33 files changed, 458 insertions, 89 deletions

diff --git a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/build-tests.patch b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/build-tests.patch
index e63457cf2..e63457cf2 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/build-tests.patch
+++ b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/build-tests.patch
diff --git a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/dont-include-target-CFLAGS-in-host-LDFLAGS.patch b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/dont-include-target-CFLAGS-in-host-LDFLAGS.patch
index ee756dc9e..ee756dc9e 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/dont-include-target-CFLAGS-in-host-LDFLAGS.patch
+++ b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/dont-include-target-CFLAGS-in-host-LDFLAGS.patch
diff --git a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/mkbuiltins_have_stringize.patch b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/mkbuiltins_have_stringize.patch
index c4229a7ed..c4229a7ed 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/mkbuiltins_have_stringize.patch
+++ b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/mkbuiltins_have_stringize.patch
diff --git a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/run-ptest b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/run-ptest
index 8dd3b9981..8dd3b9981 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/run-ptest
+++ b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/run-ptest
diff --git a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/string-format.patch b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/string-format.patch
index eda39649d..eda39649d 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/string-format.patch
+++ b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/string-format.patch
diff --git a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/test-output.patch b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/test-output.patch
index 2b09b7d97..2b09b7d97 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.48/test-output.patch
+++ b/import-layers/yocto-poky/meta/recipes-extended/bash/bash-3.2.57/test-output.patch
diff --git a/import-layers/yocto-poky/meta/recipes-extended/bash/bash/CVE-2016-9401.patch b/import-layers/yocto-poky/meta/recipes-extended/bash/bash/CVE-2016-9401.patch
new file mode 100644
index 000000000..28c927743
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/bash/bash/CVE-2016-9401.patch
@@ -0,0 +1,50 @@
+From fa741771ed47b30547be63b5b5dbfb51977aca12 Mon Sep 17 00:00:00 2001
+From: Chet Ramey <chet.ramey@case.edu>
+Date: Fri, 20 Jan 2017 11:47:31 -0500
+Subject: [PATCH] Bash-4.4 patch 6
+
+Bug-Reference-URL:
+https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html
+
+Reference to upstream patch:
+https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/bash44-006
+
+Bug-Description:
+Out-of-range negative offsets to popd can cause the shell to crash attempting
+to free an invalid memory block.
+
+Upstream-Status: Backport
+CVE: CVE-2016-9401
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ builtins/pushd.def | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/builtins/pushd.def b/builtins/pushd.def
+index 9c6548f..8a13bae 100644
+--- a/builtins/pushd.def
++++ b/builtins/pushd.def
+@@ -359,7 +359,7 @@ popd_builtin (list)
+ 	break;
+     }
+ 
+-  if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
++  if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
+     {
+       pushd_error (directory_list_offset, which_word ? which_word : "");
+       return (EXECUTION_FAILURE);
+@@ -381,6 +381,11 @@ popd_builtin (list)
+ 	 remove that directory from the list and shift the remainder
+ 	 of the list into place. */
+       i = (direction == '+') ? directory_list_offset - which : which;
++      if (i < 0 || i > directory_list_offset)
++	{
++	  pushd_error (directory_list_offset, which_word ? which_word : "");
++	  return (EXECUTION_FAILURE);
++	}
+       free (pushd_directory_list[i]);
+       directory_list_offset--;
+ 
+-- 
+1.9.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-extended/bash/bash_3.2.48.bb b/import-layers/yocto-poky/meta/recipes-extended/bash/bash_3.2.48.bb
deleted file mode 100644
index 6b4028df1..000000000
--- a/import-layers/yocto-poky/meta/recipes-extended/bash/bash_3.2.48.bb
+++ /dev/null
@@ -1,47 +0,0 @@
-require bash.inc
-
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=fd5d9bcabd8ed5a54a01ce8d183d592a"
-
-PR = "r11"
-
-SRC_URI = "${GNU_MIRROR}/bash/bash-${PV}.tar.gz;name=tarball \
-           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-049;apply=yes;striplevel=0;name=patch049 \
-           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-050;apply=yes;striplevel=0;name=patch050 \
-           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-051;apply=yes;striplevel=0;name=patch051 \
-           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-052;apply=yes;striplevel=0;name=patch052 \
-           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-053;apply=yes;striplevel=0;name=patch053 \
-           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-054;apply=yes;striplevel=0;name=patch054 \
-           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-055;apply=yes;striplevel=0;name=patch055 \
-           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-056;apply=yes;striplevel=0;name=patch056 \
-           ${GNU_MIRROR}/bash/bash-3.2-patches/bash32-057;apply=yes;striplevel=0;name=patch057 \
-           file://mkbuiltins_have_stringize.patch \
-           file://build-tests.patch \
-           file://test-output.patch \
-           file://run-ptest \
-           file://dont-include-target-CFLAGS-in-host-LDFLAGS.patch \
-           file://string-format.patch \
-          "
-
-SRC_URI[tarball.md5sum] = "338dcf975a93640bb3eaa843ca42e3f8"
-SRC_URI[tarball.sha256sum] = "128d281bd5682ba5f6953122915da71976357d7a76490d266c9173b1d0426348"
-SRC_URI[patch049.md5sum] = "af571a2d164d5abdcae4499e94e8892c"
-SRC_URI[patch049.sha256sum] = "b1217ed94bdb95dc878fa5cabbf8a164435eb0d9da23a392198f48566ee34a2f"
-SRC_URI[patch050.md5sum] = "8443d4385d73ec835abe401d90591377"
-SRC_URI[patch050.sha256sum] = "081bb03c580ecee63ba03b40beb3caf509eca29515b2e8dd3c078503609a1642"
-SRC_URI[patch051.md5sum] = "15c6653042e9814aa87120098fc7a849"
-SRC_URI[patch051.sha256sum] = "354886097cd95b4def77028f32ee01e2e088d58a98184fede9d3ce9320e218ef"
-SRC_URI[patch052.md5sum] = "691023a944bbb9003cc92ad462d91fa1"
-SRC_URI[patch052.sha256sum] = "a0eccf9ceda50871db10d21efdd74b99e35efbd55c970c400eeade012816bb61"
-SRC_URI[patch053.md5sum] = "eb97d1c9230a55283d9dac69d3de2e46"
-SRC_URI[patch053.sha256sum] = "fe6f0e96e0b966eaed9fb5e930ca12891f4380f30f9e0a773d200ff2063a864e"
-SRC_URI[patch054.md5sum] = "1107744058c43b247f597584b88ba0a6"
-SRC_URI[patch054.sha256sum] = "c6dab911e85688c542ce75afc175dbb4e5011de5102758e19a4a80dac1e79359"
-SRC_URI[patch055.md5sum] = "05d201176d3499e2dfa4a73d09d42f05"
-SRC_URI[patch055.sha256sum] = "c0e816700837942ed548da74e5917f74b70cbbbb10c9f2caf73e8e06a0713d0a"
-SRC_URI[patch056.md5sum] = "222eaa3a2c26f54a15aa5e08817a534a"
-SRC_URI[patch056.sha256sum] = "063a8d8d74e4407bf07a32b965b8ef6d213a66abdb6af26cc3584a437a56bbb4"
-SRC_URI[patch057.md5sum] = "47d98e3e042892495c5efe54ec6e5913"
-SRC_URI[patch057.sha256sum] = "5fc689394d515990f5ea74e2df765fc6e5e42ca44b4591b2c6f9be4b0cadf0f0"
-
-PARALLEL_MAKE = ""
diff --git a/import-layers/yocto-poky/meta/recipes-extended/bash/bash_3.2.57.bb b/import-layers/yocto-poky/meta/recipes-extended/bash/bash_3.2.57.bb
new file mode 100644
index 000000000..5c288b35a
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/bash/bash_3.2.57.bb
@@ -0,0 +1,18 @@
+require bash.inc
+
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=fd5d9bcabd8ed5a54a01ce8d183d592a"
+
+SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
+           file://mkbuiltins_have_stringize.patch \
+           file://build-tests.patch \
+           file://test-output.patch \
+           file://run-ptest \
+           file://dont-include-target-CFLAGS-in-host-LDFLAGS.patch \
+           file://string-format.patch \
+          "
+
+SRC_URI[md5sum] = "237a8767c990b43ae2c89895c2dbc062"
+SRC_URI[sha256sum] = "3fa9daf85ebf35068f090ce51283ddeeb3c75eb5bc70b1a4a7cb05868bfe06a4"
+
+PARALLEL_MAKE = ""
diff --git a/import-layers/yocto-poky/meta/recipes-extended/bash/bash_4.3.30.bb b/import-layers/yocto-poky/meta/recipes-extended/bash/bash_4.3.30.bb
index 765562fbd..b40059fa1 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/bash/bash_4.3.30.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/bash/bash_4.3.30.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
            ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-044;apply=yes;striplevel=0;name=patch044 \
            ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-045;apply=yes;striplevel=0;name=patch045 \
            ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-046;apply=yes;striplevel=0;name=patch046 \
+           ${GNU_MIRROR}/bash/bash-4.3-patches/bash43-047;apply=yes;striplevel=0;name=patch047 \
            file://execute_cmd.patch;striplevel=0 \
            file://mkbuiltins_have_stringize.patch \
            file://build-tests.patch \
@@ -30,6 +31,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
            file://fix-run-builtins.patch \
            file://0001-help-fix-printf-format-security-warning.patch \
            file://fix-run-intl.patch \
+           file://CVE-2016-9401.patch \
            "
 
 SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447"
@@ -67,5 +69,7 @@ SRC_URI[patch045.md5sum] = "4473244ca5abfd4b018ea26dc73e7412"
 SRC_URI[patch045.sha256sum] = "ba6ec3978e9eaa1eb3fabdaf3cc6fdf8c4606ac1c599faaeb4e2d69864150023"
 SRC_URI[patch046.md5sum] = "7e5fb09991c077076b86e0e057798913"
 SRC_URI[patch046.sha256sum] = "b3b456a6b690cd293353f17e22d92a202b3c8bce587ae5f2667c20c9ab6f688f"
+SRC_URI[patch047.md5sum] = "8483153bad1a6f52cadc3bd9a8df7835"
+SRC_URI[patch047.sha256sum] = "c69248de7e78ba6b92f118fe1ef47bc86479d5040fe0b1f908ace1c9e3c67c4a"
 
 BBCLASSEXTEND = "nativesdk"
diff --git a/import-layers/yocto-poky/meta/recipes-extended/chkconfig/chkconfig_1.3.58.bb b/import-layers/yocto-poky/meta/recipes-extended/chkconfig/chkconfig_1.3.58.bb
index e8390264c..2f1f6c026 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/chkconfig/chkconfig_1.3.58.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/chkconfig/chkconfig_1.3.58.bb
@@ -6,7 +6,7 @@ of the drudgery of manually editing the symbolic links."
 
 RECIPE_NO_UPDATE_REASON = "Version 1.5 requires selinux"
 
-HOMEPAGE = "http://fedorahosted.org/releases/c/h/chkconfig"
+HOMEPAGE = "https://github.com/fedora-sysv"
 
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=5574c6965ae5f583e55880e397fbb018"
@@ -16,12 +16,16 @@ PROVIDES += "virtual/update-alternatives"
 
 PR = "r7"
 
-SRC_URI = "http://fedorahosted.org/releases/c/h/chkconfig/${BPN}-${PV}.tar.bz2 \
+S = "${WORKDIR}/${BPN}-${BPN}-${PV}"
+
+UPSTREAM_CHECK_URI = "https://github.com/fedora-sysv/${BPN}/releases"
+
+SRC_URI = "https://github.com/fedora-sysv/chkconfig/archive/chkconfig-${PV}.tar.gz \
            file://replace_caddr_t.patch \
           "
 
-SRC_URI[md5sum] = "c2039ca67f2749fe0c06ef7c6f8ee246"
-SRC_URI[sha256sum] = "18b497d25b2cada955c72810e45fcad8280d105f17cf45e2970f18271211de68"
+SRC_URI[md5sum] = "3f51ac38a234be5278b3a2d9705eda5e"
+SRC_URI[sha256sum] = "bf1e81f0d7cc999b536c9fe7877abf584a4082fd03c9d2597b6f090966579b40"
 
 inherit gettext
 
diff --git a/import-layers/yocto-poky/meta/recipes-extended/cronie/cronie_1.5.1.bb b/import-layers/yocto-poky/meta/recipes-extended/cronie/cronie_1.5.1.bb
index 99b2bb5c8..6d46629ee 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/cronie/cronie_1.5.1.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/cronie/cronie_1.5.1.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "Cronie contains the standard UNIX daemon crond that runs \
 specified programs at scheduled times and related tools. It is based on the \
 original cron and has security and configuration enhancements like the \
 ability to use pam and SELinux."
-HOMEPAGE = "https://fedorahosted.org/cronie/"
+HOMEPAGE = "https://github.com/cronie-crond/cronie/"
 BUGTRACKER = "https://bugzilla.redhat.com"
 
 # Internet Systems Consortium License
@@ -14,7 +14,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=dd2a592170760e1386c769e1043b3722 \
 
 SECTION = "utils"
 
-SRC_URI = "https://fedorahosted.org/releases/c/r/cronie/cronie-${PV}.tar.gz \
+UPSTREAM_CHECK_URI = "https://github.com/cronie-crond/${BPN}/releases/"
+
+SRC_URI = "https://github.com/cronie-crond/cronie/releases/download/cronie-${PV}/cronie-${PV}.tar.gz \
            file://crond.init \
            file://crontab \
            file://crond.service \
diff --git a/import-layers/yocto-poky/meta/recipes-extended/diffutils/diffutils_3.4.bb b/import-layers/yocto-poky/meta/recipes-extended/diffutils/diffutils_3.4.bb
index cb7092b51..be280ec0f 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/diffutils/diffutils_3.4.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/diffutils/diffutils_3.4.bb
@@ -10,6 +10,9 @@ SRC_URI = "${GNU_MIRROR}/diffutils/diffutils-${PV}.tar.xz \
 
 EXTRA_OECONF += "--without-libsigsegv-prefix"
 
+# Fix "Argument list too long" error when len(TMPDIR) = 410
+acpaths = "-I ./m4"
+
 do_configure_prepend () {
 	# Need to remove gettext macros with weird mix of versions
 	for i in codeset.m4 gettext_gl.m4 intlmacosx.m4 inttypes-pri.m4 lib-ld_gl.m4 lib-prefix_gl.m4 po_gl.m4 ssize_t.m4 wchar_t.m4 wint_t.m4; do
diff --git a/import-layers/yocto-poky/meta/recipes-extended/ed/ed_1.9.bb b/import-layers/yocto-poky/meta/recipes-extended/ed/ed_1.9.bb
index f2ec42ad1..d128de321 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/ed/ed_1.9.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/ed/ed_1.9.bb
@@ -11,7 +11,7 @@ SECTION = "base"
 # LSB states that ed should be in /bin/
 bindir = "${base_bindir}"
 
-SRC_URI = "${GNU_MIRROR}/ed/ed-${PV}.tar.gz"
+SRC_URI = "https://ftp.osuosl.org/pub/blfs/conglomeration/ed/ed-${PV}.tar.gz"
 
 SRC_URI[md5sum] = "565b6d1d5a9a8816b9b304fc4ed9405d"
 SRC_URI[sha256sum] = "d5b372cfadf073001823772272fceac2cfa87552c5cd5a8efc1c8aae61f45a88"
diff --git a/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch b/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch
new file mode 100644
index 000000000..574abe0e4
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10219.patch
@@ -0,0 +1,49 @@
+From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Thu, 29 Dec 2016 15:57:43 +0000
+Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code.
+
+Arithmetic overflow due to extreme values in the scan conversion
+code can cause a division by 0.
+
+Avoid this with a simple extra check.
+
+  dx_old=cf814d81
+  endp->x_next=b0e859b9
+  alp->x_next=8069a73a
+
+leads to dx_den = 0
+
+Upstream-Status: Backport
+CVE: CVE-2016-10219
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ base/gxfill.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/base/gxfill.c b/base/gxfill.c
+index 99196c0..2f81bb0 100644
+--- a/base/gxfill.c
++++ b/base/gxfill.c
+@@ -1741,7 +1741,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
+     fixed dx_old = alp->x_current - endp->x_current;
+     fixed dx_den = dx_old + endp->x_next - alp->x_next;
+ 
+-    if (dx_den <= dx_old)
++    if (dx_den <= dx_old || dx_den == 0)
+         return false; /* Intersection isn't possible. */
+     dy = y1 - y;
+     if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n",
+@@ -1750,7 +1750,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
+     /* Do the computation in single precision */
+     /* if the values are small enough. */
+     y_new =
+-        ((dy | dx_old) < 1L << (size_of(fixed) * 4 - 1) ?
++        (((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ?
+          dy * dx_old / dx_den :
+          (INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den)))
+         + y;
+-- 
+2.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch b/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
new file mode 100644
index 000000000..5e1e8ba10
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2016-10220.patch
@@ -0,0 +1,55 @@
+From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 21 Dec 2016 16:54:14 +0000
+Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
+
+Bug #697450 "Null pointer dereference in gx_device_finalize()"
+
+The problem here is that the code to finalise a device unconditionally
+frees the icc_struct member of the device structure. However this
+particular (weird) device is not setup as a normal device, probably
+because its very, very ancient. Its possible for the initialisation
+of the device to abort with an error before calling gs_make_mem_device()
+which is where the icc_struct member gets allocated (or set to NULL).
+
+If that happens, then the cleanup code tries to free the device, which
+calls finalize() which tries to free a garbage pointer.
+
+Setting the device memory to 0x00 after we allocate it means that the
+icc_struct member will be NULL< and our memory manager allows for that
+happily enough, which avoids the problem.
+
+Upstream-Status: Backport
+CVE: CVE-2016-10220
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ base/gsdevmem.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/base/gsdevmem.c b/base/gsdevmem.c
+index 97b9cf4..fe75bcc 100644
+--- a/base/gsdevmem.c
++++ b/base/gsdevmem.c
+@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
+ 
+     if (pnew == 0)
+         return_error(gs_error_VMerror);
++
++    /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
++     * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
++     * initialisation will fail, crucially it will fail *before* it calls
++     * gs_make_mem_device() which initialises the device. This means that the
++     * icc_struct member will be uninitialsed, but the device finalise method
++     * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
++     * Apparently we do still need makeimagedevice to be available from
++     * PostScript, so in here just zero the device memory, which means that
++     * the finalise routine won't have a problem.
++     */
++    memset(pnew, 0x00, st_device_memory.ssize);
+     code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
+                                          colors, num_colors, word_oriented,
+                                          page_device, mem);
+-- 
+2.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch b/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch
new file mode 100644
index 000000000..62cc1342a
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-5951.patch
@@ -0,0 +1,44 @@
+From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 6 Apr 2017 16:44:54 +0100
+Subject: [PATCH] Bug 697548: use the correct param list enumerator
+
+When we encountered dictionary in a ref_param_list, we were using the enumerator
+for the "parent" param_list, rather than the enumerator for the param_list
+we just created for the dictionary. That parent was usually the stack
+list enumerator, and caused a segfault.
+
+Using the correct enumerator works better.
+
+Upstream-Status: Backport
+CVE: CVE-2017-5951
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ psi/iparam.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/psi/iparam.c b/psi/iparam.c
+index 4e63b6d..b2fa85f 100644
+--- a/psi/iparam.c
++++ b/psi/iparam.c
+@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
+                 gs_param_enumerator_t enumr;
+                 gs_param_key_t key;
+                 ref_type keytype;
++                dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
+ 
+                 param_init_enumerator(&enumr);
+-                if (!(*((iparam_list *) plist)->enumerate)
+-                    ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
++                if (!(*(dlist->enumerate))
++                    ((iparam_list *) dlist, &enumr, &key, &keytype)
+                     && keytype == t_integer) {
+-                    ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
++                    dlist->int_keys = 1;
+                     pvalue->type = gs_param_type_dict_int_keys;
+                 }
+             }
+-- 
+2.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch b/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch
new file mode 100644
index 000000000..a05dc02c6
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2017-7207.patch
@@ -0,0 +1,39 @@
+From 0e88bee1304993668fede72498d656a2dd33a35e Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Mon, 20 Mar 2017 09:34:11 +0000
+Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
+
+Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
+
+This is only possible by abusing/mis-using Ghostscript-specific
+language extensions, so cannot happen in a general PostScript program.
+
+Nevertheless, Ghostscript should not crash. So this commit checks the
+memory device to see if raster memory has been allocated, before trying
+to read from it.
+
+Upstream-Status: Backport
+CVE: CVE-2017-7207
+
+Author: Ken Sharp <ken.sharp@artifex.com>
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ base/gdevmem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/base/gdevmem.c b/base/gdevmem.c
+index 41108ba..183f96d 100644
+--- a/base/gdevmem.c
++++ b/base/gdevmem.c
+@@ -605,6 +605,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
+             GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
+         return_error(gs_error_rangecheck);
+     }
++    if (mdev->line_ptrs == 0x00)
++        return_error(gs_error_rangecheck);
+     if ((w <= 0) | (h <= 0)) {
+         if ((w | h) < 0)
+             return_error(gs_error_rangecheck);
+-- 
+2.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript_9.19.bb b/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript_9.19.bb
index fe2016b15..ab58157cd 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript_9.19.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/ghostscript/ghostscript_9.19.bb
@@ -30,6 +30,10 @@ SRC_URI = "${SRC_URI_BASE} \
            file://ghostscript-9.02-genarch.patch \
            file://objarch.h \
            file://cups-no-gcrypt.patch \
+           file://CVE-2017-7207.patch \
+           file://CVE-2016-10219.patch \
+           file://CVE-2016-10220.patch \
+           file://CVE-2017-5951.patch \
            "
 
 SRC_URI_class-native = "${SRC_URI_BASE} \
diff --git a/import-layers/yocto-poky/meta/recipes-extended/libarchive/libarchive_3.2.1.bb b/import-layers/yocto-poky/meta/recipes-extended/libarchive/libarchive_3.2.2.bb
index b65b5df01..7917ce707 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/libarchive/libarchive_3.2.1.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/libarchive/libarchive_3.2.2.bb
@@ -34,8 +34,8 @@ PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4,"
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            "
 
-SRC_URI[md5sum] = "afa257047d1941a565216edbf0171e72"
-SRC_URI[sha256sum] = "72ee1a4e3fd534525f13a0ba1aa7b05b203d186e0c6072a8a4738649d0b3cfd2"
+SRC_URI[md5sum] = "1ec00b7dcaf969dd2a5712f85f23c764"
+SRC_URI[sha256sum] = "691c194ee132d1f0f7a42541f091db811bc2e56f7107e9121be2bc8c04f1060f"
 
 inherit autotools update-alternatives pkgconfig
 
@@ -48,7 +48,7 @@ do_configure_prepend() {
 	cp -R ${STAGING_INCDIR_NATIVE}/ext2fs ${WORKDIR}/extra-includes/
 }
 
-ALTERNATIVE_PRIORITY = "100"
+ALTERNATIVE_PRIORITY = "80"
 
 PACKAGES =+ "bsdtar"
 FILES_bsdtar = "${bindir}/bsdtar"
diff --git a/import-layers/yocto-poky/meta/recipes-extended/libuser/libuser_0.62.bb b/import-layers/yocto-poky/meta/recipes-extended/libuser/libuser_0.62.bb
index 3d0b516ab..07028d55a 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/libuser/libuser_0.62.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/libuser/libuser_0.62.bb
@@ -1,8 +1,8 @@
 SUMMARY = "user and group account administration library"
 DESCRIPTION = "The libuser library implements a standardized interface for manipulating and administering user \
 and group accounts"
-HOMEPAGE = "https://fedorahosted.org/libuser/"
-BUGTRACKER = "https://fedorahosted.org/libuser/newticket"
+HOMEPAGE = "https://pagure.io/libuser"
+BUGTRACKER = "https://pagure.io/libuser/issues"
 
 LICENSE = "LGPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2 \
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2 \
 
 SECTION = "base"
 
-SRC_URI = "https://fedorahosted.org/releases/l/i/libuser/libuser-${PV}.tar.xz \
+SRC_URI = "https://releases.pagure.org/libuser/libuser-${PV}.tar.xz \
            file://0001-Check-for-issetugid.patch \
            file://0002-remove-unused-execinfo.h.patch \
            file://0001-modules-files.c-parse_field-fix-string-formating-in-.patch \
diff --git a/import-layers/yocto-poky/meta/recipes-extended/logrotate/logrotate_3.9.1.bb b/import-layers/yocto-poky/meta/recipes-extended/logrotate/logrotate_3.9.1.bb
index 5f1a601ae..5bd338117 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/logrotate/logrotate_3.9.1.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/logrotate/logrotate_3.9.1.bb
@@ -1,6 +1,6 @@
 SUMMARY = "Rotates, compresses, removes and mails system log files"
 SECTION = "console/utils"
-HOMEPAGE = "https://fedorahosted.org/logrotate/"
+HOMEPAGE = "https://github.com/logrotate/logrotate/issues"
 LICENSE = "GPLv2"
 
 # TODO: logrotate 3.8.8 adds autotools/automake support, update recipe to use it.
@@ -10,14 +10,23 @@ DEPENDS="coreutils popt"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=18810669f13b87348459e611d31ab760"
 
-SRC_URI = "https://fedorahosted.org/releases/l/o/logrotate/logrotate-${PV}.tar.gz \
+# When updating logrotate to latest upstream, SRC_URI should point to
+# a proper release tarball from https://github.com/logrotate/logrotate/releases
+# and we have to take the snapshot for now because there is no such
+# tarball available for 3.9.1.
+
+S = "${WORKDIR}/${BPN}-r3-9-1"
+
+UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
+
+SRC_URI = "https://github.com/${BPN}/${BPN}/archive/r3-9-1.tar.gz \
            file://act-as-mv-when-rotate.patch \
            file://update-the-manual.patch \
            file://disable-check-different-filesystems.patch \
             "
 
-SRC_URI[md5sum] = "4492b145b6d542e4a2f41e77fa199ab0"
-SRC_URI[sha256sum] = "022769e3288c80981559a8421703c88e8438b447235e36dd3c8e97cd94c52545"
+SRC_URI[md5sum] = "8572b7c2cf9ade09a8a8e10098500fb3"
+SRC_URI[sha256sum] = "5bf8e478c428e7744fefa465118f8296e7e771c981fb6dffb7527856a0ea3617"
 
 PACKAGECONFIG ?= "\
     ${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)} \
diff --git a/import-layers/yocto-poky/meta/recipes-extended/lsof/lsof_4.89.bb b/import-layers/yocto-poky/meta/recipes-extended/lsof/lsof_4.89.bb
index b732cf0ac..29245b1ab 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/lsof/lsof_4.89.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/lsof/lsof_4.89.bb
@@ -1,20 +1,24 @@
 SUMMARY = "LiSt Open Files tool"
 DESCRIPTION = "Lsof is a Unix-specific diagnostic tool. \
 Its name stands for LiSt Open Files, and it does just that."
+HOMEPAGE = "http://people.freebsd.org/~abe/"
 SECTION = "devel"
 LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://00README;beginline=645;endline=679;md5=964df275d26429ba3b39dbb9f205172a"
 
-SRC_URI = "ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_${PV}.tar.bz2"
+# Upstream lsof releases are hosted on an ftp server which times out download
+# attempts from hosts for which it can not perform a DNS reverse-lookup (See:
+# https://people.freebsd.org/~abe/ ). http://www.mirrorservice.org seems to be
+# the most commonly used alternative.
+
+SRC_URI = "http://www.mirrorservice.org/sites/lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_${PV}.tar.bz2"
 
 SRC_URI[md5sum] = "1b9cd34f3fb86856a125abbf2be3a386"
 SRC_URI[sha256sum] = "81ac2fc5fdc944793baf41a14002b6deb5a29096b387744e28f8c30a360a3718"
 
-UPSTREAM_CHECK_URI = "http://www.mirrorservice.org/sites/lsof.itap.purdue.edu/pub/tools/unix/lsof"
-
 LOCALSRC = "file://${WORKDIR}/lsof_${PV}/lsof_${PV}_src.tar"
-S = "${WORKDIR}/lsof_${PV}_src"
 
-LIC_FILES_CHKSUM = "file://${S}/00README;beginline=645;endline=679;md5=964df275d26429ba3b39dbb9f205172a"
+S = "${WORKDIR}/lsof_${PV}_src"
 
 python do_unpack () {
     # temporarily change S for unpack
@@ -36,11 +40,11 @@ export LSOF_INCLUDE = "${STAGING_INCDIR}"
 do_configure () {
 	export LSOF_AR="${AR} cr"
 	export LSOF_RANLIB="${RANLIB}"
-        if [ "x${GLIBCVERSION}" != "x" ];then
-                LINUX_CLIB=`echo ${GLIBCVERSION} |sed -e 's,\.,,g'`
-                LINUX_CLIB="-DGLIBCV=${LINUX_CLIB}"
-                export LINUX_CLIB
-        fi
+	if [ "x${GLIBCVERSION}" != "x" ]; then
+		LINUX_CLIB=`echo ${GLIBCVERSION} |sed -e 's,\.,,g'`
+		LINUX_CLIB="-DGLIBCV=${LINUX_CLIB}"
+		export LINUX_CLIB
+	fi
 	yes | ./Configure linux
 }
 
@@ -53,6 +57,6 @@ do_compile () {
 
 do_install () {
 	install -d ${D}${sbindir} ${D}${mandir}/man8
-	install -m 4755 lsof ${D}${sbindir}/lsof
+	install -m 0755 lsof ${D}${sbindir}/lsof
 	install -m 0644 lsof.8 ${D}${mandir}/man8/lsof.8
 }
diff --git a/import-layers/yocto-poky/meta/recipes-extended/newt/libnewt_0.52.19.bb b/import-layers/yocto-poky/meta/recipes-extended/newt/libnewt_0.52.19.bb
index a26ce1fbe..de76ce20c 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/newt/libnewt_0.52.19.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/newt/libnewt_0.52.19.bb
@@ -8,7 +8,7 @@ shared library needed by programs built with newt, as well as a \
 /usr/bin/dialog replacement called whiptail.  Newt is based on the \
 slang library."
 
-HOMEPAGE = "https://fedorahosted.org/newt/"
+HOMEPAGE = "https://releases.pagure.org/newt/"
 SECTION = "libs"
 
 LICENSE = "LGPLv2"
@@ -17,7 +17,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
 # slang needs to be >= 2.2
 DEPENDS = "slang popt"
 
-SRC_URI = "https://fedorahosted.org/releases/n/e/newt/newt-${PV}.tar.gz \
+SRC_URI = "https://releases.pagure.org/newt/newt-${PV}.tar.gz \
            file://fix_SHAREDDIR.patch \
            file://cross_ar.patch \
            file://Makefile.in-Add-tinfo-library-to-the-linking-librari.patch \
diff --git a/import-layers/yocto-poky/meta/recipes-extended/shadow/shadow.inc b/import-layers/yocto-poky/meta/recipes-extended/shadow/shadow.inc
index 35a18f8ab..f79565b35 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/shadow/shadow.inc
+++ b/import-layers/yocto-poky/meta/recipes-extended/shadow/shadow.inc
@@ -180,11 +180,12 @@ ALTERNATIVE_${PN}-base = "newgrp groups login su"
 ALTERNATIVE_LINK_NAME[login] = "${base_bindir}/login"
 ALTERNATIVE_LINK_NAME[su] = "${base_bindir}/su"
 
-ALTERNATIVE_${PN}-doc = "passwd.5 getspnam.3 groups.1 su.1"
+ALTERNATIVE_${PN}-doc = "passwd.5 getspnam.3 groups.1 su.1 nologin.8"
 ALTERNATIVE_LINK_NAME[passwd.5] = "${mandir}/man5/passwd.5"
 ALTERNATIVE_LINK_NAME[getspnam.3] = "${mandir}/man3/getspnam.3"
 ALTERNATIVE_LINK_NAME[groups.1] = "${mandir}/man1/groups.1"
 ALTERNATIVE_LINK_NAME[su.1] = "${mandir}/man1/su.1"
+ALTERNATIVE_LINK_NAME[nologin.8] = "${mandir}/man8/nologin.8"
 
 pkg_postinst_${PN} () {
 	if [ "x$D" != "x" ]; then
diff --git a/import-layers/yocto-poky/meta/recipes-extended/slang/slang/no-x.patch b/import-layers/yocto-poky/meta/recipes-extended/slang/slang/no-x.patch
new file mode 100644
index 000000000..d7666bfc8
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/slang/slang/no-x.patch
@@ -0,0 +1,14 @@
+There's no need to check for the X libraries as the socket module doesn't use
+anything from X.
+
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/autoconf/configure.ac b/autoconf/configure.ac
+index b61e974..a3e5db2 100644
+--- a/autoconf/configure.ac
++++ b/autoconf/configure.ac
+@@ -72,3 +71,0 @@ AC_SUBST(LIB_READLINE)
+-# For the socket module
+-AC_PATH_XTRA
+-
diff --git a/import-layers/yocto-poky/meta/recipes-extended/slang/slang_2.3.0.bb b/import-layers/yocto-poky/meta/recipes-extended/slang/slang_2.3.0.bb
index 17efbbe22..d5967d25d 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/slang/slang_2.3.0.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/slang/slang_2.3.0.bb
@@ -9,7 +9,7 @@ to recode S-Lang procedures in C if you need to."
 
 HOMEPAGE = "http://www.jedsoft.org/slang/"
 SECTION = "libs"
-DEPENDS = "pcre ncurses"
+DEPENDS = "ncurses virtual/libiconv"
 
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=a52a18a472d4f7e45479b06563717c02"
@@ -20,17 +20,23 @@ SRC_URI = "http://www.jedsoft.org/releases/${BPN}/${BP}.tar.bz2 \
            file://fix-check-pcre.patch \
            file://slang-fix-the-iconv-existence-checking.patch \
            file://0001-Fix-error-conflicting-types-for-posix_close.patch \
+           file://no-x.patch \
           "
+SRC_URI[md5sum] = "3bcc790460d52db1316c20395b7ac2f1"
+SRC_URI[sha256sum] = "f95224060f45e0d8212a5039b339afa5f1a94a1bb0298e796104e5b12e926129"
+
 UPSTREAM_CHECK_URI = "http://www.jedsoft.org/releases/slang/"
+PREMIRRORS_append = "\n http://www.jedsoft.org/releases/slang/.* http://www.jedsoft.org/releases/slang/old/ \n"
 
 inherit autotools-brokensep
-
 CLEANBROKEN = "1"
 
-SRC_URI[md5sum] = "3bcc790460d52db1316c20395b7ac2f1"
-SRC_URI[sha256sum] = "f95224060f45e0d8212a5039b339afa5f1a94a1bb0298e796104e5b12e926129"
+EXTRA_OECONF = "--without-onig"
 
-EXTRA_OECONF += " --without-z --without-png --without-onig --x-includes=${STAGING_DIR_HOST}/usr/include/X11 --x-libraries=${STAGING_DIR_HOST}/usr/lib"
+PACKAGECONFIG ??= "pcre"
+PACKAGECONFIG[pcre] = "--with-pcre,--without-pcre,pcre"
+PACKAGECONFIG[png] = "--with-png,--without-png,libpng"
+PACKAGECONFIG[zlib] = "--with-z,--without-z,zlib"
 
 do_configure_prepend() {
     # slang keeps configure.ac and rest of autoconf files in autoconf/ directory
@@ -47,5 +53,6 @@ do_install() {
 FILES_${PN} += "${libdir}/${BPN}/v2/modules/ ${datadir}/slsh/"
 
 PARALLEL_MAKE = ""
+PARALLEL_MAKEINST = ""
 
 BBCLASSEXTEND = "native"
diff --git a/import-layers/yocto-poky/meta/recipes-extended/tar/tar/CVE-2016-6321.patch b/import-layers/yocto-poky/meta/recipes-extended/tar/tar/CVE-2016-6321.patch
new file mode 100644
index 000000000..6d35bcc51
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/tar/tar/CVE-2016-6321.patch
@@ -0,0 +1,66 @@
+From 7340f67b9860ea0531c1450e5aa261c50f67165d Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@Penguin.CS.UCLA.EDU>
+Date: Sat, 29 Oct 2016 21:04:40 -0700
+Subject: [PATCH] When extracting, skip ".." members
+
+* NEWS: Document this.
+* src/extract.c (extract_archive): Skip members whose names
+contain "..".
+
+CVE: CVE-2016-6321
+Upstream-Status: Backport
+
+Cherry picked from commit: 7340f67 When extracting, skip ".." members
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ NEWS          | 8 +++++++-
+ src/extract.c | 8 ++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 501164a..fc97cfc 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+-GNU tar NEWS - User visible changes. 2016-05-16
++GNU tar NEWS - User visible changes. 2016-10-29
+ Please send GNU tar bug reports to <bug-tar@gnu.org>
+ 
++* Member names containing '..' components are now skipped when extracting.
++
++This fixes tar's behavior to match its documentation, and is a bit
++safer when extracting untrusted archives over old files (an unsafe
++practice that the tar manual has long recommended against).
++
+ 
+ version 1.29 - Sergey Poznyakoff, 2016-05-16
+ 
+diff --git a/src/extract.c b/src/extract.c
+index f982433..7904148 100644
+--- a/src/extract.c
++++ b/src/extract.c
+@@ -1629,12 +1629,20 @@ extract_archive (void)
+ {
+   char typeflag;
+   tar_extractor_t fun;
++  bool skip_dotdot_name;
+ 
+   fatal_exit_hook = extract_finish;
+ 
+   set_next_block_after (current_header);
+ 
++  skip_dotdot_name = (!absolute_names_option
++		      && contains_dot_dot (current_stat_info.orig_file_name));
++  if (skip_dotdot_name)
++    ERROR ((0, 0, _("%s: Member name contains '..'"),
++	    quotearg_colon (current_stat_info.orig_file_name)));
++
+   if (!current_stat_info.file_name[0]
++      || skip_dotdot_name
+       || (interactive_option
+ 	  && !confirm ("extract", current_stat_info.file_name)))
+     {
+-- 
+1.9.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-extended/tar/tar_1.29.bb b/import-layers/yocto-poky/meta/recipes-extended/tar/tar_1.29.bb
index efce57d9d..f22d9c938 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/tar/tar_1.29.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/tar/tar_1.29.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 SRC_URI += "file://remove-gets.patch \
             file://musl_dirent.patch \
+            file://CVE-2016-6321.patch \
            "
 SRC_URI[md5sum] = "955cd533955acb1804b83fd70218da51"
 SRC_URI[sha256sum] = "236b11190c0a3a6885bdb8d61424f2b36a5872869aa3f7f695dea4b4843ae2f2"
diff --git a/import-layers/yocto-poky/meta/recipes-extended/texi2html/files/0001-Allow-compiling-out-of-source.patch b/import-layers/yocto-poky/meta/recipes-extended/texi2html/files/0001-Allow-compiling-out-of-source.patch
new file mode 100644
index 000000000..0cf025ff4
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-extended/texi2html/files/0001-Allow-compiling-out-of-source.patch
@@ -0,0 +1,39 @@
+From: Olaf Mandel <o.mandel@menlosystems.com>
+Date: Fri, 21 Oct 2016 13:04:44 +0000
+Subject: [PATCH] Allow compiling out-of-source
+
+Upstream-Status: Backport of [svn://svn.sv.gnu.org/texinfo/trunk r3602]
+---
+ Makefile.am | 2 +-
+ Makefile.in | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 3447463..c9b5b5c 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -208,7 +208,7 @@ i18n/en.thl i18n/: $(po_document_dir)/po_document/$(PACKAGE)_document.pot
+ 	  done; \
+ 	  msgexec -i $< "$(srcdir)/gettext_to_separated.pl" | "$(srcdir)/separated_to_hash.pl" en > i18n/en.thl; \
+ 	else \
+-	  cp -p i18n_ref/*.thl i18n; \
++	  cp -p "$(srcdir)/i18n_ref/"*.thl i18n; \
+ 	fi
+ 
+ i18n_ref:
+diff --git a/Makefile.in b/Makefile.in
+index 4264b37..a13f84d 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -1126,7 +1126,7 @@ i18n/en.thl i18n/: $(po_document_dir)/po_document/$(PACKAGE)_document.pot
+ 	  done; \
+ 	  msgexec -i $< "$(srcdir)/gettext_to_separated.pl" | "$(srcdir)/separated_to_hash.pl" en > i18n/en.thl; \
+ 	else \
+-	  cp -p i18n_ref/*.thl i18n; \
++	  cp -p "$(srcdir)/i18n_ref/"*.thl i18n; \
+ 	fi
+ 
+ i18n_ref:
+-- 
+2.1.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-extended/texi2html/texi2html_5.0.bb b/import-layers/yocto-poky/meta/recipes-extended/texi2html/texi2html_5.0.bb
index eac289e3b..ae64816f8 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/texi2html/texi2html_5.0.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/texi2html/texi2html_5.0.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552"
 PR = "r2"
 
 SRC_URI     = "${SAVANNAH_GNU_MIRROR}/texi2html/${BPN}-${PV}.tar.bz2 \
+               file://0001-Allow-compiling-out-of-source.patch \
                "
 
 SRC_URI[md5sum] = "f15ac876fcdc8be865b16535f480aa54"
diff --git a/import-layers/yocto-poky/meta/recipes-extended/tzcode/tzcode-native_2016g.bb b/import-layers/yocto-poky/meta/recipes-extended/tzcode/tzcode-native_2017a.bb
index a2e621741..2c26744f3 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/tzcode/tzcode-native_2016g.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/tzcode/tzcode-native_2017a.bb
@@ -9,15 +9,17 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz
            http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata"
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
 
-SRC_URI[tzcode.md5sum] = "f89867013676e3cb9544be2df7d36a91"
-SRC_URI[tzcode.sha256sum] = "1ff90b47ad7986140a513b5287b1851c40f80fd44fd636db5cc5b46d06f9fa2b"
-SRC_URI[tzdata.md5sum] = "3c7e97ec8527211104d27cc1d97a23de"
-SRC_URI[tzdata.sha256sum] = "3c7137b2bc47323b0de47b77786bacf81ed503d4b2c693ff8ada2fbd1281ebd1"
+SRC_URI[tzcode.md5sum] = "eef0bfac7a52dce6989a7d8b40d86fe0"
+SRC_URI[tzcode.sha256sum] = "02f2c6b58b99edd0d47f0cad34075b359fd1a4dab71850f493b0404ded3b38ac"
+SRC_URI[tzdata.md5sum] = "cb8274cd175f8a4d9d1b89895df876dc"
+SRC_URI[tzdata.sha256sum] = "df3a5c4d0a2cf0cde0b3f35796ccf6c9acfd598b8e70f8dece5404cd7626bbd6"
 
 S = "${WORKDIR}"
 
 inherit native
 
+EXTRA_OEMAKE += "cc=${CC}"
+
 do_install () {
         install -d ${D}${bindir}/
         install -m 755 zic ${D}${bindir}/
diff --git a/import-layers/yocto-poky/meta/recipes-extended/tzdata/tzdata_2016g.bb b/import-layers/yocto-poky/meta/recipes-extended/tzdata/tzdata_2017a.bb
index 3ee4b5af6..ce59d7102 100644
--- a/import-layers/yocto-poky/meta/recipes-extended/tzdata/tzdata_2016g.bb
+++ b/import-layers/yocto-poky/meta/recipes-extended/tzdata/tzdata_2017a.bb
@@ -9,8 +9,8 @@ DEPENDS = "tzcode-native"
 SRC_URI = "http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata"
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
 
-SRC_URI[tzdata.md5sum] = "3c7e97ec8527211104d27cc1d97a23de"
-SRC_URI[tzdata.sha256sum] = "3c7137b2bc47323b0de47b77786bacf81ed503d4b2c693ff8ada2fbd1281ebd1"
+SRC_URI[tzdata.md5sum] = "cb8274cd175f8a4d9d1b89895df876dc"
+SRC_URI[tzdata.sha256sum] = "df3a5c4d0a2cf0cde0b3f35796ccf6c9acfd598b8e70f8dece5404cd7626bbd6"
 
 inherit allarch