[OE-core][whinlatter][PATCH 01/12] ccache: upgrade 4.12.2 -> 4.12.3

[OE-core][whinlatter][PATCH 01/12] ccache: upgrade 4.12.2 -> 4.12.3

[ankur.tyagi85]

From: Wang Mingyu <wangmy@fujitsu.com>

License-Update: Copyright year updated to 2026

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 76a5917034080a87c02f79bb925edf0746bf8baf)

Bug fix release:
https://ccache.dev/releasenotes.html#_ccache_4_12_3

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../ccache/{ccache_4.12.2.bb => ccache_4.12.3.bb}             | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/ccache/{ccache_4.12.2.bb => ccache_4.12.3.bb} (88%)

diff --git a/meta/recipes-devtools/ccache/ccache_4.12.2.bb b/meta/recipes-devtools/ccache/ccache_4.12.3.bb
similarity index 88%
rename from meta/recipes-devtools/ccache/ccache_4.12.2.bb
rename to meta/recipes-devtools/ccache/ccache_4.12.3.bb
index 28f36e5ed7..0cd9a43a1b 100644
--- a/meta/recipes-devtools/ccache/ccache_4.12.2.bb
+++ b/meta/recipes-devtools/ccache/ccache_4.12.3.bb
@@ -7,7 +7,7 @@ HOMEPAGE = "http://ccache.samba.org"
 SECTION = "devel"
 
 LICENSE = "GPL-3.0-or-later & MIT & BSL-1.0 & ISC"
-LIC_FILES_CHKSUM = "file://LICENSE.adoc;md5=5633f18ca110f0d4cb907eba07c920ef \
+LIC_FILES_CHKSUM = "file://LICENSE.adoc;md5=22ef4326c8a14ac937fc2b76ef0fd233 \
                     file://src/third_party/cpp-httplib/httplib.h;endline=6;md5=663aca6f84e7d67ade228aad32afc0ea \
                     file://src/third_party/nonstd-span/nonstd/span.hpp;endline=9;md5=b4af92a7f068b38c5b3410dceb30c186 \
                     file://src/third_party/win32-compat/win32/mktemp.c;endline=17;md5=d287e9c1f1cd2bb2bd164490e1cf449a \
@@ -17,7 +17,7 @@ DEPENDS = "zstd fmt xxhash"
 
 SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz"
 
-SRC_URI[sha256sum] = "2a087efb66b62d4c66d4eb276748bbfa797ff3bde20adf44c53e5a8b9f3679af"
+SRC_URI[sha256sum] = "d683d5964a395f00c1c812ea1d1d523179f1097cbff7e7e54e714fa3f99711b1"
 
 inherit cmake github-releases
 

[OE-core][whinlatter][PATCH 02/12] libsoup: upgrade 3.6.5 -> 3.6.6

[ankur.tyagi85]

From: Wang Mingyu <wangmy@fujitsu.com>

Changelog:
============
* websocket: Fix out-of-bounds read in process_frame
* Check nulls returned by soup_date_time_new_from_http_string()
* Numerous fixes to handling of Range headers
* server: close the connection after responsing a request containing Content-Length and Transfer-Encoding
* Use CRLF as line boundary when parsing chunked enconding data
* websocket: do not accept messages frames after closing due to an error
* Sanitize filename of content disposition header values
* Always validate the headers value when coming from untrusted source
* uri-utils: do host validation when checking if a GUri is valid
* multipart: check length of bytes read soup_filter_input_stream_read_until()
* message-headers: Reject duplicate Host headers
* server: null-check soup_date_time_to_string()
* auth-digest: fix crash in soup_auth_digest_get_protection_space()
* session: fix 'heap-use-after-free' caused by 'finishing' queue item twice
* cookies: Avoid expires attribute if date is invalid
* http1: Set EOF flag once content-length bytes have been read
* date-utils: Add value checks for date/time parsing
* multipart: Fix multiple boundry limits
* Fixed multiple possible memory leaks
* message-headers: Correct merge of ranges
* body-input-stream: Correct chunked trailers end detection
* server-http2: Correctly validate URIs
* multipart: Fix read out of buffer bounds under soup_multipart_new_from_message()
* headers: Ensure Request-Line comprises entire first line
* tests: Fix MSVC build error
* Fix possible deadlock on init from gmodule usage
* Add Cornish translation
* Update Turkish translation
* Update Uighur translation
* Update Romanian translation
* Add Uzbek (Latin) translation
* Add Kazakh translation

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b6fb8f26a26a28a13f64c4c31003b2d0bf1061a2)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../libsoup/{libsoup_3.6.5.bb => libsoup_3.6.6.bb}              | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/libsoup/{libsoup_3.6.5.bb => libsoup_3.6.6.bb} (95%)

diff --git a/meta/recipes-support/libsoup/libsoup_3.6.5.bb b/meta/recipes-support/libsoup/libsoup_3.6.6.bb
similarity index 95%
rename from meta/recipes-support/libsoup/libsoup_3.6.5.bb
rename to meta/recipes-support/libsoup/libsoup_3.6.6.bb
index 549bbb7981..f9dd5311a4 100644
--- a/meta/recipes-support/libsoup/libsoup_3.6.5.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.6.6.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
 
 DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl nghttp2"
 
-SRC_URI[archive.sha256sum] = "6891765aac3e949017945c3eaebd8cc8216df772456dc9f460976fbdb7ada234"
+SRC_URI[archive.sha256sum] = "51ed0ae06f9d5a40f401ff459e2e5f652f9a510b7730e1359ee66d14d4872740"
 
 PROVIDES = "libsoup-3.0"
 

[OE-core][whinlatter][PATCH 03/12] libsoup: fix CVE-2025-32049/CVE-2026-1539

[ankur.tyagi85]

From: Changqing Li <changqing.li@windriver.com>

Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/390
https://gitlab.gnome.org/GNOME/libsoup/-/issues/489

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c226dc8a4129717b433863f70fd90d66380eb571)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../libsoup/libsoup/CVE-2025-32049-1.patch    | 229 ++++++++++++++
 .../libsoup/libsoup/CVE-2025-32049-2.patch    |  34 ++
 .../libsoup/libsoup/CVE-2025-32049-3.patch    | 133 ++++++++
 .../libsoup/libsoup/CVE-2025-32049-4.patch    | 291 ++++++++++++++++++
 .../libsoup/libsoup/CVE-2026-1539.patch       |  97 ++++++
 meta/recipes-support/libsoup/libsoup_3.6.6.bb |   7 +
 6 files changed, 791 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32049-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32049-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32049-3.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-32049-4.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2026-1539.patch

diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-1.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-1.patch
new file mode 100644
index 0000000000..adec7b3cf0
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-1.patch
@@ -0,0 +1,229 @@
+From 46338bccc2ad9c34f892af19123f64ca2d9d866f Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Wed, 24 Jul 2024 15:20:35 +0200
+Subject: [PATCH 1/4] websocket: add a way to restrict the total message size
+
+Otherwise a client could send small packages smaller than
+total-incoming-payload-size but still to break the server
+with a big allocation
+
+Fixes: #390
+
+Change SOUP_AVAILABLE_IN_3_8 to SOUP_AVAILABLE_IN_3_6
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/db87805ab565d67533dfed2cb409dbfd63c7fdce]
+CVE: CVE-2025-32049
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/websocket/soup-websocket-connection.c | 106 +++++++++++++++++-
+ libsoup/websocket/soup-websocket-connection.h |   7 ++
+ 2 files changed, 110 insertions(+), 3 deletions(-)
+
+diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
+index 36e8459..a4fc36e 100644
+--- a/libsoup/websocket/soup-websocket-connection.c
++++ b/libsoup/websocket/soup-websocket-connection.c
+@@ -78,6 +78,7 @@ enum {
+ 	PROP_KEEPALIVE_INTERVAL,
+ 	PROP_KEEPALIVE_PONG_TIMEOUT,
+ 	PROP_EXTENSIONS,
++	PROP_MAX_TOTAL_MESSAGE_SIZE,
+ 
+         LAST_PROPERTY
+ };
+@@ -120,6 +121,7 @@ typedef struct {
+ 	char *origin;
+ 	char *protocol;
+ 	guint64 max_incoming_payload_size;
++	guint64 max_total_message_size;
+ 	guint keepalive_interval;
+ 	guint keepalive_pong_timeout;
+ 	guint64 last_keepalive_seq_num;
+@@ -164,6 +166,7 @@ typedef struct {
+ } SoupWebsocketConnectionPrivate;
+ 
+ #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT   128 * 1024
++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT   128 * 1024
+ #define READ_BUFFER_SIZE 1024
+ #define MASK_LENGTH 4
+ 
+@@ -696,8 +699,8 @@ bad_data_error_and_close (SoupWebsocketConnection *self)
+ }
+ 
+ static void
+-too_big_error_and_close (SoupWebsocketConnection *self,
+-                         guint64 payload_len)
++too_big_incoming_payload_error_and_close (SoupWebsocketConnection *self,
++                                          guint64 payload_len)
+ {
+         SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self);
+ 	GError *error;
+@@ -713,6 +716,24 @@ too_big_error_and_close (SoupWebsocketConnection *self,
+ 	emit_error_and_close (self, error, TRUE);
+ }
+ 
++static void
++too_big_message_error_and_close (SoupWebsocketConnection *self,
++                                 guint64 len)
++{
++	SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self);
++	GError *error;
++
++	error = g_error_new_literal (SOUP_WEBSOCKET_ERROR,
++				     SOUP_WEBSOCKET_CLOSE_TOO_BIG,
++				     priv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ?
++				     "Received WebSocket payload from the client larger than configured max-total-message-size" :
++				     "Received WebSocket payload from the server larger than configured max-total-message-size");
++	g_debug ("%s received message of size %" G_GUINT64_FORMAT " or greater, but max supported size is %" G_GUINT64_FORMAT,
++	         priv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ? "server" : "client",
++	         len, priv->max_total_message_size);
++	emit_error_and_close (self, error, TRUE);
++}
++
+ static void
+ close_connection (SoupWebsocketConnection *self,
+                   gushort                  code,
+@@ -973,6 +994,12 @@ process_contents (SoupWebsocketConnection *self,
+ 		switch (priv->message_opcode) {
+ 		case 0x01:
+ 		case 0x02:
++			/* Safety valve */
++			if (priv->max_total_message_size > 0 &&
++			    (priv->message_data->len + payload_len) > priv->max_total_message_size) {
++				too_big_message_error_and_close (self, (priv->message_data->len + payload_len));
++				return;
++			}
+ 			g_byte_array_append (priv->message_data, payload, payload_len);
+ 			break;
+ 		default:
+@@ -1111,7 +1138,7 @@ process_frame (SoupWebsocketConnection *self)
+ 	/* Safety valve */
+ 	if (priv->max_incoming_payload_size > 0 &&
+ 	    payload_len > priv->max_incoming_payload_size) {
+-		too_big_error_and_close (self, payload_len);
++		too_big_incoming_payload_error_and_close (self, payload_len);
+ 		return FALSE;
+ 	}
+ 
+@@ -1428,6 +1455,10 @@ soup_websocket_connection_get_property (GObject *object,
+ 		g_value_set_pointer (value, priv->extensions);
+ 		break;
+ 
++        case PROP_MAX_TOTAL_MESSAGE_SIZE:
++		g_value_set_uint64 (value, priv->max_total_message_size);
++		break;
++
+ 	default:
+ 		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+ 		break;
+@@ -1486,6 +1517,10 @@ soup_websocket_connection_set_property (GObject *object,
+ 		priv->extensions = g_value_get_pointer (value);
+ 		break;
+ 
++	case PROP_MAX_TOTAL_MESSAGE_SIZE:
++		priv->max_total_message_size = g_value_get_uint64 (value);
++		break;
++
+ 	default:
+ 		G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+ 		break;
+@@ -1716,6 +1751,26 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass)
+                                       G_PARAM_CONSTRUCT_ONLY |
+                                       G_PARAM_STATIC_STRINGS);
+ 
++	/**
++	 * SoupWebsocketConnection:max-total-message-size:
++	 *
++	 * The total message size for incoming packets.
++	 *
++	 * The protocol expects or 0 to not limit it.
++	 *
++	 * Since: 3.8
++	 */
++        properties[PROP_MAX_TOTAL_MESSAGE_SIZE] =
++                g_param_spec_uint64 ("max-total-message-size",
++                                     "Max total message size",
++                                     "Max total message size ",
++                                     0,
++                                     G_MAXUINT64,
++                                     MAX_TOTAL_MESSAGE_SIZE_DEFAULT,
++                                     G_PARAM_READWRITE |
++                                     G_PARAM_CONSTRUCT |
++                                     G_PARAM_STATIC_STRINGS);
++
+         g_object_class_install_properties (gobject_class, LAST_PROPERTY, properties);
+ 
+ 	/**
+@@ -2186,6 +2241,51 @@ soup_websocket_connection_set_max_incoming_payload_size (SoupWebsocketConnection
+ 	}
+ }
+ 
++/**
++ * soup_websocket_connection_get_max_total_message_size:
++ * @self: the WebSocket
++ *
++ * Gets the maximum total message size allowed for packets.
++ *
++ * Returns: the maximum total message size.
++ *
++ * Since: 3.8
++ */
++guint64
++soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *self)
++{
++	SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self);
++
++	g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT);
++
++	return priv->max_total_message_size;
++}
++
++/**
++ * soup_websocket_connection_set_max_total_message_size:
++ * @self: the WebSocket
++ * @max_total_message_size: the maximum total message size
++ *
++ * Sets the maximum total message size allowed for packets.
++ *
++ * It does not limit the outgoing packet size.
++ *
++ * Since: 3.8
++ */
++void
++soup_websocket_connection_set_max_total_message_size (SoupWebsocketConnection *self,
++                                                      guint64                  max_total_message_size)
++{
++	SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self);
++
++	g_return_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self));
++
++	if (priv->max_total_message_size != max_total_message_size) {
++		priv->max_total_message_size = max_total_message_size;
++		g_object_notify_by_pspec (G_OBJECT (self), properties[PROP_MAX_TOTAL_MESSAGE_SIZE]);
++	}
++}
++
+ /**
+  * soup_websocket_connection_get_keepalive_interval:
+  * @self: the WebSocket
+diff --git a/libsoup/websocket/soup-websocket-connection.h b/libsoup/websocket/soup-websocket-connection.h
+index f047c0a..ea0cb58 100644
+--- a/libsoup/websocket/soup-websocket-connection.h
++++ b/libsoup/websocket/soup-websocket-connection.h
+@@ -88,6 +88,13 @@ SOUP_AVAILABLE_IN_ALL
+ void                soup_websocket_connection_set_max_incoming_payload_size (SoupWebsocketConnection *self,
+                                                                              guint64                  max_incoming_payload_size);
+ 
++SOUP_AVAILABLE_IN_3_6
++guint64             soup_websocket_connection_get_max_total_message_size    (SoupWebsocketConnection *self);
++
++SOUP_AVAILABLE_IN_3_6
++void                soup_websocket_connection_set_max_total_message_size    (SoupWebsocketConnection *self,
++                                                                             guint64                  max_total_message_size);
++
+ SOUP_AVAILABLE_IN_ALL
+ guint               soup_websocket_connection_get_keepalive_interval (SoupWebsocketConnection *self);
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-2.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-2.patch
new file mode 100644
index 0000000000..4cb9cf201b
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-2.patch
@@ -0,0 +1,34 @@
+From c00f1e961a17c0af1cd34881f64db2948f32bb65 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Fri, 20 Sep 2024 12:12:38 +0200
+Subject: [PATCH 2/4] websocket-test: set the total message size
+
+This is required when sending a big amount of data
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4904a46a2d9a014efa6be01a186ac353dbf5047b]
+CVE: CVE-2025-32049
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tests/websocket-test.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index c924601..1678042 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -615,6 +615,11 @@ test_send_big_packets (Test *test,
+ 	soup_websocket_connection_set_max_incoming_payload_size (test->server, 1000 * 1000 + 1);
+ 	g_assert_true (soup_websocket_connection_get_max_incoming_payload_size (test->server) == (1000 * 1000 + 1));
+ 
++	soup_websocket_connection_set_max_total_message_size (test->client, 1000 * 1000 + 1);
++	g_assert (soup_websocket_connection_get_max_total_message_size (test->client) == (1000 * 1000 + 1));
++	soup_websocket_connection_set_max_total_message_size (test->server, 1000 * 1000 + 1);
++	g_assert (soup_websocket_connection_get_max_total_message_size (test->server) == (1000 * 1000 + 1));
++
+ 	sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
+ 	soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
+ 	WAIT_UNTIL (received != NULL);
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-3.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-3.patch
new file mode 100644
index 0000000000..b5ccf374bf
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-3.patch
@@ -0,0 +1,133 @@
+From aa189f8bf0593427c67e0becb13f60f2da2fea26 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 8 May 2025 16:16:25 -0500
+Subject: [PATCH 3/4] Set message size limit in SoupServer rather than
+ SoupWebsocketConnection
+
+We're not sure about the compatibility implications of having a default
+size limit for clients.
+
+Also not sure whether the server limit is actually set appropriately,
+but there is probably very little server usage of
+SoupWebsocketConnection in the wild, so it's not so likely to break
+things.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/2df34d9544cabdbfdedd3b36f098cf69233b1df7]
+CVE: CVE-2025-32049
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/server/soup-server.c                  | 24 +++++++++++++++----
+ libsoup/websocket/soup-websocket-connection.c | 24 +++++++++++++------
+ 2 files changed, 36 insertions(+), 12 deletions(-)
+
+diff --git a/libsoup/server/soup-server.c b/libsoup/server/soup-server.c
+index 63af0cf..023abed 100644
+--- a/libsoup/server/soup-server.c
++++ b/libsoup/server/soup-server.c
+@@ -188,6 +188,16 @@ static GParamSpec *properties[LAST_PROPERTY] = { NULL, };
+ 
+ G_DEFINE_TYPE_WITH_PRIVATE (SoupServer, soup_server, G_TYPE_OBJECT)
+ 
++/* SoupWebsocketConnection by default limits only maximum packet size. But a
++ * message may consist of multiple packets, so SoupServer additionally restricts
++ * total message size to mitigate denial of service attacks on the server.
++ * SoupWebsocketConnection does not do this by default because I don't know
++ * whether that would or would not cause compatibility problems for websites.
++ *
++ * This size is in bytes and it is arbitrary.
++ */
++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT   128 * 1024
++
+ static void request_finished (SoupServerMessage      *msg,
+                               SoupMessageIOCompletion completion,
+                               SoupServer             *server);
+@@ -952,11 +962,15 @@ complete_websocket_upgrade (SoupServer        *server,
+ 
+ 	g_object_ref (msg);
+ 	stream = soup_server_message_steal_connection (msg);
+-	conn = soup_websocket_connection_new (stream, uri,
+-					      SOUP_WEBSOCKET_CONNECTION_SERVER,
+-					      soup_message_headers_get_one_common (soup_server_message_get_request_headers (msg), SOUP_HEADER_ORIGIN),
+-					      soup_message_headers_get_one_common (soup_server_message_get_response_headers (msg), SOUP_HEADER_SEC_WEBSOCKET_PROTOCOL),
+-					      handler->websocket_extensions);
++	conn = SOUP_WEBSOCKET_CONNECTION (g_object_new (SOUP_TYPE_WEBSOCKET_CONNECTION,
++					  "io-stream", stream,
++					  "uri", uri,
++					  "connection-type", SOUP_WEBSOCKET_CONNECTION_SERVER,
++					  "origin", soup_message_headers_get_one_common (soup_server_message_get_request_headers (msg), SOUP_HEADER_ORIGIN),
++					  "protocol", soup_message_headers_get_one_common (soup_server_message_get_response_headers (msg), SOUP_HEADER_SEC_WEBSOCKET_PROTOCOL),
++					  "extensions", handler->websocket_extensions,
++					  "max-total-message-size", (guint64)MAX_TOTAL_MESSAGE_SIZE_DEFAULT,
++					  NULL));
+ 	handler->websocket_extensions = NULL;
+ 	g_object_unref (stream);
+ 
+diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
+index a4fc36e..f60297c 100644
+--- a/libsoup/websocket/soup-websocket-connection.c
++++ b/libsoup/websocket/soup-websocket-connection.c
+@@ -166,7 +166,6 @@ typedef struct {
+ } SoupWebsocketConnectionPrivate;
+ 
+ #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT   128 * 1024
+-#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT   128 * 1024
+ #define READ_BUFFER_SIZE 1024
+ #define MASK_LENGTH 4
+ 
+@@ -1681,9 +1680,10 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass)
+ 	/**
+ 	 * SoupWebsocketConnection:max-incoming-payload-size:
+ 	 *
+-	 * The maximum payload size for incoming packets.
++	 * The maximum payload size for incoming packets, or 0 to not limit it.
+ 	 *
+-	 * The protocol expects or 0 to not limit it.
++	 * Each message may consist of multiple packets, so also refer to
++	 * [property@WebSocketConnection:max-total-message-size].
+ 	 */
+         properties[PROP_MAX_INCOMING_PAYLOAD_SIZE] =
+                 g_param_spec_uint64 ("max-incoming-payload-size",
+@@ -1754,9 +1754,19 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass)
+ 	/**
+ 	 * SoupWebsocketConnection:max-total-message-size:
+ 	 *
+-	 * The total message size for incoming packets.
++	 * The maximum size for incoming messages.
+ 	 *
+-	 * The protocol expects or 0 to not limit it.
++	 * Set to a value to limit the total message size, or 0 to not
++	 * limit it.
++	 *
++	 * [method@Server.add_websocket_handler] will set this to a nonzero
++	 * default value to mitigate denial of service attacks. Clients must
++	 * choose their own default if they need to mitigate denial of service
++	 * attacks. You also need to set your own default if creating your own
++	 * server SoupWebsocketConnection without using SoupServer.
++	 *
++	 * Each message may consist of multiple packets, so also refer to
++	 * [property@WebSocketConnection:max-incoming-payload-size].
+ 	 *
+ 	 * Since: 3.8
+ 	 */
+@@ -1766,7 +1776,7 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass)
+                                      "Max total message size ",
+                                      0,
+                                      G_MAXUINT64,
+-                                     MAX_TOTAL_MESSAGE_SIZE_DEFAULT,
++                                     0,
+                                      G_PARAM_READWRITE |
+                                      G_PARAM_CONSTRUCT |
+                                      G_PARAM_STATIC_STRINGS);
+@@ -2256,7 +2266,7 @@ soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *s
+ {
+ 	SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self);
+ 
+-	g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT);
++	g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), 0);
+ 
+ 	return priv->max_total_message_size;
+ }
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-4.patch b/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-4.patch
new file mode 100644
index 0000000000..c89637eae2
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2025-32049-4.patch
@@ -0,0 +1,291 @@
+From 800cbde5e42131bdea3d6f30808b7e034d45d438 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Fri, 16 May 2025 16:55:40 -0500
+Subject: [PATCH 4/4] Add tests for max-incoming-packet-size and
+ max-total-message-size
+
+An even better test would verify that it's possible to send big messages
+containing small packets, but libsoup doesn't offer control over packet
+size, and I don't want to take the time to learn how WebSockets work to
+figure out how to do that manually. Instead, I just check that both
+limits work, for both client and server.
+
+I didn't add deflate variants of these tests because I doubt that would
+add valuable coverage.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4d00b45b7eebdcfa0706b58e34c40b8a0a16015b]
+CVE: CVE-2025-32049
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tests/websocket-test.c | 213 +++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 196 insertions(+), 17 deletions(-)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 1678042..60da66f 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -591,16 +591,9 @@ test_send_big_packets (Test *test,
+ {
+ 	GBytes *sent = NULL;
+ 	GBytes *received = NULL;
++	gulong signal_id;
+ 
+-	g_signal_connect (test->client, "message", G_CALLBACK (on_text_message), &received);
+-
+-	sent = g_bytes_new_take (g_strnfill (400, '!'), 400);
+-	soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
+-	WAIT_UNTIL (received != NULL);
+-	g_assert_true (g_bytes_equal (sent, received));
+-	g_bytes_unref (sent);
+-	g_bytes_unref (received);
+-	received = NULL;
++	signal_id = g_signal_connect (test->client, "message", G_CALLBACK (on_text_message), &received);
+ 
+ 	sent = g_bytes_new_take (g_strnfill (100 * 1000, '?'), 100 * 1000);
+ 	soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
+@@ -611,23 +604,173 @@ test_send_big_packets (Test *test,
+ 	received = NULL;
+ 
+ 	soup_websocket_connection_set_max_incoming_payload_size (test->client, 1000 * 1000 + 1);
+-	g_assert_true (soup_websocket_connection_get_max_incoming_payload_size (test->client) == (1000 * 1000 + 1));
++	g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 1000 * 1000 + 1);
+ 	soup_websocket_connection_set_max_incoming_payload_size (test->server, 1000 * 1000 + 1);
+-	g_assert_true (soup_websocket_connection_get_max_incoming_payload_size (test->server) == (1000 * 1000 + 1));
++	g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 1000 * 1000 + 1);
+ 
+ 	soup_websocket_connection_set_max_total_message_size (test->client, 1000 * 1000 + 1);
+-	g_assert (soup_websocket_connection_get_max_total_message_size (test->client) == (1000 * 1000 + 1));
++	g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 1000 * 1000 + 1);
+ 	soup_websocket_connection_set_max_total_message_size (test->server, 1000 * 1000 + 1);
+-	g_assert (soup_websocket_connection_get_max_total_message_size (test->server) == (1000 * 1000 + 1));
++	g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 1000 * 1000 + 1);
+ 
+ 	sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
+ 	soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
+ 	WAIT_UNTIL (received != NULL);
+ 	g_assert_true (g_bytes_equal (sent, received));
++	g_bytes_unref (received);
++	received = NULL;
++
++	/* Reverse the test and send the big message to the server. */
++	g_signal_handler_disconnect (test->client, signal_id);
++	g_signal_connect (test->server, "message", G_CALLBACK (on_text_message), &received);
++
++	soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL));
++	WAIT_UNTIL (received != NULL);
++	g_assert_true (g_bytes_equal (sent, received));
+ 	g_bytes_unref (sent);
+ 	g_bytes_unref (received);
+ }
+ 
++static void
++test_send_big_packets_direct (Test *test,
++                              gconstpointer data)
++{
++	g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024);
++	g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0);
++
++	g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024);
++	g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 0);
++
++	test_send_big_packets (test, data);
++}
++
++static void
++test_send_big_packets_soup (Test *test,
++                            gconstpointer data)
++{
++	g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024);
++	g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0);
++
++	/* Max total message size defaults to 0 (unlimited), but SoupServer applies its own limit by default. */
++	g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024);
++	g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 128 * 1024);
++
++	test_send_big_packets (test, data);
++}
++
++static void
++test_send_exceeding_client_max_payload_size (Test *test,
++                                             gconstpointer data)
++{
++	GBytes *sent = NULL;
++	GBytes *received = NULL;
++	gboolean close_event = FALSE;
++	GError *error = NULL;
++
++	g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
++	g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++	g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024);
++
++	soup_websocket_connection_set_max_incoming_payload_size (test->server, 0);
++	g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 0);
++
++	/* The message to the client is dropped due to the client's limit. */
++	sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
++	soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
++	g_bytes_unref (sent);
++	WAIT_UNTIL (close_event);
++	g_assert_null (received);
++	g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED);
++	g_assert_no_error (test->client_error);
++}
++
++static void
++test_send_exceeding_server_max_payload_size (Test *test,
++                                             gconstpointer data)
++{
++	GBytes *sent = NULL;
++	GBytes *received = NULL;
++	gboolean close_event = FALSE;
++	GError *error = NULL;
++
++	g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++	g_signal_connect (test->server, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++	soup_websocket_connection_set_max_incoming_payload_size (test->client, 0);
++	g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 0);
++
++	g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024);
++
++	/* The message to the server is dropped due to the server's limit. */
++	sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
++	soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL));
++	g_bytes_unref (sent);
++	WAIT_UNTIL (close_event);
++	g_assert_null (received);
++	g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED);
++	g_assert_no_error (test->client_error);
++}
++
++static void
++test_send_exceeding_client_max_message_size (Test *test,
++                                             gconstpointer data)
++{
++	GBytes *sent = NULL;
++	GBytes *received = NULL;
++	gboolean close_event = FALSE;
++	GError *error = NULL;
++
++	g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
++	g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++	soup_websocket_connection_set_max_total_message_size (test->client, 128 * 1024);
++	g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 128 * 1024);
++
++	soup_websocket_connection_set_max_total_message_size (test->server, 0);
++	g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 0);
++
++	/* The message to the client is dropped due to the client's limit. */
++	sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
++	soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
++	g_bytes_unref (sent);
++	WAIT_UNTIL (close_event);
++	g_assert_null (received);
++	g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED);
++	g_assert_no_error (test->client_error);
++}
++
++static void
++test_send_exceeding_server_max_message_size (Test *test,
++                                             gconstpointer data)
++{
++	GBytes *sent = NULL;
++	GBytes *received = NULL;
++	gboolean close_event = FALSE;
++	GError *error = NULL;
++
++	g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++	g_signal_connect (test->server, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++	soup_websocket_connection_set_max_total_message_size (test->client, 0);
++	g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0);
++
++	/* Set the server message total message size manually, because its
++	 * default is different for direct connection vs. soup connection.
++	 */
++	soup_websocket_connection_set_max_total_message_size (test->server, 128 * 1024);
++	g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 128 * 1024);
++
++	/* The message to the server is dropped due to the server's limit. */
++	sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
++	soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL));
++	g_bytes_unref (sent);
++	WAIT_UNTIL (close_event);
++	g_assert_null (received);
++	g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED);
++	g_assert_no_error (test->client_error);
++}
++
+ static void
+ test_send_empty_packets (Test *test,
+ 			 gconstpointer data)
+@@ -2262,11 +2405,47 @@ main (int argc,
+ 
+ 	g_test_add ("/websocket/direct/send-big-packets", Test, NULL,
+ 		    setup_direct_connection,
+-		    test_send_big_packets,
++		    test_send_big_packets_direct,
+ 		    teardown_direct_connection);
+ 	g_test_add ("/websocket/soup/send-big-packets", Test, NULL,
+ 		    setup_soup_connection,
+-		    test_send_big_packets,
++		    test_send_big_packets_soup,
++		    teardown_soup_connection);
++
++	g_test_add ("/websocket/direct/send-exceeding-client-max-payload-size", Test, NULL,
++		    setup_direct_connection,
++		    test_send_exceeding_client_max_payload_size,
++		    teardown_direct_connection);
++	g_test_add ("/websocket/soup/send-exceeding-client-max-payload-size", Test, NULL,
++		    setup_soup_connection,
++		    test_send_exceeding_client_max_payload_size,
++		    teardown_soup_connection);
++
++	g_test_add ("/websocket/direct/send-exceeding-server-max-payload-size", Test, NULL,
++		    setup_direct_connection,
++		    test_send_exceeding_server_max_payload_size,
++		    teardown_direct_connection);
++	g_test_add ("/websocket/soup/send-exceeding-server-max-payload-size", Test, NULL,
++		    setup_soup_connection,
++		    test_send_exceeding_server_max_payload_size,
++		    teardown_soup_connection);
++
++	g_test_add ("/websocket/direct/send-exceeding-client-max-message-size", Test, NULL,
++		    setup_direct_connection,
++		    test_send_exceeding_client_max_message_size,
++		    teardown_direct_connection);
++	g_test_add ("/websocket/soup/send-exceeding-client-max-message-size", Test, NULL,
++		    setup_soup_connection,
++		    test_send_exceeding_client_max_message_size,
++		    teardown_soup_connection);
++
++	g_test_add ("/websocket/direct/send-exceeding-server-max-message-size", Test, NULL,
++		    setup_direct_connection,
++		    test_send_exceeding_server_max_message_size,
++		    teardown_direct_connection);
++	g_test_add ("/websocket/soup/send-exceeding-server-max-message-size", Test, NULL,
++		    setup_soup_connection,
++		    test_send_exceeding_server_max_message_size,
+ 		    teardown_soup_connection);
+ 
+ 	g_test_add ("/websocket/direct/send-empty-packets", Test, NULL,
+@@ -2421,11 +2600,11 @@ main (int argc,
+ 
+ 	g_test_add ("/websocket/direct/deflate-send-big-packets", Test, NULL,
+ 		    setup_direct_connection_with_extensions,
+-		    test_send_big_packets,
++		    test_send_big_packets_direct,
+ 		    teardown_direct_connection);
+ 	g_test_add ("/websocket/soup/deflate-send-big-packets", Test, NULL,
+ 		    setup_soup_connection_with_extensions,
+-		    test_send_big_packets,
++		    test_send_big_packets_soup,
+ 		    teardown_soup_connection);
+ 
+ 	g_test_add ("/websocket/direct/deflate-send-empty-packets", Test, NULL,
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/libsoup/libsoup/CVE-2026-1539.patch b/meta/recipes-support/libsoup/libsoup/CVE-2026-1539.patch
new file mode 100644
index 0000000000..e887b441df
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup/CVE-2026-1539.patch
@@ -0,0 +1,97 @@
+From 7a70f089e13cc113032b1459286835b72a2986af Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <cgarcia@igalia.com>
+Date: Tue, 20 Jan 2026 13:17:42 +0100
+Subject: [PATCH] Also remove Proxy-Authorization header on cross origin
+ redirect
+
+Closes #489
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/98c1285d9d78662c38bf14b4a128af01ccfdb446]
+CVE: CVE-2026-1539
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-session.c |  1 +
+ tests/httpd.conf.in    |  1 +
+ tests/proxy-test.c     | 34 ++++++++++++++++++++++++++++++++++
+ 3 files changed, 36 insertions(+)
+
+diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
+index 2d34022..386d145 100644
+--- a/libsoup/soup-session.c
++++ b/libsoup/soup-session.c
+@@ -1234,6 +1234,7 @@ soup_session_redirect_message (SoupSession *session,
+         /* Strip all credentials on cross-origin redirect. */
+         if (!soup_uri_host_equal (soup_message_get_uri (msg), new_uri)) {
+                 soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_AUTHORIZATION);
++                soup_message_headers_remove_common (soup_message_get_request_headers (msg), SOUP_HEADER_PROXY_AUTHORIZATION);
+                 soup_message_set_auth (msg, NULL);
+         }
+ 
+diff --git a/tests/httpd.conf.in b/tests/httpd.conf.in
+index 809dc5c..cc0a116 100644
+--- a/tests/httpd.conf.in
++++ b/tests/httpd.conf.in
+@@ -34,6 +34,7 @@ LoadModule ssl_module           @APACHE_SSL_MODULE_DIR@/mod_ssl.so
+ DirectoryIndex index.txt
+ TypesConfig /dev/null
+ Redirect permanent /redirected /index.txt
++Redirect permanent /Basic/realm1/redirected https://127.0.0.1:47525/index.txt
+ 
+ # Prefer http1 for now because most of the tests expect http1 behavior.
+ Protocols http/1.1 h2
+diff --git a/tests/proxy-test.c b/tests/proxy-test.c
+index d730c8a..68c97ac 100644
+--- a/tests/proxy-test.c
++++ b/tests/proxy-test.c
+@@ -269,6 +269,39 @@ do_proxy_redirect_test (void)
+ 	soup_test_session_abort_unref (session);
+ }
+ 
++static void proxy_auth_redirect_message_restarted (SoupMessage *msg)
++{
++        if (soup_message_get_status (msg) != SOUP_STATUS_MOVED_PERMANENTLY)
++                return;
++
++        g_assert_null (soup_message_headers_get_one (soup_message_get_request_headers (msg), "Proxy-Authorization"));
++}
++
++static void
++do_proxy_auth_redirect_test (void)
++{
++        SoupSession *session;
++        SoupMessage *msg;
++        char *url;
++
++        SOUP_TEST_SKIP_IF_NO_APACHE;
++        SOUP_TEST_SKIP_IF_NO_TLS;
++
++        session = soup_test_session_new ("proxy-resolver", proxy_resolvers[AUTH_PROXY], NULL);
++
++        url = g_strconcat (HTTP_SERVER, "/Basic/realm1/redirected", NULL);
++        msg = soup_message_new (SOUP_METHOD_GET, url);
++        g_signal_connect (msg, "authenticate", G_CALLBACK (authenticate), NULL);
++        g_signal_connect (msg, "restarted", G_CALLBACK (proxy_auth_redirect_message_restarted), NULL);
++
++        soup_test_session_send_message (session, msg);
++        soup_test_assert_message_status (msg, SOUP_STATUS_OK);
++
++        g_free (url);
++        g_object_unref (msg);
++        soup_test_session_abort_unref (session);
++}
++
+ static void
+ do_proxy_auth_request (const char *url, SoupSession *session, gboolean do_read)
+ {
+@@ -402,6 +435,7 @@ main (int argc, char **argv)
+ 
+ 	g_test_add_data_func ("/proxy/fragment", base_uri, do_proxy_fragment_test);
+ 	g_test_add_func ("/proxy/redirect", do_proxy_redirect_test);
++        g_test_add_func ("/proxy/auth-redirect", do_proxy_auth_redirect_test);
+ 	g_test_add_func ("/proxy/auth-cache", do_proxy_auth_cache_test);
+         g_test_add_data_func ("/proxy/connect-error", base_https_uri, do_proxy_connect_error_test);
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.6.6.bb b/meta/recipes-support/libsoup/libsoup_3.6.6.bb
index f9dd5311a4..981e74d816 100644
--- a/meta/recipes-support/libsoup/libsoup_3.6.6.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.6.6.bb
@@ -11,6 +11,13 @@ DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl nghttp2"
 
 SRC_URI[archive.sha256sum] = "51ed0ae06f9d5a40f401ff459e2e5f652f9a510b7730e1359ee66d14d4872740"
 
+SRC_URI += "file://CVE-2025-32049-1.patch \
+            file://CVE-2025-32049-2.patch \
+            file://CVE-2025-32049-3.patch \
+            file://CVE-2025-32049-4.patch \
+            file://CVE-2026-1539.patch \
+"
+
 PROVIDES = "libsoup-3.0"
 
 inherit gettext gnomebase upstream-version-is-even gobject-introspection gi-docgen vala

[OE-core][whinlatter][PATCH 04/12] libxmlb: upgrade 0.3.24 -> 0.3.25

[ankur.tyagi85]

From: Wang Mingyu <wangmy@fujitsu.com>

Bugfixes:
 - Correctly decompress heavily compressed zstd streams

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0421e9b2031fcc56df192da796a4cadef6966b38)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../libxmlb/{libxmlb_0.3.24.bb => libxmlb_0.3.25.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-gnome/libxmlb/{libxmlb_0.3.24.bb => libxmlb_0.3.25.bb} (93%)

diff --git a/meta/recipes-gnome/libxmlb/libxmlb_0.3.24.bb b/meta/recipes-gnome/libxmlb/libxmlb_0.3.25.bb
similarity index 93%
rename from meta/recipes-gnome/libxmlb/libxmlb_0.3.24.bb
rename to meta/recipes-gnome/libxmlb/libxmlb_0.3.25.bb
index 24eb62c98c..8687436052 100644
--- a/meta/recipes-gnome/libxmlb/libxmlb_0.3.24.bb
+++ b/meta/recipes-gnome/libxmlb/libxmlb_0.3.25.bb
@@ -8,7 +8,7 @@ SRC_URI = " \
 	file://0001-xb-selftest.c-hardcode-G_TEST_SRCDIR.patch \
 	file://run-ptest \
 "
-SRCREV = "d004cca465e5c5af3ce02c02a15978ff02b510c3"
+SRCREV = "b31dec072f4428123db3866c18bf32bc5db04d35"
 
 DEPENDS = "glib-2.0 xz zstd"
 

[OE-core][whinlatter][PATCH 05/12] ca-certificates: upgrade 20250419 -> 20260223

[ankur.tyagi85]

From: Andrej Kozemcak <andrej.kozemcak@siemens.com>

Changelog:
 * Update Mozilla certificate authority bundle to version 2.82
    The following certificate authorities were added (+):
    + TrustAsia TLS ECC Root CA
    + TrustAsia TLS RSA Root CA
    + SwissSign RSA TLS Root CA 2022 - 1
    + OISTE Server Root ECC G1
    +  OISTE Server Root RSA G1
    The following certificate authorities were removed (-):
    - GlobalSign Root CA
    - Entrust.net Premium 2048 Secure Server CA
    - Baltimore CyberTrust Root (closes: #1121936)
    - Comodo AAA Services root
    - XRamp Global CA Root
    - Go Daddy Class 2 CA
    - Starfield Class 2 CA
    - CommScope Public Trust ECC Root-01
    - CommScope Public Trust ECC Root-02
    - CommScope Public Trust RSA Root-01
    - CommScope Public Trust RSA Root-02
  * Use dh_usrlocal to create /usr/local/share/ca-certificates

Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 738e08718e31de19c1c8db5e162a4a00e2b0c0e6)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 ...{ca-certificates_20250419.bb => ca-certificates_20260223.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/ca-certificates/{ca-certificates_20250419.bb => ca-certificates_20260223.bb} (97%)

diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20250419.bb b/meta/recipes-support/ca-certificates/ca-certificates_20260223.bb
similarity index 97%
rename from meta/recipes-support/ca-certificates/ca-certificates_20250419.bb
rename to meta/recipes-support/ca-certificates/ca-certificates_20260223.bb
index a11433c9da..41690d1d08 100644
--- a/meta/recipes-support/ca-certificates/ca-certificates_20250419.bb
+++ b/meta/recipes-support/ca-certificates/ca-certificates_20260223.bb
@@ -14,7 +14,7 @@ DEPENDS:class-nativesdk = "openssl-native"
 # Need rehash from openssl and run-parts from debianutils
 PACKAGE_WRITE_DEPS += "openssl-native debianutils-native"
 
-SRC_URI[sha256sum] = "33b44ef78653ecd3f0f2f13e5bba6be466be2e7da72182f737912b81798ba5d2"
+SRC_URI[sha256sum] = "2fa2b00d4360f0d14ec51640ae8aea9e563956b95ea786e3c3c01c4eead42b56"
 SRC_URI = "${DEBIAN_MIRROR}/main/c/ca-certificates/${BPN}_${PV}.tar.xz \
            file://0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch \
            file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \

[OE-core][whinlatter][PATCH 06/12] tzdata,tzcode-native: Upgrade 2025b -> 2025c

[ankur.tyagi85]

From: Paul Barker <paul@pbarker.dev>

This release mostly changes code and commentary. The only changed data
are leap second table expiration and pre-1976 time in Baja California.

Full release notes:
  https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/TAGXKYLMAQRZRFTERQ33CEKOW7KRJVAK/

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 452334219309793ad74abd6ff390dcb06cab929b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 meta/recipes-extended/timezone/timezone.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index 9a5105ffd7..b9323432b8 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
 LICENSE = "PD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
-PV = "2025b"
+PV = "2025c"
 
 SRC_URI = "http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \
            http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \
@@ -16,5 +16,5 @@ S = "${UNPACKDIR}/tz"
 
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
 
-SRC_URI[tzcode.sha256sum] = "05f8fedb3525ee70d49c87d3fae78a8a0dbae4fe87aa565c65cda9948ae135ec"
-SRC_URI[tzdata.sha256sum] = "11810413345fc7805017e27ea9fa4885fd74cd61b2911711ad038f5d28d71474"
+SRC_URI[tzcode.sha256sum] = "697ebe6625444aef5080f58e49d03424bbb52e08bf483d3ddb5acf10cbd15740"
+SRC_URI[tzdata.sha256sum] = "4aa79e4effee53fc4029ffe5f6ebe97937282ebcdf386d5d2da91ce84142f957"

[OE-core][whinlatter][PATCH 07/12] seatd: Create seat user and package systemd service

[ankur.tyagi85]

From: Khem Raj <raj.khem@gmail.com>

With latest version seatd does not work properly if
user access permissions are not correctly set, therefore
create 'seat' group and package the seatd.service file
and enable it by default with systemd distro feature

set logind to systemd when using systemd as default init system

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 26746a02fc94b569f633d581b27a8634cfba38f5)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 meta/recipes-core/seatd/seatd_0.9.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-core/seatd/seatd_0.9.1.bb b/meta/recipes-core/seatd/seatd_0.9.1.bb
index 3be27dda9d..f9f72c9e82 100644
--- a/meta/recipes-core/seatd/seatd_0.9.1.bb
+++ b/meta/recipes-core/seatd/seatd_0.9.1.bb
@@ -34,6 +34,8 @@ PACKAGECONFIG[systemd] = "-Dlibseat-logind=systemd,,systemd"
 do_install:append() {
         if [ "${VIRTUAL-RUNTIME_init_manager}" != "systemd" ]; then
                 install -Dm755 ${UNPACKDIR}/init ${D}/${sysconfdir}/init.d/seatd
+        else
+                install -Dm644 ${S}/contrib/systemd/seatd.service ${D}${systemd_unitdir}/system/seatd.service
         fi
         install -Dm644 ${S}/contrib/systemd/seatd.service ${D}${systemd_unitdir}/system/seatd.service
 }

[OE-core][whinlatter][PATCH 08/12] seatd: fix packaging error with systemd DISTRO_FEATURES

[ankur.tyagi85]

From: Gyorgy Sarvari <skandigraun@gmail.com>

The systemd unit file for this recipe is only installed in case
the target system's init system is systemd. It is achieved by
inspecting the VIRTUAL-RUNTIME_init_manager variable.

However the systemd class was inherited unconditionally. This caused
a failure in do_package task, in case systemd is present in the
DISTRO_FEATURES but the system's init manager is sysvinit: in this case
the systemd unit file is not installed, however systemd.bbclass is
still trying to register is as a startup service. At this point
it failed:

ERROR: seatd-0.9.1-r0 do_package: Didn't find service unit 'seatd.service', specified in SYSTEMD_SERVICE:seatd.

To avoid this, install the systemd unit file unconditionally, regardless
of the used init system.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c7f157ad1207567ef3614ee4f6e755bccf60a3f4)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 meta/recipes-core/seatd/seatd_0.9.1.bb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/meta/recipes-core/seatd/seatd_0.9.1.bb b/meta/recipes-core/seatd/seatd_0.9.1.bb
index f9f72c9e82..3be27dda9d 100644
--- a/meta/recipes-core/seatd/seatd_0.9.1.bb
+++ b/meta/recipes-core/seatd/seatd_0.9.1.bb
@@ -34,8 +34,6 @@ PACKAGECONFIG[systemd] = "-Dlibseat-logind=systemd,,systemd"
 do_install:append() {
         if [ "${VIRTUAL-RUNTIME_init_manager}" != "systemd" ]; then
                 install -Dm755 ${UNPACKDIR}/init ${D}/${sysconfdir}/init.d/seatd
-        else
-                install -Dm644 ${S}/contrib/systemd/seatd.service ${D}${systemd_unitdir}/system/seatd.service
         fi
         install -Dm644 ${S}/contrib/systemd/seatd.service ${D}${systemd_unitdir}/system/seatd.service
 }

[OE-core][whinlatter][PATCH 09/12] seatd: upgrade 0.9.1 -> 0.9.2

[ankur.tyagi85]

From: Wang Mingyu <wangmy@fujitsu.com>

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 719713495ebd46addc779b60360d4dde81170d72)

Bugfix release:
https://git.sr.ht/~kennylevinsen/seatd/refs/0.9.2

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 meta/recipes-core/seatd/{seatd_0.9.1.bb => seatd_0.9.2.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/seatd/{seatd_0.9.1.bb => seatd_0.9.2.bb} (97%)

diff --git a/meta/recipes-core/seatd/seatd_0.9.1.bb b/meta/recipes-core/seatd/seatd_0.9.2.bb
similarity index 97%
rename from meta/recipes-core/seatd/seatd_0.9.1.bb
rename to meta/recipes-core/seatd/seatd_0.9.2.bb
index 3be27dda9d..9e1b50c087 100644
--- a/meta/recipes-core/seatd/seatd_0.9.1.bb
+++ b/meta/recipes-core/seatd/seatd_0.9.2.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=715a99d2dd552e6188e74d4ed2914d5a"
 
 SRC_URI = "git://git.sr.ht/~kennylevinsen/seatd;protocol=https;branch=master \
            file://init"
-SRCREV = "566ffeb032af42865dc1210e48cec08368059bb9"
+SRCREV = "a3c56c324c3a84474cc1615d94ccd6a6255d0c10"
 
 inherit meson pkgconfig systemd update-rc.d useradd
 

[OE-core][whinlatter][PATCH 10/12] seatd: upgrade 0.9.2 -> 0.9.3

[ankur.tyagi85]

From: Wang Mingyu <wangmy@fujitsu.com>

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6bf3674d8a59f8fa5a9bbd51c116cd3144fc4f23)

Bugfix release
https://git.sr.ht/~kennylevinsen/seatd/refs/0.9.3

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 meta/recipes-core/seatd/{seatd_0.9.2.bb => seatd_0.9.3.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/seatd/{seatd_0.9.2.bb => seatd_0.9.3.bb} (97%)

diff --git a/meta/recipes-core/seatd/seatd_0.9.2.bb b/meta/recipes-core/seatd/seatd_0.9.3.bb
similarity index 97%
rename from meta/recipes-core/seatd/seatd_0.9.2.bb
rename to meta/recipes-core/seatd/seatd_0.9.3.bb
index 9e1b50c087..d0802eee60 100644
--- a/meta/recipes-core/seatd/seatd_0.9.2.bb
+++ b/meta/recipes-core/seatd/seatd_0.9.3.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=715a99d2dd552e6188e74d4ed2914d5a"
 
 SRC_URI = "git://git.sr.ht/~kennylevinsen/seatd;protocol=https;branch=master \
            file://init"
-SRCREV = "a3c56c324c3a84474cc1615d94ccd6a6255d0c10"
+SRCREV = "daa8196e10b180b8b0caeafa8e5f860eb1bd6706"
 
 inherit meson pkgconfig systemd update-rc.d useradd
 

[OE-core][whinlatter][PATCH 11/12] e2fsprogs: upgrade 1.47.3 -> 1.47.4

[ankur.tyagi85]

From: Wang Mingyu <wangmy@fujitsu.com>

0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
removed since it's inclued in 1.47.4

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b14266b4c27e7e3f37a1057ab694c6b21b66b83a)

Release Notes:
https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/tree/doc/RelNotes/v1.47.4.txt?h=v1.47.4

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 ...inode.c-Fix-for-file-larger-than-2GB.patch | 40 -------------------
 ...2fsprogs_1.47.3.bb => e2fsprogs_1.47.4.bb} |  3 +-
 2 files changed, 1 insertion(+), 42 deletions(-)
 delete mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
 rename meta/recipes-devtools/e2fsprogs/{e2fsprogs_1.47.3.bb => e2fsprogs_1.47.4.bb} (97%)

diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
deleted file mode 100644
index 1c578022fb..0000000000
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 6359e0ec8ef249d202dbb8583a6e430f20c5b1a0 Mon Sep 17 00:00:00 2001
-From: Robert Yang <liezhi.yang@windriver.com>
-Date: Sun, 30 Nov 2025 21:47:50 +0800
-Subject: [PATCH] misc/create_inode.c: Fix for file larger than 2GB
-
-Fixed:
-$ dd if=/dev/zero of=../image.ext4 bs=1M count=4k
-$ dd if=/dev/random of=../rootfs/largefile bs=1M count=3k
-$ ./misc/mke2fs -t ext4 -d ../rootfs/ ../image.ext4
-__populate_fs: Ext2 file too big while writing file "largefile"
-mke2fs: Ext2 file too big while populating file system
-
-This was because the offset is overflow, use __u64 to fix the problem.
-
-Another code which uses ext2_off_t is copy_fs_verity_data(), but it only copies
-the metadata, so it should be enough large for it, just leave it there.
-
-Upstream-Status: Submitted [https://github.com/tytso/e2fsprogs/pull/258]
-
-Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
----
- misc/create_inode.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/misc/create_inode.c b/misc/create_inode.c
-index 624efc03..14273534 100644
---- a/misc/create_inode.c
-+++ b/misc/create_inode.c
-@@ -414,7 +414,7 @@ static ssize_t my_pread(int fd, void *buf, size_t count, off_t offset)
- }
- #endif /* !defined HAVE_PREAD64 && !defined HAVE_PREAD */
- 
--static errcode_t write_all(ext2_file_t e2_file, ext2_off_t off, const char *buf, unsigned int n_bytes) {
-+static errcode_t write_all(ext2_file_t e2_file, __u64 off, const char *buf, unsigned int n_bytes) {
- 	errcode_t err = ext2fs_file_llseek(e2_file, off, EXT2_SEEK_SET, NULL);
- 	if (err)
- 		return err;
--- 
-2.34.1
-
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.3.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.4.bb
similarity index 97%
rename from meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.3.bb
rename to meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.4.bb
index 40658399d9..90f8f37b8e 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.3.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.4.bb
@@ -4,14 +4,13 @@ SRC_URI += "file://remove.ldconfig.call.patch \
            file://run-ptest \
            file://ptest.patch \
            file://mkdir_p.patch \
-           file://0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch \
            "
 SRC_URI:append:class-native = " \
            file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
            file://quiet-debugfs.patch \
            "
 
-SRCREV = "da631e117dcf8797bfda0f48bdaa05ac0fbcf7af"
+SRCREV = "ece89fac4603e400155b7bbf6326284f8511bca9"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+\.\d+(\.\d+)*)$"
 
 EXTRA_OECONF += "--libdir=${base_libdir} --sbindir=${base_sbindir} \

[OE-core][whinlatter][PATCH 12/12] libinput: upgrade 1.29.1 -> 1.29.2

[ankur.tyagi85]

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Release Notes:
https://gitlab.freedesktop.org/libinput/libinput/-/releases/1.29.2

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4cd78e63cbf4edaeac1fc9f46fb737e1356e3f1b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../wayland/{libinput_1.29.1.bb => libinput_1.29.2.bb}          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-graphics/wayland/{libinput_1.29.1.bb => libinput_1.29.2.bb} (97%)

diff --git a/meta/recipes-graphics/wayland/libinput_1.29.1.bb b/meta/recipes-graphics/wayland/libinput_1.29.2.bb
similarity index 97%
rename from meta/recipes-graphics/wayland/libinput_1.29.1.bb
rename to meta/recipes-graphics/wayland/libinput_1.29.2.bb
index 809c291e23..f771085388 100644
--- a/meta/recipes-graphics/wayland/libinput_1.29.1.bb
+++ b/meta/recipes-graphics/wayland/libinput_1.29.2.bb
@@ -15,7 +15,7 @@ DEPENDS = "libevdev udev mtdev"
 SRC_URI = "git://gitlab.freedesktop.org/libinput/libinput.git;protocol=https;branch=1.29-branch;tag=${PV} \
            file://run-ptest \
            "
-SRCREV = "dc2c1ad181be88e1487468f7ca6f9d320981f133"
+SRCREV = "917783150a5bab7d55eedc5714f1b49b192426ac"
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+\.(?!9\d+)\d+)"
 

Re: [OE-core][whinlatter][PATCH 07/12] seatd: Create seat user and package systemd service

[Yoann Congal]

On Wed Mar 25, 2026 at 3:18 AM CET, Ankur Tyagi via lists.openembedded.org wrote:
> From: Khem Raj <raj.khem@gmail.com>
>
> With latest version seatd does not work properly if
> user access permissions are not correctly set, therefore
> create 'seat' group and package the seatd.service file
> and enable it by default with systemd distro feature
>
> set logind to systemd when using systemd as default init system
>
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit 26746a02fc94b569f633d581b27a8634cfba38f5)
> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> ---
>  meta/recipes-core/seatd/seatd_0.9.1.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-core/seatd/seatd_0.9.1.bb b/meta/recipes-core/seatd/seatd_0.9.1.bb
> index 3be27dda9d..f9f72c9e82 100644
> --- a/meta/recipes-core/seatd/seatd_0.9.1.bb
> +++ b/meta/recipes-core/seatd/seatd_0.9.1.bb
> @@ -34,6 +34,8 @@ PACKAGECONFIG[systemd] = "-Dlibseat-logind=systemd,,systemd"
>  do_install:append() {
>          if [ "${VIRTUAL-RUNTIME_init_manager}" != "systemd" ]; then
>                  install -Dm755 ${UNPACKDIR}/init ${D}/${sysconfdir}/init.d/seatd
> +        else
> +                install -Dm644 ${S}/contrib/systemd/seatd.service ${D}${systemd_unitdir}/system/seatd.service

Hello,

The patch content does not match the description anymore (no added seat
user). Can you update it?

Thanks!

>          fi
>          install -Dm644 ${S}/contrib/systemd/seatd.service ${D}${systemd_unitdir}/system/seatd.service
>  }


-- 
Yoann Congal
Smile ECS

Re: [OE-core][whinlatter][PATCH 11/12] e2fsprogs: upgrade 1.47.3 -> 1.47.4

[Yoann Congal]

On Wed Mar 25, 2026 at 3:18 AM CET, Ankur Tyagi via lists.openembedded.org wrote:
> From: Wang Mingyu <wangmy@fujitsu.com>
>
> 0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
> removed since it's inclued in 1.47.4
>
> Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit b14266b4c27e7e3f37a1057ab694c6b21b66b83a)
>
> Release Notes:
> https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/tree/doc/RelNotes/v1.47.4.txt?h=v1.47.4
>
> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>

Hello,

I'm sorry but this upgrade contains feature change and, because of that
is not eligible for stable merge:
> E2fsprogs 1.47.4 (March 6, 2025)
> ================================
> 
> Updates/Fixes since v1.47.3:
> 
> UI and Features
> ---------------
> 
> [...]
> 
> Add mke2fs extended option in root_selinux to set a SELinux security
> context label for the root directory.
> 
> Enable mke2fs to support multiple -E options in the command line.

Regards,

> ---
>  ...inode.c-Fix-for-file-larger-than-2GB.patch | 40 -------------------
>  ...2fsprogs_1.47.3.bb => e2fsprogs_1.47.4.bb} |  3 +-
>  2 files changed, 1 insertion(+), 42 deletions(-)
>  delete mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
>  rename meta/recipes-devtools/e2fsprogs/{e2fsprogs_1.47.3.bb => e2fsprogs_1.47.4.bb} (97%)
>
> diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
> deleted file mode 100644
> index 1c578022fb..0000000000
> --- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
> +++ /dev/null
> @@ -1,40 +0,0 @@
> -From 6359e0ec8ef249d202dbb8583a6e430f20c5b1a0 Mon Sep 17 00:00:00 2001
> -From: Robert Yang <liezhi.yang@windriver.com>
> -Date: Sun, 30 Nov 2025 21:47:50 +0800
> -Subject: [PATCH] misc/create_inode.c: Fix for file larger than 2GB
> -
> -Fixed:
> -$ dd if=/dev/zero of=../image.ext4 bs=1M count=4k
> -$ dd if=/dev/random of=../rootfs/largefile bs=1M count=3k
> -$ ./misc/mke2fs -t ext4 -d ../rootfs/ ../image.ext4
> -__populate_fs: Ext2 file too big while writing file "largefile"
> -mke2fs: Ext2 file too big while populating file system
> -
> -This was because the offset is overflow, use __u64 to fix the problem.
> -
> -Another code which uses ext2_off_t is copy_fs_verity_data(), but it only copies
> -the metadata, so it should be enough large for it, just leave it there.
> -
> -Upstream-Status: Submitted [https://github.com/tytso/e2fsprogs/pull/258]
> -
> -Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> ----
> - misc/create_inode.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/misc/create_inode.c b/misc/create_inode.c
> -index 624efc03..14273534 100644
> ---- a/misc/create_inode.c
> -+++ b/misc/create_inode.c
> -@@ -414,7 +414,7 @@ static ssize_t my_pread(int fd, void *buf, size_t count, off_t offset)
> - }
> - #endif /* !defined HAVE_PREAD64 && !defined HAVE_PREAD */
> - 
> --static errcode_t write_all(ext2_file_t e2_file, ext2_off_t off, const char *buf, unsigned int n_bytes) {
> -+static errcode_t write_all(ext2_file_t e2_file, __u64 off, const char *buf, unsigned int n_bytes) {
> - 	errcode_t err = ext2fs_file_llseek(e2_file, off, EXT2_SEEK_SET, NULL);
> - 	if (err)
> - 		return err;
> --- 
> -2.34.1
> -
> diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.3.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.4.bb
> similarity index 97%
> rename from meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.3.bb
> rename to meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.4.bb
> index 40658399d9..90f8f37b8e 100644
> --- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.3.bb
> +++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.4.bb
> @@ -4,14 +4,13 @@ SRC_URI += "file://remove.ldconfig.call.patch \
>             file://run-ptest \
>             file://ptest.patch \
>             file://mkdir_p.patch \
> -           file://0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch \
>             "
>  SRC_URI:append:class-native = " \
>             file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
>             file://quiet-debugfs.patch \
>             "
>  
> -SRCREV = "da631e117dcf8797bfda0f48bdaa05ac0fbcf7af"
> +SRCREV = "ece89fac4603e400155b7bbf6326284f8511bca9"
>  UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+\.\d+(\.\d+)*)$"
>  
>  EXTRA_OECONF += "--libdir=${base_libdir} --sbindir=${base_sbindir} \


-- 
Yoann Congal
Smile ECS

Re: [OE-core][whinlatter][PATCH 12/12] libinput: upgrade 1.29.1 -> 1.29.2

[Yoann Congal]

On Wed Mar 25, 2026 at 3:18 AM CET, Ankur Tyagi via lists.openembedded.org wrote:
> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
>
> Release Notes:
> https://gitlab.freedesktop.org/libinput/libinput/-/releases/1.29.2
>
> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit 4cd78e63cbf4edaeac1fc9f46fb737e1356e3f1b)
> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> ---

Hello,

I'm sorry but this upgrade contains feature change and, because of that
is not eligible for stable merge:
* All those added/removed/reverted quirks
* libinput: Add libinput_event_gesture forward declaration

Regards,


>  .../wayland/{libinput_1.29.1.bb => libinput_1.29.2.bb}          | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-graphics/wayland/{libinput_1.29.1.bb => libinput_1.29.2.bb} (97%)
>
> diff --git a/meta/recipes-graphics/wayland/libinput_1.29.1.bb b/meta/recipes-graphics/wayland/libinput_1.29.2.bb
> similarity index 97%
> rename from meta/recipes-graphics/wayland/libinput_1.29.1.bb
> rename to meta/recipes-graphics/wayland/libinput_1.29.2.bb
> index 809c291e23..f771085388 100644
> --- a/meta/recipes-graphics/wayland/libinput_1.29.1.bb
> +++ b/meta/recipes-graphics/wayland/libinput_1.29.2.bb
> @@ -15,7 +15,7 @@ DEPENDS = "libevdev udev mtdev"
>  SRC_URI = "git://gitlab.freedesktop.org/libinput/libinput.git;protocol=https;branch=1.29-branch;tag=${PV} \
>             file://run-ptest \
>             "
> -SRCREV = "dc2c1ad181be88e1487468f7ca6f9d320981f133"
> +SRCREV = "917783150a5bab7d55eedc5714f1b49b192426ac"
>  
>  UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+\.(?!9\d+)\d+)"
>  


-- 
Yoann Congal
Smile ECS

Re: [OE-core][whinlatter][PATCH 12/12] libinput: upgrade 1.29.1 -> 1.29.2

[Ankur Tyagi]

On Thu, Apr 2, 2026 at 4:21 AM Yoann Congal <yoann.congal@smile.fr> wrote:
>
> On Wed Mar 25, 2026 at 3:18 AM CET, Ankur Tyagi via lists.openembedded.org wrote:
> > From: Ankur Tyagi <ankur.tyagi85@gmail.com>
> >
> > Release Notes:
> > https://gitlab.freedesktop.org/libinput/libinput/-/releases/1.29.2
> >
> > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > (cherry picked from commit 4cd78e63cbf4edaeac1fc9f46fb737e1356e3f1b)
> > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> > ---
>
> Hello,
>
> I'm sorry but this upgrade contains feature change and, because of that
> is not eligible for stable merge:
> * All those added/removed/reverted quirks
> * libinput: Add libinput_event_gesture forward declaration
>

Understood, thanks for the review

> Regards,
>
>
> >  .../wayland/{libinput_1.29.1.bb => libinput_1.29.2.bb}          | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >  rename meta/recipes-graphics/wayland/{libinput_1.29.1.bb => libinput_1.29.2.bb} (97%)
> >
> > diff --git a/meta/recipes-graphics/wayland/libinput_1.29.1.bb b/meta/recipes-graphics/wayland/libinput_1.29.2.bb
> > similarity index 97%
> > rename from meta/recipes-graphics/wayland/libinput_1.29.1.bb
> > rename to meta/recipes-graphics/wayland/libinput_1.29.2.bb
> > index 809c291e23..f771085388 100644
> > --- a/meta/recipes-graphics/wayland/libinput_1.29.1.bb
> > +++ b/meta/recipes-graphics/wayland/libinput_1.29.2.bb
> > @@ -15,7 +15,7 @@ DEPENDS = "libevdev udev mtdev"
> >  SRC_URI = "git://gitlab.freedesktop.org/libinput/libinput.git;protocol=https;branch=1.29-branch;tag=${PV} \
> >             file://run-ptest \
> >             "
> > -SRCREV = "dc2c1ad181be88e1487468f7ca6f9d320981f133"
> > +SRCREV = "917783150a5bab7d55eedc5714f1b49b192426ac"
> >
> >  UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+\.(?!9\d+)\d+)"
> >
>
>
> --
> Yoann Congal
> Smile ECS
>

Re: [OE-core][whinlatter][PATCH 11/12] e2fsprogs: upgrade 1.47.3 -> 1.47.4

[Ankur Tyagi]

On Thu, Apr 2, 2026 at 4:04 AM Yoann Congal <yoann.congal@smile.fr> wrote:
>
> On Wed Mar 25, 2026 at 3:18 AM CET, Ankur Tyagi via lists.openembedded.org wrote:
> > From: Wang Mingyu <wangmy@fujitsu.com>
> >
> > 0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
> > removed since it's inclued in 1.47.4
> >
> > Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
> > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > (cherry picked from commit b14266b4c27e7e3f37a1057ab694c6b21b66b83a)
> >
> > Release Notes:
> > https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/tree/doc/RelNotes/v1.47.4.txt?h=v1.47.4
> >
> > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
>
> Hello,
>
> I'm sorry but this upgrade contains feature change and, because of that
> is not eligible for stable merge:
> > E2fsprogs 1.47.4 (March 6, 2025)
> > ================================
> >
> > Updates/Fixes since v1.47.3:
> >
> > UI and Features
> > ---------------
> >
> > [...]
> >
> > Add mke2fs extended option in root_selinux to set a SELinux security
> > context label for the root directory.
> >
> > Enable mke2fs to support multiple -E options in the command line.
>

Understood, thanks for the review.

> Regards,
>
> > ---
> >  ...inode.c-Fix-for-file-larger-than-2GB.patch | 40 -------------------
> >  ...2fsprogs_1.47.3.bb => e2fsprogs_1.47.4.bb} |  3 +-
> >  2 files changed, 1 insertion(+), 42 deletions(-)
> >  delete mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
> >  rename meta/recipes-devtools/e2fsprogs/{e2fsprogs_1.47.3.bb => e2fsprogs_1.47.4.bb} (97%)
> >
> > diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
> > deleted file mode 100644
> > index 1c578022fb..0000000000
> > --- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch
> > +++ /dev/null
> > @@ -1,40 +0,0 @@
> > -From 6359e0ec8ef249d202dbb8583a6e430f20c5b1a0 Mon Sep 17 00:00:00 2001
> > -From: Robert Yang <liezhi.yang@windriver.com>
> > -Date: Sun, 30 Nov 2025 21:47:50 +0800
> > -Subject: [PATCH] misc/create_inode.c: Fix for file larger than 2GB
> > -
> > -Fixed:
> > -$ dd if=/dev/zero of=../image.ext4 bs=1M count=4k
> > -$ dd if=/dev/random of=../rootfs/largefile bs=1M count=3k
> > -$ ./misc/mke2fs -t ext4 -d ../rootfs/ ../image.ext4
> > -__populate_fs: Ext2 file too big while writing file "largefile"
> > -mke2fs: Ext2 file too big while populating file system
> > -
> > -This was because the offset is overflow, use __u64 to fix the problem.
> > -
> > -Another code which uses ext2_off_t is copy_fs_verity_data(), but it only copies
> > -the metadata, so it should be enough large for it, just leave it there.
> > -
> > -Upstream-Status: Submitted [https://github.com/tytso/e2fsprogs/pull/258]
> > -
> > -Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> > ----
> > - misc/create_inode.c | 2 +-
> > - 1 file changed, 1 insertion(+), 1 deletion(-)
> > -
> > -diff --git a/misc/create_inode.c b/misc/create_inode.c
> > -index 624efc03..14273534 100644
> > ---- a/misc/create_inode.c
> > -+++ b/misc/create_inode.c
> > -@@ -414,7 +414,7 @@ static ssize_t my_pread(int fd, void *buf, size_t count, off_t offset)
> > - }
> > - #endif /* !defined HAVE_PREAD64 && !defined HAVE_PREAD */
> > -
> > --static errcode_t write_all(ext2_file_t e2_file, ext2_off_t off, const char *buf, unsigned int n_bytes) {
> > -+static errcode_t write_all(ext2_file_t e2_file, __u64 off, const char *buf, unsigned int n_bytes) {
> > -     errcode_t err = ext2fs_file_llseek(e2_file, off, EXT2_SEEK_SET, NULL);
> > -     if (err)
> > -             return err;
> > ---
> > -2.34.1
> > -
> > diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.3.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.4.bb
> > similarity index 97%
> > rename from meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.3.bb
> > rename to meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.4.bb
> > index 40658399d9..90f8f37b8e 100644
> > --- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.3.bb
> > +++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.47.4.bb
> > @@ -4,14 +4,13 @@ SRC_URI += "file://remove.ldconfig.call.patch \
> >             file://run-ptest \
> >             file://ptest.patch \
> >             file://mkdir_p.patch \
> > -           file://0001-misc-create_inode.c-Fix-for-file-larger-than-2GB.patch \
> >             "
> >  SRC_URI:append:class-native = " \
> >             file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
> >             file://quiet-debugfs.patch \
> >             "
> >
> > -SRCREV = "da631e117dcf8797bfda0f48bdaa05ac0fbcf7af"
> > +SRCREV = "ece89fac4603e400155b7bbf6326284f8511bca9"
> >  UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+\.\d+(\.\d+)*)$"
> >
> >  EXTRA_OECONF += "--libdir=${base_libdir} --sbindir=${base_sbindir} \
>
>
> --
> Yoann Congal
> Smile ECS
>

Re: [OE-core][whinlatter][PATCH 07/12] seatd: Create seat user and package systemd service

[Ankur Tyagi]

On Thu, Apr 2, 2026 at 3:58 AM Yoann Congal <yoann.congal@smile.fr> wrote:
>
> On Wed Mar 25, 2026 at 3:18 AM CET, Ankur Tyagi via lists.openembedded.org wrote:
> > From: Khem Raj <raj.khem@gmail.com>
> >
> > With latest version seatd does not work properly if
> > user access permissions are not correctly set, therefore
> > create 'seat' group and package the seatd.service file
> > and enable it by default with systemd distro feature
> >
> > set logind to systemd when using systemd as default init system
> >
> > Signed-off-by: Khem Raj <raj.khem@gmail.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > (cherry picked from commit 26746a02fc94b569f633d581b27a8634cfba38f5)
> > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> > ---
> >  meta/recipes-core/seatd/seatd_0.9.1.bb | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/meta/recipes-core/seatd/seatd_0.9.1.bb b/meta/recipes-core/seatd/seatd_0.9.1.bb
> > index 3be27dda9d..f9f72c9e82 100644
> > --- a/meta/recipes-core/seatd/seatd_0.9.1.bb
> > +++ b/meta/recipes-core/seatd/seatd_0.9.1.bb
> > @@ -34,6 +34,8 @@ PACKAGECONFIG[systemd] = "-Dlibseat-logind=systemd,,systemd"
> >  do_install:append() {
> >          if [ "${VIRTUAL-RUNTIME_init_manager}" != "systemd" ]; then
> >                  install -Dm755 ${UNPACKDIR}/init ${D}/${sysconfdir}/init.d/seatd
> > +        else
> > +                install -Dm644 ${S}/contrib/systemd/seatd.service ${D}${systemd_unitdir}/system/seatd.service
>
> Hello,
>
> The patch content does not match the description anymore (no added seat
> user). Can you update it?
>

Please drop this patch.

> Thanks!
>
> >          fi
> >          install -Dm644 ${S}/contrib/systemd/seatd.service ${D}${systemd_unitdir}/system/seatd.service
> >  }
>
>
> --
> Yoann Congal
> Smile ECS
>