Update for 2024.05.1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

.gitlab/issue_templates/default.md

@@ -0,0 +1,60 @@
+Thank you for opening a new issue. To help solve it faster and more easily,
+please review this check-list, and fill in the sections below. Adapt as
+needed.
+
+Do not open an issue to request a new feature; instead, post a message to
+[the mailing list](https://lists.buildroot.org/mailman/listinfo/buildroot).
+
+_Note: issues missing any information may get closed without further ado._
+
+---
+### Check-list
+
+- [ ] I did not find the issue in the existing issues
+- [ ] I can reproduce the issue with unmodified Buildroot from [this
+      repository](https://gitlab.com/buildroot.org/buildroot), not from a
+      fork somewhere else
+- [ ] I can reproduce the issue on the latest commit of the branch I'm using:
+    - [ ] master
+    - [ ] stable (i.e. 20NN.MM.x - please specify)
+    - [ ] LTS (i.e. 20NN.02.x - please specify)
+- [ ] I can reproduce the issue after running `make clean; make`
+- [ ] I attached the full build log file (e.g. `make 2>&1 |tee build.log`)
+- [ ] I attached a **minimal** defconfig file that can reproduce the
+      issue (`make BR2_DEFCONFIG=$(pwd)/issue_defconfig savedefconfig`)
+- [ ] I also attached the configuration for kconfig-based packages that
+      are enabled (and necessary to reproduce the issue), most notably:
+    - [ ] busybox
+    - [ ] linux
+    - [ ] uclibc
+    - [ ] uboot
+    - [ ] …
+
+---
+### What I did
+
+**Buildroot commit sha1**: _get this with `git describe HEAD`_
+**Distribution of the build machine**: _get this with `NAME` and `VERSION` from `/etc/os-release`_
+
+_Here, describe what you did:_
+- _any special environment variables: CC, CXX, TARGET, CROSS_COMPILE, etc…_
+- _the commands you ran:_
+    ```sh
+    $ make [...]
+    ```
+- _anything else that you might think is important…_
+
+---
+### What happens
+
+_Here, describe what happens that you believe was incorrect._
+
+---
+### What was expected
+
+_Here, describe the behaviour you expected._
+
+---
+### Extra information
+
+_Here, you may write additional information that does not fit above_

CHANGES

@@ -1,3 +1,21 @@
+2024.05.1, released July 13th, 2024
+
+	Important / security related fixes.
+
+	Infrastructure: Ensure support/scripts/apply-patches can be
+	used outside Buildroot (regression in 2024.05).
+
+	Defconfig: Pine64 rockpro64: Build ethernet driver in kernel
+	rather than as module. QEMU sh4: Change to initramfs to
+	workaround regression in QEMU. Visionfive2: Correct kernel
+	headers version
+
+	Updated/fixed packages: apache, avro-c, daq, dav1d,
+	fluent-bit, ghostscript, glibc, libmad, libopenssl,
+	linux-firmware, mesa3d, network-manager, ntp, nut, octave,
+	openssh, openvpn, php, raspberrypi-usbboot, redis, sentry-cli,
+	tor, uuu, vlc, xmrig, znc
+
 2024.05, released June 12th, 2024
 
 	Various fixes.

DEVELOPERS

@@ -1870,6 +1870,8 @@ F:	support/testing/tests/package/test_netsnmp/
 F:	support/testing/tests/package/test_nftables.py
 F:	support/testing/tests/package/test_nftables/
 F:	support/testing/tests/package/test_ngrep.py
+F:	support/testing/tests/package/test_ntp.py
+F:	support/testing/tests/package/test_ntp/
 F:	support/testing/tests/package/test_numactl.py
 F:	support/testing/tests/package/test_numactl/
 F:	support/testing/tests/package/test_octave.py

Makefile

@@ -90,9 +90,9 @@ all:
 .PHONY: all
 
 # Set and export the version string
-export BR2_VERSION := 2024.05
+export BR2_VERSION := 2024.05.1
 # Actual time the release is cut (for reproducible builds)
-BR2_VERSION_EPOCH = 1718188000
+BR2_VERSION_EPOCH = 1720871000
 
 # Save running make version since it's clobbered by the make package
 RUNNING_MAKE_VERSION := $(MAKE_VERSION)

board/pine64/rockpro64/linux.fragment

@@ -0,0 +1,3 @@
+CONFIG_STMMAC_ETH=y
+CONFIG_STMMAC_PLATFORM=y
+CONFIG_DWMAC_ROCKCHIP=y

board/qemu/sh4-r2d/readme.txt

@@ -1,6 +1,6 @@
 Run the emulation with:
 
-  qemu-system-sh4 -M r2d -kernel output/images/zImage -drive file=output/images/rootfs.ext2,if=ide,format=raw -append "rootwait root=/dev/sda console=ttySC1,115200 noiotrap" -serial null -serial stdio -net nic,model=rtl8139 -net user # qemu_sh4_r2d_defconfig
+  qemu-system-sh4 -M r2d -kernel output/images/zImage -append "console=ttySC1,115200 noiotrap" -serial null -serial stdio -net nic,model=rtl8139 -net user # qemu_sh4_r2d_defconfig
 
 The login prompt will appear in the terminal that started Qemu.
 The graphical window is the framebuffer.

board/qemu/sh4eb-r2d/readme.txt

@@ -1,6 +1,6 @@
 Run the emulation with:
 
-  qemu-system-sh4eb -M r2d -kernel output/images/zImage -drive file=output/images/rootfs.ext2,if=ide,format=raw -append "rootwait root=/dev/sda console=ttySC1,115200 noiotrap" -serial null -serial stdio -net nic,model=rtl8139 -net user # qemu_sh4eb_r2d_defconfig
+  qemu-system-sh4eb -M r2d -kernel output/images/zImage -append "console=ttySC1,115200 noiotrap" -serial null -serial stdio -net nic,model=rtl8139 -net user # qemu_sh4eb_r2d_defconfig
 
 The login prompt will appear in the terminal that started Qemu.
 The graphical window is the framebuffer.

board/stmicroelectronics/stm32f429-disco/patches/linux-headers/linux-headers.hash

@@ -0,0 +1 @@
+../linux/linux.hash

configs/qemu_sh4_r2d_defconfig

@@ -7,7 +7,7 @@ BR2_SYSTEM_DHCP="eth0"
 BR2_TARGET_GENERIC_GETTY_PORT="ttySC1"
 
 # Filesystem
-BR2_TARGET_ROOTFS_EXT2=y
+BR2_TARGET_ROOTFS_INITRAMFS=y
 # BR2_TARGET_ROOTFS_TAR is not set
 
 # Image

configs/qemu_sh4eb_r2d_defconfig

@@ -6,7 +6,7 @@ BR2_sh4eb=y
 BR2_TARGET_GENERIC_GETTY_PORT="ttySC1"
 
 # Filesystem
-BR2_TARGET_ROOTFS_EXT2=y
+BR2_TARGET_ROOTFS_INITRAMFS=y
 # BR2_TARGET_ROOTFS_TAR is not set
 
 # Image

configs/rockpro64_defconfig

@@ -40,6 +40,7 @@ BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
 BR2_LINUX_KERNEL_DTS_SUPPORT=y
 BR2_LINUX_KERNEL_INTREE_DTS_NAME="rockchip/rk3399-rockpro64"
 BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
+BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/pine64/rockpro64/linux.fragment"
 
 # Filesystem
 BR2_TARGET_GENERIC_HOSTNAME="rockpro64"

configs/stm32f429_disco_xip_defconfig

@@ -1,6 +1,6 @@
 BR2_arm=y
 BR2_cortex_m4=y
-BR2_KERNEL_HEADERS_6_1=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_1=y
 # BR2_UCLIBC_INSTALL_UTILS is not set
 BR2_ENABLE_LTO=y
 BR2_GLOBAL_PATCH_DIR="board/stmicroelectronics/stm32f429-disco/patches"

configs/visionfive2_defconfig

@@ -1,4 +1,5 @@
 BR2_riscv=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_8=y
 BR2_GLOBAL_PATCH_DIR="board/visionfive2/patches"
 BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
 BR2_SYSTEM_DHCP="eth0"

linux/linux.hash

@@ -1,13 +1,13 @@
 # From https://www.kernel.org/pub/linux/kernel/v6.x/sha256sums.asc
 sha256  19b31956d229b5b9ca5671fa1c74320179682a3d8d00fc86794114b21da86039  linux-6.8.12.tar.xz
-sha256  aaa824eaf07f61911d22b75ff090a403c3dd0bd73e23933e0bba8b5971436ce1  linux-6.6.32.tar.xz
-sha256  9019f427bfdc9ced5bc954d760d37ac08c0cdffb45ad28087fc45a73e64336c9  linux-6.1.92.tar.xz
+sha256  f3976e77708694fe4a1f8d1307c315c8a36cbc58f038a38e006b91e29a1f3214  linux-6.6.37.tar.xz
+sha256  890b845f36452328716e62dd893b634584f607cdd44b4e685392d302d3be41af  linux-6.1.97.tar.xz
 # From https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
-sha256  f41e718e33b88f269a6b6a7653e5e9824c4ba541f6ffe5bf26ecc37c540a1b05  linux-5.15.160.tar.xz
-sha256  9c36b243e8c3ec1d5963366618f336710b84340bf95be2037b26c452392cb2d6  linux-5.10.218.tar.xz
-sha256  7e1f5b28588e49ddfd18e7772476e4e8b52bdc9c3e19beafcbb7c103e6c01f51  linux-5.4.277.tar.xz
+sha256  91bfc0ea152ce7b102a0b79d35a7c92843874ebf085c99d2ba8b4d85e62b1a7c  linux-5.15.162.tar.xz
+sha256  da1dd47febac4f7856654038a47703666da3afba348b8e96e39584e0972e2725  linux-5.10.221.tar.xz
+sha256  b298436b26395b5c3ace6963836ba70d57cd61e01cff254b0e5443636c324a5e  linux-5.4.279.tar.xz
 # From https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
-sha256  6c5e4d3c87feadbfdb9f7d2e46f3f120b00286ba380491c5956708e0b94232c8  linux-4.19.315.tar.xz
+sha256  062b70cc132378e1c685df44ddf7e05bab4752b690ada17b080655a63f993581  linux-4.19.317.tar.xz
 # Locally computed
 sha256  fb0edc3c18e47d2b6974cb0880a0afb5c3fa08f50ee87dfdf24349405ea5f8ae  linux-cip-5.10.162-cip24.tar.gz
 sha256  b5539243f187e3d478d76d44ae13aab83952c94b885ad889df6fa9997e16a441  linux-cip-5.10.162-cip24-rt10.tar.gz

package/apache/apache.hash

@@ -1,5 +1,5 @@
-# From https://downloads.apache.org/httpd/httpd-2.4.59.tar.bz2.{sha256,sha512}
-sha256  ec51501ec480284ff52f637258135d333230a7d229c3afa6f6c2f9040e321323  httpd-2.4.59.tar.bz2
-sha512  209da0bbac5e2564d4590302515b35495be6402273ff4024aa93e85e44554c95e053201d606383936425a41e1b5b97e6b40055dcbb385eb691a5029a6f3158c2  httpd-2.4.59.tar.bz2
+# From https://downloads.apache.org/httpd/httpd-2.4.61.tar.bz2.{sha256,sha512}
+sha256  ea8ba86fd95bd594d15e46d25ac5bbda82ae0c9122ad93998cc539c133eaceb6  httpd-2.4.61.tar.bz2
+sha512  00656220ecc2b80788f539536553f0a3a57602fb981be22e63af87d0f98ffe5da3056e722ce52ae8cf9c2111ad1922b3aaea1fd7d69d0ed76795199203d593ff  httpd-2.4.61.tar.bz2
 # Locally computed
 sha256  47b8c2b6c3309282a99d4a3001575c790fead690cc14734628c4667d2bbffc43  LICENSE

package/apache/apache.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-APACHE_VERSION = 2.4.59
+APACHE_VERSION = 2.4.61
 APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2
 APACHE_SITE = https://dlcdn.apache.org/httpd
 APACHE_LICENSE = Apache-2.0

package/avro-c/0001-AVRO-3957-Fix-typos-in-docs-and-examples-2795.patch

@@ -0,0 +1,59 @@
+From 52f051dbeefad0b7e73187becad6c33747b047d3 Mon Sep 17 00:00:00 2001
+From: Sahil Kang <sahil.kang@asilaycomputing.com>
+Date: Mon, 11 Mar 2024 03:01:21 -0700
+Subject: [PATCH] AVRO-3957: [C] Fix typos in docs and examples (#2795)
+
+* AVRO-3957: [C] Fix misformatted type in docs
+
+Signed-off-by: Sahil Kang <sahil.kang@asilaycomputing.com>
+Signed-off-by: Sahil Kang <sahilkang@google.com>
+
+* AVRO-3957: [C] Fix type in quickstop example
+
+This removes the following warning:
+
+  avro/lang/c/examples/quickstop.c:123:40: warning: incompatible pointer types passing 'int32_t **' (aka 'int **') to parameter of type
+        'const char **' [-Wincompatible-pointer-types]
+                          avro_value_get_string(&first_value, &p, &size);
+
+Signed-off-by: Sahil Kang <sahil.kang@asilaycomputing.com>
+Signed-off-by: Sahil Kang <sahilkang@google.com>
+
+---------
+
+Signed-off-by: Sahil Kang <sahil.kang@asilaycomputing.com>
+Signed-off-by: Sahil Kang <sahilkang@google.com>
+
+Upstream: https://github.com/apache/avro/commit/52f051dbeefad0b7e73187becad6c33747b047d3
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ lang/c/docs/index.txt       | 2 +-
+ lang/c/examples/quickstop.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/docs/index.txt b/docs/index.txt
+index a439a052631..df16f9d9678 100644
+--- a/docs/index.txt
++++ b/docs/index.txt
+@@ -178,7 +178,7 @@ different versions of the Avro library.  That means that it's really
+ only safe to use these hash values internally within the context of a
+ single execution of a single application.
+ 
+-The +reset+ method “clears out” an +avro_value_t instance, making sure
++The +reset+ method “clears out” an +avro_value_t+ instance, making sure
+ that it's ready to accept the contents of a new value.  For scalars,
+ this is usually a no-op, since the new value will just overwrite the old
+ one.  For arrays and maps, this removes any existing elements from the
+diff --git a/examples/quickstop.c b/examples/quickstop.c
+index ff9e9700590..b26dad10c04 100644
+--- a/examples/quickstop.c
++++ b/examples/quickstop.c
+@@ -107,7 +107,7 @@ int print_person(avro_file_reader_t db, avro_schema_t reader_schema)
+ 	if (rval == 0) {
+ 		int64_t id;
+ 		int32_t age;
+-		int32_t *p;
++		const char *p;
+ 		size_t size;
+ 		avro_value_t id_value;
+ 		avro_value_t first_value;

package/collectd/Config.in

@@ -430,13 +430,14 @@ config BR2_PACKAGE_COLLECTD_NTPD
 config BR2_PACKAGE_COLLECTD_NUT
 	bool "nut"
 	depends on BR2_INSTALL_LIBSTDCPP
+	depends on BR2_TOOLCHAIN_HAS_THREADS
 	select BR2_PACKAGE_NUT
 	help
 	  The NUT plugin collects uninterruptible power supply (UPS)
 	  statistics using the Network UPS Tools (NUT).
 
-comment "nut needs a toolchain w/ C++"
-	depends on !BR2_INSTALL_LIBSTDCPP
+comment "nut needs a toolchain w/ C++, threads"
+	depends on !BR2_INSTALL_LIBSTDCPP || !BR2_TOOLCHAIN_HAS_THREADS
 
 config BR2_PACKAGE_COLLECTD_OLSRD
 	bool "olsrd"

package/daq/daq.hash

@@ -1,7 +1,7 @@
 # From https://www.snort.org/downloads/snort/md5s
-md5  ea796f001d1b00302e4e69e337ab2460  daq-2.0.7.tar.gz
+md5  60e5ddcafb985fac7374884d28f299d1  daq-2.0.7-modified.tar.gz
 # Locally computed:
-sha256  bdc4e5a24d1ea492c39ee213a63c55466a2e8114b6a9abed609927ae13a7705e  daq-2.0.7.tar.gz
+sha256  d1f6709bc5dbddee3fdf170cdc1e49fb926e2031d4869ecf367a8c47efc87279  daq-2.0.7-modified.tar.gz
 
 # Hash for license files:
 sha256  07f28289c09fd9eb5a6ff7bc710ff40363601b1bbc6f3637d8ed412150e90819  COPYING

package/daq/daq.mk

@@ -5,7 +5,11 @@
 ################################################################################
 
 DAQ_VERSION = 2.0.7
-DAQ_SITE = https://www.snort.org/downloads/snort
+# Upstream re-published a modified archive for the same 2.0.7 version, so change
+# its name locally, to avoid conflict with older BR versions which had a hash
+# for the previous archive.
+DAQ_SOURCE = daq-2.0.7-modified.tar.gz
+DAQ_SITE = https://www.snort.org/downloads/snort/daq-$(DAQ_VERSION).tar.gz?buildroot-path=filename
 DAQ_LICENSE = GPL-2.0
 DAQ_LICENSE_FILES = COPYING
 DAQ_INSTALL_STAGING = YES

package/dav1d/dav1d.hash

@@ -1,4 +1,4 @@
-# From https://download.videolan.org/pub/videolan/dav1d/1.4.1/dav1d-1.4.1.tar.xz.sha256
-sha256  8d407dd5fe7986413c937b14e67f36aebd06e1fa5cfec679d10e548476f2d5f8  dav1d-1.4.1.tar.xz
+# From https://download.videolan.org/pub/videolan/dav1d/1.4.3/dav1d-1.4.3.tar.xz.sha256
+sha256  42fe524bcc82ea3a830057178faace22923a79bad3d819a4962d8cfc54c36f19  dav1d-1.4.3.tar.xz
 # Locally computed
 sha256  b327887de263238deaa80c34cdd2ff3e0ba1d35db585ce14a37ce3e74ee389e9  COPYING

package/dav1d/dav1d.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-DAV1D_VERSION = 1.4.1
+DAV1D_VERSION = 1.4.3
 DAV1D_SOURCE = dav1d-$(DAV1D_VERSION).tar.xz
 DAV1D_SITE = https://download.videolan.org/pub/videolan/dav1d/$(DAV1D_VERSION)
 DAV1D_LICENSE = BSD-2-Clause

package/fluent-bit/fluent-bit.hash

@@ -1,3 +1,3 @@
 # Locally computed
-sha256  2f3b82e8b7802fe92625009531592f12d500ff61a02ecf4cd27e0f138a6dc566  fluent-bit-3.0.3.tar.gz
+sha256  b439f89e879e538849e9106fe450bcf58da5034dfc316af4d2a837423786ed11  fluent-bit-3.0.4.tar.gz
 sha256  0d542e0c8804e39aa7f37eb00da5a762149dc682d7829451287e11b938e94594  LICENSE

package/fluent-bit/fluent-bit.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-FLUENT_BIT_VERSION = 3.0.3
+FLUENT_BIT_VERSION = 3.0.4
 FLUENT_BIT_SITE = $(call github,fluent,fluent-bit,v$(FLUENT_BIT_VERSION))
 FLUENT_BIT_LICENSE = Apache-2.0
 FLUENT_BIT_LICENSE_FILES = LICENSE

package/ghostscript/0001-Fix-build-without-BUILD_PDF.patch

@@ -1,34 +0,0 @@
-From 088f3cd6e58cff5fa51e072d1829f7691a5f6681 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Wed, 20 Sep 2023 13:44:28 +0100
-Subject: [PATCH] Fix build without BUILD_PDF
-
-The PDFSetParams PostScript extension operator was missing a stub function definition
-when the PDF interpreter is not built in.
-
- Author:    Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Upstream: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=088f3cd6e58cff5fa51e072d1829f7691a5f6681
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- psi/zpdfops.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/psi/zpdfops.c b/psi/zpdfops.c
-index e7e0a42ee..271687a18 100644
---- a/psi/zpdfops.c
-+++ b/psi/zpdfops.c
-@@ -1507,6 +1507,11 @@ static int zPDFdrawannots(i_ctx_t *i_ctx_p)
-     return_error(gs_error_undefined);
- }
- 
-+static int zPDFSetParams(i_ctx_t *i_ctx_p)
-+{
-+    return_error(gs_error_undefined);
-+}
-+
- static int zPDFInit(i_ctx_t *i_ctx_p)
- {
-     return_error(gs_error_undefined);
--- 
-2.34.1
-

package/ghostscript/ghostscript.hash

@@ -1,5 +1,5 @@
-# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10021/SHA512SUMS
-sha512  ee0f754c1bd8a18428ad14eaa3ead80ff8b96275af5012e7a8384f1f10490da056eec9ae3cc791a7a13a24e16e54df5bccdd109c7d53a14534bbd7360a300b11  ghostscript-10.02.1.tar.xz
+# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10031/SHA512SUMS
+sha512  59e071cd23aed246b51317d3cccd9ccf8e1e84c4ecf9b22fb938e561eff42cec61915b0bdd96a313a3ea27750579c54ca0d0862b65edd306a621731c0063ffd3  ghostscript-10.03.1.tar.xz
 
 # Hash for license file:
 sha256  8ce064f423b7c24a011b6ebf9431b8bf9861a5255e47c84bfb23fc526d030a8b  LICENSE

package/ghostscript/ghostscript.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GHOSTSCRIPT_VERSION = 10.02.1
+GHOSTSCRIPT_VERSION = 10.03.1
 GHOSTSCRIPT_SOURCE = ghostscript-$(GHOSTSCRIPT_VERSION).tar.xz
 GHOSTSCRIPT_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs$(subst .,,$(GHOSTSCRIPT_VERSION))
 GHOSTSCRIPT_LICENSE = AGPL-3.0

package/glibc/glibc.hash

@@ -1,5 +1,5 @@
 # Locally calculated (fetched from Github)
-sha256  2ba018b344e0e8330dcadd6130f4174f0fc2502b2e032210345e0e5a2f7ed12e  glibc-2.39-5-ge0910f1d3278f05439fb434ee528fc9be1b6bd5e.tar.gz
+sha256  2858e8e47c4c0df32b526c56d5590ec939e8178201ee9526bb070999ce4aa1f2  glibc-2.39-74-g198632a05f6c7b9ab67d3331d8caace9ceabb685.tar.gz
 
 # Hashes for license files
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING

package/glibc/glibc.mk

@@ -7,7 +7,7 @@
 # Generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
 # When updating the version, please also update localedef
-GLIBC_VERSION = 2.39-5-ge0910f1d3278f05439fb434ee528fc9be1b6bd5e
+GLIBC_VERSION = 2.39-74-g198632a05f6c7b9ab67d3331d8caace9ceabb685
 # Upstream doesn't officially provide an https download link.
 # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
 # sometimes the connection times out. So use an unofficial github mirror.
@@ -24,33 +24,17 @@ GLIBC_CPE_ID_VENDOR = gnu
 # allow proper matching with the CPE database.
 GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
 
-# Fixed by b25508dd774b617f99419bdc3cf2ace4560cd2d6, which is between
-# 2.38 and the version we're really using
-GLIBC_IGNORE_CVES += CVE-2023-4527
+# Fixed by glibc-2.39-31-g31da30f23cddd36db29d5b6a1c7619361b271fb4
+GLIBC_IGNORE_CVES += CVE-2024-2961
 
-# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
-# 2.38 and the version we're really using
-GLIBC_IGNORE_CVES += CVE-2023-4806
+# Fixed by glibc-2.39-35-g1263d583d2e28afb8be53f8d6922f0842036f35d
+GLIBC_IGNORE_CVES += CVE-2024-33599
 
-# Fixed by 750a45a783906a19591fb8ff6b7841470f1f5710, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-4911
+# Fixed by glibc-2.39-37-gc99f886de54446cd4447db6b44be93dabbdc2f8b
+GLIBC_IGNORE_CVES += CVE-2024-33600
 
-# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-5156
-
-# Fixed by 23514c72b780f3da097ecf33a793b7ba9c2070d2, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-6246
-
-# Fixed by d0338312aace5bbfef85e03055e1212dd0e49578, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-6779
-
-# Fixed by d37c2b20a4787463d192b32041c3406c2bd91de0, which is between
-# 2.38 and the version we're really using.
-GLIBC_IGNORE_CVES += CVE-2023-6780
+# Fixed by glibc-2.39-38-ga9a8d3eebb145779a18d90e3966009a1daa63cd
+GLIBC_IGNORE_CVES += CVE-2024-33601 CVE-2024-33602
 
 # All these CVEs are considered as not being security issues by
 # upstream glibc:

package/libmad/0003-drop-GCC-fforce-mem-option.patch

@@ -0,0 +1,18 @@
+configure.ac: drop GCC "-fforce-mem" option 
+
+As reported at [1], the option has been removed from version 4.3 of GCC.
+
+[1] https://ez.analog.com/dsp/software-and-development-tools/linux-blackfin/linux-bug-archive/w/documents/7460/5626-build-lib-mad-fail-at-option--fforce-mem-with-gcc-4-3
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Upstream: Dead
+
+--- libmad-0.15.1b-orig/configure.ac	2024-07-02 14:26:40.657984791 +0200
++++ libmad-0.15.1b/configure.ac	2024-07-02 14:27:07.098198997 +0200
+@@ -140,7 +140,6 @@
+     case "$optimize" in
+ 	-O|"-O "*)
+ 	    optimize="-O"
+-	    optimize="$optimize -fforce-mem"
+ 	    optimize="$optimize -fforce-addr"
+ 	    : #x optimize="$optimize -finline-functions"
+ 	    : #- optimize="$optimize -fstrength-reduce"

package/libmad/libmad.mk

@@ -19,7 +19,7 @@ define LIBMAD_APPLY_DEBIAN_PATCHES
 	fi
 endef
 
-LIBMAD_POST_PATCH_HOOKS += LIBMAD_APPLY_DEBIAN_PATCHES
+LIBMAD_PRE_PATCH_HOOKS += LIBMAD_APPLY_DEBIAN_PATCHES
 
 # debian/patches/md_size.diff
 LIBMAD_IGNORE_CVES += CVE-2017-8372 CVE-2017-8373

package/libopenssl/libopenssl.mk

@@ -84,6 +84,7 @@ define LIBOPENSSL_CONFIGURE_CMDS
 			no-fuzz-libfuzzer \
 			no-fuzz-afl \
 			no-afalgeng \
+			$(if $(BR2_PACKAGE_LIBOPENSSL_BIN),,no-apps) \
 			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_CHACHA),,no-chacha) \
 			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC2),,no-rc2) \
 			$(if $(BR2_PACKAGE_LIBOPENSSL_ENABLE_RC4),,no-rc4) \
@@ -135,8 +136,8 @@ endef
 
 define LIBOPENSSL_INSTALL_TARGET_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
-	rm -rf $(TARGET_DIR)/usr/lib/ssl
-	rm -f $(TARGET_DIR)/usr/bin/c_rehash
+	$(RM) -rf $(TARGET_DIR)/usr/lib/ssl
+	$(RM) -f $(TARGET_DIR)/usr/bin/c_rehash
 endef
 
 # libdl has no business in a static build
@@ -156,17 +157,9 @@ endef
 LIBOPENSSL_POST_INSTALL_TARGET_HOOKS += LIBOPENSSL_REMOVE_PERL_SCRIPTS
 endif
 
-ifeq ($(BR2_PACKAGE_LIBOPENSSL_BIN),)
-define LIBOPENSSL_REMOVE_BIN
-	$(RM) -f $(TARGET_DIR)/usr/bin/openssl
-	$(RM) -f $(TARGET_DIR)/etc/ssl/misc/{CA.*,c_*}
-endef
-LIBOPENSSL_POST_INSTALL_TARGET_HOOKS += LIBOPENSSL_REMOVE_BIN
-endif
-
-ifneq ($(BR2_PACKAGE_LIBOPENSSL_ENGINES),y)
+ifeq ($(BR2_PACKAGE_LIBOPENSSL_ENGINES),)
 define LIBOPENSSL_REMOVE_LIBOPENSSL_ENGINES
-	rm -rf $(TARGET_DIR)/usr/lib/engines-1.1
+	$(RM) -rf $(TARGET_DIR)/usr/lib/engines-3
 endef
 LIBOPENSSL_POST_INSTALL_TARGET_HOOKS += LIBOPENSSL_REMOVE_LIBOPENSSL_ENGINES
 endif

package/linux-firmware/linux-firmware.mk

@@ -583,6 +583,7 @@ endif
 
 ifeq ($(BR2_PACKAGE_LINUX_FIRMWARE_IWLWIFI_9XXX),y)
 LINUX_FIRMWARE_FILES += iwlwifi-9???-*.ucode
+LINUX_FIRMWARE_FILES += iwlwifi-so-a0-jf-b0*.ucode
 LINUX_FIRMWARE_ALL_LICENSE_FILES += LICENCE.iwlwifi_firmware
 endif
 

package/linux-headers/Config.in.host

@@ -415,12 +415,12 @@ endchoice
 
 config BR2_DEFAULT_KERNEL_HEADERS
 	string
-	default "4.19.315"	if BR2_KERNEL_HEADERS_4_19
-	default "5.4.277"	if BR2_KERNEL_HEADERS_5_4
-	default "5.10.218"	if BR2_KERNEL_HEADERS_5_10
-	default "5.15.160"	if BR2_KERNEL_HEADERS_5_15
-	default "6.1.92"	if BR2_KERNEL_HEADERS_6_1
-	default "6.6.32"	if BR2_KERNEL_HEADERS_6_6
+	default "4.19.317"	if BR2_KERNEL_HEADERS_4_19
+	default "5.4.279"	if BR2_KERNEL_HEADERS_5_4
+	default "5.10.221"	if BR2_KERNEL_HEADERS_5_10
+	default "5.15.162"	if BR2_KERNEL_HEADERS_5_15
+	default "6.1.97"	if BR2_KERNEL_HEADERS_6_1
+	default "6.6.37"	if BR2_KERNEL_HEADERS_6_6
 	default "6.8.12"	if BR2_KERNEL_HEADERS_6_8
 	default BR2_DEFAULT_KERNEL_VERSION if BR2_KERNEL_HEADERS_VERSION
 	default "custom"	if BR2_KERNEL_HEADERS_CUSTOM_TARBALL

package/localedef/localedef.mk

@@ -7,7 +7,7 @@
 # Use the same VERSION and SITE as target glibc
 # As in glibc.mk, generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.39-5-ge0910f1d3278f05439fb434ee528fc9be1b6bd5e
+LOCALEDEF_VERSION = 2.39-74-g198632a05f6c7b9ab67d3331d8caace9ceabb685
 LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
 LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
 HOST_LOCALEDEF_DL_SUBDIR = glibc

package/mesa3d-headers/mesa3d-headers.mk

@@ -12,7 +12,7 @@ endif
 
 # Not possible to directly refer to mesa3d variables, because of
 # first/second expansion trickery...
-MESA3D_HEADERS_VERSION = 24.0.7
+MESA3D_HEADERS_VERSION = 24.0.9
 MESA3D_HEADERS_SOURCE = mesa-$(MESA3D_HEADERS_VERSION).tar.xz
 MESA3D_HEADERS_SITE = https://archive.mesa3d.org
 MESA3D_HEADERS_DL_SUBDIR = mesa3d

package/mesa3d/0006-drisw-fix-build-without-dri3.patch

@@ -1,58 +0,0 @@
-From 3ab46dcfda9edf5c9bc27c8f5031146d9d9d8ade Mon Sep 17 00:00:00 2001
-From: Romain Naour <romain.naour@smile.fr>
-Date: Thu, 18 Jan 2024 22:50:16 +0100
-Subject: [PATCH] drisw: fix build without dri3
-
-commit 1887368df41 ("glx/sw: check for modifier support in the kopper path")
-added dri3_priv.h header and dri3_check_multibuffer() function in drisw that
-can be build without dri3.
-
-  i686-buildroot-linux-gnu/bin/ld: src/glx/libglx.a.p/drisw_glx.c.o: in function `driswCreateScreenDriver':
-  drisw_glx.c:(.text.driswCreateScreenDriver+0x3a0): undefined reference to `dri3_check_multibuffer'
-  collect2: error: ld returned 1 exit status
-
-Add HAVE_DRI3 guard around dri3_priv.h header and the zink code using
-dri3_check_multibuffer().
-
-Fixes: 1887368df41 ("glx/sw: check for modifier support in the kopper path")
-
-Upstream: https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27478
-
-Signed-off-by: Romain Naour <romain.naour@smile.fr>
----
- src/glx/drisw_glx.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/glx/drisw_glx.c b/src/glx/drisw_glx.c
-index 3d3f75259bc..4b19e2d7707 100644
---- a/src/glx/drisw_glx.c
-+++ b/src/glx/drisw_glx.c
-@@ -32,7 +32,9 @@
- #include <dlfcn.h>
- #include "dri_common.h"
- #include "drisw_priv.h"
-+#ifdef HAVE_DRI3
- #include "dri3_priv.h"
-+#endif
- #include <X11/extensions/shmproto.h>
- #include <assert.h>
- #include <vulkan/vulkan_core.h>
-@@ -995,6 +997,7 @@ driswCreateScreenDriver(int screen, struct glx_display *priv,
-        goto handle_error;
-    }
- 
-+#ifdef HAVE_DRI3
-    if (pdpyp->zink) {
-       bool err;
-       psc->has_multibuffer = dri3_check_multibuffer(priv->dpy, &err);
-@@ -1005,6 +1008,7 @@ driswCreateScreenDriver(int screen, struct glx_display *priv,
-          goto handle_error;
-       }
-    }
-+#endif
- 
-    glx_config_destroy_list(psc->base.configs);
-    psc->base.configs = configs;
--- 
-2.43.0
-

package/mesa3d/0007-glxext-don-t-try-zink-if-not-enabled-in-mesa.patch

@@ -1,42 +0,0 @@
-From 83b4ff6616708bd7ba5981d22cd5211ca6787d58 Mon Sep 17 00:00:00 2001
-From: Romain Naour <romain.naour@smile.fr>
-Date: Wed, 24 Jan 2024 14:28:32 +0100
-Subject: [PATCH] glxext: don't try zink if not enabled in mesa
-
-Commit 7d9ea77b459 ("glx: add automatic zink fallback loading between hw and sw drivers")
-added an automatic zink fallback even when the zink gallium is not
-enabled at build time.
-
-It leads to unexpected error log while loading drisw driver and
-zink is not installed on the rootfs:
-
-  MESA-LOADER: failed to open zink: /usr/lib/dri/zink_dri.so
-
-Fixes: 7d9ea77b459 ("glx: add automatic zink fallback loading between hw and sw drivers")
-
-Upstream: https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27478
-
-Signed-off-by: Romain Naour <romain.naour@smile.fr>
----
- src/glx/glxext.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/glx/glxext.c b/src/glx/glxext.c
-index 39d5f08bdcf..e106eb40046 100644
---- a/src/glx/glxext.c
-+++ b/src/glx/glxext.c
-@@ -904,9 +904,11 @@ __glXInitialize(Display * dpy)
- #endif /* HAVE_DRI3 */
-       if (!debug_get_bool_option("LIBGL_DRI2_DISABLE", false))
-          dpyPriv->dri2Display = dri2CreateDisplay(dpy);
-+#if defined(HAVE_ZINK)
-       if (!dpyPriv->dri3Display && !dpyPriv->dri2Display)
-          try_zink = !debug_get_bool_option("LIBGL_KOPPER_DISABLE", false) &&
-                     !getenv("GALLIUM_DRIVER");
-+#endif /* HAVE_ZINK */
-    }
- #endif /* GLX_USE_DRM */
-    if (glx_direct)
--- 
-2.43.0
-

package/mesa3d/mesa3d.hash

@@ -1,5 +1,5 @@
-# From https://lists.freedesktop.org/archives/mesa-announce/2024-May/000758.html
-sha256  7454425f1ed4a6f1b5b107e1672b30c88b22ea0efea000ae2c7d96db93f6c26a  mesa-24.0.7.tar.xz
-sha512  77b0fae80ab0a07e2e528c113eadef0e3004b8df3e6e98fffe6fc2d8ac39f5ce7fa38ebe5c2ae32bfbac993dd7cbe288ace18ebb03cf2fb445fe7114f74dd45c  mesa-24.0.7.tar.xz
+# From https://lists.freedesktop.org/archives/mesa-announce/2024-June/000764.html
+sha256  51aa686ca4060e38711a9e8f60c8f1efaa516baf411946ed7f2c265cd582ca4c  mesa-24.0.9.tar.xz
+sha512  de2ee6c9df1fc106ee10befe0a76be1e9cfe83d65dbdb83bad6d8d7cfaa085232fb115293a1a790b37b50b1fe14bd58aafbcfe5a15e953b5901a7105d57569a5  mesa-24.0.9.tar.xz
 # License
 sha256  a00275a53178e2645fb65be99a785c110513446a5071ff2c698ed260ad917d75  docs/license.rst

package/mesa3d/mesa3d.mk

@@ -5,7 +5,7 @@
 ################################################################################
 
 # When updating the version, please also update mesa3d-headers
-MESA3D_VERSION = 24.0.7
+MESA3D_VERSION = 24.0.9
 MESA3D_SOURCE = mesa-$(MESA3D_VERSION).tar.xz
 MESA3D_SITE = https://archive.mesa3d.org
 MESA3D_LICENSE = MIT, SGI, Khronos

package/network-manager/Config.in

@@ -5,7 +5,7 @@ config BR2_PACKAGE_NETWORK_MANAGER
 	depends on BR2_PACKAGE_HAS_UDEV
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
 	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_6
-	depends on BR2_TOOLCHAIN_USES_GLIBC # CLOCK_BOOTTIME, IPTOS_CLASS_*
+	depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL
 	depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
 	depends on BR2_USE_WCHAR # libglib2
 	select BR2_PACKAGE_DBUS
@@ -59,10 +59,11 @@ config BR2_PACKAGE_NETWORK_MANAGER_OVS
 	  This option enables support for OpenVSwitch
 endif
 
-comment "NetworkManager needs udev /dev management and a glibc toolchain w/ headers >= 4.6, dynamic library, wchar, threads, gcc >= 4.9"
+comment "NetworkManager needs udev /dev management and a glibc or musl toolchain w/ headers >= 4.6, dynamic library, wchar, threads, gcc >= 4.9"
 	depends on BR2_USE_MMU
 	depends on !BR2_PACKAGE_HAS_UDEV || \
 		!BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_6 || \
-		!BR2_TOOLCHAIN_USES_GLIBC || BR2_STATIC_LIBS || \
+		!(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL) || \
+		BR2_STATIC_LIBS || \
 		!BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS || \
 		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_9

package/ntp/ntp.hash

@@ -1,4 +1,4 @@
-# From https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2.8p17.tar.gz.sha256
-sha256  103dd272e6a66c5b8df07dce5e9a02555fcd6f1397bdfb782237328e89d3a866  ntp-4.2.8p17.tar.gz
+# From https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2.8p18.tar.gz.sha256
+sha256  cf84c5f3fb1a295284942624d823fffa634144e096cfc4f9969ac98ef5f468e5  ntp-4.2.8p18.tar.gz
 # Locally computed
-sha256  06246b8c15ccc1a1873c78525c810f0802e68f383e79ee041e06d1ab9cbf80a4  COPYRIGHT
+sha256  45b6e5a0a5f0ac4afdd9e23caa2241779e4da463e4dba32a41b4dbd61577b2a3  COPYRIGHT

package/ntp/ntp.mk

@@ -6,7 +6,7 @@
 
 NTP_VERSION_MAJOR = 4.2
 NTP_VERSION_MINOR = 8
-NTP_VERSION_POINT = 17
+NTP_VERSION_POINT = 18
 NTP_VERSION = $(NTP_VERSION_MAJOR).$(NTP_VERSION_MINOR)p$(NTP_VERSION_POINT)
 NTP_SITE = https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-$(NTP_VERSION_MAJOR)
 NTP_DEPENDENCIES = host-pkgconf libevent

package/nut/Config.in

@@ -1,11 +1,12 @@
-comment "nut needs a toolchain w/ C++"
+comment "nut needs a toolchain w/ C++, threads"
 	depends on BR2_USE_MMU
-	depends on !BR2_INSTALL_LIBSTDCPP
+	depends on !BR2_INSTALL_LIBSTDCPP || !BR2_TOOLCHAIN_HAS_THREADS
 
 config BR2_PACKAGE_NUT
 	bool "nut"
 	depends on BR2_USE_MMU # fork()
 	depends on BR2_INSTALL_LIBSTDCPP
+	depends on BR2_TOOLCHAIN_HAS_THREADS
 	help
 	  Network UPS tools
 

package/octave/octave.mk

@@ -36,6 +36,13 @@ else
 OCTAVE_CONF_OPTS += --without-magick
 endif
 
+ifeq ($(BR2_PACKAGE_LIBCURL),y)
+OCTAVE_CONF_OPTS += --with-curl
+OCTAVE_DEPENDENCIES += libcurl
+else
+OCTAVE_CONF_OPTS += --without-curl
+endif
+
 ifeq ($(BR2_PACKAGE_READLINE),y)
 OCTAVE_CONF_OPTS += \
 	--enable-readline \

package/openssh/0001-Improve-detection-of-fzero-call-used-regs-used.patch

@@ -0,0 +1,32 @@
+From f9193f03db0029fc9c31fbdb5c66a2737446bd8f Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Mon, 25 Mar 2024 09:28:02 +1100
+Subject: [PATCH] Improve detection of -fzero-call-used-regs=used.
+
+Should better detect problems with gcc 13 on m68k.  bz#3673 from Colin
+Watson via bz#3673 and https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110934
+
+Signed-off-by: Darren Tucker <dtucker@dtucker.net>
+Upstream: https://github.com/openssh/openssh-portable/commit/f9193f03db0029fc9c31fbdb5c66a2737446bd8f
+---
+ m4/openssh.m4 | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/m4/openssh.m4 b/m4/openssh.m4
+index 033df501c3d8..176a8d1c9282 100644
+--- a/m4/openssh.m4
++++ b/m4/openssh.m4
+@@ -20,7 +20,10 @@ char *f2(char *s, ...) {
+ 	va_end(args);
+ 	return strdup(ret);
+ }
++int i;
++double d;
+ const char *f3(int s) {
++	i = (int)d;
+ 	return s ? "good" : "gooder";
+ }
+ int main(int argc, char **argv) {
+-- 
+2.43.0
+

package/openssh/0002-sshsigdie-async-signal-unsafe.patch

@@ -0,0 +1,41 @@
+From 7f4a743171f9e6b283207d448de6562219774fbf Mon Sep 17 00:00:00 2001
+From: Salvatore Bonaccorso <carnil@debian.org>
+Date: Tue, 25 Jun 2024 12:24:29 +0100
+Subject: Disable async-signal-unsafe code from the sshsigdie() function
+
+Address signal handler race condition: if a client does not authenticate
+within LoginGraceTime seconds (120 by default, 600 in old OpenSSH
+versions), then sshd's SIGALRM handler is called asynchronously, but
+this signal handler calls various functions that are not
+async-signal-safe (for example, syslog()).
+
+This is a regression from CVE-2006-5051 ("Signal handler race condition
+in OpenSSH before 4.4 allows remote attackers to cause a denial of
+service (crash), and possibly execute arbitrary code")
+
+Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
+Upstream: https://salsa.debian.org/ssh-team/openssh/-/blob/525bb16e45edac4c03b95e106380d70aecbaf27e/debian/patches/sshsigdie-async-signal-unsafe.patch
+Patch-Name: sshsigdie-async-signal-unsafe.patch
+---
+ log.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/log.c b/log.c
+index 6a8b1fc4a..57256660f 100644
+--- a/log.c
++++ b/log.c
+@@ -452,12 +452,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+     LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ 	va_list args;
+ 
+ 	va_start(args, fmt);
+ 	sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ 	    suffix, fmt, args);
+ 	va_end(args);
++#endif
+ 	_exit(1);
+ }
+ 

package/openssh/openssh.mk

@@ -13,6 +13,9 @@ OPENSSH_SITE = http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
 OPENSSH_LICENSE = BSD-3-Clause, BSD-2-Clause, Public Domain
 OPENSSH_LICENSE_FILES = LICENCE
 
+# 0001-Improve-detection-of-fzero-call-used-regs-used.patch
+OPENSSH_AUTORECONF = YES
+
 OPENSSH_CONF_ENV = \
 	LD="$(TARGET_CC)" \
 	LDFLAGS="$(TARGET_CFLAGS)" \

package/openvpn/openvpn.hash

@@ -1,3 +1,3 @@
 # Locally calculated after checking signature
-sha256  1993bbb7b9edb430626eaa24573f881fd3df642f427fcb824b1aed1fca1bcc9b  openvpn-2.6.10.tar.gz
+sha256  d60adf413d37e11e6e63531cacf2655906756046b4edffe88a13b9e2fec40d5e  openvpn-2.6.11.tar.gz
 sha256  1fcb78d7e478bb8a9408010bdc91b36e213b1facfad093df3f7ce7e28af19043  COPYRIGHT.GPL

package/openvpn/openvpn.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-OPENVPN_VERSION = 2.6.10
+OPENVPN_VERSION = 2.6.11
 OPENVPN_SITE = https://swupdate.openvpn.net/community/releases
 OPENVPN_DEPENDENCIES = host-pkgconf libcap-ng
 OPENVPN_LICENSE = GPL-2.0

package/php/php.hash

@@ -1,5 +1,5 @@
 # From https://www.php.net/downloads.php
-sha256  d53433c1ca6b2c8741afa7c524272e6806c1e895e5912a058494fea89988570a  php-8.3.7.tar.xz
+sha256  bf4d7b8ea60a356064f88485278bd6f941a230ec16f0fc401574ce1445ad6c77  php-8.3.9.tar.xz
 
 # License file
 sha256  b42e4df5e50e6ecda1047d503d6d91d71032d09ed1027ba1ef29eed26f890c5a  LICENSE

package/php/php.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PHP_VERSION = 8.3.7
+PHP_VERSION = 8.3.9
 PHP_SITE = https://www.php.net/distributions
 PHP_SOURCE = php-$(PHP_VERSION).tar.xz
 PHP_INSTALL_STAGING = YES

package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch

@@ -1,4 +1,4 @@
-From 38b730c00f45abf324caf687b5b00662ff4252c2 Mon Sep 17 00:00:00 2001
+From acd175aa53af1f1b8422bf1f1fe57eafc710cdca Mon Sep 17 00:00:00 2001
 From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
 Date: Fri, 2 Dec 2016 23:09:44 +0100
 Subject: [PATCH] Makefile: allow passing CFLAGS/LDFLAGS
@@ -10,21 +10,25 @@ Submitted-upstream: https://github.com/raspberrypi/usbboot/pull/2
 Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
 [Rebased on 9324fd7]
 Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+[Rebased on 20221215-105525-0-g1afa26c5]
+Signed-off-by: Fiona Klute <fiona.klute+wiwa@gmx.de>
 ---
  Makefile | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 822e714..875e717 100755
+index dc78cfe..c9d4910 100755
 --- a/Makefile
 +++ b/Makefile
-@@ -1,5 +1,5 @@
+@@ -1,7 +1,7 @@
+ PKG_VER=$(shell grep rpiboot debian/changelog | head -n1 | sed 's/.*(\(.*\)).*/\1/g')
+ GIT_VER=$(shell git rev-parse HEAD 2>/dev/null | cut -c1-8 || echo "")
  rpiboot: main.c msd/bootcode.h msd/start.h msd/bootcode4.h msd/start4.h
--	$(CC) -Wall -Wextra -g -o $@ $< -lusb-1.0
-+	$(CC) -Wall -Wextra -g $(CFLAGS) -o $@ $< -lusb-1.0 $(LDFLAGS)
+-	$(CC) -Wall -Wextra -g -o $@ $< `pkg-config --cflags --libs libusb-1.0` -DGIT_VER="\"$(GIT_VER)\"" -DPKG_VER="\"$(PKG_VER)\""
++	$(CC) -Wall -Wextra -g $(CFLAGS) -o $@ $< `pkg-config --cflags --libs libusb-1.0` -DGIT_VER="\"$(GIT_VER)\"" -DPKG_VER="\"$(PKG_VER)\"" $(LDFLAGS)
  
  %.h: %.bin ./bin2c
  	./bin2c $< $@
 -- 
-2.31.1
+2.45.2
 

package/raspberrypi-usbboot/raspberrypi-usbboot.hash

@@ -1,5 +1,5 @@
 # Locally calculated
-sha256  4565314b38e7c7505b7d32a3b51b49f79c7dd5767d45b86d38e5255ae7489a43  raspberrypi-usbboot-2021.07.01.tar.gz
+sha256  2f02dbe9a88e9dfad5f05e513e1f30afd47b1575820f7c3b09665dfefc45bbaa  raspberrypi-usbboot-20221215-105525.tar.gz
 
 # License files
 sha256  b40930bbcf80744c86c46a12bc9da056641d722716c378f5659b9e555ef833e1  LICENSE

package/raspberrypi-usbboot/raspberrypi-usbboot.mk

@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-RASPBERRYPI_USBBOOT_VERSION = 2021.07.01
+RASPBERRYPI_USBBOOT_VERSION = 20221215-105525
 RASPBERRYPI_USBBOOT_SITE = \
-	$(call github,raspberrypi,usbboot,v$(RASPBERRYPI_USBBOOT_VERSION))
+	$(call github,raspberrypi,usbboot,$(RASPBERRYPI_USBBOOT_VERSION))
 RASPBERRYPI_USBBOOT_LICENSE = Apache-2.0
 RASPBERRYPI_USBBOOT_LICENSE_FILES = LICENSE
 

package/redis/redis.hash

@@ -1,5 +1,5 @@
 # From https://github.com/redis/redis-hashes/blob/master/README
-sha256  8d104c26a154b29fd67d6568b4f375212212ad41e0c2caa3d66480e78dbd3b59  redis-7.2.4.tar.gz
+sha256  5981179706f8391f03be91d951acafaeda91af7fac56beffb2701963103e423d  redis-7.2.5.tar.gz
 
 # Locally calculated
 sha256  97f0a15b7bbae580d2609dad2e11f1956ae167be296ab60f4691ab9c30ee9828  COPYING

package/redis/redis.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-REDIS_VERSION = 7.2.4
+REDIS_VERSION = 7.2.5
 REDIS_SITE = http://download.redis.io/releases
 REDIS_LICENSE = BSD-3-Clause (core); MIT and BSD family licenses (Bundled components)
 REDIS_LICENSE_FILES = COPYING

package/sentry-cli/sentry-cli.mk

@@ -9,6 +9,6 @@ SENTRY_CLI_SITE = $(call github,getsentry,sentry-cli,$(SENTRY_CLI_VERSION))
 SENTRY_CLI_LICENSE = BSD-3-clause
 SENTRY_CLI_LICENSE_FILES = LICENSE
 
-HOST_SENTRY_CLI_DEPENDENCIES = host-zlib
+HOST_SENTRY_CLI_DEPENDENCIES = host-pkgconf host-openssl host-zlib
 
 $(eval $(host-cargo-package))

package/tor/tor.hash

@@ -1,4 +1,4 @@
-# From https://dist.torproject.org/tor-0.4.8.11.tar.gz.sha256sum
-sha256  8f2bdf90e63380781235aa7d604e159570f283ecee674670873d8bb7052c8e07  tor-0.4.8.11.tar.gz
+# From https://dist.torproject.org/tor-0.4.8.12.tar.gz.sha256sum
+sha256  ca7cc735d98e3747b58f2f3cc14f804dd789fa0fb333a84dcb6bd70adbb8c874  tor-0.4.8.12.tar.gz
 # Locally computed
 sha256  47b54ed17e8fdcab3c44729a1789a09b208f9a63a845a7e50def9df729eebad0  LICENSE

package/tor/tor.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-TOR_VERSION = 0.4.8.11
+TOR_VERSION = 0.4.8.12
 TOR_SITE = https://dist.torproject.org
 TOR_LICENSE = BSD-3-Clause
 TOR_LICENSE_FILES = LICENSE

package/uuu/uuu.hash

@@ -1,3 +1,3 @@
 # locally computed
-sha256  5e3bab017cf1b7a6a85d0cd46c0de6660de9b93fb24b0a21d8ecc4fb9f663e2c  uuu_source-uuu_1.5.181.tar.gz
+sha256  723d3da358e6af974a056e3adbcb105fac9dad4b87544de0d22b8c974a8037aa  uuu_source-uuu_1.5.182.tar.gz
 sha256  cc8d47f7b9260f6669ecd41c24554c552f17581d81ee8fc602c6d23edb8bf495  LICENSE

package/uuu/uuu.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-UUU_VERSION = 1.5.181
+UUU_VERSION = 1.5.182
 UUU_SOURCE = uuu_source-uuu_$(UUU_VERSION).tar.gz
 UUU_SITE = https://github.com/NXPmicro/mfgtools/releases/download/uuu_$(UUU_VERSION)
 UUU_LICENSE = BSD 3-Clause "New" or "Revised" License

package/vlc/vlc.hash

@@ -1,7 +1,7 @@
-# From https://get.videolan.org/vlc/3.0.20/vlc-3.0.20.tar.xz.sha256
-sha256  adc7285b4d2721cddf40eb5270cada2aaa10a334cb546fd55a06353447ba29b5  vlc-3.0.20.tar.xz
-# From https://get.videolan.org/vlc/3.0.20/vlc-3.0.20.tar.xz.sha1
-sha1  b834516ab701bf6311980ed5d67b77c834fdebe7  vlc-3.0.20.tar.xz
+# From https://get.videolan.org/vlc/3.0.21/vlc-3.0.21.tar.xz.sha256
+sha256  24dbbe1d7dfaeea0994d5def0bbde200177347136dbfe573f5b6a4cee25afbb0  vlc-3.0.21.tar.xz
+# From https://get.videolan.org/vlc/3.0.21/vlc-3.0.21.tar.xz.sha1
+sha1  be8557fc2f4be58caebe4a8b1d70f03dc6b95792  vlc-3.0.21.tar.xz
 # Locally computed
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LIB

package/vlc/vlc.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-VLC_VERSION = 3.0.20
+VLC_VERSION = 3.0.21
 VLC_SITE = https://get.videolan.org/vlc/$(VLC_VERSION)
 VLC_SOURCE = vlc-$(VLC_VERSION).tar.xz
 VLC_LICENSE = GPL-2.0+, LGPL-2.1+

package/xfsprogs/Config.in

@@ -18,4 +18,4 @@ config BR2_PACKAGE_XFSPROGS
 	help
 	  The XFS file system utilities and libraries
 
-	  http://xfs.org
+	  https://xfs.wiki.kernel.org

package/xmrig/xmrig.hash

@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  68b4be51e99687bad15d5bf4ac9eed79a080ba89141f7363457a957ce9304e4d  xmrig-6.21.2.tar.gz
+sha256  5d76fb19190956c564b405119315bc93db4ed8062b251d5e96bed70c5fa8033c  xmrig-6.21.3.tar.gz
 sha256  589ed823e9a84c56feb95ac58e7cf384626b9cbf4fda2a907bc36e103de1bad2  LICENSE

package/xmrig/xmrig.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-XMRIG_VERSION = 6.21.2
+XMRIG_VERSION = 6.21.3
 XMRIG_SITE = $(call github,xmrig,xmrig,v$(XMRIG_VERSION))
 XMRIG_LICENSE = GPL-3.0+
 XMRIG_LICENSE_FILES = LICENSE

package/znc/znc.hash

@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  8b99c9dbb21c1309705073460be9bfacb6f7b0e83a15fe5d4b7140201b39d2a1  znc-1.9.0.tar.gz
+sha256  e8a7cf80e19aad510b4e282eaf61b56bc30df88ea2e0f64fadcdd303c4894f3c  znc-1.9.1.tar.gz
 sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE

package/znc/znc.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-ZNC_VERSION = 1.9.0
+ZNC_VERSION = 1.9.1
 ZNC_SITE = http://znc.in/releases/archive
 ZNC_LICENSE = Apache-2.0
 ZNC_LICENSE_FILES = LICENSE

support/misc/Vagrantfile

@@ -5,7 +5,7 @@
 ################################################################################
 
 # Buildroot version to use
-RELEASE='2024.05'
+RELEASE='2024.05.1'
 
 ### Change here for more memory/cores ###
 VM_MEMORY=2048

support/scripts/apply-patches.sh

@@ -46,6 +46,8 @@ patchdir=${2-../kernel-patches}
 shift 2
 patchpattern=${@-*}
 
+export TAR=${TAR:-tar}
+
 # use a well defined sorting order
 export LC_COLLATE=C
 

support/testing/tests/package/test_ntp.py

@@ -0,0 +1,86 @@
+import os
+import re
+import time
+
+import infra.basetest
+
+
+class TestNtp(infra.basetest.BRTest):
+    rootfs_overlay = \
+        infra.filepath("tests/package/test_ntp/rootfs-overlay")
+    config = infra.basetest.BASIC_TOOLCHAIN_CONFIG + \
+        f"""
+        BR2_PACKAGE_NTP=y
+        BR2_PACKAGE_NTP_NTPD=y
+        BR2_PACKAGE_NTP_NTPQ=y
+        BR2_ROOTFS_OVERLAY="{rootfs_overlay}"
+        BR2_TARGET_ROOTFS_CPIO=y
+        # BR2_TARGET_ROOTFS_TAR is not set
+        """
+
+    def dict_from_ntpq_output(self, output):
+        d = {}
+        for line in output:
+            if ':' not in line:
+                continue
+            fields = re.split(r":", line, maxsplit=2)
+            name = fields[0].strip()
+            value = fields[1].strip()
+            d[name] = value
+        return d
+
+    def test_run(self):
+        cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio")
+        self.emulator.boot(arch="armv5",
+                           kernel="builtin",
+                           options=["-initrd", cpio_file])
+        self.emulator.login()
+
+        # Check our binaries can execute.
+        self.assertRunOk("ntpd --version")
+        self.assertRunOk("ntpq --version")
+
+        # The ntp daemon is expected to be started from init startup
+        # scripts, for the Buildroot package recipe. We wait a bit
+        # here to let the daemon settle. The next test step checks for
+        # the local peer to be the system peer (by checking the
+        # '*'). If querying the peers too soon after startup the peer
+        # will not be marked as such.
+        time.sleep(3 * self.timeout_multiplier)
+
+        # We query the ntp daemon peers. From our test configuration
+        # file, we should have exactly one.
+        out, ret = self.emulator.run("ntpq --peers")
+        self.assertEqual(ret, 0)
+        # ntpq --peers produces two lines of headers. So we check we
+        # have at least 3 lines of output.
+        self.assertGreaterEqual(len(out), 3)
+        # We check we see our undisciplined local clock and it's the
+        # system peer.
+        self.assertTrue(out[2].startswith("*LOCAL(0)"))
+
+        # We query the refid variable. We expect to see our
+        # undisciplined local clock.
+        out, ret = self.emulator.run("ntpq -c 'readvar 0 refid'")
+        self.assertEqual(ret, 0)
+        self.assertEqual(out[0], "refid=LOCAL(0)")
+
+        # We query the ntp system info. We check the reference ID is
+        # the same as in the test configuration file.
+        out, ret = self.emulator.run("ntpq -c sysinfo")
+        self.assertEqual(ret, 0)
+        sysinfo = self.dict_from_ntpq_output(out)
+        refid = "reference ID"
+        self.assertIn(refid, sysinfo)
+        self.assertEqual(sysinfo[refid], "127.127.1.0")
+
+        # Finally, we query the ntp system statistics. We check we can
+        # see some uptime. We waited a bit at the beginning of this
+        # test, plus the few queries we previously did should have
+        # accumulated some uptime.
+        out, ret = self.emulator.run("ntpq -c sysstats")
+        self.assertEqual(ret, 0)
+        sysstats = self.dict_from_ntpq_output(out)
+        up = "uptime"
+        self.assertIn(up, sysstats)
+        self.assertGreater(int(sysstats[up]), 0)

support/testing/tests/package/test_ntp/rootfs-overlay/etc/ntp.conf

@@ -0,0 +1,10 @@
+# Set an undisciplined local clock for testing without the need of
+# network connectivity.
+server 127.127.1.0 iburst prefer
+fudge  127.127.1.0 stratum 10
+
+# Keep standard access control setup. The test is doing local queries
+# from 127.0.0.1.
+restrict default nomodify nopeer noquery limited kod
+restrict 127.0.0.1
+restrict [::1]