source build.
-
-Upstream-Status: Inappropriate <oe-core specific>
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- client/Makefile.am | 2 +-
- client/tests/Makefile.am | 2 +-
- common/tests/Makefile.am | 2 +-
- dhcpctl/Makefile.am | 2 +-
- omapip/Makefile.am | 2 +-
- relay/Makefile.am | 2 +-
- server/Makefile.am | 2 +-
- server/tests/Makefile.am | 2 +-
- 8 files changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/client/Makefile.am b/client/Makefile.am
-index 4730bb3..84d8131 100644
---- a/client/Makefile.am
-+++ b/client/Makefile.am
-@@ -4,7 +4,7 @@
- # production code. Sadly, we are not there yet.
- SUBDIRS = . tests
-
--BINDLIBDIR = @BINDDIR@/lib
-+BINDLIBDIR = @BINDDIR@
-
- AM_CPPFLAGS = -DCLIENT_PATH='"PATH=$(sbindir):/sbin:/bin:/usr/sbin:/usr/bin"' \
- -DLOCALSTATEDIR='"$(localstatedir)"' -I$(top_srcdir)/includes
-diff --git a/client/tests/Makefile.am b/client/tests/Makefile.am
-index 5031d0c..a8dfd26 100644
---- a/client/tests/Makefile.am
-+++ b/client/tests/Makefile.am
-@@ -1,6 +1,6 @@
- SUBDIRS = .
-
--BINDLIBDIR = @BINDDIR@/lib
-+BINDLIBDIR = @BINDDIR@
-
- AM_CPPFLAGS = $(ATF_CFLAGS) -DUNIT_TEST -I$(top_srcdir)/includes
- AM_CPPFLAGS += -I@BINDDIR@/include -I$(top_srcdir)
-diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am
-index f6a43e4..2f98d22 100644
---- a/common/tests/Makefile.am
-+++ b/common/tests/Makefile.am
-@@ -1,6 +1,6 @@
- SUBDIRS = .
-
--BINDLIBDIR = @BINDDIR@/lib
-+BINDLIBDIR = @BINDDIR@
-
- AM_CPPFLAGS = $(ATF_CFLAGS) -I$(top_srcdir)/includes
-
-diff --git a/dhcpctl/Makefile.am b/dhcpctl/Makefile.am
-index ba8dd8b..9b2486e 100644
---- a/dhcpctl/Makefile.am
-+++ b/dhcpctl/Makefile.am
-@@ -1,4 +1,4 @@
--BINDLIBDIR = @BINDDIR@/lib
-+BINDLIBDIR = @BINDDIR@
-
- AM_CPPFLAGS = -I$(top_srcdir)/includes -I$(top_srcdir)
-
-diff --git a/omapip/Makefile.am b/omapip/Makefile.am
-index dd1afa0..e4a8599 100644
---- a/omapip/Makefile.am
-+++ b/omapip/Makefile.am
-@@ -1,4 +1,4 @@
--BINDLIBDIR = @BINDDIR@/lib
-+BINDLIBDIR = @BINDDIR@
- AM_CPPFLAGS = -I$(top_srcdir)/includes
-
- lib_LIBRARIES = libomapi.a
-diff --git a/relay/Makefile.am b/relay/Makefile.am
-index 6d652f6..b3bf578 100644
---- a/relay/Makefile.am
-+++ b/relay/Makefile.am
-@@ -1,4 +1,4 @@
--BINDLIBDIR = @BINDDIR@/lib
-+BINDLIBDIR = @BINDDIR@
-
- AM_CPPFLAGS = -DLOCALSTATEDIR='"@localstatedir@"' -I$(top_srcdir)/includes
-
-diff --git a/server/Makefile.am b/server/Makefile.am
-index 3990b9c..b5d8c2d 100644
---- a/server/Makefile.am
-+++ b/server/Makefile.am
-@@ -4,7 +4,7 @@
- # production code. Sadly, we are not there yet.
- SUBDIRS = . tests
-
--BINDLIBDIR = @BINDDIR@/lib
-+BINDLIBDIR = @BINDDIR@
-
- AM_CPPFLAGS = -I$(top_srcdir) -DLOCALSTATEDIR='"@localstatedir@"' -I$(top_srcdir)/includes
-
-diff --git a/server/tests/Makefile.am b/server/tests/Makefile.am
-index a87c5e7..9821081 100644
---- a/server/tests/Makefile.am
-+++ b/server/tests/Makefile.am
-@@ -1,6 +1,6 @@
- SUBDIRS = .
-
--BINDLIBDIR = @BINDDIR@/lib
-+BINDLIBDIR = @BINDDIR@
-
- AM_CPPFLAGS = $(ATF_CFLAGS) -DUNIT_TEST -I$(top_srcdir)/includes
- AM_CPPFLAGS += -I@BINDDIR@/include -I$(top_srcdir)
---
-1.8.3.1
-
diff --git a/external/poky/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb b/external/poky/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb
index 159abbc4..e8cc731a 100644
--- a/external/poky/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb
+++ b/external/poky/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
file://0009-remove-dhclient-script-bash-dependency.patch \
file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
file://0013-fixup_use_libbind.patch \
+ file://0001-master-Added-includes-of-new-BIND9-compatibility-hea.patch \
"
SRC_URI[md5sum] = "18c7f4dcbb0a63df25098216d47b1ede"
diff --git a/external/poky/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch b/external/poky/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch
new file mode 100644
index 00000000..393c70ca
--- /dev/null
+++ b/external/poky/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch
@@ -0,0 +1,127 @@
+From f0120c5d97a4cc1b659e86d38f2b1f646ca20ea3 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 30 May 2019 12:53:03 +0100
+Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
+ owner
+
+The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
+of a shared home directory by having the server write a secret "cookie"
+into a .dbus-keyrings subdirectory of the desired identity's home
+directory with 0700 permissions, and having the client prove that it can
+read the cookie. This never actually worked for non-malicious clients in
+the case where server uid != client uid (unless the server and client
+both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
+Unix uid 0) because an unprivileged server would fail to write out the
+cookie, and an unprivileged client would be unable to read the resulting
+file owned by the server.
+
+Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
+is owned by the uid of the server (a side-effect of a check added to
+harden our use of XDG_RUNTIME_DIR), further ruling out successful use
+by a non-malicious client with a uid differing from the server's.
+
+Joe Vennix of Apple Information Security discovered that the
+implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
+attack: a malicious client with write access to its own home directory
+could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
+read and write in unintended locations. In the worst case this could
+result in the DBusServer reusing a cookie that is known to the
+malicious client, and treating that cookie as evidence that a subsequent
+client connection came from an attacker-chosen uid, allowing
+authentication bypass.
+
+This is mitigated by the fact that by default, the well-known system
+dbus-daemon (since 2003) and the well-known session dbus-daemon (in
+stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
+authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
+at an early stage, before manipulating cookies. As a result, this
+vulnerability only applies to:
+
+* system or session dbus-daemons with non-standard configuration
+* third-party dbus-daemon invocations such as at-spi2-core (although
+ in practice at-spi2-core also only accepts EXTERNAL by default)
+* third-party uses of DBusServer such as the one in Upstart
+
+Avoiding symlink attacks in a portable way is difficult, because APIs
+like openat() and Linux /proc/self/fd are not universally available.
+However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
+a non-matching uid, we can solve this vulnerability in an easier way
+without regressions, by rejecting it early (before looking at
+~/.dbus-keyrings) whenever the requested identity doesn't match the
+identity of the process hosting the DBusServer.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
+Closes: CVE-2019-12749
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/dbus/dbus/commit
+/47b1a4c41004bf494b87370987b222c934b19016]
+
+CVE: CVE-2019-12749
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
+index 37d8d4c9..7390a9d5 100644
+--- a/dbus/dbus-auth.c
++++ b/dbus/dbus-auth.c
+@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth,
+ DBusString tmp2;
+ dbus_bool_t retval = FALSE;
+ DBusError error = DBUS_ERROR_INIT;
++ DBusCredentials *myself = NULL;
+
+ _dbus_string_set_length (&auth->challenge, 0);
+
+@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth *auth,
+ return FALSE;
+ }
+
++ myself = _dbus_credentials_new_from_current_process ();
++
++ if (myself == NULL)
++ goto out;
++
++ if (!_dbus_credentials_same_user (myself, auth->desired_identity))
++ {
++ /*
++ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
++ * client is anyone other than the user owning the process
++ * containing the DBusServer: we probably aren't allowed to write
++ * to other users' home directories. Even if we can (for example
++ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
++ * must not, because the other user controls their home directory,
++ * and could carry out symlink attacks to make us read from or
++ * write to unintended locations. It's difficult to avoid symlink
++ * attacks in a portable way, so we just don't try. This isn't a
++ * regression, because DBUS_COOKIE_SHA1 never worked for other
++ * users anyway.
++ */
++ _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
++ "but that doesn't match this process",
++ DBUS_AUTH_NAME (auth),
++ _dbus_string_get_const_data (data));
++ retval = send_rejected (auth);
++ goto out;
++ }
++
+ /* we cache the keyring for speed, so here we drop it if it's the
+ * wrong one. FIXME caching the keyring here is useless since we use
+ * a different DBusAuth for every connection.
+@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth *auth,
+ _dbus_string_zero (&tmp2);
+ _dbus_string_free (&tmp2);
+
++ if (myself != NULL)
++ _dbus_credentials_unref (myself);
++
+ return retval;
+ }
+
+--
+2.22.0
+
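Review bot: The `Upstream-Status: Backport` reference in the patch header is split across two lines (`[https://gitlab.freedesktop.org/dbus/dbus/commit` and then `/47b1a4c41004bf494b87370987b222c934b19016]`), so the link cannot be followed or matched as written. It should be a single line, `[https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016]`; the header of CVE-2019-13012.patch in this commit has the same split. On the code, the rejected attempt to authenticate as a different user is reported only through `_dbus_verbose`, which is presumably silent in ordinary builds, so deployments that accept DBUS_COOKIE_SHA1 get no log trace of such attempts from this backport. The body of `sha1_handle_first_client_response` and its `out:` label lie outside the inner patch's hunks, so the placement of the added `_dbus_credentials_unref (myself)` relative to that label cannot be confirmed from here.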
diff --git a/external/poky/meta/recipes-core/dbus/dbus_1.12.10.bb b/external/poky/meta/recipes-core/dbus/dbus_1.12.10.bb
index d71f7f70..d7ad1d8b 100644
--- a/external/poky/meta/recipes-core/dbus/dbus_1.12.10.bb
+++ b/external/poky/meta/recipes-core/dbus/dbus_1.12.10.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://tmpdir.patch \
file://dbus-1.init \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+ file://CVE-2019-12749.patch \
"
SRC_URI[md5sum] = "c3e12b4206e2a7da39d7cc42567790ef"
diff --git a/external/poky/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch b/external/poky/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
new file mode 100644
index 00000000..29c5d984
--- /dev/null
+++ b/external/poky/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
@@ -0,0 +1,47 @@
+From c7f7fd53780f8caebccc903d61ffc21632b46a6c Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: [PATCH] keyfile settings: Use tighter permissions
+
+When creating directories, create them with 700 permissions,
+instead of 777.
+
+Closes: #1658
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/glib/commit
+/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429]
+
+CVE: CVE-2019-13012
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ gio/gkeyfilesettingsbackend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index a37978e83..580a0b0a1 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write (GKeyfileSettingsBackend *kfsb)
+
+ contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+ g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ NULL, NULL, NULL);
+
+ compute_checksum (kfsb->digest, contents, length);
+@@ -640,7 +641,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
+
+ kfsb->file = g_file_new_for_path (filename);
+ kfsb->dir = g_file_get_parent (kfsb->file);
+- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
++ g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
+
+ kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
+ kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
+--
+2.22.0
+
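Review bot: The `0700` passed to `g_mkdir_with_parents` in `g_keyfile_settings_backend_new` applies only to directories that the call creates, so a settings directory already created with the old, wider mode keeps its permissions after this patch. The patch header should say so, e.g. `Note: existing directories are not tightened; only newly created ones get 0700.` The return value of `g_mkdir_with_parents` is also discarded, and `g_file_replace_contents` in `g_keyfile_settings_backend_keyfile_write` is called with a NULL error and its result ignored, so a failure to create the directory or write the file with the private flags passes silently. Both functions continue outside the inner patch's hunks.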
diff --git a/external/poky/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb b/external/poky/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb
index f0075969..611abd8e 100644
--- a/external/poky/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb
+++ b/external/poky/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb
@@ -17,6 +17,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2019-12450.patch \
file://CVE-2019-9633_p1.patch \
file://CVE-2019-9633_p2.patch \
+ file://CVE-2019-13012.patch \
"
SRC_URI_append_class-native = " file://relocate-modules.patch"
diff --git a/external/poky/meta/recipes-core/glibc/glibc-locale.inc b/external/poky/meta/recipes-core/glibc/glibc-locale.inc
index 1b676dc2..97d83cb8 100644
--- a/external/poky/meta/recipes-core/glibc/glibc-locale.inc
+++ b/external/poky/meta/recipes-core/glibc/glibc-locale.inc
@@ -95,3 +95,6 @@ do_install () {
inherit libc-package
BBCLASSEXTEND = "nativesdk"
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/external/poky/meta/recipes-core/glibc/glibc-mtrace.inc b/external/poky/meta/recipes-core/glibc/glibc-mtrace.inc
index d703c14b..ef9d60ec 100644
--- a/external/poky/meta/recipes-core/glibc/glibc-mtrace.inc
+++ b/external/poky/meta/recipes-core/glibc/glibc-mtrace.inc
@@ -11,3 +11,6 @@ do_install() {
install -d -m 0755 ${D}${bindir}
install -m 0755 ${SRC}/mtrace ${D}${bindir}/
}
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/external/poky/meta/recipes-core/glibc/glibc-scripts.inc b/external/poky/meta/recipes-core/glibc/glibc-scripts.inc
index 2a2b4150..14a14e45 100644
--- a/external/poky/meta/recipes-core/glibc/glibc-scripts.inc
+++ b/external/poky/meta/recipes-core/glibc/glibc-scripts.inc
@@ -18,3 +18,6 @@ do_install() {
# sotruss script requires sotruss-lib.so (given by libsotruss package),
# to produce trace of the library calls.
RDEPENDS_${PN} += "libsotruss"
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/external/poky/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch b/external/poky/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
index 7eb55d66..7dc84288 100644
--- a/external/poky/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
+++ b/external/poky/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
@@ -5,12 +5,12 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
From 8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 21 Jan 2019 08:59:42 +0100
-Subject: [PATCH] resolv: Reformat inet_addr, inet_aton to GNU style
+Subject: [PATCH 1/4] resolv: Reformat inet_addr, inet_aton to GNU style
(cherry picked from commit 5e30b8ef0758763effa115634e0ed7d8938e4bc0)
---
ChangeLog | 5 ++
- resolv/inet_addr.c | 192 ++++++++++++++++++++++++++++-------------------------
+ resolv/inet_addr.c | 192 ++++++++++++++++++++++++---------------------
2 files changed, 106 insertions(+), 91 deletions(-)
diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c
@@ -229,4 +229,908 @@ index 022f7ea084..32f58b0e13 100644
weak_alias (__inet_aton, inet_aton)
libc_hidden_def (__inet_aton)
--
-2.11.0
+2.20.1
+
+
+From 37edf1d3f8ab9adefb61cc466ac52b53114fbd5b Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 21 Jan 2019 09:26:41 +0100
+Subject: [PATCH 2/4] resolv: Do not send queries for non-host-names in nss_dns
+ [BZ #24112]
+
+Before this commit, nss_dns would send a query which did not contain a
+host name as the query name (such as invalid\032name.example.com) and
+then reject the answer in getanswer_r and gaih_getanswer_slice, using
+a check based on res_hnok. With this commit, no query is sent, and a
+host-not-found error is returned to NSS without network interaction.
+
+(cherry picked from commit 6ca53a2453598804a2559a548a08424fca96434a)
+---
+ ChangeLog | 9 +++++++++
+ resolv/nss_dns/dns-host.c | 24 ++++++++++++++++++++++--
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index 5dc2829cd1..99c3b61e1c 100644
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -274,11 +274,26 @@ gethostbyname3_context (struct resolv_context *ctx,
+ return status;
+ }
+
++/* Verify that the name looks like a host name. There is no point in
++ sending a query which will not produce a usable name in the
++ response. */
++static enum nss_status
++check_name (const char *name, int *h_errnop)
++{
++ if (res_hnok (name))
++ return NSS_STATUS_SUCCESS;
++ *h_errnop = HOST_NOT_FOUND;
++ return NSS_STATUS_NOTFOUND;
++}
++
+ enum nss_status
+ _nss_dns_gethostbyname2_r (const char *name, int af, struct hostent *result,
+ char *buffer, size_t buflen, int *errnop,
+ int *h_errnop)
+ {
++ enum nss_status status = check_name (name, h_errnop);
++ if (status != NSS_STATUS_SUCCESS)
++ return status;
+ return _nss_dns_gethostbyname3_r (name, af, result, buffer, buflen, errnop,
+ h_errnop, NULL, NULL);
+ }
+@@ -289,6 +304,9 @@ _nss_dns_gethostbyname_r (const char *name, struct hostent *result,
+ char *buffer, size_t buflen, int *errnop,
+ int *h_errnop)
+ {
++ enum nss_status status = check_name (name, h_errnop);
++ if (status != NSS_STATUS_SUCCESS)
++ return status;
+ struct resolv_context *ctx = __resolv_context_get ();
+ if (ctx == NULL)
+ {
+@@ -296,7 +314,7 @@ _nss_dns_gethostbyname_r (const char *name, struct hostent *result,
+ *h_errnop = NETDB_INTERNAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+- enum nss_status status = NSS_STATUS_NOTFOUND;
++ status = NSS_STATUS_NOTFOUND;
+ if (res_use_inet6 ())
+ status = gethostbyname3_context (ctx, name, AF_INET6, result, buffer,
+ buflen, errnop, h_errnop, NULL, NULL);
+@@ -313,6 +331,9 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
+ char *buffer, size_t buflen, int *errnop,
+ int *herrnop, int32_t *ttlp)
+ {
++ enum nss_status status = check_name (name, herrnop);
++ if (status != NSS_STATUS_SUCCESS)
++ return status;
+ struct resolv_context *ctx = __resolv_context_get ();
+ if (ctx == NULL)
+ {
+@@ -347,7 +368,6 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
+ int ans2p_malloced = 0;
+
+ int olderr = errno;
+- enum nss_status status;
+ int n = __res_context_search (ctx, name, C_IN, T_QUERY_A_AND_AAAA,
+ host_buffer.buf->buf, 2048, &host_buffer.ptr,
+ &ans2p, &nans2p, &resplen2, &ans2p_malloced);
+--
+2.20.1
+
+
+From 2373941bd73cb288c8a42a33e23e7f7bb81151e7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 21 Jan 2019 21:26:03 +0100
+Subject: [PATCH 3/4] CVE-2016-10739: getaddrinfo: Fully parse IPv4 address
+ strings [BZ #20018]
+
+The IPv4 address parser in the getaddrinfo function is changed so that
+it does not ignore trailing whitespace and all characters after it.
+For backwards compatibility, the getaddrinfo function still recognizes
+legacy name syntax, such as 192.000.002.010 interpreted as 192.0.2.8
+(octal).
+
+This commit does not change the behavior of inet_addr and inet_aton.
+gethostbyname already had additional sanity checks (but is switched
+over to the new __inet_aton_exact function for completeness as well).
+
+To avoid sending the problematic query names over DNS, commit
+6ca53a2453598804a2559a548a08424fca96434a ("resolv: Do not send queries
+for non-host-names in nss_dns [BZ #24112]") is needed.
+
+(cherry picked from commit 108bc4049f8ae82710aec26a92ffdb4b439c83fd)
+---
+ ChangeLog | 33 ++++++++
+ NEWS | 4 +
+ include/arpa/inet.h | 6 +-
+ nscd/gai.c | 1 -
+ nscd/gethstbynm3_r.c | 2 -
+ nss/digits_dots.c | 3 +-
+ resolv/Makefile | 7 ++
+ resolv/Versions | 1 +
+ resolv/inet_addr.c | 62 ++++++++++-----
+ resolv/res_init.c | 17 ++--
+ resolv/tst-aton.c | 35 +++++++--
+ resolv/tst-inet_aton_exact.c | 47 +++++++++++
+ resolv/tst-resolv-nondecimal.c | 139 +++++++++++++++++++++++++++++++++
+ resolv/tst-resolv-trailing.c | 136 ++++++++++++++++++++++++++++++++
+ sysdeps/posix/getaddrinfo.c | 2 +-
+ 15 files changed, 455 insertions(+), 40 deletions(-)
+ create mode 100644 resolv/tst-inet_aton_exact.c
+ create mode 100644 resolv/tst-resolv-nondecimal.c
+ create mode 100644 resolv/tst-resolv-trailing.c
+
+diff --git a/include/arpa/inet.h b/include/arpa/inet.h
+index c3f28f2baa..19aec74275 100644
+--- a/include/arpa/inet.h
++++ b/include/arpa/inet.h
+@@ -1,10 +1,10 @@
+ #include <inet/arpa/inet.h>
+
+ #ifndef _ISOMAC
+-extern int __inet_aton (const char *__cp, struct in_addr *__inp);
+-libc_hidden_proto (__inet_aton)
++/* Variant of inet_aton which rejects trailing garbage. */
++extern int __inet_aton_exact (const char *__cp, struct in_addr *__inp);
++libc_hidden_proto (__inet_aton_exact)
+
+-libc_hidden_proto (inet_aton)
+ libc_hidden_proto (inet_ntop)
+ libc_hidden_proto (inet_pton)
+ extern __typeof (inet_pton) __inet_pton;
+diff --git a/nscd/gai.c b/nscd/gai.c
+index 24bdfee1db..f57f396f57 100644
+--- a/nscd/gai.c
++++ b/nscd/gai.c
+@@ -19,7 +19,6 @@
+
+ /* This file uses the getaddrinfo code but it compiles it without NSCD
+ support. We just need a few symbol renames. */
+-#define __inet_aton inet_aton
+ #define __ioctl ioctl
+ #define __getsockname getsockname
+ #define __socket socket
+diff --git a/nscd/gethstbynm3_r.c b/nscd/gethstbynm3_r.c
+index 7beb9dce9f..f792c4fcd0 100644
+--- a/nscd/gethstbynm3_r.c
++++ b/nscd/gethstbynm3_r.c
+@@ -38,8 +38,6 @@
+ #define HAVE_LOOKUP_BUFFER 1
+ #define HAVE_AF 1
+
+-#define __inet_aton inet_aton
+-
+ /* We are nscd, so we don't want to be talking to ourselves. */
+ #undef USE_NSCD
+
+diff --git a/nss/digits_dots.c b/nss/digits_dots.c
+index 39bff38865..5441bce16e 100644
+--- a/nss/digits_dots.c
++++ b/nss/digits_dots.c
+@@ -29,7 +29,6 @@
+ #include "nsswitch.h"
+
+ #ifdef USE_NSCD
+-# define inet_aton __inet_aton
+ # include <nscd/nscd_proto.h>
+ #endif
+
+@@ -160,7 +159,7 @@ __nss_hostname_digits_dots_context (struct resolv_context *ctx,
+ 255.255.255.255? The test below will succeed
+ spuriously... ??? */
+ if (af == AF_INET)
+- ok = __inet_aton (name, (struct in_addr *) host_addr);
++ ok = __inet_aton_exact (name, (struct in_addr *) host_addr);
+ else
+ {
+ assert (af == AF_INET6);
+diff --git a/resolv/Makefile b/resolv/Makefile
+index ea395ac3eb..d36eedd34a 100644
+--- a/resolv/Makefile
++++ b/resolv/Makefile
+@@ -34,6 +34,9 @@ routines := herror inet_addr inet_ntop inet_pton nsap_addr res_init \
+ tests = tst-aton tst-leaks tst-inet_ntop
+ xtests = tst-leaks2
+
++tests-internal += tst-inet_aton_exact
++
++
+ generate := mtrace-tst-leaks.out tst-leaks.mtrace tst-leaks2.mtrace
+
+ extra-libs := libresolv libnss_dns
+@@ -54,8 +57,10 @@ tests += \
+ tst-resolv-binary \
+ tst-resolv-edns \
+ tst-resolv-network \
++ tst-resolv-nondecimal \
+ tst-resolv-res_init-multi \
+ tst-resolv-search \
++ tst-resolv-trailing \
+
+ # These tests need libdl.
+ ifeq (yes,$(build-shared))
+@@ -190,9 +195,11 @@ $(objpfx)tst-resolv-res_init-multi: $(objpfx)libresolv.so \
+ $(shared-thread-library)
+ $(objpfx)tst-resolv-res_init-thread: $(libdl) $(objpfx)libresolv.so \
+ $(shared-thread-library)
++$(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-search: $(objpfx)libresolv.so $(shared-thread-library)
++$(objpfx)tst-resolv-trailing: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-threads: \
+ $(libdl) $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-canonname: \
+diff --git a/resolv/Versions b/resolv/Versions
+index b05778d965..9a82704af7 100644
+--- a/resolv/Versions
++++ b/resolv/Versions
+@@ -27,6 +27,7 @@ libc {
+ __h_errno; __resp;
+
+ __res_iclose;
++ __inet_aton_exact;
+ __inet_pton_length;
+ __resolv_context_get;
+ __resolv_context_get_preinit;
+diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c
+index 32f58b0e13..41b6166a5b 100644
+--- a/resolv/inet_addr.c
++++ b/resolv/inet_addr.c
+@@ -96,26 +96,14 @@
+ #include <limits.h>
+ #include <errno.h>
+
+-/* ASCII IPv4 Internet address interpretation routine. The value
+- returned is in network order. */
+-in_addr_t
+-__inet_addr (const char *cp)
+-{
+- struct in_addr val;
+-
+- if (__inet_aton (cp, &val))
+- return val.s_addr;
+- return INADDR_NONE;
+-}
+-weak_alias (__inet_addr, inet_addr)
+-
+ /* Check whether "cp" is a valid ASCII representation of an IPv4
+ Internet address and convert it to a binary address. Returns 1 if
+ the address is valid, 0 if not. This replaces inet_addr, the
+ return value from which cannot distinguish between failure and a
+- local broadcast address. */
+-int
+-__inet_aton (const char *cp, struct in_addr *addr)
++ local broadcast address. Write a pointer to the first
++ non-converted character to *endp. */
++static int
++inet_aton_end (const char *cp, struct in_addr *addr, const char **endp)
+ {
+ static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
+ in_addr_t val;
+@@ -180,6 +168,7 @@ __inet_aton (const char *cp, struct in_addr *addr)
+
+ if (addr != NULL)
+ addr->s_addr = res.word | htonl (val);
++ *endp = cp;
+
+ __set_errno (saved_errno);
+ return 1;
+@@ -188,6 +177,41 @@ __inet_aton (const char *cp, struct in_addr *addr)
+ __set_errno (saved_errno);
+ return 0;
+ }
+-weak_alias (__inet_aton, inet_aton)
+-libc_hidden_def (__inet_aton)
+-libc_hidden_weak (inet_aton)
++
++int
++__inet_aton_exact (const char *cp, struct in_addr *addr)
++{
++ struct in_addr val;
++ const char *endp;
++ /* Check that inet_aton_end parsed the entire string. */
++ if (inet_aton_end (cp, &val, &endp) != 0 && *endp == 0)
++ {
++ *addr = val;
++ return 1;
++ }
++ else
++ return 0;
++}
++libc_hidden_def (__inet_aton_exact)
++
++/* inet_aton ignores trailing garbage. */
++int
++__inet_aton_ignore_trailing (const char *cp, struct in_addr *addr)
++{
++ const char *endp;
++ return inet_aton_end (cp, addr, &endp);
++}
++weak_alias (__inet_aton_ignore_trailing, inet_aton)
++
++/* ASCII IPv4 Internet address interpretation routine. The value
++ returned is in network order. */
++in_addr_t
++__inet_addr (const char *cp)
++{
++ struct in_addr val;
++ const char *endp;
++ if (inet_aton_end (cp, &val, &endp))
++ return val.s_addr;
++ return INADDR_NONE;
++}
++weak_alias (__inet_addr, inet_addr)
+diff --git a/resolv/res_init.c b/resolv/res_init.c
+index f5e52cbbb9..94743a252e 100644
+--- a/resolv/res_init.c
++++ b/resolv/res_init.c
+@@ -399,8 +399,16 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+ cp = parser->buffer + sizeof ("nameserver") - 1;
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
++
++ /* Ignore trailing contents on the name server line. */
++ {
++ char *el;
++ if ((el = strpbrk (cp, " \t\n")) != NULL)
++ *el = '\0';
++ }
++
+ struct sockaddr *sa;
+- if ((*cp != '\0') && (*cp != '\n') && __inet_aton (cp, &a))
++ if ((*cp != '\0') && (*cp != '\n') && __inet_aton_exact (cp, &a))
+ {
+ sa = allocate_address_v4 (a, NAMESERVER_PORT);
+ if (sa == NULL)
+@@ -410,9 +418,6 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+ {
+ struct in6_addr a6;
+ char *el;
+-
+- if ((el = strpbrk (cp, " \t\n")) != NULL)
+- *el = '\0';
+ if ((el = strchr (cp, SCOPE_DELIMITER)) != NULL)
+ *el = '\0';
+ if ((*cp != '\0') && (__inet_pton (AF_INET6, cp, &a6) > 0))
+@@ -472,7 +477,7 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+ char separator = *cp;
+ *cp = 0;
+ struct resolv_sortlist_entry e;
+- if (__inet_aton (net, &a))
++ if (__inet_aton_exact (net, &a))
+ {
+ e.addr = a;
+ if (is_sort_mask (separator))
+@@ -484,7 +489,7 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+ cp++;
+ separator = *cp;
+ *cp = 0;
+- if (__inet_aton (net, &a))
++ if (__inet_aton_exact (net, &a))
+ e.mask = a.s_addr;
+ else
+ e.mask = net_mask (e.addr);
+diff --git a/resolv/tst-aton.c b/resolv/tst-aton.c
+index 08110a007a..eb734d7758 100644
+--- a/resolv/tst-aton.c
++++ b/resolv/tst-aton.c
+@@ -1,11 +1,29 @@
++/* Test legacy IPv4 text-to-address function inet_aton.
++ Copyright (C) 1998-2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <array_length.h>
+ #include <stdio.h>
+ #include <stdint.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+
+-
+-static struct tests
++static const struct tests
+ {
+ const char *input;
+ int valid;
+@@ -16,6 +34,7 @@ static struct tests
+ { "-1", 0, 0 },
+ { "256", 1, 0x00000100 },
+ { "256.", 0, 0 },
++ { "255a", 0, 0 },
+ { "256a", 0, 0 },
+ { "0x100", 1, 0x00000100 },
+ { "0200.0x123456", 1, 0x80123456 },
+@@ -40,7 +59,12 @@ static struct tests
+ { "1.2.256.4", 0, 0 },
+ { "1.2.3.0x100", 0, 0 },
+ { "323543357756889", 0, 0 },
+- { "10.1.2.3.4", 0, 0},
++ { "10.1.2.3.4", 0, 0 },
++ { "192.0.2.1", 1, 0xc0000201 },
++ { "192.0.2.2\nX", 1, 0xc0000202 },
++ { "192.0.2.3 Y", 1, 0xc0000203 },
++ { "192.0.2.3Z", 0, 0 },
++ { "192.000.002.010", 1, 0xc0000208 },
+ };
+
+
+@@ -50,7 +74,7 @@ do_test (void)
+ int result = 0;
+ size_t cnt;
+
+- for (cnt = 0; cnt < sizeof (tests) / sizeof (tests[0]); ++cnt)
++ for (cnt = 0; cnt < array_length (tests); ++cnt)
+ {
+ struct in_addr addr;
+
+@@ -73,5 +97,4 @@ do_test (void)
+ return result;
+ }
+
+-#define TEST_FUNCTION do_test ()
+-#include "../test-skeleton.c"
++#include <support/test-driver.c>
+diff --git a/resolv/tst-inet_aton_exact.c b/resolv/tst-inet_aton_exact.c
+new file mode 100644
+index 0000000000..0fdfa3d6aa
+--- /dev/null
++++ b/resolv/tst-inet_aton_exact.c
+@@ -0,0 +1,47 @@
++/* Test internal legacy IPv4 text-to-address function __inet_aton_exact.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <arpa/inet.h>
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++ struct in_addr addr = { };
++
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.1", &addr), 1);
++ TEST_COMPARE (ntohl (addr.s_addr), 0xC0000201);
++
++ TEST_COMPARE (__inet_aton_exact ("192.000.002.010", &addr), 1);
++ TEST_COMPARE (ntohl (addr.s_addr), 0xC0000208);
++ TEST_COMPARE (__inet_aton_exact ("0xC0000234", &addr), 1);
++ TEST_COMPARE (ntohl (addr.s_addr), 0xC0000234);
++
++ /* Trailing content is not accepted. */
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.2X", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.3 Y", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.4\nZ", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.5\tT", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.6 Y", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.7\n", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.8\t", &addr), 0);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/resolv/tst-resolv-nondecimal.c b/resolv/tst-resolv-nondecimal.c
+new file mode 100644
+index 0000000000..a0df6f332a
+--- /dev/null
++++ b/resolv/tst-resolv-nondecimal.c
+@@ -0,0 +1,139 @@
++/* Test name resolution behavior for octal, hexadecimal IPv4 addresses.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <netdb.h>
++#include <stdlib.h>
++#include <support/check.h>
++#include <support/check_nss.h>
++#include <support/resolv_test.h>
++#include <support/support.h>
++
++static void
++response (const struct resolv_response_context *ctx,
++ struct resolv_response_builder *b,
++ const char *qname, uint16_t qclass, uint16_t qtype)
++{
++ /* The tests are not supposed send any DNS queries. */
++ FAIL_EXIT1 ("unexpected DNS query for %s/%d/%d", qname, qclass, qtype);
++}
++
++static void
++run_query_addrinfo (const char *query, const char *address)
++{
++ char *quoted_query = support_quote_string (query);
++
++ struct addrinfo *ai;
++ struct addrinfo hints =
++ {
++ .ai_socktype = SOCK_STREAM,
++ .ai_protocol = IPPROTO_TCP,
++ };
++
++ char *context = xasprintf ("getaddrinfo \"%s\" AF_INET", quoted_query);
++ char *expected = xasprintf ("address: STREAM/TCP %s 80\n", address);
++ hints.ai_family = AF_INET;
++ int ret = getaddrinfo (query, "80", &hints, &ai);
++ check_addrinfo (context, ai, ret, expected);
++ if (ret == 0)
++ freeaddrinfo (ai);
++ free (context);
++
++ context = xasprintf ("getaddrinfo \"%s\" AF_UNSPEC", quoted_query);
++ hints.ai_family = AF_UNSPEC;
++ ret = getaddrinfo (query, "80", &hints, &ai);
++ check_addrinfo (context, ai, ret, expected);
++ if (ret == 0)
++ freeaddrinfo (ai);
++ free (expected);
++ free (context);
++
++ context = xasprintf ("getaddrinfo \"%s\" AF_INET6", quoted_query);
++ expected = xasprintf ("flags: AI_V4MAPPED\n"
++ "address: STREAM/TCP ::ffff:%s 80\n",
++ address);
++ hints.ai_family = AF_INET6;
++ hints.ai_flags = AI_V4MAPPED;
++ ret = getaddrinfo (query, "80", &hints, &ai);
++ check_addrinfo (context, ai, ret, expected);
++ if (ret == 0)
++ freeaddrinfo (ai);
++ free (expected);
++ free (context);
++
++ free (quoted_query);
++}
++
++static void
++run_query (const char *query, const char *address)
++{
++ char *quoted_query = support_quote_string (query);
++ char *context = xasprintf ("gethostbyname (\"%s\")", quoted_query);
++ char *expected = xasprintf ("name: %s\n"
++ "address: %s\n", query, address);
++ check_hostent (context, gethostbyname (query), expected);
++ free (context);
++
++ context = xasprintf ("gethostbyname_r \"%s\"", quoted_query);
++ struct hostent storage;
++ char buf[4096];
++ struct hostent *e = NULL;
++ TEST_COMPARE (gethostbyname_r (query, &storage, buf, sizeof (buf),
++ &e, &h_errno), 0);
++ check_hostent (context, e, expected);
++ free (context);
++
++ context = xasprintf ("gethostbyname2 (\"%s\", AF_INET)", quoted_query);
++ check_hostent (context, gethostbyname2 (query, AF_INET), expected);
++ free (context);
++
++ context = xasprintf ("gethostbyname2_r \"%s\" AF_INET", quoted_query);
++ e = NULL;
++ TEST_COMPARE (gethostbyname2_r (query, AF_INET, &storage, buf, sizeof (buf),
++ &e, &h_errno), 0);
++ check_hostent (context, e, expected);
++ free (context);
++ free (expected);
++
++ free (quoted_query);
++
++ /* The gethostbyname tests are always valid for getaddrinfo, but not
++ vice versa. */
++ run_query_addrinfo (query, address);
++}
++
++static int
++do_test (void)
++{
++ struct resolv_test *aux = resolv_test_start
++ ((struct resolv_redirect_config)
++ {
++ .response_callback = response,
++ });
++
++ run_query ("192.000.002.010", "192.0.2.8");
++
++ /* Hexadecimal numbers are not accepted by gethostbyname. */
++ run_query_addrinfo ("0xc0000210", "192.0.2.16");
++ run_query_addrinfo ("192.0x234", "192.0.2.52");
++
++ resolv_test_end (aux);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/resolv/tst-resolv-trailing.c b/resolv/tst-resolv-trailing.c
+new file mode 100644
+index 0000000000..7504bdae57
+--- /dev/null
++++ b/resolv/tst-resolv-trailing.c
+@@ -0,0 +1,136 @@
++/* Test name resolution behavior with trailing characters.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <array_length.h>
++#include <netdb.h>
++#include <support/check.h>
++#include <support/check_nss.h>
++#include <support/resolv_test.h>
++#include <support/support.h>
++
++static void
++response (const struct resolv_response_context *ctx,
++ struct resolv_response_builder *b,
++ const char *qname, uint16_t qclass, uint16_t qtype)
++{
++ /* The tests are not supposed send any DNS queries. */
++ FAIL_EXIT1 ("unexpected DNS query for %s/%d/%d", qname, qclass, qtype);
++}
++
++static int
++do_test (void)
++{
++ struct resolv_test *aux = resolv_test_start
++ ((struct resolv_redirect_config)
++ {
++ .response_callback = response,
++ });
++
++ static const char *const queries[] =
++ {
++ "192.0.2.1 ",
++ "192.0.2.2\t",
++ "192.0.2.3\n",
++ "192.0.2.4 X",
++ "192.0.2.5\tY",
++ "192.0.2.6\nZ",
++ "192.0.2. ",
++ "192.0.2.\t",
++ "192.0.2.\n",
++ "192.0.2. X",
++ "192.0.2.\tY",
++ "192.0.2.\nZ",
++ "2001:db8::1 ",
++ "2001:db8::2\t",
++ "2001:db8::3\n",
++ "2001:db8::4 X",
++ "2001:db8::5\tY",
++ "2001:db8::6\nZ",
++ };
++ for (size_t query_idx = 0; query_idx < array_length (queries); ++query_idx)
++ {
++ const char *query = queries[query_idx];
++ struct hostent storage;
++ char buf[4096];
++ struct hostent *e;
++
++ h_errno = 0;
++ TEST_VERIFY (gethostbyname (query) == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ h_errno = 0;
++ e = NULL;
++ TEST_COMPARE (gethostbyname_r (query, &storage, buf, sizeof (buf),
++ &e, &h_errno), 0);
++ TEST_VERIFY (e == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ h_errno = 0;
++ TEST_VERIFY (gethostbyname2 (query, AF_INET) == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ h_errno = 0;
++ e = NULL;
++ TEST_COMPARE (gethostbyname2_r (query, AF_INET,
++ &storage, buf, sizeof (buf),
++ &e, &h_errno), 0);
++ TEST_VERIFY (e == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ h_errno = 0;
++ TEST_VERIFY (gethostbyname2 (query, AF_INET6) == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ h_errno = 0;
++ e = NULL;
++ TEST_COMPARE (gethostbyname2_r (query, AF_INET6,
++ &storage, buf, sizeof (buf),
++ &e, &h_errno), 0);
++ TEST_VERIFY (e == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ static const int gai_flags[] =
++ {
++ 0,
++ AI_ADDRCONFIG,
++ AI_NUMERICHOST,
++ AI_IDN,
++ AI_IDN | AI_NUMERICHOST,
++ AI_V4MAPPED,
++ AI_V4MAPPED | AI_NUMERICHOST,
++ };
++ for (size_t gai_flags_idx; gai_flags_idx < array_length (gai_flags);
++ ++gai_flags_idx)
++ {
++ struct addrinfo hints = { .ai_flags = gai_flags[gai_flags_idx], };
++ struct addrinfo *ai;
++ hints.ai_family = AF_INET;
++ TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME);
++ hints.ai_family = AF_INET6;
++ TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME);
++ hints.ai_family = AF_UNSPEC;
++ TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME);
++ }
++ };
++
++ resolv_test_end (aux);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 553833d1f2..c91b281e31 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -488,7 +488,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ malloc_name = true;
+ }
+
+- if (__inet_aton (name, (struct in_addr *) at->addr) != 0)
++ if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0)
+ {
+ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET)
+ at->family = AF_INET;
+--
+2.20.1
+
+
+From c533244b8e00ae701583ec50aeb43377d292452d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 4 Feb 2019 20:07:18 +0100
+Subject: [PATCH 4/4] nscd: Do not use __inet_aton_exact@GLIBC_PRIVATE [BZ
+ #20018]
+
+This commit avoids referencing the __inet_aton_exact@GLIBC_PRIVATE
+symbol from nscd. In master, the separately-compiled getaddrinfo
+implementation in nscd needs it, however such an internal ABI change
+is not desirable on a release branch if it can be avoided.
+---
+ ChangeLog | 10 ++++++++++
+ nscd/Makefile | 2 +-
+ nscd/gai.c | 6 ++++++
+ nscd/nscd-inet_addr.c | 32 ++++++++++++++++++++++++++++++++
+ 4 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100644 nscd/nscd-inet_addr.c
+
+diff --git a/nscd/Makefile b/nscd/Makefile
+index b713a84c49..eb23c01a39 100644
+--- a/nscd/Makefile
++++ b/nscd/Makefile
+@@ -36,7 +36,7 @@ nscd-modules := nscd connections pwdcache getpwnam_r getpwuid_r grpcache \
+ getsrvbynm_r getsrvbypt_r servicescache \
+ dbg_log nscd_conf nscd_stat cache mem nscd_setup_thread \
+ xmalloc xstrdup aicache initgrcache gai res_hconf \
+- netgroupcache
++ netgroupcache nscd-inet_addr
+
+ ifeq ($(build-nscd)$(have-thread-library),yesyes)
+
+diff --git a/nscd/gai.c b/nscd/gai.c
+index f57f396f57..68a4abd30e 100644
+--- a/nscd/gai.c
++++ b/nscd/gai.c
+@@ -33,6 +33,12 @@
+ #define __getifaddrs getifaddrs
+ #define __freeifaddrs freeifaddrs
+
++/* We do not want to export __inet_aton_exact. Get the prototype and
++ change its visibility to hidden. */
++#include <arpa/inet.h>
++__typeof__ (__inet_aton_exact) __inet_aton_exact
++ __attribute__ ((visibility ("hidden")));
++
+ /* We are nscd, so we don't want to be talking to ourselves. */
+ #undef USE_NSCD
+
+diff --git a/nscd/nscd-inet_addr.c b/nscd/nscd-inet_addr.c
+new file mode 100644
+index 0000000000..f366b9567d
+--- /dev/null
++++ b/nscd/nscd-inet_addr.c
+@@ -0,0 +1,32 @@
++/* Legacy IPv4 text-to-address functions. Version for nscd.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <arpa/inet.h>
++
++/* We do not want to export __inet_aton_exact. Get the prototype and
++ change the visibility to hidden. */
++#include <arpa/inet.h>
++__typeof__ (__inet_aton_exact) __inet_aton_exact
++ __attribute__ ((visibility ("hidden")));
++
++/* Do not provide definitions of the public symbols exported from
++ libc. */
++#undef weak_alias
++#define weak_alias(from, to)
++
++#include <resolv/inet_addr.c>
+--
+2.20.1
diff --git a/external/poky/meta/recipes-core/glibc/glibc/CVE-2019-6488.patch b/external/poky/meta/recipes-core/glibc/glibc/CVE-2019-6488.patch
new file mode 100644
index 00000000..fa423754
--- /dev/null
+++ b/external/poky/meta/recipes-core/glibc/glibc/CVE-2019-6488.patch
@@ -0,0 +1,274 @@
+From 718016100d889a986c536b595bf6ec0d6ab4b90e Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Fri, 1 Feb 2019 12:17:09 -0800
+Subject: [PATCH] x86-64 memchr/wmemchr: Properly handle the length parameter
+ [BZ #24097]
+Reply-To: muislam@microsoft.com
+
+On x32, the size_t parameter may be passed in the lower 32 bits of a
+64-bit register with the non-zero upper 32 bits. The string/memory
+functions written in assembly can only use the lower 32 bits of a
+64-bit register as length or must clear the upper 32 bits before using
+the full 64-bit register for length.
+
+This pach fixes memchr/wmemchr for x32. Tested on x86-64 and x32. On
+x86-64, libc.so is the same with and withou the fix.
+
+ [BZ #24097]
+ CVE-2019-6488
+ * sysdeps/x86_64/memchr.S: Use RDX_LP for length. Clear the
+ upper 32 bits of RDX register.
+ * sysdeps/x86_64/multiarch/memchr-avx2.S: Likewise.
+ * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memchr and
+ tst-size_t-wmemchr.
+ * sysdeps/x86_64/x32/test-size_t.h: New file.
+ * sysdeps/x86_64/x32/tst-size_t-memchr.c: Likewise.
+ * sysdeps/x86_64/x32/tst-size_t-wmemchr.c: Likewise.
+
+(cherry picked from commit 97700a34f36721b11a754cf37a1cc40695ece1fd)
+
+CVE: CVE-2019-6488
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+---
+ NEWS | 1 -
+ sysdeps/x86_64/memchr.S | 10 ++--
+ sysdeps/x86_64/multiarch/memchr-avx2.S | 8 ++-
+ sysdeps/x86_64/x32/Makefile | 8 +++
+ sysdeps/x86_64/x32/test-size_t.h | 35 ++++++++++++
+ sysdeps/x86_64/x32/tst-size_t-memchr.c | 72 +++++++++++++++++++++++++
+ sysdeps/x86_64/x32/tst-size_t-wmemchr.c | 20 +++++++
+ 7 files changed, 148 insertions(+), 6 deletions(-)
+ create mode 100644 sysdeps/x86_64/x32/test-size_t.h
+ create mode 100644 sysdeps/x86_64/x32/tst-size_t-memchr.c
+ create mode 100644 sysdeps/x86_64/x32/tst-size_t-wmemchr.c
+
+diff --git a/NEWS b/NEWS
+index fd14941128..b158973a30 100644
+--- a/NEWS
++++ b/NEWS
+@@ -17,7 +17,6 @@ The following bugs are resolved with this release:
+ [23606] Missing ENDBR32 in sysdeps/i386/start.S
+ [23679] gethostid: Missing NULL check for gethostbyname_r result
+ [23717] Fix stack overflow in stdlib/tst-setcontext9
+-
+
+ Version 2.28
+
+diff --git a/sysdeps/x86_64/memchr.S b/sysdeps/x86_64/memchr.S
+index feef5d4f24..cb320257a2 100644
+--- a/sysdeps/x86_64/memchr.S
++++ b/sysdeps/x86_64/memchr.S
+@@ -34,12 +34,16 @@ ENTRY(MEMCHR)
+ mov %edi, %ecx
+
+ #ifdef USE_AS_WMEMCHR
+- test %rdx, %rdx
++ test %RDX_LP, %RDX_LP
+ jz L(return_null)
+- shl $2, %rdx
++ shl $2, %RDX_LP
+ #else
++# ifdef __ILP32__
++ /* Clear the upper 32 bits. */
++ movl %edx, %edx
++# endif
+ punpcklbw %xmm1, %xmm1
+- test %rdx, %rdx
++ test %RDX_LP, %RDX_LP
+ jz L(return_null)
+ punpcklbw %xmm1, %xmm1
+ #endif
+diff --git a/sysdeps/x86_64/multiarch/memchr-avx2.S b/sysdeps/x86_64/multiarch/memchr-avx2.S
+index 5f5e772554..c81da19bf0 100644
+--- a/sysdeps/x86_64/multiarch/memchr-avx2.S
++++ b/sysdeps/x86_64/multiarch/memchr-avx2.S
+@@ -40,16 +40,20 @@
+ ENTRY (MEMCHR)
+ # ifndef USE_AS_RAWMEMCHR
+ /* Check for zero length. */
+- testq %rdx, %rdx
++ test %RDX_LP, %RDX_LP
+ jz L(null)
+ # endif
+ movl %edi, %ecx
+ /* Broadcast CHAR to YMM0. */
+ vmovd %esi, %xmm0
+ # ifdef USE_AS_WMEMCHR
+- shl $2, %rdx
++ shl $2, %RDX_LP
+ vpbroadcastd %xmm0, %ymm0
+ # else
++# ifdef __ILP32__
++ /* Clear the upper 32 bits. */
++ movl %edx, %edx
++# endif
+ vpbroadcastb %xmm0, %ymm0
+ # endif
+ /* Check if we may cross page boundary with one vector load. */
+diff --git a/sysdeps/x86_64/x32/Makefile b/sysdeps/x86_64/x32/Makefile
+index f2ebc24fb0..7d528889c6 100644
+--- a/sysdeps/x86_64/x32/Makefile
++++ b/sysdeps/x86_64/x32/Makefile
+@@ -4,3 +4,11 @@ ifeq ($(subdir),math)
+ # 64-bit llround. Add -fno-builtin-lround to silence the compiler.
+ CFLAGS-s_llround.c += -fno-builtin-lround
+ endif
++
++ifeq ($(subdir),string)
++tests += tst-size_t-memchr
++endif
++
++ifeq ($(subdir),wcsmbs)
++tests += tst-size_t-wmemchr
++endif
+diff --git a/sysdeps/x86_64/x32/test-size_t.h b/sysdeps/x86_64/x32/test-size_t.h
+new file mode 100644
+index 0000000000..78a940863e
+--- /dev/null
++++ b/sysdeps/x86_64/x32/test-size_t.h
+@@ -0,0 +1,35 @@
++/* Test string/memory functions with size_t in the lower 32 bits of
++ 64-bit register.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#define TEST_MAIN
++#include <string/test-string.h>
++
++/* On x32, parameter_t may be passed in a 64-bit register with the LEN
++ field in the lower 32 bits. When the LEN field of 64-bit register
++ is passed to string/memory function as the size_t parameter, only
++ the lower 32 bits can be used. */
++typedef struct
++{
++ union
++ {
++ size_t len;
++ void (*fn) (void);
++ };
++ void *p;
++} parameter_t;
+diff --git a/sysdeps/x86_64/x32/tst-size_t-memchr.c b/sysdeps/x86_64/x32/tst-size_t-memchr.c
+new file mode 100644
+index 0000000000..29a3daf102
+--- /dev/null
++++ b/sysdeps/x86_64/x32/tst-size_t-memchr.c
+@@ -0,0 +1,72 @@
++/* Test memchr with size_t in the lower 32 bits of 64-bit register.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#ifndef WIDE
++# define TEST_NAME "memchr"
++#else
++# define TEST_NAME "wmemchr"
++#endif /* WIDE */
++#include "test-size_t.h"
++
++#ifndef WIDE
++# define MEMCHR memchr
++# define CHAR char
++# define UCHAR unsigned char
++#else
++# include <wchar.h>
++# define MEMCHR wmemchr
++# define CHAR wchar_t
++# define UCHAR wchar_t
++#endif /* WIDE */
++
++IMPL (MEMCHR, 1)
++
++typedef CHAR * (*proto_t) (const CHAR*, int, size_t);
++
++static CHAR *
++__attribute__ ((noinline, noclone))
++do_memchr (parameter_t a, parameter_t b)
++{
++ return CALL (&b, a.p, (uintptr_t) b.p, a.len);
++}
++
++static int
++test_main (void)
++{
++ test_init ();
++
++ parameter_t src = { { page_size / sizeof (CHAR) }, buf2 };
++ parameter_t c = { { 0 }, (void *) (uintptr_t) 0x12 };
++
++ int ret = 0;
++ FOR_EACH_IMPL (impl, 0)
++ {
++ c.fn = impl->fn;
++ CHAR *res = do_memchr (src, c);
++ if (res)
++ {
++ error (0, 0, "Wrong result in function %s: %p != NULL",
++ impl->name, res);
++ ret = 1;
++ }
++ }
++
++ return ret ? EXIT_FAILURE : EXIT_SUCCESS;
++}
++
++#include <support/test-driver.c>
+diff --git a/sysdeps/x86_64/x32/tst-size_t-wmemchr.c b/sysdeps/x86_64/x32/tst-size_t-wmemchr.c
+new file mode 100644
+index 0000000000..877801d646
+--- /dev/null
++++ b/sysdeps/x86_64/x32/tst-size_t-wmemchr.c
+@@ -0,0 +1,20 @@
++/* Test wmemchr with size_t in the lower 32 bits of 64-bit register.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#define WIDE 1
++#include "tst-size_t-memchr.c"
+--
+2.23.0
+
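Review bot: The `CVE: CVE-2019-6488` tag marks the whole CVE as patched, but the only assembly this patch changes is `sysdeps/x86_64/memchr.S` and `sysdeps/x86_64/multiarch/memchr-avx2.S`, and its subject names memchr/wmemchr alone. The description states the x32 problem for string/memory functions in general, so other routines that take a length in RDX are presumably still affected unless further BZ #24097 backports are carried elsewhere in the recipe. Because CVE scanning keys on this tag, a build would report the issue as fixed when only part of it is. Either backport the remaining BZ #24097 commits under the same tag or state the partial coverage in the patch header, for example `Note: covers memchr/wmemchr only; other x32 string functions from BZ #24097 are not included`.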
diff --git a/external/poky/meta/recipes-core/glibc/glibc/CVE-2019-7309.patch b/external/poky/meta/recipes-core/glibc/glibc/CVE-2019-7309.patch
new file mode 100644
index 00000000..04963c29
--- /dev/null
+++ b/external/poky/meta/recipes-core/glibc/glibc/CVE-2019-7309.patch
@@ -0,0 +1,207 @@
+From af7f46c45a60e6df754fb6258b546917e61ae6f1 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Mon, 4 Feb 2019 08:55:52 -0800
+Subject: [PATCH] x86-64 memcmp: Use unsigned Jcc instructions on size [BZ
+ #24155]
+Reply-To: muislam@microsoft.com
+
+Since the size argument is unsigned. we should use unsigned Jcc
+instructions, instead of signed, to check size.
+
+Tested on x86-64 and x32, with and without --disable-multi-arch.
+
+ [BZ #24155]
+ CVE-2019-7309
+ * NEWS: Updated for CVE-2019-7309.
+ * sysdeps/x86_64/memcmp.S: Use RDX_LP for size. Clear the
+ upper 32 bits of RDX register for x32. Use unsigned Jcc
+ instructions, instead of signed.
+ * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2.
+ * sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test.
+
+(cherry picked from commit 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d)
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+CVE: CVE-2019-7309
+
+Upstream-Status: Backport
+---
+ sysdeps/x86_64/memcmp.S | 20 +++---
+ sysdeps/x86_64/x32/Makefile | 2 +-
+ sysdeps/x86_64/x32/tst-size_t-memcmp-2.c | 79 ++++++++++++++++++++++++
+ 3 files changed, 92 insertions(+), 9 deletions(-)
+ create mode 100644 sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
+
+diff --git a/sysdeps/x86_64/memcmp.S b/sysdeps/x86_64/memcmp.S
+index bcb4a2e88d..45918d375a 100644
+--- a/sysdeps/x86_64/memcmp.S
++++ b/sysdeps/x86_64/memcmp.S
+@@ -21,14 +21,18 @@
+
+ .text
+ ENTRY (memcmp)
+- test %rdx, %rdx
++#ifdef __ILP32__
++ /* Clear the upper 32 bits. */
++ movl %edx, %edx
++#endif
++ test %RDX_LP, %RDX_LP
+ jz L(finz)
+ cmpq $1, %rdx
+- jle L(finr1b)
++ jbe L(finr1b)
+ subq %rdi, %rsi
+ movq %rdx, %r10
+ cmpq $32, %r10
+- jge L(gt32)
++ jae L(gt32)
+ /* Handle small chunks and last block of less than 32 bytes. */
+ L(small):
+ testq $1, %r10
+@@ -156,7 +160,7 @@ L(A32):
+ movq %r11, %r10
+ andq $-32, %r10
+ cmpq %r10, %rdi
+- jge L(mt16)
++ jae L(mt16)
+ /* Pre-unroll to be ready for unrolled 64B loop. */
+ testq $32, %rdi
+ jz L(A64)
+@@ -178,7 +182,7 @@ L(A64):
+ movq %r11, %r10
+ andq $-64, %r10
+ cmpq %r10, %rdi
+- jge L(mt32)
++ jae L(mt32)
+
+ L(A64main):
+ movdqu (%rdi,%rsi), %xmm0
+@@ -216,7 +220,7 @@ L(mt32):
+ movq %r11, %r10
+ andq $-32, %r10
+ cmpq %r10, %rdi
+- jge L(mt16)
++ jae L(mt16)
+
+ L(A32main):
+ movdqu (%rdi,%rsi), %xmm0
+@@ -254,7 +258,7 @@ L(ATR):
+ movq %r11, %r10
+ andq $-32, %r10
+ cmpq %r10, %rdi
+- jge L(mt16)
++ jae L(mt16)
+ testq $16, %rdi
+ jz L(ATR32)
+
+@@ -325,7 +329,7 @@ L(ATR64main):
+ movq %r11, %r10
+ andq $-32, %r10
+ cmpq %r10, %rdi
+- jge L(mt16)
++ jae L(mt16)
+
+ L(ATR32res):
+ movdqa (%rdi,%rsi), %xmm0
+diff --git a/sysdeps/x86_64/x32/Makefile b/sysdeps/x86_64/x32/Makefile
+index 7d528889c6..c9850beeb5 100644
+--- a/sysdeps/x86_64/x32/Makefile
++++ b/sysdeps/x86_64/x32/Makefile
+@@ -6,7 +6,7 @@ CFLAGS-s_llround.c += -fno-builtin-lround
+ endif
+
+ ifeq ($(subdir),string)
+-tests += tst-size_t-memchr
++tests += tst-size_t-memchr tst-size_t-memcmp-2
+ endif
+
+ ifeq ($(subdir),wcsmbs)
+diff --git a/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
+new file mode 100644
+index 0000000000..d8ae1a0813
+--- /dev/null
++++ b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c
+@@ -0,0 +1,79 @@
++/* Test memcmp with size_t in the lower 32 bits of 64-bit register.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#define TEST_MAIN
++#ifdef WIDE
++# define TEST_NAME "wmemcmp"
++#else
++# define TEST_NAME "memcmp"
++#endif
++
++#include "test-size_t.h"
++
++#ifdef WIDE
++# include <inttypes.h>
++# include <wchar.h>
++
++# define MEMCMP wmemcmp
++# define CHAR wchar_t
++#else
++# define MEMCMP memcmp
++# define CHAR char
++#endif
++
++IMPL (MEMCMP, 1)
++
++typedef int (*proto_t) (const CHAR *, const CHAR *, size_t);
++
++static int
++__attribute__ ((noinline, noclone))
++do_memcmp (parameter_t a, parameter_t b)
++{
++ return CALL (&b, a.p, b.p, a.len);
++}
++
++static int
++test_main (void)
++{
++ test_init ();
++
++ parameter_t dest = { { page_size / sizeof (CHAR) }, buf1 };
++ parameter_t src = { { 0 }, buf2 };
++
++ memcpy (buf1, buf2, page_size);
++
++ CHAR *p = (CHAR *) buf1;
++ p[page_size / sizeof (CHAR) - 1] = (CHAR) 1;
++
++ int ret = 0;
++ FOR_EACH_IMPL (impl, 0)
++ {
++ src.fn = impl->fn;
++ int res = do_memcmp (dest, src);
++ if (res >= 0)
++ {
++ error (0, 0, "Wrong result in function %s: %i >= 0",
++ impl->name, res);
++ ret = 1;
++ }
++ }
++
++ return ret ? EXIT_FAILURE : EXIT_SUCCESS;
++}
++
++#include <support/test-driver.c>
+--
+2.23.0
+
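Review bot: The ChangeLog text in the patch header lists `* NEWS: Updated for CVE-2019-7309.`, but the diffstat and the hunks that follow touch only `memcmp.S`, `x32/Makefile` and the new test. The header therefore describes a change this backport does not carry. Record the deviation in the header, e.g. `NEWS hunk dropped for the 2.28 backport`, so a later reader comparing against commit 3f635fb43389b54f682fc9ed2acc0b2aaf4a923d does not assume a hunk was lost by accident.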
diff --git a/external/poky/meta/recipes-core/glibc/glibc_2.28.bb b/external/poky/meta/recipes-core/glibc/glibc_2.28.bb
index 0839fa12..4e6ee4dc 100644
--- a/external/poky/meta/recipes-core/glibc/glibc_2.28.bb
+++ b/external/poky/meta/recipes-core/glibc/glibc_2.28.bb
@@ -50,6 +50,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://CVE-2019-9169.patch \
file://CVE-2016-10739.patch \
file://CVE-2018-19591.patch \
+ file://CVE-2019-6488.patch \
+ file://CVE-2019-7309.patch \
"
NATIVESDKFIXES ?= ""
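Review bot: The order of the two new `SRC_URI` entries is load-bearing and nothing records it. CVE-2019-7309.patch rewrites the `tests += tst-size_t-memchr` line and includes `test-size_t.h`, both of which CVE-2019-6488.patch introduces. If the entries are reordered or the first patch is dropped, the second no longer applies. A comment above the `SRC_URI` assignment (which starts outside this hunk) would document that, e.g. `# CVE-2019-7309.patch depends on CVE-2019-6488.patch; keep them in this order`.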
diff --git a/external/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/external/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index d9d6c1e4..2099a124 100644
--- a/external/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/external/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -22,7 +22,7 @@ IMAGE_FSTYPES = "wic.vmdk"
inherit core-image module-base setuptools3
-SRCREV ?= "9dfebdaf7af11b69006996f3253e435bce0dfbfb"
+SRCREV ?= "2c5af52109bca8c0452b1539589cf073f6f0064a"
SRC_URI = "git://git.yoctoproject.org/poky;branch=thud \
file://Yocto_Build_Appliance.vmx \
file://Yocto_Build_Appliance.vmxf \
diff --git a/external/poky/meta/recipes-core/meta/cve-update-db-native.bb b/external/poky/meta/recipes-core/meta/cve-update-db-native.bb
new file mode 100644
index 00000000..db1d69a2
--- /dev/null
+++ b/external/poky/meta/recipes-core/meta/cve-update-db-native.bb
@@ -0,0 +1,185 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "MIT"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+
+deltask do_unpack
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+
+python () {
+ if not d.getVar("CVE_CHECK_DB_FILE"):
+ raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
+}
+
+python do_populate_cve_db() {
+ """
+ Update NVD database with json data feed
+ """
+ import bb.utils
+ import sqlite3, urllib, urllib.parse, shutil, gzip
+ from datetime import date
+
+ bb.utils.export_proxies(d)
+
+ BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
+ YEAR_START = 2002
+
+ db_file = d.getVar("CVE_CHECK_DB_FILE")
+ db_dir = os.path.dirname(db_file)
+ json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
+
+ # Don't refresh the database more than once an hour
+ try:
+ import time
+ if time.time() - os.path.getmtime(db_file) < (60*60):
+ return
+ except OSError:
+ pass
+
+ cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
+
+ if not os.path.isdir(db_dir):
+ os.mkdir(db_dir)
+
+ # Connect to database
+ conn = sqlite3.connect(db_file)
+ c = conn.cursor()
+
+ initialize_db(c)
+
+ for year in range(YEAR_START, date.today().year + 1):
+ year_url = BASE_URL + str(year)
+ meta_url = year_url + ".meta"
+ json_url = year_url + ".json.gz"
+
+ # Retrieve meta last modified date
+ response = urllib.request.urlopen(meta_url)
+ if response:
+ for l in response.read().decode("utf-8").splitlines():
+ key, value = l.split(":", 1)
+ if key == "lastModifiedDate":
+ last_modified = value
+ break
+ else:
+ bb.warn("Cannot parse CVE metadata, update failed")
+ return
+
+ # Compare with current db last modified date
+ c.execute("select DATE from META where YEAR = ?", (year,))
+ meta = c.fetchone()
+ if not meta or meta[0] != last_modified:
+ # Clear products table entries corresponding to current year
+ c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,))
+
+ # Update db with current year json file
+ try:
+ response = urllib.request.urlopen(json_url)
+ if response:
+ update_db(c, gzip.decompress(response.read()).decode('utf-8'))
+ c.execute("insert or replace into META values (?, ?)", [year, last_modified])
+ except urllib.error.URLError as e:
+ cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+ bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
+ return
+
+ # Update success, set the date to cve_check file.
+ if year == date.today().year:
+ cve_f.write('CVE database update : %s\n\n' % date.today())
+
+ cve_f.close()
+ conn.commit()
+ conn.close()
+}
+
+def initialize_db(c):
+ c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
+
+ c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
+ SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+
+ c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
+ VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
+ VERSION_END TEXT, OPERATOR_END TEXT)")
+ c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
+
+def parse_node_and_insert(c, node, cveId):
+ # Parse children node if needed
+ for child in node.get('children', ()):
+ parse_node_and_insert(c, child, cveId)
+
+ def cpe_generator():
+ for cpe in node.get('cpe_match', ()):
+ if not cpe['vulnerable']:
+ return
+ cpe23 = cpe['cpe23Uri'].split(':')
+ vendor = cpe23[3]
+ product = cpe23[4]
+ version = cpe23[5]
+
+ if version != '*':
+ # Version is defined, this is a '=' match
+ yield [cveId, vendor, product, version, '=', '', '']
+ else:
+ # Parse start version, end version and operators
+ op_start = ''
+ op_end = ''
+ v_start = ''
+ v_end = ''
+
+ if 'versionStartIncluding' in cpe:
+ op_start = '>='
+ v_start = cpe['versionStartIncluding']
+
+ if 'versionStartExcluding' in cpe:
+ op_start = '>'
+ v_start = cpe['versionStartExcluding']
+
+ if 'versionEndIncluding' in cpe:
+ op_end = '<='
+ v_end = cpe['versionEndIncluding']
+
+ if 'versionEndExcluding' in cpe:
+ op_end = '<'
+ v_end = cpe['versionEndExcluding']
+
+ yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+
+ c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator())
+
+def update_db(c, jsondata):
+ import json
+ root = json.loads(jsondata)
+
+ for elt in root['CVE_Items']:
+ if not elt['impact']:
+ continue
+
+ cveId = elt['cve']['CVE_data_meta']['ID']
+ cveDesc = elt['cve']['description']['description_data'][0]['value']
+ date = elt['lastModifiedDate']
+ accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
+ cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
+
+ try:
+ cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+ except:
+ cvssv3 = 0.0
+
+ c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
+ [cveId, cveDesc, cvssv2, cvssv3, date, accessVector])
+
+ configurations = elt['configurations']['nodes']
+ for config in configurations:
+ parse_node_and_insert(c, config, cveId)
+
+
+addtask do_populate_cve_db before do_fetch
+do_populate_cve_db[nostamp] = "1"
+
+EXCLUDE_FROM_WORLD = "1"
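Review bot: In `cpe_generator`, `if not cpe['vulnerable']: return` ends the generator at the first non-vulnerable entry, so any vulnerable `cpe_match` entries that follow it in the same node are never inserted into PRODUCTS and a later CVE check could miss them; `continue` looks like what was intended. Separately, the two early `return` paths in `do_populate_cve_db` (metadata parse failure and `URLError`) leave without `conn.commit()`, `conn.close()` or `cve_f.close()`, so rows written for earlier years in the same run are presumably rolled back; a `try`/`finally` around the year loop would cover both. The first `urllib.request.urlopen(meta_url)` also sits outside the `try`, and unlike the shell task this commit deletes, nothing here checks `BB_NO_NETWORK` before going to the network.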
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils-2.31.inc b/external/poky/meta/recipes-devtools/binutils/binutils-2.31.inc
index 62acec50..c9a3610e 100644
--- a/external/poky/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/external/poky/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -46,6 +46,12 @@ SRC_URI = "\
file://CVE-2018-18605.patch \
file://CVE-2018-18606.patch \
file://CVE-2018-18607.patch \
+ file://CVE-2019-14444.patch \
+ file://CVE-2019-12972.patch \
+ file://CVE-2018-20623.patch \
+ file://CVE-2018-20651.patch \
+ file://CVE-2018-20671.patch \
+ file://CVE-2018-1000876.patch \
"
S = "${WORKDIR}/git"
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
new file mode 100644
index 00000000..ff853511
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
@@ -0,0 +1,180 @@
+From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 16 Dec 2018 23:02:50 +1030
+Subject: [PATCH] PR23994, libbfd integer overflow
+
+ PR 23994
+ * aoutx.h: Include limits.h.
+ (get_reloc_upper_bound): Detect long overflow and return a file
+ too big error if it occurs.
+ * elf.c: Include limits.h.
+ (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
+ a file too big error if it occurs.
+ (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
+ (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
+
+CVE: CVE-2018-1000876
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ bfd/aoutx.h | 40 +++++++++++++++++++++-------------------
+ bfd/elf.c | 32 ++++++++++++++++++++++++--------
+ 2 files changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/bfd/aoutx.h b/bfd/aoutx.h
+index 023843b0be..78eaa9c503 100644
+--- a/bfd/aoutx.h
++++ b/bfd/aoutx.h
+@@ -117,6 +117,7 @@ DESCRIPTION
+ #define KEEPIT udata.i
+
+ #include "sysdep.h"
++#include <limits.h>
+ #include "bfd.h"
+ #include "safe-ctype.h"
+ #include "bfdlink.h"
+@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
+ long
+ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+ {
++ bfd_size_type count;
++
+ if (bfd_get_format (abfd) != bfd_object)
+ {
+ bfd_set_error (bfd_error_invalid_operation);
+@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+ }
+
+ if (asect->flags & SEC_CONSTRUCTOR)
+- return sizeof (arelent *) * (asect->reloc_count + 1);
+-
+- if (asect == obj_datasec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_textsec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_bsssec (abfd))
+- return sizeof (arelent *);
+-
+- if (asect == obj_bsssec (abfd))
+- return 0;
++ count = asect->reloc_count;
++ else if (asect == obj_datasec (abfd))
++ count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_textsec (abfd))
++ count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_bsssec (abfd))
++ count = 0;
++ else
++ {
++ bfd_set_error (bfd_error_invalid_operation);
++ return -1;
++ }
+
+- bfd_set_error (bfd_error_invalid_operation);
+- return -1;
++ if (count >= LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ return (count + 1) * sizeof (arelent *);
+ }
+
+ long
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 828241d48a..10037176a3 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -35,6 +35,7 @@ SECTION
+ /* For sparc64-cross-sparc32. */
+ #define _SYSCALL32
+ #include "sysdep.h"
++#include <limits.h>
+ #include "bfd.h"
+ #include "bfdlink.h"
+ #include "libbfd.h"
+@@ -8114,11 +8115,16 @@ error_return:
+ long
+ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ {
+- long symcount;
++ bfd_size_type symcount;
+ long symtab_size;
+ Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
+
+ symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+ symtab_size = (symcount + 1) * (sizeof (asymbol *));
+ if (symcount > 0)
+ symtab_size -= sizeof (asymbol *);
+@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ long
+ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+ {
+- long symcount;
++ bfd_size_type symcount;
+ long symtab_size;
+ Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
+
+@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+ }
+
+ symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+ symtab_size = (symcount + 1) * (sizeof (asymbol *));
+ if (symcount > 0)
+ symtab_size -= sizeof (asymbol *);
+@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
+ long
+ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+ {
+- long ret;
++ bfd_size_type count;
+ asection *s;
+
+ if (elf_dynsymtab (abfd) == 0)
+@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+ return -1;
+ }
+
+- ret = sizeof (arelent *);
++ count = 1;
+ for (s = abfd->sections; s != NULL; s = s->next)
+ if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
+ && (elf_section_data (s)->this_hdr.sh_type == SHT_REL
+ || elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
+- ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
+- * sizeof (arelent *));
+-
+- return ret;
++ {
++ count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
++ if (count > LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ }
++ return count * sizeof (arelent *);
+ }
+
+ /* Canonicalize the dynamic relocation entries. Note that we return the
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
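Review bot: In `_bfd_elf_get_dynamic_reloc_upper_bound` the limit test runs only after `count += s->size / elf_section_data (s)->this_hdr.sh_entsize`, so the addition itself is unchecked: a single quotient near the top of `bfd_size_type` could wrap `count` back under `LONG_MAX / sizeof (arelent *)` and pass the test. Whether `s->size` is bounded earlier is not visible in this patch, so this may be unreachable, but testing the addend first closes the gap, e.g. `if (n > LONG_MAX / sizeof (arelent *) - count)` with `n` holding the quotient. A short comment noting that this loop uses `>` because `count` already includes the terminating slot, while the other three checks use `>=` before adding one, would also help the next reader. Only parts of each function are shown in the inner hunks.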
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
new file mode 100644
index 00000000..b44d448f
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
@@ -0,0 +1,74 @@
+From 90cce28d4b59f86366d4f562d01a8d439d514234 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 9 Jan 2019 12:25:16 +0000
+Subject: [PATCH] Fix a heap use after free memory access fault when displaying
+ error messages about malformed archives.
+
+ PR 14049
+ * readelf.c (process_archive): Use arch.file_name in error
+ messages until the qualified name is available.
+
+CVE: CVE-2018-20623
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=28e817cc440bce73691c03e01860089a0954a837]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ binutils/readelf.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index f4df697a7d..280023d8de 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -19061,7 +19061,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ /* Read the next archive header. */
+ if (fseek (filedata->handle, arch.next_arhdr_offset, SEEK_SET) != 0)
+ {
+- error (_("%s: failed to seek to next archive header\n"), filedata->file_name);
++ error (_("%s: failed to seek to next archive header\n"), arch.file_name);
+ return FALSE;
+ }
+ got = fread (&arch.arhdr, 1, sizeof arch.arhdr, filedata->handle);
+@@ -19069,7 +19069,10 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ {
+ if (got == 0)
+ break;
+- error (_("%s: failed to read archive header\n"), filedata->file_name);
++ /* PR 24049 - we cannot use filedata->file_name as this will
++ have already been freed. */
++ error (_("%s: failed to read archive header\n"), arch.file_name);
++
+ ret = FALSE;
+ break;
+ }
+@@ -19089,7 +19092,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ name = get_archive_member_name (&arch, &nested_arch);
+ if (name == NULL)
+ {
+- error (_("%s: bad archive file name\n"), filedata->file_name);
++ error (_("%s: bad archive file name\n"), arch.file_name);
+ ret = FALSE;
+ break;
+ }
+@@ -19098,7 +19101,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ qualified_name = make_qualified_name (&arch, &nested_arch, name);
+ if (qualified_name == NULL)
+ {
+- error (_("%s: bad archive file name\n"), filedata->file_name);
++ error (_("%s: bad archive file name\n"), arch.file_name);
+ ret = FALSE;
+ break;
+ }
+@@ -19144,7 +19147,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ if (nested_arch.file == NULL)
+ {
+ error (_("%s: contains corrupt thin archive: %s\n"),
+- filedata->file_name, name);
++ qualified_name, name);
+ ret = FALSE;
+ break;
+ }
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
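Review bot: The PR number is inconsistent inside this patch: the changelog entry in the header says `PR 14049` while the comment added in `process_archive` says `PR 24049`, and one of them should be corrected so the backport can be traced to the right upstream report. The new comment explains the switch away from `filedata->file_name` only at the `fread` failure path; the other replaced `error` calls would benefit from the same reason, or from a single comment above the loop such as `/* filedata->file_name may already be freed here; use arch.file_name. */`. `process_archive` starts and ends outside the inner hunks.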
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
new file mode 100644
index 00000000..24fb0312
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
@@ -0,0 +1,35 @@
+From 6a29d95602b09bb83d2c82b45ed935157fb780aa Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 31 Dec 2018 15:40:08 +1030
+Subject: [PATCH] PR24041, Invalid Memory Address Dereference in
+ elf_link_add_object_symbols
+
+ PR 24041
+ * elflink.c (elf_link_add_object_symbols): Don't segfault on
+ crafted ET_DYN with no program headers.
+
+CVE: CVE-2018-20651
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 46091b6341..557c550082 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -4178,7 +4178,7 @@ error_free_dyn:
+ all sections contained fully therein. This makes relro
+ shared library sections appear as they will at run-time. */
+ phdr = elf_tdata (abfd)->phdr + elf_elfheader (abfd)->e_phnum;
+- while (--phdr >= elf_tdata (abfd)->phdr)
++ while (phdr-- > elf_tdata (abfd)->phdr)
+ if (phdr->p_type == PT_GNU_RELRO)
+ {
+ for (s = abfd->sections; s != NULL; s = s->next)
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
new file mode 100644
index 00000000..9bd9207b
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
@@ -0,0 +1,49 @@
+From 8a5f4f2ebe7f35ac5646060fa51e3332f6ef388c Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 4 Jan 2019 13:44:34 +0000
+Subject: [PATCH] Fix a possible integer overflow problem when examining
+ corrupt binaries using a 32-bit binutil.
+
+ PR 24005
+ * objdump.c (load_specific_debug_section): Check for integer
+ overflow before attempting to allocate contents.
+
+CVE: CVE-2018-20671
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ binutils/objdump.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index f468fcdb59..89ca688938 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -2503,12 +2503,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
+ section->reloc_info = NULL;
+ section->num_relocs = 0;
+ section->address = bfd_get_section_vma (abfd, sec);
++ section->user_data = sec;
+ section->size = bfd_get_section_size (sec);
+ amt = section->size + 1;
++ if (amt == 0 || amt > bfd_get_file_size (abfd))
++ {
++ section->start = NULL;
++ free_debug_section (debug);
++ printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
++ section->name, (unsigned long long) section->size);
++ return FALSE;
++ }
+ section->start = contents = malloc (amt);
+- section->user_data = sec;
+- if (amt == 0
+- || section->start == NULL
++ if (section->start == NULL
+ || !bfd_get_full_section_contents (abfd, sec, &contents))
+ {
+ free_debug_section (debug);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
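Review bot: The new guard `amt > bfd_get_file_size (abfd)` assumes that a section can never be larger than the file and that the file size is always known. If `bfd_get_file_size` can return 0 when the size cannot be determined, or if `bfd_get_section_size` reports the uncompressed size of compressed debug data, valid sections would be rejected here; neither is visible in this hunk, so it is worth confirming. A guard of the form `if (amt == 0 || (filesize != 0 && amt > filesize))`, with `filesize` holding the call's result, would keep the overflow check while tolerating an unknown size. `load_specific_debug_section` begins before and continues after the inner hunk.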
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
new file mode 100644
index 00000000..3e95b922
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
@@ -0,0 +1,39 @@
+From 890f750a3b053532a4b839a2dd6243076de12031 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+
+ PR 24689
+ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031
+
+CVE: CVE-2019-12972
+Affects: <= 2.23.0
+Dropped Changelog
+Signed-off-by Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/bfd/elfcode.h
+===================================================================
+--- git.orig/bfd/elfcode.h
++++ git/bfd/elfcode.h
+@@ -747,7 +747,8 @@ elf_object_p (bfd *abfd)
+ /* A further sanity check. */
+ if (i_ehdrp->e_shnum != 0)
+ {
+- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
++ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+ {
+ /* PR 2257:
+ We used to just goto got_wrong_format_error here
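Review bot: The trailer `Signed-off-by Armin Kuster <akuster@mvista.com>` is missing its colon, so tools that parse trailers may not recognise the sign-off; it should read `Signed-off-by: Armin Kuster <akuster@mvista.com>`. The diffstat still lists `bfd/ChangeLog | 5 +++++` although the header says the changelog was dropped, and CVE-2019-14444.patch has the same mismatch (`2 files changed, 7 insertions(+), 1 deletion(-)` above a one-line change). In the code, a one-line comment on the added `sh_type != SHT_STRTAB` test, saying that only a string-table section is read from the file with a terminating NUL, would record why the check exists. `elf_object_p` starts and ends outside the inner hunk.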
diff --git a/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
new file mode 100644
index 00000000..499cf0e0
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
@@ -0,0 +1,33 @@
+From e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 5 Aug 2019 10:40:35 +0100
+Subject: [PATCH] Catch potential integer overflow in readelf when processing
+ corrupt binaries.
+
+ PR 24829
+ * readelf.c (apply_relocations): Catch potential integer overflow
+ whilst checking reloc location against section size.
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7
+CVE: CVE-2019-14444
+Dropped changelog
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/readelf.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
++++ git/binutils/readelf.c
+@@ -13113,7 +13113,7 @@ apply_relocations (Filedata *
+ }
+
+ rloc = start + rp->r_offset;
+- if ((rloc + reloc_size) > end || (rloc < start))
++ if (rloc >= end || (rloc + reloc_size) > end || (rloc < start))
+ {
+ warn (_("skipping invalid relocation offset 0x%lx in section %s\n"),
+ (unsigned long) rp->r_offset,
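Review bot: The added `rloc >= end` test still runs after `rloc = start + rp->r_offset`, so the pointer addition that can go out of range (and `rloc + reloc_size` after it) has already been evaluated by the time it is checked. Comparing the offset with the section length avoids forming the pointer at all, for example `if (rp->r_offset >= (bfd_vma) (end - start) || reloc_size > (bfd_vma) (end - start) - rp->r_offset)` placed before `rloc` is computed. The types of `r_offset` and `reloc_size` are not visible here, so the casts may need adjusting. `apply_relocations` starts before the inner hunk and the `warn` call is cut off at its end.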
diff --git a/external/poky/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/external/poky/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
deleted file mode 100644
index 1c84fb1c..00000000
--- a/external/poky/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ /dev/null
@@ -1,62 +0,0 @@
-SUMMARY = "cve-check-tool"
-DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\
-The tool will identify potentially vunlnerable software packages within Linux distributions through version matching."
-HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool"
-SECTION = "Development/Tools"
-LICENSE = "GPL-2.0+"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
-
-SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
- file://check-for-malloc_trim-before-using-it.patch \
- file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
- file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
- file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
- file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
- "
-
-SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
-SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b"
-
-UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases"
-
-DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates"
-
-RDEPENDS_${PN} = "ca-certificates"
-
-inherit pkgconfig autotools
-
-EXTRA_OECONF = "--disable-coverage --enable-relative-plugins"
-CFLAGS_append = " -Wno-error=pedantic"
-
-do_populate_cve_db() {
- if [ "${BB_NO_NETWORK}" = "1" ] ; then
- bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected"
- return
- fi
-
- # In case we don't inherit cve-check class, use default values defined in the class.
- cve_dir="${CVE_CHECK_DB_DIR}"
- cve_file="${CVE_CHECK_TMP_FILE}"
-
- [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"
- [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
-
- unused="${@bb.utils.export_proxies(d)}"
- bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
- # --cacert works around curl-native not finding the CA bundle
- if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
- printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
- else
- bbwarn "Error in executing cve-check-update"
- if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then
- bbwarn "Failed to update cve-check-tool database, CVEs won't be checked"
- fi
- fi
-}
-
-addtask populate_cve_db after do_populate_sysroot
-do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"
-do_populate_cve_db[nostamp] = "1"
-do_populate_cve_db[progress] = "percent"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
deleted file mode 100644
index 4a82cf2d..00000000
--- a/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
-From: Peter Marko <peter.marko@siemens.com>
-Date: Thu, 13 Apr 2017 23:09:52 +0200
-Subject: [PATCH] Fix freeing memory allocated by sqlite
-
-Upstream-Status: Backport
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- src/core.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/core.c b/src/core.c
-index 6263031..6788f16 100644
---- a/src/core.c
-+++ b/src/core.c
-@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
- rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
- if (rc != SQLITE_OK) {
- fprintf(stderr, "ensure_table(): %s\n", err);
-- free(err);
-+ sqlite3_free(err);
- return false;
- }
-
-@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
- rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
- if (rc != SQLITE_OK) {
- fprintf(stderr, "ensure_table(): %s\n", err);
-- free(err);
-+ sqlite3_free(err);
- return false;
- }
-
-@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
- rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
- if (rc != SQLITE_OK) {
- fprintf(stderr, "ensure_table(): %s\n", err);
-- free(err);
-+ sqlite3_free(err);
- return false;
- }
- if (err) {
-- free(err);
-+ sqlite3_free(err);
- }
-
- return true;
---
-2.1.4
-
diff --git a/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
deleted file mode 100644
index 3d8ebd1b..00000000
--- a/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
-From: Jussi Kukkonen <jussi.kukkonen@intel.com>
-Date: Thu, 9 Feb 2017 14:51:28 +0200
-Subject: [PATCH] curl: allow overriding default CA certificate file
-
-Similar to curl, --cacert can now be used in cve-check-tool and
-cve-check-update to override the default CA certificate file. Useful
-in cases where the system default is unsuitable (for example,
-out-dated) or broken (as in OE's current native libcurl, which embeds
-a path string from one build host and then uses it on another although
-the right path may have become something different).
-
-Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
-
-Took Patrick Ohlys original patch from meta-security-isafw, rebased
-on top of other patches.
-
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
----
- src/library/cve-check-tool.h | 1 +
- src/library/fetch.c | 10 +++++++++-
- src/library/fetch.h | 3 ++-
- src/main.c | 5 ++++-
- src/update-main.c | 4 +++-
- src/update.c | 12 +++++++-----
- src/update.h | 2 +-
- 7 files changed, 27 insertions(+), 10 deletions(-)
-
-diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
-index e4bb5b1..f89eade 100644
---- a/src/library/cve-check-tool.h
-+++ b/src/library/cve-check-tool.h
-@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
- bool bugs; /**<Whether bug tracking is enabled */
- GHashTable *mapping; /**<CVE Mapping */
- const char *output_file; /**<Output file, if any */
-+ const char *cacert_file; /**<Non-default SSL certificate file, if any */
- } CveCheckTool;
-
- /**
-diff --git a/src/library/fetch.c b/src/library/fetch.c
-index 0fe6d76..8f998c3 100644
---- a/src/library/fetch.c
-+++ b/src/library/fetch.c
-@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
- }
-
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-- unsigned int start_percent, unsigned int end_percent)
-+ unsigned int start_percent, unsigned int end_percent,
-+ const char *cacert_file)
- {
- FetchStatus ret = FETCH_STATUS_FAIL;
- CURLcode res;
-@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
- return ret;
- }
-
-+ if (cacert_file) {
-+ res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
-+ if (res != CURLE_OK) {
-+ goto bail;
-+ }
-+ }
-+
- if (stat(target, &st) == 0) {
- res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
- if (res != CURLE_OK) {
-diff --git a/src/library/fetch.h b/src/library/fetch.h
-index 4cce5d1..836c7d7 100644
---- a/src/library/fetch.h
-+++ b/src/library/fetch.h
-@@ -29,7 +29,8 @@ typedef enum {
- * @return A FetchStatus, indicating the operation taken
- */
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-- unsigned int this_percent, unsigned int next_percent);
-+ unsigned int this_percent, unsigned int next_percent,
-+ const char *cacert_file);
-
- /**
- * Attempt to extract the given gzipped file
-diff --git a/src/main.c b/src/main.c
-index 8e6f158..ae69d47 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -280,6 +280,7 @@ static bool csv_mode = false;
- static char *modified_stamp = NULL;
- static gchar *mapping_file = NULL;
- static gchar *output_file = NULL;
-+static gchar *cacert_file = NULL;
-
- static GOptionEntry _entries[] = {
- { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
-@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
- { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
- { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
- { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
-+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
- { .short_name = 0 }
- };
-
-@@ -492,6 +494,7 @@ int main(int argc, char **argv)
-
- quiet = csv_mode || !no_html;
- self->output_file = output_file;
-+ self->cacert_file = cacert_file;
-
- if (!csv_mode && self->output_file) {
- quiet = false;
-@@ -530,7 +533,7 @@ int main(int argc, char **argv)
- if (status) {
- fprintf(stderr, "Update of db forced\n");
- cve_db_unlock();
-- if (!update_db(quiet, db_path->str)) {
-+ if (!update_db(quiet, db_path->str, self->cacert_file)) {
- fprintf(stderr, "DB update failure\n");
- goto cleanup;
- }
-diff --git a/src/update-main.c b/src/update-main.c
-index 2379cfa..c52d9d0 100644
---- a/src/update-main.c
-+++ b/src/update-main.c
-@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
- static gchar *nvds = NULL;
- static bool _show_version = false;
- static bool _quiet = false;
-+static const char *_cacert_file = NULL;
-
- static GOptionEntry _entries[] = {
- { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
- { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
- { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
-+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
- { .short_name = 0 }
- };
-
-@@ -88,7 +90,7 @@ int main(int argc, char **argv)
- goto end;
- }
-
-- if (update_db(_quiet, db_path->str)) {
-+ if (update_db(_quiet, db_path->str, _cacert_file)) {
- ret = EXIT_SUCCESS;
- } else {
- fprintf(stderr, "Failed to update database\n");
-diff --git a/src/update.c b/src/update.c
-index 070560a..8cb4a39 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
-
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
- bool db_exist, bool verbose,
-- unsigned int this_percent, unsigned int next_percent)
-+ unsigned int this_percent, unsigned int next_percent,
-+ const char *cacert_file)
- {
- const char nvd_uri[] = URI_PREFIX;
- autofree(cve_string) *uri_meta = NULL;
-@@ -331,14 +332,14 @@ refetch:
- }
-
- /* Fetch NVD META file */
-- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
-+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
- if (st == FETCH_STATUS_FAIL) {
- fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
- return -1;
- }
-
- /* Fetch NVD XML file */
-- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
-+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
- switch (st) {
- case FETCH_STATUS_FAIL:
- fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
-@@ -391,7 +392,7 @@ refetch:
- return 0;
- }
-
--bool update_db(bool quiet, const char *db_file)
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file)
- {
- autofree(char) *db_dir = NULL;
- autofree(CveDB) *cve_db = NULL;
-@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
- if (!quiet)
- fprintf(stderr, "completed: %u%%\r", start_percent);
- rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
-- start_percent, end_percent);
-+ start_percent, end_percent,
-+ cacert_file);
- switch (rc) {
- case 0:
- if (!quiet)
-diff --git a/src/update.h b/src/update.h
-index b8e9911..ceea0c3 100644
---- a/src/update.h
-+++ b/src/update.h
-@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);
-
- int update_required(const char *db_file);
-
--bool update_db(bool quiet, const char *db_file);
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file);
-
-
- /*
---
-2.1.4
-
diff --git a/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
deleted file mode 100644
index 8ea6f686..00000000
--- a/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
-Date: Mon, 26 Sep 2016 12:12:41 +0100
-Subject: [PATCH] print progress in percent when downloading CVE db
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Upstream-Status: Pending
-Signed-off-by: André Draszik <git@andred.net>
----
- src/library/fetch.c | 28 +++++++++++++++++++++++++++-
- src/library/fetch.h | 3 ++-
- src/update.c | 16 ++++++++++++----
- 3 files changed, 41 insertions(+), 6 deletions(-)
-
-diff --git a/src/library/fetch.c b/src/library/fetch.c
-index 06d4b30..0fe6d76 100644
---- a/src/library/fetch.c
-+++ b/src/library/fetch.c
-@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f
- return fwrite(ptr, size, nmemb, f->f);
- }
-
--FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
-+struct percent_t {
-+ unsigned int start;
-+ unsigned int end;
-+};
-+
-+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow)
-+{
-+ (void) ultotal;
-+ (void) ulnow;
-+
-+ struct percent_t *percent = (struct percent_t *) ptr;
-+
-+ if (dltotal && percent && percent->end >= percent->start) {
-+ unsigned int diff = percent->end - percent->start;
-+ if (diff) {
-+ fprintf(stderr,"completed: %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal));
-+ }
-+ }
-+
-+ return 0;
-+}
-+
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-+ unsigned int start_percent, unsigned int end_percent)
- {
- FetchStatus ret = FETCH_STATUS_FAIL;
- CURLcode res;
- struct stat st;
- CURL *curl = NULL;
- struct fetch_t *f = NULL;
-+ struct percent_t percent = { .start = start_percent, .end = end_percent };
-
- curl = curl_easy_init();
- if (!curl) {
-@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
- }
- if (verbose) {
- (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);
-+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &percent);
-+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new);
- }
- res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func);
- if (res != CURLE_OK) {
-diff --git a/src/library/fetch.h b/src/library/fetch.h
-index 70c3779..4cce5d1 100644
---- a/src/library/fetch.h
-+++ b/src/library/fetch.h
-@@ -28,7 +28,8 @@ typedef enum {
- * @param verbose Whether to be verbose
- * @return A FetchStatus, indicating the operation taken
- */
--FetchStatus fetch_uri(const char *uri, const char *target, bool verbose);
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-+ unsigned int this_percent, unsigned int next_percent);
-
- /**
- * Attempt to extract the given gzipped file
-diff --git a/src/update.c b/src/update.c
-index 30fbe96..eaeeefd 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
- }
-
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
-- bool db_exist, bool verbose)
-+ bool db_exist, bool verbose,
-+ unsigned int this_percent, unsigned int next_percent)
- {
- const char nvd_uri[] = URI_PREFIX;
- autofree(cve_string) *uri_meta = NULL;
-@@ -330,14 +331,14 @@ refetch:
- }
-
- /* Fetch NVD META file */
-- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose);
-+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
- if (st == FETCH_STATUS_FAIL) {
- fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
- return -1;
- }
-
- /* Fetch NVD XML file */
-- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose);
-+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
- switch (st) {
- case FETCH_STATUS_FAIL:
- fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
-@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file)
- for (int i = YEAR_START; i <= year+1; i++) {
- int y = i > year ? -1 : i;
- int rc;
-+ unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START);
-+ unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START);
-
-- rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet);
-+ if (!quiet)
-+ fprintf(stderr, "completed: %u%%\r", start_percent);
-+ rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
-+ start_percent, end_percent);
- switch (rc) {
- case 0:
-+ if (!quiet)
-+ fprintf(stderr,"completed: %u%%\r", end_percent);
- continue;
- case ENOMEM:
- goto oom;
---
-2.9.3
-
diff --git a/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
deleted file mode 100644
index 458c0cc8..00000000
--- a/external/poky/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
-From: Sergey Popovich <popovich_sergei@mail.ua>
-Date: Fri, 21 Apr 2017 07:32:23 -0700
-Subject: [PATCH] update: Compare computed vs expected sha256 digit string
- ignoring case
-
-We produce sha256 digest string using %x snprintf()
-qualifier for each byte of digest which uses alphabetic
-characters from "a" to "f" in lower case to represent
-integer values from 10 to 15.
-
-Previously all of the NVD META files supply sha256
-digest string for corresponding XML file in lower case.
-
-However due to some reason this changed recently to
-provide digest digits in upper case causing fetched
-data consistency checks to fail. This prevents database
-from being updated periodically.
-
-While commit c4f6e94 (update: Do not treat sha256 failure
-as fatal if requested) adds useful option to skip
-digest validation at all and thus provides workaround for
-this situation, it might be unacceptable for some
-deployments where we need to ensure that downloaded
-data is consistent before start parsing it and update
-SQLite database.
-
-Use strcasecmp() to compare two digest strings case
-insensitively and addressing this case.
-
-Upstream-Status: Backport
-Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
----
- src/update.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/update.c b/src/update.c
-index 8588f38..3cc6b67 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
- snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
- }
-
-- ret = streq(csum_meta, csum_data);
-+ ret = !strcasecmp(csum_meta, csum_data);
-
- err_unmap:
- munmap(buffer, length);
---
-2.11.0
-
diff --git a/external/poky/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/external/poky/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
deleted file mode 100644
index 0774ad94..00000000
--- a/external/poky/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Mon, 22 Aug 2016 22:54:24 -0700
-Subject: [PATCH] Check for malloc_trim before using it
-
-malloc_trim is gnu specific and not all libc
-implement it, threfore write a configure check
-to poke for it first and use the define to
-guard its use.
-
-Helps in compiling on musl based systems
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
-Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/48]
- configure.ac | 2 ++
- src/core.c | 4 ++--
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index d3b66ce..79c3542 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0])
- m4_define([openssl_required_version],[1.0.0])
- # TODO: Set minimum sqlite
-
-+AC_CHECK_FUNCS_ONCE(malloc_trim)
-+
- PKG_CHECK_MODULES(CVE_CHECK_TOOL,
- [
- glib-2.0 >= glib_required_version,
-diff --git a/src/core.c b/src/core.c
-index 6263031..0d5df29 100644
---- a/src/core.c
-+++ b/src/core.c
-@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname)
- }
-
- b = true;
--
-+#ifdef HAVE_MALLOC_TRIM
- malloc_trim(0);
--
-+#endif
- xmlFreeTextReader(r);
- if (fd) {
- close(fd);
---
-2.9.3
-
diff --git a/external/poky/meta/recipes-devtools/elfutils/elfutils_0.175.bb b/external/poky/meta/recipes-devtools/elfutils/elfutils_0.175.bb
index e94a48ef..862a9b6c 100644
--- a/external/poky/meta/recipes-devtools/elfutils/elfutils_0.175.bb
+++ b/external/poky/meta/recipes-devtools/elfutils/elfutils_0.175.bb
@@ -31,6 +31,8 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
file://CVE-2019-7150.patch \
file://CVE-2019-7146_p1.patch \
file://CVE-2019-7146_p2.patch \
+ file://CVE-2019-7664.patch \
+ file://CVE-2019-7665.patch \
"
SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
diff --git a/external/poky/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch b/external/poky/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
new file mode 100644
index 00000000..e55dc5a0
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
@@ -0,0 +1,65 @@
+From 3ed05376e7b2c96c1d6eb24d2842cc25b79a4f07 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 12:25:57 +0100
+Subject: [PATCH] CVE: CVE-2019-7664
+
+Upstream-Status: Backport
+libelf: Correct overflow check in note_xlate.
+
+We want to make sure the note_len doesn't overflow and becomes shorter
+than the note header. But the namesz and descsz checks got the note header
+size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24084
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
+---
+ libelf/ChangeLog | 13 +++++++++++++
+ libelf/note_xlate.h | 4 ++--
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/libelf/ChangeLog b/libelf/ChangeLog
+index 68c4fbd..892e6e7 100644
+--- a/libelf/ChangeLog
++++ b/libelf/ChangeLog
+@@ -1,3 +1,16 @@
++<<<<<<< HEAD
++=======
++2019-01-16 Mark Wielaard <mark@klomp.org>
++
++ * note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
++ overflow note_len into note header.
++
++2018-11-17 Mark Wielaard <mark@klomp.org>
++
++ * elf32_updatefile.c (updatemmap): Make sure to call convert
++ function on a properly aligned destination.
++
++>>>>>>> e65d91d... libelf: Correct overflow check in note_xlate.
+ 2018-11-16 Mark Wielaard <mark@klomp.org>
+
+ * libebl.h (__elf32_msize): Mark with const attribute.
+diff --git a/libelf/note_xlate.h b/libelf/note_xlate.h
+index 9bdc3e2..bc9950f 100644
+--- a/libelf/note_xlate.h
++++ b/libelf/note_xlate.h
+@@ -46,13 +46,13 @@ elf_cvt_note (void *dest, const void *src, size_t len, int encode,
+ /* desc needs to be aligned. */
+ note_len += n->n_namesz;
+ note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
+- if (note_len > len || note_len < 8)
++ if (note_len > len || note_len < sizeof *n)
+ break;
+
+ /* data as a whole needs to be aligned. */
+ note_len += n->n_descsz;
+ note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
+- if (note_len > len || note_len < 8)
++ if (note_len > len || note_len < sizeof *n)
+ break;
+
+ /* Copy or skip the note data. */
+--
+2.7.4
+
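Review bot: The `libelf/ChangeLog` hunk inside this added patch still carries unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> e65d91d...`), so applying it writes those markers into the ChangeLog of the unpacked source. It also brings in a 2018-11-17 `elf32_updatefile.c` entry that has nothing to do with the note_xlate fix, which suggests the cherry-pick conflict was committed as it stood. Regenerate the patch with the conflict resolved, or drop the ChangeLog hunk and keep only the two `if (note_len > len || note_len < sizeof *n)` changes in `libelf/note_xlate.h`, which are the actual fix. The diffstat in the header (`2 files changed, 15 insertions(+), 2 deletions(-)`) would then need updating to match.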
diff --git a/external/poky/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch b/external/poky/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
new file mode 100644
index 00000000..a1bb3097
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
@@ -0,0 +1,154 @@
+From 4323d46c4a369b614aa1f574805860b3434552df Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 15:41:31 +0100
+Subject: [PATCH] CVE: CVE-2019-7665
+
+Upstream-Status: Backport
+
+Sign off: Shubham Agrawal <shuagr@microsoft.com>
+
+libebl: Check NT_PLATFORM core notes contain a zero terminated string.
+
+Most strings in core notes are fixed size. But NT_PLATFORM contains just
+a variable length string. Check that it is actually zero terminated
+before passing to readelf to print.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24089
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
+---
+ libdwfl/linux-core-attach.c | 9 +++++----
+ libebl/eblcorenote.c | 39 +++++++++++++++++++--------------------
+ libebl/libebl.h | 3 ++-
+ src/readelf.c | 2 +-
+ 4 files changed, 27 insertions(+), 26 deletions(-)
+
+diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c
+index 6c99b9e..c0f1b0d 100644
+--- a/libdwfl/linux-core-attach.c
++++ b/libdwfl/linux-core-attach.c
+@@ -137,7 +137,7 @@ core_next_thread (Dwfl *dwfl __attribute__ ((unused)), void *dwfl_arg,
+ const Ebl_Register_Location *reglocs;
+ size_t nitems;
+ const Ebl_Core_Item *items;
+- if (! ebl_core_note (core_arg->ebl, &nhdr, name,
++ if (! ebl_core_note (core_arg->ebl, &nhdr, name, desc,
+ &regs_offset, &nregloc, &reglocs, &nitems, &items))
+ {
+ /* This note may be just not recognized, skip it. */
+@@ -191,8 +191,9 @@ core_set_initial_registers (Dwfl_Thread *thread, void *thread_arg_voidp)
+ const Ebl_Register_Location *reglocs;
+ size_t nitems;
+ const Ebl_Core_Item *items;
+- int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, &regs_offset,
+- &nregloc, &reglocs, &nitems, &items);
++ int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, desc,
++ &regs_offset, &nregloc, &reglocs,
++ &nitems, &items);
+ /* __libdwfl_attach_state_for_core already verified the note is there. */
+ assert (core_note_err != 0);
+ assert (nhdr.n_type == NT_PRSTATUS);
+@@ -383,7 +384,7 @@ dwfl_core_file_attach (Dwfl *dwfl, Elf *core)
+ const Ebl_Register_Location *reglocs;
+ size_t nitems;
+ const Ebl_Core_Item *items;
+- if (! ebl_core_note (ebl, &nhdr, name,
++ if (! ebl_core_note (ebl, &nhdr, name, desc,
+ &regs_offset, &nregloc, &reglocs, &nitems, &items))
+ {
+ /* This note may be just not recognized, skip it. */
+diff --git a/libebl/eblcorenote.c b/libebl/eblcorenote.c
+index 783f981..7fab397 100644
+--- a/libebl/eblcorenote.c
++++ b/libebl/eblcorenote.c
+@@ -36,11 +36,13 @@
+ #include <inttypes.h>
+ #include <stdio.h>
+ #include <stddef.h>
++#include <string.h>
+ #include <libeblP.h>
+
+
+ int
+ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
++ const char *desc,
+ GElf_Word *regs_offset, size_t *nregloc,
+ const Ebl_Register_Location **reglocs, size_t *nitems,
+ const Ebl_Core_Item **items)
+@@ -51,28 +53,25 @@ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
+ {
+ /* The machine specific function did not know this type. */
+
+- *regs_offset = 0;
+- *nregloc = 0;
+- *reglocs = NULL;
+- switch (nhdr->n_type)
++ /* NT_PLATFORM is kind of special since it needs a zero terminated
++ string (other notes often have a fixed size string). */
++ static const Ebl_Core_Item platform[] =
+ {
+-#define ITEMS(type, table) \
+- case type: \
+- *items = table; \
+- *nitems = sizeof table / sizeof table[0]; \
+- result = 1; \
+- break
++ {
++ .name = "Platform",
++ .type = ELF_T_BYTE, .count = 0, .format = 's'
++ }
++ };
+
+- static const Ebl_Core_Item platform[] =
+- {
+- {
+- .name = "Platform",
+- .type = ELF_T_BYTE, .count = 0, .format = 's'
+- }
+- };
+- ITEMS (NT_PLATFORM, platform);
+-
+-#undef ITEMS
++ if (nhdr->n_type == NT_PLATFORM
++ && memchr (desc, '\0', nhdr->n_descsz) != NULL)
++ {
++ *regs_offset = 0;
++ *nregloc = 0;
++ *reglocs = NULL;
++ *items = platform;
++ *nitems = 1;
++ result = 1;
+ }
+ }
+
+diff --git a/libebl/libebl.h b/libebl/libebl.h
+index ca9b9fe..24922eb 100644
+--- a/libebl/libebl.h
++++ b/libebl/libebl.h
+@@ -319,7 +319,8 @@ typedef struct
+
+ /* Describe the format of a core file note with the given header and NAME.
+ NAME is not guaranteed terminated, it's NHDR->n_namesz raw bytes. */
+-extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
++extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
++ const char *name, const char *desc,
+ GElf_Word *regs_offset, size_t *nregloc,
+ const Ebl_Register_Location **reglocs,
+ size_t *nitems, const Ebl_Core_Item **items)
+diff --git a/src/readelf.c b/src/readelf.c
+index 3a73710..71651e0 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -12153,7 +12153,7 @@ handle_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
+ size_t nitems;
+ const Ebl_Core_Item *items;
+
+- if (! ebl_core_note (ebl, nhdr, name,
++ if (! ebl_core_note (ebl, nhdr, name, desc,
+ &regs_offset, &nregloc, &reglocs, &nitems, &items))
+ return;
+
+--
+2.7.4
+
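Review bot: The provenance trailers in this patch header are not in the form that tooling and auditors expect. `Sign off: Shubham Agrawal <shuagr@microsoft.com>` is not a `Signed-off-by:` line, and the second `Signed-off-by:` names a default build-VM account (`Ubuntu <lisa@…cloudapp.net>`) rather than a person; CVE-2019-7664.patch carries the same machine-generated sign-off. I would replace both with `Signed-off-by: Shubham Agrawal <shuagr@microsoft.com>` and add a `CVE: CVE-2019-7665` trailer beside `Upstream-Status: Backport` instead of relying on the Subject line. Naming the upstream commit in brackets after `Backport` would let a reviewer compare this backport with its source.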
diff --git a/external/poky/meta/recipes-devtools/gcc/gcc-8.2.inc b/external/poky/meta/recipes-devtools/gcc/gcc-8.2.inc
index 866a7755..bd95ccda 100644
--- a/external/poky/meta/recipes-devtools/gcc/gcc-8.2.inc
+++ b/external/poky/meta/recipes-devtools/gcc/gcc-8.2.inc
@@ -73,6 +73,7 @@ SRC_URI = "\
${BACKPORTS} \
"
BACKPORTS = "\
+ file://CVE-2019-14250.patch \
"
SRC_URI[md5sum] = "4ab282f414676496483b3e1793d07862"
SRC_URI[sha256sum] = "196c3c04ba2613f893283977e6011b2345d1cd1af9abeac58e916b1aab3e0080"
diff --git a/external/poky/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch b/external/poky/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch
new file mode 100644
index 00000000..e327684e
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch
@@ -0,0 +1,44 @@
+From a4f1b58eb48b349a5f353bc69c30be553506d33b Mon Sep 17 00:00:00 2001
+From: rguenth <rguenth@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 25 Jul 2019 10:48:26 +0000
+Subject: [PATCH] 2019-07-25 Richard Biener <rguenther@suse.de>
+
+ PR lto/90924
+ Backport from mainline
+ 2019-07-12 Ren Kimura <rkx1209dev@gmail.com>
+
+ * simple-object-elf.c (simple_object_elf_match): Check zero value
+ shstrndx.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@273794 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+Affectes: < 9.2
+CVE: CVE-2019-14250
+Dropped changelog
+Signed-off-by: Armin Kuster <Akustre@mvista.com>
+
+---
+ libiberty/simple-object-elf.c | 8 ++++++++
+ 2 files changed, 17 insertions(+)
+
+Index: gcc-8.2.0/libiberty/simple-object-elf.c
+===================================================================
+--- gcc-8.2.0.orig/libiberty/simple-object-elf.c
++++ gcc-8.2.0/libiberty/simple-object-elf.c
+@@ -549,6 +549,14 @@ simple_object_elf_match (unsigned char h
+ return NULL;
+ }
+
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
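Review bot: The patch header no longer matches its body: the diffstat still reads `2 files changed, 17 insertions(+)` while only `libiberty/simple-object-elf.c` with 8 added lines remains after the changelog was dropped, and the trailer `Affectes: < 9.2` is misspelled. Anyone checking this backport against the upstream revision has to work out for themselves that the missing file was the ChangeLog. I would correct the summary to `1 file changed, 8 insertions(+)` and spell the trailer `Affects: < 9.2`.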
diff --git a/external/poky/meta/recipes-devtools/go/go-1.11.inc b/external/poky/meta/recipes-devtools/go/go-1.11.inc
index 401e71fe..90d40376 100644
--- a/external/poky/meta/recipes-devtools/go/go-1.11.inc
+++ b/external/poky/meta/recipes-devtools/go/go-1.11.inc
@@ -1,7 +1,7 @@
require go-common.inc
GO_BASEVERSION = "1.11"
-GO_MINOR = ".10"
+GO_MINOR = ".13"
PV .= "${GO_MINOR}"
FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
@@ -19,5 +19,5 @@ SRC_URI += "\
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
-SRC_URI[main.md5sum] = "f2d2e44b9954b827daa8ad4d936a7a82"
-SRC_URI[main.sha256sum] = "df27e96a9d1d362c46ecd975f1faa56b8c300f5c529074e9ea79bdd885493c1b"
+SRC_URI[main.md5sum] = "32e71746981695517387a2149eb541ef"
+SRC_URI[main.sha256sum] = "5032095fd3f641cafcce164f551e5ae873785ce7b07ca7c143aecd18f7ba4076"
diff --git a/external/poky/meta/recipes-devtools/json-c/json-c_0.13.1.bb b/external/poky/meta/recipes-devtools/json-c/json-c_0.13.1.bb
index 5b10e682..e6a38995 100644
--- a/external/poky/meta/recipes-devtools/json-c/json-c_0.13.1.bb
+++ b/external/poky/meta/recipes-devtools/json-c/json-c_0.13.1.bb
@@ -20,8 +20,6 @@ RPROVIDES_${PN} = "libjson"
inherit autotools
-EXTRA_OECONF = "--enable-rdrand"
-
do_configure_prepend() {
# Clean up autoconf cruft that should not be in the tarball
rm -f ${S}/config.status
diff --git a/external/poky/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch b/external/poky/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch
new file mode 100644
index 00000000..b8cfb3c4
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch
@@ -0,0 +1,97 @@
+From cea10cd1f2ef6bb4edaac0c1d46d47bf237c42b8 Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <rschiron@redhat.com>
+Date: Mon, 21 Jan 2019 18:11:42 +0100
+Subject: [PATCH] Fix UAF in comps_objmrtree_unite function
+
+The added field is not used at all in many places and it is probably the
+left-over of some copy-paste.
+
+Upstream-Status: Backport
+[https://github.com/rpm-software-management/libcomps/commit
+/e3a5d056633677959ad924a51758876d415e7046]
+
+CVE: CVE-2019-3817
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ libcomps/src/comps_mradix.c | 2 --
+ libcomps/src/comps_objmradix.c | 2 --
+ libcomps/src/comps_objradix.c | 2 --
+ libcomps/src/comps_radix.c | 1 -
+ 4 files changed, 7 deletions(-)
+
+diff --git a/libcomps/src/comps_mradix.c b/libcomps/src/comps_mradix.c
+index 338cb07..6ceb7c9 100644
+--- a/libcomps/src/comps_mradix.c
++++ b/libcomps/src/comps_mradix.c
+@@ -177,7 +177,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -195,7 +194,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+ parent_pair = (struct Pair*) it->data;
+ free(it);
+
+- pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_MRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objmradix.c b/libcomps/src/comps_objmradix.c
+index 9be6648..8771c89 100644
+--- a/libcomps/src/comps_objmradix.c
++++ b/libcomps/src/comps_objmradix.c
+@@ -285,7 +285,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -303,7 +302,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+ parent_pair = (struct Pair*) it->data;
+ free(it);
+
+- pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_ObjMRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objradix.c b/libcomps/src/comps_objradix.c
+index a790270..0ebaf22 100644
+--- a/libcomps/src/comps_objradix.c
++++ b/libcomps/src/comps_objradix.c
+@@ -692,7 +692,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -711,7 +710,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+ //printf("key-part:%s\n", parent_pair->key);
+ free(it);
+
+- //pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_ObjRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_radix.c b/libcomps/src/comps_radix.c
+index ada4fda..05dcaf2 100644
+--- a/libcomps/src/comps_radix.c
++++ b/libcomps/src/comps_radix.c
+@@ -529,7 +529,6 @@ void comps_rtree_unite(COMPS_RTree *rt1, COMPS_RTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+--
+2.22.0
+
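Review bot: The `Upstream-Status: Backport` reference is split across two lines, so the upstream commit URL cannot be followed or matched by a script as written. Put it on one line: `Upstream-Status: Backport [https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046]`. The description would also be easier to audit if it said why the removed `pair->added = 0;` store is the use-after-free. It appears to write through `pair` after the structure it pointed to was released, but the surrounding function bodies lie outside the inner hunks, so that reading is inferred.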
diff --git a/external/poky/meta/recipes-devtools/libcomps/libcomps_git.bb b/external/poky/meta/recipes-devtools/libcomps/libcomps_git.bb
index e69bf677..b657f337 100644
--- a/external/poky/meta/recipes-devtools/libcomps/libcomps_git.bb
+++ b/external/poky/meta/recipes-devtools/libcomps/libcomps_git.bb
@@ -6,6 +6,7 @@ SRC_URI = "git://github.com/rpm-software-management/libcomps.git \
file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
file://0002-Set-library-installation-path-correctly.patch \
file://0001-Make-__comps_objmrtree_all-static-inline.patch \
+ file://CVE-2019-3817.patch \
"
PV = "0.1.8+git${SRCPV}"
diff --git a/external/poky/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch b/external/poky/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
new file mode 100644
index 00000000..9891526e
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
@@ -0,0 +1,93 @@
+From 7f770b9c20da1a192dad8cb572a6391f2773285a Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Thu, 3 May 2018 14:31:55 +0200
+Subject: [PATCH 1/2] Don't leak temporary file on failed ed-style patch
+
+Now that we write ed-style patches to a temporary file before we
+apply them, we need to ensure that the temporary file is removed
+before we leave, even on fatal error.
+
+* src/pch.c (do_ed_script): Use global TMPEDNAME instead of local
+ tmpname. Don't unlink the file directly, instead tag it for removal
+ at exit time.
+* src/patch.c (cleanup): Unlink TMPEDNAME at exit.
+
+This closes bug #53820:
+https://savannah.gnu.org/bugs/index.php?53820
+
+Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=19599883ffb6a450d2884f081f8ecf68edbed7ee]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ src/common.h | 2 ++
+ src/pch.c | 12 +++++-------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/common.h b/src/common.h
+index ec50b40..22238b5 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -94,10 +94,12 @@ XTERN char const *origsuff;
+ XTERN char const * TMPINNAME;
+ XTERN char const * TMPOUTNAME;
+ XTERN char const * TMPPATNAME;
++XTERN char const * TMPEDNAME;
+
+ XTERN bool TMPINNAME_needs_removal;
+ XTERN bool TMPOUTNAME_needs_removal;
+ XTERN bool TMPPATNAME_needs_removal;
++XTERN bool TMPEDNAME_needs_removal;
+
+ #ifdef DEBUGGING
+ XTERN int debug;
+diff --git a/src/pch.c b/src/pch.c
+index 16e001a..c1a62cf 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2392,7 +2392,6 @@ do_ed_script (char const *inname, char const *outname,
+ file_offset beginning_of_this_line;
+ size_t chars_read;
+ FILE *tmpfp = 0;
+- char const *tmpname;
+ int tmpfd;
+ pid_t pid;
+
+@@ -2404,12 +2403,13 @@ do_ed_script (char const *inname, char const *outname,
+ invalid commands and treats the next line as a new command, which
+ can lead to arbitrary command execution. */
+
+- tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++ tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0);
+ if (tmpfd == -1)
+- pfatal ("Can't create temporary file %s", quotearg (tmpname));
++ pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME));
++ TMPEDNAME_needs_removal = true;
+ tmpfp = fdopen (tmpfd, "w+b");
+ if (! tmpfp)
+- pfatal ("Can't open stream for file %s", quotearg (tmpname));
++ pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME));
+ }
+
+ for (;;) {
+@@ -2449,8 +2449,7 @@ do_ed_script (char const *inname, char const *outname,
+ write_fatal ();
+
+ if (lseek (tmpfd, 0, SEEK_SET) == -1)
+- pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
+-
++ pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME));
+ if (! dry_run && ! skip_rest_of_patch) {
+ int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+ *outname_needs_removal = true;
+@@ -2482,7 +2481,6 @@ do_ed_script (char const *inname, char const *outname,
+ }
+
+ fclose (tmpfp);
+- safe_unlink (tmpname);
+
+ if (ofp)
+ {
+--
+2.17.0
+
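Review bot: The description lists `src/patch.c (cleanup): Unlink TMPEDNAME at exit`, but the patch as added touches only `src/common.h` and `src/pch.c`, so the `cleanup` change appears to have been dropped from this backport. The `src/pch.c` hunks remove `safe_unlink (tmpname)` and only set `TMPEDNAME_needs_removal = true`, so nothing in this patch deletes the temporary ed script when `pfatal` ends the run. The follow-up multi-file patch adds a removal only in `main`'s per-file loop. Unless `cleanup` in the recipe's base version already handles this (not visible here), restore the upstream hunk that adds `remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal);` to `cleanup` in `src/patch.c`.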
diff --git a/external/poky/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch b/external/poky/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
new file mode 100644
index 00000000..d6a219a1
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
@@ -0,0 +1,80 @@
+From 369dcccdfa6336e5a873d6d63705cfbe04c55727 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 7 May 2018 15:14:45 +0200
+Subject: Don't leak temporary file on failed multi-file ed-style patch
+
+The previous fix worked fine with single-file ed-style patches, but
+would still leak temporary files in the case of multi-file ed-style
+patch. Fix that case as well, and extend the test case to check for
+it.
+
+* src/patch.c (main): Unlink TMPEDNAME if needed before moving to
+ the next file in a patch.
+
+This closes bug #53820:
+https://savannah.gnu.org/bugs/index.php?53820
+
+Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch")
+
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=369dcccdfa6336e5a873d6d63705cfbe04c55727]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ src/patch.c | 1 +
+ tests/ed-style | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/src/patch.c b/src/patch.c
+index 9146597..81c7a02 100644
+--- a/src/patch.c
++++ b/src/patch.c
+@@ -236,6 +236,7 @@ main (int argc, char **argv)
+ }
+ remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal);
+ }
++ remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal);
+
+ if (! skip_rest_of_patch && ! file_type)
+ {
+diff --git a/tests/ed-style b/tests/ed-style
+index 6b6ef9d..504e6e5 100644
+--- a/tests/ed-style
++++ b/tests/ed-style
+@@ -38,3 +38,34 @@ EOF
+ check 'cat foo' <<EOF
+ foo
+ EOF
++
++# Test the case where one ed-style patch modifies several files
++
++cat > ed3.diff <<EOF
++--- foo
+++++ foo
++1c
++bar
++.
++--- baz
+++++ baz
++0a
++baz
++.
++EOF
++
++# Apparently we can't create a file with such a patch, while it works fine
++# when the file name is provided on the command line
++cat > baz <<EOF
++EOF
++
++check 'patch -e -i ed3.diff' <<EOF
++EOF
++
++check 'cat foo' <<EOF
++bar
++EOF
++
++check 'cat baz' <<EOF
++baz
++EOF
+--
+cgit v1.0-41-gc330
+
diff --git a/external/poky/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch b/external/poky/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
new file mode 100644
index 00000000..f60dfe87
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
@@ -0,0 +1,44 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: [PATCH] Invoke ed directly instead of using the shell
+
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+
+CVE: CVE-2019-13638
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+---
+ src/pch.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+ *outname_needs_removal = true;
+ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ }
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+ fflush (stdout);
+
+ pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+ else if (pid == 0)
+ {
+ dup2 (tmpfd, 0);
+- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ assert (outname[0] != '!' && outname[0] != '-');
++ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
+ _exit (2);
+ }
+ else
+--
+2.7.4
+
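Review bot: The guard on `outname` in the child branch of do_ed_script is written as an `assert`, which is compiled out when patch is built with `NDEBUG`, so in such a build the check that the file name cannot start with `!` or `-` disappears without notice. An explicit test keeps it in every configuration: `if (outname[0] == '!' || outname[0] == '-') _exit (2);`. The removed `sprintf` passed `- ` to ed only when `verbosity != VERBOSE`, while the new `execlp` passes `"-"` unconditionally; if that is intended, a one-line comment saying so would help the next reader. do_ed_script begins and ends outside these hunks.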
diff --git a/external/poky/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch b/external/poky/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
new file mode 100644
index 00000000..9f8b6db0
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
@@ -0,0 +1,113 @@
+From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 16:21:48 +0200
+Subject: Don't follow symlinks unless --follow-symlinks is given
+
+* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,
+append_to_file): Unless the --follow-symlinks option is given, open files with
+the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing
+that consistently for input files.
+* src/util.c (create_backup): When creating empty backup files, (re)create them
+with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
+
+CVE: CVE-2019-13636
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ src/inp.c | 12 ++++++++++--
+ src/util.c | 14 +++++++++++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/inp.c b/src/inp.c
+index 32d0919..22d7473 100644
+--- a/src/inp.c
++++ b/src/inp.c
+@@ -238,8 +238,13 @@ plan_a (char const *filename)
+ {
+ if (S_ISREG (instat.st_mode))
+ {
+- int ifd = safe_open (filename, O_RDONLY|binary_transput, 0);
++ int flags = O_RDONLY | binary_transput;
+ size_t buffered = 0, n;
++ int ifd;
++
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ ifd = safe_open (filename, flags, 0);
+ if (ifd < 0)
+ pfatal ("can't open file %s", quotearg (filename));
+
+@@ -340,6 +345,7 @@ plan_a (char const *filename)
+ static void
+ plan_b (char const *filename)
+ {
++ int flags = O_RDONLY | binary_transput;
+ int ifd;
+ FILE *ifp;
+ int c;
+@@ -353,7 +359,9 @@ plan_b (char const *filename)
+
+ if (instat.st_size == 0)
+ filename = NULL_DEVICE;
+- if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ if ((ifd = safe_open (filename, flags, 0)) < 0
+ || ! (ifp = fdopen (ifd, binary_transput ? "rb" : "r")))
+ pfatal ("Can't open file %s", quotearg (filename));
+ if (TMPINNAME_needs_removal)
+diff --git a/src/util.c b/src/util.c
+index 1cc08ba..fb38307 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original)
+
+ try_makedirs_errno = ENOENT;
+ safe_unlink (bakname);
+- while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0)
++ while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0)
+ {
+ if (errno != try_makedirs_errno)
+ pfatal ("Can't create file %s", quotearg (bakname));
+@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode,
+ static void
+ copy_to_fd (const char *from, int tofd)
+ {
++ int from_flags = O_RDONLY | O_BINARY;
+ int fromfd;
+ ssize_t i;
+
+- if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0)
++ if (! follow_symlinks)
++ from_flags |= O_NOFOLLOW;
++ if ((fromfd = safe_open (from, from_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (from));
+ while ((i = read (fromfd, buf, bufsize)) != 0)
+ {
+@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ else
+ {
+ assert (S_ISREG (mode));
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
+ tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode,
+ to_dir_known_to_exist);
+ copy_to_fd (from, tofd);
+@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ void
+ append_to_file (char const *from, char const *to)
+ {
++ int to_flags = O_WRONLY | O_APPEND | O_BINARY;
+ int tofd;
+
+- if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0)
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
++ if ((tofd = safe_open (to, to_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (to));
+ copy_to_fd (from, tofd);
+ if (close (tofd) != 0)
+--
+cgit v1.0-41-gc330
+
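Review bot: The `if (! follow_symlinks) flags |= O_NOFOLLOW;` step is repeated by hand in plan_a, plan_b, copy_to_fd, copy_file and append_to_file, so a later open of a patch target can miss it without anyone noticing. A one-line helper such as `static int nofollow_flag (void) { return follow_symlinks ? 0 : O_NOFOLLOW; }`, OR-ed into the flags at each `safe_open`/`create_file` call, would keep the policy in one place. In create_backup, `O_TRUNC` is redundant next to `O_CREAT | O_EXCL`; I would drop it and add a comment that `O_EXCL` makes the open fail if anything reappears at `bakname` after `safe_unlink`. `O_NOFOLLOW` only refuses a symlink as the last path component; presumably `safe_open` covers the earlier ones, which is worth stating in a comment since the hunks do not show it. All of these functions continue outside the hunks.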
diff --git a/external/poky/meta/recipes-devtools/patch/patch_2.7.6.bb b/external/poky/meta/recipes-devtools/patch/patch_2.7.6.bb
index 85b0db73..5d7f55f8 100644
--- a/external/poky/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/external/poky/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -6,6 +6,10 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch \
file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
+ file://CVE-2019-13636.patch \
+ file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
+ file://0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch \
+ file://0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch \
"
SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
diff --git a/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch b/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch
new file mode 100644
index 00000000..ba8cf151
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch
@@ -0,0 +1,183 @@
+From 4706b65d7c835c0bb219db160fbcdbcd98efab2d Mon Sep 17 00:00:00 2001
+From: David Mitchell <davem@iabyn.com>
+Date: Fri, 29 Jun 2018 13:37:03 +0100
+Subject: [PATCH] Perl_my_setenv(); handle integer wrap
+
+RT #133204
+
+Wean this function off int/I32 and onto UV/Size_t.
+Also, replace all malloc-ish calls with a wrapper that does
+overflow checks,
+
+In particular, it was doing (nlen + vlen + 2) which could wrap when
+the combined length of the environment variable name and value
+exceeded around 0x7fffffff.
+
+The wrapper check function is probably overkill, but belt and braces...
+
+NB this function has several variant parts, #ifdef'ed by platform
+type; I have blindly changed the parts that aren't compiled under linux.
+
+(cherry picked from commit 34716e2a6ee2af96078d62b065b7785c001194be)
+
+CVE: CVE-2018-18311
+Upstream-Status: Backport
+[https://perl5.git.perl.org/perl.git/commit/5737d31aac51360cc1eb412ef059e36147c9d6d6]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ util.c | 76 ++++++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 53 insertions(+), 23 deletions(-)
+
+diff --git a/util.c b/util.c
+index 7c3d271f51..27f4eddf3b 100644
+--- a/util.c
++++ b/util.c
+@@ -2160,8 +2160,40 @@ Perl_new_warnings_bitfield(pTHX_ STRLEN *buffer, const char *const bits,
+ *(s+(nlen+1+vlen)) = '\0'
+
+ #ifdef USE_ENVIRON_ARRAY
+- /* VMS' my_setenv() is in vms.c */
++
++/* small wrapper for use by Perl_my_setenv that mallocs, or reallocs if
++ * 'current' is non-null, with up to three sizes that are added together.
++ * It handles integer overflow.
++ */
++static char *
++S_env_alloc(void *current, Size_t l1, Size_t l2, Size_t l3, Size_t size)
++{
++ void *p;
++ Size_t sl, l = l1 + l2;
++
++ if (l < l2)
++ goto panic;
++ l += l3;
++ if (l < l3)
++ goto panic;
++ sl = l * size;
++ if (sl < l)
++ goto panic;
++
++ p = current
++ ? safesysrealloc(current, sl)
++ : safesysmalloc(sl);
++ if (p)
++ return (char*)p;
++
++ panic:
++ croak_memory_wrap();
++}
++
++
++/* VMS' my_setenv() is in vms.c */
+ #if !defined(WIN32) && !defined(NETWARE)
++
+ void
+ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ {
+@@ -2177,28 +2209,27 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ #ifndef PERL_USE_SAFE_PUTENV
+ if (!PL_use_safe_putenv) {
+ /* most putenv()s leak, so we manipulate environ directly */
+- I32 i;
+- const I32 len = strlen(nam);
+- int nlen, vlen;
++ UV i;
++ Size_t vlen, nlen = strlen(nam);
+
+ /* where does it go? */
+ for (i = 0; environ[i]; i++) {
+- if (strnEQ(environ[i],nam,len) && environ[i][len] == '=')
++ if (strnEQ(environ[i], nam, nlen) && environ[i][nlen] == '=')
+ break;
+ }
+
+ if (environ == PL_origenviron) { /* need we copy environment? */
+- I32 j;
+- I32 max;
++ UV j, max;
+ char **tmpenv;
+
+ max = i;
+ while (environ[max])
+ max++;
+- tmpenv = (char**)safesysmalloc((max+2) * sizeof(char*));
++ /* XXX shouldn't that be max+1 rather than max+2 ??? - DAPM */
++ tmpenv = (char**)S_env_alloc(NULL, max, 2, 0, sizeof(char*));
+ for (j=0; j<max; j++) { /* copy environment */
+- const int len = strlen(environ[j]);
+- tmpenv[j] = (char*)safesysmalloc((len+1)*sizeof(char));
++ const Size_t len = strlen(environ[j]);
++ tmpenv[j] = S_env_alloc(NULL, len, 1, 0, 1);
+ Copy(environ[j], tmpenv[j], len+1, char);
+ }
+ tmpenv[max] = NULL;
+@@ -2217,15 +2248,15 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ #endif
+ }
+ if (!environ[i]) { /* does not exist yet */
+- environ = (char**)safesysrealloc(environ, (i+2) * sizeof(char*));
++ environ = (char**)S_env_alloc(environ, i, 2, 0, sizeof(char*));
+ environ[i+1] = NULL; /* make sure it's null terminated */
+ }
+ else
+ safesysfree(environ[i]);
+- nlen = strlen(nam);
++
+ vlen = strlen(val);
+
+- environ[i] = (char*)safesysmalloc((nlen+vlen+2) * sizeof(char));
++ environ[i] = S_env_alloc(NULL, nlen, vlen, 2, 1);
+ /* all that work just for this */
+ my_setenv_format(environ[i], nam, nlen, val, vlen);
+ } else {
+@@ -2250,22 +2281,21 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ if (environ) /* old glibc can crash with null environ */
+ (void)unsetenv(nam);
+ } else {
+- const int nlen = strlen(nam);
+- const int vlen = strlen(val);
+- char * const new_env =
+- (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
++ const Size_t nlen = strlen(nam);
++ const Size_t vlen = strlen(val);
++ char * const new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+ my_setenv_format(new_env, nam, nlen, val, vlen);
+ (void)putenv(new_env);
+ }
+ # else /* ! HAS_UNSETENV */
+ char *new_env;
+- const int nlen = strlen(nam);
+- int vlen;
++ const Size_t nlen = strlen(nam);
++ Size_t vlen;
+ if (!val) {
+ val = "";
+ }
+ vlen = strlen(val);
+- new_env = (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
++ new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+ /* all that work just for this */
+ my_setenv_format(new_env, nam, nlen, val, vlen);
+ (void)putenv(new_env);
+@@ -2288,14 +2318,14 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ {
+ dVAR;
+ char *envstr;
+- const int nlen = strlen(nam);
+- int vlen;
++ const Size_t nlen = strlen(nam);
++ Size_t vlen;
+
+ if (!val) {
+ val = "";
+ }
+ vlen = strlen(val);
+- Newx(envstr, nlen+vlen+2, char);
++ envstr = S_env_alloc(NULL, nlen, vlen, 2, 1);
+ my_setenv_format(envstr, nam, nlen, val, vlen);
+ (void)PerlEnv_putenv(envstr);
+ Safefree(envstr);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
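Review bot: In S_env_alloc the multiplication check `sl = l * size; if (sl < l) goto panic;` does not catch every wrap: with `size` equal to 8 and a 64-bit `Size_t`, `l = 3 << 60` gives a product that wraps to `1 << 63`, which is still larger than `l`. A division-based test is exact: `if (size && l > ((Size_t)-1) / size) goto panic;`. The visible callers pass an environ entry count or `strlen` results, so this is probably not reachable in practice, but the helper's own comment promises that it handles integer overflow. Separately, a NULL return from the allocator falls through to `panic:` and is reported as a memory wrap; if `safesysmalloc`/`safesysrealloc` can return NULL here, a comment noting that this is deliberate would help.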
diff --git a/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18312.patch b/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18312.patch
new file mode 100644
index 00000000..1c342654
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18312.patch
Binary files differ
diff --git a/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18313.patch b/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18313.patch
new file mode 100644
index 00000000..540aa073
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18313.patch
@@ -0,0 +1,60 @@
+From 3458f6115ca8e8d11779948c12b7e1cc5803358c Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Sat, 25 Mar 2017 15:00:22 -0600
+Subject: [PATCH 2/3] regcomp.c: Convert some strchr to memchr
+
+This allows things to work properly in the face of embedded NULs.
+See the branch merge message for more information.
+
+(cherry picked from commit 43b2f4ef399e2fd7240b4eeb0658686ad95f8e62)
+
+CVE: CVE-2018-18313
+Upstream-Status: Backport
+[https://perl5.git.perl.org/perl.git/commit/c1c28ce6ba90ee05aa96b11ad551a6063680f3b9]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ regcomp.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index 00d26d9290..2688979882 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -11783,8 +11783,9 @@ S_grok_bslash_N(pTHX_ RExC_state_t *pRExC_state,
+
+ RExC_parse++; /* Skip past the '{' */
+
+- if (! (endbrace = strchr(RExC_parse, '}')) /* no trailing brace */
+- || ! (endbrace == RExC_parse /* nothing between the {} */
++ endbrace = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
++ if ((! endbrace) /* no trailing brace */
++ || ! (endbrace == RExC_parse /* nothing between the {} */
+ || (endbrace - RExC_parse >= 2 /* U+ (bad hex is checked... */
+ && strnEQ(RExC_parse, "U+", 2)))) /* ... below for a better
+ error msg) */
+@@ -12483,9 +12484,11 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
+ else {
+ STRLEN length;
+ char name = *RExC_parse;
+- char * endbrace;
++ char * endbrace = NULL;
+ RExC_parse += 2;
+- endbrace = strchr(RExC_parse, '}');
++ if (RExC_parse < RExC_end) {
++ endbrace = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
++ }
+
+ if (! endbrace) {
+ vFAIL2("Missing right brace on \\%c{}", name);
+@@ -15939,7 +15942,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
+ vFAIL2("Empty \\%c", (U8)value);
+ if (*RExC_parse == '{') {
+ const U8 c = (U8)value;
+- e = strchr(RExC_parse, '}');
++ e = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
+ if (!e) {
+ RExC_parse++;
+ vFAIL2("Missing right brace on \\%c{}", c);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
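Review bot: Only the S_regatom site guards the length with `if (RExC_parse < RExC_end)` before calling `memchr`; the S_grok_bslash_N and S_regclass sites pass `RExC_end - RExC_parse` unguarded, and a negative difference would convert to a very large `size_t`. Both look safe because `RExC_parse` has just been seen to point at, or one past, a `{`, but that depends on checks outside the hunks. I would either apply the same guard at all three sites or put a comment such as `/* RExC_parse <= RExC_end here: it pointed at '{' */` above the two unguarded calls. All three functions continue outside the hunks.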
diff --git a/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18314.patch b/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18314.patch
new file mode 100644
index 00000000..e84e7bc4
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/perl/perl/CVE-2018-18314.patch
@@ -0,0 +1,271 @@
+From 6a2d07f43ae7cfcb2eb30cf39751f2f7fed7ecc1 Mon Sep 17 00:00:00 2001
+From: Yves Orton <demerphq@gmail.com>
+Date: Mon, 26 Jun 2017 13:19:55 +0200
+Subject: [PATCH 3/3] fix #131649 - extended charclass can trigger assert
+
+The extended charclass parser makes some assumptions during the
+first pass which are only true on well structured input, and it
+does not properly catch various errors. later on the code assumes
+that things the first pass will let through are valid, when in
+fact they should trigger errors.
+
+(cherry picked from commit 19a498a461d7c81ae3507c450953d1148efecf4f)
+
+CVE: CVE-2018-18314
+Upstream-Status: Backport
+[https://perl5.git.perl.org/perl.git/commit/dabe076af345ab4512ea80245b4e4cd7ec0996cd]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ pod/perldiag.pod | 27 ++++++++++++++++++++++++++-
+ pod/perlrecharclass.pod | 4 ++--
+ regcomp.c | 23 +++++++++++++----------
+ t/lib/warnings/regcomp | 6 +++---
+ t/re/reg_mesg.t | 29 ++++++++++++++++-------------
+ t/re/regex_sets.t | 6 +++---
+ 6 files changed, 63 insertions(+), 32 deletions(-)
+
+diff --git a/pod/perldiag.pod b/pod/perldiag.pod
+index 737d3633f6..644b814008 100644
+--- a/pod/perldiag.pod
++++ b/pod/perldiag.pod
+@@ -5777,7 +5777,7 @@ yourself.
+ a perl4 interpreter, especially if the next 2 tokens are "use strict"
+ or "my $var" or "our $var".
+
+-=item Syntax error in (?[...]) in regex m/%s/
++=item Syntax error in (?[...]) in regex; marked by <-- HERE in m/%s/
+
+ (F) Perl could not figure out what you meant inside this construct; this
+ notifies you that it is giving up trying.
+@@ -6153,6 +6153,31 @@ for example,
+ (F) The unexec() routine failed for some reason. See your local FSF
+ representative, who probably put it there in the first place.
+
++=item Unexpected ']' with no following ')' in (?[... in regex; marked by <-- HERE in m/%s/
++
++(F) While parsing an extended character class a ']' character was encountered
++at a point in the definition where the only legal use of ']' is to close the
++character class definition as part of a '])', you may have forgotten the close
++paren, or otherwise confused the parser.
++
++=item Expecting close paren for nested extended charclass in regex; marked by <-- HERE in m/%s/
++
++(F) While parsing a nested extended character class like:
++
++ (?[ ... (?flags:(?[ ... ])) ... ])
++ ^
++
++we expected to see a close paren ')' (marked by ^) but did not.
++
++=item Expecting close paren for wrapper for nested extended charclass in regex; marked by <-- HERE in m/%s/
++
++(F) While parsing a nested extended character class like:
++
++ (?[ ... (?flags:(?[ ... ])) ... ])
++ ^
++
++we expected to see a close paren ')' (marked by ^) but did not.
++
+ =item Unexpected binary operator '%c' with no preceding operand in regex;
+ marked by S<<-- HERE> in m/%s/
+
+diff --git a/pod/perlrecharclass.pod b/pod/perlrecharclass.pod
+index 89f4a7ef3f..a557cc0384 100644
+--- a/pod/perlrecharclass.pod
++++ b/pod/perlrecharclass.pod
+@@ -1101,8 +1101,8 @@ hence both of the following work:
+ Any contained POSIX character classes, including things like C<\w> and C<\D>
+ respect the C<E<sol>a> (and C<E<sol>aa>) modifiers.
+
+-C<< (?[ ]) >> is a regex-compile-time construct. Any attempt to use
+-something which isn't knowable at the time the containing regular
++Note that C<< (?[ ]) >> is a regex-compile-time construct. Any attempt
++to use something which isn't knowable at the time the containing regular
+ expression is compiled is a fatal error. In practice, this means
+ just three limitations:
+
+diff --git a/regcomp.c b/regcomp.c
+index 2688979882..cb8409ed27 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -14609,8 +14609,9 @@ S_handle_regex_sets(pTHX_ RExC_state_t *pRExC_state, SV** return_invlist,
+ TRUE /* Force /x */ );
+
+ switch (*RExC_parse) {
+- case '?':
+- if (RExC_parse[1] == '[') depth++, RExC_parse++;
++ case '(':
++ if (RExC_parse[1] == '?' && RExC_parse[2] == '[')
++ depth++, RExC_parse+=2;
+ /* FALLTHROUGH */
+ default:
+ break;
+@@ -14667,9 +14668,9 @@ S_handle_regex_sets(pTHX_ RExC_state_t *pRExC_state, SV** return_invlist,
+ }
+
+ case ']':
+- if (depth--) break;
+- RExC_parse++;
+- if (*RExC_parse == ')') {
++ if (RExC_parse[1] == ')') {
++ RExC_parse++;
++ if (depth--) break;
+ node = reganode(pRExC_state, ANYOF, 0);
+ RExC_size += ANYOF_SKIP;
+ nextchar(pRExC_state);
+@@ -14681,20 +14682,20 @@ S_handle_regex_sets(pTHX_ RExC_state_t *pRExC_state, SV** return_invlist,
+
+ return node;
+ }
+- goto no_close;
++ RExC_parse++;
++ vFAIL("Unexpected ']' with no following ')' in (?[...");
+ }
+
+ RExC_parse += UTF ? UTF8SKIP(RExC_parse) : 1;
+ }
+
+- no_close:
+ /* We output the messages even if warnings are off, because we'll fail
+ * the very next thing, and these give a likely diagnosis for that */
+ if (posix_warnings && av_tindex_nomg(posix_warnings) >= 0) {
+ output_or_return_posix_warnings(pRExC_state, posix_warnings, NULL);
+ }
+
+- FAIL("Syntax error in (?[...])");
++ vFAIL("Syntax error in (?[...])");
+ }
+
+ /* Pass 2 only after this. */
+@@ -14868,12 +14869,14 @@ redo_curchar:
+ * inversion list, and RExC_parse points to the trailing
+ * ']'; the next character should be the ')' */
+ RExC_parse++;
+- assert(UCHARAT(RExC_parse) == ')');
++ if (UCHARAT(RExC_parse) != ')')
++ vFAIL("Expecting close paren for nested extended charclass");
+
+ /* Then the ')' matching the original '(' handled by this
+ * case: statement */
+ RExC_parse++;
+- assert(UCHARAT(RExC_parse) == ')');
++ if (UCHARAT(RExC_parse) != ')')
++ vFAIL("Expecting close paren for wrapper for nested extended charclass");
+
+ RExC_flags = save_flags;
+ goto handle_operand;
+diff --git a/t/lib/warnings/regcomp b/t/lib/warnings/regcomp
+index 08cb27b00f..367276d0fc 100644
+--- a/t/lib/warnings/regcomp
++++ b/t/lib/warnings/regcomp
+@@ -59,21 +59,21 @@ Unmatched [ in regex; marked by <-- HERE in m/abc[ <-- HERE fi[.00./ at - line
+ qr/(?[[[:word]]])/;
+ EXPECT
+ Assuming NOT a POSIX class since there is no terminating ':' in regex; marked by <-- HERE in m/(?[[[:word <-- HERE ]]])/ at - line 2.
+-syntax error in (?[...]) in regex m/(?[[[:word]]])/ at - line 2.
++Unexpected ']' with no following ')' in (?[... in regex; marked by <-- HERE in m/(?[[[:word]] <-- HERE ])/ at - line 2.
+ ########
+ # NAME qr/(?[ [[:digit: ])/
+ # OPTION fatal
+ qr/(?[[[:digit: ])/;
+ EXPECT
+ Assuming NOT a POSIX class since no blanks are allowed in one in regex; marked by <-- HERE in m/(?[[[:digit: ] <-- HERE )/ at - line 2.
+-syntax error in (?[...]) in regex m/(?[[[:digit: ])/ at - line 2.
++syntax error in (?[...]) in regex; marked by <-- HERE in m/(?[[[:digit: ]) <-- HERE / at - line 2.
+ ########
+ # NAME qr/(?[ [:digit: ])/
+ # OPTION fatal
+ qr/(?[[:digit: ])/
+ EXPECT
+ Assuming NOT a POSIX class since no blanks are allowed in one in regex; marked by <-- HERE in m/(?[[:digit: ] <-- HERE )/ at - line 2.
+-syntax error in (?[...]) in regex m/(?[[:digit: ])/ at - line 2.
++syntax error in (?[...]) in regex; marked by <-- HERE in m/(?[[:digit: ]) <-- HERE / at - line 2.
+ ########
+ # NAME [perl #126141]
+ # OPTION fatal
+diff --git a/t/re/reg_mesg.t b/t/re/reg_mesg.t
+index 658397ac27..08a3688e1d 100644
+--- a/t/re/reg_mesg.t
++++ b/t/re/reg_mesg.t
+@@ -202,8 +202,9 @@ my @death =
+ '/\b{gc}/' => "'gc' is an unknown bound type {#} m/\\b{gc{#}}/",
+ '/\B{gc}/' => "'gc' is an unknown bound type {#} m/\\B{gc{#}}/",
+
+- '/(?[[[::]]])/' => "Syntax error in (?[...]) in regex m/(?[[[::]]])/",
+- '/(?[[[:w:]]])/' => "Syntax error in (?[...]) in regex m/(?[[[:w:]]])/",
++
++ '/(?[[[::]]])/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[[[::]]{#}])/",
++ '/(?[[[:w:]]])/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[[[:w:]]{#}])/",
+ '/(?[[:w:]])/' => "",
+ '/[][[:alpha:]]' => "", # [perl #127581]
+ '/([.].*)[.]/' => "", # [perl #127582]
+@@ -227,11 +228,12 @@ my @death =
+ '/(?[ \p{foo} ])/' => 'Can\'t find Unicode property definition "foo" {#} m/(?[ \p{foo}{#} ])/',
+ '/(?[ \p{ foo = bar } ])/' => 'Can\'t find Unicode property definition "foo = bar" {#} m/(?[ \p{ foo = bar }{#} ])/',
+ '/(?[ \8 ])/' => 'Unrecognized escape \8 in character class {#} m/(?[ \8{#} ])/',
+- '/(?[ \t ]/' => 'Syntax error in (?[...]) in regex m/(?[ \t ]/',
+- '/(?[ [ \t ]/' => 'Syntax error in (?[...]) in regex m/(?[ [ \t ]/',
+- '/(?[ \t ] ]/' => 'Syntax error in (?[...]) in regex m/(?[ \t ] ]/',
+- '/(?[ [ ] ]/' => 'Syntax error in (?[...]) in regex m/(?[ [ ] ]/',
+- '/(?[ \t + \e # This was supposed to be a comment ])/' => 'Syntax error in (?[...]) in regex m/(?[ \t + \e # This was supposed to be a comment ])/',
++ '/(?[ \t ]/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[ \\t ]{#}/",
++ '/(?[ [ \t ]/' => "Syntax error in (?[...]) {#} m/(?[ [ \\t ]{#}/",
++ '/(?[ \t ] ]/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[ \\t ]{#} ]/",
++ '/(?[ [ ] ]/' => "Syntax error in (?[...]) {#} m/(?[ [ ] ]{#}/",
++ '/(?[ \t + \e # This was supposed to be a comment ])/' =>
++ "Syntax error in (?[...]) {#} m/(?[ \\t + \\e # This was supposed to be a comment ]){#}/",
+ '/(?[ ])/' => 'Incomplete expression within \'(?[ ])\' {#} m/(?[ {#}])/',
+ 'm/(?[[a-\d]])/' => 'False [] range "a-\d" {#} m/(?[[a-\d{#}]])/',
+ 'm/(?[[\w-x]])/' => 'False [] range "\w-" {#} m/(?[[\w-{#}x]])/',
+@@ -410,10 +412,10 @@ my @death_utf8 = mark_as_utf8(
+
+ '/ネ\p{}ネ/' => 'Empty \p{} {#} m/ネ\p{{#}}ネ/',
+
+- '/ネ(?[[[:ネ]]])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[:ネ]]])ネ/",
+- '/ネ(?[[[:ネ: ])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[:ネ: ])ネ/",
+- '/ネ(?[[[::]]])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[::]]])ネ/",
+- '/ネ(?[[[:ネ:]]])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[:ネ:]]])ネ/",
++ '/ネ(?[[[:ネ]]])ネ/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[[[:ネ]]{#}])ネ/",
++ '/ネ(?[[[:ネ: ])ネ/' => "Syntax error in (?[...]) {#} m/ネ(?[[[:ネ: ])ネ{#}/",
++ '/ネ(?[[[::]]])ネ/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[[[::]]{#}])ネ/",
++ '/ネ(?[[[:ネ:]]])ネ/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[[[:ネ:]]{#}])ネ/",
+ '/ネ(?[[:ネ:]])ネ/' => "",
+ '/ネ(?[ネ])ネ/' => 'Unexpected character {#} m/ネ(?[ネ{#}])ネ/',
+ '/ネ(?[ + [ネ] ])/' => 'Unexpected binary operator \'+\' with no preceding operand {#} m/ネ(?[ +{#} [ネ] ])/',
+@@ -426,8 +428,9 @@ my @death_utf8 = mark_as_utf8(
+ '/(?[ \x{ネ} ])ネ/' => 'Non-hex character {#} m/(?[ \x{ネ{#}} ])ネ/',
+ '/(?[ \p{ネ} ])/' => 'Can\'t find Unicode property definition "ネ" {#} m/(?[ \p{ネ}{#} ])/',
+ '/(?[ \p{ ネ = bar } ])/' => 'Can\'t find Unicode property definition "ネ = bar" {#} m/(?[ \p{ ネ = bar }{#} ])/',
+- '/ネ(?[ \t ]/' => 'Syntax error in (?[...]) in regex m/ネ(?[ \t ]/',
+- '/(?[ \t + \e # ネ This was supposed to be a comment ])/' => 'Syntax error in (?[...]) in regex m/(?[ \t + \e # ネ This was supposed to be a comment ])/',
++ '/ネ(?[ \t ]/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[ \\t ]{#}/",
++ '/(?[ \t + \e # ネ This was supposed to be a comment ])/' =>
++ "Syntax error in (?[...]) {#} m/(?[ \\t + \\e # ネ This was supposed to be a comment ]){#}/",
+ 'm/(*ネ)ネ/' => q<Unknown verb pattern 'ネ' {#} m/(*ネ){#}ネ/>,
+ '/\cネ/' => "Character following \"\\c\" must be printable ASCII",
+ '/\b{ネ}/' => "'ネ' is an unknown bound type {#} m/\\b{ネ{#}}/",
+diff --git a/t/re/regex_sets.t b/t/re/regex_sets.t
+index 92875677be..60a126ba3c 100644
+--- a/t/re/regex_sets.t
++++ b/t/re/regex_sets.t
+@@ -157,13 +157,13 @@ for my $char ("٠", "٥", "٩") {
+ eval { $_ = '/(?[(\c]) /'; qr/$_/ };
+ like($@, qr/^Syntax error/, '/(?[(\c]) / should not panic');
+ eval { $_ = '(?[\c#]' . "\n])"; qr/$_/ };
+- like($@, qr/^Syntax error/, '/(?[(\c]) / should not panic');
++ like($@, qr/^Unexpected/, '/(?[(\c]) / should not panic');
+ eval { $_ = '(?[(\c])'; qr/$_/ };
+ like($@, qr/^Syntax error/, '/(?[(\c])/ should be a syntax error');
+ eval { $_ = '(?[(\c]) ]\b'; qr/$_/ };
+- like($@, qr/^Syntax error/, '/(?[(\c]) ]\b/ should be a syntax error');
++ like($@, qr/^Unexpected/, '/(?[(\c]) ]\b/ should be a syntax error');
+ eval { $_ = '(?[\c[]](])'; qr/$_/ };
+- like($@, qr/^Syntax error/, '/(?[\c[]](])/ should be a syntax error');
++ like($@, qr/^Unexpected/, '/(?[\c[]](])/ should be a syntax error');
+ like("\c#", qr/(?[\c#])/, '\c# should match itself');
+ like("\c[", qr/(?[\c[])/, '\c[ should match itself');
+ like("\c\ ", qr/(?[\c\])/, '\c\ should match itself');
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
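Review bot: The new lookahead in S_handle_regex_sets indexes past the current character without comparing against `RExC_end`: `case '('` reads `RExC_parse[1]` and `RExC_parse[2]`, and `case ']'` reads `RExC_parse[1]`. The short-circuit `&&` keeps each read to at most one byte beyond a non-NUL character, so this presumably relies on the pattern buffer being NUL-terminated, which the hunks do not show. An explicit bound would not depend on that: `if (RExC_parse + 2 < RExC_end && RExC_parse[1] == '?' && RExC_parse[2] == '[')` and `if (RExC_parse + 1 < RExC_end && RExC_parse[1] == ')')`. The function starts and ends outside the hunks.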
diff --git a/external/poky/meta/recipes-devtools/perl/perl_5.24.4.bb b/external/poky/meta/recipes-devtools/perl/perl_5.24.4.bb
index a6449701..2f27749c 100644
--- a/external/poky/meta/recipes-devtools/perl/perl_5.24.4.bb
+++ b/external/poky/meta/recipes-devtools/perl/perl_5.24.4.bb
@@ -65,6 +65,10 @@ SRC_URI += " \
file://perl-5.26.1-guard_old_libcrypt_fix.patch \
file://CVE-2018-12015.patch \
file://0001-ExtUtils-MM_Unix.pm-fix-race-issues.patch \
+ file://CVE-2018-18311.patch \
+ file://CVE-2018-18312.patch \
+ file://CVE-2018-18313.patch \
+ file://CVE-2018-18314.patch \
"
# Fix test case issues
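Review bot: `file://CVE-2018-18312.patch` is added to SRC_URI here, but this commit shows that file only as `Binary files differ`, so it is the one security fix in the set whose content cannot be read in review while still being applied to the build. Git most likely found non-text bytes in it, though the page does not say why. Before merging I would compare the file against the upstream perl commit it backports and confirm it carries the same `CVE:` and `Upstream-Status:` headers as the other three patches. A `.gitattributes` entry such as `CVE-2018-18312.patch diff` would make Git render it as text in later diffs.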
diff --git a/external/poky/meta/recipes-devtools/python/python/bpo-30458-cve-2019-9740.patch b/external/poky/meta/recipes-devtools/python/python/bpo-30458-cve-2019-9740.patch
new file mode 100644
index 00000000..f4c56bb8
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/python/python/bpo-30458-cve-2019-9740.patch
@@ -0,0 +1,219 @@
+From 39815ee5bb7f2f9ca1f0d5e9f51e27a2877ec35b Mon Sep 17 00:00:00 2001
+From: Victor Stinner <victor.stinner@gmail.com>
+Date: Tue, 21 May 2019 15:12:33 +0200
+Subject: [PATCH] bpo-30458: Disallow control chars in http URLs (GH-12755)
+ (GH-13154) (GH-13315)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Disallow control chars in http URLs in urllib2.urlopen. This
+addresses a potential security problem for applications that do not
+sanity check their URLs where http request headers could be injected.
+
+Disable https related urllib tests on a build without ssl (GH-13032)
+These tests require an SSL enabled build. Skip these tests when
+python is built without SSL to fix test failures.
+
+Use httplib.InvalidURL instead of ValueError as the new error case's
+exception. (GH-13044)
+
+Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
+
+(cherry picked from commit 7e200e0763f5b71c199aaf98bd5588f291585619)
+
+Notes on backport to Python 2.7:
+
+* test_urllib tests urllib.urlopen() which quotes the URL and so is
+ not vulerable to HTTP Header Injection.
+* Add tests to test_urllib2 on urllib2.urlopen().
+* Reject non-ASCII characters: range 0x80-0xff.
+
+CVE: CVE-2019-9740 CVE-2019-9747
+Upstream-Status: Accepted
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Lib/httplib.py | 16 ++++++
+ Lib/test/test_urllib.py | 25 +++++++++
+ Lib/test/test_urllib2.py | 51 ++++++++++++++++++-
+ Lib/test/test_xmlrpc.py | 8 ++-
+ .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst | 1 +
+ 5 files changed, 99 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+
+diff --git a/Lib/httplib.py b/Lib/httplib.py
+index 60a8fb4e35..1b41c346e0 100644
+--- a/Lib/httplib.py
++++ b/Lib/httplib.py
+@@ -247,6 +247,16 @@ _MAXHEADERS = 100
+ _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
+ _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
+
++# These characters are not allowed within HTTP URL paths.
++# See https://tools.ietf.org/html/rfc3986#section-3.3 and the
++# https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
++# Prevents CVE-2019-9740. Includes control characters such as \r\n.
++# Restrict non-ASCII characters above \x7f (0x80-0xff).
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]')
++# Arguably only these _should_ allowed:
++# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
++# We are more lenient for assumed real world compatibility purposes.
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -927,6 +937,12 @@ class HTTPConnection:
+ self._method = method
+ if not url:
+ url = '/'
++ # Prevent CVE-2019-9740.
++ match = _contains_disallowed_url_pchar_re.search(url)
++ if match:
++ raise InvalidURL("URL can't contain control characters. %r "
++ "(found at least %r)"
++ % (url, match.group()))
+ hdr = '%s %s %s' % (method, url, self._http_vsn_str)
+
+ self._output(hdr)
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 1ce9201c06..d7778d4194 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -257,6 +257,31 @@ class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin):
+ finally:
+ self.unfakehttp()
+
++ def test_url_with_control_char_rejected(self):
++ for char_no in range(0, 0x21) + range(0x7f, 0x100):
++ char = chr(char_no)
++ schemeless_url = "//localhost:7777/test%s/" % char
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ try:
++ # urllib quotes the URL so there is no injection.
++ resp = urllib.urlopen("http:" + schemeless_url)
++ self.assertNotIn(char, resp.geturl())
++ finally:
++ self.unfakehttp()
++
++ def test_url_with_newline_header_injection_rejected(self):
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++ schemeless_url = "//" + host + ":8080/test/?test=a"
++ try:
++ # urllib quotes the URL so there is no injection.
++ resp = urllib.urlopen("http:" + schemeless_url)
++ self.assertNotIn(' ', resp.geturl())
++ self.assertNotIn('\r', resp.geturl())
++ self.assertNotIn('\n', resp.geturl())
++ finally:
++ self.unfakehttp()
++
+ def test_read_bogus(self):
+ # urlopen() should raise IOError for many error codes.
+ self.fakehttp('''HTTP/1.1 401 Authentication Required
+diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
+index 6d24d5ddf8..9531818e16 100644
+--- a/Lib/test/test_urllib2.py
++++ b/Lib/test/test_urllib2.py
+@@ -15,6 +15,9 @@ try:
+ except ImportError:
+ ssl = None
+
++from test.test_urllib import FakeHTTPMixin
++
++
+ # XXX
+ # Request
+ # CacheFTPHandler (hard to write)
+@@ -1262,7 +1265,7 @@ class HandlerTests(unittest.TestCase):
+ self.assertEqual(len(http_handler.requests), 1)
+ self.assertFalse(http_handler.requests[0].has_header(auth_header))
+
+-class MiscTests(unittest.TestCase):
++class MiscTests(unittest.TestCase, FakeHTTPMixin):
+
+ def test_build_opener(self):
+ class MyHTTPHandler(urllib2.HTTPHandler): pass
+@@ -1317,6 +1320,52 @@ class MiscTests(unittest.TestCase):
+ "Unsupported digest authentication algorithm 'invalid'"
+ )
+
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_control_char_rejected(self):
++ for char_no in range(0, 0x21) + range(0x7f, 0x100):
++ char = chr(char_no)
++ schemeless_url = "//localhost:7777/test%s/" % char
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ try:
++ # We explicitly test urllib.request.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ escaped_char_repr = repr(char).replace('\\', r'\\')
++ InvalidURL = httplib.InvalidURL
++ with self.assertRaisesRegexp(
++ InvalidURL, "contain control.*" + escaped_char_repr):
++ urllib2.urlopen("http:" + schemeless_url)
++ with self.assertRaisesRegexp(
++ InvalidURL, "contain control.*" + escaped_char_repr):
++ urllib2.urlopen("https:" + schemeless_url)
++ finally:
++ self.unfakehttp()
++
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_newline_header_injection_rejected(self):
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++ schemeless_url = "//" + host + ":8080/test/?test=a"
++ try:
++ # We explicitly test urllib2.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ InvalidURL = httplib.InvalidURL
++ with self.assertRaisesRegexp(
++ InvalidURL, r"contain control.*\\r.*(found at least . .)"):
++ urllib2.urlopen("http:" + schemeless_url)
++ with self.assertRaisesRegexp(InvalidURL, r"contain control.*\\n"):
++ urllib2.urlopen("https:" + schemeless_url)
++ finally:
++ self.unfakehttp()
++
++
+
+ class RequestTests(unittest.TestCase):
+
+diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
+index 36b3be67fd..90ccb30716 100644
+--- a/Lib/test/test_xmlrpc.py
++++ b/Lib/test/test_xmlrpc.py
+@@ -659,7 +659,13 @@ class SimpleServerTestCase(BaseServerTestCase):
+ def test_partial_post(self):
+ # Check that a partial POST doesn't make the server loop: issue #14001.
+ conn = httplib.HTTPConnection(ADDR, PORT)
+- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
++ conn.send('POST /RPC2 HTTP/1.0\r\n'
++ 'Content-Length: 100\r\n\r\n'
++ 'bye HTTP/1.1\r\n'
++ 'Host: %s:%s\r\n'
++ 'Accept-Encoding: identity\r\n'
++ 'Content-Length: 0\r\n\r\n'
++ % (ADDR, PORT))
+ conn.close()
+
+ class SimpleServerEncodingTestCase(BaseServerTestCase):
+diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+new file mode 100644
+index 0000000000..47cb899df1
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+@@ -0,0 +1 @@
++Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an httplib.InvalidURL exception to be raised.
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
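Review bot: In the `Lib/httplib.py` hunk at `@@ -927,6 +937,12 @@ class HTTPConnection`, only `url` is checked against `_contains_disallowed_url_pchar_re`, while `method` is formatted into the same request line by `hdr = '%s %s %s' % (method, url, self._http_vsn_str)` with no equivalent check visible. If a caller passes an externally influenced method string, the request line keeps the CR/LF problem this patch closes for the URL; a guard such as `if _contains_disallowed_url_pchar_re.search(method): raise ValueError("method can't contain control characters. %r" % (method,))` before `hdr` is built would cover it. The enclosing function starts outside the hunk, so an earlier validation of `method` cannot be ruled out from here. Separately, the second id on the `CVE:` trailer is not mentioned in the subject, the code comment or the NEWS entry, so it is worth confirming against the upstream advisory before the layer's CVE tracking relies on it.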
diff --git a/external/poky/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch b/external/poky/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch
new file mode 100644
index 00000000..7ce7b1f9
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch
@@ -0,0 +1,127 @@
+From 1bd50d351e508b8947e5813c5f925eb4b61c8d76 Mon Sep 17 00:00:00 2001
+From: Xtreak <tir.karthi@gmail.com>
+Date: Sat, 15 Jun 2019 20:59:43 +0530
+Subject: [PATCH] [2.7] bpo-35121: prefix dot in domain for proper subdomain
+ validation (GH-10258) (GH-13426)
+
+This is a manual backport of ca7fe5063593958e5efdf90f068582837f07bd14 since 2.7 has `http.cookiejar` in `cookielib`
+
+https://bugs.python.org/issue35121
+
+CVE: CVE-2018-20852
+Upstream-Status: Accepted
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Lib/cookielib.py | 13 ++++++--
+ Lib/test/test_cookielib.py | 30 +++++++++++++++++++
+ .../2019-05-20-00-35-12.bpo-35121.RRi-HU.rst | 4 +++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
+
+diff --git a/Lib/cookielib.py b/Lib/cookielib.py
+index 2dd7c48728..0b471a42f2 100644
+--- a/Lib/cookielib.py
++++ b/Lib/cookielib.py
+@@ -1139,6 +1139,11 @@ class DefaultCookiePolicy(CookiePolicy):
+ req_host, erhn = eff_request_host(request)
+ domain = cookie.domain
+
++ if domain and not domain.startswith("."):
++ dotdomain = "." + domain
++ else:
++ dotdomain = domain
++
+ # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
+ if (cookie.version == 0 and
+ (self.strict_ns_domain & self.DomainStrictNonDomain) and
+@@ -1151,7 +1156,7 @@ class DefaultCookiePolicy(CookiePolicy):
+ _debug(" effective request-host name %s does not domain-match "
+ "RFC 2965 cookie domain %s", erhn, domain)
+ return False
+- if cookie.version == 0 and not ("."+erhn).endswith(domain):
++ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
+ _debug(" request-host %s does not match Netscape cookie domain "
+ "%s", req_host, domain)
+ return False
+@@ -1165,7 +1170,11 @@ class DefaultCookiePolicy(CookiePolicy):
+ req_host = "."+req_host
+ if not erhn.startswith("."):
+ erhn = "."+erhn
+- if not (req_host.endswith(domain) or erhn.endswith(domain)):
++ if domain and not domain.startswith("."):
++ dotdomain = "." + domain
++ else:
++ dotdomain = domain
++ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
+ #_debug(" request domain %s does not match cookie domain %s",
+ # req_host, domain)
+ return False
+diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
+index f2dd9727d1..7f7ff614d6 100644
+--- a/Lib/test/test_cookielib.py
++++ b/Lib/test/test_cookielib.py
+@@ -368,6 +368,7 @@ class CookieTests(TestCase):
+ ("http://foo.bar.com/", ".foo.bar.com", True),
+ ("http://foo.bar.com/", "foo.bar.com", True),
+ ("http://foo.bar.com/", ".bar.com", True),
++ ("http://foo.bar.com/", "bar.com", True),
+ ("http://foo.bar.com/", "com", True),
+ ("http://foo.com/", "rhubarb.foo.com", False),
+ ("http://foo.com/", ".foo.com", True),
+@@ -378,6 +379,8 @@ class CookieTests(TestCase):
+ ("http://foo/", "foo", True),
+ ("http://foo/", "foo.local", True),
+ ("http://foo/", ".local", True),
++ ("http://barfoo.com", ".foo.com", False),
++ ("http://barfoo.com", "foo.com", False),
+ ]:
+ request = urllib2.Request(url)
+ r = pol.domain_return_ok(domain, request)
+@@ -938,6 +941,33 @@ class CookieTests(TestCase):
+ c.add_cookie_header(req)
+ self.assertFalse(req.has_header("Cookie"))
+
++ c.clear()
++
++ pol.set_blocked_domains([])
++ req = Request("http://acme.com/")
++ res = FakeResponse(headers, "http://acme.com/")
++ cookies = c.make_cookies(res, req)
++ c.extract_cookies(res, req)
++ self.assertEqual(len(c), 1)
++
++ req = Request("http://acme.com/")
++ c.add_cookie_header(req)
++ self.assertTrue(req.has_header("Cookie"))
++
++ req = Request("http://badacme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(pol.return_ok(cookies[0], req))
++ self.assertFalse(req.has_header("Cookie"))
++
++ p = pol.set_blocked_domains(["acme.com"])
++ req = Request("http://acme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(req.has_header("Cookie"))
++
++ req = Request("http://badacme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(req.has_header("Cookie"))
++
+ def test_secure(self):
+ from cookielib import CookieJar, DefaultCookiePolicy
+
+diff --git a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
+new file mode 100644
+index 0000000000..7725180616
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
+@@ -0,0 +1,4 @@
++Don't send cookies of domain A without Domain attribute to domain B when
++domain A is a suffix match of domain B while using a cookiejar with
++:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan
++Singaravelan.
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
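Review bot: The dot-prefixing block added to `Lib/cookielib.py` (`if domain and not domain.startswith("."): dotdomain = "." + domain`) appears twice, and neither copy has a comment saying why the comparison needs a leading dot. A one-line comment such as `# Prefix a dot so "foo.com" cannot suffix-match the host "barfoo.com".` above each copy would record the intent that the new `barfoo.com` test rows check. Both enclosing methods start outside their hunks, and because the two copies are identical, a small private helper returning the dotted domain would keep them from drifting apart. The same applies to the `Lib/http/cookiejar.py` hunks in `python3/CVE-2018-20852.patch` later in this diff.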
diff --git a/external/poky/meta/recipes-devtools/python/python3/CVE-2018-14647.patch b/external/poky/meta/recipes-devtools/python/python3/CVE-2018-14647.patch
new file mode 100644
index 00000000..c1f21f82
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/python/python3/CVE-2018-14647.patch
@@ -0,0 +1,95 @@
+From 610b4b0dbaedd3099ab76acf678e9cc845d99a76 Mon Sep 17 00:00:00 2001
+From: stratakis <cstratak@redhat.com>
+Date: Mon, 25 Feb 2019 22:04:09 +0100
+Subject: [PATCH] [3.5] bpo-34623: Use XML_SetHashSalt in _elementtree (#9933)
+
+* bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
+
+The C accelerated _elementtree module now initializes hash randomization
+salt from _Py_HashSecret instead of libexpat's default CPRNG.
+
+Signed-off-by: Christian Heimes <christian@python.org>
+
+https://bugs.python.org/issue34623
+(cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b)
+
+Co-authored-by: Christian Heimes <christian@python.org>
+
+CVE: CVE-2018-14647
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/41b48e71ac8a71f56694b548f118bd20ce203410]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Include/pyexpat.h | 4 +++-
+ .../next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | 2 ++
+ Modules/_elementtree.c | 5 +++++
+ Modules/pyexpat.c | 5 +++++
+ 4 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
+
+diff --git a/Include/pyexpat.h b/Include/pyexpat.h
+index 44259bf6d7..07020b5dc9 100644
+--- a/Include/pyexpat.h
++++ b/Include/pyexpat.h
+@@ -3,7 +3,7 @@
+
+ /* note: you must import expat.h before importing this module! */
+
+-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0"
++#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1"
+ #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
+
+ struct PyExpat_CAPI
+@@ -48,6 +48,8 @@ struct PyExpat_CAPI
+ enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);
+ int (*DefaultUnknownEncodingHandler)(
+ void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);
++ /* might be none for expat < 2.1.0 */
++ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
+ /* always add new stuff to the end! */
+ };
+
+diff --git a/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
+new file mode 100644
+index 0000000000..cbaa4b7506
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
+@@ -0,0 +1,2 @@
++CVE-2018-14647: The C accelerated _elementtree module now initializes hash
++randomization salt from _Py_HashSecret instead of libexpat's default CSPRNG.
+diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
+index 5dba9f70a9..90c6daf64a 100644
+--- a/Modules/_elementtree.c
++++ b/Modules/_elementtree.c
+@@ -3282,6 +3282,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,
+ PyErr_NoMemory();
+ return -1;
+ }
++ /* expat < 2.1.0 has no XML_SetHashSalt() */
++ if (EXPAT(SetHashSalt) != NULL) {
++ EXPAT(SetHashSalt)(self->parser,
++ (unsigned long)_Py_HashSecret.expat.hashsalt);
++ }
+
+ if (target) {
+ Py_INCREF(target);
+diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
+index adc9b6cde8..948ab1b703 100644
+--- a/Modules/pyexpat.c
++++ b/Modules/pyexpat.c
+@@ -1882,6 +1882,11 @@ MODULE_INITFUNC(void)
+ capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;
+ capi.SetEncoding = XML_SetEncoding;
+ capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;
++#if XML_COMBINED_VERSION >= 20100
++ capi.SetHashSalt = XML_SetHashSalt;
++#else
++ capi.SetHashSalt = NULL;
++#endif
+
+ /* export using capsule */
+ capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
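Review bot: The comment added to `struct PyExpat_CAPI` in `Include/pyexpat.h`, `/* might be none for expat < 2.1.0 */`, should say NULL and state the caller's obligation, for example `/* NULL when built against expat < 2.1.0; check before calling */`. The `Modules/_elementtree.c` hunk does perform that check, but it discards the `int` result of `EXPAT(SetHashSalt)(...)`, and the `(unsigned long)` cast may drop bits of the salt on platforms where `unsigned long` is narrower than the `hashsalt` field. Neither is necessarily wrong, but a short comment next to the call saying that the result is deliberately ignored and that truncation is acceptable would save the next reader from re-deriving it. `_elementtree_XMLParser___init___impl` and the module init function in `Modules/pyexpat.c` both extend beyond their hunks.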
diff --git a/external/poky/meta/recipes-devtools/python/python3/CVE-2018-20406.patch b/external/poky/meta/recipes-devtools/python/python3/CVE-2018-20406.patch
new file mode 100644
index 00000000..b69e0c4d
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/python/python3/CVE-2018-20406.patch
@@ -0,0 +1,217 @@
+From 3c7fd2b2729e3ebcf7877e7a32b3bbabf907a38d Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@redhat.com>
+Date: Tue, 26 Feb 2019 01:42:39 +0100
+Subject: [PATCH] closes bpo-34656: Avoid relying on signed overflow in _pickle
+ memos. (GH-9261) (#11869)
+
+(cherry picked from commit a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd)
+
+CVE: CVE-2018-20406
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/ef33dd6036aafbd3f06c1d56e2b1a81dae3da63c]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Modules/_pickle.c | 63 ++++++++++++++++++++++++-----------------------
+ 1 file changed, 32 insertions(+), 31 deletions(-)
+
+diff --git a/Modules/_pickle.c b/Modules/_pickle.c
+index 0f62b1c019..fcb9e87899 100644
+--- a/Modules/_pickle.c
++++ b/Modules/_pickle.c
+@@ -527,9 +527,9 @@ typedef struct {
+ } PyMemoEntry;
+
+ typedef struct {
+- Py_ssize_t mt_mask;
+- Py_ssize_t mt_used;
+- Py_ssize_t mt_allocated;
++ size_t mt_mask;
++ size_t mt_used;
++ size_t mt_allocated;
+ PyMemoEntry *mt_table;
+ } PyMemoTable;
+
+@@ -573,8 +573,8 @@ typedef struct UnpicklerObject {
+ /* The unpickler memo is just an array of PyObject *s. Using a dict
+ is unnecessary, since the keys are contiguous ints. */
+ PyObject **memo;
+- Py_ssize_t memo_size; /* Capacity of the memo array */
+- Py_ssize_t memo_len; /* Number of objects in the memo */
++ size_t memo_size; /* Capacity of the memo array */
++ size_t memo_len; /* Number of objects in the memo */
+
+ PyObject *pers_func; /* persistent_load() method, can be NULL. */
+
+@@ -658,7 +658,6 @@ PyMemoTable_New(void)
+ static PyMemoTable *
+ PyMemoTable_Copy(PyMemoTable *self)
+ {
+- Py_ssize_t i;
+ PyMemoTable *new = PyMemoTable_New();
+ if (new == NULL)
+ return NULL;
+@@ -675,7 +674,7 @@ PyMemoTable_Copy(PyMemoTable *self)
+ PyErr_NoMemory();
+ return NULL;
+ }
+- for (i = 0; i < self->mt_allocated; i++) {
++ for (size_t i = 0; i < self->mt_allocated; i++) {
+ Py_XINCREF(self->mt_table[i].me_key);
+ }
+ memcpy(new->mt_table, self->mt_table,
+@@ -721,7 +720,7 @@ _PyMemoTable_Lookup(PyMemoTable *self, PyObject *key)
+ {
+ size_t i;
+ size_t perturb;
+- size_t mask = (size_t)self->mt_mask;
++ size_t mask = self->mt_mask;
+ PyMemoEntry *table = self->mt_table;
+ PyMemoEntry *entry;
+ Py_hash_t hash = (Py_hash_t)key >> 3;
+@@ -743,22 +742,24 @@ _PyMemoTable_Lookup(PyMemoTable *self, PyObject *key)
+
+ /* Returns -1 on failure, 0 on success. */
+ static int
+-_PyMemoTable_ResizeTable(PyMemoTable *self, Py_ssize_t min_size)
++_PyMemoTable_ResizeTable(PyMemoTable *self, size_t min_size)
+ {
+ PyMemoEntry *oldtable = NULL;
+ PyMemoEntry *oldentry, *newentry;
+- Py_ssize_t new_size = MT_MINSIZE;
+- Py_ssize_t to_process;
++ size_t new_size = MT_MINSIZE;
++ size_t to_process;
+
+ assert(min_size > 0);
+
+- /* Find the smallest valid table size >= min_size. */
+- while (new_size < min_size && new_size > 0)
+- new_size <<= 1;
+- if (new_size <= 0) {
++ if (min_size > PY_SSIZE_T_MAX) {
+ PyErr_NoMemory();
+ return -1;
+ }
++
++ /* Find the smallest valid table size >= min_size. */
++ while (new_size < min_size) {
++ new_size <<= 1;
++ }
+ /* new_size needs to be a power of two. */
+ assert((new_size & (new_size - 1)) == 0);
+
+@@ -808,6 +809,7 @@ static int
+ PyMemoTable_Set(PyMemoTable *self, PyObject *key, Py_ssize_t value)
+ {
+ PyMemoEntry *entry;
++ size_t desired_size;
+
+ assert(key != NULL);
+
+@@ -831,10 +833,12 @@ PyMemoTable_Set(PyMemoTable *self, PyObject *key, Py_ssize_t value)
+ * Very large memo tables (over 50K items) use doubling instead.
+ * This may help applications with severe memory constraints.
+ */
+- if (!(self->mt_used * 3 >= (self->mt_mask + 1) * 2))
++ if (SIZE_MAX / 3 >= self->mt_used && self->mt_used * 3 < self->mt_allocated * 2) {
+ return 0;
+- return _PyMemoTable_ResizeTable(self,
+- (self->mt_used > 50000 ? 2 : 4) * self->mt_used);
++ }
++ // self->mt_used is always < PY_SSIZE_T_MAX, so this can't overflow.
++ desired_size = (self->mt_used > 50000 ? 2 : 4) * self->mt_used;
++ return _PyMemoTable_ResizeTable(self, desired_size);
+ }
+
+ #undef MT_MINSIZE
+@@ -1273,9 +1277,9 @@ _Unpickler_Readline(UnpicklerObject *self, char **result)
+ /* Returns -1 (with an exception set) on failure, 0 on success. The memo array
+ will be modified in place. */
+ static int
+-_Unpickler_ResizeMemoList(UnpicklerObject *self, Py_ssize_t new_size)
++_Unpickler_ResizeMemoList(UnpicklerObject *self, size_t new_size)
+ {
+- Py_ssize_t i;
++ size_t i;
+
+ assert(new_size > self->memo_size);
+
+@@ -1292,9 +1296,9 @@ _Unpickler_ResizeMemoList(UnpicklerObject *self, Py_ssize_t new_size)
+
+ /* Returns NULL if idx is out of bounds. */
+ static PyObject *
+-_Unpickler_MemoGet(UnpicklerObject *self, Py_ssize_t idx)
++_Unpickler_MemoGet(UnpicklerObject *self, size_t idx)
+ {
+- if (idx < 0 || idx >= self->memo_size)
++ if (idx >= self->memo_size)
+ return NULL;
+
+ return self->memo[idx];
+@@ -1303,7 +1307,7 @@ _Unpickler_MemoGet(UnpicklerObject *self, Py_ssize_t idx)
+ /* Returns -1 (with an exception set) on failure, 0 on success.
+ This takes its own reference to `value`. */
+ static int
+-_Unpickler_MemoPut(UnpicklerObject *self, Py_ssize_t idx, PyObject *value)
++_Unpickler_MemoPut(UnpicklerObject *self, size_t idx, PyObject *value)
+ {
+ PyObject *old_item;
+
+@@ -4194,14 +4198,13 @@ static PyObject *
+ _pickle_PicklerMemoProxy_copy_impl(PicklerMemoProxyObject *self)
+ /*[clinic end generated code: output=bb83a919d29225ef input=b73043485ac30b36]*/
+ {
+- Py_ssize_t i;
+ PyMemoTable *memo;
+ PyObject *new_memo = PyDict_New();
+ if (new_memo == NULL)
+ return NULL;
+
+ memo = self->pickler->memo;
+- for (i = 0; i < memo->mt_allocated; ++i) {
++ for (size_t i = 0; i < memo->mt_allocated; ++i) {
+ PyMemoEntry entry = memo->mt_table[i];
+ if (entry.me_key != NULL) {
+ int status;
+@@ -6620,7 +6623,7 @@ static PyObject *
+ _pickle_UnpicklerMemoProxy_copy_impl(UnpicklerMemoProxyObject *self)
+ /*[clinic end generated code: output=e12af7e9bc1e4c77 input=97769247ce032c1d]*/
+ {
+- Py_ssize_t i;
++ size_t i;
+ PyObject *new_memo = PyDict_New();
+ if (new_memo == NULL)
+ return NULL;
+@@ -6771,8 +6774,7 @@ static int
+ Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
+ {
+ PyObject **new_memo;
+- Py_ssize_t new_memo_size = 0;
+- Py_ssize_t i;
++ size_t new_memo_size = 0;
+
+ if (obj == NULL) {
+ PyErr_SetString(PyExc_TypeError,
+@@ -6789,7 +6791,7 @@ Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
+ if (new_memo == NULL)
+ return -1;
+
+- for (i = 0; i < new_memo_size; i++) {
++ for (size_t i = 0; i < new_memo_size; i++) {
+ Py_XINCREF(unpickler->memo[i]);
+ new_memo[i] = unpickler->memo[i];
+ }
+@@ -6837,8 +6839,7 @@ Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
+
+ error:
+ if (new_memo_size) {
+- i = new_memo_size;
+- while (--i >= 0) {
++ for (size_t i = new_memo_size - 1; i != SIZE_MAX; i--) {
+ Py_XDECREF(new_memo[i]);
+ }
+ PyMem_FREE(new_memo);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
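Review bot: Switching `_Unpickler_MemoGet` and `_Unpickler_MemoPut` to `size_t idx` drops the explicit `idx < 0` rejection, so a negative `Py_ssize_t` passed by a caller now converts silently to a very large index. In `_Unpickler_MemoGet` the remaining `idx >= self->memo_size` test still rejects it, but the body of `_Unpickler_MemoPut` lies outside the hunk and its callers are not shown, so this patch alone cannot confirm that every call site rejects negative values before the conversion. I would document the contract on both functions, e.g. `/* Callers must reject negative indices before converting to size_t. */`. The cleanup loop in `Unpickler_set_memo`, `for (size_t i = new_memo_size - 1; i != SIZE_MAX; i--)`, is correct but relies on unsigned wraparound; `for (size_t i = new_memo_size; i-- > 0; )` does the same without the sentinel.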
diff --git a/external/poky/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/external/poky/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
new file mode 100644
index 00000000..82a114f2
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
@@ -0,0 +1,129 @@
+From 31c16d62fc762ab87e66e7f47e36dbfcfc8b5224 Mon Sep 17 00:00:00 2001
+From: Xtreak <tir.karthi@gmail.com>
+Date: Sun, 17 Mar 2019 05:33:39 +0530
+Subject: [PATCH] [3.5] bpo-35121: prefix dot in domain for proper subdomain
+ validation (GH-10258) (#12281)
+
+Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
+(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
+
+Co-authored-by: Xtreak <tir.karthi@gmail.com>
+
+CVE: CVE-2018-20852
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/4749f1b69000259e23b4cc6f63c542a9bdc62f1b]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Lib/http/cookiejar.py | 13 ++++++--
+ Lib/test/test_http_cookiejar.py | 30 +++++++++++++++++++
+ .../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | 4 +++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+
+diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
+index 6d4572af03..1cc9378ae4 100644
+--- a/Lib/http/cookiejar.py
++++ b/Lib/http/cookiejar.py
+@@ -1148,6 +1148,11 @@ class DefaultCookiePolicy(CookiePolicy):
+ req_host, erhn = eff_request_host(request)
+ domain = cookie.domain
+
++ if domain and not domain.startswith("."):
++ dotdomain = "." + domain
++ else:
++ dotdomain = domain
++
+ # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
+ if (cookie.version == 0 and
+ (self.strict_ns_domain & self.DomainStrictNonDomain) and
+@@ -1160,7 +1165,7 @@ class DefaultCookiePolicy(CookiePolicy):
+ _debug(" effective request-host name %s does not domain-match "
+ "RFC 2965 cookie domain %s", erhn, domain)
+ return False
+- if cookie.version == 0 and not ("."+erhn).endswith(domain):
++ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
+ _debug(" request-host %s does not match Netscape cookie domain "
+ "%s", req_host, domain)
+ return False
+@@ -1174,7 +1179,11 @@ class DefaultCookiePolicy(CookiePolicy):
+ req_host = "."+req_host
+ if not erhn.startswith("."):
+ erhn = "."+erhn
+- if not (req_host.endswith(domain) or erhn.endswith(domain)):
++ if domain and not domain.startswith("."):
++ dotdomain = "." + domain
++ else:
++ dotdomain = domain
++ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
+ #_debug(" request domain %s does not match cookie domain %s",
+ # req_host, domain)
+ return False
+diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
+index 49c01ae489..e67e6ae780 100644
+--- a/Lib/test/test_http_cookiejar.py
++++ b/Lib/test/test_http_cookiejar.py
+@@ -417,6 +417,7 @@ class CookieTests(unittest.TestCase):
+ ("http://foo.bar.com/", ".foo.bar.com", True),
+ ("http://foo.bar.com/", "foo.bar.com", True),
+ ("http://foo.bar.com/", ".bar.com", True),
++ ("http://foo.bar.com/", "bar.com", True),
+ ("http://foo.bar.com/", "com", True),
+ ("http://foo.com/", "rhubarb.foo.com", False),
+ ("http://foo.com/", ".foo.com", True),
+@@ -427,6 +428,8 @@ class CookieTests(unittest.TestCase):
+ ("http://foo/", "foo", True),
+ ("http://foo/", "foo.local", True),
+ ("http://foo/", ".local", True),
++ ("http://barfoo.com", ".foo.com", False),
++ ("http://barfoo.com", "foo.com", False),
+ ]:
+ request = urllib.request.Request(url)
+ r = pol.domain_return_ok(domain, request)
+@@ -961,6 +964,33 @@ class CookieTests(unittest.TestCase):
+ c.add_cookie_header(req)
+ self.assertFalse(req.has_header("Cookie"))
+
++ c.clear()
++
++ pol.set_blocked_domains([])
++ req = urllib.request.Request("http://acme.com/")
++ res = FakeResponse(headers, "http://acme.com/")
++ cookies = c.make_cookies(res, req)
++ c.extract_cookies(res, req)
++ self.assertEqual(len(c), 1)
++
++ req = urllib.request.Request("http://acme.com/")
++ c.add_cookie_header(req)
++ self.assertTrue(req.has_header("Cookie"))
++
++ req = urllib.request.Request("http://badacme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(pol.return_ok(cookies[0], req))
++ self.assertFalse(req.has_header("Cookie"))
++
++ p = pol.set_blocked_domains(["acme.com"])
++ req = urllib.request.Request("http://acme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(req.has_header("Cookie"))
++
++ req = urllib.request.Request("http://badacme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(req.has_header("Cookie"))
++
+ def test_secure(self):
+ for ns in True, False:
+ for whitespace in " ", "":
+diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+new file mode 100644
+index 0000000000..d2eb8f1f35
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+@@ -0,0 +1,4 @@
++Don't send cookies of domain A without Domain attribute to domain B
++when domain A is a suffix match of domain B while using a cookiejar
++with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
++Karthikeyan Singaravelan.
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/external/poky/meta/recipes-devtools/python/python3/CVE-2019-9636.patch b/external/poky/meta/recipes-devtools/python/python3/CVE-2019-9636.patch
new file mode 100644
index 00000000..ce8eb666
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/python/python3/CVE-2019-9636.patch
@@ -0,0 +1,154 @@
+From b0305339567b64e07df87620e97e4cb99332aef6 Mon Sep 17 00:00:00 2001
+From: Steve Dower <steve.dower@microsoft.com>
+Date: Sun, 10 Mar 2019 21:59:24 -0700
+Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
+ to separators (GH-12201) (#12223)
+
+CVE: CVE-2019-9636
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/c0d95113b070799679bcb9dc49d4960d82e8bb08]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Doc/library/urllib.parse.rst | 18 +++++++++++++++
+ Lib/test/test_urlparse.py | 23 +++++++++++++++++++
+ Lib/urllib/parse.py | 17 ++++++++++++++
+ .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++
+ 4 files changed, 61 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+
+diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
+index 6f722a8897..a4c6b6726e 100644
+--- a/Doc/library/urllib.parse.rst
++++ b/Doc/library/urllib.parse.rst
+@@ -120,6 +120,11 @@ or on combining URL components into a URL string.
+ Unmatched square brackets in the :attr:`netloc` attribute will raise a
+ :exc:`ValueError`.
+
++ Characters in the :attr:`netloc` attribute that decompose under NFKC
++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
++ decomposed before parsing, no error will be raised.
++
+ .. versionchanged:: 3.2
+ Added IPv6 URL parsing capabilities.
+
+@@ -128,6 +133,10 @@ or on combining URL components into a URL string.
+ false), in accordance with :rfc:`3986`. Previously, a whitelist of
+ schemes that support fragments existed.
+
++ .. versionchanged:: 3.5.7
++ Characters that affect netloc parsing under NFKC normalization will
++ now raise :exc:`ValueError`.
++
+
+ .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace')
+
+@@ -236,6 +245,15 @@ or on combining URL components into a URL string.
+ Unmatched square brackets in the :attr:`netloc` attribute will raise a
+ :exc:`ValueError`.
+
++ Characters in the :attr:`netloc` attribute that decompose under NFKC
++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
++ decomposed before parsing, no error will be raised.
++
++ .. versionchanged:: 3.5.7
++ Characters that affect netloc parsing under NFKC normalization will
++ now raise :exc:`ValueError`.
++
+
+ .. function:: urlunsplit(parts)
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index e2cf1b7e0f..d0420b0e74 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -1,3 +1,5 @@
++import sys
++import unicodedata
+ import unittest
+ import urllib.parse
+
+@@ -970,6 +972,27 @@ class UrlParseTestCase(unittest.TestCase):
+ expected.append(name)
+ self.assertCountEqual(urllib.parse.__all__, expected)
+
++ def test_urlsplit_normalization(self):
++ # Certain characters should never occur in the netloc,
++ # including under normalization.
++ # Ensure that ALL of them are detected and cause an error
++ illegal_chars = '/:#?@'
++ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
++ denorm_chars = [
++ c for c in map(chr, range(128, sys.maxunicode))
++ if (hex_chars & set(unicodedata.decomposition(c).split()))
++ and c not in illegal_chars
++ ]
++ # Sanity check that we found at least one such character
++ self.assertIn('\u2100', denorm_chars)
++ self.assertIn('\uFF03', denorm_chars)
++
++ for scheme in ["http", "https", "ftp"]:
++ for c in denorm_chars:
++ url = "{}://netloc{}false.netloc/path".format(scheme, c)
++ with self.subTest(url=url, char='{:04X}'.format(ord(c))):
++ with self.assertRaises(ValueError):
++ urllib.parse.urlsplit(url)
+
+ class Utility_Tests(unittest.TestCase):
+ """Testcase to test the various utility functions in the urllib."""
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 62e8ddf04b..7ba2b445f5 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -327,6 +327,21 @@ def _splitnetloc(url, start=0):
+ delim = min(delim, wdelim) # use earliest delim position
+ return url[start:delim], url[delim:] # return (domain, rest)
+
++def _checknetloc(netloc):
++ if not netloc or not any(ord(c) > 127 for c in netloc):
++ return
++ # looking for characters like \u2100 that expand to 'a/c'
++ # IDNA uses NFKC equivalence, so normalize for this check
++ import unicodedata
++ netloc2 = unicodedata.normalize('NFKC', netloc)
++ if netloc == netloc2:
++ return
++ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
++ for c in '/?#@:':
++ if c in netloc2:
++ raise ValueError("netloc '" + netloc2 + "' contains invalid " +
++ "characters under NFKC normalization")
++
+ def urlsplit(url, scheme='', allow_fragments=True):
+ """Parse a URL into 5 components:
+ <scheme>://<netloc>/<path>?<query>#<fragment>
+@@ -356,6 +371,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ url, fragment = url.split('#', 1)
+ if '?' in url:
+ url, query = url.split('?', 1)
++ _checknetloc(netloc)
+ v = SplitResult(scheme, netloc, url, query, fragment)
+ _parse_cache[key] = v
+ return _coerce_result(v)
+@@ -379,6 +395,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ url, fragment = url.split('#', 1)
+ if '?' in url:
+ url, query = url.split('?', 1)
++ _checknetloc(netloc)
+ v = SplitResult(scheme, netloc, url, query, fragment)
+ _parse_cache[key] = v
+ return _coerce_result(v)
+diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+new file mode 100644
+index 0000000000..5546394157
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+@@ -0,0 +1,3 @@
++Changes urlsplit() to raise ValueError when the URL contains characters that
++decompose under IDNA encoding (NFKC-normalization) into characters that
++affect how the URL is parsed.
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
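Review bot: In the `Lib/urllib/parse.py` part, `_, _, netloc = netloc.rpartition('@')` in `_checknetloc` has no effect, because the loop after it tests `netloc2`, which was normalized from the whole netloc before the userinfo was stripped. As written, a netloc that carries its own `:` or `@` (a port or userinfo) and contains any character that NFKC changes is rejected with ValueError, even when nothing decomposes into a separator. One way to limit the check to separators produced by normalization is to strip the ones already present first: `n = netloc.replace('@', '').replace(':', '').replace('#', '').replace('?', '')`, then `netloc2 = unicodedata.normalize('NFKC', n)` and `if n == netloc2: return`, dropping the `rpartition` line. The python 2.7 recipe in this commit lists a separate `bpo-36216-cve-2019-9636-fix.patch`, while the python3 `SRC_URI` gains only `CVE-2019-9636.patch`, so it is worth checking whether the python3 backport needs the matching follow-up.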
diff --git a/external/poky/meta/recipes-devtools/python/python3/CVE-2019-9740.patch b/external/poky/meta/recipes-devtools/python/python3/CVE-2019-9740.patch
new file mode 100644
index 00000000..83709016
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/python/python3/CVE-2019-9740.patch
@@ -0,0 +1,155 @@
+From afe3a4975cf93c97e5d6eb8800e48f368011d37a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Sun, 14 Jul 2019 11:07:11 +0200
+Subject: [PATCH] bpo-30458: Disallow control chars in http URLs. (GH-12755)
+ (#13207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
+
+Disable https related urllib tests on a build without ssl (GH-13032)
+These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
+
+Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
+
+Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
+Upstream-Status: Backport[https://github.com/python/cpython/commit/afe3a4975cf93c97e5d6eb8800e48f368011d37a]
+CVE: CVE-2019-9740
+CVE: CVE-2019-9947
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/http/client.py | 16 ++++++
+ Lib/test/test_urllib.py | 55 +++++++++++++++++++
+ Lib/test/test_xmlrpc.py | 8 ++-
+ .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst | 1 +
+ 4 files changed, 79 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+index 352c1017adce..76b9be69a374 100644
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -141,6 +141,16 @@
+ _is_legal_header_name = re.compile(rb'[^:\s][^:\r\n]*').fullmatch
+ _is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search
+
++# These characters are not allowed within HTTP URL paths.
++# See https://tools.ietf.org/html/rfc3986#section-3.3 and the
++# https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
++# Prevents CVE-2019-9740. Includes control characters such as \r\n.
++# We don't restrict chars above \x7f as putrequest() limits us to ASCII.
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
++# Arguably only these _should_ allowed:
++# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
++# We are more lenient for assumed real world compatibility purposes.
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -978,6 +988,12 @@ def putrequest(self, method, url, skip_host=False,
+ self._method = method
+ if not url:
+ url = '/'
++ # Prevent CVE-2019-9740.
++ match = _contains_disallowed_url_pchar_re.search(url)
++ if match:
++ raise InvalidURL("URL can't contain control characters. {!r} "
++ "(found at least {!r})".format(url,
++ match.group()))
+ request = '%s %s %s' % (method, url, self._http_vsn_str)
+
+ # Non-ASCII characters should have been eliminated earlier
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 3afb1312de32..1e2c622e29fd 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -330,6 +330,61 @@ def test_willclose(self):
+ finally:
+ self.unfakehttp()
+
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_control_char_rejected(self):
++ for char_no in list(range(0, 0x21)) + [0x7f]:
++ char = chr(char_no)
++ schemeless_url = "//localhost:7777/test{}/".format(char)
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ try:
++ # We explicitly test urllib.request.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ escaped_char_repr = repr(char).replace('\\', r'\\')
++ InvalidURL = http.client.InvalidURL
++ with self.assertRaisesRegex(
++ InvalidURL,
++ "contain control.*{}".format(escaped_char_repr)):
++ urllib.request.urlopen("http:{}".format(schemeless_url))
++ with self.assertRaisesRegex(
++ InvalidURL,
++ "contain control.*{}".format(escaped_char_repr)):
++ urllib.request.urlopen("https:{}".format(schemeless_url))
++ # This code path quotes the URL so there is no injection.
++ resp = urlopen("http:{}".format(schemeless_url))
++ self.assertNotIn(char, resp.geturl())
++ finally:
++ self.unfakehttp()
++
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_newline_header_injection_rejected(self):
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++ schemeless_url = "//" + host + ":8080/test/?test=a"
++ try:
++ # We explicitly test urllib.request.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ InvalidURL = http.client.InvalidURL
++ with self.assertRaisesRegex(
++ InvalidURL, r"contain control.*\\r.*(found at least . .)"):
++ urllib.request.urlopen("http:{}".format(schemeless_url))
++ with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"):
++ urllib.request.urlopen("https:{}".format(schemeless_url))
++ # This code path quotes the URL so there is no injection.
++ resp = urlopen("http:{}".format(schemeless_url))
++ self.assertNotIn(' ', resp.geturl())
++ self.assertNotIn('\r', resp.geturl())
++ self.assertNotIn('\n', resp.geturl())
++ finally:
++ self.unfakehttp()
++
+ def test_read_0_9(self):
+ # "0.9" response accepted (but not "simple responses" without
+ # a status line)
+diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
+index c2de057ecbfa..99e510fcee86 100644
+--- a/Lib/test/test_xmlrpc.py
++++ b/Lib/test/test_xmlrpc.py
+@@ -896,7 +896,13 @@ def test_unicode_host(self):
+ def test_partial_post(self):
+ # Check that a partial POST doesn't make the server loop: issue #14001.
+ conn = http.client.HTTPConnection(ADDR, PORT)
+- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
++ conn.send('POST /RPC2 HTTP/1.0\r\n'
++ 'Content-Length: 100\r\n\r\n'
++ 'bye HTTP/1.1\r\n'
++ 'Host: {}:{}\r\n'
++ 'Accept-Encoding: identity\r\n'
++ 'Content-Length: 0\r\n\r\n'
++ .format(ADDR, PORT).encode('ascii'))
+ conn.close()
+
+ def test_context_manager(self):
+diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+new file mode 100644
+index 000000000000..ed8027fb4d64
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+@@ -0,0 +1 @@
++Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
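Review bot: In the `Lib/http/client.py` part, the new guard in `putrequest` validates only `url`, while `method` is formatted into the same request line (`'%s %s %s' % (method, url, self._http_vsn_str)`) with no control-character test. The request line is therefore protected only as long as no caller passes an externally influenced method, which cannot be confirmed from this hunk. If that is a concern, the same guard could run before the line is built, e.g. `if _contains_disallowed_url_pchar_re.search(method): raise ValueError("method can't contain control characters")`. The comment `# Arguably only these _should_ allowed:` is missing a word (`_should_ be allowed`). The body of `putrequest` continues outside the hunk.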
diff --git a/external/poky/meta/recipes-devtools/python/python3_3.5.6.bb b/external/poky/meta/recipes-devtools/python/python3_3.5.6.bb
index 6aa6df65..b2f8a3d0 100644
--- a/external/poky/meta/recipes-devtools/python/python3_3.5.6.bb
+++ b/external/poky/meta/recipes-devtools/python/python3_3.5.6.bb
@@ -43,6 +43,11 @@ SRC_URI += "\
file://0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch \
file://0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch \
file://run-ptest \
+ file://CVE-2019-9740.patch \
+ file://CVE-2018-14647.patch \
+ file://CVE-2018-20406.patch \
+ file://CVE-2018-20852.patch \
+ file://CVE-2019-9636.patch \
"
inherit multilib_header python3native update-alternatives qemu ptest
diff --git a/external/poky/meta/recipes-devtools/python/python_2.7.16.bb b/external/poky/meta/recipes-devtools/python/python_2.7.16.bb
index 9c79faf9..16b17447 100644
--- a/external/poky/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/external/poky/meta/recipes-devtools/python/python_2.7.16.bb
@@ -35,6 +35,8 @@ SRC_URI += "\
file://bpo-35907-cve-2019-9948-fix.patch \
file://bpo-36216-cve-2019-9636.patch \
file://bpo-36216-cve-2019-9636-fix.patch \
+ file://bpo-35121-cve-2018-20852.patch \
+ file://bpo-30458-cve-2019-9740.patch \
"
S = "${WORKDIR}/Python-${PV}"
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch
new file mode 100644
index 00000000..767b200b
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch
@@ -0,0 +1,49 @@
+From 184943d827ce09375284e6fbb9fd5eeb9e369529 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 20 Mar 2019 16:18:41 +0000
+Subject: [PATCH] linux-user: assume __NR_gettid always exists
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The gettid syscall was introduced in Linux 2.4.11. This is old enough
+that we can assume it always exists and thus not bother with the
+conditional backcompat logic.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Laurent Vivier <laurent@vivier.eu>
+Message-Id: <20190320161842.13908-2-berrange@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+
+Upstream-Status: Backport
+dependancy patch for fix
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+
+
+ linux-user/syscall.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+Index: qemu-3.0.0/linux-user/syscall.c
+===================================================================
+--- qemu-3.0.0.orig/linux-user/syscall.c
++++ qemu-3.0.0/linux-user/syscall.c
+@@ -251,15 +251,7 @@ static type name (type1 arg1,type2 arg2,
+ #define TARGET_NR__llseek TARGET_NR_llseek
+ #endif
+
+-#ifdef __NR_gettid
+ _syscall0(int, gettid)
+-#else
+-/* This is a replacement for the host gettid() and must return a host
+- errno. */
+-static int gettid(void) {
+- return -ENOSYS;
+-}
+-#endif
+
+ /* For the 64-bit guest on 32-bit host case we must emulate
+ * getdents using getdents64, because otherwise the host
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch
new file mode 100644
index 00000000..ab3b71d7
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch
@@ -0,0 +1,95 @@
+From 71ba74f67eaca21b0cc9d96f534ad3b9a7161400 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 20 Mar 2019 16:18:42 +0000
+Subject: [PATCH] linux-user: rename gettid() to sys_gettid() to avoid clash
+ with glibc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The glibc-2.29.9000-6.fc31.x86_64 package finally includes the gettid()
+function as part of unistd.h when __USE_GNU is defined. This clashes
+with linux-user code which unconditionally defines this function name
+itself.
+
+/home/berrange/src/virt/qemu/linux-user/syscall.c:253:16: error: static declaration of ‘gettid’ follows non-static declaration
+ 253 | _syscall0(int, gettid)
+ | ^~~~~~
+/home/berrange/src/virt/qemu/linux-user/syscall.c:184:13: note: in definition of macro ‘_syscall0’
+ 184 | static type name (void) \
+ | ^~~~
+In file included from /usr/include/unistd.h:1170,
+ from /home/berrange/src/virt/qemu/include/qemu/osdep.h:107,
+ from /home/berrange/src/virt/qemu/linux-user/syscall.c:20:
+/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
+ 34 | extern __pid_t gettid (void) __THROW;
+ | ^~~~~~
+ CC aarch64-linux-user/linux-user/signal.o
+make[1]: *** [/home/berrange/src/virt/qemu/rules.mak:69: linux-user/syscall.o] Error 1
+make[1]: *** Waiting for unfinished jobs....
+make: *** [Makefile:449: subdir-aarch64-linux-user] Error 2
+
+While we could make our definition conditional and rely on glibc's impl,
+this patch simply renames our definition to sys_gettid() which is a
+common pattern in this file.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Laurent Vivier <laurent@vivier.eu>
+Message-Id: <20190320161842.13908-3-berrange@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+
+Upstream-status: Backport
+
+Fixes issue found on tumbleweed-ty-1
+Yocto bug: https://bugzilla.yoctoproject.org/show_bug.cgi?id=13577
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ linux-user/syscall.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+Index: qemu-3.0.0/linux-user/syscall.c
+===================================================================
+--- qemu-3.0.0.orig/linux-user/syscall.c
++++ qemu-3.0.0/linux-user/syscall.c
+@@ -251,7 +251,8 @@ static type name (type1 arg1,type2 arg2,
+ #define TARGET_NR__llseek TARGET_NR_llseek
+ #endif
+
+-_syscall0(int, gettid)
++#define __NR_sys_gettid __NR_gettid
++_syscall0(int, sys_gettid)
+
+ /* For the 64-bit guest on 32-bit host case we must emulate
+ * getdents using getdents64, because otherwise the host
+@@ -6483,7 +6484,7 @@ static void *clone_func(void *arg)
+ cpu = ENV_GET_CPU(env);
+ thread_cpu = cpu;
+ ts = (TaskState *)cpu->opaque;
+- info->tid = gettid();
++ info->tid = sys_gettid();
+ task_settid(ts);
+ if (info->child_tidptr)
+ put_user_u32(info->tid, info->child_tidptr);
+@@ -6628,9 +6629,9 @@ static int do_fork(CPUArchState *env, un
+ mapping. We can't repeat the spinlock hack used above because
+ the child process gets its own copy of the lock. */
+ if (flags & CLONE_CHILD_SETTID)
+- put_user_u32(gettid(), child_tidptr);
++ put_user_u32(sys_gettid(), child_tidptr);
+ if (flags & CLONE_PARENT_SETTID)
+- put_user_u32(gettid(), parent_tidptr);
++ put_user_u32(sys_gettid(), parent_tidptr);
+ ts = (TaskState *)cpu->opaque;
+ if (flags & CLONE_SETTLS)
+ cpu_set_tls (env, newtls);
+@@ -11876,7 +11877,7 @@ abi_long do_syscall(void *cpu_env, int n
+ break;
+ #endif
+ case TARGET_NR_gettid:
+- ret = get_errno(gettid());
++ ret = get_errno(sys_gettid());
+ break;
+ #ifdef TARGET_NR_readahead
+ case TARGET_NR_readahead:
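Review bot: The status tag in this patch header is spelled `Upstream-status: Backport`, while the python backports in this commit use `Upstream-Status:`; tooling that matches the tag by exact spelling may treat this patch as having no status (an assumption, since the checker is not shown here). Writing it as `Upstream-Status: Backport [<upstream commit URL>]` would match the form used by those patches. The same applies to `0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch`, where the tag reads `Uptream-status:` and sits after the `---` separator. The companion patch `0001-linux-user-assume-__NR_gettid-always-exists.patch` spells the tag correctly but says only `dependancy patch for fix`; naming the patch it is a dependency of would make the pairing clear.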
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
index 8a9141ac..03ec2c90 100644
--- a/external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
@@ -18,11 +18,11 @@ Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
2 files changed, 29 insertions(+)
create mode 100644 custom_debug.h
-diff --git a/cpus.c b/cpus.c
-index 38eba8bff3..b84a60a4f3 100644
---- a/cpus.c
-+++ b/cpus.c
-@@ -1690,6 +1690,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
+Index: qemu-3.0.0/cpus.c
+===================================================================
+--- qemu-3.0.0.orig/cpus.c
++++ qemu-3.0.0/cpus.c
+@@ -1693,6 +1693,8 @@ static void *qemu_tcg_cpu_thread_fn(void
return NULL;
}
@@ -31,7 +31,7 @@ index 38eba8bff3..b84a60a4f3 100644
static void qemu_cpu_kick_thread(CPUState *cpu)
{
#ifndef _WIN32
-@@ -1702,6 +1704,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
+@@ -1705,6 +1707,9 @@ static void qemu_cpu_kick_thread(CPUStat
err = pthread_kill(cpu->thread->thread, SIG_IPI);
if (err) {
fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
@@ -41,11 +41,10 @@ index 38eba8bff3..b84a60a4f3 100644
exit(1);
}
#else /* _WIN32 */
-diff --git a/custom_debug.h b/custom_debug.h
-new file mode 100644
-index 0000000000..f029e45547
+Index: qemu-3.0.0/custom_debug.h
+===================================================================
--- /dev/null
-+++ b/custom_debug.h
++++ qemu-3.0.0/custom_debug.h
@@ -0,0 +1,24 @@
+#include <execinfo.h>
+#include <stdio.h>
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch
new file mode 100644
index 00000000..31a7c948
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch
@@ -0,0 +1,336 @@
+From 8104018ba4c66e568d2583a3a0ee940851ee7471 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrangé <berrange@redhat.com>
+Date: Tue, 23 Jul 2019 17:50:00 +0200
+Subject: [PATCH] linux-user: fix to handle variably sized SIOCGSTAMP with new
+ kernels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The SIOCGSTAMP symbol was previously defined in the
+asm-generic/sockios.h header file. QEMU sees that header
+indirectly via sys/socket.h
+
+In linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115
+the asm-generic/sockios.h header no longer defines SIOCGSTAMP.
+Instead it provides only SIOCGSTAMP_OLD, which only uses a
+32-bit time_t on 32-bit architectures.
+
+The linux/sockios.h header then defines SIOCGSTAMP using
+either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. If
+SIOCGSTAMP_NEW is used, then the tv_sec field is 64-bit even
+on 32-bit architectures
+
+To cope with this we must now convert the old and new type from
+the target to the host one.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Message-Id: <20190718130641.15294-1-laurent@vivier.eu>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+---
+Uptream-status: Backport (upstream commit: 6d5d5dde9adb5acb32e6b8e3dfbf47fff0f308d2)
+
+ linux-user/ioctls.h | 21 +++++-
+ linux-user/syscall.c | 140 +++++++++++++++++++++++++++++--------
+ linux-user/syscall_defs.h | 30 +++++++-
+ linux-user/syscall_types.h | 6 --
+ 4 files changed, 159 insertions(+), 38 deletions(-)
+
+Index: qemu-3.0.0/linux-user/ioctls.h
+===================================================================
+--- qemu-3.0.0.orig/linux-user/ioctls.h
++++ qemu-3.0.0/linux-user/ioctls.h
+@@ -173,8 +173,25 @@
+ IOCTL(SIOCGRARP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_arpreq)))
+ IOCTL(SIOCGIWNAME, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_char_ifreq)))
+ IOCTL(SIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) /* pid_t */
+- IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval)))
+- IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec)))
++
++ /*
++ * We can't use IOCTL_SPECIAL() because it will set
++ * host_cmd to XXX_OLD and XXX_NEW and these macros
++ * are not defined with kernel prior to 5.2.
++ * We must set host_cmd to the same value as in target_cmd
++ * otherwise the consistency check in syscall_init()
++ * will trigger an error.
++ * host_cmd is ignored by the do_ioctl_XXX() helpers.
++ * FIXME: create a macro to define this kind of entry
++ */
++ { TARGET_SIOCGSTAMP_OLD, TARGET_SIOCGSTAMP_OLD,
++ "SIOCGSTAMP_OLD", IOC_R, do_ioctl_SIOCGSTAMP },
++ { TARGET_SIOCGSTAMPNS_OLD, TARGET_SIOCGSTAMPNS_OLD,
++ "SIOCGSTAMPNS_OLD", IOC_R, do_ioctl_SIOCGSTAMPNS },
++ { TARGET_SIOCGSTAMP_NEW, TARGET_SIOCGSTAMP_NEW,
++ "SIOCGSTAMP_NEW", IOC_R, do_ioctl_SIOCGSTAMP },
++ { TARGET_SIOCGSTAMPNS_NEW, TARGET_SIOCGSTAMPNS_NEW,
++ "SIOCGSTAMPNS_NEW", IOC_R, do_ioctl_SIOCGSTAMPNS },
+
+ IOCTL(RNDGETENTCNT, IOC_R, MK_PTR(TYPE_INT))
+ IOCTL(RNDADDTOENTCNT, IOC_W, MK_PTR(TYPE_INT))
+Index: qemu-3.0.0/linux-user/syscall.c
+===================================================================
+--- qemu-3.0.0.orig/linux-user/syscall.c
++++ qemu-3.0.0/linux-user/syscall.c
+@@ -37,6 +37,7 @@
+ #include <sched.h>
+ #include <sys/timex.h>
+ #include <sys/socket.h>
++#include <linux/sockios.h>
+ #include <sys/un.h>
+ #include <sys/uio.h>
+ #include <poll.h>
+@@ -1391,8 +1392,9 @@ static inline abi_long copy_from_user_ti
+ {
+ struct target_timeval *target_tv;
+
+- if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1))
++ if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) {
+ return -TARGET_EFAULT;
++ }
+
+ __get_user(tv->tv_sec, &target_tv->tv_sec);
+ __get_user(tv->tv_usec, &target_tv->tv_usec);
+@@ -1407,8 +1409,26 @@ static inline abi_long copy_to_user_time
+ {
+ struct target_timeval *target_tv;
+
+- if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0))
++ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
++ return -TARGET_EFAULT;
++ }
++
++ __put_user(tv->tv_sec, &target_tv->tv_sec);
++ __put_user(tv->tv_usec, &target_tv->tv_usec);
++
++ unlock_user_struct(target_tv, target_tv_addr, 1);
++
++ return 0;
++}
++
++static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr,
++ const struct timeval *tv)
++{
++ struct target__kernel_sock_timeval *target_tv;
++
++ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
+ return -TARGET_EFAULT;
++ }
+
+ __put_user(tv->tv_sec, &target_tv->tv_sec);
+ __put_user(tv->tv_usec, &target_tv->tv_usec);
+@@ -1418,6 +1438,48 @@ static inline abi_long copy_to_user_time
+ return 0;
+ }
+
++static inline abi_long target_to_host_timespec(struct timespec *host_ts,
++ abi_ulong target_addr)
++{
++ struct target_timespec *target_ts;
++
++ if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) {
++ return -TARGET_EFAULT;
++ }
++ __get_user(host_ts->tv_sec, &target_ts->tv_sec);
++ __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++ unlock_user_struct(target_ts, target_addr, 0);
++ return 0;
++}
++
++static inline abi_long host_to_target_timespec(abi_ulong target_addr,
++ struct timespec *host_ts)
++{
++ struct target_timespec *target_ts;
++
++ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
++ return -TARGET_EFAULT;
++ }
++ __put_user(host_ts->tv_sec, &target_ts->tv_sec);
++ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++ unlock_user_struct(target_ts, target_addr, 1);
++ return 0;
++}
++
++static inline abi_long host_to_target_timespec64(abi_ulong target_addr,
++ struct timespec *host_ts)
++{
++ struct target__kernel_timespec *target_ts;
++
++ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
++ return -TARGET_EFAULT;
++ }
++ __put_user(host_ts->tv_sec, &target_ts->tv_sec);
++ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++ unlock_user_struct(target_ts, target_addr, 1);
++ return 0;
++}
++
+ static inline abi_long copy_from_user_timezone(struct timezone *tz,
+ abi_ulong target_tz_addr)
+ {
+@@ -5733,6 +5795,54 @@ static abi_long do_ioctl_kdsigaccept(con
+ return get_errno(safe_ioctl(fd, ie->host_cmd, sig));
+ }
+
++static abi_long do_ioctl_SIOCGSTAMP(const IOCTLEntry *ie, uint8_t *buf_temp,
++ int fd, int cmd, abi_long arg)
++{
++ struct timeval tv;
++ abi_long ret;
++
++ ret = get_errno(safe_ioctl(fd, SIOCGSTAMP, &tv));
++ if (is_error(ret)) {
++ return ret;
++ }
++
++ if (cmd == (int)TARGET_SIOCGSTAMP_OLD) {
++ if (copy_to_user_timeval(arg, &tv)) {
++ return -TARGET_EFAULT;
++ }
++ } else {
++ if (copy_to_user_timeval64(arg, &tv)) {
++ return -TARGET_EFAULT;
++ }
++ }
++
++ return ret;
++}
++
++static abi_long do_ioctl_SIOCGSTAMPNS(const IOCTLEntry *ie, uint8_t *buf_temp,
++ int fd, int cmd, abi_long arg)
++{
++ struct timespec ts;
++ abi_long ret;
++
++ ret = get_errno(safe_ioctl(fd, SIOCGSTAMPNS, &ts));
++ if (is_error(ret)) {
++ return ret;
++ }
++
++ if (cmd == (int)TARGET_SIOCGSTAMPNS_OLD) {
++ if (host_to_target_timespec(arg, &ts)) {
++ return -TARGET_EFAULT;
++ }
++ } else{
++ if (host_to_target_timespec64(arg, &ts)) {
++ return -TARGET_EFAULT;
++ }
++ }
++
++ return ret;
++}
++
+ #ifdef TIOCGPTPEER
+ static abi_long do_ioctl_tiocgptpeer(const IOCTLEntry *ie, uint8_t *buf_temp,
+ int fd, int cmd, abi_long arg)
+@@ -7106,32 +7216,6 @@ static inline abi_long target_ftruncate6
+ }
+ #endif
+
+-static inline abi_long target_to_host_timespec(struct timespec *host_ts,
+- abi_ulong target_addr)
+-{
+- struct target_timespec *target_ts;
+-
+- if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1))
+- return -TARGET_EFAULT;
+- __get_user(host_ts->tv_sec, &target_ts->tv_sec);
+- __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
+- unlock_user_struct(target_ts, target_addr, 0);
+- return 0;
+-}
+-
+-static inline abi_long host_to_target_timespec(abi_ulong target_addr,
+- struct timespec *host_ts)
+-{
+- struct target_timespec *target_ts;
+-
+- if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0))
+- return -TARGET_EFAULT;
+- __put_user(host_ts->tv_sec, &target_ts->tv_sec);
+- __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
+- unlock_user_struct(target_ts, target_addr, 1);
+- return 0;
+-}
+-
+ static inline abi_long target_to_host_itimerspec(struct itimerspec *host_itspec,
+ abi_ulong target_addr)
+ {
+Index: qemu-3.0.0/linux-user/syscall_defs.h
+===================================================================
+--- qemu-3.0.0.orig/linux-user/syscall_defs.h
++++ qemu-3.0.0/linux-user/syscall_defs.h
+@@ -203,16 +203,34 @@ struct target_ip_mreq_source {
+ uint32_t imr_sourceaddr;
+ };
+
++#if defined(TARGET_SPARC64) && !defined(TARGET_ABI32)
++struct target_timeval {
++ abi_long tv_sec;
++ abi_int tv_usec;
++};
++#define target__kernel_sock_timeval target_timeval
++#else
+ struct target_timeval {
+ abi_long tv_sec;
+ abi_long tv_usec;
+ };
+
++struct target__kernel_sock_timeval {
++ abi_llong tv_sec;
++ abi_llong tv_usec;
++};
++#endif
++
+ struct target_timespec {
+ abi_long tv_sec;
+ abi_long tv_nsec;
+ };
+
++struct target__kernel_timespec {
++ abi_llong tv_sec;
++ abi_llong tv_nsec;
++};
++
+ struct target_timezone {
+ abi_int tz_minuteswest;
+ abi_int tz_dsttime;
+@@ -738,8 +756,16 @@ struct target_pollfd {
+ #define TARGET_SIOCATMARK 0x8905
+ #define TARGET_SIOCGPGRP 0x8904
+ #endif
+-#define TARGET_SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
+-#define TARGET_SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
++#if defined(TARGET_SH4)
++#define TARGET_SIOCGSTAMP_OLD TARGET_IOR('s', 100, struct target_timeval)
++#define TARGET_SIOCGSTAMPNS_OLD TARGET_IOR('s', 101, struct target_timespec)
++#else
++#define TARGET_SIOCGSTAMP_OLD 0x8906
++#define TARGET_SIOCGSTAMPNS_OLD 0x8907
++#endif
++
++#define TARGET_SIOCGSTAMP_NEW TARGET_IOR(0x89, 0x06, abi_llong[2])
++#define TARGET_SIOCGSTAMPNS_NEW TARGET_IOR(0x89, 0x07, abi_llong[2])
+
+ /* Networking ioctls */
+ #define TARGET_SIOCADDRT 0x890B /* add routing table entry */
+Index: qemu-3.0.0/linux-user/syscall_types.h
+===================================================================
+--- qemu-3.0.0.orig/linux-user/syscall_types.h
++++ qemu-3.0.0/linux-user/syscall_types.h
+@@ -14,12 +14,6 @@ STRUCT(serial_icounter_struct,
+ STRUCT(sockaddr,
+ TYPE_SHORT, MK_ARRAY(TYPE_CHAR, 14))
+
+-STRUCT(timeval,
+- MK_ARRAY(TYPE_LONG, 2))
+-
+-STRUCT(timespec,
+- MK_ARRAY(TYPE_LONG, 2))
+-
+ STRUCT(rtentry,
+ TYPE_ULONG, MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr),
+ TYPE_SHORT, TYPE_SHORT, TYPE_ULONG, TYPE_PTRVOID, TYPE_SHORT, TYPE_PTRVOID,
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
index 7e1e442a..81607c95 100644
--- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
@@ -19,7 +19,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff
;h=fdc89e90fac40c5ca2686733df17b6423fb8d8fb#patch1]
-CVE: CVE-2018-10839
+CVE: CVE-2018-10839 CVE-2018-17958
Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
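Review bot: Adding `CVE-2018-17958` to this patch's `CVE:` tag makes tooling that reads patch headers (such as OE's cve-check) treat that CVE as fixed, but the only fix visible in this commit is the deleted CVE-2018-17958.patch, which changes `ne2000_receive()` in hw/net/ne2000.c and nothing else. If CVE-2018-10839.patch carries the same ne2000 change, the two files were duplicates and removing one is fine. The record for CVE-2018-17958 should still be checked to confirm that it describes the ne2000 model; I believe it is filed against a different NIC model, in which case this tag would hide an unpatched issue. The body of CVE-2018-10839.patch is outside this hunk, so this is inferred from the headers only.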
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
deleted file mode 100644
index af40ff27..00000000
--- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 06e88ca78d056ea4de885e3a1496805179dc47bc Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Mon, 15 Oct 2018 16:33:04 +0800
-Subject: [PATCH] ne2000: fix possible out of bound access in ne2000_receive
-
-In ne2000_receive(), we try to assign size_ to size which converts
-from size_t to integer. This will cause troubles when size_ is greater
-INT_MAX, this will lead a negative value in size and it can then pass
-the check of size < MIN_BUF_SIZE which may lead out of bound access of
-for both buf and buf1.
-
-Fixing by converting the type of size to size_t.
-
-CC: address@hidden
-Reported-by: Daniel Shapira <address@hidden>
-Reviewed-by: Michael S. Tsirkin <address@hidden>
-Signed-off-by: Jason Wang <address@hidden>
-
-Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03273.html]
-
-CVE: CVE-2018-17958
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- hw/net/ne2000.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index 07d79e3..869518e 100644
---- a/hw/net/ne2000.c
-+++ b/hw/net/ne2000.c
-@@ -174,7 +174,7 @@ static int ne2000_buffer_full(NE2000State *s)
- ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
- {
- NE2000State *s = qemu_get_nic_opaque(nc);
-- int size = size_;
-+ size_t size = size_;
- uint8_t *p;
- unsigned int total_len, next, avail, len, index, mcast_idx;
- uint8_t buf1[60];
-@@ -182,7 +182,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
- { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
-
- #if defined(DEBUG_NE2000)
-- printf("NE2000: received len=%d\n", size);
-+ printf("NE2000: received len=%zu\n", size);
- #endif
-
- if (s->cmd & E8390_STOP || ne2000_buffer_full(s))
---
-2.7.4
-
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
new file mode 100644
index 00000000..9fe13645
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
@@ -0,0 +1,50 @@
+From 3c9fd43da473a324f6cc7a0d3db58f651a2d262c Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 26 Oct 2018 18:03:58 +0530
+Subject: [PATCH] ppc/pnv: check size before data buffer access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While performing PowerNV memory r/w operations, the access length
+'sz' could exceed the data[4] buffer size. Add check to avoid OOB
+access.
+
+Reported-by: Moguofang <moguofang@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+
+CVE: CVE-2018-18954
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=d07945e78eb6b593cd17a4640c1fc9eb35e3245d]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ hw/ppc/pnv_lpc.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
+index d7721320a2..172a915cfc 100644
+--- a/hw/ppc/pnv_lpc.c
++++ b/hw/ppc/pnv_lpc.c
+@@ -155,9 +155,15 @@ static void pnv_lpc_do_eccb(PnvLpcController *lpc, uint64_t cmd)
+ /* XXX Check for magic bits at the top, addr size etc... */
+ unsigned int sz = (cmd & ECCB_CTL_SZ_MASK) >> ECCB_CTL_SZ_LSH;
+ uint32_t opb_addr = cmd & ECCB_CTL_ADDR_MASK;
+- uint8_t data[4];
++ uint8_t data[8];
+ bool success;
+
++ if (sz > sizeof(data)) {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "ECCB: invalid operation at @0x%08x size %d\n", opb_addr, sz);
++ return;
++ }
++
+ if (cmd & ECCB_CTL_READ) {
+ success = opb_read(lpc, opb_addr, data, sz);
+ if (success) {
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
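Review bot: In the added `qemu_log_mask()` call, `sz` is declared `unsigned int` a few lines above but is printed with `%d`; the format should be `"ECCB: invalid operation at @0x%08x size %u\n"`. The guard itself bounds `sz` only by `sizeof(data)`, now 8, so whether every length up to 8 (including 0) is valid for `opb_read()` and the write path cannot be judged from this hunk; `pnv_lpc_do_eccb` continues past it. Because this is a backport, the alternative to changing the format locally is to keep the patch identical to upstream and report the specifier there.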
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
new file mode 100644
index 00000000..0e11ad28
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
@@ -0,0 +1,39 @@
+From b664d9d003d1a98642dcfb8e6fceef6dbf3d52d8 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 8 Jan 2019 11:23:01 +0100
+Subject: [PATCH] i2c-ddc: fix oob read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Suggested-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190108102301.1957-1-kraxel@redhat.com
+
+CVE: CVE-2019-3812
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=b05b267840515730dbf6753495d5b7bd8b04ad1c]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ hw/i2c/i2c-ddc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
+index bec0c91e2d..89e659288e 100644
+--- a/hw/i2c/i2c-ddc.c
++++ b/hw/i2c/i2c-ddc.c
+@@ -247,7 +247,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
+ I2CDDCState *s = I2CDDC(i2c);
+
+ int value;
+- value = s->edid_blob[s->reg];
++ value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
+ s->reg++;
+ return value;
+ }
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
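Review bot: The modulo is applied only at the point where `edid_blob` is indexed, while `s->reg++` on the next line still lets the stored register grow past the blob size. Any other access that indexes `edid_blob` with `s->reg` therefore needs the same wrap, and none of them are visible in this hunk. A comment on the read such as `/* reg may exceed the blob size; wrap on every access */` would make that invariant explicit for the next change. The patch header also has no description of the flaw; one sentence saying where `reg` is written from would help anyone auditing this backport later.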
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
new file mode 100644
index 00000000..5b145960
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
@@ -0,0 +1,41 @@
+From b6c0fa3b435375918714e107b22de2ef13a41c26 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Sun, 13 Jan 2019 23:29:48 +0530
+Subject: [PATCH] slirp: check data length while emulating ident function
+
+While emulating identification protocol, tcp_emu() does not check
+available space in the 'sc_rcv->sb_data' buffer. It could lead to
+heap buffer overflow issue. Add check to avoid it.
+
+Reported-by: Kira <864786842@qq.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+CVE: CVE-2019-6778
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=a7104eda7dab99d0cdbd3595c211864cba415905]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ slirp/tcp_subr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 8d0f94b75f..7277aadfdf 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -640,6 +640,11 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ socklen_t addrlen = sizeof(struct sockaddr_in);
+ struct sbuf *so_rcv = &so->so_rcv;
+
++ if (m->m_len > so_rcv->sb_datalen
++ - (so_rcv->sb_wptr - so_rcv->sb_data)) {
++ return 1;
++ }
++
+ memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
+ so_rcv->sb_wptr += m->m_len;
+ so_rcv->sb_rptr += m->m_len;
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
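Review bot: The added bounds check compares `m->m_len` with `so_rcv->sb_datalen - (so_rcv->sb_wptr - so_rcv->sb_data)`, mixing a length, a size and a pointer difference whose types are all declared outside this hunk. If `m_len` is signed and the right-hand side is unsigned, the comparison happens after implicit conversion, which is easy to break when the code is touched again. A comment above the check, for example `/* refuse the copy unless m_len fits in the space left after sb_wptr */`, together with a note on what `return 1` tells the caller, would make the intent reviewable. `tcp_emu` starts and ends outside the hunk, so it cannot be seen here whether the other emulation paths that write through `sb_wptr` have an equivalent check.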
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
new file mode 100644
index 00000000..db3201c5
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
@@ -0,0 +1,215 @@
+From 13e153f01b4f2a3e199202b34a247d83c176f21a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 18 Feb 2019 23:43:49 +0530
+Subject: [PATCH] ppc: add host-serial and host-model machine attributes
+ (CVE-2019-8934)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On ppc hosts, hypervisor shares following system attributes
+
+ - /proc/device-tree/system-id
+ - /proc/device-tree/model
+
+with a guest. This could lead to information leakage and misuse.[*]
+Add machine attributes to control such system information exposure
+to a guest.
+
+[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
+
+Reported-by: Daniel P. Berrangé <berrange@redhat.com>
+Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20190218181349.23885-1-ppandit@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+
+CVE: CVE-2019-8934
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/27461d69a0f108dea756419251acc3ea65198f1b]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ hw/ppc/spapr.c | 128 ++++++++++++++++++++++++++++++++++++++---
+ include/hw/ppc/spapr.h | 2 +
+ 2 files changed, 123 insertions(+), 7 deletions(-)
+
+diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
+index 421b2dd09b..069d678ee0 100644
+--- a/hw/ppc/spapr.c
++++ b/hw/ppc/spapr.c
+@@ -1266,13 +1266,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
+ * Add info to guest to indentify which host is it being run on
+ * and what is the uuid of the guest
+ */
+- if (kvmppc_get_host_model(&buf)) {
+- _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
+- g_free(buf);
++ if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
++ if (g_str_equal(spapr->host_model, "passthrough")) {
++ /* -M host-model=passthrough */
++ if (kvmppc_get_host_model(&buf)) {
++ _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
++ g_free(buf);
++ }
++ } else {
++ /* -M host-model=<user-string> */
++ _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
++ }
+ }
+- if (kvmppc_get_host_serial(&buf)) {
+- _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
+- g_free(buf);
++
++ if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
++ if (g_str_equal(spapr->host_serial, "passthrough")) {
++ /* -M host-serial=passthrough */
++ if (kvmppc_get_host_serial(&buf)) {
++ _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
++ g_free(buf);
++ }
++ } else {
++ /* -M host-serial=<user-string> */
++ _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
++ }
+ }
+
+ buf = qemu_uuid_unparse_strdup(&qemu_uuid);
+@@ -3027,6 +3044,73 @@ static void spapr_set_vsmt(Object *obj, Visitor *v, const char *name,
+ visit_type_uint32(v, name, (uint32_t *)opaque, errp);
+ }
+
++static char *spapr_get_ic_mode(Object *obj, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ if (spapr->irq == &spapr_irq_xics_legacy) {
++ return g_strdup("legacy");
++ } else if (spapr->irq == &spapr_irq_xics) {
++ return g_strdup("xics");
++ } else if (spapr->irq == &spapr_irq_xive) {
++ return g_strdup("xive");
++ } else if (spapr->irq == &spapr_irq_dual) {
++ return g_strdup("dual");
++ }
++ g_assert_not_reached();
++}
++
++static void spapr_set_ic_mode(Object *obj, const char *value, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
++ error_setg(errp, "This machine only uses the legacy XICS backend, don't pass ic-mode");
++ return;
++ }
++
++ /* The legacy IRQ backend can not be set */
++ if (strcmp(value, "xics") == 0) {
++ spapr->irq = &spapr_irq_xics;
++ } else if (strcmp(value, "xive") == 0) {
++ spapr->irq = &spapr_irq_xive;
++ } else if (strcmp(value, "dual") == 0) {
++ spapr->irq = &spapr_irq_dual;
++ } else {
++ error_setg(errp, "Bad value for \"ic-mode\" property");
++ }
++}
++
++static char *spapr_get_host_model(Object *obj, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ return g_strdup(spapr->host_model);
++}
++
++static void spapr_set_host_model(Object *obj, const char *value, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ g_free(spapr->host_model);
++ spapr->host_model = g_strdup(value);
++}
++
++static char *spapr_get_host_serial(Object *obj, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ return g_strdup(spapr->host_serial);
++}
++
++static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
++{
++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++ g_free(spapr->host_serial);
++ spapr->host_serial = g_strdup(value);
++}
++
+ static void spapr_instance_init(Object *obj)
+ {
+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+@@ -3063,6 +3147,25 @@ static void spapr_instance_init(Object *obj)
+ " the host's SMT mode", &error_abort);
+ object_property_add_bool(obj, "vfio-no-msix-emulation",
+ spapr_get_msix_emulation, NULL, NULL);
++
++ /* The machine class defines the default interrupt controller mode */
++ spapr->irq = smc->irq;
++ object_property_add_str(obj, "ic-mode", spapr_get_ic_mode,
++ spapr_set_ic_mode, NULL);
++ object_property_set_description(obj, "ic-mode",
++ "Specifies the interrupt controller mode (xics, xive, dual)",
++ NULL);
++
++ object_property_add_str(obj, "host-model",
++ spapr_get_host_model, spapr_set_host_model,
++ &error_abort);
++ object_property_set_description(obj, "host-model",
++ "Set host's model-id to use - none|passthrough|string", &error_abort);
++ object_property_add_str(obj, "host-serial",
++ spapr_get_host_serial, spapr_set_host_serial,
++ &error_abort);
++ object_property_set_description(obj, "host-serial",
++ "Set host's system-id to use - none|passthrough|string", &error_abort);
+ }
+
+ static void spapr_machine_finalizefn(Object *obj)
+@@ -4067,7 +4170,18 @@ static void spapr_machine_3_0_instance_options(MachineState *machine)
+
+ static void spapr_machine_3_0_class_options(MachineClass *mc)
+ {
+- /* Defaults for the latest behaviour inherited from the base class */
++ sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
++ static GlobalProperty compat[] = {
++ { TYPE_SPAPR_MACHINE, "host-model", "passthrough" },
++ { TYPE_SPAPR_MACHINE, "host-serial", "passthrough" },
++ };
++
++ spapr_machine_4_0_class_options(mc);
++ compat_props_add(mc->compat_props, hw_compat_3_1, hw_compat_3_1_len);
++ compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat));
++
++ mc->default_cpu_type = POWERPC_CPU_TYPE_NAME("power8_v2.0");
++ smc->update_dt_enabled = false;
+ }
+
+ DEFINE_SPAPR_MACHINE(3_0, "3.0", true);
+diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
+index 7e5de1a6fd..4c69a55374 100644
+--- a/include/hw/ppc/spapr.h
++++ b/include/hw/ppc/spapr.h
+@@ -165,6 +165,8 @@ struct sPAPRMachineState {
+
+ /*< public >*/
+ char *kvm_type;
++ char *host_model;
++ char *host_serial;
+
+ const char *icp_type;
+
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
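Review bot: The last hw/ppc/spapr.c hunk makes `spapr_machine_3_0_class_options()` set `host-model` and `host-serial` to `passthrough`, and `DEFINE_SPAPR_MACHINE(3_0, "3.0", true)` directly below suggests 3.0 is the newest machine type in this tree. If so, the default pseries machine still exposes the host's model and system-id to the guest, and the mitigation only takes effect when `host-model=none` and `host-serial=none` are passed explicitly. The same patch also brings in code that looks unrelated to the CVE and may not exist in qemu 3.0.0: the `ic-mode` property with `spapr_irq_xive`/`spapr_irq_dual`, `smc->irq`, `spapr_machine_4_0_class_options()`, `hw_compat_3_1` and `smc->update_dt_enabled`. None of these are defined in the visible hunks, so a ppc target build should be checked. I would reduce the backport to the `host_model`/`host_serial` fields, their getters, setters and properties, and the `spapr_build_fdt()` change, and decide deliberately whether the 3.0 machine keeps the `passthrough` compat default.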
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/external/poky/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index b591cc24..e483acab 100644
--- a/external/poky/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/external/poky/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -21,8 +21,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0009-apic-fixup-fallthrough-to-PIC.patch \
file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
+ file://CVE-2018-10839.patch\
file://CVE-2018-15746.patch \
- file://CVE-2018-17958.patch \
file://CVE-2018-17962.patch \
file://CVE-2018-17963.patch \
file://CVE-2018-16867.patch \
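Review bot: The added entry `file://CVE-2018-10839.patch\` has no space before the line-continuation backslash, unlike every other SRC_URI line in this hunk. It stays a separate entry only as long as the following line keeps its leading whitespace, so a later re-indent or reorder could silently join two URLs and drop a CVE patch from the build. Write it as `file://CVE-2018-10839.patch \`.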
@@ -35,6 +35,13 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2018-20815_p1.patch \
file://CVE-2018-20815_p2.patch \
file://CVE-2019-9824.patch \
+ file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
+ file://CVE-2018-18954.patch \
+ file://CVE-2019-3812.patch \
+ file://CVE-2019-6778.patch \
+ file://CVE-2019-8934.patch \
+ file://0001-linux-user-assume-__NR_gettid-always-exists.patch \
+ file://0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0003-Fix-Dereference-of-null-pointer.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0003-Fix-Dereference-of-null-pointer.patch
new file mode 100644
index 00000000..b10fd827
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0003-Fix-Dereference-of-null-pointer.patch
@@ -0,0 +1,33 @@
+From fcd9e3aba122a220af617a802c4f47bad4b51e64 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Fri, 7 Dec 2018 07:05:10 +0100
+Subject: [PATCH] Fix: Dereference of null pointer
+Reply-To: muislam@microsoft.com
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+
+---
+ ext/repo_repomdxml.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/repo_repomdxml.c b/ext/repo_repomdxml.c
+index 760d481f..b2a5b8dd 100644
+--- a/ext/repo_repomdxml.c
++++ b/ext/repo_repomdxml.c
+@@ -181,7 +181,7 @@ startElement(struct solv_xmlparser *xmlp, int state, const char *name, const cha
+ while (value)
+ {
+ char *p = strchr(value, ',');
+- if (*p)
++ if (p)
+ *p++ = 0;
+ if (*value)
+ repodata_add_poolstr_array(pd->data, SOLVID_META, REPOSITORY_UPDATES, value);
+--
+2.23.0
+
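Review bot: `Upstream-Status: Backport` carries no commit reference here, and the only pointer is the pull-request URL `https://github.com/openSUSE/libsolv/pull/291/commits`, so this patch cannot be matched to a specific upstream commit from its header; the same applies to 0004 through 0009 below. All of these patches also carry the identical tag `CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534`, including "Don't set values that are never read" and the memory-leak fixes, so the headers do not say which change addresses which CVE. I would add the upstream commit URL in brackets after `Backport`, as the qemu patches in this commit do, and keep the `CVE:` tag only on the patches that actually fix the listed issues.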
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0004-Fix-Add-va_end-before-return.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0004-Fix-Add-va_end-before-return.patch
new file mode 100644
index 00000000..fde19940
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0004-Fix-Add-va_end-before-return.patch
@@ -0,0 +1,36 @@
+From 58053b44c9ed043d48fa7dd595d213849b733f0f Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 09:50:06 +0100
+Subject: [PATCH] Fix: Add va_end() before return
+Reply-To: muislam@microsoft.com
+
+The va_end() performs cleanup.
+If va_end() is not called before a function that calls va_start() returns,
+the behavior is undefined.
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ src/pool.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pool.c b/src/pool.c
+index 60cc0f49..f03b43f9 100644
+--- a/src/pool.c
++++ b/src/pool.c
+@@ -1505,6 +1505,7 @@ pool_debug(Pool *pool, int type, const char *format, ...)
+ vprintf(format, args);
+ else
+ vfprintf(stderr, format, args);
++ va_end(args);
+ return;
+ }
+ vsnprintf(buf, sizeof(buf), format, args);
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch
new file mode 100644
index 00000000..85398a82
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch
@@ -0,0 +1,158 @@
+From 6c99f33252d8bf8ff3e49013b8ad78aacf71c5d8 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 10:14:04 +0100
+Subject: [PATCH] Fix: Memory leaks
+Reply-To: muislam@microsoft.com
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ ext/repo_rpmdb.c | 16 ++++++++++++++++
+ ext/testcase.c | 4 ++++
+ tools/repo2solv.c | 1 +
+ 3 files changed, 21 insertions(+)
+
+diff --git a/ext/repo_rpmdb.c b/ext/repo_rpmdb.c
+index 75bb6780..ff939978 100644
+--- a/ext/repo_rpmdb.c
++++ b/ext/repo_rpmdb.c
+@@ -1939,6 +1939,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (fread(lead, 96 + 16, 1, fp) != 1 || getu32(lead) != 0xedabeedb)
+ {
+ pool_error(pool, -1, "%s: not a rpm", rpm);
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -1951,12 +1953,16 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (lead[78] != 0 || lead[79] != 5)
+ {
+ pool_error(pool, -1, "%s: not a rpm v5 header", rpm);
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+ if (getu32(lead + 96) != 0x8eade801)
+ {
+ pool_error(pool, -1, "%s: bad signature header", rpm);
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -1965,6 +1971,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (sigcnt >= MAX_SIG_CNT || sigdsize >= MAX_SIG_DSIZE)
+ {
+ pool_error(pool, -1, "%s: bad signature header", rpm);
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -1975,6 +1983,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ {
+ if (!headfromfp(&state, rpm, fp, lead + 96, sigcnt, sigdsize, sigpad, chksumh, leadsigchksumh))
+ {
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -2014,6 +2024,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (fread(lead, l, 1, fp) != 1)
+ {
+ pool_error(pool, -1, "%s: unexpected EOF", rpm);
++ solv_chksum_free(leadsigchksumh, NULL);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -2034,6 +2046,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (fread(lead, 16, 1, fp) != 1)
+ {
+ pool_error(pool, -1, "%s: unexpected EOF", rpm);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -2042,6 +2055,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (getu32(lead) != 0x8eade801)
+ {
+ pool_error(pool, -1, "%s: bad header", rpm);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -2050,6 +2064,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ if (sigcnt >= MAX_HDR_CNT || sigdsize >= MAX_HDR_DSIZE)
+ {
+ pool_error(pool, -1, "%s: bad header", rpm);
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+@@ -2057,6 +2072,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+
+ if (!headfromfp(&state, rpm, fp, lead, sigcnt, sigdsize, 0, chksumh, 0))
+ {
++ solv_chksum_free(chksumh, NULL);
+ fclose(fp);
+ return 0;
+ }
+diff --git a/ext/testcase.c b/ext/testcase.c
+index aa72a8d7..3901d90d 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -2348,6 +2348,7 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha
+ if (fclose(fp))
+ {
+ pool_error(solv->pool, 0, "testcase_write: write error");
++ solv_free(result);
+ strqueue_free(&sq);
+ return 0;
+ }
+@@ -2360,12 +2361,14 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha
+ if (!(fp = fopen(out, "w")))
+ {
+ pool_error(solv->pool, 0, "testcase_write: could not open '%s' for writing", out);
++ solv_free(cmd);
+ strqueue_free(&sq);
+ return 0;
+ }
+ if (*cmd && fwrite(cmd, strlen(cmd), 1, fp) != 1)
+ {
+ pool_error(solv->pool, 0, "testcase_write: write error");
++ solv_free(cmd);
+ strqueue_free(&sq);
+ fclose(fp);
+ return 0;
+@@ -2373,6 +2376,7 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha
+ if (fclose(fp))
+ {
+ pool_error(solv->pool, 0, "testcase_write: write error");
++ solv_free(cmd);
+ strqueue_free(&sq);
+ return 0;
+ }
+diff --git a/tools/repo2solv.c b/tools/repo2solv.c
+index e055e408..30a41f42 100644
+--- a/tools/repo2solv.c
++++ b/tools/repo2solv.c
+@@ -208,6 +208,7 @@ read_plaindir_repo(Repo *repo, const char *dir)
+ repodata_set_location(data, p, 0, 0, bp[0] == '.' && bp[1] == '/' ? bp + 2 : bp);
+ solv_free(rpm);
+ }
++ solv_free(buf);
+ fclose(fp);
+ while (waitpid(pid, &wstatus, 0) == -1)
+ {
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0006-Fix-testsolv-segfault.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0006-Fix-testsolv-segfault.patch
new file mode 100644
index 00000000..559aefb1
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0006-Fix-testsolv-segfault.patch
@@ -0,0 +1,41 @@
+From 823bf65087a017d2f488f01e09ee284fa36f7446 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 10:22:09 +0100
+Subject: [PATCH] Fix: testsolv segfault
+Reply-To: muislam@microsoft.com
+
+ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fab0e11bf2b bp 0x7ffdfc044b70 sp 0x7ffdfc044a90 T0)
+0 0x7fab0e11bf2a in testcase_str2dep_complex /home/company/real_sanitize/libsolv-master/ext/testcase.c:577
+1 0x7fab0e11c80f in testcase_str2dep /home/company/real_sanitize/libsolv-master/ext/testcase.c:656
+2 0x7fab0e12e64a in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2952
+3 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148
+4 0x7fab0d9d2a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
+5 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ ext/testcase.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ext/testcase.c b/ext/testcase.c
+index 3901d90d..dd20de14 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -571,6 +571,8 @@ testcase_str2dep_complex(Pool *pool, const char **sp, int relop)
+ Id flags, id, id2, namespaceid = 0;
+ struct oplist *op;
+
++ if (!s)
++ return 0;
+ while (*s == ' ' || *s == '\t')
+ s++;
+ if (!strncmp(s, "namespace:", 10))
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0007-Fix-testsolv-segfaults.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0007-Fix-testsolv-segfaults.patch
new file mode 100644
index 00000000..5c13ce5e
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0007-Fix-testsolv-segfaults.patch
@@ -0,0 +1,47 @@
+From 43928ee565b9c4f69daa1875da66f92b2d5bf932 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 10:27:15 +0100
+Subject: [PATCH] Fix: testsolv segfaults
+Reply-To: muislam@microsoft.com
+
+ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002f0 (pc 0x7f31501d3bd2 bp 0x7ffcfe4d4a50 sp 0x7ffcfe4d4a30 T0)
+0 0x7f31501d3bd1 in pool_whatprovides /home/company/real_sanitize/libsolv-master/src/pool.h:331
+1 0x7f31501d895e in testcase_str2solvid /home/company/real_sanitize/libsolv-master/ext/testcase.c:793
+2 0x7f31501e8388 in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2807
+3 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148
+4 0x7f314fa8da3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
+5 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)
+
+ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5af9e7815f bp 0x7ffc4c843a40 sp 0x7ffc4c8436c0 T0)
+0 0x7f5af9e7815e in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2799
+1 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148
+2 0x7f5af971da3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
+3 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ ext/testcase.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/testcase.c b/ext/testcase.c
+index dd20de14..83467fe2 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -2772,7 +2772,7 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ {
+ int i = strlen(pieces[1]);
+ s = strchr(pieces[1], '(');
+- if (!s && pieces[1][i - 1] != ')')
++ if (!s || pieces[1][i - 1] != ')')
+ {
+ pool_error(pool, 0, "testcase_read: bad namespace '%s'", pieces[1]);
+ }
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0008-Fix-Be-sure-that-NONBLOCK-is-set.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0008-Fix-Be-sure-that-NONBLOCK-is-set.patch
new file mode 100644
index 00000000..fdea9dbd
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0008-Fix-Be-sure-that-NONBLOCK-is-set.patch
@@ -0,0 +1,37 @@
+From ebb51f73491987435664ac14b79bebe16ffbdd5c Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 12:40:42 +0100
+Subject: [PATCH] Fix: Be sure that NONBLOCK is set
+Reply-To: muislam@microsoft.com
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ examples/solv/fastestmirror.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/examples/solv/fastestmirror.c b/examples/solv/fastestmirror.c
+index d2ebd97a..0ee4e73b 100644
+--- a/examples/solv/fastestmirror.c
++++ b/examples/solv/fastestmirror.c
+@@ -68,7 +68,11 @@ findfastest(char **urls, int nurls)
+ socks[i] = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
+ if (socks[i] >= 0)
+ {
+- fcntl(socks[i], F_SETFL, O_NONBLOCK);
++ if (fcntl(socks[i], F_SETFL, O_NONBLOCK) == -1)
++ {
++ close(socks[i]);
++ socks[i] = -1;
++ }
+ if (connect(socks[i], result->ai_addr, result->ai_addrlen) == -1)
+ {
+ if (errno != EINPROGRESS)
+--
+2.23.0
+
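Review bot: When `fcntl()` fails, the new block closes the socket and sets `socks[i] = -1`, but control then falls through to `connect(socks[i], ...)` on the next line, which is now called with -1. Turning that statement into `else if (connect(socks[i], result->ai_addr, result->ai_addrlen) == -1)` avoids the call on the closed descriptor. The error branch of the connect continues outside the hunk, so it cannot be seen here whether it closes `socks[i]` a second time.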
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv/0009-Don-t-set-values-that-are-never-read.patch b/external/poky/meta/recipes-extended/libsolv/libsolv/0009-Don-t-set-values-that-are-never-read.patch
new file mode 100644
index 00000000..8b4a993d
--- /dev/null
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv/0009-Don-t-set-values-that-are-never-read.patch
@@ -0,0 +1,113 @@
+From edf87c92cf59c2eed9c1e33c51a47163da15d90b Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 12:58:34 +0100
+Subject: [PATCH] Don't set values that are never read
+Reply-To: muislam@microsoft.com
+
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+
+Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ ext/pool_fileconflicts.c | 1 -
+ ext/repo_appdata.c | 2 +-
+ ext/repo_comps.c | 2 +-
+ src/cleandeps.c | 1 -
+ src/dirpool.c | 2 +-
+ src/order.c | 1 -
+ src/repopage.c | 1 -
+ 7 files changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/ext/pool_fileconflicts.c b/ext/pool_fileconflicts.c
+index eaeb52b2..2fd3d540 100644
+--- a/ext/pool_fileconflicts.c
++++ b/ext/pool_fileconflicts.c
+@@ -590,7 +590,6 @@ findfileconflicts_alias_cb(void *cbdatav, const char *fn, struct filelistinfo *i
+
+ if (!info->dirlen)
+ return;
+- dp = fn + info->dirlen;
+ if (info->diridx != cbdata->lastdiridx)
+ {
+ cbdata->lastdiridx = info->diridx;
+diff --git a/ext/repo_appdata.c b/ext/repo_appdata.c
+index 62faf2d8..69d46386 100644
+--- a/ext/repo_appdata.c
++++ b/ext/repo_appdata.c
+@@ -103,7 +103,7 @@ startElement(struct solv_xmlparser *xmlp, int state, const char *name, const cha
+ {
+ struct parsedata *pd = xmlp->userdata;
+ Pool *pool = pd->pool;
+- Solvable *s = pd->solvable;
++ Solvable *s;
+ const char *type;
+
+ /* ignore all language tags */
+diff --git a/ext/repo_comps.c b/ext/repo_comps.c
+index 255ecb16..e59f8d12 100644
+--- a/ext/repo_comps.c
++++ b/ext/repo_comps.c
+@@ -107,7 +107,7 @@ startElement(struct solv_xmlparser *xmlp, int state, const char *name, const cha
+ {
+ struct parsedata *pd = xmlp->userdata;
+ Pool *pool = pd->pool;
+- Solvable *s = pd->solvable;
++ Solvable *s;
+
+ switch(state)
+ {
+diff --git a/src/cleandeps.c b/src/cleandeps.c
+index 1da28f6e..b2fde317 100644
+--- a/src/cleandeps.c
++++ b/src/cleandeps.c
+@@ -748,7 +748,6 @@ solver_createcleandepsmap(Solver *solv, Map *cleandepsmap, int unneeded)
+ continue;
+ if (strncmp(pool_id2str(pool, s->name), "pattern:", 8) != 0)
+ continue;
+- dp = s->repo->idarraydata + s->requires;
+ for (dp = s->repo->idarraydata + s->requires; *dp; dp++)
+ FOR_PROVIDES(p, pp, *dp)
+ if (pool->solvables[p].repo == installed)
+diff --git a/src/dirpool.c b/src/dirpool.c
+index afb26ea5..bed9435e 100644
+--- a/src/dirpool.c
++++ b/src/dirpool.c
+@@ -85,7 +85,7 @@ dirpool_make_dirtraverse(Dirpool *dp)
+ return;
+ dp->dirs = solv_extend_resize(dp->dirs, dp->ndirs, sizeof(Id), DIR_BLOCK);
+ dirtraverse = solv_calloc_block(dp->ndirs, sizeof(Id), DIR_BLOCK);
+- for (parent = 0, i = 0; i < dp->ndirs; i++)
++ for (i = 0; i < dp->ndirs; i++)
+ {
+ if (dp->dirs[i] > 0)
+ continue;
+diff --git a/src/order.c b/src/order.c
+index c92c3328..cfde40c9 100644
+--- a/src/order.c
++++ b/src/order.c
+@@ -1066,7 +1066,6 @@ transaction_order(Transaction *trans, int flags)
+ #if 0
+ printf("do %s [%d]\n", pool_solvid2str(pool, te->p), temedianr[i]);
+ #endif
+- s = pool->solvables + te->p;
+ for (j = te->edges; od.invedgedata[j]; j++)
+ {
+ struct _TransactionElement *te2 = od.tes + od.invedgedata[j];
+diff --git a/src/repopage.c b/src/repopage.c
+index 2b7a863b..85d53eb9 100644
+--- a/src/repopage.c
++++ b/src/repopage.c
+@@ -399,7 +399,6 @@ match_done:
+ litlen -= 32;
+ }
+ }
+- litofs = 0;
+ }
+ return oo;
+ }
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-extended/libsolv/libsolv_0.6.35.bb b/external/poky/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
index 12dfc5d3..ed6a7cbf 100644
--- a/external/poky/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
+++ b/external/poky/meta/recipes-extended/libsolv/libsolv_0.6.35.bb
@@ -10,6 +10,13 @@ DEPENDS = "expat zlib"
SRC_URI = "git://github.com/openSUSE/libsolv.git"
SRC_URI_append_libc-musl = " file://0001-Add-fallback-fopencookie-implementation.patch \
file://0002-Fixes-to-internal-fopencookie-implementation.patch \
+ file://0003-Fix-Dereference-of-null-pointer.patch \
+ file://0004-Fix-Add-va_end-before-return.patch \
+ file://0005-Fix-Memory-leaks.patch \
+ file://0006-Fix-testsolv-segfault.patch \
+ file://0007-Fix-testsolv-segfaults.patch \
+ file://0008-Fix-Be-sure-that-NONBLOCK-is-set.patch \
+ file://0009-Don-t-set-values-that-are-never-read.patch \
"
SRCREV = "38c5374d4712667b0b6ada4bf78ddbb343095d0c"
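Review bot: The seven new `file://` entries are added inside the `SRC_URI_append_libc-musl` string, so as written the backports, including 0008 and 0009 which are tagged CVE-2018-20532/20533/20534, are only applied when the build uses musl. Builds against other C libraries would keep libsolv 0.6.35 unpatched. If the fixes are meant for every configuration, they belong in an unconditional assignment after the musl block, for example `SRC_URI += "file://0003-Fix-Dereference-of-null-pointer.patch ..."`. It is also worth confirming how CVE scanning reports these IDs for non-musl builds, since the `CVE:` tags sit in patches that are not in SRC_URI there.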
diff --git a/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch b/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
new file mode 100644
index 00000000..f954fac8
--- /dev/null
+++ b/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
@@ -0,0 +1,170 @@
+Treat an ID of -1 as invalid since that means "no change".
+Fixes CVE-2019-14287.
+Found by Joe Vennix from Apple Information Security.
+
+CVE: CVE-2019-14287
+Upstream-Status: Backport
+[https://www.sudo.ws/repos/sudo/rev/83db8dba09e7]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+
+Index: sudo-1.8.21p2/lib/util/strtoid.c
+===================================================================
+--- sudo-1.8.21p2.orig/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400
++++ sudo-1.8.21p2/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400
+@@ -42,6 +42,27 @@
+ #include "sudo_util.h"
+
+ /*
++ * Make sure that the ID ends with a valid separator char.
++ */
++static bool
++valid_separator(const char *p, const char *ep, const char *sep)
++{
++ bool valid = false;
++ debug_decl(valid_separator, SUDO_DEBUG_UTIL)
++
++ if (ep != p) {
++ /* check for valid separator (including '\0') */
++ if (sep == NULL)
++ sep = "";
++ do {
++ if (*ep == *sep)
++ valid = true;
++ } while (*sep++ != '\0');
++ }
++ debug_return_bool(valid);
++}
++
++/*
+ * Parse a uid/gid in string form.
+ * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
+ * If endp is non-NULL it is set to the next char after the ID.
+@@ -55,36 +76,33 @@ sudo_strtoid_v1(const char *p, const cha
+ char *ep;
+ id_t ret = 0;
+ long long llval;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
++ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
+ errno = 0;
+ llval = strtoll(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
++ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
++ errno = ERANGE;
++ if (errstr != NULL)
++ *errstr = N_("value too large");
++ goto done;
+ }
+- if (!valid) {
++ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
++ errno = ERANGE;
+ if (errstr != NULL)
+- *errstr = N_("invalid value");
+- errno = EINVAL;
++ *errstr = N_("value too small");
+ goto done;
+ }
+- if (errno == ERANGE) {
+- if (errstr != NULL) {
+- if (llval == LLONG_MAX)
+- *errstr = N_("value too large");
+- else
+- *errstr = N_("value too small");
+- }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
++ if (errstr != NULL)
++ *errstr = N_("invalid value");
++ errno = EINVAL;
+ goto done;
+ }
+ ret = (id_t)llval;
+@@ -101,30 +119,15 @@ sudo_strtoid_v1(const char *p, const cha
+ {
+ char *ep;
+ id_t ret = 0;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
+ errno = 0;
+ if (*p == '-') {
+ long lval = strtol(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
+- if (errstr != NULL)
+- *errstr = N_("invalid value");
+- errno = EINVAL;
+- goto done;
+- }
+ if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+@@ -137,28 +140,31 @@ sudo_strtoid_v1(const char *p, const cha
+ *errstr = N_("value too small");
+ goto done;
+ }
+- ret = (id_t)lval;
+- } else {
+- unsigned long ulval = strtoul(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || lval == -1) {
+ if (errstr != NULL)
+ *errstr = N_("invalid value");
+ errno = EINVAL;
+ goto done;
+ }
++ ret = (id_t)lval;
++ } else {
++ unsigned long ulval = strtoul(p, &ep, 10);
+ if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+ *errstr = N_("value too large");
+ goto done;
+ }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
++ if (errstr != NULL)
++ *errstr = N_("invalid value");
++ errno = EINVAL;
++ goto done;
++ }
+ ret = (id_t)ulval;
+ }
+ if (errstr != NULL)
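Review bot: The header comment above sudo_strtoid_v1 still describes only `sep` and `endp`, while the new code makes "-1" and its unsigned form UINT_MAX fail with EINVAL, which a caller cannot learn from the comment. I would add a line such as ` * An ID of -1 (or UINT_MAX) is rejected with EINVAL since it means "no change".` The range checks now also run before the separator check, so an out-of-range number followed by an invalid character reports ERANGE where the old code reported EINVAL; a short comment on that ordering would help the next reader. Both variants of the function extend beyond the hunks shown.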
diff --git a/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch b/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch
new file mode 100644
index 00000000..dcb2703d
--- /dev/null
+++ b/external/poky/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch
@@ -0,0 +1,98 @@
+CVE: CVE-2019-14287
+Upstream-Status: Backport
+[https://www.sudo.ws/repos/sudo/rev/db06a8336c09]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+
+Index: sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c
+===================================================================
+--- sudo-1.8.21p2.orig/lib/util/regress/atofoo/atofoo_test.c 2019-10-11 07:11:49.874655384 -0400
++++ sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c 2019-10-11 07:13:07.471005893 -0400
+@@ -24,6 +24,7 @@
+ #else
+ # include "compat/stdbool.h"
+ #endif
++#include <errno.h>
+
+ #include "sudo_compat.h"
+ #include "sudo_util.h"
+@@ -78,15 +79,20 @@ static struct strtoid_data {
+ id_t id;
+ const char *sep;
+ const char *ep;
++ int errnum;
+ } strtoid_data[] = {
+- { "0,1", 0, ",", "," },
+- { "10", 10, NULL, NULL },
+- { "-2", -2, NULL, NULL },
++ { "0,1", 0, ",", ",", 0 },
++ { "10", 10, NULL, NULL, 0 },
++ { "-1", 0, NULL, NULL, EINVAL },
++ { "4294967295", 0, NULL, NULL, EINVAL },
++ { "4294967296", 0, NULL, NULL, ERANGE },
++ { "-2147483649", 0, NULL, NULL, ERANGE },
++ { "-2", -2, NULL, NULL, 0 },
+ #if SIZEOF_ID_T != SIZEOF_LONG_LONG
+- { "-2", 4294967294U, NULL, NULL },
++ { "-2", (id_t)4294967294U, NULL, NULL, 0 },
+ #endif
+- { "4294967294", 4294967294U, NULL, NULL },
+- { NULL, 0, NULL, NULL }
++ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 },
++ { NULL, 0, NULL, NULL, 0 }
+ };
+
+ static int
+@@ -102,11 +108,23 @@ test_strtoid(int *ntests)
+ (*ntests)++;
+ errstr = "some error";
+ value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr);
+- if (errstr != NULL) {
+- if (d->id != (id_t)-1) {
+- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++ if (d->errnum != 0) {
++ if (errstr == NULL) {
++ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d",
++ d->idstr, d->errnum);
++ errors++;
++ } else if (value != 0) {
++ sudo_warnx_nodebug("FAIL: %s should return 0 on error",
++ d->idstr);
++ errors++;
++ } else if (errno != d->errnum) {
++ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d",
++ d->idstr, errno, d->errnum);
+ errors++;
+ }
++ } else if (errstr != NULL) {
++ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++ errors++;
+ } else if (value != d->id) {
+ sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id);
+ errors++;
+Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok
+===================================================================
+--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-11 07:11:49.874655384 -0400
++++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-11 07:11:49.870655365 -0400
+@@ -4,7 +4,7 @@ Parse error in sudoers near line 1.
+ Entries for user root:
+
+ Command unmatched
+-testsudoers: test5.inc should be owned by gid 4294967295
++testsudoers: test5.inc should be owned by gid 4294967294
+ Parse error in sudoers near line 1.
+
+ Entries for user root:
+Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh
+===================================================================
+--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.sh 2019-10-11 07:11:49.874655384 -0400
++++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh 2019-10-11 07:11:49.870655365 -0400
+@@ -24,7 +24,7 @@ EOF
+
+ # Test group writable
+ chmod 664 $TESTFILE
+-./testsudoers -U $MYUID -G -1 root id <<EOF
++./testsudoers -U $MYUID -G -2 root id <<EOF
+ #include $TESTFILE
+ EOF
+
diff --git a/external/poky/meta/recipes-extended/sudo/sudo_1.8.23.bb b/external/poky/meta/recipes-extended/sudo/sudo_1.8.23.bb
index ce32bd18..d12cf2d5 100644
--- a/external/poky/meta/recipes-extended/sudo/sudo_1.8.23.bb
+++ b/external/poky/meta/recipes-extended/sudo/sudo_1.8.23.bb
@@ -3,6 +3,8 @@ require sudo.inc
SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://0001-Include-sys-types.h-for-id_t-definition.patch \
+ file://CVE-2019-14287_p1.patch \
+ file://CVE-2019-14287_p2.patch \
"
PAM_SRC_URI = "file://sudo.pam"
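Review bot: Both added patches carry `Index: sudo-1.8.21p2/...` headers, so they appear to have been generated against sudo 1.8.21p2, while this recipe builds 1.8.23. They should be verified to apply to the 1.8.23 sources without fuzz, in particular the large rewrite hunks in `lib/util/strtoid.c`. Ideally they would be refreshed against the recipe's version, so that the context lines match and a silent mis-application of a security fix is ruled out.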
diff --git a/external/poky/meta/recipes-extended/tar/tar/CVE-2018-20482.patch b/external/poky/meta/recipes-extended/tar/tar/CVE-2018-20482.patch
new file mode 100644
index 00000000..2a131484
--- /dev/null
+++ b/external/poky/meta/recipes-extended/tar/tar/CVE-2018-20482.patch
@@ -0,0 +1,405 @@
+From 331be56598b284d41370c67046df25673b040a55 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Thu, 27 Dec 2018 17:48:57 +0200
+Subject: [PATCH] Fix CVE-2018-20482
+
+* NEWS: Update.
+* src/sparse.c (sparse_dump_region): Handle short read condition.
+(sparse_extract_region,check_data_region): Fix dumped_size calculation.
+Handle short read condition.
+(pax_decode_header): Fix dumped_size calculation.
+* tests/Makefile.am: Add new testcases.
+* tests/testsuite.at: Likewise.
+
+* tests/sptrcreat.at: New file.
+* tests/sptrdiff00.at: New file.
+* tests/sptrdiff01.at: New file.
+
+CVE: CVE-2018-20482
+Upstream-Status: Backport
+[http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ src/sparse.c | 50 +++++++++++++++++++++++++++++++-----
+ tests/Makefile.am | 5 +++-
+ tests/sptrcreat.at | 62 +++++++++++++++++++++++++++++++++++++++++++++
+ tests/sptrdiff00.at | 55 ++++++++++++++++++++++++++++++++++++++++
+ tests/sptrdiff01.at | 55 ++++++++++++++++++++++++++++++++++++++++
+ tests/testsuite.at | 5 +++-
+ 6 files changed, 224 insertions(+), 8 deletions(-)
+ create mode 100644 tests/sptrcreat.at
+ create mode 100644 tests/sptrdiff00.at
+ create mode 100644 tests/sptrdiff01.at
+
+diff --git a/src/sparse.c b/src/sparse.c
+index 0830f62..e8e8259 100644
+--- a/src/sparse.c
++++ b/src/sparse.c
+@@ -1,6 +1,6 @@
+ /* Functions for dealing with sparse files
+
+- Copyright 2003-2007, 2010, 2013-2017 Free Software Foundation, Inc.
++ Copyright 2003-2007, 2010, 2013-2018 Free Software Foundation, Inc.
+
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+@@ -427,6 +427,30 @@ sparse_dump_region (struct tar_sparse_file *file, size_t i)
+ bufsize);
+ return false;
+ }
++ else if (bytes_read == 0)
++ {
++ char buf[UINTMAX_STRSIZE_BOUND];
++ struct stat st;
++ size_t n;
++ if (fstat (file->fd, &st) == 0)
++ n = file->stat_info->stat.st_size - st.st_size;
++ else
++ n = file->stat_info->stat.st_size
++ - (file->stat_info->sparse_map[i].offset
++ + file->stat_info->sparse_map[i].numbytes
++ - bytes_left);
++
++ WARNOPT (WARN_FILE_SHRANK,
++ (0, 0,
++ ngettext ("%s: File shrank by %s byte; padding with zeros",
++ "%s: File shrank by %s bytes; padding with zeros",
++ n),
++ quotearg_colon (file->stat_info->orig_file_name),
++ STRINGIFY_BIGINT (n, buf)));
++ if (! ignore_failed_read_option)
++ set_exit_status (TAREXIT_DIFFERS);
++ return false;
++ }
+
+ memset (blk->buffer + bytes_read, 0, BLOCKSIZE - bytes_read);
+ bytes_left -= bytes_read;
+@@ -464,9 +488,9 @@ sparse_extract_region (struct tar_sparse_file *file, size_t i)
+ return false;
+ }
+ set_next_block_after (blk);
++ file->dumped_size += BLOCKSIZE;
+ count = blocking_write (file->fd, blk->buffer, wrbytes);
+ write_size -= count;
+- file->dumped_size += count;
+ mv_size_left (file->stat_info->archive_file_size - file->dumped_size);
+ file->offset += count;
+ if (count != wrbytes)
+@@ -598,6 +622,12 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end)
+ rdsize);
+ return false;
+ }
++ else if (bytes_read == 0)
++ {
++ report_difference (file->stat_info, _("Size differs"));
++ return false;
++ }
++
+ if (!zero_block_p (diff_buffer, bytes_read))
+ {
+ char begbuf[INT_BUFSIZE_BOUND (off_t)];
+@@ -609,6 +639,7 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end)
+
+ beg += bytes_read;
+ }
++
+ return true;
+ }
+
+@@ -635,6 +666,7 @@ check_data_region (struct tar_sparse_file *file, size_t i)
+ return false;
+ }
+ set_next_block_after (blk);
++ file->dumped_size += BLOCKSIZE;
+ bytes_read = safe_read (file->fd, diff_buffer, rdsize);
+ if (bytes_read == SAFE_READ_ERROR)
+ {
+@@ -645,7 +677,11 @@ check_data_region (struct tar_sparse_file *file, size_t i)
+ rdsize);
+ return false;
+ }
+- file->dumped_size += bytes_read;
++ else if (bytes_read == 0)
++ {
++ report_difference (&current_stat_info, _("Size differs"));
++ return false;
++ }
+ size_left -= bytes_read;
+ mv_size_left (file->stat_info->archive_file_size - file->dumped_size);
+ if (memcmp (blk->buffer, diff_buffer, rdsize))
+@@ -1213,7 +1249,8 @@ pax_decode_header (struct tar_sparse_file *file)
+ union block *blk;
+ char *p;
+ size_t i;
+-
++ off_t start;
++
+ #define COPY_BUF(b,buf,src) do \
+ { \
+ char *endp = b->buffer + BLOCKSIZE; \
+@@ -1229,7 +1266,6 @@ pax_decode_header (struct tar_sparse_file *file)
+ if (src == endp) \
+ { \
+ set_next_block_after (b); \
+- file->dumped_size += BLOCKSIZE; \
+ b = find_next_block (); \
+ if (!b) \
+ FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); \
+@@ -1242,8 +1278,8 @@ pax_decode_header (struct tar_sparse_file *file)
+ dst[-1] = 0; \
+ } while (0)
+
++ start = current_block_ordinal ();
+ set_next_block_after (current_header);
+- file->dumped_size += BLOCKSIZE;
+ blk = find_next_block ();
+ if (!blk)
+ FATAL_ERROR ((0, 0, _("Unexpected EOF in archive")));
+@@ -1282,6 +1318,8 @@ pax_decode_header (struct tar_sparse_file *file)
+ sparse_add_map (file->stat_info, &sp);
+ }
+ set_next_block_after (blk);
++
++ file->dumped_size += BLOCKSIZE * (current_block_ordinal () - start);
+ }
+
+ return true;
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 2d7939d..ac3b6e7 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -1,6 +1,6 @@
+ # Makefile for GNU tar regression tests.
+
+-# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2015 Free Software
++# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2018 Free Software
+
+ # This file is part of GNU tar.
+
+@@ -228,6 +228,9 @@ TESTSUITE_AT = \
+ spmvp00.at\
+ spmvp01.at\
+ spmvp10.at\
++ sptrcreat.at\
++ sptrdiff00.at\
++ sptrdiff01.at\
+ time01.at\
+ time02.at\
+ truncate.at\
+diff --git a/tests/sptrcreat.at b/tests/sptrcreat.at
+new file mode 100644
+index 0000000..8e28f0e
+--- /dev/null
++++ b/tests/sptrcreat.at
+@@ -0,0 +1,62 @@
++# Process this file with autom4te to create testsuite. -*- Autotest -*-
++
++# Test suite for GNU tar.
++# Copyright 2018 Free Software Foundation, Inc.
++
++# This file is part of GNU tar.
++
++# GNU tar is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++
++# GNU tar is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++# Tar up to 1.30 would loop endlessly if a sparse file had been truncated
++# while being archived (with --sparse flag).
++#
++# The bug has been assigned id CVE-2018-20482 (on the grounds that it is a
++# denial of service possibility).
++#
++# Reported by: Chris Siebenmann <cks.gnutar-01@cs.toronto.edu>
++# References: <20181226223948.781EB32008E@apps1.cs.toronto.edu>,
++# <http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html>
++# <https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug>
++# <https://nvd.nist.gov/vuln/detail/CVE-2018-20482>
++
++AT_SETUP([sparse file truncated while archiving])
++AT_KEYWORDS([truncate filechange sparse sptr sptrcreat])
++
++AT_TAR_CHECK([
++genfile --sparse --block-size=1024 --file foo \
++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ
++genfile --file baz
++genfile --run --checkpoint 3 --length 200m --truncate foo -- \
++ tar --checkpoint=1 \
++ --checkpoint-action=echo \
++ --checkpoint-action=sleep=1 \
++ --sparse -vcf bar foo baz
++echo Exit status: $?
++echo separator
++genfile --file foo --seek 200m --length 11575296 --pattern=zeros
++tar dvf bar],
++[1],
++[foo
++baz
++Exit status: 1
++separator
++foo
++foo: Mod time differs
++baz
++],
++[tar: foo: File shrank by 11575296 bytes; padding with zeros
++],
++[],[],[posix, gnu, oldgnu])
++
++AT_CLEANUP
+diff --git a/tests/sptrdiff00.at b/tests/sptrdiff00.at
+new file mode 100644
+index 0000000..c410561
+--- /dev/null
++++ b/tests/sptrdiff00.at
+@@ -0,0 +1,55 @@
++# Process this file with autom4te to create testsuite. -*- Autotest -*-
++#
++# Test suite for GNU tar.
++# Copyright 2018 Free Software Foundation, Inc.
++#
++# This file is part of GNU tar.
++#
++# GNU tar is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++#
++# GNU tar is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered
++# that similar bug exists in file checking code (tar d).
++# This test case checks if tar correctly handles a short read condition
++# appearing in check_sparse_region.
++
++AT_SETUP([file truncated in sparse region while comparing])
++AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff])
++
++# This triggers short read in check_sparse_region.
++AT_TAR_CHECK([
++genfile --sparse --block-size=1024 --file foo \
++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ
++genfile --file baz
++echo creating
++tar --sparse -vcf bar foo baz
++echo comparing
++genfile --run --checkpoint 3 --length 200m --truncate foo -- \
++ tar --checkpoint=1 \
++ --checkpoint-action=echo='Write checkpoint %u' \
++ --checkpoint-action=sleep=1 \
++ --sparse -vdf bar
++],
++[1],
++[creating
++foo
++baz
++comparing
++foo
++foo: Size differs
++baz
++],
++[],
++[],[],[posix, gnu, oldgnu])
++
++AT_CLEANUP
+diff --git a/tests/sptrdiff01.at b/tests/sptrdiff01.at
+new file mode 100644
+index 0000000..2da2267
+--- /dev/null
++++ b/tests/sptrdiff01.at
+@@ -0,0 +1,55 @@
++# Process this file with autom4te to create testsuite. -*- Autotest -*-
++#
++# Test suite for GNU tar.
++# Copyright 2018 Free Software Foundation, Inc.
++#
++# This file is part of GNU tar.
++#
++# GNU tar is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++#
++# GNU tar is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered
++# that similar bug exists in file checking code (tar d).
++# This test case checks if tar correctly handles a short read condition
++# appearing in check_data_region.
++
++AT_SETUP([file truncated in data region while comparing])
++AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff])
++
++# This triggers short read in check_data_region.
++AT_TAR_CHECK([
++genfile --sparse --block-size=1024 --file foo \
++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ
++genfile --file baz
++echo creating
++tar --sparse -vcf bar foo baz
++echo comparing
++genfile --run --checkpoint 5 --length 221278210 --truncate foo -- \
++ tar --checkpoint=1 \
++ --checkpoint-action=echo='Write checkpoint %u' \
++ --checkpoint-action=sleep=1 \
++ --sparse -vdf bar
++],
++[1],
++[creating
++foo
++baz
++comparing
++foo
++foo: Size differs
++baz
++],
++[],
++[],[],[posix, gnu, oldgnu])
++
++AT_CLEANUP
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index 2a83757..23386f7 100644
+--- a/tests/testsuite.at
++++ b/tests/testsuite.at
+@@ -1,7 +1,7 @@
+ # Process this file with autom4te to create testsuite. -*- Autotest -*-
+
+ # Test suite for GNU tar.
+-# Copyright 2004-2008, 2010-2017 Free Software Foundation, Inc.
++# Copyright 2004-2008, 2010-2018 Free Software Foundation, Inc.
+
+ # This file is part of GNU tar.
+
+@@ -405,6 +405,9 @@ m4_include([sparsemv.at])
+ m4_include([spmvp00.at])
+ m4_include([spmvp01.at])
+ m4_include([spmvp10.at])
++m4_include([sptrcreat.at])
++m4_include([sptrdiff00.at])
++m4_include([sptrdiff01.at])
+
+ AT_BANNER([Updates])
+ m4_include([update.at])
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
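Review bot: In the new `bytes_read == 0` branch of sparse_dump_region the shrink amount is held in `size_t n` but computed from `st_size` values, so on targets where off_t is wider than size_t the reported byte count can be truncated, and it wraps if fstat() returns a size larger than the recorded one. Declaring it `uintmax_t n;` would fit the `UINTMAX_STRSIZE_BOUND` buffer it is formatted into. Separately, the new short-read branch in check_data_region reports through `&current_stat_info` while the one in check_sparse_region uses `file->stat_info`; using `file->stat_info` in both would be consistent. As this is a backport, such changes are probably best raised upstream as well. The affected functions start and end outside the hunks shown.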
diff --git a/external/poky/meta/recipes-extended/tar/tar_1.30.bb b/external/poky/meta/recipes-extended/tar/tar_1.30.bb
index ab1b33b3..7cf05224 100644
--- a/external/poky/meta/recipes-extended/tar/tar_1.30.bb
+++ b/external/poky/meta/recipes-extended/tar/tar_1.30.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
file://remove-gets.patch \
file://musl_dirent.patch \
file://CVE-2019-9923.patch \
+ file://CVE-2018-20482.patch \
"
SRC_URI[md5sum] = "8404e4c1fc5a3000228ab2b8ad674a65"
diff --git a/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch
new file mode 100644
index 00000000..d485a1bd
--- /dev/null
+++ b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch
@@ -0,0 +1,33 @@
+From 080d52c3c9416c731f637f9c6e003961ef43f079 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Mon, 27 May 2019 08:20:32 -0700
+Subject: [PATCH 1/3] Fix bug in undefer_input() that misplaced the input
+ state.
+
+CVE: CVE-2019-13232
+Upstream-Status: Backport
+[https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ fileio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fileio.c b/fileio.c
+index 7605a29..14460f3 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -532,8 +532,10 @@ void undefer_input(__G)
+ * This condition was checked when G.incnt_leftover was set > 0 in
+ * defer_leftover_input(), and it is NOT allowed to touch G.csize
+ * before calling undefer_input() when (G.incnt_leftover > 0)
+- * (single exception: see read_byte()'s "G.csize <= 0" handling) !!
++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !!
+ */
++ if (G.csize < 0L)
++ G.csize = 0L;
+ G.incnt = G.incnt_leftover + (int)G.csize;
+ G.inptr = G.inptr_leftover - (int)G.csize;
+ G.incnt_leftover = 0;
+--
+2.22.0.vfs.1.1.57.gbaf16c8
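Review bot: The added clamp `if (G.csize < 0L) G.csize = 0L;` carries no comment saying why G.csize can be negative at this point; the surrounding comment only hints at it through the readbyte() exception. Without the clamp the two following assignments would reduce G.incnt and move G.inptr past G.inptr_leftover, so a line such as `/* G.csize may be negative here (see readbyte()); clamp so incnt/inptr are not skewed */` would record the reason. The `(int)G.csize` casts are unchanged and rely on the bound the comment says defer_leftover_input() checked, which is not visible here. undefer_input's body starts and ends outside the hunk.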
diff --git a/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch
new file mode 100644
index 00000000..41037a8e
--- /dev/null
+++ b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch
@@ -0,0 +1,356 @@
+From 1aae47fa8935654a84403768f32c03ecbb1be470 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Tue, 11 Jun 2019 22:01:18 -0700
+Subject: [PATCH 2/3] Detect and reject a zip bomb using overlapped entries.
+
+This detects an invalid zip file that has at least one entry that
+overlaps with another entry or with the central directory to the
+end of the file. A Fifield zip bomb uses overlapped local entries
+to vastly increase the potential inflation ratio. Such an invalid
+zip file is rejected.
+
+See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
+analysis, construction, and examples of such zip bombs.
+
+The detection maintains a list of covered spans of the zip files
+so far, where the central directory to the end of the file and any
+bytes preceding the first entry at zip file offset zero are
+considered covered initially. Then as each entry is decompressed
+or tested, it is considered covered. When a new entry is about to
+be processed, its initial offset is checked to see if it is
+contained by a covered span. If so, the zip file is rejected as
+invalid.
+
+This commit depends on a preceding commit: "Fix bug in
+undefer_input() that misplaced the input state."
+
+CVE: CVE-2019-13232
+Upstream-Status: Backport
+[https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ extract.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ globals.c | 1 +
+ globals.h | 3 +
+ process.c | 10 +++
+ unzip.h | 1 +
+ 5 files changed, 204 insertions(+), 1 deletion(-)
+
+diff --git a/extract.c b/extract.c
+index 24db2a8..2bb72ba 100644
+--- a/extract.c
++++ b/extract.c
+@@ -321,6 +321,125 @@ static ZCONST char Far UnsupportedExtraField[] =
+ "\nerror: unsupported extra-field compression type (%u)--skipping\n";
+ static ZCONST char Far BadExtraFieldCRC[] =
+ "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
++static ZCONST char Far NotEnoughMemCover[] =
++ "error: not enough memory for bomb detection\n";
++static ZCONST char Far OverlappedComponents[] =
++ "error: invalid zip file with overlapped components (possible zip bomb)\n";
++
++
++
++
++
++/* A growable list of spans. */
++typedef zoff_t bound_t;
++typedef struct {
++ bound_t beg; /* start of the span */
++ bound_t end; /* one past the end of the span */
++} span_t;
++typedef struct {
++ span_t *span; /* allocated, distinct, and sorted list of spans */
++ size_t num; /* number of spans in the list */
++ size_t max; /* allocated number of spans (num <= max) */
++} cover_t;
++
++/*
++ * Return the index of the first span in cover whose beg is greater than val.
++ * If there is no such span, then cover->num is returned.
++ */
++static size_t cover_find(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t lo = 0, hi = cover->num;
++ while (lo < hi) {
++ size_t mid = (lo + hi) >> 1;
++ if (val < cover->span[mid].beg)
++ hi = mid;
++ else
++ lo = mid + 1;
++ }
++ return hi;
++}
++
++/* Return true if val lies within any one of the spans in cover. */
++static int cover_within(cover, val)
++ cover_t *cover;
++ bound_t val;
++{
++ size_t pos = cover_find(cover, val);
++ return pos > 0 && val < cover->span[pos - 1].end;
++}
++
++/*
++ * Add a new span to the list, but only if the new span does not overlap any
++ * spans already in the list. The new span covers the values beg..end-1. beg
++ * must be less than end.
++ *
++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
++ * the list as needed. On success, 0 is returned. If the new span overlaps any
++ * existing spans, then 1 is returned and the new span is not added to the
++ * list. If the new span is invalid because beg is greater than or equal to
++ * end, then -1 is returned. If the list needs to be grown but the memory
++ * allocation fails, then -2 is returned.
++ */
++static int cover_add(cover, beg, end)
++ cover_t *cover;
++ bound_t beg;
++ bound_t end;
++{
++ size_t pos;
++ int prec, foll;
++
++ if (beg >= end)
++ /* The new span is invalid. */
++ return -1;
++
++ /* Find where the new span should go, and make sure that it does not
++ overlap with any existing spans. */
++ pos = cover_find(cover, beg);
++ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
++ (pos < cover->num && end > cover->span[pos].beg))
++ return 1;
++
++ /* Check for adjacencies. */
++ prec = pos > 0 && beg == cover->span[pos - 1].end;
++ foll = pos < cover->num && end == cover->span[pos].beg;
++ if (prec && foll) {
++ /* The new span connects the preceding and following spans. Merge the
++ following span into the preceding span, and delete the following
++ span. */
++ cover->span[pos - 1].end = cover->span[pos].end;
++ cover->num--;
++ memmove(cover->span + pos, cover->span + pos + 1,
++ (cover->num - pos) * sizeof(span_t));
++ }
++ else if (prec)
++ /* The new span is adjacent only to the preceding span. Extend the end
++ of the preceding span. */
++ cover->span[pos - 1].end = end;
++ else if (foll)
++ /* The new span is adjacent only to the following span. Extend the
++ beginning of the following span. */
++ cover->span[pos].beg = beg;
++ else {
++ /* The new span has gaps between both the preceding and the following
++ spans. Assure that there is room and insert the span. */
++ if (cover->num == cover->max) {
++ size_t max = cover->max == 0 ? 16 : cover->max << 1;
++ span_t *span = realloc(cover->span, max * sizeof(span_t));
++ if (span == NULL)
++ return -2;
++ cover->span = span;
++ cover->max = max;
++ }
++ memmove(cover->span + pos + 1, cover->span + pos,
++ (cover->num - pos) * sizeof(span_t));
++ cover->num++;
++ cover->span[pos].beg = beg;
++ cover->span[pos].end = end;
++ }
++ return 0;
++}
+
+
+
+@@ -376,6 +495,29 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ }
+ #endif /* !SFX || SFX_EXDIR */
+
++ /* One more: initialize cover structure for bomb detection. Start with a
++ span that covers the central directory though the end of the file. */
++ if (G.cover == NULL) {
++ G.cover = malloc(sizeof(cover_t));
++ if (G.cover == NULL) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ ((cover_t *)G.cover)->span = NULL;
++ ((cover_t *)G.cover)->max = 0;
++ }
++ ((cover_t *)G.cover)->num = 0;
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ cover_add((cover_t *)G.cover,
++ G.extra_bytes + G.ecrec.offset_start_central_directory,
++ G.ziplen) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++
+ /*---------------------------------------------------------------------------
+ The basic idea of this function is as follows. Since the central di-
+ rectory lies at the end of the zipfile and the member files lie at the
+@@ -593,7 +735,8 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ if (error > error_in_archive)
+ error_in_archive = error;
+ /* ...and keep going (unless disk full or user break) */
+- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
++ error == PK_BOMB) {
+ /* clear reached_end to signal premature stop ... */
+ reached_end = FALSE;
+ /* ... and cancel scanning the central directory */
+@@ -1062,6 +1205,11 @@ static int extract_or_test_entrylist(__G__ numchunk,
+
+ /* seek_zipf(__G__ pInfo->offset); */
+ request = G.pInfo->offset + G.extra_bytes;
++ if (cover_within((cover_t *)G.cover, request)) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+ inbuf_offset = request % INBUFSIZ;
+ bufstart = request - inbuf_offset;
+
+@@ -1593,6 +1741,18 @@ reprompt:
+ return IZ_CTRLC; /* cancel operation by user request */
+ }
+ #endif
++ error = cover_add((cover_t *)G.cover, request,
++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
++ if (error < 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(NotEnoughMemCover)));
++ return PK_MEM;
++ }
++ if (error != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+ #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */
+ UserStop();
+ #endif
+@@ -1994,6 +2154,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */
+ }
+
+ undefer_input(__G);
++
++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
++ /* skip over data descriptor (harder than it sounds, due to signature
++ * ambiguity)
++ */
++# define SIG 0x08074b50
++# define LOW 0xffffffff
++ uch buf[12];
++ unsigned shy = 12 - readbuf((char *)buf, 12);
++ ulg crc = shy ? 0 : makelong(buf);
++ ulg clen = shy ? 0 : makelong(buf + 4);
++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
++ if (crc == SIG && /* if not SIG, no signature */
++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */
++ (clen == SIG && /* if not SIG, no signature */
++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */
++ (ulen == SIG && /* if not SIG, no signature */
++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
++ /* if not SIG, have signature */
++ )))))
++ /* skip four more bytes to account for signature */
++ shy += 4 - readbuf((char *)buf, 4);
++ if (G.zip64)
++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
++ if (shy)
++ error = PK_ERR;
++ }
++
+ return error;
+
+ } /* end function extract_or_test_member() */
+diff --git a/globals.c b/globals.c
+index fa8cca5..1e0f608 100644
+--- a/globals.c
++++ b/globals.c
+@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor()
+ # if (!defined(NO_TIMESTAMPS))
+ uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */
+ # endif
++ G.cover = NULL; /* not allocated yet */
+ #endif
+
+ uO.lflag=(-1);
+diff --git a/globals.h b/globals.h
+index 11b7215..2bdcdeb 100644
+--- a/globals.h
++++ b/globals.h
+@@ -260,12 +260,15 @@ typedef struct Globals {
+ ecdir_rec ecrec; /* used in unzip.c, extract.c */
+ z_stat statbuf; /* used by main, mapname, check_for_newer */
+
++ int zip64; /* true if Zip64 info in extra field */
++
+ int mem_mode;
+ uch *outbufptr; /* extract.c static */
+ ulg outsize; /* extract.c static */
+ int reported_backslash; /* extract.c static */
+ int disk_full;
+ int newfile;
++ void **cover; /* used in extract.c for bomb detection */
+
+ int didCRlast; /* fileio static */
+ ulg numlines; /* fileio static: number of lines printed */
+diff --git a/process.c b/process.c
+index a3c1a4d..208619c 100644
+--- a/process.c
++++ b/process.c
+@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */
+ }
+ #endif
+
++ /* Free the cover span list and the cover structure. */
++ if (G.cover != NULL) {
++ free(*(G.cover));
++ free(G.cover);
++ G.cover = NULL;
++ }
++
+ } /* end function free_G_buffers() */
+
+
+@@ -1905,6 +1912,7 @@ int getZip64Data(__G__ ef_buf, ef_len)
+
+ #define Z64FLGS 0xffff
+ #define Z64FLGL 0xffffffff
++ G.zip64 = FALSE;
+
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+@@ -1964,6 +1972,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+ offset += 4;
+ }
++
++ G.zip64 = TRUE;
+ #if 0
+ break; /* Expect only one EF_PKSZ64 block. */
+ #endif /* 0 */
+diff --git a/unzip.h b/unzip.h
+index 5b2a326..ed24a5b 100644
+--- a/unzip.h
++++ b/unzip.h
+@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec {
+ #define PK_NOZIP 9 /* zipfile not found */
+ #define PK_PARAM 10 /* bad or illegal parameters specified */
+ #define PK_FIND 11 /* no files found */
++#define PK_BOMB 12 /* likely zip bomb */
+ #define PK_DISK 50 /* disk full */
+ #define PK_EOF 51 /* unexpected EOF */
+
+--
+2.22.0.vfs.1.1.57.gbaf16c8
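Review bot: The callers of cover_add() report its -1 result (invalid span, beg >= end) as an allocation failure: in extract_or_test_files() any non-zero return prints NotEnoughMemCover and returns PK_MEM, and after each entry `if (error < 0)` does the same, although only -2 means realloc failed. The span bounds come from archive fields and the current read position, so a malformed archive would be logged as "not enough memory for bomb detection" rather than as an invalid or overlapping file, which misleads anyone triaging on the message or on the PK_MEM/PK_BOMB exit status. I would test for the allocation case explicitly, `if (error == -2)`, and let -1 and 1 take the OverlappedComponents/PK_BOMB path (or a separate invalid-archive message). The central-directory check rewritten in CVE-2019-13232_p3.patch keeps the same mapping, and a zero size_central_directory there gives beg == end, which cover_add() answers with -1.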
diff --git a/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch
new file mode 100644
index 00000000..fd26fdd8
--- /dev/null
+++ b/external/poky/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch
@@ -0,0 +1,121 @@
+From be88aa4811af47ca06d8b7dcda294f899eba70ea Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Thu, 25 Jul 2019 20:43:17 -0700
+Subject: [PATCH 3/3] Do not raise a zip bomb alert for a misplaced central
+ directory.
+
+There is a zip-like file in the Firefox distribution, omni.ja,
+which is a zip container with the central directory placed at the
+start of the file instead of after the local entries as required
+by the zip standard. This commit marks the actual location of the
+central directory, as well as the end of central directory records,
+as disallowed locations. This now permits such containers to not
+raise a zip bomb alert, where in fact there are no overlaps.
+
+CVE: CVE-2019-13232
+Upstream-Status: Backport
+[https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ extract.c | 25 +++++++++++++++++++------
+ process.c | 6 ++++++
+ unzpriv.h | 10 ++++++++++
+ 3 files changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index 2bb72ba..a9dcca8 100644
+--- a/extract.c
++++ b/extract.c
+@@ -495,8 +495,11 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ }
+ #endif /* !SFX || SFX_EXDIR */
+
+- /* One more: initialize cover structure for bomb detection. Start with a
+- span that covers the central directory though the end of the file. */
++ /* One more: initialize cover structure for bomb detection. Start with
++ spans that cover any extra bytes at the start, the central directory,
++ the end of central directory record (including the Zip64 end of central
++ directory locator, if present), and the Zip64 end of central directory
++ record, if present. */
+ if (G.cover == NULL) {
+ G.cover = malloc(sizeof(cover_t));
+ if (G.cover == NULL) {
+@@ -508,15 +511,25 @@ int extract_or_test_files(__G) /* return PK-type error code */
+ ((cover_t *)G.cover)->max = 0;
+ }
+ ((cover_t *)G.cover)->num = 0;
+- if ((G.extra_bytes != 0 &&
+- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+- cover_add((cover_t *)G.cover,
++ if (cover_add((cover_t *)G.cover,
+ G.extra_bytes + G.ecrec.offset_start_central_directory,
+- G.ziplen) != 0) {
++ G.extra_bytes + G.ecrec.offset_start_central_directory +
++ G.ecrec.size_central_directory) != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
++ if ((G.extra_bytes != 0 &&
++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++ (G.ecrec.have_ecr64 &&
++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
++ G.ecrec.ec64_end) != 0) ||
++ cover_add((cover_t *)G.cover, G.ecrec.ec_start,
++ G.ecrec.ec_end) != 0) {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString(OverlappedComponents)));
++ return PK_BOMB;
++ }
+
+ /*---------------------------------------------------------------------------
+ The basic idea of this function is as follows. Since the central di-
+diff --git a/process.c b/process.c
+index 208619c..5f8f6c6 100644
+--- a/process.c
++++ b/process.c
+@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */
+
+ /* Now, we are (almost) sure that we have a Zip64 archive. */
+ G.ecrec.have_ecr64 = 1;
++ G.ecrec.ec_start -= ECLOC64_SIZE+4;
++ G.ecrec.ec64_start = ecrec64_start_offset;
++ G.ecrec.ec64_end = ecrec64_start_offset +
++ 12 + makeint64(&byterec[ECREC64_LENGTH]);
+
+ /* Update the "end-of-central-dir offset" for later checks. */
+ G.real_ecrec_offset = ecrec64_start_offset;
+@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */
+ makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
+ G.ecrec.zipfile_comment_length =
+ makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
++ G.ecrec.ec_start = G.real_ecrec_offset;
++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
+
+ /* Now, we have to read the archive comment, BEFORE the file pointer
+ is moved away backwards to seek for a Zip64 ECLOC64 structure.
+diff --git a/unzpriv.h b/unzpriv.h
+index c8d3eab..5e177c7 100644
+--- a/unzpriv.h
++++ b/unzpriv.h
+@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf {
+ int have_ecr64; /* valid Zip64 ecdir-record exists */
+ int is_zip64_archive; /* Zip64 ecdir-record is mandatory */
+ ush zipfile_comment_length;
++ zusz_t ec_start, ec_end; /* offsets of start and end of the
++ end of central directory record,
++ including if present the Zip64
++ end of central directory locator,
++ which immediately precedes the
++ end of central directory record */
++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these
++ are the offsets of the start and
++ end of the Zip64 end of central
++ directory record */
+ } ecdir_rec;
+
+
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
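Review bot: The offsets recorded in find_ecrec() and find_ecrec64() use bare constants with no explanation: `22` in `G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length` and `12` in the `ec64_end` computation. I would add comments such as `/* 22 = 4-byte signature + 18-byte fixed end of central directory record */` and `/* 12 = 4-byte signature + 8-byte size field, neither counted in the stored length */`. The Zip64 length is taken from the archive through makeint64() and, as far as these hunks show, is not range-checked before it becomes ec64_end, so a comment should say that a bogus value is caught, if at all, only when cover_add() later rejects the span. Both functions begin and end outside the hunks.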
diff --git a/external/poky/meta/recipes-extended/unzip/unzip_6.0.bb b/external/poky/meta/recipes-extended/unzip/unzip_6.0.bb
index daba7227..464d73d0 100644
--- a/external/poky/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/external/poky/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -22,6 +22,9 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
file://symlink.patch \
file://0001-unzip-fix-CVE-2018-1000035.patch \
file://CVE-2018-18384.patch \
+ file://CVE-2019-13232_p1.patch \
+ file://CVE-2019-13232_p2.patch \
+ file://CVE-2019-13232_p3.patch \
"
UPSTREAM_VERSION_UNKNOWN = "1"
diff --git a/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch b/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
new file mode 100644
index 00000000..cbc4a127
--- /dev/null
+++ b/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
@@ -0,0 +1,73 @@
+From 6c5471e4834aebd7359d88b760b087136473bac8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 13:51:48 +0100
+Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default
+
+* src/init.c (defaults): Set enable_xattr to false by default
+* src/main.c (print_help): Reverse option logic of --xattr
+* doc/wget.texi: Add description for --xattr
+
+Users may not be aware that the origin URL and Referer are saved
+including credentials, and possibly access tokens within
+the urls.
+
+CVE: CVE-2018-20483 patch 1
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ doc/wget.texi | 8 ++++++++
+ src/init.c | 4 ----
+ src/main.c | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/doc/wget.texi b/doc/wget.texi
+index eaf6b380..3f9d7c1c 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -540,6 +540,14 @@ right NUMBER.
+ Set preferred location for Metalink resources. This has effect if multiple
+ resources with same priority are available.
+
++@cindex xattr
++@item --xattr
++Enable use of file system's extended attributes to save the
++original URL and the Referer HTTP header value if used.
++
++Be aware that the URL might contain private information like
++access tokens or credentials.
++
+
+ @cindex force html
+ @item -F
+diff --git a/src/init.c b/src/init.c
+index eb81ab47..800970c5 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -509,11 +509,7 @@ defaults (void)
+ opt.hsts = true;
+ #endif
+
+-#ifdef ENABLE_XATTR
+- opt.enable_xattr = true;
+-#else
+ opt.enable_xattr = false;
+-#endif
+ }
+
+ /* Return the user's home directory (strdup-ed), or NULL if none is
+diff --git a/src/main.c b/src/main.c
+index 81db9319..6ac1621b 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -754,7 +754,7 @@ Download:\n"),
+ #endif
+ #ifdef ENABLE_XATTR
+ N_("\
+- --no-xattr turn off storage of metadata in extended file attributes\n"),
++ --xattr turn on storage of metadata in extended file attributes\n"),
+ #endif
+ "\n",
+
+--
+2.19.1
+
diff --git a/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch b/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
new file mode 100644
index 00000000..72ce8a0b
--- /dev/null
+++ b/external/poky/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
@@ -0,0 +1,127 @@
+From 5a4ee4f3c07cc5dc7ef5f7244fcf51fd2fa3bc67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 14:38:18 +0100
+Subject: [PATCH 2/2] Don't save user/pw with --xattr
+
+Also the Referer info is reduced to scheme+host+port.
+
+* src/ftp.c (getftp): Change params of set_file_metadata()
+* src/http.c (gethttp): Change params of set_file_metadata()
+* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
+ reduce Referer value to scheme/host/port.
+* src/xattr.h: Change prototype of set_file_metadata()
+
+CVE: CVE-2018-20483 patch 2
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ src/ftp.c | 2 +-
+ src/http.c | 4 ++--
+ src/xattr.c | 24 ++++++++++++++++++++----
+ src/xattr.h | 3 ++-
+ 4 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/src/ftp.c b/src/ftp.c
+index 69148936..db8a6267 100644
+--- a/src/ftp.c
++++ b/src/ftp.c
+@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n"));
+
+ #ifdef ENABLE_XATTR
+ if (opt.enable_xattr)
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+ #endif
+
+ fd_close (local_sock);
+diff --git a/src/http.c b/src/http.c
+index 77bdbbed..472c328f 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -4120,9 +4120,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+ if (opt.enable_xattr)
+ {
+ if (original_url != u)
+- set_file_metadata (u->url, original_url->url, fp);
++ set_file_metadata (u, original_url, fp);
+ else
+- set_file_metadata (u->url, NULL, fp);
++ set_file_metadata (u, NULL, fp);
+ }
+ #endif
+
+diff --git a/src/xattr.c b/src/xattr.c
+index 66524226..0f20fadf 100644
+--- a/src/xattr.c
++++ b/src/xattr.c
+@@ -21,6 +21,7 @@
+ #include <string.h>
+
+ #include "log.h"
++#include "utils.h"
+ #include "xattr.h"
+
+ #ifdef USE_XATTR
+@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name, const char *value, FILE *fp)
+ #endif /* USE_XATTR */
+
+ int
+-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
++set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp)
+ {
+ /* Save metadata about where the file came from (requested, final URLs) to
+ * user POSIX Extended Attributes of retrieved file.
+@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+ * [http://0pointer.de/lennart/projects/mod_mime_xattr/].
+ */
+ int retval = -1;
++ char *value;
+
+ if (!origin_url || !fp)
+ return retval;
+
+- retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
+- if ((!retval) && referrer_url)
+- retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
++ value = url_string (origin_url, URL_AUTH_HIDE);
++ retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
++ xfree (value);
++
++ if (!retval && referrer_url)
++ {
++ struct url u;
++
++ memset(&u, 0, sizeof(u));
++ u.scheme = referrer_url->scheme;
++ u.host = referrer_url->host;
++ u.port = referrer_url->port;
++
++ value = url_string (&u, 0);
++ retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
++ xfree (value);
++ }
+
+ return retval;
+ }
+diff --git a/src/xattr.h b/src/xattr.h
+index 10f3ed11..40c7a8d3 100644
+--- a/src/xattr.h
++++ b/src/xattr.h
+@@ -16,12 +16,13 @@
+ along with this program; if not, see <http://www.gnu.org/licenses/>. */
+
+ #include <stdio.h>
++#include <url.h>
+
+ #ifndef _XATTR_H
+ #define _XATTR_H
+
+ /* Store metadata name/value attributes against fp. */
+-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp);
++int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp);
+
+ #if defined(__linux)
+ /* libc on Linux has fsetxattr (5 arguments). */
+--
+2.19.1
+
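Review bot: set_file_metadata() still stores the whole path and query string in user.xdg.origin.url: `url_string (origin_url, URL_AUTH_HIDE)` removes only the user/password part, so, assuming url_string() emits path and query as usual, an access token carried as a query parameter is still written to the extended attribute whenever --xattr is enabled. The Referer value is reduced to scheme, host and port, but the origin URL is not, and nothing in the function says so. I would add a comment above the call, `/* URL_AUTH_HIDE strips user:password only; path and query, which may hold tokens, are still saved. */`, so the remaining exposure is visible to whoever turns the option on.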
diff --git a/external/poky/meta/recipes-extended/wget/wget_1.19.5.bb b/external/poky/meta/recipes-extended/wget/wget_1.19.5.bb
index 920b74de..a53844bb 100644
--- a/external/poky/meta/recipes-extended/wget/wget_1.19.5.bb
+++ b/external/poky/meta/recipes-extended/wget/wget_1.19.5.bb
@@ -2,6 +2,8 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0002-improve-reproducibility.patch \
file://CVE-2019-5953.patch \
+ file://CVE-2018-20483_p1.patch \
+ file://CVE-2018-20483_p2.patch \
"
SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"
diff --git a/external/poky/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch b/external/poky/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch
new file mode 100644
index 00000000..5b0c342f
--- /dev/null
+++ b/external/poky/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch
@@ -0,0 +1,38 @@
+From 490f8979a260c16b1df055eab386345da18a2d54 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Wed, 10 Jul 2019 20:26:23 -0400
+Subject: [PATCH] bidi: Be safer against bad input
+
+Don't run off the end of an array that we
+allocated to certain length.
+
+Closes: https://gitlab.gnome.org/GNOME/pango/issues/342
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54]
+CVE: CVE-2019-1010238
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ pango/pango-bidi-type.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/pango/pango-bidi-type.c b/pango/pango-bidi-type.c
+index 3e46b66c..5c02dbbb 100644
+--- a/pango/pango-bidi-type.c
++++ b/pango/pango-bidi-type.c
+@@ -181,8 +181,11 @@ pango_log2vis_get_embedding_levels (const gchar *text,
+ for (i = 0, p = text; p < text + length; p = g_utf8_next_char(p), i++)
+ {
+ gunichar ch = g_utf8_get_char (p);
+- FriBidiCharType char_type;
+- char_type = fribidi_get_bidi_type (ch);
++ FriBidiCharType char_type = fribidi_get_bidi_type (ch);
++
++ if (i == n_chars)
++ break;
++
+ bidi_types[i] = char_type;
+ ored_types |= char_type;
+ if (FRIBIDI_IS_STRONG (char_type))
+--
+2.21.0
+
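Review bot: The new `if (i == n_chars) break;` in pango_log2vis_get_embedding_levels() runs only after `g_utf8_get_char (p)` and `fribidi_get_bidi_type (ch)` have already been evaluated for the character that would not fit, and it carries no comment on why the walk can outrun n_chars. Putting the bound in the loop condition, `p < text + length && i < n_chars`, stops before decoding the extra character and also holds if i were ever to exceed n_chars. A short comment such as `/* malformed input can yield more characters than n_chars; never write past bidi_types[n_chars - 1] */` would record the reason, presumably a mismatch between how n_chars was counted and this walk. The allocation and the rest of the loop body are outside the hunk.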
diff --git a/external/poky/meta/recipes-graphics/pango/pango_1.42.4.bb b/external/poky/meta/recipes-graphics/pango/pango_1.42.4.bb
index 22fe3af1..f6a3a5ac 100644
--- a/external/poky/meta/recipes-graphics/pango/pango_1.42.4.bb
+++ b/external/poky/meta/recipes-graphics/pango/pango_1.42.4.bb
@@ -15,7 +15,9 @@ inherit gnomebase gtk-doc ptest-gnome upstream-version-is-even gobject-introspec
SRC_URI += "file://run-ptest \
file://0001-Enforce-recreation-of-docs-pango.types-it-is-build-c.patch \
-"
+ file://CVE-2019-1010238.patch \
+ "
+
SRC_URI[archive.md5sum] = "deb171a31a3ad76342d5195a1b5bbc7c"
SRC_URI[archive.sha256sum] = "1d2b74cd63e8bd41961f2f8d952355aa0f9be6002b52c8aa7699d9f5da597c9d"
diff --git a/external/poky/meta/recipes-kernel/linux/kernel-devsrc.bb b/external/poky/meta/recipes-kernel/linux/kernel-devsrc.bb
index 361ad21e..ec5cf099 100644
--- a/external/poky/meta/recipes-kernel/linux/kernel-devsrc.bb
+++ b/external/poky/meta/recipes-kernel/linux/kernel-devsrc.bb
@@ -62,6 +62,12 @@ do_install() {
cd ${S}
cp --parents $(find -type f -name "Makefile*" -o -name "Kconfig*") $kerneldir/build
cp --parents $(find -type f -name "Build" -o -name "Build.include") $kerneldir/build
+
+ # Copy localversion file if any to keep correct version magic after
+ # modules_prepare.
+ if [ -f *localversion* ]; then
+ cp *localversion* $kerneldir/build
+ fi
)
# then drop all but the needed Makefiles/Kconfig files
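Review bot: `if [ -f *localversion* ]` only behaves as intended when the glob matches exactly one file: with two or more matches `[` receives several operands and fails with an error, the branch is not taken, and nothing is copied. The second hunk already uses a form that tolerates zero or many matches, so this one could match it: `cp *localversion* $kerneldir/build 2>/dev/null || :`. do_install begins and ends outside both hunks.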
@@ -213,6 +219,9 @@ do_install() {
# required to build scripts/selinux/genheaders/genheaders
cp -a --parents security/selinux/include/* $kerneldir/build/
+
+ # copy any localversion files
+ cp -a localversion* $kerneldir/build/ 2>/dev/null || :
)
# Make sure the Makefile and version.h have a matching timestamp so that
diff --git a/external/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb b/external/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
index 4189fc8d..de6f5c98 100644
--- a/external/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
+++ b/external/poky/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "82ac7b2b8048b537481bf16b8acda1cc9bfe9565"
-SRCREV_meta ?= "6a3254e7b370cbb86c1f73379dcf38885c1c69e0"
+SRCREV_machine ?= "3aa9671ae072f45665e72591be5636522c8a6215"
+SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.14.79"
+LINUX_VERSION ?= "4.14.154"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/external/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb b/external/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
index 71f5c471..52c02cad 100644
--- a/external/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
+++ b/external/poky/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
@@ -4,7 +4,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "4.14.79"
+LINUX_VERSION ?= "4.14.154"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
@@ -12,8 +12,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "6ce17eae5d962b30846a5258956246438d68d60a"
-SRCREV_meta ?= "6a3254e7b370cbb86c1f73379dcf38885c1c69e0"
+SRCREV_machine ?= "38c3a6549d60a3b4a5ab0cb6a440929ba8502f7f"
+SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/external/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb b/external/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
index 65b24440..0048735c 100644
--- a/external/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
+++ b/external/poky/meta/recipes-kernel/linux/linux-yocto_4.14.bb
@@ -11,20 +11,20 @@ KBRANCH_qemux86 ?= "v4.14/standard/base"
KBRANCH_qemux86-64 ?= "v4.14/standard/base"
KBRANCH_qemumips64 ?= "v4.14/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "8752b8421efe8b5a478f17fbffacf4af974ec703"
-SRCREV_machine_qemuarm64 ?= "ac66474ba7f7e93d16ae3ea005f214113bb127c5"
-SRCREV_machine_qemumips ?= "ab031b267e2a79fcd48da5d10d503f4d065f4821"
-SRCREV_machine_qemuppc ?= "f47c3945e8dd230ea37771bcacc836245fc79d22"
-SRCREV_machine_qemux86 ?= "f1d93b219bde37a8a286cd18d6af2dcf0d02c1a8"
-SRCREV_machine_qemux86-64 ?= "f1d93b219bde37a8a286cd18d6af2dcf0d02c1a8"
-SRCREV_machine_qemumips64 ?= "8063a7258fc670a361fed85b858fabb237485f1c"
-SRCREV_machine ?= "f1d93b219bde37a8a286cd18d6af2dcf0d02c1a8"
-SRCREV_meta ?= "6a3254e7b370cbb86c1f73379dcf38885c1c69e0"
+SRCREV_machine_qemuarm ?= "e4e2990af921c2d1544d18efa5f7183f95289cd0"
+SRCREV_machine_qemuarm64 ?= "51c9e69ebef5d2d15dfbcdf098269d86e0e38317"
+SRCREV_machine_qemumips ?= "e70c76a3fe9cc785619d9e4c8e28cb4d4d76ecaf"
+SRCREV_machine_qemuppc ?= "6b6eab44d3a04294c233e0b47d6b7c6cbb6e9ffb"
+SRCREV_machine_qemux86 ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce"
+SRCREV_machine_qemux86-64 ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce"
+SRCREV_machine_qemumips64 ?= "4e099e87d223bfc1526543a5e4c5383cb2edda70"
+SRCREV_machine ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce"
+SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.14.79"
+LINUX_VERSION ?= "4.14.154"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/external/poky/meta/recipes-support/atk/at-spi2-core_2.28.0.bb b/external/poky/meta/recipes-support/atk/at-spi2-core_2.28.0.bb
index 7975f58b..0bdb1e37 100644
--- a/external/poky/meta/recipes-support/atk/at-spi2-core_2.28.0.bb
+++ b/external/poky/meta/recipes-support/atk/at-spi2-core_2.28.0.bb
@@ -18,7 +18,7 @@ inherit meson gtk-doc gettext systemd pkgconfig distro_features_check upstream-v
REQUIRED_DISTRO_FEATURES = "x11"
EXTRA_OEMESON = " -Dsystemd_user_dir=${systemd_user_unitdir} \
- -Ddbus_daemon=${bindir}"
+ -Ddbus_daemon=${bindir}/dbus-daemon"
GTKDOC_ENABLE_FLAG = "-Denable_docs=true"
GTKDOC_DISABLE_FLAG = "-Denable_docs=false"
diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2018-16890.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2018-16890.patch
new file mode 100644
index 00000000..3776f362
--- /dev/null
+++ b/external/poky/meta/recipes-support/curl/curl/CVE-2018-16890.patch
@@ -0,0 +1,50 @@
+From 53d3c2f92b4a7561b1006494badf8cf2ef9110c0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Jan 2019 20:33:08 +0100
+Subject: [PATCH 1/3] NTLM: fix size check condition for type2 received data
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
+Reported-by: Wenxiang Qian
+CVE-2018-16890
+
+Upstream-Status: Backport
+[https://github.com/curl/curl/commit
+/b780b30d1377adb10bbe774835f49e9b237fb9bb]
+
+CVE: CVE-2018-16890
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ lib/vauth/ntlm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index cdb8d8f0d..0212756ab 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
+ target_info_len = Curl_read16_le(&buffer[40]);
+ target_info_offset = Curl_read32_le(&buffer[44]);
+ if(target_info_len > 0) {
+- if(((target_info_offset + target_info_len) > size) ||
++ if((target_info_offset >= size) ||
++ ((target_info_offset + target_info_len) > size) ||
+ (target_info_offset < 48)) {
+ infof(data, "NTLM handshake failure (bad type-2 message). "
+- "Target Info Offset Len is set incorrect by the peer\n");
++ "Target Info Offset Len is set incorrect by the peer\n");
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+
+--
+2.22.0
+
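Review bot: The added `(target_info_offset >= size)` clause looks redundant next to `(target_info_offset + target_info_len) > size`, and nothing in the code says why it is needed. Both fields are read from the peer's type-2 message (`Curl_read32_le`, `Curl_read16_le`), so the sum can presumably wrap in the variables' type (declared outside the hunk) and compare below `size`; the new clause is what rejects that case. A comment above the condition, e.g. `/* offset checked on its own: offset + len can wrap */`, would keep a later cleanup from removing it. A subtraction form for the second clause, `(target_info_len > size - target_info_offset)`, would avoid the wrap altogether, though as a backport that change belongs upstream. `ntlm_decode_type2_target` begins and ends outside the hunk.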
diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2019-3822.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2019-3822.patch
new file mode 100644
index 00000000..4f612ddd
--- /dev/null
+++ b/external/poky/meta/recipes-support/curl/curl/CVE-2019-3822.patch
@@ -0,0 +1,47 @@
+From 761b51f66c7b1cd2cd6c71b807bfdb6a27c49b30 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 3 Jan 2019 12:59:28 +0100
+Subject: [PATCH 2/3] ntlm: fix *_type3_message size check to avoid buffer
+ overflow
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
+Reported-by: Wenxiang Qian
+CVE-2019-3822
+
+Upstream-Status: Backport
+[https://github.com/curl/curl/commit
+/50c9484278c63b958655a717844f0721263939cc]
+
+CVE: CVE-2019-3822
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ lib/vauth/ntlm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index 0212756ab..3be0403d9 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -777,11 +777,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
+ });
+
+ #ifdef USE_NTRESPONSES
+- if(size < (NTLM_BUFSIZE - ntresplen)) {
+- DEBUGASSERT(size == (size_t)ntrespoff);
+- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+- size += ntresplen;
++ /* ntresplen + size should not be risking an integer overflow here */
++ if(ntresplen + size > sizeof(ntlmbuf)) {
++ failf(data, "incoming NTLM message too big");
++ return CURLE_OUT_OF_MEMORY;
+ }
++ DEBUGASSERT(size == (size_t)ntrespoff);
++ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
++ size += ntresplen;
+
+ DEBUG_OUT({
+ fprintf(stderr, "\n ntresp=");
+--
+2.22.0
+
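Review bot: The new guard `if(ntresplen + size > sizeof(ntlmbuf))` rests on two facts the hunk does not show, and its comment ("should not be risking an integer overflow here") states neither. `sizeof(ntlmbuf)` is the buffer size only if `ntlmbuf` is declared as an array in this curl version (the replaced check used `NTLM_BUFSIZE`), and the sum cannot wrap only if `ntresplen` is already bounded where it is computed; both are outside the hunk and worth confirming against the 7.61.0 source. I would reword the comment to name the bound it relies on, or write the test as `if(ntresplen > sizeof(ntlmbuf) - size)`, which assumes only that `size` never exceeds the buffer. `Curl_auth_create_ntlm_type3_message` continues outside the hunk.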
diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch
new file mode 100644
index 00000000..194e6e64
--- /dev/null
+++ b/external/poky/meta/recipes-support/curl/curl/CVE-2019-3823.patch
@@ -0,0 +1,55 @@
+From 40f6c913f63cdbfa81daa7ac7f1c7415bb99edeb Mon Sep 17 00:00:00 2001
+From: Daniel Gustafsson <daniel@yesql.se>
+Date: Sat, 19 Jan 2019 00:42:47 +0100
+Subject: [PATCH 3/3] smtp: avoid risk of buffer overflow in strtol
+
+If the incoming len 5, but the buffer does not have a termination
+after 5 bytes, the strtol() call may keep reading through the line
+buffer until is exceeds its boundary. Fix by ensuring that we are
+using a bounded read with a temporary buffer on the stack.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
+Reported-by: Brian Carpenter (Geeknik Labs)
+CVE-2019-3823
+
+Upstream-Status: Backport
+[https://github.com/curl/curl/commit
+/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484]
+
+CVE: CVE-2019-3823
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ lib/smtp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/smtp.c b/lib/smtp.c
+index ecf10a41a..1b9f92d30 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -207,8 +207,12 @@ static bool smtp_endofresp(struct connectdata *conn, char *line, size_t len,
+ Section 4. Examples of RFC-4954 but some e-mail servers ignore this and
+ only send the response code instead as per Section 4.2. */
+ if(line[3] == ' ' || len == 5) {
++ char tmpline[6];
++
+ result = TRUE;
+- *resp = curlx_sltosi(strtol(line, NULL, 10));
++ memset(tmpline, '\0', sizeof(tmpline));
++ memcpy(tmpline, line, (len == 5 ? 5 : 3));
++ *resp = curlx_sltosi(strtol(tmpline, NULL, 10));
+
+ /* Make sure real server never sends internal value */
+ if(*resp == 1)
+--
+2.22.0
+
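Review bot: The bounded copy into `tmpline` carries no comment, and the sizes 6, 5 and 3 are unexplained in the code; the reason (the line buffer is not NUL-terminated, so `strtol()` could read past it) appears only in the patch description. I would add `/* line is not NUL-terminated: parse the code from a zeroed copy of at most 5 bytes */` above the `memset`. The `memcpy` of 3 or 5 bytes and the `line[3]` test both rely on a minimum-length check on `len` that is presumably earlier in `smtp_endofresp`, outside the hunk, so that should be confirmed in the 7.61.0 source.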
diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2019-5482.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2019-5482.patch
new file mode 100644
index 00000000..91b18669
--- /dev/null
+++ b/external/poky/meta/recipes-support/curl/curl/CVE-2019-5482.patch
@@ -0,0 +1,68 @@
+From 38319e0717844c32464a6c7630de9be226f1c6f4 Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+Reply-To: muislam@microsoft.com
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+
+CVE: CVE-2019-5482
+
+Upstream-Status: Backport
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 064eef318..2c148e3e1 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -969,6 +969,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+ tftp_state_data_t *state;
+ int blksize;
++ int need_blksize;
+
+ blksize = TFTP_BLKSIZE_DEFAULT;
+
+@@ -983,15 +984,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ return CURLE_TFTP_ILLEGAL;
+ }
+
++ need_blksize = blksize;
++ /* default size is the fallback when no OACK is received */
++ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++ need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+ if(!state->rpacket.data) {
+- state->rpacket.data = calloc(1, blksize + 2 + 2);
++ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->rpacket.data)
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+ if(!state->spacket.data) {
+- state->spacket.data = calloc(1, blksize + 2 + 2);
++ state->spacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->spacket.data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -1005,7 +1011,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ state->sockfd = state->conn->sock[FIRSTSOCKET];
+ state->state = TFTP_STATE_START;
+ state->error = TFTP_ERR_NONE;
+- state->blksize = blksize;
++ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+ state->requested_blksize = blksize;
+
+ ((struct sockaddr *)&state->local_addr)->sa_family =
+--
+2.23.0
+
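Review bot: `Upstream-Status: Backport` is given here without the upstream commit, so the backport cannot be compared against the change it claims to carry; the three other curl CVE patches added in this commit each cite one. The `From:` header also has an empty address, and the `Reply-To:` names the backporter rather than the author, which blurs who wrote the code. I would add the reference under the status line in the same form as the sibling patches, `[UPSTREAM_COMMIT_URL]` (placeholder, the page does not give it), so the provenance of this fix can be checked during later upgrades.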
diff --git a/external/poky/meta/recipes-support/curl/curl_7.61.0.bb b/external/poky/meta/recipes-support/curl/curl_7.61.0.bb
index 1027f75e..cd880f9e 100644
--- a/external/poky/meta/recipes-support/curl/curl_7.61.0.bb
+++ b/external/poky/meta/recipes-support/curl/curl_7.61.0.bb
@@ -13,6 +13,10 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2018-16842.patch \
file://CVE-2019-5435.patch \
file://CVE-2019-5436.patch \
+ file://CVE-2018-16890.patch \
+ file://CVE-2019-3822.patch \
+ file://CVE-2019-3823.patch \
+ file://CVE-2019-5482.patch \
"
SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a"
diff --git a/external/poky/meta/recipes-support/gnupg/gnupg/0001-Woverride-init-is-not-needed-with-gcc-9.patch b/external/poky/meta/recipes-support/gnupg/gnupg/0001-Woverride-init-is-not-needed-with-gcc-9.patch
new file mode 100644
index 00000000..4a280f9d
--- /dev/null
+++ b/external/poky/meta/recipes-support/gnupg/gnupg/0001-Woverride-init-is-not-needed-with-gcc-9.patch
@@ -0,0 +1,31 @@
+From 0df5800cc2e720aad883a517f7d24a9722fe5845 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 20 Dec 2018 17:37:48 -0800
+Subject: [PATCH] Woverride-init is not needed with gcc 9
+
+Fixes
+| ../../gnupg-2.2.12/dirmngr/dns.h:525:16: error: lvalue required as
+unary '&' operand |
+525 | dns_rr_i_init(&dns_quietinit((struct dns_rr_i){ 0, __VA_ARGS__
+}), (P))
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ dirmngr/dns.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dirmngr/dns.h b/dirmngr/dns.h
+index 30d0b45..98fe412 100644
+--- a/dirmngr/dns.h
++++ b/dirmngr/dns.h
+@@ -154,7 +154,7 @@ DNS_PUBLIC int *dns_debug_p(void);
+
+ #define dns_quietinit(...) \
+ DNS_PRAGMA_PUSH DNS_PRAGMA_QUIET __VA_ARGS__ DNS_PRAGMA_POP
+-#elif (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) || __GNUC__ > 4
++#elif (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) || (__GNUC__ > 4 && __GNUC__ < 9)
+ #define DNS_PRAGMA_PUSH _Pragma("GCC diagnostic push")
+ #define DNS_PRAGMA_QUIET _Pragma("GCC diagnostic ignored \"-Woverride-init\"")
+ #define DNS_PRAGMA_POP _Pragma("GCC diagnostic pop")
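Review bot: The new `__GNUC__ < 9` bound has no comment in `dns.h`, so a reader of the patched header cannot tell why GCC 9 and later skip the `-Woverride-init` pragmas; the build error it works around appears only in the patch description. I would add above the `#elif` something like `/* GCC >= 9: &dns_quietinit(...) no longer compiles with the pragmas around the compound literal */`. What GCC 9 and later get instead depends on the fallback branch, which is outside the hunk and worth checking. The patch is marked `Upstream-Status: Pending`, so the bound will need revisiting on the next gnupg upgrade.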
diff --git a/external/poky/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch b/external/poky/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
index 3f1c3aba..c43ecdf8 100644
--- a/external/poky/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
+++ b/external/poky/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
@@ -1,4 +1,4 @@
-From 8eb4d25c25a1c1323797d94e0727a3e42b7f3287 Mon Sep 17 00:00:00 2001
+From c69c3a49f3295179c247db5ceb3ef8952928a724 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Mon, 22 Jan 2018 18:00:21 +0200
Subject: [PATCH] configure.ac: use a custom value for the location of
@@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
-index 4d66af9..b9ef235 100644
+index 919ab31..cd58fdb 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1848,7 +1848,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
+@@ -1855,7 +1855,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
AC_DEFINE_UNQUOTED(GPGTAR_NAME, "gpgtar", [The name of the gpgtar tool])
diff --git a/external/poky/meta/recipes-support/gnupg/gnupg/relocate.patch b/external/poky/meta/recipes-support/gnupg/gnupg/relocate.patch
index c494ef80..1a5ea4aa 100644
--- a/external/poky/meta/recipes-support/gnupg/gnupg/relocate.patch
+++ b/external/poky/meta/recipes-support/gnupg/gnupg/relocate.patch
@@ -1,4 +1,4 @@
-From f9fc214b0bf2f67b515ca8a5333f39c497d1b518 Mon Sep 17 00:00:00 2001
+From 6d31b04d7a75f1d73c3518bf043b5b0a2dc40cb1 Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Wed, 19 Sep 2018 14:44:40 +0100
Subject: [PATCH] Allow the environment to override where gnupg looks for its
diff --git a/external/poky/meta/recipes-support/gnupg/gnupg_2.2.12.bb b/external/poky/meta/recipes-support/gnupg/gnupg_2.2.12.bb
index 1f381c2d..a02c66a0 100644
--- a/external/poky/meta/recipes-support/gnupg/gnupg_2.2.12.bb
+++ b/external/poky/meta/recipes-support/gnupg/gnupg_2.2.12.bb
@@ -14,7 +14,8 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0002-use-pkgconfig-instead-of-npth-config.patch \
file://0003-dirmngr-uses-libgpg-error.patch \
file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \
- "
+ file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
+ "
SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
file://relocate.patch"
diff --git a/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p1.patch b/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p1.patch
new file mode 100644
index 00000000..823869e8
--- /dev/null
+++ b/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p1.patch
@@ -0,0 +1,39 @@
+From 367688c05988bc7257d7e1801c5acf17ef7e854d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Tue, 12 Feb 2019 15:09:11 +0100
+Subject: [PATCH 1/3] Automatically NULLify after gnutls_free()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This method prevents direct use-after-free and
+double-free issues.
+
+Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
+
+CVE: CVE-2019-3829
+Upstream-Status: Backport
+[https://gitlab.com/gnutls/gnutls/commit/d39778e43d1674cb3ab3685157fd299816d535c0]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ lib/includes/gnutls/gnutls.h.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
+index 49990b5f5..fa77fd0df 100644
+--- a/lib/includes/gnutls/gnutls.h.in
++++ b/lib/includes/gnutls/gnutls.h.in
+@@ -2132,6 +2132,10 @@ extern _SYM_EXPORT gnutls_realloc_function gnutls_realloc;
+ extern _SYM_EXPORT gnutls_calloc_function gnutls_calloc;
+ extern _SYM_EXPORT gnutls_free_function gnutls_free;
+
++#ifdef GNUTLS_INTERNAL_BUILD
++#define gnutls_free(a) gnutls_free((void *) (a)), a=NULL
++#endif
++
+ extern _SYM_EXPORT char *(*gnutls_strdup) (const char *);
+
+ /* a variant of memset that doesn't get optimized out */
+--
+2.22.0.vfs.1.1.57.gbaf16c8
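Review bot: The `gnutls_free(a)` macro expands to an unparenthesised comma expression and names `a` twice, so an argument with side effects is evaluated twice and the expansion binds differently when the call sits inside a larger expression. It also needs a modifiable lvalue and clears only the variable named at the call site, not other copies of the pointer, so the "prevents use-after-free" claim holds only for direct reuse of that one variable. A parenthesised form would be `#define gnutls_free(a) (gnutls_free((void *) (a)), (a) = NULL)`; since this is a backport, that is a change to raise upstream. The second patch of the series removes the explicit `= NULL` resets at many call sites, including files under `tests/`, so it is worth confirming that each of those files is built with `GNUTLS_INTERNAL_BUILD` defined.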
diff --git a/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p2.patch b/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p2.patch
new file mode 100644
index 00000000..b3cd0477
--- /dev/null
+++ b/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p2.patch
@@ -0,0 +1,871 @@
+From a57509ef7c4983721193ac325ad5fb1783ea0f57 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Tue, 12 Feb 2019 15:14:07 +0100
+Subject: [PATCH 2/3] Remove redundant resets of variables after free()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
+
+CVE: CVE-2019-3829
+Upstream-Status: Backport
+[https://gitlab.com/gnutls/gnutls/commit/372821c883a3d36ed3ed683844ad9d90818f6392]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ lib/auth.c | 3 ---
+ lib/auth/rsa.c | 2 ++
+ lib/auth/rsa_psk.c | 1 -
+ lib/auth/srp_sb64.c | 2 --
+ lib/cert-cred-x509.c | 3 ---
+ lib/cert-cred.c | 3 ---
+ lib/hello_ext.c | 5 ++---
+ lib/mpi.c | 1 -
+ lib/nettle/mpi.c | 2 --
+ lib/nettle/pk.c | 3 ---
+ lib/ocsp-api.c | 1 -
+ lib/pk.c | 2 --
+ lib/pkcs11.c | 1 -
+ lib/pkcs11_privkey.c | 6 +-----
+ lib/pkcs11_write.c | 1 -
+ lib/session_pack.c | 2 --
+ lib/srp.c | 1 -
+ lib/str.c | 2 +-
+ lib/tls13/certificate_request.c | 2 --
+ lib/tpm.c | 2 --
+ lib/x509/ocsp.c | 15 +++------------
+ lib/x509/pkcs12_bag.c | 1 -
+ lib/x509/pkcs7-crypt.c | 1 -
+ lib/x509/pkcs7.c | 6 ------
+ lib/x509/privkey_pkcs8.c | 1 -
+ lib/x509/verify-high2.c | 1 -
+ lib/x509/virt-san.c | 1 -
+ lib/x509/x509.c | 4 ----
+ lib/x509/x509_ext.c | 1 -
+ lib/x509_b64.c | 1 -
+ tests/cert.c | 2 --
+ tests/name-constraints-ip.c | 3 +--
+ tests/pkcs11/pkcs11-import-url-privkey.c | 2 --
+ tests/pkcs11/pkcs11-privkey-always-auth.c | 2 --
+ tests/pkcs11/pkcs11-privkey-fork-reinit.c | 1 -
+ tests/pkcs11/pkcs11-privkey-fork.c | 1 -
+ tests/pkcs11/pkcs11-privkey-safenet-always-auth.c | 2 --
+ tests/pkcs7.c | 2 --
+ tests/resume-dtls.c | 1 -
+ tests/resume.c | 1 -
+ tests/sign-verify-data.c | 1 -
+ tests/sign-verify-ext.c | 2 --
+ tests/sign-verify-ext4.c | 2 --
+ tests/sign-verify.c | 1 -
+ tests/x509-extensions.c | 1 -
+ tests/x509sign-verify-error.c | 1 -
+ 46 files changed, 10 insertions(+), 92 deletions(-)
+
+diff --git a/lib/auth.c b/lib/auth.c
+index 4bdedda38..5f9b8c427 100644
+--- a/lib/auth.c
++++ b/lib/auth.c
+@@ -349,8 +349,6 @@ void _gnutls_free_auth_info(gnutls_session_t session)
+
+ gnutls_free(info->raw_certificate_list);
+ gnutls_free(info->raw_ocsp_list);
+- info->raw_certificate_list = NULL;
+- info->raw_ocsp_list = NULL;
+ info->ncerts = 0;
+ info->nocsp = 0;
+
+@@ -367,7 +365,6 @@ void _gnutls_free_auth_info(gnutls_session_t session)
+ }
+
+ gnutls_free(session->key.auth_info);
+- session->key.auth_info = NULL;
+ session->key.auth_info_size = 0;
+ session->key.auth_info_type = 0;
+
+diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
+index 6afc91ae6..df6bd7bc6 100644
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -196,6 +196,8 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
+ ret = gnutls_rnd(GNUTLS_RND_NONCE, rndkey.data,
+ rndkey.size);
+ if (ret < 0) {
++ gnutls_free(session->key.key.data);
++ session->key.key.size = 0;
+ gnutls_assert();
+ goto cleanup;
+ }
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 5a29f9183..590ff0f71 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -341,7 +341,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ ("auth_rsa_psk: Possible PKCS #1 format attack\n");
+ if (ret >= 0) {
+ gnutls_free(plaintext.data);
+- plaintext.data = NULL;
+ }
+ randomize_key = 1;
+ } else {
+diff --git a/lib/auth/srp_sb64.c b/lib/auth/srp_sb64.c
+index 1177e7671..7bfffdf07 100644
+--- a/lib/auth/srp_sb64.c
++++ b/lib/auth/srp_sb64.c
+@@ -263,7 +263,6 @@ _gnutls_sbase64_decode(char *data, size_t idata_size, uint8_t ** result)
+ tmp = decode(tmpres, datrev);
+ if (tmp < 0) {
+ gnutls_free((*result));
+- *result = NULL;
+ return tmp;
+ }
+
+@@ -277,7 +276,6 @@ _gnutls_sbase64_decode(char *data, size_t idata_size, uint8_t ** result)
+ tmp = decode(tmpres, (uint8_t *) & data[i]);
+ if (tmp < 0) {
+ gnutls_free((*result));
+- *result = NULL;
+ return tmp;
+ }
+ memcpy(&(*result)[j], tmpres, tmp);
+diff --git a/lib/cert-cred-x509.c b/lib/cert-cred-x509.c
+index f342a420b..da9cd647e 100644
+--- a/lib/cert-cred-x509.c
++++ b/lib/cert-cred-x509.c
+@@ -296,7 +296,6 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
+ gnutls_pcert_import_x509_list(pcerts, unsorted, &ncerts, GNUTLS_X509_CRT_LIST_SORT);
+ if (ret < 0) {
+ gnutls_free(pcerts);
+- pcerts = NULL;
+ gnutls_assert();
+ goto cleanup;
+ }
+@@ -540,7 +539,6 @@ read_cert_url(gnutls_certificate_credentials_t res, gnutls_privkey_t key, const
+ goto cleanup;
+ }
+ gnutls_free(t.data);
+- t.data = NULL;
+ }
+
+ ret = certificate_credential_append_crt_list(res, key, names, ccert, count);
+@@ -991,7 +989,6 @@ gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
+ while (i--)
+ gnutls_x509_crt_deinit((*crt_list)[i]);
+ gnutls_free(*crt_list);
+- *crt_list = NULL;
+
+ return gnutls_assert_val(ret);
+ }
+diff --git a/lib/cert-cred.c b/lib/cert-cred.c
+index 2150e903f..190a8b3a2 100644
+--- a/lib/cert-cred.c
++++ b/lib/cert-cred.c
+@@ -63,7 +63,6 @@ void gnutls_certificate_free_keys(gnutls_certificate_credentials_t sc)
+
+ for (j = 0; j < sc->certs[i].ocsp_data_length; j++) {
+ gnutls_free(sc->certs[i].ocsp_data[j].response.data);
+- sc->certs[i].ocsp_data[j].response.data = NULL;
+ }
+ _gnutls_str_array_clear(&sc->certs[i].names);
+ gnutls_privkey_deinit(sc->certs[i].pkey);
+@@ -71,8 +70,6 @@ void gnutls_certificate_free_keys(gnutls_certificate_credentials_t sc)
+
+ gnutls_free(sc->certs);
+ gnutls_free(sc->sorted_cert_idx);
+- sc->certs = NULL;
+- sc->sorted_cert_idx = NULL;
+
+ sc->ncerts = 0;
+ }
+diff --git a/lib/hello_ext.c b/lib/hello_ext.c
+index c4907aace..fb2b4db67 100644
+--- a/lib/hello_ext.c
++++ b/lib/hello_ext.c
+@@ -464,9 +464,8 @@ void _gnutls_hello_ext_deinit(void)
+ continue;
+
+ if (extfunc[i]->free_struct != 0) {
+- gnutls_free((void*)extfunc[i]->name);
+- gnutls_free((void*)extfunc[i]);
+- extfunc[i] = NULL;
++ gnutls_free(((hello_ext_entry_st *)extfunc[i])->name);
++ gnutls_free(extfunc[i]);
+ }
+ }
+ }
+diff --git a/lib/mpi.c b/lib/mpi.c
+index 2bc970d7c..ed208d511 100644
+--- a/lib/mpi.c
++++ b/lib/mpi.c
+@@ -88,7 +88,6 @@ _gnutls_mpi_random_modp(bigint_t r, bigint_t p,
+
+ if (buf_release != 0) {
+ gnutls_free(buf);
+- buf = NULL;
+ }
+
+ if (r != NULL) {
+diff --git a/lib/nettle/mpi.c b/lib/nettle/mpi.c
+index 8a93ac278..96bec4aa4 100644
+--- a/lib/nettle/mpi.c
++++ b/lib/nettle/mpi.c
+@@ -122,7 +122,6 @@ static int wrap_nettle_mpi_init_multi(bigint_t *w, ...)
+ fail:
+ mpz_clear(TOMPZ(*w));
+ gnutls_free(*w);
+- *w = NULL;
+
+ va_start(args, w);
+
+@@ -131,7 +130,6 @@ fail:
+ if (next != last_failed) {
+ mpz_clear(TOMPZ(*next));
+ gnutls_free(*next);
+- *next = NULL;
+ }
+ } while(next != last_failed);
+
+diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
+index 6dcd2fdd0..f010493c0 100644
+--- a/lib/nettle/pk.c
++++ b/lib/nettle/pk.c
+@@ -371,7 +371,6 @@ dh_cleanup:
+
+ if (_gnutls_mem_is_zero(out->data, out->size)) {
+ gnutls_free(out->data);
+- out->data = NULL;
+ gnutls_assert();
+ ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
+ goto cleanup;
+@@ -2203,8 +2202,6 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
+ params->params_nr = 0;
+ gnutls_free(params->raw_priv.data);
+ gnutls_free(params->raw_pub.data);
+- params->raw_priv.data = NULL;
+- params->raw_pub.data = NULL;
+
+ FAIL_IF_LIB_ERROR;
+ return ret;
+diff --git a/lib/ocsp-api.c b/lib/ocsp-api.c
+index d18a1f0c2..a0005e99d 100644
+--- a/lib/ocsp-api.c
++++ b/lib/ocsp-api.c
+@@ -473,7 +473,6 @@ gnutls_certificate_set_ocsp_status_request_mem(gnutls_certificate_credentials_t
+ nresp++;
+
+ gnutls_free(der.data);
+- der.data = NULL;
+
+ p.data++;
+ p.size--;
+diff --git a/lib/pk.c b/lib/pk.c
+index 1f137f71c..a5bb58b73 100644
+--- a/lib/pk.c
++++ b/lib/pk.c
+@@ -537,8 +537,6 @@ void gnutls_pk_params_release(gnutls_pk_params_st * p)
+ }
+ gnutls_free(p->raw_priv.data);
+ gnutls_free(p->raw_pub.data);
+- p->raw_priv.data = NULL;
+- p->raw_pub.data = NULL;
+
+ p->params_nr = 0;
+ }
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c
+index 990912790..fa1b65884 100644
+--- a/lib/pkcs11.c
++++ b/lib/pkcs11.c
+@@ -1233,7 +1233,6 @@ int gnutls_pkcs11_obj_init(gnutls_pkcs11_obj_t * obj)
+ (*obj)->info = p11_kit_uri_new();
+ if ((*obj)->info == NULL) {
+ gnutls_free(*obj);
+- *obj = NULL;
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
+index b721ed125..560a732e3 100644
+--- a/lib/pkcs11_privkey.c
++++ b/lib/pkcs11_privkey.c
+@@ -443,7 +443,6 @@ _gnutls_pkcs11_privkey_sign(gnutls_pkcs11_privkey_t key,
+ }
+
+ gnutls_free(tmp.data);
+- tmp.data = NULL;
+ } else {
+ signature->size = siglen;
+ signature->data = tmp.data;
+@@ -521,10 +520,8 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
+
+ memset(&pkey->sinfo, 0, sizeof(pkey->sinfo));
+
+- if (pkey->url) {
++ if (pkey->url)
+ gnutls_free(pkey->url);
+- pkey->url = NULL;
+- }
+
+ if (pkey->uinfo) {
+ p11_kit_uri_free(pkey->uinfo);
+@@ -613,7 +610,6 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
+ pkey->uinfo = NULL;
+ }
+ gnutls_free(pkey->url);
+- pkey->url = NULL;
+
+ return ret;
+ }
+diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
+index 35207d554..6e866e2d4 100644
+--- a/lib/pkcs11_write.c
++++ b/lib/pkcs11_write.c
+@@ -268,7 +268,6 @@ static void clean_pubkey(struct ck_attribute *a, unsigned a_val)
+ case CKA_EC_PARAMS:
+ case CKA_EC_POINT:
+ gnutls_free(a[i].value);
+- a[i].value = NULL;
+ break;
+ }
+ }
+diff --git a/lib/session_pack.c b/lib/session_pack.c
+index c5801fb32..5d475ea59 100644
+--- a/lib/session_pack.c
++++ b/lib/session_pack.c
+@@ -562,8 +562,6 @@ unpack_certificate_auth_info(gnutls_session_t session,
+
+ gnutls_free(info->raw_certificate_list);
+ gnutls_free(info->raw_ocsp_list);
+- info->raw_certificate_list = NULL;
+- info->raw_ocsp_list = NULL;
+ }
+
+ return ret;
+diff --git a/lib/srp.c b/lib/srp.c
+index c3eb8e684..670642d64 100644
+--- a/lib/srp.c
++++ b/lib/srp.c
+@@ -608,7 +608,6 @@ gnutls_srp_set_server_credentials_file(gnutls_srp_server_credentials_t res,
+ if (res->password_conf_file == NULL) {
+ gnutls_assert();
+ gnutls_free(res->password_file);
+- res->password_file = NULL;
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+diff --git a/lib/str.c b/lib/str.c
+index c8d742e91..7408ea6ac 100644
+--- a/lib/str.c
++++ b/lib/str.c
+@@ -81,7 +81,7 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str)
+ return;
+ gnutls_free(str->allocd);
+
+- str->data = str->allocd = NULL;
++ str->data = NULL;
+ str->max_length = 0;
+ str->length = 0;
+ }
+diff --git a/lib/tls13/certificate_request.c b/lib/tls13/certificate_request.c
+index a7ec0e2fd..823adc87f 100644
+--- a/lib/tls13/certificate_request.c
++++ b/lib/tls13/certificate_request.c
+@@ -152,7 +152,6 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
+ return gnutls_assert_val(ret);
+
+ gnutls_free(session->internals.post_handshake_cr_context.data);
+- session->internals.post_handshake_cr_context.data = NULL;
+ ret = _gnutls_set_datum(&session->internals.post_handshake_cr_context,
+ context.data, context.size);
+ if (ret < 0)
+@@ -279,7 +278,6 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again)
+ }
+
+ gnutls_free(session->internals.post_handshake_cr_context.data);
+- session->internals.post_handshake_cr_context.data = NULL;
+ ret = _gnutls_set_datum(&session->internals.post_handshake_cr_context,
+ rnd, sizeof(rnd));
+ if (ret < 0) {
+diff --git a/lib/tpm.c b/lib/tpm.c
+index ee53c7154..03565acb0 100644
+--- a/lib/tpm.c
++++ b/lib/tpm.c
+@@ -1645,10 +1645,8 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
+ gnutls_pubkey_deinit(pub);
+ privkey_cleanup:
+ gnutls_free(privkey->data);
+- privkey->data = NULL;
+ cleanup:
+ gnutls_free(tmpkey.data);
+- tmpkey.data = NULL;
+ err_sa:
+ pTspi_Context_CloseObject(s.tpm_ctx, key_ctx);
+ err_cc:
+diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
+index db54b3ea2..55cae94c3 100644
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -162,7 +162,6 @@ void gnutls_ocsp_resp_deinit(gnutls_ocsp_resp_t resp)
+ asn1_delete_structure(&resp->basicresp);
+
+ resp->resp = NULL;
+- resp->response_type_oid.data = NULL;
+ resp->basicresp = NULL;
+
+ gnutls_free(resp->der.data);
+@@ -299,7 +298,6 @@ gnutls_ocsp_resp_import2(gnutls_ocsp_resp_t resp,
+ }
+
+ gnutls_free(resp->der.data);
+- resp->der.data = NULL;
+ }
+
+ resp->init = 1;
+@@ -1668,18 +1666,12 @@ gnutls_ocsp_resp_get_single(gnutls_ocsp_resp_t resp,
+
+ return GNUTLS_E_SUCCESS;
+ fail:
+- if (issuer_name_hash) {
++ if (issuer_name_hash)
+ gnutls_free(issuer_name_hash->data);
+- issuer_name_hash->data = NULL;
+- }
+- if (issuer_key_hash) {
++ if (issuer_key_hash)
+ gnutls_free(issuer_key_hash->data);
+- issuer_key_hash->data = NULL;
+- }
+- if (serial_number) {
++ if (serial_number)
+ gnutls_free(serial_number->data);
+- serial_number->data = NULL;
+- }
+ return ret;
+ }
+
+@@ -1955,7 +1947,6 @@ gnutls_ocsp_resp_get_certs(gnutls_ocsp_resp_t resp,
+ }
+
+ gnutls_free(c.data);
+- c.data = NULL;
+ }
+
+ tmpcerts[ctr] = NULL;
+diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
+index 26d2142ea..35d12ac4b 100644
+--- a/lib/x509/pkcs12_bag.c
++++ b/lib/x509/pkcs12_bag.c
+@@ -62,7 +62,6 @@ static inline void _pkcs12_bag_free_data(gnutls_pkcs12_bag_t bag)
+ _gnutls_free_datum(&bag->element[i].data);
+ _gnutls_free_datum(&bag->element[i].local_key_id);
+ gnutls_free(bag->element[i].friendly_name);
+- bag->element[i].friendly_name = NULL;
+ bag->element[i].type = 0;
+ }
+
+diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
+index c2b00e61c..39eb7784b 100644
+--- a/lib/x509/pkcs7-crypt.c
++++ b/lib/x509/pkcs7-crypt.c
+@@ -1269,7 +1269,6 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn,
+ _gnutls_cipher_init(&ch, ce, &dkey, &d_iv, 0);
+
+ gnutls_free(key);
+- key = NULL;
+
+ if (ret < 0) {
+ gnutls_assert();
+diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
+index 955cb5ae9..8ae7b3e78 100644
+--- a/lib/x509/pkcs7.c
++++ b/lib/x509/pkcs7.c
+@@ -692,7 +692,6 @@ int gnutls_pkcs7_get_signature_info(gnutls_pkcs7_t pkcs7, unsigned idx,
+
+ ret = gnutls_pkcs7_add_attr(&info->signed_attrs, oid, &tmp, 0);
+ gnutls_free(tmp.data);
+- tmp.data = NULL;
+
+ if (ret < 0) {
+ gnutls_assert();
+@@ -730,7 +729,6 @@ int gnutls_pkcs7_get_signature_info(gnutls_pkcs7_t pkcs7, unsigned idx,
+ ret =
+ gnutls_pkcs7_add_attr(&info->unsigned_attrs, oid, &tmp, 0);
+ gnutls_free(tmp.data);
+- tmp.data = NULL;
+
+ if (ret < 0) {
+ gnutls_assert();
+@@ -842,9 +840,7 @@ static int verify_hash_attr(gnutls_pkcs7_t pkcs7, const char *root,
+ }
+
+ gnutls_free(tmp.data);
+- tmp.data = NULL;
+ gnutls_free(tmp2.data);
+- tmp2.data = NULL;
+ }
+
+ if (msg_digest_ok)
+@@ -1087,7 +1083,6 @@ static gnutls_x509_crt_t find_verified_issuer_of(gnutls_pkcs7_t pkcs7,
+ gnutls_x509_crt_deinit(issuer);
+ issuer = NULL;
+ gnutls_free(tmp.data);
+- tmp.data = NULL;
+ continue;
+ }
+
+@@ -1204,7 +1199,6 @@ static gnutls_x509_crt_t find_child_of_with_serial(gnutls_pkcs7_t pkcs7,
+ gnutls_x509_crt_deinit(crt);
+ crt = NULL;
+ gnutls_free(tmpdata.data);
+- tmpdata.data = NULL;
+ continue;
+ }
+ } else {
+diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
+index 92dea06b0..56000ff12 100644
+--- a/lib/x509/privkey_pkcs8.c
++++ b/lib/x509/privkey_pkcs8.c
+@@ -600,7 +600,6 @@ gnutls_pkcs8_info(const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format,
+ cleanup:
+ if (ret != GNUTLS_E_UNKNOWN_CIPHER_TYPE && oid) {
+ gnutls_free(*oid);
+- *oid = NULL;
+ }
+ if (need_free)
+ _gnutls_free_datum(&_data);
+diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
+index 8ba2f2a3e..b9aed5cf4 100644
+--- a/lib/x509/verify-high2.c
++++ b/lib/x509/verify-high2.c
+@@ -178,7 +178,6 @@ int remove_pkcs11_url(gnutls_x509_trust_list_t list, const char *ca_file)
+ {
+ if (strcmp(ca_file, list->pkcs11_token) == 0) {
+ gnutls_free(list->pkcs11_token);
+- list->pkcs11_token = NULL;
+ }
+ return 0;
+ }
+diff --git a/lib/x509/virt-san.c b/lib/x509/virt-san.c
+index f3b87135b..a81337e25 100644
+--- a/lib/x509/virt-san.c
++++ b/lib/x509/virt-san.c
+@@ -70,7 +70,6 @@ int _gnutls_alt_name_assign_virt_type(struct name_st *name, unsigned type, gnutl
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ gnutls_free(san->data);
+- san->data = NULL;
+
+ if (othername_oid) {
+ name->othername_oid.data = (uint8_t *) othername_oid;
+diff --git a/lib/x509/x509.c b/lib/x509/x509.c
+index 4aff55eba..c149881f6 100644
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -383,7 +383,6 @@ static int cache_alt_names(gnutls_x509_crt_t cert)
+ if (ret >= 0) {
+ ret = gnutls_x509_ext_import_subject_alt_names(&tmpder, cert->san, 0);
+ gnutls_free(tmpder.data);
+- tmpder.data = NULL;
+ if (ret < 0)
+ return gnutls_assert_val(ret);
+ }
+@@ -3680,7 +3679,6 @@ gnutls_x509_crt_list_import2(gnutls_x509_crt_t ** certs,
+
+ if (ret < 0) {
+ gnutls_free(*certs);
+- *certs = NULL;
+ return ret;
+ }
+
+@@ -4310,7 +4308,6 @@ gnutls_x509_crt_list_import_url(gnutls_x509_crt_t **certs,
+
+ if (gnutls_x509_crt_equals2(crts[i-1], &issuer)) {
+ gnutls_free(issuer.data);
+- issuer.data = NULL;
+ break;
+ }
+
+@@ -4331,7 +4328,6 @@ gnutls_x509_crt_list_import_url(gnutls_x509_crt_t **certs,
+ }
+
+ gnutls_free(issuer.data);
+- issuer.data = NULL;
+ }
+
+ *certs = gnutls_malloc(total*sizeof(gnutls_x509_crt_t));
+diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
+index 58c3263d1..477cf03c4 100644
+--- a/lib/x509/x509_ext.c
++++ b/lib/x509/x509_ext.c
+@@ -1994,7 +1994,6 @@ int gnutls_x509_ext_import_policies(const gnutls_datum_t * ext,
+ ret =
+ decode_user_notice(td.data, td.size, &txt);
+ gnutls_free(td.data);
+- td.data = NULL;
+
+ if (ret < 0) {
+ gnutls_assert();
+diff --git a/lib/x509_b64.c b/lib/x509_b64.c
+index 9a1037405..3117843be 100644
+--- a/lib/x509_b64.c
++++ b/lib/x509_b64.c
+@@ -302,7 +302,6 @@ _gnutls_base64_decode(const uint8_t * data, size_t data_size,
+
+ fail:
+ gnutls_free(result->data);
+- result->data = NULL;
+
+ cleanup:
+ gnutls_free(pdata.data);
+diff --git a/tests/cert.c b/tests/cert.c
+index da0ab23df..ec566a4a4 100644
+--- a/tests/cert.c
++++ b/tests/cert.c
+@@ -89,7 +89,6 @@ static int getnextcert(DIR **dirp, gnutls_datum_t *der, int *exp_ret)
+ *exp_ret = atoi((char*)local.data);
+ success("expecting error code %d\n", *exp_ret);
+ gnutls_free(local.data);
+- local.data = NULL;
+ }
+
+ return 0;
+@@ -135,7 +134,6 @@ void doit(void)
+
+ gnutls_x509_crt_deinit(cert);
+ gnutls_free(der.data);
+- der.data = NULL;
+ der.size = 0;
+ exp_ret = -1;
+ }
+diff --git a/tests/name-constraints-ip.c b/tests/name-constraints-ip.c
+index 3dd4ff2cb..ed96109c7 100644
+--- a/tests/name-constraints-ip.c
++++ b/tests/name-constraints-ip.c
+@@ -78,7 +78,6 @@ static void check_test_result(int ret, int expected_outcome,
+ static void parse_cidr(const char* cidr, gnutls_datum_t *datum) {
+ if (datum->data != NULL) {
+ gnutls_free(datum->data);
+- datum->data = NULL;
+ }
+ int ret = gnutls_x509_cidr_to_rfc5280(cidr, datum);
+ check_for_error(ret);
+@@ -699,7 +698,7 @@ static int teardown(void **state) {
+ gnutls_free(test_vars->ip.data);
+ gnutls_x509_name_constraints_deinit(test_vars->nc);
+ gnutls_x509_name_constraints_deinit(test_vars->nc2);
+- gnutls_free(test_vars);
++ gnutls_free(*state);
+ return 0;
+ }
+
+diff --git a/tests/pkcs11/pkcs11-import-url-privkey.c b/tests/pkcs11/pkcs11-import-url-privkey.c
+index cb44fb1e5..c7e06eb1a 100644
+--- a/tests/pkcs11/pkcs11-import-url-privkey.c
++++ b/tests/pkcs11/pkcs11-import-url-privkey.c
+@@ -85,7 +85,6 @@ void doit(void)
+ for (i=0;i<obj_list_size;i++)
+ gnutls_pkcs11_obj_deinit(obj_list[i]);
+ gnutls_free(obj_list);
+- obj_list = NULL;
+ obj_list_size = 0;
+
+ #ifndef _WIN32
+@@ -116,7 +115,6 @@ void doit(void)
+ for (i=0;i<obj_list_size;i++)
+ gnutls_pkcs11_obj_deinit(obj_list[i]);
+ gnutls_free(obj_list);
+- obj_list = NULL;
+ obj_list_size = 0;
+ }
+ #endif
+diff --git a/tests/pkcs11/pkcs11-privkey-always-auth.c b/tests/pkcs11/pkcs11-privkey-always-auth.c
+index 3561c412f..441f63722 100644
+--- a/tests/pkcs11/pkcs11-privkey-always-auth.c
++++ b/tests/pkcs11/pkcs11-privkey-always-auth.c
+@@ -175,7 +175,6 @@ void doit(void)
+ pin_called = 0;
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ /* call again - should re-authenticate */
+ ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
+@@ -190,7 +189,6 @@ void doit(void)
+ pin_called = 0;
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ if (debug)
+ printf("done\n\n\n");
+diff --git a/tests/pkcs11/pkcs11-privkey-fork-reinit.c b/tests/pkcs11/pkcs11-privkey-fork-reinit.c
+index 1535d644f..a72584225 100644
+--- a/tests/pkcs11/pkcs11-privkey-fork-reinit.c
++++ b/tests/pkcs11/pkcs11-privkey-fork-reinit.c
+@@ -123,7 +123,6 @@ void doit(void)
+ }
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ pid = fork();
+ if (pid != 0) {
+diff --git a/tests/pkcs11/pkcs11-privkey-fork.c b/tests/pkcs11/pkcs11-privkey-fork.c
+index 9d301d7d6..b99755c73 100644
+--- a/tests/pkcs11/pkcs11-privkey-fork.c
++++ b/tests/pkcs11/pkcs11-privkey-fork.c
+@@ -123,7 +123,6 @@ void doit(void)
+ }
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ pid = fork();
+ if (pid != 0) {
+diff --git a/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c b/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c
+index 1b5b34054..a4ab5b5aa 100644
+--- a/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c
++++ b/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c
+@@ -157,7 +157,6 @@ void doit(void)
+ pin_called = 0;
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ /* call again - should re-authenticate */
+ ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
+@@ -172,7 +171,6 @@ void doit(void)
+ pin_called = 0;
+
+ gnutls_free(sig.data);
+- sig.data = NULL;
+
+ if (debug)
+ printf("done\n\n\n");
+diff --git a/tests/pkcs7.c b/tests/pkcs7.c
+index a490976fc..2d5a5548d 100644
+--- a/tests/pkcs7.c
++++ b/tests/pkcs7.c
+@@ -90,7 +90,6 @@ static int getnextfile(DIR **dirp, gnutls_datum_t *der, int *exp_ret)
+ *exp_ret = atoi((char*)local.data);
+ success("expecting error code %d\n", *exp_ret);
+ gnutls_free(local.data);
+- local.data = NULL;
+ }
+
+ return 0;
+@@ -134,7 +133,6 @@ void doit(void)
+
+ gnutls_pkcs7_deinit(cert);
+ gnutls_free(der.data);
+- der.data = NULL;
+ der.size = 0;
+ exp_ret = -1;
+ }
+diff --git a/tests/resume-dtls.c b/tests/resume-dtls.c
+index 9e6327c7f..b5b214313 100644
+--- a/tests/resume-dtls.c
++++ b/tests/resume-dtls.c
+@@ -363,7 +363,6 @@ static void server(int sds[], struct params_res *params)
+ }
+
+ gnutls_free(session_ticket_key.data);
+- session_ticket_key.data = NULL;
+ gnutls_anon_free_server_credentials(anoncred);
+
+ if (debug)
+diff --git a/tests/resume.c b/tests/resume.c
+index 84314b836..3dc225136 100644
+--- a/tests/resume.c
++++ b/tests/resume.c
+@@ -873,7 +873,6 @@ static void server(int sds[], struct params_res *params)
+ }
+
+ gnutls_free(session_ticket_key.data);
+- session_ticket_key.data = NULL;
+
+ if (debug)
+ success("server: finished\n");
+diff --git a/tests/sign-verify-data.c b/tests/sign-verify-data.c
+index 3aa261175..558ad2253 100644
+--- a/tests/sign-verify-data.c
++++ b/tests/sign-verify-data.c
+@@ -153,7 +153,6 @@ void doit(void)
+
+ /* test the raw interface */
+ gnutls_free(signature.data);
+- signature.data = NULL;
+
+ gnutls_free(signature.data);
+ gnutls_x509_crt_deinit(crt);
+diff --git a/tests/sign-verify-ext.c b/tests/sign-verify-ext.c
+index eecb1f357..cc80bf907 100644
+--- a/tests/sign-verify-ext.c
++++ b/tests/sign-verify-ext.c
+@@ -186,9 +186,7 @@ void doit(void)
+
+ /* test the raw interface */
+ gnutls_free(signature.data);
+- signature.data = NULL;
+ gnutls_free(signature2.data);
+- signature2.data = NULL;
+
+ if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) ==
+ GNUTLS_PK_RSA) {
+diff --git a/tests/sign-verify-ext4.c b/tests/sign-verify-ext4.c
+index 81aa345bf..be582ec14 100644
+--- a/tests/sign-verify-ext4.c
++++ b/tests/sign-verify-ext4.c
+@@ -227,7 +227,6 @@ void doit(void)
+ testfail("gnutls_pubkey_verify_data2\n");
+
+ gnutls_free(signature.data);
+- signature.data = NULL;
+
+
+ if (!tests[i].data_only) {
+@@ -243,7 +242,6 @@ void doit(void)
+ testfail("gnutls_pubkey_verify_hash2-1 (hashed data)\n");
+
+ gnutls_free(signature2.data);
+- signature2.data = NULL;
+ }
+
+ if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) ==
+diff --git a/tests/sign-verify.c b/tests/sign-verify.c
+index 1fbed5ece..5a14741fc 100644
+--- a/tests/sign-verify.c
++++ b/tests/sign-verify.c
+@@ -206,7 +206,6 @@ void doit(void)
+
+ /* test the raw interface */
+ gnutls_free(signature.data);
+- signature.data = NULL;
+
+ if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) ==
+ GNUTLS_PK_RSA) {
+diff --git a/tests/x509-extensions.c b/tests/x509-extensions.c
+index d480f8364..a062c1ba8 100644
+--- a/tests/x509-extensions.c
++++ b/tests/x509-extensions.c
+@@ -767,7 +767,6 @@ void doit(void)
+ }
+ }
+ gnutls_free(ext.data);
+- ext.data = NULL;
+ }
+
+ if (debug)
+diff --git a/tests/x509sign-verify-error.c b/tests/x509sign-verify-error.c
+index 54bdc40ab..97c966685 100644
+--- a/tests/x509sign-verify-error.c
++++ b/tests/x509sign-verify-error.c
+@@ -181,7 +181,6 @@ void doit(void)
+ fail("gnutls_privkey_sign_hash\n");
+
+ gnutls_free(signature2.data);
+- signature2.data = NULL;
+
+ _gnutls_lib_simulate_error();
+ ret = gnutls_privkey_sign_hash(privkey, GNUTLS_DIG_SHA1, 0,
+--
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p3.patch b/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p3.patch
new file mode 100644
index 00000000..d27ea4a9
--- /dev/null
+++ b/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3829_p3.patch
@@ -0,0 +1,36 @@
+From bf616850cf20af2bec3d68b82e6ac610ee8fc404 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Tue, 12 Feb 2019 15:20:23 +0100
+Subject: [PATCH 3/3] gnutls_x509_crt_init: Fix dereference of NULL pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
+
+CVE: CVE-2019-3829
+Upstream-Status: Backport
+[https://gitlab.com/gnutls/gnutls/commit/6b5cbc9ea5bdca704bdbe2f8fb551f720d634bc6]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ lib/x509/x509.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/x509/x509.c b/lib/x509/x509.c
+index c149881f6..cc232ea50 100644
+--- a/lib/x509/x509.c
++++ b/lib/x509/x509.c
+@@ -224,8 +224,8 @@ int gnutls_x509_crt_init(gnutls_x509_crt_t * cert)
+ if (result < 0) {
+ gnutls_assert();
+ asn1_delete_structure(&tmp->cert);
+- gnutls_free(tmp);
+ gnutls_subject_alt_names_deinit(tmp->san);
++ gnutls_free(tmp);
+ return result;
+ }
+
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
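Review bot: The corrected error path, `gnutls_subject_alt_names_deinit(tmp->san);` followed by `gnutls_free(tmp);`, has no comment saying that the order matters, and the patch message gives no reason either. The p2 patch in this commit drops the explicit `= NULL` assignments after `gnutls_free()`, which suggests the call now clears its argument itself; under the old order `tmp->san` would then be read through a pointer that had just been freed and cleared. I would add `/* release members before tmp: gnutls_free() invalidates tmp */` above the two calls so a later tidy-up does not swap them back. The body of gnutls_x509_crt_init starts and ends outside the hunk.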
diff --git a/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3836.patch b/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3836.patch
new file mode 100644
index 00000000..4aeb6893
--- /dev/null
+++ b/external/poky/meta/recipes-support/gnutls/gnutls/CVE-2019-3836.patch
@@ -0,0 +1,35 @@
+From c68195f0ff65144d7e0c32f4de5f264c4012983a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Mon, 25 Mar 2019 16:06:39 +0100
+Subject: [PATCH] handshake: add missing initialization of local variable
+
+Resolves: #704
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
+
+CVE: CVE-2019-3836
+Upstream-Status: Backport
+[https://gitlab.com/gnutls/gnutls/commit/96e07075e8f105b13e76b11e493d5aa2dd937226]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ lib/handshake-tls13.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/handshake-tls13.c b/lib/handshake-tls13.c
+index 06c7c01d2..82689b5d8 100644
+--- a/lib/handshake-tls13.c
++++ b/lib/handshake-tls13.c
+@@ -534,6 +534,8 @@ _gnutls13_recv_async_handshake(gnutls_session_t session)
+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+
+ do {
++ _gnutls_handshake_buffer_init(&hsk);
++
+ /* the received handshake message has already been pushed into
+ * handshake buffers. As we do not need to use the handshake hash
+ * buffers we call the lower level receive functions */
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
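Review bot: The added `_gnutls_handshake_buffer_init(&hsk);` has no comment explaining why it runs at the top of every loop iteration rather than once at the declaration. Presumably an error exit taken before the receive call fills `hsk` still releases the buffer, and a second pass would otherwise start from the previous iteration's state; the exit path is outside the hunk, so this should be confirmed against the full function. If that reading holds, a line such as `/* hsk is released on every exit path, so it must be initialized before the first failure can occur */` would keep a later cleanup from hoisting or removing the call. _gnutls13_recv_async_handshake continues beyond the hunk.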
diff --git a/external/poky/meta/recipes-support/gnutls/gnutls_3.6.4.bb b/external/poky/meta/recipes-support/gnutls/gnutls_3.6.4.bb
index 6d2a11df..30873f00 100644
--- a/external/poky/meta/recipes-support/gnutls/gnutls_3.6.4.bb
+++ b/external/poky/meta/recipes-support/gnutls/gnutls_3.6.4.bb
@@ -19,6 +19,10 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
file://arm_eabi.patch \
+ file://CVE-2019-3829_p1.patch \
+ file://CVE-2019-3829_p2.patch \
+ file://CVE-2019-3829_p3.patch \
+ file://CVE-2019-3836.patch \
"
SRC_URI[md5sum] = "63363d1c00601f4d11a5cadc8b5e0799"
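Review bot: The three `CVE-2019-3829` entries are order-dependent and nothing in the recipe says so. The p3 patch's `lib/x509/x509.c` hunk is written against `index c149881f6`, which is the post-image of the p2 change to the same file, so re-sorting the list or dropping p2 would leave p3 applying against different text. A comment above the `SRC_URI` assignment, `# CVE-2019-3829_p1..p3 apply in sequence; keep this order`, would record that.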
diff --git a/external/poky/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch b/external/poky/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch
new file mode 100644
index 00000000..cda52119
--- /dev/null
+++ b/external/poky/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch
@@ -0,0 +1,176 @@
+From 263ad8ae08f287e32656d4e3e0116479f3d9ad9d Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 31 May 2019 17:27:25 +0300
+Subject: [PATCH] GCM: move look-up table to .data section and unshare between processes
+Reply-To: shuagr@microsoft.com
+
+CVE: CVE-2019-12904_p1
+Upstream-Status: Backport
+Signed-off-by: Shubham Agrawal<shuagr@microsoft.com>
+Upstream-commit : https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020
+
+* cipher/cipher-gcm.c (ATTR_ALIGNED_64): New.
+(gcmR): Move to 'gcm_table' structure.
+(gcm_table): New structure for look-up table with counters before and
+after.
+(gcmR): New macro.
+(prefetch_table): Handle input with length not multiple of 256.
+(do_prefetch_tables): Modify pre- and post-table counters to unshare
+look-up table pages between processes.
+--
+GnuPG-bug-id: 4541
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ cipher/cipher-gcm.c | 129 ++++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 95 insertions(+), 34 deletions(-)
+
+diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c
+index 6169d14..97a8015 100644
+--- a/cipher/cipher-gcm.c
++++ b/cipher/cipher-gcm.c
+@@ -30,6 +30,14 @@
+ #include "./cipher-internal.h"
+
+
++/* Helper macro to force alignment to 16 or 64 bytes. */
++#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64)))
++#else
++# define ATTR_ALIGNED_64
++#endif
++
++
+ #ifdef GCM_USE_INTEL_PCLMUL
+ extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c);
+
+@@ -63,40 +71,93 @@ ghash_armv8_ce_pmull (gcry_cipher_hd_t c, byte *result, const byte *buf,
+
+
+ #ifdef GCM_USE_TABLES
+-static const u16 gcmR[256] = {
+- 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e,
+- 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e,
+- 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e,
+- 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e,
+- 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e,
+- 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e,
+- 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e,
+- 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e,
+- 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce,
+- 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde,
+- 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee,
+- 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe,
+- 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e,
+- 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e,
+- 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae,
+- 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe,
+- 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e,
+- 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e,
+- 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e,
+- 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e,
+- 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e,
+- 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e,
+- 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e,
+- 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e,
+- 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce,
+- 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade,
+- 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee,
+- 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe,
+- 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e,
+- 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e,
+- 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae,
+- 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
+-};
++static struct
++{
++ volatile u32 counter_head;
++ u32 cacheline_align[64 / 4 - 1];
++ u16 R[256];
++ volatile u32 counter_tail;
++} gcm_table ATTR_ALIGNED_64 =
++ {
++ 0,
++ { 0, },
++ {
++ 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e,
++ 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e,
++ 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e,
++ 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e,
++ 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e,
++ 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e,
++ 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e,
++ 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e,
++ 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce,
++ 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde,
++ 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee,
++ 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe,
++ 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e,
++ 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e,
++ 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae,
++ 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe,
++ 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e,
++ 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e,
++ 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e,
++ 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e,
++ 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e,
++ 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e,
++ 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e,
++ 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e,
++ 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce,
++ 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade,
++ 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee,
++ 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe,
++ 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e,
++ 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e,
++ 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae,
++ 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
++ },
++ 0
++ };
++
++#define gcmR gcm_table.R
++static inline
++void prefetch_table(const void *tab, size_t len)
++{
++ const volatile byte *vtab = tab;
++ size_t i;
++
++ for (i = 0; len - i >= 8 * 32; i += 8 * 32)
++ {
++ (void)vtab[i + 0 * 32];
++ (void)vtab[i + 1 * 32];
++ (void)vtab[i + 2 * 32];
++ (void)vtab[i + 3 * 32];
++ (void)vtab[i + 4 * 32];
++ (void)vtab[i + 5 * 32];
++ (void)vtab[i + 6 * 32];
++ (void)vtab[i + 7 * 32];
++ }
++ for (; i < len; i += 32)
++ {
++ (void)vtab[i];
++ }
++
++ (void)vtab[len - 1];
++}
++
++static inline void
++do_prefetch_tables (const void *gcmM, size_t gcmM_size)
++{
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ gcm_table.counter_head++;
++ gcm_table.counter_tail++;
++
++ /* Prefetch look-up tables to cache. */
++ prefetch_table(gcmM, gcmM_size);
++ prefetch_table(&gcm_table, sizeof(gcm_table));
++}
+
+ #ifdef GCM_TABLES_USE_U64
+ static void
+--
+2.7.4
+
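Review bot: Nothing in this patch calls `do_prefetch_tables`: the two hunks account for the whole diffstat (95 insertions, 34 deletions) and only define it, and because it is `static inline` an unused definition is unlikely to draw a compiler warning. As backported, `gcm_table.counter_head` and `counter_tail` are therefore never written, so the copy-on-write unsharing described in the commit message does not happen for the GCM table, and the table is never prefetched. The libgcrypt recipe hunk in this commit adds only `CVE-2019-12904_p1.patch` and `CVE-2019-12904_p2.patch`, and p2 touches only the rijndael files, so the call sites in the table-based GHASH code appear to be missing and would need to be backported as well. Separately, `prefetch_table` reads `vtab[len - 1]`, which indexes out of bounds when `len` is 0; an `if (len == 0) return;` at the top would make the precondition explicit.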
diff --git a/external/poky/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch b/external/poky/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch
new file mode 100644
index 00000000..0cb503ed
--- /dev/null
+++ b/external/poky/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch
@@ -0,0 +1,330 @@
+From a5c359cc68a4def9bf39f63070837d89711b4e17 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 31 May 2019 17:18:09 +0300
+Subject: [PATCH] AES: move look-up tables to .data section and unshare between processes
+Reply-To: shuagr@microsoft.com
+
+CVE: CVE-2019-12904_p2
+Upstream-status: Backport
+Signed-off-by: Shubham Agrawal<shuagr@microsoft.com>
+Upstream-commit: https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762
+
+* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New.
+* cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure.
+(enc_tables): New structure for encryption table with counters before
+and after.
+(encT): New macro.
+(dec_tables): Add counters before and after encryption table; Move
+from .rodata to .data section.
+(do_encrypt): Change 'encT' to 'enc_tables.T'.
+(do_decrypt): Change '&dec_tables' to 'dec_tables.T'.
+* cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input
+with length not multiple of 256.
+(prefetch_enc, prefetch_dec): Modify pre- and post-table counters
+to unshare look-up table pages between processes.
+--
+
+GnuPG-bug-id: 4541
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ cipher/rijndael-internal.h | 4 +-
+ cipher/rijndael-tables.h | 155 +++++++++++++++++++++++++--------------------
+ cipher/rijndael.c | 35 ++++++++--
+ 3 files changed, 118 insertions(+), 76 deletions(-)
+
+diff --git a/cipher/rijndael-internal.h b/cipher/rijndael-internal.h
+index 160fb8c..a62d4b7 100644
+--- a/cipher/rijndael-internal.h
++++ b/cipher/rijndael-internal.h
+@@ -29,11 +29,13 @@
+ #define BLOCKSIZE (128/8)
+
+
+-/* Helper macro to force alignment to 16 bytes. */
++/* Helper macro to force alignment to 16 or 64 bytes. */
+ #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
+ # define ATTR_ALIGNED_16 __attribute__ ((aligned (16)))
++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64)))
+ #else
+ # define ATTR_ALIGNED_16
++# define ATTR_ALIGNED_64
+ #endif
+
+
+diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h
+index 8359470..b54d959 100644
+--- a/cipher/rijndael-tables.h
++++ b/cipher/rijndael-tables.h
+@@ -21,80 +21,98 @@
+ /* To keep the actual implementation at a readable size we use this
+ include file to define the tables. */
+
+-static const u32 encT[256] =
++static struct
++{
++ volatile u32 counter_head;
++ u32 cacheline_align[64 / 4 - 1];
++ u32 T[256];
++ volatile u32 counter_tail;
++} enc_tables ATTR_ALIGNED_64 =
+ {
+- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
+- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
+- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
+- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
+- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
+- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
+- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
+- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
+- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
+- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
+- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
+- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
+- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
+- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
+- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
+- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
+- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
+- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
+- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
+- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
+- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
+- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
+- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
+- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
+- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
+- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
+- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
+- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
+- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
+- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
+- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
+- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
+- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
+- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
+- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
+- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
+- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
+- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
+- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
+- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
+- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
+- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
+- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
+- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
+- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
+- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
+- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
+- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
+- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
+- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
+- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
+- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
+- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
+- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
+- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
+- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
+- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
+- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
+- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
+- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
+- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
+- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
+- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
+- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c
++ 0,
++ { 0, },
++ {
++ 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
++ 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
++ 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
++ 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
++ 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
++ 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
++ 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
++ 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
++ 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
++ 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
++ 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
++ 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
++ 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
++ 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
++ 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
++ 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
++ 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
++ 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
++ 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
++ 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
++ 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
++ 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
++ 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
++ 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
++ 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
++ 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
++ 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
++ 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
++ 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
++ 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
++ 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
++ 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
++ 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
++ 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
++ 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
++ 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
++ 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
++ 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
++ 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
++ 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
++ 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
++ 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
++ 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
++ 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
++ 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
++ 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
++ 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
++ 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
++ 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
++ 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
++ 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
++ 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
++ 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
++ 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
++ 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
++ 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
++ 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
++ 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
++ 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
++ 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
++ 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
++ 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
++ 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
++ 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c
++ },
++ 0
+ };
+
+-static const struct
++#define encT enc_tables.T
++
++static struct
+ {
++ volatile u32 counter_head;
++ u32 cacheline_align[64 / 4 - 1];
+ u32 T[256];
+ byte inv_sbox[256];
+-} dec_tables =
++ volatile u32 counter_tail;
++} dec_tables ATTR_ALIGNED_64 =
+ {
++ 0,
++ { 0, },
+ {
+ 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a,
+ 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b,
+@@ -194,7 +212,8 @@ static const struct
+ 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61,
+ 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26,
+ 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d
+- }
++ },
++ 0
+ };
+
+ #define decT dec_tables.T
+diff --git a/cipher/rijndael.c b/cipher/rijndael.c
+index 8637195..d0edab2 100644
+--- a/cipher/rijndael.c
++++ b/cipher/rijndael.c
+@@ -227,11 +227,11 @@ static const char *selftest(void);
+
+
+ /* Prefetching for encryption/decryption tables. */
+-static void prefetch_table(const volatile byte *tab, size_t len)
++static inline void prefetch_table(const volatile byte *tab, size_t len)
+ {
+ size_t i;
+
+- for (i = 0; i < len; i += 8 * 32)
++ for (i = 0; len - i >= 8 * 32; i += 8 * 32)
+ {
+ (void)tab[i + 0 * 32];
+ (void)tab[i + 1 * 32];
+@@ -242,17 +242,37 @@ static void prefetch_table(const volatile byte *tab, size_t len)
+ (void)tab[i + 6 * 32];
+ (void)tab[i + 7 * 32];
+ }
++ for (; i < len; i += 32)
++ {
++ (void)tab[i];
++ }
+
+ (void)tab[len - 1];
+ }
+
+ static void prefetch_enc(void)
+ {
+- prefetch_table((const void *)encT, sizeof(encT));
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ enc_tables.counter_head++;
++ enc_tables.counter_tail++;
++
++ /* Prefetch look-up tables to cache. */
++ prefetch_table((const void *)&enc_tables, sizeof(enc_tables));
+ }
+
+ static void prefetch_dec(void)
+ {
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ dec_tables.counter_head++;
++ dec_tables.counter_tail++;
++
++ /* Prefetch look-up tables to cache. */
+ prefetch_table((const void *)&dec_tables, sizeof(dec_tables));
+ }
+
+@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx,
+ #ifdef USE_AMD64_ASM
+ # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
+ return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
+- encT);
++ enc_tables.T);
+ # else
+ /* Call SystemV ABI function without storing non-volatile XMM registers,
+ * as target function does not use vector instruction sets. */
+@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx,
+ return ret;
+ # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
+ #elif defined(USE_ARM_ASM)
+- return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT);
++ return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
++ enc_tables.T);
+ #else
+ return do_encrypt_fn (ctx, bx, ax);
+ #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/
+@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
+ #ifdef USE_AMD64_ASM
+ # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
+ return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
+- &dec_tables);
++ dec_tables.T);
+ # else
+ /* Call SystemV ABI function without storing non-volatile XMM registers,
+ * as target function does not use vector instruction sets. */
+@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
+ # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
+ #elif defined(USE_ARM_ASM)
+ return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
+- &dec_tables);
++ dec_tables.T);
+ #else
+ return do_decrypt_fn (ctx, bx, ax);
+ #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/
+--
+2.7.4
+
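Review bot: The header tags of this patch do not match the form used by the gnutls patches in the same commit: `Upstream-status: Backport` is spelled with a lower-case `s`, and `CVE: CVE-2019-12904_p2` puts the file-name suffix into the identifier. Tooling that matches `Upstream-Status:` exactly, or that compares the `CVE:` value with an identifier, may not recognise them; I would write `Upstream-Status: Backport` and `CVE: CVE-2019-12904`. The same `CVE:` suffix appears in CVE-2019-12904_p1.patch. On the code itself, as far as the patch shows the counters are only ever incremented and never read, and the increments in `prefetch_enc` and `prefetch_dec` are unsynchronized; the comments there could say so, e.g. `/* value is irrelevant; only the write matters, so no locking */`.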
diff --git a/external/poky/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/external/poky/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
index fda68a29..13d03788 100644
--- a/external/poky/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
+++ b/external/poky/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
@@ -21,6 +21,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
file://0003-tests-bench-slope.c-workaround-ICE-failure-on-mips-w.patch \
file://0002-libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \
file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \
+ file://CVE-2019-12904_p1.patch \
+ file://CVE-2019-12904_p2.patch \
"
SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573"
SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227"
diff --git a/external/poky/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch b/external/poky/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch
new file mode 100644
index 00000000..dc3d558e
--- /dev/null
+++ b/external/poky/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch
@@ -0,0 +1,161 @@
+Upstream-Status: Backport [https://dev.gnupg.org/T4459]
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+
+From 37069826e497d6af01e3e48fe5d2220ae7f85449 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Mon, 15 Apr 2019 15:10:44 +0900
+Subject: [PATCH] awk: Prepare for Gawk 5.0.
+
+* src/Makefile.am: Use pkg_namespace (instead of namespace).
+* src/mkerrnos.awk: Likewise.
+* lang/cl/mkerrcodes.awk: Don't escape # in regexp.
+* src/mkerrcodes.awk, src/mkerrcodes1.awk, src/mkerrcodes2.awk: Ditto.
+
+--
+
+In Gawk 5.0, regexp routines are replaced by Gnulib implementation,
+which only allows escaping specific characters.
+
+GnuPG-bug-id: 4459
+Reported-by: Marius Schamschula
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ lang/cl/mkerrcodes.awk | 2 +-
+ src/Makefile.am | 2 +-
+ src/mkerrcodes.awk | 2 +-
+ src/mkerrcodes1.awk | 2 +-
+ src/mkerrcodes2.awk | 2 +-
+ src/mkerrnos.awk | 2 +-
+ src/mkstrtable.awk | 10 +++++-----
+ 7 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/lang/cl/mkerrcodes.awk b/lang/cl/mkerrcodes.awk
+index ae29043..9a1fc18 100644
+--- a/lang/cl/mkerrcodes.awk
++++ b/lang/cl/mkerrcodes.awk
+@@ -122,7 +122,7 @@ header {
+ }
+
+ !header {
+- sub (/\#.+/, "");
++ sub (/#.+/, "");
+ sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+
+ if (/^$/)
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 42998e4..0ceac9f 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -281,7 +281,7 @@ code-from-errno.h: mkerrcodes Makefile
+
+ errnos-sym.h: Makefile mkstrtable.awk errnos.in
+ $(AWK) -f $(srcdir)/mkstrtable.awk -v textidx=2 -v nogettext=1 \
+- -v prefix=GPG_ERR_ -v namespace=errnos_ \
++ -v prefix=GPG_ERR_ -v pkg_namespace=errnos_ \
+ $(srcdir)/errnos.in >$@
+
+
+diff --git a/src/mkerrcodes.awk b/src/mkerrcodes.awk
+index 46d436c..e9c857c 100644
+--- a/src/mkerrcodes.awk
++++ b/src/mkerrcodes.awk
+@@ -85,7 +85,7 @@ header {
+ }
+
+ !header {
+- sub (/\#.+/, "");
++ sub (/#.+/, "");
+ sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+
+ if (/^$/)
+diff --git a/src/mkerrcodes1.awk b/src/mkerrcodes1.awk
+index a771a73..4578e29 100644
+--- a/src/mkerrcodes1.awk
++++ b/src/mkerrcodes1.awk
+@@ -81,7 +81,7 @@ header {
+ }
+
+ !header {
+- sub (/\#.+/, "");
++ sub (/#.+/, "");
+ sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+
+ if (/^$/)
+diff --git a/src/mkerrcodes2.awk b/src/mkerrcodes2.awk
+index ea58503..188f7a4 100644
+--- a/src/mkerrcodes2.awk
++++ b/src/mkerrcodes2.awk
+@@ -91,7 +91,7 @@ header {
+ }
+
+ !header {
+- sub (/\#.+/, "");
++ sub (/#.+/, "");
+ sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+
+ if (/^$/)
+diff --git a/src/mkerrnos.awk b/src/mkerrnos.awk
+index f79df66..15b1aad 100644
+--- a/src/mkerrnos.awk
++++ b/src/mkerrnos.awk
+@@ -83,7 +83,7 @@ header {
+ }
+
+ !header {
+- sub (/\#.+/, "");
++ sub (/#.+/, "");
+ sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+
+ if (/^$/)
+diff --git a/src/mkstrtable.awk b/src/mkstrtable.awk
+index c9de9c1..285e45f 100644
+--- a/src/mkstrtable.awk
++++ b/src/mkstrtable.awk
+@@ -77,7 +77,7 @@
+ #
+ # The variable prefix can be used to prepend a string to each message.
+ #
+-# The variable namespace can be used to prepend a string to each
++# The variable pkg_namespace can be used to prepend a string to each
+ # variable and macro name.
+
+ BEGIN {
+@@ -102,7 +102,7 @@ header {
+ print "/* The purpose of this complex string table is to produce";
+ print " optimal code with a minimum of relocations. */";
+ print "";
+- print "static const char " namespace "msgstr[] = ";
++ print "static const char " pkg_namespace "msgstr[] = ";
+ header = 0;
+ }
+ else
+@@ -110,7 +110,7 @@ header {
+ }
+
+ !header {
+- sub (/\#.+/, "");
++ sub (/#.+/, "");
+ sub (/[ ]+$/, ""); # Strip trailing space and tab characters.
+
+ if (/^$/)
+@@ -150,7 +150,7 @@ END {
+ else
+ print " gettext_noop (\"" last_msgstr "\");";
+ print "";
+- print "static const int " namespace "msgidx[] =";
++ print "static const int " pkg_namespace "msgidx[] =";
+ print " {";
+ for (i = 0; i < coded_msgs; i++)
+ print " " pos[i] ",";
+@@ -158,7 +158,7 @@ END {
+ print " };";
+ print "";
+ print "static GPG_ERR_INLINE int";
+- print namespace "msgidxof (int code)";
++ print pkg_namespace "msgidxof (int code)";
+ print "{";
+ print " return (0 ? 0";
+
+--
+2.23.0
+
diff --git a/external/poky/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb b/external/poky/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb
index e552001c..52ae11a9 100644
--- a/external/poky/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb
+++ b/external/poky/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgpg-error/libgpg-error-${PV}.tar.bz2 \
file://pkgconfig.patch \
file://0001-syscfg-Support-ARC-CPUs-and-simplify-aliasing-table.patch \
file://0002-syscfg-Add-support-for-arc-unknown-linux-gnu.patch \
+ file://libgpg-error-1.35-gawk5-support.patch \
"
SRC_URI[md5sum] = "ef3d928a5a453fa701ecc3bb22be1c64"
SRC_URI[sha256sum] = "c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca"
diff --git a/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
new file mode 100644
index 00000000..ef3f2709
--- /dev/null
+++ b/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
@@ -0,0 +1,33 @@
+From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: [PATCH] Fix uninitialized read of xsl:number token
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2019-13117
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668..75c31eba 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ tokens->tokens[tokens->nTokens].token = val - 1;
+ ix += len;
+ val = xmlStringCurrentChar(NULL, format+ix, &len);
+- }
++ } else {
++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++ tokens->tokens[tokens->nTokens].width = 1;
++ }
+ } else if ( (val == (xmlChar)'A') ||
+ (val == (xmlChar)'a') ||
+ (val == (xmlChar)'I') ||
+--
+2.21.0
+
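Review bot: The new `else` branch in xsltNumberFormatTokenize has no comment saying which input it handles, and its governing `if` lies outside the hunk, so the patch alone does not show why `'0'` and width 1 are the right defaults. I would add above the two assignments something like `/* no usable digit token was parsed: fall back to decimal '0', width 1, so token/width are never read uninitialized */`, with the wording checked against the enclosing condition. The patch also touches only libxslt/numbers.c; unlike the CVE-2019-13118 backport it brings no regression input, so nothing in the tree exercises this path after the fix.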
diff --git a/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
new file mode 100644
index 00000000..595e6c2f
--- /dev/null
+++ b/external/poky/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
@@ -0,0 +1,76 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2019-13118
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ libxslt/numbers.c | 5 +++--
+ tests/docs/bug-222.xml | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+ number = floor((scale * number + 0.5)) / scale;
+ if ((self->grouping != NULL) &&
+ (self->grouping[0] != 0)) {
++ int gchar;
+
+ len = xmlStrlen(self->grouping);
+- pchar = xsltGetUTF8Char(self->grouping, &len);
++ gchar = xsltGetUTF8Char(self->grouping, &len);
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+ format_info.group,
+- pchar, len);
++ gchar, len);
+ } else
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 00000000..e3139698
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 00000000..e32dc473
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++ <xsl:decimal-format name="f" grouping-separator="⠢"/>
++ <xsl:template match="/">
++ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++ </xsl:template>
++</xsl:stylesheet>
+--
+2.21.0
+
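Review bot: `gchar` is handed to xsltNumberFormatDecimal without checking whether xsltGetUTF8Char failed. That function returns a negative value for a malformed sequence, and with the wider `int` that value now reaches the callee intact. Whether xsltNumberFormatDecimal rejects a negative grouping character is not visible in this hunk, so I would either treat `gchar < 0` like a missing separator and take the existing ungrouped `else` call, or document the assumption next to the declaration: `/* int, not xmlChar: holds a full code point, or < 0 on malformed UTF-8 */`. The enclosing function starts and ends outside the hunk.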
diff --git a/external/poky/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch b/external/poky/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch
new file mode 100644
index 00000000..83ca8a3c
--- /dev/null
+++ b/external/poky/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch
@@ -0,0 +1,128 @@
+From aed812d8dbbb6d1337312652aa72aa7f44d2b07d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: [PATCH] Fix security framework bypass
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+
+Signed-off-by: Muminul Islam <muminul.islam@microsoft.com>
+
+CVE: CVE-2019-11068
+
+Upstream-Status: Backport
+
+https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c | 9 +++++----
+ libxslt/transform.c | 9 +++++----
+ libxslt/xslt.c | 9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312..4aad11bb 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(ctxt->sec, ctxt, URI);
+- if (res == 0) {
+- xsltTransformError(ctxt, NULL, NULL,
+- "xsltLoadDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(ctxt, NULL, NULL,
++ "xsltLoadDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, URI);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltLoadStyleDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltLoadStyleDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 7262aab9..b62e0877 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ int secres;
+
+ secres = xsltCheckRead(sec, NULL, URI);
+- if (secres == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsl:import: read rights for %s denied\n",
+- URI);
++ if (secres <= 0) {
++ if (secres == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsl:import: read rights for %s denied\n",
++ URI);
+ goto error;
+ }
+ }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 560f43ca..46eef553 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3485,10 +3485,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ */
+ if (ctxt->sec != NULL) {
+ ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+- if (ret == 0) {
+- xsltTransformError(ctxt, NULL, inst,
+- "xsltDocumentElem: write rights for %s denied\n",
+- filename);
++ if (ret <= 0) {
++ if (ret == 0)
++ xsltTransformError(ctxt, NULL, inst,
++ "xsltDocumentElem: write rights for %s denied\n",
++ filename);
+ xmlFree(URL);
+ xmlFree(filename);
+ return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 54a39de9..359913e4 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, filename);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltParseStylesheetFile: read rights for %s denied\n",
+- filename);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltParseStylesheetFile: read rights for %s denied\n",
++ filename);
+ return(NULL);
+ }
+ }
+--
+2.23.0
+
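Review bot: On the `res < 0` path all five call sites (xsltLoadDocument, xsltLoadStyleDocument, xsltParseStylesheetImport, xsltDocumentElem, xsltParseStylesheetFile) now fail closed but print nothing, because the message stays under `if (res == 0)`. Unless xsltCheckRead/xsltCheckWrite report the error themselves, which these hunks do not show, a load rejected because the security check errored out leaves no trace for whoever has to diagnose it. A short comment at each site such as `/* res < 0: check itself failed; deny access, error already reported by xsltCheckRead */` would record that assumption. Separately, the header says `From aed812d8dbbb…` while the upstream link points at commit `e03553605b45…`, and the link sits on its own line instead of inside `Upstream-Status: Backport [URL]` as the other libxslt patches here do. Aligning these keeps the backport traceable.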
diff --git a/external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb b/external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb
index f0fa5e72..e2a515f8 100644
--- a/external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb
+++ b/external/poky/meta/recipes-support/libxslt/libxslt_1.1.32.bb
@@ -10,7 +10,10 @@ DEPENDS = "libxml2"
SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
file://fix-rvts-handling.patch \
- "
+ file://CVE-2019-11068.patch \
+ file://CVE-2019-13117.patch \
+ file://CVE-2019-13118.patch \
+"
SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146"
SRC_URI[sha256sum] = "526ecd0abaf4a7789041622c3950c0e7f2c4c8835471515fd77eec684a355460"
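Review bot: The three CVE patches listed here are created in two different directories: CVE-2019-11068.patch under `libxslt/libxslt/`, CVE-2019-13117.patch and CVE-2019-13118.patch under `libxslt/files/`. Both are presumably on the recipe's file search path, but keeping one location makes it easier to see at a glance which security fixes a recipe carries. The closing quote of SRC_URI also moves from its indented position to column 0; I would keep it aligned with the entries as before.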
diff --git a/external/poky/meta/recipes-support/sqlite/files/CVE-2019-8457.patch b/external/poky/meta/recipes-support/sqlite/files/CVE-2019-8457.patch
new file mode 100644
index 00000000..5883774e
--- /dev/null
+++ b/external/poky/meta/recipes-support/sqlite/files/CVE-2019-8457.patch
@@ -0,0 +1,126 @@
+From fbf2392644f0ae4282fa4583c9bb67260995d983 Mon Sep 17 00:00:00 2001
+From: Shubham Agrawal <shuagr@microsoft.com>
+Date: Mon, 23 Sep 2019 20:58:47 +0000
+Subject: [PATCH] sqlite: fix for CVE-2019-8457
+
+Upstream-Status: Backport
+CVE: CVE-2019-8457
+Signed-off-by: Shubham Agrawal <shuagr@microsoft.com>
+---
+ sqlite3.c | 50 +++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 00513d4..5c8c7f4 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -172325,6 +172325,33 @@
+ }
+
+
++/* Allocate and initialize a new dynamic string object */
++StrAccum *sqlite3_str_new(sqlite3 *db){
++ StrAccum *p = sqlite3DbMallocRaw(db, sizeof(*p));
++ if( p ){
++ sqlite3StrAccumInit(p, db, 0, 0, SQLITE_MAX_LENGTH);
++ }
++ return p;
++}
++
++/* Finalize a string created using sqlite3_str_new().
++*/
++
++char *sqlite3_str_finish(StrAccum *p){
++ char *z;
++ if( p ){
++ z = sqlite3StrAccumFinish(p);
++ sqlite3DbFree(p->db, p);
++ }else{
++ z = 0;
++ }
++ return z;
++}
++/* Return any error code associated with p */
++int sqlite3_str_errcode(StrAccum *p){
++ return p ? p->accError : SQLITE_NOMEM;
++}
++
+ /*
+ ** Implementation of a scalar function that decodes r-tree nodes to
+ ** human readable strings. This can be used for debugging and analysis.
+@@ -172342,49 +172369,53 @@
+ ** <num-dimension>*2 coordinates.
+ */
+ static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){
+- char *zText = 0;
++
+ RtreeNode node;
+ Rtree tree;
+ int ii;
++ int nData;
++ int errCode;
++ StrAccum *pOut;
+
+ UNUSED_PARAMETER(nArg);
+ memset(&node, 0, sizeof(RtreeNode));
+ memset(&tree, 0, sizeof(Rtree));
+ tree.nDim = (u8)sqlite3_value_int(apArg[0]);
++ if( tree.nDim<1 || tree.nDim>5 ) return;
+ tree.nDim2 = tree.nDim*2;
+ tree.nBytesPerCell = 8 + 8 * tree.nDim;
+ node.zData = (u8 *)sqlite3_value_blob(apArg[1]);
++ nData = sqlite3_value_bytes(apArg[1]);
++ if( nData<4 ) return;
++ if( nData<NCELL(&node)*tree.nBytesPerCell ) return;
+
++ pOut = sqlite3_str_new(0);
+ for(ii=0; ii<NCELL(&node); ii++){
+- char zCell[512];
+- int nCell = 0;
++
++
+ RtreeCell cell;
+ int jj;
+
+ nodeGetCell(&tree, &node, ii, &cell);
+- sqlite3_snprintf(512-nCell,&zCell[nCell],"%lld", cell.iRowid);
+- nCell = (int)strlen(zCell);
++ if( ii>0 ) sqlite3StrAccumAppend(pOut, " ", 1);
++ sqlite3XPrintf(pOut, "{%lld", cell.iRowid);
++
+ for(jj=0; jj<tree.nDim2; jj++){
+ #ifndef SQLITE_RTREE_INT_ONLY
+- sqlite3_snprintf(512-nCell,&zCell[nCell], " %g",
+- (double)cell.aCoord[jj].f);
++
++ sqlite3XPrintf(pOut, " %g", (double)cell.aCoord[jj].f);
+ #else
+- sqlite3_snprintf(512-nCell,&zCell[nCell], " %d",
+- cell.aCoord[jj].i);
++
++ sqlite3XPrintf(pOut, " %d", cell.aCoord[jj].i);
+ #endif
+- nCell = (int)strlen(zCell);
+- }
+
+- if( zText ){
+- char *zTextNew = sqlite3_mprintf("%s {%s}", zText, zCell);
+- sqlite3_free(zText);
+- zText = zTextNew;
+- }else{
+- zText = sqlite3_mprintf("{%s}", zCell);
+ }
++ sqlite3StrAccumAppend(pOut, "}", 1);
+ }
+-
+- sqlite3_result_text(ctx, zText, -1, sqlite3_free);
++
++ errCode = sqlite3_str_errcode(pOut);
++ sqlite3_result_text(ctx, sqlite3_str_finish(pOut), -1, sqlite3_free);
++ sqlite3_result_error_code(ctx, errCode);
+ }
+
+ /* This routine implements an SQL function that returns the "depth" parameter
+--
+2.7.4
+
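Review bot: `pOut = sqlite3_str_new(0);` in rtreenode is used without a NULL check, yet the backported sqlite3_str_new returns the result of sqlite3DbMallocRaw unchanged. On allocation failure the loop therefore hands a null accumulator to sqlite3StrAccumAppend and sqlite3XPrintf; only sqlite3_str_finish and sqlite3_str_errcode tolerate NULL. I would add `if( pOut==0 ){ sqlite3_result_error_nomem(ctx); return; }` right after the allocation. The three helpers are also added without `static`, so this amalgamation now exports symbols with public-looking `sqlite3_str_*` names that its header presumably does not declare; consider making them `static`. Finally, `Upstream-Status: Backport` names no upstream commit or URL, which makes the fix harder to audit against its origin.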
diff --git a/external/poky/meta/recipes-support/sqlite/sqlite3_3.23.1.bb b/external/poky/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
index d214ea15..7df61cd1 100644
--- a/external/poky/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
+++ b/external/poky/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
@@ -7,6 +7,7 @@ SRC_URI = "\
http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
file://CVE-2018-20505.patch \
file://CVE-2018-20506.patch \
+ file://CVE-2019-8457.patch \
"
SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"
SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"