Update for 2024.11.1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/libxcrypt: make available only with glibc
2025-01-09 15:43:35 +01:00 · 2025-01-09 10:50:50 +01:00 · 2025-01-09 10:48:17 +01:00 · 2025-01-09 10:17:40 +01:00 · 2025-01-09 10:17:26 +01:00 · 2025-01-09 10:06:58 +01:00
186 changed files with 4074 additions and 428 deletions
--- a/32
+++ b/32
@@ -1,3 +1,35 @@
+2024.11.1, released January 9th, 2025
+
+	Important / security related fixes.
+
+        Infrastructure:
+
+        - Ensure CONFIG_TRIM_UNUSED_KSYMS is disabled when building
+          external Linux kernel modules
+
+	Updated/fixed packages: apr, bc, bluez5_utils, c-icap,
+	cryptodev-linux, dahdi-linux, dpdk, freeipmi, gdb, gnupg2,
+	gnuplot, gnutls, go, gobject-introspection, grub2, gst-omx,
+	gst1-devtools, gst1-libav, gst1-plugins-bad,
+	gst1-plugins-base, gst1-plugins-good, gst1-plugins-ugly,
+	gst1-python, gst1-rtsp-server, gst1-vaapi, gstreamer1,
+	gstreamer1-editing-services, igt-gpu-tools, iperf3, libcurl,
+	libsha1, libsndfile, libsoup3, libvirt, libxcrypt, libxml2,
+	libzenoh-pico, linux, linux-pam, netatalk, nettle, octave,
+	opensc, perl, php, pixman, polkit, procps-ng,
+	python-autocommand, python-django, python3, quickjs, samba4,
+	skeleton, subversion, ti-k3-r5-loader, tzdata, v4l2loopback,
+	wayland, webkitgtk, weston, wget, wireshark, wpewebkit,
+	xr819-xradio, xxhash, zfs, zic
+
+	Issues resolved:
+	- bluetooth.service cannot connect to D-BUS
+	  https://gitlab.com/buildroot.org/buildroot/-/issues/65
+        - gdb package doesn't have a licence hash in the gdb.hash file
+          https://gitlab.com/buildroot.org/buildroot/-/issues/66
+	- package/libsha1: Build failure with GCC 14 [-Wimplicit-int]
+	  https://gitlab.com/buildroot.org/buildroot/-/issues/69
+
 2024.11, released December 8th, 2024

 	Various fixes.
--- a/Config.in
+++ b/Config.in
@@ -285,7 +285,7 @@ config BR2_KERNEL_MIRROR

 config BR2_GNU_MIRROR
 	string "GNU Software mirror"
-	default "http://ftpmirror.gnu.org"
+	default "https://ftpmirror.gnu.org"
 	help
 	  GNU has multiple software mirrors scattered around the
 	  world. The following allows you to select your preferred
--- a/4
+++ b/4
@@ -304,7 +304,6 @@ F:	package/git/
 N:	Bartosz Bilas <b.bilas@grinn-global.com>
 F:	board/stmicroelectronics/stm32mp157a-dk1/
 F:	configs/stm32mp157a_dk1_defconfig
-F:	package/cegui/
 F:	package/log4qt/
 F:	package/python-esptool/
 F:	package/python-pyaes/
@@ -1868,6 +1867,7 @@ F:	support/testing/tests/package/test_dmidecode.py
 F:	support/testing/tests/package/test_dos2unix.py
 F:	support/testing/tests/package/test_dosfstools.py
 F:	support/testing/tests/package/test_dosfstools/
+F:	support/testing/tests/package/test_dpdk.py
 F:	support/testing/tests/package/test_ed.py
 F:	support/testing/tests/package/test_ethtool.py
 F:	support/testing/tests/package/test_ethtool/
@@ -2005,6 +2005,8 @@ F:	support/testing/tests/package/test_which.py
 F:	support/testing/tests/package/test_wine.py
 F:	support/testing/tests/package/test_xfsprogs.py
 F:	support/testing/tests/package/test_xfsprogs/
+F:	support/testing/tests/package/test_xvisor.py
+F:	support/testing/tests/package/test_xxhash.py
 F:	support/testing/tests/package/test_xz.py
 F:	support/testing/tests/package/test_z3.py
 F:	support/testing/tests/package/test_z3/
--- a/4
+++ b/4
@@ -92,9 +92,9 @@ all:
 .PHONY: all

 # Set and export the version string
-export BR2_VERSION := 2024.11
+export BR2_VERSION := 2024.11.1
 # Actual time the release is cut (for reproducible builds)
-BR2_VERSION_EPOCH = 1733653000
+BR2_VERSION_EPOCH = 1736433000

 # Save running make version since it's clobbered by the make package
 RUNNING_MAKE_VERSION := $(MAKE_VERSION)
--- a/boot/grub2/grub2.mk
+++ b/boot/grub2/grub2.mk
@@ -5,7 +5,7 @@
 ################################################################################

 GRUB2_VERSION = 2.12
-GRUB2_SITE = http://ftp.gnu.org/gnu/grub
+GRUB2_SITE = $(BR2_GNU_MIRROR)/grub
 GRUB2_SOURCE = grub-$(GRUB2_VERSION).tar.xz
 GRUB2_LICENSE = GPL-3.0+
 GRUB2_LICENSE_FILES = COPYING
--- a/boot/ti-k3-r5-loader/ti-k3-r5-loader.mk
+++ b/boot/ti-k3-r5-loader/ti-k3-r5-loader.mk
@@ -46,6 +46,7 @@ TI_K3_R5_LOADER_DEPENDENCIES = \
 	host-pkgconf \
 	$(BR2_MAKE_HOST_DEPENDENCY) \
 	host-arm-gnu-toolchain \
+	host-gnutls \
 	host-openssl \
 	host-python3 \
 	host-python-jsonschema \
--- a/linux/Config.in
+++ b/linux/Config.in
@@ -30,6 +30,11 @@ choice
 config BR2_LINUX_KERNEL_LATEST_VERSION
 	bool "Latest version (6.11)"
 	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_6_11 if BR2_KERNEL_HEADERS_AS_KERNEL
+	# mips always generates an ITB image
+	select BR2_PACKAGE_HOST_UBOOT_TOOLS if BR2_mips || BR2_mipsel || BR2_mips64 || BR2_mips64el
+	select BR2_PACKAGE_HOST_UBOOT_TOOLS_FIT_SUPPORT if BR2_mips || BR2_mipsel || BR2_mips64 || BR2_mips64el
+	# nios2 always generates a U-Boot image
+	select BR2_PACKAGE_HOST_UBOOT_TOOLS if BR2_nios2

 config BR2_LINUX_KERNEL_LATEST_CIP_VERSION
 	bool "Latest CIP SLTS version (5.10.162-cip24)"
@@ -168,6 +173,12 @@ config BR2_LINUX_KERNEL_USE_DEFCONFIG

 config BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG
 	bool "Use the architecture default configuration"
+	# We know that the default configuration on some architectures
+	# requires host-openssl, so select it for the latest kernel
+	# version. This is mainly needed to fix autobuilder testing.
+	select BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL if \
+	       BR2_LINUX_KERNEL_LATEST_VERSION && \
+	       (BR2_aarch64 || BR2_aarch64_be || BR2_arcle || BR2_arceb || BR2_sparc || BR2_x86_64)
 	help
 	  This option will use the default configuration for the
 	  selected architecture. I.e, it is equivalent to running
--- a/linux/linux.hash
+++ b/linux/linux.hash
@@ -1,11 +1,11 @@
 # From https://www.kernel.org/pub/linux/kernel/v6.x/sha256sums.asc
 sha256  62148e7e17f54c4a5ab5e75ad4882682c54bee818948be61a5963234fc0849fc  linux-6.11.11.tar.xz
-sha256  d1054ab4803413efe2850f50f1a84349c091631ec50a1cf9e891d1b1f9061835  linux-6.6.63.tar.xz
-sha256  aecdaf39d0a844a81ce4c67d9daff8979e938bb690df4f679fbbb494fe423278  linux-6.1.119.tar.xz
+sha256  283ff410e3f352ceed161ae30c0020301326059db03e86efcb384d46ac5840e2  linux-6.6.68.tar.xz
+sha256  e892c0b380100b7e6249060282ad07fbded092f0a2ca1d647243d0fbe9ce6e50  linux-6.1.122.tar.xz
 # From https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
-sha256  8a4b2a47ccc9b208b2b6ed9a216ea1a5eb12852c723bec1a04de9e671a1d7da8  linux-5.15.173.tar.xz
-sha256  cd1850ef3b771886df4e0b4c4eb07033864abab2bb553a20fd9e3cdc23584b47  linux-5.10.230.tar.xz
-sha256  180754f3df0e8d7f206625255b3f5a6e1f441feec83336df42613ca8f6b1887c  linux-5.4.286.tar.xz
+sha256  8fd8bbc80e7aae30aaca3b40576b283010b5e84e70f6fea1573589155ce8a9d0  linux-5.15.175.tar.xz
+sha256  fda44589a438dff8c718082e9a48843b15e5eb82f6cc2f98d48f48226063bef0  linux-5.10.232.tar.xz
+sha256  876fbae303723bcf9e01ab57b1a0a7d38045aacd481ff865dccc2cc89f591afe  linux-5.4.288.tar.xz
 # From https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
 sha256  607bed7de5cda31a443df4c8a78dbe5e8a9ad31afde2a4d28fe99ab4730e8de1  linux-4.19.325.tar.xz
 # Locally computed
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -343,6 +343,12 @@ LINUX_KCONFIG_DEFCONFIG = $(call qstrip,$(BR2_LINUX_KERNEL_DEFCONFIG))_defconfig
 else ifeq ($(BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG),y)
 ifeq ($(BR2_powerpc64le),y)
 LINUX_KCONFIG_DEFCONFIG = ppc64le_defconfig
+else ifeq ($(BR2_powerpc64),y)
+LINUX_KCONFIG_DEFCONFIG = ppc64_defconfig
+else ifeq ($(BR2_powerpc),y)
+LINUX_KCONFIG_DEFCONFIG = ppc_defconfig
+else ifeq ($(BR2_arc750d)$(BR2_arc770d),y)
+LINUX_KCONFIG_DEFCONFIG = axs101_defconfig
 else
 LINUX_KCONFIG_DEFCONFIG = defconfig
 endif
--- a/package/apr/0004-Merge-r1920082-from-1.8.x.patch
+++ b/package/apr/0004-Merge-r1920082-from-1.8.x.patch
@@ -0,0 +1,71 @@
+From 36ea6d5a2bfc480dd8032cc8651e6793552bc2aa Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Tue, 20 Aug 2024 21:50:42 +0000
+Subject: [PATCH] Merge r1920082 from 1.8.x:
+
+use 0600 perms for named shared mem consistently
+
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/apr/apr/branches/1.7.x@1920083 13f79535-47bb-0310-9956-ffa450edef68
+Upstream: https://github.com/apache/apr/commit/36ea6d5a2bfc480dd8032cc8651e6793552bc2aa
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ shmem/unix/shm.c | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/shmem/unix/shm.c b/shmem/unix/shm.c
+index 096884d99..ea9b94277 100644
+--- a/shmem/unix/shm.c
+++ b/shmem/unix/shm.c
+@@ -287,10 +287,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+         status = APR_SUCCESS;
+     
+ #if APR_USE_SHMEM_MMAP_TMP
+-        /* FIXME: Is APR_OS_DEFAULT sufficient? */
+-        status = apr_file_open(&file, filename, 
+-                               APR_READ | APR_WRITE | APR_CREATE | APR_EXCL,
+-                               APR_OS_DEFAULT, pool);
+        status = apr_file_open(&file, filename,
+                               APR_FOPEN_READ | APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_EXCL,
+                               APR_FPROT_UREAD | APR_FPROT_UWRITE, pool);
+         if (status != APR_SUCCESS) {
+             return status;
+         }
+@@ -319,8 +318,7 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+         }
+ #endif /* APR_USE_SHMEM_MMAP_TMP */
+ #if APR_USE_SHMEM_MMAP_SHM
+-        /* FIXME: SysV uses 0600... should we? */
+-        tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0644);
+        tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0600);
+         if (tmpfd == -1) {
+             return errno;
+         }
+@@ -361,10 +359,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+ #elif APR_USE_SHMEM_SHMGET
+         new_m->realsize = reqsize;
+ 
+-        /* FIXME: APR_OS_DEFAULT is too permissive, switch to 600 I think. */
+-        status = apr_file_open(&file, filename, 
+        status = apr_file_open(&file, filename,
+                                APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_EXCL,
+-                               APR_OS_DEFAULT, pool);
+                               APR_FPROT_UREAD | APR_FPROT_UWRITE, pool);
+         if (status != APR_SUCCESS) {
+             return status;
+         }
+@@ -555,8 +552,7 @@ APR_DECLARE(apr_status_t) apr_shm_attach(apr_shm_t **m,
+ #if APR_USE_SHMEM_MMAP_SHM
+         const char *shm_name = make_shm_open_safe_name(filename, pool);
+ 
+-        /* FIXME: SysV uses 0600... should we? */
+-        tmpfd = shm_open(shm_name, O_RDWR, 0644);
+        tmpfd = shm_open(shm_name, O_RDWR, 0600);
+         if (tmpfd == -1) {
+             return errno;
+         }
+-- 
+2.39.5
+
--- a/package/apr/apr.mk
+++ b/package/apr/apr.mk
@@ -16,6 +16,9 @@ APR_INSTALL_STAGING = YES
 # so we need to autoreconf:
 APR_AUTORECONF = YES

+# 0004-Merge-r1920082-from-1.8.x.patch
+APR_IGNORE_CVES += CVE-2023-49582
+
 APR_CONF_OPTS = --disable-sctp

 # avoid apr_hints.m4 by setting apr_preload_done=yes and set
--- a/package/autoconf/0001-dont-add-dirty-to-version.patch
+++ b/package/autoconf/0001-dont-add-dirty-to-version.patch
@@ -1,7 +1,7 @@
 autoconf: don't append -dirty to version

 Don't append -dirty to autoconf version number if the buildroot git tree
-has uncommited changes.
+has uncommitted changes.

 This script is meant for the autoconf developers, but it also activates
 if you build autoconf in a subdirectory of a git tree (E.G. like how it's
--- a/package/bc/bc.mk
+++ b/package/bc/bc.mk
@@ -5,7 +5,7 @@
 ################################################################################

 BC_VERSION = 1.07.1
-BC_SITE = http://ftp.gnu.org/gnu/bc
+BC_SITE = $(BR2_GNU_MIRROR)/bc
 BC_DEPENDENCIES = host-flex
 BC_LICENSE = GPL-2.0+, LGPL-2.1+
 BC_LICENSE_FILES = COPYING COPYING.LIB
--- a/package/bluez5_utils-headers/bluez5_utils-headers.mk
+++ b/package/bluez5_utils-headers/bluez5_utils-headers.mk
@@ -5,7 +5,7 @@
 ################################################################################

 # Keep the version and patches in sync with bluez5_utils
-BLUEZ5_UTILS_HEADERS_VERSION = 5.78
+BLUEZ5_UTILS_HEADERS_VERSION = 5.79
 BLUEZ5_UTILS_HEADERS_SOURCE = bluez-$(BLUEZ5_UTILS_VERSION).tar.xz
 BLUEZ5_UTILS_HEADERS_SITE = $(BR2_KERNEL_MIRROR)/linux/bluetooth
 BLUEZ5_UTILS_HEADERS_DL_SUBDIR = bluez5_utils
--- a/package/bluez5_utils/0001-gdbus-define-MAX_INPUT-for-musl.patch
+++ b/package/bluez5_utils/0001-gdbus-define-MAX_INPUT-for-musl.patch
@@ -0,0 +1,33 @@
+From 9d69dba21f1e46b34cdd8ae27fec11d0803907ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Gu=C3=B0ni=20M=C3=A1r=20Gilbert?= <gudni.m.g@gmail.com>
+Date: Sat, 2 Nov 2024 16:10:18 +0000
+Subject: [PATCH] gdbus: define MAX_INPUT for musl
+
+This is the same solution as was done in src/shared/util.c
+
+Upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=9d69dba21f1e46b34cdd8ae27fec11d0803907ee
+Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
+---
+ gdbus/object.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/gdbus/object.c b/gdbus/object.c
+index 84f116bf1..7b0476f1a 100644
+--- a/gdbus/object.c
+++ b/gdbus/object.c
+@@ -20,6 +20,12 @@
+ #include <dbus/dbus.h>
+ 
+ #include "gdbus.h"
+
+/* define MAX_INPUT for musl */
+#ifndef MAX_INPUT
+#define MAX_INPUT _POSIX_MAX_INPUT
+#endif
+
+ #include "src/shared/util.h"
+ 
+ #define info(fmt...)
+-- 
+2.45.2
+
--- a/package/bluez5_utils/0002-Leave-config-files-writable-for-owner.patch
+++ b/package/bluez5_utils/0002-Leave-config-files-writable-for-owner.patch
@@ -0,0 +1,35 @@
+From b1fd409960001a77cda2a09ecc00147ebd9c3667 Mon Sep 17 00:00:00 2001
+From: Fiona Klute <fiona.klute@gmx.de>
+Date: Mon, 9 Dec 2024 16:40:43 +0100
+Subject: [PATCH BlueZ] build: Leave config files writable for owner
+
+This is needed for builds running as non-root users, so the build
+process and any distribution tools can create/move/delete files in the
+config directory without adjusting permissions separately. Limiting
+writes from the running service needs to be done in the systemd unit
+(already the case) or init script.
+
+See also: https://lore.kernel.org/linux-bluetooth/4d1206df-598b-4a68-8655-74981b62ecca@gmx.de/T/
+Reviewed-by: Bastien Nocera <hadess@hadess.net>
+Upstream: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=b1fd409960001a77cda2a09ecc00147ebd9c3667
+Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 297d0774c..29018a91c 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -32,7 +32,7 @@ confdir = $(sysconfdir)/bluetooth
+ statedir = $(localstatedir)/lib/bluetooth
+ 
+ bluetoothd-fix-permissions:
+-	install -dm555 $(DESTDIR)$(confdir)
+	install -dm755 $(DESTDIR)$(confdir)
+ 	install -dm700 $(DESTDIR)$(statedir)
+ 
+ if DATAFILES
+-- 
+2.45.2
+
--- a/package/bluez5_utils/bluez5_utils.hash
+++ b/package/bluez5_utils/bluez5_utils.hash
@@ -1,5 +1,5 @@
 # From https://www.kernel.org/pub/linux/bluetooth/sha256sums.asc:
-sha256  830fed1915c5d375b8de0f5e6f45fcdea0dcc5ff5ffb3d31db6ed0f00d73c5e3  bluez-5.78.tar.xz
+sha256  4164a5303a9f71c70f48c03ff60be34231b568d93a9ad5e79928d34e6aa0ea8a  bluez-5.79.tar.xz
 # Locally computed
 sha256  b499eddebda05a8859e32b820a64577d91f1de2b52efa2a1575a2cb4000bc259  COPYING
 sha256  ec60b993835e2c6b79e6d9226345f4e614e686eb57dc13b6420c15a33a8996e5  COPYING.LIB
--- a/package/bluez5_utils/bluez5_utils.mk
+++ b/package/bluez5_utils/bluez5_utils.mk
@@ -5,7 +5,7 @@
 ################################################################################

 # Keep the version and patches in sync with bluez5_utils-headers
-BLUEZ5_UTILS_VERSION = 5.78
+BLUEZ5_UTILS_VERSION = 5.79
 BLUEZ5_UTILS_SOURCE = bluez-$(BLUEZ5_UTILS_VERSION).tar.xz
 BLUEZ5_UTILS_SITE = $(BR2_KERNEL_MIRROR)/linux/bluetooth
 BLUEZ5_UTILS_INSTALL_STAGING = YES
@@ -13,6 +13,9 @@ BLUEZ5_UTILS_LICENSE = GPL-2.0+, LGPL-2.1+
 BLUEZ5_UTILS_LICENSE_FILES = COPYING COPYING.LIB
 BLUEZ5_UTILS_CPE_ID_VENDOR = bluez
 BLUEZ5_UTILS_CPE_ID_PRODUCT = bluez
+# required because 0002-Leave-config-files-writable-for-owner.patch
+# modifies Makefile.am
+BLUEZ5_UTILS_AUTORECONF = YES

 BLUEZ5_UTILS_DEPENDENCIES = \
 	$(if $(BR2_PACKAGE_BLUEZ5_UTILS_HEADERS),bluez5_utils-headers) \
@@ -22,13 +25,12 @@ BLUEZ5_UTILS_DEPENDENCIES = \
 BLUEZ5_UTILS_CONF_OPTS = \
 	--enable-library \
 	--disable-cups \
-	--disable-datafiles \
 	--disable-manpages \
 	--disable-asan \
 	--disable-lsan \
 	--disable-ubsan \
 	--disable-pie \
-	--with-dbusconfdir=/etc
+	--with-dbusconfdir=/usr/share

 ifeq ($(BR2_PACKAGE_BLUEZ5_UTILS_OBEX),y)
 BLUEZ5_UTILS_CONF_OPTS += --enable-obex
--- a/package/c-icap/0002-Fix-compile-warning-about-missing-stdio.h-include-fi.patch
+++ b/package/c-icap/0002-Fix-compile-warning-about-missing-stdio.h-include-fi.patch
@@ -0,0 +1,25 @@
+From ae8a1bc4979c797bb1f152fc92cfe6bc05a44594 Mon Sep 17 00:00:00 2001
+From: Christos Tsantilas <christos@chtsanti.net>
+Date: Tue, 20 Nov 2018 17:10:16 +0200
+Subject: [PATCH] Fix compile warning about missing stdio.h include file
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Upstream: https://github.com/c-icap/c-icap-server/commit/ae8a1bc4979c797bb1f152fc92cfe6bc05a44594
+---
+ tests/test_base64.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/test_base64.c b/tests/test_base64.c
+index 8a4a76c..7692197 100644
+--- a/tests/test_base64.c
+++ b/tests/test_base64.c
+@@ -1,5 +1,6 @@
+ #include "common.h"
+ #include "simple_api.h"
+#include <stdio.h>
+ 
+ 
+ int main(int argc, char *argv[])
+-- 
+2.47.1
+
--- a/package/c-icap/Config.in
+++ b/package/c-icap/Config.in
@@ -3,6 +3,9 @@ config BR2_PACKAGE_C_ICAP
 	depends on !BR2_STATIC_LIBS
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	depends on BR2_USE_MMU # fork()
+	# the libmemcached code uses <crypt.h>
+	select BR2_PACKAGE_LIBXCRYPT if \
+	       BR2_PACKAGE_LIBMEMCACHED && BR2_TOOLCHAIN_USES_GLIBC
 	help
 	  c-icap is an implementation of an ICAP server. It can be
 	  used with HTTP proxies that support the ICAP protocol to
--- a/package/c-icap/c-icap.mk
+++ b/package/c-icap/c-icap.mk
@@ -43,7 +43,7 @@ endif

 ifeq ($(BR2_PACKAGE_LIBMEMCACHED),y)
 C_ICAP_CONF_OPTS += --with-memcached
-C_ICAP_DEPENDENCIES += libmemcached
+C_ICAP_DEPENDENCIES += libmemcached $(if $(BR2_PACKAGE_LIBXCRYPT),libxcrypt)
 else
 C_ICAP_CONF_OPTS += --without-memcached
 endif
--- a/package/cryptodev-linux/cryptodev-linux.mk
+++ b/package/cryptodev-linux/cryptodev-linux.mk
@@ -21,7 +21,7 @@ define CRYPTODEV_LINUX_INSTALL_STAGING_CMDS
 		$(STAGING_DIR)/usr/include/crypto/cryptodev.h
 endef

-define CRYPTODEV_LINUX_CONFIG_FIXUPS
+define CRYPTODEV_LINUX_LINUX_CONFIG_FIXUPS
 	$(call KCONFIG_ENABLE_OPT,CONFIG_CRYPTO)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_CRYPTO_USER_API_AEAD)
 endef
--- a/package/dahdi-linux/0003-xpp-sysfs-Use-const-struct-device_device-if-needed.patch
+++ b/package/dahdi-linux/0003-xpp-sysfs-Use-const-struct-device_device-if-needed.patch
@@ -0,0 +1,82 @@
+From ce9de5d1bf9d21c088b01ce9da6f7ff02b0d863d Mon Sep 17 00:00:00 2001
+From: InterLinked1 <24227567+InterLinked1@users.noreply.github.com>
+Date: Mon, 23 Sep 2024 08:04:54 -0400
+Subject: [PATCH] xpp, sysfs: Use const struct device_device if needed.
+
+Kernel commit d69d804845985c29ab5be5a4b3b1f4787893daf8
+changed struct device_driver to be const, so make the
+arguments const on kernels 6.11 and newer.
+
+Resolves: #63
+
+Upstream: https://github.com/asterisk/dahdi-linux/pull/64
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ drivers/dahdi/dahdi-sysfs-chan.c | 4 ++++
+ drivers/dahdi/dahdi-sysfs.c      | 4 ++++
+ drivers/dahdi/xpp/xbus-sysfs.c   | 8 ++++++++
+ 3 files changed, 16 insertions(+)
+
+diff --git a/drivers/dahdi/dahdi-sysfs-chan.c b/drivers/dahdi/dahdi-sysfs-chan.c
+index 09d7317..35b7bd4 100644
+--- a/drivers/dahdi/dahdi-sysfs-chan.c
+++ b/drivers/dahdi/dahdi-sysfs-chan.c
+@@ -220,7 +220,11 @@ static void chan_release(struct device *dev)
+ 	chan_dbg(DEVICES, chan, "SYSFS\n");
+ }
+ 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0)
+static int chan_match(struct device *dev, const struct device_driver *driver)
+#else
+ static int chan_match(struct device *dev, struct device_driver *driver)
+#endif /* LINUX_VERSION_CODE */
+ {
+ 	struct dahdi_chan *chan;
+ 
+diff --git a/drivers/dahdi/dahdi-sysfs.c b/drivers/dahdi/dahdi-sysfs.c
+index 7477ebc..246514c 100644
+--- a/drivers/dahdi/dahdi-sysfs.c
+++ b/drivers/dahdi/dahdi-sysfs.c
+@@ -42,7 +42,11 @@ module_param(tools_rootdir, charp, 0444);
+ MODULE_PARM_DESC(tools_rootdir,
+ 		"root directory of all tools paths (default /)");
+ 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0)
+static int span_match(struct device *dev, const struct device_driver *driver)
+#else
+ static int span_match(struct device *dev, struct device_driver *driver)
+#endif /* LINUX_VERSION_CODE */
+ {
+ 	return 1;
+ }
+diff --git a/drivers/dahdi/xpp/xbus-sysfs.c b/drivers/dahdi/xpp/xbus-sysfs.c
+index 177048b..f78a15e 100644
+--- a/drivers/dahdi/xpp/xbus-sysfs.c
+++ b/drivers/dahdi/xpp/xbus-sysfs.c
+@@ -397,7 +397,11 @@ static struct attribute *xbus_dev_attrs[] = {
+ ATTRIBUTE_GROUPS(xbus_dev);
+ #endif
+ 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0)
+static int astribank_match(struct device *dev, const struct device_driver *driver)
+#else
+ static int astribank_match(struct device *dev, struct device_driver *driver)
+#endif /* LINUX_VERSION_CODE */
+ {
+ 	DBG(DEVICES, "SYSFS MATCH: dev->bus_id = %s, driver->name = %s\n",
+ 	    dev_name(dev), driver->name);
+@@ -771,7 +775,11 @@ static DEVICE_ATTR_READER(refcount_xpd_show, dev, buf)
+ 	return len;
+ }
+ 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 11, 0)
+static int xpd_match(struct device *dev, const struct device_driver *driver)
+#else
+ static int xpd_match(struct device *dev, struct device_driver *driver)
+#endif /* LINUX_VERSION_CODE */
+ {
+ 	struct xpd_driver *xpd_driver;
+ 	xpd_t *xpd;
+-- 
+2.39.5
+
--- a/package/dmraid/0001-fix-compilation-under-musl.patch
+++ b/package/dmraid/0001-fix-compilation-under-musl.patch
@@ -8,7 +8,7 @@ Patch borrowed from Void Linux :
 https://github.com/voidlinux/void-packages/blob/master/srcpkgs/dmraid/patches/25_musl-libc.patch

 Upstream package appears dormant, no mailing list and no
-maintainence releases since Nov 2010.
+maintenance releases since Nov 2010.

 Upstream-Status: dormant
 Signed-off-by: Brendan Heading <brendanheading@gmail.com>
--- a/package/dpdk/dpdk.hash
+++ b/package/dpdk/dpdk.hash
@@ -1,5 +1,5 @@
 # Locally computed
-sha256  9944f7e5f268e7ac9b4193e2cd54ef6d98f6e1d7dddc967c77ae4f6616d6fbbd  dpdk-24.07.tar.xz
+sha256  bcae7d42c449fc456dfb279feabcbe0599a29bebb2fe2905761e187339d96b8e  dpdk-24.11.1.tar.xz
 sha256  9acc4bc871a4742550158e3696dcb381953172ef808d04ca248184f9f6322712  license/bsd-3-clause.txt
 sha256  e19808bccd90c238fac06da2fc3683e094c64f7ba647e9d86f03a98cf5f2ce05  license/exceptions.txt
 sha256  6c54c4d44faf3cba829b3d0c21c6955953e758767018fd7244f809b01d4f4845  license/mit.txt
--- a/package/dpdk/dpdk.mk
+++ b/package/dpdk/dpdk.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-DPDK_VERSION = 24.07
+DPDK_VERSION = 24.11.1
 DPDK_SOURCE = dpdk-$(DPDK_VERSION).tar.xz
 DPDK_SITE = https://fast.dpdk.org/rel
 DPDK_LICENSE = \
--- a/package/freeipmi/freeipmi.mk
+++ b/package/freeipmi/freeipmi.mk
@@ -5,7 +5,7 @@
 ################################################################################

 FREEIPMI_VERSION = 1.6.14
-FREEIPMI_SITE = https://ftp.gnu.org/gnu/freeipmi
+FREEIPMI_SITE = $(BR2_GNU_MIRROR)/freeipmi
 FREEIPMI_LICENSE = GPL-3.0+, BSD-like (sunbmc)
 FREEIPMI_LICENSE_FILES = \
 	COPYING COPYING.bmc-watchdog COPYING.ipmiconsole COPYING.ipmi-dcmi \
--- a/package/gdb/gdb.hash
+++ b/package/gdb/gdb.hash
@@ -5,3 +5,9 @@ sha512  0217434073023a8b8316088bf3ee95d53a1b6a7897f6269095429016a8900f9a05e130c3

 # Locally calculated (fetched from Github)
 sha512  3518b47d5c11d1fb478ee152bde1719363f9391db73f3b9f5491217c17742bef8ebca6a51a40302dfaa9476c5a32a8b8f70a4bf64289422dea5f750ae53ab88d  gdb-arc-2023.09-release.tar.gz
+
+# Locally calculated (fetched from gcc.gnu.org)
+sha256  231f7edcc7352d7734a96eef0b8030f77982678c516876fcb81e25b32d68564c  COPYING
+sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING3
+sha256  a853c2ffec17057872340eee242ae4d96cbf2b520ae27d903e1b2fef1a5f9d1c  COPYING3.LIB
+sha256  56bdea73b6145ef6ac5259b3da390b981d840c24cb03b8e1cbc678de7ecfa18d  COPYING.LIB
--- a/package/gnupg2/gnupg2.hash
+++ b/package/gnupg2/gnupg2.hash
@@ -1,5 +1,5 @@
 # From https://www.gnupg.org/download/integrity_check.html
-sha1  2d8aa2662c398d60f1f8e0bf46fd163eae703189  gnupg-2.4.6.tar.bz2
-sha256  95acfafda7004924a6f5c901677f15ac1bda2754511d973bb4523e8dd840e17a  gnupg-2.4.6.tar.bz2
+sha1  2d510a1a7294f2f9ef3f2e280c93c3ad9b0cdb68  gnupg-2.4.7.tar.bz2
+sha256  7b24706e4da7e0e3b06ca068231027401f238102c41c909631349dcc3b85eb46  gnupg-2.4.7.tar.bz2
 # Locally calculated
 sha256  bc2d6664f6276fa0a72d57633b3ae68dc7dcb677b71018bf08c8e93e509f1357  COPYING
--- a/package/gnupg2/gnupg2.mk
+++ b/package/gnupg2/gnupg2.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GNUPG2_VERSION = 2.4.6
+GNUPG2_VERSION = 2.4.7
 GNUPG2_SOURCE = gnupg-$(GNUPG2_VERSION).tar.bz2
 GNUPG2_SITE = https://gnupg.org/ftp/gcrypt/gnupg
 GNUPG2_LICENSE = GPL-3.0+
--- a/package/gnuplot/0002-check-for-defined-FE_UNDERFLOW.patch
+++ b/package/gnuplot/0002-check-for-defined-FE_UNDERFLOW.patch
@@ -1,32 +0,0 @@
-From 806641b5ef504488f871b5cbd9e5c356d67d0bd1 Mon Sep 17 00:00:00 2001
-From: Edgar Bonet <bonet@grenoble.cnrs.fr>
-Date: Tue, 24 Sep 2024 20:03:18 -0700
-Subject: [PATCH] check for defined(FE_UNDERFLOW)
-
-According to fenv(3), the macro FE_UNDERFLOW is defined by fenv.h only
-if the implementation supports handling of the underflow exception. Do
-not assume the presence of fenv.h implies FE_UNDERFLOW is defined.
-
-Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
-Upstream: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/926d2c26d31f4b69feda372c76a28643ef45359d/
-Upstream: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/806641b5ef504488f871b5cbd9e5c356d67d0bd1/
---
- src/complexfun.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/complexfun.c b/src/complexfun.c
-index 7a5d9a13f..7ddb4ed60 100644
--- a/src/complexfun.c
-+++ b/src/complexfun.c
-@@ -86,7 +86,7 @@
- 	int_error(NO_CARET, "%s: error present on entry (errno %d %s)", who, errno, strerror(errno));
- #endif
- 
-#ifdef HAVE_FENV_H
-+#if defined (HAVE_FENV_H) && defined (FE_UNDERFLOW)
- #define handle_underflow( who, var ) \
-     if (errno) { \
- 	if (fetestexcept(FE_UNDERFLOW)) { \
-- 
-2.34.1
-
--- a/package/gnuplot/gnuplot.hash
+++ b/package/gnuplot/gnuplot.hash
@@ -1,6 +1,6 @@
-# From https://sourceforge.net/projects/gnuplot/files/gnuplot/6.0.1/
-md5  744fde2362fb20db6cfc58de73f96e9c  gnuplot-6.0.1.tar.gz
-sha1  ce1aaeff632c78cba2b3ca8142cf130bfd411478  gnuplot-6.0.1.tar.gz
+# From https://sourceforge.net/projects/gnuplot/files/gnuplot/6.0.2/
+md5  ea0931758fc180e3b1950931b9869921  gnuplot-6.0.2.tar.gz
+sha1  be803916e4ea32720b4a646f2ffc98d6ad3a0dc2  gnuplot-6.0.2.tar.gz
 # Locally computed
-sha256  e85a660c1a2a1808ff24f7e69981ffcbac66a45c9dcf711b65610b26ea71379a  gnuplot-6.0.1.tar.gz
+sha256  f68a3b0bbb7bbbb437649674106d94522c00bf2f285cce0c19c3180b1ee7e738  gnuplot-6.0.2.tar.gz
 sha256  895928ec0735cca1c8cec42656c7e314a065d0242813bb8693c0c1bf61fd4e4d  Copyright
--- a/package/gnuplot/gnuplot.mk
+++ b/package/gnuplot/gnuplot.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GNUPLOT_VERSION = 6.0.1
+GNUPLOT_VERSION = 6.0.2
 GNUPLOT_SITE = http://downloads.sourceforge.net/project/gnuplot/gnuplot/$(GNUPLOT_VERSION)
 GNUPLOT_LICENSE = gnuplot license (open source)
 GNUPLOT_LICENSE_FILES = Copyright
--- a/package/gnutls/0001-groups-represent-hybrid-groups-with-an-array-of-IDs.patch
+++ b/package/gnutls/0001-groups-represent-hybrid-groups-with-an-array-of-IDs.patch
@@ -0,0 +1,798 @@
+From 5ed597eb28c408c5968e6dfb839880ba5fa17ba1 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 6 Dec 2024 09:53:18 +0900
+Subject: [PATCH] groups: represent hybrid groups with an array of IDs
+
+Previously, the supported_groups array contained externally defined
+elements, which is legitimate in C99 but caused error with Clang:
+
+  groups.c:93:2: error: initializer element is not a compile-time constant
+          group_x25519,
+          ^~~~~~~~~~~~
+
+This reworks the array definition of indirection through group
+IDs (gnutls_group_t, i.e., integer).
+
+This also makes pqc-hybrid-kx test more exhaustive.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+Upstream: https://gitlab.com/gnutls/gnutls/-/commit/9cc9d5556d258d23a399abfe45715773e719d134
+Signed-off-by: Brandon Maier <brandon.maier@collins.com>
+---
+ lib/algorithms.h                |   7 ++
+ lib/algorithms/groups.c         | 161 ++++++++++++++++++++------------
+ lib/ext/key_share.c             |  81 ++++++++++++----
+ lib/ext/supported_groups.c      |  45 +++++----
+ lib/gnutls_int.h                |   8 +-
+ lib/includes/gnutls/gnutls.h.in |   4 +-
+ lib/priority.c                  |  25 ++---
+ lib/session.c                   |   6 +-
+ tests/pqc-hybrid-kx.sh          | 101 +++++++++++++++++---
+ 9 files changed, 315 insertions(+), 123 deletions(-)
+
+diff --git a/lib/algorithms.h b/lib/algorithms.h
+index 2e1b694c6..c4af571ce 100644
+--- a/lib/algorithms.h
+++ b/lib/algorithms.h
+@@ -55,6 +55,9 @@
+ #define IS_KEM(x) \
+ 	(((x) == GNUTLS_PK_MLKEM768) || ((x) == GNUTLS_PK_EXP_KYBER768))
+ 
+
+#define IS_GROUP_HYBRID(group) ((group)->ids[0] != GNUTLS_GROUP_INVALID)
+
+ #define SIG_SEM_PRE_TLS12 (1 << 1)
+ #define SIG_SEM_TLS13 (1 << 2)
+ #define SIG_SEM_DEFAULT (SIG_SEM_PRE_TLS12 | SIG_SEM_TLS13)
+@@ -493,6 +496,10 @@ const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num);
+ const gnutls_group_entry_st *_gnutls_id_to_group(unsigned id);
+ gnutls_group_t _gnutls_group_get_id(const char *name);
+ 
+int _gnutls_group_expand(
+	const gnutls_group_entry_st *group,
+	const gnutls_group_entry_st *subgroups[MAX_HYBRID_GROUPS + 1]);
+
+ gnutls_ecc_curve_t _gnutls_ecc_bits_to_curve(gnutls_pk_algorithm_t pk,
+ 					     int bits);
+ #define MAX_ECC_CURVE_SIZE 66
+diff --git a/lib/algorithms/groups.c b/lib/algorithms/groups.c
+index 88d0cf630..2fbe7b8ec 100644
+--- a/lib/algorithms/groups.c
+++ b/lib/algorithms/groups.c
+@@ -30,30 +30,6 @@
+ /* Supported ECC curves
+  */
+ 
+-#ifdef HAVE_LIBOQS
+-static const gnutls_group_entry_st group_mlkem768 = {
+-	.name = "MLKEM768",
+-	.id = GNUTLS_GROUP_INVALID,
+-	.curve = GNUTLS_ECC_CURVE_INVALID,
+-	.pk = GNUTLS_PK_MLKEM768,
+-};
+-
+-static const gnutls_group_entry_st group_kyber768 = {
+-	.name = "KYBER768",
+-	.id = GNUTLS_GROUP_INVALID,
+-	.curve = GNUTLS_ECC_CURVE_INVALID,
+-	.pk = GNUTLS_PK_EXP_KYBER768,
+-};
+-#endif
+-
+-static const gnutls_group_entry_st group_x25519 = {
+-	.name = "X25519",
+-	.id = GNUTLS_GROUP_X25519,
+-	.curve = GNUTLS_ECC_CURVE_X25519,
+-	.tls_id = 29,
+-	.pk = GNUTLS_PK_ECDH_X25519,
+-};
+-
+ static const gnutls_group_entry_st supported_groups[] = {
+ 	{
+ 		.name = "SECP192R1",
+@@ -90,7 +66,13 @@ static const gnutls_group_entry_st supported_groups[] = {
+ 		.tls_id = 25,
+ 		.pk = GNUTLS_PK_ECDSA,
+ 	},
+-	group_x25519,
+	{
+		.name = "X25519",
+		.id = GNUTLS_GROUP_X25519,
+		.curve = GNUTLS_ECC_CURVE_X25519,
+		.tls_id = 29,
+		.pk = GNUTLS_PK_ECDH_X25519,
+	},
+ #ifdef ENABLE_GOST
+ 	/* draft-smyshlyaev-tls12-gost-suites-06, Section 6 */
+ 	{
+@@ -191,24 +173,33 @@ static const gnutls_group_entry_st supported_groups[] = {
+ 	  .tls_id = 0x104 },
+ #endif
+ #ifdef HAVE_LIBOQS
+	{
+		.name = "MLKEM768",
+		.id = GNUTLS_GROUP_EXP_MLKEM768,
+		.pk = GNUTLS_PK_MLKEM768,
+		/* absense of .tls_id means that this group alone cannot be used in TLS */
+	},
+	{
+		.name = "KYBER768",
+		.id = GNUTLS_GROUP_EXP_KYBER768,
+		.pk = GNUTLS_PK_EXP_KYBER768,
+		/* absense of .tls_id means that this group alone cannot be used in TLS */
+	},
+ 	{ .name = "SECP256R1-MLKEM768",
+ 	  .id = GNUTLS_GROUP_EXP_SECP256R1_MLKEM768,
+-	  .curve = GNUTLS_ECC_CURVE_SECP256R1,
+-	  .pk = GNUTLS_PK_ECDSA,
+-	  .tls_id = 0x11EB,
+-	  .next = &group_mlkem768 },
+	  .ids = { GNUTLS_GROUP_SECP256R1, GNUTLS_GROUP_EXP_MLKEM768,
+		   GNUTLS_GROUP_INVALID },
+	  .tls_id = 0x11EB },
+ 	{ .name = "X25519-MLKEM768",
+ 	  .id = GNUTLS_GROUP_EXP_X25519_MLKEM768,
+-	  .curve = GNUTLS_ECC_CURVE_INVALID,
+-	  .pk = GNUTLS_PK_MLKEM768,
+-	  .tls_id = 0x11EC,
+-	  .next = &group_x25519 },
+	  .ids = { GNUTLS_GROUP_EXP_MLKEM768, GNUTLS_GROUP_X25519,
+		   GNUTLS_GROUP_INVALID },
+	  .tls_id = 0x11EC },
+ 	{ .name = "X25519-KYBER768",
+ 	  .id = GNUTLS_GROUP_EXP_X25519_KYBER768,
+-	  .curve = GNUTLS_ECC_CURVE_X25519,
+-	  .pk = GNUTLS_PK_ECDH_X25519,
+-	  .tls_id = 0x6399,
+-	  .next = &group_kyber768 },
+	  .ids = { GNUTLS_GROUP_X25519, GNUTLS_GROUP_EXP_KYBER768,
+		   GNUTLS_GROUP_INVALID },
+	  .tls_id = 0x6399 },
+ #endif
+ 	{ 0, 0, 0 }
+ };
+@@ -221,14 +212,46 @@ static const gnutls_group_entry_st supported_groups[] = {
+ 		}                                                  \
+ 	}
+ 
+static inline const gnutls_group_entry_st *group_to_entry(gnutls_group_t group)
+{
+	if (group == 0)
+		return NULL;
+
+	GNUTLS_GROUP_LOOP(if (p->id == group) { return p; });
+
+	return NULL;
+}
+
+static inline bool
+group_is_supported_standalone(const gnutls_group_entry_st *group)
+{
+	return group->pk != 0 && _gnutls_pk_exists(group->pk) &&
+	       (group->curve == 0 ||
+		_gnutls_ecc_curve_is_supported(group->curve));
+}
+
+static inline bool group_is_supported(const gnutls_group_entry_st *group)
+{
+	if (!IS_GROUP_HYBRID(group))
+		return group_is_supported_standalone(group);
+
+	for (size_t i = 0;
+	     i < MAX_HYBRID_GROUPS && group->ids[i] != GNUTLS_GROUP_INVALID;
+	     i++) {
+		const gnutls_group_entry_st *p = group_to_entry(group->ids[i]);
+		if (!p || !group_is_supported_standalone(p))
+			return false;
+	}
+
+	return true;
+}
+
+ /* Returns the TLS id of the given curve
+  */
+ const gnutls_group_entry_st *_gnutls_tls_id_to_group(unsigned num)
+ {
+ 	GNUTLS_GROUP_LOOP(
+-		if (p->tls_id == num &&
+-		    (p->curve == 0 ||
+-		     _gnutls_ecc_curve_is_supported(p->curve))) { return p; });
+		if (p->tls_id == num && group_is_supported(p)) { return p; });
+ 
+ 	return NULL;
+ }
+@@ -239,10 +262,7 @@ const gnutls_group_entry_st *_gnutls_id_to_group(unsigned id)
+ 		return NULL;
+ 
+ 	GNUTLS_GROUP_LOOP(
+-		if (p->id == id && (p->curve == 0 ||
+-				    _gnutls_ecc_curve_is_supported(p->curve))) {
+-			return p;
+-		});
+		if (p->id == id && group_is_supported(p)) { return p; });
+ 
+ 	return NULL;
+ }
+@@ -261,27 +281,17 @@ const gnutls_group_entry_st *_gnutls_id_to_group(unsigned id)
+  **/
+ const gnutls_group_t *gnutls_group_list(void)
+ {
+-	static gnutls_group_t groups[MAX_ALGOS] = { 0 };
+	static gnutls_group_t groups[MAX_ALGOS + 1] = { 0 };
+ 
+ 	if (groups[0] == 0) {
+-		int i = 0;
+		size_t i = 0;
+ 
+-		const gnutls_group_entry_st *p;
+-
+-		for (p = supported_groups; p->name != NULL; p++) {
+-			const gnutls_group_entry_st *pp;
+-
+-			for (pp = p; pp != NULL; pp = pp->next) {
+-				if ((pp->curve != 0 &&
+-				     !_gnutls_ecc_curve_is_supported(
+-					     pp->curve)) ||
+-				    (pp->pk != 0 && !_gnutls_pk_exists(pp->pk)))
+-					break;
+-			}
+-			if (pp == NULL)
+		for (const gnutls_group_entry_st *p = supported_groups;
+		     p->name != NULL; p++) {
+			if (group_is_supported(p))
+ 				groups[i++] = p->id;
+ 		}
+-		groups[i++] = 0;
+		groups[i++] = GNUTLS_GROUP_INVALID;
+ 	}
+ 
+ 	return groups;
+@@ -344,3 +354,34 @@ const char *gnutls_group_get_name(gnutls_group_t group)
+ 
+ 	return NULL;
+ }
+
+/* Expand GROUP into hybrid SUBGROUPS if any, otherwise an array
+ * containing the GROUP itself. The result will be written to
+ * SUBGROUPS, which will be NUL-terminated.
+ */
+int _gnutls_group_expand(
+	const gnutls_group_entry_st *group,
+	const gnutls_group_entry_st *subgroups[MAX_HYBRID_GROUPS + 1])
+{
+	size_t pos = 0;
+
+	if (IS_GROUP_HYBRID(group)) {
+		for (size_t i = 0; i < MAX_HYBRID_GROUPS &&
+				   group->ids[i] != GNUTLS_GROUP_INVALID;
+		     i++) {
+			const gnutls_group_entry_st *p =
+				group_to_entry(group->ids[i]);
+			/* This shouldn't happen, as GROUP is assumed
+			 * to be supported before calling this
+			 * function. */
+			if (unlikely(!p))
+				return gnutls_assert_val(
+					GNUTLS_E_INTERNAL_ERROR);
+			subgroups[pos++] = p;
+		}
+	} else {
+		subgroups[pos++] = group;
+	}
+	subgroups[pos] = NULL;
+	return 0;
+}
+diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
+index 574521157..8fbe2d2bd 100644
+--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
+@@ -232,6 +232,9 @@ static int client_gen_key_share(gnutls_session_t session,
+ 				gnutls_buffer_st *extdata)
+ {
+ 	unsigned int length_pos;
+	const gnutls_group_entry_st *groups[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
+ 	int ret;
+ 
+ 	_gnutls_handshake_log("EXT[%p]: sending key share for %s\n", session,
+@@ -247,8 +250,12 @@ static int client_gen_key_share(gnutls_session_t session,
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+ 
+-	for (const gnutls_group_entry_st *p = group; p != NULL; p = p->next) {
+-		ret = client_gen_key_share_single(session, p, extdata);
+	ret = _gnutls_group_expand(group, groups);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
+
+	for (size_t i = 0; groups[i]; i++) {
+		ret = client_gen_key_share_single(session, groups[i], extdata);
+ 		if (ret < 0)
+ 			return gnutls_assert_val(ret);
+ 	}
+@@ -345,6 +352,9 @@ static int server_gen_key_share(gnutls_session_t session,
+ 				gnutls_buffer_st *extdata)
+ {
+ 	unsigned int length_pos;
+	const gnutls_group_entry_st *groups[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
+ 	int ret;
+ 
+ 	_gnutls_handshake_log("EXT[%p]: sending key share for %s\n", session,
+@@ -360,8 +370,12 @@ static int server_gen_key_share(gnutls_session_t session,
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+ 
+-	for (const gnutls_group_entry_st *p = group; p != NULL; p = p->next) {
+-		ret = server_gen_key_share_single(session, p, extdata);
+	ret = _gnutls_group_expand(group, groups);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
+
+	for (size_t i = 0; groups[i]; i++) {
+		ret = server_gen_key_share_single(session, groups[i], extdata);
+ 		if (ret < 0)
+ 			return gnutls_assert_val(ret);
+ 	}
+@@ -594,13 +608,19 @@ static int server_use_key_share(gnutls_session_t session,
+ 				const uint8_t *data, size_t data_size)
+ {
+ 	gnutls_buffer_st buffer;
+	const gnutls_group_entry_st *groups[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
+	int ret;
+ 
+ 	_gnutls_ro_buffer_init(&buffer, data, data_size);
+ 
+-	for (const gnutls_group_entry_st *p = group; p != NULL; p = p->next) {
+-		int ret;
+	ret = _gnutls_group_expand(group, groups);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
+ 
+-		ret = server_use_key_share_single(session, p, &buffer);
+	for (size_t i = 0; groups[i]; i++) {
+		ret = server_use_key_share_single(session, groups[i], &buffer);
+ 		if (ret < 0)
+ 			return gnutls_assert_val(ret);
+ 	}
+@@ -775,13 +795,19 @@ static int client_use_key_share(gnutls_session_t session,
+ 				const uint8_t *data, size_t data_size)
+ {
+ 	gnutls_buffer_st buffer;
+	const gnutls_group_entry_st *groups[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
+	int ret;
+ 
+ 	_gnutls_ro_buffer_init(&buffer, data, data_size);
+ 
+-	for (const gnutls_group_entry_st *p = group; p != NULL; p = p->next) {
+-		int ret;
+	ret = _gnutls_group_expand(group, groups);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
+ 
+-		ret = client_use_key_share_single(session, p, &buffer);
+	for (size_t i = 0; groups[i]; i++) {
+		ret = client_use_key_share_single(session, groups[i], &buffer);
+ 		if (ret < 0)
+ 			return gnutls_assert_val(ret);
+ 	}
+@@ -958,18 +984,39 @@ static int key_share_recv_params(gnutls_session_t session, const uint8_t *data,
+ 	return 0;
+ }
+ 
+static inline bool pk_types_overlap_single(const gnutls_group_entry_st *a,
+					   const gnutls_group_entry_st *b)
+{
+	return a->pk == b->pk || (IS_ECDHX(a->pk) && IS_ECDHX(b->pk)) ||
+	       (IS_KEM(a->pk) && IS_KEM(b->pk));
+}
+
+ static inline bool pk_types_overlap(const gnutls_group_entry_st *a,
+ 				    const gnutls_group_entry_st *b)
+ {
+-	const gnutls_group_entry_st *pa;
+	const gnutls_group_entry_st *sa[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
+	const gnutls_group_entry_st *sb[MAX_HYBRID_GROUPS + 1] = {
+		NULL,
+	};
+	int ret;
+
+	ret = _gnutls_group_expand(a, sa);
+	if (ret < 0) {
+		gnutls_assert();
+		return false;
+	}
+ 
+-	for (pa = a; pa != NULL; pa = pa->next) {
+-		const gnutls_group_entry_st *pb;
+	ret = _gnutls_group_expand(b, sb);
+	if (ret < 0) {
+		gnutls_assert();
+		return false;
+	}
+ 
+-		for (pb = b; pb != NULL; pb = pb->next) {
+-			if (pa->pk == pb->pk ||
+-			    (IS_ECDHX(pa->pk) && IS_ECDHX(pb->pk)) ||
+-			    (IS_KEM(pa->pk) && IS_KEM(pb->pk)))
+	for (size_t i = 0; sa[i]; i++) {
+		for (size_t j = 0; sb[j]; j++) {
+			if (pk_types_overlap_single(sa[i], sb[j]))
+ 				return true;
+ 		}
+ 	}
+diff --git a/lib/ext/supported_groups.c b/lib/ext/supported_groups.c
+index 254ec4882..4c31d2f8f 100644
+--- a/lib/ext/supported_groups.c
+++ b/lib/ext/supported_groups.c
+@@ -106,9 +106,9 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
+ 	unsigned min_dh;
+ 	unsigned j;
+ 	int serv_ec_idx, serv_dh_idx,
+-		serv_kem_idx; /* index in server's priority listing */
+		serv_hybrid_idx; /* index in server's priority listing */
+ 	int cli_ec_pos, cli_dh_pos,
+-		cli_kem_pos; /* position in listing sent by client */
+		cli_hybrid_pos; /* position in listing sent by client */
+ 
+ 	if (session->security_parameters.entity == GNUTLS_CLIENT) {
+ 		/* A client shouldn't receive this extension in TLS1.2. It is
+@@ -134,8 +134,8 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
+ 		/* we figure what is the minimum DH allowed for this session, if any */
+ 		min_dh = get_min_dh(session);
+ 
+-		serv_ec_idx = serv_dh_idx = serv_kem_idx = -1;
+-		cli_ec_pos = cli_dh_pos = cli_kem_pos = -1;
+		serv_ec_idx = serv_dh_idx = serv_hybrid_idx = -1;
+		cli_ec_pos = cli_dh_pos = cli_hybrid_pos = -1;
+ 
+ 		/* This extension is being processed prior to a ciphersuite being selected,
+ 		 * so we cannot rely on ciphersuite information. */
+@@ -180,14 +180,15 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
+ 								break;
+ 							serv_ec_idx = j;
+ 							cli_ec_pos = i;
+-						} else if (IS_KEM(group->pk)) {
+-							if (serv_kem_idx !=
+						} else if (IS_GROUP_HYBRID(
+								   group)) {
+							if (serv_hybrid_idx !=
+ 								    -1 &&
+ 							    (int)j >
+-								    serv_kem_idx)
+								    serv_hybrid_idx)
+ 								break;
+-							serv_kem_idx = j;
+-							cli_kem_pos = i;
+							serv_hybrid_idx = j;
+							cli_hybrid_pos = i;
+ 						}
+ 					} else {
+ 						if (group->pk == GNUTLS_PK_DH) {
+@@ -200,11 +201,13 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
+ 								break;
+ 							cli_ec_pos = i;
+ 							serv_ec_idx = j;
+-						} else if (IS_KEM(group->pk)) {
+-							if (cli_kem_pos != -1)
+						} else if (IS_GROUP_HYBRID(
+								   group)) {
+							if (cli_hybrid_pos !=
+							    -1)
+ 								break;
+-							cli_kem_pos = i;
+-							serv_kem_idx = j;
+							cli_hybrid_pos = i;
+							serv_hybrid_idx = j;
+ 						}
+ 					}
+ 					break;
+@@ -212,7 +215,7 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
+ 			}
+ 		}
+ 
+-		/* serv_{dh,ec,kem}_idx contain the index of the groups we want to use.
+		/* serv_{dh,ec,hybrid}_idx contain the index of the groups we want to use.
+ 		 */
+ 		if (serv_dh_idx != -1) {
+ 			session->internals.cand_dh_group =
+@@ -236,18 +239,20 @@ static int _gnutls_supported_groups_recv_params(gnutls_session_t session,
+ 			}
+ 		}
+ 
+-		/* KEM can only be used in TLS 1.3, where no separation from
+-		 * ECDH and DH, and thus only cand_group is set here.
+		/* PQC hybrid key exchange groups can only be used in
+		 * TLS 1.3, where no distinction between ECDH and DH
+		 * in the group definitions, and thus only cand_group
+		 * is set here.
+ 		 */
+-		if (serv_kem_idx != -1) {
+		if (serv_hybrid_idx != -1) {
+ 			if (session->internals.cand_group == NULL ||
+ 			    (session->internals.priorities->server_precedence &&
+-			     serv_kem_idx < MIN(serv_ec_idx, serv_dh_idx)) ||
+			     serv_hybrid_idx < MIN(serv_ec_idx, serv_dh_idx)) ||
+ 			    (!session->internals.priorities->server_precedence &&
+-			     cli_kem_pos < MIN(cli_ec_pos, cli_dh_pos))) {
+			     cli_hybrid_pos < MIN(cli_ec_pos, cli_dh_pos))) {
+ 				session->internals.cand_group =
+ 					session->internals.priorities->groups
+-						.entry[serv_kem_idx];
+						.entry[serv_hybrid_idx];
+ 			}
+ 		}
+ 
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index fb2cacb54..01ef59729 100644
+--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
+@@ -756,6 +756,8 @@ typedef struct gnutls_cipher_suite_entry_st {
+ 	gnutls_mac_algorithm_t prf;
+ } gnutls_cipher_suite_entry_st;
+ 
+#define MAX_HYBRID_GROUPS 2
+
+ typedef struct gnutls_group_entry_st {
+ 	const char *name;
+ 	gnutls_group_t id;
+@@ -765,8 +767,12 @@ typedef struct gnutls_group_entry_st {
+ 	const unsigned *q_bits;
+ 	gnutls_ecc_curve_t curve;
+ 	gnutls_pk_algorithm_t pk;
+	gnutls_group_t ids[MAX_HYBRID_GROUPS + 1]; /* IDs of subgroups
+						    * comprising a
+						    * hybrid group,
+						    * terminated with
+						    * GNUTLS_GROUP_INVALID */
+ 	unsigned tls_id; /* The RFC4492 namedCurve ID or TLS 1.3 group ID */
+-	const struct gnutls_group_entry_st *next;
+ } gnutls_group_entry_st;
+ 
+ #define GNUTLS_MAC_FLAG_PREIMAGE_INSECURE \
+diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
+index 8b3bb5213..1e44fdd91 100644
+--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
+@@ -1147,8 +1147,10 @@ typedef enum {
+ 	GNUTLS_GROUP_EXP_X25519_KYBER768 = 512,
+ 	GNUTLS_GROUP_EXP_SECP256R1_MLKEM768 = 513,
+ 	GNUTLS_GROUP_EXP_X25519_MLKEM768 = 514,
+	GNUTLS_GROUP_EXP_KYBER768 = 515,
+	GNUTLS_GROUP_EXP_MLKEM768 = 516,
+ 	GNUTLS_GROUP_EXP_MIN = GNUTLS_GROUP_EXP_X25519_KYBER768,
+-	GNUTLS_GROUP_EXP_MAX = GNUTLS_GROUP_EXP_X25519_MLKEM768
+	GNUTLS_GROUP_EXP_MAX = GNUTLS_GROUP_EXP_MLKEM768
+ } gnutls_group_t;
+ 
+ /* macros to allow specifying a specific curve in gnutls_privkey_generate()
+diff --git a/lib/priority.c b/lib/priority.c
+index ac4ff2d8c..479dbccd6 100644
+--- a/lib/priority.c
+++ b/lib/priority.c
+@@ -2566,7 +2566,7 @@ static void add_dh(gnutls_priority_t priority_cache)
+ 	}
+ }
+ 
+-static void add_kem(gnutls_priority_t priority_cache)
+static void add_hybrid(gnutls_priority_t priority_cache)
+ {
+ 	const gnutls_group_entry_st *ge;
+ 	unsigned i;
+@@ -2579,7 +2579,7 @@ static void add_kem(gnutls_priority_t priority_cache)
+ 			    sizeof(priority_cache->groups.entry) /
+ 				    sizeof(priority_cache->groups.entry[0])) {
+ 			/* do not add groups which do not correspond to enabled ciphersuites */
+-			if (!IS_KEM(ge->pk))
+			if (!IS_GROUP_HYBRID(ge))
+ 				continue;
+ 			priority_cache->groups
+ 				.entry[priority_cache->groups.size++] = ge;
+@@ -2598,7 +2598,7 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
+ 	const gnutls_sign_entry_st *se;
+ 	unsigned have_ec = 0;
+ 	unsigned have_dh = 0;
+-	unsigned have_kem = 0;
+	unsigned have_hybrid = 0;
+ 	unsigned tls_sig_sem = 0;
+ 	const version_entry_st *tlsmax = NULL, *vers;
+ 	const version_entry_st *dtlsmax = NULL;
+@@ -2807,9 +2807,9 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
+ 			priority_cache->cs.entry[priority_cache->cs.size++] =
+ 				ce;
+ 
+-			if (!have_kem) {
+-				have_kem = 1;
+-				add_kem(priority_cache);
+			if (!have_hybrid) {
+				have_hybrid = 1;
+				add_hybrid(priority_cache);
+ 			}
+ 		}
+ 	}
+@@ -2851,8 +2851,8 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
+ 		}
+ 	}
+ 
+-	if (have_tls13 && (!have_ec || !have_dh || !have_kem)) {
+-		/* scan groups to determine have_{ec,dh,kem} */
+	if (have_tls13 && (!have_ec || !have_dh || !have_hybrid)) {
+		/* scan groups to determine have_{ec,dh,hybrid} */
+ 		for (i = 0; i < priority_cache->_supported_ecc.num_priorities;
+ 		     i++) {
+ 			const gnutls_group_entry_st *ge;
+@@ -2865,12 +2865,13 @@ static int set_ciphersuite_list(gnutls_priority_t priority_cache)
+ 				} else if (ge->prime && !have_dh) {
+ 					add_dh(priority_cache);
+ 					have_dh = 1;
+-				} else if (IS_KEM(ge->pk) && !have_kem) {
+-					add_kem(priority_cache);
+-					have_kem = 1;
+				} else if (IS_GROUP_HYBRID(ge) &&
+					   !have_hybrid) {
+					add_hybrid(priority_cache);
+					have_hybrid = 1;
+ 				}
+ 
+-				if (have_dh && have_ec && have_kem)
+				if (have_dh && have_ec && have_hybrid)
+ 					break;
+ 			}
+ 		}
+diff --git a/lib/session.c b/lib/session.c
+index a9049a464..7fcbe4fb4 100644
+--- a/lib/session.c
+++ b/lib/session.c
+@@ -415,7 +415,11 @@ char *gnutls_session_get_desc(gnutls_session_t session)
+ 				snprintf(kx_name, sizeof(kx_name), "(PSK)");
+ 			}
+ 		} else if (group && sign_str) {
+-			if (group->curve)
+			if (IS_GROUP_HYBRID(group))
+				snprintf(kx_name, sizeof(kx_name),
+					 "(HYBRID-%s)-(%s)", group_name,
+					 sign_str);
+			else if (group->curve)
+ 				snprintf(kx_name, sizeof(kx_name),
+ 					 "(ECDHE-%s)-(%s)", group_name,
+ 					 sign_str);
+diff --git a/tests/pqc-hybrid-kx.sh b/tests/pqc-hybrid-kx.sh
+index da936cf04..4984cd4b4 100644
+--- a/tests/pqc-hybrid-kx.sh
+++ b/tests/pqc-hybrid-kx.sh
+@@ -33,34 +33,113 @@
+ 
+ . "${srcdir}/scripts/common.sh"
+ 
+# First check any mismatch in the gnutls-cli --list
+ if ! "${CLI}" --list | grep '^Groups: .*GROUP-X25519-KYBER768.*' >/dev/null; then
+     if "${CLI}" --list | grep '^Public Key Systems: .*KYBER768.*' >/dev/null; then
+-	fail "KYBER768 is in Public Key Systems, while GROUP-X25519-KYBER768 is NOT in Groups"
+	fail '' 'KYBER768 is in Public Key Systems, while GROUP-X25519-KYBER768 is NOT in Groups'
+     fi
+-    exit 77
+ else
+     if ! "${CLI}" --list | grep '^Public Key Systems: .*KYBER768.*' >/dev/null; then
+-	fail "KYBER768 is NOT in Public Key Systems, while GROUP-X25519-KYBER768 is in Groups"
+	fail '' 'KYBER768 is NOT in Public Key Systems, while GROUP-X25519-KYBER768 is in Groups'
+    fi
+fi
+
+if ! "${CLI}" --list | grep '^Groups: .*GROUP-\(SECP256R1\|X25519\)-MLKEM768.*' >/dev/null; then
+    if "${CLI}" --list | grep '^Public Key Systems: .*ML-KEM-768.*' >/dev/null; then
+	fail '' 'ML-KEM-768 is in Public Key Systems, while GROUP-SECP256R1-MLKEM768 or GROUP-X25519-MLKEM768 is NOT in Groups'
+    fi
+else
+    if ! "${CLI}" --list | grep '^Public Key Systems: .*ML-KEM-768.*' >/dev/null; then
+	fail '' 'ML-KEM-768 is NOT in Public Key Systems, while GROUP-SECP256R1-MLKEM768 or GROUP-X25519-MLKEM768 is in Groups'
+     fi
+ fi
+ 
+# If none of those hybrid groups is supported, skip the test
+if ! "${CLI}" --list | grep '^Groups: .*GROUP-\(X25519-KYBER768\|SECP256R1-MLKEM768\|X25519-MLKEM768\).*' >/dev/null; then
+    exit 77
+fi
+
+ testdir=`create_testdir pqc-hybrid-kx`
+ 
+ KEY="$srcdir/../doc/credentials/x509/key-ecc.pem"
+ CERT="$srcdir/../doc/credentials/x509/cert-ecc.pem"
+ CACERT="$srcdir/../doc/credentials/x509/ca.pem"
+ 
+-eval "${GETPORT}"
+-launch_server --echo --priority NORMAL:-GROUP-ALL:+GROUP-X25519-KYBER768 --x509keyfile="$KEY" --x509certfile="$CERT"
+-PID=$!
+-wait_server ${PID}
+# Test all supported hybrid groups
+for group in X25519-KYBER768 SECP256R1-MLKEM768 X25519-MLKEM768; do
+    if ! "${CLI}" --list | grep "^Groups: .*GROUP-$group.*" >/dev/null; then
+	echo "$group is not supported, skipping" >&2
+	continue
+    fi
+
+    eval "${GETPORT}"
+    launch_server --echo --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509keyfile="$KEY" --x509certfile="$CERT"
+    PID=$!
+    wait_server ${PID}
+
+    ${VALGRIND} "${CLI}" -p "${PORT}" localhost --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509cafile="$CACERT" --logfile="$testdir/cli.log" </dev/null
+    kill ${PID}
+    wait
+
+    grep -- "- Description: (TLS1.3-X.509)-(HYBRID-$group)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)" "$testdir/cli.log" || { echo "unexpected handshake description"; cat "$testdir/cli.log"; exit 1; }
+done
+
+# KEM based groups cannot be used standalone
+for group in KYBER768 MLKEM768; do
+    if ! "${CLI}" --list | grep "^Groups: .*GROUP-$group.*" >/dev/null; then
+	"$group is not supported, skipping"
+	continue
+    fi
+
+    eval "${GETPORT}"
+    launch_server --echo --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509keyfile="$KEY" --x509certfile="$CERT"
+    PID=$!
+    wait_server ${PID}
+
+    ${VALGRIND} "${CLI}" -p "${PORT}" localhost --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509cafile="$CACERT" --logfile="$testdir/cli.log" </dev/null
+    rc=$?
+    kill ${PID}
+    wait
+
+    if test $rc -eq 0; then
+	fail '' 'Handshake succeeded with a standalone KEM group'
+    fi
+done
+
+# Check if disabling a curve will also disables hybrid groups with it
+cat <<_EOF_ > "$testdir/test.config"
+[overrides]
+
+disabled-curve = x25519
+_EOF_
+
+for group in X25519-KYBER768 SECP256R1-MLKEM768 X25519-MLKEM768; do
+    if ! "${CLI}" --list | grep "^Groups: .*GROUP-$group.*" >/dev/null; then
+	echo "$group is not supported, skipping" >&2
+	continue
+    fi
+ 
+-${VALGRIND} "${CLI}" -p "${PORT}" localhost --priority NORMAL:-GROUP-ALL:+GROUP-X25519-KYBER768 --x509cafile="$CACERT" --logfile="$testdir/cli.log" </dev/null
+    eval "${GETPORT}"
+    GNUTLS_SYSTEM_PRIORITY_FILE="$testdir/test.config" launch_server --echo --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509keyfile="$KEY" --x509certfile="$CERT"
+    PID=$!
+    wait_server ${PID}
+ 
+-kill ${PID}
+-wait
+    ${VALGRIND} "${CLI}" -p "${PORT}" localhost --priority "NORMAL:-GROUP-ALL:+GROUP-$group" --x509cafile="$CACERT" --logfile="$testdir/cli.log" </dev/null
+    rc=$?
+    kill ${PID}
+    wait
+ 
+-grep -- '- Description: (TLS1.3-X.509)-(ECDHE-X25519-KYBER768)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)' "$testdir/cli.log" || { echo "unexpected handshake description"; exit 1; }
+    case "$group" in
+	X25519*)
+	    if test $rc -eq 0; then
+		fail '' 'Handshake succeeded with a hybrid group with X25519'
+	    fi
+	    ;;
+	*)
+	    grep -- "- Description: (TLS1.3-X.509)-(HYBRID-$group)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)" "$testdir/cli.log" || { echo "unexpected handshake description"; cat "$testdir/cli.log"; exit 1; }
+	    ;;
+    esac
+done
+ 
+ rm -rf "$testdir"
+ exit 0
+-- 
+2.47.1
+
--- a/package/go/go-bin/go-bin.hash
+++ b/package/go/go-bin/go-bin.hash
@@ -1,9 +1,9 @@
 # sha256 checksum from https://go.dev/dl/
-sha256  36930162a93df417d90bd22c6e14daff4705baac2b02418edda671cdfa9cd07f  go1.23.2.src.tar.gz
-sha256  cb1ed4410f68d8be1156cee0a74fcfbdcd9bca377c83db3a9e1b07eebc6d71ef  go1.23.2.linux-386.tar.gz
-sha256  542d3c1705f1c6a1c5a80d5dc62e2e45171af291e755d591c5e6531ef63b454e  go1.23.2.linux-amd64.tar.gz
-sha256  f626cdd92fc21a88b31c1251f419c17782933a42903db87a174ce74eeecc66a9  go1.23.2.linux-arm64.tar.gz
-sha256  e3286bdde186077e65e961cbe18874d42a461e5b9c472c26572b8d4a98d15c40  go1.23.2.linux-armv6l.tar.gz
-sha256  c164ce7d894b10fd861d7d7b96f1dbea3f993663d9f0c30bc4f8ae3915db8b0c  go1.23.2.linux-ppc64le.tar.gz
-sha256  de1f94d7dd3548ba3036de1ea97eb8243881c22a88fcc04cc08c704ded769e02  go1.23.2.linux-s390x.tar.gz
+sha256  ad345ac421e90814293a9699cca19dd5238251c3f687980bbcae28495b263531  go1.23.4.src.tar.gz
+sha256  4a4a0e7587ef8c8a326439b957027f2791795e2d29d4ae3885b4091a48f843bc  go1.23.4.linux-386.tar.gz
+sha256  6924efde5de86fe277676e929dc9917d466efa02fb934197bc2eba35d5680971  go1.23.4.linux-amd64.tar.gz
+sha256  16e5017863a7f6071363782b1b8042eb12c6ca4f4cd71528b2123f0a1275b13e  go1.23.4.linux-arm64.tar.gz
+sha256  1f1dda0dc7ce0b2295f57258ec5ef0803fd31b9ed0aa20e2e9222334e5755de1  go1.23.4.linux-armv6l.tar.gz
+sha256  65a303ef51e48ff77e004a6a5b4db6ce59495cd59c6af51b54bf4f786c01a1b9  go1.23.4.linux-ppc64le.tar.gz
+sha256  74aab82bf4eca7c26c830a5b0e2a31d193a4d5ba47045526b92473cc7188d7d7  go1.23.4.linux-s390x.tar.gz
 sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
--- a/package/go/go-src/go-src.hash
+++ b/package/go/go-src/go-src.hash
@@ -1,3 +1,3 @@
 # From https://go.dev/dl
-sha256  36930162a93df417d90bd22c6e14daff4705baac2b02418edda671cdfa9cd07f  go1.23.2.src.tar.gz
+sha256  ad345ac421e90814293a9699cca19dd5238251c3f687980bbcae28495b263531  go1.23.4.src.tar.gz
 sha256  2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
--- a/package/go/go.mk
+++ b/package/go/go.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GO_VERSION = 1.23.2
+GO_VERSION = 1.23.4

 HOST_GO_GOPATH = $(HOST_DIR)/share/go-path
 HOST_GO_HOST_CACHE = $(HOST_DIR)/share/host-go-cache
--- a/package/gobject-introspection/Config.in
+++ b/package/gobject-introspection/Config.in
@@ -2,6 +2,11 @@ config BR2_PACKAGE_GOBJECT_INTROSPECTION_ARCH_SUPPORTS
 	bool
 	default y
 	depends on BR2_PACKAGE_HOST_QEMU_ARCH_SUPPORTS
+	# gobject-introspection programs cause a hang of Qemu on
+	# Microblaze, and supporting GOI on Microblaze is not very
+	# relevant.
+	depends on !BR2_microblazeel
+	depends on !BR2_microblazebe

 config BR2_PACKAGE_GOBJECT_INTROSPECTION
 	bool "gobject-introspection"
--- a/package/gstreamer1/gst-omx/gst-omx.hash
+++ b/package/gstreamer1/gst-omx/gst-omx.hash
@@ -1,3 +1,3 @@
-# From https://gstreamer.freedesktop.org/src/gst-omx/gst-omx-1.22.9.tar.xz.sha256sum
-sha256  9362d6117985d09dcf6e27bdaef377dc08efb7df01d00101d04fb644addac61e  gst-omx-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gst-omx/gst-omx-1.22.12.tar.xz.sha256sum
+sha256  6b0685b92ac735032d7987d1028afaeab0a98ab726e0c51e5b9bfc8f2da7c8b1  gst-omx-1.22.12.tar.xz
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING
--- a/package/gstreamer1/gst-omx/gst-omx.mk
+++ b/package/gstreamer1/gst-omx/gst-omx.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GST_OMX_VERSION = 1.22.9
+GST_OMX_VERSION = 1.22.12
 GST_OMX_SOURCE = gst-omx-$(GST_OMX_VERSION).tar.xz
 GST_OMX_SITE = https://gstreamer.freedesktop.org/src/gst-omx

--- a/package/gstreamer1/gst1-devtools/gst1-devtools.hash
+++ b/package/gstreamer1/gst1-devtools/gst1-devtools.hash
@@ -1,3 +1,3 @@
-# From https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-1.22.9.tar.xz.sha256sum
-sha256  02e29400b44e9cc603aa6444dee5726b57edabef6455e6d0921ffed6f13840ee  gst-devtools-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-1.22.12.tar.xz.sha256sum
+sha256  015ff62789dab423edafe979b019c7de4c849a2b7e74912b20b74a70e5b68f72  gst-devtools-1.22.12.tar.xz
 sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  validate/COPYING
--- a/package/gstreamer1/gst1-devtools/gst1-devtools.mk
+++ b/package/gstreamer1/gst1-devtools/gst1-devtools.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GST1_DEVTOOLS_VERSION = 1.22.9
+GST1_DEVTOOLS_VERSION = 1.22.12
 GST1_DEVTOOLS_SOURCE = gst-devtools-$(GST1_DEVTOOLS_VERSION).tar.xz
 GST1_DEVTOOLS_SITE = https://gstreamer.freedesktop.org/src/gst-devtools
 GST1_DEVTOOLS_LICENSE = LGPL-2.1+
--- a/package/gstreamer1/gst1-libav/gst1-libav.hash
+++ b/package/gstreamer1/gst1-libav/gst1-libav.hash
@@ -1,3 +1,3 @@
-# From https://gstreamer.freedesktop.org/src/gst-libav/gst-libav-1.22.9.tar.xz.sha256sum
-sha256  192f7d27d21c1e7c72c339a2647a9b0c247fedc62ea5029115f8c3e22ebb87d8  gst-libav-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gst-libav/gst-libav-1.22.12.tar.xz.sha256sum
+sha256  3b60d4cac2fbcd085a93e9389ca23e0443bee1ca75574d31d4f12bb1bbecab48  gst-libav-1.22.12.tar.xz
 sha256  ad2eec519ebd4b5df86ea84dff24ae3bfa2edea846a703b58902dd221ae375db  COPYING
--- a/package/gstreamer1/gst1-libav/gst1-libav.mk
+++ b/package/gstreamer1/gst1-libav/gst1-libav.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GST1_LIBAV_VERSION = 1.22.9
+GST1_LIBAV_VERSION = 1.22.12
 GST1_LIBAV_SOURCE = gst-libav-$(GST1_LIBAV_VERSION).tar.xz
 GST1_LIBAV_SITE = https://gstreamer.freedesktop.org/src/gst-libav
 GST1_LIBAV_LICENSE = LGPL-2.1+
--- a/package/gstreamer1/gst1-plugins-bad/gst1-plugins-bad.hash
+++ b/package/gstreamer1/gst1-plugins-bad/gst1-plugins-bad.hash
@@ -1,3 +1,3 @@
-# From https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad-1.22.9.tar.xz.sha256sum
-sha256  1bc65d0fd5f53a3636564efd3fcf318c3edcdec39c4109a503c1fc8203840a1d  gst-plugins-bad-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad-1.22.12.tar.xz.sha256sum
+sha256  388b4c4412f42e36a38b17cc34119bc11879bd4d9fbd4ff6d03b2c7fc6b4d494  gst-plugins-bad-1.22.12.tar.xz
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING
--- a/package/gstreamer1/gst1-plugins-bad/gst1-plugins-bad.mk
+++ b/package/gstreamer1/gst1-plugins-bad/gst1-plugins-bad.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GST1_PLUGINS_BAD_VERSION = 1.22.9
+GST1_PLUGINS_BAD_VERSION = 1.22.12
 GST1_PLUGINS_BAD_SOURCE = gst-plugins-bad-$(GST1_PLUGINS_BAD_VERSION).tar.xz
 GST1_PLUGINS_BAD_SITE = https://gstreamer.freedesktop.org/src/gst-plugins-bad
 GST1_PLUGINS_BAD_INSTALL_STAGING = YES
--- a/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.hash
+++ b/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.hash
@@ -1,3 +1,3 @@
-# From https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-1.22.9.tar.xz.sha256sum
-sha256  fac3e0dd2d8e9370388b34bf8c21b89d5f63bc3cfc12cd7fdc8fc6c1cba03334  gst-plugins-base-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-base-1.22.12.tar.xz.sha256sum
+sha256  73cfadc3a6ffe77ed974cfd6fb391c605e4531f48db21dd6b9f42b8cb69bd8c1  gst-plugins-base-1.22.12.tar.xz
 sha256  ad2eec519ebd4b5df86ea84dff24ae3bfa2edea846a703b58902dd221ae375db  COPYING
--- a/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.mk
+++ b/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GST1_PLUGINS_BASE_VERSION = 1.22.9
+GST1_PLUGINS_BASE_VERSION = 1.22.12
 GST1_PLUGINS_BASE_SOURCE = gst-plugins-base-$(GST1_PLUGINS_BASE_VERSION).tar.xz
 GST1_PLUGINS_BASE_SITE = https://gstreamer.freedesktop.org/src/gst-plugins-base
 GST1_PLUGINS_BASE_INSTALL_STAGING = YES
--- a/package/gstreamer1/gst1-plugins-good/gst1-plugins-good.hash
+++ b/package/gstreamer1/gst1-plugins-good/gst1-plugins-good.hash
@@ -1,3 +1,3 @@
-# From https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-1.22.9.tar.xz.sha256sum
-sha256  26959fcfebfff637d4ea08ef40316baf31b61bb7729820b0684e800c3a1478b6  gst-plugins-good-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-good-1.22.12.tar.xz.sha256sum
+sha256  9c1913f981900bd8867182639b20907b28ed78ef7a222cfbf2d8ba9dab992fa7  gst-plugins-good-1.22.12.tar.xz
 sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  COPYING
--- a/package/gstreamer1/gst1-plugins-good/gst1-plugins-good.mk
+++ b/package/gstreamer1/gst1-plugins-good/gst1-plugins-good.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GST1_PLUGINS_GOOD_VERSION = 1.22.9
+GST1_PLUGINS_GOOD_VERSION = 1.22.12
 GST1_PLUGINS_GOOD_SOURCE = gst-plugins-good-$(GST1_PLUGINS_GOOD_VERSION).tar.xz
 GST1_PLUGINS_GOOD_SITE = https://gstreamer.freedesktop.org/src/gst-plugins-good
 GST1_PLUGINS_GOOD_LICENSE_FILES = COPYING
--- a/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.hash
+++ b/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.hash
@@ -1,3 +1,3 @@
-# From https://gstreamer.freedesktop.org/src/gst-plugins-ugly/gst-plugins-ugly-1.22.9.tar.xz.sha256sum
-sha256  0bf685d66015a01dd3fc1671b64a1c8acb321dd9d4ab9e05a29ab19782aa6236  gst-plugins-ugly-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gst-plugins-ugly/gst-plugins-ugly-1.22.12.tar.xz.sha256sum
+sha256  d59a1aaf8dd2cc416dc5b5c0b7aecd02b1811bf1229aa724e6c2a503d3799083  gst-plugins-ugly-1.22.12.tar.xz
 sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  COPYING
--- a/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.mk
+++ b/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GST1_PLUGINS_UGLY_VERSION = 1.22.9
+GST1_PLUGINS_UGLY_VERSION = 1.22.12
 GST1_PLUGINS_UGLY_SOURCE = gst-plugins-ugly-$(GST1_PLUGINS_UGLY_VERSION).tar.xz
 GST1_PLUGINS_UGLY_SITE = https://gstreamer.freedesktop.org/src/gst-plugins-ugly
 GST1_PLUGINS_UGLY_LICENSE_FILES = COPYING
--- a/package/gstreamer1/gst1-python/gst1-python.hash
+++ b/package/gstreamer1/gst1-python/gst1-python.hash
@@ -1,3 +1,3 @@
-# From https://gstreamer.freedesktop.org/src/gst-python/gst-python-1.22.9.tar.xz.sha256sum
-sha256  3f9d5c6ffefda268703744b592a6b3983aa6723273b1220ecbcb62c2a5800009  gst-python-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gst-python/gst-python-1.22.12.tar.xz.sha256sum
+sha256  d98d3226efea20d5c440a28988a20319a953f7c594895df2bba4538633108e9f  gst-python-1.22.12.tar.xz
 sha256  ea3ad127610e5ded2210b3a86a46314f2b3b28e438eccffdae19a4d6fbcdb0c2  COPYING
--- a/package/gstreamer1/gst1-python/gst1-python.mk
+++ b/package/gstreamer1/gst1-python/gst1-python.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GST1_PYTHON_VERSION = 1.22.9
+GST1_PYTHON_VERSION = 1.22.12
 GST1_PYTHON_SOURCE = gst-python-$(GST1_PYTHON_VERSION).tar.xz
 GST1_PYTHON_SITE = https://gstreamer.freedesktop.org/src/gst-python
 GST1_PYTHON_INSTALL_STAGING = YES
--- a/package/gstreamer1/gst1-rtsp-server/gst1-rtsp-server.hash
+++ b/package/gstreamer1/gst1-rtsp-server/gst1-rtsp-server.hash
@@ -1,4 +1,4 @@
-# From https://gstreamer.freedesktop.org/src/gst-rtsp-server/gst-rtsp-server-1.22.9.tar.xz.sha256sum
-sha256  808af148f89404ff74850f8ca5272bed4bfe67f9620231dc4514fd07eb26d0a4  gst-rtsp-server-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gst-rtsp-server/gst-rtsp-server-1.22.12.tar.xz.sha256sum
+sha256  bf6c7871e7cf3528e4ec87ddc2f2949691cd269f98e536482ae744c1405cf451  gst-rtsp-server-1.22.12.tar.xz
 sha256  ad2eec519ebd4b5df86ea84dff24ae3bfa2edea846a703b58902dd221ae375db  COPYING
 sha256  ad2eec519ebd4b5df86ea84dff24ae3bfa2edea846a703b58902dd221ae375db  COPYING.LIB
--- a/package/gstreamer1/gst1-rtsp-server/gst1-rtsp-server.mk
+++ b/package/gstreamer1/gst1-rtsp-server/gst1-rtsp-server.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GST1_RTSP_SERVER_VERSION = 1.22.9
+GST1_RTSP_SERVER_VERSION = 1.22.12
 GST1_RTSP_SERVER_SOURCE = gst-rtsp-server-$(GST1_RTSP_SERVER_VERSION).tar.xz
 GST1_RTSP_SERVER_SITE = http://gstreamer.freedesktop.org/src/gst-rtsp-server
 GST1_RTSP_SERVER_LICENSE = LGPL-2.1+
--- a/package/gstreamer1/gst1-vaapi/gst1-vaapi.hash
+++ b/package/gstreamer1/gst1-vaapi/gst1-vaapi.hash
@@ -1,3 +1,3 @@
-# From https://gstreamer.freedesktop.org/src/gstreamer-vaapi/gstreamer-vaapi-1.22.9.tar.xz.sha256sum
-sha256  8ba20da8c4cbf5b2953dba904672c4275d0053e1528f97fdf8e59942c7883ca8  gstreamer-vaapi-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gstreamer-vaapi/gstreamer-vaapi-1.22.12.tar.xz.sha256sum
+sha256  013ad729b2fe4fccda559bddc626bcb14230cfb90a2271049f8466bfec5d80df  gstreamer-vaapi-1.22.12.tar.xz
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LIB
--- a/package/gstreamer1/gst1-vaapi/gst1-vaapi.mk
+++ b/package/gstreamer1/gst1-vaapi/gst1-vaapi.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GST1_VAAPI_VERSION = 1.22.9
+GST1_VAAPI_VERSION = 1.22.12
 GST1_VAAPI_SITE = https://gstreamer.freedesktop.org/src/gstreamer-vaapi
 GST1_VAAPI_SOURCE = gstreamer-vaapi-$(GST1_VAAPI_VERSION).tar.xz
 GST1_VAAPI_LICENSE = LGPL-2.1+
--- a/package/gstreamer1/gstreamer1-editing-services/gstreamer1-editing-services.hash
+++ b/package/gstreamer1/gstreamer1-editing-services/gstreamer1-editing-services.hash
@@ -1,5 +1,5 @@
-# From https://gstreamer.freedesktop.org/src/gstreamer-editing-services/gst-editing-services-1.22.9.tar.xz.sha256sum
-sha256  3553ad3802dccde0c0ef1461881acd9b55bddf8adf751de4cb51b7f8cb50440d  gst-editing-services-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gstreamer-editing-services/gst-editing-services-1.22.12.tar.xz.sha256sum
+sha256  792339135ce713088663cc5d44e0aea8217793e88fabfd11571e7abf4a429f2c  gst-editing-services-1.22.12.tar.xz

 # Hashes for license files:
 sha256  f445dc78b88496f7e20c7a2a461b95baba5865c8919b8289ac24ac0a80c6ce7a  COPYING
--- a/package/gstreamer1/gstreamer1-editing-services/gstreamer1-editing-services.mk
+++ b/package/gstreamer1/gstreamer1-editing-services/gstreamer1-editing-services.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GSTREAMER1_EDITING_SERVICES_VERSION = 1.22.9
+GSTREAMER1_EDITING_SERVICES_VERSION = 1.22.12
 GSTREAMER1_EDITING_SERVICES_SOURCE = gst-editing-services-$(GSTREAMER1_EDITING_SERVICES_VERSION).tar.xz
 GSTREAMER1_EDITING_SERVICES_SITE = https://gstreamer.freedesktop.org/src/gstreamer-editing-services
 GSTREAMER1_EDITING_SERVICES_LICENSE = LGPL-2.0+
--- a/package/gstreamer1/gstreamer1/gstreamer1.hash
+++ b/package/gstreamer1/gstreamer1/gstreamer1.hash
@@ -1,3 +1,3 @@
-# From https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-1.22.9.tar.xz.sha256sum
-sha256  1e7124d347e8cdc80f08ec1d370c201be513002af1102bb20e83c5279cb48ebd  gstreamer-1.22.9.tar.xz
+# From https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-1.22.12.tar.xz.sha256sum
+sha256  ac352f3d02caa67f3b169daa9aa78b04dea0fc08a727de73cb28d89bd54c6f61  gstreamer-1.22.12.tar.xz
 sha256  ad2eec519ebd4b5df86ea84dff24ae3bfa2edea846a703b58902dd221ae375db  COPYING
--- a/package/gstreamer1/gstreamer1/gstreamer1.mk
+++ b/package/gstreamer1/gstreamer1/gstreamer1.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-GSTREAMER1_VERSION = 1.22.9
+GSTREAMER1_VERSION = 1.22.12
 GSTREAMER1_SOURCE = gstreamer-$(GSTREAMER1_VERSION).tar.xz
 GSTREAMER1_SITE = https://gstreamer.freedesktop.org/src/gstreamer
 GSTREAMER1_INSTALL_STAGING = YES
--- a/package/igt-gpu-tools/Config.in
+++ b/package/igt-gpu-tools/Config.in
@@ -3,9 +3,9 @@ config BR2_PACKAGE_IGT_GPU_TOOLS
 	depends on BR2_USE_MMU # fork()
 	depends on BR2_ENABLE_LOCALE
 	depends on !BR2_STATIC_LIBS
-	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_TOOLCHAIN_HAS_THREADS_NPTL
 	depends on BR2_PACKAGE_HAS_UDEV
-	depends on BR2_USE_WCHAR # elfutils
+	depends on BR2_USE_WCHAR # elfutils, procps-ng
 	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_11 # linux/dma-buf.h
 	select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS # procps-ng
 	select BR2_PACKAGE_CAIRO
@@ -24,9 +24,9 @@ config BR2_PACKAGE_IGT_GPU_TOOLS

 	  https://gitlab.freedesktop.org/drm/igt-gpu-tools

-comment "igt-gpu-tools needs udev /dev management and toolchain w/ threads, wchar, dynamic library, locale, headers >= 4.11"
+comment "igt-gpu-tools needs udev /dev management and toolchain w/ NPTL, wchar, dynamic library, locale, headers >= 4.11"
 	depends on BR2_USE_MMU
 	depends on !BR2_PACKAGE_HAS_UDEV || BR2_STATIC_LIBS || \
-		!BR2_TOOLCHAIN_HAS_THREADS || !BR2_USE_WCHAR || \
+		!BR2_TOOLCHAIN_HAS_THREADS_NPTL || !BR2_USE_WCHAR || \
 		!BR2_ENABLE_LOCALE || \
 		!BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_11
--- a/package/iperf3/iperf3.hash
+++ b/package/iperf3/iperf3.hash
@@ -1,4 +1,4 @@
-# From https://downloads.es.net/pub/iperf/iperf-3.17.1.tar.gz.sha256
-sha256  84404ca8431b595e86c473d8f23d8bb102810001f15feaf610effd3b318788aa  iperf-3.17.1.tar.gz
+# From https://downloads.es.net/pub/iperf/iperf-3.18.tar.gz.sha256
+sha256  c0618175514331e766522500e20c94bfb293b4424eb27d7207fb427b88d20bab  iperf-3.18.tar.gz
 # Locally computed
 sha256  3dc3e2076dd9cdea2b66d8fe213997ff25fb6171594f055b59fe25321b438f6f  LICENSE
--- a/package/iperf3/iperf3.mk
+++ b/package/iperf3/iperf3.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-IPERF3_VERSION = 3.17.1
+IPERF3_VERSION = 3.18
 IPERF3_SITE = https://downloads.es.net/pub/iperf
 IPERF3_SOURCE = iperf-$(IPERF3_VERSION).tar.gz
 IPERF3_LICENSE = BSD-3-Clause, BSD-2-Clause, MIT
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-# https://curl.se/download/curl-8.11.0.tar.xz.asc
+# https://curl.se/download/curl-8.11.1.tar.xz.asc
 # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256  db59cf0d671ca6e7f5c2c5ec177084a33a79e04c97e71cf183a5cdea235054eb  curl-8.11.0.tar.xz
+sha256  c7ca7db48b0909743eaef34250da02c19bc61d4f1dcedd6603f109409536ab56  curl-8.11.1.tar.xz
 sha256  adb1fc06547fd136244179809f7b7c2d2ae6c4534f160aa513af9b6a12866a32  COPYING
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-LIBCURL_VERSION = 8.11.0
+LIBCURL_VERSION = 8.11.1
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
 LIBCURL_SITE = https://curl.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \
--- a/package/libsha1/0001-test-fix-gcc-14.x-compile-implicit-int.patch
+++ b/package/libsha1/0001-test-fix-gcc-14.x-compile-implicit-int.patch
@@ -0,0 +1,39 @@
+From d449f26f782be91b3847f88ed2bd937582a575b6 Mon Sep 17 00:00:00 2001
+From: Peter Seiderer <ps.report@gmx.net>
+Date: Sun, 25 Aug 2024 11:33:59 +0200
+Subject: [PATCH] test: fix gcc-14.x compile (implicit int)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+
+  test.c:14:8: error: type defaults to ‘int’ in declaration of ‘num_test’ [-Wimplicit-int]
+     14 | static num_test;
+        |        ^~~~~~~~
+
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+
+Upstream: https://github.com/dottedmag/libsha1/pull/1
+
+Signed-off-by: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
+---
+ test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test.c b/test.c
+index 21a6525..1ec89d3 100644
+--- a/test.c
+++ b/test.c
+@@ -11,7 +11,7 @@ static void print_hex(const char* data, size_t size)
+         printf("%x%x", ((unsigned char)data[i])/16, ((unsigned char)data[i])%16);
+ }
+ 
+-static num_test;
+static int num_test;
+ 
+ static int do_test(const char* data, size_t size, const char* expected_dgst)
+ {
+-- 
+2.47.1
+
--- a/package/libsndfile/0001-mat4-mat5-fix-int-overflow-in-dataend-calculation.patch
+++ b/package/libsndfile/0001-mat4-mat5-fix-int-overflow-in-dataend-calculation.patch
@@ -0,0 +1,45 @@
+From 0754562e13d2e63a248a1c82f90b30bc0ffe307c Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 10 Oct 2023 16:10:34 -0400
+Subject: [PATCH] mat4/mat5: fix int overflow in dataend calculation
+
+The clang sanitizer warns of a possible signed integer overflow when
+calculating the `dataend` value in `mat4_read_header()`.
+
+```
+src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
+src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
+```
+
+Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of
+`dataend` before performing the calculation, to avoid the issue.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/789
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/0754562e13d2e63a248a1c82f90b30bc0ffe307c
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/mat4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mat4.c b/src/mat4.c
+index 0b1b414b..575683ba 100644
+--- a/src/mat4.c
+++ b/src/mat4.c
+@@ -320,7 +320,7 @@ mat4_read_header (SF_PRIVATE *psf)
+ 				psf->filelength - psf->dataoffset, psf->sf.channels * psf->sf.frames * psf->bytewidth) ;
+ 		}
+ 	else if ((psf->filelength - psf->dataoffset) > psf->sf.channels * psf->sf.frames * psf->bytewidth)
+-		psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;
+		psf->dataend = psf->dataoffset + (sf_count_t) rows * (sf_count_t) cols * psf->bytewidth ;
+ 
+ 	psf->datalength = psf->filelength - psf->dataoffset - psf->dataend ;
+ 
+-- 
+2.39.5
+
--- a/package/libsndfile/0002-au-avoid-int-overflow-while-calculating-data_end.patch
+++ b/package/libsndfile/0002-au-avoid-int-overflow-while-calculating-data_end.patch
@@ -0,0 +1,58 @@
+From a5afea2e24080ddf5c7b8e26c29cdbd94ae8226b Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 16:36:02 -0400
+Subject: [PATCH] au: avoid int overflow while calculating data_end
+
+At several points in au_read_header(), we calculate the functional end
+of the data segment by adding the (int)au_fmt.dataoffset and the
+(int)au_fmt.datasize. This can overflow the implicit int_32 return value
+and cause undefined behavior.
+
+Instead, precalculate the value and assign it to a 64-bit
+(sf_count_t)data_end variable.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/a5afea2e24080ddf5c7b8e26c29cdbd94ae8226b
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/au.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/au.c b/src/au.c
+index 62bd691d..f68f2587 100644
+--- a/src/au.c
+++ b/src/au.c
+@@ -291,6 +291,7 @@ static int
+ au_read_header (SF_PRIVATE *psf)
+ {	AU_FMT	au_fmt ;
+ 	int		marker, dword ;
+	sf_count_t data_end ;
+ 
+ 	memset (&au_fmt, 0, sizeof (au_fmt)) ;
+ 	psf_binheader_readf (psf, "pm", 0, &marker) ;
+@@ -317,14 +318,15 @@ au_read_header (SF_PRIVATE *psf)
+ 		return SFE_AU_EMBED_BAD_LEN ;
+ 		} ;
+ 
+	data_end = (sf_count_t) au_fmt.dataoffset + (sf_count_t) au_fmt.datasize ;
+ 	if (psf->fileoffset > 0)
+-	{	psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
+	{	psf->filelength = data_end ;
+ 		psf_log_printf (psf, "  Data Size   : %d\n", au_fmt.datasize) ;
+ 		}
+-	else if (au_fmt.datasize == -1 || au_fmt.dataoffset + au_fmt.datasize == psf->filelength)
+	else if (au_fmt.datasize == -1 || data_end == psf->filelength)
+ 		psf_log_printf (psf, "  Data Size   : %d\n", au_fmt.datasize) ;
+-	else if (au_fmt.dataoffset + au_fmt.datasize < psf->filelength)
+-	{	psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
+	else if (data_end < psf->filelength)
+	{	psf->filelength = data_end ;
+ 		psf_log_printf (psf, "  Data Size   : %d\n", au_fmt.datasize) ;
+ 		}
+ 	else
+-- 
+2.39.5
+
--- a/package/libsndfile/0003-avr-fix-int-overflow-in-avr_read_header.patch
+++ b/package/libsndfile/0003-avr-fix-int-overflow-in-avr_read_header.patch
@@ -0,0 +1,34 @@
+From 2f8eece78cc8b4dce6c95b3045867f0936714db8 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 16:46:29 -0400
+Subject: [PATCH] avr: fix int overflow in avr_read_header()
+
+Pre-cast hdr.frames to sf_count_t, to provide the calculation with
+enough numeric space to avoid an int-overflow.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/2f8eece78cc8b4dce6c95b3045867f0936714db8
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/avr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/avr.c b/src/avr.c
+index 6c78ff69..1bc1ffc9 100644
+--- a/src/avr.c
+++ b/src/avr.c
+@@ -162,7 +162,7 @@ avr_read_header (SF_PRIVATE *psf)
+ 	psf->endian = SF_ENDIAN_BIG ;
+ 
+  	psf->dataoffset = AVR_HDR_SIZE ;
+-	psf->datalength = hdr.frames * (hdr.rez / 8) ;
+	psf->datalength = (sf_count_t) hdr.frames * (hdr.rez / 8) ;
+ 
+ 	if (psf->fileoffset > 0)
+ 		psf->filelength = AVR_HDR_SIZE + psf->datalength ;
+-- 
+2.39.5
+
--- a/package/libsndfile/0004-sds-fix-int-overflow-warning-in-sample-calculations.patch
+++ b/package/libsndfile/0004-sds-fix-int-overflow-warning-in-sample-calculations.patch
@@ -0,0 +1,61 @@
+From 2e9f71dd5d5c85b5bd4a0573d1fa05b5b89b33a7 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 16:54:21 -0400
+Subject: [PATCH] sds: fix int overflow warning in sample calculations
+
+The sds_*byte_read() functions compose their uint_32 sample buffers by
+shifting 7bit samples into a 32bit wide buffer, and adding them
+together. Because the 7bit samples are stored in 32bit ints, code
+fuzzers become concerned that the addition operation can overflow and
+cause undefined behavior.
+
+Instead, bitwise-OR the bytes together - which should accomplish the
+same arithmetic operation, without risking an int-overflow.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Do the same for the 3byte and 4byte read functions.
+
+Upstream: https://github.com/libsndfile/libsndfile/commit/2e9f71dd5d5c85b5bd4a0573d1fa05b5b89b33a7
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/sds.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/sds.c b/src/sds.c
+index 6bc76171..2a0f164c 100644
+--- a/src/sds.c
+++ b/src/sds.c
+@@ -454,7 +454,7 @@ sds_2byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds)
+ 
+ 	ucptr = psds->read_data + 5 ;
+ 	for (k = 0 ; k < 120 ; k += 2)
+-	{	sample = arith_shift_left (ucptr [k], 25) + arith_shift_left (ucptr [k + 1], 18) ;
+	{	sample = arith_shift_left (ucptr [k], 25) | arith_shift_left (ucptr [k + 1], 18) ;
+ 		psds->read_samples [k / 2] = (int) (sample - 0x80000000) ;
+ 		} ;
+ 
+@@ -498,7 +498,7 @@ sds_3byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds)
+ 
+ 	ucptr = psds->read_data + 5 ;
+ 	for (k = 0 ; k < 120 ; k += 3)
+-	{	sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) ;
+	{	sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) ;
+ 		psds->read_samples [k / 3] = (int) (sample - 0x80000000) ;
+ 		} ;
+ 
+@@ -542,7 +542,7 @@ sds_4byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds)
+ 
+ 	ucptr = psds->read_data + 5 ;
+ 	for (k = 0 ; k < 120 ; k += 4)
+-	{	sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) + (ucptr [k + 3] << 4) ;
+	{	sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) | (ucptr [k + 3] << 4) ;
+ 		psds->read_samples [k / 4] = (int) (sample - 0x80000000) ;
+ 		} ;
+ 
+-- 
+2.39.5
+
--- a/package/libsndfile/0005-aiff-fix-int-overflow-when-counting-header-elements.patch
+++ b/package/libsndfile/0005-aiff-fix-int-overflow-when-counting-header-elements.patch
@@ -0,0 +1,39 @@
+From 187451dbd3c044f9a76b6c1d950d458de0103180 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 17:26:51 -0400
+Subject: [PATCH] aiff: fix int overflow when counting header elements
+
+aiff_read_basc_chunk() tries to count the AIFF header size by keeping
+track of the bytes returned by psf_binheader_readf(). Though improbable,
+it is technically possible for these added bytes to exceed the int-sized
+`count` accumulator.
+
+Use a 64-bit sf_count_t type for `count`, to ensure that it always has
+enough numeric space.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/187451dbd3c044f9a76b6c1d950d458de0103180
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/aiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/aiff.c b/src/aiff.c
+index ac3655e9..6d8f1bc8 100644
+--- a/src/aiff.c
+++ b/src/aiff.c
+@@ -1702,7 +1702,7 @@ static int
+ aiff_read_basc_chunk (SF_PRIVATE * psf, int datasize)
+ {	const char * type_str ;
+ 	basc_CHUNK bc ;
+-	int count ;
+	sf_count_t count ;
+ 
+ 	count = psf_binheader_readf (psf, "E442", &bc.version, &bc.numBeats, &bc.rootNote) ;
+ 	count += psf_binheader_readf (psf, "E222", &bc.scaleType, &bc.sigNumerator, &bc.sigDenominator) ;
+-- 
+2.39.5
+
--- a/package/libsndfile/0006-ircam-fix-int-overflow-in-ircam_read_header.patch
+++ b/package/libsndfile/0006-ircam-fix-int-overflow-in-ircam_read_header.patch
@@ -0,0 +1,82 @@
+From 5d5319300587e3d4a146332a2f48674ceb8a0257 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 17:43:02 -0400
+Subject: [PATCH] ircam: fix int overflow in ircam_read_header()
+
+When reading the IRCAM header, it is possible for the calculated
+blockwidth to exceed the bounds of a signed int32.
+
+Use a 64bit sf_count_t to store the blockwidth.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/5d5319300587e3d4a146332a2f48674ceb8a0257
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/common.h |  2 +-
+ src/ircam.c  | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/common.h b/src/common.h
+index cd9ac8b0..01f6ae09 100644
+--- a/src/common.h
+++ b/src/common.h
+@@ -439,7 +439,7 @@ typedef struct sf_private_tag
+ 	sf_count_t		datalength ;	/* Length in bytes of the audio data. */
+ 	sf_count_t		dataend ;		/* Offset to file tailer. */
+ 
+-	int				blockwidth ;	/* Size in bytes of one set of interleaved samples. */
+	sf_count_t		blockwidth ;	/* Size in bytes of one set of interleaved samples. */
+ 	int				bytewidth ;		/* Size in bytes of one sample (one channel). */
+ 
+ 	void			*dither ;
+diff --git a/src/ircam.c b/src/ircam.c
+index 8e7cdba8..3d73ba44 100644
+--- a/src/ircam.c
+++ b/src/ircam.c
+@@ -171,35 +171,35 @@ ircam_read_header	(SF_PRIVATE *psf)
+ 	switch (encoding)
+ 	{	case IRCAM_PCM_16 :
+ 				psf->bytewidth = 2 ;
+-				psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+				psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
+ 
+ 				psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_16 ;
+ 				break ;
+ 
+ 		case IRCAM_PCM_32 :
+ 				psf->bytewidth = 4 ;
+-				psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+				psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
+ 
+ 				psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_32 ;
+ 				break ;
+ 
+ 		case IRCAM_FLOAT :
+ 				psf->bytewidth = 4 ;
+-				psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+				psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
+ 
+ 				psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_FLOAT ;
+ 				break ;
+ 
+ 		case IRCAM_ALAW :
+ 				psf->bytewidth = 1 ;
+-				psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+				psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
+ 
+ 				psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ALAW ;
+ 				break ;
+ 
+ 		case IRCAM_ULAW :
+ 				psf->bytewidth = 1 ;
+-				psf->blockwidth = psf->sf.channels * psf->bytewidth ;
+				psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
+ 
+ 				psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ULAW ;
+ 				break ;
+-- 
+2.39.5
+
--- a/package/libsndfile/0007-mat4-mat5-fix-int-overflow-when-calculating-blockwid.patch
+++ b/package/libsndfile/0007-mat4-mat5-fix-int-overflow-when-calculating-blockwid.patch
@@ -0,0 +1,48 @@
+From 39f2a4ffe5ab77d1cadc2057c2db046a9a3d5d65 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 16:12:22 -0400
+Subject: [PATCH] mat4/mat5: fix int overflow when calculating blockwidth
+
+Pre-cast the components of the blockwidth calculation to sf_count_t to
+avoid overflowing integers during calculation.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/39f2a4ffe5ab77d1cadc2057c2db046a9a3d5d65
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/mat4.c | 2 +-
+ src/mat5.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mat4.c b/src/mat4.c
+index 575683ba..9f046f0c 100644
+--- a/src/mat4.c
+++ b/src/mat4.c
+@@ -104,7 +104,7 @@ mat4_open	(SF_PRIVATE *psf)
+ 
+ 	psf->container_close = mat4_close ;
+ 
+-	psf->blockwidth = psf->bytewidth * psf->sf.channels ;
+	psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ;
+ 
+ 	switch (subformat)
+ 	{	case SF_FORMAT_PCM_16 :
+diff --git a/src/mat5.c b/src/mat5.c
+index da5a6eca..20f0ea64 100644
+--- a/src/mat5.c
+++ b/src/mat5.c
+@@ -114,7 +114,7 @@ mat5_open	(SF_PRIVATE *psf)
+ 
+ 	psf->container_close = mat5_close ;
+ 
+-	psf->blockwidth = psf->bytewidth * psf->sf.channels ;
+	psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ;
+ 
+ 	switch (subformat)
+ 	{	case SF_FORMAT_PCM_U8 :
+-- 
+2.39.5
+
--- a/package/libsndfile/0008-common-fix-int-overflow-in-psf_binheader_readf.patch
+++ b/package/libsndfile/0008-common-fix-int-overflow-in-psf_binheader_readf.patch
@@ -0,0 +1,181 @@
+From 6be8906740cdca067f12920bb4a63f728485aff0 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Mon, 16 Oct 2023 12:37:47 -0400
+Subject: [PATCH] common: fix int overflow in psf_binheader_readf()
+
+The psf_binheader_readf() function attempts to count and return the
+number of bytes traversed in the header. During this accumulation, it is
+possible to overflow the int-sized byte_count variable.
+
+Avoid this overflow by checking that the accumulated bytes do not exceed
+INT_MAX and throwing an error if they do. This implies that files with
+multi-gigabyte headers threaten to produce this error, but I imagine
+those files don't really exist - and this error is better than the
+undefined behavior which would have resulted previously.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/6be8906740cdca067f12920bb4a63f728485aff0
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/common.c | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index b877aa86..8982379a 100644
+--- a/src/common.c
+++ b/src/common.c
+@@ -18,6 +18,7 @@
+ 
+ #include <config.h>
+ 
+#include <limits.h>
+ #include <stdarg.h>
+ #include <string.h>
+ #if HAVE_UNISTD_H
+@@ -990,6 +991,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 	double			*doubleptr ;
+ 	char			c ;
+ 	int				byte_count = 0, count = 0 ;
+	int				read_bytes = 0 ;
+ 
+ 	if (! format)
+ 		return psf_ftell (psf) ;
+@@ -998,6 +1000,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 
+ 	while ((c = *format++))
+ 	{
+		read_bytes = 0 ;
+ 		if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16))
+ 			break ;
+ 
+@@ -1014,7 +1017,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 					intptr = va_arg (argptr, unsigned int*) ;
+ 					*intptr = 0 ;
+ 					ucptr = (unsigned char*) intptr ;
+-					byte_count += header_read (psf, ucptr, sizeof (int)) ;
+					read_bytes = header_read (psf, ucptr, sizeof (int)) ;
+ 					*intptr = GET_MARKER (ucptr) ;
+ 					break ;
+ 
+@@ -1022,7 +1025,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 					intptr = va_arg (argptr, unsigned int*) ;
+ 					*intptr = 0 ;
+ 					ucptr = (unsigned char*) intptr ;
+-					byte_count += header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ;
+					read_bytes = header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ;
+ 					{	int k ;
+ 						intdata = 0 ;
+ 						for (k = 0 ; k < 16 ; k++)
+@@ -1034,14 +1037,14 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 			case '1' :
+ 					charptr = va_arg (argptr, char*) ;
+ 					*charptr = 0 ;
+-					byte_count += header_read (psf, charptr, sizeof (char)) ;
+					read_bytes = header_read (psf, charptr, sizeof (char)) ;
+ 					break ;
+ 
+ 			case '2' : /* 2 byte value with the current endian-ness */
+ 					shortptr = va_arg (argptr, unsigned short*) ;
+ 					*shortptr = 0 ;
+ 					ucptr = (unsigned char*) shortptr ;
+-					byte_count += header_read (psf, ucptr, sizeof (short)) ;
+					read_bytes = header_read (psf, ucptr, sizeof (short)) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						*shortptr = GET_BE_SHORT (ucptr) ;
+ 					else
+@@ -1051,7 +1054,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 			case '3' : /* 3 byte value with the current endian-ness */
+ 					intptr = va_arg (argptr, unsigned int*) ;
+ 					*intptr = 0 ;
+-					byte_count += header_read (psf, sixteen_bytes, 3) ;
+					read_bytes = header_read (psf, sixteen_bytes, 3) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						*intptr = GET_BE_3BYTE (sixteen_bytes) ;
+ 					else
+@@ -1062,7 +1065,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 					intptr = va_arg (argptr, unsigned int*) ;
+ 					*intptr = 0 ;
+ 					ucptr = (unsigned char*) intptr ;
+-					byte_count += header_read (psf, ucptr, sizeof (int)) ;
+					read_bytes = header_read (psf, ucptr, sizeof (int)) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						*intptr = psf_get_be32 (ucptr, 0) ;
+ 					else
+@@ -1072,7 +1075,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 			case '8' : /* 8 byte value with the current endian-ness */
+ 					countptr = va_arg (argptr, sf_count_t *) ;
+ 					*countptr = 0 ;
+-					byte_count += header_read (psf, sixteen_bytes, 8) ;
+					read_bytes = header_read (psf, sixteen_bytes, 8) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						countdata = psf_get_be64 (sixteen_bytes, 0) ;
+ 					else
+@@ -1083,7 +1086,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 			case 'f' : /* Float conversion */
+ 					floatptr = va_arg (argptr, float *) ;
+ 					*floatptr = 0.0 ;
+-					byte_count += header_read (psf, floatptr, sizeof (float)) ;
+					read_bytes = header_read (psf, floatptr, sizeof (float)) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						*floatptr = float32_be_read ((unsigned char*) floatptr) ;
+ 					else
+@@ -1093,7 +1096,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 			case 'd' : /* double conversion */
+ 					doubleptr = va_arg (argptr, double *) ;
+ 					*doubleptr = 0.0 ;
+-					byte_count += header_read (psf, doubleptr, sizeof (double)) ;
+					read_bytes = header_read (psf, doubleptr, sizeof (double)) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						*doubleptr = double64_be_read ((unsigned char*) doubleptr) ;
+ 					else
+@@ -1117,7 +1120,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 					charptr = va_arg (argptr, char*) ;
+ 					count = va_arg (argptr, size_t) ;
+ 					memset (charptr, 0, count) ;
+-					byte_count += header_read (psf, charptr, count) ;
+					read_bytes = header_read (psf, charptr, count) ;
+ 					break ;
+ 
+ 			case 'G' :
+@@ -1128,7 +1131,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 					if (psf->header.indx + count >= psf->header.len && psf_bump_header_allocation (psf, count))
+ 						break ;
+ 
+-					byte_count += header_gets (psf, charptr, count) ;
+					read_bytes = header_gets (psf, charptr, count) ;
+ 					break ;
+ 
+ 			case 'z' :
+@@ -1152,7 +1155,7 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 			case 'j' :	/* Seek to position from current position. */
+ 					count = va_arg (argptr, size_t) ;
+ 					header_seek (psf, count, SEEK_CUR) ;
+-					byte_count += count ;
+					read_bytes = count ;
+ 					break ;
+ 
+ 			case '!' : /* Clear buffer, forcing re-read. */
+@@ -1164,8 +1167,17 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 				psf->error = SFE_INTERNAL ;
+ 				break ;
+ 			} ;
+
+		if (read_bytes > 0 && byte_count > (INT_MAX - read_bytes))
+		{	psf_log_printf (psf, "Header size exceeds INT_MAX. Aborting.", c) ;
+			psf->error = SFE_INTERNAL ;
+			break ;
+		} else
+		{	byte_count += read_bytes ;
+ 		} ;
+ 
+		} ;	/*end while*/
+
+ 	va_end (argptr) ;
+ 
+ 	return byte_count ;
+-- 
+2.39.5
+
--- a/package/libsndfile/0009-nms_adpcm-fix-int-overflow-in-signal-estimate.patch
+++ b/package/libsndfile/0009-nms_adpcm-fix-int-overflow-in-signal-estimate.patch
@@ -0,0 +1,233 @@
+From 71565532463b22c24824101845a533a67bff4c9c Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Thu, 19 Oct 2023 14:07:19 -0400
+Subject: [PATCH] nms_adpcm: fix int overflow in signal estimate
+
+It is possible (though functionally incorrect) for the signal estimate
+calculation in nms_adpcm_update() to overflow the int value of s_e,
+resulting in undefined behavior.
+
+Since adpcm state signal values are never practically larger than
+16 bits, use smaller numeric sizes throughout the file to avoid the
+overflow.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Authored-by: Arthur Taylor <art@ified.ca>
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/71565532463b22c24824101845a533a67bff4c9c
+[Peter: adjust for 1.2.2]
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/nms_adpcm.c | 81 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 40 insertions(+), 41 deletions(-)
+
+diff --git a/src/nms_adpcm.c b/src/nms_adpcm.c
+index 5999be1f..dca85f0b 100644
+--- a/src/nms_adpcm.c
+++ b/src/nms_adpcm.c
+@@ -48,36 +48,36 @@
+ /* Variable names from ITU G.726 spec */
+ struct nms_adpcm_state
+ {	/* Log of the step size multiplier. Operated on by codewords. */
+-	int yl ;
+	short yl ;
+ 
+ 	/* Quantizer step size multiplier. Generated from yl. */
+-	int y ;
+	short y ;
+ 
+ 	/* Coefficents of the pole predictor */
+-	int a [2] ;
+	short a [2] ;
+ 
+ 	/* Coefficents of the zero predictor  */
+-	int b [6] ;
+	short b [6] ;
+ 
+ 	/* Previous quantized deltas (multiplied by 2^14) */
+-	int d_q [7] ;
+	short d_q [7] ;
+ 
+ 	/* d_q [x] + s_ez [x], used by the pole-predictor for signs only. */
+-	int p [3] ;
+	short p [3] ;
+ 
+ 	/* Previous reconstructed signal values. */
+-	int s_r [2] ;
+	short s_r [2] ;
+ 
+ 	/* Zero predictor components of the signal estimate. */
+-	int s_ez ;
+	short s_ez ;
+ 
+ 	/* Signal estimate, (including s_ez). */
+-	int s_e ;
+	short s_e ;
+ 
+ 	/* The most recent codeword (enc:generated, dec:inputted) */
+-	int Ik ;
+	char Ik ;
+ 
+-	int parity ;
+	char parity ;
+ 
+ 	/*
+ 	** Offset into code tables for the bitrate.
+@@ -109,7 +109,7 @@ typedef struct
+ } NMS_ADPCM_PRIVATE ;
+ 
+ /* Pre-computed exponential interval used in the antilog approximation. */
+-static unsigned int table_expn [] =
+static unsigned short table_expn [] =
+ {	0x4000, 0x4167, 0x42d5, 0x444c,	0x45cb, 0x4752, 0x48e2, 0x4a7a,
+ 	0x4c1b, 0x4dc7, 0x4f7a, 0x5138,	0x52ff, 0x54d1, 0x56ac, 0x5892,
+ 	0x5a82, 0x5c7e, 0x5e84, 0x6096,	0x62b4, 0x64dd, 0x6712, 0x6954,
+@@ -117,21 +117,21 @@ static unsigned int table_expn [] =
+ } ;
+ 
+ /* Table mapping codewords to scale factor deltas. */
+-static int table_scale_factor_step [] =
+static short table_scale_factor_step [] =
+ {	0x0,	0x0,	0x0,	0x0,	0x4b0,	0x0,	0x0,	0x0,	/* 2-bit */
+ 	-0x3c,	0x0,	0x90,	0x0,	0x2ee,	0x0,	0x898,	0x0,	/* 3-bit */
+ 	-0x30,	0x12,	0x6b,	0xc8,	0x188,	0x2e0,	0x551,	0x1150,	/* 4-bit */
+ } ;
+ 
+ /* Table mapping codewords to quantized delta interval steps. */
+-static unsigned int table_step [] =
+static unsigned short table_step [] =
+ {	0x73F,	0,		0,		0,		0x1829,	0,		0,		0,		/* 2-bit */
+ 	0x3EB,	0,		0xC18,	0,		0x1581,	0,		0x226E,	0,		/* 3-bit */
+ 	0x20C,	0x635,	0xA83,	0xF12,	0x1418,	0x19E3,	0x211A,	0x2BBA,	/* 4-bit */
+ } ;
+ 
+ /* Binary search lookup table for quantizing using table_step. */
+-static int table_step_search [] =
+static short table_step_search [] =
+ {	0,		0x1F6D,	0,		-0x1F6D,	0,		0,			0,			0, /* 2-bit */
+ 	0x1008,	0x1192,	0,		-0x219A,	0x1656,	-0x1656,	0,			0, /* 3-bit */
+ 	0x872,	0x1277,	-0x8E6,	-0x232B,	0xD06,	-0x17D7,	-0x11D3,	0, /* 4-bit */
+@@ -179,23 +179,23 @@ static sf_count_t nms_adpcm_seek (SF_PRIVATE *psf, int mode, sf_count_t offset)
+ ** Maps [1,20480] to [1,1024] in an exponential relationship. This is
+ ** approximately ret = b^exp where b = e^(ln(1024)/ln(20480)) ~= 1.0003385
+ */
+-static inline int
+-nms_adpcm_antilog (int exp)
+-{	int ret ;
+static inline short
+nms_adpcm_antilog (short exp)
+{	int_fast32_t r ;
+ 
+-	ret = 0x1000 ;
+-	ret += (((exp & 0x3f) * 0x166b) >> 12) ;
+-	ret *= table_expn [(exp & 0x7c0) >> 6] ;
+-	ret >>= (26 - (exp >> 11)) ;
+	r = 0x1000 ;
+	r += (((int_fast32_t) (exp & 0x3f) * 0x166b) >> 12) ;
+	r *= table_expn [(exp & 0x7c0) >> 6] ;
+	r >>= (26 - (exp >> 11)) ;
+ 
+-	return ret ;
+	return (short) r ;
+ } /* nms_adpcm_antilog */
+ 
+ static void
+ nms_adpcm_update (struct nms_adpcm_state *s)
+ {	/* Variable names from ITU G.726 spec */
+-	int a1ul ;
+-	int fa1 ;
+	short a1ul, fa1 ;
+	int_fast32_t se ;
+ 	int i ;
+ 
+ 	/* Decay and Modify the scale factor in the log domain based on the codeword. */
+@@ -222,7 +222,7 @@ nms_adpcm_update (struct nms_adpcm_state *s)
+ 	else if (fa1 > 256)
+ 		fa1 = 256 ;
+ 
+-	s->a [0] = (0xff * s->a [0]) >> 8 ;
+	s->a [0] = (s->a [0] * 0xff) >> 8 ;
+ 	if (s->p [0] != 0 && s->p [1] != 0 && ((s->p [0] ^ s->p [1]) < 0))
+ 		s->a [0] -= 192 ;
+ 	else
+@@ -230,7 +230,7 @@ nms_adpcm_update (struct nms_adpcm_state *s)
+ 		fa1 = -fa1 ;
+ 		}
+ 
+-	s->a [1] = fa1 + ((0xfe * s->a [1]) >> 8) ;
+	s->a [1] = fa1 + ((s->a [1] * 0xfe) >> 8) ;
+ 	if (s->p [0] != 0 && s->p [2] != 0 && ((s->p [0] ^ s->p [2]) < 0))
+ 		s->a [1] -= 128 ;
+ 	else
+@@ -250,19 +250,18 @@ nms_adpcm_update (struct nms_adpcm_state *s)
+ 			s->a [0] = a1ul ;
+ 		} ;
+ 
+-	/* Compute the zero predictor estimate. Rotate past deltas too. */
+-	s->s_ez = 0 ;
+	/* Compute the zero predictor estimate and rotate past deltas. */
+	se = 0 ;
+ 	for (i = 5 ; i >= 0 ; i--)
+-	{	s->s_ez += s->d_q [i] * s->b [i] ;
+	{	se += (int_fast32_t) s->d_q [i] * s->b [i] ;
+ 		s->d_q [i + 1] = s->d_q [i] ;
+ 		} ;
+	s->s_ez = se >> 14 ;
+ 
+-	/* Compute the signal estimate. */
+-	s->s_e = s->a [0] * s->s_r [0] + s->a [1] * s->s_r [1] + s->s_ez ;
+-
+-	/* Return to scale */
+-	s->s_ez >>= 14 ;
+-	s->s_e >>= 14 ;
+	/* Complete the signal estimate. */
+	se += (int_fast32_t) s->a [0] * s->s_r [0] ;
+	se += (int_fast32_t) s->a [1] * s->s_r [1] ;
+	s->s_e = se >> 14 ;
+ 
+ 	/* Rotate members to prepare for next iteration. */
+ 	s->s_r [1] = s->s_r [0] ;
+@@ -274,7 +273,7 @@ nms_adpcm_update (struct nms_adpcm_state *s)
+ static int16_t
+ nms_adpcm_reconstruct_sample (struct nms_adpcm_state *s, uint8_t I)
+ {	/* Variable names from ITU G.726 spec */
+-	int dqx ;
+	int_fast32_t dqx ;
+ 
+ 	/*
+ 	** The ordering of the 12-bit right-shift is a precision loss. It agrees
+@@ -308,17 +307,17 @@ nms_adpcm_codec_init (struct nms_adpcm_state *s, enum nms_enc_type type)
+ /*
+ ** nms_adpcm_encode_sample()
+ **
+-** Encode a linear 16-bit pcm sample into a 2,3, or 4 bit NMS-ADPCM codeword
+** Encode a linear 16-bit pcm sample into a 2, 3, or 4 bit NMS-ADPCM codeword
+ ** using and updating the predictor state.
+ */
+ static uint8_t
+ nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl)
+ {	/* Variable names from ITU G.726 spec */
+-	int d ;
+	int_fast32_t d ;
+ 	uint8_t I ;
+ 
+ 	/* Down scale the sample from 16 => ~14 bits. */
+-	sl = (sl * 0x1fdf) / 0x7fff ;
+	sl = ((int_fast32_t) sl * 0x1fdf) / 0x7fff ;
+ 
+ 	/* Compute estimate, and delta from actual value */
+ 	nms_adpcm_update (s) ;
+@@ -407,7 +406,7 @@ nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl)
+ */
+ static int16_t
+ nms_adpcm_decode_sample (struct nms_adpcm_state *s, uint8_t I)
+-{	int sl ;
+{	int_fast32_t sl ;
+ 
+ 	nms_adpcm_update (s) ;
+ 	sl = nms_adpcm_reconstruct_sample (s, I) ;
+-- 
+2.39.5
+
--- a/package/libsndfile/0010-nms_adpcm-fix-int-overflow-in-sf.frames-calc.patch
+++ b/package/libsndfile/0010-nms_adpcm-fix-int-overflow-in-sf.frames-calc.patch
@@ -0,0 +1,39 @@
+From 3fb27a2c93a11dd3321b0b13140d89ebb39060cb Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 17 Oct 2023 11:50:53 -0400
+Subject: [PATCH] nms_adpcm: fix int overflow in sf.frames calc
+
+When calculating sf.frames from the blocks_total PNMS variable, it is
+theoretically possible to overflow the blocks_total int boundaries,
+leading to undefined behavior.
+
+Cast blocks_total to a long-sized sf_count_t before the calculation, to
+provide it with enough numeric space and because that is the final
+typing regardless.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/3fb27a2c93a11dd3321b0b13140d89ebb39060cb
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/nms_adpcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nms_adpcm.c b/src/nms_adpcm.c
+index dca85f0b..61d171c7 100644
+--- a/src/nms_adpcm.c
+++ b/src/nms_adpcm.c
+@@ -1090,7 +1090,7 @@ nms_adpcm_init (SF_PRIVATE *psf)
+ 	else
+ 		pnms->blocks_total = psf->datalength / (pnms->shortsperblock * sizeof (short)) ;
+ 
+-	psf->sf.frames		= pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ;
+	psf->sf.frames		= (sf_count_t) pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ;
+ 	psf->codec_close	= nms_adpcm_close ;
+ 	psf->seek			= nms_adpcm_seek ;
+ 
+-- 
+2.39.5
+
--- a/package/libsndfile/0011-pcm-fix-int-overflow-in-pcm_init.patch
+++ b/package/libsndfile/0011-pcm-fix-int-overflow-in-pcm_init.patch
@@ -0,0 +1,35 @@
+From 09f8f8d5544d98a5a2d28504c02314a2a816ac37 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 17 Oct 2023 11:57:23 -0400
+Subject: [PATCH] pcm: fix int overflow in pcm_init()
+
+Cast the int-sized bytewidth variable to a long-sized sf_count_t type
+prior to calculating the blockwidth, to provide the calculation with
+enough numeric space and sf_count_t is the final typing regardless.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/09f8f8d5544d98a5a2d28504c02314a2a816ac37
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/pcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pcm.c b/src/pcm.c
+index bdf46183..a42e4868 100644
+--- a/src/pcm.c
+++ b/src/pcm.c
+@@ -127,7 +127,7 @@ pcm_init (SF_PRIVATE *psf)
+ 		return SFE_INTERNAL ;
+ 		} ;
+ 
+-	psf->blockwidth = psf->bytewidth * psf->sf.channels ;
+	psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ;
+ 
+ 	if ((SF_CODEC (psf->sf.format)) == SF_FORMAT_PCM_S8)
+ 		chars = SF_CHARS_SIGNED ;
+-- 
+2.39.5
+
--- a/package/libsndfile/0012-rf64-fix-int-overflow-in-rf64_read_header.patch
+++ b/package/libsndfile/0012-rf64-fix-int-overflow-in-rf64_read_header.patch
@@ -0,0 +1,40 @@
+From 49704025956f03751d3436a0bb42287cd7f434b6 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 17 Oct 2023 12:01:00 -0400
+Subject: [PATCH] rf64: fix int overflow in rf64_read_header()
+
+When checking for mismatches between the filelength and riff_size, it is
+possible to overflow the temporary riff_size value used in the
+comparison by adding a static offset; which is probably fine, but it is
+offensive to overflow fuzzers.
+
+Since filelength is always a positive value, simply move the offset to
+the other side of the comparison operator as a negative value, avoid the
+possibility of an overflow.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/49704025956f03751d3436a0bb42287cd7f434b6
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/rf64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/rf64.c b/src/rf64.c
+index 123db445..c60399fb 100644
+--- a/src/rf64.c
+++ b/src/rf64.c
+@@ -242,7 +242,7 @@ rf64_read_header (SF_PRIVATE *psf, int *blockalign, int *framesperblock)
+ 							} ;
+ 						} ;
+ 
+-					if (psf->filelength != riff_size + 8)
+					if (psf->filelength - 8 != riff_size)
+ 						psf_log_printf (psf, "  Riff size : %D (should be %D)\n", riff_size, psf->filelength - 8) ;
+ 					else
+ 						psf_log_printf (psf, "  Riff size : %D\n", riff_size) ;
+-- 
+2.39.5
+
--- a/package/libsndfile/0013-ima_adpcm-fix-int-overflow-in-ima_reader_init.patch
+++ b/package/libsndfile/0013-ima_adpcm-fix-int-overflow-in-ima_reader_init.patch
@@ -0,0 +1,55 @@
+From 9a829113c88a51e57c1e46473e90609e4b7df151 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 17 Oct 2023 12:19:12 -0400
+Subject: [PATCH] ima_adpcm: fix int overflow in ima_reader_init()
+
+When calculating sf.frames, pre-cast samplesperblock to sf_count_t, to
+provide the calculation with enough numeric space to avoid overflows.
+
+Other changes in this commit are syntactic, and only to satisfy the git
+pre-commit syntax checker.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+Upstream: https://github.com/libsndfile/libsndfile/commit/9a829113c88a51e57c1e46473e90609e4b7df151
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/ima_adpcm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/ima_adpcm.c b/src/ima_adpcm.c
+index bc61f4e5..7464d1b3 100644
+--- a/src/ima_adpcm.c
+++ b/src/ima_adpcm.c
+@@ -187,7 +187,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ 	**	to avoid having to branch when pulling apart the nibbles.
+ 	*/
+ 	count = ((samplesperblock - 2) | 7) + 2 ;
+-	pimasize = sizeof (IMA_ADPCM_PRIVATE) + psf->sf.channels * (blockalign + samplesperblock + sizeof(short) * count) ;
+	pimasize = sizeof (IMA_ADPCM_PRIVATE) + psf->sf.channels * (blockalign + samplesperblock + sizeof (short) * count) ;
+ 
+ 	if (! (pima = calloc (1, pimasize)))
+ 		return SFE_MALLOC_FAILED ;
+@@ -238,7 +238,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ 		case SF_FORMAT_AIFF :
+ 				psf_log_printf (psf, "still need to check block count\n") ;
+ 				pima->decode_block = aiff_ima_decode_block ;
+-				psf->sf.frames = pima->samplesperblock * pima->blocks / pima->channels ;
+				psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks / pima->channels ;
+ 				break ;
+ 
+ 		default :
+@@ -391,7 +391,7 @@ aiff_ima_encode_block (SF_PRIVATE *psf, IMA_ADPCM_PRIVATE *pima)
+ static int
+ wavlike_ima_decode_block (SF_PRIVATE *psf, IMA_ADPCM_PRIVATE *pima)
+ {	int		chan, k, predictor, blockindx, indx, indxstart, diff ;
+-	short	step, bytecode, stepindx [2] = { 0 };
+	short	step, bytecode, stepindx [2] = { 0 } ;
+ 
+ 	pima->blockcount ++ ;
+ 	pima->samplecount = 0 ;
+-- 
+2.39.5
+
--- a/package/libsndfile/0014-src-ogg-better-error-checking-for-vorbis.-Fixes-1035.patch
+++ b/package/libsndfile/0014-src-ogg-better-error-checking-for-vorbis.-Fixes-1035.patch
@@ -0,0 +1,411 @@
+From 4755f5bd7854611d92ad0f1295587b439f9950ba Mon Sep 17 00:00:00 2001
+From: Arthur Taylor <art@ified.ca>
+Date: Fri, 15 Nov 2024 19:46:53 -0800
+Subject: [PATCH] src/ogg: better error checking for vorbis. Fixes #1035
+
+Upstream: https://github.com/libsndfile/libsndfile/commit/4755f5bd7854611d92ad0f1295587b439f9950ba
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/ogg.c        |  12 ++--
+ src/ogg_opus.c   |  17 +++--
+ src/ogg_vorbis.c | 170 ++++++++++++++++++++++++++---------------------
+ 3 files changed, 114 insertions(+), 85 deletions(-)
+
+diff --git a/src/ogg.c b/src/ogg.c
+index 529941af..e2d679d4 100644
+--- a/src/ogg.c
+++ b/src/ogg.c
+@@ -211,12 +211,16 @@ ogg_read_first_page (SF_PRIVATE *psf, OGG_PRIVATE *odata)
+ 
+ int
+ ogg_write_page (SF_PRIVATE *psf, ogg_page *page)
+-{	int bytes ;
+{	int n ;
+ 
+-	bytes = psf_fwrite (page->header, 1, page->header_len, psf) ;
+-	bytes += psf_fwrite (page->body, 1, page->body_len, psf) ;
+	n = psf_fwrite (page->header, 1, page->header_len, psf) ;
+	if (n == page->header_len)
+		n += psf_fwrite (page->body, 1, page->body_len, psf) ;
+ 
+-	return bytes == page->header_len + page->body_len ;
+	if (n != page->body_len + page->header_len)
+		return -1 ;
+
+	return n ;
+ } /* ogg_write_page */
+ 
+ sf_count_t
+diff --git a/src/ogg_opus.c b/src/ogg_opus.c
+index 511653ec..e01224b9 100644
+--- a/src/ogg_opus.c
+++ b/src/ogg_opus.c
+@@ -827,15 +827,16 @@ ogg_opus_write_header (SF_PRIVATE *psf, int UNUSED (calc_length))
+ 
+ 	/* The first page MUST only contain the header, so flush it out now */
+ 	ogg_stream_packetin (&odata->ostream, &op) ;
+-	for ( ; (nn = ogg_stream_flush (&odata->ostream, &odata->opage)) ; )
+-	{	if (! (nn = ogg_write_page (psf, &odata->opage)))
+	while (ogg_stream_flush (&odata->ostream, &odata->opage))
+	{	nn = ogg_write_page (psf, &odata->opage) ;
+		if (nn < 0)
+ 		{	psf_log_printf (psf, "Opus : Failed to write header!\n") ;
+ 			if (psf->error)
+ 				return psf->error ;
+ 			return SFE_INTERNAL ;
+ 			} ;
+ 		psf->dataoffset += nn ;
+-		}
+		} ;
+ 
+ 	/*
+ 	** Metadata Tags (manditory)
+@@ -850,15 +851,16 @@ ogg_opus_write_header (SF_PRIVATE *psf, int UNUSED (calc_length))
+ 	vorbiscomment_write_tags (psf, &op, &opustags_ident, opus_get_version_string (), - (OGG_OPUS_COMMENT_PAD)) ;
+ 	op.packetno = 2 ;
+ 	ogg_stream_packetin (&odata->ostream, &op) ;
+-	for ( ; (nn = ogg_stream_flush (&odata->ostream, &odata->opage)) ; )
+-	{	if (! (nn = ogg_write_page (psf, &odata->opage)))
+	while (ogg_stream_flush (&odata->ostream, &odata->opage))
+	{	nn = ogg_write_page (psf, &odata->opage) ;
+		if (nn < 0)
+ 		{	psf_log_printf (psf, "Opus : Failed to write comments!\n") ;
+ 			if (psf->error)
+ 				return psf->error ;
+ 			return SFE_INTERNAL ;
+ 			} ;
+ 		psf->dataoffset += nn ;
+-		}
+		} ;
+ 
+ 	return 0 ;
+ } /* ogg_opus_write_header */
+@@ -1132,7 +1134,8 @@ ogg_opus_write_out (SF_PRIVATE *psf, OGG_PRIVATE *odata, OPUS_PRIVATE *oopus)
+ 		if (nbytes > 0)
+ 		{	oopus->u.encode.last_segments -= ogg_page_segments (&odata->opage) ;
+ 			oopus->pg_pos = oopus->pkt_pos ;
+-			ogg_write_page (psf, &odata->opage) ;
+			if (ogg_write_page (psf, &odata->opage) < 0)
+				return -1 ;
+ 			}
+ 		else
+ 			break ;
+diff --git a/src/ogg_vorbis.c b/src/ogg_vorbis.c
+index add12396..fae252ca 100644
+--- a/src/ogg_vorbis.c
+++ b/src/ogg_vorbis.c
+@@ -82,28 +82,6 @@
+ /* How many seconds in the future to not bother bisection searching for. */
+ #define VORBIS_SEEK_THRESHOLD 2
+ 
+-typedef int convert_func (SF_PRIVATE *psf, int, void *, int, int, float **) ;
+-
+-static int	vorbis_read_header (SF_PRIVATE *psf) ;
+-static int	vorbis_write_header (SF_PRIVATE *psf, int calc_length) ;
+-static int	vorbis_close (SF_PRIVATE *psf) ;
+-static int	vorbis_command (SF_PRIVATE *psf, int command, void *data, int datasize) ;
+-static int	vorbis_byterate (SF_PRIVATE *psf) ;
+-static int	vorbis_calculate_granulepos (SF_PRIVATE *psf, uint64_t *gp_out) ;
+-static int	vorbis_skip (SF_PRIVATE *psf, uint64_t target_gp) ;
+-static int	vorbis_seek_trysearch (SF_PRIVATE *psf, uint64_t target_gp) ;
+-static sf_count_t	vorbis_seek (SF_PRIVATE *psf, int mode, sf_count_t offset) ;
+-static sf_count_t	vorbis_read_s (SF_PRIVATE *psf, short *ptr, sf_count_t len) ;
+-static sf_count_t	vorbis_read_i (SF_PRIVATE *psf, int *ptr, sf_count_t len) ;
+-static sf_count_t	vorbis_read_f (SF_PRIVATE *psf, float *ptr, sf_count_t len) ;
+-static sf_count_t	vorbis_read_d (SF_PRIVATE *psf, double *ptr, sf_count_t len) ;
+-static sf_count_t	vorbis_write_s (SF_PRIVATE *psf, const short *ptr, sf_count_t len) ;
+-static sf_count_t	vorbis_write_i (SF_PRIVATE *psf, const int *ptr, sf_count_t len) ;
+-static sf_count_t	vorbis_write_f (SF_PRIVATE *psf, const float *ptr, sf_count_t len) ;
+-static sf_count_t	vorbis_write_d (SF_PRIVATE *psf, const double *ptr, sf_count_t len) ;
+-static sf_count_t	vorbis_read_sample (SF_PRIVATE *psf, void *ptr, sf_count_t lens, convert_func *transfn) ;
+-static int	vorbis_rnull (SF_PRIVATE *psf, int samples, void *vptr, int off , int channels, float **pcm) ;
+-
+ typedef struct
+ {	int id ;
+ 	const char *name ;
+@@ -145,6 +123,45 @@ typedef struct
+ 	sf_count_t last_page ;
+ } VORBIS_PRIVATE ;
+ 
+typedef int convert_func (SF_PRIVATE *psf, int, void *, int, int, float **) ;
+
+static int	vorbis_read_header (SF_PRIVATE *psf) ;
+static int	vorbis_write_header (SF_PRIVATE *psf, int calc_length) ;
+static int	vorbis_close (SF_PRIVATE *psf) ;
+static int	vorbis_command (SF_PRIVATE *psf, int command, void *data, int datasize) ;
+static int	vorbis_byterate (SF_PRIVATE *psf) ;
+static int	vorbis_calculate_granulepos (SF_PRIVATE *psf, uint64_t *gp_out) ;
+static int	vorbis_skip (SF_PRIVATE *psf, uint64_t target_gp) ;
+static int	vorbis_seek_trysearch (SF_PRIVATE *psf, uint64_t target_gp) ;
+static sf_count_t	vorbis_seek (SF_PRIVATE *psf, int mode, sf_count_t offset) ;
+static sf_count_t	vorbis_read_s (SF_PRIVATE *psf, short *ptr, sf_count_t len) ;
+static sf_count_t	vorbis_read_i (SF_PRIVATE *psf, int *ptr, sf_count_t len) ;
+static sf_count_t	vorbis_read_f (SF_PRIVATE *psf, float *ptr, sf_count_t len) ;
+static sf_count_t	vorbis_read_d (SF_PRIVATE *psf, double *ptr, sf_count_t len) ;
+static sf_count_t	vorbis_write_s (SF_PRIVATE *psf, const short *ptr, sf_count_t len) ;
+static sf_count_t	vorbis_write_i (SF_PRIVATE *psf, const int *ptr, sf_count_t len) ;
+static sf_count_t	vorbis_write_f (SF_PRIVATE *psf, const float *ptr, sf_count_t len) ;
+static sf_count_t	vorbis_write_d (SF_PRIVATE *psf, const double *ptr, sf_count_t len) ;
+static sf_count_t	vorbis_read_sample (SF_PRIVATE *psf, void *ptr, sf_count_t lens, convert_func *transfn) ;
+static int	vorbis_write_samples (SF_PRIVATE *psf, OGG_PRIVATE *odata, VORBIS_PRIVATE *vdata, int in_frames) ;
+static int	vorbis_rnull (SF_PRIVATE *psf, int samples, void *vptr, int off , int channels, float **pcm) ;
+static void	vorbis_log_error (SF_PRIVATE *psf, int error) ;
+
+
+static void
+vorbis_log_error(SF_PRIVATE *psf, int error) {
+	switch (error)
+	{	case 0: return;
+		case OV_EIMPL:		psf->error = SFE_UNIMPLEMENTED ; break ;
+		case OV_ENOTVORBIS:	psf->error = SFE_MALFORMED_FILE ; break ;
+		case OV_EBADHEADER:	psf->error = SFE_MALFORMED_FILE ; break ;
+		case OV_EVERSION:	psf->error = SFE_UNSUPPORTED_ENCODING ; break ;
+		case OV_EFAULT:
+		case OV_EINVAL:
+		default: psf->error = SFE_INTERNAL ;
+		} ;
+} ;
+
+ static int
+ vorbis_read_header (SF_PRIVATE *psf)
+ {	OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ;
+@@ -380,7 +397,6 @@ vorbis_write_header (SF_PRIVATE *psf, int UNUSED (calc_length))
+ 	{	ogg_packet header ;
+ 		ogg_packet header_comm ;
+ 		ogg_packet header_code ;
+-		int result ;
+ 
+ 		vorbis_analysis_headerout (&vdata->vdsp, &vdata->vcomment, &header, &header_comm, &header_code) ;
+ 		ogg_stream_packetin (&odata->ostream, &header) ; /* automatically placed in its own page */
+@@ -390,9 +406,9 @@ vorbis_write_header (SF_PRIVATE *psf, int UNUSED (calc_length))
+ 		/* This ensures the actual
+ 		 * audio data will start on a new page, as per spec
+ 		 */
+-		while ((result = ogg_stream_flush (&odata->ostream, &odata->opage)) != 0)
+-		{	ogg_write_page (psf, &odata->opage) ;
+-			} ;
+		while (ogg_stream_flush (&odata->ostream, &odata->opage))
+			if (ogg_write_page (psf, &odata->opage) < 0)
+				return -1 ;
+ 	}
+ 
+ 	return 0 ;
+@@ -402,6 +418,7 @@ static int
+ vorbis_close (SF_PRIVATE *psf)
+ {	OGG_PRIVATE* odata = psf->container_data ;
+ 	VORBIS_PRIVATE *vdata = psf->codec_data ;
+	int ret = 0 ;
+ 
+ 	if (odata == NULL || vdata == NULL)
+ 		return 0 ;
+@@ -412,34 +429,14 @@ vorbis_close (SF_PRIVATE *psf)
+ 	if (psf->file.mode == SFM_WRITE)
+ 	{
+ 		if (psf->write_current <= 0)
+-			vorbis_write_header (psf, 0) ;
+			ret = vorbis_write_header (psf, 0) ;
+ 
+-		vorbis_analysis_wrote (&vdata->vdsp, 0) ;
+-		while (vorbis_analysis_blockout (&vdata->vdsp, &vdata->vblock) == 1)
+-		{
+-
+-		/* analysis, assume we want to use bitrate management */
+-			vorbis_analysis (&vdata->vblock, NULL) ;
+-			vorbis_bitrate_addblock (&vdata->vblock) ;
+-
+-			while (vorbis_bitrate_flushpacket (&vdata->vdsp, &odata->opacket))
+-			{	/* weld the packet into the bitstream */
+-				ogg_stream_packetin (&odata->ostream, &odata->opacket) ;
+-
+-				/* write out pages (if any) */
+-				while (!odata->eos)
+-				{	int result = ogg_stream_pageout (&odata->ostream, &odata->opage) ;
+-					if (result == 0) break ;
+-					ogg_write_page (psf, &odata->opage) ;
+-
+-		/* this could be set above, but for illustrative purposes, I do
+-		   it here (to show that vorbis does know where the stream ends) */
+-
+-					if (ogg_page_eos (&odata->opage)) odata->eos = 1 ;
+-				}
+-			}
+-		}
+-	}
+		if (ret == 0)
+		{	/* A write of zero samples tells Vorbis the stream is done and to
+			   flush. */
+			ret = vorbis_write_samples (psf, odata, vdata, 0) ;
+			} ;
+		} ;
+ 
+ 	/* ogg_page and ogg_packet structs always point to storage in
+ 	   libvorbis.  They are never freed or manipulated directly */
+@@ -449,7 +446,7 @@ vorbis_close (SF_PRIVATE *psf)
+ 	vorbis_comment_clear (&vdata->vcomment) ;
+ 	vorbis_info_clear (&vdata->vinfo) ;
+ 
+-	return 0 ;
+	return ret ;
+ } /* vorbis_close */
+ 
+ int
+@@ -688,33 +685,40 @@ vorbis_read_d (SF_PRIVATE *psf, double *ptr, sf_count_t lens)
+ /*==============================================================================
+ */
+ 
+-static void
+static int
+ vorbis_write_samples (SF_PRIVATE *psf, OGG_PRIVATE *odata, VORBIS_PRIVATE *vdata, int in_frames)
+-{
+-	vorbis_analysis_wrote (&vdata->vdsp, in_frames) ;
+{	int ret ;
+
+	if ((ret = vorbis_analysis_wrote (&vdata->vdsp, in_frames)) != 0)
+		return ret ;
+ 
+ 	/*
+ 	**	Vorbis does some data preanalysis, then divvies up blocks for
+ 	**	more involved (potentially parallel) processing. Get a single
+ 	**	block for encoding now.
+ 	*/
+-	while (vorbis_analysis_blockout (&vdata->vdsp, &vdata->vblock) == 1)
+	while ((ret = vorbis_analysis_blockout (&vdata->vdsp, &vdata->vblock)) == 1)
+ 	{
+ 		/* analysis, assume we want to use bitrate management */
+-		vorbis_analysis (&vdata->vblock, NULL) ;
+-		vorbis_bitrate_addblock (&vdata->vblock) ;
+		if ((ret = vorbis_analysis (&vdata->vblock, NULL)) != 0)
+			return ret ;
+		if ((ret = vorbis_bitrate_addblock (&vdata->vblock)) != 0)
+			return ret ;
+ 
+-		while (vorbis_bitrate_flushpacket (&vdata->vdsp, &odata->opacket))
+		while ((ret = vorbis_bitrate_flushpacket (&vdata->vdsp, &odata->opacket)) == 1)
+ 		{
+ 			/* weld the packet into the bitstream */
+-			ogg_stream_packetin (&odata->ostream, &odata->opacket) ;
+			if ((ret = ogg_stream_packetin (&odata->ostream, &odata->opacket)) != 0)
+				return ret ;
+ 
+ 			/* write out pages (if any) */
+ 			while (!odata->eos)
+-			{	int result = ogg_stream_pageout (&odata->ostream, &odata->opage) ;
+-				if (result == 0)
+			{	ret = ogg_stream_pageout (&odata->ostream, &odata->opage) ;
+				if (ret == 0)
+ 					break ;
+-				ogg_write_page (psf, &odata->opage) ;
+
+				if (ogg_write_page (psf, &odata->opage) < 0)
+					return -1 ;
+ 
+ 				/*	This could be set above, but for illustrative purposes, I do
+ 				**	it here (to show that vorbis does know where the stream ends) */
+@@ -722,16 +726,22 @@ vorbis_write_samples (SF_PRIVATE *psf, OGG_PRIVATE *odata, VORBIS_PRIVATE *vdata
+ 					odata->eos = 1 ;
+ 				} ;
+ 			} ;
+		if (ret != 0)
+			return ret ;
+ 		} ;
+	if (ret != 0)
+		return ret ;
+ 
+ 	vdata->gp += in_frames ;
+
+	return 0 ;
+ } /* vorbis_write_data */
+ 
+ 
+ static sf_count_t
+ vorbis_write_s (SF_PRIVATE *psf, const short *ptr, sf_count_t lens)
+ {
+-	int i, m, j = 0 ;
+	int i, m, j = 0, ret ;
+ 	OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ;
+ 	VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ;
+ 	int in_frames = lens / psf->sf.channels ;
+@@ -740,14 +750,17 @@ vorbis_write_s (SF_PRIVATE *psf, const short *ptr, sf_count_t lens)
+ 		for (m = 0 ; m < psf->sf.channels ; m++)
+ 			buffer [m][i] = (float) (ptr [j++]) / 32767.0f ;
+ 
+-	vorbis_write_samples (psf, odata, vdata, in_frames) ;
+	if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames)))
+	{	vorbis_log_error (psf, ret) ;
+		return 0 ;
+		} ;
+ 
+ 	return lens ;
+ } /* vorbis_write_s */
+ 
+ static sf_count_t
+ vorbis_write_i (SF_PRIVATE *psf, const int *ptr, sf_count_t lens)
+-{	int i, m, j = 0 ;
+{	int i, m, j = 0, ret ;
+ 	OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ;
+ 	VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ;
+ 	int in_frames = lens / psf->sf.channels ;
+@@ -756,14 +769,17 @@ vorbis_write_i (SF_PRIVATE *psf, const int *ptr, sf_count_t lens)
+ 		for (m = 0 ; m < psf->sf.channels ; m++)
+ 			buffer [m][i] = (float) (ptr [j++]) / 2147483647.0f ;
+ 
+-	vorbis_write_samples (psf, odata, vdata, in_frames) ;
+	if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames)))
+	{	vorbis_log_error (psf, ret) ;
+		return 0 ;
+		} ;
+ 
+ 	return lens ;
+ } /* vorbis_write_i */
+ 
+ static sf_count_t
+ vorbis_write_f (SF_PRIVATE *psf, const float *ptr, sf_count_t lens)
+-{	int i, m, j = 0 ;
+{	int i, m, j = 0, ret ;
+ 	OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ;
+ 	VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ;
+ 	int in_frames = lens / psf->sf.channels ;
+@@ -772,14 +788,17 @@ vorbis_write_f (SF_PRIVATE *psf, const float *ptr, sf_count_t lens)
+ 		for (m = 0 ; m < psf->sf.channels ; m++)
+ 			buffer [m][i] = ptr [j++] ;
+ 
+-	vorbis_write_samples (psf, odata, vdata, in_frames) ;
+	if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames)) != 0)
+	{	vorbis_log_error (psf, ret) ;
+		return 0 ;
+		} ;
+ 
+ 	return lens ;
+ } /* vorbis_write_f */
+ 
+ static sf_count_t
+ vorbis_write_d (SF_PRIVATE *psf, const double *ptr, sf_count_t lens)
+-{	int i, m, j = 0 ;
+{	int i, m, j = 0, ret ;
+ 	OGG_PRIVATE *odata = (OGG_PRIVATE *) psf->container_data ;
+ 	VORBIS_PRIVATE *vdata = (VORBIS_PRIVATE *) psf->codec_data ;
+ 	int in_frames = lens / psf->sf.channels ;
+@@ -788,7 +807,10 @@ vorbis_write_d (SF_PRIVATE *psf, const double *ptr, sf_count_t lens)
+ 		for (m = 0 ; m < psf->sf.channels ; m++)
+ 			buffer [m][i] = (float) ptr [j++] ;
+ 
+-	vorbis_write_samples (psf, odata, vdata, in_frames) ;
+	if ((ret = vorbis_write_samples (psf, odata, vdata, in_frames)) != 0)
+	{	vorbis_log_error (psf, ret) ;
+		return 0 ;
+		} ;
+ 
+ 	return lens ;
+ } /* vorbis_write_d */
+@@ -884,7 +906,7 @@ vorbis_seek_trysearch (SF_PRIVATE *psf, uint64_t target_gp)
+ 		return 0 ;
+ 
+ 	/*	Search for a position a half large-block before our target. As Vorbis is
+-	**	lapped, every sample position come from two blocks, the "left" half of
+	**	lapped, every sample position comes from two blocks, the "left" half of
+ 	**	one block and the "right" half of the previous block.  The granule
+ 	**	position of an Ogg page of a Vorbis stream is the sample offset of the
+ 	**	last finished sample in the stream that can be decoded from a page.  A
+-- 
+2.39.5
+
--- a/package/libsndfile/libsndfile.mk
+++ b/package/libsndfile/libsndfile.mk
@@ -13,6 +13,24 @@ LIBSNDFILE_LICENSE_FILES = COPYING
 LIBSNDFILE_CPE_ID_VALID = YES
 LIBSNDFILE_DEPENDENCIES = host-pkgconf

+# 0001-mat4-mat5-fix-int-overflow-in-dataend-calculation.patch
+# 0002-au-avoid-int-overflow-while-calculating-data_end.patch
+# 0003-avr-fix-int-overflow-in-avr_read_header.patch
+# 0004-sds-fix-int-overflow-warning-in-sample-calculations.patch
+# 0005-aiff-fix-int-overflow-when-counting-header-elements.patch
+# 0006-ircam-fix-int-overflow-in-ircam_read_header.patch
+# 0007-mat4-mat5-fix-int-overflow-when-calculating-blockwid.patch
+# 0008-common-fix-int-overflow-in-psf_binheader_readf.patch
+# 0009-nms_adpcm-fix-int-overflow-in-signal-estimate.patch
+# 0010-nms_adpcm-fix-int-overflow-in-sf.frames-calc.patch
+# 0011-pcm-fix-int-overflow-in-pcm_init.patch
+# 0012-rf64-fix-int-overflow-in-rf64_read_header.patch
+# 0013-ima_adpcm-fix-int-overflow-in-ima_reader_init.patch
+LIBSNDFILE_IGNORE_CVES += CVE-2022-33065
+
+# 0014-src-ogg-better-error-checking-for-vorbis.-Fixes-1035.patch
+LIBSNDFILE_IGNORE_CVES += CVE-2024-50612
+
 LIBSNDFILE_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
 LIBSNDFILE_CONF_OPTS = \
 	--disable-sqlite \
--- a/package/libsoup3/libsoup3.hash
+++ b/package/libsoup3/libsoup3.hash
@@ -1,4 +1,4 @@
-# From https://download.gnome.org/sources/libsoup/3.6/libsoup-3.6.0.sha256sum
-sha256  62959f791e8e8442f8c13cedac8c4919d78f9120d5bb5301be67a5e53318b4a3  libsoup-3.6.0.tar.xz
+# From https://download.gnome.org/sources/libsoup/3.6/libsoup-3.6.1.sha256sum
+sha256  ceb1f1aa2bdd73b2cd8159d3998c96c55ef097ef15e4b4f36029209fa18af838  libsoup-3.6.1.tar.xz
 # Locally calculated
 sha256  b7993225104d90ddd8024fd838faf300bea5e83d91203eab98e29512acebd69c  COPYING
--- a/package/libsoup3/libsoup3.mk
+++ b/package/libsoup3/libsoup3.mk
@@ -5,7 +5,7 @@
 ################################################################################

 LIBSOUP3_VERSION_MAJOR = 3.6
-LIBSOUP3_VERSION = $(LIBSOUP3_VERSION_MAJOR).0
+LIBSOUP3_VERSION = $(LIBSOUP3_VERSION_MAJOR).1
 LIBSOUP3_SOURCE = libsoup-$(LIBSOUP3_VERSION).tar.xz
 LIBSOUP3_SITE = https://download.gnome.org/sources/libsoup/$(LIBSOUP3_VERSION_MAJOR)
 LIBSOUP3_LICENSE = LGPL-2.0+
--- a/package/libvirt/libvirt.mk
+++ b/package/libvirt/libvirt.mk
@@ -250,6 +250,36 @@ define LIBVIRT_INSTALL_UDEV_RULES
 endef
 LIBVIRT_POST_INSTALL_TARGET_HOOKS += LIBVIRT_INSTALL_UDEV_RULES

+ifeq ($(BR2_PACKAGE_LIBVIRT_QEMU),y)
+define LIBVIRT_USERS_QEMU
+	qemu -1 kvm -1 * - - - Libvirt qemu/kvm daemon
+endef
+define LIBVIRT_PERMISSIONS_QEMU
+	/var/cache/libvirt/qemu                  d  750  qemu  kvm   -  -  -  -  -
+	/var/cache/libvirt/qemu/capabilities     d  755  root  root  -  -  -  -  -
+	/var/lib/libvirt/qemu                    d  751  qemu  kvm   -  -  -  -  -
+	/var/lib/libvirt/qemu/autostart          d  700  root  root  -  -  -  -  -
+	/var/lib/libvirt/qemu/channel            d  755  qemu  kvm   -  -  -  -  -
+	/var/lib/libvirt/qemu/channel/target     d  755  qemu  kvm   -  -  -  -  -
+	/var/lib/libvirt/qemu/dump               d  755  qemu  kvm   -  -  -  -  -
+	/var/lib/libvirt/qemu/networks           d  700  root  root  -  -  -  -  -
+	/var/lib/libvirt/qemu/networks/autostart d  700  root  root  -  -  -  -  -
+	/var/lib/libvirt/qemu/nvram              d  755  qemu  kvm   -  -  -  -  -
+	/var/lib/libvirt/qemu/save               d  755  qemu  kvm   -  -  -  -  -
+	/var/lib/libvirt/qemu/snapshot           d  755  qemu  kvm   -  -  -  -  -
+	/var/log/libvirt/qemu                    d  750  root  root  -  -  -  -  -
+	/var/log/swtpm/libvirt/qemu              d  711  root  root  -  -  -  -  -
+endef
+define LIBVIRT_CREATE_SYMLINKS_QEMU
+	$(INSTALL) -m 751 -d $(TARGET_DIR)/var/lib/libvirt/qemu
+	ln -s -f ../../var/lib/libvirt/qemu $(TARGET_DIR)/etc/libvirt/
+endef
+endif
+
+define LIBVIRT_USERS
+	$(LIBVIRT_USERS_QEMU)
+endef
+
 # Adjust directory ownerships and permissions. Notice /var/log is a symlink to
 # /tmp in the default sysvinit skeleton, so some directories may disappear at
 # run-time. Set the permissions anyway, since they are valid for the default
@@ -263,29 +293,16 @@ define LIBVIRT_PERMISSIONS
 	/var/lib/libvirt/filesystems             d  711  root  root  -  -  -  -  -
 	/var/lib/libvirt/images                  d  711  root  root  -  -  -  -  -
 	/var/lib/libvirt/network                 d  700  root  root  -  -  -  -  -
-	/var/lib/libvirt/qemu                    d  751  qemu  kvm   -  -  -  -  -
-	/var/lib/libvirt/qemu/autostart          d  700  root  root  -  -  -  -  -
-	/var/lib/libvirt/qemu/networks           d  700  root  root  -  -  -  -  -
-	/var/lib/libvirt/qemu/networks/autostart d  700  root  root  -  -  -  -  -
-	/var/lib/libvirt/qemu/channel            d  755  qemu  kvm   -  -  -  -  -
-	/var/lib/libvirt/qemu/channel/target     d  755  qemu  kvm   -  -  -  -  -
-	/var/lib/libvirt/qemu/dump               d  755  qemu  kvm   -  -  -  -  -
-	/var/lib/libvirt/qemu/nvram              d  755  qemu  kvm   -  -  -  -  -
-	/var/lib/libvirt/qemu/save               d  755  qemu  kvm   -  -  -  -  -
-	/var/lib/libvirt/qemu/snapshot           d  755  qemu  kvm   -  -  -  -  -
 	/var/lib/libvirt/secrets                 d  700  root  root  -  -  -  -  -
 	/var/lib/libvirt/storage                 d  755  root  root  -  -  -  -  -
 	/var/lib/libvirt/storage/autostart       d  755  root  root  -  -  -  -  -
 	/var/cache/libvirt                       d  711  root  root  -  -  -  -  -
 	/var/cache/libvirt/lxc                   d  750  root  root  -  -  -  -  -
-	/var/cache/libvirt/qemu                  d  750  qemu  kvm   -  -  -  -  -
-	/var/cache/libvirt/qemu/capabilities     d  755  root  root  -  -  -  -  -
 	/var/log/libvirt                         d  700  root  root  -  -  -  -  -
 	/var/log/libvirt/lxc                     d  750  root  root  -  -  -  -  -
-	/var/log/libvirt/qemu                    d  750  root  root  -  -  -  -  -
 	/var/log/swtpm                           d  755  root  root  -  -  -  -  -
 	/var/log/swtpm/libvirt                   d  755  root  root  -  -  -  -  -
-	/var/log/swtpm/libvirt/qemu              d  711  root  root  -  -  -  -  -
+	$(LIBVIRT_PERMISSIONS_QEMU)
 endef

 # libvirt may need to create persistent files (e.g. VM definitions) in these
@@ -296,22 +313,15 @@ endef
 define LIBVIRT_CREATE_SYMLINKS
 	$(INSTALL) -m 700 -d $(TARGET_DIR)/etc/libvirt
 	$(INSTALL) -m 755 -d $(TARGET_DIR)/var/lib/libvirt
-	$(INSTALL) -m 751 -d $(TARGET_DIR)/var/lib/libvirt/qemu
 	$(INSTALL) -m 700 -d $(TARGET_DIR)/var/lib/libvirt/secrets
 	$(INSTALL) -m 755 -d $(TARGET_DIR)/var/lib/libvirt/storage
-	ln -s -f ../../var/lib/libvirt/qemu $(TARGET_DIR)/etc/libvirt/
 	ln -s -f ../../var/lib/libvirt/secrets $(TARGET_DIR)/etc/libvirt/
 	ln -s -f ../../var/lib/libvirt/storage $(TARGET_DIR)/etc/libvirt/
+	$(LIBVIRT_CREATE_SYMLINKS_QEMU)
 endef

 LIBVIRT_PRE_INSTALL_TARGET_HOOKS += LIBVIRT_CREATE_SYMLINKS

-ifeq ($(BR2_PACKAGE_LIBVIRT_QEMU),y)
-define LIBVIRT_USERS
-	qemu -1 kvm -1 * - - - Libvirt qemu/kvm daemon
-endef
-endif
-
 ifeq ($(BR2_PACKAGE_LIBVIRT_DAEMON),y)
 define LIBVIRT_INSTALL_INIT_SYSV
 	$(INSTALL) -D -m 0755 package/libvirt/S91virtlogd $(TARGET_DIR)/etc/init.d/S91virtlogd
--- a/package/libxcrypt/Config.in
+++ b/package/libxcrypt/Config.in
@@ -1,5 +1,6 @@
 config BR2_PACKAGE_LIBXCRYPT
 	bool "libxcrypt"
+	depends on BR2_TOOLCHAIN_USES_GLIBC
 	help
 	  libxcrypt is a modern library for one-way hashing
 	  of passwords. It supports a wide variety of both
--- a/package/libxml2/0001-Fix-compilation-with-uclibc.patch
+++ b/package/libxml2/0001-Fix-compilation-with-uclibc.patch
@@ -0,0 +1,114 @@
+From fc72e0833a4e5724aef604e2fd9adb1014cb4844 Mon Sep 17 00:00:00 2001
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Date: Mon, 16 Dec 2024 17:23:23 +0100
+Subject: [PATCH] Fix compilation with uclibc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The patch fixes the following errors and warnings raised by the
+compilation of the library with uClibc:
+
+encoding.c: In function ‘xmlEncInputChunk’:
+encoding.c:2209:32: warning: comparison between pointer and integer
+ 2209 |     else if (handler->iconv_in != NULL) {
+      |                                ^~
+encoding.c: In function ‘xmlEncOutputChunk’:
+encoding.c:2269:33: warning: comparison between pointer and integer
+ 2269 |     else if (handler->iconv_out != NULL) {
+      |                                 ^~
+encoding.c: In function ‘xmlCharEncCloseFunc’:
+encoding.c:2681:29: warning: comparison between pointer and integer
+ 2681 |     if ((handler->iconv_out != NULL) || (handler->iconv_in != NULL)) {
+      |                             ^~
+encoding.c:2681:60: warning: comparison between pointer and integer
+ 2681 |     if ((handler->iconv_out != NULL) || (handler->iconv_in != NULL)) {
+      |                                                            ^~
+encoding.c:2683:32: warning: comparison between pointer and integer
+ 2683 |         if (handler->iconv_out != NULL) {
+      |                                ^~
+encoding.c:2686:32: error: assignment to ‘iconv_t’ {aka ‘long int’} from ‘void *’ makes integer from pointer without a cast [-Wint-conversion]
+ 2686 |             handler->iconv_out = NULL;
+      |                                ^
+encoding.c:2688:31: warning: comparison between pointer and integer
+ 2688 |         if (handler->iconv_in != NULL) {
+      |                               ^~
+encoding.c:2691:31: error: assignment to ‘iconv_t’ {aka ‘long int’} from ‘void *’ makes integer from pointer without a cast [-Wint-conversion]
+ 2691 |             handler->iconv_in = NULL;
+      |                               ^
+make[4]: *** [Makefile:1147: libxml2_la-encoding.lo] Error 1
+
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Upstream: https://gitlab.gnome.org/GNOME/libxml2/-/commit/fc72e0833a4e5724aef604e2fd9adb1014cb4844
+---
+ encoding.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/encoding.c b/encoding.c
+index 14ffafddbc02..41ecde1885e4 100644
+--- a/encoding.c
+++ b/encoding.c
+@@ -1264,7 +1264,7 @@ DECLARE_ISO_FUNCS(16)
+ #endif /* LIBXML_ISO8859X_ENABLED */
+ 
+ #ifdef LIBXML_ICONV_ENABLED
+-  #define EMPTY_ICONV , (iconv_t) 0, (iconv_t) 0
+  #define EMPTY_ICONV , (iconv_t) -1, (iconv_t) -1
+ #else
+   #define EMPTY_ICONV
+ #endif
+@@ -1389,8 +1389,8 @@ xmlNewCharEncodingHandler(const char *name,
+     handler->name = up;
+ 
+ #ifdef LIBXML_ICONV_ENABLED
+-    handler->iconv_in = NULL;
+-    handler->iconv_out = NULL;
+    handler->iconv_in = (iconv_t) -1;
+    handler->iconv_out = (iconv_t) -1;
+ #endif
+ #ifdef LIBXML_ICU_ENABLED
+     handler->uconv_in = NULL;
+@@ -2200,7 +2200,7 @@ xmlEncInputChunk(xmlCharEncodingHandler *handler, unsigned char *out,
+         }
+     }
+ #ifdef LIBXML_ICONV_ENABLED
+-    else if (handler->iconv_in != NULL) {
+    else if (handler->iconv_in != (iconv_t) -1) {
+         ret = xmlIconvWrapper(handler->iconv_in, out, outlen, in, inlen);
+     }
+ #endif /* LIBXML_ICONV_ENABLED */
+@@ -2260,7 +2260,7 @@ xmlEncOutputChunk(xmlCharEncodingHandler *handler, unsigned char *out,
+         }
+     }
+ #ifdef LIBXML_ICONV_ENABLED
+-    else if (handler->iconv_out != NULL) {
+    else if (handler->iconv_out != (iconv_t) -1) {
+         ret = xmlIconvWrapper(handler->iconv_out, out, outlen, in, inlen);
+     }
+ #endif /* LIBXML_ICONV_ENABLED */
+@@ -2672,17 +2672,17 @@ xmlCharEncCloseFunc(xmlCharEncodingHandler *handler) {
+      * Iconv handlers can be used only once, free the whole block.
+      * and the associated icon resources.
+      */
+-    if ((handler->iconv_out != NULL) || (handler->iconv_in != NULL)) {
+    if ((handler->iconv_out != (iconv_t) -1) || (handler->iconv_in != (iconv_t) -1)) {
+         tofree = 1;
+-	if (handler->iconv_out != NULL) {
+	if (handler->iconv_out != (iconv_t) -1) {
+ 	    if (iconv_close(handler->iconv_out))
+ 		ret = -1;
+-	    handler->iconv_out = NULL;
+	    handler->iconv_out = (iconv_t) -1;
+ 	}
+-	if (handler->iconv_in != NULL) {
+	if (handler->iconv_in != (iconv_t) -1) {
+ 	    if (iconv_close(handler->iconv_in))
+ 		ret = -1;
+-	    handler->iconv_in = NULL;
+	    handler->iconv_in = (iconv_t) -1;
+ 	}
+     }
+ #endif /* LIBXML_ICONV_ENABLED */
+-- 
+2.43.0
+
--- a/package/libxml2/libxml2.hash
+++ b/package/libxml2/libxml2.hash
@@ -1,4 +1,4 @@
-# From https://download.gnome.org/sources/libxml2/2.13/libxml2-2.13.4.sha256sum
-sha256  65d042e1c8010243e617efb02afda20b85c2160acdbfbcb5b26b80cec6515650  libxml2-2.13.4.tar.xz
+# From https://download.gnome.org/sources/libxml2/2.13/libxml2-2.13.5.sha256sum
+sha256  74fc163217a3964257d3be39af943e08861263c4231f9ef5b496b6f6d4c7b2b6  libxml2-2.13.5.tar.xz
 # License files, locally calculated
 sha256  c99aae1afe013e50b8b3701e089222b351258043c3025b64053a233fd25b4be7  Copyright
--- a/package/libxml2/libxml2.mk
+++ b/package/libxml2/libxml2.mk
@@ -5,7 +5,7 @@
 ################################################################################

 LIBXML2_VERSION_MAJOR = 2.13
-LIBXML2_VERSION = $(LIBXML2_VERSION_MAJOR).4
+LIBXML2_VERSION = $(LIBXML2_VERSION_MAJOR).5
 LIBXML2_SOURCE = libxml2-$(LIBXML2_VERSION).tar.xz
 LIBXML2_SITE = \
 	https://download.gnome.org/sources/libxml2/$(LIBXML2_VERSION_MAJOR)
--- a/package/libzenoh-pico/0001-CMakeLists.txt-don-t-override-the-optimization-level.patch
+++ b/package/libzenoh-pico/0001-CMakeLists.txt-don-t-override-the-optimization-level.patch
@@ -0,0 +1,64 @@
+From 32d087860abaf5b2374043db7034174aec06b885 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Date: Tue, 31 Dec 2024 15:52:57 +0100
+Subject: [PATCH] CMakeLists.txt: don't override the optimization level
+
+zenoh-pico's CMakeLists.txt has some logic to provide its own compiler
+optimization level: -O3 for release builds, -O0 for debug builds.
+
+Unfortunately, using add_compile_options() means that those settings
+take precedence over what the user can pass as custom compiler
+flags. And this causes issues for example when doing a debug build
+with _FORTIFY_SOURCE enabled, as _FORTIFY_SOURCE support in glibc is
+incompatible with unoptimized builds causing this build failure:
+
+/home/thomas/projets/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/include/features.h:414:4: error: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Werror=cpp]
+  414 | #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
+      |    ^~~~~~~
+
+which is a warning, but as zenoh-pico builds with -Werror, it turns
+into a build failure.
+
+As it is unclear how CMakeLists.txt can pass a default -O level, while
+allowing it to be overridden by the user, we simply remove those
+optimization level options.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Upstream: https://github.com/eclipse-zenoh/zenoh-pico/pull/847
+---
+ CMakeLists.txt | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 7a9fb6d1..97fba56a 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -85,13 +85,13 @@ string(TOUPPER ${CMAKE_BUILD_TYPE} CMAKE_BUILD_TYPE)
+ # Compile options
+ if(CMAKE_BUILD_TYPE MATCHES "RELEASE" OR "Release")
+   if(UNIX)
+-    add_compile_options(-pipe -O3)
+    add_compile_options(-pipe)
+   elseif(CMAKE_SYSTEM_NAME MATCHES "Generic")
+-    add_compile_options(-pipe -O3)
+    add_compile_options(-pipe)
+   endif()
+ else()
+   if(UNIX)
+-    add_compile_options(-c -Wall -Wextra -Werror -Wshadow -Wunused -Wstrict-prototypes -pipe -g -O0)
+    add_compile_options(-c -Wall -Wextra -Werror -Wshadow -Wunused -Wstrict-prototypes -pipe -g)
+     # C99 pedantic doesn't like struct anonymous in unix header
+     if (NOT CMAKE_C_STANDARD STREQUAL "99")
+       add_compile_options(-Wpedantic)
+@@ -100,7 +100,7 @@ else()
+   elseif(MSVC)
+     add_compile_options(/W4 /WX /Od /wd4127)
+   elseif(CMAKE_SYSTEM_NAME MATCHES "Generic")
+-    add_compile_options(-Wall -Wextra -Wno-unused-parameter -Wmissing-prototypes -pipe -g -O0)
+    add_compile_options(-Wall -Wextra -Wno-unused-parameter -Wmissing-prototypes -pipe -g)
+   endif()
+ endif()
+ 
+-- 
+2.47.1
+
--- a/package/linux-headers/Config.in.host
+++ b/package/linux-headers/Config.in.host
@@ -429,11 +429,11 @@ endchoice
 config BR2_DEFAULT_KERNEL_HEADERS
 	string
 	default "4.19.325"	if BR2_KERNEL_HEADERS_4_19
-	default "5.4.286"	if BR2_KERNEL_HEADERS_5_4
-	default "5.10.230"	if BR2_KERNEL_HEADERS_5_10
-	default "5.15.173"	if BR2_KERNEL_HEADERS_5_15
-	default "6.1.119"	if BR2_KERNEL_HEADERS_6_1
-	default "6.6.63"	if BR2_KERNEL_HEADERS_6_6
+	default "5.4.288"	if BR2_KERNEL_HEADERS_5_4
+	default "5.10.232"	if BR2_KERNEL_HEADERS_5_10
+	default "5.15.175"	if BR2_KERNEL_HEADERS_5_15
+	default "6.1.122"	if BR2_KERNEL_HEADERS_6_1
+	default "6.6.68"	if BR2_KERNEL_HEADERS_6_6
 	default "6.11.11"	if BR2_KERNEL_HEADERS_6_11
 	default BR2_DEFAULT_KERNEL_VERSION if BR2_KERNEL_HEADERS_VERSION
 	default "custom"	if BR2_KERNEL_HEADERS_CUSTOM_TARBALL
--- a/package/linux-pam/0001-build-consistently-include-config.h-first.patch
+++ b/package/linux-pam/0001-build-consistently-include-config.h-first.patch
@@ -0,0 +1,180 @@
+From cdba2c8cdba9b3500595624fb375c0dda266631b Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@strace.io>
+Date: Fri, 30 Aug 2024 08:00:00 +0000
+Subject: [PATCH] build: consistently include config.h first
+
+Make sure that config.h is included before any system header.
+
+Upstream: https://github.com/linux-pam/linux-pam/commit/5d7eefb1883c557c7a027f68e966e2fae294a9b6
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ libpam/pam_prelude.c                | 8 ++++----
+ modules/pam_namespace/argv_parse.c  | 2 ++
+ modules/pam_setquota/pam_setquota.c | 3 ++-
+ modules/pam_timestamp/sha1.c        | 2 +-
+ modules/pam_unix/audit.c            | 3 +--
+ modules/pam_unix/bigcrypt_main.c    | 2 ++
+ modules/pam_unix/md5.c              | 4 ++--
+ modules/pam_unix/md5_crypt.c        | 2 +-
+ modules/pam_unix/yppasswd.h         | 2 ++
+ 9 files changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/libpam/pam_prelude.c b/libpam/pam_prelude.c
+index 6c73bf5d..c62e2f2c 100644
+--- a/libpam/pam_prelude.c
+++ b/libpam/pam_prelude.c
+@@ -5,17 +5,17 @@
+  * (C) Sebastien Tricaud 2005 <toady@gscore.org>
+  */
+ 
+-#include <stdio.h>
+-#include <syslog.h>
+-
+ #ifdef PRELUDE
+ 
+#include "pam_private.h"
+
+#include <stdio.h>
+#include <syslog.h>
+ #include <libprelude/prelude.h>
+ #include <libprelude/prelude-log.h>
+ #include <libprelude/idmef-message-print.h>
+ 
+ #include "pam_prelude.h"
+-#include "pam_private.h"
+ 
+ 
+ #define ANALYZER_CLASS "pam"
+diff --git a/modules/pam_namespace/argv_parse.c b/modules/pam_namespace/argv_parse.c
+index ac7c9ae0..cbae7831 100644
+--- a/modules/pam_namespace/argv_parse.c
+++ b/modules/pam_namespace/argv_parse.c
+@@ -28,6 +28,8 @@
+  * Version 1.1, modified 2/27/1999
+  */
+ 
+#include "config.h"
+
+ #include <limits.h>
+ #include <stdlib.h>
+ #include <ctype.h>
+diff --git a/modules/pam_setquota/pam_setquota.c b/modules/pam_setquota/pam_setquota.c
+index c15fc669..73445e29 100644
+--- a/modules/pam_setquota/pam_setquota.c
+++ b/modules/pam_setquota/pam_setquota.c
+@@ -8,6 +8,8 @@
+    Copyright © 2016 Keller Fuchs <kellerfuchs@hashbang.sh>
+ */
+ 
+#include "pam_inline.h"
+
+ #include <sys/types.h>
+ #include <sys/quota.h>
+ #include <linux/quota.h>
+@@ -22,7 +24,6 @@
+ #include <security/_pam_macros.h>
+ #include <security/pam_ext.h>
+ #include <security/pam_modutil.h>
+-#include "pam_inline.h"
+ 
+ #ifndef PATH_LOGIN_DEFS
+ # define PATH_LOGIN_DEFS "/etc/login.defs"
+diff --git a/modules/pam_timestamp/sha1.c b/modules/pam_timestamp/sha1.c
+index dff454cf..f21b2870 100644
+--- a/modules/pam_timestamp/sha1.c
+++ b/modules/pam_timestamp/sha1.c
+@@ -37,6 +37,7 @@
+  */
+ /* See http://www.itl.nist.gov/fipspubs/fip180-1.htm for descriptions. */
+ 
+#include "pam_inline.h"
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <netinet/in.h>
+@@ -47,7 +48,6 @@
+ #include <endian.h>
+ #include <unistd.h>
+ #include "sha1.h"
+-#include "pam_inline.h"
+ 
+ static const unsigned char
+ padding[SHA1_BLOCK_SIZE] = {
+diff --git a/modules/pam_unix/audit.c b/modules/pam_unix/audit.c
+index 1547a652..9513aaa9 100644
+--- a/modules/pam_unix/audit.c
+++ b/modules/pam_unix/audit.c
+@@ -1,5 +1,3 @@
+-#include "audit.h"
+-
+ #include "config.h"
+ 
+ #ifdef HAVE_LIBAUDIT
+@@ -11,6 +9,7 @@
+ 
+ #include <security/_pam_types.h>
+ 
+#include "audit.h"
+ #include "passverify.h"
+ 
+ int audit_log(int type, const char *uname, int retval)
+diff --git a/modules/pam_unix/bigcrypt_main.c b/modules/pam_unix/bigcrypt_main.c
+index fab212d9..22d325da 100644
+--- a/modules/pam_unix/bigcrypt_main.c
+++ b/modules/pam_unix/bigcrypt_main.c
+@@ -1,3 +1,5 @@
+#include "config.h"
+
+ #include <stdio.h>
+ #include <string.h>
+ 
+diff --git a/modules/pam_unix/md5.c b/modules/pam_unix/md5.c
+index 95b8de4c..78e9af27 100644
+--- a/modules/pam_unix/md5.c
+++ b/modules/pam_unix/md5.c
+@@ -18,11 +18,11 @@
+  *
+  */
+ 
+#include "pam_inline.h"
+
+ #include <string.h>
+ #include "md5.h"
+ 
+-#include "pam_inline.h"
+-
+ #ifndef HIGHFIRST
+ #define byteReverse(buf, len)	/* Nothing */
+ #else
+diff --git a/modules/pam_unix/md5_crypt.c b/modules/pam_unix/md5_crypt.c
+index 9a6bd4f9..9451f376 100644
+--- a/modules/pam_unix/md5_crypt.c
+++ b/modules/pam_unix/md5_crypt.c
+@@ -12,11 +12,11 @@
+  *
+  */
+ 
+#include "pam_inline.h"
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include "md5.h"
+-#include "pam_inline.h"
+ 
+ static const unsigned char itoa64[] =	/* 0 ... 63 => ascii - 64 */
+ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+diff --git a/modules/pam_unix/yppasswd.h b/modules/pam_unix/yppasswd.h
+index dc686cd7..3a40c3ea 100644
+--- a/modules/pam_unix/yppasswd.h
+++ b/modules/pam_unix/yppasswd.h
+@@ -6,6 +6,8 @@
+ #ifndef _YPPASSWD_H_RPCGEN
+ #define _YPPASSWD_H_RPCGEN
+ 
+#include "config.h"
+
+ #include <rpc/rpc.h>
+ 
+ 
+-- 
+2.47.1
+
--- a/package/netatalk/netatalk.hash
+++ b/package/netatalk/netatalk.hash
@@ -1,7 +1,7 @@
-# From http://sourceforge.net/projects/netatalk/files/netatalk/3.1.18/
-md5  b1caff4e1da534d8ca57d688c7fa3ce1  netatalk-3.1.18.tar.xz
-sha1  cbd92c95d04cfd4a9f49977970501a623310c2d9  netatalk-3.1.18.tar.xz
+# From http://sourceforge.net/projects/netatalk/files/netatalk/3.1.19/
+md5  4861f0c2450ac7a6094e51090e6fdc75  netatalk-3.1.19.tar.xz
+sha1  16900b3b14da9c2f40e1267ecb3e68021cc794b0  netatalk-3.1.19.tar.xz
 # Locally computed
-sha256  3941effcc2c4e0dceecabc763fbb8478a2f2fbe0af4a6314983cfea452df8d47  netatalk-3.1.18.tar.xz
+sha256  433fa87ac23bc18a9acb0769b4f7f4047eeb14e02e0607ecd3a051c31859164f  netatalk-3.1.19.tar.xz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
 sha256  7599ae145e53be03a08f8b558b2f2e0c828e1630f1843cc04f41981b8cefcd65  COPYRIGHT
--- a/package/netatalk/netatalk.mk
+++ b/package/netatalk/netatalk.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-NETATALK_VERSION = 3.1.18
+NETATALK_VERSION = 3.1.19
 NETATALK_SITE = http://downloads.sourceforge.net/project/netatalk/netatalk-$(subst .,-,$(NETATALK_VERSION))
 NETATALK_SOURCE = netatalk-$(NETATALK_VERSION).tar.xz
 NETATALK_CONFIG_SCRIPTS = netatalk-config
--- a/package/nettle/nettle.mk
+++ b/package/nettle/nettle.mk
@@ -5,7 +5,7 @@
 ################################################################################

 NETTLE_VERSION = 3.10
-NETTLE_SITE = https://ftp.gnu.org/gnu/nettle
+NETTLE_SITE = $(BR2_GNU_MIRROR)/nettle
 NETTLE_DEPENDENCIES = host-m4 gmp
 NETTLE_INSTALL_STAGING = YES
 NETTLE_LICENSE = Dual GPL-2.0+/LGPL-3.0+
--- a/package/octave/octave.mk
+++ b/package/octave/octave.mk
@@ -5,7 +5,7 @@
 ################################################################################

 OCTAVE_VERSION = 9.2.0
-OCTAVE_SITE = https://ftp.gnu.org/gnu/octave
+OCTAVE_SITE = $(BR2_GNU_MIRROR)/octave
 OCTAVE_SOURCE = octave-$(OCTAVE_VERSION).tar.lz
 OCTAVE_LICENSE = GPL-3.0+
 OCTAVE_LICENSE_FILES = COPYING
--- a/package/open2300/open2300.hash
+++ b/package/open2300/open2300.hash
@@ -1,4 +1,4 @@
-# Localy computed
+# Locally computed
 sha256  ffa7f8d35b16abfbf5e52285cb21f2a7fc6afb901abb40c0c80eef9d23d08aab  open2300-f21982e0b1f8321561e5ad1668307fde97700e1b.tar.gz

 sha256  91df39d1816bfb17a4dda2d3d2c83b1f6f2d38d53e53e41e8f97ad5ac46a0cad  COPYING
--- a/package/open62541/Config.in
+++ b/package/open62541/Config.in
@@ -88,7 +88,7 @@ config BR2_PACKAGE_OPEN62541_PUBSUB_DELTAFRAMES
 	  The PubSub messages differentiate between keyframe (all
 	  published values contained) and deltaframe (only changed
 	  values contained) messages. Deltaframe messages creation
-	  consumes some additional ressources.
+	  consumes some additional resources.

 config BR2_PACKAGE_OPEN62541_PUBSUB_INFORMATIONMODEL
 	bool "publish/subscribe information model"
--- a/package/opensc/0001-pkcs11-tool-disable-wrap-unwrap-test-until-OpenSC-17.patch
+++ b/package/opensc/0001-pkcs11-tool-disable-wrap-unwrap-test-until-OpenSC-17.patch
@@ -0,0 +1,41 @@
+From 768c9bfcd91206f0d85cd4757fde48e00850a014 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Date: Mon, 6 Jan 2025 22:36:10 +0100
+Subject: [PATCH] pkcs11-tool: disable wrap/unwrap test until OpenSC#1796 is
+ resolved
+
+Similar to ab74fae4d71d1705b77b9459141987a95dcfc91e ("pkcs11-tool:
+disable wrap/unwrap test until OpenSC#1796 is resolved"), but for
+0.26, since OpenSC#1796 is still open.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Upstream: https://github.com/OpenSC/OpenSC/pull/3303
+---
+ src/tools/pkcs11-tool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index d701d76d6..871a39977 100644
+--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
+@@ -7681,7 +7681,7 @@ static int test_verify(CK_SESSION_HANDLE sess)
+ 	return errors;
+ }
+ 
+-#if OPENSC_VERSION_MAJOR == 0 && OPENSC_VERSION_MINOR <= 25
+#if OPENSC_VERSION_MAJOR == 0 && OPENSC_VERSION_MINOR <= 26
+ #else
+ #ifdef ENABLE_OPENSSL
+ static int wrap_unwrap(CK_SESSION_HANDLE session,
+@@ -7805,7 +7805,7 @@ static int wrap_unwrap(CK_SESSION_HANDLE session,
+  */
+ static int test_unwrap(CK_SESSION_HANDLE sess)
+ {
+-#if OPENSC_VERSION_MAJOR == 0 && OPENSC_VERSION_MINOR <= 25
+#if OPENSC_VERSION_MAJOR == 0 && OPENSC_VERSION_MINOR <= 26
+ 	/* temporarily disable test, see https://github.com/OpenSC/OpenSC/issues/1796 */
+ 	return 0;
+ #else
+-- 
+2.47.1
+
--- a/Show More
+++ b/Show More