Add python3

Include python3 curses module due to the snake.py need it.

Signed-off-by: Chen Wang <unicorn_wang@outlook.com>

CHANGES

@@ -1,3 +1,33 @@
+2026.02, released March 4th, 2026
+
+	Various fixes.
+
+	Updated/fixed packages: freerdp, graphicsmagick, ruby, nsquid,
+	vim
+
+2026.02-rc3, released March 2nd, 2026
+
+	Fixes all over the tree.
+
+	support/testing/run-tests: Work around a node2 patch in Debian
+	testing/unstable:
+	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129350
+
+	Updated/fixed packages: bind, botan, containerd, cups, gpsd,
+	flashbench, igmpproxy, imagemagick, libssh, libunistring,
+	libvirt, mesa3d, mupdf, openscap, patch, poco,
+	python-multipart, rtl_433, safeclib, samba4, tinyproxy,
+	udisks, webkitgtk, wireshark, wlroots, wpewebkit
+
+2026.02-rc2, released February 24th, 2026
+
+	Fixes all over the tree.
+
+	Updated/fixed packages: bind, c-ares, libzlib, mpir, netsnmp,
+	python-anyio, python-fastapi, python-jsonschema,
+	python-pybind, python-starlette, qemu, ruby, snort, systemd,
+	wmctrl, wpewebkit
+
 2026.02-rc1, released February 17th, 2026
 
 	Fixes all over the tree and new features.
@@ -71,6 +101,75 @@
 	- How can I make the 'en_US' locale by default?
 	  https://gitlab.com/buildroot.org/buildroot/-/issues/161
 
+2025.11.2, released February 20, 2026
+
+	avahi: CVE-2021-3468, CVE-2023-38469, CVE-2023-38470, CVE-2023-38471,
+	  CVE-2023-38472, CVE-2023-38473, CVE-2024-52615, CVE-2024-52616,
+	  CVE-2025-68276, CVE-2025-68468, CVE-2025-68471, CVE-2026-24401
+	bind: CVE-2025-13878
+	busybox: CVE-2025-46394, CVE-2025-60876
+	expat: CVE-2026-24515, CVE-2026-25210
+	glibc: CVE-2025-15281, CVE-2026-0861, CVE-2026-0915
+	gnutls: CVE-2025-14831, CVE-2026-1584
+	go: CVE-2025-61732, CVE-2025-68121, CVE-2025-61728, CVE-2025-61726,
+	  CVE-2025-68121, CVE-2025-61731, CVE-2025-61730
+	gpsd: CVE-2025-67268, CVE-2025-67268
+	haproxy: CVE-2025-11230
+	intel-microcode: CVE-2024-24853, CVE-2025-31648
+	libopenssl: CVE-2025-11187, CVE-2025-15467, CVE-2025-15468,
+	  CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419,
+	  CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796
+	libpng: CVE-2026-22695, CVE-2026-22801, CVE-2026-25646
+	libtasn1: CVE-2025-13151
+	libvpx
+	linux-pam: CVE-2024-10963
+	nginx: CVE-2025-53859
+	nodejs: CVE-2025-27210, CVE-2025-55130, CVE-2025-55131, CVE-2025-55132,
+	  CVE-2025-59465, CVE-2025-59466, CVE-2026-21637
+	python3: gh-144125, gh-143935, gh-143925, gh-143919, gh-143916
+	python-django: CVE-2025-13473, CVE-2025-14550, CVE-2026-1207,
+	  CVE-2026-1285, CVE-2026-1287, CVE-2026-1312
+	python-urllib3: CVE-2026-21441
+	strongswan: CVE-2025-62291
+	tor: TROVE-2025-016
+	vim: CVE-2025-66476
+	webkitgtk
+
+	Infrastructure updates/fixes:
+
+	arm-trusted-firmware, at91bootstrap3, barebox, linux, opensbi, optee-os,
+	  uboot: Add support for custom license files
+	config-fragments/autobuild: drop a number of duplicated toolchains
+	generate-cyclonedx: fix dependencies
+	Makefile: add check-package-external target
+	pkg-stats: add -N/--needs-update option
+	pkg-stats: fix RuntimeError with python 3.14 asyncio
+	relocate-sdk.sh: pre-calculate files in need of relocation
+	system/Config.in: do not reference md5 for sha256 option
+	testing/run-tests: specify multiprocessing method
+	testing: fix SdbusModemmanager/SdbusNetworkmanager duplicate test name
+	testing: python-requests: new runtime test
+	testing: test_python.py: disable interpreter colors
+	testing: test_python_sdbus_modemmanager: remove unneeded systemd vconsole
+	testing/tests/package/test_firewalld: use ext2 instead of cpio
+
+	Updated / fixed packages: aardvark-dns, asterisk, at91bootstrap3, avahi,
+	berkeleydb, bind, bitcoin, blake3, brltty, brotli, busybox cryptsetup,
+	dash, dc3dd, docker-engine, easy-rsa, efl, ell, expat, frr, glibc,
+	gnutls, go, gpsd, grub2, haproxy, igmpproxy, intel-microcode,
+	kvm-unit-tests, libcec, libbsd, libcdio-paranoia, libcurl, libgphoto2,
+	libgpiod2, libite, libopenssl, libpng, libtasn1, libucl, libvpx,
+	libwebsockets, linux, linux-headers, linux-pam, localedef, lockdev,
+	m4, manual, mcelog, mesa3d, mp4v2, mpg123, mpir, mupdf, netdata,
+	netsniff-ng, nginx, nodejs, parprouted, php, php-lua, pkg-utils, podman,
+	python3, python-django, python-jinja2, python-urllib3, qemu, rp-pppoe,
+	rust-bindgen, safeclib, samba4, sane-airscan, screen, shadow, shapelib,
+	spandsp, squeezelite, strongswan, swig, syslog-ng, systemd, tor, uboot,
+	uclibc, uftp, util-linux, vim, vsftpd, webkitgtk, wireless-regdb,
+	xmlstarlet, zeek
+
+	Removed packages: criu, cvs, dbus-triggerd, dvdrw-tools, libsvg, libsvg-cairo, lockdev, gconf,
+
 2025.11.1, released January 20, 2026
 
 	Important / security related fixes:
@@ -832,6 +931,69 @@
 	- netsnmp: unexpected header length in /proc/net/snmp...
 	  https://gitlab.com/buildroot.org/buildroot/-/issues/110
 
+2025.02.11, released February 20, 2026
+
+	avahi: CVE-2021-3468, CVE-2023-38469, CVE-2023-38470, CVE-2023-38471,
+	  CVE-2023-38472, CVE-2023-38473, CVE-2024-52615, CVE-2024-52616,
+	  CVE-2025-68276, CVE-2025-68468, CVE-2025-68471, CVE-2026-24401
+	bind: CVE-2025-13878
+	busybox: CVE-2025-46394, CVE-2025-60876
+	expat: CVE-2026-24515, CVE-2026-25210
+	glibc: CVE-2025-15281, CVE-2026-0861, CVE-2026-0915
+	gnutls: CVE-2025-14831, CVE-2026-1584
+	haproxy: CVE-2025-11230
+	intel-microcode: CVE-2024-24853, CVE-2025-31648
+	libopenssl: CVE-2025-11187, CVE-2025-15467, CVE-2025-15468,
+	  CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419,
+	  CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796
+	libpng: CVE-2026-22695, CVE-2026-22801, CVE-2026-25646
+	libtasn1: CVE-2025-13151
+	libvpx
+	linux-pam: CVE-2024-10963
+	nginx: CVE-2025-53859
+	nodejs: CVE-2025-27210, CVE-2025-55130, CVE-2025-55131, CVE-2025-55132,
+	  CVE-2025-59465, CVE-2025-59466, CVE-2026-21637
+	python-django: CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285,
+	 CVE-2026-1287, CVE-2026-1312
+	python-urllib3: CVE-2026-21441
+	strongswan: CVE-2025-62291
+	tor: TROVE-2025-016
+	vim: CVE-2025-66476
+	webkitgtk
+
+	Infrastructure updates/fixes:
+
+	arm-trusted-firmware, at91bootstrap3, barebox, linux, opensbi, optee-os,
+	  uboot: Add support for custom license files
+	config-fragments/autobuild: drop a number of duplicated toolchains
+	generate-cyclonedx: fix dependencies
+	Makefile: add check-package-external target
+	pkg-stats: add -N/--needs-update option
+	pkg-stats: fix RuntimeError with python 3.14 asyncio
+	relocate-sdk.sh: pre-calculate files in need of relocation
+	system/Config.in: do not reference md5 for sha256 option
+	testing/run-tests: specify multiprocessing method
+	testing: python-requests: new runtime test
+	testing: test_python.py: disable interpreter colors
+	testing/tests/package/test_firewalld: use ext2 instead of cpio
+
+	Updated / fixed packages: asterisk, at91bootstrap3, avahi, berkeleydb,
+	bind, bitcoin, brltty, busybox, cryptsetup, dash, dc3dd, docker-engine,
+	easy-rsa, ell, expat, frr, glibc, gnutls, haproxy,
+	igmpproxy, intel-microcode, libcec, libcurl, libgphoto2, libgpiod2,
+	libite, libopenssl, libpng, libselinux,
+	libtasn1, libucl, libvpx, libwebsockets, linux, linux-headers,
+	linux-pam, localedef, lockdev, m4, manual, mcelog, mesa3d, mp4v2,
+	mpg123, mpir, mupdf, netdata, nginx, nodejs, php, php-lua, pkg-utils,
+	python3, python-django, python-jinja2, python-urllib3, rp-pppoe,
+	rust-bindgen, safeclib, screen, shadow, spandsp, strongswan, swig,
+	syslog-ng, tor, uclibc, uftp, util-linux, vim, webkitgtk,
+	wireless-regdb, xmlstarlet, zeek
+
+	New package: libpam-pkcs11
+
+	Removed packages: criu, cvs, dbus-triggerd, dvdrw-tools, libsvg, libsvg-cairo, lockdev, gconf,
+
 2025.02.10, released January 20, 2026
 
 	Important / security related fixes:

Config.in.legacy

@@ -146,6 +146,12 @@ endif
 
 comment "Legacy options removed in 2026.02"
 
+config BR2_PACKAGE_QEMU_TARGET_CRIS
+	bool "qemu cris support has been removed"
+	select BR2_LEGACY
+	help
+	  CRIS support has been removed since Qemu 9.2.0.
+
 config BR2_PACKAGE_DVDRW_TOOLS
 	bool "dvdrw-tools removed"
 	select BR2_LEGACY

Makefile

@@ -92,9 +92,9 @@ all:
 .PHONY: all
 
 # Set and export the version string
-export BR2_VERSION := 2026.02-rc1
+export BR2_VERSION := 2026.02
 # Actual time the release is cut (for reproducible builds)
-BR2_VERSION_EPOCH = 1771320000
+BR2_VERSION_EPOCH = 1772611600
 
 # Save running make version since it's clobbered by the make package
 RUNNING_MAKE_VERSION := $(MAKE_VERSION)

board/olimex/a20_olinuxino/patches/linux/linux.hash

@@ -1,3 +1,2 @@
 # From https://www.kernel.org/pub/linux/kernel/v6.x/sha256sums.asc
-sha256  7a8879167b89c4bae077d6f39c4f2130769f05dbdad2aad914adab9afb7d7f9a  linux-6.18.3.tar.xz
 sha256  37f0c5d5c242c1d604e87d48f08795e861a5a85f725b4ca11d0a538f12ff8cff  linux-6.18.8.tar.xz

board/xilinx/patches/arm-trusted-firmware/arm-trusted-firmware.hash

@@ -1,2 +1,5 @@
 # Locally calculated
 sha256  ea59fbfb702857a24f96ee8e9cf04f997942db1de98f8406b7daf9dcc8f4e9ea  xlnx_rebase_v2.12_2025.2.tar.gz
+
+# Locally calculated
+sha256  b2c79635797bafcde84c6edadadde290b9d5e05deb3ea16a847210fd2ca83669  docs/license.rst

board/xilinx/patches/linux/linux.hash

@@ -1,2 +1,7 @@
 # Locally calculated
 sha256  444f573cd4438af1f5062fd69fcc82965a56068e6a25cd43c062a68398f90b03  xlnx_rebase_v6.12_LTS_merge_6.12.60.tar.gz
+
+# Locally calculated
+sha256  fb5a425bd3b3cd6071a3a9aff9909a859e7c1158d54d32e07658398cd67eb6a0  COPYING
+sha256  f6b78c087c3ebdf0f3c13415070dd480a3f35d8fc76f3d02180a407c1c812f79  LICENSES/preferred/GPL-2.0
+sha256  8e378ab93586eb55135d3bc119cce787f7324f48394777d00c34fa3d0be3303f  LICENSES/exceptions/Linux-syscall-note

configs/olimex_a20_olinuxino_lime2_defconfig

@@ -14,7 +14,7 @@ BR2_ROOTFS_POST_IMAGE_SCRIPT="support/scripts/genimage.sh"
 BR2_ROOTFS_POST_SCRIPT_ARGS="-c board/olimex/a20_olinuxino/genimage.cfg"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.18.3"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.18.8"
 BR2_LINUX_KERNEL_DEFCONFIG="sunxi"
 BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/olimex/a20_olinuxino/linux-disable-lima.fragment"
 BR2_LINUX_KERNEL_DTS_SUPPORT=y

configs/olimex_a20_olinuxino_lime_defconfig

@@ -14,7 +14,7 @@ BR2_ROOTFS_POST_IMAGE_SCRIPT="support/scripts/genimage.sh"
 BR2_ROOTFS_POST_SCRIPT_ARGS="-c board/olimex/a20_olinuxino/genimage.cfg"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.18.3"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.18.8"
 BR2_LINUX_KERNEL_DEFCONFIG="sunxi"
 BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/olimex/a20_olinuxino/linux-disable-lima.fragment"
 BR2_LINUX_KERNEL_DTS_SUPPORT=y

configs/qemu_riscv64_virt_defconfig

@@ -1,18 +1,26 @@
 BR2_riscv=y
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_18=y
+BR2_TOOLCHAIN_EXTERNAL=y
+BR2_KERNEL_MIRROR="http://mirrors.ustc.edu.cn/kernel.org"
+BR2_GNU_MIRROR="http://mirrors.ustc.edu.cn/gnu"
+BR2_LUAROCKS_MIRROR="https://luarocks.cn"
+BR2_CPAN_MIRROR="http://mirrors.ustc.edu.cn/CPAN"
 BR2_GLOBAL_PATCH_DIR="board/qemu/patches"
 BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
+BR2_INIT_SYSV=y
+BR2_SYSTEM_BIN_SH_BASH=y
 BR2_SYSTEM_DHCP="eth0"
 BR2_ROOTFS_POST_IMAGE_SCRIPT="board/qemu/post-image.sh"
 BR2_ROOTFS_POST_SCRIPT_ARGS="$(BR2_DEFCONFIG)"
 BR2_LINUX_KERNEL=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.18.7"
 BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
+BR2_PACKAGE_PYTHON3=y
+BR2_PACKAGE_PYTHON3_CURSES=y
+BR2_PACKAGE_COREUTILS=y
+BR2_PACKAGE_COREUTILS_INDIVIDUAL_BINARIES=y
+BR2_PACKAGE_VIM=y
 BR2_TARGET_ROOTFS_EXT2=y
+BR2_TARGET_ROOTFS_EXT2_SIZE="128M"
 BR2_TARGET_OPENSBI=y
 BR2_TARGET_OPENSBI_CUSTOM_VERSION=y
 BR2_TARGET_OPENSBI_CUSTOM_VERSION_VALUE="1.6"
 BR2_TARGET_OPENSBI_PLAT="generic"
-BR2_PACKAGE_HOST_QEMU=y
-BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y

docs/website/download.html

@@ -16,81 +16,83 @@
           <th>Latest release date</th>
           <th colspan="2">Downloads</td>
         </tr>
+<!--
         <tr>
           <th>Candidate</th>
-          <th>2025.11.x</th>
+          <th>2026.02.x</th>
           <td>June 2026</td>
           <td>
-            2026.02-rc1<br/>
-            <a href="https://gitlab.com/buildroot.org/buildroot/-/blob/2026.02-rc1/CHANGES">
+            2026.02-rc3<br/>
+            <a href="https://gitlab.com/buildroot.org/buildroot/-/blob/2026.02-rc3/CHANGES">
               Changelog
             </a>
           </td>
-          <td>2025-11-20</td>
+          <td>2026-03-02</td>
           <td>
-            <a href="/downloads/buildroot-2026.02-rc1.tar.gz">
+            <a href="/downloads/buildroot-2026.02-rc3.tar.gz">
               <img src="images/zip.png" width="24" alt="">
               .tar.gz
             </a><br/>
-            <a href="/downloads/buildroot-2026.02-rc1.tar.gz.sign">[PGP sig]</a>
+            <a href="/downloads/buildroot-2026.02-rc3.tar.gz.sign">[PGP sig]</a>
           </td>
           <td>
-            <a href="/downloads/buildroot-2026.02-rc1.tar.xz">
+            <a href="/downloads/buildroot-2026.02-rc3.tar.xz">
               <img src="images/package.png" width="24" alt="">
               .tar.xz
             </a><br/>
-            <a href="/downloads/buildroot-2026.02-rc1.tar.xz.sign">[PGP sig]</a>
+            <a href="/downloads/buildroot-2026.02-rc3.tar.xz.sign">[PGP sig]</a>
           </td>
         </tr>
+-->
         <tr>
           <th>Stable</th>
-          <th>2025.11.x</th>
-          <td>March 2026</td>
+          <th>2026.02.x</th>
+          <td>June 2026</td>
           <td>
-            2025.11.1<br/>
-            <a href="https://gitlab.com/buildroot.org/buildroot/-/blob/2025.11.1/CHANGES">
+            2026.02<br/>
+            <a href="https://gitlab.com/buildroot.org/buildroot/-/blob/2026.02/CHANGES">
               Changelog
             </a>
           </td>
-          <td>2026-01-20</td>
+          <td>2026-03-04</td>
           <td>
-            <a href="/downloads/buildroot-2025.11.1.tar.gz">
+            <a href="/downloads/buildroot-2026.02.tar.gz">
               <img src="images/zip.png" width="24" alt="">
               .tar.gz
             </a><br/>
-            <a href="/downloads/buildroot-2025.11.1.tar.gz.sign">[PGP sig]</a>
+            <a href="/downloads/buildroot-2026.02.tar.gz.sign">[PGP sig]</a>
           </td>
           <td>
-            <a href="/downloads/buildroot-2025.11.1.tar.xz">
+            <a href="/downloads/buildroot-2026.02.tar.xz">
               <img src="images/package.png" width="24" alt="">
               .tar.xz
             </a><br/>
-            <a href="/downloads/buildroot-2025.11.1.tar.xz.sign">[PGP sig]</a>
+            <a href="/downloads/buildroot-2026.02.tar.xz.sign">[PGP sig]</a>
           </td>
         <tr>
           <th>Long-term support</th>
           <th>2025.02.x</th>
           <td>March 2028</td>
           <td>
-            2025.02.10<br/>
-            <a href="https://gitlab.com/buildroot.org/buildroot/-/blob/2025.02.10/CHANGES">
+            2025.02.11<br/>
+            <a href="https://gitlab.com/buildroot.org/buildroot/-/blob/2025.02.11/CHANGES">
               Changelog
             </a>
           </td>
-          <td>2026-01-20</td>
+          <td>2026-02-20</td>
           <td>
-            <a href="/downloads/buildroot-2025.02.10.tar.gz">
+            <a href="/downloads/buildroot-2025.02.11.tar.gz">
               <img src="images/zip.png" width="24" alt="">
               .tar.gz
             </a><br/>
-            <a href="/downloads/buildroot-2025.02.10.tar.gz.sign">[PGP sig]</a>
+            <a href="/downloads/buildroot-2025.02.11.tar.gz.sign">[PGP sig]</a>
           </td>
           <td>
-            <a href="/downloads/buildroot-2025.02.10.tar.xz">
+            <a href="/downloads/buildroot-2025.02.11.tar.xz">
               <img src="images/package.png" width="24" alt="">
               .tar.xz
             </a><br/>
-            <a href="/downloads/buildroot-2025.02.10.tar.xz.sign">[PGP sig]</a>
+            <a href="/downloads/buildroot-2025.02.11.tar.xz.sign">[PGP sig]</a>
           </td>
         </tr>
       </table>

docs/website/news.html

@@ -9,6 +9,104 @@
 <h2>News</h2>
 <ul class="timeline">
 
+  <li>
+    <div class="timeline-badge"><i class="glyphicon glyphicon-thumbs-up"></i></div>
+    <div class="timeline-panel">
+      <div class="timeline-heading">
+	<h4 class="timeline-title">2026.02 released</h4>
+	<p><small class="text-muted"><i class="glyphicon glyphicon-time"></i>4 March 2026</small></p>
+      </div>
+      <div class="timeline-body">
+	<p>The stable 2026.02 release is out - Thanks to everyone
+	  contributing and testing the release candidates. See the
+	  <a href="https://gitlab.com/buildroot.org/buildroot/-/blob/2026.02/CHANGES">CHANGES</a>
+	  file for more details
+	  and go to the <a href="/downloads/">downloads page</a> to pick up the
+	  <a href="/downloads/buildroot-2026.02.tar.xz">2026.02 release</a>.</p>
+      </div>
+    </div>
+  </li>
+
+  <li class="timeline-inverted">
+    <div class="timeline-badge"><i class="glyphicon glyphicon-thumbs-up"></i></div>
+    <div class="timeline-panel">
+      <div class="timeline-heading">
+	<h4 class="timeline-title">2026.02-rc3 released</h4>
+	<p><small class="text-muted"><i class="glyphicon glyphicon-time"></i>2 March 2026</small></p>
+      </div>
+      <div class="timeline-body">
+        <p>Another week, another release candidate with more cleanups and build fixes. See the
+	  <a href="https://gitlab.com/buildroot.org/buildroot/-/blob/2026.02-rc3/CHANGES">CHANGES</a>
+	  file for more details.</p>
+
+	<p>Go to the <a href="/downloads/">downloads page</a> to pick up the
+	  <a href="/downloads/buildroot-2026.02-rc3.tar.xz">2026.02-rc3
+	  release</a>, and report any problems found to the
+         <a href="support.html">mailing list</a> or
+         <a href="https://gitlab.com/buildroot.org/buildroot/-/issues">bug tracker</a>.</p>
+      </div>
+    </div>
+  </li>
+
+  <li>
+    <div class="timeline-badge"><i class="glyphicon glyphicon-thumbs-up"></i></div>
+    <div class="timeline-panel">
+      <div class="timeline-heading">
+	<h4 class="timeline-title">2026.02-rc2 released</h4>
+	<p><small class="text-muted"><i class="glyphicon glyphicon-time"></i>24 February 2026</small></p>
+      </div>
+      <div class="timeline-body">
+        <p>Another week, another release candidate with more cleanups and build fixes. See the
+	  <a href="https://gitlab.com/buildroot.org/buildroot/-/blob/2026.02-rc2/CHANGES">CHANGES</a>
+	  file for more details.</p>
+
+	<p>Go to the <a href="/downloads/">downloads page</a> to pick up the
+	  <a href="/downloads/buildroot-2026.02-rc2.tar.xz">2026.02-rc2
+	  release</a>, and report any problems found to the
+         <a href="support.html">mailing list</a> or
+         <a href="https://gitlab.com/buildroot.org/buildroot/-/issues">bug tracker</a>.</p>
+      </div>
+    </div>
+  </li>
+
+  <li class="timeline-inverted">
+    <div class="timeline-badge"><i class="glyphicon glyphicon-thumbs-up"></i></div>
+    <div class="timeline-panel">
+      <div class="timeline-heading">
+	<h4 class="timeline-title">2025.11.2 released</h4>
+	<p><small class="text-muted"><i class="glyphicon glyphicon-time"></i>20 February 2026</small></p>
+      </div>
+      <div class="timeline-body">
+	<p>The 2025.11.2 bugfix release is out, fixing a number of important /
+	  security related issues discovered since the 2025.11 release. See the
+	  <a href="https://gitlab.com/buildroot.org/buildroot/-/blob/2025.11.2/CHANGES">CHANGES</a>
+	  file for more details, read the
+	  <a href="https://lore.kernel.org/buildroot/de9c890a-760a-4e6d-86b8-f8e5000a07ff@rnout.be/T/#u">announcement</a>
+	  and go to the <a href="/downloads/">downloads page</a> to pick up the
+	  <a href="/downloads/buildroot-2025.11.2.tar.xz">2025.11.2 release</a>.</p>
+      </div>
+    </div>
+  </li>
+
+  <li class="timeline">
+    <div class="timeline-badge"><i class="glyphicon glyphicon-thumbs-up"></i></div>
+    <div class="timeline-panel">
+      <div class="timeline-heading">
+	<h4 class="timeline-title">2025.02.11 released</h4>
+	<p><small class="text-muted"><i class="glyphicon glyphicon-time"></i>20 February 2026</small></p>
+      </div>
+      <div class="timeline-body">
+	<p>The 2025.02.11 bugfix release is out, fixing a number of important /
+	  security related issues discovered since the 2025.02.9 release. See the
+	  <a href="https://gitlab.com/buildroot.org/buildroot/-/blob/2025.02.11/CHANGES">CHANGES</a>
+	  file for more details, read the
+	  <a href="https://lore.kernel.org/buildroot/e0164268-1836-426e-8a81-5e2790b8cc3e@rnout.be/T/#u">announcement</a>
+	  and go to the <a href="/downloads/">downloads page</a> to pick up the
+	  <a href="/downloads/buildroot-2025.02.11.tar.xz">2025.02.11 release</a>.</p>
+      </div>
+    </div>
+  </li>
+
   <li class="timeline-inverted">
     <div class="timeline-badge"><i class="glyphicon glyphicon-thumbs-up"></i></div>
     <div class="timeline-panel">

linux/Config.in

@@ -141,7 +141,7 @@ config BR2_LINUX_KERNEL_CUSTOM_REPO_GIT_SUBMODULES
 
 config BR2_LINUX_KERNEL_VERSION
 	string
-	default "6.19" if BR2_LINUX_KERNEL_LATEST_VERSION
+	default "6.19.5" if BR2_LINUX_KERNEL_LATEST_VERSION
 	default "5.10.246-cip66" if BR2_LINUX_KERNEL_LATEST_CIP_VERSION
 	default "5.10.246-cip66-rt29" if BR2_LINUX_KERNEL_LATEST_CIP_RT_VERSION
 	default BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE \

linux/before-6.17/linux.hash

@@ -1,10 +1,10 @@
 # From https://www.kernel.org/pub/linux/kernel/v6.x/sha256sums.asc
-sha256  143e8bc76cc41f831b51aa5e75819bed55bed41f299d35922820f1d2d2b02600  linux-6.12.71.tar.xz
-sha256  a7aefb9f8e9be2314a66ccda708257d1c2dc04e68235cda987879597fc89794e  linux-6.6.124.tar.xz
-sha256  fd2d033321bd15e0ad5669208b6e43f3f93ccecb059a512ca6b913ca940c38ea  linux-6.1.163.tar.xz
+sha256  3b56eeb1dc9a437f189ca56b823be3769994f59a4ea0895b08ec0d20acaca13e  linux-6.12.74.tar.xz
+sha256  a7cd9c97b4f0b31cc030bcdc60abe5434fffb2556e293f7438ce7909dff8c9fe  linux-6.6.127.tar.xz
+sha256  33bf087f7bbf7f626873dd7d955eb44182a93695db41f5f89a6bd3d233a39d1c  linux-6.1.164.tar.xz
 # From https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
-sha256  fce4b1c86688880932ba8f755880cbf390a89453464bfd90b9a1b01a121c2998  linux-5.15.200.tar.xz
-sha256  47754da223a9f264b917be5d575a4dae03fc8777aa9e1b00473e973ee997d529  linux-5.10.250.tar.xz
+sha256  4f2afffbeddaad6b8527d41a3e3a82646d3cf5dfd0acbb6c4e8a99fc70461b96  linux-5.15.201.tar.xz
+sha256  e6857625fee3b587b0279b445adc3940a5c40723385fa1055ac7af16ff4b4c01  linux-5.10.251.tar.xz
 # Locally computed
 sha256  93408e0c5d70ff0ab63dcf9edec6fda2b8524281d611a88e56590436bda43914  linux-cip-5.10.246-cip66.tar.gz
 sha256  b3454708b98016f02604433e41060be2c1feb595c2bddeb25292596f047f0915  linux-cip-5.10.246-cip66-rt29.tar.gz

linux/from-6.17/linux.hash

@@ -1,6 +1,6 @@
 # From https://www.kernel.org/pub/linux/kernel/v6.x/sha256sums.asc
-sha256  303079a8250b8f381f82b03f90463d12ac98d4f6b149b761ea75af1323521357  linux-6.19.tar.xz
-sha256  d6d377161741ada2fab28eed69143277634a2aeb5e3883e50c031588ede48ede  linux-6.18.10.tar.xz
+sha256  95ae05c8c709e353c0e8506c072efc5598d85b8b7b564a1ebac7ee8345042ffa  linux-6.19.5.tar.xz
+sha256  7c716216c3c4134ed0de69195701e677577bbcdd3979f331c182acd06bf2f170  linux-6.18.15.tar.xz
 
 # Licenses hashes
 sha256  fb5a425bd3b3cd6071a3a9aff9909a859e7c1158d54d32e07658398cd67eb6a0  COPYING

package/bind/bind.hash

@@ -1,4 +1,4 @@
-# Verified from https://ftp.isc.org/isc/bind9/9.18.44/bind-9.18.44.tar.xz.asc
+# Verified from https://ftp.isc.org/isc/bind9/9.18.46/bind-9.18.46.tar.xz.asc
 # with key D99CCEAF879747014F038D63182E23579462EFAA
-sha256  81f5035a25c576af1a93f0061cf70bde6d00a0c7bd1274abf73f5b5389a6f82d  bind-9.18.44.tar.xz
+sha256  6b59f0de30c6901cce783007d06f7dd717ec3aa74b5bb5cc5159f93f0be4fc1d  bind-9.18.46.tar.xz
 sha256  9734825d67a3ac967b2c2f7c9a83c9e5db1c2474dbe9599157c3a4188749ebd4  COPYRIGHT

package/bind/bind.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BIND_VERSION = 9.18.44
+BIND_VERSION = 9.18.46
 BIND_SOURCE= bind-$(BIND_VERSION).tar.xz
 BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
 BIND_INSTALL_STAGING = YES

package/botan/0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch

@@ -0,0 +1,65 @@
+From 53b0cfde580e86b03d0d27a488b6c134f662e957 Mon Sep 17 00:00:00 2001
+From: Jack Lloyd <jack@randombit.net>
+Date: Sat, 19 Oct 2024 07:43:18 -0400
+Subject: [PATCH] Add more value barriers to avoid compiler induced side
+ channels
+
+The paper https://arxiv.org/pdf/2410.13489 claims that on specific
+architectures Clang and GCC may introduce jumps here. The donna128
+issues only affect 32-bit processors, which explains why we would not
+see it in the x86-64 valgrind runs.
+
+The GHASH leak would seem to be generic but the authors only observed
+it on RISC-V.
+
+CVE: CVE-2024-50382
+CVE: CVE-2024-50383
+Upstream: https://github.com/randombit/botan/commit/53b0cfde580e86b03d0d27a488b6c134f662e957
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/lib/utils/donna128.h      | 5 +++--
+ src/lib/utils/ghash/ghash.cpp | 2 +-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/utils/donna128.h b/src/lib/utils/donna128.h
+index 8212bd349e0..7adf54546df 100644
+--- a/src/lib/utils/donna128.h
++++ b/src/lib/utils/donna128.h
+@@ -8,6 +8,7 @@
+ #ifndef BOTAN_CURVE25519_DONNA128_H_
+ #define BOTAN_CURVE25519_DONNA128_H_
+ 
++#include <botan/internal/ct_utils.h>
+ #include <botan/internal/mul128.h>
+ #include <type_traits>
+ 
+@@ -73,14 +74,14 @@ class donna128 final {
+          l += x.l;
+          h += x.h;
+ 
+-         const uint64_t carry = (l < x.l);
++         const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x.l).if_set_return(1);
+          h += carry;
+          return *this;
+       }
+ 
+       constexpr donna128& operator+=(uint64_t x) {
+          l += x;
+-         const uint64_t carry = (l < x);
++         const uint64_t carry = CT::Mask<uint64_t>::is_lt(l, x).if_set_return(1);
+          h += carry;
+          return *this;
+       }
+diff --git a/src/lib/utils/ghash/ghash.cpp b/src/lib/utils/ghash/ghash.cpp
+index 8c3b1ed6c2a..61b28590002 100644
+--- a/src/lib/utils/ghash/ghash.cpp
++++ b/src/lib/utils/ghash/ghash.cpp
+@@ -131,7 +131,7 @@ void GHASH::key_schedule(std::span<const uint8_t> key) {
+          m_HM[4 * j + 2 * i + 1] = H1;
+ 
+          // GCM's bit ops are reversed so we carry out of the bottom
+-         const uint64_t carry = R * (H1 & 1);
++         const uint64_t carry = CT::Mask<uint64_t>::expand(H1 & 1).if_set_return(R);
+          H1 = (H1 >> 1) | (H0 << 63);
+          H0 = (H0 >> 1) ^ carry;
+       }

package/botan/botan.mk

@@ -11,6 +11,9 @@ BOTAN_LICENSE = BSD-2-Clause
 BOTAN_LICENSE_FILES = license.txt
 BOTAN_CPE_ID_VALID = YES
 
+# 0001-Add-more-value-barriers-to-avoid-compiler-induced-side-channels.patch
+BOTAN_IGNORE_CVES += CVE-2024-50382 CVE-2024-50383
+
 BOTAN_INSTALL_STAGING = YES
 
 BOTAN_DEPENDENCIES = host-python3

package/c-ares/c-ares.hash

@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-sha256  7d935790e9af081c25c495fd13c2cfcda4792983418e96358ef6e7320ee06346  c-ares-1.34.5.tar.gz
+sha256  912dd7cc3b3e8a79c52fd7fb9c0f4ecf0aaa73e45efda880266a2d6e26b84ef5  c-ares-1.34.6.tar.gz
 
 # Hash for license file
 sha256  460f5e768fda3752ca2169a95df062578a10fb126bfd65f3b9b1a1bed2f84807  LICENSE.md

package/c-ares/c-ares.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-C_ARES_VERSION = 1.34.5
+C_ARES_VERSION = 1.34.6
 C_ARES_SITE = https://github.com/c-ares/c-ares/releases/download/v$(C_ARES_VERSION)
 C_ARES_INSTALL_STAGING = YES
 C_ARES_CONF_OPTS = --with-random=/dev/urandom

package/containerd/containerd.hash

@@ -1,3 +1,3 @@
 # Computed locally
-sha256  472747a7a6b360a0864bab0ee00a8a6f51da5795171e6a60ab17aa80cbd850a2  containerd-2.0.2-go2.tar.gz
+sha256  2bbf9fedcf4ab31736fcb3ce224ef22610a87da9d53bbd8f6d205710fd849831  containerd-2.0.7-go2.tar.gz
 sha256  4bbe3b885e8cd1907ab4cf9a41e862e74e24b5422297a4f2fe524e6a30ada2b4  LICENSE

package/containerd/containerd.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CONTAINERD_VERSION = 2.0.2
+CONTAINERD_VERSION = 2.0.7
 CONTAINERD_SITE = $(call github,containerd,containerd,v$(CONTAINERD_VERSION))
 CONTAINERD_LICENSE = Apache-2.0
 CONTAINERD_LICENSE_FILES = LICENSE

package/cups/cups.hash

@@ -1,4 +1,4 @@
 # Locally calculated:
-sha256  660288020dd6f79caf799811c4c1a3207a48689899ac2093959d70a3bdcb7699  cups-2.4.14-source.tar.gz
+sha256  0339587204b4f9428dd0592eb301dec0bf9ea6ea8dce5d9690d56be585aba92d  cups-2.4.16-source.tar.gz
 sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE
 sha256  977206f041b9a6f47ac00531e1242c0fab7063da71178f8d868b167b70866b6d  NOTICE

package/cups/cups.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CUPS_VERSION = 2.4.14
+CUPS_VERSION = 2.4.16
 CUPS_SOURCE = cups-$(CUPS_VERSION)-source.tar.gz
 CUPS_SITE = https://github.com/OpenPrinting/cups/releases/download/v$(CUPS_VERSION)
 CUPS_LICENSE = Apache-2.0 with GPL-2.0/LGPL-2.0 exception

package/flashbench/Config.in

@@ -7,4 +7,4 @@ config BR2_PACKAGE_FLASHBENCH
 	  SD cards and other media for the Linaro flash memory
 	  survey.
 
-	  https://git.linaro.org/people/arnd.bergmann/flashbench.git
+	  https://github.com/bradfa/flashbench

package/flashbench/flashbench.hash

@@ -1,3 +1,3 @@
 # Locally computed
-sha256  b5f95d2d057270adbce0f1a784b6a88db339b67326b6ca92474edd99f9fd4774  flashbench-2e30b1968a66147412f21002ea844122a0d5e2f0-git4.tar.gz
+sha256  408a2642700b7f8daf4356a49948b921137ad15bb6e0fd05b1cb8dc700c154dc  flashbench-2e30b1968a66147412f21002ea844122a0d5e2f0.tar.gz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING

package/flashbench/flashbench.mk

@@ -5,8 +5,7 @@
 ################################################################################
 
 FLASHBENCH_VERSION = 2e30b1968a66147412f21002ea844122a0d5e2f0
-FLASHBENCH_SITE = https://git.linaro.org/people/arnd/flashbench.git
-FLASHBENCH_SITE_METHOD = git
+FLASHBENCH_SITE = $(call github,bradfa,flashbench,$(FLASHBENCH_VERSION))
 FLASHBENCH_LICENSE = GPL-2.0
 FLASHBENCH_LICENSE_FILES = COPYING
 

package/freerdp/0009-fix-missing-check-in-rdp-write-logon-info-v1.patch

@@ -0,0 +1,29 @@
+From 71e463e31b4d69f4022d36bfc814592f56600793 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Sun, 21 Apr 2024 13:56:13 +0200
+Subject: [PATCH] [core,info] fix missing check in rdp_write_logon_info_v1
+
+CVE: CVE-2024-32661
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/71e463e31b4d69f4022d36bfc814592f56600793
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ libfreerdp/core/info.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libfreerdp/core/info.c b/libfreerdp/core/info.c
+index 7d6eec13782d..3395e4d2e04c 100644
+--- a/libfreerdp/core/info.c
++++ b/libfreerdp/core/info.c
+@@ -1327,6 +1327,10 @@ static BOOL rdp_write_logon_info_v1(wStream* s, logon_info* info)
+ 		return FALSE;
+ 
+ 	/* domain */
++	WINPR_ASSERT(info);
++	if (!info->domain || !info->username)
++		return FALSE;
++
+ 	ilen = ConvertToUnicode(CP_UTF8, 0, info->domain, -1, &wString, 0);
+
+ 	if (ilen < 0)
+

package/freerdp/0010-fix-decoder-length-checks.patch

@@ -0,0 +1,29 @@
+From 1bab198a2edd0d0e6e1627d21a433151ea190500 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 15 Jan 2026 12:02:02 +0100
+Subject: [PATCH] [codec,planar] fix decoder length checks
+
+CVE: CVE-2026-23530
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/1bab198a2edd0d0e6e1627d21a433151ea190500
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ libfreerdp/codec/planar.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libfreerdp/codec/planar.c b/libfreerdp/codec/planar.c
+index 1a06e36edb0c..94a640a551d1 100644
+--- a/libfreerdp/codec/planar.c
++++ b/libfreerdp/codec/planar.c
+@@ -616,6 +616,11 @@ BOOL freerdp_bitmap_decompress_planar(BITMAP_PLANAR_CONTEXT* WINPR_RESTRICT plan
+ 	WINPR_ASSERT(planar);
+ 	WINPR_ASSERT(prims);
+ 
++	if (planar->maxWidth < nSrcWidth)
++		return FALSE;
++	if (planar->maxHeight < nSrcHeight)
++		return FALSE;
++
+ 	if (nDstStep <= 0)
+ 		nDstStep = nDstWidth * GetBytesPerPixel(DstFormat);
+ 

package/freerdp/0011-fix-missing-length-checks.patch

@@ -0,0 +1,31 @@
+From 25102b432fb37916a1a553d7ef8fd940c6e52c3f Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 15 Jan 2026 12:17:33 +0100
+Subject: [PATCH] [codec,clear] fix missing length checks
+
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/25102b432fb37916a1a553d7ef8fd940c6e52c3f.patch
+CVE: CVE-2026-23531
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ libfreerdp/codec/clear.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index aa36baa9b305..4a67a8ed692b 100644
+--- a/libfreerdp/codec/clear.c
++++ b/libfreerdp/codec/clear.c
+@@ -1141,8 +1141,11 @@ INT32 clear_decompress(CLEAR_CONTEXT* cl
+ 
+ 	if (glyphData)
+ 	{
+-		if (!freerdp_image_copy(glyphData, clear->format, 0, 0, 0, nWidth, nHeight, pDstData,
+-		                        DstFormat, nDstStep, nXDst, nYDst, palette, FREERDP_FLIP_NONE))
++		const uint32_t w = MIN(nWidth, nDstWidth);
++		const uint32_t h = MIN(nHeight, nDstHeight);
++		if (!freerdp_image_copy_no_overlap(glyphData, clear->format, 0, 0, 0, w, h, pDstData,
++		                                   DstFormat, nDstStep, nXDst, nYDst, palette,
++		                                   FREERDP_FLIP_NONE))
+ 			goto fail;
+ 	}
+ 

package/freerdp/0012-check-clear-decomress-glyphData.patch

@@ -0,0 +1,79 @@
+From 243ecf804bb122e8e643a5c142ad5a49d7aa19ee Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Fri, 16 Jan 2026 12:22:46 +0100
+Subject: [PATCH] [codec,clear] check clear_decomress glyphData
+
+Check destination coordinates and lengths against the actual sizes. Log
+every truncation accordingly
+
+CVE: CVE-2026-23531
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/243ecf804bb122e8e643a5c142ad5a49d7aa19ee
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ libfreerdp/codec/clear.c | 50 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 48 insertions(+), 2 deletions(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index 0efa89f8d06c..f9aa4f0000c1 100644
+--- a/libfreerdp/codec/clear.c
++++ b/libfreerdp/codec/clear.c
+@@ -1141,9 +1141,55 @@ INT32 clear_decompress(CLEAR_CONTEXT* cl
+ 
+ 	if (glyphData)
+ 	{
+-		const uint32_t w = MIN(nWidth, nDstWidth);
+-		const uint32_t h = MIN(nHeight, nDstHeight);
+-		if (!freerdp_image_copy_no_overlap(glyphData, clear->format, 0, 0, 0, w, h, pDstData,
++		uint32_t w = MIN(nWidth, nDstWidth);
++		if (nXDst > nDstWidth)
++		{
++			WLog_WARN(TAG, "glyphData copy area x exceeds destination: x=%" PRIu32 " > %" PRIu32,
++			          nXDst, nDstWidth);
++			w = 0;
++		}
++		else if (nXDst + w > nDstWidth)
++		{
++			WLog_WARN(TAG,
++			          "glyphData copy area x + width exceeds destination: x=%" PRIu32 " + %" PRIu32
++			          " > %" PRIu32,
++			          nXDst, w, nDstWidth);
++			w = nDstWidth - nXDst;
++		}
++
++		if (w != nWidth)
++		{
++			WLog_WARN(TAG,
++			          "glyphData copy area width truncated: requested=%" PRIu32
++			          ", truncated to %" PRIu32,
++			          nWidth, w);
++		}
++
++		uint32_t h = MIN(nHeight, nDstHeight);
++		if (nYDst > nDstHeight)
++		{
++			WLog_WARN(TAG, "glyphData copy area y exceeds destination: y=%" PRIu32 " > %" PRIu32,
++			          nYDst, nDstHeight);
++			h = 0;
++		}
++		else if (nYDst + h > nDstHeight)
++		{
++			WLog_WARN(TAG,
++			          "glyphData copy area y + height exceeds destination: x=%" PRIu32 " + %" PRIu32
++			          " > %" PRIu32,
++			          nYDst, h, nDstHeight);
++			h = nDstHeight - nYDst;
++		}
++
++		if (h != nHeight)
++		{
++			WLog_WARN(TAG,
++			          "glyphData copy area height truncated: requested=%" PRIu32
++			          ", truncated to %" PRIu32,
++			          nHeight, h);
++		}
++
++		if (!freerdp_image_copy(glyphData, clear->format, 0, 0, 0, w, h, pDstData,
+ 		                                   DstFormat, nDstStep, nXDst, nYDst, palette,
+ 		                                   FREERDP_FLIP_NONE))
+ 			goto fail;

package/freerdp/0013-properly-clamp-SurfaceToSurface.patch

@@ -0,0 +1,48 @@
+From c4a7c371342edf0d307cea728f56d3302f0ab38c Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 15 Jan 2026 12:04:36 +0100
+Subject: [PATCH] [gdi,gfx] properly clamp SurfaceToSurface
+
+CVE: CVE-2026-23532
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/c4a7c371342edf0d307cea728f56d3302f0ab38c
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ libfreerdp/gdi/gfx.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/libfreerdp/gdi/gfx.c b/libfreerdp/gdi/gfx.c
+index 56e6ff9ed50b..96ce1007025c 100644
+--- a/libfreerdp/gdi/gfx.c
++++ b/libfreerdp/gdi/gfx.c
+@@ -1175,7 +1175,6 @@ static UINT gdi_SurfaceToSurface(RdpgfxC
+ 	UINT status = ERROR_INTERNAL_ERROR;
+ 	UINT16 index;
+ 	BOOL sameSurface;
+-	UINT32 nWidth, nHeight;
+ 	const RECTANGLE_16* rectSrc;
+ 	RECTANGLE_16 invalidRect;
+ 	gdiGfxSurface* surfaceSrc;
+@@ -1199,8 +1198,8 @@ static UINT gdi_SurfaceToSurface(RdpgfxC
+ 	if (!is_rect_valid(rectSrc, surfaceSrc->width, surfaceSrc->height))
+ 		goto fail;
+ 
+-	nWidth = rectSrc->right - rectSrc->left;
+-	nHeight = rectSrc->bottom - rectSrc->top;
++	const UINT32 nWidth = rectSrc->right - rectSrc->left;
++	const UINT32 nHeight = rectSrc->bottom - rectSrc->top;
+ 
+ 	for (index = 0; index < surfaceToSurface->destPtsCount; index++)
+ 	{
+@@ -1209,8 +1208,10 @@ static UINT gdi_SurfaceToSurface(RdpgfxC
+ 		if (!is_rect_valid(&rect, surfaceDst->width, surfaceDst->height))
+ 			goto fail;
+ 
++		const UINT32 rwidth = rect.right - rect.left;
++		const UINT32 rheight = rect.bottom - rect.top;
+ 		if (!freerdp_image_copy(surfaceDst->data, surfaceDst->format, surfaceDst->scanline,
+-		                        destPt->x, destPt->y, nWidth, nHeight, surfaceSrc->data,
++		                        destPt->x, destPt->y, rwidth, rheight, surfaceSrc->data,
+ 		                        surfaceSrc->format, surfaceSrc->scanline, rectSrc->left,
+ 		                        rectSrc->top, NULL, FREERDP_FLIP_NONE))
+ 			goto fail;

package/freerdp/0014-fix-clear-resize-buffer-checks.patch

@@ -0,0 +1,58 @@
+From c4391827d7facfc874ca7f61a92afb82232a5748 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 15 Jan 2026 12:11:57 +0100
+Subject: [PATCH] [codec,clear] fix clear_resize_buffer checks
+
+CVE: CVE-2026-23533
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/c4391827d7facfc874ca7f61a92afb82232a5748
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ libfreerdp/codec/clear.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index ad57529093e3..aa36baa9b305 100644
+--- a/libfreerdp/codec/clear.c
++++ b/libfreerdp/codec/clear.c
+@@ -62,7 +62,7 @@ struct S_CLEAR_CONTEXT
+ 	NSC_CONTEXT* nsc;
+ 	UINT32 seqNumber;
+ 	BYTE* TempBuffer;
+-	UINT32 TempSize;
++	size_t TempSize;
+ 	UINT32 nTempStep;
+ 	UINT32 TempFormat;
+ 	UINT32 format;
+@@ -313,16 +313,17 @@ static BOOL clear_decompress_subcode_rlex(wStream* WINPR_RESTRICT s, UINT32 bitm
+ 
+ static BOOL clear_resize_buffer(CLEAR_CONTEXT* clear, UINT32 width, UINT32 height)
+ {
+-	UINT32 size;
+-
+ 	if (!clear)
+ 		return FALSE;
+ 
+-	size = ((width + 16) * (height + 16) * GetBytesPerPixel(clear->format));
++	const UINT64 size = 1ull * (width + 16ull) * (height + 16ull);
++	const size_t bpp = GetBytesPerPixel(clear->format);
++	if (size > UINT32_MAX / bpp)
++		return FALSE;
+ 
+-	if (size > clear->TempSize)
++	if (size > clear->TempSize / bpp)
+ 	{
+-		BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size);
++		BYTE* tmp = (BYTE*)realloc(clear->TempBuffer, size * bpp);
+ 
+ 		if (!tmp)
+ 		{
+@@ -330,7 +331,7 @@ static BOOL clear_resize_buffer(CLEAR_CONTEXT* WINPR_RESTRICT clear, UINT32 widt
+ 			return FALSE;
+ 		}
+ 
+-		clear->TempSize = size;
++		clear->TempSize = size * bpp;
+ 		clear->TempBuffer = tmp;
+ 	}
+ 

package/freerdp/0015-fix-off-by-one-length-check.patch

@@ -0,0 +1,33 @@
+From f8688b57f6cfad9a0b05475a6afbde355ffab720 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Thu, 15 Jan 2026 12:19:53 +0100
+Subject: [PATCH] [codec,clear] fix off by one length check
+
+CVE: CVE-2026-23534
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/f8688b57f6cfad9a0b05475a6afbde355ffab720
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ libfreerdp/codec/clear.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libfreerdp/codec/clear.c b/libfreerdp/codec/clear.c
+index 4a67a8ed692b..0efa89f8d06c 100644
+--- a/libfreerdp/codec/clear.c
++++ b/libfreerdp/codec/clear.c
+@@ -881,11 +881,14 @@ static BOOL clear_decompress_bands_data(
+ 				if (count > nHeight)
+ 					count = nHeight;
+ 
+-				if (nXDstRel + i > nDstWidth)
++				if (nXDstRel + i >= nDstWidth)
+ 					return FALSE;
+ 
+ 				for (UINT32 y = 0; y < count; y++)
+ 				{
++					if (nYDstRel + y >= nDstHeight)
++						return FALSE;
++
+ 					BYTE* pDstPixel8 = &pDstData[((nYDstRel + y) * nDstStep) +
+ 					                             ((nXDstRel + i) * GetBytesPerPixel(DstFormat))];
+ 					UINT32 color = ReadColor(cpSrcPixel, clear->format);

package/freerdp/0016-fix-missing-NULL-check.patch

@@ -0,0 +1,55 @@
+From 4d44e3c097656a8b9ec696353647b0888ca45860 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 19 Jan 2026 20:11:24 +0100
+Subject: [PATCH] [core,info] fix missing NULL check
+
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/4d44e3c097656a8b9ec696353647b0888ca45860
+CVE: CVE-2026-23948
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ libfreerdp/core/info.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/libfreerdp/core/info.c b/libfreerdp/core/info.c
+index 0b17b75d9f64..cc54aee7baef 100644
+--- a/libfreerdp/core/info.c
++++ b/libfreerdp/core/info.c
+@@ -1372,7 +1372,7 @@ static BOOL rdp_write_logon_info_v1(wStr
+ 	return TRUE;
+ }
+ 
+-static BOOL rdp_write_logon_info_v2(wStream* s, logon_info* info)
++static BOOL rdp_write_logon_info_v2(wStream* s, const logon_info* info)
+ {
+ 	UINT32 Size = 2 + 4 + 4 + 4 + 4 + 558;
+ 	size_t domainLen, usernameLen;
+@@ -1385,11 +1385,13 @@ static BOOL rdp_write_logon_info_v2(wStr
+ 	Stream_Write_UINT16(s, SAVE_SESSION_PDU_VERSION_ONE);
+ 	Stream_Write_UINT32(s, Size);
+ 	Stream_Write_UINT32(s, info->sessionId);
+-	domainLen = strlen(info->domain);
++	if (info->domain)
++		domainLen = strlen(info->domain);
+ 	if (domainLen > UINT32_MAX)
+ 		return FALSE;
+ 	Stream_Write_UINT32(s, (UINT32)(domainLen + 1) * 2);
+-	usernameLen = strlen(info->username);
++	if (info->username)
++		usernameLen = strlen(info->username);
+ 	if (usernameLen > UINT32_MAX)
+ 		return FALSE;
+ 	Stream_Write_UINT32(s, (UINT32)(usernameLen + 1) * 2);
+@@ -1466,10 +1468,10 @@ static BOOL rdp_write_logon_info_ex(wStr
+ 
+ BOOL rdp_send_save_session_info(rdpContext* context, UINT32 type, void* data)
+ {
+-	wStream* s;
+ 	BOOL status;
++	WINPR_ASSERT(context);
+ 	rdpRdp* rdp = context->rdp;
+-	s = rdp_data_pdu_init(rdp);
++	wStream* s = rdp_data_pdu_init(rdp);
+ 
+ 	if (!s)
+ 		return FALSE;

package/freerdp/0017-do-not-free-MsConfig-on-failure.patch

@@ -0,0 +1,31 @@
+From d676518809c319eec15911c705c13536036af2ae Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 11:54:56 +0100
+Subject: [PATCH] [channels,urbdrc] do not free MsConfig on failure
+
+let the channel handle it later.
+
+CVE: CVE-2026-24675
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/d676518809c319eec15911c705c13536036af2ae
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ channels/urbdrc/client/data_transfer.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/channels/urbdrc/client/data_transfer.c b/channels/urbdrc/client/data_transfer.c
+index af4b9fb5f641..c4042107d4ee 100644
+--- a/channels/urbdrc/client/data_transfer.c
++++ b/channels/urbdrc/client/data_transfer.c
+@@ -570,10 +570,8 @@ static UINT urb_select_interface(IUDEVICE* pdev, GENERIC_CHANNEL_CALLBACK* callb
+ 	MsConfig = pdev->get_MsConfig(pdev);
+ 	InterfaceNumber = MsInterface->InterfaceNumber;
+ 	if (!msusb_msinterface_replace(MsConfig, InterfaceNumber, MsInterface))
+-	{
+-		msusb_msconfig_free(MsConfig);
+ 		return ERROR_BAD_CONFIGURATION;
+-	}
++
+ 	/* complete configuration setup */
+ 	if (!pdev->complete_msconfig_setup(pdev, MsConfig))
+ 	{

package/freerdp/0018-reset-audin-format.patch

@@ -0,0 +1,35 @@
+From 026b81ae5831ac1598d8f7371e0d0996fac7db00 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 10:20:23 +0100
+Subject: [PATCH] [channels,audin] reset audin->format
+
+Whenever the underlying structure changes reset the pointer to NULL
+
+CVE: CVE-2026-24676
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/026b81ae5831ac1598d8f7371e0d0996fac7db00
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ channels/audin/client/audin_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/channels/audin/client/audin_main.c b/channels/audin/client/audin_main.c
+index c57c65a62d4e..76d87bb9c1ed 100644
+--- a/channels/audin/client/audin_main.c
++++ b/channels/audin/client/audin_main.c
+@@ -219,6 +219,7 @@ static UINT audin_process_formats(AUDIN_
+ 	}
+ 
+ 	Stream_Seek_UINT32(s); /* cbSizeFormatsPacket */
++	audin->format = NULL;
+ 	callback->formats = audio_formats_new(NumFormats);
+ 
+ 	if (!callback->formats)
+@@ -293,6 +294,7 @@ out:
+ 
+ 	if (error != CHANNEL_RC_OK)
+ 	{
++		audin->format = NULL;
+ 		audio_formats_free(callback->formats, NumFormats);
+ 		callback->formats = NULL;
+ 	}

package/freerdp/0019-ensure-InterfaceNumber-is-within-range.patch

@@ -0,0 +1,43 @@
+From 2d563a50be17c1b407ca448b1321378c0726dd31 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 10:59:39 +0100
+Subject: [PATCH] [channels,urbdrc] ensure InterfaceNumber is within range
+
+CVE: CVE-2026-24679
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/2d563a50be17c1b407ca448b1321378c0726dd31
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ channels/urbdrc/client/libusb/libusb_udevice.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
+index 6c2376f74fd6..5341248ec64f 100644
+--- a/channels/urbdrc/client/libusb/libusb_udevice.c
++++ b/channels/urbdrc/client/libusb/libusb_udevice.c
+@@ -528,19 +528,19 @@ static int libusb_udev_select_interface(
+ {
+ 	int error = 0, diff = 0;
+ 	UDEVICE* pdev = (UDEVICE*)idev;
+-	URBDRC_PLUGIN* urbdrc;
+-	MSUSB_CONFIG_DESCRIPTOR* MsConfig;
+-	MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces;
+ 
+ 	if (!pdev || !pdev->urbdrc)
+ 		return -1;
+ 
+-	urbdrc = pdev->urbdrc;
+-	MsConfig = pdev->MsConfig;
++	URBDRC_PLUGIN* urbdrc = pdev->urbdrc;
++	MSUSB_CONFIG_DESCRIPTOR* MsConfig = pdev->MsConfig;
+ 
+ 	if (MsConfig)
+ 	{
+-		MsInterfaces = MsConfig->MsInterfaces;
++		if (InterfaceNumber >= MsConfig->NumInterfaces)
++			return -2;
++
++		MSUSB_INTERFACE_DESCRIPTOR** MsInterfaces = MsConfig->MsInterfaces;
+ 		if (MsInterfaces)
+ 		{
+ 			WLog_Print(urbdrc->log, WLOG_INFO,

package/freerdp/0020-cancel-all-usb-transfers-on-channel-close.patch

@@ -0,0 +1,24 @@
+From 414f701464929c217f2509bcbd6d2c1f00f7ed73 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 11:07:25 +0100
+Subject: [PATCH] [channels,urbdrc] cancel all usb transfers on channel close
+
+CVE: CVE-2026-24681
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/414f701464929c217f2509bcbd6d2c1f00f7ed73
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ channels/urbdrc/client/libusb/libusb_udevice.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/channels/urbdrc/client/libusb/libusb_udevice.c b/channels/urbdrc/client/libusb/libusb_udevice.c
+index 5341248ec64f..9e2d3ec5a193 100644
+--- a/channels/urbdrc/client/libusb/libusb_udevice.c
++++ b/channels/urbdrc/client/libusb/libusb_udevice.c
+@@ -1116,6 +1116,7 @@ static void libusb_udev_mark_channel_closed(IUDEVICE* idev)
+ 		const uint8_t devNr = idev->get_dev_number(idev);
+ 
+ 		pdev->status |= URBDRC_DEVICE_CHANNEL_CLOSED;
++		pdev->iface.cancel_all_transfer_request(&pdev->iface);
+ 		urbdrc->udevman->unregister_udevice(urbdrc->udevman, busNr, devNr);
+ 	}
+ }

package/freerdp/0021-fix-audin-server-recv-formats-cleanup.patch

@@ -0,0 +1,26 @@
+From 1c5c74223179d425a1ce6dbbb6a3dd2a958b7aee Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 10:14:08 +0100
+Subject: [PATCH] [channels,audin] fix audin_server_recv_formats cleanup
+
+CVE: CVE-2026-24682
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/1c5c74223179d425a1ce6dbbb6a3dd2a958b7aee
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ channels/audin/server/audin.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/channels/audin/server/audin.c b/channels/audin/server/audin.c
+index 5046a7d6f27c..17077efa6652 100644
+--- a/channels/audin/server/audin.c
++++ b/channels/audin/server/audin.c
+@@ -215,7 +215,7 @@ static UINT audin_server_recv_formats(au
+ 
+ 		if (!audio_format_read(s, format))
+ 		{
+-			audio_formats_free(audin->context.client_formats, i);
++			audio_formats_free(audin->context.client_formats, audin->context.num_client_formats);
+ 			audin->context.client_formats = NULL;
+ 			WLog_ERR(TAG, "expected length at least 18, but got %" PRIu32 "", length);
+ 			return ERROR_INVALID_DATA;

package/freerdp/0022-lock-context-when-updating-listener.patch

@@ -0,0 +1,109 @@
+From d9ca272dce7a776ab475e9b1a8e8c3d2968c8486 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 12:08:48 +0100
+Subject: [PATCH] [channels,ainput] lock context when updating listener
+
+CVE: CVE-2026-24683
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/d9ca272dce7a776ab475e9b1a8e8c3d2968c8486
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ channels/ainput/client/ainput_main.c | 36 ++++++++++++++++++++--------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/channels/ainput/client/ainput_main.c b/channels/ainput/client/ainput_main.c
+index c291bd727285..5545753600a1 100644
+--- a/channels/ainput/client/ainput_main.c
++++ b/channels/ainput/client/ainput_main.c
+@@ -69,6 +69,7 @@ struct AINPUT_PLUGIN_
+ 	UINT32 MajorVersion;
+ 	UINT32 MinorVersion;
+ 	BOOL initialized;
++	CRITICAL_SECTION lock;
+ };
+ 
+ /**
+@@ -109,10 +110,7 @@ static UINT ainput_on_data_received(IWTS
+ 
+ static UINT ainput_send_input_event(AInputClientContext* context, UINT64 flags, INT32 x, INT32 y)
+ {
+-	AINPUT_PLUGIN* ainput;
+-	AINPUT_CHANNEL_CALLBACK* callback;
+ 	BYTE buffer[32] = { 0 };
+-	UINT64 time;
+ 	wStream sbuffer = { 0 };
+ 	wStream* s = &sbuffer;
+ 
+@@ -121,8 +119,8 @@ static UINT ainput_send_input_event(AInp
+ 	WINPR_ASSERT(s);
+ 	WINPR_ASSERT(context);
+ 
+-	time = GetTickCount64();
+-	ainput = (AINPUT_PLUGIN*)context->handle;
++	const UINT64 time = GetTickCount64();
++	AINPUT_PLUGIN* ainput = (AINPUT_PLUGIN*)context->handle;
+ 	WINPR_ASSERT(ainput);
+ 	WINPR_ASSERT(ainput->listener_callback);
+ 
+@@ -132,8 +130,6 @@ static UINT ainput_send_input_event(AInp
+ 		          ainput->MajorVersion, ainput->MinorVersion);
+ 		return CHANNEL_RC_UNSUPPORTED_VERSION;
+ 	}
+-	callback = ainput->listener_callback->channel_callback;
+-	WINPR_ASSERT(callback);
+ 
+ 	{
+ 		char buffer[128] = { 0 };
+@@ -152,10 +148,15 @@ static UINT ainput_send_input_event(AInp
+ 	Stream_SealLength(s);
+ 
+ 	/* ainput back what we have received. AINPUT does not have any message IDs. */
++	EnterCriticalSection(&ainput->lock);
++	AINPUT_CHANNEL_CALLBACK* callback = ainput->listener_callback->channel_callback;
++	WINPR_ASSERT(callback);
+ 	WINPR_ASSERT(callback->channel);
+ 	WINPR_ASSERT(callback->channel->Write);
+-	return callback->channel->Write(callback->channel, (ULONG)Stream_Length(s), Stream_Buffer(s),
++	const UINT rc = callback->channel->Write(callback->channel, (ULONG)Stream_Length(s), Stream_Buffer(s),
+ 	                                NULL);
++	LeaveCriticalSection(&ainput->lock);
++	return rc;
+ }
+ 
+ /**
+@@ -167,7 +168,14 @@ static UINT ainput_on_close(IWTSVirtualC
+ {
+ 	AINPUT_CHANNEL_CALLBACK* callback = (AINPUT_CHANNEL_CALLBACK*)pChannelCallback;
+ 
+-	free(callback);
++	if (callback)
++	{
++		AINPUT_PLUGIN* ainput = (AINPUT_PLUGIN*)callback->plugin;
++		WINPR_ASSERT(ainput);
++		EnterCriticalSection(&ainput->lock);
++		free(callback);
++		LeaveCriticalSection(&ainput->lock);
++	}
+ 
+ 	return CHANNEL_RC_OK;
+ }
+@@ -242,7 +250,10 @@ static UINT ainput_plugin_initialize(IWT
+ 	status = pChannelMgr->CreateListener(pChannelMgr, AINPUT_DVC_CHANNEL_NAME, 0,
+ 	                                     &ainput->listener_callback->iface, &ainput->listener);
+ 
++	InitializeCriticalSection(&ainput->lock);
++	EnterCriticalSection(&ainput->lock);
+ 	ainput->listener->pInterface = ainput->iface.pInterface;
++	LeaveCriticalSection(&ainput->lock);
+ 	ainput->initialized = status == CHANNEL_RC_OK;
+ 	return status;
+ }
+@@ -255,6 +266,8 @@ static UINT ainput_plugin_initialize(IWT
+ static UINT ainput_plugin_terminated(IWTSPlugin* pPlugin)
+ {
+ 	AINPUT_PLUGIN* ainput = (AINPUT_PLUGIN*)pPlugin;
++	WINPR_ASSERT(ainput);
++	DeleteCriticalSection(&ainput->lock);
+ 	if (ainput && ainput->listener_callback)
+ 	{
+ 		IWTSVirtualChannelManager* mgr = ainput->listener_callback->channel_mgr;

package/freerdp/0023-terminate-thread-before-free.patch

@@ -0,0 +1,64 @@
+From 622bb7b4402491ca003f47472d0e478132673696 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Mon, 26 Jan 2026 10:48:14 +0100
+Subject: [PATCH] [channels,rdpsnd] terminate thread before free
+
+Ensure that the optional rdpsnd thread is terminated and the message
+queue freed up before releasing the channel context memory
+
+CVE: CVE-2026-24684
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/622bb7b4402491ca003f47472d0e478132673696
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ channels/rdpsnd/client/rdpsnd_main.c | 28 +++++++++++++++++++---------
+ 1 file changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/channels/rdpsnd/client/rdpsnd_main.c b/channels/rdpsnd/client/rdpsnd_main.c
+index 49c763a87e9b..61a29ec40aa8 100644
+--- a/channels/rdpsnd/client/rdpsnd_main.c
++++ b/channels/rdpsnd/client/rdpsnd_main.c
+@@ -1244,11 +1244,27 @@ fail:
+ 	return CHANNEL_RC_NO_MEMORY;
+ }
+ 
++static void rdpsnd_terminate_thread(rdpsndPlugin* rdpsnd)
++{
++	WINPR_ASSERT(rdpsnd);
++	if (rdpsnd->queue)
++		MessageQueue_PostQuit(rdpsnd->queue, 0);
++	if (rdpsnd->thread)
++	{
++		WaitForSingleObject(rdpsnd->thread, INFINITE);
++		CloseHandle(rdpsnd->thread);
++	}
++	MessageQueue_Free(rdpsnd->queue);
++	rdpsnd->thread = NULL;
++	rdpsnd->queue = NULL;
++}
++
+ static void cleanup_internals(rdpsndPlugin* rdpsnd)
+ {
+ 	if (!rdpsnd)
+ 		return;
+ 
++	rdpsnd_terminate_thread(rdpsnd);
+ 	if (rdpsnd->pool)
+ 		StreamPool_Return(rdpsnd->pool, rdpsnd->data_in);
+ 
+@@ -1396,14 +1412,7 @@ void rdpsnd_virtual_channel_event_termin
+ {
+ 	if (rdpsnd)
+ 	{
+-		if (rdpsnd->queue)
+-			MessageQueue_PostQuit(rdpsnd->queue, 0);
+-		if (rdpsnd->thread)
+-		{
+-			WaitForSingleObject(rdpsnd->thread, INFINITE);
+-			CloseHandle(rdpsnd->thread);
+-		}
+-		MessageQueue_Free(rdpsnd->queue);
++		rdpsnd_terminate_thread(rdpsnd);
+ 
+ 		free_internals(rdpsnd);
+ 		audio_formats_free(rdpsnd->fixed_format, 1);

package/freerdp/0024-only-clean-up-thread-before-free.patch

@@ -0,0 +1,116 @@
+From afa6851dc80835d3101e40fcef51b6c5c0f43ea5 Mon Sep 17 00:00:00 2001
+From: akallabeth <akallabeth@posteo.net>
+Date: Wed, 28 Jan 2026 09:31:06 +0100
+Subject: [PATCH] [channel,rdpsnd] only clean up thread before free
+
+rdpsnd channel usually has multiple instances (static, dynamic, ...) so
+ensure only to terminate the handler thread when the channel is actually
+closed for good.
+
+CVE: CVE-2026-24684
+Upstream: https://github.com/FreeRDP/FreeRDP/commit/afa6851dc80835d3101e40fcef51b6c5c0f43ea5
+[thomas: backport https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ channels/rdpsnd/client/rdpsnd_main.c | 43 ++++++++++++++++------------
+ 1 file changed, 25 insertions(+), 18 deletions(-)
+
+diff --git a/channels/rdpsnd/client/rdpsnd_main.c b/channels/rdpsnd/client/rdpsnd_main.c
+index 61a29ec40aa8..5a1edaea62c6 100644
+--- a/channels/rdpsnd/client/rdpsnd_main.c
++++ b/channels/rdpsnd/client/rdpsnd_main.c
+@@ -132,6 +132,8 @@ struct rdpsnd_plugin
+ 	BOOL applyVolume;
+ };
+ 
++static DWORD WINAPI play_thread(LPVOID arg);
++
+ static const char* rdpsnd_is_dyn_str(BOOL dynamic)
+ {
+ 	if (dynamic)
+@@ -1264,7 +1266,6 @@ static void cleanup_internals(rdpsndPlug
+ 	if (!rdpsnd)
+ 		return;
+ 
+-	rdpsnd_terminate_thread(rdpsnd);
+ 	if (rdpsnd->pool)
+ 		StreamPool_Return(rdpsnd->pool, rdpsnd->data_in);
+ 
+@@ -1328,6 +1329,7 @@ static void free_internals(rdpsndPlugin*
+ 	if (!rdpsnd)
+ 		return;
+ 
++	rdpsnd_terminate_thread(rdpsnd);
+ 	freerdp_dsp_context_free(rdpsnd->dsp_context);
+ 	StreamPool_Free(rdpsnd->pool);
+ 	rdpsnd->pool = NULL;
+@@ -1349,6 +1351,21 @@ static BOOL allocate_internals(rdpsndPlu
+ 		if (!rdpsnd->dsp_context)
+ 			return FALSE;
+ 	}
++	if (!rdpsnd->queue)
++	{
++		wObject obj = { 0 };
++
++		obj.fnObjectFree = _queue_free;
++		rdpsnd->queue = MessageQueue_New(&obj);
++		if (!rdpsnd->queue)
++			return CHANNEL_RC_NO_MEMORY;
++	}
++	if (!rdpsnd->thread)
++	{
++		rdpsnd->thread = CreateThread(NULL, 0, play_thread, rdpsnd, 0, NULL);
++		if (!rdpsnd->thread)
++			return CHANNEL_RC_INITIALIZATION_ERROR;
++	}
+ 
+ 	return TRUE;
+ }
+@@ -1388,23 +1405,12 @@ static DWORD WINAPI play_thread(LPVOID a
+ 
+ static UINT rdpsnd_virtual_channel_event_initialized(rdpsndPlugin* rdpsnd)
+ {
+-	wObject obj = { 0 };
+-
+ 	if (!rdpsnd)
+ 		return ERROR_INVALID_PARAMETER;
+ 
+-	obj.fnObjectFree = _queue_free;
+-	rdpsnd->queue = MessageQueue_New(&obj);
+-	if (!rdpsnd->queue)
+-		return CHANNEL_RC_NO_MEMORY;
+-
+ 	if (!allocate_internals(rdpsnd))
+ 		return CHANNEL_RC_NO_MEMORY;
+ 
+-	rdpsnd->thread = CreateThread(NULL, 0, play_thread, rdpsnd, 0, NULL);
+-	if (!rdpsnd->thread)
+-		return CHANNEL_RC_INITIALIZATION_ERROR;
+-
+ 	return CHANNEL_RC_OK;
+ }
+ 
+@@ -1412,8 +1418,6 @@ void rdpsnd_virtual_channel_event_termin
+ {
+ 	if (rdpsnd)
+ 	{
+-		rdpsnd_terminate_thread(rdpsnd);
+-
+ 		free_internals(rdpsnd);
+ 		audio_formats_free(rdpsnd->fixed_format, 1);
+ 		free(rdpsnd->subsystem);
+@@ -1602,13 +1606,13 @@ static UINT rdpsnd_on_close(IWTSVirtualC
+ 
+ 	cleanup_internals(rdpsnd);
+ 
++	free_internals(rdpsnd);
+ 	if (rdpsnd->device)
+ 	{
+ 		IFCALL(rdpsnd->device->Free, rdpsnd->device);
+ 		rdpsnd->device = NULL;
+ 	}
+ 
+-	free_internals(rdpsnd);
+ 	free(pChannelCallback);
+ 	return CHANNEL_RC_OK;
+ }

package/freerdp/freerdp.hash

@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  f7cc2bf43b9778e9079cd229ea8e37fc1843eb1c11a8e4e003034af71858ce6a  freerdp-2.11.7-18-g0ee17e2f8e49d56ab5b90d5160fa8f87ffc445e0-git4.tar.gz
+sha256  8a7c953ece217aa4fa22c4a21ab2bc4c9093fc79aa67d3e1273c140d140203f7  freerdp-2.11.8-git4.tar.gz
 sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE

package/freerdp/freerdp.mk

@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-# Latest, and probably last, commit on the stable-2.0 branch
-FREERDP_VERSION = 2.11.7-18-g0ee17e2f8e49d56ab5b90d5160fa8f87ffc445e0
+# Latest, and probably last, release on the stable-2.0 branch
+FREERDP_VERSION = 2.11.8
 FREERDP_SITE = https://github.com/FreeRDP/FreeRDP
 FREERDP_SITE_METHOD = git
 FREERDP_DEPENDENCIES = libglib2 openssl zlib
@@ -13,6 +13,58 @@ FREERDP_LICENSE = Apache-2.0
 FREERDP_LICENSE_FILES = LICENSE
 FREERDP_CPE_ID_VENDOR = freerdp
 
+# Introduced in v3.0.0-beta1
+# https://security-tracker.debian.org/tracker/CVE-2024-32662
+FREERDP_IGNORE_CVES += CVE-2024-32662
+
+# Windows only
+# https://security-tracker.debian.org/tracker/CVE-2025-68118
+FREERDP_IGNORE_CVES += CVE-2025-68118
+
+# 0009-fix-missing-check-in-rdp-write-logon-info-v1.patch
+FREERDP_IGNORE_CVES += CVE-2024-32661
+
+# 0010-fix-decoder-length-checks.patch
+FREERDP_IGNORE_CVES += CVE-2026-23530
+
+# 0011-fix-missing-length-checks.patch
+# 0012-check-clear-decomress-glyphData.patch
+FREERDP_IGNORE_CVES += CVE-2026-23531
+
+# 0013-properly-clamp-SurfaceToSurface.patch
+FREERDP_IGNORE_CVES += CVE-2026-23532
+
+# 0014-fix-clear-resize-buffer-checks.patch
+FREERDP_IGNORE_CVES += CVE-2026-23533
+
+# 0015-fix-off-by-one-length-check.patch
+FREERDP_IGNORE_CVES += CVE-2026-23534
+
+# 0016-fix-missing-NULL-check.patch
+FREERDP_IGNORE_CVES += CVE-2026-23948
+
+# 0017-do-not-free-MsConfig-on-failure.patch
+FREERDP_IGNORE_CVES += CVE-2026-24675
+
+# 0018-reset-audin-format.patch
+FREERDP_IGNORE_CVES += CVE-2026-24676
+
+# 0019-ensure-InterfaceNumber-is-within-range.patch
+FREERDP_IGNORE_CVES += CVE-2026-24679
+
+# 0020-cancel-all-usb-transfers-on-channel-close.patch
+FREERDP_IGNORE_CVES += CVE-2026-24681
+
+# 0021-fix-audin-server-recv-formats-cleanup.patch
+FREERDP_IGNORE_CVES += CVE-2026-24682
+
+# 0022-lock-context-when-updating-listener.patch
+FREERDP_IGNORE_CVES += CVE-2026-24683
+
+# 0023-terminate-thread-before-free.patch
+# 0024-only-clean-up-thread-before-free.patch
+FREERDP_IGNORE_CVES += CVE-2026-24684
+
 FREERDP_INSTALL_STAGING = YES
 
 FREERDP_CONF_OPTS = \

package/gpsd/gpsd.hash

@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  ebb66ed92018b79cec88efb60e35a596925eef46502cf03d6ff0aea636ee7461  gpsd-3.27.2.tar.gz
+sha256  409873f5048462ef1ac413a51ab35caa8b50b31be62b3347bee1cc2994e7c649  gpsd-3.27.5.tar.gz
 sha256  fdf339997bbca9eaf507476b82fbcac608fc39a3d89b86b51e16db4c9f933716  COPYING

package/gpsd/gpsd.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GPSD_VERSION = 3.27.2
+GPSD_VERSION = 3.27.5
 GPSD_SITE = http://download-mirror.savannah.gnu.org/releases/gpsd
 GPSD_LICENSE = BSD-2-Clause
 GPSD_LICENSE_FILES = COPYING

package/graphicsmagick/0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch

@@ -0,0 +1,55 @@
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1734634653 21600
+#      Thu Dec 19 12:57:33 2024 -0600
+# Node ID 883ebf8cae6dfa5873d975fe3476b1a188ef3f9f
+# Parent  cf7cd5ebabb0ca40204de7539f4fb9ae02121958
+ReadWPGImage(): Assure that palette buffer is allocated and the current size.
+
+CVE: CVE-2025-27796
+Upstream: https://foss.heptapod.net/graphicsmagick/graphicsmagick/-/commit/883ebf8cae6dfa5873d975fe3476b1a188ef3f9f
+[thomas: remove changelog and binary]
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+
+diff --git a/coders/wpg.c b/coders/wpg.c
+--- a/coders/wpg.c
++++ b/coders/wpg.c
+@@ -1704,28 +1704,23 @@
+                 ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);
+               }
+ 
+-              if(pPalette!=NULL &&
+-                 PaletteAllocBytes < 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries))
+-              {
+-                MagickFreeResourceLimitedMemory(pPalette);
+-                PaletteAllocBytes = 0;
+-              }
++              /* Assure that buffer is allocated and the current size */
++              if (PaletteAllocBytes != Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256))
++                {
++                  PaletteAllocBytes = Max(4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries),4*256);
++                  MagickReallocateResourceLimitedMemory(unsigned char *,pPalette,PaletteAllocBytes);
++                }
+               if(pPalette==NULL)
+-              {
+-                PaletteItems = WPG_Palette.NumOfEntries;
+-                PaletteAllocBytes = 4*(WPG_Palette.StartIndex+WPG_Palette.NumOfEntries);
+-                if(PaletteAllocBytes < 4*256) PaletteAllocBytes = 4*256;
+-                pPalette = MagickAllocateResourceLimitedMemory(unsigned char *,(size_t)PaletteAllocBytes);
+-                if(pPalette==NULL)
+-                    ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+-                for(i=0; i<=255; i++)
++                ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
++
++              PaletteItems = WPG_Palette.NumOfEntries;
++              for(i=0; i<=255; i++)
+                 {
+                   pPalette[4*i] = WPG1_Palette[i].Red;
+                   pPalette[4*i+1] = WPG1_Palette[i].Green;
+                   pPalette[4*i+2] = WPG1_Palette[i].Blue;
+                   pPalette[4*i+3] = OpaqueOpacity;
+                 }
+-              }
+               if(ReadBlob(image,(size_t) PaletteItems*4,pPalette+((size_t)4*WPG_Palette.StartIndex)) != (size_t) PaletteItems*4)
+               {
+                 MagickFreeResourceLimitedMemory(pPalette);

package/graphicsmagick/graphicsmagick.mk

@@ -11,12 +11,24 @@ GRAPHICSMAGICK_LICENSE = MIT
 GRAPHICSMAGICK_LICENSE_FILES = Copyright.txt
 GRAPHICSMAGICK_CPE_ID_VENDOR = graphicsmagick
 
+# Wrong NVD annotations
+# Fixed in version 1.2.3
+GRAPHICSMAGICK_IGNORE_CVES += CVE-2008-6621
+
+# Wrong NVD annotations englobbing all versions
+# Wrong patch for CVE-2006-5456 later updated
+# https://bugzilla.redhat.com/show_bug.cgi?id=210921#c5
+GRAPHICSMAGICK_IGNORE_CVES += CVE-2007-0770
+
 # 0001-ReadJXLImage-Apply-image-dimension-resource-limits.patch
 GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-27795
 
 # 0002-ReadJXLImage-pixel_format-num_channels-needs-to-be.patch
 GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-32460
 
+# 0003-Assure-that-palette-buffer-is-allocated-and-the-current-size.patch
+GRAPHICSMAGICK_IGNORE_CVES += CVE-2025-27796
+
 GRAPHICSMAGICK_INSTALL_STAGING = YES
 GRAPHICSMAGICK_CONFIG_SCRIPTS = GraphicsMagick-config GraphicsMagickWand-config
 

package/igmpproxy/0001-Fix-Buffer-Overflow.patch

@@ -0,0 +1,25 @@
+From 2b30c36e6ab5b21defb76ec6458ab7687984484c Mon Sep 17 00:00:00 2001
+From: Jan Klemkow <j.klemkow@wemelug.de>
+Date: Thu, 17 Apr 2025 19:02:16 +0200
+Subject: [PATCH] Fix Buffer Overflow #97
+
+CVE: CVE-2025-50681
+Upstream: https://github.com/younix/igmpproxy/commit/2b30c36e6ab5b21defb76ec6458ab7687984484c
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/igmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/igmp.c b/src/igmp.c
+index a80c4e58..838694ce 100644
+--- a/src/igmp.c
++++ b/src/igmp.c
+@@ -94,7 +94,7 @@ static const char *igmpPacketKind(unsigned int type, unsigned int code) {
+     case IGMP_V2_LEAVE_GROUP:        return "Leave message     ";
+ 
+     default:
+-        sprintf(unknown, "unk: 0x%02x/0x%02x    ", type, code);
++        snprintf(unknown, sizeof unknown, "unk: 0x%02x/0x%02x    ", type, code);
+         return unknown;
+     }
+ }

package/igmpproxy/igmpproxy.mk

@@ -13,4 +13,7 @@ IGMPPROXY_LICENSE_FILES = COPYING GPL.txt Stanford.txt
 
 IGMPPROXY_CPE_ID_VENDOR = pali
 
+# 0001-Fix-Buffer-Overflow.patch
+IGMPPROXY_IGNORE_CVES += CVE-2025-50681
+
 $(eval $(autotools-package))

package/imagemagick/imagemagick.hash

@@ -1,3 +1,3 @@
 # Locally computed
-sha256  521fa7a8c0f664a3f5cf7437cbcc219f12bd6d5fe0c1fb014f212fa145076e60  imagemagick-7.1.2-12.tar.gz
-sha256  a556c5292c87c9a6ac795c80669b0c3660f9f729de8c476bf2b10f83ab1b34ec  LICENSE
+sha256  bf646e7fffdf50b7d886eec6bbe51c3ced1c4d68fbabfcc534e014575359fe7f  imagemagick-7.1.2-15.tar.gz
+sha256  131447ad0099069beaa32acf1700716eea294a5bdf936d8211d7026b1849e5d4  LICENSE

package/imagemagick/imagemagick.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-IMAGEMAGICK_VERSION = 7.1.2-12
+IMAGEMAGICK_VERSION = 7.1.2-15
 IMAGEMAGICK_SITE = $(call github,ImageMagick,ImageMagick,$(IMAGEMAGICK_VERSION))
 IMAGEMAGICK_LICENSE = Apache-2.0
 IMAGEMAGICK_LICENSE_FILES = LICENSE

package/libssh/libssh.hash

@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-# https://www.libssh.org/files/0.11/libssh-0.11.3.tar.xz.asc
+# https://www.libssh.org/files/0.11/libssh-0.11.4.tar.xz.asc
 # with key 88A228D89B07C2C77D0C780903D5DF8CFDD3E8E7
-sha256  7d8a1361bb094ec3f511964e78a5a4dba689b5986e112afabe4f4d0d6c6125c3  libssh-0.11.3.tar.xz
+sha256  002ac320e3d66c9e100ec6576e3e84aa0c48949efde3bf5b40a2802992297701  libssh-0.11.4.tar.xz
 sha256  1656186e951db1c010a8485481fa94587f7e53a26d24976bef97945ad0c4df5a  COPYING

package/libssh/libssh.mk

@@ -5,7 +5,7 @@
 ################################################################################
 
 LIBSSH_VERSION_MAJOR = 0.11
-LIBSSH_VERSION = $(LIBSSH_VERSION_MAJOR).3
+LIBSSH_VERSION = $(LIBSSH_VERSION_MAJOR).4
 LIBSSH_SOURCE = libssh-$(LIBSSH_VERSION).tar.xz
 LIBSSH_SITE = https://www.libssh.org/files/$(LIBSSH_VERSION_MAJOR)
 LIBSSH_LICENSE = LGPL-2.1

package/libunistring/libunistring.hash

@@ -1,6 +1,6 @@
 # Locally calculated after checking pgp signature
-# https://ftp.gnu.org/gnu/libunistring/libunistring-1.4.1.tar.xz.sig
-sha256  67d88430892527861903788868c77802a217b0959990f7449f2976126a307763  libunistring-1.4.1.tar.xz
+# https://ftp.gnu.org/gnu/libunistring/libunistring-1.4.2.tar.xz.sig
+sha256  5b46e74377ed7409c5b75e7a96f95377b095623b689d8522620927964a41499c  libunistring-1.4.2.tar.xz
 # Locally calculated
 sha256  3972dc9744f6499f0f9b2dbf76696f2ae7ad8af9b23dde66d6af86c9dfb36986  COPYING
 sha256  a853c2ffec17057872340eee242ae4d96cbf2b520ae27d903e1b2fef1a5f9d1c  COPYING.LIB

package/libunistring/libunistring.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBUNISTRING_VERSION = 1.4.1
+LIBUNISTRING_VERSION = 1.4.2
 LIBUNISTRING_SITE = $(BR2_GNU_MIRROR)/libunistring
 LIBUNISTRING_SOURCE = libunistring-$(LIBUNISTRING_VERSION).tar.xz
 LIBUNISTRING_INSTALL_STAGING = YES

package/libvirt/Config.in

@@ -89,12 +89,14 @@ comment "qemu needs a toolchain with gcc >= 8"
 config BR2_PACKAGE_LIBVIRT_LXC
 	bool "lxc"
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 # lxc
+	depends on !BR2_TOOLCHAIN_USES_UCLIBC # lxc
 	select BR2_PACKAGE_LXC
 	help
 	  Linux Container support
 
-comment "lxc needs a toolchain w/ gcc >= 4.7"
-	depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_7
+comment "lxc needs a glibc or musl toolchain w/ gcc >= 4.7"
+	depends on !BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 \
+		|| BR2_TOOLCHAIN_USES_UCLIBC
 
 endif
 

package/libzlib/libzlib.hash

@@ -1,4 +1,4 @@
 # From http://www.zlib.net/
-sha256  38ef96b8dfe510d42707d9c781877914792541133e1870841463bfa73f883e32  zlib-1.3.1.tar.xz
+sha256  d7a0654783a4da529d1bb793b7ad9c3318020af77667bcae35f95d0e42a792f3  zlib-1.3.2.tar.xz
 # License files, locally calculated
-sha256  845efc77857d485d91fb3e0b884aaa929368c717ae8186b66fe1ed2495753243  LICENSE
+sha256  e32ff4e00d9d94930537635291da39e7e612703334bf6fde8c7f1686fe8a45a2  LICENSE

package/libzlib/libzlib.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBZLIB_VERSION = 1.3.1
+LIBZLIB_VERSION = 1.3.2
 LIBZLIB_SOURCE = zlib-$(LIBZLIB_VERSION).tar.xz
 LIBZLIB_SITE = https://www.zlib.net
 LIBZLIB_LICENSE = Zlib

package/linux-headers/Config.in.host

@@ -464,13 +464,13 @@ endchoice
 
 config BR2_DEFAULT_KERNEL_HEADERS
 	string
-	default "5.10.250"	if BR2_KERNEL_HEADERS_5_10
-	default "5.15.200"	if BR2_KERNEL_HEADERS_5_15
-	default "6.1.163"	if BR2_KERNEL_HEADERS_6_1
-	default "6.6.124"	if BR2_KERNEL_HEADERS_6_6
-	default "6.12.71"	if BR2_KERNEL_HEADERS_6_12
-	default "6.18.10"	if BR2_KERNEL_HEADERS_6_18
-	default "6.19"		if BR2_KERNEL_HEADERS_6_19
+	default "5.10.251"	if BR2_KERNEL_HEADERS_5_10
+	default "5.15.201"	if BR2_KERNEL_HEADERS_5_15
+	default "6.1.164"	if BR2_KERNEL_HEADERS_6_1
+	default "6.6.127"	if BR2_KERNEL_HEADERS_6_6
+	default "6.12.74"	if BR2_KERNEL_HEADERS_6_12
+	default "6.18.15"	if BR2_KERNEL_HEADERS_6_18
+	default "6.19.5"	if BR2_KERNEL_HEADERS_6_19
 	default BR2_DEFAULT_KERNEL_VERSION if BR2_KERNEL_HEADERS_VERSION
 	default "custom"	if BR2_KERNEL_HEADERS_CUSTOM_TARBALL
 	default BR2_KERNEL_HEADERS_CUSTOM_REPO_VERSION \

package/mesa3d-headers/mesa3d-headers.mk

@@ -12,7 +12,7 @@ endif
 
 # Not possible to directly refer to mesa3d variables, because of
 # first/second expansion trickery...
-MESA3D_HEADERS_VERSION = 26.0.0
+MESA3D_HEADERS_VERSION = 26.0.1
 MESA3D_HEADERS_SOURCE = mesa-$(MESA3D_HEADERS_VERSION).tar.xz
 MESA3D_HEADERS_SITE = https://archive.mesa3d.org
 MESA3D_HEADERS_DL_SUBDIR = mesa3d

package/mesa3d/mesa3d.hash

@@ -1,6 +1,6 @@
-# From https://lists.freedesktop.org/archives/mesa-announce/2026-February/000838.html
-sha256  2a44e98e64d5c36cec64633de2d0ec7eff64703ee25b35364ba8fcaa84f33f72  mesa-26.0.0.tar.xz
-sha512  d39d190d0a17306f0aa69033e38dd8cf458dbf8da483b768841e2dc681dd670735999b212fbe0b29be839702a20750c87d6587bd925dca10693950830a17cd55  mesa-26.0.0.tar.xz
+# From https://lists.freedesktop.org/archives/mesa-announce/2026-February/000840.html
+sha256  bb5104f9f9a46c9b5175c24e601e0ef1ab44ce2d0fdbe81548b59adc8b385dcc  mesa-26.0.1.tar.xz
+sha512  d47072257035acfa8a5594c0cda831b4e5178169dea8a06c6657268a441e32271f8798486e837cea23f35ce3f0b4b9520a4ea4ed26b0e1267b02da4c649bc9f9  mesa-26.0.1.tar.xz
 # License
 sha256  0d1a0472ecc81830e75c20d59b0ea02841e3db21255e0ebad97ab682c54d6615  docs/license.rst
 sha256  323c587d0ccf10e376f8bf9a7f31fb4ca6078105194b42e0b1e0ee2bc9bde71f  licenses/MIT

package/mesa3d/mesa3d.mk

@@ -5,7 +5,7 @@
 ################################################################################
 
 # When updating the version, please also update mesa3d-headers
-MESA3D_VERSION = 26.0.0
+MESA3D_VERSION = 26.0.1
 MESA3D_SOURCE = mesa-$(MESA3D_VERSION).tar.xz
 MESA3D_SITE = https://archive.mesa3d.org
 MESA3D_LICENSE = MIT, SGI, Khronos

package/mpir/0004-fix-configure-with-gcc-15.patch

@@ -0,0 +1,41 @@
+From da003143cc6f217dcf474517d54b3aee06c9c18f Mon Sep 17 00:00:00 2001
+From: Leon White <l.white@interstellarlab.earth>
+Date: Mon, 25 Aug 2025 17:24:55 +0200
+Subject: [PATCH] fix configure with gcc-15
+
+Added to Alpine Linux with commit
+https://gitlab.alpinelinux.org/alpine/aports/-/commit/ded83e23c95b2560d2d77c0e61a6425872aa273b
+
+Fixes compile error
+
+conftest.c: In function 'f':
+conftest.c:14:48: error: too many arguments to function 'g'; expected 0, have 6
+   14 | for(i=0;i<1;i++){if(e(got,got,9,d[i].n)==0)h();g(i,d[i].src,d[i].n,got,d[i].want,9);if(d[i].n)h();}}
+      |                                                ^ ~
+conftest.c:13:17: note: declared here
+   13 | void h(){} void g(){}
+      |                 ^
+
+Upstream: https://github.com/wbhart/mpir/pull/300
+
+Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
+---
+ acinclude.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index cd917567..53b9ef9c 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -590,7 +590,7 @@ extern
+ __inline__ t1 e(t2 rp,t2 up,int n,t1 v0)
+ {t1 c,x,r;int i;if(v0){c=1;for(i=1;i<n;i++){x=up[i];r=x+1;rp[i]=r;}}return c;}
+ void f(){static const struct{t1 n;t1 src[9];t1 want[9];}d[]={{1,{0},{1}},};t1 got[9];int i;
+-void h(){} void g(){}
++void h(){} void g(int, t1 *, t1, t1 *, t1 *, int) {}
+ for(i=0;i<1;i++){if(e(got,got,9,d[i].n)==0)h();g(i,d[i].src,d[i].n,got,d[i].want,9);if(d[i].n)h();}}
+ #else
+ int dummy;
+-- 
+2.47.3
+

package/mupdf/0001-Fix-incorrect-error-case-free-of-pixmap.patch

@@ -0,0 +1,53 @@
+From d4743b6092d513321c23c6f7fe5cff87cde043c1 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Mon, 12 Jan 2026 19:08:56 +0000
+Subject: Bug 709029: Fix incorrect error-case free of pixmap.
+
+Don't free a pixmap we don't own!
+
+CVE: CVE-2026-25556
+Upstream: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ source/fitz/util.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/source/fitz/util.c b/source/fitz/util.c
+index 7710124cc..90226a5c1 100644
+--- a/source/fitz/util.c
++++ b/source/fitz/util.c
+@@ -119,7 +119,15 @@ fz_new_pixmap_from_display_list_with_separations(fz_context *ctx, fz_display_lis
+ 	else
+ 		fz_clear_pixmap_with_value(ctx, pix, 0xFF);
+
+-	return fz_fill_pixmap_from_display_list(ctx, list, ctm, pix);
++	fz_try(ctx)
++		fz_fill_pixmap_from_display_list(ctx, list, ctm, pix);
++	fz_catch(ctx)
++	{
++		fz_drop_pixmap(ctx, pix);
++		fz_rethrow(ctx);
++	}
++
++	return pix;
+ }
+
+ fz_pixmap *
+@@ -136,14 +144,9 @@ fz_fill_pixmap_from_display_list(fz_context *ctx, fz_display_list *list, fz_matr
+ 		fz_close_device(ctx, dev);
+ 	}
+ 	fz_always(ctx)
+-	{
+ 		fz_drop_device(ctx, dev);
+-	}
+ 	fz_catch(ctx)
+-	{
+-		fz_drop_pixmap(ctx, pix);
+ 		fz_rethrow(ctx);
+-	}
+
+ 	return pix;
+ }
+--
+cgit v1.2.3
+

package/mupdf/mupdf.mk

@@ -27,6 +27,9 @@ MUPDF_IGNORE_CVES = \
 	CVE-2024-24258 \
 	CVE-2024-24259
 
+# 0001-Fix-incorrect-error-case-free-of-pixmap.patch
+MUPDF_IGNORE_CVES += CVE-2026-25556
+
 # mupdf doesn't use CFLAGS and LIBS but XCFLAGS and XLIBS instead.
 # with USE_SYSTEM_LIBS it will try to use system libraries instead of the bundled ones.
 MUPDF_MAKE_ENV = $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \

package/netsnmp/0004-snmptrapd-Fix-out-of-bounds-trapOid-accesses.patch

@@ -0,0 +1,32 @@
+From b4e6f826d9ddcc2d72eac432746807e1234266db Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Sun, 2 Nov 2025 14:48:55 -0800
+Subject: [PATCH] snmptrapd: Fix out-of-bounds trapOid[] accesses
+
+Fixes: https://issues.oss-fuzz.com/issues/457106694
+Fixes: https://issues.oss-fuzz.com/issues/458668421
+Fixes: https://issues.oss-fuzz.com/issues/458876071
+CVE: CVE-2025-68615
+Upstream: https://github.com/net-snmp/net-snmp/commit/b4e6f826d9ddcc2d72eac432746807e1234266db
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ apps/snmptrapd_handlers.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/apps/snmptrapd_handlers.c b/apps/snmptrapd_handlers.c
+index 6cd126f266..afd93ed0fb 100644
+--- a/apps/snmptrapd_handlers.c
++++ b/apps/snmptrapd_handlers.c
+@@ -1112,6 +1112,12 @@ snmp_input(int op, netsnmp_session *session,
+ 	     */
+             if (pdu->trap_type == SNMP_TRAP_ENTERPRISESPECIFIC) {
+                 trapOidLen = pdu->enterprise_length;
++                /*
++                 * Drop packets that would trigger an out-of-bounds trapOid[]
++                 * access.
++                 */
++                if (trapOidLen < 1 || trapOidLen > OID_LENGTH(trapOid) - 2)
++                    return 1;
+                 memcpy(trapOid, pdu->enterprise, sizeof(oid) * trapOidLen);
+                 if (trapOid[trapOidLen - 1] != 0) {
+                     trapOid[trapOidLen++] = 0;

package/netsnmp/netsnmp.mk

@@ -11,6 +11,8 @@ NETSNMP_LICENSE = Various BSD-like
 NETSNMP_LICENSE_FILES = COPYING
 NETSNMP_CPE_ID_VENDOR = net-snmp
 NETSNMP_CPE_ID_PRODUCT = $(NETSNMP_CPE_ID_VENDOR)
+# 0004-snmptrapd-Fix-out-of-bounds-trapOid-accesses.patch
+NETSNMP_IGNORE_CVES += CVE-2025-68615
 NETSNMP_SELINUX_MODULES = snmp
 NETSNMP_INSTALL_STAGING = YES
 NETSNMP_CONF_ENV = \

package/openscap/0001-set-project-as-c-project.patch

@@ -0,0 +1,78 @@
+From a742647efd215b682e4cd26b15ac3e580c10ef9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alexis=20Lothor=C3=A9?= <alexis.lothore@bootlin.com>
+Date: Mon, 16 Feb 2026 13:50:48 +0100
+Subject: [PATCH] Set project as C project in CMakeLists.txt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The openscap tool has been recently integrated in the buildroot build
+system ([1]), which makes the openscap tool buildable for a wide variety
+or architectures/OSes, with a wide variety of _compilers_. And so when
+such compilers are not supporting C++ projects (as it is the case with a
+default buildroot toolchain), the build breaks on the following error
+(see [2] for an example):
+
+  -- Detecting CXX compiler ABI info
+  -- Detecting CXX compiler ABI info - failed
+  -- Check for working CXX compiler: /bin/false
+  -- Check for working CXX compiler: /bin/false - broken
+  CMake Error at /usr/share/cmake/Modules/CMakeTestCXXCompiler.cmake:73 (message):
+    The C++ compiler
+
+      "/bin/false"
+
+    is not able to compile a simple test program.
+
+    It fails with the following output:
+
+      Change Dir: '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
+
+      Run Build Command(s): /usr/bin/cmake -E env VERBOSE=1 /usr/bin/make -f Makefile cmTC_1834b/fast
+      make[1]: Entering directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
+      /usr/bin/make  -f CMakeFiles/cmTC_1834b.dir/build.make CMakeFiles/cmTC_1834b.dir/build
+      make[2]: Entering directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
+      Building CXX object CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o
+      /bin/false    -o CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o -c /home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI/testCXXCompiler.cxx
+      make[2]: *** [CMakeFiles/cmTC_1834b.dir/build.make:81: CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o] Error 1
+      make[2]: Leaving directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
+      make[1]: *** [Makefile:134: cmTC_1834b/fast] Error 2
+      make[1]: Leaving directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
+
+    CMake will not be able to correctly generate this project.
+  Call Stack (most recent call first):
+    CMakeLists.txt:11 (project)
+
+openscap does not have any C++ code to build, so restricting builds to
+toolchains supporting C++ is overconstraining, the configuration step
+should rather not try to check C++ support.
+
+Enforce the project as a C project in CMakeLists.txt to make sure not to
+test C++ features on the used toolchain.
+
+[1] https://buildroot.org/
+[2] https://autobuild.buildroot.org/results/1fe550ffa79f0a083a450ae03fe067a8ab7336be/build-end.log
+
+Upstream: https://github.com/OpenSCAP/openscap/pull/2312
+[patch slightly adapted to be applicable on v1.3.12]
+Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+---
+ CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index cb13debb47cf..05b054327951 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -8,7 +8,7 @@ if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
+ 		"MinSizeRel" "RelWithDebInfo")
+ endif()
+ 
+-project("openscap")
++project("openscap" C)
+ set(OPENSCAP_VERSION_MAJOR "1")
+ set(OPENSCAP_VERSION_MINOR "3")
+ set(OPENSCAP_VERSION_PATCH "12")
+-- 
+2.53.0
+

package/patch/0006-Fix-swapping-fake-lines-in-pch-swap.patch

@@ -0,0 +1,33 @@
+From 9c986353e420ead6e706262bf204d6e03322c300 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 17 Aug 2018 13:35:40 +0200
+Subject: Fix swapping fake lines in pch_swap
+
+* src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a
+blank line in the middle of a context-diff hunk: that empty line stays
+in the middle of the hunk and isn't swapped.
+
+Fixes: https://savannah.gnu.org/bugs/index.php?53133
+CVE: CVE-2018-6952
+Upstream: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/pch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pch.c b/src/pch.c
+index e92bc64..a500ad9 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2115,7 +2115,7 @@ pch_swap (void)
+     }
+     if (p_efake >= 0) {			/* fix non-freeable ptr range */
+ 	if (p_efake <= i)
+-	    n = p_end - i + 1;
++	    n = p_end - p_ptrn_lines;
+ 	else
+ 	    n = -i;
+ 	p_efake += n;
+-- 
+cgit v1.2.3
+

package/patch/0007-Avoid-invalid-memory-access-in-context-format-diffs.patch

@@ -0,0 +1,30 @@
+From 15b158db3ae11cb835f2eb8d2eb48e09d1a4af48 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 19:10:02 +0200
+Subject: Avoid invalid memory access in context format diffs
+
+* src/pch.c (another_hunk): Avoid invalid memory access in context format
+diffs.
+
+CVE: CVE-2019-20633
+Upstream: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=15b158db3ae11cb835f2eb8d2eb48e09d1a4af48
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/pch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/pch.c b/src/pch.c
+index a500ad9..cb54e03 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -1327,6 +1327,7 @@ another_hunk (enum diff difftype, bool rev)
+ 		  ptrn_prefix_context = context;
+ 		ptrn_suffix_context = context;
+ 		if (repl_beginning
++		    || p_end <= 0
+ 		    || (p_end
+ 			!= p_ptrn_lines + 1 + (p_Char[p_end - 1] == '\n')))
+ 		  {
+-- 
+cgit v1.2.3
+

package/patch/patch.mk

@@ -23,6 +23,12 @@ PATCH_IGNORE_CVES += CVE-2018-20969 CVE-2019-13638
 # 0005-Don-t-follow-symlinks-unless--follow-symlinks-is-given.patch
 PATCH_IGNORE_CVES += CVE-2019-13636
 
+# 0006-Fix-swapping-fake-lines-in-pch-swap.patch
+PATCH_IGNORE_CVES += CVE-2018-6952
+
+# 0007-Avoid-invalid-memory-access-in-context-format-diffs.patch
+PATCH_IGNORE_CVES += CVE-2019-20633
+
 ifeq ($(BR2_PACKAGE_ATTR),y)
 PATCH_CONF_OPTS += --enable-xattr
 PATCH_DEPENDENCIES += attr

package/poco/poco.mk

@@ -77,9 +77,8 @@ define POCO_CONFIGURE_CMDS
 		--no-samples)
 endef
 
-# Use $(MAKE1) to avoid failures on heavilly parallel machines (e.g. -j25)
 define POCO_BUILD_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE1) POCO_TARGET_OSARCH=$(ARCH) CROSS_COMPILE=$(TARGET_CROSS) \
+	$(TARGET_MAKE_ENV) $(MAKE) POCO_TARGET_OSARCH=$(ARCH) CROSS_COMPILE=$(TARGET_CROSS) \
 		POCO_MYSQL_INCLUDE=$(STAGING_DIR)/usr/include/mysql \
 		POCO_MYSQL_LIB=$(STAGING_DIR)/usr/lib/mysql \
 		POCO_PGSQL_INCLUDE=$(STAGING_DIR)/usr/include/postgresql \

package/python-anyio/python-anyio.hash

@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/anyio/json
-md5  a026af4a3b485699718761b1b44ad1df  anyio-4.12.0.tar.gz
-sha256  73c693b567b0c55130c104d0b43a9baf3aa6a31fc6110116509f27bf75e21ec0  anyio-4.12.0.tar.gz
+md5  10e3ba7d02402b6605d834a1e4881a1d  anyio-4.12.1.tar.gz
+sha256  41cfcc3a4c85d3f05c932da7c26d0201ac36f72abd4435ba90d0464a3ffed703  anyio-4.12.1.tar.gz
 # Locally computed sha256 checksums
 sha256  5361ac9dc58f2ef5fd2e9b09c68297c17f04950909bbc8023bdb82eacf22c2b0  LICENSE

package/python-anyio/python-anyio.mk

@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_ANYIO_VERSION = 4.12.0
+PYTHON_ANYIO_VERSION = 4.12.1
 PYTHON_ANYIO_SOURCE = anyio-$(PYTHON_ANYIO_VERSION).tar.gz
-PYTHON_ANYIO_SITE = https://files.pythonhosted.org/packages/16/ce/8a777047513153587e5434fd752e89334ac33e379aa3497db860eeb60377
+PYTHON_ANYIO_SITE = https://files.pythonhosted.org/packages/96/f0/5eb65b2bb0d09ac6776f2eb54adee6abe8228ea05b20a5ad0e4945de8aac
 PYTHON_ANYIO_SETUP_TYPE = setuptools
 PYTHON_ANYIO_LICENSE = MIT
 PYTHON_ANYIO_LICENSE_FILES = LICENSE

package/python-fastapi/python-fastapi.hash

@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/fastapi/json
-md5  eb8cc0ba48ade2ac08bf55c880a69fdd  fastapi-0.128.0.tar.gz
-sha256  1cc179e1cef10a6be60ffe429f79b829dce99d8de32d7acb7e6c8dfdf7f2645a  fastapi-0.128.0.tar.gz
+md5  62d857497f46ee023ca1b7c5eb27f629  fastapi-0.129.0.tar.gz
+sha256  61315cebd2e65df5f97ec298c888f9de30430dd0612d59d6480beafbc10655af  fastapi-0.129.0.tar.gz
 # Locally computed sha256 checksums
 sha256  4ec89ffc81485b97fec584b2d4a961032eeffe834453894fd9c1274906cc744e  LICENSE

package/python-fastapi/python-fastapi.mk

@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_FASTAPI_VERSION = 0.128.0
+PYTHON_FASTAPI_VERSION = 0.129.0
 PYTHON_FASTAPI_SOURCE = fastapi-$(PYTHON_FASTAPI_VERSION).tar.gz
-PYTHON_FASTAPI_SITE = https://files.pythonhosted.org/packages/52/08/8c8508db6c7b9aae8f7175046af41baad690771c9bcde676419965e338c7
+PYTHON_FASTAPI_SITE = https://files.pythonhosted.org/packages/48/47/75f6bea02e797abff1bca968d5997793898032d9923c1935ae2efdece642
 PYTHON_FASTAPI_SETUP_TYPE = pep517
 PYTHON_FASTAPI_LICENSE = MIT
 PYTHON_FASTAPI_LICENSE_FILES = LICENSE

package/python-jsonschema/python-jsonschema.hash

@@ -1,6 +1,6 @@
 # md5, sha256 from https://pypi.org/pypi/jsonschema/json
-md5  e33f133a5b56b9f9756b38065849c86f  jsonschema-4.25.1.tar.gz
-sha256  e4a9655ce0da0c0b67a085847e00a3a51449e1157f4f75e9fb5aa545e122eb85  jsonschema-4.25.1.tar.gz
+md5  3c1deb667257ae19924dede13332d906  jsonschema-4.26.0.tar.gz
+sha256  0c26707e2efad8aa1bfc5b7ce170f3fccc2e4918ff85989ba9ffa9facb2be326  jsonschema-4.26.0.tar.gz
 # Locally computed sha256 checksums
 sha256  4f92a015a13c4d1a040bef018aa13430b4f1bc73b41b16bb846c346766de7439  COPYING
 sha256  837402bd25fad9b704265801ca3f92566a98157c1f9a7acd6f446299ba1c305a  json/LICENSE

package/python-jsonschema/python-jsonschema.mk

@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_JSONSCHEMA_VERSION = 4.25.1
+PYTHON_JSONSCHEMA_VERSION = 4.26.0
 PYTHON_JSONSCHEMA_SOURCE = jsonschema-$(PYTHON_JSONSCHEMA_VERSION).tar.gz
-PYTHON_JSONSCHEMA_SITE = https://files.pythonhosted.org/packages/74/69/f7185de793a29082a9f3c7728268ffb31cb5095131a9c139a74078e27336
+PYTHON_JSONSCHEMA_SITE = https://files.pythonhosted.org/packages/b3/fc/e067678238fa451312d4c62bf6e6cf5ec56375422aee02f9cb5f909b3047
 PYTHON_JSONSCHEMA_SETUP_TYPE = hatch
 PYTHON_JSONSCHEMA_LICENSE = MIT
 PYTHON_JSONSCHEMA_LICENSE_FILES = COPYING json/LICENSE

package/python-multipart/python-multipart.hash

@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/python_multipart/json
-md5  fd24645f1b328d5d328e8b10bc2c596c  python_multipart-0.0.21.tar.gz
-sha256  7137ebd4d3bbf70ea1622998f902b97a29434a9e8dc40eb203bbcf7c2a2cba92  python_multipart-0.0.21.tar.gz
+md5  0debb97a2b5d68f8dd5119bd200f4010  python_multipart-0.0.22.tar.gz
+sha256  7340bef99a7e0032613f56dc36027b959fd3b30a787ed62d310e951f7c3a3a58  python_multipart-0.0.22.tar.gz
 # Locally computed sha256 checksums
 sha256  a8e833176cd617daf00b9d6d39fa15ca8edebc6d1643079cd2f4893c0c289be2  LICENSE.txt

package/python-multipart/python-multipart.mk

@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_MULTIPART_VERSION = 0.0.21
+PYTHON_MULTIPART_VERSION = 0.0.22
 PYTHON_MULTIPART_SOURCE = python_multipart-$(PYTHON_MULTIPART_VERSION).tar.gz
-PYTHON_MULTIPART_SITE = https://files.pythonhosted.org/packages/78/96/804520d0850c7db98e5ccb70282e29208723f0964e88ffd9d0da2f52ea09
+PYTHON_MULTIPART_SITE = https://files.pythonhosted.org/packages/94/01/979e98d542a70714b0cb2b6728ed0b7c46792b695e3eaec3e20711271ca3
 PYTHON_MULTIPART_SETUP_TYPE = hatch
 PYTHON_MULTIPART_LICENSE = Apache-2.0
 PYTHON_MULTIPART_LICENSE_FILES = LICENSE.txt

package/python-pybind/python-pybind.mk

@@ -19,9 +19,16 @@ PYTHON_PYBIND_CONF_OPTS = \
 
 PYTHON_PYBIND_INSTALL_PATH = $(HOST_DIR)/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages/pybind11
 
+# Overwrite 'pybind11/_version.py' with a hard-coded version to replace
+# 'pybind11/_version.py' installed by default that require
+# pybind11/detail/common.h header in HOST_DIR.
+# https://github.com/pybind/pybind11/blob/f5fbe867d2d26e4a0a9177a51f6e568868ad3dc8/pyproject.toml#L93
 define PYTHON_PYBIND_INSTALL_MODULE
 	mkdir -p $(PYTHON_PYBIND_INSTALL_PATH)
 	cp -dpf $(@D)/pybind11/*.py $(PYTHON_PYBIND_INSTALL_PATH)
+	sed -e 's#@@PYBIND_VERSION@@#$(PYTHON_PYBIND_VERSION)#' \
+		$(PYTHON_PYBIND_PKGDIR)/python-pybind_version.py.in \
+		> $(PYTHON_PYBIND_INSTALL_PATH)/_version.py
 endef
 PYTHON_PYBIND_POST_INSTALL_STAGING_HOOKS += PYTHON_PYBIND_INSTALL_MODULE
 

package/python-pybind/python-pybind_version.py.in

@@ -0,0 +1,12 @@
+from __future__ import annotations
+
+
+def _to_int(s: str) -> int | str:
+    try:
+        return int(s)
+    except ValueError:
+        return s
+
+
+__version__ = "@@PYBIND_VERSION@@"
+version_info = tuple(_to_int(s) for s in __version__.split("."))

package/python-starlette/python-starlette.hash

@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/starlette/json
-md5  f3479ed026aeaffb43af371d3b7db527  starlette-0.50.0.tar.gz
-sha256  a2a17b22203254bcbc2e1f926d2d55f3f9497f769416b3190768befe598fa3ca  starlette-0.50.0.tar.gz
+md5  3fafce592e3b272a54e2fe7727397fc1  starlette-0.52.1.tar.gz
+sha256  834edd1b0a23167694292e94f597773bc3f89f362be6effee198165a35d62933  starlette-0.52.1.tar.gz
 # Locally computed sha256 checksums
 sha256  dcb95677a02240243187e964f941847d19b17821cf99e5afae684fab328c19bf  LICENSE.md

package/python-starlette/python-starlette.mk

@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_STARLETTE_VERSION = 0.50.0
+PYTHON_STARLETTE_VERSION = 0.52.1
 PYTHON_STARLETTE_SOURCE = starlette-$(PYTHON_STARLETTE_VERSION).tar.gz
-PYTHON_STARLETTE_SITE = https://files.pythonhosted.org/packages/ba/b8/73a0e6a6e079a9d9cfa64113d771e421640b6f679a52eeb9b32f72d871a1
+PYTHON_STARLETTE_SITE = https://files.pythonhosted.org/packages/c4/68/79977123bb7be889ad680d79a40f339082c1978b5cfcf62c2d8d196873ac
 PYTHON_STARLETTE_SETUP_TYPE = hatch
 PYTHON_STARLETTE_LICENSE = BSD-3-Clause
 PYTHON_STARLETTE_LICENSE_FILES = LICENSE.md

package/qemu/Config.in

@@ -189,11 +189,6 @@ config BR2_PACKAGE_QEMU_TARGET_AVR
 	help
 	  AVR 8-bit microcontroller architecture.
 
-config BR2_PACKAGE_QEMU_TARGET_CRIS
-	bool "cris"
-	help
-	  ETRAX CRIS microcontroller architecture.
-
 config BR2_PACKAGE_QEMU_TARGET_HEXAGON
 	bool "hexagon (linux-user, only)"
 	depends on BR2_PACKAGE_QEMU_LINUX_USER

package/qemu/qemu.mk

@@ -65,7 +65,6 @@ QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_AARCH64) += aarch64-softmmu
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_ALPHA) += alpha-softmmu
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_ARM) += arm-softmmu
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_AVR) += avr-softmmu
-QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_CRIS) += cris-softmmu
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_HPPA) += hppa-softmmu
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_I386) += i386-softmmu
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_LOONGARCH64) += loongarch64-softmmu
@@ -102,7 +101,6 @@ QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_AARCH64_BE) += aarch64_be-linux-user
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_ALPHA) += alpha-linux-user
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_ARM) += arm-linux-user
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_ARMEB) += armeb-linux-user
-QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_CRIS) += cris-linux-user
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_HEXAGON) += hexagon-linux-user
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_HPPA) += hppa-linux-user
 QEMU_TARGET_LIST_$(BR2_PACKAGE_QEMU_TARGET_I386) += i386-linux-user

package/rtl_433/0002-Fix-overflow-in-rfraw-test-data-parsing.patch

@@ -0,0 +1,31 @@
+From 25e47f8932f0401392ef1d3c8cc9ed5595bc894a Mon Sep 17 00:00:00 2001
+From: "Christian W. Zuckschwerdt" <christian@zuckschwerdt.org>
+Date: Wed, 8 Oct 2025 10:11:15 +0200
+Subject: [PATCH] Fix overflow in rfraw test data parsing (closes #3375)
+
+CVE: CVE-2025-34450
+Upstream: https://github.com/merbanan/rtl_433/commit/25e47f8932f0401392ef1d3c8cc9ed5595bc894a
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+---
+ src/rfraw.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/rfraw.c b/src/rfraw.c
+index 9f4c9780c..71a1c365d 100644
+--- a/src/rfraw.c
++++ b/src/rfraw.c
+@@ -159,9 +159,14 @@ static bool parse_rfraw(pulse_data_t *data, char const **p)
+             data->num_pulses++;
+             pulse_needed = true;
+         }
++        // abort reading if the pulse data array is full
++        if (data->num_pulses >= PD_MAX_PULSES) {
++            break;
++        }
+     }
+     //data->gap[data->num_pulses - 1] = 3000; // TODO: extend last gap?
+ 
++    // expand reapeats as long as the pulse data array has enough space
+     unsigned pkt_pulses = data->num_pulses - prev_pulses;
+     for (int i = 1; i < repeats && data->num_pulses + pkt_pulses <= PD_MAX_PULSES; ++i) {
+         memcpy(&data->pulse[data->num_pulses], &data->pulse[prev_pulses], pkt_pulses * sizeof (*data->pulse));

package/rtl_433/rtl_433.mk

@@ -10,6 +10,9 @@ RTL_433_LICENSE = GPL-2.0+
 RTL_433_LICENSE_FILES = COPYING
 RTL_433_CPE_ID_VALID = YES
 
+# 0002-Fix-overflow-in-rfraw-test-data-parsing.patch
+RTL_433_IGNORE_CVES += CVE-2025-34450
+
 # Force Release build to remove ASAN.
 RTL_433_CONF_OPTS = \
 	-DCMAKE_BUILD_TYPE=Release \

package/ruby/ruby.hash

@@ -1,5 +1,5 @@
-# https://www.ruby-lang.org/en/news/2025/12/25/ruby-4-0-0-released/
-sha256  a72bacee9de07283ebc19baa4ac243b193129f21aa4e168c7186fb1fe7d07fe1  ruby-4.0.0.tar.xz
+# https://www.ruby-lang.org/en/news/2026/01/13/ruby-4-0-1-released/
+sha256  0531fe57dfdb56bf591620d2450642ea0e0964f3512a6ebee7dc9305de69395f  ruby-4.0.1.tar.xz
 
 # License files, Locally calculated
 sha256  a74812486cffbdc55141a5d9f165d782cbb202660d827622ec966237d4717b99  LEGAL

package/ruby/ruby.mk

@@ -5,7 +5,7 @@
 ################################################################################
 
 RUBY_VERSION_MAJOR = 4.0
-RUBY_VERSION = $(RUBY_VERSION_MAJOR).0
+RUBY_VERSION = $(RUBY_VERSION_MAJOR).1
 RUBY_VERSION_EXT = 4.0.0
 RUBY_SITE = http://cache.ruby-lang.org/pub/ruby/$(RUBY_VERSION_MAJOR)
 RUBY_SOURCE = ruby-$(RUBY_VERSION).tar.xz
@@ -26,10 +26,12 @@ RUBY_CONF_OPTS = \
 	--disable-install-doc \
 	--disable-rpath \
 	--disable-rubygems \
-	--disable-yjit
+	--disable-yjit \
+	--disable-zjit
 HOST_RUBY_CONF_OPTS = \
 	--disable-install-doc \
 	--disable-yjit \
+	--disable-zjit \
 	--with-out-ext=curses,readline \
 	--without-gmp